/daten/src/linux-2.4.27-rsbac-v1.2.3/rsbac/adf/mac/mac_syscalls.c

Go to the documentation of this file.
00001 /*************************************************** */ 00002 /* Rule Set Based Access Control */ 00003 /* Implementation of the Access Control Decision */ 00004 /* Facility (ADF) - Mandatory Access Control */ 00005 /* File: rsbac/adf/mac/syscalls.c */ 00006 /* */ 00007 /* Author and (c) 1999-2004: Amon Ott <ao@rsbac.org> */ 00008 /* */ 00009 /* Last modified: 14/Apr/2004 */ 00010 /*************************************************** */ 00011 00012 #include <linux/string.h> 00013 #include <rsbac/types.h> 00014 #include <rsbac/aci.h> 00015 #include <rsbac/mac.h> 00016 #include <rsbac/adf_main.h> 00017 #include <rsbac/error.h> 00018 #include <rsbac/helpers.h> 00019 #include <rsbac/getname.h> 00020 #include <rsbac/debug.h> 00021 #include <rsbac/rkmem.h> 00022 00023 /************************************************* */ 00024 /* Global Variables */ 00025 /************************************************* */ 00026 00027 /************************************************* */ 00028 /* Internal Help functions */ 00029 /************************************************* */ 00030 00031 static int 00032 mac_sys_check_role(enum rsbac_system_role_t role) 00033 { 00034 union rsbac_target_id_t i_tid; 00035 union rsbac_attribute_value_t i_attr_val1; 00036 00037 i_tid.user = current->uid; 00038 if (rsbac_get_attr(MAC, 00039 T_USER, 00040 i_tid, 00041 A_mac_role, 00042 &i_attr_val1, 00043 TRUE)) 00044 { 00045 rsbac_ds_get_error("mac_sys_check_role", A_mac_role); 00046 return -EPERM; 00047 } 00048 /* if correct role, then grant */ 00049 if (i_attr_val1.system_role == role) 00050 return 0; 00051 else 00052 return -EPERM; 00053 } 00054 00055 /************************************************* */ 00056 /* Externally visible functions */ 00057 /************************************************* */ 00058 00059 /*****************************************************************************/ 00060 /* This function allows processes to set their own current security level */ 00061 /* via sys_rsbac_mac_set_curr_seclevel() system call. */ 00062 /* The level must keep within the min_write_open/max_read_open-boundary and */ 00063 /* must not be greater than owner_sec_level. Setting current_sec_level by */ 00064 /* this function also turns off auto-levelling via mac_auto. */ 00065 00066 int rsbac_mac_set_curr_level(rsbac_security_level_t level, 00067 rsbac_mac_category_vector_t categories) 00068 { 00069 union rsbac_target_id_t tid; 00070 union rsbac_attribute_value_t attr_val1; 00071 rsbac_mac_process_flags_t flags; 00072 00073 if( (level > SL_max) 00074 && (level != SL_none) 00075 ) 00076 return -RSBAC_EINVALIDVALUE; 00077 00078 tid.process = current->pid; 00079 00080 #ifndef CONFIG_RSBAC_MAINT 00081 /* check flags */ 00082 if (rsbac_get_attr(MAC, 00083 T_PROCESS, 00084 tid, 00085 A_mac_process_flags, 00086 &attr_val1, 00087 FALSE)) 00088 { /* failed! */ 00089 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none); 00090 return(-RSBAC_EREADFAILED); 00091 } 00092 flags = attr_val1.mac_process_flags; 00093 if( !(flags & MAC_auto) 00094 && !(flags & MAC_trusted) 00095 && !