/daten/src/linux-2.4.27-rsbac-v1.2.3/rsbac/adf/adf_main.c

Go to the documentation of this file.
00001 /*************************************************** */ 00002 /* Rule Set Based Access Control */ 00003 /* Implementation of the Access Control Decision */ 00004 /* Facility (ADF) - Main file main.c */ 00005 /* */ 00006 /* Author and (c) 1999-2004: Amon Ott <ao@rsbac.org> */ 00007 /* */ 00008 /* Last modified: 27/Apr/2004 */ 00009 /*************************************************** */ 00010 00011 #include <linux/string.h> 00012 #include <linux/init.h> 00013 #include <linux/config.h> 00014 #include <linux/module.h> 00015 #include <rsbac/types.h> 00016 #include <rsbac/aci.h> 00017 #include <rsbac/adf.h> 00018 #include <rsbac/adf_main.h> 00019 #include <rsbac/error.h> 00020 #include <rsbac/helpers.h> 00021 #include <rsbac/getname.h> 00022 #include <rsbac/rkmem.h> 00023 #include <rsbac/network.h> 00024 00025 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT 00026 #include <linux/nfs_fs.h> 00027 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 00028 #include <linux/coda.h> 00029 #endif 00030 #include <linux/coda_psdev.h> 00031 #include <linux/ncp_fs.h> 00032 #include <linux/smb.h> 00033 #endif 00034 00035 #ifdef CONFIG_RSBAC_SECDEL 00036 #include <linux/types.h> 00037 #include <linux/dcache.h> 00038 #include <asm/uaccess.h> 00039 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 00040 #include <linux/buffer_head.h> 00041 #endif 00042 #endif /* SECDEL */ 00043 00044 /************************************************* */ 00045 /* Global Variables */ 00046 /************************************************* */ 00047 00048 u_long rsbac_adf_request_count[T_NONE+1] = {0,0,0,0,0,0,0,0}; 00049 u_long rsbac_adf_set_attr_count[T_NONE+1] = {0,0,0,0,0,0,0,0}; 00050 #ifdef CONFIG_RSBAC_XSTATS 00051 u_long rsbac_adf_request_xcount[T_NONE+1][R_NONE]; 00052 u_long rsbac_adf_set_attr_xcount[T_NONE+1][R_NONE]; 00053 #endif 00054 00055 #ifdef CONFIG_RSBAC_SWITCH 00056 00057 /******* MAC ********/ 00058 #ifdef CONFIG_RSBAC_MAC 00059 boolean rsbac_switch_mac = TRUE; 00060 #endif /* MAC */ 00061 00062 /******* FC ********/ 00063 #ifdef CONFIG_RSBAC_FC 00064 boolean rsbac_switch_fc = TRUE; 00065 #endif /* FC */ 00066 00067 /******* SIM ********/ 00068 #ifdef CONFIG_RSBAC_SIM 00069 boolean rsbac_switch_sim = TRUE; 00070 #endif /* SIM */ 00071 00072 /******* PM ********/ 00073 #ifdef CONFIG_RSBAC_PM 00074 boolean rsbac_switch_pm = TRUE; 00075 #endif /* PM */ 00076 00077 /******* DAZ ********/ 00078 #ifdef CONFIG_RSBAC_DAZ 00079 boolean rsbac_switch_daz = TRUE; 00080 #endif /* DAZ */ 00081 00082 /******* FF ********/ 00083 #ifdef CONFIG_RSBAC_FF 00084 boolean rsbac_switch_ff = TRUE; 00085 #endif /* FF */ 00086 00087 /******* RC ********/ 00088 #ifdef CONFIG_RSBAC_RC 00089 boolean rsbac_switch_rc = TRUE; 00090 #endif /* RC */ 00091 00092 /****** AUTH *******/ 00093 #ifdef CONFIG_RSBAC_AUTH 00094 boolean rsbac_switch_auth = TRUE; 00095 #endif /* AUTH */ 00096 00097 /****** ACL *******/ 00098 #ifdef CONFIG_RSBAC_ACL 00099 boolean rsbac_switch_acl = TRUE; 00100 #endif /* ACL */ 00101 00102 /****** CAP *******/ 00103 #ifdef CONFIG_RSBAC_CAP 00104 boolean rsbac_switch_cap = TRUE; 00105 #endif /* CAP */ 00106 00107 /****** JAIL *******/ 00108 #ifdef CONFIG_RSBAC_JAIL 00109 boolean rsbac_switch_jail = TRUE; 00110 #endif /* JAIL */ 00111 00112 /****** PAX ********/ 00113 #ifdef CONFIG_RSBAC_PAX 00114 boolean rsbac_switch_pax = TRUE; 00115 #endif /* PAX */ 00116 00117 /****** RES *******/ 00118 #ifdef CONFIG_RSBAC_RES 00119 boolean rsbac_switch_res = TRUE; 00120 #endif /* RES */ 00121 00122 #endif /* SWITCH */ 00123 00124 /************************************************* */ 00125 /* Internal Help functions */ 00126 /************************************************* */ 00127 00128 /************************************************* */ 00129 /* Externally visible functions */ 00130 /************************************************* */ 00131 00132 /* Init function, calls inits for all sub-modules */ 00133 00134 #ifdef CONFIG_RSBAC_INIT_DELAY 00135 void rsbac_init_adf(void) 00136 #else 00137 void __init rsbac_init_adf(void) 00138 #endif 00139 { 00140 #if defined(CONFIG_RSBAC_REG) 00141 rsbac_reg_init(); 00142 #endif 00143 }; 00144 00145 enum rsbac_adf_req_ret_t 00146 adf_and_plus(enum rsbac_adf_req_ret_t res1, 00147 enum rsbac_adf_req_ret_t res2) 00148 { 00149 switch (res1) 00150 { 00151 case GRANTED: if (res2 == DO_NOT_CARE) 00152 return (GRANTED); 00153 else 00154 return (res2); 00155 case NOT_GRANTED: if (res2 == UNDEFINED) 00156 return (UNDEFINED); 00157 else 00158 return (NOT_GRANTED); 00159 case DO_NOT_CARE: return (res2); 00160 default: return (UNDEFINED); 00161 } 00162 }; 00163 00164 /*********************************************************************/ 00165 /* rsbac_adf_request() */ 00166 /* This function is the main decision function, called from the AEF. */ 00167 00168 EXPORT_SYMBOL(rsbac_adf_request_int); 00169 enum rsbac_adf_req_ret_t 00170 rsbac_adf_request_int(enum rsbac_adf_request_t request, 00171 rsbac_pid_t caller_pid, 00172 enum rsbac_target_t target, 00173 union rsbac_target_id_t tid, 00174 enum rsbac_attribute_t attr, 00175 union rsbac_attribute_value_t attr_val, 00176 enum rsbac_switch_target_t ignore_module) 00177 { 00178 union rsbac_target_id_t i_tid; 00179 union rsbac_attribute_value_t i_attr_val; 00180 rsbac_uid_t owner=0; 00181 int tmperr=0; 00182 enum rsbac_adf_req_ret_t result = DO_NOT_CARE; 00183 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00184 enum rsbac_adf_req_ret_t ret_result = DO_NOT_CARE; 00185 #endif 00186 #ifndef CONFIG_RSBAC_MAINT 00187 enum rsbac_adf_req_ret_t mod_result[SW_NONE + 1] = { 00188 DO_NOT_CARE, 00189 DO_NOT_CARE, 00190 DO_NOT_CARE, 00191 DO_NOT_CARE, 00192 DO_NOT_CARE, 00193 DO_NOT_CARE, 00194 DO_NOT_CARE, 00195 DO_NOT_CARE, 00196 DO_NOT_CARE, 00197 DO_NOT_CARE, 00198 DO_NOT_CARE, 00199 DO_NOT_CARE, 00200 DO_NOT_CARE, 00201 DO_NOT_CARE, 00202 DO_NOT_CARE, 00203 DO_NOT_CARE, 00204 DO_NOT_CARE, 00205 DO_NOT_CARE 00206 }; 00207 #endif 00208 boolean do_log = FALSE; 00209 boolean log_on_request = TRUE; 00210 /* only if individual logging is enabled */ 00211 #if defined(CONFIG_RSBAC_IND_LOG) || defined(CONFIG_RSBAC_IND_NETDEV_LOG) || defined(CONFIG_RSBAC_IND_NETOBJ_LOG) 00212 union rsbac_attribute_value_t i_attr_val2; 00213 enum rsbac_log_level_t log_level; 00214 #endif 00215 struct super_block * sb_p; 00216 #ifdef CONFIG_RSBAC_SOFTMODE 00217 boolean rsbac_internal = FALSE; 00218 #endif 00219 00220 /* No decision possible before init (called at boot time) -> don't care */ 00221 if (!rsbac_is_initialized()) 00222 return(DO_NOT_CARE); 00223 00224 /* Always granted for kernel (pid 0) and logging daemon */ 00225 if ( !caller_pid 00226 #if defined(CONFIG_RSBAC_LOG_REMOTE) 00227 || (caller_pid == rsbaclogd_pid) 00228 #endif 00229 ) 00230 return(GRANTED); 00231 00232 /* Checking base values */ 00233 if( request >= R_NONE 00234 || target > T_NONE 00235 || attr > A_none) 00236 { 00237 #ifdef CONFIG_RSBAC_RMSG 00238 rsbac_printk(KERN_WARNING 00239 "rsbac_adf_request(): called with invalid request, target or attribute\n"); 00240 #endif 00241 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00242 if (!rsbac_nosyslog) 00243 #endif 00244 printk(KERN_WARNING 00245 "rsbac_adf_request(): called with invalid request, target or attribute\n"); 00246 return(NOT_GRANTED); 00247 } 00248 00249 if (in_interrupt()) 00250 { 00251 char * request_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00252 00253 if(request_name) 00254 { 00255 get_request_name(request_name, request); 00256 #ifdef CONFIG_RSBAC_RMSG 00257 rsbac_printk(KERN_WARNING "rsbac_adf_request(): called from interrupt: request %s, pid %u, attr_val %u!\n", 00258 request_name, caller_pid, attr_val.dummy); 00259 #endif 00260 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00261 if (!rsbac_nosyslog) 00262 #endif 00263 printk(KERN_WARNING "rsbac_adf_request(): called from interrupt: request %s, pid %u, attr_val %u!\n", 00264 request_name, caller_pid, attr_val.dummy); 00265 kfree(request_name); 00266 } 00267 else 00268 { 00269 #ifdef CONFIG_RSBAC_RMSG 00270 rsbac_printk(KERN_WARNING "rsbac_adf_request(): called from interrupt: request %u, pid %u!\n", 00271 request, caller_pid); 00272 #endif 00273 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00274 if (!rsbac_nosyslog) 00275 #endif 00276 printk(KERN_WARNING "rsbac_adf_request(): called from interrupt: request %u, pid %u!\n", 00277 request, caller_pid); 00278 } 00279 // return DO_NOT_CARE; 00280 } 00281 00282 /* Getting basic information about this request */ 00283 00284 /* only useful for real process, not idle or init */ 00285 if (caller_pid > 1) 00286 { 00287 tmperr = rsbac_get_owner(&owner); 00288 if(tmperr) 00289 { 00290 #ifdef CONFIG_RSBAC_RMSG 00291 rsbac_printk(KERN_DEBUG 00292 "rsbac_adf_request(): caller_pid %i, RSBAC not initialized, returning DO_NOT_CARE", 00293 caller_pid); 00294 #endif 00295 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00296 if (!rsbac_nosyslog) 00297 #endif 00298 printk(KERN_DEBUG 00299 "rsbac_adf_request(): caller_pid %i, RSBAC not initialized, returning DO_NOT_CARE", 00300 caller_pid); 00301 return(DO_NOT_CARE); /* Startup-Sequence (see above) */ 00302 } 00303 } 00304 else /* caller_pid = 1 -> init, always owned by root */ 00305 owner = 0; 00306 00307 00308 /******************************************************/ 00309 /* General work for all modules - before module calls */ 00310 /* test target on rsbac_internal */ 00311 switch(target) 00312 { 00313 case T_FILE: 00314 case T_DIR: 00315 case T_FIFO: 00316 case T_SYMLINK: 00317 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT 00318 if ( ((sb_p = rsbac_get_super_block(tid.file.device))) 00319 && ( (sb_p->s_magic == NFS_SUPER_MAGIC) 00320 || (sb_p->s_magic == CODA_SUPER_MAGIC) 00321 || (sb_p->s_magic == NCP_SUPER_MAGIC) 00322 || (sb_p->s_magic == SMB_SUPER_MAGIC) 00323 ) 00324 ) 00325 { 00326 result = DO_NOT_CARE; 00327 goto log; 00328 } 00329 #endif 00330 /* No decision on pseudo pipefs */ 00331 if( (target == T_FIFO) 00332 && ((sb_p = rsbac_get_super_block(tid.file.device))) 00333 && (sb_p->s_magic == PIPEFS_MAGIC) 00334 ) 00335 return DO_NOT_CARE; 00336 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 00337 /* No decision on pseudo sockfs */ 00338 if( (target == T_FILE) 00339 && (!RSBAC_MAJOR(tid.file.device)) 00340 && (!RSBAC_MINOR(tid.file.device)) 00341 ) 00342 return DO_NOT_CARE; 00343 #endif 00344 switch(request) 00345 { 00346 case R_GET_STATUS_DATA: 00347 case R_READ_ATTRIBUTE: 00348 #ifdef CONFIG_RSBAC_DAT_VISIBLE 00349 case R_SEARCH: 00350 case R_READ: 00351 case R_CLOSE: 00352 case R_CHDIR: 00353 case R_GET_PERMISSIONS_DATA: 00354 #endif 00355 break; 00356 00357 default: 00358 if ((tmperr = rsbac_get_attr(GEN, 00359 target, 00360 tid, 00361 A_internal, 00362 &i_attr_val, 00363 TRUE) )) 00364 { 00365 if(tmperr == -RSBAC_EINVALIDDEV) 00366 { 00367 rsbac_ds_get_error("rsbac_adf_request()", A_internal); 00368 return(DO_NOT_CARE); /* last calls on shutdown */ 00369 } 00370 else 00371 { 00372 rsbac_ds_get_error("rsbac_adf_request()", A_internal); 00373 return(NOT_GRANTED); /* something weird happened */ 00374 } 00375 } 00376 /* no access to rsbac_internal objects is granted in any case */ 00377 if (i_attr_val.internal) 00378 { 00379 #ifdef CONFIG_RSBAC_RMSG 00380 rsbac_printk(KERN_WARNING 00381 "rsbac_adf_request(): trial to access object declared RSBAC-internal!