#include <linux/string.h>
#include <linux/init.h>
#include <linux/module.h>
#include <rsbac/types.h>
#include <rsbac/aci.h>
#include <rsbac/adf.h>
#include <rsbac/adf_main.h>
#include <rsbac/error.h>
#include <rsbac/helpers.h>
#include <rsbac/getname.h>
#include <rsbac/cap_getname.h>
#include <rsbac/jail_getname.h>
#include <rsbac/rkmem.h>
#include <rsbac/network.h>
Go to the source code of this file.
Functions | |
void __init | rsbac_init_adf (void) |
enum rsbac_adf_req_ret_t | adf_and_plus (enum rsbac_adf_req_ret_t res1, enum rsbac_adf_req_ret_t res2) |
EXPORT_SYMBOL (rsbac_adf_request_int) | |
enum rsbac_adf_req_ret_t | rsbac_adf_request_int (enum rsbac_adf_request_t request, rsbac_pid_t caller_pid, enum rsbac_target_t target, union rsbac_target_id_t *tid_p, enum rsbac_attribute_t attr, union rsbac_attribute_value_t *attr_val_p, enum rsbac_switch_target_t ignore_module) |
EXPORT_SYMBOL (rsbac_adf_set_attr) | |
int | rsbac_adf_set_attr (enum rsbac_adf_request_t request, rsbac_pid_t caller_pid, enum rsbac_target_t target, union rsbac_target_id_t tid, enum rsbac_target_t new_target, union rsbac_target_id_t new_tid, enum rsbac_attribute_t attr, union rsbac_attribute_value_t attr_val) |
EXPORT_SYMBOL (rsbac_sec_trunc) | |
int | rsbac_sec_trunc (struct dentry *dentry_p, loff_t new_len, loff_t old_len) |
EXPORT_SYMBOL (rsbac_sec_del) | |
int | rsbac_sec_del (struct dentry *dentry_p) |
int | rsbac_set_audit_uid (rsbac_uid_t uid) |
Variables | |
u_long | rsbac_adf_request_count [T_NONE+1] = {0,0,0,0,0,0,0,0} |
u_long | rsbac_adf_set_attr_count [T_NONE+1] = {0,0,0,0,0,0,0,0} |
enum rsbac_adf_req_ret_t adf_and_plus | ( | enum rsbac_adf_req_ret_t | res1, | |
enum rsbac_adf_req_ret_t | res2 | |||
) |
Definition at line 139 of file adf_main.c.
References DO_NOT_CARE, GRANTED, NOT_GRANTED, and UNDEFINED.
Referenced by rsbac_adf_request_int(), and rsbac_adf_request_reg().
00141 { 00142 switch (res1) 00143 { 00144 case DO_NOT_CARE: return (res2); 00145 case GRANTED: if (res2 == DO_NOT_CARE) 00146 return (GRANTED); 00147 else 00148 return (res2); 00149 case NOT_GRANTED: if (res2 == UNDEFINED) 00150 return (UNDEFINED); 00151 else 00152 return (NOT_GRANTED); 00153 default: return (UNDEFINED); 00154 } 00155 }
EXPORT_SYMBOL | ( | rsbac_sec_del | ) |
EXPORT_SYMBOL | ( | rsbac_sec_trunc | ) |
EXPORT_SYMBOL | ( | rsbac_adf_set_attr | ) |
EXPORT_SYMBOL | ( | rsbac_adf_request_int | ) |
enum rsbac_adf_req_ret_t rsbac_adf_request_int | ( | enum rsbac_adf_request_t | request, | |
rsbac_pid_t | caller_pid, | |||
enum rsbac_target_t | target, | |||
union rsbac_target_id_t * | tid_p, | |||
enum rsbac_attribute_t | attr, | |||
union rsbac_attribute_value_t * | attr_val_p, | |||
enum rsbac_switch_target_t | ignore_module | |||
) |
Definition at line 165 of file adf_main.c.
References A_audit_uid, A_local_log_array_high, A_local_log_array_low, A_log_array_high, A_log_array_low, A_log_program_based, A_log_user_based, A_none, A_pseudo, A_remote_ip, A_remote_log_array_high, A_remote_log_array_low, adf_and_plus(), rsbac_attribute_value_t::audit_uid, DO_NOT_CARE, rsbac_attribute_value_t::dummy, FALSE, get_attribute_name(), get_attribute_value_name(), get_request_name(), get_result_name(), get_target_name(), GRANTED, LL_denied, LL_full, LL_request, rsbac_net_obj_desc_t::local_temp, rsbac_attribute_value_t::log_array_high, rsbac_attribute_value_t::log_array_low, rsbac_attribute_value_t::log_program_based, rsbac_attribute_value_t::log_user_based, rsbac_target_id_t::netobj, NIPQUAD, NOT_GRANTED, NULL, rsbac_attribute_value_t::owner, rsbac_target_id_t::process, rsbac_attribute_value_t::pseudo, R_CHANGE_DAC_EFF_GROUP, R_CHANGE_DAC_EFF_OWNER, R_CHANGE_DAC_FS_GROUP, R_CHANGE_DAC_FS_OWNER, R_CHANGE_GROUP, R_CHANGE_OWNER, R_CHDIR, R_CLOSE, R_GET_PERMISSIONS_DATA, R_GET_STATUS_DATA, R_NONE, R_READ, R_READ_ATTRIBUTE, R_SEARCH, R_TERMINATE, rsbac_attribute_value_t::remote_ip, rsbac_net_obj_desc_t::remote_temp, rsbac_adf_request_acl(), rsbac_adf_request_auth(), rsbac_adf_request_cap(), rsbac_adf_request_check(), rsbac_adf_request_count, rsbac_adf_request_daz(), rsbac_adf_request_ff(), rsbac_adf_request_int(), rsbac_adf_request_jail(), rsbac_adf_request_mac(), rsbac_adf_request_pax(), rsbac_adf_request_pm(), rsbac_adf_request_rc(), rsbac_adf_request_reg(), rsbac_adf_request_res(), RSBAC_EINVALIDDEV, rsbac_get_attr, rsbac_get_full_path(), rsbac_get_super_block(), rsbac_is_initialized(), rsbac_kfree(), rsbac_kmalloc(), rsbac_log_levels, RSBAC_MAXNAMELEN, rsbac_min, rsbac_net_remote_request(), RSBAC_NO_USER, rsbac_printk(), rsbac_remove_target, RSBAC_REQUEST_VECTOR, rsbac_ta_net_lookup_templates(), rsbac_um_group_exists(), rsbac_um_user_exists(), SW_ACL, SW_AUTH, SW_CAP, SW_DAZ, SW_FF, SW_GEN, SW_JAIL, SW_MAC, SW_NONE, SW_PAX, SW_PM, SW_RC, SW_REG, SW_RES, T_DEV, T_DIR, T_FIFO, T_FILE, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NONE, T_PROCESS, T_SYMLINK, T_UNIXSOCK, T_USER, TRUE, UNDEFINED, and rsbac_target_id_t::user.
Referenced by rsbac_adf_request(), rsbac_adf_request_int(), and rsbac_pm().
00172 { 00173 union rsbac_target_id_t i_tid; 00174 union rsbac_attribute_value_t i_attr_val; 00175 rsbac_uid_t owner=0; 00176 int tmperr=0; 00177 rsbac_request_vector_t request_vector; 00178 enum rsbac_adf_req_ret_t result = DO_NOT_CARE; 00179 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00180 enum rsbac_adf_req_ret_t ret_result = DO_NOT_CARE; 00181 #endif 00182 #ifndef CONFIG_RSBAC_MAINT 00183 enum rsbac_adf_req_ret_t mod_result[SW_NONE + 1] = { 00184 DO_NOT_CARE, 00185 DO_NOT_CARE, 00186 DO_NOT_CARE, 00187 DO_NOT_CARE, 00188 DO_NOT_CARE, 00189 DO_NOT_CARE, 00190 DO_NOT_CARE, 00191 DO_NOT_CARE, 00192 DO_NOT_CARE, 00193 DO_NOT_CARE, 00194 DO_NOT_CARE, 00195 DO_NOT_CARE, 00196 DO_NOT_CARE, 00197 DO_NOT_CARE, 00198 DO_NOT_CARE, 00199 DO_NOT_CARE, 00200 DO_NOT_CARE, 00201 DO_NOT_CARE 00202 }; 00203 #endif 00204 rsbac_boolean_t do_log = FALSE; 00205 rsbac_boolean_t log_on_request = TRUE; 00206 /* only if individual logging is enabled */ 00207 #if defined(CONFIG_RSBAC_IND_LOG) || defined(CONFIG_RSBAC_IND_NETDEV_LOG) || defined(CONFIG_RSBAC_IND_NETOBJ_LOG) 00208 union rsbac_attribute_value_t i_attr_val2; 00209 enum rsbac_log_level_t log_level; 00210 #endif 00211 struct super_block * sb_p; 00212 #ifdef CONFIG_RSBAC_SOFTMODE 00213 rsbac_boolean_t rsbac_internal = FALSE; 00214 #endif 00215 00216 /* No decision possible before init (called at boot time) -> don't care */ 00217 if (!rsbac_is_initialized()) 00218 return(DO_NOT_CARE); 00219 00220 /* Always granted for kernel (pid 0) and logging daemon */ 00221 if ( !caller_pid 00222 #if defined(CONFIG_RSBAC_LOG_REMOTE) 00223 || (caller_pid == rsbaclogd_pid) 00224 #endif 00225 ) 00226 return(GRANTED); 00227 00228 /* Checking base values */ 00229 if( request >= R_NONE 00230 || target > T_NONE 00231 || attr > A_none) 00232 { 00233 rsbac_printk(KERN_WARNING 00234 "rsbac_adf_request_int(): called with invalid request, target or attribute\n"); 00235 return(NOT_GRANTED); 00236 } 00237 request_vector = RSBAC_REQUEST_VECTOR(request); 00238 00239 if (in_interrupt()) 00240 { 00241 char * request_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00242 00243 if(request_name) 00244 { 00245 get_request_name(request_name, request); 00246 rsbac_printk(KERN_WARNING "rsbac_adf_request_int(): called from interrupt: request %s, pid %u, attr_val %u!\n", 00247 request_name, caller_pid, attr_val_p->dummy); 00248 kfree(request_name); 00249 } 00250 else 00251 { 00252 rsbac_printk(KERN_WARNING "rsbac_adf_request_int(): called from interrupt: request %u, pid %u!