Main Page | Alphabetical List | Data Structures | Directories | File List | Data Fields | Globals | Search for 
linux-2.6.16-rsbac-1.2.6 / rsbac / adf / mac

mac_syscalls.c

Go to the documentation of this file.
00001 /*************************************************** */
00002 /* Rule Set Based Access Control                     */
00003 /* Implementation of the Access Control Decision     */
00004 /* Facility (ADF) - Mandatory Access Control         */
00005 /* File: rsbac/adf/mac/syscalls.c                    */
00006 /*                                                   */
00007 /* Author and (c) 1999-2004: Amon Ott <ao@rsbac.org> */
00008 /*                                                   */
00009 /* Last modified: 15/Jul/2004                        */
00010 /*************************************************** */
00011 
00012 #include <linux/string.h>
00013 #include <rsbac/types.h>
00014 #include <rsbac/aci.h>
00015 #include <rsbac/mac.h>
00016 #include <rsbac/adf_main.h>
00017 #include <rsbac/error.h>
00018 #include <rsbac/helpers.h>
00019 #include <rsbac/getname.h>
00020 #include <rsbac/debug.h>
00021 #include <rsbac/rkmem.h>
00022 
00023 /************************************************* */
00024 /*           Global Variables                      */
00025 /************************************************* */
00026 
00027 /************************************************* */
00028 /*          Internal Help functions                */
00029 /************************************************* */
00030 
00031 #ifndef CONFIG_RSBAC_MAINT
00032 static int
00033   mac_sys_check_role(enum rsbac_system_role_t role)
00034   {
00035     union rsbac_target_id_t i_tid;
00036     union rsbac_attribute_value_t i_attr_val1;
00037 
00038     i_tid.user = current->uid;
00039     if (rsbac_get_attr(MAC,
00040                        T_USER,
00041                        i_tid,
00042                        A_mac_role,
00043                        &i_attr_val1,
00044                        TRUE))
00045       {
00046         rsbac_ds_get_error("mac_sys_check_role", A_mac_role);
00047         return -EPERM;
00048       }
00049     /* if correct role, then grant */
00050     if (i_attr_val1.system_role == role)
00051       return 0;
00052     else
00053       return -EPERM;
00054   }
00055 #endif
00056 
00057 /************************************************* */
00058 /*          Externally visible functions           */
00059 /************************************************* */
00060 
00061 /*****************************************************************************/
00062 /* This function allows processes to set their own current security level    */
00063 /* via sys_rsbac_mac_set_curr_seclevel() system call.                        */
00064 /* The level must keep within the min_write_open/max_read_open-boundary and  */
00065 /* must not be greater than owner_sec_level. Setting current_sec_level by    */
00066 /* this function also turns off auto-levelling via mac_auto.                 */
00067 
00068 int  rsbac_mac_set_curr_level(rsbac_security_level_t level,
00069                               rsbac_mac_category_vector_t categories)
00070   {
00071     union rsbac_target_id_t       tid;
00072     union rsbac_attribute_value_t attr_val1;
00073 #ifndef CONFIG_RSBAC_MAINT
00074     rsbac_mac_process_flags_t     flags;
00075 #endif
00076 
00077     if(   (level > SL_max)
00078        && (level != SL_none)
00079       )
00080       return -RSBAC_EINVALIDVALUE;
00081     
00082     tid.process = current->pid;
00083 
00084 #ifndef CONFIG_RSBAC_MAINT
00085     /* check flags */
00086     if (rsbac_get_attr(MAC,
00087                        T_PROCESS,
00088                        tid,
00089                        A_mac_process_flags,
00090                        &attr_val1,
00091                        FALSE))
00092       { /* failed! */
00093         rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00094         return(-RSBAC_EREADFAILED);
00095       }
00096     flags = attr_val1.mac_process_flags;
00097     if(   !(flags & MAC_auto)
00098        && !(flags & MAC_trusted)
00099        && !(flags & MAC_override)
00100       )
00101       {
00102         rsbac_printk(KERN_INFO
00103                      "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: no auto, trusted or override -> not granted \n",
00104                      current->uid,
00105                      current->pid,
00106                      current->comm);
00107         #ifdef CONFIG_RSBAC_SOFTMODE
00108         if(   !rsbac_softmode
00109         #ifdef CONFIG_RSBAC_SOFTMODE_IND
00110            && !rsbac_ind_softmode[MAC]
00111         #endif
00112           )
00113         #endif
00114           return -EPERM;
00115       }
00116 
00117     /* override allows full range */
00118     if(!(flags & MAC_override))
00119       {
00120         if(level != SL_none)
00121           {
00122             /* get maximum security level */
