00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
#include <linux/string.h>
00012
#include <linux/init.h>
00013
#include <linux/config.h>
00014
#include <linux/module.h>
00015
#include <rsbac/types.h>
00016
#include <rsbac/aci.h>
00017
#include <rsbac/adf.h>
00018
#include <rsbac/adf_main.h>
00019
#include <rsbac/error.h>
00020
#include <rsbac/helpers.h>
00021
#include <rsbac/getname.h>
00022
#include <rsbac/rkmem.h>
00023
#include <rsbac/network.h>
00024
00025
#ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
00026
#include <linux/nfs_fs.h>
00027
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00028
#include <linux/coda.h>
00029
#endif
00030
#include <linux/coda_psdev.h>
00031
#include <linux/ncp_fs.h>
00032
#include <linux/smb.h>
00033
#endif
00034
00035
#ifdef CONFIG_RSBAC_SECDEL
00036
#include <linux/types.h>
00037
#include <linux/dcache.h>
00038
#include <asm/uaccess.h>
00039
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00040
#include <linux/buffer_head.h>
00041
#endif
00042
#endif
00043
00044
00045
00046
00047
00048 u_long
rsbac_adf_request_count[
T_NONE+1] = {0,0,0,0,0,0,0,0};
00049 u_long
rsbac_adf_set_attr_count[
T_NONE+1] = {0,0,0,0,0,0,0,0};
00050
#ifdef CONFIG_RSBAC_XSTATS
00051
u_long rsbac_adf_request_xcount[
T_NONE+1][
R_NONE];
00052 u_long rsbac_adf_set_attr_xcount[
T_NONE+1][
R_NONE];
00053
#endif
00054
00055
#ifdef CONFIG_RSBAC_SWITCH
00056
00057
00058
#ifdef CONFIG_RSBAC_MAC
00059
boolean rsbac_switch_mac =
TRUE;
00060
#endif
00061
00062
00063
#ifdef CONFIG_RSBAC_FC
00064
boolean rsbac_switch_fc =
TRUE;
00065
#endif
00066
00067
00068
#ifdef CONFIG_RSBAC_SIM
00069
boolean rsbac_switch_sim =
TRUE;
00070
#endif
00071
00072
00073
#ifdef CONFIG_RSBAC_PM
00074
boolean rsbac_switch_pm =
TRUE;
00075
#endif
00076
00077
00078
#ifdef CONFIG_RSBAC_DAZ
00079
boolean rsbac_switch_daz =
TRUE;
00080
#endif
00081
00082
00083
#ifdef CONFIG_RSBAC_FF
00084
boolean rsbac_switch_ff =
TRUE;
00085
#endif
00086
00087
00088
#ifdef CONFIG_RSBAC_RC
00089
boolean rsbac_switch_rc =
TRUE;
00090
#endif
00091
00092
00093
#ifdef CONFIG_RSBAC_AUTH
00094
boolean rsbac_switch_auth =
TRUE;
00095
#endif
00096
00097
00098
#ifdef CONFIG_RSBAC_ACL
00099
boolean rsbac_switch_acl =
TRUE;
00100
#endif
00101
00102
00103
#ifdef CONFIG_RSBAC_CAP
00104
boolean rsbac_switch_cap =
TRUE;
00105
#endif
00106
00107
00108
#ifdef CONFIG_RSBAC_JAIL
00109
boolean rsbac_switch_jail =
TRUE;
00110
#endif
00111
00112
00113
#ifdef CONFIG_RSBAC_PAX
00114
boolean rsbac_switch_pax =
TRUE;
00115
#endif
00116
00117
00118
#ifdef CONFIG_RSBAC_RES
00119
boolean rsbac_switch_res =
TRUE;
00120
#endif
00121
00122
#endif
00123
00124
00125
00126
00127
00128
00129
00130
00131
00132
00133
00134
#ifdef CONFIG_RSBAC_INIT_DELAY
00135
void rsbac_init_adf(
void)
00136 #
else
00137 void __init
rsbac_init_adf(
void)
00138 #endif
00139 {
00140
#if defined(CONFIG_RSBAC_REG)
00141
rsbac_reg_init();
00142
#endif
00143
};
00144
00145
enum rsbac_adf_req_ret_t
00146 adf_and_plus(
enum rsbac_adf_req_ret_t res1,
00147
enum rsbac_adf_req_ret_t res2)
00148 {
00149
switch (res1)
00150 {
00151
case GRANTED:
if (res2 ==
DO_NOT_CARE)
00152
return (
GRANTED);
00153
else
00154
return (res2);
00155
case NOT_GRANTED:
if (res2 ==
UNDEFINED)
00156
return (
UNDEFINED);
00157
else
00158
return (
NOT_GRANTED);
00159
case DO_NOT_CARE:
return (res2);
00160
default:
return (
UNDEFINED);
00161 }
00162 };
00163
00164
00165
00166
00167
00168
EXPORT_SYMBOL(rsbac_adf_request_int);
00169
enum rsbac_adf_req_ret_t
00170 rsbac_adf_request_int(
enum rsbac_adf_request_t request,
00171
rsbac_pid_t caller_pid,
00172
enum rsbac_target_t target,
00173
union rsbac_target_id_t tid,
00174
enum rsbac_attribute_t attr,
00175
union rsbac_attribute_value_t attr_val,
00176
enum rsbac_switch_target_t ignore_module)
00177 {
00178
union rsbac_target_id_t i_tid;
00179
union rsbac_attribute_value_t i_attr_val;
00180
rsbac_uid_t owner=0;
00181
int tmperr=0;
00182
enum rsbac_adf_req_ret_t result =
DO_NOT_CARE;
00183
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00184
enum rsbac_adf_req_ret_t ret_result =
DO_NOT_CARE;
00185
#endif
00186
#ifndef CONFIG_RSBAC_MAINT
00187
enum rsbac_adf_req_ret_t mod_result[
SW_NONE + 1] = {
00188
DO_NOT_CARE,
00189
DO_NOT_CARE,
00190
DO_NOT_CARE,
00191
DO_NOT_CARE,
00192
DO_NOT_CARE,
00193
DO_NOT_CARE,
00194
DO_NOT_CARE,
00195
DO_NOT_CARE,
00196
DO_NOT_CARE,
00197
DO_NOT_CARE,
00198
DO_NOT_CARE,
00199
DO_NOT_CARE,
00200
DO_NOT_CARE,
00201
DO_NOT_CARE,
00202
DO_NOT_CARE,
00203
DO_NOT_CARE,
00204
DO_NOT_CARE,
00205
DO_NOT_CARE
00206 };
00207
#endif
00208
boolean do_log =
FALSE;
00209
boolean log_on_request =
TRUE;
00210
00211
#if defined(CONFIG_RSBAC_IND_LOG) || defined(CONFIG_RSBAC_IND_NETDEV_LOG) || defined(CONFIG_RSBAC_IND_NETOBJ_LOG)
00212
union rsbac_attribute_value_t i_attr_val2;
00213
enum rsbac_log_level_t log_level;
00214
#endif
00215
struct super_block * sb_p;
00216
#ifdef CONFIG_RSBAC_SOFTMODE
00217
boolean rsbac_internal =
FALSE;
00218
#endif
00219
00220
00221
if (!
rsbac_is_initialized())
00222
return(
DO_NOT_CARE);
00223
00224
00225
if ( !caller_pid
00226
#if defined(CONFIG_RSBAC_LOG_REMOTE)
00227
|| (caller_pid == rsbaclogd_pid)
00228
#endif
00229
)
00230
return(
GRANTED);
00231
00232
00233
if( request >=
R_NONE
00234 || target >
T_NONE
00235 || attr >
A_none)
00236 {
00237
#ifdef CONFIG_RSBAC_RMSG
00238
rsbac_printk(KERN_WARNING
00239
"rsbac_adf_request(): called with invalid request, target or attribute\n");
00240
#endif
00241
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00242
if (!rsbac_nosyslog)
00243
#endif
00244
printk(KERN_WARNING
00245
"rsbac_adf_request(): called with invalid request, target or attribute\n");
00246
return(
NOT_GRANTED);
00247 }
00248
00249
if (in_interrupt())
00250 {
00251
char * request_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00252
00253
if(request_name)
00254 {
00255
get_request_name(request_name, request);
00256
#ifdef CONFIG_RSBAC_RMSG
00257
rsbac_printk(KERN_WARNING
"rsbac_adf_request(): called from interrupt: request %s, pid %u, attr_val %u!\n",
00258 request_name, caller_pid, attr_val.
dummy);
00259
#endif
00260
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00261
if (!rsbac_nosyslog)
00262
#endif
00263
printk(KERN_WARNING
"rsbac_adf_request(): called from interrupt: request %s, pid %u, attr_val %u!\n",
00264 request_name, caller_pid, attr_val.
