/daten/src/linux-2.4.27-rsbac-v1.2.3/rsbac/data_structures/mac_data_structures.c

Go to the documentation of this file.
00001 /*************************************************** */ 00002 /* Rule Set Based Access Control */ 00003 /* Implementation of MAC data structures */ 00004 /* Author and (c) 1999-2004: Amon Ott <ao@rsbac.org> */ 00005 /* */ 00006 /* Last modified: 16/Jun/2004 */ 00007 /*************************************************** */ 00008 00009 #include <linux/types.h> 00010 #include <linux/sched.h> 00011 #include <linux/mm.h> 00012 #include <linux/init.h> 00013 #include <linux/ext2_fs.h> 00014 #include <asm/uaccess.h> 00015 #include <rsbac/types.h> 00016 #include <rsbac/aci_data_structures.h> 00017 #include <rsbac/mac_data_structures.h> 00018 #include <rsbac/error.h> 00019 #include <rsbac/helpers.h> 00020 #include <rsbac/adf.h> 00021 #include <rsbac/aci.h> 00022 #include <rsbac/lists.h> 00023 #include <rsbac/proc_fs.h> 00024 #include <rsbac/rkmem.h> 00025 #include <rsbac/getname.h> 00026 #include <linux/string.h> 00027 #include <linux/smp_lock.h> 00028 00029 /************************************************************************** */ 00030 /* Global Variables */ 00031 /************************************************************************** */ 00032 00033 static struct rsbac_mac_device_list_head_t device_list_head; 00034 00035 static rsbac_list_handle_t process_handle = NULL; 00036 00037 /**************************************************/ 00038 /* Declarations of external functions */ 00039 /**************************************************/ 00040 00041 boolean writable(struct super_block * sb_p); 00042 00043 /**************************************************/ 00044 /* Declarations of internal functions */ 00045 /**************************************************/ 00046 00047 /************************************************* */ 00048 /* Internal Help functions */ 00049 /************************************************* */ 00050 00051 static inline int fd_hash(rsbac_inode_nr_t inode) 00052 { 00053 return(inode % RSBAC_MAC_NR_TRU_FD_LISTS); 00054 } 00055 00056 /* mac_register_fd_lists() */ 00057 /* register fd ACL lists for device */ 00058 00059 static int mac_register_fd_lists(struct rsbac_mac_device_list_item_t * device_p, 00060 kdev_t kdev) 00061 { 00062 char * name; 00063 int err = 0; 00064 int tmperr; 00065 char number[10]; 00066 u_int file_no; 00067 struct rsbac_list_lol_info_t lol_info; 00068 00069 if(!device_p) 00070 return(-RSBAC_EINVALIDPOINTER); 00071 name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00072 if(!name) 00073 return -RSBAC_ENOMEM; 00074 00075 /* register all the MAC lists of lists */ 00076 for (file_no = 0; file_no < RSBAC_MAC_NR_TRU_FD_LISTS; file_no++) 00077 { 00078 /* construct name from base name + number */ 00079 strcpy(name, RSBAC_MAC_FD_FILENAME); 00080 strcat(name, inttostr(number,file_no) ); 00081 00082 lol_info.version = RSBAC_MAC_FD_LIST_VERSION; 00083 lol_info.key = RSBAC_MAC_LIST_KEY; 00084 lol_info.desc_size = sizeof(rsbac_inode_nr_t); 00085 lol_info.data_size = 0; 00086 lol_info.subdesc_size = sizeof(rsbac_uid_t); 00087 lol_info.subdata_size = 0; /* rights */ 00088 lol_info.max_age = 0; 00089 tmperr = rsbac_list_lol_register(RSBAC_LIST_VERSION, 00090 &(device_p->handles[file_no]), 00091 &lol_info, 00092 RSBAC_LIST_PERSIST | RSBAC_LIST_DEF_DATA, 00093 rsbac_list_compare_u32, 00094 rsbac_list_compare_u32, 00095 NULL, 00096 NULL, 00097 NULL, 00098 NULL, 00099 name, 00100 kdev); 00101 if(tmperr) 00102 { 00103 char * tmp; 00104 00105 tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00106 if(tmp) 00107 { 00108 printk(KERN_WARNING 00109 "mac_register_fd_lists(): registering list %s for device %02u:%02u failed with error %s!\n", 00110 name, 00111 RSBAC_MAJOR(kdev), 00112 RSBAC_MINOR(kdev), 00113 get_error_name(tmp, tmperr)); 00114 rsbac_kfree(tmp); 00115 } 00116 err = tmperr; 00117 } 00118 } 00119 return err; 00120 } 00121 00122 /* mac_detach_fd_lists() */ 00123 /* detach from fd MAC lists for device */ 00124 00125 static int mac_detach_fd_lists(struct rsbac_mac_device_list_item_t * device_p) 00126 { 00127 char * name; 00128 int err = 0; 00129 int tmperr; 00130 char number[10]; 00131 u_int file_no; 00132 00133 if(!device_p) 00134 return(-RSBAC_EINVALIDPOINTER); 00135 name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00136 if(!name) 00137 return -RSBAC_ENOMEM; 00138 00139 /* detach all the MAC lists of lists */ 00140 for (file_no = 0; file_no < RSBAC_MAC_NR_TRU_FD_LISTS; file_no++) 00141 { 00142 /* construct name from base name + number */ 00143 strcpy(name, RSBAC_MAC_FD_FILENAME); 00144 strcat(name, inttostr(number,file_no) ); 00145 00146 tmperr = rsbac_list_lol_detach(&device_p->handles[file_no], 00147 RSBAC_MAC_LIST_KEY); 00148 if(tmperr) 00149 { 00150 char * tmp; 00151 00152 tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00153 if(tmp) 00154 { 00155 printk(KERN_WARNING 00156 "mac_detach_fd_lists(): detaching from list %s for device %02u:%02u failed with error %s!\n", 00157 name, 00158 RSBAC_MAJOR(device_p->id), 00159 RSBAC_MINOR(device_p->id), 00160 get_error_name(tmp, tmperr)); 00161 rsbac_kfree(tmp); 00162 } 00163 err = tmperr; 00164 } 00165 } 00166 return err; 00167 } 00168 00169 /************************************************************************** */ 00170 /* The lookup functions return NULL, if the item is not found, and a */ 00171 /* pointer to the item otherwise. */ 00172 00173 /* first the device item lookup */ 00174 static struct rsbac_mac_device_list_item_t * lookup_device(kdev_t kdev) 00175 { 00176 struct rsbac_mac_device_list_item_t * curr = device_list_head.curr; 00177 00178 /* if there is no current item or it is not the right one, search... */ 00179 if(! ( curr 00180 && (RSBAC_MAJOR(curr->id) == RSBAC_MAJOR(kdev)) 00181 && (RSBAC_MINOR(curr->id) == RSBAC_MINOR(kdev)) 00182 ) 00183 ) 00184 { 00185 curr = device_list_head.head; 00186 while( curr 00187 && ( (RSBAC_MAJOR(curr->id) != RSBAC_MAJOR(kdev)) 00188 || (RSBAC_MINOR(curr->id) != RSBAC_MINOR(kdev)) 00189 ) 00190 ) 00191 { 00192 curr = curr->next; 00193 } 00194 if (curr) 00195 device_list_head.curr=curr; 00196 } 00197 /* it is the current item -> return it */ 00198 return (curr); 00199 }; 00200 00201 /************************************************************************** */ 00202 /* The add_item() functions add an item to the list, set head.curr to it, */ 00203 /* and return a pointer to the item. */ 00204 /* These functions will NOT check, if there is already an item under the */ 00205 /* same ID! If this happens, the lookup functions will return the old item! */ 00206 /* All list manipulation is protected by rw-spinlocks to prevent inconsistency */ 00207 /* and undefined behaviour in other concurrent functions. */ 00208 00209 /* Create a device item without adding to list. No locking needed. */ 00210 static struct rsbac_mac_device_list_item_t 00211 * create_device_item(kdev_t kdev) 00212 { 00213 struct rsbac_mac_device_list_item_t * new_item_p; 00214 int i; 00215 00216 /* allocate memory for new device, return NULL, if failed */ 00217 if ( !