00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
#include <linux/string.h>
00013
#include <linux/sched.h>
00014
#include <linux/errno.h>
00015
#include <linux/vmalloc.h>
00016
#include <rsbac/types.h>
00017
#include <rsbac/aci.h>
00018
#include <rsbac/error.h>
00019
#include <rsbac/acl.h>
00020
#include <rsbac/getname.h>
00021
#include <rsbac/acl_getname.h>
00022
#include <rsbac/helpers.h>
00023
#include <rsbac/debug.h>
00024
#include <rsbac/rkmem.h>
00025
#include <rsbac/adf_main.h>
00026
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00027
#ifdef CONFIG_RSBAC_NET_OBJ
00028
#include <net/sock.h>
00029
#endif
00030
#endif
00031
00032
00033
00034
00035
00036
00037
00038
00039
00040 boolean rsbac_acl_check_super(
enum rsbac_target_t target,
00041
union rsbac_target_id_t tid,
00042
rsbac_uid_t user)
00043 {
00044
boolean i_result =
FALSE;
00045
int err=0, tmperr;
00046
int i;
00047
rsbac_acl_group_id_t * group_p;
00048
#if defined(CONFIG_RSBAC_RC)
00049
union rsbac_target_id_t i_tid;
00050
union rsbac_attribute_value_t i_attr_val1;
00051
#endif
00052
00053
00054
switch(target)
00055 {
00056
case T_FILE:
00057
case T_DIR:
00058
case T_FIFO:
00059
case T_SYMLINK:
00060
case T_DEV:
00061
case T_IPC:
00062
case T_SCD:
00063
case T_USER:
00064
case T_PROCESS:
00065
case T_NETDEV:
00066
case T_NETTEMP_NT:
00067
case T_NETTEMP:
00068
case T_NETOBJ:
00069
break;
00070
default:
00071
return TRUE;
00072 }
00073
00074 err =
rsbac_acl_get_single_right(target,
00075 tid,
00076
ACLS_USER,
00077 (
rsbac_acl_subject_id_t) user,
00078
ACLR_SUPERVISOR,
00079 &i_result);
00080
if(err)
00081 {
00082
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00083
00084
if(tmp)
00085 {
00086
#ifdef CONFIG_RSBAC_RMSG
00087
rsbac_printk(KERN_WARNING
00088
"rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n",
00089
get_error_name(tmp,err));
00090
#endif
00091
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00092
if (!rsbac_nosyslog)
00093
#endif
00094
printk(KERN_WARNING
00095
"rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n",
00096
get_error_name(tmp,err));
00097
rsbac_kfree(tmp);
00098 }
00099
return FALSE;
00100 }
00101
if(i_result)
00102
return(
TRUE);
00103
00104
00105
00106 err =
rsbac_acl_get_single_right(target,
00107 tid,
00108
ACLS_GROUP,
00109
RSBAC_ACL_GROUP_EVERYONE,
00110
ACLR_SUPERVISOR,
00111 &i_result);
00112
if(err)
00113 {
00114
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00115
00116
if(tmp)
00117 {
00118
#ifdef CONFIG_RSBAC_RMSG
00119
rsbac_printk(KERN_WARNING
00120
"rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n",
00121
get_error_name(tmp,err));
00122
#endif
00123
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00124
if (!rsbac_nosyslog)
00125
#endif
00126
printk(KERN_WARNING
00127
"rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n",
00128
get_error_name(tmp,err));
00129
rsbac_kfree(tmp);
00130 }
00131
return FALSE;
00132 }
00133
if(i_result)
00134
return(
TRUE);
00135
00136
#if defined(CONFIG_RSBAC_RC)
00137
00138
00139 i_tid.
process = current->pid;
00140
if (
rsbac_get_attr(
RC,
00141
T_PROCESS,
00142 i_tid,
00143
A_rc_role,
00144 &i_attr_val1,
00145
FALSE))
00146 {
00147
#ifdef CONFIG_RSBAC_RMSG
00148
rsbac_printk(KERN_WARNING
00149
"rsbac_acl_check_super(): rsbac_get_attr() for process rc_role returned error!\n");
00150
#endif
00151
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00152
if (!rsbac_nosyslog)
00153
#endif
00154
printk(KERN_WARNING
00155
"rsbac_acl_check_super(): rsbac_get_attr() for process rc_role returned error!\n");
00156 }
00157
else
00158 {
00159 err =
rsbac_acl_get_single_right(target,
00160 tid,
00161
ACLS_ROLE,
00162 i_attr_val1.
rc_role,
00163
ACLR_SUPERVISOR,
00164 &i_result);
00165
if(err)
00166 {
00167
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00168
00169
if(tmp)
00170 {
00171
get_error_name(tmp,err);
00172
#ifdef CONFIG_RSBAC_RMSG
00173
rsbac_printk(KERN_WARNING
00174
"rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n",
00175 tmp);
00176
#endif
00177
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00178
if (!rsbac_nosyslog)
00179
#endif
00180
printk(KERN_WARNING
00181
"rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n",
00182 tmp);
00183
rsbac_kfree(tmp);
00184 }
00185
return FALSE;
00186 }
00187
if(i_result)
00188
return(
TRUE);
00189 }
00190
#endif
00191
00192
00193
00194 group_p =
NULL;
00195 err =
rsbac_acl_get_user_groups(user, &group_p,
NULL);
00196
if(err<0)
00197 {
00198
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00199
00200
if(tmp)
00201 {
00202
#ifdef CONFIG_RSBAC_RMSG
00203
rsbac_printk(KERN_WARNING
00204
"rsbac_acl_check_super(): rsbac_acl_get_user_groups() returned error %s!\n",
00205
get_error_name(tmp,err));
00206
#endif
00207
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00208
if (!rsbac_nosyslog)
00209
#endif
00210
printk(KERN_WARNING
00211
"rsbac_acl_check_super(): rsbac_acl_get_user_groups() returned error %s!\n",
00212
get_error_name(tmp,err));
00213
rsbac_kfree(tmp);
00214 }
00215
return err;
00216 }
00217
for(i=0; i<err; i++)
00218 {
00219 tmperr =
rsbac_acl_get_single_right(target,
00220 tid,
00221
ACLS_GROUP,
00222 group_p[i],
00223
ACLR_SUPERVISOR,
00224 &i_result);
00225
if(tmperr)
00226 {
00227
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00228
00229
if(tmp)
00230 {
00231
#ifdef CONFIG_RSBAC_RMSG
00232
rsbac_printk(KERN_WARNING
00233
"rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n",
00234
get_error_name(tmp,tmperr));
00235
#endif
00236
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00237
if (!rsbac_nosyslog)
00238
#endif
00239
printk(KERN_WARNING
00240
"rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n",
00241
get_error_name(tmp,tmperr));
00242
rsbac_kfree(tmp);
00243 }
00244
if(group_p)
00245
rsbac_vfree(group_p);
00246
return FALSE;
00247 }
00248
if(i_result)
00249 {
00250
if(group_p)
00251
rsbac_vfree(group_p);
00252
return(
TRUE);
00253 }
00254 }
00255
if(group_p)
00256
rsbac_vfree(group_p);
00257
00258
00259
return FALSE;
00260 };
00261
00262
00263
#if !defined(CONFIG_RSBAC_MAINT)
00264
boolean rsbac_acl_check_forward(
enum rsbac_target_t target,
00265
union rsbac_target_id_t tid,
00266
rsbac_uid_t user,
00267
rsbac_acl_rights_vector_t rights);
00268
00269
boolean rsbac_acl_check_super(
enum rsbac_target_t target,
00270
union rsbac_target_id_t tid,
00271
rsbac_uid_t user);
00272
00273
boolean rsbac_acl_check_right(
enum rsbac_target_t target,
00274
union rsbac_target_id_t tid,
00275
rsbac_uid_t user,
00276
rsbac_pid_t caller_pid,
00277
enum rsbac_adf_request_t request);
00278
#endif
00279
00280
00281
00282
00283
00284 int rsbac_acl_sys_set_acl_entry (
enum rsbac_target_t target,
00285
union rsbac_target_id_t tid,
00286
enum rsbac_acl_subject_type_t subj_type,
00287
rsbac_acl_subject_id_t subj_id,
00288
rsbac_acl_rights_vector_t rights,
00289
rsbac_time_t ttl)
00290 {
00291
int err=0;
00292
00293
#ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
00294
00295
if( (target ==
T_NETOBJ)
00296 && tid.
netobj.
sock_p
00297 && ( tid.
netobj.
remote_addr
00298
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00299
|| !tid.
netobj.
sock_p->file
00300 || !tid.
netobj.
sock_p->file->f_dentry
00301 || !tid.
netobj.
sock_p->file->f_dentry->d_inode
00302 || (SOCKET_I(tid.
netobj.
sock_p->file->f_dentry->d_inode) != tid.
netobj.
sock_p)
00303
#else
00304
|| !tid.
netobj.
sock_p->inode
00305 || (&(tid.
netobj.
sock_p->inode->u.socket_i) != tid.
netobj.
