#include <linux/string.h>
#include <rsbac/types.h>
#include <rsbac/aci.h>
#include <rsbac/adf_main.h>
#include <rsbac/error.h>
#include <rsbac/helpers.h>
#include <rsbac/getname.h>
#include <rsbac/debug.h>
Go to the source code of this file.
Functions | |
enum rsbac_adf_req_ret_t | rsbac_adf_request_cap (enum rsbac_adf_request_t request, rsbac_pid_t caller_pid, enum rsbac_target_t target, union rsbac_target_id_t tid, enum rsbac_attribute_t attr, union rsbac_attribute_value_t attr_val, rsbac_uid_t owner) |
int | rsbac_adf_set_attr_cap (enum rsbac_adf_request_t request, rsbac_pid_t caller_pid, enum rsbac_target_t target, union rsbac_target_id_t tid, enum rsbac_target_t new_target, union rsbac_target_id_t new_tid, enum rsbac_attribute_t attr, union rsbac_attribute_value_t attr_val, rsbac_uid_t owner) |
enum rsbac_adf_req_ret_t rsbac_adf_request_cap | ( | enum rsbac_adf_request_t | request, | |
rsbac_pid_t | caller_pid, | |||
enum rsbac_target_t | target, | |||
union rsbac_target_id_t | tid, | |||
enum rsbac_attribute_t | attr, | |||
union rsbac_attribute_value_t | attr_val, | |||
rsbac_uid_t | owner | |||
) | [inline] |
Definition at line 34 of file cap_main.c.
References A_auth_learn, A_auth_may_set_cap, A_auth_may_setuid, A_cap_process_hiding, A_cap_role, A_max_caps, A_max_caps_program, A_max_caps_user, A_min_caps, A_none, A_system_role, rsbac_attribute_value_t::cap_process_hiding, DO_NOT_CARE, GRANTED, NOT_GRANTED, PH_from_other_users, PH_full, rsbac_target_id_t::process, R_CHANGE_GROUP, R_GET_STATUS_DATA, R_MODIFY_ATTRIBUTE, R_MODIFY_SYSTEM_DATA, R_READ_ATTRIBUTE, R_SEND_SIGNAL, R_SWITCH_LOG, R_SWITCH_MODULE, R_TRACE, rsbac_get_attr, SR_administrator, SR_security_officer, SW_AUTH, SW_CAP, SW_FREEZE, SW_SOFTMODE, rsbac_attribute_value_t::system_role, T_NONE, T_PROCESS, T_USER, TRUE, UNDEFINED, and rsbac_target_id_t::user.
Referenced by rsbac_adf_request_int().
00041 { 00042 union rsbac_target_id_t i_tid; 00043 union rsbac_attribute_value_t i_attr_val1; 00044 00045 switch (request) 00046 { 00047 case R_MODIFY_ATTRIBUTE: 00048 switch(attr) 00049 { 00050 case A_system_role: 00051 case A_cap_role: 00052 case A_min_caps: 00053 case A_max_caps: 00054 case A_max_caps_user: 00055 case A_max_caps_program: 00056 case A_cap_process_hiding: 00057 #ifdef CONFIG_RSBAC_CAP_AUTH_PROT 00058 case A_auth_may_setuid: 00059 case A_auth_may_set_cap: 00060 case A_auth_start_uid: 00061 case A_auth_start_euid: 00062 case A_auth_start_gid: 00063 case A_auth_start_egid: 00064 case A_auth_program_file: 00065 case A_auth_learn: 00066 case A_auth_add_f_cap: 00067 case A_auth_remove_f_cap: 00068 #endif 00069 /* All attributes (remove target!) */ 00070 case A_none: 00071 /* Security Officer? */ 00072 i_tid.user = owner; 00073 if (rsbac_get_attr(SW_CAP, 00074 T_USER, 00075 i_tid, 00076 A_cap_role, 00077 &i_attr_val1, 00078 TRUE)) 00079 { 00080 rsbac_ds_get_error("rsbac_adf_request_cap()", A_cap_role); 00081 return(NOT_GRANTED); 00082 } 00083 /* if sec_officer, then grant */ 00084 if (i_attr_val1.system_role == SR_security_officer) 00085 return(GRANTED); 00086 else 00087 return(NOT_GRANTED); 00088 00089 default: 00090 return(DO_NOT_CARE); 00091 } 00092 00093 case R_READ_ATTRIBUTE: 00094 switch(attr) 00095 { 00096 case A_system_role: 00097 case A_cap_role: 00098 case A_min_caps: 00099 case A_max_caps: 00100 case A_max_caps_user: 00101 case A_max_caps_program: 00102 case A_cap_process_hiding: 00103 /* All attributes (remove target!) */ 00104 case A_none: 00105 /* Security Officer or Admin? */ 00106 i_tid.user = owner; 00107 if (rsbac_get_attr(SW_CAP, 00108 T_USER, 00109 i_tid, 00110 A_cap_role, 00111 &i_attr_val1, 00112 TRUE)) 00113 { 00114 rsbac_ds_get_error("rsbac_adf_request_cap()", A_cap_role); 00115 return(NOT_GRANTED); 00116 } 00117 /* if sec_officer, then grant */ 00118 if( (i_attr_val1.system_role == SR_security_officer) 00119 || (i_attr_val1.system_role == SR_administrator) 00120 ) 00121 return(GRANTED); 00122 else 00123 return(NOT_GRANTED); 00124 00125 default: 00126 return(DO_NOT_CARE); 00127 } 00128 00129 case R_SWITCH_LOG: 00130 switch(target) 00131 { 00132 case T_NONE: 00133 /* test owner's cap_role */ 00134 i_tid.user = owner; 00135 if (rsbac_get_attr(SW_CAP, 00136 T_USER, 00137 i_tid, 00138 A_cap_role, 00139 &i_attr_val1, 00140 TRUE)) 00141 { 00142 rsbac_ds_get_error("rsbac_adf_request_cap()", A_cap_role); 00143 return(NOT_GRANTED); 00144 } 00145 /* security officer? -> grant */ 00146 if (i_attr_val1.system_role == SR_security_officer) 00147 return(GRANTED); 00148 else 00149 return(NOT_GRANTED); 00150 00151 /* all other cases are unknown */ 00152 default: return(DO_NOT_CARE); 00153 } 00154 00155 case R_SWITCH_MODULE: 00156 switch(target) 00157 { 00158 case T_NONE: 00159 /* we need the switch_target */ 00160 if(attr != A_switch_target) 00161 return(UNDEFINED); 00162 /* do not care for other modules */ 00163 if( (attr_val.switch_target != SW_CAP) 00164 #ifdef CONFIG_RSBAC_CAP_AUTH_PROT 00165 && (attr_val.switch_target != SW_AUTH) 00166 #endif 00167 #ifdef CONFIG_RSBAC_SOFTMODE 00168 && (attr_val.switch_target != SW_SOFTMODE) 00169 #endif 00170 #ifdef CONFIG_RSBAC_FREEZE 00171 && (attr_val.switch_target != SW_FREEZE) 00172 #endif 00173 ) 00174 return(DO_NOT_CARE); 00175 /* test owner's cap_role */ 00176 i_tid.user = owner; 00177 if (rsbac_get_attr(SW_CAP, 00178 T_USER, 00179 i_tid, 00180 A_cap_role, 00181 &i_attr_val1, 00182 TRUE)) 00183 { 00184 rsbac_ds_get_error("rsbac_adf_request_cap()", A_cap_role); 00185 return(NOT_GRANTED); 00186 } 00187 /* security officer? -> grant */ 00188 if (i_attr_val1.system_role == SR_security_officer) 00189 return(GRANTED); 00190 