00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
#include <linux/string.h>
00013
#include <rsbac/aci.h>
00014
#include <rsbac/adf_main.h>
00015
#include <rsbac/error.h>
00016
#include <rsbac/helpers.h>
00017
#include <rsbac/getname.h>
00018
#include <rsbac/network.h>
00019
00020
00021
00022
00023
00024
00025
00026
00027
00028
static enum rsbac_adf_req_ret_t
00029 check_role_fc(
enum rsbac_target_t target,
00030
union rsbac_target_id_t tid,
00031
rsbac_uid_t owner)
00032 {
00033
int err;
00034
union rsbac_target_id_t i_tid;
00035
union rsbac_attribute_value_t i_attr_val1;
00036
union rsbac_attribute_value_t i_attr_val2;
00037
00038
00039
if ((err=
rsbac_get_attr(
FC,
00040 target,
00041 tid,
00042
A_object_category,
00043 &i_attr_val1,
00044
TRUE)))
00045 {
00046 rsbac_ds_get_error(
"check_role_fc()",
A_object_category);
00047
return(
NOT_GRANTED);
00048 }
00049
00050
if (i_attr_val1.
object_category ==
OC_general)
00051
return(
GRANTED);
00052
00053
00054 i_tid.
user = owner;
00055
if ((err=
rsbac_get_attr(
FC,
00056
T_USER,
00057 i_tid,
00058
A_fc_role,
00059 &i_attr_val2,
00060
TRUE)))
00061 {
00062 rsbac_ds_get_error(
"check_role_fc()",
A_fc_role);
00063
return(
NOT_GRANTED);
00064 }
00065
00066
00067
00068
if ( ( (i_attr_val1.
object_category ==
OC_system)
00069 && (i_attr_val2.
system_role ==
SR_administrator)
00070 )
00071 || ( (i_attr_val1.
object_category ==
OC_security)
00072 && (i_attr_val2.
system_role ==
SR_security_officer)
00073 )
00074 )
00075
return(
GRANTED);
00076
else
00077 {
00078
00079
00080
return(
NOT_GRANTED);
00081 }
00082 }
00083
00084
#ifdef CONFIG_RSBAC_FC_NET_OBJ_PROT
00085
static enum rsbac_adf_req_ret_t
00086 check_role_fc_netobj(
enum rsbac_adf_request_t request,
00087
union rsbac_target_id_t tid,
00088
rsbac_uid_t owner)
00089 {
00090
int err;
00091
union rsbac_target_id_t i_tid;
00092
enum rsbac_attribute_t i_attr;
00093
union rsbac_attribute_value_t i_attr_val1;
00094
union rsbac_attribute_value_t i_attr_val2;
00095
00096
if(
rsbac_net_remote_request(request))
00097 i_attr =
A_remote_object_category;
00098
else
00099 i_attr =
A_local_object_category;
00100
00101
if ((err=
rsbac_get_attr(FC,
00102 T_NETOBJ,
00103 tid,
00104 i_attr,
00105 &i_attr_val1,
00106 TRUE)))
00107 {
00108 rsbac_ds_get_error(
"check_role_fc_netobj()", i_attr);
00109
return(
NOT_GRANTED);
00110 }
00111
00112
if (i_attr_val1.
object_category ==
OC_general)
00113
return(
GRANTED);
00114
00115
00116 i_tid.
user = owner;
00117
if ((err=
rsbac_get_attr(FC,
00118 T_USER,
00119 i_tid,
00120 A_fc_role,
00121 &i_attr_val2,
00122 TRUE)))
00123 {
00124 rsbac_ds_get_error(
"check_role_fc_netobj()", A_fc_role);
00125
return(
NOT_GRANTED);
00126 }
00127
00128
00129
00130
if ( ( (i_attr_val1.
object_category ==
OC_system)
00131 && (i_attr_val2.
system_role ==
SR_administrator)
00132 )
00133 || ( (i_attr_val1.
