00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
#include <linux/string.h>
00013
#include <rsbac/types.h>
00014
#include <rsbac/aci.h>
00015
#include <rsbac/adf_main.h>
00016
#include <rsbac/error.h>
00017
#include <rsbac/helpers.h>
00018
#include <rsbac/getname.h>
00019
#include <rsbac/debug.h>
00020
00021
00022
00023
00024
00025
00026
00027
00028
00029
00030
00031
00032
00033
enum rsbac_adf_req_ret_t
00034 rsbac_adf_request_res (
enum rsbac_adf_request_t request,
00035
rsbac_pid_t caller_pid,
00036
enum rsbac_target_t target,
00037
union rsbac_target_id_t tid,
00038
enum rsbac_attribute_t attr,
00039
union rsbac_attribute_value_t attr_val,
00040
rsbac_uid_t owner)
00041 {
00042
union rsbac_target_id_t i_tid;
00043
union rsbac_attribute_value_t i_attr_val1;
00044
00045
switch (request)
00046 {
00047
case R_MODIFY_ATTRIBUTE:
00048
switch(attr)
00049 {
00050
case A_system_role:
00051
case A_res_role:
00052
case A_res_min:
00053
case A_res_max:
00054
#ifdef CONFIG_RSBAC_RES_AUTH_PROT
00055
case A_auth_may_setuid:
00056
case A_auth_may_set_cap:
00057
case A_auth_start_uid:
00058
case A_auth_program_file:
00059
case A_auth_learn:
00060
case A_auth_add_f_cap:
00061
case A_auth_remove_f_cap:
00062
#endif
00063
00064
case A_none:
00065
00066 i_tid.
user = owner;
00067
if (
rsbac_get_attr(
RES,
00068
T_USER,
00069 i_tid,
00070
A_res_role,
00071 &i_attr_val1,
00072
TRUE))
00073 {
00074 rsbac_ds_get_error(
"rsbac_adf_request_res()",
A_res_role);
00075
return(
NOT_GRANTED);
00076 }
00077
00078
if (i_attr_val1.
system_role ==
SR_security_officer)
00079
return(
GRANTED);
00080
else
00081
return(
NOT_GRANTED);
00082
00083
default:
00084
return(
DO_NOT_CARE);
00085 }
00086
00087
case R_READ_ATTRIBUTE:
00088
switch(attr)
00089 {
00090
case A_system_role:
00091
case A_res_role:
00092
case A_res_min:
00093
case A_res_max:
00094
00095
case A_none:
00096
00097 i_tid.
user = owner;
00098
if (
rsbac_get_attr(
RES,
00099
T_USER,
00100 i_tid,
00101
A_res_role,
00102 &i_attr_val1,
00103
TRUE))
00104 {
00105 rsbac_ds_get_error(
"rsbac_adf_request_res()",
A_res_role);
00106
return(
NOT_GRANTED);
00107 }
00108
00109
if( (i_attr_val1.
system_role ==
SR_security_officer)
00110 || (i_attr_val1.
system_role ==
SR_administrator)
00111 )
00112
return(
GRANTED);
00113
else
00114
return(
NOT_GRANTED);
00115
00116
default:
00117
return(
DO_NOT_CARE);
00118 }
00119
00120
case R_SWITCH_LOG:
00121
switch(target)
00122 {
00123
case T_NONE:
00124
00125 i_tid.
user = owner;
00126
if (
rsbac_get_attr(
RES,
00127
T_USER,
00128 i_tid,
00129
A_res_role,
00130 &i_attr_val1,
00131
TRUE))
00132 {
00133 rsbac_ds_get_error(
"rsbac_adf_request_res()",
A_res_role);
00134
return(
NOT_GRANTED);
00135 }
00136
00137
if (i_attr_val1.
system_role ==
SR_security_officer)
00138
return(
GRANTED);
00139
else
00140
return(
NOT_GRANTED);
00141
00142
00143
default:
return(
DO_NOT_CARE);
00144 }
00145
00146
case R_SWITCH_MODULE:
00147
switch(target)
00148 {
00149
case T_NONE:
00150
00151
if(attr != A_switch_target)
00152
return(
UNDEFINED);
00153
00154
if( (attr_val.switch_target !=
RES)
00155
#ifdef CONFIG_RSBAC_RES_AUTH_PROT
00156
&& (attr_val.switch_target !=
AUTH)
00157
#endif
00158
#ifdef CONFIG_RSBAC_SOFTMODE
00159
&& (attr_val.switch_target !=
SOFTMODE)
00160
#endif
00161
)
00162
return(
DO_NOT_CARE);
00163
00164 i_tid.
user = owner;
00165
if (
rsbac_get_attr(
RES,
00166
T_USER,
00167 i_tid,
00168
A_res_role,
00169 &i_attr_val1,
00170
TRUE))
00171 {
00172 rsbac_ds_get_error(
"rsbac_adf_request_res()",
A_res_role);
00173
return(
NOT_GRANTED);
00174 }
00175
00176
if (i_attr_val1.
