#include <linux/init.h>
#include <rsbac/types.h>
Go to the source code of this file.
int rsbac_auth_add_to_f_capset | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_auth_file_t | file, | |||
enum rsbac_auth_cap_type_t | cap_type, | |||
struct rsbac_auth_cap_range_t | cap_range, | |||
rsbac_time_t | ttl | |||
) |
Definition at line 2934 of file auth_data_structures.c.
References ACT_eff, ACT_fs, ACT_group_eff, ACT_group_fs, ACT_group_real, ACT_real, device_list_lock, rsbac_auth_cap_range_t::first, rsbac_auth_device_list_item_t::handle, rsbac_auth_cap_range_t::last, lookup_device(), NULL, RSBAC_EINVALIDATTR, RSBAC_EINVALIDDEV, RSBAC_EINVALIDVALUE, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), rsbac_printk(), and rsbac_ta_list_lol_subadd_ttl().
Referenced by rsbac_auth_add_f_cap().
02939 { 02940 int err = 0; 02941 struct rsbac_auth_device_list_item_t *device_p; 02942 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 02943 u_long dflags; 02944 #endif 02945 02946 if (!rsbac_is_initialized()) { 02947 rsbac_printk(KERN_WARNING "rsbac_auth_add_to_f_capset(): RSBAC not initialized\n"); 02948 return (-RSBAC_ENOTINITIALIZED); 02949 } 02950 if (in_interrupt()) { 02951 rsbac_printk(KERN_WARNING "rsbac_auth_add_to_f_capset(): called from interrupt!\n"); 02952 } 02953 if (cap_range.first > cap_range.last) 02954 return (-RSBAC_EINVALIDVALUE); 02955 02956 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 02957 rcu_read_lock(); 02958 #else 02959 rsbac_read_lock(&device_list_lock, &dflags); 02960 #endif 02961 device_p = lookup_device(file.device); 02962 if (!device_p) { 02963 /* trigger rsbac_mount() */ 02964 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 02965 rcu_read_unlock(); 02966 #else 02967 rsbac_read_unlock(&device_list_lock, &dflags); 02968 #endif 02969 rsbac_get_super_block(file.device); 02970 /* retry */ 02971 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 02972 rcu_read_lock(); 02973 #else 02974 rsbac_read_lock(&device_list_lock, &dflags); 02975 #endif 02976 device_p = lookup_device(file.device); 02977 if (!device_p) { 02978 rsbac_printk(KERN_WARNING "rsbac_auth_add_to_f_capset(): invalid device %02u:%02u!\n", 02979 RSBAC_MAJOR(file.device), 02980 RSBAC_MINOR(file.device)); 02981 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 02982 rcu_read_unlock(); 02983 #else 02984 rsbac_read_unlock(&device_list_lock, &dflags); 02985 #endif 02986 return (-RSBAC_EINVALIDDEV); 02987 } 02988 } 02989 02990 switch (cap_type) { 02991 case ACT_real: 02992 err = rsbac_ta_list_lol_subadd_ttl(ta_number, 02993 device_p->handle, 02994 ttl, &file.inode, 02995 &cap_range, NULL); 02996 break; 02997 #ifdef CONFIG_RSBAC_AUTH_DAC_OWNER 02998 case ACT_eff: 02999 err = rsbac_ta_list_lol_subadd_ttl(ta_number, 03000 device_p->eff_handle, 03001 ttl, &file.inode, 03002 &cap_range, NULL); 03003 break; 03004 case ACT_fs: 03005 err = rsbac_ta_list_lol_subadd_ttl(ta_number, 03006 device_p->fs_handle, 03007 ttl, &file.inode, 03008 &cap_range, NULL); 03009 break; 03010 #endif 03011 #ifdef CONFIG_RSBAC_AUTH_GROUP 03012 case ACT_group_real: 03013 err = rsbac_ta_list_lol_subadd_ttl(ta_number, 03014 device_p->group_handle, 03015 ttl, 03016 &file.inode, &cap_range, 03017 NULL); 03018 break; 03019 #ifdef CONFIG_RSBAC_AUTH_DAC_GROUP 03020 case ACT_group_eff: 03021 err = rsbac_ta_list_lol_subadd_ttl(ta_number, 03022 device_p->group_eff_handle, 03023 ttl, 03024 &file.inode, &cap_range, 03025 NULL); 03026 break; 03027 case ACT_group_fs: 03028 err = rsbac_ta_list_lol_subadd_ttl(ta_number, 03029 device_p->group_fs_handle, 03030 ttl, 03031 &file.inode, &cap_range, 03032 NULL); 03033 break; 03034 #endif 03035 #endif /* AUTH_GROUP */ 03036 03037 default: 03038 err = -RSBAC_EINVALIDATTR; 03039 } 03040 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03041 rcu_read_unlock(); 03042 #else 03043 rsbac_read_unlock(&device_list_lock, &dflags); 03044 #endif 03045 return (err); 03046 }
int rsbac_auth_add_to_p_capset | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_pid_t | pid, | |||
enum rsbac_auth_cap_type_t | cap_type, | |||
struct rsbac_auth_cap_range_t | cap_range, | |||
rsbac_time_t | ttl | |||
) |
Definition at line 2876 of file auth_data_structures.c.
References ACT_eff, ACT_fs, ACT_group_eff, ACT_group_fs, ACT_group_real, ACT_real, rsbac_auth_cap_range_t::first, rsbac_auth_cap_range_t::last, NULL, process_handle, RSBAC_EINVALIDATTR, RSBAC_EINVALIDVALUE, RSBAC_ENOTINITIALIZED, rsbac_is_initialized(), rsbac_printk(), and rsbac_ta_list_lol_subadd_ttl().
Referenced by rsbac_auth_add_p_cap(), and rsbac_replace_auth_cap().
02881 { 02882 if (!rsbac_is_initialized()) { 02883 rsbac_printk(KERN_WARNING "rsbac_auth_add_to_p_capset(): RSBAC not initialized\n"); 02884 return (-RSBAC_ENOTINITIALIZED); 02885 } 02886 if (in_interrupt()) { 02887 rsbac_printk(KERN_WARNING "rsbac_auth_add_to_p_capset(): called from interrupt!\n"); 02888 } 02889 if (cap_range.first > cap_range.last) 02890 return (-RSBAC_EINVALIDVALUE); 02891 switch (cap_type) { 02892 case ACT_real: 02893 return rsbac_ta_list_lol_subadd_ttl(ta_number, 02894 process_handle, ttl, 02895 &pid, &cap_range, 02896 NULL); 02897 #ifdef CONFIG_RSBAC_AUTH_DAC_OWNER 02898 case ACT_eff: 02899 return rsbac_ta_list_lol_subadd_ttl(ta_number, 02900 process_eff_handle, 02901 ttl, &pid, &cap_range, 02902 NULL); 02903 case ACT_fs: 02904 return rsbac_ta_list_lol_subadd_ttl(ta_number, 02905 process_fs_handle, ttl, 02906 &pid, &cap_range, 02907 NULL); 02908 #endif 02909 #ifdef CONFIG_RSBAC_AUTH_GROUP 02910 case ACT_group_real: 02911 return rsbac_ta_list_lol_subadd_ttl(ta_number, 02912 process_group_handle, 02913 ttl, &pid, &cap_range, 02914 NULL); 02915 #ifdef CONFIG_RSBAC_AUTH_DAC_GROUP 02916 case ACT_group_eff: 02917 return rsbac_ta_list_lol_subadd_ttl(ta_number, 02918 process_group_eff_handle, 02919 ttl, &pid, &cap_range, 02920 NULL); 02921 case ACT_group_fs: 02922 return rsbac_ta_list_lol_subadd_ttl(ta_number, 02923 process_group_fs_handle, 02924 ttl, &pid, &cap_range, 02925 NULL); 02926 #endif 02927 #endif /* AUTH_GROUP */ 02928 02929 default: 02930 return -RSBAC_EINVALIDATTR; 02931 } 02932 }
int rsbac_auth_clear_f_capset | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_auth_file_t | file, | |||
enum rsbac_auth_cap_type_t | cap_type | |||
) |
Definition at line 3257 of file auth_data_structures.c.
References ACT_eff, ACT_fs, ACT_group_eff, ACT_group_fs, ACT_group_real, ACT_real, device_list_lock, rsbac_auth_device_list_item_t::handle, lookup_device(), RSBAC_EINVALIDDEV, RSBAC_EINVALIDTARGET, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), rsbac_printk(), and rsbac_ta_list_lol_remove().
Referenced by rsbac_auth_remove_f_capsets().
