00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
#include <linux/string.h>
00013
#include <rsbac/aci.h>
00014
#include <linux/sched.h>
00015
#include <linux/fs.h>
00016
#include <linux/stat.h>
00017
#include <linux/smp_lock.h>
00018
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00019
#include <linux/syscalls.h>
00020
#endif
00021
#include <rsbac/pm_types.h>
00022
#include <rsbac/pm.h>
00023
#include <rsbac/pm_getname.h>
00024
#include <rsbac/error.h>
00025
#include <rsbac/debug.h>
00026
#include <rsbac/helpers.h>
00027
#include <rsbac/adf.h>
00028
#include <rsbac/adf_main.h>
00029
00030
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00031
#include <linux/namei.h>
00032
#include <linux/file.h>
00033
#include <linux/mount.h>
00034
#endif
00035
00036
00037
00038
00039
00040
00041
00042
00043
00044
00045
00046
00047
00048
00049 static int pm_get_file(
const char * name,
00050
enum rsbac_target_t * target_p,
00051
union rsbac_target_id_t * tid_p)
00052 {
00053
int error = 0;
00054
struct dentry * dentry_p;
00055
struct nameidata nd;
00056
00057
00058
if ((error = user_path_walk(name, &nd)))
00059 {
00060
#ifdef CONFIG_RSBAC_DEBUG
00061
if (rsbac_debug_aef_pm)
00062 printk(KERN_DEBUG
"pm_get_file(): call to user_path_walk() returned %i\n", error);
00063
#endif
00064
return(-
RSBAC_EINVALIDTARGET);
00065 }
00066 dentry_p = nd.dentry;
00067
if (!dentry_p->d_inode)
00068 {
00069
#ifdef CONFIG_RSBAC_DEBUG
00070
if (rsbac_debug_aef_pm)
00071 printk(KERN_DEBUG
00072
"pm_get_file(): file not found\n");
00073
#endif
00074
return(-
RSBAC_EINVALIDTARGET);
00075 }
00076
if(S_ISREG(dentry_p->d_inode->i_mode))
00077 {
00078
00079 tid_p->file.device = dentry_p->d_sb->s_dev;
00080 tid_p->file.inode = dentry_p->d_inode->i_ino;
00081 tid_p->file.dentry_p = dentry_p;
00082 *target_p =
T_FILE;
00083 }
00084
else if(S_ISFIFO(dentry_p->d_inode->i_mode))
00085 {
00086
00087 tid_p->file.device = dentry_p->d_sb->s_dev;
00088 tid_p->file.inode = dentry_p->d_inode->i_ino;
00089 tid_p->file.dentry_p = dentry_p;
00090 *target_p =
T_FIFO;
00091 }
00092
else if(S_ISBLK(dentry_p->d_inode->i_mode))
00093 {
00094
00095 tid_p->dev.type =
D_block;
00096 tid_p->dev.id = dentry_p->d_inode->i_rdev;
00097 *target_p =
T_DEV;
00098 }
00099
else if(S_ISCHR(dentry_p->d_inode->i_mode))
00100 {
00101
00102 tid_p->dev.type =
D_char;
00103 tid_p->dev.id = dentry_p->d_inode->i_rdev;
00104 *target_p =
T_DEV;
00105 }
00106
else
00107 error = -
RSBAC_EINVALIDTARGET;
00108
00109 dput(dentry_p);
00110
00111
return(error);
00112 };
00113
00114
00115
00116
00117
00118
00119
00120
00121
00122 int rsbac_pm(
enum rsbac_pm_function_type_t function,
00123
union rsbac_pm_function_param_t param,
00124
rsbac_pm_tkt_id_t tkt)
00125 {
00126
union rsbac_pm_all_data_value_t all_data;
00127
enum rsbac_target_t target;
00128
union rsbac_target_id_t tid;
00129
union rsbac_attribute_value_t attr_val;
00130
union rsbac_pm_target_id_t pm_tid;
00131
union rsbac_pm_target_id_t pm_tid2;
00132
union rsbac_pm_data_value_t data_val;
00133
int error = 0;
00134
rsbac_uid_t owner;
00135
enum rsbac_pm_role_t role;
00136
struct rsbac_pm_purpose_list_item_t pp_set;
00137
union rsbac_pm_set_id_t pm_set_id;
00138
union rsbac_pm_set_member_t pm_set_member;
00139
union rsbac_pm_tkt_internal_function_param_t tkt_i_function_param;
00140
struct rsbac_fs_file_t file;
00141
struct rsbac_dev_t dev;
00142
char tmp[80];
00143
boolean class_exists =
FALSE;
00144
00145
00146
if (!
rsbac_is_initialized())
00147
return(-
RSBAC_ENOTINITIALIZED);
00148
00149
get_pm_function_type_name(tmp,function);
00150
#ifdef CONFIG_RSBAC_DEBUG
00151
if(rsbac_debug_ds_pm)
00152 printk(KERN_DEBUG
00153
"rsbac_pm(): called for function %s (No.%i)\n",
00154 tmp,function);
00155
#endif
00156
00157
00158
if (current->pid > 1)
00159 owner = current->uid;
00160
else
00161 owner = 0;
00162
00163
00164 tid.
user = owner;
00165 error =
rsbac_get_attr(
PM,
T_USER,tid,
A_pm_role,&attr_val,
TRUE);
00166
if (error)
00167 {
00168 printk(KERN_WARNING
00169
"rsbac_pm(): rsbac_get_attr() for pm_role returned error %i",
00170 error);
00171
return(-
RSBAC_EREADFAILED);
00172 }
00173 role = attr_val.
pm_role;
00174
00175
switch(function)
00176 {
00177
case PF_create_ticket:
00178
00179 pm_tid.tkt = param.
create_ticket.
id;
00180
if(
rsbac_pm_exists(PMT_TKT,
00181 pm_tid))
00182
return(-
RSBAC_EEXISTS);
00183
00184
00185
00186
00187
switch(param.
create_ticket.
function_type)
00188 {
00189
case PTF_add_na:
00190
if(role !=
PR_data_protection_officer)
00191
return(-
RSBAC_EPERM);
00192 tkt_i_function_param.add_na
00193 = param.
create_ticket.
function_param.
add_na;
00194
break;
00195
00196
case PTF_delete_na:
00197
if(role !=
PR_data_protection_officer)
00198
return(-
RSBAC_EPERM);
00199 tkt_i_function_param.delete_na
00200 = param.
create_ticket.
function_param.
delete_na;
00201
break;
00202
00203
case PTF_add_task:
00204
if(role !=
PR_data_protection_officer)
00205
return(-
RSBAC_EPERM);
00206 tkt_i_function_param.add_task
00207 = param.
create_ticket.
function_param.
add_task;
00208
break;
00209
00210
case PTF_delete_task:
00211
if(role !=
PR_data_protection_officer)
00212
return(-
RSBAC_EPERM);
00213 tkt_i_function_param.delete_task
00214 = param.
create_ticket.
function_param.
delete_task;
00215
break;
00216
00217
case PTF_add_object_class:
00218
if(role !=
PR_data_protection_officer)
00219
return(-
RSBAC_EPERM);
00220
00221
if( !param.
create_ticket.
function_param.
add_object_class.
id
00222 || (param.
create_ticket.
function_param.
add_object_class.
id
00223 ==
RSBAC_PM_IPC_OBJECT_CLASS_ID)
00224 || (param.
create_ticket.
function_param.
add_object_class.
id
00225 ==
RSBAC_PM_DEV_OBJECT_CLASS_ID))
00226 {
00227 printk(KERN_DEBUG
00228
"rsbac_pm(): add_object_class: reserved class-id 0, %u or %u requested!\n",
00229
RSBAC_PM_IPC_OBJECT_CLASS_ID,
00230
RSBAC_PM_DEV_OBJECT_CLASS_ID);
00231
return(-
RSBAC_EINVALIDVALUE);
00232 }
00233
00234 tkt_i_function_param.tkt_add_object_class.id
00235 = param.
create_ticket.
function_param.
add_object_class.
id;
00236
00237 tkt_i_function_param.tkt_add_object_class.pp_set
00238 = 0;
00239
00240
if(param.
create_ticket.
function_param.
add_object_class.
pp_list_p)
00241 {
00242
#ifdef CONFIG_RSBAC_DEBUG
00243
if(rsbac_debug_ds_pm)
00244 printk(KERN_DEBUG
00245
"rsbac_pm(): getting pp_list from user space\n");
00246
#endif
00247
00248 pm_set_id.pp_set = -param.
create_ticket.
id;
00249
if((error =
rsbac_pm_create_set(PS_PP,pm_set_id)))
00250 {
00251 printk(KERN_WARNING
00252
"rsbac_pm(): rsbac_pm_create_set() for PP returned error %i",
00253 error);
00254
return(-
RSBAC_EWRITEFAILED);
00255 }
00256 rsbac_get_user((u_char *) &pp_set,
00257 (u_char *) param.
create_ticket.
function_param.
add_object_class.
pp_list_p,
00258
sizeof(pp_set));
00259 pm_set_member.pp = pp_set.id;
00260
if((error =
rsbac_pm_add_to_set(PS_PP,pm_set_id,pm_set_member)))
00261 {
00262 printk(KERN_WARNING
00263
"rsbac_pm(): rsbac_pm_add_to_set() for PP returned error %i",
00264 error);
00265
rsbac_pm_remove_set(PS_PP,pm_set_id);
00266
return(-
RSBAC_EWRITEFAILED);
00267 }
00268
00269
while(pp_set.next)
00270 {
00271 rsbac_get_user((u_char *) &pp_set,
00272 (u_char *) pp_set.next,
00273
sizeof(pp_set));
00274 pm_set_member.pp = pp_set.id;
00275
if((error =
rsbac_pm_add_to_set(PS_PP,pm_set_id,pm_set_member)))
00276 {
00277 printk(KERN_WARNING
00278
"rsbac_pm(): rsbac_pm_add_to_set() for PP returned error %i",
00279 error);
00280
rsbac_pm_remove_set(PS_PP,pm_set_id);
00281
return(-
RSBAC_EWRITEFAILED);
00282 }
00283 }
00284 tkt_i_function_param.tkt_add_object_class.pp_set
00285 = -param.
create_ticket.
id;
00286 }
00287
break;
00288
00289
case PTF_delete_object_class:
00290
if(role !=
PR_data_protection_officer)
00291
return(-
RSBAC_EPERM);
00292 tkt_i_function_param.delete_object_class
00293 = param.
create_ticket.
function_param.
delete_object_class;
00294
break;
00295
00296
case PTF_add_authorized_tp:
00297
if(role !=
PR_data_protection_officer)
00298
return(-
RSBAC_EPERM);
00299 tkt_i_function_param.add_authorized_tp
00300 = param.
create_ticket.
function_param.
add_authorized_tp;
00301
break;
00302
00303
case PTF_delete_authorized_tp:
00304
if(role !=
PR_data_protection_officer)
00305
return(-
RSBAC_EPERM);
00306 tkt_i_function_param.delete_authorized_tp
00307 = param.
create_ticket.
function_param.
delete_authorized_tp;
00308
break;
00309
00310
case PTF_add_consent:
00311
if(role !=
PR_data_protection_officer)
00312
return(-
RSBAC_EPERM);
00313
00314
if ((error =
pm_get_file(param.
create_ticket.
function_param.
add_consent.
filename,
00315 &target,
00316 &tid)))
00317 {
00318
#ifdef CONFIG_RSBAC_DEBUG
00319
if (rsbac_debug_aef_pm)
00320 printk(KERN_DEBUG
00321
"rsbac_pm(): call to pm_get_file() returned error %i\n",
00322 error);
00323
#endif
00324
return(-
RSBAC_EINVALIDTARGET);
00325 }
00326
00327
if(target !=
T_FILE)
00328
return(-
RSBAC_EINVALIDTARGET);
00329 tkt_i_function_param.tkt_add_consent.file = tid.file;
00330 tkt_i_function_param.tkt_add_consent.purpose
00331 = param.
create_ticket.
function_param.
add_consent.
purpose;
00332
break;
00333
00334
case PTF_delete_consent:
00335
if(role !=
PR_data_protection_officer)
00336
return(-
RSBAC_EPERM);
00337
00338
if ((error =
pm_get_file(param.
create_ticket.
function_param.
delete_consent.
filename,
00339 &target,
00340 &tid)))
00341 {
00342
#ifdef CONFIG_RSBAC_DEBUG
00343
if (rsbac_debug_aef_pm)
00344 printk(KERN_DEBUG
00345
"rsbac_pm(): call to pm_get_file() returned error %i\n",
00346 error);
00347
#endif
00348
return(-
RSBAC_EINVALIDTARGET);
00349 }
00350
00351
if(target !=
T_FILE)
00352
return(-
RSBAC_EINVALIDTARGET);
00353 tkt_i_function_param.tkt_delete_consent.file = tid.file;
00354 tkt_i_function_param.tkt_delete_consent.purpose
00355 = param.
create_ticket.
function_param.
delete_consent.
purpose;
00356
break;
00357
00358
case PTF_add_purpose:
00359
if(role !=
PR_data_protection_officer)
00360
return(-
RSBAC_EPERM);
00361 tkt_i_function_param.add_purpose
00362 = param.
create_ticket.
function_param.
add_purpose;
00363
break;
00364
00365
case PTF_delete_purpose:
00366
if(role !=
PR_data_protection_officer)
00367
return(-
RSBAC_EPERM);
00368 tkt_i_function_param.delete_purpose
00369 = param.
create_ticket.
function_param.
delete_purpose;
00370
break;
00371
00372
case PTF_add_responsible_user:
00373
if(role !=
PR_data_protection_officer)
00374
return(-
RSBAC_EPERM);
00375 tkt_i_function_param.add_responsible_user
00376 = param.
create_ticket.
function_param.
add_responsible_user;
00377
break;
00378
00379
case PTF_delete_responsible_user:
00380
if(role !=
PR_data_protection_officer)
00381
return(-
RSBAC_EPERM);
00382 tkt_i_function_param.delete_responsible_user
00383 = param.
create_ticket.
function_param.
