00001 /*************************************************** */
00002 /* Rule Set Based Access Control                     */
00003 /* Implementation of the Access Control Decision     */
00004 /* Facility (ADF) - Authentication module            */
00005 /* File: rsbac/adf/auth/auth_syscalls.c              */
00006 /*                                                   */
00007 /* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
00008 /*                                                   */
00009 /* Last modified: 11/Apr/2007                        */
00010 /*************************************************** */
00011 
00012 #include <linux/string.h>
00013 #include <linux/sched.h>
00014 #include <linux/errno.h>
00015 #include <rsbac/types.h>
00016 #include <rsbac/aci.h>
00017 #include <rsbac/error.h>
00018 #include <rsbac/auth.h>
00019 #include <rsbac/debug.h>
00020 #include <rsbac/helpers.h>
00021 #include <rsbac/adf_main.h>
00022 
00023 /************************************************* */
00024 /*           Global Variables                      */
00025 /************************************************* */
00026 
00027 /************************************************* */
00028 /*          Internal Help functions                */
00029 /************************************************* */
00030 
00031 /************************************************* */
00032 /*          Externally visible functions           */
00033 /************************************************* */
00034 
/*
 * rsbac_auth_add_p_cap() - grant an AUTH capability range to a process.
 *
 * @ta_number: transaction number, passed through to the capset update
 * @pid:       process whose capset is extended
 * @cap_type:  which AUTH capset of @pid receives the entry
 * @cap_range: inclusive id range (first..last) to allow
 * @ttl:       lifetime of the entry, passed through unchanged
 *
 * Access decision: outside maintenance mode the CALLING process (current)
 * must carry the auth_may_set_cap attribute.  The target @pid is not
 * inspected here.  Failure to read the attribute yields -RSBAC_EREADFAILED.
 * A missing attribute is logged at KERN_INFO and rejected with -EPERM, unless
 * softmode (global, or per-module for AUTH) is active, in which case the
 * denial is only logged and the capability is still added.
 *
 * NOTE(review): with CONFIG_RSBAC_SWITCH_AUTH the whole check is bypassed
 * while the AUTH module is switched off, yet the entry is still stored -
 * confirm in the capset code whether such entries take effect once the
 * module is switched back on.
 *
 * Returns the result of rsbac_auth_add_to_p_capset() once the check passes.
 */
int rsbac_auth_add_p_cap(
         rsbac_list_ta_number_t ta_number,
         rsbac_pid_t pid,
  enum   rsbac_auth_cap_type_t cap_type,
  struct rsbac_auth_cap_range_t cap_range,
         rsbac_time_t ttl)
  {
#if !defined(CONFIG_RSBAC_MAINT)
    /* Maintenance builds compile the whole enforcement path out. */
#ifdef CONFIG_RSBAC_SWITCH_AUTH
    if (rsbac_switch_auth)
#endif
      {
        union rsbac_target_id_t       caller;
        union rsbac_attribute_value_t may_set;
        int                           enforce = 1;

        /* The subject of the decision is the caller, not the target pid. */
        caller.process = current->pid;
        if (rsbac_get_attr(SW_AUTH, T_PROCESS, caller,
                           A_auth_may_set_cap, &may_set, FALSE) != 0)
          {
            rsbac_pr_get_error(A_auth_may_set_cap);
            return -RSBAC_EREADFAILED;
          }

        if (!may_set.auth_may_set_cap)
          {
            /* Denials are always logged, even when softmode lets them pass. */
            rsbac_printk(KERN_INFO
                   "rsbac_auth_add_p_cap(): adding AUTH cap %u:%u to process %u denied for process %u!\n",
                   cap_range.first,
                   cap_range.last,
                   pid,
                   current->pid);
#ifdef CONFIG_RSBAC_SOFTMODE
            /* Softmode (global or AUTH-specific) downgrades the denial to a log line. */
            if (rsbac_softmode
#ifdef CONFIG_RSBAC_SOFTMODE_IND
                || rsbac_ind_softmode[SW_AUTH]
#endif
               )
              enforce = 0;
#endif
            if (enforce)
              return -EPERM;
          }
      }
#endif

