/linux-2.6.21.1-rsbac-1.3.4/include/rsbac/adf.h File Reference

#include <linux/init.h>
#include <linux/binfmts.h>
#include <rsbac/types.h>
#include <rsbac/debug.h>
#include <rsbac/fs.h>
#include <linux/types.h>
#include <linux/dcache.h>

Go to the source code of this file.

Functions

void rsbac_init_adf (void) __init
enum rsbac_adf_req_ret_t rsbac_adf_request_int (enum rsbac_adf_request_t request, rsbac_pid_t caller_pid, enum rsbac_target_t target, union rsbac_target_id_t *tid_p, enum rsbac_attribute_t attr, union rsbac_attribute_value_t *attr_val_p, enum rsbac_switch_target_t ignore_module)
static enum rsbac_adf_req_ret_t rsbac_adf_request (enum rsbac_adf_request_t request, rsbac_pid_t caller_pid, enum rsbac_target_t target, union rsbac_target_id_t tid, enum rsbac_attribute_t attr, union rsbac_attribute_value_t attr_val)
int rsbac_adf_set_attr (enum rsbac_adf_request_t, rsbac_pid_t, enum rsbac_target_t, union rsbac_target_id_t, enum rsbac_target_t, union rsbac_target_id_t, enum rsbac_attribute_t, union rsbac_attribute_value_t)
int rsbac_sec_del (struct dentry *dentry_p)
int rsbac_sec_trunc (struct dentry *dentry_p, loff_t new_len, loff_t old_len)
char * rsbac_symlink_redirect (struct dentry *dentry_p, const char *name, u_int maxlen)
int rsbac_cap_check_envp (struct linux_binprm *bprm)
int rsbac_handle_filldir (const struct file *file, const char *name, const unsigned int namlen, const ino_t ino)
int rsbac_set_audit_uid (rsbac_uid_t uid)


Function Documentation

static enum rsbac_adf_req_ret_t rsbac_adf_request ( enum rsbac_adf_request_t  request,
rsbac_pid_t  caller_pid,
enum rsbac_target_t  target,
union rsbac_target_id_t  tid,
enum rsbac_attribute_t  attr,
union rsbac_attribute_value_t  attr_val 
) [inline, static]

Definition at line 50 of file adf.h.

References rsbac_adf_request_int(), and SW_NONE.

Referenced by rsbac_handle_filldir(), rsbac_stats_acl(), rsbac_stats_auth(), rsbac_stats_mac(), rsbac_stats_um(), sys_rsbac_adf_log_switch(), sys_rsbac_auth_add_f_cap(), sys_rsbac_auth_get_f_caplist(), sys_rsbac_auth_get_p_caplist(), sys_rsbac_auth_remove_f_cap(), sys_rsbac_check(), sys_rsbac_get_adf_log(), sys_rsbac_get_attr(), sys_rsbac_get_attr_n(), sys_rsbac_get_switch(), sys_rsbac_net_list_all_template(), sys_rsbac_net_template(), sys_rsbac_remove_target(), sys_rsbac_remove_target_n(), sys_rsbac_set_attr(), sys_rsbac_set_attr_n(), sys_rsbac_stats(), sys_rsbac_stats_pm(), sys_rsbac_switch(), sys_rsbac_um_add_gm(), sys_rsbac_um_add_group(), sys_rsbac_um_add_user(), sys_rsbac_um_auth_name(), sys_rsbac_um_auth_uid(), sys_rsbac_um_check_account(), sys_rsbac_um_check_account_name(), sys_rsbac_um_get_gid(), sys_rsbac_um_get_gm_list(), sys_rsbac_um_get_gm_user_list(), sys_rsbac_um_get_group_item(), sys_rsbac_um_get_group_list(), sys_rsbac_um_get_next_user(), sys_rsbac_um_get_uid(), sys_rsbac_um_get_user_item(), sys_rsbac_um_get_user_list(), sys_rsbac_um_group_exists(), sys_rsbac_um_mod_group(), sys_rsbac_um_mod_user(), sys_rsbac_um_remove_gm(), sys_rsbac_um_remove_group(), sys_rsbac_um_remove_user(), sys_rsbac_um_set_group_pass(), sys_rsbac_um_set_pass(), sys_rsbac_um_user_exists(), and sys_rsbac_write().

00056   {
00057     return rsbac_adf_request_int(request,
00058                                  caller_pid,
00059                                  target,
00060                                  &tid,
00061                                  attr,
00062                                  &attr_val,
00063                                  SW_NONE);
00064   }

enum rsbac_adf_req_ret_t rsbac_adf_request_int ( enum rsbac_adf_request_t  request,
rsbac_pid_t  caller_pid,
enum rsbac_target_t  target,
union rsbac_target_id_t tid_p,
enum rsbac_attribute_t  attr,
union rsbac_attribute_value_t attr_val_p,
enum rsbac_switch_target_t  ignore_module 
)

Definition at line 165 of file adf_main.c.

References A_audit_uid, A_local_log_array_high, A_local_log_array_low, A_log_array_high, A_log_array_low, A_log_program_based, A_log_user_based, A_none, A_pseudo, A_remote_ip, A_remote_log_array_high, A_remote_log_array_low, adf_and_plus(), rsbac_attribute_value_t::audit_uid, DO_NOT_CARE, rsbac_attribute_value_t::dummy, FALSE, get_attribute_name(), get_attribute_value_name(), get_request_name(), get_result_name(), get_target_name(), GRANTED, LL_denied, LL_full, LL_request, rsbac_net_obj_desc_t::local_temp, rsbac_attribute_value_t::log_array_high, rsbac_attribute_value_t::log_array_low, rsbac_attribute_value_t::log_program_based, rsbac_attribute_value_t::log_user_based, rsbac_target_id_t::netobj, NIPQUAD, NOT_GRANTED, NULL, rsbac_attribute_value_t::owner, rsbac_target_id_t::process, rsbac_attribute_value_t::pseudo, R_CHANGE_DAC_EFF_GROUP, R_CHANGE_DAC_EFF_OWNER, R_CHANGE_DAC_FS_GROUP, R_CHANGE_DAC_FS_OWNER, R_CHANGE_GROUP, R_CHANGE_OWNER, R_CHDIR, R_CLOSE, R_GET_PERMISSIONS_DATA, R_GET_STATUS_DATA, R_NONE, R_READ, R_READ_ATTRIBUTE, R_SEARCH, R_TERMINATE, rsbac_attribute_value_t::remote_ip, rsbac_net_obj_desc_t::remote_temp, rsbac_adf_request_acl(), rsbac_adf_request_auth(), rsbac_adf_request_cap(), rsbac_adf_request_check(), rsbac_adf_request_count, rsbac_adf_request_daz(), rsbac_adf_request_ff(), rsbac_adf_request_int(), rsbac_adf_request_jail(), rsbac_adf_request_mac(), rsbac_adf_request_pax(), rsbac_adf_request_pm(), rsbac_adf_request_rc(), rsbac_adf_request_reg(), rsbac_adf_request_res(), RSBAC_EINVALIDDEV, rsbac_get_attr, rsbac_get_full_path(), rsbac_get_super_block(), rsbac_is_initialized(), rsbac_kfree(), rsbac_kmalloc(), rsbac_log_levels, RSBAC_MAXNAMELEN, rsbac_min, rsbac_net_remote_request(), RSBAC_NO_USER, rsbac_printk(), rsbac_remove_target, RSBAC_REQUEST_VECTOR, rsbac_ta_net_lookup_templates(), rsbac_um_group_exists(), rsbac_um_user_exists(), SW_ACL, SW_AUTH, SW_CAP, SW_DAZ, SW_FF, SW_GEN, SW_JAIL, SW_MAC, SW_NONE, SW_PAX, SW_PM, SW_RC, SW_REG, SW_RES, T_DEV, T_DIR, T_FIFO, T_FILE, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NONE, T_PROCESS, T_SYMLINK, T_UNIXSOCK, T_USER, TRUE, UNDEFINED, and rsbac_target_id_t::user.

Referenced by rsbac_adf_request(), rsbac_adf_request_int(), and rsbac_pm().

