/daten/src/linux-2.4.27-rsbac-v1.2.3/rsbac/adf/acl/acl_syscalls.c

Go to the documentation of this file.
00001 /*************************************************** */ 00002 /* Rule Set Based Access Control */ 00003 /* Implementation of the Access Control Decision */ 00004 /* Facility (ADF) - ACL module */ 00005 /* File: rsbac/adf/acl/syscalls.c */ 00006 /* */ 00007 /* Author and (c) 1999-2004: Amon Ott <ao@rsbac.org> */ 00008 /* */ 00009 /* Last modified: 29/Apr/2004 */ 00010 /*************************************************** */ 00011 00012 #include <linux/string.h> 00013 #include <linux/sched.h> 00014 #include <linux/errno.h> 00015 #include <linux/vmalloc.h> 00016 #include <rsbac/types.h> 00017 #include <rsbac/aci.h> 00018 #include <rsbac/error.h> 00019 #include <rsbac/acl.h> 00020 #include <rsbac/getname.h> 00021 #include <rsbac/acl_getname.h> 00022 #include <rsbac/helpers.h> 00023 #include <rsbac/debug.h> 00024 #include <rsbac/rkmem.h> 00025 #include <rsbac/adf_main.h> 00026 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 00027 #ifdef CONFIG_RSBAC_NET_OBJ 00028 #include <net/sock.h> 00029 #endif 00030 #endif 00031 00032 /************************************************* */ 00033 /* Global Variables */ 00034 /************************************************* */ 00035 00036 /************************************************* */ 00037 /* Internal Help functions */ 00038 /************************************************* */ 00039 00040 boolean rsbac_acl_check_super(enum rsbac_target_t target, 00041 union rsbac_target_id_t tid, 00042 rsbac_uid_t user) 00043 { 00044 boolean i_result = FALSE; 00045 int err=0, tmperr; 00046 int i; 00047 rsbac_acl_group_id_t * group_p; 00048 #if defined(CONFIG_RSBAC_RC) 00049 union rsbac_target_id_t i_tid; 00050 union rsbac_attribute_value_t i_attr_val1; 00051 #endif 00052 00053 /* Only check implemented targets */ 00054 switch(target) 00055 { 00056 case T_FILE: 00057 case T_DIR: 00058 case T_FIFO: 00059 case T_SYMLINK: 00060 case T_DEV: 00061 case T_IPC: 00062 case T_SCD: 00063 case T_USER: 00064 case T_PROCESS: 00065 case T_NETDEV: 00066 case T_NETTEMP_NT: 00067 case T_NETTEMP: 00068 case T_NETOBJ: 00069 break; 00070 default: 00071 return TRUE; 00072 } 00073 /* own right */ 00074 err = rsbac_acl_get_single_right(target, 00075 tid, 00076 ACLS_USER, 00077 (rsbac_acl_subject_id_t) user, 00078 ACLR_SUPERVISOR, 00079 &i_result); 00080 if(err) 00081 { 00082 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00083 00084 if(tmp) 00085 { 00086 #ifdef CONFIG_RSBAC_RMSG 00087 rsbac_printk(KERN_WARNING 00088 "rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n", 00089 get_error_name(tmp,err)); 00090 #endif 00091 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00092 if (!rsbac_nosyslog) 00093 #endif 00094 printk(KERN_WARNING 00095 "rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n", 00096 get_error_name(tmp,err)); 00097 rsbac_kfree(tmp); 00098 } 00099 return FALSE; 00100 } 00101 if(i_result) 00102 return(TRUE); 00103 00104 /* try SUPERVISOR for group and role */ 00105 /* group everyone */ 00106 err = rsbac_acl_get_single_right(target, 00107 tid, 00108 ACLS_GROUP, 00109 RSBAC_ACL_GROUP_EVERYONE, 00110 ACLR_SUPERVISOR, 00111 &i_result); 00112 if(err) 00113 { 00114 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00115 00116 if(tmp) 00117 { 00118 #ifdef CONFIG_RSBAC_RMSG 00119 rsbac_printk(KERN_WARNING 00120 "rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n", 00121 get_error_name(tmp,err)); 00122 #endif 00123 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00124 if (!rsbac_nosyslog) 00125 #endif 00126 printk(KERN_WARNING 00127 "rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n", 00128 get_error_name(tmp,err)); 00129 rsbac_kfree(tmp); 00130 } 00131 return FALSE; 00132 } 00133 if(i_result) 00134 return(TRUE); 00135 00136 #if defined(CONFIG_RSBAC_RC) 00137 /* use process role */ 00138 /* first get role */ 00139 i_tid.process = current->pid; 00140 if (rsbac_get_attr(RC, 00141 T_PROCESS, 00142 i_tid, 00143 A_rc_role, 00144 &i_attr_val1, 00145 FALSE)) 00146 { 00147 #ifdef CONFIG_RSBAC_RMSG 00148 rsbac_printk(KERN_WARNING 00149 "rsbac_acl_check_super(): rsbac_get_attr() for process rc_role returned error!\n"); 00150 #endif 00151 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00152 if (!rsbac_nosyslog) 00153 #endif 00154 printk(KERN_WARNING 00155 "rsbac_acl_check_super(): rsbac_get_attr() for process rc_role returned error!\n"); 00156 } 00157 else 00158 { 00159 err = rsbac_acl_get_single_right(target, 00160 tid, 00161 ACLS_ROLE, 00162 i_attr_val1.rc_role, 00163 ACLR_SUPERVISOR, 00164 &i_result); 00165 if(err) 00166 { 00167 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00168 00169 if(tmp) 00170 { 00171 get_error_name(tmp,err); 00172 #ifdef CONFIG_RSBAC_RMSG 00173 rsbac_printk(KERN_WARNING 00174 "rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n", 00175 tmp); 00176 #endif 00177 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00178 if (!rsbac_nosyslog) 00179 #endif 00180 printk(KERN_WARNING 00181 "rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n", 00182 tmp); 00183 rsbac_kfree(tmp); 00184 } 00185 return FALSE; 00186 } 00187 if(i_result) 00188 return(TRUE); 00189 } 00190 #endif 00191 00192 /* other groups */ 00193 /* first get user groups */ 00194 group_p = NULL; 00195 err = rsbac_acl_get_user_groups(user, &group_p, NULL); 00196 if(err<0) 00197 { 00198 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00199 00200 if(tmp) 00201 { 00202 #ifdef CONFIG_RSBAC_RMSG 00203 rsbac_printk(KERN_WARNING 00204 "rsbac_acl_check_super(): rsbac_acl_get_user_groups() returned error %s!\n", 00205 get_error_name(tmp,err)); 00206 #endif 00207 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00208 if (!rsbac_nosyslog) 00209 #endif 00210 printk(KERN_WARNING 00211 "rsbac_acl_check_super(): rsbac_acl_get_user_groups() returned error %s!\n", 00212 get_error_name(tmp,err)); 00213 rsbac_kfree(tmp); 00214 } 00215 return err; 00216 } 00217 for(i=0; i<err; i++) 00218 { 00219 tmperr = rsbac_acl_get_single_right(target, 00220 tid, 00221 ACLS_GROUP, 00222 group_p[i], 00223 ACLR_SUPERVISOR, 00224 &i_result); 00225 if(tmperr) 00226 { 00227 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00228 00229 if(tmp) 00230 { 00231 #ifdef CONFIG_RSBAC_RMSG 00232 rsbac_printk(KERN_WARNING 00233 "rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n", 00234 get_error_name(tmp,tmperr)); 00235 #endif 00236 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00237 if (!rsbac_nosyslog) 00238 #endif 00239 printk(KERN_WARNING 00240 "rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n", 00241 get_error_name(tmp,tmperr)); 00242 rsbac_kfree(tmp); 00243 } 00244 if(group_p) 00245 rsbac_vfree(group_p); 00246 return FALSE; 00247 } 00248 if(i_result) 00249 { 00250 if(group_p) 00251 rsbac_vfree(group_p); 00252 return(TRUE); 00253 } 00254 } 00255 if(group_p) 00256 rsbac_vfree(group_p); 00257 00258 /* give up */ 00259 return FALSE; 00260 }; 00261 00262 00263 #if !defined(CONFIG_RSBAC_MAINT) 00264 boolean rsbac_acl_check_forward(enum rsbac_target_t target, 00265 union rsbac_target_id_t tid, 00266 rsbac_uid_t user, 00267 rsbac_acl_rights_vector_t rights); 00268 00269 boolean rsbac_acl_check_super(enum rsbac_target_t target, 00270 union rsbac_target_id_t tid, 00271 rsbac_uid_t user); 00272 00273 boolean rsbac_acl_check_right(enum rsbac_target_t target, 00274 union rsbac_target_id_t tid, 00275 rsbac_uid_t user, 00276 rsbac_pid_t caller_pid, 00277 enum rsbac_adf_request_t request); 00278 #endif 00279 00280 /************************************************* */ 00281 /* Externally visible functions */ 00282 /************************************************* */ 00283 00284 int rsbac_acl_sys_set_acl_entry (enum rsbac_target_t target, 00285 union rsbac_target_id_t tid, 00286 enum rsbac_acl_subject_type_t subj_type, 00287 