delete_responsible_user;
00384
break;
00385
00386
case PTF_delete_user_aci:
00387
if(role !=
PR_data_protection_officer)
00388
return(-
RSBAC_EPERM);
00389 tkt_i_function_param.delete_user_aci.id
00390 = param.
create_ticket.
function_param.
delete_user_aci.
id;
00391
break;
00392
00393
case PTF_set_role:
00394
if(role !=
PR_data_protection_officer)
00395
return(-
RSBAC_EPERM);
00396 tkt_i_function_param.set_role
00397 = param.
create_ticket.
function_param.
set_role;
00398
break;
00399
00400
case PTF_set_object_class:
00401
if(role !=
PR_data_protection_officer)
00402
return(-
RSBAC_EPERM);
00403
00404
if ((error =
pm_get_file(param.
create_ticket.
function_param.
set_object_class.
filename,
00405 &target,
00406 &tid)))
00407 {
00408
#ifdef CONFIG_RSBAC_DEBUG
00409
if (rsbac_debug_aef_pm)
00410 printk(KERN_DEBUG
00411
"rsbac_pm(): call to pm_get_file() returned error %i\n",
00412 error);
00413
#endif
00414
return(-
RSBAC_EINVALIDTARGET);
00415 }
00416
00417
if( (target !=
T_FILE)
00418 && (target !=
T_FIFO)
00419 )
00420
return(-
RSBAC_EINVALIDTARGET);
00421 tkt_i_function_param.tkt_set_object_class.file = tid.file;
00422 tkt_i_function_param.tkt_set_object_class.object_class
00423 = param.
create_ticket.
function_param.
set_object_class.
object_class;
00424
break;
00425
00426
#ifdef CONFIG_RSBAC_SWITCH
00427
case PTF_switch_pm:
00428
if(role !=
PR_data_protection_officer)
00429
return(-
RSBAC_EPERM);
00430 tkt_i_function_param.switch_pm
00431 = param.
create_ticket.
function_param.
switch_pm;
00432
break;
00433
00434
case PTF_switch_auth:
00435
if(role !=
PR_data_protection_officer)
00436
return(-
RSBAC_EPERM);
00437 tkt_i_function_param.switch_auth
00438 = param.
create_ticket.
function_param.
switch_auth;
00439
break;
00440
#endif
00441
00442
case PTF_set_device_object_type:
00443
if(role !=
PR_data_protection_officer)
00444
return(-
RSBAC_EPERM);
00445
00446
if ((error =
pm_get_file(param.
create_ticket.
function_param.
set_device_object_type.
filename,
00447 &target,
00448 &tid)))
00449 {
00450
#ifdef CONFIG_RSBAC_DEBUG
00451
if (rsbac_debug_aef_pm)
00452 printk(KERN_DEBUG
00453
"rsbac_pm(): call to pm_get_file() returned error %i\n",
00454 error);
00455
#endif
00456
return(-
RSBAC_EINVALIDTARGET);
00457 }
00458
00459
if(target !=
T_DEV)
00460
return(-
RSBAC_EINVALIDTARGET);
00461 tkt_i_function_param.tkt_set_device_object_type.dev = tid.dev;
00462 tkt_i_function_param.tkt_set_device_object_type.object_type
00463 = param.
create_ticket.
function_param.
set_device_object_type.
object_type;
00464 tkt_i_function_param.tkt_set_device_object_type.object_class
00465 = param.
create_ticket.
function_param.
set_device_object_type.
object_class;
00466
break;
00467
00468
case PTF_set_auth_may_setuid:
00469
if(role !=
PR_data_protection_officer)
00470
return(-
RSBAC_EPERM);
00471
00472
if ((error =
pm_get_file(param.
create_ticket.
function_param.
set_auth_may_setuid.
filename,
00473 &target,
00474 &tid)))
00475 {
00476
#ifdef CONFIG_RSBAC_DEBUG
00477
if (rsbac_debug_aef_pm)
00478 printk(KERN_DEBUG
00479
"rsbac_pm(): call to pm_get_file() returned error %i\n",
00480 error);
00481
#endif
00482
return(-
RSBAC_EINVALIDTARGET);
00483 }
00484
00485
if(target !=
T_FILE)
00486
return(-
RSBAC_EINVALIDTARGET);
00487 tkt_i_function_param.tkt_set_auth_may_setuid.file = tid.file;
00488 tkt_i_function_param.tkt_set_auth_may_setuid.value
00489 = param.
create_ticket.
function_param.
set_auth_may_setuid.
value;
00490
break;
00491
00492
case PTF_set_auth_may_set_cap:
00493
if(role !=
PR_data_protection_officer)
00494
return(-
RSBAC_EPERM);
00495
00496
if ((error =
pm_get_file(param.
create_ticket.
function_param.
set_auth_may_set_cap.
filename,
00497 &target,
00498 &tid)))
00499 {
00500
#ifdef CONFIG_RSBAC_DEBUG
00501
if (rsbac_debug_aef_pm)
00502 printk(KERN_DEBUG
00503
"rsbac_pm(): call to pm_get_file() returned error %i\n",
00504 error);
00505
#endif
00506
return(-
RSBAC_EINVALIDTARGET);
00507 }
00508
00509
if(target !=
T_FILE)
00510
return(-
RSBAC_EINVALIDTARGET);
00511 tkt_i_function_param.tkt_set_auth_may_set_cap.file = tid.file;
00512 tkt_i_function_param.tkt_set_auth_may_set_cap.value
00513 = param.
create_ticket.
function_param.
set_auth_may_set_cap.
value;
00514
break;
00515
00516
case PTF_add_authorized_task:
00517
case PTF_delete_authorized_task:
00518
00519
if(param.
create_ticket.
function_type
00520 ==
PTF_add_authorized_task)
00521 {
00522 tkt_i_function_param.add_authorized_task
00523 = param.
create_ticket.
function_param.
add_authorized_task;
00524 }
00525
else
00526 {
00527 tkt_i_function_param.delete_authorized_task
00528 = param.
create_ticket.
function_param.
delete_authorized_task;
00529 }
00530
00531
if(role ==
PR_data_protection_officer)
00532
break;
00533
00534
00535
00536
if(param.
create_ticket.
function_type
00537 ==
PTF_add_authorized_task)
00538 {
00539 pm_tid.
task
00540 = param.
create_ticket.
function_param.
add_authorized_task.
task;
00541 }
00542
else
00543 {
00544 pm_tid.task
00545 = param.
create_ticket.
function_param.
delete_authorized_task.
task;
00546 }
00547
if((error =
rsbac_pm_get_data(PMT_TASK,
00548 pm_tid,
00549 PD_ru_set,
00550 &data_val)))
00551
return(-
RSBAC_EREADFAILED);
00552
00553
if(!data_val.ru_set)
00554
return(-
RSBAC_EPERM);
00555
00556 pm_set_id.ru_set = data_val.ru_set;
00557 pm_set_member.ru = owner;
00558
if(!
rsbac_pm_set_member(PS_RU,pm_set_id,pm_set_member))
00559 {
00560
00561
rsbac_pm_remove_target(PMT_TKT,pm_tid);
00562
return(-
RSBAC_EPERM);
00563 }
00564
00565
break;
00566
00567
default:
00568
00569
return(-
RSBAC_EINVALIDVALUE);
00570 }
00571
00572
00573 all_data.tkt.id = param.
create_ticket.
id;
00574 all_data.tkt.issuer = owner;
00575 all_data.tkt.function_type = param.
create_ticket.
function_type;
00576 all_data.tkt.function_param = tkt_i_function_param;
00577
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00578
{
00579
struct timespec now = CURRENT_TIME;
00580
00581 all_data.tkt.valid_until = param.
create_ticket.
valid_for
00582 + now.tv_sec;
00583 }
00584
#else
00585
all_data.tkt.valid_until = param.
create_ticket.
valid_for
00586 + CURRENT_TIME;
00587
#endif
00588
error =
rsbac_pm_add_target(PMT_TKT,
00589 all_data);
00590
if(error && (param.
create_ticket.
function_type ==
PTF_add_object_class))
00591 {
00592
rsbac_pm_remove_set(PS_PP,pm_set_id);
00593 }
00594
return(error);
00595
00596
00597
case PF_add_na:
00598
if(role !=
PR_security_officer)
00599
return(-
RSBAC_EPERM);
00600
00601 pm_tid.tkt = tkt;
00602
if((error =
rsbac_pm_get_all_data(PMT_TKT,
00603 pm_tid,
00604 &all_data)))
00605 {
00606
if( (error != -
RSBAC_EINVALIDTARGET)
00607 && (error != -
RSBAC_ENOTFOUND)
00608 )
00609 printk(KERN_WARNING
00610
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
00611 error);
00612
return(-
RSBAC_EPERM);
00613 }
00614
00615
if( (all_data.tkt.function_type !=
PTF_add_na)
00616 || (all_data.tkt.function_param.add_na.task
00617 != param.
add_na.
task)
00618 || (all_data.tkt.function_param.add_na.object_class
00619 != param.
add_na.
object_class)
00620 || (all_data.tkt.function_param.add_na.tp
00621 != param.
add_na.
tp)
00622 || (all_data.tkt.function_param.add_na.accesses
00623 != param.
add_na.
accesses) )
00624
return(-
RSBAC_EPERM);
00625
00626
00627 pm_tid2.task = param.
add_na.
task;
00628
if(!
rsbac_pm_exists(PMT_TASK,
00629 pm_tid2))
00630
return(-
RSBAC_EINVALIDVALUE);
00631
00632
if( param.
add_na.
object_class
00633 && (param.
add_na.
object_class !=
RSBAC_PM_IPC_OBJECT_CLASS_ID)
00634 && (param.
add_na.
object_class !=
RSBAC_PM_DEV_OBJECT_CLASS_ID))
00635 {
00636 pm_tid2.object_class = param.
add_na.
object_class;
00637
if(!
rsbac_pm_exists(PMT_CLASS,
00638 pm_tid2))
00639
return(-
RSBAC_EINVALIDVALUE);
00640 }
00641
00642 pm_tid2.tp = param.
add_na.
tp;
00643
if(!
rsbac_pm_exists(PMT_TP,
00644 pm_tid2))
00645
return(-
RSBAC_EINVALIDVALUE);
00646
00647
00648 tid.
user = all_data.tkt.issuer;
00649
if((error =
rsbac_get_attr(
PM,
T_USER,
00650 tid,
00651
A_pm_role,
00652 &attr_val,
00653
TRUE)))
00654 {
00655 printk(KERN_WARNING
00656
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
00657 error);
00658
return(-
RSBAC_EREADFAILED);
00659 }
00660
00661
if(attr_val.
pm_role !=
PR_data_protection_officer)
00662 {
00663
00664
rsbac_pm_remove_target(PMT_TKT,pm_tid);
00665
return(-
RSBAC_EPERM);
00666 }
00667
00668
00669
00670
rsbac_pm_remove_target(PMT_TKT,pm_tid);
00671
00672
00673 pm_tid.na.task = param.
add_na.
task;
00674 pm_tid.na.object_class = param.
add_na.
object_class;
00675 pm_tid.na.tp = param.
add_na.
tp;
00676 error =
rsbac_pm_get_data(PMT_NA,
00677 pm_tid,
00678 PD_accesses,
00679 &data_val);
00680
switch(error)
00681 {
00682
case 0:
00683 data_val.accesses = param.
add_na.
accesses;
00684
rsbac_pm_set_data(PMT_NA,
00685 pm_tid,
00686 PD_accesses,
00687 data_val);
00688
return(0);
00689
00690
00691
case -
RSBAC_EINVALIDTARGET:
00692
case -
RSBAC_ENOTFOUND:
00693 all_data.na.task = param.
add_na.
task;
00694 all_data.na.object_class = param.
add_na.
object_class;
00695 all_data.na.tp = param.
add_na.
tp;
00696 all_data.na.accesses = param.
add_na.
accesses;
00697
if((error =
rsbac_pm_add_target(PMT_NA,
00698 all_data)))
00699 {
00700 printk(KERN_WARNING
00701
"rsbac_pm(): rsbac_pm_add_target() for NA returned error %i",
00702 error);
00703
return(error);
00704 }
00705
return(0);
00706
00707
default:
00708 printk(KERN_WARNING
00709
"rsbac_pm(): rsbac_pm_get_data() for NA/accesses returned error %i",
00710 error);
00711
return(-
RSBAC_EREADFAILED);
00712 }
00713
00714
case PF_delete_na:
00715
if(role !=
PR_security_officer)
00716
return(-
RSBAC_EPERM);
00717
00718
00719 pm_tid.tkt = tkt;
00720
if((error =
rsbac_pm_get_all_data(PMT_TKT,
00721 pm_tid,
00722 &all_data)))
00723 {
00724
if( (error != -
RSBAC_EINVALIDTARGET)
00725 && (error != -
RSBAC_ENOTFOUND)
00726 )
00727 printk(KERN_WARNING
00728
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
00729 error);
00730
return(-
RSBAC_EPERM);
00731 }
00732
00733
if( (all_data.tkt.function_type !=
PTF_delete_na)
00734 || (all_data.tkt.function_param.delete_na.task
00735 != param.
delete_na.
task)
00736 || (all_data.tkt.function_param.delete_na.object_class
00737 != param.
delete_na.
object_class)
00738 || (all_data.tkt.function_param.delete_na.tp
00739 != param.
delete_na.
tp)
00740 || (all_data.tkt.function_param.delete_na.accesses
00741 != param.
delete_na.
accesses) )
00742
return(-
RSBAC_EPERM);
00743
00744
00745 tid.
user = all_data.tkt.issuer;
00746
if((error =
rsbac_get_attr(
PM,
T_USER,
00747 tid,
00748
A_pm_role,
00749 &attr_val,
00750
TRUE)))
00751 {
00752 printk(KERN_WARNING
00753
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
00754 error);
00755
return(-
RSBAC_EREADFAILED);
00756 }
00757
00758
if(attr_val.
