/linux-2.6.21.1-rsbac-1.3.4/rsbac/adf/adf_main.c

Go to the documentation of this file.
00001 /*************************************************** */
00002 /* Rule Set Based Access Control                     */
00003 /* Implementation of the Access Control Decision     */
00004 /* Facility (ADF) - Main file main.c                 */
00005 /*                                                   */
00006 /* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
00007 /*                                                   */
00008 /* Last modified: 12/Feb/2007                        */
00009 /*************************************************** */
00010 
00011 #include <linux/string.h>
00012 #include <linux/init.h>
00013 #include <linux/module.h>
00014 #include <rsbac/types.h>
00015 #include <rsbac/aci.h>
00016 #include <rsbac/adf.h>
00017 #include <rsbac/adf_main.h>
00018 #include <rsbac/error.h>
00019 #include <rsbac/helpers.h>
00020 #include <rsbac/getname.h>
00021 #include <rsbac/cap_getname.h>
00022 #include <rsbac/jail_getname.h>
00023 #include <rsbac/rkmem.h>
00024 #include <rsbac/network.h>
00025 #if defined(CONFIG_RSBAC_UM_EXCL)
00026 #include <rsbac/um.h>
00027 #endif
00028 
00029 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
00030 #include <linux/config.h>
00031 #endif
00032 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
00033 #include <linux/nfs_fs.h>
00034 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00035 #include <linux/coda.h>
00036 #endif
00037 #include <linux/coda_psdev.h>
00038 #include <linux/ncp_fs.h>
00039 #include <linux/smb.h>
00040 #endif
00041 
00042 #ifdef CONFIG_RSBAC_SECDEL
00043 #include <linux/types.h>
00044 #include <linux/dcache.h>
00045 #include <asm/uaccess.h>
00046 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00047 #include <linux/buffer_head.h>
00048 #endif
00049 #endif /* SECDEL */
00050 
00051 /************************************************* */
00052 /*           Global Variables                      */
00053 /************************************************* */
00054 
00055 u_long rsbac_adf_request_count[T_NONE+1] = {0,0,0,0,0,0,0,0};
00056 u_long rsbac_adf_set_attr_count[T_NONE+1] = {0,0,0,0,0,0,0,0};
00057 #ifdef CONFIG_RSBAC_XSTATS
00058 u_long rsbac_adf_request_xcount[T_NONE+1][R_NONE];
00059 u_long rsbac_adf_set_attr_xcount[T_NONE+1][R_NONE];
00060 #endif
00061 
00062 /******* MAC ********/
00063 #ifdef CONFIG_RSBAC_SWITCH_MAC
00064 rsbac_boolean_t rsbac_switch_mac = TRUE;
00065 #endif  /* MAC */
00066 
00067 /******* PM ********/
00068 #ifdef CONFIG_RSBAC_SWITCH_PM
00069 rsbac_boolean_t rsbac_switch_pm = TRUE;
00070 #endif  /* PM */
00071 
00072 /******* DAZ ********/
00073 #ifdef CONFIG_RSBAC_SWITCH_DAZ
00074 rsbac_boolean_t rsbac_switch_daz = TRUE;
00075 #endif  /* DAZ */
00076 
00077 /******* FF ********/
00078 #ifdef CONFIG_RSBAC_SWITCH_FF
00079 rsbac_boolean_t rsbac_switch_ff = TRUE;
00080 #endif  /* FF */
00081 
00082 /******* RC ********/
00083 #ifdef CONFIG_RSBAC_SWITCH_RC
00084 rsbac_boolean_t rsbac_switch_rc = TRUE;
00085 #endif  /* RC */
00086 
00087 /****** AUTH *******/
00088 #ifdef CONFIG_RSBAC_SWITCH_AUTH
00089 rsbac_boolean_t rsbac_switch_auth = TRUE;
00090 #endif  /* AUTH */
00091 
00092 /****** ACL *******/
00093 #ifdef CONFIG_RSBAC_SWITCH_ACL
00094 rsbac_boolean_t rsbac_switch_acl = TRUE;
00095 #endif  /* ACL */
00096 
00097 /****** CAP *******/
00098 #ifdef CONFIG_RSBAC_SWITCH_CAP
00099 rsbac_boolean_t rsbac_switch_cap = TRUE;
00100 #endif  /* CAP */
00101 
00102 /****** JAIL *******/
00103 #ifdef CONFIG_RSBAC_SWITCH_JAIL
00104 rsbac_boolean_t rsbac_switch_jail = TRUE;
00105 #endif  /* JAIL */
00106 
00107 /****** PAX ********/
00108 #ifdef CONFIG_RSBAC_SWITCH_PAX
00109 rsbac_boolean_t rsbac_switch_pax = TRUE;
00110 #endif  /* PAX */
00111 
00112 /****** RES *******/
00113 #ifdef CONFIG_RSBAC_SWITCH_RES
00114 rsbac_boolean_t rsbac_switch_res = TRUE;
00115 #endif  /* RES */
00116 
00117 /************************************************* */
00118 /*          Internal Help functions                */
00119 /************************************************* */
00120 
00121 /************************************************* */
00122 /*          Externally visible functions           */
00123 /************************************************* */
00124 
00125 /* Init function, calls inits for all sub-modules  */
00126 
00127 #ifdef CONFIG_RSBAC_INIT_DELAY
00128 void rsbac_init_adf(void)
00129 #else
00130 void __init rsbac_init_adf(void)
00131 #endif
00132   {
00133     #if defined(CONFIG_RSBAC_REG)
00134     rsbac_reg_init();
00135     #endif
00136   }
00137 
00138 enum rsbac_adf_req_ret_t
00139     adf_and_plus(enum rsbac_adf_req_ret_t res1,
00140                  enum rsbac_adf_req_ret_t res2)
00141   {
00142     switch (res1)
00143       {
00144         case DO_NOT_CARE: return (res2);
00145         case GRANTED:     if (res2 == DO_NOT_CARE)
00146                             return (GRANTED);
00147                           else
00148                             return (res2);
00149         case NOT_GRANTED: if (res2 == UNDEFINED)
00150                             return (UNDEFINED);
00151                           else
00152                             return (NOT_GRANTED);
00153         default:          return (UNDEFINED);
00154       }
00155   }
00156 
00157 /*
00158  * rsbac_adf_request_int()
00159  * This function is the main decision function, called though the
00160  * rsbac_adf_request wrapper from the AEF.
00161  */
00162 
00163 EXPORT_SYMBOL(rsbac_adf_request_int);
00164 enum rsbac_adf_req_ret_t
00165    rsbac_adf_request_int(enum  rsbac_adf_request_t     request,
00166                                rsbac_pid_t             caller_pid,
00167                          enum  rsbac_target_t          target,
00168                          union rsbac_target_id_t     * tid_p,
00169                          enum  rsbac_attribute_t       attr,
00170                          union rsbac_attribute_value_t * attr_val_p,
00171                          enum  rsbac_switch_target_t   ignore_module)
00172   {
00173     union rsbac_target_id_t        i_tid;
00174     union rsbac_attribute_value_t  i_attr_val;
00175           rsbac_uid_t              owner=0;
00176     int tmperr=0;
00177     rsbac_request_vector_t      request_vector;
00178     enum rsbac_adf_req_ret_t   result = DO_NOT_CARE;
00179 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00180     enum rsbac_adf_req_ret_t   ret_result = DO_NOT_CARE;
00181 #endif
00182 #ifndef CONFIG_RSBAC_MAINT
00183     enum rsbac_adf_req_ret_t   mod_result[SW_NONE + 1] = {
00184                                    DO_NOT_CARE,
00185                                    DO_NOT_CARE,
00186                                    DO_NOT_CARE,
00187                                    DO_NOT_CARE,
00188                                    DO_NOT_CARE,
00189                                    DO_NOT_CARE,
00190                                    DO_NOT_CARE,
00191                                    DO_NOT_CARE,
00192                                    DO_NOT_CARE,
00193                                    DO_NOT_CARE,
00194                                    DO_NOT_CARE,
00195                                    DO_NOT_CARE,
00196                                    DO_NOT_CARE,
00197                                    DO_NOT_CARE,
00198                                    DO_NOT_CARE,
00199                                    DO_NOT_CARE,
00200                                    DO_NOT_CARE,
00201                                    DO_NOT_CARE
00202                                  };
00203 #endif
00204     rsbac_boolean_t do_log = FALSE;
00205     rsbac_boolean_t log_on_request = TRUE;
00206 /* only if individual logging is enabled */
00207 #if defined(CONFIG_RSBAC_IND_LOG) || defined(CONFIG_RSBAC_IND_NETDEV_LOG) || defined(CONFIG_RSBAC_IND_NETOBJ_LOG)
00208     union rsbac_attribute_value_t  i_attr_val2;
00209     enum rsbac_log_level_t log_level;
00210 #endif
00211     struct super_block * sb_p;
00212 #ifdef CONFIG_RSBAC_SOFTMODE
00213     rsbac_boolean_t rsbac_internal = FALSE;
00214 #endif
00215 
00216 /* No decision possible before init (called at boot time) -> don't care */
00217     if (!rsbac_is_initialized())
00218       return(DO_NOT_CARE);
00219 
00220 /* Always granted for kernel (pid 0) and logging daemon */
00221     if (   !caller_pid
00222         #if defined(CONFIG_RSBAC_LOG_REMOTE)
00223         || (caller_pid == rsbaclogd_pid)
00224         #endif
00225        )
00226       return(GRANTED);
00227 
00228 /* Checking base values */
00229     if(   request >= R_NONE
00230        || target > T_NONE
00231        || attr > A_none)
00232       {
00233         rsbac_printk(KERN_WARNING
00234                "rsbac_adf_request_int(): called with invalid request, target or attribute\n");
00235         return(NOT_GRANTED);
00236       }
00237     request_vector = RSBAC_REQUEST_VECTOR(request);
00238 
00239     if (in_interrupt())
00240       {
00241         char * request_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00242 
00243         if(request_name)
00244           {
00245             get_request_name(request_name, request);
00246             rsbac_printk(KERN_WARNING "rsbac_adf_request_int(): called from interrupt: request %s, pid %u, attr_val %u!\n",
00247                    request_name, caller_pid, attr_val_p->dummy);
00248             kfree(request_name);
00249           }
00250         else
00251           {
00252             rsbac_printk(KERN_WARNING "rsbac_adf_request_int(): called from interrupt: request %u, pid %u!\n",
00253                    request, caller_pid);
00254           }
00255 //        return DO_NOT_CARE;
00256       }
00257 
00258 /* Getting basic information about this request */
00259 
00260     /* only useful for real process, not idle or init */
00261     if (caller_pid > 1)
00262       {
00263         tmperr = rsbac_get_owner(&owner);
00264         if(tmperr)
00265           {
00266             rsbac_printk(KERN_DEBUG
00267                    "rsbac_adf_request_int(): caller_pid %i, RSBAC not initialized, returning DO_NOT_CARE\n",
00268                    caller_pid);
00269             return DO_NOT_CARE;      /* Startup-Sequence (see above) */
00270           }
00271       }
00272     else  /* caller_pid = 1 -> init, always owned by root */
00273       owner = 0;
00274 
00275 
00276 /******************************************************/
00277 /* General work for all modules - before module calls */
00278     /* test target on rsbac_internal */
00279     switch(target)
00280       {
00281         case T_FILE:
00282         case T_DIR:
00283         case T_FIFO:
00284         case T_SYMLINK:
00285 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
00286           if (   ((sb_p = rsbac_get_super_block(tid_p->file.device)))
00287               && (   (sb_p->s_magic == NFS_SUPER_MAGIC)
00288                   || (sb_p->s_magic == CODA_SUPER_MAGIC)
00289                   || (sb_p->s_magic == NCP_SUPER_MAGIC)
00290                   || (sb_p->s_magic == SMB_SUPER_MAGIC)
00291                  )
00292              )
00293             {
00294               result = DO_NOT_CARE;
00295               goto log;
00296             }
00297 #endif
00298           /* No decision on pseudo pipefs */
00299           if(   (target == T_FIFO)
00300              && ((sb_p = rsbac_get_super_block(tid_p->file.device)))
00301              && (sb_p->s_magic == PIPEFS_MAGIC)
00302             )
00303             return DO_NOT_CARE;
00304 
00305           switch(request)
00306             {
00307               case R_GET_STATUS_DATA:
00308               case R_GET_PERMISSIONS_DATA:
00309               case R_READ_ATTRIBUTE:
00310 #ifdef CONFIG_RSBAC_DAT_VISIBLE
00311               case R_SEARCH:
00312               case R_READ:
00313               case R_CLOSE:
00314               case R_CHDIR:
00315 #endif
00316                 break;
00317 
00318               default:
00319                 if ((tmperr = rsbac_get_attr(SW_GEN,
00320                                              target,
00321                                              *tid_p,
00322                                              A_internal,
00323                                              &i_attr_val,
00324                                              TRUE) ))
00325                   {
00326                     if(tmperr == -RSBAC_EINVALIDDEV)
00327                       {
00328 //                        rsbac_ds_get_error_num("rsbac_adf_request()", A_internal, tmperr);
00329                         return(DO_NOT_CARE);  /* last calls on shutdown */
00330                       }
00331                     else
00332                       {
00333                         rsbac_ds_get_error_num("rsbac_adf_request()", A_internal, tmperr);
00334                         return(NOT_GRANTED);  /* something weird happened */
00335                       }
00336                   }
00337                 /* no access to rsbac_internal objects is granted in any case */
00338                 if (i_attr_val.internal)
00339                   {
00340                     rsbac_printk(KERN_WARNING
00341                            "rsbac_adf_request(): trial to access object declared RSBAC-internal!\n");
00342                     result = NOT_GRANTED;
00343                     #ifndef CONFIG_RSBAC_MAINT
00344                     mod_result[SW_NONE] = NOT_GRANTED;
00345                     #endif
00346                     #ifdef CONFIG_RSBAC_SOFTMODE
00347                     #ifdef CONFIG_RSBAC_SOFTMODE_IND
00348                     ret_result = NOT_GRANTED;
00349                     #endif
00350                     rsbac_internal = TRUE;
00351                     #endif
00352                   }
00353             }
00354           break;
00355 
00356 #if defined(CONFIG_RSBAC_UM_EXCL)
00357         case T_PROCESS:
00358           switch(request)
00359             {
00360               case R_CHANGE_OWNER:
00361 #ifdef CONFIG_RSBAC_DAC_OWNER
00362               case R_CHANGE_DAC_EFF_OWNER:
00363               case R_CHANGE_DAC_FS_OWNER:
00364 #endif
00365                 if(   (attr == A_owner)
00366                    && !rsbac_um_no_excl
00367                    && !rsbac_um_user_exists(0, attr_val_p->owner)
00368                   )
00369                   {
00370                     rsbac_printk(KERN_INFO
00371                                  "rsbac_adf_request(): uid %u not known to RSBAC User Management!\n",
00372                                  attr_val_p->owner);
00373                     result = adf_and_plus(result, NOT_GRANTED);
00374 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00375                     ret_result = adf_and_plus(ret_result, NOT_GRANTED);
00376 #endif
00377                   }
00378                 break;
00379 
00380               case R_CHANGE_GROUP:
00381 #ifdef CONFIG_RSBAC_DAC_OWNER
00382               case R_CHANGE_DAC_EFF_GROUP:
00383               case R_CHANGE_DAC_FS_GROUP:
