/daten/src/linux-2.4.27-rsbac-v1.2.3/rsbac/data_structures/acl_data_structures.c

Go to the documentation of this file.
00001 /*************************************************** */ 00002 /* Rule Set Based Access Control */ 00003 /* Implementation of ACL data structures */ 00004 /* Author and (c) 1999-2004: Amon Ott <ao@rsbac.org> */ 00005 /* */ 00006 /* Last modified: 16/Jun/2004 */ 00007 /*************************************************** */ 00008 00009 #include <linux/types.h> 00010 #include <linux/sched.h> 00011 #include <linux/mm.h> 00012 #include <linux/init.h> 00013 #include <linux/ext2_fs.h> 00014 #include <asm/uaccess.h> 00015 #include <rsbac/types.h> 00016 #include <rsbac/aci_data_structures.h> 00017 #include <rsbac/acl_data_structures.h> 00018 #include <rsbac/error.h> 00019 #include <rsbac/helpers.h> 00020 #include <rsbac/adf.h> 00021 #include <rsbac/aci.h> 00022 #include <rsbac/acl.h> 00023 #include <rsbac/lists.h> 00024 #include <rsbac/proc_fs.h> 00025 #include <rsbac/getname.h> 00026 #include <rsbac/acl_getname.h> 00027 #include <rsbac/rkmem.h> 00028 #include <rsbac/network.h> 00029 #include <linux/string.h> 00030 #include <linux/smp_lock.h> 00031 00032 /************************************************************************** */ 00033 /* Global Variables */ 00034 /************************************************************************** */ 00035 00036 /* The following global variables are needed for access to ACL data.*/ 00037 00038 static struct rsbac_acl_device_list_head_t device_list_head; 00039 00040 static rsbac_list_handle_t dev_handle = NULL; 00041 static rsbac_list_handle_t scd_handle = NULL; 00042 static rsbac_list_handle_t group_handle = NULL; 00043 static rsbac_list_handle_t gm_handle = NULL; 00044 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 00045 static rsbac_list_handle_t netdev_handle = NULL; 00046 #endif 00047 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 00048 static rsbac_list_handle_t nettemp_nt_handle = NULL; 00049 static rsbac_list_handle_t nettemp_handle = NULL; 00050 static rsbac_list_handle_t netobj_handle = NULL; 00051 #endif 00052 00053 static rsbac_list_handle_t default_fd_handle = NULL; 00054 static rsbac_list_handle_t default_dev_handle = NULL; 00055 static rsbac_list_handle_t default_ipc_handle = NULL; 00056 static rsbac_list_handle_t default_scd_handle = NULL; 00057 static rsbac_list_handle_t default_u_handle = NULL; 00058 static rsbac_list_handle_t default_p_handle = NULL; 00059 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 00060 static rsbac_list_handle_t default_netdev_handle = NULL; 00061 static rsbac_acl_rights_vector_t default_netdev_rights = 0; 00062 #endif 00063 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 00064 static rsbac_list_handle_t default_nettemp_nt_handle = NULL; 00065 static rsbac_list_handle_t default_netobj_handle = NULL; 00066 static rsbac_acl_rights_vector_t default_nettemp_nt_rights = 0; 00067 static rsbac_acl_rights_vector_t default_netobj_rights = 0; 00068 #endif 00069 00070 static rsbac_acl_group_id_t group_last_new = 0; 00071 00072 static rsbac_acl_rights_vector_t default_fd_rights = 0; 00073 static rsbac_acl_rights_vector_t default_dev_rights = 0; 00074 static rsbac_acl_rights_vector_t default_ipc_rights = 0; 00075 static rsbac_acl_rights_vector_t default_scd_rights = 0; 00076 static rsbac_acl_rights_vector_t default_u_rights = 0; 00077 static rsbac_acl_rights_vector_t default_p_rights = 0; 00078 00079 /**************************************************/ 00080 /* Declarations of external functions */ 00081 /**************************************************/ 00082 00083 boolean writable(struct super_block * sb_p); 00084 00085 /**************************************************/ 00086 /* Declarations of internal functions */ 00087 /**************************************************/ 00088 00089 /************************************************* */ 00090 /* Internal Help functions */ 00091 /************************************************* */ 00092 00093 static inline int fd_hash(rsbac_inode_nr_t inode) 00094 { 00095 return(inode % RSBAC_ACL_NR_FD_LISTS); 00096 } 00097 00098 static int entry_compare(void * desc1, void * desc2) 00099 { 00100 int result; 00101 struct rsbac_acl_entry_desc_t * i_desc1 = desc1; 00102 struct rsbac_acl_entry_desc_t * i_desc2 = desc2; 00103 00104 result = memcmp(&i_desc1->subj_type, 00105 &i_desc2->subj_type, 00106 sizeof(i_desc1->subj_type)); 00107 if(result) 00108 return result; 00109 else 00110 return memcmp(&i_desc1->subj_id, 00111 &i_desc2->subj_id, 00112 sizeof(i_desc1->subj_id)); 00113 } 00114 00115 static int dev_compare(void * desc1, void * desc2) 00116 { 00117 int result; 00118 struct rsbac_dev_desc_t * i_desc1 = desc1; 00119 struct rsbac_dev_desc_t * i_desc2 = desc2; 00120 00121 result = memcmp(&i_desc1->type, 00122 &i_desc2->type, 00123 sizeof(i_desc1->type)); 00124 if(result) 00125 return result; 00126 result = memcmp(&i_desc1->major, 00127 &i_desc2->major, 00128 sizeof(i_desc1->major)); 00129 if(result) 00130 return result; 00131 return memcmp(&i_desc1->minor, 00132 &i_desc2->minor, 00133 sizeof(i_desc1->minor)); 00134 } 00135 00136 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 00137 static int netdev_compare(void * desc1, void * desc2) 00138 { 00139 return strncmp(desc1, 00140 desc2, 00141 RSBAC_IFNAMSIZ); 00142 } 00143 #endif 00144 00145 static int dev_conv( 00146 void * old_desc, 00147 void * old_data, 00148 void * new_desc, 00149 void * new_data) 00150 { 00151 struct rsbac_dev_desc_t * new = new_desc; 00152 struct rsbac_dev_t * old = old_desc; 00153 00154 memcpy(new_data, old_data, sizeof(rsbac_acl_rights_vector_t)); 00155 new->type = old->type; 00156 new->major = RSBAC_MAJOR(old->id); 00157 new->minor = RSBAC_MINOR(old->id); 00158 return 0; 00159 } 00160 00161 rsbac_list_conv_function_t * dev_get_conv(rsbac_version_t old_version) 00162 { 00163 switch(old_version) 00164 { 00165 case RSBAC_ACL_DEV_OLD_LIST_VERSION: 00166 return dev_conv; 00167 default: 00168 return NULL; 00169 } 00170 } 00171 00172 static int dev_subconv( 00173 void * old_desc, 00174 void * old_data, 00175 void * new_desc, 00176 void * new_data) 00177 { 00178 memcpy(new_desc, old_desc, sizeof(struct rsbac_acl_entry_desc_t)); 00179 memcpy(new_data, old_data, sizeof(rsbac_acl_rights_vector_t)); 00180 return 0; 00181 } 00182 00183 rsbac_list_conv_function_t * dev_get_subconv(rsbac_version_t old_version) 00184 { 00185 switch(old_version) 00186 { 00187 case RSBAC_ACL_DEV_OLD_LIST_VERSION: 00188 return dev_subconv; 00189 default: 00190 return NULL; 00191 } 00192 } 00193 00194 /* acl_register_fd_lists() */ 00195 /* register fd ACL lists for device */ 00196 00197 static int acl_register_fd_lists(struct rsbac_acl_device_list_item_t * device_p, 00198 kdev_t kdev) 00199 { 00200 char * name; 00201 int err = 0; 00202 int tmperr; 00203 char number[10]; 00204 u_int file_no; 00205 struct rsbac_list_lol_info_t lol_info; 00206 rsbac_acl_rights_vector_t def_mask=RSBAC_ACL_DEFAULT_FD_MASK; 00207 00208 if(!device_p) 00209 return(-RSBAC_EINVALIDPOINTER); 00210 name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00211 if(!name) 00212 return -RSBAC_ENOMEM; 00213 00214 /* register all the ACL lists of lists */ 00215 for (file_no = 0; file_no < RSBAC_ACL_NR_FD_LISTS; file_no++) 00216 { 00217 /* construct name from base name + number */ 00218 strcpy(name, RSBAC_ACL_FD_FILENAME); 00219 strcat(name, inttostr(number,file_no) ); 00220 00221 lol_info.version = RSBAC_ACL_FD_LIST_VERSION; 00222 lol_info.key = RSBAC_ACL_LIST_KEY; 00223 lol_info.desc_size = sizeof(rsbac_inode_nr_t); 00224 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */ 00225 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 00226 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 00227 lol_info.max_age = 0; 00228 tmperr = rsbac_list_lol_register(RSBAC_LIST_VERSION, 00229 &(device_p->handles[file_no]), 00230 &lol_info, 00231 RSBAC_LIST_PERSIST | RSBAC_LIST_DEF_DATA, 00232 rsbac_list_compare_u32, 00233 entry_compare, 00234 NULL, 00235 NULL, 00236 &def_mask, 00237 NULL, 00238 name, 00239 kdev); 00240 if(tmperr) 00241 { 00242 char * tmp; 00243 00244 tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00245 if(tmp) 00246 { 00247 #ifdef CONFIG_RSBAC_RMSG 00248 rsbac_printk(KERN_WARNING 00249 "acl_register_fd_lists(): registering list %u for device %02u:%02u failed with error %s!\n", 00250 file_no, 00251 RSBAC_MAJOR(kdev), 00252 RSBAC_MINOR(kdev), 00253 get_error_name(tmp, tmperr)); 00254 #endif 00255 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00256 if (!rsbac_nosyslog) 00257 #endif 00258 printk(KERN_WARNING 00259 "acl_register_fd_lists(): registering list %u for device %02u:%02u failed with error %s!\n", 00260 file_no, 00261 RSBAC_MAJOR(kdev), 00262 RSBAC_MINOR(kdev), 00263 get_error_name(tmp, tmperr)); 00264 rsbac_kfree(tmp); 00265 } 00266 err = tmperr; 00267 } 00268 } 00269 return err; 00270 } 00271 00272 /* acl_detach_fd_lists() */ 00273 /* detach from fd ACL lists for device */ 00274 00275 static int acl_detach_fd_lists(struct rsbac_acl_device_list_item_t * device_p) 00276 { 00277 char * name; 00278 int err = 0; 00279 int tmperr; 00280 char number[10]; 00281 u_int file_no; 00282 00283 if(!device_p) 00284 return(-RSBAC_EINVALIDPOINTER); 00285 name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00286 if(!name) 00287 return -RSBAC_ENOMEM; 00288 00289 /* detach all the ACL lists of lists */ 00290 for (file_no = 0; file_no < RSBAC_ACL_NR_FD_LISTS; file_no++) 00291 { 00292 /* construct name from base name + number */ 00293 strcpy(name, RSBAC_ACL_FD_FILENAME); 00294 strcat(name, inttostr(number,file_no) ); 00295 00296 tmperr = rsbac_list_lol_detach(&device_p->handles[file_no], 00297 RSBAC_ACL_LIST_KEY); 00298 if(tmperr) 00299 { 00300 char * tmp; 00301 00302 tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00303 if(tmp) 00304 { 00305 #ifdef CONFIG_RSBAC_RMSG 00306 rsbac_printk(KERN_WARNING 00307 "acl_detach_fd_lists(): detaching from list %u for device %02u:%02u failed with error %s!\n", 00308 file_no, 00309 RSBAC_MAJOR(device_p->id), 00310 RSBAC_MINOR(device_p->id), 00311 get_error_name(tmp, tmperr)); 00312 #endif 00313 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00314 if (!rsbac_nosyslog) 00315 #endif 00316 printk(KERN_WARNING 00317 "acl_detach_fd_lists(): detaching from list %u for device %02u:%02u failed with error %s!\n", 00318 file_no, 00319 RSBAC_MAJOR(device_p->id), 00320 RSBAC_MINOR(device_p->id), 00321 get_error_name(tmp, tmperr)); 00322 rsbac_kfree(tmp); 00323 } 00324 err = tmperr; 00325 } 00326 } 00327 return err; 00328 } 00329 00330 /************************************************************************** */ 00331 /* The lookup functions return NULL, if the item is not found, and a */ 00332 /* pointer to the item otherwise. */ 00333 00334 /* first the device item lookup */ 00335 static struct rsbac_acl_device_list_item_t * acl_lookup_device(kdev_t kdev) 00336 { 00337 struct rsbac_acl_device_list_item_t * curr = device_list_head.curr; 00338 00339 /* if there is no current item or it is not the right one, search... */ 00340 if( !curr 00341 || (RSBAC_MAJOR(curr->id) != RSBAC_MAJOR(kdev)) 00342 || (RSBAC_MINOR(curr->id) != RSBAC_MINOR(kdev)) 00343 ) 00344 { 00345 curr = device_list_head.head; 00346 while( curr 00347 && ( (RSBAC_MAJOR(curr->id) != RSBAC_MAJOR(kdev)) 00348 || (RSBAC_MINOR(curr->id) != RSBAC_MINOR(kdev)) 00349 ) 00350 ) 00351 { 00352 curr = curr->next; 00353 } 00354 if (curr) 00355 device_list_head.curr=curr; 00356 } 00357 /* it is the current item -> return it */ 00358 return (curr); 00359 }; 00360 00361 /************************************************************************** */ 00362 /* The add_item() functions add an item to the list, set head.curr to it, */ 00363 /* and return a pointer to the item. */ 00364 /* These functions will NOT check, if there is already an item under the */ 00365 /* same ID! If this happens, the lookup functions will return the old item! */ 00366 00367 /* Create a device item without adding to list. No locking needed. */ 00368 static struct rsbac_acl_device_list_item_t 00369 * create_device_item(kdev_t kdev) 00370 { 00371 struct rsbac_acl_device_list_item_t * new_item_p; 00372 00373 /* allocate memory for new device, return NULL, if failed */ 00374 if ( !(new_item_p = (struct rsbac_acl_device_list_item_t *) 00375 rsbac_kmalloc(sizeof(*new_item_p)) ) ) 00376 return(NULL); 00377 00378 memset(new_item_p, 0, sizeof(*new_item_p)); 00379 new_item_p->id = kdev; 00380 new_item_p->mount_count = 1; 00381 return(new_item_p); 00382 }; 00383 00384 /* Add an existing device item to list. Locking needed. */ 00385 static struct rsbac_acl_device_list_item_t 00386 * add_device_item(struct rsbac_acl_device_list_item_t * device_p) 00387 { 00388 if (!device_p) 00389 return(NULL); 00390 00391 /* add new device to device list */ 00392 if (!device_list_head.head) 00393 { /* first device */ 00394 device_list_head.head=device_p; 00395 device_list_head.tail=device_p; 00396 device_list_head.curr=device_p; 00397 device_list_head.count=1; 00398 device_p->prev=NULL; 00399 device_p->next=NULL; 00400 } 00401 else 00402 { /* there is another device -> hang to tail */ 00403 device_p->prev=device_list_head.tail; 00404 device_p->next=NULL; 00405 device_list_head.tail->next=device_p; 00406 device_list_head.tail=device_p; 00407 device_list_head.curr=device_p; 00408 device_list_head.count++; 00409 }; 00410 return(device_p); 00411 }; 00412 00413 /************************************************************************** */ 00414 /* The remove_item() functions remove an item from the list. If this item */ 00415 /* is head, tail or curr, these pointers are set accordingly. */ 00416 /* To speed up removing several subsequent items, curr is set to the next */ 00417 /* item, if possible. */ 00418 /* If the item is not found, nothing is done. */ 00419 00420 static void clear_device_item(struct rsbac_acl_device_list_item_t * device_p) 00421 { 00422 if(!device_p) 00423 return; 00424 00425 /* now we can remove the item from memory. This means cleaning up */ 00426 acl_detach_fd_lists(device_p); 00427 /* OK, lets remove the device item itself */ 00428 rsbac_kfree(device_p); 00429 }; /* end of clear_device_item() */ 00430 00431 static void remove_device_item(kdev_t kdev) 00432 { 00433 struct rsbac_acl_device_list_item_t * item_p; 00434 00435 /* first we must locate the item. */ 00436 if ( (item_p = acl_lookup_device(kdev)) ) 00437 { /* ok, item was found */ 00438 if (device_list_head.head == item_p) 00439 { /* item is head */ 00440 if (device_list_head.tail == item_p) 00441 { /* item is head and tail = only item -> list will be empty*/ 00442 device_list_head.head = NULL; 00443 device_list_head.tail = NULL; 00444 } 00445 else 00446 { /* item is head, but not tail -> next item becomes head */ 00447 item_p->next->prev = NULL; 00448 device_list_head.head = item_p->next; 00449 }; 00450 } 00451 else 00452 { /* item is not head */ 00453 if (device_list_head.tail == item_p) 00454 { /*item is not head, but tail -> previous item becomes tail*/ 00455 item_p->prev->next = NULL; 00456 device_list_head.tail = item_p->prev; 00457 } 00458 else 00459 { /* item is neither head nor tail -> item is cut out */ 00460 item_p->prev->next = item_p->next; 00461 item_p->next->prev = item_p->prev; 00462 }; 00463 }; 00464 00465 /* curr is no longer valid -> reset. */ 00466 device_list_head.curr=NULL; 00467 /* adjust counter */ 00468 device_list_head.count--; 00469 00470 /* now we can remove the item from memory. This means cleaning up */ 00471 /* everything below. */ 00472 clear_device_item(item_p); 00473 }; /* end of if: item was found */ 00474 00475 }; /* end of remove_device_item() */ 00476 00477 /************************************************* */ 00478 /* proc functions */ 00479 /************************************************* */ 00480 00481 #if defined(CONFIG_RSBAC_PROC) && defined(CONFIG_PROC_FS) 00482 static int 00483 acl_devices_proc_info(char *buffer, char **start, off_t offset, int length) 00484 { 00485 int len = 0; 00486 off_t pos = 0; 00487 off_t begin = 0; 00488 struct rsbac_acl_device_list_item_t * device_p; 00489 u_long dflags; 00490 00491 if (!rsbac_is_initialized()) return (-ENOSYS); 00492 00493 len += sprintf(buffer, "%u RSBAC ACL Devices\n-------------------\n", 00494 device_list_head.count); 00495 00496 /* wait for read access to device_list_head */ 00497 rsbac_read_lock(&device_list_head.lock, &dflags); 00498 /* OK, go on */ 00499 for (device_p = device_list_head.head; device_p; device_p = device_p->next) 00500 { 00501 len += sprintf(buffer + len, "%02u:%02u with mount_count = %u\n", 00502 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), 00503 device_p->mount_count); 00504 pos = begin + len; 00505 if (pos < offset) 00506 { 00507 len = 0; 00508 begin = pos; 00509 } 00510 if (pos > offset+length) 00511 break; 00512 } 00513 00514 /* free access to device_list_head */ 00515 rsbac_read_unlock(&device_list_head.lock, &dflags); 00516 00517 *start = buffer + (offset - begin); 00518 len -= (offset - begin); 00519 00520 if (len > length) 00521 len = length; 00522 return len; 00523 } 00524 00525 static int 00526 stats_acl_proc_info(char *buffer, char **start, off_t offset, int length) 00527 { 00528 u_int len = 0; 00529 off_t pos = 0; 00530 off_t begin = 0; 00531 00532 u_int item_count = 0; 00533 u_int member_count = 0; 00534 u_int tmp_count; 00535 u_int i; 00536 u_long dflags; 00537 struct rsbac_acl_device_list_item_t * device_p; 00538 00539 union rsbac_target_id_t rsbac_target_id; 00540 union rsbac_attribute_value_t rsbac_attribute_value; 00541 00542 if (!rsbac_is_initialized) 00543 { 00544 #ifdef CONFIG_RSBAC_RMSG 00545 rsbac_printk(KERN_WARNING "stats_acl_proc_info(): RSBAC not initialized\n"); 00546 #endif 00547 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00548 if (!rsbac_nosyslog) 00549 #endif 00550 printk(KERN_WARNING "stats_acl_proc_info(): RSBAC not initialized\n"); 00551 return(-RSBAC_ENOTINITIALIZED); 00552 } 00553 #ifdef CONFIG_RSBAC_DEBUG 00554 if (rsbac_debug_aef_acl) 00555 { 00556 #ifdef CONFIG_RSBAC_RMSG 00557 rsbac_printk(KERN_DEBUG "stats_acl_proc_info(): calling ADF\n"); 00558 #endif 00559 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00560 if (!rsbac_nosyslog) 00561 #endif 00562 printk(KERN_DEBUG "stats_acl_proc_info(): calling ADF\n"); 00563 } 00564 #endif 00565 rsbac_target_id.scd = ST_rsbac; 00566 rsbac_attribute_value.dummy = 0; 00567 if (!rsbac_adf_request(R_GET_STATUS_DATA, 00568 current->pid, 00569 T_SCD, 00570 rsbac_target_id, 00571 A_none, 00572 rsbac_attribute_value)) 00573 { 00574 return -EPERM; 00575 } 00576 00577 len += sprintf(buffer, "ACL Status\n-----------\n"); 00578 00579 /* protect device list */ 00580 rsbac_read_lock(&device_list_head.lock, &dflags); 00581 device_p = device_list_head.head; 00582 while(device_p) 00583 { 00584 /* reset counters */ 00585 item_count = 0; 00586 member_count = 0; 00587 for(i=0; i<RSBAC_ACL_NR_FD_LISTS; i++) 00588 { 00589 tmp_count = rsbac_list_lol_count(device_p->handles[i]); 00590 if(tmp_count > 0) 00591 item_count+=tmp_count; 00592 tmp_count = rsbac_list_lol_all_subcount(device_p->handles[i]); 00593 if(tmp_count > 0) 00594 member_count += tmp_count; 00595 } 00596 len += sprintf(buffer + len, "device %02u:%02u has %i file ACLs, sum of %i members\n", 00597 RSBAC_MAJOR(device_p->id), 00598 RSBAC_MINOR(device_p->id), 00599 item_count, 00600 member_count); 00601 pos = begin + len; 00602 if (pos < offset) 00603 { 00604 len = 0; 00605 begin = pos; 00606 } 00607 if (pos > offset+length) 00608 { 00609 rsbac_read_unlock(&device_list_head.lock, &dflags); 00610 goto out; 00611 } 00612 device_p = device_p->next; 00613 } 00614 /* unprotect device list */ 00615 rsbac_read_unlock(&device_list_head.lock, &dflags); 00616 00617 /* dev list */ 00618 len += sprintf(buffer + len, "%li device ACL items, sum of %li members\n", 00619 rsbac_list_lol_count(dev_handle), 00620 rsbac_list_lol_all_subcount(dev_handle)); 00621 pos = begin + len; 00622 if (pos < offset) 00623 { 00624 len = 0; 00625 begin = pos; 00626 } 00627 if (pos > offset+length) 00628 goto out; 00629 00630 /* SCD list */ 00631 len += sprintf(buffer + len, "%li scd ACL items, sum of %li members\n", 00632 rsbac_list_lol_count(scd_handle), 00633 rsbac_list_lol_all_subcount(scd_handle)); 00634 pos = begin + len; 00635 if (pos < offset) 00636 { 00637 len = 0; 00638 begin = pos; 00639 } 00640 if (pos > offset+length) 00641 goto out; 00642 00643 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 00644 /* netdev list */ 00645 len += sprintf(buffer + len, "%li network device ACL items, sum of %li members\n", 00646 rsbac_list_lol_count(netdev_handle), 00647 rsbac_list_lol_all_subcount(netdev_handle)); 00648 pos = begin + len; 00649 if (pos < offset) 00650 { 00651 len = 0; 00652 begin = pos; 00653 } 00654 if (pos > offset+length) 00655 goto out; 00656 #endif 00657 00658 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 00659 /* nettemp_nt list */ 00660 len += sprintf(buffer + len, "%li network template NT ACL items, sum of %li members\n", 00661 rsbac_list_lol_count(nettemp_nt_handle), 00662 rsbac_list_lol_all_subcount(nettemp_nt_handle)); 00663 pos = begin + len; 00664 if (pos < offset) 00665 { 00666 len = 0; 00667 begin = pos; 00668 } 00669 if (pos > offset+length) 00670 goto out; 00671 /* nettemp list */ 00672 len += sprintf(buffer + len, "%li network template ACL items, sum of %li members\n", 00673 rsbac_list_lol_count(nettemp_handle), 00674 rsbac_list_lol_all_subcount(nettemp_handle)); 00675 pos = begin + len; 00676 if (pos < offset) 00677 { 00678 len = 0; 00679 begin = pos; 00680 } 00681 if (pos > offset+length) 00682 goto out; 00683 /* netobj list */ 00684 len += sprintf(buffer + len, "%li network object ACL items, sum of %li members\n", 00685 rsbac_list_lol_count(netobj_handle), 00686 rsbac_list_lol_all_subcount(netobj_handle)); 00687 pos = begin + len; 00688 if (pos < offset) 00689 { 00690 len = 0; 00691 begin = pos; 00692 } 00693 if (pos > offset+length) 00694 goto out; 00695 #endif 00696 00697 len += sprintf(buffer + len, "%li groups, last new is %u\n", 00698 rsbac_list_count(group_handle), 00699 group_last_new); 00700 pos = begin + len; 00701 if (pos < offset) 00702 { 00703 len = 0; 00704 begin = pos; 00705 } 00706 if (pos > offset+length) 00707 goto out; 00708 00709 /* protect gm list */ 00710 len += sprintf(buffer + len, "%li group member items, sum of %li group memberships\n", 00711 rsbac_list_lol_count(gm_handle), 00712 rsbac_list_lol_all_subcount(gm_handle)); 00713 pos = begin + len; 00714 if (pos < offset) 00715 { 00716 len = 0; 00717 begin = pos; 00718 } 00719 if (pos > offset+length) 00720 goto out; 00721 00722 out: 00723 *start = buffer + (offset - begin); 00724 len -= (offset - begin); 00725 00726 if (len > length) 00727 len = length; 00728 return len; 00729 } 00730 00731 static int 00732 acl_acllist_proc_info(char *buffer, char **start, off_t offset, int length) 00733 { 00734 u_int len = 0; 00735 off_t pos = 0; 00736 off_t begin = 0; 00737 00738 u_int i,j,k; 00739 char tmp1[80], tmp2[80]; 00740 u_int count = 0; 00741 int tmp_count; 00742 int tmp_sub_count; 00743 u_int member_count = 0; 00744 u_long dflags; 00745 struct rsbac_acl_device_list_item_t * device_p; 00746 rsbac_inode_nr_t * fd_desc_p; 00747 struct rsbac_dev_desc_t * dev_desc_p; 00748 __u8 * scd_desc_p; 00749 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 00750 rsbac_netdev_id_t * netdev_desc_p; 00751 #endif 00752 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 00753 rsbac_net_temp_id_t * nettemp_desc_p; 00754 rsbac_net_obj_id_t * netobj_desc_p; 00755 #endif 00756 struct rsbac_acl_entry_desc_t * sub_desc_p; 00757 rsbac_acl_rights_vector_t rights; 00758 00759 union rsbac_target_id_t rsbac_target_id; 00760 union rsbac_attribute_value_t rsbac_attribute_value; 00761 00762 if (!rsbac_is_initialized) 00763 { 00764 #ifdef CONFIG_RSBAC_RMSG 00765 rsbac_printk(KERN_WARNING "acl_acllist_proc_info(): RSBAC not initialized\n"); 00766 #endif 00767 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00768 if (!rsbac_nosyslog) 00769 #endif 00770 printk(KERN_WARNING "acl_acllist_proc_info(): RSBAC not initialized\n"); 00771 return(-RSBAC_ENOTINITIALIZED); 00772 } 00773 #ifdef CONFIG_RSBAC_DEBUG 00774 if (rsbac_debug_aef_acl) 00775 { 00776 #ifdef CONFIG_RSBAC_RMSG 00777 rsbac_printk(KERN_DEBUG "acl_acllist_proc_info(): calling ADF\n"); 00778 #endif 00779 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00780 if (!rsbac_nosyslog) 00781 printk(KERN_DEBUG "acl_acllist_proc_info(): calling ADF\n"); 00782 #endif 00783 } 00784 #endif 00785 rsbac_target_id.scd = ST_rsbac; 00786 rsbac_attribute_value.dummy = 0; 00787 if (!rsbac_adf_request(R_GET_STATUS_DATA, 00788 current->pid, 00789 T_SCD, 00790 rsbac_target_id, 00791 A_none, 00792 rsbac_attribute_value)) 00793 { 00794 return -EPERM; 00795 } 00796 00797 len += sprintf(buffer, "ACL Lists\n----------\n"); 00798 00799 len += sprintf(buffer + len, 00800 "Default FD ACL: %li members:", 00801 rsbac_list_count(default_fd_handle)); 00802 pos = begin + len; 00803 if (pos < offset) 00804 { 00805 len = 0; 00806 begin = pos; 00807 } 00808 if (pos > offset+length) 00809 goto out; 00810 tmp_count = rsbac_list_get_all_desc(default_fd_handle, (void **) &sub_desc_p); 00811 if(tmp_count > 0) 00812 { 00813 for(i=0; i<tmp_count; i++) 00814 { 00815 len += sprintf(buffer + len, " %s %u,", 00816 get_acl_subject_type_name(tmp1,sub_desc_p[i].subj_type), 00817 sub_desc_p[i].subj_id); 00818 pos = begin + len; 00819 if (pos < offset) 00820 { 00821 len = 0; 00822 begin = pos; 00823 } 00824 if (pos > offset+length) 00825 { 00826 rsbac_vfree(sub_desc_p); 00827 goto out; 00828 } 00829 } 00830 rsbac_vfree(sub_desc_p); 00831 } 00832 00833 /* default_dev list */ 00834 len += sprintf(buffer + len, "\nDefault Device ACL: %li members:", 00835 rsbac_list_count(default_dev_handle)); 00836 pos = begin + len; 00837 if (pos < offset) 00838 { 00839 len = 0; 00840 begin = pos; 00841 } 00842 if (pos > offset+length) 00843 goto out; 00844 tmp_count = rsbac_list_get_all_desc(default_dev_handle, (void **) &sub_desc_p); 00845 if(tmp_count > 0) 00846 { 00847 for(i=0; i<tmp_count; i++) 00848 { 00849 len += sprintf(buffer + len, " %s %u,", 00850 get_acl_subject_type_name(tmp1,sub_desc_p[i].subj_type), 00851 sub_desc_p[i].subj_id); 00852 pos = begin + len; 00853 if (pos < offset) 00854 { 00855 len = 0; 00856 begin = pos; 00857 } 00858 if (pos > offset+length) 00859 { 00860 rsbac_vfree(sub_desc_p); 00861 goto out; 00862 } 00863 } 00864 rsbac_vfree(sub_desc_p); 00865 } 00866 00867 /* default_ipc_list */ 00868 len += sprintf(buffer + len, "\nDefault IPC ACL: %li members:", 00869 rsbac_list_count(default_ipc_handle)); 00870 pos = begin + len; 00871 if (pos < offset) 00872 { 00873 len = 0; 00874 begin = pos; 00875 } 00876 if (pos > offset+length) 00877 goto out; 00878 tmp_count = rsbac_list_get_all_desc(default_ipc_handle, (void **) &sub_desc_p); 00879 if(tmp_count > 0) 00880 { 00881 for(i=0; i<tmp_count; i++) 00882 { 00883 len += sprintf(buffer + len, " %s %u,", 00884 get_acl_subject_type_name(tmp1,sub_desc_p[i].subj_type), 00885 sub_desc_p[i].subj_id); 00886 pos = begin + len; 00887 if (pos < offset) 00888 { 00889 len = 0; 00890 begin = pos; 00891 } 00892 if (pos > offset+length) 00893 { 00894 rsbac_vfree(sub_desc_p); 00895 goto out; 00896 } 00897 } 00898 rsbac_vfree(sub_desc_p); 00899 } 00900 00901 /* default_scd_list */ 00902 len += sprintf(buffer + len, "\nDefault SCD ACL: %li members:", 00903 rsbac_list_count(default_scd_handle)); 00904 pos = begin + len; 00905 if (pos < offset) 00906 { 00907 len = 0; 00908 begin = pos; 00909 } 00910 if (pos > offset+length) 00911 goto out; 00912 tmp_count = rsbac_list_get_all_desc(default_scd_handle, (void **) &sub_desc_p); 00913 if(tmp_count > 0) 00914 { 00915 for(i=0; i<tmp_count; i++) 00916 { 00917 len += sprintf(buffer + len, " %s %u,", 00918 get_acl_subject_type_name(tmp1,sub_desc_p[i].subj_type), 00919 sub_desc_p[i].subj_id); 00920 pos = begin + len; 00921 if (pos < offset) 00922 { 00923 len = 0; 00924 begin = pos; 00925 } 00926 if (pos > offset+length) 00927 { 00928 rsbac_vfree(sub_desc_p); 00929 goto out; 00930 } 00931 } 00932 rsbac_vfree(sub_desc_p); 00933 } 00934 00935 /* default_u_list */ 00936 len += sprintf(buffer + len, "\nDefault User ACL: %li members:", 00937 rsbac_list_count(default_u_handle)); 00938 pos = begin + len; 00939 if (pos < offset) 00940 { 00941 len = 0; 00942 begin = pos; 00943 } 00944 if (pos > offset+length) 00945 goto out; 00946 tmp_count = rsbac_list_get_all_desc(default_u_handle, (void **) &sub_desc_p); 00947 if(tmp_count > 0) 00948 { 00949 for(i=0; i<tmp_count; i++) 00950 { 00951 len += sprintf(buffer + len, " %s %u,", 00952 get_acl_subject_type_name(tmp1,sub_desc_p[i].subj_type), 00953 sub_desc_p[i].subj_id); 00954 pos = begin + len; 00955 if (pos < offset) 00956 { 00957 len = 0; 00958 begin = pos; 00959 } 00960 if (pos > offset+length) 00961 { 00962 rsbac_vfree(sub_desc_p); 00963 goto out; 00964 } 00965 } 00966 rsbac_vfree(sub_desc_p); 00967 } 00968 00969 /* default_p list */ 00970 len += sprintf(buffer + len, "\nDefault Process ACL: %li members:", 00971 rsbac_list_count(default_p_handle)); 00972 pos = begin + len; 00973 if (pos < offset) 00974 { 00975 len = 0; 00976 begin = pos; 00977 } 00978 if (pos > offset+length) 00979 goto out; 00980 tmp_count = rsbac_list_get_all_desc(default_p_handle, (void **) &sub_desc_p); 00981 if(tmp_count > 0) 00982 { 00983 for(i=0; i<tmp_count; i++) 00984 { 00985 len += sprintf(buffer + len, " %s %u,", 00986 get_acl_subject_type_name(tmp1,sub_desc_p[i].subj_type), 00987 sub_desc_p[i].subj_id); 00988 pos = begin + len; 00989 if (pos < offset) 00990 { 00991 len = 0; 00992 begin = pos; 00993 } 00994 if (pos > offset+length) 00995 { 00996 rsbac_vfree(sub_desc_p); 00997 goto out; 00998 } 00999 } 01000 rsbac_vfree(sub_desc_p); 01001 } 01002 01003 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 01004 /* default_netdev list */ 01005 len += sprintf(buffer + len, "\nDefault Network Device ACL: %li members:", 01006 rsbac_list_count(default_netdev_handle)); 01007 pos = begin + len; 01008 if (pos < offset) 01009 { 01010 len = 0; 01011 begin = pos; 01012 } 01013 if (pos > offset+length) 01014 goto out; 01015 tmp_count = rsbac_list_get_all_desc(default_netdev_handle, (void **) &sub_desc_p); 01016 if(tmp_count > 0) 01017 { 01018 for(i=0; i<tmp_count; i++) 01019 { 01020 len += sprintf(buffer + len, " %s %u,", 01021 get_acl_subject_type_name(tmp1,sub_desc_p[i].subj_type), 01022 sub_desc_p[i].subj_id); 01023 pos = begin + len; 01024 if (pos < offset) 01025 { 01026 len = 0; 01027 begin = pos; 01028 } 01029 if (pos > offset+length) 01030 { 01031 rsbac_vfree(sub_desc_p); 01032 goto out; 01033 } 01034 } 01035 rsbac_vfree(sub_desc_p); 01036 } 01037 #endif 01038 01039 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 01040 /* default_netdev list */ 01041 len += sprintf(buffer + len, "\nDefault Network Template NT ACL: %li members:", 01042 rsbac_list_count(default_nettemp_nt_handle)); 01043 pos = begin + len; 01044 if (pos < offset) 01045 { 01046 len = 0; 01047 begin = pos; 01048 } 01049 if (pos > offset+length) 01050 goto out; 01051 tmp_count = rsbac_list_get_all_desc(default_nettemp_nt_handle, (void **) &sub_desc_p); 01052 if(tmp_count > 0) 01053 { 01054 for(i=0; i<tmp_count; i++) 01055 { 01056 len += sprintf(buffer + len, " %s %u,", 01057 get_acl_subject_type_name(tmp1,sub_desc_p[i].subj_type), 01058 sub_desc_p[i].subj_id); 01059 pos = begin + len; 01060 if (pos < offset) 01061 { 01062 len = 0; 01063 begin = pos; 01064 } 01065 if (pos > offset+length) 01066 { 01067 rsbac_vfree(sub_desc_p); 01068 goto out; 01069 } 01070 } 01071 rsbac_vfree(sub_desc_p); 01072 } 01073 /* default_netobj list */ 01074 len += sprintf(buffer + len, "\nDefault Network Object ACL: %li members:", 01075 rsbac_list_count(default_netobj_handle)); 01076 pos = begin + len; 01077 if (pos < offset) 01078 { 01079 len = 0; 01080 begin = pos; 01081 } 01082 if (pos > offset+length) 01083 goto out; 01084 tmp_count = rsbac_list_get_all_desc(default_netobj_handle, (void **) &sub_desc_p); 01085 if(tmp_count > 0) 01086 { 01087 for(i=0; i<tmp_count; i++) 01088 { 01089 len += sprintf(buffer + len, " %s %u,", 01090 get_acl_subject_type_name(tmp1,sub_desc_p[i].subj_type), 01091 sub_desc_p[i].subj_id); 