pm_role !=
PR_data_protection_officer)
00759 {
00760
00761
rsbac_pm_remove_target(PMT_TKT,pm_tid);
00762
return(-
RSBAC_EPERM);
00763 }
00764
00765
00766
00767
rsbac_pm_remove_target(PMT_TKT,pm_tid);
00768
00769 pm_tid.na.task = param.
delete_na.
task;
00770 pm_tid.na.object_class = param.
delete_na.
object_class;
00771 pm_tid.na.tp = param.
delete_na.
tp;
00772
return(
rsbac_pm_remove_target(PMT_NA,
00773 pm_tid));
00774
00775
case PF_add_task:
00776
00777
if(!param.
add_task.
id)
00778
return(-
RSBAC_EINVALIDVALUE);
00779
00780
if(!param.
add_task.
purpose)
00781
return(-
RSBAC_EINVALIDVALUE);
00782
00783
if(role !=
PR_security_officer)
00784
return(-
RSBAC_EPERM);
00785
00786 pm_tid.tkt = tkt;
00787
if((error =
rsbac_pm_get_all_data(PMT_TKT,
00788 pm_tid,
00789 &all_data)))
00790 {
00791
if( (error != -
RSBAC_EINVALIDTARGET)
00792 && (error != -
RSBAC_ENOTFOUND)
00793 )
00794 printk(KERN_WARNING
00795
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
00796 error);
00797
return(-
RSBAC_EPERM);
00798 }
00799
00800
if( (all_data.tkt.function_type !=
PTF_add_task)
00801 || (all_data.tkt.function_param.add_task.id
00802 != param.
add_task.
id)
00803 || (all_data.tkt.function_param.add_task.purpose
00804 != param.
add_task.
purpose) )
00805
return(-
RSBAC_EPERM);
00806
00807
00808 pm_tid2.pp = param.
add_task.
purpose;
00809
if(!
rsbac_pm_exists(PMT_PP,
00810 pm_tid2))
00811
return(-
RSBAC_EINVALIDVALUE);
00812
00813
00814 tid.
user = all_data.tkt.issuer;
00815
if((error =
rsbac_get_attr(
PM,
T_USER,
00816 tid,
00817
A_pm_role,
00818 &attr_val,
00819
TRUE)))
00820 {
00821 printk(KERN_WARNING
00822
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
00823 error);
00824
return(-
RSBAC_EREADFAILED);
00825 }
00826
00827
if(attr_val.
pm_role !=
PR_data_protection_officer)
00828 {
00829
00830
rsbac_pm_remove_target(PMT_TKT,pm_tid);
00831
return(-
RSBAC_EPERM);
00832 }
00833
00834
00835
00836
rsbac_pm_remove_target(PMT_TKT,pm_tid);
00837
00838
00839 all_data.task.id = param.
add_task.
id;
00840 all_data.task.purpose = param.
add_task.
purpose;
00841 all_data.task.tp_set = 0;
00842 all_data.task.ru_set = 0;
00843
return(
rsbac_pm_add_target(PMT_TASK,
00844 all_data));
00845
00846
case PF_delete_task:
00847
00848
if(!param.
add_task.
id)
00849
return(-
RSBAC_EINVALIDVALUE);
00850
if(role !=
PR_security_officer)
00851
return(-
RSBAC_EPERM);
00852
00853 pm_tid.tkt = tkt;
00854
if((error =
rsbac_pm_get_all_data(PMT_TKT,
00855 pm_tid,
00856 &all_data)))
00857 {
00858
if( (error != -
RSBAC_EINVALIDTARGET)
00859 && (error != -
RSBAC_ENOTFOUND)
00860 )
00861 printk(KERN_WARNING
00862
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
00863 error);
00864
return(-
RSBAC_EPERM);
00865 }
00866
00867
if( (all_data.tkt.function_type !=
PTF_delete_task)
00868 || (all_data.tkt.function_param.delete_task.id
00869 != param.
delete_task.
id) )
00870
return(-
RSBAC_EPERM);
00871
00872
00873 tid.
user = all_data.tkt.issuer;
00874
if((error =
rsbac_get_attr(
PM,
T_USER,
00875 tid,
00876
A_pm_role,
00877 &attr_val,
00878
TRUE)))
00879 {
00880 printk(KERN_WARNING
00881
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
00882 error);
00883
return(-
RSBAC_EREADFAILED);
00884 }
00885
00886
if(attr_val.
pm_role !=
PR_data_protection_officer)
00887 {
00888
00889
rsbac_pm_remove_target(PMT_TKT,pm_tid);
00890
return(-
RSBAC_EPERM);
00891 }
00892
00893
00894
00895
rsbac_pm_remove_target(PMT_TKT,pm_tid);
00896
00897
00898 pm_tid.task = param.
delete_task.
id;
00899
return(
rsbac_pm_remove_target(PMT_TASK,
00900 pm_tid));
00901
00902
case PF_add_object_class:
00903
00904
if( !param.
add_object_class.
id
00905 || (param.
add_object_class.
id ==
RSBAC_PM_IPC_OBJECT_CLASS_ID)
00906 || (param.
add_object_class.
id ==
RSBAC_PM_DEV_OBJECT_CLASS_ID))
00907 {
00908 printk(KERN_DEBUG
00909
"rsbac_pm(): add_object_class: reserved class-id 0, %u or %u requested!\n",
00910
RSBAC_PM_IPC_OBJECT_CLASS_ID,
00911
RSBAC_PM_DEV_OBJECT_CLASS_ID);
00912
return(-
RSBAC_EINVALIDVALUE);
00913 }
00914
if(role !=
PR_security_officer)
00915
return(-
RSBAC_EPERM);
00916
00917 pm_tid.tkt = tkt;
00918
if((error =
rsbac_pm_get_all_data(PMT_TKT,
00919 pm_tid,
00920 &all_data)))
00921 {
00922
if( (error != -
RSBAC_EINVALIDTARGET)
00923 && (error != -
RSBAC_ENOTFOUND)
00924 )
00925 printk(KERN_WARNING
00926
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
00927 error);
00928
return(-
RSBAC_EPERM);
00929 }
00930
00931
if( (all_data.tkt.function_type !=
PTF_add_object_class)
00932 || (all_data.tkt.function_param.tkt_add_object_class.id
00933 != param.
add_object_class.
id) )
00934
return(-
RSBAC_EPERM);
00935
00936 tid.
user = all_data.tkt.issuer;
00937
if((error =
rsbac_get_attr(
PM,
T_USER,
00938 tid,
00939
A_pm_role,
00940 &attr_val,
00941
TRUE)))
00942 {
00943 printk(KERN_WARNING
00944
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
00945 error);
00946
return(-
RSBAC_EREADFAILED);
00947 }
00948
00949
if(attr_val.
pm_role !=
PR_data_protection_officer)
00950 {
00951
00952
rsbac_pm_remove_target(PMT_TKT,pm_tid);
00953
return(-
RSBAC_EPERM);
00954 }
00955
00956
00957
if(param.
add_object_class.
pp_list_p)
00958 {
00959
if(!all_data.tkt.function_param.tkt_add_object_class.pp_set)
00960 {
00961 printk(KERN_DEBUG
00962
"rsbac_pm(): add_object_class: no purpose in tkt\n");
00963
return(-
RSBAC_EINVALIDVALUE);
00964 }
00965 pm_set_id.pp_set = all_data.tkt.function_param.tkt_add_object_class.pp_set;
00966 rsbac_get_user((u_char *) &pp_set,
00967 (u_char *) param.
add_object_class.
pp_list_p,
00968
sizeof(pp_set));
00969 pm_set_member.pp = pp_set.id;
00970
if(!
rsbac_pm_set_member(PS_PP,pm_set_id,pm_set_member))
00971 {
00972 printk(KERN_DEBUG
00973
"rsbac_pm(): add_object_class: first purpose-id %i not in tkt-set\n",
00974 pp_set.id);
00975
return(-
RSBAC_EINVALIDVALUE);
00976 }
00977
00978
while(pp_set.next)
00979 {
00980 rsbac_get_user((u_char *) &pp_set,
00981 (u_char *) pp_set.next,
00982
sizeof(pp_set));
00983 pm_set_member.pp = pp_set.id;
00984
if(!
rsbac_pm_set_member(PS_PP,pm_set_id,pm_set_member))
00985 {
00986 printk(KERN_DEBUG
00987
"rsbac_pm(): add_object_class: purpose-id %i not in tkt-set\n",
00988 pp_set.id);
00989
return(-
RSBAC_EINVALIDVALUE);
00990 }
00991 }
00992 }
00993
00994
00995
00996
00997
rsbac_pm_remove_target(PMT_TKT,pm_tid);
00998
00999
01000 pm_tid.object_class = param.
add_object_class.
id;
01001 class_exists =
rsbac_pm_exists(PMT_CLASS, pm_tid);
01002
if(!class_exists)
01003 {
01004
01005 all_data.object_class.id = param.
add_object_class.
id;
01006 all_data.object_class.pp_set = 0;
01007
if((error =
rsbac_pm_add_target(PMT_CLASS,
01008 all_data)))
01009
return(error);
01010 }
01011
01012
01013
if(param.
add_object_class.
pp_list_p)
01014 {
01015 pm_set_id.pp_set = param.
add_object_class.
id;
01016
if(!class_exists)
01017 {
01018
if(
rsbac_pm_create_set(PS_PP,pm_set_id))
01019
return(-
RSBAC_EWRITEFAILED);
01020 }
01021
else
01022 {
01023
if(
rsbac_pm_clear_set(PS_PP,pm_set_id))
01024
return(-
RSBAC_EWRITEFAILED);
01025 }
01026
01027 rsbac_get_user((u_char *) &pp_set,
01028 (u_char *) param.
add_object_class.
pp_list_p,
01029
sizeof(pp_set));
01030 pm_set_member.pp = pp_set.id;
01031
if(
rsbac_pm_add_to_set(PS_PP,pm_set_id,pm_set_member))
01032 {
01033 printk(KERN_DEBUG
01034
"rsbac_pm(): add_object_class: could not add first purpose-id %i to pp_set\n",
01035 pp_set.id);
01036
return(-
RSBAC_EWRITEFAILED);
01037 }
01038
01039
while(pp_set.next)
01040 {
01041 rsbac_get_user((u_char *) &pp_set,
01042 (u_char *) pp_set.next,
01043
sizeof(pp_set));
01044 pm_set_member.pp = pp_set.id;
01045
if(
rsbac_pm_add_to_set(PS_PP,pm_set_id,pm_set_member))
01046 {
01047 printk(KERN_DEBUG
01048
"rsbac_pm(): add_object_class: could not add purpose-id %i to pp_set\n",
01049 pp_set.id);
01050
return(-
RSBAC_EWRITEFAILED);
01051 }
01052 }
01053
01054 pm_tid.object_class = param.
add_object_class.
id;
01055 data_val.pp_set = param.
add_object_class.
id;
01056
if((error =
rsbac_pm_set_data(PMT_CLASS,
01057 pm_tid,
01058 PD_pp_set,
01059 data_val)))
01060 {
01061 printk(KERN_DEBUG
01062
"rsbac_pm(): add_object_class: could not set pp_set_id for class\n");
01063
return(-
RSBAC_EWRITEFAILED);
01064 }
01065 }
01066
01067
return(0);
01068
01069
case PF_delete_object_class:
01070
01071
if( !param.
delete_object_class.
id
01072 || (param.
delete_object_class.
id ==
RSBAC_PM_IPC_OBJECT_CLASS_ID)
01073 || (param.
delete_object_class.
id ==
RSBAC_PM_DEV_OBJECT_CLASS_ID))
01074
return(-
RSBAC_EINVALIDVALUE);
01075
if(role !=
PR_security_officer)
01076
return(-
RSBAC_EPERM);
01077
01078 pm_tid.tkt = tkt;
01079
if((error =
rsbac_pm_get_all_data(PMT_TKT,
01080 pm_tid,
01081 &all_data)))
01082 {
01083
if( (error != -
RSBAC_EINVALIDTARGET)
01084 && (error != -
RSBAC_ENOTFOUND)
01085 )
01086 printk(KERN_WARNING
01087
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
01088 error);
01089
return(-
RSBAC_EPERM);
01090 }
01091
01092
if( (all_data.tkt.function_type !=
PTF_delete_object_class)
01093 || (all_data.tkt.function_param.delete_object_class.id
01094 != param.
delete_object_class.
id) )
01095
return(-
RSBAC_EPERM);
01096
01097 tid.
user = all_data.tkt.issuer;
01098
if((error =
rsbac_get_attr(
PM,
T_USER,
01099 tid,
01100
A_pm_role,
01101 &attr_val,
01102
TRUE)))
01103 {
01104 printk(KERN_WARNING
01105
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
01106 error);
01107
return(-
RSBAC_EREADFAILED);
01108 }
01109
01110
if(attr_val.
pm_role !=
PR_data_protection_officer)
01111 {
01112
01113
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01114
return(-
RSBAC_EPERM);
01115 }
01116
01117
01118
01119
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01120
01121
01122 pm_tid.object_class = param.
delete_object_class.
id;
01123
return(
rsbac_pm_remove_target(PMT_CLASS,
01124 pm_tid));
01125
01126
case PF_add_authorized_tp:
01127
01128
if(!param.
add_authorized_tp.
task || !param.
add_authorized_tp.
tp)
01129
return(-
RSBAC_EINVALIDVALUE);
01130
if(role !=
PR_security_officer)
01131
return(-
RSBAC_EPERM);
01132
01133
01134 pm_tid.tkt = tkt;
01135
if((error =
rsbac_pm_get_all_data(PMT_TKT,
01136 pm_tid,
01137 &all_data)))
01138 {
01139
if( (error != -
RSBAC_EINVALIDTARGET)
01140 && (error != -
RSBAC_ENOTFOUND)
01141 )
01142 printk(KERN_WARNING
01143
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
01144 error);
01145
return(-
RSBAC_EPERM);
01146 }
01147
01148
if( (all_data.tkt.function_type !=
PTF_add_authorized_tp)
01149 || (all_data.tkt.function_param.add_authorized_tp.task
01150 != param.
add_authorized_tp.
task)
01151 || (all_data.tkt.function_param.add_authorized_tp.tp
01152 != param.
add_authorized_tp.
