00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011 #include <linux/string.h>
00012 #include <linux/init.h>
00013 #include <linux/module.h>
00014 #include <rsbac/types.h>
00015 #include <rsbac/aci.h>
00016 #include <rsbac/adf.h>
00017 #include <rsbac/adf_main.h>
00018 #include <rsbac/error.h>
00019 #include <rsbac/helpers.h>
00020 #include <rsbac/getname.h>
00021 #include <rsbac/cap_getname.h>
00022 #include <rsbac/jail_getname.h>
00023 #include <rsbac/rkmem.h>
00024 #include <rsbac/network.h>
00025 #if defined(CONFIG_RSBAC_UM_EXCL)
00026 #include <rsbac/um.h>
00027 #endif
00028
00029 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
00030 #include <linux/config.h>
00031 #endif
00032 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
00033 #include <linux/nfs_fs.h>
00034 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00035 #include <linux/coda.h>
00036 #endif
00037 #include <linux/coda_psdev.h>
00038 #include <linux/ncp_fs.h>
00039 #include <linux/smb.h>
00040 #endif
00041
00042 #ifdef CONFIG_RSBAC_SECDEL
00043 #include <linux/types.h>
00044 #include <linux/dcache.h>
00045 #include <asm/uaccess.h>
00046 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00047 #include <linux/buffer_head.h>
00048 #endif
00049 #endif
00050
00051
00052
00053
00054
00055 u_long rsbac_adf_request_count[T_NONE+1] = {0,0,0,0,0,0,0,0};
00056 u_long rsbac_adf_set_attr_count[T_NONE+1] = {0,0,0,0,0,0,0,0};
00057 #ifdef CONFIG_RSBAC_XSTATS
00058 u_long rsbac_adf_request_xcount[T_NONE+1][R_NONE];
00059 u_long rsbac_adf_set_attr_xcount[T_NONE+1][R_NONE];
00060 #endif
00061
00062
00063 #ifdef CONFIG_RSBAC_SWITCH_MAC
00064 rsbac_boolean_t rsbac_switch_mac = TRUE;
00065 #endif
00066
00067
00068 #ifdef CONFIG_RSBAC_SWITCH_PM
00069 rsbac_boolean_t rsbac_switch_pm = TRUE;
00070 #endif
00071
00072
00073 #ifdef CONFIG_RSBAC_SWITCH_DAZ
00074 rsbac_boolean_t rsbac_switch_daz = TRUE;
00075 #endif
00076
00077
00078 #ifdef CONFIG_RSBAC_SWITCH_FF
00079 rsbac_boolean_t rsbac_switch_ff = TRUE;
00080 #endif
00081
00082
00083 #ifdef CONFIG_RSBAC_SWITCH_RC
00084 rsbac_boolean_t rsbac_switch_rc = TRUE;
00085 #endif
00086
00087
00088 #ifdef CONFIG_RSBAC_SWITCH_AUTH
00089 rsbac_boolean_t rsbac_switch_auth = TRUE;
00090 #endif
00091
00092
00093 #ifdef CONFIG_RSBAC_SWITCH_ACL
00094 rsbac_boolean_t rsbac_switch_acl = TRUE;
00095 #endif
00096
00097
00098 #ifdef CONFIG_RSBAC_SWITCH_CAP
00099 rsbac_boolean_t rsbac_switch_cap = TRUE;
00100 #endif
00101
00102
00103 #ifdef CONFIG_RSBAC_SWITCH_JAIL
00104 rsbac_boolean_t rsbac_switch_jail = TRUE;
00105 #endif
00106
00107
00108 #ifdef CONFIG_RSBAC_SWITCH_PAX
00109 rsbac_boolean_t rsbac_switch_pax = TRUE;
00110 #endif
00111
00112
00113 #ifdef CONFIG_RSBAC_SWITCH_RES
00114 rsbac_boolean_t rsbac_switch_res = TRUE;
00115 #endif
00116
00117
00118
00119
00120
00121
00122
00123
00124
00125
00126
00127 #ifdef CONFIG_RSBAC_INIT_DELAY
00128 void rsbac_init_adf(void)
00129 #else
00130 void __init rsbac_init_adf(void)
00131 #endif
00132 {
00133 #if defined(CONFIG_RSBAC_REG)
00134 rsbac_reg_init();
00135 #endif
00136 }
00137
00138 enum rsbac_adf_req_ret_t
00139 adf_and_plus(enum rsbac_adf_req_ret_t res1,
00140 enum rsbac_adf_req_ret_t res2)
00141 {
00142 switch (res1)
00143 {
00144 case DO_NOT_CARE: return (res2);
00145 case GRANTED: if (res2 == DO_NOT_CARE)
00146 return (GRANTED);
00147 else
00148 return (res2);
00149 case NOT_GRANTED: if (res2 == UNDEFINED)
00150 return (UNDEFINED);
00151 else
00152 return (NOT_GRANTED);
00153 default: return (UNDEFINED);
00154 }
00155 }
00156
00157
00158
00159
00160
00161
00162
00163 EXPORT_SYMBOL(rsbac_adf_request_int);
00164 enum rsbac_adf_req_ret_t
00165 rsbac_adf_request_int(enum rsbac_adf_request_t request,
00166 rsbac_pid_t caller_pid,
00167 enum rsbac_target_t target,
00168 union rsbac_target_id_t * tid_p,
00169 enum rsbac_attribute_t attr,
00170 union rsbac_attribute_value_t * attr_val_p,
00171 enum rsbac_switch_target_t ignore_module)
00172 {
00173 union rsbac_target_id_t i_tid;
00174 union rsbac_attribute_value_t i_attr_val;
00175 rsbac_uid_t owner=0;
00176 int tmperr=0;
00177 rsbac_request_vector_t request_vector;
00178 enum rsbac_adf_req_ret_t result = DO_NOT_CARE;
00179 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00180 enum rsbac_adf_req_ret_t ret_result = DO_NOT_CARE;
00181 #endif
00182 #ifndef CONFIG_RSBAC_MAINT
00183 enum rsbac_adf_req_ret_t mod_result[SW_NONE + 1] = {
00184 DO_NOT_CARE,
00185 DO_NOT_CARE,
00186 DO_NOT_CARE,
00187 DO_NOT_CARE,
00188 DO_NOT_CARE,
00189 DO_NOT_CARE,
00190 DO_NOT_CARE,
00191 DO_NOT_CARE,
00192 DO_NOT_CARE,
00193 DO_NOT_CARE,
00194 DO_NOT_CARE,
00195 DO_NOT_CARE,
00196 DO_NOT_CARE,
00197 DO_NOT_CARE,
00198 DO_NOT_CARE,
00199 DO_NOT_CARE,
00200 DO_NOT_CARE,
00201 DO_NOT_CARE
00202 };
00203 #endif
00204 rsbac_boolean_t do_log = FALSE;
00205 rsbac_boolean_t log_on_request = TRUE;
00206
00207 #if defined(CONFIG_RSBAC_IND_LOG) || defined(CONFIG_RSBAC_IND_NETDEV_LOG) || defined(CONFIG_RSBAC_IND_NETOBJ_LOG)
00208 union rsbac_attribute_value_t i_attr_val2;
00209 enum rsbac_log_level_t log_level;
00210 #endif
00211 struct super_block * sb_p;
00212 #ifdef CONFIG_RSBAC_SOFTMODE
00213 rsbac_boolean_t rsbac_internal = FALSE;
00214 #endif
00215
00216
00217 if (!rsbac_is_initialized())
00218 return(DO_NOT_CARE);
00219
00220
00221 if ( !caller_pid
00222 #if defined(CONFIG_RSBAC_LOG_REMOTE)
00223 || (caller_pid == rsbaclogd_pid)
00224 #endif
00225 )
00226 return(GRANTED);
00227
00228
00229 if( request >= R_NONE
00230 || target > T_NONE
00231 || attr > A_none)
00232 {
00233 rsbac_printk(KERN_WARNING
00234 "rsbac_adf_request_int(): called with invalid request, target or attribute\n");
00235 return(NOT_GRANTED);
00236 }
00237 request_vector = RSBAC_REQUEST_VECTOR(request);
00238
00239 if (in_interrupt())
00240 {
00241 char * request_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00242
00243 if(request_name)
00244 {
00245 get_request_name(request_name, request);
00246 rsbac_printk(KERN_WARNING "rsbac_adf_request_int(): called from interrupt: request %s, pid %u, attr_val %u!\n",
00247 request_name, caller_pid, attr_val_p->dummy);
00248 kfree(request_name);
00249 }
00250 else
00251 {
00252 rsbac_printk(KERN_WARNING "rsbac_adf_request_int(): called from interrupt: request %u, pid %u!\n",
00253 request, caller_pid);
00254 }
00255
00256 }
00257
00258
00259
00260
00261 if (caller_pid > 1)
00262 {
00263 tmperr = rsbac_get_owner(&owner);
00264 if(tmperr)
00265 {
00266 rsbac_printk(KERN_DEBUG
00267 "rsbac_adf_request_int(): caller_pid %i, RSBAC not initialized, returning DO_NOT_CARE\n",
00268 caller_pid);
00269 return DO_NOT_CARE;
00270 }
00271 }
00272 else
00273 owner = 0;
00274
00275
00276
00277
00278
00279 switch(target)
00280 {
00281 case T_FILE:
00282 case T_DIR:
00283 case T_FIFO:
00284 case T_SYMLINK:
00285 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
00286 if ( ((sb_p = rsbac_get_super_block(tid_p->file.device)))
00287 && ( (sb_p->s_magic == NFS_SUPER_MAGIC)
00288 || (sb_p->s_magic == CODA_SUPER_MAGIC)
00289 || (sb_p->s_magic == NCP_SUPER_MAGIC)
00290 || (sb_p->s_magic == SMB_SUPER_MAGIC)
00291 )
00292 )
00293 {
00294 result = DO_NOT_CARE;
00295 goto log;
00296 }
00297 #endif
00298
00299 if( (target == T_FIFO)
00300 && ((sb_p = rsbac_get_super_block(tid_p->file.device)))
00301 && (sb_p->s_magic == PIPEFS_MAGIC)
00302 )
00303 return DO_NOT_CARE;
00304
00305 switch(request)
00306 {
00307 case R_GET_STATUS_DATA:
00308 case R_GET_PERMISSIONS_DATA:
00309 case R_READ_ATTRIBUTE:
00310 #ifdef CONFIG_RSBAC_DAT_VISIBLE
00311 case R_SEARCH:
00312 case R_READ:
00313 case R_CLOSE:
00314 case R_CHDIR:
00315 #endif
00316 break;
00317
00318 default:
00319 if ((tmperr = rsbac_get_attr(SW_GEN,
00320 target,
00321 *tid_p,
00322 A_internal,
00323 &i_attr_val,
00324 TRUE) ))
00325 {
00326 if(tmperr == -RSBAC_EINVALIDDEV)
00327 {
00328
00329 return(DO_NOT_CARE);
00330 }
00331 else
00332 {
00333 rsbac_ds_get_error_num("rsbac_adf_request()", A_internal, tmperr);
00334 return(NOT_GRANTED);
00335 }
00336 }
00337
00338 if (i_attr_val.internal)
00339 {
00340 rsbac_printk(KERN_WARNING
00341 "rsbac_adf_request(): trial to access object declared RSBAC-internal!\n");
00342 result = NOT_GRANTED;
00343 #ifndef CONFIG_RSBAC_MAINT
00344 mod_result[SW_NONE] = NOT_GRANTED;
00345 #endif
00346 #ifdef CONFIG_RSBAC_SOFTMODE
00347 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00348 ret_result = NOT_GRANTED;
00349 #endif
00350 rsbac_internal = TRUE;
00351 #endif
00352 }
00353 }
00354 break;
00355
00356 #if defined(CONFIG_RSBAC_UM_EXCL)
00357 case T_PROCESS:
00358 switch(request)
00359 {
00360 case R_CHANGE_OWNER:
00361 #ifdef CONFIG_RSBAC_DAC_OWNER
00362 case R_CHANGE_DAC_EFF_OWNER:
00363 case R_CHANGE_DAC_FS_OWNER:
00364 #endif
00365 if( (attr == A_owner)
00366 && !rsbac_um_no_excl
00367 && !rsbac_um_user_exists(0, attr_val_p->owner)
00368 )
00369 {
00370 rsbac_printk(KERN_INFO
00371 "rsbac_adf_request(): uid %u not known to RSBAC User Management!\n",
00372 attr_val_p->owner);
00373 result = adf_and_plus(result, NOT_GRANTED);
00374 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00375 ret_result = adf_and_plus(ret_result, NOT_GRANTED);
00376 #endif
00377 }
00378 break;
00379
00380 case R_CHANGE_GROUP:
00381 #ifdef CONFIG_RSBAC_DAC_OWNER
00382 case R_CHANGE_DAC_EFF_GROUP:
00383 case R_CHANGE_DAC_FS_GROUP:
00384 #endif
00385 if( (attr == A_group)
00386 && !rsbac_um_no_excl
00387 && !rsbac_um_group_exists(0, attr_val_p->group)
00388 )
00389 {
00390 rsbac_printk(KERN_INFO
