/daten/src/linux-2.4.27-rsbac-v1.2.3/rsbac/adf/rc/rc_syscalls.c

Go to the documentation of this file.
00001 /*************************************************** */ 00002 /* Rule Set Based Access Control */ 00003 /* Implementation of the Access Control Decision */ 00004 /* Facility (ADF) - Role Compatibility */ 00005 /* File: rsbac/adf/rc/syscalls.c */ 00006 /* */ 00007 /* Author and (c) 1999-2004: Amon Ott <ao@rsbac.org> */ 00008 /* */ 00009 /* Last modified: 11/Mar/2004 */ 00010 /*************************************************** */ 00011 00012 #include <linux/string.h> 00013 #include <rsbac/types.h> 00014 #include <rsbac/aci.h> 00015 #include <rsbac/rc.h> 00016 #include <rsbac/adf_main.h> 00017 #include <rsbac/error.h> 00018 #include <rsbac/debug.h> 00019 #include <rsbac/helpers.h> 00020 #include <rsbac/getname.h> 00021 #include <rsbac/rc_getname.h> 00022 00023 /************************************************* */ 00024 /* Global Variables */ 00025 /************************************************* */ 00026 00027 /************************************************* */ 00028 /* Declarations */ 00029 /************************************************* */ 00030 00031 #if !defined(CONFIG_RSBAC_MAINT) 00032 /* from rsbac/adf/rc/main.c */ 00033 int rsbac_rc_test_role_admin(boolean modify); 00034 00035 int rsbac_rc_test_admin_roles(rsbac_rc_role_id_t t_role, boolean modify); 00036 00037 enum rsbac_adf_req_ret_t 00038 rsbac_rc_check_type_comp(enum rsbac_target_t target, 00039 rsbac_rc_type_id_t type, 00040 enum rsbac_adf_request_t request, 00041 rsbac_pid_t caller_pid); 00042 #endif 00043 00044 /************************************************* */ 00045 /* Internal Help functions */ 00046 /************************************************* */ 00047 00048 /************************************************* */ 00049 /* Externally visible functions */ 00050 /************************************************* */ 00051 00052 /* Here we only check access rights and pass on to rc_data_structures */ 00053 00054 /* All roles are always there, so instead of creation, we supply a copy for */ 00055 /* initialization. There is always the well-defined role general to copy. */ 00056 int rsbac_rc_sys_copy_role (rsbac_rc_role_id_t from_role, 00057 rsbac_rc_role_id_t to_role) 00058 { 00059 #if !defined(CONFIG_RSBAC_MAINT) 00060 #ifdef CONFIG_RSBAC_SWITCH 00061 if(rsbac_switch_rc) 00062 #endif 00063 { 00064 int err; 00065 /* test admin_roles of process for source / no modify */ 00066 if ( (err=rsbac_rc_test_admin_roles(from_role, FALSE)) 00067 && rsbac_rc_test_role_admin(FALSE) 00068 ) 00069 { 00070 if(err == -EPERM) 00071 { 00072 rsbac_uid_t user; 00073 00074 if(!rsbac_get_owner(&user)) 00075 { 00076 #ifdef CONFIG_RSBAC_RMSG 00077 rsbac_printk(KERN_INFO 00078 "rsbac_rc_sys_copy_role(): reading role %u denied for pid %u, user %u - not in admin_roles!\n", 00079 from_role, 00080 current->pid, 00081 user); 00082 #endif 00083 #ifndef CONFIG_RSBAC_RMSG_EXCL 00084 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00085 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00086 if (!rsbac_nosyslog) 00087 #endif 00088 printk(KERN_INFO 00089 "rsbac_rc_sys_copy_role(): reading role %u denied for pid %u, user %u - not in admin_roles!\n", 00090 from_role, 00091 current->pid, 00092 user); 00093 #endif 00094 } 00095 #ifdef CONFIG_RSBAC_SOFTMODE 00096 if( !rsbac_softmode 00097 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00098 && !rsbac_ind_softmode[RC] 00099 #endif 00100 ) 00101 #endif 00102 return err; 00103 } 00104 else 00105 return err; 00106 } 00107 /* test admin_roles of process for target / modify */ 00108 if ( (err=rsbac_rc_test_admin_roles(to_role, TRUE)) 00109 && rsbac_rc_test_role_admin(TRUE) 00110 ) 00111 { 00112 if(err == -EPERM) 00113 { 00114 rsbac_uid_t user; 00115 00116 if(!rsbac_get_owner(&user)) 00117 { 00118 #ifdef CONFIG_RSBAC_RMSG 00119 rsbac_printk(KERN_INFO 00120 "rsbac_rc_sys_copy_role(): changing role %u denied for pid %u, user %u - not in admin_roles!\n", 00121 to_role, 00122 current->pid, 00123 user); 00124 #endif 00125 #ifndef CONFIG_RSBAC_RMSG_EXCL 00126 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00127 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00128 if (!rsbac_nosyslog) 00129 #endif 00130 printk(KERN_INFO 00131 "rsbac_rc_sys_copy_role(): changing role %u denied for pid %u, user %u - not in admin_roles!\n", 00132 to_role, 00133 current->pid, 00134 user); 00135 #endif 00136 } 00137 #ifdef CONFIG_RSBAC_SOFTMODE 00138 if( !rsbac_softmode 00139 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00140 && !rsbac_ind_softmode[RC] 00141 #endif 00142 ) 00143 #endif 00144 return err; 00145 } 00146 else 00147 return err; 00148 } 00149 } 00150 #endif /* !MAINT */ 00151 00152 /* pass on */ 00153 return(rsbac_rc_copy_role(from_role, to_role)); 00154 }; 00155 00156 /* Getting values */ 00157 int rsbac_rc_sys_get_item (enum rsbac_rc_target_t target, 00158 union rsbac_rc_target_id_t tid, 00159 union rsbac_rc_target_id_t subtid, 00160 enum rsbac_rc_item_t item, 00161 union rsbac_rc_item_value_t * value_p, 00162 rsbac_time_t * ttl_p) 00163 { 00164 #if !defined(CONFIG_RSBAC_MAINT) 00165 #ifdef CONFIG_RSBAC_SWITCH 00166 if(rsbac_switch_rc) 00167 #endif 00168 { 00169 int err; 00170 00171 switch(item) 00172 { 00173 case RI_name: 00174 case RI_type_fd_name: 00175 case RI_type_dev_name: 00176 case RI_type_ipc_name: 00177 case RI_type_user_name: 00178 case RI_type_process_name: 00179 case RI_type_scd_name: 00180 case RI_type_netdev_name: 00181 case RI_type_nettemp_name: 00182 case RI_type_netobj_name: 00183 /* getting names is always allowed */ 00184 break; 00185 00186 case RI_type_fd_need_secdel: 00187 if(target != RT_TYPE) 00188 return -RSBAC_EINVALIDTARGET; 00189 if( (err=rsbac_rc_check_type_comp(T_FILE, tid.type, RCR_ADMIN, 0)) 00190 && (err=rsbac_rc_test_role_admin(FALSE)) 00191 ) 00192 { 00193 if(err == -EPERM) 00194 { 00195 rsbac_uid_t user; 00196 00197 if(!rsbac_get_owner(&user)) 00198 { 00199 #ifdef CONFIG_RSBAC_RMSG 00200 rsbac_printk(KERN_INFO 00201 "rsbac_rc_sys_get_item(): reading fd_need_secdel of type %u denied for pid %u, user %u - no ADMIN right!