/linux-2.6.21.1-rsbac-1.3.4/rsbac/data_structures/acl_data_structures.c

Go to the documentation of this file.
00001 /*************************************************** */
00002 /* Rule Set Based Access Control                     */
00003 /* Implementation of ACL data structures             */
00004 /* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
00005 /*                                                   */
00006 /* Last modified: 23/Nov/2006                        */
00007 /*************************************************** */
00008 
00009 #include <linux/types.h>
00010 #include <linux/sched.h>
00011 #include <linux/mm.h>
00012 #include <linux/init.h>
00013 #include <linux/ext2_fs.h>
00014 #include <asm/uaccess.h>
00015 #include <rsbac/types.h>
00016 #include <rsbac/aci_data_structures.h>
00017 #include <rsbac/acl_data_structures.h>
00018 #include <rsbac/error.h>
00019 #include <rsbac/helpers.h>
00020 #include <rsbac/adf.h>
00021 #include <rsbac/aci.h>
00022 #include <rsbac/acl.h>
00023 #include <rsbac/lists.h>
00024 #include <rsbac/proc_fs.h>
00025 #include <rsbac/getname.h>
00026 #include <rsbac/acl_getname.h>
00027 #include <rsbac/rkmem.h>
00028 #include <rsbac/network.h>
00029 #include <linux/string.h>
00030 #include <linux/smp_lock.h>
00031 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00032 #include <linux/rcupdate.h>
00033 #else
00034 #define rcu_dereference(x) x
00035 #endif
00036 
00037 /************************************************************************** */
00038 /*                          Global Variables                                */
00039 /************************************************************************** */
00040 
00041 /* The following global variables are needed for access to ACL data.*/
00042 
00043 static struct rsbac_acl_device_list_head_t * device_list_head_p;
00044 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00045 static spinlock_t device_list_lock;
00046 #else
00047 static rwlock_t device_list_lock;
00048 #endif
00049 
00050 static rsbac_list_handle_t dev_handle = NULL;
00051 static rsbac_list_handle_t dev_major_handle = NULL;
00052 static rsbac_list_handle_t scd_handle = NULL;
00053 static rsbac_list_handle_t group_handle = NULL;
00054 static rsbac_list_handle_t gm_handle = NULL;
00055 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
00056 static rsbac_list_handle_t netdev_handle = NULL;
00057 #endif
00058 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
00059 static rsbac_list_handle_t nettemp_nt_handle = NULL;
00060 static rsbac_list_handle_t nettemp_handle = NULL;
00061 static rsbac_list_handle_t netobj_handle = NULL;
00062 #endif
00063 
00064 static rsbac_list_handle_t default_fd_handle = NULL;
00065 static rsbac_list_handle_t default_dev_handle = NULL;
00066 static rsbac_list_handle_t default_ipc_handle = NULL;
00067 static rsbac_list_handle_t default_scd_handle = NULL;
00068 static rsbac_list_handle_t u_handle = NULL;
00069 static rsbac_list_handle_t default_u_handle = NULL;
00070 static rsbac_list_handle_t default_p_handle = NULL;
00071 #ifdef CONFIG_RSBAC_ACL_UM_PROT
00072 static rsbac_list_handle_t g_handle = NULL;
00073 static rsbac_list_handle_t default_g_handle = NULL;
00074 #endif
00075 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
00076 static rsbac_list_handle_t default_netdev_handle = NULL;
00077 static rsbac_acl_rights_vector_t default_netdev_rights = 0;
00078 #endif
00079 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
00080 static rsbac_list_handle_t default_nettemp_nt_handle = NULL;
00081 static rsbac_list_handle_t default_netobj_handle = NULL;
00082 static rsbac_acl_rights_vector_t default_nettemp_nt_rights = 0;
00083 static rsbac_acl_rights_vector_t default_netobj_rights = 0;
00084 #endif
00085 
00086 static rsbac_acl_group_id_t group_last_new = 0;
00087 
00088 static rsbac_acl_rights_vector_t default_fd_rights = 0;
00089 static rsbac_acl_rights_vector_t default_dev_rights = 0;
00090 static rsbac_acl_rights_vector_t default_ipc_rights = 0;
00091 static rsbac_acl_rights_vector_t default_scd_rights = 0;
00092 static rsbac_acl_rights_vector_t default_u_rights = 0;
00093 #ifdef CONFIG_RSBAC_ACL_UM_PROT
00094 static rsbac_acl_rights_vector_t default_g_rights = 0;
00095 #endif
00096 static rsbac_acl_rights_vector_t default_p_rights = 0;
00097 
00098 /**************************************************/
00099 /*       Declarations of external functions       */
00100 /**************************************************/
00101 
00102 rsbac_boolean_t writable(struct super_block *sb_p);
00103 
00104 /**************************************************/
00105 /*       Declarations of internal functions       */
00106 /**************************************************/
00107 
00108 /************************************************* */
00109 /*               Internal Help functions           */
00110 /************************************************* */
00111 
00112 /* nr_hashes is always 2^n, no matter what the macros say */
00113 
00114 static u_int nr_fd_hashes = RSBAC_ACL_NR_FD_LISTS;
00115 
00116 static u_int group_hash(void * desc, __u32 nr_hashes)
00117 {
00118         return (*((rsbac_acl_group_id_t *) desc) & (nr_hashes - 1));
00119 }
00120 
00121 static int entry_compare(void *desc1, void *desc2)
00122 {
00123         int result;
00124         struct rsbac_acl_entry_desc_t *i_desc1 = desc1;
00125         struct rsbac_acl_entry_desc_t *i_desc2 = desc2;
00126 
00127         result = memcmp(&i_desc1->subj_type,
00128                         &i_desc2->subj_type, sizeof(i_desc1->subj_type));
00129         if (result)
00130                 return result;
00131         else
00132                 return memcmp(&i_desc1->subj_id,
00133                               &i_desc2->subj_id, sizeof(i_desc1->subj_id));
00134 }
00135 
00136 static int dev_compare(void *desc1, void *desc2)
00137 {
00138         int result;
00139         struct rsbac_dev_desc_t *i_desc1 = desc1;
00140         struct rsbac_dev_desc_t *i_desc2 = desc2;
00141 
00142         result = memcmp(&i_desc1->type,
00143                         &i_desc2->type, sizeof(i_desc1->type));
00144         if (result)
00145                 return result;
00146         result = memcmp(&i_desc1->major,
00147                         &i_desc2->major, sizeof(i_desc1->major));
00148         if (result)
00149                 return result;
00150         return memcmp(&i_desc1->minor,
00151                       &i_desc2->minor, sizeof(i_desc1->minor));
00152 }
00153 
00154 static int dev_major_compare(void *desc1, void *desc2)
00155 {
00156         int result;
00157         struct rsbac_dev_desc_t *i_desc1 = desc1;
00158         struct rsbac_dev_desc_t *i_desc2 = desc2;
00159 
00160         result = memcmp(&i_desc1->type,
00161                         &i_desc2->type, sizeof(i_desc1->type));
00162         if (result)
00163                 return result;
00164         return memcmp(&i_desc1->major,
00165                       &i_desc2->major, sizeof(i_desc1->major));
00166 }
00167 
00168 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
00169 static int netdev_compare(void *desc1, void *desc2)
00170 {
00171         return strncmp(desc1, desc2, RSBAC_IFNAMSIZ);
00172 }
00173 #endif
00174 
00175 static int fd_conv(void *old_desc,
00176                    void *old_data, void *new_desc, void *new_data)
00177 {
00178         rsbac_acl_rights_vector_t *new = new_data;
00179         rsbac_acl_rights_vector_t *old = old_data;
00180 
00181         memcpy(new_desc, old_desc, sizeof(rsbac_inode_nr_t));
00182         *new = (*old & RSBAC_ALL_REQUEST_VECTOR)
00183             | ((*old & ~(RSBAC_ALL_REQUEST_VECTOR)) <<
00184                (RSBAC_ACL_SPECIAL_RIGHT_BASE -
00185                 RSBAC_ACL_OLD_SPECIAL_RIGHT_BASE));
00186         return 0;
00187 }
00188 
00189 rsbac_list_conv_function_t *fd_get_conv(rsbac_version_t old_version)
00190 {
00191         switch (old_version) {
00192         case RSBAC_ACL_FD_OLD_LIST_VERSION:
00193                 return fd_conv;
00194         default:
00195                 return NULL;
00196         }
00197 }
00198 
00199 static int dev_conv(void *old_desc,
00200                     void *old_data, void *new_desc, void *new_data)
00201 {
00202         rsbac_acl_rights_vector_t *new = new_data;
00203         rsbac_acl_rights_vector_t *old = old_data;
00204 
00205         memcpy(new_desc, old_desc, sizeof(struct rsbac_dev_desc_t));
00206         *new = (*old & RSBAC_ALL_REQUEST_VECTOR)
00207             | ((*old & ~(RSBAC_ALL_REQUEST_VECTOR)) <<
00208                (RSBAC_ACL_SPECIAL_RIGHT_BASE -
00209                 RSBAC_ACL_OLD_SPECIAL_RIGHT_BASE));
00210         return 0;
00211 }
00212 
00213 static int dev_old_conv(void *old_desc,
00214                         void *old_data, void *new_desc, void *new_data)
00215 {
00216         struct rsbac_dev_desc_t *new = new_desc;
00217         struct rsbac_dev_t *old = old_desc;
00218         rsbac_acl_rights_vector_t *newd = new_data;
00219         rsbac_acl_rights_vector_t *oldd = old_data;
00220 
00221 
00222         memcpy(new_data, old_data, sizeof(rsbac_acl_rights_vector_t));
00223         new->type = old->type;
00224         new->major = RSBAC_MAJOR(old->id);
00225         new->minor = RSBAC_MINOR(old->id);
00226         *newd = (*oldd & RSBAC_ALL_REQUEST_VECTOR)
00227             | ((*oldd & ~(RSBAC_ALL_REQUEST_VECTOR)) <<
00228                (RSBAC_ACL_SPECIAL_RIGHT_BASE -
00229                 RSBAC_ACL_OLD_SPECIAL_RIGHT_BASE));
00230         return 0;
00231 }
00232 
00233 rsbac_list_conv_function_t *dev_get_conv(rsbac_version_t old_version)
00234 {
00235         switch (old_version) {
00236         case RSBAC_ACL_DEV_OLD_LIST_VERSION:
00237                 return dev_conv;
00238         case RSBAC_ACL_DEV_OLD_OLD_LIST_VERSION:
00239                 return dev_old_conv;
00240         default:
00241                 return NULL;
00242         }
00243 }
00244 
00245 static int scd_conv(void *old_desc,
00246                     void *old_data, void *new_desc, void *new_data)
00247 {
00248         rsbac_acl_rights_vector_t *new = new_data;
00249         rsbac_acl_rights_vector_t *old = old_data;
00250 
00251         memcpy(new_desc, old_desc, sizeof(__u8));
00252         *new = (*old & RSBAC_ALL_REQUEST_VECTOR)
00253             | ((*old & ~(RSBAC_ALL_REQUEST_VECTOR)) <<
00254                (RSBAC_ACL_SPECIAL_RIGHT_BASE -
00255                 RSBAC_ACL_OLD_SPECIAL_RIGHT_BASE));
00256         return 0;
00257 }
00258 
00259 rsbac_list_conv_function_t *scd_get_conv(rsbac_version_t old_version)
00260 {
00261         switch (old_version) {
00262         case RSBAC_ACL_SCD_OLD_LIST_VERSION:
00263                 return scd_conv;
00264         default:
00265                 return NULL;
00266         }
00267 }
00268 
00269 static int netdev_conv(void *old_desc,
00270                        void *old_data, void *new_desc, void *new_data)
00271 {
00272         rsbac_acl_rights_vector_t *new = new_data;
00273         rsbac_acl_rights_vector_t *old = old_data;
00274 
00275         memcpy(new_desc, old_desc, sizeof(rsbac_netdev_id_t));
00276         *new = (*old & RSBAC_ALL_REQUEST_VECTOR)
00277             | ((*old & ~(RSBAC_ALL_REQUEST_VECTOR)) <<
00278                (RSBAC_ACL_SPECIAL_RIGHT_BASE -
00279                 RSBAC_ACL_OLD_SPECIAL_RIGHT_BASE));
00280         return 0;
00281 }
00282 
00283 rsbac_list_conv_function_t *netdev_get_conv(rsbac_version_t old_version)
00284 {
00285         switch (old_version) {
00286         case RSBAC_ACL_NETDEV_OLD_LIST_VERSION:
00287                 return netdev_conv;
00288         default:
00289                 return NULL;
00290         }
00291 }
00292 
00293 static int nettemp_nt_conv(void *old_desc,
00294                            void *old_data, void *new_desc, void *new_data)
00295 {
00296         rsbac_acl_rights_vector_t *new = new_data;
00297         rsbac_acl_rights_vector_t *old = old_data;
00298 
00299         memcpy(new_desc, old_desc, sizeof(rsbac_net_temp_id_t));
00300         *new = (*old & RSBAC_ALL_REQUEST_VECTOR)
00301             | ((*old & ~(RSBAC_ALL_REQUEST_VECTOR)) <<
00302                (RSBAC_ACL_SPECIAL_RIGHT_BASE -
00303                 RSBAC_ACL_OLD_SPECIAL_RIGHT_BASE));
00304         return 0;
00305 }
00306 
00307 rsbac_list_conv_function_t *nettemp_nt_get_conv(rsbac_version_t
00308                                                 old_version)
00309 {
00310         switch (old_version) {
00311         case RSBAC_ACL_NETTEMP_NT_OLD_LIST_VERSION:
00312                 return nettemp_nt_conv;
00313         default:
00314                 return NULL;
00315         }
00316 }
00317 
00318 static int nettemp_conv(void *old_desc,
00319                         void *old_data, void *new_desc, void *new_data)
00320 {
00321         rsbac_acl_rights_vector_t *new = new_data;
00322         rsbac_acl_rights_vector_t *old = old_data;
00323 
00324         memcpy(new_desc, old_desc, sizeof(rsbac_net_temp_id_t));
00325         *new = (*old & RSBAC_ALL_REQUEST_VECTOR)
00326             | ((*old & ~(RSBAC_ALL_REQUEST_VECTOR)) <<
00327                (RSBAC_ACL_SPECIAL_RIGHT_BASE -
00328                 RSBAC_ACL_OLD_SPECIAL_RIGHT_BASE));
00329         return 0;
00330 }
00331 
00332 rsbac_list_conv_function_t *nettemp_get_conv(rsbac_version_t old_version)
00333 {
00334         switch (old_version) {
00335         case RSBAC_ACL_NETTEMP_OLD_LIST_VERSION:
00336                 return nettemp_conv;
00337         default:
00338                 return NULL;
00339         }
00340 }
00341 
00342 
00343 static int common_subconv(void *old_desc,
00344                           void *old_data, void *new_desc, void *new_data)
00345 {
00346         rsbac_acl_rights_vector_t *new = new_data;
00347         rsbac_acl_rights_vector_t *old = old_data;
00348 
00349         memcpy(new_desc, old_desc, sizeof(struct rsbac_acl_entry_desc_t));
00350         *new = (*old & RSBAC_ALL_REQUEST_VECTOR)
00351             | ((*old & ~(RSBAC_ALL_REQUEST_VECTOR)) <<
00352                (RSBAC_ACL_SPECIAL_RIGHT_BASE -
00353                 RSBAC_ACL_OLD_SPECIAL_RIGHT_BASE));
00354         return 0;
00355 }
00356 
00357 rsbac_list_conv_function_t *fd_get_subconv(rsbac_version_t old_version)
00358 {
00359         switch (old_version) {
00360         case RSBAC_ACL_FD_OLD_LIST_VERSION:
00361                 return common_subconv;
00362         default:
00363                 return NULL;
00364         }
00365 }
00366 
00367 rsbac_list_conv_function_t *dev_get_subconv(rsbac_version_t old_version)
00368 {
00369         switch (old_version) {
00370         case RSBAC_ACL_DEV_OLD_LIST_VERSION:
00371                 return common_subconv;
00372         case RSBAC_ACL_DEV_OLD_OLD_LIST_VERSION:
00373                 return common_subconv;
00374         default:
00375                 return NULL;
00376         }
00377 }
00378 
00379 rsbac_list_conv_function_t *scd_get_subconv(rsbac_version_t old_version)
00380 {
00381         switch (old_version) {
00382         case RSBAC_ACL_SCD_OLD_LIST_VERSION:
00383                 return common_subconv;
00384         default:
00385                 return NULL;
00386         }
00387 }
00388 
00389 rsbac_list_conv_function_t *netdev_get_subconv(rsbac_version_t old_version)
00390 {
00391         switch (old_version) {
00392         case RSBAC_ACL_NETDEV_OLD_LIST_VERSION:
00393                 return common_subconv;
00394         default:
00395                 return NULL;
00396         }
00397 }
00398 
00399 rsbac_list_conv_function_t *nettemp_nt_get_subconv(rsbac_version_t
00400                                                    old_version)
00401 {
00402         switch (old_version) {
00403         case RSBAC_ACL_NETTEMP_NT_OLD_LIST_VERSION:
00404                 return common_subconv;
00405         default:
00406                 return NULL;
00407         }
00408 }
00409 
00410 rsbac_list_conv_function_t *nettemp_get_subconv(rsbac_version_t
00411                                                 old_version)
00412 {
00413         switch (old_version) {
00414         case RSBAC_ACL_NETTEMP_OLD_LIST_VERSION:
00415                 return common_subconv;
00416         default:
00417                 return NULL;
00418         }
00419 }
00420 
00421 rsbac_list_conv_function_t *def_fd_get_conv(rsbac_version_t old_version)
00422 {
00423         switch (old_version) {
00424         case RSBAC_ACL_DEF_FD_OLD_LIST_VERSION:
00425                 return common_subconv;
00426         default:
00427                 return NULL;
00428         }
00429 }
00430 
00431 rsbac_list_conv_function_t *def_dev_get_conv(rsbac_version_t old_version)
00432 {
00433         switch (old_version) {
00434         case RSBAC_ACL_DEF_DEV_OLD_LIST_VERSION:
00435                 return common_subconv;
00436         default:
00437                 return NULL;
00438         }
00439 }
00440 
00441 rsbac_list_conv_function_t *def_ipc_get_conv(rsbac_version_t old_version)
00442 {
00443         switch (old_version) {
00444         case RSBAC_ACL_DEF_IPC_OLD_LIST_VERSION:
00445                 return common_subconv;
00446         default:
00447                 return NULL;
00448         }
00449 }
00450 
00451 rsbac_list_conv_function_t *def_scd_get_conv(rsbac_version_t old_version)
00452 {
00453         switch (old_version) {
00454         case RSBAC_ACL_DEF_SCD_OLD_LIST_VERSION:
00455                 return common_subconv;
00456         default:
00457                 return NULL;
00458         }
00459 }
00460 
00461 rsbac_list_conv_function_t *def_u_get_conv(rsbac_version_t old_version)
00462 {
00463         switch (old_version) {
00464         case RSBAC_ACL_DEF_U_OLD_LIST_VERSION:
00465                 return common_subconv;
00466         default:
00467                 return NULL;
00468         }
00469 }
00470 
00471 rsbac_list_conv_function_t *def_p_get_conv(rsbac_version_t old_version)
00472 {
00473         switch (old_version) {
00474         case RSBAC_ACL_DEF_P_OLD_LIST_VERSION:
00475                 return common_subconv;
00476         default:
00477                 return NULL;
00478         }
00479 }
00480 
00481 rsbac_list_conv_function_t *def_g_get_conv(rsbac_version_t old_version)
00482 {
00483         switch (old_version) {
00484         case RSBAC_ACL_DEF_G_OLD_LIST_VERSION:
00485                 return common_subconv;
00486         default:
00487                 return NULL;
00488         }
00489 }
00490 
00491 rsbac_list_conv_function_t *def_netdev_get_conv(rsbac_version_t
00492                                                 old_version)
00493 {
00494         switch (old_version) {
00495         case RSBAC_ACL_DEF_NETDEV_OLD_LIST_VERSION:
00496                 return common_subconv;
00497         default:
00498                 return NULL;
00499         }
00500 }
00501 
00502 rsbac_list_conv_function_t *def_nettemp_nt_get_conv(rsbac_version_t
00503                                                     old_version)
00504 {
00505         switch (old_version) {
00506         case RSBAC_ACL_DEF_NETTEMP_NT_OLD_LIST_VERSION:
00507                 return common_subconv;
00508         default:
00509                 return NULL;
00510         }
00511 }
00512 
00513 rsbac_list_conv_function_t *def_netobj_get_conv(rsbac_version_t
00514                                                 old_version)
00515 {
00516         switch (old_version) {
00517         case RSBAC_ACL_DEF_NETOBJ_OLD_LIST_VERSION:
00518                 return common_subconv;
00519         default:
00520                 return NULL;
00521         }
00522 }
00523 
00524 
00525 /* acl_register_fd_lists() */
00526 /* register fd ACL lists for device */
00527 
00528 static int acl_register_fd_lists(struct rsbac_acl_device_list_item_t
00529                                  *device_p, kdev_t kdev)
00530 {
00531         char *name;
00532         int err = 0;
00533         int tmperr;
00534         struct rsbac_list_lol_info_t lol_info;
00535         rsbac_acl_rights_vector_t def_mask = RSBAC_ACL_DEFAULT_FD_MASK;
00536 
00537         if (!device_p)
00538                 return (-RSBAC_EINVALIDPOINTER);
00539         name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00540         if (!name)
00541                 return -RSBAC_ENOMEM;
00542 
00543         /* register all the ACL lists of lists */
00544         lol_info.version = RSBAC_ACL_FD_LIST_VERSION;
00545         lol_info.key = RSBAC_ACL_LIST_KEY;
00546         lol_info.desc_size = sizeof(rsbac_inode_nr_t);
00547         lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */
00548         lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t);  /* subj_type + subj_id */
00549         lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t);      /* rights */
00550         lol_info.max_age = 0;
00551         tmperr = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION,
00552                                          &device_p->handle,
00553                                          &lol_info,
00554                                          RSBAC_LIST_PERSIST |
00555                                          RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE,
00556                                          NULL,
00557                                          entry_compare,
00558                                          fd_get_conv,
00559                                          fd_get_subconv, &def_mask,
00560                                          NULL,
00561                                          RSBAC_ACL_FD_FILENAME, kdev,
00562                                          nr_fd_hashes,
00563                                          (nr_fd_hashes > 0) ? rsbac_list_hash_fd : NULL,
00564                                          RSBAC_ACL_FD_OLD_FILENAME);
00565         if (tmperr) {
00566                 char *tmp;
00567 
00568                 tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00569                 if (tmp) {
00570                         rsbac_printk(KERN_WARNING "acl_register_fd_lists(): registering list %s for device %02u:%02u failed with error %s!\n",
00571                                      RSBAC_ACL_FD_FILENAME,
00572                                      RSBAC_MAJOR(kdev),
00573                                      RSBAC_MINOR(kdev),
00574                                      get_error_name(tmp, tmperr));
00575                         rsbac_kfree(tmp);
00576                 }
00577                 err = tmperr;
00578         }
00579         return err;
00580 }
00581 
00582 /* acl_detach_fd_lists() */
00583 /* detach from fd ACL lists for device */
00584 
00585 static int acl_detach_fd_lists(struct rsbac_acl_device_list_item_t
00586                                *device_p)
00587 {
00588         char *name;
00589         int err = 0;
00590         int tmperr;
00591 
00592         if (!device_p)
00593                 return (-RSBAC_EINVALIDPOINTER);
00594         name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00595         if (!name)
00596                 return -RSBAC_ENOMEM;
00597 
00598         /* detach all the ACL lists of lists */
00599         tmperr = rsbac_list_lol_detach(&device_p->handle,
00600                                        RSBAC_ACL_LIST_KEY);
00601         if (tmperr) {
00602                 char *tmp;
00603 
00604                 tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00605                 if (tmp) {
00606                         rsbac_printk(KERN_WARNING "acl_detach_fd_lists(): detaching from list %s for device %02u:%02u failed with error %s!\n",
00607                                      RSBAC_ACL_FD_FILENAME,
00608                                      RSBAC_MAJOR(device_p->id),
00609                                      RSBAC_MINOR(device_p->id),
00610                                      get_error_name(tmp, tmperr));
00611                         rsbac_kfree(tmp);
00612                 }
00613                 err = tmperr;
00614         }
00615         return err;
00616 }
00617 
00618 /************************************************************************** */
00619 /* The lookup functions return NULL, if the item is not found, and a        */
00620 /* pointer to the item otherwise.                                           */
00621 
00622 /* first the device item lookup */
00623 static struct rsbac_acl_device_list_item_t *acl_lookup_device(kdev_t kdev)
00624 {
00625         struct rsbac_acl_device_list_item_t *curr = rcu_dereference(device_list_head_p)->curr;
00626 
00627         /* if there is no current item or it is not the right one, search... */
00628         if (!curr || (RSBAC_MAJOR(curr->id) != RSBAC_MAJOR(kdev))
00629             || (RSBAC_MINOR(curr->id) != RSBAC_MINOR(kdev))
00630             ) {
00631                 curr = rcu_dereference(device_list_head_p)->head;
00632                 while (curr
00633                        && ((RSBAC_MAJOR(curr->id) != RSBAC_MAJOR(kdev))
00634                            || (RSBAC_MINOR(curr->id) != RSBAC_MINOR(kdev))
00635                        )
00636                     ) {
00637                         curr = curr->next;
00638                 }
00639                 if (curr)
00640                         rcu_dereference(device_list_head_p)->curr = curr;
00641         }
00642         /* it is the current item -> return it */
00643         return (curr);
00644 }
00645 
00646 /************************************************************************** */
00647 /* The add_item() functions add an item to the list, set head.curr to it,   */
00648 /* and return a pointer to the item.                                        */
00649 /* These functions will NOT check, if there is already an item under the    */
00650 /* same ID! If this happens, the lookup functions will return the old item! */
00651 
00652 /* Create a device item without adding to list. No locking needed. */
00653 static struct rsbac_acl_device_list_item_t
00654 *create_device_item(kdev_t kdev)
00655 {
00656         struct rsbac_acl_device_list_item_t *new_item_p;
00657 
00658         /* allocate memory for new device, return NULL, if failed */
00659         if (!(new_item_p = (struct rsbac_acl_device_list_item_t *)
00660               rsbac_kmalloc(sizeof(*new_item_p))))
00661                 return (NULL);
00662 
00663         memset(new_item_p, 0, sizeof(*new_item_p));
00664         new_item_p->id = kdev;
00665         new_item_p->mount_count = 1;
00666         return (new_item_p);
00667 }
00668 
00669 /* Add an existing device item to list. Locking needed. */
00670 static struct rsbac_acl_device_list_item_t
00671 *add_device_item(struct rsbac_acl_device_list_item_t *device_p)
00672 {
00673         struct rsbac_acl_device_list_head_t * new_p;
00674 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00675         struct rsbac_acl_device_list_head_t * old_p;
00676 #else
00677         u_long flags;
00678 #endif
00679 
00680         if (!device_p)
00681                 return (NULL);
00682 
00683 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00684         spin_lock(&device_list_lock);
00685         old_p = device_list_head_p;
00686         new_p = rsbac_kmalloc(sizeof(*new_p));
00687         *new_p = *old_p;
00688 #else
00689         rsbac_write_lock(&device_list_lock, &flags);
00690         new_p = device_list_head_p;
00691 #endif
00692         /* add new device to device list */
00693         if (!new_p->head) {     /* first device */
00694                 new_p->head = device_p;
00695                 new_p->tail = device_p;
00696                 new_p->curr = device_p;
00697                 new_p->count = 1;
00698                 device_p->prev = NULL;
00699                 device_p->next = NULL;
00700         } else {                /* there is another device -> hang to tail */
00701                 device_p->prev = new_p->tail;
00702                 device_p->next = NULL;
00703                 new_p->tail->next = device_p;
00704                 new_p->tail = device_p;
00705                 new_p->curr = device_p;
00706                 new_p->count++;
00707         }
00708 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00709         rcu_assign_pointer(device_list_head_p, new_p);
00710         spin_unlock(&device_list_lock);
00711         synchronize_rcu();
00712         rsbac_kfree(old_p);
00713 #else
00714         rsbac_write_unlock(&device_list_lock, &flags);
00715 #endif
00716         return (device_p);
00717 }
00718 
00719 /************************************************************************** */
00720 /* The remove_item() functions remove an item from the list. If this item   */
00721 /* is head, tail or curr, these pointers are set accordingly.               */
00722 /* To speed up removing several subsequent items, curr is set to the next   */
00723 /* item, if possible.                                                       */
00724 /* If the item is not found, nothing is done.                               */
00725 
00726 static void clear_device_item(struct rsbac_acl_device_list_item_t
00727                               *device_p)
00728 {
00729         if (!device_p)
00730                 return;
00731 
00732         /* now we can remove the item from memory. This means cleaning up */
00733         acl_detach_fd_lists(device_p);
00734         /* OK, lets remove the device item itself */
00735         rsbac_kfree(device_p);
00736 }                               /* end of clear_device_item() */
00737 
00738 static void remove_device_item(kdev_t kdev)
00739 {
00740         struct rsbac_acl_device_list_item_t *item_p;
00741         struct rsbac_acl_device_list_head_t * new_p;
00742         #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00743         struct rsbac_acl_device_list_head_t * old_p;
00744         #endif
00745                
00746 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00747         old_p = device_list_head_p;
00748         new_p = rsbac_kmalloc(sizeof(*new_p));
00749         *new_p = *old_p;
00750 #else
00751         new_p = device_list_head_p;
00752 #endif
00753 
00754         /* first we must locate the item. */
00755         if ((item_p = acl_lookup_device(kdev))) {       /* ok, item was found */
00756                 if (new_p->head == item_p) {    /* item is head */
00757                         if (new_p->tail == item_p) {    /* item is head and tail = only item -> list will be empty */
00758                                 new_p->head = NULL;
00759                                 new_p->tail = NULL;
00760                         } else {        /* item is head, but not tail -> next item becomes head */
00761                                 item_p->next->prev = NULL;
00762                                 new_p->head = item_p->next;
00763                         }
00764                 } else {        /* item is not head */
00765                         if (new_p->tail == item_p) {    /*item is not head, but tail -> previous item becomes tail */
00766                                 item_p->prev->next = NULL;
00767                                 new_p->tail = item_p->prev;
00768                         } else {        /* item is neither head nor tail -> item is cut out */
00769                                 item_p->prev->next = item_p->next;
00770                                 item_p->next->prev = item_p->prev;
00771                         }
00772                 }
00773 
00774                 /* curr is no longer valid -> reset.                              */
00775                 new_p->curr = NULL;
00776                 /* adjust counter */
00777                 new_p->count--;
00778 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00779                 rcu_assign_pointer(device_list_head_p, new_p);
00780                 spin_unlock(&device_list_lock);
00781                 synchronize_rcu();
00782                 rsbac_kfree(old_p);
00783 #endif
00784 
00785                 /* now we can remove the item from memory. This means cleaning up */
00786                 /* everything below. */
00787                 clear_device_item(item_p);
00788         }                       /* end of if: item was found */
00789 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00790         else
00791                 spin_unlock(&device_list_lock);
00792 #endif
00793 }
00794 
00795 /************************************************* */
00796 /*               proc functions                    */
00797 /************************************************* */
00798 
00799 #if defined(CONFIG_RSBAC_PROC)
00800 static int
00801 acl_devices_proc_info(char *buffer, char **start, off_t offset, int length)
00802 {
00803         int len = 0;
00804         off_t pos = 0;
00805         off_t begin = 0;
00806         struct rsbac_acl_device_list_item_t *device_p;
00807 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
00808         u_long dflags;
00809 #endif
00810 
00811         if (!rsbac_is_initialized())
00812                 return (-ENOSYS);
00813 
00814         len +=
00815             sprintf(buffer, "%u RSBAC ACL Devices\n-------------------\n",
00816                     rcu_dereference(device_list_head_p)->count);
00817 
00818         /* wait for read access to device_list_head */
00819 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00820         rcu_read_lock();
00821 #else
00822         rsbac_read_lock(&device_list_lock, &dflags);
00823 #endif
00824         /* OK, go on */
00825         for (device_p = rcu_dereference(device_list_head_p)->head; device_p;
00826              device_p = device_p->next) {
00827                 len +=
00828                     sprintf(buffer + len,
00829                             "%02u:%02u with mount_count = %u\n",
00830                             RSBAC_MAJOR(device_p->id),
00831                             RSBAC_MINOR(device_p->id),
00832                             device_p->mount_count);
00833                 pos = begin + len;
00834                 if (pos < offset) {
00835                         len = 0;
00836                         begin = pos;
00837                 }
00838                 if (pos > offset + length)
00839                         break;
00840         }
00841 
00842 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00843         rcu_read_unlock();
00844 #else
00845         rsbac_read_unlock(&device_list_lock, &dflags);
00846 #endif
00847 
00848         *start = buffer + (offset - begin);
00849         len -= (offset - begin);
00850 
00851         if (len > length)
00852                 len = length;
00853         return len;
00854 }
00855 
00856 static int
00857 stats_acl_proc_info(char *buffer, char **start, off_t offset, int length)
00858 {
00859         u_int len = 0;
00860         off_t pos = 0;
00861         off_t begin = 0;
00862         u_int item_count = 0;
00863         u_int member_count = 0;
00864         struct rsbac_acl_device_list_item_t *device_p;
00865         union rsbac_target_id_t rsbac_target_id;
00866         union rsbac_attribute_value_t rsbac_attribute_value;
00867 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
00868         u_long dflags;
00869 #endif
00870 
00871         if (!rsbac_is_initialized()) {
00872                 rsbac_printk(KERN_WARNING "stats_acl_proc_info(): RSBAC not initialized\n");
00873                 return (-RSBAC_ENOTINITIALIZED);
00874         }
00875         rsbac_pr_debug(aef_acl, "calling ADF\n");
00876         rsbac_target_id.scd = ST_rsbac;
00877         rsbac_attribute_value.dummy = 0;
00878         if (!rsbac_adf_request(R_GET_STATUS_DATA,
00879                                current->pid,
00880                                T_SCD,
00881                                rsbac_target_id,
00882                                A_none, rsbac_attribute_value)) {
00883                 return -EPERM;
00884         }
00885 
00886         len += sprintf(buffer, "ACL Status\n-----------\n");
00887 
00888         /* protect device list */
00889 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00890         rcu_read_lock();
00891 #else
00892         rsbac_read_lock(&device_list_lock, &dflags);
00893 #endif
00894         device_p = rcu_dereference(device_list_head_p)->head;
00895         while (device_p) {
00896                 item_count = rsbac_list_lol_count(device_p->handle);
00897                 member_count = rsbac_list_lol_all_subcount(device_p->handle);
00898                 len +=
00899                     sprintf(buffer + len,
00900                             "device %02u:%02u has %i file ACLs, sum of %i members\n",
00901                             RSBAC_MAJOR(device_p->id),
00902                             RSBAC_MINOR(device_p->id), item_count,
00903                             member_count);
00904                 pos = begin + len;
00905                 if (pos < offset) {
00906                         len = 0;
00907                         begin = pos;
00908                 }
00909                 if (pos > offset + length) {
00910 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00911                         rcu_read_unlock();
00912 #else
00913                         rsbac_read_unlock(&device_list_lock, &dflags);
00914 #endif
00915                         goto out;
00916                 }
00917                 device_p = device_p->next;
00918         }
00919         /* unprotect device list */
00920 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00921         rcu_read_unlock();
00922 #else
00923         rsbac_read_unlock(&device_list_lock, &dflags);
00924 #endif
00925 
00926         /* dev list */
00927         len +=
00928             sprintf(buffer + len,
00929                     "%li device ACL items, sum of %li members\n",
00930                     rsbac_list_lol_count(dev_handle),
00931                     rsbac_list_lol_all_subcount(dev_handle));
00932         pos = begin + len;
00933         if (pos < offset) {
00934                 len = 0;
00935                 begin = pos;
00936         }
00937         if (pos > offset + length)
00938                 goto out;
00939         len +=
00940             sprintf(buffer + len,
00941                     "%li device major ACL items, sum of %li members\n",
00942                     rsbac_list_lol_count(dev_major_handle),
00943                     rsbac_list_lol_all_subcount(dev_major_handle));
00944         pos = begin + len;
00945         if (pos < offset) {
00946                 len = 0;
00947                 begin = pos;
00948         }
00949         if (pos > offset + length)
00950                 goto out;
00951 
00952         /* SCD list */
00953         len +=
00954             sprintf(buffer + len,
00955                     "%li scd ACL items, sum of %li members\n",
00956                     rsbac_list_lol_count(scd_handle),
00957                     rsbac_list_lol_all_subcount(scd_handle));
00958         pos = begin + len;
00959         if (pos < offset) {
00960                 len = 0;
00961                 begin = pos;
00962         }
00963         if (pos > offset + length)
00964                 goto out;
00965 
00966         /* user list */
00967         len +=
00968             sprintf(buffer + len,
00969                     "%li user ACL items, sum of %li members\n",
00970                     rsbac_list_lol_count(u_handle),
00971                     rsbac_list_lol_all_subcount(u_handle));
00972         pos = begin + len;
00973         if (pos < offset) {
00974                 len = 0;
00975                 begin = pos;
00976         }
00977         if (pos > offset + length)
00978                 goto out;
00979 
00980 #ifdef CONFIG_RSBAC_ACL_UM_PROT
00981         /* Linux group list */
00982         len +=
00983             sprintf(buffer + len,
00984                     "%li Linux group ACL items, sum of %li members\n",
00985                     rsbac_list_lol_count(g_handle),
00986                     rsbac_list_lol_all_subcount(g_handle));
00987         pos = begin + len;
00988         if (pos < offset) {
00989                 len = 0;
00990                 begin = pos;
00991         }
00992         if (pos > offset + length)
00993                 goto out;
00994 #endif
00995 
00996 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
00997         /* netdev list */
00998         len +=
00999             sprintf(buffer + len,
01000                     "%li network device ACL items, sum of %li members\n",
01001                     rsbac_list_lol_count(netdev_handle),
01002                     rsbac_list_lol_all_subcount(netdev_handle));
01003         pos = begin + len;
01004         if (pos < offset) {
01005                 len = 0;
01006                 begin = pos;
01007         }
01008         if (pos > offset + length)
01009                 goto out;
01010 #endif
01011 
01012 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
01013         /* nettemp_nt list */
01014         len +=
01015             sprintf(buffer + len,
01016                     "%li network template NT ACL items, sum of %li members\n",
01017                     rsbac_list_lol_count(nettemp_nt_handle),
01018                     rsbac_list_lol_all_subcount(nettemp_nt_handle));
01019         pos = begin + len;
01020         if (pos < offset) {
01021                 len = 0;
01022                 begin = pos;
01023         }
01024         if (pos > offset + length)
01025                 goto out;
01026         /* nettemp list */
01027         len +=
01028             sprintf(buffer + len,
01029                     "%li network template ACL items, sum of %li members\n",
01030                     rsbac_list_lol_count(nettemp_handle),
01031                     rsbac_list_lol_all_subcount(nettemp_handle));
01032         pos = begin + len;
01033         if (pos < offset) {
01034                 len = 0;
01035                 begin = pos;
01036         }
01037         if (pos > offset + length)
01038                 goto out;
01039         /* netobj list */
01040         len +=
01041             sprintf(buffer + len,
01042                     "%li network object ACL items, sum of %li members\n",
01043                     rsbac_list_lol_count(netobj_handle),
01044                     rsbac_list_lol_all_subcount(netobj_handle));
01045         pos = begin + len;
01046         if (pos < offset) {
01047                 len = 0;
01048                 begin = pos;
01049         }
01050         if (pos > offset + length)
01051                 goto out;
01052 #endif
01053 
01054         len += sprintf(buffer + len, "%li groups, last new is %u\n",
01055                        rsbac_list_count(group_handle), group_last_new);
01056         pos = begin + len;
01057         if (pos < offset) {
01058                 len = 0;
01059                 begin = pos;
01060         }
01061         if (pos > offset + length)
01062                 goto out;
01063 
01064         /* protect gm list */
01065         len +=
01066             sprintf(buffer + len,
01067                     "%li group member items, sum of %li group memberships\n",
01068                     rsbac_list_lol_count(gm_handle),
01069                     rsbac_list_lol_all_subcount(gm_handle));
01070         pos = begin + len;
01071         if (pos < offset) {
01072                 len = 0;
01073                 begin = pos;
01074         }
01075         if (pos > offset + length)
01076                 goto out;
01077 
01078       out:
01079         *start = buffer + (offset - begin);
01080         len -= (offset - begin);
01081 
01082         if (len > length)
01083                 len = length;
01084         return len;
01085 }
01086 
01087 static int
01088 acl_acllist_proc_info(char *buffer, char **start, off_t offset, int length)
01089 {
01090         u_int len = 0;
01091         off_t pos = 0;
01092         off_t begin = 0;
01093 
01094         u_int i, j, k;
01095         char tmp1[80], tmp2[80];
01096         u_int count = 0;
01097         int tmp_count;
01098         int tmp_sub_count;
01099         u_int member_count = 0;
01100         struct rsbac_acl_device_list_item_t *device_p;
01101         rsbac_inode_nr_t *fd_desc_p;
01102         struct rsbac_dev_desc_t *dev_desc_p;
01103         __u8 *scd_desc_p;
01104         rsbac_uid_t *u_desc_p;
01105 #ifdef CONFIG_RSBAC_ACL_UM_PROT
01106         rsbac_gid_t *g_desc_p;
01107 #endif
01108 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
01109         rsbac_netdev_id_t *netdev_desc_p;
01110 #endif
01111 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
01112         rsbac_net_temp_id_t *nettemp_desc_p;
01113         rsbac_net_obj_id_t *netobj_desc_p;
01114 #endif
01115         struct rsbac_acl_entry_desc_t *sub_desc_p;
01116         rsbac_acl_rights_vector_t rights;
01117         union rsbac_target_id_t rsbac_target_id;
01118         union rsbac_attribute_value_t rsbac_attribute_value;
01119 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
01120         u_long dflags;
01121 #endif
01122 
01123         if (!rsbac_is_initialized()) {
01124                 rsbac_printk(KERN_WARNING "acl_acllist_proc_info(): RSBAC not initialized\n");
01125                 return (-RSBAC_ENOTINITIALIZED);
01126         }
01127         rsbac_pr_debug(aef_acl, "calling ADF\n");
01128         rsbac_target_id.scd = ST_rsbac;
01129         rsbac_attribute_value.dummy = 0;
01130         if (!rsbac_adf_request(R_GET_STATUS_DATA,
01131                                current->pid,
01132                                T_SCD,
01133                                rsbac_target_id,
01134                                A_none, rsbac_attribute_value)) {
01135                 return -EPERM;
01136         }
01137 
01138         len += sprintf(buffer, "ACL Lists\n----------\n");
01139 
01140         len += sprintf(buffer + len,
01141                        "Default FD ACL:          %li members:",
01142                        rsbac_list_count(default_fd_handle));
01143         pos = begin + len;
01144         if (pos < offset) {
01145                 len = 0;
01146                 begin = pos;
01147         }
01148         if (pos > offset + length)
01149                 goto out;
01150         tmp_count =
01151             rsbac_list_get_all_desc(default_fd_handle,
01152                                     (void **) &sub_desc_p);
01153         if (tmp_count > 0) {
01154                 for (i = 0; i < tmp_count; i++) {
01155                         len += sprintf(buffer + len, " %s %u,",
01156                                        get_acl_subject_type_name(tmp1,
01157                                                                  sub_desc_p
01158                                                                  [i].