sock_p)
00306
#endif
00307
)
00308 )
00309
return -
RSBAC_EINVALIDTARGET;
00310
#endif
00311
00312
00313
#if !defined(CONFIG_RSBAC_MAINT)
00314
#ifdef CONFIG_RSBAC_SWITCH
00315
if(rsbac_switch_acl)
00316
#endif
00317
{
00318
rsbac_uid_t user;
00319
00320
if(rsbac_get_owner(&user))
00321
return -
RSBAC_EREADFAILED;
00322
00323
if(!
rsbac_acl_check_right(target, tid, user, current->pid,
ACLR_ACCESS_CONTROL))
00324 {
00325
00326
00327
if( (ttl !=
RSBAC_LIST_TTL_KEEP)
00328 || !
rsbac_acl_check_forward(target, tid, user, rights)
00329 )
00330 {
00331
char * rights_string =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00332
char * subject_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00333
char * target_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00334
#ifdef CONFIG_RSBAC_LOG_FULL_PATH
00335
char * target_id_name
00336 =
rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN +
RSBAC_MAXNAMELEN);
00337
00338
#else
00339
char * target_id_name =
rsbac_kmalloc(2 *
RSBAC_MAXNAMELEN);
00340
00341
#endif
00342
00343
u64tostracl(rights_string, rights);
00344
get_acl_subject_type_name(subject_type_name, subj_type);
00345
get_target_name(target_type_name, target, target_id_name, tid);
00346
#ifdef CONFIG_RSBAC_RMSG
00347
rsbac_printk(KERN_INFO
00348
"rsbac_acl_sys_set_acl_entry(): setting rights %s for %s %u to %s %s denied for user %u!\n",
00349 rights_string,
00350 subject_type_name,
00351 subj_id,
00352 target_type_name,
00353 target_id_name,
00354 user);
00355
#endif
00356
#ifndef CONFIG_RSBAC_RMSG_EXCL
00357
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00358
if (!rsbac_nosyslog)
00359
#endif
00360
printk(KERN_INFO
00361
"rsbac_acl_sys_set_acl_entry(): setting rights %s for %s %u to %s %s denied for user %u!\n",
00362 rights_string,
00363 subject_type_name,
00364 subj_id,
00365 target_type_name,
00366 target_id_name,
00367 user);
00368
#endif
00369
rsbac_kfree(rights_string);
00370
rsbac_kfree(subject_type_name);
00371
rsbac_kfree(target_type_name);
00372
rsbac_kfree(target_id_name);
00373
00374
#ifdef CONFIG_RSBAC_SOFTMODE
00375
if( !rsbac_softmode
00376
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00377
&& !rsbac_ind_softmode[
ACL]
00378
#endif
00379
)
00380
#endif
00381
return(-EPERM);
00382 }
00383 }
00384
if(rights &
RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR)
00385 {
00386
00387
if(!
rsbac_acl_check_super(target, tid, user))
00388 {
00389
char * subject_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00390
char * target_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00391
#ifdef CONFIG_RSBAC_LOG_FULL_PATH
00392
char * target_id_name
00393 =
rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN +
RSBAC_MAXNAMELEN);
00394
00395
#else
00396
char * target_id_name =
rsbac_kmalloc(2 *
RSBAC_MAXNAMELEN);
00397
00398
#endif
00399
00400
get_acl_subject_type_name(subject_type_name, subj_type);
00401
get_target_name(target_type_name, target, target_id_name, tid);
00402
#ifdef CONFIG_RSBAC_RMSG
00403
rsbac_printk(KERN_INFO
00404
"rsbac_acl_sys_set_acl_entry(): setting SUPERVISOR for %s %u to %s %s denied for user %u!\n",
00405 subject_type_name,
00406 subj_id,
00407 target_type_name,
00408 target_id_name,
00409 user);
00410
#endif
00411
#ifndef CONFIG_RSBAC_RMSG_EXCL
00412
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00413
if (!rsbac_nosyslog)
00414
#endif
00415
printk(KERN_INFO
00416
"rsbac_acl_sys_set_acl_entry(): setting SUPERVISOR for %s %u to %s %s denied for user %u!\n",
00417 subject_type_name,
00418 subj_id,
00419 target_type_name,
00420 target_id_name,
00421 user);
00422
#endif
00423
rsbac_kfree(subject_type_name);
00424
rsbac_kfree(target_type_name);
00425
rsbac_kfree(target_id_name);
00426
#ifdef CONFIG_RSBAC_SOFTMODE
00427
if( !rsbac_softmode
00428
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00429
&& !rsbac_ind_softmode[
ACL]
00430
#endif
00431
)
00432
#endif
00433
return(-EPERM);
00434 }
00435 }
00436 }
00437
#endif
00438
00439
00440 err =
rsbac_acl_set_acl_entry(target, tid, subj_type, subj_id, rights, ttl);
00441
if(err)
00442 {
00443
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00444
00445
if(tmp)
00446 {
00447
#ifdef CONFIG_RSBAC_RMSG
00448
rsbac_printk(KERN_WARNING
00449
"rsbac_acl_sys_set_acl_entry(): rsbac_acl_set_acl_entry() returned error %s!\n",
00450
get_error_name(tmp,err));
00451
#endif
00452
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00453
if (!rsbac_nosyslog)
00454
#endif
00455
printk(KERN_WARNING
00456
"rsbac_acl_sys_set_acl_entry(): rsbac_acl_set_acl_entry() returned error %s!\n",
00457
get_error_name(tmp,err));
00458
rsbac_kfree(tmp);
00459 }
00460 }
00461
return err;
00462 }
00463
00464 int rsbac_acl_sys_remove_acl_entry (
enum rsbac_target_t target,
00465
union rsbac_target_id_t tid,
00466
enum rsbac_acl_subject_type_t subj_type,
00467
rsbac_acl_subject_id_t subj_id)
00468 {
00469
int err=0;
00470
00471
#ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
00472
00473
if( (target ==
T_NETOBJ)
00474 && tid.
netobj.
sock_p
00475 && ( tid.
netobj.
remote_addr
00476
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00477
|| !tid.
netobj.
sock_p->file
00478 || !tid.
netobj.
sock_p->file->f_dentry
00479 || !tid.
netobj.
sock_p->file->f_dentry->d_inode
00480 || (SOCKET_I(tid.
netobj.
sock_p->file->f_dentry->d_inode) != tid.
netobj.
sock_p)
00481
#else
00482
|| !tid.
netobj.
sock_p->inode
00483 || (&(tid.
netobj.
sock_p->inode->u.socket_i) != tid.
netobj.
sock_p)
00484
#endif
00485
)
00486 )
00487
return -
RSBAC_EINVALIDTARGET;
00488
#endif
00489
00490
00491
#if !defined(CONFIG_RSBAC_MAINT)
00492
#ifdef CONFIG_RSBAC_SWITCH
00493
if(rsbac_switch_acl)
00494
#endif
00495
{
00496
rsbac_uid_t user;
00497
rsbac_acl_rights_vector_t res_rights = 0;
00498
00499
if(rsbac_get_owner(&user))
00500
return -
RSBAC_EREADFAILED;
00501
00502
if(!
rsbac_acl_check_right(target, tid, user, current->pid,
ACLR_ACCESS_CONTROL))
00503 {
00504
char * subject_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00505
char * target_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00506
#ifdef CONFIG_RSBAC_LOG_FULL_PATH
00507
char * target_id_name
00508 =
rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN +
RSBAC_MAXNAMELEN);
00509
00510
#else
00511
char * target_id_name =
rsbac_kmalloc(2 *
RSBAC_MAXNAMELEN);
00512
00513
#endif
00514
00515
get_acl_subject_type_name(subject_type_name, subj_type);
00516
get_target_name(target_type_name, target, target_id_name, tid);
00517
#ifdef CONFIG_RSBAC_RMSG
00518
rsbac_printk(KERN_INFO
00519
"rsbac_acl_sys_remove_acl_entry(): removing ACL entry for %s %u at %s %s denied for user %u!\n",
00520 subject_type_name,
00521 subj_id,
00522 target_type_name,
00523 target_id_name,
00524 user);
00525
#endif
00526
#ifndef CONFIG_RSBAC_RMSG_EXCL
00527
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00528
if (!rsbac_nosyslog)
00529
#endif
00530
printk(KERN_INFO
00531
"rsbac_acl_sys_remove_acl_entry(): removing ACL entry for %s %u at %s %s denied for user %u!\n",
00532 subject_type_name,
00533 subj_id,
00534 target_type_name,
00535 target_id_name,
00536 user);
00537
#endif
00538
rsbac_kfree(subject_type_name);
00539
rsbac_kfree(target_type_name);
00540
rsbac_kfree(target_id_name);
00541
#ifdef CONFIG_RSBAC_SOFTMODE
00542
if( !rsbac_softmode
00543
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00544
&& !rsbac_ind_softmode[
ACL]
00545
#endif
00546
)
00547
#endif
00548
return(-EPERM);
00549 }
00550
00551 err =
rsbac_acl_get_rights(target, tid, subj_type, subj_id, &res_rights,
FALSE);
00552
if(err)
00553 {
00554
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00555
00556
if(tmp)
00557 {
00558
#ifdef CONFIG_RSBAC_RMSG
00559
rsbac_printk(KERN_WARNING
00560
"rsbac_acl_sys_remove_acl_entry(): rsbac_acl_get_rights() returned error %s!\n",
00561
get_error_name(tmp,err));
00562
#endif
00563
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00564
if (!rsbac_nosyslog)
00565
#endif
00566
printk(KERN_WARNING
00567
"rsbac_acl_sys_remove_acl_entry(): rsbac_acl_get_rights() returned error %s!\n",
00568
get_error_name(tmp,err));
00569
rsbac_kfree(tmp);
00570 }
00571
return err;
00572 }
00573
if(res_rights &
RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR)
00574 {
00575
00576
if(!
