00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
#include <linux/string.h>
00013
#include <rsbac/types.h>
00014
#include <rsbac/aci.h>
00015
#include <rsbac/adf_main.h>
00016
#include <rsbac/error.h>
00017
#include <rsbac/helpers.h>
00018
#include <rsbac/getname.h>
00019
#include <rsbac/network.h>
00020
#include <rsbac/debug.h>
00021
00022
00023
00024
00025
00026
00027
00028
00029
00030
static rsbac_jail_id_t
00031 jail_get_id(
enum rsbac_target_t target,
00032
union rsbac_target_id_t tid)
00033 {
00034
int err;
00035
union rsbac_attribute_value_t i_attr_val1;
00036
00037
if ((err=
rsbac_get_attr(
JAIL,
00038 target,
00039 tid,
00040
A_jail_id,
00041 &i_attr_val1,
00042
TRUE)))
00043 {
00044 rsbac_ds_get_error(
"jail_get_id()",
A_jail_id);
00045
return 0;
00046 }
00047
else
00048
return i_attr_val1.
jail_id;
00049 }
00050
00051
static rsbac_jail_id_t
00052 jail_get_id_process(
rsbac_pid_t pid)
00053 {
00054
int err;
00055
union rsbac_target_id_t i_tid;
00056
union rsbac_attribute_value_t i_attr_val1;
00057
00058 i_tid.
process = pid;
00059
if ((err=
rsbac_get_attr(
JAIL,
00060
T_PROCESS,
00061 i_tid,
00062
A_jail_id,
00063 &i_attr_val1,
00064
TRUE)))
00065 {
00066 rsbac_ds_get_error(
"jail_get_id_process()",
A_jail_id);
00067
return 0;
00068 }
00069
else
00070
return i_attr_val1.
jail_id;
00071 }
00072
00073
#if defined(CONFIG_RSBAC_NET_OBJ)
00074
static rsbac_jail_ip_t
00075 jail_get_ip_process(
rsbac_pid_t pid)
00076 {
00077
int err;
00078
union rsbac_target_id_t i_tid;
00079
union rsbac_attribute_value_t i_attr_val1;
00080
00081 i_tid.
process = pid;
00082
if ((err=
rsbac_get_attr(JAIL,
00083 T_PROCESS,
00084 i_tid,
00085 A_jail_ip,
00086 &i_attr_val1,
00087 TRUE)))
00088 {
00089 rsbac_ds_get_error(
"jail_get_ip_process()", A_jail_ip);
00090
return 0;
00091 }
00092
else
00093
return i_attr_val1.
jail_ip;
00094 }
00095
#endif
00096
00097
static rsbac_jail_flags_t
00098 jail_get_flags_process(
rsbac_pid_t pid)
00099 {
00100
int err;
00101
union rsbac_target_id_t i_tid;
00102
union rsbac_attribute_value_t i_attr_val1;
00103
00104 i_tid.
process = pid;
00105
if ((err=
rsbac_get_attr(
JAIL,
00106
T_PROCESS,
00107 i_tid,
00108
A_jail_flags,
00109 &i_attr_val1,
00110
TRUE)))
00111 {
00112 rsbac_ds_get_error(
"jail_get_flags_process()",
A_jail_flags);
00113
return 0;
00114 }
00115
else
00116
return i_attr_val1.
jail_flags;
00117 }
00118
00119
static enum rsbac_adf_req_ret_t
00120 jail_check_sysrole(
rsbac_uid_t owner,
enum rsbac_system_role_t role)
00121 {
00122
union rsbac_target_id_t i_tid;
00123
union rsbac_attribute_value_t i_attr_val1;
00124
00125 i_tid.
user = owner;
00126
if (
rsbac_get_attr(
JAIL,
00127
T_USER,
00128 i_tid,
00129
A_jail_role,
00130 &i_attr_val1,
00131
TRUE))
00132 {
00133 rsbac_ds_get_error(
"jail_check_sysrole()",
A_jail_role);
00134
return(
NOT_GRANTED);
00135 }
00136
00137
if (i_attr_val1.
system_role == role)
00138
return(
GRANTED);
00139
else
00140
return(
NOT_GRANTED);
00141 }
00142
00143
#if defined(CONFIG_RSBAC_NET_OBJ)
00144
enum rsbac_adf_req_ret_t
00145 jail_check_ip(
rsbac_pid_t pid,
union rsbac_target_id_t tid)
00146 {
00147
rsbac_jail_ip_t jail_ip;
00148
rsbac_jail_flags_t jail_flags;
00149
00150
if(!tid.
netobj.
sock_p)
00151 {
00152
#ifdef CONFIG_RSBAC_RMSG
00153
rsbac_printk(KERN_WARNING
00154
"jail_check_ip(): NULL sock_p!\n");
00155
#endif
00156
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00157
if (!rsbac_nosyslog)
00158
#endif
00159
printk(KERN_WARNING
00160
"jail_check_ip(): NULL sock_p!\n");
00161
return NOT_GRANTED;
00162 }
00163
switch(tid.
