/daten/src/linux-2.4.27-rsbac-v1.2.3/rsbac/help/syscalls.c

Go to the documentation of this file.
00001 /*************************************************** */ 00002 /* Rule Set Based Access Control */ 00003 /* Implementation of RSBAC general system calls */ 00004 /* Author and (C) 1999-2004: Amon Ott <ao@rsbac.org> */ 00005 /* */ 00006 /* Last modified: 28/May/2004 */ 00007 /*************************************************** */ 00008 00009 #include <rsbac/types.h> 00010 #include <rsbac/aci.h> 00011 #include <rsbac/mac.h> 00012 #include <rsbac/pm.h> 00013 #include <rsbac/auth.h> 00014 #include <rsbac/acl.h> 00015 #include <rsbac/reg.h> 00016 #include <rsbac/error.h> 00017 #include <rsbac/debug.h> 00018 #include <rsbac/helpers.h> 00019 #include <rsbac/getname.h> 00020 #include <rsbac/network.h> 00021 #include <asm/segment.h> 00022 #include <asm/semaphore.h> 00023 #include <linux/sched.h> 00024 #include <linux/file.h> 00025 #include <rsbac/rkmem.h> 00026 #include <rsbac/gen_lists.h> 00027 #include <linux/smp_lock.h> 00028 #include <asm/uaccess.h> 00029 00030 #include <rsbac/adf.h> 00031 #include <rsbac/adf_main.h> 00032 #include <rsbac/adf_syshelpers.h> 00033 #include <rsbac/rc.h> 00034 #include <rsbac/syscalls.h> 00035 00036 #ifdef CONFIG_RSBAC_NET_OBJ 00037 #include <rsbac/network.h> 00038 #endif 00039 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 00040 #include <linux/namei.h> 00041 #endif 00042 00043 /************************************************************************** */ 00044 /* Global Variables */ 00045 /************************************************************************** */ 00046 00047 extern struct semaphore rsbac_write_sem; 00048 00049 /************************************************* */ 00050 /* Declarations */ 00051 /************************************************* */ 00052 00053 /************************************************* */ 00054 /* General functions */ 00055 /************************************************* */ 00056 00057 /* All functions return 0, if no error occurred, and a negative error code */ 00058 /* otherwise. The error codes are defined in rsbac/error.h. */ 00059 00060 int sys_rsbac_stats(void) 00061 { 00062 union rsbac_target_id_t rsbac_target_id; 00063 union rsbac_attribute_value_t rsbac_attribute_value; 00064 00065 #ifdef CONFIG_RSBAC_DEBUG 00066 if (rsbac_debug_aef) 00067 { 00068 #ifdef CONFIG_RSBAC_RMSG 00069 rsbac_printk(KERN_DEBUG "sys_rsbac_stats(): calling ADF\n"); 00070 #endif 00071 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00072 if (!rsbac_nosyslog) 00073 #endif 00074 printk(KERN_DEBUG "sys_rsbac_stats(): calling ADF\n"); 00075 } 00076 #endif 00077 rsbac_target_id.scd = ST_rsbac; 00078 rsbac_attribute_value.dummy = 0; 00079 if (!rsbac_adf_request(R_GET_STATUS_DATA, 00080 current->pid, 00081 T_SCD, 00082 rsbac_target_id, 00083 A_none, 00084 rsbac_attribute_value)) 00085 { 00086 return -EPERM; 00087 } 00088 00089 return(rsbac_stats()); 00090 }; 00091 00092 long sys_sync(void); 00093 00094 int sys_rsbac_check(int correct, int check_inode) 00095 { 00096 union rsbac_target_id_t rsbac_target_id; 00097 union rsbac_attribute_value_t rsbac_attribute_value; 00098 int result; 00099 00100 #ifdef CONFIG_RSBAC_DEBUG 00101 if (rsbac_debug_aef) 00102 { 00103 #ifdef CONFIG_RSBAC_RMSG 00104 rsbac_printk(KERN_DEBUG "sys_rsbac_check(): calling ADF\n"); 00105 #endif 00106 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00107 if (!rsbac_nosyslog) 00108 #endif 00109 printk(KERN_DEBUG "sys_rsbac_check(): calling ADF\n"); 00110 } 00111 #endif 00112 rsbac_target_id.scd = ST_rsbac; 00113 rsbac_attribute_value.dummy = 0; 00114 if (!rsbac_adf_request(R_GET_STATUS_DATA, 00115 current->pid, 00116 T_SCD, 00117 rsbac_target_id, 00118 A_none, 00119 rsbac_attribute_value)) 00120 { 00121 return -EPERM; 00122 } 00123 00124 #ifdef CONFIG_RSBAC_RMSG 00125 rsbac_printk(KERN_INFO 00126 "sys_rsbac_check(): triggering RSBAC consistency check, correct = %u, check_inode = %u!\n", 00127 correct, check_inode); 00128 #endif 00129 #ifndef CONFIG_RSBAC_RMSG_EXCL 00130 printk(KERN_INFO 00131 "sys_rsbac_check(): triggering RSBAC consistency check, correct = %u, check_inode = %u!\n", 00132 correct, check_inode); 00133 #endif 00134 /* Sync to be sure */ 00135 if(check_inode) 00136 { 00137 #ifdef CONFIG_RSBAC_RMSG 00138 rsbac_printk(KERN_INFO 00139 "sys_rsbac_check(): syncing disks\n"); 00140 #endif 00141 #ifndef CONFIG_RSBAC_RMSG_EXCL 00142 printk(KERN_INFO 00143 "sys_rsbac_check(): syncing disks\n"); 00144 #endif 00145 sys_sync(); 00146 } 00147 00148 lock_kernel(); 00149 /* rsbac write blocking */ 00150 if(check_inode) 00151 down(&rsbac_write_sem); 00152 00153 result = rsbac_check(correct, check_inode); 00154 if(!result) 00155 result=rsbac_check_lists(correct); 00156 /* call other checks */ 00157 #if defined(CONFIG_RSBAC_MAC) 00158 if(!result) 00159 result=rsbac_check_mac(correct, check_inode); 00160 #endif 00161 #if defined(CONFIG_RSBAC_AUTH) 00162 if(!result) 00163 result=rsbac_check_auth(correct, check_inode); 00164 #endif 00165 #if defined(CONFIG_RSBAC_ACL) 00166 if(!result) 00167 result=rsbac_check_acl(correct, check_inode); 00168 #endif 00169 #if defined(CONFIG_RSBAC_REG) 00170 if(!result) 00171 result=rsbac_check_reg(correct, check_inode); 00172 #endif 00173 /* release write blocking */ 00174 if(check_inode) 00175 up(&rsbac_write_sem); 00176 00177 unlock_kernel(); 00178 return(result); 00179 }; 00180 00181 int sys_rsbac_write(void) 00182 { 00183 #if defined(CONFIG_RSBAC_AUTO_WRITE) 00184 union rsbac_target_id_t rsbac_target_id; 00185 union rsbac_attribute_value_t rsbac_attribute_value; 00186 int result; 00187 00188 #ifdef CONFIG_RSBAC_DEBUG 00189 if (rsbac_debug_aef) 00190 { 00191 #ifdef CONFIG_RSBAC_RMSG 00192 rsbac_printk(KERN_DEBUG "sys_rsbac_write(): calling ADF\n"); 00193 #endif 00194 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00195 if (!rsbac_nosyslog) 00196 #endif 00197 printk(KERN_DEBUG "sys_rsbac_write(): calling ADF\n"); 00198 } 00199 #endif 00200 rsbac_target_id.scd = ST_rsbac; 00201 rsbac_attribute_value.dummy = 0; 00202 if (!rsbac_adf_request(R_WRITE, 00203 current->pid, 00204 T_SCD, 00205 rsbac_target_id, 00206 A_none, 00207 rsbac_attribute_value)) 00208 { 00209 return -EPERM; 00210 } 00211 00212 /* lock_kernel(); -> rsbac_write(need_lock) */ 00213 result = rsbac_write(TRUE); 00214 /* unlock_kernel(); */ 00215 return result; 00216 #else 00217 return(0); 00218 #endif /* CONFIG_RSBAC_AUTO_WRITE */ 00219 }; 00220 00221 /************************************************* */ 00222 /* Attribute functions */ 00223 /************************************************* */ 00224 00225 int sys_rsbac_get_attr( 00226 enum rsbac_switch_target_t module, 00227 enum rsbac_target_t target, 00228 union rsbac_target_id_t * tid, 00229 enum rsbac_attribute_t attr, 00230 union rsbac_attribute_value_t * value, 00231 int inherit) 00232 { 00233 union rsbac_target_id_t k_tid; 00234 union rsbac_attribute_value_t k_value; 00235 int err = 0; 00236 boolean i_inherit; 00237 00238 if(module > SW_NONE) 00239 return(-RSBAC_EINVALIDMODULE); 00240 if(!tid || (target >= T_NONE)) 00241 return(-RSBAC_EINVALIDTARGET); 00242 if(!value) 00243 return(-RSBAC_EINVALIDVALUE); 00244 if(attr >= A_none) 00245 return(-RSBAC_EINVALIDATTR); 00246 00247 if(module == SW_NONE) 00248 { 00249 module = get_attr_module(attr); 00250 if(module == SW_NONE) 00251 return(-RSBAC_EINVALIDMODULE); 00252 } 00253 00254 /* get values from user space */ 00255 rsbac_get_user((u_char *) &k_tid, (u_char *) tid, sizeof(k_tid) ); 00256 rsbac_get_user((u_char *) &k_value, (u_char *) value, sizeof(k_value) ); 00257 00258 if(inherit) 00259 i_inherit = TRUE; 00260 else 00261 i_inherit = FALSE; 00262 00263 #ifdef CONFIG_RSBAC_NET_OBJ 00264 /* sanity check before using pointer */ 00265 if( (target == T_NETOBJ) 00266 && ( !k_tid.netobj.sock_p 00267 || k_tid.netobj.remote_addr 00268 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 00269 || !k_tid.netobj.sock_p->file 00270 || !k_tid.netobj.sock_p->file->f_dentry 00271 || !k_tid.netobj.sock_p->file->f_dentry->d_inode 00272 || (SOCKET_I(k_tid.netobj.sock_p->file->f_dentry->d_inode) != k_tid.netobj.sock_p) 00273 #else 00274 || !k_tid.netobj.sock_p->inode 00275 || (&(k_tid.netobj.sock_p->inode->u.socket_i) != k_tid.netobj.sock_p) 00276 #endif 00277 ) 00278 ) 00279 return -RSBAC_EINVALIDTARGET; 00280 #endif 00281 00282 /* call ADF */ 00283 #ifdef CONFIG_RSBAC_DEBUG 00284 if (rsbac_debug_aef) 00285 { 00286 #ifdef CONFIG_RSBAC_RMSG 00287 rsbac_printk(KERN_DEBUG "sys_rsbac_get_attr(): calling ADF\n"); 00288 #endif 00289 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00290 if (!rsbac_nosyslog) 00291 #endif 00292 printk(KERN_DEBUG "sys_rsbac_get_attr(): calling ADF\n"); 00293 } 00294 #endif 00295 if (!rsbac_adf_request(R_READ_ATTRIBUTE, 00296 current->pid, 00297 target, 00298 k_tid, 00299 attr, 00300 k_value)) 00301 { 00302 return -EPERM; 00303 } 00304 00305 err = rsbac_get_attr(module, target, k_tid, attr, &k_value, i_inherit); 00306 /* put result value to user space */ 00307 if(!err) 00308 { 00309 err = rsbac_put_user((u_char *) &k_value, (u_char *) value, sizeof(k_value) ); 00310 } 00311 return (err); 00312 }; /* end of sys_rsbac_get_attr() */ 00313 00314 00315 int sys_rsbac_get_attr_n( 00316 enum rsbac_switch_target_t module, 00317 enum rsbac_target_t target, 00318 char * t_name, 00319 enum rsbac_attribute_t attr, 00320 union rsbac_attribute_value_t * value, 00321 int inherit) 00322 { 00323 union rsbac_attribute_value_t k_value; 00324 struct dentry * t_dentry; 00325 int err = 0; 00326 union rsbac_target_id_t tid; 00327 /* struct passwd * user_description_p; */ 00328 boolean i_inherit; 00329 struct nameidata nd; 00330 00331 if(module > SW_NONE) 00332 return(-RSBAC_EINVALIDMODULE); 00333 if(!t_name || (target >= T_NONE)) 00334 return(-RSBAC_EINVALIDTARGET); 00335 if(!value) 00336 return(-RSBAC_EINVALIDVALUE); 00337 if(attr >= A_none) 00338 return(-RSBAC_EINVALIDATTR); 00339 00340 if(module == SW_NONE) 00341 { 00342 module = get_attr_module(attr); 00343 if(module == SW_NONE) 00344 return(-RSBAC_EINVALIDMODULE); 00345 } 00346 00347 if(inherit) 00348 i_inherit = TRUE; 00349 else 00350 i_inherit = FALSE; 00351 00352 /* get values from user space */ 00353 rsbac_get_user((u_char *) &k_value, (u_char *) value, sizeof(k_value) ); 00354 00355 /* lookup filename */ 00356 if ((err = user_path_walk_link(t_name, &nd))) 00357 { 00358 #ifdef CONFIG_RSBAC_DEBUG 00359 if (rsbac_debug_aef) 00360 { 00361 #ifdef CONFIG_RSBAC_RMSG 00362 rsbac_printk(KERN_DEBUG "sys_rsbac_get_attr_n(): call to user_path_walk_link() returned %i\n", err); 00363 #endif 00364 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00365 if (!rsbac_nosyslog) 00366 #endif 00367 printk(KERN_DEBUG "sys_rsbac_get_attr_n(): call to user_path_walk_link() returned %i\n", err); 00368 } 00369 #endif 00370 goto out; 00371 } 00372 t_dentry = nd.dentry; 00373 if (!t_dentry->d_inode) 00374 { 00375 #ifdef CONFIG_RSBAC_DEBUG 00376 if (rsbac_debug_aef) 00377 { 00378 #ifdef CONFIG_RSBAC_RMSG 00379 rsbac_printk(KERN_DEBUG "sys_rsbac_get_attr_n(): file not found\n"); 00380 #endif 00381 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00382 if (!rsbac_nosyslog) 00383 #endif 00384 printk(KERN_DEBUG "sys_rsbac_get_attr_n(): file not found\n"); 00385 } 00386 #endif 00387 err = -RSBAC_EINVALIDTARGET; 00388 goto out_dput; 00389 } 00390 00391 switch (target) 00392 { 00393 /* is inode of right type? */ 00394 case T_FD: 00395 if(S_ISREG(t_dentry->d_inode->i_mode)) 00396 { 00397 target = T_FILE; 00398 } 00399 else 00400 if(S_ISDIR(t_dentry->d_inode->i_mode)) 00401 { 00402 target = T_DIR; 00403 } 00404 else 00405 if(S_ISLNK(t_dentry->d_inode->i_mode)) 00406 { 00407 target = T_SYMLINK; 00408 } 00409 else 00410 if(S_ISFIFO(t_dentry->d_inode->i_mode)) 00411 { 00412 target = T_FIFO; 00413 } 00414 else 00415 if(S_ISBLK(t_dentry->d_inode->i_mode)) 00416 { 00417 target = T_FILE; 00418 } 00419 else 00420 if(S_ISCHR(t_dentry->d_inode->i_mode)) 00421 { 00422 target = T_FILE; 00423 } 00424 else 00425 { 00426 #ifdef CONFIG_RSBAC_DEBUG 00427 if (rsbac_debug_aef) 00428 { 00429 #ifdef CONFIG_RSBAC_RMSG 00430 rsbac_printk(KERN_DEBUG "sys_rsbac_get_attr_n(): no filesystem object\n"); 00431 #endif 00432 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00433 if (!rsbac_nosyslog) 00434 #endif 00435 printk(KERN_DEBUG "sys_rsbac_get_attr_n(): no filesystem object\n"); 00436 } 00437 #endif 00438 err = -RSBAC_EINVALIDTARGET; 00439 goto out_dput; 00440 } 00441 break; 00442 00443 case T_FILE: 00444 if ( !(S_ISREG(t_dentry->d_inode->i_mode)) 00445 && !(S_ISBLK(t_dentry->d_inode->i_mode)) 00446 && !(S_ISCHR(t_dentry->d_inode->i_mode)) ) 00447 { 00448 #ifdef CONFIG_RSBAC_DEBUG 00449 if (rsbac_debug_aef) 00450 { 00451 #ifdef CONFIG_RSBAC_RMSG 00452 rsbac_printk(KERN_DEBUG "sys_rsbac_get_attr_n(): no file\n"); 00453 #endif 00454 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00455 if (!rsbac_nosyslog) 00456 #endif 00457 printk(KERN_DEBUG "sys_rsbac_get_attr_n(): no file\n"); 00458 } 00459 #endif 00460 err = -RSBAC_EINVALIDTARGET; 00461 goto out_dput; 00462 } 00463 break; 00464 00465 case T_DIR: 00466 if ( !(S_ISDIR(t_dentry->d_inode->i_mode)) ) 00467 { 00468 #ifdef CONFIG_RSBAC_DEBUG 00469 if (rsbac_debug_aef) 00470 { 00471 #ifdef CONFIG_RSBAC_RMSG 00472 rsbac_printk(KERN_DEBUG "sys_rsbac_get_attr_n(): no dir\n"); 00473 #endif 00474 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00475 if (!rsbac_nosyslog) 00476 #endif 00477 printk(KERN_DEBUG "sys_rsbac_get_attr_n(): no dir\n"); 00478 } 00479 #endif 00480 err = -RSBAC_EINVALIDTARGET; 00481 goto out_dput; 00482 } 00483 break; 00484 00485 case T_FIFO: 00486 /* is inode of type fifo? */ 00487 if ( !(S_ISFIFO(t_dentry->d_inode->i_mode))) 00488 { 00489 #ifdef CONFIG_RSBAC_DEBUG 00490 if (rsbac_debug_aef) 00491 { 00492 #ifdef CONFIG_RSBAC_RMSG 00493 rsbac_printk(KERN_DEBUG "sys_rsbac_get_attr_n(): no fifo\n"); 00494 #endif 00495 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00496 if (!rsbac_nosyslog) 00497 #endif 00498 printk(KERN_DEBUG "sys_rsbac_get_attr_n(): no fifo\n"); 00499 } 00500 #endif 00501 err = -RSBAC_EINVALIDTARGET; 00502 goto out_dput; 00503 } 00504 break; 00505 00506 case T_SYMLINK: 00507 if ( !(S_ISLNK(t_dentry->d_inode->i_mode))) 00508 { 00509 #ifdef CONFIG_RSBAC_DEBUG 00510 if (rsbac_debug_aef) 00511 { 00512 #ifdef CONFIG_RSBAC_RMSG 00513 rsbac_printk(KERN_DEBUG "sys_rsbac_get_attr_n(): no symlink\n"); 00514 #endif 00515 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00516 if (!rsbac_nosyslog) 00517 #endif 00518 printk(KERN_DEBUG "sys_rsbac_get_attr_n(): no symlink\n"); 00519 } 00520 #endif 00521 err = -RSBAC_EINVALIDTARGET; 00522 goto out_dput; 00523 } 00524 break; 00525 00526 case T_DEV: 00527 if ( !(S_ISBLK(t_dentry->d_inode->i_mode)) 00528 && !