(new_item_p = (struct rsbac_mac_device_list_item_t *) 00218 rsbac_kmalloc(sizeof(*new_item_p)) ) ) 00219 return(NULL); 00220 00221 new_item_p->id = kdev; 00222 new_item_p->mount_count = 1; 00223 00224 /* init file/dir sublists */ 00225 for(i=0 ; i < RSBAC_MAC_NR_TRU_FD_LISTS ; i++) 00226 new_item_p->handles[i] = NULL; 00227 return(new_item_p); 00228 }; 00229 00230 /* Add an existing device item to list. Locking needed. */ 00231 static struct rsbac_mac_device_list_item_t 00232 * add_device_item(struct rsbac_mac_device_list_item_t * device_p) 00233 { 00234 if (!device_p) 00235 return(NULL); 00236 00237 /* add new device to device list */ 00238 if (!device_list_head.head) 00239 { /* first device */ 00240 device_list_head.head=device_p; 00241 device_list_head.tail=device_p; 00242 device_list_head.curr=device_p; 00243 device_list_head.count=1; 00244 device_p->prev=NULL; 00245 device_p->next=NULL; 00246 } 00247 else 00248 { /* there is another device -> hang to tail */ 00249 device_p->prev=device_list_head.tail; 00250 device_p->next=NULL; 00251 device_list_head.tail->next=device_p; 00252 device_list_head.tail=device_p; 00253 device_list_head.curr=device_p; 00254 device_list_head.count++; 00255 }; 00256 return(device_p); 00257 }; 00258 00259 /************************************************************************** */ 00260 /* The remove_item() functions remove an item from the list. If this item */ 00261 /* is head, tail or curr, these pointers are set accordingly. */ 00262 /* To speed up removing several subsequent items, curr is set to the next */ 00263 /* item, if possible. */ 00264 /* If the item is not found, nothing is done. */ 00265 00266 static void clear_device_item(struct rsbac_mac_device_list_item_t * item_p) 00267 { 00268 if(!item_p) 00269 return; 00270 00271 /* First deregister lists... */ 00272 mac_detach_fd_lists(item_p); 00273 /* OK, lets remove the device item itself */ 00274 rsbac_kfree(item_p); 00275 }; /* end of clear_device_item() */ 00276 00277 static void remove_device_item(kdev_t kdev) 00278 { 00279 struct rsbac_mac_device_list_item_t * item_p; 00280 00281 /* first we must locate the item. */ 00282 if ( (item_p = lookup_device(kdev)) ) 00283 { /* ok, item was found */ 00284 if (device_list_head.head == item_p) 00285 { /* item is head */ 00286 if (device_list_head.tail == item_p) 00287 { /* item is head and tail = only item -> list will be empty*/ 00288 device_list_head.head = NULL; 00289 device_list_head.tail = NULL; 00290 } 00291 else 00292 { /* item is head, but not tail -> next item becomes head */ 00293 item_p->next->prev = NULL; 00294 device_list_head.head = item_p->next; 00295 }; 00296 } 00297 else 00298 { /* item is not head */ 00299 if (device_list_head.tail == item_p) 00300 { /*item is not head, but tail -> previous item becomes tail*/ 00301 item_p->prev->next = NULL; 00302 device_list_head.tail = item_p->prev; 00303 } 00304 else 00305 { /* item is neither head nor tail -> item is cut out */ 00306 item_p->prev->next = item_p->next; 00307 item_p->next->prev = item_p->prev; 00308 }; 00309 }; 00310 00311 /* curr is no longer valid -> reset. */ 00312 device_list_head.curr=NULL; 00313 /* adjust counter */ 00314 device_list_head.count--; 00315 00316 /* now we can remove the item from memory. This means cleaning up */ 00317 /* everything below. */ 00318 clear_device_item(item_p); 00319 }; /* end of if: item was found */ 00320 00321 }; /* end of remove_device_item() */ 00322 00323 /************************************************************************** */ 00324 /* The copy_fp_tru_set_item() function copies a file cap set to a process */ 00325 /* cap set */ 00326 00327 static int copy_fp_tru_set_item(struct rsbac_mac_device_list_item_t * device_p, 00328 rsbac_mac_file_t file, 00329 rsbac_pid_t pid) 00330 { 00331 rsbac_uid_t * tru_item_p; 00332 rsbac_time_t * ttl_p; 00333 int i; 00334 long count; 00335 enum rsbac_target_t target = T_FILE; 00336 union rsbac_target_id_t tid; 00337 00338 rsbac_list_lol_remove(process_handle, &pid); 00339 count = rsbac_list_lol_get_all_subdesc_ttl(device_p->handles[fd_hash(file.inode)], 00340 &file.inode, 00341 (void **) &tru_item_p, 00342 &ttl_p); 00343 if( !count 00344 || (count == -RSBAC_ENOTFOUND) 00345 ) 00346 { 00347 tid.file = file; 00348 if(!rsbac_get_parent(target, tid, &target, &tid)) 00349 count = rsbac_list_lol_get_all_subdesc_ttl(device_p->handles[fd_hash(tid.file.inode)], 00350 &tid.file.inode, 00351 (void **) &tru_item_p, 00352 &ttl_p); 00353 } 00354 if(count > 0) 00355 { 00356 for(i=0; i < count ; i++) 00357 { 00358 rsbac_list_lol_subadd_ttl(process_handle, 00359 ttl_p[i], 00360 &pid, 00361 &tru_item_p[i], 00362 NULL); 00363 } 00364 rsbac_vfree(tru_item_p); 00365 rsbac_vfree(ttl_p); 00366 } 00367 else 00368 { 00369 if( (count < 0) 00370 && (count != -RSBAC_ENOTFOUND) 00371 ) 00372 return count; 00373 } 00374 00375 return 0; 00376 }; /* end of copy_fp_tru_set_item() */ 00377 00378 /************************************************************************** */ 00379 /* The copy_pp_tru_set_item() function copies a process cap set to another */ 00380 00381 static int copy_pp_tru_set_item_handle(rsbac_list_handle_t handle, 00382 rsbac_pid_t old_pid, 00383 rsbac_pid_t new_pid) 00384 { 00385 rsbac_uid_t * tru_item_p; 00386 rsbac_time_t * ttl_p; 00387 int i; 00388 long count; 00389 00390 rsbac_list_lol_remove(handle, &new_pid); 00391 count = rsbac_list_lol_get_all_subdesc_ttl(handle, 00392 &old_pid, 00393 (void **) &tru_item_p, 00394 &ttl_p); 00395 if(count > 0) 00396 { 00397 for(i=0; i < count ; i++) 00398 { 00399 rsbac_list_lol_subadd_ttl(handle, 00400 ttl_p[i], 00401 &new_pid, 00402 &tru_item_p[i], 00403 NULL); 00404 } 00405 rsbac_vfree(tru_item_p); 00406 rsbac_vfree(ttl_p); 00407 } 00408 else 00409 { 00410 if(count < 0) 00411 return count; 00412 } 00413 return 0; 00414 } 00415 00416 static int copy_pp_tru_set_item(rsbac_pid_t old_pid, 00417 rsbac_pid_t new_pid) 00418 { 00419 return copy_pp_tru_set_item_handle(process_handle, old_pid, new_pid); 00420 }; /* end of copy_pp_tru_set_item() */ 00421 00422 /************************************************* */ 00423 /* proc functions */ 00424 /************************************************* */ 00425 00426 #if defined(CONFIG_RSBAC_PROC) && defined(CONFIG_PROC_FS) 00427 static int 00428 mac_devices_proc_info(char *buffer, char **start, off_t offset, int length) 00429 { 00430 int len = 0; 00431 off_t pos = 0; 00432 off_t begin = 0; 00433 struct rsbac_mac_device_list_item_t * device_p; 00434 u_long dflags; 00435 00436 if (!rsbac_is_initialized()) return (-ENOSYS); 00437 00438 len += sprintf(buffer, "%u RSBAC MAC Devices\n-------------------\n", 00439 device_list_head.count); 00440 00441 /* wait for read access to device_list_head */ 00442 rsbac_read_lock(&device_list_head.lock, &dflags); 00443 /* OK, go on */ 00444 for (device_p = device_list_head.head; device_p; device_p = device_p->next) 00445 { 00446 len += sprintf(buffer + len, "%02u:%02u with mount_count = %u\n", 00447 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), 00448 device_p->mount_count); 00449 pos = begin + len; 00450 if (pos < offset) 00451 { 00452 len = 0; 00453 begin = pos; 00454 } 00455 if (pos > offset+length) 00456 break; 00457 } 00458 00459 /* free access to device_list_head */ 00460 rsbac_read_unlock(&device_list_head.lock, &dflags); 00461 00462 *start = buffer + (offset - begin); 00463 len -= (offset - begin); 00464 00465 if (len > length) 00466 len = length; 00467 return len; 00468 } 00469 00470 static int 00471 stats_mac_proc_info(char *buffer, char **start, off_t offset, int length) 00472 { 00473 u_int len = 0; 00474 off_t pos = 0; 00475 off_t begin = 0; 00476 00477 u_int tru_set_count = 0; 00478 u_int member_count = 0; 00479 u_long dflags; 00480 struct rsbac_mac_device_list_item_t * device_p; 00481 int i; 00482 00483 union rsbac_target_id_t rsbac_target_id; 00484 union rsbac_attribute_value_t rsbac_attribute_value; 00485 00486 if (!rsbac_is_initialized) 00487 { 00488 printk(KERN_WARNING "stats_mac_proc_info(): RSBAC not initialized\n"); 00489 return(-RSBAC_ENOTINITIALIZED); 00490 } 00491 #ifdef CONFIG_RSBAC_DEBUG 00492 if (rsbac_debug_aef_mac) 00493 { 00494 #ifdef CONFIG_RSBAC_RMSG 00495 rsbac_printk(KERN_DEBUG "stats_mac_proc_info(): calling ADF\n"); 00496 #endif 00497 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00498 if (!rsbac_nosyslog) 00499 #endif 00500 printk(KERN_DEBUG "stats_mac_proc_info(): calling ADF\n"); 00501 } 00502 #endif 00503 rsbac_target_id.scd = ST_rsbac; 00504 