netobj.
sock_p->ops->family)
00164 {
00165
case AF_UNIX:
00166
return(
GRANTED);
00167
00168
case AF_INET:
00169
switch(tid.
netobj.
sock_p->type)
00170 {
00171
case SOCK_STREAM:
00172
case SOCK_DGRAM:
00173
case SOCK_RDM:
00174 jail_ip = jail_get_ip_process(pid);
00175
if(jail_ip == INADDR_ANY)
00176
return GRANTED;
00177 jail_flags =
jail_get_flags_process(pid);
00178
if(tid.
netobj.
local_addr)
00179 {
00180
struct sockaddr_in * addr = tid.
netobj.
local_addr;
00181
00182
if( (jail_ip == addr->sin_addr.s_addr)
00183 || ( (jail_flags &
JAIL_allow_inet_localhost)
00184 && (addr->sin_addr.s_addr ==
RSBAC_JAIL_LOCALHOST)
00185 )
00186
#if defined(CONFIG_RSBAC_JAIL_NET_ADJUST)
00187
|| ( (jail_flags &
JAIL_auto_adjust_inet_any)
00188 && (addr->sin_addr.s_addr == INADDR_ANY)
00189 )
00190
#endif
00191
)
00192
return GRANTED;
00193
else
00194 {
00195
#ifdef CONFIG_RSBAC_DEBUG
00196
if(rsbac_debug_adf_jail)
00197 {
00198
#ifdef CONFIG_RSBAC_RMSG
00199
rsbac_printk(KERN_DEBUG
00200
"jail_check_ip(): local_addr does not match jail_ip -> NOT_GRANTED!\n");
00201
#endif
00202
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00203
if (!rsbac_nosyslog)
00204
#endif
00205
printk(KERN_DEBUG
00206
"jail_check_ip(): local_addr does not match jail_ip -> NOT_GRANTED!\n");
00207 }
00208
#endif
00209
return NOT_GRANTED;
00210 }
00211 }
00212
else
00213
if( (tid.
netobj.
remote_addr)
00214 && (jail_flags &
JAIL_allow_inet_localhost)
00215 && ( ((
struct sockaddr_in *) tid.
netobj.
remote_addr)->sin_addr.s_addr
00216 ==
RSBAC_JAIL_LOCALHOST)
00217 )
00218
return GRANTED;
00219
else
00220 {
00221
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00222
if( ( (jail_ip == inet_sk(tid.
netobj.
sock_p->sk)->rcv_saddr)
00223 && (jail_ip == inet_sk(tid.
netobj.
sock_p->sk)->saddr)
00224 )
00225 || ( (jail_flags &
JAIL_allow_inet_localhost)
00226 && ( (inet_sk(tid.
netobj.
sock_p->sk)->saddr ==
RSBAC_JAIL_LOCALHOST)
00227 || (inet_sk(tid.
netobj.
sock_p->sk)->daddr ==
RSBAC_JAIL_LOCALHOST)
00228 )
00229 )
00230
#if defined(CONFIG_RSBAC_JAIL_NET_ADJUST)
00231
|| ( (jail_flags &
JAIL_auto_adjust_inet_any)
00232 && (inet_sk(tid.
netobj.
sock_p->sk)->rcv_saddr == INADDR_ANY)
00233 && (inet_sk(tid.
netobj.
sock_p->sk)->saddr == INADDR_ANY)
00234 )
00235
#endif
00236
)
00237
#else
00238
if( ( (jail_ip == tid.
netobj.
sock_p->sk->rcv_saddr)
00239 && (jail_ip == tid.
netobj.
sock_p->sk->saddr)
00240 )
00241 || ( (jail_flags &
JAIL_allow_inet_localhost)
00242 && ( (tid.
netobj.
sock_p->sk->saddr ==
RSBAC_JAIL_LOCALHOST)
00243 || (tid.
netobj.
sock_p->sk->daddr ==
RSBAC_JAIL_LOCALHOST)
00244 )
00245 )
00246
#if defined(CONFIG_RSBAC_JAIL_NET_ADJUST)
00247
|| ( (jail_flags &
JAIL_auto_adjust_inet_any)
00248 && (tid.
netobj.
sock_p->sk->rcv_saddr == INADDR_ANY)
00249 && (tid.
netobj.