\n", 00253 request, caller_pid); 00254 } 00255 // return DO_NOT_CARE; 00256 } 00257 00258 /* Getting basic information about this request */ 00259 00260 /* only useful for real process, not idle or init */ 00261 if (caller_pid > 1) 00262 { 00263 tmperr = rsbac_get_owner(&owner); 00264 if(tmperr) 00265 { 00266 rsbac_printk(KERN_DEBUG 00267 "rsbac_adf_request_int(): caller_pid %i, RSBAC not initialized, returning DO_NOT_CARE\n", 00268 caller_pid); 00269 return DO_NOT_CARE; /* Startup-Sequence (see above) */ 00270 } 00271 } 00272 else /* caller_pid = 1 -> init, always owned by root */ 00273 owner = 0; 00274 00275 00276 /******************************************************/ 00277 /* General work for all modules - before module calls */ 00278 /* test target on rsbac_internal */ 00279 switch(target) 00280 { 00281 case T_FILE: 00282 case T_DIR: 00283 case T_FIFO: 00284 case T_SYMLINK: 00285 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT 00286 if ( ((sb_p = rsbac_get_super_block(tid_p->file.device))) 00287 && ( (sb_p->s_magic == NFS_SUPER_MAGIC) 00288 || (sb_p->s_magic == CODA_SUPER_MAGIC) 00289 || (sb_p->s_magic == NCP_SUPER_MAGIC) 00290 || (sb_p->s_magic == SMB_SUPER_MAGIC) 00291 ) 00292 ) 00293 { 00294 result = DO_NOT_CARE; 00295 goto log; 00296 } 00297 #endif 00298 /* No decision on pseudo pipefs */ 00299 if( (target == T_FIFO) 00300 && ((sb_p = rsbac_get_super_block(tid_p->file.device))) 00301 && (sb_p->s_magic == PIPEFS_MAGIC) 00302 ) 00303 return DO_NOT_CARE; 00304 00305 switch(request) 00306 { 00307 case R_GET_STATUS_DATA: 00308 case R_GET_PERMISSIONS_DATA: 00309 case R_READ_ATTRIBUTE: 00310 #ifdef CONFIG_RSBAC_DAT_VISIBLE 00311 case R_SEARCH: 00312 case R_READ: 00313 case R_CLOSE: 00314 case R_CHDIR: 00315 #endif 00316 break; 00317 00318 default: 00319 if ((tmperr = rsbac_get_attr(SW_GEN, 00320 target, 00321 *tid_p, 00322 A_internal, 00323 &i_attr_val, 00324 TRUE) )) 00325 { 00326 if(tmperr == -RSBAC_EINVALIDDEV) 00327 { 00328 // rsbac_ds_get_error_num("rsbac_adf_request()", A_internal, tmperr); 00329 return(DO_NOT_CARE); /* last calls on shutdown */ 00330 } 00331 else 00332 { 00333 rsbac_ds_get_error_num("rsbac_adf_request()", A_internal, tmperr); 00334 return(NOT_GRANTED); /* something weird happened */ 00335 } 00336 } 00337 /* no access to rsbac_internal objects is granted in any case */ 00338 if (i_attr_val.internal) 00339 { 00340 rsbac_printk(KERN_WARNING 00341 "rsbac_adf_request(): trial to access object declared RSBAC-internal!\n"); 00342 result = NOT_GRANTED; 00343 #ifndef CONFIG_RSBAC_MAINT 00344 mod_result[SW_NONE] = NOT_GRANTED; 00345 #endif 00346 #ifdef CONFIG_RSBAC_SOFTMODE 00347 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00348 ret_result = NOT_GRANTED; 00349 #endif 00350 rsbac_internal = TRUE; 00351 #endif 00352 } 00353 } 00354 break; 00355 00356 #if defined(CONFIG_RSBAC_UM_EXCL) 00357 case T_PROCESS: 00358 switch(request) 00359 { 00360 case R_CHANGE_OWNER: 00361 #ifdef CONFIG_RSBAC_DAC_OWNER 00362 case R_CHANGE_DAC_EFF_OWNER: 00363 case R_CHANGE_DAC_FS_OWNER: 00364 #endif 00365 if( (attr == A_owner) 00366 && !rsbac_um_no_excl 00367 && !rsbac_um_user_exists(0, attr_val_p->owner) 00368 ) 00369 { 00370 rsbac_printk(KERN_INFO 00371 "rsbac_adf_request(): uid %u not known to RSBAC User Management!\n", 00372 attr_val_p->owner); 00373 result = adf_and_plus(result, NOT_GRANTED); 00374 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00375 ret_result = adf_and_plus(ret_result, NOT_GRANTED); 00376 #endif 00377 } 00378 break; 00379 00380 case R_CHANGE_GROUP: 00381 #ifdef CONFIG_RSBAC_DAC_OWNER 00382 case R_CHANGE_DAC_EFF_GROUP: 00383 case R_CHANGE_DAC_FS_GROUP: 00384 #endif 00385 if( (attr == A_group) 00386 && !rsbac_um_no_excl 00387 && !rsbac_um_group_exists(0, attr_val_p->group) 00388 ) 00389 { 00390 rsbac_printk(KERN_INFO 00391 "rsbac_adf_request(): gid %u not known to RSBAC User Management!\n", 00392 attr_val_p->group); 00393 result = adf_and_plus(result, NOT_GRANTED); 00394 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00395 ret_result = adf_and_plus(ret_result, NOT_GRANTED); 00396 #endif 00397 } 00398 break; 00399 00400 default: 00401 break; 00402 } 00403 break; 00404 #endif /* UM_EXCL */ 00405 00406 #ifdef CONFIG_RSBAC_NET_OBJ 00407 #if defined(CONFIG_RSBAC_IND_NETOBJ_LOG) || defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_RC) 00408 case T_NETOBJ: 00409 if(rsbac_net_remote_request(request)) { 00410 tid_p->netobj.local_temp = 0; 00411 rsbac_ta_net_lookup_templates(0, 00412 &tid_p-> 00413 netobj, NULL, 00414 &tid_p->netobj.remote_temp); 00415 } else { 00416 tid_p->netobj.remote_temp = 0; 00417 rsbac_ta_net_lookup_templates(0, 00418 &tid_p-> 00419 netobj, 00420 &tid_p->netobj.local_temp, 00421 NULL); 00422 } 00423 #endif 00424 #endif 00425 00426 default: 00427 break; 00428 } 00429 00430 /**********************************************************/ 00431 /* calling all decision modules, building a common result */ 00432 00433 #ifdef CONFIG_RSBAC_DEBUG 00434 /* first, check for valid request/target combination */ 00435 /* (undefined should only happen in _check and means a real bug!) */ 00436 result = adf_and_plus(result,rsbac_adf_request_check(request, 00437 caller_pid, 00438 target, 00439 tid_p, 00440 attr, 00441 attr_val_p, 00442 owner) ); 00443 #endif 00444 00445 #if !defined(CONFIG_RSBAC_MAINT) 00446 /******* MAC ********/ 00447 #if defined(CONFIG_RSBAC_MAC) 00448 #ifdef CONFIG_RSBAC_SWITCH_MAC 00449 if (rsbac_switch_mac) 00450 #endif 00451 /* no need to call module, if to be ignored */ 00452 if(ignore_module != SW_MAC && (request_vector & RSBAC_MAC_REQUEST_VECTOR)) { 00453 mod_result[SW_MAC] = rsbac_adf_request_mac(request, 00454 caller_pid, 00455 target, 00456 *tid_p, 00457 attr, 00458 *attr_val_p, 00459 owner); 00460 result = adf_and_plus(result, mod_result[SW_MAC]); 00461 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00462 if(!rsbac_ind_softmode[SW_MAC]) 00463 ret_result = adf_and_plus(ret_result, mod_result[SW_MAC]); 00464 #endif 00465 } 00466 #endif /* MAC */ 00467 00468 /******* PM ********/ 00469 #if defined(CONFIG_RSBAC_PM) 00470 #ifdef CONFIG_RSBAC_SWITCH_PM 00471 if (rsbac_switch_pm) 00472 #endif 00473 /* no need to call module, if to be ignored */ 00474 if(ignore_module != SW_PM && (request_vector & RSBAC_PM_REQUEST_VECTOR)) 00475 { 00476 mod_result[SW_PM] = rsbac_adf_request_pm (request, 00477 caller_pid, 00478 target, 00479 *tid_p, 00480 attr, 00481 *attr_val_p, 00482 owner); 00483 result = adf_and_plus(result, mod_result[SW_PM]); 00484 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00485 if(!rsbac_ind_softmode[SW_PM]) 00486 ret_result = adf_and_plus(ret_result, mod_result[SW_PM]); 00487 #endif 00488 } 00489 #endif /* PM */ 00490 00491 /******* DAZ ********/ 00492 #if defined(CONFIG_RSBAC_DAZ) 00493 #ifdef CONFIG_RSBAC_SWITCH_DAZ 00494 if (rsbac_switch_daz) 00495 #endif 00496 /* no need to call module, if to be ignored */ 00497 if(ignore_module != SW_DAZ && (request_vector & RSBAC_DAZ_REQUEST_VECTOR)) 00498 { 00499 mod_result[SW_DAZ] = rsbac_adf_request_daz (request, 00500 caller_pid, 00501 target, 00502 *tid_p, 00503 attr, 00504 *attr_val_p, 00505 owner); 00506 result = adf_and_plus(result, mod_result[SW_DAZ]); 00507 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00508 if(!rsbac_ind_softmode[SW_DAZ]) 00509 ret_result = adf_and_plus(ret_result, mod_result[SW_DAZ]); 00510 #endif 00511 } 00512 #endif /* DAZ */ 00513 00514 /******* FF ********/ 00515 #if defined(CONFIG_RSBAC_FF) 00516 #ifdef CONFIG_RSBAC_SWITCH_FF 00517 if (rsbac_switch_ff) 00518 #endif 00519 /* no need to call module, if to be ignored */ 00520 if(ignore_module != SW_FF && (request_vector & RSBAC_FF_REQUEST_VECTOR)) 00521 { 00522 mod_result[SW_FF] = rsbac_adf_request_ff (request, 00523 caller_pid, 00524 target, 00525 *tid_p, 00526 attr, 00527 *attr_val_p, 00528 owner); 00529 result = adf_and_plus(result, mod_result[SW_FF]); 00530 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00531 if(!rsbac_ind_softmode[SW_FF]) 00532 ret_result = adf_and_plus(ret_result, mod_result[SW_FF]); 00533 #endif 00534 } 00535 #endif /* FF */ 00536 00537 /******* RC ********/ 00538 #if defined(CONFIG_RSBAC_RC) 00539 #ifdef CONFIG_RSBAC_SWITCH_RC 00540 if (rsbac_switch_rc) 00541 #endif 00542 /* no need to call module, if to be ignored */ 00543 if(ignore_module != SW_RC) 00544 { 00545 mod_result[SW_RC] = rsbac_adf_request_rc (request, 00546 caller_pid, 00547 target, 00548 *tid_p, 00549 attr, 00550 *attr_val_p, 00551 owner); 00552 result = adf_and_plus(result, mod_result[SW_RC]); 00553 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00554 if(!rsbac_ind_softmode[SW_RC]) 00555 ret_result = adf_and_plus(ret_result, mod_result[SW_RC]); 00556 #endif 00557 } 00558 #endif /* RC */ 00559 00560 /****** AUTH *******/ 00561 #if defined(CONFIG_RSBAC_AUTH) 00562 #ifdef CONFIG_RSBAC_SWITCH_AUTH 00563 if (rsbac_switch_auth) 00564 #endif 00565 /* no need to call module, if to be ignored */ 00566 if(ignore_module != SW_AUTH && (request_vector & RSBAC_AUTH_REQUEST_VECTOR)) 00567 { 00568 mod_result[SW_AUTH]= rsbac_adf_request_auth(request, 00569 