else 00191 return(NOT_GRANTED); 00192 00193 /* all other cases are unknown */ 00194 default: return(DO_NOT_CARE); 00195 } 00196 00197 #ifdef CONFIG_RSBAC_CAP_PROC_HIDE 00198 case R_CHANGE_GROUP: 00199 case R_GET_STATUS_DATA: 00200 case R_MODIFY_SYSTEM_DATA: 00201 case R_SEND_SIGNAL: 00202 case R_TRACE: 00203 switch(target) 00204 { 00205 case T_PROCESS: 00206 if(caller_pid == tid.process) 00207 return GRANTED; 00208 if (rsbac_get_attr(SW_CAP, 00209 target, 00210 tid, 00211 A_cap_process_hiding, 00212 &i_attr_val1, 00213 TRUE)) 00214 { 00215 rsbac_ds_get_error("rsbac_adf_request_cap()", A_cap_process_hiding); 00216 return(NOT_GRANTED); /* something weird happened */ 00217 } 00218 switch(i_attr_val1.cap_process_hiding) 00219 { 00220 case PH_full: 00221 /* Security Officer or Admin? */ 00222 i_tid.user = owner; 00223 if (rsbac_get_attr(SW_CAP, 00224 T_USER, 00225 i_tid, 00226 A_cap_role, 00227 &i_attr_val1, 00228 TRUE)) 00229 { 00230 rsbac_ds_get_error("rsbac_adf_request_cap()", A_cap_role); 00231 return(NOT_GRANTED); 00232 } 00233 /* if sec_officer, then grant */ 00234 if(i_attr_val1.system_role == SR_security_officer) 00235 return(GRANTED); 00236 else 00237 return(NOT_GRANTED); 00238 case PH_from_other_users: 00239 { 00240 struct task_struct * task_p; 00241 enum rsbac_adf_req_ret_t result; 00242 00243 read_lock(&tasklist_lock); 00244 task_p = find_task_by_pid(tid.process); 00245 if( task_p 00246 && (task_p->uid != owner) 00247 ) 00248 result = NOT_GRANTED; 00249 else 00250 result = GRANTED; 00251 read_unlock(&tasklist_lock); 00252 if(result == GRANTED) 00253 return GRANTED; 00254 /* Security Officer or Admin? */ 00255 i_tid.user = owner; 00256 if (rsbac_get_attr(SW_CAP, 00257 T_USER, 00258 i_tid, 00259 A_cap_role, 00260 &i_attr_val1, 00261 TRUE)) 00262 { 00263 rsbac_ds_get_error("rsbac_adf_request_cap()", A_cap_role); 00264 return(NOT_GRANTED); 00265 } 00266 /* if sec_officer or admin, then grant */ 00267 if( (i_attr_val1.system_role == SR_security_officer) 00268 || (i_attr_val1.system_role == SR_administrator) 00269 ) 00270 return(GRANTED); 00271 else 00272 return(NOT_GRANTED); 00273 } 00274 default: 00275 return DO_NOT_CARE; 00276 } 00277 00278 default: 00279 return DO_NOT_CARE; 00280 } 00281 #endif 00282 00283 /*********************/ 00284 default: return DO_NOT_CARE; 00285 } 00286 00287 return(DO_NOT_CARE); 00288 } /* end of rsbac_adf_request_cap() */
int rsbac_adf_set_attr_cap | ( | enum rsbac_adf_request_t | request, | |
rsbac_pid_t | caller_pid, | |||
enum rsbac_target_t | target, | |||
union rsbac_target_id_t | tid, | |||
enum rsbac_target_t | new_target, | |||
union rsbac_target_id_t | new_tid, | |||
enum rsbac_attribute_t | attr, | |||
union rsbac_attribute_value_t | attr_val, | |||
rsbac_uid_t | owner | |||
) | [inline] |
Definition at line 301 of file cap_main.c.