00172   {
00173     union rsbac_target_id_t        i_tid;
00174     union rsbac_attribute_value_t  i_attr_val;
00175           rsbac_uid_t              owner=0;
00176     int tmperr=0;
00177     rsbac_request_vector_t      request_vector;
00178     enum rsbac_adf_req_ret_t   result = DO_NOT_CARE;
00179 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00180     enum rsbac_adf_req_ret_t   ret_result = DO_NOT_CARE;
00181 #endif
00182 #ifndef CONFIG_RSBAC_MAINT
00183     enum rsbac_adf_req_ret_t   mod_result[SW_NONE + 1] = {
00184                                    DO_NOT_CARE,
00185                                    DO_NOT_CARE,
00186                                    DO_NOT_CARE,
00187                                    DO_NOT_CARE,
00188                                    DO_NOT_CARE,
00189                                    DO_NOT_CARE,
00190                                    DO_NOT_CARE,
00191                                    DO_NOT_CARE,
00192                                    DO_NOT_CARE,
00193                                    DO_NOT_CARE,
00194                                    DO_NOT_CARE,
00195                                    DO_NOT_CARE,
00196                                    DO_NOT_CARE,
00197                                    DO_NOT_CARE,
00198                                    DO_NOT_CARE,
00199                                    DO_NOT_CARE,
00200                                    DO_NOT_CARE,
00201                                    DO_NOT_CARE
00202                                  };
00203 #endif
00204     rsbac_boolean_t do_log = FALSE;
00205     rsbac_boolean_t log_on_request = TRUE;
00206 /* only if individual logging is enabled */
00207 #if defined(CONFIG_RSBAC_IND_LOG) || defined(CONFIG_RSBAC_IND_NETDEV_LOG) || defined(CONFIG_RSBAC_IND_NETOBJ_LOG)
00208     union rsbac_attribute_value_t  i_attr_val2;
00209     enum rsbac_log_level_t log_level;
00210 #endif
00211     struct super_block * sb_p;
00212 #ifdef CONFIG_RSBAC_SOFTMODE
00213     rsbac_boolean_t rsbac_internal = FALSE;
00214 #endif
00215 
00216 /* No decision possible before init (called at boot time) -> don't care */
00217     if (!rsbac_is_initialized())
00218       return(DO_NOT_CARE);
00219 
00220 /* Always granted for kernel (pid 0) and logging daemon */
00221     if (   !caller_pid
00222         #if defined(CONFIG_RSBAC_LOG_REMOTE)
00223         || (caller_pid == rsbaclogd_pid)
00224         #endif
00225        )
00226       return(GRANTED);
00227 
00228 /* Checking base values */
00229     if(   request >= R_NONE
00230        || target > T_NONE
00231        || attr > A_none)
00232       {
00233         rsbac_printk(KERN_WARNING
00234                "rsbac_adf_request_int(): called with invalid request, target or attribute\n");
00235         return(NOT_GRANTED);
00236       }
00237     request_vector = RSBAC_REQUEST_VECTOR(request);
00238 
00239     if (in_interrupt())
00240       {
00241         char * request_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00242 
00243         if(request_name)
00244           {
00245             get_request_name(request_name, request);
00246             rsbac_printk(KERN_WARNING "rsbac_adf_request_int(): called from interrupt: request %s, pid %u, attr_val %u!\n",
00247                    request_name, caller_pid, attr_val_p->dummy);
00248             kfree(request_name);
00249           }
00250         else
00251           {
00252             rsbac_printk(KERN_WARNING "rsbac_adf_request_int(): called from interrupt: request %u, pid %u!\n",
00253                    request, caller_pid);
00254           }
00255 //        return DO_NOT_CARE;
00256       }
00257 
00258 /* Getting basic information about this request */
00259 
00260     /* only useful for real process, not idle or init */
00261     if (caller_pid > 1)
00262       {
00263         tmperr = rsbac_get_owner(&owner);
00264         if(tmperr)
00265           {
00266             rsbac_printk(KERN_DEBUG
00267                    "rsbac_adf_request_int(): caller_pid %i, RSBAC not initialized, returning DO_NOT_CARE\n",
00268                    caller_pid);
00269             return DO_NOT_CARE;      /* Startup-Sequence (see above) */
00270           }
00271       }
00272     else  /* caller_pid = 1 -> init, always owned by root */
00273       owner = 0;
00274 
00275 
00276 /******************************************************/
00277 /* General work for all modules - before module calls */
00278     /* test target on rsbac_internal */
00279     switch(target)
00280       {
00281         case T_FILE:
00282         case T_DIR:
00283         case T_FIFO:
00284         case T_SYMLINK:
00285 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
00286           if (   ((sb_p = rsbac_get_super_block(tid_p->file.device)))
00287               && (   (sb_p->s_magic == NFS_SUPER_MAGIC)
00288                   || (sb_p->s_magic == CODA_SUPER_MAGIC)
00289                   || (sb_p->s_magic == NCP_SUPER_MAGIC)
00290                   || (sb_p->s_magic == SMB_SUPER_MAGIC)
00291                  )
00292              )
00293             {
00294               result = DO_NOT_CARE;
00295               goto log;
00296             }
00297 #endif
00298           /* No decision on pseudo pipefs */
00299           if(   (target == T_FIFO)
00300              && ((sb_p = rsbac_get_super_block(tid_p->file.device)))
00301              && (sb_p->s_magic == PIPEFS_MAGIC)
00302             )
00303             return DO_NOT_CARE;
00304 
00305           switch(request)
00306             {
00307               case R_GET_STATUS_DATA:
00308               case R_GET_PERMISSIONS_DATA:
00309               case R_READ_ATTRIBUTE:
00310 #ifdef CONFIG_RSBAC_DAT_VISIBLE
00311               case R_SEARCH:
00312               case R_READ:
00313               case R_CLOSE:
00314               case R_CHDIR:
00315 #endif
00316                 break;
00317 
00318               default:
00319                 if ((tmperr = rsbac_get_attr(SW_GEN,
00320                                              target,
00321                                              *tid_p,
00322                                              A_internal,
00323                                              &i_attr_val,
00324                                              TRUE) ))
00325                   {
00326                     if(tmperr == -RSBAC_EINVALIDDEV)
00327                       {
00328 //                        rsbac_ds_get_error_num("rsbac_adf_request()", A_internal, tmperr);
00329                         return(DO_NOT_CARE);  /* last calls on shutdown */
00330                       }
00331                     else
00332                       {
00333                         rsbac_ds_get_error_num("rsbac_adf_request()", A_internal, tmperr);
00334                         return(NOT_GRANTED);  /* something weird happened */
00335                       }
00336                   }
00337                 /* no access to rsbac_internal objects is granted in any case */
00338                 if (i_attr_val.internal)
00339                   {
00340                     rsbac_printk(KERN_WARNING
00341                            "rsbac_adf_request(): trial to access object declared RSBAC-internal!\n");
00342                     result = NOT_GRANTED;
00343                     #ifndef CONFIG_RSBAC_MAINT
00344                     mod_result[SW_NONE] = NOT_GRANTED;
00345                     #endif
00346                     #ifdef CONFIG_RSBAC_SOFTMODE
00347                     #ifdef CONFIG_RSBAC_SOFTMODE_IND
00348                     ret_result = NOT_GRANTED;
00349                     #endif
00350                     rsbac_internal = TRUE;
00351                     #endif
00352                   }
00353             }
00354           break;
00355 
00356 #if defined(CONFIG_RSBAC_UM_EXCL)
00357         case T_PROCESS:
00358           switch(request)
00359             {
00360               case R_CHANGE_OWNER:
00361 #ifdef CONFIG_RSBAC_DAC_OWNER
00362               case R_CHANGE_DAC_EFF_OWNER:
00363               case R_CHANGE_DAC_FS_OWNER:
00364 #endif
00365                 if(   (attr == A_owner)
00366                    && !rsbac_um_no_excl
00367                    && !rsbac_um_user_exists(0, attr_val_p->owner)
00368                   )
00369                   {
00370                     rsbac_printk(KERN_INFO
00371                                  "rsbac_adf_request(): uid %u not known to RSBAC User Management!\n",
00372                                  attr_val_p->owner);
00373                     result = adf_and_plus(result, NOT_GRANTED);
00374 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00375                     ret_result = adf_and_plus(ret_result, NOT_GRANTED);
00376 #endif
00377                   }
00378                 break;
00379 
00380               case R_CHANGE_GROUP:
00381 #ifdef CONFIG_RSBAC_DAC_OWNER
00382               case R_CHANGE_DAC_EFF_GROUP:
00383               case R_CHANGE_DAC_FS_GROUP:
00384 #endif
00385                 if(   (attr == A_group)
00386                    && !rsbac_um_no_excl
00387                    && !rsbac_um_group_exists(0, attr_val_p->group)
00388                   )
00389                   {
00390                     rsbac_printk(KERN_INFO
00391                                  "rsbac_adf_request(): gid %u not known to RSBAC User Management!\n",
00392                                  attr_val_p->group);
00393                     result = adf_and_plus(result, NOT_GRANTED);
00394 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00395                     ret_result = adf_and_plus(ret_result, NOT_GRANTED);
00396 #endif
00397                   }
00398                 break;
00399 
00400               default:
00401                 break;
00402             }
00403           break;
00404 #endif /* UM_EXCL */
00405 
00406 #ifdef CONFIG_RSBAC_NET_OBJ
00407 #if defined(CONFIG_RSBAC_IND_NETOBJ_LOG) || defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_RC)
00408         case T_NETOBJ:
00409                 if(rsbac_net_remote_request(request)) {
00410                         tid_p->netobj.local_temp = 0;
00411                         rsbac_ta_net_lookup_templates(0,
00412                                                       &tid_p->
00413                                                       netobj, NULL,
00414                                                       &tid_p->netobj.remote_temp);
00415                 } else {
00416                         tid_p->netobj.remote_temp = 0;
00417                         rsbac_ta_net_lookup_templates(0,
00418                                                       &tid_p->
00419                                                       netobj,
00420                                                       &tid_p->netobj.local_temp,
00421                                                       NULL);
00422                 }
00423 #endif
00424 #endif
00425 
00426         default:
00427           break;
00428       }
00429       
00430 /**********************************************************/
00431 /* calling all decision modules, building a common result */
00432 
00433 #ifdef CONFIG_RSBAC_DEBUG
00434 /* first, check for valid request/target combination      */
00435 /* (undefined should only happen in _check and means a real bug!) */
00436   result = adf_and_plus(result,rsbac_adf_request_check(request,
00437                                                        caller_pid,
00438                                                        target,
00439                                                        tid_p,
00440                                                        attr,
00441                                                        attr_val_p,
00442                                                        owner) );
00443 #endif
00444 
00445 #if !defined(CONFIG_RSBAC_MAINT)
00446 /******* MAC ********/
00447 #if defined(CONFIG_RSBAC_MAC)
00448 #ifdef CONFIG_RSBAC_SWITCH_MAC
00449 if (rsbac_switch_mac)
00450 #endif
00451   /* no need to call module, if to be ignored */
00452   if(ignore_module != SW_MAC && (request_vector & RSBAC_MAC_REQUEST_VECTOR)) {
00453         mod_result[SW_MAC] = rsbac_adf_request_mac(request,
00454                                               caller_pid,
00455                                               target,
00456                                               *tid_p,
00457                                               attr,
00458                                               *attr_val_p,
00459                                               owner);
00460         result = adf_and_plus(result, mod_result[SW_MAC]);
00461 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00462         if(!rsbac_ind_softmode[SW_MAC])
00463           ret_result = adf_and_plus(ret_result, mod_result[SW_MAC]);
00464 #endif
00465     }
00466 #endif  /* MAC */
00467 
00468 /******* PM ********/
00469 #if defined(CONFIG_RSBAC_PM)
00470 #ifdef CONFIG_RSBAC_SWITCH_PM
00471 if (rsbac_switch_pm)
00472 #endif
00473   /* no need to call module, if to be ignored */
00474   if(ignore_module != SW_PM && (request_vector & RSBAC_PM_REQUEST_VECTOR))
00475     {
00476       mod_result[SW_PM]  = rsbac_adf_request_pm (request,
00477                                               caller_pid,
00478                                               target,
00479                                               *tid_p,
00480                                               attr,
00481                                               *attr_val_p,
00482                                               owner);
00483       result = adf_and_plus(result, mod_result[SW_PM]);
00484 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00485       if(!rsbac_ind_softmode[SW_PM])
00486         ret_result = adf_and_plus(ret_result, mod_result[SW_PM]);
00487 #endif
00488     }
00489 #endif  /* PM */
00490 
00491 /******* DAZ ********/
00492 #if defined(CONFIG_RSBAC_DAZ)
00493 #ifdef CONFIG_RSBAC_SWITCH_DAZ
00494 if (rsbac_switch_daz)
00495 #endif
00496   /* no need to call module, if to be ignored */
00497   if(ignore_module != SW_DAZ && (request_vector & RSBAC_DAZ_REQUEST_VECTOR))
00498     {
00499       mod_result[SW_DAZ]  = rsbac_adf_request_daz (request,
00500                                               caller_pid,
00501                                               target,
00502                                               *tid_p,
00503                                               attr,
00504                                               *attr_val_p,
00505                                               owner);
00506       result = adf_and_plus(result, mod_result[SW_DAZ]);
00507 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00508       if(!rsbac_ind_softmode[SW_DAZ])
00509         ret_result = adf_and_plus(ret_result, mod_result[SW_DAZ]);
00510 #endif
00511     }
00512 #endif  /* DAZ */
00513 
00514 /******* FF ********/
00515 #if defined(CONFIG_RSBAC_FF)
00516 #ifdef CONFIG_RSBAC_SWITCH_FF
00517 if (rsbac_switch_ff)
00518 #endif
00519   /* no need to call module, if to be ignored */
00520   if(ignore_module != SW_FF && (request_vector & RSBAC_FF_REQUEST_VECTOR))
00521     {
00522       mod_result[SW_FF]  = rsbac_adf_request_ff (request,
00523                                               caller_pid,
00524                                               target,
00525                                               *tid_p,
00526                                               attr,
00527                                               *attr_val_p,
00528                                               owner);
00529       result = adf_and_plus(result, mod_result[SW_FF]);
00530 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00531       if(!rsbac_ind_softmode[SW_FF])
00532         ret_result = adf_and_plus(ret_result, mod_result[SW_FF]);
00533 #endif
00534     }
00535 #endif  /* FF */
00536 
00537 /******* RC ********/
00538 #if defined(CONFIG_RSBAC_RC)
00539 #ifdef CONFIG_RSBAC_SWITCH_RC
00540 if (rsbac_switch_rc)
00541 #endif
00542   /* no need to call module, if to be ignored */
00543   if(ignore_module != SW_RC)
00544     {
00545       mod_result[SW_RC]  = rsbac_adf_request_rc (request,
00546                                               caller_pid,
00547                                               target,
00548                                               *tid_p,
00549                                               attr,