sock_p->sk->saddr == INADDR_ANY)
00250 )
00251
#endif
00252
)
00253
#endif
00254
return GRANTED;
00255
else
00256 {
00257
#ifdef CONFIG_RSBAC_DEBUG
00258
if(rsbac_debug_adf_jail)
00259 {
00260
#ifdef CONFIG_RSBAC_RMSG
00261
rsbac_printk(KERN_DEBUG
00262
"jail_check_ip(): sk->rcv_saddr or sk->saddr does not match jail_ip -> NOT_GRANTED!\n");
00263
#endif
00264
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00265
if (!rsbac_nosyslog)
00266
#endif
00267
printk(KERN_DEBUG
00268
"jail_check_ip(): sk->rcv_saddr or sk->saddr does not match jail_ip -> NOT_GRANTED!\n");
00269 }
00270
#endif
00271
return NOT_GRANTED;
00272 }
00273 }
00274
00275
case SOCK_RAW:
00276
if(
jail_get_flags_process(pid) &
JAIL_allow_inet_raw)
00277
return(
GRANTED);
00278
else
00279 {
00280
#ifdef CONFIG_RSBAC_DEBUG
00281
if(rsbac_debug_adf_jail)
00282 {
00283
#ifdef CONFIG_RSBAC_RMSG
00284
rsbac_printk(KERN_DEBUG
00285
"jail_check_ip(): network type is raw and allow_inet_raw is not set -> NOT_GRANTED!\n");
00286
#endif
00287
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00288
if (!rsbac_nosyslog)
00289
#endif
00290
printk(KERN_DEBUG
00291
"jail_check_ip(): network type is raw and allow_inet_raw is not set -> NOT_GRANTED!\n");
00292 }
00293
#endif
00294
return(
NOT_GRANTED);
00295 }
00296
00297
default:
00298
#ifdef CONFIG_RSBAC_DEBUG
00299
if(rsbac_debug_adf_jail)
00300 {
00301
#ifdef CONFIG_RSBAC_RMSG
00302
rsbac_printk(KERN_DEBUG
00303
"jail_check_ip(): network type not STREAM, DGRAM, RDM or RAW -> NOT_GRANTED!\n");
00304
#endif
00305
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00306
if (!rsbac_nosyslog)
00307
#endif
00308
printk(KERN_DEBUG
00309
"jail_check_ip(): network type not STREAM, DGRAM, RDM or RAW -> NOT_GRANTED!\n");
00310 }
00311
#endif
00312
return(
NOT_GRANTED);
00313 }
00314
00315
default:
00316
if(
jail_get_flags_process(pid) &
JAIL_allow_all_net_family)
00317
return(
GRANTED);
00318
else
00319 {
00320
#ifdef CONFIG_RSBAC_DEBUG
00321
if(rsbac_debug_adf_jail)
00322 {
00323
#ifdef CONFIG_RSBAC_RMSG
00324
rsbac_printk(KERN_DEBUG
00325
"jail_check_ip(): network family not UNIX or INET and allow_all_net_family not set -> NOT_GRANTED!\n");
00326
#endif
00327
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00328
if (!rsbac_nosyslog)
00329
#endif
00330
printk(KERN_DEBUG
00331
"jail_check_ip(): network family not UNIX or INET and allow_all_net_family not set -> NOT_GRANTED!\n");
00332 }
00333
#endif
00334
return NOT_GRANTED;
00335 }
00336 }
00337 }
00338
#endif
00339
00340
00341
00342
00343
00344
enum rsbac_adf_req_ret_t
00345 rsbac_adf_request_jail (
enum rsbac_adf_request_t request,
00346
rsbac_pid_t caller_pid,
00347
enum rsbac_target_t target,
00348
union rsbac_target_id_t tid,
00349
enum rsbac_attribute_t attr,
00350
union rsbac_attribute_value_t attr_val,
00351
rsbac_uid_t owner)
00352 {
00353
rsbac_jail_id_t jail_id;
00354
rsbac_jail_flags_t jail_flags;
00355
00356
switch (request)
00357 {
00358
case R_ADD_TO_KERNEL:
00359
case R_REMOVE_FROM_KERNEL:
00360
case R_SHUTDOWN:
00361
switch(target)
00362 {
00363
case T_NONE:
00364
if(
jail_get_id_process(caller_pid))
00365
return NOT_GRANTED;
00366
else
00367
return GRANTED;
00368
00369
00370
default:
00371
return(
DO_NOT_CARE);
00372 }
00373
case R_MOUNT:
00374
case R_UMOUNT:
00375
switch(target)
00376 {
00377
case T_FILE:
00378
case T_DIR:
00379
case T_DEV:
00380
if(
jail_get_id_process(caller_pid))
00381
return NOT_GRANTED;
00382
else
00383
return GRANTED;
00384
00385
00386
default:
00387
return(
DO_NOT_CARE);
00388 }
00389
case R_CREATE:
00390
switch(target)
00391 {
00392
case T_DIR:
00393
if(!
jail_get_id_process(caller_pid))
00394
return GRANTED;
00395
00396
if( (attr == A_create_data)
00397 && ( S_ISCHR(attr_val.create_data.mode)
00398 || S_ISBLK(attr_val.create_data.mode)
00399 )
00400 )
00401
return NOT_GRANTED;
00402
else
00403
return GRANTED;
00404
00405
case T_IPC:
00406
return GRANTED;
00407
00408
#ifdef CONFIG_RSBAC_NET_OBJ
00409
case T_NETTEMP:
00410
if(!
jail_get_id_process(caller_pid))
00411
return GRANTED;
00412
else
00413
return NOT_GRANTED;
00414
00415
case T_NETOBJ:
00416
if(!
jail_get_id_process(caller_pid))
00417
return GRANTED;
00418
if(!tid.
netobj.