rsbac_acl_check_super(target, tid, user))
00577 {
00578
char * subject_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00579
char * target_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00580
#ifdef CONFIG_RSBAC_LOG_FULL_PATH
00581
char * target_id_name
00582 =
rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN +
RSBAC_MAXNAMELEN);
00583
00584
#else
00585
char * target_id_name =
rsbac_kmalloc(2 *
RSBAC_MAXNAMELEN);
00586
00587
#endif
00588
00589
get_acl_subject_type_name(subject_type_name, subj_type);
00590
get_target_name(target_type_name, target, target_id_name, tid);
00591
#ifdef CONFIG_RSBAC_RMSG
00592
rsbac_printk(KERN_INFO
00593
"rsbac_acl_sys_remove_acl_entry(): removing ACL entry with SUPERVISOR for %s %u at %s %s denied for user %u!\n",
00594 subject_type_name,
00595 subj_id,
00596 target_type_name,
00597 target_id_name,
00598 user);
00599
#endif
00600
#ifndef CONFIG_RSBAC_RMSG_EXCL
00601
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00602
if (!rsbac_nosyslog)
00603
#endif
00604
printk(KERN_INFO
00605
"rsbac_acl_sys_remove_acl_entry(): removing ACL entry with SUPERVISOR for %s %u at %s %s denied for user %u!\n",
00606 subject_type_name,
00607 subj_id,
00608 target_type_name,
00609 target_id_name,
00610 user);
00611
#endif
00612
rsbac_kfree(subject_type_name);
00613
rsbac_kfree(target_type_name);
00614
rsbac_kfree(target_id_name);
00615
#ifdef CONFIG_RSBAC_SOFTMODE
00616
if( !rsbac_softmode
00617
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00618
&& !rsbac_ind_softmode[
ACL]
00619
#endif
00620
)
00621
#endif
00622
return(-EPERM);
00623 }
00624 }
00625 }
00626
#endif
00627
00628
00629 err =
rsbac_acl_remove_acl_entry(target, tid, subj_type, subj_id);
00630
if(err)
00631 {
00632
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00633
00634
if(tmp)
00635 {
00636
#ifdef CONFIG_RSBAC_RMSG
00637
rsbac_printk(KERN_WARNING
00638
"rsbac_acl_sys_remove_acl_entry(): rsbac_acl_remove_acl_entry() returned error %s!\n",
00639
get_error_name(tmp,err));
00640
#endif
00641
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00642
if (!rsbac_nosyslog)
00643
#endif
00644
printk(KERN_WARNING
00645
"rsbac_acl_sys_remove_acl_entry(): rsbac_acl_remove_acl_entry() returned error %s!\n",
00646
get_error_name(tmp,err));
00647
rsbac_kfree(tmp);
00648 }
00649 }
00650
return err;
00651 }
00652
00653 int rsbac_acl_sys_remove_acl (
enum rsbac_target_t target,
00654
union rsbac_target_id_t tid)
00655 {
00656
int err=0;
00657
00658
00659
#if !defined(CONFIG_RSBAC_MAINT)
00660
#ifdef CONFIG_RSBAC_SWITCH
00661
if(rsbac_switch_acl)
00662
#endif
00663
{
00664
rsbac_uid_t user;
00665
00666
if(rsbac_get_owner(&user))
00667
return -
RSBAC_EREADFAILED;
00668
00669
if(!
rsbac_acl_check_super(target, tid, user))
00670 {
00671
char * target_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00672
#ifdef CONFIG_RSBAC_LOG_FULL_PATH
00673
char * target_id_name
00674 =
rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN +
RSBAC_MAXNAMELEN);
00675
00676
#else
00677
char * target_id_name =
rsbac_kmalloc(2 *
RSBAC_MAXNAMELEN);
00678
00679
#endif
00680
00681
get_target_name(target_type_name, target, target_id_name, tid);
00682
#ifdef CONFIG_RSBAC_RMSG
00683
rsbac_printk(KERN_INFO
00684
"rsbac_acl_sys_remove_acl(): removing ACL from %s %s denied for user %u!\n",
00685 target_type_name,
00686 target_id_name,
00687 user);
00688
#endif
00689
#ifndef CONFIG_RSBAC_RMSG_EXCL
00690
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00691
if (!rsbac_nosyslog)
00692
#endif
00693
printk(KERN_INFO
00694
"rsbac_acl_sys_remove_acl(): removing ACL from %s %s denied for user %u!\n",
00695 target_type_name,
00696 target_id_name,
00697 user);
00698
#endif
00699
rsbac_kfree(target_type_name);
00700
rsbac_kfree(target_id_name);
00701
#ifdef CONFIG_RSBAC_SOFTMODE
00702
if( !rsbac_softmode
00703
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00704
&& !rsbac_ind_softmode[
ACL]
00705
#endif
00706
)
00707
#endif
00708
return(-EPERM);
00709 }
00710 }
00711
#endif
00712
00713
00714 err =
rsbac_acl_remove_acl(target, tid);
00715
if(err)
00716 {
00717
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00718
00719
if(tmp)
00720 {
00721
#ifdef CONFIG_RSBAC_RMSG
00722
rsbac_printk(KERN_WARNING
00723
"rsbac_acl_sys_remove_acl(): rsbac_acl_remove_acl() returned error %s!\n",
00724
get_error_name(tmp,err));
00725
#endif
00726
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00727
if (!rsbac_nosyslog)
00728
#endif
00729
printk(KERN_WARNING
00730
"rsbac_acl_sys_remove_acl(): rsbac_acl_remove_acl() returned error %s!\n",
00731
get_error_name(tmp,err));
00732
rsbac_kfree(tmp);
00733 }
00734 }
00735
return err;
00736 }
00737
00738 int rsbac_acl_sys_add_to_acl_entry (
enum rsbac_target_t target,
00739
union rsbac_target_id_t tid,
00740
enum rsbac_acl_subject_type_t subj_type,
00741
rsbac_acl_subject_id_t subj_id,
00742
rsbac_acl_rights_vector_t rights,
00743
rsbac_time_t ttl)
00744 {
00745
int err=0;
00746
00747
#ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
00748
00749
if( (target ==
T_NETOBJ)
00750 && tid.
netobj.
sock_p
00751 && ( tid.
netobj.
remote_addr
00752
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00753
|| !tid.
netobj.
sock_p->file
00754 || !tid.
netobj.
sock_p->file->f_dentry
00755 || !tid.
netobj.
sock_p->file->f_dentry->d_inode
00756 || (SOCKET_I(tid.
netobj.
sock_p->file->f_dentry->d_inode) != tid.
netobj.
sock_p)
00757
#else
00758
|| !tid.
netobj.
sock_p->inode
00759 || (&(tid.
netobj.
sock_p->inode->u.socket_i) != tid.
netobj.
sock_p)
00760
#endif
00761
)
00762 )
00763
return -
RSBAC_EINVALIDTARGET;
00764
#endif
00765
00766
00767
#if !defined(CONFIG_RSBAC_MAINT)
00768
#ifdef CONFIG_RSBAC_SWITCH
00769
if(rsbac_switch_acl)
00770
#endif
00771
{
00772
rsbac_uid_t user;
00773
00774
if(rsbac_get_owner(&user))
00775
return -
RSBAC_EREADFAILED;
00776
00777
if(!
rsbac_acl_check_right(target, tid, user, current->pid,
ACLR_ACCESS_CONTROL))
00778 {
00779
00780
00781
if( (ttl !=
RSBAC_LIST_TTL_KEEP)
00782 || !