object_category ==
OC_security)
00134 && (i_attr_val2.
system_role ==
SR_security_officer)
00135 )
00136 )
00137
return(
GRANTED);
00138
else
00139 {
00140
00141
00142
return(
NOT_GRANTED);
00143 }
00144 }
00145
#endif
00146
00147
static enum rsbac_adf_req_ret_t
00148 fc_check_sysrole(
rsbac_uid_t owner,
enum rsbac_system_role_t role)
00149 {
00150
union rsbac_target_id_t i_tid;
00151
union rsbac_attribute_value_t i_attr_val1;
00152
00153 i_tid.
user = owner;
00154
if (
rsbac_get_attr(
FC,
00155
T_USER,
00156 i_tid,
00157
A_fc_role,
00158 &i_attr_val1,
00159
TRUE))
00160 {
00161 rsbac_ds_get_error(
"fc_check_sysrole()",
A_fc_role);
00162
return(
NOT_GRANTED);
00163 }
00164
00165
if (i_attr_val1.
system_role == role)
00166
return(
GRANTED);
00167
else
00168
return(
NOT_GRANTED);
00169 }
00170
00171
00172
00173
00174
00175
00176
enum rsbac_adf_req_ret_t
00177 rsbac_adf_request_fc (
enum rsbac_adf_request_t request,
00178
rsbac_pid_t caller_pid,
00179
enum rsbac_target_t target,
00180
union rsbac_target_id_t tid,
00181
enum rsbac_attribute_t attr,
00182
union rsbac_attribute_value_t attr_val,
00183
rsbac_uid_t owner)
00184 {
00185
int err;
00186
enum rsbac_adf_req_ret_t result =
DO_NOT_CARE;
00187
union rsbac_target_id_t i_tid;
00188
union rsbac_attribute_value_t i_attr_val1;
00189
#ifdef CONFIG_RSBAC_FC_ROLE_PROT
00190
union rsbac_attribute_value_t i_attr_val2;
00191
#endif
00192
00193
switch (request)
00194 {
00195
case R_ADD_TO_KERNEL:
00196
switch(target)
00197 {
00198
case T_NONE:
00199
00200
return fc_check_sysrole(owner,
SR_administrator);
00201
00202
00203
default:
00204
return(
DO_NOT_CARE);
00205 }
00206
00207
case R_ALTER:
00208
00209
switch(target)
00210 {
00211
case T_IPC:
00212
return(
check_role_fc(target,tid,owner));
00213
00214
00215
default:
return(
DO_NOT_CARE);
00216 }
00217
00218
case R_APPEND_OPEN:
00219
case R_READ_WRITE_OPEN:
00220
switch(target)
00221 {
00222
case T_FILE:
00223
case T_DEV:
00224
case T_FIFO:
00225
case T_IPC:
00226
return(
check_role_fc(target,tid,owner));
00227
00228
00229
default:
return(
DO_NOT_CARE);
00230 }
00231
00232
case R_CHANGE_GROUP:
00233
switch(target)
00234 {
00235
case T_FILE:
00236
case T_DIR:
00237
case T_FIFO:
00238
case T_SYMLINK:
00239
case T_IPC:
00240
return(
check_role_fc(target,tid,owner));
00241
00242
case T_PROCESS:
00243
case T_USER:
00244
return(
DO_NOT_CARE);
00245
00246
default:
return(
DO_NOT_CARE);
00247 }
00248
00249
case R_CHANGE_OWNER:
00250
switch(target)
00251 {
00252
case T_FILE:
00253
case T_DIR:
00254
case T_FIFO:
00255
case T_SYMLINK:
00256
case T_IPC:
00257
return(
check_role_fc(target,tid,owner));
00258
00259
case T_PROCESS:
00260
#ifdef CONFIG_RSBAC_FC_ROLE_PROT
00261
if(attr != A_owner)
00262
return(
UNDEFINED);
00263
00264 i_tid.