rsbac_attribute_value.dummy = 0; 00505 if (!rsbac_adf_request(R_GET_STATUS_DATA, 00506 current->pid, 00507 T_SCD, 00508 rsbac_target_id, 00509 A_none, 00510 rsbac_attribute_value)) 00511 { 00512 return -EPERM; 00513 } 00514 00515 len += sprintf(buffer, "MAC Status\n----------\n"); 00516 00517 len += sprintf(buffer + len, "%lu process trusted user set items, sum of %lu members\n", 00518 rsbac_list_lol_count(process_handle), 00519 rsbac_list_lol_all_subcount(process_handle)); 00520 pos = begin + len; 00521 if (pos < offset) 00522 { 00523 len = 0; 00524 begin = pos; 00525 } 00526 if (pos > offset+length) 00527 goto out; 00528 00529 /* protect device list */ 00530 rsbac_read_lock(&device_list_head.lock, &dflags); 00531 device_p = device_list_head.head; 00532 while(device_p) 00533 { 00534 /* reset counters */ 00535 tru_set_count = 0; 00536 member_count = 0; 00537 for(i=0 ; i < RSBAC_MAC_NR_TRU_FD_LISTS; i++) 00538 { 00539 tru_set_count += rsbac_list_lol_count(device_p->handles[i]); 00540 member_count += rsbac_list_lol_all_subcount(device_p->handles[i]); 00541 } 00542 len += sprintf(buffer + len, "device %02u:%02u has %u file trusted user set items, sum of %u members\n", 00543 RSBAC_MAJOR(device_p->id), 00544 RSBAC_MINOR(device_p->id), 00545 tru_set_count,member_count); 00546 pos = begin + len; 00547 if (pos < offset) 00548 { 00549 len = 0; 00550 begin = pos; 00551 } 00552 if (pos > offset+length) 00553 goto out_unlock; 00554 00555 device_p = device_p->next; 00556 } 00557 out_unlock: 00558 /* unprotect device list */ 00559 rsbac_read_unlock(&device_list_head.lock, &dflags); 00560 00561 out: 00562 *start = buffer + (offset - begin); 00563 len -= (offset - begin); 00564 00565 if (len > length) 00566 len = length; 00567 return len; 00568 } 00569 00570 static int 00571 mac_trulist_proc_info(char *buffer, char **start, off_t offset, int length) 00572 { 00573 u_int len = 0; 00574 off_t pos = 0; 00575 off_t begin = 0; 00576 00577 u_int count = 0; 00578 u_int member_count = 0; 00579 u_long all_member_count; 00580 u_long dflags; 00581 int i,j,list; 00582 struct rsbac_mac_device_list_item_t * device_p; 00583 rsbac_pid_t * p_list; 00584 rsbac_inode_nr_t * f_list; 00585 rsbac_uid_t * tru_list; 00586 00587 union rsbac_target_id_t rsbac_target_id; 00588 union rsbac_attribute_value_t rsbac_attribute_value; 00589 00590 if (!rsbac_is_initialized) 00591 { 00592 printk(KERN_WARNING "mac_trulist_proc_info(): RSBAC not initialized\n"); 00593 return(-RSBAC_ENOTINITIALIZED); 00594 } 00595 #ifdef CONFIG_RSBAC_DEBUG 00596 if (rsbac_debug_aef_mac) 00597 { 00598 #ifdef CONFIG_RSBAC_RMSG 00599 rsbac_printk(KERN_DEBUG "mac_trulist_proc_info(): calling ADF\n"); 00600 #endif 00601 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00602 if (!rsbac_nosyslog) 00603 #endif 00604 printk(KERN_DEBUG "mac_trulist_proc_info(): calling ADF\n"); 00605 } 00606 #endif 00607 rsbac_target_id.scd = ST_rsbac; 00608 rsbac_attribute_value.dummy = 0; 00609 if (!rsbac_adf_request(R_GET_STATUS_DATA, 00610 current->pid, 00611 T_SCD, 00612 rsbac_target_id, 00613 A_none, 00614 rsbac_attribute_value)) 00615 { 00616 return -EPERM; 00617 } 00618 00619 len += sprintf(buffer, "MAC Trusted User Lists\n---------------------\n"); 00620 00621 /* protect process cap set list */ 00622 len += sprintf(buffer + len, "Process trusted user sets:\nset-id count members"); 00623 pos = begin + len; 00624 if (pos < offset) 00625 { 00626 len = 0; 00627 begin = pos; 00628 } 00629 if (pos > offset+length) 00630 goto out; 00631 00632 all_member_count = 0; 00633 count = rsbac_list_lol_get_all_desc(process_handle, 00634 (void **) &p_list); 00635 if(count > 0) 00636 { 00637 for(i=0; i<count; i++) 00638 { 00639 member_count = rsbac_list_lol_get_all_subdesc(process_handle, 00640 &p_list[i], 00641 (void **) &tru_list); 00642 len += sprintf(buffer + len, "\n %u\t%u\t", 00643 p_list[i], 00644 member_count); 00645 if(member_count > 0) 00646 { 00647 for(j=0; j<member_count; j++) 00648 { 00649 len += sprintf(buffer + len, "%u ", 00650 tru_list[j]); 00651 pos = begin + len; 00652 if (pos < offset) 00653 { 00654 len = 0; 00655 begin = pos; 00656 } 00657 if (pos > offset+length) 00658 { 00659 rsbac_vfree(tru_list); 00660 rsbac_vfree(p_list); 00661 goto out; 00662 } 00663 } 00664 rsbac_vfree(tru_list); 00665 all_member_count += member_count; 00666 } 00667 pos = begin + len; 00668 if (pos < offset) 00669 { 00670 len = 0; 00671 begin = pos; 00672 } 00673 if (pos > offset+length) 00674 { 00675 rsbac_vfree(p_list); 00676 goto out; 00677 } 00678 } 00679 rsbac_vfree(p_list); 00680 } 00681 len += sprintf(buffer + len, "\n%u process trusted user set items, sum of %lu members\n", 00682 count,all_member_count); 00683 pos = begin + len; 00684 if (pos < offset) 00685 { 00686 len = 0; 00687 begin = pos; 00688 } 00689 if (pos > offset+length) 00690 goto out; 00691 00692 len += sprintf(buffer + len, "\nFile trusted user sets:\nset-id count members"); 00693 pos = begin + len; 00694 if (pos < offset) 00695 { 00696 len = 0; 00697 begin = pos; 00698 } 00699 if (pos > offset+length) 00700 goto out; 00701 00702 /* protect device list */ 00703 rsbac_read_lock(&device_list_head.lock, &dflags); 00704 device_p = device_list_head.head; 00705 while(device_p) 00706 { 00707 /* reset counters */ 00708 all_member_count = 0; 00709 for(list=0 ; list < RSBAC_MAC_NR_TRU_FD_LISTS; list++) 00710 { 00711 count = rsbac_list_lol_get_all_desc(device_p->handles[list], 00712 (void **) &f_list); 00713 if(count > 0) 00714 { 00715 for(i=0; i<count; i++) 00716 { 00717 member_count = rsbac_list_lol_get_all_subdesc(device_p->handles[list], 00718 &f_list[i], 00719 (void **) &tru_list); 00720 len += sprintf(buffer + len, "\n %u\t%u\t", 00721 f_list[i], 00722 member_count); 00723 if(member_count > 0) 00724 { 00725 for(j=0; j<member_count; j++) 00726 { 00727 len += sprintf(buffer + len, "%u ", 00728 tru_list[j]); 00729 pos = begin + len; 00730 if (pos < offset) 00731 { 00732 len = 0; 00733 begin = pos; 00734 } 00735 if (pos > offset+length) 00736 { 00737 rsbac_vfree(tru_list); 00738 rsbac_vfree(f_list); 00739 goto out_unlock; 00740 } 00741 } 00742 rsbac_vfree(tru_list); 00743 all_member_count += member_count; 00744 } 00745 pos = begin + len; 00746 if (pos < offset) 00747 { 00748 len = 0; 00749 begin = pos; 00750 } 00751 if (pos > offset+length) 00752 { 00753 rsbac_vfree(f_list); 00754 goto out_unlock; 00755 } 00756 } 00757 rsbac_vfree(f_list); 00758 } 00759 } 00760 len += sprintf(buffer + len, "\ndevice %02u:%02u has %u file trusted user set items, sum of %lu members\n", 00761 RSBAC_MAJOR(device_p->id), 00762 RSBAC_MINOR(device_p->id), 00763 count, all_member_count); 00764 pos = begin + len; 00765 if (pos < offset) 00766 { 00767 len = 0; 00768 begin = pos; 00769 } 00770 if (pos > offset+length) 00771 goto out_unlock; 00772 00773 device_p = device_p->next; 00774 } 00775 out_unlock: 00776 /* unprotect device list */ 00777 rsbac_read_unlock(&device_list_head.lock, &dflags); 00778 00779 out: 00780 *start = buffer + (offset - begin); 00781 len -= (offset - begin); 00782 00783 if (len > length) 00784 len = length; 00785 return len; 00786 } 00787 #endif /* CONFIG_PROC_FS && CONFIG_RSBAC_PROC */ 00788 00789 /************************************************* */ 00790 /* Init functions */ 00791 /************************************************* */ 00792 00793 /* All functions return 0, if no error occurred, and a negative error code */ 00794 /* otherwise. The error codes are defined in rsbac/error.h. */ 00795 00796 /************************************************************************** */ 00797 /* Initialization of all MAC data structures. After this call, all MAC */ 00798 /* data is kept in memory for performance reasons, but is written to disk */ 00799 /* on every change. */ 00800 00801 /* Because there can be no access to aci data