caller_pid, 00570 target, 00571 *tid_p, 00572 attr, 00573 *attr_val_p, 00574 owner); 00575 result = adf_and_plus(result, mod_result[SW_AUTH]); 00576 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00577 if(!rsbac_ind_softmode[SW_AUTH]) 00578 ret_result = adf_and_plus(ret_result, mod_result[SW_AUTH]); 00579 #endif 00580 } 00581 #endif /* AUTH */ 00582 00583 /****** ACL *******/ 00584 #if defined(CONFIG_RSBAC_ACL) 00585 #ifdef CONFIG_RSBAC_SWITCH_ACL 00586 if (rsbac_switch_acl) 00587 #endif 00588 /* no need to call module, if to be ignored */ 00589 if(ignore_module != SW_ACL) 00590 { 00591 mod_result[SW_ACL] = rsbac_adf_request_acl(request, 00592 caller_pid, 00593 target, 00594 *tid_p, 00595 attr, 00596 *attr_val_p, 00597 owner); 00598 result = adf_and_plus(result, mod_result[SW_ACL]); 00599 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00600 if(!rsbac_ind_softmode[SW_ACL]) 00601 ret_result = adf_and_plus(ret_result, mod_result[SW_ACL]); 00602 #endif 00603 } 00604 #endif /* ACL */ 00605 00606 /****** CAP *******/ 00607 #if defined(CONFIG_RSBAC_CAP) 00608 #ifdef CONFIG_RSBAC_SWITCH_CAP 00609 if (rsbac_switch_cap) 00610 #endif 00611 /* no need to call module, if to be ignored */ 00612 if(ignore_module != SW_CAP && (request_vector & RSBAC_CAP_REQUEST_VECTOR)) 00613 { 00614 mod_result[SW_CAP] = rsbac_adf_request_cap(request, 00615 caller_pid, 00616 target, 00617 *tid_p, 00618 attr, 00619 *attr_val_p, 00620 owner); 00621 result = adf_and_plus(result, mod_result[SW_CAP]); 00622 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00623 if(!rsbac_ind_softmode[SW_CAP]) 00624 ret_result = adf_and_plus(ret_result, mod_result[SW_CAP]); 00625 #endif 00626 } 00627 #endif /* CAP */ 00628 00629 /****** JAIL *******/ 00630 #if defined(CONFIG_RSBAC_JAIL) 00631 #ifdef CONFIG_RSBAC_SWITCH_JAIL 00632 if (rsbac_switch_jail) 00633 #endif 00634 /* no need to call module, if to be ignored */ 00635 if(ignore_module != SW_JAIL && (request_vector & RSBAC_JAIL_REQUEST_VECTOR)) 00636 { 00637 mod_result[SW_JAIL]= rsbac_adf_request_jail(request, 00638 caller_pid, 00639 target, 00640 *tid_p, 00641 attr, 00642 *attr_val_p, 00643 owner); 00644 result = adf_and_plus(result, mod_result[SW_JAIL]); 00645 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00646 if(!rsbac_ind_softmode[SW_JAIL]) 00647 ret_result = adf_and_plus(ret_result, mod_result[SW_JAIL]); 00648 #endif 00649 } 00650 #endif /* JAIL */ 00651 00652 /******* PAX ********/ 00653 #if defined(CONFIG_RSBAC_PAX) 00654 #ifdef CONFIG_RSBAC_SWITCH_PAX 00655 if (rsbac_switch_pax) 00656 #endif 00657 /* no need to call module, if to be ignored */ 00658 if(ignore_module != SW_PAX && (request_vector & RSBAC_PAX_REQUEST_VECTOR)) 00659 { 00660 mod_result[SW_PAX] = rsbac_adf_request_pax (request, 00661 caller_pid, 00662 target, 00663 *tid_p, 00664 attr, 00665 *attr_val_p, 00666 owner); 00667 result = adf_and_plus(result, mod_result[SW_PAX]); 00668 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00669 if(!rsbac_ind_softmode[SW_PAX]) 00670 ret_result = adf_and_plus(ret_result, mod_result[SW_PAX]); 00671 #endif 00672 } 00673 #endif /* PAX */ 00674 00675 /****** RES *******/ 00676 #if defined(CONFIG_RSBAC_RES) 00677 #ifdef CONFIG_RSBAC_SWITCH_RES 00678 if (rsbac_switch_res) 00679 #endif 00680 /* no need to call module, if to be ignored */ 00681 if(ignore_module != SW_RES && (request_vector & RSBAC_RES_REQUEST_VECTOR)) 00682 { 00683 mod_result[SW_RES] = rsbac_adf_request_res(request, 00684 caller_pid, 00685 target, 00686 *tid_p, 00687 attr, 00688 *attr_val_p, 00689 owner); 00690 result = adf_and_plus(result, mod_result[SW_RES]); 00691 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00692 if(!rsbac_ind_softmode[SW_RES]) 00693 ret_result = adf_and_plus(ret_result, mod_result[SW_RES]); 00694 #endif 00695 } 00696 #endif /* RES */ 00697 00698 /****** REG *******/ 00699 #if defined(CONFIG_RSBAC_REG) 00700 if(ignore_module != SW_REG) 00701 { 00702 mod_result[SW_REG]= rsbac_adf_request_reg (request, 00703 caller_pid, 00704 target, 00705 *tid_p, 00706 attr, 00707 *attr_val_p, 00708 owner); 00709 result = adf_and_plus(result, mod_result[SW_REG]); 00710 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00711 if(!rsbac_ind_softmode[SW_REG]) 00712 ret_result = adf_and_plus(ret_result, mod_result[SW_REG]); 00713 #endif 00714 } 00715 #endif /* REG */ 00716 00717 #endif /* !MAINT */ 00718 00719 /****************************/ 00720 00721 #if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET) 00722 if( rsbac_debug_adf_net 00723 && ( (target == T_NETDEV) 00724 || (target == T_NETTEMP) 00725 || (target == T_NETOBJ) 00726 ) 00727 ) 00728 do_log = TRUE; 00729 #endif 00730 00731 /* log based on process owner */ 00732 #ifdef CONFIG_RSBAC_IND_USER_LOG 00733 i_tid.user = owner; 00734 if (rsbac_get_attr(SW_GEN, 00735 T_USER, 00736 i_tid, 00737 A_log_user_based, 00738 &i_attr_val, 00739 FALSE)) 00740 { 00741 rsbac_ds_get_error("rsbac_adf_request()", A_log_user_based); 00742 } 00743 else 00744 { 00745 if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_user_based) 00746 do_log = TRUE; 00747 } 00748 #endif /* CONFIG_RSBAC_IND_USER_LOG */ 00749 00750 /* log based on program */ 00751 #ifdef CONFIG_RSBAC_IND_PROG_LOG 00752 if(!do_log) 00753 { 00754 i_tid.process = caller_pid; 00755 if (rsbac_get_attr(SW_GEN, 00756 T_PROCESS, 00757 i_tid, 00758 A_log_program_based, 00759 &i_attr_val, 00760 FALSE)) 00761 { 00762 rsbac_ds_get_error("rsbac_adf_request()", A_log_program_based); 00763 } 00764 else 00765 { 00766 if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_program_based) 00767 do_log = TRUE; 00768 } 00769 } 00770 #endif /* CONFIG_RSBAC_IND_PROG_LOG */ 00771 00772 /*****************************************************/ 00773 /* General work for all modules - after module calls */ 00774 /* Note: the process' individual logging attributes are needed above */ 00775 switch(request) 00776 { 00777 case R_TERMINATE: 00778 if (target == T_PROCESS) 00779 rsbac_remove_target(T_PROCESS,*tid_p); 00780 break; 00781 00782 #ifdef CONFIG_RSBAC_USER_CHOWN 00783 case R_CHANGE_OWNER: 00784 if (target == T_PROCESS) { 00785 i_tid.user = attr_val_p->owner; 00786 i_attr_val.process = tid_p->process; 00787 result = adf_and_plus(result, 00788 rsbac_adf_request_int(request, 00789 caller_pid, 00790 T_USER, 00791 &i_tid, 00792 A_process, 00793 &i_attr_val, 00794 ignore_module)); 00795 } 00796 break; 00797 #endif 00798 00799 default: 00800 break; 00801 } 00802 00803 /* logging request on info level, if requested by file/dir/dev attributes */ 00804 /* log_array_low/high, or, if that is requested, if enabled for this request */ 00805 /* type (attributes state level, or that request based level is to be taken) */ 00806 /* loglevel 2: log everything */ 00807 /* loglevel 1: log, if denied */ 00808 /* loglevel 0: log nothing */ 00809 00810 #ifdef CONFIG_RSBAC_IND_LOG /* only if individual logging is enabled */ 00811 /* if file/dir/dev, depend log on log_arrays */ 00812 /* (but not for file.device = 0) */ 00813 /* log_on_request is TRUE */ 00814 if( !do_log 00815 && ( ( ( (target == T_FILE) 00816 || (target == T_DIR) 00817 || (target == T_FIFO) 00818 || (target == T_SYMLINK) 00819 || (target == T_UNIXSOCK) 00820 ) 00821 && RSBAC_MAJOR(tid_p->file.device) 00822 && RSBAC_MINOR(tid_p->file.device) 00823 ) 00824 || (target == T_DEV) 00825 ) 00826 ) 00827 { 00828 if (rsbac_get_attr(SW_GEN, 00829 target, 00830 *tid_p, 00831 A_log_array_low, 00832 &i_attr_val, 00833 FALSE)) 00834 { 00835 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_low); 00836 } 00837 else 00838 { 00839 if (rsbac_get_attr(SW_GEN, 00840 target, 00841 *tid_p, 00842 A_log_array_high, 00843 &i_attr_val2, 00844 FALSE)) 00845 { 00846 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_high); 00847 } 00848 else 00849 { /* ll = low-bit for request | (high-bit for request as bit 1) */ 00850 /* WARNING: we deal with u64 here, only logical operations and */ 00851 /* shifts work correctly! */ 00852 log_level = ((i_attr_val.log_array_low >> request) & 1) 00853 | ( ((i_attr_val2.log_array_high >> request) & 1) << 1); 00854 if ( log_level == LL_full 00855 || ( log_level == LL_denied 00856 && (result == NOT_GRANTED 00857 || result == UNDEFINED)) ) 00858 { 00859 do_log = TRUE; 00860 } 00861 if(log_level != LL_request) 00862 log_on_request = FALSE; 00863 } 