00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
#include <linux/string.h>
00013
#include <rsbac/types.h>
00014
#include <rsbac/aci.h>
00015
#include <rsbac/adf_main.h>
00016
#include <rsbac/rc.h>
00017
#include <rsbac/error.h>
00018
#include <rsbac/debug.h>
00019
#include <rsbac/helpers.h>
00020
#include <rsbac/getname.h>
00021
#include <rsbac/rc_getname.h>
00022
#include <rsbac/rkmem.h>
00023
#include <rsbac/network.h>
00024
00025
00026
00027
00028
00029
00030
00031
00032
00033
static enum rsbac_adf_req_ret_t
00034 check_comp_rc(
enum rsbac_target_t target,
00035
union rsbac_target_id_t tid,
00036
enum rsbac_adf_request_t request,
00037
rsbac_pid_t caller_pid)
00038 {
00039
int err;
00040
union rsbac_target_id_t i_tid;
00041
enum rsbac_attribute_t i_attr;
00042
union rsbac_attribute_value_t i_attr_val1;
00043
union rsbac_attribute_value_t i_attr_val2;
00044
00045
union rsbac_rc_target_id_t i_rc_subtid;
00046
enum rsbac_rc_item_t i_rc_item;
00047
00048
00049 i_tid.
process = caller_pid;
00050
if ((err=
rsbac_get_attr(
RC,
00051
T_PROCESS,
00052 i_tid,
00053
A_rc_role,
00054 &i_attr_val1,
00055
FALSE)))
00056 {
00057 rsbac_ds_get_error(
"check_comp_rc",
A_rc_role);
00058
return(
NOT_GRANTED);
00059 }
00060
switch(target)
00061 {
00062
case T_FILE:
00063
case T_DIR:
00064
case T_FIFO:
00065
case T_SYMLINK:
00066 i_rc_item =
RI_type_comp_fd;
00067 i_attr =
A_rc_type_fd;
00068
break;
00069
case T_DEV:
00070 i_rc_item =
RI_type_comp_dev;
00071 i_attr =
A_rc_type;
00072
break;
00073
case T_USER:
00074 i_rc_item =
RI_type_comp_user;
00075 i_attr =
A_rc_type;
00076
break;
00077
case T_PROCESS:
00078 i_rc_item =
RI_type_comp_process;
00079 i_attr =
A_rc_type;
00080
break;
00081
case T_IPC:
00082 i_rc_item =
RI_type_comp_ipc;
00083 i_attr =
A_rc_type;
00084
break;
00085
#if defined(CONFIG_RSBAC_RC_NET_DEV_PROT)
00086
case T_NETDEV:
00087 i_rc_item =
RI_type_comp_netdev;
00088 i_attr =
A_rc_type;
00089
break;
00090
#endif
00091
#if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
00092
case T_NETTEMP:
00093 i_rc_item =
RI_type_comp_nettemp;
00094 i_attr =
A_rc_type_nt;
00095
break;
00096
case T_NETOBJ:
00097 i_rc_item =
RI_type_comp_netobj;
00098
if(
rsbac_net_remote_request(request))
00099 i_attr =
A_remote_rc_type;
00100
else
00101 i_attr =
A_local_rc_type;
00102
break;
00103
#endif
00104
default:
00105
#ifdef CONFIG_RSBAC_RMSG
00106
rsbac_printk(KERN_WARNING
"check_comp_rc(): invalid target %i!\n",target);
00107
#endif
00108
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00109
if (!rsbac_nosyslog)
00110
#endif
00111
printk(KERN_WARNING
"check_comp_rc(): invalid target %i!\n",target);
00112
return(
NOT_GRANTED);
00113 }
00114
00115
00116
if ((err=
rsbac_get_attr(
RC,
00117 target,
00118 tid,
00119 i_attr,
00120 &i_attr_val2,
00121
TRUE)))
00122 {
00123 rsbac_ds_get_error(
"check_comp_rc", i_attr);
00124
return(
NOT_GRANTED);
00125 }
00126
00127
00128 i_rc_subtid.
type = i_attr_val2.
rc_type;
00129
if(
rsbac_rc_check_comp(i_attr_val1.
rc_role,
00130 i_rc_subtid,
00131 i_rc_item,
00132 request))
00133
return(
GRANTED);
00134
else
00135 {
00136
#ifdef CONFIG_RSBAC_DEBUG
00137
if(rsbac_debug_adf_rc)
00138 {
00139
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00140
00141
if(tmp)
00142 {
00143
char * tmp2 =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00144
if(tmp2)
00145 {
00146
#ifdef CONFIG_RSBAC_RMSG
00147
rsbac_printk(KERN_DEBUG
"check_comp_rc(): pid %u (%.15s), owner %u, rc_role %i, %s rc_type %i, request %s -> NOT_GRANTED!\n",
00148 caller_pid, current->comm, current->uid, i_attr_val1.
rc_role,
get_target_name_only(tmp, target), i_attr_val2.
rc_type,
get_rc_special_right_name(tmp2, request));
00149
#endif
00150
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00151
if (!rsbac_nosyslog)
00152
#endif
00153
printk(KERN_DEBUG
"check_comp_rc(): pid %u (%.15s), owner %u, rc_role %i, %s rc_type %i, request %s -> NOT_GRANTED!\n",
00154 caller_pid, current->comm, current->uid, i_attr_val1.
rc_role,
get_target_name_only(tmp, target), i_attr_val2.
rc_type,
get_rc_special_right_name(tmp2, request));
00155
rsbac_kfree(tmp2);
00156 }
00157
rsbac_kfree(tmp);
00158 }
00159 }
00160
#endif
00161
return(
NOT_GRANTED);
00162 }
00163 }
00164
00165
static enum rsbac_adf_req_ret_t
00166 check_comp_rc_scd(
enum rsbac_rc_scd_type_t scd_type,
00167
enum rsbac_adf_request_t request,
00168
rsbac_pid_t caller_pid)
00169 {
00170
int err;
00171
union rsbac_target_id_t i_tid;
00172
union rsbac_attribute_value_t i_attr_val1;
00173
00174
union rsbac_rc_target_id_t i_rc_subtid;
00175
00176
00177 i_tid.
process = caller_pid;
00178
if ((err=
rsbac_get_attr(
RC,
00179
T_PROCESS,
00180 i_tid,
00181
A_rc_role,
00182 &i_attr_val1,
00183
FALSE)))
00184 {
00185 rsbac_ds_get_error(
"check_comp_rc_scd",
A_rc_role);
00186
return(
NOT_GRANTED);
00187 }
00188
00189 i_rc_subtid.
type = scd_type;
00190
if(
rsbac_rc_check_comp(i_attr_val1.
rc_role,
00191 i_rc_subtid,
00192
RI_type_comp_scd,
00193 request))
00194 {
00195
return(
GRANTED);
00196 }
00197
else
00198 {
00199
#ifdef CONFIG_RSBAC_DEBUG
00200
if(rsbac_debug_adf_rc)
00201 {
00202
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00203
00204
if(tmp)
00205 {
00206
#ifdef CONFIG_RSBAC_RMSG
00207
rsbac_printk(KERN_DEBUG
"check_comp_rc_scd(): pid %u (%.15s), owner %u, rc_role %i, scd_type %i, request %s -> NOT_GRANTED!\n",
00208 caller_pid, current->comm, current->uid, i_attr_val1.
rc_role, scd_type,
get_request_name(tmp,request));
00209
#endif
00210
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00211
if (!rsbac_nosyslog)
00212
#endif
00213
printk(KERN_DEBUG
"check_comp_rc_scd(): pid %u (%.15s), owner %u, rc_role %i, scd_type %i, request %s -> NOT_GRANTED!\n",
00214 caller_pid, current->comm, current->uid, i_attr_val1.
rc_role, scd_type,
get_request_name(tmp,request));
00215
rsbac_kfree(tmp);
00216 }
00217 }
00218
#endif
00219
return(
NOT_GRANTED);
00220 }
00221 }
00222
00223
00224 int rsbac_rc_test_admin_roles(
rsbac_rc_role_id_t t_role,
boolean modify)
00225 {
00226
int err;
00227
union rsbac_target_id_t i_tid;
00228
union rsbac_attribute_value_t i_attr_val1;
00229
union rsbac_rc_target_id_t i_rc_subtid;
00230
00231
if(t_role >
RC_role_max_value)
00232
return -
RSBAC_EINVALIDVALUE;
00233
00234 i_tid.
process = current->pid;
00235
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
00236 i_tid,
00237
A_rc_role,
00238 &i_attr_val1,
00239
TRUE)))
00240 {
00241 rsbac_ds_get_error(
"rsbac_rc_test_admin_roles",
A_rc_role);
00242
return -
RSBAC_EREADFAILED;
00243 }
00244
00245 i_rc_subtid.
role = t_role;
00246
00247
if(!modify)
00248 {
00249
if(
rsbac_rc_check_comp(i_attr_val1.
rc_role,
00250 i_rc_subtid,
00251
RI_assign_roles,
00252
R_NONE))
00253
return 0;
00254
00255 }
00256
00257
if(
rsbac_rc_check_comp(i_attr_val1.
rc_role,
00258 i_rc_subtid,
00259
RI_admin_roles,
00260
R_NONE))
00261
return 0;
00262
else
00263
return -EPERM;
00264 }
00265
00266
00267 int rsbac_rc_test_assign_roles(
enum rsbac_target_t target,
00268
union rsbac_target_id_t tid,
00269
enum rsbac_attribute_t attr,
00270
rsbac_rc_role_id_t t_role)
00271 {
00272
int err;
00273
union rsbac_target_id_t i_tid;
00274
union rsbac_attribute_value_t i_attr_val1;
00275
union rsbac_attribute_value_t i_attr_val2;
00276
union rsbac_rc_target_id_t i_rc_subtid;
00277
00278
if( ( (t_role >
RC_role_max_value)
00279 && (t_role !=
RC_role_inherit_user)
00280 )
00281 || (target >=
T_NONE)
00282 )
00283
return -
RSBAC_EINVALIDVALUE;
00284
00285 i_tid.