01159                                                                  subj_type),
01160                                        sub_desc_p[i].subj_id);
01161                         pos = begin + len;
01162                         if (pos < offset) {
01163                                 len = 0;
01164                                 begin = pos;
01165                         }
01166                         if (pos > offset + length) {
01167                                 rsbac_vfree(sub_desc_p);
01168                                 goto out;
01169                         }
01170                 }
01171                 rsbac_vfree(sub_desc_p);
01172         }
01173 
01174         /* default_dev list */
01175         len +=
01176             sprintf(buffer + len,
01177                     "\nDefault Device ACL:      %li members:",
01178                     rsbac_list_count(default_dev_handle));
01179         pos = begin + len;
01180         if (pos < offset) {
01181                 len = 0;
01182                 begin = pos;
01183         }
01184         if (pos > offset + length)
01185                 goto out;
01186         tmp_count =
01187             rsbac_list_get_all_desc(default_dev_handle,
01188                                     (void **) &sub_desc_p);
01189         if (tmp_count > 0) {
01190                 for (i = 0; i < tmp_count; i++) {
01191                         len += sprintf(buffer + len, " %s %u,",
01192                                        get_acl_subject_type_name(tmp1,
01193                                                                  sub_desc_p
01194                                                                  [i].
01195                                                                  subj_type),
01196                                        sub_desc_p[i].subj_id);
01197                         pos = begin + len;
01198                         if (pos < offset) {
01199                                 len = 0;
01200                                 begin = pos;
01201                         }
01202                         if (pos > offset + length) {
01203                                 rsbac_vfree(sub_desc_p);
01204                                 goto out;
01205                         }
01206                 }
01207                 rsbac_vfree(sub_desc_p);
01208         }
01209 
01210         /* default_ipc_list */
01211         len +=
01212             sprintf(buffer + len,
01213                     "\nDefault IPC ACL:         %li members:",
01214                     rsbac_list_count(default_ipc_handle));
01215         pos = begin + len;
01216         if (pos < offset) {
01217                 len = 0;
01218                 begin = pos;
01219         }
01220         if (pos > offset + length)
01221                 goto out;
01222         tmp_count =
01223             rsbac_list_get_all_desc(default_ipc_handle,
01224                                     (void **) &sub_desc_p);
01225         if (tmp_count > 0) {
01226                 for (i = 0; i < tmp_count; i++) {
01227                         len += sprintf(buffer + len, " %s %u,",
01228                                        get_acl_subject_type_name(tmp1,
01229                                                                  sub_desc_p
01230                                                                  [i].
01231                                                                  subj_type),
01232                                        sub_desc_p[i].subj_id);
01233                         pos = begin + len;
01234                         if (pos < offset) {
01235                                 len = 0;
01236                                 begin = pos;
01237                         }
01238                         if (pos > offset + length) {
01239                                 rsbac_vfree(sub_desc_p);
01240                                 goto out;
01241                         }
01242                 }
01243                 rsbac_vfree(sub_desc_p);
01244         }
01245 
01246         /* default_scd_list */
01247         len +=
01248             sprintf(buffer + len,
01249                     "\nDefault SCD ACL:         %li members:",
01250                     rsbac_list_count(default_scd_handle));
01251         pos = begin + len;
01252         if (pos < offset) {
01253                 len = 0;
01254                 begin = pos;
01255         }
01256         if (pos > offset + length)
01257                 goto out;
01258         tmp_count =
01259             rsbac_list_get_all_desc(default_scd_handle,
01260                                     (void **) &sub_desc_p);
01261         if (tmp_count > 0) {
01262                 for (i = 0; i < tmp_count; i++) {
01263                         len += sprintf(buffer + len, " %s %u,",
01264                                        get_acl_subject_type_name(tmp1,
01265                                                                  sub_desc_p
01266                                                                  [i].
01267                                                                  subj_type),
01268                                        sub_desc_p[i].subj_id);
01269                         pos = begin + len;
01270                         if (pos < offset) {
01271                                 len = 0;
01272                                 begin = pos;
01273                         }
01274                         if (pos > offset + length) {
01275                                 rsbac_vfree(sub_desc_p);
01276                                 goto out;
01277                         }
01278                 }
01279                 rsbac_vfree(sub_desc_p);
01280         }
01281 
01282         /* default_u_list */
01283         len +=
01284             sprintf(buffer + len,
01285                     "\nDefault User ACL:        %li members:",
01286                     rsbac_list_count(default_u_handle));
01287         pos = begin + len;
01288         if (pos < offset) {
01289                 len = 0;
01290                 begin = pos;
01291         }
01292         if (pos > offset + length)
01293                 goto out;
01294         tmp_count =
01295             rsbac_list_get_all_desc(default_u_handle,
01296                                     (void **) &sub_desc_p);
01297         if (tmp_count > 0) {
01298                 for (i = 0; i < tmp_count; i++) {
01299                         len += sprintf(buffer + len, " %s %u,",
01300                                        get_acl_subject_type_name(tmp1,
01301                                                                  sub_desc_p
01302                                                                  [i].
01303                                                                  subj_type),
01304                                        sub_desc_p[i].subj_id);
01305                         pos = begin + len;
01306                         if (pos < offset) {
01307                                 len = 0;
01308                                 begin = pos;
01309                         }
01310                         if (pos > offset + length) {
01311                                 rsbac_vfree(sub_desc_p);
01312                                 goto out;
01313                         }
01314                 }
01315                 rsbac_vfree(sub_desc_p);
01316         }
01317 
01318         /* default_p list */
01319         len +=
01320             sprintf(buffer + len,
01321                     "\nDefault Process ACL:     %li members:",
01322                     rsbac_list_count(default_p_handle));
01323         pos = begin + len;
01324         if (pos < offset) {
01325                 len = 0;
01326                 begin = pos;
01327         }
01328         if (pos > offset + length)
01329                 goto out;
01330         tmp_count =
01331             rsbac_list_get_all_desc(default_p_handle,
01332                                     (void **) &sub_desc_p);
01333         if (tmp_count > 0) {
01334                 for (i = 0; i < tmp_count; i++) {
01335                         len += sprintf(buffer + len, " %s %u,",
01336                                        get_acl_subject_type_name(tmp1,
01337                                                                  sub_desc_p
01338                                                                  [i].
01339                                                                  subj_type),
01340                                        sub_desc_p[i].subj_id);
01341                         pos = begin + len;
01342                         if (pos < offset) {
01343                                 len = 0;
01344                                 begin = pos;
01345                         }
01346                         if (pos > offset + length) {
01347                                 rsbac_vfree(sub_desc_p);
01348                                 goto out;
01349                         }
01350                 }
01351                 rsbac_vfree(sub_desc_p);
01352         }
01353 #ifdef CONFIG_RSBAC_ACL_UM_PROT
01354         /* default_g_list */
01355         len +=
01356             sprintf(buffer + len,
01357                     "\nDefault Linux Group ACL: %li members:",
01358                     rsbac_list_count(default_g_handle));
01359         pos = begin + len;
01360         if (pos < offset) {
01361                 len = 0;
01362                 begin = pos;
01363         }
01364         if (pos > offset + length)
01365                 goto out;
01366         tmp_count =
01367             rsbac_list_get_all_desc(default_g_handle,
01368                                     (void **) &sub_desc_p);
01369         if (tmp_count > 0) {
01370                 for (i = 0; i < tmp_count; i++) {
01371                         len += sprintf(buffer + len, " %s %u,",
01372                                        get_acl_subject_type_name(tmp1,
01373                                                                  sub_desc_p
01374                                                                  [i].
01375                                                                  subj_type),
01376                                        sub_desc_p[i].subj_id);
01377                         pos = begin + len;
01378                         if (pos < offset) {
01379                                 len = 0;
01380                                 begin = pos;
01381                         }
01382                         if (pos > offset + length) {
01383                                 rsbac_vfree(sub_desc_p);
01384                                 goto out;
01385                         }
01386                 }
01387                 rsbac_vfree(sub_desc_p);
01388         }
01389 #endif
01390 
01391 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
01392         /* default_netdev list */
01393         len +=
01394             sprintf(buffer + len,
01395                     "\nDefault Network Device ACL:      %li members:",
01396                     rsbac_list_count(default_netdev_handle));
01397         pos = begin + len;
01398         if (pos < offset) {
01399                 len = 0;
01400                 begin = pos;
01401         }
01402         if (pos > offset + length)
01403                 goto out;
01404         tmp_count =
01405             rsbac_list_get_all_desc(default_netdev_handle,
01406                                     (void **) &sub_desc_p);
01407         if (tmp_count > 0) {
01408                 for (i = 0; i < tmp_count; i++) {
01409                         len += sprintf(buffer + len, " %s %u,",
01410                                        get_acl_subject_type_name(tmp1,
01411                                                                  sub_desc_p
01412                                                                  [i].
01413                                                                  subj_type),
01414                                        sub_desc_p[i].subj_id);
01415                         pos = begin + len;
01416                         if (pos < offset) {
01417                                 len = 0;
01418                                 begin = pos;
01419                         }
01420                         if (pos > offset + length) {
01421                                 rsbac_vfree(sub_desc_p);
01422                                 goto out;
01423                         }
01424                 }
01425                 rsbac_vfree(sub_desc_p);
01426         }
01427 #endif
01428 
01429 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
01430         /* default_netdev list */
01431         len +=
01432             sprintf(buffer + len,
01433                     "\nDefault Network Template NT ACL: %li members:",
01434                     rsbac_list_count(default_nettemp_nt_handle));
01435         pos = begin + len;
01436         if (pos < offset) {
01437                 len = 0;
01438                 begin = pos;
01439         }
01440         if (pos > offset + length)
01441                 goto out;
01442         tmp_count =
01443             rsbac_list_get_all_desc(default_nettemp_nt_handle,
01444                                     (void **) &sub_desc_p);
01445         if (tmp_count > 0) {
01446                 for (i = 0; i < tmp_count; i++) {
01447                         len += sprintf(buffer + len, " %s %u,",
01448                                        get_acl_subject_type_name(tmp1,
01449                                                                  sub_desc_p
01450                                                                  [i].
01451                                                                  subj_type),
01452                                        sub_desc_p[i].subj_id);
01453                         pos = begin + len;
01454                         if (pos < offset) {
01455                                 len = 0;
01456                                 begin = pos;
01457                         }
01458                         if (pos > offset + length) {
01459                                 rsbac_vfree(sub_desc_p);
01460                                 goto out;
01461                         }
01462                 }
01463                 rsbac_vfree(sub_desc_p);
01464         }
01465         /* default_netobj list */
01466         len +=
01467             sprintf(buffer + len,
01468                     "\nDefault Network Object ACL:      %li members:",
01469                     rsbac_list_count(default_netobj_handle));
01470         pos = begin + len;
01471         if (pos < offset) {
01472                 len = 0;
01473                 begin = pos;
01474         }
01475         if (pos > offset + length)
01476                 goto out;
01477         tmp_count =
01478             rsbac_list_get_all_desc(default_netobj_handle,
01479                                     (void **) &sub_desc_p);
01480         if (tmp_count > 0) {
01481                 for (i = 0; i < tmp_count; i++) {
01482                         len += sprintf(buffer + len, " %s %u,",
01483                                        get_acl_subject_type_name(tmp1,
01484                                                                  sub_desc_p
01485                                                                  [i].
01486                                                                  subj_type),
01487                                        sub_desc_p[i].subj_id);
01488                         pos = begin + len;
01489                         if (pos < offset) {
01490                                 len = 0;
01491                                 begin = pos;
01492                         }
01493                         if (pos > offset + length) {
01494                                 rsbac_vfree(sub_desc_p);
01495                                 goto out;
01496                         }
01497                 }
01498                 rsbac_vfree(sub_desc_p);
01499         }
01500 #endif
01501 
01502         len += sprintf(buffer + len, "\n\nFile/Dir/Fifo/Symlink ACLs:\n");
01503         pos = begin + len;
01504         if (pos < offset) {
01505                 len = 0;
01506                 begin = pos;
01507         }
01508         if (pos > offset + length)
01509                 goto out;
01510 
01511         /* protect device list */
01512 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01513         rcu_read_lock();
01514 #else
01515         rsbac_read_lock(&device_list_lock, &dflags);
01516 #endif
01517         device_p = rcu_dereference(device_list_head_p)->head;
01518         while (device_p) {
01519                 /* reset counters */
01520                 count = 0;
01521                 member_count = 0;
01522                 len +=
01523                     sprintf(buffer + len,
01524                             "\nDevice %02u:%02u\n inode  count   mask+members",
01525                             RSBAC_MAJOR(device_p->id),
01526                             RSBAC_MINOR(device_p->id));
01527                 pos = begin + len;
01528                 if (pos < offset) {
01529                         len = 0;
01530                         begin = pos;
01531                 }
01532                 if (pos > offset + length) {
01533 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01534                         rcu_read_unlock();
01535 #else
01536                         rsbac_read_unlock(&device_list_lock, &dflags);
01537 #endif
01538                         goto out;
01539                 }
01540                 tmp_count = rsbac_list_lol_get_all_desc(device_p->handle,
01541                                                         (void **)
01542                                                         &fd_desc_p);
01543                 if (tmp_count > 0) {
01544                         for (j = 0; j < tmp_count; j++) {
01545                                 len +=
01546                                     sprintf(buffer + len,
01547                                             "\n%6u\t  %li\t",
01548                                             fd_desc_p[j],
01549                                             rsbac_list_lol_subcount
01550                                             (device_p->handle,
01551                                              &fd_desc_p[j]));
01552                                 pos = begin + len;
01553                                 if (pos < offset) {
01554                                         len = 0;
01555                                         begin = pos;
01556                                 }
01557                                 if (pos > offset + length) {
01558                                         rsbac_vfree(fd_desc_p);
01559 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01560                                         rcu_read_unlock();
01561 #else
01562                                         rsbac_read_unlock(&device_list_lock, &dflags);
01563 #endif
01564                                         goto out;
01565                                 }
01566                                 if (!rsbac_list_lol_get_data
01567                                     (device_p->handle,
01568                                      &fd_desc_p[j], &rights)) {
01569                                         len +=
01570                                             sprintf(buffer + len,
01571                                                     "%s\n\t\t",
01572                                                     u64tostracl
01573                                                     (tmp1,
01574                                                      rights));
01575                                         pos = begin + len;
01576                                         if (pos < offset) {
01577                                                 len = 0;
01578                                                 begin = pos;
01579                                         }
01580                                         if (pos > offset + length) {
01581                                                 rsbac_vfree
01582                                                     (fd_desc_p);
01583 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01584                                                 rcu_read_unlock();
01585 #else
01586                                                 rsbac_read_unlock(&device_list_lock, &dflags);
01587 #endif
01588                                                 goto out;
01589                                         }
01590                                 }
01591                                         tmp_sub_count =
01592                                     rsbac_list_lol_get_all_subdesc
01593                                     (device_p->handle,
01594                                      &fd_desc_p[j],
01595                                      (void **) &sub_desc_p);
01596                                 if (tmp_sub_count > 0) {
01597                                         for (k = 0;
01598                                              k < tmp_sub_count;
01599                                              k++) {
01600                                                 len +=
01601                                                     sprintf(buffer
01602                                                             + len,
01603                                                             "%s %u, ",
01604                                                             get_acl_subject_type_name
01605                                                             (tmp1,
01606                                                              sub_desc_p
01607                                                              [k].
01608                                                              subj_type),
01609                                                             sub_desc_p
01610                                                             [k].
01611                                                             subj_id);
01612                                                 pos = begin + len;
01613                                                 if (pos < offset) {
01614                                                         len = 0;
01615                                                         begin =
01616                                                             pos;
01617                                                 }
01618                                                 if (pos >
01619                                                     offset +
01620                                                     length) {
01621                                                         rsbac_vfree
01622                                                             (sub_desc_p);
01623                                                         rsbac_vfree
01624                                                             (fd_desc_p);
01625 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01626                                                         rcu_read_unlock();
01627 #else
01628                                                         rsbac_read_unlock(&device_list_lock, &dflags);
01629 #endif
01630                                                         goto out;
01631                                                 }
01632                                         }
01633                                         rsbac_vfree(sub_desc_p);
01634                                         member_count +=
01635                                             tmp_sub_count;
01636                                 }
01637                         }
01638                         count += tmp_count;
01639                         rsbac_vfree(fd_desc_p);
01640                 }
01641                 len +=
01642                     sprintf(buffer + len,
01643                             "\n%u file ACLs, sum of %u members\n", count,
01644                             member_count);
01645                 pos = begin + len;
01646                 if (pos < offset) {
01647                         len = 0;
01648                         begin = pos;
01649                 }
01650                 if (pos > offset + length) {
01651 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01652                         rcu_read_unlock();
01653 #else
01654                         rsbac_read_unlock(&device_list_lock, &dflags);
01655 #endif
01656                         goto out;
01657                 }
01658                 device_p = device_p->next;
01659         }
01660         /* unprotect device list */
01661 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01662         rcu_read_unlock();
01663 #else
01664         rsbac_read_unlock(&device_list_lock, &dflags);
01665 #endif
01666 
01667         /* dev list */
01668         len +=
01669             sprintf(buffer + len,
01670                     "\nDevice ACLs:\ntype+id  count  mask+members");
01671         pos = begin + len;
01672         if (pos < offset) {
01673                 len = 0;
01674                 begin = pos;
01675         }
01676         if (pos > offset + length)
01677                 goto out;
01678 
01679         member_count = 0;
01680         tmp_count =
01681             rsbac_list_lol_get_all_desc(dev_handle, (void **) &dev_desc_p);
01682         if (tmp_count > 0) {
01683                 for (i = 0; i < tmp_count; i++) {
01684                         if (!rsbac_list_lol_get_data
01685                             (dev_handle, &dev_desc_p[i], &rights)) {
01686                                 len +=
01687                                     sprintf(buffer + len,
01688                                             "\n%c%02u:%02u\t  %3li\t%s\n\t\t",
01689                                             'B' + dev_desc_p[i].type,
01690                                             dev_desc_p[i].major,
01691                                             dev_desc_p[i].minor,
01692                                             rsbac_list_lol_subcount
01693                                             (dev_handle, &dev_desc_p[i]),
01694                                             u64tostracl(tmp1, rights));
01695                                 pos = begin + len;
01696                                 if (pos < offset) {
01697                                         len = 0;
01698                                         begin = pos;
01699                                 }
01700                                 if (pos > offset + length) {
01701                                         rsbac_vfree(dev_desc_p);
01702                                         goto out;
01703                                 }
01704                         }
01705                         tmp_sub_count =
01706                             rsbac_list_lol_get_all_subdesc(dev_handle,
01707                                                            &dev_desc_p[i],
01708                                                            (void **)
01709                                                            &sub_desc_p);
01710                         if (tmp_sub_count > 0) {
01711                                 for (j = 0; j < tmp_sub_count; j++) {
01712                                         len +=
01713                                             sprintf(buffer + len,
01714                                                     "%s %u, ",
01715                                                     get_acl_subject_type_name
01716                                                     (tmp1,
01717                                                      sub_desc_p[j].
01718                                                      subj_type),
01719                                                     sub_desc_p[j].subj_id);
01720                                         pos = begin + len;
01721                                         if (pos < offset) {
01722                                                 len = 0;
01723                                                 begin = pos;
01724                                         }
01725                                         if (pos > offset + length) {
01726                                                 rsbac_vfree(sub_desc_p);
01727                                                 rsbac_vfree(dev_desc_p);
01728                                                 goto out;
01729                                         }
01730                                 }
01731                                 rsbac_vfree(sub_desc_p);
01732                                 member_count += tmp_sub_count;
01733                         }
01734                 }
01735                 rsbac_vfree(dev_desc_p);
01736         }
01737         len +=
01738             sprintf(buffer + len,
01739                     "\n\n%i device ACL items, sum of %u members\n",
01740                     tmp_count, member_count);
01741         pos = begin + len;
01742         if (pos < offset) {
01743                 len = 0;
01744                 begin = pos;
01745         }
01746         if (pos > offset + length)
01747                 goto out;
01748 
01749         /* dev major list */
01750         len +=
01751             sprintf(buffer + len,
01752                     "\nDevice major ACLs:\ntype+id  count  mask+members");
01753         pos = begin + len;
01754         if (pos < offset) {
01755                 len = 0;
01756                 begin = pos;
01757         }
01758         if (pos > offset + length)
01759                 goto out;
01760 
01761         member_count = 0;
01762         tmp_count =
01763             rsbac_list_lol_get_all_desc(dev_major_handle,
01764                                         (void **) &dev_desc_p);
01765         if (tmp_count > 0) {
01766                 for (i = 0; i < tmp_count; i++) {
01767                         if (!rsbac_list_lol_get_data
01768                             (dev_major_handle, &dev_desc_p[i], &rights)) {
01769                                 len +=
01770                                     sprintf(buffer + len,
01771                                             "\n%c%02u\t  %3li\t%s\n\t\t",
01772                                             'B' + dev_desc_p[i].type,
01773                                             dev_desc_p[i].major,
01774                                             rsbac_list_lol_subcount
01775                                             (dev_major_handle,
01776                                              &dev_desc_p[i]),
01777                                             u64tostracl(tmp1, rights));
01778                                 pos = begin + len;
01779                                 if (pos < offset) {
01780                                         len = 0;
01781                                         begin = pos;
01782                                 }
01783                                 if (pos > offset + length) {
01784                                         rsbac_vfree(dev_desc_p);
01785                                         goto out;
01786                                 }
01787                         }
01788                         tmp_sub_count =
01789                             rsbac_list_lol_get_all_subdesc
01790                             (dev_major_handle, &dev_desc_p[i],
01791                              (void **) &sub_desc_p);
01792                         if (tmp_sub_count > 0) {
01793                                 for (j = 0; j < tmp_sub_count; j++) {
01794                                         len +=
01795                                             sprintf(buffer + len,
01796                                                     "%s %u, ",
01797                                                     get_acl_subject_type_name
01798                                                     (tmp1,
01799                                                      sub_desc_p[j].
01800                                                      subj_type),
01801                                                     sub_desc_p[j].subj_id);
01802                                         pos = begin + len;
01803                                         if (pos < offset) {
01804                                                 len = 0;
01805                                                 begin = pos;
01806                                         }
01807                                         if (pos > offset + length) {
01808                                                 rsbac_vfree(sub_desc_p);
01809                                                 rsbac_vfree(dev_desc_p);
01810                                                 goto out;
01811                                         }
01812                                 }
01813                                 rsbac_vfree(sub_desc_p);
01814                                 member_count += tmp_sub_count;
01815                         }
01816                 }
01817                 rsbac_vfree(dev_desc_p);
01818         }
01819         len +=
01820             sprintf(buffer + len,
01821                     "\n\n%i device major ACL items, sum of %u members\n",
01822                     tmp_count, member_count);
01823         pos = begin + len;
01824         if (pos < offset) {
01825                 len = 0;
01826                 begin = pos;
01827         }
01828         if (pos > offset + length)
01829                 goto out;
01830 
01831         /* scd list */
01832         member_count = 0;
01833         len +=
01834             sprintf(buffer + len,
01835                     "\nSCD ACLs:\nname             count  mask+members");
01836         pos = begin + len;
01837         if (pos < offset) {
01838                 len = 0;
01839                 begin = pos;
01840         }
01841         if (pos > offset + length)
01842                 goto out;
01843 
01844         tmp_count =
01845             rsbac_list_lol_get_all_desc(scd_handle, (void **) &scd_desc_p);
01846         if (tmp_count > 0) {
01847                 for (i = 0; i < tmp_count; i++) {
01848                         if (!rsbac_list_lol_get_data
01849                             (scd_handle, &scd_desc_p[i], &rights)) {
01850                                 len +=
01851                                     sprintf(buffer + len,
01852                                             "\n%-16s  %3li\t%s\n\t\t\t",
01853                                             get_acl_scd_type_name(tmp1,
01854                                                                   scd_desc_p
01855                                                                   [i]),
01856                                             rsbac_list_lol_subcount
01857                                             (scd_handle, &scd_desc_p[i]),
01858                                             u64tostracl(tmp2, rights));
01859                                 pos = begin + len;
01860                                 if (pos < offset) {
01861                                         len = 0;
01862                                         begin = pos;
01863                                 }
01864                                 if (pos > offset + length) {
01865                                         rsbac_vfree(scd_desc_p);
01866                                         goto out;
01867                                 }
01868                         }
01869                         tmp_sub_count =
01870                             rsbac_list_lol_get_all_subdesc(scd_handle,
01871                                                            &scd_desc_p[i],
01872                                                            (void **)
01873                                                            &sub_desc_p);
01874                         if (tmp_sub_count > 0) {
01875                                 for (j = 0; j < tmp_sub_count; j++) {
01876                                         len +=
01877                                             sprintf(buffer + len,
01878                                                     "%s %u, ",
01879                                                     get_acl_subject_type_name
01880                                                     (tmp1,
01881                                                      sub_desc_p[j].
01882                                                      subj_type),
01883                                                     sub_desc_p[j].subj_id);
01884                                         pos = begin + len;
01885                                         if (pos < offset) {
01886                                                 len = 0;
01887                                                 begin = pos;
01888                                         }
01889                                         if (pos > offset + length) {
01890                                                 rsbac_vfree(sub_desc_p);
01891                                                 rsbac_vfree(scd_desc_p);
01892                                                 goto out;
01893                                         }
01894                                 }
01895                                 rsbac_vfree(sub_desc_p);
01896                                 member_count += tmp_sub_count;
01897                         }
01898                 }
01899                 rsbac_vfree(scd_desc_p);
01900         }
01901         len +=
01902             sprintf(buffer + len,
01903                     "\n\n%u SCD ACL items, sum of %u members\n", tmp_count,
01904                     member_count);
01905         pos = begin + len;
01906         if (pos < offset) {
01907                 len = 0;
01908                 begin = pos;
01909         }
01910         if (pos > offset + length)
01911                 goto out;
01912 
01913         /* user list */
01914         len +=
01915             sprintf(buffer + len,
01916                     "\nUser ACLs:\nuid      count  mask+members");
01917         pos = begin + len;
01918         if (pos < offset) {
01919                 len = 0;
01920                 begin = pos;
01921         }
01922         if (pos > offset + length)
01923                 goto out;
01924 
01925         member_count = 0;
01926         tmp_count =
01927             rsbac_list_lol_get_all_desc(u_handle, (void **) &u_desc_p);
01928         if (tmp_count > 0) {
01929                 for (i = 0; i < tmp_count; i++) {
01930                         if (!rsbac_list_lol_get_data
01931                             (u_handle, &u_desc_p[i], &rights)) {
01932                                 len +=
01933                                     sprintf(buffer + len,
01934                                             "\n%u\t  %3li\t%s\n\t\t",
01935                                             u_desc_p[i],
01936                                             rsbac_list_lol_subcount
01937                                             (u_handle, &u_desc_p[i]),
01938                                             u64tostracl(tmp1, rights));
01939                                 pos = begin + len;
01940                                 if (pos < offset) {
01941                                         len = 0;
01942                                         begin = pos;
01943                                 }
01944                                 if (pos > offset + length) {
01945                                         rsbac_vfree(dev_desc_p);
01946                                         goto out;
01947                                 }
01948                         }
01949                         tmp_sub_count =
01950                             rsbac_list_lol_get_all_subdesc(u_handle,
01951                                                            &u_desc_p[i],
01952                                                            (void **)
01953                                                            &sub_desc_p);
01954                         if (tmp_sub_count > 0) {
01955                                 for (j = 0; j < tmp_sub_count; j++) {
01956                                         len +=
01957                                             sprintf(buffer + len,
01958                                                     "%s %u, ",
01959                                                     get_acl_subject_type_name
01960                                                     (tmp1,
01961                                                      sub_desc_p[j].
01962                                                      subj_type),
01963                                                     sub_desc_p[j].subj_id);
01964                                         pos = begin + len;
01965                                         if (pos < offset) {
01966                                                 len = 0;
01967                                                 begin = pos;
01968                                         }
01969                                         if (pos > offset + length) {
01970                                                 rsbac_vfree(sub_desc_p);
01971                                                 rsbac_vfree(dev_desc_p);
01972                                                 goto out;
01973                                         }
01974                                 }
01975                                 rsbac_vfree(sub_desc_p);
01976                                 member_count += tmp_sub_count;
01977                         }
01978                 }
01979                 rsbac_vfree(u_desc_p);
01980         }
01981         len +=
01982             sprintf(buffer + len,
01983                     "\n\n%i user ACL items, sum of %u members\n",
01984                     tmp_count, member_count);
01985         pos = begin + len;
01986         if (pos < offset) {
01987                 len = 0;
01988                 begin = pos;
01989         }
01990         if (pos > offset + length)
01991                 goto out;
01992 
01993 #ifdef CONFIG_RSBAC_ACL_UM_PROT
01994         /* Linux group list */
01995         len +=
01996             sprintf(buffer + len,
01997                     "\nLinux group ACLs:\ngid      count  mask+members");
01998         pos = begin + len;
01999         if (pos < offset) {
02000                 len = 0;
02001                 begin = pos;
02002         }
02003         if (pos > offset + length)
02004                 goto out;
02005 
02006         member_count = 0;
02007         tmp_count =
02008             rsbac_list_lol_get_all_desc(g_handle, (void **) &g_desc_p);
02009         if (tmp_count > 0) {
02010                 for (i = 0; i < tmp_count; i++) {
02011                         if (!rsbac_list_lol_get_data
02012                             (g_handle, &g_desc_p[i], &rights)) {
02013                                 len +=
02014                                     sprintf(buffer + len,
02015                                             "\n%u\t  %3li\t%s\n\t\t",
02016                                             g_desc_p[i],
02017                                             rsbac_list_lol_subcount
02018                                             (g_handle, &g_desc_p[i]),
02019                                             u64tostracl(tmp1, rights));
02020                                 pos = begin + len;
02021                                 if (pos < offset) {
02022                                         len = 0;
02023                                         begin = pos;
02024                                 }
02025                                 if (pos > offset + length) {
02026                                         rsbac_vfree(dev_desc_p);
02027                                         goto out;
02028                                 }
02029                         }
02030                         tmp_sub_count =
02031                             rsbac_list_lol_get_all_subdesc(g_handle,
02032                                                            &g_desc_p[i],
02033                                                            (void **)
02034                                                            &sub_desc_p);
02035                         if (tmp_sub_count > 0) {
02036                                 for (j = 0; j < tmp_sub_count; j++) {
02037                                         len +=
02038                                             sprintf(buffer + len,
02039                                                     "%s %u, ",
02040                                                     get_acl_subject_type_name
02041                                                     (tmp1,
02042                                                      sub_desc_p[j].
02043                                                      subj_type),
02044                                                     sub_desc_p[j].subj_id);
02045                                         pos = begin + len;
02046                                         if (pos < offset) {
02047                                                 len = 0;
02048                                                 begin = pos;
02049                                         }
02050                                         if (pos > offset + length) {
02051                                                 rsbac_vfree(sub_desc_p);
02052                                                 rsbac_vfree(dev_desc_p);
02053                                                 goto out;
02054                                         }
02055                                 }
02056                                 rsbac_vfree(sub_desc_p);
02057                                 member_count += tmp_sub_count;
02058                         }
02059                 }
02060                 rsbac_vfree(g_desc_p);
02061         }
02062         len +=
02063             sprintf(buffer + len,
02064                     "\n\n%i Linux group ACL items, sum of %u members\n",
02065                     tmp_count, member_count);
02066         pos = begin + len;
02067         if (pos < offset) {
02068                 len = 0;
02069                 begin = pos;
02070         }
02071         if (pos > offset + length)
02072                 goto out;
02073 #endif
02074 
02075 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
02076         /* netdev list */
02077         len +=
02078             sprintf(buffer + len,
02079                     "\nNetwork Device ACLs:\nname\t\t count  mask+members");
02080         pos = begin + len;
02081         if (pos < offset) {
02082                 len = 0;
02083                 begin = pos;
02084         }
02085         if (pos > offset + length)
02086                 goto out;
02087 
02088         member_count = 0;
02089         tmp_count =
02090             rsbac_list_lol_get_all_desc(netdev_handle,
02091                                         (void **) &netdev_desc_p);
02092         if (tmp_count > 0) {
02093                 for (i = 0; i < tmp_count; i++) {
02094                         if (!rsbac_list_lol_get_data
02095                             (netdev_handle, &netdev_desc_p[i], &rights)) {
02096                                 len +=
02097                                     sprintf(buffer + len,
02098                                             "\n%-16s  %3li\t  %s\n\t\t",
02099                                             netdev_desc_p[i],
02100                                             rsbac_list_lol_subcount
02101                                             (netdev_handle,
02102                                              &netdev_desc_p[i]),
02103                                             u64tostracl(tmp1, rights));
02104                                 pos = begin + len;
02105                                 if (pos < offset) {
02106                                         len = 0;
02107                                         begin = pos;
02108                                 }
02109                                 if (pos > offset + length) {
02110                                         rsbac_vfree(netdev_desc_p);
02111                                         goto out;
02112                                 }
02113                         }
02114                         tmp_sub_count =
02115                             rsbac_list_lol_get_all_subdesc(netdev_handle,
02116                                                            &netdev_desc_p
02117                                                            [i],
02118                                                            (void **)
02119                                                            &sub_desc_p);
02120                         if (tmp_sub_count > 0) {
02121                                 for (j = 0; j < tmp_sub_count; j++) {
02122                                         len +=
02123                                             sprintf(buffer + len,
02124                                                     "%s %u, ",
02125                                                     get_acl_subject_type_name
02126                                                     (tmp1,
02127                                                      sub_desc_p[j].
02128                                                      subj_type),
02129                                                     sub_desc_p[j].subj_id);
02130                                         pos = begin + len;
02131                                         if (pos < offset) {
02132                                                 len = 0;
02133                                                 begin = pos;
02134                                         }
02135                                         if (pos > offset + length) {
02136                                                 rsbac_vfree(sub_desc_p);
02137                                                 rsbac_vfree(netdev_desc_p);
02138                                                 goto out;
02139                                         }
02140                                 }
02141                                 rsbac_vfree(sub_desc_p);
02142                                 member_count += tmp_sub_count;
02143                         }
02144                 }
02145                 rsbac_vfree(netdev_desc_p);
02146         }
02147         len +=
02148             sprintf(buffer + len,
02149                     "\n\n%i network device ACL items, sum of %u members\n",
02150                     tmp_count, member_count);
02151         pos = begin + len;
02152         if (pos < offset) {
02153                 len = 0;
02154                 begin = pos;
02155         }
02156         if (pos > offset + length)
02157                 goto out;
02158 #endif
02159 
02160 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
02161         /* nettemp_nt list */
02162         len +=
02163             sprintf(buffer + len,
02164                     "\nNetwork Template NT (template protection) ACLs:\nTemplate   count  mask+members");
02165         pos = begin + len;
02166         if (pos < offset) {
02167                 len = 0;
02168                 begin = pos;
02169         }
02170         if (pos > offset + length)
02171                 goto out;
02172 
02173         member_count = 0;
02174         tmp_count =
02175             rsbac_list_lol_get_all_desc(nettemp_nt_handle,
02176                                         (void **) &nettemp_desc_p);
02177         if (tmp_count > 0) {
02178                 for (i = 0; i < tmp_count; i++) {
02179                         if (!rsbac_list_lol_get_data
02180                             (nettemp_nt_handle, &nettemp_desc_p[i],
02181                              &rights)) {
02182                                 len +=
02183                                     sprintf(buffer + len,
02184                                             "\n%10u %3li\t%s\n\t\t",
02185                                             nettemp_desc_p[i],
02186                                             rsbac_list_lol_subcount
02187                                             (nettemp_nt_handle,
02188                                              &nettemp_desc_p[i]),
02189                                             u64tostracl(tmp1, rights));
02190                                 pos = begin + len;
02191                                 if (pos < offset) {
02192                                         len = 0;
02193                                         begin = pos;
02194                                 }
02195                                 if (pos > offset + length) {
02196                                         rsbac_vfree(nettemp_desc_p);
02197                                         goto out;
02198                                 }
02199                         }
02200                         tmp_sub_count =
02201                             rsbac_list_lol_get_all_subdesc
02202                             (nettemp_nt_handle, &nettemp_desc_p[i],
02203                              (void **) &sub_desc_p);
02204                         if (tmp_sub_count > 0) {
02205                                 for (j = 0; j < tmp_sub_count; j++) {
02206                                         len +=
02207                                             sprintf(buffer + len,
02208                                                     "%s %u, ",
02209                                                     get_acl_subject_type_name
02210                                                     (tmp1,
02211                                                      sub_desc_p[j].
02212                                                      subj_type),
02213                                                     sub_desc_p[j].subj_id);
02214                                         pos = begin + len;
02215                                         if (pos < offset) {
02216                                                 len = 0;
02217                                                 begin = pos;
02218                                         }
02219                                         if (pos > offset + length) {
02220                                                 rsbac_vfree(sub_desc_p);
02221                                                 rsbac_vfree
02222                                                     (nettemp_desc_p);
02223                                                 goto out;
02224                                         }
02225                                 }
02226                                 rsbac_vfree(sub_desc_p);
02227                                 member_count += tmp_sub_count;
02228                         }
02229                 }
02230                 rsbac_vfree(nettemp_desc_p);
02231         }
02232         len +=
02233             sprintf(buffer + len,
02234                     "\n\n%i network template NT ACL items, sum of %u members\n",
02235                     tmp_count, member_count);
02236         pos = begin + len;
02237         if (pos < offset) {
02238                 len = 0;
02239                 begin = pos;
02240         }
02241         if (pos > offset + length)
02242                 goto out;
02243 
02244         /* nettemp list */
02245         len +=
02246             sprintf(buffer + len,
02247                     "\nNetwork Template (netobj protection) ACLs:\nTemplate   count  mask+members");
02248         pos = begin + len;
02249         if (pos < offset) {
02250                 len = 0;
02251                 begin = pos;
02252         }
02253         if (pos > offset + length)
02254                 goto out;
02255 
02256         member_count = 0;
02257         tmp_count =
02258             rsbac_list_lol_get_all_desc(nettemp_handle,
02259                                         (void **) &nettemp_desc_p);
02260         if (tmp_count > 0) {
02261                 for (i = 0; i < tmp_count; i++) {
02262                         if (!rsbac_list_lol_get_data
02263                             (nettemp_handle, &nettemp_desc_p[i],
02264                              &rights)) {
02265                                 len +=
02266                                     sprintf(buffer + len,
02267                                             "\n%10u %3li\t%s\n\t\t",
02268                                             nettemp_desc_p[i],
02269                                             rsbac_list_lol_subcount
02270                                             (nettemp_handle,
02271                                              &nettemp_desc_p[i]),
02272                                             u64tostracl(tmp1, rights));
02273                                 pos = begin + len;
02274                                 if (pos < offset) {
02275                                         len = 0;
02276                                         begin = pos;
02277                                 }
02278                                 if (pos > offset + length) {
02279                                         rsbac_vfree(nettemp_desc_p);
02280                                         goto out;
02281                                 }
02282                         }
02283                         tmp_sub_count =
02284                             rsbac_list_lol_get_all_subdesc(nettemp_handle,
02285                                                            &nettemp_desc_p
02286                                                            [i],
02287                                                            (void **)
02288                                                            &sub_desc_p);
02289                         if (tmp_sub_count > 0) {
02290                                 for (j = 0; j < tmp_sub_count; j++) {
02291                                         len +=
02292                                             sprintf(buffer + len,
02293                                                     "%s %u, ",
02294                                                     get_acl_subject_type_name
02295                                                     (tmp1,
02296                                                      sub_desc_p[j].
02297                                                      subj_type),
02298                                                     sub_desc_p[j].subj_id);
02299                                         pos = begin + len;
02300                                         if (pos < offset) {
02301                                                 len = 0;
02302                                                 begin = pos;
02303                                         }
02304                                         if (pos > offset + length) {
02305                                                 rsbac_vfree(sub_desc_p);
02306                                                 rsbac_vfree
02307                                                     (nettemp_desc_p);
02308                                                 goto out;
02309                                         }
02310                                 }
02311                                 rsbac_vfree(sub_desc_p);
02312                                 member_count += tmp_sub_count;
02313                         }
02314                 }
02315                 rsbac_vfree(nettemp_desc_p);
02316         }
02317         len +=
02318             sprintf(buffer + len,
02319                     "\n\n%i network template ACL items, sum of %u members\n",
02320                     tmp_count, member_count);
02321         pos = begin + len;
02322         if (pos < offset) {
02323                 len = 0;
02324                 begin = pos;
02325         }
02326         if (pos > offset + length)
02327                 goto out;
02328 
02329         /* netobj list */
02330         len +=
02331             sprintf(buffer + len,
02332                     "\nNetwork Object ACLs:\nObject-ID count  mask+members");
02333         pos = begin + len;
02334         if (pos < offset) {
02335                 len = 0;
02336                 begin = pos;
02337         }
02338         if (pos > offset + length)
02339                 goto out;
02340 
02341         member_count = 0;
02342         tmp_count =
02343             rsbac_list_lol_get_all_desc(netobj_handle,
02344                                         (void **) &netobj_desc_p);
02345         if (tmp_count > 0) {
02346                 for (i = 0; i < tmp_count; i++) {
02347                         if (!rsbac_list_lol_get_data
02348                             (netobj_handle, &netobj_desc_p[i], &rights)) {
02349                                 len +=
02350                                     sprintf(buffer + len,
02351                                             "\n%p   %3li\t%s\n\t\t",
02352                                             netobj_desc_p[i],
02353                                             rsbac_list_lol_subcount
02354                                             (netobj_handle,
02355                                              &netobj_desc_p[i]),
02356                                             u64tostracl(tmp1, rights));
02357                                 pos = begin + len;
02358                                 if (pos < offset) {
02359                                         len = 0;
02360                                         begin = pos;
02361                                 }
02362                                 if (pos > offset + length) {
02363                                         rsbac_vfree(netobj_desc_p);
02364                                         goto out;
02365                                 }
02366                         }
02367                         tmp_sub_count =
02368                             rsbac_list_lol_get_all_subdesc(netobj_handle,
02369                                                            &netobj_desc_p
02370                                                            [i],
02371                                                            (void **)
02372                                                            &sub_desc_p);
02373                         if (tmp_sub_count > 0) {
02374                                 for (j = 0; j < tmp_sub_count; j++) {
02375                                         len +=
02376                                             sprintf(buffer + len,
02377                                                     "%s %u, ",
02378                                                     get_acl_subject_type_name
02379                                                     (tmp1,
02380                                                      sub_desc_p[j].