\n", 00202 tid.type, 00203 current->pid, 00204 user); 00205 #endif 00206 #ifndef CONFIG_RSBAC_RMSG_EXCL 00207 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00208 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00209 if (!rsbac_nosyslog) 00210 #endif 00211 printk(KERN_INFO 00212 "rsbac_rc_sys_get_item(): reading fd_need_secdel of type %u denied for pid %u, user %u - no ADMIN right!\n", 00213 tid.type, 00214 current->pid, 00215 user); 00216 #endif 00217 } 00218 #ifdef CONFIG_RSBAC_SOFTMODE 00219 if( !rsbac_softmode 00220 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00221 && !rsbac_ind_softmode[RC] 00222 #endif 00223 ) 00224 #endif 00225 return err; 00226 } 00227 else 00228 return err; 00229 } 00230 break; 00231 00232 default: 00233 if(target != RT_ROLE) 00234 return -RSBAC_EINVALIDATTR; 00235 /* test admin_roles or admin_type of process' role / no modify */ 00236 if ( (err=rsbac_rc_test_admin_roles(tid.role, FALSE)) 00237 && (err=rsbac_rc_test_role_admin(FALSE)) 00238 ) 00239 { 00240 if(err == -EPERM) 00241 { 00242 rsbac_uid_t user; 00243 00244 if(!rsbac_get_owner(&user)) 00245 { 00246 #ifdef CONFIG_RSBAC_RMSG 00247 rsbac_printk(KERN_INFO 00248 "rsbac_rc_sys_get_item(): getting item of role %u denied for pid %u, user %u - not in admin_roles!\n", 00249 tid.role, 00250 current->pid, 00251 user); 00252 #endif 00253 #ifndef CONFIG_RSBAC_RMSG_EXCL 00254 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00255 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00256 if (!rsbac_nosyslog) 00257 #endif 00258 printk(KERN_INFO 00259 "rsbac_rc_sys_get_item(): getting item of role %u denied for pid %u, user %u - not in admin_roles!\n", 00260 tid.role, 00261 current->pid, 00262 user); 00263 #endif 00264 } 00265 #ifdef CONFIG_RSBAC_SOFTMODE 00266 if( !rsbac_softmode 00267 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00268 && !rsbac_ind_softmode[RC] 00269 #endif 00270 ) 00271 #endif 00272 return err; 00273 } 00274 else 00275 return err; 00276 } 00277 } 00278 } 00279 #endif /* !MAINT */ 00280 00281 /* pass on */ 00282 return(rsbac_rc_get_item(target, tid, subtid, item, value_p, ttl_p)); 00283 }; 00284 00285 /* Setting values */ 00286 int rsbac_rc_sys_set_item (enum rsbac_rc_target_t target, 00287 union rsbac_rc_target_id_t tid, 00288 union rsbac_rc_target_id_t subtid, 00289 enum rsbac_rc_item_t item, 00290 union rsbac_rc_item_value_t value, 00291 rsbac_time_t ttl) 00292 { 00293 #if !defined(CONFIG_RSBAC_MAINT) 00294 #ifdef CONFIG_RSBAC_SWITCH 00295 if(rsbac_switch_rc) 00296 #endif 00297 { 00298 int err; 00299 00300 switch(item) 00301 { 00302 /* type targets */ 00303 case RI_type_fd_name: 00304 case RI_type_fd_need_secdel: 00305 case RI_type_fd_remove: 00306 if(target != RT_TYPE) 00307 return -RSBAC_EINVALIDTARGET; 00308 if( (rsbac_rc_check_type_comp(T_FILE, tid.type, RCR_ADMIN, 0) == NOT_GRANTED) 00309 && (err=rsbac_rc_test_role_admin(TRUE)) 00310 ) 00311 { 00312 if(err == -EPERM) 00313 { 00314 rsbac_uid_t user; 00315 char tmp[80]; 00316 00317 if(!rsbac_get_owner(&user)) 00318 { 00319 #ifdef CONFIG_RSBAC_RMSG 00320 rsbac_printk(KERN_INFO 00321 "rsbac_rc_sys_set_item(): changing %s of FD type %u denied for pid %u, user %u - no ADMIN right!\n", 00322 get_rc_item_name(tmp, item), 00323 tid.type, 00324 current->pid, 00325 user); 00326 #endif 00327 #ifndef CONFIG_RSBAC_RMSG_EXCL 00328 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00329 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00330 if (!rsbac_nosyslog) 00331 #endif 00332 printk(KERN_INFO 00333 "rsbac_rc_sys_set_item(): changing %s of FD type %u denied for pid %u, user %u - no ADMIN right!\n", 00334 get_rc_item_name(tmp, item), 00335 tid.type, 00336 current->pid, 00337 user); 00338 #endif 00339 } 00340 #ifdef CONFIG_RSBAC_SOFTMODE 00341 if( !rsbac_softmode 00342 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00343 && !rsbac_ind_softmode[RC] 00344 #endif 00345 ) 00346 #endif 00347 return err; 00348 } 00349 else 00350 return err; 00351 } 00352 break; 00353 case RI_type_dev_name: 00354 case RI_type_dev_remove: 00355 if(target != RT_TYPE) 00356 return -RSBAC_EINVALIDTARGET; 00357 if( (rsbac_rc_check_type_comp(T_DEV, tid.type, RCR_ADMIN, 0) == NOT_GRANTED) 00358 && (err=rsbac_rc_test_role_admin(TRUE)) 00359 ) 00360 { 00361 if(err == -EPERM) 00362 { 00363 rsbac_uid_t user; 00364 00365 if(!rsbac_get_owner(&user)) 00366 { 00367 #ifdef CONFIG_RSBAC_RMSG 00368 rsbac_printk(KERN_INFO 00369 "rsbac_rc_sys_set_item(): changing name or removing of DEV type %u denied for pid %u, user %u - no ADMIN right!\n", 00370 tid.type, 00371 current->pid, 00372 user); 00373 #endif 00374 #ifndef CONFIG_RSBAC_RMSG_EXCL 00375 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00376 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00377 if (!rsbac_nosyslog) 00378 #endif 00379 printk(KERN_INFO 00380 "rsbac_rc_sys_set_item(): changing name or removing of DEV type %u denied for pid %u, user %u - no ADMIN right!\n", 00381 tid.type, 00382 current->pid, 00383 user); 00384 #endif 00385 } 00386 #ifdef CONFIG_RSBAC_SOFTMODE 00387 if( !rsbac_softmode 00388 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00389 && !rsbac_ind_softmode[RC] 00390 #endif 00391 ) 00392 #endif 00393 return err; 00394 } 00395 else 00396 return err; 00397 } 00398 break; 00399 case RI_type_ipc_name: 00400 case RI_type_ipc_remove: 00401 if(target != RT_TYPE) 00402 return -RSBAC_EINVALIDTARGET; 00403 if( (rsbac_rc_check_type_comp(T_IPC, tid.type, RCR_ADMIN, 0) == NOT_GRANTED) 00404 && (err=rsbac_rc_test_role_admin(TRUE)) 00405 ) 00406 { 00407 if(err == -EPERM) 00408 { 00409 rsbac_uid_t user; 00410 00411 if(!rsbac_get_owner(&user)) 00412 { 00413 #ifdef CONFIG_RSBAC_RMSG 00414 rsbac_printk(KERN_INFO 00415 "rsbac_rc_sys_set_item(): changing name or removing of IPC type %u denied for pid %u, user %u - no ADMIN right!