process = current->pid;
00286
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
00287 i_tid,
00288
A_rc_role,
00289 &i_attr_val1,
00290
TRUE)))
00291 {
00292 rsbac_ds_get_error(
"rsbac_rc_test_assign_roles",
A_rc_role);
00293
return -
RSBAC_EREADFAILED;
00294 }
00295
00296
if ((err=
rsbac_get_attr(
RC,
00297 target,
00298 tid,
00299 attr,
00300 &i_attr_val2,
00301
TRUE)))
00302 {
00303 rsbac_ds_get_error(
"rsbac_rc_test_assign_roles", attr);
00304
return -
RSBAC_EREADFAILED;
00305 }
00306
00307 i_rc_subtid.
role = i_attr_val2.
rc_role;
00308
if(!
rsbac_rc_check_comp(i_attr_val1.
rc_role,
00309 i_rc_subtid,
00310
RI_assign_roles,
00311
R_NONE))
00312
return -EPERM;
00313
if(t_role !=
RC_role_inherit_user)
00314 {
00315 i_rc_subtid.
role = t_role;
00316
if(!
rsbac_rc_check_comp(i_attr_val1.
rc_role,
00317 i_rc_subtid,
00318
RI_assign_roles,
00319
R_NONE))
00320
return -EPERM;
00321 }
00322
return 0;
00323 }
00324
00325
enum rsbac_adf_req_ret_t
00326 rsbac_rc_check_type_comp(
enum rsbac_target_t target,
00327
rsbac_rc_type_id_t type,
00328
enum rsbac_adf_request_t request,
00329
rsbac_pid_t caller_pid)
00330 {
00331
int err;
00332
union rsbac_target_id_t i_tid;
00333
union rsbac_attribute_value_t i_attr_val1;
00334
00335
union rsbac_rc_target_id_t i_rc_subtid;
00336
enum rsbac_rc_item_t i_rc_item;
00337
00338
if(!caller_pid)
00339 caller_pid = current->pid;
00340
00341
00342
00343
00344
if(type >
RC_type_max_value)
00345 {
00346
if(request ==
RCR_ASSIGN)
00347
return GRANTED;
00348
else
00349
return NOT_GRANTED;
00350 }
00351
00352
00353 i_tid.
process = caller_pid;
00354
if ((err=
rsbac_get_attr(
RC,
00355
T_PROCESS,
00356 i_tid,
00357
A_rc_role,
00358 &i_attr_val1,
00359
FALSE)))
00360 {
00361 rsbac_ds_get_error(
"rsbac_rc_check_type_comp",
A_rc_role);
00362
return(
NOT_GRANTED);
00363 }
00364
switch(target)
00365 {
00366
case T_FILE:
00367
case T_DIR:
00368
case T_FIFO:
00369
case T_SYMLINK:
00370 i_rc_item =
RI_type_comp_fd;
00371
break;
00372
case T_DEV:
00373 i_rc_item =
RI_type_comp_dev;
00374
break;
00375
case T_USER:
00376 i_rc_item =
RI_type_comp_user;
00377
break;
00378
case T_PROCESS:
00379 i_rc_item =
RI_type_comp_process;
00380
break;
00381
case T_IPC:
00382 i_rc_item =
RI_type_comp_ipc;
00383
break;
00384
#if defined(CONFIG_RSBAC_RC_NET_DEV_PROT)
00385
case T_NETDEV:
00386 i_rc_item =
RI_type_comp_netdev;
00387
break;
00388
#endif
00389
#if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
00390
case T_NETTEMP:
00391 i_rc_item =
RI_type_comp_nettemp;
00392
break;
00393
case T_NETOBJ:
00394 i_rc_item =
RI_type_comp_netobj;
00395
break;
00396
#endif
00397
00398
default:
00399
#ifdef CONFIG_RSBAC_RMSG
00400
rsbac_printk(KERN_WARNING
"rsbac_rc_check_type_comp(): invalid target %i!\n",target);
00401
#endif
00402
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00403
if (!rsbac_nosyslog)
00404
#endif
00405
printk(KERN_WARNING
"rsbac_rc_check_type_comp(): invalid target %i!\n",target);
00406
return(
NOT_GRANTED);
00407 }
00408
00409 i_rc_subtid.
type = type;
00410
if(
rsbac_rc_check_comp(i_attr_val1.
rc_role,
00411 i_rc_subtid,
00412 i_rc_item,
00413 request))
00414
return(
GRANTED);
00415
else
00416 {
00417
#ifdef CONFIG_RSBAC_DEBUG
00418
if(rsbac_debug_adf_rc)
00419 {
00420
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00421
00422
if(tmp)
00423 {
00424
#ifdef CONFIG_RSBAC_RMSG
00425
rsbac_printk(KERN_DEBUG
"rsbac_rc_check_type_comp(): rc_role is %i, rc_type is %i, request is %s -> NOT_GRANTED!\n",
00426 i_attr_val1.
rc_role, type,
get_rc_special_right_name(tmp, request));
00427
#endif
00428
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00429
if (!rsbac_nosyslog)
00430
#endif
00431
printk(KERN_DEBUG
"rsbac_rc_check_type_comp(): rc_role is %i, rc_type is %i, request is %s -> NOT_GRANTED!\n",
00432 i_attr_val1.
rc_role, type,
get_rc_special_right_name(tmp, request));
00433
rsbac_kfree(tmp);
00434 }
00435 }
00436
#endif
00437
return(
NOT_GRANTED);
00438 }
00439 }
00440
00441
00442 int rsbac_rc_test_role_admin(
boolean modify)
00443 {
00444
int err;
00445
union rsbac_target_id_t i_tid;
00446
union rsbac_attribute_value_t i_attr_val1;
00447
union rsbac_rc_target_id_t i_rc_tid;
00448
union rsbac_rc_item_value_t i_rc_item_val1;
00449
00450
00451 i_tid.
process = current->pid;
00452
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
00453 i_tid,
00454
A_rc_role,
00455 &i_attr_val1,
00456
TRUE)))
00457 {
00458 rsbac_ds_get_error(
"rsbac_rc_test_role_admin",
A_rc_role);
00459
return -
RSBAC_EREADFAILED;
00460 }
00461
00462
00463 i_rc_tid.
role = i_attr_val1.
rc_role;
00464
if ((err=
rsbac_rc_get_item(
RT_ROLE,
00465 i_rc_tid,
00466 i_rc_tid,
00467
RI_admin_type,
00468 &i_rc_item_val1,
00469
NULL)))
00470 {
00471 rsbac_rc_ds_get_error(
"rsbac_rc_test_role_admin",
RI_admin_type);
00472
return -
RSBAC_EREADFAILED;
00473 }
00474
00475
00476
if ( (i_rc_item_val1.
admin_type ==
RC_role_admin)
00477 || ( !modify
00478 && (i_rc_item_val1.
admin_type ==
RC_system_admin)
00479 )
00480 )
00481
return 0;
00482
else
00483
return -EPERM;
00484 }
00485
00486
00487
00488
00489
00490
enum rsbac_adf_req_ret_t
00491 rsbac_adf_request_rc (
enum rsbac_adf_request_t request,
00492
rsbac_pid_t caller_pid,
00493
enum rsbac_target_t target,
00494
union rsbac_target_id_t tid,
00495
enum rsbac_attribute_t attr,
00496
union rsbac_attribute_value_t attr_val,
00497
rsbac_uid_t owner)
00498 {
00499
int err;
00500
enum rsbac_adf_req_ret_t result =
DO_NOT_CARE;
00501
union rsbac_attribute_value_t i_attr_val1;
00502
union rsbac_rc_target_id_t i_rc_tid;
00503
union rsbac_rc_target_id_t i_rc_subtid;
00504
union rsbac_rc_item_value_t i_rc_item_val1;
00505
union rsbac_target_id_t i_tid;
00506
#ifdef CONFIG_RSBAC_RC_ROLE_PROT
00507
union rsbac_attribute_value_t i_attr_val2;
00508
#endif
00509
00510
switch (request)
00511 {
00512
case R_ADD_TO_KERNEL:
00513
switch(target)
00514 {
00515
case T_NONE:
00516
00517
return(
check_comp_rc_scd(
ST_other, request, caller_pid));
00518
00519
00520
default:
00521
return(
DO_NOT_CARE);
00522 }
00523
00524
00525
case R_ALTER:
00526
00527
switch(target)
00528 {
00529
case T_IPC:
00530
return(
check_comp_rc(target, tid, request, caller_pid));
00531
00532
00533
default:
return(
DO_NOT_CARE);
00534 }
00535
00536
case R_APPEND_OPEN:
00537
case R_READ_WRITE_OPEN:
00538
switch(target)
00539 {
00540
case T_FILE:
00541
case T_DEV:
00542
case T_FIFO:
00543
case T_IPC:
00544
return(
check_comp_rc(target, tid, request, caller_pid));
00545
00546
00547
default:
return(
DO_NOT_CARE);
00548 }
00549
00550
case R_CHANGE_GROUP:
00551
switch(target)
00552 {
00553
case T_FILE:
00554
case T_DIR:
00555
case T_FIFO:
00556
case T_SYMLINK:
00557
case T_IPC:
00558
return(
check_comp_rc(target, tid, request, caller_pid));
00559
00560
case T_PROCESS:
00561
case T_USER:
00562
return(
DO_NOT_CARE);
00563
00564
default:
return(
DO_NOT_CARE);
00565 }
00566
00567
case R_CHANGE_OWNER:
00568
switch(target)
00569 {
00570
case T_FILE:
00571
case T_DIR:
00572
case T_FIFO:
00573
case T_SYMLINK:
00574
case T_IPC:
00575
return(
check_comp_rc(target, tid, request, caller_pid));
00576
00577
case T_PROCESS:
00578
00579
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
00580 tid,
00581
A_rc_role,
00582 &i_attr_val1,
00583
FALSE)))
00584 {
00585 rsbac_ds_get_error(
"rsbac_adf_request_rc",
A_rc_role);
00586
return(-
RSBAC_EREADFAILED);
00587 }
00588
00589 i_rc_tid.