(S_ISCHR(t_dentry->d_inode->i_mode)) ) 00529 { 00530 #ifdef CONFIG_RSBAC_DEBUG 00531 if (rsbac_debug_aef) 00532 { 00533 #ifdef CONFIG_RSBAC_RMSG 00534 rsbac_printk(KERN_DEBUG "sys_rsbac_get_attr_n(): no dev\n"); 00535 #endif 00536 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00537 if (!rsbac_nosyslog) 00538 #endif 00539 printk(KERN_DEBUG "sys_rsbac_get_attr_n(): no dev\n"); 00540 } 00541 #endif 00542 err = -RSBAC_EINVALIDTARGET; 00543 goto out_dput; 00544 } 00545 break; 00546 00547 default: 00548 err = -RSBAC_EINVALIDTARGET; 00549 goto out_dput; 00550 } 00551 00552 if(target == T_DEV) 00553 { 00554 if(S_ISBLK(t_dentry->d_inode->i_mode)) 00555 tid.dev.type = D_block; 00556 else 00557 tid.dev.type = D_char; 00558 tid.dev.id = t_dentry->d_inode->i_rdev; 00559 } 00560 else 00561 { 00562 /* fill target id and call internal function */ 00563 tid.file.device = t_dentry->d_sb->s_dev; 00564 tid.file.inode = t_dentry->d_inode->i_ino; 00565 tid.file.dentry_p = t_dentry; 00566 } 00567 /* call ADF */ 00568 #ifdef CONFIG_RSBAC_DEBUG 00569 if (rsbac_debug_aef) 00570 { 00571 #ifdef CONFIG_RSBAC_RMSG 00572 rsbac_printk(KERN_DEBUG "sys_rsbac_get_attr_n(): calling ADF\n"); 00573 #endif 00574 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00575 if (!rsbac_nosyslog) 00576 #endif 00577 printk(KERN_DEBUG "sys_rsbac_get_attr_n(): calling ADF\n"); 00578 } 00579 #endif 00580 if (!rsbac_adf_request(R_READ_ATTRIBUTE, 00581 current->pid, 00582 target, 00583 tid, 00584 attr, 00585 k_value)) 00586 { 00587 err = -EPERM; 00588 } 00589 else 00590 { 00591 err = rsbac_get_attr(module, target, tid, attr, &k_value, i_inherit); 00592 /* put result value to user space */ 00593 if(!err) 00594 rsbac_put_user((u_char *) &k_value, (u_char *) value, sizeof(k_value) ); 00595 } 00596 00597 out_dput: 00598 path_release(&nd); 00599 00600 out: 00601 return(err); 00602 }; /* end of sys_rsbac_get_attr_n() */ 00603 00604 /************************************************************************** */ 00605 00606 int sys_rsbac_set_attr( 00607 enum rsbac_switch_target_t module, 00608 enum rsbac_target_t target, 00609 union rsbac_target_id_t * tid, 00610 enum rsbac_attribute_t attr, 00611 union rsbac_attribute_value_t * value) 00612 00613 { 00614 union rsbac_target_id_t k_tid; 00615 union rsbac_attribute_value_t k_value; 00616 int err = 0; 00617 struct task_struct * task_p; 00618 00619 if(module > SW_NONE) 00620 return(-RSBAC_EINVALIDMODULE); 00621 if(!tid || (target >= T_NONE)) 00622 return(-RSBAC_EINVALIDTARGET); 00623 if(!value) 00624 return(-RSBAC_EINVALIDVALUE); 00625 if(attr >= A_none) 00626 return(-RSBAC_EINVALIDATTR); 00627 00628 if(module == SW_NONE) 00629 { 00630 module = get_attr_module(attr); 00631 if(module == SW_NONE) 00632 return(-RSBAC_EINVALIDMODULE); 00633 } 00634 00635 /* get values from user space */ 00636 rsbac_get_user((u_char *) &k_tid, (u_char *) tid, sizeof(k_tid) ); 00637 rsbac_get_user((u_char *) &k_value, (u_char *) value, sizeof(k_value) ); 00638 00639 00640 switch(target) 00641 { 00642 case T_PROCESS: 00643 read_lock(&tasklist_lock); 00644 task_p = find_task_by_pid(k_tid.process); 00645 read_unlock(&tasklist_lock); 00646 if(!task_p) 00647 return(-RSBAC_EINVALIDTARGET); 00648 break; 00649 00650 #ifdef CONFIG_RSBAC_NET_OBJ 00651 /* sanity check before using pointer */ 00652 case T_NETOBJ: 00653 if( !k_tid.netobj.sock_p 00654 || k_tid.netobj.remote_addr 00655 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 00656 || !k_tid.netobj.sock_p->file 00657 || !k_tid.netobj.sock_p->file->f_dentry 00658 || !k_tid.netobj.sock_p->file->f_dentry->d_inode 00659 || (SOCKET_I(k_tid.netobj.sock_p->file->f_dentry->d_inode) != k_tid.netobj.sock_p) 00660 #else 00661 || !k_tid.netobj.sock_p->inode 00662 || (&(k_tid.netobj.sock_p->inode->u.socket_i) != k_tid.netobj.sock_p) 00663 #endif 00664 ) 00665 return -RSBAC_EINVALIDTARGET; 00666 #endif 00667 00668 00669 default: 00670 break; 00671 } 00672 00673 /* call ADF */ 00674 #ifdef CONFIG_RSBAC_DEBUG 00675 if (rsbac_debug_aef) 00676 printk(KERN_DEBUG 00677 "sys_rsbac_set_attr(): calling ADF\n"); 00678 #endif 00679 if (!rsbac_adf_request(R_MODIFY_ATTRIBUTE, 00680 current->pid, 00681 target, 00682 k_tid, 00683 attr, 00684 k_value)) 00685 { 00686 return -EPERM; 00687 } 00688 err = rsbac_set_attr(module, target, k_tid, attr, k_value); 00689 return (err); 00690 }; /* end of sys_rsbac_set_attr() */ 00691 00692 int sys_rsbac_set_attr_n( 00693 enum rsbac_switch_target_t module, 00694 enum rsbac_target_t target, 00695 char * t_name, 00696 enum rsbac_attribute_t attr, 00697 union rsbac_attribute_value_t * value) 00698 00699 { 00700 struct dentry * t_dentry; 00701 int err = 0; 00702 union rsbac_attribute_value_t k_value; 00703 union rsbac_target_id_t tid; 00704 struct nameidata nd; 00705 00706 if(module > SW_NONE) 00707 return(-RSBAC_EINVALIDMODULE); 00708 if(!t_name || (target >= T_NONE)) 00709 return(-RSBAC_EINVALIDTARGET); 00710 if(!value) 00711 return(-RSBAC_EINVALIDVALUE); 00712 if(attr >= A_none) 00713 return(-RSBAC_EINVALIDATTR); 00714 00715 if(module == SW_NONE) 00716 { 00717 module = get_attr_module(attr); 00718 if(module == SW_NONE) 00719 return(-RSBAC_EINVALIDMODULE); 00720 } 00721 00722 /* get values from user space */ 00723 rsbac_get_user((u_char *) &k_value, (u_char *) value, sizeof(k_value) ); 00724 00725 /* lookup filename */ 00726 if ((err = user_path_walk_link(t_name, &nd))) 00727 { 00728 #ifdef CONFIG_RSBAC_DEBUG 00729 if (rsbac_debug_aef) 00730 printk(KERN_DEBUG "sys_rsbac_set_attr_n(): call to user_path_walk_link() returned %i\n", err); 00731 #endif 00732 goto out; 00733 } 00734 t_dentry = nd.dentry; 00735 if (!t_dentry->d_inode) 00736 { 00737 #ifdef CONFIG_RSBAC_DEBUG 00738 if (rsbac_debug_aef) 00739 printk(KERN_DEBUG "sys_rsbac_set_attr_n(): file not found\n"); 00740 #endif 00741 err = -RSBAC_EINVALIDTARGET; 00742 goto out_dput; 00743 } 00744 00745 switch (target) 00746 { 00747 /* is inode of right type? */ 00748 case T_FD: 00749 if(S_ISREG(t_dentry->d_inode->i_mode)) 00750 { 00751 target = T_FILE; 00752 } 00753 else 00754 if(S_ISDIR(t_dentry->d_inode->i_mode)) 00755 { 00756 target = T_DIR; 00757 } 00758 else 00759 if(S_ISLNK(t_dentry->d_inode->i_mode)) 00760 { 00761 target = T_SYMLINK; 00762 } 00763 else 00764 if(S_ISFIFO(t_dentry->d_inode->i_mode)) 00765 { 00766 target = T_FIFO; 00767 } 00768 else 00769 if(S_ISBLK(t_dentry->d_inode->i_mode)) 00770 { 00771 target = T_FILE; 00772 } 00773 else 00774 if(S_ISCHR(t_dentry->d_inode->i_mode)) 00775 { 00776 target = T_FILE; 00777 } 00778 else 00779 { 00780 #ifdef CONFIG_RSBAC_DEBUG 00781 if (rsbac_debug_aef) 00782 printk(KERN_DEBUG "sys_rsbac_set_attr_n(): no filesystem object\n"); 00783 #endif 00784 err = -RSBAC_EINVALIDTARGET; 00785 goto out_dput; 00786 } 00787 break; 00788 00789 case T_FILE: 00790 if ( !(S_ISREG(t_dentry->d_inode->i_mode)) 00791 && !(S_ISBLK(t_dentry->d_inode->i_mode)) 00792 && !(S_ISCHR(t_dentry->d_inode->i_mode)) ) 00793 { 00794 #ifdef CONFIG_RSBAC_DEBUG 00795 if (rsbac_debug_aef) 00796 printk(KERN_DEBUG "sys_rsbac_set_attr_n(): no file\n"); 00797 #endif 00798 err = -RSBAC_EINVALIDTARGET; 00799 goto out_dput; 00800 } 00801 break; 00802 00803 case T_DIR: 00804 if ( !(S_ISDIR(t_dentry->d_inode->i_mode)) ) 00805 { 00806 #ifdef CONFIG_RSBAC_DEBUG 00807 if (rsbac_debug_aef) printk(KERN_DEBUG "sys_rsbac_get_attr(): no dir\n"); 00808 #endif 00809 err = -RSBAC_EINVALIDTARGET; 00810 goto out_dput; 00811 } 00812 break; 00813 00814 case T_FIFO: 00815 /* is inode of type fifo? */ 00816 if ( !(S_ISFIFO(t_dentry->d_inode->i_mode))) 00817 { 00818 #ifdef CONFIG_RSBAC_DEBUG 00819 if (rsbac_debug_aef) 00820 printk(KERN_DEBUG "sys_rsbac_set_attr_n(): no fifo\n"); 00821 #endif 00822 err = -RSBAC_EINVALIDTARGET; 00823 goto out_dput; 00824 } 00825 break; 00826 00827 case T_SYMLINK: 00828 if ( !(S_ISLNK(t_dentry->d_inode->i_mode))) 00829 { 00830 #ifdef CONFIG_RSBAC_DEBUG 00831 if (rsbac_debug_aef) 00832 printk(KERN_DEBUG "sys_rsbac_set_attr_n(): no symlink\n"); 00833 #endif 00834 err = -RSBAC_EINVALIDTARGET; 00835 goto out_dput; 00836 } 00837 break; 00838 00839 case T_DEV: 00840 if ( !(S_ISBLK(t_dentry->d_inode->i_mode)) 00841 && !(S_ISCHR(t_dentry->d_inode->i_mode)) ) 00842 { 00843 #ifdef CONFIG_RSBAC_DEBUG 00844 if (rsbac_debug_aef) printk(KERN_DEBUG "sys_rsbac_set_attr_n(): no dev\n"); 00845 #endif 00846 err = -RSBAC_EINVALIDTARGET; 00847 goto out_dput; 00848 } 00849 break; 00850 00851 default: 00852 err = -RSBAC_EINVALIDTARGET; 00853 goto out_dput; 00854 } 00855 00856 if(target == T_DEV) 00857 { 00858 if(S_ISBLK(t_dentry->d_inode->i_mode)) 00859 tid.dev.type = D_block; 00860 else 00861 tid.dev.type = D_char; 00862 tid.dev.id = t_dentry->d_inode->i_rdev; 00863 } 00864 else 00865 { 00866 /* fill target id and call internal function */ 00867 tid.file.device = t_dentry->d_sb->s_dev; 00868 tid.file.inode = t_dentry->d_inode->i_ino; 00869 tid.file.dentry_p = t_dentry; 00870 } 00871 /* call ADF */ 00872 #ifdef CONFIG_RSBAC_DEBUG 00873 if (rsbac_debug_aef) printk(KERN_DEBUG "sys_rsbac_set_attr_n(): calling ADF\n"); 00874 #endif 00875 if (!rsbac_adf_request(R_MODIFY_ATTRIBUTE, 00876 current->pid, 00877 target, 00878 tid, 00879 attr, 00880 k_value)) 00881 { 00882 err = -EPERM; 00883 } 00884 else 00885 { 00886 err = rsbac_set_attr(module, target, tid, attr, k_value); 00887 } 00888 00889 out_dput: 00890 path_release(&nd); 00891 00892 out: 00893 return(err); 00894 }; /* end of sys_rsbac_set_attr_n() */ 00895 00896 /************************************************************************** */ 00897 00898 int sys_rsbac_remove_target( 00899 enum rsbac_target_t target, 00900 union rsbac_target_id_t * tid) 00901 { 00902 union rsbac_target_id_t k_tid; 00903 int err = 0; 00904 00905 /* for adf_request */ 00906 union rsbac_attribute_value_t rsbac_attribute_value; 00907 00908 if(!tid || (target >= T_NONE)) 00909 return(-RSBAC_EINVALIDTARGET); 00910 00911 /* get values from user space */ 00912 rsbac_get_user((u_char *) &k_tid, (u_char *) tid, sizeof(k_tid) ); 00913 00914 /* call ADF */ 00915 #ifdef CONFIG_RSBAC_DEBUG 00916 if (rsbac_debug_aef) printk(KERN_DEBUG "sys_rsbac_remove_target(): calling ADF\n"); 00917 #endif 00918 rsbac_attribute_value.dummy = 0; 00919 if (!rsbac_adf_request(R_MODIFY_ATTRIBUTE, 00920 current->pid, 00921 target, 00922 k_tid, 00923 A_none, 00924 rsbac_attribute_value)) 00925 { 00926 return -EPERM; 00927 } 00928 err = rsbac_remove_target(target, k_tid); 00929 return (err); 00930 }; /* end of sys_rsbac_remove_target() */ 00931 00932 int sys_rsbac_remove_target_n(enum rsbac_target_t target, 00933 char * t_name) 00934 { 00935 struct dentry * t_dentry; 00936 int err = 0; 00937 union rsbac_target_id_t tid; 00938 00939 /* for adf_request */ 00940 union rsbac_attribute_value_t rsbac_attribute_value; 00941 00942 /* struct passwd * user_description_p; */ 00943 00944 struct nameidata nd; 00945 00946 if(!t_name || (target >= T_NONE)) 00947 return(-RSBAC_EINVALIDTARGET); 00948 00949 /* lookup filename */ 00950 if ((err = user_path_walk_link(t_name, &nd))) 00951 { 00952 #ifdef CONFIG_RSBAC_DEBUG 00953 if (rsbac_debug_aef) 00954 printk(KERN_DEBUG "sys_rsbac_remove_target_n(): call to user_path_walk_link() returned %i\n", err); 00955 #endif 00956 goto out; 00957 } 00958 t_dentry = nd.dentry; 00959 if (!t_dentry->d_inode) 00960 { 00961 #ifdef CONFIG_RSBAC_DEBUG 00962 if (rsbac_debug_aef) 00963 printk(KERN_DEBUG "sys_rsbac_remove_target_n(): file not found\n"); 00964 #endif 00965 err = -RSBAC_EINVALIDTARGET; 00966 goto out_dput; 00967 } 00968 00969 switch (target) 00970 { 00971 /* is inode of right type? */ 00972 case T_FD: 00973 if(S_ISREG(t_dentry->d_inode->i_mode)) 00974 { 00975 target = T_FILE; 00976 } 00977 else 00978 if(S_ISDIR(t_dentry->d_inode->i_mode)) 00979 { 00980 target = T_DIR; 00981 } 00982 else 00983 if(S_ISLNK(t_dentry->d_inode->i_mode)) 00984 { 00985 target = T_SYMLINK; 00986 } 00987 else 00988 if(S_ISFIFO(t_dentry->d_inode->i_mode)) 00989 { 00990 target = T_FIFO; 00991 } 00992 else 00993 if(S_ISBLK(t_dentry->d_inode->i_mode)) 00994 { 00995 target = T_FILE; 00996 } 00997 else 00998 if(S_ISCHR(t_dentry->d_inode->i_mode)) 00999 { 01000 target = T_FILE; 01001 } 01002 else 01003 { 01004 #ifdef CONFIG_RSBAC_DEBUG 01005 if (rsbac_debug_aef) 01006 printk(KERN_DEBUG "sys_rsbac_remove_target_n(): no filesystem object\n"); 01007 #endif 01008 err = -RSBAC_EINVALIDTARGET; 01009 goto out_dput; 01010 } 01011 break; 01012 01013 case T_FILE: 01014 if ( !(S_ISREG(t_dentry->d_inode->i_mode)) 01015 && !(S_ISBLK(t_dentry->d_inode->i_mode)) 01016 && !(S_ISCHR(t_dentry->d_inode->i_mode)) ) 01017 { 01018 #ifdef CONFIG_RSBAC_DEBUG 01019 if (rsbac_debug_aef) 01020 printk(KERN_DEBUG "sys_rsbac_remove_target_n(): no file\n"); 01021 #endif 01022 err = -RSBAC_EINVALIDTARGET; 01023 goto out_dput; 01024 } 01025 break; 01026 01027 case T_DIR: 01028 if ( !(S_ISDIR(t_dentry->d_inode->i_mode)) ) 01029 { 01030 #ifdef CONFIG_RSBAC_DEBUG 01031 if (rsbac_debug_aef) printk(KERN_DEBUG "sys_rsbac_get_attr(): no dir\n"); 01032 #endif 01033 err = -RSBAC_EINVALIDTARGET; 01034 goto out_dput; 01035 } 01036 break; 01037 01038 case T_FIFO: 01039 /* is inode of type fifo? */ 01040 if ( !(S_ISFIFO(t_dentry->d_inode->i_mode))) 01041 { 01042 #ifdef CONFIG_RSBAC_DEBUG 01043 if (rsbac_debug_aef) 01044 printk(KERN_DEBUG "sys_rsbac_remove_target_n(): no fifo\n"); 01045 #endif 01046 err = -RSBAC_EINVALIDTARGET; 01047 goto out_dput; 01048 } 01049 break; 01050 01051 case T_SYMLINK: 01052 if ( !(S_ISLNK(t_dentry->d_inode->i_mode))) 01053 { 01054 #ifdef CONFIG_RSBAC_DEBUG 01055 if (rsbac_debug_aef) 01056 printk(KERN_DEBUG "sys_rsbac_remove_target_n(): no symlink\n"); 01057 #endif 01058 err = -RSBAC_EINVALIDTARGET; 01059 goto out_dput; 01060 } 01061 break; 01062 01063 case T_DEV: 01064 if ( !(S_ISBLK(t_dentry->d_inode->i_mode)) 01065 && !(S_ISCHR(t_dentry->d_inode->i_mode)) ) 01066 { 01067 #ifdef CONFIG_RSBAC_DEBUG 01068 if (rsbac_debug_aef) printk(KERN_DEBUG "sys_rsbac_remove_target_n(): no dev\n"); 01069 #endif 01070 err = -RSBAC_EINVALIDTARGET; 01071 goto out_dput; 01072 } 01073 break; 01074 01075 default: 01076 err = -RSBAC_EINVALIDTARGET; 01077 goto out_dput; 01078 } 01079 01080 if(target == T_DEV) 01081 { 01082 if(S_ISBLK(t_dentry->d_inode->i_mode)) 01083 tid.dev.type = D_block; 01084 else 01085 tid.dev.type = D_char; 01086 tid.dev.id = t_dentry->d_inode->i_rdev; 01087 } 01088 else 01089 { 01090 /* fill target id and call internal function */ 01091 tid.file.device = t_dentry->d_sb->s_dev; 01092 tid.file.inode = t_dentry->d_inode->i_ino; 01093 tid.file.dentry_p = t_dentry; 01094 } 01095 /* call ADF */ 01096 #ifdef CONFIG_RSBAC_DEBUG 01097 if (rsbac_debug_aef) printk(KERN_DEBUG "sys_rsbac_remove_target_n(): calling ADF\n"); 01098 #endif 01099 rsbac_attribute_value.dummy = 0; 01100 if (!rsbac_adf_request(R_MODIFY_ATTRIBUTE, 01101 current->pid, 01102 target, 01103 tid, 01104 A_none, 01105 rsbac_attribute_value)) 01106 { 01107 err = -EPERM; 01108 } 01109 else 01110 { 01111 err = rsbac_remove_target(target, tid); 01112 } 01113 01114 out_dput: 01115 path_release(&nd); 01116 01117 out: 01118 return(err); 01119 }; /* end of sys_rsbac_remove_target_n() */ 01120 01121 int sys_rsbac_net_list_all_netdev(rsbac_netdev_id_t * id_p, u_long maxnum) 01122 { 01123 #ifdef CONFIG_RSBAC_NET_DEV 01124 int err=0; 01125 long count; 01126 01127 if(id_p && maxnum) 01128 { 01129 rsbac_netdev_id_t * k_id_p = NULL; 01130 01131 count = rsbac_net_list_all_netdev(&k_id_p); 01132 if(count <= 0) 01133 return count; 01134 if(count > maxnum) 01135 count = maxnum; 01136 01137 err = rsbac_put_user((u_char *) k_id_p, (u_char *) id_p, count * sizeof(*k_id_p) ); 01138 01139 rsbac_vfree(k_id_p); 01140 01141 if(err) 01142 return err; 01143 else 01144 return count; 01145 } 01146 else 01147 return rsbac_net_list_all_netdev(NULL); 01148 01149 #else 01150 return -RSBAC_EINVALIDREQUEST; 01151 #endif /* CONFIG_RSBAC_NET_DEV */ 01152 } 01153 01154 int sys_rsbac_net_template(enum rsbac_net_temp_syscall_t call, 01155 rsbac_net_temp_id_t id, 01156 union rsbac_net_temp_syscall_data_t * data_p) 01157 { 01158 #ifdef CONFIG_RSBAC_NET_OBJ 01159 union rsbac_net_temp_syscall_data_t k_data; 01160 