structures before init, */ 00802 /* rsbac_init_mac() will initialize all rw-spinlocks to unlocked. */ 00803 00804 #ifdef CONFIG_RSBAC_INIT_DELAY 00805 int rsbac_init_mac(void) 00806 #else 00807 int __init rsbac_init_mac(void) 00808 #endif 00809 { 00810 int err = 0; 00811 struct rsbac_mac_device_list_item_t * device_p = NULL; 00812 u_long dflags; 00813 struct proc_dir_entry * tmp_entry_p; 00814 struct rsbac_list_lol_info_t lol_info; 00815 00816 if (rsbac_is_initialized()) 00817 { 00818 #ifdef CONFIG_RSBAC_RMSG 00819 rsbac_printk(KERN_WARNING "rsbac_init_mac(): RSBAC already initialized\n"); 00820 #endif 00821 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00822 if (!rsbac_nosyslog) 00823 #endif 00824 printk(KERN_WARNING "rsbac_init_mac(): RSBAC already initialized\n"); 00825 return(-RSBAC_EREINIT); 00826 } 00827 00828 /* set rw-spinlocks to unlocked status and init data structures */ 00829 #ifdef CONFIG_RSBAC_RMSG 00830 rsbac_printk(KERN_INFO "rsbac_init_mac(): Initializing RSBAC: MAC subsystem\n"); 00831 #endif 00832 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00833 if (!rsbac_nosyslog) 00834 #endif 00835 printk(KERN_INFO "rsbac_init_mac(): Initializing RSBAC: MAC subsystem\n"); 00836 00837 lol_info.version = RSBAC_MAC_P_LIST_VERSION; 00838 lol_info.key = RSBAC_MAC_LIST_KEY; 00839 lol_info.desc_size = sizeof(rsbac_pid_t); 00840 lol_info.data_size = 0; 00841 lol_info.subdesc_size = sizeof(rsbac_uid_t); 00842 lol_info.subdata_size = 0; 00843 lol_info.max_age = 0; 00844 err = rsbac_list_lol_register(RSBAC_LIST_VERSION, 00845 &process_handle, 00846 &lol_info, 00847 RSBAC_LIST_DEF_DATA, 00848 NULL, 00849 NULL, 00850 NULL, 00851 NULL, 00852 NULL, 00853 NULL, 00854 RSBAC_MAC_P_LIST_NAME, 00855 RSBAC_AUTO_DEV); 00856 if(err) 00857 { 00858 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00859 00860 if(tmp) 00861 { 00862 #ifdef CONFIG_RSBAC_RMSG 00863 rsbac_printk(KERN_WARNING 00864 "rsbac_init_mac(): Registering MAC process trusted user list failed with error %s\n", 00865 get_error_name(tmp, err)); 00866 #endif 00867 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00868 if (!rsbac_nosyslog) 00869 #endif 00870 printk(KERN_WARNING 00871 "rsbac_init_mac(): Registering MAC process trusted user list failed with error %s\n", 00872 get_error_name(tmp, err)); 00873 rsbac_kfree(tmp); 00874 } 00875 } 00876 00877 /* Init FD lists */ 00878 device_list_head.lock = RW_LOCK_UNLOCKED; 00879 device_list_head.head = NULL; 00880 device_list_head.tail = NULL; 00881 device_list_head.curr = NULL; 00882 device_list_head.count = 0; 00883 00884 /* read all data */ 00885 #ifdef CONFIG_RSBAC_DEBUG 00886 if (rsbac_debug_ds_mac) 00887 { 00888 #ifdef CONFIG_RSBAC_RMSG 00889 rsbac_printk(KERN_INFO "rsbac_init_mac(): Registering FD lists\n"); 00890 #endif 00891 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00892 if (!rsbac_nosyslog) 00893 #endif 00894 printk(KERN_INFO "rsbac_init_mac(): Registering FD lists\n"); 00895 } 00896 #endif 00897 device_p = create_device_item(rsbac_root_dev); 00898 if (!device_p) 00899 { 00900 #ifdef CONFIG_RSBAC_RMSG 00901 rsbac_printk(KERN_CRIT "rsbac_init_mac(): Could not add device!\n"); 00902 #endif 00903 printk(KERN_CRIT "rsbac_init_mac(): Could not add device!\n"); 00904 return(-RSBAC_ECOULDNOTADDDEVICE); 00905 } 00906 if((err = mac_register_fd_lists(device_p,rsbac_root_dev))) 00907 { 00908 char tmp[RSBAC_MAXNAMELEN]; 00909 00910 #ifdef CONFIG_RSBAC_RMSG 00911 rsbac_printk(KERN_WARNING 00912 "rsbac_init_mac(): File/Dir trusted user set registration failed for dev %02u:%02u, err %s!\n", 00913 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev), get_error_name(tmp,err)); 00914 #endif 00915 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00916 if (!rsbac_nosyslog) 00917 #endif 00918 printk(KERN_WARNING 00919 "rsbac_init_mac(): File/Dir trusted user set registration failed for dev %02u:%02u, err %s!\n", 00920 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev), get_error_name(tmp,err)); 00921 } 00922 /* wait for write access to device_list_head */ 00923 rsbac_write_lock_irq(&device_list_head.lock, &dflags); 00924 device_p = add_device_item(device_p); 00925 /* device was added, allow access */ 00926 rsbac_write_unlock_irq(&device_list_head.lock, &dflags); 00927 if (!device_p) 00928 { 00929 #ifdef CONFIG_RSBAC_RMSG 00930 rsbac_printk(KERN_CRIT "rsbac_init_mac(): Could not add device!\n"); 00931 #endif 00932 printk(KERN_CRIT "rsbac_init_mac(): Could not add device!\n"); 00933 return(-RSBAC_ECOULDNOTADDDEVICE); 00934 } 00935 00936 #if defined(CONFIG_RSBAC_PROC) && defined(CONFIG_PROC_FS) 00937 tmp_entry_p = create_proc_entry("mac_devices", 00938 S_IFREG | S_IRUGO | S_IWUGO, 00939 proc_rsbac_root_p); 00940 if(tmp_entry_p) 00941 { 00942 tmp_entry_p->get_info = mac_devices_proc_info; 00943 } 00944 tmp_entry_p = create_proc_entry("stats_mac", 00945 S_IFREG | S_IRUGO, 00946 proc_rsbac_root_p); 00947 if(tmp_entry_p) 00948 { 00949 tmp_entry_p->get_info = stats_mac_proc_info; 00950 } 00951 tmp_entry_p = create_proc_entry("mac_trusted", 00952 S_IFREG | S_IRUGO, 00953 proc_rsbac_root_p); 00954 if(tmp_entry_p) 00955 { 00956 tmp_entry_p->get_info = mac_trulist_proc_info; 00957 } 00958 #endif 00959 00960 #ifdef CONFIG_RSBAC_DEBUG 00961 if (rsbac_debug_ds_mac) 00962 { 00963 #ifdef CONFIG_RSBAC_RMSG 00964 rsbac_printk(KERN_DEBUG "rsbac_init_mac(): Ready.\n"); 00965 #endif 00966 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00967 if (!rsbac_nosyslog) 00968 #endif 00969 printk(KERN_DEBUG "rsbac_init_mac(): Ready.\n"); 00970 } 00971 #endif 00972 return(err); 00973 }; 00974 00975 int rsbac_mount_mac(kdev_t kdev) 00976 { 00977 int err = 0; 00978 struct rsbac_mac_device_list_item_t * device_p; 00979 struct rsbac_mac_device_list_item_t * new_device_p; 00980 u_long dflags; 00981 00982 if (!rsbac_is_initialized()) 00983 { 00984 #ifdef CONFIG_RSBAC_RMSG 00985 rsbac_printk(KERN_WARNING "rsbac_mount_mac(): RSBAC not initialized\n"); 00986 #endif 00987 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00988 if (!rsbac_nosyslog) 00989 #endif 00990 printk(KERN_WARNING "rsbac_mount_mac(): RSBAC not initialized\n"); 00991 return(-RSBAC_ENOTINITIALIZED); 00992 } 00993 #ifdef CONFIG_RSBAC_DEBUG 00994 if (rsbac_debug_ds_mac) 00995 { 00996 #ifdef CONFIG_RSBAC_RMSG 00997 rsbac_printk(KERN_DEBUG "rsbac_mount_mac(): mounting device %02u:%02u\n", 00998 RSBAC_MAJOR(kdev),RSBAC_MINOR(kdev)); 00999 #endif 01000 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01001 if (!rsbac_nosyslog) 01002 #endif 01003 printk(KERN_DEBUG "rsbac_mount_mac(): mounting device %02u:%02u\n", 01004 RSBAC_MAJOR(kdev),RSBAC_MINOR(kdev)); 01005 } 01006 #endif 01007 /* wait for write access to device_list_head */ 01008 rsbac_read_lock(&device_list_head.lock, &dflags); 01009 device_p = lookup_device(kdev); 01010 /* repeated mount? */ 01011 if(device_p) 01012 { 01013 #ifdef CONFIG_RSBAC_RMSG 01014 rsbac_printk(KERN_WARNING "rsbac_mount_mac: repeated mount %u of device %02u:%02u\n", 01015 device_p->mount_count, RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 01016 #endif 01017 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01018 if (!rsbac_nosyslog) 01019 #endif 01020 printk(KERN_WARNING "rsbac_mount_mac: repeated mount %u of device %02u:%02u\n", 01021 device_p->mount_count, RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 01022 device_p->mount_count++; 01023 rsbac_read_unlock(&device_list_head.lock, &dflags); 01024 return 0; 01025 } 01026 rsbac_read_unlock(&device_list_head.lock, &dflags); 01027 01028 new_device_p = create_device_item(kdev); 01029 if(!new_device_p) 01030 return -RSBAC_ECOULDNOTADDDEVICE; 01031 01032 /* register lists */ 01033 if((err = mac_register_fd_lists(new_device_p, kdev))) 01034 { 01035 char tmp[RSBAC_MAXNAMELEN]; 01036 01037 #ifdef CONFIG_RSBAC_RMSG 01038 rsbac_printk(KERN_WARNING 01039 "rsbac_mount_mac(): File/Dir ACL registration failed for dev %02u:%02u, err %s!