rsbac_acl_check_forward(target, tid, user, rights)
00783 )
00784 {
00785
char * rights_string =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00786
char * subject_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00787
char * target_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00788
#ifdef CONFIG_RSBAC_LOG_FULL_PATH
00789
char * target_id_name
00790 =
rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN +
RSBAC_MAXNAMELEN);
00791
00792
#else
00793
char * target_id_name =
rsbac_kmalloc(2 *
RSBAC_MAXNAMELEN);
00794
00795
#endif
00796
00797
u64tostracl(rights_string, rights);
00798
get_acl_subject_type_name(subject_type_name, subj_type);
00799
get_target_name(target_type_name, target, target_id_name, tid);
00800
#ifdef CONFIG_RSBAC_RMSG
00801
rsbac_printk(KERN_INFO
00802
"rsbac_acl_sys_add_to_acl_entry(): adding rights %s for %s %u to %s %s denied for user %u!\n",
00803 rights_string,
00804 subject_type_name,
00805 subj_id,
00806 target_type_name,
00807 target_id_name,
00808 user);
00809
#endif
00810
#ifndef CONFIG_RSBAC_RMSG_EXCL
00811
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00812
if (!rsbac_nosyslog)
00813
#endif
00814
printk(KERN_INFO
00815
"rsbac_acl_sys_add_to_acl_entry(): adding rights %s for %s %u to %s %s denied for user %u!\n",
00816 rights_string,
00817 subject_type_name,
00818 subj_id,
00819 target_type_name,
00820 target_id_name,
00821 user);
00822
#endif
00823
rsbac_kfree(rights_string);
00824
rsbac_kfree(subject_type_name);
00825
rsbac_kfree(target_type_name);
00826
rsbac_kfree(target_id_name);
00827
#ifdef CONFIG_RSBAC_SOFTMODE
00828
if( !rsbac_softmode
00829
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00830
&& !rsbac_ind_softmode[
ACL]
00831
#endif
00832
)
00833
#endif
00834
return(-EPERM);
00835 }
00836 }
00837
if(rights &
RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR)
00838 {
00839
00840
if(!
rsbac_acl_check_super(target, tid, user))
00841 {
00842
char * subject_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00843
char * target_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00844
#ifdef CONFIG_RSBAC_LOG_FULL_PATH
00845
char * target_id_name
00846 =
rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN +
RSBAC_MAXNAMELEN);
00847
00848
#else
00849
char * target_id_name =
rsbac_kmalloc(2 *
RSBAC_MAXNAMELEN);
00850
00851
#endif
00852
00853
get_acl_subject_type_name(subject_type_name, subj_type);
00854
get_target_name(target_type_name, target, target_id_name, tid);
00855
#ifdef CONFIG_RSBAC_RMSG
00856
rsbac_printk(KERN_INFO
00857
"rsbac_acl_sys_add_to_acl_entry(): adding SUPERVISOR for %s %u to %s %s denied for user %u!\n",
00858 subject_type_name,
00859 subj_id,
00860 target_type_name,
00861 target_id_name,
00862 user);
00863
#endif
00864
#ifndef CONFIG_RSBAC_RMSG_EXCL
00865
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00866
if (!rsbac_nosyslog)
00867
#endif
00868
printk(KERN_INFO
00869
"rsbac_acl_sys_add_to_acl_entry(): adding SUPERVISOR for %s %u to %s %s denied for user %u!\n",
00870 subject_type_name,
00871 subj_id,
00872 target_type_name,
00873 target_id_name,
00874 user);
00875
#endif
00876
rsbac_kfree(subject_type_name);
00877
rsbac_kfree(target_type_name);
00878
rsbac_kfree(target_id_name);
00879
#ifdef CONFIG_RSBAC_SOFTMODE
00880
if( !rsbac_softmode
00881
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00882
&& !rsbac_ind_softmode[
ACL]
00883
#endif
00884
)
00885
#endif
00886
return(-EPERM);
00887 }
00888 }
00889 }
00890
#endif
00891
00892
00893 err =
rsbac_acl_add_to_acl_entry(target, tid, subj_type, subj_id, rights, ttl);
00894
if(err)
00895 {
00896
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00897
00898
if(tmp)
00899 {
00900
#ifdef CONFIG_RSBAC_RMSG
00901
rsbac_printk(KERN_WARNING
00902
"rsbac_acl_sys_add_to_acl_entry(): rsbac_acl_add_to_acl_entry() returned error %s!\n",
00903
get_error_name(tmp,err));
00904
#endif
00905
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00906
if (!rsbac_nosyslog)
00907
#endif
00908
printk(KERN_WARNING
00909
"rsbac_acl_sys_add_to_acl_entry(): rsbac_acl_add_to_acl_entry() returned error %s!\n",
00910
get_error_name(tmp,err));
00911
rsbac_kfree(tmp);
00912 }
00913 }
00914
return err;
00915 }
00916
00917 int rsbac_acl_sys_remove_from_acl_entry (
enum rsbac_target_t target,
00918
union rsbac_target_id_t tid,
00919
enum rsbac_acl_subject_type_t subj_type,
00920
rsbac_acl_subject_id_t subj_id,
00921
rsbac_acl_rights_vector_t rights)
00922 {
00923
int err=0;
00924
00925
#ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
00926
00927
if( (target ==
T_NETOBJ)
00928 && tid.
netobj.
sock_p
00929 && ( tid.
netobj.
remote_addr
00930
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00931
|| !tid.
netobj.
sock_p->file
00932 || !tid.
netobj.
sock_p->file->f_dentry
00933 || !tid.
netobj.
sock_p->file->f_dentry->d_inode
00934 || (SOCKET_I(tid.
netobj.
sock_p->file->f_dentry->d_inode) != tid.
netobj.
sock_p)
00935
#else
00936
|| !tid.
netobj.
sock_p->inode
00937 || (&(tid.
netobj.
sock_p->inode->u.socket_i) != tid.
netobj.
sock_p)
00938
#endif
00939
)
00940 )
00941
return -
RSBAC_EINVALIDTARGET;
00942
#endif
00943
00944
00945
#if !defined(CONFIG_RSBAC_MAINT)
00946
#ifdef CONFIG_RSBAC_SWITCH
00947
if(rsbac_switch_acl)
00948
#endif
00949
{
00950
rsbac_uid_t user;
00951
00952
if(rsbac_get_owner(&user))
00953
return -
RSBAC_EREADFAILED;
00954
00955
if(!
rsbac_acl_check_right(target, tid, user, current->pid,
ACLR_ACCESS_CONTROL))
00956 {
00957
char * rights_string =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00958
char * subject_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00959
char * target_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
00960
#ifdef CONFIG_RSBAC_LOG_FULL_PATH
00961
char * target_id_name
00962 =
rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN +
RSBAC_MAXNAMELEN);
00963
00964
#else
00965
char * target_id_name =
rsbac_kmalloc(2 *
RSBAC_MAXNAMELEN);
00966
00967
#endif
00968
00969
u64tostracl(rights_string, rights);
00970
get_acl_subject_type_name(subject_type_name, subj_type);
00971
get_target_name(target_type_name, target, target_id_name, tid);
00972
#ifdef CONFIG_RSBAC_RMSG
00973
rsbac_printk(KERN_INFO
00974
"rsbac_acl_sys_remove_from_acl_entry(): removing rights %s for %s %u to %s %s denied for user %u!\n",
00975 rights_string,
00976 subject_type_name,
00977 subj_id,
00978 target_type_name,
00979 target_id_name,
00980 user);
00981
#endif
00982
#ifndef CONFIG_RSBAC_RMSG_EXCL
00983
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00984
if (!rsbac_nosyslog)
00985
#endif
00986
printk(KERN_INFO
00987
"rsbac_acl_sys_remove_from_acl_entry(): removing rights %s for %s %u to %s %s denied for user %u!\n",
00988 rights_string,
00989 subject_type_name,
00990 subj_id,
00991 target_type_name,
00992 target_id_name,
00993 user);
00994
#endif
00995
rsbac_kfree(rights_string);
00996
rsbac_kfree(subject_type_name);
00997
rsbac_kfree(target_type_name);
00998
rsbac_kfree(target_id_name);
00999
#ifdef CONFIG_RSBAC_SOFTMODE
01000
if( !rsbac_softmode
01001
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01002
&& !rsbac_ind_softmode[
ACL]
01003
#endif
01004
)
01005
#endif
01006
return(-EPERM);
01007 }
01008
if(rights &
RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR)
01009 {
01010
01011
if(!