00123             tid.process = current->pid;
00124             if (rsbac_get_attr(MAC,
00125                                T_PROCESS,
00126                                tid,
00127                                A_security_level,
00128                                &attr_val1,
00129                                FALSE))
00130               { /* failed! */
00131                 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00132                 return(-RSBAC_EREADFAILED);
00133               }
00134             /* if level is too high -> error */
00135             if (level > attr_val1.security_level)
00136               {
00137                 rsbac_printk(KERN_INFO
00138                              "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested level %u over max level %u, no override -> not granted \n",
00139                              current->uid,
00140                              current->pid,
00141                              current->comm,
00142                              level,
00143                              attr_val1.security_level);
00144                 #ifdef CONFIG_RSBAC_SOFTMODE
00145                 if(   !rsbac_softmode
00146                 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00147                    && !rsbac_ind_softmode[MAC]
00148                 #endif
00149                   )
00150                 #endif
00151                   return -EPERM;
00152               }
00153             /* get minimum security level */
00154             tid.process = current->pid;
00155             if (rsbac_get_attr(MAC,
00156                                T_PROCESS,
00157                                tid,
00158                                A_min_security_level,
00159                                &attr_val1,
00160                                FALSE))
00161               { /* failed! */
00162                 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00163                 return(-RSBAC_EREADFAILED);
00164               }
00165             /* if level is too low -> error */
00166             if (level < attr_val1.security_level)
00167               {
00168                 rsbac_printk(KERN_INFO
00169                              "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested level %u under min level %u, no override -> not granted \n",
00170                              current->uid,
00171                              current->pid,
00172                              current->comm,
00173                              level,
00174                              attr_val1.security_level);
00175                 #ifdef CONFIG_RSBAC_SOFTMODE
00176                 if(   !rsbac_softmode
00177                 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00178                    && !rsbac_ind_softmode[MAC]
00179                 #endif
00180                   )
00181                 #endif
00182                   return -EPERM;
00183               }
00184 
00185             /* auto needed? -> stay inside boundaries */
00186             if(!flags & MAC_trusted)
00187               {
00188                 /* check against upper/write boundary */ 
00189                 if (rsbac_get_attr(MAC,
00190                                    T_PROCESS,
00191                                    tid,
00192                                    A_min_write_open,
00193                                    &attr_val1,
00194                                    FALSE))
00195                   { /* failed! */
00196                     rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00197                     return(-RSBAC_EREADFAILED);
00198                   }
00199                 if (level > attr_val1.min_write_open)
00200                   {
00201                     rsbac_printk(KERN_INFO
00202                                  "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested level %u over min_write_open %u, no override or trusted -> not granted \n",
00203                                  current->uid,
00204                                  current->pid,
00205                                  current->comm,
00206                                  level,
00207                                  attr_val1.min_write_open);
00208                     #ifdef CONFIG_RSBAC_SOFTMODE
00209                     if(   !rsbac_softmode
00210                     #ifdef CONFIG_RSBAC_SOFTMODE_IND
00211                        && !rsbac_ind_softmode[MAC]
00212                     #endif
00213                       )
00214                     #endif
00215                       return -EPERM;
00216                   }
00217 
00218                 /* check against lower/read boundary */ 
00219                 if (rsbac_get_attr(MAC,
00220                                    T_PROCESS,
00221                                    tid,
00222                                    A_max_read_open,
00223                                    &attr_val1,