00550                                               *attr_val_p,
00551                                               owner);
00552       result = adf_and_plus(result, mod_result[SW_RC]);
00553 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00554       if(!rsbac_ind_softmode[SW_RC])
00555         ret_result = adf_and_plus(ret_result, mod_result[SW_RC]);
00556 #endif
00557     }
00558 #endif  /* RC */
00559 
00560 /****** AUTH *******/
00561 #if defined(CONFIG_RSBAC_AUTH)
00562 #ifdef CONFIG_RSBAC_SWITCH_AUTH
00563 if (rsbac_switch_auth)
00564 #endif
00565   /* no need to call module, if to be ignored */
00566   if(ignore_module != SW_AUTH && (request_vector & RSBAC_AUTH_REQUEST_VECTOR))
00567     {
00568       mod_result[SW_AUTH]= rsbac_adf_request_auth(request,
00569                                               caller_pid,
00570                                               target,
00571                                               *tid_p,
00572                                               attr,
00573                                               *attr_val_p,
00574                                               owner);
00575       result = adf_and_plus(result, mod_result[SW_AUTH]);
00576 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00577       if(!rsbac_ind_softmode[SW_AUTH])
00578         ret_result = adf_and_plus(ret_result, mod_result[SW_AUTH]);
00579 #endif
00580     }
00581 #endif  /* AUTH */
00582 
00583 /****** ACL *******/
00584 #if defined(CONFIG_RSBAC_ACL)
00585 #ifdef CONFIG_RSBAC_SWITCH_ACL
00586 if (rsbac_switch_acl)
00587 #endif
00588   /* no need to call module, if to be ignored */
00589   if(ignore_module != SW_ACL)
00590     {
00591       mod_result[SW_ACL] = rsbac_adf_request_acl(request,
00592                                               caller_pid,
00593                                               target,
00594                                               *tid_p,
00595                                               attr,
00596                                               *attr_val_p,
00597                                               owner);
00598       result = adf_and_plus(result, mod_result[SW_ACL]);
00599 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00600       if(!rsbac_ind_softmode[SW_ACL])
00601         ret_result = adf_and_plus(ret_result, mod_result[SW_ACL]);
00602 #endif
00603     }
00604 #endif  /* ACL */
00605 
00606 /****** CAP *******/
00607 #if defined(CONFIG_RSBAC_CAP)
00608 #ifdef CONFIG_RSBAC_SWITCH_CAP
00609 if (rsbac_switch_cap)
00610 #endif
00611   /* no need to call module, if to be ignored */
00612   if(ignore_module != SW_CAP && (request_vector & RSBAC_CAP_REQUEST_VECTOR))
00613     {
00614       mod_result[SW_CAP] = rsbac_adf_request_cap(request,
00615                                               caller_pid,
00616                                               target,
00617                                               *tid_p,
00618                                               attr,
00619                                               *attr_val_p,
00620                                               owner);
00621       result = adf_and_plus(result, mod_result[SW_CAP]);
00622 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00623       if(!rsbac_ind_softmode[SW_CAP])
00624         ret_result = adf_and_plus(ret_result, mod_result[SW_CAP]);
00625 #endif
00626     }
00627 #endif  /* CAP */
00628 
00629 /****** JAIL *******/
00630 #if defined(CONFIG_RSBAC_JAIL)
00631 #ifdef CONFIG_RSBAC_SWITCH_JAIL
00632 if (rsbac_switch_jail)
00633 #endif
00634   /* no need to call module, if to be ignored */
00635   if(ignore_module != SW_JAIL && (request_vector & RSBAC_JAIL_REQUEST_VECTOR))
00636     {
00637       mod_result[SW_JAIL]= rsbac_adf_request_jail(request,
00638                                               caller_pid,
00639                                               target,
00640                                               *tid_p,
00641                                               attr,
00642                                               *attr_val_p,
00643                                               owner);
00644       result = adf_and_plus(result, mod_result[SW_JAIL]);
00645 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00646       if(!rsbac_ind_softmode[SW_JAIL])
00647         ret_result = adf_and_plus(ret_result, mod_result[SW_JAIL]);
00648 #endif
00649     }
00650 #endif  /* JAIL */
00651 
00652 /******* PAX ********/
00653 #if defined(CONFIG_RSBAC_PAX)
00654 #ifdef CONFIG_RSBAC_SWITCH_PAX
00655 if (rsbac_switch_pax)
00656 #endif
00657   /* no need to call module, if to be ignored */
00658   if(ignore_module != SW_PAX && (request_vector & RSBAC_PAX_REQUEST_VECTOR))
00659     {
00660       mod_result[SW_PAX]  = rsbac_adf_request_pax (request,
00661                                               caller_pid,
00662                                               target,
00663                                               *tid_p,
00664                                               attr,
00665                                               *attr_val_p,
00666                                               owner);
00667       result = adf_and_plus(result, mod_result[SW_PAX]);
00668 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00669       if(!rsbac_ind_softmode[SW_PAX])
00670         ret_result = adf_and_plus(ret_result, mod_result[SW_PAX]);
00671 #endif
00672     }
00673 #endif  /* PAX */
00674 
00675 /****** RES *******/
00676 #if defined(CONFIG_RSBAC_RES)
00677 #ifdef CONFIG_RSBAC_SWITCH_RES
00678 if (rsbac_switch_res)
00679 #endif
00680   /* no need to call module, if to be ignored */
00681   if(ignore_module != SW_RES && (request_vector & RSBAC_RES_REQUEST_VECTOR))
00682     {
00683       mod_result[SW_RES] = rsbac_adf_request_res(request,
00684                                               caller_pid,
00685                                               target,
00686                                               *tid_p,
00687                                               attr,
00688                                               *attr_val_p,
00689                                               owner);
00690       result = adf_and_plus(result, mod_result[SW_RES]);
00691 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00692       if(!rsbac_ind_softmode[SW_RES])
00693         ret_result = adf_and_plus(ret_result, mod_result[SW_RES]);
00694 #endif
00695     }
00696 #endif  /* RES */
00697 
00698 /****** REG *******/
00699 #if defined(CONFIG_RSBAC_REG)
00700 if(ignore_module != SW_REG)
00701   {
00702     mod_result[SW_REG]= rsbac_adf_request_reg (request,
00703                                             caller_pid,
00704                                             target,
00705                                             *tid_p,
00706                                             attr,
00707                                             *attr_val_p,
00708                                             owner);
00709     result = adf_and_plus(result, mod_result[SW_REG]);
00710 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00711     if(!rsbac_ind_softmode[SW_REG])
00712       ret_result = adf_and_plus(ret_result, mod_result[SW_REG]);
00713 #endif
00714   }
00715 #endif  /* REG */
00716 
00717 #endif /* !MAINT */
00718 
00719 /****************************/
00720 
00721 #if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET)
00722     if(    rsbac_debug_adf_net
00723        && (   (target == T_NETDEV)
00724            || (target == T_NETTEMP)
00725            || (target == T_NETOBJ)
00726           )
00727       )
00728       do_log = TRUE;
00729 #endif
00730 
00731 /* log based on process owner */
00732 #ifdef CONFIG_RSBAC_IND_USER_LOG
00733     i_tid.user = owner;
00734     if (rsbac_get_attr(SW_GEN,
00735                        T_USER,
00736                        i_tid,
00737                        A_log_user_based,
00738                        &i_attr_val,
00739                        FALSE))
00740       {
00741         rsbac_ds_get_error("rsbac_adf_request()", A_log_user_based);
00742       }
00743     else
00744       {
00745         if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_user_based)
00746           do_log = TRUE;
00747       }
00748 #endif /* CONFIG_RSBAC_IND_USER_LOG */
00749 
00750 /* log based on program */
00751 #ifdef CONFIG_RSBAC_IND_PROG_LOG
00752     if(!do_log)
00753       {
00754         i_tid.process = caller_pid;
00755         if (rsbac_get_attr(SW_GEN,
00756                            T_PROCESS,
00757                            i_tid,
00758                            A_log_program_based,
00759                            &i_attr_val,
00760                            FALSE))
00761           {
00762             rsbac_ds_get_error("rsbac_adf_request()", A_log_program_based);
00763           }
00764         else
00765           {
00766             if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_program_based) 
00767               do_log = TRUE;
00768           }
00769       }
00770 #endif /* CONFIG_RSBAC_IND_PROG_LOG */
00771 
00772 /*****************************************************/
00773 /* General work for all modules - after module calls */
00774 /* Note: the process' individual logging attributes are needed above */
00775     switch(request)
00776       {
00777         case R_TERMINATE:
00778             if (target == T_PROCESS)
00779               rsbac_remove_target(T_PROCESS,*tid_p);
00780             break;
00781 
00782 #ifdef CONFIG_RSBAC_USER_CHOWN
00783         case R_CHANGE_OWNER:
00784                 if (target == T_PROCESS) {
00785                         i_tid.user = attr_val_p->owner;
00786                         i_attr_val.process = tid_p->process;
00787                         result = adf_and_plus(result,
00788                                 rsbac_adf_request_int(request,
00789                                         caller_pid,
00790                                         T_USER,
00791                                         &i_tid,
00792                                         A_process,
00793                                         &i_attr_val,
00794                                         ignore_module));
00795                 }
00796                 break;
00797 #endif
00798 
00799         default:
00800             break;
00801       }
00802 
00803 /* logging request on info level, if requested by file/dir/dev attributes */
00804 /* log_array_low/high, or, if that is requested, if enabled for this request */
00805 /* type (attributes state level, or that request based level is to be taken) */
00806 /* loglevel 2: log everything */
00807 /* loglevel 1: log, if denied */
00808 /* loglevel 0: log nothing */
00809 
00810 #ifdef CONFIG_RSBAC_IND_LOG /* only if individual logging is enabled */
00811     /* if file/dir/dev, depend log on log_arrays */
00812     /* (but not for file.device = 0) */
00813     /* log_on_request is TRUE */
00814     if(   !do_log
00815        && (   (   (   (target == T_FILE)
00816                    || (target == T_DIR)
00817                    || (target == T_FIFO)
00818                    || (target == T_SYMLINK)
00819                    || (target == T_UNIXSOCK)
00820                   )
00821                && RSBAC_MAJOR(tid_p->file.device)
00822                && RSBAC_MINOR(tid_p->file.device)
00823               )
00824            || (target == T_DEV)
00825           )
00826       )
00827       {
00828         if (rsbac_get_attr(SW_GEN,
00829                            target,
00830                            *tid_p,
00831                            A_log_array_low,
00832                            &i_attr_val,
00833                            FALSE))
00834           {
00835             rsbac_ds_get_error("rsbac_adf_request()", A_log_array_low);
00836           }
00837         else
00838           {
00839             if (rsbac_get_attr(SW_GEN,
00840                                target,
00841                                *tid_p,
00842                                A_log_array_high,
00843                                &i_attr_val2,
00844                                FALSE))
00845               {
00846                 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_high);
00847               }
00848             else
00849               { /* ll = low-bit for request | (high-bit for request as bit 1) */
00850                 /* WARNING: we deal with u64 here, only logical operations and */
00851                 /* shifts work correctly! */
00852                 log_level =   ((i_attr_val.log_array_low   >> request) & 1)
00853                           | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
00854                 if (   log_level == LL_full
00855                     || (   log_level == LL_denied
00856                         && (result == NOT_GRANTED
00857                             || result == UNDEFINED)) )
00858                   {
00859                     do_log = TRUE;
00860                   }
00861                 if(log_level != LL_request)
00862                   log_on_request = FALSE;
00863               }
00864           }
00865       }
00866 #endif /* CONFIG_RSBAC_IND_LOG */
00867 
00868 #ifdef CONFIG_RSBAC_IND_NETDEV_LOG /* only if individual logging for netdev is enabled */
00869     /* if netdev, depend log on log_arrays */
00870     /* log_on_request is TRUE */
00871     if(   !do_log
00872        && (target == T_NETDEV)
00873       )
00874       {
00875         if (rsbac_get_attr(SW_GEN,
00876                            target,
00877                            *tid_p,
00878                            A_log_array_low,
00879                            &i_attr_val,
00880                            FALSE))
00881           {
00882             rsbac_ds_get_error("rsbac_adf_request()", A_log_array_low);
00883           }
00884         else
00885           {
00886             if (rsbac_get_attr(SW_GEN,
00887                                target,
00888                                *tid_p,
00889                                A_log_array_high,
00890                                &i_attr_val2,
00891                                FALSE))
00892               {
00893                 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_high);
00894               }
00895             else
00896               { /* ll = low-bit for request | (high-bit for request as bit 1) */
00897                 /* WARNING: we deal with u64 here, only logical operations and */
00898                 /* shifts work correctly! */
00899                 log_level =   ((i_attr_val.log_array_low   >> request) & 1)
00900                           | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
00901                 if (   log_level == LL_full
00902                     || (   log_level == LL_denied
00903                         && (result == NOT_GRANTED
00904                             || result == UNDEFINED)) )
00905                   {
00906                     do_log = TRUE;
00907                   }
00908                 if(log_level != LL_request)
00909                   log_on_request = FALSE;
00910               }
00911           }
00912       }
00913 #endif /* CONFIG_RSBAC_IND_NETDEV_LOG */
00914 
00915 #ifdef CONFIG_RSBAC_IND_NETOBJ_LOG /* only if individual logging for net objects is enabled */
00916     /* if nettemp, netobj, depend log on log_arrays */
00917     /* (but not for file.device = 0) */
00918     /* log_on_request is TRUE */
00919     if(   !do_log
00920        && (   (target == T_NETTEMP)
00921            || (target == T_NETOBJ)
00922           )
00923       )
00924       {
00925         enum rsbac_attribute_t i_attr1, i_attr2;
00926 
00927         if(target == T_NETOBJ)
00928           {
00929             if(rsbac_net_remote_request(request))
00930               {
00931                 i_attr1 = A_remote_log_array_low;
00932                 i_attr2 = A_remote_log_array_high;
00933               }
00934             else
00935               {
00936                 i_attr1 = A_local_log_array_low;
00937                 i_attr2 = A_local_log_array_high;
00938               }
00939           }
00940         else
00941           {
00942             i_attr1 = A_log_array_low;
00943             i_attr2 = A_log_array_high;
00944           }
00945         if (rsbac_get_attr(SW_GEN,
00946                            target,
