/linux-2.6.21.1-rsbac-1.3.4/include/rsbac/acl.h

00001 /************************************ */
00002 /* Rule Set Based Access Control      */
00003 /* Author and (c) 1999-2005: Amon Ott */
00004 /* API: Data structures               */
00005 /* and functions for Access           */
00006 /* Control Information / ACL          */
00007 /* Last modified: 20/Dec/2005         */
00008 /************************************ */
00009 
00010 #ifndef __RSBAC_ACL_H
00011 #define __RSBAC_ACL_H
00012 
00013 #include <linux/init.h>
00014 #include <rsbac/types.h>
00015 
00016 /***************************************************/
00017 /*               General Prototypes                */
00018 /***************************************************/
00019 
00020 /* All functions return 0, if no error occurred, and a negative error code  */
00021 /* otherwise. The error codes are defined in rsbac_error.h.                 */
00022 
00023 /****************************************************************************/
00024 /* Initialization, including ACI restoration for all mounted devices from   */
00025 /* disk. After this call, all ACI is kept in memory for performance reasons,*/
00026 /* but user and file/dir object ACI are written to disk on every change.    */
00027 
/* __init code is discarded by the kernel once boot has finished. With       */
/* CONFIG_RSBAC_INIT_DELAY the function is deliberately not marked __init,   */
/* presumably because delayed initialization runs after that point and the  */
/* function must stay resident.                                             */
00028 #ifdef CONFIG_RSBAC_INIT_DELAY
00029 extern int rsbac_init_acl(void);
00030 #else
00031 extern int rsbac_init_acl(void) __init;
00032 #endif
00033 
00034 /* mounting and umounting */
/* kdev identifies the device concerned. Which ACL data is read from or      */
/* written to disk on mount/umount is not stated here - see the             */
/* implementation.                                                          */
00035 int rsbac_mount_acl(kdev_t kdev);
00036 int rsbac_umount_acl(kdev_t kdev);
00037 
00038 /* Some information about the current status is also available */
00039 extern int rsbac_stats_acl(void);
00040 
00041 /* Status checking */
/* correct: presumably non-zero asks the check to repair inconsistencies it  */
/* finds instead of only reporting them - confirm against the              */
/* implementation before calling it with a non-zero value.                  */
00042 extern int rsbac_check_acl(int correct);
00043 
00044 /************************************************* */
00045 /*               Access functions                  */
00046 /************************************************* */
00047 
00048 /* All these procedures handle the spinlocks to protect the targets during */
00049 /* access.                                                                 */
/* Parameters shared by the functions below:                                */
/*   ta_number - transaction the operation belongs to; the value that means */
/*               "no transaction" is not stated here - confirm.             */
/*   target, tid - target type and its id (the union member of tid that is  */
/*               valid is presumably selected by target - confirm).         */
/*   subj_type, subj_id - the subject the ACL entry refers to; the subject  */
/*               types are those of enum rsbac_acl_subject_type_t.          */
/*   ttl       - time-to-live of the entry; the value that means "no        */
/*               expiry" is not stated here - confirm against the           */
/*               implementation.                                            */
00050 
00051 /* rsbac_acl_set_acl_entry
00052  * Set ACL entry for given target and subject to given rights. If entry does
00053  * not exist, it is created, thus cutting the inheritance from default/parent.
 * rights replaces the entry's complete rights vector; use
 * rsbac_acl_add_to_acl_entry to add rights to an existing entry instead.
00054  */
00055 
00056 int rsbac_acl_set_acl_entry(rsbac_list_ta_number_t ta_number,
00057                             enum rsbac_target_t target,
00058                             union rsbac_target_id_t tid,
00059                             enum rsbac_acl_subject_type_t subj_type,
00060                             rsbac_acl_subject_id_t subj_id,
00061                             rsbac_acl_rights_vector_t rights,
00062                             rsbac_time_t ttl);
00063 
00064 /* rsbac_acl_remove_acl_entry
00065  * Remove ACL entry for given target and subject. This reactivates the
00066  * inheritance from default/parent.
 * This is the counterpart of rsbac_acl_set_acl_entry: afterwards the subject
 * is governed by inherited rights again.
