00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
#include <linux/string.h>
00013
#include <rsbac/types.h>
00014
#include <rsbac/aci.h>
00015
#include <rsbac/rc.h>
00016
#include <rsbac/adf_main.h>
00017
#include <rsbac/error.h>
00018
#include <rsbac/debug.h>
00019
#include <rsbac/helpers.h>
00020
#include <rsbac/getname.h>
00021
#include <rsbac/rc_getname.h>
00022
00023
00024
00025
00026
00027
00028
00029
00030
00031
#if !defined(CONFIG_RSBAC_MAINT)
00032
00033
int rsbac_rc_test_role_admin(
boolean modify);
00034
00035
int rsbac_rc_test_admin_roles(
rsbac_rc_role_id_t t_role,
boolean modify);
00036
00037
enum rsbac_adf_req_ret_t
00038
rsbac_rc_check_type_comp(
enum rsbac_target_t target,
00039
rsbac_rc_type_id_t type,
00040
enum rsbac_adf_request_t request,
00041
rsbac_pid_t caller_pid);
00042
#endif
00043
00044
00045
00046
00047
00048
00049
00050
00051
00052
00053
00054
00055
00056 int rsbac_rc_sys_copy_role (
rsbac_rc_role_id_t from_role,
00057
rsbac_rc_role_id_t to_role)
00058 {
00059
#if !defined(CONFIG_RSBAC_MAINT)
00060
#ifdef CONFIG_RSBAC_SWITCH
00061
if(rsbac_switch_rc)
00062
#endif
00063
{
00064
int err;
00065
00066
if ( (err=
rsbac_rc_test_admin_roles(from_role,
FALSE))
00067 &&
rsbac_rc_test_role_admin(
FALSE)
00068 )
00069 {
00070
if(err == -EPERM)
00071 {
00072
rsbac_uid_t user;
00073
00074
if(!rsbac_get_owner(&user))
00075 {
00076
#ifdef CONFIG_RSBAC_RMSG
00077
rsbac_printk(KERN_INFO
00078
"rsbac_rc_sys_copy_role(): reading role %u denied for pid %u, user %u - not in admin_roles!\n",
00079 from_role,
00080 current->pid,
00081 user);
00082
#endif
00083
#ifndef CONFIG_RSBAC_RMSG_EXCL
00084
00085
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00086
if (!rsbac_nosyslog)
00087
#endif
00088
printk(KERN_INFO
00089
"rsbac_rc_sys_copy_role(): reading role %u denied for pid %u, user %u - not in admin_roles!\n",
00090 from_role,
00091 current->pid,
00092 user);
00093
#endif
00094
}
00095
#ifdef CONFIG_RSBAC_SOFTMODE
00096
if( !rsbac_softmode
00097
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00098
&& !rsbac_ind_softmode[
RC]
00099
#endif
00100
)
00101
#endif
00102
return err;
00103 }
00104
else
00105
return err;
00106 }
00107
00108
if ( (err=
rsbac_rc_test_admin_roles(to_role,
TRUE))
00109 &&
rsbac_rc_test_role_admin(
TRUE)
00110 )
00111 {
00112
if(err == -EPERM)
00113 {
00114
rsbac_uid_t user;
00115
00116
if(!rsbac_get_owner(&user))
00117 {
00118
#ifdef CONFIG_RSBAC_RMSG
00119
rsbac_printk(KERN_INFO
00120
"rsbac_rc_sys_copy_role(): changing role %u denied for pid %u, user %u - not in admin_roles!\n",
00121 to_role,
00122 current->pid,
00123 user);
00124
#endif
00125
#ifndef CONFIG_RSBAC_RMSG_EXCL
00126
00127
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00128
if (!rsbac_nosyslog)
00129
#endif
00130
printk(KERN_INFO
00131
"rsbac_rc_sys_copy_role(): changing role %u denied for pid %u, user %u - not in admin_roles!\n",
00132 to_role,
00133 current->pid,
00134 user);
00135
#endif
00136
}
00137
#ifdef CONFIG_RSBAC_SOFTMODE
00138
if( !rsbac_softmode
00139
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00140
&& !rsbac_ind_softmode[
RC]
00141
#endif
00142
)
00143
#endif
00144
return err;
00145 }
00146
else
00147
return err;
00148 }
00149 }
00150
#endif
00151
00152
00153
return(
rsbac_rc_copy_role(from_role, to_role));
00154 };
00155
00156
00157 int rsbac_rc_sys_get_item (
enum rsbac_rc_target_t target,
00158
union rsbac_rc_target_id_t tid,
00159
union rsbac_rc_target_id_t subtid,
00160
enum rsbac_rc_item_t item,
00161
union rsbac_rc_item_value_t * value_p,
00162
rsbac_time_t * ttl_p)
00163 {
00164
#if !defined(CONFIG_RSBAC_MAINT)
00165
#ifdef CONFIG_RSBAC_SWITCH
00166
if(rsbac_switch_rc)
00167
#endif
00168
{
00169
int err;
00170
00171
switch(item)
00172 {
00173
case RI_name:
00174
case RI_type_fd_name:
00175
case RI_type_dev_name:
00176
case RI_type_ipc_name:
00177
case RI_type_user_name:
00178
case RI_type_process_name:
00179
case RI_type_scd_name:
00180
case RI_type_netdev_name:
00181
case RI_type_nettemp_name:
00182
case RI_type_netobj_name:
00183
00184
break;
00185
00186
case RI_type_fd_need_secdel:
00187
if(target !=
RT_TYPE)
00188
return -
RSBAC_EINVALIDTARGET;
00189
if( (err=
rsbac_rc_check_type_comp(
T_FILE, tid.
type,
RCR_ADMIN, 0))
00190 && (err=
rsbac_rc_test_role_admin(
FALSE))
00191 )
00192 {
00193
if(err == -EPERM)
00194 {
00195
rsbac_uid_t user;
00196
00197
if(!rsbac_get_owner(&user))
00198 {
00199
#ifdef CONFIG_RSBAC_RMSG
00200
rsbac_printk(KERN_INFO
00201
"rsbac_rc_sys_get_item(): reading fd_need_secdel of type %u denied for pid %u, user %u - no ADMIN right!\n",
00202 tid.
type,
00203 current->pid,
00204 user);
00205
#endif
00206
#ifndef CONFIG_RSBAC_RMSG_EXCL
00207
00208
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00209
if (!rsbac_nosyslog)
00210
#endif
00211
printk(KERN_INFO
00212
"rsbac_rc_sys_get_item(): reading fd_need_secdel of type %u denied for pid %u, user %u - no ADMIN right!\n",
00213 tid.