(flags & MAC_override) 00096 ) 00097 { 00098 #ifdef CONFIG_RSBAC_RMSG 00099 rsbac_printk(KERN_INFO 00100 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: no auto, trusted or override -> not granted \n", 00101 current->uid, 00102 current->pid, 00103 current->comm); 00104 #endif 00105 #ifndef CONFIG_RSBAC_RMSG_EXCL 00106 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00107 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00108 if (!rsbac_nosyslog) 00109 #endif 00110 printk(KERN_INFO 00111 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: no auto, trusted or override -> not granted \n", 00112 current->uid, 00113 current->pid, 00114 current->comm); 00115 #endif 00116 #ifdef CONFIG_RSBAC_SOFTMODE 00117 if( !rsbac_softmode 00118 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00119 && !rsbac_ind_softmode[MAC] 00120 #endif 00121 ) 00122 #endif 00123 return -EPERM; 00124 } 00125 00126 /* override allows full range */ 00127 if(!(flags & MAC_override)) 00128 { 00129 if(level != SL_none) 00130 { 00131 /* get maximum security level */ 00132 tid.process = current->pid; 00133 if (rsbac_get_attr(MAC, 00134 T_PROCESS, 00135 tid, 00136 A_security_level, 00137 &attr_val1, 00138 FALSE)) 00139 { /* failed! */ 00140 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none); 00141 return(-RSBAC_EREADFAILED); 00142 } 00143 /* if level is too high -> error */ 00144 if (level > attr_val1.security_level) 00145 { 00146 #ifdef CONFIG_RSBAC_RMSG 00147 rsbac_printk(KERN_INFO 00148 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested level %u over max level %u, no override -> not granted \n", 00149 current->uid, 00150 current->pid, 00151 current->comm, 00152 level, 00153 attr_val1.security_level); 00154 #endif 00155 #ifndef CONFIG_RSBAC_RMSG_EXCL 00156 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00157 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00158 if (!rsbac_nosyslog) 00159 #endif 00160 printk(KERN_INFO 00161 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested level %u over max level %u, no override -> not granted \n", 00162 current->uid, 00163 current->pid, 00164 current->comm, 00165 level, 00166 attr_val1.security_level); 00167 #endif 00168 #ifdef CONFIG_RSBAC_SOFTMODE 00169 if( !rsbac_softmode 00170 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00171 && !rsbac_ind_softmode[MAC] 00172 #endif 00173 ) 00174 #endif 00175 return -EPERM; 00176 } 00177 /* get minimum security level */ 00178 tid.process = current->pid; 00179 if (rsbac_get_attr(MAC, 00180 T_PROCESS, 00181 tid, 00182 A_min_security_level, 00183 &attr_val1, 00184 FALSE)) 00185 { /* failed! */ 00186 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none); 00187 return(-RSBAC_EREADFAILED); 00188 } 00189 /* if level is too low -> error */ 00190 if (level < attr_val1.security_level) 00191 { 00192 #ifdef CONFIG_RSBAC_RMSG 00193 rsbac_printk(KERN_INFO 00194 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested level %u under min level %u, no override -> not granted \n", 00195 current->uid, 00196 current->pid, 00197 current->comm, 00198 level, 00199 attr_val1.security_level); 00200 #endif 00201 #ifndef CONFIG_RSBAC_RMSG_EXCL 00202 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00203 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00204 if (!rsbac_nosyslog) 00205 #endif 00206 printk(KERN_INFO 00207 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested level %u under min level %u, no override -> not granted \n", 00208 current->uid, 00209 current->pid, 00210 current->comm, 00211 level, 00212 attr_val1.security_level); 00213 #endif 00214 #ifdef CONFIG_RSBAC_SOFTMODE 00215 if( !rsbac_softmode 00216 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00217 && !rsbac_ind_softmode[MAC] 00218 #endif 00219 ) 00220 #endif 00221 return -EPERM; 00222 } 00223 00224 /* auto needed? -> stay inside boundaries */ 00225 if(!flags & MAC_trusted) 00226 { 00227 /* check against upper/write boundary */ 00228 if (rsbac_get_attr(MAC, 