int err = 0; 01161 /* for adf_request */ 01162 #ifndef CONFIG_RSBAC_MAINT 01163 union rsbac_target_id_t i_tid; 01164 union rsbac_attribute_value_t i_attr_val; 01165 #endif 01166 01167 if(!id) 01168 return -RSBAC_EINVALIDVALUE; 01169 if(!data_p) 01170 return -RSBAC_EINVALIDPOINTER; 01171 01172 /* get data values from user space */ 01173 switch(call) 01174 { 01175 case NTS_set_address: 01176 case NTS_set_address_family: 01177 case NTS_set_valid_len: 01178 case NTS_set_type: 01179 case NTS_set_protocol: 01180 case NTS_set_netdev: 01181 case NTS_set_min_port: 01182 case NTS_set_max_port: 01183 case NTS_set_name: 01184 case NTS_new_template: 01185 case NTS_copy_template: 01186 err = rsbac_get_user((u_char *) &k_data, (u_char *) data_p, sizeof(k_data) ); 01187 if(err) 01188 return err; 01189 break; 01190 case NTS_delete_template: 01191 case NTS_check_id: 01192 case NTS_get_address: 01193 case NTS_get_address_family: 01194 case NTS_get_valid_len: 01195 case NTS_get_type: 01196 case NTS_get_protocol: 01197 case NTS_get_netdev: 01198 case NTS_get_min_port: 01199 case NTS_get_max_port: 01200 case NTS_get_name: 01201 break; 01202 01203 default: 01204 return -RSBAC_EINVALIDREQUEST; 01205 } 01206 01207 #ifndef CONFIG_RSBAC_MAINT 01208 #ifdef CONFIG_RSBAC_DEBUG 01209 if (rsbac_debug_aef) 01210 printk(KERN_DEBUG "sys_rsbac_net_temp(): calling ADF\n"); 01211 #endif 01212 i_tid.nettemp = id; 01213 i_attr_val.dummy = 0; 01214 switch(call) 01215 { 01216 case NTS_new_template: 01217 if (!rsbac_adf_request(R_CREATE, 01218 current->pid, 01219 T_NETTEMP, 01220 i_tid, 01221 A_none, 01222 i_attr_val)) 01223 #ifdef CONFIG_RSBAC_SOFTMODE 01224 if(!rsbac_softmode) 01225 #endif 01226 return -EPERM; 01227 break; 01228 01229 case NTS_copy_template: 01230 if(!rsbac_net_template_exist(id)) 01231 { 01232 if(!rsbac_adf_request(R_CREATE, 01233 current->pid, 01234 T_NETTEMP, 01235 i_tid, 01236 A_none, 01237 i_attr_val)) 01238 #ifdef CONFIG_RSBAC_SOFTMODE 01239 if(!rsbac_softmode) 01240 #endif 01241 return -EPERM; 01242 } 01243 else 01244 { 01245 if(!rsbac_adf_request(R_WRITE, 01246 current->pid, 01247 T_NETTEMP, 01248 i_tid, 01249 A_none, 01250 i_attr_val)) 01251 #ifdef CONFIG_RSBAC_SOFTMODE 01252 if(!rsbac_softmode) 01253 #endif 01254 return -EPERM; 01255 } 01256 i_tid.nettemp = k_data.id; 01257 if (!rsbac_adf_request(R_READ, 01258 current->pid, 01259 T_NETTEMP, 01260 i_tid, 01261 A_none, 01262 i_attr_val)) 01263 #ifdef CONFIG_RSBAC_SOFTMODE 01264 if(!rsbac_softmode) 01265 #endif 01266 return -EPERM; 01267 break; 01268 01269 case NTS_delete_template: 01270 if (!rsbac_adf_request(R_DELETE, 01271 current->pid, 01272 T_NETTEMP, 01273 i_tid, 01274 A_none, 01275 i_attr_val)) 01276 #ifdef CONFIG_RSBAC_SOFTMODE 01277 if(!rsbac_softmode) 01278 #endif 01279 return -EPERM; 01280 break; 01281 01282 case NTS_get_address: 01283 case NTS_get_address_family: 01284 case NTS_get_valid_len: 01285 case NTS_get_type: 01286 case NTS_get_protocol: 01287 case NTS_get_netdev: 01288 case NTS_get_min_port: 01289 case NTS_get_max_port: 01290 if (!rsbac_adf_request(R_READ, 01291 current->pid, 01292 T_NETTEMP, 01293 i_tid, 01294 A_none, 01295 i_attr_val)) 01296 #ifdef CONFIG_RSBAC_SOFTMODE 01297 if(!rsbac_softmode) 01298 #endif 01299 return -EPERM; 01300 break; 01301 01302 case NTS_set_address: 01303 case NTS_set_address_family: 01304 case NTS_set_valid_len: 01305 case NTS_set_type: 01306 case NTS_set_protocol: 01307 case NTS_set_netdev: 01308 case NTS_set_min_port: 01309 case NTS_set_max_port: 01310 case NTS_set_name: 01311 if (!rsbac_adf_request(R_WRITE, 01312 current->pid, 01313 T_NETTEMP, 01314 i_tid, 01315 A_none, 01316 i_attr_val)) 01317 #ifdef CONFIG_RSBAC_SOFTMODE 01318 if(!rsbac_softmode) 01319 #endif 01320 return -EPERM; 01321 break; 01322 01323 default: 01324 break; 01325 } 01326 #endif /* !MAINT */ 01327 01328 err = rsbac_net_template(call, id, &k_data); 01329 if(!err) 01330 { 01331 /* put data values to user space */ 01332 switch(call) 01333 { 01334 case NTS_check_id: 01335 case NTS_get_address: 01336 case NTS_get_address_family: 01337 case NTS_get_valid_len: 01338 case NTS_get_type: 01339 case NTS_get_protocol: 01340 case NTS_get_netdev: 01341 case NTS_get_min_port: 01342 case NTS_get_max_port: 01343 case NTS_get_name: 01344 err = rsbac_put_user((u_char *) &k_data, (u_char *) data_p, sizeof(k_data) ); 01345 break; 01346 default: 01347 break; 01348 } 01349 } 01350 return err; 01351 01352 #else 01353 return -RSBAC_EINVALIDREQUEST; 01354 #endif /* NET_OBJ */ 01355 } 01356 01357 int sys_rsbac_net_list_all_template(rsbac_net_temp_id_t * id_p, u_long maxnum) 01358 { 01359 #ifdef CONFIG_RSBAC_NET_OBJ 01360 int err=0; 01361 int count; 01362 union rsbac_target_id_t i_tid; 01363 union rsbac_attribute_value_t i_attr_val; 01364 01365 i_tid.nettemp = 0; 01366 i_attr_val.dummy = 0; 01367 if (!rsbac_adf_request(R_READ, 01368 current->pid, 01369 T_NETTEMP, 01370 i_tid, 01371 A_none, 01372 i_attr_val)) 01373 return -EPERM; 01374 if(id_p && maxnum) 01375 { 01376 rsbac_net_temp_id_t * k_id_p = NULL; 01377 01378 count = rsbac_net_list_all_template(&k_id_p); 01379 if(count <= 0) 01380 return count; 01381 if(count > maxnum) 01382 count = maxnum; 01383 01384 err = rsbac_put_user((u_char *) k_id_p, (u_char *) id_p, count * sizeof(*k_id_p) ); 01385 01386 rsbac_vfree(k_id_p); 01387 01388 if(err) 01389 return err; 01390 else 01391 return count; 01392 } 01393 else 01394 return rsbac_net_list_all_template(NULL); 01395 01396 #else 01397 return -RSBAC_EINVALIDREQUEST; 01398 #endif /* CONFIG_RSBAC_NET_OBJ */ 01399 } 01400 01401 01402 /************************************************* */ 01403 /* ADF functions */ 01404 /************************************************* */ 01405 01406 int sys_rsbac_switch(enum rsbac_switch_target_t target, int value) 01407 { 01408 #ifdef CONFIG_RSBAC_SWITCH 01409 union rsbac_target_id_t rsbac_target_id; 01410 union rsbac_attribute_value_t rsbac_attribute_value; 01411 char * switch_name; 01412 01413 /* call ADF */ 01414 if(target >= SW_NONE) 01415 return(-RSBAC_EINVALIDTARGET); 01416 if ( (value < 0) 01417 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01418 || (value > 3) 01419 #else 01420 || (value > 1) 01421 #endif 01422 ) 01423 return (-RSBAC_EINVALIDVALUE); 01424 #ifdef CONFIG_RSBAC_DEBUG 01425 if (rsbac_debug_aef) 01426 printk(KERN_DEBUG "sys_rsbac_switch(): calling ADF\n"); 01427 #endif 01428 rsbac_target_id.dummy = 0; 01429 #ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE 01430 if(target == DAC_DISABLE) 01431 { 01432 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01433 if(value > 1) 01434 return -RSBAC_EINVALIDVALUE; 01435 #endif 01436 rsbac_attribute_value.dummy = 0; 01437 if (!rsbac_adf_request(R_MODIFY_PERMISSIONS_DATA, 01438 current->pid, 01439 T_NONE, 01440 rsbac_target_id, 01441 A_none, 01442 rsbac_attribute_value)) 01443 { 01444 return -EPERM; 01445 } 01446 } 01447 else 01448 #endif 01449 { 01450 rsbac_attribute_value.switch_target = target; 01451 if (!rsbac_adf_request(R_SWITCH_MODULE, 01452 current->pid, 01453 T_NONE, 01454 rsbac_target_id, 01455 A_switch_target, 01456 rsbac_attribute_value)) 01457 { 01458 return -EPERM; 01459 } 01460 } 01461 switch_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01462 if(switch_name) 01463 { 01464 int show_value = value; 01465 01466 get_switch_target_name(switch_name,target); 01467 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01468 switch(value) 01469 { 01470 case 2: 01471 case 3: 01472 strcat(switch_name, " softmode"); 01473 show_value -= 2; 01474 break; 01475 default: 01476 break; 01477 } 01478 #endif 01479 #ifdef CONFIG_RSBAC_RMSG 01480 rsbac_printk(KERN_WARNING 01481 "sys_rsbac_switch(): switching RSBAC module %s to %i!\n", 01482 switch_name, show_value); 01483 #endif 01484 #ifndef CONFIG_RSBAC_RMSG_EXCL 01485 printk(KERN_WARNING 01486 "sys_rsbac_switch(): switching RSBAC module %s to %i!\n", 01487 switch_name, show_value); 01488 #endif 01489 rsbac_kfree(switch_name); 01490 } 01491 01492 switch(value) 01493 { 01494 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01495 case 2: 01496 case 3: 01497 rsbac_ind_softmode[target] = value - 2; 01498 break; 01499 #endif 01500 01501 default: 01502 switch (target) 01503 { 01504 #ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_FULL 01505 case DAC_DISABLE: rsbac_dac_disable = value; 01506 break; 01507 #endif 01508 #ifdef CONFIG_RSBAC_SOFTMODE 01509 case SOFTMODE: rsbac_softmode = value; 01510 break; 01511 #endif 01512 #ifdef CONFIG_RSBAC_MAC 01513 case MAC: rsbac_switch_mac = value; 01514 break; 01515 #endif 01516 #ifdef CONFIG_RSBAC_FC 01517 case FC: rsbac_switch_fc = value; 01518 break; 01519 #endif 01520 #ifdef CONFIG_RSBAC_SIM 01521 case SIM: rsbac_switch_sim = value; 01522 break; 01523 #endif 01524 #ifdef CONFIG_RSBAC_PM 01525 case PM: rsbac_switch_pm = value; 01526 break; 01527 #endif 01528 #ifdef CONFIG_RSBAC_DAZ 01529 case DAZ: rsbac_switch_daz = value; 01530 break; 01531 #endif 01532 #ifdef CONFIG_RSBAC_FF 01533 case FF: rsbac_switch_ff = value; 01534 break; 01535 #endif 01536 #if defined(CONFIG_RSBAC_RC) 01537 case RC: rsbac_switch_rc = value; 01538 break; 01539 #endif 01540 #if defined(CONFIG_RSBAC_AUTH) 01541 case AUTH: rsbac_switch_auth = value; 01542 break; 01543 #endif 01544 #if defined(CONFIG_RSBAC_ACL) 01545 case ACL: rsbac_switch_acl = value; 01546 break; 01547 #endif 01548 #if defined(CONFIG_RSBAC_CAP) 01549 case CAP: rsbac_switch_cap = value; 01550 break; 01551 #endif 01552 #if defined(CONFIG_RSBAC_JAIL) 01553 case JAIL: rsbac_switch_jail = value; 01554 break; 01555 #endif 01556 #if defined(CONFIG_RSBAC_RES) 01557 case RES: rsbac_switch_res = value; 01558 break; 01559 #endif 01560 default: 01561 return (-RSBAC_EINVALIDMODULE); 01562 } 01563 } 01564 #endif /* SWITCH */ 01565 return(0); 01566 } 01567 01568 /************** MAC ***************/ 01569 01570 int sys_rsbac_mac_set_curr_level(rsbac_security_level_t level, 01571 rsbac_mac_category_vector_t * categories_p) 01572 { 01573 #ifdef CONFIG_RSBAC_MAC 01574 rsbac_mac_category_vector_t k_categories; 01575 int err; 01576 01577 if(!categories_p) 01578 return -RSBAC_EINVALIDPOINTER; 01579 err = rsbac_get_user((char *) &k_categories, (char *) categories_p, sizeof(k_categories)); 01580 if(err) 01581 return err; 01582 return (rsbac_mac_set_curr_level(level, k_categories)); 01583 #else 01584 return (-RSBAC_EINVALIDMODULE); 01585 #endif 01586 } 01587 01588 int sys_rsbac_mac_get_curr_level(rsbac_security_level_t * level_p, 01589 rsbac_mac_category_vector_t * categories_p) 01590 { 01591 #ifdef CONFIG_RSBAC_MAC 01592 int err = 0; 01593 rsbac_security_level_t k_level; 01594 rsbac_mac_category_vector_t k_categories; 01595 01596 err = rsbac_mac_get_curr_level(&k_level, &k_categories); 01597 if(err) 01598 return err; 01599 if(level_p) 01600 { 01601 err = rsbac_put_user((u_char *) &k_level, (u_char *) level_p, sizeof(k_level)); 01602 if(err) 01603 return err; 01604 } 01605 if(categories_p) 01606 { 01607 err = rsbac_put_user((u_char *) &k_categories, (u_char *) categories_p, sizeof(k_categories)); 01608 } 01609 return err; 01610 #else 01611 return (-RSBAC_EINVALIDMODULE); 01612 #endif 01613 } 01614 01615 int sys_rsbac_mac_get_max_level(rsbac_security_level_t * level_p, 01616 rsbac_mac_category_vector_t * categories_p) 01617 { 01618 #ifdef CONFIG_RSBAC_MAC 01619 int err = 0; 01620 rsbac_security_level_t k_level; 01621 rsbac_mac_category_vector_t k_categories; 01622 01623 err = rsbac_mac_get_max_level(&k_level, &k_categories); 01624 if(err) 01625 return err; 01626 if(level_p) 01627 { 01628 err = rsbac_put_user((u_char *) &k_level, (u_char *) level_p, sizeof(k_level)); 01629 if(err) 01630 return err; 01631 } 01632 if(categories_p) 01633 { 01634 err = rsbac_put_user((u_char *) &k_categories, (u_char *) categories_p, sizeof(k_categories)); 01635 } 01636 return err; 01637 #else 01638 return (-RSBAC_EINVALIDMODULE); 01639 #endif 01640 } 01641 01642 int sys_rsbac_mac_get_min_level(rsbac_security_level_t * level_p, 01643 rsbac_mac_category_vector_t * categories_p) 01644 { 01645 #ifdef CONFIG_RSBAC_MAC 01646 int err = 0; 01647 rsbac_security_level_t k_level; 01648 rsbac_mac_category_vector_t k_categories; 01649 01650 err = rsbac_mac_get_min_level(&k_level, &k_categories); 01651 if(err) 01652 return err; 01653 if(level_p) 01654 { 01655 err = rsbac_put_user((u_char *) &k_level, (u_char *) level_p, sizeof(k_level)); 01656 if(err) 01657 return err; 01658 } 01659 if(categories_p) 01660 { 01661 err = rsbac_put_user((u_char *) &k_categories, (u_char *) categories_p, sizeof(k_categories)); 01662 } 01663 return err; 01664 #else 01665 return (-RSBAC_EINVALIDMODULE); 01666 #endif 01667 } 01668 01669 /* Provide means for adding and removing of capabilities */ 01670 int sys_rsbac_mac_add_p_tru(rsbac_pid_t pid, 01671 rsbac_uid_t uid, 01672 rsbac_time_t ttl) 01673 { 01674 #if defined(CONFIG_RSBAC_MAC) 01675 struct task_struct * task_p; 01676 01677 read_lock(&tasklist_lock); 01678 task_p = find_task_by_pid(pid); 01679 read_unlock(&tasklist_lock); 01680 if(!task_p) 01681 return(-RSBAC_EINVALIDTARGET); 01682 01683 return(rsbac_mac_add_p_tru(pid, uid, ttl)); 01684 #else 01685 return (-RSBAC_EINVALIDMODULE); 01686 #endif 01687 }; 01688 01689 int sys_rsbac_mac_remove_p_tru(rsbac_pid_t pid, 01690 rsbac_uid_t uid) 01691 { 01692 #if defined(CONFIG_RSBAC_MAC) 01693 struct task_struct * task_p; 01694 01695 read_lock(&tasklist_lock); 01696 task_p = find_task_by_pid(pid); 01697 read_unlock(&tasklist_lock); 01698 if(!task_p) 01699 return(-RSBAC_EINVALIDTARGET); 01700 return(rsbac_mac_remove_p_tru(pid, uid)); 01701 #else 01702 return (-RSBAC_EINVALIDMODULE); 01703 #endif 01704 }; 01705 01706 int sys_rsbac_mac_add_f_tru(char * filename, 01707 rsbac_uid_t uid, 01708 rsbac_time_t ttl) 01709 { 01710 #if defined(CONFIG_RSBAC_MAC) 01711 struct dentry * t_dentry; 01712 int err = 0; 01713 enum rsbac_target_t target; 01714 union rsbac_target_id_t tid; 01715 01716 struct nameidata nd; 01717 01718 if(!filename) 01719 return(-RSBAC_EINVALIDTARGET); 01720 01721 if ((err = user_path_walk_link(filename, &nd))) 01722 { 01723 #ifdef CONFIG_RSBAC_DEBUG 01724 if (rsbac_debug_aef_auth) 01725 printk(KERN_DEBUG "sys_rsbac_mac_add_f_tru(): call to user_path_walk_link() returned %i\n", err); 01726 #endif 01727 goto out; 01728 } 01729 t_dentry = nd.dentry; 01730 if (!t_dentry->d_inode) 01731 { 01732 err = -RSBAC_EINVALIDTARGET; 01733 goto out_dput; 01734 } 01735 /* is inode of type file? */ 01736 if(S_ISREG(t_dentry->d_inode->i_mode)) 01737 target = T_FILE; 01738 else 01739 if(S_ISDIR(t_dentry->d_inode->i_mode)) 01740 target = T_DIR; 01741 else 01742 { /* This is no file or dir */ 01743 err = -RSBAC_EINVALIDTARGET; 01744 goto out_dput; 01745 } 01746 tid.file.device = t_dentry->d_sb->s_dev; 01747 tid.file.inode = t_dentry->d_inode->i_ino; 01748 tid.file.dentry_p = t_dentry; 01749 01750 err = rsbac_mac_add_f_tru(tid.file, uid, ttl); 01751 01752 out_dput: 01753 path_release(&nd); 01754 out: 01755 return(err); 01756 01757 #else 01758 return (-RSBAC_EINVALIDMODULE); 01759 #endif 01760 }; 01761 01762 int sys_rsbac_mac_remove_f_tru(char * filename, 01763 rsbac_uid_t uid) 01764 { 01765 #if defined(CONFIG_RSBAC_MAC) 01766 struct dentry * t_dentry; 01767 int err = 0; 01768 enum rsbac_target_t target; 01769 union rsbac_target_id_t tid; 01770 01771 struct nameidata nd; 01772 01773 if(!filename) 01774 return(-RSBAC_EINVALIDTARGET); 01775 01776 if ((err = user_path_walk_link(filename, &nd))) 01777 { 01778 #ifdef CONFIG_RSBAC_DEBUG 01779 if (rsbac_debug_aef_auth) 01780 printk(KERN_DEBUG "sys_rsbac_mac_remove_f_tru(): call to user_path_walk_link() returned %i\n", err); 01781 #endif 01782 goto out; 01783 } 01784 t_dentry = nd.dentry; 01785 if (!t_dentry->d_inode) 01786 { 01787 err = -RSBAC_EINVALIDTARGET; 01788 goto out_dput; 01789 } 01790 /* is inode of type file or dir? */ 01791 if(S_ISREG(t_dentry->d_inode->i_mode)) 01792 target = T_FILE; 01793 else 01794 if(S_ISDIR(t_dentry->d_inode->i_mode)) 01795 target = T_DIR; 01796 else 01797 { /* This is no file or dir */ 01798 err = -RSBAC_EINVALIDTARGET; 01799 goto out_dput; 01800 } 01801 tid.file.device = t_dentry->d_sb->s_dev; 01802 tid.file.inode = t_dentry->d_inode->i_ino; 01803 tid.file.dentry_p = t_dentry; 01804 01805 err = rsbac_mac_remove_f_tru(tid.file, uid); 01806 01807 out_dput: 01808 path_release(&nd); 01809 out: 01810 return(err); 01811 01812 #else 01813 return (-RSBAC_EINVALIDMODULE); 01814 #endif 01815 }; 01816 01817 /* trulist must have space for maxnum rsbac_uid_t entries! */ 01818 int sys_rsbac_mac_get_f_trulist(char * filename, 01819 rsbac_uid_t trulist[], 01820 rsbac_time_t ttllist[], 01821 u_int maxnum) 01822 { 01823 #if defined(CONFIG_RSBAC_MAC) 01824 struct dentry * t_dentry; 01825 int err = 0, tmperr = 0; 01826 enum rsbac_target_t target; 01827 union rsbac_target_id_t tid; 01828 rsbac_uid_t * k_trulist; 01829 rsbac_time_t * k_ttllist; 01830 01831 struct nameidata nd; 01832 01833 if(!filename) 01834 return(-RSBAC_EINVALIDTARGET); 01835 if(!trulist) 01836 return(-RSBAC_EINVALIDPOINTER); 01837 if(maxnum <= 0) 01838 return(-RSBAC_EINVALIDVALUE); 01839 if(maxnum > RSBAC_MAC_MAX_MAXNUM) 01840 maxnum = RSBAC_MAC_MAX_MAXNUM; 01841 01842 if ((err = user_path_walk_link(filename, &nd))) 01843 { 01844 #ifdef CONFIG_RSBAC_DEBUG 01845 if (rsbac_debug_aef_auth) 01846 printk(KERN_DEBUG "sys_rsbac_mac_get_f_trulist(): call to user_path_walk_link() returned %i\n", err); 01847 #endif 01848 goto out; 01849 } 01850 t_dentry = nd.dentry; 01851 if (!t_dentry->d_inode) 01852 { 01853 err = -RSBAC_EINVALIDTARGET; 01854 goto out_dput; 01855 } 01856 /* is inode of type file or dir? */ 01857 if(S_ISREG(t_dentry->d_inode->i_mode)) 01858 target = T_FILE; 01859 else 01860 if(S_ISDIR(t_dentry->d_inode->i_mode)) 01861 target = T_DIR; 01862 else 01863 { /* This is no file or dir */ 01864 err = -RSBAC_EINVALIDTARGET; 01865 goto out_dput; 01866 } 01867 tid.file.device = t_dentry->d_sb->s_dev; 01868 tid.file.inode = t_dentry->d_inode->i_ino; 01869 tid.file.dentry_p = t_dentry; 01870 01871 err = rsbac_mac_get_f_trulist(tid.file, &k_trulist, &k_ttllist); 01872 if(err>0) 01873 { 01874 if(err > maxnum) 01875 err = maxnum; 01876 tmperr = rsbac_put_user((u_char *) k_trulist, (u_char *) trulist, 01877 sizeof(rsbac_uid_t) * err); 01878 if(tmperr < 0) 01879 err = tmperr; 01880 else 01881 { 01882 if(ttllist) 01883 { 01884 tmperr = rsbac_put_user((u_char *) k_ttllist, (u_char *) ttllist, 01885 sizeof(rsbac_time_t) * err); 01886 if(tmperr < 0) 01887 err = tmperr; 01888 } 01889 } 01890 rsbac_vfree(k_trulist); 01891 rsbac_vfree(k_ttllist); 01892 } 01893 01894 out_dput: 01895 path_release(&nd); 01896 out: 01897 return(err); 01898 01899 #else 01900 return (-RSBAC_EINVALIDMODULE); 01901 #endif 01902 }; 01903 01904 int sys_rsbac_mac_get_p_trulist(rsbac_pid_t pid, 01905 rsbac_uid_t trulist[], 01906 rsbac_time_t ttllist[], 01907 u_int maxnum) 01908 { 01909 #if defined(CONFIG_RSBAC_MAC) 01910 int err = 0, tmperr = 0; 01911 union rsbac_target_id_t tid; 01912 rsbac_uid_t * k_trulist; 01913 rsbac_time_t * k_ttllist; 01914 01915 if(!pid) 01916 return(-RSBAC_EINVALIDTARGET); 01917 if(!trulist) 01918 return(-RSBAC_EINVALIDPOINTER); 01919 if(maxnum <= 0) 01920 return(-RSBAC_EINVALIDVALUE); 01921 if(maxnum > RSBAC_MAC_MAX_MAXNUM) 01922 maxnum = RSBAC_MAC_MAX_MAXNUM; 01923 01924 tid.process = pid; 01925 01926 err = rsbac_mac_get_p_trulist(tid.process, &k_trulist, &k_ttllist); 01927 if(err>0) 01928 { 01929 if(err > maxnum) 01930 err = maxnum; 01931 tmperr = rsbac_put_user((u_char *) k_trulist, (u_char *) trulist, 01932 sizeof(rsbac_uid_t) * err); 01933 if(tmperr < 0) 01934 err = tmperr; 01935 else 01936 { 01937 if(ttllist) 01938 { 01939 tmperr = rsbac_put_user((u_char *) k_ttllist, (u_char *) ttllist, 01940 sizeof(rsbac_time_t) * err); 01941 if(tmperr < 0) 01942 err = tmperr; 01943 } 01944 } 01945 rsbac_vfree(k_trulist); 01946 rsbac_vfree(k_ttllist); 01947 } 01948 01949 return(err); 01950 01951 #else 01952 return (-RSBAC_EINVALIDMODULE); 01953 #endif 01954 }; 01955 01956 /************** PM ***************/ 01957 01958 int sys_rsbac_stats_pm(void) 01959 { 01960 #ifndef CONFIG_RSBAC_PM 01961 return (0); 01962 #else 01963 union rsbac_target_id_t rsbac_target_id; 01964 union rsbac_attribute_value_t rsbac_attribute_value; 01965 01966 #ifdef CONFIG_RSBAC_DEBUG 01967 if (rsbac_debug_aef) printk(KERN_DEBUG "sys_rsbac_stats_pm(): calling ADF\n"); 01968 #endif 01969 rsbac_target_id.scd = ST_rsbac; 01970 rsbac_attribute_value.dummy = 0; 01971 if (!rsbac_adf_request(R_GET_STATUS_DATA, 01972 current->pid, 01973 T_SCD, 01974 rsbac_target_id, 01975 A_none, 01976 rsbac_attribute_value)) 01977 { 01978 return -EPERM; 01979 } 01980 01981 #ifdef CONFIG_RSBAC_DEBUG 01982 if (rsbac_debug_aef_pm) 01983 printk(KERN_DEBUG "sys_rsbac_stats_pm(): getting RSBAC status!\n"); 01984 #endif 01985 return(rsbac_stats_pm()); 01986 #endif 01987 }; 01988 01989 int sys_rsbac_pm(enum rsbac_pm_function_type_t function, 01990 union rsbac_pm_function_param_t * param_p, 01991 rsbac_pm_tkt_id_t ticket) 01992 { 01993 #ifndef CONFIG_RSBAC_PM 01994 return (-RSBAC_EINVALIDMODULE); 01995 #else 01996 union rsbac_pm_function_param_t k_param; 01997 int result; 01998 01999 if(function >= PF_none) 02000 return(-RSBAC_EINVALIDREQUEST); 02001 if(!param_p) 02002 return(-RSBAC_EINVALIDPOINTER); 02003 #ifdef CONFIG_RSBAC_DEBUG 02004 if (rsbac_debug_aef_pm) 02005 printk(KERN_DEBUG "sys_rsbac_pm(): called for function %i!\n", 02006 function); 02007 #endif 02008 /* get parameters from user space */ 02009 rsbac_get_user((u_char *) &k_param, (u_char *) param_p, sizeof(k_param) ); 02010 /* call pm function and return its result */ 02011 lock_kernel(); 02012 result = rsbac_pm(function, k_param, ticket); 02013 unlock_kernel(); 02014 return result; 02015 #endif 02016 } 02017 02018 int sys_rsbac_pm_change_current_task(rsbac_pm_task_id_t task) 02019 { 02020 #ifndef CONFIG_RSBAC_PM 02021 return (0); 02022 #else 02023 #ifdef CONFIG_RSBAC_DEBUG 02024 if (rsbac_debug_aef_pm) 02025 printk(KERN_DEBUG 02026 "sys_rsbac_pm_change_current_task(): called for task %i!\n", 02027 task); 02028 #endif 02029 /* call pm function and return its result */ 02030 return(rsbac_pm_change_current_task(task)); 02031 #endif 02032 } 02033 02034 int sys_rsbac_pm_create_file(const char * filename, 02035 int mode, 02036 rsbac_pm_object_class_id_t class) 02037 { 02038 #ifndef CONFIG_RSBAC_PM 02039 return (-RSBAC_EINVALIDMODULE); 02040 #else 02041 if(!filename) 02042 return(-RSBAC_EINVALIDPOINTER); 02043 #ifdef CONFIG_RSBAC_DEBUG 02044 if (rsbac_debug_aef_pm) 02045 printk(KERN_DEBUG 02046 "sys_rsbac_pm_create_file(): called with class %i!\n", 02047 class); 02048 #endif 02049 /* call pm function and return its result */ 02050 return(rsbac_pm_create_file(filename, mode, class)); 02051 #endif 02052 } 02053 02054 /************** DAZ ***************/ 02055 02056 int sys_rsbac_daz_flush_cache(void) 02057 { 02058 #ifndef CONFIG_RSBAC_DAZ_CACHE 02059 return (0); 02060 #else 02061 #ifndef CONFIG_RSBAC_MAINT 02062 union rsbac_target_id_t i_tid; 02063 union rsbac_attribute_value_t i_attr_val1; 02064 02065 /* Security Officer or admin? */ 02066 i_tid.user = current->uid; 02067 if (rsbac_get_attr(DAZ, 02068 T_USER, 02069 i_tid, 02070 A_daz_role, 02071 &i_attr_val1, 02072 TRUE)) 02073 { 02074 #ifdef CONFIG_RSBAC_RMSG 02075 rsbac_printk(KERN_WARNING 02076 "rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n"); 02077 #endif 02078 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02079 if (!rsbac_nosyslog) 02080 #endif 02081 printk(KERN_WARNING 02082 "rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n"); 02083 return -EPERM; 02084 } 02085 /* if nor sec_officer or admin, deny */ 02086 if ( (i_attr_val1.system_role != SR_security_officer) 02087 && (i_attr_val1.system_role != SR_administrator) 02088 ) 02089 #ifdef CONFIG_RSBAC_SOFTMODE 02090 if( !rsbac_softmode 02091 #ifdef CONFIG_RSBAC_SOFTMODE_IND 02092 && !rsbac_ind_softmode[DAZ] 02093 #endif 02094 ) 02095 #endif 02096 return -EPERM; 02097 #endif 02098 02099 printk(KERN_INFO 02100 "sys_rsbac_daz_flush_cache(): flushing DAZuko result cache!\n"); 02101 02102 return(rsbac_daz_flush_cache()); 02103 #endif 02104 }; 02105 02106 02107 /************** RC ***************/ 02108 02109 int sys_rsbac_rc_copy_role (rsbac_rc_role_id_t from_role, 02110 rsbac_rc_role_id_t to_role) 02111 { 02112 #if defined(CONFIG_RSBAC_RC) 02113 if( (from_role > RC_role_max_value) 02114 || (from_role > RC_role_max_value)) 02115 return(-RSBAC_EINVALIDVALUE); 02116 #ifdef CONFIG_RSBAC_DEBUG 02117 if (rsbac_debug_aef_rc) 02118 printk(KERN_DEBUG 02119 "sys_rsbac_rc_copy_role(): from %i, to %i!\n", 02120 from_role, to_role); 02121 #endif 02122 /* call rc function and return its result */ 02123 return(rsbac_rc_sys_copy_role(from_role, to_role)); 02124 #else 02125 return (-RSBAC_EINVALIDMODULE); 02126 #endif 02127 }; 02128 02129 /* Getting values */ 02130 int sys_rsbac_rc_get_item (enum rsbac_rc_target_t target, 02131 union rsbac_rc_target_id_t * tid_p, 02132 union rsbac_rc_target_id_t * subtid_p, 02133 enum rsbac_rc_item_t item, 02134 union rsbac_rc_item_value_t * value_p, 02135 rsbac_time_t * ttl_p) 02136 { 02137 #if defined(CONFIG_RSBAC_RC) 02138 union rsbac_rc_target_id_t k_tid; 02139 union rsbac_rc_target_id_t k_subtid; 02140 union rsbac_rc_item_value_t k_value; 02141 rsbac_time_t k_ttl; 02142 int err = 0; 02143 02144 if( (target >= RT_NONE) 02145 || (item >= RI_none)) 02146 return(-RSBAC_EINVALIDVALUE); 02147 /* get values from user space */ 02148 rsbac_get_user((u_char *) &k_tid, (u_char *) tid_p, sizeof(k_tid) ); 02149 rsbac_get_user((u_char *) &k_subtid, (u_char *) subtid_p, sizeof(k_subtid) ); 02150 rsbac_get_user((u_char *) &k_value, (u_char *) value_p, sizeof(k_value) ); 02151 #ifdef CONFIG_RSBAC_DEBUG 02152 if (rsbac_debug_aef_rc) 02153 printk(KERN_DEBUG 02154 "sys_rsbac_rc_get_item(): target %i, item %i!\n", 02155 target, item); 02156 #endif 02157 /* call rc function and return its result */ 02158 err = rsbac_rc_sys_get_item(target, k_tid, k_subtid, item, &k_value, &k_ttl); 02159 /* put result value to user space */ 02160 if(!err) 02161 { 02162 err = rsbac_put_user((u_char *) &k_value, (u_char *) value_p, sizeof(k_value) ); 02163 if(!err && ttl_p) 02164 err = rsbac_put_user((u_char *) &k_ttl, (u_char *) ttl_p, sizeof(k_ttl) ); 02165 } 02166 return (err); 02167 #else 02168 return (-RSBAC_EINVALIDMODULE); 02169 #endif 02170 }; 02171 02172 /* Setting values */ 02173 int sys_rsbac_rc_set_item (enum rsbac_rc_target_t target, 02174 union rsbac_rc_target_id_t * tid_p, 02175 union rsbac_rc_target_id_t * subtid_p, 02176 enum rsbac_rc_item_t item, 02177 union rsbac_rc_item_value_t * value_p, 02178 rsbac_time_t ttl) 02179 { 02180 #if defined(CONFIG_RSBAC_RC) 02181 union rsbac_rc_target_id_t k_tid; 02182 union rsbac_rc_target_id_t k_subtid; 02183 union rsbac_rc_item_value_t k_value; 02184 02185 if( (target >= RT_NONE) 02186 || (item >= RI_none)) 02187 return(-RSBAC_EINVALIDVALUE); 02188 /* get values from user space */ 02189 rsbac_get_user((u_char *) &k_tid, (u_char *) tid_p, sizeof(k_tid) ); 02190 rsbac_get_user((u_char *) &k_subtid, (u_char *) subtid_p, sizeof(k_subtid) ); 02191 rsbac_get_user((u_char *) &k_value, (u_char *) value_p, sizeof(k_value) ); 02192 #ifdef CONFIG_RSBAC_DEBUG 02193 if (rsbac_debug_aef_rc) 02194 printk(KERN_DEBUG 02195 "sys_rsbac_rc_set_item(): target %i, item %i!\n", 02196 target, item); 02197 #endif 02198 /* call rc function and return its result */ 02199 return rsbac_rc_sys_set_item(target, k_tid, k_subtid, item, k_value, ttl); 02200 #else 02201 return (-RSBAC_EINVALIDMODULE); 02202 #endif 02203 }; 02204 02205 int sys_rsbac_rc_get_list(enum rsbac_rc_target_t target, 02206 union rsbac_rc_target_id_t * tid_p, 02207 enum rsbac_rc_item_t item, 02208 u_int maxnum, 02209 __u32 * array_p, 02210 rsbac_time_t * ttl_array_p) 02211 02212 { 02213 #if defined(CONFIG_RSBAC_RC) 02214 union rsbac_rc_target_id_t k_tid; 02215 int err; 02216 02217 rsbac_get_user((u_char *) &k_tid, (u_char *) tid_p, sizeof(k_tid) ); 02218 if(array_p) 02219 { 02220 __u32 * k_array_p; 02221 rsbac_time_t * k_ttl_array_p; 02222 02223 if(!maxnum) 02224 return -RSBAC_EINVALIDVALUE; 02225 /* call rc function and return its result */ 02226 err = rsbac_rc_get_list(target, k_tid, item, &k_array_p, &k_ttl_array_p); 02227 /* put result value to user space */ 02228 if(err > 0) 02229 { 02230 int tmperr; 02231 02232 if(err > maxnum) 02233 err = maxnum; 02234 tmperr = rsbac_put_user((u_char *) k_array_p, (u_char *) array_p, err * sizeof(*k_array_p) ); 02235 if(tmperr) 02236 err=tmperr; 02237 rsbac_vfree(k_array_p); 02238 if(k_ttl_array_p && ttl_array_p) 02239 { 02240 tmperr = rsbac_put_user((u_char *) k_ttl_array_p, (u_char *) ttl_array_p, err * sizeof(*k_ttl_array_p) ); 02241 if(tmperr) 02242 err=tmperr; 02243 } 02244 rsbac_vfree(k_ttl_array_p); 02245 } 02246 return (err); 02247 } 02248 else 02249 return rsbac_rc_get_list(target, k_tid, item, NULL, NULL); 02250 #else 02251 return (-RSBAC_EINVALIDMODULE); 02252 #endif 02253 }; 02254 02255 /* Set own role */ 02256 int sys_rsbac_rc_change_role (rsbac_rc_role_id_t role) 02257 { 02258 #if defined(CONFIG_RSBAC_RC) 02259 if(role > RC_role_max_value) 02260 return(-RSBAC_EINVALIDVALUE); 02261 #ifdef CONFIG_RSBAC_DEBUG 02262 if (rsbac_debug_aef_rc) 02263 printk(KERN_DEBUG 02264 "sys_rsbac_rc_change_role(): role %i!\n", 02265 role); 02266 #endif 02267 /* call rc function and return its result */ 02268 return rsbac_rc_sys_change_role(role); 02269 #else 02270 return (-RSBAC_EINVALIDMODULE); 02271 #endif 02272 }; 02273 02274 /* Getting own effective rights */ 02275 int sys_rsbac_rc_get_eff_rights_n(enum rsbac_target_t target, 02276 char * t_name, 02277 rsbac_rc_request_vector_t * request_vector_p, 02278 rsbac_time_t * ttl_p) 02279 { 02280 #if defined(CONFIG_RSBAC_RC) 02281 struct dentry * t_dentry; 02282 int err = 0; 02283 rsbac_rc_request_vector_t k_req_vec; 02284 rsbac_time_t k_ttl; 02285 union rsbac_target_id_t tid; 02286 02287 struct nameidata nd; 02288 02289 if(!t_name || (target >= T_NONE)) 02290 return(-RSBAC_EINVALIDTARGET); 02291 02292 if ((err = user_path_walk_link(t_name, &nd))) 02293 { 02294 #ifdef CONFIG_RSBAC_DEBUG 02295 if (rsbac_debug_aef_rc) 02296 printk(KERN_DEBUG "sys_rsbac_rc_get_eff_rights_n(): call to user_path_walk_link() returned %i\n", err); 02297 #endif 02298 goto out; 02299 } 02300 t_dentry = nd.dentry; 02301 if (!t_dentry->d_inode) 02302 { 02303 err = -RSBAC_EINVALIDTARGET; 02304 goto out_dput; 02305 } 02306 02307 switch (target) 02308 { 02309 case T_FD: 02310 if(S_ISREG(t_dentry->d_inode->i_mode)) 02311 { 02312 target = T_FILE; 02313 } 02314 else 02315 if(S_ISDIR(t_dentry->d_inode->i_mode)) 02316 { 02317 target = T_DIR; 02318 } 02319 else 02320 if(S_ISLNK(t_dentry->d_inode->i_mode)) 02321 { 02322 target = T_SYMLINK; 02323 } 02324 else 02325 if(S_ISFIFO(t_dentry->d_inode->i_mode)) 02326 { 02327 target = T_FIFO; 02328 } 02329 else 02330 if(S_ISBLK(t_dentry->d_inode->i_mode)) 02331 { 02332 target = T_FILE; 02333 } 02334 else 02335 if(S_ISCHR(t_dentry->d_inode->i_mode)) 02336 { 02337 target = T_FILE; 02338 } 02339 else 02340 { 02341 #ifdef CONFIG_RSBAC_DEBUG 02342 if (rsbac_debug_aef) 02343 printk(KERN_DEBUG "sys_rsbac_rc_get_eff_rights_n(): no filesystem object\n"); 02344 #endif 02345 err = -RSBAC_EINVALIDTARGET; 02346 goto out_dput; 02347 } 02348 break; 02349 02350 case T_FILE: 02351 /* is inode of type file, symlink or block/char device? */ 02352 if ( !