00864 } 00865 } 00866 #endif /* CONFIG_RSBAC_IND_LOG */ 00867 00868 #ifdef CONFIG_RSBAC_IND_NETDEV_LOG /* only if individual logging for netdev is enabled */ 00869 /* if netdev, depend log on log_arrays */ 00870 /* log_on_request is TRUE */ 00871 if( !do_log 00872 && (target == T_NETDEV) 00873 ) 00874 { 00875 if (rsbac_get_attr(SW_GEN, 00876 target, 00877 *tid_p, 00878 A_log_array_low, 00879 &i_attr_val, 00880 FALSE)) 00881 { 00882 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_low); 00883 } 00884 else 00885 { 00886 if (rsbac_get_attr(SW_GEN, 00887 target, 00888 *tid_p, 00889 A_log_array_high, 00890 &i_attr_val2, 00891 FALSE)) 00892 { 00893 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_high); 00894 } 00895 else 00896 { /* ll = low-bit for request | (high-bit for request as bit 1) */ 00897 /* WARNING: we deal with u64 here, only logical operations and */ 00898 /* shifts work correctly! */ 00899 log_level = ((i_attr_val.log_array_low >> request) & 1) 00900 | ( ((i_attr_val2.log_array_high >> request) & 1) << 1); 00901 if ( log_level == LL_full 00902 || ( log_level == LL_denied 00903 && (result == NOT_GRANTED 00904 || result == UNDEFINED)) ) 00905 { 00906 do_log = TRUE; 00907 } 00908 if(log_level != LL_request) 00909 log_on_request = FALSE; 00910 } 00911 } 00912 } 00913 #endif /* CONFIG_RSBAC_IND_NETDEV_LOG */ 00914 00915 #ifdef CONFIG_RSBAC_IND_NETOBJ_LOG /* only if individual logging for net objects is enabled */ 00916 /* if nettemp, netobj, depend log on log_arrays */ 00917 /* (but not for file.device = 0) */ 00918 /* log_on_request is TRUE */ 00919 if( !do_log 00920 && ( (target == T_NETTEMP) 00921 || (target == T_NETOBJ) 00922 ) 00923 ) 00924 { 00925 enum rsbac_attribute_t i_attr1, i_attr2; 00926 00927 if(target == T_NETOBJ) 00928 { 00929 if(rsbac_net_remote_request(request)) 00930 { 00931 i_attr1 = A_remote_log_array_low; 00932 i_attr2 = A_remote_log_array_high; 00933 } 00934 else 00935 { 00936 i_attr1 = A_local_log_array_low; 00937 i_attr2 = A_local_log_array_high; 00938 } 00939 } 00940 else 00941 { 00942 i_attr1 = A_log_array_low; 00943 i_attr2 = A_log_array_high; 00944 } 00945 if (rsbac_get_attr(SW_GEN, 00946 target, 00947 *tid_p, 00948 i_attr1, 00949 &i_attr_val, 00950 FALSE)) 00951 { 00952 rsbac_ds_get_error("rsbac_adf_request()", i_attr1); 00953 } 00954 else 00955 { 00956 if (rsbac_get_attr(SW_GEN, 00957 target, 00958 *tid_p, 00959 i_attr2, 00960 &i_attr_val2, 00961 FALSE)) 00962 { 00963 rsbac_ds_get_error("rsbac_adf_request()", i_attr2); 00964 } 00965 else 00966 { /* ll = low-bit for request | (high-bit for request as bit 1) */ 00967 /* WARNING: we deal with u64 here, only logical operations and */ 00968 /* shifts work correctly! */ 00969 log_level = ((i_attr_val.log_array_low >> request) & 1) 00970 | ( ((i_attr_val2.log_array_high >> request) & 1) << 1); 00971 if ( log_level == LL_full 00972 || ( log_level == LL_denied 00973 && (result == NOT_GRANTED 00974 || result == UNDEFINED)) ) 00975 { 00976 do_log = TRUE; 00977 } 00978 if(log_level != LL_request) 00979 log_on_request = FALSE; 00980 } 00981 } 00982 } 00983 #endif /* CONFIG_RSBAC_IND_NETOBJ_LOG */ 00984 00985 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT 00986 log: 00987 #endif 00988 /* if enabled, try request based log level */ 00989 if ( !do_log 00990 && log_on_request 00991 && ( rsbac_log_levels[request][target] == LL_full 00992 || ( rsbac_log_levels[request][target] == LL_denied 00993 && (result == NOT_GRANTED 00994 || result == UNDEFINED)) ) ) 00995 do_log = TRUE; 00996 00997 if(do_log) 00998 { 00999 char * request_name; 01000 char * res_name; 01001 char * res_mods; 01002 char * target_type_name; 01003 char * target_id_name; 01004 char * attr_name; 01005 char * attr_val_name; 01006 #ifdef CONFIG_RSBAC_NET_OBJ 01007 char * remote_ip_name; 01008 #else 01009 char remote_ip_name[1]; 01010 #endif 01011 char * audit_uid_name; 01012 char command[17]; 01013 rsbac_pid_t parent_pid = 0; 01014 rsbac_uid_t audit_uid; 01015 #ifdef CONFIG_RSBAC_LOG_PSEUDO 01016 rsbac_pseudo_t pseudo = 0; 01017 #endif 01018 char * program_path; 01019 01020 /* parent pid */ 01021 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 01022 if(current->parent) 01023 parent_pid = current->parent->pid; 01024 #else 01025 if(current->p_pptr) 01026 parent_pid = current->p_pptr->pid; 01027 #endif 01028 01029 /* rsbac_kmalloc all memory */ 01030 request_name = rsbac_kmalloc(32); 01031 res_name = rsbac_kmalloc(32); 01032 res_mods = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01033 target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01034 #ifdef CONFIG_RSBAC_LOG_FULL_PATH 01035 target_id_name 01036 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); 01037 /* max. path name len + some extra */ 01038 #else 01039 target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); 01040 /* max. file name len + some extra */ 01041 #endif 01042 #ifdef CONFIG_RSBAC_LOG_PROGRAM_FILE 01043 #ifdef CONFIG_RSBAC_LOG_FULL_PATH 01044 program_path 01045 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); 01046 /* max. path name len + some extra */ 01047 #else 01048 program_path = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); 01049 /* max. file name len + some extra */ 01050 #endif 01051 #else 01052 program_path = rsbac_kmalloc(2); 01053 #endif 01054 attr_name = rsbac_kmalloc(32); 01055 attr_val_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01056 #ifdef CONFIG_RSBAC_NET_OBJ 01057 remote_ip_name = rsbac_kmalloc(32); 01058 #endif 01059 audit_uid_name = rsbac_kmalloc(32); 01060 01061 request_name[0] = (char) 0; 01062 target_type_name[0] = (char) 0; 01063 target_id_name[0] = (char) 0; 01064 program_path[0] = (char) 0; 01065 attr_name[0] = (char) 0; 01066 attr_val_name[0] = (char) 0; 01067 remote_ip_name[0] = (char) 0; 01068 audit_uid_name[0] = (char) 0; 01069 res_name[0] = (char) 0; 01070 res_mods[0] = (char) 0; 01071 command[0] = (char) 0; 01072 get_request_name(request_name, request); 01073 #if !defined(CONFIG_RSBAC_MAINT) 01074 /* 01075 if(result == mod_result[SW_NONE]) 01076 { 01077 strcat(res_mods, " SW_GEN"); 01078 } 01079 */ 01080 #if defined(CONFIG_RSBAC_MAC) 01081 if(result == mod_result[SW_MAC]) 01082 { 01083 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01084 if(rsbac_ind_softmode[SW_MAC]) 01085 strcat(res_mods, " MAC(Softmode)"); 01086 else 01087 #endif 01088 strcat(res_mods, " MAC"); 01089 } 01090 #endif 01091 #if defined(CONFIG_RSBAC_PM) 01092 if(result == mod_result[SW_PM]) 01093 { 01094 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01095 if(rsbac_ind_softmode[SW_PM]) 01096 strcat(res_mods, " PM(Softmode)"); 01097 else 01098 #endif 01099 strcat(res_mods, " PM"); 01100 } 01101 #endif 01102 #if defined(CONFIG_RSBAC_DAZ) 01103 if(result == mod_result[SW_DAZ]) 01104 { 01105 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01106 if(rsbac_ind_softmode[SW_DAZ]) 01107 strcat(res_mods, " DAZ(Softmode)"); 01108 else 01109 #endif 01110 strcat(res_mods, " DAZ"); 01111 } 01112 #endif 01113 #ifdef CONFIG_RSBAC_FF 01114 if(result == mod_result[SW_FF]) 01115 { 01116 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01117 if(rsbac_ind_softmode[SW_FF]) 01118 strcat(res_mods, " FF(Softmode)"); 01119 else 01120 #endif 01121 strcat(res_mods, " FF"); 01122 } 01123 #endif 01124 #ifdef CONFIG_RSBAC_RC 01125 if(result == mod_result[SW_RC]) 01126 { 01127 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01128 if(rsbac_ind_softmode[SW_RC]) 01129 strcat(res_mods, " RC(Softmode)"); 01130 else 01131 #endif 01132 strcat(res_mods, " RC"); 01133 } 01134 #endif 01135 #ifdef CONFIG_RSBAC_AUTH 01136 if(result == mod_result[SW_AUTH]) 01137 { 01138 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01139 if(rsbac_ind_softmode[SW_AUTH]) 01140 strcat(res_mods, " AUTH(Softmode)"); 01141 else 01142 #endif 01143 strcat(res_mods, " AUTH"); 01144 } 01145 #endif 01146 #ifdef CONFIG_RSBAC_ACL 01147 if(result == mod_result[SW_ACL]) 01148 { 01149 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01150 if(rsbac_ind_softmode[SW_ACL]) 01151 strcat(res_mods, " ACL(Softmode)"); 01152 else 01153 #endif 01154 strcat(res_mods, " ACL"); 01155 } 01156 #endif 01157 #ifdef CONFIG_RSBAC_CAP 01158 if(result == mod_result[SW_CAP]) 01159 { 01160 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01161 if(rsbac_ind_softmode[SW_CAP]) 01162 