type,
00214 current->pid,
00215 user);
00216
#endif
00217
}
00218
#ifdef CONFIG_RSBAC_SOFTMODE
00219
if( !rsbac_softmode
00220
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00221
&& !rsbac_ind_softmode[
RC]
00222
#endif
00223
)
00224
#endif
00225
return err;
00226 }
00227
else
00228
return err;
00229 }
00230
break;
00231
00232
default:
00233
if(target !=
RT_ROLE)
00234
return -
RSBAC_EINVALIDATTR;
00235
00236
if ( (err=
rsbac_rc_test_admin_roles(tid.
role,
FALSE))
00237 && (err=
rsbac_rc_test_role_admin(
FALSE))
00238 )
00239 {
00240
if(err == -EPERM)
00241 {
00242
rsbac_uid_t user;
00243
00244
if(!rsbac_get_owner(&user))
00245 {
00246
#ifdef CONFIG_RSBAC_RMSG
00247
rsbac_printk(KERN_INFO
00248
"rsbac_rc_sys_get_item(): getting item of role %u denied for pid %u, user %u - not in admin_roles!\n",
00249 tid.
role,
00250 current->pid,
00251 user);
00252
#endif
00253
#ifndef CONFIG_RSBAC_RMSG_EXCL
00254
00255
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00256
if (!rsbac_nosyslog)
00257
#endif
00258
printk(KERN_INFO
00259
"rsbac_rc_sys_get_item(): getting item of role %u denied for pid %u, user %u - not in admin_roles!\n",
00260 tid.
role,
00261 current->pid,
00262 user);
00263
#endif
00264
}
00265
#ifdef CONFIG_RSBAC_SOFTMODE
00266
if( !rsbac_softmode
00267
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00268
&& !rsbac_ind_softmode[
RC]
00269
#endif
00270
)
00271
#endif
00272
return err;
00273 }
00274
else
00275
return err;
00276 }
00277 }
00278 }
00279
#endif
00280
00281
00282
return(
rsbac_rc_get_item(target, tid, subtid, item, value_p, ttl_p));
00283 };
00284
00285
00286 int rsbac_rc_sys_set_item (
enum rsbac_rc_target_t target,
00287
union rsbac_rc_target_id_t tid,
00288
union rsbac_rc_target_id_t subtid,
00289
enum rsbac_rc_item_t item,
00290
union rsbac_rc_item_value_t value,
00291
rsbac_time_t ttl)
00292 {
00293
#if !defined(CONFIG_RSBAC_MAINT)
00294
#ifdef CONFIG_RSBAC_SWITCH
00295
if(rsbac_switch_rc)
00296
#endif
00297
{
00298
int err;
00299
00300
switch(item)
00301 {
00302
00303
case RI_type_fd_name:
00304
case RI_type_fd_need_secdel:
00305
case RI_type_fd_remove:
00306
if(target !=
RT_TYPE)
00307
return -
RSBAC_EINVALIDTARGET;
00308
if( (
rsbac_rc_check_type_comp(
T_FILE, tid.
type,
RCR_ADMIN, 0) ==
NOT_GRANTED)
00309 && (err=
rsbac_rc_test_role_admin(
TRUE))
00310 )
00311 {
00312
if(err == -EPERM)
00313 {
00314
rsbac_uid_t user;
00315
char tmp[80];
00316
00317
if(!rsbac_get_owner(&user))
00318 {
00319
#ifdef CONFIG_RSBAC_RMSG
00320
rsbac_printk(KERN_INFO
00321
"rsbac_rc_sys_set_item(): changing %s of FD type %u denied for pid %u, user %u - no ADMIN right!\n",
00322
get_rc_item_name(tmp, item),
00323 tid.
type,
00324 current->pid,
00325 user);
00326
#endif
00327
#ifndef CONFIG_RSBAC_RMSG_EXCL
00328
00329
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00330
if (!rsbac_nosyslog)
00331
#endif
00332
printk(KERN_INFO
00333
"rsbac_rc_sys_set_item(): changing %s of FD type %u denied for pid %u, user %u - no ADMIN right!\n",
00334
get_rc_item_name(tmp, item),
00335 tid.
type,
00336 current->pid,
00337 user);
00338
#endif
00339
}
00340
#ifdef CONFIG_RSBAC_SOFTMODE
00341
if( !rsbac_softmode
00342
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00343
&& !rsbac_ind_softmode[
RC]
00344
#endif
00345
)
00346
#endif
00347
return err;
00348 }
00349
else
00350
return err;
00351 }
00352
break;
00353
case RI_type_dev_name:
00354
case RI_type_dev_remove:
00355
if(target !=
RT_TYPE)
00356
return -
RSBAC_EINVALIDTARGET;
00357
if( (
rsbac_rc_check_type_comp(
T_DEV, tid.
type,
RCR_ADMIN, 0) ==
NOT_GRANTED)
00358 && (err=
rsbac_rc_test_role_admin(
TRUE))
00359 )
00360 {
00361
if(err == -EPERM)
00362 {
00363
rsbac_uid_t user;
00364
00365
if(!rsbac_get_owner(&user))
00366 {
00367
#ifdef CONFIG_RSBAC_RMSG
00368
rsbac_printk(KERN_INFO
00369
"rsbac_rc_sys_set_item(): changing name or removing of DEV type %u denied for pid %u, user %u - no ADMIN right!\n",
00370 tid.
type,
00371 current->pid,
00372 user);
00373
#endif
00374
#ifndef CONFIG_RSBAC_RMSG_EXCL
00375
00376
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00377
if (!rsbac_nosyslog)
00378
#endif
00379
printk(KERN_INFO
00380
"rsbac_rc_sys_set_item(): changing name or removing of DEV type %u denied for pid %u, user %u - no ADMIN right!\n",
00381 tid.
type,
00382 current->pid,
00383 user);
00384
#endif
00385
}
00386
#ifdef CONFIG_RSBAC_SOFTMODE
00387
if( !rsbac_softmode
00388
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00389
&& !rsbac_ind_softmode[
RC]
00390
#endif
00391
)
00392
#endif
00393
return err;
00394 }
00395
else
00396
return err;
00397 }
00398
break;
00399
case RI_type_ipc_name:
00400
case RI_type_ipc_remove:
00401
if(target !=
RT_TYPE)
00402
return -
RSBAC_EINVALIDTARGET;
00403
if( (
rsbac_rc_check_type_comp(
T_IPC, tid.
type,
RCR_ADMIN, 0) ==
NOT_GRANTED)
00404 && (err=
rsbac_rc_test_role_admin(
TRUE))
00405 )
00406 {
00407
if(err == -EPERM)
00408 {
00409
rsbac_uid_t user;
00410
00411
if(!rsbac_get_owner(&user))
00412 {
00413
#ifdef CONFIG_RSBAC_RMSG
00414
rsbac_printk(KERN_INFO
00415
"rsbac_rc_sys_set_item(): changing name or removing of IPC type %u denied for pid %u, user %u - no ADMIN right!\n",
00416 tid.