tp) )
01153
return(-
RSBAC_EPERM);
01154
01155
01156 pm_tid2.task = param.
add_authorized_tp.
task;
01157
if(!
rsbac_pm_exists(PMT_TASK,
01158 pm_tid2))
01159
return(-
RSBAC_EINVALIDVALUE);
01160
01161 pm_tid2.tp = param.
add_authorized_tp.
tp;
01162
if(!
rsbac_pm_exists(PMT_TP,
01163 pm_tid2))
01164
return(-
RSBAC_EINVALIDVALUE);
01165
01166
01167 tid.
user = all_data.tkt.issuer;
01168
if((error =
rsbac_get_attr(
PM,
T_USER,
01169 tid,
01170
A_pm_role,
01171 &attr_val,
01172
TRUE)))
01173 {
01174 printk(KERN_WARNING
01175
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
01176 error);
01177
return(-
RSBAC_EREADFAILED);
01178 }
01179
01180
if(attr_val.
pm_role !=
PR_data_protection_officer)
01181 {
01182
01183
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01184
return(-
RSBAC_EPERM);
01185 }
01186
01187
01188
01189
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01190
01191
01192
01193 pm_tid.task = param.
add_authorized_tp.
task;
01194
if((error =
rsbac_pm_get_data(PMT_TASK,
01195 pm_tid,
01196 PD_tp_set,
01197 &data_val)))
01198
return(-
RSBAC_EREADFAILED);
01199
01200
if(!data_val.tp_set)
01201 {
01202 pm_set_id.tp_set = param.
add_authorized_tp.
task;
01203
if((error =
rsbac_pm_create_set(PS_TP,
01204 pm_set_id)))
01205
return(error);
01206 data_val.tp_set = param.
add_authorized_tp.
task;
01207
if((error =
rsbac_pm_set_data(PMT_TASK,
01208 pm_tid,
01209 PD_tp_set,
01210 data_val)))
01211
return(-
RSBAC_EWRITEFAILED);
01212 }
01213
01214
01215 pm_set_id.tp_set = data_val.tp_set;
01216 pm_set_member.tp = param.
add_authorized_tp.
tp;
01217
if(
rsbac_pm_add_to_set(PS_TP,pm_set_id,pm_set_member))
01218
return(-
RSBAC_EWRITEFAILED);
01219
else
01220
01221
return(0);
01222
01223
case PF_delete_authorized_tp:
01224
01225
if(!param.
delete_authorized_tp.
task || !param.
delete_authorized_tp.
tp)
01226
return(-
RSBAC_EINVALIDVALUE);
01227
if(role !=
PR_security_officer)
01228
return(-
RSBAC_EPERM);
01229
01230
01231 pm_tid.tkt = tkt;
01232
if((error =
rsbac_pm_get_all_data(PMT_TKT,
01233 pm_tid,
01234 &all_data)))
01235 {
01236
if( (error != -
RSBAC_EINVALIDTARGET)
01237 && (error != -
RSBAC_ENOTFOUND)
01238 )
01239 printk(KERN_WARNING
01240
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
01241 error);
01242
return(-
RSBAC_EPERM);
01243 }
01244
01245
if( (all_data.tkt.function_type !=
PTF_delete_authorized_tp)
01246 || (all_data.tkt.function_param.delete_authorized_tp.task
01247 != param.
delete_authorized_tp.
task)
01248 || (all_data.tkt.function_param.delete_authorized_tp.tp
01249 != param.
delete_authorized_tp.
tp) )
01250
return(-
RSBAC_EPERM);
01251
01252
01253 tid.
user = all_data.tkt.issuer;
01254
if((error =
rsbac_get_attr(
PM,
T_USER,
01255 tid,
01256
A_pm_role,
01257 &attr_val,
01258
TRUE)))
01259 {
01260 printk(KERN_WARNING
01261
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
01262 error);
01263
return(-
RSBAC_EREADFAILED);
01264 }
01265
01266
if(attr_val.
pm_role !=
PR_data_protection_officer)
01267 {
01268
01269
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01270
return(-
RSBAC_EPERM);
01271 }
01272
01273
01274
01275
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01276
01277
01278
01279 pm_tid.task = param.
delete_authorized_tp.
task;
01280
if((error =
rsbac_pm_get_data(PMT_TASK,
01281 pm_tid,
01282 PD_tp_set,
01283 &data_val)))
01284
return(-
RSBAC_EREADFAILED);
01285
01286
if(!data_val.tp_set)
01287
return(-
RSBAC_EINVALIDVALUE);
01288
01289
01290 pm_set_id.tp_set = data_val.tp_set;
01291 pm_set_member.tp = param.
delete_authorized_tp.
tp;
01292
if(
rsbac_pm_remove_from_set(PS_TP,pm_set_id,pm_set_member))
01293
return(-
RSBAC_EWRITEFAILED);
01294
else
01295
01296
return(0);
01297
01298
case PF_add_consent:
01299
01300
if(!param.
add_consent.
purpose)
01301
return(-
RSBAC_EINVALIDVALUE);
01302
if(role !=
PR_security_officer)
01303
return(-
RSBAC_EPERM);
01304
01305
01306 pm_tid.tkt = tkt;
01307
if((error =
rsbac_pm_get_all_data(PMT_TKT,
01308 pm_tid,
01309 &all_data)))
01310 {
01311
if( (error != -
RSBAC_EINVALIDTARGET)
01312 && (error != -
RSBAC_ENOTFOUND)
01313 )
01314 printk(KERN_WARNING
01315
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
01316 error);
01317
return(-
RSBAC_EPERM);
01318 }
01319
01320
if ((error =
pm_get_file(param.
add_consent.
filename, &target, &tid)) < 0)
01321 {
01322
#ifdef CONFIG_RSBAC_DEBUG
01323
if (rsbac_debug_aef_pm)
01324 printk(KERN_DEBUG
01325
"rsbac_pm(): call to pm_get_file() returned error %i\n",
01326 error);
01327
#endif
01328
return(-
RSBAC_EINVALIDTARGET);
01329 }
01330
01331
if(target !=
T_FILE)
01332
return(-
RSBAC_EINVALIDTARGET);
01333
01334
if( (all_data.tkt.function_type !=
PTF_add_consent)
01335 || (RSBAC_MAJOR(all_data.tkt.function_param.tkt_add_consent.file.device)
01336 != RSBAC_MAJOR(tid.file.device))
01337 || (RSBAC_MINOR(all_data.tkt.function_param.tkt_add_consent.file.device)
01338 != RSBAC_MINOR(tid.file.device))
01339 || (all_data.tkt.function_param.tkt_add_consent.file.inode
01340 != tid.file.inode)
01341 || (all_data.tkt.function_param.tkt_add_consent.purpose
01342 != param.
add_consent.
purpose) )
01343
return(-
RSBAC_EPERM);
01344 file = tid.file;
01345
01346 pm_tid2.pp = param.
add_consent.
purpose;
01347
if(!
rsbac_pm_exists(PMT_PP,
01348 pm_tid2))
01349
return(-
RSBAC_EINVALIDVALUE);
01350
01351
01352 tid.
user = all_data.tkt.issuer;
01353
if((error =
rsbac_get_attr(
PM,
T_USER,
01354 tid,
01355
A_pm_role,
01356 &attr_val,
01357
TRUE)))
01358 {
01359 printk(KERN_WARNING
01360
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
01361 error);
01362
return(-
RSBAC_EREADFAILED);
01363 }
01364
01365
if(attr_val.
pm_role !=
PR_data_protection_officer)
01366 {
01367
01368
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01369
return(-
RSBAC_EPERM);
01370 }
01371
01372
01373
01374
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01375
01376
01377 pm_tid.cs.file = file;
01378 pm_tid.cs.purpose = param.
add_consent.
purpose;
01379
if(
rsbac_pm_exists(PMT_CS,
01380 pm_tid))
01381
return(-
RSBAC_EEXISTS);
01382
01383 all_data.cs.file = file;
01384 all_data.cs.purpose = param.
add_consent.
purpose;
01385
return(
rsbac_pm_add_target(PMT_CS,all_data));
01386
01387
case PF_delete_consent:
01388
01389
if(!param.
delete_consent.
purpose)
01390
return(-
RSBAC_EINVALIDVALUE);
01391
if(role !=
PR_security_officer)
01392
return(-
RSBAC_EPERM);
01393
01394
01395 pm_tid.tkt = tkt;
01396
if((error =
rsbac_pm_get_all_data(PMT_TKT,
01397 pm_tid,
01398 &all_data)))
01399 {
01400
if( (error != -
RSBAC_EINVALIDTARGET)
01401 && (error != -
RSBAC_ENOTFOUND)
01402 )
01403 printk(KERN_WARNING
01404
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
01405 error);
01406
return(-
RSBAC_EPERM);
01407 }
01408
01409
if ((error =
pm_get_file(param.
add_consent.
filename, &target, &tid)) < 0)
01410 {
01411
#ifdef CONFIG_RSBAC_DEBUG
01412
if (rsbac_debug_aef_pm)
01413 printk(KERN_DEBUG
01414
"rsbac_pm(): call to pm_get_file() returned error %i\n",
01415 error);
01416
#endif
01417
return(-
RSBAC_EINVALIDTARGET);
01418 }
01419
01420
if(target !=
T_FILE)
01421
return(-
RSBAC_EINVALIDTARGET);
01422 file=tid.file;
01423
01424
if( (all_data.tkt.function_type !=
PTF_delete_consent)
01425 || (RSBAC_MAJOR(all_data.tkt.function_param.tkt_delete_consent.file.device)
01426 != RSBAC_MAJOR(file.device))
01427 || (RSBAC_MINOR(all_data.tkt.function_param.tkt_delete_consent.file.device)
01428 != RSBAC_MINOR(file.device))
01429 || (all_data.tkt.function_param.tkt_delete_consent.file.inode
01430 != file.inode)
01431 || (all_data.tkt.function_param.tkt_delete_consent.purpose
01432 != param.
delete_consent.
purpose) )
01433
return(-
RSBAC_EPERM);
01434
01435
01436 tid.
user = all_data.tkt.issuer;
01437
if((error =
rsbac_get_attr(
PM,
T_USER,
01438 tid,
01439
A_pm_role,
01440 &attr_val,
01441
TRUE)))
01442 {
01443 printk(KERN_WARNING
01444
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
01445 error);
01446
return(-
RSBAC_EREADFAILED);
01447 }
01448
01449
if(attr_val.
pm_role !=
PR_data_protection_officer)
01450 {
01451
01452
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01453
return(-
RSBAC_EPERM);
01454 }
01455
01456
01457
01458
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01459
01460
01461 pm_tid.cs.file = file;
01462 pm_tid.cs.purpose = param.
delete_consent.
purpose;
01463
return(
rsbac_pm_remove_target(PMT_CS,
01464 pm_tid));
01465
01466
case PF_add_purpose:
01467
01468
if( !param.
add_purpose.
id
01469 || !param.
add_purpose.
def_class
01470 || (param.
add_purpose.
def_class
01471 ==
RSBAC_PM_IPC_OBJECT_CLASS_ID)
01472 || (param.
add_purpose.
def_class
01473 ==
RSBAC_PM_DEV_OBJECT_CLASS_ID) )
01474
return(-
RSBAC_EINVALIDVALUE);
01475
if(role !=
PR_security_officer)
01476
return(-
RSBAC_EPERM);
01477
01478
01479 pm_tid.tkt = tkt;
01480
if((error =
rsbac_pm_get_all_data(PMT_TKT,
01481 pm_tid,
01482 &all_data)))
01483 {
01484
if( (error != -
RSBAC_EINVALIDTARGET)
01485 && (error != -
RSBAC_ENOTFOUND)
01486 )
01487 printk(KERN_WARNING
01488
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
01489 error);
01490
return(-
RSBAC_EPERM);
01491 }
01492
01493
if( (all_data.tkt.function_type !=
PTF_add_purpose)
01494 || (all_data.tkt.function_param.add_purpose.id
01495 != param.
add_purpose.
id)
01496 || (all_data.tkt.function_param.add_purpose.def_class
01497 != param.
add_purpose.
def_class) )
01498
return(-
RSBAC_EPERM);
01499
01500
01501 tid.
user = all_data.tkt.issuer;
01502
if((error =
rsbac_get_attr(
PM,
T_USER,
01503 tid,
01504
A_pm_role,
01505 &attr_val,
01506
TRUE)))
01507 {
01508 printk(KERN_WARNING
01509
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
01510 error);
01511
return(-
RSBAC_EREADFAILED);
01512 }
01513
01514
if(attr_val.
pm_role !=
PR_data_protection_officer)
01515 {
01516
01517
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01518
return(-
RSBAC_EPERM);
01519 }
01520
01521
01522
01523
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01524
01525
01526 pm_tid.object_class = param.
add_purpose.
def_class;
01527
if(!
rsbac_pm_exists(PMT_CLASS,
01528 pm_tid))
01529 {
01530
01531 all_data.object_class.id = param.
add_purpose.
def_class;
01532 all_data.object_class.pp_set = 0;
01533
if((error =
rsbac_pm_add_target(PMT_CLASS,
01534 all_data)))
01535
return(error);
01536 }
01537
01538
01539 all_data.pp.id = param.
add_purpose.
id;
01540 all_data.pp.def_class = param.
add_purpose.
def_class;
01541
if((error =
rsbac_pm_add_target(PMT_PP,
01542 all_data)))
01543
return(error);
01544
01545
01546
01547 pm_tid.object_class = param.
add_purpose.
def_class;
01548
if((error =
rsbac_pm_get_data(PMT_CLASS,
01549 pm_tid,
01550 PD_pp_set,
01551 &data_val)))
01552
return(-
RSBAC_EREADFAILED);
01553
01554
if(!data_val.pp_set)
01555 {
01556 pm_set_id.pp_set = param.
add_purpose.
def_class;
01557
if(
rsbac_pm_create_set(PS_PP,pm_set_id))
01558
return(-
RSBAC_EWRITEFAILED);
01559 data_val.pp_set = param.
add_purpose.