00947                            *tid_p,
00948                            i_attr1,
00949                            &i_attr_val,
00950                            FALSE))
00951           {
00952             rsbac_ds_get_error("rsbac_adf_request()", i_attr1);
00953           }
00954         else
00955           {
00956             if (rsbac_get_attr(SW_GEN,
00957                                target,
00958                                *tid_p,
00959                                i_attr2,
00960                                &i_attr_val2,
00961                                FALSE))
00962               {
00963                 rsbac_ds_get_error("rsbac_adf_request()", i_attr2);
00964               }
00965             else
00966               { /* ll = low-bit for request | (high-bit for request as bit 1) */
00967                 /* WARNING: we deal with u64 here, only logical operations and */
00968                 /* shifts work correctly! */
00969                 log_level =   ((i_attr_val.log_array_low   >> request) & 1)
00970                           | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
00971                 if (   log_level == LL_full
00972                     || (   log_level == LL_denied
00973                         && (result == NOT_GRANTED
00974                             || result == UNDEFINED)) )
00975                   {
00976                     do_log = TRUE;
00977                   }
00978                 if(log_level != LL_request)
00979                   log_on_request = FALSE;
00980               }
00981           }
00982       }
00983 #endif /* CONFIG_RSBAC_IND_NETOBJ_LOG */
00984 
00985 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
00986 log:
00987 #endif
00988     /* if enabled, try request based log level */
00989     if (   !do_log
00990         && log_on_request
00991         && (   rsbac_log_levels[request][target] == LL_full
00992             || (   rsbac_log_levels[request][target] == LL_denied
00993                 && (result == NOT_GRANTED
00994                     || result == UNDEFINED)) ) )
00995       do_log = TRUE;
00996 
00997     if(do_log)
00998       {
00999         char * request_name;
01000         char * res_name;
01001         char * res_mods;
01002         char * target_type_name;
01003         char * target_id_name;
01004         char * attr_name;
01005         char * attr_val_name;
01006 #ifdef CONFIG_RSBAC_NET_OBJ
01007         char * remote_ip_name;
01008 #else
01009         char remote_ip_name[1];
01010 #endif
01011         char * audit_uid_name;
01012         char  command[17];
01013         rsbac_pid_t parent_pid = 0;
01014         rsbac_uid_t audit_uid;
01015 #ifdef CONFIG_RSBAC_LOG_PSEUDO
01016         rsbac_pseudo_t  pseudo = 0;
01017 #endif
01018         char * program_path;
01019 
01020         /* parent pid */
01021         #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01022         if(current->parent)
01023           parent_pid = current->parent->pid;
01024         #else
01025         if(current->p_pptr)
01026           parent_pid = current->p_pptr->pid;
01027         #endif
01028 
01029         /* rsbac_kmalloc all memory */
01030         request_name = rsbac_kmalloc(32);
01031         res_name = rsbac_kmalloc(32);
01032         res_mods = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01033         target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01034         #ifdef CONFIG_RSBAC_LOG_FULL_PATH
01035         target_id_name
01036          = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
01037            /* max. path name len + some extra */
01038         #else
01039         target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
01040            /* max. file name len + some extra */
01041         #endif
01042         #ifdef CONFIG_RSBAC_LOG_PROGRAM_FILE
01043         #ifdef CONFIG_RSBAC_LOG_FULL_PATH
01044         program_path
01045          = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
01046            /* max. path name len + some extra */
01047         #else
01048         program_path = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
01049            /* max. file name len + some extra */
01050         #endif
01051         #else
01052         program_path = rsbac_kmalloc(2);
01053         #endif
01054         attr_name = rsbac_kmalloc(32);
01055         attr_val_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01056 #ifdef CONFIG_RSBAC_NET_OBJ
01057         remote_ip_name = rsbac_kmalloc(32);
01058 #endif
01059         audit_uid_name = rsbac_kmalloc(32);
01060 
01061         request_name[0] = (char) 0;
01062         target_type_name[0] = (char) 0;
01063         target_id_name[0] = (char) 0;
01064         program_path[0] = (char) 0;
01065         attr_name[0] = (char) 0;
01066         attr_val_name[0] = (char) 0;
01067         remote_ip_name[0] = (char) 0;
01068         audit_uid_name[0] = (char) 0;
01069         res_name[0] = (char) 0;
01070         res_mods[0] = (char) 0;
01071         command[0] = (char) 0;
01072         get_request_name(request_name, request);
01073     #if !defined(CONFIG_RSBAC_MAINT)
01074 /*
01075         if(result == mod_result[SW_NONE])
01076           {
01077             strcat(res_mods, " SW_GEN");
01078           }
01079 */
01080     #if defined(CONFIG_RSBAC_MAC)
01081         if(result == mod_result[SW_MAC])
01082           {
01083             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01084             if(rsbac_ind_softmode[SW_MAC])
01085               strcat(res_mods, " MAC(Softmode)");
01086             else
01087             #endif
01088               strcat(res_mods, " MAC");
01089           }
01090     #endif
01091     #if defined(CONFIG_RSBAC_PM)
01092         if(result == mod_result[SW_PM])
01093           {
01094             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01095             if(rsbac_ind_softmode[SW_PM])
01096               strcat(res_mods, " PM(Softmode)");
01097             else
01098             #endif
01099               strcat(res_mods, " PM");
01100           }
01101     #endif
01102     #if defined(CONFIG_RSBAC_DAZ)
01103         if(result == mod_result[SW_DAZ])
01104           {
01105             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01106             if(rsbac_ind_softmode[SW_DAZ])
01107               strcat(res_mods, " DAZ(Softmode)");
01108             else
01109             #endif
01110               strcat(res_mods, " DAZ");
01111           }
01112     #endif
01113     #ifdef CONFIG_RSBAC_FF
01114         if(result == mod_result[SW_FF])
01115           {
01116             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01117             if(rsbac_ind_softmode[SW_FF])
01118               strcat(res_mods, " FF(Softmode)");
01119             else
01120             #endif
01121               strcat(res_mods, " FF");
01122           }
01123     #endif
01124     #ifdef CONFIG_RSBAC_RC
01125         if(result == mod_result[SW_RC])
01126           {
01127             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01128             if(rsbac_ind_softmode[SW_RC])
01129               strcat(res_mods, " RC(Softmode)");
01130             else
01131             #endif
01132               strcat(res_mods, " RC");
01133           }
01134     #endif
01135     #ifdef CONFIG_RSBAC_AUTH
01136         if(result == mod_result[SW_AUTH])
01137           {
01138             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01139             if(rsbac_ind_softmode[SW_AUTH])
01140               strcat(res_mods, " AUTH(Softmode)");
01141             else
01142             #endif
01143               strcat(res_mods, " AUTH");
01144           }
01145     #endif
01146     #ifdef CONFIG_RSBAC_ACL
01147         if(result == mod_result[SW_ACL])
01148           {
01149             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01150             if(rsbac_ind_softmode[SW_ACL])
01151               strcat(res_mods, " ACL(Softmode)");
01152             else
01153             #endif
01154               strcat(res_mods, " ACL");
01155           }
01156     #endif
01157     #ifdef CONFIG_RSBAC_CAP
01158         if(result == mod_result[SW_CAP])
01159           {
01160             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01161             if(rsbac_ind_softmode[SW_CAP])
01162               strcat(res_mods, " CAP(Softmode)");
01163             else
01164             #endif
01165               strcat(res_mods, " CAP");
01166           }
01167     #endif
01168     #ifdef CONFIG_RSBAC_JAIL
01169         if(result == mod_result[SW_JAIL])
01170           {
01171             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01172             if(rsbac_ind_softmode[SW_JAIL])
01173               strcat(res_mods, " JAIL(Softmode)");
01174             else
01175             #endif
01176               strcat(res_mods, " JAIL");
01177           }
01178     #endif
01179     #ifdef CONFIG_RSBAC_RES
01180         if(result == mod_result[SW_RES])
01181           {
01182             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01183             if(rsbac_ind_softmode[SW_RES])
01184               strcat(res_mods, " RES(Softmode)");
01185             else
01186             #endif
01187               strcat(res_mods, " RES");
01188           }
01189     #endif
01190     #ifdef CONFIG_RSBAC_REG
01191         if(result == mod_result[SW_REG])
01192           {
01193             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01194             if(rsbac_ind_softmode[SW_REG])
01195               strcat(res_mods, " REG(Softmode)");
01196             else
01197             #endif
01198               strcat(res_mods, " REG");
01199           }
01200     #endif
01201     #endif /* !MAINT */
01202         if(!res_mods[0])
01203           strcat(res_mods, " ADF");
01204 
01205         /* Get process audit_uid */
01206         i_tid.process = caller_pid;
01207         if (rsbac_get_attr(SW_GEN,T_PROCESS,i_tid,A_audit_uid,&i_attr_val,FALSE))
01208           {
01209             rsbac_ds_get_error("rsbac_adf_request()", A_audit_uid);
01210             return(NOT_GRANTED);  /* something weird happened */
01211           }
01212         audit_uid = i_attr_val.audit_uid;
01213         if(audit_uid == RSBAC_NO_USER)
01214           audit_uid = owner;
01215         else
01216           sprintf(audit_uid_name, "audit uid %u, ", audit_uid);
01217 #ifdef CONFIG_RSBAC_LOG_PSEUDO
01218         /* Get owner's logging pseudo */
01219         i_tid.user = audit_uid;
01220         if (rsbac_get_attr(SW_GEN,T_USER,i_tid,A_pseudo,&i_attr_val,FALSE))
01221           {
01222             rsbac_ds_get_error("rsbac_adf_request()", A_pseudo);
01223             return(NOT_GRANTED);  /* something weird happened */
01224           }
01225         /* if pseudo is not registered, return attribute value is 0 (see later) */
01226         pseudo = i_attr_val.pseudo;
01227 #endif
01228 
01229 #ifdef CONFIG_RSBAC_NET_OBJ
01230         /* Get process remote_ip */
01231         i_tid.process = caller_pid;
01232         if (rsbac_get_attr(SW_GEN,T_PROCESS,i_tid,A_remote_ip,&i_attr_val,FALSE))
01233           {
01234             rsbac_ds_get_error("rsbac_adf_request()", A_remote_ip);
01235             return(NOT_GRANTED);  /* something weird happened */
01236           }
01237         if(i_attr_val.remote_ip)
01238           sprintf(remote_ip_name, "remote ip %u.%u.%u.%u, ", NIPQUAD(i_attr_val.remote_ip));
01239 #endif
01240 
01241         #ifdef CONFIG_RSBAC_LOG_PROGRAM_FILE
01242         {
01243           struct mm_struct * mm;
01244           struct vm_area_struct * vma;
01245           struct dentry * dentry_p = NULL;
01246 
01247           mm = current->mm;
01248           if(mm)
01249             {
01250               atomic_inc(&mm->mm_users);
01251               if(!down_read_trylock(&mm->mmap_sem))
01252                 goto down_failed;
01253               vma = mm->mmap;
01254               while (vma)
01255                 {
01256                   if(   (vma->vm_flags & VM_EXECUTABLE)
01257                      && vma->vm_file)
01258                     {
01259                       dentry_p = dget(vma->vm_file->f_dentry);
01260                       break;
01261                     }
01262                   vma = vma->vm_next;
01263                 }
01264               up_read(&mm->mmap_sem);
01265               if(dentry_p)
01266                 {
01267                   char * p = program_path;
01268 
01269                   p += sprintf(program_path, ", prog_file ");
01270                   #ifdef CONFIG_RSBAC_LOG_FULL_PATH
01271                   rsbac_get_full_path(dentry_p, p, CONFIG_RSBAC_MAX_PATH_LEN);
01272                   #else
01273                   int namelen = rsbac_min(dentry_p->d_name.len, RSBAC_MAXNAMELEN);
01274 
01275                   strncpy(p, dentry_p->d_name.name, namelen);
01276                   p[namelen]=0;
01277                   #endif
01278                   dput(dentry_p);
01279                 }
01280 down_failed:
01281               mmput(mm);
01282             }
01283         }
01284         #endif
01285         get_target_name(target_type_name, target, target_id_name, *tid_p);
01286         get_attribute_name(attr_name, attr);
01287         get_attribute_value_name(attr_val_name, attr, attr_val_p);
01288         get_result_name(res_name, result);
01289         if ((current) && (current->comm))
01290           {
01291             strncpy(command,current->comm,16);          
01292             command[16] = (char) 0;
01293           }
01294 
01295 #ifdef CONFIG_RSBAC_LOG_PSEUDO
01296         /* if pseudo is set, its value is != 0, else -> use id */
01297         if (pseudo)
01298           {
01299     #ifdef CONFIG_RSBAC_SOFTMODE
01300             if(rsbac_softmode)
01301               rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, pseudo %u, %starget_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n",
01302                            request_name, caller_pid, parent_pid, command, program_path, pseudo, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01303             else
01304     #endif
01305               rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, pseudo %u, %starget_type %s, tid %s, attr %s, value %s, result %s by%s\n",
01306                            request_name, caller_pid, parent_pid, command, program_path, pseudo, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01307           }
01308         else
01309 #endif
01310           {
01311     #ifdef CONFIG_RSBAC_SOFTMODE
01312             if(rsbac_softmode)
01313               rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, %s%starget_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n",
01314                            request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid_name, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01315             else
01316     #endif
01317               rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, %s%starget_type %s, tid %s, attr %s, value %s, result %s by%s\n",
01318                            request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid_name, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01319           }
01320         /* rsbac_kfree all helper mem */
01321         rsbac_kfree(request_name);
01322         rsbac_kfree(res_name);
01323         rsbac_kfree(res_mods);
01324         rsbac_kfree(target_type_name);
01325         rsbac_kfree(target_id_name);
01326         rsbac_kfree(program_path);
01327         rsbac_kfree(attr_name);
01328         rsbac_kfree(attr_val_name);
01329 #ifdef CONFIG_RSBAC_NET_OBJ
01330         rsbac_kfree(remote_ip_name);
01331 #endif
01332         rsbac_kfree(audit_uid_name);
01333       }
01334 
01335 /* UNDEFINED must never be returned -> change result */
01336     if(result == UNDEFINED)
01337       result = NOT_GRANTED;
01338 
01339 /* count */
01340     rsbac_adf_request_count[target]++;
01341 #ifdef CONFIG_RSBAC_XSTATS
01342     rsbac_adf_request_xcount[target][request]++;
01343 #endif
01344 
01345 /* return result */
01346     #ifdef CONFIG_RSBAC_SOFTMODE
01347     if(rsbac_softmode && !rsbac_internal)
01348       return DO_NOT_CARE;
01349     else
01350     #endif
01351     #ifdef CONFIG_RSBAC_SOFTMODE_IND
01352       return ret_result;
01353     #else
01354       return result; /* change for debugging! */
01355     #endif
01356   } /* end of rsbac_adf_request_int() */