rsbac_acl_subject_id_t subj_id, 00288 rsbac_acl_rights_vector_t rights, 00289 rsbac_time_t ttl) 00290 { 00291 int err=0; 00292 00293 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 00294 /* sanity check before using pointer */ 00295 if( (target == T_NETOBJ) 00296 && tid.netobj.sock_p 00297 && ( tid.netobj.remote_addr 00298 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 00299 || !tid.netobj.sock_p->file 00300 || !tid.netobj.sock_p->file->f_dentry 00301 || !tid.netobj.sock_p->file->f_dentry->d_inode 00302 || (SOCKET_I(tid.netobj.sock_p->file->f_dentry->d_inode) != tid.netobj.sock_p) 00303 #else 00304 || !tid.netobj.sock_p->inode 00305 || (&(tid.netobj.sock_p->inode->u.socket_i) != tid.netobj.sock_p) 00306 #endif 00307 ) 00308 ) 00309 return -RSBAC_EINVALIDTARGET; 00310 #endif 00311 00312 /* check only in non-maint mode */ 00313 #if !defined(CONFIG_RSBAC_MAINT) 00314 #ifdef CONFIG_RSBAC_SWITCH 00315 if(rsbac_switch_acl) 00316 #endif 00317 { 00318 rsbac_uid_t user; 00319 00320 if(rsbac_get_owner(&user)) 00321 return -RSBAC_EREADFAILED; 00322 /* first try access control right (SUPERVISOR try is included) */ 00323 if(!rsbac_acl_check_right(target, tid, user, current->pid, ACLR_ACCESS_CONTROL)) 00324 { 00325 /* no access control -> try forward for these rights */ 00326 /* but only, if no ttl requested */ 00327 if( (ttl != RSBAC_LIST_TTL_KEEP) 00328 || !rsbac_acl_check_forward(target, tid, user, rights) 00329 ) 00330 { 00331 char * rights_string = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00332 char * subject_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00333 char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00334 #ifdef CONFIG_RSBAC_LOG_FULL_PATH 00335 char * target_id_name 00336 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); 00337 /* max. path name len + some extra */ 00338 #else 00339 char * target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); 00340 /* max. file name len + some extra */ 00341 #endif 00342 00343 u64tostracl(rights_string, rights); 00344 get_acl_subject_type_name(subject_type_name, subj_type); 00345 get_target_name(target_type_name, target, target_id_name, tid); 00346 #ifdef CONFIG_RSBAC_RMSG 00347 rsbac_printk(KERN_INFO 00348 "rsbac_acl_sys_set_acl_entry(): setting rights %s for %s %u to %s %s denied for user %u!\n", 00349 rights_string, 00350 subject_type_name, 00351 subj_id, 00352 target_type_name, 00353 target_id_name, 00354 user); 00355 #endif 00356 #ifndef CONFIG_RSBAC_RMSG_EXCL 00357 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00358 if (!rsbac_nosyslog) 00359 #endif 00360 printk(KERN_INFO 00361 "rsbac_acl_sys_set_acl_entry(): setting rights %s for %s %u to %s %s denied for user %u!\n", 00362 rights_string, 00363 subject_type_name, 00364 subj_id, 00365 target_type_name, 00366 target_id_name, 00367 user); 00368 #endif 00369 rsbac_kfree(rights_string); 00370 rsbac_kfree(subject_type_name); 00371 rsbac_kfree(target_type_name); 00372 rsbac_kfree(target_id_name); 00373 00374 #ifdef CONFIG_RSBAC_SOFTMODE 00375 if( !rsbac_softmode 00376 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00377 && !rsbac_ind_softmode[ACL] 00378 #endif 00379 ) 00380 #endif 00381 return(-EPERM); 00382 } 00383 } 00384 if(rights & RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR) 00385 { 00386 /* you must have SUPERVISOR to set SUPERVISOR */ 00387 if(!rsbac_acl_check_super(target, tid, user)) 00388 { 00389 char * subject_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00390 char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00391 #ifdef CONFIG_RSBAC_LOG_FULL_PATH 00392 char * target_id_name 00393 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); 00394 /* max. path name len + some extra */ 00395 #else 00396 char * target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); 00397 /* max. file name len + some extra */ 00398 #endif 00399 00400 get_acl_subject_type_name(subject_type_name, subj_type); 00401 get_target_name(target_type_name, target, target_id_name, tid); 00402 #ifdef CONFIG_RSBAC_RMSG 00403 rsbac_printk(KERN_INFO 00404 "rsbac_acl_sys_set_acl_entry(): setting SUPERVISOR for %s %u to %s %s denied for user %u!\n", 00405 subject_type_name, 00406 subj_id, 00407 target_type_name, 00408 target_id_name, 00409 user); 00410 #endif 00411 #ifndef CONFIG_RSBAC_RMSG_EXCL 00412 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00413 if (!rsbac_nosyslog) 00414 #endif 00415 printk(KERN_INFO 00416 "rsbac_acl_sys_set_acl_entry(): setting SUPERVISOR for %s %u to %s %s denied for user %u!\n", 00417 subject_type_name, 00418 subj_id, 00419 target_type_name, 00420 target_id_name, 00421 user); 00422 #endif 00423 rsbac_kfree(subject_type_name); 00424 rsbac_kfree(target_type_name); 00425 rsbac_kfree(target_id_name); 00426 #ifdef CONFIG_RSBAC_SOFTMODE 00427 if( !rsbac_softmode 00428 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00429 && !rsbac_ind_softmode[ACL] 00430 #endif 00431 ) 00432 #endif 00433 return(-EPERM); 00434 } 00435 } 00436 } 00437 #endif /* !MAINT */ 00438 00439 /* OK, check passed. Set ACL. */ 00440 err = rsbac_acl_set_acl_entry(target, tid, subj_type, subj_id, rights, ttl); 00441 if(err) 00442 { 00443 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00444 00445 if(tmp) 00446 { 00447 #ifdef CONFIG_RSBAC_RMSG 00448 rsbac_printk(KERN_WARNING 00449 "rsbac_acl_sys_set_acl_entry(): rsbac_acl_set_acl_entry() returned error %s!\n", 00450 get_error_name(tmp,err)); 00451 #endif 00452 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00453 if (!rsbac_nosyslog) 00454 #endif 00455 printk(KERN_WARNING 00456 "rsbac_acl_sys_set_acl_entry(): rsbac_acl_set_acl_entry() returned error %s!\n", 00457 get_error_name(tmp,err)); 00458 rsbac_kfree(tmp); 00459 } 00460 } 00461 return err; 00462 } 00463 00464 int rsbac_acl_sys_remove_acl_entry (enum rsbac_target_t target, 00465 union rsbac_target_id_t tid, 00466 enum rsbac_acl_subject_type_t subj_type, 00467 rsbac_acl_subject_id_t subj_id) 00468 { 00469 int err=0; 00470 00471 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 00472 /* sanity check before using pointer */ 00473 if( (target == T_NETOBJ) 00474 && tid.netobj.sock_p 00475 && ( tid.netobj.remote_addr 00476 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 00477 || !tid.netobj.sock_p->file 00478 || !tid.netobj.sock_p->file->f_dentry 00479 || !tid.netobj.sock_p->file->f_dentry->d_inode 00480 || (SOCKET_I(tid.netobj.sock_p->file->f_dentry->d_inode) != tid.netobj.sock_p) 00481 #else 00482 || !tid.netobj.sock_p->inode 00483 || (&(tid.netobj.sock_p->inode->u.socket_i) != tid.netobj.sock_p) 00484 #endif 00485 ) 00486 ) 00487 return -RSBAC_EINVALIDTARGET; 00488 #endif 00489 00490 /* check only in non-maint mode */ 00491 #if !defined(CONFIG_RSBAC_MAINT) 00492 #ifdef CONFIG_RSBAC_SWITCH 00493 if(rsbac_switch_acl) 00494 #endif 00495 { 00496 rsbac_uid_t user; 00497 rsbac_acl_rights_vector_t res_rights = 0; 00498 00499 if(rsbac_get_owner(&user)) 00500 return -RSBAC_EREADFAILED; 00501 /* first try access control right (SUPERVISOR is included) */ 00502 if(!rsbac_acl_check_right(target, tid, user, current->pid, ACLR_ACCESS_CONTROL)) 00503 { 00504 char * subject_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00505 char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00506 #ifdef CONFIG_RSBAC_LOG_FULL_PATH 00507 char * target_id_name 00508 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); 00509 /* max. path name len + some extra */ 00510 #else 00511 char * target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); 00512 /* max. file name len + some extra */ 00513 #endif 00514 00515 get_acl_subject_type_name(subject_type_name, subj_type); 00516 get_target_name(target_type_name, target, target_id_name, tid); 00517 #ifdef CONFIG_RSBAC_RMSG 00518 rsbac_printk(KERN_INFO 00519 "rsbac_acl_sys_remove_acl_entry(): removing ACL entry for %s %u at %s %s denied for user %u!