00229 T_PROCESS, 00230 tid, 00231 A_min_write_open, 00232 &attr_val1, 00233 FALSE)) 00234 { /* failed! */ 00235 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none); 00236 return(-RSBAC_EREADFAILED); 00237 } 00238 if (level > attr_val1.min_write_open) 00239 { 00240 #ifdef CONFIG_RSBAC_RMSG 00241 rsbac_printk(KERN_INFO 00242 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested level %u over min_write_open %u, no override or trusted -> not granted \n", 00243 current->uid, 00244 current->pid, 00245 current->comm, 00246 level, 00247 attr_val1.min_write_open); 00248 #endif 00249 #ifndef CONFIG_RSBAC_RMSG_EXCL 00250 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00251 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00252 if (!rsbac_nosyslog) 00253 #endif 00254 printk(KERN_INFO 00255 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested level %u over min_write_open %u, no override or trusted -> not granted \n", 00256 current->uid, 00257 current->pid, 00258 current->comm, 00259 level, 00260 attr_val1.min_write_open); 00261 #endif 00262 #ifdef CONFIG_RSBAC_SOFTMODE 00263 if( !rsbac_softmode 00264 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00265 && !rsbac_ind_softmode[MAC] 00266 #endif 00267 ) 00268 #endif 00269 return -EPERM; 00270 } 00271 00272 /* check against lower/read boundary */ 00273 if (rsbac_get_attr(MAC, 00274 T_PROCESS, 00275 tid, 00276 A_max_read_open, 00277 &attr_val1, 00278 FALSE)) 00279 { /* failed! */ 00280 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none); 00281 return(-RSBAC_EREADFAILED); 00282 } 00283 if (level < attr_val1.max_read_open) 00284 return(-EPERM); 00285 } 00286 } 00287 if(categories != RSBAC_MAC_MIN_CAT_VECTOR) 00288 { 00289 /* get maximum categories */ 00290 tid.process = current->pid; 00291 if (rsbac_get_attr(MAC, 00292 T_PROCESS, 00293 tid, 00294 A_mac_categories, 00295 &attr_val1, 00296 FALSE)) 00297 { /* failed! */ 00298 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none); 00299 return(-RSBAC_EREADFAILED); 00300 } 00301 /* if categories are no subset -> error */ 00302 if ((categories & attr_val1.mac_categories) != categories) 00303 { 00304 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00305 00306 if(tmp) 00307 { 00308 char * tmp2 = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00309 00310 if(tmp2) 00311 { 00312 #ifdef CONFIG_RSBAC_RMSG 00313 rsbac_printk(KERN_INFO 00314 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s over max categories %s, no override -> not granted \n", 00315 current->uid, 00316 current->pid, 00317 current->comm, 00318 u64tostrmac(tmp, categories), 00319 u64tostrmac(tmp2, attr_val1.mac_categories)); 00320 #endif 00321 #ifndef CONFIG_RSBAC_RMSG_EXCL 00322 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00323 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00324 if (!rsbac_nosyslog) 00325 #endif 00326 printk(KERN_INFO 00327 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s over max categories %s, no override -> not granted \n", 00328 current->uid, 00329 current->pid, 00330 current->comm, 00331 u64tostrmac(tmp, categories), 00332 u64tostrmac(tmp2, attr_val1.mac_categories)); 00333 #endif 00334 rsbac_kfree(tmp2); 00335 } 00336 rsbac_kfree(tmp); 00337 } 00338 #ifdef CONFIG_RSBAC_SOFTMODE 00339 if( !rsbac_softmode 00340 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00341 && !rsbac_ind_softmode[MAC] 00342 #endif 00343 ) 00344 #endif 00345 return -EPERM; 00346 } 00347 /* get minimum categories */ 00348 tid.process = current->pid; 00349 if (rsbac_get_attr(MAC, 00350 T_PROCESS, 00351 tid, 00352 