00001
00002
00003
00004
00005
00006
00007
00008
00009
#include <linux/types.h>
00010
#include <linux/version.h>
00011
#include <linux/security.h>
00012
#include <linux/ptrace.h>
00013
#include <linux/fs.h>
00014
#include <linux/mount.h>
00015
#include <linux/namei.h>
00016
#include <net/sock.h>
00017
#include <rsbac/types.h>
00018
#include <rsbac/adf.h>
00019
#include <rsbac/aci.h>
00020
00021 static int rsbac_aef_ptrace(
struct task_struct * parent,
struct task_struct * child)
00022 {
00023
union rsbac_target_id_t rsbac_target_id;
00024
union rsbac_attribute_value_t rsbac_attribute_value;
00025
00026
#ifdef CONFIG_RSBAC_DEBUG
00027
if (rsbac_debug_aef)
00028 printk(KERN_DEBUG
"rsbac_aef_ptrace(): calling ADF\n");
00029
#endif
00030
rsbac_target_id.
process = child->pid;
00031 rsbac_attribute_value.trace_request = PTRACE_TRACEME;
00032
if (!
rsbac_adf_request(
R_TRACE,
00033 parent->pid,
00034
T_PROCESS,
00035 rsbac_target_id,
00036 A_trace_request,
00037 rsbac_attribute_value))
00038
return -EPERM;
00039
else
00040
return 0;
00041 }
00042
00043 static int rsbac_aef_statfs(
struct super_block * sb)
00044 {
00045
union rsbac_target_id_t rsbac_target_id;
00046
union rsbac_attribute_value_t rsbac_attribute_value;
00047
00048
#ifdef CONFIG_RSBAC_DEBUG
00049
if (rsbac_debug_aef)
00050 printk(KERN_DEBUG
"rsbac_aef_statfs(): calling ADF\n");
00051
#endif
00052
rsbac_target_id.dev.type =
D_block;
00053 rsbac_target_id.dev.id = sb->s_dev;
00054 rsbac_attribute_value.
dummy = 0;
00055
if (!
rsbac_adf_request(
R_GET_STATUS_DATA,
00056 current->pid,
00057
T_DEV,
00058 rsbac_target_id,
00059
A_none,
00060 rsbac_attribute_value))
00061
return -EPERM;
00062
else
00063
return 0;
00064 }
00065
00066 static int rsbac_aef_inode_follow_link(
struct dentry *dentry,
struct nameidata *nd)
00067 {
00068
union rsbac_target_id_t rsbac_target_id;
00069
union rsbac_attribute_value_t rsbac_attribute_value;
00070
00071
#ifdef CONFIG_RSBAC_DEBUG
00072
if (rsbac_debug_aef)
00073 printk(KERN_DEBUG
"rsbac_aef_inode_follow_link(): calling ADF\n");
00074
#endif
00075
rsbac_target_id.symlink.device = dentry->d_sb->s_dev;
00076 rsbac_target_id.symlink.inode = dentry->d_inode->i_ino;
00077 rsbac_target_id.symlink.dentry_p = dentry;
00078 rsbac_attribute_value.
dummy = 0;
00079
if (!
rsbac_adf_request(
R_SEARCH,
00080 current->pid,
00081
T_SYMLINK,
00082 rsbac_target_id,
00083
A_none,
00084 rsbac_attribute_value))
00085
return -EPERM;
00086
else
00087
return 0;
00088 }
00089
00090 static int rsbac_aef_inode_create(
struct inode *dir,
00091
struct dentry *dentry,
00092
int mode)
00093 {
00094
union rsbac_target_id_t rsbac_target_id;
00095
union rsbac_attribute_value_t rsbac_attribute_value;
00096
00097
#ifdef CONFIG_RSBAC_DEBUG
00098
if (rsbac_debug_aef)
00099 printk(KERN_DEBUG
"rsbac_aef_inode_create(): calling ADF\n");
00100
#endif
00101
rsbac_target_id.dir.device = dir->i_sb->s_dev;
00102 rsbac_target_id.dir.inode = dir->i_ino;
00103 rsbac_target_id.dir.dentry_p = dentry->d_parent;
00104 rsbac_attribute_value.create_data.target =
T_FILE;
00105 rsbac_attribute_value.create_data.dentry_p = dentry;
00106 rsbac_attribute_value.create_data.mode = mode;
00107 rsbac_attribute_value.create_data.device = RSBAC_ZERO_DEV;
00108
if (!
rsbac_adf_request(
R_CREATE,
00109 current->pid,
00110
T_DIR,
00111 rsbac_target_id,
00112 A_create_data,
00113 rsbac_attribute_value))
00114
return -EPERM;
00115
else
00116
return 0;
00117 }
00118
00119 static void rsbac_aef_inode_post_create(
struct inode *dir,
00120
struct dentry *dentry,
00121
int mode)
00122 {
00123
union rsbac_target_id_t rsbac_target_id;
00124
union rsbac_target_id_t rsbac_new_target_id;
00125
union rsbac_attribute_value_t rsbac_attribute_value;
00126
00127
#ifdef CONFIG_RSBAC_DEBUG
00128
if (rsbac_debug_aef)
00129 printk(KERN_DEBUG
"rsbac_aef_inode_post_create(): notifying ADF\n");
00130
#endif
00131
rsbac_target_id.dir.device = dir->i_sb->s_dev;
00132 rsbac_target_id.dir.inode = dir->i_ino;
00133 rsbac_target_id.dir.dentry_p = dentry->d_parent;
00134 rsbac_attribute_value.create_data.target =
T_FILE;
00135 rsbac_attribute_value.create_data.dentry_p = dentry;
00136 rsbac_attribute_value.create_data.mode = mode;
00137 rsbac_attribute_value.create_data.device = RSBAC_ZERO_DEV;
00138 rsbac_new_target_id.file.device = dentry->d_sb->s_dev;
00139 rsbac_new_target_id.file.inode = dentry->d_inode->i_ino;
00140 rsbac_new_target_id.file.dentry_p = dentry;
00141
if (
rsbac_adf_set_attr(
R_CREATE,
00142 current->pid,
00143
T_DIR,
00144 rsbac_target_id,
00145
T_FILE,
00146 rsbac_new_target_id,
00147 A_create_data,
00148 rsbac_attribute_value))
00149 {
00150 printk(KERN_WARNING
00151
"rsbac_aef_inode_post_create() [vfs_create() [open_namei() [filp_open() [do_open() [sys_open()]]]]]: rsbac_adf_set_attr() returned error");
00152 }
00153 }
00154
00155 static int rsbac_aef_inode_mknod(
struct inode *dir,
struct dentry *dentry,
00156
int mode, dev_t dev)
00157 {
00158
union rsbac_target_id_t rsbac_target_id;
00159
union rsbac_attribute_value_t rsbac_attribute_value;
00160
00161
#ifdef CONFIG_RSBAC_DEBUG
00162
if (rsbac_debug_aef)
00163 printk(KERN_DEBUG
"rsbac_aef_inode_mknod(): calling ADF\n");
00164
#endif
00165
rsbac_target_id.dir.device = dir->i_sb->s_dev;
00166 rsbac_target_id.dir.inode = dir->i_ino;
00167 rsbac_target_id.dir.dentry_p = dentry->d_parent;
00168 rsbac_attribute_value.create_data.target =
T_FILE;
00169 rsbac_attribute_value.create_data.dentry_p = dentry;
00170 rsbac_attribute_value.create_data.mode = mode;
00171 rsbac_attribute_value.create_data.device = dev;
00172
if (!