\n", 00416 tid.type, 00417 current->pid, 00418 user); 00419 #endif 00420 #ifndef CONFIG_RSBAC_RMSG_EXCL 00421 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00422 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00423 if (!rsbac_nosyslog) 00424 #endif 00425 printk(KERN_INFO 00426 "rsbac_rc_sys_set_item(): changing name or removing of IPC type %u denied for pid %u, user %u - no ADMIN right!\n", 00427 tid.type, 00428 current->pid, 00429 user); 00430 #endif 00431 } 00432 #ifdef CONFIG_RSBAC_SOFTMODE 00433 if( !rsbac_softmode 00434 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00435 && !rsbac_ind_softmode[RC] 00436 #endif 00437 ) 00438 #endif 00439 return err; 00440 } 00441 else 00442 return err; 00443 } 00444 break; 00445 case RI_type_user_name: 00446 case RI_type_user_remove: 00447 if(target != RT_TYPE) 00448 return -RSBAC_EINVALIDTARGET; 00449 if( (rsbac_rc_check_type_comp(T_USER, tid.type, RCR_ADMIN, 0) == NOT_GRANTED) 00450 && (err=rsbac_rc_test_role_admin(TRUE)) 00451 ) 00452 { 00453 if(err == -EPERM) 00454 { 00455 rsbac_uid_t user; 00456 00457 if(!rsbac_get_owner(&user)) 00458 { 00459 #ifdef CONFIG_RSBAC_RMSG 00460 rsbac_printk(KERN_INFO 00461 "rsbac_rc_sys_set_item(): changing name or removing of USER type %u denied for pid %u, user %u - no ADMIN right!\n", 00462 tid.type, 00463 current->pid, 00464 user); 00465 #endif 00466 #ifndef CONFIG_RSBAC_RMSG_EXCL 00467 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00468 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00469 if (!rsbac_nosyslog) 00470 #endif 00471 printk(KERN_INFO 00472 "rsbac_rc_sys_set_item(): changing name or removing of USER type %u denied for pid %u, user %u - no ADMIN right!\n", 00473 tid.type, 00474 current->pid, 00475 user); 00476 #endif 00477 } 00478 #ifdef CONFIG_RSBAC_SOFTMODE 00479 if( !rsbac_softmode 00480 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00481 && !rsbac_ind_softmode[RC] 00482 #endif 00483 ) 00484 #endif 00485 return err; 00486 } 00487 else 00488 return err; 00489 } 00490 break; 00491 case RI_type_process_name: 00492 case RI_type_process_remove: 00493 if(target != RT_TYPE) 00494 return -RSBAC_EINVALIDTARGET; 00495 if( (rsbac_rc_check_type_comp(T_PROCESS, tid.type, RCR_ADMIN, 0) == NOT_GRANTED) 00496 && (err=rsbac_rc_test_role_admin(TRUE)) 00497 ) 00498 { 00499 if(err == -EPERM) 00500 { 00501 rsbac_uid_t user; 00502 00503 if(!rsbac_get_owner(&user)) 00504 { 00505 #ifdef CONFIG_RSBAC_RMSG 00506 rsbac_printk(KERN_INFO 00507 "rsbac_rc_sys_set_item(): changing name or removing of process type %u denied for pid %u, user %u - no ADMIN right!\n", 00508 tid.type, 00509 current->pid, 00510 user); 00511 #endif 00512 #ifndef CONFIG_RSBAC_RMSG_EXCL 00513 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00514 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00515 if (!rsbac_nosyslog) 00516 #endif 00517 printk(KERN_INFO 00518 "rsbac_rc_sys_set_item(): changing name or removing of process type %u denied for pid %u, user %u - no ADMIN right!\n", 00519 tid.type, 00520 current->pid, 00521 user); 00522 #endif 00523 } 00524 #ifdef CONFIG_RSBAC_SOFTMODE 00525 if( !rsbac_softmode 00526 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00527 && !rsbac_ind_softmode[RC] 00528 #endif 00529 ) 00530 #endif 00531 return err; 00532 } 00533 else 00534 return err; 00535 } 00536 break; 00537 case RI_type_scd_name: 00538 if(target != RT_TYPE) 00539 return -RSBAC_EINVALIDTARGET; 00540 if( (rsbac_rc_check_type_comp(T_SCD, tid.type, RCR_ADMIN, 0) == NOT_GRANTED) 00541 && (err=rsbac_rc_test_role_admin(TRUE)) 00542 ) 00543 { 00544 if(err == -EPERM) 00545 { 00546 rsbac_uid_t user; 00547 00548 if(!rsbac_get_owner(&user)) 00549 { 00550 #ifdef CONFIG_RSBAC_RMSG 00551 rsbac_printk(KERN_INFO 00552 "rsbac_rc_sys_set_item(): changing name or removing of SCD type %u denied for pid %u, user %u - no ADMIN right!\n", 00553 tid.type, 00554 current->pid, 00555 user); 00556 #endif 00557 #ifndef CONFIG_RSBAC_RMSG_EXCL 00558 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00559 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00560 if (!rsbac_nosyslog) 00561 #endif 00562 printk(KERN_INFO 00563 "rsbac_rc_sys_set_item(): changing name or removing of SCD type %u denied for pid %u, user %u - no ADMIN right!\n", 00564 tid.type, 00565 current->pid, 00566 user); 00567 #endif 00568 } 00569 #ifdef CONFIG_RSBAC_SOFTMODE 00570 if( !rsbac_softmode 00571 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00572 && !rsbac_ind_softmode[RC] 00573 #endif 00574 ) 00575 #endif 00576 return err; 00577 } 00578 else 00579 return err; 00580 } 00581 break; 00582 case RI_type_netdev_name: 00583 case RI_type_netdev_remove: 00584 if(target != RT_TYPE) 00585 return -RSBAC_EINVALIDTARGET; 00586 if( (rsbac_rc_check_type_comp(T_NETDEV, tid.type, RCR_ADMIN, 0) == NOT_GRANTED) 00587 && (err=rsbac_rc_test_role_admin(TRUE)) 00588 ) 00589 { 00590 if(err == -EPERM) 00591 { 00592 rsbac_uid_t user; 00593 00594 if(!rsbac_get_owner(&user)) 00595 { 00596 #ifdef CONFIG_RSBAC_RMSG 00597 rsbac_printk(KERN_INFO 00598 "rsbac_rc_sys_set_item(): changing name or removing of NETDEV type %u denied for pid %u, user %u - no ADMIN right!\n", 00599 tid.type, 00600 current->pid, 00601 user); 00602 #endif 00603 #ifndef CONFIG_RSBAC_RMSG_EXCL 00604 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00605 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00606 if (!rsbac_nosyslog) 00607 #endif 00608 printk(KERN_INFO 00609 "rsbac_rc_sys_set_item(): changing name or removing of NETDEV type %u denied for pid %u, user %u - no ADMIN right!