02381                                                      subj_type),
02382                                                     sub_desc_p[j].subj_id);
02383                                         pos = begin + len;
02384                                         if (pos < offset) {
02385                                                 len = 0;
02386                                                 begin = pos;
02387                                         }
02388                                         if (pos > offset + length) {
02389                                                 rsbac_vfree(sub_desc_p);
02390                                                 rsbac_vfree(netobj_desc_p);
02391                                                 goto out;
02392                                         }
02393                                 }
02394                                 rsbac_vfree(sub_desc_p);
02395                                 member_count += tmp_sub_count;
02396                         }
02397                 }
02398                 rsbac_vfree(netobj_desc_p);
02399         }
02400         len +=
02401             sprintf(buffer + len,
02402                     "\n\n%i network object ACL items, sum of %u members\n",
02403                     tmp_count, member_count);
02404         pos = begin + len;
02405         if (pos < offset) {
02406                 len = 0;
02407                 begin = pos;
02408         }
02409         if (pos > offset + length)
02410                 goto out;
02411 #endif
02412 
02413       out:
02414         *start = buffer + (offset - begin);
02415         len -= (offset - begin);
02416 
02417         if (len > length)
02418                 len = length;
02419         return len;
02420 }
02421 
02422 static int
02423 acl_grouplist_proc_info(char *buffer, char **start, off_t offset,
02424                         int length)
02425 {
02426         u_int len = 0;
02427         off_t pos = 0;
02428         off_t begin = 0;
02429 
02430         char type;
02431         int count, sub_count;
02432         int i, j;
02433         u_int member_count = 0;
02434         struct rsbac_acl_group_entry_t *entry_p;
02435         rsbac_uid_t *user_p;
02436         rsbac_acl_group_id_t *group_p;
02437         rsbac_time_t *ttl_p;
02438 
02439         union rsbac_target_id_t rsbac_target_id;
02440         union rsbac_attribute_value_t rsbac_attribute_value;
02441 
02442         if (!rsbac_is_initialized()) {
02443                 rsbac_printk(KERN_WARNING "acl_grouplist_proc_info(): RSBAC not initialized\n");
02444                 return (-RSBAC_ENOTINITIALIZED);
02445         }
02446         rsbac_pr_debug(aef_acl, "calling ADF\n");
02447         rsbac_target_id.scd = ST_rsbac;
02448         rsbac_attribute_value.dummy = 0;
02449         if (!rsbac_adf_request(R_GET_STATUS_DATA,
02450                                current->pid,
02451                                T_SCD,
02452                                rsbac_target_id,
02453                                A_none, rsbac_attribute_value)) {
02454                 return -EPERM;
02455         }
02456 
02457         len += sprintf(buffer, "ACL Groups\n----------\n");
02458 
02459         /* group list */
02460         len +=
02461             sprintf(buffer + len,
02462                     "Group list:  %li groups, last new is %u\nID\ttype name\t\towner\n",
02463                     rsbac_list_count(group_handle), group_last_new);
02464         pos = begin + len;
02465         if (pos < offset) {
02466                 len = 0;
02467                 begin = pos;
02468         }
02469         if (pos > offset + length) {
02470                 goto out;
02471         }
02472 
02473         count = rsbac_list_get_all_data(group_handle, (void **) &entry_p);
02474         if (count > 0) {
02475                 for (i = 0; i < count; i++) {
02476                         if (entry_p[i].type == ACLG_GLOBAL)
02477                                 type = 'G';
02478                         else
02479                                 type = 'P';
02480                         len +=
02481                             sprintf(buffer + len, "%u\t%c    %-18s %u\n",
02482                                     entry_p[i].id, type, entry_p[i].name,
02483                                     entry_p[i].owner);
02484                         pos = begin + len;
02485                         if (pos < offset) {
02486                                 len = 0;
02487                                 begin = pos;
02488                         }
02489                         if (pos > offset + length) {
02490                                 rsbac_vfree(entry_p);
02491                                 goto out;
02492                         }
02493                 }
02494                 rsbac_vfree(entry_p);
02495         }
02496 
02497         /* group member list */
02498         member_count = 0;
02499         len +=
02500             sprintf(buffer + len,
02501                     "\nGroup memberships:\nuser   count\tgroups");
02502         pos = begin + len;
02503         if (pos < offset) {
02504                 len = 0;
02505                 begin = pos;
02506         }
02507         if (pos > offset + length) {
02508                 goto out;
02509         }
02510 
02511         count = rsbac_list_lol_get_all_desc(gm_handle, (void **) &user_p);
02512         if (count > 0) {
02513                 for (i = 0; i < count; i++) {
02514                         sub_count =
02515                             rsbac_list_lol_get_all_subdesc_ttl(gm_handle,
02516                                                                &user_p[i],
02517                                                                (void **)
02518                                                                &group_p,
02519                                                                &ttl_p);
02520                         len +=
02521                             sprintf(buffer + len, "\n%u\t%i\t", user_p[i],
02522                                     sub_count);
02523                         pos = begin + len;
02524                         if (pos < offset) {
02525                                 len = 0;
02526                                 begin = pos;
02527                         }
02528                         if (pos > offset + length) {
02529                                 rsbac_vfree(user_p);
02530                                 goto out;
02531                         }
02532 
02533                         if (sub_count > 0) {
02534                                 for (j = 0; j < sub_count; j++) {
02535                                         if (ttl_p[j])
02536                                                 len +=
02537                                                     sprintf(buffer + len,
02538                                                             "%u(ttl:%i) ",
02539                                                             group_p[j],
02540                                                             ttl_p[j]);
02541                                         else
02542                                                 len +=
02543                                                     sprintf(buffer + len,
02544                                                             "%u ",
02545                                                             group_p[j]);
02546                                         pos = begin + len;
02547                                         if (pos < offset) {
02548                                                 len = 0;
02549                                                 begin = pos;
02550                                         }
02551                                         if (pos > offset + length) {
02552                                                 rsbac_vfree(group_p);
02553                                                 rsbac_vfree(user_p);
02554                                                 goto out;
02555                                         }
02556                                 }
02557                                 member_count += sub_count;
02558                                 rsbac_vfree(group_p);
02559                                 rsbac_vfree(ttl_p);
02560                         }
02561                 }
02562                 rsbac_vfree(user_p);
02563         }
02564         len +=
02565             sprintf(buffer + len,
02566                     "\n\n%u user items, sum of %u memberships\n", count,
02567                     member_count);
02568         pos = begin + len;
02569         if (pos < offset) {
02570                 len = 0;
02571                 begin = pos;
02572         }
02573         if (pos > offset + length)
02574                 goto out;
02575 
02576       out:
02577         *start = buffer + (offset - begin);
02578         len -= (offset - begin);
02579 
02580         if (len > length)
02581                 len = length;
02582         return len;
02583 }
02584 
02585 #endif
02586 
02587 
02588 /************************************************* */
02589 /*               Init functions                    */
02590 /************************************************* */
02591 
02592 /* All functions return 0, if no error occurred, and a negative error code  */
02593 /* otherwise. The error codes are defined in rsbac/error.h.                 */
02594 
02595 /************************************************************************** */
02596 /* Initialization of all ACL data structures. After this call, all ACL    */
02597 /* data is kept in memory for performance reasons, but is written to disk   */
02598 /* on every change. */
02599 
02600 #ifdef CONFIG_RSBAC_INIT_DELAY
02601 static void registration_error(int err, char *listname)
02602 #else
02603 static void __init registration_error(int err, char *listname)
02604 #endif
02605 {
02606         if (err) {
02607                 char *tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
02608 
02609                 if (tmp) {
02610                         rsbac_printk(KERN_WARNING "rsbac_init_acl(): Registering ACL %s list failed with error %s\n",
02611                                      listname, get_error_name(tmp, err));
02612                         rsbac_kfree(tmp);
02613                 }
02614         }
02615 }
02616 
02617 
02618 #ifdef CONFIG_RSBAC_INIT_DELAY
02619 void acl_create_def(void)
02620 #else
02621 void __init acl_create_def(void)
02622 #endif
02623 {
02624         if (!rsbac_list_count(default_fd_handle)) {
02625                 struct rsbac_acl_entry_desc_t desc;
02626                 struct rsbac_acl_entry_t acman_entry =
02627                     RSBAC_ACL_ACMAN_FD_ENTRY;
02628                 struct rsbac_acl_entry_t sysadm_entry =
02629                     RSBAC_ACL_SYSADM_FD_ENTRY;
02630                 struct rsbac_acl_entry_t gen_entry =
02631                     RSBAC_ACL_GENERAL_FD_ENTRY;
02632 
02633                 rsbac_printk(KERN_WARNING "rsbac_init_acl(): File/Dir default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02634                              RSBAC_MAJOR(rsbac_root_dev),
02635                              RSBAC_MINOR(rsbac_root_dev));
02636                 desc.subj_type = acman_entry.subj_type;
02637                 desc.subj_id = acman_entry.subj_id;
02638                 rsbac_list_add(default_fd_handle, &desc,
02639                                &acman_entry.rights);
02640                 desc.subj_type = sysadm_entry.subj_type;
02641                 desc.subj_id = sysadm_entry.subj_id;
02642                 rsbac_list_add(default_fd_handle, &desc,
02643                                &sysadm_entry.rights);
02644                 desc.subj_type = gen_entry.subj_type;
02645                 desc.subj_id = gen_entry.subj_id;
02646                 rsbac_list_add(default_fd_handle, &desc,
02647                                &gen_entry.rights);
02648         }
02649         if (!rsbac_list_count(default_dev_handle)) {
02650                 struct rsbac_acl_entry_desc_t desc;
02651                 struct rsbac_acl_entry_t acman_entry =
02652                     RSBAC_ACL_ACMAN_DEV_ENTRY;
02653                 struct rsbac_acl_entry_t sysadm_entry =
02654                     RSBAC_ACL_SYSADM_DEV_ENTRY;
02655                 struct rsbac_acl_entry_t gen_entry =
02656                     RSBAC_ACL_GENERAL_DEV_ENTRY;
02657 
02658                 rsbac_printk(KERN_WARNING "rsbac_init_acl(): Device default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02659                              RSBAC_MAJOR(rsbac_root_dev),
02660                              RSBAC_MINOR(rsbac_root_dev));
02661                 desc.subj_type = acman_entry.subj_type;
02662                 desc.subj_id = acman_entry.subj_id;
02663                 rsbac_list_add(default_dev_handle, &desc,
02664                                &acman_entry.rights);
02665                 desc.subj_type = sysadm_entry.subj_type;
02666                 desc.subj_id = sysadm_entry.subj_id;
02667                 rsbac_list_add(default_dev_handle, &desc,
02668                                &sysadm_entry.rights);
02669                 desc.subj_type = gen_entry.subj_type;
02670                 desc.subj_id = gen_entry.subj_id;
02671                 rsbac_list_add(default_dev_handle, &desc,
02672                                &gen_entry.rights);
02673         }
02674         if (!rsbac_list_count(default_ipc_handle)) {
02675                 struct rsbac_acl_entry_desc_t desc;
02676                 struct rsbac_acl_entry_t acman_entry =
02677                     RSBAC_ACL_ACMAN_IPC_ENTRY;
02678                 struct rsbac_acl_entry_t sysadm_entry =
02679                     RSBAC_ACL_SYSADM_IPC_ENTRY;
02680                 struct rsbac_acl_entry_t gen_entry =
02681                     RSBAC_ACL_GENERAL_IPC_ENTRY;
02682 
02683                 rsbac_printk(KERN_WARNING "rsbac_init_acl(): IPC default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02684                              RSBAC_MAJOR(rsbac_root_dev),
02685                              RSBAC_MINOR(rsbac_root_dev));
02686                 desc.subj_type = acman_entry.subj_type;
02687                 desc.subj_id = acman_entry.subj_id;
02688                 rsbac_list_add(default_ipc_handle, &desc,
02689                                &acman_entry.rights);
02690                 desc.subj_type = sysadm_entry.subj_type;
02691                 desc.subj_id = sysadm_entry.subj_id;
02692                 rsbac_list_add(default_ipc_handle, &desc,
02693                                &sysadm_entry.rights);
02694                 desc.subj_type = gen_entry.subj_type;
02695                 desc.subj_id = gen_entry.subj_id;
02696                 rsbac_list_add(default_ipc_handle, &desc,
02697                                &gen_entry.rights);
02698         }
02699         if (!rsbac_list_count(default_scd_handle)) {
02700                 struct rsbac_acl_entry_desc_t desc;
02701                 struct rsbac_acl_entry_t acman_entry =
02702                     RSBAC_ACL_ACMAN_SCD_ENTRY;
02703 
02704                 rsbac_printk(KERN_WARNING "rsbac_init_acl(): SCD default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02705                              RSBAC_MAJOR(rsbac_root_dev),
02706                              RSBAC_MINOR(rsbac_root_dev));
02707                 desc.subj_type = acman_entry.subj_type;
02708                 desc.subj_id = acman_entry.subj_id;
02709                 rsbac_list_add(default_scd_handle, &desc,
02710                                &acman_entry.rights);
02711         }
02712         if (!rsbac_list_lol_count(scd_handle)) {
02713                 struct rsbac_acl_entry_desc_t desc;
02714                 rsbac_acl_rights_vector_t mask =
02715                     RSBAC_ACL_DEFAULT_SCD_MASK;
02716                 struct rsbac_acl_entry_t gen_entry =
02717                     RSBAC_ACL_GENERAL_SCD_ENTRY;
02718 #ifdef CONFIG_RSBAC_USER_MOD_IOPERM
02719                 struct rsbac_acl_entry_t gen_ioports_entry =
02720                     RSBAC_ACL_GENERAL_SCD_IOPORTS_ENTRY;
02721 #endif
02722                 struct rsbac_acl_entry_t gen_other_entry =
02723                     RSBAC_ACL_GENERAL_SCD_OTHER_ENTRY;
02724                 struct rsbac_acl_entry_t gen_network_entry =
02725                     RSBAC_ACL_GENERAL_SCD_NETWORK_ENTRY;
02726                 struct rsbac_acl_entry_t sysadm_entry =
02727                     RSBAC_ACL_SYSADM_SCD_ENTRY;
02728                 struct rsbac_acl_entry_t sysadm_other_entry =
02729                     RSBAC_ACL_SYSADM_SCD_OTHER_ENTRY;
02730 #ifdef CONFIG_RSBAC_USER_MOD_IOPERM
02731                 struct rsbac_acl_entry_t sysadm_kmem_entry =
02732                     RSBAC_ACL_SYSADM_SCD_KMEM_ENTRY;
02733 #endif
02734                 struct rsbac_acl_entry_t acman_other_entry =
02735                     RSBAC_ACL_ACMAN_SCD_OTHER_ENTRY;
02736                 struct rsbac_acl_entry_t auditor_rsbaclog_entry =
02737                     RSBAC_ACL_AUDITOR_SCD_RSBACLOG_ENTRY;
02738                 __u8 scd;
02739 
02740                 rsbac_printk(KERN_WARNING "rsbac_init_acl(): SCD ACLs empty on dev %02u:%02u, generating standard entries!\n",
02741                              RSBAC_MAJOR(rsbac_root_dev),
02742                              RSBAC_MINOR(rsbac_root_dev));
02743                 scd = ST_rlimit;
02744                 if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02745                         desc.subj_type = gen_entry.subj_type;
02746                         desc.subj_id = gen_entry.subj_id;
02747                         rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02748                                               &gen_entry.rights);
02749                 }
02750                 for (scd = ST_time_strucs; scd <= ST_rsbac; scd++) {
02751                         if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02752                                 desc.subj_type = sysadm_entry.subj_type;
02753                                 desc.subj_id = sysadm_entry.subj_id;
02754                                 rsbac_list_lol_subadd(scd_handle, &scd,
02755                                                       &desc,
02756                                                       &sysadm_entry.
02757                                                       rights);
02758                         }
02759                 }
02760                 scd = ST_rsbac_log;
02761                 if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02762                         desc.subj_type = auditor_rsbaclog_entry.subj_type;
02763                         desc.subj_id = auditor_rsbaclog_entry.subj_id;
02764                         rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02765                                               &auditor_rsbaclog_entry.
02766                                               rights);
02767                 }
02768                 scd = ST_network;
02769                 if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02770                         desc.subj_type = sysadm_entry.subj_type;
02771                         desc.subj_id = sysadm_entry.subj_id;
02772                         rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02773                                               &sysadm_entry.rights);
02774                         desc.subj_type = gen_network_entry.subj_type;
02775                         desc.subj_id = gen_network_entry.subj_id;
02776                         rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02777                                               &gen_network_entry.rights);
02778                 }
02779                 scd = ST_firewall;
02780                 if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02781                         desc.subj_type = sysadm_entry.subj_type;
02782                         desc.subj_id = sysadm_entry.subj_id;
02783                         rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02784                                               &sysadm_entry.rights);
02785                         desc.subj_type = gen_network_entry.subj_type;
02786                         desc.subj_id = gen_network_entry.subj_id;
02787                         rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02788                                               &gen_network_entry.rights);
02789                 }
02790                 scd = ST_priority;
02791                 if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02792                         desc.subj_type = sysadm_entry.subj_type;
02793                         desc.subj_id = sysadm_entry.subj_id;
02794                         rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02795                                               &sysadm_entry.rights);
02796                 }
02797                 scd = ST_sysfs;
02798                 if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02799                         desc.subj_type = sysadm_entry.subj_type;
02800                         desc.subj_id = sysadm_entry.subj_id;
02801                         rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02802                                               &sysadm_entry.rights);
02803                 }
02804                 for (scd = ST_quota; scd < ST_none; scd++)
02805                         if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02806                                 desc.subj_type = sysadm_entry.subj_type;
02807                                 desc.subj_id = sysadm_entry.subj_id;
02808                                 rsbac_list_lol_subadd(scd_handle, &scd,
02809                                                       &desc,
02810                                                       &sysadm_entry.
02811                                                       rights);
02812                         }
02813 #ifdef CONFIG_RSBAC_USER_MOD_IOPERM
02814                 scd = ST_ioports;
02815                 if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02816                         desc.subj_type = gen_ioports_entry.subj_type;
02817                         desc.subj_id = gen_ioports_entry.subj_id;
02818                         rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02819                                               &gen_ioports_entry.rights);
02820                 }
02821                 scd = ST_kmem;
02822                 if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02823                         desc.subj_type = sysadm_kmem_entry.subj_type;
02824                         desc.subj_id = sysadm_kmem_entry.subj_id;
02825                         rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02826                                               &sysadm_kmem_entry.rights);
02827                 }
02828 #endif
02829 
02830                 scd = ST_other;
02831                 if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02832                         desc.subj_type = sysadm_other_entry.subj_type;
02833                         desc.subj_id = sysadm_other_entry.subj_id;
02834                         rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02835                                               &sysadm_other_entry.rights);
02836                         desc.subj_type = acman_other_entry.subj_type;
02837                         desc.subj_id = acman_other_entry.subj_id;
02838                         rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02839                                               &acman_other_entry.rights);
02840                         desc.subj_type = gen_other_entry.subj_type;
02841                         desc.subj_id = gen_other_entry.subj_id;
02842                         rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02843                                               &gen_other_entry.rights);
02844                 }
02845         }
02846 }
02847 
02848 #ifdef CONFIG_RSBAC_INIT_DELAY
02849 void acl_create_def2(void)
02850 #else
02851 void __init acl_create_def2(void)
02852 #endif
02853 {
02854         if (!rsbac_list_count(default_u_handle)) {
02855                 struct rsbac_acl_entry_desc_t desc;
02856                 struct rsbac_acl_entry_t acman_entry =
02857                     RSBAC_ACL_ACMAN_U_ENTRY;
02858                 struct rsbac_acl_entry_t sysadm_entry =
02859                     RSBAC_ACL_SYSADM_U_ENTRY;
02860                 struct rsbac_acl_entry_t gen_entry =
02861                     RSBAC_ACL_GENERAL_U_ENTRY;
02862 
02863                 rsbac_printk(KERN_WARNING "rsbac_init_acl(): User default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02864                              RSBAC_MAJOR(rsbac_root_dev),
02865                              RSBAC_MINOR(rsbac_root_dev));
02866                 desc.subj_type = sysadm_entry.subj_type;
02867                 desc.subj_id = sysadm_entry.subj_id;
02868                 rsbac_list_add(default_u_handle, &desc,
02869                                &sysadm_entry.rights);
02870                 desc.subj_type = acman_entry.subj_type;
02871                 desc.subj_id = acman_entry.subj_id;
02872                 rsbac_list_add(default_u_handle, &desc,
02873                                &acman_entry.rights);
02874                 desc.subj_type = gen_entry.subj_type;
02875                 desc.subj_id = gen_entry.subj_id;
02876                 rsbac_list_add(default_u_handle, &desc, &gen_entry.rights);
02877         }
02878         if (!rsbac_list_count(default_p_handle)) {
02879                 struct rsbac_acl_entry_desc_t desc;
02880                 struct rsbac_acl_entry_t acman_entry =
02881                     RSBAC_ACL_ACMAN_P_ENTRY;
02882                 struct rsbac_acl_entry_t sysadm_entry =
02883                     RSBAC_ACL_SYSADM_P_ENTRY;
02884                 struct rsbac_acl_entry_t gen_entry =
02885                     RSBAC_ACL_GENERAL_P_ENTRY;
02886 
02887                 rsbac_printk(KERN_WARNING "rsbac_init_acl(): Process default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02888                              RSBAC_MAJOR(rsbac_root_dev),
02889                              RSBAC_MINOR(rsbac_root_dev));
02890                 desc.subj_type = sysadm_entry.subj_type;
02891                 desc.subj_id = sysadm_entry.subj_id;
02892                 rsbac_list_add(default_p_handle, &desc,
02893                                &sysadm_entry.rights);
02894                 desc.subj_type = acman_entry.subj_type;
02895                 desc.subj_id = acman_entry.subj_id;
02896                 rsbac_list_add(default_p_handle, &desc,
02897                                &acman_entry.rights);
02898                 desc.subj_type = gen_entry.subj_type;
02899                 desc.subj_id = gen_entry.subj_id;
02900                 rsbac_list_add(default_p_handle, &desc, &gen_entry.rights);
02901         }
02902         if (!rsbac_list_lol_count(gm_handle)) {
02903                 rsbac_printk(KERN_WARNING "rsbac_init_acl(): Group membership list empty on dev %02u:%02u!\n",
02904                      RSBAC_MAJOR(rsbac_root_dev),
02905                      RSBAC_MINOR(rsbac_root_dev));
02906         }
02907         if (!rsbac_list_count(group_handle)) {
02908                 rsbac_printk(KERN_WARNING "rsbac_init_acl(): Group list empty on dev %02u:%02u!\n",
02909                              RSBAC_MAJOR(rsbac_root_dev),
02910                              RSBAC_MINOR(rsbac_root_dev));
02911         } else {
02912                 rsbac_list_get_max_desc(group_handle, &group_last_new);
02913         }
02914 #ifdef CONFIG_RSBAC_ACL_UM_PROT
02915         if (!rsbac_list_count(default_g_handle)) {
02916                 struct rsbac_acl_entry_desc_t desc;
02917                 struct rsbac_acl_entry_t acman_entry =
02918                     RSBAC_ACL_ACMAN_G_ENTRY;
02919                 struct rsbac_acl_entry_t sysadm_entry =
02920                     RSBAC_ACL_SYSADM_G_ENTRY;
02921                 struct rsbac_acl_entry_t gen_entry =
02922                     RSBAC_ACL_GENERAL_G_ENTRY;
02923 
02924                 rsbac_printk(KERN_WARNING "rsbac_init_acl(): Linux group default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02925                              RSBAC_MAJOR(rsbac_root_dev),
02926                              RSBAC_MINOR(rsbac_root_dev));
02927                 desc.subj_type = sysadm_entry.subj_type;
02928                 desc.subj_id = sysadm_entry.subj_id;
02929                 rsbac_list_add(default_g_handle, &desc,
02930                                &sysadm_entry.rights);
02931                 desc.subj_type = acman_entry.subj_type;
02932                 desc.subj_id = acman_entry.subj_id;
02933                 rsbac_list_add(default_g_handle, &desc,
02934                                &acman_entry.rights);
02935                 desc.subj_type = gen_entry.subj_type;
02936                 desc.subj_id = gen_entry.subj_id;
02937                 rsbac_list_add(default_g_handle, &desc, &gen_entry.rights);
02938         }
02939 #endif
02940 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
02941         if (!rsbac_list_count(default_netdev_handle)) {
02942                 struct rsbac_acl_entry_desc_t desc;
02943                 struct rsbac_acl_entry_t acman_entry =
02944                     RSBAC_ACL_ACMAN_NETDEV_ENTRY;
02945                 struct rsbac_acl_entry_t sysadm_entry =
02946                     RSBAC_ACL_SYSADM_NETDEV_ENTRY;
02947                 struct rsbac_acl_entry_t gen_entry =
02948                     RSBAC_ACL_GENERAL_NETDEV_ENTRY;
02949 
02950                 rsbac_printk(KERN_WARNING "rsbac_init_acl(): Network Device default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02951                              RSBAC_MAJOR(rsbac_root_dev),
02952                              RSBAC_MINOR(rsbac_root_dev));
02953                 desc.subj_type = acman_entry.subj_type;
02954                 desc.subj_id = acman_entry.subj_id;
02955                 rsbac_list_add(default_netdev_handle, &desc,
02956                                &acman_entry.rights);
02957                 desc.subj_type = sysadm_entry.subj_type;
02958                 desc.subj_id = sysadm_entry.subj_id;
02959                 rsbac_list_add(default_netdev_handle, &desc,
02960                                &sysadm_entry.rights);
02961                 desc.subj_type = gen_entry.subj_type;
02962                 desc.subj_id = gen_entry.subj_id;
02963                 rsbac_list_add(default_netdev_handle, &desc,
02964                                &gen_entry.rights);
02965         }
02966 #endif
02967 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
02968         if (!rsbac_no_defaults
02969             && !rsbac_list_count(default_nettemp_nt_handle)) {
02970                 struct rsbac_acl_entry_desc_t desc;
02971                 struct rsbac_acl_entry_t acman_entry =
02972                     RSBAC_ACL_ACMAN_NETTEMP_NT_ENTRY;
02973                 struct rsbac_acl_entry_t sysadm_entry =
02974                     RSBAC_ACL_SYSADM_NETTEMP_NT_ENTRY;
02975                 struct rsbac_acl_entry_t gen_entry =
02976                     RSBAC_ACL_GENERAL_NETTEMP_NT_ENTRY;
02977 
02978                 rsbac_printk(KERN_WARNING "rsbac_init_acl(): Network Template NT (template protection) default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02979                              RSBAC_MAJOR(rsbac_root_dev),
02980                              RSBAC_MINOR(rsbac_root_dev));
02981                 desc.subj_type = acman_entry.subj_type;
02982                 desc.subj_id = acman_entry.subj_id;
02983                 rsbac_list_add(default_nettemp_nt_handle, &desc,
02984                                &acman_entry.rights);
02985                 desc.subj_type = sysadm_entry.subj_type;
02986                 desc.subj_id = sysadm_entry.subj_id;
02987                 rsbac_list_add(default_nettemp_nt_handle, &desc,
02988                                &sysadm_entry.rights);
02989                 desc.subj_type = gen_entry.subj_type;
02990                 desc.subj_id = gen_entry.subj_id;
02991                 rsbac_list_add(default_nettemp_nt_handle, &desc,
02992                                &gen_entry.rights);
02993         }
02994         if (!rsbac_list_count(default_netobj_handle)) {
02995                 struct rsbac_acl_entry_desc_t desc;
02996                 struct rsbac_acl_entry_t acman_entry =
02997                     RSBAC_ACL_ACMAN_NETOBJ_ENTRY;
02998                 struct rsbac_acl_entry_t sysadm_entry =
02999                     RSBAC_ACL_SYSADM_NETOBJ_ENTRY;
03000                 struct rsbac_acl_entry_t gen_entry =
03001                     RSBAC_ACL_GENERAL_NETOBJ_ENTRY;
03002 
03003                 rsbac_printk(KERN_WARNING "rsbac_init_acl(): Network Object default ACL empty on dev %02u:%02u, generating standard ACL!\n",
03004                              RSBAC_MAJOR(rsbac_root_dev),
03005                              RSBAC_MINOR(rsbac_root_dev));
03006                 desc.subj_type = acman_entry.subj_type;
03007                 desc.subj_id = acman_entry.subj_id;
03008                 rsbac_list_add(default_netobj_handle, &desc,
03009                                &acman_entry.rights);
03010                 desc.subj_type = sysadm_entry.subj_type;
03011                 desc.subj_id = sysadm_entry.subj_id;
03012                 rsbac_list_add(default_netobj_handle, &desc,
03013                                &sysadm_entry.rights);
03014                 desc.subj_type = gen_entry.subj_type;
03015                 desc.subj_id = gen_entry.subj_id;
03016                 rsbac_list_add(default_netobj_handle, &desc,
03017                                &gen_entry.rights);
03018         }
03019 #endif
03020 }
03021 
03022 /* Because there can be no access to aci data structures before init, */
03023 /* rsbac_init_acl() will initialize all rw-spinlocks to unlocked. */
03024 
03025 #ifdef CONFIG_RSBAC_INIT_DELAY
03026 int rsbac_init_acl(void)
03027 #else
03028 int __init rsbac_init_acl(void)
03029 #endif
03030 {
03031         int err = 0;
03032         struct rsbac_acl_device_list_item_t *device_p = NULL;
03033         char tmp[80];
03034         struct proc_dir_entry *tmp_entry_p;
03035         struct rsbac_list_lol_info_t lol_info;
03036         struct rsbac_list_info_t list_info;
03037         rsbac_acl_rights_vector_t def_mask;
03038 
03039         if (rsbac_is_initialized()) {
03040                 rsbac_printk(KERN_WARNING "rsbac_init_acl(): RSBAC already initialized\n");
03041                 return (-RSBAC_EREINIT);
03042         }
03043 
03044         /* set rw-spinlocks to unlocked status and init data structures */
03045         rsbac_printk(KERN_INFO "rsbac_init_acl(): Initializing RSBAC: ACL subsystem\n");
03046 
03047         /* Init device list */
03048         device_list_head_p = kmalloc(sizeof(*device_list_head_p), GFP_KERNEL);
03049         if (!device_list_head_p) {
03050                 rsbac_printk(KERN_WARNING
03051                         "rsbac_init_acl(): Failed to allocate device_list_head\n");
03052                 return -ENOMEM;
03053         }
03054 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03055         spin_lock_init(&device_list_lock);
03056 #else
03057         rwlock_init(&device_list_lock);
03058 #endif
03059         device_list_head_p->head = NULL;
03060         device_list_head_p->tail = NULL;
03061         device_list_head_p->curr = NULL;
03062         device_list_head_p->count = 0;
03063 
03064         /* register ACL lists */
03065         rsbac_pr_debug(ds_acl, "Registering lists\n");
03066         device_p = create_device_item(rsbac_root_dev);
03067         if (!device_p) {
03068                 rsbac_printk(KERN_CRIT
03069                              "rsbac_init_acl(): Could not create device!\n");
03070                 return (-RSBAC_ECOULDNOTADDDEVICE);
03071         }
03072         if ((err = acl_register_fd_lists(device_p, rsbac_root_dev))) {
03073                 rsbac_printk(KERN_WARNING "rsbac_init_acl(): File/Dir ACL registration failed for dev %02u:%02u, err %s!\n",
03074                              RSBAC_MAJOR(rsbac_root_dev),
03075                              RSBAC_MINOR(rsbac_root_dev),
03076                              get_error_name(tmp, err));
03077         }
03078         device_p = add_device_item(device_p);
03079         if (!device_p) {
03080                 rsbac_printk(KERN_CRIT
03081                              "rsbac_init_acl(): Could not add device!\n");
03082                 return (-RSBAC_ECOULDNOTADDDEVICE);
03083         }
03084 
03085         list_info.version = RSBAC_ACL_DEF_FD_LIST_VERSION;
03086         list_info.key = RSBAC_ACL_LIST_KEY;
03087         list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t);    /* subj_type + subj_id */
03088         list_info.data_size = sizeof(rsbac_acl_rights_vector_t);        /* rights */
03089         list_info.max_age = 0;
03090         err = rsbac_list_register(RSBAC_LIST_VERSION,
03091                                   &default_fd_handle, &list_info,
03092 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03093                                   RSBAC_LIST_BACKUP |
03094 #endif
03095                                   RSBAC_LIST_PERSIST,
03096                                   entry_compare,
03097                                   def_fd_get_conv,
03098                                   NULL,
03099                                   RSBAC_ACL_DEF_FD_FILENAME,
03100                                   RSBAC_AUTO_DEV);
03101         if (err) {
03102                 registration_error(err, "default fd");
03103         }
03104 
03105         lol_info.version = RSBAC_ACL_DEV_LIST_VERSION;
03106         lol_info.key = RSBAC_ACL_LIST_KEY;
03107         lol_info.desc_size = sizeof(struct rsbac_dev_desc_t);
03108         lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */
03109         lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t);  /* subj_type + subj_id */
03110         lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t);      /* rights */
03111         lol_info.max_age = 0;
03112         def_mask = RSBAC_ACL_DEFAULT_DEV_MASK;
03113         err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION,
03114                                       &dev_handle, &lol_info,
03115 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03116                                       RSBAC_LIST_BACKUP |
03117 #endif
03118                                       RSBAC_LIST_PERSIST |
03119                                       RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE,
03120                                       dev_compare,
03121                                       entry_compare, dev_get_conv,
03122                                       dev_get_subconv, &def_mask, NULL,
03123                                       RSBAC_ACL_DEV_FILENAME,
03124                                       RSBAC_AUTO_DEV,
03125                                         1,
03126                                         rsbac_list_hash_dev,
03127                                         NULL);
03128         if (err) {
03129                 registration_error(err, "dev");
03130         }
03131         lol_info.version = RSBAC_ACL_DEV_LIST_VERSION;
03132         lol_info.key = RSBAC_ACL_LIST_KEY;
03133         lol_info.desc_size = sizeof(struct rsbac_dev_desc_t);
03134         lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */
03135         lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t);  /* subj_type + subj_id */
03136         lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t);      /* rights */
03137         lol_info.max_age = 0;
03138         def_mask = RSBAC_ACL_DEFAULT_DEV_MASK;
03139         err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION,
03140                                       &dev_major_handle, &lol_info,
03141 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03142                                       RSBAC_LIST_BACKUP |
03143 #endif
03144                                       RSBAC_LIST_PERSIST |
03145                                       RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE,
03146                                       dev_major_compare, entry_compare,
03147                                       dev_get_conv, dev_get_subconv,
03148                                       &def_mask, NULL,
03149                                       RSBAC_ACL_DEV_MAJOR_FILENAME,
03150                                       RSBAC_AUTO_DEV,
03151                                         1,
03152                                         rsbac_list_hash_dev,
03153                                         NULL);
03154         if (err) {
03155                 registration_error(err, "dev major");
03156         }
03157         list_info.version = RSBAC_ACL_DEF_DEV_LIST_VERSION;
03158         list_info.key = RSBAC_ACL_LIST_KEY;
03159         list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t);    /* subj_type + subj_id */
03160         list_info.data_size = sizeof(rsbac_acl_rights_vector_t);        /* rights */
03161         list_info.max_age = 0;
03162         err = rsbac_list_register(RSBAC_LIST_VERSION,
03163                                   &default_dev_handle, &list_info,
03164 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03165                                   RSBAC_LIST_BACKUP |
03166 #endif
03167                                   RSBAC_LIST_PERSIST,
03168                                   entry_compare,
03169                                   def_dev_get_conv,
03170                                   NULL,
03171                                   RSBAC_ACL_DEF_DEV_FILENAME,
03172                                   RSBAC_AUTO_DEV);
03173         if (err) {
03174                 registration_error(err, "default dev");
03175         }
03176 
03177         list_info.version = RSBAC_ACL_DEF_IPC_LIST_VERSION;
03178         list_info.key = RSBAC_ACL_LIST_KEY;
03179         list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t);    /* subj_type + subj_id */
03180         list_info.data_size = sizeof(rsbac_acl_rights_vector_t);        /* rights */
03181         list_info.max_age = 0;
03182         err = rsbac_list_register(RSBAC_LIST_VERSION,
03183                                   &default_ipc_handle, &list_info,
03184 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03185                                   RSBAC_LIST_BACKUP |
03186 #endif
03187                                   RSBAC_LIST_PERSIST,
03188                                   entry_compare,
03189                                   def_ipc_get_conv,
03190                                   NULL,
03191                                   RSBAC_ACL_DEF_IPC_FILENAME,
03192                                   RSBAC_AUTO_DEV);
03193         if (err) {
03194                 registration_error(err, "default ipc");
03195         }
03196 
03197         lol_info.version = RSBAC_ACL_SCD_LIST_VERSION;
03198         lol_info.key = RSBAC_ACL_LIST_KEY;
03199         lol_info.desc_size = sizeof(__u8);
03200         lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */
03201         lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t);  /* subj_type + subj_id */
03202         lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t);      /* rights */
03203         lol_info.max_age = 0;
03204         def_mask = RSBAC_ACL_DEFAULT_SCD_MASK;
03205         err = rsbac_list_lol_register(RSBAC_LIST_VERSION,
03206                                       &scd_handle, &lol_info,
03207 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03208                                       RSBAC_LIST_BACKUP |
03209 #endif
03210                                       RSBAC_LIST_PERSIST |
03211                                       RSBAC_LIST_DEF_DATA, NULL,
03212                                       entry_compare, scd_get_conv,
03213                                       scd_get_subconv, &def_mask, NULL,
03214                                       RSBAC_ACL_SCD_FILENAME,
03215                                       RSBAC_AUTO_DEV);
03216         if (err) {
03217                 registration_error(err, "scd");
03218         }
03219 
03220         list_info.version = RSBAC_ACL_DEF_SCD_LIST_VERSION;
03221         list_info.key = RSBAC_ACL_LIST_KEY;
03222         list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t);    /* subj_type + subj_id */
03223         list_info.data_size = sizeof(rsbac_acl_rights_vector_t);        /* rights */
03224         list_info.max_age = 0;
03225         err = rsbac_list_register(RSBAC_LIST_VERSION,
03226                                   &default_scd_handle, &list_info,
03227 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03228                                   RSBAC_LIST_BACKUP |
03229 #endif
03230                                   RSBAC_LIST_PERSIST,
03231                                   entry_compare,
03232                                   def_scd_get_conv,
03233                                   NULL,
03234                                   RSBAC_ACL_DEF_SCD_FILENAME,
03235                                   RSBAC_AUTO_DEV);
03236         if (err) {
03237                 registration_error(err, "default scd");
03238         }
03239 
03240         lol_info.version = RSBAC_ACL_U_LIST_VERSION;
03241         lol_info.key = RSBAC_ACL_LIST_KEY;
03242         lol_info.desc_size = sizeof(rsbac_uid_t);
03243         lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */
03244         lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t);  /* subj_type + subj_id */
03245         lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t);      /* rights */
03246         lol_info.max_age = 0;
03247         def_mask = RSBAC_ACL_DEFAULT_U_MASK;
03248         err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION,
03249                                       &u_handle, &lol_info,
03250 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03251                                       RSBAC_LIST_BACKUP |
03252 #endif
03253                                       RSBAC_LIST_PERSIST | RSBAC_LIST_AUTO_HASH_RESIZE,
03254                                       NULL,
03255                                       entry_compare,
03256                                       NULL,
03257                                       NULL,
03258                                       &def_mask,
03259                                       NULL,
03260                                       RSBAC_ACL_U_FILENAME,
03261                                       RSBAC_AUTO_DEV,
03262                                         1,
03263                                         rsbac_list_hash_uid,
03264                                         NULL);
03265         if (err) {
03266                 registration_error(err, "user");
03267         }
03268         list_info.version = RSBAC_ACL_DEF_U_LIST_VERSION;
03269         list_info.key = RSBAC_ACL_LIST_KEY;
03270         list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t);    /* subj_type + subj_id */
03271         list_info.data_size = sizeof(rsbac_acl_rights_vector_t);        /* rights */
03272         list_info.max_age = 0;
03273         err = rsbac_list_register(RSBAC_LIST_VERSION,
03274                                   &default_u_handle, &list_info,
03275 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03276                                   RSBAC_LIST_BACKUP |
03277 #endif
03278                                   RSBAC_LIST_PERSIST,
03279                                   entry_compare,
03280                                   def_u_get_conv,
03281                                   NULL,
03282                                   RSBAC_ACL_DEF_U_FILENAME,
03283                                   RSBAC_AUTO_DEV);
03284         if (err) {
03285                 registration_error(err, "default user");
03286         }
03287 
03288         list_info.version = RSBAC_ACL_DEF_P_LIST_VERSION;
03289         list_info.key = RSBAC_ACL_LIST_KEY;
03290         list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t);    /* subj_type + subj_id */
03291         list_info.data_size = sizeof(rsbac_acl_rights_vector_t);        /* rights */
03292         list_info.max_age = 0;
03293         err = rsbac_list_register(RSBAC_LIST_VERSION,
03294                                   &default_p_handle, &list_info,
03295 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03296                                   RSBAC_LIST_BACKUP |
03297 #endif
03298                                   RSBAC_LIST_PERSIST,
03299                                   entry_compare,
03300                                   def_p_get_conv,
03301                                   NULL,
03302                                   RSBAC_ACL_DEF_P_FILENAME,
03303                                   RSBAC_AUTO_DEV);
03304         if (err) {
03305                 registration_error(err, "default process");
03306         }
03307 #ifdef CONFIG_RSBAC_ACL_UM_PROT
03308         lol_info.version = RSBAC_ACL_G_LIST_VERSION;
03309         lol_info.key = RSBAC_ACL_LIST_KEY;
03310         lol_info.desc_size = sizeof(rsbac_gid_t);
03311         lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */
03312         lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t);  /* subj_type + subj_id */
03313         lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t);      /* rights */
03314         lol_info.max_age = 0;
03315         def_mask = RSBAC_ACL_DEFAULT_G_MASK;
03316         err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION,
03317                                       &g_handle, &lol_info,
03318 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03319                                       RSBAC_LIST_BACKUP |
03320 #endif
03321                                       RSBAC_LIST_PERSIST | RSBAC_LIST_AUTO_HASH_RESIZE,
03322                                       NULL,
03323                                       entry_compare,
03324                                       NULL,
03325                                       NULL,
03326                                       &def_mask,
03327                                       NULL,
03328                                       RSBAC_ACL_G_FILENAME,
03329                                       RSBAC_AUTO_DEV,
03330                                         1,
03331                                         rsbac_list_hash_gid,
03332                                         NULL);
03333         if (err) {
03334                 registration_error(err, "Linux group");
03335         }
03336         list_info.version = RSBAC_ACL_DEF_G_LIST_VERSION;
03337         list_info.key = RSBAC_ACL_LIST_KEY;
03338         list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t);    /* subj_type + subj_id */
03339         list_info.data_size = sizeof(rsbac_acl_rights_vector_t);        /* rights */
03340         list_info.max_age = 0;
03341         err = rsbac_list_register(RSBAC_LIST_VERSION,
03342                                   &default_g_handle, &list_info,
03343 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03344                                   RSBAC_LIST_BACKUP |
03345 #endif
03346                                   RSBAC_LIST_PERSIST,
03347                                   entry_compare,
03348                                   def_g_get_conv,
03349                                   NULL,
03350                                   RSBAC_ACL_DEF_G_FILENAME,
03351                                   RSBAC_AUTO_DEV);
03352         if (err) {
03353                 registration_error(err, "default Linux group");
03354         }
03355 #endif
03356 
03357 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
03358         lol_info.version = RSBAC_ACL_NETDEV_LIST_VERSION;
03359         lol_info.key = RSBAC_ACL_LIST_KEY;
03360         lol_info.desc_size = sizeof(rsbac_netdev_id_t);
03361         lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */
03362         lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t);  /* subj_type + subj_id */
03363         lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t);      /* rights */
03364         lol_info.max_age = 0;
03365         def_mask = RSBAC_ACL_DEFAULT_NETDEV_MASK;
03366         err = rsbac_list_lol_register(RSBAC_LIST_VERSION,
03367                                       &netdev_handle, &lol_info,
03368 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03369                                       RSBAC_LIST_BACKUP |
03370 #endif
03371                                       RSBAC_LIST_PERSIST |
03372                                       RSBAC_LIST_DEF_DATA, netdev_compare,
03373                                       entry_compare, netdev_get_conv,
03374                                       netdev_get_subconv, &def_mask, NULL,
03375                                       RSBAC_ACL_NETDEV_FILENAME,
03376                                       RSBAC_AUTO_DEV);
03377         if (err) {
03378                 registration_error(err, "netdev");
03379         }
03380         list_info.version = RSBAC_ACL_DEF_NETDEV_LIST_VERSION;
03381         list_info.key = RSBAC_ACL_LIST_KEY;
03382         list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t);    /* subj_type + subj_id */
03383         list_info.data_size = sizeof(rsbac_acl_rights_vector_t);        /* rights */
03384         list_info.max_age = 0;
03385         err = rsbac_list_register(RSBAC_LIST_VERSION,
03386                                   &default_netdev_handle, &list_info,
03387 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03388                                   RSBAC_LIST_BACKUP |
03389 #endif
03390                                   RSBAC_LIST_PERSIST,
03391                                   entry_compare,
03392                                   def_netdev_get_conv,
03393                                   NULL,
03394                                   RSBAC_ACL_DEF_NETDEV_FILENAME,
03395                                   RSBAC_AUTO_DEV);
03396         if (err) {
03397                 registration_error(err, "default netdev");
03398         }
03399 #endif
03400 
03401 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
03402         lol_info.version = RSBAC_ACL_NETTEMP_NT_LIST_VERSION;
03403         lol_info.key = RSBAC_ACL_LIST_KEY;
03404         lol_info.desc_size = sizeof(rsbac_net_temp_id_t);
03405         lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */
03406         lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t);  /* subj_type + subj_id */
03407         lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t);      /* rights */
03408         lol_info.max_age = 0;
03409         def_mask = RSBAC_ACL_DEFAULT_NETTEMP_MASK;
03410         err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION,
03411                                       &nettemp_nt_handle, &lol_info,
03412 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03413                                       RSBAC_LIST_BACKUP |
03414 #endif
03415                                       RSBAC_LIST_PERSIST | RSBAC_LIST_AUTO_HASH_RESIZE,
03416                                       NULL,
03417                                       entry_compare,
03418                                       nettemp_nt_get_conv,
03419                                       nettemp_nt_get_subconv,
03420                                       &def_mask,
03421                                       NULL,
03422                                       RSBAC_ACL_NETTEMP_NT_FILENAME,
03423                                       RSBAC_AUTO_DEV,
03424                                         1,
03425                                         rsbac_list_hash_nettemp,
03426                                         NULL);
03427         if (err) {
03428                 registration_error(err, "nettemp_nt");
03429         }
03430         list_info.version = RSBAC_ACL_DEF_NETTEMP_NT_LIST_VERSION;
03431         list_info.key = RSBAC_ACL_LIST_KEY;
03432         list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t);    /* subj_type + subj_id */
03433         list_info.data_size = sizeof(rsbac_acl_rights_vector_t);        /* rights */
03434         list_info.max_age = 0;
03435         err = rsbac_list_register(RSBAC_LIST_VERSION,
03436                                   &default_nettemp_nt_handle, &list_info,
03437 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03438                                   RSBAC_LIST_BACKUP |
03439 #endif
03440                                   RSBAC_LIST_PERSIST,
03441                                   entry_compare,
03442                                   def_nettemp_nt_get_conv,
03443                                   NULL,
03444                                   RSBAC_ACL_DEF_NETTEMP_NT_FILENAME,
03445                                   RSBAC_AUTO_DEV);
03446         if (err) {
03447                 registration_error(err, "default nettemp_nt");
03448         }
03449         lol_info.version = RSBAC_ACL_NETTEMP_LIST_VERSION;
03450         lol_info.key = RSBAC_ACL_LIST_KEY;
03451         lol_info.desc_size = sizeof(rsbac_net_temp_id_t);
03452         lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */
03453         lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t);  /* subj_type + subj_id */
03454         lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t);      /* rights */
03455         lol_info.max_age = 0;
03456         def_mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
03457         err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION,
03458                                       &nettemp_handle, &lol_info,
03459 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03460                                       RSBAC_LIST_BACKUP |
03461 #endif
03462                                       RSBAC_LIST_PERSIST | RSBAC_LIST_AUTO_HASH_RESIZE,
03463                                       NULL,
03464                                       entry_compare,
03465                                       nettemp_get_conv,
03466                                       nettemp_get_subconv,
03467                                       &def_mask,
03468                                       NULL,
03469                                       RSBAC_ACL_NETTEMP_FILENAME,
03470                                       RSBAC_AUTO_DEV,
03471                                         1,
03472                                         rsbac_list_hash_nettemp,
03473                                         NULL);
03474         if (err) {
03475                 registration_error(err, "nettemp");
03476         }
03477         lol_info.version = RSBAC_ACL_NETOBJ_LIST_VERSION;
03478         lol_info.key = RSBAC_ACL_LIST_KEY;
03479         lol_info.desc_size = sizeof(rsbac_net_obj_id_t);
03480         lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */
03481         lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t);  /* subj_type + subj_id */
03482         lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t);      /* rights */
03483         lol_info.max_age = 0;
03484         def_mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
03485         err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION,
03486                                       &netobj_handle,
03487                                       &lol_info,
03488                                       RSBAC_LIST_AUTO_HASH_RESIZE,
03489                                       NULL,
03490                                       entry_compare,