\n"); 00382 #endif 00383 #ifndef CONFIG_RSBAC_RMSG_EXCL 00384 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00385 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00386 if (!rsbac_nosyslog) 00387 #endif 00388 printk(KERN_WARNING 00389 "rsbac_adf_request(): trial to access object declared RSBAC-internal!\n"); 00390 #endif 00391 result = NOT_GRANTED; 00392 #ifndef CONFIG_RSBAC_MAINT 00393 mod_result[SW_NONE] = NOT_GRANTED; 00394 #endif 00395 #ifdef CONFIG_RSBAC_SOFTMODE 00396 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00397 ret_result = NOT_GRANTED; 00398 #endif 00399 rsbac_internal = TRUE; 00400 #endif 00401 } 00402 } 00403 break; 00404 00405 default: 00406 break; 00407 } 00408 00409 /**********************************************************/ 00410 /* calling all decision modules, building a common result */ 00411 00412 #ifdef CONFIG_RSBAC_DEBUG 00413 /* first, check for valid request/target combination */ 00414 /* (undefined should only happen in _check and means a real bug!) */ 00415 result = adf_and_plus(result,rsbac_adf_request_check(request, 00416 caller_pid, 00417 target, 00418 tid, 00419 attr, 00420 attr_val, 00421 owner) ); 00422 00423 if(result == UNDEFINED) 00424 goto log; 00425 #endif 00426 00427 #if !defined(CONFIG_RSBAC_MAINT) 00428 /******* MAC ********/ 00429 #if defined(CONFIG_RSBAC_MAC) 00430 #ifdef CONFIG_RSBAC_SWITCH 00431 if (rsbac_switch_mac) 00432 #endif 00433 /* no need to call module, if to be ignored */ 00434 if(ignore_module != MAC) 00435 { 00436 mod_result[MAC] = rsbac_adf_request_mac(request, 00437 caller_pid, 00438 target, 00439 tid, 00440 attr, 00441 attr_val, 00442 owner); 00443 result = adf_and_plus(result, mod_result[MAC]); 00444 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00445 if(!rsbac_ind_softmode[MAC]) 00446 ret_result = adf_and_plus(ret_result, mod_result[MAC]); 00447 #endif 00448 } 00449 #endif /* MAC */ 00450 00451 /******* FC ********/ 00452 #if defined(CONFIG_RSBAC_FC) 00453 #ifdef CONFIG_RSBAC_SWITCH 00454 if (rsbac_switch_fc) 00455 #endif 00456 /* no need to call module, if to be ignored */ 00457 if(ignore_module != FC) 00458 { 00459 mod_result[FC] = rsbac_adf_request_fc (request, 00460 caller_pid, 00461 target, 00462 tid, 00463 attr, 00464 attr_val, 00465 owner); 00466 result = adf_and_plus(result, mod_result[FC]); 00467 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00468 if(!rsbac_ind_softmode[FC]) 00469 ret_result = adf_and_plus(ret_result, mod_result[FC]); 00470 #endif 00471 } 00472 #endif /* FC */ 00473 00474 /******* SIM ********/ 00475 #if defined(CONFIG_RSBAC_SIM) 00476 #ifdef CONFIG_RSBAC_SWITCH 00477 if (rsbac_switch_sim) 00478 #endif 00479 /* no need to call module, if to be ignored */ 00480 if(ignore_module != SIM) 00481 { 00482 mod_result[SIM] = rsbac_adf_request_sim(request, 00483 caller_pid, 00484 target, 00485 tid, 00486 attr, 00487 attr_val, 00488 owner); 00489 result = adf_and_plus(result, mod_result[SIM]); 00490 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00491 if(!rsbac_ind_softmode[SIM]) 00492 ret_result = adf_and_plus(ret_result, mod_result[SIM]); 00493 #endif 00494 } 00495 #endif /* SIM */ 00496 00497 /******* PM ********/ 00498 #if defined(CONFIG_RSBAC_PM) 00499 #ifdef CONFIG_RSBAC_SWITCH 00500 if (rsbac_switch_pm) 00501 #endif 00502 /* no need to call module, if to be ignored */ 00503 if(ignore_module != PM) 00504 { 00505 mod_result[PM] = rsbac_adf_request_pm (request, 00506 caller_pid, 00507 target, 00508 tid, 00509 attr, 00510 attr_val, 00511 owner); 00512 result = adf_and_plus(result, mod_result[PM]); 00513 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00514 if(!rsbac_ind_softmode[PM]) 00515 ret_result = adf_and_plus(ret_result, mod_result[PM]); 00516 #endif 00517 } 00518 #endif /* PM */ 00519 00520 /******* DAZ ********/ 00521 #if defined(CONFIG_RSBAC_DAZ) 00522 #ifdef CONFIG_RSBAC_SWITCH 00523 if (rsbac_switch_daz) 00524 #endif 00525 /* no need to call module, if to be ignored */ 00526 if(ignore_module != DAZ) 00527 { 00528 mod_result[DAZ] = rsbac_adf_request_daz (request, 00529 caller_pid, 00530 target, 00531 tid, 00532 attr, 00533 attr_val, 00534 owner); 00535 result = adf_and_plus(result, mod_result[DAZ]); 00536 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00537 if(!rsbac_ind_softmode[DAZ]) 00538 ret_result = adf_and_plus(ret_result, mod_result[DAZ]); 00539 #endif 00540 } 00541 #endif /* DAZ */ 00542 00543 /******* FF ********/ 00544 #if defined(CONFIG_RSBAC_FF) 00545 #ifdef CONFIG_RSBAC_SWITCH 00546 if (rsbac_switch_ff) 00547 #endif 00548 /* no need to call module, if to be ignored */ 00549 if(ignore_module != FF) 00550 { 00551 mod_result[FF] = rsbac_adf_request_ff (request, 00552 caller_pid, 00553 target, 00554 tid, 00555 attr, 00556 attr_val, 00557 owner); 00558 result = adf_and_plus(result, mod_result[FF]); 00559 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00560 if(!rsbac_ind_softmode[FF]) 00561 ret_result = adf_and_plus(ret_result, mod_result[FF]); 00562 #endif 00563 } 00564 #endif /* FF */ 00565 00566 /******* RC ********/ 00567 #if defined(CONFIG_RSBAC_RC) 00568 #ifdef CONFIG_RSBAC_SWITCH 00569 if (rsbac_switch_rc) 00570 #endif 00571 /* no need to call module, if to be ignored */ 00572 if(ignore_module != RC) 00573 { 00574 mod_result[RC] = rsbac_adf_request_rc (request, 00575 caller_pid, 00576 target, 00577 tid, 00578 attr, 00579 attr_val, 00580 owner); 00581 result = adf_and_plus(result, mod_result[RC]); 00582 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00583 if(!rsbac_ind_softmode[RC]) 00584 ret_result = adf_and_plus(ret_result, mod_result[RC]); 00585 #endif 00586 } 00587 #endif /* RC */ 00588 00589 /****** AUTH *******/ 00590 #if defined(CONFIG_RSBAC_AUTH) 00591 #ifdef CONFIG_RSBAC_SWITCH 00592 if (rsbac_switch_auth) 00593 #endif 00594 /* no need to call module, if to be ignored */ 00595 if(ignore_module != AUTH) 00596 { 00597 mod_result[AUTH]= rsbac_adf_request_auth(request, 00598 caller_pid, 00599 target, 00600 tid, 00601 attr, 00602 attr_val, 00603 owner); 00604 result = adf_and_plus(result, mod_result[AUTH]); 00605 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00606 if(!rsbac_ind_softmode[AUTH]) 00607 ret_result = adf_and_plus(ret_result, mod_result[AUTH]); 00608 #endif 00609 } 00610 #endif /* AUTH */ 00611 00612 /****** ACL *******/ 00613 #if defined(CONFIG_RSBAC_ACL) 00614 #ifdef CONFIG_RSBAC_SWITCH 00615 if (rsbac_switch_acl) 00616 #endif 00617 /* no need to call module, if to be ignored */ 00618 if(ignore_module != ACL) 00619 { 00620 mod_result[ACL] = rsbac_adf_request_acl(request, 00621 caller_pid, 00622 target, 00623 tid, 00624 attr, 00625 attr_val, 00626 owner); 00627 result = adf_and_plus(result, mod_result[ACL]); 00628 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00629 if(!rsbac_ind_softmode[ACL]) 00630 ret_result = adf_and_plus(ret_result, mod_result[ACL]); 00631 #endif 00632 } 00633 #endif /* ACL */ 00634 00635 /****** CAP *******/ 00636 #if defined(CONFIG_RSBAC_CAP) 00637 #ifdef CONFIG_RSBAC_SWITCH 00638 if (rsbac_switch_cap) 00639 #endif 00640 /* no need to call module, if to be ignored */ 00641 if(ignore_module != CAP) 00642 { 00643 mod_result[CAP] = rsbac_adf_request_cap(request, 00644 caller_pid, 00645 target, 00646 tid, 00647 attr, 00648 attr_val, 00649 owner); 00650 result = adf_and_plus(result, mod_result[CAP]); 00651 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00652 if(!rsbac_ind_softmode[CAP]) 00653 ret_result = adf_and_plus(ret_result, mod_result[CAP]); 00654 #endif 00655 } 00656 #endif /* CAP */ 00657 00658 /****** JAIL *******/ 00659 #if defined(CONFIG_RSBAC_JAIL) 00660 #ifdef CONFIG_RSBAC_SWITCH 00661 if (rsbac_switch_jail) 00662 #endif 00663 /* no need to call module, if to be ignored */ 00664 if(ignore_module != JAIL) 00665 { 00666 mod_result[JAIL]= rsbac_adf_request_jail(request, 00667 caller_pid, 00668 target, 00669 tid, 00670 attr, 00671 attr_val, 00672 owner); 00673 result = adf_and_plus(result, mod_result[JAIL]); 00674 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00675 if(!rsbac_ind_softmode[JAIL]) 00676 ret_result = adf_and_plus(ret_result, mod_result[JAIL]); 00677 #endif 00678 } 00679 #endif /* JAIL */ 00680 00681 /******* PAX ********/ 00682 #if defined(CONFIG_RSBAC_PAX) 00683 #ifdef CONFIG_RSBAC_SWITCH 00684 if (rsbac_switch_pax) 00685 #endif 00686 /* no need to call module, if to be ignored */ 00687 if(ignore_module != PAX) 00688 { 00689 mod_result[PAX] = rsbac_adf_request_pax (request, 00690 caller_pid, 00691 target, 00692 tid, 00693 attr, 00694 attr_val, 00695 owner); 00696 result = adf_and_plus(result, mod_result[PAX]); 