strcat(res_mods, " CAP(Softmode)"); 01163 else 01164 #endif 01165 strcat(res_mods, " CAP"); 01166 } 01167 #endif 01168 #ifdef CONFIG_RSBAC_JAIL 01169 if(result == mod_result[SW_JAIL]) 01170 { 01171 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01172 if(rsbac_ind_softmode[SW_JAIL]) 01173 strcat(res_mods, " JAIL(Softmode)"); 01174 else 01175 #endif 01176 strcat(res_mods, " JAIL"); 01177 } 01178 #endif 01179 #ifdef CONFIG_RSBAC_RES 01180 if(result == mod_result[SW_RES]) 01181 { 01182 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01183 if(rsbac_ind_softmode[SW_RES]) 01184 strcat(res_mods, " RES(Softmode)"); 01185 else 01186 #endif 01187 strcat(res_mods, " RES"); 01188 } 01189 #endif 01190 #ifdef CONFIG_RSBAC_REG 01191 if(result == mod_result[SW_REG]) 01192 { 01193 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01194 if(rsbac_ind_softmode[SW_REG]) 01195 strcat(res_mods, " REG(Softmode)"); 01196 else 01197 #endif 01198 strcat(res_mods, " REG"); 01199 } 01200 #endif 01201 #endif /* !MAINT */ 01202 if(!res_mods[0]) 01203 strcat(res_mods, " ADF"); 01204 01205 /* Get process audit_uid */ 01206 i_tid.process = caller_pid; 01207 if (rsbac_get_attr(SW_GEN,T_PROCESS,i_tid,A_audit_uid,&i_attr_val,FALSE)) 01208 { 01209 rsbac_ds_get_error("rsbac_adf_request()", A_audit_uid); 01210 return(NOT_GRANTED); /* something weird happened */ 01211 } 01212 audit_uid = i_attr_val.audit_uid; 01213 if(audit_uid == RSBAC_NO_USER) 01214 audit_uid = owner; 01215 else 01216 sprintf(audit_uid_name, "audit uid %u, ", audit_uid); 01217 #ifdef CONFIG_RSBAC_LOG_PSEUDO 01218 /* Get owner's logging pseudo */ 01219 i_tid.user = audit_uid; 01220 if (rsbac_get_attr(SW_GEN,T_USER,i_tid,A_pseudo,&i_attr_val,FALSE)) 01221 { 01222 rsbac_ds_get_error("rsbac_adf_request()", A_pseudo); 01223 return(NOT_GRANTED); /* something weird happened */ 01224 } 01225 /* if pseudo is not registered, return attribute value is 0 (see later) */ 01226 pseudo = i_attr_val.pseudo; 01227 #endif 01228 01229 #ifdef CONFIG_RSBAC_NET_OBJ 01230 /* Get process remote_ip */ 01231 i_tid.process = caller_pid; 01232 if (rsbac_get_attr(SW_GEN,T_PROCESS,i_tid,A_remote_ip,&i_attr_val,FALSE)) 01233 { 01234 rsbac_ds_get_error("rsbac_adf_request()", A_remote_ip); 01235 return(NOT_GRANTED); /* something weird happened */ 01236 } 01237 if(i_attr_val.remote_ip) 01238 sprintf(remote_ip_name, "remote ip %u.%u.%u.%u, ", NIPQUAD(i_attr_val.remote_ip)); 01239 #endif 01240 01241 #ifdef CONFIG_RSBAC_LOG_PROGRAM_FILE 01242 { 01243 struct mm_struct * mm; 01244 struct vm_area_struct * vma; 01245 struct dentry * dentry_p = NULL; 01246 01247 mm = current->mm; 01248 if(mm) 01249 { 01250 atomic_inc(&mm->mm_users); 01251 if(!down_read_trylock(&mm->mmap_sem)) 01252 goto down_failed; 01253 vma = mm->mmap; 01254 while (vma) 01255 { 01256 if( (vma->vm_flags & VM_EXECUTABLE) 01257 && vma->vm_file) 01258 { 01259 dentry_p = dget(vma->vm_file->f_dentry); 01260 break; 01261 } 01262 vma = vma->vm_next; 01263 } 01264 up_read(&mm->mmap_sem); 01265 if(dentry_p) 01266 { 01267 char * p = program_path; 01268 01269 p += sprintf(program_path, ", prog_file "); 01270 #ifdef CONFIG_RSBAC_LOG_FULL_PATH 01271 rsbac_get_full_path(dentry_p, p, CONFIG_RSBAC_MAX_PATH_LEN); 01272 #else 01273 int namelen = rsbac_min(dentry_p->d_name.len, RSBAC_MAXNAMELEN); 01274 01275 strncpy(p, dentry_p->d_name.name, namelen); 01276 p[namelen]=0; 01277 #endif 01278 dput(dentry_p); 01279 } 01280 down_failed: 01281 mmput(mm); 01282 } 01283 } 01284 #endif 01285 get_target_name(target_type_name, target, target_id_name, *tid_p); 01286 get_attribute_name(attr_name, attr); 01287 get_attribute_value_name(attr_val_name, attr, attr_val_p); 01288 get_result_name(res_name, result); 01289 if ((current) && (current->comm)) 01290 { 01291 strncpy(command,current->comm,16); 01292 command[16] = (char) 0; 01293 } 01294 01295 #ifdef CONFIG_RSBAC_LOG_PSEUDO 01296 /* if pseudo is set, its value is != 0, else -> use id */ 01297 if (pseudo) 01298 { 01299 #ifdef CONFIG_RSBAC_SOFTMODE 01300 if(rsbac_softmode) 01301 rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, pseudo %u, %starget_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n", 01302 request_name, caller_pid, parent_pid, command, program_path, pseudo, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods); 01303 else 01304 #endif 01305 rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, pseudo %u, %starget_type %s, tid %s, attr %s, value %s, result %s by%s\n", 01306 request_name, caller_pid, parent_pid, command, program_path, pseudo, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods); 01307 } 01308 else 01309 #endif 01310 { 01311 #ifdef CONFIG_RSBAC_SOFTMODE 01312 if(rsbac_softmode) 01313 rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, %s%starget_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n", 01314 request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid_name, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods); 01315 else 01316 #endif 01317 rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, %s%starget_type %s, tid %s, attr %s, value %s, result %s by%s\n", 01318 request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid_name, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods); 01319 } 01320 /* rsbac_kfree all helper mem */ 01321 rsbac_kfree(request_name); 01322 rsbac_kfree(res_name); 01323 rsbac_kfree(res_mods); 01324 rsbac_kfree(target_type_name); 01325 rsbac_kfree(target_id_name); 01326 rsbac_kfree(program_path); 01327 rsbac_kfree(attr_name); 01328 rsbac_kfree(attr_val_name); 01329 #ifdef CONFIG_RSBAC_NET_OBJ 01330 rsbac_kfree(remote_ip_name); 01331 #endif 01332 rsbac_kfree(audit_uid_name); 01333 } 01334 01335 /* UNDEFINED must never be returned -> change result */ 01336 if(result == UNDEFINED) 01337 result = NOT_GRANTED; 01338 01339 /* count */ 01340 rsbac_adf_request_count[target]++; 01341 #ifdef CONFIG_RSBAC_XSTATS 01342 rsbac_adf_request_xcount[target][request]++; 01343 #endif 01344 01345 /* return result */ 01346 #ifdef CONFIG_RSBAC_SOFTMODE 01347 if(rsbac_softmode && !rsbac_internal) 01348 return DO_NOT_CARE; 01349 else 01350 #endif 01351 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01352 return ret_result; 01353 #else 01354 return result; /* change for debugging! */ 01355 #endif 01356 } /* end of rsbac_adf_request_int() */
int rsbac_adf_set_attr | ( | enum rsbac_adf_request_t | request, | |
rsbac_pid_t | caller_pid, | |||
enum rsbac_target_t | target, | |||
union rsbac_target_id_t | tid, | |||
enum rsbac_target_t | new_target, | |||
union rsbac_target_id_t | new_tid, | |||
enum rsbac_attribute_t | attr, | |||
union rsbac_attribute_value_t | attr_val | |||
) |
Definition at line 1367 of file adf_main.c.
References A_audit_uid, A_auid_exempt, A_fake_root_uid, A_log_array_high, A_log_array_low, A_log_program_based, A_log_user_based, A_none, A_pseudo, A_remote_ip, rsbac_attribute_value_t::audit_uid, rsbac_attribute_value_t::auid_exempt, rsbac_attribute_value_t::dummy, rsbac_attribute_value_t::fake_root_uid, FALSE, get_attribute_name(), get_request_name(), get_target_name(), I_anonunix, I_shm, rsbac_ipc_t::id, rsbac_ipc_id_t::id_nr, rsbac_target_id_t::ipc, LL_denied, LL_full, LL_request, rsbac_attribute_value_t::log_array_high, rsbac_attribute_value_t::log_array_low, rsbac_attribute_value_t::log_program_based, rsbac_attribute_value_t::log_user_based, rsbac_target_id_t::netobj, rsbac_target_id_t::process, rsbac_attribute_value_t::pseudo, R_ACCEPT, R_CLONE, R_CLOSE, R_CREATE, R_DELETE, R_EXECUTE, R_NONE, R_RENAME, rsbac_attribute_value_t::remote_ip, rsbac_adf_set_attr_auth(), rsbac_adf_set_attr_cap(), rsbac_adf_set_attr_check(), rsbac_adf_set_attr_count, rsbac_adf_set_attr_daz(), rsbac_adf_set_attr_jail(), rsbac_adf_set_attr_mac(), rsbac_adf_set_attr_pm(), rsbac_adf_set_attr_rc(), rsbac_adf_set_attr_reg(), rsbac_adf_set_attr_res(), RSBAC_EINVALIDVALUE, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_get_super_block(), rsbac_is_initialized(), rsbac_kfree(), rsbac_kmalloc(), rsbac_log_levels, RSBAC_MAXNAMELEN, RSBAC_NO_USER, rsbac_printk(), rsbac_remove_target, RSBAC_REQUEST_VECTOR, rsbac_set_attr, rsbac_net_obj_desc_t::sock_p, SW_GEN, T_DEV, T_DIR, T_FIFO, T_FILE, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NONE, T_PROCESS, T_SYMLINK, T_UNIXSOCK, T_USER, TRUE, rsbac_ipc_t::type, and rsbac_target_id_t::user.
