/daten/src/linux-2.4.27-rsbac-v1.2.3/rsbac/help/lsm.c

Go to the documentation of this file.
00001 /*************************************************** */ 00002 /* Rule Set Based Access Control */ 00003 /* Implementation of AEF LSM hooks */ 00004 /* Author and (c) 2003: Amon Ott <ao@rsbac.org> */ 00005 /* */ 00006 /* Last modified: 05/Sep/2003 */ 00007 /*************************************************** */ 00008 00009 #include <linux/types.h> 00010 #include <linux/version.h> 00011 #include <linux/security.h> 00012 #include <linux/ptrace.h> 00013 #include <linux/fs.h> 00014 #include <linux/mount.h> 00015 #include <linux/namei.h> 00016 #include <net/sock.h> 00017 #include <rsbac/types.h> 00018 #include <rsbac/adf.h> 00019 #include <rsbac/aci.h> 00020 00021 static int rsbac_aef_ptrace(struct task_struct * parent, struct task_struct * child) 00022 { 00023 union rsbac_target_id_t rsbac_target_id; 00024 union rsbac_attribute_value_t rsbac_attribute_value; 00025 00026 #ifdef CONFIG_RSBAC_DEBUG 00027 if (rsbac_debug_aef) 00028 printk(KERN_DEBUG "rsbac_aef_ptrace(): calling ADF\n"); 00029 #endif 00030 rsbac_target_id.process = child->pid; 00031 rsbac_attribute_value.trace_request = PTRACE_TRACEME; 00032 if (!rsbac_adf_request(R_TRACE, 00033 parent->pid, 00034 T_PROCESS, 00035 rsbac_target_id, 00036 A_trace_request, 00037 rsbac_attribute_value)) 00038 return -EPERM; 00039 else 00040 return 0; 00041 } 00042 00043 static int rsbac_aef_statfs(struct super_block * sb) 00044 { 00045 union rsbac_target_id_t rsbac_target_id; 00046 union rsbac_attribute_value_t rsbac_attribute_value; 00047 00048 #ifdef CONFIG_RSBAC_DEBUG 00049 if (rsbac_debug_aef) 00050 printk(KERN_DEBUG "rsbac_aef_statfs(): calling ADF\n"); 00051 #endif 00052 rsbac_target_id.dev.type = D_block; 00053 rsbac_target_id.dev.id = sb->s_dev; 00054 rsbac_attribute_value.dummy = 0; 00055 if (!rsbac_adf_request(R_GET_STATUS_DATA, 00056 current->pid, 00057 T_DEV, 00058 rsbac_target_id, 00059 A_none, 00060 rsbac_attribute_value)) 00061 return -EPERM; 00062 else 00063 return 0; 00064 } 00065 00066 static int rsbac_aef_inode_follow_link(struct dentry *dentry, struct nameidata *nd) 00067 { 00068 union rsbac_target_id_t rsbac_target_id; 00069 union rsbac_attribute_value_t rsbac_attribute_value; 00070 00071 #ifdef CONFIG_RSBAC_DEBUG 00072 if (rsbac_debug_aef) 00073 printk(KERN_DEBUG "rsbac_aef_inode_follow_link(): calling ADF\n"); 00074 #endif 00075 rsbac_target_id.symlink.device = dentry->d_sb->s_dev; 00076 rsbac_target_id.symlink.inode = dentry->d_inode->i_ino; 00077 rsbac_target_id.symlink.dentry_p = dentry; 00078 rsbac_attribute_value.dummy = 0; 00079 if (!rsbac_adf_request(R_SEARCH, 00080 current->pid, 00081 T_SYMLINK, 00082 rsbac_target_id, 00083 A_none, 00084 rsbac_attribute_value)) 00085 return -EPERM; 00086 else 00087 return 0; 00088 } 00089 00090 static int rsbac_aef_inode_create(struct inode *dir, 00091 struct dentry *dentry, 00092 int mode) 00093 { 00094 union rsbac_target_id_t rsbac_target_id; 00095 union rsbac_attribute_value_t rsbac_attribute_value; 00096 00097 #ifdef CONFIG_RSBAC_DEBUG 00098 if (rsbac_debug_aef) 00099 printk(KERN_DEBUG "rsbac_aef_inode_create(): calling ADF\n"); 00100 #endif 00101 rsbac_target_id.dir.device = dir->i_sb->s_dev; 00102 rsbac_target_id.dir.inode = dir->i_ino; 00103 rsbac_target_id.dir.dentry_p = dentry->d_parent; 00104 rsbac_attribute_value.create_data.target = T_FILE; 00105 rsbac_attribute_value.create_data.dentry_p = dentry; 00106 rsbac_attribute_value.create_data.mode = mode; 00107 rsbac_attribute_value.create_data.device = RSBAC_ZERO_DEV; 00108 if (!rsbac_adf_request(R_CREATE, 00109 current->pid, 00110 T_DIR, 00111 rsbac_target_id, 00112 A_create_data, 00113 rsbac_attribute_value)) 00114 return -EPERM; 00115 else 00116 return 0; 00117 } 00118 00119 static void rsbac_aef_inode_post_create(struct inode *dir, 00120 struct dentry *dentry, 00121 int mode) 00122 { 00123 union rsbac_target_id_t rsbac_target_id; 00124 union rsbac_target_id_t rsbac_new_target_id; 00125 union rsbac_attribute_value_t rsbac_attribute_value; 00126 00127 #ifdef CONFIG_RSBAC_DEBUG 00128 if (rsbac_debug_aef) 00129 printk(KERN_DEBUG "rsbac_aef_inode_post_create(): notifying ADF\n"); 00130 #endif 00131 rsbac_target_id.dir.device = dir->i_sb->s_dev; 00132 rsbac_target_id.dir.inode = dir->i_ino; 00133 rsbac_target_id.dir.dentry_p = dentry->d_parent; 00134 rsbac_attribute_value.create_data.target = T_FILE; 00135 rsbac_attribute_value.create_data.dentry_p = dentry; 00136 rsbac_attribute_value.create_data.mode = mode; 00137 rsbac_attribute_value.create_data.device = RSBAC_ZERO_DEV; 00138 rsbac_new_target_id.file.device = dentry->d_sb->s_dev; 00139 rsbac_new_target_id.file.inode = dentry->d_inode->i_ino; 00140 rsbac_new_target_id.file.dentry_p = dentry; 00141 if (rsbac_adf_set_attr(R_CREATE, 00142 current->pid, 00143 T_DIR, 00144 rsbac_target_id, 00145 T_FILE, 00146 rsbac_new_target_id, 00147 A_create_data, 00148 rsbac_attribute_value)) 00149 { 00150 printk(KERN_WARNING 00151 "rsbac_aef_inode_post_create() [vfs_create() [open_namei() [filp_open() [do_open() [sys_open()]]]]]: rsbac_adf_set_attr() returned error"); 00152 } 00153 } 00154 00155 static int rsbac_aef_inode_mknod(struct inode *dir, struct dentry *dentry, 00156 int mode, dev_t dev) 00157 { 00158 union rsbac_target_id_t rsbac_target_id; 00159 union rsbac_attribute_value_t rsbac_attribute_value; 00160 00161 #ifdef CONFIG_RSBAC_DEBUG 00162 if (rsbac_debug_aef) 00163 printk(KERN_DEBUG "rsbac_aef_inode_mknod(): calling ADF\n"); 00164 #endif 00165 rsbac_target_id.dir.device = dir->i_sb->s_dev; 00166 rsbac_target_id.dir.inode = dir->i_ino; 00167 rsbac_target_id.dir.dentry_p = dentry->d_parent; 00168 rsbac_attribute_value.create_data.target = T_FILE; 00169 rsbac_attribute_value.create_data.dentry_p = dentry; 00170 rsbac_attribute_value.create_data.mode = mode; 00171 rsbac_attribute_value.create_data.device = dev; 00172 if (!rsbac_adf_request(R_CREATE, 00173 current->pid, 00174 T_DIR, 00175 rsbac_target_id, 00176 A_create_data, 00177 rsbac_attribute_value)) 00178 return -EPERM; 00179 else 00180 return 0; 00181 } 00182 00183 static void rsbac_aef_inode_post_mknod(struct inode *dir, struct dentry *dentry, 00184 int mode, dev_t dev) 00185 { 00186 union rsbac_target_id_t rsbac_target_id; 00187 union rsbac_target_id_t rsbac_new_target_id; 00188 union rsbac_attribute_value_t rsbac_attribute_value; 00189 00190 #ifdef CONFIG_RSBAC_DEBUG 00191 if (rsbac_debug_aef) 00192 printk(KERN_DEBUG "rsbac_aef_inode_post_mknod(): notifying ADF\n"); 00193 #endif 00194 rsbac_target_id.dir.device = dir->i_sb->s_dev; 00195 rsbac_target_id.dir.inode = dir->i_ino; 00196 rsbac_target_id.dir.dentry_p = dentry->d_parent; 00197 rsbac_attribute_value.create_data.target = T_FILE; 00198 rsbac_attribute_value.create_data.dentry_p = dentry; 00199 rsbac_attribute_value.create_data.mode = mode; 00200 rsbac_attribute_value.create_data.device = dev; 00201 rsbac_new_target_id.file.device = dentry->d_sb->s_dev; 00202 rsbac_new_target_id.file.inode = dentry->d_inode->i_ino; 00203 rsbac_new_target_id.file.dentry_p = dentry; 00204 if (rsbac_adf_set_attr(R_CREATE, 00205 current->pid, 00206 T_DIR, 00207 rsbac_target_id, 00208 T_FILE, 00209 rsbac_new_target_id, 00210 A_create_data, 00211 rsbac_attribute_value)) 00212 { 00213 printk(KERN_WARNING 00214 "rsbac_aef_inode_post_mknod() [vfs_mknod() [sys_mknod()]: rsbac_adf_set_attr() returned error"); 00215 } 00216 } 00217 00218 static int rsbac_aef_inode_mkdir(struct inode *dir, 00219 struct dentry *dentry, 00220 int mode) 00221 { 00222 union rsbac_target_id_t rsbac_target_id; 00223 union rsbac_attribute_value_t rsbac_attribute_value; 00224 00225 #ifdef CONFIG_RSBAC_DEBUG 00226 if (rsbac_debug_aef) 00227 printk(KERN_DEBUG "rsbac_aef_inode_mkdir(): calling ADF\n"); 00228 #endif 00229 rsbac_target_id.dir.device = dir->i_sb->s_dev; 00230 rsbac_target_id.dir.inode = dir->i_ino; 00231 rsbac_target_id.dir.dentry_p = dentry->d_parent; 00232 rsbac_attribute_value.create_data.target = T_FILE; 00233 rsbac_attribute_value.create_data.dentry_p = dentry; 00234 rsbac_attribute_value.create_data.mode = mode; 00235 rsbac_attribute_value.create_data.device = RSBAC_ZERO_DEV; 00236 if (!rsbac_adf_request(R_CREATE, 00237 current->pid, 00238 T_DIR, 00239 rsbac_target_id, 00240 A_create_data, 00241 rsbac_attribute_value)) 00242 return -EPERM; 00243 else 00244 return 0; 00245 } 00246 00247 static void rsbac_aef_inode_post_mkdir(struct inode *dir, 00248 struct dentry *dentry, 00249 int mode) 00250 { 00251 union rsbac_target_id_t rsbac_target_id; 00252 union rsbac_target_id_t rsbac_new_target_id; 00253 union rsbac_attribute_value_t rsbac_attribute_value; 00254 00255 #ifdef CONFIG_RSBAC_DEBUG 00256 if (rsbac_debug_aef) 00257 printk(KERN_DEBUG "rsbac_aef_inode_post_mkdir(): notifying ADF\n"); 00258 #endif 00259 rsbac_target_id.dir.device = dir->i_sb->s_dev; 00260 rsbac_target_id.dir.inode = dir->i_ino; 00261 rsbac_target_id.dir.dentry_p = dentry->d_parent; 00262 rsbac_attribute_value.create_data.target = T_FILE; 00263 rsbac_attribute_value.create_data.dentry_p = dentry; 00264 rsbac_attribute_value.create_data.mode = mode; 00265 rsbac_attribute_value.create_data.device = RSBAC_ZERO_DEV; 00266 rsbac_new_target_id.file.device = dentry->d_sb->s_dev; 00267 rsbac_new_target_id.file.inode = dentry->d_inode->i_ino; 00268 rsbac_new_target_id.file.dentry_p = dentry; 00269 if (rsbac_adf_set_attr(R_CREATE, 00270 current->pid, 00271 T_DIR, 00272 rsbac_target_id, 00273 T_FILE, 00274 rsbac_new_target_id, 00275 A_create_data, 00276 rsbac_attribute_value)) 00277 { 00278 printk(KERN_WARNING 00279 "rsbac_aef_inode_post_mkdir() [vfs_mkdir() [open_namei() [filp_open() [do_open() [sys_open()]]]]]: rsbac_adf_set_attr() returned error"); 00280 } 00281 } 00282 00283 static int rsbac_aef_inode_symlink(struct inode *dir, 00284 struct dentry *dentry, 00285 const char *old_name) 00286 { 00287 union rsbac_target_id_t rsbac_target_id; 00288 union rsbac_attribute_value_t rsbac_attribute_value; 00289 00290 #ifdef CONFIG_RSBAC_DEBUG 00291 if (rsbac_debug_aef) 00292 printk(KERN_DEBUG "rsbac_aef_inode_symlink(): calling ADF\n"); 00293 #endif 00294 rsbac_target_id.dir.device = dir->i_sb->s_dev; 00295 rsbac_target_id.dir.inode = dir->i_ino; 00296 rsbac_target_id.dir.dentry_p = dentry->d_parent; 00297 rsbac_attribute_value.create_data.target = T_SYMLINK; 00298 rsbac_attribute_value.create_data.dentry_p = dentry; 00299 rsbac_attribute_value.create_data.mode = 0; 00300 rsbac_attribute_value.create_data.device = RSBAC_ZERO_DEV; 00301 if (!rsbac_adf_request(R_CREATE, 00302 current->pid, 00303 T_DIR, 00304 rsbac_target_id, 00305 A_create_data, 00306 rsbac_attribute_value)) 00307 return -EPERM; 00308 else 00309 return 0; 00310 } 00311 00312 static void rsbac_aef_inode_post_symlink(struct inode *dir, 00313 struct dentry *dentry, 00314 const char *old_name) 00315 { 00316 union rsbac_target_id_t rsbac_target_id; 00317 union rsbac_target_id_t rsbac_new_target_id; 00318 union rsbac_attribute_value_t rsbac_attribute_value; 00319 00320 #ifdef CONFIG_RSBAC_DEBUG 00321 if (rsbac_debug_aef) 00322 printk(KERN_DEBUG "rsbac_aef_inode_post_symlink(): notifying ADF\n"); 00323 #endif 00324 rsbac_target_id.dir.device = dir->i_sb->s_dev; 00325 rsbac_target_id.dir.inode = dir->i_ino; 00326 rsbac_target_id.dir.dentry_p = dentry->d_parent; 00327 rsbac_attribute_value.create_data.target = T_FILE; 00328 rsbac_attribute_value.create_data.dentry_p = dentry; 00329 rsbac_attribute_value.create_data.mode = 0; 00330 rsbac_attribute_value.create_data.device = RSBAC_ZERO_DEV; 00331 rsbac_new_target_id.file.device = dentry->d_sb->s_dev; 00332 rsbac_new_target_id.file.inode = dentry->d_inode->i_ino; 00333 rsbac_new_target_id.file.dentry_p = dentry; 00334 if (rsbac_adf_set_attr(R_CREATE, 00335 current->pid, 00336 T_DIR, 00337 rsbac_target_id, 00338 T_SYMLINK, 00339 rsbac_new_target_id, 00340 A_create_data, 00341 rsbac_attribute_value)) 00342 { 00343 printk(KERN_WARNING 00344 "rsbac_aef_inode_post_symlink() [vfs_symlink() [open_namei() [filp_open() [do_open() [sys_open()]]]]]: rsbac_adf_set_attr() returned error"); 00345 } 00346 } 00347 00348 static int rsbac_aef_inode_link(struct dentry *old_dentry, 00349 struct inode *dir, 00350 struct dentry *new_dentry) 00351 { 00352 enum rsbac_target_t rsbac_target; 00353 union rsbac_target_id_t rsbac_target_id; 00354 union rsbac_attribute_value_t rsbac_attribute_value; 00355 00356 #ifdef CONFIG_RSBAC_DEBUG 00357 if (rsbac_debug_aef) 00358 printk(KERN_DEBUG "rsbac_aef_inode_link(): calling ADF\n"); 00359 #endif 00360 rsbac_target = T_FILE; 00361 if (S_ISDIR (old_dentry->d_inode->i_mode)) 00362 rsbac_target = T_DIR; 00363 else if (S_ISFIFO (old_dentry->d_inode->i_mode)) 00364 rsbac_target = T_FIFO; 00365 else if (S_ISLNK (old_dentry->d_inode->i_mode)) 00366 rsbac_target = T_SYMLINK; 00367 rsbac_target_id.dir.device = old_dentry->d_sb->s_dev; 00368 rsbac_target_id.dir.inode = old_dentry->d_inode->i_ino; 00369 rsbac_target_id.dir.dentry_p = old_dentry; 00370 rsbac_attribute_value.dummy = 0; 00371 if (!rsbac_adf_request(R_LINK_HARD, 00372 current->pid, 00373 rsbac_target, 00374 rsbac_target_id, 00375 A_none, 00376 rsbac_attribute_value)) 00377 return -EPERM; 00378 else 00379 return 0; 00380 } 00381 00382 static int rsbac_aef_inode_rename(struct inode *old_dir, struct dentry *old_dentry, 00383 struct inode *new_dir, struct dentry *new_dentry) 00384 { 00385 enum rsbac_target_t rsbac_target; 00386 union rsbac_target_id_t rsbac_target_id; 00387 union rsbac_attribute_value_t rsbac_attribute_value; 00388 00389 #ifdef CONFIG_RSBAC_DEBUG 00390 if (rsbac_debug_aef) 00391 printk(KERN_DEBUG "rsbac_aef_inode_rename(): calling ADF\n"); 00392 #endif 00393 rsbac_target = T_FILE; 00394 if (S_ISDIR(old_dentry->d_inode->i_mode)) 00395 rsbac_target = T_DIR; 00396 else if (S_ISFIFO (old_dentry->d_inode->i_mode)) 00397 rsbac_target = T_FIFO; 00398 else if (S_ISLNK (old_dentry->d_inode->i_mode)) 00399 rsbac_target = T_SYMLINK; 00400 rsbac_target_id.file.device = old_dentry->d_sb->s_dev; 00401 rsbac_target_id.file.inode = old_dentry->d_inode->i_ino; 00402 rsbac_target_id.file.dentry_p = old_dentry; 00403 rsbac_attribute_value.new_dir_dentry_p = new_dentry->d_parent; 00404 if (!rsbac_adf_request(R_RENAME, 00405 current->pid, 00406 rsbac_target, 00407 rsbac_target_id, 00408 A_new_dir_dentry_p, 00409 rsbac_attribute_value)) 00410 return -EPERM; 00411 00412 #ifdef CONFIG_RSBAC_DEBUG 00413 if (rsbac_debug_aef) 00414 printk(KERN_DEBUG "rsbac_aef_inode_rename(): calling ADF for WRITE on new dir\n"); 00415 #endif 00416 rsbac_target_id.dir.device = new_dir->i_sb->s_dev; 00417 rsbac_target_id.dir.inode = new_dir->i_ino; 00418 rsbac_target_id.dir.dentry_p = new_dentry->d_parent; 00419 rsbac_attribute_value.dummy = 0; 00420 if (!rsbac_adf_request(R_WRITE, 00421 current->pid, 00422 T_DIR, 00423 rsbac_target_id, 00424 A_none, 00425 rsbac_attribute_value)) 00426 return -EPERM; 00427 00428 return 0; 00429 } 00430 00431 static int rsbac_aef_sb_umount(struct vfsmount * mnt, int flags) 00432 { 00433 struct super_block * sb = mnt->mnt_sb; 00434 union rsbac_target_id_t rsbac_target_id; 00435 union rsbac_attribute_value_t rsbac_attribute_value; 00436 00437 #ifdef CONFIG_RSBAC_DEBUG 00438 if (rsbac_debug_aef) 00439 printk(KERN_DEBUG "rsbac_aef_sb_umount(): calling ADF for DIR\n"); 00440 #endif 