00067  */
00068 
00069 int rsbac_acl_remove_acl_entry(rsbac_list_ta_number_t ta_number,
00070                                enum rsbac_target_t target,
00071                                union rsbac_target_id_t tid,
00072                                enum rsbac_acl_subject_type_t subj_type,
00073                                rsbac_acl_subject_id_t subj_id);
00074 
00075 /* rsbac_acl_remove_acl
00076  * Remove ACL for given target. For cleanup on delete.
 * Removes the entries of all subjects for this target, not just one entry.
00077  */
00078 
00079 int rsbac_acl_remove_acl(rsbac_list_ta_number_t ta_number,
00080                          enum rsbac_target_t target,
00081                          union rsbac_target_id_t tid);
00082 
00083 /* rsbac_acl_add_to_acl_entry
00084  * Add given rights to ACL entry for given target and subject. If entry does
00085  * not exist, behaviour is exactly like rsbac_acl_set_acl_entry.
 * Note that creating the entry also cuts the inheritance from default/parent,
 * exactly as rsbac_acl_set_acl_entry does.
00086  */
00087 
00088 int rsbac_acl_add_to_acl_entry(rsbac_list_ta_number_t ta_number,
00089                                enum rsbac_target_t target,
00090                                union rsbac_target_id_t tid,
00091                                enum rsbac_acl_subject_type_t subj_type,
00092                                rsbac_acl_subject_id_t subj_id,
00093                                rsbac_acl_rights_vector_t rights,
00094                                rsbac_time_t ttl);
00095 
00096 /* rsbac_acl_remove_from_acl_entry
00097  * Remove given rights from ACL entry for given target and subject. If entry does
00098  * not exist, nothing happens.
00099  * This function does NOT remove the ACL entry, so removing all rights results in
00100  * NO rights for this subject/target combination!
 * In other words, an entry left without rights is an explicit deny for that
 * subject, not a fall-back to inherited rights. To restore inheritance use
 * rsbac_acl_remove_acl_entry instead.
00101  */
00102 
00103 int rsbac_acl_remove_from_acl_entry(rsbac_list_ta_number_t ta_number,
00104                                     enum rsbac_target_t target,
00105                                     union rsbac_target_id_t tid,
00106                                     enum rsbac_acl_subject_type_t
00107                                     subj_type,
00108                                     rsbac_acl_subject_id_t subj_id,
00109                                     rsbac_acl_rights_vector_t rights);
00110 
00111 /* rsbac_acl_set_mask
00112  * Set inheritance mask for given target to given rights. If item does
00113  * not exist, it is created.
 * mask is presumably the set of rights that may be inherited from
 * default/parent; whether a set bit allows or blocks inheritance is not
 * stated here - confirm against the implementation.
00114  */
00115 
00116 int rsbac_acl_set_mask(rsbac_list_ta_number_t ta_number,
00117                        enum rsbac_target_t target,
00118                        union rsbac_target_id_t tid,
00119                        rsbac_acl_rights_vector_t mask);
00120 
00121 /* rsbac_acl_get_mask
00122  * Get inheritance mask for given target into *mask_p. If item does
00123  * not exist, default mask is returned.
00124  */
00125 
00126 int rsbac_acl_get_mask(rsbac_list_ta_number_t ta_number,
00127                        enum rsbac_target_t target,
00128                        union rsbac_target_id_t tid,
00129                        rsbac_acl_rights_vector_t * mask_p);
00130 
00131 /* rsbac_acl_get_rights
00132  * Get effective rights from ACL entry for given target and subject.
00133  * If entry does not exist, inherited rights are used. If there is no parent,
00134  * the default rights vector for this target type is returned.
00135  * This function does NOT add role or group rights to user rights!
 * rights_p receives the result. inherit presumably controls whether the
 * parent/default lookup described above is performed at all - confirm; the
 * description assumes it is enabled.
 * Because group and role rights are not merged in, a caller that needs a
 * user's complete effective rights must consult the group/role entries too.
00136  */
00137 
00138 int rsbac_acl_get_rights(rsbac_list_ta_number_t ta_number,
00139                          enum rsbac_target_t target,
00140                          union rsbac_target_id_t tid,
00141                          enum rsbac_acl_subject_type_t subj_type,
00142                          rsbac_acl_subject_id_t subj_id,
00143                          rsbac_acl_rights_vector_t * rights_p,
00144                          rsbac_boolean_t inherit);
00145 
00146 /* rsbac_acl_get_single_right
00147  * Show, whether a right is set for given target and subject.