03260 { 03261 int err = 0; 03262 struct rsbac_auth_device_list_item_t *device_p; 03263 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 03264 u_long dflags; 03265 #endif 03266 03267 if (!rsbac_is_initialized()) { 03268 rsbac_printk(KERN_WARNING "rsbac_auth_clear_f_capset(): RSBAC not initialized\n"); 03269 return (-RSBAC_ENOTINITIALIZED); 03270 } 03271 if (in_interrupt()) { 03272 rsbac_printk(KERN_WARNING "rsbac_auth_clear_f_capset(): called from interrupt!\n"); 03273 } 03274 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03275 rcu_read_lock(); 03276 #else 03277 rsbac_read_lock(&device_list_lock, &dflags); 03278 #endif 03279 device_p = lookup_device(file.device); 03280 if (!device_p) { 03281 /* trigger rsbac_mount() */ 03282 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03283 rcu_read_unlock(); 03284 #else 03285 rsbac_read_unlock(&device_list_lock, &dflags); 03286 #endif 03287 rsbac_get_super_block(file.device); 03288 /* retry */ 03289 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03290 rcu_read_lock(); 03291 #else 03292 rsbac_read_lock(&device_list_lock, &dflags); 03293 #endif 03294 device_p = lookup_device(file.device); 03295 if (!device_p) { 03296 rsbac_printk(KERN_WARNING "rsbac_auth_clear_f_capset(): invalid device %02u:%02u!\n", 03297 RSBAC_MAJOR(file.device), 03298 RSBAC_MINOR(file.device)); 03299 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03300 rcu_read_unlock(); 03301 #else 03302 rsbac_read_unlock(&device_list_lock, &dflags); 03303 #endif 03304 return (-RSBAC_EINVALIDDEV); 03305 } 03306 } 03307 switch (cap_type) { 03308 case ACT_real: 03309 err = rsbac_ta_list_lol_remove(ta_number, 03310 device_p->handle, 03311 &file.inode); 03312 break; 03313 #ifdef CONFIG_RSBAC_AUTH_DAC_OWNER 03314 case ACT_eff: 03315 err = rsbac_ta_list_lol_remove(ta_number, 03316 device_p->eff_handle, 03317 &file.inode); 03318 break; 03319 case ACT_fs: 03320 err = rsbac_ta_list_lol_remove(ta_number, 03321 device_p->fs_handle, 03322 &file.inode); 03323 break; 03324 #endif 03325 #ifdef CONFIG_RSBAC_AUTH_GROUP 03326 case ACT_group_real: 03327 err = rsbac_ta_list_lol_remove(ta_number, 03328 device_p->group_handle, 03329 &file.inode); 03330 break; 03331 #ifdef CONFIG_RSBAC_AUTH_DAC_GROUP 03332 case ACT_group_eff: 03333 err = rsbac_ta_list_lol_remove(ta_number, 03334 device_p->group_eff_handle, 03335 &file.inode); 03336 break; 03337 case ACT_group_fs: 03338 err = rsbac_ta_list_lol_remove(ta_number, 03339 device_p-> group_fs_handle, 03340 &file.inode); 03341 break; 03342 #endif 03343 #endif /* AUTH_GROUP */ 03344 03345 default: 03346 err = -RSBAC_EINVALIDTARGET; 03347 } 03348 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03349 rcu_read_unlock(); 03350 #else 03351 rsbac_read_unlock(&device_list_lock, &dflags); 03352 #endif 03353 return (err); 03354 }
int rsbac_auth_clear_p_capset | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_pid_t | pid, | |||
enum rsbac_auth_cap_type_t | cap_type | |||
) |
Definition at line 3212 of file auth_data_structures.c.
References ACT_eff, ACT_fs, ACT_group_eff, ACT_group_fs, ACT_group_real, ACT_real, process_handle, RSBAC_EINVALIDTARGET, RSBAC_ENOTINITIALIZED, rsbac_is_initialized(), rsbac_printk(), and rsbac_ta_list_lol_remove().
Referenced by rsbac_auth_remove_p_capsets().
03215 { 03216 if (!rsbac_is_initialized()) { 03217 rsbac_printk(KERN_WARNING "rsbac_auth_clear_p_capset(): RSBAC not initialized\n"); 03218 return (-RSBAC_ENOTINITIALIZED); 03219 } 03220 if (in_interrupt()) { 03221 rsbac_printk(KERN_WARNING "rsbac_auth_clear_p_capset(): called from interrupt!\n"); 03222 } 03223 switch (cap_type) { 03224 case ACT_real: 03225 return rsbac_ta_list_lol_remove(ta_number, process_handle, 03226 &pid); 03227 #ifdef CONFIG_RSBAC_AUTH_DAC_OWNER 03228 case ACT_eff: 03229 return rsbac_ta_list_lol_remove(ta_number, 03230 process_eff_handle, &pid); 03231 case ACT_fs: 03232 return rsbac_ta_list_lol_remove(ta_number, 03233 process_fs_handle, &pid); 03234 #endif 03235 #ifdef CONFIG_RSBAC_AUTH_GROUP 03236 case ACT_group_real: 03237 return rsbac_ta_list_lol_remove(ta_number, 03238 process_group_handle, 03239 &pid); 03240 #ifdef CONFIG_RSBAC_AUTH_DAC_GROUP 03241 case ACT_group_eff: 03242 return rsbac_ta_list_lol_remove(ta_number, 03243 process_group_eff_handle, 03244 &pid); 03245 case ACT_group_fs: 03246 return rsbac_ta_list_lol_remove(ta_number, 03247 process_group_fs_handle, 03248 &pid); 03249 #endif 03250 #endif /* AUTH_GROUP */ 03251 03252 default: 03253 return -RSBAC_EINVALIDTARGET; 03254 } 03255 }
int rsbac_auth_copy_fp_capset | ( | rsbac_auth_file_t | file, | |
rsbac_pid_t | p_cap_set_id | |||
) |
Definition at line 4119 of file auth_data_structures.c.
References copy_fp_cap_set_item(), device_list_lock, lookup_device(), RSBAC_EINVALIDDEV, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), and rsbac_printk().
Referenced by rsbac_adf_set_attr_auth().
04121 { 04122 struct rsbac_auth_device_list_item_t *device_p; 04123 int err = 0; 04124 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 04125 u_long dflags; 04126 #endif 04127 04128 if (!rsbac_is_initialized()) { 04129 rsbac_printk(KERN_WARNING "rsbac_auth_copy_fp_capset(): RSBAC not initialized\n"); 04130 return (-RSBAC_ENOTINITIALIZED); 04131 } 04132 if (in_interrupt()) { 04133 rsbac_printk(KERN_WARNING "rsbac_auth_copy_fp_capset(): called from interrupt!\n"); 04134 } 04135 /* 04136 rsbac_pr_debug(ds_auth, "Copying file cap set data to process cap set\n"); 04137 */ 04138 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 04139 rcu_read_lock(); 04140 #else 04141 rsbac_read_lock(&device_list_lock, &dflags); 04142 #endif 04143 device_p = lookup_device(file.device); 04144 if (!device_p) { 04145 /* trigger rsbac_mount() */ 04146 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 04147 rcu_read_unlock(); 04148 #else 04149 rsbac_read_unlock(&device_list_lock, &dflags); 04150 #endif 04151 rsbac_get_super_block(file.device); 04152 /* retry */ 04153 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 04154 rcu_read_lock(); 04155 #else 04156 rsbac_read_lock(&device_list_lock, &dflags); 04157 #endif 04158 device_p = lookup_device(file.device); 04159 if (!device_p) { 04160 rsbac_printk(KERN_WARNING "rsbac_auth_copy_fp_capset(): invalid device %02u:%02u!\n", 04161 RSBAC_MAJOR(file.device), 04162 RSBAC_MINOR(file.device)); 04163 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 04164 rcu_read_unlock(); 04165 #else 04166 rsbac_read_unlock(&device_list_lock, &dflags); 04167 #endif 04168 return (-RSBAC_EINVALIDDEV); 04169 } 04170 } 04171 /* call the copy function */ 04172 err = copy_fp_cap_set_item(device_p, file, p_cap_set_id); 04173 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 04174 rcu_read_unlock(); 04175 #else 04176 rsbac_read_unlock(&device_list_lock, &dflags); 04177 #endif 04178 return (err); 04179 }
int rsbac_auth_copy_pp_capset | ( | rsbac_pid_t | old_p_set_id, | |
rsbac_pid_t | new_p_set_id | |||
) |
Definition at line 4181 of file auth_data_structures.c.
References copy_pp_cap_set_item(), RSBAC_ENOTINITIALIZED, rsbac_is_initialized(), and rsbac_printk().
Referenced by rsbac_adf_set_attr_auth().
04183 { 04184 if (!rsbac_is_initialized()) { 04185 rsbac_printk(KERN_WARNING "rsbac_auth_copy_pp_capset(): RSBAC not initialized\n"); 04186 return (-RSBAC_ENOTINITIALIZED); 04187 } 04188 if (in_interrupt()) { 04189 rsbac_printk(KERN_WARNING "rsbac_auth_copy_pp_capset(): called from interrupt!\n"); 04190 } 04191 /* 04192 rsbac_pr_debug(ds_auth, "Copying process cap set data to process cap set\n"); 04193 */ 04194 /* call the copy function */ 04195 return copy_pp_cap_set_item(old_p_set_id, new_p_set_id); 04196 }
int rsbac_auth_get_f_caplist | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_auth_file_t | file, | |||
enum rsbac_auth_cap_type_t | cap_type, | |||
struct rsbac_auth_cap_range_t ** | caplist_p, | |||
rsbac_time_t ** | ttllist_p | |||
) |
Definition at line 4198 of file auth_data_structures.c.
References ACT_eff, ACT_fs, ACT_group_eff, ACT_group_fs, ACT_group_real, ACT_real, device_list_lock, rsbac_auth_device_list_item_t::handle, lookup_device(), RSBAC_EINVALIDDEV, RSBAC_EINVALIDTARGET, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), rsbac_printk(), and rsbac_ta_list_lol_get_all_subdesc_ttl().