01092 pos = begin + len; 01093 if (pos < offset) 01094 { 01095 len = 0; 01096 begin = pos; 01097 } 01098 if (pos > offset+length) 01099 { 01100 rsbac_vfree(sub_desc_p); 01101 goto out; 01102 } 01103 } 01104 rsbac_vfree(sub_desc_p); 01105 } 01106 #endif 01107 01108 len += sprintf(buffer + len, "\n\nFile/Dir/Fifo/Symlink ACLs:\n"); 01109 pos = begin + len; 01110 if (pos < offset) 01111 { 01112 len = 0; 01113 begin = pos; 01114 } 01115 if (pos > offset+length) 01116 goto out; 01117 01118 /* protect device list */ 01119 rsbac_read_lock(&device_list_head.lock, &dflags); 01120 device_p = device_list_head.head; 01121 while(device_p) 01122 { 01123 /* reset counters */ 01124 count = 0; 01125 member_count = 0; 01126 len += sprintf(buffer + len, "\nDevice %02u:%02u\n inode count mask+members", 01127 RSBAC_MAJOR(device_p->id), 01128 RSBAC_MINOR(device_p->id)); 01129 pos = begin + len; 01130 if (pos < offset) 01131 { 01132 len = 0; 01133 begin = pos; 01134 } 01135 if (pos > offset+length) 01136 { 01137 rsbac_read_unlock(&device_list_head.lock, &dflags); 01138 goto out; 01139 } 01140 for(i=0; i<RSBAC_ACL_NR_FD_LISTS; i++) 01141 { 01142 tmp_count = rsbac_list_lol_get_all_desc(device_p->handles[i], (void **) &fd_desc_p); 01143 if(tmp_count > 0) 01144 { 01145 for(j=0; j<tmp_count; j++) 01146 { 01147 len += sprintf(buffer + len, "\n%6u\t %li\t", 01148 fd_desc_p[j], 01149 rsbac_list_lol_subcount(device_p->handles[i], &fd_desc_p[j])); 01150 pos = begin + len; 01151 if (pos < offset) 01152 { 01153 len = 0; 01154 begin = pos; 01155 } 01156 if (pos > offset+length) 01157 { 01158 rsbac_vfree(fd_desc_p); 01159 rsbac_read_unlock(&device_list_head.lock, &dflags); 01160 goto out; 01161 } 01162 if(!rsbac_list_lol_get_data(device_p->handles[i], &fd_desc_p[j], &rights)) 01163 { 01164 len += sprintf(buffer + len, "%s\n\t\t", 01165 u64tostracl(tmp1, rights)); 01166 pos = begin + len; 01167 if (pos < offset) 01168 { 01169 len = 0; 01170 begin = pos; 01171 } 01172 if (pos > offset+length) 01173 { 01174 rsbac_vfree(fd_desc_p); 01175 rsbac_read_unlock(&device_list_head.lock, &dflags); 01176 goto out; 01177 } 01178 } 01179 01180 tmp_sub_count = rsbac_list_lol_get_all_subdesc(device_p->handles[i], &fd_desc_p[j], (void **) &sub_desc_p); 01181 if(tmp_sub_count > 0) 01182 { 01183 for(k=0; k<tmp_sub_count; k++) 01184 { 01185 len += sprintf(buffer + len, "%s %u, ", 01186 get_acl_subject_type_name(tmp1, sub_desc_p[k].subj_type), 01187 sub_desc_p[k].subj_id); 01188 pos = begin + len; 01189 if (pos < offset) 01190 { 01191 len = 0; 01192 begin = pos; 01193 } 01194 if (pos > offset+length) 01195 { 01196 rsbac_vfree(sub_desc_p); 01197 rsbac_vfree(fd_desc_p); 01198 rsbac_read_unlock(&device_list_head.lock, &dflags); 01199 goto out; 01200 } 01201 } 01202 rsbac_vfree(sub_desc_p); 01203 member_count += tmp_sub_count; 01204 } 01205 } 01206 count += tmp_count; 01207 rsbac_vfree(fd_desc_p); 01208 } 01209 } 01210 len += sprintf(buffer + len, "\n%u file ACLs, sum of %u members\n", 01211 count,member_count); 01212 pos = begin + len; 01213 if (pos < offset) 01214 { 01215 len = 0; 01216 begin = pos; 01217 } 01218 if (pos > offset+length) 01219 { 01220 rsbac_read_unlock(&device_list_head.lock, &dflags); 01221 goto out; 01222 } 01223 device_p = device_p->next; 01224 } 01225 /* unprotect device list */ 01226 rsbac_read_unlock(&device_list_head.lock, &dflags); 01227 01228 /* dev list */ 01229 len += sprintf(buffer + len, "\nDevice ACLs:\ntype+id count mask+members"); 01230 pos = begin + len; 01231 if (pos < offset) 01232 { 01233 len = 0; 01234 begin = pos; 01235 } 01236 if (pos > offset+length) 01237 goto out; 01238 01239 member_count = 0; 01240 tmp_count = rsbac_list_lol_get_all_desc(dev_handle, (void **) &dev_desc_p); 01241 if(tmp_count > 0) 01242 { 01243 for(i=0; i<tmp_count; i++) 01244 { 01245 if(!rsbac_list_lol_get_data(dev_handle, &dev_desc_p[i], &rights)) 01246 { 01247 len += sprintf(buffer + len, "\n%c%02u:%02u\t %3li\t%s\n\t\t", 01248 'B' + dev_desc_p[i].type, 01249 dev_desc_p[i].major, 01250 dev_desc_p[i].minor, 01251 rsbac_list_lol_subcount(dev_handle, &dev_desc_p[i]), 01252 u64tostracl(tmp1, rights)); 01253 pos = begin + len; 01254 if (pos < offset) 01255 { 01256 len = 0; 01257 begin = pos; 01258 } 01259 if (pos > offset+length) 01260 { 01261 rsbac_vfree(dev_desc_p); 01262 goto out; 01263 } 01264 } 01265 tmp_sub_count = rsbac_list_lol_get_all_subdesc(dev_handle, &dev_desc_p[i], (void **) &sub_desc_p); 01266 if(tmp_sub_count > 0) 01267 { 01268 for(j=0; j<tmp_sub_count; j++) 01269 { 01270 len += sprintf(buffer + len, "%s %u, ", 01271 get_acl_subject_type_name(tmp1,sub_desc_p[j].subj_type), 01272 sub_desc_p[j].subj_id); 01273 pos = begin + len; 01274 if (pos < offset) 01275 { 01276 len = 0; 01277 begin = pos; 01278 } 01279 if (pos > offset+length) 01280 { 01281 rsbac_vfree(sub_desc_p); 01282 rsbac_vfree(dev_desc_p); 01283 goto out; 01284 } 01285 } 01286 rsbac_vfree(sub_desc_p); 01287 member_count += tmp_sub_count; 01288 } 01289 } 01290 rsbac_vfree(dev_desc_p); 01291 }; 01292 len += sprintf(buffer + len, "\n\n%i device ACL items, sum of %u members\n", 01293 tmp_count, member_count); 01294 pos = begin + len; 01295 if (pos < offset) 01296 { 01297 len = 0; 01298 begin = pos; 01299 } 01300 if (pos > offset+length) 01301 goto out; 01302 01303 /* scd list */ 01304 member_count = 0; 01305 len += sprintf(buffer + len, "\nSCD ACLs:\nname count mask+members"); 01306 pos = begin + len; 01307 if (pos < offset) 01308 { 01309 len = 0; 01310 begin = pos; 01311 } 01312 if (pos > offset+length) 01313 goto out; 01314 01315 tmp_count = rsbac_list_lol_get_all_desc(scd_handle, (void **) &scd_desc_p); 01316 if(tmp_count > 0) 01317 { 01318 for(i=0; i<tmp_count; i++) 01319 { 01320 if(!rsbac_list_lol_get_data(scd_handle, &scd_desc_p[i], &rights)) 01321 { 01322 len += sprintf(buffer + len, "\n%-16s %3li\t%s\n\t\t\t", 01323 get_acl_scd_type_name(tmp1, scd_desc_p[i]), 01324 rsbac_list_lol_subcount(scd_handle, &scd_desc_p[i]), 01325 u64tostracl(tmp2, rights)); 01326 pos = begin + len; 01327 if (pos < offset) 01328 { 01329 len = 0; 01330 begin = pos; 01331 } 01332 if (pos > offset+length) 01333 { 01334 rsbac_vfree(scd_desc_p); 01335 goto out; 01336 } 01337 } 01338 tmp_sub_count = rsbac_list_lol_get_all_subdesc(scd_handle, &scd_desc_p[i], (void **) &sub_desc_p); 01339 if(tmp_sub_count > 0) 01340 { 01341 for(j=0; j<tmp_sub_count; j++) 01342 { 01343 len += sprintf(buffer + len, "%s %u, ", 01344 get_acl_subject_type_name(tmp1,sub_desc_p[j].subj_type), 01345 sub_desc_p[j].subj_id); 01346 pos = begin + len; 01347 if (pos < offset) 01348 { 01349 len = 0; 01350 begin = pos; 01351 } 01352 if (pos > offset+length) 01353 { 01354 rsbac_vfree(sub_desc_p); 01355 rsbac_vfree(scd_desc_p); 01356 goto out; 01357 } 01358 } 01359 rsbac_vfree(sub_desc_p); 01360 member_count += tmp_sub_count; 01361 } 01362 } 01363 rsbac_vfree(scd_desc_p); 01364 }; 01365 len += sprintf(buffer + len, "\n\n%u SCD ACL items, sum of %u members\n", 01366 tmp_count, member_count); 01367 pos = begin + len; 01368 if (pos < offset) 01369 { 01370 len = 0; 01371 begin = pos; 01372 } 01373 if (pos > offset+length) 01374 goto out; 01375 01376 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 01377 /* netdev list */ 01378 len += sprintf(buffer + len, "\nNetwork Device ACLs:\nname\t\t count mask+members"); 01379 pos = begin + len; 01380 if (pos < offset) 01381 { 01382 len = 0; 01383 begin = pos; 01384 } 01385 if (pos > offset+length) 01386 goto out; 01387 01388 member_count = 0; 01389 tmp_count = rsbac_list_lol_get_all_desc(netdev_handle, (void **) &netdev_desc_p); 01390 if(tmp_count > 0) 01391 { 01392 for(i=0; i<tmp_count; i++) 01393 { 01394 if(!rsbac_list_lol_get_data(netdev_handle, &netdev_desc_p[i], &rights)) 01395 { 01396 len += sprintf(buffer + len, "\n%-16s %3li\t %s\n\t\t", 01397 netdev_desc_p[i], 01398 rsbac_list_lol_subcount(netdev_handle, &netdev_desc_p[i]), 01399 u64tostracl(tmp1, rights)); 01400 pos = begin + len; 01401 if (pos < offset) 01402 { 01403 len = 0; 01404 begin = pos; 01405 } 01406 if (pos > offset+length) 01407 { 01408 rsbac_vfree(netdev_desc_p); 01409 goto out; 01410 } 01411 } 01412 tmp_sub_count = rsbac_list_lol_get_all_subdesc(netdev_handle, &netdev_desc_p[i], (void **) &sub_desc_p); 01413 if(tmp_sub_count > 0) 01414 { 01415 for(j=0; j<tmp_sub_count; j++) 01416 { 01417 len += sprintf(buffer + len, "%s %u, ", 01418 get_acl_subject_type_name(tmp1,sub_desc_p[j].subj_type), 01419 sub_desc_p[j].subj_id); 01420 pos = begin + len; 01421 if (pos < offset) 01422 { 01423 len = 0; 01424 begin = pos; 01425 } 01426 if (pos > offset+length) 01427 { 01428 rsbac_vfree(sub_desc_p); 01429 rsbac_vfree(netdev_desc_p); 01430 goto out; 01431 } 01432 } 01433 rsbac_vfree(sub_desc_p); 01434 member_count += tmp_sub_count; 01435 } 01436 } 01437 rsbac_vfree(netdev_desc_p); 01438 }; 01439 len += sprintf(buffer + len, "\n\n%i network device ACL items, sum of %u members\n", 01440 tmp_count, member_count); 01441 pos = begin + len; 01442 if (pos < offset) 01443 { 01444 len = 0; 01445 begin = pos; 01446 } 01447 if (pos > offset+length) 01448 goto out; 01449 #endif 01450 01451 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 01452 /* nettemp_nt list */ 01453 len += sprintf(buffer + len, "\nNetwork Template NT (template protection) ACLs:\nTemplate count mask+members"); 01454 pos = begin + len; 01455 if (pos < offset) 01456 { 01457 len = 0; 01458 begin = pos; 01459 } 01460 if (pos > offset+length) 01461 goto out; 01462 01463 member_count = 0; 01464 tmp_count = rsbac_list_lol_get_all_desc(nettemp_nt_handle, (void **) &nettemp_desc_p); 01465 if(tmp_count > 0) 01466 { 01467 for(i=0; i<tmp_count; i++) 01468 { 01469 if(!rsbac_list_lol_get_data(nettemp_nt_handle, &nettemp_desc_p[i], &rights)) 01470 { 01471 len += sprintf(buffer + len, "\n%10u %3li\t%s\n\t\t", 01472 nettemp_desc_p[i], 01473 rsbac_list_lol_subcount(nettemp_nt_handle, &nettemp_desc_p[i]), 01474 u64tostracl(tmp1, rights)); 01475 pos = begin + len; 01476 if (pos < offset) 01477 { 01478 len = 0; 01479 begin = pos; 01480 } 01481 if (pos > offset+length) 01482 { 01483 rsbac_vfree(nettemp_desc_p); 01484 goto out; 01485 } 01486 } 01487 tmp_sub_count = rsbac_list_lol_get_all_subdesc(nettemp_nt_handle, &nettemp_desc_p[i], (void **) &sub_desc_p); 01488 if(tmp_sub_count > 0) 01489 { 01490 for(j=0; j<tmp_sub_count; j++) 01491 { 01492 len += sprintf(buffer + len, "%s %u, ", 01493 get_acl_subject_type_name(tmp1,sub_desc_p[j].subj_type), 01494 sub_desc_p[j].subj_id); 01495 pos = begin + len; 01496 if (pos < offset) 01497 { 01498 len = 0; 01499 begin = pos; 01500 } 01501 if (pos > offset+length) 01502 { 01503 rsbac_vfree(sub_desc_p); 01504 rsbac_vfree(nettemp_desc_p); 01505 goto out; 01506 } 01507 } 01508 rsbac_vfree(sub_desc_p); 01509 member_count += tmp_sub_count; 01510 } 01511 } 01512 rsbac_vfree(nettemp_desc_p); 01513 }; 01514 len += sprintf(buffer + len, "\n\n%i network template NT ACL items, sum of %u members\n", 01515 tmp_count, member_count); 01516 pos = begin + len; 01517 if (pos < offset) 01518 { 01519 len = 0; 01520 begin = pos; 01521 } 01522 if (pos > offset+length) 01523 goto out; 01524 01525 /* nettemp list */ 01526 len += sprintf(buffer + len, "\nNetwork Template (netobj protection) ACLs:\nTemplate count mask+members"); 01527 pos = begin + len; 01528 if (pos < offset) 01529 { 01530 len = 0; 01531 begin = pos; 01532 } 01533 if (pos > offset+length) 01534 goto out; 01535 01536 member_count = 0; 01537 tmp_count = rsbac_list_lol_get_all_desc(nettemp_handle, (void **) &nettemp_desc_p); 01538 if(tmp_count > 0) 01539 { 01540 for(i=0; i<tmp_count; i++) 01541 { 01542 if(!rsbac_list_lol_get_data(nettemp_handle, &nettemp_desc_p[i], &rights)) 01543 { 01544 len += sprintf(buffer + len, "\n%10u %3li\t%s\n\t\t", 01545 nettemp_desc_p[i], 01546 rsbac_list_lol_subcount(nettemp_handle, &nettemp_desc_p[i]), 01547 u64tostracl(tmp1, rights)); 01548 pos = begin + len; 01549 if (pos < offset) 01550 { 01551 len = 0; 01552 begin = pos; 01553 } 01554 if (pos > offset+length) 01555 { 01556 rsbac_vfree(nettemp_desc_p); 01557 goto out; 01558 } 01559 } 01560 tmp_sub_count = rsbac_list_lol_get_all_subdesc(nettemp_handle, &nettemp_desc_p[i], (void **) &sub_desc_p); 01561 if(tmp_sub_count > 0) 01562 { 01563 for(j=0; j<tmp_sub_count; j++) 01564 { 01565 len += sprintf(buffer + len, "%s %u, ", 01566 get_acl_subject_type_name(tmp1,sub_desc_p[j].subj_type), 01567 sub_desc_p[j].subj_id); 01568 pos = begin + len; 01569 if (pos < offset) 01570 { 01571 len = 0; 01572 begin = pos; 01573 } 01574 if (pos > offset+length) 01575 { 01576 rsbac_vfree(sub_desc_p); 01577 rsbac_vfree(nettemp_desc_p); 01578 goto out; 01579 } 01580 } 01581 rsbac_vfree(sub_desc_p); 01582 member_count += tmp_sub_count; 01583 } 01584 } 01585 rsbac_vfree(nettemp_desc_p); 01586 }; 01587 len += sprintf(buffer + len, "\n\n%i network template ACL items, sum of %u members\n", 01588 tmp_count, member_count); 01589 pos = begin + len; 01590 if (pos < offset) 01591 { 01592 len = 0; 01593 begin = pos; 01594 } 01595 if (pos > offset+length) 01596 goto out; 01597 01598 /* netobj list */ 01599 len += sprintf(buffer + len, "\nNetwork Object ACLs:\nObject-ID count mask+members"); 01600 pos = begin + len; 01601 if (pos < offset) 01602 { 01603 len = 0; 01604 begin = pos; 01605 } 01606 if (pos > offset+length) 01607 goto out; 01608 01609 member_count = 0; 01610 tmp_count = rsbac_list_lol_get_all_desc(netobj_handle, (void **) &netobj_desc_p); 01611 if(tmp_count > 0) 01612 { 01613 for(i=0; i<tmp_count; i++) 01614 { 01615 if(!rsbac_list_lol_get_data(netobj_handle, &netobj_desc_p[i], &rights)) 01616 { 01617 len += sprintf(buffer + len, "\n%p %3li\t%s\n\t\t", 01618 netobj_desc_p[i], 01619 rsbac_list_lol_subcount(netobj_handle, &netobj_desc_p[i]), 01620 u64tostracl(tmp1, rights)); 01621 pos = begin + len; 01622 if (pos < offset) 01623 { 01624 len = 0; 01625 begin = pos; 01626 } 01627 if (pos > offset+length) 01628 { 01629 rsbac_vfree(netobj_desc_p); 01630 goto out; 01631 } 01632 } 01633 tmp_sub_count = rsbac_list_lol_get_all_subdesc(netobj_handle, &netobj_desc_p[i], (void **) &sub_desc_p); 01634 if(tmp_sub_count > 0) 01635 { 01636 for(j=0; j<tmp_sub_count; j++) 01637 { 01638 len += sprintf(buffer + len, "%s %u, ", 01639 get_acl_subject_type_name(tmp1,sub_desc_p[j].subj_type), 01640 sub_desc_p[j].subj_id); 01641 pos = begin + len; 01642 if (pos < offset) 01643 { 01644 len = 0; 01645 begin = pos; 01646 } 01647 if (pos > offset+length) 01648 { 01649 rsbac_vfree(sub_desc_p); 01650 rsbac_vfree(netobj_desc_p); 01651 goto out; 01652 } 01653 } 01654 rsbac_vfree(sub_desc_p); 01655 member_count += tmp_sub_count; 01656 } 01657 } 01658 rsbac_vfree(netobj_desc_p); 01659 }; 01660 len += sprintf(buffer + len, "\n\n%i network object ACL items, sum of %u members\n", 01661 tmp_count, member_count); 01662 pos = begin + len; 01663 if (pos < offset) 01664 { 01665 len = 0; 01666 begin = pos; 01667 } 01668 if (pos > offset+length) 01669 goto out; 01670 #endif 01671 01672 out: 01673 *start = buffer + (offset - begin); 01674 len -= (offset - begin); 01675 01676 if (len > length) 01677 len = length; 01678 return len; 01679 } 01680 01681 static int 01682 acl_grouplist_proc_info(char *buffer, char **start, off_t offset, int length) 01683 { 01684 u_int len = 0; 01685 off_t pos = 0; 01686 off_t begin = 0; 01687 01688 char type; 01689 int count, sub_count; 01690 int i,j; 01691 u_int member_count = 0; 01692 struct rsbac_acl_group_entry_t * entry_p; 01693 rsbac_uid_t * user_p; 01694 rsbac_acl_group_id_t * group_p; 01695 rsbac_time_t * ttl_p; 01696 01697 union rsbac_target_id_t rsbac_target_id; 01698 union rsbac_attribute_value_t rsbac_attribute_value; 01699 01700 if (!rsbac_is_initialized) 01701 { 01702 #ifdef CONFIG_RSBAC_RMSG 01703 rsbac_printk(KERN_WARNING "acl_grouplist_proc_info(): RSBAC not initialized\n"); 01704 #endif 01705 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01706 if (!rsbac_nosyslog) 01707 #endif 01708 printk(KERN_WARNING "acl_grouplist_proc_info(): RSBAC not initialized\n"); 01709 return(-RSBAC_ENOTINITIALIZED); 01710 } 01711 #ifdef CONFIG_RSBAC_DEBUG 01712 if (rsbac_debug_aef_acl) 01713 { 01714 #ifdef CONFIG_RSBAC_RMSG 01715 rsbac_printk(KERN_DEBUG "acl_grouplist_proc_info(): calling ADF\n"); 01716 #endif 01717 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01718 if (!rsbac_nosyslog) 01719 #endif 01720 printk(KERN_DEBUG "acl_grouplist_proc_info(): calling ADF\n"); 01721 } 01722 #endif 01723 rsbac_target_id.scd = ST_rsbac; 01724 rsbac_attribute_value.dummy = 0; 01725 if (!rsbac_adf_request(R_GET_STATUS_DATA, 01726 current->pid, 01727 T_SCD, 01728 rsbac_target_id, 01729 A_none, 01730 rsbac_attribute_value)) 01731 { 01732 return -EPERM; 01733 } 01734 01735 len += sprintf(buffer, "ACL Groups\n----------\n"); 01736 01737 /* group list */ 01738 len += sprintf(buffer + len, "Group list: %li groups, last new is %u\nID\ttype name\t\towner\n", 01739 rsbac_list_count(group_handle), group_last_new); 01740 pos = begin + len; 01741 if (pos < offset) 01742 { 01743 len = 0; 01744 begin = pos; 01745 } 01746 if (pos > offset+length) 01747 { 01748 goto out; 01749 } 01750 01751 count = rsbac_list_get_all_data(group_handle, (void **) &entry_p); 01752 if(count > 0) 01753 { 01754 for(i=0; i<count; i++) 01755 { 01756 if(entry_p[i].type == ACLG_GLOBAL) 01757 type = 'G'; 01758 else 01759 type = 'P'; 01760 len += sprintf(buffer + len, "%u\t%c %-18s %u\n", 01761 entry_p[i].id, 01762 type, 01763 entry_p[i].name, 01764 entry_p[i].owner); 01765 pos = begin + len; 01766 if (pos < offset) 01767 { 01768 len = 0; 01769 begin = pos; 01770 } 01771 if (pos > offset+length) 01772 { 01773 rsbac_vfree(entry_p); 01774 goto out; 01775 } 01776 } 01777 rsbac_vfree(entry_p); 01778 } 01779 01780 /* group member list */ 01781 member_count = 0; 01782 len += sprintf(buffer + len, "\nGroup memberships:\nuser count\tgroups"); 01783 pos = begin + len; 01784 if (pos < offset) 01785 { 01786 len = 0; 01787 begin = pos; 01788 } 01789 if (pos > offset+length) 01790 { 01791 goto out; 01792 } 01793 01794 count = rsbac_list_lol_get_all_desc(gm_handle, (void **) &user_p); 01795 if(count > 0) 01796 { 01797 for(i=0; i<count; i++) 01798 { 01799 sub_count = rsbac_list_lol_get_all_subdesc_ttl(gm_handle, 01800 &user_p[i], 01801 (void **) &group_p, 01802 &ttl_p); 01803 len += sprintf(buffer + len, "\n%u\t%i\t", 01804 user_p[i], 01805 sub_count); 01806 pos = begin + len; 01807 if (pos < offset) 01808 { 01809 len = 0; 01810 begin = pos; 01811 } 01812 if (pos > offset+length) 01813 { 01814 rsbac_vfree(user_p); 01815 goto out; 01816 } 01817 01818 if(sub_count > 0) 01819 { 01820 for(j=0; j<sub_count; j++) 01821 { 01822 if(ttl_p[j]) 01823 len += sprintf(buffer + len, "%u(ttl:%i) ", 01824 group_p[j], ttl_p[j]); 01825 else 01826 len += sprintf(buffer + len, "%u ", 01827 group_p[j]); 01828 pos = begin + len; 01829 if (pos < offset) 01830 { 01831 len = 0; 01832 begin = pos; 01833 } 01834 if (pos > offset+length) 01835 { 01836 rsbac_vfree(group_p); 01837 rsbac_vfree(user_p); 01838 goto out; 01839 } 01840 } 01841 member_count+=sub_count; 01842 rsbac_vfree(group_p); 01843 rsbac_vfree(ttl_p); 01844 } 01845 } 01846 rsbac_vfree(user_p); 01847 } 01848 len += sprintf(buffer + len, "\n\n%u user items, sum of %u memberships\n", 01849 count,member_count); 01850 pos = begin + len; 01851 if (pos < offset) 01852 { 01853 len = 0; 01854 begin = pos; 01855 } 01856 if (pos > offset+length) 01857 goto out; 01858 01859 out: 01860 *start = buffer + (offset - begin); 01861 len -= (offset - begin); 01862 01863 if (len > length) 01864 len = length; 01865 return len; 01866 } 01867 01868 #endif /* CONFIG_PROC_FS && CONFIG_RSBAC_PROC */ 01869 01870 01871 /************************************************* */ 01872 /* Init functions */ 01873 /************************************************* */ 01874 01875 /* All functions return 0, if no error occurred, and a negative error code */ 01876 /* otherwise. The error codes are defined in rsbac/error.h. */ 01877 01878 /************************************************************************** */ 01879 /* Initialization of all ACL data structures. After this call, all ACL */ 01880 /* data is kept in memory for performance reasons, but is written to disk */ 01881 /* on every change. */ 01882 01883 #ifdef CONFIG_RSBAC_INIT_DELAY 01884 static void registration_error(int err, char * listname) 01885 #else 01886 static void __init registration_error(int err, char * listname) 01887 #endif 01888 { 01889 if(err) 01890 { 01891 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01892 01893 if(tmp) 01894 { 01895 #ifdef CONFIG_RSBAC_RMSG 01896 rsbac_printk(KERN_WARNING 01897 "rsbac_init_acl(): Registering ACL %s list failed with error %s\n", 01898 listname, 01899 get_error_name(tmp, err)); 01900 #endif 01901 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01902 if (!rsbac_nosyslog) 01903 #endif 01904 printk(KERN_WARNING 01905 "rsbac_init_acl(): Registering ACL %s list failed with error %s\n", 01906 listname, 01907 get_error_name(tmp, err)); 01908 rsbac_kfree(tmp); 01909 } 01910 } 01911 } 01912 01913 /* Because there can be no access to aci data structures before init, */ 01914 /* rsbac_init_acl() will initialize all rw-spinlocks to unlocked. */ 01915 01916 #ifdef CONFIG_RSBAC_INIT_DELAY 01917 int rsbac_init_acl(void) 01918 #else 01919 int __init rsbac_init_acl(void) 01920 #endif 01921 { 01922 int err = 0; 01923 struct rsbac_acl_device_list_item_t * device_p = NULL; 01924 char tmp[80]; 01925 u_long flags; 01926 struct proc_dir_entry * tmp_entry_p; 01927 struct rsbac_list_lol_info_t lol_info; 01928 struct rsbac_list_info_t list_info; 01929 rsbac_acl_rights_vector_t def_mask; 01930 01931 if (rsbac_is_initialized()) 01932 { 01933 printk(KERN_WARNING "rsbac_init_acl(): RSBAC already initialized\n"); 01934 return(-RSBAC_EREINIT); 01935 } 01936 01937 /* set rw-spinlocks to unlocked status and init data structures */ 01938 #ifdef CONFIG_RSBAC_RMSG 01939 rsbac_printk(KERN_INFO "rsbac_init_acl(): Initializing RSBAC: ACL subsystem\n"); 01940 #endif 01941 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01942 if (!rsbac_nosyslog) 01943 #endif 01944 printk(KERN_INFO "rsbac_init_acl(): Initializing RSBAC: ACL subsystem\n"); 01945 01946 /* Init device list */ 01947 device_list_head.lock = RW_LOCK_UNLOCKED; 01948 device_list_head.head = NULL; 01949 device_list_head.tail = NULL; 01950 device_list_head.curr = NULL; 01951 device_list_head.count = 0; 01952 01953 /* register ACL lists */ 01954 #ifdef CONFIG_RSBAC_DEBUG 01955 if (rsbac_debug_ds_acl) 01956 { 01957 #ifdef CONFIG_RSBAC_RMSG 01958 rsbac_printk(KERN_DEBUG "rsbac_init_acl(): Registering lists\n"); 01959 #endif 01960 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01961 if (!rsbac_nosyslog) 01962 #endif 01963 printk(KERN_DEBUG "rsbac_init_acl(): Registering lists\n"); 01964 } 01965 #endif 01966 device_p = create_device_item(rsbac_root_dev); 01967 if (!device_p) 01968 { 01969 #ifdef CONFIG_RSBAC_RMSG 01970 rsbac_printk(KERN_CRIT "rsbac_init_acl(): Could not create device!\n"); 01971 #endif 01972 printk(KERN_CRIT "rsbac_init_acl(): Could not create device!\n"); 01973 return(-RSBAC_ECOULDNOTADDDEVICE); 01974 } 01975 if((err = acl_register_fd_lists(device_p,rsbac_root_dev))) 01976 { 01977 #ifdef CONFIG_RSBAC_RMSG 01978 rsbac_printk(KERN_WARNING 01979 "rsbac_init_acl(): File/Dir ACL registration failed for dev %02u:%02u, err %s!\n", 01980 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev), get_error_name(tmp,err)); 01981 #endif 01982 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01983 if (!rsbac_nosyslog) 01984 #endif 01985 printk(KERN_WARNING 01986 "rsbac_init_acl(): File/Dir ACL registration failed for dev %02u:%02u, err %s!\n", 01987 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev), get_error_name(tmp,err)); 01988 } 01989 /* wait for write access to device_list_head */ 01990 rsbac_write_lock_irq(&device_list_head.lock, &flags); 01991 device_p = add_device_item(device_p); 01992 /* device was added, allow access */ 01993 rsbac_write_unlock_irq(&device_list_head.lock, &flags); 01994 if (!device_p) 01995 { 01996 #ifdef CONFIG_RSBAC_RMSG 01997 rsbac_printk(KERN_CRIT "rsbac_init_acl(): Could not add device!\n"); 01998 #endif 01999 printk(KERN_CRIT "rsbac_init_acl(): Could not add device!\n"); 02000 return(-RSBAC_ECOULDNOTADDDEVICE); 02001 } 02002 02003 list_info.version = RSBAC_ACL_DEF_FD_LIST_VERSION; 02004 list_info.key = RSBAC_ACL_LIST_KEY; 02005 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 02006 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 02007 list_info.max_age = 0; 02008 err = rsbac_list_register(RSBAC_LIST_VERSION, 02009 &default_fd_handle, 02010 &list_info, 02011 #if defined(CONFIG_RSBAC_ACL_BACKUP) 02012 RSBAC_LIST_BACKUP | 02013 #endif 02014 RSBAC_LIST_PERSIST, 02015 entry_compare, 02016 NULL, 02017 NULL, 02018 RSBAC_ACL_DEF_FD_FILENAME, 02019 RSBAC_AUTO_DEV); 02020 if(err) 02021 { 02022 registration_error(err, "default fd"); 02023 } 02024 if(!rsbac_no_defaults && !rsbac_list_count(default_fd_handle)) 02025 { 02026 struct rsbac_acl_entry_desc_t desc; 02027 struct rsbac_acl_entry_t acman_entry = RSBAC_ACL_ACMAN_FD_ENTRY; 02028 struct rsbac_acl_entry_t sysadm_entry = RSBAC_ACL_SYSADM_FD_ENTRY; 02029 struct rsbac_acl_entry_t gen_entry = RSBAC_ACL_GENERAL_FD_ENTRY; 02030 02031 #ifdef CONFIG_RSBAC_RMSG 02032 rsbac_printk(KERN_WARNING 02033 "rsbac_init_acl(): File/Dir default ACL empty on dev %02u:%02u, generating standard ACL!\n", 02034 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02035 #endif 02036 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02037 if (!rsbac_nosyslog) 02038 #endif 02039 printk(KERN_WARNING 02040 "rsbac_init_acl(): File/Dir default ACL empty on dev %02u:%02u, generating standard ACL!\n", 02041 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02042 desc.subj_type = acman_entry.subj_type; 02043 desc.subj_id = acman_entry.subj_id; 02044 rsbac_list_add(default_fd_handle, &desc, &acman_entry.rights); 02045 desc.subj_type = sysadm_entry.subj_type; 02046 desc.subj_id = sysadm_entry.subj_id; 02047 rsbac_list_add(default_fd_handle, &desc, &sysadm_entry.rights); 02048 desc.subj_type = gen_entry.subj_type; 02049 desc.subj_id = gen_entry.subj_id; 02050 rsbac_list_add(default_fd_handle, &desc, &gen_entry.rights); 02051 } 02052 02053 lol_info.version = RSBAC_ACL_DEV_LIST_VERSION; 02054 lol_info.key = RSBAC_ACL_LIST_KEY; 02055 lol_info.desc_size = sizeof(struct rsbac_dev_desc_t); 02056 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */ 02057 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 02058 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 02059 lol_info.max_age = 0; 02060 def_mask=RSBAC_ACL_DEFAULT_DEV_MASK; 02061 err = rsbac_list_lol_register(RSBAC_LIST_VERSION, 02062 &dev_handle, 02063 &lol_info, 02064 #if defined(CONFIG_RSBAC_ACL_BACKUP) 02065 RSBAC_LIST_BACKUP | 02066 #endif 02067 RSBAC_LIST_PERSIST | RSBAC_LIST_DEF_DATA, 02068 dev_compare, 02069 entry_compare, 02070 dev_get_conv, 02071 dev_get_subconv, 02072 &def_mask, 02073 NULL, 02074 RSBAC_ACL_DEV_FILENAME, 02075 RSBAC_AUTO_DEV); 02076 if(err) 02077 { 02078 registration_error(err, "dev"); 02079 } 02080 list_info.version = RSBAC_ACL_DEF_DEV_LIST_VERSION; 02081 list_info.key = RSBAC_ACL_LIST_KEY; 02082 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 02083 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 02084 list_info.max_age = 0; 02085 err = rsbac_list_register(RSBAC_LIST_VERSION, 02086 &default_dev_handle, 02087 &list_info, 02088 #if defined(CONFIG_RSBAC_ACL_BACKUP) 02089 RSBAC_LIST_BACKUP | 02090 #endif 02091 RSBAC_LIST_PERSIST, 02092 entry_compare, 02093 NULL, 02094 NULL, 02095 RSBAC_ACL_DEF_DEV_FILENAME, 02096 RSBAC_AUTO_DEV); 02097 if(err) 02098 { 02099 registration_error(err, "default dev"); 02100 } 02101 if(!rsbac_no_defaults && !rsbac_list_count(default_dev_handle)) 02102 { 02103 struct rsbac_acl_entry_desc_t desc; 02104 struct rsbac_acl_entry_t acman_entry = RSBAC_ACL_ACMAN_DEV_ENTRY; 02105 struct rsbac_acl_entry_t sysadm_entry = RSBAC_ACL_SYSADM_DEV_ENTRY; 02106 struct rsbac_acl_entry_t gen_entry = RSBAC_ACL_GENERAL_DEV_ENTRY; 02107 02108 #ifdef CONFIG_RSBAC_RMSG 02109 rsbac_printk(KERN_WARNING 02110 "rsbac_init_acl(): Device default ACL empty on dev %02u:%02u, generating standard ACL!\n", 02111 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02112 #endif 02113 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02114 if (!rsbac_nosyslog) 02115 #endif 02116 printk(KERN_WARNING 02117 "rsbac_init_acl(): Device default ACL empty on dev %02u:%02u, generating standard ACL!\n", 02118 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02119 desc.subj_type = acman_entry.subj_type; 02120 desc.subj_id = acman_entry.subj_id; 02121 rsbac_list_add(default_dev_handle, &desc, &acman_entry.rights); 02122 desc.subj_type = sysadm_entry.subj_type; 02123 desc.subj_id = sysadm_entry.subj_id; 02124 rsbac_list_add(default_dev_handle, &desc, &sysadm_entry.rights); 02125 desc.subj_type = gen_entry.subj_type; 02126 desc.subj_id = gen_entry.subj_id; 02127 rsbac_list_add(default_dev_handle, &desc, &gen_entry.rights); 02128 } 02129 02130 list_info.version = RSBAC_ACL_DEF_IPC_LIST_VERSION; 02131 list_info.key = RSBAC_ACL_LIST_KEY; 02132 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 02133 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 02134 list_info.max_age = 0; 02135 err = rsbac_list_register(RSBAC_LIST_VERSION, 02136 &default_ipc_handle, 02137 &list_info, 02138 #if defined(CONFIG_RSBAC_ACL_BACKUP) 02139 RSBAC_LIST_BACKUP | 02140 #endif 02141 RSBAC_LIST_PERSIST, 02142 entry_compare, 02143 NULL, 02144 NULL, 02145 RSBAC_ACL_DEF_IPC_FILENAME, 02146 RSBAC_AUTO_DEV); 02147 if(err) 02148 { 02149 registration_error(err, "default ipc"); 02150 } 02151 if(!rsbac_no_defaults && !rsbac_list_count(default_ipc_handle)) 02152 { 02153 struct rsbac_acl_entry_desc_t desc; 02154 struct rsbac_acl_entry_t acman_entry = RSBAC_ACL_ACMAN_IPC_ENTRY; 02155 struct rsbac_acl_entry_t sysadm_entry = RSBAC_ACL_SYSADM_IPC_ENTRY; 02156 struct rsbac_acl_entry_t gen_entry = RSBAC_ACL_GENERAL_IPC_ENTRY; 02157 02158 #ifdef CONFIG_RSBAC_RMSG 02159 rsbac_printk(KERN_WARNING 02160 "rsbac_init_acl(): IPC default ACL empty on dev %02u:%02u, generating standard ACL!\n", 02161 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02162 #endif 02163 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02164 if (!rsbac_nosyslog) 02165 #endif 02166 printk(KERN_WARNING 02167 "rsbac_init_acl(): IPC default ACL empty on dev %02u:%02u, generating standard ACL!\n", 02168 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02169 desc.subj_type = acman_entry.subj_type; 02170 desc.subj_id = acman_entry.subj_id; 02171 rsbac_list_add(default_ipc_handle, &desc, &acman_entry.rights); 02172 desc.subj_type = sysadm_entry.subj_type; 02173 desc.subj_id = sysadm_entry.subj_id; 02174 rsbac_list_add(default_ipc_handle, &desc, &sysadm_entry.rights); 02175 desc.subj_type = gen_entry.subj_type; 02176 desc.subj_id = gen_entry.subj_id; 02177 rsbac_list_add(default_ipc_handle, &desc, &gen_entry.rights); 02178 } 02179 02180 lol_info.version = RSBAC_ACL_SCD_LIST_VERSION; 02181 lol_info.key = RSBAC_ACL_LIST_KEY; 02182 lol_info.desc_size = sizeof(__u8); 02183 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */ 02184 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 02185 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 02186 lol_info.max_age = 0; 02187 def_mask=RSBAC_ACL_DEFAULT_SCD_MASK; 02188 err = rsbac_list_lol_register(RSBAC_LIST_VERSION, 02189 &scd_handle, 02190 &lol_info, 02191 #if defined(CONFIG_RSBAC_ACL_BACKUP) 02192 RSBAC_LIST_BACKUP | 02193 #endif 02194 RSBAC_LIST_PERSIST | RSBAC_LIST_DEF_DATA, 02195 NULL, 02196 entry_compare, 02197 NULL, 02198 NULL, 02199 &def_mask, 02200 NULL, 02201 RSBAC_ACL_SCD_FILENAME, 02202 RSBAC_AUTO_DEV); 02203 if(err) 02204 { 02205 registration_error(err, "scd"); 02206 } 02207 if(!rsbac_no_defaults && !rsbac_list_lol_count(scd_handle)) 02208 { 02209 struct rsbac_acl_entry_desc_t desc; 02210 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_SCD_MASK; 02211 struct rsbac_acl_entry_t gen_entry = RSBAC_ACL_GENERAL_SCD_ENTRY; 02212 #ifdef CONFIG_RSBAC_USER_MOD_IOPERM 02213 struct rsbac_acl_entry_t gen_ioports_entry = RSBAC_ACL_GENERAL_SCD_IOPORTS_ENTRY; 02214 #endif 02215 struct rsbac_acl_entry_t gen_other_entry = RSBAC_ACL_GENERAL_SCD_OTHER_ENTRY; 02216 struct rsbac_acl_entry_t gen_network_entry = RSBAC_ACL_GENERAL_SCD_NETWORK_ENTRY; 02217 struct rsbac_acl_entry_t sysadm_entry = RSBAC_ACL_SYSADM_SCD_ENTRY; 02218 struct rsbac_acl_entry_t sysadm_other_entry = RSBAC_ACL_SYSADM_SCD_OTHER_ENTRY; 02219 #ifdef CONFIG_RSBAC_USER_MOD_IOPERM 02220 struct rsbac_acl_entry_t sysadm_kmem_entry = RSBAC_ACL_SYSADM_SCD_KMEM_ENTRY; 02221 #endif 02222 struct rsbac_acl_entry_t acman_other_entry = RSBAC_ACL_ACMAN_SCD_OTHER_ENTRY; 02223 struct rsbac_acl_entry_t auditor_rsbaclog_entry = RSBAC_ACL_AUDITOR_SCD_RSBACLOG_ENTRY; 02224 __u8 scd; 02225 02226 #ifdef CONFIG_RSBAC_RMSG 02227 rsbac_printk(KERN_WARNING 02228 "rsbac_init_acl(): SCD ACLs empty on dev %02u:%02u, generating standard entries!