type,
00417 current->pid,
00418 user);
00419
#endif
00420
#ifndef CONFIG_RSBAC_RMSG_EXCL
00421
00422
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00423
if (!rsbac_nosyslog)
00424
#endif
00425
printk(KERN_INFO
00426
"rsbac_rc_sys_set_item(): changing name or removing of IPC type %u denied for pid %u, user %u - no ADMIN right!\n",
00427 tid.
type,
00428 current->pid,
00429 user);
00430
#endif
00431
}
00432
#ifdef CONFIG_RSBAC_SOFTMODE
00433
if( !rsbac_softmode
00434
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00435
&& !rsbac_ind_softmode[
RC]
00436
#endif
00437
)
00438
#endif
00439
return err;
00440 }
00441
else
00442
return err;
00443 }
00444
break;
00445
case RI_type_user_name:
00446
case RI_type_user_remove:
00447
if(target !=
RT_TYPE)
00448
return -
RSBAC_EINVALIDTARGET;
00449
if( (
rsbac_rc_check_type_comp(
T_USER, tid.
type,
RCR_ADMIN, 0) ==
NOT_GRANTED)
00450 && (err=
rsbac_rc_test_role_admin(
TRUE))
00451 )
00452 {
00453
if(err == -EPERM)
00454 {
00455
rsbac_uid_t user;
00456
00457
if(!rsbac_get_owner(&user))
00458 {
00459
#ifdef CONFIG_RSBAC_RMSG
00460
rsbac_printk(KERN_INFO
00461
"rsbac_rc_sys_set_item(): changing name or removing of USER type %u denied for pid %u, user %u - no ADMIN right!\n",
00462 tid.
type,
00463 current->pid,
00464 user);
00465
#endif
00466
#ifndef CONFIG_RSBAC_RMSG_EXCL
00467
00468
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00469
if (!rsbac_nosyslog)
00470
#endif
00471
printk(KERN_INFO
00472
"rsbac_rc_sys_set_item(): changing name or removing of USER type %u denied for pid %u, user %u - no ADMIN right!\n",
00473 tid.
type,
00474 current->pid,
00475 user);
00476
#endif
00477
}
00478
#ifdef CONFIG_RSBAC_SOFTMODE
00479
if( !rsbac_softmode
00480
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00481
&& !rsbac_ind_softmode[
RC]
00482
#endif
00483
)
00484
#endif
00485
return err;
00486 }
00487
else
00488
return err;
00489 }
00490
break;
00491
case RI_type_process_name:
00492
case RI_type_process_remove:
00493
if(target !=
RT_TYPE)
00494
return -
RSBAC_EINVALIDTARGET;
00495
if( (
rsbac_rc_check_type_comp(
T_PROCESS, tid.
type,
RCR_ADMIN, 0) ==
NOT_GRANTED)
00496 && (err=
rsbac_rc_test_role_admin(
TRUE))
00497 )
00498 {
00499
if(err == -EPERM)
00500 {
00501
rsbac_uid_t user;
00502
00503
if(!rsbac_get_owner(&user))
00504 {
00505
#ifdef CONFIG_RSBAC_RMSG
00506
rsbac_printk(KERN_INFO
00507
"rsbac_rc_sys_set_item(): changing name or removing of process type %u denied for pid %u, user %u - no ADMIN right!\n",
00508 tid.
type,
00509 current->pid,
00510 user);
00511
#endif
00512
#ifndef CONFIG_RSBAC_RMSG_EXCL
00513
00514
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00515
if (!rsbac_nosyslog)
00516
#endif
00517
printk(KERN_INFO
00518
"rsbac_rc_sys_set_item(): changing name or removing of process type %u denied for pid %u, user %u - no ADMIN right!\n",
00519 tid.
type,
00520 current->pid,
00521 user);
00522
#endif
00523
}
00524
#ifdef CONFIG_RSBAC_SOFTMODE
00525
if( !rsbac_softmode
00526
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00527
&& !rsbac_ind_softmode[
RC]
00528
#endif
00529
)
00530
#endif
00531
return err;
00532 }
00533
else
00534
return err;
00535 }
00536
break;
00537
case RI_type_scd_name:
00538
if(target !=
RT_TYPE)
00539
return -
RSBAC_EINVALIDTARGET;
00540
if( (
rsbac_rc_check_type_comp(
T_SCD, tid.
type,
RCR_ADMIN, 0) ==
NOT_GRANTED)
00541 && (err=
rsbac_rc_test_role_admin(
TRUE))
00542 )
00543 {
00544
if(err == -EPERM)
00545 {
00546
rsbac_uid_t user;
00547
00548
if(!rsbac_get_owner(&user))
00549 {
00550
#ifdef CONFIG_RSBAC_RMSG
00551
rsbac_printk(KERN_INFO
00552
"rsbac_rc_sys_set_item(): changing name or removing of SCD type %u denied for pid %u, user %u - no ADMIN right!\n",
00553 tid.
type,
00554 current->pid,
00555 user);
00556
#endif
00557
#ifndef CONFIG_RSBAC_RMSG_EXCL
00558
00559
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00560
if (!rsbac_nosyslog)
00561
#endif
00562
printk(KERN_INFO
00563
"rsbac_rc_sys_set_item(): changing name or removing of SCD type %u denied for pid %u, user %u - no ADMIN right!\n",
00564 tid.
type,
00565 current->pid,
00566 user);
00567
#endif
00568
}
00569
#ifdef CONFIG_RSBAC_SOFTMODE
00570
if( !rsbac_softmode
00571
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00572
&& !rsbac_ind_softmode[
RC]
00573
#endif
00574
)
00575
#endif
00576
return err;
00577 }
00578
else
00579
return err;
00580 }
00581
break;
00582
case RI_type_netdev_name:
00583
case RI_type_netdev_remove:
00584
if(target !=
RT_TYPE)
00585
return -
RSBAC_EINVALIDTARGET;
00586
if( (
rsbac_rc_check_type_comp(
T_NETDEV, tid.
type,
RCR_ADMIN, 0) ==
NOT_GRANTED)
00587 && (err=
rsbac_rc_test_role_admin(
TRUE))
00588 )
00589 {
00590
if(err == -EPERM)
00591 {
00592
rsbac_uid_t user;
00593
00594
if(!rsbac_get_owner(&user))
00595 {
00596
#ifdef CONFIG_RSBAC_RMSG
00597
rsbac_printk(KERN_INFO
00598
"rsbac_rc_sys_set_item(): changing name or removing of NETDEV type %u denied for pid %u, user %u - no ADMIN right!\n",
00599 tid.
type,
00600 current->pid,
00601 user);
00602
#endif
00603
#ifndef CONFIG_RSBAC_RMSG_EXCL
00604
00605
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00606
if (!rsbac_nosyslog)
00607
#endif
00608
printk(KERN_INFO
00609
"rsbac_rc_sys_set_item(): changing name or removing of NETDEV type %u denied for pid %u, user %u - no ADMIN right!\n",
00610 tid.