rsbac_acl_check_super(target, tid, user))
01012 {
01013
char * subject_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01014
char * target_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01015
#ifdef CONFIG_RSBAC_LOG_FULL_PATH
01016
char * target_id_name
01017 =
rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN +
RSBAC_MAXNAMELEN);
01018
01019
#else
01020
char * target_id_name =
rsbac_kmalloc(2 *
RSBAC_MAXNAMELEN);
01021
01022
#endif
01023
01024
get_acl_subject_type_name(subject_type_name, subj_type);
01025
get_target_name(target_type_name, target, target_id_name, tid);
01026
#ifdef CONFIG_RSBAC_RMSG
01027
rsbac_printk(KERN_INFO
01028
"rsbac_acl_sys_remove_from_acl_entry(): removing SUPERVISOR for %s %u to %s %s denied for user %u!\n",
01029 subject_type_name,
01030 subj_id,
01031 target_type_name,
01032 target_id_name,
01033 user);
01034
#endif
01035
#ifndef CONFIG_RSBAC_RMSG_EXCL
01036
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01037
if (!rsbac_nosyslog)
01038
#endif
01039
printk(KERN_INFO
01040
"rsbac_acl_sys_remove_from_acl_entry(): removing SUPERVISOR for %s %u to %s %s denied for user %u!\n",
01041 subject_type_name,
01042 subj_id,
01043 target_type_name,
01044 target_id_name,
01045 user);
01046
#endif
01047
rsbac_kfree(subject_type_name);
01048
rsbac_kfree(target_type_name);
01049
rsbac_kfree(target_id_name);
01050
#ifdef CONFIG_RSBAC_SOFTMODE
01051
if( !rsbac_softmode
01052
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01053
&& !rsbac_ind_softmode[
ACL]
01054
#endif
01055
)
01056
#endif
01057
return(-EPERM);
01058 }
01059 }
01060 }
01061
#endif
01062
01063
01064 err =
rsbac_acl_remove_from_acl_entry(target, tid, subj_type, subj_id, rights);
01065
if(err)
01066 {
01067
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01068
01069
if(tmp)
01070 {
01071
#ifdef CONFIG_RSBAC_RMSG
01072
rsbac_printk(KERN_WARNING
01073
"rsbac_acl_sys_remove_from_acl_entry(): rsbac_acl_remove_from_acl_entry() returned error %s!\n",
01074
get_error_name(tmp,err));
01075
#endif
01076
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01077
if (!rsbac_nosyslog)
01078
#endif
01079
printk(KERN_WARNING
01080
"rsbac_acl_sys_remove_from_acl_entry(): rsbac_acl_remove_from_acl_entry() returned error %s!\n",
01081
get_error_name(tmp,err));
01082
rsbac_kfree(tmp);
01083 }
01084 }
01085
return err;
01086 }
01087
01088 int rsbac_acl_sys_set_mask (
enum rsbac_target_t target,
01089
union rsbac_target_id_t tid,
01090
rsbac_acl_rights_vector_t mask)
01091 {
01092
int err=0;
01093
01094
01095
#if !defined(CONFIG_RSBAC_MAINT) || defined (CONFIG_RSBAC_ACL_SUPER_FILTER)
01096
rsbac_uid_t user;
01097
01098
if(rsbac_get_owner(&user))
01099
return -
RSBAC_EREADFAILED;
01100
#endif
01101
01102
#ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
01103
01104
if( (target ==
T_NETOBJ)
01105 && tid.
netobj.
sock_p
01106 && ( tid.
netobj.
remote_addr
01107
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01108
|| !tid.
netobj.
sock_p->file
01109 || !tid.
netobj.
sock_p->file->f_dentry
01110 || !tid.
netobj.
sock_p->file->f_dentry->d_inode
01111 || (SOCKET_I(tid.
netobj.
sock_p->file->f_dentry->d_inode) != tid.
netobj.
sock_p)
01112
#else
01113
|| !tid.
netobj.
sock_p->inode
01114 || (&(tid.
netobj.
sock_p->inode->u.socket_i) != tid.
netobj.
sock_p)
01115
#endif
01116
)
01117 )
01118
return -
RSBAC_EINVALIDTARGET;
01119
#endif
01120
01121
#if !defined(CONFIG_RSBAC_MAINT)
01122
#ifdef CONFIG_RSBAC_SWITCH
01123
if(rsbac_switch_acl)
01124
#endif
01125
{
01126
01127
if(!
rsbac_acl_check_right(target, tid, user, current->pid,
ACLR_ACCESS_CONTROL))
01128 {
01129
char * rights_string =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01130
char * target_type_name =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01131
#ifdef CONFIG_RSBAC_LOG_FULL_PATH
01132
char * target_id_name
01133 =
rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN +
RSBAC_MAXNAMELEN);
01134
01135
#else
01136
char * target_id_name =
rsbac_kmalloc(2 *
RSBAC_MAXNAMELEN);
01137
01138
#endif
01139
01140
u64tostracl(rights_string, mask);
01141
get_target_name(target_type_name, target, target_id_name, tid);
01142
#ifdef CONFIG_RSBAC_RMSG
01143
rsbac_printk(KERN_INFO
01144
"rsbac_acl_sys_set_mask(): setting mask %s for %s %s denied for user %u!\n",
01145 rights_string,
01146 target_type_name,
01147 target_id_name,
01148 user);
01149
#endif
01150
#ifndef CONFIG_RSBAC_RMSG_EXCL
01151
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01152
if (!rsbac_nosyslog)
01153
#endif
01154
printk(KERN_INFO
01155
"rsbac_acl_sys_set_mask(): setting mask %s for %s %s denied for user %u!\n",
01156 rights_string,
01157 target_type_name,
01158 target_id_name,
01159 user);
01160
#endif
01161
rsbac_kfree(rights_string);
01162
rsbac_kfree(target_type_name);
01163
rsbac_kfree(target_id_name);
01164
#ifdef CONFIG_RSBAC_SOFTMODE
01165
if( !rsbac_softmode
01166
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01167
&& !rsbac_ind_softmode[
ACL]
01168
#endif
01169
)
01170
#endif
01171
return(-EPERM);
01172 }
01173 }
01174
#endif
01175
01176
#ifdef CONFIG_RSBAC_ACL_SUPER_FILTER
01177
if(!(mask &
RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR))
01178 {
01179
rsbac_acl_rights_vector_t res_rights = 0;
01180
01181
01182
01183 err =
rsbac_acl_get_rights(target, tid,
ACLS_USER, user, &res_rights,
FALSE);
01184
if(err)
01185
return -
RSBAC_EREADFAILED;
01186
if(!(res_rights &
RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR))
01187 mask |=
RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR;
01188 }
01189
#else
01190
01191 mask |=
RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR;
01192
#endif
01193
01194
01195 err =
rsbac_acl_set_mask(target, tid, mask);
01196
if(err)
01197 {
01198
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01199
01200
if(tmp)
01201 {
01202
#ifdef CONFIG_RSBAC_RMSG
01203
rsbac_printk(KERN_WARNING
01204
"rsbac_acl_sys_set_mask(): rsbac_acl_set_mask() returned error %s!\n",
01205
get_error_name(tmp,err));
01206
#endif
01207
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01208
if (!rsbac_nosyslog)
01209
#endif
01210
printk(KERN_WARNING
01211
"rsbac_acl_sys_set_mask(): rsbac_acl_set_mask() returned error %s!\n",
01212
get_error_name(tmp,err));
01213
rsbac_kfree(tmp);
01214 }
01215 }
01216
return err;
01217 }
01218
01219 int rsbac_acl_sys_remove_user(
rsbac_uid_t uid)
01220 {
01221
int err=0;
01222
01223
01224
#if !defined(CONFIG_RSBAC_MAINT)
01225
#ifdef CONFIG_RSBAC_SWITCH
01226
if(rsbac_switch_acl)
01227
#endif
01228
{
01229
rsbac_uid_t user;
01230
union rsbac_target_id_t tid;
01231
01232
if(rsbac_get_owner(&user))
01233
return -
RSBAC_EREADFAILED;
01234 tid.
user = uid;
01235
01236
if(!