dummy);
00265 kfree(request_name);
00266 }
00267
else
00268 {
00269
#ifdef CONFIG_RSBAC_RMSG
00270
rsbac_printk(KERN_WARNING
"rsbac_adf_request(): called from interrupt: request %u, pid %u!\n",
00271 request, caller_pid);
00272
#endif
00273
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00274
if (!rsbac_nosyslog)
00275
#endif
00276
printk(KERN_WARNING
"rsbac_adf_request(): called from interrupt: request %u, pid %u!\n",
00277 request, caller_pid);
00278 }
00279
00280 }
00281
00282
00283
00284
00285
if (caller_pid > 1)
00286 {
00287 tmperr = rsbac_get_owner(&owner);
00288
if(tmperr)
00289 {
00290
#ifdef CONFIG_RSBAC_RMSG
00291
rsbac_printk(KERN_DEBUG
00292
"rsbac_adf_request(): caller_pid %i, RSBAC not initialized, returning DO_NOT_CARE",
00293 caller_pid);
00294
#endif
00295
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00296
if (!rsbac_nosyslog)
00297
#endif
00298
printk(KERN_DEBUG
00299
"rsbac_adf_request(): caller_pid %i, RSBAC not initialized, returning DO_NOT_CARE",
00300 caller_pid);
00301
return(
DO_NOT_CARE);
00302 }
00303 }
00304
else
00305 owner = 0;
00306
00307
00308
00309
00310
00311
switch(target)
00312 {
00313
case T_FILE:
00314
case T_DIR:
00315
case T_FIFO:
00316
case T_SYMLINK:
00317
#ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
00318
if ( ((sb_p =
rsbac_get_super_block(tid.file.device)))
00319 && ( (sb_p->s_magic == NFS_SUPER_MAGIC)
00320 || (sb_p->s_magic == CODA_SUPER_MAGIC)
00321 || (sb_p->s_magic == NCP_SUPER_MAGIC)
00322 || (sb_p->s_magic == SMB_SUPER_MAGIC)
00323 )
00324 )
00325 {
00326 result =
DO_NOT_CARE;
00327
goto log;
00328 }
00329
#endif
00330
00331
if( (target ==
T_FIFO)
00332 && ((sb_p =
rsbac_get_super_block(tid.file.device)))
00333 && (sb_p->s_magic == PIPEFS_MAGIC)
00334 )
00335
return DO_NOT_CARE;
00336
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
00337
00338
if( (target ==
T_FILE)
00339 && (!RSBAC_MAJOR(tid.file.device))
00340 && (!RSBAC_MINOR(tid.file.device))
00341 )
00342
return DO_NOT_CARE;
00343
#endif
00344
switch(request)
00345 {
00346
case R_GET_STATUS_DATA:
00347
case R_READ_ATTRIBUTE:
00348
#ifdef CONFIG_RSBAC_DAT_VISIBLE
00349
case R_SEARCH:
00350
case R_READ:
00351
case R_CLOSE:
00352
case R_CHDIR:
00353
case R_GET_PERMISSIONS_DATA:
00354
#endif
00355
break;
00356
00357
default:
00358
if ((tmperr =
rsbac_get_attr(
GEN,
00359 target,
00360 tid,
00361 A_internal,
00362 &i_attr_val,
00363
TRUE) ))
00364 {
00365
if(tmperr == -
RSBAC_EINVALIDDEV)
00366 {
00367 rsbac_ds_get_error(
"rsbac_adf_request()", A_internal);
00368
return(
DO_NOT_CARE);
00369 }
00370
else
00371 {
00372 rsbac_ds_get_error(
"rsbac_adf_request()", A_internal);
00373
return(
NOT_GRANTED);
00374 }
00375 }
00376
00377
if (i_attr_val.internal)
00378 {
00379
#ifdef CONFIG_RSBAC_RMSG
00380
rsbac_printk(KERN_WARNING
00381
"rsbac_adf_request(): trial to access object declared RSBAC-internal!\n");
00382
#endif
00383
#ifndef CONFIG_RSBAC_RMSG_EXCL
00384
00385
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00386
if (!rsbac_nosyslog)
00387
#endif
00388
printk(KERN_WARNING
00389
"rsbac_adf_request(): trial to access object declared RSBAC-internal!\n");
00390
#endif
00391
result =
NOT_GRANTED;
00392
#ifndef CONFIG_RSBAC_MAINT
00393
mod_result[
SW_NONE] =
NOT_GRANTED;
00394
#endif
00395
#ifdef CONFIG_RSBAC_SOFTMODE
00396
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00397
ret_result =
NOT_GRANTED;
00398
#endif
00399
rsbac_internal =
TRUE;
00400
#endif
00401
}
00402 }
00403
break;
00404
00405
default:
00406
break;
00407 }
00408
00409
00410
00411
00412
#ifdef CONFIG_RSBAC_DEBUG
00413
00414
00415 result =
adf_and_plus(result,
rsbac_adf_request_check(request,
00416 caller_pid,
00417 target,
00418 tid,
00419 attr,
00420 attr_val,
00421 owner) );
00422
00423
if(result ==
UNDEFINED)
00424
goto log;
00425
#endif
00426
00427
#if !defined(CONFIG_RSBAC_MAINT)
00428
00429
#if defined(CONFIG_RSBAC_MAC)
00430
#ifdef CONFIG_RSBAC_SWITCH
00431
if (rsbac_switch_mac)
00432
#endif
00433
00434
if(ignore_module !=
MAC)
00435 {
00436 mod_result[
MAC] =
rsbac_adf_request_mac(request,
00437 caller_pid,
00438 target,
00439 tid,
00440 attr,
00441 attr_val,
00442 owner);
00443 result =
adf_and_plus(result, mod_result[
MAC]);
00444
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00445
if(!rsbac_ind_softmode[
MAC])
00446 ret_result =
adf_and_plus(ret_result, mod_result[
MAC]);
00447
#endif
00448
}
00449
#endif
00450
00451
00452
#if defined(CONFIG_RSBAC_FC)
00453
#ifdef CONFIG_RSBAC_SWITCH
00454
if (rsbac_switch_fc)
00455
#endif
00456
00457
if(ignore_module !=
FC)
00458 {
00459 mod_result[
FC] =
rsbac_adf_request_fc (request,
00460 caller_pid,
00461 target,
00462 tid,
00463 attr,
00464 attr_val,
00465 owner);
00466 result =
adf_and_plus(result, mod_result[
FC]);
00467
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00468
if(!rsbac_ind_softmode[
FC])
00469 ret_result =
adf_and_plus(ret_result, mod_result[
FC]);
00470
#endif
00471
}
00472
#endif
00473
00474
00475
#if defined(CONFIG_RSBAC_SIM)
00476
#ifdef CONFIG_RSBAC_SWITCH
00477
if (rsbac_switch_sim)
00478
#endif
00479
00480
if(ignore_module !=
SIM)
00481 {
00482 mod_result[
SIM] =
rsbac_adf_request_sim(request,
00483 caller_pid,
00484 target,
00485 tid,
00486 attr,
00487 attr_val,
00488 owner);
00489 result =
adf_and_plus(result, mod_result[
SIM]);
00490
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00491
if(!rsbac_ind_softmode[
SIM])
00492 ret_result =
adf_and_plus(ret_result, mod_result[
SIM]);
00493
#endif
00494
}
00495
#endif
00496
00497
00498
#if defined(CONFIG_RSBAC_PM)
00499
#ifdef CONFIG_RSBAC_SWITCH
00500
if (rsbac_switch_pm)
00501
#endif
00502
00503
if(ignore_module !=
PM)
00504 {
00505 mod_result[
PM] =
rsbac_adf_request_pm (request,
00506 caller_pid,
00507 target,
00508 tid,
00509 attr,
00510 attr_val,
00511 owner);
00512 result =
adf_and_plus(result, mod_result[
PM]);
00513
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00514
if(!rsbac_ind_softmode[
PM])
00515 ret_result =
adf_and_plus(ret_result, mod_result[
PM]);
00516
#endif
00517
}
00518
#endif
00519
00520
00521
#if defined(CONFIG_RSBAC_DAZ)
00522
#ifdef CONFIG_RSBAC_SWITCH
00523
if (rsbac_switch_daz)
00524
#endif
00525
00526
if(ignore_module !=
DAZ)
00527 {
00528 mod_result[
DAZ] =
rsbac_adf_request_daz (request,
00529 caller_pid,
00530 target,
00531 tid,
00532 attr,
00533 attr_val,
00534 owner);
00535 result =
adf_and_plus(result, mod_result[
DAZ]);
00536
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00537
if(!rsbac_ind_softmode[
DAZ])
00538 ret_result =
adf_and_plus(ret_result, mod_result[
DAZ]);
00539
#endif
00540
}
00541
#endif
00542
00543
00544
#if defined(CONFIG_RSBAC_FF)
00545
#ifdef CONFIG_RSBAC_SWITCH
00546
if (rsbac_switch_ff)
00547
#endif
00548
00549
if(ignore_module !=
FF)
00550 {
00551 mod_result[
FF] =
rsbac_adf_request_ff (request,
00552 caller_pid,
00553 target,
00554 tid,
00555 attr,
00556 attr_val,
00557 owner);
00558 result =
adf_and_plus(result, mod_result[
FF]);
00559
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00560
if(!rsbac_ind_softmode[
FF])
00561 ret_result =
adf_and_plus(ret_result, mod_result[
FF]);
00562
#endif
00563
}
00564
#endif
00565
00566
00567
#if defined(CONFIG_RSBAC_RC)
00568
#ifdef CONFIG_RSBAC_SWITCH
00569
if (rsbac_switch_rc)
00570
#endif
00571
00572
if(ignore_module !=
RC)
00573 {
00574 mod_result[
RC] =
rsbac_adf_request_rc (request,
00575 caller_pid,
00576 target,
00577 tid,
00578 attr,
00579 attr_val,
00580 owner);
00581 result =
adf_and_plus(result, mod_result[
RC]);
00582
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00583
if(!rsbac_ind_softmode[
RC])
00584 ret_result =
adf_and_plus(ret_result, mod_result[
RC]);
00585
#endif
00586
}
00587
#endif
00588
00589
00590
#if defined(CONFIG_RSBAC_AUTH)
00591
#ifdef CONFIG_RSBAC_SWITCH
00592
if (rsbac_switch_auth)
00593
#endif
00594
00595
if(ignore_module !=
AUTH)
00596 {
00597 mod_result[
AUTH]=
rsbac_adf_request_auth(request,
00598 caller_pid,
00599 target,
00600 tid,
00601 attr,
00602 attr_val,
00603 owner);
00604 result =
adf_and_plus(result, mod_result[
AUTH]);
00605
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00606
if(!rsbac_ind_softmode[
AUTH])
00607 ret_result =
adf_and_plus(ret_result, mod_result[
AUTH]);
00608
#endif
00609
}
00610
#endif
00611
00612
00613
#if defined(CONFIG_RSBAC_ACL)
00614
#ifdef CONFIG_RSBAC_SWITCH
00615
if (rsbac_switch_acl)
00616
#endif
00617
00618
if(ignore_module !=
ACL)
00619 {
00620 mod_result[
ACL] =
rsbac_adf_request_acl(request,
00621 caller_pid,
00622 target,
00623 tid,
00624 attr,
00625 attr_val,
00626 owner);
00627 result =
adf_and_plus(result, mod_result[
ACL]);
00628
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00629
if(!rsbac_ind_softmode[
ACL])
00630 ret_result =
adf_and_plus(ret_result, mod_result[
ACL]);
00631
#endif
00632
}
00633
#endif
00634
00635
00636
#if defined(CONFIG_RSBAC_CAP)
00637
#ifdef CONFIG_RSBAC_SWITCH
00638
if (rsbac_switch_cap)
00639
#endif
00640
00641
if(ignore_module !=
CAP)
00642 {
00643 mod_result[
CAP] =
rsbac_adf_request_cap(request,
00644 caller_pid,
00645 target,
00646 tid,
00647 attr,
00648 attr_val,
00649 owner);
00650 result =
adf_and_plus(result, mod_result[
CAP]);
00651
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00652
if(!rsbac_ind_softmode[
CAP])
00653 ret_result =
adf_and_plus(ret_result, mod_result[
CAP]);
00654
#endif
00655
}
00656
#endif
00657
00658
00659
#if defined(CONFIG_RSBAC_JAIL)
00660
#ifdef CONFIG_RSBAC_SWITCH
00661
if (rsbac_switch_jail)
00662
#endif
00663
00664
if(ignore_module !=
JAIL)
00665 {
00666 mod_result[
JAIL]=
rsbac_adf_request_jail(request,
00667 caller_pid,
00668 target,
00669 tid,
00670 attr,
00671 attr_val,
00672 owner);
00673 result =
adf_and_plus(result, mod_result[
JAIL]);
00674
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00675
if(!rsbac_ind_softmode[
JAIL])
00676 ret_result =
adf_and_plus(ret_result, mod_result[
JAIL]);
00677
#endif
00678
}
00679
#endif
00680
00681
00682
#if defined(CONFIG_RSBAC_PAX)
00683
#ifdef CONFIG_RSBAC_SWITCH
00684
if (rsbac_switch_pax)
00685
#endif
00686
00687
if(ignore_module !=
PAX)
00688 {
00689 mod_result[
PAX] =
rsbac_adf_request_pax (request,
00690 caller_pid,
00691 target,
00692 tid,
00693 attr,
00694 attr_val,
00695 owner);
00696 result =
adf_and_plus(result, mod_result[
PAX]);
00697
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00698
if(!rsbac_ind_softmode[
PAX])
00699 ret_result =
adf_and_plus(ret_result, mod_result[
PAX]);
00700
#endif
00701
}
00702
#endif
00703
00704
00705
#if defined(CONFIG_RSBAC_RES)
00706
#ifdef CONFIG_RSBAC_SWITCH
00707
if (rsbac_switch_res)
00708
#endif
00709
00710
if(ignore_module !=
RES)
00711 {
00712 mod_result[
RES] =
rsbac_adf_request_res(request,
00713 caller_pid,
00714 target,
00715 tid,
00716 attr,
00717 attr_val,
00718 owner);
00719 result =
adf_and_plus(result, mod_result[
RES]);
00720
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00721
if(!rsbac_ind_softmode[
RES])
00722 ret_result =
adf_and_plus(ret_result, mod_result[
RES]);
00723
#endif
00724
}
00725
#endif
00726
00727
00728
#if defined(CONFIG_RSBAC_REG)
00729
if(ignore_module !=
REG)
00730 {
00731 mod_result[
REG]=
rsbac_adf_request_reg (request,
00732 caller_pid,
00733 target,
00734 tid,
00735 attr,
00736 attr_val,
00737 owner);
00738 result =
adf_and_plus(result, mod_result[
REG]);
00739
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00740
if(!rsbac_ind_softmode[
REG])
00741 ret_result =
adf_and_plus(ret_result, mod_result[
REG]);
00742
#endif
00743
}
00744
#endif
00745
00746
#endif
00747
00748
00749
00750
#if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET)
00751
if( rsbac_debug_adf_net
00752 && ( (target ==
T_NETDEV)
00753 || (target ==
T_NETTEMP)
00754 || (target ==
T_NETOBJ)
00755 )
00756 )
00757 do_log =
TRUE;
00758
#endif
00759
00760
00761
#ifdef CONFIG_RSBAC_IND_USER_LOG
00762
i_tid.