type,
00611 current->pid,
00612 user);
00613
#endif
00614
}
00615
#ifdef CONFIG_RSBAC_SOFTMODE
00616
if( !rsbac_softmode
00617
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00618
&& !rsbac_ind_softmode[
RC]
00619
#endif
00620
)
00621
#endif
00622
return err;
00623 }
00624
else
00625
return err;
00626 }
00627
break;
00628
case RI_type_nettemp_name:
00629
case RI_type_nettemp_remove:
00630
if(target !=
RT_TYPE)
00631
return -
RSBAC_EINVALIDTARGET;
00632
if( (
rsbac_rc_check_type_comp(
T_NETTEMP, tid.
type,
RCR_ADMIN, 0) ==
NOT_GRANTED)
00633 && (err=
rsbac_rc_test_role_admin(
TRUE))
00634 )
00635 {
00636
if(err == -EPERM)
00637 {
00638
rsbac_uid_t user;
00639
00640
if(!rsbac_get_owner(&user))
00641 {
00642
#ifdef CONFIG_RSBAC_RMSG
00643
rsbac_printk(KERN_INFO
00644
"rsbac_rc_sys_set_item(): changing name or removing of NETTEMP type %u denied for pid %u, user %u - no ADMIN right!\n",
00645 tid.
type,
00646 current->pid,
00647 user);
00648
#endif
00649
#ifndef CONFIG_RSBAC_RMSG_EXCL
00650
00651
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00652
if (!rsbac_nosyslog)
00653
#endif
00654
printk(KERN_INFO
00655
"rsbac_rc_sys_set_item(): changing name or removing of NETTEMP type %u denied for pid %u, user %u - no ADMIN right!\n",
00656 tid.
type,
00657 current->pid,
00658 user);
00659
#endif
00660
}
00661
#ifdef CONFIG_RSBAC_SOFTMODE
00662
if( !rsbac_softmode
00663
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00664
&& !rsbac_ind_softmode[
RC]
00665
#endif
00666
)
00667
#endif
00668
return err;
00669 }
00670
else
00671
return err;
00672 }
00673
break;
00674
case RI_type_netobj_name:
00675
case RI_type_netobj_remove:
00676
if(target !=
RT_TYPE)
00677
return -
RSBAC_EINVALIDTARGET;
00678
if( (
rsbac_rc_check_type_comp(
T_NETOBJ, tid.
type,
RCR_ADMIN, 0) ==
NOT_GRANTED)
00679 && (err=
rsbac_rc_test_role_admin(
TRUE))
00680 )
00681 {
00682
if(err == -EPERM)
00683 {
00684
rsbac_uid_t user;
00685
00686
if(!rsbac_get_owner(&user))
00687 {
00688
#ifdef CONFIG_RSBAC_RMSG
00689
rsbac_printk(KERN_INFO
00690
"rsbac_rc_sys_set_item(): changing name or removing of NETOBJ type %u denied for pid %u, user %u - no ADMIN right!\n",
00691 tid.
type,
00692 current->pid,
00693 user);
00694
#endif
00695
#ifndef CONFIG_RSBAC_RMSG_EXCL
00696
00697
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00698
if (!rsbac_nosyslog)
00699
#endif
00700
printk(KERN_INFO
00701
"rsbac_rc_sys_set_item(): changing name or removing of NETOBJ type %u denied for pid %u, user %u - no ADMIN right!\n",
00702 tid.
type,
00703 current->pid,
00704 user);
00705
#endif
00706
}
00707
#ifdef CONFIG_RSBAC_SOFTMODE
00708
if( !rsbac_softmode
00709
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00710
&& !rsbac_ind_softmode[
RC]
00711
#endif
00712
)
00713
#endif
00714
return err;
00715 }
00716
else
00717
return err;
00718 }
00719
break;
00720
00721
00722
case RI_role_comp:
00723
00724 {
00725
union rsbac_target_id_t i_tid;
00726
union rsbac_attribute_value_t i_attr_val1;
00727
00728
if(target !=
RT_ROLE)
00729
return -
RSBAC_EINVALIDATTR;
00730
if(!
rsbac_rc_test_role_admin(
TRUE))
00731
break;
00732
00733
if((err=
rsbac_rc_test_admin_roles(tid.
role,
TRUE)))
00734 {
00735
if(err == -EPERM)
00736 {
00737
rsbac_uid_t user;
00738
00739
if(!rsbac_get_owner(&user))
00740 {
00741
#ifdef CONFIG_RSBAC_RMSG
00742
rsbac_printk(KERN_INFO
00743
"rsbac_rc_sys_set_item(): changing role_comp of role %u denied for pid %u, user %u - not in admin_roles!\n",
00744 tid.
role,
00745 current->pid,
00746 user);
00747
#endif
00748
#ifndef CONFIG_RSBAC_RMSG_EXCL
00749
00750
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00751
if (!rsbac_nosyslog)
00752
#endif
00753
printk(KERN_INFO
00754
"rsbac_rc_sys_set_item(): changing role_comp of role %u denied for pid %u, user %u - not in admin_roles!\n",
00755 tid.
role,
00756 current->pid,
00757 user);
00758
#endif
00759
}
00760
#ifdef CONFIG_RSBAC_SOFTMODE
00761
if( !rsbac_softmode
00762
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00763
&& !rsbac_ind_softmode[
RC]
00764
#endif
00765
)
00766
#endif
00767
return err;
00768 }
00769
else
00770
return err;
00771 }
00772
00773
00774 i_tid.
process = current->pid;
00775
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
00776 i_tid,
00777
A_rc_role,
00778 &i_attr_val1,
00779
TRUE)))
00780 {
00781 rsbac_ds_get_error(
"rsbac_rc_sys_set_item()",
A_rc_role);
00782
return -
RSBAC_EREADFAILED;
00783 }
00784
00785
if (!
rsbac_rc_check_comp(i_attr_val1.
rc_role,
00786 tid,
00787
RI_assign_roles,
00788
R_NONE))
00789 {
00790
rsbac_uid_t user;
00791
if(!rsbac_get_owner(&user))
00792 {
00793
#ifdef CONFIG_RSBAC_RMSG
00794
rsbac_printk(KERN_INFO
00795
"rsbac_rc_sys_set_item(): changing role_comp for role %u denied for user %u, role %u - not in assign_roles!\n",
00796 tid.
role,
00797 user,
00798 i_attr_val1.
rc_role);
00799
#endif
00800
#ifndef CONFIG_RSBAC_RMSG_EXCL
00801
00802
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00803
if (!rsbac_nosyslog)
00804
#endif
00805
printk(KERN_INFO
00806
"rsbac_rc_sys_set_item(): changing role_comp for role %u denied for user %u, role %u - not in assign_roles!\n",
00807 tid.
role,
00808 user,
00809 i_attr_val1.