00384 #endif
00385                 if(   (attr == A_group)
00386                    && !rsbac_um_no_excl
00387                    && !rsbac_um_group_exists(0, attr_val_p->group)
00388                   )
00389                   {
00390                     rsbac_printk(KERN_INFO
00391                                  "rsbac_adf_request(): gid %u not known to RSBAC User Management!\n",
00392                                  attr_val_p->group);
00393                     result = adf_and_plus(result, NOT_GRANTED);
00394 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00395                     ret_result = adf_and_plus(ret_result, NOT_GRANTED);
00396 #endif
00397                   }
00398                 break;
00399 
00400               default:
00401                 break;
00402             }
00403           break;
00404 #endif /* UM_EXCL */
00405 
00406 #ifdef CONFIG_RSBAC_NET_OBJ
00407 #if defined(CONFIG_RSBAC_IND_NETOBJ_LOG) || defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_RC)
00408         case T_NETOBJ:
00409                 if(rsbac_net_remote_request(request)) {
00410                         tid_p->netobj.local_temp = 0;
00411                         rsbac_ta_net_lookup_templates(0,
00412                                                       &tid_p->
00413                                                       netobj, NULL,
00414                                                       &tid_p->netobj.remote_temp);
00415                 } else {
00416                         tid_p->netobj.remote_temp = 0;
00417                         rsbac_ta_net_lookup_templates(0,
00418                                                       &tid_p->
00419                                                       netobj,
00420                                                       &tid_p->netobj.local_temp,
00421                                                       NULL);
00422                 }
00423 #endif
00424 #endif
00425 
00426         default:
00427           break;
00428       }
00429       
00430 /**********************************************************/
00431 /* calling all decision modules, building a common result */
00432 
00433 #ifdef CONFIG_RSBAC_DEBUG
00434 /* first, check for valid request/target combination      */
00435 /* (undefined should only happen in _check and means a real bug!) */
00436   result = adf_and_plus(result,rsbac_adf_request_check(request,
00437                                                        caller_pid,
00438                                                        target,
00439                                                        tid_p,
00440                                                        attr,
00441                                                        attr_val_p,
00442                                                        owner) );
00443 #endif
00444 
00445 #if !defined(CONFIG_RSBAC_MAINT)
00446 /******* MAC ********/
00447 #if defined(CONFIG_RSBAC_MAC)
00448 #ifdef CONFIG_RSBAC_SWITCH_MAC
00449 if (rsbac_switch_mac)
00450 #endif
00451   /* no need to call module, if to be ignored */
00452   if(ignore_module != SW_MAC && (request_vector & RSBAC_MAC_REQUEST_VECTOR)) {
00453         mod_result[SW_MAC] = rsbac_adf_request_mac(request,
00454                                               caller_pid,
00455                                               target,
00456                                               *tid_p,
00457                                               attr,
00458                                               *attr_val_p,
00459                                               owner);
00460         result = adf_and_plus(result, mod_result[SW_MAC]);
00461 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00462         if(!rsbac_ind_softmode[SW_MAC])
00463           ret_result = adf_and_plus(ret_result, mod_result[SW_MAC]);
00464 #endif
00465     }
00466 #endif  /* MAC */
00467 
00468 /******* PM ********/
00469 #if defined(CONFIG_RSBAC_PM)
00470 #ifdef CONFIG_RSBAC_SWITCH_PM
00471 if (rsbac_switch_pm)
00472 #endif
00473   /* no need to call module, if to be ignored */
00474   if(ignore_module != SW_PM && (request_vector & RSBAC_PM_REQUEST_VECTOR))
00475     {
00476       mod_result[SW_PM]  = rsbac_adf_request_pm (request,
00477                                               caller_pid,
00478                                               target,
00479                                               *tid_p,
00480                                               attr,
00481                                               *attr_val_p,
00482                                               owner);
00483       result = adf_and_plus(result, mod_result[SW_PM]);
00484 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00485       if(!rsbac_ind_softmode[SW_PM])
00486         ret_result = adf_and_plus(ret_result, mod_result[SW_PM]);
00487 #endif
00488     }
00489 #endif  /* PM */
00490 
00491 /******* DAZ ********/
00492 #if defined(CONFIG_RSBAC_DAZ)
00493 #ifdef CONFIG_RSBAC_SWITCH_DAZ
00494 if (rsbac_switch_daz)
00495 #endif
00496   /* no need to call module, if to be ignored */
00497   if(ignore_module != SW_DAZ && (request_vector & RSBAC_DAZ_REQUEST_VECTOR))
00498     {
00499       mod_result[SW_DAZ]  = rsbac_adf_request_daz (request,
00500                                               caller_pid,
00501                                               target,
00502                                               *tid_p,
00503                                               attr,
00504                                               *attr_val_p,
00505                                               owner);
00506       result = adf_and_plus(result, mod_result[SW_DAZ]);
00507 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00508       if(!rsbac_ind_softmode[SW_DAZ])
00509         ret_result = adf_and_plus(ret_result, mod_result[SW_DAZ]);
00510 #endif
00511     }
00512 #endif  /* DAZ */
00513 
00514 /******* FF ********/
00515 #if defined(CONFIG_RSBAC_FF)
00516 #ifdef CONFIG_RSBAC_SWITCH_FF
00517 if (rsbac_switch_ff)
00518 #endif
00519   /* no need to call module, if to be ignored */
00520   if(ignore_module != SW_FF && (request_vector & RSBAC_FF_REQUEST_VECTOR))
00521     {
00522       mod_result[SW_FF]  = rsbac_adf_request_ff (request,
00523                                               caller_pid,
00524                                               target,
00525                                               *tid_p,
00526                                               attr,
00527                                               *attr_val_p,
00528                                               owner);
00529       result = adf_and_plus(result, mod_result[SW_FF]);
00530 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00531       if(!rsbac_ind_softmode[SW_FF])
00532         ret_result = adf_and_plus(ret_result, mod_result[SW_FF]);
00533 #endif
00534     }
00535 #endif  /* FF */
00536 
00537 /******* RC ********/
00538 #if defined(CONFIG_RSBAC_RC)
00539 #ifdef CONFIG_RSBAC_SWITCH_RC
00540 if (rsbac_switch_rc)
00541 #endif
00542   /* no need to call module, if to be ignored */
00543   if(ignore_module != SW_RC)
00544     {
00545       mod_result[SW_RC]  = rsbac_adf_request_rc (request,
00546                                               caller_pid,
00547                                               target,
00548                                               *tid_p,
00549                                               attr,
00550                                               *attr_val_p,
00551                                               owner);
00552       result = adf_and_plus(result, mod_result[SW_RC]);
00553 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00554       if(!rsbac_ind_softmode[SW_RC])
00555         ret_result = adf_and_plus(ret_result, mod_result[SW_RC]);
00556 #endif
00557     }
00558 #endif  /* RC */
00559 
00560 /****** AUTH *******/
00561 #if defined(CONFIG_RSBAC_AUTH)
00562 #ifdef CONFIG_RSBAC_SWITCH_AUTH
00563 if (rsbac_switch_auth)
00564 #endif
00565   /* no need to call module, if to be ignored */
00566   if(ignore_module != SW_AUTH && (request_vector & RSBAC_AUTH_REQUEST_VECTOR))
00567     {
00568       mod_result[SW_AUTH]= rsbac_adf_request_auth(request,
00569                                               caller_pid,
00570                                               target,
00571                                               *tid_p,
00572                                               attr,
00573                                               *attr_val_p,
00574                                               owner);
00575       result = adf_and_plus(result, mod_result[SW_AUTH]);
00576 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00577       if(!rsbac_ind_softmode[SW_AUTH])
00578         ret_result = adf_and_plus(ret_result, mod_result[SW_AUTH]);
00579 #endif
00580     }
00581 #endif  /* AUTH */
00582 
00583 /****** ACL *******/
00584 #if defined(CONFIG_RSBAC_ACL)
00585 #ifdef CONFIG_RSBAC_SWITCH_ACL
00586 if (rsbac_switch_acl)
00587 #endif
00588   /* no need to call module, if to be ignored */
00589   if(ignore_module != SW_ACL)
00590     {
00591       mod_result[SW_ACL] = rsbac_adf_request_acl(request,
00592                                               caller_pid,
00593                                               target,
00594                                               *tid_p,
00595                                               attr,
00596                                               *attr_val_p,
00597                                               owner);
00598       result = adf_and_plus(result, mod_result[SW_ACL]);
00599 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00600       if(!rsbac_ind_softmode[SW_ACL])
00601         ret_result = adf_and_plus(ret_result, mod_result[SW_ACL]);
00602 #endif
00603     }
00604 #endif  /* ACL */
00605 
00606 /****** CAP *******/
00607 #if defined(CONFIG_RSBAC_CAP)
00608 #ifdef CONFIG_RSBAC_SWITCH_CAP
00609 if (rsbac_switch_cap)
00610 #endif
00611   /* no need to call module, if to be ignored */
00612   if(ignore_module != SW_CAP && (request_vector & RSBAC_CAP_REQUEST_VECTOR))
00613     {
00614       mod_result[SW_CAP] = rsbac_adf_request_cap(request,
00615                                               caller_pid,
00616                                               target,
00617                                               *tid_p,
00618                                               attr,
00619                                               *attr_val_p,
00620                                               owner);
00621       result = adf_and_plus(result, mod_result[SW_CAP]);
00622 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00623       if(!rsbac_ind_softmode[SW_CAP])
00624         ret_result = adf_and_plus(ret_result, mod_result[SW_CAP]);
00625 #endif
00626     }
00627 #endif  /* CAP */
00628 
00629 /****** JAIL *******/
00630 #if defined(CONFIG_RSBAC_JAIL)
00631 #ifdef CONFIG_RSBAC_SWITCH_JAIL
00632 if (rsbac_switch_jail)
00633 #endif
00634   /* no need to call module, if to be ignored */
00635   if(ignore_module != SW_JAIL && (request_vector & RSBAC_JAIL_REQUEST_VECTOR))
00636     {
00637       mod_result[SW_JAIL]= rsbac_adf_request_jail(request,
00638                                               caller_pid,
00639                                               target,
00640                                               *tid_p,
00641                                               attr,
00642                                               *attr_val_p,
00643                                               owner);
00644       result = adf_and_plus(result, mod_result[SW_JAIL]);
00645 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00646       if(!rsbac_ind_softmode[SW_JAIL])
00647         ret_result = adf_and_plus(ret_result, mod_result[SW_JAIL]);
00648 #endif
00649     }
00650 #endif  /* JAIL */
00651 
00652 /******* PAX ********/
00653 #if defined(CONFIG_RSBAC_PAX)
00654 #ifdef CONFIG_RSBAC_SWITCH_PAX
00655 if (rsbac_switch_pax)
00656 #endif
00657   /* no need to call module, if to be ignored */
00658   if(ignore_module != SW_PAX && (request_vector & RSBAC_PAX_REQUEST_VECTOR))
00659     {
00660       mod_result[SW_PAX]  = rsbac_adf_request_pax (request,
00661                                               caller_pid,
00662                                               target,
00663                                               *tid_p,
00664                                               attr,
00665                                               *attr_val_p,
00666                                               owner);
00667       result = adf_and_plus(result, mod_result[SW_PAX]);
00668 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00669       if(!rsbac_ind_softmode[SW_PAX])
00670         ret_result = adf_and_plus(ret_result, mod_result[SW_PAX]);
00671 #endif
00672     }
00673 #endif  /* PAX */
00674 
00675 /****** RES *******/
00676 #if defined(CONFIG_RSBAC_RES)
00677 #ifdef CONFIG_RSBAC_SWITCH_RES
00678 if (rsbac_switch_res)
00679 #endif
00680   /* no need to call module, if to be ignored */
00681   if(ignore_module != SW_RES && (request_vector & RSBAC_RES_REQUEST_VECTOR))
00682     {
00683       mod_result[SW_RES] = rsbac_adf_request_res(request,
00684                                               caller_pid,
00685                                               target,
00686                                               *tid_p,
00687                                               attr,
00688                                               *attr_val_p,
00689                                               owner);
00690       result = adf_and_plus(result, mod_result[SW_RES]);
00691 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00692       if(!rsbac_ind_softmode[SW_RES])
00693         ret_result = adf_and_plus(ret_result, mod_result[SW_RES]);
00694 #endif
00695     }
00696 #endif  /* RES */
00697 
00698 /****** REG *******/
00699 #if defined(CONFIG_RSBAC_REG)
00700 if(ignore_module != SW_REG)
00701   {
00702     mod_result[SW_REG]= rsbac_adf_request_reg (request,
00703                                             caller_pid,
00704                                             target,
00705                                             *tid_p,
00706                                             attr,
00707                                             *attr_val_p,
00708                                             owner);
00709     result = adf_and_plus(result, mod_result[SW_REG]);
00710 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00711     if(!rsbac_ind_softmode[SW_REG])
00712       ret_result = adf_and_plus(ret_result, mod_result[SW_REG]);
00713 #endif
00714   }
00715 #endif  /* REG */
00716 
00717 #endif /* !MAINT */
00718 
00719 /****************************/
00720 
00721 #if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET)
00722     if(    rsbac_debug_adf_net
00723        && (   (target == T_NETDEV)
