/daten/src/linux-2.4.27-rsbac-v1.2.3/include/rsbac/aci_data_structures.h

Go to the documentation of this file.
00001 /**************************************/ 00002 /* Rule Set Based Access Control */ 00003 /* Author and (c) 1999-2004: Amon Ott */ 00004 /* Data structures */ 00005 /* Last modified: 07/Jun/2004 */ 00006 /**************************************/ 00007 00008 #ifndef __RSBAC_DATA_STRUC_H 00009 #define __RSBAC_DATA_STRUC_H 00010 00011 #ifdef __KERNEL__ /* only include in kernel code */ 00012 #include <linux/types.h> 00013 #include <linux/fs.h> 00014 #include <linux/wait.h> 00015 #include <linux/interrupt.h> 00016 #include <asm/semaphore.h> 00017 #include <rsbac/types.h> 00018 #include <linux/spinlock.h> 00019 #include <rsbac/pm_types.h> 00020 #include <rsbac/rc_types.h> 00021 #include <rsbac/aci.h> 00022 #include <rsbac/debug.h> 00023 #include <rsbac/lists.h> 00024 #endif /* __KERNEL__ */ 00025 00026 /* First of all we define dirname and filenames for saving the ACIs to disk. */ 00027 /* The path must be a valid single dir name! Each mounted device gets its */ 00028 /* own file set, residing in 'DEVICE_ROOT/RSBAC_ACI_PATH/'. */ 00029 /* The FD filename gets a suffix for the list number (see RSBAC_NR_FD_LISTS),*/ 00030 /* so we have RSBAC_NR_FD_LISTS files for file/dir ACI and one for user ACI. */ 00031 /* The dynamic data structures for PM, RC and ACL are kept in their own files.*/ 00032 /* All user access to these files will be denied. */ 00033 /* Backups are kept in FILENAMEb. */ 00034 00035 #ifdef __KERNEL__ 00036 #define RSBAC_LOG_BUF_LEN (16384) 00037 00038 #define RSBAC_ACI_PATH "rsbac.dat" 00039 00040 #define RSBAC_GEN_FD_NAME "fd_gen." 00041 #define RSBAC_MAC_FD_NAME "fd_mac." 00042 #define RSBAC_FC_FD_NAME "fd_fc." 00043 #define RSBAC_SIM_FD_NAME "fd_sim." 00044 #define RSBAC_PM_FD_NAME "fd_pm." 00045 #define RSBAC_DAZ_FD_NAME "fd_dazt." 00046 #define RSBAC_DAZ_SCANNED_FD_NAME "fd_dazs." 00047 #define RSBAC_FF_FD_NAME "fd_ff." 00048 #define RSBAC_RC_FD_NAME "fd_rc." 00049 #define RSBAC_AUTH_FD_NAME "fd_auth." 00050 #define RSBAC_CAP_FD_NAME "fd_cap." 00051 #define RSBAC_PAX_FD_NAME "fd_pax." 00052 #define RSBAC_RES_FD_NAME "fd_res." 00053 00054 #define RSBAC_ACI_USER_NAME "useraci" 00055 /* dir creation mode for discretionary access control: no rights*/ 00056 #define RSBAC_ACI_DIR_MODE (S_IFDIR) 00057 /* file creation mode for discretionary access control: rw for user only*/ 00058 #define RSBAC_ACI_FILE_MODE (S_IFREG | S_IRUSR | S_IWUSR) 00059 /* minimal mem chunk size available to try write_partial_fd_list, else defer */ 00060 #define RSBAC_MIN_WRITE_FD_BUF_LEN 32768 00061 /* max size for write_chunks */ 00062 #define RSBAC_MAX_WRITE_CHUNK ((1 << 15) - 1) 00063 00064 /* Since we will use a simple hash function for file/dir aci, we define */ 00065 /* the table size here. WARNING: If this value is changed, aci data on */ 00066 /* disk may become invalid and should be converted explicitly using */ 00067 /* rsbac_change_nr kernel parameter on next boot! */ 00068 /* To remain compliant with all file systems, this value should not */ 00069 /* exceed 100 (8.3 convention: 0-99 + b). */ 00070 00071 #define RSBAC_GEN_NR_FD_LISTS 8 00072 #define RSBAC_MAC_NR_FD_LISTS 32 00073 #define RSBAC_FC_NR_FD_LISTS 8 00074 #define RSBAC_SIM_NR_FD_LISTS 8 00075 #define RSBAC_PM_NR_FD_LISTS 16 00076 #define RSBAC_DAZ_NR_FD_LISTS 2 00077 #define RSBAC_DAZ_SCANNED_NR_FD_LISTS 32 00078 #define RSBAC_FF_NR_FD_LISTS 8 00079 #define RSBAC_RC_NR_FD_LISTS 16 00080 #define RSBAC_AUTH_NR_FD_LISTS 2 00081 #define RSBAC_CAP_NR_FD_LISTS 4 00082 #define RSBAC_PAX_NR_FD_LISTS 2 00083 #define RSBAC_RES_NR_FD_LISTS 4 00084 00085 #ifdef CONFIG_RSBAC_INIT_THREAD 00086 /* Check and set init timeout */ 00087 #if CONFIG_RSBAC_MAX_INIT_TIME >= 5 00088 #define RSBAC_MAX_INIT_TIME CONFIG_RSBAC_MAX_INIT_TIME 00089 #else 00090 #define RSBAC_MAX_INIT_TIME 5 00091 #endif 00092 #endif /* INIT_THREAD */ 00093 00094 #endif /* __KERNEL__ */ 00095 00096 /* The following structures privide attributes for all possible targets. */ 00097 /* The data structures are kept in double linked lists, and are optimized */ 00098 /* by hash functions. */ 00099 00100 /* Only ATTRIBUTES are saved in those structures, that are saved to disk, */ 00101 /* because saving sublists means breaking up the structures for every */ 00102 /* single list. */ 00103 /* If a list of policy dependant items is to be stored, this is done in */ 00104 /* the policy dependant data structures. Here only an ID as a handle is */ 00105 /* supported. */ 00106 00107 /* OK, first we define the file/dir ACI, holding all file/dir information */ 00108 /* the ADF needs for decisions. */ 00109 00110 /* Caution: whenever ACI changes, version and old_version should be increased! */ 00111 00112 #define RSBAC_GEN_FD_ACI_VERSION 5 00113 #define RSBAC_GEN_FD_ACI_KEY 1001 00114 struct rsbac_gen_fd_aci_t 00115 { 00116 rsbac_log_array_t log_array_low; /* file/dir based logging, */ 00117 rsbac_log_array_t log_array_high; /* high and low bits */ 00118 rsbac_request_vector_t log_program_based; /* Program based logging */ 00119 rsbac_enum_t symlink_add_uid; 00120 rsbac_enum_t symlink_add_mac_level; 00121 rsbac_enum_t symlink_add_rc_role; 00122 rsbac_enum_t linux_dac_disable; 00123 rsbac_fake_root_uid_int_t fake_root_uid; 00124 }; 00125 #define DEFAULT_GEN_FD_ACI \ 00126 { \ 00127 -1, /* log_array_low (log request based) */ \ 00128 -1, /* log_array_high (log request based) */ \ 00129 0, /* log_program_based (don't log specially) */ \ 00130 FALSE, /* symlink_add_uid (don't add uid) */ \ 00131 FALSE, /* symlink_add_mac_level (don't add MAC security level) */ \ 00132 FALSE, /* symlink_add_rc_role (don't add RC role) */ \ 00133 LDD_inherit, /* linux_dac_disable (inherit from parent) */ \ 00134 FR_off /* fake_root_uid */ \ 00135 } 00136 00137 #define DEFAULT_GEN_ROOT_DIR_ACI \ 00138 { \ 00139 -1, /* log_array_low (log request based) */ \ 00140 -1, /* log_array_high (log request based) */ \ 00141 0, /* log_program_based (don't log specially) */ \ 00142 FALSE, /* symlink_add_uid (don't add uid) */ \ 00143 FALSE, /* symlink_add_mac_level (don't add MAC security level) */ \ 00144 FALSE, /* symlink_add_rc_role (don't add RC role) */ \ 00145 LDD_false, /* linux_dac_disable (do not disable) */ \ 00146 FR_off /* fake_root_uid */ \ 00147 } 00148 00149 #define RSBAC_GEN_FD_OLD_ACI_VERSION 4 00150 struct rsbac_gen_fd_old_aci_t 00151 { 00152 rsbac_log_array_t log_array_low; /* file/dir based logging, */ 00153 rsbac_log_array_t log_array_high; /* high and low bits */ 00154 rsbac_request_vector_t log_program_based; /* Program based logging */ 00155 rsbac_enum_t symlink_add_uid; 00156 rsbac_enum_t symlink_add_mac_level; 00157 rsbac_enum_t symlink_add_rc_role; 00158 rsbac_enum_t linux_dac_disable; 00159 }; 00160 00161 #define RSBAC_GEN_FD_OLD_OLD_ACI_VERSION 3 00162 struct rsbac_gen_fd_old_old_aci_t 00163 { 00164 rsbac_log_array_t log_array_low; /* file/dir based logging, */ 00165 rsbac_log_array_t log_array_high; /* high and low bits */ 00166 rsbac_request_vector_t log_program_based; /* Program based logging */ 00167 rsbac_enum_t symlink_add_uid; 00168 rsbac_enum_t symlink_add_rc_role; 00169 rsbac_enum_t linux_dac_disable; 00170 }; 00171 00172 #define RSBAC_GEN_FD_OLD_OLD_OLD_ACI_VERSION 2 00173 struct rsbac_gen_fd_old_old_old_aci_t 00174 { 00175 rsbac_log_array_t log_array_low; /* file/dir based logging, */ 00176 rsbac_log_array_t log_array_high; /* high and low bits */ 00177 rsbac_request_vector_t log_program_based; /* Program based logging */ 00178 rsbac_enum_t symlink_add_uid; 00179 }; 00180 00181 #define RSBAC_GEN_FD_OLD_OLD_OLD_OLD_ACI_VERSION 1 00182 struct rsbac_gen_fd_old_old_old_old_aci_t 00183 { 00184 rsbac_log_array_t log_array_low; /* file/dir based logging, */ 00185 rsbac_log_array_t log_array_high; /* high and low bits */ 00186 rsbac_request_vector_t