03491                                       NULL,
03492                                       NULL,
03493                                       &def_mask,
03494                                       NULL,
03495                                       RSBAC_ACL_NETOBJ_FILENAME,
03496                                       RSBAC_AUTO_DEV,
03497                                         1,
03498                                         rsbac_list_hash_netobj,
03499                                         NULL);
03500         if (err) {
03501                 registration_error(err, "netobj");
03502         }
03503         list_info.version = RSBAC_ACL_DEF_NETOBJ_LIST_VERSION;
03504         list_info.key = RSBAC_ACL_LIST_KEY;
03505         list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t);    /* subj_type + subj_id */
03506         list_info.data_size = sizeof(rsbac_acl_rights_vector_t);        /* rights */
03507         list_info.max_age = 0;
03508         err = rsbac_list_register(RSBAC_LIST_VERSION,
03509                                   &default_netobj_handle, &list_info,
03510 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03511                                   RSBAC_LIST_BACKUP |
03512 #endif
03513                                   RSBAC_LIST_PERSIST,
03514                                   entry_compare,
03515                                   def_netobj_get_conv,
03516                                   NULL,
03517                                   RSBAC_ACL_DEF_NETOBJ_FILENAME,
03518                                   RSBAC_AUTO_DEV);
03519         if (err) {
03520                 registration_error(err, "default netobj");
03521         }
03522 #endif                          /* NET_OBJ_PROT */
03523 
03524         /* groups */
03525         list_info.version = RSBAC_ACL_GROUP_VERSION;
03526         list_info.key = RSBAC_ACL_LIST_KEY;
03527         list_info.desc_size = sizeof(rsbac_acl_group_id_t);
03528         list_info.data_size = sizeof(struct rsbac_acl_group_entry_t);
03529         list_info.max_age = 0;
03530         err = rsbac_list_register_hashed(RSBAC_LIST_VERSION,
03531                                   &group_handle, &list_info,
03532 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03533                                   RSBAC_LIST_BACKUP |
03534 #endif
03535                                   RSBAC_LIST_PERSIST | RSBAC_LIST_AUTO_HASH_RESIZE,
03536                                   NULL,
03537                                   NULL,
03538                                   NULL,
03539                                   RSBAC_ACL_GROUP_FILENAME,
03540                                   RSBAC_AUTO_DEV,
03541                                   1,
03542                                   group_hash,
03543                                   NULL);
03544         if (err) {
03545                 registration_error(err, "group");
03546         }
03547 
03548         /* group memberships */
03549         lol_info.version = RSBAC_ACL_GM_VERSION;
03550         lol_info.key = RSBAC_ACL_LIST_KEY;
03551         lol_info.desc_size = sizeof(rsbac_uid_t);
03552         lol_info.data_size = 0;
03553         lol_info.subdesc_size = sizeof(rsbac_acl_group_id_t);
03554         lol_info.subdata_size = 0;
03555         lol_info.max_age = 0;
03556         err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION,
03557                                       &gm_handle, &lol_info,
03558 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03559                                       RSBAC_LIST_BACKUP |
03560 #endif
03561                                       RSBAC_LIST_PERSIST |
03562                                       RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE,
03563                                       NULL,
03564                                       NULL, NULL, NULL,
03565                                       NULL, NULL, RSBAC_ACL_GM_FILENAME,
03566                                       RSBAC_AUTO_DEV,
03567                                         1,
03568                                         rsbac_list_hash_uid,
03569                                         NULL);
03570         if (err) {
03571                 registration_error(err, "gm");
03572         }
03573 
03574 /* Create default lists */
03575         if (!rsbac_no_defaults) {
03576                 acl_create_def();
03577                 acl_create_def2();
03578         }
03579 #if defined(CONFIG_RSBAC_PROC)
03580         tmp_entry_p = create_proc_entry("acl_devices",
03581                                         S_IFREG | S_IRUGO,
03582                                         proc_rsbac_root_p);
03583         if (tmp_entry_p) {
03584                 tmp_entry_p->get_info = acl_devices_proc_info;
03585         }
03586         tmp_entry_p = create_proc_entry("stats_acl",
03587                                         S_IFREG | S_IRUGO,
03588                                         proc_rsbac_root_p);
03589         if (tmp_entry_p) {
03590                 tmp_entry_p->get_info = stats_acl_proc_info;
03591         }
03592         tmp_entry_p = create_proc_entry("acl_acllist",
03593                                         S_IFREG | S_IRUGO,
03594                                         proc_rsbac_root_p);
03595         if (tmp_entry_p) {
03596                 tmp_entry_p->get_info = acl_acllist_proc_info;
03597         }
03598         tmp_entry_p = create_proc_entry("acl_grouplist",
03599                                         S_IFREG | S_IRUGO,
03600                                         proc_rsbac_root_p);
03601         if (tmp_entry_p) {
03602                 tmp_entry_p->get_info = acl_grouplist_proc_info;
03603         }
03604 #endif
03605 
03606         rsbac_pr_debug(ds_acl, "Ready.\n");
03607         return (err);
03608 }
03609 
03610 int rsbac_mount_acl(kdev_t kdev)
03611 {
03612         int err = 0;
03613         struct rsbac_acl_device_list_item_t *device_p;
03614         struct rsbac_acl_device_list_item_t *new_device_p;
03615 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
03616         u_long dflags;
03617 #endif
03618 
03619         if (!rsbac_is_initialized()) {
03620                 rsbac_printk(KERN_WARNING "rsbac_mount_acl(): RSBAC not initialized\n");
03621                 return (-RSBAC_ENOTINITIALIZED);
03622         }
03623         rsbac_pr_debug(ds_acl, "mounting device %02u:%02u\n",
03624                        RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev));
03625         /* wait for read access to device_list_head */
03626 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03627         rcu_read_lock();
03628 #else
03629         rsbac_read_lock(&device_list_lock, &dflags);
03630 #endif
03631         device_p = acl_lookup_device(kdev);
03632         /* repeated mount? */
03633         if (device_p) {
03634                 rsbac_printk(KERN_INFO "rsbac_mount_acl: repeated mount %u of device %02u:%02u\n",
03635                              device_p->mount_count, RSBAC_MAJOR(kdev),
03636                              RSBAC_MINOR(kdev));
03637                 device_p->mount_count++;
03638 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03639                 rcu_read_unlock();
03640 #else
03641                 rsbac_read_unlock(&device_list_lock, &dflags);
03642 #endif
03643                 return 0;
03644         }
03645 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03646         rcu_read_unlock();
03647 #else
03648         rsbac_read_unlock(&device_list_lock, &dflags);
03649 #endif
03650         /* OK, go on */
03651         new_device_p = create_device_item(kdev);
03652         if (!new_device_p)
03653                 return -RSBAC_ECOULDNOTADDDEVICE;
03654 
03655         if ((err = acl_register_fd_lists(new_device_p, kdev))) {
03656                 char *tmp;
03657 
03658                 tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
03659                 if (tmp) {
03660                         rsbac_printk(KERN_WARNING "rsbac_mount_acl(): File/Dir ACL registration failed for dev %02u:%02u, err %s!\n",
03661                                      RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev),
03662                                      get_error_name(tmp, err));
03663                         rsbac_kfree(tmp);
03664                 }
03665         }
03666 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03667         rcu_read_lock();
03668 #else
03669         rsbac_read_lock(&device_list_lock, &dflags);
03670 #endif
03671         /* make sure to only add, if this device item has not been added in the meantime */
03672         device_p = acl_lookup_device(kdev);
03673         if (device_p) {
03674                 rsbac_printk(KERN_WARNING "rsbac_mount_acl(): mount race for device %02u:%02u detected!\n",
03675                              RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev));
03676                 device_p->mount_count++;
03677                 /* also detaches lists */
03678                 clear_device_item(new_device_p);
03679 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03680                 rcu_read_unlock();
03681 #else
03682                 rsbac_read_unlock(&device_list_lock, &dflags);
03683 #endif
03684         } else {
03685 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03686                 rcu_read_unlock();
03687 #else
03688                 rsbac_read_unlock(&device_list_lock, &dflags);
03689 #endif
03690                 device_p = add_device_item(new_device_p);
03691                 if (!device_p) {
03692                         rsbac_printk(KERN_WARNING "rsbac_mount_acl: adding device %02u:%02u failed!\n",
03693                                      RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev));
03694                         /* also detaches lists */
03695                         clear_device_item(new_device_p);
03696                         err = -RSBAC_ECOULDNOTADDDEVICE;
03697                 }
03698         }
03699 
03700         return err;
03701 }
03702 
03703 /* When umounting a device, its file/dir ACLs must be removed. */
03704 
03705 int rsbac_umount_acl(kdev_t kdev)
03706 {
03707 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
03708         u_long flags;
03709 #endif
03710         struct rsbac_acl_device_list_item_t *device_p;
03711 
03712         if (!rsbac_is_initialized()) {
03713                 rsbac_printk(KERN_WARNING "rsbac_umount(): RSBAC not initialized\n");
03714                 return (-RSBAC_ENOTINITIALIZED);
03715         }
03716         rsbac_pr_debug(ds_acl, "umounting device %02u:%02u\n",
03717                      RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev));
03718         /* sync of attribute lists was done in rsbac_umount */
03719 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03720         spin_lock(&device_list_lock);
03721 #else
03722         rsbac_write_lock(&device_list_lock, &flags);
03723 #endif
03724         /* OK, nobody else is working on it... */
03725         device_p = acl_lookup_device(kdev);
03726         if (device_p) {
03727                 if (device_p->mount_count == 1)
03728                         remove_device_item(kdev);
03729                 else {
03730                         if (device_p->mount_count > 1) {
03731                                 device_p->mount_count--;
03732 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03733                                 spin_unlock(&device_list_lock);
03734 #endif
03735                         } else {
03736 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03737                                 spin_unlock(&device_list_lock);
03738 #endif
03739                                 rsbac_printk(KERN_WARNING "rsbac_umount_acl: device %02u:%02u has mount_count < 1!\n",
03740                                              RSBAC_MAJOR(kdev),
03741                                              RSBAC_MINOR(kdev));
03742                         }
03743                 }
03744         }
03745 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03746         else
03747                 spin_unlock(&device_list_lock);
03748 #else
03749         rsbac_write_unlock(&device_list_lock, &flags);
03750 #endif
03751         return 0;
03752 }
03753 
03754 /***************************************************/
03755 /* We also need some status information...         */
03756 
03757 int rsbac_stats_acl(void)
03758 {
03759         struct rsbac_acl_device_list_item_t *device_p;
03760         union rsbac_target_id_t rsbac_target_id;
03761         union rsbac_attribute_value_t rsbac_attribute_value;
03762 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
03763         u_long dflags;
03764 #endif
03765 
03766         if (!rsbac_is_initialized()) {
03767                 rsbac_printk(KERN_WARNING "rsbac_stats_acl(): RSBAC not initialized\n");
03768                 return (-RSBAC_ENOTINITIALIZED);
03769         }
03770         rsbac_pr_debug(aef_acl, "calling ADF\n");
03771         rsbac_target_id.scd = ST_rsbac;
03772         rsbac_attribute_value.dummy = 0;
03773         if (!rsbac_adf_request(R_GET_STATUS_DATA,
03774                                current->pid,
03775                                T_SCD,
03776                                rsbac_target_id,
03777                                A_none, rsbac_attribute_value)) {
03778                 return -EPERM;
03779         }
03780 
03781         rsbac_printk(KERN_INFO "ACL Status\n-----------\n");
03782 
03783         /* protect device list */
03784 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03785         rcu_read_lock();
03786 #else
03787         rsbac_read_lock(&device_list_lock, &dflags);
03788 #endif
03789         device_p = rcu_dereference(device_list_head_p)->head;
03790         while (device_p) {
03791                 rsbac_printk(KERN_INFO "device %02u:%02u has %u file ACLs, sum of %u members\n",
03792                              RSBAC_MAJOR(device_p->id),
03793                              RSBAC_MINOR(device_p->id),
03794                              rsbac_list_lol_count(device_p->handle),
03795                              rsbac_list_lol_all_subcount(device_p->handle));
03796                 device_p = device_p->next;
03797         }
03798         /* unprotect device list */
03799 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03800         rcu_read_unlock();
03801 #else
03802         rsbac_read_unlock(&device_list_lock, &dflags);
03803 #endif
03804 
03805         /* dev list */
03806         rsbac_printk(KERN_INFO "%li device major ACL items, sum of %li members\n",
03807                      rsbac_list_lol_count(dev_major_handle),
03808                      rsbac_list_lol_all_subcount(dev_major_handle));
03809         rsbac_printk(KERN_INFO "%li device ACL items, sum of %li members\n",
03810                      rsbac_list_lol_count(dev_handle),
03811                      rsbac_list_lol_all_subcount(dev_handle));
03812 
03813         /* SCD list */
03814         rsbac_printk(KERN_INFO "%li scd ACL items, sum of %li members\n",
03815                      rsbac_list_lol_count(scd_handle),
03816                      rsbac_list_lol_all_subcount(scd_handle));
03817 
03818         /* user list */
03819         rsbac_printk(KERN_INFO "%li user ACL items, sum of %li members\n",
03820                      rsbac_list_lol_count(u_handle),
03821                      rsbac_list_lol_all_subcount(u_handle));
03822 
03823 #ifdef CONFIG_RSBAC_ACL_UM_PROT
03824         /* Linux group list */
03825         rsbac_printk(KERN_INFO "%li Linux group ACL items, sum of %li members\n",
03826                      rsbac_list_lol_count(g_handle),
03827                      rsbac_list_lol_all_subcount(g_handle));
03828 #endif
03829 
03830 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
03831         /* netdev list */
03832         rsbac_printk(KERN_INFO "%li network device ACL items, sum of %li members\n",
03833                      rsbac_list_lol_count(netdev_handle),
03834                      rsbac_list_lol_all_subcount(netdev_handle));
03835 #endif
03836 
03837 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
03838         /* nettemp_nt list */
03839         rsbac_printk(KERN_INFO "%li network template NT ACL items, sum of %li members\n",
03840                      rsbac_list_lol_count(nettemp_nt_handle),
03841                      rsbac_list_lol_all_subcount(nettemp_nt_handle));
03842         /* nettemp list */
03843         rsbac_printk(KERN_INFO "%li network template ACL items, sum of %li members\n",
03844                      rsbac_list_lol_count(nettemp_handle),
03845                      rsbac_list_lol_all_subcount(nettemp_handle));
03846         /* netobj list */
03847         rsbac_printk(KERN_INFO "%li network object ACL items, sum of %li members\n",
03848                      rsbac_list_lol_count(netobj_handle),
03849                      rsbac_list_lol_all_subcount(netobj_handle));
03850 #endif
03851 
03852         rsbac_printk(KERN_INFO "%li groups, last new is %u\n",
03853                      rsbac_list_count(group_handle), group_last_new);
03854 
03855         /* protect gm list */
03856         rsbac_printk(KERN_INFO "%li group member items, sum of %li group memberships\n",
03857                      rsbac_list_lol_count(gm_handle),
03858                      rsbac_list_lol_all_subcount(gm_handle));
03859 
03860         return 0;
03861 }
03862 
03863 /***************************************************/
03864 /* consistency checking (as far as possible)       */
03865 
03866 int rsbac_check_acl(int correct)
03867 {
03868         struct rsbac_acl_device_list_item_t *device_p;
03869         u_long f_count = 0, f_sum = 0, tmp_count,
03870             r_count, u_count, b_count, no_member_count;
03871         long desc_count;
03872         long sub_desc_count;
03873         rsbac_inode_nr_t *fd_desc_p;
03874         struct rsbac_dev_desc_t *dev_desc_p;
03875         __u8 *scd_desc_p;
03876         rsbac_uid_t *u_desc_p;
03877 #ifdef CONFIG_RSBAC_ACL_UM_PROT
03878         rsbac_gid_t *g_desc_p;
03879 #endif
03880 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
03881         rsbac_netdev_id_t *netdev_desc_p;
03882 #endif
03883 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
03884         rsbac_net_temp_id_t *nettemp_desc_p;
03885         rsbac_net_obj_id_t *netobj_desc_p;
03886 #endif
03887         struct rsbac_acl_entry_desc_t *sub_desc_p;
03888         rsbac_uid_t *user_p;
03889         rsbac_acl_group_id_t *group_p;
03890         u_int i, j;
03891 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
03892         u_long dflags;
03893 #endif
03894 
03895         if (!rsbac_is_initialized()) {
03896                 rsbac_printk(KERN_WARNING "rsbac_check_acl(): RSBAC not initialized\n");
03897                 return (-RSBAC_ENOTINITIALIZED);
03898         }
03899 
03900         /* group membership list */
03901         tmp_count = 0;
03902         desc_count =
03903             rsbac_list_lol_get_all_desc(gm_handle, (void **) &user_p);
03904         if (desc_count > 0) {
03905                 for (i = 0; i < desc_count; i++) {
03906                         sub_desc_count =
03907                             rsbac_list_lol_get_all_subdesc(gm_handle,
03908                                                            &user_p[i],
03909                                                            (void **)
03910                                                            &group_p);
03911                         if (sub_desc_count > 0) {
03912                                 for (j = 0; j < sub_desc_count; j++) {
03913                                         if (!rsbac_list_exist
03914                                             (group_handle, &group_p[j])) {
03915                                                 rsbac_printk(KERN_WARNING "rsbac_check_acl(): removing user %u membership in non-existent group %u!\n",
03916                                                              user_p[i],
03917                                                              group_p[j]);
03918                                                 rsbac_list_lol_subremove
03919                                                     (gm_handle, &user_p[i],
03920                                                      &group_p[j]);
03921                                         }
03922                                 }
03923                                 rsbac_vfree(group_p);
03924                         } else {
03925                                 /* remove empty membership list */
03926                                 if (!sub_desc_count)
03927                                         rsbac_list_lol_remove(gm_handle,
03928                                                               &user_p[i]);
03929                         }
03930                 }
03931                 rsbac_vfree(user_p);
03932         }
03933         /* recalculated values! */
03934         rsbac_printk(KERN_INFO "rsbac_check_acl(): %li group membership items\n",
03935                      rsbac_list_lol_count(gm_handle));
03936 
03937         /* group list */
03938         rsbac_printk(KERN_INFO "rsbac_check_acl(): %li group items\n",
03939                      rsbac_list_count(group_handle));
03940 
03941 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03942         rcu_read_lock();
03943 #else
03944         rsbac_read_lock(&device_list_lock, &dflags);
03945 #endif
03946 /*    rsbac_printk(KERN_INFO "rsbac_check_acl(): currently %u processes working on file/dir aci\n",
03947                      device_list_head.lock.lock); */
03948         device_p = rcu_dereference(device_list_head_p)->head;
03949         while (device_p) {      /* for all sublists */
03950                 f_count = 0;
03951                 r_count = 0;
03952                 u_count = 0;
03953                 b_count = 0;
03954                 no_member_count = 0;
03955 
03956                 tmp_count = 0;
03957                 desc_count = rsbac_list_lol_get_all_desc(device_p->handle,
03958                                                         (void **)
03959                                                         &fd_desc_p);
03960                 if (desc_count > 0) {
03961                         for (i = 0; i < desc_count; i++) {
03962                                 /* check for group existence of all ACL entries for groups */
03963                                 sub_desc_count =
03964                                     rsbac_list_lol_get_all_subdesc
03965                                     (device_p->handle,
03966                                      &fd_desc_p[i],
03967                                      (void **) &sub_desc_p);
03968                                 if (sub_desc_count > 0) {
03969                                         for (j = 0;
03970                                              j < sub_desc_count;
03971                                              j++) {
03972                                                 if ((sub_desc_p[j].
03973                                                      subj_type ==
03974                                                      ACLS_GROUP)
03975                                                     &&
03976                                                     sub_desc_p[j].
03977                                                     subj_id
03978                                                     &&
03979                                                     !rsbac_list_exist
03980                                                     (group_handle,
03981                                                      &sub_desc_p
03982                                                      [j].
03983                                                      subj_id)) {
03984                                                         if (correct) {
03985                                                                 /* remove sub item and complain */
03986                                                                 rsbac_pr_debug(ds, "fd_item for inode %u on device %02u:%02u has invalid group %u in ACL -> removing entry!\n",
03987                                                                                fd_desc_p[i],
03988                                                                                RSBAC_MAJOR(device_p->id),
03989                                                                                RSBAC_MINOR(device_p->id),
03990                                                                                sub_desc_p[j].subj_id);
03991                                                                 rsbac_list_lol_subremove
03992                                                                     (device_p->handle,
03993                                                                      &fd_desc_p
03994                                                                      [i],
03995                                                                      &sub_desc_p
03996                                                                      [j]);
03997                                                         } else /* complain */
03998                                                                 rsbac_pr_debug(ds, "fd_item for inode %u on device %02u:%02u has invalid group %u in ACL!\n",
03999                                                                                fd_desc_p[i],
04000                                                                                RSBAC_MAJOR(device_p->id),
04001                                                                                RSBAC_MINOR(device_p->id),
04002                                                                                sub_desc_p[j].subj_id);
04003                                                 }
04004 #if defined(CONFIG_RSBAC_RC)
04005                                                 else if ((sub_desc_p[j].subj_type == ACLS_ROLE)
04006                                                          &&
04007                                                          (sub_desc_p
04008                                                           [j].
04009                                                           subj_id >
04010                                                           RC_role_max_value)
04011                                                     ) {
04012                                                         if (correct) {
04013                                                                 /* remove sub item and complain */
04014                                                                 rsbac_pr_debug(ds, "fd_item for inode %u on device %02u:%02u has invalid RC role %u in ACL -> removing entry!\n",
04015                                                                                fd_desc_p[i],
04016                                                                                RSBAC_MAJOR(device_p->id),
04017                                                                                RSBAC_MINOR(device_p->id),
04018                                                                                sub_desc_p[j].subj_id);
04019                                                                 rsbac_list_lol_subremove
04020                                                                     (device_p->handle,
04021                                                                      &fd_desc_p
04022                                                                      [i],
04023                                                                      &sub_desc_p
04024                                                                      [j]);
04025                                                         } else /* complain */
04026                                                                 rsbac_pr_debug(ds, "fd_item for inode %u on device %02u:%02u has invalid role %u in ACL!\n",
04027                                                                                fd_desc_p[i],
04028                                                                                RSBAC_MAJOR(device_p->id),
04029                                                                                RSBAC_MINOR(device_p->id),
04030                                                                                sub_desc_p[j].subj_id);
04031                                                 }
04032 #endif
04033                                         }
04034                                         rsbac_vfree(sub_desc_p);
04035                                 }
04036                         }
04037                         tmp_count++;
04038                         rsbac_vfree(fd_desc_p);
04039                         f_count += desc_count;
04040                 }
04041 
04042                 switch (correct) {
04043                 case 2:
04044                         rsbac_printk(KERN_INFO "rsbac_check_acl(): Device %02u:%02u has %lu file/dir ACLs (%lu removed (%lu bad inodes, %lu dtimed inodes, %lu unlinked inodes, %lu had no members and default mask))\n",
04045                                      RSBAC_MAJOR(device_p->id),
04046                                      RSBAC_MINOR(device_p->id), f_count,
04047                                      b_count + r_count + u_count +
04048                                      no_member_count, b_count, r_count,
04049                                      u_count, no_member_count);
04050                         break;
04051                 case 1:
04052                         rsbac_printk(KERN_INFO "rsbac_check_acl(): Device %02u:%02u has %lu file/dir ACLs (%lu removed (%lu bad inodes, %lu dtimed inodes, %lu had no members and default mask), %lu unlinked inodes)\n",
04053                                      RSBAC_MAJOR(device_p->id),
04054                                      RSBAC_MINOR(device_p->id), f_count,
04055                                      b_count + r_count + no_member_count,
04056                                      b_count, r_count, no_member_count,
04057                                      u_count);
04058                         break;
04059                 default:
04060                         rsbac_printk(KERN_INFO "rsbac_check_acl(): Device %02u:%02u has %lu file/dir ACLs (%lu with bad inodes, %lu with dtimed inodes, %lu unlinked inodes, %lu without members and with default mask)\n",
04061                                      RSBAC_MAJOR(device_p->id),
04062                                      RSBAC_MINOR(device_p->id), f_count,
04063                                      b_count, r_count, u_count,
04064                                      no_member_count);
04065                 }
04066                 f_sum += f_count;
04067                 /* go on */
04068                 device_p = device_p->next;
04069         }
04070         rsbac_printk(KERN_INFO "rsbac_check_acl(): Sum of %u Devices with %lu file/dir ACLs\n",
04071                      rcu_dereference(device_list_head_p)->count, f_sum);
04072         /* free access to device_list_head */
04073 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
04074         rcu_read_unlock();
04075 #else
04076         rsbac_read_unlock(&device_list_lock, &dflags);
04077 #endif
04078 
04079         /* dev list */
04080         tmp_count = 0;
04081         desc_count =
04082             rsbac_list_lol_get_all_desc(dev_handle, (void **) &dev_desc_p);
04083         if (desc_count > 0) {
04084                 for (i = 0; i < desc_count; i++) {
04085                         /* check for group existence of all ACL entries for groups */
04086                         sub_desc_count =
04087                             rsbac_list_lol_get_all_subdesc(dev_handle,
04088                                                            &dev_desc_p[i],
04089                                                            (void **)
04090                                                            &sub_desc_p);
04091                         if (sub_desc_count > 0) {
04092                                 for (j = 0; j < sub_desc_count; j++) {
04093                                         if ((sub_desc_p[j].subj_type ==
04094                                              ACLS_GROUP)
04095                                             && sub_desc_p[j].subj_id
04096                                             &&
04097                                             !rsbac_list_exist(group_handle,
04098                                                               &sub_desc_p
04099                                                               [j].
04100                                                               subj_id)) {
04101                                                 if (correct) {
04102                                                         /* remove sub item and complain */
04103                                                         rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid group %u in ACL -> removing entry!\n",
04104                                                                        'B' + dev_desc_p[i].type,
04105                                                                        dev_desc_p[i].major,
04106                                                                        dev_desc_p[i].minor,
04107                                                                        sub_desc_p[j].subj_id);
04108                                                         rsbac_list_lol_subremove
04109                                                             (dev_handle,
04110                                                              &dev_desc_p
04111                                                              [i],
04112                                                              &sub_desc_p
04113                                                              [j]);
04114                                                 } else /* complain */
04115                                                         rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid group %u in ACL!\n",
04116                                                                        'B' + dev_desc_p[i].type,
04117                                                                        dev_desc_p[i].major,
04118                                                                        dev_desc_p[i].minor,
04119                                                                        sub_desc_p[j].subj_id);
04120                                         }
04121 #if defined(CONFIG_RSBAC_RC)
04122                                         else if ((sub_desc_p[j].
04123                                                   subj_type == ACLS_ROLE)
04124                                                  && (sub_desc_p[j].
04125                                                      subj_id >
04126                                                      RC_role_max_value)
04127                                             ) {
04128                                                 if (correct) {
04129                                                         /* remove sub item and complain */
04130                                                         rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid role %u in ACL -> removing entry!\n",
04131                                                                        'B' + dev_desc_p[i].type,
04132                                                                        dev_desc_p[i].major,
04133                                                                        dev_desc_p[i].minor,
04134                                                                        sub_desc_p[j].subj_id);
04135                                                         rsbac_list_lol_subremove
04136                                                             (dev_handle,
04137                                                              &dev_desc_p
04138                                                              [i],
04139                                                              &sub_desc_p
04140                                                              [j]);
04141                                                 } else /* complain */
04142                                                         rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid role %u in ACL!\n",
04143                                                                        'B' + dev_desc_p[i].type,
04144                                                                        dev_desc_p[i].major,
04145                                                                        dev_desc_p[i].minor,
04146                                                                        sub_desc_p[j].subj_id);
04147                                         }
04148 #endif
04149                                 }
04150                                 rsbac_vfree(sub_desc_p);
04151                         }
04152                 }
04153                 rsbac_vfree(dev_desc_p);
04154                 f_sum += desc_count;
04155         }
04156         rsbac_printk(KERN_INFO "rsbac_check_acl(): %li device items\n",
04157                      desc_count);
04158         tmp_count = 0;
04159         desc_count =
04160             rsbac_list_lol_get_all_desc(dev_major_handle,
04161                                         (void **) &dev_desc_p);
04162         if (desc_count > 0) {
04163                 for (i = 0; i < desc_count; i++) {
04164                         /* check for group existence of all ACL entries for groups */
04165                         sub_desc_count =
04166                             rsbac_list_lol_get_all_subdesc
04167                             (dev_major_handle, &dev_desc_p[i],
04168                              (void **) &sub_desc_p);
04169                         if (sub_desc_count > 0) {
04170                                 for (j = 0; j < sub_desc_count; j++) {
04171                                         if ((sub_desc_p[j].subj_type ==
04172                                              ACLS_GROUP)
04173                                             && sub_desc_p[j].subj_id
04174                                             &&
04175                                             !rsbac_list_exist(group_handle,
04176                                                               &sub_desc_p
04177                                                               [j].
04178                                                               subj_id)) {
04179                                                 if (correct) {
04180                                                         /* remove sub item and complain */
04181                                                         rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid group %u in ACL -> removing entry!\n",
04182                                                                        'B' + dev_desc_p[i].type,
04183                                                                        dev_desc_p[i].major,
04184                                                                        dev_desc_p[i].minor,
04185                                                                        sub_desc_p[j].subj_id);
04186                                                         rsbac_list_lol_subremove
04187                                                             (dev_major_handle,
04188                                                              &dev_desc_p
04189                                                              [i],
04190                                                              &sub_desc_p
04191                                                              [j]);
04192                                                 } else /* complain */
04193                                                         rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid group %u in ACL!\n",
04194                                                                        'B' + dev_desc_p[i].type,
04195                                                                        dev_desc_p[i].major,
04196                                                                        dev_desc_p[i].minor,
04197                                                                        sub_desc_p[j].subj_id);
04198                                         }
04199 #if defined(CONFIG_RSBAC_RC)
04200                                         else if ((sub_desc_p[j].
04201                                                   subj_type == ACLS_ROLE)
04202                                                  && (sub_desc_p[j].
04203                                                      subj_id >
04204                                                      RC_role_max_value)
04205                                             ) {
04206                                                 if (correct) {
04207                                                         /* remove sub item and complain */
04208                                                         rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid role %u in ACL -> removing entry!\n",
04209                                                                        'B' + dev_desc_p[i].type,
04210                                                                        dev_desc_p[i].major,
04211                                                                        dev_desc_p[i].minor,
04212                                                                        sub_desc_p[j].subj_id);
04213                                                         rsbac_list_lol_subremove
04214                                                             (dev_major_handle,
04215                                                              &dev_desc_p
04216                                                              [i],
04217                                                              &sub_desc_p
04218                                                              [j]);
04219                                                 } else /* complain */
04220                                                         rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid role %u in ACL!\n",
04221                                                                        'B' + dev_desc_p[i].type,
04222                                                                        dev_desc_p[i].major,
04223                                                                        dev_desc_p[i].minor,
04224                                                                        sub_desc_p[j].subj_id);
04225                                         }
04226 #endif
04227                                 }
04228                                 rsbac_vfree(sub_desc_p);
04229                         }
04230                 }
04231                 rsbac_vfree(dev_desc_p);
04232                 f_sum += desc_count;
04233         }
04234         rsbac_printk(KERN_INFO "rsbac_check_acl(): %li device items\n",
04235                      desc_count);
04236 
04237         /* SCD list */
04238         tmp_count = 0;
04239         desc_count =
04240             rsbac_list_lol_get_all_desc(scd_handle, (void **) &scd_desc_p);
04241         if (desc_count > 0) {
04242                 for (i = 0; i < desc_count; i++) {
04243                         /* check for group existence of all ACL entries for groups */
04244                         sub_desc_count =
04245                             rsbac_list_lol_get_all_subdesc(scd_handle,
04246                                                            &scd_desc_p[i],
04247                                                            (void **)
04248                                                            &sub_desc_p);
04249                         if (sub_desc_count > 0) {
04250                                 for (j = 0; j < sub_desc_count; j++) {
04251                                         if ((sub_desc_p[j].subj_type ==
04252                                              ACLS_GROUP)
04253                                             && sub_desc_p[j].subj_id
04254                                             &&
04255                                             !rsbac_list_exist(group_handle,
04256                                                               &sub_desc_p
04257                                                               [j].
04258                                                               subj_id)) {
04259                                                 if (correct) {
04260                                                         /* remove sub item and complain */
04261                                                         rsbac_pr_debug(ds, "scd_item %u has invalid group %u in ACL -> removing entry!\n",
04262                                                                        scd_desc_p[i],
04263                                                                        sub_desc_p[j].subj_id);
04264                                                         rsbac_list_lol_subremove
04265                                                             (scd_handle,
04266                                                              &scd_desc_p
04267                                                              [i],
04268                                                              &sub_desc_p
04269                                                              [j]);
04270                                                 } else /* complain */
04271                                                         rsbac_pr_debug(ds, "scd_item %u has invalid group %u in ACL!\n",
04272                                                                        scd_desc_p[i],
04273                                                                        sub_desc_p[j].subj_id);
04274                                         }
04275 #if defined(CONFIG_RSBAC_RC)
04276                                         else if ((sub_desc_p[j].
04277                                                   subj_type == ACLS_ROLE)
04278                                                  && (sub_desc_p[j].
04279                                                      subj_id >
04280                                                      RC_role_max_value)
04281                                             ) {
04282                                                 if (correct) {
04283                                                         /* remove sub item and complain */
04284                                                         rsbac_pr_debug(ds, "scd_item %u has invalid role %u in ACL -> removing entry!\n",
04285                                                                        scd_desc_p[i],
04286                                                                        sub_desc_p[j].subj_id);
04287                                                         rsbac_list_lol_subremove
04288                                                             (scd_handle,
04289                                                              &scd_desc_p
04290                                                              [i],
04291                                                              &sub_desc_p
04292                                                              [j]);
04293                                                 } else /* complain */
04294                                                         rsbac_pr_debug(ds, "scd_item %u has invalid role %u in ACL!\n",
04295                                                                        scd_desc_p[i],
04296                                                                        sub_desc_p[j].subj_id);
04297                                         }
04298 #endif
04299                                 }
04300                                 rsbac_vfree(sub_desc_p);
04301                         }
04302                 }
04303                 rsbac_vfree(scd_desc_p);
04304                 f_sum += desc_count;
04305         }
04306         rsbac_printk(KERN_INFO "rsbac_check_acl(): %li SCD items\n",
04307                      desc_count);
04308 
04309         /* User list */
04310         tmp_count = 0;
04311         desc_count =
04312             rsbac_list_lol_get_all_desc(u_handle, (void **) &u_desc_p);
04313         if (desc_count > 0) {
04314                 for (i = 0; i < desc_count; i++) {
04315                         /* check for group existence of all ACL entries for groups */
04316                         sub_desc_count =
04317                             rsbac_list_lol_get_all_subdesc(u_handle,
04318                                                            &u_desc_p[i],
04319                                                            (void **)
04320                                                            &sub_desc_p);
04321                         if (sub_desc_count > 0) {
04322                                 for (j = 0; j < sub_desc_count; j++) {
04323                                         if ((sub_desc_p[j].subj_type ==
04324                                              ACLS_GROUP)
04325                                             && sub_desc_p[j].subj_id
04326                                             &&
04327                                             !rsbac_list_exist(group_handle,
04328                                                               &sub_desc_p
04329                                                               [j].
04330                                                               subj_id)) {
04331                                                 if (correct) {
04332                                                         /* remove sub item and complain */
04333                                                         rsbac_pr_debug(ds, "u_item %u has invalid group %u in ACL -> removing entry!\n",
04334                                                                        u_desc_p[i],
04335                                                                        sub_desc_p[j].subj_id);
04336                                                         rsbac_list_lol_subremove
04337                                                             (u_handle,
04338                                                              &u_desc_p[i],
04339                                                              &sub_desc_p
04340                                                              [j]);
04341                                                 } else /* complain */
04342                                                         rsbac_pr_debug(ds, "u_item %u has invalid group %u in ACL!\n",
04343                                                                        u_desc_p[i],
04344                                                                        sub_desc_p[j].subj_id);
04345                                         }
04346 #if defined(CONFIG_RSBAC_RC)
04347                                         else if ((sub_desc_p[j].
04348                                                   subj_type == ACLS_ROLE)
04349                                                  && (sub_desc_p[j].
04350                                                      subj_id >
04351                                                      RC_role_max_value)
04352                                             ) {
04353                                                 if (correct) {
04354                                                         /* remove sub item and complain */
04355                                                         rsbac_pr_debug(ds, "u_item %u has invalid role %u in ACL -> removing entry!\n",
04356                                                                        u_desc_p[i],
04357                                                                        sub_desc_p[j].subj_id);
04358                                                         rsbac_list_lol_subremove
04359                                                             (u_handle,
04360                                                              &u_desc_p[i],
04361                                                              &sub_desc_p
04362                                                              [j]);
04363                                                 } else /* complain */
04364                                                         rsbac_pr_debug(ds, "u_item %u has invalid role %u in ACL!\n",
04365                                                                        u_desc_p[i],
04366                                                                        sub_desc_p[j].subj_id);
04367                                         }
04368 #endif
04369                                 }
04370                                 rsbac_vfree(sub_desc_p);
04371                         }
04372                 }
04373                 rsbac_vfree(u_desc_p);
04374                 f_sum += desc_count;
04375         }
04376         rsbac_printk(KERN_INFO "rsbac_check_acl(): %li user items\n",
04377                      desc_count);
04378 
04379 #ifdef CONFIG_RSBAC_ACL_UM_PROT
04380         /* User list */
04381         tmp_count = 0;
04382         desc_count =
04383             rsbac_list_lol_get_all_desc(g_handle, (void **) &g_desc_p);
04384         if (desc_count > 0) {
04385                 for (i = 0; i < desc_count; i++) {
04386                         /* check for group existence of all ACL entries for groups */
04387                         sub_desc_count =
04388                             rsbac_list_lol_get_all_subdesc(g_handle,
04389                                                            &g_desc_p[i],
04390                                                            (void **)
04391                                                            &sub_desc_p);
04392                         if (sub_desc_count > 0) {
04393                                 for (j = 0; j < sub_desc_count; j++) {
04394                                         if ((sub_desc_p[j].subj_type ==
04395                                              ACLS_GROUP)
04396                                             && sub_desc_p[j].subj_id
04397                                             &&
04398                                             !rsbac_list_exist(group_handle,
04399                                                               &sub_desc_p
04400                                                               [j].
04401                                                               subj_id)) {
04402                                                 if (correct) {
04403                                                         /* remove sub item and complain */
04404                                                         rsbac_pr_debug(ds, "g_item %u has invalid group %u in ACL -> removing entry!\n",
04405                                                                        g_desc_p[i],
04406                                                                        sub_desc_p[j].subj_id);
04407                                                         rsbac_list_lol_subremove
04408                                                             (g_handle,
04409                                                              &g_desc_p[i],
04410                                                              &sub_desc_p
04411                                                              [j]);
04412                                                 } else /* complain */
04413                                                         rsbac_pr_debug(ds, "g_item %u has invalid group %u in ACL!\n",
04414                                                                        g_desc_p[i],
04415                                                                        sub_desc_p[j].subj_id);
04416                                         }
04417 #if defined(CONFIG_RSBAC_RC)
04418                                         else if ((sub_desc_p[j].
04419                                                   subj_type == ACLS_ROLE)
04420                                                  && (sub_desc_p[j].
04421                                                      subj_id >
04422                                                      RC_role_max_value)
04423                                             ) {
04424                                                 if (correct) {
04425                                                         /* remove sub item and complain */
04426                                                         rsbac_pr_debug(ds, "g_item %u has invalid role %u in ACL -> removing entry!\n",
04427                                                                        g_desc_p[i],
04428                                                                        sub_desc_p[j].subj_id);
04429                                                         rsbac_list_lol_subremove
04430                                                             (g_handle,
04431                                                              &g_desc_p[i],
04432                                                              &sub_desc_p
04433                                                              [j]);
04434                                                 } else /* complain */
04435                                                         rsbac_pr_debug(ds, "g_item %u has invalid role %u in ACL!\n",
04436                                                                        g_desc_p[i],
04437                                                                        sub_desc_p[j].subj_id);
04438                                         }
04439 #endif
04440                                 }
04441                                 rsbac_vfree(sub_desc_p);
04442                         }
04443                 }
04444                 rsbac_vfree(g_desc_p);
04445                 f_sum += desc_count;
04446         }
04447         rsbac_printk(KERN_INFO "rsbac_check_acl(): %li Linux group items\n",
04448                      desc_count);
04449 #endif
04450 
04451 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
04452         /* netdev list */
04453         tmp_count = 0;
04454         desc_count =
04455             rsbac_list_lol_get_all_desc(netdev_handle,
04456                                         (void **) &netdev_desc_p);
04457         if (desc_count > 0) {
04458                 for (i = 0; i < desc_count; i++) {
04459                         /* check for group existence of all ACL entries for groups */
04460                         sub_desc_count =
04461                             rsbac_list_lol_get_all_subdesc(netdev_handle,
04462                                                            &netdev_desc_p
04463                                                            [i],
04464                                                            (void **)
04465                                                            &sub_desc_p);
04466                         if (sub_desc_count > 0) {
04467                                 for (j = 0; j < sub_desc_count; j++) {
04468                                         if ((sub_desc_p[j].subj_type ==
04469                                              ACLS_GROUP)
04470                                             && sub_desc_p[j].subj_id
04471                                             &&
04472                                             !rsbac_list_exist(group_handle,
04473                                                               &sub_desc_p
04474                                                               [j].
