/daten/src/linux-2.4.27-rsbac-v1.2.3/rsbac/adf/pax/pax_main.c

Go to the documentation of this file.
00001 /**************************************************** */ 00002 /* Rule Set Based Access Control */ 00003 /* Implementation of the Access Control Decision */ 00004 /* Facility (ADF) - PAX */ 00005 /* File: rsbac/adf/pax/pax_main.c */ 00006 /* */ 00007 /* Author and (c) 1999-2004: Amon Ott <ao@rsbac.org> */ 00008 /* */ 00009 /* Last modified: 11/Mar/2004 */ 00010 /**************************************************** */ 00011 00012 #include <linux/string.h> 00013 #include <linux/binfmts.h> 00014 #include <rsbac/types.h> 00015 #include <rsbac/aci.h> 00016 #include <rsbac/adf_main.h> 00017 #include <rsbac/error.h> 00018 #include <rsbac/helpers.h> 00019 #include <rsbac/getname.h> 00020 #include <rsbac/pax_getname.h> 00021 #include <rsbac/debug.h> 00022 00023 /************************************************* */ 00024 /* Global Variables */ 00025 /************************************************* */ 00026 00027 /************************************************* */ 00028 /* Internal Help functions */ 00029 /************************************************* */ 00030 00031 /************************************************* */ 00032 /* Externally visible functions */ 00033 /************************************************* */ 00034 00035 /**** PaX set flags func ****/ 00036 #if defined(CONFIG_RSBAC_PAX) && (defined(CONFIG_PAX_HAVE_ACL_FLAGS) || defined(CONFIG_PAX_HOOK_ACL_FLAGS)) 00037 #if defined(CONFIG_PAX_HAVE_ACL_FLAGS) 00038 void pax_set_flags(struct linux_binprm * bprm) 00039 #else 00040 void rsbac_pax_set_flags_func(struct linux_binprm * bprm) 00041 #endif 00042 { 00043 int err; 00044 union rsbac_target_id_t tid; 00045 union rsbac_attribute_value_t attr_val; 00046 00047 tid.file.device = bprm->file->f_dentry->d_sb->s_dev; 00048 tid.file.inode = bprm->file->f_dentry->d_inode->i_ino; 00049 tid.file.dentry_p = bprm->file->f_dentry; 00050 err = rsbac_get_attr(PAX, 00051 T_FILE, 00052 tid, 00053 A_pax_flags, 00054 &attr_val, 00055 TRUE); 00056 if(!err) 00057 { 00058 pax_check_flags(&attr_val.pax_flags); 00059 #ifdef CONFIG_RSBAC_DEBUG 00060 if(rsbac_debug_adf_pax) 00061 { 00062 #ifdef CONFIG_RSBAC_RMSG 00063 rsbac_printk(KERN_DEBUG 00064 "rsbac_pax_set_flags_func(): changing flags for process %u from %lx to %lx from device %02u:%02u inode %u\n", 00065 current->pid, 00066 current->flags & RSBAC_PAX_ALL_FLAGS, 00067 attr_val.pax_flags, 00068 MAJOR(tid.file.device),MINOR(tid.file.device), 00069 tid.file.inode); 00070 #endif 00071 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00072 if (!rsbac_nosyslog) 00073 #endif 00074 printk(KERN_DEBUG 00075 "rsbac_pax_set_flags_func(): changing flags for process %u from %lx to %lx from device %02u:%02u inode %u\n", 00076 current->pid, 00077 current->flags & RSBAC_PAX_ALL_FLAGS, 00078 attr_val.pax_flags, 00079 MAJOR(tid.file.device),MINOR(tid.file.device), 00080 tid.file.inode); 00081 } 00082 #endif 00083 /* Set flags for process */ 00084 current->flags = (current->flags & ~RSBAC_PAX_ALL_FLAGS) | attr_val.pax_flags; 00085 } 00086 else 00087 { 00088 #ifdef CONFIG_RSBAC_RMSG 00089 rsbac_printk(KERN_WARNING 00090 "rsbac_pax_set_flags_func(): get_data for device %02u:%02u, inode %u returned error %i!\n", 00091 MAJOR(tid.file.device), 00092 MINOR(tid.file.device), 00093 tid.file.inode, 00094 err); 00095 #endif 00096 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00097 if (!rsbac_nosyslog) 00098 #endif 00099 printk(KERN_WARNING 00100 "rsbac_pax_set_flags_func(): get_data for device %02u:%02u, inode %u returned error %i!\n", 00101 MAJOR(tid.file.device), 00102 MINOR(tid.file.device), 00103 tid.file.inode, 00104 err); 00105 } 00106 } 00107 #endif 00108 00109 00110 enum rsbac_adf_req_ret_t 00111 rsbac_adf_request_pax (enum rsbac_adf_request_t request, 00112 rsbac_pid_t caller_pid, 00113 enum rsbac_target_t target, 00114 union rsbac_target_id_t tid, 00115 enum rsbac_attribute_t attr, 00116 union rsbac_attribute_value_t attr_val, 00117 rsbac_uid_t owner) 00118 { 00119 union rsbac_target_id_t i_tid; 00120 union rsbac_attribute_value_t i_attr_val1; 00121 00122 switch (request) 00123 { 00124 case R_MODIFY_ATTRIBUTE: 00125 switch(attr) 00126 { 00127 case A_system_role: 00128 case A_pax_role: 00129 case A_pax_flags: 00130 #ifdef CONFIG_RSBAC_PAX_AUTH_PROT 00131 case A_auth_may_setuid: 00132 case A_auth_may_set_cap: 00133 case