    /* Check passed (or was not enforced): store the entry. */
    return rsbac_auth_add_to_p_capset(ta_number, pid, cap_type, cap_range, ttl);
  }
00087 
/*
 * rsbac_auth_remove_p_cap() - revoke an AUTH capability range from a process.
 *
 * @ta_number: transaction number, passed through to the capset update
 * @pid:       process whose capset is reduced
 * @cap_type:  which AUTH capset of @pid the entry is removed from
 * @cap_range: inclusive id range (first..last) to remove
 *
 * Access decision mirrors rsbac_auth_add_p_cap(): outside maintenance mode
 * the CALLING process (current) must carry the auth_may_set_cap attribute;
 * @pid itself is not inspected.  An unreadable attribute yields
 * -RSBAC_EREADFAILED; a missing one is logged at KERN_INFO and rejected with
 * -EPERM unless softmode (global or AUTH-specific) is active, in which case
 * the removal is logged and still carried out.
 *
 * NOTE(review): with CONFIG_RSBAC_SWITCH_AUTH the check is bypassed entirely
 * while the AUTH module is switched off, so any process may then remove
 * entries - confirm this is the intended semantics of the switch.
 *
 * Returns the result of rsbac_auth_remove_from_p_capset() once the check
 * passes.
 */
int rsbac_auth_remove_p_cap(
         rsbac_list_ta_number_t ta_number,
         rsbac_pid_t pid,
  enum   rsbac_auth_cap_type_t cap_type,
  struct rsbac_auth_cap_range_t cap_range)
  {
#if !defined(CONFIG_RSBAC_MAINT)
    /* Maintenance builds compile the whole enforcement path out. */
#ifdef CONFIG_RSBAC_SWITCH_AUTH
    if (rsbac_switch_auth)
#endif
      {
        union rsbac_target_id_t       caller;
        union rsbac_attribute_value_t may_set;
        int                           enforce = 1;

        /* The subject of the decision is the caller, not the target pid. */
        caller.process = current->pid;
        if (rsbac_get_attr(SW_AUTH, T_PROCESS, caller,
                           A_auth_may_set_cap, &may_set, FALSE) != 0)
          {
            rsbac_pr_get_error(A_auth_may_set_cap);
            return -RSBAC_EREADFAILED;
          }

        if (!may_set.auth_may_set_cap)
          {
            /* Denials are always logged, even when softmode lets them pass. */
            rsbac_printk(KERN_INFO
                   "rsbac_auth_remove_p_cap(): removing AUTH cap %u:%u from process %u denied for process %u!\n",
                   cap_range.first,
                   cap_range.last,
                   pid,
                   current->pid);
#ifdef CONFIG_RSBAC_SOFTMODE
            /* Softmode (global or AUTH-specific) downgrades the denial to a log line. */
            if (rsbac_softmode
#ifdef CONFIG_RSBAC_SOFTMODE_IND
                || rsbac_ind_softmode[SW_AUTH]
#endif
               )
              enforce = 0;
#endif
            if (enforce)
              return -EPERM;
          }
      }
#endif

    /* Check passed (or was not enforced): drop the entry. */
    return rsbac_auth_remove_from_p_capset(ta_number, pid, cap_type, cap_range);
  }
00139 
/*
 * rsbac_auth_add_f_cap() - grant an AUTH capability range to a file target.
 *
 * @ta_number: transaction number, passed through to the capset update
 * @file:      file whose capset is extended
 * @cap_type:  which AUTH capset of @file receives the entry
 * @cap_range: inclusive id range (first..last) to allow
 * @ttl:       lifetime of the entry, passed through unchanged
 *
 * Unlike the process variant, NO permission check is performed here: this
 * function trusts that its caller already made the access decision (the
 * original notes it is done in help/syscalls.c, sys_rsbac_auth_add_f_cap).
 * Any new caller must either come through that entry point or perform an
 * equivalent check itself.
 *
 * Returns the result of rsbac_auth_add_to_f_capset().
 */
int rsbac_auth_add_f_cap(
         rsbac_list_ta_number_t ta_number,
         rsbac_auth_file_t file,
  enum   rsbac_auth_cap_type_t cap_type,
  struct rsbac_auth_cap_range_t cap_range,
         rsbac_time_t ttl)
  {
    int result;

    /* Plain pass-through; the access decision belongs to the syscall layer. */
    result = rsbac_auth_add_to_f_capset(ta_number, file, cap_type, cap_range, ttl);
    return result;
  }
00150 
/*
 * rsbac_auth_remove_f_cap() - revoke an AUTH capability range from a file.
 *
 * @ta_number: transaction number, passed through to the capset update
 * @file:      file whose capset is reduced
 * @cap_type:  which AUTH capset of @file the entry is removed from
 * @cap_range: inclusive id range (first..last) to remove
 *
 * As with rsbac_auth_add_f_cap(), NO permission check is performed here;
 * the caller is trusted to have made the access decision already (the
 * original points at help/syscalls.c, sys_rsbac_auth_remove_f_cap).  New
 * callers must go through that entry point or check on their own.
 *
 * Returns the result of rsbac_auth_remove_from_f_capset().
 */
int rsbac_auth_remove_f_cap(
         rsbac_list_ta_number_t ta_number,
         rsbac_auth_file_t file,
  enum   rsbac_auth_cap_type_t cap_type,
  struct rsbac_auth_cap_range_t cap_range)
  {
    int result;

    /* Plain pass-through; the access decision belongs to the syscall layer. */
    result = rsbac_auth_remove_from_f_capset(ta_number, file, cap_type, cap_range);
    return result;
  }
00160 
00161 /* end of rsbac/adf/auth/auth_syscalls.c */