\n", 00610 tid.type, 00611 current->pid, 00612 user); 00613 #endif 00614 } 00615 #ifdef CONFIG_RSBAC_SOFTMODE 00616 if( !rsbac_softmode 00617 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00618 && !rsbac_ind_softmode[RC] 00619 #endif 00620 ) 00621 #endif 00622 return err; 00623 } 00624 else 00625 return err; 00626 } 00627 break; 00628 case RI_type_nettemp_name: 00629 case RI_type_nettemp_remove: 00630 if(target != RT_TYPE) 00631 return -RSBAC_EINVALIDTARGET; 00632 if( (rsbac_rc_check_type_comp(T_NETTEMP, tid.type, RCR_ADMIN, 0) == NOT_GRANTED) 00633 && (err=rsbac_rc_test_role_admin(TRUE)) 00634 ) 00635 { 00636 if(err == -EPERM) 00637 { 00638 rsbac_uid_t user; 00639 00640 if(!rsbac_get_owner(&user)) 00641 { 00642 #ifdef CONFIG_RSBAC_RMSG 00643 rsbac_printk(KERN_INFO 00644 "rsbac_rc_sys_set_item(): changing name or removing of NETTEMP type %u denied for pid %u, user %u - no ADMIN right!\n", 00645 tid.type, 00646 current->pid, 00647 user); 00648 #endif 00649 #ifndef CONFIG_RSBAC_RMSG_EXCL 00650 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00651 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00652 if (!rsbac_nosyslog) 00653 #endif 00654 printk(KERN_INFO 00655 "rsbac_rc_sys_set_item(): changing name or removing of NETTEMP type %u denied for pid %u, user %u - no ADMIN right!\n", 00656 tid.type, 00657 current->pid, 00658 user); 00659 #endif 00660 } 00661 #ifdef CONFIG_RSBAC_SOFTMODE 00662 if( !rsbac_softmode 00663 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00664 && !rsbac_ind_softmode[RC] 00665 #endif 00666 ) 00667 #endif 00668 return err; 00669 } 00670 else 00671 return err; 00672 } 00673 break; 00674 case RI_type_netobj_name: 00675 case RI_type_netobj_remove: 00676 if(target != RT_TYPE) 00677 return -RSBAC_EINVALIDTARGET; 00678 if( (rsbac_rc_check_type_comp(T_NETOBJ, tid.type, RCR_ADMIN, 0) == NOT_GRANTED) 00679 && (err=rsbac_rc_test_role_admin(TRUE)) 00680 ) 00681 { 00682 if(err == -EPERM) 00683 { 00684 rsbac_uid_t user; 00685 00686 if(!rsbac_get_owner(&user)) 00687 { 00688 #ifdef CONFIG_RSBAC_RMSG 00689 rsbac_printk(KERN_INFO 00690 "rsbac_rc_sys_set_item(): changing name or removing of NETOBJ type %u denied for pid %u, user %u - no ADMIN right!\n", 00691 tid.type, 00692 current->pid, 00693 user); 00694 #endif 00695 #ifndef CONFIG_RSBAC_RMSG_EXCL 00696 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00697 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00698 if (!rsbac_nosyslog) 00699 #endif 00700 printk(KERN_INFO 00701 "rsbac_rc_sys_set_item(): changing name or removing of NETOBJ type %u denied for pid %u, user %u - no ADMIN right!\n", 00702 tid.type, 00703 current->pid, 00704 user); 00705 #endif 00706 } 00707 #ifdef CONFIG_RSBAC_SOFTMODE 00708 if( !rsbac_softmode 00709 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00710 && !rsbac_ind_softmode[RC] 00711 #endif 00712 ) 00713 #endif 00714 return err; 00715 } 00716 else 00717 return err; 00718 } 00719 break; 00720 00721 /* roles only from here */ 00722 case RI_role_comp: 00723 /* need admin for this role, assign for changed compatible roles */ 00724 { 00725 union rsbac_target_id_t i_tid; 00726 union rsbac_attribute_value_t i_attr_val1; 00727 00728 if(target != RT_ROLE) 00729 return -RSBAC_EINVALIDATTR; 00730 if(!rsbac_rc_test_role_admin(TRUE)) 00731 break; 00732 /* test admin_role of process / modify */ 00733 if((err=rsbac_rc_test_admin_roles(tid.role, TRUE))) 00734 { 00735 if(err == -EPERM) 00736 { 00737 rsbac_uid_t user; 00738 00739 if(!rsbac_get_owner(&user)) 00740 { 00741 #ifdef CONFIG_RSBAC_RMSG 00742 rsbac_printk(KERN_INFO 00743 "rsbac_rc_sys_set_item(): changing role_comp of role %u denied for pid %u, user %u - not in admin_roles!\n", 00744 tid.role, 00745 current->pid, 00746 user); 00747 #endif 00748 #ifndef CONFIG_RSBAC_RMSG_EXCL 00749 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00750 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00751 if (!rsbac_nosyslog) 00752 #endif 00753 printk(KERN_INFO 00754 "rsbac_rc_sys_set_item(): changing role_comp of role %u denied for pid %u, user %u - not in admin_roles!\n", 00755 tid.role, 00756 current->pid, 00757 user); 00758 #endif 00759 } 00760 #ifdef CONFIG_RSBAC_SOFTMODE 00761 if( !rsbac_softmode 00762 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00763 && !rsbac_ind_softmode[RC] 00764 #endif 00765 ) 00766 #endif 00767 return err; 00768 } 00769 else 00770 return err; 00771 } 00772 /* now check assign for changed comp role. */ 00773 /* get rc_role of process */ 00774 i_tid.process = current->pid; 00775 if ((err=rsbac_get_attr(RC, T_PROCESS, 00776 i_tid, 00777 A_rc_role, 00778 &i_attr_val1, 00779 TRUE))) 00780 { 00781 rsbac_ds_get_error("rsbac_rc_sys_set_item()", A_rc_role); 00782 return -RSBAC_EREADFAILED; 00783 } 00784 /* check assign_roles of role */ 00785 if (!rsbac_rc_check_comp(i_attr_val1.rc_role, 00786 tid, 00787 RI_assign_roles, 00788 R_NONE)) 00789 { 00790 rsbac_uid_t user; 00791 if(!rsbac_get_owner(&user)) 00792 { 00793 #ifdef CONFIG_RSBAC_RMSG 00794 rsbac_printk(KERN_INFO 00795 "rsbac_rc_sys_set_item(): changing role_comp for role %u denied for user %u, role %u - not in assign_roles!\n", 00796 tid.role, 00797 user, 00798 i_attr_val1.rc_role); 00799 #endif 00800 #ifndef CONFIG_RSBAC_RMSG_EXCL 00801 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00802 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00803 if (!rsbac_nosyslog) 00804 #endif 00805 printk(KERN_INFO 00806 "rsbac_rc_sys_set_item(): changing role_comp for role %u denied for user %u, role %u - not in assign_roles!