00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
#include <linux/string.h>
00013
#include <linux/binfmts.h>
00014
#include <rsbac/types.h>
00015
#include <rsbac/aci.h>
00016
#include <rsbac/adf_main.h>
00017
#include <rsbac/error.h>
00018
#include <rsbac/helpers.h>
00019
#include <rsbac/getname.h>
00020
#include <rsbac/pax_getname.h>
00021
#include <rsbac/debug.h>
00022
00023
00024
00025
00026
00027
00028
00029
00030
00031
00032
00033
00034
00035
00036
#if defined(CONFIG_RSBAC_PAX) && (defined(CONFIG_PAX_HAVE_ACL_FLAGS) || defined(CONFIG_PAX_HOOK_ACL_FLAGS))
00037
#if defined(CONFIG_PAX_HAVE_ACL_FLAGS)
00038
void pax_set_flags(
struct linux_binprm * bprm)
00039 #
else
00040
void rsbac_pax_set_flags_func(
struct linux_binprm * bprm)
00041 #endif
00042 {
00043
int err;
00044
union rsbac_target_id_t tid;
00045
union rsbac_attribute_value_t attr_val;
00046
00047 tid.file.device = bprm->file->f_dentry->d_sb->s_dev;
00048 tid.file.inode = bprm->file->f_dentry->d_inode->i_ino;
00049 tid.file.dentry_p = bprm->file->f_dentry;
00050 err =
rsbac_get_attr(PAX,
00051 T_FILE,
00052 tid,
00053 A_pax_flags,
00054 &attr_val,
00055 TRUE);
00056
if(!err)
00057 {
00058 pax_check_flags(&attr_val.
pax_flags);
00059
#ifdef CONFIG_RSBAC_DEBUG
00060
if(rsbac_debug_adf_pax)
00061 {
00062
#ifdef CONFIG_RSBAC_RMSG
00063
rsbac_printk(KERN_DEBUG
00064
"rsbac_pax_set_flags_func(): changing flags for process %u from %lx to %lx from device %02u:%02u inode %u\n",
00065 current->pid,
00066 current->flags & RSBAC_PAX_ALL_FLAGS,
00067 attr_val.
pax_flags,
00068 MAJOR(tid.file.device),MINOR(tid.file.device),
00069 tid.file.inode);
00070
#endif
00071
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00072
if (!rsbac_nosyslog)
00073
#endif
00074
printk(KERN_DEBUG
00075
"rsbac_pax_set_flags_func(): changing flags for process %u from %lx to %lx from device %02u:%02u inode %u\n",
00076 current->pid,
00077 current->flags & RSBAC_PAX_ALL_FLAGS,
00078 attr_val.
pax_flags,
00079 MAJOR(tid.file.device),MINOR(tid.file.device),
00080 tid.file.inode);
00081 }
00082
#endif
00083
00084 current->flags = (current->flags & ~
RSBAC_PAX_ALL_FLAGS) | attr_val.
pax_flags;
00085 }
00086
else
00087 {
00088
#ifdef CONFIG_RSBAC_RMSG
00089
rsbac_printk(KERN_WARNING
00090
"rsbac_pax_set_flags_func(): get_data for device %02u:%02u, inode %u returned error %i!\n",
00091 MAJOR(tid.file.device),
00092 MINOR(tid.file.device),
00093 tid.file.inode,
00094 err);
00095
#endif
00096
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00097
if (!rsbac_nosyslog)
00098
#endif
00099
printk(KERN_WARNING
00100
"rsbac_pax_set_flags_func(): get_data for device %02u:%02u, inode %u returned error %i!\n",
00101 MAJOR(tid.file.device),
00102 MINOR(tid.file.device),
00103 tid.file.inode,
00104 err);
00105 }
00106 }
00107
#endif
00108
00109
00110
enum rsbac_adf_req_ret_t
00111 rsbac_adf_request_pax (
enum rsbac_adf_request_t request,
00112
rsbac_pid_t caller_pid,
00113
enum rsbac_target_t target,
00114
union rsbac_target_id_t tid,
00115
enum rsbac_attribute_t attr,
00116
union rsbac_attribute_value_t attr_val,
00117
rsbac_uid_t owner)
00118 {
00119
union rsbac_target_id_t i_tid;
00120
union rsbac_attribute_value_t i_attr_val1;
00121
00122
switch (request)
00123 {
00124
case R_MODIFY_ATTRIBUTE:
00125
switch(attr)
00126 {
00127
case A_system_role:
00128
case A_pax_role:
00129
case A_pax_flags:
00130
#ifdef CONFIG_RSBAC_PAX_AUTH_PROT
00131
case A_auth_may_setuid:
00132
case A_auth_may_set_cap:
00133
case A_auth_start_uid:
00134
case A_auth_program_file:
00135
case A_auth_learn:
00136
case A_auth_add_f_cap:
00137
case A_auth_remove_f_cap:
00138
#endif
00139
00140
case A_none:
00141
00142 i_tid.