rsbac_adf_request(
R_CREATE,
00173 current->pid,
00174
T_DIR,
00175 rsbac_target_id,
00176 A_create_data,
00177 rsbac_attribute_value))
00178
return -EPERM;
00179
else
00180
return 0;
00181 }
00182
00183 static void rsbac_aef_inode_post_mknod(
struct inode *dir,
struct dentry *dentry,
00184
int mode, dev_t dev)
00185 {
00186
union rsbac_target_id_t rsbac_target_id;
00187
union rsbac_target_id_t rsbac_new_target_id;
00188
union rsbac_attribute_value_t rsbac_attribute_value;
00189
00190
#ifdef CONFIG_RSBAC_DEBUG
00191
if (rsbac_debug_aef)
00192 printk(KERN_DEBUG
"rsbac_aef_inode_post_mknod(): notifying ADF\n");
00193
#endif
00194
rsbac_target_id.dir.device = dir->i_sb->s_dev;
00195 rsbac_target_id.dir.inode = dir->i_ino;
00196 rsbac_target_id.dir.dentry_p = dentry->d_parent;
00197 rsbac_attribute_value.create_data.target =
T_FILE;
00198 rsbac_attribute_value.create_data.dentry_p = dentry;
00199 rsbac_attribute_value.create_data.mode = mode;
00200 rsbac_attribute_value.create_data.device = dev;
00201 rsbac_new_target_id.file.device = dentry->d_sb->s_dev;
00202 rsbac_new_target_id.file.inode = dentry->d_inode->i_ino;
00203 rsbac_new_target_id.file.dentry_p = dentry;
00204
if (
rsbac_adf_set_attr(
R_CREATE,
00205 current->pid,
00206
T_DIR,
00207 rsbac_target_id,
00208
T_FILE,
00209 rsbac_new_target_id,
00210 A_create_data,
00211 rsbac_attribute_value))
00212 {
00213 printk(KERN_WARNING
00214
"rsbac_aef_inode_post_mknod() [vfs_mknod() [sys_mknod()]: rsbac_adf_set_attr() returned error");
00215 }
00216 }
00217
00218 static int rsbac_aef_inode_mkdir(
struct inode *dir,
00219
struct dentry *dentry,
00220
int mode)
00221 {
00222
union rsbac_target_id_t rsbac_target_id;
00223
union rsbac_attribute_value_t rsbac_attribute_value;
00224
00225
#ifdef CONFIG_RSBAC_DEBUG
00226
if (rsbac_debug_aef)
00227 printk(KERN_DEBUG
"rsbac_aef_inode_mkdir(): calling ADF\n");
00228
#endif
00229
rsbac_target_id.dir.device = dir->i_sb->s_dev;
00230 rsbac_target_id.dir.inode = dir->i_ino;
00231 rsbac_target_id.dir.dentry_p = dentry->d_parent;
00232 rsbac_attribute_value.create_data.target =
T_FILE;
00233 rsbac_attribute_value.create_data.dentry_p = dentry;
00234 rsbac_attribute_value.create_data.mode = mode;
00235 rsbac_attribute_value.create_data.device = RSBAC_ZERO_DEV;
00236
if (!
rsbac_adf_request(
R_CREATE,
00237 current->pid,
00238
T_DIR,
00239 rsbac_target_id,
00240 A_create_data,
00241 rsbac_attribute_value))
00242
return -EPERM;
00243
else
00244
return 0;
00245 }
00246
00247 static void rsbac_aef_inode_post_mkdir(
struct inode *dir,
00248
struct dentry *dentry,
00249
int mode)
00250 {
00251
union rsbac_target_id_t rsbac_target_id;
00252
union rsbac_target_id_t rsbac_new_target_id;
00253
union rsbac_attribute_value_t rsbac_attribute_value;
00254
00255
#ifdef CONFIG_RSBAC_DEBUG
00256
if (rsbac_debug_aef)
00257 printk(KERN_DEBUG
"rsbac_aef_inode_post_mkdir(): notifying ADF\n");
00258
#endif
00259
rsbac_target_id.dir.device = dir->i_sb->s_dev;
00260 rsbac_target_id.dir.inode = dir->i_ino;
00261 rsbac_target_id.dir.dentry_p = dentry->d_parent;
00262 rsbac_attribute_value.create_data.target =
T_FILE;
00263 rsbac_attribute_value.create_data.dentry_p = dentry;
00264 rsbac_attribute_value.create_data.mode = mode;
00265 rsbac_attribute_value.create_data.device = RSBAC_ZERO_DEV;
00266 rsbac_new_target_id.file.device = dentry->d_sb->s_dev;
00267 rsbac_new_target_id.file.inode = dentry->d_inode->i_ino;
00268 rsbac_new_target_id.file.dentry_p = dentry;
00269
if (
rsbac_adf_set_attr(
R_CREATE,
00270 current->pid,
00271
T_DIR,
00272 rsbac_target_id,
00273
T_FILE,
00274 rsbac_new_target_id,
00275 A_create_data,
00276 rsbac_attribute_value))
00277 {
00278 printk(KERN_WARNING
00279
"rsbac_aef_inode_post_mkdir() [vfs_mkdir() [open_namei() [filp_open() [do_open() [sys_open()]]]]]: rsbac_adf_set_attr() returned error");
00280 }
00281 }
00282
00283 static int rsbac_aef_inode_symlink(
struct inode *dir,
00284
struct dentry *dentry,
00285
const char *old_name)
00286 {
00287
union rsbac_target_id_t rsbac_target_id;
00288
union rsbac_attribute_value_t rsbac_attribute_value;
00289
00290
#ifdef CONFIG_RSBAC_DEBUG
00291
if (rsbac_debug_aef)
00292 printk(KERN_DEBUG
"rsbac_aef_inode_symlink(): calling ADF\n");
00293
#endif
00294
rsbac_target_id.dir.device = dir->i_sb->s_dev;
00295 rsbac_target_id.dir.inode = dir->i_ino;
00296 rsbac_target_id.dir.dentry_p = dentry->d_parent;
00297 rsbac_attribute_value.create_data.target =
T_SYMLINK;
00298 rsbac_attribute_value.create_data.dentry_p = dentry;
00299 rsbac_attribute_value.create_data.mode = 0;
00300 rsbac_attribute_value.create_data.device = RSBAC_ZERO_DEV;
00301
if (!