Referenced by sys_rsbac_um_add_group(), sys_rsbac_um_add_user(), sys_rsbac_um_remove_group(), and sys_rsbac_um_remove_user().
01376 { 01377 union rsbac_target_id_t i_tid; 01378 rsbac_uid_t owner; 01379 int error = 0; 01380 rsbac_request_vector_t request_vector; 01381 rsbac_boolean_t do_log = FALSE; 01382 rsbac_boolean_t log_on_request = TRUE; 01383 union rsbac_attribute_value_t i_attr_val; 01384 #ifdef CONFIG_RSBAC_IND_LOG 01385 union rsbac_attribute_value_t i_attr_val2; 01386 enum rsbac_log_level_t log_level; 01387 #endif 01388 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT 01389 struct super_block * sb_p; 01390 #endif 01391 01392 /* No attribute setting possible before init (called at boot time) */ 01393 01394 if (!rsbac_is_initialized()) 01395 return 0; 01396 01397 /* kernel (pid 0) is ignored */ 01398 if ( !caller_pid 01399 #if defined(CONFIG_RSBAC_LOG_REMOTE) 01400 || (caller_pid == rsbaclogd_pid) 01401 #endif 01402 ) 01403 return 0; 01404 01405 /* Checking base values */ 01406 if( request >= R_NONE 01407 || target > T_NONE 01408 || new_target > T_NONE 01409 || attr > A_none) 01410 { 01411 rsbac_printk(KERN_WARNING 01412 "rsbac_adf_set_attr(): called with invalid request, target or attribute\n"); 01413 return(-RSBAC_EINVALIDVALUE); 01414 } 01415 request_vector = RSBAC_REQUEST_VECTOR(request); 01416 01417 /* Getting basic information about this adf_set_attr-call */ 01418 01419 owner = RSBAC_NO_USER; 01420 /* only useful for real process, not idle or init */ 01421 if (caller_pid > 1) 01422 { 01423 error = rsbac_get_owner(&owner); 01424 if(error) 01425 { 01426 rsbac_printk(KERN_DEBUG 01427 "rsbac_adf_set_attr(): caller_pid %i, RSBAC not initialized, returning 0", 01428 caller_pid); 01429 return(0); /* Startup-Sequence (see above) */ 01430 } 01431 } 01432 else /* caller_pid = 1 -> init -> owner = root */ 01433 owner = 0; 01434 01435 /*************************************************/ 01436 /* General work for all modules - before modules */ 01437 #if defined(CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT) || defined(CONFIG_RSBAC_FD_CACHE) 01438 switch (target) { 01439 case T_DIR: 01440 #if defined(CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT) 01441 if ((sb_p = rsbac_get_super_block(tid.file.device)) 01442 && ( (sb_p->s_magic == NFS_SUPER_MAGIC) 01443 || (sb_p->s_magic == CODA_SUPER_MAGIC) 01444 || (sb_p->s_magic == NCP_SUPER_MAGIC) 01445 || (sb_p->s_magic == SMB_SUPER_MAGIC) 01446 ) 01447 ) { 01448 error = 0; 01449 goto log; 01450 } 01451 #endif 01452 #if defined(CONFIG_RSBAC_FD_CACHE) 01453 if (request == R_RENAME) 01454 rsbac_fd_cache_invalidate_all(); 01455 #endif 01456 break; 01457 01458 case T_FILE: 01459 case T_FIFO: 01460 case T_SYMLINK: 01461 case T_UNIXSOCK: 01462 #if defined(CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT) 01463 if ((sb_p = rsbac_get_super_block(tid.file.device)) 01464 && ( (sb_p->s_magic == NFS_SUPER_MAGIC) 01465 || (sb_p->s_magic == CODA_SUPER_MAGIC) 01466 || (sb_p->s_magic == NCP_SUPER_MAGIC) 01467 || (sb_p->s_magic == SMB_SUPER_MAGIC) 01468 ) 01469 ) { 01470 error = 0; 01471 goto log; 01472 } 01473 #endif 01474 #if defined(CONFIG_RSBAC_FD_CACHE) 01475 if (request == R_RENAME) 01476 rsbac_fd_cache_invalidate(&tid.file); 01477 #endif 01478 break; 01479 01480 default: 01481 break; 01482 } 01483 #endif 01484 01485 /**********************************************************/ 01486 /* calling all decision modules, building a common result */ 01487 01488 01489 #ifdef CONFIG_RSBAC_DEBUG 01490 /* first, check for valid request/target combination */ 01491 error |= rsbac_adf_set_attr_check(request, 01492 caller_pid, 01493 target, 01494 tid, 01495 new_target, 01496 new_tid, 01497 attr, 01498 attr_val, 01499 owner); 01500 if(error) 01501 goto general_work; 01502 #endif 01503 01504 #if !defined(CONFIG_RSBAC_MAINT) 01505 /******* MAC ********/ 01506 #if defined(CONFIG_RSBAC_MAC) 01507 #ifdef CONFIG_RSBAC_SWITCH_MAC 01508 if (rsbac_switch_mac) 01509 #endif 01510 if(request_vector & RSBAC_MAC_SET_ATTR_VECTOR) 01511 error |= rsbac_adf_set_attr_mac(request, 01512 caller_pid, 01513 target, 01514 tid, 01515 new_target, 01516 new_tid, 01517 attr, 01518 attr_val, 01519 owner); 01520 #endif /* MAC */ 01521 01522 /******* PM ********/ 01523 #ifdef CONFIG_RSBAC_PM 01524 #ifdef CONFIG_RSBAC_SWITCH_PM 01525 if (rsbac_switch_pm) 01526 #endif 01527 if(request_vector & RSBAC_PM_SET_ATTR_VECTOR) 01528 error |= rsbac_adf_set_attr_pm (request, 01529 caller_pid, 01530 target, 01531 tid, 01532 new_target, 01533 new_tid, 01534 attr, 01535 attr_val, 01536 owner); 01537 #endif /* PM */ 01538 01539 /******* DAZ ********/ 01540 #ifdef CONFIG_RSBAC_DAZ 01541 #ifdef CONFIG_RSBAC_SWITCH_DAZ 01542 if (rsbac_switch_daz) 01543 #endif 01544 if(request_vector & RSBAC_DAZ_SET_ATTR_VECTOR) 01545 error |= rsbac_adf_set_attr_daz (request, 01546 caller_pid, 01547 target, 01548 tid, 01549 new_target, 01550 new_tid, 01551 attr, 01552 attr_val, 01553 owner); 01554 #endif /* DAZ */ 01555 01556 /******* RC ********/ 01557 #ifdef CONFIG_RSBAC_RC 01558 #ifdef CONFIG_RSBAC_SWITCH_RC 01559 if (rsbac_switch_rc) 01560 #endif 01561 error |= rsbac_adf_set_attr_rc (request, 01562 caller_pid, 01563 target, 01564 tid, 01565 new_target, 01566 new_tid, 01567 attr, 01568 attr_val, 01569 owner); 01570 #endif /* RC */ 01571 01572 /****** AUTH *******/ 01573 #ifdef CONFIG_RSBAC_AUTH 01574 #ifdef CONFIG_RSBAC_SWITCH_AUTH 01575 if (rsbac_switch_auth) 01576 #endif 01577 if(request_vector & RSBAC_AUTH_SET_ATTR_VECTOR) 01578 error |= rsbac_adf_set_attr_auth(request, 01579 caller_pid, 01580 target, 01581 tid, 01582 new_target, 01583 new_tid, 01584 attr, 01585 attr_val, 01586 owner); 01587 #endif /* AUTH */ 01588 01589 /****** CAP *******/ 01590 #ifdef CONFIG_RSBAC_CAP 01591 #ifdef CONFIG_RSBAC_SWITCH_CAP 01592 if (rsbac_switch_cap) 01593 #endif 01594 if(request_vector & RSBAC_CAP_SET_ATTR_VECTOR) 01595 error |= rsbac_adf_set_attr_cap (request, 01596 caller_pid, 01597 target, 01598 tid, 01599 new_target, 01600 new_tid, 01601 attr, 01602 attr_val, 01603 owner); 01604 #endif /* CAP */ 01605 01606 /****** JAIL *******/ 01607 #ifdef CONFIG_RSBAC_JAIL 01608 #ifdef CONFIG_RSBAC_SWITCH_JAIL 01609 if (rsbac_switch_jail) 01610 #endif 01611 if(request_vector & RSBAC_JAIL_SET_ATTR_VECTOR) 01612 error |= rsbac_adf_set_attr_jail(request, 01613 caller_pid, 01614 target, 01615 tid, 01616 new_target, 01617 new_tid, 01618 attr, 01619 attr_val, 01620 owner); 01621 #endif /* JAIL */ 01622 01623 /****** RES *******/ 01624 #ifdef CONFIG_RSBAC_RES 01625 #ifdef CONFIG_RSBAC_SWITCH_RES 01626 if (rsbac_switch_res) 01627 #endif 01628 if(request_vector & RSBAC_RES_SET_ATTR_VECTOR) 01629 error |= rsbac_adf_set_attr_res (request, 01630 caller_pid, 01631 target, 01632 tid, 01633 new_target, 01634 new_tid, 01635 attr, 01636 attr_val, 01637 owner); 01638 #endif /* RES */ 01639 01640 /****** REG *******/ 01641 #ifdef CONFIG_RSBAC_REG 01642 error |= rsbac_adf_set_attr_reg (request, 01643 caller_pid, 01644 target, 01645 tid, 01646 new_target, 01647 new_tid, 01648 attr, 01649 attr_val, 01650 owner); 01651 #endif /* REG */ 01652 #endif /* !MAINT */ 01653 01654 /* General work for all modules (after set_attr call) */ 01655 #ifdef CONFIG_RSBAC_DEBUG 01656 general_work: 01657 #endif 01658 switch(request) 01659 { 01660 /* remove deleted item from rsbac data */ 01661 case R_DELETE : 01662 switch (target) 01663 { 01664 case T_FILE: 01665 case T_FIFO: 01666 case T_SYMLINK: 01667 /* Only remove file/fifo target on deletion of last link */ 01668 if ( (attr == A_nlink) 01669 && (attr_val.nlink > 1) 01670 ) 01671 break; 01672 /* fall through */ 01673 case T_DIR: 01674 rsbac_remove_target(target,tid); 01675 break; 01676 case T_IPC: 01677 /* shm removal delayed and removed directly, when destroyed */ 01678 if(tid.ipc.type != I_shm) 01679 rsbac_remove_target(target,tid); 01680 break; 01681 default: 01682 break; 01683 } 01684 break; 01685 01686 case R_CLONE: 01687 switch (target) 01688 { 01689 case T_PROCESS: 