04203 { 04204 struct rsbac_auth_device_list_item_t *device_p; 04205 long count; 04206 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 04207 u_long dflags; 04208 #endif 04209 04210 if (!rsbac_is_initialized()) { 04211 rsbac_printk(KERN_WARNING "rsbac_auth_get_f_caplist(): RSBAC not initialized\n"); 04212 return (-RSBAC_ENOTINITIALIZED); 04213 } 04214 if (in_interrupt()) { 04215 rsbac_printk(KERN_WARNING "rsbac_auth_get_f_caplist(): called from interrupt!\n"); 04216 } 04217 /* 04218 rsbac_pr_debug(ds_auth, "Getting file/dir cap set list\n"); 04219 */ 04220 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 04221 rcu_read_lock(); 04222 #else 04223 rsbac_read_lock(&device_list_lock, &dflags); 04224 #endif 04225 device_p = lookup_device(file.device); 04226 if (!device_p) { 04227 /* trigger rsbac_mount() */ 04228 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 04229 rcu_read_unlock(); 04230 #else 04231 rsbac_read_unlock(&device_list_lock, &dflags); 04232 #endif 04233 rsbac_get_super_block(file.device); 04234 /* retry */ 04235 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 04236 rcu_read_lock(); 04237 #else 04238 rsbac_read_lock(&device_list_lock, &dflags); 04239 #endif 04240 device_p = lookup_device(file.device); 04241 if (!device_p) { 04242 rsbac_printk(KERN_WARNING "rsbac_auth_get_f_caplist(): invalid device %02u:%02u!\n", 04243 RSBAC_MAJOR(file.device), 04244 RSBAC_MINOR(file.device)); 04245 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 04246 rcu_read_unlock(); 04247 #else 04248 rsbac_read_unlock(&device_list_lock, &dflags); 04249 #endif 04250 return (-RSBAC_EINVALIDDEV); 04251 } 04252 } 04253 switch (cap_type) { 04254 case ACT_real: 04255 count = rsbac_ta_list_lol_get_all_subdesc_ttl(ta_number, 04256 device_p->handle, 04257 &file.inode, 04258 (void **) 04259 caplist_p, 04260 ttllist_p); 04261 break; 04262 #ifdef CONFIG_RSBAC_AUTH_DAC_OWNER 04263 case ACT_eff: 04264 count = rsbac_ta_list_lol_get_all_subdesc_ttl(ta_number, 04265 device_p->eff_handle, 04266 &file.inode, 04267 (void **) 04268 caplist_p, 04269 ttllist_p); 04270 break; 04271 case ACT_fs: 04272 count = rsbac_ta_list_lol_get_all_subdesc_ttl(ta_number, 04273 device_p->fs_handle, 04274 &file.inode, 04275 (void **) 04276 caplist_p, 04277 ttllist_p); 04278 break; 04279 #endif 04280 #ifdef CONFIG_RSBAC_AUTH_GROUP 04281 case ACT_group_real: 04282 count = rsbac_ta_list_lol_get_all_subdesc_ttl(ta_number, 04283 device_p->group_handle, 04284 &file.inode, 04285 (void **) 04286 caplist_p, 04287 ttllist_p); 04288 break; 04289 #ifdef CONFIG_RSBAC_AUTH_DAC_GROUP 04290 case ACT_group_eff: 04291 count = rsbac_ta_list_lol_get_all_subdesc_ttl(ta_number, 04292 device_p->group_eff_handle, 04293 &file.inode, 04294 (void **) 04295 caplist_p, 04296 ttllist_p); 04297 break; 04298 case ACT_group_fs: 04299 count = rsbac_ta_list_lol_get_all_subdesc_ttl(ta_number, 04300 device_p->group_fs_handle, 04301 &file.inode, 04302 (void **) 04303 caplist_p, 04304 ttllist_p); 04305 break; 04306 #endif 04307 #endif /* AUTH_GROUP */ 04308 04309 default: 04310 count = -RSBAC_EINVALIDTARGET; 04311 } 04312 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 04313 rcu_read_unlock(); 04314 #else 04315 rsbac_read_unlock(&device_list_lock, &dflags); 04316 #endif 04317 return (count); 04318 }
int rsbac_auth_get_p_caplist | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_pid_t | pid, | |||
enum rsbac_auth_cap_type_t | cap_type, | |||
struct rsbac_auth_cap_range_t ** | caplist_p, | |||
rsbac_time_t ** | ttllist_p | |||
) |
Definition at line 4320 of file auth_data_structures.c.
References ACT_eff, ACT_fs, ACT_group_eff, ACT_group_fs, ACT_group_real, ACT_real, process_handle, RSBAC_EINVALIDTARGET, RSBAC_ENOTINITIALIZED, rsbac_is_initialized(), rsbac_printk(), and rsbac_ta_list_lol_get_all_subdesc_ttl().
04325 { 04326 long count; 04327 04328 if (!rsbac_is_initialized()) { 04329 rsbac_printk(KERN_WARNING "rsbac_auth_get_p_caplist(): RSBAC not initialized\n"); 04330 return (-RSBAC_ENOTINITIALIZED); 04331 } 04332 if (in_interrupt()) { 04333 rsbac_printk(KERN_WARNING "rsbac_auth_get_p_caplist(): called from interrupt!\n"); 04334 } 04335 /* 04336 rsbac_pr_debug(ds_auth, "Getting process cap set list\n"); 04337 */ 04338 switch (cap_type) { 04339 case ACT_real: 04340 count = rsbac_ta_list_lol_get_all_subdesc_ttl(ta_number, 04341 process_handle, 04342 &pid, 04343 (void **) 04344 caplist_p, 04345 ttllist_p); 04346 break; 04347 #ifdef CONFIG_RSBAC_AUTH_DAC_OWNER 04348 case ACT_eff: 04349 count = rsbac_ta_list_lol_get_all_subdesc_ttl(ta_number, 04350 process_eff_handle, 04351 &pid, 04352 (void **) 04353 caplist_p, 04354 ttllist_p); 04355 break; 04356 case ACT_fs: 04357 count = rsbac_ta_list_lol_get_all_subdesc_ttl(ta_number, 04358 process_fs_handle, 04359 &pid, 04360 (void **) 04361 caplist_p, 04362 ttllist_p); 04363 break; 04364 #endif 04365 #ifdef CONFIG_RSBAC_AUTH_GROUP 04366 case ACT_group_real: 04367 count = rsbac_ta_list_lol_get_all_subdesc_ttl(ta_number, 04368 process_group_handle, 04369 &pid, 04370 (void **) 04371 caplist_p, 04372 ttllist_p); 04373 break; 04374 #ifdef CONFIG_RSBAC_AUTH_DAC_GROUP 04375 case ACT_group_eff: 04376 count = rsbac_ta_list_lol_get_all_subdesc_ttl(ta_number, 04377 process_group_eff_handle, 04378 &pid, 04379 (void **) 04380 caplist_p, 04381 ttllist_p); 04382 break; 04383 case ACT_group_fs: 04384 count = rsbac_ta_list_lol_get_all_subdesc_ttl(ta_number, 04385 process_group_fs_handle, 04386 &pid, 04387 (void **) 04388 caplist_p, 04389 ttllist_p); 04390 break; 04391 #endif 04392 #endif /* AUTH_GROUP */ 04393 04394 default: 04395 count = -RSBAC_EINVALIDTARGET; 04396 } 04397 return (count); 04398 }
rsbac_boolean_t rsbac_auth_p_capset_member | ( | rsbac_pid_t | pid, | |
enum rsbac_auth_cap_type_t | cap_type, | |||
rsbac_uid_t | member | |||
) |
Definition at line 3359 of file auth_data_structures.c.
References A_auth_learn, ACT_eff, ACT_fs, ACT_group_eff, ACT_group_fs, ACT_group_real, ACT_real, rsbac_attribute_value_t::auth_learn, device_list_lock, FALSE, rsbac_auth_cap_range_t::first, rsbac_auth_device_list_item_t::handle, rsbac_auth_cap_range_t::last, lookup_device(), NULL, rsbac_target_id_t::process, process_handle, RSBAC_AUTH_DAC_GROUP_F_CAP, RSBAC_AUTH_DAC_OWNER_F_CAP, RSBAC_AUTH_GROUP_F_CAP, RSBAC_AUTH_MAX_RANGE_UID, RSBAC_AUTH_OWNER_F_CAP, rsbac_get_attr, rsbac_is_initialized(), rsbac_list_lol_subadd(), rsbac_list_lol_subexist_compare(), rsbac_printk(), single_cap_compare(), SW_AUTH, T_PROCESS, and TRUE.
Referenced by rsbac_adf_request_auth(), and rsbac_replace_auth_cap().
03362 { 03363 rsbac_boolean_t result; 03364 03365 if (!rsbac_is_initialized()) { 03366 rsbac_printk(KERN_WARNING "rsbac_auth_p_capset_member(): RSBAC not initialized\n"); 03367 return FALSE; 03368 } 03369 if (in_interrupt()) { 03370 rsbac_printk(KERN_WARNING "rsbac_auth_p_capset_member(): called from interrupt!\n"); 03371 } 03372 switch (cap_type) { 03373 case ACT_real: 03374 result = 03375 rsbac_list_lol_subexist_compare(process_handle, &pid, 03376 &member, 03377 single_cap_compare); 03378 03379 #if defined(CONFIG_RSBAC_AUTH_LEARN) 03380 if (!result && (member <= RSBAC_AUTH_MAX_RANGE_UID) 03381 ) { 03382 union rsbac_target_id_t tid; 03383 union rsbac_attribute_value_t attr_val; 03384 rsbac_boolean_t learn; 03385 03386 learn = rsbac_auth_learn; 03387 if (!learn) { 03388 tid.process = pid; 03389 /* check learn on process */ 03390 if (!rsbac_get_attr 03391 (SW_AUTH, T_PROCESS, tid, A_auth_learn, 03392 &attr_val, FALSE)) 03393 learn = attr_val.auth_learn; 03394 } 03395 if (learn) { 03396 struct rsbac_auth_cap_range_t range; 03397 03398 rsbac_printk(KERN_INFO "rsbac_auth_p_capset_member(): adding AUTH capability for uid %u to process %u (%.15s)!\n", 03399 member, pid, current->comm); 03400 range.first = member; 03401 range.last = member; 03402 rsbac_list_lol_subadd(process_handle, &pid, 03403 &range, NULL); 03404 03405 tid.process = pid; 03406 if (!rsbac_get_attr 03407 (SW_AUTH, T_PROCESS, tid, 03408 A_auth_program_file, &attr_val, 03409 FALSE)) { 03410 struct 03411 rsbac_auth_device_list_item_t 03412 *device_p; 03413 union rsbac_attribute_value_t 03414 attr_val2; 03415 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 03416 u_long dflags; 03417 #endif 03418 03419 if (!rsbac_get_attr 03420 (SW_AUTH, T_PROCESS, tid, 03421 A_auth_start_uid, &attr_val2, 03422 FALSE) 03423 && (range.first == 03424 attr_val2.auth_start_uid) 03425 ) { 03426 range.first = 03427 RSBAC_AUTH_OWNER_F_CAP; 03428 range.last = range.first; 03429 } 03430 rsbac_printk(KERN_INFO "rsbac_auth_p_capset_member(): adding AUTH capability for uid %u to file %u on device %02u:%02u!