role = i_attr_val1.
rc_role;
00590
if ((err=
rsbac_rc_get_item(
RT_ROLE,
00591 i_rc_tid,
00592 i_rc_tid,
00593
RI_def_process_chown_type,
00594 &i_rc_item_val1,
00595
NULL)))
00596 {
00597 rsbac_rc_ds_get_error(
"rsbac_adf_request_rc()",
00598
RI_def_process_chown_type);
00599
return(-
RSBAC_EREADFAILED);
00600 }
00601
if( (i_rc_item_val1.
type_id ==
RC_type_no_chown)
00602 || (i_rc_item_val1.
type_id ==
RC_type_no_create)
00603 )
00604
return(
NOT_GRANTED);
00605
else
00606
return(
GRANTED);
00607
00608
00609
default:
00610
return(
DO_NOT_CARE);
00611 }
00612
00613
case R_CHDIR:
00614
switch(target)
00615 {
00616
case T_DIR:
00617
return(
check_comp_rc(target, tid, request, caller_pid));
00618
00619
00620
default:
return(
DO_NOT_CARE);
00621 }
00622
00623
case R_CLONE:
00624
if (target ==
T_PROCESS)
00625 {
00626
00627
00628 i_tid.
process = caller_pid;
00629
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
00630 i_tid,
00631
A_rc_role,
00632 &i_attr_val1,
00633
FALSE)))
00634 {
00635 rsbac_ds_get_error(
"rsbac_adf_request_rc",
A_rc_role);
00636
return(
NOT_GRANTED);
00637 }
00638
00639 i_rc_tid.
role = i_attr_val1.
rc_role;
00640
if ((err=
rsbac_rc_get_item(
RT_ROLE,
00641 i_rc_tid,
00642 i_rc_tid,
00643
RI_def_process_create_type,
00644 &i_rc_item_val1,
00645
NULL)))
00646 {
00647 rsbac_rc_ds_get_error(
"rsbac_adf_request_rc()",
00648
RI_def_process_create_type);
00649
return(-
RSBAC_EREADFAILED);
00650 }
00651
switch(i_rc_item_val1.
type_id)
00652 {
00653
case RC_type_no_create:
00654
return(
NOT_GRANTED);
00655
00656
case RC_type_use_new_role_def_create:
00657
00658
#ifdef CONFIG_RSBAC_RMSG
00659
rsbac_printk(KERN_WARNING
00660
"rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_fd_create_type of role %i!\n",
00661 i_attr_val1.
rc_role);
00662
#endif
00663
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00664
if (!rsbac_nosyslog)
00665
#endif
00666
printk(KERN_WARNING
00667
"rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_fd_create_type of role %i!\n",
00668 i_attr_val1.
rc_role);
00669
return(
NOT_GRANTED);
00670
00671
case RC_type_inherit_process:
00672
case RC_type_inherit_parent:
00673
return GRANTED;
00674
00675
default:
00676
00677
00678 i_rc_subtid.
type = i_rc_item_val1.
type_id;
00679
if(
rsbac_rc_check_comp(i_attr_val1.
rc_role,
00680 i_rc_subtid,
00681
RI_type_comp_process,
00682
R_CREATE))
00683
return(
GRANTED);
00684
else
00685 {
00686
#ifdef CONFIG_RSBAC_RMSG
00687
rsbac_printk(KERN_WARNING
00688
"rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_process_create_type %i -> NOT_GRANTED!\n",
00689 i_attr_val1.
rc_role, i_rc_item_val1.
type_id);
00690
#endif
00691
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00692
if (!rsbac_nosyslog)
00693
#endif
00694
printk(KERN_WARNING
00695
"rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_process_create_type %i -> NOT_GRANTED!\n",
00696 i_attr_val1.
rc_role, i_rc_item_val1.
type_id);
00697
return(
NOT_GRANTED);
00698 }
00699 }
00700 }
00701
else
00702
return(
DO_NOT_CARE);
00703
00704
00705
case R_CREATE:
00706
switch(target)
00707 {
00708
case T_DIR:
00709
00710 result =
check_comp_rc(target, tid, request, caller_pid);
00711
if((result !=
GRANTED) && (result !=
DO_NOT_CARE))
00712
return result;
00713
00714
00715
00716 i_tid.
process = caller_pid;
00717
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
00718 i_tid,
00719
A_rc_role,
00720 &i_attr_val1,
00721
FALSE)))
00722 {
00723 rsbac_ds_get_error(
"rsbac_adf_request_rc",
A_rc_role);
00724
return(
NOT_GRANTED);
00725 }
00726
00727 i_rc_tid.
role = i_attr_val1.
rc_role;
00728
if ((err=
rsbac_rc_get_item(
RT_ROLE,
00729 i_rc_tid,
00730 i_rc_tid,
00731
RI_def_fd_create_type,
00732 &i_rc_item_val1,
00733
NULL)))
00734 {
00735 rsbac_rc_ds_get_error(
"rsbac_adf_request_rc()",
00736
RI_def_fd_create_type);
00737
return(-
RSBAC_EREADFAILED);
00738 }
00739
switch(i_rc_item_val1.
type_id)
00740 {
00741
case RC_type_no_create:
00742
return(
NOT_GRANTED);
00743
break;
00744
00745
case RC_type_use_new_role_def_create:
00746
00747
#ifdef CONFIG_RSBAC_RMSG
00748
rsbac_printk(KERN_WARNING
00749
"rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_fd_create_type of role %i!\n",
00750 i_attr_val1.
rc_role);
00751
#endif
00752
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00753
if (!rsbac_nosyslog)
00754
#endif
00755
printk(KERN_WARNING
00756
"rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_fd_create_type of role %i!\n",
00757 i_attr_val1.
rc_role);
00758
return(
NOT_GRANTED);
00759
00760
case RC_type_inherit_process:
00761
case RC_type_inherit_parent:
00762
return GRANTED;
00763
00764
default:
00765
00766
00767 i_rc_subtid.
type = i_rc_item_val1.
type_id;
00768
if(
rsbac_rc_check_comp(i_attr_val1.
rc_role,
00769 i_rc_subtid,
00770
RI_type_comp_fd,
00771
R_CREATE))
00772
return(
GRANTED);
00773
else
00774 {
00775
#ifdef CONFIG_RSBAC_RMSG
00776
rsbac_printk(KERN_WARNING
00777
"rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_fd_create_type %i -> NOT_GRANTED!\n",
00778 i_attr_val1.
rc_role, i_rc_item_val1.
type_id);
00779
#endif
00780
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00781
if (!rsbac_nosyslog)
00782
#endif
00783
printk(KERN_WARNING
00784
"rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_fd_create_type %i -> NOT_GRANTED!\n",
00785 i_attr_val1.
rc_role, i_rc_item_val1.
type_id);
00786
return(
NOT_GRANTED);
00787 }
00788 }
00789
00790
case T_IPC:
00791
00792
00793 i_tid.
process = caller_pid;
00794
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
00795 i_tid,
00796
A_rc_role,
00797 &i_attr_val1,
00798
FALSE)))
00799 {
00800 rsbac_ds_get_error(
"rsbac_adf_request_rc",
A_rc_role);
00801
return(
NOT_GRANTED);
00802 }
00803
00804 i_rc_tid.
role = i_attr_val1.
rc_role;
00805
if ((err=
rsbac_rc_get_item(
RT_ROLE,
00806 i_rc_tid,
00807 i_rc_tid,
00808
RI_def_ipc_create_type,
00809 &i_rc_item_val1,
00810
NULL)))
00811 {
00812 rsbac_rc_ds_get_error(
"rsbac_adf_request_rc()",
00813
RI_def_ipc_create_type);
00814
return(-
RSBAC_EREADFAILED);
00815 }
00816
switch(i_rc_item_val1.
type_id)
00817 {
00818
case RC_type_no_create:
00819
return(
NOT_GRANTED);
00820
00821
case RC_type_use_new_role_def_create:
00822
00823
#ifdef CONFIG_RSBAC_RMSG
00824
rsbac_printk(KERN_WARNING
00825
"rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_fd_create_type of role %i!\n",
00826 i_attr_val1.
rc_role);
00827
#endif
00828
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00829
if (!rsbac_nosyslog)
00830
#endif
00831
printk(KERN_WARNING
00832
"rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_fd_create_type of role %i!\n",
00833 i_attr_val1.
rc_role);
00834
return(
NOT_GRANTED);
00835
00836
case RC_type_inherit_process:
00837
case RC_type_inherit_parent:
00838
return GRANTED;
00839
00840
default:
00841
00842
00843 i_rc_subtid.
type = i_rc_item_val1.
type_id;
00844
if(
rsbac_rc_check_comp(i_attr_val1.
rc_role,
00845 i_rc_subtid,
00846
RI_type_comp_ipc,
00847
R_CREATE))
00848
return(
GRANTED);
00849
else
00850 {
00851
#ifdef CONFIG_RSBAC_RMSG
00852
rsbac_printk(KERN_WARNING
00853
"rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_ipc_create_type %i -> NOT_GRANTED!\n",
00854 i_attr_val1.
rc_role, i_rc_item_val1.