00148  * If right is not set, it is checked at all parents, unless it has been
00149  * masked out *or* it is SUPERVISOR, CONFIG_RSBAC_ACL_SUPER_FILTER is set
00150  * and supervisor is masked out.
 * right is an ADF request type (enum rsbac_adf_request_t); *result receives
 * the answer. Unlike the other access functions this one takes no
 * ta_number.
00151  */
00152 
00153 int rsbac_acl_get_single_right(enum rsbac_target_t target,
00154                                union rsbac_target_id_t tid,
00155                                enum rsbac_acl_subject_type_t subj_type,
00156                                rsbac_acl_subject_id_t subj_id,
00157                                enum rsbac_adf_request_t right,
00158                                rsbac_boolean_t * result);
00159 
00160 
00161 /************************************************************************** */
00162 /* The rsbac_acl_copy_fd_acl() function copies a file/dir ACL to another    */
00163 /* file/dir ACL. The old ACL of file2 is erased before copying.             */
/* file1 is the source and file2 the destination; both are passed by value. */
00164 
00165 int rsbac_acl_copy_fd_acl(struct rsbac_fs_file_t file1,
00166                           struct rsbac_fs_file_t file2);
00167 
00168 /************************************************************************** */
00169 /* The rsbac_acl_copy_pp_acl() function copies a process acl to another     */
/* (from old_pid to new_pid). Whether new_pid's existing ACL is erased       */
/* first, as for rsbac_acl_copy_fd_acl, is not stated here - confirm.        */
00170 
00171 int rsbac_acl_copy_pp_acl(rsbac_pid_t old_pid, rsbac_pid_t new_pid);
00172 
00173 /*************************************************
00174  * rsbac_acl_get_tlist
00175  * Get subjects from ACL entries for given target.
 * *entry_pp and *ttl_pp are filled by the callee. How these arrays are
 * allocated, who releases them and how many elements they hold is not
 * stated here - confirm against the implementation (compare
 * rsbac_acl_get_user_groups, which documents vmalloc/vfree ownership and
 * returns the element count).
00176  */
00177 
00178 int rsbac_acl_get_tlist(rsbac_list_ta_number_t ta_number,
00179                         enum rsbac_target_t target,
00180                         union rsbac_target_id_t tid,
00181                         struct rsbac_acl_entry_t **entry_pp,
00182                         rsbac_time_t ** ttl_pp);
00183 
00184 /*************************************************
00185  * Group management
00186  */
00187 
00188 /* add a group with new id and fill this id into *group_id_p */
/* name is declared non-const; whether the callee writes to the buffer or   */
/* keeps the pointer after returning is not visible here - confirm before   */
/* passing a temporary or a string literal.                                 */
00189 int rsbac_acl_add_group(rsbac_list_ta_number_t ta_number,
00190                         rsbac_uid_t owner,
00191                         enum rsbac_acl_group_type_t type,
00192                         char *name, rsbac_acl_group_id_t * group_id_p);
00193 
/* change owner, type and name of the existing group id; the same caveat   */
/* about the non-const name applies as for rsbac_acl_add_group.            */
00194 int rsbac_acl_change_group(rsbac_list_ta_number_t ta_number,
00195                            rsbac_acl_group_id_t id,
00196                            rsbac_uid_t owner,
00197                            enum rsbac_acl_group_type_t type, char *name);
00198 
/* remove group id; whether its memberships and ACL entries are removed as */
/* well is not stated here - confirm.                                      */
00199 int rsbac_acl_remove_group(rsbac_list_ta_number_t ta_number,
00200                            rsbac_acl_group_id_t id);
00201 
/* copy the entry of group into the caller-provided *entry_p */
00202 int rsbac_acl_get_group_entry(rsbac_list_ta_number_t ta_number,
00203                               rsbac_acl_group_id_t group,
00204                               struct rsbac_acl_group_entry_t *entry_p);
00205 
/* list the groups of owner; include_global presumably adds the global      */
/* groups as well - confirm. *entry_pp is filled by the callee; allocation, */
/* ownership and the element count are not stated here - confirm against   */
/* the implementation.                                                      */