00224                                    FALSE))
00225                   { /* failed! */
00226                     rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00227                     return(-RSBAC_EREADFAILED);
00228                   }
00229                 if (level < attr_val1.max_read_open)
00230                   return(-EPERM);
00231               }
00232           }
00233         if(categories != RSBAC_MAC_MIN_CAT_VECTOR)
00234           {
00235             /* get maximum categories */
00236             tid.process = current->pid;
00237             if (rsbac_get_attr(MAC,
00238                                T_PROCESS,
00239                                tid,
00240                                A_mac_categories,
00241                                &attr_val1,
00242                                FALSE))
00243               { /* failed! */
00244                 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00245                 return(-RSBAC_EREADFAILED);
00246               }
00247             /* if categories are no subset -> error */
00248             if ((categories & attr_val1.mac_categories) != categories)
00249               {
00250                 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00251 
00252                 if(tmp)
00253                   {
00254                     char * tmp2 = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00255 
00256                     if(tmp2)
00257                       {
00258                         rsbac_printk(KERN_INFO
00259                                      "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s over max categories %s, no override -> not granted \n",
00260                                      current->uid,
00261                                      current->pid,
00262                                      current->comm,
00263                                      u64tostrmac(tmp, categories),
00264                                      u64tostrmac(tmp2, attr_val1.mac_categories));
00265                         rsbac_kfree(tmp2);
00266                       }
00267                     rsbac_kfree(tmp);
00268                   }
00269                 #ifdef CONFIG_RSBAC_SOFTMODE
00270                 if(   !rsbac_softmode
00271                 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00272                    && !rsbac_ind_softmode[MAC]
00273                 #endif
00274                   )
00275                 #endif
00276                   return -EPERM;
00277               }
00278             /* get minimum categories */
00279             tid.process = current->pid;
00280             if (rsbac_get_attr(MAC,
00281                                T_PROCESS,
00282                                tid,
00283                                A_mac_min_categories,
00284                                &attr_val1,
00285                                FALSE))
00286               { /* failed! */
00287                 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00288                 return(-RSBAC_EREADFAILED);
00289               }
00290             /* if level is too low -> error */
00291             if ((categories & attr_val1.mac_categories) != attr_val1.mac_categories)
00292               {
00293                 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00294 
00295                 if(tmp)
00296                   {
00297                     char * tmp2 = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00298 
00299                     if(tmp2)
00300                       {
00301                         rsbac_printk(KERN_INFO
00302                                      "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s under min categories %s, no override -> not granted \n",
00303                                      current->uid,
00304                                      current->pid,
00305                                      current->comm,
00306                                      u64tostrmac(tmp, categories),
00307                                      u64tostrmac(tmp2, attr_val1.mac_categories));
00308                         rsbac_kfree(tmp2);
00309                       }
00310                     rsbac_kfree(tmp);
00311                   }
00312                 #ifdef CONFIG_RSBAC_SOFTMODE
00313                 if(   !rsbac_softmode
00314                 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00315                    && !rsbac_ind_softmode[MAC]
00316                 #endif
00317                   )
00318                 #endif
00319                   return -EPERM;
00320               }
00321 
00322             /* auto needed? -> stay inside boundaries */
00323             if(!flags & MAC_trusted)
00324               {
00325                 /* check against upper/write boundary */ 
00326                 if (rsbac_get_attr(MAC,
00327                                    T_PROCESS,
00328                                    tid,
