/daten/src/linux-2.4.27-rsbac-v1.2.3/rsbac/adf/auth/auth_syscalls.c

/*************************************************** */
/* Rule Set Based Access Control                     */
/* Implementation of the Access Control Decision     */
/* Facility (ADF) - Authentification module          */
/* File: rsbac/adf/auth/syscalls.c                   */
/*                                                   */
/* Author and (c) 1999-2004: Amon Ott <ao@rsbac.org> */
/*                                                   */
/* Last modified: 11/Mar/2004                        */
/*************************************************** */

#include <linux/string.h>
#include <linux/sched.h>
#include <linux/errno.h>
#include <rsbac/types.h>
#include <rsbac/aci.h>
#include <rsbac/error.h>
#include <rsbac/auth.h>
#include <rsbac/debug.h>
#include <rsbac/helpers.h>
#include <rsbac/adf_main.h>

/************************************************* */
/*           Global Variables                      */
/************************************************* */

/************************************************* */
/*          Internal Help functions                */
/************************************************* */

/************************************************* */
/*          Externally visible functions           */
/************************************************* */

/*
 * rsbac_auth_add_p_cap - add an AUTH capability range to a process capset.
 *
 * pid:       process whose capability set is to be extended
 * cap_type:  capability set selector, handed on unchanged
 * cap_range: range to add; only .first and .last are read here (for the log)
 * ttl:       handed on unchanged to rsbac_auth_add_to_p_capset()
 *
 * The authorisation decision is taken on the CALLING process (current),
 * not on the target pid: the caller must carry the AUTH process attribute
 * auth_may_set_cap.
 *
 * Returns 0 on success, -RSBAC_EREADFAILED when the caller's attribute
 * cannot be read, -EPERM when the caller lacks auth_may_set_cap and the
 * denial is enforced, -RSBAC_EWRITEFAILED when the capset update reports
 * an error (the callee's own error code is not propagated).
 *
 * Conditions under which the check does not protect the capset:
 *  - CONFIG_RSBAC_MAINT: the whole check is compiled out.
 *  - CONFIG_RSBAC_SWITCH with rsbac_switch_auth == 0: the check is skipped.
 *  - CONFIG_RSBAC_SOFTMODE with rsbac_softmode set (or, under
 *    CONFIG_RSBAC_SOFTMODE_IND, rsbac_ind_softmode[AUTH] set): the denial
 *    is logged only and the capability is added anyway.
 *
 * NOTE(review): cap_range is used as received; no first <= last check is
 * made in this function - presumably done by the caller or the capset
 * code, confirm.
 */
int rsbac_auth_add_p_cap(rsbac_pid_t pid,
                         enum rsbac_auth_cap_type_t cap_type,
                         struct rsbac_auth_cap_range_t cap_range,
                         rsbac_time_t ttl)
  {
/* check only in non-maint mode */
#if !defined(CONFIG_RSBAC_MAINT)
#ifdef CONFIG_RSBAC_SWITCH
    if (rsbac_switch_auth)
#endif
      {
        union rsbac_target_id_t       caller_tid;
        union rsbac_attribute_value_t caller_attr;

        /* look up auth_may_set_cap of the calling process */
        caller_tid.process = current->pid;
        /* last argument FALSE: presumably the "inherit" flag - confirm in rsbac/aci.h */
        if (rsbac_get_attr(AUTH, T_PROCESS, caller_tid,
                           A_auth_may_set_cap, &caller_attr, FALSE))
          {
            /* fail closed: an unreadable attribute never grants the request */
            rsbac_ds_get_error("rsbac_auth_add_p_cap()", A_auth_may_set_cap);
            return -RSBAC_EREADFAILED;
          }
        /* caller without auth_may_set_cap: log the attempt, then reject */
        if (!caller_attr.auth_may_set_cap)
          {
            /*
             * NOTE(review): this printk is guarded by CONFIG_RSBAC_RMSG_EXCL,
             * while the write-failure printk further down is guarded by
             * CONFIG_RSBAC_RMSG_NOSYSLOG / rsbac_nosyslog - confirm that the
             * two different guards are intended, so that denials reach the
             * log in every configuration that is audited.
             */
#ifdef CONFIG_RSBAC_RMSG
            rsbac_printk(KERN_INFO
                         "rsbac_auth_add_p_cap(): adding AUTH cap %u:%u to process %u denied for process %u!\n",
                         cap_range.first, cap_range.last,
                         pid, current->pid);
#endif
#ifndef CONFIG_RSBAC_RMSG_EXCL
            printk(KERN_INFO
                   "rsbac_auth_add_p_cap(): adding AUTH cap %u:%u to process %u denied for process %u!\n",
                   cap_range.first, cap_range.last,
                   pid, current->pid);
#endif
            /*
             * Without CONFIG_RSBAC_SOFTMODE the return below is unconditional.
             * With it, the return only happens when no soft mode is active;
             * otherwise control falls through to the capset update.
             */
#ifdef CONFIG_RSBAC_SOFTMODE
            if (   !rsbac_softmode
#ifdef CONFIG_RSBAC_SOFTMODE_IND
                && !rsbac_ind_softmode[AUTH]
#endif
               )
#endif
              return -EPERM;
          }
      }
#endif

    /* Check passed (or was not enforced): add the capability. */
    if (rsbac_auth_add_to_p_capset(pid, cap_type, cap_range, ttl))
      {
#ifdef CONFIG_RSBAC_RMSG
        rsbac_printk(KERN_WARNING
                     "rsbac_auth_add_p_cap(): rsbac_auth_add_to_p_capset() returned error!\n");
#endif
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
        if (!rsbac_nosyslog)
#endif
          printk(KERN_WARNING
                 "rsbac_auth_add_p_cap(): rsbac_auth_add_to_p_capset() returned error!\n");
        return -RSBAC_EWRITEFAILED;
      }
    return 0;
  }