00697 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00698 if(!rsbac_ind_softmode[PAX]) 00699 ret_result = adf_and_plus(ret_result, mod_result[PAX]); 00700 #endif 00701 } 00702 #endif /* PAX */ 00703 00704 /****** RES *******/ 00705 #if defined(CONFIG_RSBAC_RES) 00706 #ifdef CONFIG_RSBAC_SWITCH 00707 if (rsbac_switch_res) 00708 #endif 00709 /* no need to call module, if to be ignored */ 00710 if(ignore_module != RES) 00711 { 00712 mod_result[RES] = rsbac_adf_request_res(request, 00713 caller_pid, 00714 target, 00715 tid, 00716 attr, 00717 attr_val, 00718 owner); 00719 result = adf_and_plus(result, mod_result[RES]); 00720 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00721 if(!rsbac_ind_softmode[RES]) 00722 ret_result = adf_and_plus(ret_result, mod_result[RES]); 00723 #endif 00724 } 00725 #endif /* RES */ 00726 00727 /****** REG *******/ 00728 #if defined(CONFIG_RSBAC_REG) 00729 if(ignore_module != REG) 00730 { 00731 mod_result[REG]= rsbac_adf_request_reg (request, 00732 caller_pid, 00733 target, 00734 tid, 00735 attr, 00736 attr_val, 00737 owner); 00738 result = adf_and_plus(result, mod_result[REG]); 00739 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00740 if(!rsbac_ind_softmode[REG]) 00741 ret_result = adf_and_plus(ret_result, mod_result[REG]); 00742 #endif 00743 } 00744 #endif /* REG */ 00745 00746 #endif /* !MAINT */ 00747 00748 /****************************/ 00749 00750 #if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET) 00751 if( rsbac_debug_adf_net 00752 && ( (target == T_NETDEV) 00753 || (target == T_NETTEMP) 00754 || (target == T_NETOBJ) 00755 ) 00756 ) 00757 do_log = TRUE; 00758 #endif 00759 00760 /* log based on process owner */ 00761 #ifdef CONFIG_RSBAC_IND_USER_LOG 00762 i_tid.user = owner; 00763 if (rsbac_get_attr(GEN, 00764 T_USER, 00765 i_tid, 00766 A_log_user_based, 00767 &i_attr_val, 00768 FALSE)) 00769 { 00770 rsbac_ds_get_error("rsbac_adf_request()", A_log_user_based); 00771 } 00772 else 00773 { 00774 if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_user_based) 00775 do_log = TRUE; 00776 } 00777 #endif /* CONFIG_RSBAC_IND_USER_LOG */ 00778 00779 /* log based on program */ 00780 #ifdef CONFIG_RSBAC_IND_PROG_LOG 00781 if(!do_log) 00782 { 00783 i_tid.process = caller_pid; 00784 if (rsbac_get_attr(GEN, 00785 T_PROCESS, 00786 i_tid, 00787 A_log_program_based, 00788 &i_attr_val, 00789 FALSE)) 00790 { 00791 rsbac_ds_get_error("rsbac_adf_request()", A_log_program_based); 00792 } 00793 else 00794 { 00795 if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_program_based) 00796 do_log = TRUE; 00797 } 00798 } 00799 #endif /* CONFIG_RSBAC_IND_PROG_LOG */ 00800 00801 /*****************************************************/ 00802 /* General work for all modules - after module calls */ 00803 /* Note: the process' individual logging attributes are needed above */ 00804 switch(request) 00805 { 00806 case R_TERMINATE: 00807 if (target == T_PROCESS) 00808 rsbac_remove_target(T_PROCESS,tid); 00809 break; 00810 default: 00811 break; 00812 } 00813 00814 /* logging request on info level, if requested by file/dir/dev attributes */ 00815 /* log_array_low/high, or, if that is requested, if enabled for this request */ 00816 /* type (attributes state level, or that request based level is to be taken) */ 00817 /* loglevel 2: log everything */ 00818 /* loglevel 1: log, if denied */ 00819 /* loglevel 0: log nothing */ 00820 00821 #ifdef CONFIG_RSBAC_IND_LOG /* only if individual logging is enabled */ 00822 /* if file/dir/dev, depend log on log_arrays */ 00823 /* (but not for file.device = 0) */ 00824 /* log_on_request is TRUE */ 00825 if( !do_log 00826 && ( ( ( (target == T_FILE) 00827 || (target == T_DIR) 00828 || (target == T_FIFO) 00829 || (target == T_SYMLINK) 00830 ) 00831 && RSBAC_MAJOR(tid.file.device) 00832 && RSBAC_MINOR(tid.file.device) 00833 ) 00834 || (target == T_DEV) 00835 ) 00836 ) 00837 { 00838 if (rsbac_get_attr(GEN, 00839 target, 00840 tid, 00841 A_log_array_low, 00842 &i_attr_val, 00843 FALSE)) 00844 { 00845 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_low); 00846 } 00847 else 00848 { 00849 if (rsbac_get_attr(GEN, 00850 target, 00851 tid, 00852 A_log_array_high, 00853 &i_attr_val2, 00854 FALSE)) 00855 { 00856 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_high); 00857 } 00858 else 00859 { /* ll = low-bit for request | (high-bit for request as bit 1) */ 00860 /* WARNING: we deal with u64 here, only logical operations and */ 00861 /* shifts work correctly! */ 00862 log_level = ((i_attr_val.log_array_low >> request) & 1) 00863 | ( ((i_attr_val2.log_array_high >> request) & 1) << 1); 00864 if ( log_level == LL_full 00865 || ( log_level == LL_denied 00866 && (result == NOT_GRANTED 00867 || result == UNDEFINED)) ) 00868 { 00869 do_log = TRUE; 00870 } 00871 if(log_level != LL_request) 00872 log_on_request = FALSE; 00873 } 00874 } 00875 } 00876 #endif /* CONFIG_RSBAC_IND_LOG */ 00877 00878 #ifdef CONFIG_RSBAC_IND_NETDEV_LOG /* only if individual logging for netdev is enabled */ 00879 /* if netdev, depend log on log_arrays */ 00880 /* log_on_request is TRUE */ 00881 if( !do_log 00882 && (target == T_NETDEV) 00883 ) 00884 { 00885 if (rsbac_get_attr(GEN, 00886 target, 00887 tid, 00888 A_log_array_low, 00889 &i_attr_val, 00890 FALSE)) 00891 { 00892 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_low); 00893 } 00894 else 00895 { 00896 if (rsbac_get_attr(GEN, 00897 target, 00898 tid, 00899 A_log_array_high, 00900 &i_attr_val2, 00901 FALSE)) 00902 { 00903 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_high); 00904 } 00905 else 00906 { /* ll = low-bit for request | (high-bit for request as bit 1) */ 00907 /* WARNING: we deal with u64 here, only logical operations and */ 00908 /* shifts work correctly! */ 00909 log_level = ((i_attr_val.log_array_low >> request) & 1) 00910 | ( ((i_attr_val2.log_array_high >> request) & 1) << 1); 00911 if ( log_level == LL_full 00912 || ( log_level == LL_denied 00913 && (result == NOT_GRANTED 00914 || result == UNDEFINED)) ) 00915 { 00916 do_log = TRUE; 00917 } 00918 if(log_level != LL_request) 00919 log_on_request = FALSE; 00920 } 00921 } 00922 } 00923 #endif /* CONFIG_RSBAC_IND_NETDEV_LOG */ 00924 00925 #ifdef CONFIG_RSBAC_IND_NETOBJ_LOG /* only if individual logging for net objects is enabled */ 00926 /* if nettemp, netobj, depend log on log_arrays */ 00927 /* (but not for file.device = 0) */ 00928 /* log_on_request is TRUE */ 00929 if( !do_log 00930 && ( (target == T_NETTEMP) 00931 || (target == T_NETOBJ) 00932 ) 00933 ) 00934 { 00935 enum rsbac_attribute_t i_attr1, i_attr2; 00936 00937 if(target == T_NETOBJ) 00938 { 00939 if(rsbac_net_remote_request(request)) 00940 { 00941 i_attr1 = A_remote_log_array_low; 00942 i_attr2 = A_remote_log_array_high; 00943 } 00944 else 00945 { 00946 i_attr1 = A_local_log_array_low; 00947 i_attr2 = A_local_log_array_high; 00948 } 00949 } 00950 else 00951 { 00952 i_attr1 = A_log_array_low; 00953 i_attr2 = A_log_array_high; 00954 } 00955 if (rsbac_get_attr(GEN, 00956 target, 00957 tid, 00958 i_attr1, 00959 &i_attr_val, 00960 FALSE)) 00961 { 00962 rsbac_ds_get_error("rsbac_adf_request()", i_attr1); 00963 } 00964 else 00965 { 00966 if (rsbac_get_attr(GEN, 00967 target, 00968 tid, 00969 i_attr2, 00970 &i_attr_val2, 00971 FALSE)) 00972 { 00973 rsbac_ds_get_error("rsbac_adf_request()", i_attr2); 00974 } 00975 else 00976 { /* ll = low-bit for request | (high-bit for request as bit 1) */ 00977 /* WARNING: we deal with u64 here, only logical operations and */ 00978 /* shifts work correctly! */ 00979 log_level = ((i_attr_val.log_array_low >> request) & 1) 00980 | ( ((i_attr_val2.log_array_high >> request) & 1) << 1); 00981 if ( log_level == LL_full 00982 || ( log_level == LL_denied 00983 && (result == NOT_GRANTED 00984 || result == UNDEFINED)) ) 00985 { 00986 do_log = TRUE; 00987 } 00988 if(log_level != LL_request) 00989 log_on_request = FALSE; 00990 } 00991 } 00992 } 00993 #endif /* CONFIG_RSBAC_IND_NETOBJ_LOG */ 00994 00995 log: 00996 /* if enabled, try request based log level */ 00997 if ( !do_log 00998 && log_on_request 00999 && ( rsbac_log_levels[request][target] == LL_full 01000 || ( rsbac_log_levels[request][target] == LL_denied 01001 && (result == NOT_GRANTED 01002 || result == UNDEFINED)) ) ) 01003 do_log = TRUE; 01004 01005 if(do_log) 01006 { 01007 char * request_name; 01008 char * res_name; 01009 char * res_mods; 01010 char * target_type_name; 01011 char * target_id_name; 01012 char * attr_name; 01013 char * new_target_name; 01014 char command[17]; 01015 rsbac_pseudo_t pseudo = 0; 01016 rsbac_pid_t parent_pid = 0; 01017 01018 /* Get owner's logging pseudo */ 01019 if (rsbac_get_attr(GEN,T_USER,i_tid,A_pseudo,&i_attr_val,FALSE)) 01020 { 01021 rsbac_ds_get_error("rsbac_adf_request()", A_pseudo); 01022 return(NOT_GRANTED); /* something weird happened */ 01023 } 01024 /* if pseudo is not registered, return attribute value is 0 (see later) */ 01025 pseudo = i_attr_val.pseudo; 01026 01027 /* parent pid */ 01028 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 01029 if(current->parent) 01030 parent_pid = current->parent->pid; 01031 #else 01032 if(current->p_pptr) 01033 parent_pid = current->p_pptr->pid; 01034 #endif 01035 /* rsbac_kmalloc all memory */ 01036 request_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01037 res_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01038 res_mods = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01039 target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01040 #ifdef CONFIG_RSBAC_LOG_FULL_PATH 01041 target_id_name 01042 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); 01043 /* max. path name len + some extra */ 01044 #else 01045 target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); 01046 /* max. file name len + some extra */ 01047 #endif 01048 attr_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01049 new_target_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01050 01051 request_name[0] = (char) 0; 01052 target_type_name[0] = (char) 0; 01053 target_id_name[0] = (char) 