00724            || (target == T_NETTEMP)
00725            || (target == T_NETOBJ)
00726           )
00727       )
00728       do_log = TRUE;
00729 #endif
00730 
00731 /* log based on process owner */
00732 #ifdef CONFIG_RSBAC_IND_USER_LOG
00733     i_tid.user = owner;
00734     if (rsbac_get_attr(SW_GEN,
00735                        T_USER,
00736                        i_tid,
00737                        A_log_user_based,
00738                        &i_attr_val,
00739                        FALSE))
00740       {
00741         rsbac_ds_get_error("rsbac_adf_request()", A_log_user_based);
00742       }
00743     else
00744       {
00745         if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_user_based)
00746           do_log = TRUE;
00747       }
00748 #endif /* CONFIG_RSBAC_IND_USER_LOG */
00749 
00750 /* log based on program */
00751 #ifdef CONFIG_RSBAC_IND_PROG_LOG
00752     if(!do_log)
00753       {
00754         i_tid.process = caller_pid;
00755         if (rsbac_get_attr(SW_GEN,
00756                            T_PROCESS,
00757                            i_tid,
00758                            A_log_program_based,
00759                            &i_attr_val,
00760                            FALSE))
00761           {
00762             rsbac_ds_get_error("rsbac_adf_request()", A_log_program_based);
00763           }
00764         else
00765           {
00766             if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_program_based) 
00767               do_log = TRUE;
00768           }
00769       }
00770 #endif /* CONFIG_RSBAC_IND_PROG_LOG */
00771 
00772 /*****************************************************/
00773 /* General work for all modules - after module calls */
00774 /* Note: the process' individual logging attributes are needed above */
00775     switch(request)
00776       {
00777         case R_TERMINATE:
00778             if (target == T_PROCESS)
00779               rsbac_remove_target(T_PROCESS,*tid_p);
00780             break;
00781 
00782 #ifdef CONFIG_RSBAC_USER_CHOWN
00783         case R_CHANGE_OWNER:
00784                 if (target == T_PROCESS) {
00785                         i_tid.user = attr_val_p->owner;
00786                         i_attr_val.process = tid_p->process;
00787                         result = adf_and_plus(result,
00788                                 rsbac_adf_request_int(request,
00789                                         caller_pid,
00790                                         T_USER,
00791                                         &i_tid,
00792                                         A_process,
00793                                         &i_attr_val,
00794                                         ignore_module));
00795                 }
00796                 break;
00797 #endif
00798 
00799         default:
00800             break;
00801       }
00802 
00803 /* logging request on info level, if requested by file/dir/dev attributes */
00804 /* log_array_low/high, or, if that is requested, if enabled for this request */
00805 /* type (attributes state level, or that request based level is to be taken) */
00806 /* loglevel 2: log everything */
00807 /* loglevel 1: log, if denied */
00808 /* loglevel 0: log nothing */
00809 
00810 #ifdef CONFIG_RSBAC_IND_LOG /* only if individual logging is enabled */
00811     /* if file/dir/dev, depend log on log_arrays */
00812     /* (but not for file.device = 0) */
00813     /* log_on_request is TRUE */
00814     if(   !do_log
00815        && (   (   (   (target == T_FILE)
00816                    || (target == T_DIR)
00817                    || (target == T_FIFO)
00818                    || (target == T_SYMLINK)
00819                    || (target == T_UNIXSOCK)
00820                   )
00821                && RSBAC_MAJOR(tid_p->file.device)
00822                && RSBAC_MINOR(tid_p->file.device)
00823               )
00824            || (target == T_DEV)
00825           )
00826       )
00827       {
00828         if (rsbac_get_attr(SW_GEN,
00829                            target,
00830                            *tid_p,
00831                            A_log_array_low,
00832                            &i_attr_val,
00833                            FALSE))
00834           {
00835             rsbac_ds_get_error("rsbac_adf_request()", A_log_array_low);
00836           }
00837         else
00838           {
00839             if (rsbac_get_attr(SW_GEN,
00840                                target,
00841                                *tid_p,
00842                                A_log_array_high,
00843                                &i_attr_val2,
00844                                FALSE))
00845               {
00846                 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_high);
00847               }
00848             else
00849               { /* ll = low-bit for request | (high-bit for request as bit 1) */
00850                 /* WARNING: we deal with u64 here, only logical operations and */
00851                 /* shifts work correctly! */
00852                 log_level =   ((i_attr_val.log_array_low   >> request) & 1)
00853                           | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
00854                 if (   log_level == LL_full
00855                     || (   log_level == LL_denied
00856                         && (result == NOT_GRANTED
00857                             || result == UNDEFINED)) )
00858                   {
00859                     do_log = TRUE;
00860                   }
00861                 if(log_level != LL_request)
00862                   log_on_request = FALSE;
00863               }
00864           }
00865       }
00866 #endif /* CONFIG_RSBAC_IND_LOG */
00867 
00868 #ifdef CONFIG_RSBAC_IND_NETDEV_LOG /* only if individual logging for netdev is enabled */
00869     /* if netdev, depend log on log_arrays */
00870     /* log_on_request is TRUE */
00871     if(   !do_log
00872        && (target == T_NETDEV)
00873       )
00874       {
00875         if (rsbac_get_attr(SW_GEN,
00876                            target,
00877                            *tid_p,
00878                            A_log_array_low,
00879                            &i_attr_val,
00880                            FALSE))
00881           {
00882             rsbac_ds_get_error("rsbac_adf_request()", A_log_array_low);
00883           }
00884         else
00885           {
00886             if (rsbac_get_attr(SW_GEN,
00887                                target,
00888                                *tid_p,
00889                                A_log_array_high,
00890                                &i_attr_val2,
00891                                FALSE))
00892               {
00893                 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_high);
00894               }
00895             else
00896               { /* ll = low-bit for request | (high-bit for request as bit 1) */
00897                 /* WARNING: we deal with u64 here, only logical operations and */
00898                 /* shifts work correctly! */
00899                 log_level =   ((i_attr_val.log_array_low   >> request) & 1)
00900                           | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
00901                 if (   log_level == LL_full
00902                     || (   log_level == LL_denied
00903                         && (result == NOT_GRANTED
00904                             || result == UNDEFINED)) )
00905                   {
00906                     do_log = TRUE;
00907                   }
00908                 if(log_level != LL_request)
00909                   log_on_request = FALSE;
00910               }
00911           }
00912       }
00913 #endif /* CONFIG_RSBAC_IND_NETDEV_LOG */
00914 
00915 #ifdef CONFIG_RSBAC_IND_NETOBJ_LOG /* only if individual logging for net objects is enabled */
00916     /* if nettemp, netobj, depend log on log_arrays */
00917     /* (but not for file.device = 0) */
00918     /* log_on_request is TRUE */
00919     if(   !do_log
00920        && (   (target == T_NETTEMP)
00921            || (target == T_NETOBJ)
00922           )
00923       )
00924       {
00925         enum rsbac_attribute_t i_attr1, i_attr2;
00926 
00927         if(target == T_NETOBJ)
00928           {
00929             if(rsbac_net_remote_request(request))
00930               {
00931                 i_attr1 = A_remote_log_array_low;
00932                 i_attr2 = A_remote_log_array_high;
00933               }
00934             else
00935               {
00936                 i_attr1 = A_local_log_array_low;
00937                 i_attr2 = A_local_log_array_high;
00938               }
00939           }
00940         else
00941           {
00942             i_attr1 = A_log_array_low;
00943             i_attr2 = A_log_array_high;
00944           }
00945         if (rsbac_get_attr(SW_GEN,
00946                            target,
00947                            *tid_p,
00948                            i_attr1,
00949                            &i_attr_val,
00950                            FALSE))
00951           {
00952             rsbac_ds_get_error("rsbac_adf_request()", i_attr1);
00953           }
00954         else
00955           {
00956             if (rsbac_get_attr(SW_GEN,
00957                                target,
00958                                *tid_p,
00959                                i_attr2,
00960                                &i_attr_val2,
00961                                FALSE))
00962               {
00963                 rsbac_ds_get_error("rsbac_adf_request()", i_attr2);
00964               }
00965             else
00966               { /* ll = low-bit for request | (high-bit for request as bit 1) */
00967                 /* WARNING: we deal with u64 here, only logical operations and */
00968                 /* shifts work correctly! */
00969                 log_level =   ((i_attr_val.log_array_low   >> request) & 1)
00970                           | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
00971                 if (   log_level == LL_full
00972                     || (   log_level == LL_denied
00973                         && (result == NOT_GRANTED
00974                             || result == UNDEFINED)) )
00975                   {
00976                     do_log = TRUE;
00977                   }
00978                 if(log_level != LL_request)
00979                   log_on_request = FALSE;
00980               }
00981           }
00982       }
00983 #endif /* CONFIG_RSBAC_IND_NETOBJ_LOG */
00984 
00985 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
00986 log:
00987 #endif
00988     /* if enabled, try request based log level */
00989     if (   !do_log
00990         && log_on_request
00991         && (   rsbac_log_levels[request][target] == LL_full
00992             || (   rsbac_log_levels[request][target] == LL_denied
00993                 && (result == NOT_GRANTED
00994                     || result == UNDEFINED)) ) )
00995       do_log = TRUE;
00996 
00997     if(do_log)
00998       {
00999         char * request_name;
01000         char * res_name;
01001         char * res_mods;
01002         char * target_type_name;
01003         char * target_id_name;
01004         char * attr_name;
01005         char * attr_val_name;
01006 #ifdef CONFIG_RSBAC_NET_OBJ
01007         char * remote_ip_name;
01008 #else
01009         char remote_ip_name[1];
01010 #endif
01011         char * audit_uid_name;
01012         char  command[17];
01013         rsbac_pid_t parent_pid = 0;
01014         rsbac_uid_t audit_uid;
01015 #ifdef CONFIG_RSBAC_LOG_PSEUDO
01016         rsbac_pseudo_t  pseudo = 0;
01017 #endif
01018         char * program_path;
01019 
01020         /* parent pid */
01021         #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01022         if(current->parent)
01023           parent_pid = current->parent->pid;
01024         #else
01025         if(current->p_pptr)
01026           parent_pid = current->p_pptr->pid;
01027         #endif
01028 
01029         /* rsbac_kmalloc all memory */
01030         request_name = rsbac_kmalloc(32);
01031         res_name = rsbac_kmalloc(32);
01032         res_mods = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01033         target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01034         #ifdef CONFIG_RSBAC_LOG_FULL_PATH
01035         target_id_name
01036          = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
01037            /* max. path name len + some extra */
01038         #else
01039         target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
01040            /* max. file name len + some extra */
01041         #endif
01042         #ifdef CONFIG_RSBAC_LOG_PROGRAM_FILE
01043         #ifdef CONFIG_RSBAC_LOG_FULL_PATH
01044         program_path
01045          = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
01046            /* max. path name len + some extra */
01047         #else
01048         program_path = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
01049            /* max. file name len + some extra */
01050         #endif
01051         #else
01052         program_path = rsbac_kmalloc(2);
01053         #endif
01054         attr_name = rsbac_kmalloc(32);
01055         attr_val_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01056 #ifdef CONFIG_RSBAC_NET_OBJ
01057         remote_ip_name = rsbac_kmalloc(32);
01058 #endif
01059         audit_uid_name = rsbac_kmalloc(32);
01060 
01061         request_name[0] = (char) 0;
01062         target_type_name[0] = (char) 0;
01063         target_id_name[0] = (char) 0;
01064         program_path[0] = (char) 0;
01065         attr_name[0] = (char) 0;
01066         attr_val_name[0] = (char) 0;
01067         remote_ip_name[0] = (char) 0;
01068         audit_uid_name[0] = (char) 0;
01069         res_name[0] = (char) 0;
01070         res_mods[0] = (char) 0;
01071         command[0] = (char) 0;
01072         get_request_name(request_name, request);
01073     #if !defined(CONFIG_RSBAC_MAINT)
01074 /*
01075         if(result == mod_result[SW_NONE])
01076           {
01077             strcat(res_mods, " SW_GEN");
01078           }
01079 */
01080     #if defined(CONFIG_RSBAC_MAC)
01081         if(result == mod_result[SW_MAC])
01082           {
01083             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01084             if(rsbac_ind_softmode[SW_MAC])
01085               strcat(res_mods, " MAC(Softmode)");
01086             else
01087             #endif
01088               strcat(res_mods, " MAC");
01089           }
01090     #endif
01091     #if defined(CONFIG_RSBAC_PM)
01092         if(result == mod_result[SW_PM])
01093           {
01094             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01095             if(rsbac_ind_softmode[SW_PM])
01096               strcat(res_mods, " PM(Softmode)");
01097             else
01098             #endif
01099               strcat(res_mods, " PM");
01100           }
01101     #endif
01102     #if defined(CONFIG_RSBAC_DAZ)