log_program_based; /* Program based logging */ 00187 }; 00188 00189 00190 #if defined(CONFIG_RSBAC_MAC) 00191 #define RSBAC_MAC_FD_ACI_VERSION 5 00192 #define RSBAC_MAC_FD_ACI_KEY 1001 00193 struct rsbac_mac_fd_aci_t 00194 { 00195 rsbac_security_level_t sec_level; /* MAC */ 00196 rsbac_mac_category_vector_t mac_categories; /* MAC category set */ 00197 rsbac_mac_auto_int_t mac_auto; /* auto-adjust current level */ 00198 rsbac_boolean_int_t mac_prop_trusted; /* Keep trusted flag when executing this file */ 00199 rsbac_mac_file_flags_t mac_file_flags; /* allow write_up, read_up etc. to it */ 00200 }; 00201 00202 #define RSBAC_MAC_FD_OLD_ACI_VERSION 4 00203 struct rsbac_mac_fd_old_aci_t 00204 { 00205 rsbac_security_level_t sec_level; /* MAC */ 00206 rsbac_uid_t mac_trusted_for_user; /* MAC (for FILE only) */ 00207 rsbac_mac_category_vector_t mac_categories; /* MAC category set */ 00208 rsbac_mac_auto_int_t mac_auto; /* auto-adjust current level */ 00209 rsbac_boolean_int_t mac_prop_trusted; /* Keep trusted flag when executing this file */ 00210 rsbac_mac_file_flags_t mac_file_flags; /* allow write_up, read_up etc. to it */ 00211 }; 00212 00213 #define RSBAC_MAC_FD_OLD_OLD_ACI_VERSION 3 00214 struct rsbac_mac_fd_old_old_aci_t 00215 { 00216 rsbac_security_level_t sec_level; /* MAC */ 00217 rsbac_uid_t mac_trusted_for_user; /* MAC (for FILE only) */ 00218 rsbac_mac_category_vector_t mac_categories; /* MAC category set */ 00219 rsbac_mac_auto_int_t mac_auto; /* auto-adjust current level */ 00220 rsbac_boolean_int_t mac_prop_trusted; /* Keep trusted flag when executing this file */ 00221 rsbac_boolean_int_t mac_shared; /* Shared dir, i.e., allow write_up to it */ 00222 }; 00223 00224 #define RSBAC_MAC_FD_OLD_OLD_OLD_ACI_VERSION 2 00225 struct rsbac_mac_fd_old_old_old_aci_t 00226 { 00227 rsbac_security_level_t sec_level; /* MAC */ 00228 rsbac_uid_t mac_trusted_for_user; /* MAC (for FILE only) */ 00229 rsbac_mac_category_vector_t mac_categories; /* MAC category set */ 00230 rsbac_mac_auto_int_t mac_auto; /* auto-adjust current level */ 00231 }; 00232 00233 #define DEFAULT_MAC_FD_ACI_INH \ 00234 { \ 00235 SL_inherit, /* security_level (MAC) */ \ 00236 RSBAC_MAC_INHERIT_CAT_VECTOR, /* mac_categories (MAC) */ \ 00237 MA_inherit, /* mac_auto (MAC) */ \ 00238 FALSE, /* prop_trusted */ \ 00239 FALSE /* shared */ \ 00240 } 00241 #define DEFAULT_MAC_FD_ACI_NO_INH \ 00242 { \ 00243 SL_unclassified, /* security_level (MAC) */ \ 00244 RSBAC_MAC_DEF_CAT_VECTOR, /* mac_categories (MAC) */ \ 00245 MA_yes, /* mac_auto (MAC) */ \ 00246 FALSE, /* prop_trusted */ \ 00247 FALSE /* shared */ \ 00248 } 00249 00250 #ifdef CONFIG_RSBAC_MAC_DEF_INHERIT 00251 #define DEFAULT_MAC_FD_ACI DEFAULT_MAC_FD_ACI_INH 00252 #else 00253 #define DEFAULT_MAC_FD_ACI DEFAULT_MAC_FD_ACI_NO_INH 00254 #endif /* MAC_DEF_INHERIT */ 00255 00256 #define DEFAULT_MAC_ROOT_DIR_ACI \ 00257 { \ 00258 SL_unclassified, /* security_level (MAC) */ \ 00259 RSBAC_MAC_DEF_CAT_VECTOR, /* mac_categories (MAC) */ \ 00260 MA_yes, /* mac_auto (MAC) */ \ 00261 FALSE, /* prop_trusted */ \ 00262 FALSE /* shared */ \ 00263 } 00264 #endif 00265 00266 #if defined(CONFIG_RSBAC_FC) 00267 #define RSBAC_FC_FD_ACI_VERSION 1 00268 #define RSBAC_FC_FD_ACI_KEY 1001 00269 #endif 00270 00271 #if defined(CONFIG_RSBAC_SIM) 00272 #define RSBAC_SIM_FD_ACI_VERSION 1 00273 #define RSBAC_SIM_FD_ACI_KEY 1001 00274 #endif 00275 00276 #if defined(CONFIG_RSBAC_PM) 00277 #define RSBAC_PM_FD_ACI_VERSION 1 00278 #define RSBAC_PM_FD_ACI_KEY 1001 00279 struct rsbac_pm_fd_aci_t 00280 { 00281 rsbac_pm_object_class_id_t pm_object_class; /* PM */ 00282 rsbac_pm_tp_id_t pm_tp; /* PM (for FILE only) */ 00283 rsbac_pm_object_type_int_t pm_object_type; /* PM (enum rsbac_pm_object_type_t -> __u8) */ 00284 }; 00285 00286 #define DEFAULT_PM_FD_ACI \ 00287 { \ 00288 0, /* pm_tp_id (PM) */ \ 00289 0, /* pm_object_class_id (PM) */ \ 00290 PO_none, /* pm_object_type (PM) */ \ 00291 } 00292 #endif 00293 00294 #if defined(CONFIG_RSBAC_DAZ) 00295 #define RSBAC_DAZ_FD_ACI_VERSION 1 00296 #define RSBAC_DAZ_FD_ACI_KEY 10535 00297 #define RSBAC_DAZ_CACHE_CLEANUP_INTERVAL 86400 00298 #define RSBAC_DAZ_SCANNED_FD_ACI_VERSION 1 00299 struct rsbac_daz_fd_aci_t 00300 { 00301 rsbac_daz_scanner_t daz_scanner; /* DAZ (for FILE only) (boolean) */ 00302 }; 00303 00304 #define DEFAULT_DAZ_FD_ACI \ 00305 { \ 00306 FALSE /* daz_scanner (DAZ) */ \ 00307 } 00308 00309 #define DEFAULT_DAZ_ROOT_DIR_ACI \ 00310 { \ 00311 FALSE /* daz_scanner (DAZ) */ \ 00312 } 00313 #endif 00314 00315 #if defined(CONFIG_RSBAC_FF) 00316 #define RSBAC_FF_FD_ACI_VERSION 1 00317 #define RSBAC_FF_FD_ACI_KEY 1001 00318 #endif 00319 00320 #if defined(CONFIG_RSBAC_RC) 00321 #define RSBAC_RC_FD_ACI_VERSION 1 00322 #define RSBAC_RC_FD_ACI_KEY 1001 00323 struct rsbac_rc_fd_aci_t 00324 { 00325 rsbac_rc_type_id_t rc_type_fd; /* RC */ 00326 rsbac_rc_role_id_t rc_force_role; /* RC */ 00327 rsbac_rc_role_id_t rc_initial_role; /* RC */ 00328 }; 00329 00330 #define DEFAULT_RC_FD_ACI \ 00331 { \ 00332 RC_type_inherit_parent, /* rc_type (RC): inherit from parent dir */ \ 00333 RC_default_force_role, /* rc_force_role (RC): (see rc_types.h) */ \ 00334 RC_default_initial_role, /* rc_initial_role (RC): (see rc_types.h) */ \ 00335 } 00336 #define DEFAULT_RC_ROOT_DIR_ACI \ 00337 { \ 00338 RSBAC_RC_GENERAL_TYPE, /* rc_type (RC): general fd type */ \ 00339 RC_default_root_dir_force_role, /* rc_force_role (RC): (see rc_types.h) */ \ 00340 RC_default_root_dir_initial_role, /* rc_initial_role (RC): (see rc_types.h) */ \ 00341 } 00342 #endif 00343 00344 #if defined(CONFIG_RSBAC_AUTH) 00345 #define RSBAC_AUTH_FD_ACI_VERSION 2 00346 #define RSBAC_AUTH_FD_OLD_ACI_VERSION 1 00347 #define RSBAC_AUTH_FD_ACI_KEY 1001 00348 struct rsbac_auth_fd_aci_t 00349 { 00350 __u8 auth_may_setuid; /* AUTH (boolean) */ 00351 __u8 auth_may_set_cap; /* AUTH (boolean) */ 00352 __u8 auth_learn; /* AUTH (boolean) */ 00353 }; 00354 00355 struct rsbac_auth_fd_old_aci_t 00356 { 00357 __u8 auth_may_setuid; /* AUTH (boolean) */ 00358 __u8 auth_may_set_cap; /* AUTH (boolean) */ 00359 }; 00360 00361 #define DEFAULT_AUTH_FD_ACI \ 00362 { \ 00363 FALSE, /* auth_may_setuid (AUTH): program may not setuid to any */ \ 00364 FALSE, /* auth_may_set_cap (AUTH): program may not set setuid */ \ 00365 /* capabilities for other processes */ \ 00366 FALSE /* no learning by default */ \ 00367 } 00368 #endif 00369 00370 #if defined(CONFIG_RSBAC_CAP) 00371 #define RSBAC_CAP_FD_ACI_VERSION 1 00372 #define RSBAC_CAP_FD_ACI_KEY 1001 00373 struct rsbac_cap_fd_aci_t 00374 { 00375 rsbac_cap_vector_t min_caps; /* Program forced minimum Linux capabilities */ 00376 rsbac_cap_vector_t max_caps; /* Program max Linux capabilities */ 00377 }; 00378 #define DEFAULT_CAP_FD_ACI \ 00379 { \ 00380 0, /* min_caps (none) */ \ 00381 (rsbac_cap_vector_t) -1 /* max_caps (all) */ \ 00382 } 00383 #endif 00384 00385 #if defined(CONFIG_RSBAC_PAX) 00386 #define RSBAC_PAX_FD_ACI_VERSION 1 00387 #define RSBAC_PAX_FD_ACI_KEY 100112 00388 #endif 00389 00390 #if defined(CONFIG_RSBAC_RES) 00391 #define RSBAC_RES_FD_ACI_VERSION 1 00392 #define RSBAC_RES_FD_ACI_KEY 1002 00393 struct rsbac_res_fd_aci_t 00394 { 00395 rsbac_res_array_t res_min; 00396 rsbac_res_array_t res_max; 00397 }; 00398 #define DEFAULT_RES_FD_ACI \ 00399 { \ 00400 { \ 00401 RSBAC_RES_UNSET, /* cpu time */ \ 00402 RSBAC_RES_UNSET, /* file size */ \ 00403 RSBAC_RES_UNSET, /* process data segment size */ \ 00404 RSBAC_RES_UNSET, /* stack size */ \ 00405 RSBAC_RES_UNSET, /* core dump size */ \ 00406 RSBAC_RES_UNSET, /* resident memory set size */ \ 00407 RSBAC_RES_UNSET, /* number of processes for this user */ \ 00408 RSBAC_RES_UNSET, /* number of files */ \ 00409 RSBAC_RES_UNSET, /* locked-in-memory address space */ \ 00410 RSBAC_RES_UNSET, /* address space (virtual memory) limit */ \ 00411 RSBAC_RES_UNSET /* maximum file locks */ \ 00412 }, \ 00413 { \ 00414 RSBAC_RES_UNSET, /* cpu time */ \ 00415 RSBAC_RES_UNSET, /* file size */ \ 00416 RSBAC_RES_UNSET, /* process data segment size */ \ 00417 RSBAC_RES_UNSET, /* stack size */ \ 00418 RSBAC_RES_UNSET, /* core dump size */ \ 00419 RSBAC_RES_UNSET, /* resident memory set size */ \ 00420 RSBAC_RES_UNSET, /* number of processes for this user */ \ 00421 RSBAC_RES_UNSET, /* number of files */ \ 00422 RSBAC_RES_UNSET, /* locked-in-memory address space */ \ 00423 RSBAC_RES_UNSET, /* address space (virtual memory) limit */ \ 00424 RSBAC_RES_UNSET /* maximum file locks */ \ 00425 } \ 00426 } 00427 #endif 00428 00429 #define RSBAC_FD_NR_ATTRIBUTES 31 00430 #define RSBAC_FD_ATTR_LIST { \ 00431 A_security_level, \ 00432 A_mac_categories, \ 00433 A_mac_auto, \ 00434 A_mac_prop_trusted, \ 00435 A_mac_file_flags, \ 00436 A_object_category, \ 00437 A_data_type, \ 00438 A_pm_object_class, \ 00439 A_pm_tp, \ 00440 A_pm_object_type, \ 00441 A_daz_scanner, \ 00442 A_ff_flags, \ 00443 A_rc_type_fd, \ 00444 A_rc_force_role, \ 00445 A_rc_initial_role, \ 00446 A_auth_may_setuid, \ 00447 A_auth_may_set_cap, \ 00448 A_auth_learn, \ 00449 A_log_array_low, \ 00450 A_log_array_high, \ 00451 A_log_program_based, \ 00452 A_symlink_add_uid, \ 00453 A_symlink_add_mac_level, \ 00454 A_symlink_add_rc_role, \ 00455 A_linux_dac_disable, \ 00456 A_min_caps, \ 00457 A_max_caps, \ 00458 A_res_min, \ 00459 A_res_max, \ 00460 A_pax_flags, \ 00461 A_fake_root_uid \ 00462 } 00463 00464 #ifdef __KERNEL__ 00465 struct rsbac_fd_list_handles_t 00466 { 00467 rsbac_list_handle_t gen[RSBAC_GEN_NR_FD_LISTS]; 00468 #if defined(CONFIG_RSBAC_MAC) 00469 rsbac_list_handle_t mac[RSBAC_MAC_NR_FD_LISTS]; 00470 #endif 00471 #if defined(CONFIG_RSBAC_FC) 00472 rsbac_list_handle_t fc[RSBAC_FC_NR_FD_LISTS]; 00473 #endif 00474 #if defined(CONFIG_RSBAC_SIM) 00475 rsbac_list_handle_t sim[RSBAC_SIM_NR_FD_LISTS]; 00476 #endif 00477 #if defined(CONFIG_RSBAC_PM) 00478 rsbac_list_handle_t pm[RSBAC_PM_NR_FD_LISTS]; 00479 #endif 00480 #if defined(CONFIG_RSBAC_DAZ) 00481 rsbac_list_handle_t daz[RSBAC_DAZ_NR_FD_LISTS]; 00482 #if defined(CONFIG_RSBAC_DAZ_CACHE) 00483 rsbac_list_handle_t dazs[RSBAC_DAZ_SCANNED_NR_FD_LISTS]; 00484 #endif 00485 #endif 00486 #if defined(CONFIG_RSBAC_FF) 00487 rsbac_list_handle_t ff[RSBAC_FF_NR_FD_LISTS]; 00488 #endif 00489 #if defined(CONFIG_RSBAC_RC) 00490 rsbac_list_handle_t rc[RSBAC_RC_NR_FD_LISTS]; 00491 #endif 00492 #if defined(CONFIG_RSBAC_AUTH) 00493 rsbac_list_handle_t auth[RSBAC_AUTH_NR_FD_LISTS]; 00494 #endif 00495 #if defined(CONFIG_RSBAC_CAP) 00496 rsbac_list_handle_t cap[RSBAC_CAP_NR_FD_LISTS]; 00497 #endif 00498 #if defined(CONFIG_RSBAC_PAX) 00499 rsbac_list_handle_t pax[RSBAC_PAX_NR_FD_LISTS]; 00500 #endif 00501 #if defined(CONFIG_RSBAC_RES) 00502 rsbac_list_handle_t res[RSBAC_RES_NR_FD_LISTS]; 00503 #endif 00504 }; 00505 00506 /* The list of devices is also a double linked list, so we define list */ 00507 /* itedaz and a list head. */ 00508 00509 struct rsbac_device_list_item_t 00510 { 00511 kdev_t id; 00512 struct dentry * d_covers; 00513 u_int mount_count; 00514 struct rsbac_fd_list_handles_t handles; 00515 struct dentry * rsbac_dir_dentry_p; 00516 struct super_block * sb_p; 00517 rsbac_inode_nr_t rsbac_dir_inode; 00518 struct rsbac_device_list_item_t * prev; 00519 struct rsbac_device_list_item_t * next; 00520 }; 00521 00522 /* To provide consistency we use spinlocks for all list accesses. The */ 00523 /* 'curr' entry is used to avoid repeated lookups for the same item. */ 00524 00525 struct rsbac_device_list_head_t 00526 { 00527 struct rsbac_device_list_item_t * head; 00528 struct rsbac_device_list_item_t * tail; 00529 struct rsbac_device_list_item_t * curr; 00530 rwlock_t lock; 00531 u_int count; 00532 }; 00533 00534 #endif /* __KERNEL__ */ 00535 00536 /******************************/ 00537 /* OK, now we define the block/char device ACI, holding all dev information */ 00538 /* the ADF needs for decisions. */ 00539 00540 #define RSBAC_GEN_ACI_DEV_NAME "dev_gen" 00541 #define RSBAC_MAC_ACI_DEV_NAME "dev_mac" 00542 #define RSBAC_FC_ACI_DEV_NAME "dev_fc" 00543 #define RSBAC_SIM_ACI_DEV_NAME "dev_sim" 00544 #define RSBAC_PM_ACI_DEV_NAME "dev_pm" 00545 #define RSBAC_RC_ACI_DEV_NAME "dev_rc" 00546 00547 /* Caution: whenever ACI changes, version should be increased! */ 00548 00549 #define RSBAC_GEN_DEV_ACI_VERSION 2 00550 #define RSBAC_GEN_DEV_OLD_ACI_VERSION 1 00551 #define RSBAC_GEN_DEV_ACI_KEY 1001 00552 00553 struct rsbac_gen_dev_aci_t 00554 { 00555 rsbac_log_array_t log_array_low; /* dev based logging, */ 00556 rsbac_log_array_t log_array_high; /* high and low bits */ 00557 }; 00558 #define DEFAULT_GEN_DEV_ACI \ 00559 { \ 00560 -1, /* log_array_low (adf) (log request based) */ \ 00561 -1 /* log_array_high (adf) (log request based) */ \ 00562 } 00563 00564 #if defined(CONFIG_RSBAC_MAC) 00565 #define RSBAC_MAC_DEV_ACI_VERSION 2 00566 #define RSBAC_MAC_DEV_OLD_ACI_VERSION 1 00567 #define RSBAC_MAC_DEV_ACI_KEY 1001 00568 struct rsbac_mac_dev_aci_t 00569 { 00570 rsbac_security_level_t sec_level; /* MAC */ 00571 rsbac_mac_category_vector_t mac_categories; /* MAC category set */ 00572 __u8 mac_check; /* MAC (boolean) */ 00573 }; 00574 #define DEFAULT_MAC_DEV_ACI \ 00575 { \ 00576 SL_unclassified, /* security_level (MAC) */ \ 00577 RSBAC_MAC_DEF_CAT_VECTOR, /* mac_categories (MAC) */ \ 00578 FALSE /* mac_check (MAC) */ \ 00579 } 00580 #endif 00581 00582 #if defined(CONFIG_RSBAC_FC) 00583 #define RSBAC_FC_DEV_ACI_VERSION 2 00584 #define RSBAC_FC_DEV_OLD_ACI_VERSION 1 00585 #define RSBAC_FC_DEV_ACI_KEY 1001 00586 #endif 00587 00588 #if defined(CONFIG_RSBAC_SIM) 00589 #define RSBAC_SIM_DEV_ACI_VERSION 2 00590 #define RSBAC_SIM_DEV_OLD_ACI_VERSION 1 00591 #define RSBAC_SIM_DEV_ACI_KEY 1001 00592 #endif 00593 00594 #if defined(CONFIG_RSBAC_PM) 00595 #define RSBAC_PM_DEV_ACI_VERSION 2 00596 #define RSBAC_PM_DEV_OLD_ACI_VERSION 1 00597 #define RSBAC_PM_DEV_ACI_KEY 1001 00598 struct rsbac_pm_dev_aci_t 00599 { 00600 rsbac_pm_object_type_int_t pm_object_type; /* PM (enum rsbac_pm_object_type_t) */ 00601 rsbac_pm_object_class_id_t pm_object_class; /* dev only */ 00602 }; 00603 00604 #define DEFAULT_PM_DEV_ACI \ 00605 { \ 00606 PO_none, /* pm_object_type (PM) */ \ 00607 0 /* pm_object_class_id (PM) */ \ 00608 } 00609 #endif 00610 00611 #if defined(CONFIG_RSBAC_RC) 00612 #define RSBAC_RC_DEV_ACI_VERSION 2 00613 #define RSBAC_RC_DEV_OLD_ACI_VERSION 1 00614 #define RSBAC_RC_DEV_ACI_KEY 1001 00615 #endif 00616 00617 #define RSBAC_DEV_NR_ATTRIBUTES 10 00618 #define RSBAC_DEV_ATTR_LIST { \ 00619 A_security_level, \ 00620 A_mac_categories, \ 00621 A_object_category, \ 00622 A_data_type, \ 00623 A_mac_check, \ 00624 A_pm_object_type, \ 00625 A_pm_object_class, \ 00626 A_rc_type, \ 00627 A_log_array_low, \ 00628 A_log_array_high \ 00629 } 00630 00631 #ifdef __KERNEL__ 00632 struct rsbac_dev_handles_t 00633 { 00634 rsbac_list_handle_t gen; 00635 #if defined(CONFIG_RSBAC_MAC) 00636 rsbac_list_handle_t mac; 00637 #endif 00638 #if defined(CONFIG_RSBAC_FC) 00639 rsbac_list_handle_t fc; 00640 #endif 00641 #if defined(CONFIG_RSBAC_SIM) 00642 rsbac_list_handle_t sim; 00643 #endif 00644 #if defined(CONFIG_RSBAC_PM) 00645 rsbac_list_handle_t pm; 00646 #endif 00647 #if defined(CONFIG_RSBAC_RC) 00648 rsbac_list_handle_t rc; 00649 #endif 00650 }; 00651 #endif /* __KERNEL__ */ 00652 00653 /**************************************************************************/ 00654 /* Next we define the ipc ACI, holding all ipc information */ 00655 /* the ADF needs for decisions. */ 00656 00657 #define RSBAC_MAC_ACI_IPC_NAME "ipc_mac" 00658 #define RSBAC_FC_ACI_IPC_NAME "ipc_fc" 00659 #define RSBAC_SIM_ACI_IPC_NAME "ipc_sim" 00660 #define RSBAC_PM_ACI_IPC_NAME "ipc_pm" 00661 #define RSBAC_RC_ACI_IPC_NAME "ipc_rc" 00662 #define RSBAC_JAIL_ACI_IPC_NAME "ipc_jai" 00663 00664 #if defined(CONFIG_RSBAC_MAC) 