A_mac_min_categories, 00353 &attr_val1, 00354 FALSE)) 00355 { /* failed! */ 00356 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none); 00357 return(-RSBAC_EREADFAILED); 00358 } 00359 /* if level is too low -> error */ 00360 if ((categories & attr_val1.mac_categories) != attr_val1.mac_categories) 00361 { 00362 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00363 00364 if(tmp) 00365 { 00366 char * tmp2 = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00367 00368 if(tmp2) 00369 { 00370 #ifdef CONFIG_RSBAC_RMSG 00371 rsbac_printk(KERN_INFO 00372 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s under min categories %s, no override -> not granted \n", 00373 current->uid, 00374 current->pid, 00375 current->comm, 00376 u64tostrmac(tmp, categories), 00377 u64tostrmac(tmp2, attr_val1.mac_categories)); 00378 #endif 00379 #ifndef CONFIG_RSBAC_RMSG_EXCL 00380 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00381 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00382 if (!rsbac_nosyslog) 00383 #endif 00384 printk(KERN_INFO 00385 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s under min categories %s, no override -> not granted \n", 00386 current->uid, 00387 current->pid, 00388 current->comm, 00389 u64tostrmac(tmp, categories), 00390 u64tostrmac(tmp2, attr_val1.mac_categories)); 00391 #endif 00392 rsbac_kfree(tmp2); 00393 } 00394 rsbac_kfree(tmp); 00395 } 00396 #ifdef CONFIG_RSBAC_SOFTMODE 00397 if( !rsbac_softmode 00398 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00399 && !rsbac_ind_softmode[MAC] 00400 #endif 00401 ) 00402 #endif 00403 return -EPERM; 00404 } 00405 00406 /* auto needed? -> stay inside boundaries */ 00407 if(!flags & MAC_trusted) 00408 { 00409 /* check against upper/write boundary */ 00410 if (rsbac_get_attr(MAC, 00411 T_PROCESS, 00412 tid, 00413 A_min_write_categories, 00414 &attr_val1, 00415 FALSE)) 00416 { /* failed! */ 00417 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none); 00418 return(-RSBAC_EREADFAILED); 00419 } 00420 if ((categories & attr_val1.mac_categories) != categories) 00421 { 00422 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00423 00424 if(tmp) 00425 { 00426 char * tmp2 = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00427 00428 if(tmp2) 00429 { 00430 #ifdef CONFIG_RSBAC_RMSG 00431 rsbac_printk(KERN_INFO 00432 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s over min_write categories %s, no override or trusted -> not granted \n", 00433 current->uid, 00434 current->pid, 00435 current->comm, 00436 u64tostrmac(tmp, categories), 00437 u64tostrmac(tmp2, attr_val1.mac_categories)); 00438 #endif 00439 #ifndef CONFIG_RSBAC_RMSG_EXCL 00440 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00441 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00442 if (!rsbac_nosyslog) 00443 #endif 00444 printk(KERN_INFO 00445 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s over min_write categories %s, no override or trusted -> not granted \n", 00446 current->uid, 00447 current->pid, 00448 current->comm, 00449 u64tostrmac(tmp, categories), 00450 u64tostrmac(tmp2, attr_val1.mac_categories)); 00451 #endif 00452 rsbac_kfree(tmp2); 00453 } 00454 rsbac_kfree(tmp); 00455 } 00456 #ifdef CONFIG_RSBAC_SOFTMODE 00457 if( !rsbac_softmode 00458 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00459 && !rsbac_ind_softmode[MAC] 00460 #endif 00461 ) 00462 #endif 00463 return -EPERM; 00464 } 00465 /* check against lower/read boundary */ 00466 if (rsbac_get_attr(MAC, 00467 T_PROCESS, 00468 tid, 00469 A_max_read_categories, 00470 &attr_val1, 00471 FALSE)) 00472 { /* failed! */ 