sock_p)
00419 {
00420
#ifdef CONFIG_RSBAC_RMSG
00421
rsbac_printk(KERN_WARNING
00422
"rsbac_adf_request_jail(): NULL sock_p on CREATE!\n");
00423
#endif
00424
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00425
if (!rsbac_nosyslog)
00426
#endif
00427
printk(KERN_WARNING
00428
"rsbac_adf_request_jail(): NULL sock_p on CREATE!\n");
00429
return NOT_GRANTED;
00430 }
00431
switch(tid.
netobj.
sock_p->ops->family)
00432 {
00433
case AF_UNIX:
00434
return(
GRANTED);
00435
00436
case AF_INET:
00437
switch(tid.
netobj.
sock_p->type)
00438 {
00439
case SOCK_STREAM:
00440
case SOCK_DGRAM:
00441
case SOCK_RDM:
00442
if( tid.
netobj.
sock_p->sk
00443
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00444
&& (tid.
netobj.
sock_p->sk->sk_protocol == IPPROTO_RAW)
00445
#else
00446
&& (tid.
netobj.
sock_p->sk->protocol == IPPROTO_RAW)
00447
#endif
00448
)
00449 {
00450 jail_flags =
jail_get_flags_process(caller_pid);
00451
if(jail_flags &
JAIL_allow_inet_raw)
00452
return(
GRANTED);
00453
else
00454
return NOT_GRANTED;
00455 }
00456
else
00457
return GRANTED;
00458
00459
case SOCK_RAW:
00460 jail_flags =
jail_get_flags_process(caller_pid);
00461
if(jail_flags &
JAIL_allow_inet_raw)
00462
return(
GRANTED);
00463
else
00464
return NOT_GRANTED;
00465
00466
default:
00467
return(
NOT_GRANTED);
00468 }
00469
00470
default:
00471 jail_flags =
jail_get_flags_process(caller_pid);
00472
if(jail_flags &
JAIL_allow_all_net_family)
00473
return(
GRANTED);
00474
else
00475
return(
NOT_GRANTED);
00476 }
00477
#endif
00478
00479
00480
default:
return(
DO_NOT_CARE);
00481 }
00482
00483
case R_DELETE:
00484
switch(target)
00485 {
00486
case T_IPC:
00487 jail_id =
jail_get_id_process(caller_pid);
00488
if( !jail_id
00489 || (jail_id ==
jail_get_id(target,tid))
00490 || (
jail_get_flags_process(caller_pid) &
JAIL_allow_external_ipc)
00491 )
00492
return GRANTED;
00493
else
00494
return NOT_GRANTED;
00495
00496
#ifdef CONFIG_RSBAC_NET_OBJ
00497
case T_NETTEMP:
00498
if(!
jail_get_id_process(caller_pid))
00499
return GRANTED;
00500
else
00501
return NOT_GRANTED;
00502
#endif
00503
00504
default:
return(
DO_NOT_CARE);
00505 }
00506
00507
case R_MODIFY_ATTRIBUTE:
00508
switch(attr)
00509 {
00510
case A_system_role:
00511
case A_jail_role:
00512
case A_jail_id:
00513
case A_jail_ip:
00514
case A_jail_flags:
00515
case A_jail_max_caps:
00516
00517
case A_none:
00518
if(
jail_get_id_process(caller_pid))
00519
return NOT_GRANTED;
00520
00521
00522
return jail_check_sysrole(owner,
SR_security_officer);
00523
00524
default:
00525
return(
DO_NOT_CARE);
00526 }
00527
00528
case R_READ_ATTRIBUTE:
00529
switch(attr)
00530 {
00531
case A_system_role:
00532
case A_jail_role:
00533
case A_jail_id:
00534
case A_jail_ip:
00535
case A_jail_flags:
00536
case A_jail_max_caps:
00537
00538
case A_none:
00539
if(
jail_get_id_process(caller_pid))
00540
return NOT_GRANTED;
00541
00542
00543
if(
jail_check_sysrole(owner,
SR_administrator) ==
NOT_GRANTED)
00544
return jail_check_sysrole(owner,
SR_security_officer);
00545
else
00546
return GRANTED;
00547
00548
default:
00549
return(
DO_NOT_CARE);
00550 }
00551
00552
case R_SEND_SIGNAL:
00553
case R_TRACE:
00554
if (target ==
T_PROCESS)
00555 {
00556 jail_id =
jail_get_id_process(caller_pid);
00557
if( !jail_id
00558 || (jail_id ==
jail_get_id(target,tid))
00559 )
00560
return GRANTED;
00561
else
00562
return NOT_GRANTED;
00563 }
00564
else
00565
return(
DO_NOT_CARE);
00566
00567