\n", 02229 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02230 #endif 02231 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02232 if (!rsbac_nosyslog) 02233 #endif 02234 printk(KERN_WARNING 02235 "rsbac_init_acl(): SCD ACLs empty on dev %02u:%02u, generating standard entries!\n", 02236 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02237 scd = ST_rlimit; 02238 if(!rsbac_list_lol_add(scd_handle, &scd, &mask)) 02239 { 02240 desc.subj_type = gen_entry.subj_type; 02241 desc.subj_id = gen_entry.subj_id; 02242 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &gen_entry.rights); 02243 } 02244 for(scd=ST_time_strucs; scd<=ST_rsbac; scd++) 02245 { 02246 if(!rsbac_list_lol_add(scd_handle, &scd, &mask)) 02247 { 02248 desc.subj_type = sysadm_entry.subj_type; 02249 desc.subj_id = sysadm_entry.subj_id; 02250 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &sysadm_entry.rights); 02251 } 02252 } 02253 scd = ST_rsbaclog; 02254 if(!rsbac_list_lol_add(scd_handle, &scd, &mask)) 02255 { 02256 desc.subj_type = auditor_rsbaclog_entry.subj_type; 02257 desc.subj_id = auditor_rsbaclog_entry.subj_id; 02258 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &auditor_rsbaclog_entry.rights); 02259 } 02260 scd=ST_network; 02261 if(!rsbac_list_lol_add(scd_handle, &scd, &mask)) 02262 { 02263 desc.subj_type = sysadm_entry.subj_type; 02264 desc.subj_id = sysadm_entry.subj_id; 02265 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &sysadm_entry.rights); 02266 desc.subj_type = gen_network_entry.subj_type; 02267 desc.subj_id = gen_network_entry.subj_id; 02268 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &gen_network_entry.rights); 02269 } 02270 scd=ST_firewall; 02271 if(!rsbac_list_lol_add(scd_handle, &scd, &mask)) 02272 { 02273 desc.subj_type = sysadm_entry.subj_type; 02274 desc.subj_id = sysadm_entry.subj_id; 02275 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &sysadm_entry.rights); 02276 desc.subj_type = gen_network_entry.subj_type; 02277 desc.subj_id = gen_network_entry.subj_id; 02278 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &gen_network_entry.rights); 02279 } 02280 scd=ST_priority; 02281 if(!rsbac_list_lol_add(scd_handle, &scd, &mask)) 02282 { 02283 desc.subj_type = sysadm_entry.subj_type; 02284 desc.subj_id = sysadm_entry.subj_id; 02285 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &sysadm_entry.rights); 02286 } 02287 scd=ST_sysfs; 02288 if(!rsbac_list_lol_add(scd_handle, &scd, &mask)) 02289 { 02290 desc.subj_type = sysadm_entry.subj_type; 02291 desc.subj_id = sysadm_entry.subj_id; 02292 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &sysadm_entry.rights); 02293 } 02294 #ifdef CONFIG_RSBAC_USER_MOD_IOPERM 02295 scd = ST_ioports; 02296 if(!rsbac_list_lol_add(scd_handle, &scd, &mask)) 02297 { 02298 desc.subj_type = gen_ioports_entry.subj_type; 02299 desc.subj_id = gen_ioports_entry.subj_id; 02300 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &gen_ioports_entry.rights); 02301 } 02302 scd = ST_kmem; 02303 if(!rsbac_list_lol_add(scd_handle, &scd, &mask)) 02304 { 02305 desc.subj_type = sysadm_kmem_entry.subj_type; 02306 desc.subj_id = sysadm_kmem_entry.subj_id; 02307 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &sysadm_kmem_entry.rights); 02308 } 02309 #endif 02310 02311 scd = ST_other; 02312 if(!rsbac_list_lol_add(scd_handle, &scd, &mask)) 02313 { 02314 desc.subj_type = sysadm_other_entry.subj_type; 02315 desc.subj_id = sysadm_other_entry.subj_id; 02316 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &sysadm_other_entry.rights); 02317 desc.subj_type = acman_other_entry.subj_type; 02318 desc.subj_id = acman_other_entry.subj_id; 02319 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &acman_other_entry.rights); 02320 desc.subj_type = gen_other_entry.subj_type; 02321 desc.subj_id = gen_other_entry.subj_id; 02322 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &gen_other_entry.rights); 02323 } 02324 } 02325 02326 list_info.version = RSBAC_ACL_DEF_SCD_LIST_VERSION; 02327 list_info.key = RSBAC_ACL_LIST_KEY; 02328 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 02329 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 02330 list_info.max_age = 0; 02331 err = rsbac_list_register(RSBAC_LIST_VERSION, 02332 &default_scd_handle, 02333 &list_info, 02334 #if defined(CONFIG_RSBAC_ACL_BACKUP) 02335 RSBAC_LIST_BACKUP | 02336 #endif 02337 RSBAC_LIST_PERSIST, 02338 entry_compare, 02339 NULL, 02340 NULL, 02341 RSBAC_ACL_DEF_SCD_FILENAME, 02342 RSBAC_AUTO_DEV); 02343 if(err) 02344 { 02345 registration_error(err, "default scd"); 02346 } 02347 if(!rsbac_no_defaults && !rsbac_list_count(default_scd_handle)) 02348 { 02349 struct rsbac_acl_entry_desc_t desc; 02350 struct rsbac_acl_entry_t acman_entry = RSBAC_ACL_ACMAN_SCD_ENTRY; 02351 02352 #ifdef CONFIG_RSBAC_RMSG 02353 rsbac_printk(KERN_WARNING 02354 "rsbac_init_acl(): SCD default ACL empty on dev %02u:%02u, generating standard ACL!\n", 02355 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02356 #endif 02357 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02358 if (!rsbac_nosyslog) 02359 #endif 02360 printk(KERN_WARNING 02361 "rsbac_init_acl(): SCD default ACL empty on dev %02u:%02u, generating standard ACL!\n", 02362 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02363 desc.subj_type = acman_entry.subj_type; 02364 desc.subj_id = acman_entry.subj_id; 02365 rsbac_list_add(default_scd_handle, &desc, &acman_entry.rights); 02366 } 02367 02368 list_info.version = RSBAC_ACL_DEF_U_LIST_VERSION; 02369 list_info.key = RSBAC_ACL_LIST_KEY; 02370 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 02371 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 02372 list_info.max_age = 0; 02373 err = rsbac_list_register(RSBAC_LIST_VERSION, 02374 &default_u_handle, 02375 &list_info, 02376 #if defined(CONFIG_RSBAC_ACL_BACKUP) 02377 RSBAC_LIST_BACKUP | 02378 #endif 02379 RSBAC_LIST_PERSIST, 02380 entry_compare, 02381 NULL, 02382 NULL, 02383 RSBAC_ACL_DEF_U_FILENAME, 02384 RSBAC_AUTO_DEV); 02385 if(err) 02386 { 02387 registration_error(err, "default user"); 02388 } 02389 if(!rsbac_no_defaults && !rsbac_list_count(default_u_handle)) 02390 { 02391 struct rsbac_acl_entry_desc_t desc; 02392 struct rsbac_acl_entry_t acman_entry = RSBAC_ACL_ACMAN_U_ENTRY; 02393 struct rsbac_acl_entry_t sysadm_entry = RSBAC_ACL_SYSADM_U_ENTRY; 02394 02395 #ifdef CONFIG_RSBAC_RMSG 02396 rsbac_printk(KERN_WARNING 02397 "rsbac_init_acl(): User default ACL empty on dev %02u:%02u, generating standard ACL!\n", 02398 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02399 #endif 02400 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02401 if (!rsbac_nosyslog) 02402 #endif 02403 printk(KERN_WARNING 02404 "rsbac_init_acl(): User default ACL empty on dev %02u:%02u, generating standard ACL!\n", 02405 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02406 desc.subj_type = sysadm_entry.subj_type; 02407 desc.subj_id = sysadm_entry.subj_id; 02408 rsbac_list_add(default_u_handle, &desc, &sysadm_entry.rights); 02409 desc.subj_type = acman_entry.subj_type; 02410 desc.subj_id = acman_entry.subj_id; 02411 rsbac_list_add(default_u_handle, &desc, &acman_entry.rights); 02412 } 02413 02414 list_info.version = RSBAC_ACL_DEF_P_LIST_VERSION; 02415 list_info.key = RSBAC_ACL_LIST_KEY; 02416 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 02417 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 02418 list_info.max_age = 0; 02419 err = rsbac_list_register(RSBAC_LIST_VERSION, 02420 &default_p_handle, 02421 &list_info, 02422 #if defined(CONFIG_RSBAC_ACL_BACKUP) 02423 RSBAC_LIST_BACKUP | 02424 #endif 02425 RSBAC_LIST_PERSIST, 02426 entry_compare, 02427 NULL, 02428 NULL, 02429 RSBAC_ACL_DEF_P_FILENAME, 02430 RSBAC_AUTO_DEV); 02431 if(err) 02432 { 02433 registration_error(err, "default process"); 02434 } 02435 if(!rsbac_no_defaults && !rsbac_list_count(default_p_handle)) 02436 { 02437 struct rsbac_acl_entry_desc_t desc; 02438 struct rsbac_acl_entry_t acman_entry = RSBAC_ACL_ACMAN_P_ENTRY; 02439 struct rsbac_acl_entry_t sysadm_entry = RSBAC_ACL_SYSADM_P_ENTRY; 02440 struct rsbac_acl_entry_t gen_entry = RSBAC_ACL_GENERAL_P_ENTRY; 02441 02442 #ifdef CONFIG_RSBAC_RMSG 02443 rsbac_printk(KERN_WARNING 02444 "rsbac_init_acl(): Process default ACL empty on dev %02u:%02u, generating standard ACL!\n", 02445 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02446 #endif 02447 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02448 if (!rsbac_nosyslog) 02449 #endif 02450 printk(KERN_WARNING 02451 "rsbac_init_acl(): Process default ACL empty on dev %02u:%02u, generating standard ACL!\n", 02452 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02453 desc.subj_type = sysadm_entry.subj_type; 02454 desc.subj_id = sysadm_entry.subj_id; 02455 rsbac_list_add(default_p_handle, &desc, &sysadm_entry.rights); 02456 desc.subj_type = acman_entry.subj_type; 02457 desc.subj_id = acman_entry.subj_id; 02458 rsbac_list_add(default_p_handle, &desc, &acman_entry.rights); 02459 desc.subj_type = gen_entry.subj_type; 02460 desc.subj_id = gen_entry.subj_id; 02461 rsbac_list_add(default_p_handle, &desc, &gen_entry.rights); 02462 } 02463 02464 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 02465 lol_info.version = RSBAC_ACL_NETDEV_LIST_VERSION; 02466 lol_info.key = RSBAC_ACL_LIST_KEY; 02467 lol_info.desc_size = sizeof(rsbac_netdev_id_t); 02468 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */ 02469 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 02470 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 02471 lol_info.max_age = 0; 02472 def_mask=RSBAC_ACL_DEFAULT_NETDEV_MASK; 02473 err = rsbac_list_lol_register(RSBAC_LIST_VERSION, 02474 &netdev_handle, 02475 &lol_info, 02476 #if defined(CONFIG_RSBAC_ACL_BACKUP) 02477 RSBAC_LIST_BACKUP | 02478 #endif 02479 RSBAC_LIST_PERSIST | RSBAC_LIST_DEF_DATA, 02480 netdev_compare, 02481 entry_compare, 02482 NULL, 02483 NULL, 02484 &def_mask, 02485 NULL, 02486 RSBAC_ACL_NETDEV_FILENAME, 02487 RSBAC_AUTO_DEV); 02488 if(err) 02489 { 02490 registration_error(err, "netdev"); 02491 } 02492 list_info.version = RSBAC_ACL_DEF_NETDEV_LIST_VERSION; 02493 list_info.key = RSBAC_ACL_LIST_KEY; 02494 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 02495 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 02496 list_info.max_age = 0; 02497 err = rsbac_list_register(RSBAC_LIST_VERSION, 02498 &default_netdev_handle, 02499 &list_info, 02500 #if defined(CONFIG_RSBAC_ACL_BACKUP) 02501 RSBAC_LIST_BACKUP | 02502 #endif 02503 RSBAC_LIST_PERSIST, 02504 entry_compare, 02505 NULL, 02506 NULL, 02507 RSBAC_ACL_DEF_NETDEV_FILENAME, 02508 RSBAC_AUTO_DEV); 02509 if(err) 02510 { 02511 registration_error(err, "default netdev"); 02512 } 02513 if(!rsbac_no_defaults && !rsbac_list_count(default_netdev_handle)) 02514 { 02515 struct rsbac_acl_entry_desc_t desc; 02516 struct rsbac_acl_entry_t acman_entry = RSBAC_ACL_ACMAN_NETDEV_ENTRY; 02517 struct rsbac_acl_entry_t sysadm_entry = RSBAC_ACL_SYSADM_NETDEV_ENTRY; 02518 struct rsbac_acl_entry_t gen_entry = RSBAC_ACL_GENERAL_NETDEV_ENTRY; 02519 02520 #ifdef CONFIG_RSBAC_RMSG 02521 rsbac_printk(KERN_WARNING 02522 "rsbac_init_acl(): Network Device default ACL empty on dev %02u:%02u, generating standard ACL!\n", 02523 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02524 #endif 02525 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02526 if (!rsbac_nosyslog) 02527 #endif 02528 printk(KERN_WARNING 02529 "rsbac_init_acl(): Network Device default ACL empty on dev %02u:%02u, generating standard ACL!\n", 02530 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02531 desc.subj_type = acman_entry.subj_type; 02532 desc.subj_id = acman_entry.subj_id; 02533 rsbac_list_add(default_netdev_handle, &desc, &acman_entry.rights); 02534 desc.subj_type = sysadm_entry.subj_type; 02535 desc.subj_id = sysadm_entry.subj_id; 02536 rsbac_list_add(default_netdev_handle, &desc, &sysadm_entry.rights); 02537 desc.subj_type = gen_entry.subj_type; 02538 desc.subj_id = gen_entry.subj_id; 02539 rsbac_list_add(default_netdev_handle, &desc, &gen_entry.rights); 02540 } 02541 #endif 02542 02543 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 02544 lol_info.version = RSBAC_ACL_NETTEMP_NT_LIST_VERSION; 02545 lol_info.key = RSBAC_ACL_LIST_KEY; 02546 lol_info.desc_size = sizeof(rsbac_net_temp_id_t); 02547 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */ 02548 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 02549 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 02550 lol_info.max_age = 0; 02551 def_mask=RSBAC_ACL_DEFAULT_NETTEMP_MASK; 02552 err = rsbac_list_lol_register(RSBAC_LIST_VERSION, 02553 &nettemp_nt_handle, 02554 &lol_info, 02555 #if defined(CONFIG_RSBAC_ACL_BACKUP) 02556 RSBAC_LIST_BACKUP | 02557 #endif 02558 RSBAC_LIST_PERSIST, 02559 rsbac_list_compare_u32, 02560 entry_compare, 02561 NULL, 02562 NULL, 02563 &def_mask, 02564 NULL, 02565 RSBAC_ACL_NETTEMP_NT_FILENAME, 02566 RSBAC_AUTO_DEV); 02567 if(err) 02568 { 02569 registration_error(err, "nettemp_nt"); 02570 } 02571 list_info.version = RSBAC_ACL_DEF_NETTEMP_NT_LIST_VERSION; 02572 list_info.key = RSBAC_ACL_LIST_KEY; 02573 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 02574 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 02575 list_info.max_age = 0; 02576 err = rsbac_list_register(RSBAC_LIST_VERSION, 02577 &default_nettemp_nt_handle, 02578 &list_info, 02579 #if defined(CONFIG_RSBAC_ACL_BACKUP) 02580 RSBAC_LIST_BACKUP | 02581 #endif 02582 RSBAC_LIST_PERSIST, 02583 entry_compare, 02584 NULL, 02585 NULL, 02586 RSBAC_ACL_DEF_NETTEMP_NT_FILENAME, 02587 RSBAC_AUTO_DEV); 02588 if(err) 02589 { 02590 registration_error(err, "default nettemp_nt"); 02591 } 02592 if(!rsbac_no_defaults && !rsbac_list_count(default_nettemp_nt_handle)) 02593 { 02594 struct rsbac_acl_entry_desc_t desc; 02595 struct rsbac_acl_entry_t acman_entry = RSBAC_ACL_ACMAN_NETTEMP_NT_ENTRY; 02596 struct rsbac_acl_entry_t sysadm_entry = RSBAC_ACL_SYSADM_NETTEMP_NT_ENTRY; 02597 struct rsbac_acl_entry_t gen_entry = RSBAC_ACL_GENERAL_NETTEMP_NT_ENTRY; 02598 02599 #ifdef CONFIG_RSBAC_RMSG 02600 rsbac_printk(KERN_WARNING 02601 "rsbac_init_acl(): Network Template NT (template protection) default ACL empty on dev %02u:%02u, generating standard ACL!\n", 02602 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02603 #endif 02604 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02605 if (!rsbac_nosyslog) 02606 #endif 02607 printk(KERN_WARNING 02608 "rsbac_init_acl(): Network Template NT (template protection) default ACL empty on dev %02u:%02u, generating standard ACL!\n", 02609 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02610 desc.subj_type = acman_entry.subj_type; 02611 desc.subj_id = acman_entry.subj_id; 02612 rsbac_list_add(default_nettemp_nt_handle, &desc, &acman_entry.rights); 02613 desc.subj_type = sysadm_entry.subj_type; 02614 desc.subj_id = sysadm_entry.subj_id; 02615 rsbac_list_add(default_nettemp_nt_handle, &desc, &sysadm_entry.rights); 02616 desc.subj_type = gen_entry.subj_type; 02617 desc.subj_id = gen_entry.subj_id; 02618 rsbac_list_add(default_nettemp_nt_handle, &desc, &gen_entry.rights); 02619 } 02620 lol_info.version = RSBAC_ACL_NETTEMP_LIST_VERSION; 02621 lol_info.key = RSBAC_ACL_LIST_KEY; 02622 lol_info.desc_size = sizeof(rsbac_net_temp_id_t); 02623 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */ 02624 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 02625 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 02626 lol_info.max_age = 0; 02627 def_mask=RSBAC_ACL_DEFAULT_NETOBJ_MASK; 02628 err = rsbac_list_lol_register(RSBAC_LIST_VERSION, 02629 &nettemp_handle, 02630 &lol_info, 02631 #if defined(CONFIG_RSBAC_ACL_BACKUP) 02632 RSBAC_LIST_BACKUP | 02633 #endif 02634 RSBAC_LIST_PERSIST, 02635 rsbac_list_compare_u32, 02636 entry_compare, 02637 NULL, 02638 NULL, 02639 &def_mask, 02640 NULL, 02641 RSBAC_ACL_NETTEMP_FILENAME, 02642 RSBAC_AUTO_DEV); 02643 if(err) 02644 { 02645 registration_error(err, "nettemp"); 02646 } 02647 lol_info.version = RSBAC_ACL_NETOBJ_LIST_VERSION; 02648 lol_info.key = RSBAC_ACL_LIST_KEY; 02649 lol_info.desc_size = sizeof(rsbac_net_obj_id_t); 02650 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */ 02651 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 02652 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 02653 lol_info.max_age = 0; 02654 def_mask=RSBAC_ACL_DEFAULT_NETOBJ_MASK; 02655 err = rsbac_list_lol_register(RSBAC_LIST_VERSION, 02656 &netobj_handle, 02657 &lol_info, 02658 0, 02659 rsbac_list_compare_u32, 02660 entry_compare, 02661 NULL, 02662 NULL, 02663 &def_mask, 02664 NULL, 02665 RSBAC_ACL_NETOBJ_FILENAME, 02666 RSBAC_AUTO_DEV); 02667 if(err) 02668 { 02669 registration_error(err, "netobj"); 02670 } 02671 list_info.version = RSBAC_ACL_DEF_NETOBJ_LIST_VERSION; 02672 list_info.key = RSBAC_ACL_LIST_KEY; 02673 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 02674 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 02675 list_info.max_age = 0; 02676 err = rsbac_list_register(RSBAC_LIST_VERSION, 02677 &default_netobj_handle, 02678 &list_info, 02679 #if defined(CONFIG_RSBAC_ACL_BACKUP) 02680 RSBAC_LIST_BACKUP | 02681 #endif 02682 RSBAC_LIST_PERSIST, 02683 entry_compare, 02684 NULL, 02685 NULL, 02686 RSBAC_ACL_DEF_NETOBJ_FILENAME, 02687 RSBAC_AUTO_DEV); 02688 if(err) 02689 { 02690 registration_error(err, "default netobj"); 02691 } 02692 if(!rsbac_no_defaults && !rsbac_list_count(default_netobj_handle)) 02693 { 02694 struct rsbac_acl_entry_desc_t desc; 02695 struct rsbac_acl_entry_t acman_entry = RSBAC_ACL_ACMAN_NETOBJ_ENTRY; 02696 struct rsbac_acl_entry_t sysadm_entry = RSBAC_ACL_SYSADM_NETOBJ_ENTRY; 02697 struct rsbac_acl_entry_t gen_entry = RSBAC_ACL_GENERAL_NETOBJ_ENTRY; 02698 02699 #ifdef CONFIG_RSBAC_RMSG 02700 rsbac_printk(KERN_WARNING 02701 "rsbac_init_acl(): Network Object default ACL empty on dev %02u:%02u, generating standard ACL!\n", 02702 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02703 #endif 02704 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02705 if (!rsbac_nosyslog) 02706 #endif 02707 printk(KERN_WARNING 02708 "rsbac_init_acl(): Network Object default ACL empty on dev %02u:%02u, generating standard ACL!\n", 02709 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02710 desc.subj_type = acman_entry.subj_type; 02711 desc.subj_id = acman_entry.subj_id; 02712 rsbac_list_add(default_netobj_handle, &desc, &acman_entry.rights); 02713 desc.subj_type = sysadm_entry.subj_type; 02714 desc.subj_id = sysadm_entry.subj_id; 02715 rsbac_list_add(default_netobj_handle, &desc, &sysadm_entry.rights); 02716 desc.subj_type = gen_entry.subj_type; 02717 desc.subj_id = gen_entry.subj_id; 02718 rsbac_list_add(default_netobj_handle, &desc, &gen_entry.rights); 02719 } 02720 #endif /* NET_OBJ_PROT */ 02721 02722 /* groups */ 02723 list_info.version = RSBAC_ACL_GROUP_VERSION; 02724 list_info.key = RSBAC_ACL_LIST_KEY; 02725 list_info.desc_size = sizeof(rsbac_acl_group_id_t); 02726 list_info.data_size = sizeof(struct rsbac_acl_group_entry_t); 02727 list_info.max_age = 0; 02728 err = rsbac_list_register(RSBAC_LIST_VERSION, 02729 &group_handle, 02730 &list_info, 02731 #if defined(CONFIG_RSBAC_ACL_BACKUP) 02732 RSBAC_LIST_BACKUP | 02733 #endif 02734 RSBAC_LIST_PERSIST, 02735 rsbac_list_compare_u32, 02736 NULL, 02737 NULL, 02738 RSBAC_ACL_GROUP_FILENAME, 02739 RSBAC_AUTO_DEV); 02740 if(err) 02741 { 02742 registration_error(err, "group"); 02743 } 02744 if(!rsbac_no_defaults && !rsbac_list_count(group_handle)) 02745 { 02746 #ifdef CONFIG_RSBAC_RMSG 02747 rsbac_printk(KERN_WARNING 02748 "rsbac_init_acl(): Group list empty on dev %02u:%02u!\n", 02749 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02750 #endif 02751 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02752 if (!rsbac_nosyslog) 02753 #endif 02754 printk(KERN_WARNING 02755 "rsbac_init_acl(): Group list empty on dev %02u:%02u!\n", 02756 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02757 } 02758 else 02759 { 02760 rsbac_list_get_max_desc(group_handle, &group_last_new); 02761 } 02762 02763 /* group memberships */ 02764 lol_info.version = RSBAC_ACL_GM_VERSION; 02765 lol_info.key = RSBAC_ACL_LIST_KEY; 02766 lol_info.desc_size = sizeof(rsbac_uid_t); 02767 lol_info.data_size = 0; 02768 lol_info.subdesc_size = sizeof(rsbac_acl_group_id_t); 02769 lol_info.subdata_size = 0; 02770 lol_info.max_age = 0; 02771 err = rsbac_list_lol_register(RSBAC_LIST_VERSION, 02772 &gm_handle, 02773 &lol_info, 02774 #if defined(CONFIG_RSBAC_ACL_BACKUP) 02775 RSBAC_LIST_BACKUP | 02776 #endif 02777 RSBAC_LIST_PERSIST | RSBAC_LIST_DEF_DATA, 02778 rsbac_list_compare_u32, 02779 rsbac_list_compare_u32, 02780 NULL, 02781 NULL, 02782 NULL, 02783 NULL, 02784 RSBAC_ACL_GM_FILENAME, 02785 RSBAC_AUTO_DEV); 02786 if(err) 02787 { 02788 registration_error(err, "gm"); 02789 } 02790 if(!rsbac_no_defaults && !rsbac_list_lol_count(gm_handle)) 02791 { 02792 #ifdef CONFIG_RSBAC_RMSG 02793 rsbac_printk(KERN_WARNING 02794 "rsbac_init_acl(): Group membership list empty on dev %02u:%02u!\n", 02795 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02796 #endif 02797 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02798 if (!rsbac_nosyslog) 02799 #endif 02800 printk(KERN_WARNING 02801 "rsbac_init_acl(): Group membership list empty on dev %02u:%02u!\n", 02802 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev)); 02803 } 02804 02805 #if defined(CONFIG_RSBAC_PROC) && defined(CONFIG_PROC_FS) 02806 tmp_entry_p = create_proc_entry("acl_devices", 02807 S_IFREG | S_IRUGO, 02808 proc_rsbac_root_p); 02809 if(tmp_entry_p) 02810 { 02811 tmp_entry_p->get_info = acl_devices_proc_info; 02812 } 02813 tmp_entry_p = create_proc_entry("stats_acl", 02814 S_IFREG | S_IRUGO, 02815 proc_rsbac_root_p); 02816 if(tmp_entry_p) 02817 { 02818 tmp_entry_p->get_info = stats_acl_proc_info; 02819 } 02820 tmp_entry_p = create_proc_entry("acl_acllist", 02821 S_IFREG | S_IRUGO, 02822 proc_rsbac_root_p); 02823 if(tmp_entry_p) 02824 { 02825 tmp_entry_p->get_info = acl_acllist_proc_info; 02826 } 02827 tmp_entry_p = create_proc_entry("acl_grouplist", 02828 S_IFREG | S_IRUGO, 02829 proc_rsbac_root_p); 02830 if(tmp_entry_p) 02831 { 02832 tmp_entry_p->get_info = acl_grouplist_proc_info; 02833 } 02834 #endif 02835 02836 #ifdef CONFIG_RSBAC_DEBUG 02837 if (rsbac_debug_ds_acl) 02838 { 02839 #ifdef CONFIG_RSBAC_RMSG 02840 rsbac_printk(KERN_DEBUG "rsbac_init_acl(): Ready.\n"); 02841 #endif 02842 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02843 if (!rsbac_nosyslog) 02844 #endif 02845 printk(KERN_DEBUG "rsbac_init_acl(): Ready.\n"); 02846 } 02847 #endif 02848 return(err); 02849 }; 02850 02851 int rsbac_mount_acl(kdev_t kdev) 02852 { 02853 int err = 0; 02854 struct rsbac_acl_device_list_item_t * device_p; 02855 struct rsbac_acl_device_list_item_t * new_device_p; 02856 u_long flags; 02857 02858 if (!rsbac_is_initialized()) 02859 { 02860 #ifdef CONFIG_RSBAC_RMSG 02861 rsbac_printk(KERN_WARNING "rsbac_mount_acl(): RSBAC not initialized\n"); 02862 #endif 02863 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02864 if (!rsbac_nosyslog) 02865 #endif 02866 printk(KERN_WARNING "rsbac_mount_acl(): RSBAC not initialized\n"); 02867 return(-RSBAC_ENOTINITIALIZED); 02868 } 02869 #ifdef CONFIG_RSBAC_DEBUG 02870 if (rsbac_debug_ds_acl) 02871 { 02872 #ifdef CONFIG_RSBAC_RMSG 02873 rsbac_printk(KERN_DEBUG "rsbac_mount_acl(): mounting device %02u:%02u\n", 02874 RSBAC_MAJOR(kdev),RSBAC_MINOR(kdev)); 02875 #endif 02876 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02877 if (!rsbac_nosyslog) 02878 #endif 02879 printk(KERN_DEBUG "rsbac_mount_acl(): mounting device %02u:%02u\n", 02880 RSBAC_MAJOR(kdev),RSBAC_MINOR(kdev)); 02881 } 02882 #endif 02883 /* wait for read access to device_list_head */ 02884 rsbac_read_lock(&device_list_head.lock, &flags); 02885 device_p = acl_lookup_device(kdev); 02886 /* repeated mount? */ 02887 if(device_p) 02888 { 02889 #ifdef CONFIG_RSBAC_RMSG 02890 rsbac_printk(KERN_INFO "rsbac_mount_acl: repeated mount %u of device %02u:%02u\n", 02891 device_p->mount_count, RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 02892 #endif 02893 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02894 if (!rsbac_nosyslog) 02895 #endif 02896 printk(KERN_INFO "rsbac_mount_acl: repeated mount %u of device %02u:%02u\n", 02897 device_p->mount_count, RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 02898 device_p->mount_count++; 02899 rsbac_read_unlock(&device_list_head.lock, &flags); 02900 return 0; 02901 } 02902 rsbac_read_unlock(&device_list_head.lock, &flags); 02903 /* OK, go on */ 02904 new_device_p = create_device_item(kdev); 02905 if(!new_device_p) 02906 return -RSBAC_ECOULDNOTADDDEVICE; 02907 02908 if((err = acl_register_fd_lists(new_device_p, kdev))) 02909 { 02910 char * tmp; 02911 02912 tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 02913 if(tmp) 02914 { 02915 #ifdef CONFIG_RSBAC_RMSG 02916 rsbac_printk(KERN_WARNING 02917 "rsbac_mount_acl(): File/Dir ACL registration failed for dev %02u:%02u, err %s!\n", 02918 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev), get_error_name(tmp,err)); 02919 #endif 02920 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02921 if (!rsbac_nosyslog) 02922 #endif 02923 printk(KERN_WARNING 02924 "rsbac_mount_acl(): File/Dir ACL registration failed for dev %02u:%02u, err %s!\n", 02925 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev), get_error_name(tmp,err)); 02926 rsbac_kfree(tmp); 02927 } 02928 } 02929 02930 /* wait for read access to device_list_head */ 02931 rsbac_read_lock(&device_list_head.lock, &flags); 02932 /* make sure to only add, if this device item has not been added in the meantime */ 02933 device_p = acl_lookup_device(kdev); 02934 if(device_p) 02935 { 02936 #ifdef CONFIG_RSBAC_RMSG 02937 rsbac_printk(KERN_WARNING 02938 "rsbac_mount_acl(): mount race for device %02u:%02u detected!\n", 02939 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 02940 #endif 02941 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02942 if (!rsbac_nosyslog) 02943 #endif 02944 printk(KERN_WARNING 02945 "rsbac_mount_acl(): mount race for device %02u:%02u detected!\n", 02946 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 02947 device_p->mount_count++; 02948 /* also detaches lists */ 02949 clear_device_item(new_device_p); 02950 rsbac_read_unlock(&device_list_head.lock, &flags); 02951 } 02952 else 02953 { 02954 rsbac_read_unlock(&device_list_head.lock, &flags); 02955 rsbac_write_lock_irq(&device_list_head.lock, &flags); 02956 device_p = add_device_item(new_device_p); 02957 rsbac_write_unlock_irq(&device_list_head.lock, &flags); 02958 if(!device_p) 02959 { 02960 #ifdef CONFIG_RSBAC_RMSG 02961 rsbac_printk(KERN_WARNING "rsbac_mount_acl: adding device %02u:%02u failed!\n", 02962 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 02963 #endif 02964 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02965 if (!rsbac_nosyslog) 02966 #endif 02967 printk(KERN_WARNING "rsbac_mount_acl: adding device %02u:%02u failed!\n", 02968 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 02969 /* also detaches lists */ 02970 clear_device_item(new_device_p); 02971 err = -RSBAC_ECOULDNOTADDDEVICE; 02972 } 02973 } 02974 02975 return(err); 02976 }; 02977 02978 /* When umounting a device, its file/dir ACLs must be removed. */ 02979 02980 int rsbac_umount_acl(kdev_t kdev) 02981 { 02982 u_long flags; 02983 struct rsbac_acl_device_list_item_t * device_p; 02984 02985 if (!rsbac_is_initialized()) 02986 { 02987 #ifdef CONFIG_RSBAC_RMSG 02988 rsbac_printk(KERN_WARNING "rsbac_umount(): RSBAC not initialized\n"); 02989 #endif 02990 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02991 if (!rsbac_nosyslog) 02992 #endif 02993 printk(KERN_WARNING "rsbac_umount(): RSBAC not initialized\n"); 02994 return(-RSBAC_ENOTINITIALIZED); 02995 } 02996 02997 #ifdef CONFIG_RSBAC_DEBUG 02998 if (rsbac_debug_ds) 02999 { 03000 #ifdef CONFIG_RSBAC_RMSG 03001 rsbac_printk(KERN_DEBUG "rsbac_umount_acl(): umounting device %02u:%02u\n", 03002 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 03003 #endif 03004 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03005 if (!rsbac_nosyslog) 03006 #endif 03007 printk(KERN_DEBUG "rsbac_umount_acl(): umounting device %02u:%02u\n", 03008 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 03009 } 03010 #endif 03011 /* sync of attribute lists was done in rsbac_umount */ 03012 /* wait for write access to device_list_head */ 03013 rsbac_write_lock(&device_list_head.lock, &flags); 03014 /* OK, nobody else is working on it... */ 03015 device_p = acl_lookup_device(kdev); 03016 if(device_p) 03017 { 03018 if(device_p->mount_count == 1) 03019 remove_device_item(kdev); 03020 else 03021 { 03022 if(device_p->mount_count > 1) 03023 { 03024 device_p->mount_count--; 03025 } 03026 else 03027 { 03028 #ifdef CONFIG_RSBAC_RMSG 03029 rsbac_printk(KERN_WARNING "rsbac_umount_acl: device %02u:%02u has mount_count < 1!\n", 03030 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 03031 #endif 03032 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03033 if (!rsbac_nosyslog) 03034 #endif 03035 printk(KERN_WARNING "rsbac_umount_acl: device %02u:%02u has mount_count < 1!