00473 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none); 00474 return(-RSBAC_EREADFAILED); 00475 } 00476 if ((categories & attr_val1.mac_categories) != attr_val1.mac_categories) 00477 { 00478 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00479 00480 if(tmp) 00481 { 00482 char * tmp2 = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00483 00484 if(tmp2) 00485 { 00486 #ifdef CONFIG_RSBAC_RMSG 00487 rsbac_printk(KERN_INFO 00488 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s under max_read categories %s, no override or trusted -> not granted \n", 00489 current->uid, 00490 current->pid, 00491 current->comm, 00492 u64tostrmac(tmp, categories), 00493 u64tostrmac(tmp2, attr_val1.mac_categories)); 00494 #endif 00495 #ifndef CONFIG_RSBAC_RMSG_EXCL 00496 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00497 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00498 if (!rsbac_nosyslog) 00499 #endif 00500 printk(KERN_INFO 00501 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s under max_read categories %s, no override or trusted -> not granted \n", 00502 current->uid, 00503 current->pid, 00504 current->comm, 00505 u64tostrmac(tmp, categories), 00506 u64tostrmac(tmp2, attr_val1.mac_categories)); 00507 #endif 00508 rsbac_kfree(tmp2); 00509 } 00510 rsbac_kfree(tmp); 00511 } 00512 #ifdef CONFIG_RSBAC_SOFTMODE 00513 if( !rsbac_softmode 00514 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00515 && !rsbac_ind_softmode[MAC] 00516 #endif 00517 ) 00518 #endif 00519 return -EPERM; 00520 } 00521 } 00522 } 00523 } 00524 #endif /* ifndef CONFIG_RSBAC_MAINT */ 00525 00526 /* OK, checks passed: set values */ 00527 if(level != SL_none) 00528 { 00529 attr_val1.current_sec_level = level; 00530 if (rsbac_set_attr(MAC, 00531 T_PROCESS, 00532 tid, 00533 A_current_sec_level, 00534 attr_val1)) 00535 { /* failed! */ 00536 rsbac_ds_set_error("rsbac_mac_set_curr_level", A_none); 00537 return(-RSBAC_EWRITEFAILED); 00538 } 00539 } 00540 if(categories != RSBAC_MAC_MIN_CAT_VECTOR) 00541 { 00542 attr_val1.mac_categories = categories; 00543 if (rsbac_set_attr(MAC, 00544 T_PROCESS, 00545 tid, 00546 A_mac_curr_categories, 00547 attr_val1)) 00548 { /* failed! */ 00549 rsbac_ds_set_error("rsbac_mac_set_curr_level", A_none); 00550 return(-RSBAC_EWRITEFAILED); 00551 } 00552 } 00553 return(0); 00554 } 00555 00556 /* getting own levels as well - no restrictions */ 00557 int rsbac_mac_get_curr_level(rsbac_security_level_t * level_p, 00558 rsbac_mac_category_vector_t * categories_p) 00559 { 00560 union rsbac_target_id_t tid; 00561 union rsbac_attribute_value_t attr_val; 00562 00563 tid.process = current->pid; 00564 if(level_p) 00565 { 00566 if (rsbac_get_attr(MAC, 00567 T_PROCESS, 00568 tid, 00569 A_current_sec_level, 00570 &attr_val, 00571 FALSE)) 00572 { /* failed! */ 00573 rsbac_ds_get_error("rsbac_mac_get_curr_level", A_none); 00574 return(-RSBAC_EREADFAILED); 00575 } 00576 *level_p = attr_val.current_sec_level; 00577 } 00578 if(categories_p) 00579 { 00580 if (rsbac_get_attr(MAC, 00581 T_PROCESS, 00582 tid, 00583 A_mac_curr_categories, 00584 &attr_val, 00585 FALSE)) 00586 { /* failed! */ 00587 rsbac_ds_get_error("rsbac_mac_get_curr_level", A_none); 00588 return(-RSBAC_EREADFAILED); 00589 } 00590 *categories_p = attr_val.mac_categories; 00591 } 00592 return 0; 00593 } 00594 00595 int rsbac_mac_get_max_level(rsbac_security_level_t * level_p, 00596 rsbac_mac_category_vector_t * categories_p) 00597 { 00598 union rsbac_target_id_t tid; 00599 union rsbac_attribute_value_t attr_val; 00600 00601 tid.process = current->pid; 00602 if(level_p) 