0; 01054 attr_name[0] = (char) 0; 01055 new_target_name[0] = (char) 0; 01056 res_name[0] = (char) 0; 01057 res_mods[0] = (char) 0; 01058 command[0] = (char) 0; 01059 get_request_name(request_name, request); 01060 #if !defined(CONFIG_RSBAC_MAINT) 01061 if(result == mod_result[SW_NONE]) 01062 { 01063 strcat(res_mods, " GEN"); 01064 } 01065 #if defined(CONFIG_RSBAC_MAC) 01066 if(result == mod_result[MAC]) 01067 { 01068 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01069 if(rsbac_ind_softmode[MAC]) 01070 strcat(res_mods, " MAC(Softmode)"); 01071 else 01072 #endif 01073 strcat(res_mods, " MAC"); 01074 } 01075 #endif 01076 #if defined(CONFIG_RSBAC_FC) 01077 if(result == mod_result[FC]) 01078 { 01079 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01080 if(rsbac_ind_softmode[FC]) 01081 strcat(res_mods, " FC(Softmode)"); 01082 else 01083 #endif 01084 strcat(res_mods, " FC"); 01085 } 01086 #endif 01087 #if defined(CONFIG_RSBAC_SIM) 01088 if(result == mod_result[SIM]) 01089 { 01090 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01091 if(rsbac_ind_softmode[SIM]) 01092 strcat(res_mods, " SIM(Softmode)"); 01093 else 01094 #endif 01095 strcat(res_mods, " SIM"); 01096 } 01097 #endif 01098 #if defined(CONFIG_RSBAC_PM) 01099 if(result == mod_result[PM]) 01100 { 01101 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01102 if(rsbac_ind_softmode[PM]) 01103 strcat(res_mods, " PM(Softmode)"); 01104 else 01105 #endif 01106 strcat(res_mods, " PM"); 01107 } 01108 #endif 01109 #if defined(CONFIG_RSBAC_DAZ) 01110 if(result == mod_result[DAZ]) 01111 { 01112 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01113 if(rsbac_ind_softmode[DAZ]) 01114 strcat(res_mods, " DAZ(Softmode)"); 01115 else 01116 #endif 01117 strcat(res_mods, " DAZ"); 01118 } 01119 #endif 01120 #ifdef CONFIG_RSBAC_FF 01121 if(result == mod_result[FF]) 01122 { 01123 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01124 if(rsbac_ind_softmode[FF]) 01125 strcat(res_mods, " FF(Softmode)"); 01126 else 01127 #endif 01128 strcat(res_mods, " FF"); 01129 } 01130 #endif 01131 #ifdef CONFIG_RSBAC_RC 01132 if(result == mod_result[RC]) 01133 { 01134 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01135 if(rsbac_ind_softmode[RC]) 01136 strcat(res_mods, " RC(Softmode)"); 01137 else 01138 #endif 01139 strcat(res_mods, " RC"); 01140 } 01141 #endif 01142 #ifdef CONFIG_RSBAC_AUTH 01143 if(result == mod_result[AUTH]) 01144 { 01145 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01146 if(rsbac_ind_softmode[AUTH]) 01147 strcat(res_mods, " AUTH(Softmode)"); 01148 else 01149 #endif 01150 strcat(res_mods, " AUTH"); 01151 } 01152 #endif 01153 #ifdef CONFIG_RSBAC_ACL 01154 if(result == mod_result[ACL]) 01155 { 01156 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01157 if(rsbac_ind_softmode[ACL]) 01158 strcat(res_mods, " ACL(Softmode)"); 01159 else 01160 #endif 01161 strcat(res_mods, " ACL"); 01162 } 01163 #endif 01164 #ifdef CONFIG_RSBAC_CAP 01165 if(result == mod_result[CAP]) 01166 { 01167 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01168 if(rsbac_ind_softmode[CAP]) 01169 strcat(res_mods, " CAP(Softmode)"); 01170 else 01171 #endif 01172 strcat(res_mods, " CAP"); 01173 } 01174 #endif 01175 #ifdef CONFIG_RSBAC_JAIL 01176 if(result == mod_result[JAIL]) 01177 { 01178 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01179 if(rsbac_ind_softmode[JAIL]) 01180 strcat(res_mods, " JAIL(Softmode)"); 01181 else 01182 #endif 01183 strcat(res_mods, " JAIL"); 01184 } 01185 #endif 01186 #ifdef CONFIG_RSBAC_RES 01187 if(result == mod_result[RES]) 01188 { 01189 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01190 if(rsbac_ind_softmode[RES]) 01191 strcat(res_mods, " RES(Softmode)"); 01192 else 01193 #endif 01194 strcat(res_mods, " RES"); 01195 } 01196 #endif 01197 #ifdef CONFIG_RSBAC_REG 01198 if(result == mod_result[REG]) 01199 { 01200 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01201 if(rsbac_ind_softmode[REG]) 01202 strcat(res_mods, " REG(Softmode)"); 01203 else 01204 #endif 01205 strcat(res_mods, " REG"); 01206 } 01207 #endif 01208 #endif /* !MAINT */ 01209 if(!res_mods[0]) 01210 strcat(res_mods, " ADF"); 01211 get_target_name(target_type_name, target, target_id_name, tid); 01212 get_attribute_name(attr_name, attr); 01213 get_result_name(res_name, result); 01214 if ((current) && (current->comm)) 01215 { 01216 strncpy(command,current->comm,16); 01217 command[16] = (char) 0; 01218 } 01219 if( (request == R_CREATE) 01220 && (target == T_DIR) 01221 && (attr == A_create_data) 01222 ) 01223 { 01224 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01225 01226 if(tmp) 01227 { 01228 if(attr_val.create_data.dentry_p) 01229 snprintf(new_target_name, RSBAC_MAXNAMELEN, 01230 ", new_object %s %s, mode %o", 01231 get_target_name_only(tmp, attr_val.create_data.target), 01232 attr_val.create_data.dentry_p->d_name.name, 01233 attr_val.create_data.mode & S_IALLUGO); 01234 else 01235 snprintf(new_target_name, RSBAC_MAXNAMELEN, 01236 ", new_object %s, mode %o", 01237 get_target_name_only(tmp, attr_val.create_data.target), 01238 attr_val.create_data.mode & S_IALLUGO); 01239 rsbac_kfree(tmp); 01240 } 01241 } 01242 01243 #ifdef CONFIG_RSBAC_RMSG 01244 /* if pseudo is set, its value is != 0, else -> use id */ 01245 if (pseudo) 01246 { 01247 #ifdef CONFIG_RSBAC_SOFTMODE 01248 if(rsbac_softmode) 01249 rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s, pseudo %u, target_type %s, tid %s, attr %s, value %u%s, result %s (Softmode) by%s\n", 01250 request_name, caller_pid, parent_pid, command, i_attr_val.pseudo, target_type_name, target_id_name, attr_name, attr_val.dummy, new_target_name, res_name, res_mods); 01251 else 01252 #endif 01253 rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s, pseudo %u, target_type %s, tid %s, attr %s, value %u%s, result %s by%s\n", 01254 request_name, caller_pid, parent_pid, command, i_attr_val.pseudo, target_type_name, target_id_name, attr_name, attr_val.dummy, new_target_name, res_name, res_mods); 01255 } 01256 else 01257 { 01258 #ifdef CONFIG_RSBAC_SOFTMODE 01259 if(rsbac_softmode) 01260 rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s, uid %u, target_type %s, tid %s, attr %s, value %u%s, result %s (Softmode) by%s\n", 01261 request_name, caller_pid, parent_pid, command, owner, target_type_name, target_id_name, attr_name, attr_val.dummy, new_target_name, res_name, res_mods); 01262 else 01263 #endif 01264 rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s, uid %u, target_type %s, tid %s, attr %s, value %u%s, result %s by%s\n", 01265 request_name, caller_pid, parent_pid, command, owner, target_type_name, target_id_name, attr_name, attr_val.dummy, new_target_name, res_name, res_mods); 01266 } 01267 #endif 01268 #ifndef CONFIG_RSBAC_RMSG_EXCL 01269 /* only log to standard syslog, if not disabled by kernel boot parameter */ 01270 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01271 if (!rsbac_nosyslog) 01272 #endif 01273 { 01274 /* if pseudo is set, its value is != 0, else -> use id */ 01275 if (pseudo) 01276 { 01277 #ifdef CONFIG_RSBAC_SOFTMODE 01278 if(rsbac_softmode) 01279 printk(KERN_INFO 01280 "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s, pseudo %u, target_type %s, tid %s, attr %s, value %u%s, result %s (Softmode) by%s\n", 01281 request_name, caller_pid, parent_pid, command, i_attr_val.pseudo, target_type_name, target_id_name, attr_name, attr_val.dummy, new_target_name, res_name, res_mods); 01282 else 01283 #endif 01284 printk(KERN_INFO 01285 "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s, pseudo %u, target_type %s, tid %s, attr %s, value %u%s, result %s by%s\n", 01286 request_name, caller_pid, parent_pid, command, i_attr_val.pseudo, target_type_name, target_id_name, attr_name, attr_val.dummy, new_target_name, res_name, res_mods); 01287 } 01288 else 01289 { 01290 #ifdef CONFIG_RSBAC_SOFTMODE 01291 if(rsbac_softmode) 01292 printk(KERN_INFO 01293 "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s, uid %u, target_type %s, tid %s, attr %s, value %u%s, result %s (Softmode) by%s\n", 01294 request_name, caller_pid, parent_pid, command, owner, target_type_name, target_id_name, attr_name, attr_val.dummy, new_target_name, res_name, res_mods); 01295 else 01296 #endif 01297 printk(KERN_INFO 01298 "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s, uid %u, target_type %s, tid %s, attr %s, value %u%s, result %s by%s\n", 01299 request_name, caller_pid, parent_pid, command, owner, target_type_name, target_id_name, attr_name, attr_val.dummy, new_target_name, res_name, res_mods); 01300 } 01301 } 01302 #endif 01303 /* rsbac_kfree all helper mem */ 01304 rsbac_kfree(request_name); 01305 rsbac_kfree(res_name); 01306 rsbac_kfree(res_mods); 01307 rsbac_kfree(target_type_name); 01308 rsbac_kfree(target_id_name); 01309 rsbac_kfree(attr_name); 01310 rsbac_kfree(new_target_name); 01311 } 01312 01313 /* UNDEFINED must never be returned -> change result */ 01314 if(result == UNDEFINED) 01315 result = NOT_GRANTED; 01316 01317 /* count */ 01318 rsbac_adf_request_count[target]++; 01319 #ifdef CONFIG_RSBAC_XSTATS 01320 rsbac_adf_request_xcount[target][request]++; 01321 #endif 01322 01323 /* return result */ 01324 #ifdef CONFIG_RSBAC_SOFTMODE 01325 if(rsbac_softmode && !rsbac_internal) 01326 return DO_NOT_CARE; 01327 else 01328 #endif 01329 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01330 return ret_result; 01331 #else 01332 return result; /* change for debugging! */ 01333 #endif 01334 }; /* end of rsbac_adf_request_int() */ 01335 01336 01337 /*********************************************************************/ 01338 /* rsbac_adf_request() */ 01339 /* This function is the main decision function, called from the AEF. */ 01340 /* It is a simple wrapper to the internal function, setting */ 01341 /* ignore_module to SW_NONE. */ 01342 01343 EXPORT_SYMBOL(rsbac_adf_request); 01344 enum rsbac_adf_req_ret_t 01345 rsbac_adf_request( enum rsbac_adf_request_t request, 01346 rsbac_pid_t caller_pid, 01347 enum rsbac_target_t target, 01348 union rsbac_target_id_t tid, 01349 