\n", 03431 range.first, 03432 attr_val. 03433 auth_program_file. 03434 inode, 03435 MAJOR(attr_val. 03436 auth_program_file. 03437 device), 03438 MINOR(attr_val. 03439 auth_program_file. 03440 device)); 03441 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03442 rcu_read_lock(); 03443 #else 03444 rsbac_read_lock(&device_list_lock, &dflags); 03445 #endif 03446 device_p = 03447 lookup_device(attr_val. 03448 auth_program_file. 03449 device); 03450 if (device_p) { 03451 rsbac_list_lol_subadd 03452 (device_p->handle, 03453 &attr_val. 03454 auth_program_file. 03455 inode, &range, NULL); 03456 } else { 03457 rsbac_printk(KERN_INFO "rsbac_auth_p_capset_member(): unknown device %02u:%02u!\n", 03458 MAJOR 03459 (attr_val. 03460 auth_program_file. 03461 device), 03462 MINOR 03463 (attr_val. 03464 auth_program_file. 03465 device)); 03466 } 03467 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03468 rcu_read_unlock(); 03469 #else 03470 rsbac_read_unlock(&device_list_lock, &dflags); 03471 #endif 03472 } 03473 result = TRUE; 03474 } 03475 } 03476 #endif 03477 break; 03478 03479 #ifdef CONFIG_RSBAC_AUTH_DAC_OWNER 03480 case ACT_eff: 03481 result = 03482 rsbac_list_lol_subexist_compare(process_eff_handle, 03483 &pid, &member, 03484 single_cap_compare); 03485 03486 #if defined(CONFIG_RSBAC_AUTH_LEARN) 03487 if (!result && (member <= RSBAC_AUTH_MAX_RANGE_UID) 03488 ) { 03489 union rsbac_target_id_t tid; 03490 union rsbac_attribute_value_t attr_val; 03491 rsbac_boolean_t learn; 03492 03493 learn = rsbac_auth_learn; 03494 if (!learn) { 03495 tid.process = pid; 03496 /* check learn on process */ 03497 if (!rsbac_get_attr 03498 (SW_AUTH, T_PROCESS, tid, A_auth_learn, 03499 &attr_val, FALSE)) 03500 learn = attr_val.auth_learn; 03501 } 03502 if (learn) { 03503 struct rsbac_auth_cap_range_t range; 03504 03505 rsbac_printk(KERN_INFO "rsbac_auth_p_capset_member(): adding AUTH eff capability for uid %u to process %u (%.15s)!\n", 03506 member, pid, current->comm); 03507 range.first = member; 03508 range.last = member; 03509 rsbac_list_lol_subadd(process_eff_handle, 03510 &pid, &range, NULL); 03511 03512 tid.process = pid; 03513 if (!rsbac_get_attr 03514 (SW_AUTH, T_PROCESS, tid, 03515 A_auth_program_file, &attr_val, 03516 FALSE)) { 03517 struct 03518 rsbac_auth_device_list_item_t 03519 *device_p; 03520 union rsbac_attribute_value_t 03521 attr_val2; 03522 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 03523 u_long dflags; 03524 #endif 03525 03526 if (!rsbac_get_attr 03527 (SW_AUTH, T_PROCESS, tid, 03528 A_auth_start_uid, &attr_val2, 03529 FALSE) 03530 && (range.first == 03531 attr_val2.auth_start_uid) 03532 ) { 03533 range.first = 03534 RSBAC_AUTH_OWNER_F_CAP; 03535 range.last = range.first; 03536 } else 03537 if (!rsbac_get_attr 03538 (SW_AUTH, T_PROCESS, tid, 03539 A_auth_start_euid, 03540 &attr_val2, FALSE) 03541 && (range.first == 03542 attr_val2. 03543 auth_start_euid) 03544 ) { 03545 range.first = 03546 RSBAC_AUTH_DAC_OWNER_F_CAP; 03547 range.last = range.first; 03548 } 03549 rsbac_printk(KERN_INFO "rsbac_auth_p_capset_member(): adding AUTH eff capability for uid %u to file %u on device %02u:%02u!\n", 03550 range.first, 03551 attr_val. 03552 auth_program_file. 03553 inode, 03554 MAJOR(attr_val. 03555 auth_program_file. 03556 device), 03557 MINOR(attr_val. 03558 auth_program_file. 03559 device)); 03560 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03561 rcu_read_lock(); 03562 #else 03563 rsbac_read_lock(&device_list_lock, &dflags); 03564 #endif 03565 device_p = 03566 lookup_device(attr_val. 03567 auth_program_file. 03568 device); 03569 if (device_p) { 03570 rsbac_list_lol_subadd 03571 (device_p->eff_handle, 03572 &attr_val. 03573 auth_program_file. 03574 inode, &range, NULL); 03575 } else { 03576 rsbac_printk(KERN_INFO "rsbac_auth_p_capset_member(): unknown device %02u:%02u!\n", 03577 MAJOR 03578 (attr_val. 03579 auth_program_file. 03580 device), 03581 MINOR 03582 (attr_val. 03583 auth_program_file. 03584 device)); 03585 } 03586 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03587 rcu_read_unlock(); 03588 #else 03589 rsbac_read_unlock(&device_list_lock, &dflags); 03590 #endif 03591 } 03592 result = TRUE; 03593 } 03594 } 03595 #endif 03596 break; 03597 03598 case ACT_fs: 03599 result = 03600 rsbac_list_lol_subexist_compare(process_fs_handle, 03601 &pid, &member, 03602 single_cap_compare); 03603 03604 #if defined(CONFIG_RSBAC_AUTH_LEARN) 03605 if (!result && (member <= RSBAC_AUTH_MAX_RANGE_UID) 03606 ) { 03607 union rsbac_target_id_t tid; 03608 union rsbac_attribute_value_t attr_val; 03609 rsbac_boolean_t learn; 03610 03611 learn = rsbac_auth_learn; 03612 if (!learn) { 03613 tid.process = pid; 03614 /* check learn on process */ 03615 if (!rsbac_get_attr 03616 (SW_AUTH, T_PROCESS, tid, A_auth_learn, 03617 &attr_val, FALSE)) 03618 learn = attr_val.auth_learn; 03619 } 03620 if (learn) { 03621 struct rsbac_auth_cap_range_t range; 03622 03623 rsbac_printk(KERN_INFO "rsbac_auth_p_capset_member(): adding AUTH fs capability for uid %u to process %u (%.15s)!\n", 03624 member, pid, current->comm); 03625 range.first = member; 03626 range.last = member; 03627 rsbac_list_lol_subadd(process_fs_handle, 03628 &pid, &range, NULL); 03629 03630 tid.process = pid; 03631 if (!rsbac_get_attr 03632 (SW_AUTH, T_PROCESS, tid, 03633 A_auth_program_file, &attr_val, 03634 FALSE)) { 03635 struct 03636 rsbac_auth_device_list_item_t 03637 *device_p; 03638 union rsbac_attribute_value_t 03639 attr_val2; 03640 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 03641 u_long dflags; 03642 #endif 03643 03644 if (!rsbac_get_attr 03645 (SW_AUTH, T_PROCESS, tid, 03646 A_auth_start_uid, &attr_val2, 03647 FALSE) 03648 && (range.first == 03649 attr_val2.auth_start_uid) 03650 ) { 03651 range.first = 03652 RSBAC_AUTH_OWNER_F_CAP; 03653 range.last = range.first; 03654 } else 03655 if (!rsbac_get_attr 03656 (SW_AUTH, T_PROCESS, tid, 03657 A_auth_start_euid, 03658 &attr_val2, FALSE) 03659 && (range.first == 03660 attr_val2. 03661 auth_start_euid) 03662 ) { 03663 range.first = 03664 RSBAC_AUTH_DAC_OWNER_F_CAP; 03665 range.last = range.first; 03666 } 03667 rsbac_printk(KERN_INFO "rsbac_auth_p_capset_member(): adding AUTH fs capability for uid %u to file %u on device %02u:%02u!\n", 03668 range.first, 03669 attr_val. 03670 auth_program_file. 03671 inode, 03672 MAJOR(attr_val. 03673 auth_program_file. 03674 device), 03675 MINOR(attr_val. 03676 auth_program_file. 03677 device)); 03678 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03679 rcu_read_lock(); 03680 #else 03681 rsbac_read_lock(&device_list_lock, &dflags); 03682 #endif 03683 device_p = 03684 lookup_device(attr_val. 03685 auth_program_file. 03686 device); 03687 if (device_p) { 03688 rsbac_list_lol_subadd 03689 (device_p->fs_handle, 03690 &attr_val. 03691 auth_program_file. 03692 inode, &range, NULL); 03693 } else { 03694 rsbac_printk(KERN_INFO "rsbac_auth_p_capset_member(): unknown device %02u:%02u!\n", 03695 MAJOR 03696 (attr_val. 03697 auth_program_file. 03698 device), 03699 MINOR 03700 (attr_val. 03701 auth_program_file. 03702 device)); 03703 } 03704 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03705 rcu_read_unlock(); 03706 #else 03707 rsbac_read_unlock(&device_list_lock, &dflags); 03708 #endif 03709 } 03710 result = TRUE; 03711 } 03712 } 03713 #endif 03714 break; 03715 #endif /* AUTH_DAC_OWNER */ 03716 03717 #ifdef CONFIG_RSBAC_AUTH_GROUP 03718 case ACT_group_real: 03719 result = 03720 rsbac_list_lol_subexist_compare(process_group_handle, 03721 &pid, &member, 03722 single_cap_compare); 03723 03724 #if defined(CONFIG_RSBAC_AUTH_LEARN) 03725 if (!result && (member <= RSBAC_AUTH_MAX_RANGE_UID) 03726 ) { 03727 union rsbac_target_id_t tid; 03728 union rsbac_attribute_value_t attr_val; 03729 rsbac_boolean_t learn; 03730 03731 learn = rsbac_auth_learn; 03732 if (!learn) { 03733 tid.process = pid; 03734 /* check learn on process */ 03735 if (!rsbac_get_attr 03736 (SW_AUTH, T_PROCESS, tid, A_auth_learn, 03737 &attr_val, FALSE)) 03738 learn = attr_val.auth_learn; 03739 } 03740 if (learn) { 03741 struct rsbac_auth_cap_range_t range; 03742 03743 rsbac_printk(KERN_INFO "rsbac_auth_p_capset_member(): adding AUTH group capability for gid %u to process %u (%.15s)!