int rsbac_adf_set_attr ( enum  rsbac_adf_request_t,
rsbac_pid_t  ,
enum  rsbac_target_t,
union  rsbac_target_id_t,
enum  rsbac_target_t,
union  rsbac_target_id_t,
enum  rsbac_attribute_t,
union  rsbac_attribute_value_t 
)

Definition at line 1367 of file adf_main.c.

References A_audit_uid, A_auid_exempt, A_fake_root_uid, A_log_array_high, A_log_array_low, A_log_program_based, A_log_user_based, A_none, A_pseudo, A_remote_ip, rsbac_attribute_value_t::audit_uid, rsbac_attribute_value_t::auid_exempt, rsbac_attribute_value_t::dummy, rsbac_attribute_value_t::fake_root_uid, FALSE, get_attribute_name(), get_request_name(), get_target_name(), I_anonunix, I_shm, rsbac_ipc_t::id, rsbac_ipc_id_t::id_nr, rsbac_target_id_t::ipc, LL_denied, LL_full, LL_request, rsbac_attribute_value_t::log_array_high, rsbac_attribute_value_t::log_array_low, rsbac_attribute_value_t::log_program_based, rsbac_attribute_value_t::log_user_based, rsbac_target_id_t::netobj, rsbac_target_id_t::process, rsbac_attribute_value_t::pseudo, R_ACCEPT, R_CLONE, R_CLOSE, R_CREATE, R_DELETE, R_EXECUTE, R_NONE, R_RENAME, rsbac_attribute_value_t::remote_ip, rsbac_adf_set_attr_auth(), rsbac_adf_set_attr_cap(), rsbac_adf_set_attr_check(), rsbac_adf_set_attr_count, rsbac_adf_set_attr_daz(), rsbac_adf_set_attr_jail(), rsbac_adf_set_attr_mac(), rsbac_adf_set_attr_pm(), rsbac_adf_set_attr_rc(), rsbac_adf_set_attr_reg(), rsbac_adf_set_attr_res(), RSBAC_EINVALIDVALUE, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_get_super_block(), rsbac_is_initialized(), rsbac_kfree(), rsbac_kmalloc(), rsbac_log_levels, RSBAC_MAXNAMELEN, RSBAC_NO_USER, rsbac_printk(), rsbac_remove_target, RSBAC_REQUEST_VECTOR, rsbac_set_attr, rsbac_net_obj_desc_t::sock_p, SW_GEN, T_DEV, T_DIR, T_FIFO, T_FILE, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NONE, T_PROCESS, T_SYMLINK, T_UNIXSOCK, T_USER, TRUE, rsbac_ipc_t::type, and rsbac_target_id_t::user.

Referenced by sys_rsbac_um_add_group(), sys_rsbac_um_add_user(), sys_rsbac_um_remove_group(), and sys_rsbac_um_remove_user().