\n", 00807 tid.role, 00808 user, 00809 i_attr_val1.rc_role); 00810 #endif 00811 } 00812 #ifdef CONFIG_RSBAC_SOFTMODE 00813 if( !rsbac_softmode 00814 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00815 && !rsbac_ind_softmode[RC] 00816 #endif 00817 ) 00818 #endif 00819 return -EPERM; 00820 } 00821 } 00822 break; 00823 00824 case RI_admin_type: 00825 case RI_admin_roles: 00826 case RI_assign_roles: 00827 case RI_boot_role: 00828 /* admin_type role_admin */ 00829 if((err=rsbac_rc_test_role_admin(TRUE))) 00830 { 00831 if(err == -EPERM) 00832 { 00833 rsbac_uid_t user; 00834 char tmp[80]; 00835 00836 if(!rsbac_get_owner(&user)) 00837 { 00838 #ifdef CONFIG_RSBAC_RMSG 00839 rsbac_printk(KERN_INFO 00840 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - no Role Admin!\n", 00841 get_rc_item_name(tmp, item), 00842 tid.role, 00843 current->pid, 00844 user); 00845 #endif 00846 #ifndef CONFIG_RSBAC_RMSG_EXCL 00847 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00848 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00849 if (!rsbac_nosyslog) 00850 #endif 00851 printk(KERN_INFO 00852 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - no Role Admin!\n", 00853 get_rc_item_name(tmp, item), 00854 tid.role, 00855 current->pid, 00856 user); 00857 #endif 00858 } 00859 #ifdef CONFIG_RSBAC_SOFTMODE 00860 if( !rsbac_softmode 00861 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00862 && !rsbac_ind_softmode[RC] 00863 #endif 00864 ) 00865 #endif 00866 return err; 00867 } 00868 else 00869 return err; 00870 } 00871 break; 00872 case RI_name: 00873 case RI_remove_role: 00874 /* admin for this role */ 00875 /* test admin_role of process / modify */ 00876 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE)) 00877 && (err=rsbac_rc_test_role_admin(TRUE)) 00878 ) 00879 { 00880 if(err == -EPERM) 00881 { 00882 rsbac_uid_t user; 00883 00884 if(!rsbac_get_owner(&user)) 00885 { 00886 #ifdef CONFIG_RSBAC_RMSG 00887 rsbac_printk(KERN_INFO 00888 "rsbac_rc_sys_set_item(): changing name or removing of role %u denied for pid %u, user %u - not in admin_roles!\n", 00889 tid.role, 00890 current->pid, 00891 user); 00892 #endif 00893 #ifndef CONFIG_RSBAC_RMSG_EXCL 00894 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00895 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00896 if (!rsbac_nosyslog) 00897 #endif 00898 printk(KERN_INFO 00899 "rsbac_rc_sys_set_item(): changing name or removing of role %u denied for pid %u, user %u - not in admin_roles!\n", 00900 tid.role, 00901 current->pid, 00902 user); 00903 #endif 00904 } 00905 #ifdef CONFIG_RSBAC_SOFTMODE 00906 if( !rsbac_softmode 00907 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00908 && !rsbac_ind_softmode[RC] 00909 #endif 00910 ) 00911 #endif 00912 return err; 00913 } 00914 else 00915 return err; 00916 } 00917 break; 00918 00919 case RI_def_fd_create_type: 00920 /* admin for this role and assign for target type */ 00921 /* test admin_role of process / modify */ 00922 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE)) 00923 && (err=rsbac_rc_test_role_admin(TRUE)) 00924 ) 00925 { 00926 if(err == -EPERM) 00927 { 00928 rsbac_uid_t user; 00929 00930 if(!rsbac_get_owner(&user)) 00931 { 00932 #ifdef CONFIG_RSBAC_RMSG 00933 rsbac_printk(KERN_INFO 00934 "rsbac_rc_sys_set_item(): changing def_fd_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n", 00935 tid.role, 00936 current->pid, 00937 user); 00938 #endif 00939 #ifndef CONFIG_RSBAC_RMSG_EXCL 00940 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00941 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00942 if (!rsbac_nosyslog) 00943 #endif 00944 printk(KERN_INFO 00945 "rsbac_rc_sys_set_item(): changing def_fd_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n", 00946 tid.role, 00947 current->pid, 00948 user); 00949 #endif 00950 } 00951 #ifdef CONFIG_RSBAC_SOFTMODE 00952 if( !rsbac_softmode 00953 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00954 && !rsbac_ind_softmode[RC] 00955 #endif 00956 ) 00957 #endif 00958 return err; 00959 } 00960 else 00961 return err; 00962 } 00963 else 00964 { 00965 enum rsbac_adf_req_ret_t result; 00966 00967 result = rsbac_rc_check_type_comp(T_FILE, value.type_id, RCR_ASSIGN, 0); 00968 if( ( (result == NOT_GRANTED) 00969 || (result == UNDEFINED) 00970 ) 00971 && (err=rsbac_rc_test_role_admin(TRUE)) 00972 ) 00973 { 00974 rsbac_uid_t user; 00975 00976 if(!rsbac_get_owner(&user)) 00977 { 00978 #ifdef CONFIG_RSBAC_RMSG 00979 rsbac_printk(KERN_INFO 00980 "rsbac_rc_sys_set_item(): changing def_fd_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n", 00981 tid.role, 00982 value.type_id, 00983 user); 00984 #endif 00985 #ifndef CONFIG_RSBAC_RMSG_EXCL 00986 /* only log to standard syslog, if not disabled by kernel boot parameter */ 00987 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00988 if (!rsbac_nosyslog) 00989 #endif 00990 printk(KERN_INFO 00991 "rsbac_rc_sys_set_item(): changing def_fd_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n", 00992 tid.role, 00993 value.type_id, 00994 user); 00995 #endif 00996 } 00997 #ifdef CONFIG_RSBAC_SOFTMODE 00998 if( !rsbac_softmode 00999 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01000 && !rsbac_ind_softmode[RC] 01001 #endif 01002 ) 01003 #endif 01004 return -EPERM; 01005 } 01006 } 01007 break; 01008 case RI_def_user_create_type: 01009 /* admin for this role and assign for target type */ 01010 /* test admin_role of process / modify */ 01011 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE)) 01012 && (err=rsbac_rc_test_role_admin(TRUE)) 01013 ) 01014 { 01015 if(err == -EPERM) 01016 { 01017 rsbac_uid_t user; 01018 01019 if(!rsbac_get_owner(&user)) 01020 { 01021 #ifdef CONFIG_RSBAC_RMSG 01022 rsbac_printk(KERN_INFO 01023 "rsbac_rc_sys_set_item(): changing def_user_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n", 01024 tid.role, 01025 current->pid, 01026 user); 01027 #endif 01028 #ifndef CONFIG_RSBAC_RMSG_EXCL 01029 /* only log to standard syslog, if not disabled by kernel boot parameter */ 01030 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01031 if (!rsbac_nosyslog) 01032 #endif 01033 printk(KERN_INFO 01034 "rsbac_rc_sys_set_item(): changing