case R_MODIFY_PERMISSIONS_DATA:
00568
switch(target)
00569 {
00570
00571
case T_FILE:
00572
case T_DIR:
00573
case T_FIFO:
00574
case T_SYMLINK:
00575
if(
jail_get_id_process(caller_pid)
00576 && (attr == A_mode)
00577 && (attr_val.mode & (S_ISUID | S_ISGID))
00578 )
00579
return NOT_GRANTED;
00580
else
00581
return GRANTED;
00582
00583
case T_IPC:
00584 jail_id =
jail_get_id_process(caller_pid);
00585
if( !jail_id
00586 || (jail_id ==
jail_get_id(target,tid))
00587 || (
jail_get_flags_process(caller_pid) &
JAIL_allow_external_ipc)
00588 )
00589
return GRANTED;
00590
else
00591
return NOT_GRANTED;
00592
00593
case T_SCD:
00594
#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE
00595
00596
case T_NONE:
00597
#endif
00598
if(
jail_get_id_process(caller_pid))
00599
return NOT_GRANTED;
00600
else
00601
return GRANTED;
00602
00603
00604
default:
return(
DO_NOT_CARE);
00605 }
00606
00607
case R_GET_STATUS_DATA:
00608
switch(target)
00609 {
00610
case T_PROCESS:
00611 jail_id =
jail_get_id_process(caller_pid);
00612
if( !jail_id
00613 || (jail_id ==
jail_get_id(target,tid))
00614 )
00615
return GRANTED;
00616
else
00617
return NOT_GRANTED;
00618
00619
case T_IPC:
00620 jail_id =
jail_get_id_process(caller_pid);
00621
if( !jail_id
00622 || (jail_id ==
jail_get_id(target,tid))
00623 || (
jail_get_flags_process(caller_pid) &
JAIL_allow_external_ipc)
00624 )
00625
return GRANTED;
00626
else
00627
return NOT_GRANTED;
00628
00629
case T_SCD:
00630
if(
jail_get_id_process(caller_pid))
00631 {
00632
00633
if (tid.
scd ==
ST_rlimit)
00634
return(
GRANTED);
00635
else
00636
return NOT_GRANTED;
00637 }
00638
else
00639
return GRANTED;
00640
00641
00642
default:
return(
DO_NOT_CARE);
00643 }
00644
00645
case R_MODIFY_SYSTEM_DATA:
00646
switch(target)
00647 {
00648
case T_SCD:
00649
if(
jail_get_id_process(caller_pid))
00650 {
00651 jail_flags =
jail_get_flags_process(caller_pid);
00652
00653
00654
if ( (tid.
scd ==
ST_rlimit)
00655 && (jail_flags &
JAIL_allow_rlimit)
00656 )
00657
return(
GRANTED);
00658
else
00659
00660
if ( (tid.
scd ==
ST_clock)
00661 && (jail_flags &
JAIL_allow_clock)
00662 )
00663
return(
GRANTED);
00664
else
00665
return NOT_GRANTED;
00666 }
00667
else
00668
return GRANTED;
00669
00670
case T_PROCESS:
00671 jail_id =
jail_get_id_process(caller_pid);
00672
if(!jail_id)
00673
return GRANTED;
00674
if( attr == A_kernel_thread
00675 && (attr_val.kernel_thread)
00676 )
00677
return NOT_GRANTED;
00678
if(jail_id !=
jail_get_id(target,tid))
00679
return NOT_GRANTED;
00680
return GRANTED;
00681
00682
#ifdef CONFIG_RSBAC_JAIL_NET_DEV_PROT
00683
case T_NETDEV:
00684
if(
jail_get_id_process(caller_pid))
00685
return NOT_GRANTED;
00686
else
00687
return GRANTED;
00688
#endif
00689
00690
00691
default:
return(
DO_NOT_CARE);
00692 }
00693
00694
case R_READ:
00695
switch(target)
00696 {
00697
#ifdef CONFIG_RSBAC_RW
00698
case T_IPC:
00699 jail_id =
jail_get_id_process(caller_pid);
00700
if( !jail_id
00701 || (jail_id ==
jail_get_id(target,tid))
00702 || (
jail_get_flags_process(caller_pid) &
JAIL_allow_external_ipc)
00703 )
00704
return GRANTED;
00705
else
00706
return NOT_GRANTED;
00707
#endif
00708
#if defined(CONFIG_RSBAC_NET_OBJ)
00709
case T_NETTEMP:
00710
if(
jail_get_id_process(caller_pid))
00711
return NOT_GRANTED;
00712
if(
jail_check_sysrole(owner,
SR_security_officer) ==
GRANTED)
00713
return GRANTED;
00714
return jail_check_sysrole(owner,
SR_administrator);
00715
00716
case T_NETOBJ:
00717
if(!