user = owner;
00763
if (
rsbac_get_attr(
GEN,
00764
T_USER,
00765 i_tid,
00766
A_log_user_based,
00767 &i_attr_val,
00768
FALSE))
00769 {
00770 rsbac_ds_get_error(
"rsbac_adf_request()",
A_log_user_based);
00771 }
00772
else
00773 {
00774
if(((
rsbac_request_vector_t) 1 << request) & i_attr_val.
log_user_based)
00775 do_log =
TRUE;
00776 }
00777
#endif
00778
00779
00780
#ifdef CONFIG_RSBAC_IND_PROG_LOG
00781
if(!do_log)
00782 {
00783 i_tid.
process = caller_pid;
00784
if (
rsbac_get_attr(
GEN,
00785
T_PROCESS,
00786 i_tid,
00787
A_log_program_based,
00788 &i_attr_val,
00789
FALSE))
00790 {
00791 rsbac_ds_get_error(
"rsbac_adf_request()",
A_log_program_based);
00792 }
00793
else
00794 {
00795
if(((
rsbac_request_vector_t) 1 << request) & i_attr_val.
log_program_based)
00796 do_log =
TRUE;
00797 }
00798 }
00799
#endif
00800
00801
00802
00803
00804
switch(request)
00805 {
00806
case R_TERMINATE:
00807
if (target ==
T_PROCESS)
00808
rsbac_remove_target(
T_PROCESS,tid);
00809
break;
00810
default:
00811
break;
00812 }
00813
00814
00815
00816
00817
00818
00819
00820
00821
#ifdef CONFIG_RSBAC_IND_LOG
00822
00823
00824
00825
if( !do_log
00826 && ( ( ( (target ==
T_FILE)
00827 || (target ==
T_DIR)
00828 || (target ==
T_FIFO)
00829 || (target ==
T_SYMLINK)
00830 )
00831 && RSBAC_MAJOR(tid.file.device)
00832 && RSBAC_MINOR(tid.file.device)
00833 )
00834 || (target ==
T_DEV)
00835 )
00836 )
00837 {
00838
if (
rsbac_get_attr(
GEN,
00839 target,
00840 tid,
00841
A_log_array_low,
00842 &i_attr_val,
00843
FALSE))
00844 {
00845 rsbac_ds_get_error(
"rsbac_adf_request()",
A_log_array_low);
00846 }
00847
else
00848 {
00849
if (
rsbac_get_attr(
GEN,
00850 target,
00851 tid,
00852
A_log_array_high,
00853 &i_attr_val2,
00854
FALSE))
00855 {
00856 rsbac_ds_get_error(
"rsbac_adf_request()",
A_log_array_high);
00857 }
00858
else
00859 {
00860
00861
00862 log_level = ((i_attr_val.
log_array_low >> request) & 1)
00863 | ( ((i_attr_val2.
log_array_high >> request) & 1) << 1);
00864
if ( log_level ==
LL_full
00865 || ( log_level ==
LL_denied
00866 && (result ==
NOT_GRANTED
00867 || result ==
UNDEFINED)) )
00868 {
00869 do_log =
TRUE;
00870 }
00871
if(log_level !=
LL_request)
00872 log_on_request =
FALSE;
00873 }
00874 }
00875 }
00876
#endif
00877
00878
#ifdef CONFIG_RSBAC_IND_NETDEV_LOG
00879
00880
00881
if( !do_log
00882 && (target ==
T_NETDEV)
00883 )
00884 {
00885
if (
rsbac_get_attr(
GEN,
00886 target,
00887 tid,
00888
A_log_array_low,
00889 &i_attr_val,
00890
FALSE))
00891 {
00892 rsbac_ds_get_error(
"rsbac_adf_request()",
A_log_array_low);
00893 }
00894
else
00895 {
00896
if (
rsbac_get_attr(
GEN,
00897 target,
00898 tid,
00899
A_log_array_high,
00900 &i_attr_val2,
00901
FALSE))
00902 {
00903 rsbac_ds_get_error(
"rsbac_adf_request()",
A_log_array_high);
00904 }
00905
else
00906 {
00907
00908
00909 log_level = ((i_attr_val.
log_array_low >> request) & 1)
00910 | ( ((i_attr_val2.
log_array_high >> request) & 1) << 1);
00911
if ( log_level ==
LL_full
00912 || ( log_level ==
LL_denied
00913 && (result ==
NOT_GRANTED
00914 || result ==
UNDEFINED)) )
00915 {
00916 do_log =
TRUE;
00917 }
00918
if(log_level !=
LL_request)
00919 log_on_request =
FALSE;
00920 }
00921 }
00922 }
00923
#endif
00924
00925
#ifdef CONFIG_RSBAC_IND_NETOBJ_LOG
00926
00927
00928
00929
if( !do_log
00930 && ( (target ==
T_NETTEMP)
00931 || (target ==
T_NETOBJ)
00932 )
00933 )
00934 {
00935
enum rsbac_attribute_t i_attr1, i_attr2;
00936
00937
if(target ==
T_NETOBJ)
00938 {
00939
if(
rsbac_net_remote_request(request))
00940 {
00941 i_attr1 =
A_remote_log_array_low;
00942 i_attr2 =
A_remote_log_array_high;
00943 }
00944
else
00945 {
00946 i_attr1 =
A_local_log_array_low;
00947 i_attr2 =
A_local_log_array_high;
00948 }
00949 }
00950
else
00951 {
00952 i_attr1 =
A_log_array_low;
00953 i_attr2 =
A_log_array_high;
00954 }
00955
if (
rsbac_get_attr(
GEN,
00956 target,
00957 tid,
00958 i_attr1,
00959 &i_attr_val,
00960
FALSE))
00961 {
00962 rsbac_ds_get_error(
"rsbac_adf_request()", i_attr1);
00963 }
00964
else
00965 {
00966
if (
rsbac_get_attr(
GEN,
00967 target,
00968 tid,
00969 i_attr2,
00970 &i_attr_val2,
00971
FALSE))
00972 {
00973 rsbac_ds_get_error(
"rsbac_adf_request()", i_attr2);
00974 }
00975
else
00976 {
00977
00978
00979 log_level = ((i_attr_val.
log_array_low >> request) & 1)
00980 | ( ((i_attr_val2.
log_array_high >> request) & 1) << 1);
00981
if ( log_level ==
LL_full
00982 || ( log_level ==
LL_denied
00983 && (result ==
NOT_GRANTED
00984 || result ==
UNDEFINED)) )
00985 {
00986 do_log =
TRUE;
00987 }
00988
if(log_level !=
LL_request)
00989 log_on_request =
FALSE;
00990 }
00991 }
00992 }
00993
#endif
00994
00995 log:
00996
00997
if ( !do_log
00998 && log_on_request
00999 && (
rsbac_log_levels[request][target] ==
LL_full
01000 || (
rsbac_log_levels[request][target] ==
LL_denied
01001 && (result ==
NOT_GRANTED
01002 || result ==
UNDEFINED)) ) )
01003 do_log =
TRUE;
01004
01005
if(do_log)
01006 {
01007
char * request_name;
01008
char * res_name;
01009
char * res_mods;
01010
char * target_type_name;
01011
char * target_id_name;
01012
char * attr_name;
01013
char * new_target_name;
01014
char command[17];
01015
rsbac_pseudo_t pseudo = 0;
01016
rsbac_pid_t parent_pid = 0;
01017
01018
01019
if (
rsbac_get_attr(
GEN,
T_USER,i_tid,
A_pseudo,&i_attr_val,
FALSE))
01020 {
01021 rsbac_ds_get_error(
"rsbac_adf_request()",
A_pseudo);
01022
return(
NOT_GRANTED);
01023 }
01024
01025 pseudo = i_attr_val.