\n", 01040 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev), get_error_name(tmp,err)); 01041 #endif 01042 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01043 if (!rsbac_nosyslog) 01044 #endif 01045 printk(KERN_WARNING 01046 "rsbac_mount_mac(): File/Dir ACL registration failed for dev %02u:%02u, err %s!\n", 01047 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev), get_error_name(tmp,err)); 01048 } 01049 01050 /* wait for read access to device_list_head */ 01051 rsbac_read_lock(&device_list_head.lock, &dflags); 01052 /* make sure to only add, if this device item has not been added in the meantime */ 01053 device_p = lookup_device(kdev); 01054 if(device_p) 01055 { 01056 #ifdef CONFIG_RSBAC_RMSG 01057 rsbac_printk(KERN_WARNING 01058 "rsbac_mount_mac(): mount race for device %02u:%02u detected!\n", 01059 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 01060 #endif 01061 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01062 if (!rsbac_nosyslog) 01063 #endif 01064 printk(KERN_WARNING 01065 "rsbac_mount_mac(): mount race for device %02u:%02u detected!\n", 01066 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 01067 device_p->mount_count++; 01068 rsbac_read_unlock(&device_list_head.lock, &dflags); 01069 clear_device_item(new_device_p); 01070 } 01071 else 01072 { 01073 rsbac_read_unlock(&device_list_head.lock, &dflags); 01074 rsbac_write_lock_irq(&device_list_head.lock, &dflags); 01075 device_p = add_device_item(new_device_p); 01076 rsbac_write_unlock_irq(&device_list_head.lock, &dflags); 01077 if(!device_p) 01078 { 01079 #ifdef CONFIG_RSBAC_RMSG 01080 rsbac_printk(KERN_WARNING "rsbac_mount_mac: adding device %02u:%02u failed!\n", 01081 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 01082 #endif 01083 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01084 if (!rsbac_nosyslog) 01085 #endif 01086 printk(KERN_WARNING "rsbac_mount_mac: adding device %02u:%02u failed!\n", 01087 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 01088 clear_device_item(new_device_p); 01089 err = -RSBAC_ECOULDNOTADDDEVICE; 01090 } 01091 } 01092 return(err); 01093 }; 01094 01095 /* When umounting a device, its file lists must be removed. */ 01096 01097 int rsbac_umount_mac(kdev_t kdev) 01098 { 01099 u_long flags; 01100 struct rsbac_mac_device_list_item_t * device_p; 01101 01102 if (!rsbac_is_initialized()) 01103 { 01104 #ifdef CONFIG_RSBAC_RMSG 01105 rsbac_printk(KERN_WARNING "rsbac_umount(): RSBAC not initialized\n"); 01106 #endif 01107 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01108 if (!rsbac_nosyslog) 01109 #endif 01110 printk(KERN_WARNING "rsbac_umount(): RSBAC not initialized\n"); 01111 return(-RSBAC_ENOTINITIALIZED); 01112 } 01113 01114 #ifdef CONFIG_RSBAC_DEBUG 01115 if (rsbac_debug_ds_mac) 01116 { 01117 #ifdef CONFIG_RSBAC_RMSG 01118 rsbac_printk(KERN_DEBUG "rsbac_umount_mac(): umounting device %02u:%02u\n", 01119 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 01120 #endif 01121 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01122 if (!rsbac_nosyslog) 01123 #endif 01124 printk(KERN_DEBUG "rsbac_umount_mac(): umounting device %02u:%02u\n", 01125 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 01126 } 01127 #endif 01128 /* sync of attribute lists was done in rsbac_umount */ 01129 /* wait for write access to device_list_head */ 01130 rsbac_write_lock(&device_list_head.lock, &flags); 01131 /* OK, nobody else is working on it... */ 01132 device_p = lookup_device(kdev); 01133 if(device_p) 01134 { 01135 if(device_p->mount_count == 1) 01136 remove_device_item(kdev); 01137 else 01138 { 01139 if(device_p->mount_count > 1) 01140 { 01141 device_p->mount_count--; 01142 } 01143 else 01144 { 01145 #ifdef CONFIG_RSBAC_RMSG 01146 rsbac_printk(KERN_WARNING "rsbac_mount_mac: device %02u:%02u has mount_count < 1!\n", 01147 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 01148 #endif 01149 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01150 if (!rsbac_nosyslog) 01151 #endif 01152 printk(KERN_WARNING "rsbac_mount_mac: device %02u:%02u has mount_count < 1!\n", 01153 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 01154 } 01155 } 01156 } 01157 01158 /* allow access */ 01159 rsbac_write_unlock(&device_list_head.lock, &flags); 01160 return(0); 01161 }; 01162 01163 /***************************************************/ 01164 /* We also need some status information... */ 01165 01166 int rsbac_stats_mac(void) 01167 { 01168 u_int tru_set_count = 0; 01169 u_int member_count = 0; 01170 u_long dflags; 01171 struct rsbac_mac_device_list_item_t * device_p; 01172 int i; 01173 01174 union rsbac_target_id_t rsbac_target_id; 01175 union rsbac_attribute_value_t rsbac_attribute_value; 01176 01177 if (!rsbac_is_initialized) 01178 { 01179 #ifdef CONFIG_RSBAC_RMSG 01180 rsbac_printk(KERN_WARNING "rsbac_stats_mac(): RSBAC not initialized\n"); 01181 #endif 01182 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01183 if (!rsbac_nosyslog) 01184 #endif 01185 printk(KERN_WARNING "rsbac_stats_mac(): RSBAC not initialized\n"); 01186 return(-RSBAC_ENOTINITIALIZED); 01187 } 01188 #ifdef CONFIG_RSBAC_DEBUG 01189 if (rsbac_debug_aef_mac) 01190 { 01191 #ifdef CONFIG_RSBAC_RMSG 01192 rsbac_printk(KERN_DEBUG "rsbac_stats_mac(): calling ADF\n"); 01193 #endif 01194 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01195 if (!rsbac_nosyslog) 01196 #endif 01197 printk(KERN_DEBUG "rsbac_stats_mac(): calling ADF\n"); 01198 } 01199 #endif 01200 rsbac_target_id.scd = ST_rsbac; 01201 rsbac_attribute_value.dummy = 0; 01202 if (!rsbac_adf_request(R_GET_STATUS_DATA, 01203 current->pid, 01204 T_SCD, 01205 rsbac_target_id, 01206 A_none, 01207 rsbac_attribute_value)) 01208 { 01209 return -EPERM; 01210 } 01211 01212 printk(KERN_INFO "MAC Status\n----------\n"); 01213 01214 printk(KERN_INFO "%lu process trusted user set items, sum of %lu members\n", 01215 rsbac_list_lol_count(process_handle), 01216 rsbac_list_lol_all_subcount(process_handle)); 01217 01218 /* protect device list */ 01219 rsbac_read_lock(&device_list_head.lock, &dflags); 01220 device_p = device_list_head.head; 01221 while(device_p) 01222 { 01223 /* reset counters */ 01224 tru_set_count = 0; 01225 member_count = 0; 01226 for(i=0 ; i < RSBAC_MAC_NR_TRU_FD_LISTS; i++) 01227 { 01228 tru_set_count += rsbac_list_lol_count(device_p->handles[i]); 01229 member_count += rsbac_list_lol_all_subcount(device_p->handles[i]); 01230 } 01231 printk(KERN_INFO "device %02u:%02u has %u file trusted user set items, sum of %u members\n", 01232 RSBAC_MAJOR(device_p->id), 01233 RSBAC_MINOR(device_p->id), 01234 tru_set_count,member_count); 01235 device_p = device_p->next; 01236 } 01237 /* unprotect device list */ 01238 rsbac_read_unlock(&device_list_head.lock, &dflags); 01239 return(0); 01240 }; 01241 01242 /***************************************************/ 01243 /* consistency checking (as far as possible) */ 01244 01245 int rsbac_check_mac(int correct, int check_inode) 01246 { 01247 struct rsbac_mac_device_list_item_t * device_p; 01248 u_long f_count = 0, f_sum = 0, tmp_count, 01249 r_count, u_count, b_count, no_member_count; 01250 long desc_count; 01251 u_int i,list_no; 01252 u_long dflags; 01253 struct super_block * sb_p; 01254 struct inode * inode_p; 01255 rsbac_inode_nr_t * fd_desc_p; 01256 01257 if (!rsbac_is_initialized()) 01258 { 01259 #ifdef CONFIG_RSBAC_RMSG 01260 rsbac_printk(KERN_WARNING "rsbac_check_mac(): RSBAC not initialized\n"); 01261 #endif 01262 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01263 if (!rsbac_nosyslog) 01264 #endif 01265 printk(KERN_WARNING "rsbac_check_mac(): RSBAC not initialized\n"); 01266 return(-RSBAC_ENOTINITIALIZED); 01267 } 01268 01269 /* wait for read access to device_list_head */ 01270 rsbac_read_lock(&device_list_head.lock, &dflags); 01271 /* OK, go on */ 01272 /* printk(KERN_INFO "rsbac_check_mac(): currently %u processes working on file/dir aci\n", 01273 device_list_head.lock.lock); */ 01274 device_p = device_list_head.head; 01275 while (device_p) 01276 { /* for all sublists */ 01277 f_count = 0; 01278 r_count = 0; 01279 u_count = 0; 01280 b_count = 0; 01281 no_member_count = 0; 01282 if(check_inode) 01283 { 01284 sb_p = rsbac_get_super_block(device_p->id); 01285 if(!sb_p) 01286 { 01287 #ifdef CONFIG_RSBAC_RMSG 01288 rsbac_printk(KERN_WARNING "rsbac_check_mac(): no super block for device %02u:%02u!