00391 "rsbac_adf_request(): gid %u not known to RSBAC User Management!\n",
00392 attr_val_p->group);
00393 result = adf_and_plus(result, NOT_GRANTED);
00394 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00395 ret_result = adf_and_plus(ret_result, NOT_GRANTED);
00396 #endif
00397 }
00398 break;
00399
00400 default:
00401 break;
00402 }
00403 break;
00404 #endif
00405
00406 #ifdef CONFIG_RSBAC_NET_OBJ
00407 #if defined(CONFIG_RSBAC_IND_NETOBJ_LOG) || defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_RC)
00408 case T_NETOBJ:
00409 if(rsbac_net_remote_request(request)) {
00410 tid_p->netobj.local_temp = 0;
00411 rsbac_ta_net_lookup_templates(0,
00412 &tid_p->
00413 netobj, NULL,
00414 &tid_p->netobj.remote_temp);
00415 } else {
00416 tid_p->netobj.remote_temp = 0;
00417 rsbac_ta_net_lookup_templates(0,
00418 &tid_p->
00419 netobj,
00420 &tid_p->netobj.local_temp,
00421 NULL);
00422 }
00423 #endif
00424 #endif
00425
00426 default:
00427 break;
00428 }
00429
00430
00431
00432
00433 #ifdef CONFIG_RSBAC_DEBUG
00434
00435
00436 result = adf_and_plus(result,rsbac_adf_request_check(request,
00437 caller_pid,
00438 target,
00439 tid_p,
00440 attr,
00441 attr_val_p,
00442 owner) );
00443 #endif
00444
00445 #if !defined(CONFIG_RSBAC_MAINT)
00446
00447 #if defined(CONFIG_RSBAC_MAC)
00448 #ifdef CONFIG_RSBAC_SWITCH_MAC
00449 if (rsbac_switch_mac)
00450 #endif
00451
00452 if(ignore_module != SW_MAC && (request_vector & RSBAC_MAC_REQUEST_VECTOR)) {
00453 mod_result[SW_MAC] = rsbac_adf_request_mac(request,
00454 caller_pid,
00455 target,
00456 *tid_p,
00457 attr,
00458 *attr_val_p,
00459 owner);
00460 result = adf_and_plus(result, mod_result[SW_MAC]);
00461 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00462 if(!rsbac_ind_softmode[SW_MAC])
00463 ret_result = adf_and_plus(ret_result, mod_result[SW_MAC]);
00464 #endif
00465 }
00466 #endif
00467
00468
00469 #if defined(CONFIG_RSBAC_PM)
00470 #ifdef CONFIG_RSBAC_SWITCH_PM
00471 if (rsbac_switch_pm)
00472 #endif
00473
00474 if(ignore_module != SW_PM && (request_vector & RSBAC_PM_REQUEST_VECTOR))
00475 {
00476 mod_result[SW_PM] = rsbac_adf_request_pm (request,
00477 caller_pid,
00478 target,
00479 *tid_p,
00480 attr,
00481 *attr_val_p,
00482 owner);
00483 result = adf_and_plus(result, mod_result[SW_PM]);
00484 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00485 if(!rsbac_ind_softmode[SW_PM])
00486 ret_result = adf_and_plus(ret_result, mod_result[SW_PM]);
00487 #endif
00488 }
00489 #endif
00490
00491
00492 #if defined(CONFIG_RSBAC_DAZ)
00493 #ifdef CONFIG_RSBAC_SWITCH_DAZ
00494 if (rsbac_switch_daz)
00495 #endif
00496
00497 if(ignore_module != SW_DAZ && (request_vector & RSBAC_DAZ_REQUEST_VECTOR))
00498 {
00499 mod_result[SW_DAZ] = rsbac_adf_request_daz (request,
00500 caller_pid,
00501 target,
00502 *tid_p,
00503 attr,
00504 *attr_val_p,
00505 owner);
00506 result = adf_and_plus(result, mod_result[SW_DAZ]);
00507 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00508 if(!rsbac_ind_softmode[SW_DAZ])
00509 ret_result = adf_and_plus(ret_result, mod_result[SW_DAZ]);
00510 #endif
00511 }
00512 #endif
00513
00514
00515 #if defined(CONFIG_RSBAC_FF)
00516 #ifdef CONFIG_RSBAC_SWITCH_FF
00517 if (rsbac_switch_ff)
00518 #endif
00519
00520 if(ignore_module != SW_FF && (request_vector & RSBAC_FF_REQUEST_VECTOR))
00521 {
00522 mod_result[SW_FF] = rsbac_adf_request_ff (request,
00523 caller_pid,
00524 target,
00525 *tid_p,
00526 attr,
00527 *attr_val_p,
00528 owner);
00529 result = adf_and_plus(result, mod_result[SW_FF]);
00530 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00531 if(!rsbac_ind_softmode[SW_FF])
00532 ret_result = adf_and_plus(ret_result, mod_result[SW_FF]);
00533 #endif
00534 }
00535 #endif
00536
00537
00538 #if defined(CONFIG_RSBAC_RC)
00539 #ifdef CONFIG_RSBAC_SWITCH_RC
00540 if (rsbac_switch_rc)
00541 #endif
00542
00543 if(ignore_module != SW_RC)
00544 {
00545 mod_result[SW_RC] = rsbac_adf_request_rc (request,
00546 caller_pid,
00547 target,
00548 *tid_p,
00549 attr,
00550 *attr_val_p,
00551 owner);
00552 result = adf_and_plus(result, mod_result[SW_RC]);
00553 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00554 if(!rsbac_ind_softmode[SW_RC])
00555 ret_result = adf_and_plus(ret_result, mod_result[SW_RC]);
00556 #endif
00557 }
00558 #endif
00559
00560
00561 #if defined(CONFIG_RSBAC_AUTH)
00562 #ifdef CONFIG_RSBAC_SWITCH_AUTH
00563 if (rsbac_switch_auth)
00564 #endif
00565
00566 if(ignore_module != SW_AUTH && (request_vector & RSBAC_AUTH_REQUEST_VECTOR))
00567 {
00568 mod_result[SW_AUTH]= rsbac_adf_request_auth(request,
00569 caller_pid,
00570 target,
00571 *tid_p,
00572 attr,
00573 *attr_val_p,
00574 owner);
00575 result = adf_and_plus(result, mod_result[SW_AUTH]);
00576 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00577 if(!rsbac_ind_softmode[SW_AUTH])
00578 ret_result = adf_and_plus(ret_result, mod_result[SW_AUTH]);
00579 #endif
00580 }
00581 #endif
00582
00583
00584 #if defined(CONFIG_RSBAC_ACL)
00585 #ifdef CONFIG_RSBAC_SWITCH_ACL
00586 if (rsbac_switch_acl)
00587 #endif
00588
00589 if(ignore_module != SW_ACL)
00590 {
00591 mod_result[SW_ACL] = rsbac_adf_request_acl(request,
00592 caller_pid,
00593 target,
00594 *tid_p,
00595 attr,
00596 *attr_val_p,
00597 owner);
00598 result = adf_and_plus(result, mod_result[SW_ACL]);
00599 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00600 if(!rsbac_ind_softmode[SW_ACL])
00601 ret_result = adf_and_plus(ret_result, mod_result[SW_ACL]);
00602 #endif
00603 }
00604 #endif
00605
00606
00607 #if defined(CONFIG_RSBAC_CAP)
00608 #ifdef CONFIG_RSBAC_SWITCH_CAP
00609 if (rsbac_switch_cap)
00610 #endif
00611
00612 if(ignore_module != SW_CAP && (request_vector & RSBAC_CAP_REQUEST_VECTOR))
00613 {
00614 mod_result[SW_CAP] = rsbac_adf_request_cap(request,
00615 caller_pid,
00616 target,
00617 *tid_p,
00618 attr,
00619 *attr_val_p,
00620 owner);
00621 result = adf_and_plus(result, mod_result[SW_CAP]);
00622 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00623 if(!rsbac_ind_softmode[SW_CAP])
00624 ret_result = adf_and_plus(ret_result, mod_result[SW_CAP]);
00625 #endif
00626 }
00627 #endif
00628
00629
00630 #if defined(CONFIG_RSBAC_JAIL)
00631 #ifdef CONFIG_RSBAC_SWITCH_JAIL
00632 if (rsbac_switch_jail)
00633 #endif
00634
00635 if(ignore_module != SW_JAIL && (request_vector & RSBAC_JAIL_REQUEST_VECTOR))
00636 {
00637 mod_result[SW_JAIL]= rsbac_adf_request_jail(request,
00638 caller_pid,
00639 target,
00640 *tid_p,
00641 attr,
00642 *attr_val_p,
00643 owner);
00644 result = adf_and_plus(result, mod_result[SW_JAIL]);
00645 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00646 if(!rsbac_ind_softmode[SW_JAIL])
00647 ret_result = adf_and_plus(ret_result, mod_result[SW_JAIL]);
00648 #endif
00649 }
00650 #endif
00651
00652
00653 #if defined(CONFIG_RSBAC_PAX)
00654 #ifdef CONFIG_RSBAC_SWITCH_PAX
00655 if (rsbac_switch_pax)
00656 #endif
00657
00658 if(ignore_module != SW_PAX && (request_vector & RSBAC_PAX_REQUEST_VECTOR))
00659 {
00660 mod_result[SW_PAX] = rsbac_adf_request_pax (request,
00661 caller_pid,
00662 target,
00663 *tid_p,
00664 attr,
00665 *attr_val_p,
00666 owner);
00667 result = adf_and_plus(result, mod_result[SW_PAX]);
00668 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00669 if(!rsbac_ind_softmode[SW_PAX])
00670 ret_result = adf_and_plus(ret_result, mod_result[SW_PAX]);
00671 #endif
00672 }
00673 #endif
00674
00675
00676 #if defined(CONFIG_RSBAC_RES)
00677 #ifdef CONFIG_RSBAC_SWITCH_RES
00678 if (rsbac_switch_res)
00679 #endif
00680
00681 if(ignore_module != SW_RES && (request_vector & RSBAC_RES_REQUEST_VECTOR))
00682 {
00683 mod_result[SW_RES] = rsbac_adf_request_res(request,
00684 caller_pid,
00685 target,
00686 *tid_p,
00687 attr,
00688 *attr_val_p,
00689 owner);
00690 result = adf_and_plus(result, mod_result[SW_RES]);
00691 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00692 if(!rsbac_ind_softmode[SW_RES])
00693 ret_result = adf_and_plus(ret_result, mod_result[SW_RES]);
00694 #endif
00695 }
00696 #endif
00697
00698
00699 #if defined(CONFIG_RSBAC_REG)
00700 if(ignore_module != SW_REG)
00701 {
00702 mod_result[SW_REG]= rsbac_adf_request_reg (request,
00703 caller_pid,
00704 target,
00705 *tid_p,
00706 attr,
00707 *attr_val_p,
00708 owner);
00709 result = adf_and_plus(result, mod_result[SW_REG]);
00710 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00711 if(!rsbac_ind_softmode[SW_REG])
00712 ret_result = adf_and_plus(ret_result, mod_result[SW_REG]);
00713 #endif
00714 }
00715 #endif
00716
00717 #endif
00718
00719
00720
00721 #if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET)
00722 if( rsbac_debug_adf_net
00723 && ( (target == T_NETDEV)
00724 || (target == T_NETTEMP)
00725 || (target == T_NETOBJ)
00726 )
00727 )
00728 do_log = TRUE;
00729 #endif
00730
00731
00732 #ifdef CONFIG_RSBAC_IND_USER_LOG
00733 i_tid.user = owner;
00734 if (rsbac_get_attr(SW_GEN,
00735 T_USER,
00736 i_tid,
00737 A_log_user_based,
00738 &i_attr_val,
00739 FALSE))
00740 {
00741 rsbac_ds_get_error("rsbac_adf_request()", A_log_user_based);
00742 }
00743 else
00744 {
00745 if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_user_based)
00746 do_log = TRUE;
00747 }
00748 #endif
00749
00750
00751 #ifdef CONFIG_RSBAC_IND_PROG_LOG
00752 if(!do_log)
00753 {
00754 i_tid.process = caller_pid;
00755 if (rsbac_get_attr(SW_GEN,
00756 T_PROCESS,
00757 i_tid,
00758 A_log_program_based,
00759 &i_attr_val,
00760 FALSE))
00761 {
00762 rsbac_ds_get_error("rsbac_adf_request()", A_log_program_based);
00763 }