def_class;
01560
if((error =
rsbac_pm_set_data(PMT_CLASS,
01561 pm_tid,
01562 PD_pp_set,
01563 data_val)))
01564
return(-
RSBAC_EWRITEFAILED);
01565 }
01566
01567 pm_set_id.pp_set = data_val.pp_set;
01568 pm_set_member.pp = param.
add_purpose.
id;
01569
if(
rsbac_pm_add_to_set(PS_PP,pm_set_id,pm_set_member))
01570
return(-
RSBAC_EWRITEFAILED);
01571
else
01572
01573
return(0);
01574
01575
case PF_delete_purpose:
01576
01577
if(!param.
delete_purpose.
id)
01578
return(-
RSBAC_EINVALIDVALUE);
01579
if(role !=
PR_security_officer)
01580
return(-
RSBAC_EPERM);
01581
01582
01583 pm_tid.tkt = tkt;
01584
if((error =
rsbac_pm_get_all_data(PMT_TKT,
01585 pm_tid,
01586 &all_data)))
01587 {
01588
if( (error != -
RSBAC_EINVALIDTARGET)
01589 && (error != -
RSBAC_ENOTFOUND)
01590 )
01591 printk(KERN_WARNING
01592
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
01593 error);
01594
return(-
RSBAC_EPERM);
01595 }
01596
01597
if( (all_data.tkt.function_type !=
PTF_delete_purpose)
01598 || (all_data.tkt.function_param.delete_purpose.id
01599 != param.
delete_purpose.
id) )
01600
return(-
RSBAC_EPERM);
01601
01602
01603 tid.
user = all_data.tkt.issuer;
01604
if((error =
rsbac_get_attr(
PM,
T_USER,
01605 tid,
01606
A_pm_role,
01607 &attr_val,
01608
TRUE)))
01609 {
01610 printk(KERN_WARNING
01611
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
01612 error);
01613
return(-
RSBAC_EREADFAILED);
01614 }
01615
01616
if(attr_val.
pm_role !=
PR_data_protection_officer)
01617 {
01618
01619
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01620
return(-
RSBAC_EPERM);
01621 }
01622
01623
01624
01625
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01626
01627
01628 pm_tid.pp = param.
delete_purpose.
id;
01629
return(
rsbac_pm_remove_target(PMT_PP,
01630 pm_tid));
01631
01632
case PF_add_responsible_user:
01633
01634
if(!param.
add_responsible_user.
task)
01635
return(-
RSBAC_EINVALIDVALUE);
01636
if(role !=
PR_security_officer)
01637
return(-
RSBAC_EPERM);
01638
01639
01640 pm_tid.tkt = tkt;
01641
if((error =
rsbac_pm_get_all_data(PMT_TKT,
01642 pm_tid,
01643 &all_data)))
01644 {
01645
if( (error != -
RSBAC_EINVALIDTARGET)
01646 && (error != -
RSBAC_ENOTFOUND)
01647 )
01648 printk(KERN_WARNING
01649
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
01650 error);
01651
return(-
RSBAC_EPERM);
01652 }
01653
01654
if( (all_data.tkt.function_type !=
PTF_add_responsible_user)
01655 || (all_data.tkt.function_param.add_responsible_user.user
01656 != param.
add_responsible_user.
user)
01657 || (all_data.tkt.function_param.add_responsible_user.task
01658 != param.
add_responsible_user.
task) )
01659
return(-
RSBAC_EPERM);
01660
01661
01662 pm_tid2.task = param.
add_responsible_user.
task;
01663
if(!
rsbac_pm_exists(PMT_TASK,
01664 pm_tid2))
01665
return(-
RSBAC_EINVALIDVALUE);
01666
01667
01668 tid.
user = all_data.tkt.issuer;
01669
if((error =
rsbac_get_attr(
PM,
T_USER,
01670 tid,
01671
A_pm_role,
01672 &attr_val,
01673
TRUE)))
01674 {
01675 printk(KERN_WARNING
01676
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
01677 error);
01678
return(-
RSBAC_EREADFAILED);
01679 }
01680
01681
if(attr_val.
pm_role !=
PR_data_protection_officer)
01682 {
01683
01684
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01685
return(-
RSBAC_EPERM);
01686 }
01687
01688
01689
01690
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01691
01692
01693
01694
01695 pm_tid.task = param.
add_responsible_user.
task;
01696
if((error =
rsbac_pm_get_data(PMT_TASK,
01697 pm_tid,
01698 PD_ru_set,
01699 &data_val)))
01700
return(-
RSBAC_EREADFAILED);
01701
01702
if(!data_val.ru_set)
01703 {
01704 pm_set_id.ru_set = param.
add_responsible_user.
task;
01705
if((error =
rsbac_pm_create_set(PS_RU,
01706 pm_set_id)))
01707
return(error);
01708 data_val.ru_set = param.
add_responsible_user.
task;
01709
if((error =
rsbac_pm_set_data(PMT_TASK,
01710 pm_tid,
01711 PD_ru_set,
01712 data_val)))
01713
return(-
RSBAC_EWRITEFAILED);
01714 }
01715
01716
01717 pm_set_id.ru_set = data_val.ru_set;
01718 pm_set_member.ru = param.
add_responsible_user.
user;
01719
if(
rsbac_pm_add_to_set(PS_RU,pm_set_id,pm_set_member))
01720
return(-
RSBAC_EWRITEFAILED);
01721
else
01722
01723
return(0);
01724
01725
case PF_delete_responsible_user:
01726
01727
if(!param.
delete_responsible_user.
task)
01728
return(-
RSBAC_EINVALIDVALUE);
01729
if(role !=
PR_security_officer)
01730
return(-
RSBAC_EPERM);
01731
01732
01733 pm_tid.tkt = tkt;
01734
if((error =
rsbac_pm_get_all_data(PMT_TKT,
01735 pm_tid,
01736 &all_data)))
01737 {
01738
if( (error != -
RSBAC_EINVALIDTARGET)
01739 && (error != -
RSBAC_ENOTFOUND)
01740 )
01741 printk(KERN_WARNING
01742
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
01743 error);
01744
return(-
RSBAC_EPERM);
01745 }
01746
01747
if( (all_data.tkt.function_type !=
PTF_delete_responsible_user)
01748 || (all_data.tkt.function_param.delete_responsible_user.user
01749 != param.
delete_responsible_user.
user)
01750 || (all_data.tkt.function_param.delete_responsible_user.task
01751 != param.
delete_responsible_user.
task) )
01752
return(-
RSBAC_EPERM);
01753
01754
01755 tid.
user = all_data.tkt.issuer;
01756
if((error =
rsbac_get_attr(
PM,
T_USER,
01757 tid,
01758
A_pm_role,
01759 &attr_val,
01760
TRUE)))
01761 {
01762 printk(KERN_WARNING
01763
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
01764 error);
01765
return(-
RSBAC_EREADFAILED);
01766 }
01767
01768
if(attr_val.
pm_role !=
PR_data_protection_officer)
01769 {
01770
01771
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01772
return(-
RSBAC_EPERM);
01773 }
01774
01775
01776
01777
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01778
01779
01780 pm_tid.task = param.
delete_responsible_user.
task;
01781
if((error =
rsbac_pm_get_data(PMT_TASK,
01782 pm_tid,
01783 PD_ru_set,
01784 &data_val)))
01785
return(-
RSBAC_EREADFAILED);
01786
01787
if(!data_val.ru_set)
01788
return(-
RSBAC_EINVALIDVALUE);
01789
01790
01791 pm_set_id.ru_set = data_val.ru_set;
01792 pm_set_member.ru = param.
delete_responsible_user.
user;
01793
if(
rsbac_pm_remove_from_set(PS_RU,pm_set_id,pm_set_member))
01794
return(-
RSBAC_EWRITEFAILED);
01795
else
01796
01797
return(0);
01798
01799
case PF_delete_user_aci:
01800
if(role !=
PR_security_officer)
01801
return(-
RSBAC_EPERM);
01802
01803
01804 pm_tid.tkt = tkt;
01805
if((error =
rsbac_pm_get_all_data(PMT_TKT,
01806 pm_tid,
01807 &all_data)))
01808 {
01809
if( (error != -
RSBAC_EINVALIDTARGET)
01810 && (error != -
RSBAC_ENOTFOUND)
01811 )
01812 printk(KERN_WARNING
01813
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
01814 error);
01815
return(-
RSBAC_EPERM);
01816 }
01817
01818
if( (all_data.tkt.function_type !=
PTF_delete_user_aci)
01819 || (all_data.tkt.function_param.delete_user_aci.id
01820 != param.
delete_user_aci.
id) )
01821
return(-
RSBAC_EPERM);
01822
01823
01824 tid.
user = all_data.tkt.issuer;
01825
if((error =
rsbac_get_attr(
PM,
T_USER,
01826 tid,
01827
A_pm_role,
01828 &attr_val,
01829
TRUE)))
01830 {
01831 printk(KERN_WARNING
01832
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
01833 error);
01834
return(-
RSBAC_EREADFAILED);
01835 }
01836
01837
if(attr_val.
pm_role !=
PR_data_protection_officer)
01838 {
01839
01840
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01841
return(-
RSBAC_EPERM);
01842 }
01843
01844
01845
01846
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01847 tid.
user = param.
delete_user_aci.
id;
01848
rsbac_remove_target(
T_USER,tid);
01849
return(0);
01850
01851
case PF_set_role:
01852
if(role !=
PR_security_officer)
01853
return(-
RSBAC_EPERM);
01854
01855
01856 pm_tid.tkt = tkt;
01857
if((error =
rsbac_pm_get_all_data(PMT_TKT,
01858 pm_tid,
01859 &all_data)))
01860 {
01861
if( (error != -
RSBAC_EINVALIDTARGET)
01862 && (error != -
RSBAC_ENOTFOUND)
01863 )
01864 printk(KERN_WARNING
01865
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
01866 error);
01867
return(-
RSBAC_EPERM);
01868 }
01869
01870
if( (all_data.tkt.function_type !=
PTF_set_role)
01871 || (all_data.tkt.function_param.set_role.user
01872 != param.
set_role.
user)
01873 || (all_data.tkt.function_param.set_role.role
01874 != param.
set_role.
role) )
01875
return(-
RSBAC_EPERM);
01876
01877
01878 tid.
user = all_data.tkt.issuer;
01879
if((error =
rsbac_get_attr(
PM,
T_USER,
01880 tid,
01881
A_pm_role,
01882 &attr_val,
01883
TRUE)))
01884 {
01885 printk(KERN_WARNING
01886
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
01887 error);
01888
return(-
RSBAC_EREADFAILED);
01889 }
01890
01891
if(attr_val.
pm_role !=
PR_data_protection_officer)
01892 {
01893
01894
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01895
return(-
RSBAC_EPERM);
01896 }
01897
01898
01899
01900
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01901
01902
01903 tid.
user = param.
set_role.
user;
01904 attr_val.
pm_role = param.
set_role.
role;
01905
return(
rsbac_set_attr(
PM,
T_USER,
01906 tid,
01907
A_pm_role,
01908 attr_val));
01909
01910
case PF_set_object_class:
01911
if(role !=
PR_security_officer)
01912
return(-
RSBAC_EPERM);
01913
01914
01915 pm_tid.tkt = tkt;
01916
if((error =
rsbac_pm_get_all_data(PMT_TKT,
01917 pm_tid,
01918 &all_data)))
01919 {
01920
if( (error != -
RSBAC_EINVALIDTARGET)
01921 && (error != -
RSBAC_ENOTFOUND)
01922 )
01923 printk(KERN_WARNING
01924
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
01925 error);
01926
return(-
RSBAC_EPERM);
01927 }
01928
01929
if ((error =
pm_get_file(param.
set_object_class.
filename, &target, &tid)) < 0)
01930 {
01931
#ifdef CONFIG_RSBAC_DEBUG
01932
if (rsbac_debug_aef_pm)
01933 printk(KERN_DEBUG
01934
"rsbac_pm(): call to pm_get_file() returned error %i\n",
01935 error);
01936
#endif
01937
return(-
RSBAC_EINVALIDTARGET);
01938 }
01939
01940
if( (target !=
T_FILE)
01941 && (target !=
T_FIFO)
01942 )
01943
return(-
RSBAC_EINVALIDTARGET);
01944 file=tid.file;
01945
01946
if( (all_data.tkt.function_type !=
PTF_set_object_class)
01947 || (RSBAC_MAJOR(all_data.tkt.function_param.tkt_set_object_class.file.device)
01948 != RSBAC_MAJOR(file.device))
01949 || (RSBAC_MINOR(all_data.tkt.function_param.tkt_set_object_class.file.device)
01950 != RSBAC_MINOR(file.device))
01951 || (all_data.tkt.function_param.tkt_set_object_class.file.inode
01952 != file.inode)
01953 || (all_data.tkt.function_param.tkt_set_object_class.object_class
01954 != param.
set_object_class.
object_class) )
01955
return(-
RSBAC_EPERM);
01956
01957
01958 tid.
user = all_data.tkt.issuer;
01959
if((error =
rsbac_get_attr(
PM,
T_USER,
01960 tid,
01961
A_pm_role,
01962 &attr_val,
01963
TRUE)))
01964 {
01965 printk(KERN_WARNING
01966
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
01967 error);
01968
return(-
RSBAC_EREADFAILED);
01969 }
01970
01971
if(attr_val.
pm_role !=
PR_data_protection_officer)
01972 {
01973
01974
rsbac_pm_remove_target(PMT_TKT,pm_tid);
01975
return(-
RSBAC_EPERM);
01976 }
01977
01978
01979 tid.file = file;
01980
if((error =
rsbac_get_attr(
PM,target,
01981 tid,
01982
A_pm_object_type,
01983 &attr_val,
01984
FALSE)))
01985 {
01986 printk(KERN_WARNING
01987
"rsbac_pm(): rsbac_get_attr() for FILE/FIFO/pm_object_type returned error %i",
01988 error);
01989
return(-
RSBAC_EREADFAILED);
01990 }
01991
01992
switch(attr_val.