/*
 * rsbac_auth_remove_p_cap - remove an AUTH capability range from a process
 * capset.
 *
 * pid:       process whose capability set is to be reduced
 * cap_type:  capability set selector, handed on unchanged
 * cap_range: range to remove; only .first and .last are read here (for the log)
 *
 * Same authorisation rule as rsbac_auth_add_p_cap(): the calling process
 * (current) must carry auth_may_set_cap, and the same three conditions
 * (CONFIG_RSBAC_MAINT, rsbac_switch_auth off, soft mode) leave the removal
 * unchecked or unenforced.
 *
 * Returns -RSBAC_EREADFAILED when the caller's attribute cannot be read,
 * -EPERM on an enforced denial, otherwise whatever
 * rsbac_auth_remove_from_p_capset() returns.
 */
int rsbac_auth_remove_p_cap(rsbac_pid_t pid,
                            enum rsbac_auth_cap_type_t cap_type,
                            struct rsbac_auth_cap_range_t cap_range)
  {
/* check only in non-maint mode */
#if !defined(CONFIG_RSBAC_MAINT)
#ifdef CONFIG_RSBAC_SWITCH
    if (rsbac_switch_auth)
#endif
      {
        union rsbac_target_id_t       caller_tid;
        union rsbac_attribute_value_t caller_attr;

        /* look up auth_may_set_cap of the calling process */
        caller_tid.process = current->pid;
        if (rsbac_get_attr(AUTH, T_PROCESS, caller_tid,
                           A_auth_may_set_cap, &caller_attr, FALSE))
          {
            /* fail closed: an unreadable attribute never grants the request */
            rsbac_ds_get_error("rsbac_auth_remove_p_cap()", A_auth_may_set_cap);
            return -RSBAC_EREADFAILED;
          }
        /* caller without auth_may_set_cap: log the attempt, then reject */
        if (!caller_attr.auth_may_set_cap)
          {
#ifdef CONFIG_RSBAC_RMSG
            rsbac_printk(KERN_INFO
                         "rsbac_auth_remove_p_cap(): removing AUTH cap %u:%u from process %u denied for process %u!\n",
                         cap_range.first, cap_range.last,
                         pid, current->pid);
#endif
#ifndef CONFIG_RSBAC_RMSG_EXCL
            printk(KERN_INFO
                   "rsbac_auth_remove_p_cap(): removing AUTH cap %u:%u from process %u denied for process %u!\n",
                   cap_range.first, cap_range.last,
                   pid, current->pid);
#endif
            /* soft mode active: denial is logged only, removal proceeds */
#ifdef CONFIG_RSBAC_SOFTMODE
            if (   !rsbac_softmode
#ifdef CONFIG_RSBAC_SOFTMODE_IND
                && !rsbac_ind_softmode[AUTH]
#endif
               )
#endif
              return -EPERM;
          }
      }
#endif

    /* Check passed (or was not enforced): try to remove the capability. */
    return rsbac_auth_remove_from_p_capset(pid, cap_type, cap_range);
  }

/*
 * rsbac_auth_add_f_cap - add an AUTH capability range to a file capset.
 *
 * file:      file whose capability set is to be extended
 * cap_type:  capability set selector, handed on unchanged
 * cap_range: range to add, handed on unchanged
 * ttl:       handed on unchanged to rsbac_auth_add_to_f_capset()
 *
 * This function performs NO authorisation of its own. It relies on the
 * check that, per the comment below, lives in help/syscalls.c
 * (sys_rsbac_auth_add_f_cap); that code is not visible in this file, so any
 * other caller has to do its own check before calling in.
 *
 * Returns 0 on success, -RSBAC_EWRITEFAILED when the capset update reports
 * an error.
 */
int rsbac_auth_add_f_cap(rsbac_auth_file_t file,
                         enum rsbac_auth_cap_type_t cap_type,
                         struct rsbac_auth_cap_range_t cap_range,
                         rsbac_time_t ttl)
  {
    /* check has been done in help/syscalls.c: sys_rsbac_auth_add_f_cap */
    if (rsbac_auth_add_to_f_capset(file, cap_type, cap_range, ttl))
      {
#ifdef CONFIG_RSBAC_RMSG
        rsbac_printk(KERN_WARNING
                     "rsbac_auth_add_f_cap(): rsbac_auth_add_to_f_capset() returned error!\n");
#endif
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
        if (!rsbac_nosyslog)
#endif
          printk(KERN_WARNING
                 "rsbac_auth_add_f_cap(): rsbac_auth_add_to_f_capset() returned error!\n");
        return -RSBAC_EWRITEFAILED;
      }
    return 0;
  }

/*
 * rsbac_auth_remove_f_cap - remove an AUTH capability range from a file
 * capset.
 *
 * file:      file whose capability set is to be reduced
 * cap_type:  capability set selector, handed on unchanged
 * cap_range: range to remove, handed on unchanged
 *
 * Like rsbac_auth_add_f_cap(), this is an unchecked pass-through: the
 * authorisation is expected to have happened in help/syscalls.c
 * (sys_rsbac_auth_remove_f_cap), which is not visible in this file.
 *
 * Returns whatever rsbac_auth_remove_from_f_capset() returns.
 */
int rsbac_auth_remove_f_cap(rsbac_auth_file_t file,
                            enum rsbac_auth_cap_type_t cap_type,
                            struct rsbac_auth_cap_range_t cap_range)
  {
    /* check has been done in help/syscalls.c: sys_rsbac_auth_remove_f_cap */
    return rsbac_auth_remove_from_f_capset(file, cap_type, cap_range);
  }

/* end of rsbac/adf/auth/syscalls.c */