00603 { 00604 if (rsbac_get_attr(MAC, 00605 T_PROCESS, 00606 tid, 00607 A_security_level, 00608 &attr_val, 00609 FALSE)) 00610 { /* failed! */ 00611 rsbac_ds_get_error("rsbac_mac_get_max_level", A_none); 00612 return(-RSBAC_EREADFAILED); 00613 } 00614 *level_p = attr_val.security_level; 00615 } 00616 if(categories_p) 00617 { 00618 if (rsbac_get_attr(MAC, 00619 T_PROCESS, 00620 tid, 00621 A_mac_categories, 00622 &attr_val, 00623 FALSE)) 00624 { /* failed! */ 00625 rsbac_ds_get_error("rsbac_mac_get_max_level", A_none); 00626 return(-RSBAC_EREADFAILED); 00627 } 00628 *categories_p = attr_val.mac_categories; 00629 } 00630 return 0; 00631 } 00632 00633 00634 int rsbac_mac_get_min_level(rsbac_security_level_t * level_p, 00635 rsbac_mac_category_vector_t * categories_p) 00636 { 00637 union rsbac_target_id_t tid; 00638 union rsbac_attribute_value_t attr_val; 00639 00640 tid.process = current->pid; 00641 if(level_p) 00642 { 00643 if (rsbac_get_attr(MAC, 00644 T_PROCESS, 00645 tid, 00646 A_min_security_level, 00647 &attr_val, 00648 FALSE)) 00649 { /* failed! */ 00650 rsbac_ds_get_error("rsbac_mac_get_min_level", A_none); 00651 return(-RSBAC_EREADFAILED); 00652 } 00653 *level_p = attr_val.security_level; 00654 } 00655 if(categories_p) 00656 { 00657 if (rsbac_get_attr(MAC, 00658 T_PROCESS, 00659 tid, 00660 A_mac_min_categories, 00661 &attr_val, 00662 FALSE)) 00663 { /* failed! */ 00664 rsbac_ds_get_error("rsbac_mac_get_min_level", A_none); 00665 return(-RSBAC_EREADFAILED); 00666 } 00667 *categories_p = attr_val.mac_categories; 00668 } 00669 return 0; 00670 } 00671 00672 int rsbac_mac_add_p_tru(rsbac_pid_t pid, 00673 rsbac_uid_t uid, 00674 rsbac_time_t ttl) 00675 { 00676 /* check only in non-maint mode */ 00677 #if !defined(CONFIG_RSBAC_MAINT) 00678 #ifdef CONFIG_RSBAC_SWITCH 00679 if(rsbac_switch_mac) 00680 #endif 00681 { 00682 if(mac_sys_check_role(SR_security_officer)) 00683 { 00684 #ifdef CONFIG_RSBAC_RMSG 00685 rsbac_printk(KERN_INFO 00686 "rsbac_mac_add_p_tru(): adding MAC trusted user %u to process %u denied for process %u!\n", 00687 uid, 00688 pid, 00689 current->pid); 00690 #endif 00691 #ifndef CONFIG_RSBAC_RMSG_EXCL 00692 printk(KERN_INFO 00693 "rsbac_mac_add_p_tru(): adding MAC trusted user %u to process %u denied for process %u!\n", 00694 uid, 00695 pid, 00696 current->pid); 00697 #endif 00698 #ifdef CONFIG_RSBAC_SOFTMODE 00699 if( !rsbac_softmode 00700 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00701 && !rsbac_ind_softmode[MAC] 00702 #endif 00703 ) 00704 #endif 00705 return(-EPERM); 00706 } 00707 } 00708 #endif 00709 00710 /* OK, check passed. Add the truability. */ 00711 if(rsbac_mac_add_to_p_truset(pid, uid, ttl)) 00712 { 00713 #ifdef CONFIG_RSBAC_RMSG 00714 rsbac_printk(KERN_WARNING 00715 "rsbac_mac_add_p_tru(): rsbac_mac_add_to_p_truset() returned error!\n"); 00716 #endif 00717 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00718 if (!rsbac_nosyslog) 00719 #endif 00720 printk(KERN_WARNING 00721 "rsbac_mac_add_p_tru(): rsbac_mac_add_to_p_truset() returned error!\n"); 00722 return(-RSBAC_EWRITEFAILED); 00723 } 00724 return 0; 00725 } 00726 00727 int rsbac_mac_remove_p_tru(rsbac_pid_t pid, 00728 rsbac_uid_t uid) 00729 { 00730 /* check only in non-maint mode */ 00731 #if !defined(CONFIG_RSBAC_MAINT) 00732 #ifdef CONFIG_RSBAC_SWITCH 00733 if(rsbac_switch_mac) 00734 #endif 00735 { 00736 if(mac_sys_check_role(SR_security_officer)) 00737 { 00738 #ifdef CONFIG_RSBAC_RMSG 00739 rsbac_printk(KERN_INFO 00740 "rsbac_mac_remove_p_tru(): removing MAC trusted user %u from process %u denied for process %u!