(S_ISREG(t_dentry->d_inode->i_mode)) 02353 && !(S_ISBLK(t_dentry->d_inode->i_mode)) 02354 && !(S_ISCHR(t_dentry->d_inode->i_mode)) ) 02355 { /* This is no file or device */ 02356 err = -RSBAC_EINVALIDTARGET; 02357 goto out_dput; 02358 } 02359 break; 02360 02361 case T_DIR: 02362 if ( !(S_ISDIR(t_dentry->d_inode->i_mode)) ) 02363 { /* This is no file */ 02364 err = -RSBAC_EINVALIDTARGET; 02365 goto out_dput; 02366 } 02367 break; 02368 02369 case T_FIFO: 02370 /* is inode of type fifo? */ 02371 if ( !(S_ISFIFO(t_dentry->d_inode->i_mode))) 02372 { /* This is no file or device */ 02373 err = -RSBAC_EINVALIDTARGET; 02374 goto out_dput; 02375 } 02376 break; 02377 02378 case T_SYMLINK: 02379 /* is inode of type symlink? */ 02380 if ( !(S_ISLNK(t_dentry->d_inode->i_mode))) 02381 { /* This is no file or device */ 02382 err = -RSBAC_EINVALIDTARGET; 02383 goto out_dput; 02384 } 02385 break; 02386 02387 case T_DEV: 02388 /* is inode of type block/char device? */ 02389 if ( !(S_ISBLK(t_dentry->d_inode->i_mode)) 02390 && !(S_ISCHR(t_dentry->d_inode->i_mode)) ) 02391 { /* This is no dev */ 02392 err = -RSBAC_EINVALIDTARGET; 02393 goto out_dput; 02394 } 02395 break; 02396 02397 default: 02398 err = -RSBAC_EINVALIDTARGET; 02399 goto out_dput; 02400 } 02401 02402 if(target == T_DEV) 02403 { 02404 if(S_ISBLK(t_dentry->d_inode->i_mode)) 02405 tid.dev.type = D_block; 02406 else 02407 tid.dev.type = D_char; 02408 tid.dev.id = t_dentry->d_inode->i_rdev; 02409 } 02410 else 02411 { 02412 /* fill target id and call internal function */ 02413 tid.file.device = t_dentry->d_sb->s_dev; 02414 tid.file.inode = t_dentry->d_inode->i_ino; 02415 tid.file.dentry_p = t_dentry; 02416 } 02417 err = rsbac_rc_sys_get_eff_rights(target, tid, &k_req_vec, &k_ttl); 02418 /* put result value to user space */ 02419 if(!err) 02420 { 02421 err = rsbac_put_user((u_char *) &k_req_vec, (u_char *) request_vector_p, sizeof(k_req_vec) ); 02422 if(!err && ttl_p) 02423 err = rsbac_put_user((u_char *) &k_ttl, (u_char *) ttl_p, sizeof(k_ttl) ); 02424 } 02425 02426 out_dput: 02427 path_release(&nd); 02428 02429 out: 02430 return(err); 02431 #else 02432 return (-RSBAC_EINVALIDMODULE); 02433 #endif 02434 }; 02435 02436 /* Get current process role */ 02437 int sys_rsbac_rc_get_current_role (rsbac_rc_role_id_t * role_p) 02438 { 02439 #if defined(CONFIG_RSBAC_RC) 02440 rsbac_rc_role_id_t k_role; 02441 int err; 02442 02443 if(!role_p) 02444 return(-RSBAC_EINVALIDPOINTER); 02445 /* call rc function and return its result */ 02446 err = rsbac_rc_sys_get_current_role(&k_role); 02447 if(!err) 02448 { 02449 err = rsbac_put_user((u_char *) &k_role, (u_char *) role_p, sizeof(k_role) ); 02450 } 02451 return err; 02452 #else 02453 return (-RSBAC_EINVALIDMODULE); 02454 #endif 02455 }; 02456 02457 02458 /************** AUTH ***************/ 02459 02460 /* Provide means for adding and removing of capabilities */ 02461 int sys_rsbac_auth_add_p_cap(rsbac_pid_t pid, 02462 enum rsbac_auth_cap_type_t cap_type, 02463 struct rsbac_auth_cap_range_t cap_range, 02464 rsbac_time_t ttl) 02465 { 02466 #if defined(CONFIG_RSBAC_AUTH) 02467 struct task_struct * task_p; 02468 02469 if(cap_type >= ACT_none) 02470 return(-RSBAC_EINVALIDTARGET); 02471 if(cap_range.first > cap_range.last) 02472 return(-RSBAC_EINVALIDVALUE); 02473 read_lock(&tasklist_lock); 02474 task_p = find_task_by_pid(pid); 02475 read_unlock(&tasklist_lock); 02476 if(!task_p) 02477 return(-RSBAC_EINVALIDTARGET); 02478 02479 /* call auth function and return its result */ 02480 /* permission checking is done there */ 02481 return(rsbac_auth_add_p_cap(pid, cap_type, cap_range, ttl)); 02482 #else 02483 return (-RSBAC_EINVALIDMODULE); 02484 #endif 02485 }; 02486 02487 int sys_rsbac_auth_remove_p_cap(rsbac_pid_t pid, 02488 enum rsbac_auth_cap_type_t cap_type, 02489 struct rsbac_auth_cap_range_t cap_range) 02490 { 02491 #if defined(CONFIG_RSBAC_AUTH) 02492 struct task_struct * task_p; 02493 02494 if(cap_type >= ACT_none) 02495 return(-RSBAC_EINVALIDTARGET); 02496 if(cap_range.first > cap_range.last) 02497 return(-RSBAC_EINVALIDVALUE); 02498 read_lock(&tasklist_lock); 02499 task_p = find_task_by_pid(pid); 02500 read_unlock(&tasklist_lock); 02501 if(!task_p) 02502 return(-RSBAC_EINVALIDTARGET); 02503 /* call auth function and return its result */ 02504 /* permission checking is done there */ 02505 return(rsbac_auth_remove_p_cap(pid, cap_type, cap_range)); 02506 #else 02507 return (-RSBAC_EINVALIDMODULE); 02508 #endif 02509 }; 02510 02511 int sys_rsbac_auth_add_f_cap(char * filename, 02512 enum rsbac_auth_cap_type_t cap_type, 02513 struct rsbac_auth_cap_range_t cap_range, 02514 rsbac_time_t ttl) 02515 { 02516 #if defined(CONFIG_RSBAC_AUTH) 02517 struct dentry * t_dentry; 02518 int err = 0; 02519 enum rsbac_target_t target; 02520 union rsbac_target_id_t tid; 02521 02522 /* for adf_request */ 02523 #if defined(CONFIG_RSBAC_AUTH) && !defined(CONFIG_RSBAC_MAINT) 02524 union rsbac_attribute_value_t rsbac_attribute_value; 02525 #endif 02526 02527 struct nameidata nd; 02528 02529 if(!filename) 02530 return(-RSBAC_EINVALIDTARGET); 02531 if(cap_type >= ACT_none) 02532 return(-RSBAC_EINVALIDTARGET); 02533 if(cap_range.first > cap_range.last) 02534 return(-RSBAC_EINVALIDVALUE); 02535 02536 if ((err = user_path_walk_link(filename, &nd))) 02537 { 02538 #ifdef CONFIG_RSBAC_DEBUG 02539 if (rsbac_debug_aef_auth) 02540 printk(KERN_DEBUG "sys_rsbac_auth_add_f_cap(): call to user_path_walk_link() returned %i\n", err); 02541 #endif 02542 goto out; 02543 } 02544 t_dentry = nd.dentry; 02545 if (!t_dentry->d_inode) 02546 { 02547 err = -RSBAC_EINVALIDTARGET; 02548 goto out_dput; 02549 } 02550 /* is inode of type file? */ 02551 if(S_ISREG(t_dentry->d_inode->i_mode)) 02552 target = T_FILE; 02553 else 02554 if(S_ISDIR(t_dentry->d_inode->i_mode)) 02555 target = T_DIR; 02556 else 02557 { /* This is no file or dir */ 02558 err = -RSBAC_EINVALIDTARGET; 02559 goto out_dput; 02560 } 02561 tid.file.device = t_dentry->d_sb->s_dev; 02562 tid.file.inode = t_dentry->d_inode->i_ino; 02563 tid.file.dentry_p = t_dentry; 02564 #if defined(CONFIG_RSBAC_AUTH) && !defined(CONFIG_RSBAC_MAINT) 02565 /* call ADF */ 02566 #ifdef CONFIG_RSBAC_DEBUG 02567 if (rsbac_debug_aef) 02568 printk(KERN_DEBUG "sys_rsbac_auth_add_f_cap(): calling ADF\n"); 02569 #endif 02570 rsbac_attribute_value.auth_cap_range = cap_range; 02571 if (!rsbac_adf_request(R_MODIFY_ATTRIBUTE, 02572 current->pid, 02573 target, 02574 tid, 02575 A_auth_add_f_cap, 02576 rsbac_attribute_value)) 02577 { 02578 err = -EPERM; 02579 } 02580 else 02581 #endif 02582 err = rsbac_auth_add_f_cap(tid.file, cap_type, cap_range, ttl); 02583 02584 out_dput: 02585 path_release(&nd); 02586 out: 02587 return(err); 02588 02589 #else 02590 return (-RSBAC_EINVALIDMODULE); 02591 #endif 02592 }; 02593 02594 int sys_rsbac_auth_remove_f_cap(char * filename, 02595 enum rsbac_auth_cap_type_t cap_type, 02596 struct rsbac_auth_cap_range_t cap_range) 02597 { 02598 #if defined(CONFIG_RSBAC_AUTH) 02599 struct dentry * t_dentry; 02600 int err = 0; 02601 enum rsbac_target_t target; 02602 union rsbac_target_id_t tid; 02603 02604 /* for adf_request */ 02605 #if defined(CONFIG_RSBAC_AUTH) && !defined(CONFIG_RSBAC_MAINT) 02606 union rsbac_attribute_value_t rsbac_attribute_value; 02607 #endif 02608 02609 struct nameidata nd; 02610 02611 if(!filename) 02612 return(-RSBAC_EINVALIDTARGET); 02613 if(cap_type >= ACT_none) 02614 return(-RSBAC_EINVALIDTARGET); 02615 if(cap_range.first > cap_range.last) 02616 return(-RSBAC_EINVALIDVALUE); 02617 02618 if ((err = user_path_walk_link(filename, &nd))) 02619 { 02620 #ifdef CONFIG_RSBAC_DEBUG 02621 if (rsbac_debug_aef_auth) 02622 printk(KERN_DEBUG "sys_rsbac_auth_remove_f_cap(): call to user_path_walk_link() returned %i\n", err); 02623 #endif 02624 goto out; 02625 } 02626 t_dentry = nd.dentry; 02627 if (!t_dentry->d_inode) 02628 { 02629 err = -RSBAC_EINVALIDTARGET; 02630 goto out_dput; 02631 } 02632 /* is inode of type file or dir? */ 02633 if(S_ISREG(t_dentry->d_inode->i_mode)) 02634 target = T_FILE; 02635 else 02636 if(S_ISDIR(t_dentry->d_inode->i_mode)) 02637 target = T_DIR; 02638 else 02639 { /* This is no file or dir */ 02640 err = -RSBAC_EINVALIDTARGET; 02641 goto out_dput; 02642 } 02643 tid.file.device = t_dentry->d_sb->s_dev; 02644 tid.file.inode = t_dentry->d_inode->i_ino; 02645 tid.file.dentry_p = t_dentry; 02646 #if defined(CONFIG_RSBAC_AUTH) && !defined(CONFIG_RSBAC_MAINT) 02647 /* call ADF */ 02648 #ifdef CONFIG_RSBAC_DEBUG 02649 if (rsbac_debug_aef) printk(KERN_DEBUG "sys_rsbac_auth_add_f_cap(): calling ADF\n"); 02650 #endif 02651 rsbac_attribute_value.auth_cap_range = cap_range; 02652 if (!rsbac_adf_request(R_MODIFY_ATTRIBUTE, 02653 current->pid, 02654 target, 02655 tid, 02656 A_auth_remove_f_cap, 02657 rsbac_attribute_value)) 02658 { 02659 err = -EPERM; 02660 } 02661 else 02662 #endif 02663 err = rsbac_auth_remove_f_cap(tid.file, cap_type, cap_range); 02664 02665 out_dput: 02666 path_release(&nd); 02667 out: 02668 return(err); 02669 02670 #else 02671 return (-RSBAC_EINVALIDMODULE); 02672 #endif 02673 }; 02674 02675 /* caplist must have space for maxnum auth_cap_range entries - first and last each! */ 02676 int sys_rsbac_auth_get_f_caplist(char * filename, 02677 enum rsbac_auth_cap_type_t cap_type, 02678 struct rsbac_auth_cap_range_t caplist[], 02679 rsbac_time_t ttllist[], 02680 u_int maxnum) 02681 { 02682 #if defined(CONFIG_RSBAC_AUTH) 02683 struct dentry * t_dentry; 02684 int err = 0, tmperr = 0; 02685 enum rsbac_target_t target; 02686 union rsbac_target_id_t tid; 02687 struct rsbac_auth_cap_range_t * k_caplist; 02688 rsbac_time_t * k_ttllist; 02689 02690 /* for adf_request */ 02691 #if defined(CONFIG_RSBAC_AUTH) && !defined(CONFIG_RSBAC_MAINT) 02692 union rsbac_attribute_value_t rsbac_attribute_value; 02693 #endif 02694 02695 struct nameidata nd; 02696 02697 if(!filename) 02698 return(-RSBAC_EINVALIDTARGET); 02699 if(cap_type >= ACT_none) 02700 return(-RSBAC_EINVALIDTARGET); 02701 if(!caplist) 02702 return(-RSBAC_EINVALIDPOINTER); 02703 if(maxnum <= 0) 02704 return(-RSBAC_EINVALIDVALUE); 02705 if(maxnum > RSBAC_AUTH_MAX_MAXNUM) 02706 maxnum = RSBAC_AUTH_MAX_MAXNUM; 02707 02708 if ((err = user_path_walk_link(filename, &nd))) 02709 { 02710 #ifdef CONFIG_RSBAC_DEBUG 02711 if (rsbac_debug_aef_auth) 02712 printk(KERN_DEBUG "sys_rsbac_auth_get_f_caplist(): call to user_path_walk_link() returned %i\n", err); 02713 #endif 02714 goto out; 02715 } 02716 t_dentry = nd.dentry; 02717 if (!t_dentry->d_inode) 02718 { 02719 err = -RSBAC_EINVALIDTARGET; 02720 goto out_dput; 02721 } 02722 /* is inode of type file or dir? */ 02723 if(S_ISREG(t_dentry->d_inode->i_mode)) 02724 target = T_FILE; 02725 else 02726 if(S_ISDIR(t_dentry->d_inode->i_mode)) 02727 target = T_DIR; 02728 else 02729 { /* This is no file or dir */ 02730 err = -RSBAC_EINVALIDTARGET; 02731 goto out_dput; 02732 } 02733 tid.file.device = t_dentry->d_sb->s_dev; 02734 tid.file.inode = t_dentry->d_inode->i_ino; 02735 tid.file.dentry_p = t_dentry; 02736 #if defined(CONFIG_RSBAC_AUTH) && !defined(CONFIG_RSBAC_MAINT) 02737 /* call ADF */ 02738 #ifdef CONFIG_RSBAC_DEBUG 02739 if (rsbac_debug_aef) printk(KERN_DEBUG "sys_rsbac_auth_get_f_caplist(): calling ADF\n"); 02740 #endif 02741 rsbac_attribute_value.dummy = 0; 02742 if (!rsbac_adf_request(R_READ_ATTRIBUTE, 02743 current->pid, 02744 target, 02745 tid, 02746 A_auth_get_caplist, 02747 rsbac_attribute_value)) 02748 { 02749 err = -EPERM; 02750 goto out_dput; 02751 } 02752 #endif 02753 err = rsbac_auth_get_f_caplist(tid.file, cap_type, &k_caplist, &k_ttllist); 02754 if(err>0) 02755 { 02756 if(err > maxnum) 02757 err = maxnum; 02758 tmperr = rsbac_put_user((u_char *) k_caplist, (u_char *) caplist, 02759 sizeof(struct rsbac_auth_cap_range_t) * err); 02760 if(tmperr < 0) 02761 err = tmperr; 02762 else 02763 { 02764 if(ttllist) 02765 { 02766 tmperr = rsbac_put_user((u_char *) k_ttllist, (u_char *) ttllist, 02767 sizeof(rsbac_time_t) * err); 02768 if(tmperr < 0) 02769 err = tmperr; 02770 } 02771 } 02772 rsbac_vfree(k_caplist); 02773 rsbac_vfree(k_ttllist); 02774 } 02775 02776 out_dput: 02777 path_release(&nd); 02778 out: 02779 return(err); 02780 02781 #else 02782 return (-RSBAC_EINVALIDMODULE); 02783 #endif 02784 }; 02785 02786 int sys_rsbac_auth_get_p_caplist(rsbac_pid_t pid, 02787 enum rsbac_auth_cap_type_t cap_type, 02788 struct rsbac_auth_cap_range_t caplist[], 02789 rsbac_time_t ttllist[], 02790 u_int maxnum) 02791 { 02792 #if defined(CONFIG_RSBAC_AUTH) 02793 int err = 0, tmperr = 0; 02794 union rsbac_target_id_t tid; 02795 struct rsbac_auth_cap_range_t * k_caplist; 02796 rsbac_time_t * k_ttllist; 02797 02798 /* for adf_request */ 02799 #if defined(CONFIG_RSBAC_AUTH) && !defined(CONFIG_RSBAC_MAINT) 02800 union rsbac_attribute_value_t rsbac_attribute_value; 02801 #endif 02802 02803 if(!pid) 02804 return(-RSBAC_EINVALIDTARGET); 02805 if(cap_type >= ACT_none) 02806 return(-RSBAC_EINVALIDTARGET); 02807 if(!caplist) 02808 return(-RSBAC_EINVALIDPOINTER); 02809 if(maxnum <= 0) 02810 return(-RSBAC_EINVALIDVALUE); 02811 if(maxnum > RSBAC_AUTH_MAX_MAXNUM) 02812 maxnum = RSBAC_AUTH_MAX_MAXNUM; 02813 02814 tid.process = pid; 02815 #if defined(CONFIG_RSBAC_AUTH) && !defined(CONFIG_RSBAC_MAINT) 02816 /* call ADF */ 02817 #ifdef CONFIG_RSBAC_DEBUG 02818 if (rsbac_debug_aef) printk(KERN_DEBUG "sys_rsbac_auth_get_p_caplist(): calling ADF\n"); 02819 #endif 02820 rsbac_attribute_value.dummy = 0; 02821 if (!rsbac_adf_request(R_READ_ATTRIBUTE, 02822 current->pid, 02823 T_PROCESS, 02824 tid, 02825 A_auth_get_caplist, 02826 rsbac_attribute_value)) 02827 { 02828 return -EPERM; 02829 } 02830 #endif 02831 err = rsbac_auth_get_p_caplist(tid.process, cap_type, &k_caplist, &k_ttllist); 02832 if(err>0) 02833 { 02834 if(err > maxnum) 02835 err = maxnum; 02836 tmperr = rsbac_put_user((u_char *) k_caplist, (u_char *) caplist, 02837 sizeof(struct rsbac_auth_cap_range_t) * err); 02838 if(tmperr < 0) 02839 err = tmperr; 02840 else 02841 { 02842 if(ttllist) 02843 { 02844 tmperr = rsbac_put_user((u_char *) k_ttllist, (u_char *) ttllist, 02845 sizeof(rsbac_time_t) * err); 02846 if(tmperr < 0) 02847 err = tmperr; 02848 } 02849 } 02850 rsbac_vfree(k_caplist); 02851 rsbac_vfree(k_ttllist); 02852 } 02853 02854 return(err); 02855 02856 #else 02857 return (-RSBAC_EINVALIDMODULE); 02858 #endif 02859 }; 02860 02861 /**********************************/ 02862 /************** REG ***************/ 02863 02864 int sys_rsbac_reg(rsbac_reg_handle_t handle, 02865 void * arg) 02866 { 02867 #if defined(CONFIG_RSBAC_REG) 02868 return rsbac_reg_syscall(handle, arg); 02869 #else 02870 return (-RSBAC_EINVALIDMODULE); 02871 #endif 02872 } 02873 02874 02875 /**********************************/ 02876 /************** ACL ***************/ 02877 02878 int sys_rsbac_acl(enum rsbac_acl_syscall_type_t call, 02879 struct rsbac_acl_syscall_arg_t * arg) 02880 { 02881 #if defined(CONFIG_RSBAC_ACL) 02882 struct rsbac_acl_syscall_arg_t k_arg; 02883 /* union rsbac_target_id_t i_tid; */ 02884 int err = 0; 02885 02886 if(call >= ACLC_none) 02887 return(-RSBAC_EINVALIDREQUEST); 02888 if(!arg) 02889 return(-RSBAC_EINVALIDPOINTER); 02890 02891 /* get values from user space */ 02892 err = rsbac_get_user((u_char *) &k_arg, (u_char *) arg, sizeof(k_arg) ); 02893 if(err < 0) 02894 return err; 02895 02896 if(k_arg.target >= T_NONE) 02897 return(-RSBAC_EINVALIDTARGET); 02898 /* printk(KERN_DEBUG "sys_rsbac_acl(): target = %u, call = %u, subj_type = %u, subj_id = %u!