user = owner;
00265
if (
rsbac_get_attr(
FC,
00266
T_USER,
00267 i_tid,
00268
A_fc_role,
00269 &i_attr_val1,
00270
TRUE))
00271 {
00272 rsbac_ds_get_error(
"rsbac_adf_request_fc()",
A_fc_role);
00273
return(
NOT_GRANTED);
00274 }
00275
00276
if (i_attr_val1.
system_role ==
SR_user)
00277
return(
GRANTED);
00278
00279 i_tid.
user = attr_val.
owner;
00280
if (
rsbac_get_attr(
FC,
00281
T_USER,
00282 i_tid,
00283
A_fc_role,
00284 &i_attr_val2,
00285
TRUE))
00286 {
00287 rsbac_ds_get_error(
"rsbac_adf_request_fc()",
A_fc_role);
00288
return(
NOT_GRANTED);
00289 }
00290
00291
if ( (i_attr_val2.
system_role !=
SR_user)
00292 && (i_attr_val1.
system_role != i_attr_val2.
system_role)
00293 )
00294
return(
NOT_GRANTED);
00295
else
00296
return(
GRANTED);
00297
#endif
00298
00299
00300
case T_NONE:
00301
return(
DO_NOT_CARE);
00302
00303
default:
00304
return(
DO_NOT_CARE);
00305 }
00306
00307
case R_CHDIR:
00308
switch(target)
00309 {
00310
case T_DIR:
00311
return(
check_role_fc(target,tid,owner));
00312
00313
00314
default:
return(
DO_NOT_CARE);
00315 }
00316
00317
case R_CLONE:
00318
case R_TRACE:
00319
case R_SEND_SIGNAL:
00320
case R_TERMINATE:
00321
if (target ==
T_PROCESS)
00322
return(
DO_NOT_CARE);
00323
else
00324
return(
DO_NOT_CARE);
00325
00326
00327
case R_CREATE:
00328
switch(target)
00329 {
00330
case T_DIR:
00331
return(
check_role_fc(target,tid,owner));
00332
00333
case T_IPC:
00334
return(
GRANTED);
00335
00336
#ifdef CONFIG_RSBAC_FC_NET_OBJ_PROT
00337
case T_NETTEMP:
00338
return fc_check_sysrole(owner,
SR_security_officer);
00339
00340
case T_NETOBJ:
00341
return(check_role_fc_netobj(request,tid,owner));
00342
#endif
00343
00344
00345
default:
return(
DO_NOT_CARE);
00346 }
00347
00348
case R_DELETE:
00349
switch(target)
00350 {
00351
case T_FILE:
00352
case T_DIR:
00353
case T_FIFO:
00354
case T_SYMLINK:
00355
case T_IPC:
00356
return(
check_role_fc(target,tid,owner));
00357
00358
#ifdef CONFIG_RSBAC_FC_NET_OBJ_PROT
00359
case T_NETTEMP:
00360
return fc_check_sysrole(owner,
SR_security_officer);
00361
#endif
00362
00363
default:
return(
DO_NOT_CARE);
00364 }
00365
00366
case R_EXECUTE:
00367
switch(target)
00368 {
00369
case T_FILE:
00370
return(
check_role_fc(target,tid,owner));
00371
00372
00373
default:
00374
return(
DO_NOT_CARE);
00375 }
00376
00377
case R_GET_STATUS_DATA:
00378
switch(target)
00379 {
00380
case T_SCD:
00381
00382
if (tid.