\n", 03036 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 03037 } 03038 } 03039 } 03040 /* allow access */ 03041 rsbac_write_unlock(&device_list_head.lock, &flags); 03042 return(0); 03043 }; 03044 03045 /***************************************************/ 03046 /* We also need some status information... */ 03047 03048 int rsbac_stats_acl(void) 03049 { 03050 u_int item_count = 0; 03051 u_int member_count = 0; 03052 int tmp_count; 03053 u_int i; 03054 u_long dflags; 03055 struct rsbac_acl_device_list_item_t * device_p; 03056 03057 union rsbac_target_id_t rsbac_target_id; 03058 union rsbac_attribute_value_t rsbac_attribute_value; 03059 03060 if (!rsbac_is_initialized) 03061 { 03062 printk(KERN_WARNING "rsbac_stats_acl(): RSBAC not initialized\n"); 03063 return(-RSBAC_ENOTINITIALIZED); 03064 } 03065 #ifdef CONFIG_RSBAC_DEBUG 03066 if (rsbac_debug_aef_acl) 03067 { 03068 #ifdef CONFIG_RSBAC_RMSG 03069 rsbac_printk(KERN_DEBUG "rsbac_stats_acl(): calling ADF\n"); 03070 #endif 03071 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03072 if (!rsbac_nosyslog) 03073 #endif 03074 printk(KERN_DEBUG "rsbac_stats_acl(): calling ADF\n"); 03075 } 03076 #endif 03077 rsbac_target_id.scd = ST_rsbac; 03078 rsbac_attribute_value.dummy = 0; 03079 if (!rsbac_adf_request(R_GET_STATUS_DATA, 03080 current->pid, 03081 T_SCD, 03082 rsbac_target_id, 03083 A_none, 03084 rsbac_attribute_value)) 03085 { 03086 return -EPERM; 03087 } 03088 03089 printk(KERN_INFO "ACL Status\n-----------\n"); 03090 03091 /* protect device list */ 03092 rsbac_read_lock(&device_list_head.lock, &dflags); 03093 device_p = device_list_head.head; 03094 while(device_p) 03095 { 03096 /* reset counters */ 03097 item_count = 0; 03098 member_count = 0; 03099 for(i=0; i<RSBAC_ACL_NR_FD_LISTS; i++) 03100 { 03101 tmp_count = rsbac_list_lol_count(device_p->handles[i]); 03102 if(tmp_count > 0) 03103 item_count+=tmp_count; 03104 tmp_count = rsbac_list_lol_all_subcount(device_p->handles[i]); 03105 if(tmp_count > 0) 03106 member_count += tmp_count; 03107 } 03108 printk(KERN_INFO 03109 "device %02u:%02u has %u file ACLs, sum of %u members\n", 03110 RSBAC_MAJOR(device_p->id), 03111 RSBAC_MINOR(device_p->id), 03112 item_count, 03113 member_count); 03114 device_p = device_p->next; 03115 } 03116 /* unprotect device list */ 03117 rsbac_read_unlock(&device_list_head.lock, &dflags); 03118 03119 /* dev list */ 03120 printk(KERN_INFO 03121 "%li device ACL items, sum of %li members\n", 03122 rsbac_list_lol_count(dev_handle), 03123 rsbac_list_lol_all_subcount(dev_handle)); 03124 03125 /* SCD list */ 03126 printk(KERN_INFO 03127 "%li scd ACL items, sum of %li members\n", 03128 rsbac_list_lol_count(scd_handle), 03129 rsbac_list_lol_all_subcount(scd_handle)); 03130 03131 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 03132 /* netdev list */ 03133 printk(KERN_INFO 03134 "%li network device ACL items, sum of %li members\n", 03135 rsbac_list_lol_count(netdev_handle), 03136 rsbac_list_lol_all_subcount(netdev_handle)); 03137 #endif 03138 03139 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 03140 /* nettemp_nt list */ 03141 printk(KERN_INFO 03142 "%li network template NT ACL items, sum of %li members\n", 03143 rsbac_list_lol_count(nettemp_nt_handle), 03144 rsbac_list_lol_all_subcount(nettemp_nt_handle)); 03145 /* nettemp list */ 03146 printk(KERN_INFO 03147 "%li network template ACL items, sum of %li members\n", 03148 rsbac_list_lol_count(nettemp_handle), 03149 rsbac_list_lol_all_subcount(nettemp_handle)); 03150 /* netobj list */ 03151 printk(KERN_INFO 03152 "%li network object ACL items, sum of %li members\n", 03153 rsbac_list_lol_count(netobj_handle), 03154 rsbac_list_lol_all_subcount(netobj_handle)); 03155 #endif 03156 03157 printk(KERN_INFO 03158 "%li groups, last new is %u\n", 03159 rsbac_list_count(group_handle), 03160 group_last_new); 03161 03162 /* protect gm list */ 03163 printk(KERN_INFO 03164 "%li group member items, sum of %li group memberships\n", 03165 rsbac_list_lol_count(gm_handle), 03166 rsbac_list_lol_all_subcount(gm_handle)); 03167 03168 return(0); 03169 }; 03170 03171 /***************************************************/ 03172 /* consistency checking (as far as possible) */ 03173 03174 int rsbac_check_acl(int correct, int check_inode) 03175 { 03176 struct rsbac_acl_device_list_item_t * device_p; 03177 u_long f_count = 0, f_sum = 0, tmp_count, 03178 r_count, u_count, b_count, no_member_count; 03179 int list_no; 03180 u_long dflags; 03181 long desc_count; 03182 long sub_desc_count; 03183 rsbac_inode_nr_t * fd_desc_p; 03184 struct rsbac_dev_desc_t * dev_desc_p; 03185 __u8 * scd_desc_p; 03186 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 03187 rsbac_netdev_id_t * netdev_desc_p; 03188 #endif 03189 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 03190 rsbac_net_temp_id_t * nettemp_desc_p; 03191 rsbac_net_obj_id_t * netobj_desc_p; 03192 #endif 03193 struct rsbac_acl_entry_desc_t * sub_desc_p; 03194 struct super_block * sb_p; 03195 struct inode * inode_p; 03196 rsbac_uid_t * user_p; 03197 rsbac_acl_group_id_t * group_p; 03198 u_int i,j; 03199 03200 if (!rsbac_is_initialized()) 03201 { 03202 #ifdef CONFIG_RSBAC_RMSG 03203 rsbac_printk(KERN_WARNING "rsbac_check_acl(): RSBAC not initialized\n"); 03204 #endif 03205 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03206 if (!rsbac_nosyslog) 03207 #endif 03208 printk(KERN_WARNING "rsbac_check_acl(): RSBAC not initialized\n"); 03209 return(-RSBAC_ENOTINITIALIZED); 03210 } 03211 03212 /* group membership list */ 03213 tmp_count = 0; 03214 desc_count = rsbac_list_lol_get_all_desc(gm_handle, (void **) &user_p); 03215 if(desc_count > 0) 03216 { 03217 for(i=0; i<desc_count; i++) 03218 { 03219 sub_desc_count = rsbac_list_lol_get_all_subdesc(gm_handle, &user_p[i], (void **) &group_p); 03220 if(sub_desc_count > 0) 03221 { 03222 for(j=0; j<sub_desc_count; j++) 03223 { 03224 if(!rsbac_list_exist(group_handle, &group_p[j])) 03225 { 03226 #ifdef CONFIG_RSBAC_RMSG 03227 rsbac_printk(KERN_WARNING 03228 "rsbac_check_acl(): removing user %u membership in non-existent group %u!\n", 03229 user_p[i], group_p[j]); 03230 #endif 03231 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03232 if (!rsbac_nosyslog) 03233 #endif 03234 printk(KERN_WARNING 03235 "rsbac_check_acl(): removing user %u membership in non-existent group %u!\n", 03236 user_p[i], group_p[j]); 03237 rsbac_list_lol_subremove(gm_handle, &user_p[i], &group_p[j]); 03238 } 03239 } 03240 rsbac_vfree(group_p); 03241 } 03242 else 03243 { 03244 /* remove empty membership list */ 03245 if(!sub_desc_count) 03246 rsbac_list_lol_remove(gm_handle, &user_p[i]); 03247 } 03248 } 03249 rsbac_vfree(user_p); 03250 } 03251 /* recalculated values! */ 03252 #ifdef CONFIG_RSBAC_RMSG 03253 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li group membership items\n", 03254 rsbac_list_lol_count(gm_handle)); 03255 #endif 03256 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03257 if (!rsbac_nosyslog) 03258 #endif 03259 printk(KERN_INFO "rsbac_check_acl(): %li group membership items\n", 03260 rsbac_list_lol_count(gm_handle)); 03261 03262 /* group list */ 03263 #ifdef CONFIG_RSBAC_RMSG 03264 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li group items\n", 03265 rsbac_list_count(group_handle)); 03266 #endif 03267 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03268 if (!rsbac_nosyslog) 03269 #endif 03270 printk(KERN_INFO "rsbac_check_acl(): %li group items\n", 03271 rsbac_list_count(group_handle)); 03272 03273 03274 /* wait for read access to device_list_head */ 03275 rsbac_read_lock(&device_list_head.lock, &dflags); 03276 /* OK, go on */ 03277 /* printk(KERN_INFO "rsbac_check_acl(): currently %u processes working on file/dir aci\n", 03278 device_list_head.lock.lock); */ 03279 device_p = device_list_head.head; 03280 while (device_p) 03281 { /* for all sublists */ 03282 f_count = 0; 03283 r_count = 0; 03284 u_count = 0; 03285 b_count = 0; 03286 no_member_count = 0; 03287 if(check_inode) 03288 { 03289 sb_p = rsbac_get_super_block(device_p->id); 03290 if(!sb_p) 03291 { 03292 #ifdef CONFIG_RSBAC_RMSG 03293 rsbac_printk(KERN_WARNING "rsbac_check_acl(): no super block for device %02u:%02u!\n", 03294 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id)); 03295 #endif 03296 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03297 if (!rsbac_nosyslog) 03298 #endif 03299 printk(KERN_WARNING "rsbac_check_acl(): no super block for device %02u:%02u!\n", 03300 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id)); 03301 } 03302 } 03303 else 03304 sb_p = NULL; 03305 03306 /* OK, go ahead */ 03307 for(list_no = 0; list_no < RSBAC_ACL_NR_FD_LISTS; list_no++) 03308 { 03309 /* printk(KERN_INFO "rsbac_check_acl(): list %u\n", 03310 list_no); */ 03311 tmp_count = 0; 03312 desc_count = rsbac_list_lol_get_all_desc(device_p->handles[list_no], (void **) &fd_desc_p); 03313 if(desc_count > 0) 03314 { 03315 for(i=0; i<desc_count; i++) 03316 { 03317 /* check for inode on disk (but not for reiserfs, because of 64bit inode numbers) */ 03318 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03319 if(sb_p) 03320 #else 03321 if(sb_p && !sb_p->s_op->read_inode2) 03322 #endif 03323 { 03324 inode_p = iget(sb_p, fd_desc_p[i]); 03325 if(is_bad_inode(inode_p)) 03326 { /* inode is bad -> remove */ 03327 b_count++; 03328 if(correct) 03329 { 03330 #ifdef CONFIG_RSBAC_RMSG 03331 rsbac_printk(KERN_INFO 03332 "rsbac_check_acl(): fd_item for bad inode %u on device %02u:%02u, list %u, removing!\n", 03333 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 03334 #endif 03335 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03336 if (!rsbac_nosyslog) 03337 #endif 03338 printk(KERN_INFO 03339 "rsbac_check_acl(): fd_item for bad inode %u on device %02u:%02u, list %u, removing!\n", 03340 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 03341 rsbac_list_lol_remove(device_p->handles[list_no], &fd_desc_p[i]); 03342 continue; 03343 } 03344 else 03345 { 03346 #ifdef CONFIG_RSBAC_RMSG 03347 rsbac_printk(KERN_INFO 03348 "rsbac_check_acl(): fd_item for bad inode %u on device %02u:%02u, list %u!\n", 03349 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 03350 #endif 03351 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03352 if (!rsbac_nosyslog) 03353 #endif 03354 printk(KERN_INFO 03355 "rsbac_check_acl(): fd_item for bad inode %u on device %02u:%02u, list %u!\n", 03356 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 03357 } 03358 } /* end of bad_inode */ 03359 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 03360 else 03361 { /* good inode */ 03362 /* currently only deletion checking of ext2 inodes is possible */ 03363 if(sb_p->s_magic == EXT2_SUPER_MAGIC) 03364 { 03365 if(inode_p->u.ext2_i.i_dtime) 03366 { /* inode has been deleted -> remove */ 03367 r_count++; 03368 if(correct) 03369 { 03370 #ifdef CONFIG_RSBAC_RMSG 03371 rsbac_printk(KERN_INFO 03372 "rsbac_check_acl(): fd_item for deleted inode %u on device %02u:%02u, list %u, removing!\n", 03373 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 03374 #endif 03375 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03376 if (!rsbac_nosyslog) 03377 #endif 03378 printk(KERN_INFO 03379 "rsbac_check_acl(): fd_item for deleted inode %u on device %02u:%02u, list %u, removing!\n", 03380 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 03381 rsbac_list_lol_remove(device_p->handles[list_no], &fd_desc_p[i]); 03382 continue; 03383 } 03384 else 03385 { 03386 #ifdef CONFIG_RSBAC_RMSG 03387 rsbac_printk(KERN_INFO 03388 "rsbac_check_acl(): fd_item for deleted inode %u on device %02u:%02u, list %u!\n", 03389 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 03390 #endif 03391 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03392 if (!rsbac_nosyslog) 03393 #endif 03394 printk(KERN_INFO 03395 "rsbac_check_acl(): fd_item for deleted inode %u on device %02u:%02u, list %u!\n", 03396 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 03397 } 03398 } 03399 else 03400 { 03401 if(inode_p->i_nlink <= 0) 03402 { /* inode has been unlinked, but no dtime is set -> warn */ 03403 u_count++; 03404 if(correct >= 2) 03405 { 03406 #ifdef CONFIG_RSBAC_RMSG 03407 rsbac_printk(KERN_INFO 03408 "rsbac_check_acl(): fd_item for inode %u with nlink <= 0 on device %02u:%02u, list %u, removing!\n", 03409 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 03410 #endif 03411 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03412 if (!rsbac_nosyslog) 03413 #endif 03414 printk(KERN_INFO 03415 "rsbac_check_acl(): fd_item for inode %u with nlink <= 0 on device %02u:%02u, list %u, removing!\n", 03416 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 03417 rsbac_list_lol_remove(device_p->handles[list_no], &fd_desc_p[i]); 03418 continue; 03419 } 03420 else 03421 { 03422 #ifdef CONFIG_RSBAC_RMSG 03423 rsbac_printk(KERN_INFO 03424 "rsbac_check_acl(): deleted inode %u on device %02u:%02u, list %u, has no dtime!\n", 03425 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 03426 #endif 03427 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03428 if (!rsbac_nosyslog) 03429 #endif 03430 printk(KERN_INFO 03431 "rsbac_check_acl(): deleted inode %u on device %02u:%02u, list %u, has no dtime!\n", 03432 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no); 03433 } 03434 } 03435 } 03436 } 03437 } /* end of is_good_inode */ 03438 #endif /* VERSION < 2.6.0 */ 03439 iput(inode_p); 03440 } /* end of sb_p */ 03441 03442 /* check for group existence of all ACL entries for groups */ 03443 sub_desc_count = rsbac_list_lol_get_all_subdesc(device_p->handles[list_no], 03444 &fd_desc_p[i], 03445 (void **) &sub_desc_p); 03446 if(sub_desc_count > 0) 03447 { 03448 for(j=0; j<sub_desc_count; j++) 03449 { 03450 if( (sub_desc_p[j].subj_type == ACLS_GROUP) 03451 && sub_desc_p[j].subj_id 03452 && !rsbac_list_exist(group_handle, &sub_desc_p[j].subj_id)) 03453 { 03454 if(correct) 03455 { 03456 /* remove sub item and complain */ 03457 #ifdef CONFIG_RSBAC_DEBUG 03458 if(rsbac_debug_ds) 03459 { 03460 #ifdef CONFIG_RSBAC_RMSG 03461 rsbac_printk(KERN_DEBUG 03462 "rsbac_check_acl(): fd_item for inode %u on device %02u:%02u, list %u, has invalid group %u in ACL -> removing entry!\n", 03463 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no, sub_desc_p[j].subj_id); 03464 #endif 03465 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03466 if (!rsbac_nosyslog) 03467 #endif 03468 printk(KERN_DEBUG 03469 "rsbac_check_acl(): fd_item for inode %u on device %02u:%02u, list %u, has invalid group %u in ACL -> removing entry!\n", 03470 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no, sub_desc_p[j].subj_id); 03471 } 03472 #endif 03473 rsbac_list_lol_subremove(device_p->handles[list_no], 03474 &fd_desc_p[i], &sub_desc_p[j]); 03475 } 03476 else 03477 { 03478 /* complain */ 03479 #ifdef CONFIG_RSBAC_DEBUG 03480 if(rsbac_debug_ds) 03481 { 03482 #ifdef CONFIG_RSBAC_RMSG 03483 rsbac_printk(KERN_DEBUG 03484 "rsbac_check_acl(): fd_item for inode %u on device %02u:%02u, list %u, has invalid group %u in ACL!\n", 03485 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no, sub_desc_p[j].subj_id); 03486 #endif 03487 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03488 if (!rsbac_nosyslog) 03489 #endif 03490 printk(KERN_DEBUG 03491 "rsbac_check_acl(): fd_item for inode %u on device %02u:%02u, list %u, has invalid group %u in ACL!\n", 03492 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no, sub_desc_p[j].subj_id); 03493 } 03494 #endif 03495 } 03496 } 03497 #if defined(CONFIG_RSBAC_RC) 03498 else 03499 if( (sub_desc_p[j].subj_type == ACLS_ROLE) 03500 && (sub_desc_p[j].subj_id > RC_role_max_value) 03501 ) 03502 { 03503 if(correct) 03504 { 03505 /* remove sub item and complain */ 03506 #ifdef CONFIG_RSBAC_DEBUG 03507 if(rsbac_debug_ds) 03508 { 03509 #ifdef CONFIG_RSBAC_RMSG 03510 rsbac_printk(KERN_DEBUG 03511 "rsbac_check_acl(): fd_item for inode %u on device %02u:%02u, list %u, has invalid RC role %u in ACL -> removing entry!\n", 03512 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no, sub_desc_p[j].subj_id); 03513 #endif 03514 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03515 if (!rsbac_nosyslog) 03516 #endif 03517 printk(KERN_DEBUG 03518 "rsbac_check_acl(): fd_item for inode %u on device %02u:%02u, list %u, has invalid RC role %u in ACL -> removing entry!\n", 03519 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no, sub_desc_p[j].subj_id); 03520 } 03521 #endif 03522 rsbac_list_lol_subremove(device_p->handles[list_no], 03523 &fd_desc_p[i], &sub_desc_p[j]); 03524 } 03525 else 03526 { 03527 /* complain */ 03528 #ifdef CONFIG_RSBAC_DEBUG 03529 if(rsbac_debug_ds) 03530 { 03531 #ifdef CONFIG_RSBAC_RMSG 03532 rsbac_printk(KERN_DEBUG 03533 "rsbac_check_acl(): fd_item for inode %u on device %02u:%02u, list %u, has invalid role %u in ACL!\n", 03534 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no, sub_desc_p[j].subj_id); 03535 #endif 03536 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03537 if (!rsbac_nosyslog) 03538 #endif 03539 printk(KERN_DEBUG 03540 "rsbac_check_acl(): fd_item for inode %u on device %02u:%02u, list %u, has invalid role %u in ACL!\n", 03541 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no, sub_desc_p[j].subj_id); 03542 } 03543 #endif 03544 } 03545 } 03546 #endif 03547 } 03548 rsbac_vfree(sub_desc_p); 03549 } 03550 } 03551 tmp_count++; 03552 rsbac_vfree(fd_desc_p); 03553 f_count += desc_count; 03554 } 03555 } /* end of for-fd-list-array */ 03556 03557 switch(correct) 03558 { 03559 case 2: 03560 #ifdef CONFIG_RSBAC_RMSG 03561 rsbac_printk(KERN_INFO 03562 "rsbac_check_acl(): Device %02u:%02u has %lu file/dir ACLs (%lu removed (%lu bad inodes, %lu dtimed inodes, %lu unlinked inodes, %lu had no members and default mask))\n", 03563 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), f_count, b_count + r_count + u_count + no_member_count, 03564 b_count, r_count, u_count, no_member_count); 03565 #endif 03566 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03567 if (!rsbac_nosyslog) 03568 #endif 03569 printk(KERN_INFO 03570 "rsbac_check_acl(): Device %02u:%02u has %lu file/dir ACLs (%lu removed (%lu bad inodes, %lu dtimed inodes, %lu unlinked inodes, %lu had no members and default mask))\n", 03571 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), f_count, b_count + r_count + u_count + no_member_count, 03572 b_count, r_count, u_count, no_member_count); 03573 break; 03574 case 1: 03575 #ifdef CONFIG_RSBAC_RMSG 03576 rsbac_printk(KERN_INFO 03577 "rsbac_check_acl(): Device %02u:%02u has %lu file/dir ACLs (%lu removed (%lu bad inodes, %lu dtimed inodes, %lu had no members and default mask), %lu unlinked inodes)\n", 03578 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), f_count, b_count + r_count + no_member_count, 03579 b_count, r_count, no_member_count, u_count); 03580 #endif 03581 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03582 if (!rsbac_nosyslog) 03583 #endif 03584 printk(KERN_INFO 03585 "rsbac_check_acl(): Device %02u:%02u has %lu file/dir ACLs (%lu removed (%lu bad inodes, %lu dtimed inodes, %lu had no members and default mask), %lu unlinked inodes)\n", 03586 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), f_count, b_count + r_count + no_member_count, 03587 b_count, r_count, no_member_count, u_count); 03588 break; 03589 default: 03590 #ifdef CONFIG_RSBAC_RMSG 03591 rsbac_printk(KERN_INFO 03592 "rsbac_check_acl(): Device %02u:%02u has %lu file/dir ACLs (%lu with bad inodes, %lu with dtimed inodes, %lu unlinked inodes, %lu without members and with default mask)\n", 03593 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), f_count, 03594 b_count, r_count, u_count, no_member_count); 03595 #endif 03596 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03597 if (!rsbac_nosyslog) 03598 #endif 03599 printk(KERN_INFO 03600 "rsbac_check_acl(): Device %02u:%02u has %lu file/dir ACLs (%lu with bad inodes, %lu with dtimed inodes, %lu unlinked inodes, %lu without members and with default mask)\n", 03601 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), f_count, 03602 b_count, r_count, u_count, no_member_count); 03603 } 03604 f_sum += f_count; 03605 /* go on */ 03606 device_p = device_p->next; 03607 } 03608 #ifdef CONFIG_RSBAC_RMSG 03609 rsbac_printk(KERN_INFO "rsbac_check_acl(): Sum of %u Devices with %lu file/dir ACLs\n", 03610 device_list_head.count, f_sum); 03611 #endif 03612 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03613 if (!rsbac_nosyslog) 03614 #endif 03615 printk(KERN_INFO "rsbac_check_acl(): Sum of %u Devices with %lu file/dir ACLs\n", 03616 device_list_head.count, f_sum); 03617 /* free access to device_list_head */ 03618 rsbac_read_unlock(&device_list_head.lock, &dflags); 03619 03620 /* dev list */ 03621 tmp_count = 0; 03622 desc_count = rsbac_list_lol_get_all_desc(dev_handle, (void **) &dev_desc_p); 03623 if(desc_count > 0) 03624 { 03625 for(i=0; i<desc_count; i++) 03626 { 03627 /* check for group existence of all ACL entries for groups */ 03628 sub_desc_count = rsbac_list_lol_get_all_subdesc(dev_handle, 03629 &dev_desc_p[i], 03630 (void **) &sub_desc_p); 03631 if(sub_desc_count > 0) 03632 { 03633 for(j=0; j<sub_desc_count; j++) 03634 { 03635 if( (sub_desc_p[j].subj_type == ACLS_GROUP) 03636 && sub_desc_p[j].subj_id 03637 && !rsbac_list_exist(group_handle, &sub_desc_p[j].subj_id)) 03638 { 03639 if(correct) 03640 { 03641 /* remove sub item and complain */ 03642 #ifdef CONFIG_RSBAC_DEBUG 03643 if(rsbac_debug_ds) 03644 { 03645 #ifdef CONFIG_RSBAC_RMSG 03646 rsbac_printk(KERN_DEBUG 03647 "rsbac_check_acl(): dev_item %c%02u:%02u, has invalid group %u in ACL -> removing entry!\n", 03648 'B'+dev_desc_p[i].type, dev_desc_p[i].major, dev_desc_p[i].minor, sub_desc_p[j].subj_id); 03649 #endif 03650 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03651 if (!rsbac_nosyslog) 03652 #endif 03653 printk(KERN_DEBUG 03654 "rsbac_check_acl(): dev_item %c%02u:%02u, has invalid group %u in ACL -> removing entry!\n", 03655 'B'+dev_desc_p[i].type, dev_desc_p[i].major, dev_desc_p[i].minor, sub_desc_p[j].subj_id); 03656 } 03657 #endif 03658 rsbac_list_lol_subremove(dev_handle, &dev_desc_p[i], &sub_desc_p[j]); 03659 } 03660 else 03661 { 03662 #ifdef CONFIG_RSBAC_DEBUG 03663 /* complain */ 03664 if(rsbac_debug_ds) 03665 { 03666 #ifdef CONFIG_RSBAC_RMSG 03667 rsbac_printk(KERN_DEBUG 03668 "rsbac_check_acl(): dev_item %c%02u:%02u, has invalid group %u in ACL!\n", 03669 'B'+dev_desc_p[i].type, dev_desc_p[i].major, dev_desc_p[i].minor, sub_desc_p[j].subj_id); 03670 #endif 03671 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03672 if (!rsbac_nosyslog) 03673 #endif 03674 printk(KERN_DEBUG 03675 "rsbac_check_acl(): dev_item %c%02u:%02u, has invalid group %u in ACL!\n", 03676 'B'+dev_desc_p[i].type, dev_desc_p[i].major, dev_desc_p[i].minor, sub_desc_p[j].subj_id); 03677 } 03678 #endif 03679 } 03680 } 03681 #if defined(CONFIG_RSBAC_RC) 03682 else 03683 if( (sub_desc_p[j].subj_type == ACLS_ROLE) 03684 && (sub_desc_p[j].subj_id > RC_role_max_value) 03685 ) 03686 { 03687 if(correct) 03688 { 03689 /* remove sub item and complain */ 03690 #ifdef CONFIG_RSBAC_DEBUG 03691 if(rsbac_debug_ds) 03692 { 03693 #ifdef CONFIG_RSBAC_RMSG 03694 rsbac_printk(KERN_DEBUG 03695 "rsbac_check_acl(): dev_item %c%02u:%02u, has invalid role %u in ACL -> removing entry!\n", 03696 'B'+dev_desc_p[i].type, dev_desc_p[i].major, dev_desc_p[i].minor, sub_desc_p[j].subj_id); 03697 #endif 03698 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03699 if (!rsbac_nosyslog) 03700 #endif 03701 printk(KERN_DEBUG 03702 "rsbac_check_acl(): dev_item %c%02u:%02u, has invalid role %u in ACL -> removing entry!\n", 03703 'B'+dev_desc_p[i].type, dev_desc_p[i].major, dev_desc_p[i].minor, sub_desc_p[j].subj_id); 03704 } 03705 #endif 03706 rsbac_list_lol_subremove(dev_handle, &dev_desc_p[i], &sub_desc_p[j]); 03707 } 03708 else 03709 { 03710 #ifdef CONFIG_RSBAC_DEBUG 03711 /* complain */ 03712 if(rsbac_debug_ds) 03713 { 03714 #ifdef CONFIG_RSBAC_RMSG 03715 rsbac_printk(KERN_DEBUG 03716 "rsbac_check_acl(): dev_item %c%02u:%02u, has invalid role %u in ACL!\n", 03717 'B'+dev_desc_p[i].type, dev_desc_p[i].major, dev_desc_p[i].minor, sub_desc_p[j].subj_id); 03718 #endif 03719 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03720 if (!rsbac_nosyslog) 03721 #endif 03722 printk(KERN_DEBUG 03723 "rsbac_check_acl(): dev_item %c%02u:%02u, has invalid role %u in ACL!\n", 03724 'B'+dev_desc_p[i].type, dev_desc_p[i].major, dev_desc_p[i].minor, sub_desc_p[j].subj_id); 03725 } 03726 #endif 03727 } 03728 } 03729 #endif 03730 } 03731 rsbac_vfree(sub_desc_p); 03732 } 03733 } 03734 rsbac_vfree(dev_desc_p); 03735 f_sum += desc_count; 03736 } 03737 #ifdef CONFIG_RSBAC_RMSG 03738 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li device items\n", 03739 desc_count); 03740 #endif 03741 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03742 if (!rsbac_nosyslog) 03743 #endif 03744 printk(KERN_INFO "rsbac_check_acl(): %li device items\n", 03745 desc_count); 03746 03747 /* SCD list */ 03748 tmp_count = 0; 03749 desc_count = rsbac_list_lol_get_all_desc(scd_handle, (void **) &scd_desc_p); 03750 if(desc_count > 0) 03751 { 03752 for(i=0; i<desc_count; i++) 03753 { 03754 /* check for group existence of all ACL entries for groups */ 03755 sub_desc_count = rsbac_list_lol_get_all_subdesc(scd_handle, 03756 &scd_desc_p[i], 03757 (void **) &sub_desc_p); 03758 if(sub_desc_count > 0) 03759 { 03760 for(j=0; j<sub_desc_count; j++) 03761 { 03762 if( (sub_desc_p[j].subj_type == ACLS_GROUP) 03763 && sub_desc_p[j].subj_id 03764 && !rsbac_list_exist(group_handle, &sub_desc_p[j].subj_id)) 03765 { 03766 if(correct) 03767 { 03768 /* remove sub item and complain */ 03769 #ifdef CONFIG_RSBAC_DEBUG 03770 if(rsbac_debug_ds) 03771 { 03772 #ifdef CONFIG_RSBAC_RMSG 03773 rsbac_printk(KERN_DEBUG 03774 "rsbac_check_acl(): scd_item %u has invalid group %u in ACL -> removing entry!\n", 03775 scd_desc_p[i], sub_desc_p[j].subj_id); 03776 #endif 03777 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03778 if (!rsbac_nosyslog) 03779 #endif 03780 printk(KERN_DEBUG 03781 "rsbac_check_acl(): scd_item %u has invalid group %u in ACL -> removing entry!\n", 03782 scd_desc_p[i], sub_desc_p[j].subj_id); 03783 } 03784 #endif 03785 rsbac_list_lol_subremove(scd_handle, &scd_desc_p[i], &sub_desc_p[j]); 03786 } 03787 else 03788 { 03789 #ifdef CONFIG_RSBAC_DEBUG 03790 /* complain */ 03791 if(rsbac_debug_ds) 03792 { 03793 #ifdef CONFIG_RSBAC_RMSG 03794 rsbac_printk(KERN_DEBUG 03795 "rsbac_check_acl(): scd_item %u has invalid group %u in ACL!\n", 03796 scd_desc_p[i], sub_desc_p[j].subj_id); 03797 #endif 03798 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03799 if (!rsbac_nosyslog) 03800 #endif 03801 printk(KERN_DEBUG 03802 "rsbac_check_acl(): scd_item %u has invalid group %u in ACL!\n", 03803 scd_desc_p[i], sub_desc_p[j].subj_id); 03804 } 03805 #endif 03806 } 03807 } 03808 #if defined(CONFIG_RSBAC_RC) 03809 else 03810 if( (sub_desc_p[j].subj_type == ACLS_ROLE) 03811 && (sub_desc_p[j].subj_id > RC_role_max_value) 03812 ) 03813 { 03814 if(correct) 03815 { 03816 /* remove sub item and complain */ 03817 #ifdef CONFIG_RSBAC_DEBUG 03818 if(rsbac_debug_ds) 03819 { 03820 #ifdef CONFIG_RSBAC_RMSG 03821 rsbac_printk(KERN_DEBUG 03822 "rsbac_check_acl(): scd_item %u has invalid role %u in ACL -> removing entry!\n", 03823 scd_desc_p[i], sub_desc_p[j].subj_id); 03824 #endif 03825 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03826 if (!rsbac_nosyslog) 03827 #endif 03828 printk(KERN_DEBUG 03829 "rsbac_check_acl(): scd_item %u has invalid role %u in ACL -> removing entry!\n", 03830 scd_desc_p[i], sub_desc_p[j].subj_id); 03831 } 03832 #endif 03833 rsbac_list_lol_subremove(scd_handle, &scd_desc_p[i], &sub_desc_p[j]); 03834 } 03835 else 03836 { 03837 #ifdef CONFIG_RSBAC_DEBUG 03838 /* complain */ 03839 if(rsbac_debug_ds) 03840 { 03841 #ifdef CONFIG_RSBAC_RMSG 03842 rsbac_printk(KERN_DEBUG 03843 "rsbac_check_acl(): scd_item %u has invalid role %u in ACL!\n", 03844 scd_desc_p[i], sub_desc_p[j].subj_id); 03845 #endif 03846 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03847 if (!rsbac_nosyslog) 03848 #endif 03849 printk(KERN_DEBUG 03850 "rsbac_check_acl(): scd_item %u has invalid role %u in ACL!\n", 03851 scd_desc_p[i], sub_desc_p[j].subj_id); 03852 } 03853 #endif 03854 } 03855 } 03856 #endif 03857 } 03858 rsbac_vfree(sub_desc_p); 03859 } 03860 } 03861 rsbac_vfree(scd_desc_p); 03862 f_sum += desc_count; 03863 } 03864 #ifdef CONFIG_RSBAC_RMSG 03865 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li SCD items\n", 03866 desc_count); 03867 #endif 03868 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03869 if (!rsbac_nosyslog) 03870 #endif 03871 printk(KERN_INFO "rsbac_check_acl(): %li SCD items\n", 03872 desc_count); 03873 03874 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 03875 /* netdev list */ 03876 tmp_count = 0; 03877 desc_count = rsbac_list_lol_get_all_desc(netdev_handle, (void **) &netdev_desc_p); 03878 if(desc_count > 0) 03879 { 03880 for(i=0; i<desc_count; i++) 03881 { 03882 /* check for group existence of all ACL entries for groups */ 03883 sub_desc_count = rsbac_list_lol_get_all_subdesc(netdev_handle, 03884 &netdev_desc_p[i], 03885 (void **) &sub_desc_p); 03886 if(sub_desc_count > 0) 03887 { 03888 for(j=0; j<sub_desc_count; j++) 03889 { 03890 if( (sub_desc_p[j].subj_type == ACLS_GROUP) 03891 && sub_desc_p[j].subj_id 03892 && !rsbac_list_exist(group_handle, &sub_desc_p[j].subj_id)) 03893 { 03894 if(correct) 03895 { 03896 /* remove sub item and complain */ 03897 #ifdef CONFIG_RSBAC_DEBUG 03898 if(rsbac_debug_ds) 03899 { 03900 #ifdef CONFIG_RSBAC_RMSG 03901 rsbac_printk(KERN_DEBUG 03902 "rsbac_check_acl(): netdev_item %s has invalid group %u in ACL -> removing entry!\n", 03903 netdev_desc_p[i], sub_desc_p[j].subj_id); 03904 #endif 03905 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03906 if (!rsbac_nosyslog) 03907 #endif 03908 printk(KERN_DEBUG 03909 "rsbac_check_acl(): netdev_item %s has invalid group %u in ACL -> removing entry!\n", 03910 netdev_desc_p[i], sub_desc_p[j].subj_id); 03911 } 03912 #endif 03913 rsbac_list_lol_subremove(netdev_handle, &netdev_desc_p[i], &sub_desc_p[j]); 03914 } 03915 else 03916 { 03917 #ifdef CONFIG_RSBAC_DEBUG 03918 /* complain */ 03919 if(rsbac_debug_ds) 03920 { 03921 #ifdef CONFIG_RSBAC_RMSG 03922 rsbac_printk(KERN_DEBUG 03923 "rsbac_check_acl(): netdev_item %s has invalid group %u in ACL!\n", 03924 netdev_desc_p[i], sub_desc_p[j].subj_id); 03925 #endif 03926 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03927 if (!rsbac_nosyslog) 03928 #endif 03929 printk(KERN_DEBUG 03930 "rsbac_check_acl(): netdev_item %s has invalid group %u in ACL!\n", 03931 netdev_desc_p[i], sub_desc_p[j].subj_id); 03932 } 03933 #endif 03934 } 03935 } 03936 #if defined(CONFIG_RSBAC_RC) 03937 else 03938 if( (sub_desc_p[j].subj_type == ACLS_ROLE) 03939 && (sub_desc_p[j].subj_id > RC_role_max_value) 03940 ) 03941 { 03942 if(correct) 03943 { 03944 /* remove sub item and complain */ 03945 #ifdef CONFIG_RSBAC_DEBUG 03946 if(rsbac_debug_ds) 03947 { 03948 #ifdef CONFIG_RSBAC_RMSG 03949 rsbac_printk(KERN_DEBUG 03950 "rsbac_check_acl(): netdev_item %s has invalid role %u in ACL -> removing entry!\n", 03951 netdev_desc_p[i], sub_desc_p[j].subj_id); 03952 #endif 03953 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03954 if (!rsbac_nosyslog) 03955 #endif 03956 printk(KERN_DEBUG 03957 "rsbac_check_acl(): netdev_item %s has invalid role %u in ACL -> removing entry!\n", 03958 netdev_desc_p[i], sub_desc_p[j].subj_id); 03959 } 03960 #endif 03961 rsbac_list_lol_subremove(netdev_handle, &netdev_desc_p[i], &sub_desc_p[j]); 03962 } 03963 else 03964 { 03965 #ifdef CONFIG_RSBAC_DEBUG 03966 /* complain */ 03967 if(rsbac_debug_ds) 03968 { 03969 #ifdef CONFIG_RSBAC_RMSG 03970 rsbac_printk(KERN_DEBUG 03971 "rsbac_check_acl(): netdev_item %s has invalid role %u in ACL!\n", 03972 netdev_desc_p[i], sub_desc_p[j].subj_id); 03973 #endif 03974 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03975 if (!rsbac_nosyslog) 03976 #endif 03977 printk(KERN_DEBUG 03978 "rsbac_check_acl(): netdev_item %s has invalid role %u in ACL!\n", 03979 netdev_desc_p[i], sub_desc_p[j].subj_id); 03980 } 03981 #endif 03982 } 03983 } 03984 #endif 03985 } 03986 rsbac_vfree(sub_desc_p); 03987 } 03988 } 03989 rsbac_vfree(netdev_desc_p); 03990 f_sum += desc_count; 03991 } 03992 #ifdef CONFIG_RSBAC_RMSG 03993 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li network device items\n", 03994 desc_count); 03995 #endif 03996 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 03997 if (!rsbac_nosyslog) 03998 #endif 03999 printk(KERN_INFO "rsbac_check_acl(): %li network device items\n", 04000 desc_count); 04001 #endif /* NET_DEV_PROT */ 04002 04003 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 04004 /* nettemp_nt list */ 04005 tmp_count = 0; 04006 desc_count = rsbac_list_lol_get_all_desc(nettemp_nt_handle, (void **) &nettemp_desc_p); 04007 if(desc_count > 0) 04008 { 04009 for(i=0; i<desc_count; i++) 04010 { 04011 /* check for group existence of all ACL entries for groups */ 04012 sub_desc_count = rsbac_list_lol_get_all_subdesc(nettemp_nt_handle, 04013 &nettemp_desc_p[i], 04014 (void **) &sub_desc_p); 04015 if(sub_desc_count > 0) 04016 { 04017 for(j=0; j<sub_desc_count; j++) 04018 { 04019 if( (sub_desc_p[j].subj_type == ACLS_GROUP) 04020 && sub_desc_p[j].subj_id 04021 && !rsbac_list_exist(group_handle, &sub_desc_p[j].subj_id)) 04022 { 04023 if(correct) 04024 { 04025 /* remove sub item and complain */ 04026 #ifdef CONFIG_RSBAC_DEBUG 04027 if(rsbac_debug_ds) 04028 { 04029 #ifdef CONFIG_RSBAC_RMSG 04030 rsbac_printk(KERN_DEBUG 04031 "rsbac_check_acl(): nettemp_nt_item %u has invalid group %u in ACL -> removing entry!\n", 04032 nettemp_desc_p[i], sub_desc_p[j].subj_id); 04033 #endif 04034 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04035 if (!rsbac_nosyslog) 04036 #endif 04037 printk(KERN_DEBUG 04038 "rsbac_check_acl(): nettemp_nt_item %u has invalid group %u in ACL -> removing entry!\n", 04039 nettemp_desc_p[i], sub_desc_p[j].subj_id); 04040 } 04041 #endif 04042 rsbac_list_lol_subremove(nettemp_nt_handle, &nettemp_desc_p[i], &sub_desc_p[j]); 04043 } 04044 else 04045 { 04046 #ifdef CONFIG_RSBAC_DEBUG 04047 /* complain */ 04048 if(rsbac_debug_ds) 04049 { 04050 #ifdef CONFIG_RSBAC_RMSG 04051 rsbac_printk(KERN_DEBUG 04052 "rsbac_check_acl(): nettemp_nt_item %u has invalid group %u in ACL!\n", 04053 nettemp_desc_p[i], sub_desc_p[j].subj_id); 04054 #endif 04055 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04056 if (!rsbac_nosyslog) 04057 #endif 04058 printk(KERN_DEBUG 04059 "rsbac_check_acl(): nettemp_nt_item %u has invalid group %u in ACL!\n", 04060 nettemp_desc_p[i], sub_desc_p[j].subj_id); 04061 } 04062 #endif 04063 } 04064 } 04065 #if defined(CONFIG_RSBAC_RC) 04066 else 04067 if( (sub_desc_p[j].subj_type == ACLS_ROLE) 04068 && (sub_desc_p[j].subj_id > RC_role_max_value) 04069 ) 04070 { 04071 if(correct) 04072 { 04073 /* remove sub item and complain */ 04074 #ifdef CONFIG_RSBAC_DEBUG 04075 if(rsbac_debug_ds) 04076 { 04077 #ifdef CONFIG_RSBAC_RMSG 04078 rsbac_printk(KERN_DEBUG 04079 "rsbac_check_acl(): nettemp_nt_item %u has invalid role %u in ACL -> removing entry!