01690 #if defined(CONFIG_RSBAC_IND_PROG_LOG) 01691 /* get program based log from old process */ 01692 if (rsbac_get_attr(SW_GEN, 01693 target, 01694 tid, 01695 A_log_program_based, 01696 &i_attr_val, 01697 FALSE)) 01698 { 01699 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based); 01700 } 01701 else 01702 { /* only set, of not default value 0 */ 01703 if(i_attr_val.log_program_based) 01704 { 01705 /* set program based log for new process */ 01706 if (rsbac_set_attr(SW_GEN, new_target, 01707 new_tid, 01708 A_log_program_based, 01709 i_attr_val)) 01710 { 01711 rsbac_ds_set_error("rsbac_adf_set_attr()", A_log_program_based); 01712 } 01713 } 01714 } 01715 #endif 01716 #if defined(CONFIG_RSBAC_FAKE_ROOT_UID) 01717 /* get fake_root_uid from old process */ 01718 if (rsbac_get_attr(SW_GEN, 01719 target, 01720 tid, 01721 A_fake_root_uid, 01722 &i_attr_val, 01723 FALSE)) 01724 { 01725 rsbac_ds_get_error("rsbac_adf_set_attr()", A_fake_root_uid); 01726 } 01727 else 01728 { /* only set, of not default value 0 */ 01729 if(i_attr_val.fake_root_uid) 01730 { 01731 /* set program based log for new process */ 01732 if (rsbac_set_attr(SW_GEN, new_target, 01733 new_tid, 01734 A_fake_root_uid, 01735 i_attr_val)) 01736 { 01737 rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid); 01738 } 01739 } 01740 } 01741 #endif 01742 #if defined(CONFIG_RSBAC_NET) 01743 /* get remote_ip from old process */ 01744 if (rsbac_get_attr(SW_GEN, 01745 target, 01746 tid, 01747 A_remote_ip, 01748 &i_attr_val, 01749 FALSE)) 01750 { 01751 rsbac_ds_get_error("rsbac_adf_set_attr()", A_remote_ip); 01752 } 01753 else 01754 { /* only set, of not default value 0 */ 01755 if(i_attr_val.remote_ip) 01756 { 01757 /* set program based log for new process */ 01758 if (rsbac_set_attr(SW_GEN, new_target, 01759 new_tid, 01760 A_remote_ip, 01761 i_attr_val)) 01762 { 01763 rsbac_ds_set_error("rsbac_adf_set_attr()", A_remote_ip); 01764 } 01765 } 01766 } 01767 #endif 01768 /* get kernel_thread from old process */ 01769 if (rsbac_get_attr(SW_GEN, 01770 target, 01771 tid, 01772 A_kernel_thread, 01773 &i_attr_val, FALSE)) { 01774 rsbac_ds_get_error("rsbac_adf_set_attr()", 01775 A_kernel_thread); 01776 } else { 01777 if (i_attr_val.kernel_thread) { 01778 if (rsbac_set_attr(SW_GEN, new_target, 01779 new_tid, 01780 A_kernel_thread, 01781 i_attr_val)) { 01782 rsbac_ds_set_error 01783 ("rsbac_adf_set_attr()", 01784 A_kernel_thread); 01785 } 01786 } 01787 } 01788 01789 /* get audit_uid from old process */ 01790 if (rsbac_get_attr(SW_GEN, 01791 target, 01792 tid, 01793 A_audit_uid, 01794 &i_attr_val, 01795 FALSE)) 01796 { 01797 rsbac_ds_get_error("rsbac_adf_set_attr()", A_audit_uid); 01798 } 01799 else 01800 { /* only set, of not default value NO_USER */ 01801 if(i_attr_val.audit_uid != RSBAC_NO_USER) 01802 { 01803 /* set audit uid for new process */ 01804 if (rsbac_set_attr(SW_GEN, 01805 new_target, 01806 new_tid, 01807 A_audit_uid, 01808 i_attr_val)) 01809 { 01810 rsbac_ds_set_error("rsbac_adf_set_attr()", A_audit_uid); 01811 } 01812 } 01813 } 01814 /* get auid_exempt from old process */ 01815 if (rsbac_get_attr(SW_GEN, 01816 target, 01817 tid, 01818 A_auid_exempt, 01819 &i_attr_val, 01820 FALSE)) 01821 { 01822 rsbac_ds_get_error("rsbac_adf_set_attr()", A_auid_exempt); 01823 } 01824 else 01825 { /* only set, of not default value NO_USER */ 01826 if(i_attr_val.auid_exempt != RSBAC_NO_USER) 01827 { 01828 /* set program based log for new process */ 01829 if (rsbac_set_attr(SW_GEN, 01830 new_target, 01831 new_tid, 01832 A_auid_exempt, 01833 i_attr_val)) 01834 { 01835 rsbac_ds_set_error("rsbac_adf_set_attr()", A_auid_exempt); 01836 } 01837 } 01838 } 01839 break; 01840 01841 default: 01842 break; 01843 } 01844 break; 01845 01846 case R_CLOSE: 01847 switch (target) { 01848 case T_IPC: 01849 if(tid.ipc.type == I_anonunix) 01850 rsbac_remove_target(target, tid); 01851 break; 01852 #ifdef CONFIG_RSBAC_NET_OBJ 01853 case T_NETOBJ: 01854 rsbac_remove_target(target, tid); 01855 break; 01856 #endif 01857 default: 01858 break; 01859 } 01860 break; 01861 01862 case R_CREATE: 01863 switch (target) { 01864 case T_IPC: 01865 if(!tid.ipc.id.id_nr) 01866 error |= -RSBAC_EINVALIDVALUE; 01867 break; 01868 default: 01869 break; 01870 } 01871 break; 01872 01873 #ifdef CONFIG_RSBAC_NET_OBJ 01874 case R_ACCEPT: 01875 switch (target) 01876 { 01877 case T_NETOBJ: 01878 /* store remote IP */ 01879 if( tid.netobj.sock_p 01880 && tid.netobj.sock_p->ops 01881 && tid.netobj.sock_p->sk 01882 && (tid.netobj.sock_p->ops->family == AF_INET) 01883 ) 01884 { 01885 i_tid.process = caller_pid; 01886 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 01887 i_attr_val.remote_ip = inet_sk(tid.netobj.sock_p->sk)->daddr; 01888 #else 01889 i_attr_val.remote_ip = tid.netobj.sock_p->sk->daddr; 01890 #endif 01891 /* set program based log for new process */ 01892 if (rsbac_set_attr(SW_GEN, 01893 T_PROCESS, 01894 i_tid, 01895 A_remote_ip, 01896 i_attr_val)) 01897 { 01898 rsbac_ds_set_error("rsbac_adf_set_attr()", A_remote_ip); 01899 } 01900 } 01901 break; 01902 01903 default: 01904 break; 01905 } 01906 break; 01907 #endif /* CONFIG_RSBAC_NET_OBJ */ 01908 01909 case R_EXECUTE : 01910 switch (target) 01911 { 01912 case T_FILE: 01913 #if defined(CONFIG_RSBAC_IND_PROG_LOG) 01914 /* get program based log from file */ 01915 if (rsbac_get_attr(SW_GEN, 01916 target, 01917 tid, 01918 A_log_program_based, 01919 &i_attr_val, 01920 FALSE)) 01921 { 01922 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based); 01923 } 01924 else 01925 { 01926 /* set program based log for process */ 01927 i_tid.process = caller_pid; 01928 if (rsbac_set_attr(SW_GEN, T_PROCESS, 01929 i_tid, 01930 A_log_program_based, 01931 i_attr_val)) 01932 { 01933 rsbac_ds_set_error("rsbac_adf_set_attr()", A_log_program_based); 01934 } 01935 } 01936 #endif 01937 #if defined(CONFIG_RSBAC_FAKE_ROOT_UID) 01938 /* get fake_root_uid from file */ 01939 if (rsbac_get_attr(SW_GEN, 01940 target, 01941 tid, 01942 A_fake_root_uid, 01943 &i_attr_val, 01944 FALSE)) 01945 { 01946 rsbac_ds_get_error("rsbac_adf_set_attr()", A_fake_root_uid); 01947 } 01948 else 01949 { 01950 /* set fake_root_uid for process */ 01951 if(i_attr_val.fake_root_uid) 01952 { 01953 i_tid.process = caller_pid; 01954 if (rsbac_set_attr(SW_GEN, T_PROCESS, 01955 i_tid, 01956 A_fake_root_uid, 01957 i_attr_val)) 01958 { 01959 rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid); 01960 } 01961 } 01962 } 01963 #endif 01964 /* get auid_exempt from file */ 01965 if (rsbac_get_attr(SW_GEN, 01966 target, 01967 tid, 01968 A_auid_exempt, 01969 &i_attr_val, 01970 FALSE)) 01971 { 01972 rsbac_ds_get_error("rsbac_adf_set_attr()", A_auid_exempt); 01973 } 01974 else 01975 { 01976 if(i_attr_val.auid_exempt != RSBAC_NO_USER) 01977 { 01978 /* set auid_exempt for process */ 01979 i_tid.process = caller_pid; 01980 if (rsbac_set_attr(SW_GEN, T_PROCESS, 01981 i_tid, 01982 A_auid_exempt, 01983 i_attr_val)) 01984 { 01985 rsbac_ds_set_error("rsbac_adf_set_attr()", A_auid_exempt); 01986 } 01987 } 01988 } 01989 break; 01990 01991 default: 01992 break; 01993 } 01994 break; 01995 01996 default: 01997 break; 01998 } 01999 02000 #if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET) 02001 if( rsbac_debug_adf_net 02002 && ( (target == T_NETDEV) 02003 || (target == T_NETTEMP) 02004 || (target == T_NETOBJ) 02005 ) 02006 ) 02007 do_log = TRUE; 02008 #endif 02009 02010 /* log based on process owner */ 02011 #ifdef CONFIG_RSBAC_IND_USER_LOG 02012 i_tid.user = owner; 02013 if (rsbac_get_attr(SW_GEN, 02014 T_USER, 02015 i_tid, 02016 A_log_user_based, 02017 &i_attr_val, 02018 FALSE)) 02019 { 02020 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_user_based); 02021 } 02022 else 02023 { 02024 if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_user_based) 02025 do_log = TRUE; 02026 } 02027 #endif /* CONFIG_RSBAC_IND_USER_LOG */ 02028 02029 /* log based on program */ 02030 #ifdef CONFIG_RSBAC_IND_PROG_LOG 02031 if(!do_log) 02032 { 02033 i_tid.process = caller_pid; 02034 