A_auth_start_uid: 00134 case A_auth_program_file: 00135 case A_auth_learn: 00136 case A_auth_add_f_cap: 00137 case A_auth_remove_f_cap: 00138 #endif 00139 /* All attributes (remove target!) */ 00140 case A_none: 00141 /* Security Officer? */ 00142 i_tid.user = owner; 00143 if (rsbac_get_attr(PAX, 00144 T_USER, 00145 i_tid, 00146 A_pax_role, 00147 &i_attr_val1, 00148 TRUE)) 00149 { 00150 rsbac_ds_get_error("rsbac_adf_request_pax()", A_pax_role); 00151 return(NOT_GRANTED); 00152 } 00153 /* if sec_officer, then grant */ 00154 if (i_attr_val1.system_role == SR_security_officer) 00155 return(GRANTED); 00156 else 00157 return(NOT_GRANTED); 00158 00159 default: 00160 return(DO_NOT_CARE); 00161 } 00162 00163 case R_READ_ATTRIBUTE: 00164 switch(attr) 00165 { 00166 case A_system_role: 00167 case A_pax_role: 00168 case A_pax_flags: 00169 /* All attributes (remove target!) */ 00170 case A_none: 00171 /* Security Officer or Admin? */ 00172 i_tid.user = owner; 00173 if (rsbac_get_attr(PAX, 00174 T_USER, 00175 i_tid, 00176 A_pax_role, 00177 &i_attr_val1, 00178 TRUE)) 00179 { 00180 rsbac_ds_get_error("rsbac_adf_request_pax()", A_pax_role); 00181 return(NOT_GRANTED); 00182 } 00183 /* if sec_officer, then grant */ 00184 if( (i_attr_val1.system_role == SR_security_officer) 00185 || (i_attr_val1.system_role == SR_administrator) 00186 ) 00187 return(GRANTED); 00188 else 00189 return(NOT_GRANTED); 00190 00191 default: 00192 return(DO_NOT_CARE); 00193 } 00194 00195 case R_SWITCH_LOG: 00196 switch(target) 00197 { 00198 case T_NONE: 00199 /* test owner's pax_role */ 00200 i_tid.user = owner; 00201 if (rsbac_get_attr(PAX, 00202 T_USER, 00203 i_tid, 00204 A_pax_role, 00205 &i_attr_val1, 00206 TRUE)) 00207 { 00208 rsbac_ds_get_error("rsbac_adf_request_pax()", A_pax_role); 00209 return(NOT_GRANTED); 00210 } 00211 /* security officer? -> grant */ 00212 if (i_attr_val1.system_role == SR_security_officer) 00213 return(GRANTED); 00214 else 00215 return(NOT_GRANTED); 00216 00217 /* all other cases are unknown */ 00218 default: return(DO_NOT_CARE); 00219 } 00220 00221 case R_SWITCH_MODULE: 00222 switch(target) 00223 { 00224 case T_NONE: 00225 /* we need the switch_target */ 00226 if(attr != A_switch_target) 00227 return(UNDEFINED); 00228 /* do not care for other modules */ 00229 if( (attr_val.switch_target != PAX) 00230 #ifdef CONFIG_RSBAC_PAX_AUTH_PROT 00231 && (attr_val.switch_target != AUTH) 00232 #endif 00233 #ifdef CONFIG_RSBAC_SOFTMODE 00234 && (attr_val.switch_target != SOFTMODE) 00235 #endif 00236 ) 00237 return(DO_NOT_CARE); 00238 /* test owner's pax_role */ 00239 i_tid.user = owner; 00240 if (rsbac_get_attr(PAX, 00241 T_USER, 00242 i_tid, 00243 A_pax_role, 00244 &i_attr_val1, 00245 TRUE)) 00246 { 00247 rsbac_ds_get_error("rsbac_adf_request_pax()", A_pax_role); 00248 return(NOT_GRANTED); 00249 } 00250 /* security officer? -> grant */ 00251 if (i_attr_val1.system_role == SR_security_officer) 00252 return(GRANTED); 00253 else 00254 return(NOT_GRANTED); 00255 00256 /* all other cases are unknown */ 00257 default: return(DO_NOT_CARE); 00258 } 00259 00260 /*********************/ 00261 default: return DO_NOT_CARE; 00262 } 00263 00264 return(DO_NOT_CARE); 00265 }; /* end of rsbac_adf_request_pax() */ 00266 00267 00268 /*****************************************************************************/ 00269 /* If the request returned granted and the operation is performed, */ 00270 /* the following function can be called by the AEF to get all aci set */ 00271 /* correctly. For write accesses that are performed fully within the kernel, */ 00272 /* this is usually not done to prevent extra calls, including R_CLOSE for */ 00273 /* cleaning up. */ 00274 /* The second instance of target specification is the new target, if one has */ 00275 /* been created, otherwise its values are ignored. */ 00276 /* On success, 0 is returned, and an error from rsbac/error.h otherwise. */ 00277 00278 int rsbac_adf_set_attr_pax( 00279 enum rsbac_adf_request_t request, 00280 rsbac_pid_t caller_pid, 00281 enum rsbac_target_t target, 00282 union rsbac_target_id_t tid, 00283 enum rsbac_target_t new_target, 00284 union rsbac_target_id_t new_tid, 00285 enum rsbac_attribute_t attr, 00286 union rsbac_attribute_value_t attr_val, 00287 rsbac_uid_t owner) 00288 { 00289 return 0; 00290 }; /* end of rsbac_adf_set_attr_pax() */ 00291 00292 /* end of rsbac/adf/pax/pax_main.c */

Generated on Tue Aug 31 10:05:23 2004 for RSBAC by doxygen 1.3.8