pseudo;
01026
01027
01028
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01029
if(current->parent)
01030 parent_pid = current->parent->pid;
01031
#else
01032
if(current->p_pptr)
01033 parent_pid = current->p_pptr->pid;
01034
#endif
01035
01036 request_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01037 res_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01038 res_mods =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01039 target_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01040
#ifdef CONFIG_RSBAC_LOG_FULL_PATH
01041
target_id_name
01042 =
rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN +
RSBAC_MAXNAMELEN);
01043
01044
#else
01045
target_id_name =
rsbac_kmalloc(2 *
RSBAC_MAXNAMELEN);
01046
01047
#endif
01048
attr_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01049 new_target_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01050
01051 request_name[0] = (
char) 0;
01052 target_type_name[0] = (
char) 0;
01053 target_id_name[0] = (
char) 0;
01054 attr_name[0] = (
char) 0;
01055 new_target_name[0] = (
char) 0;
01056 res_name[0] = (
char) 0;
01057 res_mods[0] = (
char) 0;
01058 command[0] = (
char) 0;
01059
get_request_name(request_name, request);
01060
#if !defined(CONFIG_RSBAC_MAINT)
01061
if(result == mod_result[
SW_NONE])
01062 {
01063 strcat(res_mods,
" GEN");
01064 }
01065
#if defined(CONFIG_RSBAC_MAC)
01066
if(result == mod_result[
MAC])
01067 {
01068
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01069
if(rsbac_ind_softmode[
MAC])
01070 strcat(res_mods,
" MAC(Softmode)");
01071
else
01072
#endif
01073
strcat(res_mods,
" MAC");
01074 }
01075
#endif
01076
#if defined(CONFIG_RSBAC_FC)
01077
if(result == mod_result[
FC])
01078 {
01079
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01080
if(rsbac_ind_softmode[
FC])
01081 strcat(res_mods,
" FC(Softmode)");
01082
else
01083
#endif
01084
strcat(res_mods,
" FC");
01085 }
01086
#endif
01087
#if defined(CONFIG_RSBAC_SIM)
01088
if(result == mod_result[
SIM])
01089 {
01090
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01091
if(rsbac_ind_softmode[
SIM])
01092 strcat(res_mods,
" SIM(Softmode)");
01093
else
01094
#endif
01095
strcat(res_mods,
" SIM");
01096 }
01097
#endif
01098
#if defined(CONFIG_RSBAC_PM)
01099
if(result == mod_result[
PM])
01100 {
01101
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01102
if(rsbac_ind_softmode[
PM])
01103 strcat(res_mods,
" PM(Softmode)");
01104
else
01105
#endif
01106
strcat(res_mods,
" PM");
01107 }
01108
#endif
01109
#if defined(CONFIG_RSBAC_DAZ)
01110
if(result == mod_result[
DAZ])
01111 {
01112
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01113
if(rsbac_ind_softmode[
DAZ])
01114 strcat(res_mods,
" DAZ(Softmode)");
01115
else
01116
#endif
01117
strcat(res_mods,
" DAZ");
01118 }
01119
#endif
01120
#ifdef CONFIG_RSBAC_FF
01121
if(result == mod_result[
FF])
01122 {
01123
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01124
if(rsbac_ind_softmode[
FF])
01125 strcat(res_mods,
" FF(Softmode)");
01126
else
01127
#endif
01128
strcat(res_mods,
" FF");
01129 }
01130
#endif
01131
#ifdef CONFIG_RSBAC_RC
01132
if(result == mod_result[
RC])
01133 {
01134
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01135
if(rsbac_ind_softmode[
RC])
01136 strcat(res_mods,
" RC(Softmode)");
01137
else
01138
#endif
01139
strcat(res_mods,
" RC");
01140 }
01141
#endif
01142
#ifdef CONFIG_RSBAC_AUTH
01143
if(result == mod_result[
AUTH])
01144 {
01145
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01146
if(rsbac_ind_softmode[
AUTH])
01147 strcat(res_mods,
" AUTH(Softmode)");
01148
else
01149
#endif
01150
strcat(res_mods,
" AUTH");
01151 }
01152
#endif
01153
#ifdef CONFIG_RSBAC_ACL
01154
if(result == mod_result[
ACL])
01155 {
01156
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01157
if(rsbac_ind_softmode[
ACL])
01158 strcat(res_mods,
" ACL(Softmode)");
01159
else
01160
#endif
01161
strcat(res_mods,
" ACL");
01162 }
01163
#endif
01164
#ifdef CONFIG_RSBAC_CAP
01165
if(result == mod_result[
CAP])
01166 {
01167
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01168
if(rsbac_ind_softmode[
CAP])
01169 strcat(res_mods,
" CAP(Softmode)");
01170
else
01171
#endif
01172
strcat(res_mods,
" CAP");
01173 }
01174
#endif
01175
#ifdef CONFIG_RSBAC_JAIL
01176
if(result == mod_result[
JAIL])
01177 {
01178
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01179
if(rsbac_ind_softmode[
JAIL])
01180 strcat(res_mods,
" JAIL(Softmode)");
01181
else
01182
#endif
01183
strcat(res_mods,
" JAIL");
01184 }
01185
#endif
01186
#ifdef CONFIG_RSBAC_RES
01187
if(result == mod_result[
RES])
01188 {
01189
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01190
if(rsbac_ind_softmode[
RES])
01191 strcat(res_mods,
" RES(Softmode)");
01192
else
01193
#endif
01194
strcat(res_mods,
" RES");
01195 }
01196
#endif
01197
#ifdef CONFIG_RSBAC_REG
01198
if(result == mod_result[
REG])
01199 {
01200
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01201
if(rsbac_ind_softmode[
REG])
01202 strcat(res_mods,
" REG(Softmode)");
01203
else
01204
#endif
01205
strcat(res_mods,
" REG");
01206 }
01207
#endif
01208
#endif
01209
if(!res_mods[0])
01210 strcat(res_mods,
" ADF");
01211
get_target_name(target_type_name, target, target_id_name, tid);
01212
get_attribute_name(attr_name, attr);
01213
get_result_name(res_name, result);
01214
if ((current) && (current->comm))
01215 {
01216 strncpy(command,current->comm,16);
01217 command[16] = (
char) 0;
01218 }
01219
if( (request ==
R_CREATE)
01220 && (target ==
T_DIR)
01221 && (attr == A_create_data)
01222 )
01223 {
01224
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01225
01226
if(tmp)
01227 {
01228
if(attr_val.create_data.dentry_p)
01229 snprintf(new_target_name,
RSBAC_MAXNAMELEN,
01230
", new_object %s %s, mode %o",
01231
get_target_name_only(tmp, attr_val.create_data.target),
01232 attr_val.create_data.dentry_p->d_name.name,
01233 attr_val.create_data.mode & S_IALLUGO);
01234
else
01235 snprintf(new_target_name,
RSBAC_MAXNAMELEN,
01236
", new_object %s, mode %o",
01237
get_target_name_only(tmp, attr_val.create_data.target),
01238 attr_val.create_data.mode & S_IALLUGO);
01239
rsbac_kfree(tmp);
01240 }
01241 }
01242
01243
#ifdef CONFIG_RSBAC_RMSG
01244
01245
if (pseudo)
01246 {
01247
#ifdef CONFIG_RSBAC_SOFTMODE
01248
if(rsbac_softmode)
01249 rsbac_printk(KERN_INFO
"rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s, pseudo %u, target_type %s, tid %s, attr %s, value %u%s, result %s (Softmode) by%s\n",
01250 request_name, caller_pid, parent_pid, command, i_attr_val.
pseudo, target_type_name, target_id_name, attr_name, attr_val.
dummy, new_target_name, res_name, res_mods);
01251
else
01252
#endif
01253
rsbac_printk(KERN_INFO
"rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s, pseudo %u, target_type %s, tid %s, attr %s, value %u%s, result %s by%s\n",
01254 request_name, caller_pid, parent_pid, command, i_attr_val.
pseudo, target_type_name, target_id_name, attr_name, attr_val.
dummy, new_target_name, res_name, res_mods);
01255 }
01256
else
01257 {
01258
#ifdef CONFIG_RSBAC_SOFTMODE
01259
if(rsbac_softmode)
01260 rsbac_printk(KERN_INFO
"rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s, uid %u, target_type %s, tid %s, attr %s, value %u%s, result %s (Softmode) by%s\n",
01261 request_name, caller_pid, parent_pid, command, owner, target_type_name, target_id_name, attr_name, attr_val.
dummy, new_target_name, res_name, res_mods);
01262
else
01263
#endif
01264
rsbac_printk(KERN_INFO
"rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s, uid %u, target_type %s, tid %s, attr %s, value %u%s, result %s by%s\n",
01265 request_name, caller_pid, parent_pid, command, owner, target_type_name, target_id_name, attr_name, attr_val.
dummy, new_target_name, res_name, res_mods);
01266 }
01267
#endif
01268
#ifndef CONFIG_RSBAC_RMSG_EXCL
01269
01270
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01271
if (!rsbac_nosyslog)
01272
#endif
01273
{
01274
01275
if (pseudo)
01276 {
01277
#ifdef CONFIG_RSBAC_SOFTMODE
01278
if(rsbac_softmode)
01279 printk(KERN_INFO
01280
"rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s, pseudo %u, target_type %s, tid %s, attr %s, value %u%s, result %s (Softmode) by%s\n",
01281 request_name, caller_pid, parent_pid, command, i_attr_val.
pseudo, target_type_name, target_id_name, attr_name, attr_val.
dummy, new_target_name, res_name, res_mods);
01282
else
01283
#endif
01284
printk(KERN_INFO
01285
"rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s, pseudo %u, target_type %s, tid %s, attr %s, value %u%s, result %s by%s\n",
01286 request_name, caller_pid, parent_pid, command, i_attr_val.
pseudo, target_type_name, target_id_name, attr_name, attr_val.
dummy, new_target_name, res_name, res_mods);
01287 }
01288
else
01289 {
01290
#ifdef CONFIG_RSBAC_SOFTMODE
01291
if(rsbac_softmode)
01292 printk(KERN_INFO
01293
"rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s, uid %u, target_type %s, tid %s, attr %s, value %u%s, result %s (Softmode) by%s\n",
01294 request_name, caller_pid, parent_pid, command, owner, target_type_name, target_id_name, attr_name, attr_val.
dummy, new_target_name, res_name, res_mods);
01295
else
01296
#endif
01297
printk(KERN_INFO
01298
"rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s, uid %u, target_type %s, tid %s, attr %s, value %u%s, result %s by%s\n",
01299 request_name, caller_pid, parent_pid, command, owner, target_type_name, target_id_name, attr_name, attr_val.
dummy, new_target_name, res_name, res_mods);
01300 }
01301 }
01302
#endif
01303
01304
rsbac_kfree(request_name);
01305
rsbac_kfree(res_name);
01306
rsbac_kfree(res_mods);
01307
rsbac_kfree(target_type_name);
01308
rsbac_kfree(target_id_name);
01309
rsbac_kfree(attr_name);
01310
rsbac_kfree(new_target_name);
01311 }
01312
01313
01314
if(result ==
UNDEFINED)
01315 result =
NOT_GRANTED;
01316
01317
01318
rsbac_adf_request_count[target]++;
01319
#ifdef CONFIG_RSBAC_XSTATS
01320
rsbac_adf_request_xcount[target][request]++;
01321
#endif
01322
01323
01324
#ifdef CONFIG_RSBAC_SOFTMODE
01325
if(rsbac_softmode && !rsbac_internal)
01326
return DO_NOT_CARE;
01327
else
01328
#endif
01329
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01330
return ret_result;
01331
#else
01332
return result;
01333
#endif
01334
};
01335
01336
01337
01338
01339
01340
01341
01342
01343
EXPORT_SYMBOL(rsbac_adf_request);
01344
enum rsbac_adf_req_ret_t
01345 rsbac_adf_request(
enum rsbac_adf_request_t request,
01346
rsbac_pid_t caller_pid,
01347
enum rsbac_target_t target,
01348
union rsbac_target_id_t tid,
01349
enum rsbac_attribute_t attr,
01350
union rsbac_attribute_value_t attr_val)
01351 {
01352
return(
rsbac_adf_request_int(request,
01353 caller_pid,
01354 target,
01355 tid,
01356 attr,
01357 attr_val,
01358
SW_NONE));
01359 }
01360
01361
01362
01363
01364
01365
01366
01367
01368
EXPORT_SYMBOL(rsbac_adf_set_attr);
01369 int rsbac_adf_set_attr(
01370
enum rsbac_adf_request_t request,
01371
rsbac_pid_t caller_pid,
01372
enum rsbac_target_t target,
01373
union rsbac_target_id_t tid,
01374
enum rsbac_target_t new_target,
01375
union rsbac_target_id_t new_tid,
01376
enum rsbac_attribute_t attr,
01377
union rsbac_attribute_value_t attr_val)
01378 {
01379
#if defined(CONFIG_RSBAC_IND_PROG_LOG) || defined(CONFIG_RSBAC_IND_USER_LOG)
01380
union rsbac_target_id_t i_tid;
01381
#endif
01382
rsbac_uid_t owner;
01383
int error = 0;
01384
boolean do_log =
FALSE;
01385
boolean log_on_request =
TRUE;
01386
#ifdef CONFIG_RSBAC_IND_LOG
01387
union rsbac_attribute_value_t i_attr_val,i_attr_val2;
01388
enum rsbac_log_level_t log_level;
01389
#endif
01390
#ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
01391
struct super_block * sb_p;
01392
#endif
01393
01394
01395
01396
if (!