00329                                    A_min_write_categories,
00330                                    &attr_val1,
00331                                    FALSE))
00332                   { /* failed! */
00333                     rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00334                     return(-RSBAC_EREADFAILED);
00335                   }
00336                 if ((categories & attr_val1.mac_categories) != categories)
00337                   {
00338                     char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00339 
00340                     if(tmp)
00341                       {
00342                         char * tmp2 = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00343 
00344                         if(tmp2)
00345                           {
00346                             rsbac_printk(KERN_INFO
00347                                          "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s over min_write categories %s, no override or trusted -> not granted \n",
00348                                          current->uid,
00349                                          current->pid,
00350                                          current->comm,
00351                                          u64tostrmac(tmp, categories),
00352                                          u64tostrmac(tmp2, attr_val1.mac_categories));
00353                             rsbac_kfree(tmp2);
00354                           }
00355                         rsbac_kfree(tmp);
00356                       }
00357                     #ifdef CONFIG_RSBAC_SOFTMODE
00358                     if(   !rsbac_softmode
00359                     #ifdef CONFIG_RSBAC_SOFTMODE_IND
00360                        && !rsbac_ind_softmode[MAC]
00361                     #endif
00362                       )
00363                     #endif
00364                       return -EPERM;
00365                   }
00366                 /* check against lower/read boundary */ 
00367                 if (rsbac_get_attr(MAC,
00368                                    T_PROCESS,
00369                                    tid,
00370                                    A_max_read_categories,
00371                                    &attr_val1,
00372                                    FALSE))
00373                   { /* failed! */
00374                     rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00375                     return(-RSBAC_EREADFAILED);
00376                   }
00377                 if ((categories & attr_val1.mac_categories) != attr_val1.mac_categories)
00378                   {
00379                     char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00380 
00381                     if(tmp)
00382                       {
00383                         char * tmp2 = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00384 
00385                         if(tmp2)
00386                           {
00387                             rsbac_printk(KERN_INFO
00388                                          "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s under max_read categories %s, no override or trusted -> not granted \n",
00389                                          current->uid,
00390                                          current->pid,
00391                                          current->comm,
00392                                          u64tostrmac(tmp, categories),
00393                                          u64tostrmac(tmp2, attr_val1.mac_categories));
00394                             rsbac_kfree(tmp2);
00395                           }
00396                         rsbac_kfree(tmp);
00397                       }
00398                     #ifdef CONFIG_RSBAC_SOFTMODE
00399                     if(   !rsbac_softmode
00400                     #ifdef CONFIG_RSBAC_SOFTMODE_IND
00401                        && !rsbac_ind_softmode[MAC]
00402                     #endif
00403                       )
00404                     #endif
00405                       return -EPERM;
00406                   }
00407               }
00408           }
00409       }
00410 #endif /* ifndef CONFIG_RSBAC_MAINT */
00411 
00412     /* OK, checks passed: set values */
00413     if(level != SL_none)
00414       {
00415         attr_val1.current_sec_level = level;
00416         if (rsbac_set_attr(MAC,
00417                            T_PROCESS,
00418                            tid,
00419                            A_current_sec_level,
00420                            attr_val1))
00421           { /* failed! */
00422             rsbac_ds_set_error("rsbac_mac_set_curr_level", A_none);
00423             return(-RSBAC_EWRITEFAILED);
00424           }
00425       }
00426     if(categories != RSBAC_MAC_MIN_CAT_VECTOR)
00427       {
00428         attr_val1.mac_categories = categories;
00429         if (rsbac_set_attr(MAC,
00430                            T_PROCESS,