user = owner;
00143
if (
rsbac_get_attr(
PAX,
00144
T_USER,
00145 i_tid,
00146
A_pax_role,
00147 &i_attr_val1,
00148
TRUE))
00149 {
00150 rsbac_ds_get_error(
"rsbac_adf_request_pax()",
A_pax_role);
00151
return(
NOT_GRANTED);
00152 }
00153
00154
if (i_attr_val1.
system_role ==
SR_security_officer)
00155
return(
GRANTED);
00156
else
00157
return(
NOT_GRANTED);
00158
00159
default:
00160
return(
DO_NOT_CARE);
00161 }
00162
00163
case R_READ_ATTRIBUTE:
00164
switch(attr)
00165 {
00166
case A_system_role:
00167
case A_pax_role:
00168
case A_pax_flags:
00169
00170
case A_none:
00171
00172 i_tid.
user = owner;
00173
if (
rsbac_get_attr(
PAX,
00174
T_USER,
00175 i_tid,
00176
A_pax_role,
00177 &i_attr_val1,
00178
TRUE))
00179 {
00180 rsbac_ds_get_error(
"rsbac_adf_request_pax()",
A_pax_role);
00181
return(
NOT_GRANTED);
00182 }
00183
00184
if( (i_attr_val1.
system_role ==
SR_security_officer)
00185 || (i_attr_val1.
system_role ==
SR_administrator)
00186 )
00187
return(
GRANTED);
00188
else
00189
return(
NOT_GRANTED);
00190
00191
default:
00192
return(
DO_NOT_CARE);
00193 }
00194
00195
case R_SWITCH_LOG:
00196
switch(target)
00197 {
00198
case T_NONE:
00199
00200 i_tid.
user = owner;
00201
if (
rsbac_get_attr(
PAX,
00202
T_USER,
00203 i_tid,
00204
A_pax_role,
00205 &i_attr_val1,
00206
TRUE))
00207 {
00208 rsbac_ds_get_error(
"rsbac_adf_request_pax()",
A_pax_role);
00209
return(
NOT_GRANTED);
00210 }
00211
00212
if (i_attr_val1.
system_role ==
SR_security_officer)
00213
return(
GRANTED);
00214
else
00215
return(
NOT_GRANTED);
00216
00217
00218
default:
return(
DO_NOT_CARE);
00219 }
00220
00221
case R_SWITCH_MODULE:
00222
switch(target)
00223 {
00224
case T_NONE:
00225
00226
if(attr != A_switch_target)
00227
return(
UNDEFINED);
00228
00229
if( (attr_val.switch_target !=
PAX)
00230
#ifdef CONFIG_RSBAC_PAX_AUTH_PROT
00231
&& (attr_val.switch_target !=
AUTH)
00232
#endif
00233
#ifdef CONFIG_RSBAC_SOFTMODE
00234
&& (attr_val.switch_target !=
SOFTMODE)
00235
#endif
00236
)
00237
return(
DO_NOT_CARE);
00238
00239 i_tid.
user = owner;
00240
if (
rsbac_get_attr(
PAX,
00241
T_USER,
00242 i_tid,
00243
A_pax_role,
00244 &i_attr_val1,
00245
TRUE))
00246 {
00247 rsbac_ds_get_error(
"rsbac_adf_request_pax()",
A_pax_role);
00248
return(
NOT_GRANTED);
00249 }
00250
00251
if (i_attr_val1.
system_role ==
SR_security_officer)
00252
return(
GRANTED);
00253
else
00254
return(
NOT_GRANTED);
00255
00256
00257
default:
return(
DO_NOT_CARE);
00258 }
00259
00260
00261
default:
return DO_NOT_CARE;
00262 }
00263
00264
return(
DO_NOT_CARE);
00265 };
00266
00267
00268
00269
00270
00271
00272
00273
00274
00275
00276
00277
00278 int rsbac_adf_set_attr_pax(
00279
enum rsbac_adf_request_t request,
00280
rsbac_pid_t caller_pid,
00281
enum rsbac_target_t target,
00282
union rsbac_target_id_t tid,
00283
enum rsbac_target_t new_target,
00284
union rsbac_target_id_t new_tid,
00285
enum rsbac_attribute_t attr,
00286
union rsbac_attribute_value_t attr_val,
00287
rsbac_uid_t owner)
00288 {
00289
return 0;
00290 };
00291
00292