\n", 04080 nettemp_desc_p[i], sub_desc_p[j].subj_id); 04081 #endif 04082 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04083 if (!rsbac_nosyslog) 04084 #endif 04085 printk(KERN_DEBUG 04086 "rsbac_check_acl(): nettemp_nt_item %u has invalid role %u in ACL -> removing entry!\n", 04087 nettemp_desc_p[i], sub_desc_p[j].subj_id); 04088 } 04089 #endif 04090 rsbac_list_lol_subremove(nettemp_nt_handle, &nettemp_desc_p[i], &sub_desc_p[j]); 04091 } 04092 else 04093 { 04094 #ifdef CONFIG_RSBAC_DEBUG 04095 /* complain */ 04096 if(rsbac_debug_ds) 04097 { 04098 #ifdef CONFIG_RSBAC_RMSG 04099 rsbac_printk(KERN_DEBUG 04100 "rsbac_check_acl(): nettemp_nt_item %u has invalid role %u in ACL!\n", 04101 nettemp_desc_p[i], sub_desc_p[j].subj_id); 04102 #endif 04103 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04104 if (!rsbac_nosyslog) 04105 #endif 04106 printk(KERN_DEBUG 04107 "rsbac_check_acl(): nettemp_nt_item %u has invalid role %u in ACL!\n", 04108 nettemp_desc_p[i], sub_desc_p[j].subj_id); 04109 } 04110 #endif 04111 } 04112 } 04113 #endif 04114 } 04115 rsbac_vfree(sub_desc_p); 04116 } 04117 } 04118 rsbac_vfree(nettemp_desc_p); 04119 f_sum += desc_count; 04120 } 04121 #ifdef CONFIG_RSBAC_RMSG 04122 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li network template NT items\n", 04123 desc_count); 04124 #endif 04125 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04126 if (!rsbac_nosyslog) 04127 #endif 04128 printk(KERN_INFO "rsbac_check_acl(): %li network template NT items\n", 04129 desc_count); 04130 04131 /* nettemp list */ 04132 tmp_count = 0; 04133 desc_count = rsbac_list_lol_get_all_desc(nettemp_handle, (void **) &nettemp_desc_p); 04134 if(desc_count > 0) 04135 { 04136 for(i=0; i<desc_count; i++) 04137 { 04138 /* check for group existence of all ACL entries for groups */ 04139 sub_desc_count = rsbac_list_lol_get_all_subdesc(nettemp_handle, 04140 &nettemp_desc_p[i], 04141 (void **) &sub_desc_p); 04142 if(sub_desc_count > 0) 04143 { 04144 for(j=0; j<sub_desc_count; j++) 04145 { 04146 if( (sub_desc_p[j].subj_type == ACLS_GROUP) 04147 && sub_desc_p[j].subj_id 04148 && !rsbac_list_exist(group_handle, &sub_desc_p[j].subj_id)) 04149 { 04150 if(correct) 04151 { 04152 /* remove sub item and complain */ 04153 #ifdef CONFIG_RSBAC_DEBUG 04154 if(rsbac_debug_ds) 04155 { 04156 #ifdef CONFIG_RSBAC_RMSG 04157 rsbac_printk(KERN_DEBUG 04158 "rsbac_check_acl(): nettemp_item %u has invalid group %u in ACL -> removing entry!\n", 04159 nettemp_desc_p[i], sub_desc_p[j].subj_id); 04160 #endif 04161 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04162 if (!rsbac_nosyslog) 04163 #endif 04164 printk(KERN_DEBUG 04165 "rsbac_check_acl(): nettemp_item %u has invalid group %u in ACL -> removing entry!\n", 04166 nettemp_desc_p[i], sub_desc_p[j].subj_id); 04167 } 04168 #endif 04169 rsbac_list_lol_subremove(nettemp_handle, &nettemp_desc_p[i], &sub_desc_p[j]); 04170 } 04171 else 04172 { 04173 #ifdef CONFIG_RSBAC_DEBUG 04174 /* complain */ 04175 if(rsbac_debug_ds) 04176 { 04177 #ifdef CONFIG_RSBAC_RMSG 04178 rsbac_printk(KERN_DEBUG 04179 "rsbac_check_acl(): nettemp_item %u has invalid group %u in ACL!\n", 04180 nettemp_desc_p[i], sub_desc_p[j].subj_id); 04181 #endif 04182 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04183 if (!rsbac_nosyslog) 04184 #endif 04185 printk(KERN_DEBUG 04186 "rsbac_check_acl(): nettemp_item %u has invalid group %u in ACL!\n", 04187 nettemp_desc_p[i], sub_desc_p[j].subj_id); 04188 } 04189 #endif 04190 } 04191 } 04192 #if defined(CONFIG_RSBAC_RC) 04193 else 04194 if( (sub_desc_p[j].subj_type == ACLS_ROLE) 04195 && (sub_desc_p[j].subj_id > RC_role_max_value) 04196 ) 04197 { 04198 if(correct) 04199 { 04200 /* remove sub item and complain */ 04201 #ifdef CONFIG_RSBAC_DEBUG 04202 if(rsbac_debug_ds) 04203 { 04204 #ifdef CONFIG_RSBAC_RMSG 04205 rsbac_printk(KERN_DEBUG 04206 "rsbac_check_acl(): nettemp_item %u has invalid role %u in ACL -> removing entry!\n", 04207 nettemp_desc_p[i], sub_desc_p[j].subj_id); 04208 #endif 04209 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04210 if (!rsbac_nosyslog) 04211 #endif 04212 printk(KERN_DEBUG 04213 "rsbac_check_acl(): nettemp_item %u has invalid role %u in ACL -> removing entry!\n", 04214 nettemp_desc_p[i], sub_desc_p[j].subj_id); 04215 } 04216 #endif 04217 rsbac_list_lol_subremove(nettemp_handle, &nettemp_desc_p[i], &sub_desc_p[j]); 04218 } 04219 else 04220 { 04221 #ifdef CONFIG_RSBAC_DEBUG 04222 /* complain */ 04223 if(rsbac_debug_ds) 04224 { 04225 #ifdef CONFIG_RSBAC_RMSG 04226 rsbac_printk(KERN_DEBUG 04227 "rsbac_check_acl(): nettemp_item %u has invalid role %u in ACL!\n", 04228 nettemp_desc_p[i], sub_desc_p[j].subj_id); 04229 #endif 04230 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04231 if (!rsbac_nosyslog) 04232 #endif 04233 printk(KERN_DEBUG 04234 "rsbac_check_acl(): nettemp_item %u has invalid role %u in ACL!\n", 04235 nettemp_desc_p[i], sub_desc_p[j].subj_id); 04236 } 04237 #endif 04238 } 04239 } 04240 #endif 04241 } 04242 rsbac_vfree(sub_desc_p); 04243 } 04244 } 04245 rsbac_vfree(nettemp_desc_p); 04246 f_sum += desc_count; 04247 } 04248 #ifdef CONFIG_RSBAC_RMSG 04249 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li network template items\n", 04250 desc_count); 04251 #endif 04252 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04253 if (!rsbac_nosyslog) 04254 #endif 04255 printk(KERN_INFO "rsbac_check_acl(): %li network template items\n", 04256 desc_count); 04257 04258 /* netobj list */ 04259 tmp_count = 0; 04260 desc_count = rsbac_list_lol_get_all_desc(netobj_handle, (void **) &netobj_desc_p); 04261 if(desc_count > 0) 04262 { 04263 for(i=0; i<desc_count; i++) 04264 { 04265 /* check for group existence of all ACL entries for groups */ 04266 sub_desc_count = rsbac_list_lol_get_all_subdesc(netobj_handle, 04267 &netobj_desc_p[i], 04268 (void **) &sub_desc_p); 04269 if(sub_desc_count > 0) 04270 { 04271 for(j=0; j<sub_desc_count; j++) 04272 { 04273 if( (sub_desc_p[j].subj_type == ACLS_GROUP) 04274 && sub_desc_p[j].subj_id 04275 && !rsbac_list_exist(group_handle, &sub_desc_p[j].subj_id)) 04276 { 04277 if(correct) 04278 { 04279 /* remove sub item and complain */ 04280 #ifdef CONFIG_RSBAC_DEBUG 04281 if(rsbac_debug_ds) 04282 { 04283 #ifdef CONFIG_RSBAC_RMSG 04284 rsbac_printk(KERN_DEBUG 04285 "rsbac_check_acl(): netobj_item %p has invalid group %u in ACL -> removing entry!\n", 04286 netobj_desc_p[i], sub_desc_p[j].subj_id); 04287 #endif 04288 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04289 if (!rsbac_nosyslog) 04290 #endif 04291 printk(KERN_DEBUG 04292 "rsbac_check_acl(): netobj_item %p has invalid group %u in ACL -> removing entry!\n", 04293 netobj_desc_p[i], sub_desc_p[j].subj_id); 04294 } 04295 #endif 04296 rsbac_list_lol_subremove(netobj_handle, &netobj_desc_p[i], &sub_desc_p[j]); 04297 } 04298 else 04299 { 04300 #ifdef CONFIG_RSBAC_DEBUG 04301 /* complain */ 04302 if(rsbac_debug_ds) 04303 { 04304 #ifdef CONFIG_RSBAC_RMSG 04305 rsbac_printk(KERN_DEBUG 04306 "rsbac_check_acl(): netobj_item %p has invalid group %u in ACL!\n", 04307 netobj_desc_p[i], sub_desc_p[j].subj_id); 04308 #endif 04309 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04310 if (!rsbac_nosyslog) 04311 #endif 04312 printk(KERN_DEBUG 04313 "rsbac_check_acl(): netobj_item %p has invalid group %u in ACL!\n", 04314 netobj_desc_p[i], sub_desc_p[j].subj_id); 04315 } 04316 #endif 04317 } 04318 } 04319 #if defined(CONFIG_RSBAC_RC) 04320 else 04321 if( (sub_desc_p[j].subj_type == ACLS_ROLE) 04322 && (sub_desc_p[j].subj_id > RC_role_max_value) 04323 ) 04324 { 04325 if(correct) 04326 { 04327 /* remove sub item and complain */ 04328 #ifdef CONFIG_RSBAC_DEBUG 04329 if(rsbac_debug_ds) 04330 { 04331 #ifdef CONFIG_RSBAC_RMSG 04332 rsbac_printk(KERN_DEBUG 04333 "rsbac_check_acl(): netobj_item %p has invalid role %u in ACL -> removing entry!\n", 04334 netobj_desc_p[i], sub_desc_p[j].subj_id); 04335 #endif 04336 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04337 if (!rsbac_nosyslog) 04338 #endif 04339 printk(KERN_DEBUG 04340 "rsbac_check_acl(): netobj_item %p has invalid role %u in ACL -> removing entry!\n", 04341 netobj_desc_p[i], sub_desc_p[j].subj_id); 04342 } 04343 #endif 04344 rsbac_list_lol_subremove(netobj_handle, &netobj_desc_p[i], &sub_desc_p[j]); 04345 } 04346 else 04347 { 04348 #ifdef CONFIG_RSBAC_DEBUG 04349 /* complain */ 04350 if(rsbac_debug_ds) 04351 { 04352 #ifdef CONFIG_RSBAC_RMSG 04353 rsbac_printk(KERN_DEBUG 04354 "rsbac_check_acl(): netobj_item %p has invalid role %u in ACL!\n", 04355 netobj_desc_p[i], sub_desc_p[j].subj_id); 04356 #endif 04357 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04358 if (!rsbac_nosyslog) 04359 #endif 04360 printk(KERN_DEBUG 04361 "rsbac_check_acl(): netobj_item %p has invalid role %u in ACL!\n", 04362 netobj_desc_p[i], sub_desc_p[j].subj_id); 04363 } 04364 #endif 04365 } 04366 } 04367 #endif 04368 } 04369 rsbac_vfree(sub_desc_p); 04370 } 04371 } 04372 rsbac_vfree(netobj_desc_p); 04373 f_sum += desc_count; 04374 } 04375 #ifdef CONFIG_RSBAC_RMSG 04376 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li network object items\n", 04377 desc_count); 04378 #endif 04379 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04380 if (!rsbac_nosyslog) 04381 #endif 04382 printk(KERN_INFO "rsbac_check_acl(): %li network object items\n", 04383 desc_count); 04384 #endif /* NET_OBJ_PROT */ 04385 04386 #ifdef CONFIG_RSBAC_RMSG 04387 rsbac_printk(KERN_INFO 04388 "rsbac_check_acl(): Total of %lu registered ACLs\n", 04389 f_sum); 04390 #endif 04391 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04392 if (!rsbac_nosyslog) 04393 #endif 04394 printk(KERN_INFO 04395 "rsbac_check_acl(): Total of %lu registered ACLs\n", 04396 f_sum); 04397 04398 return(0); 04399 }; 04400 04401 /************************************************* */ 04402 /* Access functions */ 04403 /************************************************* */ 04404 04405 /* All these procedures handle the spinlocks to protect the targets during */ 04406 /* access. */ 04407 04408 /* rsbac_acl_set_acl_entry 04409 * Set ACL entry for given target and subject to given rights. If entry does 04410 * not exist, it is created, thus cutting the inheritance from default/parent. 04411 */ 04412 04413 int rsbac_acl_set_acl_entry (enum rsbac_target_t target, 04414 union rsbac_target_id_t tid, 04415 enum rsbac_acl_subject_type_t subj_type, 04416 rsbac_acl_subject_id_t subj_id, 04417 rsbac_acl_rights_vector_t rights, 04418 rsbac_time_t ttl) 04419 { 04420 int err = 0; 04421 int list_no; 04422 struct rsbac_acl_device_list_item_t * device_p; 04423 struct rsbac_acl_entry_desc_t desc; 04424 u_long dflags; 04425 04426 if (!rsbac_is_initialized()) 04427 { 04428 printk(KERN_WARNING "rsbac_acl_set_acl_entry(): RSBAC not initialized\n"); 04429 return(-RSBAC_ENOTINITIALIZED); 04430 } 04431 if (subj_type >= ACLS_NONE) 04432 return(-RSBAC_EINVALIDVALUE); 04433 #ifdef CONFIG_RSBAC_DEBUG 04434 if (in_interrupt()) 04435 { 04436 #ifdef CONFIG_RSBAC_RMSG 04437 rsbac_printk(KERN_WARNING "rsbac_acl_set_acl_entry(): called from interrupt!\n"); 04438 #endif 04439 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04440 if (!rsbac_nosyslog) 04441 #endif 04442 printk(KERN_WARNING "rsbac_acl_set_acl_entry(): called from interrupt!\n"); 04443 } 04444 #endif 04445 desc.subj_type = subj_type; 04446 desc.subj_id = subj_id; 04447 04448 switch (target) 04449 { 04450 case T_FILE: 04451 case T_DIR: 04452 case T_FIFO: 04453 case T_SYMLINK: 04454 #ifdef CONFIG_RSBAC_DEBUG 04455 if (rsbac_debug_ds_acl) 04456 { 04457 #ifdef CONFIG_RSBAC_RMSG 04458 rsbac_printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting file/dir/fifo/symlink ACL for device %02u:%02u, inode %u\n", 04459 RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode); 04460 #endif 04461 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04462 if (!rsbac_nosyslog) 04463 #endif 04464 printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting file/dir/fifo/symlink ACL for device %02u:%02u, inode %u\n", 04465 RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode); 04466 } 04467 #endif 04468 /* default entry? */ 04469 if(RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode && !tid.file.dentry_p) 04470 return rsbac_list_add_ttl(default_fd_handle, ttl, &desc, &rights); 04471 /* wait for read access to device_list_head */ 04472 rsbac_read_lock(&device_list_head.lock, &dflags); 04473 /* OK, go on */ 04474 /* lookup device */ 04475 device_p = acl_lookup_device(tid.file.device); 04476 if (!device_p) 04477 { 04478 /* trigger rsbac_mount() */ 04479 rsbac_read_unlock(&device_list_head.lock, &dflags); 04480 rsbac_get_super_block(tid.file.device); 04481 /* retry */ 04482 rsbac_read_lock(&device_list_head.lock, &dflags); 04483 device_p = acl_lookup_device(tid.file.device); 04484 if(!device_p) 04485 { 04486 #ifdef CONFIG_RSBAC_RMSG 04487 rsbac_printk(KERN_WARNING 04488 "rsbac_acl_set_acl_entry(): Could not lookup device!\n"); 04489 #endif 04490 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04491 if (!rsbac_nosyslog) 04492 #endif 04493 printk(KERN_WARNING 04494 "rsbac_acl_set_acl_entry(): Could not lookup device!\n"); 04495 /* free read lock */ 04496 rsbac_read_unlock(&device_list_head.lock, &dflags); 04497 return(-RSBAC_EINVALIDDEV); 04498 } 04499 } 04500 list_no = fd_hash(tid.file.inode); 04501 if(!rsbac_list_lol_exist(device_p->handles[list_no], &tid.file.inode)) 04502 { 04503 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_FD_MASK; 04504 04505 err = rsbac_list_lol_add(device_p->handles[list_no], &tid.file.inode, &mask); 04506 if(err) 04507 { 04508 rsbac_read_unlock(&device_list_head.lock, &dflags); 04509 return err; 04510 } 04511 } 04512 err = rsbac_list_lol_subadd_ttl(device_p->handles[list_no], ttl, &tid.file.inode, &desc, &rights); 04513 rsbac_read_unlock(&device_list_head.lock, &dflags); 04514 /* ready. */ 04515 return err; 04516 04517 case T_DEV: 04518 #ifdef CONFIG_RSBAC_DEBUG 04519 if (rsbac_debug_ds_acl) 04520 { 04521 #ifdef CONFIG_RSBAC_RMSG 04522 rsbac_printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting device ACL for dev %c %02u:%02u\n", 04523 'B'+tid.dev.type, 04524 RSBAC_MAJOR(tid.dev.id), 04525 RSBAC_MINOR(tid.dev.id)); 04526 #endif 04527 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04528 if (!rsbac_nosyslog) 04529 #endif 04530 printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting device ACL for dev %c %02u:%02u\n", 04531 'B'+tid.dev.type, 04532 RSBAC_MAJOR(tid.dev.id), 04533 RSBAC_MINOR(tid.dev.id)); 04534 } 04535 #endif 04536 /* default entry? */ 04537 if((tid.dev.type == D_none) && RSBAC_IS_ZERO_DEV(tid.dev.id)) 04538 return rsbac_list_add_ttl(default_dev_handle, ttl, &desc, &rights); 04539 04540 { 04541 struct rsbac_dev_desc_t dev_desc; 04542 04543 dev_desc.type = tid.dev.type; 04544 dev_desc.major = RSBAC_MAJOR(tid.dev.id); 04545 dev_desc.minor = RSBAC_MINOR(tid.dev.id); 04546 if(!rsbac_list_lol_exist(dev_handle, &dev_desc)) 04547 { 04548 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_DEV_MASK; 04549 04550 err = rsbac_list_lol_add(dev_handle, &dev_desc, &mask); 04551 if(err) 04552 return err; 04553 } 04554 return rsbac_list_lol_subadd_ttl(dev_handle, ttl, &dev_desc, &desc, &rights); 04555 } 04556 04557 case T_IPC: 04558 /* 04559 #ifdef CONFIG_RSBAC_DEBUG 04560 if (rsbac_debug_ds_acl) 04561 { 04562 #ifdef CONFIG_RSBAC_RMSG 04563 rsbac_printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting IPC ACL for type %u\n", 04564 tid.ipc.type); 04565 #endif 04566 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04567 if (!rsbac_nosyslog) 04568 #endif 04569 printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting IPC ACL for type %u\n", 04570 tid.ipc.type); 04571 } 04572 #endif 04573 */ 04574 /* default entry? */ 04575 if(tid.ipc.type == I_none) 04576 return rsbac_list_add_ttl(default_ipc_handle, ttl, &desc, &rights); 04577 else 04578 return -RSBAC_EINVALIDTARGET; 04579 04580 case T_SCD: 04581 /* 04582 #ifdef CONFIG_RSBAC_DEBUG 04583 if (rsbac_debug_ds_acl) 04584 { 04585 char tmp[80]; 04586 printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting SCD ACL for %s\n", 04587 get_acl_scd_type_name(tmp, tid.scd)); 04588 } 04589 #endif 04590 */ 04591 /* default entry? */ 04592 if(tid.scd == AST_none) 04593 return rsbac_list_add_ttl(default_scd_handle, ttl, &desc, &rights); 04594 04595 if(!rsbac_list_lol_exist(scd_handle, &tid.scd)) 04596 { 04597 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_SCD_MASK; 04598 04599 err = rsbac_list_lol_add(scd_handle, &tid.scd, &mask); 04600 if(err) 04601 return err; 04602 } 04603 return rsbac_list_lol_subadd_ttl(scd_handle, ttl, &tid.scd, &desc, &rights); 04604 04605 case T_USER: 04606 /* 04607 #ifdef CONFIG_RSBAC_DEBUG 04608 if (rsbac_debug_ds_acl) 04609 printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting user ACL for user %u\n", 04610 tid.user); 04611 #endif 04612 */ 04613 /* default entry? */ 04614 if(tid.user == RSBAC_NO_USER) 04615 return rsbac_list_add_ttl(default_u_handle, ttl, &desc, &rights); 04616 else 04617 return -RSBAC_EINVALIDTARGET; 04618 04619 case T_PROCESS: 04620 /* 04621 #ifdef CONFIG_RSBAC_DEBUG 04622 if (rsbac_debug_ds_acl) 04623 printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting process ACL for pid %u\n", 04624 tid.process); 04625 #endif 04626 */ 04627 /* default entry? */ 04628 if(!tid.process) 04629 return rsbac_list_add_ttl(default_p_handle, ttl, &desc, &rights); 04630 else 04631 return -RSBAC_EINVALIDTARGET; 04632 04633 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 04634 case T_NETDEV: 04635 #ifdef CONFIG_RSBAC_DEBUG 04636 if (rsbac_debug_ds_acl) 04637 { 04638 #ifdef CONFIG_RSBAC_RMSG 04639 rsbac_printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting network device ACL for netdev %s\n", 04640 tid.netdev); 04641 #endif 04642 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04643 if (!rsbac_nosyslog) 04644 #endif 04645 printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting network device ACL for netdev %s\n", 04646 tid.netdev); 04647 } 04648 #endif 04649 /* default entry? */ 04650 if(!tid.netdev[0]) 04651 return rsbac_list_add_ttl(default_netdev_handle, ttl, &desc, &rights); 04652 04653 if(!rsbac_list_lol_exist(netdev_handle, &tid.netdev)) 04654 { 04655 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_NETDEV_MASK; 04656 04657 err = rsbac_list_lol_add(netdev_handle, &tid.netdev, &mask); 04658 if(err) 04659 return err; 04660 } 04661 return rsbac_list_lol_subadd_ttl(netdev_handle, ttl, &tid.netdev, &desc, &rights); 04662 #endif 04663 04664 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 04665 case T_NETTEMP_NT: 04666 #ifdef CONFIG_RSBAC_DEBUG 04667 if (rsbac_debug_ds_acl) 04668 { 04669 #ifdef CONFIG_RSBAC_RMSG 04670 rsbac_printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting network template NT ACL for nettemp_nt %u\n", 04671 tid.nettemp); 04672 #endif 04673 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04674 if (!rsbac_nosyslog) 04675 #endif 04676 printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting network template NT ACL for nettemp_nt %u\n", 04677 tid.nettemp); 04678 } 04679 #endif 04680 /* default entry? */ 04681 if(!tid.nettemp) 04682 return rsbac_list_add_ttl(default_nettemp_nt_handle, ttl, &desc, &rights); 04683 04684 if(!rsbac_list_lol_exist(nettemp_nt_handle, &tid.nettemp)) 04685 { 04686 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_NETTEMP_MASK; 04687 04688 err = rsbac_list_lol_add(nettemp_nt_handle, &tid.nettemp, &mask); 04689 if(err) 04690 return err; 04691 } 04692 return rsbac_list_lol_subadd_ttl(nettemp_nt_handle, ttl, &tid.nettemp, &desc, &rights); 04693 04694 case T_NETTEMP: 04695 #ifdef CONFIG_RSBAC_DEBUG 04696 if (rsbac_debug_ds_acl) 04697 { 04698 #ifdef CONFIG_RSBAC_RMSG 04699 rsbac_printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting network template ACL for nettemp %u\n", 04700 tid.nettemp); 04701 #endif 04702 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04703 if (!rsbac_nosyslog) 04704 #endif 04705 printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting network template ACL for nettemp %u\n", 04706 tid.nettemp); 04707 } 04708 #endif 04709 /* default entry? */ 04710 if(!tid.nettemp) 04711 return -RSBAC_EINVALIDTARGET; 04712 if(!rsbac_net_template_exist(tid.nettemp)) 04713 return -RSBAC_EINVALIDTARGET; 04714 04715 if(!rsbac_list_lol_exist(nettemp_handle, &tid.nettemp)) 04716 { 04717 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK; 04718 04719 err = rsbac_list_lol_add(nettemp_handle, &tid.nettemp, &mask); 04720 if(err) 04721 return err; 04722 } 04723 return rsbac_list_lol_subadd_ttl(nettemp_handle, ttl, &tid.nettemp, &desc, &rights); 04724 04725 case T_NETOBJ: 04726 #ifdef CONFIG_RSBAC_DEBUG 04727 if (rsbac_debug_ds_acl) 04728 { 04729 #ifdef CONFIG_RSBAC_RMSG 04730 rsbac_printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting network object ACL for netobj %p\n", 04731 tid.netobj.sock_p); 04732 #endif 04733 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04734 if (!rsbac_nosyslog) 04735 #endif 04736 printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting network object ACL for netobj %p\n", 04737 tid.netobj.sock_p); 04738 } 04739 #endif 04740 /* default entry? */ 04741 if(!tid.netobj.sock_p) 04742 return rsbac_list_add_ttl(default_netobj_handle, ttl, &desc, &rights); 04743 04744 if(!rsbac_list_lol_exist(netobj_handle, &tid.netobj.sock_p)) 04745 { 04746 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK; 04747 04748 err = rsbac_list_lol_add(netobj_handle, &tid.netobj.sock_p, &mask); 04749 if(err) 04750 return err; 04751 } 04752 return rsbac_list_lol_subadd_ttl(netobj_handle, ttl, &tid.netobj.sock_p, &desc, &rights); 04753 #endif /* NET_OBJ_PROT */ 04754 04755 04756 default: 04757 err = -RSBAC_EINVALIDTARGET; 04758 } 04759 return(err); 04760 } 04761 04762 /* rsbac_acl_remove_acl_entry 04763 * Remove ACL entry for given target and subject. This reactivates the 04764 * inheritance from default/parent. 04765 */ 04766 04767 int rsbac_acl_remove_acl_entry (enum rsbac_target_t target, 04768 union rsbac_target_id_t tid, 04769 enum rsbac_acl_subject_type_t subj_type, 04770 rsbac_acl_subject_id_t subj_id) 04771 { 04772 int err = 0; 04773 int list_no; 04774 struct rsbac_acl_device_list_item_t * device_p; 04775 struct rsbac_acl_entry_desc_t desc; 04776 u_long dflags; 04777 rsbac_acl_rights_vector_t mask; 04778 04779 if (!rsbac_is_initialized()) 04780 { 04781 printk(KERN_WARNING "rsbac_acl_remove_acl_entry(): RSBAC not initialized\n"); 04782 return(-RSBAC_ENOTINITIALIZED); 04783 } 04784 if (subj_type >= ACLS_NONE) 04785 return(-RSBAC_EINVALIDVALUE); 04786 #ifdef CONFIG_RSBAC_DEBUG 04787 if (in_interrupt()) 04788 { 04789 printk(KERN_WARNING "rsbac_acl_remove_acl_entry(): called from interrupt!\n"); 04790 } 04791 #endif 04792 desc.subj_type = subj_type; 04793 desc.subj_id = subj_id; 04794 04795 switch (target) 04796 { 04797 case T_FILE: 04798 case T_DIR: 04799 case T_FIFO: 04800 case T_SYMLINK: 04801 #ifdef CONFIG_RSBAC_DEBUG 04802 if (rsbac_debug_ds_acl) 04803 { 04804 char tmp[RSBAC_MAXNAMELEN]; 04805 04806 #ifdef CONFIG_RSBAC_RMSG 04807 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing file/dir/fifo/symlink ACL entry %s %u for device %02u:%02u, inode %u\n", 04808 get_acl_subject_type_name(tmp,desc.subj_type), desc.subj_id, 04809 RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode); 04810 #endif 04811 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04812 if (!rsbac_nosyslog) 04813 #endif 04814 printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing file/dir/fifo/symlink ACL entry %s %u for device %02u:%02u, inode %u\n", 04815 get_acl_subject_type_name(tmp,desc.subj_type), desc.subj_id, 04816 RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode); 04817 } 04818 #endif 04819 /* default entry? */ 04820 if(RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode && !tid.file.dentry_p) 04821 return rsbac_list_remove(default_fd_handle, &desc); 04822 04823 /* wait for read access to device_list_head */ 04824 rsbac_read_lock(&device_list_head.lock, &dflags); 04825 /* OK, go on */ 04826 /* lookup device */ 04827 device_p = acl_lookup_device(tid.file.device); 04828 if (!device_p) 04829 { 04830 /* trigger rsbac_mount() */ 04831 rsbac_read_unlock(&device_list_head.lock, &dflags); 04832 rsbac_get_super_block(tid.file.device); 04833 /* retry */ 04834 rsbac_read_lock(&device_list_head.lock, &dflags); 04835 device_p = acl_lookup_device(tid.file.device); 04836 if(!device_p) 04837 { 04838 printk(KERN_WARNING 04839 "rsbac_acl_remove_acl_entry(): Could not lookup device!\n"); 04840 /* free read lock */ 04841 rsbac_read_unlock(&device_list_head.lock, &dflags); 04842 return(-RSBAC_EINVALIDDEV); 04843 } 04844 } 04845 list_no = fd_hash(tid.file.inode); 04846 err = rsbac_list_lol_subremove(device_p->handles[list_no], &tid.file.inode, &desc); 04847 /* if ACL is empty, remove it */ 04848 if( !err 04849 && !rsbac_list_lol_subcount(device_p->handles[list_no], &tid.file.inode) 04850 && !rsbac_list_lol_get_data(device_p->handles[list_no], 04851 &tid.file.inode, 04852 &mask) 04853 && (mask == RSBAC_ACL_DEFAULT_FD_MASK) 04854 ) 04855 { 04856 err = rsbac_list_lol_remove(device_p->handles[list_no], &tid.file.inode); 04857 } 04858 rsbac_read_unlock(&device_list_head.lock, &dflags); 04859 /* ready. */ 04860 return err; 04861 04862 case T_DEV: 04863 #ifdef CONFIG_RSBAC_DEBUG 04864 if (rsbac_debug_ds_acl) 04865 { 04866 #ifdef CONFIG_RSBAC_RMSG 04867 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing device ACL entry for dev %c %02u:%02u\n", 04868 'B'+tid.dev.type, 04869 RSBAC_MAJOR(tid.dev.id), 04870 RSBAC_MINOR(tid.dev.id)); 04871 #endif 04872 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04873 if (!rsbac_nosyslog) 04874 #endif 04875 printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing device ACL entry for dev %c %02u:%02u\n", 04876 'B'+tid.dev.type, 04877 RSBAC_MAJOR(tid.dev.id), 04878 RSBAC_MINOR(tid.dev.id)); 04879 } 04880 #endif 04881 /* default entry? */ 04882 if((tid.dev.type == D_none) && RSBAC_IS_ZERO_DEV(tid.dev.id)) 04883 return rsbac_list_remove(default_dev_handle, &desc); 04884 04885 { 04886 struct rsbac_dev_desc_t dev_desc; 04887 04888 dev_desc.type = tid.dev.type; 04889 dev_desc.major = RSBAC_MAJOR(tid.dev.id); 04890 dev_desc.minor = RSBAC_MINOR(tid.dev.id); 04891 err = rsbac_list_lol_subremove(dev_handle, &dev_desc, &desc); 04892 /* if ACL is empty, remove it */ 04893 if( !err 04894 && !rsbac_list_lol_subcount(dev_handle, &dev_desc) 04895 && !rsbac_list_lol_get_data(dev_handle, 04896 &dev_desc, 04897 &mask) 04898 && (mask == RSBAC_ACL_DEFAULT_DEV_MASK) 04899 ) 04900 { 04901 err = rsbac_list_lol_remove(dev_handle, &dev_desc); 04902 } 04903 return err; 04904 } 04905 04906 case T_IPC: 04907 #ifdef CONFIG_RSBAC_DEBUG 04908 if (rsbac_debug_ds_acl) 04909 { 04910 #ifdef CONFIG_RSBAC_RMSG 04911 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing IPC ACL for type %u\n", 04912 tid.ipc.type); 04913 #endif 04914 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04915 if (!rsbac_nosyslog) 04916 #endif 04917 printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing IPC ACL for type %u\n", 04918 tid.ipc.type); 04919 } 04920 #endif 04921 /* default entry? */ 04922 if(tid.ipc.type == I_none) 04923 return rsbac_list_remove(default_ipc_handle, &desc); 04924 else 04925 return -RSBAC_EINVALIDTARGET; 04926 04927 case T_SCD: 04928 #ifdef CONFIG_RSBAC_DEBUG 04929 if (rsbac_debug_ds_acl) 04930 { 04931 char tmp[80]; 04932 04933 get_acl_scd_type_name(tmp, tid.scd); 04934 #ifdef CONFIG_RSBAC_RMSG 04935 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing SCD ACL entry for %s\n", 04936 tmp); 04937 #endif 04938 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04939 if (!rsbac_nosyslog) 04940 #endif 04941 printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing SCD ACL entry for %s\n", 04942 tmp); 04943 } 04944 #endif 04945 /* default entry? */ 04946 if(tid.scd == AST_none) 04947 return rsbac_list_remove(default_scd_handle, &desc); 04948 err = rsbac_list_lol_subremove(scd_handle, &tid.scd, &desc); 04949 /* if ACL is empty, remove it */ 04950 if( !err 04951 && !rsbac_list_lol_subcount(scd_handle, &tid.scd) 04952 && !rsbac_list_lol_get_data(scd_handle, 04953 &tid.scd, 04954 &mask) 04955 && (mask == RSBAC_ACL_DEFAULT_SCD_MASK) 04956 ) 04957 { 04958 err = rsbac_list_lol_remove(scd_handle, &tid.scd); 04959 } 04960 return err; 04961 04962 case T_USER: 04963 #ifdef CONFIG_RSBAC_DEBUG 04964 if (rsbac_debug_ds_acl) 04965 { 04966 #ifdef CONFIG_RSBAC_RMSG 04967 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing user ACL for user %u\n", 04968 tid.user); 04969 #endif 04970 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04971 if (!rsbac_nosyslog) 04972 #endif 04973 printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing user ACL for user %u\n", 04974 tid.user); 04975 } 04976 #endif 04977 /* default entry? */ 04978 if(tid.user == RSBAC_NO_USER) 04979 return rsbac_list_remove(default_u_handle, &desc); 04980 else 04981 return -RSBAC_EINVALIDTARGET; 04982 04983 case T_PROCESS: 04984 #ifdef CONFIG_RSBAC_DEBUG 04985 if (rsbac_debug_ds_acl) 04986 { 04987 #ifdef CONFIG_RSBAC_RMSG 04988 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing process ACL for pid %u\n", 04989 tid.process); 04990 #endif 04991 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 04992 if (!rsbac_nosyslog) 04993 #endif 04994 printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing process ACL for pid %u\n", 04995 tid.process); 04996 } 04997 #endif 04998 /* default entry? */ 04999 if(!tid.process) 05000 return rsbac_list_remove(default_p_handle, &desc); 05001 else 05002 return -RSBAC_EINVALIDTARGET; 05003 05004 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 05005 case T_NETDEV: 05006 #ifdef CONFIG_RSBAC_DEBUG 05007 if (rsbac_debug_ds_acl) 05008 { 05009 #ifdef CONFIG_RSBAC_RMSG 05010 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing network device ACL entry for netdev %s\n", 05011 tid.netdev); 05012 #endif 05013 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 05014 if (!rsbac_nosyslog) 05015 #endif 05016 printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing network device ACL entry for netdev %s\n", 05017 tid.netdev); 05018 } 05019 #endif 05020 /* default entry? */ 05021 if(!tid.netdev[0]) 05022 return rsbac_list_remove(default_netdev_handle, &desc); 05023 05024 err = rsbac_list_lol_subremove(netdev_handle, &tid.netdev, &desc); 05025 /* if ACL is empty, remove it */ 05026 if( !err 05027 && !rsbac_list_lol_subcount(netdev_handle, &tid.netdev) 05028 && !rsbac_list_lol_get_data(netdev_handle, 05029 &tid.netdev, 05030 &mask) 05031 && (mask == RSBAC_ACL_DEFAULT_NETDEV_MASK) 05032 ) 05033 { 05034 err = rsbac_list_lol_remove(netdev_handle, &tid.netdev); 05035 } 05036 return err; 05037 #endif 05038 05039 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 05040 case T_NETTEMP_NT: 05041 #ifdef CONFIG_RSBAC_DEBUG 05042 if (rsbac_debug_ds_acl) 05043 { 05044 #ifdef CONFIG_RSBAC_RMSG 05045 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing network template NT ACL entry for nettemp_nt %u\n", 05046 tid.nettemp); 05047 #endif 05048 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 05049 if (!rsbac_nosyslog) 05050 #endif 05051 printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing network template NT ACL entry for nettemp_nt %u\n", 05052 tid.nettemp); 05053 } 05054 #endif 05055 /* default entry? */ 05056 if(!tid.nettemp) 05057 return rsbac_list_remove(default_nettemp_nt_handle, &desc); 05058 if(!rsbac_net_template_exist(tid.nettemp)) 05059 return -RSBAC_EINVALIDTARGET; 05060 05061 err = rsbac_list_lol_subremove(nettemp_nt_handle, &tid.nettemp, &desc); 05062 /* if ACL is empty, remove it */ 05063 if( !err 05064 && !rsbac_list_lol_subcount(nettemp_nt_handle, &tid.nettemp) 05065 && !rsbac_list_lol_get_data(nettemp_nt_handle, 05066 &tid.nettemp, 05067 &mask) 05068 && (mask == RSBAC_ACL_DEFAULT_NETTEMP_MASK) 05069 ) 05070 { 05071 err = rsbac_list_lol_remove(nettemp_nt_handle, &tid.nettemp); 05072 } 05073 return err; 05074 05075 case T_NETTEMP: 05076 #ifdef CONFIG_RSBAC_DEBUG 05077 if (rsbac_debug_ds_acl) 05078 { 05079 #ifdef CONFIG_RSBAC_RMSG 05080 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing network template ACL entry for nettemp_nt %u\n", 05081 tid.nettemp); 05082 #endif 05083 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 05084 if (!rsbac_nosyslog) 05085 #endif 05086 printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing network template ACL entry for nettemp_nt %u\n", 05087 tid.nettemp); 05088 } 05089 #endif 05090 /* default entry? */ 05091 if(!tid.nettemp) 05092 return -RSBAC_EINVALIDTARGET; 05093 if(!rsbac_net_template_exist(tid.nettemp)) 05094 return -RSBAC_EINVALIDTARGET; 05095 05096 err = rsbac_list_lol_subremove(nettemp_handle, &tid.nettemp, &desc); 05097 /* if ACL is empty, remove it */ 05098 if( !err 05099 && !rsbac_list_lol_subcount(nettemp_handle, &tid.nettemp) 05100 && !rsbac_list_lol_get_data(nettemp_handle, 05101 &tid.nettemp, 05102 &mask) 05103 && (mask == RSBAC_ACL_DEFAULT_NETOBJ_MASK) 05104 ) 05105 { 05106 err = rsbac_list_lol_remove(nettemp_handle, &tid.nettemp); 05107 } 05108 return err; 05109 05110 case T_NETOBJ: 05111 #ifdef CONFIG_RSBAC_DEBUG 05112 if (rsbac_debug_ds_acl) 05113 { 05114 #ifdef CONFIG_RSBAC_RMSG 05115 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing network object ACL entry for netobj %p\n", 05116 tid.netobj.sock_p); 05117 #endif 05118 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 05119 if (!rsbac_nosyslog) 05120 #endif 05121 printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing network object ACL entry for netobj %p\n", 05122 tid.netobj.sock_p); 05123 } 05124 #endif 05125 /* default entry? */ 05126 if(!tid.netobj.sock_p) 05127 return rsbac_list_remove(default_netobj_handle, &desc); 05128 05129 err = rsbac_list_lol_subremove(netobj_handle, &tid.netobj.sock_p, &desc); 05130 /* if ACL is empty, remove it */ 05131 if( !err 05132 && !rsbac_list_lol_subcount(netobj_handle, &tid.netobj.sock_p) 05133 && !rsbac_list_lol_get_data(netobj_handle, 05134 &tid.netobj, 05135 &mask) 05136 && (mask == RSBAC_ACL_DEFAULT_NETOBJ_MASK) 05137 ) 05138 { 05139 err = rsbac_list_lol_remove(netobj_handle, &tid.netobj.sock_p); 05140 } 05141 return err; 05142 #endif /* NET_OBJ_PROT */ 05143 05144 default: 05145 return -RSBAC_EINVALIDTARGET; 05146 } 05147 } 05148 05149 /* rsbac_acl_remove_acl 05150 * Remove ACL for given target. For cleanup on delete. 