\n", 00520 subject_type_name, 00521 subj_id, 00522 target_type_name, 00523 target_id_name, 00524 user); 00525 #endif 00526 #ifndef CONFIG_RSBAC_RMSG_EXCL 00527 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00528 if (!rsbac_nosyslog) 00529 #endif 00530 printk(KERN_INFO 00531 "rsbac_acl_sys_remove_acl_entry(): removing ACL entry for %s %u at %s %s denied for user %u!\n", 00532 subject_type_name, 00533 subj_id, 00534 target_type_name, 00535 target_id_name, 00536 user); 00537 #endif 00538 rsbac_kfree(subject_type_name); 00539 rsbac_kfree(target_type_name); 00540 rsbac_kfree(target_id_name); 00541 #ifdef CONFIG_RSBAC_SOFTMODE 00542 if( !rsbac_softmode 00543 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00544 && !rsbac_ind_softmode[ACL] 00545 #endif 00546 ) 00547 #endif 00548 return(-EPERM); 00549 } 00550 00551 err = rsbac_acl_get_rights(target, tid, subj_type, subj_id, &res_rights, FALSE); 00552 if(err) 00553 { 00554 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00555 00556 if(tmp) 00557 { 00558 #ifdef CONFIG_RSBAC_RMSG 00559 rsbac_printk(KERN_WARNING 00560 "rsbac_acl_sys_remove_acl_entry(): rsbac_acl_get_rights() returned error %s!\n", 00561 get_error_name(tmp,err)); 00562 #endif 00563 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00564 if (!rsbac_nosyslog) 00565 #endif 00566 printk(KERN_WARNING 00567 "rsbac_acl_sys_remove_acl_entry(): rsbac_acl_get_rights() returned error %s!\n", 00568 get_error_name(tmp,err)); 00569 rsbac_kfree(tmp); 00570 } 00571 return err; 00572 } 00573 if(res_rights & RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR) 00574 { 00575 /* you must have SUPERVISOR to remove an entry with SUPERVISOR */ 00576 if(!rsbac_acl_check_super(target, tid, user)) 00577 { 00578 char * subject_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00579 char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00580 #ifdef CONFIG_RSBAC_LOG_FULL_PATH 00581 char * target_id_name 00582 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); 00583 /* max. path name len + some extra */ 00584 #else 00585 char * target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); 00586 /* max. file name len + some extra */ 00587 #endif 00588 00589 get_acl_subject_type_name(subject_type_name, subj_type); 00590 get_target_name(target_type_name, target, target_id_name, tid); 00591 #ifdef CONFIG_RSBAC_RMSG 00592 rsbac_printk(KERN_INFO 00593 "rsbac_acl_sys_remove_acl_entry(): removing ACL entry with SUPERVISOR for %s %u at %s %s denied for user %u!\n", 00594 subject_type_name, 00595 subj_id, 00596 target_type_name, 00597 target_id_name, 00598 user); 00599 #endif 00600 #ifndef CONFIG_RSBAC_RMSG_EXCL 00601 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00602 if (!rsbac_nosyslog) 00603 #endif 00604 printk(KERN_INFO 00605 "rsbac_acl_sys_remove_acl_entry(): removing ACL entry with SUPERVISOR for %s %u at %s %s denied for user %u!\n", 00606 subject_type_name, 00607 subj_id, 00608 target_type_name, 00609 target_id_name, 00610 user); 00611 #endif 00612 rsbac_kfree(subject_type_name); 00613 rsbac_kfree(target_type_name); 00614 rsbac_kfree(target_id_name); 00615 #ifdef CONFIG_RSBAC_SOFTMODE 00616 if( !rsbac_softmode 00617 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00618 && !rsbac_ind_softmode[ACL] 00619 #endif 00620 ) 00621 #endif 00622 return(-EPERM); 00623 } 00624 } 00625 } 00626 #endif /* !MAINT */ 00627 00628 /* OK, check passed. Set ACL. */ 00629 err = rsbac_acl_remove_acl_entry(target, tid, subj_type, subj_id); 00630 if(err) 00631 { 00632 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00633 00634 if(tmp) 00635 { 00636 #ifdef CONFIG_RSBAC_RMSG 00637 rsbac_printk(KERN_WARNING 00638 "rsbac_acl_sys_remove_acl_entry(): rsbac_acl_remove_acl_entry() returned error %s!\n", 00639 get_error_name(tmp,err)); 00640 #endif 00641 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00642 if (!rsbac_nosyslog) 00643 #endif 00644 printk(KERN_WARNING 00645 "rsbac_acl_sys_remove_acl_entry(): rsbac_acl_remove_acl_entry() returned error %s!\n", 00646 get_error_name(tmp,err)); 00647 rsbac_kfree(tmp); 00648 } 00649 } 00650 return err; 00651 } 00652 00653 int rsbac_acl_sys_remove_acl (enum rsbac_target_t target, 00654 union rsbac_target_id_t tid) 00655 { 00656 int err=0; 00657 00658 /* check only in non-maint mode */ 00659 #if !defined(CONFIG_RSBAC_MAINT) 00660 #ifdef CONFIG_RSBAC_SWITCH 00661 if(rsbac_switch_acl) 00662 #endif 00663 { 00664 rsbac_uid_t user; 00665 00666 if(rsbac_get_owner(&user)) 00667 return -RSBAC_EREADFAILED; 00668 /* check SUPERVISOR */ 00669 if(!rsbac_acl_check_super(target, tid, user)) 00670 { 00671 char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00672 #ifdef CONFIG_RSBAC_LOG_FULL_PATH 00673 char * target_id_name 00674 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); 00675 /* max. path name len + some extra */ 00676 #else 00677 char * target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); 00678 /* max. file name len + some extra */ 00679 #endif 00680 00681 get_target_name(target_type_name, target, target_id_name, tid); 00682 #ifdef CONFIG_RSBAC_RMSG 00683 rsbac_printk(KERN_INFO 00684 "rsbac_acl_sys_remove_acl(): removing ACL from %s %s denied for user %u!\n", 00685 target_type_name, 00686 target_id_name, 00687 user); 00688 #endif 00689 #ifndef CONFIG_RSBAC_RMSG_EXCL 00690 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00691 if (!rsbac_nosyslog) 00692 #endif 00693 printk(KERN_INFO 00694 "rsbac_acl_sys_remove_acl(): removing ACL from %s %s denied for user %u!\n", 00695 target_type_name, 00696 target_id_name, 00697 user); 00698 #endif 00699 rsbac_kfree(target_type_name); 00700 rsbac_kfree(target_id_name); 00701 #ifdef CONFIG_RSBAC_SOFTMODE 00702 if( !rsbac_softmode 00703 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00704 && !rsbac_ind_softmode[ACL] 00705 #endif 00706 ) 00707 #endif 00708 return(-EPERM); 00709 } 00710 } 00711 #endif /* !MAINT */ 00712 00713 /* OK, check passed. Set ACL. */ 00714 err = rsbac_acl_remove_acl(target, tid); 00715 if(err) 00716 { 00717 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00718 00719 if(tmp) 00720 { 00721 #ifdef CONFIG_RSBAC_RMSG 00722 rsbac_printk(KERN_WARNING 00723 "rsbac_acl_sys_remove_acl(): rsbac_acl_remove_acl() returned error %s!\n", 00724 get_error_name(tmp,err)); 00725 #endif 00726 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00727 if (!rsbac_nosyslog) 00728 #endif 00729 printk(KERN_WARNING 00730 "rsbac_acl_sys_remove_acl(): rsbac_acl_remove_acl() returned error %s!\n", 00731 get_error_name(tmp,err)); 00732 rsbac_kfree(tmp); 00733 } 00734 } 00735 return err; 00736 } 00737 00738 int rsbac_acl_sys_add_to_acl_entry (enum rsbac_target_t target, 00739 union rsbac_target_id_t tid, 00740 enum rsbac_acl_subject_type_t subj_type, 00741 rsbac_acl_subject_id_t subj_id, 00742 rsbac_acl_rights_vector_t rights, 00743 rsbac_time_t ttl) 00744 { 00745 int err=0; 00746 00747 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 00748 /* sanity check before using pointer */ 00749 if( (target == T_NETOBJ) 00750 && tid.netobj.sock_p 00751 && ( tid.netobj.remote_addr 00752 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 00753 || !tid.netobj.sock_p->file 00754 || !tid.netobj.sock_p->file->f_dentry 00755 || !tid.netobj.sock_p->file->f_dentry->d_inode 00756 || (SOCKET_I(tid.netobj.sock_p->file->f_dentry->d_inode) != tid.netobj.sock_p) 00757 #else 00758 || !tid.netobj.sock_p->inode 00759 || (&(tid.netobj.sock_p->inode->u.socket_i) != tid.netobj.sock_p) 00760 #endif 00761 ) 00762 ) 00763 return -RSBAC_EINVALIDTARGET; 00764 #endif 00765 00766 /* check only in non-maint mode */ 00767 #if !defined(CONFIG_RSBAC_MAINT) 00768 #ifdef CONFIG_RSBAC_SWITCH 00769 if(rsbac_switch_acl) 00770 #endif 00771 { 00772 rsbac_uid_t user; 00773 00774 if(rsbac_get_owner(&user)) 00775 return -RSBAC_EREADFAILED; 00776 /* first try access control right (SUPERVISOR is included) */ 