rsbac_adf_request(
R_CREATE,
00302 current->pid,
00303
T_DIR,
00304 rsbac_target_id,
00305 A_create_data,
00306 rsbac_attribute_value))
00307
return -EPERM;
00308
else
00309
return 0;
00310 }
00311
00312 static void rsbac_aef_inode_post_symlink(
struct inode *dir,
00313
struct dentry *dentry,
00314
const char *old_name)
00315 {
00316
union rsbac_target_id_t rsbac_target_id;
00317
union rsbac_target_id_t rsbac_new_target_id;
00318
union rsbac_attribute_value_t rsbac_attribute_value;
00319
00320
#ifdef CONFIG_RSBAC_DEBUG
00321
if (rsbac_debug_aef)
00322 printk(KERN_DEBUG
"rsbac_aef_inode_post_symlink(): notifying ADF\n");
00323
#endif
00324
rsbac_target_id.dir.device = dir->i_sb->s_dev;
00325 rsbac_target_id.dir.inode = dir->i_ino;
00326 rsbac_target_id.dir.dentry_p = dentry->d_parent;
00327 rsbac_attribute_value.create_data.target =
T_FILE;
00328 rsbac_attribute_value.create_data.dentry_p = dentry;
00329 rsbac_attribute_value.create_data.mode = 0;
00330 rsbac_attribute_value.create_data.device = RSBAC_ZERO_DEV;
00331 rsbac_new_target_id.file.device = dentry->d_sb->s_dev;
00332 rsbac_new_target_id.file.inode = dentry->d_inode->i_ino;
00333 rsbac_new_target_id.file.dentry_p = dentry;
00334
if (
rsbac_adf_set_attr(
R_CREATE,
00335 current->pid,
00336
T_DIR,
00337 rsbac_target_id,
00338
T_SYMLINK,
00339 rsbac_new_target_id,
00340 A_create_data,
00341 rsbac_attribute_value))
00342 {
00343 printk(KERN_WARNING
00344
"rsbac_aef_inode_post_symlink() [vfs_symlink() [open_namei() [filp_open() [do_open() [sys_open()]]]]]: rsbac_adf_set_attr() returned error");
00345 }
00346 }
00347
00348 static int rsbac_aef_inode_link(
struct dentry *old_dentry,
00349
struct inode *dir,
00350
struct dentry *new_dentry)
00351 {
00352
enum rsbac_target_t rsbac_target;
00353
union rsbac_target_id_t rsbac_target_id;
00354
union rsbac_attribute_value_t rsbac_attribute_value;
00355
00356
#ifdef CONFIG_RSBAC_DEBUG
00357
if (rsbac_debug_aef)
00358 printk(KERN_DEBUG
"rsbac_aef_inode_link(): calling ADF\n");
00359
#endif
00360
rsbac_target =
T_FILE;
00361
if (S_ISDIR (old_dentry->d_inode->i_mode))
00362 rsbac_target =
T_DIR;
00363
else if (S_ISFIFO (old_dentry->d_inode->i_mode))
00364 rsbac_target =
T_FIFO;
00365
else if (S_ISLNK (old_dentry->d_inode->i_mode))
00366 rsbac_target =
T_SYMLINK;
00367 rsbac_target_id.dir.device = old_dentry->d_sb->s_dev;
00368 rsbac_target_id.dir.inode = old_dentry->d_inode->i_ino;
00369 rsbac_target_id.dir.dentry_p = old_dentry;
00370 rsbac_attribute_value.
dummy = 0;
00371
if (!
rsbac_adf_request(
R_LINK_HARD,
00372 current->pid,
00373 rsbac_target,
00374 rsbac_target_id,
00375
A_none,
00376 rsbac_attribute_value))
00377
return -EPERM;
00378
else
00379
return 0;
00380 }
00381
00382 static int rsbac_aef_inode_rename(
struct inode *old_dir,
struct dentry *old_dentry,
00383
struct inode *new_dir,
struct dentry *new_dentry)
00384 {
00385
enum rsbac_target_t rsbac_target;
00386
union rsbac_target_id_t rsbac_target_id;
00387
union rsbac_attribute_value_t rsbac_attribute_value;
00388
00389
#ifdef CONFIG_RSBAC_DEBUG
00390
if (rsbac_debug_aef)
00391 printk(KERN_DEBUG
"rsbac_aef_inode_rename(): calling ADF\n");
00392
#endif
00393
rsbac_target =
T_FILE;
00394
if (S_ISDIR(old_dentry->d_inode->i_mode))
00395 rsbac_target =
T_DIR;
00396
else if (S_ISFIFO (old_dentry->d_inode->i_mode))
00397 rsbac_target =
T_FIFO;
00398
else if (S_ISLNK (old_dentry->d_inode->i_mode))
00399 rsbac_target =
T_SYMLINK;
00400 rsbac_target_id.file.device = old_dentry->d_sb->s_dev;
00401 rsbac_target_id.file.inode = old_dentry->d_inode->i_ino;
00402 rsbac_target_id.file.dentry_p = old_dentry;
00403 rsbac_attribute_value.new_dir_dentry_p = new_dentry->d_parent;
00404
if (!
rsbac_adf_request(
R_RENAME,
00405 current->pid,
00406 rsbac_target,
00407 rsbac_target_id,
00408 A_new_dir_dentry_p,
00409 rsbac_attribute_value))
00410
return -EPERM;
00411
00412
#ifdef CONFIG_RSBAC_DEBUG
00413
if (rsbac_debug_aef)
00414 printk(KERN_DEBUG
"rsbac_aef_inode_rename(): calling ADF for WRITE on new dir\n");
00415
#endif
00416
rsbac_target_id.dir.device = new_dir->i_sb->s_dev;
00417 rsbac_target_id.dir.inode = new_dir->i_ino;
00418 rsbac_target_id.dir.dentry_p = new_dentry->d_parent;
00419 rsbac_attribute_value.
dummy = 0;
00420
if (!
rsbac_adf_request(
R_WRITE,
00421 current->pid,
00422
T_DIR,
00423 rsbac_target_id,
00424
A_none,
00425 rsbac_attribute_value))
00426
return -EPERM;
00427
00428
return 0;
00429 }
00430
00431 static int rsbac_aef_sb_umount(
struct vfsmount * mnt,
int flags)
00432 {
00433
struct super_block * sb = mnt->mnt_sb;
00434
union rsbac_target_id_t rsbac_target_id;
00435
union rsbac_attribute_value_t rsbac_attribute_value;
00436
00437
#ifdef CONFIG_RSBAC_DEBUG
00438
if (rsbac_debug_aef)
00439 printk(KERN_DEBUG
"rsbac_aef_sb_umount(): calling ADF for DIR\n");
00440
#endif
00441
rsbac_target_id.dir.device = sb->s_dev;
00442 rsbac_target_id.dir.inode = sb->s_root->d_inode->i_ino;
00443 rsbac_target_id.dir.dentry_p = sb->s_root;
00444 rsbac_attribute_value.
dummy = 0;
00445
if (!
rsbac_adf_request(
R_UMOUNT,
00446 current->pid,
00447
T_DIR,
00448 rsbac_target_id,
00449
A_none,
00450 rsbac_attribute_value))
00451
return -EPERM;
00452
00453
#ifdef CONFIG_RSBAC_DEBUG
00454
if (rsbac_debug_aef)
00455 printk(KERN_DEBUG
"rsbac_aef_sb_umount(): calling ADF for DEV\n");
00456
#endif
00457
rsbac_target_id.dev.type =
D_block;
00458 rsbac_target_id.dev.id = sb->s_dev;
00459 rsbac_attribute_value.