04475                                                               subj_id)) {
04476                                                 if (correct) {
04477                                                         /* remove sub item and complain */
04478                                                         rsbac_pr_debug(ds, "netdev_item %s has invalid group %u in ACL -> removing entry!\n",
04479                                                                        netdev_desc_p[i],
04480                                                                        sub_desc_p[j].subj_id);
04481                                                         rsbac_list_lol_subremove
04482                                                             (netdev_handle,
04483                                                              &netdev_desc_p
04484                                                              [i],
04485                                                              &sub_desc_p
04486                                                              [j]);
04487                                                 } else /* complain */
04488                                                         rsbac_pr_debug(ds, "netdev_item %s has invalid group %u in ACL!\n",
04489                                                                        netdev_desc_p[i],
04490                                                                        sub_desc_p[j].subj_id);
04491                                         }
04492 #if defined(CONFIG_RSBAC_RC)
04493                                         else if ((sub_desc_p[j].
04494                                                   subj_type == ACLS_ROLE)
04495                                                  && (sub_desc_p[j].
04496                                                      subj_id >
04497                                                      RC_role_max_value)
04498                                             ) {
04499                                                 if (correct) {
04500                                                         /* remove sub item and complain */
04501                                                         rsbac_pr_debug(ds, "netdev_item %s has invalid role %u in ACL -> removing entry!\n",
04502                                                                        netdev_desc_p[i],
04503                                                                        sub_desc_p[j].subj_id);
04504                                                         rsbac_list_lol_subremove
04505                                                             (netdev_handle,
04506                                                              &netdev_desc_p
04507                                                              [i],
04508                                                              &sub_desc_p
04509                                                              [j]);
04510                                                 } else /* complain */
04511                                                         rsbac_pr_debug(ds, "netdev_item %s has invalid role %u in ACL!\n",
04512                                                                        netdev_desc_p[i],
04513                                                                        sub_desc_p[j].subj_id);
04514                                         }
04515 #endif
04516                                 }
04517                                 rsbac_vfree(sub_desc_p);
04518                         }
04519                 }
04520                 rsbac_vfree(netdev_desc_p);
04521                 f_sum += desc_count;
04522         }
04523         rsbac_printk(KERN_INFO "rsbac_check_acl(): %li network device items\n",
04524                      desc_count);
04525 #endif                          /* NET_DEV_PROT */
04526 
04527 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
04528         /* nettemp_nt list */
04529         tmp_count = 0;
04530         desc_count =
04531             rsbac_list_lol_get_all_desc(nettemp_nt_handle,
04532                                         (void **) &nettemp_desc_p);
04533         if (desc_count > 0) {
04534                 for (i = 0; i < desc_count; i++) {
04535                         /* check for group existence of all ACL entries for groups */
04536                         sub_desc_count =
04537                             rsbac_list_lol_get_all_subdesc
04538                             (nettemp_nt_handle, &nettemp_desc_p[i],
04539                              (void **) &sub_desc_p);
04540                         if (sub_desc_count > 0) {
04541                                 for (j = 0; j < sub_desc_count; j++) {
04542                                         if ((sub_desc_p[j].subj_type ==
04543                                              ACLS_GROUP)
04544                                             && sub_desc_p[j].subj_id
04545                                             &&
04546                                             !rsbac_list_exist(group_handle,
04547                                                               &sub_desc_p
04548                                                               [j].
04549                                                               subj_id)) {
04550                                                 if (correct) {
04551                                                         /* remove sub item and complain */
04552                                                         rsbac_pr_debug(ds, "nettemp_nt_item %u has invalid group %u in ACL -> removing entry!\n",
04553                                                                        nettemp_desc_p[i],
04554                                                                        sub_desc_p[j].subj_id);
04555                                                         rsbac_list_lol_subremove
04556                                                             (nettemp_nt_handle,
04557                                                              &nettemp_desc_p
04558                                                              [i],
04559                                                              &sub_desc_p
04560                                                              [j]);
04561                                                 } else /* complain */
04562                                                         rsbac_pr_debug(ds, "nettemp_nt_item %u has invalid group %u in ACL!\n",
04563                                                                        nettemp_desc_p[i],
04564                                                                        sub_desc_p[j].subj_id);
04565                                         }
04566 #if defined(CONFIG_RSBAC_RC)
04567                                         else if ((sub_desc_p[j].
04568                                                   subj_type == ACLS_ROLE)
04569                                                  && (sub_desc_p[j].
04570                                                      subj_id >
04571                                                      RC_role_max_value)
04572                                             ) {
04573                                                 if (correct) {
04574                                                         /* remove sub item and complain */
04575                                                         rsbac_pr_debug(ds, "nettemp_nt_item %u has invalid role %u in ACL -> removing entry!\n",
04576                                                                        nettemp_desc_p[i],
04577                                                                        sub_desc_p[j].subj_id);
04578                                                         rsbac_list_lol_subremove
04579                                                             (nettemp_nt_handle,
04580                                                              &nettemp_desc_p
04581                                                              [i],
04582                                                              &sub_desc_p
04583                                                              [j]);
04584                                                 } else /* complain */
04585                                                         rsbac_pr_debug(ds, "nettemp_nt_item %u has invalid role %u in ACL!\n",
04586                                                                        nettemp_desc_p[i],
04587                                                                        sub_desc_p[j].subj_id);
04588                                         }
04589 #endif
04590                                 }
04591                                 rsbac_vfree(sub_desc_p);
04592                         }
04593                 }
04594                 rsbac_vfree(nettemp_desc_p);
04595                 f_sum += desc_count;
04596         }
04597         rsbac_printk(KERN_INFO "rsbac_check_acl(): %li network template NT items\n",
04598                      desc_count);
04599 
04600         /* nettemp list */
04601         tmp_count = 0;
04602         desc_count =
04603             rsbac_list_lol_get_all_desc(nettemp_handle,
04604                                         (void **) &nettemp_desc_p);
04605         if (desc_count > 0) {
04606                 for (i = 0; i < desc_count; i++) {
04607                         /* check for group existence of all ACL entries for groups */
04608                         sub_desc_count =
04609                             rsbac_list_lol_get_all_subdesc(nettemp_handle,
04610                                                            &nettemp_desc_p
04611                                                            [i],
04612                                                            (void **)
04613                                                            &sub_desc_p);
04614                         if (sub_desc_count > 0) {
04615                                 for (j = 0; j < sub_desc_count; j++) {
04616                                         if ((sub_desc_p[j].subj_type ==
04617                                              ACLS_GROUP)
04618                                             && sub_desc_p[j].subj_id
04619                                             &&
04620                                             !rsbac_list_exist(group_handle,
04621                                                               &sub_desc_p
04622                                                               [j].
04623                                                               subj_id)) {
04624                                                 if (correct) {
04625                                                         /* remove sub item and complain */
04626                                                         rsbac_pr_debug(ds, "nettemp_item %u has invalid group %u in ACL -> removing entry!\n",
04627                                                                        nettemp_desc_p[i],
04628                                                                        sub_desc_p[j].subj_id);
04629                                                         rsbac_list_lol_subremove
04630                                                             (nettemp_handle,
04631                                                              &nettemp_desc_p
04632                                                              [i],
04633                                                              &sub_desc_p
04634                                                              [j]);
04635                                                 } else /* complain */
04636                                                         rsbac_pr_debug(ds, "nettemp_item %u has invalid group %u in ACL!\n",
04637                                                                        nettemp_desc_p[i],
04638                                                                        sub_desc_p[j].subj_id);
04639                                         }
04640 #if defined(CONFIG_RSBAC_RC)
04641                                         else if ((sub_desc_p[j].
04642                                                   subj_type == ACLS_ROLE)
04643                                                  && (sub_desc_p[j].
04644                                                      subj_id >
04645                                                      RC_role_max_value)
04646                                             ) {
04647                                                 if (correct) {
04648                                                         /* remove sub item and complain */
04649                                                         rsbac_pr_debug(ds, "nettemp_item %u has invalid role %u in ACL -> removing entry!\n",
04650                                                                        nettemp_desc_p[i],
04651                                                                        sub_desc_p[j].subj_id);
04652                                                         rsbac_list_lol_subremove
04653                                                             (nettemp_handle,
04654                                                              &nettemp_desc_p
04655                                                              [i],
04656                                                              &sub_desc_p
04657                                                              [j]);
04658                                                 } else /* complain */
04659                                                         rsbac_pr_debug(ds, "nettemp_item %u has invalid role %u in ACL!\n",
04660                                                                        nettemp_desc_p[i],
04661                                                                        sub_desc_p[j].subj_id);
04662                                         }
04663 #endif
04664                                 }
04665                                 rsbac_vfree(sub_desc_p);
04666                         }
04667                 }
04668                 rsbac_vfree(nettemp_desc_p);
04669                 f_sum += desc_count;
04670         }
04671         rsbac_printk(KERN_INFO "rsbac_check_acl(): %li network template items\n",
04672                      desc_count);
04673 
04674         /* netobj list */
04675         tmp_count = 0;
04676         desc_count =
04677             rsbac_list_lol_get_all_desc(netobj_handle,
04678                                         (void **) &netobj_desc_p);
04679         if (desc_count > 0) {
04680                 for (i = 0; i < desc_count; i++) {
04681                         /* check for group existence of all ACL entries for groups */
04682                         sub_desc_count =
04683                             rsbac_list_lol_get_all_subdesc(netobj_handle,
04684                                                            &netobj_desc_p
04685                                                            [i],
04686                                                            (void **)
04687                                                            &sub_desc_p);
04688                         if (sub_desc_count > 0) {
04689                                 for (j = 0; j < sub_desc_count; j++) {
04690                                         if ((sub_desc_p[j].subj_type ==
04691                                              ACLS_GROUP)
04692                                             && sub_desc_p[j].subj_id
04693                                             &&
04694                                             !rsbac_list_exist(group_handle,
04695                                                               &sub_desc_p
04696                                                               [j].
04697                                                               subj_id)) {
04698                                                 if (correct) {
04699                                                         /* remove sub item and complain */
04700                                                         rsbac_pr_debug(ds, "netobj_item %p has invalid group %u in ACL -> removing entry!\n",
04701                                                                        netobj_desc_p[i],
04702                                                                        sub_desc_p[j].subj_id);
04703                                                         rsbac_list_lol_subremove
04704                                                             (netobj_handle,
04705                                                              &netobj_desc_p
04706                                                              [i],
04707                                                              &sub_desc_p
04708                                                              [j]);
04709                                                 } else /* complain */
04710                                                         rsbac_pr_debug(ds, "netobj_item %p has invalid group %u in ACL!\n",
04711                                                                        netobj_desc_p[i],
04712                                                                        sub_desc_p[j].subj_id);
04713                                         }
04714 #if defined(CONFIG_RSBAC_RC)
04715                                         else if ((sub_desc_p[j].
04716                                                   subj_type == ACLS_ROLE)
04717                                                  && (sub_desc_p[j].
04718                                                      subj_id >
04719                                                      RC_role_max_value)
04720                                             ) {
04721                                                 if (correct) {
04722                                                         /* remove sub item and complain */
04723                                                         rsbac_pr_debug(ds, "netobj_item %p has invalid role %u in ACL -> removing entry!\n",
04724                                                                        netobj_desc_p[i],
04725                                                                        sub_desc_p[j].subj_id);
04726                                                         rsbac_list_lol_subremove
04727                                                             (netobj_handle,
04728                                                              &netobj_desc_p
04729                                                              [i],
04730                                                              &sub_desc_p
04731                                                              [j]);
04732                                                 } else /* complain */
04733                                                         rsbac_pr_debug(ds, "netobj_item %p has invalid role %u in ACL!\n",
04734                                                                        netobj_desc_p[i],
04735                                                                        sub_desc_p[j].subj_id);
04736                                         }
04737 #endif
04738                                 }
04739                                 rsbac_vfree(sub_desc_p);
04740                         }
04741                 }
04742                 rsbac_vfree(netobj_desc_p);
04743                 f_sum += desc_count;
04744         }
04745         rsbac_printk(KERN_INFO "rsbac_check_acl(): %li network object items\n",
04746                      desc_count);
04747 #endif                          /* NET_OBJ_PROT */
04748 
04749         rsbac_printk(KERN_INFO "rsbac_check_acl(): Total of %lu registered ACLs\n",
04750                      f_sum);
04751 
04752         return 0;
04753 }
04754 
04755 /************************************************* */
04756 /*               Access functions                  */
04757 /************************************************* */
04758 
04759 /* All these procedures handle the spinlocks to protect the targets during */
04760 /* access.                                                                 */
04761 
04762 /* rsbac_acl_set_acl_entry
04763  * Set ACL entry for given target and subject to given rights. If entry does
04764  * not exist, it is created, thus cutting the inheritance from default/parent.
04765  */
04766 
04767 int rsbac_acl_set_acl_entry(rsbac_list_ta_number_t ta_number,
04768                             enum rsbac_target_t target,
04769                             union rsbac_target_id_t tid,
04770                             enum rsbac_acl_subject_type_t subj_type,
04771                             rsbac_acl_subject_id_t subj_id,
04772                             rsbac_acl_rights_vector_t rights,
04773                             rsbac_time_t ttl)
04774 {
04775         int err = 0;
04776         struct rsbac_acl_device_list_item_t *device_p;
04777         struct rsbac_acl_entry_desc_t desc;
04778 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
04779         u_long dflags;
04780 #endif
04781 
04782         if (!rsbac_is_initialized()) {
04783                 rsbac_printk(KERN_WARNING "rsbac_acl_set_acl_entry(): RSBAC not initialized\n");
04784                 return (-RSBAC_ENOTINITIALIZED);
04785         }
04786         if (subj_type >= ACLS_NONE)
04787                 return (-RSBAC_EINVALIDVALUE);
04788 #ifdef CONFIG_RSBAC_DEBUG
04789         if (in_interrupt()) {
04790                 rsbac_printk(KERN_WARNING "rsbac_acl_set_acl_entry(): called from interrupt!\n");
04791         }
04792 #endif
04793         desc.subj_type = subj_type;
04794         desc.subj_id = subj_id;
04795 
04796         switch (target) {
04797         case T_FILE:
04798         case T_DIR:
04799         case T_FIFO:
04800         case T_SYMLINK:
04801         case T_UNIXSOCK:
04802                 rsbac_pr_debug(ds_acl, "Setting file/dir/fifo/symlink ACL for device %02u:%02u, inode %u\n",
04803                                RSBAC_MAJOR(tid.file.device),
04804                                RSBAC_MINOR(tid.file.device), tid.file.inode);
04805                 /* default entry? */
04806                 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode
04807                     && !tid.file.dentry_p)
04808                         return rsbac_ta_list_add_ttl(ta_number,
04809                                                      default_fd_handle,
04810                                                      ttl, &desc, &rights);
04811 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
04812                 rcu_read_lock();
04813 #else
04814                 rsbac_read_lock(&device_list_lock, &dflags);
04815 #endif
04816                 /* lookup device */
04817                 device_p = acl_lookup_device(tid.file.device);
04818                 if (!device_p) {
04819                         /* trigger rsbac_mount() */
04820 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
04821                         rcu_read_unlock();
04822 #else
04823                         rsbac_read_unlock(&device_list_lock, &dflags);
04824 #endif
04825                         rsbac_get_super_block(tid.file.device);
04826                         /* retry */
04827 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
04828                         rcu_read_lock();
04829 #else
04830                         rsbac_read_lock(&device_list_lock, &dflags);
04831 #endif
04832                         device_p = acl_lookup_device(tid.file.device);
04833                         if (!device_p) {
04834                                 rsbac_printk(KERN_WARNING "rsbac_acl_set_acl_entry(): Could not lookup device!\n");
04835                                 /* free read lock */
04836 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
04837                                 rcu_read_unlock();
04838 #else
04839                                 rsbac_read_unlock(&device_list_lock, &dflags);
04840 #endif
04841                                 return (-RSBAC_EINVALIDDEV);
04842                         }
04843                 }
04844                 if (!rsbac_ta_list_lol_exist
04845                     (ta_number, device_p->handle,
04846                      &tid.file.inode)) {
04847                         rsbac_acl_rights_vector_t mask =
04848                             RSBAC_ACL_DEFAULT_FD_MASK;
04849 
04850                         err = rsbac_ta_list_lol_add_ttl(ta_number,
04851                                                         device_p->handle,
04852                                                         0, &tid.file.inode,
04853                                                         &mask);
04854                         if (err) {
04855 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
04856                                 rcu_read_unlock();
04857 #else
04858                                 rsbac_read_unlock(&device_list_lock, &dflags);
04859 #endif
04860                                 return err;
04861                         }
04862                 }
04863                 err =
04864                     rsbac_ta_list_lol_subadd_ttl(ta_number,
04865                                                  device_p->handle, ttl,
04866                                                  &tid.file.inode, &desc,
04867                                                  &rights);
04868 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
04869                 rcu_read_unlock();
04870 #else
04871                 rsbac_read_unlock(&device_list_lock, &dflags);
04872 #endif
04873                 /* ready. */
04874                 return err;
04875 
04876         case T_DEV:
04877                 rsbac_pr_debug(ds_acl, "Setting device ACL for dev %c %02u:%02u\n",
04878                                'B' + tid.dev.type, tid.dev.major,
04879                                tid.dev.minor);
04880                 /* default entry? */
04881                 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev))
04882                         return rsbac_ta_list_add_ttl(ta_number,
04883                                                      default_dev_handle,
04884                                                      ttl, &desc, &rights);
04885 
04886                 {
04887                         switch (tid.dev.type) {
04888                         case D_char:
04889                         case D_block:
04890                                 if (!rsbac_ta_list_lol_exist
04891                                     (ta_number, dev_handle, &tid.dev)) {
04892                                         rsbac_acl_rights_vector_t mask =
04893                                             RSBAC_ACL_DEFAULT_DEV_MASK;
04894 
04895                                         err =
04896                                             rsbac_ta_list_lol_add_ttl
04897                                             (ta_number, dev_handle, 0,
04898                                              &tid.dev, &mask);
04899                                         if (err)
04900                                                 return err;
04901                                 }
04902                                 return
04903                                     rsbac_ta_list_lol_subadd_ttl(ta_number,
04904                                                                  dev_handle,
04905                                                                  ttl,
04906                                                                  &tid.dev,
04907                                                                  &desc,
04908                                                                  &rights);
04909 
04910                         case D_char_major:
04911                         case D_block_major:
04912                                 tid.dev.type -= (D_block_major - D_block);
04913                                 if (!rsbac_ta_list_lol_exist
04914                                     (ta_number, dev_major_handle,
04915                                      &tid.dev)) {
04916                                         rsbac_acl_rights_vector_t mask =
04917                                             RSBAC_ACL_DEFAULT_DEV_MASK;
04918 
04919                                         err =
04920                                             rsbac_ta_list_lol_add_ttl
04921                                             (ta_number, dev_major_handle,
04922                                              0, &tid.dev, &mask);
04923                                         if (err)
04924                                                 return err;
04925                                 }
04926                                 return
04927                                     rsbac_ta_list_lol_subadd_ttl(ta_number,
04928                                                                  dev_major_handle,
04929                                                                  ttl,
04930                                                                  &tid.dev,
04931                                                                  &desc,
04932                                                                  &rights);
04933 
04934                         default:
04935                                 return -RSBAC_EINVALIDTARGET;
04936                         }
04937                 }
04938 
04939         case T_IPC:
04940                 /* default entry? */
04941                 if (tid.ipc.type == I_none)
04942                         return rsbac_ta_list_add_ttl(ta_number,
04943                                                      default_ipc_handle,
04944                                                      ttl, &desc, &rights);
04945                 else
04946                         return -RSBAC_EINVALIDTARGET;
04947 
04948         case T_SCD:
04949                 /* default entry? */
04950                 if (tid.scd == AST_none)
04951                         return rsbac_ta_list_add_ttl(ta_number,
04952                                                      default_scd_handle,
04953                                                      ttl, &desc, &rights);
04954 
04955                 if (!rsbac_ta_list_lol_exist
04956                     (ta_number, scd_handle, &tid.scd)) {
04957                         rsbac_acl_rights_vector_t mask =
04958                             RSBAC_ACL_DEFAULT_SCD_MASK;
04959 
04960                         err = rsbac_ta_list_lol_add_ttl(ta_number,
04961                                                         scd_handle,
04962                                                         0,
04963                                                         &tid.scd, &mask);
04964                         if (err)
04965                                 return err;
04966                 }
04967                 return rsbac_ta_list_lol_subadd_ttl(ta_number, scd_handle,
04968                                                     ttl, &tid.scd, &desc,
04969                                                     &rights);
04970 
04971         case T_USER:
04972                 /* default entry? */
04973                 if (tid.user == RSBAC_NO_USER)
04974                         return rsbac_ta_list_add_ttl(ta_number,
04975                                                      default_u_handle, ttl,
04976                                                      &desc, &rights);
04977                 if (!rsbac_ta_list_lol_exist
04978                     (ta_number, u_handle, &tid.user)) {
04979                         rsbac_acl_rights_vector_t mask =
04980                             RSBAC_ACL_DEFAULT_U_MASK;
04981 
04982                         err = rsbac_ta_list_lol_add_ttl(ta_number,
04983                                                         u_handle,
04984                                                         0,
04985                                                         &tid.user, &mask);
04986                         if (err)
04987                                 return err;
04988                 }
04989                 return rsbac_ta_list_lol_subadd_ttl(ta_number, u_handle,
04990                                                     ttl, &tid.user, &desc,
04991                                                     &rights);
04992 
04993 
04994         case T_PROCESS:
04995                 /* default entry? */
04996                 if (!tid.process)
04997                         return rsbac_ta_list_add_ttl(ta_number,
04998                                                      default_p_handle, ttl,
04999                                                      &desc, &rights);
05000                 else
05001                         return -RSBAC_EINVALIDTARGET;
05002 
05003 #ifdef CONFIG_RSBAC_ACL_UM_PROT
05004         case T_GROUP:
05005                 /* default entry? */
05006                 if (tid.group == RSBAC_NO_GROUP)
05007                         return rsbac_ta_list_add_ttl(ta_number,
05008                                                      default_g_handle, ttl,
05009                                                      &desc, &rights);
05010                 if (!rsbac_ta_list_lol_exist
05011                     (ta_number, g_handle, &tid.group)) {
05012                         rsbac_acl_rights_vector_t mask =
05013                             RSBAC_ACL_DEFAULT_G_MASK;
05014 
05015                         err = rsbac_ta_list_lol_add_ttl(ta_number,
05016                                                         g_handle,
05017                                                         0,
05018                                                         &tid.group, &mask);
05019                         if (err)
05020                                 return err;
05021                 }
05022                 return rsbac_ta_list_lol_subadd_ttl(ta_number, g_handle,
05023                                                     ttl, &tid.group, &desc,
05024                                                     &rights);
05025 #endif
05026 
05027 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
05028         case T_NETDEV:
05029                 rsbac_pr_debug(ds_acl, "Setting network device ACL for netdev %s\n",
05030                                tid.netdev);
05031                 /* default entry? */
05032                 if (!tid.netdev[0])
05033                         return rsbac_ta_list_add_ttl(ta_number,
05034                                                      default_netdev_handle,
05035                                                      ttl, &desc, &rights);
05036 
05037                 if (!rsbac_ta_list_lol_exist
05038                     (ta_number, netdev_handle, &tid.netdev)) {
05039                         rsbac_acl_rights_vector_t mask =
05040                             RSBAC_ACL_DEFAULT_NETDEV_MASK;
05041 
05042                         err = rsbac_ta_list_lol_add_ttl(ta_number,
05043                                                         netdev_handle,
05044                                                         0,
05045                                                         &tid.netdev,
05046                                                         &mask);
05047                         if (err)
05048                                 return err;
05049                 }
05050                 return rsbac_ta_list_lol_subadd_ttl(ta_number,
05051                                                     netdev_handle, ttl,
05052                                                     &tid.netdev, &desc,
05053                                                     &rights);
05054 #endif
05055 
05056 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
05057         case T_NETTEMP_NT:
05058                 rsbac_pr_debug(ds_acl, "Setting network template NT ACL for "
05059                                "nettemp_nt %u\n", tid.nettemp);
05060                 /* default entry? */
05061                 if (!tid.nettemp)
05062                         return rsbac_ta_list_add_ttl(ta_number,
05063                                                      default_nettemp_nt_handle,
05064                                                      ttl, &desc, &rights);
05065 
05066                 if (!rsbac_ta_list_lol_exist
05067                     (ta_number, nettemp_nt_handle, &tid.nettemp)) {
05068                         rsbac_acl_rights_vector_t mask =
05069                             RSBAC_ACL_DEFAULT_NETTEMP_MASK;
05070 
05071                         err = rsbac_ta_list_lol_add_ttl(ta_number,
05072                                                         nettemp_nt_handle,
05073                                                         0,
05074                                                         &tid.nettemp,
05075                                                         &mask);
05076                         if (err)
05077                                 return err;
05078                 }
05079                 return rsbac_ta_list_lol_subadd_ttl(ta_number,
05080                                                     nettemp_nt_handle, ttl,
05081                                                     &tid.nettemp, &desc,
05082                                                     &rights);
05083 
05084         case T_NETTEMP:
05085                 rsbac_pr_debug(ds_acl, "Setting network template ACL for nettemp %u\n",
05086                                tid.nettemp);
05087                 /* default entry? */
05088                 if (!tid.nettemp)
05089                         return -RSBAC_EINVALIDTARGET;
05090                 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
05091                         return -RSBAC_EINVALIDTARGET;
05092 
05093                 if (!rsbac_ta_list_lol_exist
05094                     (ta_number, nettemp_handle, &tid.nettemp)) {
05095                         rsbac_acl_rights_vector_t mask =
05096                             RSBAC_ACL_DEFAULT_NETOBJ_MASK;
05097 
05098                         err = rsbac_ta_list_lol_add_ttl(ta_number,
05099                                                         nettemp_handle,
05100                                                         0,
05101                                                         &tid.nettemp,
05102                                                         &mask);
05103                         if (err)
05104                                 return err;
05105                 }
05106                 return rsbac_ta_list_lol_subadd_ttl(ta_number,
05107                                                     nettemp_handle, ttl,
05108                                                     &tid.nettemp, &desc,
05109                                                     &rights);
05110 
05111         case T_NETOBJ:
05112                 rsbac_pr_debug(ds_acl, "Setting network object ACL for netobj %p\n",
05113                                tid.netobj.sock_p);
05114                 /* default entry? */
05115                 if (!tid.netobj.sock_p)
05116                         return rsbac_ta_list_add_ttl(ta_number,
05117                                                      default_netobj_handle,
05118                                                      ttl, &desc, &rights);
05119 
05120                 if (!rsbac_ta_list_lol_exist
05121                     (ta_number, netobj_handle, &tid.netobj.sock_p)) {
05122                         rsbac_acl_rights_vector_t mask =
05123                             RSBAC_ACL_DEFAULT_NETOBJ_MASK;
05124 
05125                         err = rsbac_ta_list_lol_add_ttl(ta_number,
05126                                                         netobj_handle,
05127                                                         0,
05128                                                         &tid.netobj.sock_p,
05129                                                         &mask);
05130                         if (err)
05131                                 return err;
05132                 }
05133                 return rsbac_ta_list_lol_subadd_ttl(ta_number,
05134                                                     netobj_handle, ttl,
05135                                                     &tid.netobj.sock_p,
05136                                                     &desc, &rights);
05137 #endif                          /* NET_OBJ_PROT */
05138 
05139 
05140         default:
05141                 err = -RSBAC_EINVALIDTARGET;
05142         }
05143         return (err);
05144 }
05145 
05146 /* rsbac_acl_remove_acl_entry
05147  * Remove ACL entry for given target and subject. This reactivates the
05148  * inheritance from default/parent.
05149  */
05150 
05151 int rsbac_acl_remove_acl_entry(rsbac_list_ta_number_t ta_number,
05152                                enum rsbac_target_t target,
05153                                union rsbac_target_id_t tid,
05154                                enum rsbac_acl_subject_type_t subj_type,
05155                                rsbac_acl_subject_id_t subj_id)
05156 {
05157         int err = 0;
05158         struct rsbac_acl_device_list_item_t *device_p;
05159         struct rsbac_acl_entry_desc_t desc;
05160         char tmp[RSBAC_MAXNAMELEN];
05161         rsbac_acl_rights_vector_t mask;
05162 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
05163         u_long dflags;
05164 #endif
05165 
05166         if (!rsbac_is_initialized()) {
05167                 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl_entry(): RSBAC not initialized\n");
05168                 return (-RSBAC_ENOTINITIALIZED);
05169         }
05170         if (subj_type >= ACLS_NONE)
05171                 return (-RSBAC_EINVALIDVALUE);
05172 #ifdef CONFIG_RSBAC_DEBUG
05173         if (in_interrupt()) {
05174                 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl_entry(): called from interrupt!\n");
05175         }
05176 #endif
05177         desc.subj_type = subj_type;
05178         desc.subj_id = subj_id;
05179 
05180         switch (target) {
05181         case T_FILE:
05182         case T_DIR:
05183         case T_FIFO:
05184         case T_SYMLINK:
05185         case T_UNIXSOCK:
05186                 rsbac_pr_debug(ds_acl, "Removing file/dir/fifo/symlink ACL entry %s %u for device %02u:%02u, inode %u\n",
05187                                get_acl_subject_type_name(tmp, desc.subj_type),
05188                                desc.subj_id,
05189                                RSBAC_MAJOR(tid.file.device),
05190                                RSBAC_MINOR(tid.file.device), tid.file.inode);
05191                 /* default entry? */
05192                 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode
05193                     && !tid.file.dentry_p)
05194                         return rsbac_ta_list_remove(ta_number,
05195                                                     default_fd_handle,
05196                                                     &desc);
05197 
05198 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05199                 rcu_read_lock();
05200 #else
05201                 rsbac_read_lock(&device_list_lock, &dflags);
05202 #endif
05203                 /* lookup device */
05204                 device_p = acl_lookup_device(tid.file.device);
05205                 if (!device_p) {
05206                         /* trigger rsbac_mount() */
05207 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05208                         rcu_read_unlock();
05209 #else
05210                         rsbac_read_unlock(&device_list_lock, &dflags);
05211 #endif
05212                         rsbac_get_super_block(tid.file.device);
05213                         /* retry */
05214 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05215                         rcu_read_lock();
05216 #else
05217                         rsbac_read_lock(&device_list_lock, &dflags);
05218 #endif
05219                         device_p = acl_lookup_device(tid.file.device);
05220                         if (!device_p) {
05221                                 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl_entry(): Could not lookup device!\n");
05222 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05223                                 rcu_read_unlock();
05224 #else
05225                                 rsbac_read_unlock(&device_list_lock, &dflags);
05226 #endif
05227                                 return (-RSBAC_EINVALIDDEV);
05228                         }
05229                 }
05230                 err = rsbac_ta_list_lol_subremove(ta_number,
05231                                                 device_p->handle,
05232                                                 &tid.file.inode, &desc);
05233                 /* if ACL is empty, remove it */
05234                 if (!err
05235                     && !rsbac_ta_list_lol_subcount(ta_number,
05236                                                    device_p->handle,
05237                                                    &tid.file.inode)
05238                     && !rsbac_ta_list_lol_get_data_ttl(ta_number,
05239                                                        device_p->handle,
05240                                                        NULL,
05241                                                        &tid.file.inode,
05242                                                        &mask)
05243                     && (mask == RSBAC_ACL_DEFAULT_FD_MASK)
05244                     ) {
05245                         err = rsbac_ta_list_lol_remove(ta_number,
05246                                                      device_p->handle,
05247                                                      &tid.file.inode);
05248                 }
05249 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05250                 rcu_read_unlock();
05251 #else
05252                 rsbac_read_unlock(&device_list_lock, &dflags);
05253 #endif
05254                 return err;
05255 
05256         case T_DEV:
05257                 rsbac_pr_debug(ds_acl, "Removing device ACL entry for dev %c %02u:%02u\n",
05258                                'B' + tid.dev.type, tid.dev.major,
05259                                tid.dev.minor);
05260                 /* default entry? */
05261                 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev))
05262                         return rsbac_ta_list_remove(ta_number,
05263                                                     default_dev_handle,
05264                                                     &desc);
05265 
05266                 {
05267                         switch (tid.dev.type) {
05268                         case D_char:
05269                         case D_block:
05270                                 err =
05271                                     rsbac_ta_list_lol_subremove(ta_number,
05272                                                                 dev_handle,
05273                                                                 &tid.dev,
05274                                                                 &desc);
05275                                 /* if ACL is empty, remove it */
05276                                 if (!err
05277                                     &&
05278                                     !rsbac_ta_list_lol_subcount(ta_number,
05279                                                                 dev_handle,
05280                                                                 &tid.dev)
05281                                     &&
05282                                     !rsbac_ta_list_lol_get_data_ttl
05283                                     (ta_number, dev_handle, NULL, &tid.dev,
05284                                      &mask)
05285                                     && (mask == RSBAC_ACL_DEFAULT_DEV_MASK)
05286                                     ) {
05287                                         err =
05288                                             rsbac_ta_list_lol_remove
05289                                             (ta_number, dev_handle,
05290                                              &tid.dev);
05291                                 }
05292                                 return err;
05293 
05294                         case D_char_major:
05295                         case D_block_major:
05296                                 tid.dev.type -= (D_block_major - D_block);
05297                                 err =
05298                                     rsbac_ta_list_lol_subremove(ta_number,
05299                                                                 dev_major_handle,
05300                                                                 &tid.dev,
05301                                                                 &desc);
05302                                 /* if ACL is empty, remove it */
05303                                 if (!err
05304                                     &&
05305                                     !rsbac_ta_list_lol_subcount(ta_number,
05306                                                                 dev_major_handle,
05307                                                                 &tid.dev)
05308                                     &&
05309                                     !rsbac_ta_list_lol_get_data_ttl
05310                                     (ta_number, dev_major_handle, NULL,
05311                                      &tid.dev, &mask)
05312                                     && (mask == RSBAC_ACL_DEFAULT_DEV_MASK)
05313                                     ) {
05314                                         err =
05315                                             rsbac_ta_list_lol_remove
05316                                             (ta_number, dev_major_handle,
05317                                              &tid.dev);
05318                                 }
05319                                 return err;
05320 
05321                         default:
05322                                 return -RSBAC_EINVALIDTARGET;
05323                         }
05324                 }
05325 
05326         case T_IPC:
05327                 rsbac_pr_debug(ds_acl, "Removing IPC ACL for type %u\n", tid.ipc.type);
05328                 /* default entry? */
05329                 if (tid.ipc.type == I_none)
05330                         return rsbac_ta_list_remove(ta_number,
05331                                                     default_ipc_handle,
05332                                                     &desc);
05333                 else
05334                         return -RSBAC_EINVALIDTARGET;
05335 
05336         case T_SCD:
05337                 rsbac_pr_debug(ds_acl, "Removing SCD ACL entry for %s\n",
05338                                get_acl_scd_type_name(tmp, tid.scd));
05339                 /* default entry? */
05340                 if (tid.scd == AST_none)
05341                         return rsbac_ta_list_remove(ta_number,
05342                                                     default_scd_handle,
05343                                                     &desc);
05344                 err =
05345                     rsbac_ta_list_lol_subremove(ta_number, scd_handle,
05346                                                 &tid.scd, &desc);
05347                 /* if ACL is empty, remove it */
05348                 if (!err
05349                     && !rsbac_ta_list_lol_subcount(ta_number, scd_handle,
05350                                                    &tid.scd)
05351                     && !rsbac_ta_list_lol_get_data_ttl(ta_number,
05352                                                        scd_handle, NULL,
05353                                                        &tid.scd, &mask)
05354                     && (mask == RSBAC_ACL_DEFAULT_SCD_MASK)
05355                     ) {
05356                         err =
05357                             rsbac_ta_list_lol_remove(ta_number, scd_handle,
05358                                                      &tid.scd);
05359                 }
05360                 return err;
05361 
05362         case T_USER:
05363                 rsbac_pr_debug(ds_acl, "Removing user ACL for user %u\n",
05364                                tid.user);
05365                 /* default entry? */
05366                 if (tid.user == RSBAC_NO_USER)
05367                         return rsbac_ta_list_remove(ta_number,
05368                                                     default_u_handle,
05369                                                     &desc);
05370                 err =
05371                     rsbac_ta_list_lol_subremove(ta_number, u_handle,
05372                                                 &tid.user, &desc);
05373                 /* if ACL is empty, remove it */
05374                 if (!err
05375                     && !rsbac_ta_list_lol_subcount(ta_number, u_handle,
05376                                                    &tid.user)
05377                     && !rsbac_ta_list_lol_get_data_ttl(ta_number, u_handle,
05378                                                        NULL, &tid.user,
05379                                                        &mask)
05380                     && (mask == RSBAC_ACL_DEFAULT_U_MASK)
05381                     ) {
05382                         err =
05383                             rsbac_ta_list_lol_remove(ta_number, u_handle,
05384                                                      &tid.user);
05385                 }
05386                 return err;
05387 
05388         case T_PROCESS:
05389                 rsbac_pr_debug(ds_acl, "Removing process ACL for pid %u\n",
05390                                tid.process);
05391                 /* default entry? */
05392                 if (!tid.process)
05393                         return rsbac_ta_list_remove(ta_number,
05394                                                     default_p_handle,
05395                                                     &desc);
05396                 else
05397                         return -RSBAC_EINVALIDTARGET;
05398 
05399 #ifdef CONFIG_RSBAC_ACL_UM_PROT
05400         case T_GROUP:
05401                 rsbac_pr_debug(ds_acl, "Removing Linux group ACL for group %u\n",
05402                                tid.group);
05403                 /* default entry? */
05404                 if (tid.group == RSBAC_NO_GROUP)
05405                         return rsbac_ta_list_remove(ta_number,
05406                                                     default_g_handle,
05407                                                     &desc);
05408                 err =
05409                     rsbac_ta_list_lol_subremove(ta_number, g_handle,
05410                                                 &tid.group, &desc);
05411                 /* if ACL is empty, remove it */
05412                 if (!err
05413                     && !rsbac_ta_list_lol_subcount(ta_number, g_handle,
05414                                                    &tid.group)
05415                     && !rsbac_ta_list_lol_get_data_ttl(ta_number, g_handle,
05416                                                        NULL, &tid.group,
05417                                                        &mask)
05418                     && (mask == RSBAC_ACL_DEFAULT_G_MASK)
05419                     ) {
05420                         err =
05421                             rsbac_ta_list_lol_remove(ta_number, g_handle,
05422                                                      &tid.group);
05423                 }
05424                 return err;
05425 #endif
05426 
05427 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
05428         case T_NETDEV:
05429                 rsbac_pr_debug(ds_acl, "Removing network device ACL entry for netdev %s\n",
05430                                tid.netdev);
05431                 /* default entry? */
05432                 if (!tid.netdev[0])
05433                         return rsbac_ta_list_remove(ta_number,
05434                                                     default_netdev_handle,
05435                                                     &desc);
05436 
05437                 err =
05438                     rsbac_ta_list_lol_subremove(ta_number, netdev_handle,
05439                                                 &tid.netdev, &desc);
05440                 /* if ACL is empty, remove it */
05441                 if (!err
05442                     && !rsbac_ta_list_lol_subcount(ta_number,
05443                                                    netdev_handle,
05444                                                    &tid.netdev)
05445                     && !rsbac_ta_list_lol_get_data_ttl(ta_number,
05446                                                        netdev_handle, NULL,
05447                                                        &tid.netdev, &mask)
05448                     && (mask == RSBAC_ACL_DEFAULT_NETDEV_MASK)
05449                     ) {
05450                         err =
05451                             rsbac_ta_list_lol_remove(ta_number,
05452                                                      netdev_handle,
05453                                                      &tid.netdev);
05454                 }
05455                 return err;
05456 #endif
05457 
05458 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
05459         case T_NETTEMP_NT:
05460                 rsbac_pr_debug(ds_acl, "Removing network template NT ACL entry for "
05461                                "nettemp_nt %u\n", tid.nettemp);
05462                 /* default entry? */
05463                 if (!tid.nettemp)
05464                         return rsbac_ta_list_remove(ta_number,
05465                                                     default_nettemp_nt_handle,
05466                                                     &desc);
05467                 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
05468                         return -RSBAC_EINVALIDTARGET;
05469 
05470                 err =
05471                     rsbac_ta_list_lol_subremove(ta_number,
05472                                                 nettemp_nt_handle,
05473                                                 &tid.nettemp, &desc);
05474                 /* if ACL is empty, remove it */
05475                 if (!err
05476                     && !rsbac_ta_list_lol_subcount(ta_number,
05477                                                    nettemp_nt_handle,
05478                                                    &tid.nettemp)
05479                     && !rsbac_ta_list_lol_get_data_ttl(ta_number,
05480                                                        nettemp_nt_handle,
05481                                                        NULL, &tid.nettemp,
05482                                                        &mask)
05483                     && (mask == RSBAC_ACL_DEFAULT_NETTEMP_MASK)
05484                     ) {
05485                         err =
05486                             rsbac_ta_list_lol_remove(ta_number,
05487                                                      nettemp_nt_handle,
05488                                                      &tid.nettemp);
05489                 }
05490                 return err;
05491 
05492         case T_NETTEMP:
05493                 rsbac_pr_debug(ds_acl, "Removing network template ACL entry for nettemp_nt %u\n",
05494                                tid.nettemp);
05495                 /* default entry? */
05496                 if (!tid.nettemp)
05497                         return -RSBAC_EINVALIDTARGET;
05498                 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
05499                         return -RSBAC_EINVALIDTARGET;
05500 
05501                 err =
05502                     rsbac_ta_list_lol_subremove(ta_number, nettemp_handle,
05503                                                 &tid.nettemp, &desc);
05504                 /* if ACL is empty, remove it */
05505                 if (!err
05506                     && !rsbac_ta_list_lol_subcount(ta_number,
05507                                                    nettemp_handle,
05508                                                    &tid.nettemp)
05509                     && !rsbac_ta_list_lol_get_data_ttl(ta_number,
05510                                                        nettemp_handle,
05511                                                        NULL, &tid.nettemp,
05512                                                        &mask)
05513                     && (mask == RSBAC_ACL_DEFAULT_NETOBJ_MASK)
05514                     ) {
05515                         err =
05516                             rsbac_ta_list_lol_remove(ta_number,
05517                                                      nettemp_handle,
05518                                                      &tid.nettemp);
05519                 }
05520                 return err;
05521 
05522         case T_NETOBJ:
05523                 rsbac_pr_debug(ds_acl, "Removing network object ACL entry for netobj %p\n",
05524                                tid.netobj.sock_p);
05525                 /* default entry? */
05526                 if (!tid.netobj.sock_p)
05527                         return rsbac_ta_list_remove(ta_number,
05528                                                     default_netobj_handle,
05529                                                     &desc);
05530 
05531                 err =
05532                     rsbac_ta_list_lol_subremove(ta_number, netobj_handle,
05533                                                 &tid.netobj.sock_p, &desc);
05534                 /* if ACL is empty, remove it */
05535                 if (!err
05536                     && !rsbac_ta_list_lol_subcount(ta_number,
05537                                                    netobj_handle,
05538                                                    &tid.netobj.sock_p)
05539                     && !rsbac_ta_list_lol_get_data_ttl(ta_number,
05540                                                        netobj_handle, NULL,
05541                                                        &tid.netobj, &mask)
05542                     && (mask == RSBAC_ACL_DEFAULT_NETOBJ_MASK)
05543                     ) {
05544                         err =
05545                             rsbac_ta_list_lol_remove(ta_number,
05546                                                      netobj_handle,
05547                                                      &tid.netobj.sock_p);
05548                 }
05549                 return err;
05550 #endif                          /* NET_OBJ_PROT */
05551 
05552         default:
05553                 return -RSBAC_EINVALIDTARGET;
05554         }
05555 }
05556 
05557 /* rsbac_acl_remove_acl
05558  * Remove ACL for given target. For cleanup on delete.