system_role ==
SR_security_officer)
00177
return(
GRANTED);
00178
else
00179
return(
NOT_GRANTED);
00180
00181
00182
default:
return(
DO_NOT_CARE);
00183 }
00184
00185
00186
00187
default:
return DO_NOT_CARE;
00188 }
00189
00190
return(
DO_NOT_CARE);
00191 };
00192
00193
00194
00195
00196
00197
00198
00199
00200
00201
00202
00203
00204 int rsbac_adf_set_attr_res(
00205
enum rsbac_adf_request_t request,
00206
rsbac_pid_t caller_pid,
00207
enum rsbac_target_t target,
00208
union rsbac_target_id_t tid,
00209
enum rsbac_target_t new_target,
00210
union rsbac_target_id_t new_tid,
00211
enum rsbac_attribute_t attr,
00212
union rsbac_attribute_value_t attr_val,
00213
rsbac_uid_t owner)
00214 {
00215
union rsbac_target_id_t i_tid;
00216
union rsbac_attribute_value_t i_attr_val1;
00217
00218
switch (request)
00219 {
00220
case R_CHANGE_OWNER:
00221
switch(target)
00222 {
00223
case T_PROCESS:
00224
if(attr != A_owner)
00225
return(-
RSBAC_EINVALIDATTR);
00226
00227 i_tid.
user = attr_val.
owner;
00228
#ifdef CONFIG_RSBAC_SOFTMODE
00229
if(!rsbac_softmode)
00230
#endif
00231
{
00232
int maxval =
rsbac_min(RLIM_NLIMITS - 1,
RSBAC_RES_MAX);
00233
int i;
00234
00235
if (
rsbac_get_attr(
RES,
00236
T_USER,
00237 i_tid,
00238
A_res_max,
00239 &i_attr_val1,
00240
FALSE))
00241 {
00242 rsbac_ds_get_error(
"rsbac_adf_set_attr_res()",
A_res_max);
00243
return -
RSBAC_EREADFAILED;
00244 }
00245
for(i = 0; i <= maxval ; i++)
00246 {
00247
if(i_attr_val1.
res_array[i])
00248 {
00249
if(current->rlim[i].rlim_max > i_attr_val1.
res_array[i])
00250 current->rlim[i].rlim_max = i_attr_val1.
res_array[i];
00251
if(current->rlim[i].rlim_cur > i_attr_val1.
res_array[i])
00252 current->rlim[i].rlim_cur = i_attr_val1.
res_array[i];
00253 }
00254 }
00255
if (
rsbac_get_attr(
RES,
00256
T_USER,
00257 i_tid,
00258
A_res_min,
00259 &i_attr_val1,
00260
FALSE))
00261 {
00262 rsbac_ds_get_error(
"rsbac_adf_set_attr_res()",
A_res_min);
00263
return -
RSBAC_EREADFAILED;
00264 }
00265
if(i_attr_val1.
res_array[RLIMIT_NOFILE] > NR_OPEN)
00266 i_attr_val1.
res_array[RLIMIT_NOFILE] = NR_OPEN;
00267
for(i = 0; i <= maxval ; i++)
00268 {
00269
if(i_attr_val1.
res_array[i])
00270 {
00271
if(current->rlim[i].rlim_max < i_attr_val1.
res_array[i])
00272 current->rlim[i].rlim_max = i_attr_val1.
res_array[i];
00273
if(current->rlim[i].rlim_cur < i_attr_val1.
res_array[i])
00274 current->rlim[i].rlim_cur = i_attr_val1.
res_array[i];
00275 }
00276 }
00277 }
00278
return 0;
00279
00280
00281
default:
00282
return(0);
00283 }
00284
break;
00285
00286
case R_EXECUTE:
00287
switch(target)
00288 {
00289
case T_FILE:
00290
#ifdef CONFIG_RSBAC_SOFTMODE
00291
if(!rsbac_softmode)
00292
#endif
00293
{
00294
int maxval =
rsbac_min(RLIM_NLIMITS - 1,
RSBAC_RES_MAX);
00295
int i;
00296
00297
if (
rsbac_get_attr(
RES,
00298 target,
00299 tid,
00300
A_res_max,
00301 &i_attr_val1,
00302
FALSE))
00303 {
00304 rsbac_ds_get_error(
"rsbac_adf_set_attr_res()",
A_res_max);
00305
return -
RSBAC_EREADFAILED;
00306 }
00307
for(i = 0; i <= maxval ; i++)
00308 {
00309
if(i_attr_val1.
res_array[i])
00310 {
00311
if(current->rlim[i].rlim_max > i_attr_val1.
res_array[i])
00312 current->rlim[i].rlim_max = i_attr_val1.
res_array[i];
00313
if(current->rlim[i].rlim_cur > i_attr_val1.
res_array[i])
00314 current->rlim[i].rlim_cur = i_attr_val1.
res_array[i];
00315 }
00316 }
00317
if (
rsbac_get_attr(
RES,
00318 target,
00319 tid,
00320
A_res_min,
00321 &i_attr_val1,
00322
FALSE))
00323 {
00324 rsbac_ds_get_error(
"rsbac_adf_set_attr_res()",
A_res_min);
00325
return -
RSBAC_EREADFAILED;
00326 }
00327
for(i = 0; i <= maxval ; i++)
00328 {
00329
if(i_attr_val1.
res_array[i])
00330 {
00331
if(current->rlim[i].rlim_max < i_attr_val1.
res_array[i])
00332 current->rlim[i].rlim_max = i_attr_val1.
res_array[i];
00333
if(current->rlim[i].rlim_cur < i_attr_val1.
res_array[i])
00334 current->rlim[i].rlim_cur = i_attr_val1.
res_array[i];
00335 }
00336 }
00337 }
00338
return 0;
00339
00340
00341
default:
00342
return(0);
00343 }
00344
break;
00345
00346
00347
default:
return(0);
00348 }
00349
00350
return(0);
00351 };
00352
00353