00441 rsbac_target_id.dir.device = sb->s_dev; 00442 rsbac_target_id.dir.inode = sb->s_root->d_inode->i_ino; 00443 rsbac_target_id.dir.dentry_p = sb->s_root; 00444 rsbac_attribute_value.dummy = 0; 00445 if (!rsbac_adf_request(R_UMOUNT, 00446 current->pid, 00447 T_DIR, 00448 rsbac_target_id, 00449 A_none, 00450 rsbac_attribute_value)) 00451 return -EPERM; 00452 00453 #ifdef CONFIG_RSBAC_DEBUG 00454 if (rsbac_debug_aef) 00455 printk(KERN_DEBUG "rsbac_aef_sb_umount(): calling ADF for DEV\n"); 00456 #endif 00457 rsbac_target_id.dev.type = D_block; 00458 rsbac_target_id.dev.id = sb->s_dev; 00459 rsbac_attribute_value.dummy = 0; 00460 if (!rsbac_adf_request(R_UMOUNT, 00461 current->pid, 00462 T_DEV, 00463 rsbac_target_id, 00464 A_none, 00465 rsbac_attribute_value)) 00466 return -EPERM; 00467 00468 if (! (mnt == current->fs->rootmnt && !(flags & MNT_DETACH)) ) 00469 { 00470 #ifdef CONFIG_RSBAC_DEBUG 00471 if (rsbac_debug_ds) 00472 printk(KERN_DEBUG "rsbac_aef_sb_umount(): calling rsbac_umount for Device %02u:%02u\n", 00473 MAJOR(sb->s_dev), MINOR(sb->s_dev)); 00474 #endif 00475 rsbac_umount(sb, mnt->mnt_mountpoint); 00476 } 00477 return 0; 00478 } 00479 00480 static void rsbac_aef_sb_umount_busy(struct vfsmount * mnt) 00481 { 00482 /* RSBAC: reinitialising data structures for this fs (not root fs) */ 00483 #ifdef CONFIG_RSBAC_DEBUG 00484 if (rsbac_debug_ds) 00485 printk(KERN_DEBUG 00486 "rsbac_aef_sb_umount_busy: umount failed, calling rsbac_mount for Device %02u:%02u\n", 00487 MAJOR(mnt->mnt_sb->s_dev), MINOR(mnt->mnt_sb->s_dev)); 00488 #endif 00489 rsbac_mount(mnt->mnt_sb, mnt->mnt_mountpoint); 00490 } 00491 00492 static void rsbac_aef_sb_post_addmount(struct vfsmount * mnt, 00493 struct nameidata * mountpoint_nd) 00494 { 00495 /* RSBAC: initialising data structures for this fs (not root fs) */ 00496 #ifdef CONFIG_RSBAC_DEBUG 00497 if (rsbac_debug_ds) 00498 printk(KERN_DEBUG 00499 "rsbac_aef_sb_post_addmount: calling rsbac_mount for Device %02u:%02u\n", 00500 MAJOR(mnt->mnt_sb->s_dev), MINOR(mnt->mnt_sb->s_dev)); 00501 #endif 00502 rsbac_mount(mnt->mnt_sb, mnt->mnt_mountpoint); 00503 } 00504 00505 static int rsbac_aef_sb_mount(char *dev_name, struct nameidata * nd, 00506 char *type, unsigned long flags, void *data) 00507 { 00508 struct super_block * sb = nd->mnt->mnt_sb; 00509 union rsbac_target_id_t rsbac_target_id; 00510 union rsbac_attribute_value_t rsbac_attribute_value; 00511 00512 #ifdef CONFIG_RSBAC_DEBUG 00513 if (rsbac_debug_aef) 00514 printk(KERN_DEBUG "rsbac_aef_sb_mount(): calling ADF for DIR\n"); 00515 #endif 00516 rsbac_target_id.dir.device = sb->s_dev; 00517 rsbac_target_id.dir.inode = sb->s_root->d_inode->i_ino; 00518 rsbac_target_id.dir.dentry_p = sb->s_root; 00519 rsbac_attribute_value.dummy = 0; 00520 if (!rsbac_adf_request(R_MOUNT, 00521 current->pid, 00522 T_DIR, 00523 rsbac_target_id, 00524 A_none, 00525 rsbac_attribute_value)) 00526 return -EPERM; 00527 00528 #ifdef CONFIG_RSBAC_DEBUG 00529 if (rsbac_debug_aef) 00530 printk(KERN_DEBUG "rsbac_aef_sb_mount(): calling ADF for DEV\n"); 00531 #endif 00532 rsbac_target_id.dev.type = D_block; 00533 rsbac_target_id.dev.id = sb->s_dev; 00534 rsbac_attribute_value.dummy = 0; 00535 if (!rsbac_adf_request(R_MOUNT, 00536 current->pid, 00537 T_DEV, 00538 rsbac_target_id, 00539 A_none, 00540 rsbac_attribute_value)) 00541 return -EPERM; 00542 return 0; 00543 } 00544 00545 static int rsbac_aef_sb_pivotroot(struct nameidata * old_nd, 00546 struct nameidata * new_nd) 00547 { 00548 union rsbac_target_id_t rsbac_target_id; 00549 union rsbac_attribute_value_t rsbac_attribute_value; 00550 00551 #ifdef CONFIG_RSBAC_DEBUG 00552 if (rsbac_debug_aef) 00553 printk(KERN_DEBUG "rsbac_aef_sb_pivotroot(): calling ADF for MOUNT on put_old\n"); 00554 #endif 00555 rsbac_target_id.dir.device = old_nd->dentry->d_sb->s_dev; 00556 rsbac_target_id.dir.inode = old_nd->dentry->d_inode->i_ino; 00557 rsbac_target_id.dir.dentry_p = old_nd->dentry; 00558 rsbac_attribute_value.dummy = 0; 00559 if (!rsbac_adf_request(R_MOUNT, 00560 current->pid, 00561 T_DIR, 00562 rsbac_target_id, 00563 A_none, 00564 rsbac_attribute_value)) 00565 return -EPERM; 00566 00567 #ifdef CONFIG_RSBAC_DEBUG 00568 if (rsbac_debug_aef) 00569 printk(KERN_DEBUG "rsbac_aef_sb_pivotroot(): calling ADF for MOUNT on root DIR\n"); 00570 #endif 00571 rsbac_target_id.dir.device = current->fs->rootmnt->mnt_sb->s_dev; 00572 rsbac_target_id.dir.inode = current->fs->root->d_inode->i_ino; 00573 rsbac_target_id.dir.dentry_p = current->fs->root; 00574 rsbac_attribute_value.dummy = 0; 00575 if (!rsbac_adf_request(R_MOUNT, 00576 current->pid, 00577 T_DIR, 00578 rsbac_target_id, 00579 A_none, 00580 rsbac_attribute_value)) 00581 return -EPERM; 00582 00583 return 0; 00584 } 00585 00586 static int rsbac_aef_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 00587 { 00588 enum rsbac_target_t rsbac_target; 00589 union rsbac_target_id_t rsbac_target_id; 00590 union rsbac_attribute_value_t rsbac_attribute_value; 00591 00592 #ifdef CONFIG_RSBAC_DEBUG 00593 if (rsbac_debug_aef) 00594 printk(KERN_DEBUG "rsbac_aef_inode_getattr(): calling ADF\n"); 00595 #endif 