00777 if(!rsbac_acl_check_right(target, tid, user, current->pid, ACLR_ACCESS_CONTROL)) 00778 { 00779 /* no access control -> try forward for these rights */ 00780 /* but only, if no ttl requested */ 00781 if( (ttl != RSBAC_LIST_TTL_KEEP) 00782 || !rsbac_acl_check_forward(target, tid, user, rights) 00783 ) 00784 { 00785 char * rights_string = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00786 char * subject_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00787 char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00788 #ifdef CONFIG_RSBAC_LOG_FULL_PATH 00789 char * target_id_name 00790 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); 00791 /* max. path name len + some extra */ 00792 #else 00793 char * target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); 00794 /* max. file name len + some extra */ 00795 #endif 00796 00797 u64tostracl(rights_string, rights); 00798 get_acl_subject_type_name(subject_type_name, subj_type); 00799 get_target_name(target_type_name, target, target_id_name, tid); 00800 #ifdef CONFIG_RSBAC_RMSG 00801 rsbac_printk(KERN_INFO 00802 "rsbac_acl_sys_add_to_acl_entry(): adding rights %s for %s %u to %s %s denied for user %u!\n", 00803 rights_string, 00804 subject_type_name, 00805 subj_id, 00806 target_type_name, 00807 target_id_name, 00808 user); 00809 #endif 00810 #ifndef CONFIG_RSBAC_RMSG_EXCL 00811 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00812 if (!rsbac_nosyslog) 00813 #endif 00814 printk(KERN_INFO 00815 "rsbac_acl_sys_add_to_acl_entry(): adding rights %s for %s %u to %s %s denied for user %u!\n", 00816 rights_string, 00817 subject_type_name, 00818 subj_id, 00819 target_type_name, 00820 target_id_name, 00821 user); 00822 #endif 00823 rsbac_kfree(rights_string); 00824 rsbac_kfree(subject_type_name); 00825 rsbac_kfree(target_type_name); 00826 rsbac_kfree(target_id_name); 00827 #ifdef CONFIG_RSBAC_SOFTMODE 00828 if( !rsbac_softmode 00829 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00830 && !rsbac_ind_softmode[ACL] 00831 #endif 00832 ) 00833 #endif 00834 return(-EPERM); 00835 } 00836 } 00837 if(rights & RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR) 00838 { 00839 /* you must have SUPERVISOR to add SUPERVISOR */ 00840 if(!rsbac_acl_check_super(target, tid, user)) 00841 { 00842 char * subject_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00843 char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00844 #ifdef CONFIG_RSBAC_LOG_FULL_PATH 00845 char * target_id_name 00846 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); 00847 /* max. path name len + some extra */ 00848 #else 00849 char * target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); 00850 /* max. file name len + some extra */ 00851 #endif 00852 00853 get_acl_subject_type_name(subject_type_name, subj_type); 00854 get_target_name(target_type_name, target, target_id_name, tid); 00855 #ifdef CONFIG_RSBAC_RMSG 00856 rsbac_printk(KERN_INFO 00857 "rsbac_acl_sys_add_to_acl_entry(): adding SUPERVISOR for %s %u to %s %s denied for user %u!\n", 00858 subject_type_name, 00859 subj_id, 00860 target_type_name, 00861 target_id_name, 00862 user); 00863 #endif 00864 #ifndef CONFIG_RSBAC_RMSG_EXCL 00865 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00866 if (!rsbac_nosyslog) 00867 #endif 00868 printk(KERN_INFO 00869 "rsbac_acl_sys_add_to_acl_entry(): adding SUPERVISOR for %s %u to %s %s denied for user %u!\n", 00870 subject_type_name, 00871 subj_id, 00872 target_type_name, 00873 target_id_name, 00874 user); 00875 #endif 00876 rsbac_kfree(subject_type_name); 00877 rsbac_kfree(target_type_name); 00878 rsbac_kfree(target_id_name); 00879 #ifdef CONFIG_RSBAC_SOFTMODE 00880 if( !rsbac_softmode 00881 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00882 && !rsbac_ind_softmode[ACL] 00883 #endif 00884 ) 00885 #endif 00886 return(-EPERM); 00887 } 00888 } 00889 } 00890 #endif /* !MAINT */ 00891 00892 /* OK, check passed. Set ACL. */ 00893 err = rsbac_acl_add_to_acl_entry(target, tid, subj_type, subj_id, rights, ttl); 00894 if(err) 00895 { 00896 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00897 00898 if(tmp) 00899 { 00900 #ifdef CONFIG_RSBAC_RMSG 00901 rsbac_printk(KERN_WARNING 00902 "rsbac_acl_sys_add_to_acl_entry(): rsbac_acl_add_to_acl_entry() returned error %s!\n", 00903 get_error_name(tmp,err)); 00904 #endif 00905 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00906 if (!rsbac_nosyslog) 00907 #endif 00908 printk(KERN_WARNING 00909 "rsbac_acl_sys_add_to_acl_entry(): rsbac_acl_add_to_acl_entry() returned error %s!\n", 00910 get_error_name(tmp,err)); 00911 rsbac_kfree(tmp); 00912 } 00913 } 00914 return err; 00915 } 00916 00917 int rsbac_acl_sys_remove_from_acl_entry (enum rsbac_target_t target, 00918 union rsbac_target_id_t tid, 00919 enum rsbac_acl_subject_type_t subj_type, 00920 rsbac_acl_subject_id_t subj_id, 00921 rsbac_acl_rights_vector_t rights) 00922 { 00923 int err=0; 00924 00925 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 00926 /* sanity check before using pointer */ 00927 if( (target == T_NETOBJ) 00928 && tid.netobj.sock_p 00929 && ( tid.netobj.remote_addr 00930 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 00931 || !tid.netobj.sock_p->file 00932 || !tid.netobj.sock_p->file->f_dentry 00933 || !tid.netobj.sock_p->file->f_dentry->d_inode 00934 || (SOCKET_I(tid.netobj.sock_p->file->f_dentry->d_inode) != tid.netobj.sock_p) 00935 #else 00936 || !tid.netobj.sock_p->inode 00937 || (&(tid.netobj.sock_p->inode->u.socket_i) != tid.netobj.sock_p) 00938 #endif 00939 ) 00940 ) 00941 return -RSBAC_EINVALIDTARGET; 00942 #endif 00943 00944 /* check only in non-maint mode */ 00945 #if !defined(CONFIG_RSBAC_MAINT) 00946 #ifdef CONFIG_RSBAC_SWITCH 00947 if(rsbac_switch_acl) 00948 #endif 00949 { 00950 rsbac_uid_t user; 00951 00952 if(rsbac_get_owner(&user)) 00953 return -RSBAC_EREADFAILED; 00954 /* first try access control right (SUPERVISOR is included) */ 00955 if(!rsbac_acl_check_right(target, tid, user, current->pid, ACLR_ACCESS_CONTROL)) 00956 { 00957 char * rights_string = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00958 char * subject_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00959 char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00960 #ifdef CONFIG_RSBAC_LOG_FULL_PATH 00961 char * target_id_name 00962 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); 00963 /* max. path name len + some extra */ 00964 #else 00965 char * target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); 00966 /* max. file name len + some extra */ 00967 #endif 00968 00969 u64tostracl(rights_string, rights); 00970 get_acl_subject_type_name(subject_type_name, subj_type); 00971 get_target_name(target_type_name, target, target_id_name, tid); 00972 #ifdef CONFIG_RSBAC_RMSG 00973 rsbac_printk(KERN_INFO 00974 "rsbac_acl_sys_remove_from_acl_entry(): removing rights %s for %s %u to %s %s denied for user %u!\n", 00975 rights_string, 00976 subject_type_name, 00977 subj_id, 00978 target_type_name, 00979 target_id_name, 00980 user); 00981 #endif 00982 #ifndef CONFIG_RSBAC_RMSG_EXCL 00983 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 00984 if (!rsbac_nosyslog) 00985 #endif 00986 printk(KERN_INFO 00987 "rsbac_acl_sys_remove_from_acl_entry(): removing rights %s for %s %u to %s %s denied for user %u!