00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012 #include <linux/string.h>
00013 #include <linux/binfmts.h>
00014 #include <linux/mm.h>
00015 #include <rsbac/types.h>
00016 #include <rsbac/aci.h>
00017 #include <rsbac/adf_main.h>
00018 #include <rsbac/error.h>
00019 #include <rsbac/helpers.h>
00020 #include <rsbac/getname.h>
00021 #include <rsbac/pax_getname.h>
00022 #include <rsbac/debug.h>
00023
00024
00025
00026
00027
00028
00029
00030
00031
00032
00033
00034
00035
00036
00037 #if defined(CONFIG_RSBAC_PAX) && (defined(CONFIG_PAX_HAVE_ACL_FLAGS) || defined(CONFIG_PAX_HOOK_ACL_FLAGS))
00038 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,10)
00039 #if defined(CONFIG_PAX_HAVE_ACL_FLAGS)
00040 void pax_set_initial_flags(struct linux_binprm * bprm)
00041 #else
00042 void rsbac_pax_set_flags_func(struct linux_binprm * bprm)
00043 #endif
00044 #else
00045 #if defined(CONFIG_PAX_HAVE_ACL_FLAGS)
00046 void pax_set_flags(struct linux_binprm * bprm)
00047 #else
00048 void rsbac_pax_set_flags_func(struct linux_binprm * bprm)
00049 #endif
00050 #endif
00051 {
00052 int err;
00053 union rsbac_target_id_t tid;
00054 union rsbac_attribute_value_t attr_val;
00055
00056 if(!rsbac_is_initialized())
00057 return;
00058 tid.file.device = bprm->file->f_dentry->d_sb->s_dev;
00059 tid.file.inode = bprm->file->f_dentry->d_inode->i_ino;
00060 tid.file.dentry_p = bprm->file->f_dentry;
00061 err = rsbac_get_attr(SW_PAX,
00062 T_FILE,
00063 tid,
00064 A_pax_flags,
00065 &attr_val,
00066 TRUE);
00067 if(!err)
00068 {
00069 pax_check_flags(&attr_val.pax_flags);
00070 #ifdef CONFIG_RSBAC_DEBUG
00071 if(rsbac_debug_adf_pax)
00072 {
00073 rsbac_printk(KERN_DEBUG
00074 "rsbac_pax_set_flags_func(): changing flags for process %u from %lx to %lx from device %02u:%02u inode %u\n",
00075 current->pid,
00076 current->flags & RSBAC_PAX_ALL_FLAGS,
00077 attr_val.pax_flags,
00078 MAJOR(tid.file.device),MINOR(tid.file.device),
00079 tid.file.inode);
00080 }
00081 #endif
00082
00083 current->mm->pax_flags = (current->mm->pax_flags & ~RSBAC_PAX_ALL_FLAGS) | attr_val.pax_flags;
00084 }
00085 else
00086 {
00087 rsbac_printk(KERN_WARNING
00088 "rsbac_pax_set_flags_func(): get_data for device %02u:%02u, inode %u returned error %i!\n",
00089 MAJOR(tid.file.device),
00090 MINOR(tid.file.device),
00091 tid.file.inode,
00092 err);
00093 }
00094 }
00095 #endif
00096
00097
00098 inline enum rsbac_adf_req_ret_t
00099 rsbac_adf_request_pax (enum rsbac_adf_request_t request,
00100 rsbac_pid_t caller_pid,
00101 enum rsbac_target_t target,
00102 union rsbac_target_id_t tid,
00103 enum rsbac_attribute_t attr,
00104 union rsbac_attribute_value_t attr_val,
00105 rsbac_uid_t owner)
00106 {
00107 union rsbac_target_id_t i_tid;
00108 union rsbac_attribute_value_t i_attr_val1;
00109
00110 switch (request)
00111 {
00112 case R_MODIFY_ATTRIBUTE:
00113 switch(attr)
00114 {
00115 case A_system_role:
00116 case A_pax_role:
00117 case A_pax_flags:
00118
00119 case A_none:
00120
00121 i_tid.user = owner;
00122 if (rsbac_get_attr(SW_PAX,
00123 T_USER,
00124 i_tid,
00125 A_pax_role,
00126 &i_attr_val1,
00127 TRUE))
00128 {
00129 rsbac_ds_get_error("rsbac_adf_request_pax()", A_pax_role);
00130 return(NOT_GRANTED);
00131 }
00132
00133 if (i_attr_val1.system_role == SR_security_officer)
00134 return(GRANTED);
00135 else
00136 return(NOT_GRANTED);
00137
00138 default:
00139 return(DO_NOT_CARE);
00140 }
00141
00142 case R_READ_ATTRIBUTE:
00143 switch(attr)
00144 {
00145 case A_system_role:
00146 case A_pax_role:
00147 case A_pax_flags:
00148
00149 case A_none:
00150
00151 i_tid.user = owner;
00152 if (rsbac_get_attr(SW_PAX,
00153 T_USER,
00154 i_tid,
00155 A_pax_role,
00156 &i_attr_val1,
00157 TRUE))
00158 {
00159 rsbac_ds_get_error("rsbac_adf_request_pax()", A_pax_role);
00160 return(NOT_GRANTED);
00161 }
00162
00163 if( (i_attr_val1.system_role == SR_security_officer)
00164 || (i_attr_val1.system_role == SR_administrator)
00165 )
00166 return(GRANTED);
00167 else
00168 return(NOT_GRANTED);
00169
00170 default:
00171 return(DO_NOT_CARE);
00172 }
00173
00174 case R_SWITCH_LOG:
00175 switch(target)
00176 {
00177 case T_NONE:
00178
00179 i_tid.user = owner;
00180 if (rsbac_get_attr(SW_PAX,
00181 T_USER,
00182 i_tid,
00183 A_pax_role,
00184 &i_attr_val1,
00185 TRUE))
00186 {
00187 rsbac_ds_get_error("rsbac_adf_request_pax()", A_pax_role);
00188 return(NOT_GRANTED);
00189 }
00190
00191 if (i_attr_val1.system_role == SR_security_officer)
00192 return(GRANTED);
00193 else
00194 return(NOT_GRANTED);
00195
00196
00197 default: return(DO_NOT_CARE);
00198 }
00199
00200 case R_SWITCH_MODULE:
00201 switch(target)
00202 {
00203 case T_NONE:
00204
00205 if(attr != A_switch_target)
00206 return(UNDEFINED);
00207
00208 if( (attr_val.switch_target != SW_PAX)
00209 #ifdef CONFIG_RSBAC_SOFTMODE
00210 && (attr_val.switch_target != SW_SOFTMODE)
00211 #endif
00212 #ifdef CONFIG_RSBAC_FREEZE
00213 && (attr_val.switch_target != SW_FREEZE)
00214 #endif
00215 )
00216 return(DO_NOT_CARE);
00217
00218 i_tid.user = owner;
00219 if (rsbac_get_attr(SW_PAX,
00220 T_USER,
00221 i_tid,
00222 A_pax_role,
00223 &i_attr_val1,
00224 TRUE))
00225 {
00226 rsbac_ds_get_error("rsbac_adf_request_pax()", A_pax_role);
00227 return(NOT_GRANTED);
00228 }
00229
00230 if (i_attr_val1.system_role == SR_security_officer)
00231 return(GRANTED);
00232 else
00233 return(NOT_GRANTED);
00234
00235
00236 default: return(DO_NOT_CARE);
00237 }
00238
00239
00240 default: return DO_NOT_CARE;
00241 }
00242
00243 return DO_NOT_CARE;
00244 }
00245
00246
00247