\n", 01289 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id)); 01290 #endif 01291 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01292 if (!rsbac_nosyslog) 01293 #endif 01294 printk(KERN_WARNING "rsbac_check_mac(): no super block for device %02u:%02u!\n", 01295 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id)); 01296 } 01297 } 01298 else 01299 sb_p = NULL; 01300 01301 /* OK, go ahead */ 01302 for(list_no = 0; list_no < RSBAC_MAC_NR_TRU_FD_LISTS; list_no++) 01303 { 01304 /* printk(KERN_INFO "rsbac_check_mac(): list %u\n", 01305 list_no); */ 01306 tmp_count = 0; 01307 desc_count = rsbac_list_lol_get_all_desc(device_p->handles[list_no], (void **) &fd_desc_p); 01308 if(desc_count > 0) 01309 { 01310 for(i=0; i<desc_count; i++) 01311 { 01312 /* check for inode on disk (but not for reiserfs, because of 64bit inode numbers) */ 01313 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 01314 if(sb_p) 01315 #else 01316 if(sb_p && !sb_p->s_op->read_inode2) 01317 #endif 01318 { 01319 inode_p = iget(sb_p, fd_desc_p[i]); 01320 if(is_bad_inode(inode_p)) 01321 { /* inode is bad -> remove */ 01322 b_count++; 01323 if(correct) 01324 { 01325 #ifdef CONFIG_RSBAC_RMSG 01326 rsbac_printk(KERN_INFO 01327 "rsbac_check_mac(): fd_item for bad inode %u on device %02u:%02u, list %u, removing!\n", 01328 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 01329 #endif 01330 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01331 if (!rsbac_nosyslog) 01332 #endif 01333 printk(KERN_INFO 01334 "rsbac_check_mac(): fd_item for bad inode %u on device %02u:%02u, list %u, removing!\n", 01335 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 01336 rsbac_list_lol_remove(device_p->handles[list_no], &fd_desc_p[i]); 01337 continue; 01338 } 01339 else 01340 { 01341 #ifdef CONFIG_RSBAC_RMSG 01342 rsbac_printk(KERN_INFO 01343 "rsbac_check_mac(): fd_item for bad inode %u on device %02u:%02u, list %u!\n", 01344 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 01345 #endif 01346 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01347 if (!rsbac_nosyslog) 01348 #endif 01349 printk(KERN_INFO 01350 "rsbac_check_mac(): fd_item for bad inode %u on device %02u:%02u, list %u!\n", 01351 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 01352 } 01353 } /* end of bad_inode */ 01354 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 01355 else 01356 { /* good inode */ 01357 /* currently only deletion checking of ext2 inodes is possible */ 01358 if(sb_p->s_magic == EXT2_SUPER_MAGIC) 01359 { 01360 if(inode_p->u.ext2_i.i_dtime) 01361 { /* inode has been deleted -> remove */ 01362 r_count++; 01363 if(correct) 01364 { 01365 #ifdef CONFIG_RSBAC_RMSG 01366 rsbac_printk(KERN_INFO 01367 "rsbac_check_mac(): fd_item for deleted inode %u on device %02u:%02u, list %u, removing!\n", 01368 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 01369 #endif 01370 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01371 if (!rsbac_nosyslog) 01372 #endif 01373 printk(KERN_INFO 01374 "rsbac_check_mac(): fd_item for deleted inode %u on device %02u:%02u, list %u, removing!\n", 01375 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 01376 rsbac_list_lol_remove(device_p->handles[list_no], &fd_desc_p[i]); 01377 continue; 01378 } 01379 else 01380 { 01381 #ifdef CONFIG_RSBAC_RMSG 01382 rsbac_printk(KERN_INFO 01383 "rsbac_check_mac(): fd_item for deleted inode %u on device %02u:%02u, list %u!\n", 01384 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 01385 #endif 01386 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01387 if (!rsbac_nosyslog) 01388 #endif 01389 printk(KERN_INFO 01390 "rsbac_check_mac(): fd_item for deleted inode %u on device %02u:%02u, list %u!\n", 01391 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 01392 } 01393 } 01394 else 01395 { 01396 if(inode_p->i_nlink <= 0) 01397 { /* inode has been unlinked, but no dtime is set -> warn */ 01398 u_count++; 01399 if(correct >= 2) 01400 { 01401 #ifdef CONFIG_RSBAC_RMSG 01402 rsbac_printk(KERN_INFO 01403 "rsbac_check_mac(): fd_item for inode %u with nlink <= 0 on device %02u:%02u, list %u, removing!\n", 01404 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 01405 #endif 01406 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01407 if (!rsbac_nosyslog) 01408 #endif 01409 printk(KERN_INFO 01410 "rsbac_check_mac(): fd_item for inode %u with nlink <= 0 on device %02u:%02u, list %u, removing!\n", 01411 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 01412 rsbac_list_lol_remove(device_p->handles[list_no], &fd_desc_p[i]); 01413 continue; 01414 } 01415 else 01416 { 01417 #ifdef CONFIG_RSBAC_RMSG 01418 rsbac_printk(KERN_INFO 01419 "rsbac_check_mac(): deleted inode %u on device %02u:%02u, list %u, has no dtime!\n", 01420 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 01421 #endif 01422 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01423 if (!rsbac_nosyslog) 01424 #endif 01425 printk(KERN_INFO 01426 "rsbac_check_mac(): deleted inode %u on device %02u:%02u, list %u, has no dtime!\n", 01427 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 01428 } 01429 } 01430 } 01431 } 01432 } /* end of is_good_inode */ 01433 #endif /* VERSION < 2.6.0 */ 01434 iput(inode_p); 01435 } /* end of sb_p */ 01436 } 01437 tmp_count++; 01438 rsbac_vfree(fd_desc_p); 01439 f_count += desc_count; 01440 } 01441 } /* end of for-fd-list-array */ 01442 01443 switch(correct) 01444 { 01445 case 2: 01446 #ifdef CONFIG_RSBAC_RMSG 01447 rsbac_printk(KERN_INFO 01448 "rsbac_check_mac(): Device %02u:%02u has %lu file/dir trusted user sets (%lu removed (%lu bad inodes, %lu dtimed inodes, %lu unlinked inodes, %lu had no members and default mask))\n", 01449 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), f_count, b_count + r_count + u_count + no_member_count, 01450 b_count, r_count, u_count, no_member_count); 01451 #endif 01452 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01453 if (!rsbac_nosyslog) 01454 #endif 01455 printk(KERN_INFO 01456 "rsbac_check_mac(): Device %02u:%02u has %lu file/dir trusted user sets (%lu removed (%lu bad inodes, %lu dtimed inodes, %lu unlinked inodes, %lu had no members and default mask))\n", 01457 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), f_count, b_count + r_count + u_count + no_member_count, 01458 b_count, r_count, u_count, no_member_count); 01459 break; 01460 case 1: 01461 #ifdef CONFIG_RSBAC_RMSG 01462 rsbac_printk(KERN_INFO 01463 "rsbac_check_mac(): Device %02u:%02u has %lu file/dir trusted user sets (%lu removed (%lu bad inodes, %lu dtimed inodes, %lu had no members and default mask), %lu unlinked inodes)\n", 01464 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), f_count, b_count + r_count + no_member_count, 01465 b_count, r_count, no_member_count, u_count); 01466 #endif 01467 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01468 if (!rsbac_nosyslog) 01469 #endif 01470 printk(KERN_INFO 01471 "rsbac_check_mac(): Device %02u:%02u has %lu file/dir trusted user sets (%lu removed (%lu bad inodes, %lu dtimed inodes, %lu had no members and default mask), %lu unlinked inodes)\n", 01472 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), f_count, b_count + r_count + no_member_count, 01473 