jail_get_id_process(caller_pid))
00718
return GRANTED;
00719
return(jail_check_ip(caller_pid, tid));
00720
#endif
00721
00722
00723
default:
return(
DO_NOT_CARE);
00724 }
00725
00726
case R_SWITCH_LOG:
00727
switch(target)
00728 {
00729
case T_NONE:
00730
if(
jail_get_id_process(caller_pid))
00731
return NOT_GRANTED;
00732
00733
return jail_check_sysrole(owner,
SR_security_officer);
00734
00735
00736
default:
return(
DO_NOT_CARE);
00737 }
00738
00739
case R_SWITCH_MODULE:
00740
switch(target)
00741 {
00742
case T_NONE:
00743
00744
if(attr != A_switch_target)
00745
return(
UNDEFINED);
00746
00747
if( (attr_val.switch_target !=
JAIL)
00748
#ifdef CONFIG_RSBAC_SOFTMODE
00749
&& (attr_val.switch_target !=
SOFTMODE)
00750
#endif
00751
)
00752
return(
DO_NOT_CARE);
00753
if(
jail_get_id_process(caller_pid))
00754
return NOT_GRANTED;
00755
00756
return jail_check_sysrole(owner,
SR_security_officer);
00757
00758
00759
default:
return(
DO_NOT_CARE);
00760 }
00761
00762
case R_WRITE:
00763
switch(target)
00764 {
00765
#ifdef CONFIG_RSBAC_RW
00766
case T_IPC:
00767 jail_id =
jail_get_id_process(caller_pid);
00768
if( !jail_id
00769 || (jail_id ==
jail_get_id(target,tid))
00770 || (
jail_get_flags_process(caller_pid) &
JAIL_allow_external_ipc)
00771 )
00772
return GRANTED;
00773
else
00774
return NOT_GRANTED;
00775
#endif
00776
00777
#if defined(CONFIG_RSBAC_NET_OBJ)
00778
case T_NETTEMP:
00779
if(
jail_get_id_process(caller_pid))
00780
return NOT_GRANTED;
00781
return DO_NOT_CARE;
00782
00783
case T_NETOBJ:
00784
if(!
jail_get_id_process(caller_pid))
00785
return GRANTED;
00786
return(jail_check_ip(caller_pid, tid));
00787
#endif
00788
00789
00790
default:
return(
DO_NOT_CARE);
00791 }
00792
00793
#ifdef CONFIG_RSBAC_NET
00794
case R_BIND:
00795
switch(target)
00796 {
00797
#ifdef CONFIG_RSBAC_JAIL_NET_DEV_PROT
00798
case T_NETDEV:
00799
if(
jail_get_id_process(caller_pid))
00800
return NOT_GRANTED;
00801
else
00802
return GRANTED;
00803
#endif
00804
#ifdef CONFIG_RSBAC_NET_OBJ
00805
case T_NETOBJ:
00806
if(!
jail_get_id_process(caller_pid))
00807
return GRANTED;
00808
return(jail_check_ip(caller_pid, tid));
00809
#endif
00810
00811
default:
00812
return(
DO_NOT_CARE);
00813 }
00814
#endif
00815
#ifdef CONFIG_RSBAC_NET_OBJ
00816
case R_CONNECT:
00817
case R_LISTEN:
00818
case R_ACCEPT:
00819
case R_SEND:
00820
case R_RECEIVE:
00821
switch(target)
00822 {
00823
case T_NETOBJ:
00824
if(!
jail_get_id_process(caller_pid))
00825
return GRANTED;
00826
#if defined(CONFIG_RSBAC_NET_OBJ_UNIX)
00827
if( tid.
netobj.
sock_p
00828 && tid.
netobj.
sock_p->ops
00829 && (tid.
netobj.
sock_p->ops->family == AF_UNIX)
00830 && tid.
netobj.
sock_p->sk
00831
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00832
&& tid.
netobj.
sock_p->sk->sk_peercred.pid
00833
#else
00834
&& tid.
netobj.
sock_p->sk->peercred.pid
00835
#endif
00836
)
00837 {
00838
union rsbac_target_id_t i_tid;
00839
00840
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00841
i_tid.
process = tid.
netobj.
sock_p->sk->sk_peercred.pid;
00842
#else
00843
i_tid.
process = tid.
netobj.
sock_p->sk->peercred.pid;
00844
#endif
00845
jail_id =
jail_get_id_process(caller_pid);
00846
if( !jail_id
00847 || (jail_id ==
jail_get_id(
T_PROCESS,i_tid))
00848 )
00849
return GRANTED;
00850
else
00851
if(
jail_get_flags_process(caller_pid) &
JAIL_allow_external_ipc)
00852
return GRANTED;
00853
else
00854
return NOT_GRANTED;
00855 }
00856
else
00857
#endif
00858
return(jail_check_ip(caller_pid, tid));
00859
00860
00861
default:
00862
return(
DO_NOT_CARE);
00863 }
00864
#endif
00865
00866
default:
00867
00868
switch(target)
00869 {
00870
case T_IPC:
00871 jail_id =
jail_get_id_process(caller_pid);
00872
if( !jail_id
00873 || (jail_id ==
jail_get_id(target,tid))
00874 || (
jail_get_flags_process(caller_pid) &
JAIL_allow_external_ipc)
00875 )
00876
return GRANTED;
00877
else
00878
return NOT_GRANTED;
00879
00880
00881
default:
return(
DO_NOT_CARE);
00882 }
00883 }
00884 };
00885
00886
00887
00888
00889
00890
00891
00892
00893
00894
00895
00896
00897 int rsbac_adf_set_attr_jail(
00898
enum rsbac_adf_request_t request,
00899
rsbac_pid_t caller_pid,
00900
enum rsbac_target_t target,
00901
union rsbac_target_id_t tid,
00902
enum rsbac_target_t new_target,
00903
union rsbac_target_id_t new_tid,
00904
enum rsbac_attribute_t attr,
00905
union rsbac_attribute_value_t attr_val,
00906
rsbac_uid_t owner)
00907 {
00908
#ifdef CONFIG_RSBAC_JAIL_NET_ADJUST
00909
int err;
00910
#endif
00911
union rsbac_target_id_t i_tid;
00912
union rsbac_attribute_value_t i_attr_val1;
00913
union rsbac_attribute_value_t i_attr_val2;
00914
00915
switch (request)
00916 {
00917
case R_CHANGE_OWNER:
00918
switch(target)
00919 {
00920
case T_PROCESS:
00921
if(attr != A_owner)
00922
return(-
RSBAC_EINVALIDATTR);
00923
00924 i_tid.