05559  */
05560 
05561 int rsbac_acl_remove_acl(rsbac_list_ta_number_t ta_number,
05562                          enum rsbac_target_t target,
05563                          union rsbac_target_id_t tid)
05564 {
05565         int err = 0;
05566         char tmp[RSBAC_MAXNAMELEN];
05567         struct rsbac_acl_device_list_item_t *device_p;
05568 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
05569         u_long dflags;
05570 #endif
05571 
05572         if (!rsbac_is_initialized()) {
05573                 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl(): RSBAC not initialized\n");
05574                 return (-RSBAC_ENOTINITIALIZED);
05575         }
05576 #ifdef CONFIG_RSBAC_DEBUG
05577         if (in_interrupt()) {
05578                 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl(): called from interrupt!\n");
05579         }
05580 #endif
05581         switch (target) {
05582         case T_FILE:
05583         case T_DIR:
05584         case T_FIFO:
05585         case T_SYMLINK:
05586         case T_UNIXSOCK:
05587                 rsbac_pr_debug(ds_acl, "Removing file/dir/fifo/symlink ACL for device %02u:%02u, inode %u\n",
05588                                RSBAC_MAJOR(tid.file.device),
05589                                RSBAC_MINOR(tid.file.device), tid.file.inode);
05590                 /* default entry? */
05591                 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode
05592                     && !tid.file.dentry_p)
05593                         return -RSBAC_EINVALIDTARGET;
05594 
05595 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05596                 rcu_read_lock();
05597 #else
05598                 rsbac_read_lock(&device_list_lock, &dflags);
05599 #endif
05600                 /* lookup device */
05601                 device_p = acl_lookup_device(tid.file.device);
05602                 if (!device_p) {
05603                         /* trigger rsbac_mount() */
05604 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05605                         rcu_read_unlock();
05606 #else
05607                         rsbac_read_unlock(&device_list_lock, &dflags);
05608 #endif
05609                         rsbac_get_super_block(tid.file.device);
05610                         /* retry */
05611 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05612                         rcu_read_lock();
05613 #else
05614                         rsbac_read_lock(&device_list_lock, &dflags);
05615 #endif
05616                         device_p = acl_lookup_device(tid.file.device);
05617                         if (!device_p) {
05618                                 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl(): Could not lookup device!\n");
05619 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05620                                 rcu_read_unlock();
05621 #else
05622                                 rsbac_read_unlock(&device_list_lock, &dflags);
05623 #endif
05624                                 return -RSBAC_EINVALIDDEV;
05625                         }
05626                 }
05627                 err = rsbac_ta_list_lol_remove(ta_number,
05628                                              device_p->handle,
05629                                              &tid.file.inode);
05630 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05631                 rcu_read_unlock();
05632 #else
05633                 rsbac_read_unlock(&device_list_lock, &dflags);
05634 #endif
05635                 return err;
05636 
05637         case T_DEV:
05638                 rsbac_pr_debug(ds_acl, "Removing device ACL for dev %c %02u:%02u\n",
05639                                'B' + tid.dev.type, tid.dev.major,
05640                                tid.dev.minor);
05641                 /* default entry? */
05642                 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev))
05643                         return -RSBAC_EINVALIDTARGET;
05644                 switch (tid.dev.type) {
05645                 case D_char:
05646                 case D_block:
05647                         return rsbac_ta_list_lol_remove(ta_number,
05648                                                         dev_handle,
05649                                                         &tid.dev);
05650 
05651                 case D_char_major:
05652                 case D_block_major:
05653                         tid.dev.type -= (D_block_major - D_block);
05654                         return rsbac_ta_list_lol_remove(ta_number,
05655                                                         dev_major_handle,
05656                                                         &tid.dev);
05657 
05658                 default:
05659                         return -RSBAC_EINVALIDTARGET;
05660                 }
05661 
05662         case T_SCD:
05663                 rsbac_pr_debug(ds_acl, "Removing SCD ACL for %s\n",
05664                                get_acl_scd_type_name(tmp, tid.scd));
05665                 /* default entry? */
05666                 if (tid.scd == AST_none)
05667                         return -RSBAC_EINVALIDTARGET;
05668                 else
05669                         return rsbac_ta_list_lol_remove(ta_number,
05670                                                         scd_handle,
05671                                                         &tid.scd);
05672 
05673         case T_USER:
05674                 rsbac_pr_debug(ds_acl, "Removing user ACL for user %u\n",
05675                                tid.user);
05676                 /* default entry? */
05677                 if (tid.user == RSBAC_NO_USER)
05678                         return -RSBAC_EINVALIDTARGET;
05679                 else
05680                         return rsbac_ta_list_lol_remove(ta_number,
05681                                                         u_handle,
05682                                                         &tid.user);
05683 
05684 #ifdef CONFIG_RSBAC_ACL_UM_PROT
05685         case T_GROUP:
05686                 rsbac_pr_debug(ds_acl, "Removing Linux group ACL for group %u\n",
05687                                tid.group);
05688                 /* default entry? */
05689                 if (tid.group == RSBAC_NO_GROUP)
05690                         return -RSBAC_EINVALIDTARGET;
05691                 else
05692                         return rsbac_ta_list_lol_remove(ta_number,
05693                                                         g_handle,
05694                                                         &tid.group);
05695 #endif
05696 
05697 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
05698         case T_NETDEV:
05699                 rsbac_pr_debug(ds_acl, "Removing network device ACL for netdev %s\n",
05700                                tid.netdev);
05701                 /* default entry? */
05702                 if (!tid.netdev[0])
05703                         return -RSBAC_EINVALIDTARGET;
05704                 else
05705                         return rsbac_ta_list_lol_remove(ta_number,
05706                                                         netdev_handle,
05707                                                         &tid.netdev);
05708 #endif
05709 
05710 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
05711         case T_NETTEMP_NT:
05712                 rsbac_pr_debug(ds_acl, "Removing network template NT ACL for nettemp_nt %u\n",
05713                                tid.nettemp);
05714                 /* default entry? */
05715                 if (!tid.nettemp)
05716                         return -RSBAC_EINVALIDTARGET;
05717                 else
05718                         return rsbac_ta_list_lol_remove(ta_number,
05719                                                         nettemp_nt_handle,
05720                                                         &tid.nettemp);
05721         case T_NETTEMP:
05722                 rsbac_pr_debug(ds_acl, "Removing network template ACL for nettemp %u\n",
05723                                tid.nettemp);
05724                 /* default entry? */
05725                 if (!tid.nettemp)
05726                         return -RSBAC_EINVALIDTARGET;
05727                 else
05728                         return rsbac_ta_list_lol_remove(ta_number,
05729                                                         nettemp_handle,
05730                                                         &tid.nettemp);
05731         case T_NETOBJ:
05732                 rsbac_pr_debug(ds_acl, "Removing network object ACL for netobj %p\n",
05733                                tid.netobj.sock_p);
05734                 /* default entry? */
05735                 if (!tid.netobj.sock_p)
05736                         return -RSBAC_EINVALIDTARGET;
05737                 else
05738                         return rsbac_ta_list_lol_remove(ta_number,
05739                                                         netobj_handle,
05740                                                         &tid.netobj.
05741                                                         sock_p);
05742 #endif
05743 
05744         default:
05745                 err = -RSBAC_EINVALIDTARGET;
05746         }
05747         return (err);
05748 }
05749 
05750 /* rsbac_acl_add_to_acl_entry
05751  * Add given rights to ACL entry for given target and subject. If entry does
05752  * not exist, behaviour is exactly like rsbac_acl_set_acl_entry.
05753  */
05754 
05755 int rsbac_acl_add_to_acl_entry(rsbac_list_ta_number_t ta_number,
05756                                enum rsbac_target_t target,
05757                                union rsbac_target_id_t tid,
05758                                enum rsbac_acl_subject_type_t subj_type,
05759                                rsbac_acl_subject_id_t subj_id,
05760                                rsbac_acl_rights_vector_t rights,
05761                                rsbac_time_t ttl)
05762 {
05763         int err = 0;
05764         struct rsbac_acl_device_list_item_t *device_p;
05765         rsbac_acl_rights_vector_t old_rights;
05766         struct rsbac_acl_entry_desc_t desc;
05767 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
05768         u_long dflags;
05769 #endif
05770 
05771         if (!rsbac_is_initialized()) {
05772                 rsbac_printk(KERN_WARNING "rsbac_acl_add_to_acl_entry(): RSBAC not initialized\n");
05773                 return (-RSBAC_ENOTINITIALIZED);
05774         }
05775         if (subj_type >= ACLS_NONE)
05776                 return (-RSBAC_EINVALIDVALUE);
05777 #ifdef CONFIG_RSBAC_DEBUG
05778         if (in_interrupt()) {
05779                 rsbac_printk(KERN_WARNING "rsbac_acl_add_to_acl_entry(): called from interrupt!\n");
05780         }
05781 #endif
05782         desc.subj_type = subj_type;
05783         desc.subj_id = subj_id;
05784 
05785         switch (target) {
05786         case T_FILE:
05787         case T_DIR:
05788         case T_FIFO:
05789         case T_SYMLINK:
05790         case T_UNIXSOCK:
05791                 /* default entry? */
05792                 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode
05793                     && !tid.file.dentry_p) {
05794                         if (!rsbac_ta_list_get_data_ttl
05795                             (ta_number, default_fd_handle, NULL, &desc,
05796                              &old_rights))
05797                                 rights |= old_rights;
05798                         return rsbac_ta_list_add_ttl(ta_number,
05799                                                      default_fd_handle,
05800                                                      ttl, &desc, &rights);
05801                 }
05802 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05803                 rcu_read_lock();
05804 #else
05805                 rsbac_read_lock(&device_list_lock, &dflags);
05806 #endif
05807                 /* lookup device */
05808                 device_p = acl_lookup_device(tid.file.device);
05809                 if (!device_p) {
05810                         /* trigger rsbac_mount() */
05811 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05812                         rcu_read_unlock();
05813 #else
05814                         rsbac_read_unlock(&device_list_lock, &dflags);
05815 #endif
05816                         rsbac_get_super_block(tid.file.device);
05817                         /* retry */
05818 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05819                         rcu_read_lock();
05820 #else
05821                         rsbac_read_lock(&device_list_lock, &dflags);
05822 #endif
05823                         device_p = acl_lookup_device(tid.file.device);
05824                         if (!device_p) {
05825                                 rsbac_printk(KERN_WARNING "rsbac_acl_set_acl_entry(): Could not lookup device!\n");
05826                                 /* free read lock */
05827 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05828                                 rcu_read_unlock();
05829 #else
05830                                 rsbac_read_unlock(&device_list_lock, &dflags);
05831 #endif
05832                                 return (-RSBAC_EINVALIDDEV);
05833                         }
05834                 }
05835                 /* protect this list */
05836                 if (!rsbac_ta_list_lol_exist(ta_number, device_p->handle, &tid.file.inode)) {   /* new acl */
05837                         rsbac_acl_rights_vector_t mask =
05838                             RSBAC_ACL_DEFAULT_FD_MASK;
05839 
05840                         err =
05841                             rsbac_ta_list_lol_add_ttl(ta_number,
05842                                                       device_p->handle, 0,
05843                                                       &tid.file.inode,
05844                                                       &mask);
05845                         if (err) {
05846 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05847                                 rcu_read_unlock();
05848 #else
05849                                 rsbac_read_unlock(&device_list_lock, &dflags);
05850 #endif
05851                                 return err;
05852                         }
05853                 } else {        /* old entry? */
05854                         if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
05855                                                                device_p->handle,
05856                                                                NULL,
05857                                                                &tid.file.
05858                                                                inode,
05859                                                                &desc,
05860                                                                &old_rights))
05861                                 rights |= old_rights;
05862                 }
05863                 err = rsbac_ta_list_lol_subadd_ttl(ta_number,
05864                                                    device_p->handle, ttl,
05865                                                    &tid.file.inode, &desc,
05866                                                    &rights);
05867 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05868                 rcu_read_unlock();
05869 #else
05870                 rsbac_read_unlock(&device_list_lock, &dflags);
05871 #endif
05872                 return err;
05873 
05874         case T_DEV:
05875                 /* default entry? */
05876                 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev)) {
05877                         if (!rsbac_ta_list_get_data_ttl
05878                             (ta_number, default_dev_handle, NULL, &desc,
05879                              &old_rights))
05880                                 rights |= old_rights;
05881                         return rsbac_ta_list_add_ttl(ta_number,
05882                                                      default_dev_handle,
05883                                                      ttl, &desc, &rights);
05884                 }
05885                 switch (tid.dev.type) {
05886                 case D_char:
05887                 case D_block:
05888                         if (!rsbac_ta_list_lol_exist(ta_number, dev_handle, &tid.dev)) {        /* new acl */
05889                                 rsbac_acl_rights_vector_t mask =
05890                                     RSBAC_ACL_DEFAULT_DEV_MASK;
05891 
05892                                 err =
05893                                     rsbac_ta_list_lol_add_ttl(ta_number,
05894                                                               dev_handle,
05895                                                               0, &tid.dev,
05896                                                               &mask);
05897                                 if (err)
05898                                         return err;
05899                         } else {        /* old entry? */
05900                                 if (!rsbac_ta_list_lol_get_subdata_ttl
05901                                     (ta_number, dev_handle, NULL, &tid.dev,
05902                                      &desc, &old_rights))
05903                                         rights |= old_rights;
05904                         }
05905                         return rsbac_ta_list_lol_subadd_ttl(ta_number,
05906                                                             dev_handle,
05907                                                             ttl, &tid.dev,
05908                                                             &desc,
05909                                                             &rights);
05910 
05911                 case D_char_major:
05912                 case D_block_major:
05913                         tid.dev.type -= (D_block_major - D_block);
05914                         if (!rsbac_ta_list_lol_exist(ta_number, dev_major_handle, &tid.dev)) {  /* new acl */
05915                                 rsbac_acl_rights_vector_t mask =
05916                                     RSBAC_ACL_DEFAULT_DEV_MASK;
05917 
05918                                 err =
05919                                     rsbac_ta_list_lol_add_ttl(ta_number,
05920                                                               dev_major_handle,
05921                                                               0, &tid.dev,
05922                                                               &mask);
05923                                 if (err)
05924                                         return err;
05925                         } else {        /* old entry? */
05926                                 if (!rsbac_ta_list_lol_get_subdata_ttl
05927                                     (ta_number, dev_major_handle, NULL,
05928                                      &tid.dev, &desc, &old_rights))
05929                                         rights |= old_rights;
05930                         }
05931                         return rsbac_ta_list_lol_subadd_ttl(ta_number,
05932                                                             dev_major_handle,
05933                                                             ttl, &tid.dev,
05934                                                             &desc,
05935                                                             &rights);
05936 
05937                 default:
05938                         return -RSBAC_EINVALIDTARGET;
05939                 }
05940 
05941         case T_IPC:
05942                 /* default entry? */
05943                 if (tid.ipc.type == I_none) {
05944                         if (!rsbac_ta_list_get_data_ttl
05945                             (ta_number, default_ipc_handle, NULL, &desc,
05946                              &old_rights))
05947                                 rights |= old_rights;
05948                         return rsbac_ta_list_add_ttl(ta_number,
05949                                                      default_ipc_handle,
05950                                                      ttl, &desc, &rights);
05951                 } else
05952                         return -RSBAC_EINVALIDTARGET;
05953 
05954         case T_SCD:
05955                 /* default entry? */
05956                 if (tid.scd == AST_none) {
05957                         if (!rsbac_ta_list_get_data_ttl
05958                             (ta_number, default_scd_handle, NULL, &desc,
05959                              &old_rights))
05960                                 rights |= old_rights;
05961                         return rsbac_ta_list_add_ttl(ta_number,
05962                                                      default_scd_handle,
05963                                                      ttl, &desc, &rights);
05964                 }
05965                 if (!rsbac_ta_list_lol_exist(ta_number, scd_handle, &tid.scd)) {        /* new acl */
05966                         rsbac_acl_rights_vector_t mask =
05967                             RSBAC_ACL_DEFAULT_SCD_MASK;
05968 
05969                         err =
05970                             rsbac_ta_list_lol_add_ttl(ta_number,
05971                                                       scd_handle, 0,
05972                                                       &tid.scd, &mask);
05973                         if (err)
05974                                 return err;
05975                 } else {        /* old entry? */
05976                         if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
05977                                                                scd_handle,
05978                                                                NULL,
05979                                                                &tid.scd,
05980                                                                &desc,
05981                                                                &old_rights))
05982                                 rights |= old_rights;
05983                 }
05984                 return rsbac_ta_list_lol_subadd_ttl(ta_number,
05985                                                     scd_handle,
05986                                                     ttl,
05987                                                     &tid.scd,
05988                                                     &desc, &rights);
05989 
05990         case T_USER:
05991                 /* default entry? */
05992                 if (tid.user == RSBAC_NO_USER) {
05993                         if (!rsbac_ta_list_get_data_ttl
05994                             (ta_number, default_u_handle, NULL, &desc,
05995                              &old_rights))
05996                                 rights |= old_rights;
05997                         return rsbac_ta_list_add_ttl(ta_number,
05998                                                      default_u_handle, ttl,
05999                                                      &desc, &rights);
06000                 }
06001                 if (!rsbac_ta_list_lol_exist(ta_number, u_handle, &tid.user)) { /* new acl */
06002                         rsbac_acl_rights_vector_t mask =
06003                             RSBAC_ACL_DEFAULT_U_MASK;
06004 
06005                         err =
06006                             rsbac_ta_list_lol_add_ttl(ta_number, u_handle,
06007                                                       0, &tid.user, &mask);
06008                         if (err)
06009                                 return err;
06010                 } else {        /* old subentry? */
06011                         if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06012                                                                u_handle,
06013                                                                NULL,
06014                                                                &tid.user,
06015                                                                &desc,
06016                                                                &old_rights))
06017                                 rights |= old_rights;
06018                 }
06019                 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06020                                                     u_handle,
06021                                                     ttl,
06022                                                     &tid.user,
06023                                                     &desc, &rights);
06024 
06025         case T_PROCESS:
06026                 /* default entry? */
06027                 if (!tid.process) {
06028                         if (!rsbac_ta_list_get_data_ttl
06029                             (ta_number, default_p_handle, NULL, &desc,
06030                              &old_rights))
06031                                 rights |= old_rights;
06032                         return rsbac_ta_list_add_ttl(ta_number,
06033                                                      default_p_handle, ttl,
06034                                                      &desc, &rights);
06035                 } else
06036                         return -RSBAC_EINVALIDTARGET;
06037 
06038 #ifdef CONFIG_RSBAC_ACL_UM_PROT
06039         case T_GROUP:
06040                 /* default entry? */
06041                 if (tid.group == RSBAC_NO_GROUP) {
06042                         if (!rsbac_ta_list_get_data_ttl
06043                             (ta_number, default_g_handle, NULL, &desc,
06044                              &old_rights))
06045                                 rights |= old_rights;
06046                         return rsbac_ta_list_add_ttl(ta_number,
06047                                                      default_g_handle, ttl,
06048                                                      &desc, &rights);
06049                 }
06050                 if (!rsbac_ta_list_lol_exist(ta_number, g_handle, &tid.group)) {        /* new acl */
06051                         rsbac_acl_rights_vector_t mask =
06052                             RSBAC_ACL_DEFAULT_G_MASK;
06053 
06054                         err =
06055                             rsbac_ta_list_lol_add_ttl(ta_number, g_handle,
06056                                                       0, &tid.group,
06057                                                       &mask);
06058                         if (err)
06059                                 return err;
06060                 } else {        /* old subentry? */
06061                         if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06062                                                                g_handle,
06063                                                                NULL,
06064                                                                &tid.group,
06065                                                                &desc,
06066                                                                &old_rights))
06067                                 rights |= old_rights;
06068                 }
06069                 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06070                                                     g_handle,
06071                                                     ttl,
06072                                                     &tid.group,
06073                                                     &desc, &rights);
06074 #endif
06075 
06076 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
06077         case T_NETDEV:
06078                 /* default entry? */
06079                 if (!tid.netdev[0]) {
06080                         if (!rsbac_ta_list_get_data_ttl
06081                             (ta_number, default_netdev_handle, NULL, &desc,
06082                              &old_rights))
06083                                 rights |= old_rights;
06084                         return rsbac_ta_list_add_ttl(ta_number,
06085                                                      default_netdev_handle,
06086                                                      ttl, &desc, &rights);
06087                 }
06088                 if (!rsbac_ta_list_lol_exist(ta_number, netdev_handle, &tid.netdev)) {  /* new acl */
06089                         rsbac_acl_rights_vector_t mask =
06090                             RSBAC_ACL_DEFAULT_NETDEV_MASK;
06091 
06092                         err =
06093                             rsbac_ta_list_lol_add_ttl(ta_number,
06094                                                       netdev_handle, 0,
06095                                                       &tid.netdev, &mask);
06096                         if (err)
06097                                 return err;
06098                 } else {        /* old entry? */
06099                         if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06100                                                                netdev_handle,
06101                                                                NULL,
06102                                                                &tid.netdev,
06103                                                                &desc,
06104                                                                &old_rights))
06105                                 rights |= old_rights;
06106                 }
06107                 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06108                                                     netdev_handle,
06109                                                     ttl,
06110                                                     &tid.netdev,
06111                                                     &desc, &rights);
06112 #endif
06113 
06114 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
06115         case T_NETTEMP_NT:
06116                 /* default entry? */
06117                 if (!tid.nettemp) {
06118                         if (!rsbac_ta_list_get_data_ttl
06119                             (ta_number, default_nettemp_nt_handle, NULL,
06120                              &desc, &old_rights))
06121                                 rights |= old_rights;
06122                         return rsbac_ta_list_add_ttl(ta_number,
06123                                                      default_nettemp_nt_handle,
06124                                                      ttl, &desc, &rights);
06125                 }
06126                 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
06127                         return -RSBAC_EINVALIDTARGET;
06128                 if (!rsbac_ta_list_lol_exist(ta_number, nettemp_nt_handle, &tid.nettemp)) {     /* new acl */
06129                         rsbac_acl_rights_vector_t mask =
06130                             RSBAC_ACL_DEFAULT_NETTEMP_MASK;
06131 
06132                         err =
06133                             rsbac_ta_list_lol_add_ttl(ta_number,
06134                                                       nettemp_nt_handle, 0,
06135                                                       &tid.nettemp, &mask);
06136                         if (err)
06137                                 return err;
06138                 } else {        /* old entry? */
06139                         if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06140                                                                nettemp_nt_handle,
06141                                                                NULL,
06142                                                                &tid.
06143                                                                nettemp,
06144                                                                &desc,
06145                                                                &old_rights))
06146                                 rights |= old_rights;
06147                 }
06148                 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06149                                                     nettemp_nt_handle,
06150                                                     ttl,
06151                                                     &tid.nettemp,
06152                                                     &desc, &rights);
06153         case T_NETTEMP:
06154                 /* default entry? */
06155                 if (!tid.nettemp) {
06156                         return -RSBAC_EINVALIDTARGET;
06157                 }
06158                 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
06159                         return -RSBAC_EINVALIDTARGET;
06160                 if (!rsbac_ta_list_lol_exist(ta_number, nettemp_handle, &tid.nettemp)) {        /* new acl */
06161                         rsbac_acl_rights_vector_t mask =
06162                             RSBAC_ACL_DEFAULT_NETOBJ_MASK;
06163 
06164                         err =
06165                             rsbac_ta_list_lol_add_ttl(ta_number,
06166                                                       nettemp_handle, 0,
06167                                                       &tid.nettemp, &mask);
06168                         if (err)
06169                                 return err;
06170                 } else {        /* old entry? */
06171                         if (!rsbac_ta_list_lol_get_subdata_ttl
06172                             (ta_number, nettemp_handle, NULL, &tid.nettemp,
06173                              &desc, &old_rights))
06174                                 rights |= old_rights;
06175                 }
06176                 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06177                                                     nettemp_handle, ttl,
06178                                                     &tid.nettemp, &desc,
06179                                                     &rights);
06180         case T_NETOBJ:
06181                 /* default entry? */
06182                 if (!tid.netobj.sock_p) {
06183                         if (!rsbac_ta_list_get_data_ttl
06184                             (ta_number, default_netobj_handle, NULL, &desc,
06185                              &old_rights))
06186                                 rights |= old_rights;
06187                         return rsbac_ta_list_add_ttl(ta_number,
06188                                                      default_netobj_handle,
06189                                                      ttl, &desc, &rights);
06190                 }
06191                 if (!rsbac_ta_list_lol_exist(ta_number, netobj_handle, &tid.netobj.sock_p)) {   /* new acl */
06192                         rsbac_acl_rights_vector_t mask =
06193                             RSBAC_ACL_DEFAULT_NETOBJ_MASK;
06194 
06195                         err =
06196                             rsbac_ta_list_lol_add_ttl(ta_number,
06197                                                       netobj_handle, 0,
06198                                                       &tid.netobj.sock_p,
06199                                                       &mask);
06200                         if (err)
06201                                 return err;
06202                 } else {        /* old entry? */
06203                         if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06204                                                                netobj_handle,
06205                                                                NULL,
06206                                                                &tid.netobj.
06207                                                                sock_p,
06208                                                                &desc,
06209                                                                &old_rights))
06210                                 rights |= old_rights;
06211                 }
06212                 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06213                                                     netobj_handle,
06214                                                     ttl,
06215                                                     &tid.netobj.sock_p,
06216                                                     &desc, &rights);
06217 #endif                          /* NET_OBJ_PROT */
06218 
06219         default:
06220                 return -RSBAC_EINVALIDTARGET;
06221         }
06222 }
06223 
06224 /* rsbac_acl_remove_from_acl_entry
06225  * Remove given rights from ACL entry for given target and subject. If entry does
06226  * not exist, nothing happens.
06227  * This function does NOT remove the ACL entry, so removing all rights results in
06228  * NO rights for this subject/target combination!
06229  */
06230 
06231 int rsbac_acl_remove_from_acl_entry(rsbac_list_ta_number_t ta_number,
06232                                     enum rsbac_target_t target,
06233                                     union rsbac_target_id_t tid,
06234                                     enum rsbac_acl_subject_type_t
06235                                     subj_type,
06236                                     rsbac_acl_subject_id_t subj_id,
06237                                     rsbac_acl_rights_vector_t rights)
06238 {
06239         int err = 0;
06240         struct rsbac_acl_device_list_item_t *device_p;
06241         rsbac_acl_rights_vector_t old_rights;
06242         struct rsbac_acl_entry_desc_t desc;
06243         rsbac_time_t ttl;
06244 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
06245         u_long dflags;
06246 #endif
06247 
06248         if (!rsbac_is_initialized()) {
06249                 rsbac_printk(KERN_WARNING "rsbac_acl_remove_from_acl_entry(): RSBAC not initialized\n");
06250                 return (-RSBAC_ENOTINITIALIZED);
06251         }
06252         if (subj_type >= ACLS_NONE)
06253                 return (-RSBAC_EINVALIDVALUE);
06254 #ifdef CONFIG_RSBAC_DEBUG
06255         if (in_interrupt()) {
06256                 rsbac_printk(KERN_WARNING "rsbac_acl_remove_from_acl_entry(): called from interrupt!\n");
06257         }
06258 #endif
06259         desc.subj_type = subj_type;
06260         desc.subj_id = subj_id;
06261 
06262         switch (target) {
06263         case T_FILE:
06264         case T_DIR:
06265         case T_FIFO:
06266         case T_SYMLINK:
06267         case T_UNIXSOCK:
06268                 /* default entry? */
06269                 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode
06270                     && !tid.file.dentry_p) {
06271                         if (!rsbac_ta_list_get_data_ttl
06272                             (ta_number, default_fd_handle, &ttl, &desc,
06273                              &old_rights)) {
06274                                 old_rights &= ~rights;
06275                                 return rsbac_ta_list_add_ttl(ta_number,
06276                                                              default_fd_handle,
06277                                                              ttl, &desc,
06278                                                              &old_rights);
06279                         } else
06280                                 return 0;
06281                 }
06282 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06283                 rcu_read_lock();
06284 #else
06285                 rsbac_read_lock(&device_list_lock, &dflags);
06286 #endif
06287                 /* lookup device */
06288                 device_p = acl_lookup_device(tid.file.device);
06289                 if (!device_p) {
06290                         /* trigger rsbac_mount() */
06291 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06292                         rcu_read_unlock();
06293 #else
06294                         rsbac_read_unlock(&device_list_lock, &dflags);
06295 #endif
06296                         rsbac_get_super_block(tid.file.device);
06297                         /* retry */
06298 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06299                         rcu_read_lock();
06300 #else
06301                         rsbac_read_lock(&device_list_lock, &dflags);
06302 #endif
06303                         device_p = acl_lookup_device(tid.file.device);
06304                         if (!device_p) {
06305                                 rsbac_printk(KERN_WARNING "rsbac_acl_remove_from_acl_entry(): Could not lookup device!\n");
06306 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06307                                 rcu_read_unlock();
06308 #else
06309                                 rsbac_read_unlock(&device_list_lock, &dflags);
06310 #endif
06311                                 return (-RSBAC_EINVALIDDEV);
06312                         }
06313                 }
06314                 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06315                                                        device_p->handle,
06316                                                        &ttl,
06317                                                        &tid.file.inode,
06318                                                        &desc,
06319                                                        &old_rights)) {
06320                         old_rights &= ~rights;
06321                         err = rsbac_ta_list_lol_subadd_ttl(ta_number,
06322                                                            device_p->handle,
06323                                                            ttl,
06324                                                            &tid.file.inode,
06325                                                            &desc,
06326                                                            &old_rights);
06327                 } else
06328                         err = 0;
06329 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06330                 rcu_read_unlock();
06331 #else
06332                 rsbac_read_unlock(&device_list_lock, &dflags);
06333 #endif
06334                 return err;
06335 
06336         case T_DEV:
06337                 /* default entry? */
06338                 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev)) {
06339                         if (!rsbac_ta_list_get_data_ttl
06340                             (ta_number, default_dev_handle, &ttl, &desc,
06341                              &old_rights)) {
06342                                 old_rights &= ~rights;
06343                                 return rsbac_ta_list_add_ttl(ta_number,
06344                                                              default_dev_handle,
06345                                                              ttl, &desc,
06346                                                              &old_rights);
06347                         } else
06348                                 return 0;
06349                 }
06350                 switch (tid.dev.type) {
06351                 case D_char:
06352                 case D_block:
06353                         if (!rsbac_ta_list_lol_get_subdata_ttl
06354                             (ta_number, dev_handle, &ttl, &tid.dev, &desc,
06355                              &old_rights)) {
06356                                 old_rights &= ~rights;
06357                                 return
06358                                     rsbac_ta_list_lol_subadd_ttl(ta_number,
06359                                                                  dev_handle,
06360                                                                  ttl,
06361                                                                  &tid.dev,
06362                                                                  &desc,
06363                                                                  &old_rights);
06364                         } else
06365                                 return 0;
06366 
06367                 case D_char_major:
06368                 case D_block_major:
06369                         tid.dev.type -= (D_block_major - D_block);
06370                         if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06371                                                                dev_major_handle,
06372                                                                &ttl,
06373                                                                &tid.dev,
06374                                                                &desc,
06375                                                                &old_rights))
06376                         {
06377                                 old_rights &= ~rights;
06378                                 return
06379                                     rsbac_ta_list_lol_subadd_ttl(ta_number,
06380                                                                  dev_major_handle,
06381                                                                  ttl,
06382                                                                  &tid.dev,
06383                                                                  &desc,
06384                                                                  &old_rights);
06385                         } else
06386                                 return 0;
06387 
06388                 default:
06389                         return -RSBAC_EINVALIDTARGET;
06390                 }
06391 
06392         case T_IPC:
06393                 /* default entry? */
06394                 if (tid.ipc.type == I_none) {
06395                         if (!rsbac_ta_list_get_data_ttl
06396                             (ta_number, default_ipc_handle, &ttl, &desc,
06397                              &old_rights)) {
06398                                 old_rights &= ~rights;
06399                                 return rsbac_ta_list_add_ttl(ta_number,
06400                                                              default_ipc_handle,
06401                                                              ttl, &desc,
06402                                                              &old_rights);
06403                         } else
06404                                 return 0;
06405                 } else
06406                         return -RSBAC_EINVALIDTARGET;
06407 
06408         case T_SCD:
06409                 /* default entry? */
06410                 if (tid.scd == AST_none) {
06411                         if (!rsbac_ta_list_get_data_ttl
06412                             (ta_number, default_scd_handle, &ttl, &desc,
06413                              &old_rights)) {
06414                                 old_rights &= ~rights;
06415                                 return rsbac_ta_list_add_ttl(ta_number,
06416                                                              default_scd_handle,
06417                                                              ttl, &desc,
06418                                                              &old_rights);
06419                         } else
06420                                 return 0;
06421                 }
06422                 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06423                                                        scd_handle,
06424                                                        &ttl,
06425                                                        &tid.scd,
06426                                                        &desc,
06427                                                        &old_rights)) {
06428                         old_rights &= ~rights;
06429                         return rsbac_ta_list_lol_subadd_ttl(ta_number,
06430                                                             scd_handle,
06431                                                             ttl,
06432                                                             &tid.scd,
06433                                                             &desc,
06434                                                             &old_rights);
06435                 } else
06436                         return 0;
06437 
06438         case T_USER:
06439                 /* default entry? */
06440                 if (tid.user == RSBAC_NO_USER) {
06441                         if (!rsbac_ta_list_get_data_ttl
06442                             (ta_number, default_u_handle, &ttl, &desc,
06443                              &old_rights)) {
06444                                 old_rights &= ~rights;
06445                                 return rsbac_ta_list_add_ttl(ta_number,
06446                                                              default_u_handle,
06447                                                              ttl, &desc,
06448                                                              &old_rights);
06449                         } else
06450                                 return 0;
06451                 }
06452                 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06453                                                        u_handle,
06454                                                        &ttl,
06455                                                        &tid.user,
06456                                                        &desc,
06457                                                        &old_rights)) {
06458                         old_rights &= ~rights;
06459                         return rsbac_ta_list_lol_subadd_ttl(ta_number,
06460                                                             u_handle,
06461                                                             ttl,
06462                                                             &tid.user,
06463                                                             &desc,
06464                                                             &old_rights);
06465                 } else
06466                         return 0;
06467 
06468         case T_PROCESS:
06469                 /* default entry? */
06470                 if (!tid.process) {
06471                         if (!rsbac_ta_list_get_data_ttl
06472                             (ta_number, default_p_handle, &ttl, &desc,
06473                              &old_rights)) {
06474                                 old_rights &= ~rights;
06475                                 return rsbac_ta_list_add_ttl(ta_number,
06476                                                              default_p_handle,
06477                                                              ttl, &desc,
06478                                                              &old_rights);
06479                         } else
06480                                 return 0;
06481                 } else
06482                         return -RSBAC_EINVALIDTARGET;
06483 
06484 #ifdef CONFIG_RSBAC_ACL_UM_PROT
06485         case T_GROUP:
06486                 /* default entry? */
06487                 if (tid.group == RSBAC_NO_GROUP) {
06488                         if (!rsbac_ta_list_get_data_ttl
06489                             (ta_number, default_g_handle, &ttl, &desc,
06490                              &old_rights)) {
06491                                 old_rights &= ~rights;
06492                                 return rsbac_ta_list_add_ttl(ta_number,
06493                                                              default_g_handle,
06494                                                              ttl, &desc,
06495                                                              &old_rights);
06496                         } else
06497                                 return 0;
06498                 }
06499                 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06500                                                        g_handle,
06501                                                        &ttl,
06502                                                        &tid.group,
06503                                                        &desc,
06504                                                        &old_rights)) {
06505                         old_rights &= ~rights;
06506                         return rsbac_ta_list_lol_subadd_ttl(ta_number,
06507                                                             g_handle,
06508                                                             ttl,
06509                                                             &tid.group,
06510                                                             &desc,
06511                                                             &old_rights);
06512                 } else
06513                         return 0;
06514 #endif
06515 
06516 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
06517         case T_NETDEV:
06518                 /* default entry? */
06519                 if (!tid.netdev[0]) {
06520                         if (!rsbac_ta_list_get_data_ttl
06521                             (ta_number, default_netdev_handle, &ttl, &desc,
06522                              &old_rights)) {
06523                                 old_rights &= ~rights;
06524                                 return rsbac_ta_list_add_ttl(ta_number,
06525                                                              default_netdev_handle,
06526                                                              ttl, &desc,
06527                                                              &old_rights);
06528                         } else
06529                                 return 0;
06530                 }
06531                 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06532                                                        netdev_handle,
06533                                                        &ttl,
06534                                                        &tid.netdev,
06535                                                        &desc,
06536                                                        &old_rights)) {
06537                         old_rights &= ~rights;
06538                         return rsbac_ta_list_lol_subadd_ttl(ta_number,
06539                                                             netdev_handle,
06540                                                             ttl,
06541                                                             &tid.netdev,
06542                                                             &desc,
06543                                                             &old_rights);
06544                 } else
06545                         return 0;
06546 #endif
06547 
06548 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
06549         case T_NETTEMP_NT:
06550                 /* default entry? */
06551                 if (!tid.nettemp) {
06552                         if (!rsbac_ta_list_get_data_ttl
06553                             (ta_number, default_nettemp_nt_handle, &ttl,
06554                              &desc, &old_rights)) {
06555                                 old_rights &= ~rights;
06556                                 return rsbac_ta_list_add_ttl(ta_number,
06557                                                              default_nettemp_nt_handle,
06558                                                              ttl, &desc,
06559                                                              &old_rights);
06560                         } else
06561                                 return 0;
06562                 }
06563                 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
06564                         return -RSBAC_EINVALIDTARGET;
06565                 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06566                                                        nettemp_nt_handle,
06567                                                        &ttl,
06568                                                        &tid.nettemp,
06569                                                        &desc,
06570                                                        &old_rights)) {
06571                         old_rights &= ~rights;
06572                         return rsbac_ta_list_lol_subadd_ttl(ta_number,
06573                                                             nettemp_nt_handle,
06574                                                             ttl,
06575                                                             &tid.nettemp,
06576                                                             &desc,
06577                                                             &old_rights);
06578                 } else
06579                         return 0;
06580         case T_NETTEMP:
06581                 /* default entry? */
06582                 if (!tid.nettemp) {
06583                         return -RSBAC_EINVALIDTARGET;
06584                 }
06585                 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
06586                         return -RSBAC_EINVALIDTARGET;
06587                 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06588                                                        nettemp_handle,
06589                                                        &ttl,
06590                                                        &tid.nettemp,
06591                                                        &desc,
06592                                                        &old_rights)) {
06593                         old_rights &= ~rights;
06594                         return rsbac_ta_list_lol_subadd_ttl(ta_number,
06595                                                             nettemp_handle,
06596                                                             ttl,
06597                                                             &tid.nettemp,
06598                                                             &desc,
06599                                                             &old_rights);
06600                 } else
06601                         return 0;
06602         case T_NETOBJ:
06603                 /* default entry? */
06604                 if (!tid.netobj.sock_p) {
06605                         if (!rsbac_ta_list_get_data_ttl
06606                             (ta_number, default_netobj_handle, &ttl, &desc,
06607                              &old_rights)) {
06608                                 old_rights &= ~rights;
06609                                 return rsbac_ta_list_add_ttl(ta_number,
06610                                                              default_netobj_handle,
06611                                                              ttl, &desc,
06612                                                              &old_rights);
06613                         } else
06614                                 return 0;
06615                 }
06616                 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06617                                                        netobj_handle,
06618                                                        &ttl,
06619                                                        &tid.netobj.sock_p,
06620                                                        &desc,
06621                                                        &old_rights)) {
06622                         old_rights &= ~rights;
06623                         return rsbac_ta_list_lol_subadd_ttl(ta_number,
06624                                                             netobj_handle,
06625                                                             ttl,
06626                                                             &tid.netobj.
06627                                                             sock_p, &desc,
06628                                                             &old_rights);
06629                 } else
06630                         return 0;
06631 #endif                          /* NET_OBJ_PROT */
06632 
06633         default:
06634                 return -RSBAC_EINVALIDTARGET;
06635         }
06636 }
06637 
06638 /* rsbac_acl_set_mask
06639  * Set inheritance mask for given target to given rights. If item does
06640  * not exist, it is created.