rsbac_acl_check_right(
T_USER, tid, user, current->pid,
R_DELETE))
01237 {
01238
#ifdef CONFIG_RSBAC_RMSG
01239
rsbac_printk(KERN_INFO
01240
"rsbac_acl_sys_remove_user(): removing all data for user %u denied for user %u!\n",
01241 uid,
01242 user);
01243
#endif
01244
#ifndef CONFIG_RSBAC_RMSG_EXCL
01245
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01246
if (!rsbac_nosyslog)
01247
#endif
01248
printk(KERN_INFO
01249
"rsbac_acl_sys_remove_user(): removing all data for user %u denied for user %u!\n",
01250 uid,
01251 user);
01252
#endif
01253
#ifdef CONFIG_RSBAC_SOFTMODE
01254
if( !rsbac_softmode
01255
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01256
&& !rsbac_ind_softmode[
ACL]
01257
#endif
01258
)
01259
#endif
01260
return(-EPERM);
01261 }
01262 }
01263
#endif
01264
01265
#ifdef CONFIG_RSBAC_RMSG
01266
rsbac_printk(KERN_INFO
01267
"rsbac_acl_sys_remove_user(): removing all data for user %u!\n",
01268 uid);
01269
#endif
01270
#ifndef CONFIG_RSBAC_RMSG_EXCL
01271
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01272
if (!rsbac_nosyslog)
01273
#endif
01274
printk(KERN_INFO
01275
"rsbac_acl_sys_remove_user(): removing all data for user %u!\n",
01276 uid);
01277
#endif
01278
01279 err =
rsbac_acl_remove_user(uid);
01280
if(err)
01281 {
01282
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01283
01284
if(tmp)
01285 {
01286
#ifdef CONFIG_RSBAC_RMSG
01287
rsbac_printk(KERN_WARNING
01288
"rsbac_acl_sys_remove_user(): rsbac_acl_remove_user() returned error %s!\n",
01289
get_error_name(tmp,err));
01290
#endif
01291
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01292
if (!rsbac_nosyslog)
01293
#endif
01294
printk(KERN_WARNING
01295
"rsbac_acl_sys_remove_user(): rsbac_acl_remove_user() returned error %s!\n",
01296
get_error_name(tmp,err));
01297
rsbac_kfree(tmp);
01298 }
01299 }
01300
return err;
01301 }
01302
01303
01304
01305 int rsbac_acl_sys_get_mask (
enum rsbac_target_t target,
01306
union rsbac_target_id_t tid,
01307
rsbac_acl_rights_vector_t * mask_p)
01308 {
01309
int err=0;
01310
01311
01312
01313
01314 err =
rsbac_acl_get_mask(target, tid, mask_p);
01315
if(err)
01316 {
01317
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01318
01319
if(tmp)
01320 {
01321
#ifdef CONFIG_RSBAC_RMSG
01322
rsbac_printk(KERN_WARNING
01323
"rsbac_acl_sys_get_mask(): rsbac_acl_get_mask() returned error %s!\n",
01324
get_error_name(tmp,err));
01325
#endif
01326
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01327
if (!rsbac_nosyslog)
01328
#endif
01329
printk(KERN_WARNING
01330
"rsbac_acl_sys_get_mask(): rsbac_acl_get_mask() returned error %s!\n",
01331
get_error_name(tmp,err));
01332
rsbac_kfree(tmp);
01333 }
01334 }
01335
return err;
01336 }
01337
01338 int rsbac_acl_sys_get_rights (
enum rsbac_target_t target,
01339
union rsbac_target_id_t tid,
01340
enum rsbac_acl_subject_type_t subj_type,
01341
rsbac_acl_subject_id_t subj_id,
01342
rsbac_acl_rights_vector_t * rights_p,
01343
boolean effective)
01344 {
01345
int err=0;
01346
rsbac_acl_rights_vector_t res_rights;
01347
#if defined(CONFIG_RSBAC_RC)
01348
union rsbac_target_id_t i_tid;
01349
union rsbac_attribute_value_t i_attr_val1;
01350
#endif
01351
01352
01353
01354
if( (subj_type ==
ACLS_USER)
01355 && (subj_id ==
RSBAC_NO_USER)
01356 )
01357 rsbac_get_owner((
rsbac_uid_t *) &subj_id);
01358
01359
if(effective)
01360 {
01361
01362 res_rights = 0;
01363 err =
rsbac_acl_get_rights(target, tid, subj_type, subj_id, &res_rights,
TRUE);
01364
if(err)
01365 {
01366
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01367
01368
if(tmp)
01369 {
01370
#ifdef CONFIG_RSBAC_RMSG
01371
rsbac_printk(KERN_WARNING
01372
"rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n",
01373
get_error_name(tmp,err));
01374
#endif
01375
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01376
if (!rsbac_nosyslog)
01377
#endif
01378
printk(KERN_WARNING
01379
"rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n",
01380
get_error_name(tmp,err));
01381
rsbac_kfree(tmp);
01382 }
01383
return err;
01384 }
01385 *rights_p = res_rights;
01386
01387
if(subj_type ==
ACLS_USER)
01388 {
01389
rsbac_acl_group_id_t * group_p;
01390
int i;
01391
int tmperr;
01392
01393
01394 res_rights = 0;
01395 err =
rsbac_acl_get_rights(target, tid,
ACLS_GROUP,
RSBAC_ACL_GROUP_EVERYONE,
01396 &res_rights,
TRUE);
01397
if(err)
01398 {
01399
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01400
01401
if(tmp)
01402 {
01403
#ifdef CONFIG_RSBAC_RMSG
01404
rsbac_printk(KERN_WARNING
01405
"rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n",
01406
get_error_name(tmp,err));
01407
#endif
01408
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01409
if (!rsbac_nosyslog)
01410
#endif
01411
printk(KERN_WARNING
01412
"rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n",
01413
get_error_name(tmp,err));
01414
rsbac_kfree(tmp);
01415 }
01416
return err;
01417 }
01418 *rights_p |= res_rights;
01419
01420
01421
01422 group_p =
NULL;
01423 err =
rsbac_acl_get_user_groups(subj_id, &group_p,
NULL);
01424
if(err<0)
01425 {
01426
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01427
01428
if(tmp)
01429 {
01430
#ifdef CONFIG_RSBAC_RMSG
01431
rsbac_printk(KERN_WARNING
01432
"rsbac_acl_sys_get_rights(): rsbac_acl_get_user_groups() returned error %s!\n",
01433
get_error_name(tmp,err));
01434
#endif
01435
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01436
if (!rsbac_nosyslog)
01437
#endif
01438
printk(KERN_WARNING
01439
"rsbac_acl_sys_get_rights(): rsbac_acl_get_user_groups() returned error %s!\n",
01440
get_error_name(tmp,err));
01441
rsbac_kfree(tmp);
01442 }
01443
return err;
01444 }
01445
for(i=0; i<err; i++)
01446 {
01447 res_rights = 0;
01448 tmperr =
rsbac_acl_get_rights(target, tid,
ACLS_GROUP, group_p[i],
01449 &res_rights,
TRUE);
01450
if(tmperr)
01451 {
01452
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01453
01454
if(tmp)
01455 {
01456
#ifdef CONFIG_RSBAC_RMSG
01457
rsbac_printk(KERN_WARNING
01458
"rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n",
01459
get_error_name(tmp,err));
01460
#endif
01461
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01462
if (!rsbac_nosyslog)
01463
#endif
01464
printk(KERN_WARNING
01465
"rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n",
01466
get_error_name(tmp,err));
01467
rsbac_kfree(tmp);
01468 }
01469
if(group_p)
01470
rsbac_vfree(group_p);
01471
return tmperr;
01472 }
01473 *rights_p |= res_rights;
01474 }
01475 err = 0;
01476
if(group_p)
01477
rsbac_vfree(group_p);
01478
01479
#if defined(CONFIG_RSBAC_RC)
01480
01481
01482 i_tid.
user = subj_id;
01483
if (
rsbac_get_attr(
RC,
01484
T_USER,
01485 i_tid,
01486
A_rc_def_role,
01487 &i_attr_val1,
01488
FALSE))
01489 {
01490
#ifdef CONFIG_RSBAC_RMSG
01491
rsbac_printk(KERN_WARNING
01492
"rsbac_acl_sys_get_rights(): rsbac_get_attr() for process rc_role returned error!\n");
01493
#endif
01494
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01495
if (!rsbac_nosyslog)
01496
#endif
01497
printk(KERN_WARNING
01498
"rsbac_acl_sys_get_rights(): rsbac_get_attr() for process rc_role returned error!\n");
01499 }
01500
else
01501 {
01502 res_rights = 0;
01503 err =
rsbac_acl_get_rights(target, tid,
ACLS_ROLE, i_attr_val1.
rc_role,
01504 &res_rights,
TRUE);
01505
if(err)
01506 {
01507
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01508
01509
if(tmp)
01510 {
01511
get_error_name(tmp,err);
01512
#ifdef CONFIG_RSBAC_RMSG
01513
rsbac_printk(KERN_WARNING
01514
"rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n",
01515 tmp);
01516
#endif
01517
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01518
if (!rsbac_nosyslog)
01519
#endif
01520
printk(KERN_WARNING
01521
"rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n",
01522 tmp);
01523
rsbac_kfree(tmp);
01524 }
01525
return err;
01526 }
01527 *rights_p |= res_rights;
01528 }
01529
#endif
01530
01531
01532
if( !(*rights_p &
RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR)
01533 &&
rsbac_acl_check_super(target, tid, subj_id)
01534 )
01535 *rights_p |=
RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR;
01536 }
01537
else
01538 {
01539
if(!(*rights_p &
RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR))
01540 {
01541
boolean i_result =
FALSE;
01542
01543
01544
01545 err =
rsbac_acl_get_single_right(target,
01546 tid,
01547 subj_type,
01548 subj_id,
01549
ACLR_SUPERVISOR,
01550 &i_result);
01551
if(err)
01552 {
01553
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01554
01555
if(tmp)
01556 {
01557
#ifdef CONFIG_RSBAC_RMSG
01558
rsbac_printk(KERN_WARNING
01559
"rsbac_acl_sys_get_rights(): rsbac_acl_get_right() returned error %s!\n",
01560
get_error_name(tmp,err));
01561
#endif
01562
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01563
if (!rsbac_nosyslog)
01564
#endif
01565
printk(KERN_WARNING
01566
"rsbac_acl_sys_get_rights(): rsbac_acl_get_right() returned error %s!\n",
01567
get_error_name(tmp,err));
01568
rsbac_kfree(tmp);
01569 }
01570 }
01571
else
01572
if(i_result)
01573 *rights_p |=
RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR;
01574 }
01575 }
01576 }
01577
else
01578 {
01579
01580 res_rights = 0;
01581 err =
rsbac_acl_get_rights(target, tid, subj_type, subj_id, &res_rights,
FALSE);
01582
if(!err)
01583 *rights_p = res_rights;
01584 }
01585
return err;
01586 }
01587
01588 int rsbac_acl_sys_get_tlist (
enum rsbac_target_t target,
01589
union rsbac_target_id_t tid,
01590
struct rsbac_acl_entry_t ** entry_pp,
01591
rsbac_time_t ** ttl_pp)
01592 {
01593
int err=0;
01594
01595
01596
01597
01598 err =
rsbac_acl_get_tlist(target, tid, entry_pp, ttl_pp);
01599
if(err == -
RSBAC_ENOTFOUND)
01600 err = 0;
01601
else
01602
if(err<0)
01603 {
01604
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01605
01606
if(tmp)
01607 {
01608
#ifdef CONFIG_RSBAC_RMSG
01609
rsbac_printk(KERN_WARNING
01610
"rsbac_acl_sys_get_tlist(): rsbac_acl_get_tlist() returned error %s!\n",
01611
get_error_name(tmp,err));
01612
#endif
01613
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01614
if (!rsbac_nosyslog)
01615
#endif
01616
printk(KERN_WARNING
01617
"rsbac_acl_sys_get_tlist(): rsbac_acl_get_tlist() returned error %s!\n",
01618
get_error_name(tmp,err));
01619
rsbac_kfree(tmp);
01620 }
01621 }
01622
return err;
01623 }
01624
01625
01626
01627 int rsbac_acl_sys_group(
enum rsbac_acl_group_syscall_type_t call,
01628
union rsbac_acl_group_syscall_arg_t arg)
01629 {
01630
int err = -
RSBAC_EINVALIDREQUEST;
01631
char * k_name;
01632
rsbac_acl_group_id_t k_group;
01633
struct rsbac_acl_group_entry_t entry;
01634
rsbac_uid_t caller;
01635
01636
if(call >=
ACLGS_none)
01637
return -
RSBAC_EINVALIDREQUEST;
01638
if(rsbac_get_owner(&caller))
01639
return -
RSBAC_EREADFAILED;
01640
01641
#ifdef CONFIG_RSBAC_DEBUG
01642
if(rsbac_debug_aef_acl)
01643 {
01644
char * tmp =
rsbac_kmalloc(
RSBAC_MAXNAMELEN);
01645
01646
if(tmp)
01647 {
01648
#ifdef CONFIG_RSBAC_RMSG
01649
rsbac_printk(KERN_DEBUG
01650
"rsbac_acl_sys_group(): %s called\n",
01651
get_acl_group_syscall_name(tmp,call));
01652
#endif
01653
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01654
if (!rsbac_nosyslog)
01655
#endif
01656
printk(KERN_DEBUG
01657
"rsbac_acl_sys_group(): %s called\n",
01658
get_acl_group_syscall_name(tmp,call));
01659
rsbac_kfree(tmp);
01660 }
01661 }
01662
#endif
01663
01664
switch(call)
01665 {
01666
case ACLGS_add_group:
01667
if(arg.