00206 int rsbac_acl_list_groups(rsbac_list_ta_number_t ta_number,
00207                           rsbac_uid_t owner,
00208                           rsbac_boolean_t include_global,
00209                           struct rsbac_acl_group_entry_t **entry_pp);
00210 
00211 /* check group existence */
/* Returns rsbac_boolean_t rather than an error code; takes no ta_number. */
00212 rsbac_boolean_t rsbac_acl_group_exist(rsbac_acl_group_id_t group);
00213 
/* add user to group; ttl is the membership's time-to-live (the value for */
/* "no expiry" is not stated here - confirm).                             */
00214 int rsbac_acl_add_group_member(rsbac_list_ta_number_t ta_number,
00215                                rsbac_acl_group_id_t group,
00216                                rsbac_uid_t user, rsbac_time_t ttl);
00217 
00218 int rsbac_acl_remove_group_member(rsbac_list_ta_number_t ta_number,
00219                                   rsbac_acl_group_id_t group,
00220                                   rsbac_uid_t user);
00221 
00222 /* check membership */
/* Returns rsbac_boolean_t rather than an error code; takes no ta_number. */
00223 rsbac_boolean_t rsbac_acl_group_member(rsbac_acl_group_id_t group,
00224                                        rsbac_uid_t user);
00225 
00226 /* build vmalloc'd array of all group memberships of the given user */
00227 /* returns number of groups or negative error */
00228 /* Attention: memory deallocation with vfree must be done by caller! */
/* Both *group_pp and *ttl_pp are handed to the caller; a return value of  */
/* zero means no groups, and the arrays must not be used (or freed) when a */
/* negative error is returned - confirm against the implementation.        */
00229 int rsbac_acl_get_user_groups(rsbac_list_ta_number_t ta_number,
00230                               rsbac_uid_t user,
00231                               rsbac_acl_group_id_t ** group_pp,
00232                               rsbac_time_t ** ttl_pp);
00233 
00234 /* Returns number of members or negative error */
/* user_array and ttl_array are caller-provided buffers; maxnum presumably   */
/* bounds the number of elements written to each. Whether the return value  */
/* is the number written or the total number of members when the group has  */
/* more than maxnum members is not stated here - confirm before sizing      */
/* buffers from it.                                                         */
00235 int rsbac_acl_get_group_members(rsbac_list_ta_number_t ta_number,
00236                                 rsbac_acl_group_id_t group,
00237                                 rsbac_uid_t user_array[],
00238                                 rsbac_time_t ttl_array[], int maxnum);
00239 
00240 /* Remove subject from all ACLs */
/* desc carries the subject's type and id (struct rsbac_acl_entry_desc_t). */
00241 int rsbac_acl_remove_subject(rsbac_list_ta_number_t ta_number,
00242                              struct rsbac_acl_entry_desc_t desc);
00243 
00244 /*************************************************/
00245 /* remove user from all groups and from all ACLs */
/* Cleanup hook for user deletion; it covers both group memberships and     */
/* ACL entries, unlike rsbac_acl_remove_subject, which only touches ACLs.   */
00246 int rsbac_acl_remove_user(rsbac_list_ta_number_t ta_number,
00247                           rsbac_uid_t user);
00248 
00249 /* Get list of all device entries */
/* For all rsbac_acl_list_all_* functions below: *id_pp is filled by the     */
/* callee. Allocation, who releases the array and how the element count is  */
/* reported (presumably the return value, as for rsbac_acl_get_user_groups) */
/* are not stated here - confirm against the implementation.                */
00250 
00251 int rsbac_acl_list_all_dev(rsbac_list_ta_number_t ta_number,
00252                            struct rsbac_dev_desc_t **id_pp);
00253 
00254 int rsbac_acl_list_all_major_dev(rsbac_list_ta_number_t ta_number,
00255                                  struct rsbac_dev_desc_t **id_pp);
00256 
00257 int rsbac_acl_list_all_user(rsbac_list_ta_number_t ta_number,
00258                             rsbac_uid_t ** id_pp);
00259 
00260 int rsbac_acl_list_all_group(rsbac_list_ta_number_t ta_number,
00261                              rsbac_gid_t ** id_pp);
00262 
00263 int rsbac_acl_list_all_ipc(rsbac_list_ta_number_t ta_number,
00264                            struct rsbac_ipc_t ** id_pp);
00266 #endif