rsbac_is_initialized())
01397
return(0);
01398
01399
01400
if ( !caller_pid
01401
#if defined(CONFIG_RSBAC_LOG_REMOTE)
01402
|| (caller_pid == rsbaclogd_pid)
01403
#endif
01404
)
01405
return(0);
01406
01407
01408
if( request >=
R_NONE
01409 || target >
T_NONE
01410 || new_target >
T_NONE
01411 || attr >
A_none)
01412 {
01413
#ifdef CONFIG_RSBAC_RMSG
01414
rsbac_printk(KERN_WARNING
01415
"rsbac_adf_set_attr(): called with invalid request, target or attribute\n");
01416
#endif
01417
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01418
if (!rsbac_nosyslog)
01419
#endif
01420
printk(KERN_WARNING
01421
"rsbac_adf_set_attr(): called with invalid request, target or attribute\n");
01422
return(-
RSBAC_EINVALIDVALUE);
01423 }
01424
01425
01426
01427 owner =
RSBAC_NO_USER;
01428
01429
if (caller_pid > 1)
01430 {
01431 error = rsbac_get_owner(&owner);
01432
if(error)
01433 {
01434
#ifdef CONFIG_RSBAC_RMSG
01435
rsbac_printk(KERN_DEBUG
01436
"rsbac_adf_set_attr(): caller_pid %i, RSBAC not initialized, returning 0",
01437 caller_pid);
01438
#endif
01439
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01440
if (!rsbac_nosyslog)
01441
#endif
01442
printk(KERN_DEBUG
01443
"rsbac_adf_set_attr(): caller_pid %i, RSBAC not initialized, returning 0",
01444 caller_pid);
01445
return(0);
01446 }
01447 }
01448
else
01449 owner = 0;
01450
01451
01452
01453
#ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
01454
if ( ( (target ==
T_FILE)
01455 || (target ==
T_DIR)
01456 || (target ==
T_FIFO)
01457 || (target ==
T_SYMLINK)
01458 )
01459 && ((sb_p =
rsbac_get_super_block(tid.file.device)))
01460 && ( (sb_p->s_magic == NFS_SUPER_MAGIC)
01461 || (sb_p->s_magic == CODA_SUPER_MAGIC)
01462 || (sb_p->s_magic == NCP_SUPER_MAGIC)
01463 || (sb_p->s_magic == SMB_SUPER_MAGIC)
01464 )
01465 )
01466 {
01467 error = 0;
01468
goto log;
01469 }
01470
#endif
01471
01472
01473
01474
01475
01476
#ifdef CONFIG_RSBAC_DEBUG
01477
01478 error |=
rsbac_adf_set_attr_check(request,
01479 caller_pid,
01480 target,
01481 tid,
01482 new_target,
01483 new_tid,
01484 attr,
01485 attr_val,
01486 owner);
01487
if(error)
01488
goto general_work;
01489
#endif
01490
01491
#if !defined(CONFIG_RSBAC_MAINT)
01492
01493
#if defined(CONFIG_RSBAC_MAC)
01494
#ifdef CONFIG_RSBAC_SWITCH
01495
if (rsbac_switch_mac)
01496
#endif
01497
error |=
rsbac_adf_set_attr_mac(request,
01498 caller_pid,
01499 target,
01500 tid,
01501 new_target,
01502 new_tid,
01503 attr,
01504 attr_val,
01505 owner);
01506
#endif
01507
01508
01509
#ifdef CONFIG_RSBAC_FC
01510
#ifdef CONFIG_RSBAC_SWITCH
01511
if (rsbac_switch_fc)
01512
#endif
01513
error |=
rsbac_adf_set_attr_fc (request,
01514 caller_pid,
01515 target,
01516 tid,
01517 new_target,
01518 new_tid,
01519 attr,
01520 attr_val,
01521 owner);
01522
#endif
01523
01524
01525
#ifdef CONFIG_RSBAC_SIM
01526
#ifdef CONFIG_RSBAC_SWITCH
01527
if (rsbac_switch_sim)
01528
#endif
01529
error |=
rsbac_adf_set_attr_sim(request,
01530 caller_pid,
01531 target,
01532 tid,
01533 new_target,
01534 new_tid,
01535 attr,
01536 attr_val,
01537 owner);
01538
#endif
01539
01540
01541
#ifdef CONFIG_RSBAC_PM
01542
#ifdef CONFIG_RSBAC_SWITCH
01543
if (rsbac_switch_pm)
01544
#endif
01545
error |=
rsbac_adf_set_attr_pm (request,
01546 caller_pid,
01547 target,
01548 tid,
01549 new_target,
01550 new_tid,
01551 attr,
01552 attr_val,
01553 owner);
01554
#endif
01555
01556
01557
#ifdef CONFIG_RSBAC_DAZ
01558
#ifdef CONFIG_RSBAC_SWITCH
01559
if (rsbac_switch_daz)
01560
#endif
01561
error |=
rsbac_adf_set_attr_daz (request,
01562 caller_pid,
01563 target,
01564 tid,
01565 new_target,
01566 new_tid,
01567 attr,
01568 attr_val,
01569 owner);
01570
#endif
01571
01572
01573
#if 0
01574
#ifdef CONFIG_RSBAC_FF
01575
#ifdef CONFIG_RSBAC_SWITCH
01576
if (rsbac_switch_ff)
01577
#endif
01578
error |=
rsbac_adf_set_attr_ff (request,
01579 caller_pid,
01580 target,
01581 tid,
01582 new_target,
01583 new_tid,
01584 attr,
01585 attr_val,
01586 owner);
01587
#endif
01588
#endif
01589
01590
01591
#ifdef CONFIG_RSBAC_RC
01592
#ifdef CONFIG_RSBAC_SWITCH
01593
if (rsbac_switch_rc)
01594
#endif
01595
error |=
rsbac_adf_set_attr_rc (request,
01596 caller_pid,
01597 target,
01598 tid,
01599 new_target,
01600 new_tid,
01601 attr,
01602 attr_val,
01603 owner);
01604
#endif
01605
01606
01607
#ifdef CONFIG_RSBAC_AUTH
01608
#ifdef CONFIG_RSBAC_SWITCH
01609
if (rsbac_switch_auth)
01610
#endif
01611
error |=
rsbac_adf_set_attr_auth(request,
01612 caller_pid,
01613 target,
01614 tid,
01615 new_target,
01616 new_tid,
01617 attr,
01618 attr_val,
01619 owner);
01620
#endif
01621
01622
01623
#ifdef CONFIG_RSBAC_ACL
01624
#ifdef CONFIG_RSBAC_SWITCH
01625
if (rsbac_switch_acl)
01626
#endif
01627
error |=
rsbac_adf_set_attr_acl (request,
01628 caller_pid,
01629 target,
01630 tid,
01631 new_target,
01632 new_tid,
01633 attr,
01634 attr_val,
01635 owner);
01636
#endif
01637
01638
01639
#ifdef CONFIG_RSBAC_CAP
01640
#ifdef CONFIG_RSBAC_SWITCH
01641
if (rsbac_switch_cap)
01642
#endif
01643
error |=
rsbac_adf_set_attr_cap (request,
01644 caller_pid,
01645 target,
01646 tid,
01647 new_target,
01648 new_tid,
01649 attr,
01650 attr_val,
01651 owner);
01652
#endif
01653
01654
01655
#ifdef CONFIG_RSBAC_JAIL
01656
#ifdef CONFIG_RSBAC_SWITCH
01657
if (rsbac_switch_jail)
01658
#endif
01659
error |=
rsbac_adf_set_attr_jail(request,
01660 caller_pid,
01661 target,
01662 tid,
01663 new_target,
01664 new_tid,
01665 attr,
01666 attr_val,
01667 owner);
01668
#endif
01669
01670
01671
#ifdef CONFIG_RSBAC_PAX
01672
#ifdef CONFIG_RSBAC_SWITCH
01673
if (rsbac_switch_pax)
01674
#endif
01675
error |=
rsbac_adf_set_attr_pax (request,
01676 caller_pid,
01677 target,
01678 tid,
01679 new_target,
01680 new_tid,
01681 attr,
01682 attr_val,
01683 owner);
01684
#endif
01685
01686
01687
#ifdef CONFIG_RSBAC_RES
01688
#ifdef CONFIG_RSBAC_SWITCH
01689
if (rsbac_switch_res)
01690
#endif
01691
error |=
rsbac_adf_set_attr_res (request,
01692 caller_pid,
01693 target,
01694 tid,
01695 new_target,
01696 new_tid,
01697 attr,
01698 attr_val,
01699 owner);
01700
#endif
01701
01702
01703
#ifdef CONFIG_RSBAC_REG
01704
error |=
rsbac_adf_set_attr_reg (request,
01705 caller_pid,
01706 target,
01707 tid,
01708 new_target,
01709 new_tid,
01710 attr,
01711 attr_val,
01712 owner);
01713
#endif
01714
#endif
01715
01716
01717
#ifdef CONFIG_RSBAC_DEBUG
01718
general_work:
01719
#endif
01720
switch(request)
01721 {
01722
01723
case R_DELETE :
01724
switch (target)
01725 {
01726
case T_FILE:
01727
case T_FIFO:
01728
case T_SYMLINK:
01729
01730
if ( (attr == A_nlink)
01731 && (attr_val.nlink > 1)
01732 )
01733
break;
01734
01735
case T_DIR:
01736
rsbac_remove_target(target,tid);
01737
break;
01738
case T_IPC:
01739
01740
if(tid.
ipc.
type !=
I_shm)
01741
rsbac_remove_target(target,tid);
01742
break;
01743
default:
01744
break;
01745 }
01746
break;
01747
01748
#if defined(CONFIG_RSBAC_IND_PROG_LOG) || defined(CONFIG_RSBAC_FAKE_ROOT_UID)
01749
case R_CLONE:
01750
switch (target)
01751 {
01752
case T_PROCESS:
01753
#if defined(CONFIG_RSBAC_IND_PROG_LOG)
01754
01755
if (
rsbac_get_attr(
GEN,
01756 target,
01757 tid,
01758
A_log_program_based,
01759 &i_attr_val,
01760
FALSE))
01761 {
01762 rsbac_ds_get_error(
"rsbac_adf_set_attr()",
A_log_program_based);
01763 }
01764
else
01765 {
01766
if(i_attr_val.
log_program_based)
01767 {
01768
01769
if (
rsbac_set_attr(
GEN, new_target,
01770 new_tid,
01771
A_log_program_based,
01772 i_attr_val))
01773 {
01774 rsbac_ds_set_error(
"rsbac_adf_set_attr()",
A_log_program_based);
01775 }
01776 }
01777 }
01778
#endif
01779
#if defined(CONFIG_RSBAC_FAKE_ROOT_UID)
01780
01781
if (
rsbac_get_attr(
GEN,
01782 target,
01783 tid,
01784
A_fake_root_uid,
01785 &i_attr_val,
01786
FALSE))
01787 {
01788 rsbac_ds_get_error(
"rsbac_adf_set_attr()",
A_fake_root_uid);
01789 }
01790
else
01791 {
01792
if(i_attr_val.