process = caller_pid;
00925
#ifdef CONFIG_RSBAC_SOFTMODE
00926
if(!rsbac_softmode)
00927
#endif
00928
{
00929
if (
rsbac_get_attr(
JAIL,
00930
T_PROCESS,
00931 i_tid,
00932
A_jail_max_caps,
00933 &i_attr_val1,
00934
FALSE))
00935 {
00936 rsbac_ds_get_error(
"rsbac_adf_set_attr_jail()",
A_jail_max_caps);
00937 }
00938
else
00939 {
00940
extern spinlock_t task_capability_lock;
00941
00942
00943 spin_lock(&task_capability_lock);
00944 current->cap_permitted &= i_attr_val1.
jail_max_caps;
00945 current->cap_effective &= i_attr_val1.
jail_max_caps;
00946 current->cap_inheritable &= i_attr_val1.
jail_max_caps;
00947 spin_unlock(&task_capability_lock);
00948 }
00949 }
00950
return 0;
00951
00952
00953
default:
00954
return(0);
00955 }
00956
00957
case R_CLONE:
00958
if (target ==
T_PROCESS)
00959 {
00960
union rsbac_attribute_value_t i_attr_val3;
00961
union rsbac_attribute_value_t i_attr_val4;
00962
00963
00964
if (
rsbac_get_attr(
JAIL,
00965
T_PROCESS,
00966 tid,
00967
A_jail_id,
00968 &i_attr_val1,
00969
FALSE))
00970 {
00971 rsbac_ds_get_error(
"rsbac_adf_set_attr_jail()",
A_jail_id);
00972
return(-
RSBAC_EREADFAILED);
00973 }
00974
00975
if (
rsbac_get_attr(
JAIL,
00976
T_PROCESS,
00977 tid,
00978
A_jail_ip,
00979 &i_attr_val2,
00980
FALSE))
00981 {
00982 rsbac_ds_get_error(
"rsbac_adf_set_attr_jail()",
A_jail_ip);
00983
return(-
RSBAC_EREADFAILED);
00984 }
00985
00986
if (
rsbac_get_attr(
JAIL,
00987
T_PROCESS,
00988 tid,
00989
A_jail_flags,
00990 &i_attr_val3,
00991
FALSE))
00992 {
00993 rsbac_ds_get_error(
"rsbac_adf_set_attr_jail()",
A_jail_flags);
00994
return(-
RSBAC_EREADFAILED);
00995 }
00996
00997
if (
rsbac_get_attr(
JAIL,
00998
T_PROCESS,
00999 tid,
01000
A_jail_max_caps,
01001 &i_attr_val4,
01002
FALSE))
01003 {
01004 rsbac_ds_get_error(
"rsbac_adf_set_attr_jail()",
A_jail_max_caps);
01005
return(-
RSBAC_EREADFAILED);
01006 }
01007
01008
if (
rsbac_set_attr(
JAIL,
01009
T_PROCESS,
01010 new_tid,
01011
A_jail_id,
01012 i_attr_val1))
01013 {
01014 rsbac_ds_set_error(
"rsbac_adf_set_attr_jail()",
A_jail_id);
01015
return(-
RSBAC_EWRITEFAILED);
01016 }
01017
01018
if (
rsbac_set_attr(
JAIL,
01019
T_PROCESS,
01020 new_tid,
01021
A_jail_ip,
01022 i_attr_val2))
01023 {
01024 rsbac_ds_set_error(
"rsbac_adf_set_attr_jail()",
A_jail_ip);
01025
return(-
RSBAC_EWRITEFAILED);
01026 }
01027
01028
if (
rsbac_set_attr(
JAIL,
01029
T_PROCESS,
01030 new_tid,
01031
A_jail_flags,
01032 i_attr_val3))
01033 {
01034 rsbac_ds_set_error(
"rsbac_adf_set_attr_jail()",
A_jail_flags);
01035
return(-
RSBAC_EWRITEFAILED);
01036 }
01037
01038
if (
rsbac_set_attr(
JAIL,
01039
T_PROCESS,
01040 new_tid,
01041
A_jail_max_caps,
01042 i_attr_val4))
01043 {
01044 rsbac_ds_set_error(
"rsbac_adf_set_attr_jail()",
A_jail_max_caps);
01045
return(-
RSBAC_EWRITEFAILED);
01046 }
01047
return(0);
01048 }
01049
else
01050
return(0);
01051
01052
case R_EXECUTE:
01053
switch(target)
01054 {
01055
case T_FILE:
01056
01057 i_tid.