add_group.
type >=
ACLG_NONE)
01668 {
01669 err = -
RSBAC_EINVALIDVALUE;
01670
break;
01671 }
01672 k_name = rsbac_getname(arg.
add_group.
name);
01673
if(!k_name)
01674 {
01675 err = -
RSBAC_EINVALIDVALUE;
01676
break;
01677 }
01678 err = rsbac_get_user((
char *)&k_group, (
char *)arg.
add_group.
group_id_p,
sizeof(k_group));
01679
if(err)
01680
break;
01681 err =
rsbac_acl_add_group(caller,
01682 arg.
add_group.
type,
01683 k_name,
01684 &k_group);
01685 rsbac_putname(k_name);
01686
if(!err)
01687 err = rsbac_put_user((
char *)&k_group, (
char *) arg.
add_group.
group_id_p,
sizeof(k_group));
01688
break;
01689
01690
case ACLGS_change_group:
01691
if(arg.
change_group.
type >=
ACLG_NONE)
01692 {
01693 err = -
RSBAC_EINVALIDVALUE;
01694
break;
01695 }
01696 err =
rsbac_acl_get_group_entry(arg.
change_group.
id, &entry);
01697
if(err)
01698
break;
01699
01700
#if !defined(CONFIG_RSBAC_MAINT)
01701
#ifdef CONFIG_RSBAC_SWITCH
01702
if(rsbac_switch_acl)
01703
#endif
01704
{
01705
if(entry.
owner != caller)
01706 {
01707
#ifdef CONFIG_RSBAC_RMSG
01708
rsbac_printk(KERN_INFO
01709
"rsbac_acl_group(): changing group %u denied for user %u - not owner!\n",
01710 entry.
id,
01711 caller);
01712
#endif
01713
#ifndef CONFIG_RSBAC_RMSG_EXCL
01714
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01715
if (!rsbac_nosyslog)
01716
#endif
01717
printk(KERN_INFO
01718
"rsbac_acl_group(): changing group %u denied for user %u - not owner!\n",
01719 entry.
id,
01720 caller);
01721
#endif
01722
err = -EPERM;
01723
break;
01724 }
01725 }
01726
#endif
01727 {
01728
char * k_name;
01729
01730 k_name = rsbac_getname(arg.
change_group.
name);
01731
if(k_name)
01732 {
01733 err =
rsbac_acl_change_group(arg.
change_group.
id,
01734 arg.
change_group.
owner,
01735 arg.
change_group.
type,
01736 k_name);
01737 putname(k_name);
01738 }
01739
else
01740 err = -
RSBAC_EINVALIDVALUE;
01741 }
01742
break;
01743
01744
case ACLGS_remove_group:
01745 err =
rsbac_acl_get_group_entry(arg.
remove_group.
id, &entry);
01746
if(err)
01747
break;
01748
01749
#if !defined(CONFIG_RSBAC_MAINT)
01750
#ifdef CONFIG_RSBAC_SWITCH
01751
if(rsbac_switch_acl)
01752
#endif
01753
{
01754
if(entry.
owner != caller)
01755 {
01756
#ifdef CONFIG_RSBAC_RMSG
01757
rsbac_printk(KERN_INFO
01758
"rsbac_acl_group(): removing group %u denied for user %u - not owner!\n",
01759 entry.
id,
01760 caller);
01761
#endif
01762
#ifndef CONFIG_RSBAC_RMSG_EXCL
01763
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01764
if (!rsbac_nosyslog)
01765
#endif
01766
printk(KERN_INFO
01767
"rsbac_acl_group(): removing group %u denied for user %u - not owner!\n",
01768 entry.
id,
01769 caller);
01770
#endif
01771
err = -EPERM;
01772
break;
01773 }
01774 }
01775
#endif
01776 err =
rsbac_acl_remove_group(arg.
remove_group.
id);
01777
break;
01778
01779
case ACLGS_get_group_entry:
01780
if(!arg.
get_group_entry.
entry_p)
01781 {
01782 err = -
RSBAC_EINVALIDPOINTER;
01783
break;
01784 }
01785
if(!arg.
get_group_entry.
id)
01786 {
01787 entry.
id=0;
01788 entry.
owner=
RSBAC_NO_USER;
01789 entry.
type=
ACLG_GLOBAL;
01790 strcpy(entry.
name,
"Everyone");
01791 err=0;
01792 }
01793
else
01794 {
01795 err =
rsbac_acl_get_group_entry(arg.
get_group_entry.
id,
01796 &entry);
01797 }
01798
if(!err)
01799 {
01800
if( (entry.
owner != caller)
01801 &&(entry.
type !=
ACLG_GLOBAL)
01802 )
01803 {
01804
#ifdef CONFIG_RSBAC_RMSG
01805
rsbac_printk(KERN_INFO
01806
"rsbac_acl_group(): getting group entry %u denied for user %u - neither owner nor global!\n",
01807 entry.
id,
01808 caller);
01809
#endif
01810
#ifndef CONFIG_RSBAC_RMSG_EXCL
01811
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01812
if (!rsbac_nosyslog)
01813
#endif
01814
printk(KERN_INFO
01815
"rsbac_acl_group(): getting group entry %u denied for user %u - neither owner nor global!\n",
01816 entry.
id,
01817 caller);
01818
#endif
01819
err = -EPERM;
01820 }
01821
else
01822 err = rsbac_put_user((
char *)&entry, (
char *)arg.
get_group_entry.
entry_p,
sizeof(entry));
01823 }
01824
break;
01825
01826
case ACLGS_list_groups:
01827
if(arg.
list_groups.
maxnum <= 0)
01828 {
01829 err = -
RSBAC_EINVALIDVALUE;
01830
break;
01831 }
01832
if(!arg.
list_groups.
group_entry_array)
01833 {
01834 err = -
RSBAC_EINVALIDPOINTER;
01835
break;
01836 }
01837 {
01838
struct rsbac_acl_group_entry_t * entry_p;
01839
int tmperr=0;
01840
01841
if(arg.
list_groups.
include_global)
01842 {
01843
struct rsbac_acl_group_entry_t entry_0;
01844
01845 entry_0.
id=0;
01846 entry_0.
owner=
RSBAC_NO_USER;
01847 entry_0.
type=
ACLG_GLOBAL;
01848 strcpy(entry_0.
name,
"Everyone");
01849 tmperr = rsbac_put_user((
char *) &entry_0,
01850 (
char *) arg.
list_groups.
group_entry_array,
01851
sizeof(entry_0));
01852
if(tmperr)
01853 {
01854 err = tmperr;
01855
break;
01856 }
01857
else
01858 err = 1;
01859 arg.
list_groups.
maxnum--;
01860 arg.
list_groups.
group_entry_array++;
01861 }
01862
else
01863 err = 0;
01864
01865
if(arg.
list_groups.
maxnum)
01866 {
01867
long count;
01868
01869 count =
rsbac_acl_list_groups(caller,
01870 arg.
list_groups.
include_global,
01871 &entry_p);
01872
if(count>0)
01873 {
01874
if(count > arg.
list_groups.
maxnum)
01875 count = arg.
list_groups.