enum rsbac_attribute_t attr, 01350 union rsbac_attribute_value_t attr_val) 01351 { 01352 return(rsbac_adf_request_int(request, 01353 caller_pid, 01354 target, 01355 tid, 01356 attr, 01357 attr_val, 01358 SW_NONE)); 01359 } 01360 01361 /*****************************************************************************/ 01362 /* If the request returned granted and the operation is performed, */ 01363 /* the following function is called by the AEF to get all aci set correctly. */ 01364 /* The second instance of target specification is the new target, if one has */ 01365 /* been created, otherwise its values are ignored. */ 01366 /* It returns 0 on success and an error from error.h otherwise. */ 01367 01368 EXPORT_SYMBOL(rsbac_adf_set_attr); 01369 int rsbac_adf_set_attr( 01370 enum rsbac_adf_request_t request, 01371 rsbac_pid_t caller_pid, 01372 enum rsbac_target_t target, 01373 union rsbac_target_id_t tid, 01374 enum rsbac_target_t new_target, 01375 union rsbac_target_id_t new_tid, 01376 enum rsbac_attribute_t attr, 01377 union rsbac_attribute_value_t attr_val) 01378 { 01379 #if defined(CONFIG_RSBAC_IND_PROG_LOG) || defined(CONFIG_RSBAC_IND_USER_LOG) 01380 union rsbac_target_id_t i_tid; 01381 #endif 01382 rsbac_uid_t owner; 01383 int error = 0; 01384 boolean do_log = FALSE; 01385 boolean log_on_request = TRUE; 01386 #ifdef CONFIG_RSBAC_IND_LOG /* only if individual logging is enabled */ 01387 union rsbac_attribute_value_t i_attr_val,i_attr_val2; 01388 enum rsbac_log_level_t log_level; 01389 #endif 01390 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT 01391 struct super_block * sb_p; 01392 #endif 01393 01394 /* No attribute setting possible before init (called at boot time) */ 01395 01396 if (!rsbac_is_initialized()) 01397 return(0); 01398 01399 /* kernel (pid 0) is ignored */ 01400 if ( !caller_pid 01401 #if defined(CONFIG_RSBAC_LOG_REMOTE) 01402 || (caller_pid == rsbaclogd_pid) 01403 #endif 01404 ) 01405 return(0); 01406 01407 /* Checking base values */ 01408 if( request >= R_NONE 01409 || target > T_NONE 01410 || new_target > T_NONE 01411 || attr > A_none) 01412 { 01413 #ifdef CONFIG_RSBAC_RMSG 01414 rsbac_printk(KERN_WARNING 01415 "rsbac_adf_set_attr(): called with invalid request, target or attribute\n"); 01416 #endif 01417 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01418 if (!rsbac_nosyslog) 01419 #endif 01420 printk(KERN_WARNING 01421 "rsbac_adf_set_attr(): called with invalid request, target or attribute\n"); 01422 return(-RSBAC_EINVALIDVALUE); 01423 } 01424 01425 /* Getting basic information about this adf_set_attr-call */ 01426 01427 owner = RSBAC_NO_USER; 01428 /* only useful for real process, not idle or init */ 01429 if (caller_pid > 1) 01430 { 01431 error = rsbac_get_owner(&owner); 01432 if(error) 01433 { 01434 #ifdef CONFIG_RSBAC_RMSG 01435 rsbac_printk(KERN_DEBUG 01436 "rsbac_adf_set_attr(): caller_pid %i, RSBAC not initialized, returning 0", 01437 caller_pid); 01438 #endif 01439 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01440 if (!rsbac_nosyslog) 01441 #endif 01442 printk(KERN_DEBUG 01443 "rsbac_adf_set_attr(): caller_pid %i, RSBAC not initialized, returning 0", 01444 caller_pid); 01445 return(0); /* Startup-Sequence (see above) */ 01446 } 01447 } 01448 else /* caller_pid = 1 -> init -> owner = root */ 01449 owner = 0; 01450 01451 /*************************************************/ 01452 /* General work for all modules - before modules */ 01453 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT 01454 if ( ( (target == T_FILE) 01455 || (target == T_DIR) 01456 || (target == T_FIFO) 01457 || (target == T_SYMLINK) 01458 ) 01459 && ((sb_p = rsbac_get_super_block(tid.file.device))) 01460 && ( (sb_p->s_magic == NFS_SUPER_MAGIC) 01461 || (sb_p->s_magic == CODA_SUPER_MAGIC) 01462 || (sb_p->s_magic == NCP_SUPER_MAGIC) 01463 || (sb_p->s_magic == SMB_SUPER_MAGIC) 01464 ) 01465 ) 01466 { 01467 error = 0; 01468 goto log; 01469 } 01470 #endif 01471 01472 /**********************************************************/ 01473 /* calling all decision modules, building a common result */ 01474 01475 01476 #ifdef CONFIG_RSBAC_DEBUG 01477 /* first, check for valid request/target combination */ 01478 error |= rsbac_adf_set_attr_check(request, 01479 caller_pid, 01480 target, 01481 tid, 01482 new_target, 01483 new_tid, 01484 attr, 01485 attr_val, 01486 owner); 01487 if(error) 01488 goto general_work; 01489 #endif 01490 01491 #if !defined(CONFIG_RSBAC_MAINT) 01492 /******* MAC ********/ 01493 #if defined(CONFIG_RSBAC_MAC) 01494 #ifdef CONFIG_RSBAC_SWITCH 01495 if (rsbac_switch_mac) 01496 #endif 01497 error |= rsbac_adf_set_attr_mac(request, 01498 caller_pid, 01499 target, 01500 tid, 01501 new_target, 01502 new_tid, 01503 attr, 01504 attr_val, 01505 owner); 01506 #endif /* MAC */ 01507 01508 /******* FC ********/ 01509 #ifdef CONFIG_RSBAC_FC 01510 #ifdef CONFIG_RSBAC_SWITCH 01511 if (rsbac_switch_fc) 01512 #endif 01513 error |= rsbac_adf_set_attr_fc (request, 01514 caller_pid, 01515 target, 01516 tid, 01517 new_target, 01518 new_tid, 01519 attr, 01520 attr_val, 01521 owner); 01522 #endif /* FC */ 01523 01524 /******* SIM ********/ 01525 #ifdef CONFIG_RSBAC_SIM 01526 #ifdef CONFIG_RSBAC_SWITCH 01527 if (rsbac_switch_sim) 01528 #endif 01529 error |= rsbac_adf_set_attr_sim(request, 01530 caller_pid, 01531 target, 01532 tid, 01533 new_target, 01534 new_tid, 01535 attr, 01536 attr_val, 01537 owner); 01538 #endif /* SIM */ 01539 01540 /******* PM ********/ 01541 #ifdef CONFIG_RSBAC_PM 01542 #ifdef CONFIG_RSBAC_SWITCH 01543 if (rsbac_switch_pm) 01544 #endif 01545 error |= rsbac_adf_set_attr_pm (request, 01546 caller_pid, 01547 target, 01548 tid, 01549 new_target, 01550 new_tid, 01551 attr, 01552 attr_val, 01553 owner); 01554 #endif /* PM */ 01555 01556 /******* DAZ ********/ 01557 #ifdef CONFIG_RSBAC_DAZ 01558 #ifdef CONFIG_RSBAC_SWITCH 01559 if (rsbac_switch_daz) 01560 #endif 01561 error |= rsbac_adf_set_attr_daz (request, 01562 caller_pid, 01563 target, 01564 tid, 01565 new_target, 01566 new_tid, 01567 attr, 01568 attr_val, 01569 owner); 01570 #endif /* DAZ */ 01571 01572 /******* FF ********/ 01573 #if 0 /* Nothing to do in there */ 01574 #ifdef CONFIG_RSBAC_FF 01575 #ifdef CONFIG_RSBAC_SWITCH 01576 if (rsbac_switch_ff) 01577 #endif 01578 error |= rsbac_adf_set_attr_ff (request, 01579 caller_pid, 01580 target, 01581 tid, 01582 new_target, 01583 new_tid, 01584 attr, 01585 attr_val, 01586 owner); 01587 #endif /* FF */ 01588 #endif /* 0 */ 01589 01590 /******* RC ********/ 01591 #ifdef CONFIG_RSBAC_RC 01592 #ifdef CONFIG_RSBAC_SWITCH 01593 if (rsbac_switch_rc) 01594 #endif 01595 error |= rsbac_adf_set_attr_rc (request, 01596 caller_pid, 01597 target, 01598 tid, 01599 new_target, 01600 new_tid, 01601 attr, 01602 attr_val, 01603 owner); 01604 #endif /* RC */ 01605 01606 /****** AUTH *******/ 01607 #ifdef CONFIG_RSBAC_AUTH 01608 #ifdef CONFIG_RSBAC_SWITCH 01609 if (rsbac_switch_auth) 01610 #endif 01611 error |= rsbac_adf_set_attr_auth(request, 01612 caller_pid, 01613 target, 01614 tid, 01615 new_target, 01616 new_tid, 01617 attr, 01618 attr_val, 01619 owner); 01620 #endif /* AUTH */ 01621 01622 /****** ACL *******/ 01623 #ifdef CONFIG_RSBAC_ACL 01624 #ifdef CONFIG_RSBAC_SWITCH 01625 if (rsbac_switch_acl) 01626 #endif 01627 error |= rsbac_adf_set_attr_acl (request, 01628 caller_pid, 01629 target, 01630 tid, 01631 new_target, 01632 new_tid, 01633 attr, 01634 attr_val, 01635 owner); 01636 #endif /* ACL */ 01637 01638 /****** CAP *******/ 01639 #ifdef CONFIG_RSBAC_CAP 01640 #ifdef CONFIG_RSBAC_SWITCH 01641 if (rsbac_switch_cap) 01642 #endif 01643 error |= rsbac_adf_set_attr_cap (request, 01644 caller_pid, 01645 target, 01646 tid, 01647 new_target, 01648 new_tid, 01649 attr, 01650 attr_val, 01651 owner); 01652 #endif /* CAP */ 01653 01654 /****** JAIL *******/ 01655 #ifdef CONFIG_RSBAC_JAIL 01656 #ifdef CONFIG_RSBAC_SWITCH 01657 if (rsbac_switch_jail) 01658 #endif 01659 error |= rsbac_adf_set_attr_jail(request, 01660 caller_pid, 01661 target, 01662 tid, 01663 new_target, 01664 new_tid, 01665 attr, 01666 attr_val, 01667 owner); 01668 #endif /* JAIL */ 01669 01670 /******* PAX ********/ 01671 #ifdef CONFIG_RSBAC_PAX 01672 #ifdef CONFIG_RSBAC_SWITCH 01673 if (rsbac_switch_pax) 01674 #endif 01675 error |= rsbac_adf_set_attr_pax (request, 01676 caller_pid, 01677 target, 01678 tid, 01679 new_target, 01680 new_tid, 01681 attr, 01682 attr_val, 01683 owner); 01684 #endif /* PAX */ 01685 01686 /****** RES *******/ 01687 #ifdef CONFIG_RSBAC_RES 01688 #ifdef CONFIG_RSBAC_SWITCH 01689 if (rsbac_switch_res) 01690 #endif 01691 error |= rsbac_adf_set_attr_res (request, 01692 caller_pid, 01693 target, 01694 tid, 01695 new_target, 01696 new_tid, 01697 attr, 01698 attr_val, 01699 owner); 01700 #endif /* RES */ 01701 01702 /****** REG *******/ 01703 #ifdef CONFIG_RSBAC_REG 01704 error |= rsbac_adf_set_attr_reg (request, 01705 caller_pid, 01706 target, 01707 tid, 01708 new_target, 01709 new_tid, 01710 attr, 01711 attr_val, 01712 owner); 01713 #endif /* REG */ 01714 #endif /* !MAINT */ 01715 01716 /* General work for all modules (after set_attr call) */ 01717 #ifdef CONFIG_RSBAC_DEBUG 01718 general_work: 01719 #endif 01720 switch(request) 01721 { 01722 /* remove deleted item from rsbac data */ 01723 case R_DELETE : 01724 switch (target) 01725 { 01726 case T_FILE: 01727 case T_FIFO: 01728 case T_SYMLINK: 01729 /* Only remove file/fifo target on deletion of last link */ 01730 if ( (attr == A_nlink) 01731 && (attr_val.nlink > 1) 01732 ) 01733 break; 01734 /* fall through */ 01735 case T_DIR: 01736 rsbac_remove_target(target,tid); 01737 break; 01738 case T_IPC: 01739 /* shm removal delayed and removed directly, when destroyed */ 01740 if(tid.ipc.type != I_shm) 01741 rsbac_remove_target(target,tid); 01742 break; 01743 default: 01744 break; 01745 } 01746 break; 01747 01748 #if defined(CONFIG_RSBAC_IND_PROG_LOG) || defined(CONFIG_RSBAC_FAKE_ROOT_UID) 01749 case R_CLONE: 01750 switch (target) 01751 { 01752 case T_PROCESS: 01753 #if defined(CONFIG_RSBAC_IND_PROG_LOG) 01754 /* get program based log from old