References A_cap_ld_env, A_cap_process_hiding, A_max_caps, A_max_caps_program, A_max_caps_user, A_min_caps, rsbac_attribute_value_t::cap_ld_env, rsbac_attribute_value_t::cap_process_hiding, FALSE, LD_keep, rsbac_attribute_value_t::max_caps, rsbac_attribute_value_t::max_caps_program, rsbac_attribute_value_t::max_caps_user, rsbac_attribute_value_t::min_caps, rsbac_attribute_value_t::owner, rsbac_target_id_t::process, R_CHANGE_OWNER, R_CLONE, R_EXECUTE, RSBAC_CAP_DEFAULT_MAX, RSBAC_EINVALIDATTR, rsbac_get_attr, rsbac_printk(), rsbac_set_attr, SW_CAP, T_FILE, T_PROCESS, T_USER, and rsbac_target_id_t::user.
Referenced by rsbac_adf_set_attr().
00311 { 00312 union rsbac_target_id_t i_tid; 00313 union rsbac_attribute_value_t i_attr_val1; 00314 00315 switch (request) 00316 { 00317 case R_CHANGE_OWNER: 00318 switch(target) 00319 { 00320 case T_PROCESS: 00321 if(attr != A_owner) 00322 return(-RSBAC_EINVALIDATTR); 00323 i_tid.user = attr_val.owner; 00324 if (rsbac_get_attr(SW_CAP, 00325 T_USER, 00326 i_tid, 00327 A_cap_ld_env, 00328 &i_attr_val1, FALSE)) { 00329 rsbac_ds_get_error 00330 ("rsbac_adf_set_attr_cap()", 00331 A_max_caps); 00332 } else { 00333 if (i_attr_val1.cap_ld_env == LD_keep) { 00334 i_tid.process = caller_pid; 00335 if (rsbac_get_attr(SW_CAP, 00336 T_PROCESS, 00337 i_tid, 00338 A_cap_ld_env, 00339 &i_attr_val1, FALSE)) { 00340 rsbac_ds_set_error 00341 ("rsbac_adf_set_attr_cap()", 00342 A_cap_ld_env); 00343 } else { 00344 if (rsbac_set_attr(SW_CAP, 00345 T_PROCESS, 00346 tid, 00347 A_cap_ld_env, 00348 i_attr_val1)) { 00349 rsbac_ds_set_error 00350 ("rsbac_adf_set_attr_cap()", 00351 A_cap_ld_env); 00352 } 00353 } 00354 } 00355 } 00356 /* Adjust Linux caps */ 00357 i_tid.user = attr_val.owner; 00358 if (rsbac_get_attr(SW_CAP, 00359 T_USER, 00360 i_tid, 00361 A_max_caps, 00362 &i_attr_val1, 00363 FALSE)) 00364 { 00365 rsbac_ds_get_error("rsbac_adf_set_attr_cap()", A_max_caps); 00366 } 00367 else 00368 { 00369 #ifdef CONFIG_RSBAC_SOFTMODE 00370 if( rsbac_softmode 00371 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00372 || rsbac_ind_softmode[SW_CAP] 00373 #endif 00374 ) 00375 { /* Warn */ 00376 if(i_attr_val1.max_caps != RSBAC_CAP_DEFAULT_MAX) 00377 { 00378 rsbac_printk(KERN_NOTICE 00379 "rsbac_adf_set_attr_cap(): running in softmode, max_caps of user %u not applied to process %u(%.15s)!\n", 00380 owner, 00381 caller_pid, 00382 current->comm); 00383 } 00384 } 00385 else 00386 #endif 00387 { 00388 extern spinlock_t task_capability_lock; 00389 00390 /* set caps for process */ 00391 spin_lock(&task_capability_lock); 00392 current->cap_permitted &= i_attr_val1.max_caps; 00393 current->cap_effective &= i_attr_val1.max_caps; 00394 current->cap_inheritable &= i_attr_val1.max_caps; 00395 spin_unlock(&task_capability_lock); 00396 00397 #ifdef