01103         if(result == mod_result[SW_DAZ])
01104           {
01105             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01106             if(rsbac_ind_softmode[SW_DAZ])
01107               strcat(res_mods, " DAZ(Softmode)");
01108             else
01109             #endif
01110               strcat(res_mods, " DAZ");
01111           }
01112     #endif
01113     #ifdef CONFIG_RSBAC_FF
01114         if(result == mod_result[SW_FF])
01115           {
01116             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01117             if(rsbac_ind_softmode[SW_FF])
01118               strcat(res_mods, " FF(Softmode)");
01119             else
01120             #endif
01121               strcat(res_mods, " FF");
01122           }
01123     #endif
01124     #ifdef CONFIG_RSBAC_RC
01125         if(result == mod_result[SW_RC])
01126           {
01127             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01128             if(rsbac_ind_softmode[SW_RC])
01129               strcat(res_mods, " RC(Softmode)");
01130             else
01131             #endif
01132               strcat(res_mods, " RC");
01133           }
01134     #endif
01135     #ifdef CONFIG_RSBAC_AUTH
01136         if(result == mod_result[SW_AUTH])
01137           {
01138             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01139             if(rsbac_ind_softmode[SW_AUTH])
01140               strcat(res_mods, " AUTH(Softmode)");
01141             else
01142             #endif
01143               strcat(res_mods, " AUTH");
01144           }
01145     #endif
01146     #ifdef CONFIG_RSBAC_ACL
01147         if(result == mod_result[SW_ACL])
01148           {
01149             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01150             if(rsbac_ind_softmode[SW_ACL])
01151               strcat(res_mods, " ACL(Softmode)");
01152             else
01153             #endif
01154               strcat(res_mods, " ACL");
01155           }
01156     #endif
01157     #ifdef CONFIG_RSBAC_CAP
01158         if(result == mod_result[SW_CAP])
01159           {
01160             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01161             if(rsbac_ind_softmode[SW_CAP])
01162               strcat(res_mods, " CAP(Softmode)");
01163             else
01164             #endif
01165               strcat(res_mods, " CAP");
01166           }
01167     #endif
01168     #ifdef CONFIG_RSBAC_JAIL
01169         if(result == mod_result[SW_JAIL])
01170           {
01171             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01172             if(rsbac_ind_softmode[SW_JAIL])
01173               strcat(res_mods, " JAIL(Softmode)");
01174             else
01175             #endif
01176               strcat(res_mods, " JAIL");
01177           }
01178     #endif
01179     #ifdef CONFIG_RSBAC_RES
01180         if(result == mod_result[SW_RES])
01181           {
01182             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01183             if(rsbac_ind_softmode[SW_RES])
01184               strcat(res_mods, " RES(Softmode)");
01185             else
01186             #endif
01187               strcat(res_mods, " RES");
01188           }
01189     #endif
01190     #ifdef CONFIG_RSBAC_REG
01191         if(result == mod_result[SW_REG])
01192           {
01193             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01194             if(rsbac_ind_softmode[SW_REG])
01195               strcat(res_mods, " REG(Softmode)");
01196             else
01197             #endif
01198               strcat(res_mods, " REG");
01199           }
01200     #endif
01201     #endif /* !MAINT */
01202         if(!res_mods[0])
01203           strcat(res_mods, " ADF");
01204 
01205         /* Get process audit_uid */
01206         i_tid.process = caller_pid;
01207         if (rsbac_get_attr(SW_GEN,T_PROCESS,i_tid,A_audit_uid,&i_attr_val,FALSE))
01208           {
01209             rsbac_ds_get_error("rsbac_adf_request()", A_audit_uid);
01210             return(NOT_GRANTED);  /* something weird happened */
01211           }
01212         audit_uid = i_attr_val.audit_uid;
01213         if(audit_uid == RSBAC_NO_USER)
01214           audit_uid = owner;
01215         else
01216           sprintf(audit_uid_name, "audit uid %u, ", audit_uid);
01217 #ifdef CONFIG_RSBAC_LOG_PSEUDO
01218         /* Get owner's logging pseudo */
01219         i_tid.user = audit_uid;
01220         if (rsbac_get_attr(SW_GEN,T_USER,i_tid,A_pseudo,&i_attr_val,FALSE))
01221           {
01222             rsbac_ds_get_error("rsbac_adf_request()", A_pseudo);
01223             return(NOT_GRANTED);  /* something weird happened */
01224           }
01225         /* if pseudo is not registered, return attribute value is 0 (see later) */
01226         pseudo = i_attr_val.pseudo;
01227 #endif
01228 
01229 #ifdef CONFIG_RSBAC_NET_OBJ
01230         /* Get process remote_ip */
01231         i_tid.process = caller_pid;
01232         if (rsbac_get_attr(SW_GEN,T_PROCESS,i_tid,A_remote_ip,&i_attr_val,FALSE))
01233           {
01234             rsbac_ds_get_error("rsbac_adf_request()", A_remote_ip);
01235             return(NOT_GRANTED);  /* something weird happened */
01236           }
01237         if(i_attr_val.remote_ip)
01238           sprintf(remote_ip_name, "remote ip %u.%u.%u.%u, ", NIPQUAD(i_attr_val.remote_ip));
01239 #endif
01240 
01241         #ifdef CONFIG_RSBAC_LOG_PROGRAM_FILE
01242         {
01243           struct mm_struct * mm;
01244           struct vm_area_struct * vma;
01245           struct dentry * dentry_p = NULL;
01246 
01247           mm = current->mm;
01248           if(mm)
01249             {
01250               atomic_inc(&mm->mm_users);
01251               if(!down_read_trylock(&mm->mmap_sem))
01252                 goto down_failed;
01253               vma = mm->mmap;
01254               while (vma)
01255                 {
01256                   if(   (vma->vm_flags & VM_EXECUTABLE)
01257                      && vma->vm_file)
01258                     {
01259                       dentry_p = dget(vma->vm_file->f_dentry);
01260                       break;
01261                     }
01262                   vma = vma->vm_next;
01263                 }
01264               up_read(&mm->mmap_sem);
01265               if(dentry_p)
01266                 {
01267                   char * p = program_path;
01268 
01269                   p += sprintf(program_path, ", prog_file ");
01270                   #ifdef CONFIG_RSBAC_LOG_FULL_PATH
01271                   rsbac_get_full_path(dentry_p, p, CONFIG_RSBAC_MAX_PATH_LEN);
01272                   #else
01273                   int namelen = rsbac_min(dentry_p->d_name.len, RSBAC_MAXNAMELEN);
01274 
01275                   strncpy(p, dentry_p->d_name.name, namelen);
01276                   p[namelen]=0;
01277                   #endif
01278                   dput(dentry_p);
01279                 }
01280 down_failed:
01281               mmput(mm);
01282             }
01283         }
01284         #endif
01285         get_target_name(target_type_name, target, target_id_name, *tid_p);
01286         get_attribute_name(attr_name, attr);
01287         get_attribute_value_name(attr_val_name, attr, attr_val_p);
01288         get_result_name(res_name, result);
01289         if ((current) && (current->comm))
01290           {
01291             strncpy(command,current->comm,16);          
01292             command[16] = (char) 0;
01293           }
01294 
01295 #ifdef CONFIG_RSBAC_LOG_PSEUDO
01296         /* if pseudo is set, its value is != 0, else -> use id */
01297         if (pseudo)
01298           {
01299     #ifdef CONFIG_RSBAC_SOFTMODE
01300             if(rsbac_softmode)
01301               rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, pseudo %u, %starget_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n",
01302                            request_name, caller_pid, parent_pid, command, program_path, pseudo, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01303             else
01304     #endif
01305               rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, pseudo %u, %starget_type %s, tid %s, attr %s, value %s, result %s by%s\n",
01306                            request_name, caller_pid, parent_pid, command, program_path, pseudo, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01307           }
01308         else
01309 #endif
01310           {
01311     #ifdef CONFIG_RSBAC_SOFTMODE
01312             if(rsbac_softmode)
01313               rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, %s%starget_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n",
01314                            request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid_name, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01315             else
01316     #endif
01317               rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, %s%starget_type %s, tid %s, attr %s, value %s, result %s by%s\n",
01318                            request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid_name, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01319           }
01320         /* rsbac_kfree all helper mem */
01321         rsbac_kfree(request_name);
01322         rsbac_kfree(res_name);
01323         rsbac_kfree(res_mods);
01324         rsbac_kfree(target_type_name);
01325         rsbac_kfree(target_id_name);
01326         rsbac_kfree(program_path);
01327         rsbac_kfree(attr_name);
01328         rsbac_kfree(attr_val_name);
01329 #ifdef CONFIG_RSBAC_NET_OBJ
01330         rsbac_kfree(remote_ip_name);
01331 #endif
01332         rsbac_kfree(audit_uid_name);
01333       }
01334 
01335 /* UNDEFINED must never be returned -> change result */
01336     if(result == UNDEFINED)
01337       result = NOT_GRANTED;
01338 
01339 /* count */
01340     rsbac_adf_request_count[target]++;
01341 #ifdef CONFIG_RSBAC_XSTATS
01342     rsbac_adf_request_xcount[target][request]++;
01343 #endif
01344 
01345 /* return result */
01346     #ifdef CONFIG_RSBAC_SOFTMODE
01347     if(rsbac_softmode && !rsbac_internal)
01348       return DO_NOT_CARE;
01349     else
01350     #endif
01351     #ifdef CONFIG_RSBAC_SOFTMODE_IND
01352       return ret_result;
01353     #else
01354       return result; /* change for debugging! */
01355     #endif
01356   } /* end of rsbac_adf_request_int() */
01357 
01358 
01359 /*****************************************************************************/
01360 /* If the request returned granted and the operation is performed,           */
01361 /* the following function is called by the AEF to get all aci set correctly. */
01362 /* The second instance of target specification is the new target, if one has */
01363 /* been created, otherwise its values are ignored.                           */
01364 /* It returns 0 on success and an error from error.h otherwise.              */
01365 
01366 EXPORT_SYMBOL(rsbac_adf_set_attr);
01367 int  rsbac_adf_set_attr(
01368                       enum  rsbac_adf_request_t     request,
01369                             rsbac_pid_t             caller_pid,
01370                       enum  rsbac_target_t          target,
01371                       union rsbac_target_id_t       tid,
01372                       enum  rsbac_target_t          new_target,
01373                       union rsbac_target_id_t       new_tid,
01374                       enum  rsbac_attribute_t       attr,
01375                       union rsbac_attribute_value_t attr_val)
01376   {
01377     union rsbac_target_id_t i_tid;
01378     rsbac_uid_t owner;
01379     int   error = 0;
01380     rsbac_request_vector_t      request_vector;
01381     rsbac_boolean_t do_log = FALSE;
01382     rsbac_boolean_t log_on_request = TRUE;
01383     union rsbac_attribute_value_t i_attr_val;
01384 #ifdef CONFIG_RSBAC_IND_LOG
01385     union rsbac_attribute_value_t i_attr_val2;
01386     enum rsbac_log_level_t log_level;
01387 #endif
01388 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
01389     struct super_block * sb_p;
01390 #endif
01391 
01392 /* No attribute setting possible before init (called at boot time) */
01393 
01394    if (!rsbac_is_initialized())
01395       return 0;
01396 
01397 /* kernel (pid 0) is ignored */
01398     if (   !caller_pid
01399         #if defined(CONFIG_RSBAC_LOG_REMOTE)
01400         || (caller_pid == rsbaclogd_pid)
01401         #endif
01402        )
01403       return 0;
01404 
01405 /* Checking base values */
01406     if(   request >= R_NONE
01407        || target > T_NONE
01408        || new_target > T_NONE
01409        || attr > A_none)
01410       {
01411         rsbac_printk(KERN_WARNING
01412                "rsbac_adf_set_attr(): called with invalid request, target or attribute\n");
01413         return(-RSBAC_EINVALIDVALUE);
01414       }
01415     request_vector = RSBAC_REQUEST_VECTOR(request);
01416 
01417 /* Getting basic information about this adf_set_attr-call */
01418 
01419     owner = RSBAC_NO_USER;
01420     /* only useful for real process, not idle or init */
01421     if (caller_pid > 1)
01422       {
01423         error = rsbac_get_owner(&owner);
01424         if(error)
01425           {
01426             rsbac_printk(KERN_DEBUG
01427                    "rsbac_adf_set_attr(): caller_pid %i, RSBAC not initialized, returning 0",
01428                    caller_pid);
01429             return(0);      /* Startup-Sequence (see above) */
01430           }
01431       }
01432     else /* caller_pid = 1  -> init -> owner = root */
01433       owner = 0;
01434 
01435 /*************************************************/
01436 /* General work for all modules - before modules */
01437 #if defined(CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT) || defined(CONFIG_RSBAC_FD_CACHE)
01438     switch (target) {
01439       case T_DIR:
01440 #if defined(CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT)
01441         if ((sb_p = rsbac_get_super_block(tid.file.device))
01442             && (   (sb_p->s_magic == NFS_SUPER_MAGIC)
01443                 || (sb_p->s_magic == CODA_SUPER_MAGIC)
01444                 || (sb_p->s_magic == NCP_SUPER_MAGIC)
01445                 || (sb_p->s_magic == SMB_SUPER_MAGIC)
01446                )
01447         ) {
01448           error = 0;
01449           goto log;
01450         }
01451 #endif
01452 #if defined(CONFIG_RSBAC_FD_CACHE)
01453         if (request == R_RENAME)
01454           rsbac_fd_cache_invalidate_all();
01455 #endif
01456         break;
01457 
01458       case T_FILE:
01459       case T_FIFO:
01460       case T_SYMLINK:
01461       case T_UNIXSOCK:
01462 #if defined(CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT)
01463         if ((sb_p = rsbac_get_super_block(tid.file.device))
01464             && (   (sb_p->s_magic == NFS_SUPER_MAGIC)
01465                 || (sb_p->s_magic == CODA_SUPER_MAGIC)
01466                 || (sb_p->s_magic == NCP_SUPER_MAGIC)
01467                 || (sb_p->s_magic == SMB_SUPER_MAGIC)
01468                )
01469           ) {
01470           error = 0;