00764 else
00765 {
00766 if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_program_based)
00767 do_log = TRUE;
00768 }
00769 }
00770 #endif
00771
00772
00773
00774
00775 switch(request)
00776 {
00777 case R_TERMINATE:
00778 if (target == T_PROCESS)
00779 rsbac_remove_target(T_PROCESS,*tid_p);
00780 break;
00781
00782 #ifdef CONFIG_RSBAC_USER_CHOWN
00783 case R_CHANGE_OWNER:
00784 if (target == T_PROCESS) {
00785 i_tid.user = attr_val_p->owner;
00786 i_attr_val.process = tid_p->process;
00787 result = adf_and_plus(result,
00788 rsbac_adf_request_int(request,
00789 caller_pid,
00790 T_USER,
00791 &i_tid,
00792 A_process,
00793 &i_attr_val,
00794 ignore_module));
00795 }
00796 break;
00797 #endif
00798
00799 default:
00800 break;
00801 }
00802
00803
00804
00805
00806
00807
00808
00809
00810 #ifdef CONFIG_RSBAC_IND_LOG
00811
00812
00813
00814 if( !do_log
00815 && ( ( ( (target == T_FILE)
00816 || (target == T_DIR)
00817 || (target == T_FIFO)
00818 || (target == T_SYMLINK)
00819 || (target == T_UNIXSOCK)
00820 )
00821 && RSBAC_MAJOR(tid_p->file.device)
00822 && RSBAC_MINOR(tid_p->file.device)
00823 )
00824 || (target == T_DEV)
00825 )
00826 )
00827 {
00828 if (rsbac_get_attr(SW_GEN,
00829 target,
00830 *tid_p,
00831 A_log_array_low,
00832 &i_attr_val,
00833 FALSE))
00834 {
00835 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_low);
00836 }
00837 else
00838 {
00839 if (rsbac_get_attr(SW_GEN,
00840 target,
00841 *tid_p,
00842 A_log_array_high,
00843 &i_attr_val2,
00844 FALSE))
00845 {
00846 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_high);
00847 }
00848 else
00849 {
00850
00851
00852 log_level = ((i_attr_val.log_array_low >> request) & 1)
00853 | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
00854 if ( log_level == LL_full
00855 || ( log_level == LL_denied
00856 && (result == NOT_GRANTED
00857 || result == UNDEFINED)) )
00858 {
00859 do_log = TRUE;
00860 }
00861 if(log_level != LL_request)
00862 log_on_request = FALSE;
00863 }
00864 }
00865 }
00866 #endif
00867
00868 #ifdef CONFIG_RSBAC_IND_NETDEV_LOG
00869
00870
00871 if( !do_log
00872 && (target == T_NETDEV)
00873 )
00874 {
00875 if (rsbac_get_attr(SW_GEN,
00876 target,
00877 *tid_p,
00878 A_log_array_low,
00879 &i_attr_val,
00880 FALSE))
00881 {
00882 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_low);
00883 }
00884 else
00885 {
00886 if (rsbac_get_attr(SW_GEN,
00887 target,
00888 *tid_p,
00889 A_log_array_high,
00890 &i_attr_val2,
00891 FALSE))
00892 {
00893 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_high);
00894 }
00895 else
00896 {
00897
00898
00899 log_level = ((i_attr_val.log_array_low >> request) & 1)
00900 | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
00901 if ( log_level == LL_full
00902 || ( log_level == LL_denied
00903 && (result == NOT_GRANTED
00904 || result == UNDEFINED)) )
00905 {
00906 do_log = TRUE;
00907 }
00908 if(log_level != LL_request)
00909 log_on_request = FALSE;
00910 }
00911 }
00912 }
00913 #endif
00914
00915 #ifdef CONFIG_RSBAC_IND_NETOBJ_LOG
00916
00917
00918
00919 if( !do_log
00920 && ( (target == T_NETTEMP)
00921 || (target == T_NETOBJ)
00922 )
00923 )
00924 {
00925 enum rsbac_attribute_t i_attr1, i_attr2;
00926
00927 if(target == T_NETOBJ)
00928 {
00929 if(rsbac_net_remote_request(request))
00930 {
00931 i_attr1 = A_remote_log_array_low;
00932 i_attr2 = A_remote_log_array_high;
00933 }
00934 else
00935 {
00936 i_attr1 = A_local_log_array_low;
00937 i_attr2 = A_local_log_array_high;
00938 }
00939 }
00940 else
00941 {
00942 i_attr1 = A_log_array_low;
00943 i_attr2 = A_log_array_high;
00944 }
00945 if (rsbac_get_attr(SW_GEN,
00946 target,
00947 *tid_p,
00948 i_attr1,
00949 &i_attr_val,
00950 FALSE))
00951 {
00952 rsbac_ds_get_error("rsbac_adf_request()", i_attr1);
00953 }
00954 else
00955 {
00956 if (rsbac_get_attr(SW_GEN,
00957 target,
00958 *tid_p,
00959 i_attr2,
00960 &i_attr_val2,
00961 FALSE))
00962 {
00963 rsbac_ds_get_error("rsbac_adf_request()", i_attr2);
00964 }
00965 else
00966 {
00967
00968
00969 log_level = ((i_attr_val.log_array_low >> request) & 1)
00970 | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
00971 if ( log_level == LL_full
00972 || ( log_level == LL_denied
00973 && (result == NOT_GRANTED
00974 || result == UNDEFINED)) )
00975 {
00976 do_log = TRUE;
00977 }
00978 if(log_level != LL_request)
00979 log_on_request = FALSE;
00980 }
00981 }
00982 }
00983 #endif
00984
00985 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
00986 log:
00987 #endif
00988
00989 if ( !do_log
00990 && log_on_request
00991 && ( rsbac_log_levels[request][target] == LL_full
00992 || ( rsbac_log_levels[request][target] == LL_denied
00993 && (result == NOT_GRANTED
00994 || result == UNDEFINED)) ) )
00995 do_log = TRUE;
00996
00997 if(do_log)
00998 {
00999 char * request_name;
01000 char * res_name;
01001 char * res_mods;
01002 char * target_type_name;
01003 char * target_id_name;
01004 char * attr_name;
01005 char * attr_val_name;
01006 #ifdef CONFIG_RSBAC_NET_OBJ
01007 char * remote_ip_name;
01008 #else
01009 char remote_ip_name[1];
01010 #endif
01011 char * audit_uid_name;
01012 char command[17];
01013 rsbac_pid_t parent_pid = 0;
01014 rsbac_uid_t audit_uid;
01015 #ifdef CONFIG_RSBAC_LOG_PSEUDO
01016 rsbac_pseudo_t pseudo = 0;
01017 #endif
01018 char * program_path;
01019
01020
01021 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01022 if(current->parent)
01023 parent_pid = current->parent->pid;
01024 #else
01025 if(current->p_pptr)
01026 parent_pid = current->p_pptr->pid;
01027 #endif
01028
01029
01030 request_name = rsbac_kmalloc(32);
01031 res_name = rsbac_kmalloc(32);
01032 res_mods = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01033 target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01034 #ifdef CONFIG_RSBAC_LOG_FULL_PATH
01035 target_id_name
01036 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
01037
01038 #else
01039 target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
01040
01041 #endif
01042 #ifdef CONFIG_RSBAC_LOG_PROGRAM_FILE
01043 #ifdef CONFIG_RSBAC_LOG_FULL_PATH
01044 program_path
01045 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
01046
01047 #else
01048 program_path = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
01049
01050 #endif
01051 #else
01052 program_path = rsbac_kmalloc(2);
01053 #endif
01054 attr_name = rsbac_kmalloc(32);
01055 attr_val_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01056 #ifdef CONFIG_RSBAC_NET_OBJ
01057 remote_ip_name = rsbac_kmalloc(32);
01058 #endif
01059 audit_uid_name = rsbac_kmalloc(32);
01060
01061 request_name[0] = (char) 0;
01062 target_type_name[0] = (char) 0;
01063 target_id_name[0] = (char) 0;
01064 program_path[0] = (char) 0;
01065 attr_name[0] = (char) 0;
01066 attr_val_name[0] = (char) 0;
01067 remote_ip_name[0] = (char) 0;
01068 audit_uid_name[0] = (char) 0;
01069 res_name[0] = (char) 0;
01070 res_mods[0] = (char) 0;
01071 command[0] = (char) 0;
01072 get_request_name(request_name, request);
01073 #if !defined(CONFIG_RSBAC_MAINT)
01074
01075
01076
01077
01078
01079
01080 #if defined(CONFIG_RSBAC_MAC)
01081 if(result == mod_result[SW_MAC])
01082 {
01083 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01084 if(rsbac_ind_softmode[SW_MAC])
01085 strcat(res_mods, " MAC(Softmode)");
01086 else
01087 #endif
01088 strcat(res_mods, " MAC");
01089 }
01090 #endif
01091 #if defined(CONFIG_RSBAC_PM)
01092 if(result == mod_result[SW_PM])
01093 {
01094 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01095 if(rsbac_ind_softmode[SW_PM])
01096 strcat(res_mods, " PM(Softmode)");
01097 else
01098 #endif
01099 strcat(res_mods, " PM");
01100 }
01101 #endif
01102 #if defined(CONFIG_RSBAC_DAZ)
01103 if(result == mod_result[SW_DAZ])
01104 {
01105 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01106 if(rsbac_ind_softmode[SW_DAZ])
01107 strcat(res_mods, " DAZ(Softmode)");
01108 else
01109 #endif
01110 strcat(res_mods, " DAZ");
01111 }
01112 #endif
01113 #ifdef CONFIG_RSBAC_FF
01114 if(result == mod_result[SW_FF])
01115 {
01116 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01117 if(rsbac_ind_softmode[SW_FF])
01118 strcat(res_mods, " FF(Softmode)");
01119 else
01120 #endif
01121 strcat(res_mods, " FF");
01122 }
01123 #endif
01124 #ifdef CONFIG_RSBAC_RC
01125 if(result == mod_result[SW_RC])
01126 {
01127 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01128 if(rsbac_ind_softmode[SW_RC])
01129 strcat(res_mods, " RC(Softmode)");
01130 else
01131 #endif
01132 strcat(res_mods, " RC");
01133 }
01134 #endif
01135 #ifdef CONFIG_RSBAC_AUTH
01136 if(result == mod_result[SW_AUTH])
01137 {
01138 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01139 if(rsbac_ind_softmode[SW_AUTH])
01140 strcat(res_mods, " AUTH(Softmode)");
01141 else
01142 #endif
01143 strcat(res_mods, " AUTH");
01144 }
01145 #endif
01146 #ifdef CONFIG_RSBAC_ACL
01147 if(result == mod_result[SW_ACL])
01148 {
01149 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01150 if(rsbac_ind_softmode[SW_ACL])
01151 strcat(res_mods, " ACL(Softmode)");
01152 else
01153 #endif
01154 strcat(res_mods, " ACL");
01155 }
01156 #endif
01157 #ifdef CONFIG_RSBAC_CAP
01158 if(result == mod_result[SW_CAP])
01159 {
01160 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01161 if(rsbac_ind_softmode[SW_CAP])
01162 strcat(res_mods, " CAP(Softmode)");
01163 else
01164 #endif
01165 strcat(res_mods, " CAP");
01166 }
01167 #endif
01168 #ifdef CONFIG_RSBAC_JAIL
01169 if(result == mod_result[SW_JAIL])
01170 {