type_id);
00855
#endif
00856
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00857
if (!rsbac_nosyslog)
00858
#endif
00859
printk(KERN_WARNING
00860
"rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_ipc_create_type %i -> NOT_GRANTED!\n",
00861 i_attr_val1.
rc_role, i_rc_item_val1.
type_id);
00862
return(
NOT_GRANTED);
00863 }
00864 }
00865
00866
#if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
00867
case T_NETTEMP:
00868
00869 i_tid.
process = caller_pid;
00870
if ((err=
rsbac_get_attr(
RC,
00871
T_PROCESS,
00872 i_tid,
00873
A_rc_role,
00874 &i_attr_val1,
00875
FALSE)))
00876 {
00877 rsbac_ds_get_error(
"rsbac_adf_request_rc",
A_rc_role);
00878
return(
NOT_GRANTED);
00879 }
00880
00881 i_rc_subtid.
type =
RSBAC_RC_GENERAL_TYPE;
00882
if(
rsbac_rc_check_comp(i_attr_val1.
rc_role,
00883 i_rc_subtid,
00884
RI_type_comp_nettemp,
00885 request))
00886
return(
GRANTED);
00887
else
00888 {
00889
#ifdef CONFIG_RSBAC_DEBUG
00890
if(rsbac_debug_adf_rc)
00891 {
00892
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00893
00894
if(tmp)
00895 {
00896
#ifdef CONFIG_RSBAC_RMSG
00897
rsbac_printk(KERN_DEBUG
00898
"rsbac_adf_request_rc(): rc_role is %i, rc_nettemp_type is %i, request is CREATE -> NOT_GRANTED!\n",
00899 i_attr_val1.
rc_role,
RSBAC_RC_GENERAL_TYPE);
00900
#endif
00901
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00902
if (!rsbac_nosyslog)
00903
#endif
00904
printk(KERN_DEBUG
00905
"rsbac_adf_request_rc(): rc_role is %i, rc_nettemp_type is %i, request is CREATE -> NOT_GRANTED!\n",
00906 i_attr_val1.
rc_role,
RSBAC_RC_GENERAL_TYPE);
00907
rsbac_kfree(tmp);
00908 }
00909 }
00910
#endif
00911
return(
NOT_GRANTED);
00912 }
00913
00914
case T_NETOBJ:
00915
00916
return(
check_comp_rc(target, tid, request, caller_pid));
00917
#endif
00918
00919
00920
default:
return(
DO_NOT_CARE);
00921 }
00922
00923
case R_DELETE:
00924
switch(target)
00925 {
00926
case T_FILE:
00927
case T_DIR:
00928
case T_FIFO:
00929
case T_SYMLINK:
00930
case T_IPC:
00931
#if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
00932
case T_NETTEMP:
00933
case T_NETOBJ:
00934
#endif
00935
return(
check_comp_rc(target, tid, request, caller_pid));
00936
00937
00938
default:
return(
DO_NOT_CARE);
00939 }
00940
00941
case R_EXECUTE:
00942
switch(target)
00943 {
00944
case T_FILE:
00945
00946
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
00947 tid,
00948
A_rc_role,
00949 &i_attr_val1,
00950
FALSE)))
00951 {
00952 rsbac_ds_get_error(
"rsbac_adf_request_rc",
A_rc_role);
00953
return(-
RSBAC_EREADFAILED);
00954 }
00955
00956 i_rc_tid.
role = i_attr_val1.
rc_role;
00957
if ((err=
rsbac_rc_get_item(
RT_ROLE,
00958 i_rc_tid,
00959 i_rc_tid,
00960
RI_def_process_execute_type,
00961 &i_rc_item_val1,
00962
NULL)))
00963 {
00964 rsbac_rc_ds_get_error(
"rsbac_adf_request_rc()",
00965
RI_def_process_execute_type);
00966
return(-
RSBAC_EREADFAILED);
00967 }
00968
if(i_rc_item_val1.
type_id ==
RC_type_no_execute)
00969
return(
NOT_GRANTED);
00970
else
00971
return(
check_comp_rc(target, tid, request, caller_pid));
00972
00973
00974
default:
00975
return(
DO_NOT_CARE);
00976 }
00977
00978
case R_GET_STATUS_DATA:
00979
switch(target)
00980 {
00981
case T_SCD:
00982
return(
check_comp_rc_scd(tid.
scd, request, caller_pid));
00983
case T_FILE:
00984
case T_DIR:
00985
case T_FIFO:
00986
case T_SYMLINK:
00987
case T_IPC:
00988
case T_PROCESS:
00989
return(
check_comp_rc(target, tid, request, caller_pid));
00990
00991
#if defined(CONFIG_RSBAC_RC_NET_DEV_PROT)
00992
case T_NETDEV:
00993
return(
check_comp_rc(target, tid, request, caller_pid));
00994
#endif
00995
00996
default:
00997
return(
DO_NOT_CARE);
00998 };
00999
01000
case R_LINK_HARD:
01001
switch(target)
01002 {
01003
case T_FILE:
01004
case T_FIFO:
01005
case T_SYMLINK:
01006
return(
check_comp_rc(target, tid, request, caller_pid));
01007
01008
01009
default:
return(
DO_NOT_CARE);
01010 }
01011
01012
case R_MAP_EXEC:
01013
switch(target)
01014 {
01015
case T_FILE:
01016
return(
check_comp_rc(target, tid, request, caller_pid));
01017
01018
01019
default:
01020
return(
DO_NOT_CARE);
01021 }
01022
01023
case R_MODIFY_ACCESS_DATA:
01024
case R_RENAME:
01025
switch(target)
01026 {
01027
case T_FILE:
01028
case T_DIR:
01029
case T_FIFO:
01030
case T_SYMLINK:
01031
return(
check_comp_rc(target, tid, request, caller_pid));
01032
01033
01034
default:
return(
DO_NOT_CARE);
01035 }
01036
01037
case R_MODIFY_ATTRIBUTE:
01038
switch(attr)
01039 {
01040
case A_owner:
01041
return(
NOT_GRANTED);
01042
case A_rc_type:
01043
case A_rc_type_fd:
01044
case A_rc_type_nt:
01045
01046 result =
check_comp_rc(target, tid, request, caller_pid);
01047
if( (result ==
GRANTED)
01048 || (result ==
DO_NOT_CARE)
01049 )
01050 {
01051
01052 result =
rsbac_rc_check_type_comp(target, attr_val.
rc_type,
RCR_ASSIGN, caller_pid);
01053
if( (result ==
GRANTED)
01054 || (result ==
DO_NOT_CARE)
01055 )
01056
return result;
01057 }
01058
01059
if ((err=
rsbac_rc_test_role_admin(
TRUE)))
01060
return(
NOT_GRANTED);
01061
else
01062
return(
GRANTED);
01063
01064
case A_rc_force_role:
01065
case A_rc_initial_role:
01066
case A_rc_role:
01067
case A_rc_def_role:
01068
01069 result =
check_comp_rc(target, tid, request, caller_pid);
01070
if( (result ==
GRANTED)
01071 || (result ==
DO_NOT_CARE)
01072 )
01073 {
01074
01075
if (!(err=
rsbac_rc_test_assign_roles(target, tid, attr, attr_val.
rc_role)))
01076
return(
GRANTED);
01077 }
01078
01079
if (
rsbac_rc_test_role_admin(
TRUE))
01080
return(
NOT_GRANTED);
01081
else
01082
return(
GRANTED);
01083
01084
01085
case A_pseudo:
01086
if(target !=
T_USER)
01087
return UNDEFINED;
01088
01089
if (
rsbac_rc_test_assign_roles(target, tid,
A_rc_def_role,
RC_role_inherit_user))
01090
return(
NOT_GRANTED);
01091
else
01092
return(
GRANTED);
01093
01094
#ifdef CONFIG_RSBAC_RC_GEN_PROT
01095
case A_log_array_low:
01096
case A_log_array_high:
01097
case A_log_program_based:
01098
case A_log_user_based:
01099
case A_symlink_add_uid:
01100
case A_symlink_add_rc_role:
01101
case A_linux_dac_disable:
01102
case A_fake_root_uid:
01103
01104 result =
check_comp_rc(target, tid, request, caller_pid);
01105
if( (result ==
GRANTED)
01106 || (result ==
DO_NOT_CARE)
01107 )
01108
return result;
01109
01110
if (
rsbac_rc_test_role_admin(
TRUE))
01111
return(
NOT_GRANTED);
01112
else
01113
return(
GRANTED);
01114
#endif
01115
01116
01117
case A_none:
01118
switch(target)
01119 {
01120
case T_USER:
01121
01122
if ((err=
rsbac_rc_test_assign_roles(target, tid,
A_rc_def_role,
RC_role_inherit_user)))
01123
return(
NOT_GRANTED);
01124
else
01125
return(
GRANTED);
01126
01127
default:
01128
01129
return(
check_comp_rc(target, tid, request, caller_pid));
01130 }
01131
01132
#ifdef CONFIG_RSBAC_RC_AUTH_PROT
01133
case A_auth_may_setuid:
01134
case A_auth_may_set_cap:
01135
case A_auth_start_uid:
01136
case A_auth_program_file:
01137
case A_auth_learn:
01138
case A_auth_add_f_cap:
01139
case A_auth_remove_f_cap:
01140
01141 result =
check_comp_rc_scd(
RST_auth_administration, request, caller_pid);
01142
if( (result ==
GRANTED)
01143 || (result ==
DO_NOT_CARE)
01144 )
01145 {
01146
01147 result =
check_comp_rc(target, tid,
RCR_MODIFY_AUTH, caller_pid);
01148
if( (result ==
GRANTED)
01149 || (result ==
DO_NOT_CARE)
01150 )
01151
return result;
01152 }
01153
01154
if ((err=
rsbac_rc_test_role_admin(
TRUE)))
01155
return(
NOT_GRANTED);
01156
else
01157
return(
GRANTED);
01158
#endif
01159
01160
default:
01161
return(
DO_NOT_CARE);
01162 }
01163
01164
case R_MODIFY_PERMISSIONS_DATA:
01165
switch(target)
01166 {
01167
case T_FILE:
01168
case T_DIR:
01169
case T_FIFO:
01170
case T_SYMLINK:
01171
case T_IPC:
01172
return(
check_comp_rc(target, tid, request, caller_pid));
01173
01174
case T_SCD:
01175
return(
check_comp_rc_scd(tid.