\n", 03744 member, pid, current->comm); 03745 range.first = member; 03746 range.last = member; 03747 rsbac_list_lol_subadd(process_group_handle, 03748 &pid, &range, NULL); 03749 03750 tid.process = pid; 03751 if (!rsbac_get_attr 03752 (SW_AUTH, T_PROCESS, tid, 03753 A_auth_program_file, &attr_val, 03754 FALSE)) { 03755 struct 03756 rsbac_auth_device_list_item_t 03757 *device_p; 03758 union rsbac_attribute_value_t 03759 attr_val2; 03760 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 03761 u_long dflags; 03762 #endif 03763 03764 if (!rsbac_get_attr 03765 (SW_AUTH, T_PROCESS, tid, 03766 A_auth_start_gid, &attr_val2, 03767 FALSE) 03768 && (range.first == 03769 attr_val2.auth_start_gid) 03770 ) { 03771 range.first = 03772 RSBAC_AUTH_GROUP_F_CAP; 03773 range.last = range.first; 03774 } 03775 rsbac_printk(KERN_INFO "rsbac_auth_p_capset_member(): adding AUTH group capability for gid %u to file %u on device %02u:%02u!\n", 03776 range.first, 03777 attr_val. 03778 auth_program_file. 03779 inode, 03780 MAJOR(attr_val. 03781 auth_program_file. 03782 device), 03783 MINOR(attr_val. 03784 auth_program_file. 03785 device)); 03786 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03787 rcu_read_lock(); 03788 #else 03789 rsbac_read_lock(&device_list_lock, &dflags); 03790 #endif 03791 device_p = 03792 lookup_device(attr_val. 03793 auth_program_file. 03794 device); 03795 if (device_p) { 03796 rsbac_list_lol_subadd 03797 (device_p->group_handle, 03798 &attr_val. 03799 auth_program_file. 03800 inode, &range, NULL); 03801 } else { 03802 rsbac_printk(KERN_INFO "rsbac_auth_p_capset_member(): unknown device %02u:%02u!\n", 03803 MAJOR 03804 (attr_val. 03805 auth_program_file. 03806 device), 03807 MINOR 03808 (attr_val. 03809 auth_program_file. 03810 device)); 03811 } 03812 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03813 rcu_read_unlock(); 03814 #else 03815 rsbac_read_unlock(&device_list_lock, &dflags); 03816 #endif 03817 } 03818 result = TRUE; 03819 } 03820 } 03821 #endif 03822 break; 03823 03824 #ifdef CONFIG_RSBAC_AUTH_DAC_GROUP 03825 case ACT_group_eff: 03826 result = 03827 rsbac_list_lol_subexist_compare 03828 (process_group_eff_handle, &pid, &member, 03829 single_cap_compare); 03830 03831 #if defined(CONFIG_RSBAC_AUTH_LEARN) 03832 if (!result && (member <= RSBAC_AUTH_MAX_RANGE_UID) 03833 ) { 03834 union rsbac_target_id_t tid; 03835 union rsbac_attribute_value_t attr_val; 03836 rsbac_boolean_t learn; 03837 03838 learn = rsbac_auth_learn; 03839 if (!learn) { 03840 tid.process = pid; 03841 /* check learn on process */ 03842 if (!rsbac_get_attr 03843 (SW_AUTH, T_PROCESS, tid, A_auth_learn, 03844 &attr_val, FALSE)) 03845 learn = attr_val.auth_learn; 03846 } 03847 if (learn) { 03848 struct rsbac_auth_cap_range_t range; 03849 03850 rsbac_printk(KERN_INFO "rsbac_auth_p_capset_member(): adding AUTH group eff capability for gid %u to process %u (%.15s)!\n", 03851 member, pid, current->comm); 03852 range.first = member; 03853 range.last = member; 03854 rsbac_list_lol_subadd 03855 (process_group_eff_handle, &pid, 03856 &range, NULL); 03857 03858 tid.process = pid; 03859 if (!rsbac_get_attr 03860 (SW_AUTH, T_PROCESS, tid, 03861 A_auth_program_file, &attr_val, 03862 FALSE)) { 03863 struct 03864 rsbac_auth_device_list_item_t 03865 *device_p; 03866 union rsbac_attribute_value_t 03867 attr_val2; 03868 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 03869 u_long dflags; 03870 #endif 03871 03872 if (!rsbac_get_attr 03873 (SW_AUTH, T_PROCESS, tid, 03874 A_auth_start_gid, &attr_val2, 03875 FALSE) 03876 && (range.first == 03877 attr_val2.auth_start_gid) 03878 ) { 03879 range.first = 03880 RSBAC_AUTH_GROUP_F_CAP; 03881 range.last = range.first; 03882 } else 03883 if (!rsbac_get_attr 03884 (SW_AUTH, T_PROCESS, tid, 03885 A_auth_start_egid, 03886 &attr_val2, FALSE) 03887 && (range.first == 03888 attr_val2. 03889 auth_start_egid) 03890 ) { 03891 range.first = 03892 RSBAC_AUTH_DAC_GROUP_F_CAP; 03893 range.last = range.first; 03894 } 03895 rsbac_printk(KERN_INFO "rsbac_auth_p_capset_member(): adding AUTH group eff capability for gid %u to file %u on device %02u:%02u!\n", 03896 range.first, 03897 attr_val. 03898 auth_program_file. 03899 inode, 03900 MAJOR(attr_val. 03901 auth_program_file. 03902 device), 03903 MINOR(attr_val. 03904 auth_program_file. 03905 device)); 03906 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03907 rcu_read_lock(); 03908 #else 03909 rsbac_read_lock(&device_list_lock, &dflags); 03910 #endif 03911 device_p = 03912 lookup_device(attr_val. 03913 auth_program_file. 03914 device); 03915 if (device_p) { 03916 rsbac_list_lol_subadd 03917 (device_p->group_eff_handle, 03918 &attr_val. 03919 auth_program_file. 03920 inode, &range, NULL); 03921 } else { 03922 rsbac_printk(KERN_INFO "rsbac_auth_p_capset_member(): unknown device %02u:%02u!\n", 03923 MAJOR 03924 (attr_val. 03925 auth_program_file. 03926 device), 03927 MINOR 03928 (attr_val. 03929 auth_program_file. 03930 device)); 03931 } 03932 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03933 rcu_read_unlock(); 03934 #else 03935 rsbac_read_unlock(&device_list_lock, &dflags); 03936 #endif 03937 } 03938 result = TRUE; 03939 } 03940 } 03941 #endif 03942 break; 03943 03944 case ACT_group_fs: 03945 result = 03946 rsbac_list_lol_subexist_compare 03947 (process_group_fs_handle, &pid, &member, 03948 single_cap_compare); 03949 03950 #if defined(CONFIG_RSBAC_AUTH_LEARN) 03951 if (!result && (member <= RSBAC_AUTH_MAX_RANGE_UID) 03952 ) { 03953 union rsbac_target_id_t tid; 03954 union rsbac_attribute_value_t attr_val; 03955 rsbac_boolean_t learn; 03956 03957 learn = rsbac_auth_learn; 03958 if (!learn) { 03959 tid.process = pid; 03960 /* check learn on process */ 03961 if (!rsbac_get_attr 03962 (SW_AUTH, T_PROCESS, tid, A_auth_learn, 03963 &attr_val, FALSE)) 03964 learn = attr_val.auth_learn; 03965 } 03966 if (learn) { 03967 struct rsbac_auth_cap_range_t range; 03968 03969 rsbac_printk(KERN_INFO "rsbac_auth_p_capset_member(): adding AUTH group fs capability for gid %u to process %u (%.15s)!\n", 03970 member, pid, current->comm); 03971 range.first = member; 03972 range.last = member; 03973 rsbac_list_lol_subadd 03974 (process_group_fs_handle, &pid, &range, 03975 NULL); 03976 03977 tid.process = pid; 03978 if (!rsbac_get_attr 03979 (SW_AUTH, T_PROCESS, tid, 03980 A_auth_program_file, &attr_val, 03981 FALSE)) { 03982 struct 03983 rsbac_auth_device_list_item_t 03984 *device_p; 03985 union rsbac_attribute_value_t 03986 attr_val2; 03987 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 03988 u_long dflags; 03989 #endif 03990 03991 if (!rsbac_get_attr 03992 (SW_AUTH, T_PROCESS, tid, 03993 A_auth_start_gid, &attr_val2, 03994 FALSE) 03995 && (range.first == 03996 attr_val2.auth_start_gid) 03997 ) { 03998 range.first = 03999 RSBAC_AUTH_GROUP_F_CAP; 04000 range.last = range.first; 04001 } else 04002 if (!rsbac_get_attr 04003 (SW_AUTH, T_PROCESS, tid, 04004 A_auth_start_egid, 04005 &attr_val2, FALSE) 04006 && (range.first == 04007 attr_val2. 04008 auth_start_egid) 04009 ) { 04010 range.first = 04011 RSBAC_AUTH_DAC_GROUP_F_CAP; 04012 range.last = range.first; 04013 } 04014 rsbac_printk(KERN_INFO "rsbac_auth_p_capset_member(): adding AUTH group fs capability for gid %u to file %u on device %02u:%02u!\n", 04015 range.first, 04016 attr_val. 04017 auth_program_file. 04018 inode, 04019 MAJOR(attr_val. 04020 auth_program_file. 04021 device), 04022 MINOR(attr_val. 04023 auth_program_file. 04024 device)); 04025 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 04026 rcu_read_lock(); 04027 #else 04028 rsbac_read_lock(&device_list_lock, &dflags); 04029 #endif 04030 device_p = 04031 lookup_device(attr_val. 04032 auth_program_file. 04033 device); 04034 if (device_p) { 04035 rsbac_list_lol_subadd 04036 (device_p->group_fs_handle, 04037 &attr_val. 04038 auth_program_file. 04039 inode, &range, NULL); 04040 } else { 04041 rsbac_printk(KERN_INFO "rsbac_auth_p_capset_member(): unknown device %02u:%02u!\n", 04042 MAJOR 04043 (attr_val. 04044 auth_program_file. 04045 device), 04046 MINOR 04047 (attr_val. 04048 auth_program_file. 04049 device)); 04050 } 04051 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 04052 rcu_read_unlock(); 04053 #else 04054 rsbac_read_unlock(&device_list_lock, &dflags); 04055 #endif 04056 } 04057 result = TRUE; 04058 } 04059 } 04060 #endif 04061 break; 04062 #endif /* AUTH_DAC_GROUP */ 04063 #endif /* AUTH_GROUP */ 04064 04065 default: 04066 return FALSE; 04067 } 04068 return result; 04069 }
int rsbac_auth_remove_f_capsets | ( | rsbac_auth_file_t | file | ) |
Definition at line 4095 of file auth_data_structures.c.
References ACT_eff, ACT_fs, ACT_group_eff, ACT_group_fs, ACT_group_real, ACT_real, and rsbac_auth_clear_f_capset().
Referenced by rsbac_adf_set_attr_auth(), and rsbac_ta_remove_target().