scd !=
ST_rsbaclog)
00383
return(
GRANTED);
00384
00385
if(
fc_check_sysrole(owner,
SR_security_officer) ==
NOT_GRANTED)
00386
return fc_check_sysrole(owner,
SR_auditor);
00387
else
00388
return GRANTED;
00389
default:
00390
return(
DO_NOT_CARE);
00391 };
00392
00393
case R_LINK_HARD:
00394
switch(target)
00395 {
00396
case T_FILE:
00397
case T_FIFO:
00398
case T_SYMLINK:
00399
return(
check_role_fc(target,tid,owner));
00400
00401
00402
default:
return(
DO_NOT_CARE);
00403 }
00404
00405
case R_MODIFY_ACCESS_DATA:
00406
case R_RENAME:
00407
switch(target)
00408 {
00409
case T_FILE:
00410
case T_DIR:
00411
case T_FIFO:
00412
case T_SYMLINK:
00413
return(
check_role_fc(target,tid,owner));
00414
00415
00416
default:
return(
DO_NOT_CARE);
00417 }
00418
00419
case R_MODIFY_ATTRIBUTE:
00420
switch(attr)
00421 {
00422
case A_system_role:
00423
case A_fc_role:
00424
case A_object_category:
00425
case A_local_object_category:
00426
case A_remote_object_category:
00427
#ifdef CONFIG_RSBAC_FC_GEN_PROT
00428
case A_log_array_low:
00429
case A_log_array_high:
00430
case A_log_program_based:
00431
case A_log_user_based:
00432
case A_symlink_add_uid:
00433
case A_symlink_add_rc_role:
00434
case A_linux_dac_disable:
00435
case A_fake_root_uid:
00436
#endif
00437
#ifdef CONFIG_RSBAC_FC_AUTH_PROT
00438
case A_auth_may_setuid:
00439
case A_auth_may_set_cap:
00440
case A_auth_start_uid:
00441
case A_auth_program_file:
00442
case A_auth_learn:
00443
case A_auth_add_f_cap:
00444
case A_auth_remove_f_cap:
00445
#endif
00446
00447
case A_none:
00448
00449
return fc_check_sysrole(owner,
SR_security_officer);
00450
00451
default:
00452
return(
DO_NOT_CARE);
00453 }
00454
00455
case R_MODIFY_PERMISSIONS_DATA:
00456
switch(target)
00457 {
00458
case T_FILE:
00459
case T_DIR:
00460
case T_FIFO:
00461
case T_SYMLINK:
00462
case T_IPC:
00463
return(
check_role_fc(target,tid,owner));
00464
00465
case T_SCD:
00466
#ifdef CONFIG_RSBAC_USER_MOD_IOPERM
00467
if(tid.
scd ==
ST_ioports)
00468
return GRANTED;
00469
#endif
00470
00471 i_tid.
user = owner;
00472
if ((err=
rsbac_get_attr(
FC,
00473
T_USER,
00474 i_tid,
00475
A_fc_role,
00476 &i_attr_val1,
00477
TRUE)))
00478 {
00479 rsbac_ds_get_error(
"rsbac_adf_request_fc()",
A_fc_role);
00480
return(
NOT_GRANTED);
00481 }
00482
00483
if (i_attr_val1.
system_role ==
SR_security_officer)
00484
return(
GRANTED);
00485
00486
if ( (i_attr_val1.
system_role ==
SR_administrator)
00487 && (tid.
scd ==
ST_ioports) )
00488
return(
GRANTED);
00489
else
00490
return(
NOT_GRANTED);
00491
00492
#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE
00493
00494
case T_NONE:
00495
00496
return fc_check_sysrole(owner,
SR_security_officer);
00497
#endif
00498
00499
00500
default:
return(
DO_NOT_CARE);
00501 }
00502
00503
case R_MODIFY_SYSTEM_DATA:
00504
switch(target)
00505 {
00506
case T_SCD:
00507
00508
if (tid.
scd ==
ST_rlimit)
00509
return(
GRANTED);
00510
00511 i_tid.
user = owner;
00512
if ((err=
rsbac_get_attr(
FC,
00513
T_USER,
00514 i_tid,
00515
A_fc_role,
00516 &i_attr_val1,
00517
TRUE)))
00518 {
00519 rsbac_ds_get_error(
"rsbac_adf_request_fc()",
A_fc_role);
00520
return(
NOT_GRANTED);
00521 }
00522
00523
if(tid.