\n", 00988 rights_string, 00989 subject_type_name, 00990 subj_id, 00991 target_type_name, 00992 target_id_name, 00993 user); 00994 #endif 00995 rsbac_kfree(rights_string); 00996 rsbac_kfree(subject_type_name); 00997 rsbac_kfree(target_type_name); 00998 rsbac_kfree(target_id_name); 00999 #ifdef CONFIG_RSBAC_SOFTMODE 01000 if( !rsbac_softmode 01001 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01002 && !rsbac_ind_softmode[ACL] 01003 #endif 01004 ) 01005 #endif 01006 return(-EPERM); 01007 } 01008 if(rights & RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR) 01009 { 01010 /* you must have SUPERVISOR to revoke SUPERVISOR */ 01011 if(!rsbac_acl_check_super(target, tid, user)) 01012 { 01013 char * subject_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01014 char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01015 #ifdef CONFIG_RSBAC_LOG_FULL_PATH 01016 char * target_id_name 01017 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); 01018 /* max. path name len + some extra */ 01019 #else 01020 char * target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); 01021 /* max. file name len + some extra */ 01022 #endif 01023 01024 get_acl_subject_type_name(subject_type_name, subj_type); 01025 get_target_name(target_type_name, target, target_id_name, tid); 01026 #ifdef CONFIG_RSBAC_RMSG 01027 rsbac_printk(KERN_INFO 01028 "rsbac_acl_sys_remove_from_acl_entry(): removing SUPERVISOR for %s %u to %s %s denied for user %u!\n", 01029 subject_type_name, 01030 subj_id, 01031 target_type_name, 01032 target_id_name, 01033 user); 01034 #endif 01035 #ifndef CONFIG_RSBAC_RMSG_EXCL 01036 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01037 if (!rsbac_nosyslog) 01038 #endif 01039 printk(KERN_INFO 01040 "rsbac_acl_sys_remove_from_acl_entry(): removing SUPERVISOR for %s %u to %s %s denied for user %u!\n", 01041 subject_type_name, 01042 subj_id, 01043 target_type_name, 01044 target_id_name, 01045 user); 01046 #endif 01047 rsbac_kfree(subject_type_name); 01048 rsbac_kfree(target_type_name); 01049 rsbac_kfree(target_id_name); 01050 #ifdef CONFIG_RSBAC_SOFTMODE 01051 if( !rsbac_softmode 01052 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01053 && !rsbac_ind_softmode[ACL] 01054 #endif 01055 ) 01056 #endif 01057 return(-EPERM); 01058 } 01059 } 01060 } 01061 #endif /* !MAINT */ 01062 01063 /* OK, check passed. Remove ACL. */ 01064 err = rsbac_acl_remove_from_acl_entry(target, tid, subj_type, subj_id, rights); 01065 if(err) 01066 { 01067 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01068 01069 if(tmp) 01070 { 01071 #ifdef CONFIG_RSBAC_RMSG 01072 rsbac_printk(KERN_WARNING 01073 "rsbac_acl_sys_remove_from_acl_entry(): rsbac_acl_remove_from_acl_entry() returned error %s!\n", 01074 get_error_name(tmp,err)); 01075 #endif 01076 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01077 if (!rsbac_nosyslog) 01078 #endif 01079 printk(KERN_WARNING 01080 "rsbac_acl_sys_remove_from_acl_entry(): rsbac_acl_remove_from_acl_entry() returned error %s!\n", 01081 get_error_name(tmp,err)); 01082 rsbac_kfree(tmp); 01083 } 01084 } 01085 return err; 01086 } 01087 01088 int rsbac_acl_sys_set_mask (enum rsbac_target_t target, 01089 union rsbac_target_id_t tid, 01090 rsbac_acl_rights_vector_t mask) 01091 { 01092 int err=0; 01093 01094 /* check only in non-maint mode */ 01095 #if !defined(CONFIG_RSBAC_MAINT) || defined (CONFIG_RSBAC_ACL_SUPER_FILTER) 01096 rsbac_uid_t user; 01097 01098 if(rsbac_get_owner(&user)) 01099 return -RSBAC_EREADFAILED; 01100 #endif 01101 01102 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 01103 /* sanity check before using pointer */ 01104 if( (target == T_NETOBJ) 01105 && tid.netobj.sock_p 01106 && ( tid.netobj.remote_addr 01107 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 01108 || !tid.netobj.sock_p->file 01109 || !tid.netobj.sock_p->file->f_dentry 01110 || !tid.netobj.sock_p->file->f_dentry->d_inode 01111 || (SOCKET_I(tid.netobj.sock_p->file->f_dentry->d_inode) != tid.netobj.sock_p) 01112 #else 01113 || !tid.netobj.sock_p->inode 01114 || (&(tid.netobj.sock_p->inode->u.socket_i) != tid.netobj.sock_p) 01115 #endif 01116 ) 01117 ) 01118 return -RSBAC_EINVALIDTARGET; 01119 #endif 01120 01121 #if !defined(CONFIG_RSBAC_MAINT) 01122 #ifdef CONFIG_RSBAC_SWITCH 01123 if(rsbac_switch_acl) 01124 #endif 01125 { 01126 /* first try access control right (SUPERVISOR is included) */ 01127 if(!rsbac_acl_check_right(target, tid, user, current->pid, ACLR_ACCESS_CONTROL)) 01128 { 01129 char * rights_string = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01130 char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01131 #ifdef CONFIG_RSBAC_LOG_FULL_PATH 01132 char * target_id_name 01133 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); 01134 /* max. path name len + some extra */ 01135 #else 01136 char * target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); 01137 /* max. file name len + some extra */ 01138 #endif 01139 01140 u64tostracl(rights_string, mask); 01141 get_target_name(target_type_name, target, target_id_name, tid); 01142 #ifdef CONFIG_RSBAC_RMSG 01143 rsbac_printk(KERN_INFO 01144 "rsbac_acl_sys_set_mask(): setting mask %s for %s %s denied for user %u!\n", 01145 rights_string, 01146 target_type_name, 01147 target_id_name, 01148 user); 01149 #endif 01150 #ifndef CONFIG_RSBAC_RMSG_EXCL 01151 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01152 if (!rsbac_nosyslog) 01153 #endif 01154 printk(KERN_INFO 01155 "rsbac_acl_sys_set_mask(): setting mask %s for %s %s denied for user %u!\n", 01156 rights_string, 01157 target_type_name, 01158 target_id_name, 01159 user); 01160 #endif 01161 rsbac_kfree(rights_string); 01162 rsbac_kfree(target_type_name); 01163 rsbac_kfree(target_id_name); 01164 #ifdef CONFIG_RSBAC_SOFTMODE 01165 if( !rsbac_softmode 01166 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01167 && !rsbac_ind_softmode[ACL] 01168 #endif 01169 ) 01170 #endif 01171 return(-EPERM); 01172 } 01173 } 01174 #endif /* !MAINT */ 01175 01176 #ifdef CONFIG_RSBAC_ACL_SUPER_FILTER 01177 if(!(mask & RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR)) 01178 { /* trial to mask out SUPERVISOR */ 01179 rsbac_acl_rights_vector_t res_rights = 0; 01180 01181 /* you must have direct SUPERVISOR as a USER to set a mask without SUPERVISOR */ 01182 /* get direct own rights (still uses default_fd_rights) */ 01183 err = rsbac_acl_get_rights(target, tid, ACLS_USER, user, &res_rights, FALSE); 01184 if(err) 01185 return -RSBAC_EREADFAILED; 01186 if(!(res_rights & RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR)) 01187 mask |= RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR; 01188 } 01189 #else 01190 /* SUPERVISOR must never be masked out */ 01191 mask |= RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR; 01192 #endif 01193 01194 /* OK, checks passed. Set mask. */ 01195 err = rsbac_acl_set_mask(target, tid, mask); 01196 if(err) 01197 { 01198 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01199 01200 if(tmp) 01201 { 01202 #ifdef CONFIG_RSBAC_RMSG 01203 rsbac_printk(KERN_WARNING 01204 "rsbac_acl_sys_set_mask(): rsbac_acl_set_mask() returned error %s!\n", 01205 get_error_name(tmp,err)); 01206 #endif 01207 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01208 if (!rsbac_nosyslog) 01209 #endif 01210 printk(KERN_WARNING 01211 "rsbac_acl_sys_set_mask(): rsbac_acl_set_mask() returned error %s!\n", 01212 get_error_name(tmp,err)); 01213 rsbac_kfree(tmp); 01214 } 01215 } 01216 return err; 01217 } 01218 01219 int rsbac_acl_sys_remove_user(rsbac_uid_t uid) 01220 { 01221 int err=0; 01222 01223 /* check only in non-maint mode */ 01224 #if !defined(CONFIG_RSBAC_MAINT) 01225 #ifdef CONFIG_RSBAC_SWITCH 01226 if(rsbac_switch_acl) 01227 #endif 01228 { 01229 rsbac_uid_t user; 01230 union rsbac_target_id_t tid; 01231 01232 if(rsbac_get_owner(&user)) 01233 return -RSBAC_EREADFAILED; 01234 tid.user = uid; 01235 /* first try access control right (SUPERVISOR is included) */ 01236 if(!rsbac_acl_check_right(T_USER, tid, user, current->pid, R_DELETE)) 01237 { 01238 #ifdef CONFIG_RSBAC_RMSG 01239 rsbac_printk(KERN_INFO 01240 "rsbac_acl_sys_remove_user(): removing all data for user %u denied for user %u!\n", 01241 uid, 01242 user); 01243 #endif 01244 #ifndef CONFIG_RSBAC_RMSG_EXCL 01245 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01246 if (!rsbac_nosyslog) 01247 #endif 01248 printk(KERN_INFO 01249 "rsbac_acl_sys_remove_user(): removing all data for user %u denied for user %u!