00596 rsbac_target = T_FILE; 00597 if (S_ISDIR (dentry->d_inode->i_mode)) 00598 rsbac_target = T_DIR; 00599 else if (S_ISFIFO (dentry->d_inode->i_mode)) 00600 rsbac_target = T_FIFO; 00601 else if (S_ISLNK (dentry->d_inode->i_mode)) 00602 rsbac_target = T_SYMLINK; 00603 rsbac_target_id.dir.device = dentry->d_sb->s_dev; 00604 rsbac_target_id.dir.inode = dentry->d_inode->i_ino; 00605 rsbac_target_id.dir.dentry_p = dentry; 00606 rsbac_attribute_value.dummy = 0; 00607 if (!rsbac_adf_request(R_GET_STATUS_DATA, 00608 current->pid, 00609 rsbac_target, 00610 rsbac_target_id, 00611 A_none, 00612 rsbac_attribute_value)) 00613 return -EPERM; 00614 else 00615 return 0; 00616 } 00617 00618 static int rsbac_aef_inode_readlink(struct dentry *dentry) 00619 { 00620 union rsbac_target_id_t rsbac_target_id; 00621 union rsbac_attribute_value_t rsbac_attribute_value; 00622 00623 #ifdef CONFIG_RSBAC_DEBUG 00624 if (rsbac_debug_aef) 00625 printk(KERN_DEBUG "rsbac_aef_inode_readlink(): calling ADF\n"); 00626 #endif 00627 rsbac_target_id.dir.device = dentry->d_sb->s_dev; 00628 rsbac_target_id.dir.inode = dentry->d_inode->i_ino; 00629 rsbac_target_id.dir.dentry_p = dentry; 00630 rsbac_attribute_value.dummy = 0; 00631 if (!rsbac_adf_request(R_GET_STATUS_DATA, 00632 current->pid, 00633 T_SYMLINK, 00634 rsbac_target_id, 00635 A_none, 00636 rsbac_attribute_value)) 00637 return -EPERM; 00638 else 00639 return 0; 00640 } 00641 00642 static int rsbac_aef_file_permission(struct file * file, int mask) 00643 { 00644 enum rsbac_adf_request_t rsbac_request; 00645 enum rsbac_target_t rsbac_target = T_NONE; 00646 union rsbac_target_id_t rsbac_target_id; 00647 union rsbac_attribute_value_t rsbac_attribute_value; 00648 00649 #ifdef CONFIG_RSBAC_DEBUG 00650 if (rsbac_debug_aef) 00651 printk(KERN_DEBUG "rsbac_aef_file_permission(): calling ADF\n"); 00652 #endif 00653 if(mask & MAY_WRITE) 00654 rsbac_request = R_WRITE; 00655 else 00656 rsbac_request = R_READ; 00657 #ifdef CONFIG_RSBAC_NET_OBJ_RW 00658 if(S_ISSOCK(file->f_dentry->d_inode->i_mode)) 00659 { 00660 #if !defined(CONFIG_RSBAC_NET_OBJ_UNIX) 00661 if( file->f_dentry->d_inode->u.socket_i.ops 00662 && (file->f_dentry->d_inode->u.socket_i.ops->family != AF_UNIX) 00663 ) 00664 #endif 00665 { 00666 rsbac_target = T_NETOBJ; 00667 rsbac_target_id.netobj.sock_p 00668 = SOCKET_I(file->f_dentry->d_inode); 00669 rsbac_target_id.netobj.local_addr = NULL; 00670 rsbac_target_id.netobj.local_len = 0; 00671 rsbac_target_id.netobj.remote_addr = NULL; 00672 rsbac_target_id.netobj.remote_len = 0; 00673 } 00674 } 00675 else 00676 #endif 00677 #ifdef CONFIG_RSBAC_RW 00678 if( S_ISFIFO(file->f_dentry->d_inode->i_mode) 00679 /* named FIFO only */ 00680 && (file->f_dentry->d_sb->s_magic != PIPEFS_MAGIC) 00681 ) 00682 { 00683 rsbac_target = T_FIFO; 00684 rsbac_target_id.file.device = file->f_dentry->d_sb->s_dev; 00685 rsbac_target_id.fifo.inode = file->f_dentry->d_inode->i_ino; 00686 rsbac_target_id.fifo.dentry_p = file->f_dentry; 00687 } 00688 else 00689 if(S_ISREG(file->f_dentry->d_inode->i_mode)) 00690 { 00691 rsbac_target = T_FILE; 00692 rsbac_target_id.file.device = file->f_dentry->d_sb->s_dev; 00693 rsbac_target_id.file.inode = file->f_dentry->d_inode->i_ino; 00694 rsbac_target_id.file.dentry_p = file->f_dentry; 00695 } 00696 else 00697 if(S_ISBLK(file->f_dentry->d_inode->i_mode)) 00698 { 00699 rsbac_target = T_DEV; 00700 rsbac_target_id.dev.type = D_block; 00701 rsbac_target_id.dev.id = file->f_dentry->d_inode->i_rdev; 00702 } 00703 else 00704 if(S_ISCHR(file->f_dentry->d_inode->i_mode)) 00705 { 00706 rsbac_target = T_DEV; 00707 rsbac_target_id.dev.type = D_char; 00708 rsbac_target_id.dev.id = file->f_dentry->d_inode->i_rdev; 00709 } 00710 else 00711 #endif 00712 if(S_ISDIR(file->f_dentry->d_inode->i_mode)) 00713 { 00714 rsbac_target = T_DIR; 00715 rsbac_target_id.dir.device = file->f_dentry->d_sb->s_dev; 00716 rsbac_target_id.dir.inode = file->f_dentry->d_inode->i_ino; 00717 rsbac_target_id.dir.dentry_p = file->f_dentry; 00718 } 00719 rsbac_attribute_value.dummy = 0; 00720 if ( (rsbac_target != T_NONE) 00721 && !rsbac_adf_request(rsbac_request, 00722 current->pid, 00723 rsbac_target, 00724 rsbac_target_id, 00725 A_none, 00726 rsbac_attribute_value)) 00727 return -EPERM; 00728 else 00729 return 0; 00730 } 00731 00732 static int rsbac_aef_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) 00733 { 00734 union rsbac_target_id_t rsbac_target_id; 00735 union rsbac_attribute_value_t rsbac_attribute_value; 00736 00737 #ifdef CONFIG_RSBAC_DEBUG 00738 if (rsbac_debug_aef) 00739 printk(KERN_DEBUG "rsbac_aef_task_setgid(): calling ADF\n"); 00740 #endif 00741 rsbac_target_id.process = current->pid; 00742 switch(flags) 00743 { 00744 case LSM_SETID_RE: 00745 case LSM_SETID_ID: 00746 case LSM_SETID_RES: 00747 if(id0 != (gid_t) -1) 00748 { 00749 rsbac_attribute_value.group = id0; 00750 if (!rsbac_adf_request(R_CHANGE_GROUP, 00751 current->pid, 00752 T_PROCESS, 00753 rsbac_target_id, 00754 A_group, 00755 rsbac_attribute_value)) 00756 return -EPERM; 00757 } 00758 break; 00759 case LSM_SETID_FS: 00760 break; 00761 00762 default: 00763 printk(KERN_WARNING "rsbac_aef_task_setgid(): called with unknown flags value!