scd ==
ST_rsbaclog)
00524 {
00525
if ( (i_attr_val1.
system_role ==
SR_security_officer)
00526 || (i_attr_val1.
system_role ==
SR_auditor)
00527 )
00528
return(
GRANTED);
00529
else
00530
return(
NOT_GRANTED);
00531 }
00532
00533
if (i_attr_val1.
system_role ==
SR_administrator)
00534
return(
GRANTED);
00535
else
00536
return(
NOT_GRANTED);
00537
00538
#ifdef CONFIG_RSBAC_FC_NET_DEV_PROT
00539
case T_NETDEV:
00540
return fc_check_sysrole(owner,
SR_administrator);
00541
#endif
00542
00543
00544
default:
return(
DO_NOT_CARE);
00545 }
00546
00547
case R_MOUNT:
00548
case R_UMOUNT:
00549
switch(target)
00550 {
00551
case T_FILE:
00552
case T_DIR:
00553
case T_DEV:
00554
00555
if(
fc_check_sysrole(owner,
SR_administrator) ==
NOT_GRANTED)
00556
return NOT_GRANTED;
00557
00558
00559
return(
check_role_fc(target,tid,owner));
00560
00561
00562
default:
return(
DO_NOT_CARE);
00563 }
00564
00565
case R_READ:
00566
switch(target)
00567 {
00568
case T_DIR:
00569
#ifdef CONFIG_RSBAC_RW
00570
case T_FILE:
00571
case T_FIFO:
00572
case T_IPC:
00573
#endif
00574
return(
check_role_fc(target,tid,owner));
00575
00576
#if defined(CONFIG_RSBAC_FC_NET_OBJ_PROT)
00577
case T_NETTEMP:
00578
if(
fc_check_sysrole(owner,
SR_security_officer) ==
GRANTED)
00579
return GRANTED;
00580
return fc_check_sysrole(owner,
SR_administrator);
00581
00582
case T_NETOBJ:
00583
return(check_role_fc_netobj(request,tid,owner));
00584
#endif
00585
00586
00587
default:
return(
DO_NOT_CARE);
00588 }
00589
00590
case R_READ_ATTRIBUTE:
00591
switch(attr)
00592 {
00593
case A_system_role:
00594
case A_fc_role:
00595
case A_object_category:
00596
case A_local_object_category:
00597
case A_remote_object_category:
00598
#ifdef CONFIG_RSBAC_FC_GEN_PROT
00599
case A_log_array_low:
00600
case A_log_array_high:
00601
case A_log_program_based:
00602
case A_log_user_based:
00603
case A_symlink_add_uid:
00604
case A_symlink_add_rc_role:
00605
case A_linux_dac_disable:
00606
case A_fake_root_uid:
00607
#endif
00608
#ifdef CONFIG_RSBAC_FC_AUTH_PROT
00609
case A_auth_may_setuid:
00610
case A_auth_may_set_cap:
00611
case A_auth_start_uid:
00612
case A_auth_program_file:
00613
case A_auth_learn:
00614
#endif
00615
00616
return fc_check_sysrole(owner,
SR_security_officer);
00617
00618
default:
00619
return(
DO_NOT_CARE);
00620 }
00621
00622
case R_READ_OPEN:
00623
switch(target)
00624 {
00625
case T_FILE:
00626
case T_DIR:
00627
case T_FIFO:
00628
case T_DEV:
00629
case T_IPC:
00630
return(
check_role_fc(target,tid,owner));
00631
00632
00633
default:
return(
DO_NOT_CARE);
00634 }
00635
00636
case R_REMOVE_FROM_KERNEL:
00637
case R_SHUTDOWN:
00638
switch(target)
00639 {
00640
case T_NONE:
00641
00642
return fc_check_sysrole(owner,
SR_administrator);
00643
00644
00645
default:
return(
DO_NOT_CARE);
00646 }
00647
00648
case R_SEARCH:
00649
switch(target)
00650 {
00651
case T_DIR:
00652
case T_SYMLINK:
00653
return(