pm_object_type)
01993 {
01994
case PO_personal_data:
01995
case PO_none:
01996
case PO_non_personal_data:
01997
break;
01998
default:
01999
return(-
RSBAC_EPERM);
02000 }
02001
02002
02003
02004
rsbac_pm_remove_target(PMT_TKT,pm_tid);
02005
02006
02007
if(param.
set_object_class.
object_class)
02008 attr_val.
pm_object_type =
PO_personal_data;
02009
else
02010 attr_val.
pm_object_type =
PO_non_personal_data;
02011
if((error =
rsbac_set_attr(
PM,target,
02012 tid,
02013
A_pm_object_type,
02014 attr_val)))
02015 {
02016 printk(KERN_WARNING
02017
"rsbac_pm(): rsbac_set_attr() for FILE/pm_object_type returned error %i",
02018 error);
02019
return(-
RSBAC_EWRITEFAILED);
02020 }
02021
02022 attr_val.
pm_object_class = param.
set_object_class.
object_class;
02023
if((error =
rsbac_set_attr(
PM,target,
02024 tid,
02025
A_pm_object_class,
02026 attr_val)))
02027 {
02028 printk(KERN_WARNING
02029
"rsbac_pm(): rsbac_set_attr() for FILE/pm_object_type returned error %i",
02030 error);
02031
return(-
RSBAC_EWRITEFAILED);
02032 }
02033
02034
return(0);
02035
02036
#ifdef CONFIG_RSBAC_SWITCH
02037
case PF_switch_pm:
02038
02039
if(param.
switch_pm.
value && (param.
switch_pm.
value != 1))
02040
return(-
RSBAC_EINVALIDVALUE);
02041
if(role !=
PR_security_officer)
02042
return(-
RSBAC_EPERM);
02043
02044
02045 pm_tid.tkt = tkt;
02046
if((error =
rsbac_pm_get_all_data(PMT_TKT,
02047 pm_tid,
02048 &all_data)))
02049 {
02050
if( (error != -
RSBAC_EINVALIDTARGET)
02051 && (error != -
RSBAC_ENOTFOUND)
02052 )
02053 printk(KERN_WARNING
02054
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
02055 error);
02056
return(-
RSBAC_EPERM);
02057 }
02058
02059
if( (all_data.tkt.function_type !=
PTF_switch_pm)
02060 || (all_data.tkt.function_param.switch_pm.value
02061 != param.
switch_pm.
value))
02062
return(-
RSBAC_EPERM);
02063
02064
02065 tid.
user = all_data.tkt.issuer;
02066
if((error =
rsbac_get_attr(
PM,
T_USER,
02067 tid,
02068
A_pm_role,
02069 &attr_val,
02070
TRUE)))
02071 {
02072 printk(KERN_WARNING
02073
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
02074 error);
02075
return(-
RSBAC_EREADFAILED);
02076 }
02077
02078
if(attr_val.
pm_role !=
PR_data_protection_officer)
02079 {
02080
02081
rsbac_pm_remove_target(PMT_TKT,pm_tid);
02082
return(-
RSBAC_EPERM);
02083 }
02084
02085
02086
02087
rsbac_pm_remove_target(PMT_TKT,pm_tid);
02088
02089
02090 printk(KERN_WARNING
"sys_rsbac_switch(): switching RSBAC module PM (No. %i) to %i!\n",
02091
PM, param.
switch_pm.
value);
02092 rsbac_switch_pm = param.
switch_pm.
value;
02093
return(0);
02094
02095
#ifdef CONFIG_RSBAC_AUTH
02096
case PF_switch_auth:
02097
02098
if(param.
switch_auth.
value && (param.
switch_auth.
value != 1))
02099
return(-
RSBAC_EINVALIDVALUE);
02100
if(role !=
PR_security_officer)
02101
return(-
RSBAC_EPERM);
02102
02103
02104 pm_tid.tkt = tkt;
02105
if((error =
rsbac_pm_get_all_data(PMT_TKT,
02106 pm_tid,
02107 &all_data)))
02108 {
02109
if( (error != -
RSBAC_EINVALIDTARGET)
02110 && (error != -
RSBAC_ENOTFOUND)
02111 )
02112 printk(KERN_WARNING
02113
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
02114 error);
02115
return(-
RSBAC_EPERM);
02116 }
02117
02118
if( (all_data.tkt.function_type !=
PTF_switch_auth)
02119 || (all_data.tkt.function_param.switch_auth.value
02120 != param.
switch_auth.
value))
02121
return(-
RSBAC_EPERM);
02122
02123
02124 tid.
user = all_data.tkt.issuer;
02125
if((error =
rsbac_get_attr(
PM,
T_USER,
02126 tid,
02127
A_pm_role,
02128 &attr_val,
02129
TRUE)))
02130 {
02131 printk(KERN_WARNING
02132
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
02133 error);
02134
return(-
RSBAC_EREADFAILED);
02135 }
02136
02137
if(attr_val.
pm_role !=
PR_data_protection_officer)
02138 {
02139
02140
rsbac_pm_remove_target(PMT_TKT,pm_tid);
02141
return(-
RSBAC_EPERM);
02142 }
02143
02144
02145
#ifdef CONFIG_RSBAC_DEBUG
02146
if (rsbac_debug_aef_pm)
02147 printk(KERN_DEBUG
"rsbac_pm(): calling ADF int\n");
02148
#endif
02149
tid.
dummy = 0;
02150 attr_val.switch_target =
AUTH;
02151
if (!
rsbac_adf_request_int(
R_SWITCH_MODULE,
02152 current->pid,
02153
T_NONE,
02154 tid,
02155 A_switch_target,
02156 attr_val,
02157
PM))
02158 {
02159
return -EPERM;
02160 }
02161
02162
02163
rsbac_pm_remove_target(PMT_TKT,pm_tid);
02164
02165
02166 printk(KERN_WARNING
"sys_rsbac_pm/switch(): switching RSBAC module AUTH (No. %i) to %i!\n",
02167
AUTH, param.
switch_auth.
value);
02168 rsbac_switch_auth = param.
switch_auth.
value;
02169
return(0);
02170
#endif
02171
#endif
02172
02173
case PF_set_device_object_type:
02174
if(role !=
PR_security_officer)
02175
return(-
RSBAC_EPERM);
02176
02177
02178 pm_tid.tkt = tkt;
02179
if((error =
rsbac_pm_get_all_data(PMT_TKT,
02180 pm_tid,
02181 &all_data)))
02182 {
02183
if( (error != -
RSBAC_EINVALIDTARGET)
02184 && (error != -
RSBAC_ENOTFOUND)
02185 )
02186 printk(KERN_WARNING
02187
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
02188 error);
02189
return(-
RSBAC_EPERM);
02190 }
02191
02192
if ((error =
pm_get_file(param.
set_device_object_type.
filename, &target, &tid)) < 0)
02193 {
02194
#ifdef CONFIG_RSBAC_DEBUG
02195
if (rsbac_debug_aef_pm)
02196 printk(KERN_DEBUG
02197
"rsbac_pm(): call to pm_get_file() returned error %i\n",
02198 error);
02199
#endif
02200
return(-
RSBAC_EINVALIDTARGET);
02201 }
02202
02203
if(target !=
T_DEV)
02204
return(-
RSBAC_EINVALIDTARGET);
02205 dev=tid.dev;
02206
02207
if( (all_data.tkt.function_type !=
PTF_set_device_object_type)
02208 || (all_data.tkt.function_param.tkt_set_device_object_type.dev.type
02209 != dev.type)
02210 || (RSBAC_MAJOR(all_data.tkt.function_param.tkt_set_device_object_type.dev.id)
02211 != RSBAC_MAJOR(dev.id))
02212 || (RSBAC_MINOR(all_data.tkt.function_param.tkt_set_device_object_type.dev.id)
02213 != RSBAC_MINOR(dev.id))
02214 || (all_data.tkt.function_param.tkt_set_device_object_type.object_type
02215 != param.
set_device_object_type.
object_type)
02216 || (all_data.tkt.function_param.tkt_set_device_object_type.object_class
02217 != param.
set_device_object_type.
object_class) )
02218
return(-
RSBAC_EPERM);
02219
02220
02221 tid.
user = all_data.tkt.issuer;
02222
if((error =
rsbac_get_attr(
PM,
T_USER,
02223 tid,
02224
A_pm_role,
02225 &attr_val,
02226
TRUE)))
02227 {
02228 printk(KERN_WARNING
02229
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
02230 error);
02231
return(-
RSBAC_EREADFAILED);
02232 }
02233
02234
if(attr_val.
pm_role !=
PR_data_protection_officer)
02235 {
02236
02237
rsbac_pm_remove_target(PMT_TKT,pm_tid);
02238
return(-
RSBAC_EPERM);
02239 }
02240
02241
switch(param.
set_device_object_type.
object_type)
02242 {
02243
case PO_personal_data:
02244
case PO_none:
02245
case PO_TP:
02246
case PO_non_personal_data:
02247
break;
02248
default:
02249
return(-
RSBAC_EINVALIDVALUE);
02250 }
02251
02252
02253
02254
rsbac_pm_remove_target(PMT_TKT,pm_tid);
02255
02256
02257 tid.dev = dev;
02258 attr_val.
pm_object_type = param.
set_device_object_type.
object_type;
02259
if((error =
rsbac_set_attr(
PM,
T_DEV,
02260 tid,
02261
A_pm_object_type,
02262 attr_val)))
02263 {
02264 printk(KERN_WARNING
02265
"rsbac_pm(): rsbac_set_attr() for DEV/pm_object_type returned error %i",
02266 error);
02267
return(-
RSBAC_EWRITEFAILED);
02268 }
02269
02270 attr_val.
pm_object_class = param.
set_device_object_type.
object_class;
02271
if((error =
rsbac_set_attr(
PM,
T_DEV,
02272 tid,
02273
A_pm_object_class,
02274 attr_val)))
02275 {
02276 printk(KERN_WARNING
02277
"rsbac_pm(): rsbac_set_attr() for DEV/pm_object_class returned error %i",
02278 error);
02279
return(-
RSBAC_EWRITEFAILED);
02280 }
02281
02282
return(0);
02283
02284
case PF_set_auth_may_setuid:
02285
if(role !=
PR_security_officer)
02286
return(-
RSBAC_EPERM);
02287
02288
02289 pm_tid.tkt = tkt;
02290
if((error =
rsbac_pm_get_all_data(PMT_TKT,
02291 pm_tid,
02292 &all_data)))
02293 {
02294
if( (error != -
RSBAC_EINVALIDTARGET)
02295 && (error != -
RSBAC_ENOTFOUND)
02296 )
02297 printk(KERN_WARNING
02298
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
02299 error);
02300
return(-
RSBAC_EPERM);
02301 }
02302
02303
if ((error =
pm_get_file(param.
set_auth_may_setuid.
filename, &target, &tid)) < 0)
02304 {
02305
#ifdef CONFIG_RSBAC_DEBUG
02306
if (rsbac_debug_aef_pm)
02307 printk(KERN_DEBUG
02308
"rsbac_pm(): call to pm_get_file() returned error %i\n",
02309 error);
02310
#endif
02311
return(-
RSBAC_EINVALIDTARGET);
02312 }
02313
02314
if( (target !=
T_FILE)
02315 && (target !=
T_FIFO)
02316 )
02317
return(-
RSBAC_EINVALIDTARGET);
02318 file=tid.file;
02319
02320
if( (all_data.tkt.function_type !=
PTF_set_auth_may_setuid)
02321 || (RSBAC_MAJOR(all_data.tkt.function_param.tkt_set_auth_may_setuid.file.device)
02322 != RSBAC_MAJOR(file.device))
02323 || (RSBAC_MINOR(all_data.tkt.function_param.tkt_set_auth_may_setuid.file.device)
02324 != RSBAC_MINOR(file.device))
02325 || (all_data.tkt.function_param.tkt_set_auth_may_setuid.file.inode
02326 != file.inode)
02327 || (all_data.tkt.function_param.tkt_set_auth_may_setuid.value
02328 != param.
set_auth_may_setuid.
value)
02329 )
02330
return(-
RSBAC_EPERM);
02331
02332
02333 tid.
user = all_data.tkt.issuer;
02334
if((error =
rsbac_get_attr(
PM,
T_USER,
02335 tid,
02336
A_pm_role,
02337 &attr_val,
02338
TRUE)))
02339 {
02340 printk(KERN_WARNING
02341
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
02342 error);
02343
return(-
RSBAC_EREADFAILED);
02344 }
02345
02346
if(attr_val.
pm_role !=
PR_data_protection_officer)
02347 {
02348
02349
rsbac_pm_remove_target(PMT_TKT,pm_tid);
02350
return(-
RSBAC_EPERM);
02351 }
02352
02353
switch(param.
set_auth_may_setuid.
value)
02354 {
02355
case FALSE:
02356
case TRUE:
02357
break;
02358
default:
02359
return(-
RSBAC_EINVALIDVALUE);
02360 }
02361
02362
#ifdef CONFIG_RSBAC_DEBUG
02363
if (rsbac_debug_aef_pm)
02364 printk(KERN_DEBUG
"rsbac_pm(): calling ADF int\n");
02365
#endif
02366
tid.file = file;
02367 attr_val.
auth_may_setuid = param.
set_auth_may_setuid.
value;
02368
if (!
rsbac_adf_request_int(
R_MODIFY_ATTRIBUTE,
02369 current->pid,
02370
T_FILE,
02371 tid,
02372
A_auth_may_setuid,
02373 attr_val,
02374
PM))
02375 {
02376
return -EPERM;
02377 }
02378
02379
02380
02381
rsbac_pm_remove_target(PMT_TKT,pm_tid);
02382
02383
02384
if((error =
rsbac_set_attr(
PM,
T_FILE,
02385 tid,
02386
A_auth_may_setuid,
02387 attr_val)))
02388 {
02389 printk(KERN_WARNING
02390
"rsbac_pm(): rsbac_set_attr() for FILE/auth_may_setuid returned error %i",
02391 error);
02392
return(-
RSBAC_EWRITEFAILED);
02393 }
02394
02395
return(0);
02396
02397
case PF_set_auth_may_set_cap:
02398
if(role !=
PR_security_officer)
02399
return(-
RSBAC_EPERM);
02400
02401
02402 pm_tid.tkt = tkt;
02403
if((error =
rsbac_pm_get_all_data(PMT_TKT,
02404 pm_tid,
02405 &all_data)))
02406 {
02407
if( (error != -
RSBAC_EINVALIDTARGET)
02408 && (error != -
RSBAC_ENOTFOUND)
02409 )
02410 printk(KERN_WARNING
02411
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
02412 error);
02413
return(-
RSBAC_EPERM);
02414 }
02415
02416
if ((error =
pm_get_file(param.