\n", 00741 uid, 00742 pid, 00743 current->pid); 00744 #endif 00745 #ifndef CONFIG_RSBAC_RMSG_EXCL 00746 printk(KERN_INFO 00747 "rsbac_mac_remove_p_tru(): removing MAC trusted user %u from process %u denied for process %u!\n", 00748 uid, 00749 pid, 00750 current->pid); 00751 #endif 00752 #ifdef CONFIG_RSBAC_SOFTMODE 00753 if( !rsbac_softmode 00754 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00755 && !rsbac_ind_softmode[MAC] 00756 #endif 00757 ) 00758 #endif 00759 return(-EPERM); 00760 } 00761 } 00762 #endif 00763 /* OK, check passed. Try to remove the trusted user */ 00764 return(rsbac_mac_remove_from_p_truset(pid, uid)); 00765 } 00766 00767 int rsbac_mac_add_f_tru(rsbac_mac_file_t file, 00768 rsbac_uid_t uid, 00769 rsbac_time_t ttl) 00770 { 00771 /* check only in non-maint mode */ 00772 #if !defined(CONFIG_RSBAC_MAINT) 00773 #ifdef CONFIG_RSBAC_SWITCH 00774 if(rsbac_switch_mac) 00775 #endif 00776 { 00777 if(mac_sys_check_role(SR_security_officer)) 00778 { 00779 #ifdef CONFIG_RSBAC_RMSG 00780 rsbac_printk(KERN_INFO 00781 "rsbac_mac_add_f_tru(): adding MAC trusted user %u to file %u on device %02u:%02u denied for process %u!\n", 00782 uid, 00783 file.inode, 00784 MAJOR(file.device), 00785 MINOR(file.device), 00786 current->pid); 00787 #endif 00788 #ifndef CONFIG_RSBAC_RMSG_EXCL 00789 printk(KERN_INFO 00790 "rsbac_mac_add_f_tru(): adding MAC trusted user %u to file %u on device %02u:%02u denied for process %u!\n", 00791 uid, 00792 file.inode, 00793 MAJOR(file.device), 00794 MINOR(file.device), 00795 current->pid); 00796 #endif 00797 #ifdef CONFIG_RSBAC_SOFTMODE 00798 if( !rsbac_softmode 00799 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00800 && !rsbac_ind_softmode[MAC] 00801 #endif 00802 ) 00803 #endif 00804 return(-EPERM); 00805 } 00806 } 00807 #endif 00808 00809 if(rsbac_mac_add_to_f_truset(file, uid, ttl)) 00810 { 00811 #ifdef CONFIG_RSBAC_RMSG 00812 rsbac_printk(KERN_WARNING 00813 "rsbac_mac_add_f_tru(): rsbac_mac_add_to_f_truset() returned error!\n"); 00814 #endif 00815 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00816 if (!rsbac_nosyslog) 00817 #endif 00818 printk(KERN_WARNING 00819 "rsbac_mac_add_f_tru(): rsbac_mac_add_to_f_truset() returned error!\n"); 00820 return(-RSBAC_EWRITEFAILED); 00821 } 00822 return 0; 00823 } 00824 00825 int rsbac_mac_remove_f_tru(rsbac_mac_file_t file, 00826 rsbac_uid_t uid) 00827 { 00828 /* check only in non-maint mode */ 00829 #if !defined(CONFIG_RSBAC_MAINT) 00830 #ifdef CONFIG_RSBAC_SWITCH 00831 if(rsbac_switch_mac) 00832 #endif 00833 { 00834 if(mac_sys_check_role(SR_security_officer)) 00835 { 00836 #ifdef CONFIG_RSBAC_RMSG 00837 rsbac_printk(KERN_INFO 00838 "rsbac_mac_remove_f_tru(): removing MAC trusted user %u from file %u on device %02u:%02u denied for process %u!\n", 00839 uid, 00840 file.inode, 00841 MAJOR(file.device), 00842 MINOR(file.device), 00843 current->pid); 00844 #endif 00845 #ifndef CONFIG_RSBAC_RMSG_EXCL 00846 printk(KERN_INFO 00847 "rsbac_mac_remove_f_tru(): removing MAC trusted user %u from file %u on device %02u:%02u denied for process %u!\n", 00848 uid, 00849 file.inode, 00850 MAJOR(file.device), 00851 MINOR(file.device), 00852 current->pid); 00853 #endif 00854 #ifdef CONFIG_RSBAC_SOFTMODE 00855 if( !rsbac_softmode 00856 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00857 && !rsbac_ind_softmode[MAC] 00858 #endif 00859 ) 00860 #endif 00861 return(-EPERM); 00862 } 00863 } 00864 #endif 00865 00866 return(rsbac_mac_remove_from_f_truset(file, uid)); 00867 } 00868 00869 00870 /* end of rsbac/adf/mac/syscalls.c */

Generated on Tue Aug 31 10:05:23 2004 for RSBAC by doxygen 1.3.8