01471           goto log;
01472         }
01473 #endif
01474 #if defined(CONFIG_RSBAC_FD_CACHE)
01475         if (request == R_RENAME)
01476           rsbac_fd_cache_invalidate(&tid.file);
01477 #endif
01478         break;
01479 
01480       default:
01481         break;
01482     }
01483 #endif
01484 
01485 /**********************************************************/
01486 /* calling all decision modules, building a common result */
01487 
01488 
01489 #ifdef CONFIG_RSBAC_DEBUG
01490 /* first, check for valid request/target combination      */
01491 error |= rsbac_adf_set_attr_check(request,
01492                                   caller_pid,
01493                                   target,
01494                                   tid,
01495                                   new_target,
01496                                   new_tid,
01497                                   attr,
01498                                   attr_val,
01499                                   owner);
01500 if(error)
01501   goto general_work;
01502 #endif
01503 
01504 #if !defined(CONFIG_RSBAC_MAINT)
01505 /******* MAC ********/
01506 #if defined(CONFIG_RSBAC_MAC)
01507 #ifdef CONFIG_RSBAC_SWITCH_MAC
01508 if (rsbac_switch_mac)
01509 #endif
01510   if(request_vector & RSBAC_MAC_SET_ATTR_VECTOR)
01511     error |= rsbac_adf_set_attr_mac(request,
01512                                   caller_pid,
01513                                   target,
01514                                   tid,
01515                                   new_target,
01516                                   new_tid,
01517                                   attr,
01518                                   attr_val,
01519                                   owner);
01520 #endif  /* MAC */
01521 
01522 /******* PM ********/
01523 #ifdef CONFIG_RSBAC_PM
01524 #ifdef CONFIG_RSBAC_SWITCH_PM
01525 if (rsbac_switch_pm)
01526 #endif
01527   if(request_vector & RSBAC_PM_SET_ATTR_VECTOR)
01528     error |= rsbac_adf_set_attr_pm (request,
01529                                   caller_pid,
01530                                   target,
01531                                   tid,
01532                                   new_target,
01533                                   new_tid,
01534                                   attr,
01535                                   attr_val,
01536                                   owner);
01537 #endif  /* PM */
01538 
01539 /******* DAZ ********/
01540 #ifdef CONFIG_RSBAC_DAZ
01541 #ifdef CONFIG_RSBAC_SWITCH_DAZ
01542 if (rsbac_switch_daz)
01543 #endif
01544   if(request_vector & RSBAC_DAZ_SET_ATTR_VECTOR)
01545     error |= rsbac_adf_set_attr_daz (request,
01546                                   caller_pid,
01547                                   target,
01548                                   tid,
01549                                   new_target,
01550                                   new_tid,
01551                                   attr,
01552                                   attr_val,
01553                                   owner);
01554 #endif  /* DAZ */
01555 
01556 /******* RC ********/
01557 #ifdef CONFIG_RSBAC_RC
01558 #ifdef CONFIG_RSBAC_SWITCH_RC
01559 if (rsbac_switch_rc)
01560 #endif
01561   error |= rsbac_adf_set_attr_rc (request,
01562                                   caller_pid,
01563                                   target,
01564                                   tid,
01565                                   new_target,
01566                                   new_tid,
01567                                   attr,
01568                                   attr_val,
01569                                   owner);
01570 #endif  /* RC */
01571 
01572 /****** AUTH *******/
01573 #ifdef CONFIG_RSBAC_AUTH
01574 #ifdef CONFIG_RSBAC_SWITCH_AUTH
01575 if (rsbac_switch_auth)
01576 #endif
01577   if(request_vector & RSBAC_AUTH_SET_ATTR_VECTOR)
01578     error |= rsbac_adf_set_attr_auth(request,
01579                                    caller_pid,
01580                                    target,
01581                                    tid,
01582                                    new_target,
01583                                    new_tid,
01584                                    attr,
01585                                    attr_val,
01586                                    owner);
01587 #endif  /* AUTH */
01588 
01589 /****** CAP *******/
01590 #ifdef CONFIG_RSBAC_CAP
01591 #ifdef CONFIG_RSBAC_SWITCH_CAP
01592 if (rsbac_switch_cap)
01593 #endif
01594   if(request_vector & RSBAC_CAP_SET_ATTR_VECTOR)
01595     error |= rsbac_adf_set_attr_cap (request,
01596                                    caller_pid,
01597                                    target,
01598                                    tid,
01599                                    new_target,
01600                                    new_tid,
01601                                    attr,
01602                                    attr_val,
01603                                    owner);
01604 #endif  /* CAP */
01605 
01606 /****** JAIL *******/
01607 #ifdef CONFIG_RSBAC_JAIL
01608 #ifdef CONFIG_RSBAC_SWITCH_JAIL
01609 if (rsbac_switch_jail)
01610 #endif
01611   if(request_vector & RSBAC_JAIL_SET_ATTR_VECTOR)
01612     error |= rsbac_adf_set_attr_jail(request,
01613                                    caller_pid,
01614                                    target,
01615                                    tid,
01616                                    new_target,
01617                                    new_tid,
01618                                    attr,
01619                                    attr_val,
01620                                    owner);
01621 #endif  /* JAIL */
01622 
01623 /****** RES *******/
01624 #ifdef CONFIG_RSBAC_RES
01625 #ifdef CONFIG_RSBAC_SWITCH_RES
01626 if (rsbac_switch_res)
01627 #endif
01628   if(request_vector & RSBAC_RES_SET_ATTR_VECTOR)
01629     error |= rsbac_adf_set_attr_res (request,
01630                                    caller_pid,
01631                                    target,
01632                                    tid,
01633                                    new_target,
01634                                    new_tid,
01635                                    attr,
01636                                    attr_val,
01637                                    owner);
01638 #endif  /* RES */
01639 
01640 /****** REG *******/
01641 #ifdef CONFIG_RSBAC_REG
01642   error |= rsbac_adf_set_attr_reg (request,
01643                                    caller_pid,
01644                                    target,
01645                                    tid,
01646                                    new_target,
01647                                    new_tid,
01648                                    attr,
01649                                    attr_val,
01650                                    owner);
01651 #endif  /* REG */
01652 #endif /* !MAINT */
01653 
01654 /* General work for all modules (after set_attr call) */
01655 #ifdef CONFIG_RSBAC_DEBUG
01656 general_work:
01657 #endif
01658     switch(request)
01659       {
01660         /* remove deleted item from rsbac data */
01661         case R_DELETE :
01662             switch (target)
01663               {
01664                 case T_FILE:
01665                 case T_FIFO:
01666                 case T_SYMLINK:
01667                   /* Only remove file/fifo target on deletion of last link */
01668                   if (   (attr == A_nlink)
01669                       && (attr_val.nlink > 1)
01670                      )
01671                      break;
01672                   /* fall through */
01673                 case T_DIR:
01674                   rsbac_remove_target(target,tid);
01675                   break;
01676                 case T_IPC:
01677                   /* shm removal delayed and removed directly, when destroyed */
01678                   if(tid.ipc.type != I_shm)
01679                     rsbac_remove_target(target,tid);
01680                   break;
01681                 default:
01682                   break;
01683               }
01684             break;
01685 
01686         case R_CLONE:
01687             switch (target)
01688               {
01689                 case T_PROCESS:
01690                   #if defined(CONFIG_RSBAC_IND_PROG_LOG)
01691                   /* get program based log from old process */
01692                   if (rsbac_get_attr(SW_GEN,
01693                                      target,
01694                                      tid,
01695                                      A_log_program_based,
01696                                      &i_attr_val,
01697                                      FALSE))
01698                     {
01699                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
01700                     }
01701                   else
01702                     { /* only set, of not default value 0 */
01703                       if(i_attr_val.log_program_based)
01704                         {
01705                           /* set program based log for new process */
01706                           if (rsbac_set_attr(SW_GEN, new_target,
01707                                              new_tid,
01708                                              A_log_program_based,
01709                                              i_attr_val))
01710                             {
01711                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_log_program_based);
01712                             }
01713                         }
01714                     }
01715                   #endif
01716                   #if defined(CONFIG_RSBAC_FAKE_ROOT_UID)
01717                   /* get fake_root_uid from old process */
01718                   if (rsbac_get_attr(SW_GEN,
01719                                      target,
01720                                      tid,
01721                                      A_fake_root_uid,
01722                                      &i_attr_val,
01723                                      FALSE))
01724                     {
01725                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_fake_root_uid);
01726                     }
01727                   else
01728                     { /* only set, of not default value 0 */
01729                       if(i_attr_val.fake_root_uid)
01730                         {
01731                           /* set program based log for new process */
01732                           if (rsbac_set_attr(SW_GEN, new_target,
01733                                              new_tid,
01734                                              A_fake_root_uid,
01735                                              i_attr_val))
01736                             {
01737                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid);
01738                             }
01739                         }
01740                     }
01741                   #endif
01742                   #if defined(CONFIG_RSBAC_NET)
01743                   /* get remote_ip from old process */
01744                   if (rsbac_get_attr(SW_GEN,
01745                                      target,
01746                                      tid,
01747                                      A_remote_ip,
01748                                      &i_attr_val,
01749                                      FALSE))
01750                     {
01751                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_remote_ip);
01752                     }
01753                   else
01754                     { /* only set, of not default value 0 */
01755                       if(i_attr_val.remote_ip)
01756                         {
01757                           /* set program based log for new process */
01758                           if (rsbac_set_attr(SW_GEN, new_target,
01759                                              new_tid,
01760                                              A_remote_ip,
01761                                              i_attr_val))
01762                             {
01763                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_remote_ip);
01764                             }
01765                         }
01766                     }
01767                   #endif
01768                         /* get kernel_thread from old process */
01769                         if (rsbac_get_attr(SW_GEN,
01770                                         target,
01771                                         tid,
01772                                         A_kernel_thread,
01773                                         &i_attr_val, FALSE)) {
01774                                 rsbac_ds_get_error("rsbac_adf_set_attr()",
01775                                                 A_kernel_thread);
01776                         } else {
01777                                 if (i_attr_val.kernel_thread) {
01778                                         if (rsbac_set_attr(SW_GEN, new_target,
01779                                                         new_tid,
01780                                                         A_kernel_thread,
01781                                                         i_attr_val)) {
01782                                                 rsbac_ds_set_error
01783                                                         ("rsbac_adf_set_attr()",
01784                                                          A_kernel_thread);
01785                                         }
01786                                 }
01787                         }
01788 
01789                   /* get audit_uid from old process */
01790                   if (rsbac_get_attr(SW_GEN,
01791                                      target,
01792                                      tid,
01793                                      A_audit_uid,
01794                                      &i_attr_val,
01795                                      FALSE))
01796                     {
01797                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_audit_uid);
01798                     }
01799                   else
01800                     { /* only set, of not default value NO_USER */
01801                       if(i_attr_val.audit_uid != RSBAC_NO_USER)
01802                         {
01803                           /* set audit uid for new process */
01804                           if (rsbac_set_attr(SW_GEN,
01805                                              new_target,
01806                                              new_tid,
01807                                              A_audit_uid,
01808                                              i_attr_val))
01809                             {
01810                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_audit_uid);
01811                             }
01812                         }
01813                     }
01814                   /* get auid_exempt from old process */
01815                   if (rsbac_get_attr(SW_GEN,