\n", 01250 uid, 01251 user); 01252 #endif 01253 #ifdef CONFIG_RSBAC_SOFTMODE 01254 if( !rsbac_softmode 01255 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01256 && !rsbac_ind_softmode[ACL] 01257 #endif 01258 ) 01259 #endif 01260 return(-EPERM); 01261 } 01262 } 01263 #endif /* !MAINT */ 01264 01265 #ifdef CONFIG_RSBAC_RMSG 01266 rsbac_printk(KERN_INFO 01267 "rsbac_acl_sys_remove_user(): removing all data for user %u!\n", 01268 uid); 01269 #endif 01270 #ifndef CONFIG_RSBAC_RMSG_EXCL 01271 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01272 if (!rsbac_nosyslog) 01273 #endif 01274 printk(KERN_INFO 01275 "rsbac_acl_sys_remove_user(): removing all data for user %u!\n", 01276 uid); 01277 #endif 01278 /* OK, checks passed. Set mask. */ 01279 err = rsbac_acl_remove_user(uid); 01280 if(err) 01281 { 01282 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01283 01284 if(tmp) 01285 { 01286 #ifdef CONFIG_RSBAC_RMSG 01287 rsbac_printk(KERN_WARNING 01288 "rsbac_acl_sys_remove_user(): rsbac_acl_remove_user() returned error %s!\n", 01289 get_error_name(tmp,err)); 01290 #endif 01291 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01292 if (!rsbac_nosyslog) 01293 #endif 01294 printk(KERN_WARNING 01295 "rsbac_acl_sys_remove_user(): rsbac_acl_remove_user() returned error %s!\n", 01296 get_error_name(tmp,err)); 01297 rsbac_kfree(tmp); 01298 } 01299 } 01300 return err; 01301 } 01302 01303 /*********/ 01304 01305 int rsbac_acl_sys_get_mask (enum rsbac_target_t target, 01306 union rsbac_target_id_t tid, 01307 rsbac_acl_rights_vector_t * mask_p) 01308 { 01309 int err=0; 01310 01311 /* no check */ 01312 01313 /* OK, check passed. Get mask. */ 01314 err = rsbac_acl_get_mask(target, tid, mask_p); 01315 if(err) 01316 { 01317 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01318 01319 if(tmp) 01320 { 01321 #ifdef CONFIG_RSBAC_RMSG 01322 rsbac_printk(KERN_WARNING 01323 "rsbac_acl_sys_get_mask(): rsbac_acl_get_mask() returned error %s!\n", 01324 get_error_name(tmp,err)); 01325 #endif 01326 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01327 if (!rsbac_nosyslog) 01328 #endif 01329 printk(KERN_WARNING 01330 "rsbac_acl_sys_get_mask(): rsbac_acl_get_mask() returned error %s!\n", 01331 get_error_name(tmp,err)); 01332 rsbac_kfree(tmp); 01333 } 01334 } 01335 return err; 01336 } 01337 01338 int rsbac_acl_sys_get_rights (enum rsbac_target_t target, 01339 union rsbac_target_id_t tid, 01340 enum rsbac_acl_subject_type_t subj_type, 01341 rsbac_acl_subject_id_t subj_id, 01342 rsbac_acl_rights_vector_t * rights_p, 01343 boolean effective) 01344 { 01345 int err=0; 01346 rsbac_acl_rights_vector_t res_rights; 01347 #if defined(CONFIG_RSBAC_RC) 01348 union rsbac_target_id_t i_tid; 01349 union rsbac_attribute_value_t i_attr_val1; 01350 #endif 01351 01352 /* no check (Attention: rsbac_acl_check_forward depends on this to be allowed!) */ 01353 01354 if( (subj_type == ACLS_USER) 01355 && (subj_id == RSBAC_NO_USER) 01356 ) 01357 rsbac_get_owner((rsbac_uid_t *) &subj_id); 01358 /* OK, check passed. Call ACL. */ 01359 if(effective) 01360 { 01361 /* inherited own rights */ 01362 res_rights = 0; 01363 err = rsbac_acl_get_rights(target, tid, subj_type, subj_id, &res_rights, TRUE); 01364 if(err) 01365 { 01366 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01367 01368 if(tmp) 01369 { 01370 #ifdef CONFIG_RSBAC_RMSG 01371 rsbac_printk(KERN_WARNING 01372 "rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n", 01373 get_error_name(tmp,err)); 01374 #endif 01375 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01376 if (!rsbac_nosyslog) 01377 #endif 01378 printk(KERN_WARNING 01379 "rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n", 01380 get_error_name(tmp,err)); 01381 rsbac_kfree(tmp); 01382 } 01383 return err; 01384 } 01385 *rights_p = res_rights; 01386 /* add group and role rights, if normal user */ 01387 if(subj_type == ACLS_USER) 01388 { 01389 rsbac_acl_group_id_t * group_p; 01390 int i; 01391 int tmperr; 01392 01393 /* group everyone */ 01394 res_rights = 0; 01395 err = rsbac_acl_get_rights(target, tid, ACLS_GROUP, RSBAC_ACL_GROUP_EVERYONE, 01396 &res_rights, TRUE); 01397 if(err) 01398 { 01399 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01400 01401 if(tmp) 01402 { 01403 #ifdef CONFIG_RSBAC_RMSG 01404 rsbac_printk(KERN_WARNING 01405 "rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n", 01406 get_error_name(tmp,err)); 01407 #endif 01408 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01409 if (!rsbac_nosyslog) 01410 #endif 01411 printk(KERN_WARNING 01412 "rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n", 01413 get_error_name(tmp,err)); 01414 rsbac_kfree(tmp); 01415 } 01416 return err; 01417 } 01418 *rights_p |= res_rights; 01419 01420 /* other groups */ 01421 /* first get user groups */ 01422 group_p = NULL; 01423 err = rsbac_acl_get_user_groups(subj_id, &group_p, NULL); 01424 if(err<0) 01425 { 01426 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01427 01428 if(tmp) 01429 { 01430 #ifdef CONFIG_RSBAC_RMSG 01431 rsbac_printk(KERN_WARNING 01432 "rsbac_acl_sys_get_rights(): rsbac_acl_get_user_groups() returned error %s!\n", 01433 get_error_name(tmp,err)); 01434 #endif 01435 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01436 if (!rsbac_nosyslog) 01437 #endif 01438 printk(KERN_WARNING 01439 "rsbac_acl_sys_get_rights(): rsbac_acl_get_user_groups() returned error %s!\n", 01440 get_error_name(tmp,err)); 01441 rsbac_kfree(tmp); 01442 } 01443 return err; 01444 } 01445 for(i=0; i<err; i++) 01446 { 01447 res_rights = 0; 01448 tmperr = rsbac_acl_get_rights(target, tid, ACLS_GROUP, group_p[i], 01449 &res_rights, TRUE); 01450 if(tmperr) 01451 { 01452 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01453 01454 if(tmp) 01455 { 01456 #ifdef CONFIG_RSBAC_RMSG 01457 rsbac_printk(KERN_WARNING 01458 "rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n", 01459 get_error_name(tmp,err)); 01460 #endif 01461 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01462 if (!rsbac_nosyslog) 01463 #endif 01464 printk(KERN_WARNING 01465 "rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n", 01466 get_error_name(tmp,err)); 01467 rsbac_kfree(tmp); 01468 } 01469 if(group_p) 01470 rsbac_vfree(group_p); 01471 return tmperr; 01472 } 01473 *rights_p |= res_rights; 01474 } 01475 err = 0; 01476 if(group_p) 01477 rsbac_vfree(group_p); 01478 01479 #if defined(CONFIG_RSBAC_RC) 01480 /* use user role */ 01481 /* first get role */ 01482 i_tid.user = subj_id; 01483 if (rsbac_get_attr(RC, 01484 T_USER, 01485 i_tid, 01486 A_rc_def_role, 01487 &i_attr_val1, 01488 FALSE)) 01489 { 01490 #ifdef CONFIG_RSBAC_RMSG 01491 rsbac_printk(KERN_WARNING 01492 "rsbac_acl_sys_get_rights(): rsbac_get_attr() for process rc_role returned error!\n"); 01493 #endif 01494 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01495 if (!rsbac_nosyslog) 01496 #endif 01497 printk(KERN_WARNING 01498 "rsbac_acl_sys_get_rights(): rsbac_get_attr() for process rc_role returned error!\n"); 01499 } 01500 else 01501 { 01502 res_rights = 0; 01503 err = rsbac_acl_get_rights(target, tid, ACLS_ROLE, i_attr_val1.rc_role, 01504 &res_rights, TRUE); 01505 if(err) 01506 { 01507 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01508 01509 if(tmp) 01510 { 01511 get_error_name(tmp,err); 01512 #ifdef CONFIG_RSBAC_RMSG 01513 rsbac_printk(KERN_WARNING 01514 "rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n", 01515 tmp); 01516 #endif 01517 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01518 if (!rsbac_nosyslog) 01519 #endif 01520 printk(KERN_WARNING 01521 "rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n", 01522 tmp); 01523 rsbac_kfree(tmp); 01524 } 01525 return err; 01526 } 01527 *rights_p |= res_rights; 01528 } 01529 #endif 01530 01531 /* check for SUPERVISOR right, if not yet there */ 01532 if( !