CONFIG_RSBAC_CAP_LOG_MISSING 00398 /* set max_caps_user for process */ 00399 if (rsbac_set_attr(SW_CAP, 00400 target, 00401 tid, 00402 A_max_caps_user, 00403 i_attr_val1)) 00404 { 00405 rsbac_ds_set_error("rsbac_adf_set_attr_cap()", A_max_caps_user); 00406 } 00407 #endif 00408 } 00409 } 00410 if (rsbac_get_attr(SW_CAP, 00411 T_USER, 00412 i_tid, 00413 A_min_caps, 00414 &i_attr_val1, 00415 FALSE)) 00416 { 00417 rsbac_ds_get_error("rsbac_adf_set_attr_cap()", A_min_caps); 00418 } 00419 else 00420 { 00421 extern spinlock_t task_capability_lock; 00422 00423 /* set caps for process */ 00424 spin_lock(&task_capability_lock); 00425 current->cap_permitted |= i_attr_val1.min_caps; 00426 current->cap_effective |= i_attr_val1.min_caps; 00427 current->cap_inheritable |= i_attr_val1.min_caps; 00428 spin_unlock(&task_capability_lock); 00429 } 00430 return 0; 00431 00432 /* all other cases are unknown */ 00433 default: 00434 return(0); 00435 } 00436 break; 00437 00438 #if defined (CONFIG_RSBAC_CAP_PROC_HIDE) || defined(CONFIG_RSBAC_CAP_LOG_MISSING) 00439 case R_CLONE: 00440 switch(target) 00441 { 00442 case T_PROCESS: 00443 i_tid.process = caller_pid; 00444 if (rsbac_get_attr(SW_CAP, 00445 target, 00446 i_tid, 00447 A_cap_ld_env, 00448 &i_attr_val1, FALSE)) { 00449 rsbac_ds_get_error 00450 ("rsbac_adf_set_attr_cap()", 00451 A_cap_ld_env); 00452 } else { 00453 if (rsbac_set_attr(SW_CAP, 00454 new_target, 00455 new_tid, 00456 A_cap_ld_env, 00457 i_attr_val1)) { 00458 rsbac_ds_get_error 00459 ("rsbac_adf_set_attr_cap()", 00460 A_cap_ld_env); 00461 } 00462 } 00463 #ifdef CONFIG_RSBAC_CAP_PROC_HIDE 00464 /* get process hiding from old process */ 00465 if (rsbac_get_attr(SW_CAP, 00466 target, 00467 tid, 00468 A_cap_process_hiding, 00469 &i_attr_val1, 00470 FALSE)) 00471 { 00472 rsbac_ds_get_error("rsbac_adf_set_attr_cap()", A_cap_process_hiding); 00473 } 00474 else 00475 { /* only set, of not default value 0 */ 00476 if(i_attr_val1.cap_process_hiding) 00477 { 00478 /* set program based log for new process */ 00479 if (rsbac_set_attr(SW_CAP, 00480 new_target, 00481 new_tid, 00482 A_cap_process_hiding, 00483 i_attr_val1)) 00484 { 00485 rsbac_ds_set_error("rsbac_adf_set_attr_cap()", A_cap_process_hiding); 00486 } 00487 } 00488 } 00489 #endif 00490 #ifdef CONFIG_RSBAC_CAP_LOG_MISSING 00491 /* get max_caps_user from old process */ 00492 if (rsbac_get_attr(SW_CAP, 00493 target, 00494 tid, 00495 A_max_caps_user, 00496 &i_attr_val1, 00497 FALSE)) 00498 { 00499 rsbac_ds_get_error("rsbac_adf_set_attr_cap():CLONE", A_max_caps_user); 00500 } 00501 else 00502 { /* only set, of not default value */ 00503 if(i_attr_val1.max_caps_user != RSBAC_CAP_DEFAULT_MAX) 00504 { 00505 if (rsbac_set_attr(SW_CAP, 00506 new_target, 00507 new_tid, 00508 A_max_caps_user, 00509 i_attr_val1)) 00510 { 00511 