rc_role);
00810
#endif
00811
}
00812
#ifdef CONFIG_RSBAC_SOFTMODE
00813
if( !rsbac_softmode
00814
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00815
&& !rsbac_ind_softmode[
RC]
00816
#endif
00817
)
00818
#endif
00819
return -EPERM;
00820 }
00821 }
00822
break;
00823
00824
case RI_admin_type:
00825
case RI_admin_roles:
00826
case RI_assign_roles:
00827
case RI_boot_role:
00828
00829
if((err=
rsbac_rc_test_role_admin(
TRUE)))
00830 {
00831
if(err == -EPERM)
00832 {
00833
rsbac_uid_t user;
00834
char tmp[80];
00835
00836
if(!rsbac_get_owner(&user))
00837 {
00838
#ifdef CONFIG_RSBAC_RMSG
00839
rsbac_printk(KERN_INFO
00840
"rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - no Role Admin!\n",
00841
get_rc_item_name(tmp, item),
00842 tid.
role,
00843 current->pid,
00844 user);
00845
#endif
00846
#ifndef CONFIG_RSBAC_RMSG_EXCL
00847
00848
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00849
if (!rsbac_nosyslog)
00850
#endif
00851
printk(KERN_INFO
00852
"rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - no Role Admin!\n",
00853
get_rc_item_name(tmp, item),
00854 tid.
role,
00855 current->pid,
00856 user);
00857
#endif
00858
}
00859
#ifdef CONFIG_RSBAC_SOFTMODE
00860
if( !rsbac_softmode
00861
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00862
&& !rsbac_ind_softmode[
RC]
00863
#endif
00864
)
00865
#endif
00866
return err;
00867 }
00868
else
00869
return err;
00870 }
00871
break;
00872
case RI_name:
00873
case RI_remove_role:
00874
00875
00876
if( (err=
rsbac_rc_test_admin_roles(tid.
role,
TRUE))
00877 && (err=
rsbac_rc_test_role_admin(
TRUE))
00878 )
00879 {
00880
if(err == -EPERM)
00881 {
00882
rsbac_uid_t user;
00883
00884
if(!rsbac_get_owner(&user))
00885 {
00886
#ifdef CONFIG_RSBAC_RMSG
00887
rsbac_printk(KERN_INFO
00888
"rsbac_rc_sys_set_item(): changing name or removing of role %u denied for pid %u, user %u - not in admin_roles!\n",
00889 tid.
role,
00890 current->pid,
00891 user);
00892
#endif
00893
#ifndef CONFIG_RSBAC_RMSG_EXCL
00894
00895
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00896
if (!rsbac_nosyslog)
00897
#endif
00898
printk(KERN_INFO
00899
"rsbac_rc_sys_set_item(): changing name or removing of role %u denied for pid %u, user %u - not in admin_roles!\n",
00900 tid.
role,
00901 current->pid,
00902 user);
00903
#endif
00904
}
00905
#ifdef CONFIG_RSBAC_SOFTMODE
00906
if( !rsbac_softmode
00907
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00908
&& !rsbac_ind_softmode[
RC]
00909
#endif
00910
)
00911
#endif
00912
return err;
00913 }
00914
else
00915
return err;
00916 }
00917
break;
00918
00919
case RI_def_fd_create_type:
00920
00921
00922
if( (err=
rsbac_rc_test_admin_roles(tid.
role,
TRUE))
00923 && (err=
rsbac_rc_test_role_admin(
TRUE))
00924 )
00925 {
00926
if(err == -EPERM)
00927 {
00928
rsbac_uid_t user;
00929
00930
if(!rsbac_get_owner(&user))
00931 {
00932
#ifdef CONFIG_RSBAC_RMSG
00933
rsbac_printk(KERN_INFO
00934
"rsbac_rc_sys_set_item(): changing def_fd_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
00935 tid.
role,
00936 current->pid,
00937 user);
00938
#endif
00939
#ifndef CONFIG_RSBAC_RMSG_EXCL
00940
00941
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00942
if (!rsbac_nosyslog)
00943
#endif
00944
printk(KERN_INFO
00945
"rsbac_rc_sys_set_item(): changing def_fd_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
00946 tid.
role,
00947 current->pid,
00948 user);
00949
#endif
00950
}
00951
#ifdef CONFIG_RSBAC_SOFTMODE
00952
if( !rsbac_softmode
00953
#ifdef CONFIG_RSBAC_SOFTMODE_IND
00954
&& !rsbac_ind_softmode[
RC]
00955
#endif
00956
)
00957
#endif
00958
return err;
00959 }
00960
else
00961
return err;
00962 }
00963
else
00964 {
00965
enum rsbac_adf_req_ret_t result;
00966
00967 result =
rsbac_rc_check_type_comp(
T_FILE, value.
type_id,
RCR_ASSIGN, 0);
00968
if( ( (result ==
NOT_GRANTED)
00969 || (result ==
UNDEFINED)
00970 )
00971 && (err=
rsbac_rc_test_role_admin(
TRUE))
00972 )
00973 {
00974
rsbac_uid_t user;
00975
00976
if(!rsbac_get_owner(&user))
00977 {
00978
#ifdef CONFIG_RSBAC_RMSG
00979
rsbac_printk(KERN_INFO
00980
"rsbac_rc_sys_set_item(): changing def_fd_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
00981 tid.
role,
00982 value.
type_id,
00983 user);
00984
#endif
00985
#ifndef CONFIG_RSBAC_RMSG_EXCL
00986
00987
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00988
if (!rsbac_nosyslog)
00989
#endif
00990
printk(KERN_INFO
00991
"rsbac_rc_sys_set_item(): changing def_fd_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
00992 tid.
role,
00993 value.
type_id,
00994 user);
00995
#endif
00996
}
00997
#ifdef CONFIG_RSBAC_SOFTMODE
00998
if( !rsbac_softmode
00999
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01000
&& !rsbac_ind_softmode[
RC]
01001
#endif
01002
)
01003
#endif
01004
return -EPERM;
01005 }
01006 }
01007
break;
01008
case RI_def_user_create_type:
01009
01010
01011
if( (err=
rsbac_rc_test_admin_roles(tid.
role,
TRUE))
01012 && (err=
rsbac_rc_test_role_admin(
TRUE))
01013 )
01014 {
01015
if(err == -EPERM)
01016 {
01017
rsbac_uid_t user;
01018
01019
if(!rsbac_get_owner(&user))
01020 {
01021
#ifdef CONFIG_RSBAC_RMSG
01022
rsbac_printk(KERN_INFO
01023
"rsbac_rc_sys_set_item(): changing def_user_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
01024 tid.
role,
01025 current->pid,
01026 user);
01027
#endif
01028
#ifndef CONFIG_RSBAC_RMSG_EXCL
01029
01030
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01031
if (!rsbac_nosyslog)
01032
#endif
01033
printk(KERN_INFO
01034
"rsbac_rc_sys_set_item(): changing def_user_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
01035 tid.