process */ 01755 if (rsbac_get_attr(GEN, 01756 target, 01757 tid, 01758 A_log_program_based, 01759 &i_attr_val, 01760 FALSE)) 01761 { 01762 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based); 01763 } 01764 else 01765 { /* only set, of not default value 0 */ 01766 if(i_attr_val.log_program_based) 01767 { 01768 /* set program based log for new process */ 01769 if (rsbac_set_attr(GEN, new_target, 01770 new_tid, 01771 A_log_program_based, 01772 i_attr_val)) 01773 { 01774 rsbac_ds_set_error("rsbac_adf_set_attr()", A_log_program_based); 01775 } 01776 } 01777 } 01778 #endif 01779 #if defined(CONFIG_RSBAC_FAKE_ROOT_UID) 01780 /* get program based log from old process */ 01781 if (rsbac_get_attr(GEN, 01782 target, 01783 tid, 01784 A_fake_root_uid, 01785 &i_attr_val, 01786 FALSE)) 01787 { 01788 rsbac_ds_get_error("rsbac_adf_set_attr()", A_fake_root_uid); 01789 } 01790 else 01791 { /* only set, of not default value 0 */ 01792 if(i_attr_val.fake_root_uid) 01793 { 01794 /* set program based log for new process */ 01795 if (rsbac_set_attr(GEN, new_target, 01796 new_tid, 01797 A_fake_root_uid, 01798 i_attr_val)) 01799 { 01800 rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid); 01801 } 01802 } 01803 } 01804 #endif 01805 break; 01806 01807 default: 01808 break; 01809 } 01810 break; 01811 #endif /* CONFIG_RSBAC_IND_PROG_LOG || CONFIG_RSBAC_FAKE_ROOT_UID */ 01812 01813 #ifdef CONFIG_RSBAC_NET_OBJ 01814 case R_CLOSE: 01815 switch (target) 01816 { 01817 case T_NETOBJ: 01818 rsbac_remove_target(target,tid); 01819 break; 01820 01821 default: 01822 break; 01823 } 01824 break; 01825 #endif /* CONFIG_RSBAC_NET_OBJ */ 01826 01827 #if defined(CONFIG_RSBAC_IND_PROG_LOG) || defined(CONFIG_RSBAC_FAKE_ROOT_UID) 01828 case R_EXECUTE : 01829 switch (target) 01830 { 01831 case T_FILE: 01832 #if defined(CONFIG_RSBAC_IND_PROG_LOG) 01833 /* get program based log from file */ 01834 if (rsbac_get_attr(GEN, 01835 target, 01836 tid, 01837 A_log_program_based, 01838 &i_attr_val, 01839 FALSE)) 01840 { 01841 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based); 01842 } 01843 else 01844 { 01845 /* set program based log for process */ 01846 i_tid.process = caller_pid; 01847 if (rsbac_set_attr(GEN, T_PROCESS, 01848 i_tid, 01849 A_log_program_based, 01850 i_attr_val)) 01851 { 01852 rsbac_ds_set_error("rsbac_adf_set_attr()", A_log_program_based); 01853 } 01854 } 01855 #endif 01856 #if defined(CONFIG_RSBAC_FAKE_ROOT_UID) 01857 /* get fake_root_uid from file */ 01858 if (rsbac_get_attr(GEN, 01859 target, 01860 tid, 01861 A_fake_root_uid, 01862 &i_attr_val, 01863 FALSE)) 01864 { 01865 rsbac_ds_get_error("rsbac_adf_set_attr()", A_fake_root_uid); 01866 } 01867 else 01868 { 01869 /* set fake_root_uid for process */ 01870 i_tid.process = caller_pid; 01871 if (rsbac_set_attr(GEN, T_PROCESS, 01872 i_tid, 01873 A_fake_root_uid, 01874 i_attr_val)) 01875 { 01876 rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid); 01877 } 01878 } 01879 #endif 01880 break; 01881 01882 default: 01883 break; 01884 } 01885 break; 01886 #endif /* CONFIG_RSBAC_IND_PROG_LOG || CONFIG_RSBAC_FAKE_ROOT_UID */ 01887 01888 default: 01889 break; 01890 } 01891 01892 #if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET) 01893 if( rsbac_debug_adf_net 01894 && ( (target == T_NETDEV) 01895 || (target == T_NETTEMP) 01896 || (target == T_NETOBJ) 01897 ) 01898 ) 01899 do_log = TRUE; 01900 #endif 01901 01902 /* log based on process owner */ 01903 #ifdef CONFIG_RSBAC_IND_USER_LOG 01904 i_tid.user = owner; 01905 if (rsbac_get_attr(GEN, 01906 T_USER, 01907 i_tid, 01908 A_log_user_based, 01909 &i_attr_val, 01910 FALSE)) 01911 { 01912 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_user_based); 01913 } 01914 else 01915 { 01916 if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_user_based) 01917 do_log = TRUE; 01918 } 01919 #endif /* CONFIG_RSBAC_IND_USER_LOG */ 01920 01921 /* log based on program */ 01922 #ifdef CONFIG_RSBAC_IND_PROG_LOG 01923 if(!do_log) 01924 { 01925 i_tid.process = caller_pid; 01926 if (rsbac_get_attr(GEN, 01927 T_PROCESS, 01928 i_tid, 01929 A_log_program_based, 01930 &i_attr_val, 01931 FALSE)) 01932 { 01933 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based); 01934 } 01935 else 01936 { 01937 if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_program_based) 01938 do_log = TRUE; 01939 } 01940 } 01941 #endif /* CONFIG_RSBAC_IND_PROG_LOG */ 01942 01943 01944 /* logging request on info level, if requested by file/dir/dev attributes */ 01945 /* log_array_low/high, or, if that is requested, if enabled for this request */ 01946 /* type (attributes state level, or that request based level is to be taken) */ 01947 /* loglevel 2: log everything */ 01948 /* loglevel 1: log, if denied */ 01949 /* loglevel 0: log nothing */ 01950 01951 #ifdef CONFIG_RSBAC_IND_LOG /* only if individual logging is enabled */ 01952 /* if file/dir/dev, depend log on log_arrays */ 01953 /* (but not for file.device = 0) */ 01954 /* log_on_request is TRUE */ 01955 if(!do_log) 01956 { 01957 if( ( ( (target == T_FILE) 01958 || (target == T_DIR) 01959 || (target == T_FIFO) 01960 || (target == T_SYMLINK) 01961 ) 01962 && RSBAC_MAJOR(tid.file.device) 01963 && RSBAC_MINOR(tid.file.device) 01964 ) 01965 || (target == T_DEV) 01966 ) 01967 { 01968 if (rsbac_get_attr(GEN, 01969 target, 01970 tid, 01971 A_log_array_low, 01972 &i_attr_val, 01973 FALSE)) 01974 { 01975 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_array_low); 01976 } 01977 else 01978 { 01979 if (rsbac_get_attr(GEN, 01980 target, 01981 tid, 01982 A_log_array_high, 01983 &i_attr_val2, 01984 FALSE)) 01985 { 01986 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_array_high); 01987 } 01988 else 01989 { /* ll = low-bit for request | (high-bit for request as bit 1) */ 01990 log_level = ((i_attr_val.log_array_low >> request) & 1) 01991 | ( ((i_attr_val2.log_array_high >> request) & 1) << 1); 01992 if ( log_level == LL_full 01993 || ( log_level == LL_denied 01994 && error) ) 01995 { 01996 do_log = TRUE; 01997 } 01998 if(log_level != LL_request) 01999 log_on_request = FALSE; 02000 } 02001 } 02002 } 02003 } 02004 #endif /* CONFIG_RSBAC_IND_LOG */ 02005 02006 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT 02007 log: 02008 #endif 02009 /* if enabled, try request based log level */ 02010 if (log_on_request 02011 && ( rsbac_log_levels[request][target] == LL_full 02012 || ( rsbac_log_levels[request][target] == LL_denied 02013 && error) ) ) 02014 do_log = TRUE; 02015 02016 if(do_log) 02017 { 02018 char * request_name; 02019 char * target_type_name; 02020 char * new_target_type_name; 02021 char * target_id_name; 02022 char * new_target_id_name; 02023 char * attr_name; 02024 02025 /* rsbac_kmalloc all memory */ 02026 request_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 02027 target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 02028 new_target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 02029 #ifdef CONFIG_RSBAC_LOG_FULL_PATH 02030 target_id_name 02031 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); 02032 new_target_id_name 02033 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); 02034 /* max. path name len + some extra */ 02035 #else 02036 target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); 02037 new_target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); 02038 /* max. file name len + some extra */ 02039 #endif 02040 attr_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 02041 02042 /* Getting basic information about this request */ 02043 request_name[0] = (char) 0; 02044 target_type_name[0] = (char) 0; 02045 target_id_name[0] = (char) 0; 02046 new_target_type_name[0] = (char) 0; 02047 new_target_id_name[0] = (char) 0; 02048 attr_name[0] = (char) 0; 02049 get_request_name(request_name, request); 02050 get_target_name(target_type_name, target, target_id_name, tid); 02051 get_target_name(new_target_type_name, new_target, 02052 new_target_id_name, new_tid); 02053 get_attribute_name(attr_name, attr); 02054 02055 #ifdef CONFIG_RSBAC_RMSG 02056 /* Logging without pseudo or user id, see previous request log */ 02057 rsbac_printk(KERN_INFO 02058 "rsbac_adf_set_attr(): request %s, pid %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n", 02059 request_name, (u_int) caller_pid, target_type_name, target_id_name, 02060 new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error); 02061 #endif 02062 #ifndef CONFIG_RSBAC_RMSG_EXCL 02063 /* Logging without pseudo or user id, see previous request log */ 02064 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02065 if (!rsbac_nosyslog) 02066 #endif 02067 printk(KERN_INFO 02068 "rsbac_adf_set_attr(): request %s, pid %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n", 02069 request_name, (u_int) caller_pid, target_type_name, target_id_name, 02070 new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error); 02071 #endif 02072 /* rsbac_kfree all helper mem */ 02073 rsbac_kfree(request_name); 02074 rsbac_kfree(target_type_name); 02075 rsbac_kfree(new_target_type_name); 02076 rsbac_kfree(target_id_name); 02077 rsbac_kfree(new_target_id_name); 02078 rsbac_kfree(attr_name); 02079 } 02080 02081 /* count */ 02082 rsbac_adf_set_attr_count[target]++; 02083 #ifdef CONFIG_RSBAC_XSTATS 02084 rsbac_adf_set_attr_xcount[target][request]++; 02085 #endif 02086 02087 return(error); 02088 }; /* end of rsbac_adf_set_attr() */ 02089 02090 02091 /**************** 02092 * 02093 * Secure Delete 02094 * 02095 ****************/ 02096 02097 #ifdef CONFIG_RSBAC_SECDEL 02098 02099 /* open_by_dentry */ 02100 /* This is done by hand (copy from rsbac_read_open), because system calls */ 02101 /* are currently blocked by rsbac */ 02102 02103 static int open_by_dentry(struct dentry * file_dentry_p, struct file * file_p) 02104 { 02105 int tmperr; 02106 02107 if ( !(S_ISREG(file_dentry_p->d_inode->i_mode)) ) 02108 { /* this is not a file! -> error! */ 02109 #ifdef CONFIG_RSBAC_RMSG 02110 rsbac_printk(KERN_WARNING 02111 "open_by_dentry(): expected file is not a file!