scd, request, caller_pid));
01176
01177
#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE
01178
case T_NONE:
01179
01180
return(
check_comp_rc_scd(
ST_other, request, caller_pid));
01181
#endif
01182
01183
01184
default:
return(
DO_NOT_CARE);
01185 }
01186
01187
case R_MODIFY_SYSTEM_DATA:
01188
switch(target)
01189 {
01190
case T_SCD:
01191
return(
check_comp_rc_scd(tid.
scd, request, caller_pid));
01192
01193
#if defined(CONFIG_RSBAC_RC_NET_DEV_PROT)
01194
case T_NETDEV:
01195
return(
check_comp_rc(target, tid, request, caller_pid));
01196
#endif
01197
01198
01199
default:
return(
DO_NOT_CARE);
01200 }
01201
01202
case R_MOUNT:
01203
switch(target)
01204 {
01205
case T_FILE:
01206
case T_DIR:
01207
case T_DEV:
01208
return(
check_comp_rc(target, tid, request, caller_pid));
01209
01210
01211
default:
return(
DO_NOT_CARE);
01212 }
01213
01214
case R_READ:
01215
case R_WRITE:
01216
switch(target)
01217 {
01218
case T_DIR:
01219
#ifdef CONFIG_RSBAC_RW
01220
case T_FILE:
01221
case T_FIFO:
01222
case T_DEV:
01223
#endif
01224
#if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
01225
#if defined(CONFIG_RSBAC_NET_OBJ_RW)
01226
case T_NETTEMP:
01227
case T_NETOBJ:
01228
#endif
01229
#endif
01230
return(
check_comp_rc(target, tid, request, caller_pid));
01231
01232
01233
default:
return(
DO_NOT_CARE);
01234 }
01235
01236
case R_READ_ATTRIBUTE:
01237
switch(attr)
01238 {
01239
case A_rc_type:
01240
case A_rc_type_fd:
01241
case A_rc_type_nt:
01242
case A_rc_force_role:
01243
case A_rc_initial_role:
01244
case A_rc_role:
01245
case A_rc_def_role:
01246
case A_pseudo:
01247
#ifdef CONFIG_RSBAC_RC_GEN_PROT
01248
case A_owner:
01249
case A_log_array_low:
01250
case A_log_array_high:
01251
case A_log_program_based:
01252
case A_log_user_based:
01253
case A_symlink_add_uid:
01254
case A_symlink_add_rc_role:
01255
case A_linux_dac_disable:
01256
case A_fake_root_uid:
01257
#endif
01258
01259 result =
check_comp_rc(target, tid, request, caller_pid);
01260
if( (result ==
GRANTED)
01261 || (result ==
DO_NOT_CARE)
01262 )
01263
return result;
01264
01265
if (
rsbac_rc_test_role_admin(
FALSE))
01266
return(
NOT_GRANTED);
01267
else
01268
return(
GRANTED);
01269
01270
#ifdef CONFIG_RSBAC_RC_AUTH_PROT
01271
case A_auth_may_setuid:
01272
case A_auth_may_set_cap:
01273
case A_auth_start_uid:
01274
case A_auth_program_file:
01275
case A_auth_learn:
01276
case A_auth_add_f_cap:
01277
case A_auth_remove_f_cap:
01278
01279 result =
check_comp_rc_scd(
RST_auth_administration, request, caller_pid);
01280
if( (result ==
GRANTED)
01281 || (result ==
DO_NOT_CARE)
01282 )
01283
return result;
01284
01285
if (
rsbac_rc_test_role_admin(
FALSE))
01286
return(
NOT_GRANTED);
01287
else
01288
return(
GRANTED);
01289
#endif
01290
01291
default:
01292
return(
DO_NOT_CARE);
01293 }
01294
01295
case R_READ_OPEN:
01296
switch(target)
01297 {
01298
case T_FILE:
01299
case T_DIR:
01300
case T_FIFO:
01301
case T_DEV:
01302
case T_IPC:
01303
return(
check_comp_rc(target, tid, request, caller_pid));
01304
01305
01306
default:
return(
DO_NOT_CARE);
01307 }
01308
01309
case R_REMOVE_FROM_KERNEL:
01310
switch(target)
01311 {
01312
case T_NONE:
01313
return(
check_comp_rc_scd(
ST_other, request, caller_pid));
01314
01315
01316
default:
return(
DO_NOT_CARE);
01317 }
01318
01319
case R_SEARCH:
01320
switch(target)
01321 {
01322
case T_DIR:
01323
case T_SYMLINK:
01324
return(
check_comp_rc(target, tid, request, caller_pid));
01325
01326
01327
default:
return(
DO_NOT_CARE);
01328 }
01329
01330
case R_SEND_SIGNAL:
01331
case R_TRACE:
01332
if (target ==
T_PROCESS)
01333
return(
check_comp_rc(target, tid, request, caller_pid));
01334
else
01335
return(
DO_NOT_CARE);
01336
01337
case R_SHUTDOWN:
01338
switch(target)
01339 {
01340
case T_NONE:
01341
return(
check_comp_rc_scd(
ST_other, request, caller_pid));
01342
01343
01344
default:
return(
DO_NOT_CARE);
01345 }
01346
01347
case R_SWITCH_LOG:
01348
switch(target)
01349 {
01350
case T_NONE:
01351
return(
check_comp_rc_scd(
ST_other, request, caller_pid));
01352
01353
01354
default:
return(
DO_NOT_CARE);
01355 }
01356
01357
case R_SWITCH_MODULE:
01358
switch(target)
01359 {
01360
case T_NONE:
01361
01362
if(attr != A_switch_target)
01363
return(
UNDEFINED);
01364
01365
if( (attr_val.switch_target !=
RC)
01366
#ifdef CONFIG_RSBAC_SOFTMODE
01367
&& (attr_val.switch_target !=
SOFTMODE)
01368
#endif
01369
)
01370
return(
DO_NOT_CARE);
01371
return(
check_comp_rc_scd(
ST_other, request, caller_pid));
01372
01373
01374
default:
return(
DO_NOT_CARE);
01375 }
01376
01377
case R_TERMINATE:
01378
if (target ==
T_PROCESS)
01379
return(
DO_NOT_CARE);
01380
else
01381
return(
DO_NOT_CARE);
01382
01383
case R_TRUNCATE:
01384
switch(target)
01385 {
01386
case T_FILE:
01387
return(
check_comp_rc(target, tid, request, caller_pid));
01388
01389
01390
default:
return(
DO_NOT_CARE);
01391 }
01392
01393
case R_WRITE_OPEN:
01394
switch(target)
01395 {
01396
case T_FILE:
01397
case T_DEV:
01398
case T_FIFO:
01399
case T_IPC:
01400
return(
check_comp_rc(target, tid, request, caller_pid));
01401
01402
01403
default:
return(
DO_NOT_CARE);
01404 }
01405
01406
case R_UMOUNT:
01407
switch(target)
01408 {
01409
case T_FILE:
01410
case T_DIR:
01411
case T_DEV:
01412
return(
check_comp_rc(target, tid, request, caller_pid));
01413
01414
01415
default:
return(
DO_NOT_CARE);
01416 }
01417
01418
01419
#if defined(CONFIG_RSBAC_NET)
01420
case R_BIND:
01421
switch(target)
01422 {
01423
#if defined(CONFIG_RSBAC_RC_NET_DEV_PROT)
01424
case T_NETDEV:
01425
return(
check_comp_rc(target, tid, request, caller_pid));
01426
#endif
01427
01428
#if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
01429
case T_NETOBJ:
01430
return(
check_comp_rc(target, tid, request, caller_pid));
01431
#endif
01432
01433
01434
default:
return(
DO_NOT_CARE);
01435 }
01436
#endif
01437
01438
#if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
01439
case R_LISTEN:
01440
case R_ACCEPT:
01441
case R_CONNECT:
01442
case R_SEND:
01443
case R_RECEIVE:
01444
case R_NET_SHUTDOWN:
01445
switch(target)
01446 {
01447
case T_NETOBJ:
01448
return(
check_comp_rc(target, tid, request, caller_pid));
01449
01450
01451
default:
return(
DO_NOT_CARE);
01452 }
01453
#endif
01454
01455
01456
default:
return DO_NOT_CARE;
01457 }
01458
01459
return(result);
01460 };
01461
01462
01463
01464
01465
01466
01467
01468
01469
01470
01471
01472
01473
01474 int rsbac_adf_set_attr_rc(
01475
enum rsbac_adf_request_t request,
01476
rsbac_pid_t caller_pid,
01477
enum rsbac_target_t target,
01478
union rsbac_target_id_t tid,
01479
enum rsbac_target_t new_target,
01480
union rsbac_target_id_t new_tid,
01481
enum rsbac_attribute_t attr,
01482
union rsbac_attribute_value_t attr_val,
01483
rsbac_uid_t owner)
01484 {
01485
int err;
01486
union rsbac_target_id_t i_tid;
01487
union rsbac_attribute_value_t i_attr_val1;
01488
union rsbac_attribute_value_t i_attr_val2;
01489
union rsbac_rc_target_id_t i_rc_tid;
01490
union rsbac_rc_item_value_t i_rc_item_val1;
01491
01492
switch (request)
01493 {
01494
case R_CHANGE_OWNER:
01495
switch (target)
01496 {
01497
case T_PROCESS:
01498
01499
01500
01501
if(attr != A_owner)
01502
return(-
RSBAC_EINVALIDATTR);
01503
01504
01505 i_tid.