role,
01036 current->pid,
01037 user);
01038
#endif
01039
}
01040
#ifdef CONFIG_RSBAC_SOFTMODE
01041
if( !rsbac_softmode
01042
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01043
&& !rsbac_ind_softmode[
RC]
01044
#endif
01045
)
01046
#endif
01047
return err;
01048 }
01049
else
01050
return err;
01051 }
01052
else
01053 {
01054
enum rsbac_adf_req_ret_t result;
01055
01056 result =
rsbac_rc_check_type_comp(
T_USER, value.
type_id,
RCR_ASSIGN, 0);
01057
if( ( (result ==
NOT_GRANTED)
01058 || (result ==
UNDEFINED)
01059 )
01060 && (err=
rsbac_rc_test_role_admin(
TRUE))
01061 )
01062 {
01063
rsbac_uid_t user;
01064
01065
if(!rsbac_get_owner(&user))
01066 {
01067
#ifdef CONFIG_RSBAC_RMSG
01068
rsbac_printk(KERN_INFO
01069
"rsbac_rc_sys_set_item(): changing def_user_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01070 tid.
role,
01071 value.
type_id,
01072 user);
01073
#endif
01074
#ifndef CONFIG_RSBAC_RMSG_EXCL
01075
01076
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01077
if (!rsbac_nosyslog)
01078
#endif
01079
printk(KERN_INFO
01080
"rsbac_rc_sys_set_item(): changing def_user_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01081 tid.
role,
01082 value.
type_id,
01083 user);
01084
#endif
01085
}
01086
#ifdef CONFIG_RSBAC_SOFTMODE
01087
if( !rsbac_softmode
01088
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01089
&& !rsbac_ind_softmode[
RC]
01090
#endif
01091
)
01092
#endif
01093
return -EPERM;
01094 }
01095 }
01096
break;
01097
01098
case RI_def_process_create_type:
01099
case RI_def_process_chown_type:
01100
case RI_def_process_execute_type:
01101
01102
01103
if( (err=
rsbac_rc_test_admin_roles(tid.
role,
TRUE))
01104 && (err=
rsbac_rc_test_role_admin(
TRUE))
01105 )
01106 {
01107
if(err == -EPERM)
01108 {
01109
rsbac_uid_t user;
01110
char tmp[80];
01111
01112
if(!rsbac_get_owner(&user))
01113 {
01114
#ifdef CONFIG_RSBAC_RMSG
01115
rsbac_printk(KERN_INFO
01116
"rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - not in admin_roles!\n",
01117
get_rc_item_name(tmp, item),
01118 tid.
role,
01119 current->pid,
01120 user);
01121
#endif
01122
#ifndef CONFIG_RSBAC_RMSG_EXCL
01123
01124
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01125
if (!rsbac_nosyslog)
01126
#endif
01127
printk(KERN_INFO
01128
"rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - not in admin_roles!\n",
01129
get_rc_item_name(tmp, item),
01130 tid.
role,
01131 current->pid,
01132 user);
01133
#endif
01134
}
01135
#ifdef CONFIG_RSBAC_SOFTMODE
01136
if( !rsbac_softmode
01137
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01138
&& !rsbac_ind_softmode[
RC]
01139
#endif
01140
)
01141
#endif
01142
return err;
01143 }
01144
else
01145
return err;
01146 }
01147
else
01148 {
01149
enum rsbac_adf_req_ret_t result;
01150
01151 result =
rsbac_rc_check_type_comp(
T_PROCESS, value.
type_id,
RCR_ASSIGN, 0);
01152
if( ( (result ==
NOT_GRANTED)
01153 || (result ==
UNDEFINED)
01154 )
01155 && (err=
rsbac_rc_test_role_admin(
TRUE))
01156 )
01157 {
01158
rsbac_uid_t user;
01159
01160
if(!rsbac_get_owner(&user))
01161 {
01162
#ifdef CONFIG_RSBAC_RMSG
01163
rsbac_printk(KERN_INFO
01164
"rsbac_rc_sys_set_item(): changing def_process_*_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01165 tid.
role,
01166 value.
type_id,
01167 user);
01168
#endif
01169
#ifndef CONFIG_RSBAC_RMSG_EXCL
01170
01171
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01172
if (!rsbac_nosyslog)
01173
#endif
01174
printk(KERN_INFO
01175
"rsbac_rc_sys_set_item(): changing def_process_*_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01176 tid.
role,
01177 value.
type_id,
01178 user);
01179
#endif
01180
}
01181
#ifdef CONFIG_RSBAC_SOFTMODE
01182
if( !rsbac_softmode
01183
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01184
&& !rsbac_ind_softmode[
RC]
01185
#endif
01186
)
01187
#endif
01188
return -EPERM;
01189 }
01190 }
01191
break;
01192
case RI_def_ipc_create_type:
01193
01194
01195
if( (err=
rsbac_rc_test_admin_roles(tid.
role,
TRUE))
01196 && (err=
rsbac_rc_test_role_admin(
TRUE))
01197 )
01198 {
01199
if(err == -EPERM)
01200 {
01201
rsbac_uid_t user;
01202
01203
if(!rsbac_get_owner(&user))
01204 {
01205
#ifdef CONFIG_RSBAC_RMSG
01206
rsbac_printk(KERN_INFO
01207
"rsbac_rc_sys_set_item(): changing def_ipc_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
01208 tid.
role,
01209 current->pid,
01210 user);
01211
#endif
01212
#ifndef CONFIG_RSBAC_RMSG_EXCL
01213
01214
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01215
if (!rsbac_nosyslog)
01216
#endif
01217
printk(KERN_INFO
01218
"rsbac_rc_sys_set_item(): changing def_ipc_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
01219 tid.
role,
01220 current->pid,
01221 user);
01222
#endif
01223
}
01224
#ifdef CONFIG_RSBAC_SOFTMODE
01225
if( !rsbac_softmode
01226
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01227
&& !rsbac_ind_softmode[
RC]
01228
#endif
01229
)
01230
#endif
01231
return err;
01232 }
01233
else
01234
return err;
01235 }
01236
else
01237 {
01238
enum rsbac_adf_req_ret_t result;
01239
01240 result =
rsbac_rc_check_type_comp(
T_IPC, value.
type_id,
RCR_ASSIGN, 0);
01241
if( ( (result ==
NOT_GRANTED)
01242 || (result ==
UNDEFINED)
01243 )
01244 && (err=
rsbac_rc_test_role_admin(
TRUE))
01245 )
01246 {
01247
rsbac_uid_t user;
01248
01249
if(!rsbac_get_owner(&user))
01250 {
01251
#ifdef CONFIG_RSBAC_RMSG
01252
rsbac_printk(KERN_INFO
01253
"rsbac_rc_sys_set_item(): changing def_ipc_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01254 tid.
role,
01255 value.