05151 */ 05152 05153 int rsbac_acl_remove_acl (enum rsbac_target_t target, 05154 union rsbac_target_id_t tid) 05155 { 05156 int err = 0; 05157 int list_no; 05158 struct rsbac_acl_device_list_item_t * device_p; 05159 u_long dflags; 05160 05161 if (!rsbac_is_initialized()) 05162 { 05163 printk(KERN_WARNING "rsbac_acl_remove_acl(): RSBAC not initialized\n"); 05164 return(-RSBAC_ENOTINITIALIZED); 05165 } 05166 #ifdef CONFIG_RSBAC_DEBUG 05167 if (in_interrupt()) 05168 { 05169 #ifdef CONFIG_RSBAC_RMSG 05170 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl(): called from interrupt!\n"); 05171 #endif 05172 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 05173 if (!rsbac_nosyslog) 05174 #endif 05175 printk(KERN_WARNING "rsbac_acl_remove_acl(): called from interrupt!\n"); 05176 } 05177 #endif 05178 switch (target) 05179 { 05180 case T_FILE: 05181 case T_DIR: 05182 case T_FIFO: 05183 case T_SYMLINK: 05184 #ifdef CONFIG_RSBAC_DEBUG 05185 if (rsbac_debug_ds_acl) 05186 { 05187 #ifdef CONFIG_RSBAC_RMSG 05188 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing file/dir/fifo/symlink ACL for device %02u:%02u, inode %u\n", 05189 RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode); 05190 #endif 05191 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 05192 if (!rsbac_nosyslog) 05193 #endif 05194 printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing file/dir/fifo/symlink ACL for device %02u:%02u, inode %u\n", 05195 RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode); 05196 } 05197 #endif 05198 /* default entry? */ 05199 if(RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode && !tid.file.dentry_p) 05200 return -RSBAC_EINVALIDTARGET; 05201 05202 /* wait for read access to device_list_head */ 05203 rsbac_read_lock(&device_list_head.lock, &dflags); 05204 /* OK, go on */ 05205 /* lookup device */ 05206 device_p = acl_lookup_device(tid.file.device); 05207 if (!device_p) 05208 { 05209 /* trigger rsbac_mount() */ 05210 rsbac_read_unlock(&device_list_head.lock, &dflags); 05211 rsbac_get_super_block(tid.file.device); 05212 /* retry */ 05213 rsbac_read_lock(&device_list_head.lock, &dflags); 05214 device_p = acl_lookup_device(tid.file.device); 05215 if(!device_p) 05216 { 05217 printk(KERN_WARNING 05218 "rsbac_acl_remove_acl(): Could not lookup device!\n"); 05219 rsbac_read_unlock(&device_list_head.lock, &dflags); 05220 return -RSBAC_EINVALIDDEV; 05221 } 05222 } 05223 list_no = fd_hash(tid.file.inode); 05224 err = rsbac_list_lol_remove(device_p->handles[list_no], &tid.file.inode); 05225 rsbac_read_unlock(&device_list_head.lock, &dflags); 05226 return err; 05227 05228 case T_DEV: 05229 #ifdef CONFIG_RSBAC_DEBUG 05230 if (rsbac_debug_ds_acl) 05231 { 05232 #ifdef CONFIG_RSBAC_RMSG 05233 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing device ACL for dev %c %02u:%02u\n", 05234 'B'+tid.dev.type, 05235 RSBAC_MAJOR(tid.dev.id), 05236 RSBAC_MINOR(tid.dev.id)); 05237 #endif 05238 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 05239 if (!rsbac_nosyslog) 05240 #endif 05241 printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing device ACL for dev %c %02u:%02u\n", 05242 'B'+tid.dev.type, 05243 RSBAC_MAJOR(tid.dev.id), 05244 RSBAC_MINOR(tid.dev.id)); 05245 } 05246 #endif 05247 /* default entry? */ 05248 if((tid.dev.type == D_none) && RSBAC_IS_ZERO_DEV(tid.dev.id)) 05249 return -RSBAC_EINVALIDTARGET; 05250 else 05251 { 05252 struct rsbac_dev_desc_t dev_desc; 05253 05254 dev_desc.type = tid.dev.type; 05255 dev_desc.major = RSBAC_MAJOR(tid.dev.id); 05256 dev_desc.minor = RSBAC_MINOR(tid.dev.id); 05257 return rsbac_list_lol_remove(dev_handle, &dev_desc); 05258 } 05259 05260 case T_SCD: 05261 #ifdef CONFIG_RSBAC_DEBUG 05262 if (rsbac_debug_ds_acl) 05263 { 05264 char tmp[80]; 05265 05266 get_acl_scd_type_name(tmp, tid.scd); 05267 #ifdef CONFIG_RSBAC_RMSG 05268 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing SCD ACL for %s\n", 05269 tmp); 05270 #endif 05271 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 05272 if (!rsbac_nosyslog) 05273 #endif 05274 printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing SCD ACL for %s\n", 05275 tmp); 05276 } 05277 #endif 05278 /* default entry? */ 05279 if(tid.scd == AST_none) 05280 return -RSBAC_EINVALIDTARGET; 05281 else 05282 return rsbac_list_lol_remove(scd_handle, &tid.scd); 05283 05284 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 05285 case T_NETDEV: 05286 #ifdef CONFIG_RSBAC_DEBUG 05287 if (rsbac_debug_ds_acl) 05288 { 05289 #ifdef CONFIG_RSBAC_RMSG 05290 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing network device ACL for netdev %s\n", 05291 tid.netdev); 05292 #endif 05293 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 05294 if (!rsbac_nosyslog) 05295 #endif 05296 printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing network device ACL for netdev %s\n", 05297 tid.netdev); 05298 } 05299 #endif 05300 /* default entry? */ 05301 if(!tid.netdev[0]) 05302 return -RSBAC_EINVALIDTARGET; 05303 else 05304 return rsbac_list_lol_remove(netdev_handle, &tid.netdev); 05305 #endif 05306 05307 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 05308 case T_NETTEMP_NT: 05309 #ifdef CONFIG_RSBAC_DEBUG 05310 if (rsbac_debug_ds_acl) 05311 { 05312 #ifdef CONFIG_RSBAC_RMSG 05313 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing network template NT ACL for nettemp_nt %u\n", 05314 tid.nettemp); 05315 #endif 05316 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 05317 if (!rsbac_nosyslog) 05318 #endif 05319 printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing network template NT ACL for nettemp_nt %u\n", 05320 tid.nettemp); 05321 } 05322 #endif 05323 /* default entry? */ 05324 if(!tid.nettemp) 05325 return -RSBAC_EINVALIDTARGET; 05326 else 05327 return rsbac_list_lol_remove(nettemp_nt_handle, &tid.nettemp); 05328 case T_NETTEMP: 05329 #ifdef CONFIG_RSBAC_DEBUG 05330 if (rsbac_debug_ds_acl) 05331 { 05332 #ifdef CONFIG_RSBAC_RMSG 05333 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing network template ACL for nettemp %u\n", 05334 tid.nettemp); 05335 #endif 05336 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 05337 if (!rsbac_nosyslog) 05338 #endif 05339 printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing network template ACL for nettemp %u\n", 05340 tid.nettemp); 05341 } 05342 #endif 05343 /* default entry? */ 05344 if(!tid.nettemp) 05345 return -RSBAC_EINVALIDTARGET; 05346 else 05347 return rsbac_list_lol_remove(nettemp_handle, &tid.nettemp); 05348 case T_NETOBJ: 05349 #ifdef CONFIG_RSBAC_DEBUG 05350 if (rsbac_debug_ds_acl) 05351 { 05352 #ifdef CONFIG_RSBAC_RMSG 05353 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing network object ACL for netobj %p\n", 05354 tid.netobj.sock_p); 05355 #endif 05356 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 05357 if (!rsbac_nosyslog) 05358 #endif 05359 printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing network object ACL for netobj %p\n", 05360 tid.netobj.sock_p); 05361 } 05362 #endif 05363 /* default entry? */ 05364 if(!tid.netobj.sock_p) 05365 return -RSBAC_EINVALIDTARGET; 05366 else 05367 return rsbac_list_lol_remove(netobj_handle, &tid.netobj.sock_p); 05368 #endif 05369 05370 default: 05371 err = -RSBAC_EINVALIDTARGET; 05372 } 05373 return(err); 05374 } 05375 05376 /* rsbac_acl_add_to_acl_entry 05377 * Add given rights to ACL entry for given target and subject. If entry does 05378 * not exist, behaviour is exactly like rsbac_acl_set_acl_entry. 05379 */ 05380 05381 int rsbac_acl_add_to_acl_entry (enum rsbac_target_t target, 05382 union rsbac_target_id_t tid, 05383 enum rsbac_acl_subject_type_t subj_type, 05384 rsbac_acl_subject_id_t subj_id, 05385 rsbac_acl_rights_vector_t rights, 05386 rsbac_time_t ttl) 05387 { 05388 int err = 0; 05389 int list_no; 05390 struct rsbac_acl_device_list_item_t * device_p; 05391 rsbac_acl_rights_vector_t old_rights; 05392 struct rsbac_acl_entry_desc_t desc; 05393 u_long dflags; 05394 05395 if (!rsbac_is_initialized()) 05396 { 05397 printk(KERN_WARNING "rsbac_acl_add_to_acl_entry(): RSBAC not initialized\n"); 05398 return(-RSBAC_ENOTINITIALIZED); 05399 } 05400 if (subj_type >= ACLS_NONE) 05401 return(-RSBAC_EINVALIDVALUE); 05402 #ifdef CONFIG_RSBAC_DEBUG 05403 if (in_interrupt()) 05404 { 05405 #ifdef CONFIG_RSBAC_RMSG 05406 rsbac_printk(KERN_WARNING "rsbac_acl_add_to_acl_entry(): called from interrupt!\n"); 05407 #endif 05408 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 05409 if (!rsbac_nosyslog) 05410 #endif 05411 printk(KERN_WARNING "rsbac_acl_add_to_acl_entry(): called from interrupt!\n"); 05412 } 05413 #endif 05414 desc.subj_type = subj_type; 05415 desc.subj_id = subj_id; 05416 05417 switch (target) 05418 { 05419 case T_FILE: 05420 case T_DIR: 05421 case T_FIFO: 05422 case T_SYMLINK: 05423 /* 05424 #ifdef CONFIG_RSBAC_DEBUG 05425 if (rsbac_debug_ds_acl) 05426 { 05427 printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to file/dir/fifo/symlink ACL for device %02u:%02u, inode %u\n", 05428 RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode); 05429 } 05430 #endif 05431 */ 05432 /* default entry? */ 05433 if(RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode && !tid.file.dentry_p) 05434 { 05435 if(!rsbac_list_get_data(default_fd_handle, &desc, &old_rights)) 05436 rights |= old_rights; 05437 return rsbac_list_add_ttl(default_fd_handle, ttl, &desc, &rights); 05438 } 05439 /* wait for read access to device_list_head */ 05440 rsbac_read_lock(&device_list_head.lock, &dflags); 05441 /* OK, go on */ 05442 /* lookup device */ 05443 device_p = acl_lookup_device(tid.file.device); 05444 if (!device_p) 05445 { 05446 /* trigger rsbac_mount() */ 05447 rsbac_read_unlock(&device_list_head.lock, &dflags); 05448 rsbac_get_super_block(tid.file.device); 05449 /* retry */ 05450 rsbac_read_lock(&device_list_head.lock, &dflags); 05451 device_p = acl_lookup_device(tid.file.device); 05452 if(!device_p) 05453 { 05454 printk(KERN_WARNING 05455 "rsbac_acl_set_acl_entry(): Could not lookup device!\n"); 05456 /* free read lock */ 05457 rsbac_read_unlock(&device_list_head.lock, &dflags); 05458 return(-RSBAC_EINVALIDDEV); 05459 } 05460 } 05461 /* protect this list */ 05462 list_no = fd_hash(tid.file.inode); 05463 if(!rsbac_list_lol_exist(device_p->handles[list_no], &tid.file.inode)) 05464 { /* new acl */ 05465 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_FD_MASK; 05466 05467 err = rsbac_list_lol_add(device_p->handles[list_no], &tid.file.inode, &mask); 05468 if(err) 05469 { 05470 rsbac_read_unlock(&device_list_head.lock, &dflags); 05471 return err; 05472 } 05473 } 05474 else 05475 { /* old entry? */ 05476 if(!rsbac_list_lol_get_subdata(device_p->handles[list_no], 05477 &tid.file.inode, 05478 &desc, 05479 &old_rights)) 05480 rights |= old_rights; 05481 } 05482 err = rsbac_list_lol_subadd_ttl(device_p->handles[list_no], 05483 ttl, 05484 &tid.file.inode, 05485 &desc, 05486 &rights); 05487 rsbac_read_unlock(&device_list_head.lock, &dflags); 05488 /* ready. */ 05489 return err; 05490 05491 case T_DEV: 05492 /* 05493 #ifdef CONFIG_RSBAC_DEBUG 05494 if (rsbac_debug_ds_acl) 05495 printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to device ACL entry for dev %c %02u:%02u\n", 05496 'B'+tid.dev.type, 05497 RSBAC_MAJOR(tid.dev.id), 05498 RSBAC_MINOR(tid.dev.id)); 05499 #endif 05500 */ 05501 /* default entry? */ 05502 if((tid.dev.type == D_none) && RSBAC_IS_ZERO_DEV(tid.dev.id)) 05503 { 05504 if(!rsbac_list_get_data(default_dev_handle, &desc, &old_rights)) 05505 rights |= old_rights; 05506 return rsbac_list_add_ttl(default_dev_handle, ttl, &desc, &rights); 05507 } 05508 { 05509 struct rsbac_dev_desc_t dev_desc; 05510 05511 dev_desc.type = tid.dev.type; 05512 dev_desc.major = RSBAC_MAJOR(tid.dev.id); 05513 dev_desc.minor = RSBAC_MINOR(tid.dev.id); 05514 if(!rsbac_list_lol_exist(dev_handle, &dev_desc)) 05515 { /* new acl */ 05516 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_DEV_MASK; 05517 05518 err = rsbac_list_lol_add(dev_handle, &dev_desc, &mask); 05519 if(err) 05520 return err; 05521 } 05522 else 05523 { /* old entry? */ 05524 if(!rsbac_list_lol_get_subdata(dev_handle, 05525 &dev_desc, 05526 &desc, 05527 &old_rights)) 05528 rights |= old_rights; 05529 } 05530 return rsbac_list_lol_subadd_ttl(dev_handle, 05531 ttl, 05532 &dev_desc, 05533 &desc, 05534 &rights); 05535 } 05536 05537 case T_IPC: 05538 /* 05539 #ifdef CONFIG_RSBAC_DEBUG 05540 if (rsbac_debug_ds_acl) 05541 printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to IPC ACL for type %u\n", 05542 tid.ipc.type); 05543 #endif 05544 */ 05545 /* default entry? */ 05546 if(tid.ipc.type == I_none) 05547 { 05548 if(!rsbac_list_get_data(default_ipc_handle, &desc, &old_rights)) 05549 rights |= old_rights; 05550 return rsbac_list_add_ttl(default_ipc_handle, ttl, &desc, &rights); 05551 } 05552 else 05553 return -RSBAC_EINVALIDTARGET; 05554 05555 case T_SCD: 05556 /* 05557 #ifdef CONFIG_RSBAC_DEBUG 05558 if (rsbac_debug_ds_acl) 05559 { 05560 char tmp[80]; 05561 05562 printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to SCD ACL entry for %s\n", 05563 get_acl_scd_type_name(tmp, tid.scd)); 05564 } 05565 #endif 05566 */ 05567 /* default entry? */ 05568 if(tid.scd == AST_none) 05569 { 05570 if(!rsbac_list_get_data(default_scd_handle, &desc, &old_rights)) 05571 rights |= old_rights; 05572 return rsbac_list_add_ttl(default_scd_handle, ttl, &desc, &rights); 05573 } 05574 if(!rsbac_list_lol_exist(scd_handle, &tid.scd)) 05575 { /* new acl */ 05576 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_SCD_MASK; 05577 05578 err = rsbac_list_lol_add(scd_handle, &tid.scd, &mask); 05579 if(err) 05580 return err; 05581 } 05582 else 05583 { /* old entry? */ 05584 if(!rsbac_list_lol_get_subdata(scd_handle, 05585 &tid.scd, 05586 &desc, 05587 &old_rights)) 05588 rights |= old_rights; 05589 } 05590 return rsbac_list_lol_subadd_ttl(scd_handle, 05591 ttl, 05592 &tid.scd, 05593 &desc, 05594 &rights); 05595 05596 case T_USER: 05597 /* 05598 #ifdef CONFIG_RSBAC_DEBUG 05599 if (rsbac_debug_ds_acl) 05600 printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to user ACL for user %u\n", 05601 tid.user); 05602 #endif 05603 */ 05604 /* default entry? */ 05605 if(tid.user == RSBAC_NO_USER) 05606 { 05607 if(!rsbac_list_get_data(default_u_handle, &desc, &old_rights)) 05608 rights |= old_rights; 05609 return rsbac_list_add_ttl(default_u_handle, ttl, &desc, &rights); 05610 } 05611 else 05612 return -RSBAC_EINVALIDTARGET; 05613 05614 case T_PROCESS: 05615 /* 05616 #ifdef CONFIG_RSBAC_DEBUG 05617 if (rsbac_debug_ds_acl) 05618 printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to process ACL for pid %u\n", 05619 tid.process); 05620 #endif 05621 */ 05622 /* default entry? */ 05623 if(!tid.process) 05624 { 05625 if(!rsbac_list_get_data(default_p_handle, &desc, &old_rights)) 05626 rights |= old_rights; 05627 return rsbac_list_add_ttl(default_p_handle, ttl, &desc, &rights); 05628 } 05629 else 05630 return -RSBAC_EINVALIDTARGET; 05631 05632 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 05633 case T_NETDEV: 05634 /* 05635 #ifdef CONFIG_RSBAC_DEBUG 05636 if (rsbac_debug_ds_acl) 05637 printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to network device ACL entry for netdev %s\n", 05638 tid.netdev); 05639 #endif 05640 */ 05641 /* default entry? */ 05642 if(!tid.netdev[0]) 05643 { 05644 if(!rsbac_list_get_data(default_netdev_handle, &desc, &old_rights)) 05645 rights |= old_rights; 05646 return rsbac_list_add_ttl(default_netdev_handle, ttl, &desc, &rights); 05647 } 05648 if(!rsbac_list_lol_exist(netdev_handle, &tid.netdev)) 05649 { /* new acl */ 05650 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_NETDEV_MASK; 05651 05652 err = rsbac_list_lol_add(netdev_handle, &tid.netdev, &mask); 05653 if(err) 05654 return err; 05655 } 05656 else 05657 { /* old entry? */ 05658 if(!rsbac_list_lol_get_subdata(netdev_handle, 05659 &tid.netdev, 05660 &desc, 05661 &old_rights)) 05662 rights |= old_rights; 05663 } 05664 return rsbac_list_lol_subadd_ttl(netdev_handle, 05665 ttl, 05666 &tid.netdev, 05667 &desc, 05668 &rights); 05669 #endif 05670 05671 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 05672 case T_NETTEMP_NT: 05673 /* 05674 #ifdef CONFIG_RSBAC_DEBUG 05675 if (rsbac_debug_ds_acl) 05676 printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to network template NT ACL entry for nettemp_nt %u\n", 05677 tid.nettemp); 05678 #endif 05679 */ 05680 /* default entry? */ 05681 if(!tid.nettemp) 05682 { 05683 if(!rsbac_list_get_data(default_nettemp_nt_handle, &desc, &old_rights)) 05684 rights |= old_rights; 05685 return rsbac_list_add_ttl(default_nettemp_nt_handle, ttl, &desc, &rights); 05686 } 05687 if(!rsbac_net_template_exist(tid.nettemp)) 05688 return -RSBAC_EINVALIDTARGET; 05689 if(!rsbac_list_lol_exist(nettemp_nt_handle, &tid.nettemp)) 05690 { /* new acl */ 05691 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_NETTEMP_MASK; 05692 05693 err = rsbac_list_lol_add(nettemp_nt_handle, &tid.nettemp, &mask); 05694 if(err) 05695 return err; 05696 } 05697 else 05698 { /* old entry? */ 05699 if(!rsbac_list_lol_get_subdata(nettemp_nt_handle, 05700 &tid.nettemp, 05701 &desc, 05702 &old_rights)) 05703 rights |= old_rights; 05704 } 05705 return rsbac_list_lol_subadd_ttl(nettemp_nt_handle, 05706 ttl, 05707 &tid.nettemp, 05708 &desc, 05709 &rights); 05710 case T_NETTEMP: 05711 /* 05712 #ifdef CONFIG_RSBAC_DEBUG 05713 if (rsbac_debug_ds_acl) 05714 printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to network template ACL entry for nettemp %u\n", 05715 tid.nettemp); 05716 #endif 05717 */ 05718 /* default entry? */ 05719 if(!tid.nettemp) 05720 { 05721 return -RSBAC_EINVALIDTARGET; 05722 } 05723 if(!rsbac_net_template_exist(tid.nettemp)) 05724 return -RSBAC_EINVALIDTARGET; 05725 if(!rsbac_list_lol_exist(nettemp_handle, &tid.nettemp)) 05726 { /* new acl */ 05727 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK; 05728 05729 err = rsbac_list_lol_add(nettemp_handle, &tid.nettemp, &mask); 05730 if(err) 05731 return err; 05732 } 05733 else 05734 { /* old entry? */ 05735 if(!rsbac_list_lol_get_subdata(nettemp_handle, 05736 &tid.nettemp, 05737 &desc, 05738 &old_rights)) 05739 rights |= old_rights; 05740 } 05741 return rsbac_list_lol_subadd_ttl(nettemp_handle, 05742 ttl, 05743 &tid.nettemp, 05744 &desc, 05745 &rights); 05746 case T_NETOBJ: 05747 /* 05748 #ifdef CONFIG_RSBAC_DEBUG 05749 if (rsbac_debug_ds_acl) 05750 printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to network object ACL entry for netobj %p\n", 05751 tid.netobj.sock_p); 05752 #endif 05753 */ 05754 /* default entry? */ 05755 if(!tid.netobj.sock_p) 05756 { 05757 if(!rsbac_list_get_data(default_netobj_handle, &desc, &old_rights)) 05758 rights |= old_rights; 05759 return rsbac_list_add_ttl(default_netobj_handle, ttl,&desc, &rights); 05760 } 05761 if(!rsbac_list_lol_exist(netobj_handle, &tid.netobj.sock_p)) 05762 { /* new acl */ 05763 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK; 05764 05765 err = rsbac_list_lol_add(netobj_handle, &tid.netobj.sock_p, &mask); 05766 if(err) 05767 return err; 05768 } 05769 else 05770 { /* old entry? */ 05771 if(!rsbac_list_lol_get_subdata(netobj_handle, 05772 &tid.netobj.sock_p, 05773 &desc, 05774 &old_rights)) 05775 rights |= old_rights; 05776 } 05777 return rsbac_list_lol_subadd_ttl(netobj_handle, 05778 ttl, 05779 &tid.netobj.sock_p, 05780 &desc, 05781 &rights); 05782 #endif /* NET_OBJ_PROT */ 05783 05784 default: 05785 return -RSBAC_EINVALIDTARGET; 05786 } 05787 } 05788 05789 /* rsbac_acl_remove_from_acl_entry 05790 * Remove given rights from ACL entry for given target and subject. If entry does 05791 * not exist, nothing happens. 05792 * This function does NOT remove the ACL entry, so removing all rights results in 05793 * NO rights for this subject/target combination! 05794 */ 05795 05796 int rsbac_acl_remove_from_acl_entry(enum rsbac_target_t target, 05797 union rsbac_target_id_t tid, 05798 enum rsbac_acl_subject_type_t subj_type, 05799 rsbac_acl_subject_id_t subj_id, 05800 rsbac_acl_rights_vector_t rights) 05801 { 05802 int err = 0; 05803 int list_no; 05804 struct rsbac_acl_device_list_item_t * device_p; 05805 rsbac_acl_rights_vector_t old_rights; 05806 struct rsbac_acl_entry_desc_t desc; 05807 u_long dflags; 05808 05809 if (!rsbac_is_initialized()) 05810 { 05811 printk(KERN_WARNING "rsbac_acl_remove_from_acl_entry(): RSBAC not initialized\n"); 05812 return(-RSBAC_ENOTINITIALIZED); 05813 } 05814 if (subj_type >= ACLS_NONE) 05815 return(-RSBAC_EINVALIDVALUE); 05816 #ifdef CONFIG_RSBAC_DEBUG 05817 if (in_interrupt()) 05818 { 05819 #ifdef CONFIG_RSBAC_RMSG 05820 rsbac_printk(KERN_WARNING "rsbac_acl_remove_from_acl_entry(): called from interrupt!\n"); 05821 #endif 05822 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 05823 if (!rsbac_nosyslog) 05824 #endif 05825 printk(KERN_WARNING "rsbac_acl_remove_from_acl_entry(): called from interrupt!\n"); 05826 } 05827 #endif 05828 desc.subj_type = subj_type; 05829 desc.subj_id = subj_id; 05830 05831 switch (target) 05832 { 05833 case T_FILE: 05834 case T_DIR: 05835 case T_FIFO: 05836 case T_SYMLINK: 05837 /* 05838 #ifdef CONFIG_RSBAC_DEBUG 05839 if (rsbac_debug_ds_acl) 05840 printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from file/dir/fifo/symlink ACL for device %02u:%02u, inode %u\n", 05841 RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode); 05842 #endif 05843 */ 05844 /* default entry? */ 05845 if(RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode && !tid.file.dentry_p) 05846 { 05847 if(!rsbac_list_get_data(default_fd_handle, &desc, &old_rights)) 05848 { 05849 old_rights &= ~rights; 05850 return rsbac_list_add(default_fd_handle, &desc, &old_rights); 05851 } 05852 else 05853 return 0; 05854 } 05855 /* wait for read access to device_list_head */ 05856 rsbac_read_lock(&device_list_head.lock, &dflags); 05857 /* OK, go on */ 05858 /* lookup device */ 05859 device_p = acl_lookup_device(tid.file.device); 05860 if (!device_p) 05861 { 05862 /* trigger rsbac_mount() */ 05863 rsbac_read_unlock(&device_list_head.lock, &dflags); 05864 rsbac_get_super_block(tid.file.device); 05865 /* retry */ 05866 rsbac_read_lock(&device_list_head.lock, &dflags); 05867 device_p = acl_lookup_device(tid.file.device); 05868 if(!device_p) 05869 { 05870 printk(KERN_WARNING 05871 "rsbac_acl_remove_from_acl_entry(): Could not lookup device!\n"); 05872 /* free read lock */ 05873 rsbac_read_unlock(&device_list_head.lock, &dflags); 05874 return(-RSBAC_EINVALIDDEV); 05875 } 05876 } 05877 list_no = fd_hash(tid.file.inode); 05878 if(!rsbac_list_lol_get_subdata(device_p->handles[list_no], 05879 &tid.file.inode, 05880 &desc, 05881 &old_rights)) 05882 { 05883 old_rights &= ~rights; 05884 err = rsbac_list_lol_subadd(device_p->handles[list_no], 05885 &tid.file.inode, 05886 &desc, 05887 &old_rights); 05888 } 05889 else 05890 err = 0; 05891 rsbac_read_unlock(&device_list_head.lock, &dflags); 05892 return err; 05893 05894 case T_DEV: 05895 /* 05896 #ifdef CONFIG_RSBAC_DEBUG 05897 if (rsbac_debug_ds_acl) 05898 printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from device ACL entry for dev %c %02u:%02u\n", 05899 'B'+tid.dev.type, 05900 RSBAC_MAJOR(tid.dev.id), 05901 RSBAC_MINOR(tid.dev.id)); 05902 #endif 05903 */ 05904 /* default entry? */ 05905 if((tid.dev.type == D_none) && RSBAC_IS_ZERO_DEV(tid.dev.id)) 05906 { 05907 if(!rsbac_list_get_data(default_dev_handle, &desc, &old_rights)) 05908 { 05909 old_rights &= ~rights; 05910 return rsbac_list_add(default_dev_handle, &desc, &old_rights); 05911 } 05912 else 05913 return 0; 05914 } 05915 { 05916 struct rsbac_dev_desc_t dev_desc; 05917 05918 dev_desc.type = tid.dev.type; 05919 dev_desc.major = RSBAC_MAJOR(tid.dev.id); 05920 dev_desc.minor = RSBAC_MINOR(tid.dev.id); 05921 if(!rsbac_list_lol_get_subdata(dev_handle, 05922 &dev_desc, 05923 &desc, 05924 &old_rights)) 05925 { 05926 old_rights &= ~rights; 05927 return rsbac_list_lol_subadd(dev_handle, 05928 &dev_desc, 05929 &desc, 05930 &old_rights); 05931 } 05932 else 05933 return 0; 05934 } 05935 05936 case T_IPC: 05937 /* 05938 #ifdef CONFIG_RSBAC_DEBUG 05939 if (rsbac_debug_ds_acl) 05940 printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from IPC ACL for type %u\n", 05941 tid.ipc.type); 05942 #endif 05943 */ 05944 /* default entry? */ 05945 if(tid.ipc.type == I_none) 05946 { 05947 if(!rsbac_list_get_data(default_ipc_handle, &desc, &old_rights)) 05948 { 05949 old_rights &= ~rights; 05950 return rsbac_list_add(default_ipc_handle, &desc, &old_rights); 05951 } 05952 else 05953 return 0; 05954 } 05955 else 05956 return -RSBAC_EINVALIDTARGET; 05957 05958 case T_SCD: 05959 /* 05960 #ifdef CONFIG_RSBAC_DEBUG 05961 if (rsbac_debug_ds_acl) 05962 { 05963 char tmp[80]; 05964 05965 printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from SCD ACL entry for %s\n", 05966 get_acl_scd_type_name(tmp, tid.dev.id)); 05967 } 05968 #endif 05969 */ 05970 /* default entry? */ 05971 if(tid.scd == AST_none) 05972 { 05973 if(!rsbac_list_get_data(default_scd_handle, &desc, &old_rights)) 05974 { 05975 old_rights &= ~rights; 05976 return rsbac_list_add(default_scd_handle, &desc, &old_rights); 05977 } 05978 else 05979 return 0; 05980 } 05981 if(!rsbac_list_lol_get_subdata(scd_handle, 05982 &tid.scd, 05983 &desc, 05984 &old_rights)) 05985 { 05986 old_rights &= ~rights; 05987 return rsbac_list_lol_subadd(scd_handle, 05988 &tid.scd, 05989 &desc, 05990 &old_rights); 05991 } 05992 else 05993 return 0; 05994 05995 case T_USER: 05996 /* 05997 #ifdef CONFIG_RSBAC_DEBUG 05998 if (rsbac_debug_ds_acl) 05999 printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from user ACL for user %u\n", 06000 tid.user); 06001 #endif 06002 */ 06003 /* default entry? */ 06004 if(tid.user == RSBAC_NO_USER) 06005 { 06006 if(!rsbac_list_get_data(default_u_handle, &desc, &old_rights)) 06007 { 06008 old_rights &= ~rights; 06009 return rsbac_list_add(default_u_handle, &desc, &old_rights); 06010 } 06011 else 06012 return 0; 06013 } 06014 else 06015 return -RSBAC_EINVALIDTARGET; 06016 06017 case T_PROCESS: 06018 /* 06019 #ifdef CONFIG_RSBAC_DEBUG 06020 if (rsbac_debug_ds_acl) 06021 printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from process ACL for pid %u\n", 06022 tid.process); 06023 #endif 06024 */ 06025 /* default entry? */ 06026 if(!tid.process) 06027 { 06028 if(!rsbac_list_get_data(default_p_handle, &desc, &old_rights)) 06029 { 06030 old_rights &= ~rights; 06031 return rsbac_list_add(default_p_handle, &desc, &old_rights); 06032 } 06033 else 06034 return 0; 06035 } 06036 else 06037 return -RSBAC_EINVALIDTARGET; 06038 06039 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 06040 case T_NETDEV: 06041 /* 06042 #ifdef CONFIG_RSBAC_DEBUG 06043 if (rsbac_debug_ds_acl) 06044 printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from network device ACL entry for netdev %s\n", 06045 tid.netdev); 06046 #endif 06047 */ 06048 /* default entry? */ 06049 if(!tid.netdev[0]) 06050 { 06051 if(!rsbac_list_get_data(default_netdev_handle, &desc, &old_rights)) 06052 { 06053 old_rights &= ~rights; 06054 return rsbac_list_add(default_netdev_handle, &desc, &old_rights); 06055 } 06056 else 06057 return 0; 06058 } 06059 if(!rsbac_list_lol_get_subdata(netdev_handle, 06060 &tid.netdev, 06061 &desc, 06062 &old_rights)) 06063 { 06064 old_rights &= ~rights; 06065 return rsbac_list_lol_subadd(netdev_handle, 06066 &tid.netdev, 06067 &desc, 06068 &old_rights); 06069 } 06070 else 06071 return 0; 06072 #endif 06073 06074 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 06075 case T_NETTEMP_NT: 06076 /* 06077 #ifdef CONFIG_RSBAC_DEBUG 06078 if (rsbac_debug_ds_acl) 06079 printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from network template NT ACL entry for nettemp_nt %u\n", 06080 tid.nettemp); 06081 #endif 06082 */ 06083 /* default entry? */ 06084 if(!tid.nettemp) 06085 { 06086 if(!rsbac_list_get_data(default_nettemp_nt_handle, &desc, &old_rights)) 06087 { 06088 old_rights &= ~rights; 06089 return rsbac_list_add(default_nettemp_nt_handle, &desc, &old_rights); 06090 } 06091 else 06092 return 0; 06093 } 06094 if(!rsbac_net_template_exist(tid.nettemp)) 06095 return -RSBAC_EINVALIDTARGET; 06096 if(!rsbac_list_lol_get_subdata(nettemp_nt_handle, 06097 &tid.nettemp, 06098 &desc, 06099 &old_rights)) 06100 { 06101 old_rights &= ~rights; 06102 return rsbac_list_lol_subadd(nettemp_nt_handle, 06103 &tid.nettemp, 06104 &desc, 06105 &old_rights); 06106 } 06107 else 06108 return 0; 06109 case T_NETTEMP: 06110 /* 06111 #ifdef CONFIG_RSBAC_DEBUG 06112 if (rsbac_debug_ds_acl) 06113 printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from network template ACL entry for nettemp %u\n", 06114 tid.nettemp); 06115 #endif 06116 */ 06117 /* default entry? */ 06118 if(!tid.nettemp) 06119 { 06120 return -RSBAC_EINVALIDTARGET; 06121 } 06122 if(!rsbac_net_template_exist(tid.nettemp)) 06123 return -RSBAC_EINVALIDTARGET; 06124 if(!rsbac_list_lol_get_subdata(nettemp_handle, 06125 &tid.nettemp, 06126 &desc, 06127 &old_rights)) 06128 { 06129 old_rights &= ~rights; 06130 return rsbac_list_lol_subadd(nettemp_handle, 06131 &tid.nettemp, 06132 &desc, 06133 &old_rights); 06134 } 06135 else 06136 return 0; 06137 case T_NETOBJ: 06138 /* 06139 #ifdef CONFIG_RSBAC_DEBUG 06140 if (rsbac_debug_ds_acl) 06141 printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from network object ACL entry for netobj %p\n", 06142 tid.netobj.sock_p); 06143 #endif 06144 */ 06145 /* default entry? */ 06146 if(!tid.netobj.sock_p) 06147 { 06148 if(!rsbac_list_get_data(default_netobj_handle, &desc, &old_rights)) 06149 { 06150 old_rights &= ~rights; 06151 return rsbac_list_add(default_netobj_handle, &desc, &old_rights); 06152 } 06153 else 06154 return 0; 06155 } 06156 if(!rsbac_list_lol_get_subdata(netobj_handle, 06157 &tid.netobj.sock_p, 06158 &desc, 06159 &old_rights)) 06160 { 06161 old_rights &= ~rights; 06162 return rsbac_list_lol_subadd(netobj_handle, 06163 &tid.netobj.sock_p, 06164 &desc, 06165 &old_rights); 06166 } 06167 else 06168 return 0; 06169 #endif /* NET_OBJ_PROT */ 06170 06171 default: 06172 return -RSBAC_EINVALIDTARGET; 06173 } 06174 } 06175 06176 /* rsbac_acl_set_mask 06177 * Set inheritance mask for given target to given rights. If item does 06178 * not exist, it is created. 