if (rsbac_get_attr(SW_GEN, 02035 T_PROCESS, 02036 i_tid, 02037 A_log_program_based, 02038 &i_attr_val, 02039 FALSE)) 02040 { 02041 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based); 02042 } 02043 else 02044 { 02045 if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_program_based) 02046 do_log = TRUE; 02047 } 02048 } 02049 #endif /* CONFIG_RSBAC_IND_PROG_LOG */ 02050 02051 02052 /* logging request on info level, if requested by file/dir/dev attributes */ 02053 /* log_array_low/high, or, if that is requested, if enabled for this request */ 02054 /* type (attributes state level, or that request based level is to be taken) */ 02055 /* loglevel 2: log everything */ 02056 /* loglevel 1: log, if denied */ 02057 /* loglevel 0: log nothing */ 02058 02059 #ifdef CONFIG_RSBAC_IND_LOG /* only if individual logging is enabled */ 02060 /* if file/dir/dev, depend log on log_arrays */ 02061 /* (but not for file.device = 0) */ 02062 /* log_on_request is TRUE */ 02063 if(!do_log) 02064 { 02065 if( ( ( (target == T_FILE) 02066 || (target == T_DIR) 02067 || (target == T_FIFO) 02068 || (target == T_SYMLINK) 02069 ) 02070 && RSBAC_MAJOR(tid.file.device) 02071 && RSBAC_MINOR(tid.file.device) 02072 ) 02073 || (target == T_DEV) 02074 ) 02075 { 02076 if (rsbac_get_attr(SW_GEN, 02077 target, 02078 tid, 02079 A_log_array_low, 02080 &i_attr_val, 02081 FALSE)) 02082 { 02083 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_array_low); 02084 } 02085 else 02086 { 02087 if (rsbac_get_attr(SW_GEN, 02088 target, 02089 tid, 02090 A_log_array_high, 02091 &i_attr_val2, 02092 FALSE)) 02093 { 02094 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_array_high); 02095 } 02096 else 02097 { /* ll = low-bit for request | (high-bit for request as bit 1) */ 02098 log_level = ((i_attr_val.log_array_low >> request) & 1) 02099 | ( ((i_attr_val2.log_array_high >> request) & 1) << 1); 02100 if ( log_level == LL_full 02101 || ( log_level == LL_denied 02102 && error) ) 02103 { 02104 do_log = TRUE; 02105 } 02106 if(log_level != LL_request) 02107 log_on_request = FALSE; 02108 } 02109 } 02110 } 02111 } 02112 #endif /* CONFIG_RSBAC_IND_LOG */ 02113 02114 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT 02115 log: 02116 #endif 02117 /* if enabled, try request based log level */ 02118 if (log_on_request 02119 && ( rsbac_log_levels[request][target] == LL_full 02120 || ( rsbac_log_levels[request][target] == LL_denied 02121 && error) ) ) 02122 do_log = TRUE; 02123 02124 if(do_log) 02125 { 02126 char * request_name; 02127 char * target_type_name; 02128 char * new_target_type_name; 02129 char * target_id_name; 02130 char * new_target_id_name; 02131 char * attr_name; 02132 rsbac_uid_t audit_uid; 02133 #ifdef CONFIG_RSBAC_LOG_PSEUDO 02134 rsbac_pseudo_t pseudo = 0; 02135 #endif 02136 02137 /* Get process audit_uid */ 02138 i_tid.process = caller_pid; 02139 if (rsbac_get_attr(SW_GEN,T_PROCESS,i_tid,A_audit_uid,&i_attr_val,FALSE)) 02140 { 02141 rsbac_ds_get_error("rsbac_adf_set_attr()", A_audit_uid); 02142 return -RSBAC_EREADFAILED; /* something weird happened */ 02143 } 02144 audit_uid = i_attr_val.audit_uid; 02145 if(audit_uid == RSBAC_NO_USER) 02146 audit_uid = owner; 02147 #ifdef CONFIG_RSBAC_LOG_PSEUDO 02148 /* Get owner's logging pseudo */ 02149 i_tid.user = audit_uid; 02150 if (rsbac_get_attr(SW_GEN,T_USER,i_tid,A_pseudo,&i_attr_val,FALSE)) 02151 { 02152 rsbac_ds_get_error("rsbac_adf_set_attr()", A_pseudo); 02153 return -RSBAC_EREADFAILED; /* something weird happened */ 02154 } 02155 /* if pseudo is not registered, return attribute value is 0 (see later) */ 02156 pseudo = i_attr_val.pseudo; 02157 #endif 02158 02159 /* rsbac_kmalloc all memory */ 02160 request_name = rsbac_kmalloc(32); 02161 target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 02162 new_target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); 02163 #ifdef CONFIG_RSBAC_LOG_FULL_PATH 02164 target_id_name 02165 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); 02166 new_target_id_name 02167 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); 02168 /* max. path name len + some extra */ 02169 #else 02170 target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); 02171 new_target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); 02172 /* max. file name len + some extra */ 02173 #endif 02174 attr_name = rsbac_kmalloc(32); 02175 02176 /* Getting basic information about this request */ 02177 request_name[0] = (char) 0; 02178 target_type_name[0] = (char) 0; 02179 target_id_name[0] = (char) 0; 02180 new_target_type_name[0] = (char) 0; 02181 new_target_id_name[0] = (char) 0; 02182 attr_name[0] = (char) 0; 02183 get_request_name(request_name, request); 02184 get_target_name(target_type_name, target, target_id_name, tid); 02185 get_target_name(new_target_type_name, new_target, 02186 new_target_id_name, new_tid); 02187 get_attribute_name(attr_name, attr); 02188 02189 #ifdef CONFIG_RSBAC_LOG_PSEUDO 02190 if(pseudo) 02191 rsbac_printk(KERN_INFO 02192 "rsbac_adf_set_attr(): request %s, pid %u, pseudo %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n", 02193 request_name, (u_int) caller_pid, pseudo, target_type_name, target_id_name, 02194 new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error); 02195 else 02196 #endif 02197 rsbac_printk(KERN_INFO 02198 "rsbac_adf_set_attr(): request %s, pid %u, uid %u, audit_uid %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n", 02199 request_name, (u_int) caller_pid, owner, audit_uid, target_type_name, target_id_name, 02200 new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error); 02201 /* rsbac_kfree all helper mem */ 02202 rsbac_kfree(request_name); 02203 rsbac_kfree(target_type_name); 02204 rsbac_kfree(new_target_type_name); 02205 rsbac_kfree(target_id_name); 02206 rsbac_kfree(new_target_id_name); 02207 rsbac_kfree(attr_name); 02208 } 02209 02210 /* count */ 02211 rsbac_adf_set_attr_count[target]++; 02212 #ifdef CONFIG_RSBAC_XSTATS 02213 rsbac_adf_set_attr_xcount[target][request]++; 02214 #endif 02215 02216 return(error); 02217 } /* end of rsbac_adf_set_attr() */
void __init rsbac_init_adf | ( | void | ) |
Definition at line 130 of file adf_main.c.
References rsbac_reg_init().
Referenced by rsbac_do_init().
00132 { 00133 #if defined(CONFIG_RSBAC_REG) 00134 rsbac_reg_init(); 00135 #endif 00136 }
int rsbac_sec_del | ( | struct dentry * | dentry_p | ) |
int rsbac_sec_trunc | ( | struct dentry * | dentry_p, | |
loff_t | new_len, | |||
loff_t | old_len | |||
) |
int rsbac_set_audit_uid | ( | rsbac_uid_t | uid | ) |
Definition at line 3076 of file adf_main.c.
References A_audit_uid, A_auid_exempt, rsbac_attribute_value_t::audit_uid, rsbac_attribute_value_t::auid_exempt, FALSE, rsbac_target_id_t::process, RSBAC_EREADFAILED, RSBAC_EWRITEFAILED, rsbac_get_attr, RSBAC_NO_USER, rsbac_set_attr, SW_GEN, and T_PROCESS.
03077 { 03078 union rsbac_target_id_t tid; 03079 union rsbac_attribute_value_t attr_val; 03080 03081 if(!uid || (uid == current->uid)) 03082 return 0; 03083 tid.process = current->pid; 03084 if (rsbac_get_attr(SW_GEN, 03085 T_PROCESS, 03086 tid, 03087 A_audit_uid, 03088 &attr_val, 03089 FALSE)) 03090 { 03091 rsbac_ds_get_error("rsbac_set_audit_uid()", A_audit_uid); 03092 return -RSBAC_EREADFAILED; 03093 } 03094 if(attr_val.audit_uid != RSBAC_NO_USER) 03095 return 0; 03096 03097 if (rsbac_get_attr(SW_GEN, 03098 T_PROCESS, 03099 tid, 03100 A_auid_exempt, 03101 &attr_val, 03102 FALSE)) 03103 { 03104 rsbac_ds_get_error("rsbac_set_audit_uid()", A_auid_exempt); 03105 return -RSBAC_EREADFAILED; 03106 } 03107 if(attr_val.auid_exempt == uid) 03108 return 0; 03109 03110 attr_val.audit_uid = uid; 03111 if (rsbac_set_attr(SW_GEN, 03112 T_PROCESS, 03113 tid, 03114 A_audit_uid, 03115 attr_val)) 03116 { 03117 rsbac_ds_set_error("rsbac_set_audit_uid()", A_audit_uid); 03118 return -RSBAC_EWRITEFAILED; 03119 } 03120 return 0; 03121 }
u_long rsbac_adf_request_count[T_NONE+1] = {0,0,0,0,0,0,0,0} |
u_long rsbac_adf_set_attr_count[T_NONE+1] = {0,0,0,0,0,0,0,0} |