00665 #define RSBAC_MAC_IPC_ACI_VERSION 1 00666 #define RSBAC_MAC_IPC_ACI_KEY 1001 00667 struct rsbac_mac_ipc_aci_t 00668 { 00669 rsbac_security_level_t sec_level; /* enum old_rsbac_security_level_t / __u8 */ 00670 rsbac_mac_category_vector_t mac_categories; /* MAC category set */ 00671 }; 00672 #define DEFAULT_MAC_IPC_ACI \ 00673 { \ 00674 SL_unclassified, /* security_level (MAC) */ \ 00675 RSBAC_MAC_DEF_CAT_VECTOR /* mac_categories (MAC) */ \ 00676 } 00677 #endif 00678 00679 #if defined(CONFIG_RSBAC_FC) 00680 #define RSBAC_FC_IPC_ACI_VERSION 1 00681 #define RSBAC_FC_IPC_ACI_KEY 1001 00682 #endif 00683 00684 #if defined(CONFIG_RSBAC_SIM) 00685 #define RSBAC_SIM_IPC_ACI_VERSION 1 00686 #define RSBAC_SIM_IPC_ACI_KEY 1001 00687 #endif 00688 00689 #if defined(CONFIG_RSBAC_PM) 00690 #define RSBAC_PM_IPC_ACI_VERSION 1 00691 #define RSBAC_PM_IPC_ACI_KEY 1001 00692 struct rsbac_pm_ipc_aci_t 00693 { 00694 rsbac_pm_object_class_id_t pm_object_class; /* ipc only */ 00695 rsbac_pm_purpose_id_t pm_ipc_purpose; 00696 rsbac_pm_object_type_int_t pm_object_type; /* enum rsbac_pm_object_type_t */ 00697 }; 00698 #define DEFAULT_PM_IPC_ACI \ 00699 { \ 00700 RSBAC_PM_IPC_OBJECT_CLASS_ID, /* pm_object_class_id (PM) */ \ 00701 0, /* pm_ipc_purpose (PM) */ \ 00702 PO_ipc /* pm_object_type (PM) */ \ 00703 } 00704 #endif 00705 00706 #if defined(CONFIG_RSBAC_RC) 00707 #define RSBAC_RC_IPC_ACI_VERSION 1 00708 #define RSBAC_RC_IPC_ACI_KEY 1001 00709 #endif 00710 00711 #if defined(CONFIG_RSBAC_JAIL) 00712 #define RSBAC_JAIL_IPC_ACI_VERSION 1 00713 #define RSBAC_JAIL_IPC_ACI_KEY 1001 00714 #endif 00715 00716 #define RSBAC_IPC_NR_ATTRIBUTES 9 00717 #define RSBAC_IPC_ATTR_LIST { \ 00718 A_security_level, \ 00719 A_mac_categories, \ 00720 A_object_category, \ 00721 A_data_type, \ 00722 A_pm_object_class, \ 00723 A_pm_ipc_purpose, \ 00724 A_pm_object_type, \ 00725 A_rc_type, \ 00726 A_jail_id \ 00727 } 00728 00729 #ifdef __KERNEL__ 00730 struct rsbac_ipc_handles_t 00731 { 00732 #if defined(CONFIG_RSBAC_MAC) 00733 rsbac_list_handle_t mac; 00734 #endif 00735 #if defined(CONFIG_RSBAC_FC) 00736 rsbac_list_handle_t fc; 00737 #endif 00738 #if defined(CONFIG_RSBAC_SIM) 00739 rsbac_list_handle_t sim; 00740 #endif 00741 #if defined(CONFIG_RSBAC_PM) 00742 rsbac_list_handle_t pm; 00743 #endif 00744 #if defined(CONFIG_RSBAC_RC) 00745 rsbac_list_handle_t rc; 00746 #endif 00747 #if defined(CONFIG_RSBAC_JAIL) 00748 rsbac_list_handle_t jail; 00749 #endif 00750 }; 00751 #endif /* __KERNEL__ */ 00752 00753 /*************************************/ 00754 /* The user ACI holds all user information the ADF needs. */ 00755 00756 #define RSBAC_GEN_ACI_USER_NAME "u_gen" 00757 #define RSBAC_MAC_ACI_USER_NAME "u_mac" 00758 #define RSBAC_FC_ACI_USER_NAME "u_fc" 00759 #define RSBAC_SIM_ACI_USER_NAME "u_sim" 00760 #define RSBAC_PM_ACI_USER_NAME "u_pm" 00761 #define RSBAC_DAZ_ACI_USER_NAME "u_daz" 00762 #define RSBAC_FF_ACI_USER_NAME "u_ff" 00763 #define RSBAC_RC_ACI_USER_NAME "u_rc" 00764 #define RSBAC_AUTH_ACI_USER_NAME "u_auth" 00765 #define RSBAC_CAP_ACI_USER_NAME "u_cap" 00766 #define RSBAC_JAIL_ACI_USER_NAME "u_jail" 00767 #define RSBAC_PAX_ACI_USER_NAME "u_pax" 00768 #define RSBAC_RES_ACI_USER_NAME "u_res" 00769 00770 #define RSBAC_GEN_USER_ACI_VERSION 1 00771 #define RSBAC_GEN_USER_ACI_KEY 1001 00772 struct rsbac_gen_user_aci_t 00773 { 00774 rsbac_pseudo_t pseudo; 00775 rsbac_request_vector_t log_user_based; /* User based logging */ 00776 }; 00777 #define DEFAULT_GEN_U_ACI \ 00778 { \ 00779 (rsbac_pseudo_t) 0, /* pseudo (logging) */ \ 00780 0 /* log_user_based (adf): no logging */ \ 00781 } 00782 00783 #if defined(CONFIG_RSBAC_MAC) 00784 #define RSBAC_MAC_USER_ACI_VERSION 4 00785 #define RSBAC_MAC_USER_OLD_ACI_VERSION 3 00786 #define RSBAC_MAC_USER_OLD_OLD_ACI_VERSION 2 00787 #define RSBAC_MAC_USER_OLD_OLD_OLD_ACI_VERSION 1 00788 #define RSBAC_MAC_USER_ACI_KEY 1001 00789 struct rsbac_mac_user_aci_t 00790 { 00791 rsbac_security_level_t security_level; /* maximum level */ 00792 rsbac_security_level_t initial_security_level; /* maximum level */ 00793 rsbac_security_level_t min_security_level; /* minimum level / __u8 */ 00794 rsbac_mac_category_vector_t mac_categories; /* MAC max category set */ 00795 rsbac_mac_category_vector_t mac_initial_categories; /* MAC max category set */ 00796 rsbac_mac_category_vector_t mac_min_categories; /* MAC min category set */ 00797 rsbac_system_role_int_t system_role; /* enum rsbac_system_role_t */ 00798 rsbac_mac_user_flags_t mac_user_flags; /* flags (override, trusted, allow_auto etc.) */ 00799 }; 00800 struct rsbac_mac_user_old_aci_t 00801 { 00802 rsbac_security_level_t access_appr; /* maximum level */ 00803 rsbac_security_level_t min_access_appr; /* minimum level / __u8 */ 00804 rsbac_mac_category_vector_t mac_categories; /* MAC max category set */ 00805 rsbac_mac_category_vector_t mac_min_categories; /* MAC min category set */ 00806 rsbac_system_role_int_t system_role; /* enum rsbac_system_role_t */ 00807 rsbac_boolean_int_t mac_allow_auto; /* allow to auto-adjust current level */ 00808 }; 00809 struct rsbac_mac_user_old_old_aci_t 00810 { 00811 rsbac_security_level_t access_appr; /* maximum level */ 00812 rsbac_security_level_t min_access_appr; /* minimum level / __u8 */ 00813 rsbac_mac_category_vector_t mac_categories; /* MAC max category set */ 00814 rsbac_mac_category_vector_t mac_min_categories; /* MAC min category set */ 00815 rsbac_system_role_int_t system_role; /* enum rsbac_system_role_t */ 00816 }; 00817 struct rsbac_mac_user_old_old_old_aci_t 00818 { 00819 rsbac_security_level_t access_appr; /* enum old_rsbac_security_level_t / __u8 */ 00820 rsbac_mac_category_vector_t mac_categories; /* MAC category set */ 00821 rsbac_system_role_int_t system_role; /* enum rsbac_system_role_t */ 00822 }; 00823 #define DEFAULT_MAC_U_ACI \ 00824 { \ 00825 SL_unclassified, /* security_level (MAC) */ \ 00826 SL_unclassified, /* initial_security_level (MAC) */ \ 00827 SL_unclassified, /* min_security_level (MAC) */ \ 00828 RSBAC_MAC_DEF_CAT_VECTOR, /* mac_categories (MAC) */ \ 00829 RSBAC_MAC_DEF_CAT_VECTOR, /* mac_initial_categories (MAC) */ \ 00830 RSBAC_MAC_MIN_CAT_VECTOR, /* mac_min_categories (MAC) */ \ 00831 SR_user, /* system_role (MAC) */ \ 00832 RSBAC_MAC_DEF_U_FLAGS /* mac_user_flags */ \ 00833 } 00834 #define DEFAULT_MAC_U_SYSADM_ACI \ 00835 { \ 00836 SL_unclassified, /* security_level (MAC) */ \ 00837 SL_unclassified, /* initial_security_level (MAC) */ \ 00838 SL_unclassified, /* min_security_level (MAC) */ \ 00839 RSBAC_MAC_DEF_CAT_VECTOR, /* mac_categories (MAC) */ \ 00840 RSBAC_MAC_DEF_CAT_VECTOR, /* mac_initial_categories (MAC) */ \ 00841 RSBAC_MAC_MIN_CAT_VECTOR, /* mac_min_categories (MAC) */ \ 00842 SR_administrator, /* system_role (MAC) */ \ 00843 RSBAC_MAC_DEF_SYSADM_U_FLAGS /* mac_user_flags */ \ 00844 } 00845 #define DEFAULT_MAC_U_SECOFF_ACI \ 00846 { \ 00847 SL_unclassified, /* security_level (MAC) */ \ 00848 SL_unclassified, /* initial_security_level (MAC) */ \ 00849 SL_unclassified, /* min_security_level (MAC) */ \ 00850 RSBAC_MAC_DEF_CAT_VECTOR, /* mac_categories (MAC) */ \ 00851 RSBAC_MAC_DEF_CAT_VECTOR, /* mac_initial_categories (MAC) */ \ 00852 RSBAC_MAC_MIN_CAT_VECTOR, /* mac_min_categories (MAC) */ \ 00853 SR_security_officer, /* system_role (MAC) */ \ 00854 RSBAC_MAC_DEF_SECOFF_U_FLAGS /* mac_user_flags */ \ 00855 } 00856 #define DEFAULT_MAC_U_AUDITOR_ACI \ 00857 { \ 00858 SL_unclassified, /* security_level (MAC) */ \ 00859 SL_unclassified, /* initial_security_level (MAC) */ \ 00860 SL_unclassified, /* min_security_level (MAC) */ \ 00861 RSBAC_MAC_DEF_CAT_VECTOR, /* mac_categories (MAC) */ \ 00862 RSBAC_MAC_DEF_CAT_VECTOR, /* mac_initial_categories (MAC) */ \ 00863 RSBAC_MAC_MIN_CAT_VECTOR, /* mac_min_categories (MAC) */ \ 00864 SR_auditor, /* system_role (MAC) */ \ 00865 RSBAC_MAC_DEF_U_FLAGS /* mac_user_flags */ \ 00866 } 00867 #endif 