dummy = 0;
00460
if (!
rsbac_adf_request(
R_UMOUNT,
00461 current->pid,
00462
T_DEV,
00463 rsbac_target_id,
00464
A_none,
00465 rsbac_attribute_value))
00466
return -EPERM;
00467
00468
if (! (mnt == current->fs->rootmnt && !(flags & MNT_DETACH)) )
00469 {
00470
#ifdef CONFIG_RSBAC_DEBUG
00471
if (rsbac_debug_ds)
00472 printk(KERN_DEBUG
"rsbac_aef_sb_umount(): calling rsbac_umount for Device %02u:%02u\n",
00473 MAJOR(sb->s_dev), MINOR(sb->s_dev));
00474
#endif
00475
rsbac_umount(sb, mnt->mnt_mountpoint);
00476 }
00477
return 0;
00478 }
00479
00480 static void rsbac_aef_sb_umount_busy(
struct vfsmount * mnt)
00481 {
00482
00483
#ifdef CONFIG_RSBAC_DEBUG
00484
if (rsbac_debug_ds)
00485 printk(KERN_DEBUG
00486
"rsbac_aef_sb_umount_busy: umount failed, calling rsbac_mount for Device %02u:%02u\n",
00487 MAJOR(mnt->mnt_sb->s_dev), MINOR(mnt->mnt_sb->s_dev));
00488
#endif
00489
rsbac_mount(mnt->mnt_sb, mnt->mnt_mountpoint);
00490 }
00491
00492 static void rsbac_aef_sb_post_addmount(
struct vfsmount * mnt,
00493
struct nameidata * mountpoint_nd)
00494 {
00495
00496
#ifdef CONFIG_RSBAC_DEBUG
00497
if (rsbac_debug_ds)
00498 printk(KERN_DEBUG
00499
"rsbac_aef_sb_post_addmount: calling rsbac_mount for Device %02u:%02u\n",
00500 MAJOR(mnt->mnt_sb->s_dev), MINOR(mnt->mnt_sb->s_dev));
00501
#endif
00502
rsbac_mount(mnt->mnt_sb, mnt->mnt_mountpoint);
00503 }
00504
00505 static int rsbac_aef_sb_mount(
char *dev_name,
struct nameidata * nd,
00506
char *type,
unsigned long flags,
void *data)
00507 {
00508
struct super_block * sb = nd->mnt->mnt_sb;
00509
union rsbac_target_id_t rsbac_target_id;
00510
union rsbac_attribute_value_t rsbac_attribute_value;
00511
00512
#ifdef CONFIG_RSBAC_DEBUG
00513
if (rsbac_debug_aef)
00514 printk(KERN_DEBUG
"rsbac_aef_sb_mount(): calling ADF for DIR\n");
00515
#endif
00516
rsbac_target_id.dir.device = sb->s_dev;
00517 rsbac_target_id.dir.inode = sb->s_root->d_inode->i_ino;
00518 rsbac_target_id.dir.dentry_p = sb->s_root;
00519 rsbac_attribute_value.
dummy = 0;
00520
if (!
rsbac_adf_request(
R_MOUNT,
00521 current->pid,
00522
T_DIR,
00523 rsbac_target_id,
00524
A_none,
00525 rsbac_attribute_value))
00526
return -EPERM;
00527
00528
#ifdef CONFIG_RSBAC_DEBUG
00529
if (rsbac_debug_aef)
00530 printk(KERN_DEBUG
"rsbac_aef_sb_mount(): calling ADF for DEV\n");
00531
#endif
00532
rsbac_target_id.dev.type =
D_block;
00533 rsbac_target_id.dev.id = sb->s_dev;
00534 rsbac_attribute_value.
dummy = 0;
00535
if (!
rsbac_adf_request(
R_MOUNT,
00536 current->pid,
00537
T_DEV,
00538 rsbac_target_id,
00539
A_none,
00540 rsbac_attribute_value))
00541
return -EPERM;
00542
return 0;
00543 }
00544
00545 static int rsbac_aef_sb_pivotroot(
struct nameidata * old_nd,
00546
struct nameidata * new_nd)
00547 {
00548
union rsbac_target_id_t rsbac_target_id;
00549
union rsbac_attribute_value_t rsbac_attribute_value;
00550
00551
#ifdef CONFIG_RSBAC_DEBUG
00552
if (rsbac_debug_aef)
00553 printk(KERN_DEBUG
"rsbac_aef_sb_pivotroot(): calling ADF for MOUNT on put_old\n");
00554
#endif
00555
rsbac_target_id.dir.device = old_nd->dentry->d_sb->s_dev;
00556 rsbac_target_id.dir.inode = old_nd->dentry->d_inode->i_ino;
00557 rsbac_target_id.dir.dentry_p = old_nd->dentry;
00558 rsbac_attribute_value.
dummy = 0;
00559
if (!
rsbac_adf_request(
R_MOUNT,
00560 current->pid,
00561
T_DIR,
00562 rsbac_target_id,
00563
A_none,
00564 rsbac_attribute_value))
00565
return -EPERM;
00566
00567
#ifdef CONFIG_RSBAC_DEBUG
00568
if (rsbac_debug_aef)
00569 printk(KERN_DEBUG
"rsbac_aef_sb_pivotroot(): calling ADF for MOUNT on root DIR\n");
00570
#endif
00571
rsbac_target_id.dir.device = current->fs->rootmnt->mnt_sb->s_dev;
00572 rsbac_target_id.dir.inode = current->fs->root->d_inode->i_ino;
00573 rsbac_target_id.dir.dentry_p = current->fs->root;
00574 rsbac_attribute_value.
dummy = 0;
00575
if (!
rsbac_adf_request(
R_MOUNT,
00576 current->pid,
00577
T_DIR,
00578 rsbac_target_id,
00579
A_none,
00580 rsbac_attribute_value))
00581
return -EPERM;
00582
00583
return 0;
00584 }
00585
00586 static int rsbac_aef_inode_getattr(
struct vfsmount *mnt,
struct dentry *dentry)
00587 {
00588
enum rsbac_target_t rsbac_target;
00589
union rsbac_target_id_t rsbac_target_id;
00590
union rsbac_attribute_value_t rsbac_attribute_value;
00591
00592
#ifdef CONFIG_RSBAC_DEBUG
00593
if (rsbac_debug_aef)
00594 printk(KERN_DEBUG
"rsbac_aef_inode_getattr(): calling ADF\n");
00595
#endif
00596
rsbac_target =
T_FILE;
00597
if (S_ISDIR (dentry->d_inode->i_mode))
00598 rsbac_target =
T_DIR;
00599
else if (S_ISFIFO (dentry->d_inode->i_mode))
00600 rsbac_target =
T_FIFO;
00601
else if (S_ISLNK (dentry->d_inode->i_mode))
00602 rsbac_target =
T_SYMLINK;
00603 rsbac_target_id.dir.device = dentry->d_sb->s_dev;
00604 rsbac_target_id.dir.inode = dentry->d_inode->i_ino;
00605 rsbac_target_id.dir.dentry_p = dentry;
00606 rsbac_attribute_value.