01171 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01172 if(rsbac_ind_softmode[SW_JAIL])
01173 strcat(res_mods, " JAIL(Softmode)");
01174 else
01175 #endif
01176 strcat(res_mods, " JAIL");
01177 }
01178 #endif
01179 #ifdef CONFIG_RSBAC_RES
01180 if(result == mod_result[SW_RES])
01181 {
01182 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01183 if(rsbac_ind_softmode[SW_RES])
01184 strcat(res_mods, " RES(Softmode)");
01185 else
01186 #endif
01187 strcat(res_mods, " RES");
01188 }
01189 #endif
01190 #ifdef CONFIG_RSBAC_REG
01191 if(result == mod_result[SW_REG])
01192 {
01193 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01194 if(rsbac_ind_softmode[SW_REG])
01195 strcat(res_mods, " REG(Softmode)");
01196 else
01197 #endif
01198 strcat(res_mods, " REG");
01199 }
01200 #endif
01201 #endif
01202 if(!res_mods[0])
01203 strcat(res_mods, " ADF");
01204
01205
01206 i_tid.process = caller_pid;
01207 if (rsbac_get_attr(SW_GEN,T_PROCESS,i_tid,A_audit_uid,&i_attr_val,FALSE))
01208 {
01209 rsbac_ds_get_error("rsbac_adf_request()", A_audit_uid);
01210 return(NOT_GRANTED);
01211 }
01212 audit_uid = i_attr_val.audit_uid;
01213 if(audit_uid == RSBAC_NO_USER)
01214 audit_uid = owner;
01215 else
01216 sprintf(audit_uid_name, "audit uid %u, ", audit_uid);
01217 #ifdef CONFIG_RSBAC_LOG_PSEUDO
01218
01219 i_tid.user = audit_uid;
01220 if (rsbac_get_attr(SW_GEN,T_USER,i_tid,A_pseudo,&i_attr_val,FALSE))
01221 {
01222 rsbac_ds_get_error("rsbac_adf_request()", A_pseudo);
01223 return(NOT_GRANTED);
01224 }
01225
01226 pseudo = i_attr_val.pseudo;
01227 #endif
01228
01229 #ifdef CONFIG_RSBAC_NET_OBJ
01230
01231 i_tid.process = caller_pid;
01232 if (rsbac_get_attr(SW_GEN,T_PROCESS,i_tid,A_remote_ip,&i_attr_val,FALSE))
01233 {
01234 rsbac_ds_get_error("rsbac_adf_request()", A_remote_ip);
01235 return(NOT_GRANTED);
01236 }
01237 if(i_attr_val.remote_ip)
01238 sprintf(remote_ip_name, "remote ip %u.%u.%u.%u, ", NIPQUAD(i_attr_val.remote_ip));
01239 #endif
01240
01241 #ifdef CONFIG_RSBAC_LOG_PROGRAM_FILE
01242 {
01243 struct mm_struct * mm;
01244 struct vm_area_struct * vma;
01245 struct dentry * dentry_p = NULL;
01246
01247 mm = current->mm;
01248 if(mm)
01249 {
01250 atomic_inc(&mm->mm_users);
01251 if(!down_read_trylock(&mm->mmap_sem))
01252 goto down_failed;
01253 vma = mm->mmap;
01254 while (vma)
01255 {
01256 if( (vma->vm_flags & VM_EXECUTABLE)
01257 && vma->vm_file)
01258 {
01259 dentry_p = dget(vma->vm_file->f_dentry);
01260 break;
01261 }
01262 vma = vma->vm_next;
01263 }
01264 up_read(&mm->mmap_sem);
01265 if(dentry_p)
01266 {
01267 char * p = program_path;
01268
01269 p += sprintf(program_path, ", prog_file ");
01270 #ifdef CONFIG_RSBAC_LOG_FULL_PATH
01271 rsbac_get_full_path(dentry_p, p, CONFIG_RSBAC_MAX_PATH_LEN);
01272 #else
01273 int namelen = rsbac_min(dentry_p->d_name.len, RSBAC_MAXNAMELEN);
01274
01275 strncpy(p, dentry_p->d_name.name, namelen);
01276 p[namelen]=0;
01277 #endif
01278 dput(dentry_p);
01279 }
01280 down_failed:
01281 mmput(mm);
01282 }
01283 }
01284 #endif
01285 get_target_name(target_type_name, target, target_id_name, *tid_p);
01286 get_attribute_name(attr_name, attr);
01287 get_attribute_value_name(attr_val_name, attr, attr_val_p);
01288 get_result_name(res_name, result);
01289 if ((current) && (current->comm))
01290 {
01291 strncpy(command,current->comm,16);
01292 command[16] = (char) 0;
01293 }
01294
01295 #ifdef CONFIG_RSBAC_LOG_PSEUDO
01296
01297 if (pseudo)
01298 {
01299 #ifdef CONFIG_RSBAC_SOFTMODE
01300 if(rsbac_softmode)
01301 rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, pseudo %u, %starget_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n",
01302 request_name, caller_pid, parent_pid, command, program_path, pseudo, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01303 else
01304 #endif
01305 rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, pseudo %u, %starget_type %s, tid %s, attr %s, value %s, result %s by%s\n",
01306 request_name, caller_pid, parent_pid, command, program_path, pseudo, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01307 }
01308 else
01309 #endif
01310 {
01311 #ifdef CONFIG_RSBAC_SOFTMODE
01312 if(rsbac_softmode)
01313 rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, %s%starget_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n",
01314 request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid_name, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01315 else
01316 #endif
01317 rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, %s%starget_type %s, tid %s, attr %s, value %s, result %s by%s\n",
01318 request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid_name, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01319 }
01320
01321 rsbac_kfree(request_name);
01322 rsbac_kfree(res_name);
01323 rsbac_kfree(res_mods);
01324 rsbac_kfree(target_type_name);
01325 rsbac_kfree(target_id_name);
01326 rsbac_kfree(program_path);
01327 rsbac_kfree(attr_name);
01328 rsbac_kfree(attr_val_name);
01329 #ifdef CONFIG_RSBAC_NET_OBJ
01330 rsbac_kfree(remote_ip_name);
01331 #endif
01332 rsbac_kfree(audit_uid_name);
01333 }
01334
01335
01336 if(result == UNDEFINED)
01337 result = NOT_GRANTED;
01338
01339
01340 rsbac_adf_request_count[target]++;
01341 #ifdef CONFIG_RSBAC_XSTATS
01342 rsbac_adf_request_xcount[target][request]++;
01343 #endif
01344
01345
01346 #ifdef CONFIG_RSBAC_SOFTMODE
01347 if(rsbac_softmode && !rsbac_internal)
01348 return DO_NOT_CARE;
01349 else
01350 #endif
01351 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01352 return ret_result;
01353 #else
01354 return result;
01355 #endif
01356 }
01357
01358
01359
01360
01361
01362
01363
01364
01365
01366 EXPORT_SYMBOL(rsbac_adf_set_attr);
01367 int rsbac_adf_set_attr(
01368 enum rsbac_adf_request_t request,
01369 rsbac_pid_t caller_pid,
01370 enum rsbac_target_t target,
01371 union rsbac_target_id_t tid,
01372 enum rsbac_target_t new_target,
01373 union rsbac_target_id_t new_tid,
01374 enum rsbac_attribute_t attr,
01375 union rsbac_attribute_value_t attr_val)
01376 {
01377 union rsbac_target_id_t i_tid;
01378 rsbac_uid_t owner;
01379 int error = 0;
01380 rsbac_request_vector_t request_vector;
01381 rsbac_boolean_t do_log = FALSE;
01382 rsbac_boolean_t log_on_request = TRUE;
01383 union rsbac_attribute_value_t i_attr_val;
01384 #ifdef CONFIG_RSBAC_IND_LOG
01385 union rsbac_attribute_value_t i_attr_val2;
01386 enum rsbac_log_level_t log_level;
01387 #endif
01388 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
01389 struct super_block * sb_p;
01390 #endif
01391
01392
01393
01394 if (!rsbac_is_initialized())
01395 return 0;
01396
01397
01398 if ( !caller_pid
01399 #if defined(CONFIG_RSBAC_LOG_REMOTE)
01400 || (caller_pid == rsbaclogd_pid)
01401 #endif
01402 )
01403 return 0;
01404
01405
01406 if( request >= R_NONE
01407 || target > T_NONE
01408 || new_target > T_NONE
01409 || attr > A_none)
01410 {
01411 rsbac_printk(KERN_WARNING
01412 "rsbac_adf_set_attr(): called with invalid request, target or attribute\n");
01413 return(-RSBAC_EINVALIDVALUE);
01414 }
01415 request_vector = RSBAC_REQUEST_VECTOR(request);
01416
01417
01418
01419 owner = RSBAC_NO_USER;
01420
01421 if (caller_pid > 1)
01422 {
01423 error = rsbac_get_owner(&owner);
01424 if(error)
01425 {
01426 rsbac_printk(KERN_DEBUG
01427 "rsbac_adf_set_attr(): caller_pid %i, RSBAC not initialized, returning 0",
01428 caller_pid);
01429 return(0);
01430 }
01431 }
01432 else
01433 owner = 0;
01434
01435
01436
01437 #if defined(CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT) || defined(CONFIG_RSBAC_FD_CACHE)
01438 switch (target) {
01439 case T_DIR:
01440 #if defined(CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT)
01441 if ((sb_p = rsbac_get_super_block(tid.file.device))
01442 && ( (sb_p->s_magic == NFS_SUPER_MAGIC)
01443 || (sb_p->s_magic == CODA_SUPER_MAGIC)
01444 || (sb_p->s_magic == NCP_SUPER_MAGIC)
01445 || (sb_p->s_magic == SMB_SUPER_MAGIC)
01446 )
01447 ) {
01448 error = 0;
01449 goto log;
01450 }
01451 #endif
01452 #if defined(CONFIG_RSBAC_FD_CACHE)
01453 if (request == R_RENAME)
01454 rsbac_fd_cache_invalidate_all();
01455 #endif
01456 break;
01457
01458 case T_FILE:
01459 case T_FIFO:
01460 case T_SYMLINK:
01461 case T_UNIXSOCK:
01462 #if defined(CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT)
01463 if ((sb_p = rsbac_get_super_block(tid.file.device))
01464 && ( (sb_p->s_magic == NFS_SUPER_MAGIC)
01465 || (sb_p->s_magic == CODA_SUPER_MAGIC)
01466 || (sb_p->s_magic == NCP_SUPER_MAGIC)
01467 || (sb_p->s_magic == SMB_SUPER_MAGIC)
01468 )
01469 ) {
01470 error = 0;
01471 goto log;
01472 }
01473 #endif
01474 #if defined(CONFIG_RSBAC_FD_CACHE)
01475 if (request == R_RENAME)
01476 rsbac_fd_cache_invalidate(&tid.file);
01477 #endif
01478 break;
01479
01480 default:
01481 break;
01482 }
01483 #endif
01484
01485
01486
01487
01488
01489 #ifdef CONFIG_RSBAC_DEBUG
01490
01491 error |= rsbac_adf_set_attr_check(request,
01492 caller_pid,
01493 target,
01494 tid,
01495 new_target,
01496 new_tid,
01497 attr,
01498 attr_val,
01499 owner);
01500 if(error)
01501 goto general_work;
01502 #endif
01503
01504 #if !defined(CONFIG_RSBAC_MAINT)
01505
01506 #if defined(CONFIG_RSBAC_MAC)
01507 #ifdef CONFIG_RSBAC_SWITCH_MAC
01508 if (rsbac_switch_mac)
01509 #endif
01510 if(request_vector & RSBAC_MAC_SET_ATTR_VECTOR)
01511 error |= rsbac_adf_set_attr_mac(request,
01512 caller_pid,
01513 target,
01514 tid,
01515 new_target,
01516 new_tid,
01517 attr,
01518 attr_val,
01519 owner);
01520 #endif
01521
01522
01523 #ifdef CONFIG_RSBAC_PM