type_id,
01256 user);
01257
#endif
01258
#ifndef CONFIG_RSBAC_RMSG_EXCL
01259
01260
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01261
if (!rsbac_nosyslog)
01262
#endif
01263
printk(KERN_INFO
01264
"rsbac_rc_sys_set_item(): changing def_ipc_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01265 tid.
role,
01266 value.
type_id,
01267 user);
01268
#endif
01269
}
01270
#ifdef CONFIG_RSBAC_SOFTMODE
01271
if( !rsbac_softmode
01272
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01273
&& !rsbac_ind_softmode[
RC]
01274
#endif
01275
)
01276
#endif
01277
return -EPERM;
01278 }
01279 }
01280
break;
01281
01282
case RI_type_comp_fd:
01283
case RI_type_comp_dev:
01284
case RI_type_comp_user:
01285
case RI_type_comp_process:
01286
case RI_type_comp_ipc:
01287
case RI_type_comp_scd:
01288
case RI_type_comp_netdev:
01289
case RI_type_comp_nettemp:
01290
case RI_type_comp_netobj:
01291 {
01292
union rsbac_rc_item_value_t old_value, my_value;
01293
union rsbac_target_id_t i_tid;
01294
union rsbac_attribute_value_t i_attr_val1;
01295
union rsbac_rc_target_id_t i_rc_tid;
01296
01297
if(target !=
RT_ROLE)
01298
return -
RSBAC_EINVALIDATTR;
01299
if(!
rsbac_rc_test_role_admin(
TRUE))
01300
break;
01301
01302
if((err=
rsbac_rc_test_admin_roles(tid.
role,
TRUE)))
01303 {
01304
if(err == -EPERM)
01305 {
01306
rsbac_uid_t user;
01307
char tmp[80];
01308
01309
if(!rsbac_get_owner(&user))
01310 {
01311
#ifdef CONFIG_RSBAC_RMSG
01312
rsbac_printk(KERN_INFO
01313
"rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - not in admin_roles!\n",
01314
get_rc_item_name(tmp, item),
01315 tid.
role,
01316 current->pid,
01317 user);
01318
#endif
01319
#ifndef CONFIG_RSBAC_RMSG_EXCL
01320
01321
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01322
if (!rsbac_nosyslog)
01323
#endif
01324
printk(KERN_INFO
01325
"rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - not in admin_roles!\n",
01326
get_rc_item_name(tmp, item),
01327 tid.
role,
01328 current->pid,
01329 user);
01330
#endif
01331
}
01332
#ifdef CONFIG_RSBAC_SOFTMODE
01333
if( !rsbac_softmode
01334
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01335
&& !rsbac_ind_softmode[
RC]
01336
#endif
01337
)
01338
#endif
01339
return err;
01340 }
01341
else
01342
return err;
01343 }
01344
01345
01346
01347 err =
rsbac_rc_get_item(target, tid, subtid, item, &old_value,
NULL);
01348
if(err)
01349
return(err);
01350
01351
01352 i_tid.
process = current->pid;
01353
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
01354 i_tid,
01355
A_rc_role,
01356 &i_attr_val1,
01357
TRUE)))
01358 {
01359 rsbac_ds_get_error(
"rsbac_rc_sys_set_item()",
A_rc_role);
01360
return err;
01361 }
01362
01363 i_rc_tid.
role = i_attr_val1.
rc_role;
01364
if ((err=
rsbac_rc_get_item(
RT_ROLE,
01365 i_rc_tid,
01366 subtid,
01367 item,
01368 &my_value,
01369
NULL)))
01370 {
01371 rsbac_rc_ds_get_error(
"rsbac_rc_sys_set_item()", item);
01372
return err;
01373 }
01374
01375
01376
if(
01377 ( ( (old_value.
rights &
RSBAC_ALL_REQUEST_VECTOR)
01378 != (value.
rights &
RSBAC_ALL_REQUEST_VECTOR)
01379 )
01380 && (!(my_value.
rights &
RSBAC_RC_RIGHTS_VECTOR(
RCR_ACCESS_CONTROL)))
01381 )
01382 ||
01383
01384 ( ( (old_value.
rights &
RSBAC_RC_SPECIAL_RIGHTS_VECTOR)
01385 != (value.
rights &
RSBAC_RC_SPECIAL_RIGHTS_VECTOR)
01386 )
01387 && (!(my_value.
rights &
RSBAC_RC_RIGHTS_VECTOR(
RCR_SUPERVISOR)))
01388 )
01389 )
01390 {
01391
01392
if((err=
rsbac_rc_test_role_admin(
TRUE)))
01393 {
01394
if(err == -EPERM)
01395 {
01396
rsbac_uid_t user;
01397
char tmp[80];
01398
01399
if(!rsbac_get_owner(&user))
01400 {
01401
#ifdef CONFIG_RSBAC_RMSG
01402
rsbac_printk(KERN_INFO
01403
"rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - insufficent rights!\n",
01404
get_rc_item_name(tmp, item),
01405 tid.
role,
01406 current->pid,
01407 user);
01408
#endif
01409
#ifndef CONFIG_RSBAC_RMSG_EXCL
01410
01411
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01412
if (!rsbac_nosyslog)
01413
#endif
01414
printk(KERN_INFO
01415
"rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - insufficent rights!\n",
01416
get_rc_item_name(tmp, item),
01417 tid.
role,
01418 current->pid,
01419 user);
01420
#endif
01421
}
01422
#ifdef CONFIG_RSBAC_SOFTMODE
01423
if( !rsbac_softmode
01424
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01425
&& !rsbac_ind_softmode[
RC]
01426
#endif
01427
)
01428
#endif
01429
return err;
01430 }
01431
else
01432
return err;
01433 }
01434 }
01435 }
01436
break;
01437
01438
default:
01439
return -
RSBAC_EINVALIDATTR;
01440 }
01441 }
01442
#endif
01443
01444
01445
return(
rsbac_rc_set_item(target, tid, subtid, item, value, ttl));
01446 };
01447
01448
01449 int rsbac_rc_sys_change_role (
rsbac_rc_role_id_t role)
01450 {
01451
union rsbac_target_id_t i_tid;
01452
union rsbac_attribute_value_t i_attr_val1;
01453
#if !defined(CONFIG_RSBAC_MAINT)
01454
#ifdef CONFIG_RSBAC_SWITCH
01455
if(rsbac_switch_rc)
01456
#endif
01457
{
01458
int err;
01459
union rsbac_rc_target_id_t i_rc_subtid;
01460
01461 i_tid.
process = current->pid;
01462
01463
if ((err=
rsbac_get_attr(
RC,
01464
T_PROCESS,
01465 i_tid,
01466
A_rc_role,
01467 &i_attr_val1,
01468
TRUE)))
01469 {
01470 printk(KERN_WARNING
01471
"rsbac_rc_sys_change_role(): rsbac_get_attr() returned error %i!\n",err);
01472
return err;
01473 }
01474
01475
01476 i_rc_subtid.