dummy = 0;
00607
if (!
rsbac_adf_request(
R_GET_STATUS_DATA,
00608 current->pid,
00609 rsbac_target,
00610 rsbac_target_id,
00611
A_none,
00612 rsbac_attribute_value))
00613
return -EPERM;
00614
else
00615
return 0;
00616 }
00617
00618 static int rsbac_aef_inode_readlink(
struct dentry *dentry)
00619 {
00620
union rsbac_target_id_t rsbac_target_id;
00621
union rsbac_attribute_value_t rsbac_attribute_value;
00622
00623
#ifdef CONFIG_RSBAC_DEBUG
00624
if (rsbac_debug_aef)
00625 printk(KERN_DEBUG
"rsbac_aef_inode_readlink(): calling ADF\n");
00626
#endif
00627
rsbac_target_id.dir.device = dentry->d_sb->s_dev;
00628 rsbac_target_id.dir.inode = dentry->d_inode->i_ino;
00629 rsbac_target_id.dir.dentry_p = dentry;
00630 rsbac_attribute_value.
dummy = 0;
00631
if (!
rsbac_adf_request(
R_GET_STATUS_DATA,
00632 current->pid,
00633
T_SYMLINK,
00634 rsbac_target_id,
00635
A_none,
00636 rsbac_attribute_value))
00637
return -EPERM;
00638
else
00639
return 0;
00640 }
00641
00642 static int rsbac_aef_file_permission(
struct file * file,
int mask)
00643 {
00644
enum rsbac_adf_request_t rsbac_request;
00645
enum rsbac_target_t rsbac_target =
T_NONE;
00646
union rsbac_target_id_t rsbac_target_id;
00647
union rsbac_attribute_value_t rsbac_attribute_value;
00648
00649
#ifdef CONFIG_RSBAC_DEBUG
00650
if (rsbac_debug_aef)
00651 printk(KERN_DEBUG
"rsbac_aef_file_permission(): calling ADF\n");
00652
#endif
00653
if(mask & MAY_WRITE)
00654 rsbac_request =
R_WRITE;
00655
else
00656 rsbac_request =
R_READ;
00657
#ifdef CONFIG_RSBAC_NET_OBJ_RW
00658
if(S_ISSOCK(file->f_dentry->d_inode->i_mode))
00659 {
00660
#if !defined(CONFIG_RSBAC_NET_OBJ_UNIX)
00661
if( file->f_dentry->d_inode->u.socket_i.ops
00662 && (file->f_dentry->d_inode->u.socket_i.ops->family != AF_UNIX)
00663 )
00664
#endif
00665
{
00666 rsbac_target =
T_NETOBJ;
00667 rsbac_target_id.
netobj.
sock_p
00668 = SOCKET_I(file->f_dentry->d_inode);
00669 rsbac_target_id.
netobj.
local_addr =
NULL;
00670 rsbac_target_id.
netobj.
local_len = 0;
00671 rsbac_target_id.
netobj.
remote_addr =
NULL;
00672 rsbac_target_id.
netobj.
remote_len = 0;
00673 }
00674 }
00675
else
00676
#endif
00677
#ifdef CONFIG_RSBAC_RW
00678
if( S_ISFIFO(file->f_dentry->d_inode->i_mode)
00679
00680 && (file->f_dentry->d_sb->s_magic != PIPEFS_MAGIC)
00681 )
00682 {
00683 rsbac_target =
T_FIFO;
00684 rsbac_target_id.file.device = file->f_dentry->d_sb->s_dev;
00685 rsbac_target_id.fifo.inode = file->f_dentry->d_inode->i_ino;
00686 rsbac_target_id.fifo.dentry_p = file->f_dentry;
00687 }
00688
else
00689
if(S_ISREG(file->f_dentry->d_inode->i_mode))
00690 {
00691 rsbac_target =
T_FILE;
00692 rsbac_target_id.file.device = file->f_dentry->d_sb->s_dev;
00693 rsbac_target_id.file.inode = file->f_dentry->d_inode->i_ino;
00694 rsbac_target_id.file.dentry_p = file->f_dentry;
00695 }
00696
else
00697
if(S_ISBLK(file->f_dentry->d_inode->i_mode))
00698 {
00699 rsbac_target =
T_DEV;
00700 rsbac_target_id.dev.type =
D_block;
00701 rsbac_target_id.dev.id = file->f_dentry->d_inode->i_rdev;
00702 }
00703
else
00704
if(S_ISCHR(file->f_dentry->d_inode->i_mode))
00705 {
00706 rsbac_target =
T_DEV;
00707 rsbac_target_id.dev.type =
D_char;
00708 rsbac_target_id.dev.id = file->f_dentry->d_inode->i_rdev;
00709 }
00710
else
00711
#endif
00712
if(S_ISDIR(file->f_dentry->d_inode->i_mode))
00713 {
00714 rsbac_target =
T_DIR;
00715 rsbac_target_id.dir.device = file->f_dentry->d_sb->s_dev;
00716 rsbac_target_id.dir.inode = file->f_dentry->d_inode->i_ino;
00717 rsbac_target_id.dir.dentry_p = file->f_dentry;
00718 }
00719 rsbac_attribute_value.
dummy = 0;
00720
if ( (rsbac_target !=
T_NONE)
00721 && !
rsbac_adf_request(rsbac_request,
00722 current->pid,
00723 rsbac_target,
00724 rsbac_target_id,
00725
A_none,
00726 rsbac_attribute_value))
00727
return -EPERM;
00728
else
00729
return 0;
00730 }
00731
00732 static int rsbac_aef_task_setgid(gid_t id0, gid_t id1, gid_t id2,
int flags)
00733 {
00734
union rsbac_target_id_t rsbac_target_id;
00735
union rsbac_attribute_value_t rsbac_attribute_value;
00736
00737
#ifdef CONFIG_RSBAC_DEBUG
00738
if (rsbac_debug_aef)
00739 printk(KERN_DEBUG
"rsbac_aef_task_setgid(): calling ADF\n");
00740
#endif
00741
rsbac_target_id.
process = current->pid;
00742
switch(flags)
00743 {
00744
case LSM_SETID_RE:
00745
case LSM_SETID_ID:
00746
case LSM_SETID_RES:
00747
if(id0 != (gid_t) -1)
00748 {
00749 rsbac_attribute_value.group = id0;
00750
if (!
rsbac_adf_request(
R_CHANGE_GROUP,
00751 current->pid,
00752
T_PROCESS,
00753 rsbac_target_id,
00754 A_group,
00755 rsbac_attribute_value))
00756
return -EPERM;
00757 }
00758
break;
00759
case LSM_SETID_FS:
00760
break;
00761
00762
default:
00763 printk(KERN_WARNING
"rsbac_aef_task_setgid(): called with unknown flags value!\n");
00764
break;
00765 }
00766
return 0;
00767 }
00768
00769 static int rsbac_aef_task_setuid(uid_t id0, uid_t id1, uid_t id2,
int flags)
00770 {
00771
union rsbac_target_id_t rsbac_target_id;
00772
union rsbac_attribute_value_t rsbac_attribute_value;
00773
00774
#ifdef CONFIG_RSBAC_DEBUG
00775
if (rsbac_debug_aef)
00776 printk(KERN_DEBUG
"rsbac_aef_task_setuid(): calling ADF\n");
00777
#endif
00778
rsbac_target_id.