check_role_fc(target,tid,owner));
00654
00655
00656
default:
return(
DO_NOT_CARE);
00657 }
00658
00659
case R_SWITCH_LOG:
00660
switch(target)
00661 {
00662
case T_NONE:
00663
00664
return fc_check_sysrole(owner,
SR_security_officer);
00665
00666
00667
default:
return(
DO_NOT_CARE);
00668 }
00669
00670
case R_SWITCH_MODULE:
00671
switch(target)
00672 {
00673
case T_NONE:
00674
00675
if(attr != A_switch_target)
00676
return(
UNDEFINED);
00677
00678
if( (attr_val.switch_target !=
FC)
00679
#ifdef CONFIG_RSBAC_FC_AUTH_PROT
00680
&& (attr_val.switch_target !=
AUTH)
00681
#endif
00682
#ifdef CONFIG_RSBAC_SOFTMODE
00683
&& (attr_val.switch_target !=
SOFTMODE)
00684
#endif
00685
)
00686
return(
DO_NOT_CARE);
00687
00688
return fc_check_sysrole(owner,
SR_security_officer);
00689
00690
00691
default:
return(
DO_NOT_CARE);
00692 }
00693
00694
case R_TRUNCATE:
00695
switch(target)
00696 {
00697
case T_FILE:
00698
return(
check_role_fc(target,tid,owner));
00699
00700
00701
default:
return(
DO_NOT_CARE);
00702 }
00703
00704
case R_WRITE:
00705
switch(target)
00706 {
00707
case T_DIR:
00708
#ifdef CONFIG_RSBAC_RW
00709
case T_FILE:
00710
case T_FIFO:
00711
case T_DEV:
00712
case T_IPC:
00713
#endif
00714
return(
check_role_fc(target,tid,owner));
00715
00716
#if defined(CONFIG_RSBAC_FC_NET_OBJ_PROT)
00717
case T_NETTEMP:
00718
return fc_check_sysrole(owner,
SR_security_officer);
00719
00720
case T_NETOBJ:
00721
return(check_role_fc_netobj(request,tid,owner));
00722
#endif
00723
00724
00725
default:
return(
DO_NOT_CARE);
00726 }
00727
00728
case R_WRITE_OPEN:
00729
switch(target)
00730 {
00731
case T_FILE:
00732
case T_FIFO:
00733
case T_DEV:
00734
case T_IPC:
00735
return(
check_role_fc(target,tid,owner));
00736
00737
00738
default:
return(
DO_NOT_CARE);
00739 }
00740
00741
#ifdef CONFIG_RSBAC_FC_NET_OBJ_PROT
00742
case R_BIND:
00743
case R_LISTEN:
00744
case R_ACCEPT:
00745
case R_CONNECT:
00746
case R_SEND:
00747
case R_RECEIVE:
00748
switch(target)
00749 {
00750
case T_NETOBJ:
00751
return(check_role_fc_netobj(request,tid,owner));
00752
00753
00754
default:
return(
DO_NOT_CARE);
00755 }
00756
#endif
00757
00758
00759
default:
return DO_NOT_CARE;
00760 }
00761
00762
return(result);
00763 };
00764
00765
00766
00767
00768
00769
00770
00771
00772
00773
00774
00775
00776
00777 int rsbac_adf_set_attr_fc(
00778
enum rsbac_adf_request_t request,
00779
rsbac_pid_t caller_pid,
00780
enum rsbac_target_t target,
00781
union rsbac_target_id_t tid,
00782
enum rsbac_target_t new_target,
00783
union rsbac_target_id_t new_tid,
00784
enum rsbac_attribute_t attr,
00785
union rsbac_attribute_value_t attr_val,
00786
rsbac_uid_t owner)
00787 {
00788
int err;
00789
union rsbac_target_id_t i_tid;
00790
union rsbac_attribute_value_t i_attr_val1;
00791
union rsbac_attribute_value_t i_attr_val2;
00792
00793
switch (request)
00794 {
00795
case R_CREATE:
00796
switch(target)
00797 {
00798
case T_IPC:
00799
00800 i_tid.