role = role;
01477
if (!
rsbac_rc_check_comp(i_attr_val1.
rc_role,
01478 i_rc_subtid,
01479
RI_role_comp,
01480 0))
01481 {
01482
rsbac_uid_t user;
01483
01484
if(!rsbac_get_owner(&user))
01485 {
01486
#ifdef CONFIG_RSBAC_RMSG
01487
rsbac_printk(KERN_INFO
01488
"rsbac_rc_sys_change role(): changing from role %u to %u denied for pid %u, user %u, role %u - roles not compatible!\n",
01489 i_attr_val1.
rc_role,
01490 role,
01491 i_tid.
process,
01492 user,
01493 i_attr_val1.
rc_role);
01494
#endif
01495
#ifndef CONFIG_RSBAC_RMSG_EXCL
01496
01497
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01498
if (!rsbac_nosyslog)
01499
#endif
01500
printk(KERN_INFO
01501
"rsbac_rc_sys_change role(): changing from role %u to %u denied for pid %u, user %u, role %u - roles not compatible!\n",
01502 i_attr_val1.
rc_role,
01503 role,
01504 i_tid.
process,
01505 user,
01506 i_attr_val1.
rc_role);
01507
#endif
01508
}
01509
#ifdef CONFIG_RSBAC_SOFTMODE
01510
if( !rsbac_softmode
01511
#ifdef CONFIG_RSBAC_SOFTMODE_IND
01512
&& !rsbac_ind_softmode[
RC]
01513
#endif
01514
)
01515
#endif
01516
return -EPERM;
01517 }
01518 }
01519
#endif
01520
01521
01522 i_tid.
process = current->pid;
01523 i_attr_val1.
rc_role = role;
01524
if (
rsbac_set_attr(
RC,
T_PROCESS,
01525 i_tid,
01526
A_rc_role,
01527 i_attr_val1))
01528 {
01529 printk(KERN_WARNING
"rsbac_rc_sys_change_role(): rsbac_set_attr() returned error!\n");
01530
return(-
RSBAC_EWRITEFAILED);
01531 }
01532
01533
return(0);
01534 };
01535
01536
01537 int rsbac_rc_sys_get_eff_rights (
enum rsbac_target_t target,
01538
union rsbac_target_id_t tid,
01539
rsbac_rc_request_vector_t * request_vector,
01540
rsbac_time_t * ttl_p)
01541 {
01542
union rsbac_target_id_t i_tid;
01543
enum rsbac_attribute_t i_attr =
A_none;
01544
union rsbac_attribute_value_t i_attr_val1;
01545
union rsbac_attribute_value_t i_attr_val2;
01546
int err;
01547
enum rsbac_rc_item_t i_rc_item;
01548
union rsbac_rc_target_id_t i_rc_tid;
01549
union rsbac_rc_target_id_t i_rc_subtid;
01550
union rsbac_rc_item_value_t i_rc_item_val1;
01551
01552 i_tid.
process = current->pid;
01553
01554
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
01555 i_tid,
01556
A_rc_role,
01557 &i_attr_val1,
01558
TRUE)))
01559 {
01560 printk(KERN_WARNING
01561
"rsbac_rc_sys_get_eff_rights(): rsbac_get_attr() returned error %i!\n",err);
01562
return -
RSBAC_EREADFAILED;
01563 }
01564
01565
switch(target)
01566 {
01567
case T_FILE:
01568
case T_DIR:
01569
case T_FIFO:
01570
case T_SYMLINK:
01571 i_attr =
A_rc_type_fd;
01572 i_rc_item =
RI_type_comp_fd;
01573
break;
01574
case T_DEV:
01575 i_attr =
A_rc_type;
01576 i_rc_item =
RI_type_comp_dev;
01577
break;
01578
case T_IPC:
01579 i_attr =
A_rc_type;
01580 i_rc_item =
RI_type_comp_ipc;
01581
break;
01582
case T_PROCESS:
01583 i_attr =
A_rc_type;
01584 i_rc_item =
RI_type_comp_process;
01585
break;
01586
case T_SCD:
01587
if(tid.
scd >=
RST_none)
01588
return -
RSBAC_EINVALIDTARGET;
01589 i_rc_item =
RI_type_comp_scd;
01590
break;
01591
case T_NETDEV:
01592 i_attr =
A_rc_type;
01593 i_rc_item =
RI_type_comp_netdev;
01594
break;
01595
case T_NETTEMP:
01596 i_attr =
A_rc_type_nt;
01597 i_rc_item =
RI_type_comp_nettemp;
01598
break;
01599
case T_NETOBJ:
01600 i_attr =
A_rc_type;
01601 i_rc_item =
RI_type_comp_netobj;
01602
break;
01603
default:
01604
return -
RSBAC_EINVALIDTARGET;
01605 }
01606
01607
if(target ==
T_SCD)
01608 {
01609 i_attr_val2.
rc_type = tid.
scd;
01610 }
01611
else
01612 {
01613
if ((err=
rsbac_get_attr(
RC,
01614 target,
01615 tid,
01616 i_attr,
01617 &i_attr_val2,
01618
TRUE)))
01619 {
01620 printk(KERN_WARNING
01621
"rsbac_rc_sys_get_eff_rights(): rsbac_get_attr() returned error %i!\n",err);
01622
return -
RSBAC_EREADFAILED;
01623 }
01624 }
01625
01626 i_rc_tid.
role = i_attr_val1.
rc_role;
01627 i_rc_subtid.
type = i_attr_val2.
rc_type;
01628
if ((err=
rsbac_rc_get_item(
RT_ROLE,
01629 i_rc_tid,
01630 i_rc_subtid,
01631 i_rc_item,
01632 &i_rc_item_val1,
01633 ttl_p)))
01634 {
01635 printk(KERN_WARNING
01636
"rsbac_rc_sys_get_eff_rights(): rsbac_rc_get_item() returned error %i!\n",err);
01637
return -
RSBAC_EREADFAILED;
01638 }
01639
01640 *request_vector = i_rc_item_val1.
rights;
01641
01642
return(0);
01643 };
01644
01645 int rsbac_rc_sys_get_current_role (
rsbac_rc_role_id_t * role_p)
01646 {
01647
union rsbac_target_id_t i_tid;
01648
union rsbac_attribute_value_t i_attr_val1;
01649
int err;
01650
01651
01652 i_tid.
process = current->pid;
01653
if ((err=
rsbac_get_attr(
RC,
T_PROCESS,
01654 i_tid,
01655
A_rc_role,
01656 &i_attr_val1,
01657
TRUE)))
01658 {
01659 printk(KERN_WARNING
01660
"rsbac_rc_sys_get_current_role(): rsbac_get_attr() returned error %i!\n",err);
01661
return -
RSBAC_EREADFAILED;
01662 }
01663 *role_p = i_attr_val1.
rc_role;
01664
01665
return(0);
01666 };
01667
01668