process = current->pid;
00779
switch(flags)
00780 {
00781
case LSM_SETID_RE:
00782
if(id0 != (uid_t) -1)
00783 {
00784 rsbac_attribute_value.
owner = id0;
00785
if (!
rsbac_adf_request(
R_CHANGE_OWNER,
00786 current->pid,
00787
T_PROCESS,
00788 rsbac_target_id,
00789 A_owner,
00790 rsbac_attribute_value))
00791
return -EPERM;
00792 }
00793
#ifdef CONFIG_RSBAC_DAC_OWNER
00794
if(id1 != (uid_t) -1)
00795 {
00796 rsbac_attribute_value.
owner = id1;
00797
if (!
rsbac_adf_request(
R_CHANGE_DAC_EFF_OWNER,
00798 current->pid,
00799
T_PROCESS,
00800 rsbac_target_id,
00801 A_owner,
00802 rsbac_attribute_value))
00803
return -EPERM;
00804 }
00805
#endif
00806
break;
00807
case LSM_SETID_ID:
00808 rsbac_attribute_value.
owner = id0;
00809
if (!
rsbac_adf_request(
R_CHANGE_OWNER,
00810 current->pid,
00811
T_PROCESS,
00812 rsbac_target_id,
00813 A_owner,
00814 rsbac_attribute_value))
00815
return -EPERM;
00816
#ifdef CONFIG_RSBAC_DAC_OWNER
00817
if (!
rsbac_adf_request(
R_CHANGE_DAC_EFF_OWNER,
00818 current->pid,
00819
T_PROCESS,
00820 rsbac_target_id,
00821 A_owner,
00822 rsbac_attribute_value))
00823
return -EPERM;
00824
if (!
rsbac_adf_request(
R_CHANGE_DAC_FS_OWNER,
00825 current->pid,
00826
T_PROCESS,
00827 rsbac_target_id,
00828 A_owner,
00829 rsbac_attribute_value))
00830
return -EPERM;
00831
#endif
00832
break;
00833
case LSM_SETID_RES:
00834
if(id0 != (uid_t) -1)
00835 {
00836 rsbac_attribute_value.group = id0;
00837
if (!
rsbac_adf_request(
R_GET_STATUS_DATA,
00838 current->pid,
00839
T_PROCESS,
00840 rsbac_target_id,
00841 A_group,
00842 rsbac_attribute_value))
00843
return -EPERM;
00844 }
00845
#ifdef CONFIG_RSBAC_DAC_OWNER
00846
if(id1 != (uid_t) -1)
00847 {
00848 rsbac_attribute_value.
owner = id1;
00849
if (!
rsbac_adf_request(
R_CHANGE_DAC_EFF_OWNER,
00850 current->pid,
00851
T_PROCESS,
00852 rsbac_target_id,
00853 A_owner,
00854 rsbac_attribute_value))
00855
return -EPERM;
00856 }
00857
else
00858 rsbac_attribute_value.
owner = current->euid;
00859
if (!
rsbac_adf_request(
R_CHANGE_DAC_FS_OWNER,
00860 current->pid,
00861
T_PROCESS,
00862 rsbac_target_id,
00863 A_owner,
00864 rsbac_attribute_value))
00865
return -EPERM;
00866
#endif
00867
break;
00868
case LSM_SETID_FS:
00869
#ifdef CONFIG_RSBAC_DAC_OWNER
00870
rsbac_attribute_value.
owner = id0;
00871
if (!
rsbac_adf_request(
R_CHANGE_DAC_FS_OWNER,
00872 current->pid,
00873
T_PROCESS,
00874 rsbac_target_id,
00875 A_owner,
00876 rsbac_attribute_value))
00877
return -EPERM;
00878
#endif
00879
break;
00880
00881
default:
00882 printk(KERN_WARNING
"rsbac_aef_task_setuid(): called with unknown flags value!\n");
00883
break;
00884 }
00885
return 0;
00886 }
00887
00888 static int rsbac_aef_task_setgroups(
int gidsetsize, gid_t * grouplist)
00889 {
00890
union rsbac_target_id_t rsbac_target_id;
00891
union rsbac_attribute_value_t rsbac_attribute_value;
00892
00893
#ifdef CONFIG_RSBAC_DEBUG
00894
if (rsbac_debug_aef)
00895 printk(KERN_DEBUG
"rsbac_aef_task_setgroups(): calling ADF\n");
00896
#endif
00897
rsbac_target_id.
process = current->pid;
00898 rsbac_attribute_value.
dummy = 0;
00899
if (!
rsbac_adf_request(
R_CHANGE_GROUP,
00900 current->pid,
00901
T_PROCESS,
00902 rsbac_target_id,
00903
A_none,
00904 rsbac_attribute_value))
00905
return -EPERM;
00906
else
00907
return 0;
00908 }
00909
00910 static int rsbac_aef_task_setrlimit(
unsigned int resource,
struct rlimit * new_rlim)
00911 {
00912
union rsbac_target_id_t rsbac_target_id;
00913
union rsbac_attribute_value_t rsbac_attribute_value;
00914
00915
#ifdef CONFIG_RSBAC_DEBUG
00916
if (rsbac_debug_aef)
00917 printk(KERN_DEBUG
"rsbac_aef_task_setrlimit(): calling ADF\n");
00918
#endif
00919
rsbac_target_id.
scd =
ST_rlimit;
00920 rsbac_attribute_value.
dummy = 0;
00921
if (!
rsbac_adf_request(
R_MODIFY_SYSTEM_DATA,
00922 current->pid,
00923
T_SCD,
00924 rsbac_target_id,
00925
A_none,
00926 rsbac_attribute_value))
00927
return -EPERM;
00928
else
00929
return 0;
00930 }
00931
00932 static int rsbac_aef_task_kill(
struct task_struct * p,
00933
struct siginfo * info,
int sig)
00934 {
00935
union rsbac_target_id_t rsbac_target_id;
00936
union rsbac_attribute_value_t rsbac_attribute_value;
00937
00938
#if 0
00939
if( (!info || ((
unsigned long)info != 1 &&
00940 (
unsigned long)info != 2 && SI_FROMUSER(info)))
00941 && ((sig != SIGCONT) || (current->session != p->session))
00942 )
00943
#endif
00944
{
00945
if(in_interrupt())
00946 printk(KERN_DEBUG
"signal in interrupt, caller_pid %u, target pid %u, signal %u\n",
00947 current->pid, p->pid, sig);
00948
#ifdef CONFIG_RSBAC_DEBUG
00949
if (rsbac_debug_aef)
00950 printk(KERN_DEBUG
"rsbac_aef_task_kill(): calling ADF\n");
00951
#endif
00952
rsbac_target_id.
process = p->pid;
00953 rsbac_attribute_value.signal = sig;
00954
if (!