\n"); 00764 break; 00765 } 00766 return 0; 00767 } 00768 00769 static int rsbac_aef_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 00770 { 00771 union rsbac_target_id_t rsbac_target_id; 00772 union rsbac_attribute_value_t rsbac_attribute_value; 00773 00774 #ifdef CONFIG_RSBAC_DEBUG 00775 if (rsbac_debug_aef) 00776 printk(KERN_DEBUG "rsbac_aef_task_setuid(): calling ADF\n"); 00777 #endif 00778 rsbac_target_id.process = current->pid; 00779 switch(flags) 00780 { 00781 case LSM_SETID_RE: 00782 if(id0 != (uid_t) -1) 00783 { 00784 rsbac_attribute_value.owner = id0; 00785 if (!rsbac_adf_request(R_CHANGE_OWNER, 00786 current->pid, 00787 T_PROCESS, 00788 rsbac_target_id, 00789 A_owner, 00790 rsbac_attribute_value)) 00791 return -EPERM; 00792 } 00793 #ifdef CONFIG_RSBAC_DAC_OWNER 00794 if(id1 != (uid_t) -1) 00795 { 00796 rsbac_attribute_value.owner = id1; 00797 if (!rsbac_adf_request(R_CHANGE_DAC_EFF_OWNER, 00798 current->pid, 00799 T_PROCESS, 00800 rsbac_target_id, 00801 A_owner, 00802 rsbac_attribute_value)) 00803 return -EPERM; 00804 } 00805 #endif 00806 break; 00807 case LSM_SETID_ID: 00808 rsbac_attribute_value.owner = id0; 00809 if (!rsbac_adf_request(R_CHANGE_OWNER, 00810 current->pid, 00811 T_PROCESS, 00812 rsbac_target_id, 00813 A_owner, 00814 rsbac_attribute_value)) 00815 return -EPERM; 00816 #ifdef CONFIG_RSBAC_DAC_OWNER 00817 if (!rsbac_adf_request(R_CHANGE_DAC_EFF_OWNER, 00818 current->pid, 00819 T_PROCESS, 00820 rsbac_target_id, 00821 A_owner, 00822 rsbac_attribute_value)) 00823 return -EPERM; 00824 if (!rsbac_adf_request(R_CHANGE_DAC_FS_OWNER, 00825 current->pid, 00826 T_PROCESS, 00827 rsbac_target_id, 00828 A_owner, 00829 rsbac_attribute_value)) 00830 return -EPERM; 00831 #endif 00832 break; 00833 case LSM_SETID_RES: 00834 if(id0 != (uid_t) -1) 00835 { 00836 rsbac_attribute_value.group = id0; 00837 if (!rsbac_adf_request(R_GET_STATUS_DATA, 00838 current->pid, 00839 T_PROCESS, 00840 rsbac_target_id, 00841 A_group, 00842 rsbac_attribute_value)) 00843 return -EPERM; 00844 } 00845 #ifdef CONFIG_RSBAC_DAC_OWNER 00846 if(id1 != (uid_t) -1) 00847 { 00848 rsbac_attribute_value.owner = id1; 00849 if (!rsbac_adf_request(R_CHANGE_DAC_EFF_OWNER, 00850 current->pid, 00851 T_PROCESS, 00852 rsbac_target_id, 00853 A_owner, 00854 rsbac_attribute_value)) 00855 return -EPERM; 00856 } 00857 else 00858 rsbac_attribute_value.owner = current->euid; 00859 if (!rsbac_adf_request(R_CHANGE_DAC_FS_OWNER, 00860 current->pid, 00861 T_PROCESS, 00862 rsbac_target_id, 00863 A_owner, 00864 rsbac_attribute_value)) 00865 return -EPERM; 00866 #endif 00867 break; 00868 case LSM_SETID_FS: 00869 #ifdef CONFIG_RSBAC_DAC_OWNER 00870 rsbac_attribute_value.owner = id0; 00871 if (!rsbac_adf_request(R_CHANGE_DAC_FS_OWNER, 00872 current->pid, 00873 T_PROCESS, 00874 rsbac_target_id, 00875 A_owner, 00876 rsbac_attribute_value)) 00877 return -EPERM; 00878 #endif 00879 break; 00880 00881 default: 00882 printk(KERN_WARNING "rsbac_aef_task_setuid(): called with unknown flags value!\n"); 00883 break; 00884 } 00885 return 0; 00886 } 00887 00888 static int rsbac_aef_task_setgroups(int gidsetsize, gid_t * grouplist) 00889 { 00890 union rsbac_target_id_t rsbac_target_id; 00891 union rsbac_attribute_value_t rsbac_attribute_value; 00892 00893 #ifdef CONFIG_RSBAC_DEBUG 00894 if (rsbac_debug_aef) 00895 printk(KERN_DEBUG "rsbac_aef_task_setgroups(): calling ADF\n"); 00896 #endif 00897 rsbac_target_id.process = current->pid; 00898 rsbac_attribute_value.dummy = 0; 00899 if (!rsbac_adf_request(R_CHANGE_GROUP, 00900 current->pid, 00901 T_PROCESS, 00902 rsbac_target_id, 00903 A_none, 00904 rsbac_attribute_value)) 00905 return -EPERM; 00906 else 00907 return 0; 00908 } 00909 00910 static int rsbac_aef_task_setrlimit(unsigned int resource, struct rlimit * new_rlim) 00911 { 00912 union rsbac_target_id_t rsbac_target_id; 00913 union rsbac_attribute_value_t rsbac_attribute_value; 00914 00915 #ifdef CONFIG_RSBAC_DEBUG 00916 if (rsbac_debug_aef) 00917 printk(KERN_DEBUG "rsbac_aef_task_setrlimit(): calling ADF\n"); 00918 #endif 00919 rsbac_target_id.scd = ST_rlimit; 00920 rsbac_attribute_value.dummy = 0; 00921 if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA, 00922 current->pid, 00923 T_SCD, 00924 rsbac_target_id, 00925 A_none, 00926 rsbac_attribute_value)) 00927 return -EPERM; 00928 else 00929 return 0; 00930 } 00931 00932 static int rsbac_aef_task_kill(struct task_struct * p, 00933 struct siginfo * info, int sig) 00934 { 00935 union rsbac_target_id_t rsbac_target_id; 00936 union rsbac_attribute_value_t rsbac_attribute_value; 00937 00938 #if 0 00939 if( (!info || ((unsigned long)info != 1 && 00940 (unsigned long)info != 2 && SI_FROMUSER(info))) 00941 && ((sig != SIGCONT) || (current->session != p->session)) 00942 ) 00943 #endif 00944 { 00945 if(in_interrupt()) 00946 printk(KERN_DEBUG "signal in interrupt, caller_pid %u, target pid %u, signal %u\n", 00947 current->pid, p->pid, sig); 00948 #ifdef CONFIG_RSBAC_DEBUG 00949 if (rsbac_debug_aef) 00950 printk(KERN_DEBUG "rsbac_aef_task_kill(): calling ADF\n"); 00951 #endif 00952 rsbac_target_id.process = p->pid; 00953 rsbac_attribute_value.signal = sig; 00954 if (!rsbac_adf_request(R_SEND_SIGNAL, 00955 current->pid, 00956 T_PROCESS, 00957 rsbac_target_id, 00958 A_signal, 00959 rsbac_attribute_value)) 00960 return -EPERM; 00961 } 00962 return 0; 00963 } 00964 00965 #ifdef CONFIG_RSBAC_SYSLOG 00966 static int rsbac_aef_syslog(int type) 00967 { 00968 enum rsbac_adf_request_t rsbac_request; 00969 union rsbac_target_id_t rsbac_target_id; 00970 union rsbac_attribute_value_t rsbac_attribute_value; 00971 00972 #ifdef CONFIG_RSBAC_DEBUG 00973 if (rsbac_debug_aef) 00974 printk(KERN_DEBUG "rsbac_aef_syslog(): calling ADF\n"); 00975 #endif 00976 switch(type) 00977 { 00978 case 2: 00979 case 3: 00980 rsbac_request = R_GET_STATUS_DATA; 00981 break; 00982 case 4: 00983 case 5: 00984 case 6: 00985 case 7: 00986 case 8: 00987 rsbac_request = R_MODIFY_SYSTEM_DATA; 00988 break; 00989 00990 default: 00991 return 0; 00992 } 00993 rsbac_target_id.scd = ST_syslog; 00994 rsbac_attribute_value.dummy = 0; 00995 if (!rsbac_adf_request(rsbac_request, 00996 current->pid, 00997 T_SCD, 00998 rsbac_target_id, 00999 A_signal, 01000 rsbac_attribute_value)) 01001 return -EPERM; 01002 else 01003 return 0; 01004 } 01005 #endif 01006 01007 static int rsbac_aef_sysctl(ctl_table * table, int op) 01008 { 01009 union rsbac_target_id_t rsbac_target_id; 01010 union rsbac_attribute_value_t rsbac_attribute_value; 01011 01012 #ifdef CONFIG_RSBAC_DEBUG 01013 if (rsbac_debug_aef) 01014 printk(KERN_DEBUG "rsbac_aef_sysctl(): calling ADF\n"); 01015 #endif 01016 if(!(op & S_IWUGO)) 01017 return 0; 01018 switch(table->ctl_name) 01019 { 01020 case KERN_NODENAME: 01021 rsbac_target_id.scd = ST_host_id; 01022 break; 01023 case KERN_DOMAINNAME: 01024 rsbac_target_id.scd = ST_net_id; 01025 break; 01026 default: 01027 rsbac_target_id.scd = ST_other; 01028 } 01029 rsbac_attribute_value.dummy = 0; 01030 if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA, 01031 current->pid, 01032 T_SCD, 01033 rsbac_target_id, 01034 A_signal, 01035 rsbac_attribute_value)) 01036 return -EPERM; 01037 else 01038 return 0; 01039 } 01040 01041 static int rsbac_aef_msg_queue_alloc_security(struct msg_queue * msq) 01042 { 01043 union rsbac_target_id_t rsbac_target_id; 01044 union rsbac_attribute_value_t rsbac_attribute_value; 01045 01046 #ifdef CONFIG_RSBAC_DEBUG 01047 if (rsbac_debug_aef) 01048 printk(KERN_DEBUG "rsbac_aef_msg_queue_alloc_security(): calling ADF\n"); 01049 #endif 01050 rsbac_target_id.ipc.type = I_msg; 01051 rsbac_target_id.ipc.id.id_nr = 0; 01052 rsbac_attribute_value.dummy = 0; 01053 if (!rsbac_adf_request(R_CREATE, 01054 current->pid, 01055 T_IPC, 01056 rsbac_target_id, 01057 A_none, 01058 rsbac_attribute_value)) 01059 return -EPERM; 01060 else 01061 return 0; 01062 } 01063 01064 static void rsbac_aef_shm_free_security(struct shmid_kernel * shp) 01065 { 01066 union rsbac_target_id_t rsbac_target_id; 01067 01068 #ifdef CONFIG_RSBAC_DEBUG 01069 if (rsbac_debug_aef) 01070 printk(KERN_DEBUG "rsbac_aef_shm_free_security: calling ACI remove_target()\n"); 01071 #endif 01072 rsbac_target_id.ipc.type = I_shm; 01073 rsbac_target_id.ipc.id.id_nr = shp->id; 01074 rsbac_remove_target(T_IPC, rsbac_target_id); 01075 } 01076 01077 static int rsbac_aef_shm_alloc_security(struct shmid_kernel * shp) 01078 { 01079 union rsbac_target_id_t rsbac_target_id; 01080 union rsbac_attribute_value_t rsbac_attribute_value; 01081 01082 #ifdef CONFIG_RSBAC_DEBUG 01083 if (rsbac_debug_aef) 01084 printk(KERN_DEBUG "rsbac_aef_shm_alloc_security(): calling ADF\n"); 01085 #endif 01086 rsbac_target_id.ipc.type = I_shm; 01087 rsbac_target_id.ipc.id.id_nr = 0; 01088 rsbac_attribute_value.dummy = 0; 01089 if (!rsbac_adf_request(R_CREATE, 01090 current->pid, 01091 T_IPC, 01092 rsbac_target_id, 01093 A_none, 01094 rsbac_attribute_value)) 01095 return -EPERM; 01096 else 01097 return 0; 01098 } 01099 01100 static int rsbac_aef_shm_shmat(struct shmid_kernel * shp, 01101 char *shmaddr, int shmflg) 01102 { 01103 enum rsbac_adf_request_t rsbac_request; 01104 union rsbac_target_id_t rsbac_target_id; 01105 union rsbac_attribute_value_t rsbac_attribute_value; 01106 01107 #ifdef CONFIG_RSBAC_DEBUG 01108 if (rsbac_debug_aef) 01109 printk(KERN_DEBUG "rsbac_aef_shm_shmat(): calling ADF\n"); 01110 #endif 01111 if ((shmflg & SHM_RDONLY)) 01112 rsbac_request = R_READ_OPEN; 01113 else 01114 rsbac_request = R_READ_WRITE_OPEN; 01115 rsbac_target_id.ipc.type = I_shm; 01116 rsbac_target_id.ipc.id.id_nr = shp->id; 01117 rsbac_attribute_value.dummy = 0; 01118 if (!rsbac_adf_request(rsbac_request, 01119 current->pid, 01120 T_IPC, 01121 rsbac_target_id, 01122 A_none, 01123 rsbac_attribute_value)) 01124 return -EPERM; 01125 else 01126 return 0; 01127 } 01128 01129 #ifdef CONFIG_RSBAC_IPC_SEM 01130 static int rsbac_aef_sem_alloc_security(struct sem_array * sma) 01131 { 01132 union rsbac_target_id_t rsbac_target_id; 01133 union rsbac_attribute_value_t rsbac_attribute_value; 01134 01135 #ifdef CONFIG_RSBAC_DEBUG 01136 if (rsbac_debug_aef) 01137 printk(KERN_DEBUG "rsbac_aef_sem_alloc_security(): calling ADF\n"); 01138 #endif 01139 rsbac_target_id.ipc.type = I_sem; 01140 rsbac_target_id.ipc.id.id_nr = 0; 01141 rsbac_attribute_value.dummy = 0; 01142 if (!rsbac_adf_request(R_CREATE, 01143 current->pid, 01144 T_IPC, 01145 rsbac_target_id, 01146 A_none, 01147 rsbac_attribute_value)) 01148 return -EPERM; 01149 else 01150 return 0; 01151 } 01152 #endif 01153 01154 #ifdef CONFIG_RSBAC_NET_OBJ 01155 static int rsbac_aef_socket_accept(struct socket * sock, struct socket * newsock) 01156 { 01157 union rsbac_target_id_t rsbac_target_id; 01158 union rsbac_attribute_value_t rsbac_attribute_value; 01159 01160 #if !defined(CONFIG_RSBAC_NET_OBJ_UNIX) 01161 if( sock->ops 01162 && (sock->ops->family != AF_UNIX) 01163 ) 01164 #endif 01165 { 01166 #ifdef CONFIG_RSBAC_DEBUG 01167 if (rsbac_debug_aef) 01168 printk(KERN_DEBUG "rsbac_aef_socket_accept(): calling ADF\n"); 01169 #endif 01170 rsbac_target_id.netobj.sock_p = newsock; 01171 rsbac_target_id.netobj.local_addr = NULL; 01172 rsbac_target_id.netobj.local_len = 0; 01173 rsbac_target_id.netobj.remote_addr = NULL; 01174 rsbac_target_id.netobj.remote_len = 0; 01175 rsbac_attribute_value.dummy = 0; 01176 if (!rsbac_adf_request(R_ACCEPT, 01177 current->pid, 01178 T_NETOBJ, 01179 rsbac_target_id, 01180 A_none, 01181 rsbac_attribute_value)) 01182 { 01183 #ifdef CONFIG_RSBAC_DEBUG 01184 if (rsbac_debug_aef) 01185 printk(KERN_DEBUG "rsbac_aef_socket_accept(): ADF returned NOT_GRANTED\n"); 01186 #endif 01187 return -EPERM; 01188 } 01189 } 01190 return 0; 01191 } 01192 01193 static void rsbac_aef_socket_post_accept(struct socket * sock, struct socket * newsock) 01194 { 01195 union rsbac_target_id_t rsbac_target_id; 01196 union rsbac_target_id_t rsbac_new_target_id; 01197 union rsbac_attribute_value_t rsbac_attribute_value; 01198 01199 #if !defined(CONFIG_RSBAC_NET_OBJ_UNIX) 01200 if( sock->ops 01201 && (sock->ops->family != AF_UNIX) 01202 ) 01203 #endif 01204 { 01205 rsbac_target_id.netobj.sock_p = newsock; 01206 rsbac_target_id.netobj.local_addr = NULL; 01207 rsbac_target_id.netobj.local_len = 0; 01208 rsbac_target_id.netobj.remote_addr = NULL; 01209 rsbac_target_id.netobj.remote_len = 0; 01210 rsbac_attribute_value.dummy = 0; 01211 rsbac_new_target_id.dummy = 0; 01212 if (rsbac_adf_set_attr(R_ACCEPT, 01213 current->pid, 01214 T_NETOBJ, 01215 rsbac_target_id, 01216 T_NONE, 01217 rsbac_new_target_id, 01218 A_none, 01219 rsbac_attribute_value)) 01220 { 01221 printk(KERN_WARNING 01222 "rsbac_aef_socket_post_accept(): rsbac_adf_set_attr() returned error\n"); 01223 } 01224 } 01225 } 01226 #endif 01227 01228 #ifdef CONFIG_RSBAC_INIT_DELAY 01229 static struct security_operations rsbac_sec_ops = { 01230 #else 01231 static struct security_operations rsbac_sec_ops = { 01232 #endif 01233 .ptrace = rsbac_aef_ptrace, 01234 .sb_statfs = rsbac_aef_statfs, 01235 .inode_follow_link = rsbac_aef_inode_follow_link, 01236 .inode_create = rsbac_aef_inode_create, 01237 .inode_post_create = rsbac_aef_inode_post_create, 01238 .inode_mknod = rsbac_aef_inode_mknod, 01239 .inode_post_mknod = rsbac_aef_inode_post_mknod, 01240 .inode_mkdir = rsbac_aef_inode_mkdir, 01241 .inode_post_mkdir = rsbac_aef_inode_post_mkdir, 01242 .inode_symlink = rsbac_aef_inode_symlink, 01243 .inode_post_symlink = rsbac_aef_inode_post_symlink, 01244 .inode_link = rsbac_aef_inode_link, 01245 .inode_rename = rsbac_aef_inode_rename, 01246 .sb_umount = rsbac_aef_sb_umount, 01247 .sb_umount_busy = rsbac_aef_sb_umount_busy, 01248 .sb_post_addmount = rsbac_aef_sb_post_addmount, 01249 .sb_mount = rsbac_aef_sb_mount, 01250 .sb_pivotroot = rsbac_aef_sb_pivotroot, 01251 .inode_getattr = rsbac_aef_inode_getattr, 01252 .inode_readlink = rsbac_aef_inode_readlink, 01253 .file_permission = rsbac_aef_file_permission, 01254 .task_setgid = rsbac_aef_task_setgid, 01255 .task_setuid = rsbac_aef_task_setuid, 01256 .task_setgroups = rsbac_aef_task_setgroups, 01257 .task_setrlimit = rsbac_aef_task_setrlimit, 01258 .task_kill = rsbac_aef_task_kill, 01259 #ifdef CONFIG_RSBAC_SYSLOG 01260 .syslog = rsbac_aef_syslog, 01261 #endif 01262 .sysctl = rsbac_aef_sysctl, 01263 .msg_queue_alloc_security = rsbac_aef_msg_queue_alloc_security, 01264 .shm_free_security = rsbac_aef_shm_free_security, 01265 .shm_alloc_security = rsbac_aef_shm_alloc_security, 01266 #ifdef CONFIG_RSBAC_IPC_SEM 01267 .sem_alloc_security = rsbac_aef_sem_alloc_security, 01268 #endif 01269 #ifdef CONFIG_RSBAC_NET_OBJ 01270 .socket_accept = rsbac_aef_socket_accept, 01271 .socket_post_accept = rsbac_aef_socket_post_accept, 01272 #endif 01273 .shm_shmat = rsbac_aef_shm_shmat 01274 }; 01275 01276 int rsbac_lsm_register(void) 01277 { 01278 if (register_security (&rsbac_sec_ops)) 01279 { 01280 printk (KERN_INFO 01281 "Failure registering RSBAC with LSM, trying to stack on primary module\n"); 01282 /* try registering with primary module */ 01283 if (mod_reg_security ("RSBAC", &rsbac_sec_ops)) 01284 { 01285 printk (KERN_ERR "Failure registering RSBAC " 01286 "with primary LSM security module, interceptions missing!\n"); 01287 return -EINVAL; 01288 } 01289 } 01290 return 0; 01291 }

Generated on Tue Aug 31 10:05:26 2004 for RSBAC by doxygen 1.3.8