06179 */ 06180 06181 int rsbac_acl_set_mask (enum rsbac_target_t target, 06182 union rsbac_target_id_t tid, 06183 rsbac_acl_rights_vector_t mask) 06184 { 06185 int err = 0; 06186 int list_no; 06187 struct rsbac_acl_device_list_item_t * device_p; 06188 u_long dflags; 06189 06190 if (!rsbac_is_initialized()) 06191 { 06192 printk(KERN_WARNING "rsbac_acl_set_mask(): RSBAC not initialized\n"); 06193 return(-RSBAC_ENOTINITIALIZED); 06194 } 06195 if (target >= T_NONE) 06196 return(-RSBAC_EINVALIDTARGET); 06197 #ifdef CONFIG_RSBAC_DEBUG 06198 if (in_interrupt()) 06199 { 06200 #ifdef CONFIG_RSBAC_RMSG 06201 rsbac_printk(KERN_WARNING "rsbac_acl_set_mask(): called from interrupt!\n"); 06202 #endif 06203 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 06204 if (!rsbac_nosyslog) 06205 #endif 06206 printk(KERN_WARNING "rsbac_acl_set_mask(): called from interrupt!\n"); 06207 } 06208 #endif 06209 switch (target) 06210 { 06211 case T_FILE: 06212 case T_DIR: 06213 case T_FIFO: 06214 case T_SYMLINK: 06215 /* default entry? */ 06216 if(RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode && !tid.file.dentry_p) 06217 { 06218 return -RSBAC_EINVALIDTARGET; 06219 } 06220 #ifdef CONFIG_RSBAC_DEBUG 06221 if (rsbac_debug_ds_acl) 06222 { 06223 #ifdef CONFIG_RSBAC_RMSG 06224 rsbac_printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting file/dir/fifo/symlink inheritance mask for device %02u:%02u, inode %u\n", 06225 RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode); 06226 #endif 06227 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 06228 if (!rsbac_nosyslog) 06229 #endif 06230 printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting file/dir/fifo/symlink inheritance mask for device %02u:%02u, inode %u\n", 06231 RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode); 06232 } 06233 #endif 06234 /* wait for read access to device_list_head */ 06235 rsbac_read_lock(&device_list_head.lock, &dflags); 06236 /* OK, go on */ 06237 /* lookup device */ 06238 device_p = acl_lookup_device(tid.file.device); 06239 if (!device_p) 06240 { 06241 /* trigger rsbac_mount() */ 06242 rsbac_read_unlock(&device_list_head.lock, &dflags); 06243 rsbac_get_super_block(tid.file.device); 06244 /* retry */ 06245 rsbac_read_lock(&device_list_head.lock, &dflags); 06246 device_p = acl_lookup_device(tid.file.device); 06247 if(!device_p) 06248 { 06249 printk(KERN_WARNING 06250 "rsbac_acl_set_mask(): Could not lookup device!\n"); 06251 /* free read lock */ 06252 rsbac_read_unlock(&device_list_head.lock, &dflags); 06253 return(-RSBAC_EINVALIDDEV); 06254 } 06255 } 06256 list_no = fd_hash(tid.file.inode); 06257 err = rsbac_list_lol_add(device_p->handles[list_no], &tid.file.inode, &mask); 06258 rsbac_read_unlock(&device_list_head.lock, &dflags); 06259 /* ready. */ 06260 return err; 06261 06262 case T_DEV: 06263 /* default entry? */ 06264 if(tid.dev.type == D_none) 06265 { 06266 return -RSBAC_EINVALIDTARGET; 06267 } 06268 #ifdef CONFIG_RSBAC_DEBUG 06269 if (rsbac_debug_ds_acl) 06270 { 06271 #ifdef CONFIG_RSBAC_RMSG 06272 rsbac_printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting device inheritance mask for dev %c %02u:%02u\n", 06273 'B'+tid.dev.type, 06274 RSBAC_MAJOR(tid.dev.id), 06275 RSBAC_MINOR(tid.dev.id)); 06276 #endif 06277 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 06278 if (!rsbac_nosyslog) 06279 #endif 06280 printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting device inheritance mask for dev %c %02u:%02u\n", 06281 'B'+tid.dev.type, 06282 RSBAC_MAJOR(tid.dev.id), 06283 RSBAC_MINOR(tid.dev.id)); 06284 } 06285 #endif 06286 { 06287 struct rsbac_dev_desc_t dev_desc; 06288 06289 dev_desc.type = tid.dev.type; 06290 dev_desc.major = RSBAC_MAJOR(tid.dev.id); 06291 dev_desc.minor = RSBAC_MINOR(tid.dev.id); 06292 return rsbac_list_lol_add(dev_handle, &dev_desc, &mask); 06293 } 06294 06295 case T_SCD: 06296 /* default entry? */ 06297 if(tid.scd == AST_none) 06298 { 06299 return -RSBAC_EINVALIDTARGET; 06300 } 06301 #ifdef CONFIG_RSBAC_DEBUG 06302 if (rsbac_debug_ds_acl) 06303 { 06304 char tmp[80]; 06305 06306 get_acl_scd_type_name(tmp, tid.scd); 06307 #ifdef CONFIG_RSBAC_RMSG 06308 rsbac_printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting SCD inheritance mask for %s\n", 06309 tmp); 06310 #endif 06311 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 06312 if (!rsbac_nosyslog) 06313 #endif 06314 printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting SCD inheritance mask for %s\n", 06315 tmp); 06316 } 06317 #endif 06318 return rsbac_list_lol_add(scd_handle, &tid.scd, &mask); 06319 06320 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 06321 case T_NETDEV: 06322 /* default entry? */ 06323 if(!tid.netdev[0]) 06324 { 06325 return -RSBAC_EINVALIDTARGET; 06326 } 06327 #ifdef CONFIG_RSBAC_DEBUG 06328 if (rsbac_debug_ds_acl) 06329 { 06330 #ifdef CONFIG_RSBAC_RMSG 06331 rsbac_printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting network device inheritance mask for netdev %s\n", 06332 tid.netdev); 06333 #endif 06334 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 06335 if (!rsbac_nosyslog) 06336 #endif 06337 printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting network device inheritance mask for netdev %s\n", 06338 tid.netdev); 06339 } 06340 #endif 06341 return rsbac_list_lol_add(netdev_handle, &tid.netdev, &mask); 06342 #endif 06343 06344 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 06345 case T_NETTEMP_NT: 06346 /* default entry? */ 06347 if(!tid.nettemp) 06348 { 06349 return -RSBAC_EINVALIDTARGET; 06350 } 06351 if(!rsbac_net_template_exist(tid.nettemp)) 06352 return -RSBAC_EINVALIDTARGET; 06353 #ifdef CONFIG_RSBAC_DEBUG 06354 if (rsbac_debug_ds_acl) 06355 { 06356 #ifdef CONFIG_RSBAC_RMSG 06357 rsbac_printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting network template NT inheritance mask for nettemp %u\n", 06358 tid.nettemp); 06359 #endif 06360 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 06361 if (!rsbac_nosyslog) 06362 #endif 06363 printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting network template NT inheritance mask for nettemp %u\n", 06364 tid.nettemp); 06365 } 06366 #endif 06367 return rsbac_list_lol_add(nettemp_nt_handle, &tid.nettemp, &mask); 06368 06369 case T_NETTEMP: 06370 /* default entry? */ 06371 if(!tid.nettemp) 06372 { 06373 return -RSBAC_EINVALIDTARGET; 06374 } 06375 if(!rsbac_net_template_exist(tid.nettemp)) 06376 return -RSBAC_EINVALIDTARGET; 06377 #ifdef CONFIG_RSBAC_DEBUG 06378 if (rsbac_debug_ds_acl) 06379 { 06380 #ifdef CONFIG_RSBAC_RMSG 06381 rsbac_printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting network template inheritance mask for nettemp %u\n", 06382 tid.nettemp); 06383 #endif 06384 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 06385 if (!rsbac_nosyslog) 06386 #endif 06387 printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting network template inheritance mask for nettemp %u\n", 06388 tid.nettemp); 06389 } 06390 #endif 06391 return rsbac_list_lol_add(nettemp_handle, &tid.nettemp, &mask); 06392 06393 case T_NETOBJ: 06394 /* default entry? */ 06395 if(!tid.netobj.sock_p) 06396 { 06397 return -RSBAC_EINVALIDTARGET; 06398 } 06399 #ifdef CONFIG_RSBAC_DEBUG 06400 if (rsbac_debug_ds_acl) 06401 { 06402 #ifdef CONFIG_RSBAC_RMSG 06403 rsbac_printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting network object inheritance mask for netobj %p\n", 06404 tid.netobj.sock_p); 06405 #endif 06406 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 06407 if (!rsbac_nosyslog) 06408 #endif 06409 printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting network object inheritance mask for netobj %p\n", 06410 tid.netobj.sock_p); 06411 } 06412 #endif 06413 return rsbac_list_lol_add(netobj_handle, &tid.netobj.sock_p, &mask); 06414 #endif /* NET_OBJ_PROT */ 06415 06416 default: 06417 err = -RSBAC_EINVALIDTARGET; 06418 } 06419 return(err); 06420 } 06421 06422 /* rsbac_acl_get_mask 06423 * Get inheritance mask for given target. If item does 06424 * not exist, default mask is returned. 06425 */ 06426 06427 int rsbac_acl_get_mask (enum rsbac_target_t target, 06428 union rsbac_target_id_t tid, 06429 rsbac_acl_rights_vector_t * mask_p) 06430 { 06431 int err = 0; 06432 int list_no; 06433 struct rsbac_acl_device_list_item_t * device_p; 06434 u_long dflags; 06435 06436 if (!rsbac_is_initialized()) 06437 { 06438 printk(KERN_WARNING "rsbac_acl_get_mask(): RSBAC not initialized\n"); 06439 return(-RSBAC_ENOTINITIALIZED); 06440 } 06441 if (target >= T_NONE) 06442 return(-RSBAC_EINVALIDTARGET); 06443 #ifdef CONFIG_RSBAC_DEBUG 06444 if (in_interrupt()) 06445 { 06446 #ifdef CONFIG_RSBAC_RMSG 06447 rsbac_printk(KERN_WARNING "rsbac_acl_get_mask(): called from interrupt!\n"); 06448 #endif 06449 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 06450 if (!rsbac_nosyslog) 06451 #endif 06452 printk(KERN_WARNING "rsbac_acl_get_mask(): called from interrupt!\n"); 06453 } 06454 #endif 06455 switch (target) 06456 { 06457 case T_FILE: 06458 case T_DIR: 06459 case T_FIFO: 06460 case T_SYMLINK: 06461 /* default entry? */ 06462 if(RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode && !tid.file.dentry_p) 06463 { 06464 return -RSBAC_EINVALIDTARGET; 06465 } 06466 /* 06467 #ifdef CONFIG_RSBAC_DEBUG 06468 if (rsbac_debug_ds_acl) 06469 printk(KERN_DEBUG "rsbac_acl_get_mask(): Getting file/dir/fifo/symlink inheritance mask for device %02u:%02u, inode %u\n", 06470 RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode); 06471 #endif 06472 */ 06473 /* wait for read access to device_list_head */ 06474 rsbac_read_lock(&device_list_head.lock, &dflags); 06475 /* OK, go on */ 06476 /* lookup device */ 06477 device_p = acl_lookup_device(tid.file.device); 06478 if (!device_p) 06479 { 06480 /* trigger rsbac_mount() */ 06481 rsbac_read_unlock(&device_list_head.lock, &dflags); 06482 rsbac_get_super_block(tid.file.device); 06483 /* retry */ 06484 rsbac_read_lock(&device_list_head.lock, &dflags); 06485 device_p = acl_lookup_device(tid.file.device); 06486 if(!device_p) 06487 { 06488 printk(KERN_WARNING 06489 "rsbac_acl_get_mask(): Could not lookup device!\n"); 06490 /* free read lock */ 06491 rsbac_read_unlock(&device_list_head.lock, &dflags); 06492 return(-RSBAC_EINVALIDDEV); 06493 } 06494 } 06495 list_no = fd_hash(tid.file.inode); 06496 err = rsbac_list_lol_get_data(device_p->handles[list_no], &tid.file.inode, mask_p); 06497 /* unlock */ 06498 rsbac_read_unlock(&device_list_head.lock, &dflags); 06499 if(err == -RSBAC_ENOTFOUND) 06500 { 06501 *mask_p = RSBAC_ACL_DEFAULT_FD_MASK; 06502 err = 0; 06503 } 06504 /* ready. */ 06505 return err; 06506 06507 case T_DEV: 06508 /* default entry? */ 06509 if(tid.dev.type == D_none) 06510 { 06511 return -RSBAC_EINVALIDTARGET; 06512 } 06513 /* 06514 #ifdef CONFIG_RSBAC_DEBUG 06515 if (rsbac_debug_ds_acl) 06516 printk(KERN_DEBUG "rsbac_acl_get_mask(): Getting device inheritance mask for dev %c %02u:%02u\n", 06517 'B'+tid.dev.type, 06518 RSBAC_MAJOR(tid.dev.id), 06519 RSBAC_MINOR(tid.dev.id)); 06520 #endif 06521 */ 06522 { 06523 struct rsbac_dev_desc_t dev_desc; 06524 06525 dev_desc.type = tid.dev.type; 06526 dev_desc.major = RSBAC_MAJOR(tid.dev.id); 06527 dev_desc.minor = RSBAC_MINOR(tid.dev.id); 06528 err = rsbac_list_lol_get_data(dev_handle, &dev_desc, mask_p); 06529 } 06530 if(err == -RSBAC_ENOTFOUND) 06531 { 06532 *mask_p = RSBAC_ACL_DEFAULT_DEV_MASK; 06533 err = 0; 06534 } 06535 /* ready. */ 06536 return err; 06537 06538 case T_SCD: 06539 /* default entry? */ 06540 if(tid.scd == AST_none) 06541 { 06542 return -RSBAC_EINVALIDTARGET; 06543 } 06544 /* 06545 #ifdef CONFIG_RSBAC_DEBUG 06546 if (rsbac_debug_ds_acl) 06547 { 06548 char tmp[80]; 06549 06550 printk(KERN_DEBUG 06551 "rsbac_acl_get_mask(): Getting SCD inheritance mask for %s\n", 06552 get_acl_scd_type_name(tmp, tid.scd)); 06553 } 06554 #endif 06555 */ 06556 err = rsbac_list_lol_get_data(scd_handle, &tid.scd, mask_p); 06557 if(err == -RSBAC_ENOTFOUND) 06558 { 06559 *mask_p = RSBAC_ACL_DEFAULT_SCD_MASK; 06560 err = 0; 06561 } 06562 /* ready. */ 06563 return err; 06564 06565 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 06566 case T_NETDEV: 06567 /* default entry? */ 06568 if(!tid.netdev[0]) 06569 { 06570 return -RSBAC_EINVALIDTARGET; 06571 } 06572 /* 06573 #ifdef CONFIG_RSBAC_DEBUG 06574 if (rsbac_debug_ds_acl) 06575 printk(KERN_DEBUG 06576 "rsbac_acl_get_mask(): Getting network device inheritance mask for netdev %s\n", 06577 tid.netdev); 06578 #endif 06579 */ 06580 err = rsbac_list_lol_get_data(netdev_handle, &tid.netdev, mask_p); 06581 if(err == -RSBAC_ENOTFOUND) 06582 { 06583 *mask_p = RSBAC_ACL_DEFAULT_NETDEV_MASK; 06584 err = 0; 06585 } 06586 /* ready. */ 06587 return err; 06588 #endif 06589 06590 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 06591 case T_NETTEMP_NT: 06592 /* default entry? */ 06593 if(!tid.nettemp) 06594 { 06595 return -RSBAC_EINVALIDTARGET; 06596 } 06597 if(!rsbac_net_template_exist(tid.nettemp)) 06598 return -RSBAC_EINVALIDTARGET; 06599 /* 06600 #ifdef CONFIG_RSBAC_DEBUG 06601 if (rsbac_debug_ds_acl) 06602 printk(KERN_DEBUG 06603 "rsbac_acl_get_mask(): Getting network template NT inheritance mask for nettemp %u\n", 06604 tid.nettemp); 06605 #endif 06606 */ 06607 err = rsbac_list_lol_get_data(nettemp_nt_handle, &tid.nettemp, mask_p); 06608 if(err == -RSBAC_ENOTFOUND) 06609 { 06610 *mask_p = RSBAC_ACL_DEFAULT_NETTEMP_MASK; 06611 err = 0; 06612 } 06613 /* ready. */ 06614 return err; 06615 case T_NETTEMP: 06616 /* default entry? */ 06617 if(!tid.nettemp) 06618 { 06619 return -RSBAC_EINVALIDTARGET; 06620 } 06621 if(!rsbac_net_template_exist(tid.nettemp)) 06622 return -RSBAC_EINVALIDTARGET; 06623 /* 06624 #ifdef CONFIG_RSBAC_DEBUG 06625 if (rsbac_debug_ds_acl) 06626 printk(KERN_DEBUG 06627 "rsbac_acl_get_mask(): Getting network template inheritance mask for nettemp %u\n", 06628 tid.nettemp); 06629 #endif 06630 */ 06631 err = rsbac_list_lol_get_data(nettemp_handle, &tid.nettemp, mask_p); 06632 if(err == -RSBAC_ENOTFOUND) 06633 { 06634 *mask_p = RSBAC_ACL_DEFAULT_NETOBJ_MASK; 06635 err = 0; 06636 } 06637 /* ready. */ 06638 return err; 06639 case T_NETOBJ: 06640 /* default entry? */ 06641 if(!tid.netobj.sock_p) 06642 { 06643 return -RSBAC_EINVALIDTARGET; 06644 } 06645 /* 06646 #ifdef CONFIG_RSBAC_DEBUG 06647 if (rsbac_debug_ds_acl) 06648 printk(KERN_DEBUG 06649 "rsbac_acl_get_mask(): Getting network object inheritance mask for netobj %p\n", 06650 tid.netobj.sock_p); 06651 #endif 06652 */ 06653 err = rsbac_list_lol_get_data(netobj_handle, &tid.netobj.sock_p, mask_p); 06654 if(err == -RSBAC_ENOTFOUND) 06655 { 06656 *mask_p = RSBAC_ACL_DEFAULT_NETOBJ_MASK; 06657 err = 0; 06658 } 06659 /* ready. */ 06660 return err; 06661 #endif 06662 06663 default: 06664 err = -RSBAC_EINVALIDTARGET; 06665 } 06666 return(err); 06667 } 06668 06669 /* rsbac_acl_get_rights 06670 * Get rights from ACL entry for given target and subject. 06671 * If entry does not exist and inherit is on, inherited rights are used. 06672 * If there is no parent, the default rights vector for this target type is returned. 06673 * This function does NOT add role or group rights to user rights! 06674 */ 06675 06676 int rsbac_acl_get_rights (enum rsbac_target_t target, 06677 union rsbac_target_id_t tid, 06678 enum rsbac_acl_subject_type_t subj_type, 06679 rsbac_acl_subject_id_t subj_id, 06680 rsbac_acl_rights_vector_t * rights_p, 06681 boolean inherit) 06682 { 06683 int err = 0; 06684 int list_no; 06685 struct rsbac_acl_device_list_item_t * device_p; 06686 u_long dflags; 06687 struct rsbac_acl_entry_desc_t desc; 06688 rsbac_acl_rights_vector_t i_rights = 0; 06689 rsbac_acl_rights_vector_t mask = -1; 06690 06691 if (!rsbac_is_initialized()) 06692 { 06693 printk(KERN_WARNING "rsbac_acl_get_rights(): RSBAC not initialized\n"); 06694 return(-RSBAC_ENOTINITIALIZED); 06695 } 06696 if (!rights_p) 06697 return(-RSBAC_EINVALIDPOINTER); 06698 if (subj_type >= ACLS_NONE) 06699 return(-RSBAC_EINVALIDVALUE); 06700 #ifdef CONFIG_RSBAC_DEBUG 06701 if (in_interrupt()) 06702 { 06703 #ifdef CONFIG_RSBAC_RMSG 06704 rsbac_printk(KERN_WARNING "rsbac_acl_get_rights(): called from interrupt!\n"); 06705 #endif 06706 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 06707 if (!rsbac_nosyslog) 06708 #endif 06709 printk(KERN_WARNING "rsbac_acl_get_rights(): called from interrupt!\n"); 06710 } 06711 #endif 06712 desc.subj_type = subj_type; 06713 desc.subj_id = subj_id; 06714 06715 switch (target) 06716 { 06717 case T_FILE: 06718 case T_DIR: 06719 case T_FIFO: 06720 case T_SYMLINK: 06721 /* 06722 #ifdef CONFIG_RSBAC_DEBUG 06723 if (rsbac_debug_ds_acl) 06724 { 06725 char tmp[20]; 06726 printk(KERN_DEBUG "rsbac_acl_get_rights(): Getting rights of %s %u for device %02u:%02u, inode %u\n", 06727 get_acl_subject_type_name(tmp,subj_type), subj_id, RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode); 06728 } 06729 #endif 06730 */ 06731 /* default entry? */ 06732 if(RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode && !tid.file.dentry_p) 06733 { 06734 if(rsbac_list_get_data(default_fd_handle, &desc, rights_p)) 06735 { 06736 /* last resort: default rights */ 06737 *rights_p = default_fd_rights; 06738 } 06739 return 0; 06740 } 06741 *rights_p = 0; 06742 /* wait for read access to device_list_head */ 06743 rsbac_read_lock(&device_list_head.lock, &dflags); 06744 /* OK, go on */ 06745 /* use loop for inheritance - used to be recursive calls */ 06746 for (;;) 06747 { 06748 /* lookup device */ 06749 device_p = acl_lookup_device(tid.file.device); 06750 if (!device_p) 06751 { 06752 /* trigger rsbac_mount() */ 06753 rsbac_read_unlock(&device_list_head.lock, &dflags); 06754 rsbac_get_super_block(tid.file.device); 06755 /* retry */ 06756 rsbac_read_lock(&device_list_head.lock, &dflags); 06757 device_p = acl_lookup_device(tid.file.device); 06758 if(!device_p) 06759 { 06760 printk(KERN_WARNING 06761 "rsbac_acl_get_rights(): Could not lookup device %02u:%02u!\n", 06762 RSBAC_MAJOR(tid.file.device),RSBAC_MINOR(tid.file.device)); 06763 /* free read lock */ 06764 rsbac_read_unlock(&device_list_head.lock, &dflags); 06765 return(-RSBAC_EINVALIDDEV); 06766 } 06767 } 06768 list_no = fd_hash(tid.file.inode); 06769 if(!rsbac_list_lol_get_subdata(device_p->handles[list_no], 06770 &tid.file.inode, 06771 &desc, 06772 &i_rights)) 06773 { 06774 *rights_p |= (i_rights & mask); 06775 /* leave loop */ 06776 break; 06777 } 06778 else 06779 if(inherit) 06780 { 06781 enum rsbac_target_t parent_target; 06782 union rsbac_target_id_t parent_tid; 06783 rsbac_acl_rights_vector_t i_mask; 06784 06785 /* get mask to filter through in next round */ 06786 if(rsbac_list_lol_get_data(device_p->handles[list_no], 06787 &tid.file.inode, 06788 &i_mask)) 06789 { 06790 /* no mask found, set default */ 06791 i_mask = RSBAC_ACL_DEFAULT_FD_MASK; 06792 } 06793 /* mask into cumulative mask */ 06794 mask &= i_mask; 06795 06796 /* inheritance possible? */ 06797 if(!rsbac_get_parent(target, tid, &parent_target, &parent_tid)) 06798 { 06799 target = parent_target; 06800 tid = parent_tid; 06801 /* next round */ 06802 continue; 06803 } 06804 else 06805 { 06806 /* no inheritance possible -> try default_fd_acl */ 06807 if(!rsbac_list_get_data(default_fd_handle, 06808 &desc, 06809 &i_rights)) 06810 { 06811 /* found, use it */ 06812 *rights_p |= (i_rights & mask); 06813 } 06814 else 06815 { 06816 /* last resort: default rights */ 06817 *rights_p |= (default_fd_rights & mask); 06818 } 06819 } 06820 /* leave loop */ 06821 break; 06822 } 06823 else /* do not inherit */ 06824 { 06825 /* last resort: default rights */ 06826 *rights_p |= default_fd_rights; 06827 /* leave loop */ 06828 break; 06829 } 06830 } /* end of for(;;) inheritance loop */ 06831 /* unprotect */ 06832 rsbac_read_unlock(&device_list_head.lock, &dflags); 06833 return err; 06834 06835 case T_DEV: 06836 /* default entry? */ 06837 /* 06838 #ifdef CONFIG_RSBAC_DEBUG 06839 if (rsbac_debug_ds_acl) 06840 printk(KERN_DEBUG "rsbac_acl_get_rights(): Getting device rights for dev %c %02u:%02u\n", 06841 'B'+tid.dev.type, 06842 RSBAC_MAJOR(tid.dev.id), 06843 RSBAC_MINOR(tid.dev.id)); 06844 #endif 06845 */ 06846 if((tid.dev.type == D_none) && RSBAC_IS_ZERO_DEV(tid.dev.id)) 06847 { 06848 if(rsbac_list_get_data(default_dev_handle, &desc, rights_p)) 06849 { 06850 /* last resort: default rights */ 06851 *rights_p = default_dev_rights; 06852 } 06853 return 0; 06854 } 06855 { 06856 struct rsbac_dev_desc_t dev_desc; 06857 06858 dev_desc.type = tid.dev.type; 06859 dev_desc.major = RSBAC_MAJOR(tid.dev.id); 06860 dev_desc.minor = RSBAC_MINOR(tid.dev.id); 06861 if(!rsbac_list_lol_get_subdata(dev_handle, 06862 &dev_desc, 06863 &desc, 06864 &i_rights)) 06865 { 06866 *rights_p |= i_rights; 06867 } 06868 else 06869 { 06870 rsbac_acl_rights_vector_t mask; 06871 06872 /* get mask to filter through */ 06873 if(rsbac_list_lol_get_data(dev_handle, 06874 &dev_desc, 06875 &mask)) 06876 { 06877 /* no mask found, set default */ 06878 mask = RSBAC_ACL_DEFAULT_DEV_MASK; 06879 } 06880 /* try default_dev_acl */ 06881 if(!rsbac_list_get_data(default_dev_handle, &desc, rights_p)) 06882 { 06883 *rights_p &= mask; 06884 } 06885 else 06886 { 06887 /* last resort: default rights */ 06888 *rights_p = default_dev_rights & mask; 06889 } 06890 } 06891 } 06892 return 0; 06893 06894 case T_IPC: 06895 /* 06896 #ifdef CONFIG_RSBAC_DEBUG 06897 if (rsbac_debug_ds_acl) 06898 printk(KERN_DEBUG "rsbac_acl_get_rights(): Getting IPC rights for type %u\n", 06899 tid.ipc.type); 06900 #endif 06901 */ 06902 /* Use default ACL */ 06903 if(rsbac_list_get_data(default_ipc_handle, &desc, rights_p)) 06904 { 06905 /* last resort: default rights */ 06906 *rights_p = default_ipc_rights; 06907 } 06908 return 0; 06909 06910 case T_SCD: 06911 /* default entry? */ 06912 /* 06913 #ifdef CONFIG_RSBAC_DEBUG 06914 if (rsbac_debug_ds_acl) 06915 { 06916 char tmp[80]; 06917 printk(KERN_DEBUG 06918 "rsbac_acl_get_rights(): Getting SCD rights for %s\n", 06919 get_acl_scd_type_name(tmp, tid.scd)); 06920 } 06921 #endif 06922 */ 06923 if( (tid.scd == AST_none) 06924 || (tid.scd == ST_none) 06925 ) 06926 { 06927 if(rsbac_list_get_data(default_scd_handle, &desc, rights_p)) 06928 { 06929 /* last resort: default rights */ 06930 *rights_p = default_scd_rights; 06931 } 06932 return 0; 06933 } 06934 if(!rsbac_list_lol_get_subdata(scd_handle, 06935 &tid.scd, 06936 &desc, 06937 &i_rights)) 06938 { 06939 *rights_p |= i_rights; 06940 } 06941 else 06942 { 06943 rsbac_acl_rights_vector_t mask; 06944 06945 /* get mask to filter through */ 06946 if(rsbac_list_lol_get_data(scd_handle, 06947 &tid.scd, 06948 &mask)) 06949 { 06950 /* no mask found, set default */ 06951 mask = RSBAC_ACL_DEFAULT_SCD_MASK; 06952 } 06953 /* try default_dev_acl */ 06954 if(!rsbac_list_get_data(default_scd_handle, &desc, rights_p)) 06955 { 06956 *rights_p &= mask; 06957 } 06958 else 06959 { 06960 /* last resort: default rights */ 06961 *rights_p = default_scd_rights & mask; 06962 } 06963 } 06964 return 0; 06965 06966 case T_USER: 06967 /* 06968 #ifdef CONFIG_RSBAC_DEBUG 06969 if (rsbac_debug_ds_acl) 06970 printk(KERN_DEBUG "rsbac_acl_get_rights(): Getting user rights for user %u\n", 06971 tid.user); 06972 #endif 06973 */ 06974 /* Use default entry */ 06975 if(rsbac_list_get_data(default_u_handle, &desc, rights_p)) 06976 { 06977 /* last resort: default rights */ 06978 *rights_p = default_u_rights; 06979 } 06980 return 0; 06981 06982 case T_PROCESS: 06983 /* 06984 #ifdef CONFIG_RSBAC_DEBUG 06985 if (rsbac_debug_ds_acl) 06986 printk(KERN_DEBUG "rsbac_acl_get_rights(): Getting process rights for pid %u\n", 06987 tid.process); 06988 #endif 06989 */ 06990 /* Use default entry */ 06991 if(rsbac_list_get_data(default_p_handle, &desc, rights_p)) 06992 { 06993 /* last resort: default rights */ 06994 *rights_p = default_p_rights; 06995 } 06996 return 0; 06997 06998 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 06999 case T_NETDEV: 07000 /* default entry? */ 07001 /* 07002 #ifdef CONFIG_RSBAC_DEBUG 07003 if (rsbac_debug_ds_acl) 07004 printk(KERN_DEBUG "rsbac_acl_get_rights(): Getting network device rights for netdev %s\n", 07005 tid.netdev); 07006 #endif 07007 */ 07008 if(!tid.netdev[0]) 07009 { 07010 if(rsbac_list_get_data(default_netdev_handle, &desc, rights_p)) 07011 { 07012 /* last resort: default rights */ 07013 *rights_p = default_netdev_rights; 07014 } 07015 return 0; 07016 } 07017 if(!rsbac_list_lol_get_subdata(netdev_handle, 07018 &tid.netdev, 07019 &desc, 07020 &i_rights)) 07021 { 07022 *rights_p |= i_rights; 07023 } 07024 else 07025 { 07026 rsbac_acl_rights_vector_t mask; 07027 07028 /* get mask to filter through */ 07029 if(rsbac_list_lol_get_data(netdev_handle, 07030 &tid.netdev, 07031 &mask)) 07032 { 07033 /* no mask found, set default */ 07034 mask = RSBAC_ACL_DEFAULT_NETDEV_MASK; 07035 } 07036 /* try default_dev_acl */ 07037 if(!rsbac_list_get_data(default_netdev_handle, &desc, rights_p)) 07038 { 07039 *rights_p &= mask; 07040 } 07041 else 07042 { 07043 /* last resort: default rights */ 07044 *rights_p = default_netdev_rights & mask; 07045 } 07046 } 07047 return 0; 07048 #endif 07049 07050 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 07051 /* rights to template itself */ 07052 case T_NETTEMP_NT: 07053 /* default entry? */ 07054 /* 07055 #ifdef CONFIG_RSBAC_DEBUG 07056 if (rsbac_debug_ds_acl) 07057 printk(KERN_DEBUG "rsbac_acl_get_rights(): Getting network template NT rights for nettemp %u\n", 07058 tid.nettemp); 07059 #endif 07060 */ 07061 if(!tid.nettemp) 07062 { 07063 if(rsbac_list_get_data(default_nettemp_nt_handle, &desc, rights_p)) 07064 { 07065 /* last resort: default rights */ 07066 *rights_p = default_nettemp_nt_rights; 07067 } 07068 return 0; 07069 } 07070 if(!rsbac_net_template_exist(tid.nettemp)) 07071 return -RSBAC_EINVALIDTARGET; 07072 if(!rsbac_list_lol_get_subdata(nettemp_nt_handle, 07073 &tid.nettemp, 07074 &desc, 07075 &i_rights)) 07076 { 07077 *rights_p |= i_rights; 07078 } 07079 else 07080 { 07081 rsbac_acl_rights_vector_t mask; 07082 07083 /* get mask to filter through */ 07084 if(rsbac_list_lol_get_data(nettemp_nt_handle, 07085 &tid.nettemp, 07086 &mask)) 07087 { 07088 /* no mask found, set default */ 07089 mask = RSBAC_ACL_DEFAULT_NETTEMP_MASK; 07090 } 07091 /* try default_dev_acl */ 07092 if(!rsbac_list_get_data(default_nettemp_nt_handle, &desc, rights_p)) 07093 { 07094 *rights_p &= mask; 07095 } 07096 else 07097 { 07098 /* last resort: default rights */ 07099 *rights_p = default_nettemp_nt_rights & mask; 07100 } 07101 } 07102 return 0; 07103 07104 /* rights to netobjs fitting this template */ 07105 case T_NETTEMP: 07106 /* default entry? */ 07107 /* 07108 #ifdef CONFIG_RSBAC_DEBUG 07109 if (rsbac_debug_ds_acl) 07110 printk(KERN_DEBUG "rsbac_acl_get_rights(): Getting network template rights for nettemp %u\n", 07111 tid.nettemp); 07112 #endif 07113 */ 07114 if(!tid.nettemp) 07115 { 07116 if(rsbac_list_get_data(default_netobj_handle, &desc, rights_p)) 07117 { 07118 /* last resort: default rights */ 07119 *rights_p = default_netobj_rights; 07120 } 07121 return 0; 07122 } 07123 if(!rsbac_net_template_exist(tid.nettemp)) 07124 return -RSBAC_EINVALIDTARGET; 07125 if(!rsbac_list_lol_get_subdata(nettemp_handle, 07126 &tid.nettemp, 07127 &desc, 07128 &i_rights)) 07129 { 07130 *rights_p |= i_rights; 07131 } 07132 else 07133 { 07134 rsbac_acl_rights_vector_t mask; 07135 07136 /* get mask to filter through */ 07137 if(rsbac_list_lol_get_data(nettemp_handle, 07138 &tid.nettemp, 07139 &mask)) 07140 { 07141 /* no mask found, set default */ 07142 mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK; 07143 } 07144 /* try default_dev_acl */ 07145 if(!rsbac_list_get_data(default_netobj_handle, &desc, rights_p)) 07146 { 07147 *rights_p &= mask; 07148 } 07149 else 07150 { 07151 /* last resort: default rights */ 07152 *rights_p = default_netobj_rights & mask; 07153 } 07154 } 07155 return 0; 07156 07157 case T_NETOBJ: 07158 /* default entry? */ 07159 /* 07160 #ifdef CONFIG_RSBAC_DEBUG 07161 if (rsbac_debug_ds_acl) 07162 printk(KERN_DEBUG "rsbac_acl_get_rights(): Getting network object rights for netobj %p\n", 07163 tid.netobj.sock_p); 07164 #endif 07165 */ 07166 if(!tid.nettemp) 07167 { 07168 if(rsbac_list_get_data(default_netobj_handle, &desc, rights_p)) 07169 { 07170 /* last resort: default rights */ 07171 *rights_p = default_netobj_rights; 07172 } 07173 return 0; 07174 } 07175 if(!rsbac_list_lol_get_subdata(netobj_handle, 07176 &tid.netobj.sock_p, 07177 &desc, 07178 &i_rights)) 07179 { 07180 *rights_p |= i_rights; 07181 } 07182 else 07183 { 07184 rsbac_acl_rights_vector_t mask; 07185 rsbac_net_temp_id_t temp = 0; 07186 07187 /* get mask to filter through */ 07188 if(rsbac_list_lol_get_data(nettemp_handle, 07189 &temp, 07190 &mask)) 07191 { 07192 /* no mask found, set default */ 07193 mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK; 07194 } 07195 /* try nettemp_acl */ 07196 rsbac_net_lookup_templates(tid.netobj, 07197 &temp, 07198 NULL); 07199 07200 if( temp 07201 && !rsbac_list_lol_get_subdata(nettemp_handle, 07202 &temp, 07203 &desc, 07204 &i_rights)) 07205 { 07206 *rights_p |= i_rights; 07207 } 07208 else 07209 { 07210 /* get mask to filter through */ 07211 if( temp 07212 && rsbac_list_lol_get_data(nettemp_handle, 07213 &temp, 07214 &mask)) 07215 { 07216 /* no mask found, set default */ 07217 mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK; 07218 } 07219 /* try default_netobj_acl */ 07220 if(!rsbac_list_get_data(default_netobj_handle, &desc, rights_p)) 07221 { 07222 *rights_p &= mask; 07223 } 07224 else 07225 { 07226 /* last resort: default rights */ 07227 *rights_p = default_netobj_rights & mask; 07228 } 07229 } 07230 } 07231 return 0; 07232 #endif /* NET_OBJ_PROT */ 07233 07234 default: 07235 return -RSBAC_EINVALIDTARGET; 07236 } 07237 } 07238 07239 /* rsbac_acl_get_single_right 07240 * Show, whether individual right is set for given target and subject. 07241 * If right is not set, it is checked at all parents, unless it has been 07242 * masked out. (Special case SUPERVISOR: unless 07243 * CONFIG_RSBAC_ACL_SUPER_FILTER is set *and* supervisor has been masked out) 07244 */ 07245 07246 int rsbac_acl_get_single_right (enum rsbac_target_t target, 07247 union rsbac_target_id_t tid, 07248 enum rsbac_acl_subject_type_t subj_type, 07249 rsbac_acl_subject_id_t subj_id, 07250 enum rsbac_adf_request_t right, 07251 boolean * result) 07252 { 07253 int list_no; 07254 struct rsbac_acl_device_list_item_t * device_p; 07255 u_long dflags; 07256 rsbac_acl_rights_vector_t i_rvec; 07257 rsbac_acl_rights_vector_t i_rights; 07258 struct rsbac_acl_entry_desc_t desc; 07259 07260 if (!rsbac_is_initialized()) 07261 { 07262 printk(KERN_WARNING "rsbac_acl_get_single_right(): RSBAC not initialized\n"); 07263 return(-RSBAC_ENOTINITIALIZED); 07264 } 07265 if (!result) 07266 return(-RSBAC_EINVALIDPOINTER); 07267 if ( (subj_type >= ACLS_NONE) 07268 || (right >= ACLR_NONE) 07269 ) 07270 return(-RSBAC_EINVALIDVALUE); 07271 #ifdef CONFIG_RSBAC_DEBUG 07272 if (in_interrupt()) 07273 { 07274 #ifdef CONFIG_RSBAC_RMSG 07275 rsbac_printk(KERN_WARNING "rsbac_acl_get_single_right(): called from interrupt!\n"); 07276 #endif 07277 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 07278 if (!rsbac_nosyslog) 07279 #endif 07280 printk(KERN_WARNING "rsbac_acl_get_single_right(): called from interrupt!\n"); 07281 } 07282 #endif 07283 i_rvec = (rsbac_acl_rights_vector_t) 1 << right; 07284 07285 desc.subj_type = subj_type; 07286 desc.subj_id = subj_id; 07287 07288 switch (target) 07289 { 07290 case T_FILE: 07291 case T_DIR: 07292 case T_FIFO: 07293 case T_SYMLINK: 07294 /* 07295 #ifdef CONFIG_RSBAC_DEBUG 07296 if (rsbac_debug_ds_acl) 07297 printk(KERN_DEBUG "rsbac_acl_get_single_right(): Checking right of subject %u,%u for device %02u:%02u, inode %u\n", 07298 subj_type, subj_id, RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode); 07299 #endif 07300 */ 07301 /* default entry? */ 07302 if(RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode && !tid.file.dentry_p) 07303 { 07304 if(!rsbac_list_get_data(default_fd_handle, &desc, &i_rights)) 07305 { 07306 if(i_rights & i_rvec) 07307 { 07308 *result = TRUE; 07309 return 0; 07310 } 07311 else 07312 { 07313 *result = FALSE; 07314 return 0; 07315 } 07316 } 07317 else 07318 { 07319 if(default_fd_rights & i_rvec) 07320 { 07321 *result = TRUE; 07322 return 0; 07323 } 07324 else 07325 { 07326 *result = FALSE; 07327 return 0; 07328 } 07329 } 07330 } 07331 /* wait for read access to device_list_head */ 07332 rsbac_read_lock(&device_list_head.lock, &dflags); 07333 /* OK, go on */ 07334 /* use loop for inheritance - used to be recursive calls */ 07335 for (;;) 07336 { 07337 /* lookup device */ 07338 device_p = acl_lookup_device(tid.file.device); 07339 if (!device_p) 07340 { 07341 /* trigger rsbac_mount() */ 07342 rsbac_read_unlock(&device_list_head.lock, &dflags); 07343 rsbac_get_super_block(tid.file.device); 07344 /* retry */ 07345 rsbac_read_lock(&device_list_head.lock, &dflags); 07346 device_p = acl_lookup_device(tid.file.device); 07347 if(!device_p) 07348 { 07349 #ifdef CONFIG_RSBAC_RMSG 07350 rsbac_printk(KERN_WARNING 07351 "rsbac_acl_get_single_right(): Could not lookup device, blindly granting access!