\n"); 02112 #endif 02113 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02114 if (!rsbac_nosyslog) 02115 #endif 02116 printk(KERN_WARNING 02117 "open_by_dentry(): expected file is not a file!\n"); 02118 return (-RSBAC_EWRITEFAILED); 02119 } 02120 /* Now we fill the file structure, and */ 02121 /* if there is an open func, use it, otherwise ignore */ 02122 if ((tmperr = init_private_file(file_p, file_dentry_p, O_WRONLY))) 02123 { 02124 #ifdef CONFIG_RSBAC_RMSG 02125 rsbac_printk(KERN_WARNING 02126 "open_by_dentry(): could not open file!\n"); 02127 #endif 02128 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02129 if (!rsbac_nosyslog) 02130 #endif 02131 printk(KERN_WARNING 02132 "open_by_dentry(): could not open file!\n"); 02133 return (-RSBAC_EWRITEFAILED); 02134 } 02135 /* Without a write function we get into troubles -> error */ 02136 if ((!file_p->f_op) || (!file_p->f_op->write)) 02137 { 02138 #ifdef CONFIG_RSBAC_RMSG 02139 rsbac_printk(KERN_WARNING 02140 "open_by_dentry(): file write function missing!\n"); 02141 #endif 02142 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02143 if (!rsbac_nosyslog) 02144 #endif 02145 printk(KERN_WARNING 02146 "open_by_dentry(): file write function missing!\n"); 02147 if (file_p->f_op && file_p->f_op->release) 02148 file_p->f_op->release(file_dentry_p->d_inode,file_p); 02149 return(-RSBAC_EWRITEFAILED); 02150 } 02151 /* trying to get write access */ 02152 /* 02153 if (get_write_access(file_dentry_p->d_inode)) 02154 { 02155 #ifdef CONFIG_RSBAC_RMSG 02156 rsbac_printk(KERN_WARNING 02157 "rsbac_write_open(): could not get write access!\n"); 02158 #endif 02159 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02160 if (!rsbac_nosyslog) 02161 #endif 02162 printk(KERN_WARNING 02163 "rsbac_write_open(): could not get write access!\n"); 02164 if (file_p->f_op->release) 02165 file_p->f_op->release(file_dentry_p->d_inode,file_p); 02166 return(-RSBAC_EWRITEFAILED); 02167 } 02168 */ 02169 return 0; 02170 } 02171 02172 /* 02173 ********************** 02174 * Secure File Truncation 02175 */ 02176 02177 EXPORT_SYMBOL(rsbac_sec_trunc); 02178 int rsbac_sec_trunc(struct dentry * dentry_p, 02179 loff_t new_len, loff_t old_len) 02180 { 02181 #if defined(CONFIG_RSBAC_MAINT) 02182 return 0; 02183 #else 02184 int err = 0; 02185 boolean need_overwrite = FALSE; 02186 02187 if (!rsbac_is_initialized()) 02188 return 0; 02189 /* security checks */ 02190 if( !dentry_p 02191 || !dentry_p->d_inode) 02192 return -RSBAC_EINVALIDPOINTER; 02193 if(!S_ISREG(dentry_p->d_inode->i_mode)) 02194 return -RSBAC_EINVALIDTARGET; 02195 if(new_len >= old_len) 02196 return 0; 02197 02198 02199 /******* PM ********/ 02200 #ifdef CONFIG_RSBAC_PM 02201 #ifdef CONFIG_RSBAC_SWITCH 02202 if (rsbac_switch_pm) 02203 #endif 02204 /* no need to call module, if already need_overwrite */ 02205 if(!need_overwrite) 02206 need_overwrite = rsbac_need_overwrite_pm(dentry_p); 02207 #endif /* PM */ 02208 02209 /******* FF ********/ 02210 #ifdef CONFIG_RSBAC_FF 02211 #ifdef CONFIG_RSBAC_SWITCH 02212 if (rsbac_switch_ff) 02213 #endif 02214 /* no need to call module, if already need_overwrite */ 02215 if(!need_overwrite) 02216 need_overwrite = rsbac_need_overwrite_ff(dentry_p); 02217 #endif /* FF */ 02218 02219 /******* RC ********/ 02220 #ifdef CONFIG_RSBAC_RC 02221 #ifdef CONFIG_RSBAC_SWITCH 02222 if (rsbac_switch_rc) 02223 #endif 02224 /* no need to call module, if already need_overwrite */ 02225 if(!need_overwrite) 02226 need_overwrite = rsbac_need_overwrite_rc(dentry_p); 02227 #endif /* RC */ 02228 02229 /****** RES *******/ 02230 #ifdef CONFIG_RSBAC_RES 02231 #ifdef CONFIG_RSBAC_SWITCH 02232 if (rsbac_switch_res) 02233 #endif 02234 /* no need to call module, if already need_overwrite */ 02235 if(!need_overwrite) 02236 need_overwrite = rsbac_need_overwrite_res(dentry_p); 02237 #endif /* RES */ 02238 02239 /****** REG *******/ 02240 #ifdef CONFIG_RSBAC_REG 02241 if(!need_overwrite) 02242 need_overwrite = rsbac_need_overwrite_reg(dentry_p); 02243 #endif /* REG */ 02244 02245 if(need_overwrite) 02246 { 02247 char * buffer; 02248 boolean vmalloc_used; 02249 struct file file; 02250 int tmperr = 0; 02251 int len; 02252 mm_segment_t oldfs; 02253 02254 buffer = rsbac_vkmalloc(RSBAC_SEC_DEL_CHUNK_SIZE, &vmalloc_used); 02255 if(!buffer) 02256 return -RSBAC_ENOMEM; 02257 02258 #ifdef CONFIG_RSBAC_DEBUG 02259 if(rsbac_debug_write) 02260 { 02261 #ifdef CONFIG_RSBAC_RMSG 02262 rsbac_printk(KERN_DEBUG 02263 "rsbac_sec_trunc(): zeroing of file %lu on device %02u:%02u from byte %lu to %lu!\n", 02264 dentry_p->d_inode->i_ino, 02265 MAJOR(dentry_p->d_inode->i_sb->s_dev), 02266 MINOR(dentry_p->d_inode->i_sb->s_dev), 02267 (u_long) new_len, 02268 (u_long) old_len-1); 02269 #endif 02270 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02271 if (!rsbac_nosyslog) 02272 #endif 02273 printk(KERN_DEBUG 02274 "rsbac_sec_trunc(): zeroing of file %lu on device %02u:%02u from byte %lu to %lu!\n", 02275 dentry_p->d_inode->i_ino, 02276 MAJOR(dentry_p->d_inode->i_sb->s_dev), 02277 MINOR(dentry_p->d_inode->i_sb->s_dev), 02278 (u_long) new_len, 02279 (u_long) old_len-1); 02280 } 02281 #endif 02282 /* open */ 02283 err = open_by_dentry(dentry_p, &file); 02284 if(err) 02285 { 02286 rsbac_vkfree(buffer, vmalloc_used); 02287 return(err); 02288 } 02289 02290 #ifdef CONFIG_RSBAC_DEBUG 02291 if(rsbac_debug_write) 02292 { 02293 #ifdef CONFIG_RSBAC_RMSG 02294 rsbac_printk(KERN_DEBUG 02295 "rsbac_sec_trunc(): file %lu on device %02u:%02u is open, seeking to %lu!\n", 02296 dentry_p->d_inode->i_ino, 02297 MAJOR(dentry_p->d_inode->i_sb->s_dev), 02298 MINOR(dentry_p->d_inode->i_sb->s_dev), 02299 (u_long) new_len); 02300 #endif 02301 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02302 if (!rsbac_nosyslog) 02303 #endif 02304 printk(KERN_DEBUG 02305 "rsbac_sec_trunc(): file %lu on device %02u:%02u is open, seeking to %lu!\n", 02306 dentry_p->d_inode->i_ino, 02307 MAJOR(dentry_p->d_inode->i_sb->s_dev), 02308 MINOR(dentry_p->d_inode->i_sb->s_dev), 02309 (u_long) new_len); 02310 } 02311 #endif 02312 02313 /* OK, now we can start writing */ 02314 02315 /* Set current user space to kernel space, because write() reads 02316 * from user space 02317 */ 02318 oldfs = get_fs(); 02319 set_fs(KERNEL_DS); 02320 02321 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)) 02322 if(file.f_op->llseek) 02323 file.f_op->llseek(&file,new_len,0); 02324 else 02325 #endif 02326 { /* taken from fs/read_write.c */ 02327 file.f_pos = new_len; 02328 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)) 02329 file.f_reada = 0; 02330 #endif 02331 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)) 02332 file.f_version = ++event; 02333 #else 02334 file.f_version = 0; 02335 #endif 02336 } 02337 memset(buffer,0,RSBAC_SEC_DEL_CHUNK_SIZE); 02338 02339 #ifdef CONFIG_RSBAC_DEBUG 02340 if(rsbac_debug_write) 02341 { 02342 #ifdef CONFIG_RSBAC_RMSG 02343 rsbac_printk(KERN_DEBUG 02344 "rsbac_sec_trunc(): file %lu on device %02u:%02u is positioned, starting to write!\n", 02345 dentry_p->d_inode->i_ino, 02346 MAJOR(dentry_p->d_inode->i_sb->s_dev), 02347 MINOR(dentry_p->d_inode->i_sb->s_dev)); 02348 #endif 02349 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02350 if (!rsbac_nosyslog) 02351 #endif 02352 printk(KERN_DEBUG 02353 "rsbac_sec_trunc(): file %lu on device %02u:%02u is positioned, starting to write!\n", 02354 dentry_p->d_inode->i_ino, 02355 MAJOR(dentry_p->d_inode->i_sb->s_dev), 02356 MINOR(dentry_p->d_inode->i_sb->s_dev)); 02357 } 02358 #endif 02359 02360 while(new_len < old_len) 02361 { 02362 len = rsbac_min(RSBAC_SEC_DEL_CHUNK_SIZE, old_len-new_len); 02363 tmperr = file.f_op->write(&file, 02364 buffer, 02365 len, 02366 &file.f_pos); 02367 /* if none written, end of file is reached -> complain and return */ 02368 if (tmperr <= 0) 02369 { 02370 #ifdef CONFIG_RSBAC_RMSG 02371 rsbac_printk(KERN_WARNING 02372 "rsbac_sec_trunc(): write error on file!\n"); 02373 #endif 02374 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02375 if (!rsbac_nosyslog) 02376 #endif 02377 printk(KERN_WARNING 02378 "rsbac_sec_trunc(): write error on file!\n"); 02379 err = -RSBAC_EWRITEFAILED; 02380 goto out; 02381 } 02382 new_len += tmperr; 02383 } 02384 02385 out: 02386 /* Set current user space back to user space, because read() writes */ 02387 /* to user space */ 02388 set_fs(oldfs); 02389 02390 #ifdef CONFIG_RSBAC_DEBUG 02391 if(rsbac_debug_write) 02392 { 02393 #ifdef CONFIG_RSBAC_RMSG 02394 rsbac_printk(KERN_DEBUG 02395 "rsbac_sec_trunc(): syncing file %lu on device %02u:%02u!\n", 02396 dentry_p->d_inode->i_ino, 02397 MAJOR(dentry_p->d_inode->i_sb->s_dev), 02398 MINOR(dentry_p->d_inode->i_sb->s_dev)); 02399 #endif 02400 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02401 if (!rsbac_nosyslog) 02402 #endif 02403 printk(KERN_DEBUG 02404 "rsbac_sec_trunc(): syncing file %lu on device %02u:%02u!\n", 02405 dentry_p->d_inode->i_ino, 02406 MAJOR(dentry_p->d_inode->i_sb->s_dev), 02407 MINOR(dentry_p->d_inode->i_sb->s_dev)); 02408 } 02409 #endif 02410 02411 // err = fsync_inode_buffers(dentry_p->d_inode); 02412 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)) 02413 err = fsync_inode_data_buffers(dentry_p->d_inode); 02414 #else 02415 err = file_fsync(&file, dentry_p, 1); 02416 #endif 02417 02418 /* 02419 if (file.f_op->flush) 02420 file.f_op->flush(&file); 02421 if (file.f_op->release) 02422 file.f_op->release(dentry_p->d_inode,&file); 02423 */ 02424 /* End of write access */ 02425 // put_write_access(dentry_p->d_inode); 02426 02427 rsbac_vkfree(buffer, vmalloc_used); 02428 } 02429 02430 /* Ready. */ 02431 return(err); 02432 02433 #endif /* else of MAINT */ 02434 } 02435 02436 EXPORT_SYMBOL(rsbac_sec_del); 02437 int rsbac_sec_del(struct dentry * dentry_p) 02438 { 02439 return(rsbac_sec_trunc(dentry_p, 02440 0, 02441 dentry_p->d_inode->i_size)); 02442 } 02443 02444 #else /* no SECDEL */ 02445 EXPORT_SYMBOL(rsbac_sec_trunc); 02446 int rsbac_sec_trunc(struct dentry * dentry_p, 02447 loff_t new_len, loff_t old_len) 02448 { 02449 return 0; 02450 } 02451 EXPORT_SYMBOL(rsbac_sec_del); 02452 int rsbac_sec_del(struct dentry * dentry_p) 02453 { 02454 return 0; 02455 } 02456 #endif /* SECDEL */ 02457 02458 #ifdef CONFIG_RSBAC_SYM_REDIR 02459 void rsbac_symlink_redirect(struct dentry * dentry_p, char * name) 02460 { 02461 int err; 02462 union rsbac_target_id_t i_tid; 02463 #if defined(CONFIG_RSBAC_SYM_REDIR_MAC) || defined(CONFIG_RSBAC_SYM_REDIR_RC) 02464 union rsbac_target_id_t i_tid2; 02465 #endif 02466 union rsbac_attribute_value_t i_attr_val; 02467 02468 if(!name || !dentry_p || !dentry_p->d_inode) 02469 return; 02470 if (!rsbac_is_initialized()) 02471 return; 02472 02473 i_tid.symlink.device = dentry_p->d_inode->i_sb->s_dev; 02474 i_tid.symlink.inode = dentry_p->d_inode->i_ino; 02475 i_tid.symlink.dentry_p = dentry_p; 02476 if(!S_ISLNK(dentry_p->d_inode->i_mode)) 02477 { 02478 #ifdef CONFIG_RSBAC_RMSG 02479 rsbac_printk(KERN_DEBUG 02480 "rsbac_symlink_redirect(): called for non-symlink inode %u on dev %02u:%02u!