01816                                      target,
01817                                      tid,
01818                                      A_auid_exempt,
01819                                      &i_attr_val,
01820                                      FALSE))
01821                     {
01822                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_auid_exempt);
01823                     }
01824                   else
01825                     { /* only set, of not default value NO_USER */
01826                       if(i_attr_val.auid_exempt != RSBAC_NO_USER)
01827                         {
01828                           /* set program based log for new process */
01829                           if (rsbac_set_attr(SW_GEN,
01830                                              new_target,
01831                                              new_tid,
01832                                              A_auid_exempt,
01833                                              i_attr_val))
01834                             {
01835                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_auid_exempt);
01836                             }
01837                         }
01838                     }
01839                   break;
01840 
01841                 default:
01842                   break;
01843               }
01844             break;
01845 
01846         case R_CLOSE:
01847                 switch (target) {
01848                 case T_IPC:
01849                         if(tid.ipc.type == I_anonunix)
01850                                 rsbac_remove_target(target, tid);
01851                         break;
01852 #ifdef CONFIG_RSBAC_NET_OBJ
01853                 case T_NETOBJ:
01854                         rsbac_remove_target(target, tid);
01855                         break;
01856 #endif
01857                 default:
01858                         break;
01859                 }
01860                 break;
01861 
01862         case R_CREATE:
01863                 switch (target) {
01864                 case T_IPC:
01865                         if(!tid.ipc.id.id_nr)
01866                                 error |= -RSBAC_EINVALIDVALUE;
01867                         break;
01868                 default:
01869                         break;
01870                 }
01871                 break;
01872 
01873 #ifdef CONFIG_RSBAC_NET_OBJ
01874         case R_ACCEPT:
01875             switch (target)
01876               {
01877                 case T_NETOBJ:
01878                   /* store remote IP */
01879                   if(   tid.netobj.sock_p
01880                      && tid.netobj.sock_p->ops
01881                      && tid.netobj.sock_p->sk
01882                      && (tid.netobj.sock_p->ops->family == AF_INET)
01883                     )
01884                     {
01885                       i_tid.process = caller_pid;
01886 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01887                       i_attr_val.remote_ip = inet_sk(tid.netobj.sock_p->sk)->daddr;
01888 #else
01889                       i_attr_val.remote_ip = tid.netobj.sock_p->sk->daddr;
01890 #endif
01891                       /* set program based log for new process */
01892                       if (rsbac_set_attr(SW_GEN,
01893                                          T_PROCESS,
01894                                          i_tid,
01895                                          A_remote_ip,
01896                                          i_attr_val))
01897                         {
01898                           rsbac_ds_set_error("rsbac_adf_set_attr()", A_remote_ip);
01899                         }
01900                     }
01901                   break;
01902 
01903                 default:
01904                   break;
01905               }
01906             break;
01907 #endif /* CONFIG_RSBAC_NET_OBJ */
01908 
01909         case R_EXECUTE :
01910             switch (target)
01911               {
01912                 case T_FILE:
01913                   #if defined(CONFIG_RSBAC_IND_PROG_LOG)
01914                   /* get program based log from file */
01915                   if (rsbac_get_attr(SW_GEN,
01916                                      target,
01917                                      tid,
01918                                      A_log_program_based,
01919                                      &i_attr_val,
01920                                      FALSE))
01921                     {
01922                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
01923                     }
01924                   else
01925                     {
01926                       /* set program based log for process */
01927                       i_tid.process = caller_pid;
01928                       if (rsbac_set_attr(SW_GEN, T_PROCESS,
01929                                          i_tid,
01930                                          A_log_program_based,
01931                                          i_attr_val))
01932                         {
01933                           rsbac_ds_set_error("rsbac_adf_set_attr()", A_log_program_based);
01934                         }
01935                     }
01936                   #endif
01937                   #if defined(CONFIG_RSBAC_FAKE_ROOT_UID)
01938                   /* get fake_root_uid from file */
01939                   if (rsbac_get_attr(SW_GEN,
01940                                      target,
01941                                      tid,
01942                                      A_fake_root_uid,
01943                                      &i_attr_val,
01944                                      FALSE))
01945                     {
01946                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_fake_root_uid);
01947                     }
01948                   else
01949                     {
01950                       /* set fake_root_uid for process */
01951                       if(i_attr_val.fake_root_uid)
01952                         {
01953                           i_tid.process = caller_pid;
01954                           if (rsbac_set_attr(SW_GEN, T_PROCESS,
01955                                              i_tid,
01956                                              A_fake_root_uid,
01957                                              i_attr_val))
01958                             {
01959                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid);
01960                             }
01961                         }
01962                     }
01963                   #endif
01964                   /* get auid_exempt from file */
01965                   if (rsbac_get_attr(SW_GEN,
01966                                      target,
01967                                      tid,
01968                                      A_auid_exempt,
01969                                      &i_attr_val,
01970                                      FALSE))
01971                     {
01972                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_auid_exempt);
01973                     }
01974                   else
01975                     {
01976                       if(i_attr_val.auid_exempt != RSBAC_NO_USER)
01977                         {
01978                           /* set auid_exempt for process */
01979                           i_tid.process = caller_pid;
01980                           if (rsbac_set_attr(SW_GEN, T_PROCESS,
01981                                              i_tid,
01982                                              A_auid_exempt,
01983                                              i_attr_val))
01984                             {
01985                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_auid_exempt);
01986                             }
01987                         }
01988                     }
01989                   break;
01990 
01991                 default:
01992                   break;
01993               }
01994             break;
01995 
01996         default:
01997             break;
01998       }
01999 
02000 #if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET)
02001     if(    rsbac_debug_adf_net
02002        && (   (target == T_NETDEV)
02003            || (target == T_NETTEMP)
02004            || (target == T_NETOBJ)
02005           )
02006       )
02007       do_log = TRUE;
02008 #endif
02009 
02010 /* log based on process owner */
02011 #ifdef CONFIG_RSBAC_IND_USER_LOG
02012     i_tid.user = owner;
02013     if (rsbac_get_attr(SW_GEN,
02014                        T_USER,
02015                        i_tid,
02016                        A_log_user_based,
02017                        &i_attr_val,
02018                        FALSE))
02019       {
02020         rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_user_based);
02021       }
02022     else
02023       {
02024         if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_user_based) 
02025           do_log = TRUE;
02026       }
02027 #endif /* CONFIG_RSBAC_IND_USER_LOG */
02028 
02029 /* log based on program */
02030 #ifdef CONFIG_RSBAC_IND_PROG_LOG
02031     if(!do_log)
02032       {
02033         i_tid.process = caller_pid;
02034         if (rsbac_get_attr(SW_GEN,
02035                            T_PROCESS,
02036                            i_tid,
02037                            A_log_program_based,
02038                            &i_attr_val,
02039                            FALSE))
02040           {
02041             rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
02042           }
02043         else
02044           {
02045             if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_program_based) 
02046               do_log = TRUE;
02047           }
02048       }
02049 #endif /* CONFIG_RSBAC_IND_PROG_LOG */
02050 
02051 
02052 /* logging request on info level, if requested by file/dir/dev attributes */
02053 /* log_array_low/high, or, if that is requested, if enabled for this request */
02054 /* type (attributes state level, or that request based level is to be taken) */
02055 /* loglevel 2: log everything */
02056 /* loglevel 1: log, if denied */
02057 /* loglevel 0: log nothing */
02058 
02059 #ifdef CONFIG_RSBAC_IND_LOG /* only if individual logging is enabled */
02060     /* if file/dir/dev, depend log on log_arrays */
02061     /* (but not for file.device = 0) */
02062     /* log_on_request is TRUE */
02063     if(!do_log)
02064       {
02065         if(   (   (   (target == T_FILE)
02066                    || (target == T_DIR)
02067                    || (target == T_FIFO)
02068                    || (target == T_SYMLINK)
02069                   )
02070                && RSBAC_MAJOR(tid.file.device)
02071                && RSBAC_MINOR(tid.file.device)
02072               )
02073            || (target == T_DEV)
02074           )
02075           {
02076             if (rsbac_get_attr(SW_GEN,
02077                                target,
02078                                tid,
02079                                A_log_array_low,
02080                                &i_attr_val,
02081                                FALSE))
02082               {
02083                 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_array_low);
02084               }
02085             else
02086               {
02087                 if (rsbac_get_attr(SW_GEN,
02088                                    target,
02089                                    tid,
02090                                    A_log_array_high,
02091                                    &i_attr_val2,
02092                                    FALSE))
02093                   {
02094                     rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_array_high);
02095                   }
02096                 else
02097                   { /* ll = low-bit for request | (high-bit for request as bit 1) */
02098                     log_level =   ((i_attr_val.log_array_low   >> request) & 1)
02099                               | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
02100                     if (   log_level == LL_full
02101                         || (   log_level == LL_denied
02102                             && error) )
02103                       {
02104                         do_log = TRUE;
02105                       }
02106                     if(log_level != LL_request)
02107                       log_on_request = FALSE;
02108                   }
02109               }
02110           }
02111       }
02112 #endif /* CONFIG_RSBAC_IND_LOG */
02113 
02114 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
02115 log:
02116 #endif
02117     /* if enabled, try request based log level */
02118     if (log_on_request
02119         && (   rsbac_log_levels[request][target] == LL_full
02120             || (   rsbac_log_levels[request][target] == LL_denied
02121                 && error) ) )
02122       do_log = TRUE;
02123 
02124     if(do_log)
02125       {
02126         char * request_name;
02127         char * target_type_name;
02128         char * new_target_type_name;
02129         char * target_id_name;
02130         char * new_target_id_name;
02131         char * attr_name;
02132         rsbac_uid_t audit_uid;
02133 #ifdef CONFIG_RSBAC_LOG_PSEUDO
02134         rsbac_pseudo_t  pseudo = 0;
02135 #endif
02136 
02137         /* Get process audit_uid */
02138         i_tid.process = caller_pid;
02139         if (rsbac_get_attr(SW_GEN,T_PROCESS,i_tid,A_audit_uid,&i_attr_val,FALSE))
02140           {
02141             rsbac_ds_get_error("rsbac_adf_set_attr()", A_audit_uid);
02142             return -RSBAC_EREADFAILED;  /* something weird happened */
02143           }
02144         audit_uid = i_attr_val.audit_uid;
02145         if(audit_uid == RSBAC_NO_USER)
02146           audit_uid = owner;
02147 #ifdef CONFIG_RSBAC_LOG_PSEUDO
02148         /* Get owner's logging pseudo */
02149         i_tid.user = audit_uid;
02150         if (rsbac_get_attr(SW_GEN,T_USER,i_tid,A_pseudo,&i_attr_val,FALSE))
02151           {
02152             rsbac_ds_get_error("rsbac_adf_set_attr()", A_pseudo);
02153             return -RSBAC_EREADFAILED;  /* something weird happened */
02154           }
02155         /* if pseudo is not registered, return attribute value is 0 (see later) */
02156         pseudo = i_attr_val.pseudo;
02157 #endif
02158 
02159         /* rsbac_kmalloc all memory */
02160         request_name = rsbac_kmalloc(32);
02161         target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
02162         new_target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
02163         #ifdef CONFIG_RSBAC_LOG_FULL_PATH
02164         target_id_name
02165          = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
02166         new_target_id_name
02167          = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
02168            /* max. path name len + some extra */
02169         #else
02170         target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