01524 #ifdef CONFIG_RSBAC_SWITCH_PM
01525 if (rsbac_switch_pm)
01526 #endif
01527 if(request_vector & RSBAC_PM_SET_ATTR_VECTOR)
01528 error |= rsbac_adf_set_attr_pm (request,
01529 caller_pid,
01530 target,
01531 tid,
01532 new_target,
01533 new_tid,
01534 attr,
01535 attr_val,
01536 owner);
01537 #endif
01538
01539
01540 #ifdef CONFIG_RSBAC_DAZ
01541 #ifdef CONFIG_RSBAC_SWITCH_DAZ
01542 if (rsbac_switch_daz)
01543 #endif
01544 if(request_vector & RSBAC_DAZ_SET_ATTR_VECTOR)
01545 error |= rsbac_adf_set_attr_daz (request,
01546 caller_pid,
01547 target,
01548 tid,
01549 new_target,
01550 new_tid,
01551 attr,
01552 attr_val,
01553 owner);
01554 #endif
01555
01556
01557 #ifdef CONFIG_RSBAC_RC
01558 #ifdef CONFIG_RSBAC_SWITCH_RC
01559 if (rsbac_switch_rc)
01560 #endif
01561 error |= rsbac_adf_set_attr_rc (request,
01562 caller_pid,
01563 target,
01564 tid,
01565 new_target,
01566 new_tid,
01567 attr,
01568 attr_val,
01569 owner);
01570 #endif
01571
01572
01573 #ifdef CONFIG_RSBAC_AUTH
01574 #ifdef CONFIG_RSBAC_SWITCH_AUTH
01575 if (rsbac_switch_auth)
01576 #endif
01577 if(request_vector & RSBAC_AUTH_SET_ATTR_VECTOR)
01578 error |= rsbac_adf_set_attr_auth(request,
01579 caller_pid,
01580 target,
01581 tid,
01582 new_target,
01583 new_tid,
01584 attr,
01585 attr_val,
01586 owner);
01587 #endif
01588
01589
01590 #ifdef CONFIG_RSBAC_CAP
01591 #ifdef CONFIG_RSBAC_SWITCH_CAP
01592 if (rsbac_switch_cap)
01593 #endif
01594 if(request_vector & RSBAC_CAP_SET_ATTR_VECTOR)
01595 error |= rsbac_adf_set_attr_cap (request,
01596 caller_pid,
01597 target,
01598 tid,
01599 new_target,
01600 new_tid,
01601 attr,
01602 attr_val,
01603 owner);
01604 #endif
01605
01606
01607 #ifdef CONFIG_RSBAC_JAIL
01608 #ifdef CONFIG_RSBAC_SWITCH_JAIL
01609 if (rsbac_switch_jail)
01610 #endif
01611 if(request_vector & RSBAC_JAIL_SET_ATTR_VECTOR)
01612 error |= rsbac_adf_set_attr_jail(request,
01613 caller_pid,
01614 target,
01615 tid,
01616 new_target,
01617 new_tid,
01618 attr,
01619 attr_val,
01620 owner);
01621 #endif
01622
01623
01624 #ifdef CONFIG_RSBAC_RES
01625 #ifdef CONFIG_RSBAC_SWITCH_RES
01626 if (rsbac_switch_res)
01627 #endif
01628 if(request_vector & RSBAC_RES_SET_ATTR_VECTOR)
01629 error |= rsbac_adf_set_attr_res (request,
01630 caller_pid,
01631 target,
01632 tid,
01633 new_target,
01634 new_tid,
01635 attr,
01636 attr_val,
01637 owner);
01638 #endif
01639
01640
01641 #ifdef CONFIG_RSBAC_REG
01642 error |= rsbac_adf_set_attr_reg (request,
01643 caller_pid,
01644 target,
01645 tid,
01646 new_target,
01647 new_tid,
01648 attr,
01649 attr_val,
01650 owner);
01651 #endif
01652 #endif
01653
01654
01655 #ifdef CONFIG_RSBAC_DEBUG
01656 general_work:
01657 #endif
01658 switch(request)
01659 {
01660
01661 case R_DELETE :
01662 switch (target)
01663 {
01664 case T_FILE:
01665 case T_FIFO:
01666 case T_SYMLINK:
01667
01668 if ( (attr == A_nlink)
01669 && (attr_val.nlink > 1)
01670 )
01671 break;
01672
01673 case T_DIR:
01674 rsbac_remove_target(target,tid);
01675 break;
01676 case T_IPC:
01677
01678 if(tid.ipc.type != I_shm)
01679 rsbac_remove_target(target,tid);
01680 break;
01681 default:
01682 break;
01683 }
01684 break;
01685
01686 case R_CLONE:
01687 switch (target)
01688 {
01689 case T_PROCESS:
01690 #if defined(CONFIG_RSBAC_IND_PROG_LOG)
01691
01692 if (rsbac_get_attr(SW_GEN,
01693 target,
01694 tid,
01695 A_log_program_based,
01696 &i_attr_val,
01697 FALSE))
01698 {
01699 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
01700 }
01701 else
01702 {
01703 if(i_attr_val.log_program_based)
01704 {
01705
01706 if (rsbac_set_attr(SW_GEN, new_target,
01707 new_tid,
01708 A_log_program_based,
01709 i_attr_val))
01710 {
01711 rsbac_ds_set_error("rsbac_adf_set_attr()", A_log_program_based);
01712 }
01713 }
01714 }
01715 #endif
01716 #if defined(CONFIG_RSBAC_FAKE_ROOT_UID)
01717
01718 if (rsbac_get_attr(SW_GEN,
01719 target,
01720 tid,
01721 A_fake_root_uid,
01722 &i_attr_val,
01723 FALSE))
01724 {
01725 rsbac_ds_get_error("rsbac_adf_set_attr()", A_fake_root_uid);
01726 }
01727 else
01728 {
01729 if(i_attr_val.fake_root_uid)
01730 {
01731
01732 if (rsbac_set_attr(SW_GEN, new_target,
01733 new_tid,
01734 A_fake_root_uid,
01735 i_attr_val))
01736 {
01737 rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid);
01738 }
01739 }
01740 }
01741 #endif
01742 #if defined(CONFIG_RSBAC_NET)
01743
01744 if (rsbac_get_attr(SW_GEN,
01745 target,
01746 tid,
01747 A_remote_ip,
01748 &i_attr_val,
01749 FALSE))
01750 {
01751 rsbac_ds_get_error("rsbac_adf_set_attr()", A_remote_ip);
01752 }
01753 else
01754 {
01755 if(i_attr_val.remote_ip)
01756 {
01757
01758 if (rsbac_set_attr(SW_GEN, new_target,
01759 new_tid,
01760 A_remote_ip,
01761 i_attr_val))
01762 {
01763 rsbac_ds_set_error("rsbac_adf_set_attr()", A_remote_ip);
01764 }
01765 }
01766 }
01767 #endif
01768
01769 if (rsbac_get_attr(SW_GEN,
01770 target,
01771 tid,
01772 A_kernel_thread,
01773 &i_attr_val, FALSE)) {
01774 rsbac_ds_get_error("rsbac_adf_set_attr()",
01775 A_kernel_thread);
01776 } else {
01777 if (i_attr_val.kernel_thread) {
01778 if (rsbac_set_attr(SW_GEN, new_target,
01779 new_tid,
01780 A_kernel_thread,
01781 i_attr_val)) {
01782 rsbac_ds_set_error
01783 ("rsbac_adf_set_attr()",
01784 A_kernel_thread);
01785 }
01786 }
01787 }
01788
01789
01790 if (rsbac_get_attr(SW_GEN,
01791 target,
01792 tid,
01793 A_audit_uid,
01794 &i_attr_val,
01795 FALSE))
01796 {
01797 rsbac_ds_get_error("rsbac_adf_set_attr()", A_audit_uid);
01798 }
01799 else
01800 {
01801 if(i_attr_val.audit_uid != RSBAC_NO_USER)
01802 {
01803
01804 if (rsbac_set_attr(SW_GEN,
01805 new_target,
01806 new_tid,
01807 A_audit_uid,
01808 i_attr_val))
01809 {
01810 rsbac_ds_set_error("rsbac_adf_set_attr()", A_audit_uid);
01811 }
01812 }
01813 }
01814
01815 if (rsbac_get_attr(SW_GEN,
01816 target,
01817 tid,
01818 A_auid_exempt,
01819 &i_attr_val,
01820 FALSE))
01821 {
01822 rsbac_ds_get_error("rsbac_adf_set_attr()", A_auid_exempt);
01823 }
01824 else
01825 {
01826 if(i_attr_val.auid_exempt != RSBAC_NO_USER)
01827 {
01828
01829 if (rsbac_set_attr(SW_GEN,
01830 new_target,
01831 new_tid,
01832 A_auid_exempt,
01833 i_attr_val))
01834 {
01835 rsbac_ds_set_error("rsbac_adf_set_attr()", A_auid_exempt);
01836 }
01837 }
01838 }
01839 break;
01840
01841 default:
01842 break;
01843 }
01844 break;
01845
01846 case R_CLOSE:
01847 switch (target) {
01848 case T_IPC:
01849 if(tid.ipc.type == I_anonunix)
01850 rsbac_remove_target(target, tid);
01851 break;
01852 #ifdef CONFIG_RSBAC_NET_OBJ
01853 case T_NETOBJ:
01854 rsbac_remove_target(target, tid);
01855 break;
01856 #endif
01857 default:
01858 break;
01859 }
01860 break;
01861
01862 case R_CREATE:
01863 switch (target) {
01864 case T_IPC:
01865 if(!tid.ipc.id.id_nr)
01866 error |= -RSBAC_EINVALIDVALUE;
01867 break;
01868 default:
01869 break;
01870 }
01871 break;
01872
01873 #ifdef CONFIG_RSBAC_NET_OBJ
01874 case R_ACCEPT:
01875 switch (target)
01876 {
01877 case T_NETOBJ:
01878
01879 if( tid.netobj.sock_p
01880 && tid.netobj.sock_p->ops
01881 && tid.netobj.sock_p->sk
01882 && (tid.netobj.sock_p->ops->family == AF_INET)
01883 )
01884 {
01885 i_tid.process = caller_pid;
01886 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01887 i_attr_val.remote_ip = inet_sk(tid.netobj.sock_p->sk)->daddr;
01888 #else
01889 i_attr_val.remote_ip = tid.netobj.sock_p->sk->daddr;
01890 #endif
01891
01892 if (rsbac_set_attr(SW_GEN,
01893 T_PROCESS,
01894 i_tid,
01895 A_remote_ip,
01896 i_attr_val))
01897 {
01898 rsbac_ds_set_error("rsbac_adf_set_attr()", A_remote_ip);
01899 }
01900 }
01901 break;
01902
01903 default:
01904 break;
01905 }
01906 break;
01907 #endif
01908
01909 case R_EXECUTE :
01910 switch (target)
01911 {
01912 case T_FILE:
01913 #if defined(CONFIG_RSBAC_IND_PROG_LOG)
01914
01915 if (rsbac_get_attr(SW_GEN,
01916 target,
01917 tid,
01918 A_log_program_based,
01919 &i_attr_val,
01920 FALSE))
01921 {
01922 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
01923 }
01924 else
01925 {
01926
01927 i_tid.process = caller_pid;
01928 if (rsbac_set_attr(SW_GEN, T_PROCESS,
01929 i_tid,
01930 A_log_program_based,
01931 i_attr_val))
01932 {
01933 rsbac_ds_set_error("rsbac_adf_set_attr()", A_log_program_based);
01934 }
01935 }
01936 #endif
01937 #if defined(CONFIG_RSBAC_FAKE_ROOT_UID)
01938
01939 if (rsbac_get_attr(SW_GEN,
01940 target,
01941 tid,
01942 A_fake_root_uid,
01943 &i_attr_val,
01944 FALSE))
01945 {
01946 rsbac_ds_get_error("rsbac_adf_set_attr()", A_fake_root_uid);
01947 }
01948 else
01949 {
01950
01951 if(i_attr_val.fake_root_uid)
01952 {
01953 i_tid.process = caller_pid;
01954 if (rsbac_set_attr(SW_GEN, T_PROCESS,
01955 i_tid,
01956 A_fake_root_uid,
01957 i_attr_val))
01958 {
01959 rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid);
01960 }
01961 }
01962 }
01963 #endif
01964
01965 if (rsbac_get_attr(SW_GEN,
01966 target,
01967 tid,
01968 A_auid_exempt,
01969 &i_attr_val,
01970 FALSE))
01971 {
01972 rsbac_ds_get_error("rsbac_adf_set_attr()", A_auid_exempt);
01973 }
01974 else
01975 {
01976 if(i_attr_val.auid_exempt != RSBAC_NO_USER)
01977 {
01978
01979 i_tid.process = caller_pid;
01980 if (rsbac_set_attr(SW_GEN, T_PROCESS,
01981 i_tid,
01982 A_auid_exempt,
01983 i_attr_val))
01984 {
01985 rsbac_ds_set_error("rsbac_adf_set_attr()", A_auid_exempt);
01986 }
01987 }
01988 }
01989 break;
01990
01991 default:
01992 break;
01993 }
01994 break;
01995
01996 default:
01997 break;
01998 }
01999
02000 #if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET)
02001 if( rsbac_debug_adf_net
02002 && ( (target == T_NETDEV)