00431                            tid,
00432                            A_mac_curr_categories,
00433                            attr_val1))
00434           { /* failed! */
00435             rsbac_ds_set_error("rsbac_mac_set_curr_level", A_none);
00436             return(-RSBAC_EWRITEFAILED);
00437           }
00438       }
00439     return(0);
00440   }
00441 
00442 /*  getting own levels as well - no restrictions */
00443 int  rsbac_mac_get_curr_level(rsbac_security_level_t * level_p,
00444                               rsbac_mac_category_vector_t * categories_p)
00445   {
00446     union rsbac_target_id_t       tid;
00447     union rsbac_attribute_value_t attr_val;
00448 
00449     tid.process = current->pid;
00450     if(level_p)
00451       {
00452         if (rsbac_get_attr(MAC,
00453                            T_PROCESS,
00454                            tid,
00455                            A_current_sec_level,
00456                            &attr_val,
00457                            FALSE))
00458           { /* failed! */
00459             rsbac_ds_get_error("rsbac_mac_get_curr_level", A_none);
00460             return(-RSBAC_EREADFAILED);
00461           }
00462         *level_p = attr_val.current_sec_level;
00463       }
00464     if(categories_p)
00465       {
00466         if (rsbac_get_attr(MAC,
00467                            T_PROCESS,
00468                            tid,
00469                            A_mac_curr_categories,
00470                            &attr_val,
00471                            FALSE))
00472           { /* failed! */
00473             rsbac_ds_get_error("rsbac_mac_get_curr_level", A_none);
00474             return(-RSBAC_EREADFAILED);
00475           }
00476         *categories_p = attr_val.mac_categories;
00477       }
00478     return 0;
00479   }
00480 
00481 int  rsbac_mac_get_max_level(rsbac_security_level_t * level_p,
00482                               rsbac_mac_category_vector_t * categories_p)
00483   {
00484     union rsbac_target_id_t       tid;
00485     union rsbac_attribute_value_t attr_val;
00486 
00487     tid.process = current->pid;
00488     if(level_p)
00489       {
00490         if (rsbac_get_attr(MAC,
00491                            T_PROCESS,
00492                            tid,
00493                            A_security_level,
00494                            &attr_val,
00495                            FALSE))
00496           { /* failed! */
00497             rsbac_ds_get_error("rsbac_mac_get_max_level", A_none);
00498             return(-RSBAC_EREADFAILED);
00499           }
00500         *level_p = attr_val.security_level;
00501       }
00502     if(categories_p)
00503       {
00504         if (rsbac_get_attr(MAC,
00505                            T_PROCESS,
00506                            tid,
00507                            A_mac_categories,
00508                            &attr_val,
00509                            FALSE))
00510           { /* failed! */
00511             rsbac_ds_get_error("rsbac_mac_get_max_level", A_none);
00512             return(-RSBAC_EREADFAILED);
00513           }
00514         *categories_p = attr_val.mac_categories;
00515       }
00516     return 0;
00517   }
00518 
00519 
00520 int  rsbac_mac_get_min_level(rsbac_security_level_t * level_p,
00521                               rsbac_mac_category_vector_t * categories_p)
00522   {
00523     union rsbac_target_id_t       tid;
00524     union rsbac_attribute_value_t attr_val;
00525 
00526     tid.process = current->pid;
00527     if(level_p)
00528       {
00529         if (rsbac_get_attr(MAC,
00530                            T_PROCESS,
00531                            tid,
00532                            A_min_security_level,
00533                            &attr_val,
00534                            FALSE))
00535           { /* failed! */
00536             rsbac_ds_get_error("rsbac_mac_get_min_level", A_none);
00537             return(-RSBAC_EREADFAILED);
00538           }
00539         *level_p = attr_val.security_level;
00540       }
00541     if(categories_p)
00542       {
00543         if (rsbac_get_attr(MAC,
00544                            T_PROCESS,
00545                            tid,
00546                            A_mac_min_categories,
00547                            &attr_val,
00548                            FALSE))
00549           { /* failed! */
00550             rsbac_ds_get_error("rsbac_mac_get_min_level", A_none);
00551             return(-RSBAC_EREADFAILED);
00552           }
00553         *categories_p = attr_val.mac_categories;
00554       }
00555     return 0;
00556   }
00557 
00558 int rsbac_mac_add_p_tru(
00559   rsbac_list_ta_number_t ta_number,
00560   rsbac_pid_t pid,
00561   rsbac_uid_t uid,
00562   rsbac_time_t ttl)
00563   {
00564 /* check only in non-maint mode */
00565 #if !defined(CONFIG_RSBAC_MAINT)
00566 #ifdef CONFIG_RSBAC_SWITCH_MAC
00567     if(rsbac_switch_mac)
00568 #endif