rsbac_ds_set_error("rsbac_adf_set_attr_cap():CLONE", A_max_caps_user); 00512 } 00513 } 00514 } 00515 /* get max_caps_program from old process */ 00516 if (rsbac_get_attr(SW_CAP, 00517 target, 00518 tid, 00519 A_max_caps_program, 00520 &i_attr_val1, 00521 FALSE)) 00522 { 00523 rsbac_ds_get_error("rsbac_adf_set_attr_cap():CLONE", A_max_caps_program); 00524 } 00525 else 00526 { /* only set, of not default value */ 00527 if(i_attr_val1.max_caps_program != RSBAC_CAP_DEFAULT_MAX) 00528 { 00529 if (rsbac_set_attr(SW_CAP, 00530 new_target, 00531 new_tid, 00532 A_max_caps_program, 00533 i_attr_val1)) 00534 { 00535 rsbac_ds_set_error("rsbac_adf_set_attr_cap():CLONE", A_max_caps_program); 00536 } 00537 } 00538 } 00539 #endif 00540 return 0; 00541 00542 /* all other cases are unknown */ 00543 default: 00544 return(0); 00545 } 00546 #endif /* PROC_HIDE || LOG_MISSING */ 00547 00548 case R_EXECUTE: 00549 switch(target) 00550 { 00551 case T_FILE: 00552 i_tid.user = owner; 00553 if (rsbac_get_attr(SW_CAP, 00554 T_USER, 00555 i_tid, 00556 A_cap_ld_env, 00557 &i_attr_val1, FALSE)) { 00558 rsbac_ds_get_error("rsbac_adf_set_attr_cap()",A_cap_ld_env); 00559 } else { 00560 if (i_attr_val1.cap_ld_env == LD_keep) { 00561 i_tid.process = caller_pid; 00562 if (rsbac_get_attr(SW_CAP, 00563 T_PROCESS, 00564 i_tid, 00565 A_cap_ld_env, 00566 &i_attr_val1, FALSE)) { 00567 rsbac_ds_get_error("rsbac_adf_set_attr_cap()", 00568 A_cap_ld_env); 00569 } 00570 i_tid.process = caller_pid; 00571 if (rsbac_set_attr(SW_CAP, 00572 T_PROCESS, 00573 i_tid, 00574 A_cap_ld_env, 00575 i_attr_val1)) { 00576 rsbac_ds_get_error("rsbac_adf_set_attr_cap()", 00577 A_cap_ld_env); 00578 } 00579 } 00580 } 00581 /* Adjust Linux caps - first user, then program based */ 00582 /* User must be redone, because caps are cleared by Linux kernel */ 00583 if (rsbac_get_attr(SW_CAP, 00584 T_USER, 00585 i_tid, 00586 A_max_caps, 00587 &i_attr_val1, 00588 FALSE)) 00589 { 00590 rsbac_ds_get_error("rsbac_adf_set_attr_cap()", A_max_caps); 00591 } 00592 else 00593 { 00594 #ifdef CONFIG_RSBAC_SOFTMODE 00595 if( rsbac_softmode 00596 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00597 || rsbac_ind_softmode[SW_CAP] 00598 #endif 00599 ) 00600 { /* Warn */ 00601 if(i_attr_val1.max_caps != RSBAC_CAP_DEFAULT_MAX) 00602 { 00603 rsbac_printk(KERN_NOTICE 00604 "rsbac_adf_set_attr_cap(): running in softmode, max_caps of user %u not applied to process %u(%.15s)!