\n", 02481 i_tid.symlink.inode, 02482 RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) ); 02483 #endif 02484 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02485 if (!rsbac_nosyslog) 02486 #endif 02487 printk(KERN_DEBUG 02488 "rsbac_symlink_redirect(): called for non-symlink inode %u on dev %02u:%02u!\n", 02489 i_tid.symlink.inode, 02490 RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) ); 02491 return; 02492 } 02493 02494 #ifdef CONFIG_RSBAC_DEBUG 02495 if (rsbac_debug_aef) 02496 { 02497 #ifdef CONFIG_RSBAC_RMSG 02498 rsbac_printk(KERN_DEBUG 02499 "rsbac_symlink_redirect(): called for symlink inode %u on dev %02u:%02u!\n", 02500 i_tid.symlink.inode, 02501 RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) ); 02502 #endif 02503 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02504 if (!rsbac_nosyslog) 02505 #endif 02506 printk(KERN_DEBUG 02507 "rsbac_symlink_redirect(): called for symlink inode %u on dev %02u:%02u!\n", 02508 i_tid.symlink.inode, 02509 RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) ); 02510 } 02511 #endif 02512 02513 #ifdef CONFIG_RSBAC_SYM_REDIR_UID 02514 if ((err = rsbac_get_attr(GEN, 02515 T_SYMLINK, 02516 i_tid, 02517 A_symlink_add_uid, 02518 &i_attr_val, 02519 FALSE) )) 02520 { 02521 rsbac_ds_get_error("rsbac_symlink_redirect()", A_symlink_add_uid); 02522 return; /* something weird happened */ 02523 } 02524 if(i_attr_val.symlink_add_uid) 02525 { 02526 rsbac_uid_t user; 02527 u_int len; 02528 02529 len = strlen(name); 02530 while( len 02531 && (name[len-1] >= '0') 02532 && (name[len-1] <= '9') 02533 ) 02534 len--; 02535 if(len > (PAGE_SIZE - 20)) 02536 return; 02537 if(!rsbac_get_owner(&user)) 02538 ulongtostr(name+len, user); 02539 } 02540 #endif 02541 02542 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC 02543 if ((err = rsbac_get_attr(GEN, 02544 T_SYMLINK, 02545 i_tid, 02546 A_symlink_add_mac_level, 02547 &i_attr_val, 02548 FALSE) )) 02549 { 02550 rsbac_ds_get_error("rsbac_symlink_redirect()", A_symlink_add_mac_level); 02551 return; /* something weird happened */ 02552 } 02553 if(i_attr_val.symlink_add_mac_level) 02554 { 02555 u_int len; 02556 02557 len = strlen(name); 02558 while( len 02559 && ( ( (name[len-1] >= '0') 02560 && (name[len-1] <= '9') 02561 ) 02562 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT 02563 || (name[len-1] == ':') 02564 #endif 02565 ) 02566 ) 02567 len--; 02568 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT 02569 if(len > (PAGE_SIZE - 85)) 02570 #else 02571 if(len > (PAGE_SIZE - 20)) 02572 #endif 02573 return; 02574 02575 i_tid2.process = current->pid; 02576 if ((err = rsbac_get_attr(MAC, 02577 T_PROCESS, 02578 i_tid2, 02579 A_current_sec_level, 02580 &i_attr_val, 02581 FALSE) )) 02582 { 02583 rsbac_ds_get_error("rsbac_symlink_redirect()", A_current_sec_level); 02584 return; /* something weird happened */ 02585 } 02586 02587 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT 02588 len+=sprintf(name+len, "%u:", i_attr_val.current_sec_level); 02589 #else 02590 len+=sprintf(name+len, "%u", i_attr_val.current_sec_level); 02591 #endif 02592 02593 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT 02594 if ((err = rsbac_get_attr(MAC, 02595 T_PROCESS, 02596 i_tid2, 02597 A_mac_curr_categories, 02598 &i_attr_val, 02599 FALSE) )) 02600 { 02601 rsbac_ds_get_error("rsbac_symlink_redirect()", A_mac_curr_categories); 02602 return; /* something weird happened */ 02603 } 02604 u64tostrmac(name+len, i_attr_val.mac_categories); 02605 #endif 02606 } 02607 #endif 02608 02609 #ifdef CONFIG_RSBAC_SYM_REDIR_RC 02610 if ((err = rsbac_get_attr(GEN, 02611 T_SYMLINK, 02612 i_tid, 02613 A_symlink_add_rc_role, 02614 &i_attr_val, 02615 FALSE) )) 02616 { 02617 rsbac_ds_get_error("rsbac_symlink_redirect()", A_symlink_add_rc_role); 02618 return; /* something weird happened */ 02619 } 02620 if(i_attr_val.symlink_add_rc_role) 02621 { 02622 u_int len; 02623 02624 len = strlen(name); 02625 while( len 02626 && (name[len-1] >= '0') 02627 && (name[len-1] <= '9') 02628 ) 02629 len--; 02630 if(len > (PAGE_SIZE - 20)) 02631 return; 02632 02633 i_tid2.process = current->pid; 02634 if ((err = rsbac_get_attr(RC, 02635 T_PROCESS, 02636 i_tid2, 02637 A_rc_role, 02638 &i_attr_val, 02639 FALSE) )) 02640 { 02641 rsbac_ds_get_error("rsbac_symlink_redirect()", A_rc_role); 02642 return; /* something weird happened */ 02643 } 02644 02645 ulongtostr(name+len, i_attr_val.rc_role); 02646 } 02647 #endif 02648 02649 return; 02650 } 02651 #endif 02652 02653 #ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART 02654 int rsbac_dac_part_disabled(struct dentry * dentry_p) 02655 { 02656 int err; 02657 enum rsbac_target_t i_target; 02658 union rsbac_target_id_t i_tid; 02659 union rsbac_attribute_value_t i_attr_val; 02660 02661 if(!dentry_p || !dentry_p->d_inode || !dentry_p->d_inode->i_sb->s_dev || !rsbac_is_initialized()) 02662 return FALSE; 02663 02664 if(S_ISREG(dentry_p->d_inode->i_mode)) 02665 i_target = T_FILE; 02666 else 02667 if(S_ISDIR(dentry_p->d_inode->i_mode)) 02668 i_target = T_DIR; 02669 else 02670 if(S_ISFIFO(dentry_p->d_inode->i_mode)) 02671 i_target = T_FIFO; 02672 else 02673 if(S_ISLNK(dentry_p->d_inode->i_mode)) 02674 i_target = T_SYMLINK; 02675 else 02676 return FALSE; 02677 02678 i_tid.file.device = dentry_p->d_sb->s_dev; 02679 i_tid.file.inode = dentry_p->d_inode->i_ino; 02680 i_tid.file.dentry_p = dentry_p; 02681 02682 #ifdef CONFIG_RSBAC_DEBUG 02683 if (rsbac_debug_aef) 02684 { 02685 #ifdef CONFIG_RSBAC_RMSG 02686 rsbac_printk(KERN_DEBUG 02687 "rsbac_dac_part_disable(): called for dentry_p->d_inode %u on dev %02u:%02u, dentry_p %p!\n", 02688 i_tid.file.inode, 02689 RSBAC_MAJOR(i_tid.file.device), RSBAC_MINOR(i_tid.file.device), 02690 i_tid.file.dentry_p ); 02691 #endif 02692 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02693 if (!rsbac_nosyslog) 02694 #endif 02695 printk(KERN_DEBUG 02696 "rsbac_dac_part_disable(): called for dentry_p->d_inode %u on dev %02u:%02u, dentry_p %p!\n", 02697 i_tid.file.inode, 02698 RSBAC_MAJOR(i_tid.file.device), RSBAC_MINOR(i_tid.file.device), 02699 i_tid.file.dentry_p ); 02700 } 02701 #endif 02702 02703 if ((err = rsbac_get_attr(GEN, 02704 i_target, 02705 i_tid, 02706 A_linux_dac_disable, 02707 &i_attr_val, 02708 TRUE) )) 02709 { 02710 #ifdef CONFIG_RSBAC_RMSG 02711 rsbac_printk(KERN_WARNING 02712 "rsbac_dac_part_disable(): rsbac_get_attr() for linux_dac_disable returned error %i!\n", 02713 err); 02714 #endif 02715 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02716 if (!rsbac_nosyslog) 02717 #endif 02718 printk(KERN_WARNING 02719 "rsbac_dac_part_disable(): rsbac_get_attr() for linux_dac_disable returned error %i!\n", 02720 err); 02721 return FALSE; /* something weird happened */ 02722 } 02723 if(i_attr_val.linux_dac_disable == LDD_true) 02724 return TRUE; 02725 else 02726 return FALSE; 02727 } 02728 #endif 02729 02730 #ifdef CONFIG_RSBAC_FAKE_ROOT_UID 02731 rsbac_uid_t rsbac_fake_uid(void) 02732 { 02733 int err; 02734 union rsbac_target_id_t i_tid; 02735 union rsbac_attribute_value_t i_attr_val; 02736 02737 if(!current->uid) 02738 return 0; 02739 if (!rsbac_is_initialized()) 02740 return current->uid; 02741 02742 i_tid.process = current->pid; 02743 if ((err = rsbac_get_attr(GEN, 02744 T_PROCESS, 02745 i_tid, 02746 A_fake_root_uid, 02747 &i_attr_val, 02748 FALSE) )) 02749 { 02750 rsbac_ds_get_error("rsbac_fake_uid()", A_fake_root_uid); 02751 return current->uid; /* something weird happened */ 02752 } 02753 switch(i_attr_val.fake_root_uid) 02754 { 02755 case FR_both: 02756 case FR_uid_only: 02757 return 0; 02758 default: 02759 return current->uid; 02760 } 02761 } 02762 02763 rsbac_uid_t rsbac_fake_euid(void) 02764 { 02765 int err; 02766 union rsbac_target_id_t i_tid; 02767 union rsbac_attribute_value_t i_attr_val; 02768 02769 if(!current->euid) 02770 return 0; 02771 if (!rsbac_is_initialized()) 02772 return current->euid; 02773 02774 i_tid.process = current->pid; 02775 if ((err = rsbac_get_attr(GEN, 02776 T_PROCESS, 02777 i_tid, 02778 A_fake_root_uid, 02779 &i_attr_val, 02780 FALSE) )) 02781 { 02782 rsbac_ds_get_error("rsbac_fake_euid()", A_fake_root_uid); 02783 return current->euid; /* something weird happened */ 02784 } 02785 switch(i_attr_val.fake_root_uid) 02786 { 02787 case FR_both: 02788 case FR_euid_only: 02789 return 0; 02790 default: 02791 return current->euid; 02792 } 02793 } 02794 02795 int rsbac_uid_faked(void) 02796 { 02797 int err; 02798 union rsbac_target_id_t i_tid; 02799 union rsbac_attribute_value_t i_attr_val; 02800 02801 if (!rsbac_is_initialized()) 02802 return 0; 02803 02804 i_tid.process = current->pid; 02805 if ((err = rsbac_get_attr(GEN, 02806 T_PROCESS, 02807 i_tid, 02808 A_fake_root_uid, 02809 &i_attr_val, 02810 FALSE) )) 02811 { 02812 rsbac_ds_get_error("rsbac_uid_faked()", A_fake_root_uid); 02813 return 0; /* something weird happened */ 02814 } 02815 switch(i_attr_val.fake_root_uid) 02816 { 02817 case FR_both: 02818 case FR_uid_only: 02819 return 1; 02820 default: 02821 return 0; 02822 } 02823 } 02824 02825 #endif 02826 02827 /* end of rsbac/adf/main.c */

Generated on Tue Aug 31 10:05:23 2004 for RSBAC by doxygen 1.3.8