01376   {
01377     union rsbac_target_id_t i_tid;
01378     rsbac_uid_t owner;
01379     int   error = 0;
01380     rsbac_request_vector_t      request_vector;
01381     rsbac_boolean_t do_log = FALSE;
01382     rsbac_boolean_t log_on_request = TRUE;
01383     union rsbac_attribute_value_t i_attr_val;
01384 #ifdef CONFIG_RSBAC_IND_LOG
01385     union rsbac_attribute_value_t i_attr_val2;
01386     enum rsbac_log_level_t log_level;
01387 #endif
01388 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
01389     struct super_block * sb_p;
01390 #endif
01391 
01392 /* No attribute setting possible before init (called at boot time) */
01393 
01394    if (!rsbac_is_initialized())
01395       return 0;
01396 
01397 /* kernel (pid 0) is ignored */
01398     if (   !caller_pid
01399         #if defined(CONFIG_RSBAC_LOG_REMOTE)
01400         || (caller_pid == rsbaclogd_pid)
01401         #endif
01402        )
01403       return 0;
01404 
01405 /* Checking base values */
01406     if(   request >= R_NONE
01407        || target > T_NONE
01408        || new_target > T_NONE
01409        || attr > A_none)
01410       {
01411         rsbac_printk(KERN_WARNING
01412                "rsbac_adf_set_attr(): called with invalid request, target or attribute\n");
01413         return(-RSBAC_EINVALIDVALUE);
01414       }
01415     request_vector = RSBAC_REQUEST_VECTOR(request);
01416 
01417 /* Getting basic information about this adf_set_attr-call */
01418 
01419     owner = RSBAC_NO_USER;
01420     /* only useful for real process, not idle or init */
01421     if (caller_pid > 1)
01422       {
01423         error = rsbac_get_owner(&owner);
01424         if(error)
01425           {
01426             rsbac_printk(KERN_DEBUG
01427                    "rsbac_adf_set_attr(): caller_pid %i, RSBAC not initialized, returning 0",
01428                    caller_pid);
01429             return(0);      /* Startup-Sequence (see above) */
01430           }
01431       }
01432     else /* caller_pid = 1  -> init -> owner = root */
01433       owner = 0;
01434 
01435 /*************************************************/
01436 /* General work for all modules - before modules */
01437 #if defined(CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT) || defined(CONFIG_RSBAC_FD_CACHE)
01438     switch (target) {
01439       case T_DIR:
01440 #if defined(CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT)
01441         if ((sb_p = rsbac_get_super_block(tid.file.device))
01442             && (   (sb_p->s_magic == NFS_SUPER_MAGIC)
01443                 || (sb_p->s_magic == CODA_SUPER_MAGIC)
01444                 || (sb_p->s_magic == NCP_SUPER_MAGIC)
01445                 || (sb_p->s_magic == SMB_SUPER_MAGIC)
01446                )
01447         ) {
01448           error = 0;
01449           goto log;
01450         }
01451 #endif
01452 #if defined(CONFIG_RSBAC_FD_CACHE)
01453         if (request == R_RENAME)
01454           rsbac_fd_cache_invalidate_all();
01455 #endif
01456         break;
01457 
01458       case T_FILE:
01459       case T_FIFO:
01460       case T_SYMLINK:
01461       case T_UNIXSOCK:
01462 #if defined(CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT)
01463         if ((sb_p = rsbac_get_super_block(tid.file.device))
01464             && (   (sb_p->s_magic == NFS_SUPER_MAGIC)
01465                 || (sb_p->s_magic == CODA_SUPER_MAGIC)
01466                 || (sb_p->s_magic == NCP_SUPER_MAGIC)
01467                 || (sb_p->s_magic == SMB_SUPER_MAGIC)
01468                )
01469           ) {
01470           error = 0;
01471           goto log;
01472         }
01473 #endif
01474 #if defined(CONFIG_RSBAC_FD_CACHE)
01475         if (request == R_RENAME)
01476           rsbac_fd_cache_invalidate(&tid.file);
01477 #endif
01478         break;
01479 
01480       default:
01481         break;
01482     }
01483 #endif
01484 
01485 /**********************************************************/
01486 /* calling all decision modules, building a common result */
01487 
01488 
01489 #ifdef CONFIG_RSBAC_DEBUG
01490 /* first, check for valid request/target combination      */
01491 error |= rsbac_adf_set_attr_check(request,
01492                                   caller_pid,
01493                                   target,
01494                                   tid,
01495                                   new_target,
01496                                   new_tid,
01497                                   attr,
01498                                   attr_val,
01499                                   owner);
01500 if(error)
01501   goto general_work;
01502 #endif
01503 
01504 #if !defined(CONFIG_RSBAC_MAINT)
01505 /******* MAC ********/
01506 #if defined(CONFIG_RSBAC_MAC)
01507 #ifdef CONFIG_RSBAC_SWITCH_MAC
01508 if (rsbac_switch_mac)
01509 #endif
01510   if(request_vector & RSBAC_MAC_SET_ATTR_VECTOR)
01511     error |= rsbac_adf_set_attr_mac(request,
01512                                   caller_pid,
01513                                   target,
01514                                   tid,
01515                                   new_target,
01516                                   new_tid,
01517                                   attr,
01518                                   attr_val,
01519                                   owner);
01520 #endif  /* MAC */
01521 
01522 /******* PM ********/
01523 #ifdef CONFIG_RSBAC_PM
01524 #ifdef CONFIG_RSBAC_SWITCH_PM
01525 if (rsbac_switch_pm)
01526 #endif
01527   if(request_vector & RSBAC_PM_SET_ATTR_VECTOR)
01528     error |= rsbac_adf_set_attr_pm (request,
01529                                   caller_pid,
01530                                   target,
01531                                   tid,
01532                                   new_target,
01533                                   new_tid,
01534                                   attr,
01535                                   attr_val,
01536                                   owner);
01537 #endif  /* PM */
01538 
01539 /******* DAZ ********/
01540 #ifdef CONFIG_RSBAC_DAZ
01541 #ifdef CONFIG_RSBAC_SWITCH_DAZ
01542 if (rsbac_switch_daz)
01543 #endif
01544   if(request_vector & RSBAC_DAZ_SET_ATTR_VECTOR)
01545     error |= rsbac_adf_set_attr_daz (request,
01546                                   caller_pid,
01547                                   target,
01548                                   tid,
01549                                   new_target,
01550                                   new_tid,
01551                                   attr,
01552                                   attr_val,
01553                                   owner);
01554 #endif  /* DAZ */
01555 
01556 /******* RC ********/
01557 #ifdef CONFIG_RSBAC_RC
01558 #ifdef CONFIG_RSBAC_SWITCH_RC
01559 if (rsbac_switch_rc)
01560 #endif
01561   error |= rsbac_adf_set_attr_rc (request,
01562                                   caller_pid,
01563                                   target,
01564                                   tid,
01565                                   new_target,
01566                                   new_tid,
01567                                   attr,
01568                                   attr_val,
01569                                   owner);
01570 #endif  /* RC */
01571 
01572 /****** AUTH *******/
01573 #ifdef CONFIG_RSBAC_AUTH
01574 #ifdef CONFIG_RSBAC_SWITCH_AUTH
01575 if (rsbac_switch_auth)
01576 #endif
01577   if(request_vector & RSBAC_AUTH_SET_ATTR_VECTOR)
01578     error |= rsbac_adf_set_attr_auth(request,
01579                                    caller_pid,
01580                                    target,
01581                                    tid,
01582                                    new_target,
01583                                    new_tid,
01584                                    attr,
01585                                    attr_val,
01586                                    owner);
01587 #endif  /* AUTH */
01588 
01589 /****** CAP *******/
01590 #ifdef CONFIG_RSBAC_CAP
01591 #ifdef CONFIG_RSBAC_SWITCH_CAP
01592 if (rsbac_switch_cap)
01593 #endif
01594   if(request_vector & RSBAC_CAP_SET_ATTR_VECTOR)
01595     error |= rsbac_adf_set_attr_cap (request,
01596                                    caller_pid,
01597                                    target,
01598                                    tid,
01599                                    new_target,
01600                                    new_tid,
01601                                    attr,
01602                                    attr_val,
01603                                    owner);
01604 #endif  /* CAP */
01605 
01606 /****** JAIL *******/
01607 #ifdef CONFIG_RSBAC_JAIL
01608 #ifdef CONFIG_RSBAC_SWITCH_JAIL
01609 if (rsbac_switch_jail)
01610 #endif
01611   if(request_vector & RSBAC_JAIL_SET_ATTR_VECTOR)
01612     error |= rsbac_adf_set_attr_jail(request,
01613                                    caller_pid,
01614                                    target,
01615                                    tid,
01616                                    new_target,
01617                                    new_tid,
01618                                    attr,
01619                                    attr_val,
01620                                    owner);
01621 #endif  /* JAIL */
01622 
01623 /****** RES *******/
01624 #ifdef CONFIG_RSBAC_RES
01625 #ifdef CONFIG_RSBAC_SWITCH_RES
01626 if (rsbac_switch_res)
01627 #endif
01628   if(request_vector & RSBAC_RES_SET_ATTR_VECTOR)
01629     error |= rsbac_adf_set_attr_res (request,
01630                                    caller_pid,
01631                                    target,
01632                                    tid,
01633                                    new_target,
01634                                    new_tid,
01635                                    attr,
01636                                    attr_val,
01637                                    owner);
01638 #endif  /* RES */
01639 
01640 /****** REG *******/
01641 #ifdef CONFIG_RSBAC_REG
01642   error |= rsbac_adf_set_attr_reg (request,
01643                                    caller_pid,
01644                                    target,
01645                                    tid,
01646                                    new_target,
01647                                    new_tid,
01648                                    attr,
01649                                    attr_val,
01650                                    owner);
01651 #endif  /* REG */
01652 #endif /* !MAINT */
01653 
01654 /* General work for all modules (after set_attr call) */
01655 #ifdef CONFIG_RSBAC_DEBUG
01656 general_work:
01657 #endif
01658     switch(request)
01659       {
01660         /* remove deleted item from rsbac data */
01661         case R_DELETE :
01662             switch (target)
01663               {
01664                 case T_FILE:
01665                 case T_FIFO:
01666                 case T_SYMLINK:
01667                   /* Only remove file/fifo target on deletion of last link */
01668                   if (   (attr == A_nlink)
01669                       && (attr_val.nlink > 1)
01670                      )
01671                      break;
01672                   /* fall through */
01673                 case T_DIR:
01674                   rsbac_remove_target(target,tid);
01675                   break;
01676                 case T_IPC:
01677                   /* shm removal delayed and removed directly, when destroyed */
01678                   if(tid.ipc.type != I_shm)
01679                     rsbac_remove_target(target,tid);
01680                   break;
01681                 default:
01682                   break;
01683               }
01684             break;
01685 
01686         case R_CLONE:
01687             switch (target)
01688               {
01689                 case T_PROCESS:
01690                   #if defined(CONFIG_RSBAC_IND_PROG_LOG)
01691                   /* get program based log from old process */
01692                   if (rsbac_get_attr(SW_GEN,
01693                                      target,
01694                                      tid,
01695                                      A_log_program_based,
01696                                      &i_attr_val,
01697                                      FALSE))
01698                     {
01699                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
01700                     }
01701                   else
01702                     { /* only set, of not default value 0 */
01703                       if(i_attr_val.log_program_based)
01704                         {
01705                           /* set program based log for new process */
01706                           if (rsbac_set_attr(SW_GEN, new_target,
01707                                              new_tid,
01708                                              A_log_program_based,
01709                                              i_attr_val))
01710                             {
01711                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_log_program_based);
01712                             }
01713                         }
01714                     }
01715                   #endif
01716                   #if defined(CONFIG_RSBAC_FAKE_ROOT_UID)
01717                   /* get fake_root_uid from old process */
01718                   if (rsbac_get_attr(SW_GEN,
01719                                      target,
01720                                      tid,
01721                                      A_fake_root_uid,
01722                                      &i_attr_val,
01723                                      FALSE))
01724                     {
01725                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_fake_root_uid);
01726                     }
01727                   else
01728                     { /* only set, of not default value 0 */
01729                       if(i_attr_val.fake_root_uid)
01730                         {
01731                           /* set program based log for new process */
01732                           if (rsbac_set_attr(SW_GEN, new_target,
01733                                              new_tid,
01734                                              A_fake_root_uid,
01735                                              i_attr_val))
01736                             {
01737                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid);
01738                             }
01739                         }
01740                     }
01741                   #endif
01742                   #if defined(CONFIG_RSBAC_NET)
01743                   /* get remote_ip from old process */
01744                   if (rsbac_get_attr(SW_GEN,
01745                                      target,
01746                                      tid,
01747                                      A_remote_ip,
01748                                      &i_attr_val,
01749                                      FALSE))
01750                     {
01751                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_remote_ip);
01752                     }
01753                   else
01754                     { /* only set, of not default value 0 */
01755                       if(i_attr_val.remote_ip)
01756                         {
01757                           /* set program based log for new process */
01758                           if (rsbac_set_attr(SW_GEN, new_target,
01759                                              new_tid,
01760                                              A_remote_ip,
01761                                              i_attr_val))
01762                             {
01763                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_remote_ip);
01764                             }
01765                         }
01766                     }
01767                   #endif
01768                         /* get kernel_thread from old process */
01769                         if (rsbac_get_attr(SW_GEN,
01770                                         target,
01771                                         tid,
01772                                         A_kernel_thread,
01773                                         &i_attr_val, FALSE)) {
01774                                 rsbac_ds_get_error("rsbac_adf_set_attr()",
01775                                                 A_kernel_thread);
01776                         } else {
01777                                 if (i_attr_val.kernel_thread) {
01778                                         if (rsbac_set_attr(SW_GEN, new_target,
01779                                                         new_tid,
01780                                                         A_kernel_thread,
01781                                                         i_attr_val)) {
01782                                                 rsbac_ds_set_error
01783                                                         ("rsbac_adf_set_attr()",
01784                                                          A_kernel_thread);
01785                                         }
01786                                 }
01787                         }
01788 
01789                   /* get audit_uid from old process */
01790                   if (rsbac_get_attr(SW_GEN,
01791                                      target,
01792                                      tid,
01793                                      A_audit_uid,
01794                                      &i_attr_val,
01795                                      FALSE))
01796                     {
01797                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_audit_uid);
01798                     }
01799                   else
01800                     { /* only set, of not default value NO_USER */
01801                       if(i_attr_val.audit_uid != RSBAC_NO_USER)
01802                         {
01803                           /* set audit uid for new process */