fake_root_uid)
01793 {
01794
01795
if (
rsbac_set_attr(
GEN, new_target,
01796 new_tid,
01797
A_fake_root_uid,
01798 i_attr_val))
01799 {
01800 rsbac_ds_set_error(
"rsbac_adf_set_attr()",
A_fake_root_uid);
01801 }
01802 }
01803 }
01804
#endif
01805
break;
01806
01807
default:
01808
break;
01809 }
01810
break;
01811
#endif
01812
01813
#ifdef CONFIG_RSBAC_NET_OBJ
01814
case R_CLOSE:
01815
switch (target)
01816 {
01817
case T_NETOBJ:
01818
rsbac_remove_target(target,tid);
01819
break;
01820
01821
default:
01822
break;
01823 }
01824
break;
01825
#endif
01826
01827
#if defined(CONFIG_RSBAC_IND_PROG_LOG) || defined(CONFIG_RSBAC_FAKE_ROOT_UID)
01828
case R_EXECUTE :
01829
switch (target)
01830 {
01831
case T_FILE:
01832
#if defined(CONFIG_RSBAC_IND_PROG_LOG)
01833
01834
if (
rsbac_get_attr(
GEN,
01835 target,
01836 tid,
01837
A_log_program_based,
01838 &i_attr_val,
01839
FALSE))
01840 {
01841 rsbac_ds_get_error(
"rsbac_adf_set_attr()",
A_log_program_based);
01842 }
01843
else
01844 {
01845
01846 i_tid.
process = caller_pid;
01847
if (
rsbac_set_attr(
GEN,
T_PROCESS,
01848 i_tid,
01849
A_log_program_based,
01850 i_attr_val))
01851 {
01852 rsbac_ds_set_error(
"rsbac_adf_set_attr()",
A_log_program_based);
01853 }
01854 }
01855
#endif
01856
#if defined(CONFIG_RSBAC_FAKE_ROOT_UID)
01857
01858
if (
rsbac_get_attr(
GEN,
01859 target,
01860 tid,
01861
A_fake_root_uid,
01862 &i_attr_val,
01863
FALSE))
01864 {
01865 rsbac_ds_get_error(
"rsbac_adf_set_attr()",
A_fake_root_uid);
01866 }
01867
else
01868 {
01869
01870 i_tid.
process = caller_pid;
01871
if (
rsbac_set_attr(
GEN,
T_PROCESS,
01872 i_tid,
01873
A_fake_root_uid,
01874 i_attr_val))
01875 {
01876 rsbac_ds_set_error(
"rsbac_adf_set_attr()",
A_fake_root_uid);
01877 }
01878 }
01879
#endif
01880
break;
01881
01882
default:
01883
break;
01884 }
01885
break;
01886
#endif
01887
01888
default:
01889
break;
01890 }
01891
01892
#if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET)
01893
if( rsbac_debug_adf_net
01894 && ( (target ==
T_NETDEV)
01895 || (target ==
T_NETTEMP)
01896 || (target ==
T_NETOBJ)
01897 )
01898 )
01899 do_log =
TRUE;
01900
#endif
01901
01902
01903
#ifdef CONFIG_RSBAC_IND_USER_LOG
01904
i_tid.
user = owner;
01905
if (
rsbac_get_attr(
GEN,
01906
T_USER,
01907 i_tid,
01908
A_log_user_based,
01909 &i_attr_val,
01910
FALSE))
01911 {
01912 rsbac_ds_get_error(
"rsbac_adf_set_attr()",
A_log_user_based);
01913 }
01914
else
01915 {
01916
if(((
rsbac_request_vector_t) 1 << request) & i_attr_val.
log_user_based)
01917 do_log =
TRUE;
01918 }
01919
#endif
01920
01921
01922
#ifdef CONFIG_RSBAC_IND_PROG_LOG
01923
if(!do_log)
01924 {
01925 i_tid.
process = caller_pid;
01926
if (
rsbac_get_attr(
GEN,
01927
T_PROCESS,
01928 i_tid,
01929
A_log_program_based,
01930 &i_attr_val,
01931
FALSE))
01932 {
01933 rsbac_ds_get_error(
"rsbac_adf_set_attr()",
A_log_program_based);
01934 }
01935
else
01936 {
01937
if(((
rsbac_request_vector_t) 1 << request) & i_attr_val.
log_program_based)
01938 do_log =
TRUE;
01939 }
01940 }
01941
#endif
01942
01943
01944
01945
01946
01947
01948
01949
01950
01951
#ifdef CONFIG_RSBAC_IND_LOG
01952
01953
01954
01955
if(!do_log)
01956 {
01957
if( ( ( (target ==
T_FILE)
01958 || (target ==
T_DIR)
01959 || (target ==
T_FIFO)
01960 || (target ==
T_SYMLINK)
01961 )
01962 && RSBAC_MAJOR(tid.file.device)
01963 && RSBAC_MINOR(tid.file.device)
01964 )
01965 || (target ==
T_DEV)
01966 )
01967 {
01968
if (
rsbac_get_attr(
GEN,
01969 target,
01970 tid,
01971
A_log_array_low,
01972 &i_attr_val,
01973
FALSE))
01974 {
01975 rsbac_ds_get_error(
"rsbac_adf_set_attr()",
A_log_array_low);
01976 }
01977
else
01978 {
01979
if (
rsbac_get_attr(
GEN,
01980 target,
01981 tid,
01982
A_log_array_high,
01983 &i_attr_val2,
01984
FALSE))
01985 {
01986 rsbac_ds_get_error(
"rsbac_adf_set_attr()",
A_log_array_high);
01987 }
01988
else
01989 {
01990 log_level = ((i_attr_val.
log_array_low >> request) & 1)
01991 | ( ((i_attr_val2.
log_array_high >> request) & 1) << 1);
01992
if ( log_level ==
LL_full
01993 || ( log_level ==
LL_denied
01994 && error) )
01995 {
01996 do_log =
TRUE;
01997 }
01998
if(log_level !=
LL_request)
01999 log_on_request =
FALSE;
02000 }
02001 }
02002 }
02003 }
02004
#endif
02005
02006
#ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
02007
log:
02008
#endif
02009
02010
if (log_on_request
02011 && (
rsbac_log_levels[request][target] ==
LL_full
02012 || (
rsbac_log_levels[request][target] ==
LL_denied
02013 && error) ) )
02014 do_log =
TRUE;
02015
02016
if(do_log)
02017 {
02018
char * request_name;
02019
char * target_type_name;
02020
char * new_target_type_name;
02021
char * target_id_name;
02022
char * new_target_id_name;
02023
char * attr_name;
02024
02025
02026 request_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
02027 target_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
02028 new_target_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
02029
#ifdef CONFIG_RSBAC_LOG_FULL_PATH
02030
target_id_name
02031 =
rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN +
RSBAC_MAXNAMELEN);
02032 new_target_id_name
02033 =
rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN +
RSBAC_MAXNAMELEN);
02034
02035
#else
02036
target_id_name =
rsbac_kmalloc(2 *
RSBAC_MAXNAMELEN);
02037 new_target_id_name =
rsbac_kmalloc(2 *
RSBAC_MAXNAMELEN);
02038
02039
#endif
02040
attr_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
02041
02042
02043 request_name[0] = (
char) 0;
02044 target_type_name[0] = (
char) 0;
02045 target_id_name[0] = (
char) 0;
02046 new_target_type_name[0] = (
char) 0;
02047 new_target_id_name[0] = (
char) 0;
02048 attr_name[0] = (
char) 0;
02049
get_request_name(request_name, request);
02050
get_target_name(target_type_name, target, target_id_name, tid);
02051
get_target_name(new_target_type_name, new_target,
02052 new_target_id_name, new_tid);
02053
get_attribute_name(attr_name, attr);
02054
02055
#ifdef CONFIG_RSBAC_RMSG
02056
02057 rsbac_printk(KERN_INFO
02058
"rsbac_adf_set_attr(): request %s, pid %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n",
02059 request_name, (u_int) caller_pid, target_type_name, target_id_name,
02060 new_target_type_name, new_target_id_name, attr_name, attr_val.
dummy, error);
02061
#endif
02062
#ifndef CONFIG_RSBAC_RMSG_EXCL
02063
02064
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02065
if (!rsbac_nosyslog)
02066
#endif
02067
printk(KERN_INFO
02068
"rsbac_adf_set_attr(): request %s, pid %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n",
02069 request_name, (u_int) caller_pid, target_type_name, target_id_name,
02070 new_target_type_name, new_target_id_name, attr_name, attr_val.
dummy, error);
02071
#endif
02072
02073
rsbac_kfree(request_name);
02074
rsbac_kfree(target_type_name);
02075
rsbac_kfree(new_target_type_name);
02076
rsbac_kfree(target_id_name);
02077
rsbac_kfree(new_target_id_name);
02078
rsbac_kfree(attr_name);
02079 }
02080
02081
02082
rsbac_adf_set_attr_count[target]++;
02083
#ifdef CONFIG_RSBAC_XSTATS
02084
rsbac_adf_set_attr_xcount[target][request]++;
02085
#endif
02086
02087
return(error);
02088 };
02089
02090
02091
02092
02093
02094
02095
02096
02097
#ifdef CONFIG_RSBAC_SECDEL
02098
02099
02100
02101
02102
02103
static int open_by_dentry(
struct dentry * file_dentry_p,
struct file * file_p)
02104 {
02105
int tmperr;
02106
02107
if ( !(S_ISREG(file_dentry_p->d_inode->i_mode)) )
02108 {
02109
#ifdef CONFIG_RSBAC_RMSG
02110
rsbac_printk(KERN_WARNING
02111
"open_by_dentry(): expected file is not a file!\n");
02112
#endif
02113
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02114
if (!rsbac_nosyslog)
02115
#endif
02116
printk(KERN_WARNING
02117
"open_by_dentry(): expected file is not a file!\n");
02118
return (-
RSBAC_EWRITEFAILED);
02119 }
02120
02121
02122
if ((tmperr =
init_private_file(file_p, file_dentry_p, O_WRONLY)))
02123 {
02124
#ifdef CONFIG_RSBAC_RMSG
02125
rsbac_printk(KERN_WARNING
02126
"open_by_dentry(): could not open file!\n");
02127
#endif
02128
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02129
if (!rsbac_nosyslog)
02130
#endif
02131
printk(KERN_WARNING
02132
"open_by_dentry(): could not open file!\n");
02133
return (-
RSBAC_EWRITEFAILED);
02134 }
02135
02136
if ((!file_p->f_op) || (!file_p->f_op->write))
02137 {
02138
#ifdef CONFIG_RSBAC_RMSG
02139
rsbac_printk(KERN_WARNING
02140
"open_by_dentry(): file write function missing!\n");
02141
#endif
02142
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02143
if (!rsbac_nosyslog)
02144
#endif
02145
printk(KERN_WARNING
02146
"open_by_dentry(): file write function missing!\n");
02147
if (file_p->f_op && file_p->f_op->release)
02148 file_p->f_op->release(file_dentry_p->d_inode,file_p);
02149
return(-
RSBAC_EWRITEFAILED);
02150 }
02151
02152
02153
02154
02155
02156
02157
02158
02159
02160
02161
02162
02163
02164
02165
02166
02167
02168
02169
return 0;
02170 }
02171
02172
02173
02174
02175
02176
02177
EXPORT_SYMBOL(rsbac_sec_trunc);
02178
int rsbac_sec_trunc(
struct dentry * dentry_p,
02179 loff_t new_len, loff_t old_len)
02180 {
02181
#if defined(CONFIG_RSBAC_MAINT)
02182
return 0;
02183
#else
02184
int err = 0;
02185
boolean need_overwrite =
FALSE;
02186
02187
if (!