04096 { 04097 int err; 04098 04099 err = rsbac_auth_clear_f_capset(0, file, ACT_real); 04100 #ifdef CONFIG_RSBAC_AUTH_DAC_OWNER 04101 if (!err) 04102 err = rsbac_auth_clear_f_capset(0, file, ACT_eff); 04103 if (!err) 04104 err = rsbac_auth_clear_f_capset(0, file, ACT_fs); 04105 #endif 04106 #ifdef CONFIG_RSBAC_AUTH_GROUP 04107 err = rsbac_auth_clear_f_capset(0, file, ACT_group_real); 04108 #ifdef CONFIG_RSBAC_AUTH_DAC_GROUP 04109 if (!err) 04110 err = rsbac_auth_clear_f_capset(0, file, ACT_group_eff); 04111 if (!err) 04112 err = rsbac_auth_clear_f_capset(0, file, ACT_group_fs); 04113 #endif 04114 #endif /* AUTH_GROUP */ 04115 04116 return err; 04117 }
int rsbac_auth_remove_from_f_capset | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_auth_file_t | file, | |||
enum rsbac_auth_cap_type_t | cap_type, | |||
struct rsbac_auth_cap_range_t | cap_range | |||
) |
Definition at line 3104 of file auth_data_structures.c.
References ACT_eff, ACT_fs, ACT_group_eff, ACT_group_fs, ACT_group_real, ACT_real, device_list_lock, rsbac_auth_cap_range_t::first, rsbac_auth_device_list_item_t::handle, rsbac_auth_cap_range_t::last, lookup_device(), RSBAC_EINVALIDATTR, RSBAC_EINVALIDDEV, RSBAC_EINVALIDVALUE, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), rsbac_printk(), and rsbac_ta_list_lol_subremove().
Referenced by rsbac_auth_remove_f_cap().
03109 { 03110 int err = 0; 03111 struct rsbac_auth_device_list_item_t *device_p; 03112 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 03113 u_long dflags; 03114 #endif 03115 03116 if (!rsbac_is_initialized()) { 03117 rsbac_printk(KERN_WARNING "rsbac_auth_remove_from_f_capset(): RSBAC not initialized\n"); 03118 return (-RSBAC_ENOTINITIALIZED); 03119 } 03120 if (in_interrupt()) { 03121 rsbac_printk(KERN_WARNING "rsbac_auth_remove_from_f_capset(): called from interrupt!\n"); 03122 } 03123 if (cap_range.first > cap_range.last) 03124 return (-RSBAC_EINVALIDVALUE); 03125 03126 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03127 rcu_read_lock(); 03128 #else 03129 rsbac_read_lock(&device_list_lock, &dflags); 03130 #endif 03131 device_p = lookup_device(file.device); 03132 if (!device_p) { 03133 /* trigger rsbac_mount() */ 03134 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03135 rcu_read_unlock(); 03136 #else 03137 rsbac_read_unlock(&device_list_lock, &dflags); 03138 #endif 03139 rsbac_get_super_block(file.device); 03140 /* retry */ 03141 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03142 rcu_read_lock(); 03143 #else 03144 rsbac_read_lock(&device_list_lock, &dflags); 03145 #endif 03146 device_p = lookup_device(file.device); 03147 if (!device_p) { 03148 rsbac_printk(KERN_WARNING "rsbac_auth_remove_from_f_capset(): invalid device %02u:%02u!\n", 03149 RSBAC_MAJOR(file.device), 03150 RSBAC_MINOR(file.device)); 03151 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03152 rcu_read_unlock(); 03153 #else 03154 rsbac_read_unlock(&device_list_lock, &dflags); 03155 #endif 03156 return (-RSBAC_EINVALIDDEV); 03157 } 03158 } 03159 switch (cap_type) { 03160 case ACT_real: 03161 err = rsbac_ta_list_lol_subremove(ta_number, 03162 device_p->handle, 03163 &file.inode, &cap_range); 03164 break; 03165 #ifdef CONFIG_RSBAC_AUTH_DAC_OWNER 03166 case ACT_eff: 03167 err = rsbac_ta_list_lol_subremove(ta_number, 03168 device_p->eff_handle, 03169 &file.inode, &cap_range); 03170 break; 03171 case ACT_fs: 03172 err = rsbac_ta_list_lol_subremove(ta_number, 03173 device_p->fs_handle, 03174 &file.inode, &cap_range); 03175 break; 03176 #endif 03177 #ifdef CONFIG_RSBAC_AUTH_GROUP 03178 case ACT_group_real: 03179 err = rsbac_ta_list_lol_subremove(ta_number, 03180 device_p->group_handle, 03181 &file.inode, &cap_range); 03182 break; 03183 #ifdef CONFIG_RSBAC_AUTH_DAC_GROUP 03184 case ACT_group_eff: 03185 err = rsbac_ta_list_lol_subremove(ta_number, 03186 device_p->group_eff_handle, 03187 &file.inode, &cap_range); 03188 break; 03189 case ACT_group_fs: 03190 err = rsbac_ta_list_lol_subremove(ta_number, 03191 device_p->group_fs_handle, 03192 &file.inode, &cap_range); 03193 break; 03194 #endif 03195 #endif /* AUTH_GROUP */ 03196 03197 default: 03198 err = -RSBAC_EINVALIDATTR; 03199 } 03200 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03201 rcu_read_unlock(); 03202 #else 03203 rsbac_read_unlock(&device_list_lock, &dflags); 03204 #endif 03205 return (err); 03206 }
int rsbac_auth_remove_from_p_capset | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_pid_t | pid, | |||
enum rsbac_auth_cap_type_t | cap_type, | |||
struct rsbac_auth_cap_range_t | cap_range | |||
) |
Definition at line 3052 of file auth_data_structures.c.
References ACT_eff, ACT_fs, ACT_group_eff, ACT_group_fs, ACT_group_real, ACT_real, rsbac_auth_cap_range_t::first, rsbac_auth_cap_range_t::last, process_handle, RSBAC_EINVALIDATTR, RSBAC_EINVALIDVALUE, RSBAC_ENOTINITIALIZED, rsbac_is_initialized(), rsbac_printk(), and rsbac_ta_list_lol_subremove().
Referenced by rsbac_auth_remove_p_cap(), and rsbac_replace_auth_cap().
03057 { 03058 if (!rsbac_is_initialized()) { 03059 rsbac_printk(KERN_WARNING "rsbac_auth_remove_from_p_capset(): RSBAC not initialized\n"); 03060 return (-RSBAC_ENOTINITIALIZED); 03061 } 03062 if (in_interrupt()) { 03063 rsbac_printk(KERN_WARNING "rsbac_auth_remove_from_p_capset(): called from interrupt!\n"); 03064 } 03065 if (cap_range.first > cap_range.last) 03066 return (-RSBAC_EINVALIDVALUE); 03067 switch (cap_type) { 03068 case ACT_real: 03069 return rsbac_ta_list_lol_subremove(ta_number, 03070 process_handle, &pid, 03071 &cap_range); 03072 #ifdef CONFIG_RSBAC_AUTH_DAC_OWNER 03073 case ACT_eff: 03074 return rsbac_ta_list_lol_subremove(ta_number, 03075 process_eff_handle, 03076 &pid, &cap_range); 03077 case ACT_fs: 03078 return rsbac_ta_list_lol_subremove(ta_number, 03079 process_fs_handle, &pid, 03080 &cap_range); 03081 #endif 03082 #ifdef CONFIG_RSBAC_AUTH_GROUP 03083 case ACT_group_real: 03084 return rsbac_ta_list_lol_subremove(ta_number, 03085 process_group_handle, 03086 &pid, &cap_range); 03087 #ifdef CONFIG_RSBAC_AUTH_DAC_GROUP 03088 case ACT_group_eff: 03089 return rsbac_ta_list_lol_subremove(ta_number, 03090 process_group_eff_handle, 03091 &pid, &cap_range); 03092 case ACT_group_fs: 03093 return rsbac_ta_list_lol_subremove(ta_number, 03094 process_group_fs_handle, 03095 &pid, &cap_range); 03096 #endif 03097 #endif /* AUTH_GROUP */ 03098 03099 default: 03100 return -RSBAC_EINVALIDATTR; 03101 } 03102 }
int rsbac_auth_remove_p_capsets | ( | rsbac_pid_t | pid | ) |
Definition at line 4075 of file auth_data_structures.c.
References ACT_eff, ACT_fs, ACT_group_eff, ACT_group_fs, ACT_group_real, ACT_real, and rsbac_auth_clear_p_capset().
Referenced by rsbac_ta_remove_target().
04076 { 04077 int err; 04078 04079 err = rsbac_auth_clear_p_capset(0, pid, ACT_real); 04080 #ifdef CONFIG_RSBAC_AUTH_DAC_OWNER 04081 err = rsbac_auth_clear_p_capset(0, pid, ACT_eff); 04082 err = rsbac_auth_clear_p_capset(0, pid, ACT_fs); 04083 #endif 04084 #ifdef CONFIG_RSBAC_AUTH_GROUP 04085 err = rsbac_auth_clear_p_capset(0, pid, ACT_group_real); 04086 #ifdef CONFIG_RSBAC_AUTH_DAC_GROUP 04087 err = rsbac_auth_clear_p_capset(0, pid, ACT_group_eff); 04088 err = rsbac_auth_clear_p_capset(0, pid, ACT_group_fs); 04089 #endif 04090 #endif /* AUTH_GROUP */ 04091 04092 return err; 04093 }
int rsbac_check_auth | ( | int | correct, | |
int | check_inode | |||
) |
int rsbac_init_auth | ( | void | ) |
Definition at line 2395 of file auth_data_structures.c.
References add_device_item(), auth_register_fd_lists(), cap_compare(), create_device_item(), rsbac_list_lol_info_t::data_size, rsbac_list_lol_info_t::desc_size, device_list_head_p, device_list_lock, get_error_name(), rsbac_list_lol_info_t::key, rsbac_list_lol_info_t::max_age, NULL, proc_rsbac_root_p, process_handle, RSBAC_AUTH_LIST_KEY, RSBAC_AUTH_P_EFF_LIST_NAME, RSBAC_AUTH_P_FS_LIST_NAME, RSBAC_AUTH_P_GROUP_EFF_LIST_NAME, RSBAC_AUTH_P_GROUP_FS_LIST_NAME, RSBAC_AUTH_P_GROUP_LIST_NAME, RSBAC_AUTH_P_LIST_NAME, RSBAC_AUTH_P_LIST_VERSION, RSBAC_ECOULDNOTADDDEVICE, RSBAC_EREINIT, rsbac_is_initialized(), rsbac_kfree(), rsbac_kmalloc(), RSBAC_LIST_AUTO_HASH_RESIZE, RSBAC_LIST_DEF_DATA, rsbac_list_hash_pid(), rsbac_list_lol_register_hashed(), RSBAC_LIST_MIN_MAX_HASHES, RSBAC_LIST_VERSION, RSBAC_MAXNAMELEN, rsbac_pr_debug, rsbac_printk(), rsbac_root_dev, rsbac_list_lol_info_t::subdata_size, rsbac_list_lol_info_t::subdesc_size, and rsbac_list_lol_info_t::version.