02171         new_target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
02172            /* max. file name len + some extra */
02173         #endif
02174         attr_name = rsbac_kmalloc(32);
02175 
02176         /* Getting basic information about this request */
02177         request_name[0] = (char) 0;
02178         target_type_name[0] = (char) 0;
02179         target_id_name[0] = (char) 0;
02180         new_target_type_name[0] = (char) 0;
02181         new_target_id_name[0] = (char) 0;
02182         attr_name[0] = (char) 0;
02183         get_request_name(request_name, request);
02184         get_target_name(target_type_name, target, target_id_name, tid);
02185         get_target_name(new_target_type_name, new_target,
02186                         new_target_id_name, new_tid);
02187         get_attribute_name(attr_name, attr);
02188 
02189 #ifdef CONFIG_RSBAC_LOG_PSEUDO
02190         if(pseudo)
02191           rsbac_printk(KERN_INFO
02192                        "rsbac_adf_set_attr(): request %s, pid %u, pseudo %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n",
02193                        request_name, (u_int) caller_pid, pseudo, target_type_name, target_id_name,
02194                        new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error);
02195         else
02196 #endif
02197           rsbac_printk(KERN_INFO
02198                        "rsbac_adf_set_attr(): request %s, pid %u, uid %u, audit_uid %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n",
02199                        request_name, (u_int) caller_pid, owner, audit_uid, target_type_name, target_id_name,
02200                        new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error);
02201         /* rsbac_kfree all helper mem */
02202         rsbac_kfree(request_name);
02203         rsbac_kfree(target_type_name);
02204         rsbac_kfree(new_target_type_name);
02205         rsbac_kfree(target_id_name);
02206         rsbac_kfree(new_target_id_name);
02207         rsbac_kfree(attr_name);
02208       }
02209 
02210 /* count */
02211     rsbac_adf_set_attr_count[target]++;
02212 #ifdef CONFIG_RSBAC_XSTATS
02213     rsbac_adf_set_attr_xcount[target][request]++;
02214 #endif
02215 
02216     return(error);
02217   } /* end of rsbac_adf_set_attr() */
02218 
02219 
02220 /****************
02221  *
02222  * Secure Delete
02223  *
02224  ****************/
02225 
02226 #ifdef CONFIG_RSBAC_SECDEL
02227 
02228 /* open_by_dentry */
02229 /* This is done by hand (copy from rsbac_read_open), because system calls */
02230 /* are currently blocked by rsbac */
02231 
02232 static int open_by_dentry(struct dentry * file_dentry_p, struct file * file_p)
02233   {
02234     int tmperr;
02235 
02236     if ( !(S_ISREG(file_dentry_p->d_inode->i_mode)) )
02237       { /* this is not a file! -> error! */
02238         rsbac_printk(KERN_WARNING
02239                "open_by_dentry(): expected file is not a file!\n");
02240         return (-RSBAC_EWRITEFAILED);
02241       }
02242     /* Now we fill the file structure, and */
02243     /* if there is an open func, use it, otherwise ignore */
02244     if ((tmperr = init_private_file(file_p, file_dentry_p, O_WRONLY | O_SYNC)))
02245       {
02246         rsbac_printk(KERN_WARNING
02247                "open_by_dentry(): could not open file!\n");
02248         return (-RSBAC_EWRITEFAILED);
02249       }
02250     /* Without a write function we get into troubles -> error */
02251     if ((!file_p->f_op) || (!file_p->f_op->write))
02252       {
02253         rsbac_printk(KERN_WARNING
02254                "open_by_dentry(): file write function missing!\n");
02255         if (file_p->f_op && file_p->f_op->release)
02256           file_p->f_op->release(file_dentry_p->d_inode,file_p);
02257         return(-RSBAC_EWRITEFAILED);
02258       }
02259     /* trying to get write access                                   */
02260 /*
02261     if (get_write_access(file_dentry_p->d_inode))
02262       {
02263         rsbac_printk(KERN_WARNING
02264                "rsbac_write_open(): could not get write access!\n");
02265         if (file_p->f_op->release)
02266           file_p->f_op->release(file_dentry_p->d_inode,file_p);
02267         return(-RSBAC_EWRITEFAILED);
02268       }
02269 */
02270     return 0;
02271   }
02272 
02273 /*
02274  **********************
02275  * Secure File Truncation
02276  */
02277 rsbac_boolean_t writable(struct super_block * sb_p);
02278 
02279 static int do_rsbac_sec_trunc(struct dentry * dentry_p,
02280                               loff_t new_len,
02281                               loff_t old_len,
02282                               rsbac_boolean_t need_lock)
02283   {
02284 #if defined(CONFIG_RSBAC_MAINT)
02285     return 0;
02286 #else
02287     int                           err = 0;
02288     rsbac_boolean_t                       need_overwrite = FALSE;
02289 
02290     if (!rsbac_is_initialized())
02291       return 0;
02292     /* security checks */
02293     if(   !dentry_p
02294        || !dentry_p->d_inode)
02295       return -RSBAC_EINVALIDPOINTER;
02296     if(!S_ISREG(dentry_p->d_inode->i_mode))
02297       return -RSBAC_EINVALIDTARGET;
02298     if(dentry_p->d_sb->s_magic == PIPEFS_MAGIC)
02299       return 0;
02300     if(new_len >= old_len)
02301       return 0;
02302 
02303     if(dentry_p->d_inode && !writable(dentry_p->d_inode->i_sb))
02304       {
02305 #ifdef CONFIG_RSBAC_DEBUG
02306         if(rsbac_debug_write)
02307           {
02308             rsbac_printk(KERN_DEBUG
02309                    "do_rsbac_sec_trunc(): ignoring file %lu on network device %02u:%02u!\n",
02310                    dentry_p->d_inode->i_ino,
02311                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02312                    MINOR(dentry_p->d_inode->i_sb->s_dev));
02313           }
02314 #endif
02315         return 0;
02316       }
02317 
02318     /******* PM ********/
02319     #ifdef CONFIG_RSBAC_PM
02320     #ifdef CONFIG_RSBAC_SWITCH_PM
02321     if (rsbac_switch_pm)
02322     #endif
02323       /* no need to call module, if already need_overwrite */
02324       if(!need_overwrite)
02325         need_overwrite = rsbac_need_overwrite_pm(dentry_p);
02326     #endif  /* PM */
02327 
02328     /******* FF ********/
02329     #ifdef CONFIG_RSBAC_FF
02330     #ifdef CONFIG_RSBAC_SWITCH_FF
02331     if (rsbac_switch_ff)
02332     #endif
02333       /* no need to call module, if already need_overwrite */
02334       if(!need_overwrite)
02335         need_overwrite = rsbac_need_overwrite_ff(dentry_p);
02336     #endif  /* FF */
02337 
02338     /******* RC ********/
02339     #ifdef CONFIG_RSBAC_RC
02340     #ifdef CONFIG_RSBAC_SWITCH_RC
02341     if (rsbac_switch_rc)
02342     #endif
02343       /* no need to call module, if already need_overwrite */
02344       if(!need_overwrite)
02345         need_overwrite = rsbac_need_overwrite_rc(dentry_p);
02346     #endif  /* RC */
02347 
02348     /****** RES *******/
02349     #ifdef CONFIG_RSBAC_RES
02350     #ifdef CONFIG_RSBAC_SWITCH_RES
02351     if (rsbac_switch_res)
02352     #endif
02353       /* no need to call module, if already need_overwrite */
02354       if(!need_overwrite)
02355         need_overwrite = rsbac_need_overwrite_res(dentry_p);
02356     #endif  /* RES */
02357 
02358     /****** REG *******/
02359     #ifdef CONFIG_RSBAC_REG
02360     if(!need_overwrite)
02361       need_overwrite = rsbac_need_overwrite_reg(dentry_p);
02362     #endif  /* REG */
02363 
02364     if(need_overwrite)
02365       {
02366         char            * buffer;
02367         rsbac_boolean_t   vmalloc_used;
02368         struct file       file;
02369         int               tmperr = 0;
02370         int               len;
02371         mm_segment_t      oldfs;
02372 
02373         buffer = rsbac_vkmalloc(RSBAC_SEC_DEL_CHUNK_SIZE, &vmalloc_used);
02374         if(!buffer)
02375           return -RSBAC_ENOMEM;
02376 
02377 #ifdef CONFIG_RSBAC_DEBUG
02378         if(rsbac_debug_write)
02379           {
02380             rsbac_printk(KERN_DEBUG
02381                    "rsbac_sec_trunc(): zeroing of file %lu on device %02u:%02u from byte %lu to %lu!\n",
02382                    dentry_p->d_inode->i_ino,
02383                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02384                    MINOR(dentry_p->d_inode->i_sb->s_dev),
02385                    (u_long) new_len,
02386                    (u_long) old_len-1);
02387           }
02388 #endif
02389         /* open */
02390         err = open_by_dentry(dentry_p, &file);
02391         if(err)
02392           {
02393             rsbac_vkfree(buffer, vmalloc_used);
02394             return(err);
02395           }
02396 
02397 #ifdef CONFIG_RSBAC_DEBUG
02398         if(rsbac_debug_write)
02399           {
02400             rsbac_printk(KERN_DEBUG
02401                    "rsbac_sec_trunc(): file %lu on device %02u:%02u is open, seeking to %lu!\n",
02402                    dentry_p->d_inode->i_ino,
02403                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02404                    MINOR(dentry_p->d_inode->i_sb->s_dev),
02405                    (u_long) new_len);
02406           }
02407 #endif
02408 
02409         /* OK, now we can start writing */
02410 
02411         /* Set current user space to kernel space, because write() reads
02412          * from user space
02413          */
02414         oldfs = get_fs();
02415         set_fs(KERNEL_DS);
02416 
02417 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02418         if(file.f_op->llseek)
02419           file.f_op->llseek(&file,new_len,0);
02420         else
02421 #endif
02422           { /* taken from fs/read_write.c */
02423             file.f_pos = new_len;
02424 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02425             file.f_reada = 0;
02426 #endif
02427 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02428             file.f_version = ++event;
02429 #else
02430             file.f_version = 0;
02431 #endif
02432           }
02433         memset(buffer,0,RSBAC_SEC_DEL_CHUNK_SIZE);
02434 
02435 #ifdef CONFIG_RSBAC_DEBUG
02436         if(rsbac_debug_write)
02437           {
02438             rsbac_printk(KERN_DEBUG
02439                    "rsbac_sec_trunc(): file %lu on device %02u:%02u is positioned, starting to write!\n",
02440                    dentry_p->d_inode->i_ino,
02441                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02442                    MINOR(dentry_p->d_inode->i_sb->s_dev));
02443           }
02444 #endif
02445 
02446         while(new_len < old_len)
02447           {
02448             len = rsbac_min(RSBAC_SEC_DEL_CHUNK_SIZE, old_len-new_len);
02449 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02450             tmperr = file.f_op->write(&file,
02451                                      buffer,
02452                                      len,
02453                                      &file.f_pos);
02454 #else
02455             if(need_lock)
02456               tmperr = file.f_op->write(&file,
02457                                         buffer,
02458                                         len,
02459                                         &file.f_pos);
02460             else
02461               {
02462                 struct iovec local_iov = { .iov_base = (void __user *)buffer,
02463                                         .iov_len = len };
02464                 struct kiocb kiocb;
02465                 init_sync_kiocb(&kiocb, &file);
02466                 kiocb.ki_pos = file.f_pos;
02467 
02468                 tmperr = generic_file_aio_write_nolock(&kiocb,
02469                                                    &local_iov,
02470                                                    1,
02471                                                    file.f_pos);
02472               }
02473 #endif
02474             /* if none written, end of file is reached -> complain and return */
02475             if (tmperr <= 0)
02476               {
02477                 rsbac_printk(KERN_WARNING
02478                        "rsbac_sec_trunc(): write error on file!\n");
02479                 err = -RSBAC_EWRITEFAILED;
02480                 goto out;
02481               }
02482             new_len += tmperr;
02483           }
02484 
02485         out:
02486         /* Set current user space back to user space, because read() writes */
02487         /* to user space */
02488         set_fs(oldfs);
02489 
02490 #ifdef CONFIG_RSBAC_DEBUG
02491 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0))
02492         if(need_lock)
02493 #endif
02494         if(rsbac_debug_write)
02495           {
02496             rsbac_printk(KERN_DEBUG
02497                    "rsbac_sec_trunc(): syncing file %lu on device %02u:%02u!\n",
02498                    dentry_p->d_inode->i_ino,
02499                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02500                    MINOR(dentry_p->d_inode->i_sb->s_dev));
02501           }
02502 #endif
02503 
02504 //        err = fsync_inode_buffers(dentry_p->d_inode);
02505 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02506         err = fsync_inode_data_buffers(dentry_p->d_inode);
02507 #else
02508         if(need_lock)
02509           err = file_fsync(&file, dentry_p, 1);
02510 #endif
02511           
02512 /*
02513         if (file.f_op->flush)
02514           file.f_op->flush(&file);
02515         if (file.f_op->release)
02516           file.f_op->release(dentry_p->d_inode,&file);
02517 */
02518         /* End of write access                     */
02519 //        put_write_access(dentry_p->d_inode);
02520 
02521         rsbac_vkfree(buffer, vmalloc_used);
02522       }
02523 
02524     /* Ready. */
02525     return(err);
02526 
02527 #endif /* else of MAINT */
02528   }
02529 
02530 EXPORT_SYMBOL(rsbac_sec_trunc);
02531 int rsbac_sec_trunc(struct dentry * dentry_p,
02532                     loff_t new_len, loff_t old_len)
02533   {
02534     return do_rsbac_sec_trunc(dentry_p, new_len, old_len, TRUE);
02535   }
02536 
02537 EXPORT_SYMBOL(rsbac_sec_del);
02538 int rsbac_sec_del(struct dentry * dentry_p)
02539   {
02540     return do_rsbac_sec_trunc(dentry_p,
02541                               0,
02542                               dentry_p->d_inode->i_size,
02543                               FALSE);
02544   }
02545 
02546 #else /* no SECDEL */
02547 EXPORT_SYMBOL(rsbac_sec_trunc);
02548 int rsbac_sec_trunc(struct dentry * dentry_p,
02549                     loff_t new_len, loff_t old_len)
02550   {
02551     return 0;
02552   }
02553 EXPORT_SYMBOL(rsbac_sec_del);
02554 int rsbac_sec_del(struct dentry * dentry_p)
02555   {
02556     return 0;
02557   }
02558 #endif /* SECDEL */
02559 
02560 #ifdef CONFIG_RSBAC_SYM_REDIR
02561 EXPORT_SYMBOL(rsbac_symlink_redirect);
02562 
02563 /* This function changes the symlink content by adding a suffix, if
02564  * requested. It returns NULL, if unchanged, or a pointer to a
02565  * kmalloc'd new char * otherwise, which has to be kfree'd after use.