process = caller_pid;
01506
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
01507 i_tid,
01508
A_rc_role,
01509 &i_attr_val1,
01510
TRUE)))
01511 {
01512 rsbac_ds_get_error(
"rsbac_adf_set_attr_rc",
A_rc_role);
01513
return(-
RSBAC_EREADFAILED);
01514 }
01515
01516 i_rc_tid.
role = i_attr_val1.
rc_role;
01517
if ((err=
rsbac_rc_get_item(
RT_ROLE,
01518 i_rc_tid,
01519 i_rc_tid,
01520
RI_def_process_chown_type,
01521 &i_rc_item_val1,
01522
NULL)))
01523 {
01524 rsbac_rc_ds_get_error(
"rsbac_adf_set_attr_rc()",
01525
RI_def_process_chown_type);
01526
return(-
RSBAC_EREADFAILED);
01527 }
01528
01529
01530 i_tid.
process = caller_pid;
01531
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
01532 i_tid,
01533
A_rc_force_role,
01534 &i_attr_val1,
01535
TRUE)))
01536 {
01537 rsbac_ds_get_error(
"rsbac_adf_set_attr_rc",
A_rc_force_role);
01538
return(-
RSBAC_EREADFAILED);
01539 }
01540
01541
if( (i_attr_val1.
rc_force_role ==
RC_role_inherit_user)
01542 || (i_attr_val1.
rc_force_role ==
RC_role_inherit_up_mixed)
01543 )
01544 {
01545
01546 i_tid.
user = attr_val.
owner;
01547
if ((err=
rsbac_get_attr(
RC,
T_USER,
01548 i_tid,
01549
A_rc_def_role,
01550 &i_attr_val1,
01551
TRUE)))
01552 {
01553 rsbac_ds_get_error(
"rsbac_adf_set_attr_rc",
A_rc_def_role);
01554
return(-
RSBAC_EREADFAILED);
01555 }
01556
01557
if(i_attr_val1.
rc_def_role >
RC_role_max_value)
01558 {
01559
#ifdef CONFIG_RSBAC_RMSG
01560
rsbac_printk(KERN_WARNING
01561
"rsbac_adf_set_attr_rc(): rc_def_role %u of user %u is higher than MAX_ROLE %u, setting role of process %u to GENERAL_ROLE %u!\n",
01562 i_attr_val1.
rc_def_role, attr_val.
owner,
RC_role_max_value, caller_pid,
RSBAC_RC_GENERAL_ROLE);
01563
#endif
01564
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01565
if (!rsbac_nosyslog)
01566
#endif
01567
printk(KERN_WARNING
01568
"rsbac_adf_set_attr_rc(): rc_def_role %u of user %u is higher than MAX_ROLE %u, setting role of process %u to GENERAL_ROLE %u!\n",
01569 i_attr_val1.
rc_def_role, attr_val.
owner,
RC_role_max_value, caller_pid,
RSBAC_RC_GENERAL_ROLE);
01570 i_attr_val1.
rc_def_role =
RSBAC_RC_GENERAL_ROLE;
01571 }
01572
01573 i_tid.
process = caller_pid;
01574
if ((err=
rsbac_set_attr(
RC,
T_PROCESS,
01575 i_tid,
01576
A_rc_role,
01577 i_attr_val1)))
01578 {
01579 rsbac_ds_set_error(
"rsbac_adf_set_attr_rc",
A_rc_role);
01580
return(-
RSBAC_EWRITEFAILED);
01581 }
01582 }
01583
else
01584
if( (i_attr_val1.
rc_force_role <=
RC_role_max_value)
01585 )
01586 {
01587
01588 i_tid.
process = caller_pid;
01589
if ((err=
rsbac_set_attr(
RC,
T_PROCESS,
01590 i_tid,
01591
A_rc_role,
01592 i_attr_val1)))
01593 {
01594 rsbac_ds_set_error(
"rsbac_adf_set_attr_rc",
A_rc_role);
01595
return(-
RSBAC_EWRITEFAILED);
01596 }
01597 }
01598
01599
01600
switch(i_rc_item_val1.
type_id)
01601 {
01602
case RC_type_inherit_process:
01603
case RC_type_inherit_parent:
01604
01605
break;
01606
case RC_type_use_new_role_def_create:
01607
01608 i_rc_tid.
role = i_attr_val1.
rc_role;
01609
if ((err=
rsbac_rc_get_item(
RT_ROLE,
01610 i_rc_tid,
01611 i_rc_tid,
01612
RI_def_process_create_type,
01613 &i_rc_item_val1,
01614
NULL)))
01615 {
01616 rsbac_rc_ds_get_error(
"rsbac_adf_set_attr_rc()",
01617
RI_def_process_create_type);
01618
return(-
RSBAC_EREADFAILED);
01619 }
01620
switch(i_rc_item_val1.
type_id)
01621 {
01622
case RC_type_inherit_process:
01623
case RC_type_inherit_parent:
01624
01625
break;
01626
case RC_type_use_new_role_def_create:
01627
01628
#ifdef CONFIG_RSBAC_RMSG
01629
rsbac_printk(KERN_WARNING
01630
"rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_process_create_type of role %i!\n",
01631 i_attr_val1.
rc_role);
01632
#endif
01633
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01634
if (!rsbac_nosyslog)
01635
#endif
01636
printk(KERN_WARNING
01637
"rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_process_create_type of role %i!\n",
01638 i_attr_val1.
rc_role);
01639
break;
01640
case RC_type_no_create:
01641
01642 i_rc_item_val1.
type_id =
RSBAC_RC_GENERAL_TYPE;
01643
01644
default:
01645
01646 i_attr_val1.
rc_type = i_rc_item_val1.
type_id;
01647
if ((err=
rsbac_set_attr(
RC,
T_PROCESS,
01648 i_tid,
01649
A_rc_type,
01650 i_attr_val1)))
01651 {
01652 rsbac_ds_set_error(
"rsbac_adf_set_attr_rc",
A_rc_type);
01653
return(-
RSBAC_EWRITEFAILED);
01654 }
01655 }
01656
break;
01657
case RC_type_no_create:
01658
case RC_type_no_chown:
01659
01660 i_rc_item_val1.
type_id =
RSBAC_RC_GENERAL_TYPE;
01661
01662
default:
01663
01664 i_attr_val1.
rc_type = i_rc_item_val1.
type_id;
01665
if ((err=
rsbac_set_attr(
RC,
T_PROCESS,
01666 i_tid,
01667
A_rc_type,
01668 i_attr_val1)))
01669 {
01670 rsbac_ds_set_error(
"rsbac_adf_set_attr_rc",
A_rc_type);
01671
return(-
RSBAC_EWRITEFAILED);
01672 }
01673 }
01674
01675
return(0);
01676
01677
01678
default:
01679
return(0);
01680 }
01681
01682
case R_CLONE:
01683
if (target ==
T_PROCESS)
01684 {
01685
01686
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
01687 tid,
01688
A_rc_role,
01689 &i_attr_val1,
01690
FALSE)))
01691 {
01692 rsbac_ds_get_error(
"rsbac_adf_set_attr_rc",
A_rc_role);
01693
return(-
RSBAC_EREADFAILED);
01694 }
01695
01696
01697
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
01698 tid,
01699
A_rc_force_role,
01700 &i_attr_val2,
01701
FALSE)))
01702 {
01703 rsbac_ds_get_error(
"rsbac_adf_set_attr_rc",
A_rc_force_role);
01704
return(-
RSBAC_EREADFAILED);
01705 }
01706
01707
01708
if ((err=
rsbac_set_attr(
RC,
T_PROCESS,
01709 new_tid,
01710
A_rc_role,
01711 i_attr_val1)))
01712 {
01713 rsbac_ds_set_error(
"rsbac_adf_set_attr_rc",
A_rc_role);
01714
return(-
RSBAC_EWRITEFAILED);
01715 }
01716
01717
01718
if ((err=
rsbac_set_attr(
RC,
T_PROCESS,
01719 new_tid,
01720
A_rc_force_role,
01721 i_attr_val2)))
01722 {
01723 rsbac_ds_set_error(
"rsbac_adf_set_attr_rc",
A_rc_force_role);
01724
return(-
RSBAC_EWRITEFAILED);
01725 }
01726
01727
01728 i_rc_tid.
role = i_attr_val1.
rc_role;
01729
if ((err=
rsbac_rc_get_item(
RT_ROLE,
01730 i_rc_tid,
01731 i_rc_tid,
01732
RI_def_process_create_type,
01733 &i_rc_item_val1,
01734
NULL)))
01735 {
01736 rsbac_rc_ds_get_error(
"rsbac_adf_set_attr_rc()",
01737
RI_def_process_create_type);
01738
return(-
RSBAC_EREADFAILED);
01739 }
01740
switch(i_rc_item_val1.
type_id)
01741 {
01742
case RC_type_inherit_parent:
01743
case RC_type_inherit_process:
01744
01745
01746
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
01747 tid,
01748
A_rc_type,
01749 &i_attr_val1,
01750
FALSE)))
01751 {
01752 rsbac_ds_get_error(
"rsbac_adf_set_attr_rc",
A_rc_type);
01753
return(-
RSBAC_EREADFAILED);
01754 }
01755
01756
if ((err=
rsbac_set_attr(
RC,
T_PROCESS,
01757 new_tid,
01758
A_rc_type,
01759 i_attr_val1)))
01760 {
01761 rsbac_ds_set_error(
"rsbac_adf_set_attr_rc",
A_rc_type);
01762
return(-
RSBAC_EWRITEFAILED);
01763 }
01764
break;
01765
case RC_type_no_create:
01766
return(-
RSBAC_EDECISIONMISMATCH);
01767
case RC_type_use_new_role_def_create:
01768
01769
#ifdef CONFIG_RSBAC_RMSG
01770
rsbac_printk(KERN_WARNING
01771
"rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_process_create_type of role %i!\n",
01772 i_attr_val1.