00569       {
00570         if(mac_sys_check_role(SR_security_officer))
00571           {
00572             rsbac_printk(KERN_INFO
00573                    "rsbac_mac_add_p_tru(): adding MAC trusted user %u to process %u denied for process %u!\n",
00574                    uid,
00575                    pid,
00576                    current->pid);
00577             #ifdef CONFIG_RSBAC_SOFTMODE
00578             if(   !rsbac_softmode
00579             #ifdef CONFIG_RSBAC_SOFTMODE_IND
00580                && !rsbac_ind_softmode[MAC]
00581             #endif
00582               )
00583             #endif
00584               return(-EPERM);
00585           }
00586       }
00587 #endif
00588 
00589     /* OK, check passed. Add the truability. */
00590     if(rsbac_mac_add_to_p_truset(ta_number, pid, uid, ttl))
00591       {
00592         rsbac_printk(KERN_WARNING
00593                "rsbac_mac_add_p_tru(): rsbac_mac_add_to_p_truset() returned error!\n");
00594         return(-RSBAC_EWRITEFAILED);
00595       }
00596     return 0;
00597   }
00598 
00599 int rsbac_mac_remove_p_tru(
00600   rsbac_list_ta_number_t ta_number,
00601   rsbac_pid_t pid,
00602   rsbac_uid_t uid)
00603   {
00604 /* check only in non-maint mode */
00605 #if !defined(CONFIG_RSBAC_MAINT)
00606 #ifdef CONFIG_RSBAC_SWITCH_MAC
00607     if(rsbac_switch_mac)
00608 #endif
00609       {
00610         if(mac_sys_check_role(SR_security_officer))
00611           {
00612             rsbac_printk(KERN_INFO
00613                    "rsbac_mac_remove_p_tru(): removing MAC trusted user %u from process %u denied for process %u!\n",
00614                    uid,
00615                    pid,
00616                    current->pid);
00617             #ifdef CONFIG_RSBAC_SOFTMODE
00618             if(   !rsbac_softmode
00619             #ifdef CONFIG_RSBAC_SOFTMODE_IND
00620                && !rsbac_ind_softmode[MAC]
00621             #endif
00622               )
00623             #endif
00624               return(-EPERM);
00625           }
00626       }
00627 #endif
00628     /* OK, check passed. Try to remove the trusted user */
00629     return(rsbac_mac_remove_from_p_truset(ta_number, pid, uid));
00630   }
00631 
00632 int rsbac_mac_add_f_tru(
00633   rsbac_list_ta_number_t ta_number,
00634   rsbac_mac_file_t file,
00635   rsbac_uid_t uid,
00636   rsbac_time_t ttl)
00637   {
00638 /* check only in non-maint mode */
00639 #if !defined(CONFIG_RSBAC_MAINT)
00640 #ifdef CONFIG_RSBAC_SWITCH_MAC
00641     if(rsbac_switch_mac)
00642 #endif
00643       {
00644         if(mac_sys_check_role(SR_security_officer))
00645           {
00646             rsbac_printk(KERN_INFO
00647                    "rsbac_mac_add_f_tru(): adding MAC trusted user %u to file %u on device %02u:%02u denied for process %u!\n",
00648                    uid,
00649                    file.inode,
00650                    MAJOR(file.device),
00651                    MINOR(file.device),
00652                    current->pid);
00653             #ifdef CONFIG_RSBAC_SOFTMODE
00654             if(   !rsbac_softmode
00655             #ifdef CONFIG_RSBAC_SOFTMODE_IND
00656                && !rsbac_ind_softmode[MAC]
00657             #endif
00658               )
00659             #endif
00660               return(-EPERM);
00661           }
00662       }
00663 #endif
00664 
00665     if(rsbac_mac_add_to_f_truset(ta_number, file, uid, ttl))
00666       {
00667         rsbac_printk(KERN_WARNING
00668                "rsbac_mac_add_f_tru(): rsbac_mac_add_to_f_truset() returned error!\n");
00669         return(-RSBAC_EWRITEFAILED);
00670       }
00671     return 0;
00672   }
00673 
00674 int rsbac_mac_remove_f_tru(
00675   rsbac_list_ta_number_t ta_number,
00676   rsbac_mac_file_t file,
00677   rsbac_uid_t uid)
00678   {
00679 /* check only in non-maint mode */
00680 #if !defined(CONFIG_RSBAC_MAINT)
00681 #ifdef CONFIG_RSBAC_SWITCH_MAC
00682     if(rsbac_switch_mac)
00683 #endif
00684       {
00685         if(mac_sys_check_role(SR_security_officer))
00686           {
00687             rsbac_printk(KERN_INFO
00688                    "rsbac_mac_remove_f_tru(): removing MAC trusted user %u from file %u on device %02u:%02u denied for process %u!\n",
00689                    uid,
00690                    file.inode,
00691                    MAJOR(file.device),
00692                    MINOR(file.device),
00693                    current->pid);
00694             #ifdef CONFIG_RSBAC_SOFTMODE
00695             if(   !rsbac_softmode
00696             #ifdef CONFIG_RSBAC_SOFTMODE_IND
00697                && !rsbac_ind_softmode[MAC]
00698             #endif
00699               )
00700             #endif
00701               return(-EPERM);
00702           }
00703       }
00704 #endif
00705 
00706     return(rsbac_mac_remove_from_f_truset(ta_number, file, uid));
00707   }
00708 
00709 
00710 /* end of rsbac/adf/mac/syscalls.c */
Generated on Sun May 21 14:30:50 2006 for RSBAC by  doxygen 1.4.2