(*rights_p & RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR) 01533 && rsbac_acl_check_super(target, tid, subj_id) 01534 ) 01535 *rights_p |= RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR; 01536 } 01537 else /* not ACLS_USER */ 01538 { 01539 if(!(*rights_p & RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR)) 01540 { 01541 boolean i_result = FALSE; 01542 01543 /* check for SUPERVISOR right */ 01544 /* own right */ 01545 err = rsbac_acl_get_single_right(target, 01546 tid, 01547 subj_type, 01548 subj_id, 01549 ACLR_SUPERVISOR, 01550 &i_result); 01551 if(err) 01552 { 01553 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01554 01555 if(tmp) 01556 { 01557 #ifdef CONFIG_RSBAC_RMSG 01558 rsbac_printk(KERN_WARNING 01559 "rsbac_acl_sys_get_rights(): rsbac_acl_get_right() returned error %s!\n", 01560 get_error_name(tmp,err)); 01561 #endif 01562 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01563 if (!rsbac_nosyslog) 01564 #endif 01565 printk(KERN_WARNING 01566 "rsbac_acl_sys_get_rights(): rsbac_acl_get_right() returned error %s!\n", 01567 get_error_name(tmp,err)); 01568 rsbac_kfree(tmp); 01569 } 01570 } 01571 else 01572 if(i_result) 01573 *rights_p |= RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR; 01574 } 01575 } 01576 } 01577 else /* not effective = direct */ 01578 { 01579 /* direct own rights (still uses default_fd_rights) */ 01580 res_rights = 0; 01581 err = rsbac_acl_get_rights(target, tid, subj_type, subj_id, &res_rights, FALSE); 01582 if(!err) 01583 *rights_p = res_rights; 01584 } 01585 return err; 01586 } 01587 01588 int rsbac_acl_sys_get_tlist (enum rsbac_target_t target, 01589 union rsbac_target_id_t tid, 01590 struct rsbac_acl_entry_t ** entry_pp, 01591 rsbac_time_t ** ttl_pp) 01592 { 01593 int err=0; 01594 01595 /* no check */ 01596 01597 /* OK, check passed. Call ACL. */ 01598 err = rsbac_acl_get_tlist(target, tid, entry_pp, ttl_pp); 01599 if(err == -RSBAC_ENOTFOUND) 01600 err = 0; 01601 else 01602 if(err<0) 01603 { 01604 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01605 01606 if(tmp) 01607 { 01608 #ifdef CONFIG_RSBAC_RMSG 01609 rsbac_printk(KERN_WARNING 01610 "rsbac_acl_sys_get_tlist(): rsbac_acl_get_tlist() returned error %s!\n", 01611 get_error_name(tmp,err)); 01612 #endif 01613 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01614 if (!rsbac_nosyslog) 01615 #endif 01616 printk(KERN_WARNING 01617 "rsbac_acl_sys_get_tlist(): rsbac_acl_get_tlist() returned error %s!\n", 01618 get_error_name(tmp,err)); 01619 rsbac_kfree(tmp); 01620 } 01621 } 01622 return err; 01623 } 01624 01625 /*********** Groups ***********/ 01626 01627 int rsbac_acl_sys_group(enum rsbac_acl_group_syscall_type_t call, 01628 union rsbac_acl_group_syscall_arg_t arg) 01629 { 01630 int err = -RSBAC_EINVALIDREQUEST; 01631 char * k_name; 01632 rsbac_acl_group_id_t k_group; 01633 struct rsbac_acl_group_entry_t entry; 01634 rsbac_uid_t caller; 01635 01636 if(call >= ACLGS_none) 01637 return -RSBAC_EINVALIDREQUEST; 01638 if(rsbac_get_owner(&caller)) 01639 return -RSBAC_EREADFAILED; 01640 01641 #ifdef CONFIG_RSBAC_DEBUG 01642 if(rsbac_debug_aef_acl) 01643 { 01644 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01645 01646 if(tmp) 01647 { 01648 #ifdef CONFIG_RSBAC_RMSG 01649 rsbac_printk(KERN_DEBUG 01650 "rsbac_acl_sys_group(): %s called\n", 01651 get_acl_group_syscall_name(tmp,call)); 01652 #endif 01653 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01654 if (!rsbac_nosyslog) 01655 #endif 01656 printk(KERN_DEBUG 01657 "rsbac_acl_sys_group(): %s called\n", 01658 get_acl_group_syscall_name(tmp,call)); 01659 rsbac_kfree(tmp); 01660 } 01661 } 01662 #endif 01663 01664 switch(call) 01665 { 01666 case ACLGS_add_group: 01667 if(arg.add_group.type >= ACLG_NONE) 01668 { 01669 err = -RSBAC_EINVALIDVALUE; 01670 break; 01671 } 01672 k_name = rsbac_getname(arg.add_group.name); 01673 if(!k_name) 01674 { 01675 err = -RSBAC_EINVALIDVALUE; 01676 break; 01677 } 01678 err = rsbac_get_user((char *)&k_group, (char *)arg.add_group.group_id_p, sizeof(k_group)); 01679 if(err) 01680 break; 01681 err = rsbac_acl_add_group(caller, 01682 arg.add_group.type, 01683 k_name, 01684 &k_group); 01685 rsbac_putname(k_name); 01686 if(!err) 01687 err = rsbac_put_user((char *)&k_group, (char *) arg.add_group.group_id_p, sizeof(k_group)); 01688 break; 01689 01690 case ACLGS_change_group: 01691 if(arg.change_group.type >= ACLG_NONE) 01692 { 01693 err = -RSBAC_EINVALIDVALUE; 01694 break; 01695 } 01696 err = rsbac_acl_get_group_entry(arg.change_group.id, &entry); 01697 if(err) 01698 break; 01699 /* check owner only, if non-maint */ 01700 #if !defined(CONFIG_RSBAC_MAINT) 01701 #ifdef CONFIG_RSBAC_SWITCH 01702 if(rsbac_switch_acl) 01703 #endif 01704 { 01705 if(entry.owner != caller) 01706 { 01707 #ifdef CONFIG_RSBAC_RMSG 01708 rsbac_printk(KERN_INFO 01709 "rsbac_acl_group(): changing group %u denied for user %u - not owner!\n", 01710 entry.id, 01711 caller); 01712 #endif 01713 #ifndef CONFIG_RSBAC_RMSG_EXCL 01714 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01715 if (!rsbac_nosyslog) 01716 #endif 01717 printk(KERN_INFO 01718 "rsbac_acl_group(): changing group %u denied for user %u - not owner!\n", 01719 entry.id, 01720 caller); 01721 #endif 01722 err = -EPERM; 01723 break; 01724 } 01725 } 01726 #endif /* !MAINT */ 01727 { 01728 char * k_name; 01729 01730 k_name = rsbac_getname(arg.change_group.name); 01731 if(k_name) 01732 { 01733 err = rsbac_acl_change_group(arg.change_group.id, 01734 arg.change_group.owner, 01735 arg.change_group.type, 01736 k_name); 01737 putname(k_name); 01738 } 01739 else 01740 err = -RSBAC_EINVALIDVALUE; 01741 } 01742 break; 01743 01744 case ACLGS_remove_group: 01745 err = rsbac_acl_get_group_entry(arg.remove_group.id, &entry); 01746 if(err) 01747 break; 01748 /* check owner only, if non-maint */ 01749 #if !defined(CONFIG_RSBAC_MAINT) 01750 #ifdef CONFIG_RSBAC_SWITCH 01751 if(rsbac_switch_acl) 01752 #endif 01753 { 01754 if(entry.owner != caller) 01755 { 01756 #ifdef CONFIG_RSBAC_RMSG 01757 rsbac_printk(KERN_INFO 01758 "rsbac_acl_group(): removing group %u denied for user %u - not owner!\n", 01759 entry.id, 01760 caller); 01761 #endif 01762 #ifndef CONFIG_RSBAC_RMSG_EXCL 01763 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01764 if (!rsbac_nosyslog) 01765 #endif 01766 printk(KERN_INFO 01767 "rsbac_acl_group(): removing group %u denied for user %u - not owner!\n", 01768 entry.id, 01769 caller); 01770 #endif 01771 err = -EPERM; 01772 break; 01773 } 01774 } 01775 #endif /* !MAINT */ 01776 err = rsbac_acl_remove_group(arg.remove_group.id); 01777 break; 01778 01779 case ACLGS_get_group_entry: 01780 if(!arg.get_group_entry.entry_p) 01781 { 01782 err = -RSBAC_EINVALIDPOINTER; 01783 break; 01784 } 01785 if(!arg.get_group_entry.id) 01786 { /* Everyone -> fill by hand */ 01787 entry.id=0; 01788 entry.owner=RSBAC_NO_USER; 01789 entry.type=ACLG_GLOBAL; 01790 strcpy(entry.name, "Everyone"); 01791 err=0; 01792 } 01793 else 01794 { 01795 err = rsbac_acl_get_group_entry(arg.get_group_entry.id, 01796 &entry); 01797 } 01798 if(!err) 01799 { 01800 if( (entry.owner != caller) 01801 &&(entry.type != ACLG_GLOBAL) 01802 ) 01803 { 01804 #ifdef CONFIG_RSBAC_RMSG 01805 rsbac_printk(KERN_INFO 01806 "rsbac_acl_group(): getting group entry %u denied for user %u - neither owner nor global!\n", 01807 entry.id, 01808 caller); 01809 #endif 01810 #ifndef CONFIG_RSBAC_RMSG_EXCL 01811 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01812 if (!rsbac_nosyslog) 01813 #endif 01814 printk(KERN_INFO 01815 "rsbac_acl_group(): getting group entry %u denied for user %u - neither owner nor global!