00868 00869 #if defined(CONFIG_RSBAC_FC) 00870 #define RSBAC_FC_USER_ACI_VERSION 1 00871 #define RSBAC_FC_USER_ACI_KEY 1001 00872 #endif 00873 00874 #if defined(CONFIG_RSBAC_SIM) 00875 #define RSBAC_SIM_USER_ACI_VERSION 1 00876 #define RSBAC_SIM_USER_ACI_KEY 1001 00877 #endif 00878 00879 #if defined(CONFIG_RSBAC_PM) 00880 #define RSBAC_PM_USER_ACI_VERSION 1 00881 #define RSBAC_PM_USER_ACI_KEY 1001 00882 struct rsbac_pm_user_aci_t 00883 { 00884 rsbac_pm_task_set_id_t pm_task_set; 00885 rsbac_pm_role_int_t pm_role; /* enum rsbac_pm_role_t */ 00886 }; 00887 #define DEFAULT_PM_U_ACI \ 00888 { \ 00889 0, /* pm_task_set_id (PM) */ \ 00890 PR_user /* pm_role (PM) */ \ 00891 } 00892 #define DEFAULT_PM_U_SYSADM_ACI \ 00893 { \ 00894 0, /* pm_task_set_id (PM) */ \ 00895 PR_system_admin /* pm_role (PM) */ \ 00896 } 00897 #define DEFAULT_PM_U_SECOFF_ACI \ 00898 { \ 00899 0, /* pm_task_set_id (PM) */ \ 00900 PR_security_officer /* pm_role (PM) */ \ 00901 } 00902 #define DEFAULT_PM_U_DATAPROT_ACI \ 00903 { \ 00904 0, /* pm_task_set_id (PM) */ \ 00905 PR_data_protection_officer /* pm_role (PM) */ \ 00906 } 00907 #define DEFAULT_PM_U_TPMAN_ACI \ 00908 { \ 00909 0, /* pm_task_set_id (PM) */ \ 00910 PR_tp_manager /* pm_role (PM) */ \ 00911 } 00912 #endif 00913 00914 #if defined(CONFIG_RSBAC_DAZ) 00915 #define RSBAC_DAZ_USER_ACI_VERSION 1 00916 #define RSBAC_DAZ_USER_ACI_KEY 1001 00917 #endif 00918 00919 #if defined(CONFIG_RSBAC_FF) 00920 #define RSBAC_FF_USER_ACI_VERSION 1 00921 #define RSBAC_FF_USER_ACI_KEY 1001 00922 #endif 00923 00924 #if defined(CONFIG_RSBAC_RC) 00925 #define RSBAC_RC_USER_ACI_VERSION 2 00926 #define RSBAC_RC_USER_OLD_ACI_VERSION 1 00927 #define RSBAC_RC_USER_ACI_KEY 1001 00928 struct rsbac_rc_user_aci_t 00929 { 00930 rsbac_rc_role_id_t rc_role; 00931 rsbac_rc_type_id_t rc_type; 00932 }; 00933 #define DEFAULT_RC_U_ACI \ 00934 { \ 00935 RSBAC_RC_GENERAL_ROLE, /* rc_role (RC) */ \ 00936 RSBAC_RC_GENERAL_TYPE /* rc_type (RC) */ \ 00937 } 00938 #define DEFAULT_RC_U_SYSADM_ACI \ 00939 { \ 00940 RSBAC_RC_SYSTEM_ADMIN_ROLE, /* rc_role (RC) */ \ 00941 RSBAC_RC_SYS_TYPE /* rc_type (RC) */ \ 00942 } 00943 #define DEFAULT_RC_U_SECOFF_ACI \ 00944 { \ 00945 RSBAC_RC_ROLE_ADMIN_ROLE, /* rc_role (RC) */ \ 00946 RSBAC_RC_SEC_TYPE /* rc_type (RC) */ \ 00947 } 00948 #define DEFAULT_RC_U_AUDITOR_ACI \ 00949 { \ 00950 RSBAC_RC_AUDITOR_ROLE, /* rc_role (RC) */ \ 00951 RSBAC_RC_SEC_TYPE /* rc_type (RC) */ \ 00952 } 00953 #endif 00954 00955 #if defined(CONFIG_RSBAC_AUTH) 00956 #define RSBAC_AUTH_USER_ACI_VERSION 1 00957 #define RSBAC_AUTH_USER_ACI_KEY 1001 00958 #endif 00959 00960 #if defined(CONFIG_RSBAC_CAP) 00961 #define RSBAC_CAP_USER_ACI_VERSION 1 00962 #define RSBAC_CAP_USER_ACI_KEY 1001 00963 struct rsbac_cap_user_aci_t 00964 { 00965 rsbac_system_role_int_t cap_role; /* System role for CAP administration */ 00966 rsbac_cap_vector_t min_caps; /* User forced minimum Linux capabilities */ 00967 rsbac_cap_vector_t max_caps; /* User max Linux capabilities */ 00968 }; 00969 #define DEFAULT_CAP_U_ACI \ 00970 { \ 00971 SR_user, \ 00972 0, /* min_caps (none) */ \ 00973 (rsbac_cap_vector_t) -1 /* max_caps (all) */ \ 00974 } 00975 #define DEFAULT_CAP_U_SYSADM_ACI \ 00976 { \ 00977 SR_administrator, \ 00978 0, /* min_caps (none) */ \ 00979 -1 /* max_caps (all) */ \ 00980 } 00981 #define DEFAULT_CAP_U_SECOFF_ACI \ 00982 { \ 00983 SR_security_officer, \ 00984 0, /* min_caps (none) */ \ 00985 -1 /* max_caps (all) */ \ 00986 } 00987 #define DEFAULT_CAP_U_AUDITOR_ACI \ 00988 { \ 00989 SR_auditor, \ 00990 0, /* min_caps (none) */ \ 00991 -1 /* max_caps (all) */ \ 00992 } 00993 #endif 00994 00995 #if defined(CONFIG_RSBAC_JAIL) 00996 #define RSBAC_JAIL_USER_ACI_VERSION 1 00997 #define RSBAC_JAIL_USER_ACI_KEY 1001 00998 #endif 00999 01000 #if defined(CONFIG_RSBAC_PAX) 01001 #define RSBAC_PAX_USER_ACI_VERSION 1 01002 #define RSBAC_PAX_USER_ACI_KEY 1001221 01003 #endif 01004 01005 #if defined(CONFIG_RSBAC_RES) 01006 #define RSBAC_RES_USER_ACI_VERSION 1 01007 #define RSBAC_RES_USER_ACI_KEY 1002 01008 struct rsbac_res_user_aci_t 01009 { 01010 rsbac_system_role_int_t res_role; /* System role for RES administration */ 01011 rsbac_res_array_t res_min; 01012 rsbac_res_array_t res_max; 01013 }; 01014 #define DEFAULT_RES_U_ACI \ 01015 { \ 01016 SR_user, \ 01017 { \ 01018 RSBAC_RES_UNSET, /* cpu time */ \ 01019 RSBAC_RES_UNSET, /* file size */ \ 01020 RSBAC_RES_UNSET, /* process data segment size */ \ 01021 RSBAC_RES_UNSET, /* stack size */ \ 01022 RSBAC_RES_UNSET, /* core dump size */ \ 01023 RSBAC_RES_UNSET, /* resident memory set size */ \ 01024 RSBAC_RES_UNSET, /* number of processes for this user */ \ 01025 RSBAC_RES_UNSET, /* number of files */ \ 01026 RSBAC_RES_UNSET, /* locked-in-memory address space */ \ 01027 RSBAC_RES_UNSET, /* address space (virtual memory) limit */ \ 01028 RSBAC_RES_UNSET /* maximum file locks */ \ 01029 }, \ 01030 { \ 01031 RSBAC_RES_UNSET, /* cpu time */ \ 01032 RSBAC_RES_UNSET, /* file size */ \ 01033 RSBAC_RES_UNSET, /* process data segment size */ \ 01034 RSBAC_RES_UNSET, /* stack size */ \ 01035 RSBAC_RES_UNSET, /* core dump size */ \ 01036 RSBAC_RES_UNSET, /* resident memory set size */ \ 01037 RSBAC_RES_UNSET, /* number of processes for this user */ \ 01038 RSBAC_RES_UNSET, /* number of files */ \ 01039 RSBAC_RES_UNSET, /* locked-in-memory address space */ \ 01040 RSBAC_RES_UNSET, /* address space (virtual memory) limit */ \ 01041 RSBAC_RES_UNSET /* maximum file locks */ \ 01042 } \ 01043 } 01044 #define DEFAULT_RES_U_SYSADM_ACI \ 01045 { \ 01046 SR_administrator, \ 01047 { \ 01048 RSBAC_RES_UNSET, /* cpu time */ \ 01049 RSBAC_RES_UNSET, /* file size */ \ 01050 RSBAC_RES_UNSET, /* process data segment size */ \ 01051 RSBAC_RES_UNSET, /* stack size */ \ 01052 RSBAC_RES_UNSET, /* core dump size */ \ 01053 RSBAC_RES_UNSET, /* resident memory set size */ \ 01054 RSBAC_RES_UNSET, /* number of processes for this user */ \ 01055 RSBAC_RES_UNSET, /* number of files */ \ 01056 RSBAC_RES_UNSET, /* locked-in-memory address space */ \ 01057 RSBAC_RES_UNSET, /* address space (virtual memory) limit */ \ 01058 RSBAC_RES_UNSET /* maximum file locks */ \ 01059 }, \ 01060 { \ 01061 RSBAC_RES_UNSET, /* cpu time */ \ 01062 RSBAC_RES_UNSET, /* file size */ \ 01063 RSBAC_RES_UNSET, /* process data segment size */ \ 01064 RSBAC_RES_UNSET, /* stack size */ \ 01065 RSBAC_RES_UNSET, /* core dump size */ \ 01066 RSBAC_RES_UNSET, /* resident memory set size */ \ 01067 RSBAC_RES_UNSET, /* number of processes for this user */ \ 01068 RSBAC_RES_UNSET, /* number of files */ \ 01069 RSBAC_RES_UNSET, /* locked-in-memory address space */ \ 01070 RSBAC_RES_UNSET, /* address space (virtual memory) limit */ \ 01071 RSBAC_RES_UNSET /* maximum file locks */ \ 01072 } \ 01073 } 01074 #define DEFAULT_RES_U_SECOFF_ACI \ 01075 { \ 01076 SR_security_officer, \ 01077 { \ 01078 RSBAC_RES_UNSET, /* cpu time */ \ 01079 RSBAC_RES_UNSET, /* file size */ \ 01080 RSBAC_RES_UNSET, /* process data segment size */ \ 01081 RSBAC_RES_UNSET, /* stack size */ \ 01082 RSBAC_RES_UNSET, /* core dump size */ \ 01083 RSBAC_RES_UNSET, /* resident memory set size */ \ 01084 RSBAC_RES_UNSET, /* number of processes for this user */ \ 01085 RSBAC_RES_UNSET, /* number of files */ \ 01086 RSBAC_RES_UNSET, /* locked-in-memory address space */ \ 01087 RSBAC_RES_UNSET, /* address space (virtual memory) limit */ \ 01088 RSBAC_RES_UNSET /* maximum file locks */ \ 01089 }, \ 01090 { \ 01091 RSBAC_RES_UNSET, /* cpu time */ \ 01092 RSBAC_RES_UNSET, /* file size */ \ 01093 RSBAC_RES_UNSET, /* process data segment size */ \ 01094 RSBAC_RES_UNSET, /* stack size */ \ 01095 RSBAC_RES_UNSET, /* core dump size */ \ 01096 RSBAC_RES_UNSET, /* resident memory set size */ \ 01097 RSBAC_RES_UNSET, /* number of processes for this user */ \ 01098 RSBAC_RES_UNSET, /* number of files */ \ 01099 RSBAC_RES_UNSET, /* locked-in-memory address