\n"); 07352 #endif 07353 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 07354 if (!rsbac_nosyslog) 07355 #endif 07356 printk(KERN_WARNING 07357 "rsbac_acl_get_single_right(): Could not lookup device, blindly granting access!\n"); 07358 /* free read lock */ 07359 rsbac_read_unlock(&device_list_head.lock, &dflags); 07360 *result = TRUE; 07361 return 0; 07362 } 07363 } 07364 list_no = fd_hash(tid.file.inode); 07365 if( !rsbac_list_lol_get_subdata(device_p->handles[list_no], 07366 &tid.file.inode, 07367 &desc, 07368 &i_rights) 07369 && (i_rights & i_rvec) 07370 ) 07371 { 07372 rsbac_read_unlock(&device_list_head.lock, &dflags); 07373 *result = TRUE; 07374 return 0; 07375 } 07376 07377 { 07378 enum rsbac_target_t parent_target; 07379 union rsbac_target_id_t parent_tid; 07380 07381 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER 07382 if(right != ACLR_SUPERVISOR) 07383 #endif 07384 { 07385 rsbac_acl_rights_vector_t mask; 07386 07387 /* get mask to filter through */ 07388 if( !rsbac_list_lol_get_data(device_p->handles[list_no], 07389 &tid.file.inode, 07390 &mask) 07391 && !(mask & i_rvec) 07392 ) 07393 { 07394 rsbac_read_unlock(&device_list_head.lock, &dflags); 07395 *result = FALSE; 07396 return 0; 07397 } 07398 } 07399 07400 /* inheritance possible? */ 07401 if(!rsbac_get_parent(target, tid, &parent_target, &parent_tid)) 07402 { 07403 target = parent_target; 07404 tid = parent_tid; 07405 continue; 07406 } 07407 else 07408 { 07409 /* no inheritance possible -> try default_fd_acl */ 07410 if( !rsbac_list_get_data(default_fd_handle, 07411 &desc, 07412 &i_rights) 07413 && (i_rights & i_rvec) 07414 ) 07415 { 07416 *result = TRUE; 07417 } 07418 else 07419 { 07420 if(default_fd_rights & i_rvec) 07421 *result = TRUE; 07422 else 07423 *result = FALSE; 07424 } 07425 /* free access to device_list_head - see above */ 07426 rsbac_read_unlock(&device_list_head.lock, &dflags); 07427 return 0; 07428 } 07429 } 07430 } /* end of for(;;) for inheritance */ 07431 07432 case T_DEV: 07433 /* 07434 #ifdef CONFIG_RSBAC_DEBUG 07435 if (rsbac_debug_ds_acl) 07436 printk(KERN_DEBUG "rsbac_acl_get_single_right(): Getting right for dev %c %02u:%02u\n", 07437 'B'+tid.dev.type, 07438 RSBAC_MAJOR(tid.dev.id), 07439 RSBAC_MINOR(tid.dev.id)); 07440 #endif 07441 */ 07442 if((tid.dev.type == D_none) && RSBAC_IS_ZERO_DEV(tid.dev.id)) 07443 { 07444 if(!rsbac_list_get_data(default_dev_handle, &desc, &i_rights)) 07445 { 07446 if(i_rights & i_rvec) 07447 { 07448 *result = TRUE; 07449 return 0; 07450 } 07451 else 07452 { 07453 *result = FALSE; 07454 return 0; 07455 } 07456 } 07457 else 07458 { 07459 if(default_dev_rights & i_rvec) 07460 { 07461 *result = TRUE; 07462 return 0; 07463 } 07464 else 07465 { 07466 *result = FALSE; 07467 return 0; 07468 } 07469 } 07470 } 07471 07472 { 07473 struct rsbac_dev_desc_t dev_desc; 07474 07475 dev_desc.type = tid.dev.type; 07476 dev_desc.major = RSBAC_MAJOR(tid.dev.id); 07477 dev_desc.minor = RSBAC_MINOR(tid.dev.id); 07478 if( !rsbac_list_lol_get_subdata(dev_handle, 07479 &dev_desc, 07480 &desc, 07481 &i_rights) 07482 && (i_rights & i_rvec) 07483 ) 07484 { 07485 *result = TRUE; 07486 return 0; 07487 } 07488 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER 07489 if(right != ACLR_SUPERVISOR) 07490 #endif 07491 { 07492 rsbac_acl_rights_vector_t mask; 07493 07494 /* get mask to filter through */ 07495 if( !rsbac_list_lol_get_data(dev_handle, 07496 &dev_desc, 07497 &mask) 07498 && !(mask & i_rvec) 07499 ) 07500 { 07501 *result = FALSE; 07502 return 0; 07503 } 07504 } 07505 } 07506 /* no inheritance possible -> try default acl */ 07507 if( !rsbac_list_get_data(default_dev_handle, 07508 &desc, 07509 &i_rights) 07510 && (i_rights & i_rvec) 07511 ) 07512 { 07513 *result = TRUE; 07514 } 07515 else 07516 { 07517 if(default_dev_rights & i_rvec) 07518 *result = TRUE; 07519 else 07520 *result = FALSE; 07521 } 07522 return 0; 07523 07524 case T_IPC: 07525 /* 07526 #ifdef CONFIG_RSBAC_DEBUG 07527 if (rsbac_debug_ds_acl) 07528 printk(KERN_DEBUG "rsbac_acl_get_single_right(): Getting right for type %u\n", 07529 tid.ipc.type); 07530 #endif 07531 */ 07532 /* Use default entry */ 07533 if(!rsbac_list_get_data(default_ipc_handle, &desc, &i_rights)) 07534 { 07535 if(i_rights & i_rvec) 07536 { 07537 *result = TRUE; 07538 return 0; 07539 } 07540 else 07541 { 07542 *result = FALSE; 07543 return 0; 07544 } 07545 } 07546 else 07547 { 07548 if(default_ipc_rights & i_rvec) 07549 { 07550 *result = TRUE; 07551 return 0; 07552 } 07553 else 07554 { 07555 *result = FALSE; 07556 return 0; 07557 } 07558 } 07559 07560 case T_SCD: 07561 /* 07562 #ifdef CONFIG_RSBAC_DEBUG 07563 if (rsbac_debug_ds_acl) 07564 { 07565 char tmp[80]; 07566 07567 printk(KERN_DEBUG 07568 "rsbac_acl_get_single_right(): Getting right for SCD %s\n", 07569 get_acl_scd_type_name(tmp, tid.scd)); 07570 } 07571 #endif 07572 */ 07573 if(tid.scd == AST_none) 07574 { 07575 if(!rsbac_list_get_data(default_scd_handle, &desc, &i_rights)) 07576 { 07577 if(i_rights & i_rvec) 07578 { 07579 *result = TRUE; 07580 return 0; 07581 } 07582 else 07583 { 07584 *result = FALSE; 07585 return 0; 07586 } 07587 } 07588 else 07589 { 07590 if(default_scd_rights & i_rvec) 07591 { 07592 *result = TRUE; 07593 return 0; 07594 } 07595 else 07596 { 07597 *result = FALSE; 07598 return 0; 07599 } 07600 } 07601 } 07602 07603 if( !rsbac_list_lol_get_subdata(scd_handle, 07604 &tid.scd, 07605 &desc, 07606 &i_rights) 07607 && (i_rights & i_rvec) 07608 ) 07609 { 07610 *result = TRUE; 07611 return 0; 07612 } 07613 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER 07614 if(right != ACLR_SUPERVISOR) 07615 #endif 07616 { 07617 rsbac_acl_rights_vector_t mask; 07618 07619 /* get mask to filter through */ 07620 if( !rsbac_list_lol_get_data(scd_handle, 07621 &tid.scd, 07622 &mask) 07623 && !(mask & i_rvec) 07624 ) 07625 { 07626 *result = FALSE; 07627 return 0; 07628 } 07629 } 07630 07631 /* no inheritance possible -> try default acl */ 07632 if( !rsbac_list_get_data(default_scd_handle, 07633 &desc, 07634 &i_rights) 07635 && (i_rights & i_rvec) 07636 ) 07637 { 07638 *result = TRUE; 07639 } 07640 else 07641 { 07642 if(default_scd_rights & i_rvec) 07643 *result = TRUE; 07644 else 07645 *result = FALSE; 07646 } 07647 return 0; 07648 07649 case T_USER: 07650 /* 07651 #ifdef CONFIG_RSBAC_DEBUG 07652 if (rsbac_debug_ds_acl) 07653 printk(KERN_DEBUG "rsbac_acl_get_single_right(): Getting user right for user %u\n", 07654 tid.user); 07655 #endif 07656 */ 07657 /* Use default entry */ 07658 if(!rsbac_list_get_data(default_u_handle, &desc, &i_rights)) 07659 { 07660 if(i_rights & i_rvec) 07661 { 07662 *result = TRUE; 07663 return 0; 07664 } 07665 else 07666 { 07667 *result = FALSE; 07668 return 0; 07669 } 07670 } 07671 else 07672 { 07673 if(default_u_rights & i_rvec) 07674 { 07675 *result = TRUE; 07676 return 0; 07677 } 07678 else 07679 { 07680 *result = FALSE; 07681 return 0; 07682 } 07683 } 07684 07685 case T_PROCESS: 07686 /* 07687 #ifdef CONFIG_RSBAC_DEBUG 07688 if (rsbac_debug_ds_acl) 07689 printk(KERN_DEBUG "rsbac_acl_get_single_right(): Getting process right for pid %u\n", 07690 tid.process); 07691 #endif 07692 */ 07693 /* Use default entry */ 07694 if(!rsbac_list_get_data(default_p_handle, &desc, &i_rights)) 07695 { 07696 if(i_rights & i_rvec) 07697 { 07698 *result = TRUE; 07699 return 0; 07700 } 07701 else 07702 { 07703 *result = FALSE; 07704 return 0; 07705 } 07706 } 07707 else 07708 { 07709 if(default_p_rights & i_rvec) 07710 { 07711 *result = TRUE; 07712 return 0; 07713 } 07714 else 07715 { 07716 *result = FALSE; 07717 return 0; 07718 } 07719 } 07720 07721 #if defined(CONFIG_RSBAC_ACL_NET_DEV_PROT) 07722 case T_NETDEV: 07723 /* 07724 #ifdef CONFIG_RSBAC_DEBUG 07725 if (rsbac_debug_ds_acl) 07726 printk(KERN_DEBUG "rsbac_acl_get_single_right(): Getting right for netdev %s\n", 07727 tid.netdev); 07728 #endif 07729 */ 07730 if(!tid.netdev[0]) 07731 { 07732 if(!rsbac_list_get_data(default_netdev_handle, &desc, &i_rights)) 07733 { 07734 if(i_rights & i_rvec) 07735 { 07736 *result = TRUE; 07737 return 0; 07738 } 07739 else 07740 { 07741 *result = FALSE; 07742 return 0; 07743 } 07744 } 07745 else 07746 { 07747 if(default_netdev_rights & i_rvec) 07748 { 07749 *result = TRUE; 07750 return 0; 07751 } 07752 else 07753 { 07754 *result = FALSE; 07755 return 0; 07756 } 07757 } 07758 } 07759 07760 if( !rsbac_list_lol_get_subdata(netdev_handle, 07761 &tid.netdev, 07762 &desc, 07763 &i_rights) 07764 && (i_rights & i_rvec) 07765 ) 07766 { 07767 *result = TRUE; 07768 return 0; 07769 } 07770 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER 07771 if(right != ACLR_SUPERVISOR) 07772 #endif 07773 { 07774 rsbac_acl_rights_vector_t mask; 07775 07776 /* get mask to filter through */ 07777 if( !rsbac_list_lol_get_data(netdev_handle, 07778 &tid.netdev, 07779 &mask) 07780 && !(mask & i_rvec) 07781 ) 07782 { 07783 *result = FALSE; 07784 return 0; 07785 } 07786 } 07787 07788 /* no inheritance possible -> try default acl */ 07789 if( !rsbac_list_get_data(default_netdev_handle, 07790 &desc, 07791 &i_rights) 07792 && (i_rights & i_rvec) 07793 ) 07794 { 07795 *result = TRUE; 07796 } 07797 else 07798 { 07799 if(default_netdev_rights & i_rvec) 07800 *result = TRUE; 07801 else 07802 *result = FALSE; 07803 } 07804 return 0; 07805 #endif 07806 07807 #if defined(CONFIG_RSBAC_ACL_NET_OBJ_PROT) 07808 case T_NETTEMP_NT: 07809 case T_NETTEMP: 07810 /* 07811 #ifdef CONFIG_RSBAC_DEBUG 07812 if (rsbac_debug_ds_acl) 07813 printk(KERN_DEBUG "rsbac_acl_get_single_right(): Getting right for nettemp %u\n", 07814 tid.nettemp); 07815 #endif 07816 */ 07817 if(!tid.nettemp) 07818 { 07819 if(!rsbac_list_get_data(default_nettemp_nt_handle, &desc, &i_rights)) 07820 { 07821 if(i_rights & i_rvec) 07822 { 07823 *result = TRUE; 07824 return 0; 07825 } 07826 else 07827 { 07828 *result = FALSE; 07829 return 0; 07830 } 07831 } 07832 else 07833 { 07834 if(default_nettemp_nt_rights & i_rvec) 07835 { 07836 *result = TRUE; 07837 return 0; 07838 } 07839 else 07840 { 07841 *result = FALSE; 07842 return 0; 07843 } 07844 } 07845 } 07846 07847 /* There should be no template, which is to be created, so skip nettemp_nt list */ 07848 if(right != R_CREATE) 07849 { 07850 if(!rsbac_net_template_exist(tid.nettemp)) 07851 return FALSE; 07852 if( !rsbac_list_lol_get_subdata(nettemp_nt_handle, 07853 &tid.nettemp, 07854 &desc, 07855 &i_rights) 07856 && (i_rights & i_rvec) 07857 ) 07858 { 07859 *result = TRUE; 07860 return 0; 07861 } 07862 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER 07863 if(right != ACLR_SUPERVISOR) 07864 #endif 07865 { 07866 rsbac_acl_rights_vector_t mask; 07867 07868 /* get mask to filter through */ 07869 if( !rsbac_list_lol_get_data(nettemp_nt_handle, 07870 &tid.nettemp, 07871 &mask) 07872 && !(mask & i_rvec) 07873 ) 07874 { 07875 *result = FALSE; 07876 return 0; 07877 } 07878 } 07879 } 07880 07881 /* no inheritance possible -> try default acl */ 07882 if( !rsbac_list_get_data(default_nettemp_nt_handle, 07883 &desc, 07884 &i_rights) 07885 && (i_rights & i_rvec) 07886 ) 07887 { 07888 *result = TRUE; 07889 } 07890 else 07891 { 07892 if(default_nettemp_nt_rights & i_rvec) 07893 *result = TRUE; 07894 else 07895 *result = FALSE; 07896 } 07897 return 0; 07898 07899 case T_NETOBJ: 07900 /* 07901 #ifdef CONFIG_RSBAC_DEBUG 07902 if (rsbac_debug_ds_acl) 07903 printk(KERN_DEBUG "rsbac_acl_get_single_right(): Getting right for netobj %p\n", 07904 tid.netobj.sock_p); 07905 #endif 07906 */ 07907 if(!tid.netobj.sock_p) 07908 { 07909 if(!rsbac_list_get_data(default_netobj_handle, &desc, &i_rights)) 07910 { 07911 if(i_rights & i_rvec) 07912 { 07913 *result = TRUE; 07914 return 0; 07915 } 07916 else 07917 { 07918 *result = FALSE; 07919 return 0; 07920 } 07921 } 07922 else 07923 { 07924 if(default_netobj_rights & i_rvec) 07925 { 07926 *result = TRUE; 07927 return 0; 07928 } 07929 else 07930 { 07931 *result = FALSE; 07932 return 0; 07933 } 07934 } 07935 } 07936 07937 if( !rsbac_list_lol_get_subdata(netobj_handle, 07938 &tid.netobj.sock_p, 07939 &desc, 07940 &i_rights) 07941 && (i_rights & i_rvec) 07942 ) 07943 { 07944 *result = TRUE; 07945 return 0; 07946 } 07947 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER 07948 if(right != ACLR_SUPERVISOR) 07949 #endif 07950 { 07951 rsbac_acl_rights_vector_t mask; 07952 07953 /* get mask to filter through */ 07954 if( !rsbac_list_lol_get_data(netobj_handle, 07955 &tid.netobj.sock_p, 07956 &mask) 07957 && !(mask & i_rvec) 07958 ) 07959 { 07960 *result = FALSE; 07961 return 0; 07962 } 07963 } 07964 /* Try net template */ 07965 { 07966 rsbac_net_temp_id_t temp = 0; 07967 07968 if(rsbac_net_remote_request(right)) 07969 rsbac_net_lookup_templates(tid.netobj, 07970 NULL, 07971 &temp); 07972 else 07973 rsbac_net_lookup_templates(tid.netobj, 07974 &temp, 07975 NULL); 07976 if( temp 07977 && !rsbac_list_lol_get_subdata(nettemp_handle, 07978 &temp, 07979 &desc, 07980 &i_rights) 07981 && (i_rights & i_rvec) 07982 ) 07983 { 07984 *result = TRUE; 07985 return 0; 07986 } 07987 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER 07988 if(right != ACLR_SUPERVISOR) 07989 #endif 07990 { 07991 rsbac_acl_rights_vector_t mask; 07992 07993 /* get mask from template to filter through */ 07994 if( !rsbac_list_lol_get_data(nettemp_handle, 07995 &temp, 07996 &mask) 07997 && !(mask & i_rvec) 07998 ) 07999 { 08000 *result = FALSE; 08001 return 0; 08002 } 08003 } 08004 } 08005 08006 /* no inheritance possible -> try default acl */ 08007 if( !rsbac_list_get_data(default_netobj_handle, 08008 &desc, 08009 &i_rights) 08010 && (i_rights & i_rvec) 08011 ) 08012 { 08013 *result = TRUE; 08014 } 08015 else 08016 { 08017 if(default_netobj_rights & i_rvec) 08018 *result = TRUE; 08019 else 08020 *result = FALSE; 08021 } 08022 return 0; 08023 #endif /* NET_OBJ_PROT */ 08024 08025 default: 08026 return -RSBAC_EINVALIDTARGET; 08027 } 08028 } 08029 08030 /************************************************* 08031 * rsbac_acl_get_tlist 08032 * Get subjects from ACL entries for given target. 08033 */ 08034 08035 int rsbac_acl_get_tlist (enum rsbac_target_t target, 08036 union rsbac_target_id_t tid, 08037 struct rsbac_acl_entry_t ** entry_pp, 08038 rsbac_time_t ** ttl_pp) 08039 { 08040 int count = 0; 08041 int list_no; 08042 struct rsbac_acl_device_list_item_t * device_p; 08043 u_long dflags; 08044 08045 if (!rsbac_is_initialized()) 08046 { 08047 printk(KERN_WARNING "rsbac_acl_get_tlist(): RSBAC not initialized\n"); 08048 return(-RSBAC_ENOTINITIALIZED); 08049 } 08050 if (!entry_pp) 08051 return(-RSBAC_EINVALIDPOINTER); 08052 #ifdef CONFIG_RSBAC_DEBUG 08053 if (in_interrupt()) 08054 { 08055 #ifdef CONFIG_RSBAC_RMSG 08056 rsbac_printk(KERN_WARNING "rsbac_acl_get_tlist(): called from interrupt!\n"); 08057 #endif 08058 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 08059 if (!rsbac_nosyslog) 08060 #endif 08061 printk(KERN_WARNING "rsbac_acl_get_tlist(): called from interrupt!\n"); 08062 } 08063 #endif 08064 switch (target) 08065 { 08066 case T_FD: 08067 case T_FILE: 08068 case T_DIR: 08069 case T_FIFO: 08070 case T_SYMLINK: 08071 /* 08072 #ifdef CONFIG_RSBAC_DEBUG 08073 if (rsbac_debug_ds_acl) 08074 printk(KERN_DEBUG "rsbac_acl_get_tlist(): Getting tlist for device %02u:%02u, inode %u\n", 08075 RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode); 08076 #endif 08077 */ 08078 /* default entry? */ 08079 if(RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode && !tid.file.dentry_p) 08080 return rsbac_list_get_all_items_ttl(default_fd_handle, 08081 (void **) entry_pp, 08082 ttl_pp); 08083 /* wait for read access to device_list_head */ 08084 rsbac_read_lock(&device_list_head.lock, &dflags); 08085 /* OK, go on */ 08086 /* lookup device */ 08087 device_p = acl_lookup_device(tid.file.device); 08088 if (!device_p) 08089 { 08090 /* trigger rsbac_mount() */ 08091 rsbac_read_unlock(&device_list_head.lock, &dflags); 08092 rsbac_get_super_block(tid.file.device); 08093 /* retry */ 08094 rsbac_read_lock(&device_list_head.lock, &dflags); 08095 device_p = acl_lookup_device(tid.file.device); 08096 if(!device_p) 08097 { 08098 #ifdef CONFIG_RSBAC_RMSG 08099 rsbac_printk(KERN_WARNING 08100 "rsbac_acl_get_tlist(): Could not lookup device!\n"); 08101 #endif 08102 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 08103 if (!rsbac_nosyslog) 08104 #endif 08105 printk(KERN_WARNING 08106 "rsbac_acl_get_tlist(): Could not lookup device!\n"); 08107 /* free read lock */ 08108 rsbac_read_unlock(&device_list_head.lock, &dflags); 08109 return(-RSBAC_EINVALIDDEV); 08110 } 08111 } 08112 /* protect this list */ 08113 list_no = fd_hash(tid.file.inode); 08114 count = rsbac_list_lol_get_all_subitems_ttl(device_p->handles[list_no], 08115 &tid.file.inode, 08116 (void **) entry_pp, 08117 ttl_pp); 08118 rsbac_read_unlock(&device_list_head.lock, &dflags); 08119 /* ready. */ 08120 return count; 08121 08122 case T_DEV: 08123 /* 08124 #ifdef CONFIG_RSBAC_DEBUG 08125 if (rsbac_debug_ds_acl) 08126 printk(KERN_DEBUG "rsbac_acl_get_tlist(): Getting tlist for dev %c %02u:%02u\n", 08127 'B'+tid.dev.type, 08128 RSBAC_MAJOR(tid.dev.id), 08129 RSBAC_MINOR(tid.dev.id)); 08130 #endif 08131 */ 08132 if((tid.dev.type == D_none) && RSBAC_IS_ZERO_DEV(tid.dev.id)) 08133 return rsbac_list_get_all_items_ttl(default_dev_handle, 08134 (void **) entry_pp, 08135 ttl_pp); 08136 else 08137 { 08138 struct rsbac_dev_desc_t dev_desc; 08139 08140 dev_desc.type = tid.dev.type; 08141 dev_desc.major = RSBAC_MAJOR(tid.dev.id); 08142 dev_desc.minor = RSBAC_MINOR(tid.dev.id); 08143 return rsbac_list_lol_get_all_subitems_ttl(dev_handle, 08144 &dev_desc, 08145 (void **) entry_pp, 08146 ttl_pp); 08147 } 08148 08149 case T_IPC: 08150 /* 08151 #ifdef CONFIG_RSBAC_DEBUG 08152 if (rsbac_debug_ds_acl) 08153 printk(KERN_DEBUG "rsbac_acl_get_tlist(): Getting tlist for IPC type %u\n", 08154 tid.ipc.type); 08155 #endif 08156 */ 08157 /* default entry */ 08158 return rsbac_list_get_all_items_ttl(default_ipc_handle, 08159 (void **) entry_pp, 08160 ttl_pp); 08161 08162 case T_SCD: 08163 /* 08164 #ifdef CONFIG_RSBAC_DEBUG 08165 if (rsbac_debug_ds_acl) 08166 { 08167 char tmp[80]; 08168 08169 printk(KERN_DEBUG "rsbac_acl_get_tlist(): Getting tlist for SCD %s\n", 08170 get_acl_scd_type_name(tmp, tid.scd)); 08171 } 08172 #endif 08173 */ 08174 if( (tid.scd == AST_none) 08175 || (tid.scd == ST_none) 08176 ) 08177 return rsbac_list_get_all_items_ttl(default_scd_handle, 08178 (void **) entry_pp, 08179 ttl_pp); 08180 else 08181 return rsbac_list_lol_get_all_subitems_ttl(scd_handle, 08182 &tid.scd, 08183 (void **) entry_pp, 08184 ttl_pp); 08185 08186 case T_USER: 08187 /* 08188 #ifdef CONFIG_RSBAC_DEBUG 08189 if (rsbac_debug_ds_acl) 08190 printk(KERN_DEBUG "rsbac_acl_get_tlist(): Getting tlist for pid %u\n", 08191 tid.process); 08192 #endif 08193 */ 08194 /* default entry */ 08195 return rsbac_list_get_all_items_ttl(default_u_handle, 08196 (void **) entry_pp, 08197 ttl_pp); 08198 08199 case T_PROCESS: 08200 /* 08201 #ifdef CONFIG_RSBAC_DEBUG 08202 if (rsbac_debug_ds_acl) 08203 printk(KERN_DEBUG "rsbac_acl_get_tlist(): Getting tlist for pid %u\n", 08204 tid.process); 08205 #endif 08206 */ 08207 /* default entry */ 08208 return rsbac_list_get_all_items_ttl(default_p_handle, 08209 (void **) entry_pp, 08210 ttl_pp); 08211 08212 #if defined(CONFIG_RSBAC_ACL_NET_DEV_PROT) 08213 case T_NETDEV: 08214 /* 08215 #ifdef CONFIG_RSBAC_DEBUG 08216 if (rsbac_debug_ds_acl) 08217 printk(KERN_DEBUG "rsbac_acl_get_tlist(): Getting tlist for netdev %s\n", 08218 tid.netdev); 08219 #endif 08220 */ 08221 if(!tid.netdev[0]) 08222 return rsbac_list_get_all_items_ttl(default_netdev_handle, 08223 (void **) entry_pp, 08224 ttl_pp); 08225 else 08226 return rsbac_list_lol_get_all_subitems_ttl(netdev_handle, 08227 &tid.netdev, 08228 (void **) entry_pp, 08229 ttl_pp); 08230 #endif 08231 08232 #if defined(CONFIG_RSBAC_ACL_NET_OBJ_PROT) 08233 case T_NETTEMP_NT: 08234 /* 08235 #ifdef CONFIG_RSBAC_DEBUG 08236 if (rsbac_debug_ds_acl) 08237 printk(KERN_DEBUG "rsbac_acl_get_tlist(): Getting tlist for nettemp_nt %u\n", 08238 tid.nettemp); 08239 #endif 08240 */ 08241 if(!tid.nettemp) 08242 return rsbac_list_get_all_items_ttl(default_nettemp_nt_handle, 08243 (void **) entry_pp, 08244 ttl_pp); 08245 if(!rsbac_net_template_exist(tid.nettemp)) 08246 return -RSBAC_EINVALIDTARGET; 08247 return rsbac_list_lol_get_all_subitems_ttl(nettemp_nt_handle, 08248 &tid.nettemp, 08249 (void **) entry_pp, 08250 ttl_pp); 08251 08252 case T_NETTEMP: 08253 /* 08254 #ifdef CONFIG_RSBAC_DEBUG 08255 if (rsbac_debug_ds_acl) 08256 printk(KERN_DEBUG "rsbac_acl_get_tlist(): Getting tlist for nettemp %u\n", 08257 tid.nettemp); 08258 #endif 08259 */ 08260 if(!tid.nettemp) 08261 return -RSBAC_EINVALIDTARGET; 08262 if(!rsbac_net_template_exist(tid.nettemp)) 08263 return -RSBAC_EINVALIDTARGET; 08264 return rsbac_list_lol_get_all_subitems_ttl(nettemp_handle, 08265 &tid.nettemp, 08266 (void **) entry_pp, 08267 ttl_pp); 08268 08269 case T_NETOBJ: 08270 /* 08271 #ifdef CONFIG_RSBAC_DEBUG 08272 if (rsbac_debug_ds_acl) 08273 printk(KERN_DEBUG "rsbac_acl_get_tlist(): Getting tlist for netobj %p\n", 08274 tid.netobj.sock_p); 08275 #endif 08276 */ 08277 if(!tid.nettemp) 08278 return rsbac_list_get_all_items_ttl(default_netobj_handle, 08279 (void **) entry_pp, 08280 ttl_pp); 08281 else 08282 return rsbac_list_lol_get_all_subitems_ttl(netobj_handle, 08283 &tid.netobj.sock_p, 08284 (void **) entry_pp, 08285 ttl_pp); 08286 #endif /* NET_OBJ_PROT */ 08287 08288 default: 08289 return -RSBAC_EINVALIDTARGET; 08290 } 08291 } 08292 08293 /* Remove a subject from all acls (but not from group memberships, see remove_user) */ 08294 int rsbac_acl_remove_subject(struct rsbac_acl_entry_desc_t desc) 08295 { 08296 struct rsbac_acl_device_list_item_t * device_p; 08297 u_long dflags; 08298 u_int i; 08299 08300 if(desc.subj_type >= ACLS_NONE) 08301 return -RSBAC_EINVALIDVALUE; 08302 08303 /* remove from default ACLs */ 08304 rsbac_list_remove(default_fd_handle, &desc); 08305 rsbac_list_remove(default_dev_handle, &desc); 08306 rsbac_list_remove(default_ipc_handle, &desc); 08307 rsbac_list_remove(default_scd_handle, &desc); 08308 rsbac_list_remove(default_u_handle, &desc); 08309 rsbac_list_remove(default_p_handle, &desc); 08310 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 08311 rsbac_list_remove(default_netdev_handle, &desc); 08312 #endif 08313 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 08314 rsbac_list_remove(default_nettemp_nt_handle, &desc); 08315 rsbac_list_remove(default_netobj_handle, &desc); 08316 #endif 08317 08318 /* protect device list */ 08319 rsbac_read_lock(&device_list_head.lock, &dflags); 08320 device_p = device_list_head.head; 08321 while(device_p) 08322 { 08323 for(i=0; i<RSBAC_ACL_NR_FD_LISTS; i++) 08324 { 08325 rsbac_list_lol_subremove_from_all(device_p->handles[i], 08326 &desc); 08327 } 08328 device_p = device_p->next; 08329 } 08330 /* unprotect device list */ 08331 rsbac_read_unlock(&device_list_head.lock, &dflags); 08332 08333 /* dev list */ 08334 rsbac_list_lol_subremove_from_all(dev_handle, 08335 &desc); 08336 08337 /* scd list */ 08338 rsbac_list_lol_subremove_from_all(scd_handle, 08339 &desc); 08340 08341 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 08342 /* netdev list */ 08343 rsbac_list_lol_subremove_from_all(netdev_handle, 08344 &desc); 08345 #endif 08346 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 08347 rsbac_list_lol_subremove_from_all(nettemp_nt_handle, 08348 &desc); 08349 rsbac_list_lol_subremove_from_all(nettemp_handle, 08350 &desc); 08351 rsbac_list_lol_subremove_from_all(netobj_handle, 08352 &desc); 08353 #endif 08354 08355 return 0; 08356 } 08357 08358 /* add a group with new id and fill this id into *group_id_p */ 08359 /* if old content of group_id_p is 0, make new id, else try given id */ 08360 int rsbac_acl_add_group(rsbac_uid_t owner, enum rsbac_acl_group_type_t type, char * name, 08361 rsbac_acl_group_id_t * group_id_p) 08362 { 08363 struct rsbac_acl_group_entry_t entry; 08364 int err=0; 08365 08366 if(type >= ACLG_NONE) 08367 return -RSBAC_EINVALIDVALUE; 08368 if(!name || !group_id_p) 08369 return -RSBAC_EINVALIDPOINTER; 08370 if(!name[0]) 08371 return -RSBAC_EINVALIDVALUE; 08372 entry.owner = owner; 08373 entry.type = type; 08374 strncpy(entry.name, name, RSBAC_ACL_GROUP_NAMELEN-1); 08375 entry.name[RSBAC_ACL_GROUP_NAMELEN-1] = 0; 08376 if(!*group_id_p) 08377 { 08378 /* step new group counter */ 08379 group_last_new++; 08380 /* Just in case the counter has wrapped. It is almost impossible that all IDs are in use. */ 08381 while(!group_last_new || rsbac_list_exist(group_handle, &group_last_new)) 08382 group_last_new++; 08383 08384 entry.id = group_last_new; 08385 } 08386 else 08387 { 08388 if(rsbac_list_exist(group_handle, group_id_p)) 08389 { 08390 return(-RSBAC_EEXISTS); 08391 } 08392 else 08393 entry.id = *group_id_p; 08394 } 08395 if(rsbac_list_add(group_handle, &entry.id, &entry)) 08396 err = -RSBAC_ECOULDNOTADDITEM; 08397 else 08398 { 08399 *group_id_p = entry.id; 08400 } 08401 return(err); 08402 } 08403 08404 int rsbac_acl_change_group( rsbac_acl_group_id_t id, 08405 rsbac_uid_t owner, 08406 enum rsbac_acl_group_type_t type, 08407 char * name) 08408 { 08409 struct rsbac_acl_group_entry_t entry; 08410 08411 if(!id) 08412 return -RSBAC_EINVALIDVALUE; 08413 if(!rsbac_list_exist(group_handle, &id)) 08414 return(-RSBAC_ENOTFOUND); 08415 if(!name) 08416 return -RSBAC_EINVALIDPOINTER; 08417 if(!name[0]) 08418 return -RSBAC_EINVALIDVALUE; 08419 entry.id = id; 08420 entry.owner = owner; 08421 entry.type = type; 08422 strncpy(entry.name, name, RSBAC_ACL_GROUP_NAMELEN); 08423 entry.name[RSBAC_ACL_GROUP_NAMELEN-1] = 0; 08424 return rsbac_list_add(group_handle, &entry.id, &entry); 08425 } 08426 08427 int rsbac_acl_remove_group(rsbac_acl_group_id_t id) 08428 { 08429 int err=0; 08430 08431 if(!id) 08432 return -RSBAC_EINVALIDVALUE; 08433 08434 err = rsbac_list_remove(group_handle, &id); 08435 if(!err) 08436 { 08437 struct rsbac_acl_entry_desc_t desc; 08438 08439 /* cleanup group memberships */ 08440 rsbac_list_lol_subremove_from_all(gm_handle, 08441 &id); 08442 desc.subj_type = ACLS_GROUP; 08443 desc.subj_id = id; 08444 err = rsbac_acl_remove_subject(desc); 08445 } 08446 return(err); 08447 } 08448 08449 int rsbac_acl_get_group_entry(rsbac_acl_group_id_t group, struct rsbac_acl_group_entry_t * entry_p) 08450 { 08451 if(!group) 08452 return -RSBAC_EINVALIDVALUE; 08453 if(!entry_p) 08454 return -RSBAC_EINVALIDPOINTER; 08455 return rsbac_list_get_data(group_handle, &group, entry_p); 08456 } 08457 08458 int rsbac_acl_list_groups(rsbac_uid_t owner, 08459 boolean include_global, 08460 struct rsbac_acl_group_entry_t ** entry_pp) 08461 { 08462 long count; 08463 struct rsbac_acl_group_entry_t * local_entry_p; 08464 08465 if(!entry_pp) 08466 return -RSBAC_EINVALIDPOINTER; 08467 count = rsbac_list_get_all_data(group_handle, (void **) &local_entry_p); 08468 if(count > 0) 08469 { 08470 long i; 08471 long rescount = 0; 08472 08473 *entry_pp = rsbac_vmalloc(count * sizeof(**entry_pp)); 08474 if(!*entry_pp) 08475 { 08476 rsbac_vfree(local_entry_p); 08477 return -RSBAC_ENOMEM; 08478 } 08479 for(i=0; i<count; i++) 08480 { 08481 if( (local_entry_p[i].owner == owner) 08482 || ( include_global 08483 && (local_entry_p[i].type == ACLG_GLOBAL) 08484 ) 08485 ) 08486 { 08487 memcpy(&(*entry_pp)[rescount], &local_entry_p[i], sizeof(local_entry_p[i])); 08488 rescount++; 08489 } 08490 } 08491 rsbac_vfree(local_entry_p); 08492 count = rescount; 08493 } 08494 return count; 08495 } 08496 08497 /* check group existence */ 08498 boolean rsbac_acl_group_exist(rsbac_acl_group_id_t group) 08499 { 08500 if(!group) 08501 return TRUE; 08502 return rsbac_list_exist(group_handle, &group); 08503 } 08504 08505 int rsbac_acl_add_group_member(rsbac_acl_group_id_t group, rsbac_uid_t user, rsbac_time_t ttl) 08506 { 08507 int err=0; 08508 08509 if(!group) 08510 return -RSBAC_EINVALIDVALUE; 08511 if(!rsbac_list_exist(group_handle, &group)) 08512 return -RSBAC_EINVALIDVALUE; 08513 08514 if(!rsbac_list_lol_exist(gm_handle, &user)) 08515 { 08516 err = rsbac_list_lol_add(gm_handle, &user, NULL); 08517 if(err) 08518 return err; 08519 } 08520 return rsbac_list_lol_subadd_ttl(gm_handle, ttl, &user, &group, NULL); 08521 } 08522 08523 int rsbac_acl_remove_group_member(rsbac_acl_group_id_t group, rsbac_uid_t user) 08524 { 08525 int err; 08526 08527 if(!group) 08528 return -RSBAC_EINVALIDVALUE; 08529 if(!rsbac_list_exist(group_handle, &group)) 08530 return -RSBAC_EINVALIDVALUE; 08531 08532 err = rsbac_list_lol_subremove(gm_handle, &user, &group); 08533 /* cleanup empty gm items */ 08534 if( !err 08535 && !rsbac_list_lol_subcount(gm_handle, &user) 08536 ) 08537 err = rsbac_list_lol_remove(gm_handle, &user); 08538 08539 return err; 08540 } 08541 08542 /* check membership */ 08543 boolean rsbac_acl_group_member(rsbac_acl_group_id_t group, rsbac_uid_t user) 08544 { 08545 return rsbac_list_lol_subexist(gm_handle, &user, &group); 08546 } 08547 08548 /* build vmalloc'd array of all group memberships of the given user */ 08549 /* returns number of groups or negative error */ 08550 /* Attention: memory deallocation with rsbac_vfree (if result > 0) must be done by caller! */ 08551 int rsbac_acl_get_user_groups(rsbac_uid_t user, 08552 rsbac_acl_group_id_t ** group_pp, 08553 rsbac_time_t ** ttl_pp) 08554 { 08555 return rsbac_list_lol_get_all_subdesc_ttl(gm_handle, 08556 &user, 08557 (void **) group_pp, 08558 ttl_pp); 08559 } 08560 08561 /* Returns number of members or negative error */ 08562 int rsbac_acl_get_group_members(rsbac_acl_group_id_t group, 08563 rsbac_uid_t user_array[], 08564 rsbac_time_t ttl_array[], 08565 int maxnum) 08566 { 08567 long desc_count; 08568 long i; 08569 rsbac_uid_t * user_p; 08570 int err = 0; 08571 08572 if(!group || (maxnum <= 0)) 08573 return -RSBAC_EINVALIDVALUE; 08574 if(!rsbac_list_exist(group_handle, &group)) 08575 return -RSBAC_EINVALIDVALUE; 08576 if(!user_array) 08577 return -RSBAC_EINVALIDPOINTER; 08578 08579 /* traverse group memberships */ 08580 desc_count = rsbac_list_lol_get_all_desc(gm_handle, (void **) &user_p); 08581 if(desc_count > 0) 08582 { 08583 rsbac_time_t ttl; 08584 08585 for(i=0; i<desc_count; i++) 08586 { 08587 if(!rsbac_list_lol_get_subdata_ttl(gm_handle, &ttl, &user_p[i], &group, NULL)) 08588 { 08589 user_array[err] = user_p[i]; 08590 if(ttl_array) 08591 ttl_array[err] = ttl; 08592 err++; 08593 if(err >= maxnum) 08594 break; 08595 } 08596 } 08597 rsbac_vfree(user_p); 08598 } 08599 return(err); 08600 } 08601 08602 /********************************************/ 08603 /* remove user from all groups and all ACLs */ 08604 int rsbac_acl_remove_user(rsbac_uid_t user) 08605 { 08606 u_long i; 08607 struct rsbac_acl_group_entry_t * entry_p; 08608 long desc_count; 08609 struct rsbac_acl_entry_desc_t desc; 08610 08611 rsbac_list_lol_remove(gm_handle, &user); 08612 /* traverse groups for this owner */ 08613 desc_count = rsbac_list_get_all_data(group_handle, (void **) &entry_p); 08614 if(desc_count > 0) 08615 { 08616 for(i=0; i<desc_count; i++) 08617 { 08618 if(entry_p[i].owner == user) 08619 { 08620 rsbac_list_remove(group_handle, &entry_p[i].id); 08621 /* cleanup group memberships */ 08622 rsbac_list_lol_subremove_from_all(gm_handle, 08623 &entry_p[i].id); 08624 } 08625 } 08626 rsbac_vfree(entry_p); 08627 } 08628 08629 desc.subj_type = ACLS_USER; 08630 desc.subj_id = user; 08631 08632 return rsbac_acl_remove_subject(desc); 08633 } 08634 08635 /* end of acl_data_structures.c */

Generated on Tue Aug 31 10:05:25 2004 for RSBAC by doxygen 1.3.8