\n", 01816 entry.id, 01817 caller); 01818 #endif 01819 err = -EPERM; 01820 } 01821 else 01822 err = rsbac_put_user((char *)&entry, (char *)arg.get_group_entry.entry_p, sizeof(entry)); 01823 } 01824 break; 01825 01826 case ACLGS_list_groups: 01827 if(arg.list_groups.maxnum <= 0) 01828 { 01829 err = -RSBAC_EINVALIDVALUE; 01830 break; 01831 } 01832 if(!arg.list_groups.group_entry_array) 01833 { 01834 err = -RSBAC_EINVALIDPOINTER; 01835 break; 01836 } 01837 { 01838 struct rsbac_acl_group_entry_t * entry_p; 01839 int tmperr=0; 01840 01841 if(arg.list_groups.include_global) 01842 { 01843 struct rsbac_acl_group_entry_t entry_0; 01844 01845 entry_0.id=0; 01846 entry_0.owner=RSBAC_NO_USER; 01847 entry_0.type=ACLG_GLOBAL; 01848 strcpy(entry_0.name, "Everyone"); 01849 tmperr = rsbac_put_user((char *) &entry_0, 01850 (char *) arg.list_groups.group_entry_array, 01851 sizeof(entry_0)); 01852 if(tmperr) 01853 { 01854 err = tmperr; 01855 break; 01856 } 01857 else 01858 err = 1; 01859 arg.list_groups.maxnum--; 01860 arg.list_groups.group_entry_array++; 01861 } 01862 else 01863 err = 0; 01864 01865 if(arg.list_groups.maxnum) 01866 { 01867 long count; 01868 01869 count = rsbac_acl_list_groups(caller, 01870 arg.list_groups.include_global, 01871 &entry_p); 01872 if(count>0) 01873 { 01874 if(count > arg.list_groups.maxnum) 01875 count = arg.list_groups.maxnum; 01876 err+=count; 01877 tmperr = rsbac_put_user((char *)entry_p, 01878 ((char *)arg.list_groups.group_entry_array), 01879 count * sizeof(*entry_p)); 01880 if(tmperr) 01881 err=tmperr; 01882 rsbac_vfree(entry_p); 01883 } 01884 else 01885 if(count < 0) 01886 err=count; 01887 } 01888 } 01889 break; 01890 01891 case ACLGS_add_member: 01892 /* check owner only, if non-maint */ 01893 #if !defined(CONFIG_RSBAC_MAINT) 01894 #ifdef CONFIG_RSBAC_SWITCH 01895 if(rsbac_switch_acl) 01896 #endif 01897 { 01898 err = rsbac_acl_get_group_entry(arg.add_member.group, &entry); 01899 if(err) 01900 break; 01901 if(entry.owner != caller) 01902 { 01903 #ifdef CONFIG_RSBAC_RMSG 01904 rsbac_printk(KERN_INFO 01905 "rsbac_acl_group(): adding group member to group %u denied for user %u - not owner!\n", 01906 entry.id, 01907 caller); 01908 #endif 01909 #ifndef CONFIG_RSBAC_RMSG_EXCL 01910 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01911 if (!rsbac_nosyslog) 01912 #endif 01913 printk(KERN_INFO 01914 "rsbac_acl_group(): adding group member to group %u denied for user %u - not owner!\n", 01915 entry.id, 01916 caller); 01917 #endif 01918 err = -EPERM; 01919 break; 01920 } 01921 } 01922 #endif /* !MAINT */ 01923 err = rsbac_acl_add_group_member(arg.add_member.group, 01924 arg.add_member.user, 01925 arg.add_member.ttl); 01926 break; 01927 01928 case ACLGS_remove_member: 01929 /* check owner only, if non-maint */ 01930 #if !defined(CONFIG_RSBAC_MAINT) 01931 #ifdef CONFIG_RSBAC_SWITCH 01932 if(rsbac_switch_acl) 01933 #endif 01934 { 01935 err = rsbac_acl_get_group_entry(arg.remove_member.group, &entry); 01936 if(err) 01937 break; 01938 if(entry.owner != caller) 01939 { 01940 #ifdef CONFIG_RSBAC_RMSG 01941 rsbac_printk(KERN_INFO 01942 "rsbac_acl_group(): removing group member from group %u denied for user %u - not owner!\n", 01943 entry.id, 01944 caller); 01945 #endif 01946 #ifndef CONFIG_RSBAC_RMSG_EXCL 01947 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01948 if (!rsbac_nosyslog) 01949 #endif 01950 printk(KERN_INFO 01951 "rsbac_acl_group(): removing group member from group %u denied for user %u - not owner!\n", 01952 entry.id, 01953 caller); 01954 #endif 01955 err = -EPERM; 01956 break; 01957 } 01958 } 01959 #endif /* !MAINT */ 01960 err = rsbac_acl_remove_group_member(arg.remove_member.group, arg.remove_member.user); 01961 break; 01962 01963 case ACLGS_get_user_groups: 01964 { 01965 rsbac_acl_group_id_t * group_p = NULL; 01966 rsbac_time_t * ttl_p = NULL; 01967 01968 if(arg.get_user_groups.maxnum <= 0) 01969 { 01970 err = -RSBAC_EINVALIDVALUE; 01971 break; 01972 } 01973 if(!arg.get_user_groups.group_array) 01974 { 01975 err = -RSBAC_EINVALIDPOINTER; 01976 break; 01977 } 01978 if(arg.get_user_groups.user == RSBAC_NO_USER) 01979 arg.get_user_groups.user = caller; 01980 #if !defined(CONFIG_RSBAC_MAINT) 01981 else 01982 #ifdef CONFIG_RSBAC_SWITCH 01983 if(rsbac_switch_acl) 01984 #endif 01985 { 01986 if(arg.get_user_groups.user != caller) 01987 { 01988 #ifdef CONFIG_RSBAC_RMSG 01989 rsbac_printk(KERN_INFO 01990 "rsbac_acl_group(): getting user groups for user %u denied for user %u!\n", 01991 arg.get_user_groups.user, 01992 caller); 01993 #endif 01994 #ifndef CONFIG_RSBAC_RMSG_EXCL 01995 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 01996 if (!rsbac_nosyslog) 01997 #endif 01998 printk(KERN_INFO 01999 "rsbac_acl_group(): getting user groups for user %u denied for user %u!\n", 02000 arg.get_user_groups.user, 02001 caller); 02002 #endif 02003 err = -EPERM; 02004 break; 02005 } 02006 } 02007 #endif /* !MAINT */ 02008 err = rsbac_acl_get_user_groups(arg.get_user_groups.user, &group_p, &ttl_p); 02009 if(err>0) 02010 { 02011 int tmperr; 02012 02013 err = rsbac_min(err, arg.get_user_groups.maxnum); 02014 tmperr = rsbac_put_user((char *)group_p, 02015 (char *)arg.get_user_groups.group_array, 02016 err * sizeof(*group_p)); 02017 if(tmperr) 02018 err=tmperr; 02019 if(arg.get_user_groups.ttl_array) 02020 { 02021 tmperr = rsbac_put_user((char *)ttl_p, 02022 (char *)arg.get_user_groups.ttl_array, 02023 err * sizeof(*ttl_p)); 02024 if(tmperr) 02025 err=tmperr; 02026 } 02027 } 02028 if(group_p) 02029 rsbac_vfree(group_p); 02030 if(ttl_p) 02031 rsbac_vfree(ttl_p); 02032 break; 02033 } 02034 02035 case ACLGS_get_group_members: 02036 if( (arg.get_group_members.maxnum <= 0) 02037 || !arg.get_group_members.group 02038 ) 02039 { 02040 err = -RSBAC_EINVALIDVALUE; 02041 break; 02042 } 02043 if(arg.get_group_members.maxnum > RSBAC_ACL_MAX_MAXNUM) 02044 arg.get_group_members.maxnum = RSBAC_ACL_MAX_MAXNUM; 02045 if(!arg.get_group_members.user_array) 02046 { 02047 err = -RSBAC_EINVALIDPOINTER; 02048 break; 02049 } 02050 err = rsbac_acl_get_group_entry(arg.get_group_members.group, 02051 &entry); 02052 if(err) 02053 break; 02054 if( (entry.owner != caller) 02055 &&(entry.type != ACLG_GLOBAL) 02056 ) 02057 { 02058 #ifdef CONFIG_RSBAC_RMSG 02059 rsbac_printk(KERN_INFO 02060 "rsbac_acl_group(): getting group members of group %u denied for user %u - neither owner nor global!\n", 02061 entry.id, 02062 caller); 02063 #endif 02064 #ifndef CONFIG_RSBAC_RMSG_EXCL 02065 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG 02066 if (!rsbac_nosyslog) 02067 #endif 02068 printk(KERN_INFO 02069 "rsbac_acl_group(): getting group members of group %u denied for user %u - neither owner nor global!\n", 02070 entry.id, 02071 caller); 02072 #endif 02073 err = -EPERM; 02074 break; 02075 } 02076 { 02077 rsbac_uid_t * user_array; 02078 rsbac_time_t * ttl_array; 02079 02080 user_array = rsbac_vmalloc(sizeof(*user_array) * arg.get_group_members.maxnum); 02081 if(!user_array) 02082 return -RSBAC_ENOMEM; 02083 ttl_array = rsbac_vmalloc(sizeof(*ttl_array) * arg.get_group_members.maxnum); 02084 if(!ttl_array) 02085 { 02086 rsbac_vfree(user_array); 02087 return -RSBAC_ENOMEM; 02088 } 02089 02090 err = rsbac_acl_get_group_members(arg.get_group_members.group, 02091 user_array, 02092 ttl_array, 02093 arg.get_group_members.maxnum); 02094 if(err>0) 02095 { 02096 int tmperr; 02097 02098 tmperr = rsbac_put_user((char *)user_array, 02099 (char *)arg.get_group_members.user_array, 02100 err * sizeof(*user_array)); 02101 if(tmperr) 02102 err=tmperr; 02103 if(arg.get_group_members.ttl_array) 02104 { 02105 tmperr = rsbac_put_user((char *)ttl_array, 02106 (char *)arg.get_group_members.ttl_array, 02107 err * sizeof(*ttl_array)); 02108 if(tmperr) 02109 err=tmperr; 02110 } 02111 } 02112 rsbac_vfree(user_array); 02113 rsbac_vfree(ttl_array); 02114 } 02115 break; 02116 02117 default: 02118 break; 02119 } 02120 #ifdef CONFIG_RSBAC_SOFTMODE 02121 if( ( rsbac_softmode 02122 #ifdef CONFIG_RSBAC_SOFTMODE_IND 02123 || rsbac_ind_softmode[ACL] 02124 #endif 02125 ) 02126 && (err == -EPERM) 02127 ) 02128 return 0; 02129 else 02130 #endif 02131 return(err); 02132 }; 02133 02134 /* end of rsbac/adf/acl/syscalls.c */

Generated on Tue Aug 31 10:05:23 2004 for RSBAC by doxygen 1.3.8