space */ \ 01100 RSBAC_RES_UNSET, /* address space (virtual memory) limit */ \ 01101 RSBAC_RES_UNSET /* maximum file locks */ \ 01102 } \ 01103 } 01104 #define DEFAULT_RES_U_AUDITOR_ACI \ 01105 { \ 01106 SR_auditor, \ 01107 { \ 01108 RSBAC_RES_UNSET, /* cpu time */ \ 01109 RSBAC_RES_UNSET, /* file size */ \ 01110 RSBAC_RES_UNSET, /* process data segment size */ \ 01111 RSBAC_RES_UNSET, /* stack size */ \ 01112 RSBAC_RES_UNSET, /* core dump size */ \ 01113 RSBAC_RES_UNSET, /* resident memory set size */ \ 01114 RSBAC_RES_UNSET, /* number of processes for this user */ \ 01115 RSBAC_RES_UNSET, /* number of files */ \ 01116 RSBAC_RES_UNSET, /* locked-in-memory address space */ \ 01117 RSBAC_RES_UNSET, /* address space (virtual memory) limit */ \ 01118 RSBAC_RES_UNSET /* maximum file locks */ \ 01119 }, \ 01120 { \ 01121 RSBAC_RES_UNSET, /* cpu time */ \ 01122 RSBAC_RES_UNSET, /* file size */ \ 01123 RSBAC_RES_UNSET, /* process data segment size */ \ 01124 RSBAC_RES_UNSET, /* stack size */ \ 01125 RSBAC_RES_UNSET, /* core dump size */ \ 01126 RSBAC_RES_UNSET, /* resident memory set size */ \ 01127 RSBAC_RES_UNSET, /* number of processes for this user */ \ 01128 RSBAC_RES_UNSET, /* number of files */ \ 01129 RSBAC_RES_UNSET, /* locked-in-memory address space */ \ 01130 RSBAC_RES_UNSET, /* address space (virtual memory) limit */ \ 01131 RSBAC_RES_UNSET /* maximum file locks */ \ 01132 } \ 01133 } 01134 #endif 01135 01136 01137 #define RSBAC_USER_NR_ATTRIBUTES 28 01138 #define RSBAC_USER_ATTR_LIST { \ 01139 A_pseudo, \ 01140 A_log_user_based, \ 01141 A_security_level, \ 01142 A_initial_security_level, \ 01143 A_min_security_level, \ 01144 A_mac_categories, \ 01145 A_mac_initial_categories, \ 01146 A_mac_min_categories, \ 01147 A_mac_role, \ 01148 A_mac_user_flags, \ 01149 A_fc_role, \ 01150 A_sim_role, \ 01151 A_daz_role, \ 01152 A_ff_role, \ 01153 A_auth_role, \ 01154 A_pm_task_set, \ 01155 A_pm_role, \ 01156 A_rc_def_role, \ 01157 A_min_caps, \ 01158 A_max_caps, \ 01159 A_cap_role, \ 01160 A_jail_role, \ 01161 A_res_role, \ 01162 A_pax_role \ 01163 } 01164 01165 #ifdef __KERNEL__ 01166 struct rsbac_user_handles_t 01167 { 01168 rsbac_list_handle_t gen; 01169 #if defined(CONFIG_RSBAC_MAC) 01170 rsbac_list_handle_t mac; 01171 #endif 01172 #if defined(CONFIG_RSBAC_FC) 01173 rsbac_list_handle_t fc; 01174 #endif 01175 #if defined(CONFIG_RSBAC_SIM) 01176 rsbac_list_handle_t sim; 01177 #endif 01178 #if defined(CONFIG_RSBAC_PM) 01179 rsbac_list_handle_t pm; 01180 #endif 01181 #if defined(CONFIG_RSBAC_DAZ) 01182 rsbac_list_handle_t daz; 01183 #endif 01184 #if defined(CONFIG_RSBAC_FF) 01185 rsbac_list_handle_t ff; 01186 #endif 01187 #if defined(CONFIG_RSBAC_RC) 01188 rsbac_list_handle_t rc; 01189 #endif 01190 #if defined(CONFIG_RSBAC_AUTH) 01191 rsbac_list_handle_t auth; 01192 #endif 01193 #if defined(CONFIG_RSBAC_CAP) 01194 rsbac_list_handle_t cap; 01195 #endif 01196 #if defined(CONFIG_RSBAC_JAIL) 01197 rsbac_list_handle_t jail; 01198 #endif 01199 #if defined(CONFIG_RSBAC_PAX) 01200 rsbac_list_handle_t pax; 01201 #endif 01202 #if defined(CONFIG_RSBAC_RES) 01203 rsbac_list_handle_t res; 01204 #endif 01205 }; 01206 #endif 01207 01208 /********************************/ 01209 /* Process ACI. */ 01210 01211 #define RSBAC_GEN_ACI_PROCESS_NAME "process_gen" 01212 #define RSBAC_MAC_ACI_PROCESS_NAME "process_mac." 01213 #define RSBAC_PM_ACI_PROCESS_NAME "process_pm" 01214 #define RSBAC_DAZ_ACI_PROCESS_NAME "process_daz" 01215 #define RSBAC_RC_ACI_PROCESS_NAME "process_rc." 01216 #define RSBAC_AUTH_ACI_PROCESS_NAME "process_auth" 01217 #define RSBAC_CAP_ACI_PROCESS_NAME "process_cap" 01218 #define RSBAC_JAIL_ACI_PROCESS_NAME "process_jail" 01219 01220 #define RSBAC_GEN_PROCESS_ACI_VERSION 1 01221 #define RSBAC_GEN_PROCESS_ACI_KEY 1001 01222 struct rsbac_gen_process_aci_t 01223 { 01224 rsbac_request_vector_t log_program_based; 01225 rsbac_fake_root_uid_int_t fake_root_uid; 01226 }; 01227 #define DEFAULT_GEN_P_ACI \ 01228 { \ 01229 0, /* log_program_based */ \ 01230 FR_off /* fake_rood_uid */ \ 01231 } 01232 01233 #if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT) 01234 #define RSBAC_MAC_PROCESS_ACI_VERSION 1 01235 #define RSBAC_MAC_PROCESS_ACI_KEY 1001 01236 struct rsbac_mac_process_aci_t 01237 { 01238 rsbac_security_level_t owner_sec_level; /* enum old_rsbac_security_level_t */ 01239 rsbac_security_level_t owner_initial_sec_level; /* enum old_rsbac_security_level_t */ 01240 rsbac_security_level_t owner_min_sec_level; /* enum old_rsbac_security_level_t */ 01241 rsbac_mac_category_vector_t mac_owner_categories; /* MAC category set */ 01242 rsbac_mac_category_vector_t mac_owner_initial_categories; /* MAC category set */ 01243 rsbac_mac_category_vector_t mac_owner_min_categories; /* MAC category set */ 01244 rsbac_security_level_t current_sec_level; /* enum rsbac_security_level_t */ 01245 rsbac_mac_category_vector_t mac_curr_categories; /* MAC current category set */ 01246 rsbac_security_level_t min_write_open; /* for *-property, enum rsbac_security_level_t */ 01247 rsbac_mac_category_vector_t min_write_categories; /* MAC, for *-property */ 01248 rsbac_security_level_t max_read_open; /* for *-property, enum rsbac_security_level_t */ 01249 rsbac_mac_category_vector_t max_read_categories; /* MAC, for *-property */ 01250 rsbac_mac_process_flags_t mac_process_flags; /* flags (override, trusted, auto etc.) */ 01251 }; 01252 #define DEFAULT_MAC_P_ACI \ 01253 { \ 01254 SL_unclassified, /* owner-sec-level (MAC) */ \ 01255 SL_unclassified, /* owner-initial_sec-level (MAC) */ \ 01256 SL_unclassified, /* owner-min-sec-level (MAC) */ \ 01257 RSBAC_MAC_DEF_CAT_VECTOR, /* owner_categories (MAC) */ \ 01258 RSBAC_MAC_DEF_CAT_VECTOR, /* owner_initial_categories (MAC) */ \ 01259 RSBAC_MAC_MIN_CAT_VECTOR, /* owner_min_categories (MAC) */ \ 01260 SL_unclassified, /* current-sec-level (MAC) */ \ 01261 RSBAC_MAC_DEF_CAT_VECTOR, /* mac_curr_categories (MAC) */ \ 01262 SL_max, /* min-write-open (MAC) */ \ 01263 RSBAC_MAC_MAX_CAT_VECTOR, /* min_write_categories (MAC) */ \ 01264 SL_unclassified, /* max-read-open (MAC) */ \ 01265 RSBAC_MAC_MIN_CAT_VECTOR, /* max_read_categories (MAC) */ \ 01266 RSBAC_MAC_DEF_P_FLAGS /* mac_process_flags */ \ 01267 } 01268 #define DEFAULT_MAC_P_INIT_ACI \ 01269 { \ 01270 SL_unclassified, /* owner-sec-level (MAC) */ \ 01271 SL_unclassified, /* owner-initial_sec-level (MAC) */ \ 01272 SL_unclassified, /* owner-min-sec-level (MAC) */ \ 01273 RSBAC_MAC_DEF_CAT_VECTOR, /* owner_categories (MAC) */ \ 01274 RSBAC_MAC_DEF_CAT_VECTOR, /* owner_initial_categories (MAC) */ \ 01275 RSBAC_MAC_MIN_CAT_VECTOR, /* owner_min_categories (MAC) */ \ 01276 SL_unclassified, /* current-sec-level (MAC) */ \ 01277 RSBAC_MAC_DEF_CAT_VECTOR, /* mac_curr_categories (MAC) */ \ 01278 SL_max, /* min-write-open (MAC) */ \ 01279 RSBAC_MAC_MAX_CAT_VECTOR, /* min_write_categories (MAC) */ \ 01280 SL_unclassified, /* max-read-open (MAC) */ \ 01281 RSBAC_MAC_MIN_CAT_VECTOR, /* max_read_categories (MAC) */ \ 01282 RSBAC_MAC_DEF_INIT_P_FLAGS /* mac_process_flags */ \ 01283 } 01284 #endif 01285 01286 #if defined(CONFIG_RSBAC_PM) 01287 #define RSBAC_PM_PROCESS_ACI_VERSION 1 01288 #define RSBAC_PM_PROCESS_ACI_KEY 1001 01289 struct rsbac_pm_process_aci_t 01290 { 01291 rsbac_pm_tp_id_t pm_tp; 01292 rsbac_pm_task_id_t pm_current_task; 01293 rsbac_pm_process_type_int_t pm_process_type; /* enum rsbac_pm_process_type_t */ 01294 }; 01295 #define DEFAULT_PM_P_ACI \ 01296 { \ 01297 0, /* PM-TP (PM) */ \ 01298 0, /* PM-current-task (PM) */ \ 01299 PP_none /* PM-proc-type (PM) */ \ 01300 } 01301 #endif 01302 01303 #if defined(CONFIG_RSBAC_DAZ) 01304 #define RSBAC_DAZ_PROCESS_ACI_VERSION 1 01305 #define RSBAC_DAZ_PROCESS_ACI_KEY 1001 01306 struct rsbac_daz_process_aci_t 01307 { 01308 rsbac_boolean_int_t daz_scanner; /* DAZ, boolean */ 01309 }; 01310 #define DEFAULT_DAZ_P_ACI \ 01311 { \ 01312 FALSE /* daz_scanner (DAZ) */ \ 01313 } 01314 #endif 01315 01316 #if defined(CONFIG_RSBAC_RC) 01317 #define RSBAC_RC_PROCESS_ACI_VERSION 1 01318 #define RSBAC_RC_PROCESS_ACI_KEY 1001 01319 struct rsbac_rc_process_aci_t 01320 { 01321 rsbac_rc_role_id_t rc_role; /* RC */ 01322 rsbac_rc_type_id_t rc_type; /* RC */ 01323 rsbac_rc_role_id_t rc_force_role; /* RC */ 01324 }; 01325 #define DEFAULT_RC_P_ACI \ 01326 { \ 01327 RSBAC_RC_GENERAL_ROLE, /* rc_role (RC): general role */ \ 01328 RSBAC_RC_GENERAL_TYPE, /* rc_type (RC): general process type */ \ 01329 RC_default_force_role /* rc_force_role (RC): (see rc_types.h) */ \ 01330 } 01331 #define DEFAULT_RC_P_INIT_ACI \ 01332 { \ 01333 RSBAC_RC_SYSTEM_ADMIN_ROLE, /* rc_role (RC): general role */ \ 01334 RSBAC_RC_GENERAL_TYPE, /* rc_type (RC): general process type */ \ 01335 RC_default_force_role /* rc_force_role (RC): (see rc_types.h) */ \ 01336 } 01337 #define DEFAULT_RC_P_KERNEL_ACI \ 01338 { \ 01339 RSBAC_RC_SYSTEM_ADMIN_ROLE, /* rc_role (RC): general role */ \ 01340 CONFIG_RSBAC_RC_KERNEL_PROCESS_TYPE, /* rc_type (RC): kernel process type */ \ 01341 RC_default_force_role /* rc_force_role (RC): (see rc_types.h) */ \ 01342 } 01343 #endif 01344 01345 #if defined(CONFIG_RSBAC_AUTH) 01346 #define RSBAC_AUTH_PROCESS_ACI_VERSION 1 01347 #define RSBAC_AUTH_PROCESS_ACI_KEY 1001 01348 struct rsbac_auth_process_aci_t 01349 { 01350 __u8 auth_may_setuid; /* AUTH (boolean) */ 01351 __u8 auth_may_set_cap; /* AUTH (boolean) */ 01352 #if defined(CONFIG_RSBAC_AUTH_LEARN) && defined(__KERNEL__) 01353 struct rsbac_fs_file_t auth_program_file; 01354 rsbac_uid_t auth_start_uid; 01355 __u8 auth_learn; /* AUTH (boolean) */ 01356 #endif 01357 }; 01358 01359 #if defined(CONFIG_RSBAC_AUTH_LEARN) 01360 #define DEFAULT_AUTH_P_ACI \ 01361 { \ 01362 FALSE, /* auth_may_setuid (AUTH): program may not setuid to any */ \ 01363 FALSE, /* auth_may_set_cap (AUTH): program may not set setuid */ \ 01364 /* capabilities for other processes */ \ 01365 { RSBAC_ZERO_DEV, 0, NULL }, \ 01366 0 \ 01367 } 01368 #else 01369 #define DEFAULT_AUTH_P_ACI \ 01370 { \ 01371 FALSE, /* auth_may_setuid (AUTH): program may not setuid to any */ \ 01372 FALSE /* auth_may_set_cap (AUTH): program may not set setuid */ \ 01373 /* capabilities for other processes */ \ 01374 } 01375 #endif 01376 #endif 01377 01378 01379 #if defined(CONFIG_RSBAC_CAP) 01380 #define RSBAC_CAP_PROCESS_ACI_VERSION 1 01381 #define RSBAC_CAP_PROCESS_ACI_KEY 1001 01382 struct rsbac_cap_process_aci_t 01383 { 01384 rsbac_cap_process_hiding_int_t cap_process_hiding; 01385 }; 01386 #define DEFAULT_CAP_P_ACI \ 01387 { \ 01388 PH_off /* cap_process_hiding */ \ 01389 } 01390 #endif 01391 01392 #if defined(CONFIG_RSBAC_JAIL) 01393 #define RSBAC_JAIL_PROCESS_ACI_VERSION 1 01394 #define RSBAC_JAIL_PROCESS_ACI_KEY 1001 01395 struct rsbac_jail_process_aci_t 01396 { 01397 rsbac_jail_id_t id; 01398 rsbac_jail_ip_t ip; 01399 rsbac_jail_flags_t flags; 01400 rsbac_cap_vector_t max_caps; /* Program max Linux capabilities */ 01401 }; 01402 #define DEFAULT_JAIL_P_ACI \ 01403 { \ 01404 0, /* jail_id (JAIL): process is not jailed */ \ 01405 0, /* jail_ip (JAIL): process is not IP bound */ \ 01406 0, /* jail_flags (JAIL): process has no flags */ \ 01407 -1 /* jail_max_caps (JAIL): process may have all caps */ \ 01408 } 01409 #endif 01410 01411 #define RSBAC_PROCESS_NR_ATTRIBUTES 28 01412 #define RSBAC_PROCESS_ATTR_LIST { \ 01413 A_security_level, \ 01414 A_min_security_level, \ 01415 A_mac_categories, \ 01416 A_mac_min_categories, \ 01417 A_current_sec_level, \ 01418 A_mac_curr_categories, \ 01419 A_min_write_open, \ 01420 A_min_write_categories, \ 01421 A_max_read_open, \ 01422 A_max_read_categories, \ 01423 A_mac_process_flags, \ 01424 A_pm_tp, \ 01425 A_pm_current_task, \ 01426 A_pm_process_type, \ 01427 A_daz_scanner, \ 01428 A_rc_role, \ 01429 A_rc_type, \ 01430 A_rc_force_role, \ 01431 A_auth_may_setuid, \ 01432 A_auth_may_set_cap, \ 01433 A_auth_learn, \ 01434 A_cap_process_hiding, \ 01435 A_jail_id, \ 01436 A_jail_ip, \ 01437 A_jail_flags, \ 01438 A_jail_max_caps, \ 01439 A_log_program_based, \ 01440 A_fake_root_uid \ 01441 } 01442 01443 #ifdef __KERNEL__ 01444 struct rsbac_process_handles_t 01445 { 01446 rsbac_list_handle_t gen; 01447 #if defined(CONFIG_RSBAC_MAC) 01448 rsbac_list_handle_t mac[CONFIG_RSBAC_MAC_NR_P_LISTS]; 01449 #endif 01450 #if defined(CONFIG_RSBAC_PM) 01451 rsbac_list_handle_t pm; 01452 #endif 01453 #if defined(CONFIG_RSBAC_DAZ) 01454 rsbac_list_handle_t daz; 01455 #endif 01456 #if defined(CONFIG_RSBAC_RC) 01457 rsbac_list_handle_t rc[CONFIG_RSBAC_RC_NR_P_LISTS]; 01458 #endif 01459 #if defined(CONFIG_RSBAC_AUTH) 01460 rsbac_list_handle_t auth; 01461 #endif 01462 #if defined(CONFIG_RSBAC_CAP) 01463 rsbac_list_handle_t cap; 01464 #endif 01465 #if defined(CONFIG_RSBAC_JAIL) 01466 rsbac_list_handle_t jail[CONFIG_RSBAC_JAIL_NR_P_LISTS]; 01467 #endif 01468 }; 01469 #endif /* __KERNEL__ */ 01470 01471 01472 /********************************/ 01473 /* NETDEV ACI */ 01474 01475 #define RSBAC_GEN_ACI_NETDEV_NAME "nd_gen" 01476 #define RSBAC_RC_ACI_NETDEV_NAME "nd_rc" 01477 01478 #define RSBAC_GEN_NETDEV_ACI_VERSION 1 01479 #define RSBAC_GEN_NETDEV_ACI_KEY 1001 01480 struct rsbac_gen_netdev_aci_t 01481 { 01482 rsbac_log_array_t log_array_low; /* netdev based logging, */ 01483 rsbac_log_array_t log_array_high; /* high and low bits */ 01484 }; 01485 #define DEFAULT_GEN_NETDEV_ACI \ 01486 { \ 01487 -1, /* log_array_low (log request based) */ \ 01488 -1 /* log_array_high (log request based) */ \ 01489 } 01490 01491 #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT) 01492 #define RSBAC_RC_NETDEV_ACI_VERSION 1 01493 #define RSBAC_RC_NETDEV_ACI_KEY 1001 01494 #endif 01495 01496 #define RSBAC_NETDEV_NR_ATTRIBUTES 3 01497 #define RSBAC_NETDEV_ATTR_LIST { \ 01498 A_rc_type, \ 01499 A_log_array_low, \ 01500 A_log_array_high \ 01501 } 01502 01503 #ifdef __KERNEL__ 01504 struct rsbac_netdev_handles_t 01505 { 01506 #if defined(CONFIG_RSBAC_IND_NETDEV_LOG) 01507 rsbac_list_handle_t gen; 01508 #endif 01509 #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT) 01510 rsbac_list_handle_t rc; 01511 #endif 01512 }; 01513 #endif /* __KERNEL__ */ 01514 01515 /********************************/ 01516 /* NETTEMP ACI */ 01517 01518 #define RSBAC_GEN_ACI_NETTEMP_NAME "nt_gen" 01519 #define RSBAC_MAC_ACI_NETTEMP_NAME "nt_mac" 01520 #define RSBAC_FC_ACI_NETTEMP_NAME "nt_fc" 01521 #define RSBAC_SIM_ACI_NETTEMP_NAME "nt_sim" 01522 #define RSBAC_PM_ACI_NETTEMP_NAME "nt_pm" 01523 #define RSBAC_RC_ACI_NETTEMP_NAME "nt_rc" 01524 01525 #define RSBAC_MAC_ACI_LNETOBJ_NAME "lnetobj_mac" 01526 #define RSBAC_FC_ACI_LNETOBJ_NAME "lnetobj_fc" 01527 #define RSBAC_SIM_ACI_LNETOBJ_NAME "lnetobj_sim" 01528 #define RSBAC_PM_ACI_LNETOBJ_NAME "lnetobj_pm" 01529 #define RSBAC_RC_ACI_LNETOBJ_NAME "lnetobj_rc" 01530 #define RSBAC_MAC_ACI_RNETOBJ_NAME "rnetobj_mac" 01531 #define RSBAC_FC_ACI_RNETOBJ_NAME "rnetobj_fc" 01532 #define RSBAC_SIM_ACI_RNETOBJ_NAME "rnetobj_sim" 01533 #define RSBAC_PM_ACI_RNETOBJ_NAME "rnetobj_pm" 01534 #define RSBAC_RC_ACI_RNETOBJ_NAME "rnetobj_rc" 01535 01536 #define RSBAC_GEN_NETOBJ_ACI_VERSION 1 01537 #define RSBAC_GEN_NETOBJ_ACI_KEY 1001 01538 struct rsbac_gen_netobj_aci_t 01539 { 01540 rsbac_log_array_t log_array_low; /* nettemp/netobj based logging, */ 01541 rsbac_log_array_t log_array_high; /* high and low bits */ 01542 }; 01543 #define DEFAULT_GEN_NETOBJ_ACI \ 01544 { \ 01545 -1, /* log_array_low (log request based) */ \ 01546 -1 /* log_array_high (log request based) */ \ 01547 } 01548 01549 #if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT) 01550 #define RSBAC_MAC_NETOBJ_ACI_VERSION 1 01551 #define RSBAC_MAC_NETOBJ_ACI_KEY 1001 01552 struct rsbac_mac_netobj_aci_t 01553 { 01554 rsbac_security_level_t sec_level; /* enum old_rsbac_security_level_t / __u8 */ 01555 rsbac_mac_category_vector_t mac_categories; /* MAC