def_user_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n", 01035 tid.role, 01036 current->pid, 01037 user); 01038 #endif 01039 } 01040 #ifdef CONFIG_RSBAC_SOFTMODE 01041 if( !rsbac_softmode 01042 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01043 && !rsbac_ind_softmode[RC] 01044 #endif 01045 ) 01046 #endif 01047 return err; 01048 } 01049 else 01050 return err; 01051 } 01052 else 01053 { 01054 enum rsbac_adf_req_ret_t result; 01055 01056 result = rsbac_rc_check_type_comp(T_USER, value.type_id, RCR_ASSIGN, 0); 01057 if( ( (result == NOT_GRANTED) 01058 || (result == UNDEFINED) 01059 ) 01060 && (err=rsbac_rc_test_role_admin(TRUE)) 01061 ) 01062 { 01063 rsbac_uid_t user; 01064 01065 if(!rsbac_get_owner(&user)) 01066 { 01067 #ifdef CONFIG_RSBAC_RMSG 01068 rsbac_printk(KERN_INFO 01069 "rsbac_rc_sys_set_item(): changing def_user_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n", 01070 tid.role, 01071 value.type_id, 01072 user); 01073 #endif 01074 #ifndef CONFIG_RSBAC_RMSG_EXCL 01075 /* only log to standard syslog, if not disabled by kernel boot parameter */ 01076 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01077 if (!rsbac_nosyslog) 01078 #endif 01079 printk(KERN_INFO 01080 "rsbac_rc_sys_set_item(): changing def_user_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n", 01081 tid.role, 01082 value.type_id, 01083 user); 01084 #endif 01085 } 01086 #ifdef CONFIG_RSBAC_SOFTMODE 01087 if( !rsbac_softmode 01088 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01089 && !rsbac_ind_softmode[RC] 01090 #endif 01091 ) 01092 #endif 01093 return -EPERM; 01094 } 01095 } 01096 break; 01097 01098 case RI_def_process_create_type: 01099 case RI_def_process_chown_type: 01100 case RI_def_process_execute_type: 01101 /* admin for this role and assign for target type */ 01102 /* test admin_role of process / modify */ 01103 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE)) 01104 && (err=rsbac_rc_test_role_admin(TRUE)) 01105 ) 01106 { 01107 if(err == -EPERM) 01108 { 01109 rsbac_uid_t user; 01110 char tmp[80]; 01111 01112 if(!rsbac_get_owner(&user)) 01113 { 01114 #ifdef CONFIG_RSBAC_RMSG 01115 rsbac_printk(KERN_INFO 01116 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - not in admin_roles!\n", 01117 get_rc_item_name(tmp, item), 01118 tid.role, 01119 current->pid, 01120 user); 01121 #endif 01122 #ifndef CONFIG_RSBAC_RMSG_EXCL 01123 /* only log to standard syslog, if not disabled by kernel boot parameter */ 01124 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01125 if (!rsbac_nosyslog) 01126 #endif 01127 printk(KERN_INFO 01128 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - not in admin_roles!\n", 01129 get_rc_item_name(tmp, item), 01130 tid.role, 01131 current->pid, 01132 user); 01133 #endif 01134 } 01135 #ifdef CONFIG_RSBAC_SOFTMODE 01136 if( !rsbac_softmode 01137 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01138 && !rsbac_ind_softmode[RC] 01139 #endif 01140 ) 01141 #endif 01142 return err; 01143 } 01144 else 01145 return err; 01146 } 01147 else 01148 { 01149 enum rsbac_adf_req_ret_t result; 01150 01151 result = rsbac_rc_check_type_comp(T_PROCESS, value.type_id, RCR_ASSIGN, 0); 01152 if( ( (result == NOT_GRANTED) 01153 || (result == UNDEFINED) 01154 ) 01155 && (err=rsbac_rc_test_role_admin(TRUE)) 01156 ) 01157 { 01158 rsbac_uid_t user; 01159 01160 if(!rsbac_get_owner(&user)) 01161 { 01162 #ifdef CONFIG_RSBAC_RMSG 01163 rsbac_printk(KERN_INFO 01164 "rsbac_rc_sys_set_item(): changing def_process_*_type for role %u to %u denied for user %u - no ASSIGN right for type!\n", 01165 tid.role, 01166 value.type_id, 01167 user); 01168 #endif 01169 #ifndef CONFIG_RSBAC_RMSG_EXCL 01170 /* only log to standard syslog, if not disabled by kernel boot parameter */ 01171 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01172 if (!rsbac_nosyslog) 01173 #endif 01174 printk(KERN_INFO 01175 "rsbac_rc_sys_set_item(): changing def_process_*_type for role %u to %u denied for user %u - no ASSIGN right for type!\n", 01176 tid.role, 01177 value.type_id, 01178 user); 01179 #endif 01180 } 01181 #ifdef CONFIG_RSBAC_SOFTMODE 01182 if( !rsbac_softmode 01183 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01184 && !rsbac_ind_softmode[RC] 01185 #endif 01186 ) 01187 #endif 01188 return -EPERM; 01189 } 01190 } 01191 break; 01192 case RI_def_ipc_create_type: 01193 /* admin for this role and assign for target type */ 01194 /* test admin_role of process / modify */ 01195 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE)) 01196 && (err=rsbac_rc_test_role_admin(TRUE)) 01197 ) 01198 { 01199 if(err == -EPERM) 01200 { 01201 rsbac_uid_t user; 01202 01203 if(!rsbac_get_owner(&user)) 01204 { 01205 #ifdef CONFIG_RSBAC_RMSG 01206 rsbac_printk(KERN_INFO 01207 "rsbac_rc_sys_set_item(): changing def_ipc_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n", 01208 tid.role, 01209 current->pid, 01210 user); 01211 #endif 01212 #ifndef CONFIG_RSBAC_RMSG_EXCL 01213 /* only log to standard syslog, if not disabled by kernel boot parameter */ 01214 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01215 if (!rsbac_nosyslog) 01216 #endif 01217 printk(KERN_INFO 01218 "rsbac_rc_sys_set_item(): changing def_ipc_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n", 01219 tid.role, 01220 current->pid, 01221 user); 01222 #endif 01223 } 01224 #ifdef CONFIG_RSBAC_SOFTMODE 01225 if( !rsbac_softmode 01226 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01227 && !rsbac_ind_softmode[RC] 01228 #endif 01229 ) 01230 #endif 01231 return err; 01232 } 01233 else 01234 return err; 01235 } 01236 else 01237 { 01238 enum rsbac_adf_req_ret_t result; 01239 01240 result = rsbac_rc_check_type_comp(T_IPC, value.type_id, RCR_ASSIGN, 0); 01241 if( ( (result == NOT_GRANTED) 01242 || (result == UNDEFINED) 01243 ) 01244 && (err=rsbac_rc_test_role_admin(TRUE)) 01245 ) 01246 { 01247 rsbac_uid_t user; 01248 01249 if(!rsbac_get_owner(&user)) 01250 { 01251 #ifdef CONFIG_RSBAC_RMSG 01252 rsbac_printk(KERN_INFO 01253 "rsbac_rc_sys_set_item(): changing def_ipc_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n", 01254 tid.role, 01255 value.type_id, 01256 user); 01257 #endif 01258 #ifndef CONFIG_RSBAC_RMSG_EXCL 01259 /* only log to standard syslog, if not disabled by kernel boot parameter */ 01260 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01261 if (!rsbac_nosyslog) 01262 #endif 01263 printk(KERN_INFO 01264 "rsbac_rc_sys_set_item(): changing def_ipc_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n", 01265 tid.role, 01266 value.type_id, 01267 user); 01268 #endif 01269 } 01270 #ifdef CONFIG_RSBAC_SOFTMODE 01271 if( !rsbac_softmode 01272 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01273 && !rsbac_ind_softmode[RC] 01274 #endif 01275 ) 01276 #endif 01277 return -EPERM; 01278 } 01279 } 01280 break; 01281 01282 case RI_type_comp_fd: 01283 case RI_type_comp_dev: 01284 case RI_type_comp_user: 01285 case RI_type_comp_process: 01286 case RI_type_comp_ipc: 01287 case RI_type_comp_scd: 01288 case RI_type_comp_netdev: 01289 case RI_type_comp_nettemp: 01290 case RI_type_comp_netobj: 01291 { 01292 union rsbac_rc_item_value_t old_value, my_value; 01293 union rsbac_target_id_t i_tid; 01294 union rsbac_attribute_value_t i_attr_val1; 01295 union rsbac_rc_target_id_t i_rc_tid; 01296 01297 if(target != RT_ROLE) 01298 return -RSBAC_EINVALIDATTR; 01299 if(!rsbac_rc_test_role_admin(TRUE)) 01300 break; 01301 /* test admin_role of process / modify */ 01302 if((err=rsbac_rc_test_admin_roles(tid.role, TRUE))) 01303 { 01304 if(err == -EPERM) 01305 { 01306 rsbac_uid_t user; 01307 char tmp[80]; 01308 01309 if(!rsbac_get_owner(&user)) 01310 { 01311 #ifdef CONFIG_RSBAC_RMSG 01312 rsbac_printk(KERN_INFO 01313 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - not in admin_roles!\n", 01314 get_rc_item_name(tmp, item), 01315 tid.role, 01316 current->pid, 01317 user); 01318 #endif 01319 #ifndef CONFIG_RSBAC_RMSG_EXCL 01320 /* only log to standard syslog, if not disabled by kernel boot parameter */ 01321 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01322 if (!rsbac_nosyslog) 01323 #endif 01324 printk(KERN_INFO 01325 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - not in admin_roles!\n", 01326 get_rc_item_name(tmp, item), 01327 tid.role, 01328 current->pid, 01329 user); 01330 #endif 01331 } 01332 #ifdef CONFIG_RSBAC_SOFTMODE 01333 if( !rsbac_softmode 01334 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01335 && !rsbac_ind_softmode[RC] 01336 #endif 01337 ) 01338 #endif 01339 return err; 01340 } 01341 else 01342 return err; 01343 } 01344 /* test caller's RCR_ACCESS_CONTROL for the type, if we change normal access */ 01345 /* and caller's RCR_SUPERVISOR for the type, if we change special rights */ 01346 /* first get old setting */ 01347 err = rsbac_rc_get_item(target, tid, subtid, item, &old_value, NULL); 01348 if(err) 01349 return(err); 01350 01351 /* get rc_role of process */ 01352 i_tid.process = current->pid; 01353 if ((err=rsbac_get_attr(RC, T_PROCESS, 01354 i_tid, 01355 A_rc_role, 01356 &i_attr_val1, 01357 TRUE))) 01358 { 01359 rsbac_ds_get_error("rsbac_rc_sys_set_item()", A_rc_role); 01360 return err; 01361 } 01362 /* get item of process role */ 01363 i_rc_tid.role = i_attr_val1.rc_role; 01364 if ((err=rsbac_rc_get_item(RT_ROLE, 01365 i_rc_tid, 01366 subtid, 01367 item, 01368 &my_value, 01369 NULL))) 01370 { 01371 rsbac_rc_ds_get_error("rsbac_rc_sys_set_item()", item); 01372 return err; 01373 } 01374 01375 /* check planned changes for type */ 01376 if( /* Want to change normal rights to this type? Need RCR_ACCESS_CONTROL. */ 01377 ( ( (old_value.rights & RSBAC_ALL_REQUEST_VECTOR) 01378 != (value.rights & RSBAC_ALL_REQUEST_VECTOR) 01379 ) 01380 && (!(my_value.rights & RSBAC_RC_RIGHTS_VECTOR(RCR_ACCESS_CONTROL))) 01381 ) 01382 || 01383 /* Want to change special rights to this type? Need RCR_SUPERVISOR. */ 01384 ( ( (old_value.rights & RSBAC_RC_SPECIAL_RIGHTS_VECTOR) 01385 != (value.rights & RSBAC_RC_SPECIAL_RIGHTS_VECTOR) 01386 ) 01387 && (!(my_value.rights & RSBAC_RC_RIGHTS_VECTOR(RCR_SUPERVISOR))) 01388 ) 01389 ) 01390 { 01391 /* check failed. Last resort: Classical admin_type. */ 01392 if((err=rsbac_rc_test_role_admin(TRUE))) 01393 { 01394 if(err == -EPERM) 01395 { 01396 rsbac_uid_t user; 01397 char tmp[80]; 01398 01399 if(!rsbac_get_owner(&user)) 01400 { 01401 #ifdef CONFIG_RSBAC_RMSG 01402 rsbac_printk(KERN_INFO 01403 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - insufficent rights!\n", 01404 get_rc_item_name(tmp, item), 01405 tid.role, 01406 current->pid, 01407 user); 01408 #endif 01409 #ifndef CONFIG_RSBAC_RMSG_EXCL 01410 /* only log to standard syslog, if not disabled by kernel boot parameter */ 01411 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01412 if (!rsbac_nosyslog) 01413 #endif 01414 printk(KERN_INFO 01415 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - insufficent rights!\n", 01416 get_rc_item_name(tmp, item), 01417 tid.role, 01418 current->pid, 01419 user); 01420 #endif 01421 } 01422 #ifdef CONFIG_RSBAC_SOFTMODE 01423 if( !rsbac_softmode 01424 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01425 && !rsbac_ind_softmode[RC] 01426 #endif 01427 ) 01428 #endif 01429 return err; 01430 } 01431 else 01432 return err; 01433 } 01434 } 01435 } 01436 break; 01437 01438 default: 01439 return -RSBAC_EINVALIDATTR; 01440 } 01441 } 01442 #endif /* !MAINT */ 01443 01444 /* pass on */ 01445 return(rsbac_rc_set_item(target, tid, subtid, item, value, ttl)); 01446 }; 01447 01448 /* Set own role, if allowed ( = in role_comp vector of current role) */ 01449 int rsbac_rc_sys_change_role (rsbac_rc_role_id_t role) 01450 { 01451 union rsbac_target_id_t i_tid; 01452 union rsbac_attribute_value_t i_attr_val1; 01453 #if !defined(CONFIG_RSBAC_MAINT) 01454 #ifdef CONFIG_RSBAC_SWITCH 01455 if(rsbac_switch_rc) 01456 #endif 01457 { 01458 int err; 01459 union rsbac_rc_target_id_t i_rc_subtid; 01460 01461 i_tid.process = current->pid; 01462 /* get rc_role of process */ 01463 if ((err=rsbac_get_attr(RC, 01464 T_PROCESS, 01465 i_tid, 01466 A_rc_role, 01467 &i_attr_val1, 01468 TRUE))) 01469 { 01470 printk(KERN_WARNING 01471 "rsbac_rc_sys_change_role(): rsbac_get_attr() returned error %i!