\n", 02899 k_arg.target, call, k_arg.subj_type, k_arg.subj_id); */ 02900 if(call != ACLC_set_mask) 02901 { 02902 switch(k_arg.subj_type) 02903 { 02904 case ACLS_USER: 02905 break; 02906 case ACLS_GROUP: 02907 if(k_arg.subj_id != RSBAC_ACL_GROUP_EVERYONE) 02908 { 02909 struct rsbac_acl_group_entry_t entry; 02910 rsbac_uid_t caller; 02911 02912 if( rsbac_acl_get_group_entry(k_arg.subj_id, &entry) 02913 || rsbac_get_owner(&caller) 02914 || ( (entry.owner != caller) 02915 && (entry.type != ACLG_GLOBAL) 02916 ) 02917 ) 02918 return(-RSBAC_EINVALIDVALUE); 02919 } 02920 break; 02921 #if defined(CONFIG_RSBAC_RC) 02922 case ACLS_ROLE: 02923 if(k_arg.subj_id > RC_role_max_value) 02924 { 02925 #ifdef CONFIG_RSBAC_RMSG 02926 rsbac_printk(KERN_DEBUG "sys_rsbac_acl(): Invalid role %u!\n", k_arg.subj_id); 02927 #endif 02928 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02929 if (!rsbac_nosyslog) 02930 #endif 02931 printk(KERN_DEBUG "sys_rsbac_acl(): Invalid role %u!\n", k_arg.subj_id); 02932 return(-RSBAC_EINVALIDVALUE); 02933 } 02934 break; 02935 #endif 02936 default: 02937 #ifdef CONFIG_RSBAC_RMSG 02938 rsbac_printk(KERN_DEBUG "sys_rsbac_acl(): Invalid subject type %u!\n", k_arg.subj_type); 02939 #endif 02940 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02941 if (!rsbac_nosyslog) 02942 #endif 02943 printk(KERN_DEBUG "sys_rsbac_acl(): Invalid subject type %u!\n", k_arg.subj_type); 02944 return(-RSBAC_EINVALIDVALUE); 02945 } 02946 if( (call == ACLC_remove_user) 02947 && (k_arg.target != T_USER) 02948 ) 02949 return -RSBAC_EINVALIDTARGET; 02950 02951 } 02952 02953 /* call acl function */ 02954 switch(call) 02955 { 02956 case ACLC_set_acl_entry: 02957 err = rsbac_acl_sys_set_acl_entry(k_arg.target, 02958 k_arg.tid, 02959 k_arg.subj_type, 02960 k_arg.subj_id, 02961 k_arg.rights, 02962 k_arg.ttl); 02963 break; 02964 case ACLC_remove_acl_entry: 02965 err = rsbac_acl_sys_remove_acl_entry(k_arg.target, 02966 k_arg.tid, 02967 k_arg.subj_type, 02968 k_arg.subj_id); 02969 break; 02970 case ACLC_remove_acl: 02971 err = rsbac_acl_sys_remove_acl(k_arg.target, 02972 k_arg.tid); 02973 break; 02974 case ACLC_add_to_acl_entry: 02975 err = rsbac_acl_sys_add_to_acl_entry(k_arg.target, 02976 k_arg.tid, 02977 k_arg.subj_type, 02978 k_arg.subj_id, 02979 k_arg.rights, 02980 k_arg.ttl); 02981 break; 02982 case ACLC_remove_from_acl_entry: 02983 err = rsbac_acl_sys_remove_from_acl_entry(k_arg.target, 02984 k_arg.tid, 02985 k_arg.subj_type, 02986 k_arg.subj_id, 02987 k_arg.rights); 02988 break; 02989 case ACLC_set_mask: 02990 err = rsbac_acl_sys_set_mask(k_arg.target, 02991 k_arg.tid, 02992 k_arg.rights); 02993 break; 02994 case ACLC_remove_user: 02995 err = rsbac_acl_sys_remove_user(k_arg.tid.user); 02996 break; 02997 02998 default: 02999 err=-RSBAC_EINVALIDREQUEST; 03000 } 03001 return (err); 03002 #else 03003 return (-RSBAC_EINVALIDMODULE); 03004 #endif 03005 }; /* end of sys_rsbac_acl() */ 03006 03007 03008 int sys_rsbac_acl_n(enum rsbac_acl_syscall_type_t call, 03009 struct rsbac_acl_syscall_n_arg_t * arg) 03010 { 03011 #if defined(CONFIG_RSBAC_ACL) 03012 struct dentry * t_dentry = NULL; 03013 int err = 0; 03014 union rsbac_target_id_t tid; 03015 struct rsbac_acl_syscall_n_arg_t k_arg; 03016 03017 struct nameidata nd; 03018 03019 if(call >= ACLC_none) 03020 return(-RSBAC_EINVALIDREQUEST); 03021 if(!arg) 03022 return(-RSBAC_EINVALIDPOINTER); 03023 03024 /* get values from user space */ 03025 err = rsbac_get_user((u_char *) &k_arg, (u_char *) arg, sizeof(k_arg) ); 03026 if(err < 0) 03027 return err; 03028 03029 if(k_arg.target >= T_NONE) 03030 return(-RSBAC_EINVALIDTARGET); 03031 if(call != ACLC_set_mask) 03032 { 03033 switch(k_arg.subj_type) 03034 { 03035 case ACLS_USER: 03036 break; 03037 case ACLS_GROUP: 03038 if(k_arg.subj_id != RSBAC_ACL_GROUP_EVERYONE) 03039 { 03040 struct rsbac_acl_group_entry_t entry; 03041 rsbac_uid_t caller; 03042 03043 if( rsbac_acl_get_group_entry(k_arg.subj_id, &entry) 03044 || rsbac_get_owner(&caller) 03045 || ( (entry.owner != caller) 03046 && (entry.type != ACLG_GLOBAL) 03047 ) 03048 ) 03049 return(-RSBAC_EINVALIDVALUE); 03050 } 03051 break; 03052 #if defined(CONFIG_RSBAC_RC) 03053 case ACLS_ROLE: 03054 if(k_arg.subj_id > RC_role_max_value) 03055 return(-RSBAC_EINVALIDVALUE); 03056 break; 03057 #endif 03058 default: 03059 return(-RSBAC_EINVALIDVALUE); 03060 } 03061 } 03062 03063 if(k_arg.name) 03064 { 03065 /* lookup filename */ 03066 if ((err = user_path_walk_link(k_arg.name, &nd))) 03067 { 03068 #ifdef CONFIG_RSBAC_DEBUG 03069 if (rsbac_debug_aef) 03070 printk(KERN_DEBUG "sys_rsbac_acl_n(): call to user_path_walk_link() returned %i\n", err); 03071 #endif 03072 goto out; 03073 } 03074 t_dentry = nd.dentry; 03075 if (!t_dentry->d_inode) 03076 { 03077 #ifdef CONFIG_RSBAC_DEBUG 03078 if (rsbac_debug_aef) 03079 printk(KERN_DEBUG "sys_rsbac_acl_n(): file not found\n"); 03080 #endif 03081 err = -RSBAC_EINVALIDTARGET; 03082 goto out_dput; 03083 } 03084 tid.file.device = t_dentry->d_sb->s_dev; 03085 tid.file.inode = t_dentry->d_inode->i_ino; 03086 tid.file.dentry_p = t_dentry; 03087 } 03088 else 03089 { 03090 tid.file.device = RSBAC_ZERO_DEV; 03091 tid.file.inode = 0; 03092 tid.file.dentry_p = NULL; 03093 } 03094 03095 switch (k_arg.target) 03096 { 03097 case T_FD: 03098 if(k_arg.name) 03099 { 03100 if(S_ISREG(t_dentry->d_inode->i_mode)) 03101 { 03102 k_arg.target = T_FILE; 03103 } 03104 else 03105 if(S_ISDIR(t_dentry->d_inode->i_mode)) 03106 { 03107 k_arg.target = T_DIR; 03108 } 03109 else 03110 if(S_ISLNK(t_dentry->d_inode->i_mode)) 03111 { 03112 k_arg.target = T_SYMLINK; 03113 } 03114 else 03115 if(S_ISFIFO(t_dentry->d_inode->i_mode)) 03116 { 03117 k_arg.target = T_FIFO; 03118 } 03119 else 03120 if(S_ISBLK(t_dentry->d_inode->i_mode)) 03121 { 03122 k_arg.target = T_FILE; 03123 } 03124 else 03125 if(S_ISCHR(t_dentry->d_inode->i_mode)) 03126 { 03127 k_arg.target = T_FILE; 03128 } 03129 else 03130 { 03131 #ifdef CONFIG_RSBAC_DEBUG 03132 if (rsbac_debug_aef) 03133 printk(KERN_DEBUG "sys_rsbac_acl_n(): no filesystem object\n"); 03134 #endif 03135 err = -RSBAC_EINVALIDTARGET; 03136 goto out_dput; 03137 } 03138 } 03139 else 03140 k_arg.target = T_FILE; 03141 break; 03142 03143 case T_FILE: 03144 if(k_arg.name) 03145 { 03146 /* is inode of type file, symlink or block/char device? */ 03147 if ( !(S_ISREG(t_dentry->d_inode->i_mode)) 03148 && !(S_ISBLK(t_dentry->d_inode->i_mode)) 03149 && !(S_ISCHR(t_dentry->d_inode->i_mode)) ) 03150 { /* This is no file or device */ 03151 err = -RSBAC_EINVALIDTARGET; 03152 goto out_dput; 03153 } 03154 } 03155 break; 03156 03157 case T_DIR: 03158 if(k_arg.name) 03159 { 03160 if ( !(S_ISDIR(t_dentry->d_inode->i_mode)) ) 03161 { /* This is no dir */ 03162 err = -RSBAC_EINVALIDTARGET; 03163 goto out_dput; 03164 } 03165 } 03166 break; 03167 03168 case T_FIFO: 03169 if(k_arg.name) 03170 { 03171 /* is inode of type fifo? */ 03172 if ( !(S_ISFIFO(t_dentry->d_inode->i_mode))) 03173 { /* This is no file or device */ 03174 err = -RSBAC_EINVALIDTARGET; 03175 goto out_dput; 03176 } 03177 } 03178 break; 03179 03180 case T_SYMLINK: 03181 if(k_arg.name) 03182 { 03183 /* is inode of type symlink? */ 03184 if ( !(S_ISLNK(t_dentry->d_inode->i_mode))) 03185 { /* This is no file or device */ 03186 err = -RSBAC_EINVALIDTARGET; 03187 goto out_dput; 03188 } 03189 } 03190 break; 03191 03192 case T_DEV: 03193 if(k_arg.name) 03194 { 03195 /* is inode of type block/char device? */ 03196 if ( !(S_ISBLK(t_dentry->d_inode->i_mode)) 03197 && !(S_ISCHR(t_dentry->d_inode->i_mode)) ) 03198 { /* This is no file or device */ 03199 err = -RSBAC_EINVALIDTARGET; 03200 goto out_dput; 03201 } 03202 /* fill target id and call internal function */ 03203 if(S_ISBLK(t_dentry->d_inode->i_mode)) 03204 tid.dev.type = D_block; 03205 else 03206 tid.dev.type = D_char; 03207 tid.dev.id = t_dentry->d_inode->i_rdev; 03208 } 03209 else 03210 { 03211 tid.dev.type = D_none; 03212 tid.dev.id = RSBAC_ZERO_DEV; 03213 } 03214 break; 03215 03216 default: 03217 err = -RSBAC_EINVALIDTARGET; 03218 goto out_dput; 03219 } 03220 /* call acl function */ 03221 switch(call) 03222 { 03223 case ACLC_set_acl_entry: 03224 err = rsbac_acl_sys_set_acl_entry(k_arg.target, 03225 tid, 03226 k_arg.subj_type, 03227 k_arg.subj_id, 03228 k_arg.rights, 03229 k_arg.ttl); 03230 break; 03231 case ACLC_remove_acl_entry: 03232 err = rsbac_acl_sys_remove_acl_entry(k_arg.target, 03233 tid, 03234 k_arg.subj_type, 03235 k_arg.subj_id); 03236 break; 03237 case ACLC_remove_acl: 03238 err = rsbac_acl_sys_remove_acl(k_arg.target, 03239 tid); 03240 break; 03241 case ACLC_add_to_acl_entry: 03242 err = rsbac_acl_sys_add_to_acl_entry(k_arg.target, 03243 tid, 03244 k_arg.subj_type, 03245 k_arg.subj_id, 03246 k_arg.rights, 03247 k_arg.ttl); 03248 break; 03249 case ACLC_remove_from_acl_entry: 03250 err = rsbac_acl_sys_remove_from_acl_entry(k_arg.target, 03251 tid, 03252 k_arg.subj_type, 03253 k_arg.subj_id, 03254 k_arg.rights); 03255 break; 03256 case ACLC_set_mask: 03257 err = rsbac_acl_sys_set_mask(k_arg.target, 03258 tid, 03259 k_arg.rights); 03260 break; 03261 03262 default: 03263 err=-RSBAC_EINVALIDREQUEST; 03264 } 03265 03266 out_dput: 03267 if(k_arg.name) 03268 { 03269 path_release(&nd); 03270 } 03271 03272 out: 03273 return(err); 03274 #else 03275 return (-RSBAC_EINVALIDMODULE); 03276 #endif 03277 }; /* end of sys_rsbac_acl_n() */ 03278 03279 /************************************************************************** */ 03280 03281 int sys_rsbac_acl_get_rights (struct rsbac_acl_syscall_arg_t * arg, 03282 rsbac_acl_rights_vector_t * rights_p, 03283 u_int effective) 03284 { 03285 #if defined(CONFIG_RSBAC_ACL) 03286 struct rsbac_acl_syscall_arg_t k_arg; 03287 rsbac_acl_rights_vector_t k_rights = 0; 03288 int err = 0; 03289 03290 if(!arg || !rights_p) 03291 return(-RSBAC_EINVALIDPOINTER); 03292 /* get values from user space */ 03293 rsbac_get_user((u_char *) &k_arg, (u_char *) arg, sizeof(k_arg) ); 03294 03295 if(k_arg.target >= T_NONE) 03296 return(-RSBAC_EINVALIDTARGET); 03297 /* printk(KERN_DEBUG "sys_rsbac_acl_get_rights(): target = %u, subj_type = %u, subj_id = %u!\n", 03298 k_arg.target, k_arg.subj_type, k_arg.subj_id); */ 03299 switch(k_arg.subj_type) 03300 { 03301 case ACLS_USER: 03302 break; 03303 case ACLS_GROUP: 03304 if(k_arg.subj_id != RSBAC_ACL_GROUP_EVERYONE) 03305 { 03306 struct rsbac_acl_group_entry_t entry; 03307 rsbac_uid_t caller; 03308 03309 if( rsbac_acl_get_group_entry(k_arg.subj_id, &entry) 03310 || rsbac_get_owner(&caller) 03311 || ( (entry.owner != caller) 03312 && (entry.type != ACLG_GLOBAL) 03313 ) 03314 ) 03315 return(-RSBAC_EINVALIDVALUE); 03316 } 03317 break; 03318 case ACLS_ROLE: 03319 #if defined(CONFIG_RSBAC_RC) 03320 if(k_arg.subj_id > RC_role_max_value) 03321 return(-RSBAC_EINVALIDVALUE); 03322 #endif 03323 break; 03324 default: 03325 #ifdef CONFIG_RSBAC_RMSG 03326 rsbac_printk(KERN_DEBUG "sys_rsbac_acl_get_rights(): Invalid subject type %u!\n", k_arg.subj_type); 03327 #endif 03328 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03329 if (!rsbac_nosyslog) 03330 #endif 03331 printk(KERN_DEBUG "sys_rsbac_acl_get_rights(): Invalid subject type %u!\n", k_arg.subj_type); 03332 return(-RSBAC_EINVALIDVALUE); 03333 } 03334 03335 /* call acl function */ 03336 err = rsbac_acl_sys_get_rights(k_arg.target, 03337 k_arg.tid, 03338 k_arg.subj_type, 03339 k_arg.subj_id, 03340 &k_rights, 03341 effective); 03342 if(!err) 03343 { 03344 err = rsbac_put_user((u_char *) &k_rights, (u_char *) rights_p, sizeof(k_rights) ); 03345 } 03346 return (err); 03347 #else 03348 return (-RSBAC_EINVALIDMODULE); 03349 #endif 03350 }; /* end of sys_rsbac_acl_get_rights() */ 03351 03352 03353 int sys_rsbac_acl_get_rights_n(struct rsbac_acl_syscall_n_arg_t * arg, 03354 rsbac_acl_rights_vector_t * rights_p, 03355 u_int effective) 03356 { 03357 #if defined(CONFIG_RSBAC_ACL) 03358 struct dentry * t_dentry = NULL; 03359 boolean need_put = FALSE; 03360 int err = 0; 03361 union rsbac_target_id_t tid; 03362 struct rsbac_acl_syscall_n_arg_t k_arg; 03363 rsbac_acl_rights_vector_t k_rights = 0; 03364 03365 struct nameidata nd; 03366 03367 if(!arg || !rights_p) 03368 return(-RSBAC_EINVALIDPOINTER); 03369 /* get values from user space */ 03370 rsbac_get_user((u_char *) &k_arg, (u_char *) arg, sizeof(k_arg) ); 03371 03372 if(k_arg.target >= T_NONE) 03373 return(-RSBAC_EINVALIDTARGET); 03374 switch(k_arg.subj_type) 03375 { 03376 case ACLS_USER: 03377 break; 03378 case ACLS_GROUP: 03379 if(k_arg.subj_id != RSBAC_ACL_GROUP_EVERYONE) 03380 { 03381 struct rsbac_acl_group_entry_t entry; 03382 rsbac_uid_t caller; 03383 03384 if( rsbac_acl_get_group_entry(k_arg.subj_id, &entry) 03385 || rsbac_get_owner(&caller) 03386 || ( (entry.owner != caller) 03387 && (entry.type != ACLG_GLOBAL) 03388 ) 03389 ) 03390 return(-RSBAC_EINVALIDVALUE); 03391 } 03392 break; 03393 case ACLS_ROLE: 03394 #if defined(CONFIG_RSBAC_RC) 03395 if(k_arg.subj_id > RC_role_max_value) 03396 return(-RSBAC_EINVALIDVALUE); 03397 #endif 03398 break; 03399 default: 03400 return(-RSBAC_EINVALIDVALUE); 03401 } 03402 03403 switch (k_arg.target) 03404 { 03405 case T_FD: 03406 case T_FILE: 03407 case T_DIR: 03408 case T_FIFO: 03409 case T_SYMLINK: 03410 if(k_arg.name) 03411 { 03412 if ((err = user_path_walk_link(k_arg.name, &nd))) 03413 { 03414 #ifdef CONFIG_RSBAC_DEBUG 03415 if (rsbac_debug_aef_acl) 03416 printk(KERN_DEBUG "sys_rsbac_acl_get_rights_n(): call to user_path_walk_link() returned %i\n", err); 03417 #endif 03418 goto out; 03419 } 03420 t_dentry = nd.dentry; 03421 need_put = TRUE; 03422 if (!t_dentry->d_inode) 03423 { 03424 err = -RSBAC_EINVALIDTARGET; 03425 goto out_dput; 03426 } 03427 /* is inode of type file, symlink or block/char device? */ 03428 switch(k_arg.target) 03429 { 03430 case T_FD: 03431 if(S_ISREG(t_dentry->d_inode->i_mode)) 03432 { 03433 k_arg.target = T_FILE; 03434 } 03435 else 03436 if(S_ISDIR(t_dentry->d_inode->i_mode)) 03437 { 03438 k_arg.target = T_DIR; 03439 } 03440 else 03441 if(S_ISLNK(t_dentry->d_inode->i_mode)) 03442 { 03443 k_arg.target = T_SYMLINK; 03444 } 03445 else 03446 if(S_ISFIFO(t_dentry->d_inode->i_mode)) 03447 { 03448 k_arg.target = T_FIFO; 03449 } 03450 else 03451 if(S_ISBLK(t_dentry->d_inode->i_mode)) 03452 { 03453 k_arg.target = T_FILE; 03454 } 03455 else 03456 if(S_ISCHR(t_dentry->d_inode->i_mode)) 03457 { 03458 k_arg.target = T_FILE; 03459 } 03460 else 03461 { /* This is no file or device */ 03462 err = -RSBAC_EINVALIDTARGET; 03463 goto out_dput; 03464 } 03465 break; 03466 case T_FILE: 03467 if ( !(S_ISREG(t_dentry->d_inode->i_mode)) 03468 && !(S_ISBLK(t_dentry->d_inode->i_mode)) 03469 && !(S_ISCHR(t_dentry->d_inode->i_mode)) ) 03470 { /* This is no file or device */ 03471 err = -RSBAC_EINVALIDTARGET; 03472 goto out_dput; 03473 } 03474 break; 03475 case T_DIR: 03476 if ( !(S_ISDIR(t_dentry->d_inode->i_mode)) ) 03477 { /* This is no dir */ 03478 err = -RSBAC_EINVALIDTARGET; 03479 goto out_dput; 03480 } 03481 break; 03482 case T_FIFO: 03483 /* is inode of type fifo? */ 03484 if ( !