02003 || (target == T_NETTEMP)
02004 || (target == T_NETOBJ)
02005 )
02006 )
02007 do_log = TRUE;
02008 #endif
02009
02010
02011 #ifdef CONFIG_RSBAC_IND_USER_LOG
02012 i_tid.user = owner;
02013 if (rsbac_get_attr(SW_GEN,
02014 T_USER,
02015 i_tid,
02016 A_log_user_based,
02017 &i_attr_val,
02018 FALSE))
02019 {
02020 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_user_based);
02021 }
02022 else
02023 {
02024 if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_user_based)
02025 do_log = TRUE;
02026 }
02027 #endif
02028
02029
02030 #ifdef CONFIG_RSBAC_IND_PROG_LOG
02031 if(!do_log)
02032 {
02033 i_tid.process = caller_pid;
02034 if (rsbac_get_attr(SW_GEN,
02035 T_PROCESS,
02036 i_tid,
02037 A_log_program_based,
02038 &i_attr_val,
02039 FALSE))
02040 {
02041 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
02042 }
02043 else
02044 {
02045 if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_program_based)
02046 do_log = TRUE;
02047 }
02048 }
02049 #endif
02050
02051
02052
02053
02054
02055
02056
02057
02058
02059 #ifdef CONFIG_RSBAC_IND_LOG
02060
02061
02062
02063 if(!do_log)
02064 {
02065 if( ( ( (target == T_FILE)
02066 || (target == T_DIR)
02067 || (target == T_FIFO)
02068 || (target == T_SYMLINK)
02069 )
02070 && RSBAC_MAJOR(tid.file.device)
02071 && RSBAC_MINOR(tid.file.device)
02072 )
02073 || (target == T_DEV)
02074 )
02075 {
02076 if (rsbac_get_attr(SW_GEN,
02077 target,
02078 tid,
02079 A_log_array_low,
02080 &i_attr_val,
02081 FALSE))
02082 {
02083 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_array_low);
02084 }
02085 else
02086 {
02087 if (rsbac_get_attr(SW_GEN,
02088 target,
02089 tid,
02090 A_log_array_high,
02091 &i_attr_val2,
02092 FALSE))
02093 {
02094 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_array_high);
02095 }
02096 else
02097 {
02098 log_level = ((i_attr_val.log_array_low >> request) & 1)
02099 | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
02100 if ( log_level == LL_full
02101 || ( log_level == LL_denied
02102 && error) )
02103 {
02104 do_log = TRUE;
02105 }
02106 if(log_level != LL_request)
02107 log_on_request = FALSE;
02108 }
02109 }
02110 }
02111 }
02112 #endif
02113
02114 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
02115 log:
02116 #endif
02117
02118 if (log_on_request
02119 && ( rsbac_log_levels[request][target] == LL_full
02120 || ( rsbac_log_levels[request][target] == LL_denied
02121 && error) ) )
02122 do_log = TRUE;
02123
02124 if(do_log)
02125 {
02126 char * request_name;
02127 char * target_type_name;
02128 char * new_target_type_name;
02129 char * target_id_name;
02130 char * new_target_id_name;
02131 char * attr_name;
02132 rsbac_uid_t audit_uid;
02133 #ifdef CONFIG_RSBAC_LOG_PSEUDO
02134 rsbac_pseudo_t pseudo = 0;
02135 #endif
02136
02137
02138 i_tid.process = caller_pid;
02139 if (rsbac_get_attr(SW_GEN,T_PROCESS,i_tid,A_audit_uid,&i_attr_val,FALSE))
02140 {
02141 rsbac_ds_get_error("rsbac_adf_set_attr()", A_audit_uid);
02142 return -RSBAC_EREADFAILED;
02143 }
02144 audit_uid = i_attr_val.audit_uid;
02145 if(audit_uid == RSBAC_NO_USER)
02146 audit_uid = owner;
02147 #ifdef CONFIG_RSBAC_LOG_PSEUDO
02148
02149 i_tid.user = audit_uid;
02150 if (rsbac_get_attr(SW_GEN,T_USER,i_tid,A_pseudo,&i_attr_val,FALSE))
02151 {
02152 rsbac_ds_get_error("rsbac_adf_set_attr()", A_pseudo);
02153 return -RSBAC_EREADFAILED;
02154 }
02155
02156 pseudo = i_attr_val.pseudo;
02157 #endif
02158
02159
02160 request_name = rsbac_kmalloc(32);
02161 target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
02162 new_target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
02163 #ifdef CONFIG_RSBAC_LOG_FULL_PATH
02164 target_id_name
02165 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
02166 new_target_id_name
02167 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
02168
02169 #else
02170 target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
02171 new_target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
02172
02173 #endif
02174 attr_name = rsbac_kmalloc(32);
02175
02176
02177 request_name[0] = (char) 0;
02178 target_type_name[0] = (char) 0;
02179 target_id_name[0] = (char) 0;
02180 new_target_type_name[0] = (char) 0;
02181 new_target_id_name[0] = (char) 0;
02182 attr_name[0] = (char) 0;
02183 get_request_name(request_name, request);
02184 get_target_name(target_type_name, target, target_id_name, tid);
02185 get_target_name(new_target_type_name, new_target,
02186 new_target_id_name, new_tid);
02187 get_attribute_name(attr_name, attr);
02188
02189 #ifdef CONFIG_RSBAC_LOG_PSEUDO
02190 if(pseudo)
02191 rsbac_printk(KERN_INFO
02192 "rsbac_adf_set_attr(): request %s, pid %u, pseudo %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n",
02193 request_name, (u_int) caller_pid, pseudo, target_type_name, target_id_name,
02194 new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error);
02195 else
02196 #endif
02197 rsbac_printk(KERN_INFO
02198 "rsbac_adf_set_attr(): request %s, pid %u, uid %u, audit_uid %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n",
02199 request_name, (u_int) caller_pid, owner, audit_uid, target_type_name, target_id_name,
02200 new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error);
02201
02202 rsbac_kfree(request_name);
02203 rsbac_kfree(target_type_name);
02204 rsbac_kfree(new_target_type_name);
02205 rsbac_kfree(target_id_name);
02206 rsbac_kfree(new_target_id_name);
02207 rsbac_kfree(attr_name);
02208 }
02209
02210
02211 rsbac_adf_set_attr_count[target]++;
02212 #ifdef CONFIG_RSBAC_XSTATS
02213 rsbac_adf_set_attr_xcount[target][request]++;
02214 #endif
02215
02216 return(error);
02217 }
02218
02219
02220
02221
02222
02223
02224
02225
02226 #ifdef CONFIG_RSBAC_SECDEL
02227
02228
02229
02230
02231
02232 static int open_by_dentry(struct dentry * file_dentry_p, struct file * file_p)
02233 {
02234 int tmperr;
02235
02236 if ( !(S_ISREG(file_dentry_p->d_inode->i_mode)) )
02237 {
02238 rsbac_printk(KERN_WARNING
02239 "open_by_dentry(): expected file is not a file!\n");
02240 return (-RSBAC_EWRITEFAILED);
02241 }
02242
02243
02244 if ((tmperr = init_private_file(file_p, file_dentry_p, O_WRONLY | O_SYNC)))
02245 {
02246 rsbac_printk(KERN_WARNING
02247 "open_by_dentry(): could not open file!\n");
02248 return (-RSBAC_EWRITEFAILED);
02249 }
02250
02251 if ((!file_p->f_op) || (!file_p->f_op->write))
02252 {
02253 rsbac_printk(KERN_WARNING
02254 "open_by_dentry(): file write function missing!\n");
02255 if (file_p->f_op && file_p->f_op->release)
02256 file_p->f_op->release(file_dentry_p->d_inode,file_p);
02257 return(-RSBAC_EWRITEFAILED);
02258 }
02259
02260
02261
02262
02263
02264
02265
02266
02267
02268
02269
02270 return 0;
02271 }
02272
02273
02274
02275
02276
02277 rsbac_boolean_t writable(struct super_block * sb_p);
02278
02279 static int do_rsbac_sec_trunc(struct dentry * dentry_p,
02280 loff_t new_len,
02281 loff_t old_len,
02282 rsbac_boolean_t need_lock)
02283 {
02284 #if defined(CONFIG_RSBAC_MAINT)
02285 return 0;
02286 #else
02287 int err = 0;
02288 rsbac_boolean_t need_overwrite = FALSE;
02289
02290 if (!rsbac_is_initialized())
02291 return 0;
02292
02293 if( !dentry_p
02294 || !dentry_p->d_inode)
02295 return -RSBAC_EINVALIDPOINTER;
02296 if(!S_ISREG(dentry_p->d_inode->i_mode))
02297 return -RSBAC_EINVALIDTARGET;
02298 if(dentry_p->d_sb->s_magic == PIPEFS_MAGIC)
02299 return 0;
02300 if(new_len >= old_len)
02301 return 0;
02302
02303 if(dentry_p->d_inode && !writable(dentry_p->d_inode->i_sb))
02304 {
02305 #ifdef CONFIG_RSBAC_DEBUG
02306 if(rsbac_debug_write)
02307 {
02308 rsbac_printk(KERN_DEBUG
02309 "do_rsbac_sec_trunc(): ignoring file %lu on network device %02u:%02u!\n",
02310 dentry_p->d_inode->i_ino,
02311 MAJOR(dentry_p->d_inode->i_sb->s_dev),
02312 MINOR(dentry_p->d_inode->i_sb->s_dev));
02313 }
02314 #endif
02315 return 0;
02316 }
02317
02318
02319 #ifdef CONFIG_RSBAC_PM
02320 #ifdef CONFIG_RSBAC_SWITCH_PM
02321 if (rsbac_switch_pm)
02322 #endif
02323
02324 if(!need_overwrite)
02325 need_overwrite = rsbac_need_overwrite_pm(dentry_p);
02326 #endif
02327
02328
02329 #ifdef CONFIG_RSBAC_FF
02330 #ifdef CONFIG_RSBAC_SWITCH_FF
02331 if (rsbac_switch_ff)
02332 #endif
02333
02334 if(!need_overwrite)
02335 need_overwrite = rsbac_need_overwrite_ff(dentry_p);
02336 #endif
02337
02338
02339 #ifdef CONFIG_RSBAC_RC
02340 #ifdef CONFIG_RSBAC_SWITCH_RC
02341 if (rsbac_switch_rc)
02342 #endif
02343
02344 if(!need_overwrite)
02345 need_overwrite = rsbac_need_overwrite_rc(dentry_p);
02346 #endif
02347
02348
02349 #ifdef CONFIG_RSBAC_RES
02350 #ifdef CONFIG_RSBAC_SWITCH_RES
02351 if (rsbac_switch_res)
02352 #endif
02353
02354 if(!need_overwrite)
02355 need_overwrite = rsbac_need_overwrite_res(dentry_p);
02356 #endif
02357
02358
02359 #ifdef CONFIG_RSBAC_REG
02360 if(!need_overwrite)
02361 need_overwrite = rsbac_need_overwrite_reg(dentry_p);
02362 #endif
02363
02364 if(need_overwrite)
02365 {
02366 char * buffer;
02367 rsbac_boolean_t vmalloc_used;
02368 struct file file;
02369 int tmperr = 0;
02370 int len;
02371 mm_segment_t oldfs;
02372
02373 buffer = rsbac_vkmalloc(RSBAC_SEC_DEL_CHUNK_SIZE, &vmalloc_used);
02374 if(!buffer)
02375 return -RSBAC_ENOMEM;
02376
02377 #ifdef CONFIG_RSBAC_DEBUG
02378 if(rsbac_debug_write)
02379 {
02380 rsbac_printk(KERN_DEBUG
02381 "rsbac_sec_trunc(): zeroing of file %lu on device %02u:%02u from byte %lu to %lu!\n",
02382 dentry_p->d_inode->i_ino,
02383 MAJOR(dentry_p->d_inode->i_sb->s_dev),
02384 MINOR(dentry_p->d_inode->i_sb->s_dev),
02385 (u_long) new_len,