rsbac_is_initialized())
02188
return 0;
02189
02190
if( !dentry_p
02191 || !dentry_p->d_inode)
02192
return -
RSBAC_EINVALIDPOINTER;
02193
if(!S_ISREG(dentry_p->d_inode->i_mode))
02194
return -
RSBAC_EINVALIDTARGET;
02195
if(new_len >= old_len)
02196
return 0;
02197
02198
02199
02200
#ifdef CONFIG_RSBAC_PM
02201
#ifdef CONFIG_RSBAC_SWITCH
02202
if (rsbac_switch_pm)
02203
#endif
02204
02205
if(!need_overwrite)
02206 need_overwrite = rsbac_need_overwrite_pm(dentry_p);
02207
#endif
02208
02209
02210
#ifdef CONFIG_RSBAC_FF
02211
#ifdef CONFIG_RSBAC_SWITCH
02212
if (rsbac_switch_ff)
02213
#endif
02214
02215
if(!need_overwrite)
02216 need_overwrite = rsbac_need_overwrite_ff(dentry_p);
02217
#endif
02218
02219
02220
#ifdef CONFIG_RSBAC_RC
02221
#ifdef CONFIG_RSBAC_SWITCH
02222
if (rsbac_switch_rc)
02223
#endif
02224
02225
if(!need_overwrite)
02226 need_overwrite = rsbac_need_overwrite_rc(dentry_p);
02227
#endif
02228
02229
02230
#ifdef CONFIG_RSBAC_RES
02231
#ifdef CONFIG_RSBAC_SWITCH
02232
if (rsbac_switch_res)
02233
#endif
02234
02235
if(!need_overwrite)
02236 need_overwrite = rsbac_need_overwrite_res(dentry_p);
02237
#endif
02238
02239
02240
#ifdef CONFIG_RSBAC_REG
02241
if(!need_overwrite)
02242 need_overwrite = rsbac_need_overwrite_reg(dentry_p);
02243
#endif
02244
02245
if(need_overwrite)
02246 {
02247
char * buffer;
02248
boolean vmalloc_used;
02249
struct file file;
02250
int tmperr = 0;
02251
int len;
02252 mm_segment_t oldfs;
02253
02254 buffer =
rsbac_vkmalloc(RSBAC_SEC_DEL_CHUNK_SIZE, &vmalloc_used);
02255
if(!buffer)
02256
return -
RSBAC_ENOMEM;
02257
02258
#ifdef CONFIG_RSBAC_DEBUG
02259
if(rsbac_debug_write)
02260 {
02261
#ifdef CONFIG_RSBAC_RMSG
02262
rsbac_printk(KERN_DEBUG
02263
"rsbac_sec_trunc(): zeroing of file %lu on device %02u:%02u from byte %lu to %lu!\n",
02264 dentry_p->d_inode->i_ino,
02265 MAJOR(dentry_p->d_inode->i_sb->s_dev),
02266 MINOR(dentry_p->d_inode->i_sb->s_dev),
02267 (u_long) new_len,
02268 (u_long) old_len-1);
02269
#endif
02270
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02271
if (!rsbac_nosyslog)
02272
#endif
02273
printk(KERN_DEBUG
02274
"rsbac_sec_trunc(): zeroing of file %lu on device %02u:%02u from byte %lu to %lu!\n",
02275 dentry_p->d_inode->i_ino,
02276 MAJOR(dentry_p->d_inode->i_sb->s_dev),
02277 MINOR(dentry_p->d_inode->i_sb->s_dev),
02278 (u_long) new_len,
02279 (u_long) old_len-1);
02280 }
02281
#endif
02282
02283 err = open_by_dentry(dentry_p, &file);
02284
if(err)
02285 {
02286
rsbac_vkfree(buffer, vmalloc_used);
02287
return(err);
02288 }
02289
02290
#ifdef CONFIG_RSBAC_DEBUG
02291
if(rsbac_debug_write)
02292 {
02293
#ifdef CONFIG_RSBAC_RMSG
02294
rsbac_printk(KERN_DEBUG
02295
"rsbac_sec_trunc(): file %lu on device %02u:%02u is open, seeking to %lu!\n",
02296 dentry_p->d_inode->i_ino,
02297 MAJOR(dentry_p->d_inode->i_sb->s_dev),
02298 MINOR(dentry_p->d_inode->i_sb->s_dev),
02299 (u_long) new_len);
02300
#endif
02301
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02302
if (!rsbac_nosyslog)
02303
#endif
02304
printk(KERN_DEBUG
02305
"rsbac_sec_trunc(): file %lu on device %02u:%02u is open, seeking to %lu!\n",
02306 dentry_p->d_inode->i_ino,
02307 MAJOR(dentry_p->d_inode->i_sb->s_dev),
02308 MINOR(dentry_p->d_inode->i_sb->s_dev),
02309 (u_long) new_len);
02310 }
02311
#endif
02312
02313
02314
02315
02316
02317
02318 oldfs = get_fs();
02319 set_fs(KERNEL_DS);
02320
02321
#if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02322
if(file.f_op->llseek)
02323 file.f_op->llseek(&file,new_len,0);
02324
else
02325
#endif
02326
{
02327 file.f_pos = new_len;
02328
#if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02329
file.f_reada = 0;
02330
#endif
02331
#if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02332
file.f_version = ++event;
02333
#else
02334
file.f_version = 0;
02335
#endif
02336
}
02337 memset(buffer,0,RSBAC_SEC_DEL_CHUNK_SIZE);
02338
02339
#ifdef CONFIG_RSBAC_DEBUG
02340
if(rsbac_debug_write)
02341 {
02342
#ifdef CONFIG_RSBAC_RMSG
02343
rsbac_printk(KERN_DEBUG
02344
"rsbac_sec_trunc(): file %lu on device %02u:%02u is positioned, starting to write!\n",
02345 dentry_p->d_inode->i_ino,
02346 MAJOR(dentry_p->d_inode->i_sb->s_dev),
02347 MINOR(dentry_p->d_inode->i_sb->s_dev));
02348
#endif
02349
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02350
if (!rsbac_nosyslog)
02351
#endif
02352
printk(KERN_DEBUG
02353
"rsbac_sec_trunc(): file %lu on device %02u:%02u is positioned, starting to write!\n",
02354 dentry_p->d_inode->i_ino,
02355 MAJOR(dentry_p->d_inode->i_sb->s_dev),
02356 MINOR(dentry_p->d_inode->i_sb->s_dev));
02357 }
02358
#endif
02359
02360
while(new_len < old_len)
02361 {
02362 len =
rsbac_min(RSBAC_SEC_DEL_CHUNK_SIZE, old_len-new_len);
02363 tmperr = file.f_op->write(&file,
02364 buffer,
02365 len,
02366 &file.f_pos);
02367
02368
if (tmperr <= 0)
02369 {
02370
#ifdef CONFIG_RSBAC_RMSG
02371
rsbac_printk(KERN_WARNING
02372
"rsbac_sec_trunc(): write error on file!\n");
02373
#endif
02374
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02375
if (!rsbac_nosyslog)
02376
#endif
02377
printk(KERN_WARNING
02378
"rsbac_sec_trunc(): write error on file!\n");
02379 err = -
RSBAC_EWRITEFAILED;
02380
goto out;
02381 }
02382 new_len += tmperr;
02383 }
02384
02385 out:
02386
02387
02388 set_fs(oldfs);
02389
02390
#ifdef CONFIG_RSBAC_DEBUG
02391
if(rsbac_debug_write)
02392 {
02393
#ifdef CONFIG_RSBAC_RMSG
02394
rsbac_printk(KERN_DEBUG
02395
"rsbac_sec_trunc(): syncing file %lu on device %02u:%02u!\n",
02396 dentry_p->d_inode->i_ino,
02397 MAJOR(dentry_p->d_inode->i_sb->s_dev),
02398 MINOR(dentry_p->d_inode->i_sb->s_dev));
02399
#endif
02400
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02401
if (!rsbac_nosyslog)
02402
#endif
02403
printk(KERN_DEBUG
02404
"rsbac_sec_trunc(): syncing file %lu on device %02u:%02u!\n",
02405 dentry_p->d_inode->i_ino,
02406 MAJOR(dentry_p->d_inode->i_sb->s_dev),
02407 MINOR(dentry_p->d_inode->i_sb->s_dev));
02408 }
02409
#endif
02410
02411
02412
#if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02413
err = fsync_inode_data_buffers(dentry_p->d_inode);
02414
#else
02415
err = file_fsync(&file, dentry_p, 1);
02416
#endif
02417
02418
02419
02420
02421
02422
02423
02424
02425
02426
02427
rsbac_vkfree(buffer, vmalloc_used);
02428 }
02429
02430
02431
return(err);
02432
02433
#endif
02434 }
02435
02436
EXPORT_SYMBOL(rsbac_sec_del);
02437
int rsbac_sec_del(
struct dentry * dentry_p)
02438 {
02439
return(
rsbac_sec_trunc(dentry_p,
02440 0,
02441 dentry_p->d_inode->i_size));
02442 }
02443
02444
#else
02445
EXPORT_SYMBOL(rsbac_sec_trunc);
02446 int rsbac_sec_trunc(
struct dentry * dentry_p,
02447 loff_t new_len, loff_t old_len)
02448 {
02449
return 0;
02450 }
02451
EXPORT_SYMBOL(rsbac_sec_del);
02452 int rsbac_sec_del(
struct dentry * dentry_p)
02453 {
02454
return 0;
02455 }
02456
#endif
02457
02458
#ifdef CONFIG_RSBAC_SYM_REDIR
02459
void rsbac_symlink_redirect(
struct dentry * dentry_p,
char * name)
02460 {
02461
int err;
02462
union rsbac_target_id_t i_tid;
02463
#if defined(CONFIG_RSBAC_SYM_REDIR_MAC) || defined(CONFIG_RSBAC_SYM_REDIR_RC)
02464
union rsbac_target_id_t i_tid2;
02465
#endif
02466
union rsbac_attribute_value_t i_attr_val;
02467
02468
if(!name || !dentry_p || !dentry_p->d_inode)
02469
return;
02470
if (!