06641  */
06642 
06643 int rsbac_acl_set_mask(rsbac_list_ta_number_t ta_number,
06644                        enum rsbac_target_t target,
06645                        union rsbac_target_id_t tid,
06646                        rsbac_acl_rights_vector_t mask)
06647 {
06648         int err = 0;
06649         char tmp[80];
06650         struct rsbac_acl_device_list_item_t *device_p;
06651 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
06652         u_long dflags;
06653 #endif
06654 
06655         if (!rsbac_is_initialized()) {
06656                 rsbac_printk(KERN_WARNING "rsbac_acl_set_mask(): RSBAC not initialized\n");
06657                 return (-RSBAC_ENOTINITIALIZED);
06658         }
06659         if (target >= T_NONE)
06660                 return (-RSBAC_EINVALIDTARGET);
06661 #ifdef CONFIG_RSBAC_DEBUG
06662         if (in_interrupt()) {
06663                 rsbac_printk(KERN_WARNING "rsbac_acl_set_mask(): called from interrupt!\n");
06664         }
06665 #endif
06666         switch (target) {
06667         case T_FILE:
06668         case T_DIR:
06669         case T_FIFO:
06670         case T_SYMLINK:
06671         case T_UNIXSOCK:
06672                 /* default entry? */
06673                 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev)) {
06674                         return -RSBAC_EINVALIDTARGET;
06675                 }
06676                 rsbac_pr_debug(ds_acl, "Setting file/dir/fifo/symlink inheritance mask for device %02u:%02u, inode %u\n",
06677                                RSBAC_MAJOR(tid.file.device),
06678                                RSBAC_MINOR(tid.file.device), tid.file.inode);
06679 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06680                 rcu_read_lock();
06681 #else
06682                 rsbac_read_lock(&device_list_lock, &dflags);
06683 #endif
06684                 device_p = acl_lookup_device(tid.file.device);
06685                 if (!device_p) {
06686                         /* trigger rsbac_mount() */
06687 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06688                         rcu_read_unlock();
06689 #else
06690                         rsbac_read_unlock(&device_list_lock, &dflags);
06691 #endif
06692                         rsbac_get_super_block(tid.file.device);
06693                         /* retry */
06694 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06695                         rcu_read_lock();
06696 #else
06697                         rsbac_read_lock(&device_list_lock, &dflags);
06698 #endif
06699                         device_p = acl_lookup_device(tid.file.device);
06700                         if (!device_p) {
06701                                 rsbac_printk(KERN_WARNING "rsbac_acl_set_mask(): Could not lookup device!\n");
06702                                 /* free read lock */
06703 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06704                                 rcu_read_unlock();
06705 #else
06706                                 rsbac_read_unlock(&device_list_lock, &dflags);
06707 #endif
06708                                 return (-RSBAC_EINVALIDDEV);
06709                         }
06710                 }
06711                 err = rsbac_ta_list_lol_add_ttl(ta_number,
06712                                               device_p->handle,
06713                                               0, &tid.file.inode, &mask);
06714 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06715                 rcu_read_unlock();
06716 #else
06717                 rsbac_read_unlock(&device_list_lock, &dflags);
06718 #endif
06719                 return err;
06720 
06721         case T_DEV:
06722                 /* default entry? */
06723                 if (tid.dev.type == D_none) {
06724                         return -RSBAC_EINVALIDTARGET;
06725                 }
06726                 rsbac_pr_debug(ds_acl, "Setting device inheritance mask for dev %c %02u:%02u\n",
06727                                'B' + tid.dev.type,
06728                                tid.dev.major, tid.dev.minor);
06729                 switch (tid.dev.type) {
06730                 case D_char:
06731                 case D_block:
06732                         return rsbac_ta_list_lol_add_ttl(ta_number,
06733                                                          dev_handle, 0,
06734                                                          &tid.dev, &mask);
06735 
06736                 case D_char_major:
06737                 case D_block_major:
06738                         tid.dev.type -= (D_block_major - D_block);
06739                         return rsbac_ta_list_lol_add_ttl(ta_number,
06740                                                          dev_major_handle,
06741                                                          0, &tid.dev,
06742                                                          &mask);
06743 
06744                 default:
06745                         return -RSBAC_EINVALIDTARGET;
06746                 }
06747 
06748         case T_SCD:
06749                 /* default entry? */
06750                 if (tid.scd == AST_none) {
06751                         return -RSBAC_EINVALIDTARGET;
06752                 }
06753                 rsbac_pr_debug(ds_acl, "Setting SCD inheritance mask for %s\n",
06754                                get_acl_scd_type_name(tmp, tid.scd));
06755                 return rsbac_ta_list_lol_add_ttl(ta_number, scd_handle, 0,
06756                                                  &tid.scd, &mask);
06757 
06758         case T_USER:
06759                 /* default entry? */
06760                 if (tid.user == RSBAC_NO_USER) {
06761                         return -RSBAC_EINVALIDTARGET;
06762                 }
06763                 rsbac_pr_debug(ds_acl, "Setting user inheritance mask for user %u\n",
06764                                tid.user);
06765                 return rsbac_ta_list_lol_add_ttl(ta_number, u_handle, 0,
06766                                                  &tid.user, &mask);
06767 
06768 #ifdef CONFIG_RSBAC_ACL_UM_PROT
06769         case T_GROUP:
06770                 /* default entry? */
06771                 if (tid.group == RSBAC_NO_GROUP) {
06772                         return -RSBAC_EINVALIDTARGET;
06773                 }
06774                 rsbac_pr_debug(ds_acl, "Setting Linux group inheritance mask for group %u\n",
06775                                tid.group);
06776                 return rsbac_ta_list_lol_add_ttl(ta_number, g_handle, 0,
06777                                                  &tid.group, &mask);
06778 #endif
06779 
06780 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
06781         case T_NETDEV:
06782                 /* default entry? */
06783                 if (!tid.netdev[0]) {
06784                         return -RSBAC_EINVALIDTARGET;
06785                 }
06786                 rsbac_pr_debug(ds_acl, "Setting network device inheritance mask for netdev %s\n",
06787                                tid.netdev);
06788                 return rsbac_ta_list_lol_add_ttl(ta_number, netdev_handle,
06789                                                  0, &tid.netdev, &mask);
06790 #endif
06791 
06792 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
06793         case T_NETTEMP_NT:
06794                 /* default entry? */
06795                 if (!tid.nettemp) {
06796                         return -RSBAC_EINVALIDTARGET;
06797                 }
06798                 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
06799                         return -RSBAC_EINVALIDTARGET;
06800                 rsbac_pr_debug(ds_acl, "Setting network template NT inheritance mask for nettemp %u\n",
06801                                tid.nettemp);
06802                 return rsbac_ta_list_lol_add_ttl(ta_number,
06803                                                  nettemp_nt_handle, 0,
06804                                                  &tid.nettemp, &mask);
06805 
06806         case T_NETTEMP:
06807                 /* default entry? */
06808                 if (!tid.nettemp) {
06809                         return -RSBAC_EINVALIDTARGET;
06810                 }
06811                 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
06812                         return -RSBAC_EINVALIDTARGET;
06813                 rsbac_pr_debug(ds_acl, "Setting network template inheritance mask for nettemp %u\n",
06814                                tid.nettemp);
06815                 return rsbac_ta_list_lol_add_ttl(ta_number, nettemp_handle,
06816                                                  0, &tid.nettemp, &mask);
06817 
06818         case T_NETOBJ:
06819                 /* default entry? */
06820                 if (!tid.netobj.sock_p) {
06821                         return -RSBAC_EINVALIDTARGET;
06822                 }
06823                 rsbac_pr_debug(ds_acl, "Setting network object inheritance mask for netobj %p\n",
06824                                tid.netobj.sock_p);
06825                 return rsbac_ta_list_lol_add_ttl(ta_number, netobj_handle,
06826                                                  0, &tid.netobj.sock_p,
06827                                                  &mask);
06828 #endif                          /* NET_OBJ_PROT */
06829 
06830         default:
06831                 err = -RSBAC_EINVALIDTARGET;
06832         }
06833         return (err);
06834 }
06835 
06836 /* rsbac_acl_get_mask
06837  * Get inheritance mask for given target. If item does
06838  * not exist, default mask is returned.
06839  */
06840 
06841 int rsbac_acl_get_mask(rsbac_list_ta_number_t ta_number,
06842                        enum rsbac_target_t target,
06843                        union rsbac_target_id_t tid,
06844                        rsbac_acl_rights_vector_t * mask_p)
06845 {
06846         int err = 0;
06847         struct rsbac_acl_device_list_item_t *device_p;
06848 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
06849         u_long dflags;
06850 #endif
06851 
06852         if (!rsbac_is_initialized()) {
06853                 rsbac_printk(KERN_WARNING "rsbac_acl_get_mask(): RSBAC not initialized\n");
06854                 return (-RSBAC_ENOTINITIALIZED);
06855         }
06856         if (target >= T_NONE)
06857                 return (-RSBAC_EINVALIDTARGET);
06858 #ifdef CONFIG_RSBAC_DEBUG
06859         if (in_interrupt()) {
06860                 rsbac_printk(KERN_WARNING "rsbac_acl_get_mask(): called from interrupt!\n");
06861         }
06862 #endif
06863         switch (target) {
06864         case T_FILE:
06865         case T_DIR:
06866         case T_FIFO:
06867         case T_SYMLINK:
06868         case T_UNIXSOCK:
06869                 /* default entry? */
06870                 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode
06871                     && !tid.file.dentry_p) {
06872                         return -RSBAC_EINVALIDTARGET;
06873                 }
06874 
06875 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06876                 rcu_read_lock();
06877 #else
06878                 rsbac_read_lock(&device_list_lock, &dflags);
06879 #endif
06880                 /* lookup device */
06881                 device_p = acl_lookup_device(tid.file.device);
06882                 if (!device_p) {
06883                         /* trigger rsbac_mount() */
06884 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06885                         rcu_read_unlock();
06886 #else
06887                         rsbac_read_unlock(&device_list_lock, &dflags);
06888 #endif
06889                         rsbac_get_super_block(tid.file.device);
06890                         /* retry */
06891 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06892                         rcu_read_lock();
06893 #else
06894                         rsbac_read_lock(&device_list_lock, &dflags);
06895 #endif
06896                         device_p = acl_lookup_device(tid.file.device);
06897                         if (!device_p) {
06898                                 rsbac_printk(KERN_WARNING "rsbac_acl_get_mask(): Could not lookup device!\n");
06899 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06900                                 rcu_read_unlock();
06901 #else
06902                                 rsbac_read_unlock(&device_list_lock, &dflags);
06903 #endif
06904                                 return (-RSBAC_EINVALIDDEV);
06905                         }
06906                 }
06907                 err = rsbac_ta_list_lol_get_data_ttl(ta_number,
06908                                                    device_p->handle, NULL,
06909                                                    &tid.file.inode,
06910                                                    mask_p);
06911 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06912                 rcu_read_unlock();
06913 #else
06914                 rsbac_read_unlock(&device_list_lock, &dflags);
06915 #endif
06916                 if (err == -RSBAC_ENOTFOUND) {
06917                         *mask_p = RSBAC_ACL_DEFAULT_FD_MASK;
06918                         err = 0;
06919                 }
06920                 /* ready. */
06921                 return err;
06922 
06923         case T_DEV:
06924                 /* default entry? */
06925                 if (tid.dev.type == D_none) {
06926                         return -RSBAC_EINVALIDTARGET;
06927                 }
06928 
06929                 switch (tid.dev.type) {
06930                 case D_char:
06931                 case D_block:
06932                         err =
06933                             rsbac_ta_list_lol_get_data_ttl(ta_number,
06934                                                            dev_handle,
06935                                                            NULL, &tid.dev,
06936                                                            mask_p);
06937                         break;
06938 
06939                 case D_char_major:
06940                 case D_block_major:
06941                         tid.dev.type -= (D_block_major - D_block);
06942                         err =
06943                             rsbac_ta_list_lol_get_data_ttl(ta_number,
06944                                                            dev_major_handle,
06945                                                            NULL, &tid.dev,
06946                                                            mask_p);
06947                         break;
06948 
06949                 default:
06950                         return -RSBAC_EINVALIDTARGET;
06951                 }
06952                 if (err == -RSBAC_ENOTFOUND) {
06953                         *mask_p = RSBAC_ACL_DEFAULT_DEV_MASK;
06954                         err = 0;
06955                 }
06956                 /* ready. */
06957                 return err;
06958 
06959         case T_SCD:
06960                 /* default entry? */
06961                 if (tid.scd == AST_none) {
06962                         return -RSBAC_EINVALIDTARGET;
06963                 }
06964                 err =
06965                     rsbac_ta_list_lol_get_data_ttl(ta_number, scd_handle,
06966                                                    NULL, &tid.scd, mask_p);
06967                 if (err == -RSBAC_ENOTFOUND) {
06968                         *mask_p = RSBAC_ACL_DEFAULT_SCD_MASK;
06969                         err = 0;
06970                 }
06971                 /* ready. */
06972                 return err;
06973 
06974         case T_USER:
06975                 /* default entry? */
06976                 if (tid.user == RSBAC_NO_USER) {
06977                         return -RSBAC_EINVALIDTARGET;
06978                 }
06979                 err =
06980                     rsbac_ta_list_lol_get_data_ttl(ta_number, u_handle,
06981                                                    NULL, &tid.user,
06982                                                    mask_p);
06983                 if (err == -RSBAC_ENOTFOUND) {
06984                         *mask_p = RSBAC_ACL_DEFAULT_U_MASK;
06985                         err = 0;
06986                 }
06987                 /* ready. */
06988                 return err;
06989 
06990 #ifdef CONFIG_RSBAC_ACL_UM_PROT
06991         case T_GROUP:
06992                 /* default entry? */
06993                 if (tid.group == RSBAC_NO_GROUP) {
06994                         return -RSBAC_EINVALIDTARGET;
06995                 }
06996                 err =
06997                     rsbac_ta_list_lol_get_data_ttl(ta_number, g_handle,
06998                                                    NULL, &tid.group,
06999                                                    mask_p);
07000                 if (err == -RSBAC_ENOTFOUND) {
07001                         *mask_p = RSBAC_ACL_DEFAULT_G_MASK;
07002                         err = 0;
07003                 }
07004                 /* ready. */
07005                 return err;
07006 #endif
07007 
07008 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
07009         case T_NETDEV:
07010                 /* default entry? */
07011                 if (!tid.netdev[0]) {
07012                         return -RSBAC_EINVALIDTARGET;
07013                 }
07014 
07015                 err =
07016                     rsbac_ta_list_lol_get_data_ttl(ta_number,
07017                                                    netdev_handle, NULL,
07018                                                    &tid.netdev, mask_p);
07019                 if (err == -RSBAC_ENOTFOUND) {
07020                         *mask_p = RSBAC_ACL_DEFAULT_NETDEV_MASK;
07021                         err = 0;
07022                 }
07023                 /* ready. */
07024                 return err;
07025 #endif
07026 
07027 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
07028         case T_NETTEMP_NT:
07029                 /* default entry? */
07030                 if (!tid.nettemp) {
07031                         return -RSBAC_EINVALIDTARGET;
07032                 }
07033                 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
07034                         return -RSBAC_EINVALIDTARGET;
07035 
07036                 err =
07037                     rsbac_ta_list_lol_get_data_ttl(ta_number,
07038                                                    nettemp_nt_handle, NULL,
07039                                                    &tid.nettemp, mask_p);
07040                 if (err == -RSBAC_ENOTFOUND) {
07041                         *mask_p = RSBAC_ACL_DEFAULT_NETTEMP_MASK;
07042                         err = 0;
07043                 }
07044                 /* ready. */
07045                 return err;
07046         case T_NETTEMP:
07047                 /* default entry? */
07048                 if (!tid.nettemp) {
07049                         return -RSBAC_EINVALIDTARGET;
07050                 }
07051                 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
07052                         return -RSBAC_EINVALIDTARGET;
07053 
07054                 err =
07055                     rsbac_ta_list_lol_get_data_ttl(ta_number,
07056                                                    nettemp_handle, NULL,
07057                                                    &tid.nettemp, mask_p);
07058                 if (err == -RSBAC_ENOTFOUND) {
07059                         *mask_p = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
07060                         err = 0;
07061                 }
07062                 /* ready. */
07063                 return err;
07064         case T_NETOBJ:
07065                 /* default entry? */
07066                 if (!tid.netobj.sock_p) {
07067                         return -RSBAC_EINVALIDTARGET;
07068                 }
07069 
07070                 err =
07071                     rsbac_ta_list_lol_get_data_ttl(ta_number,
07072                                                    netobj_handle, NULL,
07073                                                    &tid.netobj.sock_p,
07074                                                    mask_p);
07075                 if (err == -RSBAC_ENOTFOUND) {
07076                         *mask_p = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
07077                         err = 0;
07078                 }
07079                 /* ready. */
07080                 return err;
07081 #endif
07082 
07083         default:
07084                 err = -RSBAC_EINVALIDTARGET;
07085         }
07086         return (err);
07087 }
07088 
07089 /* rsbac_acl_get_rights
07090  * Get rights from ACL entry for given target and subject.
07091  * If entry does not exist and inherit is on, inherited rights are used.
07092  * If there is no parent, the default rights vector for this target type is returned.
07093  * This function does NOT add role or group rights to user rights!
07094  */
07095 
07096 int rsbac_acl_get_rights(rsbac_list_ta_number_t ta_number,
07097                          enum rsbac_target_t target,
07098                          union rsbac_target_id_t tid,
07099                          enum rsbac_acl_subject_type_t subj_type,
07100                          rsbac_acl_subject_id_t subj_id,
07101                          rsbac_acl_rights_vector_t * rights_p,
07102                          rsbac_boolean_t inherit)
07103 {
07104         int err = 0;
07105         struct rsbac_acl_device_list_item_t *device_p;
07106         struct rsbac_acl_entry_desc_t desc;
07107         rsbac_acl_rights_vector_t i_rights = 0;
07108         rsbac_acl_rights_vector_t mask = -1;
07109 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
07110         u_long dflags;
07111 #endif
07112 
07113         if (!rsbac_is_initialized()) {
07114                 rsbac_printk(KERN_WARNING "rsbac_acl_get_rights(): RSBAC not initialized\n");
07115                 return (-RSBAC_ENOTINITIALIZED);
07116         }
07117         if (!rights_p)
07118                 return (-RSBAC_EINVALIDPOINTER);
07119         if (subj_type >= ACLS_NONE)
07120                 return (-RSBAC_EINVALIDVALUE);
07121 #ifdef CONFIG_RSBAC_DEBUG
07122         if (in_interrupt()) {
07123                 rsbac_printk(KERN_WARNING "rsbac_acl_get_rights(): called from interrupt!\n");
07124         }
07125 #endif
07126         desc.subj_type = subj_type;
07127         desc.subj_id = subj_id;
07128 
07129         switch (target) {
07130         case T_FILE:
07131         case T_DIR:
07132         case T_FIFO:
07133         case T_SYMLINK:
07134         case T_UNIXSOCK:
07135                 /* default entry? */
07136                 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode
07137                     && !tid.file.dentry_p) {
07138                         if (rsbac_ta_list_get_data_ttl
07139                             (ta_number, default_fd_handle, NULL, &desc,
07140                              rights_p)) {
07141                                 /* last resort: default rights */
07142                                 *rights_p = default_fd_rights;
07143                         }
07144                         return 0;
07145                 }
07146                 *rights_p = 0;
07147 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07148                 rcu_read_lock();
07149 #else
07150                 rsbac_read_lock(&device_list_lock, &dflags);
07151 #endif
07152                 /* use loop for inheritance - used to be recursive calls */
07153                 for (;;) {
07154                         /* lookup device */
07155                         device_p = acl_lookup_device(tid.file.device);
07156                         if (!device_p) {
07157                                 /* trigger rsbac_mount() */
07158 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07159                                 rcu_read_unlock();
07160 #else
07161                                 rsbac_read_unlock(&device_list_lock, &dflags);
07162 #endif
07163                                 rsbac_get_super_block(tid.file.device);
07164                                 /* retry */
07165 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07166                                 rcu_read_lock();
07167 #else
07168                                 rsbac_read_lock(&device_list_lock, &dflags);
07169 #endif
07170                                 device_p =
07171                                     acl_lookup_device(tid.file.device);
07172                                 if (!device_p) {
07173                                         rsbac_printk(KERN_WARNING "rsbac_acl_get_rights(): Could not lookup device %02u:%02u!\n",
07174                                                      RSBAC_MAJOR(tid.file.
07175                                                                  device),
07176                                                      RSBAC_MINOR(tid.file.
07177                                                                  device));
07178 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07179                                         rcu_read_unlock();
07180 #else
07181                                         rsbac_read_unlock(&device_list_lock, &dflags);
07182 #endif
07183                                         return (-RSBAC_EINVALIDDEV);
07184                                 }
07185                         }
07186                         if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07187                                                                device_p->handle,
07188                                                                NULL,
07189                                                                &tid.file.
07190                                                                inode,
07191                                                                &desc,
07192                                                                &i_rights))
07193                         {
07194                                 *rights_p |= (i_rights & mask);
07195                                 /* leave loop */
07196                                 break;
07197                         } else if (inherit) {
07198                                 enum rsbac_target_t parent_target;
07199                                 union rsbac_target_id_t parent_tid;
07200                                 rsbac_acl_rights_vector_t i_mask;
07201 
07202                                 /* get mask to filter through in next round */
07203                                 if (rsbac_ta_list_lol_get_data_ttl
07204                                     (ta_number, device_p->handle,
07205                                      NULL, &tid.file.inode, &i_mask)) {
07206                                         /* no mask found, set default */
07207                                         i_mask = RSBAC_ACL_DEFAULT_FD_MASK;
07208                                 }
07209                                 /* mask into cumulative mask */
07210                                 mask &= i_mask;
07211 
07212                                 /* inheritance possible? */
07213                                 if (!rsbac_get_parent
07214                                     (target, tid, &parent_target,
07215                                      &parent_tid)) {
07216                                         target = parent_target;
07217                                         tid = parent_tid;
07218                                         /* next round */
07219                                         continue;
07220                                 } else {
07221                                         /* no inheritance possible -> try default_fd_acl */
07222                                         if (!rsbac_ta_list_get_data_ttl
07223                                             (ta_number, default_fd_handle,
07224                                              NULL, &desc, &i_rights)) {
07225                                                 /* found, use it */
07226                                                 *rights_p |=
07227                                                     (i_rights & mask);
07228                                         } else {
07229                                                 /* last resort: default rights */
07230                                                 *rights_p |=
07231                                                     (default_fd_rights &
07232                                                      mask);
07233                                         }
07234                                 }
07235                                 /* leave loop */
07236                                 break;
07237                         } else {        /* do not inherit */
07238 
07239                                 /* last resort: default rights */
07240                                 *rights_p |= default_fd_rights;
07241                                 /* leave loop */
07242                                 break;
07243                         }
07244                 }               /* end of for(;;) inheritance loop */
07245 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07246                 rcu_read_unlock();
07247 #else
07248                 rsbac_read_unlock(&device_list_lock, &dflags);
07249 #endif
07250                 return err;
07251 
07252         case T_DEV:
07253                 /* default entry? */
07254 
07255                 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev)) {
07256                         if (rsbac_ta_list_get_data_ttl
07257                             (ta_number, default_dev_handle, NULL, &desc,
07258                              rights_p)) {
07259                                 /* last resort: default rights */
07260                                 *rights_p = default_dev_rights;
07261                         }
07262                         return 0;
07263                 }
07264                 if ((tid.dev.type >= D_char_major)
07265                     || (tid.dev.type == D_block_major)
07266                     ) {
07267                         tid.dev.type -= (D_block_major - D_block);
07268                         if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07269                                                                dev_major_handle,
07270                                                                NULL,
07271                                                                &tid.dev,
07272                                                                &desc,
07273                                                                &i_rights))
07274                         {
07275                                 *rights_p |= i_rights;
07276                         } else {
07277                                 rsbac_acl_rights_vector_t mask2;
07278 
07279                                 /* get mask to filter through */
07280                                 if (rsbac_ta_list_lol_get_data_ttl
07281                                     (ta_number, dev_major_handle, NULL,
07282                                      &tid.dev, &mask2)) {
07283                                         /* no mask found, set default */
07284                                         mask2 = RSBAC_ACL_DEFAULT_DEV_MASK;
07285                                 }
07286                                 /* try default_dev_acl */
07287                                 if (!rsbac_ta_list_get_data_ttl
07288                                     (ta_number, default_dev_handle, NULL,
07289                                      &desc, rights_p)) {
07290                                         *rights_p &= mask2;
07291                                 } else {
07292                                         /* last resort: default rights */
07293                                         *rights_p =
07294                                             default_dev_rights & mask2;
07295                                 }
07296                         }
07297                         return 0;
07298                 }
07299                 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07300                                                        dev_handle,
07301                                                        NULL,
07302                                                        &tid.dev,
07303                                                        &desc, &i_rights)) {
07304                         *rights_p |= i_rights;
07305                 } else {
07306                         rsbac_acl_rights_vector_t mask;
07307 
07308                         /* get mask to filter through */
07309                         if (rsbac_ta_list_lol_get_data_ttl(ta_number,
07310                                                            dev_handle,
07311                                                            NULL,
07312                                                            &tid.dev,
07313                                                            &mask)) {
07314                                 /* no mask found, set default */
07315                                 mask = RSBAC_ACL_DEFAULT_DEV_MASK;
07316                         }
07317                         if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07318                                                                dev_major_handle,
07319                                                                NULL,
07320                                                                &tid.dev,
07321                                                                &desc,
07322                                                                &i_rights))
07323                         {
07324                                 i_rights &= mask;
07325                                 *rights_p |= i_rights;
07326                         } else {
07327                                 rsbac_acl_rights_vector_t mask2;
07328 
07329                                 /* get mask to filter through */
07330                                 if (rsbac_ta_list_lol_get_data_ttl
07331                                     (ta_number, dev_major_handle, NULL,
07332                                      &tid.dev, &mask2)) {
07333                                         /* no mask found, set default */
07334                                         mask2 = RSBAC_ACL_DEFAULT_DEV_MASK;
07335                                 }
07336                                 /* try default_dev_acl */
07337                                 if (!rsbac_ta_list_get_data_ttl
07338                                     (ta_number, default_dev_handle, NULL,
07339                                      &desc, rights_p)) {
07340                                         *rights_p &= mask;
07341                                         *rights_p &= mask2;
07342                                 } else {
07343                                         /* last resort: default rights */
07344                                         *rights_p =
07345                                             default_dev_rights & mask &
07346                                             mask2;
07347                                 }
07348                         }
07349                 }
07350                 return 0;
07351 
07352         case T_IPC:
07353 
07354                 /* Use default ACL */
07355                 if (rsbac_ta_list_get_data_ttl
07356                     (ta_number, default_ipc_handle, NULL, &desc,
07357                      rights_p)) {
07358                         /* last resort: default rights */
07359                         *rights_p = default_ipc_rights;
07360                 }
07361                 return 0;
07362 
07363         case T_SCD:
07364                 /* default entry? */
07365                 if ((tid.scd == AST_none)
07366                     || (tid.scd == ST_none)
07367                     ) {
07368                         if (rsbac_ta_list_get_data_ttl
07369                             (ta_number, default_scd_handle, NULL, &desc,
07370                              rights_p)) {
07371                                 /* last resort: default rights */
07372                                 *rights_p = default_scd_rights;
07373                         }
07374                         return 0;
07375                 }
07376                 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07377                                                        scd_handle,
07378                                                        NULL,
07379                                                        &tid.scd,
07380                                                        &desc, &i_rights)) {
07381                         *rights_p |= i_rights;
07382                 } else {
07383                         rsbac_acl_rights_vector_t mask;
07384 
07385                         /* get mask to filter through */
07386                         if (rsbac_ta_list_lol_get_data_ttl(ta_number,
07387                                                            scd_handle,
07388                                                            NULL,
07389                                                            &tid.scd,
07390                                                            &mask)) {
07391                                 /* no mask found, set default */
07392                                 mask = RSBAC_ACL_DEFAULT_SCD_MASK;
07393                         }
07394                         /* try default_dev_acl */
07395                         if (!rsbac_ta_list_get_data_ttl
07396                             (ta_number, default_scd_handle, NULL, &desc,
07397                              rights_p)) {
07398                                 *rights_p &= mask;
07399                         } else {
07400                                 /* last resort: default rights */
07401                                 *rights_p = default_scd_rights & mask;
07402                         }
07403                 }
07404                 return 0;
07405 
07406         case T_USER:
07407                 /* default entry? */
07408                 if (tid.user == RSBAC_NO_USER) {
07409                         if (rsbac_ta_list_get_data_ttl
07410                             (ta_number, default_u_handle, NULL, &desc,
07411                              rights_p)) {
07412                                 /* last resort: default rights */
07413                                 *rights_p = default_u_rights;
07414                         }
07415                         return 0;
07416                 }
07417                 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07418                                                        u_handle,
07419                                                        NULL,
07420                                                        &tid.user,
07421                                                        &desc, &i_rights)) {
07422                         *rights_p |= i_rights;
07423                 } else {
07424                         rsbac_acl_rights_vector_t mask;
07425 
07426                         /* get mask to filter through */
07427                         if (rsbac_ta_list_lol_get_data_ttl(ta_number,
07428                                                            u_handle,
07429                                                            NULL,
07430                                                            &tid.user,
07431                                                            &mask)) {
07432                                 /* no mask found, set default */
07433                                 mask = RSBAC_ACL_DEFAULT_U_MASK;
07434                         }
07435                         /* try default_u_acl */
07436                         if (!rsbac_ta_list_get_data_ttl
07437                             (ta_number, default_u_handle, NULL, &desc,
07438                              rights_p)) {
07439                                 *rights_p &= mask;
07440                         } else {
07441                                 /* last resort: default rights */
07442                                 *rights_p = default_u_rights & mask;
07443                         }
07444                 }
07445                 return 0;
07446 
07447         case T_PROCESS:
07448 
07449                 /* Use default entry */
07450                 if (rsbac_ta_list_get_data_ttl(ta_number, default_p_handle,
07451                                                NULL, &desc, rights_p)) {
07452                         /* last resort: default rights */
07453                         *rights_p = default_p_rights;
07454                 }
07455                 return 0;
07456 
07457 #ifdef CONFIG_RSBAC_ACL_UM_PROT
07458         case T_GROUP:
07459                 /* default entry? */
07460                 if (tid.group == RSBAC_NO_GROUP) {
07461                         if (rsbac_ta_list_get_data_ttl
07462                             (ta_number, default_g_handle, NULL, &desc,
07463                              rights_p)) {
07464                                 /* last resort: default rights */
07465                                 *rights_p = default_g_rights;
07466                         }
07467                         return 0;
07468                 }
07469                 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07470                                                        g_handle,
07471                                                        NULL,
07472                                                        &tid.group,
07473                                                        &desc, &i_rights)) {
07474                         *rights_p |= i_rights;
07475                 } else {
07476                         rsbac_acl_rights_vector_t mask;
07477 
07478                         /* get mask to filter through */
07479                         if (rsbac_ta_list_lol_get_data_ttl(ta_number,
07480                                                            g_handle,
07481                                                            NULL,
07482                                                            &tid.group,
07483                                                            &mask)) {
07484                                 /* no mask found, set default */
07485                                 mask = RSBAC_ACL_DEFAULT_G_MASK;
07486                         }
07487                         /* try default_u_acl */
07488                         if (!rsbac_ta_list_get_data_ttl
07489                             (ta_number, default_g_handle, NULL, &desc,
07490                              rights_p)) {
07491                                 *rights_p &= mask;
07492                         } else {
07493                                 /* last resort: default rights */
07494                                 *rights_p = default_g_rights & mask;
07495                         }
07496                 }
07497                 return 0;
07498 #endif
07499 
07500 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
07501         case T_NETDEV:
07502                 /* default entry? */
07503 
07504                 if (!tid.netdev[0]) {
07505                         if (rsbac_ta_list_get_data_ttl
07506                             (ta_number, default_netdev_handle, NULL, &desc,
07507                              rights_p)) {
07508                                 /* last resort: default rights */
07509                                 *rights_p = default_netdev_rights;
07510                         }
07511                         return 0;
07512                 }
07513                 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07514                                                        netdev_handle,
07515                                                        NULL,
07516                                                        &tid.netdev,
07517                                                        &desc, &i_rights)) {
07518                         *rights_p |= i_rights;
07519                 } else {
07520                         rsbac_acl_rights_vector_t mask;
07521 
07522                         /* get mask to filter through */
07523                         if (rsbac_ta_list_lol_get_data_ttl(ta_number,
07524                                                            netdev_handle,
07525                                                            NULL,
07526                                                            &tid.netdev,
07527                                                            &mask)) {
07528                                 /* no mask found, set default */
07529                                 mask = RSBAC_ACL_DEFAULT_NETDEV_MASK;
07530                         }
07531                         /* try default_dev_acl */
07532                         if (!rsbac_ta_list_get_data_ttl
07533                             (ta_number, default_netdev_handle, NULL, &desc,
07534                              rights_p)) {
07535                                 *rights_p &= mask;
07536                         } else {
07537                                 /* last resort: default rights */
07538                                 *rights_p = default_netdev_rights & mask;
07539                         }
07540                 }
07541                 return 0;
07542 #endif
07543 
07544 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
07545                 /* rights to template itself */
07546         case T_NETTEMP_NT:
07547                 /* default entry? */
07548 
07549                 if (!tid.nettemp) {
07550                         if (rsbac_ta_list_get_data_ttl
07551                             (ta_number, default_nettemp_nt_handle, NULL,
07552                              &desc, rights_p)) {
07553                                 /* last resort: default rights */
07554                                 *rights_p = default_nettemp_nt_rights;
07555                         }
07556                         return 0;
07557                 }
07558                 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
07559                         return -RSBAC_EINVALIDTARGET;
07560                 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07561                                                        nettemp_nt_handle,
07562                                                        NULL,
07563                                                        &tid.nettemp,
07564                                                        &desc, &i_rights)) {
07565                         *rights_p |= i_rights;
07566                 } else {
07567                         rsbac_acl_rights_vector_t mask;
07568 
07569                         /* get mask to filter through */
07570                         if (rsbac_ta_list_lol_get_data_ttl(ta_number,
07571                                                            nettemp_nt_handle,
07572                                                            NULL,
07573                                                            &tid.nettemp,
07574                                                            &mask)) {
07575                                 /* no mask found, set default */
07576                                 mask = RSBAC_ACL_DEFAULT_NETTEMP_MASK;
07577                         }
07578                         /* try default_dev_acl */
07579                         if (!rsbac_ta_list_get_data_ttl
07580                             (ta_number, default_nettemp_nt_handle, NULL,
07581                              &desc, rights_p)) {
07582                                 *rights_p &= mask;
07583                         } else {
07584                                 /* last resort: default rights */
07585                                 *rights_p =
07586                                     default_nettemp_nt_rights & mask;
07587                         }
07588                 }
07589                 return 0;
07590 
07591                 /* rights to netobjs fitting this template */
07592         case T_NETTEMP:
07593                 /* default entry? */
07594 
07595                 if (!tid.nettemp) {
07596                         if (rsbac_ta_list_get_data_ttl
07597                             (ta_number, default_netobj_handle, NULL, &desc,
07598                              rights_p)) {
07599                                 /* last resort: default rights */
07600                                 *rights_p = default_netobj_rights;
07601                         }
07602                         return 0;
07603                 }
07604                 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
07605                         return -RSBAC_EINVALIDTARGET;
07606                 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07607                                                        nettemp_handle,
07608                                                        NULL,
07609                                                        &tid.nettemp,
07610                                                        &desc, &i_rights)) {
07611                         *rights_p |= i_rights;
07612                 } else {
07613                         rsbac_acl_rights_vector_t mask;
07614 
07615                         /* get mask to filter through */
07616                         if (rsbac_ta_list_lol_get_data_ttl(ta_number,
07617                                                            nettemp_handle,
07618                                                            NULL,
07619                                                            &tid.nettemp,
07620                                                            &mask)) {
07621                                 /* no mask found, set default */
07622                                 mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
07623                         }
07624                         /* try default_dev_acl */
07625                         if (!rsbac_ta_list_get_data_ttl
07626                             (ta_number, default_netobj_handle, NULL, &desc,
07627                              rights_p)) {
07628                                 *rights_p &= mask;
07629                         } else {
07630                                 /* last resort: default rights */
07631                                 *rights_p = default_netobj_rights & mask;
07632                         }
07633                 }
07634                 return 0;
07635 
07636         case T_NETOBJ:
07637                 /* default entry? */
07638 
07639                 if (!tid.nettemp) {
07640                         if (rsbac_ta_list_get_data_ttl
07641                             (ta_number, default_netobj_handle, NULL, &desc,
07642                              rights_p)) {
07643                                 /* last resort: default rights */
07644                                 *rights_p = default_netobj_rights;
07645                         }
07646                         return 0;
07647                 }
07648                 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07649                                                        netobj_handle,
07650                                                        NULL,
07651                                                        &tid.netobj.sock_p,
07652                                                        &desc, &i_rights)) {
07653                         *rights_p |= i_rights;
07654                 } else {
07655                         rsbac_acl_rights_vector_t mask;
07656                         rsbac_net_temp_id_t temp = 0;
07657 
07658                         /* get mask to filter through */
07659                         if (rsbac_ta_list_lol_get_data_ttl(ta_number,
07660                                                            nettemp_handle,
07661                                                            NULL,
07662                                                            &temp, &mask)) {
07663                                 /* no mask found, set default */
07664                                 mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
07665                         }
07666                         /* try nettemp_acl */
07667                         if(!ta_number && tid.netobj.local_temp)
07668                                 temp = tid.netobj.local_temp;
07669                         else
07670                                 rsbac_ta_net_lookup_templates(ta_number,
07671                                                       &tid.netobj,
07672                                                       &temp, NULL);
07673 
07674                         if (temp
07675                             &&
07676                             !rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07677                                                                nettemp_handle,
07678                                                                NULL, &temp,
07679                                                                &desc,
07680                                                                &i_rights))
07681                         {
07682                                 *rights_p |= i_rights;
07683                         } else {
07684                                 /* get mask to filter through */
07685                                 if (temp
07686                                     &&
07687                                     rsbac_ta_list_lol_get_data_ttl
07688                                     (ta_number, nettemp_handle, NULL,
07689                                      &temp, &mask)) {
07690                                         /* no mask found, set default */
07691                                         mask =
07692                                             RSBAC_ACL_DEFAULT_NETOBJ_MASK;
07693                                 }
07694                                 /* try default_netobj_acl */
07695                                 if (!rsbac_ta_list_get_data_ttl
07696                                     (ta_number, default_netobj_handle,
07697                                      NULL, &desc, rights_p)) {
07698                                         *rights_p &= mask;
07699                                 } else {
07700                                         /* last resort: default rights */
07701                                         *rights_p =
07702                                             default_netobj_rights & mask;
07703                                 }
07704                         }
07705                 }
07706                 return 0;
07707 #endif                          /* NET_OBJ_PROT */
07708 
07709         default:
07710                 return -RSBAC_EINVALIDTARGET;
07711         }
07712 }
07713 
07714 /* rsbac_acl_get_single_right
07715  * Show, whether individual right is set for given target and subject.
07716  * If right is not set, it is checked at all parents, unless it has been
07717  * masked out. (Special case SUPERVISOR: unless
07718  * CONFIG_RSBAC_ACL_SUPER_FILTER is set *and* supervisor has been masked out)
07719  */
07720 
07721 int rsbac_acl_get_single_right(enum rsbac_target_t target,
07722                                union rsbac_target_id_t tid,
07723                                enum rsbac_acl_subject_type_t subj_type,
07724                                rsbac_acl_subject_id_t subj_id,
07725                                enum rsbac_adf_request_t right,
07726                                rsbac_boolean_t * result)
07727 {
07728         struct rsbac_acl_device_list_item_t *device_p;
07729         rsbac_acl_rights_vector_t i_rvec;
07730         rsbac_acl_rights_vector_t i_rights;
07731         struct rsbac_acl_entry_desc_t desc;
07732 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
07733         u_long dflags;
07734 #endif
07735 
07736         if (!rsbac_is_initialized()) {
07737                 rsbac_printk(KERN_WARNING "rsbac_acl_get_single_right(): RSBAC not initialized\n");
07738                 return (-RSBAC_ENOTINITIALIZED);
07739         }
07740         if (!result)
07741                 return (-RSBAC_EINVALIDPOINTER);
07742         if ((subj_type >= ACLS_NONE)
07743             || (right >= ACLR_NONE)
07744             )
07745                 return (-RSBAC_EINVALIDVALUE);
07746 #ifdef CONFIG_RSBAC_DEBUG
07747         if (in_interrupt()) {
07748                 rsbac_printk(KERN_WARNING "rsbac_acl_get_single_right(): called from interrupt!\n");
07749         }
07750 #endif
07751         i_rvec = (rsbac_acl_rights_vector_t) 1 << right;
07752 
07753         desc.subj_type = subj_type;
07754         desc.subj_id = subj_id;
07755 
07756         switch (target) {
07757         case T_FILE:
07758         case T_DIR:
07759         case T_FIFO:
07760         case T_SYMLINK:
07761         case T_UNIXSOCK:
07762                 /* default entry? */
07763                 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode
07764                     && !tid.file.dentry_p) {
07765                         if (!rsbac_ta_list_get_data_ttl
07766                             (0, default_fd_handle, NULL, &desc,
07767                              &i_rights)) {
07768                                 if (i_rights & i_rvec)
07769                                         *result = TRUE;
07770                                 else
07771                                         *result = FALSE;
07772                         } else {
07773                                 if (default_fd_rights & i_rvec)
07774                                         *result = TRUE;
07775                                 else
07776                                         *result = FALSE;
07777                         }
07778                         return 0;
07779                 }
07780 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07781                 rcu_read_lock();
07782 #else
07783                 rsbac_read_lock(&device_list_lock, &dflags);
07784 #endif
07785                 /* use loop for inheritance - used to be recursive calls */
07786                 for (;;) {
07787                         /* lookup device */
07788                         device_p = acl_lookup_device(tid.file.device);
07789                         if (!device_p) {
07790                                 /* trigger rsbac_mount() */
07791 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07792                                 rcu_read_unlock();
07793 #else
07794                                 rsbac_read_unlock(&device_list_lock, &dflags);
07795 #endif
07796                                 rsbac_get_super_block(tid.file.device);
07797                                 /* retry */
07798 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07799                                 rcu_read_lock();
07800 #else
07801                                 rsbac_read_lock(&device_list_lock, &dflags);
07802 #endif
07803                                 device_p =
07804                                     acl_lookup_device(tid.file.device);
07805                                 if (!device_p) {
07806                                         rsbac_printk(KERN_WARNING "rsbac_acl_get_single_right(): Could not lookup device, blindly granting access!\n");
07807 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07808                                         rcu_read_unlock();
07809 #else
07810                                         rsbac_read_unlock(&device_list_lock, &dflags);
07811 #endif
07812                                         *result = TRUE;
07813                                         return 0;
07814                                 }
07815                         }
07816                         if (!rsbac_ta_list_lol_get_subdata_ttl(0,
07817                                                                device_p->handle,
07818                                                                NULL,
07819                                                                &tid.file.