rsbac_adf_request(
R_SEND_SIGNAL,
00955 current->pid,
00956
T_PROCESS,
00957 rsbac_target_id,
00958 A_signal,
00959 rsbac_attribute_value))
00960
return -EPERM;
00961 }
00962
return 0;
00963 }
00964
00965
#ifdef CONFIG_RSBAC_SYSLOG
00966
static int rsbac_aef_syslog(
int type)
00967 {
00968
enum rsbac_adf_request_t rsbac_request;
00969
union rsbac_target_id_t rsbac_target_id;
00970
union rsbac_attribute_value_t rsbac_attribute_value;
00971
00972
#ifdef CONFIG_RSBAC_DEBUG
00973
if (rsbac_debug_aef)
00974 printk(KERN_DEBUG
"rsbac_aef_syslog(): calling ADF\n");
00975
#endif
00976
switch(type)
00977 {
00978
case 2:
00979
case 3:
00980 rsbac_request =
R_GET_STATUS_DATA;
00981
break;
00982
case 4:
00983
case 5:
00984
case 6:
00985
case 7:
00986
case 8:
00987 rsbac_request =
R_MODIFY_SYSTEM_DATA;
00988
break;
00989
00990
default:
00991
return 0;
00992 }
00993 rsbac_target_id.
scd =
ST_syslog;
00994 rsbac_attribute_value.
dummy = 0;
00995
if (!
rsbac_adf_request(rsbac_request,
00996 current->pid,
00997 T_SCD,
00998 rsbac_target_id,
00999 A_signal,
01000 rsbac_attribute_value))
01001
return -EPERM;
01002
else
01003
return 0;
01004 }
01005
#endif
01006
01007 static int rsbac_aef_sysctl(ctl_table * table,
int op)
01008 {
01009
union rsbac_target_id_t rsbac_target_id;
01010
union rsbac_attribute_value_t rsbac_attribute_value;
01011
01012
#ifdef CONFIG_RSBAC_DEBUG
01013
if (rsbac_debug_aef)
01014 printk(KERN_DEBUG
"rsbac_aef_sysctl(): calling ADF\n");
01015
#endif
01016
if(!(op & S_IWUGO))
01017
return 0;
01018
switch(table->ctl_name)
01019 {
01020
case KERN_NODENAME:
01021 rsbac_target_id.
scd =
ST_host_id;
01022
break;
01023
case KERN_DOMAINNAME:
01024 rsbac_target_id.
scd =
ST_net_id;
01025
break;
01026
default:
01027 rsbac_target_id.
scd =
ST_other;
01028 }
01029 rsbac_attribute_value.
dummy = 0;
01030
if (!
rsbac_adf_request(
R_MODIFY_SYSTEM_DATA,
01031 current->pid,
01032
T_SCD,
01033 rsbac_target_id,
01034 A_signal,
01035 rsbac_attribute_value))
01036
return -EPERM;
01037
else
01038
return 0;
01039 }
01040
01041 static int rsbac_aef_msg_queue_alloc_security(
struct msg_queue * msq)
01042 {
01043
union rsbac_target_id_t rsbac_target_id;
01044
union rsbac_attribute_value_t rsbac_attribute_value;
01045
01046
#ifdef CONFIG_RSBAC_DEBUG
01047
if (rsbac_debug_aef)
01048 printk(KERN_DEBUG
"rsbac_aef_msg_queue_alloc_security(): calling ADF\n");
01049
#endif
01050
rsbac_target_id.
ipc.
type =
I_msg;
01051 rsbac_target_id.
ipc.
id.
id_nr = 0;
01052 rsbac_attribute_value.
dummy = 0;
01053
if (!
rsbac_adf_request(
R_CREATE,
01054 current->pid,
01055
T_IPC,
01056 rsbac_target_id,
01057
A_none,
01058 rsbac_attribute_value))
01059
return -EPERM;
01060
else
01061
return 0;
01062 }
01063
01064 static void rsbac_aef_shm_free_security(
struct shmid_kernel * shp)
01065 {
01066
union rsbac_target_id_t rsbac_target_id;
01067
01068
#ifdef CONFIG_RSBAC_DEBUG
01069
if (rsbac_debug_aef)
01070 printk(KERN_DEBUG
"rsbac_aef_shm_free_security: calling ACI remove_target()\n");
01071
#endif
01072
rsbac_target_id.
ipc.
type =
I_shm;
01073 rsbac_target_id.
ipc.
id.
id_nr = shp->id;
01074
rsbac_remove_target(
T_IPC, rsbac_target_id);
01075 }
01076
01077 static int rsbac_aef_shm_alloc_security(
struct shmid_kernel * shp)
01078 {
01079
union rsbac_target_id_t rsbac_target_id;
01080
union rsbac_attribute_value_t rsbac_attribute_value;
01081
01082
#ifdef CONFIG_RSBAC_DEBUG
01083
if (rsbac_debug_aef)
01084 printk(KERN_DEBUG
"rsbac_aef_shm_alloc_security(): calling ADF\n");
01085
#endif
01086
rsbac_target_id.
ipc.
type =
I_shm;
01087 rsbac_target_id.
ipc.
id.
id_nr = 0;
01088 rsbac_attribute_value.
dummy = 0;
01089
if (!
rsbac_adf_request(
R_CREATE,
01090 current->pid,
01091
T_IPC,
01092 rsbac_target_id,
01093
A_none,
01094 rsbac_attribute_value))
01095
return -EPERM;
01096
else
01097
return 0;
01098 }
01099
01100 static int rsbac_aef_shm_shmat(
struct shmid_kernel * shp,
01101
char *shmaddr,
int shmflg)
01102 {
01103
enum rsbac_adf_request_t rsbac_request;
01104
union rsbac_target_id_t rsbac_target_id;
01105
union rsbac_attribute_value_t rsbac_attribute_value;
01106
01107
#ifdef CONFIG_RSBAC_DEBUG
01108
if (rsbac_debug_aef)
01109 printk(KERN_DEBUG
"rsbac_aef_shm_shmat(): calling ADF\n");
01110
#endif
01111
if ((shmflg & SHM_RDONLY))
01112 rsbac_request =
R_READ_OPEN;
01113
else
01114 rsbac_request =
R_READ_WRITE_OPEN;
01115 rsbac_target_id.
ipc.
type =
I_shm;
01116 rsbac_target_id.
ipc.
id.
id_nr = shp->id;
01117 rsbac_attribute_value.
dummy = 0;
01118
if (!
rsbac_adf_request(rsbac_request,
01119 current->pid,
01120
T_IPC,
01121 rsbac_target_id,
01122
A_none,
01123 rsbac_attribute_value))
01124
return -EPERM;
01125
else
01126
return 0;
01127 }
01128
01129
#ifdef CONFIG_RSBAC_IPC_SEM
01130
static int rsbac_aef_sem_alloc_security(
struct sem_array * sma)
01131 {
01132
union rsbac_target_id_t rsbac_target_id;
01133
union rsbac_attribute_value_t rsbac_attribute_value;
01134
01135
#ifdef CONFIG_RSBAC_DEBUG
01136
if (rsbac_debug_aef)
01137 printk(KERN_DEBUG
"rsbac_aef_sem_alloc_security(): calling ADF\n");
01138
#endif
01139
rsbac_target_id.
ipc.