\n",err); 01472 return err; 01473 } 01474 01475 /* check role_comp of role */ 01476 i_rc_subtid.role = role; 01477 if (!rsbac_rc_check_comp(i_attr_val1.rc_role, 01478 i_rc_subtid, 01479 RI_role_comp, 01480 0)) 01481 { 01482 rsbac_uid_t user; 01483 01484 if(!rsbac_get_owner(&user)) 01485 { 01486 #ifdef CONFIG_RSBAC_RMSG 01487 rsbac_printk(KERN_INFO 01488 "rsbac_rc_sys_change role(): changing from role %u to %u denied for pid %u, user %u, role %u - roles not compatible!\n", 01489 i_attr_val1.rc_role, 01490 role, 01491 i_tid.process, 01492 user, 01493 i_attr_val1.rc_role); 01494 #endif 01495 #ifndef CONFIG_RSBAC_RMSG_EXCL 01496 /* only log to standard syslog, if not disabled by kernel boot parameter */ 01497 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01498 if (!rsbac_nosyslog) 01499 #endif 01500 printk(KERN_INFO 01501 "rsbac_rc_sys_change role(): changing from role %u to %u denied for pid %u, user %u, role %u - roles not compatible!\n", 01502 i_attr_val1.rc_role, 01503 role, 01504 i_tid.process, 01505 user, 01506 i_attr_val1.rc_role); 01507 #endif 01508 } 01509 #ifdef CONFIG_RSBAC_SOFTMODE 01510 if( !rsbac_softmode 01511 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01512 && !rsbac_ind_softmode[RC] 01513 #endif 01514 ) 01515 #endif 01516 return -EPERM; 01517 } 01518 } 01519 #endif /* !MAINT */ 01520 01521 /* OK, check passed. Set role. */ 01522 i_tid.process = current->pid; 01523 i_attr_val1.rc_role = role; 01524 if (rsbac_set_attr(RC, T_PROCESS, 01525 i_tid, 01526 A_rc_role, 01527 i_attr_val1)) 01528 { /* failed! */ 01529 printk(KERN_WARNING "rsbac_rc_sys_change_role(): rsbac_set_attr() returned error!\n"); 01530 return(-RSBAC_EWRITEFAILED); 01531 } 01532 /* Ready. */ 01533 return(0); 01534 }; 01535 01536 /* Getting own effective rights */ 01537 int rsbac_rc_sys_get_eff_rights (enum rsbac_target_t target, 01538 union rsbac_target_id_t tid, 01539 rsbac_rc_request_vector_t * request_vector, 01540 rsbac_time_t * ttl_p) 01541 { 01542 union rsbac_target_id_t i_tid; 01543 enum rsbac_attribute_t i_attr = A_none; 01544 union rsbac_attribute_value_t i_attr_val1; 01545 union rsbac_attribute_value_t i_attr_val2; 01546 int err; 01547 enum rsbac_rc_item_t i_rc_item; 01548 union rsbac_rc_target_id_t i_rc_tid; 01549 union rsbac_rc_target_id_t i_rc_subtid; 01550 union rsbac_rc_item_value_t i_rc_item_val1; 01551 01552 i_tid.process = current->pid; 01553 /* get rc_role of process */ 01554 if ((err=rsbac_get_attr(RC, T_PROCESS, 01555 i_tid, 01556 A_rc_role, 01557 &i_attr_val1, 01558 TRUE))) 01559 { 01560 printk(KERN_WARNING 01561 "rsbac_rc_sys_get_eff_rights(): rsbac_get_attr() returned error %i!\n",err); 01562 return -RSBAC_EREADFAILED; 01563 } 01564 01565 switch(target) 01566 { 01567 case T_FILE: 01568 case T_DIR: 01569 case T_FIFO: 01570 case T_SYMLINK: 01571 i_attr = A_rc_type_fd; 01572 i_rc_item = RI_type_comp_fd; 01573 break; 01574 case T_DEV: 01575 i_attr = A_rc_type; 01576 i_rc_item = RI_type_comp_dev; 01577 break; 01578 case T_IPC: 01579 i_attr = A_rc_type; 01580 i_rc_item = RI_type_comp_ipc; 01581 break; 01582 case T_PROCESS: 01583 i_attr = A_rc_type; 01584 i_rc_item = RI_type_comp_process; 01585 break; 01586 case T_SCD: /* special case! */ 01587 if(tid.scd >= RST_none) 01588 return -RSBAC_EINVALIDTARGET; 01589 i_rc_item = RI_type_comp_scd; 01590 break; 01591 case T_NETDEV: 01592 i_attr = A_rc_type; 01593 i_rc_item = RI_type_comp_netdev; 01594 break; 01595 case T_NETTEMP: 01596 i_attr = A_rc_type_nt; 01597 i_rc_item = RI_type_comp_nettemp; 01598 break; 01599 case T_NETOBJ: 01600 i_attr = A_rc_type; 01601 i_rc_item = RI_type_comp_netobj; 01602 break; 01603 default: 01604 return -RSBAC_EINVALIDTARGET; 01605 } 01606 /* get rc_type of target */ 01607 if(target == T_SCD) 01608 { 01609 i_attr_val2.rc_type = tid.scd; 01610 } 01611 else 01612 { 01613 if ((err=rsbac_get_attr(RC, 01614 target, 01615 tid, 01616 i_attr, 01617 &i_attr_val2, 01618 TRUE))) 01619 { 01620 printk(KERN_WARNING 01621 "rsbac_rc_sys_get_eff_rights(): rsbac_get_attr() returned error %i!\n",err); 01622 return -RSBAC_EREADFAILED; 01623 } 01624 } 01625 /* get type_comp_xxx of role for type and target */ 01626 i_rc_tid.role = i_attr_val1.rc_role; 01627 i_rc_subtid.type = i_attr_val2.rc_type; 01628 if ((err=rsbac_rc_get_item(RT_ROLE, 01629 i_rc_tid, 01630 i_rc_subtid, 01631 i_rc_item, 01632 &i_rc_item_val1, 01633 ttl_p))) 01634 { 01635 printk(KERN_WARNING 01636 "rsbac_rc_sys_get_eff_rights(): rsbac_rc_get_item() returned error %i!\n",err); 01637 return -RSBAC_EREADFAILED; 01638 } 01639 /* extract value */ 01640 *request_vector = i_rc_item_val1.rights; 01641 /* Ready. */ 01642 return(0); 01643 }; 01644 01645 int rsbac_rc_sys_get_current_role (rsbac_rc_role_id_t * role_p) 01646 { 01647 union rsbac_target_id_t i_tid; 01648 union rsbac_attribute_value_t i_attr_val1; 01649 int err; 01650 01651 /* get rc_role of process */ 01652 i_tid.process = current->pid; 01653 if ((err=rsbac_get_attr(RC, T_PROCESS, 01654 i_tid, 01655 A_rc_role, 01656 &i_attr_val1, 01657 TRUE))) 01658 { 01659 printk(KERN_WARNING 01660 "rsbac_rc_sys_get_current_role(): rsbac_get_attr() returned error %i!\n",err); 01661 return -RSBAC_EREADFAILED; 01662 } 01663 *role_p = i_attr_val1.rc_role; 01664 /* Ready. */ 01665 return(0); 01666 }; 01667 01668 /* end of rsbac/adf/rc/syscalls.c */

Generated on Tue Aug 31 10:05:24 2004 for RSBAC by doxygen 1.3.8