01804                           if (rsbac_set_attr(SW_GEN,
01805                                              new_target,
01806                                              new_tid,
01807                                              A_audit_uid,
01808                                              i_attr_val))
01809                             {
01810                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_audit_uid);
01811                             }
01812                         }
01813                     }
01814                   /* get auid_exempt from old process */
01815                   if (rsbac_get_attr(SW_GEN,
01816                                      target,
01817                                      tid,
01818                                      A_auid_exempt,
01819                                      &i_attr_val,
01820                                      FALSE))
01821                     {
01822                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_auid_exempt);
01823                     }
01824                   else
01825                     { /* only set, of not default value NO_USER */
01826                       if(i_attr_val.auid_exempt != RSBAC_NO_USER)
01827                         {
01828                           /* set program based log for new process */
01829                           if (rsbac_set_attr(SW_GEN,
01830                                              new_target,
01831                                              new_tid,
01832                                              A_auid_exempt,
01833                                              i_attr_val))
01834                             {
01835                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_auid_exempt);
01836                             }
01837                         }
01838                     }
01839                   break;
01840 
01841                 default:
01842                   break;
01843               }
01844             break;
01845 
01846         case R_CLOSE:
01847                 switch (target) {
01848                 case T_IPC:
01849                         if(tid.ipc.type == I_anonunix)
01850                                 rsbac_remove_target(target, tid);
01851                         break;
01852 #ifdef CONFIG_RSBAC_NET_OBJ
01853                 case T_NETOBJ:
01854                         rsbac_remove_target(target, tid);
01855                         break;
01856 #endif
01857                 default:
01858                         break;
01859                 }
01860                 break;
01861 
01862         case R_CREATE:
01863                 switch (target) {
01864                 case T_IPC:
01865                         if(!tid.ipc.id.id_nr)
01866                                 error |= -RSBAC_EINVALIDVALUE;
01867                         break;
01868                 default:
01869                         break;
01870                 }
01871                 break;
01872 
01873 #ifdef CONFIG_RSBAC_NET_OBJ
01874         case R_ACCEPT:
01875             switch (target)
01876               {
01877                 case T_NETOBJ:
01878                   /* store remote IP */
01879                   if(   tid.netobj.sock_p
01880                      && tid.netobj.sock_p->ops
01881                      && tid.netobj.sock_p->sk
01882                      && (tid.netobj.sock_p->ops->family == AF_INET)
01883                     )
01884                     {
01885                       i_tid.process = caller_pid;
01886 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01887                       i_attr_val.remote_ip = inet_sk(tid.netobj.sock_p->sk)->daddr;
01888 #else
01889                       i_attr_val.remote_ip = tid.netobj.sock_p->sk->daddr;
01890 #endif
01891                       /* set program based log for new process */
01892                       if (rsbac_set_attr(SW_GEN,
01893                                          T_PROCESS,
01894                                          i_tid,
01895                                          A_remote_ip,
01896                                          i_attr_val))
01897                         {
01898                           rsbac_ds_set_error("rsbac_adf_set_attr()", A_remote_ip);
01899                         }
01900                     }
01901                   break;
01902 
01903                 default:
01904                   break;
01905               }
01906             break;
01907 #endif /* CONFIG_RSBAC_NET_OBJ */
01908 
01909         case R_EXECUTE :
01910             switch (target)
01911               {
01912                 case T_FILE:
01913                   #if defined(CONFIG_RSBAC_IND_PROG_LOG)
01914                   /* get program based log from file */
01915                   if (rsbac_get_attr(SW_GEN,
01916                                      target,
01917                                      tid,
01918                                      A_log_program_based,
01919                                      &i_attr_val,
01920                                      FALSE))
01921                     {
01922                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
01923                     }
01924                   else
01925                     {
01926                       /* set program based log for process */
01927                       i_tid.process = caller_pid;
01928                       if (rsbac_set_attr(SW_GEN, T_PROCESS,
01929                                          i_tid,
01930                                          A_log_program_based,
01931                                          i_attr_val))
01932                         {
01933                           rsbac_ds_set_error("rsbac_adf_set_attr()", A_log_program_based);
01934                         }
01935                     }
01936                   #endif
01937                   #if defined(CONFIG_RSBAC_FAKE_ROOT_UID)
01938                   /* get fake_root_uid from file */
01939                   if (rsbac_get_attr(SW_GEN,
01940                                      target,
01941                                      tid,
01942                                      A_fake_root_uid,
01943                                      &i_attr_val,
01944                                      FALSE))
01945                     {
01946                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_fake_root_uid);
01947                     }
01948                   else
01949                     {
01950                       /* set fake_root_uid for process */
01951                       if(i_attr_val.fake_root_uid)
01952                         {
01953                           i_tid.process = caller_pid;
01954                           if (rsbac_set_attr(SW_GEN, T_PROCESS,
01955                                              i_tid,
01956                                              A_fake_root_uid,
01957                                              i_attr_val))
01958                             {
01959                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid);
01960                             }
01961                         }
01962                     }
01963                   #endif
01964                   /* get auid_exempt from file */
01965                   if (rsbac_get_attr(SW_GEN,
01966                                      target,
01967                                      tid,
01968                                      A_auid_exempt,
01969                                      &i_attr_val,
01970                                      FALSE))
01971                     {
01972                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_auid_exempt);
01973                     }
01974                   else
01975                     {
01976                       if(i_attr_val.auid_exempt != RSBAC_NO_USER)
01977                         {
01978                           /* set auid_exempt for process */
01979                           i_tid.process = caller_pid;
01980                           if (rsbac_set_attr(SW_GEN, T_PROCESS,
01981                                              i_tid,
01982                                              A_auid_exempt,
01983                                              i_attr_val))
01984                             {
01985                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_auid_exempt);
01986                             }
01987                         }
01988                     }
01989                   break;
01990 
01991                 default:
01992                   break;
01993               }
01994             break;
01995 
01996         default:
01997             break;
01998       }
01999 
02000 #if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET)
02001     if(    rsbac_debug_adf_net
02002        && (   (target == T_NETDEV)
02003            || (target == T_NETTEMP)
02004            || (target == T_NETOBJ)
02005           )
02006       )
02007       do_log = TRUE;
02008 #endif
02009 
02010 /* log based on process owner */
02011 #ifdef CONFIG_RSBAC_IND_USER_LOG
02012     i_tid.user = owner;
02013     if (rsbac_get_attr(SW_GEN,
02014                        T_USER,
02015                        i_tid,
02016                        A_log_user_based,
02017                        &i_attr_val,
02018                        FALSE))
02019       {
02020         rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_user_based);
02021       }
02022     else
02023       {
02024         if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_user_based) 
02025           do_log = TRUE;
02026       }
02027 #endif /* CONFIG_RSBAC_IND_USER_LOG */
02028 
02029 /* log based on program */
02030 #ifdef CONFIG_RSBAC_IND_PROG_LOG
02031     if(!do_log)
02032       {
02033         i_tid.process = caller_pid;
02034         if (rsbac_get_attr(SW_GEN,
02035                            T_PROCESS,
02036                            i_tid,
02037                            A_log_program_based,
02038                            &i_attr_val,
02039                            FALSE))
02040           {
02041             rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
02042           }
02043         else
02044           {
02045             if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_program_based) 
02046               do_log = TRUE;
02047           }
02048       }
02049 #endif /* CONFIG_RSBAC_IND_PROG_LOG */
02050 
02051 
02052 /* logging request on info level, if requested by file/dir/dev attributes */
02053 /* log_array_low/high, or, if that is requested, if enabled for this request */
02054 /* type (attributes state level, or that request based level is to be taken) */
02055 /* loglevel 2: log everything */
02056 /* loglevel 1: log, if denied */
02057 /* loglevel 0: log nothing */
02058 
02059 #ifdef CONFIG_RSBAC_IND_LOG /* only if individual logging is enabled */
02060     /* if file/dir/dev, depend log on log_arrays */
02061     /* (but not for file.device = 0) */
02062     /* log_on_request is TRUE */
02063     if(!do_log)
02064       {
02065         if(   (   (   (target == T_FILE)
02066                    || (target == T_DIR)
02067                    || (target == T_FIFO)
02068                    || (target == T_SYMLINK)
02069                   )
02070                && RSBAC_MAJOR(tid.file.device)
02071                && RSBAC_MINOR(tid.file.device)
02072               )
02073            || (target == T_DEV)
02074           )
02075           {
02076             if (rsbac_get_attr(SW_GEN,
02077                                target,
02078                                tid,
02079                                A_log_array_low,
02080                                &i_attr_val,
02081                                FALSE))
02082               {
02083                 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_array_low);
02084               }
02085             else
02086               {
02087                 if (rsbac_get_attr(SW_GEN,
02088                                    target,
02089                                    tid,
02090                                    A_log_array_high,
02091                                    &i_attr_val2,
02092                                    FALSE))
02093                   {
02094                     rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_array_high);
02095                   }
02096                 else
02097                   { /* ll = low-bit for request | (high-bit for request as bit 1) */
02098                     log_level =   ((i_attr_val.log_array_low   >> request) & 1)
02099                               | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
02100                     if (   log_level == LL_full
02101                         || (   log_level == LL_denied
02102                             && error) )
02103                       {
02104                         do_log = TRUE;
02105                       }
02106                     if(log_level != LL_request)
02107                       log_on_request = FALSE;
02108                   }
02109               }
02110           }
02111       }
02112 #endif /* CONFIG_RSBAC_IND_LOG */
02113 
02114 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
02115 log:
02116 #endif
02117     /* if enabled, try request based log level */
02118     if (log_on_request
02119         && (   rsbac_log_levels[request][target] == LL_full
02120             || (   rsbac_log_levels[request][target] == LL_denied
02121                 && error) ) )
02122       do_log = TRUE;
02123 
02124     if(do_log)
02125       {
02126         char * request_name;
02127         char * target_type_name;
02128         char * new_target_type_name;
02129         char * target_id_name;
02130         char * new_target_id_name;
02131         char * attr_name;
02132         rsbac_uid_t audit_uid;
02133 #ifdef CONFIG_RSBAC_LOG_PSEUDO
02134         rsbac_pseudo_t  pseudo = 0;
02135 #endif
02136 
02137         /* Get process audit_uid */
02138         i_tid.process = caller_pid;
02139         if (rsbac_get_attr(SW_GEN,T_PROCESS,i_tid,A_audit_uid,&i_attr_val,FALSE))
02140           {
02141             rsbac_ds_get_error("rsbac_adf_set_attr()", A_audit_uid);
02142             return -RSBAC_EREADFAILED;  /* something weird happened */
02143           }
02144         audit_uid = i_attr_val.audit_uid;
02145         if(audit_uid == RSBAC_NO_USER)
02146           audit_uid = owner;
02147 #ifdef CONFIG_RSBAC_LOG_PSEUDO
02148         /* Get owner's logging pseudo */
02149         i_tid.user = audit_uid;
02150         if (rsbac_get_attr(SW_GEN,T_USER,i_tid,A_pseudo,&i_attr_val,FALSE))
02151           {
02152             rsbac_ds_get_error("rsbac_adf_set_attr()", A_pseudo);
02153             return -RSBAC_EREADFAILED;  /* something weird happened */
02154           }
02155         /* if pseudo is not registered, return attribute value is 0 (see later) */
02156         pseudo = i_attr_val.pseudo;
02157 #endif
02158 
02159         /* rsbac_kmalloc all memory */
02160         request_name = rsbac_kmalloc(32);
02161         target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
02162         new_target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
02163         #ifdef CONFIG_RSBAC_LOG_FULL_PATH
02164         target_id_name
02165          = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
02166         new_target_id_name
02167          = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
02168            /* max. path name len + some extra */
02169         #else
02170         target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
02171         new_target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
02172            /* max. file name len + some extra */
02173         #endif
02174         attr_name = rsbac_kmalloc(32);
02175 
02176         /* Getting basic information about this request */
02177         request_name[0] = (char) 0;
02178         target_type_name[0] = (char) 0;
02179         target_id_name[0] = (char) 0;
02180         new_target_type_name[0] = (char) 0;
02181         new_target_id_name[0] = (char) 0;
02182         attr_name[0] = (char) 0;
02183         get_request_name(request_name, request);
02184         get_target_name(target_type_name, target, target_id_name, tid);
02185         get_target_name(new_target_type_name, new_target,
02186                         new_target_id_name, new_tid);
02187         get_attribute_name(attr_name, attr);
02188 
02189 #ifdef CONFIG_RSBAC_LOG_PSEUDO
02190         if(pseudo)
02191           rsbac_printk(KERN_INFO
02192                        "rsbac_adf_set_attr(): request %s, pid %u, pseudo %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n",
02193                        request_name, (u_int) caller_pid, pseudo, target_type_name, target_id_name,
02194                        new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error);
02195         else
02196 #endif
02197           rsbac_printk(KERN_INFO
02198                        "rsbac_adf_set_attr(): request %s, pid %u, uid %u, audit_uid %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n",
02199                        request_name, (u_int) caller_pid, owner, audit_uid, target_type_name, target_id_name,
02200                        new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error);
02201         /* rsbac_kfree all helper mem */
02202         rsbac_kfree(request_name);
02203         rsbac_kfree(target_type_name);
02204         rsbac_kfree(new_target_type_name);
02205         rsbac_kfree(target_id_name);
02206         rsbac_kfree(new_target_id_name);
02207         rsbac_kfree(attr_name);
02208       }
02209 
02210 /* count */
02211     rsbac_adf_set_attr_count[target]++;
02212 #ifdef CONFIG_RSBAC_XSTATS
02213     rsbac_adf_set_attr_xcount[target][request]++;
02214 #endif
02215 
02216     return(error);
02217   } /* end of rsbac_adf_set_attr() */