set_auth_may_set_cap.
filename, &target, &tid)) < 0)
02417 {
02418
#ifdef CONFIG_RSBAC_DEBUG
02419
if (rsbac_debug_aef_pm)
02420 printk(KERN_DEBUG
02421
"rsbac_pm(): call to pm_get_file() returned error %i\n",
02422 error);
02423
#endif
02424
return(-
RSBAC_EINVALIDTARGET);
02425 }
02426
02427
if(target !=
T_FILE)
02428
return(-
RSBAC_EINVALIDTARGET);
02429 file=tid.file;
02430
02431
if( (all_data.tkt.function_type !=
PTF_set_auth_may_set_cap)
02432 || (RSBAC_MAJOR(all_data.tkt.function_param.tkt_set_auth_may_set_cap.file.device)
02433 != RSBAC_MAJOR(file.device))
02434 || (RSBAC_MINOR(all_data.tkt.function_param.tkt_set_auth_may_set_cap.file.device)
02435 != RSBAC_MINOR(file.device))
02436 || (all_data.tkt.function_param.tkt_set_auth_may_set_cap.file.inode
02437 != file.inode)
02438 || (all_data.tkt.function_param.tkt_set_auth_may_set_cap.value
02439 != param.
set_auth_may_set_cap.
value)
02440 )
02441
return(-
RSBAC_EPERM);
02442
02443
02444 tid.
user = all_data.tkt.issuer;
02445
if((error =
rsbac_get_attr(
PM,
T_USER,
02446 tid,
02447
A_pm_role,
02448 &attr_val,
02449
TRUE)))
02450 {
02451 printk(KERN_WARNING
02452
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
02453 error);
02454
return(-
RSBAC_EREADFAILED);
02455 }
02456
02457
if(attr_val.
pm_role !=
PR_data_protection_officer)
02458 {
02459
02460
rsbac_pm_remove_target(PMT_TKT,pm_tid);
02461
return(-
RSBAC_EPERM);
02462 }
02463
02464
switch(param.
set_auth_may_set_cap.
value)
02465 {
02466
case FALSE:
02467
case TRUE:
02468
break;
02469
default:
02470
return(-
RSBAC_EINVALIDVALUE);
02471 }
02472
02473
#ifdef CONFIG_RSBAC_DEBUG
02474
if (rsbac_debug_aef_pm)
02475 printk(KERN_DEBUG
"rsbac_pm(): calling ADF int\n");
02476
#endif
02477
tid.file = file;
02478 attr_val.
auth_may_set_cap = param.
set_auth_may_set_cap.
value;
02479
if (!
rsbac_adf_request_int(
R_MODIFY_ATTRIBUTE,
02480 current->pid,
02481
T_FILE,
02482 tid,
02483
A_auth_may_set_cap,
02484 attr_val,
02485
PM))
02486 {
02487
return -EPERM;
02488 }
02489
02490
02491
02492
rsbac_pm_remove_target(PMT_TKT,pm_tid);
02493
02494
02495
if((error =
rsbac_set_attr(
PM,
T_FILE,
02496 tid,
02497
A_auth_may_set_cap,
02498 attr_val)))
02499 {
02500 printk(KERN_WARNING
02501
"rsbac_pm(): rsbac_set_attr() for FILE/auth_may_set_cap returned error %i",
02502 error);
02503
return(-
RSBAC_EWRITEFAILED);
02504 }
02505
02506
return(0);
02507
02508
02509
02510
02511
case PF_add_authorized_task:
02512
02513
if(!param.
add_authorized_task.
task)
02514
return(-
RSBAC_EINVALIDVALUE);
02515
if(role !=
PR_security_officer)
02516 {
02517
#ifdef CONFIG_RSBAC_DEBUG
02518
if(rsbac_debug_aef_pm)
02519 printk(KERN_DEBUG
02520
"rsbac_pm(): caller of add_authorized_task is not SO\n");
02521
#endif
02522
return(-
RSBAC_EPERM);
02523 }
02524
02525
02526 pm_tid.tkt = tkt;
02527
if((error =
rsbac_pm_get_all_data(PMT_TKT,
02528 pm_tid,
02529 &all_data)))
02530 {
02531
if( (error != -
RSBAC_EINVALIDTARGET)
02532 && (error != -
RSBAC_ENOTFOUND)
02533 )
02534 printk(KERN_WARNING
02535
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i\n",
02536 error);
02537
return(-
RSBAC_EPERM);
02538 }
02539
02540
if( (all_data.tkt.function_type !=
PTF_add_authorized_task)
02541 || (all_data.tkt.function_param.add_authorized_task.user
02542 != param.
add_authorized_task.
user)
02543 || (all_data.tkt.function_param.add_authorized_task.task
02544 != param.
add_authorized_task.
task) )
02545 {
02546
#ifdef CONFIG_RSBAC_DEBUG
02547
if(rsbac_debug_aef_pm)
02548 {
02549 printk(KERN_DEBUG
02550
"rsbac_pm(): calling add_authorized_task with invalid ticket\n");
02551 printk(KERN_DEBUG
02552
"rsbac_pm(): tkt-task: %i, tkt-user: %i, call-task: %i, call-user: %i\n",
02553 all_data.tkt.function_param.add_authorized_task.user,
02554 all_data.tkt.function_param.add_authorized_task.task,
02555 param.
add_authorized_task.
task,
02556 param.
add_authorized_task.
user);
02557 }
02558
#endif
02559
return(-
RSBAC_EPERM);
02560 }
02561
02562
02563 pm_tid2.task = param.
add_authorized_task.
task;
02564
if(!
rsbac_pm_exists(PMT_TASK,
02565 pm_tid2))
02566 {
02567
#ifdef CONFIG_RSBAC_DEBUG
02568
if(rsbac_debug_aef_pm)
02569 printk(KERN_DEBUG
02570
"rsbac_pm(): calling add_authorized_task with invalid task id\n");
02571
#endif
02572
return(-
RSBAC_EINVALIDVALUE);
02573 }
02574
02575
02576 tid.
user = all_data.tkt.issuer;
02577
if((error =
rsbac_get_attr(
PM,
T_USER,
02578 tid,
02579
A_pm_role,
02580 &attr_val,
02581
TRUE)))
02582 {
02583 printk(KERN_WARNING
02584
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i\n",
02585 error);
02586
return(-
RSBAC_EREADFAILED);
02587 }
02588
02589
if(attr_val.
pm_role !=
PR_data_protection_officer)
02590 {
02591
02592 pm_tid.task = param.
add_authorized_task.
task;
02593
if((error =
rsbac_pm_get_data(PMT_TASK,
02594 pm_tid,
02595 PD_ru_set,
02596 &data_val)))
02597
return(-
RSBAC_EREADFAILED);
02598
02599
if(!data_val.ru_set)
02600 {
02601
02602
rsbac_pm_remove_target(PMT_TKT,pm_tid);
02603
#ifdef CONFIG_RSBAC_DEBUG
02604
if(rsbac_debug_aef_pm)
02605 printk(KERN_DEBUG
02606
"rsbac_pm(): calling add_authorized_task with invalid ticket issuer (no set)\n");
02607
#endif
02608
return(-
RSBAC_EPERM);
02609 }
02610
02611 pm_set_id.ru_set = data_val.ru_set;
02612 pm_set_member.ru = all_data.tkt.issuer;
02613
if(!
rsbac_pm_set_member(PS_RU,pm_set_id,pm_set_member))
02614 {
02615
02616
rsbac_pm_remove_target(PMT_TKT,pm_tid);
02617
#ifdef CONFIG_RSBAC_DEBUG
02618
if(rsbac_debug_aef_pm)
02619 printk(KERN_DEBUG
02620
"rsbac_pm(): calling add_authorized_task with invalid ticket issuer\n");
02621
#endif
02622
return(-
RSBAC_EPERM);
02623 }
02624 }
02625
02626
02627
02628
rsbac_pm_remove_target(PMT_TKT,pm_tid);
02629
02630
02631 tid.
user = param.
add_authorized_task.
user;
02632
if((error =
rsbac_get_attr(
PM,
T_USER,
02633 tid,
02634
A_pm_task_set,
02635 &attr_val,
02636
FALSE)))
02637
return(-
RSBAC_EREADFAILED);
02638
02639
if(!attr_val.
pm_task_set)
02640 {
02641 pm_set_id.task_set = param.
add_authorized_task.
user;
02642
02643
if(!pm_set_id.task_set)
02644 pm_set_id.task_set =
RSBAC_PM_ROOT_TASK_SET_ID;
02645
if((error =
rsbac_pm_create_set(PS_TASK,
02646 pm_set_id)))
02647
return(error);
02648 attr_val.
pm_task_set = pm_set_id.task_set;
02649
if((error =
rsbac_set_attr(
PM,
T_USER,
02650 tid,
02651
A_pm_task_set,
02652 attr_val)))
02653
return(-
RSBAC_EWRITEFAILED);
02654 }
02655
02656
02657 pm_set_id.task_set = attr_val.
pm_task_set;
02658 pm_set_member.task = param.
add_authorized_task.
task;
02659
if(
rsbac_pm_add_to_set(PS_TASK,pm_set_id,pm_set_member))
02660
return(-
RSBAC_EWRITEFAILED);
02661
else
02662
02663
return(0);
02664
02665
case PF_delete_authorized_task:
02666
02667
if(!param.
delete_authorized_task.
task)
02668
return(-
RSBAC_EINVALIDVALUE);
02669
if(role !=
PR_security_officer)
02670
return(-
RSBAC_EPERM);
02671
02672
02673 pm_tid.tkt = tkt;
02674
if((error =
rsbac_pm_get_all_data(PMT_TKT,
02675 pm_tid,
02676 &all_data)))
02677 {
02678
if( (error != -
RSBAC_EINVALIDTARGET)
02679 && (error != -
RSBAC_ENOTFOUND)
02680 )
02681 printk(KERN_WARNING
02682
"rsbac_pm(): rsbac_pm_get_all_data() for ticket returned error %i",
02683 error);
02684
return(-
RSBAC_EPERM);
02685 }
02686
02687
if( (all_data.tkt.function_type !=
PTF_delete_authorized_task)
02688 || (all_data.tkt.function_param.delete_authorized_task.user
02689 != param.
delete_authorized_task.
user)
02690 || (all_data.tkt.function_param.delete_authorized_task.task
02691 != param.
delete_authorized_task.
task) )
02692
return(-
RSBAC_EPERM);
02693
02694
02695 tid.
user = all_data.tkt.issuer;
02696
if((error =
rsbac_get_attr(
PM,
T_USER,
02697 tid,
02698
A_pm_role,
02699 &attr_val,
02700
TRUE)))
02701 {
02702 printk(KERN_WARNING
02703
"rsbac_pm(): rsbac_get_attr() for USER/pm_role returned error %i",
02704 error);
02705
return(-
RSBAC_EREADFAILED);
02706 }
02707
02708
if(attr_val.
pm_role !=
PR_data_protection_officer)
02709 {
02710
02711
rsbac_pm_remove_target(PMT_TKT,pm_tid);
02712
return(-
RSBAC_EPERM);
02713 }
02714
02715
02716
02717
rsbac_pm_remove_target(PMT_TKT,pm_tid);
02718
02719
02720 tid.
user = param.
delete_authorized_task.
user;
02721
if((error =
rsbac_get_attr(
PM,
T_USER,
02722 tid,
02723
A_pm_task_set,
02724 &attr_val,
02725
FALSE)))
02726
return(-
RSBAC_EREADFAILED);
02727
02728
if(!attr_val.
pm_task_set)
02729
return(-
RSBAC_EINVALIDVALUE);
02730
02731
02732 pm_set_id.task_set = attr_val.
pm_task_set;
02733 pm_set_member.task = param.
delete_authorized_tp.
task;
02734
if(
rsbac_pm_remove_from_set(PS_TASK,pm_set_id,pm_set_member))
02735
return(-
RSBAC_EWRITEFAILED);
02736
else
02737
02738
return(0);
02739
02740
02741
02742
02743
case PF_create_tp:
02744
02745
if(!param.
create_tp.
id)
02746
return(-
RSBAC_EINVALIDVALUE);
02747
if(role !=
PR_tp_manager)
02748
return(-
RSBAC_EPERM);
02749
02750
02751
02752 all_data.tp.id = param.
create_tp.
id;
02753
return(
rsbac_pm_add_target(PMT_TP,all_data));
02754
02755
case PF_delete_tp:
02756
02757
if(!param.
delete_tp.
id)
02758
return(-
RSBAC_EINVALIDVALUE);
02759
if(role !=
PR_tp_manager)
02760
return(-
RSBAC_EPERM);
02761
02762
02763
02764
02765 pm_tid.tp = param.
delete_tp.
id;
02766
return(
rsbac_pm_remove_target(PMT_TP,pm_tid));
02767
02768
case PF_set_tp:
02769
02770
if(role !=
PR_tp_manager)
02771
return(-
RSBAC_EPERM);
02772
02773
02774
if(param.
set_tp.
tp)
02775 {
02776 pm_tid.tp = param.
set_tp.
tp;
02777
if(!
rsbac_pm_exists(PMT_TP,pm_tid))
02778
return(-
RSBAC_EINVALIDVALUE);
02779 }
02780
02781
02782
if ((error =
pm_get_file(param.
set_tp.