category set */ 01556 }; 01557 #define DEFAULT_MAC_NETOBJ_ACI \ 01558 { \ 01559 SL_unclassified, /* security_level (MAC) */ \ 01560 RSBAC_MAC_DEF_CAT_VECTOR /* mac_categories (MAC) */ \ 01561 } 01562 #endif 01563 01564 #if defined(CONFIG_RSBAC_FC) || defined(CONFIG_RSBAC_FC_MAINT) 01565 #define RSBAC_FC_NETOBJ_ACI_VERSION 1 01566 #define RSBAC_FC_NETOBJ_ACI_KEY 1001 01567 #endif 01568 01569 #if defined(CONFIG_RSBAC_SIM) || defined(CONFIG_RSBAC_SIM_MAINT) 01570 #define RSBAC_SIM_NETOBJ_ACI_VERSION 1 01571 #define RSBAC_SIM_NETOBJ_ACI_KEY 1001 01572 #endif 01573 01574 #if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT) 01575 #define RSBAC_PM_NETOBJ_ACI_VERSION 1 01576 #define RSBAC_PM_NETOBJ_ACI_KEY 1001 01577 struct rsbac_pm_netobj_aci_t 01578 { 01579 rsbac_pm_object_class_id_t pm_object_class; /* netobj only */ 01580 rsbac_pm_purpose_id_t pm_ipc_purpose; 01581 rsbac_pm_object_type_int_t pm_object_type; /* enum rsbac_pm_object_type_t */ 01582 }; 01583 #define DEFAULT_PM_NETOBJ_ACI \ 01584 { \ 01585 RSBAC_PM_IPC_OBJECT_CLASS_ID, /* pm_object_class_id (PM) */ \ 01586 0, /* pm_ipc_purpose (PM) */ \ 01587 PO_ipc /* pm_object_type (PM) */ \ 01588 } 01589 #endif 01590 01591 #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT) 01592 #define RSBAC_RC_NETOBJ_ACI_VERSION 1 01593 #define RSBAC_RC_NETOBJ_ACI_KEY 1001 01594 #define RSBAC_RC_NETTEMP_ACI_VERSION 1 01595 #define RSBAC_RC_NETTEMP_ACI_KEY 1002 01596 01597 struct rsbac_rc_nettemp_aci_t 01598 { 01599 rsbac_rc_type_id_t netobj_type; /* type inherited to netobj */ 01600 rsbac_rc_type_id_t nettemp_type; /* type of this tenplate */ 01601 }; 01602 #define DEFAULT_RC_NETTEMP_ACI \ 01603 { \ 01604 RSBAC_RC_GENERAL_TYPE, \ 01605 RSBAC_RC_GENERAL_TYPE \ 01606 } 01607 #endif 01608 01609 #define RSBAC_NETTEMP_NR_ATTRIBUTES 11 01610 #define RSBAC_NETTEMP_ATTR_LIST { \ 01611 A_security_level, \ 01612 A_mac_categories, \ 01613 A_object_category, \ 01614 A_data_type, \ 01615 A_pm_object_class, \ 01616 A_pm_ipc_purpose, \ 01617 A_pm_object_type, \ 01618 A_rc_type, \ 01619 A_rc_type_nt, \ 01620 A_log_array_low, \ 01621 A_log_array_high \ 01622 } 01623 01624 #define RSBAC_NETOBJ_NR_ATTRIBUTES 20 01625 #define RSBAC_NETOBJ_ATTR_LIST { \ 01626 A_local_sec_level, \ 01627 A_remote_sec_level, \ 01628 A_local_mac_categories, \ 01629 A_remote_mac_categories, \ 01630 A_local_object_category, \ 01631 A_remote_object_category, \ 01632 A_local_data_type, \ 01633 A_remote_data_type, \ 01634 A_local_pm_object_class, \ 01635 A_remote_pm_object_class, \ 01636 A_local_pm_ipc_purpose, \ 01637 A_remote_pm_ipc_purpose, \ 01638 A_local_pm_object_type, \ 01639 A_remote_pm_object_type, \ 01640 A_local_rc_type, \ 01641 A_remote_rc_type, \ 01642 A_local_log_array_low, \ 01643 A_remote_log_array_low, \ 01644 A_local_log_array_high, \ 01645 A_remote_log_array_high \ 01646 } 01647 01648 #ifdef __KERNEL__ 01649 struct rsbac_nettemp_handles_t 01650 { 01651 #if defined(CONFIG_RSBAC_IND_NETOBJ_LOG) 01652 rsbac_list_handle_t gen; 01653 #endif 01654 #if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT) 01655 rsbac_list_handle_t mac; 01656 #endif 01657 #if defined(CONFIG_RSBAC_FC) || defined(CONFIG_RSBAC_FC_MAINT) 01658 rsbac_list_handle_t fc; 01659 #endif 01660 #if defined(CONFIG_RSBAC_SIM) || defined(CONFIG_RSBAC_SIM_MAINT) 01661 rsbac_list_handle_t sim; 01662 #endif 01663 #if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT) 01664 rsbac_list_handle_t pm; 01665 #endif 01666 #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT) 01667 rsbac_list_handle_t rc; 01668 #endif 01669 }; 01670 01671 struct rsbac_lnetobj_handles_t 01672 { 01673 #if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT) 01674 rsbac_list_handle_t mac; 01675 #endif 01676 #if defined(CONFIG_RSBAC_FC) || defined(CONFIG_RSBAC_FC_MAINT) 01677 rsbac_list_handle_t fc; 01678 #endif 01679 #if defined(CONFIG_RSBAC_SIM) || defined(CONFIG_RSBAC_SIM_MAINT) 01680 rsbac_list_handle_t sim; 01681 #endif 01682 #if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT) 01683 rsbac_list_handle_t pm; 01684 #endif 01685 #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT) 01686 rsbac_list_handle_t rc; 01687 #endif 01688 }; 01689 struct rsbac_rnetobj_handles_t 01690 { 01691 #if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT) 01692 rsbac_list_handle_t mac; 01693 #endif 01694 #if defined(CONFIG_RSBAC_FC) || defined(CONFIG_RSBAC_FC_MAINT) 01695 rsbac_list_handle_t fc; 01696 #endif 01697 #if defined(CONFIG_RSBAC_SIM) || defined(CONFIG_RSBAC_SIM_MAINT) 01698 rsbac_list_handle_t sim; 01699 #endif 01700 #if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT) 01701 rsbac_list_handle_t pm; 01702 #endif 01703 #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT) 01704 rsbac_list_handle_t rc; 01705 #endif 01706 }; 01707 #endif /* __KERNEL__ */ 01708 01709 01710 /**********************************************/ 01711 /* Declarations */ 01712 /**********************************************/ 01713 01714 #ifdef __KERNEL__ 01715 extern kdev_t rsbac_root_dev; 01716 01717 int rsbac_read_open (char *, 01718 struct file *, /* file */ 01719 kdev_t); 01720 01721 int rsbac_write_open(char *, 01722 struct file *, /* file */ 01723 kdev_t); 01724 01725 void rsbac_read_close(struct file *); 01726 01727 void rsbac_write_close(struct file *); 01728 01729 extern struct semaphore rsbac_write_sem; 01730 01731 /**********************************************/ 01732 /* Locks */ 01733 /**********************************************/ 01734 01735 extern inline void rsbac_read_lock(rwlock_t * lock_p, u_long * flags_p) 01736 { 01737 read_lock(lock_p); 01738 }; 01739 01740 extern inline void rsbac_read_unlock(rwlock_t * lock_p, u_long * flags_p) 01741 { 01742 read_unlock(lock_p); 01743 }; 01744 01745 extern inline void rsbac_write_lock(rwlock_t * lock_p, u_long * flags_p) 01746 { 01747 write_lock(lock_p); 01748 }; 01749 01750 extern inline void rsbac_write_unlock(rwlock_t * lock_p, u_long * flags_p) 01751 { 01752 write_unlock(lock_p); 01753 }; 01754 01755 extern inline void rsbac_write_lock_irq(rwlock_t * lock_p, u_long * flags_p) 01756 { 01757 write_lock_irq(lock_p); 01758 }; 01759 01760 extern inline void rsbac_write_unlock_irq(rwlock_t * lock_p, u_long * flags_p) 01761 { 01762 write_unlock_irq(lock_p); 01763 }; 01764 01765 #endif /* __KERNEL__ */ 01766 01767 /**********************************************/ 01768 /* External Declarations */ 01769 /**********************************************/ 01770 01771 #ifdef __KERNEL__ 01772 01773 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 01774 static inline struct dentry *lock_parent(struct dentry *dentry) 01775 { 01776 struct dentry *dir = dget(dentry->d_parent); 01777 01778 down(&dir->d_inode->i_sem); 01779 return dir; 01780 } 01781 01782 static inline void unlock_dir(struct dentry *dir) 01783 { 01784 up(&dir->d_inode->i_sem); 01785 dput(dir); 01786 } 01787 01788 static inline void double_down(struct semaphore *s1, struct semaphore *s2) 01789 { 01790 if (s1 != s2) { 01791 if ((unsigned long) s1 < (unsigned long) s2) { 01792 struct semaphore *tmp = s2; 01793 s2 = s1; s1 = tmp; 01794 } 01795 down(s1); 01796 } 01797 down(s2); 01798 } 01799 01800 static inline void double_up(struct semaphore *s1, struct semaphore *s2) 01801 { 01802 up(s1); 01803 if (s1 != s2) 01804 up(s2); 01805 } 01806 01807 static inline void double_lock(struct dentry *d1, struct dentry *d2) 01808 { 01809 double_down(&d1->d_inode->i_sem, &d2->d_inode->i_sem); 01810 } 01811 01812 static inline void double_unlock(struct dentry *d1, struct dentry *d2) 01813 { 01814 double_up(&d1->d_inode->i_sem,&d2->d_inode->i_sem); 01815 dput(d1); 01816 dput(d2); 01817 } 01818 #else 01819 extern inline struct dentry *lock_parent(struct dentry *dentry); 01820 #endif 01821 01822 #endif /* __KERNEL__ */ 01823 01824 #endif

Generated on Tue Aug 31 10:05:22 2004 for RSBAC by doxygen 1.3.8