int rsbac_cap_check_envp ( struct linux_binprm *  bprm  ) 

int rsbac_handle_filldir ( const struct file *  file,
const char *  name,
const unsigned int  namlen,
const ino_t  ino 
)

Definition at line 982 of file helpers.c.

References A_none, D_block, D_char, rsbac_target_id_t::dev, rsbac_attribute_value_t::dummy, rsbac_dev_desc_t::major, rsbac_dev_desc_t::minor, NULL, R_SEARCH, rsbac_adf_request(), rsbac_lookup_one_len(), rsbac_pr_debug, SOCKFS_MAGIC, T_DEV, T_DIR, T_FIFO, T_FILE, T_NONE, T_SYMLINK, T_UNIXSOCK, and rsbac_dev_desc_t::type.

00983 {
00984         enum   rsbac_target_t          rsbac_target = T_NONE;
00985         union  rsbac_target_id_t       rsbac_target_id;
00986         union  rsbac_attribute_value_t rsbac_attribute_value;
00987         struct dentry *obj_dentry = NULL;
00988         int err = 1;
00989 
00990         if(!file || !file->f_dentry || !file->f_dentry->d_sb
00991                  || !MAJOR(file->f_dentry->d_sb->s_dev))
00992                 goto old_func;
00993         obj_dentry = rsbac_lookup_one_len(name, file->f_dentry, namlen);
00994         if (!obj_dentry || IS_ERR(obj_dentry)) {
00995                 goto old_func;
00996         }
00997         if (!obj_dentry->d_inode || IS_ERR(obj_dentry->d_inode)) {
00998                 goto out_dput;
00999         }
01000         if (!obj_dentry->d_inode->i_mode || !obj_dentry->d_inode->i_sb || !obj_dentry->d_inode->i_sb->s_dev || !ino) {
01001                 goto out_dput;
01002         }
01003         if (!obj_dentry->d_sb || !obj_dentry->d_sb->s_magic) {
01004                 goto out_dput;
01005         }
01006         rsbac_pr_debug(aef, "[readdir(), sys_getdents()]: calling ADF\n");
01007 
01008         if (S_ISFIFO(obj_dentry->d_inode->i_mode)) {
01009                 if(obj_dentry->d_sb->s_magic != PIPEFS_MAGIC) {
01010                         rsbac_target = T_FIFO;
01011                         rsbac_target_id.fifo.device = obj_dentry->d_inode->i_sb->s_dev;
01012                         rsbac_target_id.fifo.inode  = ino;
01013                         rsbac_target_id.fifo.dentry_p = obj_dentry;
01014                 }
01015         } else
01016         if (S_ISDIR(obj_dentry->d_inode->i_mode)) {
01017                 rsbac_target = T_DIR;
01018                 rsbac_target_id.dir.device = obj_dentry->d_inode->i_sb->s_dev;
01019                 rsbac_target_id.dir.inode = ino;
01020                 rsbac_target_id.dir.dentry_p = obj_dentry;
01021         } else
01022         if (S_ISREG(obj_dentry->d_inode->i_mode)) {
01023                 rsbac_target = T_FILE;
01024                 rsbac_target_id.file.device = obj_dentry->d_inode->i_sb->s_dev;
01025                 rsbac_target_id.file.inode  = ino;
01026                 rsbac_target_id.file.dentry_p = obj_dentry;
01027         } else
01028         if (S_ISLNK(obj_dentry->d_inode->i_mode)) {
01029                 rsbac_target = T_SYMLINK;
01030                 rsbac_target_id.file.device = obj_dentry->d_inode->i_sb->s_dev;
01031                 rsbac_target_id.file.inode = ino;
01032                 rsbac_target_id.file.dentry_p = obj_dentry;
01033         } else
01034         if (S_ISSOCK(obj_dentry->d_inode->i_mode)) {
01035 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01036                 struct socket * sock = SOCKET_I(obj_dentry->d_inode);
01037 #else
01038                 struct socket * sock = &(obj_dentry->d_inode->u.socket_i);
01039 #endif
01040                 if (sock->ops && sock->ops->family == AF_UNIX) {
01041                         if (obj_dentry->d_inode->i_sb->s_magic != SOCKFS_MAGIC) {
01042                                 rsbac_target = T_UNIXSOCK;
01043                                 rsbac_target_id.unixsock.device = obj_dentry->d_inode->i_sb->s_dev;
01044                                 rsbac_target_id.unixsock.inode = ino;
01045                                 rsbac_target_id.unixsock.dentry_p = obj_dentry;
01046                         }
01047                 }
01048                 rsbac_target = T_UNIXSOCK;
01049                 rsbac_target_id.file.device = obj_dentry->d_inode->i_sb->s_dev;
01050                 rsbac_target_id.file.inode = ino;
01051                 rsbac_target_id.file.dentry_p = obj_dentry;
01052         } else
01053         if (S_ISBLK(obj_dentry->d_inode->i_mode)) {
01054                 rsbac_target = T_DEV;
01055                 rsbac_target_id.dev.type = D_block;
01056                 rsbac_target_id.dev.major = RSBAC_MAJOR(obj_dentry->d_inode->i_rdev);
01057                 rsbac_target_id.dev.minor = RSBAC_MINOR(obj_dentry->d_inode->i_rdev);
01058         } else
01059         if (S_ISCHR(obj_dentry->d_inode->i_mode)) {
01060                 rsbac_target = T_DEV;
01061                 rsbac_target_id.dev.type = D_char;
01062                 rsbac_target_id.dev.major = RSBAC_MAJOR(obj_dentry->d_inode->i_rdev);
01063                 rsbac_target_id.dev.minor = RSBAC_MINOR(obj_dentry->d_inode->i_rdev);
01064         }
01065         rsbac_attribute_value.dummy = 0;
01066         if (rsbac_target != T_NONE)
01067                 if (!rsbac_adf_request(R_SEARCH,
01068                                         current->pid,
01069                                         rsbac_target,
01070                                         rsbac_target_id,
01071                                         A_none,
01072                                         rsbac_attribute_value))
01073                 {
01074                         err = 0;
01075                         goto out_dput;
01076                 }
01077 
01078 out_dput:
01079         if (obj_dentry)
01080                 dput(obj_dentry);
01081 old_func:
01082         return err;
01083 }

void rsbac_init_adf ( void   ) 

Definition at line 130 of file adf_main.c.

References rsbac_reg_init().

Referenced by rsbac_do_init().

00132   {
00133     #if defined(CONFIG_RSBAC_REG)
00134     rsbac_reg_init();
00135     #endif
00136   }

int rsbac_sec_del ( struct dentry *  dentry_p  ) 

Definition at line 2554 of file adf_main.c.

02555   {
02556     return 0;
02557   }

int rsbac_sec_trunc ( struct dentry *  dentry_p,
loff_t  new_len,
loff_t  old_len 
)

Definition at line 2548 of file adf_main.c.

02550   {
02551     return 0;
02552   }

int rsbac_set_audit_uid ( rsbac_uid_t  uid  ) 

Definition at line 3076 of file adf_main.c.

References A_audit_uid, A_auid_exempt, rsbac_attribute_value_t::audit_uid, rsbac_attribute_value_t::auid_exempt, FALSE, rsbac_target_id_t::process, RSBAC_EREADFAILED, RSBAC_EWRITEFAILED, rsbac_get_attr, RSBAC_NO_USER, rsbac_set_attr, SW_GEN, and T_PROCESS.

03077   {
03078     union rsbac_target_id_t       tid;
03079     union rsbac_attribute_value_t attr_val;
03080 
03081     if(!uid || (uid == current->uid))
03082       return 0;
03083     tid.process = current->pid;
03084     if (rsbac_get_attr(SW_GEN,
03085                        T_PROCESS,
03086                        tid,
03087                        A_audit_uid,
03088                        &attr_val,
03089                        FALSE))
03090       {
03091         rsbac_ds_get_error("rsbac_set_audit_uid()", A_audit_uid);
03092         return -RSBAC_EREADFAILED;
03093       }
03094     if(attr_val.audit_uid != RSBAC_NO_USER)
03095       return 0;
03096 
03097     if (rsbac_get_attr(SW_GEN,
03098                        T_PROCESS,
03099                        tid,
03100                        A_auid_exempt,
03101                        &attr_val,
03102                        FALSE))
03103       {
03104         rsbac_ds_get_error("rsbac_set_audit_uid()", A_auid_exempt);
03105         return -RSBAC_EREADFAILED;
03106       }
03107     if(attr_val.auid_exempt == uid)
03108       return 0;
03109 
03110     attr_val.audit_uid = uid;
03111     if (rsbac_set_attr(SW_GEN,
03112                        T_PROCESS,
03113                        tid,
03114                        A_audit_uid,
03115                        attr_val))
03116       {
03117         rsbac_ds_set_error("rsbac_set_audit_uid()", A_audit_uid);
03118         return -RSBAC_EWRITEFAILED;
03119       }
03120     return 0;
03121   }

char* rsbac_symlink_redirect ( struct dentry *  dentry_p,
const char *  name,
u_int  maxlen 
)


Generated on Wed May 16 11:53:54 2007 for RSBAC by  doxygen 1.5.1