Referenced by rsbac_do_init().
02397 { 02398 int err = 0; 02399 struct rsbac_auth_device_list_item_t *device_p = NULL; 02400 struct proc_dir_entry *tmp_entry_p; 02401 struct rsbac_list_lol_info_t lol_info; 02402 02403 if (rsbac_is_initialized()) { 02404 rsbac_printk(KERN_WARNING "rsbac_init_auth(): RSBAC already initialized\n"); 02405 return (-RSBAC_EREINIT); 02406 } 02407 02408 rsbac_printk(KERN_INFO "rsbac_init_auth(): Initializing RSBAC: AUTH subsystem\n"); 02409 02410 lol_info.version = RSBAC_AUTH_P_LIST_VERSION; 02411 lol_info.key = RSBAC_AUTH_LIST_KEY; 02412 lol_info.desc_size = sizeof(rsbac_pid_t); 02413 lol_info.data_size = 0; 02414 lol_info.subdesc_size = sizeof(struct rsbac_auth_cap_range_t); 02415 lol_info.subdata_size = 0; 02416 lol_info.max_age = 0; 02417 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION, 02418 &process_handle, 02419 &lol_info, 02420 RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE, 02421 NULL, 02422 cap_compare, 02423 NULL, 02424 NULL, 02425 NULL, 02426 NULL, 02427 RSBAC_AUTH_P_LIST_NAME, 02428 RSBAC_AUTO_DEV, 02429 RSBAC_LIST_MIN_MAX_HASHES, 02430 rsbac_list_hash_pid, 02431 NULL); 02432 if (err) { 02433 char *tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 02434 02435 if (tmp) { 02436 rsbac_printk(KERN_WARNING "rsbac_init_auth(): Registering AUTH process cap list failed with error %s\n", 02437 get_error_name(tmp, err)); 02438 rsbac_kfree(tmp); 02439 } 02440 } 02441 #ifdef CONFIG_RSBAC_AUTH_DAC_OWNER 02442 lol_info.version = RSBAC_AUTH_P_LIST_VERSION; 02443 lol_info.key = RSBAC_AUTH_LIST_KEY; 02444 lol_info.desc_size = sizeof(rsbac_pid_t); 02445 lol_info.data_size = 0; 02446 lol_info.subdesc_size = sizeof(struct rsbac_auth_cap_range_t); 02447 lol_info.subdata_size = 0; 02448 lol_info.max_age = 0; 02449 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION, 02450 &process_eff_handle, 02451 &lol_info, 02452 RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE, 02453 NULL, 02454 cap_compare, 02455 NULL, 02456 NULL, 02457 NULL, 02458 NULL, 02459 RSBAC_AUTH_P_EFF_LIST_NAME, 02460 RSBAC_AUTO_DEV, 02461 RSBAC_LIST_MIN_MAX_HASHES, 02462 rsbac_list_hash_pid, 02463 NULL); 02464 if (err) { 02465 char *tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 02466 02467 if (tmp) { 02468 rsbac_printk(KERN_WARNING "rsbac_init_auth(): Registering AUTH process eff cap list failed with error %s\n", 02469 get_error_name(tmp, err)); 02470 rsbac_kfree(tmp); 02471 } 02472 } 02473 lol_info.version = RSBAC_AUTH_P_LIST_VERSION; 02474 lol_info.key = RSBAC_AUTH_LIST_KEY; 02475 lol_info.desc_size = sizeof(rsbac_pid_t); 02476 lol_info.data_size = 0; 02477 lol_info.subdesc_size = sizeof(struct rsbac_auth_cap_range_t); 02478 lol_info.subdata_size = 0; 02479 lol_info.max_age = 0; 02480 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION, 02481 &process_fs_handle, 02482 &lol_info, 02483 RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE, 02484 NULL, 02485 cap_compare, 02486 NULL, 02487 NULL, 02488 NULL, 02489 NULL, 02490 RSBAC_AUTH_P_FS_LIST_NAME, 02491 RSBAC_AUTO_DEV, 02492 RSBAC_LIST_MIN_MAX_HASHES, 02493 rsbac_list_hash_pid, 02494 NULL); 02495 if (err) { 02496 char *tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 02497 02498 if (tmp) { 02499 rsbac_printk(KERN_WARNING "rsbac_init_auth(): Registering AUTH process fs cap list failed with error %s\n", 02500 get_error_name(tmp, err)); 02501 rsbac_kfree(tmp); 02502 } 02503 } 02504 #endif 02505 02506 #ifdef CONFIG_RSBAC_AUTH_GROUP 02507 lol_info.version = RSBAC_AUTH_P_LIST_VERSION; 02508 lol_info.key = RSBAC_AUTH_LIST_KEY; 02509 lol_info.desc_size = sizeof(rsbac_pid_t); 02510 lol_info.data_size = 0; 02511 lol_info.subdesc_size = sizeof(struct rsbac_auth_cap_range_t); 02512 lol_info.subdata_size = 0; 02513 lol_info.max_age = 0; 02514 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION, 02515 &process_group_handle, 02516 &lol_info, 02517 RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE, 02518 NULL, 02519 cap_compare, 02520 NULL, 02521 NULL, 02522 NULL, 02523 NULL, 02524 RSBAC_AUTH_P_GROUP_LIST_NAME, 02525 RSBAC_AUTO_DEV, 02526 RSBAC_LIST_MIN_MAX_HASHES, 02527 rsbac_list_hash_pid, 02528 NULL); 02529 if (err) { 02530 char *tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 02531 02532 if (tmp) { 02533 rsbac_printk(KERN_WARNING "rsbac_init_auth(): Registering AUTH process group cap list failed with error %s\n", 02534 get_error_name(tmp, err)); 02535 rsbac_kfree(tmp); 02536 } 02537 } 02538 #ifdef CONFIG_RSBAC_AUTH_DAC_GROUP 02539 lol_info.version = RSBAC_AUTH_P_LIST_VERSION; 02540 lol_info.key = RSBAC_AUTH_LIST_KEY; 02541 lol_info.desc_size = sizeof(rsbac_pid_t); 02542 lol_info.data_size = 0; 02543 lol_info.subdesc_size = sizeof(struct rsbac_auth_cap_range_t); 02544 lol_info.subdata_size = 0; 02545 lol_info.max_age = 0; 02546 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION, 02547 &process_group_eff_handle, 02548 &lol_info, 02549 RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE, 02550 NULL, 02551 cap_compare, 02552 NULL, 02553 NULL, 02554 NULL, 02555 NULL, 02556 RSBAC_AUTH_P_GROUP_EFF_LIST_NAME, 02557 RSBAC_AUTO_DEV, 02558 RSBAC_LIST_MIN_MAX_HASHES, 02559 rsbac_list_hash_pid, 02560 NULL); 02561 if (err) { 02562 char *tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 02563 02564 if (tmp) { 02565 rsbac_printk(KERN_WARNING "rsbac_init_auth(): Registering AUTH process group eff cap list failed with error %s\n", 02566 get_error_name(tmp, err)); 02567 rsbac_kfree(tmp); 02568 } 02569 } 02570 lol_info.version = RSBAC_AUTH_P_LIST_VERSION; 02571 lol_info.key = RSBAC_AUTH_LIST_KEY; 02572 lol_info.desc_size = sizeof(rsbac_pid_t); 02573 lol_info.data_size = 0; 02574 lol_info.subdesc_size = sizeof(struct rsbac_auth_cap_range_t); 02575 lol_info.subdata_size = 0; 02576 lol_info.max_age = 0; 02577 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION, 02578 &process_group_fs_handle, 02579 &lol_info, 02580 RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE, 02581 NULL, 02582 cap_compare, 02583 NULL, 02584 NULL, 02585 NULL, 02586 NULL, 02587 RSBAC_AUTH_P_GROUP_FS_LIST_NAME, 02588 RSBAC_AUTO_DEV, 02589 RSBAC_LIST_MIN_MAX_HASHES, 02590 rsbac_list_hash_pid, 02591 NULL); 02592 if (err) { 02593 char *tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 02594 02595 if (tmp) { 02596 rsbac_printk(KERN_WARNING "rsbac_init_auth(): Registering AUTH process group fs cap list failed with error %s\n", 02597 get_error_name(tmp, err)); 02598 rsbac_kfree(tmp); 02599 } 02600 } 02601 #endif 02602 #endif /* AUTH_GROUP */ 02603 02604 /* Init FD lists */ 02605 device_list_head_p = kmalloc(sizeof(*device_list_head_p), GFP_KERNEL); 02606 if (!device_list_head_p) { 02607 rsbac_printk(KERN_WARNING 02608 "rsbac_init_auth(): Failed to allocate device_list_head\n"); 02609 return -ENOMEM; 02610 } 02611 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 02612 spin_lock_init(&device_list_lock); 02613 #else 02614 rwlock_init(&device_list_lock); 02615 #endif 02616 device_list_head_p->head = NULL; 02617 device_list_head_p->tail = NULL; 02618 device_list_head_p->curr = NULL; 02619 device_list_head_p->count = 0; 02620 02621 /* read all data */ 02622 rsbac_pr_debug(ds_auth, "rsbac_init_auth(): Registering FD lists\n"); 02623 device_p = create_device_item(rsbac_root_dev); 02624 if (!device_p) { 02625 rsbac_printk(KERN_CRIT 02626 "rsbac_init_auth(): Could not add device!\n"); 02627 return (-RSBAC_ECOULDNOTADDDEVICE); 02628 } 02629 if ((err = auth_register_fd_lists(device_p, rsbac_root_dev))) { 02630 char tmp[RSBAC_MAXNAMELEN]; 02631 02632 rsbac_printk(KERN_WARNING "rsbac_init_auth(): File/Dir cap set registration failed for dev %02u:%02u, err %s!\n", 02633 RSBAC_MAJOR(rsbac_root_dev), 02634 RSBAC_MINOR(rsbac_root_dev), 02635 get_error_name(tmp, err)); 02636 } 02637 device_p = add_device_item(device_p); 02638 if (!device_p) { 02639 rsbac_printk(KERN_CRIT 02640 "rsbac_init_auth(): Could not add device!\n"); 02641 return (-RSBAC_ECOULDNOTADDDEVICE); 02642 } 02643 #if defined(CONFIG_RSBAC_PROC) && defined(CONFIG_PROC_FS) 02644 tmp_entry_p = create_proc_entry("auth_devices", 02645 S_IFREG | S_IRUGO, 02646 proc_rsbac_root_p); 02647 if (tmp_entry_p) { 02648 tmp_entry_p->get_info = auth_devices_proc_info; 02649 } 02650 tmp_entry_p = create_proc_entry("stats_auth", 02651 S_IFREG | S_IRUGO, 02652 proc_rsbac_root_p); 02653 if (tmp_entry_p) { 02654 tmp_entry_p->get_info = stats_auth_proc_info; 02655 } 02656 tmp_entry_p = create_proc_entry("auth_caplist", 02657 S_IFREG | S_IRUGO, 02658 proc_rsbac_root_p); 02659 if (tmp_entry_p) { 02660 tmp_entry_p->get_info = auth_caplist_proc_info; 02661 } 02662 #endif 02663 02664 rsbac_pr_debug(ds_auth, "Ready.\n"); 02665 return (err); 02666 }
int rsbac_mount_auth | ( | kdev_t | kdev | ) |
Definition at line 2668 of file auth_data_structures.c.