filename,
02783 &target,
02784 &tid)))
02785 {
02786
#ifdef CONFIG_RSBAC_DEBUG
02787
if (rsbac_debug_aef_pm)
02788 printk(KERN_DEBUG
02789
"rsbac_pm(): call to pm_get_file() returned error %i\n",
02790 error);
02791
#endif
02792
return(-
RSBAC_EINVALIDTARGET);
02793 }
02794
02795
if(target !=
T_FILE)
02796
return(-
RSBAC_EINVALIDTARGET);
02797 file=tid.file;
02798
02799
if (
rsbac_get_attr(
PM,
T_FILE,
02800 tid,
02801
A_pm_object_type,
02802 &attr_val,
02803
FALSE))
02804 {
02805 printk(KERN_WARNING
"rsbac_pm(): rsbac_get_attr() returned error!\n");
02806
return(-
RSBAC_EREADFAILED);
02807 }
02808
02809
if( (attr_val.
pm_object_type !=
PO_TP)
02810 && (attr_val.
pm_object_type !=
PO_none)
02811 && (attr_val.
pm_object_type !=
PO_non_personal_data))
02812
return(-
RSBAC_EINVALIDTARGET);
02813
02814
02815
02816
if(param.
set_tp.
tp)
02817 attr_val.
pm_object_type =
PO_TP;
02818
else
02819 attr_val.
pm_object_type =
PO_none;
02820
if (
rsbac_set_attr(
PM,
T_FILE,
02821 tid,
02822
A_pm_object_type,
02823 attr_val))
02824 {
02825 printk(KERN_WARNING
"rsbac_pm(): rsbac_set_attr() returned error!\n");
02826
return(-
RSBAC_EWRITEFAILED);
02827 }
02828
02829 attr_val.
pm_tp = param.
set_tp.
tp;
02830
if (
rsbac_set_attr(
PM,
T_FILE,
02831 tid,
02832
A_pm_tp,
02833 attr_val))
02834 {
02835 printk(KERN_WARNING
"rsbac_pm(): rsbac_set_attr() returned error!\n");
02836
return(-
RSBAC_EWRITEFAILED);
02837 }
02838
return(0);
02839
02840
02841
02842
default:
02843
return(-
RSBAC_EINVALIDREQUEST);
02844 }
02845 }
02846
02847
02848
02849 int rsbac_pm_change_current_task(
rsbac_pm_task_id_t task)
02850 {
02851
union rsbac_target_id_t tid;
02852
union rsbac_attribute_value_t attr_val;
02853
int error = 0;
02854
rsbac_uid_t owner;
02855
union rsbac_pm_set_id_t pm_set_id;
02856
union rsbac_pm_set_member_t pm_set_member;
02857
02858
02859
if (!
rsbac_is_initialized())
02860
return(-
RSBAC_ENOTINITIALIZED);
02861
02862
if(!task)
02863
return(-
RSBAC_EINVALIDVALUE);
02864
#ifdef CONFIG_RSBAC_DEBUG
02865
if (rsbac_debug_aef_pm)
02866 printk(KERN_DEBUG
02867
"rsbac_pm_change_current_task(): called for task %i!\n",
02868 task);
02869
#endif
02870
02871 tid.
process = current->pid;
02872
if((error =
rsbac_get_attr(
PM,
T_PROCESS,
02873 tid,
02874
A_pm_tp,
02875 &attr_val,
02876
FALSE)))
02877 {
02878 printk(KERN_WARNING
02879
"rsbac_pm_change_current_task(): rsbac_get_attr() for pm_tp returned error %i",
02880 error);
02881
return(-
RSBAC_EREADFAILED);
02882 }
02883
02884
if(attr_val.
pm_tp)
02885 {
02886
#ifdef CONFIG_RSBAC_DEBUG
02887
if(rsbac_debug_adf_pm)
02888 printk(KERN_DEBUG
02889
"rsbac_pm_change_current_task(): tried to change current_task for tp-process\n");
02890
#endif
02891
return(-
RSBAC_EPERM);
02892 }
02893
02894
02895
02896
if (current->pid > 1)
02897 owner = current->uid;
02898
else
02899 owner = 0;
02900
02901
02902 tid.
user = owner;
02903
if((error =
rsbac_get_attr(
PM,
T_USER,
02904 tid,
02905
A_pm_task_set,
02906 &attr_val,
02907
FALSE)))
02908 {
02909 printk(KERN_WARNING
02910
"rsbac_pm_change_current_task(): rsbac_get_attr() for pm_task_set returned error %i",
02911 error);
02912
return(-
RSBAC_EREADFAILED);
02913 }
02914
02915
02916
if(!attr_val.
pm_task_set)
02917 {
02918
#ifdef CONFIG_RSBAC_DEBUG
02919
if(rsbac_debug_adf_pm)
02920 printk(KERN_DEBUG
02921
"rsbac_pm_change_current_task(): process owner has no authorized task\n");
02922
#endif
02923
return(-
RSBAC_EPERM);
02924 }
02925
02926
02927 pm_set_id.task_set = attr_val.
pm_task_set;
02928 pm_set_member.task = task;
02929
if(!
rsbac_pm_set_member(PS_TASK,pm_set_id,pm_set_member))
02930 {
02931
#ifdef CONFIG_RSBAC_DEBUG
02932
if(rsbac_debug_adf_pm)
02933 printk(KERN_DEBUG
02934
"rsbac_pm_change_current_task(): process owner is not authorized for task\n");
02935
#endif
02936
return(-
RSBAC_EPERM);
02937 }
02938
02939
02940 tid.
process = current->pid;
02941 attr_val.
pm_current_task = task;
02942
if((error =
rsbac_set_attr(
PM,
T_PROCESS,
02943 tid,
02944
A_pm_current_task,
02945 attr_val)))
02946 {
02947 printk(KERN_WARNING
02948
"rsbac_pm_change_current_task(): rsbac_set_attr() for pm_current_task returned error %i",
02949 error);
02950
return(-
RSBAC_EWRITEFAILED);
02951 }
02952
return(0);
02953 }
02954
02955 int rsbac_pm_create_file(
const char * filename,
02956
int mode,
02957
rsbac_pm_object_class_id_t object_class)
02958 {
02959
union rsbac_target_id_t tid;
02960
union rsbac_attribute_value_t attr_val;
02961
union rsbac_attribute_value_t attr_val2;
02962
union rsbac_pm_target_id_t pm_tid;
02963
union rsbac_pm_data_value_t data_val;
02964
union rsbac_pm_data_value_t data_val2;
02965
int error = 0;
02966
union rsbac_pm_set_id_t pm_set_id;
02967
union rsbac_pm_set_member_t pm_set_member;
02968
02969
#ifdef CONFIG_RSBAC_DEBUG
02970
if (rsbac_debug_aef_pm)
02971 printk(KERN_DEBUG
02972
"sys_rsbac_pm_create_file(): called with class %i, mode %o!\n",
02973 object_class, mode);
02974
#endif
02975
02976
if( (object_class ==
RSBAC_PM_IPC_OBJECT_CLASS_ID)
02977 || (object_class ==
RSBAC_PM_DEV_OBJECT_CLASS_ID))
02978 {
02979
#ifdef CONFIG_RSBAC_DEBUG
02980
if(rsbac_debug_adf_pm)
02981 printk(KERN_DEBUG
02982
"rsbac_pm_create_file(): Class-ID is IPC or DEV\n");
02983
#endif
02984
return(-
RSBAC_EINVALIDVALUE);
02985 }
02986
02987
02988
if(mode & ~S_IRWXUGO)
02989 {
02990
#ifdef CONFIG_RSBAC_DEBUG
02991
if(rsbac_debug_adf_pm)
02992 printk(KERN_DEBUG
02993
"rsbac_pm_create_file(): illegal creation mode\n");
02994
#endif
02995
return(-
RSBAC_EINVALIDVALUE);
02996 }
02997
02998
02999
if(object_class)
03000 {
03001 pm_tid.object_class = object_class;
03002
if(!
rsbac_pm_exists(PMT_CLASS,
03003 pm_tid))
03004 {
03005
#ifdef CONFIG_RSBAC_DEBUG
03006
if(rsbac_debug_adf_pm)
03007 printk(KERN_DEBUG
03008
"rsbac_pm_create_file(): non-existent class\n");
03009
#endif
03010
return(-
RSBAC_EINVALIDVALUE);
03011 }
03012 }
03013
03014
03015 tid.
process = current->pid;
03016
if((error =
rsbac_get_attr(
PM,
T_PROCESS,
03017 tid,
03018
A_pm_current_task,
03019 &attr_val,
03020
FALSE)))
03021 {
03022 printk(KERN_WARNING
03023
"rsbac_pm_create_file(): rsbac_get_attr() for pm_current_task returned error %i",
03024 error);
03025
return(-
RSBAC_EREADFAILED);
03026 }
03027
03028
03029
if((error =
rsbac_get_attr(
PM,
T_PROCESS,
03030 tid,
03031
A_pm_tp,
03032 &attr_val2,
03033
FALSE)))
03034 {
03035 printk(KERN_WARNING
03036
"rsbac_pm_create_file(): rsbac_get_attr() for pm_tp returned error %i",
03037 error);
03038
return(-
RSBAC_EREADFAILED);
03039 }
03040
03041
03042 pm_tid.na.task = attr_val.
pm_current_task;
03043 pm_tid.na.object_class = object_class;
03044 pm_tid.na.tp = attr_val2.
pm_tp;
03045
if((error =
rsbac_pm_get_data(PMT_NA,
03046 pm_tid,
03047 PD_accesses,
03048 &data_val)))
03049 {
03050
if( (error != -
RSBAC_EINVALIDTARGET)
03051 && (error != -
RSBAC_ENOTFOUND)
03052 )
03053 printk(KERN_WARNING
03054
"rsbac_pm_create_file(): rsbac_pm_get_data() for NA/accesses returned error %i",
03055 error);
03056
#ifdef CONFIG_RSBAC_DEBUG
03057
else if(rsbac_debug_adf_pm)
03058 printk(KERN_DEBUG
03059
"rsbac_pm_create_file(): NA/accesses (%i,%i,%i) not found\n",
03060 pm_tid.na.task, object_class, pm_tid.na.tp);
03061
#endif
03062
return(-
RSBAC_EPERM);
03063 }
03064
03065
03066
if(!(data_val.accesses &
RSBAC_PM_A_CREATE))
03067 {
03068
#ifdef CONFIG_RSBAC_DEBUG
03069
if(rsbac_debug_adf_pm)
03070 printk(KERN_DEBUG
03071
"rsbac_pm_create_file(): create is not necessary\n");
03072
#endif
03073
return(-
RSBAC_EPERM);
03074 }
03075
03076
03077 pm_tid.task = attr_val.
pm_current_task;
03078
if((error =
rsbac_pm_get_data(PMT_TASK,
03079 pm_tid,
03080 PD_purpose,
03081 &data_val)))
03082 {
03083
if( (error != -
RSBAC_EINVALIDTARGET)
03084 && (error != -
RSBAC_ENOTFOUND)
03085 )
03086 printk(KERN_WARNING
03087
"rsbac_pm_create_file(): rsbac_get_data() for TASK/purpose returned error %i",
03088 error);
03089
return(-
RSBAC_EPERM);
03090 }
03091
03092
03093
if(data_val.purpose)
03094 {
03095
03096 pm_tid.object_class = object_class;
03097
if((error =
rsbac_pm_get_data(PMT_CLASS,
03098 pm_tid,
03099 PD_pp_set,
03100 &data_val2)))
03101 {
03102
if( (error == -
RSBAC_EINVALIDTARGET)
03103 || (error == -
RSBAC_ENOTFOUND)
03104 )
03105 {
03106
#ifdef CONFIG_RSBAC_DEBUG
03107
if(rsbac_debug_adf_pm)
03108 printk(KERN_DEBUG
03109
"rsbac_pm_create_file(): non-existent class\n");
03110
#endif
03111
return(-
RSBAC_EINVALIDVALUE);
03112 }
03113 printk(KERN_WARNING
03114
"rsbac_pm_create_file(): rsbac_get_data() for TASK/purpose returned error %i",
03115 error);
03116
return(-
RSBAC_EREADFAILED);
03117 }
03118
03119
if(!data_val2.pp_set)
03120 {
03121
#ifdef CONFIG_RSBAC_DEBUG
03122
if(rsbac_debug_adf_pm)
03123 printk(KERN_DEBUG
03124
"rsbac_pm_create_file(): current_task has purpose, class not\n");
03125
#endif
03126
return(-
RSBAC_EPERM);
03127 }
03128
03129
03130 pm_set_id.pp_set = data_val2.pp_set;
03131 pm_set_member.pp = data_val.purpose;
03132
if(!
rsbac_pm_set_member(PS_PP,pm_set_id,pm_set_member))
03133
03134 {
03135
#ifdef CONFIG_RSBAC_DEBUG
03136
if(rsbac_debug_adf_pm)
03137 printk(KERN_DEBUG
03138
"rsbac_pm_create_file(): purpose of current_task is not in purpose set of class\n");
03139
#endif
03140
return(-
RSBAC_EPERM);
03141 }
03142 }
03143
03144
03145
03146
03147 lock_kernel();
03148 error = sys_open(filename, O_CREAT | O_WRONLY | O_TRUNC, mode);
03149 unlock_kernel();
03150
if (error < 0)
03151
return(error);
03152
03153
03154
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03155
tid.file.device = current->files->fd[error]->f_vfsmnt->mnt_sb->s_dev;
03156 tid.file.inode = current->files->fd[error]->f_dentry->d_inode->i_ino;
03157 tid.file.dentry_p = current->files->fd[error]->f_dentry;
03158
#else
03159
tid.file.device = current->files->fd[error]->f_dentry->d_inode->i_dev;
03160 tid.file.inode = current->files->fd[error]->f_dentry->d_inode->i_ino;
03161 tid.file.dentry_p = current->files->fd[error]->f_dentry;
03162
#endif
03163
attr_val.
pm_object_class = object_class;
03164
if(
rsbac_set_attr(
PM,
T_FILE,
03165 tid,
03166
A_pm_object_class,
03167 attr_val))
03168 {
03169 printk(KERN_WARNING
03170
"rsbac_pm_create_file(): rsbac_set_attr() for pm_object_class returned error");
03171 }
03172
return(error);
03173 }
03174
03175
03176