rsbac_is_initialized())
02471
return;
02472
02473 i_tid.symlink.device = dentry_p->d_inode->i_sb->s_dev;
02474 i_tid.symlink.inode = dentry_p->d_inode->i_ino;
02475 i_tid.symlink.dentry_p = dentry_p;
02476
if(!S_ISLNK(dentry_p->d_inode->i_mode))
02477 {
02478
#ifdef CONFIG_RSBAC_RMSG
02479
rsbac_printk(KERN_DEBUG
02480
"rsbac_symlink_redirect(): called for non-symlink inode %u on dev %02u:%02u!\n",
02481 i_tid.symlink.inode,
02482 RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02483
#endif
02484
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02485
if (!rsbac_nosyslog)
02486
#endif
02487
printk(KERN_DEBUG
02488
"rsbac_symlink_redirect(): called for non-symlink inode %u on dev %02u:%02u!\n",
02489 i_tid.symlink.inode,
02490 RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02491
return;
02492 }
02493
02494
#ifdef CONFIG_RSBAC_DEBUG
02495
if (rsbac_debug_aef)
02496 {
02497
#ifdef CONFIG_RSBAC_RMSG
02498
rsbac_printk(KERN_DEBUG
02499
"rsbac_symlink_redirect(): called for symlink inode %u on dev %02u:%02u!\n",
02500 i_tid.symlink.inode,
02501 RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02502
#endif
02503
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02504
if (!rsbac_nosyslog)
02505
#endif
02506
printk(KERN_DEBUG
02507
"rsbac_symlink_redirect(): called for symlink inode %u on dev %02u:%02u!\n",
02508 i_tid.symlink.inode,
02509 RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02510 }
02511
#endif
02512
02513
#ifdef CONFIG_RSBAC_SYM_REDIR_UID
02514
if ((err =
rsbac_get_attr(GEN,
02515 T_SYMLINK,
02516 i_tid,
02517 A_symlink_add_uid,
02518 &i_attr_val,
02519 FALSE) ))
02520 {
02521 rsbac_ds_get_error(
"rsbac_symlink_redirect()", A_symlink_add_uid);
02522
return;
02523 }
02524
if(i_attr_val.
symlink_add_uid)
02525 {
02526
rsbac_uid_t user;
02527 u_int len;
02528
02529 len = strlen(name);
02530
while( len
02531 && (name[len-1] >=
'0')
02532 && (name[len-1] <=
'9')
02533 )
02534 len--;
02535
if(len > (PAGE_SIZE - 20))
02536
return;
02537
if(!rsbac_get_owner(&user))
02538
ulongtostr(name+len, user);
02539 }
02540
#endif
02541
02542
#ifdef CONFIG_RSBAC_SYM_REDIR_MAC
02543
if ((err =
rsbac_get_attr(GEN,
02544 T_SYMLINK,
02545 i_tid,
02546 A_symlink_add_mac_level,
02547 &i_attr_val,
02548 FALSE) ))
02549 {
02550 rsbac_ds_get_error(
"rsbac_symlink_redirect()", A_symlink_add_mac_level);
02551
return;
02552 }
02553
if(i_attr_val.
symlink_add_mac_level)
02554 {
02555 u_int len;
02556
02557 len = strlen(name);
02558
while( len
02559 && ( ( (name[len-1] >=
'0')
02560 && (name[len-1] <=
'9')
02561 )
02562
#ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02563
|| (name[len-1] ==
':')
02564
#endif
02565
)
02566 )
02567 len--;
02568
#ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02569
if(len > (PAGE_SIZE - 85))
02570
#else
02571
if(len > (PAGE_SIZE - 20))
02572
#endif
02573
return;
02574
02575 i_tid2.
process = current->pid;
02576
if ((err =
rsbac_get_attr(MAC,
02577 T_PROCESS,
02578 i_tid2,
02579 A_current_sec_level,
02580 &i_attr_val,
02581 FALSE) ))
02582 {
02583 rsbac_ds_get_error(
"rsbac_symlink_redirect()", A_current_sec_level);
02584
return;
02585 }
02586
02587
#ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02588
len+=sprintf(name+len,
"%u:", i_attr_val.
current_sec_level);
02589
#else
02590
len+=sprintf(name+len,
"%u", i_attr_val.
current_sec_level);
02591
#endif
02592
02593
#ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02594
if ((err =
rsbac_get_attr(MAC,
02595 T_PROCESS,
02596 i_tid2,
02597 A_mac_curr_categories,
02598 &i_attr_val,
02599 FALSE) ))
02600 {
02601 rsbac_ds_get_error(
"rsbac_symlink_redirect()", A_mac_curr_categories);
02602
return;
02603 }
02604
u64tostrmac(name+len, i_attr_val.
mac_categories);
02605
#endif
02606
}
02607
#endif
02608
02609
#ifdef CONFIG_RSBAC_SYM_REDIR_RC
02610
if ((err =
rsbac_get_attr(GEN,
02611 T_SYMLINK,
02612 i_tid,
02613 A_symlink_add_rc_role,
02614 &i_attr_val,
02615 FALSE) ))
02616 {
02617 rsbac_ds_get_error(
"rsbac_symlink_redirect()", A_symlink_add_rc_role);
02618
return;
02619 }
02620
if(i_attr_val.
symlink_add_rc_role)
02621 {
02622 u_int len;
02623
02624 len = strlen(name);
02625
while( len
02626 && (name[len-1] >=
'0')
02627 && (name[len-1] <=
'9')
02628 )
02629 len--;
02630
if(len > (PAGE_SIZE - 20))
02631
return;
02632
02633 i_tid2.
process = current->pid;
02634
if ((err =
rsbac_get_attr(RC,
02635 T_PROCESS,
02636 i_tid2,
02637 A_rc_role,
02638 &i_attr_val,
02639 FALSE) ))
02640 {
02641 rsbac_ds_get_error(
"rsbac_symlink_redirect()", A_rc_role);
02642
return;
02643 }
02644
02645
ulongtostr(name+len, i_attr_val.
rc_role);
02646 }
02647
#endif
02648
02649
return;
02650 }
02651
#endif
02652
02653
#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART
02654
int rsbac_dac_part_disabled(
struct dentry * dentry_p)
02655 {
02656
int err;
02657
enum rsbac_target_t i_target;
02658
union rsbac_target_id_t i_tid;
02659
union rsbac_attribute_value_t i_attr_val;
02660
02661
if(!dentry_p || !dentry_p->d_inode || !dentry_p->d_inode->i_sb->s_dev || !
rsbac_is_initialized())
02662
return FALSE;
02663
02664
if(S_ISREG(dentry_p->d_inode->i_mode))
02665 i_target =
T_FILE;
02666
else
02667
if(S_ISDIR(dentry_p->d_inode->i_mode))
02668 i_target =
T_DIR;
02669
else
02670
if(S_ISFIFO(dentry_p->d_inode->i_mode))
02671 i_target =
T_FIFO;
02672
else
02673
if(S_ISLNK(dentry_p->d_inode->i_mode))
02674 i_target =
T_SYMLINK;
02675
else
02676
return FALSE;
02677
02678 i_tid.file.device = dentry_p->d_sb->s_dev;
02679 i_tid.file.inode = dentry_p->d_inode->i_ino;
02680 i_tid.file.dentry_p = dentry_p;
02681
02682
#ifdef CONFIG_RSBAC_DEBUG
02683
if (rsbac_debug_aef)
02684 {
02685
#ifdef CONFIG_RSBAC_RMSG
02686
rsbac_printk(KERN_DEBUG
02687
"rsbac_dac_part_disable(): called for dentry_p->d_inode %u on dev %02u:%02u, dentry_p %p!\n",
02688 i_tid.file.inode,
02689 RSBAC_MAJOR(i_tid.file.device), RSBAC_MINOR(i_tid.file.device),
02690 i_tid.file.dentry_p );
02691
#endif
02692
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02693
if (!rsbac_nosyslog)
02694
#endif
02695
printk(KERN_DEBUG
02696
"rsbac_dac_part_disable(): called for dentry_p->d_inode %u on dev %02u:%02u, dentry_p %p!\n",
02697 i_tid.file.inode,
02698 RSBAC_MAJOR(i_tid.file.device), RSBAC_MINOR(i_tid.file.device),
02699 i_tid.file.dentry_p );
02700 }
02701
#endif
02702
02703
if ((err =
rsbac_get_attr(GEN,
02704 i_target,
02705 i_tid,
02706 A_linux_dac_disable,
02707 &i_attr_val,
02708 TRUE) ))
02709 {
02710
#ifdef CONFIG_RSBAC_RMSG
02711
rsbac_printk(KERN_WARNING
02712
"rsbac_dac_part_disable(): rsbac_get_attr() for linux_dac_disable returned error %i!\n",
02713 err);
02714
#endif
02715
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02716
if (!rsbac_nosyslog)
02717
#endif
02718
printk(KERN_WARNING
02719
"rsbac_dac_part_disable(): rsbac_get_attr() for linux_dac_disable returned error %i!\n",
02720 err);
02721
return FALSE;
02722 }
02723
if(i_attr_val.
linux_dac_disable ==
LDD_true)
02724
return TRUE;
02725
else
02726
return FALSE;
02727 }
02728
#endif
02729
02730
#ifdef CONFIG_RSBAC_FAKE_ROOT_UID
02731
rsbac_uid_t rsbac_fake_uid(
void)
02732 {
02733
int err;
02734
union rsbac_target_id_t i_tid;
02735
union rsbac_attribute_value_t i_attr_val;
02736
02737
if(!current->uid)
02738
return 0;
02739
if (!
rsbac_is_initialized())
02740
return current->uid;
02741
02742 i_tid.
process = current->pid;
02743
if ((err =
rsbac_get_attr(GEN,
02744 T_PROCESS,
02745 i_tid,
02746 A_fake_root_uid,
02747 &i_attr_val,
02748 FALSE) ))
02749 {
02750 rsbac_ds_get_error(
"rsbac_fake_uid()", A_fake_root_uid);
02751
return current->uid;
02752 }
02753
switch(i_attr_val.
fake_root_uid)
02754 {
02755
case FR_both:
02756
case FR_uid_only:
02757
return 0;
02758
default:
02759
return current->uid;
02760 }
02761 }
02762
02763
rsbac_uid_t rsbac_fake_euid(
void)
02764 {
02765
int err;
02766
union rsbac_target_id_t i_tid;
02767
union rsbac_attribute_value_t i_attr_val;
02768
02769
if(!current->euid)
02770
return 0;
02771
if (!
rsbac_is_initialized())
02772
return current->euid;
02773
02774 i_tid.
process = current->pid;
02775
if ((err =
rsbac_get_attr(GEN,
02776 T_PROCESS,
02777 i_tid,
02778 A_fake_root_uid,
02779 &i_attr_val,
02780 FALSE) ))
02781 {
02782 rsbac_ds_get_error(
"rsbac_fake_euid()", A_fake_root_uid);
02783
return current->euid;
02784 }
02785
switch(i_attr_val.
fake_root_uid)
02786 {
02787
case FR_both:
02788
case FR_euid_only:
02789
return 0;
02790
default:
02791
return current->euid;
02792 }
02793 }
02794
02795
int rsbac_uid_faked(
void)
02796 {
02797
int err;
02798
union rsbac_target_id_t i_tid;
02799
union rsbac_attribute_value_t i_attr_val;
02800
02801
if (!
rsbac_is_initialized())
02802
return 0;
02803
02804 i_tid.
process = current->pid;
02805
if ((err =
rsbac_get_attr(GEN,
02806 T_PROCESS,
02807 i_tid,
02808 A_fake_root_uid,
02809 &i_attr_val,
02810 FALSE) ))
02811 {
02812 rsbac_ds_get_error(
"rsbac_uid_faked()", A_fake_root_uid);
02813
return 0;
02814 }
02815
switch(i_attr_val.
fake_root_uid)
02816 {
02817
case FR_both:
02818
case FR_uid_only:
02819
return 1;
02820
default:
02821
return 0;
02822 }
02823 }
02824
02825
#endif
02826
02827