maxnum;
01876 err+=count;
01877 tmperr = rsbac_put_user((
char *)entry_p,
01878 ((
char *)arg.
list_groups.
group_entry_array),
01879 count *
sizeof(*entry_p));
01880
if(tmperr)
01881 err=tmperr;
01882
rsbac_vfree(entry_p);
01883 }
01884
else
01885
if(count < 0)
01886 err=count;
01887 }
01888 }
01889
break;
01890
01891
case ACLGS_add_member:
01892
01893
#if !defined(CONFIG_RSBAC_MAINT)
01894
#ifdef CONFIG_RSBAC_SWITCH
01895
if(rsbac_switch_acl)
01896
#endif
01897
{
01898 err =
rsbac_acl_get_group_entry(arg.
add_member.
group, &entry);
01899
if(err)
01900
break;
01901
if(entry.
owner != caller)
01902 {
01903
#ifdef CONFIG_RSBAC_RMSG
01904
rsbac_printk(KERN_INFO
01905
"rsbac_acl_group(): adding group member to group %u denied for user %u - not owner!\n",
01906 entry.
id,
01907 caller);
01908
#endif
01909
#ifndef CONFIG_RSBAC_RMSG_EXCL
01910
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01911
if (!rsbac_nosyslog)
01912
#endif
01913
printk(KERN_INFO
01914
"rsbac_acl_group(): adding group member to group %u denied for user %u - not owner!\n",
01915 entry.
id,
01916 caller);
01917
#endif
01918
err = -EPERM;
01919
break;
01920 }
01921 }
01922
#endif
01923 err =
rsbac_acl_add_group_member(arg.
add_member.
group,
01924 arg.
add_member.
user,
01925 arg.
add_member.
ttl);
01926
break;
01927
01928
case ACLGS_remove_member:
01929
01930
#if !defined(CONFIG_RSBAC_MAINT)
01931
#ifdef CONFIG_RSBAC_SWITCH
01932
if(rsbac_switch_acl)
01933
#endif
01934
{
01935 err =
rsbac_acl_get_group_entry(arg.
remove_member.
group, &entry);
01936
if(err)
01937
break;
01938
if(entry.
owner != caller)
01939 {
01940
#ifdef CONFIG_RSBAC_RMSG
01941
rsbac_printk(KERN_INFO
01942
"rsbac_acl_group(): removing group member from group %u denied for user %u - not owner!\n",
01943 entry.
id,
01944 caller);
01945
#endif
01946
#ifndef CONFIG_RSBAC_RMSG_EXCL
01947
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01948
if (!rsbac_nosyslog)
01949
#endif
01950
printk(KERN_INFO
01951
"rsbac_acl_group(): removing group member from group %u denied for user %u - not owner!\n",
01952 entry.
id,
01953 caller);
01954
#endif
01955
err = -EPERM;
01956
break;
01957 }
01958 }
01959
#endif
01960 err =
rsbac_acl_remove_group_member(arg.
remove_member.
group, arg.
remove_member.
user);
01961
break;
01962
01963
case ACLGS_get_user_groups:
01964 {
01965
rsbac_acl_group_id_t * group_p =
NULL;
01966
rsbac_time_t * ttl_p =
NULL;
01967
01968
if(arg.
get_user_groups.
maxnum <= 0)
01969 {
01970 err = -
RSBAC_EINVALIDVALUE;
01971
break;
01972 }
01973
if(!arg.
get_user_groups.
group_array)
01974 {
01975 err = -
RSBAC_EINVALIDPOINTER;
01976
break;
01977 }
01978
if(arg.
get_user_groups.
user ==
RSBAC_NO_USER)
01979 arg.
get_user_groups.
user = caller;
01980
#if !defined(CONFIG_RSBAC_MAINT)
01981
else
01982
#ifdef CONFIG_RSBAC_SWITCH
01983
if(rsbac_switch_acl)
01984
#endif
01985
{
01986
if(arg.
get_user_groups.
user != caller)
01987 {
01988
#ifdef CONFIG_RSBAC_RMSG
01989
rsbac_printk(KERN_INFO
01990
"rsbac_acl_group(): getting user groups for user %u denied for user %u!\n",
01991 arg.
get_user_groups.
user,
01992 caller);
01993
#endif
01994
#ifndef CONFIG_RSBAC_RMSG_EXCL
01995
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01996
if (!rsbac_nosyslog)
01997
#endif
01998
printk(KERN_INFO
01999
"rsbac_acl_group(): getting user groups for user %u denied for user %u!\n",
02000 arg.
get_user_groups.
user,
02001 caller);
02002
#endif
02003
err = -EPERM;
02004
break;
02005 }
02006 }
02007
#endif
02008 err =
rsbac_acl_get_user_groups(arg.
get_user_groups.
user, &group_p, &ttl_p);
02009
if(err>0)
02010 {
02011
int tmperr;
02012
02013 err =
rsbac_min(err, arg.
get_user_groups.
maxnum);
02014 tmperr = rsbac_put_user((
char *)group_p,
02015 (
char *)arg.
get_user_groups.
group_array,
02016 err *
sizeof(*group_p));
02017
if(tmperr)
02018 err=tmperr;
02019
if(arg.
get_user_groups.
ttl_array)
02020 {
02021 tmperr = rsbac_put_user((
char *)ttl_p,
02022 (
char *)arg.
get_user_groups.
ttl_array,
02023 err *
sizeof(*ttl_p));
02024
if(tmperr)
02025 err=tmperr;
02026 }
02027 }
02028
if(group_p)
02029
rsbac_vfree(group_p);
02030
if(ttl_p)
02031
rsbac_vfree(ttl_p);
02032
break;
02033 }
02034
02035
case ACLGS_get_group_members:
02036
if( (arg.
get_group_members.
maxnum <= 0)
02037 || !arg.
get_group_members.
group
02038 )
02039 {
02040 err = -
RSBAC_EINVALIDVALUE;
02041
break;
02042 }
02043
if(arg.
get_group_members.
maxnum >
RSBAC_ACL_MAX_MAXNUM)
02044 arg.
get_group_members.
maxnum =
RSBAC_ACL_MAX_MAXNUM;
02045
if(!arg.
get_group_members.
user_array)
02046 {
02047 err = -
RSBAC_EINVALIDPOINTER;
02048
break;
02049 }
02050 err =
rsbac_acl_get_group_entry(arg.
get_group_members.
group,
02051 &entry);
02052
if(err)
02053
break;
02054
if( (entry.
owner != caller)
02055 &&(entry.
type !=
ACLG_GLOBAL)
02056 )
02057 {
02058
#ifdef CONFIG_RSBAC_RMSG
02059
rsbac_printk(KERN_INFO
02060
"rsbac_acl_group(): getting group members of group %u denied for user %u - neither owner nor global!\n",
02061 entry.
id,
02062 caller);
02063
#endif
02064
#ifndef CONFIG_RSBAC_RMSG_EXCL
02065
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02066
if (!rsbac_nosyslog)
02067
#endif
02068
printk(KERN_INFO
02069
"rsbac_acl_group(): getting group members of group %u denied for user %u - neither owner nor global!\n",
02070 entry.
id,
02071 caller);
02072
#endif
02073
err = -EPERM;
02074
break;
02075 }
02076 {
02077
rsbac_uid_t * user_array;
02078
rsbac_time_t * ttl_array;
02079
02080 user_array =
rsbac_vmalloc(
sizeof(*user_array) * arg.
get_group_members.
maxnum);
02081
if(!user_array)
02082
return -
RSBAC_ENOMEM;
02083 ttl_array =
rsbac_vmalloc(
sizeof(*ttl_array) * arg.
get_group_members.
maxnum);
02084
if(!ttl_array)
02085 {
02086
rsbac_vfree(user_array);
02087
return -
RSBAC_ENOMEM;
02088 }
02089
02090 err =
rsbac_acl_get_group_members(arg.
get_group_members.
group,
02091 user_array,
02092 ttl_array,
02093 arg.
get_group_members.
maxnum);
02094
if(err>0)
02095 {
02096
int tmperr;
02097
02098 tmperr = rsbac_put_user((
char *)user_array,
02099 (
char *)arg.
get_group_members.
user_array,
02100 err *
sizeof(*user_array));
02101
if(tmperr)
02102 err=tmperr;
02103
if(arg.
get_group_members.
ttl_array)
02104 {
02105 tmperr = rsbac_put_user((
char *)ttl_array,
02106 (
char *)arg.
get_group_members.
ttl_array,
02107 err *
sizeof(*ttl_array));
02108
if(tmperr)
02109 err=tmperr;
02110 }
02111 }
02112
rsbac_vfree(user_array);
02113
rsbac_vfree(ttl_array);
02114 }
02115
break;
02116
02117
default:
02118
break;
02119 }
02120
#ifdef CONFIG_RSBAC_SOFTMODE
02121
if( ( rsbac_softmode
02122
#ifdef CONFIG_RSBAC_SOFTMODE_IND
02123
|| rsbac_ind_softmode[
ACL]
02124
#endif
02125
)
02126 && (err == -EPERM)
02127 )
02128
return 0;
02129
else
02130
#endif
02131
return(err);
02132 };
02133
02134