type =
I_sem;
01140 rsbac_target_id.
ipc.
id.
id_nr = 0;
01141 rsbac_attribute_value.
dummy = 0;
01142
if (!
rsbac_adf_request(R_CREATE,
01143 current->pid,
01144 T_IPC,
01145 rsbac_target_id,
01146 A_none,
01147 rsbac_attribute_value))
01148
return -EPERM;
01149
else
01150
return 0;
01151 }
01152
#endif
01153
01154
#ifdef CONFIG_RSBAC_NET_OBJ
01155
static int rsbac_aef_socket_accept(
struct socket * sock,
struct socket * newsock)
01156 {
01157
union rsbac_target_id_t rsbac_target_id;
01158
union rsbac_attribute_value_t rsbac_attribute_value;
01159
01160
#if !defined(CONFIG_RSBAC_NET_OBJ_UNIX)
01161
if( sock->ops
01162 && (sock->ops->family != AF_UNIX)
01163 )
01164
#endif
01165
{
01166
#ifdef CONFIG_RSBAC_DEBUG
01167
if (rsbac_debug_aef)
01168 printk(KERN_DEBUG
"rsbac_aef_socket_accept(): calling ADF\n");
01169
#endif
01170
rsbac_target_id.
netobj.
sock_p = newsock;
01171 rsbac_target_id.
netobj.
local_addr =
NULL;
01172 rsbac_target_id.
netobj.
local_len = 0;
01173 rsbac_target_id.
netobj.
remote_addr =
NULL;
01174 rsbac_target_id.
netobj.
remote_len = 0;
01175 rsbac_attribute_value.
dummy = 0;
01176
if (!
rsbac_adf_request(R_ACCEPT,
01177 current->pid,
01178 T_NETOBJ,
01179 rsbac_target_id,
01180 A_none,
01181 rsbac_attribute_value))
01182 {
01183
#ifdef CONFIG_RSBAC_DEBUG
01184
if (rsbac_debug_aef)
01185 printk(KERN_DEBUG
"rsbac_aef_socket_accept(): ADF returned NOT_GRANTED\n");
01186
#endif
01187
return -EPERM;
01188 }
01189 }
01190
return 0;
01191 }
01192
01193
static void rsbac_aef_socket_post_accept(
struct socket * sock,
struct socket * newsock)
01194 {
01195
union rsbac_target_id_t rsbac_target_id;
01196
union rsbac_target_id_t rsbac_new_target_id;
01197
union rsbac_attribute_value_t rsbac_attribute_value;
01198
01199
#if !defined(CONFIG_RSBAC_NET_OBJ_UNIX)
01200
if( sock->ops
01201 && (sock->ops->family != AF_UNIX)
01202 )
01203
#endif
01204
{
01205 rsbac_target_id.
netobj.
sock_p = newsock;
01206 rsbac_target_id.
netobj.
local_addr =
NULL;
01207 rsbac_target_id.
netobj.
local_len = 0;
01208 rsbac_target_id.
netobj.
remote_addr =
NULL;
01209 rsbac_target_id.
netobj.
remote_len = 0;
01210 rsbac_attribute_value.
dummy = 0;
01211 rsbac_new_target_id.
dummy = 0;
01212
if (
rsbac_adf_set_attr(R_ACCEPT,
01213 current->pid,
01214 T_NETOBJ,
01215 rsbac_target_id,
01216 T_NONE,
01217 rsbac_new_target_id,
01218 A_none,
01219 rsbac_attribute_value))
01220 {
01221 printk(KERN_WARNING
01222
"rsbac_aef_socket_post_accept(): rsbac_adf_set_attr() returned error\n");
01223 }
01224 }
01225 }
01226
#endif
01227
01228
#ifdef CONFIG_RSBAC_INIT_DELAY
01229
static struct security_operations
rsbac_sec_ops = {
01230
#else
01231 static struct security_operations
rsbac_sec_ops = {
01232
#endif
01233
.ptrace =
rsbac_aef_ptrace,
01234 .sb_statfs =
rsbac_aef_statfs,
01235 .inode_follow_link =
rsbac_aef_inode_follow_link,
01236 .inode_create =
rsbac_aef_inode_create,
01237 .inode_post_create =
rsbac_aef_inode_post_create,
01238 .inode_mknod =
rsbac_aef_inode_mknod,
01239 .inode_post_mknod =
rsbac_aef_inode_post_mknod,
01240 .inode_mkdir =
rsbac_aef_inode_mkdir,
01241 .inode_post_mkdir =
rsbac_aef_inode_post_mkdir,
01242 .inode_symlink =
rsbac_aef_inode_symlink,
01243 .inode_post_symlink =
rsbac_aef_inode_post_symlink,
01244 .inode_link =
rsbac_aef_inode_link,
01245 .inode_rename =
rsbac_aef_inode_rename,
01246 .sb_umount =
rsbac_aef_sb_umount,
01247 .sb_umount_busy =
rsbac_aef_sb_umount_busy,
01248 .sb_post_addmount =
rsbac_aef_sb_post_addmount,
01249 .sb_mount =
rsbac_aef_sb_mount,
01250 .sb_pivotroot =
rsbac_aef_sb_pivotroot,
01251 .inode_getattr =
rsbac_aef_inode_getattr,
01252 .inode_readlink =
rsbac_aef_inode_readlink,
01253 .file_permission =
rsbac_aef_file_permission,
01254 .task_setgid =
rsbac_aef_task_setgid,
01255 .task_setuid =
rsbac_aef_task_setuid,
01256 .task_setgroups =
rsbac_aef_task_setgroups,
01257 .task_setrlimit =
rsbac_aef_task_setrlimit,
01258 .task_kill =
rsbac_aef_task_kill,
01259
#ifdef CONFIG_RSBAC_SYSLOG
01260
.syslog = rsbac_aef_syslog,
01261
#endif
01262
.sysctl =
rsbac_aef_sysctl,
01263 .msg_queue_alloc_security =
rsbac_aef_msg_queue_alloc_security,
01264 .shm_free_security =
rsbac_aef_shm_free_security,
01265 .shm_alloc_security =
rsbac_aef_shm_alloc_security,
01266
#ifdef CONFIG_RSBAC_IPC_SEM
01267
.sem_alloc_security = rsbac_aef_sem_alloc_security,
01268
#endif
01269
#ifdef CONFIG_RSBAC_NET_OBJ
01270
.socket_accept = rsbac_aef_socket_accept,
01271 .socket_post_accept = rsbac_aef_socket_post_accept,
01272
#endif
01273
.shm_shmat =
rsbac_aef_shm_shmat
01274 };
01275
01276 int rsbac_lsm_register(
void)
01277 {
01278
if (register_security (&
rsbac_sec_ops))
01279 {
01280 printk (KERN_INFO
01281
"Failure registering RSBAC with LSM, trying to stack on primary module\n");
01282
01283
if (mod_reg_security (
"RSBAC", &
rsbac_sec_ops))
01284 {
01285 printk (KERN_ERR
"Failure registering RSBAC "
01286
"with primary LSM security module, interceptions missing!\n");
01287
return -EINVAL;
01288 }
01289 }
01290
return 0;
01291 }