References add_device_item(), auth_register_fd_lists(), clear_device_item(), create_device_item(), device_list_lock, get_error_name(), lookup_device(), rsbac_auth_device_list_item_t::mount_count, RSBAC_ECOULDNOTADDDEVICE, RSBAC_ENOTINITIALIZED, rsbac_is_initialized(), RSBAC_MAXNAMELEN, rsbac_pr_debug, and rsbac_printk().
Referenced by rsbac_mount().
02669 { 02670 int err = 0; 02671 struct rsbac_auth_device_list_item_t *device_p; 02672 struct rsbac_auth_device_list_item_t *new_device_p; 02673 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 02674 u_long dflags; 02675 #endif 02676 02677 if (!rsbac_is_initialized()) { 02678 rsbac_printk(KERN_WARNING "rsbac_mount_auth(): RSBAC not initialized\n"); 02679 return (-RSBAC_ENOTINITIALIZED); 02680 } 02681 rsbac_pr_debug(ds_auth, "mounting device %02u:%02u\n", 02682 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 02683 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 02684 rcu_read_lock(); 02685 #else 02686 rsbac_read_lock(&device_list_lock, &dflags); 02687 #endif 02688 device_p = lookup_device(kdev); 02689 /* repeated mount? */ 02690 if (device_p) { 02691 rsbac_printk(KERN_WARNING "rsbac_mount_auth: repeated mount %u of device %02u:%02u\n", 02692 device_p->mount_count, RSBAC_MAJOR(kdev), 02693 RSBAC_MINOR(kdev)); 02694 device_p->mount_count++; 02695 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 02696 rcu_read_unlock(); 02697 #else 02698 rsbac_read_unlock(&device_list_lock, &dflags); 02699 #endif 02700 return 0; 02701 } 02702 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 02703 rcu_read_unlock(); 02704 #else 02705 rsbac_read_unlock(&device_list_lock, &dflags); 02706 #endif 02707 02708 new_device_p = create_device_item(kdev); 02709 if (!new_device_p) 02710 return -RSBAC_ECOULDNOTADDDEVICE; 02711 02712 /* register lists */ 02713 if ((err = auth_register_fd_lists(new_device_p, kdev))) { 02714 char tmp[RSBAC_MAXNAMELEN]; 02715 02716 rsbac_printk(KERN_WARNING "rsbac_mount_auth(): File/Dir ACL registration failed for dev %02u:%02u, err %s!\n", 02717 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev), 02718 get_error_name(tmp, err)); 02719 } 02720 02721 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 02722 rcu_read_lock(); 02723 #else 02724 rsbac_read_lock(&device_list_lock, &dflags); 02725 #endif 02726 /* make sure to only add, if this device item has not been added in the meantime */ 02727 device_p = lookup_device(kdev); 02728 if (device_p) { 02729 rsbac_printk(KERN_WARNING "rsbac_mount_auth(): mount race for device %02u:%02u detected!\n", 02730 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 02731 device_p->mount_count++; 02732 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 02733 rcu_read_unlock(); 02734 #else 02735 rsbac_read_unlock(&device_list_lock, &dflags); 02736 #endif 02737 clear_device_item(new_device_p); 02738 } else { 02739 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 02740 rcu_read_unlock(); 02741 #else 02742 rsbac_read_unlock(&device_list_lock, &dflags); 02743 #endif 02744 device_p = add_device_item(new_device_p); 02745 if (!device_p) { 02746 rsbac_printk(KERN_WARNING "rsbac_mount_auth: adding device %02u:%02u failed!\n", 02747 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 02748 clear_device_item(new_device_p); 02749 err = -RSBAC_ECOULDNOTADDDEVICE; 02750 } 02751 } 02752 return err; 02753 }
int rsbac_stats_auth | ( | void | ) |
Definition at line 2808 of file auth_data_structures.c.
References A_none, device_list_head_p, device_list_lock, rsbac_attribute_value_t::dummy, rsbac_auth_device_list_item_t::handle, rsbac_auth_device_list_item_t::id, rsbac_auth_device_list_item_t::next, process_handle, R_GET_STATUS_DATA, rsbac_adf_request(), RSBAC_ENOTINITIALIZED, rsbac_is_initialized(), rsbac_list_lol_all_subcount(), rsbac_list_lol_count(), rsbac_pr_debug, rsbac_printk(), rsbac_target_id_t::scd, ST_rsbac, and T_SCD.
Referenced by rsbac_stats().
02809 { 02810 u_int cap_set_count = 0; 02811 u_int member_count = 0; 02812 struct rsbac_auth_device_list_item_t *device_p; 02813 union rsbac_target_id_t rsbac_target_id; 02814 union rsbac_attribute_value_t rsbac_attribute_value; 02815 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 02816 u_long dflags; 02817 #endif 02818 02819 if (!rsbac_is_initialized()) { 02820 rsbac_printk(KERN_WARNING "rsbac_stats_auth(): RSBAC not initialized\n"); 02821 return (-RSBAC_ENOTINITIALIZED); 02822 } 02823 rsbac_pr_debug(aef_auth, "calling ADF\n"); 02824 rsbac_target_id.scd = ST_rsbac; 02825 rsbac_attribute_value.dummy = 0; 02826 if (!rsbac_adf_request(R_GET_STATUS_DATA, 02827 current->pid, 02828 T_SCD, 02829 rsbac_target_id, 02830 A_none, rsbac_attribute_value)) { 02831 return -EPERM; 02832 } 02833 02834 rsbac_printk(KERN_INFO "AUTH Status\n-----------\n"); 02835 02836 rsbac_printk(KERN_INFO "%lu process cap set items, sum of %lu members\n", 02837 rsbac_list_lol_count(process_handle), 02838 rsbac_list_lol_all_subcount(process_handle)); 02839 02840 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 02841 rcu_read_lock(); 02842 #else 02843 rsbac_read_lock(&device_list_lock, &dflags); 02844 #endif 02845 device_p = rcu_dereference(device_list_head_p)->head; 02846 while (device_p) { 02847 /* reset counters */ 02848 cap_set_count = rsbac_list_lol_count(device_p->handle); 02849 member_count = rsbac_list_lol_all_subcount(device_p->handle); 02850 rsbac_printk(KERN_INFO "device %02u:%02u has %u file cap set items, sum of %u members\n", 02851 RSBAC_MAJOR(device_p->id), 02852 RSBAC_MINOR(device_p->id), cap_set_count, 02853 member_count); 02854 device_p = device_p->next; 02855 } 02856 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 02857 rcu_read_unlock(); 02858 #else 02859 rsbac_read_unlock(&device_list_lock, &dflags); 02860 #endif 02861 return 0; 02862 }
int rsbac_umount_auth | ( | kdev_t | kdev | ) |
Definition at line 2757 of file auth_data_structures.c.
References device_list_lock, lookup_device(), rsbac_auth_device_list_item_t::mount_count, remove_device_item(), RSBAC_ENOTINITIALIZED, rsbac_is_initialized(), rsbac_pr_debug, and rsbac_printk().
Referenced by rsbac_umount().
02758 { 02759 struct rsbac_auth_device_list_item_t *device_p; 02760 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 02761 u_long flags; 02762 #endif 02763 02764 if (!rsbac_is_initialized()) { 02765 rsbac_printk(KERN_WARNING "rsbac_umount(): RSBAC not initialized\n"); 02766 return (-RSBAC_ENOTINITIALIZED); 02767 } 02768 rsbac_pr_debug(ds_auth, "umounting device %02u:%02u\n", 02769 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 02770 /* sync of attribute lists was done in rsbac_umount */ 02771 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 02772 spin_lock(&device_list_lock); 02773 #else 02774 rsbac_write_lock(&device_list_lock, &flags); 02775 #endif 02776 device_p = lookup_device(kdev); 02777 if (device_p) { 02778 if (device_p->mount_count == 1) 02779 remove_device_item(kdev); 02780 else { 02781 if (device_p->mount_count > 1) { 02782 device_p->mount_count--; 02783 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 02784 spin_unlock(&device_list_lock); 02785 #endif 02786 } else { 02787 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 02788 spin_unlock(&device_list_lock); 02789 #endif 02790 rsbac_printk(KERN_WARNING "rsbac_mount_auth: device %02u:%02u has mount_count < 1!\n", 02791 RSBAC_MAJOR(kdev), 02792 RSBAC_MINOR(kdev)); 02793 } 02794 } 02795 } 02796 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 02797 else 02798 spin_unlock(&device_list_lock); 02799 #else 02800 rsbac_write_unlock(&device_list_lock, &flags); 02801 #endif 02802 return 0; 02803 }