process = caller_pid;
01058
#ifdef CONFIG_RSBAC_SOFTMODE
01059
if(!rsbac_softmode)
01060
#endif
01061
{
01062
if (
rsbac_get_attr(
JAIL,
01063
T_PROCESS,
01064 i_tid,
01065
A_jail_max_caps,
01066 &i_attr_val1,
01067
FALSE))
01068 {
01069 rsbac_ds_get_error(
"rsbac_adf_set_attr_jail()",
A_jail_max_caps);
01070 }
01071
else
01072 {
01073
extern spinlock_t task_capability_lock;
01074
01075
01076 spin_lock(&task_capability_lock);
01077 current->cap_permitted &= i_attr_val1.
jail_max_caps;
01078 current->cap_effective &= i_attr_val1.
jail_max_caps;
01079 current->cap_inheritable &= i_attr_val1.
jail_max_caps;
01080 spin_unlock(&task_capability_lock);
01081 }
01082 }
01083
return 0;
01084
01085
01086
default:
01087
return(0);
01088 }
01089
01090
case R_CREATE:
01091
if (target ==
T_IPC)
01092 {
01093
01094 i_tid.
process = caller_pid;
01095
if (
rsbac_get_attr(
JAIL,
01096
T_PROCESS,
01097 i_tid,
01098
A_jail_id,
01099 &i_attr_val1,
01100
FALSE))
01101 {
01102 rsbac_ds_get_error(
"rsbac_adf_set_attr_jail()",
A_jail_id);
01103
return(-
RSBAC_EREADFAILED);
01104 }
01105
01106
if (
rsbac_set_attr(
JAIL,
01107
T_IPC,
01108 tid,
01109
A_jail_id,
01110 i_attr_val1))
01111 {
01112 rsbac_ds_set_error(
"rsbac_adf_set_attr_jail()",
A_jail_id);
01113
return(-
RSBAC_EWRITEFAILED);
01114 }
01115
return(0);
01116 }
01117
01118
01119
#ifdef CONFIG_RSBAC_JAIL_NET_ADJUST
01120
case R_BIND:
01121
if(target !=
T_NETOBJ)
01122
return 0;
01123
if(!tid.
netobj.
sock_p)
01124 {
01125
#ifdef CONFIG_RSBAC_RMSG
01126
rsbac_printk(KERN_WARNING
01127
"rsbac_adf_set_attr_jail(): NULL sock_p!\n");
01128
return 0;
01129
#endif
01130
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01131
if (!rsbac_nosyslog)
01132
#endif
01133
printk(KERN_WARNING
01134
"rsbac_adf_set_attr_jail(): NULL sock_p!\n");
01135
return 0;
01136 }
01137
switch(tid.
netobj.
sock_p->ops->family)
01138 {
01139
case AF_INET:
01140 i_tid.
process = caller_pid;
01141
if ((err=
rsbac_get_attr(
JAIL,
01142
T_PROCESS,
01143 i_tid,
01144
A_jail_ip,
01145 &i_attr_val1,
01146
TRUE)))
01147 {
01148 rsbac_ds_get_error(
"rsbac_adf_set_attr_jail()",
A_jail_ip);
01149
return -
RSBAC_EREADFAILED;
01150 }
01151
if(i_attr_val1.
jail_ip == INADDR_ANY)
01152
return 0;
01153
if ((err=
rsbac_get_attr(
JAIL,
01154
T_PROCESS,
01155 i_tid,
01156
A_jail_flags,
01157 &i_attr_val2,
01158
TRUE)))
01159 {
01160 rsbac_ds_get_error(
"rsbac_adf_set_attr_jail()",
A_jail_flags);
01161
return -
RSBAC_EREADFAILED;
01162 }
01163
if(i_attr_val2.
jail_flags &
JAIL_auto_adjust_inet_any)
01164 {
01165
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01166
inet_sk(tid.
netobj.
sock_p->sk)->rcv_saddr = i_attr_val1.
jail_ip;
01167 inet_sk(tid.
netobj.
sock_p->sk)->saddr = i_attr_val1.
jail_ip;
01168
#else
01169
tid.
netobj.
sock_p->sk->rcv_saddr = i_attr_val1.
jail_ip;
01170 tid.
netobj.
sock_p->sk->saddr = i_attr_val1.
jail_ip;
01171
#endif
01172
}
01173
return 0;
01174
01175
default:
01176
break;
01177 }
01178
#endif
01179
return 0;
01180
01181
01182
default:
return(0);
01183 }
01184
01185
return(0);
01186 };
01187
01188