user = owner;
00801
if ((err=
rsbac_get_attr(
FC,
00802
T_USER,
00803 i_tid,
00804
A_fc_role,
00805 &i_attr_val1,
00806
TRUE)))
00807 {
00808 rsbac_ds_get_error(
"rsbac_adf_request_fc()",
A_fc_role);
00809
return(-
RSBAC_EREADFAILED);
00810 }
00811
00812
00813
switch (i_attr_val1.
system_role)
00814 {
00815
case SR_user:
00816
return 0;
00817
case SR_security_officer:
00818 i_attr_val2.
object_category =
OC_security;
00819
break;
00820
case SR_administrator:
00821 i_attr_val2.
object_category =
OC_system;
00822
break;
00823
default:
00824
#ifdef CONFIG_RSBAC_RMSG
00825
rsbac_printk(KERN_WARNING
00826
"rsbac_adf_set_attr_fc(): invalid fc_role %i!\n",
00827 i_attr_val1.
system_role);
00828
#endif
00829
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00830
if (!rsbac_nosyslog)
00831
#endif
00832
printk(KERN_WARNING
00833
"rsbac_adf_set_attr_fc(): invalid fc_role %i!\n",
00834 i_attr_val1.
system_role);
00835
return 0;
00836 }
00837
00838
if ((err=
rsbac_set_attr(
FC,
00839 target,
00840 tid,
00841
A_object_category,
00842 i_attr_val2)))
00843 {
00844 rsbac_ds_set_error(
"rsbac_adf_request_fc()",
A_object_category);
00845
return(-
RSBAC_EWRITEFAILED);
00846 }
00847
return(0);
00848
00849
#if defined(CONFIG_RSBAC_FC_NET_OBJ_PROT)
00850
case T_NETOBJ:
00851
00852 i_tid.
user = owner;
00853
if ((err=
rsbac_get_attr(
FC,
00854
T_USER,
00855 i_tid,
00856
A_fc_role,
00857 &i_attr_val1,
00858
TRUE)))
00859 {
00860 rsbac_ds_get_error(
"rsbac_adf_request_fc()",
A_fc_role);
00861
return(-
RSBAC_EREADFAILED);
00862 }
00863
00864
00865
switch (i_attr_val1.
system_role)
00866 {
00867
case SR_user:
00868
return 0;
00869
case SR_security_officer:
00870 i_attr_val2.
object_category =
OC_security;
00871
break;
00872
case SR_administrator:
00873 i_attr_val2.
object_category =
OC_system;
00874
break;
00875
default:
00876
#ifdef CONFIG_RSBAC_RMSG
00877
rsbac_printk(KERN_WARNING
00878
"rsbac_adf_set_attr_fc(): invalid fc_role %i!\n",
00879 i_attr_val1.
system_role);
00880
#endif
00881
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00882
if (!rsbac_nosyslog)
00883
#endif
00884
printk(KERN_WARNING
00885
"rsbac_adf_set_attr_fc(): invalid fc_role %i!\n",
00886 i_attr_val1.
system_role);
00887
return 0;
00888 }
00889
00890
if ((err=
rsbac_set_attr(
FC,
00891 target,
00892 tid,
00893
A_local_object_category,
00894 i_attr_val2)))
00895 {
00896 rsbac_ds_set_error(
"rsbac_adf_request_fc()",
A_local_object_category);
00897
return(-
RSBAC_EWRITEFAILED);
00898 }
00899
return(0);
00900
#endif
00901
00902
00903
default:
00904
return(0);
00905 }
00906
00907
00908
00909
default:
return(0);
00910 }
00911
00912
return(0);
00913 };
00914
00915