07820                                                                inode,
07821                                                                &desc,
07822                                                                &i_rights)
07823                             ) {
07824                                 if (i_rights & i_rvec)
07825                                         *result = TRUE;
07826                                 else
07827                                         *result = FALSE;
07828 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07829                                 rcu_read_unlock();
07830 #else
07831                                 rsbac_read_unlock(&device_list_lock, &dflags);
07832 #endif
07833                                 return 0;
07834                         }
07835 
07836                         {
07837                                 enum rsbac_target_t parent_target;
07838                                 union rsbac_target_id_t parent_tid;
07839 
07840 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
07841                                 if (right != ACLR_SUPERVISOR)
07842 #endif
07843                                 {
07844                                         rsbac_acl_rights_vector_t mask;
07845 
07846                                         /* get mask to filter through */
07847                                         if (!rsbac_ta_list_lol_get_data_ttl
07848                                             (0, device_p->handle,
07849                                              NULL, &tid.file.inode, &mask)
07850                                             && !(mask & i_rvec)
07851                                             ) {
07852 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07853                                                 rcu_read_unlock();
07854 #else
07855                                                 rsbac_read_unlock(&device_list_lock, &dflags);
07856 #endif
07857                                                 *result = FALSE;
07858                                                 return 0;
07859                                         }
07860                                 }
07861 
07862                                 /* inheritance possible? */
07863                                 if (!rsbac_get_parent
07864                                     (target, tid, &parent_target,
07865                                      &parent_tid)) {
07866                                         target = parent_target;
07867                                         tid = parent_tid;
07868                                         continue;
07869                                 } else {
07870                                         /* no inheritance possible -> try default_fd_acl */
07871                                         if (!rsbac_ta_list_get_data_ttl
07872                                             (0, default_fd_handle, NULL,
07873                                              &desc, &i_rights)
07874                                             ) {
07875                                                 if (i_rights & i_rvec)
07876                                                         *result = TRUE;
07877                                                 else
07878                                                         *result = FALSE;
07879                                         } else {
07880                                                 if (default_fd_rights &
07881                                                     i_rvec)
07882                                                         *result = TRUE;
07883                                                 else
07884                                                         *result = FALSE;
07885                                         }
07886                                         /* free access to device_list_head - see above */
07887 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07888                                         rcu_read_unlock();
07889 #else
07890                                         rsbac_read_unlock(&device_list_lock, &dflags);
07891 #endif
07892                                         return 0;
07893                                 }
07894                         }
07895                 }               /* end of for(;;) for inheritance */
07896 
07897         case T_DEV:
07898                 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev)) {
07899                         if (!rsbac_ta_list_get_data_ttl
07900                             (0, default_dev_handle, NULL, &desc,
07901                              &i_rights)) {
07902                                 if (i_rights & i_rvec)
07903                                         *result = TRUE;
07904                                 else
07905                                         *result = FALSE;
07906                         } else {
07907                                 if (default_dev_rights & i_rvec)
07908                                         *result = TRUE;
07909                                 else
07910                                         *result = FALSE;
07911                         }
07912                         return 0;
07913                 }
07914 
07915                 if (tid.dev.type >= D_block_major) {
07916                         tid.dev.type -= (D_block_major - D_block);
07917                         if (!rsbac_ta_list_lol_get_subdata_ttl
07918                             (0, dev_major_handle, NULL, &tid.dev, &desc,
07919                              &i_rights)
07920                             ) {
07921                                 if (i_rights & i_rvec)
07922                                         *result = TRUE;
07923                                 else
07924                                         *result = FALSE;
07925                                 return 0;
07926                         }
07927 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
07928                         if (right != ACLR_SUPERVISOR)
07929 #endif
07930                         {
07931                                 rsbac_acl_rights_vector_t mask;
07932 
07933                                 /* get mask to filter through */
07934                                 if (!rsbac_ta_list_lol_get_data_ttl
07935                                     (0, dev_major_handle, NULL, &tid.dev,
07936                                      &mask)
07937                                     && !(mask & i_rvec)
07938                                     ) {
07939                                         *result = FALSE;
07940                                         return 0;
07941                                 }
07942                         }
07943                         /* no inheritance possible -> try default acl */
07944                         if (!rsbac_ta_list_get_data_ttl
07945                             (0, default_dev_handle, NULL, &desc, &i_rights)
07946                             ) {
07947                                 if (i_rights & i_rvec)
07948                                         *result = TRUE;
07949                                 else
07950                                         *result = FALSE;
07951                         } else {
07952                                 if (default_dev_rights & i_rvec)
07953                                         *result = TRUE;
07954                                 else
07955                                         *result = FALSE;
07956                         }
07957                         return 0;
07958                 }
07959                 if (!rsbac_ta_list_lol_get_subdata_ttl(0, dev_handle,
07960                                                        NULL,
07961                                                        &tid.dev,
07962                                                        &desc, &i_rights)
07963                     ) {
07964                         if (i_rights & i_rvec)
07965                                 *result = TRUE;
07966                         else
07967                                 *result = FALSE;
07968                         return 0;
07969                 }
07970 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
07971                 if (right != ACLR_SUPERVISOR)
07972 #endif
07973                 {
07974                         rsbac_acl_rights_vector_t mask;
07975 
07976                         /* get mask to filter through */
07977                         if (!rsbac_ta_list_lol_get_data_ttl(0, dev_handle,
07978                                                             NULL,
07979                                                             &tid.dev,
07980                                                             &mask)
07981                             && !(mask & i_rvec)
07982                             ) {
07983                                 *result = FALSE;
07984                                 return 0;
07985                         }
07986                 }
07987                 if (!rsbac_ta_list_lol_get_subdata_ttl(0, dev_major_handle,
07988                                                        NULL,
07989                                                        &tid.dev,
07990                                                        &desc, &i_rights)
07991                     ) {
07992                         if (i_rights & i_rvec)
07993                                 *result = TRUE;
07994                         else
07995                                 *result = FALSE;
07996                         return 0;
07997                 }
07998 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
07999                 if (right != ACLR_SUPERVISOR)
08000 #endif
08001                 {
08002                         rsbac_acl_rights_vector_t mask;
08003 
08004                         /* get mask to filter through */
08005                         if (!rsbac_ta_list_lol_get_data_ttl
08006                             (0, dev_major_handle, NULL, &tid.dev, &mask)
08007                             && !(mask & i_rvec)
08008                             ) {
08009                                 *result = FALSE;
08010                                 return 0;
08011                         }
08012                 }
08013                 /* no inheritance possible -> try default acl */
08014                 if (!rsbac_ta_list_get_data_ttl(0, default_dev_handle,
08015                                                 NULL, &desc, &i_rights)
08016                     ) {
08017                         if (i_rights & i_rvec)
08018                                 *result = TRUE;
08019                         else
08020                                 *result = FALSE;
08021                 } else {
08022                         if (default_dev_rights & i_rvec)
08023                                 *result = TRUE;
08024                         else
08025                                 *result = FALSE;
08026                 }
08027                 return 0;
08028 
08029         case T_IPC:
08030                 /* Use default entry */
08031                 if (!rsbac_ta_list_get_data_ttl(0, default_ipc_handle,
08032                                                 NULL, &desc, &i_rights)) {
08033                         if (i_rights & i_rvec)
08034                                 *result = TRUE;
08035                         else
08036                                 *result = FALSE;
08037                 } else {
08038                         if (default_ipc_rights & i_rvec)
08039                                 *result = TRUE;
08040                         else
08041                                 *result = FALSE;
08042                 }
08043                 return 0;
08044 
08045         case T_SCD:
08046                 if (tid.scd == AST_none) {
08047                         if (!rsbac_ta_list_get_data_ttl
08048                             (0, default_scd_handle, NULL, &desc,
08049                              &i_rights)) {
08050                                 if (i_rights & i_rvec)
08051                                         *result = TRUE;
08052                                 else
08053                                         *result = FALSE;
08054                         } else {
08055                                 if (default_scd_rights & i_rvec)
08056                                         *result = TRUE;
08057                                 else
08058                                         *result = FALSE;
08059                         }
08060                         return 0;
08061                 }
08062 
08063                 if (!rsbac_ta_list_lol_get_subdata_ttl(0, scd_handle,
08064                                                        NULL,
08065                                                        &tid.scd,
08066                                                        &desc, &i_rights)
08067                     ) {
08068                         if (i_rights & i_rvec)
08069                                 *result = TRUE;
08070                         else
08071                                 *result = FALSE;
08072                         return 0;
08073                 }
08074 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08075                 if (right != ACLR_SUPERVISOR)
08076 #endif
08077                 {
08078                         rsbac_acl_rights_vector_t mask;
08079 
08080                         /* get mask to filter through */
08081                         if (!rsbac_ta_list_lol_get_data_ttl(0, scd_handle,
08082                                                             NULL,
08083                                                             &tid.scd,
08084                                                             &mask)
08085                             && !(mask & i_rvec)
08086                             ) {
08087                                 *result = FALSE;
08088                                 return 0;
08089                         }
08090                 }
08091 
08092                 /* no inheritance possible -> try default acl */
08093                 if (!rsbac_ta_list_get_data_ttl(0, default_scd_handle,
08094                                                 NULL, &desc, &i_rights)
08095                     ) {
08096                         if (i_rights & i_rvec)
08097                                 *result = TRUE;
08098                         else
08099                                 *result = FALSE;
08100                 } else {
08101                         if (default_scd_rights & i_rvec)
08102                                 *result = TRUE;
08103                         else
08104                                 *result = FALSE;
08105                 }
08106                 return 0;
08107 
08108         case T_USER:
08109                 if (tid.user == RSBAC_NO_USER) {
08110                         if (!rsbac_ta_list_get_data_ttl
08111                             (0, default_u_handle, NULL, &desc,
08112                              &i_rights)) {
08113                                 if (i_rights & i_rvec)
08114                                         *result = TRUE;
08115                                 else
08116                                         *result = FALSE;
08117                         } else {
08118                                 if (default_u_rights & i_rvec)
08119                                         *result = TRUE;
08120                                 else
08121                                         *result = FALSE;
08122                         }
08123                         return 0;
08124                 }
08125 
08126                 if (!rsbac_ta_list_lol_get_subdata_ttl(0, u_handle,
08127                                                        NULL,
08128                                                        &tid.user,
08129                                                        &desc, &i_rights)
08130                     ) {
08131                         if (i_rights & i_rvec)
08132                                 *result = TRUE;
08133                         else
08134                                 *result = FALSE;
08135                         return 0;
08136                 }
08137 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08138                 if (right != ACLR_SUPERVISOR)
08139 #endif
08140                 {
08141                         rsbac_acl_rights_vector_t mask;
08142 
08143                         /* get mask to filter through */
08144                         if (!rsbac_ta_list_lol_get_data_ttl(0, u_handle,
08145                                                             NULL,
08146                                                             &tid.user,
08147                                                             &mask)
08148                             && !(mask & i_rvec)
08149                             ) {
08150                                 *result = FALSE;
08151                                 return 0;
08152                         }
08153                 }
08154 
08155                 /* no inheritance possible -> try default acl */
08156                 if (!rsbac_ta_list_get_data_ttl(0, default_u_handle,
08157                                                 NULL, &desc, &i_rights)
08158                     ) {
08159                         if (i_rights & i_rvec)
08160                                 *result = TRUE;
08161                         else
08162                                 *result = FALSE;
08163                 } else {
08164                         if (default_u_rights & i_rvec)
08165                                 *result = TRUE;
08166                         else
08167                                 *result = FALSE;
08168                 }
08169                 return 0;
08170 
08171         case T_PROCESS:
08172                 /* Use default entry */
08173                 if (!rsbac_ta_list_get_data_ttl(0, default_p_handle,
08174                                                 NULL, &desc, &i_rights)) {
08175                         if (i_rights & i_rvec)
08176                                 *result = TRUE;
08177                         else
08178                                 *result = FALSE;
08179                 } else {
08180                         if (default_p_rights & i_rvec)
08181                                 *result = TRUE;
08182                         else
08183                                 *result = FALSE;
08184                 }
08185                 return 0;
08186 
08187 #ifdef CONFIG_RSBAC_ACL_UM_PROT
08188         case T_GROUP:
08189                 if (tid.group == RSBAC_NO_GROUP) {
08190                         if (!rsbac_ta_list_get_data_ttl
08191                             (0, default_g_handle, NULL, &desc,
08192                              &i_rights)) {
08193                                 if (i_rights & i_rvec)
08194                                         *result = TRUE;
08195                                 else
08196                                         *result = FALSE;
08197                         } else {
08198                                 if (default_g_rights & i_rvec)
08199                                         *result = TRUE;
08200                                 else
08201                                         *result = FALSE;
08202                         }
08203                         return 0;
08204                 }
08205 
08206                 if (!rsbac_ta_list_lol_get_subdata_ttl(0, g_handle,
08207                                                        NULL,
08208                                                        &tid.group,
08209                                                        &desc, &i_rights)
08210                     ) {
08211                         if (i_rights & i_rvec)
08212                                 *result = TRUE;
08213                         else
08214                                 *result = FALSE;
08215                         return 0;
08216                 }
08217 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08218                 if (right != ACLR_SUPERVISOR)
08219 #endif
08220                 {
08221                         rsbac_acl_rights_vector_t mask;
08222 
08223                         /* get mask to filter through */
08224                         if (!rsbac_ta_list_lol_get_data_ttl(0, g_handle,
08225                                                             NULL,
08226                                                             &tid.group,
08227                                                             &mask)
08228                             && !(mask & i_rvec)
08229                             ) {
08230                                 *result = FALSE;
08231                                 return 0;
08232                         }
08233                 }
08234 
08235                 /* no inheritance possible -> try default acl */
08236                 if (!rsbac_ta_list_get_data_ttl(0, default_g_handle,
08237                                                 NULL, &desc, &i_rights)
08238                     ) {
08239                         if (i_rights & i_rvec)
08240                                 *result = TRUE;
08241                         else
08242                                 *result = FALSE;
08243                 } else {
08244                         if (default_g_rights & i_rvec)
08245                                 *result = TRUE;
08246                         else
08247                                 *result = FALSE;
08248                 }
08249                 return 0;
08250 #endif
08251 
08252 #if defined(CONFIG_RSBAC_ACL_NET_DEV_PROT)
08253         case T_NETDEV:
08254                 if (!tid.netdev[0]) {
08255                         if (!rsbac_ta_list_get_data_ttl
08256                             (0, default_netdev_handle, NULL, &desc,
08257                              &i_rights)) {
08258                                 if (i_rights & i_rvec)
08259                                         *result = TRUE;
08260                                 else
08261                                         *result = FALSE;
08262                         } else {
08263                                 if (default_netdev_rights & i_rvec)
08264                                         *result = TRUE;
08265                                 else
08266                                         *result = FALSE;
08267                         }
08268                         return 0;
08269                 }
08270 
08271                 if (!rsbac_ta_list_lol_get_subdata_ttl(0, netdev_handle,
08272                                                        NULL,
08273                                                        &tid.netdev,
08274                                                        &desc, &i_rights)
08275                     ) {
08276                         if (i_rights & i_rvec)
08277                                 *result = TRUE;
08278                         else
08279                                 *result = FALSE;
08280                         return 0;
08281                 }
08282 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08283                 if (right != ACLR_SUPERVISOR)
08284 #endif
08285                 {
08286                         rsbac_acl_rights_vector_t mask;
08287 
08288                         /* get mask to filter through */
08289                         if (!rsbac_ta_list_lol_get_data_ttl
08290                             (0, netdev_handle, NULL, &tid.netdev, &mask)
08291                             && !(mask & i_rvec)
08292                             ) {
08293                                 *result = FALSE;
08294                                 return 0;
08295                         }
08296                 }
08297 
08298                 /* no inheritance possible -> try default acl */
08299                 if (!rsbac_ta_list_get_data_ttl(0, default_netdev_handle,
08300                                                 NULL, &desc, &i_rights)
08301                     ) {
08302                         if (i_rights & i_rvec)
08303                                 *result = TRUE;
08304                         else
08305                                 *result = FALSE;
08306                 } else {
08307                         if (default_netdev_rights & i_rvec)
08308                                 *result = TRUE;
08309                         else
08310                                 *result = FALSE;
08311                 }
08312                 return 0;
08313 #endif
08314 
08315 #if defined(CONFIG_RSBAC_ACL_NET_OBJ_PROT)
08316         case T_NETTEMP_NT:
08317         case T_NETTEMP:
08318                 if (!tid.nettemp) {
08319                         if (!rsbac_ta_list_get_data_ttl
08320                             (0, default_nettemp_nt_handle, NULL, &desc,
08321                              &i_rights)) {
08322                                 if (i_rights & i_rvec)
08323                                         *result = TRUE;
08324                                 else
08325                                         *result = FALSE;
08326                         } else {
08327                                 if (default_nettemp_nt_rights & i_rvec)
08328                                         *result = TRUE;
08329                                 else
08330                                         *result = FALSE;
08331                         }
08332                         return 0;
08333                 }
08334 
08335                 /* There should be no template, which is to be created, so skip nettemp_nt list */
08336                 if (right != R_CREATE) {
08337                         if (!rsbac_net_template_exist(tid.nettemp))
08338                                 return FALSE;
08339                         if (!rsbac_ta_list_lol_get_subdata_ttl
08340                             (0, nettemp_nt_handle, NULL, &tid.nettemp,
08341                              &desc, &i_rights)
08342                             && (i_rights & i_rvec)
08343                             ) {
08344                                 *result = TRUE;
08345                                 return 0;
08346                         }
08347 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08348                         if (right != ACLR_SUPERVISOR)
08349 #endif
08350                         {
08351                                 rsbac_acl_rights_vector_t mask;
08352 
08353                                 /* get mask to filter through */
08354                                 if (!rsbac_ta_list_lol_get_data_ttl
08355                                     (0, nettemp_nt_handle, NULL,
08356                                      &tid.nettemp, &mask)
08357                                     && !(mask & i_rvec)
08358                                     ) {
08359                                         *result = FALSE;
08360                                         return 0;
08361                                 }
08362                         }
08363                 }
08364 
08365                 /* no inheritance possible -> try default acl */
08366                 if (!rsbac_ta_list_get_data_ttl
08367                     (0, default_nettemp_nt_handle, NULL, &desc, &i_rights)
08368                     ) {
08369                         if (i_rights & i_rvec)
08370                                 *result = TRUE;
08371                         else
08372                                 *result = FALSE;
08373                 } else {
08374                         if (default_nettemp_nt_rights & i_rvec)
08375                                 *result = TRUE;
08376                         else
08377                                 *result = FALSE;
08378                 }
08379                 return 0;
08380 
08381         case T_NETOBJ:
08382                 if (!tid.netobj.sock_p) {
08383                         if (!rsbac_ta_list_get_data_ttl
08384                             (0, default_netobj_handle, NULL, &desc,
08385                              &i_rights)) {
08386                                 if (i_rights & i_rvec)
08387                                         *result = TRUE;
08388                                 else
08389                                         *result = FALSE;
08390                         } else {
08391                                 if (default_netobj_rights & i_rvec)
08392                                         *result = TRUE;
08393                                 else
08394                                         *result = FALSE;
08395                         }
08396                         return 0;
08397                 }
08398 
08399                 if (!rsbac_ta_list_lol_get_subdata_ttl(0, netobj_handle,
08400                                                        NULL,
08401                                                        &tid.netobj.sock_p,
08402                                                        &desc, &i_rights)
08403                     ) {
08404                         if (i_rights & i_rvec)
08405                                 *result = TRUE;
08406                         else
08407                                 *result = FALSE;
08408                         return 0;
08409                 }
08410 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08411                 if (right != ACLR_SUPERVISOR)
08412 #endif
08413                 {
08414                         rsbac_acl_rights_vector_t mask;
08415 
08416                         /* get mask to filter through */
08417                         if (!rsbac_ta_list_lol_get_data_ttl
08418                             (0, netobj_handle, NULL, &tid.netobj.sock_p,
08419                              &mask)
08420                             && !(mask & i_rvec)
08421                             ) {
08422                                 *result = FALSE;
08423                                 return 0;
08424                         }
08425                 }
08426                 /* Try net template */
08427                 {
08428                         rsbac_net_temp_id_t temp = 0;
08429 
08430                         if (rsbac_net_remote_request(right)) {
08431                                 if(tid.netobj.remote_temp)
08432                                         temp = tid.netobj.remote_temp;
08433                                 else
08434                                         rsbac_ta_net_lookup_templates(0,
08435                                                               &tid.netobj,
08436                                                               NULL, &temp);
08437                         } else {
08438                                 if(tid.netobj.local_temp)
08439                                         temp = tid.netobj.local_temp;
08440                                 else
08441                                         rsbac_ta_net_lookup_templates(0,
08442                                                               &tid.netobj,
08443                                                               &temp, NULL);
08444                         }
08445                         if (temp
08446                             && !rsbac_ta_list_lol_get_subdata_ttl(0,
08447                                                                   nettemp_handle,
08448                                                                   NULL,
08449                                                                   &temp,
08450                                                                   &desc,
08451                                                                   &i_rights)
08452                             ) {
08453                                 if (i_rights & i_rvec)
08454                                         *result = TRUE;
08455                                 else
08456                                         *result = FALSE;
08457                                 return 0;
08458                         }
08459 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08460                         if (right != ACLR_SUPERVISOR)
08461 #endif
08462                         {
08463                                 rsbac_acl_rights_vector_t mask;
08464 
08465                                 /* get mask from template to filter through */
08466                                 if (!rsbac_ta_list_lol_get_data_ttl
08467                                     (0, nettemp_handle, NULL, &temp, &mask)
08468                                     && !(mask & i_rvec)
08469                                     ) {
08470                                         *result = FALSE;
08471                                         return 0;
08472                                 }
08473                         }
08474                 }
08475 
08476                 /* no inheritance possible -> try default acl */
08477                 if (!rsbac_ta_list_get_data_ttl(0, default_netobj_handle,
08478                                                 NULL, &desc, &i_rights)
08479                     ) {
08480                         if (i_rights & i_rvec)
08481                                 *result = TRUE;
08482                         else
08483                                 *result = FALSE;
08484                 } else {
08485                         if (default_netobj_rights & i_rvec)
08486                                 *result = TRUE;
08487                         else
08488                                 *result = FALSE;
08489                 }
08490                 return 0;
08491 #endif                          /* NET_OBJ_PROT */
08492 
08493         default:
08494                 return -RSBAC_EINVALIDTARGET;
08495         }
08496 }
08497 
08498 /*************************************************
08499  * rsbac_acl_get_tlist
08500  * Get subjects from ACL entries for given target.
08501  */
08502 
08503 int rsbac_acl_get_tlist(rsbac_list_ta_number_t ta_number,
08504                         enum rsbac_target_t target,
08505                         union rsbac_target_id_t tid,
08506                         struct rsbac_acl_entry_t **entry_pp,
08507                         rsbac_time_t ** ttl_pp)
08508 {
08509         int count = 0;
08510         struct rsbac_acl_device_list_item_t *device_p;
08511 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
08512         u_long dflags;
08513 #endif
08514 
08515         if (!rsbac_is_initialized()) {
08516                 rsbac_printk(KERN_WARNING "rsbac_acl_get_tlist(): RSBAC not initialized\n");
08517                 return (-RSBAC_ENOTINITIALIZED);
08518         }
08519         if (!entry_pp)
08520                 return (-RSBAC_EINVALIDPOINTER);
08521 #ifdef CONFIG_RSBAC_DEBUG
08522         if (in_interrupt()) {
08523                 rsbac_printk(KERN_WARNING "rsbac_acl_get_tlist(): called from interrupt!\n");
08524         }
08525 #endif
08526         switch (target) {
08527         case T_FD:
08528         case T_FILE:
08529         case T_DIR:
08530         case T_FIFO:
08531         case T_SYMLINK:
08532         case T_UNIXSOCK:
08533                 /* default entry? */
08534                 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode
08535                     && !tid.file.dentry_p)
08536                         return rsbac_ta_list_get_all_items_ttl(ta_number,
08537                                                                default_fd_handle,
08538                                                                (void **)
08539                                                                entry_pp,
08540                                                                ttl_pp);
08541 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
08542                 rcu_read_lock();
08543 #else
08544                 rsbac_read_lock(&device_list_lock, &dflags);
08545 #endif
08546                 /* lookup device */
08547                 device_p = acl_lookup_device(tid.file.device);
08548                 if (!device_p) {
08549                         /* trigger rsbac_mount() */
08550 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
08551                         rcu_read_unlock();
08552 #else
08553                         rsbac_read_unlock(&device_list_lock, &dflags);
08554 #endif
08555                         rsbac_get_super_block(tid.file.device);
08556                         /* retry */
08557 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
08558                         rcu_read_lock();
08559 #else
08560                         rsbac_read_lock(&device_list_lock, &dflags);
08561 #endif
08562                         device_p = acl_lookup_device(tid.file.device);
08563                         if (!device_p) {
08564                                 rsbac_printk(KERN_WARNING "rsbac_acl_get_tlist(): Could not lookup device!\n");
08565 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
08566                                 rcu_read_unlock();
08567 #else
08568                                 rsbac_read_unlock(&device_list_lock, &dflags);
08569 #endif
08570                                 return (-RSBAC_EINVALIDDEV);
08571                         }
08572                 }
08573                 /* protect this list */
08574                 count = rsbac_ta_list_lol_get_all_subitems_ttl(ta_number,
08575                                                                device_p->
08576                                                                handle,
08577                                                                &tid.file.
08578                                                                inode,
08579                                                                (void **)
08580                                                                entry_pp,
08581                                                                ttl_pp);
08582 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
08583                 rcu_read_unlock();
08584 #else
08585                 rsbac_read_unlock(&device_list_lock, &dflags);
08586 #endif
08587                 return count;
08588 
08589         case T_DEV:
08590                 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev))
08591                         return rsbac_ta_list_get_all_items_ttl(ta_number,
08592                                                                default_dev_handle,
08593                                                                (void **)
08594                                                                entry_pp,
08595                                                                ttl_pp);
08596                 else
08597                         switch (tid.dev.type) {
08598                         case D_char:
08599                         case D_block:
08600                                 return
08601                                     rsbac_ta_list_lol_get_all_subitems_ttl
08602                                     (ta_number, dev_handle, &tid.dev,
08603                                      (void **) entry_pp, ttl_pp);
08604 
08605                         case D_char_major:
08606                         case D_block_major:
08607                                 tid.dev.type -= (D_block_major - D_block);
08608                                 return
08609                                     rsbac_ta_list_lol_get_all_subitems_ttl
08610                                     (ta_number, dev_major_handle, &tid.dev,
08611                                      (void **) entry_pp, ttl_pp);
08612 
08613                         default:
08614                                 return -RSBAC_EINVALIDTARGET;
08615                         }
08616 
08617         case T_IPC:
08618                 /* default entry */
08619                 return rsbac_ta_list_get_all_items_ttl(ta_number,
08620                                                        default_ipc_handle,
08621                                                        (void **) entry_pp,
08622                                                        ttl_pp);
08623 
08624         case T_SCD:
08625                 if ((tid.scd == AST_none)
08626                     || (tid.scd == ST_none)
08627                     )
08628                         return rsbac_ta_list_get_all_items_ttl(ta_number,
08629                                                                default_scd_handle,
08630                                                                (void **)
08631                                                                entry_pp,
08632                                                                ttl_pp);
08633                 else
08634                         return
08635                             rsbac_ta_list_lol_get_all_subitems_ttl
08636                             (ta_number, scd_handle, &tid.scd,
08637                              (void **) entry_pp, ttl_pp);
08638 
08639         case T_USER:
08640                 if (tid.user == RSBAC_NO_USER)
08641                         return rsbac_ta_list_get_all_items_ttl(ta_number,
08642                                                                default_u_handle,
08643                                                                (void **)
08644                                                                entry_pp,
08645                                                                ttl_pp);
08646                 else
08647                         return
08648                             rsbac_ta_list_lol_get_all_subitems_ttl
08649                             (ta_number, u_handle, &tid.user,
08650                              (void **) entry_pp, ttl_pp);
08651 
08652         case T_PROCESS:
08653                 return rsbac_ta_list_get_all_items_ttl(ta_number,
08654                                                        default_p_handle,
08655                                                        (void **) entry_pp,
08656                                                        ttl_pp);
08657 
08658 #ifdef CONFIG_RSBAC_ACL_UM_PROT
08659         case T_GROUP:
08660                 if (tid.group == RSBAC_NO_GROUP)
08661                         return rsbac_ta_list_get_all_items_ttl(ta_number,
08662                                                                default_g_handle,
08663                                                                (void **)
08664                                                                entry_pp,
08665                                                                ttl_pp);
08666                 else
08667                         return
08668                             rsbac_ta_list_lol_get_all_subitems_ttl
08669                             (ta_number, g_handle, &tid.group,
08670                              (void **) entry_pp, ttl_pp);
08671 #endif
08672 
08673 #if defined(CONFIG_RSBAC_ACL_NET_DEV_PROT)
08674         case T_NETDEV:
08675                 if (!tid.netdev[0])
08676                         return rsbac_ta_list_get_all_items_ttl(ta_number,
08677                                                                default_netdev_handle,
08678                                                                (void **)
08679                                                                entry_pp,
08680                                                                ttl_pp);
08681                 else
08682                         return
08683                             rsbac_ta_list_lol_get_all_subitems_ttl
08684                             (ta_number, netdev_handle, &tid.netdev,
08685                              (void **) entry_pp, ttl_pp);
08686 #endif
08687 
08688 #if defined(CONFIG_RSBAC_ACL_NET_OBJ_PROT)
08689         case T_NETTEMP_NT:
08690                 if (!tid.nettemp)
08691                         return rsbac_ta_list_get_all_items_ttl(ta_number,
08692                                                                default_nettemp_nt_handle,
08693                                                                (void **)
08694                                                                entry_pp,
08695                                                                ttl_pp);
08696                 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
08697                         return -RSBAC_EINVALIDTARGET;
08698                 return rsbac_ta_list_lol_get_all_subitems_ttl(ta_number,
08699                                                               nettemp_nt_handle,
08700                                                               &tid.nettemp,
08701                                                               (void **)
08702                                                               entry_pp,
08703                                                               ttl_pp);
08704 
08705         case T_NETTEMP:
08706                 if (!tid.nettemp)
08707                         return -RSBAC_EINVALIDTARGET;
08708                 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
08709                         return -RSBAC_EINVALIDTARGET;
08710                 return rsbac_ta_list_lol_get_all_subitems_ttl(ta_number,
08711                                                               nettemp_handle,
08712                                                               &tid.nettemp,
08713                                                               (void **)
08714                                                               entry_pp,
08715                                                               ttl_pp);
08716 
08717         case T_NETOBJ:
08718                 if (!tid.nettemp)
08719                         return rsbac_ta_list_get_all_items_ttl(ta_number,
08720                                                                default_netobj_handle,
08721                                                                (void **)
08722                                                                entry_pp,
08723                                                                ttl_pp);
08724                 else
08725                         return
08726                             rsbac_ta_list_lol_get_all_subitems_ttl
08727                             (ta_number, netobj_handle, &tid.netobj.sock_p,
08728                              (void **) entry_pp, ttl_pp);
08729 #endif                          /* NET_OBJ_PROT */
08730 
08731         default:
08732                 return -RSBAC_EINVALIDTARGET;
08733         }
08734 }
08735 
08736 /* Remove a subject from all acls (but not from group memberships, see remove_user) */
08737 int rsbac_acl_remove_subject(rsbac_list_ta_number_t ta_number,
08738                              struct rsbac_acl_entry_desc_t desc)
08739 {
08740         struct rsbac_acl_device_list_item_t *device_p;
08741 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
08742         u_long dflags;
08743 #endif
08744 
08745         if (desc.subj_type >= ACLS_NONE)
08746                 return -RSBAC_EINVALIDVALUE;
08747 
08748         /* remove from default ACLs */
08749         rsbac_ta_list_remove(ta_number, default_fd_handle, &desc);
08750         rsbac_ta_list_remove(ta_number, default_dev_handle, &desc);
08751         rsbac_ta_list_remove(ta_number, default_ipc_handle, &desc);
08752         rsbac_ta_list_remove(ta_number, default_scd_handle, &desc);
08753         rsbac_ta_list_remove(ta_number, default_u_handle, &desc);
08754         rsbac_ta_list_remove(ta_number, default_p_handle, &desc);
08755 #ifdef CONFIG_RSBAC_ACL_UM_PROT
08756         rsbac_ta_list_remove(ta_number, default_g_handle, &desc);
08757 #endif
08758 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
08759         rsbac_ta_list_remove(ta_number, default_netdev_handle, &desc);
08760 #endif
08761 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
08762         rsbac_ta_list_remove(ta_number, default_nettemp_nt_handle, &desc);
08763         rsbac_ta_list_remove(ta_number, default_netobj_handle, &desc);
08764 #endif
08765 
08766 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
08767         rcu_read_lock();
08768 #else
08769         rsbac_read_lock(&device_list_lock, &dflags);
08770 #endif
08771         device_p = rcu_dereference(device_list_head_p)->head;
08772         while (device_p) {
08773                 rsbac_ta_list_lol_subremove_from_all(ta_number,
08774                                                      device_p->handle,
08775                                                      &desc);
08776                 device_p = device_p->next;
08777         }
08778 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
08779         rcu_read_unlock();
08780 #else
08781         rsbac_read_unlock(&device_list_lock, &dflags);
08782 #endif
08783 
08784         /* dev list */
08785         rsbac_ta_list_lol_subremove_from_all(ta_number, dev_major_handle,
08786                                              &desc);
08787         rsbac_ta_list_lol_subremove_from_all(ta_number, dev_handle, &desc);
08788 
08789         /* scd list */
08790         rsbac_ta_list_lol_subremove_from_all(ta_number, scd_handle, &desc);
08791 
08792         /* user list */
08793         rsbac_ta_list_lol_subremove_from_all(ta_number, u_handle, &desc);
08794 
08795 #ifdef CONFIG_RSBAC_ACL_UM_PROT
08796         /* Linux group list */
08797         rsbac_ta_list_lol_subremove_from_all(ta_number, g_handle, &desc);
08798 #endif
08799 
08800 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
08801         /* netdev list */
08802         rsbac_ta_list_lol_subremove_from_all(ta_number, netdev_handle,
08803                                              &desc);
08804 #endif
08805 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
08806         rsbac_ta_list_lol_subremove_from_all(ta_number, nettemp_nt_handle,
08807                                              &desc);
08808         rsbac_ta_list_lol_subremove_from_all(ta_number, nettemp_handle,
08809                                              &desc);
08810         rsbac_ta_list_lol_subremove_from_all(ta_number, netobj_handle,
08811                                              &desc);
08812 #endif
08813 
08814         return 0;
08815 }
08816 
08817 /* add a group with new id and fill this id into *group_id_p */
08818 /* if old content of group_id_p is 0, make new id, else try given id */
08819 int rsbac_acl_add_group(rsbac_list_ta_number_t ta_number,
08820                         rsbac_uid_t owner,
08821                         enum rsbac_acl_group_type_t type,
08822                         char *name, rsbac_acl_group_id_t * group_id_p)
08823 {
08824         struct rsbac_acl_group_entry_t entry;
08825         int err = 0;
08826 
08827         if (type >= ACLG_NONE)
08828                 return -RSBAC_EINVALIDVALUE;
08829         if (!name || !group_id_p)
08830                 return -RSBAC_EINVALIDPOINTER;
08831         if (!name[0])
08832                 return -RSBAC_EINVALIDVALUE;
08833         entry.owner = owner;
08834         entry.type = type;
08835         strncpy(entry.name, name, RSBAC_ACL_GROUP_NAMELEN - 1);
08836         entry.name[RSBAC_ACL_GROUP_NAMELEN - 1] = 0;
08837         if (!*group_id_p) {
08838                 /* step new group counter */
08839                 group_last_new++;
08840                 /* Just in case the counter has wrapped. It is almost impossible that all IDs are in use. */
08841                 while (!group_last_new
08842                        || rsbac_ta_list_exist(ta_number, group_handle,
08843                                               &group_last_new))
08844                         group_last_new++;
08845 
08846                 entry.id = group_last_new;
08847         } else {
08848                 if (rsbac_ta_list_exist
08849                     (ta_number, group_handle, group_id_p)) {
08850                         return (-RSBAC_EEXISTS);
08851                 } else
08852                         entry.id = *group_id_p;
08853         }
08854         if (rsbac_ta_list_add_ttl
08855             (ta_number, group_handle, 0, &entry.id, &entry))
08856                 err = -RSBAC_ECOULDNOTADDITEM;
08857         else {
08858                 *group_id_p = entry.id;
08859         }
08860         return (err);
08861 }
08862 
08863 int rsbac_acl_change_group(rsbac_list_ta_number_t ta_number,
08864                            rsbac_acl_group_id_t id,
08865                            rsbac_uid_t owner,
08866                            enum rsbac_acl_group_type_t type, char *name)
08867 {
08868         struct rsbac_acl_group_entry_t entry;
08869 
08870         if (!id)
08871                 return -RSBAC_EINVALIDVALUE;
08872         if (!rsbac_ta_list_exist(ta_number, group_handle, &id))
08873                 return (-RSBAC_ENOTFOUND);
08874         if (!name)
08875                 return -RSBAC_EINVALIDPOINTER;
08876         if (!name[0])
08877                 return -RSBAC_EINVALIDVALUE;
08878         entry.id = id;
08879         entry.owner = owner;
08880         entry.type = type;
08881         strncpy(entry.name, name, RSBAC_ACL_GROUP_NAMELEN);
08882         entry.name[RSBAC_ACL_GROUP_NAMELEN - 1] = 0;
08883         return rsbac_ta_list_add_ttl(ta_number, group_handle, 0, &entry.id,
08884                                      &entry);
08885 }
08886 
08887 int rsbac_acl_remove_group(rsbac_list_ta_number_t ta_number,
08888                            rsbac_acl_group_id_t id)
08889 {
08890         int err = 0;
08891 
08892         if (!id)
08893                 return -RSBAC_EINVALIDVALUE;
08894 
08895         err = rsbac_ta_list_remove(ta_number, group_handle, &id);
08896         if (!err) {
08897                 struct rsbac_acl_entry_desc_t desc;
08898 
08899                 /* cleanup group memberships */
08900                 rsbac_ta_list_lol_subremove_from_all(ta_number, gm_handle,
08901                                                      &id);
08902                 desc.subj_type = ACLS_GROUP;
08903                 desc.subj_id = id;
08904                 err = rsbac_acl_remove_subject(ta_number, desc);
08905         }
08906         return (err);
08907 }
08908 
08909 int rsbac_acl_get_group_entry(rsbac_list_ta_number_t ta_number,
08910                               rsbac_acl_group_id_t group,
08911                               struct rsbac_acl_group_entry_t *entry_p)
08912 {
08913         if (!group)
08914                 return -RSBAC_EINVALIDVALUE;
08915         if (!entry_p)
08916                 return -RSBAC_EINVALIDPOINTER;
08917         return rsbac_ta_list_get_data_ttl(ta_number, group_handle, NULL,
08918                                           &group, entry_p);
08919 }
08920 
08921 int rsbac_acl_list_groups(rsbac_list_ta_number_t ta_number,
08922                           rsbac_uid_t owner,
08923                           rsbac_boolean_t include_global,
08924                           struct rsbac_acl_group_entry_t **entry_pp)
08925 {
08926         long count;
08927         struct rsbac_acl_group_entry_t *local_entry_p;
08928 
08929         if (!entry_pp)
08930                 return -RSBAC_EINVALIDPOINTER;
08931         count =
08932             rsbac_ta_list_get_all_data(ta_number, group_handle,
08933                                        (void **) &local_entry_p);
08934         if (count > 0) {
08935                 long i;
08936                 long rescount = 0;
08937 
08938                 *entry_pp = rsbac_vmalloc(count * sizeof(**entry_pp));
08939                 if (!*entry_pp) {
08940                         rsbac_vfree(local_entry_p);
08941                         return -RSBAC_ENOMEM;
08942                 }
08943                 for (i = 0; i < count; i++) {
08944                         if ((local_entry_p[i].owner == owner)
08945                             || (include_global
08946                                 && (local_entry_p[i].type == ACLG_GLOBAL)
08947                             )
08948                             ) {
08949                                 memcpy(&(*entry_pp)[rescount],
08950                                        &local_entry_p[i],
08951                                        sizeof(local_entry_p[i]));
08952                                 rescount++;
08953                         }
08954                 }
08955                 rsbac_vfree(local_entry_p);
08956                 count = rescount;
08957         }
08958         return count;
08959 }
08960 
08961 /* check group existence */
08962 rsbac_boolean_t rsbac_acl_group_exist(rsbac_acl_group_id_t group)
08963 {
08964         if (!group)
08965                 return TRUE;
08966         return rsbac_ta_list_exist(0, group_handle, &group);
08967 }
08968 
08969 int rsbac_acl_add_group_member(rsbac_list_ta_number_t ta_number,
08970                                rsbac_acl_group_id_t group,
08971                                rsbac_uid_t user, rsbac_time_t ttl)
08972 {
08973         int err = 0;
08974 
08975         if (!group)
08976                 return -RSBAC_EINVALIDVALUE;
08977         if (!rsbac_ta_list_exist(ta_number, group_handle, &group))
08978                 return -RSBAC_EINVALIDVALUE;
08979 
08980         if (!rsbac_ta_list_lol_exist(ta_number, gm_handle, &user)) {
08981                 err =
08982                     rsbac_ta_list_lol_add_ttl(ta_number, gm_handle, 0,
08983                                               &user, NULL);
08984                 if (err)
08985                         return err;
08986         }
08987         return rsbac_ta_list_lol_subadd_ttl(ta_number, gm_handle, ttl,
08988                                             &user, &group, NULL);
08989 }
08990 
08991 int rsbac_acl_remove_group_member(rsbac_list_ta_number_t ta_number,
08992                                   rsbac_acl_group_id_t group,
08993                                   rsbac_uid_t user)
08994 {
08995         int err;
08996 
08997         if (!group)
08998                 return -RSBAC_EINVALIDVALUE;
08999         if (!rsbac_ta_list_exist(ta_number, group_handle, &group))
09000                 return -RSBAC_EINVALIDVALUE;
09001 
09002         err =
09003             rsbac_ta_list_lol_subremove(ta_number, gm_handle, &user,
09004                                         &group);
09005         /* cleanup empty gm items */
09006         if (!err
09007             && !rsbac_ta_list_lol_subcount(ta_number, gm_handle, &user)
09008             )
09009                 err =
09010                     rsbac_ta_list_lol_remove(ta_number, gm_handle, &user);
09011 
09012         return err;
09013 }
09014 
09015 /* check membership */
09016 rsbac_boolean_t rsbac_acl_group_member(rsbac_acl_group_id_t group,
09017                                        rsbac_uid_t user)
09018 {
09019         return rsbac_ta_list_lol_subexist(0, gm_handle, &user, &group);
09020 }
09021 
09022 /* build vmalloc'd array of all group memberships of the given user */
09023 /* returns number of groups or negative error */
09024 /* Attention: memory deallocation with rsbac_vfree (if result > 0) must be done by caller! */
09025 int rsbac_acl_get_user_groups(rsbac_list_ta_number_t ta_number,
09026                               rsbac_uid_t user,
09027                               rsbac_acl_group_id_t ** group_pp,
09028                               rsbac_time_t ** ttl_pp)
09029 {
09030         return rsbac_ta_list_lol_get_all_subdesc_ttl(ta_number,
09031                                                      gm_handle,
09032                                                      &user,
09033                                                      (void **) group_pp,
09034                                                      ttl_pp);
09035 }
09036 
09037 /* Returns number of members or negative error */
09038 int rsbac_acl_get_group_members(rsbac_list_ta_number_t ta_number,
09039                                 rsbac_acl_group_id_t group,
09040                                 rsbac_uid_t user_array[],
09041                                 rsbac_time_t ttl_array[], int maxnum)
09042 {
09043         long desc_count;
09044         long i;
09045         rsbac_uid_t *user_p;
09046         int err = 0;
09047 
09048         if (!group || (maxnum <= 0))
09049                 return -RSBAC_EINVALIDVALUE;
09050         if (!rsbac_ta_list_exist(ta_number, group_handle, &group))
09051                 return -RSBAC_EINVALIDVALUE;
09052         if (!user_array)
09053                 return -RSBAC_EINVALIDPOINTER;
09054 
09055         /* traverse group memberships */
09056         desc_count =
09057             rsbac_ta_list_lol_get_all_desc(ta_number, gm_handle,
09058                                            (void **) &user_p);
09059         if (desc_count > 0) {
09060                 rsbac_time_t ttl;
09061 
09062                 for (i = 0; i < desc_count; i++) {
09063                         if (!rsbac_ta_list_lol_get_subdata_ttl
09064                             (ta_number, gm_handle, &ttl, &user_p[i],
09065                              &group, NULL)) {
09066                                 user_array[err] = user_p[i];
09067                                 if (ttl_array)
09068                                         ttl_array[err] = ttl;
09069                                 err++;
09070                                 if (err >= maxnum)
09071                                         break;
09072                         }
09073                 }
09074                 rsbac_vfree(user_p);
09075         }
09076         return (err);
09077 }
09078 
09079 int rsbac_acl_list_all_dev(rsbac_list_ta_number_t ta_number,
09080                            struct rsbac_dev_desc_t **id_pp)
09081 {
09082         if (id_pp)
09083                 return rsbac_ta_list_lol_get_all_desc(ta_number,
09084                                                       dev_handle,
09085                                                       (void **) id_pp);
09086         else
09087                 return rsbac_ta_list_lol_count(ta_number, dev_handle);
09088 }
09089 
09090 int rsbac_acl_list_all_major_dev(rsbac_list_ta_number_t ta_number,
09091                                  struct rsbac_dev_desc_t **id_pp)
09092 {
09093         if (id_pp) {
09094                 int count;
09095 
09096                 count =
09097                     rsbac_ta_list_lol_get_all_desc(ta_number,
09098                                                    dev_major_handle,
09099                                                    (void **) id_pp);
09100                 if (count > 0) {
09101                         u_int i;
09102                         struct rsbac_dev_desc_t *tmp_p;
09103 
09104                         tmp_p = *id_pp;
09105                         for (i = 0; i < count; i++)
09106                                 tmp_p[i].type += (D_block_major - D_block);
09107                 }
09108                 return count;
09109         } else
09110                 return rsbac_ta_list_lol_count(ta_number,
09111                                                dev_major_handle);
09112 }
09113 
09114 int rsbac_acl_list_all_user(rsbac_list_ta_number_t ta_number,
09115                             rsbac_uid_t ** id_pp)
09116 {
09117         if (id_pp)
09118                 return rsbac_ta_list_lol_get_all_desc(ta_number, u_handle,
09119                                                       (void **) id_pp);
09120         else
09121                 return rsbac_ta_list_lol_count(ta_number, u_handle);
09122 }
09123 
09124 #ifdef CONFIG_RSBAC_ACL_UM_PROT
09125 int rsbac_acl_list_all_group(rsbac_list_ta_number_t ta_number,
09126                              rsbac_gid_t ** id_pp)
09127 {
09128         if (id_pp)
09129                 return rsbac_ta_list_lol_get_all_desc(ta_number, g_handle,
09130                                                       (void **) id_pp);
09131         else
09132                 return rsbac_ta_list_lol_count(ta_number, g_handle);
09133 }
09134 #endif
09135 
09136 /********************************************/
09137 /* remove user from all groups and all ACLs */
09138 int rsbac_acl_remove_user(rsbac_list_ta_number_t ta_number,
09139                           rsbac_uid_t user)
09140 {
09141         u_long i;
09142         struct rsbac_acl_group_entry_t *entry_p;
09143         long desc_count;
09144         struct rsbac_acl_entry_desc_t desc;
09145 
09146         rsbac_ta_list_lol_remove(ta_number, gm_handle, &user);
09147         /* traverse groups for this owner */
09148         desc_count =
09149             rsbac_ta_list_get_all_data(ta_number, group_handle,
09150                                        (void **) &entry_p);
09151         if (desc_count > 0) {
09152                 for (i = 0; i < desc_count; i++) {
09153                         if (entry_p[i].owner == user) {
09154                                 rsbac_ta_list_remove(ta_number,
09155                                                      group_handle,
09156                                                      &entry_p[i].id);
09157                                 /* cleanup group memberships */
09158                                 rsbac_ta_list_lol_subremove_from_all
09159                                     (ta_number, gm_handle, &entry_p[i].id);
09160                         }
09161                 }
09162                 rsbac_vfree(entry_p);
09163         }
09164 
09165         desc.subj_type = ACLS_USER;
09166         desc.subj_id = user;
09167 
09168         return rsbac_acl_remove_subject(ta_number, desc);
09169 }

Generated on Wed May 16 11:53:41 2007 for RSBAC by  doxygen 1.5.1