\n", 00605 owner, 00606 caller_pid, 00607 current->comm); 00608 } 00609 } 00610 else 00611 #endif 00612 { 00613 extern spinlock_t task_capability_lock; 00614 00615 /* set caps for process */ 00616 spin_lock(&task_capability_lock); 00617 current->cap_permitted &= i_attr_val1.max_caps; 00618 current->cap_effective &= i_attr_val1.max_caps; 00619 current->cap_inheritable &= i_attr_val1.max_caps; 00620 spin_unlock(&task_capability_lock); 00621 } 00622 } 00623 if (rsbac_get_attr(SW_CAP, 00624 T_USER, 00625 i_tid, 00626 A_min_caps, 00627 &i_attr_val1, 00628 FALSE)) 00629 { 00630 rsbac_ds_get_error("rsbac_adf_set_attr_cap()", A_min_caps); 00631 } 00632 else 00633 { 00634 extern spinlock_t task_capability_lock; 00635 00636 /* set caps for process */ 00637 spin_lock(&task_capability_lock); 00638 current->cap_permitted |= i_attr_val1.min_caps; 00639 current->cap_effective |= i_attr_val1.min_caps; 00640 current->cap_inheritable |= i_attr_val1.min_caps; 00641 spin_unlock(&task_capability_lock); 00642 } 00643 if (rsbac_get_attr(SW_CAP, 00644 target, 00645 tid, 00646 A_max_caps, 00647 &i_attr_val1, 00648 FALSE)) 00649 { 00650 rsbac_ds_get_error("rsbac_adf_set_attr_cap()", A_max_caps); 00651 } 00652 else 00653 { 00654 #ifdef CONFIG_RSBAC_SOFTMODE 00655 if( rsbac_softmode 00656 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00657 || rsbac_ind_softmode[SW_CAP] 00658 #endif 00659 ) 00660 { /* Warn */ 00661 if(i_attr_val1.max_caps != RSBAC_CAP_DEFAULT_MAX) 00662 { 00663 rsbac_printk(KERN_NOTICE 00664 "rsbac_adf_set_attr_cap(): running in softmode, max_caps of program not applied to process %u(%.15s)!\n", 00665 caller_pid, 00666 current->comm); 00667 } 00668 } 00669 else 00670 #endif 00671 { 00672 extern spinlock_t task_capability_lock; 00673 00674 /* set caps for process */ 00675 spin_lock(&task_capability_lock); 00676 current->cap_permitted &= i_attr_val1.max_caps; 00677 current->cap_effective &= i_attr_val1.max_caps; 00678 current->cap_inheritable &= i_attr_val1.max_caps; 00679 spin_unlock(&task_capability_lock); 00680 00681 #ifdef CONFIG_RSBAC_CAP_LOG_MISSING 00682 i_tid.process = caller_pid; 00683 /* set max_caps_program for process */ 00684 if (rsbac_set_attr(SW_CAP, 00685 T_PROCESS, 00686 i_tid, 00687 A_max_caps_program, 00688 i_attr_val1)) 00689 { 00690 rsbac_ds_set_error("rsbac_adf_set_attr_cap():EXECUTE", A_max_caps_program); 00691 } 00692 #endif 00693 } 00694 } 00695 if (rsbac_get_attr(SW_CAP, 00696 target, 00697 tid, 00698 A_min_caps, 00699 &i_attr_val1, 00700 FALSE)) 00701 { 00702 rsbac_ds_get_error("rsbac_adf_set_attr_cap()", A_min_caps); 00703 } 00704 else 00705 { 00706 extern spinlock_t task_capability_lock; 00707 00708 /* set caps for process */ 00709 spin_lock(&task_capability_lock); 00710 current->cap_permitted |= i_attr_val1.min_caps; 00711 current->cap_effective |= i_attr_val1.min_caps; 00712 current->cap_inheritable |= i_attr_val1.min_caps; 00713 spin_unlock(&task_capability_lock); 00714 } 00715 return 0; 00716 00717 /* all other cases are unknown */ 00718 default: 00719 return 0; 00720 } 00721 break; 00722 00723 /*********************/ 00724 default: return 0; 00725 } 00726 00727 return 0; 00728 } /* end of rsbac_adf_set_attr_cap() */