b_count, r_count, no_member_count, u_count); 01474 break; 01475 default: 01476 #ifdef CONFIG_RSBAC_RMSG 01477 rsbac_printk(KERN_INFO 01478 "rsbac_check_mac(): Device %02u:%02u has %lu file/dir trusted user sets (%lu with bad inodes, %lu with dtimed inodes, %lu unlinked inodes, %lu without members and with default mask)\n", 01479 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), f_count, 01480 b_count, r_count, u_count, no_member_count); 01481 #endif 01482 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01483 if (!rsbac_nosyslog) 01484 #endif 01485 printk(KERN_INFO 01486 "rsbac_check_mac(): Device %02u:%02u has %lu file/dir trusted user sets (%lu with bad inodes, %lu with dtimed inodes, %lu unlinked inodes, %lu without members and with default mask)\n", 01487 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), f_count, 01488 b_count, r_count, u_count, no_member_count); 01489 } 01490 f_sum += f_count; 01491 /* go on */ 01492 device_p = device_p->next; 01493 } 01494 #ifdef CONFIG_RSBAC_RMSG 01495 rsbac_printk(KERN_INFO "rsbac_check_mac(): Sum of %u Devices with %lu file/dir trusted user sets\n", 01496 device_list_head.count, f_sum); 01497 #endif 01498 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01499 if (!rsbac_nosyslog) 01500 #endif 01501 printk(KERN_INFO "rsbac_check_mac(): Sum of %u Devices with %lu file/dir trusted user sets\n", 01502 device_list_head.count, f_sum); 01503 /* free access to device_list_head */ 01504 rsbac_read_unlock(&device_list_head.lock, &dflags); 01505 01506 #ifdef CONFIG_RSBAC_RMSG 01507 rsbac_printk(KERN_INFO 01508 "rsbac_check_mac(): Total of %lu registered mac items\n", 01509 f_sum); 01510 #endif 01511 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01512 if (!rsbac_nosyslog) 01513 #endif 01514 printk(KERN_INFO 01515 "rsbac_check_mac(): Total of %lu registered mac items\n", 01516 f_sum); 01517 return(0); 01518 }; 01519 01520 /************************************************* */ 01521 /* Access functions */ 01522 /************************************************* */ 01523 01524 /* All these procedures handle the rw-spinlocks to protect the targets during */ 01525 /* access. */ 01526 /* Trying to access a never created or removed set returns an error! */ 01527 01528 /* rsbac_mac_add_to_truset */ 01529 /* Add a set member to a set sublist. Set behaviour: also returns success, */ 01530 /* if member was already in set! */ 01531 01532 int rsbac_mac_add_to_p_truset(rsbac_pid_t pid, 01533 rsbac_uid_t member, 01534 rsbac_time_t ttl) 01535 { 01536 if (!rsbac_is_initialized()) 01537 { 01538 printk(KERN_WARNING "rsbac_mac_add_to_p_truset(): RSBAC not initialized\n"); 01539 return(-RSBAC_ENOTINITIALIZED); 01540 } 01541 if (in_interrupt()) 01542 { 01543 printk(KERN_WARNING "rsbac_mac_add_to_p_truset(): called from interrupt!\n"); 01544 } 01545 return rsbac_list_lol_subadd_ttl(process_handle, ttl, &pid, &member, NULL); 01546 } 01547 01548 int rsbac_mac_add_to_f_truset(rsbac_mac_file_t file, 01549 rsbac_uid_t member, 01550 rsbac_time_t ttl) 01551 { 01552 int err=0; 01553 u_long dflags; 01554 struct rsbac_mac_device_list_item_t * device_p; 01555 01556 if (!rsbac_is_initialized()) 01557 { 01558 printk(KERN_WARNING "rsbac_mac_add_to_f_truset(): RSBAC not initialized\n"); 01559 return(-RSBAC_ENOTINITIALIZED); 01560 } 01561 if (in_interrupt()) 01562 { 01563 printk(KERN_WARNING "rsbac_mac_add_to_f_truset(): called from interrupt!\n"); 01564 } 01565 01566 /* protect device list */ 01567 rsbac_read_lock(&device_list_head.lock, &dflags); 01568 device_p = lookup_device(file.device); 01569 if(!device_p) 01570 { 01571 /* trigger rsbac_mount() */ 01572 rsbac_read_unlock(&device_list_head.lock, &dflags); 01573 rsbac_get_super_block(file.device); 01574 /* retry */ 01575 rsbac_read_lock(&device_list_head.lock, &dflags); 01576 device_p = lookup_device(file.device); 01577 if(!device_p) 01578 { 01579 #ifdef CONFIG_RSBAC_RMSG 01580 rsbac_printk(KERN_WARNING "rsbac_mac_add_to_f_truset(): invalid device %02u:%02u!\n", 01581 RSBAC_MAJOR(file.device),RSBAC_MINOR(file.device)); 01582 #endif 01583 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01584 if (!rsbac_nosyslog) 01585 #endif 01586 printk(KERN_WARNING "rsbac_mac_add_to_f_truset(): invalid device %02u:%02u!\n", 01587 RSBAC_MAJOR(file.device),RSBAC_MINOR(file.device)); 01588 rsbac_read_unlock(&device_list_head.lock, &dflags); 01589 return(-RSBAC_EINVALIDDEV); 01590 } 01591 } 01592 01593 err = rsbac_list_lol_subadd_ttl(device_p->handles[fd_hash(file.inode)], 01594 ttl, &file.inode, &member, NULL); 01595 rsbac_read_unlock(&device_list_head.lock, &dflags); 01596 return(err); 01597 } 01598 01599 /* rsbac_mac_remove_from_truset */ 01600 /* Remove a set member from a sublist. Set behaviour: Returns no error, if */ 01601 /* member is not in list. */ 01602 01603 int rsbac_mac_remove_from_p_truset(rsbac_pid_t pid, 01604 rsbac_uid_t member) 01605 { 01606 if (!rsbac_is_initialized()) 01607 { 01608 printk(KERN_WARNING "rsbac_mac_remove_from_p_truset(): RSBAC not initialized\n"); 01609 return(-RSBAC_ENOTINITIALIZED); 01610 } 01611 if (in_interrupt()) 01612 { 01613 printk(KERN_WARNING "rsbac_mac_remove_from_p_truset(): called from interrupt!\n"); 01614 } 01615 return rsbac_list_lol_subremove(process_handle, &pid, &member); 01616 } 01617 01618 int rsbac_mac_remove_from_f_truset(rsbac_mac_file_t file, 01619 rsbac_uid_t member) 01620 { 01621 int err=0; 01622 u_long dflags; 01623 struct rsbac_mac_device_list_item_t * device_p; 01624 01625 if (!rsbac_is_initialized()) 01626 { 01627 printk(KERN_WARNING "rsbac_mac_remove_from_f_truset(): RSBAC not initialized\n"); 01628 return(-RSBAC_ENOTINITIALIZED); 01629 } 01630 if (in_interrupt()) 01631 { 01632 printk(KERN_WARNING "rsbac_mac_remove_from_f_truset(): called from interrupt!\n"); 01633 } 01634 01635 /* protect device list */ 01636 rsbac_read_lock(&device_list_head.lock, &dflags); 01637 device_p = lookup_device(file.device); 01638 if(!device_p) 01639 { 01640 /* trigger rsbac_mount() */ 01641 rsbac_read_unlock(&device_list_head.lock, &dflags); 01642 rsbac_get_super_block(file.device); 01643 /* retry */ 01644 rsbac_read_lock(&device_list_head.lock, &dflags); 01645 device_p = lookup_device(file.device); 01646 if(!device_p) 01647 { 01648 #ifdef CONFIG_RSBAC_RMSG 01649 rsbac_printk(KERN_WARNING "rsbac_mac_remove_from_f_truset(): invalid device %02u:%02u!\n", 01650 RSBAC_MAJOR(file.device),RSBAC_MINOR(file.device)); 01651 #endif 01652 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01653 if (!rsbac_nosyslog) 01654 #endif 01655 printk(KERN_WARNING "rsbac_mac_remove_from_f_truset(): invalid device %02u:%02u!\n", 01656 RSBAC_MAJOR(file.device),RSBAC_MINOR(file.device)); 01657 rsbac_read_unlock(&device_list_head.lock, &dflags); 01658 return(-RSBAC_EINVALIDDEV); 01659 } 01660 } 01661 err = rsbac_list_lol_subremove(device_p->handles[fd_hash(file.inode)], 01662 &file.inode, 01663 &member); 01664 rsbac_read_unlock(&device_list_head.lock, &dflags); 01665 return(err); 01666 } 01667 01668 /* rsbac_mac_clear_truset */ 01669 /* Remove all set members from a sublist. Set behaviour: Returns no error, */ 01670 /* if list is empty. */ 01671 01672 int rsbac_mac_clear_p_truset(rsbac_pid_t pid) 01673 { 01674 if (!rsbac_is_initialized()) 01675 { 01676 printk(KERN_WARNING "rsbac_mac_clear_p_truset(): RSBAC not initialized\n"); 01677 return(-RSBAC_ENOTINITIALIZED); 01678 } 01679 if (in_interrupt()) 01680 { 01681 printk(KERN_WARNING "rsbac_mac_clear_p_truset(): called from interrupt!\n"); 01682 } 01683 return rsbac_list_lol_remove(process_handle, &pid); 01684 } 01685 01686 int rsbac_mac_clear_f_truset(rsbac_mac_file_t file) 01687 { 01688 int err=0; 01689 u_long dflags; 01690 struct rsbac_mac_device_list_item_t * device_p; 01691 01692 if (!rsbac_is_initialized()) 01693 { 01694 printk(KERN_WARNING "rsbac_mac_clear_f_truset(): RSBAC not initialized\n"); 01695 return(-RSBAC_ENOTINITIALIZED); 01696 } 01697 if (in_interrupt()) 01698 { 01699 printk(KERN_WARNING "rsbac_mac_clear_f_truset(): called from interrupt!