(S_ISFIFO(t_dentry->d_inode->i_mode))) 03485 { /* This is no fifo */ 03486 err = -RSBAC_EINVALIDTARGET; 03487 goto out_dput; 03488 } 03489 break; 03490 case T_SYMLINK: 03491 /* is inode of type symlink? */ 03492 if ( !(S_ISLNK(t_dentry->d_inode->i_mode))) 03493 { /* This is no symlink */ 03494 err = -RSBAC_EINVALIDTARGET; 03495 goto out_dput; 03496 } 03497 break; 03498 default: 03499 err = -RSBAC_EINVALIDTARGET; 03500 goto out_dput; 03501 } 03502 tid.file.device = t_dentry->d_sb->s_dev; 03503 tid.file.inode = t_dentry->d_inode->i_ino; 03504 tid.file.dentry_p = t_dentry; 03505 } 03506 else 03507 { 03508 if(k_arg.target == T_FD) 03509 k_arg.target = T_FILE; 03510 tid.file.device = RSBAC_ZERO_DEV; 03511 tid.file.inode = 0; 03512 tid.file.dentry_p = NULL; 03513 } 03514 break; 03515 03516 case T_DEV: 03517 if(k_arg.name) 03518 { 03519 if ((err = user_path_walk_link(k_arg.name, &nd))) 03520 { 03521 #ifdef CONFIG_RSBAC_DEBUG 03522 if (rsbac_debug_aef_acl) 03523 printk(KERN_DEBUG "sys_rsbac_acl_get_rights_n(): call to user_path_walk_link() returned %i\n", err); 03524 #endif 03525 goto out; 03526 } 03527 t_dentry = nd.dentry; 03528 need_put = TRUE; 03529 if (!t_dentry->d_inode) 03530 { 03531 err = -RSBAC_EINVALIDTARGET; 03532 goto out_dput; 03533 } 03534 /* is inode of type file, symlink or block/char device? */ 03535 if ( !(S_ISBLK(t_dentry->d_inode->i_mode)) 03536 && !(S_ISCHR(t_dentry->d_inode->i_mode)) ) 03537 { /* This is no file or device */ 03538 err = -RSBAC_EINVALIDTARGET; 03539 goto out_dput; 03540 } 03541 /* fill target id and call internal function */ 03542 if(S_ISBLK(t_dentry->d_inode->i_mode)) 03543 tid.dev.type = D_block; 03544 else 03545 tid.dev.type = D_char; 03546 tid.dev.id = t_dentry->d_inode->i_rdev; 03547 } 03548 else 03549 { 03550 tid.dev.type = D_none; 03551 tid.dev.id = RSBAC_ZERO_DEV; 03552 } 03553 break; 03554 03555 default: 03556 return -RSBAC_EINVALIDTARGET; 03557 } 03558 03559 /* call acl function */ 03560 err = rsbac_acl_sys_get_rights(k_arg.target, 03561 tid, 03562 k_arg.subj_type, 03563 k_arg.subj_id, 03564 &k_rights, 03565 effective); 03566 03567 out_dput: 03568 if(need_put) 03569 path_release(&nd); 03570 out: 03571 if(!err) 03572 { 03573 rsbac_put_user((u_char *) &k_rights, (u_char *) rights_p, sizeof(k_rights) ); 03574 } 03575 return(err); 03576 #else 03577 return (-RSBAC_EINVALIDMODULE); 03578 #endif 03579 }; /* end of sys_rsbac_acl_get_rights_n() */ 03580 03581 /************************************************************************** */ 03582 03583 int sys_rsbac_acl_get_tlist (enum rsbac_target_t target, 03584 union rsbac_target_id_t * tid, 03585 struct rsbac_acl_entry_t entry_array[], 03586 rsbac_time_t ttl_array[], 03587 u_int maxnum) 03588 { 03589 #if defined(CONFIG_RSBAC_ACL) 03590 union rsbac_target_id_t k_tid; 03591 struct rsbac_acl_entry_t * k_entry_p; 03592 rsbac_time_t * k_ttl_p; 03593 int err = 0; 03594 03595 if(!tid || (target >= T_NONE)) 03596 return(-RSBAC_EINVALIDTARGET); 03597 if(!entry_array) 03598 return(-RSBAC_EINVALIDPOINTER); 03599 if(!maxnum) 03600 return(-RSBAC_EINVALIDVALUE); 03601 if(maxnum > RSBAC_ACL_MAX_MAXNUM) 03602 maxnum = RSBAC_ACL_MAX_MAXNUM; 03603 03604 /* get values from user space */ 03605 err = rsbac_get_user((u_char *) &k_tid, (u_char *) tid, sizeof(k_tid) ); 03606 if(err) 03607 return err; 03608 03609 /* call acl function */ 03610 err = rsbac_acl_sys_get_tlist(target, k_tid, &k_entry_p, &k_ttl_p); 03611 if(err>0) 03612 { 03613 if(err > maxnum) 03614 err = maxnum; 03615 rsbac_put_user((u_char *) k_entry_p, 03616 (u_char *) entry_array, 03617 err * sizeof(*k_entry_p) ); 03618 if(ttl_array) 03619 { 03620 rsbac_put_user((u_char *) k_ttl_p, 03621 (u_char *) ttl_array, 03622 err * sizeof(*k_ttl_p) ); 03623 } 03624 rsbac_vfree(k_entry_p); 03625 rsbac_vfree(k_ttl_p); 03626 } 03627 return (err); 03628 #else 03629 return (-RSBAC_EINVALIDMODULE); 03630 #endif 03631 }; /* end of sys_rsbac_acl_get_tlist() */ 03632 03633 int sys_rsbac_acl_get_tlist_n(enum rsbac_target_t target, 03634 char * t_name, 03635 struct rsbac_acl_entry_t entry_array[], 03636 rsbac_time_t ttl_array[], 03637 u_int maxnum) 03638 { 03639 #if defined(CONFIG_RSBAC_ACL) 03640 struct dentry * t_dentry = NULL; 03641 struct rsbac_acl_entry_t * k_entry_p; 03642 rsbac_time_t * k_ttl_p; 03643 boolean need_put = FALSE; 03644 int err = 0; 03645 union rsbac_target_id_t tid; 03646 03647 struct nameidata nd; 03648 03649 if(target >= T_NONE) 03650 return(-RSBAC_EINVALIDTARGET); 03651 if(!entry_array) 03652 return(-RSBAC_EINVALIDPOINTER); 03653 03654 switch (target) 03655 { 03656 case T_FD: 03657 case T_FILE: 03658 case T_DIR: 03659 case T_FIFO: 03660 case T_SYMLINK: 03661 if(t_name) 03662 { 03663 if ((err = user_path_walk_link(t_name, &nd))) 03664 { 03665 #ifdef CONFIG_RSBAC_DEBUG 03666 if (rsbac_debug_aef_acl) 03667 printk(KERN_DEBUG "sys_rsbac_acl_get_tlist_n(): call to user_path_walk_link() returned %i\n", err); 03668 #endif 03669 goto out; 03670 } 03671 t_dentry = nd.dentry; 03672 need_put = TRUE; 03673 if (!t_dentry->d_inode) 03674 { 03675 err = -RSBAC_EINVALIDTARGET; 03676 goto out_dput; 03677 } 03678 /* is inode of type file, symlink or block/char device? */ 03679 switch(target) 03680 { 03681 case T_FD: 03682 if(S_ISREG(t_dentry->d_inode->i_mode)) 03683 { 03684 target = T_FILE; 03685 } 03686 else 03687 if(S_ISDIR(t_dentry->d_inode->i_mode)) 03688 { 03689 target = T_DIR; 03690 } 03691 else 03692 if(S_ISLNK(t_dentry->d_inode->i_mode)) 03693 { 03694 target = T_SYMLINK; 03695 } 03696 else 03697 if(S_ISFIFO(t_dentry->d_inode->i_mode)) 03698 { 03699 target = T_FIFO; 03700 } 03701 else 03702 if(S_ISBLK(t_dentry->d_inode->i_mode)) 03703 { 03704 target = T_FILE; 03705 } 03706 else 03707 if(S_ISCHR(t_dentry->d_inode->i_mode)) 03708 { 03709 target = T_FILE; 03710 } 03711 else 03712 { /* This is no file or device */ 03713 err = -RSBAC_EINVALIDTARGET; 03714 goto out_dput; 03715 } 03716 break; 03717 case T_FILE: 03718 if ( !(S_ISREG(t_dentry->d_inode->i_mode)) 03719 && !(S_ISBLK(t_dentry->d_inode->i_mode)) 03720 && !(S_ISCHR(t_dentry->d_inode->i_mode)) ) 03721 { /* This is no file or device */ 03722 err = -RSBAC_EINVALIDTARGET; 03723 goto out_dput; 03724 } 03725 break; 03726 case T_DIR: 03727 if ( !(S_ISDIR(t_dentry->d_inode->i_mode)) ) 03728 { /* This is no dir */ 03729 err = -RSBAC_EINVALIDTARGET; 03730 goto out_dput; 03731 } 03732 break; 03733 case T_FIFO: 03734 /* is inode of type fifo? */ 03735 if ( !(S_ISFIFO(t_dentry->d_inode->i_mode))) 03736 { /* This is no fifo */ 03737 err = -RSBAC_EINVALIDTARGET; 03738 goto out_dput; 03739 } 03740 break; 03741 case T_SYMLINK: 03742 /* is inode of type symlink? */ 03743 if ( !(S_ISLNK(t_dentry->d_inode->i_mode))) 03744 { /* This is no symlink */ 03745 err = -RSBAC_EINVALIDTARGET; 03746 goto out_dput; 03747 } 03748 break; 03749 default: 03750 err = -RSBAC_EINVALIDTARGET; 03751 goto out_dput; 03752 } 03753 tid.file.device = t_dentry->d_sb->s_dev; 03754 tid.file.inode = t_dentry->d_inode->i_ino; 03755 tid.file.dentry_p = t_dentry; 03756 } 03757 else 03758 { 03759 if(target == T_FD) 03760 target = T_FILE; 03761 tid.file.device = RSBAC_ZERO_DEV; 03762 tid.file.inode = 0; 03763 tid.file.dentry_p = NULL; 03764 } 03765 break; 03766 03767 case T_DEV: 03768 if(t_name) 03769 { 03770 if ((err = user_path_walk_link(t_name, &nd))) 03771 { 03772 #ifdef CONFIG_RSBAC_DEBUG 03773 if (rsbac_debug_aef_acl) 03774 printk(KERN_DEBUG "sys_rsbac_acl_get_tlist_n(): call to user_path_walk_link() returned %i\n", err); 03775 #endif 03776 goto out; 03777 } 03778 t_dentry = nd.dentry; 03779 need_put = TRUE; 03780 if (!t_dentry->d_inode) 03781 { 03782 err = -RSBAC_EINVALIDTARGET; 03783 goto out_dput; 03784 } 03785 /* is inode of type file, symlink or block/char device? */ 03786 if ( !(S_ISBLK(t_dentry->d_inode->i_mode)) 03787 && !(S_ISCHR(t_dentry->d_inode->i_mode)) ) 03788 { /* This is no file or device */ 03789 err = -RSBAC_EINVALIDTARGET; 03790 goto out_dput; 03791 } 03792 /* fill target id and call internal function */ 03793 if(S_ISBLK(t_dentry->d_inode->i_mode)) 03794 tid.dev.type = D_block; 03795 else 03796 tid.dev.type = D_char; 03797 tid.dev.id = t_dentry->d_inode->i_rdev; 03798 } 03799 else 03800 { 03801 tid.dev.type = D_none; 03802 tid.dev.id = RSBAC_ZERO_DEV; 03803 } 03804 break; 03805 03806 default: 03807 return -RSBAC_EINVALIDTARGET; 03808 } 03809 /* call ACL function */ 03810 err = rsbac_acl_sys_get_tlist(target, tid, &k_entry_p, &k_ttl_p); 03811 03812 out_dput: 03813 if(need_put) 03814 path_release(&nd); 03815 out: 03816 if(err>0) 03817 { 03818 if(err > maxnum) 03819 err = maxnum; 03820 rsbac_put_user((u_char *) k_entry_p, 03821 (u_char *) entry_array, 03822 err * sizeof(*k_entry_p) ); 03823 if(ttl_array) 03824 { 03825 rsbac_put_user((u_char *) k_ttl_p, 03826 (u_char *) ttl_array, 03827 err * sizeof(*k_ttl_p) ); 03828 } 03829 rsbac_vfree(k_entry_p); 03830 rsbac_vfree(k_ttl_p); 03831 } 03832 return(err); 03833 03834 #else 03835 return (-RSBAC_EINVALIDMODULE); 03836 #endif 03837 }; /* end of sys_rsbac_acl_get_tlist_n() */ 03838 03839 /************************************************************************** */ 03840 03841 int sys_rsbac_acl_get_mask (enum rsbac_target_t target, 03842 union rsbac_target_id_t * tid, 03843 rsbac_acl_rights_vector_t * mask_p) 03844 { 03845 #if defined(CONFIG_RSBAC_ACL) 03846 union rsbac_target_id_t k_tid; 03847 rsbac_acl_rights_vector_t k_mask; 03848 int err = 0; 03849 03850 if(!tid || (target >= T_NONE)) 03851 return(-RSBAC_EINVALIDTARGET); 03852 if(!mask_p) 03853 return(-RSBAC_EINVALIDPOINTER); 03854 03855 /* get values from user space */ 03856 rsbac_get_user((u_char *) &k_tid, (u_char *) tid, sizeof(k_tid) ); 03857 03858 /* call acl function */ 03859 err = rsbac_acl_sys_get_mask(target, k_tid, &k_mask); 03860 if(!err) 03861 { 03862 rsbac_put_user((u_char *) &k_mask, 03863 (u_char *) mask_p, 03864 sizeof(k_mask) ); 03865 } 03866 return (err); 03867 #else 03868 return (-RSBAC_EINVALIDMODULE); 03869 #endif 03870 }; /* end of sys_rsbac_acl_get_mask() */ 03871 03872 int sys_rsbac_acl_get_mask_n(enum rsbac_target_t target, 03873 char * t_name, 03874 rsbac_acl_rights_vector_t * mask_p) 03875 { 03876 #if defined(CONFIG_RSBAC_ACL) 03877 struct dentry * t_dentry = NULL; 03878 rsbac_acl_rights_vector_t k_mask; 03879 boolean need_put = FALSE; 03880 int err = 0; 03881 union rsbac_target_id_t tid; 03882 03883 struct nameidata nd; 03884 03885 if(target >= T_NONE) 03886 return(-RSBAC_EINVALIDTARGET); 03887 if(!mask_p) 03888 return(-RSBAC_EINVALIDPOINTER); 03889 03890 switch (target) 03891 { 03892 case T_FD: 03893 case T_FILE: 03894 case T_DIR: 03895 case T_FIFO: 03896 case T_SYMLINK: 03897 if(t_name) 03898 { 03899 if ((err = user_path_walk_link(t_name, &nd))) 03900 { 03901 #ifdef CONFIG_RSBAC_DEBUG 03902 if (rsbac_debug_aef_acl) 03903 printk(KERN_DEBUG "sys_rsbac_acl_get_mask_n(): call to user_path_walk_link() returned %i\n", err); 03904 #endif 03905 goto out; 03906 } 03907 t_dentry = nd.dentry; 03908 need_put = TRUE; 03909 if (!t_dentry->d_inode) 03910 { 03911 err = -RSBAC_EINVALIDTARGET; 03912 goto out_dput; 03913 } 03914 /* is inode of type file, symlink or block/char device? */ 03915 switch(target) 03916 { 03917 case T_FD: 03918 if(S_ISREG(t_dentry->d_inode->i_mode)) 03919 { 03920 target = T_FILE; 03921 } 03922 else 03923 if(S_ISDIR(t_dentry->d_inode->i_mode)) 03924 { 03925 target = T_DIR; 03926 } 03927 else 03928 if(S_ISLNK(t_dentry->d_inode->i_mode)) 03929 { 03930 target = T_SYMLINK; 03931 } 03932 else 03933 if(S_ISFIFO(t_dentry->d_inode->i_mode)) 03934 { 03935 target = T_FIFO; 03936 } 03937 else 03938 if(S_ISBLK(t_dentry->d_inode->i_mode)) 03939 { 03940 target = T_FILE; 03941 } 03942 else 03943 if(S_ISCHR(t_dentry->d_inode->i_mode)) 03944 { 03945 target = T_FILE; 03946 } 03947 else 03948 { /* This is no file or device */ 03949 err = -RSBAC_EINVALIDTARGET; 03950 goto out_dput; 03951 } 03952 break; 03953 case T_FILE: 03954 if ( !(S_ISREG(t_dentry->d_inode->i_mode)) 03955 && !(S_ISBLK(t_dentry->d_inode->i_mode)) 03956 && !(S_ISCHR(t_dentry->d_inode->i_mode)) ) 03957 { /* This is no file or device */ 03958 err = -RSBAC_EINVALIDTARGET; 03959 goto out_dput; 03960 } 03961 break; 03962 case T_DIR: 03963 if ( !(S_ISDIR(t_dentry->d_inode->i_mode)) ) 03964 { /* This is no dir */ 03965 err = -RSBAC_EINVALIDTARGET; 03966 goto out_dput; 03967 } 03968 break; 03969 case T_FIFO: 03970 /* is inode of type fifo? */ 03971 if ( !(S_ISFIFO(t_dentry->d_inode->i_mode))) 03972 { /* This is no fifo */ 03973 err = -RSBAC_EINVALIDTARGET; 03974 goto out_dput; 03975 } 03976 break; 03977 case T_SYMLINK: 03978 /* is inode of type symlink? */ 03979 if ( !(S_ISLNK(t_dentry->d_inode->i_mode))) 03980 { /* This is no symlink */ 03981 err = -RSBAC_EINVALIDTARGET; 03982 goto out_dput; 03983 } 03984 break; 03985 default: 03986 err = -RSBAC_EINVALIDTARGET; 03987 goto out_dput; 03988 } 03989 tid.file.device = t_dentry->d_sb->s_dev; 03990 tid.file.inode = t_dentry->d_inode->i_ino; 03991 tid.file.dentry_p = t_dentry; 03992 } 03993 else 03994 { 03995 if(target == T_FD) 03996 target = T_FILE; 03997 tid.file.device = RSBAC_ZERO_DEV; 03998 tid.file.inode = 0; 03999 tid.file.dentry_p = NULL; 04000 } 04001 break; 04002 04003 case T_DEV: 04004 if(t_name) 04005 { 04006 if ((err = user_path_walk_link(t_name, &nd))) 04007 { 04008 #ifdef CONFIG_RSBAC_DEBUG 04009 if (rsbac_debug_aef_acl) 04010 printk(KERN_DEBUG "sys_rsbac_acl_get_mask_n(): call to user_path_walk_link() returned %i\n", err); 04011 #endif 04012 goto out; 04013 } 04014 t_dentry = nd.dentry; 04015 need_put = TRUE; 04016 if (!t_dentry->d_inode) 04017 { 04018 err = -RSBAC_EINVALIDTARGET; 04019 goto out_dput; 04020 } 04021 /* is inode of type block/char device? */ 04022 if ( !(S_ISBLK(t_dentry->d_inode->i_mode)) 04023 && !(S_ISCHR(t_dentry->d_inode->i_mode)) ) 04024 { /* This is no file or device */ 04025 err = -RSBAC_EINVALIDTARGET; 04026 goto out_dput; 04027 } 04028 /* fill target id and call internal function */ 04029 if(S_ISBLK(t_dentry->d_inode->i_mode)) 04030 tid.dev.type = D_block; 04031 else 04032 tid.dev.type = D_char; 04033 tid.dev.id = t_dentry->d_inode->i_rdev; 04034 } 04035 else 04036 { 04037 tid.dev.type = D_none; 04038 tid.dev.id = RSBAC_ZERO_DEV; 04039 } 04040 break; 04041 04042 default: 04043 return -RSBAC_EINVALIDTARGET; 04044 } 04045 /* call ACL function */ 04046 err = rsbac_acl_sys_get_mask(target, tid, &k_mask); 04047 04048 out_dput: 04049 if(need_put) 04050 path_release(&nd); 04051 out: 04052 if(!err) 04053 { 04054 rsbac_put_user((u_char *) &k_mask, 04055 (u_char *) mask_p, 04056 sizeof(k_mask) ); 04057 } 04058 return(err); 04059 04060 #else 04061 return (-RSBAC_EINVALIDMODULE); 04062 #endif 04063 }; /* end of sys_rsbac_acl_get_mask_n() */ 04064 04065 /******** ACL groups *********/ 04066 04067 int sys_rsbac_acl_group(enum rsbac_acl_group_syscall_type_t call, 04068 union rsbac_acl_group_syscall_arg_t * arg_p) 04069 { 04070 #if defined(CONFIG_RSBAC_ACL) 04071 union rsbac_acl_group_syscall_arg_t k_arg; 04072 int err = 0; 04073 04074 if(call >= ACLGS_none) 04075 return(-RSBAC_EINVALIDREQUEST); 04076 if(!arg_p) 04077 return(-RSBAC_EINVALIDPOINTER); 04078 04079 /* get values from user space */ 04080 err = rsbac_get_user((u_char *) &k_arg, (u_char *) arg_p, sizeof(k_arg) ); 04081 04082 /* call acl function */ 04083 if(err >= 0) 04084 err = rsbac_acl_sys_group(call, k_arg); 04085 return (err); 04086 #else 04087 return (-RSBAC_EINVALIDMODULE); 04088 #endif 04089 }; /* end of sys_rsbac_acl() */ 04090 04091 /******** JAIL *********/ 04092 04093 int sys_rsbac_jail(rsbac_version_t version, 04094 char * path, 04095 rsbac_jail_ip_t ip, 04096 rsbac_jail_flags_t flags, 04097 rsbac_cap_vector_t max_caps) 04098 { 04099 #if defined(CONFIG_RSBAC_JAIL) 04100 return rsbac_jail_sys_jail(version, path, ip, flags, max_caps); 04101 #else 04102 return (-RSBAC_EINVALIDMODULE); 04103 #endif 04104 } 04105 04106 04107 /************************************************* */ 04108 /* DEBUG/LOG functions */ 04109 /************************************************* */ 04110 04111 int sys_rsbac_adf_log_switch(enum rsbac_adf_request_t request, 04112 enum rsbac_target_t target, 04113 u_int value) 04114 { 04115 union rsbac_target_id_t rsbac_target_id; 04116 union rsbac_attribute_value_t rsbac_attribute_value; 04117 04118 if ((value != LL_none) && (value != LL_denied) && (value != LL_full)) 04119 return (-RSBAC_EINVALIDVALUE); 04120 if(request >= R_NONE) 04121 return(-RSBAC_EINVALIDREQUEST); 04122 if( (target == T_FD) 04123 || (target > T_NONE) 04124 ) 04125 return(-RSBAC_EINVALIDTARGET); 04126 /* call ADF */ 04127 #ifdef CONFIG_RSBAC_DEBUG 04128 if (rsbac_debug_aef) 04129 printk(KERN_DEBUG "sys_rsbac_adf_log_switch(): calling ADF\n"); 04130 #endif 04131 rsbac_target_id.dummy = 0; 04132 rsbac_attribute_value.request = target; 04133 if (!rsbac_adf_request(R_SWITCH_LOG, 04134 current->pid, 04135 T_NONE, 04136 rsbac_target_id, 04137 A_request, 04138 rsbac_attribute_value)) 04139 { 04140 return -EPERM; 04141 } 04142 #ifdef CONFIG_RSBAC_DEBUG 04143 if (rsbac_debug_aef) 04144 { 04145 char * request_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 04146 if(request_name) 04147 { 04148 get_request_name(request_name,target); 04149 #ifdef CONFIG_RSBAC_RMSG 04150 rsbac_printk(KERN_INFO "sys_rsbac_adf_log_switch(): switching RSBAC module logging for request %s (No. %i) to %i!