/linux-2.6.21.1-rsbac-1.3.4/rsbac/adf/pax/pax_main.c

Go to the documentation of this file.
00001 /**************************************************** */
00002 /* Rule Set Based Access Control                      */
00003 /* Implementation of the Access Control Decision      */
00004 /* Facility (ADF) - PAX                               */
00005 /* File: rsbac/adf/pax/pax_main.c                     */
00006 /*                                                    */
00007 /* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org>  */
00008 /*                                                    */
00009 /* Last modified: 11/Dec/2006                         */
00010 /**************************************************** */
00011 
00012 #include <linux/string.h>
00013 #include <linux/binfmts.h>
00014 #include <linux/mm.h>
00015 #include <rsbac/types.h>
00016 #include <rsbac/aci.h>
00017 #include <rsbac/adf_main.h>
00018 #include <rsbac/error.h>
00019 #include <rsbac/helpers.h>
00020 #include <rsbac/getname.h>
00021 #include <rsbac/pax_getname.h>
00022 #include <rsbac/debug.h>
00023 
00024 /************************************************* */
00025 /*           Global Variables                      */
00026 /************************************************* */
00027 
00028 /************************************************* */
00029 /*          Internal Help functions                */
00030 /************************************************* */
00031 
00032 /************************************************* */
00033 /*          Externally visible functions           */
00034 /************************************************* */
00035 
00036 /**** PaX set flags func ****/
00037 #if defined(CONFIG_RSBAC_PAX) && (defined(CONFIG_PAX_HAVE_ACL_FLAGS) || defined(CONFIG_PAX_HOOK_ACL_FLAGS))
00038 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,10)
00039 #if defined(CONFIG_PAX_HAVE_ACL_FLAGS)
00040 void pax_set_initial_flags(struct linux_binprm * bprm)
00041 #else
00042 void rsbac_pax_set_flags_func(struct linux_binprm * bprm)
00043 #endif
00044 #else
00045 #if defined(CONFIG_PAX_HAVE_ACL_FLAGS)
00046 void pax_set_flags(struct linux_binprm * bprm)
00047 #else
00048 void rsbac_pax_set_flags_func(struct linux_binprm * bprm)
00049 #endif
00050 #endif
00051   {
00052     int err;
00053     union rsbac_target_id_t tid;
00054     union rsbac_attribute_value_t attr_val;
00055 
00056     if(!rsbac_is_initialized())
00057       return;
00058     tid.file.device = bprm->file->f_dentry->d_sb->s_dev;
00059     tid.file.inode = bprm->file->f_dentry->d_inode->i_ino;
00060     tid.file.dentry_p = bprm->file->f_dentry;
00061     err = rsbac_get_attr(SW_PAX,
00062                          T_FILE,
00063                          tid,
00064                          A_pax_flags,
00065                          &attr_val,
00066                          TRUE);
00067     if(!err)
00068       {
00069         pax_check_flags(&attr_val.pax_flags);
00070 #ifdef CONFIG_RSBAC_DEBUG
00071         if(rsbac_debug_adf_pax)
00072           {
00073             rsbac_printk(KERN_DEBUG
00074                    "rsbac_pax_set_flags_func(): changing flags for process %u from %lx to %lx from device %02u:%02u inode %u\n",
00075                    current->pid,
00076                    current->flags & RSBAC_PAX_ALL_FLAGS,
00077                    attr_val.pax_flags,
00078                    MAJOR(tid.file.device),MINOR(tid.file.device),
00079                    tid.file.inode);
00080           }
00081 #endif
00082         /* Set flags for process */
00083         current->mm->pax_flags = (current->mm->pax_flags & ~RSBAC_PAX_ALL_FLAGS) | attr_val.pax_flags;
00084       }
00085     else
00086       {
00087         rsbac_printk(KERN_WARNING
00088                "rsbac_pax_set_flags_func(): get_data for device %02u:%02u, inode %u returned error %i!\n",
00089                MAJOR(tid.file.device),
00090                MINOR(tid.file.device),
00091                tid.file.inode,
00092                err);
00093       }
00094   }
00095 #endif
00096 
00097 
00098 inline enum rsbac_adf_req_ret_t
00099    rsbac_adf_request_pax (enum  rsbac_adf_request_t     request,
00100                                 rsbac_pid_t             caller_pid,
00101                           enum  rsbac_target_t          target,
00102                           union rsbac_target_id_t       tid,
00103                           enum  rsbac_attribute_t       attr,
00104                           union rsbac_attribute_value_t attr_val,
00105                                 rsbac_uid_t             owner)
00106   {
00107     union rsbac_target_id_t       i_tid;
00108     union rsbac_attribute_value_t i_attr_val1;
00109 
00110     switch (request)
00111       {
00112         case R_MODIFY_ATTRIBUTE:
00113             switch(attr)
00114               {
00115                 case A_system_role:
00116                 case A_pax_role:
00117                 case A_pax_flags:
00118                 /* All attributes (remove target!) */
00119                 case A_none:
00120                   /* Security Officer? */
00121                   i_tid.user = owner;
00122                   if (rsbac_get_attr(SW_PAX,
00123                                      T_USER,
00124                                      i_tid,