\n"); 01700 } 01701 /* protect device list */ 01702 rsbac_read_lock(&device_list_head.lock, &dflags); 01703 device_p = lookup_device(file.device); 01704 if(!device_p) 01705 { 01706 /* trigger rsbac_mount() */ 01707 rsbac_read_unlock(&device_list_head.lock, &dflags); 01708 rsbac_get_super_block(file.device); 01709 /* retry */ 01710 rsbac_read_lock(&device_list_head.lock, &dflags); 01711 device_p = lookup_device(file.device); 01712 if(!device_p) 01713 { 01714 #ifdef CONFIG_RSBAC_RMSG 01715 rsbac_printk(KERN_WARNING "rsbac_mac_clear_f_truset(): invalid device %02u:%02u!\n", 01716 RSBAC_MAJOR(file.device),RSBAC_MINOR(file.device)); 01717 #endif 01718 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01719 if (!rsbac_nosyslog) 01720 #endif 01721 printk(KERN_WARNING "rsbac_mac_clear_f_truset(): invalid device %02u:%02u!\n", 01722 RSBAC_MAJOR(file.device),RSBAC_MINOR(file.device)); 01723 rsbac_read_unlock(&device_list_head.lock, &dflags); 01724 return(-RSBAC_EINVALIDDEV); 01725 } 01726 } 01727 err = rsbac_list_lol_remove(device_p->handles[fd_hash(file.inode)], &file.inode); 01728 rsbac_read_unlock(&device_list_head.lock, &dflags); 01729 return(err); 01730 } 01731 01732 /* rsbac_mac_truset_member */ 01733 /* Return truth value, whether member is in set */ 01734 01735 boolean rsbac_mac_p_truset_member(rsbac_pid_t pid, 01736 rsbac_uid_t member) 01737 { 01738 if (!rsbac_is_initialized()) 01739 { 01740 printk(KERN_WARNING "rsbac_mac_p_truset_member(): RSBAC not initialized\n"); 01741 return FALSE; 01742 } 01743 if (in_interrupt()) 01744 { 01745 printk(KERN_WARNING "rsbac_mac_p_truset_member(): called from interrupt!\n"); 01746 } 01747 if(rsbac_list_lol_subexist(process_handle, &pid, &member)) 01748 return TRUE; 01749 member = RSBAC_ALL_USERS; 01750 return rsbac_list_lol_subexist(process_handle, &pid, &member); 01751 } 01752 01753 /* rsbac_mac_remove_truset */ 01754 /* Remove a full set. For cleanup, if object is deleted. */ 01755 /* To empty an existing set use rsbac_mac_clear_truset. */ 01756 01757 int rsbac_mac_remove_p_trusets(rsbac_pid_t pid) 01758 { 01759 return rsbac_mac_clear_p_truset(pid); 01760 } 01761 01762 int rsbac_mac_remove_f_trusets(rsbac_mac_file_t file) 01763 { 01764 return rsbac_mac_clear_f_truset(file); 01765 } 01766 01767 int rsbac_mac_copy_fp_truset(rsbac_mac_file_t file, 01768 rsbac_pid_t p_tru_set_id) 01769 { 01770 u_long dflags; 01771 struct rsbac_mac_device_list_item_t * device_p; 01772 int err=0; 01773 01774 if (!rsbac_is_initialized) 01775 { 01776 printk(KERN_WARNING "rsbac_mac_copy_fp_truset(): RSBAC not initialized\n"); 01777 return(-RSBAC_ENOTINITIALIZED); 01778 } 01779 if (in_interrupt()) 01780 { 01781 printk(KERN_WARNING "rsbac_mac_copy_fp_truset(): called from interrupt!\n"); 01782 } 01783 /* 01784 #ifdef CONFIG_RSBAC_DEBUG 01785 if (rsbac_debug_ds_mac) 01786 printk(KERN_DEBUG 01787 "rsbac_mac_copy_fp_truset(): Copying file cap set data to process cap set\n"); 01788 #endif 01789 */ 01790 /* protect device list */ 01791 rsbac_read_lock(&device_list_head.lock, &dflags); 01792 device_p = lookup_device(file.device); 01793 if(!device_p) 01794 { 01795 /* trigger rsbac_mount() */ 01796 rsbac_read_unlock(&device_list_head.lock, &dflags); 01797 rsbac_get_super_block(file.device); 01798 /* retry */ 01799 rsbac_read_lock(&device_list_head.lock, &dflags); 01800 device_p = lookup_device(file.device); 01801 if(!device_p) 01802 { 01803 #ifdef CONFIG_RSBAC_RMSG 01804 rsbac_printk(KERN_WARNING "rsbac_mac_copy_fp_truset(): invalid device %02u:%02u!\n", 01805 RSBAC_MAJOR(file.device),RSBAC_MINOR(file.device)); 01806 #endif 01807 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01808 if (!rsbac_nosyslog) 01809 #endif 01810 printk(KERN_WARNING "rsbac_mac_copy_fp_truset(): invalid device %02u:%02u!\n", 01811 RSBAC_MAJOR(file.device),RSBAC_MINOR(file.device)); 01812 rsbac_read_unlock(&device_list_head.lock, &dflags); 01813 return(-RSBAC_EINVALIDDEV); 01814 } 01815 } 01816 /* call the copy function */ 01817 err = copy_fp_tru_set_item(device_p,file,p_tru_set_id); 01818 rsbac_read_unlock(&device_list_head.lock, &dflags); 01819 return(err); 01820 } 01821 01822 int rsbac_mac_copy_pp_truset(rsbac_pid_t old_p_set_id, 01823 rsbac_pid_t new_p_set_id) 01824 { 01825 if (!rsbac_is_initialized) 01826 { 01827 printk(KERN_WARNING "rsbac_mac_copy_pp_truset(): RSBAC not initialized\n"); 01828 return(-RSBAC_ENOTINITIALIZED); 01829 } 01830 if (in_interrupt()) 01831 { 01832 printk(KERN_WARNING "rsbac_mac_copy_pp_truset(): called from interrupt!\n"); 01833 } 01834 /* 01835 #ifdef CONFIG_RSBAC_DEBUG 01836 if (rsbac_debug_ds_mac) 01837 printk(KERN_DEBUG 01838 "rsbac_mac_copy_pp_truset(): Copying process cap set data to process cap set\n"); 01839 #endif 01840 */ 01841 /* call the copy function */ 01842 return copy_pp_tru_set_item(old_p_set_id,new_p_set_id); 01843 } 01844 01845 int rsbac_mac_get_f_trulist(rsbac_mac_file_t file, 01846 rsbac_uid_t **trulist_p, 01847 rsbac_time_t **ttllist_p) 01848 { 01849 u_long dflags; 01850 struct rsbac_mac_device_list_item_t * device_p; 01851 long count; 01852 01853 if (!rsbac_is_initialized) 01854 { 01855 printk(KERN_WARNING "rsbac_mac_get_f_trulist(): RSBAC not initialized\n"); 01856 return(-RSBAC_ENOTINITIALIZED); 01857 } 01858 if (in_interrupt()) 01859 { 01860 printk(KERN_WARNING "rsbac_mac_get_f_trulist(): called from interrupt!\n"); 01861 } 01862 /* 01863 #ifdef CONFIG_RSBAC_DEBUG 01864 if (rsbac_debug_ds_mac) 01865 printk(KERN_DEBUG 01866 "rsbac_mac_get_f_trulist(): Getting file/dir trusted user set list\n"); 01867 #endif 01868 */ 01869 /* protect device list */ 01870 rsbac_read_lock(&device_list_head.lock, &dflags); 01871 device_p = lookup_device(file.device); 01872 if(!device_p) 01873 { 01874 /* trigger rsbac_mount() */ 01875 rsbac_read_unlock(&device_list_head.lock, &dflags); 01876 rsbac_get_super_block(file.device); 01877 /* retry */ 01878 rsbac_read_lock(&device_list_head.lock, &dflags); 01879 device_p = lookup_device(file.device); 01880 if(!device_p) 01881 { 01882 #ifdef CONFIG_RSBAC_RMSG 01883 rsbac_printk(KERN_WARNING "rsbac_mac_get_f_trulist(): invalid device %02u:%02u!\n", 01884 RSBAC_MAJOR(file.device),RSBAC_MINOR(file.device)); 01885 #endif 01886 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01887 if (!rsbac_nosyslog) 01888 #endif 01889 printk(KERN_WARNING "rsbac_mac_get_f_trulist(): invalid device %02u:%02u!\n", 01890 RSBAC_MAJOR(file.device),RSBAC_MINOR(file.device)); 01891 rsbac_read_unlock(&device_list_head.lock, &dflags); 01892 return(-RSBAC_EINVALIDDEV); 01893 } 01894 } 01895 count = rsbac_list_lol_get_all_subdesc_ttl(device_p->handles[fd_hash(file.inode)], 01896 &file.inode, 01897 (void **) trulist_p, 01898 ttllist_p); 01899 rsbac_read_unlock(&device_list_head.lock, &dflags); 01900 return(count); 01901 } 01902 01903 int rsbac_mac_get_p_trulist(rsbac_pid_t pid, 01904 rsbac_uid_t **trulist_p, 01905 rsbac_time_t **ttllist_p) 01906 { 01907 if (!rsbac_is_initialized) 01908 { 01909 printk(KERN_WARNING "rsbac_mac_get_p_trulist(): RSBAC not initialized\n"); 01910 return(-RSBAC_ENOTINITIALIZED); 01911 } 01912 if (in_interrupt()) 01913 { 01914 printk(KERN_WARNING "rsbac_mac_get_p_trulist(): called from interrupt!\n"); 01915 } 01916 /* 01917 #ifdef CONFIG_RSBAC_DEBUG 01918 if (rsbac_debug_ds_mac) 01919 printk(KERN_DEBUG 01920 "rsbac_mac_get_p_trulist(): Getting process trusted user set list\n"); 01921 #endif 01922 */ 01923 return rsbac_list_lol_get_all_subdesc_ttl(process_handle, 01924 &pid, 01925 (void **) trulist_p, 01926 ttllist_p); 01927 } 01928 01929 /* end of mac_data_structures.c */

Generated on Tue Aug 31 10:05:26 2004 for RSBAC by doxygen 1.3.8