rc_role);
01773
#endif
01774
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01775
if (!rsbac_nosyslog)
01776
#endif
01777
printk(KERN_WARNING
01778
"rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_process_create_type of role %i!\n",
01779 i_attr_val1.
rc_role);
01780
return(-
RSBAC_EINVALIDVALUE);
01781
default:
01782
01783 i_attr_val1.
rc_type = i_rc_item_val1.
type_id;
01784
if ((err=
rsbac_set_attr(
RC,
T_PROCESS,
01785 new_tid,
01786
A_rc_type,
01787 i_attr_val1)))
01788 {
01789 rsbac_ds_set_error(
"rsbac_adf_set_attr_rc",
A_rc_type);
01790
return(-
RSBAC_EWRITEFAILED);
01791 }
01792 }
01793
return(0);
01794 }
01795
else
01796
return(0);
01797
01798
case R_CREATE:
01799
switch(target)
01800 {
01801
01802
case T_DIR:
01803
01804
01805 i_tid.
process = caller_pid;
01806
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
01807 i_tid,
01808
A_rc_role,
01809 &i_attr_val1,
01810
FALSE)))
01811 {
01812 rsbac_ds_get_error(
"rsbac_adf_set_attr_rc",
A_rc_role);
01813
return(-
RSBAC_EREADFAILED);
01814 }
01815
01816 i_rc_tid.
role = i_attr_val1.
rc_role;
01817
if ((err=
rsbac_rc_get_item(
RT_ROLE,
01818 i_rc_tid,
01819 i_rc_tid,
01820
RI_def_fd_create_type,
01821 &i_rc_item_val1,
01822
NULL)))
01823 {
01824 rsbac_rc_ds_get_error(
"rsbac_adf_set_attr_rc()",
01825
RI_def_fd_create_type);
01826
return(-
RSBAC_EREADFAILED);
01827 }
01828
switch(i_rc_item_val1.
type_id)
01829 {
01830
case RC_type_no_create:
01831
return(-
RSBAC_EDECISIONMISMATCH);
01832
break;
01833
01834
case RC_type_use_new_role_def_create:
01835
01836
#ifdef CONFIG_RSBAC_RMSG
01837
rsbac_printk(KERN_WARNING
01838
"rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_fd_create_type of role %i!\n",
01839 i_attr_val1.
rc_role);
01840
#endif
01841
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01842
if (!rsbac_nosyslog)
01843
#endif
01844
printk(KERN_WARNING
01845
"rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_fd_create_type of role %i!\n",
01846 i_attr_val1.
rc_role);
01847
return(-
RSBAC_EINVALIDVALUE);
01848
01849
case RC_type_inherit_process:
01850
01851 i_tid.
process = caller_pid;
01852
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
01853 i_tid,
01854
A_rc_type,
01855 &i_attr_val1,
01856
FALSE)))
01857 {
01858 rsbac_ds_get_error(
"rsbac_adf_set_attr_rc",
A_rc_type);
01859
return(-
RSBAC_EREADFAILED);
01860 }
01861
01862
if ((err=
rsbac_get_attr(
RC, new_target,
01863 new_tid,
01864
A_rc_type_fd,
01865 &i_attr_val2,
01866
FALSE)))
01867 {
01868 rsbac_ds_get_error(
"rsbac_adf_set_attr_rc",
A_rc_type_fd);
01869
return(-
RSBAC_EREADFAILED);
01870 }
01871
01872
if(i_attr_val2.
rc_type_fd != i_attr_val1.
rc_type_fd)
01873
if ((err=
rsbac_set_attr(
RC, new_target,
01874 new_tid,
01875
A_rc_type_fd,
01876 i_attr_val1)))
01877 {
01878 rsbac_ds_set_error(
"rsbac_adf_set_attr_rc",
A_rc_type_fd);
01879
return(-
RSBAC_EWRITEFAILED);
01880 }
01881
break;
01882
01883
case RC_type_inherit_parent:
01884
default:
01885
01886
if ((err=
rsbac_get_attr(
RC, new_target,
01887 new_tid,
01888
A_rc_type_fd,
01889 &i_attr_val1,
01890
FALSE)))
01891 {
01892 rsbac_ds_get_error(
"rsbac_adf_set_attr_rc",
A_rc_type_fd);
01893
return(-
RSBAC_EREADFAILED);
01894 }
01895
01896
if(i_attr_val1.
rc_type_fd != i_rc_item_val1.
type_id)
01897 {
01898 i_attr_val1.
rc_type_fd = i_rc_item_val1.
type_id;
01899
if ((err=
rsbac_set_attr(
RC, new_target,
01900 new_tid,
01901
A_rc_type_fd,
01902 i_attr_val1)))
01903 {
01904 rsbac_ds_set_error(
"rsbac_adf_set_attr_rc",
A_rc_type_fd);
01905
return(-
RSBAC_EWRITEFAILED);
01906 }
01907 }
01908 }
01909
return(0);
01910
01911
case T_IPC:
01912
01913 i_tid.
process = caller_pid;
01914
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
01915 i_tid,
01916
A_rc_role,
01917 &i_attr_val1,
01918
FALSE)))
01919 {
01920 rsbac_ds_get_error(
"rsbac_adf_set_attr_rc",
A_rc_role);
01921
return(-
RSBAC_EREADFAILED);
01922 }
01923
01924 i_rc_tid.
role = i_attr_val1.
rc_role;
01925
if ((err=
rsbac_rc_get_item(
RT_ROLE,
01926 i_rc_tid,
01927 i_rc_tid,
01928
RI_def_ipc_create_type,
01929 &i_rc_item_val1,
01930
NULL)))
01931 {
01932 rsbac_rc_ds_get_error(
"rsbac_adf_set_attr_rc()",
01933
RI_def_ipc_create_type);
01934
return(-
RSBAC_EREADFAILED);
01935 }
01936
switch(i_rc_item_val1.
type_id)
01937 {
01938
case RC_type_no_create:
01939
return(-
RSBAC_EDECISIONMISMATCH);
01940
break;
01941
01942
case RC_type_use_new_role_def_create:
01943
01944
#ifdef CONFIG_RSBAC_RMSG
01945
rsbac_printk(KERN_WARNING
01946
"rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_ipc_create_type of role %i!\n",
01947 i_attr_val1.
rc_role);
01948
#endif
01949
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01950
if (!rsbac_nosyslog)
01951
#endif
01952
printk(KERN_WARNING
01953
"rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_ipc_create_type of role %i!\n",
01954 i_attr_val1.
rc_role);
01955
return(-
RSBAC_EINVALIDVALUE);
01956
01957
case RC_type_inherit_parent:
01958
case RC_type_inherit_process:
01959
01960 i_tid.
process = caller_pid;
01961
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
01962 i_tid,
01963
A_rc_type,
01964 &i_attr_val1,
01965
FALSE)))
01966 {
01967 rsbac_ds_get_error(
"rsbac_adf_set_attr_rc",
A_rc_type);
01968
return(-
RSBAC_EREADFAILED);
01969 }
01970
01971
if ((err=
rsbac_get_attr(
RC,
01972 target,
01973 tid,
01974
A_rc_type,
01975 &i_attr_val2,
01976
FALSE)))
01977 {
01978 rsbac_ds_get_error(
"rsbac_adf_set_attr_rc",
A_rc_type);
01979
return(-
RSBAC_EREADFAILED);
01980 }
01981
01982
if(i_attr_val1.
rc_type != i_attr_val2.
rc_type)
01983 {
01984
if ((err=
rsbac_set_attr(
RC, target,
01985 tid,
01986
A_rc_type,
01987 i_attr_val1)))
01988 {
01989 rsbac_ds_set_error(
"rsbac_adf_set_attr_rc",
A_rc_type);
01990
return(-
RSBAC_EWRITEFAILED);
01991 }
01992 }
01993
break;
01994
01995
default:
01996
01997 i_attr_val1.
rc_type = i_rc_item_val1.
type_id;
01998
01999
if ((err=
rsbac_get_attr(
RC,
02000 target,
02001 tid,
02002
A_rc_type,
02003 &i_attr_val2,
02004
FALSE)))
02005 {
02006 rsbac_ds_get_error(
"rsbac_adf_set_attr_rc",
A_rc_type);
02007
return(-
RSBAC_EREADFAILED);
02008 }
02009
02010
if(i_attr_val1.
rc_type != i_attr_val2.
rc_type)
02011 {
02012
if ((err=
rsbac_set_attr(
RC, target,
02013 tid,
02014
A_rc_type,
02015 i_attr_val1)))
02016 {
02017 rsbac_ds_set_error(
"rsbac_adf_set_attr_rc",
A_rc_type);
02018
return(-
RSBAC_EWRITEFAILED);
02019 }
02020 }
02021 }
02022
return(0);
02023
02024
02025
default:
02026
return(0);
02027 }
02028
02029
case R_EXECUTE:
02030
switch(target)
02031 {
02032
02033
case T_FILE:
02034
02035 i_tid.
process = caller_pid;
02036
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
02037 i_tid,
02038
A_rc_role,
02039 &i_attr_val1,
02040
FALSE)))
02041 {
02042 rsbac_ds_get_error(
"rsbac_adf_set_attr_rc",
A_rc_role);
02043
return(-
RSBAC_EREADFAILED);
02044 }
02045
02046 i_rc_tid.
role = i_attr_val1.