02386 (u_long) old_len-1);
02387 }
02388 #endif
02389
02390 err = open_by_dentry(dentry_p, &file);
02391 if(err)
02392 {
02393 rsbac_vkfree(buffer, vmalloc_used);
02394 return(err);
02395 }
02396
02397 #ifdef CONFIG_RSBAC_DEBUG
02398 if(rsbac_debug_write)
02399 {
02400 rsbac_printk(KERN_DEBUG
02401 "rsbac_sec_trunc(): file %lu on device %02u:%02u is open, seeking to %lu!\n",
02402 dentry_p->d_inode->i_ino,
02403 MAJOR(dentry_p->d_inode->i_sb->s_dev),
02404 MINOR(dentry_p->d_inode->i_sb->s_dev),
02405 (u_long) new_len);
02406 }
02407 #endif
02408
02409
02410
02411
02412
02413
02414 oldfs = get_fs();
02415 set_fs(KERNEL_DS);
02416
02417 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02418 if(file.f_op->llseek)
02419 file.f_op->llseek(&file,new_len,0);
02420 else
02421 #endif
02422 {
02423 file.f_pos = new_len;
02424 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02425 file.f_reada = 0;
02426 #endif
02427 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02428 file.f_version = ++event;
02429 #else
02430 file.f_version = 0;
02431 #endif
02432 }
02433 memset(buffer,0,RSBAC_SEC_DEL_CHUNK_SIZE);
02434
02435 #ifdef CONFIG_RSBAC_DEBUG
02436 if(rsbac_debug_write)
02437 {
02438 rsbac_printk(KERN_DEBUG
02439 "rsbac_sec_trunc(): file %lu on device %02u:%02u is positioned, starting to write!\n",
02440 dentry_p->d_inode->i_ino,
02441 MAJOR(dentry_p->d_inode->i_sb->s_dev),
02442 MINOR(dentry_p->d_inode->i_sb->s_dev));
02443 }
02444 #endif
02445
02446 while(new_len < old_len)
02447 {
02448 len = rsbac_min(RSBAC_SEC_DEL_CHUNK_SIZE, old_len-new_len);
02449 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02450 tmperr = file.f_op->write(&file,
02451 buffer,
02452 len,
02453 &file.f_pos);
02454 #else
02455 if(need_lock)
02456 tmperr = file.f_op->write(&file,
02457 buffer,
02458 len,
02459 &file.f_pos);
02460 else
02461 {
02462 struct iovec local_iov = { .iov_base = (void __user *)buffer,
02463 .iov_len = len };
02464 struct kiocb kiocb;
02465 init_sync_kiocb(&kiocb, &file);
02466 kiocb.ki_pos = file.f_pos;
02467
02468 tmperr = generic_file_aio_write_nolock(&kiocb,
02469 &local_iov,
02470 1,
02471 file.f_pos);
02472 }
02473 #endif
02474
02475 if (tmperr <= 0)
02476 {
02477 rsbac_printk(KERN_WARNING
02478 "rsbac_sec_trunc(): write error on file!\n");
02479 err = -RSBAC_EWRITEFAILED;
02480 goto out;
02481 }
02482 new_len += tmperr;
02483 }
02484
02485 out:
02486
02487
02488 set_fs(oldfs);
02489
02490 #ifdef CONFIG_RSBAC_DEBUG
02491 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0))
02492 if(need_lock)
02493 #endif
02494 if(rsbac_debug_write)
02495 {
02496 rsbac_printk(KERN_DEBUG
02497 "rsbac_sec_trunc(): syncing file %lu on device %02u:%02u!\n",
02498 dentry_p->d_inode->i_ino,
02499 MAJOR(dentry_p->d_inode->i_sb->s_dev),
02500 MINOR(dentry_p->d_inode->i_sb->s_dev));
02501 }
02502 #endif
02503
02504
02505 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02506 err = fsync_inode_data_buffers(dentry_p->d_inode);
02507 #else
02508 if(need_lock)
02509 err = file_fsync(&file, dentry_p, 1);
02510 #endif
02511
02512
02513
02514
02515
02516
02517
02518
02519
02520
02521 rsbac_vkfree(buffer, vmalloc_used);
02522 }
02523
02524
02525 return(err);
02526
02527 #endif
02528 }
02529
02530 EXPORT_SYMBOL(rsbac_sec_trunc);
02531 int rsbac_sec_trunc(struct dentry * dentry_p,
02532 loff_t new_len, loff_t old_len)
02533 {
02534 return do_rsbac_sec_trunc(dentry_p, new_len, old_len, TRUE);
02535 }
02536
02537 EXPORT_SYMBOL(rsbac_sec_del);
02538 int rsbac_sec_del(struct dentry * dentry_p)
02539 {
02540 return do_rsbac_sec_trunc(dentry_p,
02541 0,
02542 dentry_p->d_inode->i_size,
02543 FALSE);
02544 }
02545
02546 #else
02547 EXPORT_SYMBOL(rsbac_sec_trunc);
02548 int rsbac_sec_trunc(struct dentry * dentry_p,
02549 loff_t new_len, loff_t old_len)
02550 {
02551 return 0;
02552 }
02553 EXPORT_SYMBOL(rsbac_sec_del);
02554 int rsbac_sec_del(struct dentry * dentry_p)
02555 {
02556 return 0;
02557 }
02558 #endif
02559
02560 #ifdef CONFIG_RSBAC_SYM_REDIR
02561 EXPORT_SYMBOL(rsbac_symlink_redirect);
02562
02563
02564
02565
02566
02567 char * rsbac_symlink_redirect(
02568 struct dentry * dentry_p,
02569 const char * name,
02570 u_int maxlen)
02571 {
02572 union rsbac_target_id_t i_tid;
02573 char * new_name = NULL;
02574 #if defined(CONFIG_RSBAC_SYM_REDIR_REMOTE_IP) || defined(CONFIG_RSBAC_SYM_REDIR_MAC) || defined(CONFIG_RSBAC_SYM_REDIR_RC) || defined(CONFIG_RSBAC_SYM_REDIR_UID)
02575 int err;
02576 union rsbac_target_id_t i_tid2;
02577 union rsbac_attribute_value_t i_attr_val;
02578 #endif
02579
02580 if(!name)
02581 return NULL;
02582 if(!dentry_p || !dentry_p->d_inode)
02583 return NULL;
02584 if (!rsbac_is_initialized())
02585 return NULL;
02586
02587 if(!S_ISLNK(dentry_p->d_inode->i_mode))
02588 {
02589 rsbac_printk(KERN_DEBUG
02590 "rsbac_symlink_redirect(): called for non-symlink inode %u on dev %02u:%02u!\n",
02591 i_tid.symlink.inode,
02592 RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02593 return NULL;
02594 }
02595
02596 i_tid.symlink.device = dentry_p->d_inode->i_sb->s_dev;
02597 i_tid.symlink.inode = dentry_p->d_inode->i_ino;
02598 i_tid.symlink.dentry_p = dentry_p;
02599 #ifdef CONFIG_RSBAC_DEBUG
02600 if (rsbac_debug_aef)
02601 {
02602 rsbac_printk(KERN_DEBUG
02603 "rsbac_symlink_redirect(): called for symlink inode %u on dev %02u:%02u!\n",
02604 i_tid.symlink.inode,
02605 RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02606 }
02607 #endif
02608
02609 #ifdef CONFIG_RSBAC_SYM_REDIR_REMOTE_IP
02610 if ((err = rsbac_get_attr(SW_GEN,
02611 T_SYMLINK,
02612 i_tid,
02613 A_symlink_add_remote_ip,
02614 &i_attr_val,
02615 FALSE) ))
02616 {
02617 rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_symlink_add_remote_ip, err);
02618 if(new_name)
02619 kfree(new_name);
02620 return NULL;
02621 }
02622 if(i_attr_val.symlink_add_remote_ip)
02623 {
02624 u_int len;
02625 rsbac_enum_t add_remote_ip;
02626 __u32 addr;
02627
02628 len = strlen(name);
02629 while( len
02630 && (name[len-1] >= '0')
02631 && (name[len-1] <= '9')
02632 )
02633 len--;
02634 if(len > (maxlen - 20))
02635 {
02636 if(new_name)
02637 kfree(new_name);
02638 rsbac_printk(KERN_DEBUG
02639 "rsbac_symlink_redirect(): not enough space for symlink inode %u on dev %02u:%02u!\n",
02640 i_tid.symlink.inode,
02641 RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02642 return NULL;
02643 }
02644 add_remote_ip = i_attr_val.symlink_add_remote_ip;
02645 i_tid2.process = current->pid;
02646 if ((err = rsbac_get_attr(SW_GEN,
02647 T_PROCESS,
02648 i_tid2,
02649 A_remote_ip,
02650 &i_attr_val,
02651 FALSE) ))
02652 {
02653 rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_remote_ip, err);
02654 if(new_name)
02655 kfree(new_name);
02656 return NULL;
02657 }
02658 addr = i_attr_val.remote_ip;
02659 if(!new_name)
02660 {
02661 new_name = kmalloc(maxlen, GFP_KERNEL);
02662 if(!new_name)
02663 {
02664 rsbac_printk(KERN_DEBUG
02665 "rsbac_symlink_redirect(): could not allocate memory for redirection of inode %u on dev %02u:%02u!\n",
02666 i_tid.symlink.inode,
02667 RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02668 return NULL;
02669 }
02670 strcpy(new_name, name);
02671 }
02672 switch(add_remote_ip)
02673 {
02674 case 1:
02675 sprintf(new_name+len, "%u",
02676 ((unsigned char *)&addr)[0]);
02677 break;
02678 case 2:
02679 sprintf(new_name+len, "%u.%u",
02680 ((unsigned char *)&addr)[0],
02681 ((unsigned char *)&addr)[1]);
02682 break;
02683 case 3:
02684 sprintf(new_name+len, "%u.%u.%u",
02685 ((unsigned char *)&addr)[0],
02686 ((unsigned char *)&addr)[1],
02687 ((unsigned char *)&addr)[2]);
02688 break;
02689 default:
02690 sprintf(new_name+len, "%u.%u.%u.%u",
02691 ((unsigned char *)&addr)[0],
02692 ((unsigned char *)&addr)[1],
02693 ((unsigned char *)&addr)[2],
02694 ((unsigned char *)&addr)[3]);
02695 }
02696 }
02697 #endif
02698
02699 #ifdef CONFIG_RSBAC_SYM_REDIR_UID
02700 if ((err = rsbac_get_attr(SW_GEN,
02701 T_SYMLINK,
02702 i_tid,
02703 A_symlink_add_uid,
02704 &i_attr_val,
02705 FALSE) ))
02706 {
02707 rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_symlink_add_uid, err);
02708 if(new_name)
02709 kfree(new_name);
02710 rsbac_printk(KERN_DEBUG
02711 "rsbac_symlink_redirect(): not enough space for symlink inode %u on dev %02u:%02u!\n",
02712 i_tid.symlink.inode,
02713 RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02714 return NULL;
02715 }
02716 if(i_attr_val.symlink_add_uid)
02717 {
02718 rsbac_uid_t user;
02719 u_int len;
02720
02721 len = strlen(name);
02722 while( len
02723 && (name[len-1] >= '0')
02724 && (name[len-1] <= '9')
02725 )
02726 len--;
02727 if(len > (maxlen - 20))
02728 {
02729 if(new_name)
02730 kfree(new_name);
02731 rsbac_printk(KERN_DEBUG
02732 "rsbac_symlink_redirect(): not enough space for symlink inode %u on dev %02u:%02u!\n",
02733 i_tid.symlink.inode,
02734 RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02735 return NULL;
02736 }
02737 if(!rsbac_get_owner(&user))
02738 {
02739 if(!new_name)
02740 {
02741 new_name = kmalloc(maxlen, GFP_KERNEL);
02742 if(!new_name)
02743 {
02744 rsbac_printk(KERN_DEBUG
02745 "rsbac_symlink_redirect(): could not allocate memory for redirection of inode %u on dev %02u:%02u!\n",
02746 i_tid.symlink.inode,
02747 RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02748 return NULL;
02749 }
02750 strcpy(new_name, name);
02751 }
02752 ulongtostr(new_name+len, user);
02753 }
02754 }
02755 #endif
02756
02757 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC
02758 if ((err = rsbac_get_attr(SW_GEN,
