/linux-2.6.21.1-rsbac-1.3.4/include/rsbac/aci_data_structures.h

00001 /**************************************/
00002 /* Rule Set Based Access Control      */
00003 /* Author and (c) 1999-2007: Amon Ott */
00004 /* Data structures                    */
00005 /* Last modified: 16/Feb/2007         */
00006 /**************************************/
00007 
00008 #ifndef __RSBAC_DATA_STRUC_H
00009 #define __RSBAC_DATA_STRUC_H
00010 
00011 #ifdef __KERNEL__               /* only include in kernel code */
00012 #include <linux/types.h>
00013 #include <linux/fs.h>
00014 #include <linux/wait.h>
00015 #include <linux/interrupt.h>
00016 #include <asm/semaphore.h>
00017 #include <rsbac/types.h>
00018 #include <linux/spinlock.h>
00019 #include <rsbac/pm_types.h>
00020 #include <rsbac/rc_types.h>
00021 #include <rsbac/aci.h>
00022 #include <rsbac/debug.h>
00023 #include <rsbac/lists.h>
00024 #endif                          /* __KERNEL__ */
00025 
00026 /* First of all we define dirname and filenames for saving the ACIs to disk. */
00027 /* The path must be a valid single dir name! Each mounted device gets its    */
00028 /* own file set, residing in 'DEVICE_ROOT/RSBAC_ACI_PATH/'.                  */
00029 /* The dynamic data structures for PM, RC and ACL are kept in their own files.*/
00030 /* All user access to these files will be denied.                            */
00031 /* Backups are kept in FILENAMEb.                                            */
00032 
00033 #ifdef __KERNEL__
00034 #define RSBAC_LOG_BUF_LEN (16384)       /* log buffer length; the unit is not stated in this header */
00035 
00036 #define RSBAC_ACI_PATH          "rsbac.dat"     /* ACI directory name under each device root (DEVICE_ROOT/RSBAC_ACI_PATH/) */
00037 
00038 #define RSBAC_GEN_FD_NAME       "fd_gen"        /* one file/dir list name per module; every *_OLD_* twin below ends in '.' */
00039 #define RSBAC_GEN_OLD_FD_NAME   "fd_gen."       /* NOTE(review): presumably a suffix is appended to the old form - confirm in the list code */
00040 #define RSBAC_MAC_FD_NAME       "fd_mac"
00041 #define RSBAC_MAC_OLD_FD_NAME   "fd_mac."
00042 #define RSBAC_PM_FD_NAME        "fd_pm"
00043 #define RSBAC_PM_OLD_FD_NAME    "fd_pm."
00044 #define RSBAC_DAZ_FD_NAME       "fd_dazt"
00045 #define RSBAC_DAZ_OLD_FD_NAME   "fd_dazt."
00046 #define RSBAC_DAZ_SCANNED_FD_NAME "fd_dazs"
00047 #define RSBAC_DAZ_SCANNED_OLD_FD_NAME "fd_dazs."
00048 #define RSBAC_FF_FD_NAME        "fd_ff"
00049 #define RSBAC_FF_OLD_FD_NAME    "fd_ff."
00050 #define RSBAC_RC_FD_NAME        "fd_rc"
00051 #define RSBAC_RC_OLD_FD_NAME    "fd_rc."
00052 #define RSBAC_AUTH_FD_NAME      "fd_auth"
00053 #define RSBAC_AUTH_OLD_FD_NAME  "fd_auth."
00054 #define RSBAC_CAP_FD_NAME       "fd_cap"
00055 #define RSBAC_CAP_OLD_FD_NAME   "fd_cap."
00056 #define RSBAC_PAX_FD_NAME       "fd_pax"
00057 #define RSBAC_PAX_OLD_FD_NAME   "fd_pax."
00058 #define RSBAC_RES_FD_NAME       "fd_res"
00059 #define RSBAC_RES_OLD_FD_NAME   "fd_res."
00060 
00061 #define RSBAC_ACI_USER_NAME     "useraci"
00062 /* dir creation mode for discretionary access control: no rights*/
00063 #define RSBAC_ACI_DIR_MODE       (S_IFDIR)      /* file-type bit only; no permission bits are set */
00064 /* file creation mode for discretionary access control: rw for user only*/
00065 #define RSBAC_ACI_FILE_MODE      (S_IFREG | S_IRUSR | S_IWUSR)  /* NOTE(review): DAC bits alone do not restrain root; the "all user access denied" promise in the file header must be enforced elsewhere - confirm */
00066 /* minimal mem chunk size available to try write_partial_fd_list, else defer */
00067 #define RSBAC_MIN_WRITE_FD_BUF_LEN 32768
00068 /* max size for write_chunks */
00069 #define RSBAC_MAX_WRITE_CHUNK ((1 << 15) - 1)   /* = 32767, one below RSBAC_MIN_WRITE_FD_BUF_LEN */
00070 
00071 #define RSBAC_GEN_NR_FD_LISTS  2        /* number of file/dir lists per module; every value in this run is 2 or 4 */
00072 #define RSBAC_MAC_NR_FD_LISTS  4        /* NOTE(review): presumably hash widths, so keep them powers of 2 - confirm in the list code */
00073 #define RSBAC_PM_NR_FD_LISTS   2
00074 #define RSBAC_DAZ_NR_FD_LISTS   2
00075 #define RSBAC_DAZ_SCANNED_NR_FD_LISTS 4
00076 #define RSBAC_FF_NR_FD_LISTS   4
00077 #define RSBAC_RC_NR_FD_LISTS   4
00078 #define RSBAC_AUTH_NR_FD_LISTS 2
00079 #define RSBAC_CAP_NR_FD_LISTS  2
00080 #define RSBAC_PAX_NR_FD_LISTS  2
00081 #define RSBAC_RES_NR_FD_LISTS  2
00082 
00083 #ifdef CONFIG_RSBAC_INIT_THREAD
00084 /* Check and set init timeout: configured values below 5 are raised to 5 (unit not stated here) */
00085 #if CONFIG_RSBAC_MAX_INIT_TIME >= 5     /* an undefined CONFIG_RSBAC_MAX_INIT_TIME evaluates as 0 here and takes the #else branch */
00086 #define RSBAC_MAX_INIT_TIME CONFIG_RSBAC_MAX_INIT_TIME
00087 #else
00088 #define RSBAC_MAX_INIT_TIME 5
00089 #endif
00090 #endif                          /* INIT_THREAD */
00091 
00092 #endif                          /* __KERNEL__ */
00093 
00094 /* The following structures provide attributes for all possible targets.  */
00095 /* The data structures are kept in double linked lists, and are optimized */
00096 /* by hash functions.                                                     */
00097 
00098 /* Only ATTRIBUTES are saved in those structures, that are saved to disk, */
00099 /* because saving sublists means breaking up the structures for every     */
00100 /* single list.                                                           */
00101 /* If a list of policy dependent items is to be stored, this is done in   */
00102 /* the policy dependent data structures. Here only an ID as a handle is   */
00103 /* supported.                                                             */
00104 
00105 /* OK, first we define the file/dir ACI, holding all file/dir information */
00106 /* the ADF needs for decisions.                                           */
00107 
00108 /* Caution: whenever ACI changes, version and old_version should be increased!            */
00109 
00110 // #define CONFIG_RSBAC_FD_CACHE 1
00111 
00112 #ifdef CONFIG_RSBAC_FD_CACHE    /* only compiled when the (commented-out) define above is enabled or the option is set elsewhere */
00113 #define RSBAC_FD_CACHE_NAME       "fd_cache."
00114 #define RSBAC_FD_CACHE_VERSION 1
00115 #define RSBAC_FD_CACHE_KEY 3626114
00116 //#define RSBAC_FD_CACHE_TTL 3600
00117 struct rsbac_fd_cache_desc_t {  /* cache descriptor: a (device, inode) pair */
00118         __u32            device;        /* fixed-width device number, not kdev_t as in rsbac_device_list_item_t */
00119         rsbac_inode_nr_t inode;
00120 };
00121 #endif
00122 
00123 #define RSBAC_GEN_FD_ACI_VERSION 7      /* to be increased whenever the struct below changes (see the caution above) */
00124 #define RSBAC_GEN_FD_ACI_KEY 1001       /* NOTE(review): fixed value published in this header - treat it as an identifier, not a secret; confirm how the list code uses it */
00125 struct rsbac_gen_fd_aci_t {     /* current general (GEN) file/dir attribute record */
00126         rsbac_log_array_t log_array_low;        /* file/dir based logging, */
00127         rsbac_log_array_t log_array_high;       /* high and low bits */
00128         rsbac_request_vector_t log_program_based;       /* Program based logging */
00129         rsbac_enum_t symlink_add_remote_ip;     /* not present in rsbac_gen_fd_old_aci_t (version 6) */
00130         rsbac_enum_t symlink_add_uid;
00131         rsbac_enum_t symlink_add_mac_level;
00132         rsbac_enum_t symlink_add_rc_role;
00133         rsbac_enum_t linux_dac_disable; /* the defaults below use LDD_inherit and LDD_false */
00134         rsbac_fake_root_uid_int_t fake_root_uid;        /* the defaults below use FR_off */
00135         rsbac_uid_t auid_exempt;        /* the defaults below use RSBAC_NO_USER */
00136 };
00137 #define DEFAULT_GEN_FD_ACI /* initializer for struct rsbac_gen_fd_aci_t */ \
00138     { \
00139       .log_array_low = -1, /* -1: all bits set if rsbac_log_array_t is an integer type - TODO confirm the meaning */ \
00140       .log_array_high = -1, \
00141       .log_program_based = 0, \
00142       .symlink_add_uid = FALSE, /* symlink_add_remote_ip is not listed here, so it is zero-initialized implicitly */ \
00143       .symlink_add_mac_level = FALSE, \
00144       .symlink_add_rc_role = FALSE, \
00145       .linux_dac_disable = LDD_inherit, /* DEFAULT_GEN_ROOT_DIR_ACI uses LDD_false instead */ \
00146       .fake_root_uid = FR_off, \
00147       .auid_exempt = RSBAC_NO_USER, \
00148     }
00149 
00150 #define DEFAULT_GEN_ROOT_DIR_ACI /* initializer for struct rsbac_gen_fd_aci_t, root-dir variant */ \
00151     { \
00152       .log_array_low = -1, \
00153       .log_array_high = -1, \
00154       .log_program_based = 0, \
00155       .symlink_add_uid = FALSE, /* symlink_add_remote_ip is not listed here, so it is zero-initialized implicitly */ \
00156       .symlink_add_mac_level = FALSE, \
00157       .symlink_add_rc_role = FALSE, \
00158       .linux_dac_disable = LDD_false, /* only difference from DEFAULT_GEN_FD_ACI; presumably because a root dir has no parent to inherit from - confirm */ \
00159       .fake_root_uid = FR_off, \
00160       .auid_exempt = RSBAC_NO_USER, \
00161     }
00162 
00163 #define RSBAC_GEN_FD_OLD_ACI_VERSION 6  /* previous layout: rsbac_gen_fd_aci_t without symlink_add_remote_ip */
00164 struct rsbac_gen_fd_old_aci_t { /* NOTE(review): conversion code is not in this header - confirm it checks the stored version before treating data as this layout */
00165         rsbac_log_array_t log_array_low;        /* file/dir based logging, */
00166         rsbac_log_array_t log_array_high;       /* high and low bits */
00167         rsbac_request_vector_t log_program_based;       /* Program based logging */
00168         rsbac_enum_t symlink_add_uid;
00169         rsbac_enum_t symlink_add_mac_level;
00170         rsbac_enum_t symlink_add_rc_role;
00171         rsbac_enum_t linux_dac_disable;
00172         rsbac_fake_root_uid_int_t fake_root_uid;
00173         rsbac_uid_t auid_exempt;
00174 };
00175 
00176 #define RSBAC_GEN_FD_OLD_OLD_ACI_VERSION 5      /* version 6 layout without auid_exempt */
00177 struct rsbac_gen_fd_old_old_aci_t {
00178         rsbac_log_array_t log_array_low;        /* file/dir based logging, */
00179         rsbac_log_array_t log_array_high;       /* high and low bits */
00180         rsbac_request_vector_t log_program_based;       /* Program based logging */
00181         rsbac_enum_t symlink_add_uid;
00182         rsbac_enum_t symlink_add_mac_level;
00183         rsbac_enum_t symlink_add_rc_role;
00184         rsbac_enum_t linux_dac_disable;
00185         rsbac_fake_root_uid_int_t fake_root_uid;        /* last member in this version */
00186 };
00187 
00188 #define RSBAC_GEN_FD_OLD_OLD_OLD_ACI_VERSION 4  /* version 5 layout without fake_root_uid; oldest GEN file/dir layout declared here */
00189 struct rsbac_gen_fd_old_old_old_aci_t {
00190         rsbac_log_array_t log_array_low;        /* file/dir based logging, */
00191         rsbac_log_array_t log_array_high;       /* high and low bits */
00192         rsbac_request_vector_t log_program_based;       /* Program based logging */
00193         rsbac_enum_t symlink_add_uid;
00194         rsbac_enum_t symlink_add_mac_level;
00195         rsbac_enum_t symlink_add_rc_role;
00196         rsbac_enum_t linux_dac_disable; /* last member in this version */
00197 };
00198 
00199 #if defined(CONFIG_RSBAC_MAC)
00200 #define RSBAC_MAC_FD_ACI_VERSION 5      /* to be increased whenever the struct below changes */
00201 #define RSBAC_MAC_FD_ACI_KEY 1001
00202 struct rsbac_mac_fd_aci_t {     /* current MAC file/dir record; unlike version 4 it has no mac_trusted_for_user */
00203         rsbac_security_level_t sec_level;       /* MAC */
00204         rsbac_mac_category_vector_t mac_categories;     /* MAC category set */
00205         rsbac_mac_auto_int_t mac_auto;  /* auto-adjust current level */
00206         rsbac_boolean_int_t mac_prop_trusted;   /* Keep trusted flag when executing this file */
00207         rsbac_mac_file_flags_t mac_file_flags;  /* allow write_up, read_up etc. to it */
00208 };
00209 
00210 #define RSBAC_MAC_FD_OLD_ACI_VERSION 4  /* previous layout: current members plus mac_trusted_for_user */
00211 struct rsbac_mac_fd_old_aci_t {
00212         rsbac_security_level_t sec_level;       /* MAC */
00213         rsbac_uid_t mac_trusted_for_user;       /* MAC (for FILE only); dropped in version 5 */
00214         rsbac_mac_category_vector_t mac_categories;     /* MAC category set */
00215         rsbac_mac_auto_int_t mac_auto;  /* auto-adjust current level */
00216         rsbac_boolean_int_t mac_prop_trusted;   /* Keep trusted flag when executing this file */
00217         rsbac_mac_file_flags_t mac_file_flags;  /* allow write_up, read_up etc. to it */
00218 };
00219 
00220 #define RSBAC_MAC_FD_OLD_OLD_ACI_VERSION 3      /* has a single mac_shared boolean where version 4 has mac_file_flags */
00221 struct rsbac_mac_fd_old_old_aci_t {
00222         rsbac_security_level_t sec_level;       /* MAC */
00223         rsbac_uid_t mac_trusted_for_user;       /* MAC (for FILE only) */
00224         rsbac_mac_category_vector_t mac_categories;     /* MAC category set */
00225         rsbac_mac_auto_int_t mac_auto;  /* auto-adjust current level */
00226         rsbac_boolean_int_t mac_prop_trusted;   /* Keep trusted flag when executing this file */
00227         rsbac_boolean_int_t mac_shared; /* Shared dir, i.e., allow write_up to it */
00228 };
00229 
00230 #define RSBAC_MAC_FD_OLD_OLD_OLD_ACI_VERSION 2  /* oldest MAC file/dir layout declared here: no mac_prop_trusted, no shared/flags member */
00231 struct rsbac_mac_fd_old_old_old_aci_t {
00232         rsbac_security_level_t sec_level;       /* MAC */
00233         rsbac_uid_t mac_trusted_for_user;       /* MAC (for FILE only) */
00234         rsbac_mac_category_vector_t mac_categories;     /* MAC category set */
00235         rsbac_mac_auto_int_t mac_auto;  /* auto-adjust current level */
00236 };
00237 
00238 #define DEFAULT_MAC_FD_ACI_INH /* initializer for struct rsbac_mac_fd_aci_t using the *_inherit values */ \
00239     { \
00240       .sec_level = SL_inherit, \
00241       .mac_categories = RSBAC_MAC_INHERIT_CAT_VECTOR, \
00242       .mac_auto = MA_inherit, \
00243       .mac_prop_trusted = FALSE, \
00244       .mac_file_flags = 0, \
00245     }
00246 #define DEFAULT_MAC_FD_ACI_NO_INH /* same fields with fixed values: unclassified, default categories, MA_yes */ \
00247     { \
00248       .sec_level = SL_unclassified, \
00249       .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00250       .mac_auto = MA_yes, \
00251       .mac_prop_trusted = FALSE, \
00252       .mac_file_flags = 0, \
00253     }
00254 
00255 #ifdef CONFIG_RSBAC_MAC_DEF_INHERIT     /* build-time choice of which initializer DEFAULT_MAC_FD_ACI expands to */
00256 #define DEFAULT_MAC_FD_ACI DEFAULT_MAC_FD_ACI_INH
00257 #else
00258 #define DEFAULT_MAC_FD_ACI DEFAULT_MAC_FD_ACI_NO_INH
00259 #endif                          /* MAC_DEF_INHERIT */
00260 
00261 #define DEFAULT_MAC_ROOT_DIR_ACI /* same values as DEFAULT_MAC_FD_ACI_NO_INH; never uses the *_inherit values */ \
00262     { \
00263       .sec_level = SL_unclassified, \
00264       .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00265       .mac_auto = MA_yes, \
00266       .mac_prop_trusted = FALSE, \
00267       .mac_file_flags = 0, \
00268     }
00269 #endif
00270 
00271 #if defined(CONFIG_RSBAC_PM)
00272 #define RSBAC_PM_FD_ACI_VERSION 1       /* no older PM file/dir layout is declared in this header */
00273 #define RSBAC_PM_FD_ACI_KEY 1001
00274 struct rsbac_pm_fd_aci_t {      /* PM file/dir attribute record */
00275         rsbac_pm_object_class_id_t pm_object_class;     /* PM  */
00276         rsbac_pm_tp_id_t pm_tp; /* PM (for FILE only) */
00277         rsbac_pm_object_type_int_t pm_object_type;      /* PM (enum rsbac_pm_object_type_t -> __u8) */
00278 };
00279 
00280 #define DEFAULT_PM_FD_ACI /* initializer for struct rsbac_pm_fd_aci_t: zero ids, PO_none */ \
00281     { \
00282       .pm_object_class = 0, \
00283       .pm_tp = 0, \
00284       .pm_object_type = PO_none, \
00285     }
00286 #endif
00287 
00288 #if defined(CONFIG_RSBAC_DAZ)
00289 #define RSBAC_DAZ_FD_ACI_VERSION 2      /* version 2 adds daz_do_scan to the version 1 layout */
00290 #define RSBAC_DAZ_FD_OLD_ACI_VERSION 1
00291 #define RSBAC_DAZ_FD_ACI_KEY 10535
00292 #define RSBAC_DAZ_CACHE_CLEANUP_INTERVAL 86400  /* 86400 = 24 * 3600; presumably seconds, i.e. one day - confirm at the point of use */
00293 #define RSBAC_DAZ_SCANNED_FD_ACI_VERSION 1
00294 struct rsbac_daz_fd_aci_t            
00295   {
00296     rsbac_daz_scanner_t daz_scanner;       /* DAZ (for FILE only) */
00297     rsbac_daz_do_scan_t daz_do_scan;       /* not present in rsbac_daz_fd_old_aci_t */
00298   };
00299 
00300 struct rsbac_daz_fd_old_aci_t            
00301   {     /* version 1 layout (RSBAC_DAZ_FD_OLD_ACI_VERSION): scanner flag only */
00302     rsbac_daz_scanner_t   daz_scanner;       /* DAZ (for FILE only) (boolean) */
00303   };
00304 
00305 #define DEFAULT_DAZ_FD_ACI /* initializer for struct rsbac_daz_fd_aci_t */ \
00306     { \
00307       .daz_scanner = FALSE, /* no file is marked as a scanner by default */ \
00308       .daz_do_scan = DEFAULT_DAZ_FD_DO_SCAN \
00309     }
00310 
00311 #define DEFAULT_DAZ_ROOT_DIR_ACI /* differs from DEFAULT_DAZ_FD_ACI only in the daz_do_scan constant */ \
00312     { \
00313       .daz_scanner = FALSE, \
00314       .daz_do_scan = DEFAULT_DAZ_FD_ROOT_DO_SCAN \
00315     }
00316 #endif
00317 
00318 #if defined(CONFIG_RSBAC_FF)
00319 #define RSBAC_FF_FD_ACI_VERSION 1       /* no FF struct is declared in this header; the stored value type (A_ff_flags) is defined elsewhere */
00320 #define RSBAC_FF_FD_ACI_KEY 1001
00321 #endif
00322 
00323 #if defined(CONFIG_RSBAC_RC)
00324 #define RSBAC_RC_FD_ACI_VERSION 1       /* no older RC file/dir layout is declared in this header */
00325 #define RSBAC_RC_FD_ACI_KEY 1001
00326 struct rsbac_rc_fd_aci_t {      /* RC file/dir attribute record: one type id and two role ids */
00327         rsbac_rc_type_id_t rc_type_fd;  /* RC */
00328         rsbac_rc_role_id_t rc_force_role;       /* RC */
00329         rsbac_rc_role_id_t rc_initial_role;     /* RC */
00330 };
00331 
00332 #define DEFAULT_RC_FD_ACI /* initializer for struct rsbac_rc_fd_aci_t: type is inherited from the parent */ \
00333     { \
00334       .rc_type_fd = RC_type_inherit_parent, \
00335       .rc_force_role = RC_default_force_role, \
00336       .rc_initial_role = RC_default_initial_role, \
00337     }
00338 #define DEFAULT_RC_ROOT_DIR_ACI /* root-dir variant: a concrete type and the *_root_dir_* role constants instead of inheritance */ \
00339     { \
00340       .rc_type_fd = RSBAC_RC_GENERAL_TYPE, \
00341       .rc_force_role = RC_default_root_dir_force_role, \
00342       .rc_initial_role = RC_default_root_dir_initial_role, \
00343     }
00344 #endif
00345 
00346 #if defined(CONFIG_RSBAC_AUTH)
00347 #define RSBAC_AUTH_FD_ACI_VERSION 2     /* version 2 adds auth_learn to the version 1 layout */
00348 #define RSBAC_AUTH_FD_OLD_ACI_VERSION 1
00349 #define RSBAC_AUTH_FD_ACI_KEY 1001
00350 struct rsbac_auth_fd_aci_t {    /* current AUTH file/dir record: three one-byte members */
00351         __u8 auth_may_setuid;   /* AUTH (enum); annotated as boolean in rsbac_auth_fd_old_aci_t */
00352         __u8 auth_may_set_cap;  /* AUTH (boolean) */
00353         __u8 auth_learn;        /* AUTH (boolean) */
00354 };
00355 
00356 struct rsbac_auth_fd_old_aci_t {        /* version 1 layout (RSBAC_AUTH_FD_OLD_ACI_VERSION): no auth_learn */
00357         __u8 auth_may_setuid;   /* AUTH (boolean) */
00358         __u8 auth_may_set_cap;  /* AUTH (boolean) */
00359 };
00360 
00361 #define DEFAULT_AUTH_FD_ACI /* initializer for struct rsbac_auth_fd_aci_t: every member FALSE */ \
00362     { \
00363       .auth_may_setuid = FALSE, /* NOTE(review): member is annotated as an enum; this relies on FALSE being its "off" value - confirm */ \
00364       .auth_may_set_cap = FALSE, \
00365       .auth_learn = FALSE, \
00366     }
00367 #endif
00368 
00369 #if defined(CONFIG_RSBAC_CAP)
00370 #define RSBAC_CAP_FD_ACI_VERSION 2      /* version 2 adds cap_ld_env to the version 1 layout */
00371 #define RSBAC_CAP_FD_OLD_ACI_VERSION 1
00372 #define RSBAC_CAP_FD_ACI_KEY 1001
00373 struct rsbac_cap_fd_aci_t {     /* current CAP file/dir record */
00374         rsbac_cap_vector_t min_caps;    /* Program forced minimum Linux capabilities */
00375         rsbac_cap_vector_t max_caps;    /* Program max Linux capabilities */
00376         rsbac_cap_ld_env_int_t cap_ld_env;      /* the default below uses LD_keep; semantics are defined elsewhere */
00377 };
00378 
00379 struct rsbac_cap_fd_old_aci_t { /* version 1 layout (RSBAC_CAP_FD_OLD_ACI_VERSION): no cap_ld_env */
00380         rsbac_cap_vector_t min_caps;    /* Program forced minimum Linux capabilities */
00381         rsbac_cap_vector_t max_caps;    /* Program max Linux capabilities */
00382 };
00383 
00384 #define DEFAULT_CAP_FD_ACI /* initializer for struct rsbac_cap_fd_aci_t */ \
00385     { \
00386       .min_caps = RSBAC_CAP_DEFAULT_MIN, /* NOTE(review): the default min/max vectors are defined elsewhere; check them when auditing what a program gets by default */ \
00387       .max_caps = RSBAC_CAP_DEFAULT_MAX, \
00388       .cap_ld_env = LD_keep, \
00389     }
00390 #endif
00391 
00392 #if defined(CONFIG_RSBAC_PAX)
00393 #define RSBAC_PAX_FD_ACI_VERSION 1      /* no PAX struct is declared in this header; the stored value type (A_pax_flags) is defined elsewhere */
00394 #define RSBAC_PAX_FD_ACI_KEY 100112
00395 #endif
00396 
00397 #if defined(CONFIG_RSBAC_RES)
00398 #define RSBAC_RES_FD_ACI_VERSION 1
00399 #define RSBAC_RES_FD_ACI_KEY 1002
00400 struct rsbac_res_fd_aci_t {     /* RES file/dir record: a minimum and a maximum resource array */
00401         rsbac_res_array_t res_min;
00402         rsbac_res_array_t res_max;
00403 };
00404 #define DEFAULT_RES_FD_ACI /* every slot unset; 11 positional entries per array, which must match the length of rsbac_res_array_t */ \
00405     { \
00406       .res_min = { \
00407         RSBAC_RES_UNSET,           /* cpu time */ \
00408         RSBAC_RES_UNSET,           /* file size */ \
00409         RSBAC_RES_UNSET,           /* process data segment size */ \
00410         RSBAC_RES_UNSET,           /* stack size */ \
00411         RSBAC_RES_UNSET,           /* core dump size */ \
00412         RSBAC_RES_UNSET,           /* resident memory set size */ \
00413         RSBAC_RES_UNSET,           /* number of processes for this user */ \
00414         RSBAC_RES_UNSET,           /* number of files */ \
00415         RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
00416         RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
00417         RSBAC_RES_UNSET            /* maximum file locks */ \
00418       }, \
00419       .res_max = { \
00420         RSBAC_RES_UNSET,           /* cpu time */ \
00421         RSBAC_RES_UNSET,           /* file size */ \
00422         RSBAC_RES_UNSET,           /* process data segment size */ \
00423         RSBAC_RES_UNSET,           /* stack size */ \
00424         RSBAC_RES_UNSET,           /* core dump size */ \
00425         RSBAC_RES_UNSET,           /* resident memory set size */ \
00426         RSBAC_RES_UNSET,           /* number of processes for this user */ \
00427         RSBAC_RES_UNSET,           /* number of files */ \
00428         RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
00429         RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
00430         RSBAC_RES_UNSET            /* maximum file locks */ \
00431       } \
00432     }
00433 #endif
00434 
00435 #define RSBAC_FD_NR_ATTRIBUTES 33       /* must equal the number of entries in RSBAC_FD_ATTR_LIST (33 as listed below) */
00436 #define RSBAC_FD_ATTR_LIST { /* all file/dir attributes, listed regardless of which CONFIG_RSBAC_* modules are enabled */ \
00437       A_security_level, \
00438       A_mac_categories, \
00439       A_mac_auto, \
00440       A_mac_prop_trusted, \
00441       A_mac_file_flags, \
00442       A_pm_object_class, \
00443       A_pm_tp, \
00444       A_pm_object_type, \
00445       A_daz_scanner, \
00446       A_ff_flags, /* FF has no struct in this header */ \
00447       A_rc_type_fd, \
00448       A_rc_force_role, \
00449       A_rc_initial_role, \
00450       A_auth_may_setuid, \
00451       A_auth_may_set_cap, \
00452       A_auth_learn, \
00453       A_log_array_low, \
00454       A_log_array_high, \
00455       A_log_program_based, \
00456       A_symlink_add_remote_ip, \
00457       A_symlink_add_uid, \
00458       A_symlink_add_mac_level, \
00459       A_symlink_add_rc_role, \
00460       A_linux_dac_disable, \
00461       A_min_caps, \
00462       A_max_caps, \
00463       A_cap_ld_env, \
00464       A_res_min, \
00465       A_res_max, \
00466       A_pax_flags, /* PAX has no struct in this header */ \
00467       A_fake_root_uid, \
00468       A_auid_exempt, \
00469       A_daz_do_scan \
00470       }
00471 
00472 #ifdef __KERNEL__
00473 struct rsbac_fd_list_handles_t {        /* one list handle per compiled-in module; layout depends on the CONFIG_RSBAC_* set, so all users must be built with the same config */
00474         rsbac_list_handle_t gen;        /* always present */
00475 #if defined(CONFIG_RSBAC_MAC)
00476         rsbac_list_handle_t mac;
00477 #endif
00478 #if defined(CONFIG_RSBAC_PM)
00479         rsbac_list_handle_t pm;
00480 #endif
00481 #if defined(CONFIG_RSBAC_DAZ)
00482         rsbac_list_handle_t daz;
00483 #if defined(CONFIG_RSBAC_DAZ_CACHE)
00484         rsbac_list_handle_t dazs;       /* only with both CONFIG_RSBAC_DAZ and CONFIG_RSBAC_DAZ_CACHE */
00485 #endif
00486 #endif
00487 #if defined(CONFIG_RSBAC_FF)
00488         rsbac_list_handle_t ff;
00489 #endif
00490 #if defined(CONFIG_RSBAC_RC)
00491         rsbac_list_handle_t rc;
00492 #endif
00493 #if defined(CONFIG_RSBAC_AUTH)
00494         rsbac_list_handle_t auth;
00495 #endif
00496 #if defined(CONFIG_RSBAC_CAP)
00497         rsbac_list_handle_t cap;
00498 #endif
00499 #if defined(CONFIG_RSBAC_PAX)
00500         rsbac_list_handle_t pax;
00501 #endif
00502 #if defined(CONFIG_RSBAC_RES)
00503         rsbac_list_handle_t res;
00504 #endif
00505 };
00506 
00507 /* The list of devices is also a double linked list, so we define list    */
00508 /* items and a list head.                                                 */
00509 
00510 /* Hash size. Must be power of 2. */
00511 
00512 #define RSBAC_NR_DEVICE_LISTS 8 /* 8 = 2^3, satisfying the power-of-2 requirement stated above */
00513 
00514 struct rsbac_device_list_item_t {       /* one entry of the doubly linked device list */
00515         kdev_t id;
00516         struct dentry *d_covers;        /* NOTE(review): raw kernel pointers; whether references are held is not visible here - confirm lifetime in the mount/umount paths */
00517         u_int mount_count;
00518         struct rsbac_fd_list_handles_t handles; /* per-module file/dir list handles, embedded by value */
00519         struct dentry *rsbac_dir_dentry_p;
00520         struct super_block *sb_p;
00521         rsbac_inode_nr_t rsbac_dir_inode;
00522         struct rsbac_device_list_item_t *prev;  /* list links */
00523         struct rsbac_device_list_item_t *next;
00524 };
00525 
00526 /* To provide consistency we use spinlocks for all list accesses. The     */
00527 /* 'curr' entry is used to avoid repeated lookups for the same item.       */
00528 
00529 struct rsbac_device_list_head_t {       /* list head; holds no lock member, so the spinlock mentioned above must be declared elsewhere */
00530         struct rsbac_device_list_item_t *head;
00531         struct rsbac_device_list_item_t *tail;
00532         struct rsbac_device_list_item_t *curr;  /* last-looked-up item, kept to avoid repeated lookups; must not outlive the item it points to */
00533         u_int count;
00534 };
00535 
00536 #endif                          /* __KERNEL__ */
00537 
00538 /******************************/
00539 /* OK, now we define the block/char device ACI, holding all dev information */
00540 /* the ADF needs for decisions.                                           */
00541 
00542 #define RSBAC_GEN_ACI_DEV_NAME       "dev_gen"  /* list names for block/char device attributes, one per module */
00543 #define RSBAC_MAC_ACI_DEV_NAME       "dev_mac"
00544 #define RSBAC_PM_ACI_DEV_NAME        "dev_pm"
00545 #define RSBAC_RC_ACI_DEV_MAJOR_NAME  "devm_rc"  /* RC is the only module with a second, "major" device list name */
00546 #define RSBAC_RC_ACI_DEV_NAME        "dev_rc"
00547 
00548 /* Caution: whenever ACI changes, version should be increased!            */
00549 
00550 #define RSBAC_GEN_DEV_ACI_VERSION 2     /* no struct for the version 1 layout is declared in this header */
00551 #define RSBAC_GEN_DEV_OLD_ACI_VERSION 1
00552 #define RSBAC_GEN_DEV_ACI_KEY 1001
00553 
00554 struct rsbac_gen_dev_aci_t {    /* GEN device record: logging settings only */
00555         rsbac_log_array_t log_array_low;        /* dev based logging, */
00556         rsbac_log_array_t log_array_high;       /* high and low bits */
00557 };
00558 #define DEFAULT_GEN_DEV_ACI /* initializer for struct rsbac_gen_dev_aci_t */ \
00559     { \
00560       .log_array_low = -1, /* -1: all bits set if rsbac_log_array_t is an integer type - TODO confirm the meaning */ \
00561       .log_array_high = -1, \
00562     }
00563 
00564 #if defined(CONFIG_RSBAC_MAC)
00565 #define RSBAC_MAC_DEV_ACI_VERSION 2     /* no struct for the version 1 layout is declared in this header */
00566 #define RSBAC_MAC_DEV_OLD_ACI_VERSION 1
00567 #define RSBAC_MAC_DEV_ACI_KEY 1001
00568 struct rsbac_mac_dev_aci_t {    /* MAC device record */
00569         rsbac_security_level_t sec_level;       /* MAC */
00570         rsbac_mac_category_vector_t mac_categories;     /* MAC category set */
00571         __u8 mac_check;         /* MAC (boolean) */
00572 };
00573 #define DEFAULT_MAC_DEV_ACI /* initializer for struct rsbac_mac_dev_aci_t */ \
00574     { \
00575       .sec_level = SL_unclassified, \
00576       .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00577       .mac_check = FALSE, /* NOTE(review): presumably MAC checking is off for a device until enabled - confirm in the MAC decision code */ \
00578     }
00579 #endif
00580 
00581 #if defined(CONFIG_RSBAC_PM)
00582 #define RSBAC_PM_DEV_ACI_VERSION 2      /* no struct for the version 1 layout is declared in this header */
00583 #define RSBAC_PM_DEV_OLD_ACI_VERSION 1
00584 #define RSBAC_PM_DEV_ACI_KEY 1001
00585 struct rsbac_pm_dev_aci_t {     /* PM device record */
00586         rsbac_pm_object_type_int_t pm_object_type;      /* PM (enum rsbac_pm_object_type_t) */
00587         rsbac_pm_object_class_id_t pm_object_class;     /* dev only */
00588 };
00589 
00590 #define DEFAULT_PM_DEV_ACI /* initializer for struct rsbac_pm_dev_aci_t: PO_none, class 0 */ \
00591     { \
00592       .pm_object_type = PO_none, \
00593       .pm_object_class = 0, \
00594     }
00595 #endif
00596 
00597 #if defined(CONFIG_RSBAC_RC)
00598 #define RSBAC_RC_DEV_ACI_VERSION 2      /* no RC device struct is declared in this header; the stored value type (A_rc_type) is defined elsewhere */
00599 #define RSBAC_RC_DEV_OLD_ACI_VERSION 1
00600 #define RSBAC_RC_DEV_ACI_KEY 1001
00601 #endif
00602 
00603 #define RSBAC_DEV_NR_ATTRIBUTES 8       /* must equal the number of entries in RSBAC_DEV_ATTR_LIST (8 as listed below) */
00604 #define RSBAC_DEV_ATTR_LIST { /* all device attributes, listed regardless of which CONFIG_RSBAC_* modules are enabled */ \
00605       A_security_level, \
00606       A_mac_categories, \
00607       A_mac_check, \
00608       A_pm_object_type, \
00609       A_pm_object_class, \
00610       A_rc_type, \
00611       A_log_array_low, \
00612       A_log_array_high \
00613       }
00614 
00615 #ifdef __KERNEL__
00616 struct rsbac_dev_handles_t {    /* one device list handle per compiled-in module; layout depends on the CONFIG_RSBAC_* set */
00617         rsbac_list_handle_t gen;        /* always present */
00618 #if defined(CONFIG_RSBAC_MAC)
00619         rsbac_list_handle_t mac;
00620 #endif
00621 #if defined(CONFIG_RSBAC_PM)
00622         rsbac_list_handle_t pm;
00623 #endif
00624 #if defined(CONFIG_RSBAC_RC)
00625         rsbac_list_handle_t rc;
00626 #endif
00627 };
00628 #endif                          /* __KERNEL__ */
00629 
00630 /**************************************************************************/
00631 /* Next we define the ipc ACI, holding all ipc information                */
00632 /* the ADF needs for decisions.                                           */
00633 
00634 #define RSBAC_MAC_ACI_IPC_NAME   "ipc_mac"      /* list names for IPC attributes, one per module; there is no GEN list for IPC */
00635 #define RSBAC_PM_ACI_IPC_NAME    "ipc_pm"
00636 #define RSBAC_RC_ACI_IPC_NAME    "ipc_rc"
00637 #define RSBAC_JAIL_ACI_IPC_NAME  "ipc_jai"
00638 
00639 #if defined(CONFIG_RSBAC_MAC)
00640 #define RSBAC_MAC_IPC_ACI_VERSION 1
00641 #define RSBAC_MAC_IPC_ACI_KEY 1001
00642 struct rsbac_mac_ipc_aci_t {    /* MAC IPC record: level and category set */
00643         rsbac_security_level_t sec_level;       /* enum old_rsbac_security_level_t / __u8 */
00644         rsbac_mac_category_vector_t mac_categories;     /* MAC category set */
00645 };
00646 #define DEFAULT_MAC_IPC_ACI /* initializer for struct rsbac_mac_ipc_aci_t */ \
00647     { \
00648       .sec_level = SL_unclassified, \
00649       .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00650     }
00651 #endif
00652 
00653 #if defined(CONFIG_RSBAC_PM)
00654 #define RSBAC_PM_IPC_ACI_VERSION 1
00655 #define RSBAC_PM_IPC_ACI_KEY 1001
00656 struct rsbac_pm_ipc_aci_t {     /* PM IPC record */
00657         rsbac_pm_object_class_id_t pm_object_class;     /* ipc only */
00658         rsbac_pm_purpose_id_t pm_ipc_purpose;
00659         rsbac_pm_object_type_int_t pm_object_type;      /* enum rsbac_pm_object_type_t */
00660 };
00661 #define DEFAULT_PM_IPC_ACI /* initializer for struct rsbac_pm_ipc_aci_t: IPC object class, purpose 0, PO_ipc */ \
00662     { \
00663       .pm_object_class = RSBAC_PM_IPC_OBJECT_CLASS_ID, \
00664       .pm_ipc_purpose = 0, \
00665       .pm_object_type = PO_ipc, \
00666     }
00667 #endif
00668 
00669 #if defined(CONFIG_RSBAC_RC)
00670 #define RSBAC_RC_IPC_ACI_VERSION 1      /* no RC IPC struct is declared in this header; the stored value type (A_rc_type) is defined elsewhere */
00671 #define RSBAC_RC_IPC_ACI_KEY 1001
00672 #endif
00673 
00674 #if defined(CONFIG_RSBAC_JAIL)
00675 #define RSBAC_JAIL_IPC_ACI_VERSION 1    /* no JAIL IPC struct is declared in this header; the stored value type (A_jail_id) is defined elsewhere */
00676 #define RSBAC_JAIL_IPC_ACI_KEY 1001
00677 #endif
00678 
00679 #define RSBAC_IPC_NR_ATTRIBUTES 7       /* must equal the number of entries in RSBAC_IPC_ATTR_LIST (7 as listed below) */
00680 #define RSBAC_IPC_ATTR_LIST { /* all IPC attributes, listed regardless of which CONFIG_RSBAC_* modules are enabled */ \
00681       A_security_level, \
00682       A_mac_categories, \
00683       A_pm_object_class, \
00684       A_pm_ipc_purpose, \
00685       A_pm_object_type, \
00686       A_rc_type, \
00687       A_jail_id \
00688       }
00689 
00690 #ifdef __KERNEL__
00691 struct rsbac_ipc_handles_t {    /* no unconditional member: with none of MAC, PM, RC, JAIL configured this struct is empty (a GNU C extension) */
00692 #if defined(CONFIG_RSBAC_MAC)
00693         rsbac_list_handle_t mac;
00694 #endif
00695 #if defined(CONFIG_RSBAC_PM)
00696         rsbac_list_handle_t pm;
00697 #endif
00698 #if defined(CONFIG_RSBAC_RC)
00699         rsbac_list_handle_t rc;
00700 #endif
00701 #if defined(CONFIG_RSBAC_JAIL)
00702         rsbac_list_handle_t jail;
00703 #endif
00704 };
00705 #endif                          /* __KERNEL__ */
00706 
00707 /*************************************/
00708 /* The user ACI holds all user information the ADF needs. */
00709 
00710 #define RSBAC_GEN_ACI_USER_NAME   "u_gen"       /* list names for user attributes, one per module */
00711 #define RSBAC_MAC_ACI_USER_NAME   "u_mac"
00712 #define RSBAC_PM_ACI_USER_NAME    "u_pm"
00713 #define RSBAC_DAZ_ACI_USER_NAME    "u_daz"
00714 #define RSBAC_FF_ACI_USER_NAME    "u_ff"
00715 #define RSBAC_RC_ACI_USER_NAME    "u_rc"
00716 #define RSBAC_AUTH_ACI_USER_NAME  "u_auth"
00717 #define RSBAC_CAP_ACI_USER_NAME   "u_cap"
00718 #define RSBAC_JAIL_ACI_USER_NAME  "u_jail"
00719 #define RSBAC_PAX_ACI_USER_NAME   "u_pax"
00720 #define RSBAC_RES_ACI_USER_NAME   "u_res"
00721 
00722 #define RSBAC_GEN_USER_ACI_VERSION 1
00723 #define RSBAC_GEN_USER_ACI_KEY 1001
00724 struct rsbac_gen_user_aci_t {   /* GEN user record: pseudonym and per-user logging vector */
00725         rsbac_pseudo_t pseudo;
00726         rsbac_request_vector_t log_user_based;  /* User based logging */
00727 };
00728 #define DEFAULT_GEN_U_ACI /* initializer for struct rsbac_gen_user_aci_t: both members zero */ \
00729     { \
00730       .pseudo = (rsbac_pseudo_t) 0, \
00731       .log_user_based = 0, \
00732     }
00733 
00734 #if defined(CONFIG_RSBAC_MAC)
00735 #define RSBAC_MAC_USER_ACI_VERSION 4    /* current layout; versions 3, 2 and 1 have their own structs below */
00736 #define RSBAC_MAC_USER_OLD_ACI_VERSION 3
00737 #define RSBAC_MAC_USER_OLD_OLD_ACI_VERSION 2
00738 #define RSBAC_MAC_USER_OLD_OLD_OLD_ACI_VERSION 1
00739 #define RSBAC_MAC_USER_ACI_KEY 1001
00740 struct rsbac_mac_user_aci_t {   /* current MAC user record */
00741         rsbac_security_level_t security_level;  /* maximum level */
00742         rsbac_security_level_t initial_security_level;  /* initial level, going by the member name; the original comment repeated "maximum level" - confirm */
00743         rsbac_security_level_t min_security_level;      /* minimum level / __u8 */
00744         rsbac_mac_category_vector_t mac_categories;     /* MAC max category set */
00745         rsbac_mac_category_vector_t mac_initial_categories;     /* initial category set, going by the member name; the original comment repeated "MAC max category set" - confirm */
00746         rsbac_mac_category_vector_t mac_min_categories; /* MAC min category set */
00747         rsbac_system_role_int_t system_role;    /* enum rsbac_system_role_t */
00748         rsbac_mac_user_flags_t mac_user_flags;  /* flags (override, trusted, allow_auto etc.) */
00749 };
00750 struct rsbac_mac_user_old_aci_t {       /* version 3 layout: no initial_* members, one mac_allow_auto boolean instead of mac_user_flags */
00751         rsbac_security_level_t access_appr;     /* maximum level */
00752         rsbac_security_level_t min_access_appr; /* minimum level / __u8 */
00753         rsbac_mac_category_vector_t mac_categories;     /* MAC max category set */
00754         rsbac_mac_category_vector_t mac_min_categories; /* MAC min category set */
00755         rsbac_system_role_int_t system_role;    /* enum rsbac_system_role_t */
00756         rsbac_boolean_int_t mac_allow_auto;     /* allow to auto-adjust current level */
00757 };
00758 struct rsbac_mac_user_old_old_aci_t {   /* version 2 layout: version 3 without mac_allow_auto */
00759         rsbac_security_level_t access_appr;     /* maximum level */
00760         rsbac_security_level_t min_access_appr; /* minimum level / __u8 */
00761         rsbac_mac_category_vector_t mac_categories;     /* MAC max category set */
00762         rsbac_mac_category_vector_t mac_min_categories; /* MAC min category set */
00763         rsbac_system_role_int_t system_role;    /* enum rsbac_system_role_t */
00764 };
00765 struct rsbac_mac_user_old_old_old_aci_t {       /* version 1 layout: a single level and category set, no minimum values */
00766         rsbac_security_level_t access_appr;     /* enum old_rsbac_security_level_t / __u8 */
00767         rsbac_mac_category_vector_t mac_categories;     /* MAC category set */
00768         rsbac_system_role_int_t system_role;    /* enum rsbac_system_role_t */
00769 };
00770 #define DEFAULT_MAC_U_ACI /* initializer for struct rsbac_mac_user_aci_t; the four variants here differ only in system_role and mac_user_flags */ \
00771     { \
00772       .security_level = SL_unclassified, \
00773       .initial_security_level = SL_unclassified, \
00774       .min_security_level = SL_unclassified, \
00775       .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00776       .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00777       .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
00778       .system_role = SR_user, \
00779       .mac_user_flags = RSBAC_MAC_DEF_U_FLAGS, \
00780     }
00781 #define DEFAULT_MAC_U_SYSADM_ACI /* SR_administrator with the SYSADM flag set */ \
00782     { \
00783       .security_level = SL_unclassified, \
00784       .initial_security_level = SL_unclassified, \
00785       .min_security_level = SL_unclassified, \
00786       .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00787       .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00788       .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
00789       .system_role = SR_administrator, \
00790       .mac_user_flags = RSBAC_MAC_DEF_SYSADM_U_FLAGS, \
00791     }
00792 #define DEFAULT_MAC_U_SECOFF_ACI /* SR_security_officer with the SECOFF flag set */ \
00793     { \
00794       .security_level = SL_unclassified, \
00795       .initial_security_level = SL_unclassified, \
00796       .min_security_level = SL_unclassified, \
00797       .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00798       .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00799       .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
00800       .system_role = SR_security_officer, \
00801       .mac_user_flags = RSBAC_MAC_DEF_SECOFF_U_FLAGS, \
00802     }
00803 #define DEFAULT_MAC_U_AUDITOR_ACI /* SR_auditor, but with the same flags as an ordinary user */ \
00804     { \
00805       .security_level = SL_unclassified, \
00806       .initial_security_level = SL_unclassified, \
00807       .min_security_level = SL_unclassified, \
00808       .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00809       .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00810       .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
00811       .system_role = SR_auditor, \
00812       .mac_user_flags = RSBAC_MAC_DEF_U_FLAGS, \
00813     }
00814 #endif
00815 
/*
 * PM user ACI: record layout, version/key constants and one default per PM
 * role. Every default uses task set 0 and differs only in .pm_role.
 * NOTE(review): the KEY is presumably the value given when the list is
 * registered (see rsbac/lists.h) - confirm. The VERSION has to be raised
 * whenever the struct below changes.
 */
00816 #if defined(CONFIG_RSBAC_PM)
00817 #define RSBAC_PM_USER_ACI_VERSION 1
00818 #define RSBAC_PM_USER_ACI_KEY 1001
00819 struct rsbac_pm_user_aci_t {
00820         rsbac_pm_task_set_id_t pm_task_set;
00821         rsbac_pm_role_int_t pm_role;    /* enum rsbac_pm_role_t */
00822 };
/* Ordinary user: PR_user. */
00823 #define DEFAULT_PM_U_ACI \
00824     { \
00825       .pm_task_set = 0, \
00826       .pm_role = PR_user, \
00827     }
/* PR_system_admin. */
00828 #define DEFAULT_PM_U_SYSADM_ACI \
00829     { \
00830       .pm_task_set = 0, \
00831       .pm_role = PR_system_admin, \
00832     }
/* PR_security_officer. */
00833 #define DEFAULT_PM_U_SECOFF_ACI \
00834     { \
00835       .pm_task_set = 0, \
00836       .pm_role = PR_security_officer, \
00837     }
/* PR_data_protection_officer. */
00838 #define DEFAULT_PM_U_DATAPROT_ACI \
00839     { \
00840       .pm_task_set = 0, \
00841       .pm_role = PR_data_protection_officer, \
00842     }
/* PR_tp_manager. */
00843 #define DEFAULT_PM_U_TPMAN_ACI \
00844     { \
00845       .pm_task_set = 0, \
00846       .pm_role = PR_tp_manager, \
00847     }
00848 #endif
00849 
/*
 * DAZ and FF: only version and key of the user ACI are defined here; this
 * section declares no record struct and no default macro for them
 * (rsbac_user_handles_t does carry daz and ff list handles).
 * NOTE(review): the stored value is presumably a single role (A_daz_role and
 * A_ff_role appear in RSBAC_USER_ATTR_LIST) - confirm where the lists are set up.
 */
00850 #if defined(CONFIG_RSBAC_DAZ)
00851 #define RSBAC_DAZ_USER_ACI_VERSION 1
00852 #define RSBAC_DAZ_USER_ACI_KEY 1001
00853 #endif
00854
00855 #if defined(CONFIG_RSBAC_FF)
00856 #define RSBAC_FF_USER_ACI_VERSION 1
00857 #define RSBAC_FF_USER_ACI_KEY 1001
00858 #endif
00859 
/*
 * RC user ACI: role and type assigned to a user, plus the defaults.
 * The record is at version 2; RSBAC_RC_USER_OLD_ACI_VERSION names the previous
 * version, whose layout is not declared in this section.
 * The security officer and auditor defaults share RSBAC_RC_SEC_TYPE; the
 * administrator default uses RSBAC_RC_SYS_TYPE.
 */
00860 #if defined(CONFIG_RSBAC_RC)
00861 #define RSBAC_RC_USER_ACI_VERSION 2
00862 #define RSBAC_RC_USER_OLD_ACI_VERSION 1
00863 #define RSBAC_RC_USER_ACI_KEY 1001
00864 struct rsbac_rc_user_aci_t {
00865         rsbac_rc_role_id_t rc_role;
00866         rsbac_rc_type_id_t rc_type;
00867 };
/* Ordinary user: general role and general type. */
00868 #define DEFAULT_RC_U_ACI \
00869     { \
00870       .rc_role = RSBAC_RC_GENERAL_ROLE, \
00871       .rc_type = RSBAC_RC_GENERAL_TYPE, \
00872     }
00873 #define DEFAULT_RC_U_SYSADM_ACI \
00874     { \
00875       .rc_role = RSBAC_RC_SYSTEM_ADMIN_ROLE, /* rc_role (RC) */ \
00876       .rc_type = RSBAC_RC_SYS_TYPE, \
00877     }
00878 #define DEFAULT_RC_U_SECOFF_ACI \
00879     { \
00880       .rc_role = RSBAC_RC_ROLE_ADMIN_ROLE, /* rc_role (RC) */ \
00881       .rc_type = RSBAC_RC_SEC_TYPE, \
00882     }
00883 #define DEFAULT_RC_U_AUDITOR_ACI \
00884     { \
00885       .rc_role = RSBAC_RC_AUDITOR_ROLE, /* rc_role (RC) */ \
00886       .rc_type = RSBAC_RC_SEC_TYPE, /* same type as the security officer default */ \
00887     }
00888 #endif
00889 
/*
 * AUTH user ACI: only version and key are defined; no record struct or
 * default macro is declared in this section.
 * NOTE(review): the stored value is presumably the role behind A_auth_role
 * in RSBAC_USER_ATTR_LIST - confirm.
 */
00890 #if defined(CONFIG_RSBAC_AUTH)
00891 #define RSBAC_AUTH_USER_ACI_VERSION 1
00892 #define RSBAC_AUTH_USER_ACI_KEY 1001
00893
00894 #endif                          /* AUTH */
00895 
00896 #if defined(CONFIG_RSBAC_CAP)
/*
 * CAP user ACI, version 2, and the version 1 layout it replaced.
 * The two structs are identical up to max_caps; version 2 appends cap_ld_env.
 * NOTE(review): the old struct is presumably only read when converting stored
 * version 1 records - confirm; its layout must then stay untouched.
 */
00897 #define RSBAC_CAP_USER_ACI_VERSION 2
00898 #define RSBAC_CAP_USER_OLD_ACI_VERSION 1
00899 #define RSBAC_CAP_USER_ACI_KEY 1001
00900 struct rsbac_cap_user_aci_t {
00901         rsbac_system_role_int_t cap_role;       /* System role for CAP administration */
00902         rsbac_cap_vector_t min_caps;            /* User forced minimum Linux capabilities */
00903         rsbac_cap_vector_t max_caps;            /* User max Linux capabilities */
00904         rsbac_cap_ld_env_int_t cap_ld_env;      /* LD_* setting; NOTE(review): presumably governs dynamic-linker environment handling - confirm in rsbac/types.h */
00905 };
00906
/* Version 1 layout: no cap_ld_env member. */
00907 struct rsbac_cap_user_old_aci_t {
00908         rsbac_system_role_int_t cap_role;       /* System role for CAP administration */
00909         rsbac_cap_vector_t min_caps;            /* User forced minimum Linux capabilities */
00910         rsbac_cap_vector_t max_caps;            /* User max Linux capabilities */
00911 };
00912 
/*
 * Default CAP attribute sets for user records. The four variants are
 * identical except for .cap_role: the capability bounds and the LD_keep
 * setting are the same for ordinary users and for the three privileged roles.
 */
00913 #define DEFAULT_CAP_U_ACI \
00914     { \
00915       .cap_role = SR_user, \
00916       .min_caps = RSBAC_CAP_DEFAULT_MIN, \
00917       .max_caps = RSBAC_CAP_DEFAULT_MAX, \
00918       .cap_ld_env = LD_keep, \
00919     }
00920 #define DEFAULT_CAP_U_SYSADM_ACI \
00921     { \
00922       .cap_role = SR_administrator, \
00923       .min_caps = RSBAC_CAP_DEFAULT_MIN, \
00924       .max_caps = RSBAC_CAP_DEFAULT_MAX, \
00925       .cap_ld_env = LD_keep, \
00926     }
00927 #define DEFAULT_CAP_U_SECOFF_ACI \
00928     { \
00929       .cap_role = SR_security_officer, \
00930       .min_caps = RSBAC_CAP_DEFAULT_MIN, \
00931       .max_caps = RSBAC_CAP_DEFAULT_MAX, \
00932       .cap_ld_env = LD_keep, \
00933     }
00934 #define DEFAULT_CAP_U_AUDITOR_ACI \
00935     { \
00936       .cap_role = SR_auditor, \
00937       .min_caps = RSBAC_CAP_DEFAULT_MIN, \
00938       .max_caps = RSBAC_CAP_DEFAULT_MAX, \
00939       .cap_ld_env = LD_keep, \
00940     }
00941 #endif
00942 
/*
 * JAIL and PAX user ACI: version and key only, no record struct here.
 * The PAX key (1001221) is not the 1001 used by the neighbouring user ACI keys.
 * NOTE(review): whether that difference is intentional cannot be told from
 * this header; a key presumably has to match the one stored with existing
 * data, so do not "normalise" it without checking.
 */
00943 #if defined(CONFIG_RSBAC_JAIL)
00944 #define RSBAC_JAIL_USER_ACI_VERSION 1
00945 #define RSBAC_JAIL_USER_ACI_KEY 1001
00946 #endif
00947
00948 #if defined(CONFIG_RSBAC_PAX)
00949 #define RSBAC_PAX_USER_ACI_VERSION 1
00950 #define RSBAC_PAX_USER_ACI_KEY 1001221
00951 #endif
00952 
00953 #if defined(CONFIG_RSBAC_RES)
/*
 * RES user ACI: administration role plus per-resource minimum and maximum
 * arrays. The key here is 1002, not the 1001 used by most other user ACIs.
 * The DEFAULT_RES_U_* macros fill both arrays positionally with 11 entries,
 * so they depend on the element order of rsbac_res_array_t.
 * NOTE(review): that order presumably follows the kernel's resource limit
 * numbering - confirm in rsbac/types.h before adding or moving an entry.
 */
00954 #define RSBAC_RES_USER_ACI_VERSION 1
00955 #define RSBAC_RES_USER_ACI_KEY 1002
00956 struct rsbac_res_user_aci_t {
00957         rsbac_system_role_int_t res_role;       /* System role for RES administration */
00958         rsbac_res_array_t res_min;              /* per-resource minimum values */
00959         rsbac_res_array_t res_max;              /* per-resource maximum values */
00960 };
/*
 * Default RES attributes for an ordinary user (SR_user): every minimum and
 * maximum entry is RSBAC_RES_UNSET. The array entries are positional; the
 * comment on each line names the resource that slot stands for.
 */
00961 #define DEFAULT_RES_U_ACI \
00962     { \
00963       .res_role = SR_user, \
00964       .res_min = { \
00965         RSBAC_RES_UNSET,           /* cpu time */ \
00966         RSBAC_RES_UNSET,           /* file size */ \
00967         RSBAC_RES_UNSET,           /* process data segment size */ \
00968         RSBAC_RES_UNSET,           /* stack size */ \
00969         RSBAC_RES_UNSET,           /* core dump size */ \
00970         RSBAC_RES_UNSET,           /* resident memory set size */ \
00971         RSBAC_RES_UNSET,           /* number of processes for this user */ \
00972         RSBAC_RES_UNSET,           /* number of files */ \
00973         RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
00974         RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
00975         RSBAC_RES_UNSET            /* maximum file locks */ \
00976       }, \
00977       .res_max = { \
00978         RSBAC_RES_UNSET,           /* cpu time */ \
00979         RSBAC_RES_UNSET,           /* file size */ \
00980         RSBAC_RES_UNSET,           /* process data segment size */ \
00981         RSBAC_RES_UNSET,           /* stack size */ \
00982         RSBAC_RES_UNSET,           /* core dump size */ \
00983         RSBAC_RES_UNSET,           /* resident memory set size */ \
00984         RSBAC_RES_UNSET,           /* number of processes for this user */ \
00985         RSBAC_RES_UNSET,           /* number of files */ \
00986         RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
00987         RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
00988         RSBAC_RES_UNSET            /* maximum file locks */ \
00989       }, \
00990     }
/*
 * Default RES attributes with res_role = SR_administrator. All 11 minimum and
 * all 11 maximum entries are RSBAC_RES_UNSET, as in DEFAULT_RES_U_ACI; only
 * the role differs.
 */
00991 #define DEFAULT_RES_U_SYSADM_ACI \
00992     { \
00993       .res_role = SR_administrator, \
00994       .res_min = { \
00995         RSBAC_RES_UNSET,           /* cpu time */ \
00996         RSBAC_RES_UNSET,           /* file size */ \
00997         RSBAC_RES_UNSET,           /* process data segment size */ \
00998         RSBAC_RES_UNSET,           /* stack size */ \
00999         RSBAC_RES_UNSET,           /* core dump size */ \
01000         RSBAC_RES_UNSET,           /* resident memory set size */ \
01001         RSBAC_RES_UNSET,           /* number of processes for this user */ \
01002         RSBAC_RES_UNSET,           /* number of files */ \
01003         RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
01004         RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
01005         RSBAC_RES_UNSET            /* maximum file locks */ \
01006       }, \
01007       .res_max = { \
01008         RSBAC_RES_UNSET,           /* cpu time */ \
01009         RSBAC_RES_UNSET,           /* file size */ \
01010         RSBAC_RES_UNSET,           /* process data segment size */ \
01011         RSBAC_RES_UNSET,           /* stack size */ \
01012         RSBAC_RES_UNSET,           /* core dump size */ \
01013         RSBAC_RES_UNSET,           /* resident memory set size */ \
01014         RSBAC_RES_UNSET,           /* number of processes for this user */ \
01015         RSBAC_RES_UNSET,           /* number of files */ \
01016         RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
01017         RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
01018         RSBAC_RES_UNSET            /* maximum file locks */ \
01019       } \
01020     }
/*
 * Default RES attributes with res_role = SR_security_officer. All 11 minimum
 * and all 11 maximum entries are RSBAC_RES_UNSET; only the role differs from
 * the ordinary user default.
 */
01021 #define DEFAULT_RES_U_SECOFF_ACI \
01022     { \
01023       .res_role = SR_security_officer, \
01024       .res_min = { \
01025         RSBAC_RES_UNSET,           /* cpu time */ \
01026         RSBAC_RES_UNSET,           /* file size */ \
01027         RSBAC_RES_UNSET,           /* process data segment size */ \
01028         RSBAC_RES_UNSET,           /* stack size */ \
01029         RSBAC_RES_UNSET,           /* core dump size */ \
01030         RSBAC_RES_UNSET,           /* resident memory set size */ \
01031         RSBAC_RES_UNSET,           /* number of processes for this user */ \
01032         RSBAC_RES_UNSET,           /* number of files */ \
01033         RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
01034         RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
01035         RSBAC_RES_UNSET            /* maximum file locks */ \
01036       }, \
01037       .res_max = { \
01038         RSBAC_RES_UNSET,           /* cpu time */ \
01039         RSBAC_RES_UNSET,           /* file size */ \
01040         RSBAC_RES_UNSET,           /* process data segment size */ \
01041         RSBAC_RES_UNSET,           /* stack size */ \
01042         RSBAC_RES_UNSET,           /* core dump size */ \
01043         RSBAC_RES_UNSET,           /* resident memory set size */ \
01044         RSBAC_RES_UNSET,           /* number of processes for this user */ \
01045         RSBAC_RES_UNSET,           /* number of files */ \
01046         RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
01047         RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
01048         RSBAC_RES_UNSET            /* maximum file locks */ \
01049       } \
01050     }
/*
 * Default RES attributes with res_role = SR_auditor. All 11 minimum and all
 * 11 maximum entries are RSBAC_RES_UNSET; only the role differs from the
 * ordinary user default.
 */
01051 #define DEFAULT_RES_U_AUDITOR_ACI \
01052     { \
01053       .res_role = SR_auditor, \
01054       .res_min = { \
01055         RSBAC_RES_UNSET,           /* cpu time */ \
01056         RSBAC_RES_UNSET,           /* file size */ \
01057         RSBAC_RES_UNSET,           /* process data segment size */ \
01058         RSBAC_RES_UNSET,           /* stack size */ \
01059         RSBAC_RES_UNSET,           /* core dump size */ \
01060         RSBAC_RES_UNSET,           /* resident memory set size */ \
01061         RSBAC_RES_UNSET,           /* number of processes for this user */ \
01062         RSBAC_RES_UNSET,           /* number of files */ \
01063         RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
01064         RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
01065         RSBAC_RES_UNSET            /* maximum file locks */ \
01066       }, \
01067       .res_max = { \
01068         RSBAC_RES_UNSET,           /* cpu time */ \
01069         RSBAC_RES_UNSET,           /* file size */ \
01070         RSBAC_RES_UNSET,           /* process data segment size */ \
01071         RSBAC_RES_UNSET,           /* stack size */ \
01072         RSBAC_RES_UNSET,           /* core dump size */ \
01073         RSBAC_RES_UNSET,           /* resident memory set size */ \
01074         RSBAC_RES_UNSET,           /* number of processes for this user */ \
01075         RSBAC_RES_UNSET,           /* number of files */ \
01076         RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
01077         RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
01078         RSBAC_RES_UNSET            /* maximum file locks */ \
01079       } \
01080     }
01081 #endif
01082 
/*
 * All attributes that exist for a user target, across every module, and their
 * count. The list below has 24 entries, matching RSBAC_USER_NR_ATTRIBUTES;
 * change both together when an attribute is added or removed.
 * The list is not conditional on the CONFIG_RSBAC_* module options.
 */
01083 #define RSBAC_USER_NR_ATTRIBUTES 24
01084 #define RSBAC_USER_ATTR_LIST { \
01085       A_pseudo, \
01086       A_log_user_based, \
01087       A_security_level, \
01088       A_initial_security_level, \
01089       A_min_security_level, \
01090       A_mac_categories, \
01091       A_mac_initial_categories, \
01092       A_mac_min_categories, \
01093       A_mac_role, \
01094       A_mac_user_flags, \
01095       A_daz_role, \
01096       A_ff_role, \
01097       A_auth_role, \
01098       A_pm_task_set, \
01099       A_pm_role, \
01100       A_rc_def_role, \
01101       A_rc_type, \
01102       A_min_caps, \
01103       A_max_caps, \
01104       A_cap_role, \
01105       A_cap_ld_env, \
01106       A_jail_role, \
01107       A_res_role, \
01108       A_pax_role \
01109       }
01110 
01111 #ifdef __KERNEL__
/*
 * List handles for the user ACI, one per decision module. The gen handle is
 * always present; every other member exists only when the matching
 * CONFIG_RSBAC_* option is defined, so the struct layout depends on the
 * kernel configuration.
 */
01112 struct rsbac_user_handles_t {
01113         rsbac_list_handle_t gen;
01114 #if defined(CONFIG_RSBAC_MAC)
01115         rsbac_list_handle_t mac;
01116 #endif
01117 #if defined(CONFIG_RSBAC_PM)
01118         rsbac_list_handle_t pm;
01119 #endif
01120 #if defined(CONFIG_RSBAC_DAZ)
01121         rsbac_list_handle_t daz;
01122 #endif
01123 #if defined(CONFIG_RSBAC_FF)
01124         rsbac_list_handle_t ff;
01125 #endif
01126 #if defined(CONFIG_RSBAC_RC)
01127         rsbac_list_handle_t rc;
01128 #endif
01129 #if defined(CONFIG_RSBAC_AUTH)
01130         rsbac_list_handle_t auth;
01131 #endif
01132 #if defined(CONFIG_RSBAC_CAP)
01133         rsbac_list_handle_t cap;
01134 #endif
01135 #if defined(CONFIG_RSBAC_JAIL)
01136         rsbac_list_handle_t jail;
01137 #endif
01138 #if defined(CONFIG_RSBAC_PAX)
01139         rsbac_list_handle_t pax;
01140 #endif
01141 #if defined(CONFIG_RSBAC_RES)
01142         rsbac_list_handle_t res;
01143 #endif
01144 };
01145 #endif
01146 
01147 /********************************/
01148 /* Process ACI. */
01149 
/*
 * Names of the per-module process ACI lists.
 * NOTE(review): presumably the names handed over when each list is
 * registered - confirm; nothing in this section shows how they are used.
 */
01150 #define RSBAC_GEN_ACI_PROCESS_NAME   "process_gen"
01151 #define RSBAC_MAC_ACI_PROCESS_NAME   "process_mac"
01152 #define RSBAC_PM_ACI_PROCESS_NAME    "process_pm"
01153 #define RSBAC_DAZ_ACI_PROCESS_NAME    "process_daz"
01154 #define RSBAC_RC_ACI_PROCESS_NAME    "process_rc"
01155 #define RSBAC_AUTH_ACI_PROCESS_NAME    "process_auth"
01156 #define RSBAC_CAP_ACI_PROCESS_NAME    "process_cap"
01157 #define RSBAC_JAIL_ACI_PROCESS_NAME    "process_jail"
01158 
/*
 * General (module-independent) process ACI and its default.
 * By default no request is logged per program, fake root is off, and both
 * audit ids are RSBAC_NO_USER.
 */
01159 #define RSBAC_GEN_PROCESS_ACI_VERSION 2
01160 #define RSBAC_GEN_PROCESS_ACI_KEY 1001
01161 struct rsbac_gen_process_aci_t {
01162         rsbac_request_vector_t log_program_based;       /* request bit vector for program based logging */
01163         rsbac_fake_root_uid_int_t fake_root_uid;        /* FR_* setting, FR_off by default */
01164         rsbac_uid_t audit_uid;
01165         rsbac_uid_t auid_exempt;
01166         __u32 remote_ip;        /* NOTE(review): 32 bits wide, so presumably an IPv4 address; byte order is not visible here - confirm */
01167         rsbac_boolean_t kernel_thread;
01168 };
01169 #define DEFAULT_GEN_P_ACI \
01170     { \
01171       .log_program_based = 0, \
01172       .fake_root_uid = FR_off, \
01173       .audit_uid = RSBAC_NO_USER, \
01174       .auid_exempt = RSBAC_NO_USER, \
01175       .remote_ip = 0, \
01176       .kernel_thread = 0, /* literal 0 where other defaults in this file write FALSE */ \
01177     }
01178 
01179 #if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
/*
 * MAC process ACI: the owner's level and category bounds, the process's
 * current level and categories, and the running write/read bounds the
 * existing comments tie to the *-property.
 * NOTE(review): the three owner_* comments name enum
 * old_rsbac_security_level_t while the other level members name
 * enum rsbac_security_level_t; all use the same C type, so the "old_"
 * wording may be stale - confirm.
 */
01180 #define RSBAC_MAC_PROCESS_ACI_VERSION 1
01181 #define RSBAC_MAC_PROCESS_ACI_KEY 1001
01182 struct rsbac_mac_process_aci_t {
01183         rsbac_security_level_t owner_sec_level; /* enum old_rsbac_security_level_t */
01184         rsbac_security_level_t owner_initial_sec_level; /* enum old_rsbac_security_level_t */
01185         rsbac_security_level_t owner_min_sec_level;     /* enum old_rsbac_security_level_t */
01186         rsbac_mac_category_vector_t mac_owner_categories;       /* MAC category set */
01187         rsbac_mac_category_vector_t mac_owner_initial_categories;       /* MAC category set */
01188         rsbac_mac_category_vector_t mac_owner_min_categories;   /* MAC category set */
01189         rsbac_security_level_t current_sec_level;       /* enum rsbac_security_level_t */
01190         rsbac_mac_category_vector_t mac_curr_categories;        /* MAC current category set */
01191         rsbac_security_level_t min_write_open;  /* for *-property, enum rsbac_security_level_t */
01192         rsbac_mac_category_vector_t min_write_categories;       /* MAC, for *-property */
01193         rsbac_security_level_t max_read_open;   /* for *-property, enum rsbac_security_level_t */
01194         rsbac_mac_category_vector_t max_read_categories;        /* MAC, for *-property */
01195         rsbac_mac_process_flags_t mac_process_flags;    /* flags (override, trusted, auto etc.) */
01196 };
/*
 * Default MAC attributes for a process. min_write_open starts at SL_max with
 * the maximum category vector and max_read_open at SL_unclassified with the
 * minimum category vector.
 * NOTE(review): these look like the neutral starting values for running
 * minimum/maximum tracking, before the process has opened anything - confirm
 * in the MAC decision code.
 */
01197 #define DEFAULT_MAC_P_ACI \
01198     { \
01199       .owner_sec_level = SL_unclassified, \
01200       .owner_initial_sec_level = SL_unclassified, \
01201       .owner_min_sec_level = SL_unclassified, \
01202       .mac_owner_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01203       .mac_owner_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01204       .mac_owner_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
01205       .current_sec_level = SL_unclassified, \
01206       .mac_curr_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01207       .min_write_open = SL_max, \
01208       .min_write_categories = RSBAC_MAC_MAX_CAT_VECTOR, \
01209       .max_read_open = SL_unclassified, \
01210       .max_read_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
01211       .mac_process_flags = RSBAC_MAC_DEF_P_FLAGS, \
01212     }
/*
 * Same values as DEFAULT_MAC_P_ACI except for the process flags, which are
 * RSBAC_MAC_DEF_INIT_P_FLAGS. NOTE(review): by its name meant for the init
 * process - confirm at the point of use.
 */
01213 #define DEFAULT_MAC_P_INIT_ACI \
01214     { \
01215       .owner_sec_level = SL_unclassified, \
01216       .owner_initial_sec_level = SL_unclassified, \
01217       .owner_min_sec_level = SL_unclassified, \
01218       .mac_owner_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01219       .mac_owner_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01220       .mac_owner_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
01221       .current_sec_level = SL_unclassified, \
01222       .mac_curr_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01223       .min_write_open = SL_max, \
01224       .min_write_categories = RSBAC_MAC_MAX_CAT_VECTOR, \
01225       .max_read_open = SL_unclassified, \
01226       .max_read_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
01227       .mac_process_flags = RSBAC_MAC_DEF_INIT_P_FLAGS, \
01228     }
01229 #endif
01230 
/*
 * PM process ACI: TP id, current task id and process type, with a default of
 * no TP (0), no task (0) and PP_none.
 */
01231 #if defined(CONFIG_RSBAC_PM)
01232 #define RSBAC_PM_PROCESS_ACI_VERSION 1
01233 #define RSBAC_PM_PROCESS_ACI_KEY 1001
01234 struct rsbac_pm_process_aci_t {
01235         rsbac_pm_tp_id_t pm_tp;
01236         rsbac_pm_task_id_t pm_current_task;
01237         rsbac_pm_process_type_int_t pm_process_type;    /* enum rsbac_pm_process_type_t */
01238 };
01239 #define DEFAULT_PM_P_ACI \
01240     { \
01241       .pm_tp = 0, \
01242       .pm_current_task = 0, \
01243       .pm_process_type = PP_none, \
01244     }
01245 #endif
01246 
/*
 * DAZ process ACI: a single boolean marking the process as a scanner.
 * The default is FALSE, so a process is not a scanner unless the flag is set
 * explicitly.
 */
01247 #if defined(CONFIG_RSBAC_DAZ)
01248 #define RSBAC_DAZ_PROCESS_ACI_VERSION 1
01249 #define RSBAC_DAZ_PROCESS_ACI_KEY 1001
01250 struct rsbac_daz_process_aci_t {
01251         rsbac_boolean_int_t daz_scanner;        /* DAZ, boolean */
01252 };
01253 #define DEFAULT_DAZ_P_ACI \
01254     { \
01255       .daz_scanner = FALSE, \
01256     }
01257 #endif
01258 
/*
 * RC process ACI: current role and type, forced role and selected type, with
 * three defaults. The INIT and KERNEL defaults both start in
 * RSBAC_RC_SYSTEM_ADMIN_ROLE; the plain default starts in
 * RSBAC_RC_GENERAL_ROLE. The KERNEL default takes its type from the build
 * option CONFIG_RSBAC_RC_KERNEL_PROCESS_TYPE.
 * NOTE(review): which processes receive the INIT and KERNEL variants is
 * decided where the macros are used - confirm that only init and kernel
 * threads can be given the administrator role this way.
 */
01259 #if defined(CONFIG_RSBAC_RC)
01260 #define RSBAC_RC_PROCESS_ACI_VERSION 1
01261 #define RSBAC_RC_PROCESS_ACI_KEY 1001
01262 struct rsbac_rc_process_aci_t {
01263         rsbac_rc_role_id_t rc_role;     /* RC */
01264         rsbac_rc_type_id_t rc_type;     /* RC */
01265         rsbac_rc_role_id_t rc_force_role;       /* RC */
01266         rsbac_rc_type_id_t rc_select_type; /* RC */
01267 };
01268 #define DEFAULT_RC_P_ACI \
01269     { \
01270       .rc_role = RSBAC_RC_GENERAL_ROLE, \
01271       .rc_type = RSBAC_RC_GENERAL_TYPE, \
01272       .rc_force_role = RC_default_force_role, \
01273       .rc_select_type = RC_type_use_fd, \
01274     }
01275 #define DEFAULT_RC_P_INIT_ACI \
01276     { \
01277       .rc_role = RSBAC_RC_SYSTEM_ADMIN_ROLE, \
01278       .rc_type = RSBAC_RC_GENERAL_TYPE, \
01279       .rc_force_role = RC_default_force_role, \
01280       .rc_select_type = RC_type_use_fd, \
01281     }
01282 #define DEFAULT_RC_P_KERNEL_ACI \
01283     { \
01284       .rc_role = RSBAC_RC_SYSTEM_ADMIN_ROLE, \
01285       .rc_type = CONFIG_RSBAC_RC_KERNEL_PROCESS_TYPE, \
01286       .rc_force_role = RC_default_force_role, \
01287       .rc_select_type = RC_type_use_fd, \
01288     }
01289 #endif
01290 
01291 #if defined(CONFIG_RSBAC_AUTH)
/*
 * AUTH process ACI. The first three members are always present. The learning
 * members exist only when CONFIG_RSBAC_AUTH_LEARN and __KERNEL__ are both
 * defined, and some of them additionally need the DAC_OWNER, GROUP and
 * DAC_GROUP options, so the struct size and layout depend on the build.
 */
01292 #define RSBAC_AUTH_PROCESS_ACI_VERSION 1
01293 #define RSBAC_AUTH_PROCESS_ACI_KEY 1001
01294 struct rsbac_auth_process_aci_t {
01295         __u8 auth_may_setuid;   /* AUTH (boolean) */
01296         __u8 auth_may_set_cap;  /* AUTH (boolean) */
01297         rsbac_uid_t auth_last_auth;
01298 #if defined(CONFIG_RSBAC_AUTH_LEARN) && defined(__KERNEL__)
01299         struct rsbac_fs_file_t auth_program_file;
01300         rsbac_uid_t auth_start_uid;
01301 #ifdef CONFIG_RSBAC_AUTH_DAC_OWNER
01302         rsbac_uid_t auth_start_euid;
01303 #endif
01304 #ifdef CONFIG_RSBAC_AUTH_GROUP
01305         rsbac_gid_t auth_start_gid;
01306 #ifdef CONFIG_RSBAC_AUTH_DAC_GROUP
01307         rsbac_gid_t auth_start_egid;
01308 #endif
01309 #endif
01310         __u8 auth_learn;        /* AUTH (boolean) */
01311 #endif
01312 };
01313 
/*
 * Default AUTH process attributes: setuid and capability setting are not
 * permitted (FALSE) and no user has been authenticated (RSBAC_NO_USER).
 *
 * NOTE(review): this guard tests CONFIG_RSBAC_AUTH_LEARN only, while the
 * learning members of struct rsbac_auth_process_aci_t also require __KERNEL__.
 * A non-kernel build with CONFIG_RSBAC_AUTH_LEARN defined would get the first
 * variant and name members the struct does not have; the guards should
 * probably match.
 * NOTE(review): auth_start_euid, auth_start_gid and auth_start_egid are not
 * listed, so where they exist they are zero-initialised, and auth_start_uid
 * is set to 0 rather than RSBAC_NO_USER. Confirm these are always overwritten
 * before they are read.
 */
01314 #if defined(CONFIG_RSBAC_AUTH_LEARN)
01315 #define DEFAULT_AUTH_P_ACI \
01316     { \
01317       .auth_may_setuid = FALSE, \
01318       .auth_may_set_cap = FALSE, \
01319       .auth_last_auth = RSBAC_NO_USER, \
01320       .auth_program_file = { RSBAC_ZERO_DEV, 0, NULL }, /* positional: relies on the member order of struct rsbac_fs_file_t */ \
01321       .auth_start_uid = 0, \
01322       .auth_learn = 0, \
01323     }
01324 #else
01325 #define DEFAULT_AUTH_P_ACI \
01326     { \
01327       .auth_may_setuid = FALSE, \
01328       .auth_may_set_cap = FALSE, \
01329       .auth_last_auth = RSBAC_NO_USER, \
01330     }
01331 #endif
01332 #endif
01333 
01334 
/*
 * CAP process ACI and its default. max_caps_user and max_caps_program exist
 * only with CONFIG_RSBAC_CAP_LOG_MISSING, and the default macro is defined
 * twice so that it always matches the struct.
 * The process default for cap_ld_env is LD_allow, whereas the user defaults
 * (DEFAULT_CAP_U_*) use LD_keep.
 * The key here is 10013283, not the 1001 used by most process ACIs.
 */
01335 #if defined(CONFIG_RSBAC_CAP)
01336 #define RSBAC_CAP_PROCESS_ACI_VERSION 2
01337 #define RSBAC_CAP_PROCESS_ACI_KEY 10013283
01338 struct rsbac_cap_process_aci_t {
01339         rsbac_cap_process_hiding_int_t cap_process_hiding;
01340 #ifdef CONFIG_RSBAC_CAP_LOG_MISSING
01341         rsbac_cap_vector_t max_caps_user;
01342         rsbac_cap_vector_t max_caps_program;
01343 #endif
01344         rsbac_cap_ld_env_int_t cap_ld_env;
01345 };
01346
01347 #ifdef CONFIG_RSBAC_CAP_LOG_MISSING
01348 #define DEFAULT_CAP_P_ACI \
01349     { \
01350       .cap_process_hiding = PH_off, \
01351       .max_caps_user = RSBAC_CAP_DEFAULT_MAX, \
01352       .max_caps_program = RSBAC_CAP_DEFAULT_MAX, \
01353       .cap_ld_env = LD_allow, \
01354     }
01355 #else
01356 #define DEFAULT_CAP_P_ACI \
01357     { \
01358       .cap_process_hiding = PH_off, \
01359       .cap_ld_env = LD_allow, \
01360     }
01361 #endif
01362 #endif
01363 
/*
 * JAIL process ACI: jail id, parent jail id, jail IP, flags, capability bound
 * and the two SCD target vectors, with an all-zero default except max_caps.
 * NOTE(review): id 0 presumably means "not in a jail", and max_caps = -1
 * presumably sets every bit of an unsigned capability vector, i.e. no
 * capability is masked for a process that is not jailed - confirm both
 * against rsbac/types.h and the JAIL decision code.
 */
01364 #if defined(CONFIG_RSBAC_JAIL)
01365 #define RSBAC_JAIL_PROCESS_ACI_VERSION 1
01366 #define RSBAC_JAIL_PROCESS_ACI_KEY 1001
01367 struct rsbac_jail_process_aci_t {
01368         rsbac_jail_id_t id;
01369         rsbac_jail_id_t parent;
01370         rsbac_jail_ip_t ip;
01371         rsbac_jail_flags_t flags;
01372         rsbac_cap_vector_t max_caps;    /* Program max Linux capabilities */
01373         rsbac_jail_scd_vector_t scd_get;        /* SCD targets GET_STATUS_DATA */
01374         rsbac_jail_scd_vector_t scd_modify;     /* SCD targets MODIFY_SYSTEM_DATA */
01375 };
01376 #define DEFAULT_JAIL_P_ACI \
01377     { \
01378       .id = 0, \
01379       .parent = 0, \
01380       .ip = 0, \
01381       .flags = 0, \
01382       .max_caps = -1, \
01383       .scd_get = 0, \
01384       .scd_modify = 0, \
01385     }
01386 #endif
01387 
/*
 * All attributes that exist for a process target and their count. The list
 * below has 38 entries, matching RSBAC_PROCESS_NR_ATTRIBUTES; change both
 * together.
 * The list is unconditional: A_auth_learn, A_max_caps_user and
 * A_max_caps_program are listed even though the struct members behind them
 * exist only with CONFIG_RSBAC_AUTH_LEARN / CONFIG_RSBAC_CAP_LOG_MISSING.
 */
01388 #define RSBAC_PROCESS_NR_ATTRIBUTES 38
01389 #define RSBAC_PROCESS_ATTR_LIST { \
01390       A_security_level, \
01391       A_min_security_level, \
01392       A_mac_categories, \
01393       A_mac_min_categories, \
01394       A_current_sec_level, \
01395       A_mac_curr_categories, \
01396       A_min_write_open, \
01397       A_min_write_categories, \
01398       A_max_read_open, \
01399       A_max_read_categories, \
01400       A_mac_process_flags, \
01401       A_pm_tp, \
01402       A_pm_current_task, \
01403       A_pm_process_type, \
01404       A_daz_scanner, \
01405       A_rc_role, \
01406       A_rc_type, \
01407       A_rc_force_role, \
01408       A_rc_select_type, \
01409       A_auth_may_setuid, \
01410       A_auth_may_set_cap, \
01411       A_auth_learn, \
01412       A_cap_process_hiding, \
01413       A_max_caps_user, \
01414       A_max_caps_program, \
01415       A_cap_ld_env, \
01416       A_jail_id, \
01417       A_jail_ip, \
01418       A_jail_flags, \
01419       A_jail_max_caps, \
01420       A_jail_scd_get, \
01421       A_jail_scd_modify, \
01422       A_log_program_based, \
01423       A_fake_root_uid, \
01424       A_audit_uid, \
01425       A_auid_exempt, \
01426       A_auth_last_auth, \
01427       A_remote_ip \
01428       }
01429 
01430 #ifdef __KERNEL__
/*
 * List handles for the process ACI, one per decision module; gen is always
 * present, the others depend on the matching CONFIG_RSBAC_* option.
 * NOTE(review): the mac handle is guarded by CONFIG_RSBAC_MAC alone, while
 * struct rsbac_mac_process_aci_t is also compiled for CONFIG_RSBAC_MAC_MAINT -
 * confirm that a maintenance-only build is not expected to hold this list.
 */
01431 struct rsbac_process_handles_t {
01432         rsbac_list_handle_t gen;
01433 #if defined(CONFIG_RSBAC_MAC)
01434         rsbac_list_handle_t mac;
01435 #endif
01436 #if defined(CONFIG_RSBAC_PM)
01437         rsbac_list_handle_t pm;
01438 #endif
01439 #if defined(CONFIG_RSBAC_DAZ)
01440         rsbac_list_handle_t daz;
01441 #endif
01442 #if defined(CONFIG_RSBAC_RC)
01443         rsbac_list_handle_t rc;
01444 #endif
01445 #if defined(CONFIG_RSBAC_AUTH)
01446         rsbac_list_handle_t auth;
01447 #endif
01448 #if defined(CONFIG_RSBAC_CAP)
01449         rsbac_list_handle_t cap;
01450 #endif
01451 #if defined(CONFIG_RSBAC_JAIL)
01452         rsbac_list_handle_t jail;
01453 #endif
01454 };
01455 #endif                          /* __KERNEL__ */
01456 
01457 
01458 /******************************/
01459 /* OK, now we define the UM group ACI, holding all information */
01460 /* the ADF needs for decisions.                                */
01461 
/*
 * Group ACI: only the RC module keeps a group attribute (A_rc_type), and
 * version and key are defined only with CONFIG_RSBAC_RC_UM_PROT.
 * No record struct is declared here. The attribute list has one entry,
 * matching RSBAC_GROUP_NR_ATTRIBUTES.
 */
01462 #define RSBAC_RC_ACI_GROUP_NAME    "grouprc"
01463
01464 /* Caution: whenever ACI changes, version should be increased!            */
01465
01466 #if defined(CONFIG_RSBAC_RC_UM_PROT)
01467 #define RSBAC_RC_GROUP_ACI_VERSION 1
01468 #define RSBAC_RC_GROUP_ACI_KEY 13276142
01469 #endif
01470
01471 #define RSBAC_GROUP_NR_ATTRIBUTES 1
01472 #define RSBAC_GROUP_ATTR_LIST { \
01473       A_rc_type \
01474       }
01475 
01476 #ifdef __KERNEL__
/*
 * List handles for the group ACI. The only member depends on
 * CONFIG_RSBAC_RC_UM_PROT; without it the struct has no members, which is
 * accepted as a GNU C extension but is not valid ISO C.
 */
01477 struct rsbac_group_handles_t {
01478 #if defined(CONFIG_RSBAC_RC_UM_PROT)
01479         rsbac_list_handle_t rc;
01480 #endif
01481 };
01482 #endif                          /* __KERNEL__ */
01483 
01484 /********************************/
01485 /* NETDEV ACI */
01486 
/*
 * Network device ACI: list names, and the general record holding the two
 * halves of the per-device logging array.
 * NOTE(review): the default of -1 presumably sets every bit in both halves
 * (an unsigned array type is assumed); what an all-ones entry means for
 * logging is defined elsewhere - confirm in rsbac/types.h.
 */
01487 #define RSBAC_GEN_ACI_NETDEV_NAME   "nd_gen"
01488 #define RSBAC_RC_ACI_NETDEV_NAME    "nd_rc"
01489
01490 #define RSBAC_GEN_NETDEV_ACI_VERSION 1
01491 #define RSBAC_GEN_NETDEV_ACI_KEY 1001
01492 struct rsbac_gen_netdev_aci_t {
01493         rsbac_log_array_t log_array_low;        /* netdev based logging, */
01494         rsbac_log_array_t log_array_high;       /* high and low bits */
01495 };
01496 #define DEFAULT_GEN_NETDEV_ACI \
01497     { \
01498       .log_array_low = -1, \
01499       .log_array_high = -1, \
01500     }
01501 
/*
 * RC network device ACI (version and key only, no record struct declared
 * here) and the list of all network device attributes. The list has three
 * entries, matching RSBAC_NETDEV_NR_ATTRIBUTES.
 */
01502 #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
01503 #define RSBAC_RC_NETDEV_ACI_VERSION 1
01504 #define RSBAC_RC_NETDEV_ACI_KEY 1001
01505 #endif
01506
01507 #define RSBAC_NETDEV_NR_ATTRIBUTES 3
01508 #define RSBAC_NETDEV_ATTR_LIST { \
01509       A_rc_type, \
01510       A_log_array_low, \
01511       A_log_array_high \
01512       }
01513 
01514 #ifdef __KERNEL__
/*
 * List handles for the network device ACI. gen exists only with
 * CONFIG_RSBAC_IND_NETDEV_LOG and rc only with RC or RC_MAINT; with neither
 * the struct has no members (a GNU C extension).
 */
01515 struct rsbac_netdev_handles_t {
01516 #if defined(CONFIG_RSBAC_IND_NETDEV_LOG)
01517         rsbac_list_handle_t gen;
01518 #endif
01519 #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
01520         rsbac_list_handle_t rc;
01521 #endif
01522 };
01523 #endif                          /* __KERNEL__ */
01524 
01525 /********************************/
01526 /* NETTEMP ACI */
01527 
/*
 * Names for the network template (nt_*) lists and for the local (lnetobj_*)
 * and remote (rnetobj_*) network object lists. Only templates have a "gen"
 * name; the network object names exist for MAC, PM and RC.
 */
01528 #define RSBAC_GEN_ACI_NETTEMP_NAME   "nt_gen"
01529 #define RSBAC_MAC_ACI_NETTEMP_NAME   "nt_mac"
01530 #define RSBAC_PM_ACI_NETTEMP_NAME    "nt_pm"
01531 #define RSBAC_RC_ACI_NETTEMP_NAME    "nt_rc"
01532
01533 #define RSBAC_MAC_ACI_LNETOBJ_NAME   "lnetobj_mac"
01534 #define RSBAC_PM_ACI_LNETOBJ_NAME    "lnetobj_pm"
01535 #define RSBAC_RC_ACI_LNETOBJ_NAME    "lnetobj_rc"
01536 #define RSBAC_MAC_ACI_RNETOBJ_NAME   "rnetobj_mac"
01537 #define RSBAC_PM_ACI_RNETOBJ_NAME    "rnetobj_pm"
01538 #define RSBAC_RC_ACI_RNETOBJ_NAME    "rnetobj_rc"
01539 
/*
 * General network template / network object ACI: the two halves of the
 * logging array, both defaulting to -1.
 * NOTE(review): -1 presumably sets every bit of an unsigned array type -
 * confirm the type and the meaning of an all-ones entry in rsbac/types.h.
 */
01540 #define RSBAC_GEN_NETOBJ_ACI_VERSION 1
01541 #define RSBAC_GEN_NETOBJ_ACI_KEY 1001
01542 struct rsbac_gen_netobj_aci_t {
01543         rsbac_log_array_t log_array_low;        /* nettemp/netobj based logging, */
01544         rsbac_log_array_t log_array_high;       /* high and low bits */
01545 };
01546 #define DEFAULT_GEN_NETOBJ_ACI \
01547     { \
01548       .log_array_low = -1, \
01549       .log_array_high = -1, \
01550     }
01551 
/*
 * MAC network object ACI: security level and category set, defaulting to
 * SL_unclassified with the default category vector.
 */
01552 #if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
01553 #define RSBAC_MAC_NETOBJ_ACI_VERSION 1
01554 #define RSBAC_MAC_NETOBJ_ACI_KEY 1001
01555 struct rsbac_mac_netobj_aci_t {
01556         rsbac_security_level_t sec_level;       /* enum old_rsbac_security_level_t / __u8 */
01557         rsbac_mac_category_vector_t mac_categories;     /* MAC category set */
01558 };
01559 #define DEFAULT_MAC_NETOBJ_ACI \
01560     { \
01561       .sec_level = SL_unclassified,  /* security_level (MAC) */ \
01562       .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01563     }
01564 #endif
01565 
/*
 * PM network object ACI: object class, IPC purpose and object type. The
 * default treats a network object as an IPC object (IPC object class, PO_ipc)
 * with purpose 0.
 */
01566 #if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
01567 #define RSBAC_PM_NETOBJ_ACI_VERSION 1
01568 #define RSBAC_PM_NETOBJ_ACI_KEY 1001
01569 struct rsbac_pm_netobj_aci_t {
01570         rsbac_pm_object_class_id_t pm_object_class;     /* netobj only */
01571         rsbac_pm_purpose_id_t pm_ipc_purpose;
01572         rsbac_pm_object_type_int_t pm_object_type;      /* enum rsbac_pm_object_type_t */
01573 };
01574 #define DEFAULT_PM_NETOBJ_ACI \
01575     { \
01576       .pm_object_class = RSBAC_PM_IPC_OBJECT_CLASS_ID, \
01577       .pm_ipc_purpose = 0, \
01578       .pm_object_type = PO_ipc, \
01579     }
01580 #endif
01581 
/*
 * RC network ACI constants and the template record. Network objects and
 * network templates have separate version/key pairs (keys 1001 and 1002);
 * only the template record is declared as a struct here. Both of its types
 * default to RSBAC_RC_GENERAL_TYPE.
 */
01582 #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
01583 #define RSBAC_RC_NETOBJ_ACI_VERSION 1
01584 #define RSBAC_RC_NETOBJ_ACI_KEY 1001
01585 #define RSBAC_RC_NETTEMP_ACI_VERSION 1
01586 #define RSBAC_RC_NETTEMP_ACI_KEY 1002
01587
01588 struct rsbac_rc_nettemp_aci_t {
01589         rsbac_rc_type_id_t netobj_type; /* type inherited to netobj */
01590         rsbac_rc_type_id_t nettemp_type;        /* type of this template */
01591 };
01592 #define DEFAULT_RC_NETTEMP_ACI \
01593     { \
01594       .netobj_type = RSBAC_RC_GENERAL_TYPE, \
01595       .nettemp_type = RSBAC_RC_GENERAL_TYPE, \
01596     }
01597 #endif
01598 
/* Attributes defined for network templates. RSBAC_NETTEMP_NR_ATTRIBUTES is
 * the number of entries in RSBAC_NETTEMP_ATTR_LIST (9 are listed); the two
 * must be changed together, otherwise code sizing an array with the count
 * and filling it from the list would disagree.
 * The A_* identifiers are declared outside this section. */
#define RSBAC_NETTEMP_NR_ATTRIBUTES 9
#define RSBAC_NETTEMP_ATTR_LIST { \
      A_security_level, \
      A_mac_categories, \
      A_pm_object_class, \
      A_pm_ipc_purpose, \
      A_pm_object_type, \
      A_rc_type, \
      A_rc_type_nt, \
      A_log_array_low, \
      A_log_array_high \
      }
01611 
/* Attributes defined for network objects, each in a local and a remote
 * variant. RSBAC_NETOBJ_NR_ATTRIBUTES is the number of entries in
 * RSBAC_NETOBJ_ATTR_LIST (16 are listed); keep the count and the list in
 * sync when adding or removing an attribute.
 * The A_* identifiers are declared outside this section. */
#define RSBAC_NETOBJ_NR_ATTRIBUTES 16
#define RSBAC_NETOBJ_ATTR_LIST { \
      A_local_sec_level, \
      A_remote_sec_level, \
      A_local_mac_categories, \
      A_remote_mac_categories, \
      A_local_pm_object_class, \
      A_remote_pm_object_class, \
      A_local_pm_ipc_purpose, \
      A_remote_pm_ipc_purpose, \
      A_local_pm_object_type, \
      A_remote_pm_object_type, \
      A_local_rc_type, \
      A_remote_rc_type, \
      A_local_log_array_low, \
      A_remote_log_array_low, \
      A_local_log_array_high, \
      A_remote_log_array_high \
      }
01631 
01632 #ifdef __KERNEL__
/* List handles for network template attributes, one per decision module.
 * A member exists only when the matching module (or its _MAINT variant) is
 * configured; "gen" exists only with CONFIG_RSBAC_IND_NETOBJ_LOG.
 * NOTE(review): with none of these options set the struct has no members,
 * which relies on a compiler extension - confirm that configuration is
 * supported. */
struct rsbac_nettemp_handles_t {
#if defined(CONFIG_RSBAC_IND_NETOBJ_LOG)
        rsbac_list_handle_t gen;
#endif
#if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
        rsbac_list_handle_t mac;
#endif
#if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
        rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
        rsbac_list_handle_t rc;
#endif
};
01647 
/* List handles for network object attributes, one per configured module
 * (MAC, PM, RC). There is no "gen" member here.
 * NOTE(review): the "l" prefix presumably stands for the local side of a
 * network object, matching the A_local_* attributes - confirm. */
struct rsbac_lnetobj_handles_t {
#if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
        rsbac_list_handle_t mac;
#endif
#if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
        rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
        rsbac_list_handle_t rc;
#endif
};
/* List handles for network object attributes, one per configured module
 * (MAC, PM, RC); same member set as rsbac_lnetobj_handles_t.
 * NOTE(review): the "r" prefix presumably stands for the remote side of a
 * network object, matching the A_remote_* attributes - confirm. */
struct rsbac_rnetobj_handles_t {
#if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
        rsbac_list_handle_t mac;
#endif
#if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
        rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
        rsbac_list_handle_t rc;
#endif
};
01670 #endif                          /* __KERNEL__ */
01671 
01672 
01673 /**********************************************/
01674 /*              Declarations                  */
01675 /**********************************************/
01676 
01677 #ifdef __KERNEL__
/* Device number of the RSBAC root device; defined outside this header. */
extern kdev_t rsbac_root_dev;

/* Open an ACI file for reading. Returns an int status.
 * NOTE(review): the parameters are unnamed; presumably the file name, the
 * struct file to set up and the device holding the file - confirm against
 * the definition. */
int rsbac_read_open(char *, struct file *,      /* file */
                    kdev_t);

/* Open an ACI file for writing; same parameter list as rsbac_read_open().
 * NOTE(review): parameter meaning inferred from the read variant - confirm. */
int rsbac_write_open(char *, struct file *,     /* file */
                     kdev_t);

/* Counterpart of rsbac_read_open(): takes the struct file to close. */
void rsbac_read_close(struct file *);

/* Counterpart of rsbac_write_open(): takes the struct file to close. */
void rsbac_write_close(struct file *);

/* Semaphore declared for write operations; defined outside this header.
 * NOTE(review): presumably serializes writing ACI data to disk - confirm
 * which code paths take it. */
extern struct semaphore rsbac_write_sem;
01691 
01692 /**********************************************/
01693 /*              Locks                         */
01694 /**********************************************/
01695 
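/* Take an RSBAC rwlock for reading.
 *   lock_p  - lock to acquire, passed unchanged to read_lock()
 *   flags_p - ignored; nothing is stored through it
 * This is the plain read_lock(): the interrupt state is neither changed nor
 * saved. Callers sharing the lock with interrupt-context code need a
 * variant that disables interrupts instead.
 * Release with rsbac_read_unlock(). */
extern inline void rsbac_read_lock(rwlock_t * lock_p, u_long * flags_p)
{
        read_lock(lock_p);
}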
01700 
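/* Release a read lock taken with rsbac_read_lock().
 *   lock_p  - lock to release, passed unchanged to read_unlock()
 *   flags_p - ignored; no interrupt state is restored from it */
extern inline void rsbac_read_unlock(rwlock_t * lock_p, u_long * flags_p)
{
        read_unlock(lock_p);
}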
01705 
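/* Take an RSBAC rwlock for writing.
 *   lock_p  - lock to acquire, passed unchanged to write_lock()
 *   flags_p - ignored; nothing is stored through it
 * This is the plain write_lock(): interrupts stay as they are. If the same
 * lock can be taken from interrupt context, use rsbac_write_lock_irq()
 * instead to avoid deadlocking against the interrupted holder.
 * Release with rsbac_write_unlock(). */
extern inline void rsbac_write_lock(rwlock_t * lock_p, u_long * flags_p)
{
        write_lock(lock_p);
}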
01710 
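/* Release a write lock taken with rsbac_write_lock().
 *   lock_p  - lock to release, passed unchanged to write_unlock()
 *   flags_p - ignored; no interrupt state is restored from it */
extern inline void rsbac_write_unlock(rwlock_t * lock_p, u_long * flags_p)
{
        write_unlock(lock_p);
}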
01715 
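/* Take an RSBAC rwlock for writing with local interrupts disabled.
 *   lock_p  - lock to acquire, passed unchanged to write_lock_irq()
 *   flags_p - ignored; the previous interrupt state is NOT saved
 * Because no flags are saved, the matching rsbac_write_unlock_irq() turns
 * interrupts back on unconditionally. Only call this where interrupts are
 * known to be enabled on entry; a caller that already runs with interrupts
 * off would get them re-enabled at unlock time. */
extern inline void rsbac_write_lock_irq(rwlock_t * lock_p,
                                        u_long * flags_p)
{
        write_lock_irq(lock_p);
}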
01721 
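/* Release a write lock taken with rsbac_write_lock_irq().
 *   lock_p  - lock to release, passed unchanged to write_unlock_irq()
 *   flags_p - ignored; no saved interrupt state is restored from it
 * write_unlock_irq() enables local interrupts unconditionally, so this must
 * only be paired with rsbac_write_lock_irq() in a section that was entered
 * with interrupts enabled. */
extern inline void rsbac_write_unlock_irq(rwlock_t * lock_p,
                                          u_long * flags_p)
{
        write_unlock_irq(lock_p);
}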
01727 
01728 #endif                          /* __KERNEL__ */
01729 
01730 /**********************************************/
01731 /*          External Declarations             */
01732 /**********************************************/
01733 
01734 #ifdef __KERNEL__
01735 
01736 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
/* Pin and lock the parent directory of a dentry.
 * Takes a reference on dentry->d_parent with dget(), locks the i_mutex of
 * that parent's inode and returns the parent. Undo with unlock_dir().
 * NOTE(review): d_parent is read before any lock is held; callers that can
 * race with a rename presumably have to re-check the parent after this
 * returns - confirm at the call sites. */
static inline struct dentry *lock_parent(struct dentry *dentry)
{
        struct dentry *parent;

        parent = dget(dentry->d_parent);
        mutex_lock(&parent->d_inode->i_mutex);

        return parent;
}
01744 
/* Counterpart of lock_parent(): unlock the directory inode's i_mutex, then
 * drop the dentry reference with dput(). The inode pointer is fetched
 * before the reference is released. */
static inline void unlock_dir(struct dentry *dir)
{
        struct inode *dir_inode = dir->d_inode;

        mutex_unlock(&dir_inode->i_mutex);
        dput(dir);
}
01750 
/* Lock two mutexes in a fixed order so that two callers passing the same
 * pair in opposite order cannot deadlock against each other.
 * If both pointers are equal the mutex is locked once. Otherwise the mutex
 * at the higher address is locked first, then the one at the lower address.
 * Release with double_mutex_unlock(). */
static inline void double_mutex_lock(struct mutex *m1, struct mutex *m2)
{
        struct mutex *hi = m1;
        struct mutex *lo = m2;

        if (m1 == m2) {
                mutex_lock(m2);
                return;
        }

        /* order the pair by address: hi is taken before lo */
        if ((unsigned long) hi < (unsigned long) lo) {
                hi = m2;
                lo = m1;
        }

        mutex_lock(hi);
        mutex_lock(lo);
}
01763 
/* Release the pair taken by double_mutex_lock(): m1 is always unlocked, m2
 * only when it is a different mutex, so an identical pair is unlocked
 * exactly once. */
static inline void double_mutex_unlock(struct mutex *m1, struct mutex *m2)
{
        mutex_unlock(m1);

        if (m1 == m2)
                return;

        mutex_unlock(m2);
}
01770 
/* Lock the inode i_mutex of two dentries through double_mutex_lock().
 * No dentry reference is taken here.
 * NOTE(review): d_inode is dereferenced without a NULL check, so both
 * dentries presumably must have an inode attached - confirm at call sites. */
static inline void double_lock(struct dentry *d1, struct dentry *d2)
{
        struct mutex *first = &d1->d_inode->i_mutex;
        struct mutex *second = &d2->d_inode->i_mutex;

        double_mutex_lock(first, second);
}
01775 
/* Unlock the inode i_mutex of two dentries and drop one reference on each.
 * double_lock() does not take these references, so the caller has to hold
 * one per dentry before calling this; otherwise the dput() calls would
 * release references owned by someone else. */
static inline void double_unlock(struct dentry *d1, struct dentry *d2)
{
        struct mutex *first = &d1->d_inode->i_mutex;
        struct mutex *second = &d2->d_inode->i_mutex;

        double_mutex_unlock(first, second);

        dput(d1);
        dput(d2);
}
01782 #else
/* Kernels before 2.6.0: lock_parent() is only declared here; its
 * definition is not part of this header section. */
extern inline struct dentry *lock_parent(struct dentry *dentry);
01784 #endif
01785 
01786 #ifdef CONFIG_RSBAC_DEBUG
/* Debug helper: estimate the unused kernel stack by counting zero words.
 * Starts at the address directly behind the current task_struct
 * (current + 1), advances one unsigned long at a time while the word is
 * zero, and returns the distance covered in bytes.
 * NOTE(review): this presumes task_struct sits at the low end of the kernel
 * stack and that never-used stack memory is still zero; on kernels where
 * task_struct is allocated separately the scan would start outside the
 * stack - confirm for the 2.6 target.
 * NOTE(review): the loop has no upper bound and relies on hitting a
 * non-zero word. */
static inline unsigned long rsbac_stack_free_space(void)
{
        unsigned long *n = (unsigned long *)(current + 1);
        /* skip words that are still zero */
        while (!*n)
                n++;
        return (unsigned long)n - (unsigned long)(current + 1);
}
01794 #else
01795 #define rsbac_stack_free_space() 0
01796 #endif
01797 
01798 #endif                          /* __KERNEL__ */
01799 
01800 #endif