\n", 04151 request_name, target, value); 04152 #endif 04153 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04154 if (!rsbac_nosyslog) 04155 #endif 04156 printk(KERN_INFO "sys_rsbac_adf_log_switch(): switching RSBAC module logging for request %s (No. %i) to %i!\n", 04157 request_name, target, value); 04158 rsbac_kfree(request_name); 04159 } 04160 } 04161 #endif 04162 rsbac_adf_log_switch(request,target,value); 04163 return(0); 04164 } 04165 04166 int sys_rsbac_get_adf_log(enum rsbac_adf_request_t request, 04167 enum rsbac_target_t target, 04168 u_int * value_p) 04169 { 04170 union rsbac_target_id_t rsbac_target_id; 04171 union rsbac_attribute_value_t rsbac_attribute_value; 04172 u_int k_value; 04173 int err; 04174 04175 if(request >= R_NONE) 04176 return(-RSBAC_EINVALIDREQUEST); 04177 if( (target == T_FD) 04178 || (target > T_NONE) 04179 ) 04180 return(-RSBAC_EINVALIDTARGET); 04181 if(!value_p) 04182 return(-RSBAC_EINVALIDPOINTER); 04183 /* call ADF */ 04184 #ifdef CONFIG_RSBAC_DEBUG 04185 if (rsbac_debug_aef) 04186 printk(KERN_DEBUG "sys_rsbac_get_adf_log(): calling ADF\n"); 04187 #endif 04188 rsbac_target_id.scd = ST_rsbac; 04189 rsbac_attribute_value.request = request; 04190 if (!rsbac_adf_request(R_GET_STATUS_DATA, 04191 current->pid, 04192 T_SCD, 04193 rsbac_target_id, 04194 A_request, 04195 rsbac_attribute_value)) 04196 { 04197 return -EPERM; 04198 } 04199 #ifdef CONFIG_RSBAC_DEBUG 04200 if (rsbac_debug_aef) 04201 { 04202 char * request_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 04203 if(request_name) 04204 { 04205 get_request_name(request_name,target); 04206 printk(KERN_DEBUG "sys_rsbac_get_adf_log(): getting RSBAC module logging for request %s (No. %i)!\n", 04207 request_name, target); 04208 rsbac_kfree(request_name); 04209 } 04210 } 04211 #endif 04212 err = rsbac_get_adf_log(request, target, &k_value); 04213 if(!err) 04214 { 04215 rsbac_put_user((u_char *) &k_value, 04216 (u_char *) value_p, 04217 sizeof(k_value) ); 04218 } 04219 return(err); 04220 } 04221 04222 /* 04223 * Commands to sys_rsbac_log: 04224 * 04225 * 0 -- Close the log. Currently a NOP. 04226 * 1 -- Open the log. Currently a NOP. 04227 * 2 -- Read from the log. 04228 * 3 -- Read up to the last 4k of messages in the ring buffer. 04229 * 4 -- Read and clear last 4k of messages in the ring buffer 04230 * 5 -- Clear ring buffer. 04231 */ 04232 int sys_rsbac_log(int type, 04233 char * buf, 04234 int len) 04235 { 04236 #if defined(CONFIG_RSBAC_RMSG) 04237 /* lock_kernel is done in rsbac_log */ 04238 return(rsbac_log(type,buf,len)); 04239 #else 04240 return(0); 04241 #endif /* RMSG */ 04242 } 04243 04244 #if defined(CONFIG_RSBAC_INIT_DELAY) 04245 int sys_rsbac_init(char * path) 04246 { 04247 struct dentry * t_dentry = NULL; 04248 boolean need_put = FALSE; 04249 int err = 0; 04250 04251 struct nameidata nd; 04252 04253 if(!path) 04254 return rsbac_init(ROOT_DEV); 04255 04256 if ((err = user_path_walk_link(path, &nd))) 04257 { 04258 goto out; 04259 } 04260 t_dentry = nd.dentry; 04261 need_put = TRUE; 04262 if (!t_dentry->d_inode) 04263 { 04264 err = -RSBAC_EINVALIDTARGET; 04265 goto out_dput; 04266 } 04267 /* is inode of type file, symlink or block/char device? */ 04268 if(!S_ISBLK(t_dentry->d_inode->i_mode)) 04269 { /* This is no file or device */ 04270 err = -RSBAC_EINVALIDTARGET; 04271 goto out_dput; 04272 } 04273 err = rsbac_init(t_dentry->d_sb->s_dev); 04274 04275 out_dput: 04276 if(need_put) 04277 path_release(&nd); 04278 out: 04279 return(err); 04280 } 04281 #endif 04282 04283 /* Big dispatcher for all syscalls */ 04284 #ifdef rsbac_syscall4 04285 asmlinkage int sys_rsbac(int dummy, 04286 rsbac_version_t version, 04287 enum rsbac_syscall_t call, 04288 union rsbac_syscall_arg_t * arg_p) 04289 #else 04290 asmlinkage int sys_rsbac(rsbac_version_t version, 04291 enum rsbac_syscall_t call, 04292 union rsbac_syscall_arg_t * arg_p) 04293 #endif 04294 { 04295 union rsbac_syscall_arg_t k_arg; 04296 int err; 04297 04298 if(version != RSBAC_VERSION_NR) 04299 return -RSBAC_EINVALIDVERSION; 04300 04301 if(call >= RSYS_none) 04302 return -RSBAC_EINVALIDREQUEST; 04303 04304 /* get values from user space */ 04305 if(arg_p) 04306 { 04307 err = rsbac_get_user((u_char *) &k_arg, (u_char *) arg_p, sizeof(k_arg) ); 04308 if(err) 04309 return err; 04310 } 04311 else 04312 { 04313 memset(&k_arg, 0, sizeof(k_arg)); 04314 } 04315 04316 switch(call) 04317 { 04318 case RSYS_stats: 04319 return sys_rsbac_stats(); 04320 case RSYS_check: 04321 return sys_rsbac_check(k_arg.check.correct, k_arg.check.check_inode); 04322 case RSYS_get_attr: 04323 return sys_rsbac_get_attr(k_arg.get_attr.module, 04324 k_arg.get_attr.target, 04325 k_arg.get_attr.tid, 04326 k_arg.get_attr.attr, 04327 k_arg.get_attr.value, 04328 k_arg.get_attr.inherit); 04329 case RSYS_get_attr_n: 04330 return sys_rsbac_get_attr_n(k_arg.get_attr_n.module, 04331 k_arg.get_attr_n.target, 04332 k_arg.get_attr_n.t_name, 04333 k_arg.get_attr_n.attr, 04334 k_arg.get_attr_n.value, 04335 k_arg.get_attr_n.inherit); 04336 case RSYS_set_attr: 04337 return sys_rsbac_set_attr(k_arg.set_attr.module, 04338 k_arg.set_attr.target, 04339 k_arg.set_attr.tid, 04340 k_arg.set_attr.attr, 04341 k_arg.set_attr.value); 04342 case RSYS_set_attr_n: 04343 return sys_rsbac_set_attr_n(k_arg.set_attr_n.module, 04344 k_arg.set_attr_n.target, 04345 k_arg.set_attr_n.t_name, 04346 k_arg.set_attr_n.attr, 04347 k_arg.set_attr_n.value); 04348 case RSYS_remove_target: 04349 return sys_rsbac_remove_target(k_arg.remove_target.target, 04350 k_arg.remove_target.tid); 04351 case RSYS_remove_target_n: 04352 return sys_rsbac_remove_target_n(k_arg.remove_target_n.target, 04353 k_arg.remove_target_n.t_name); 04354 case RSYS_net_list_all_netdev: 04355 return sys_rsbac_net_list_all_netdev(k_arg.net_list_all_netdev.id_p, 04356 k_arg.net_list_all_netdev.maxnum); 04357 case RSYS_net_template: 04358 return sys_rsbac_net_template(k_arg.net_template.call, 04359 k_arg.net_template.id, 04360 k_arg.net_template.data_p); 04361 case RSYS_net_list_all_template: 04362 return sys_rsbac_net_list_all_template(k_arg.net_list_all_template.id_p, 04363 k_arg.net_list_all_template.maxnum); 04364 case RSYS_switch: 04365 return sys_rsbac_switch(k_arg.switch_module.target, 04366 k_arg.switch_module.value); 04367 case RSYS_adf_log_switch: 04368 return sys_rsbac_adf_log_switch(k_arg.adf_log_switch.request, 04369 k_arg.adf_log_switch.target, 04370 k_arg.adf_log_switch.value); 04371 case RSYS_get_adf_log: 04372 return sys_rsbac_get_adf_log(k_arg.get_adf_log.request, 04373 k_arg.get_adf_log.target, 04374 k_arg.get_adf_log.value_p); 04375 case RSYS_write: 04376 return sys_rsbac_write(); 04377 case RSYS_log: 04378 return sys_rsbac_log(k_arg.log.type, 04379 k_arg.log.buf, 04380 k_arg.log.len); 04381 case RSYS_mac_set_curr_level: 04382 return sys_rsbac_mac_set_curr_level(k_arg.mac_set_curr_level.level, 04383 k_arg.mac_set_curr_level.categories_p); 04384 case RSYS_mac_get_curr_level: 04385 return sys_rsbac_mac_get_curr_level(k_arg.mac_get_curr_level.level_p, 04386 k_arg.mac_get_curr_level.categories_p); 04387 case RSYS_mac_get_max_level: 04388 return sys_rsbac_mac_get_max_level(k_arg.mac_get_max_level.level_p, 04389 k_arg.mac_get_max_level.categories_p); 04390 case RSYS_mac_get_min_level: 04391 return sys_rsbac_mac_get_min_level(k_arg.mac_get_min_level.level_p, 04392 k_arg.mac_get_min_level.categories_p); 04393 case RSYS_mac_add_p_tru: 04394 return sys_rsbac_mac_add_p_tru(k_arg.mac_add_p_tru.pid, 04395 k_arg.mac_add_p_tru.uid, 04396 k_arg.mac_add_p_tru.ttl); 04397 case RSYS_mac_remove_p_tru: 04398 return sys_rsbac_mac_remove_p_tru(k_arg.mac_remove_p_tru.pid, 04399 k_arg.mac_add_p_tru.uid); 04400 case RSYS_mac_add_f_tru: 04401 return sys_rsbac_mac_add_f_tru(k_arg.mac_add_f_tru.filename, 04402 k_arg.mac_add_p_tru.uid, 04403 k_arg.mac_add_f_tru.ttl); 04404 case RSYS_mac_remove_f_tru: 04405 return sys_rsbac_mac_remove_f_tru(k_arg.mac_remove_f_tru.filename, 04406 k_arg.mac_add_p_tru.uid); 04407 case RSYS_mac_get_f_trulist: 04408 return sys_rsbac_mac_get_f_trulist(k_arg.mac_get_f_trulist.filename, 04409 k_arg.mac_get_f_trulist.trulist, 04410 k_arg.mac_get_f_trulist.ttllist, 04411 k_arg.mac_get_f_trulist.maxnum); 04412 case RSYS_mac_get_p_trulist: 04413 return sys_rsbac_mac_get_p_trulist(k_arg.mac_get_p_trulist.pid, 04414 k_arg.mac_get_p_trulist.trulist, 04415 k_arg.mac_get_p_trulist.ttllist, 04416 k_arg.mac_get_p_trulist.maxnum); 04417 case RSYS_stats_pm: 04418 return sys_rsbac_stats_pm(); 04419 case RSYS_pm: 04420 return sys_rsbac_pm(k_arg.pm.function, 04421 k_arg.pm.param_p, 04422 k_arg.pm.ticket); 04423 case RSYS_pm_change_current_task: 04424 return sys_rsbac_pm_change_current_task(k_arg.pm_change_current_task.task); 04425 case RSYS_pm_create_file: 04426 return sys_rsbac_pm_create_file(k_arg.pm_create_file.filename, 04427 k_arg.pm_create_file.mode, 04428 k_arg.pm_create_file.object_class); 04429 case RSYS_daz_flush_cache: 04430 return sys_rsbac_daz_flush_cache(); 04431 case RSYS_rc_copy_role: 04432 return sys_rsbac_rc_copy_role(k_arg.rc_copy_role.from_role, 04433 k_arg.rc_copy_role.to_role); 04434 case RSYS_rc_get_item: 04435 return sys_rsbac_rc_get_item(k_arg.rc_get_item.target, 04436 k_arg.rc_get_item.tid_p, 04437 k_arg.rc_get_item.subtid_p, 04438 k_arg.rc_get_item.item, 04439 k_arg.rc_get_item.value_p, 04440 k_arg.rc_get_item.ttl_p); 04441 case RSYS_rc_set_item: 04442 return sys_rsbac_rc_set_item(k_arg.rc_set_item.target, 04443 k_arg.rc_set_item.tid_p, 04444 k_arg.rc_set_item.subtid_p, 04445 k_arg.rc_set_item.item, 04446 k_arg.rc_set_item.value_p, 04447 k_arg.rc_set_item.ttl); 04448 case RSYS_rc_change_role: 04449 return sys_rsbac_rc_change_role(k_arg.rc_change_role.role); 04450 case RSYS_rc_get_eff_rights_n: 04451 return sys_rsbac_rc_get_eff_rights_n(k_arg.rc_get_eff_rights_n.target, 04452 k_arg.rc_get_eff_rights_n.t_name, 04453 k_arg.rc_get_eff_rights_n.request_vector_p, 04454 k_arg.rc_get_eff_rights_n.ttl_p); 04455 case RSYS_rc_get_list: 04456 return sys_rsbac_rc_get_list(k_arg.rc_get_list.target, 04457 k_arg.rc_get_list.tid_p, 04458 k_arg.rc_get_list.item, 04459 k_arg.rc_get_list.maxnum, 04460 k_arg.rc_get_list.array_p, 04461 k_arg.rc_get_list.ttl_array_p); 04462 case RSYS_rc_get_current_role: 04463 return sys_rsbac_rc_get_current_role(k_arg.rc_get_current_role.role_p); 04464 case RSYS_auth_add_p_cap: 04465 return sys_rsbac_auth_add_p_cap(k_arg.auth_add_p_cap.pid, 04466 k_arg.auth_add_p_cap.cap_type, 04467 k_arg.auth_add_p_cap.cap_range, 04468 k_arg.auth_add_p_cap.ttl); 04469 case RSYS_auth_remove_p_cap: 04470 return sys_rsbac_auth_remove_p_cap(k_arg.auth_remove_p_cap.pid, 04471 k_arg.auth_remove_p_cap.cap_type, 04472 k_arg.auth_remove_p_cap.cap_range); 04473 case RSYS_auth_add_f_cap: 04474 return sys_rsbac_auth_add_f_cap(k_arg.auth_add_f_cap.filename, 04475 k_arg.auth_add_f_cap.cap_type, 04476 k_arg.auth_add_f_cap.cap_range, 04477 k_arg.auth_add_f_cap.ttl); 04478 case RSYS_auth_remove_f_cap: 04479 return sys_rsbac_auth_remove_f_cap(k_arg.auth_remove_f_cap.filename, 04480 k_arg.auth_remove_f_cap.cap_type, 04481 k_arg.auth_remove_f_cap.cap_range); 04482 case RSYS_auth_get_f_caplist: 04483 return sys_rsbac_auth_get_f_caplist(k_arg.auth_get_f_caplist.filename, 04484 k_arg.auth_get_f_caplist.cap_type, 04485 k_arg.auth_get_f_caplist.caplist, 04486 k_arg.auth_get_f_caplist.ttllist, 04487 k_arg.auth_get_f_caplist.maxnum); 04488 case RSYS_auth_get_p_caplist: 04489 return sys_rsbac_auth_get_p_caplist(k_arg.auth_get_p_caplist.pid, 04490 k_arg.auth_get_p_caplist.cap_type, 04491 k_arg.auth_get_p_caplist.caplist, 04492 k_arg.auth_get_p_caplist.ttllist, 04493 k_arg.auth_get_p_caplist.maxnum); 04494 case RSYS_acl: 04495 return sys_rsbac_acl(k_arg.acl.call, 04496 k_arg.acl.arg); 04497 case RSYS_acl_n: 04498 return sys_rsbac_acl_n(k_arg.acl_n.call, 04499 k_arg.acl_n.arg); 04500 case RSYS_acl_get_rights: 04501 return sys_rsbac_acl_get_rights(k_arg.acl_get_rights.arg, 04502 k_arg.acl_get_rights.rights_p, 04503 k_arg.acl_get_rights.effective); 04504 case RSYS_acl_get_rights_n: 04505 return sys_rsbac_acl_get_rights_n(k_arg.acl_get_rights_n.arg, 04506 k_arg.acl_get_rights_n.rights_p, 04507 k_arg.acl_get_rights_n.effective); 04508 case RSYS_acl_get_tlist: 04509 return sys_rsbac_acl_get_tlist(k_arg.acl_get_tlist.target, 04510 k_arg.acl_get_tlist.tid, 04511 k_arg.acl_get_tlist.entry_array, 04512 k_arg.acl_get_tlist.ttl_array, 04513 k_arg.acl_get_tlist.maxnum); 04514 case RSYS_acl_get_tlist_n: 04515 return sys_rsbac_acl_get_tlist_n(k_arg.acl_get_tlist_n.target, 04516 k_arg.acl_get_tlist_n.t_name, 04517 k_arg.acl_get_tlist_n.entry_array, 04518 k_arg.acl_get_tlist_n.ttl_array, 04519 k_arg.acl_get_tlist_n.maxnum); 04520 case RSYS_acl_get_mask: 04521 return sys_rsbac_acl_get_mask(k_arg.acl_get_mask.target, 04522 k_arg.acl_get_mask.tid, 04523 k_arg.acl_get_mask.mask_p); 04524 case RSYS_acl_get_mask_n: 04525 return sys_rsbac_acl_get_mask_n(k_arg.acl_get_mask_n.target, 04526 k_arg.acl_get_mask_n.t_name, 04527 k_arg.acl_get_mask_n.mask_p); 04528 case RSYS_acl_group: 04529 return sys_rsbac_acl_group(k_arg.acl_group.call, 04530 k_arg.acl_group.arg_p); 04531 case RSYS_reg: 04532 return sys_rsbac_reg(k_arg.reg.handle, 04533 k_arg.reg.arg); 04534 case RSYS_jail: 04535 #ifdef CONFIG_RSBAC_JAIL 04536 return rsbac_jail_sys_jail(k_arg.jail.version, 04537 k_arg.jail.path, 04538 k_arg.jail.ip, 04539 k_arg.jail.flags, 04540 k_arg.jail.max_caps); 04541 #else 04542 return -RSBAC_EINVALIDMODULE; 04543 #endif 04544 04545 #if defined(CONFIG_RSBAC_INIT_DELAY) 04546 case RSYS_init: 04547 return sys_rsbac_init(k_arg.init.root_dev); 04548 #endif 04549 04550 default: 04551 return -RSBAC_EINVALIDREQUEST; 04552 } 04553 }; 04554 04555 04556 /* end of syscalls.c */

Generated on Tue Aug 31 10:05:26 2004 for RSBAC by doxygen 1.3.8