02759 T_SYMLINK,
02760 i_tid,
02761 A_symlink_add_mac_level,
02762 &i_attr_val,
02763 FALSE) ))
02764 {
02765 rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_symlink_add_mac_level, err);
02766 if(new_name)
02767 kfree(new_name);
02768 return NULL;
02769 }
02770 if(i_attr_val.symlink_add_mac_level)
02771 {
02772 u_int len;
02773
02774 len = strlen(name);
02775 while( len
02776 && ( ( (name[len-1] >= '0')
02777 && (name[len-1] <= '9')
02778 )
02779 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02780 || (name[len-1] == ':')
02781 #endif
02782 )
02783 )
02784 len--;
02785 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02786 if(len > (maxlen - 85))
02787 #else
02788 if(len > (maxlen - 20))
02789 #endif
02790 {
02791 if(new_name)
02792 kfree(new_name);
02793 rsbac_printk(KERN_DEBUG
02794 "rsbac_symlink_redirect(): not enough space for symlink inode %u on dev %02u:%02u!\n",
02795 i_tid.symlink.inode,
02796 RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02797 return NULL;
02798 }
02799
02800 i_tid2.process = current->pid;
02801 if ((err = rsbac_get_attr(SW_MAC,
02802 T_PROCESS,
02803 i_tid2,
02804 A_current_sec_level,
02805 &i_attr_val,
02806 FALSE) ))
02807 {
02808 rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_current_sec_level, err);
02809 if(new_name)
02810 kfree(new_name);
02811 return NULL;
02812 }
02813
02814 if(!new_name)
02815 {
02816 new_name = kmalloc(maxlen, GFP_KERNEL);
02817 if(!new_name)
02818 {
02819 rsbac_printk(KERN_DEBUG
02820 "rsbac_symlink_redirect(): could not allocate memory for redirection of inode %u on dev %02u:%02u!\n",
02821 i_tid.symlink.inode,
02822 RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02823 return NULL;
02824 }
02825 strcpy(new_name, name);
02826 }
02827 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02828 len+=sprintf(new_name+len, "%u:", i_attr_val.current_sec_level);
02829 #else
02830 len+=sprintf(new_name+len, "%u", i_attr_val.current_sec_level);
02831 #endif
02832
02833 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02834 if ((err = rsbac_get_attr(SW_MAC,
02835 T_PROCESS,
02836 i_tid2,
02837 A_mac_curr_categories,
02838 &i_attr_val,
02839 FALSE) ))
02840 {
02841 rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_mac_curr_categories, err);
02842 if(new_name)
02843 kfree(new_name);
02844 return NULL;
02845 }
02846 u64tostrmac(new_name+len, i_attr_val.mac_categories);
02847 #endif
02848 }
02849 #endif
02850
02851 #ifdef CONFIG_RSBAC_SYM_REDIR_RC
02852 if ((err = rsbac_get_attr(SW_GEN,
02853 T_SYMLINK,
02854 i_tid,
02855 A_symlink_add_rc_role,
02856 &i_attr_val,
02857 FALSE) ))
02858 {
02859 rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_symlink_add_rc_role, err);
02860 if(new_name)
02861 kfree(new_name);
02862 return NULL;
02863 }
02864 if(i_attr_val.symlink_add_rc_role)
02865 {
02866 u_int len;
02867
02868 len = strlen(name);
02869 while( len
02870 && (name[len-1] >= '0')
02871 && (name[len-1] <= '9')
02872 )
02873 len--;
02874 if(len > (maxlen - 20))
02875 {
02876 if(new_name)
02877 kfree(new_name);
02878 rsbac_printk(KERN_DEBUG
02879 "rsbac_symlink_redirect(): not enough space for symlink inode %u on dev %02u:%02u!\n",
02880 i_tid.symlink.inode,
02881 RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02882 return NULL;
02883 }
02884
02885 i_tid2.process = current->pid;
02886 if ((err = rsbac_get_attr(SW_RC,
02887 T_PROCESS,
02888 i_tid2,
02889 A_rc_role,
02890 &i_attr_val,
02891 FALSE) ))
02892 {
02893 rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_rc_role, err);
02894 if(new_name)
02895 kfree(new_name);
02896 return NULL;
02897 }
02898
02899 if(!new_name)
02900 {
02901 new_name = kmalloc(maxlen, GFP_KERNEL);
02902 if(!new_name)
02903 {
02904 rsbac_printk(KERN_DEBUG
02905 "rsbac_symlink_redirect(): could not allocate memory for redirection of inode %u on dev %02u:%02u!\n",
02906 i_tid.symlink.inode,
02907 RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02908 return NULL;
02909 }
02910 strcpy(new_name, name);
02911 }
02912 ulongtostr(new_name+len, i_attr_val.rc_role);
02913 }
02914 #endif
02915
02916 return new_name;
02917 }
02918 #endif
02919
02920 #ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART
02921 int rsbac_dac_part_disabled(struct dentry * dentry_p)
02922 {
02923 int err;
02924 enum rsbac_target_t i_target;
02925 union rsbac_target_id_t i_tid;
02926 union rsbac_attribute_value_t i_attr_val;
02927
02928 if(!dentry_p || !dentry_p->d_inode || !dentry_p->d_inode->i_sb->s_dev || !rsbac_is_initialized())
02929 return FALSE;
02930
02931 if(S_ISREG(dentry_p->d_inode->i_mode))
02932 i_target = T_FILE;
02933 else
02934 if(S_ISDIR(dentry_p->d_inode->i_mode))
02935 i_target = T_DIR;
02936 else
02937 if(S_ISFIFO(dentry_p->d_inode->i_mode))
02938 i_target = T_FIFO;
02939 else
02940 if(S_ISLNK(dentry_p->d_inode->i_mode))
02941 i_target = T_SYMLINK;
02942 else
02943 return FALSE;
02944
02945 i_tid.file.device = dentry_p->d_sb->s_dev;
02946 i_tid.file.inode = dentry_p->d_inode->i_ino;
02947 i_tid.file.dentry_p = dentry_p;
02948
02949 #ifdef CONFIG_RSBAC_DEBUG
02950 if (rsbac_debug_aef)
02951 {
02952 rsbac_printk(KERN_DEBUG
02953 "rsbac_dac_part_disable(): called for dentry_p->d_inode %u on dev %02u:%02u, dentry_p %p!\n",
02954 i_tid.file.inode,
02955 RSBAC_MAJOR(i_tid.file.device), RSBAC_MINOR(i_tid.file.device),
02956 i_tid.file.dentry_p );
02957 }
02958 #endif
02959
02960 if ((err = rsbac_get_attr(SW_GEN,
02961 i_target,
02962 i_tid,
02963 A_linux_dac_disable,
02964 &i_attr_val,
02965 TRUE) ))
02966 {
02967 rsbac_printk(KERN_WARNING
02968 "rsbac_dac_part_disable(): rsbac_get_attr() for linux_dac_disable returned error %i!\n",
02969 err);
02970 return FALSE;
02971 }
02972 if(i_attr_val.linux_dac_disable == LDD_true)
02973 return TRUE;
02974 else
02975 return FALSE;
02976 }
02977 #endif
02978
02979 #ifdef CONFIG_RSBAC_FAKE_ROOT_UID
02980 rsbac_uid_t rsbac_fake_uid(void)
02981 {
02982 int err;
02983 union rsbac_target_id_t i_tid;
02984 union rsbac_attribute_value_t i_attr_val;
02985
02986 if(!current->uid)
02987 return 0;
02988 if (!rsbac_is_initialized())
02989 return current->uid;
02990
02991 i_tid.process = current->pid;
02992 if ((err = rsbac_get_attr(SW_GEN,
02993 T_PROCESS,
02994 i_tid,
02995 A_fake_root_uid,
02996 &i_attr_val,
02997 FALSE) ))
02998 {
02999 rsbac_ds_get_error("rsbac_fake_uid()", A_fake_root_uid);
03000 return current->uid;
03001 }
03002 switch(i_attr_val.fake_root_uid)
03003 {
03004 case FR_both:
03005 case FR_uid_only:
03006 return 0;
03007 default:
03008 return current->uid;
03009 }
03010 }
03011
03012 rsbac_uid_t rsbac_fake_euid(void)
03013 {
03014 int err;
03015 union rsbac_target_id_t i_tid;
03016 union rsbac_attribute_value_t i_attr_val;
03017
03018 if(!current->euid)
03019 return 0;
03020 if (!rsbac_is_initialized())
03021 return current->euid;
03022
03023 i_tid.process = current->pid;
03024 if ((err = rsbac_get_attr(SW_GEN,
03025 T_PROCESS,
03026 i_tid,
03027 A_fake_root_uid,
03028 &i_attr_val,
03029 FALSE) ))
03030 {
03031 rsbac_ds_get_error("rsbac_fake_euid()", A_fake_root_uid);
03032 return current->euid;
03033 }
03034 switch(i_attr_val.fake_root_uid)
03035 {
03036 case FR_both:
03037 case FR_euid_only:
03038 return 0;
03039 default:
03040 return current->euid;
03041 }
03042 }
03043
03044 int rsbac_uid_faked(void)
03045 {
03046 int err;
03047 union rsbac_target_id_t i_tid;
03048 union rsbac_attribute_value_t i_attr_val;
03049
03050 if (!rsbac_is_initialized())
03051 return 0;
03052
03053 i_tid.process = current->pid;
03054 if ((err = rsbac_get_attr(SW_GEN,
03055 T_PROCESS,
03056 i_tid,
03057 A_fake_root_uid,
03058 &i_attr_val,
03059 FALSE) ))
03060 {
03061 rsbac_ds_get_error("rsbac_uid_faked()", A_fake_root_uid);
03062 return 0;
03063 }
03064 switch(i_attr_val.fake_root_uid)
03065 {
03066 case FR_both:
03067 case FR_uid_only:
03068 return 1;
03069 default:
03070 return 0;
03071 }
03072 }
03073
03074 #endif
03075
03076 int rsbac_set_audit_uid(rsbac_uid_t uid)
03077 {
03078 union rsbac_target_id_t tid;
03079 union rsbac_attribute_value_t attr_val;
03080
03081 if(!uid || (uid == current->uid))
03082 return 0;
03083 tid.process = current->pid;
03084 if (rsbac_get_attr(SW_GEN,
03085 T_PROCESS,
03086 tid,
03087 A_audit_uid,
03088 &attr_val,
03089 FALSE))
03090 {
03091 rsbac_ds_get_error("rsbac_set_audit_uid()", A_audit_uid);
03092 return -RSBAC_EREADFAILED;
03093 }
03094 if(attr_val.audit_uid != RSBAC_NO_USER)
03095 return 0;
03096
03097 if (rsbac_get_attr(SW_GEN,
03098 T_PROCESS,
03099 tid,
03100 A_auid_exempt,
03101 &attr_val,
03102 FALSE))
03103 {
03104 rsbac_ds_get_error("rsbac_set_audit_uid()", A_auid_exempt);
03105 return -RSBAC_EREADFAILED;
03106 }
03107 if(attr_val.auid_exempt == uid)
03108 return 0;
03109
03110 attr_val.audit_uid = uid;
03111 if (rsbac_set_attr(SW_GEN,
03112 T_PROCESS,
03113 tid,
03114 A_audit_uid,
03115 attr_val))
03116 {
03117 rsbac_ds_set_error("rsbac_set_audit_uid()", A_audit_uid);
03118 return -RSBAC_EWRITEFAILED;
03119 }
03120 return 0;
03121 }
03122
03123 #if defined(CONFIG_RSBAC_CAP_LOG_MISSING) || defined(CONFIG_RSBAC_JAIL_LOG_MISSING)
03124 EXPORT_SYMBOL(rsbac_log_missing_cap);
03125
03126 void rsbac_log_missing_cap(int cap)
03127 {
03128 #if defined(CONFIG_RSBAC_CAP_LOG_MISSING)
03129 if(rsbac_cap_log_missing)
03130 rsbac_cap_log_missing_cap(cap);
03131 #endif
03132 #if defined(CONFIG_RSBAC_JAIL_LOG_MISSING)
03133 if(rsbac_jail_log_missing)
03134 rsbac_jail_log_missing_cap(cap);
03135 #endif
03136 }
03137 #endif
03138
03139