00125                                      A_pax_role,
00126                                      &i_attr_val1,
00127                                      TRUE))
00128                     {
00129                       rsbac_ds_get_error("rsbac_adf_request_pax()", A_pax_role);
00130                       return(NOT_GRANTED);
00131                     }
00132                   /* if sec_officer, then grant */
00133                   if (i_attr_val1.system_role == SR_security_officer)
00134                     return(GRANTED);
00135                   else
00136                     return(NOT_GRANTED);
00137 
00138                 default:
00139                   return(DO_NOT_CARE);
00140               }
00141 
00142         case R_READ_ATTRIBUTE:
00143             switch(attr)
00144               {
00145                 case A_system_role:
00146                 case A_pax_role:
00147                 case A_pax_flags:
00148                 /* All attributes (remove target!) */
00149                 case A_none:
00150                   /* Security Officer or Admin? */
00151                   i_tid.user = owner;
00152                   if (rsbac_get_attr(SW_PAX,
00153                                      T_USER,
00154                                      i_tid,
00155                                      A_pax_role,
00156                                      &i_attr_val1,
00157                                      TRUE))
00158                     {
00159                       rsbac_ds_get_error("rsbac_adf_request_pax()", A_pax_role);
00160                       return(NOT_GRANTED);
00161                     }
00162                   /* if sec_officer, then grant */
00163                   if(   (i_attr_val1.system_role == SR_security_officer)
00164                      || (i_attr_val1.system_role == SR_administrator)
00165                     )
00166                     return(GRANTED);
00167                   else
00168                     return(NOT_GRANTED);
00169 
00170                 default:
00171                   return(DO_NOT_CARE);
00172               }
00173 
00174         case R_SWITCH_LOG:
00175             switch(target)
00176               {
00177                 case T_NONE:
00178                   /* test owner's pax_role */
00179                   i_tid.user = owner;
00180                   if (rsbac_get_attr(SW_PAX,
00181                                      T_USER,
00182                                      i_tid,
00183                                      A_pax_role,
00184                                      &i_attr_val1,
00185                                      TRUE))
00186                     {
00187                       rsbac_ds_get_error("rsbac_adf_request_pax()", A_pax_role);
00188                       return(NOT_GRANTED);
00189                     }
00190                   /* security officer? -> grant  */
00191                   if (i_attr_val1.system_role == SR_security_officer)
00192                     return(GRANTED);
00193                   else
00194                     return(NOT_GRANTED);
00195 
00196                 /* all other cases are unknown */
00197                 default: return(DO_NOT_CARE);
00198               }
00199 
00200         case R_SWITCH_MODULE:
00201             switch(target)
00202               {
00203                 case T_NONE:
00204                   /* we need the switch_target */
00205                   if(attr != A_switch_target)
00206                     return(UNDEFINED);
00207                   /* do not care for other modules */
00208                   if(   (attr_val.switch_target != SW_PAX)
00209                      #ifdef CONFIG_RSBAC_SOFTMODE
00210                      && (attr_val.switch_target != SW_SOFTMODE)
00211                      #endif
00212                      #ifdef CONFIG_RSBAC_FREEZE
00213                      && (attr_val.switch_target != SW_FREEZE)
00214                      #endif
00215                     )
00216                     return(DO_NOT_CARE);
00217                   /* test owner's pax_role */
00218                   i_tid.user = owner;
00219                   if (rsbac_get_attr(SW_PAX,
00220                                      T_USER,
00221                                      i_tid,
00222                                      A_pax_role,
00223                                      &i_attr_val1,
00224                                      TRUE))
00225                     {
00226                       rsbac_ds_get_error("rsbac_adf_request_pax()", A_pax_role);
00227                       return(NOT_GRANTED);
00228                     }
00229                   /* security officer? -> grant  */
00230                   if (i_attr_val1.system_role == SR_security_officer)
00231                     return(GRANTED);
00232                   else
00233                     return(NOT_GRANTED);
00234 
00235                 /* all other cases are unknown */
00236                 default: return(DO_NOT_CARE);
00237               }
00238 
00239 /*********************/
00240         default: return DO_NOT_CARE;
00241       }
00242 
00243     return DO_NOT_CARE;
00244   } /* end of rsbac_adf_request_pax() */
00245 
00246 
00247 /* end of rsbac/adf/pax/pax_main.c */

Generated on Wed May 16 11:53:33 2007 for RSBAC by  doxygen 1.5.1