rc_role;
02047
if ((err=
rsbac_rc_get_item(
RT_ROLE,
02048 i_rc_tid,
02049 i_rc_tid,
02050
RI_def_process_execute_type,
02051 &i_rc_item_val1,
02052
NULL)))
02053 {
02054 rsbac_rc_ds_get_error(
"rsbac_adf_set_attr_rc()",
02055
RI_def_process_execute_type);
02056
return(-
RSBAC_EREADFAILED);
02057 }
02058
switch(i_rc_item_val1.
type_id)
02059 {
02060
case RC_type_no_create:
02061
case RC_type_use_new_role_def_create:
02062
02063
#ifdef CONFIG_RSBAC_RMSG
02064
rsbac_printk(KERN_WARNING
02065
"rsbac_adf_set_attr_rc(): invalid type in def_process_execute_type of role %i!\n",
02066 i_attr_val1.
rc_role);
02067
#endif
02068
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02069
if (!rsbac_nosyslog)
02070
#endif
02071
printk(KERN_WARNING
02072
"rsbac_adf_set_attr_rc(): invalid type in def_process_execute_type of role %i!\n",
02073 i_attr_val1.
rc_role);
02074
return(-
RSBAC_EINVALIDVALUE);
02075
case RC_type_inherit_parent:
02076
case RC_type_inherit_process:
02077
break;
02078
case RC_type_no_execute:
02079
return(-
RSBAC_EDECISIONMISMATCH);
02080
default:
02081
02082 i_attr_val1.
rc_type = i_rc_item_val1.
type_id;
02083
if ((err=
rsbac_set_attr(
RC,
T_PROCESS,
02084 i_tid,
02085
A_rc_type,
02086 i_attr_val1)))
02087 {
02088 rsbac_ds_set_error(
"rsbac_adf_set_attr_rc",
A_rc_type);
02089
return(-
RSBAC_EWRITEFAILED);
02090 }
02091 }
02092
02093
02094
if ((err=
rsbac_get_attr(
RC,
T_FILE,
02095 tid,
02096
A_rc_force_role,
02097 &i_attr_val1,
02098
TRUE)))
02099 {
02100 rsbac_ds_get_error(
"rsbac_adf_set_attr_rc",
A_rc_force_role);
02101
return(-
RSBAC_EREADFAILED);
02102 }
02103
02104
if( (i_attr_val1.
rc_force_role >
RC_role_max_value)
02105 && (i_attr_val1.
rc_force_role <
RC_role_min_special)
02106 )
02107 {
02108
#ifdef CONFIG_RSBAC_RMSG
02109
rsbac_printk(KERN_WARNING
02110
"rsbac_adf_set_attr_rc(): rc_force_role %u of file %u on device %02u:%02u is higher than MAX_ROLE %u, setting forced role of process %u to default value %u!\n",
02111 i_attr_val1.
rc_force_role, tid.file.inode,
02112 MAJOR(tid.file.device), MINOR(tid.file.device),
02113
RC_role_max_value, caller_pid,
RC_default_root_dir_force_role);
02114
#endif
02115
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02116
if (!rsbac_nosyslog)
02117
#endif
02118
printk(KERN_WARNING
02119
"rsbac_adf_set_attr_rc(): rc_force_role %u of file %u on device %02u:%02u is higher than MAX_ROLE %u, setting forced role of process %u to default value %u!\n",
02120 i_attr_val1.
rc_force_role, tid.file.inode,
02121 MAJOR(tid.file.device), MINOR(tid.file.device),
02122
RC_role_max_value, caller_pid,
RC_default_root_dir_force_role);
02123 i_attr_val1.
rc_force_role =
RC_default_root_dir_force_role;
02124 }
02125
02126 i_tid.
process = caller_pid;
02127
if ((err=
rsbac_set_attr(
RC,
T_PROCESS,
02128 i_tid,
02129
A_rc_force_role,
02130 i_attr_val1)))
02131 {
02132 rsbac_ds_set_error(
"rsbac_adf_set_attr_rc",
A_rc_force_role);
02133
return(-
RSBAC_EWRITEFAILED);
02134 }
02135
02136
if ((err=
rsbac_get_attr(
RC,
T_FILE,
02137 tid,
02138
A_rc_initial_role,
02139 &i_attr_val2,
02140
TRUE)))
02141 {
02142 rsbac_ds_get_error(
"rsbac_adf_set_attr_rc",
A_rc_initial_role);
02143
return(-
RSBAC_EREADFAILED);
02144 }
02145
02146
if( (i_attr_val2.
rc_initial_role >
RC_role_max_value)
02147 && (i_attr_val2.
rc_initial_role !=
RC_role_use_force_role)
02148 )
02149 {
02150
#ifdef CONFIG_RSBAC_RMSG
02151
rsbac_printk(KERN_WARNING
02152
"rsbac_adf_set_attr_rc(): rc_initial_role %u of file %u on device %02u:%02u is higher than MAX_ROLE %u, setting initial role of process %u to default value %u!\n",
02153 i_attr_val2.
rc_initial_role, tid.file.inode,
02154 MAJOR(tid.file.device), MINOR(tid.file.device),
02155
RC_role_max_value, caller_pid,
RC_default_root_dir_initial_role);
02156
#endif
02157
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02158
if (!rsbac_nosyslog)
02159
#endif
02160
printk(KERN_WARNING
02161
"rsbac_adf_set_attr_rc(): rc_initial_role %u of file %u on device %02u:%02u is higher than MAX_ROLE %u, setting initial role of process %u to default value %u!\n",
02162 i_attr_val2.
rc_initial_role, tid.file.inode,
02163 MAJOR(tid.file.device), MINOR(tid.file.device),
02164
RC_role_max_value, caller_pid,
RC_default_root_dir_initial_role);
02165 i_attr_val2.
rc_initial_role =
RC_default_root_dir_initial_role;
02166 }
02167
if(i_attr_val2.
rc_initial_role ==
RC_role_use_force_role)
02168 {
02169
switch(i_attr_val1.
rc_force_role)
02170 {
02171
case RC_role_inherit_user:
02172
02173 i_tid.
user = owner;
02174
if ((err=
rsbac_get_attr(
RC,
T_USER,
02175 i_tid,
02176
A_rc_def_role,
02177 &i_attr_val1,
02178
TRUE)))
02179 {
02180 rsbac_ds_get_error(
"rsbac_adf_set_attr_rc",
A_rc_def_role);
02181
return(-
RSBAC_EREADFAILED);
02182 }
02183
02184 i_tid.
process = caller_pid;
02185
if ((err=
rsbac_set_attr(
RC,
T_PROCESS,
02186 i_tid,
02187
A_rc_role,
02188 i_attr_val1)))
02189 {
02190 rsbac_ds_set_error(
"rsbac_adf_set_attr_rc",
A_rc_role);
02191
return(-
RSBAC_EWRITEFAILED);
02192 }
02193
break;
02194
02195
case RC_role_inherit_process:
02196
case RC_role_inherit_parent:
02197
case RC_role_inherit_up_mixed:
02198
02199
break;
02200
02201
default:
02202
02203 i_tid.
process = caller_pid;
02204
if ((err=
rsbac_set_attr(
RC,
T_PROCESS,
02205 i_tid,
02206
A_rc_role,
02207 i_attr_val1)))
02208 {
02209 rsbac_ds_set_error(
"rsbac_adf_set_attr_rc",
A_rc_role);
02210
return(-
RSBAC_EWRITEFAILED);
02211 }
02212 }
02213 }
02214
else
02215 {
02216
02217 i_tid.
process = caller_pid;
02218
if ((err=
rsbac_set_attr(
RC,
T_PROCESS,
02219 i_tid,
02220
A_rc_role,
02221 i_attr_val2)))
02222 {
02223 rsbac_ds_set_error(
"rsbac_adf_set_attr_rc",
A_rc_role);
02224
return(-
RSBAC_EWRITEFAILED);
02225 }
02226 }
02227
02228
return(0);
02229
02230
02231
default:
02232
return(0);
02233 }
02234
02235
02236
02237
default:
return(0);
02238 }
02239
02240
return(0);
02241 };
02242
02243
02244
#ifdef CONFIG_RSBAC_SECDEL
02245
boolean rsbac_need_overwrite_rc(
struct dentry * dentry_p)
02246 {
02247
int err = 0;
02248
union rsbac_target_id_t i_tid;
02249
union rsbac_attribute_value_t i_attr_val1;
02250
union rsbac_rc_target_id_t i_rc_tid;
02251
union rsbac_rc_item_value_t i_rc_item_val1;
02252
02253
if( !dentry_p
02254 || !dentry_p->d_inode)
02255
return FALSE;
02256
02257 i_tid.file.device = dentry_p->d_sb->s_dev;
02258 i_tid.file.inode = dentry_p->d_inode->i_ino;
02259 i_tid.file.dentry_p = dentry_p;
02260
02261
if (
rsbac_get_attr(RC, T_FILE,
02262 i_tid,
02263 A_rc_type_fd,
02264 &i_attr_val1,
02265 TRUE))
02266 {
02267 rsbac_ds_get_error(
"rsbac_need_overwrite_rc", A_rc_type_fd);
02268
return FALSE;
02269 }
02270
02271 i_rc_tid.
role = i_attr_val1.
rc_role;
02272
if ((err=
rsbac_rc_get_item(RT_TYPE,
02273 i_rc_tid,
02274 i_rc_tid,
02275 RI_type_fd_need_secdel,
02276 &i_rc_item_val1,
02277 NULL)))
02278 {
02279 rsbac_rc_ds_get_error(
"rsbac_need_overwrite_rc()",
02280 RI_type_fd_need_secdel);
02281
return(
FALSE);
02282 }
02283
02284
02285
return(i_rc_item_val1.
need_secdel);
02286 }
02287
#endif
02288
02289