02566  */
02567 char * rsbac_symlink_redirect(
02568   struct dentry * dentry_p,
02569   const char * name,
02570   u_int maxlen)
02571   {
02572     union rsbac_target_id_t        i_tid;
02573     char                         * new_name = NULL;
02574 #if defined(CONFIG_RSBAC_SYM_REDIR_REMOTE_IP) || defined(CONFIG_RSBAC_SYM_REDIR_MAC) || defined(CONFIG_RSBAC_SYM_REDIR_RC) || defined(CONFIG_RSBAC_SYM_REDIR_UID)
02575     int                            err;
02576     union rsbac_target_id_t        i_tid2;
02577     union rsbac_attribute_value_t  i_attr_val;
02578 #endif
02579 
02580     if(!name)
02581       return NULL;
02582     if(!dentry_p || !dentry_p->d_inode)
02583       return NULL;
02584     if (!rsbac_is_initialized())
02585       return NULL;
02586 
02587     if(!S_ISLNK(dentry_p->d_inode->i_mode))
02588       {
02589         rsbac_printk(KERN_DEBUG
02590                "rsbac_symlink_redirect(): called for non-symlink inode %u on dev %02u:%02u!\n",
02591                i_tid.symlink.inode,
02592                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02593         return NULL;
02594       }
02595 
02596     i_tid.symlink.device = dentry_p->d_inode->i_sb->s_dev;
02597     i_tid.symlink.inode = dentry_p->d_inode->i_ino;
02598     i_tid.symlink.dentry_p = dentry_p;
02599 #ifdef CONFIG_RSBAC_DEBUG
02600     if (rsbac_debug_aef)
02601       {
02602         rsbac_printk(KERN_DEBUG
02603                "rsbac_symlink_redirect(): called for symlink inode %u on dev %02u:%02u!\n",
02604                i_tid.symlink.inode,
02605                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02606       }
02607 #endif
02608 
02609 #ifdef CONFIG_RSBAC_SYM_REDIR_REMOTE_IP
02610     if ((err = rsbac_get_attr(SW_GEN,
02611                               T_SYMLINK,
02612                               i_tid,
02613                               A_symlink_add_remote_ip,
02614                               &i_attr_val,
02615                               FALSE) ))
02616       {
02617         rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_symlink_add_remote_ip, err);
02618         if(new_name)
02619           kfree(new_name);
02620         return NULL;  /* something weird happened */
02621       }
02622     if(i_attr_val.symlink_add_remote_ip)
02623       {
02624         u_int len;
02625         rsbac_enum_t add_remote_ip;
02626         __u32 addr;
02627 
02628         len = strlen(name);
02629         while(   len
02630               && (name[len-1] >= '0')
02631               && (name[len-1] <= '9')
02632              )
02633           len--;
02634         if(len > (maxlen - 20))
02635           {
02636             if(new_name)
02637               kfree(new_name);
02638             rsbac_printk(KERN_DEBUG
02639                "rsbac_symlink_redirect(): not enough space for symlink inode %u on dev %02u:%02u!\n",
02640                i_tid.symlink.inode,
02641                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02642             return NULL;
02643           }
02644         add_remote_ip = i_attr_val.symlink_add_remote_ip;
02645         i_tid2.process = current->pid;
02646         if ((err = rsbac_get_attr(SW_GEN,
02647                                   T_PROCESS,
02648                                   i_tid2,
02649                                   A_remote_ip,
02650                                   &i_attr_val,
02651                                   FALSE) ))
02652           {
02653             rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_remote_ip, err);
02654             if(new_name)
02655               kfree(new_name);
02656             return NULL;  /* something weird happened */
02657           }
02658         addr = i_attr_val.remote_ip;
02659         if(!new_name)
02660           {
02661             new_name = kmalloc(maxlen, GFP_KERNEL);
02662             if(!new_name)
02663               {
02664                 rsbac_printk(KERN_DEBUG
02665                              "rsbac_symlink_redirect(): could not allocate memory for redirection of inode %u on dev %02u:%02u!\n",
02666                              i_tid.symlink.inode,
02667                              RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02668                 return NULL;
02669               }
02670             strcpy(new_name, name);
02671           }
02672         switch(add_remote_ip)
02673           {
02674             case 1:
02675               sprintf(new_name+len, "%u",
02676                       ((unsigned char *)&addr)[0]);
02677               break;
02678             case 2:
02679               sprintf(new_name+len, "%u.%u",
02680                       ((unsigned char *)&addr)[0],
02681                       ((unsigned char *)&addr)[1]);
02682               break;
02683             case 3:
02684               sprintf(new_name+len, "%u.%u.%u",
02685                       ((unsigned char *)&addr)[0],
02686                       ((unsigned char *)&addr)[1],
02687                       ((unsigned char *)&addr)[2]);
02688               break;
02689             default:
02690               sprintf(new_name+len, "%u.%u.%u.%u",
02691                       ((unsigned char *)&addr)[0],
02692                       ((unsigned char *)&addr)[1],
02693                       ((unsigned char *)&addr)[2],
02694                       ((unsigned char *)&addr)[3]);
02695           }
02696       }
02697 #endif
02698 
02699 #ifdef CONFIG_RSBAC_SYM_REDIR_UID
02700     if ((err = rsbac_get_attr(SW_GEN,
02701                               T_SYMLINK,
02702                               i_tid,
02703                               A_symlink_add_uid,
02704                               &i_attr_val,
02705                               FALSE) ))
02706       {
02707         rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_symlink_add_uid, err);
02708         if(new_name)
02709           kfree(new_name);
02710             rsbac_printk(KERN_DEBUG
02711                "rsbac_symlink_redirect(): not enough space for symlink inode %u on dev %02u:%02u!\n",
02712                i_tid.symlink.inode,
02713                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02714         return NULL;  /* something weird happened */
02715       }
02716     if(i_attr_val.symlink_add_uid)
02717       {
02718         rsbac_uid_t user;
02719         u_int len;
02720 
02721         len = strlen(name);
02722         while(   len
02723               && (name[len-1] >= '0')
02724               && (name[len-1] <= '9')
02725              )
02726           len--;
02727         if(len > (maxlen - 20))
02728           {
02729             if(new_name)
02730               kfree(new_name);
02731             rsbac_printk(KERN_DEBUG
02732                "rsbac_symlink_redirect(): not enough space for symlink inode %u on dev %02u:%02u!\n",
02733                i_tid.symlink.inode,
02734                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02735             return NULL;
02736           }
02737         if(!rsbac_get_owner(&user))
02738           {
02739             if(!new_name)
02740               {
02741                 new_name = kmalloc(maxlen, GFP_KERNEL);
02742                 if(!new_name)
02743                   {
02744                     rsbac_printk(KERN_DEBUG
02745                                  "rsbac_symlink_redirect(): could not allocate memory for redirection of inode %u on dev %02u:%02u!\n",
02746                                  i_tid.symlink.inode,
02747                                  RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02748                     return NULL;
02749                   }
02750                 strcpy(new_name, name);
02751               }
02752             ulongtostr(new_name+len, user);
02753           }
02754       }
02755 #endif
02756 
02757 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC
02758     if ((err = rsbac_get_attr(SW_GEN,
02759                               T_SYMLINK,
02760                               i_tid,
02761                               A_symlink_add_mac_level,
02762                               &i_attr_val,
02763                               FALSE) ))
02764       {
02765         rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_symlink_add_mac_level, err);
02766         if(new_name)
02767           kfree(new_name);
02768         return NULL;  /* something weird happened */
02769       }
02770     if(i_attr_val.symlink_add_mac_level)
02771       {
02772         u_int len;
02773 
02774         len = strlen(name);
02775         while(   len
02776               && (   (   (name[len-1] >= '0')
02777                       && (name[len-1] <= '9')
02778                      )
02779 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02780                   || (name[len-1] == ':')
02781 #endif
02782                  )
02783              )
02784           len--;
02785 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02786         if(len > (maxlen - 85))
02787 #else
02788         if(len > (maxlen - 20))
02789 #endif
02790           {
02791             if(new_name)
02792               kfree(new_name);
02793             rsbac_printk(KERN_DEBUG
02794                "rsbac_symlink_redirect(): not enough space for symlink inode %u on dev %02u:%02u!\n",
02795                i_tid.symlink.inode,
02796                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02797             return NULL;
02798           }
02799 
02800         i_tid2.process = current->pid;
02801         if ((err = rsbac_get_attr(SW_MAC,
02802                                   T_PROCESS,
02803                                   i_tid2,
02804                                   A_current_sec_level,
02805                                   &i_attr_val,
02806                                   FALSE) ))
02807           {
02808             rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_current_sec_level, err);
02809             if(new_name)
02810               kfree(new_name);
02811             return NULL;  /* something weird happened */
02812           }
02813 
02814         if(!new_name)
02815           {
02816             new_name = kmalloc(maxlen, GFP_KERNEL);
02817             if(!new_name)
02818               {
02819                 rsbac_printk(KERN_DEBUG
02820                              "rsbac_symlink_redirect(): could not allocate memory for redirection of inode %u on dev %02u:%02u!\n",
02821                              i_tid.symlink.inode,
02822                              RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02823                 return NULL;
02824               }
02825             strcpy(new_name, name);
02826           }
02827 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02828         len+=sprintf(new_name+len, "%u:", i_attr_val.current_sec_level);
02829 #else
02830         len+=sprintf(new_name+len, "%u", i_attr_val.current_sec_level);
02831 #endif
02832 
02833 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02834         if ((err = rsbac_get_attr(SW_MAC,
02835                                   T_PROCESS,
02836                                   i_tid2,
02837                                   A_mac_curr_categories,
02838                                   &i_attr_val,
02839                                   FALSE) ))
02840           {
02841             rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_mac_curr_categories, err);
02842             if(new_name)
02843               kfree(new_name);
02844             return NULL;  /* something weird happened */
02845           }
02846         u64tostrmac(new_name+len, i_attr_val.mac_categories);
02847 #endif
02848       }
02849 #endif
02850 
02851 #ifdef CONFIG_RSBAC_SYM_REDIR_RC
02852     if ((err = rsbac_get_attr(SW_GEN,
02853                               T_SYMLINK,
02854                               i_tid,
02855                               A_symlink_add_rc_role,
02856                               &i_attr_val,
02857                               FALSE) ))
02858       {
02859         rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_symlink_add_rc_role, err);
02860         if(new_name)
02861           kfree(new_name);
02862         return NULL;  /* something weird happened */
02863       }
02864     if(i_attr_val.symlink_add_rc_role)
02865       {
02866         u_int len;
02867 
02868         len = strlen(name);
02869         while(   len
02870               && (name[len-1] >= '0')
02871               && (name[len-1] <= '9')
02872              )
02873           len--;
02874         if(len > (maxlen - 20))
02875           {
02876             if(new_name)
02877               kfree(new_name);
02878             rsbac_printk(KERN_DEBUG
02879                "rsbac_symlink_redirect(): not enough space for symlink inode %u on dev %02u:%02u!\n",
02880                i_tid.symlink.inode,
02881                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02882             return NULL;
02883           }
02884 
02885         i_tid2.process = current->pid;
02886         if ((err = rsbac_get_attr(SW_RC,
02887                                   T_PROCESS,
02888                                   i_tid2,
02889                                   A_rc_role,
02890                                   &i_attr_val,
02891                                   FALSE) ))
02892           {
02893             rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_rc_role, err);
02894             if(new_name)
02895               kfree(new_name);
02896             return NULL;  /* something weird happened */
02897           }
02898 
02899         if(!new_name)
02900           {
02901             new_name = kmalloc(maxlen, GFP_KERNEL);
02902             if(!new_name)
02903               {
02904                 rsbac_printk(KERN_DEBUG
02905                              "rsbac_symlink_redirect(): could not allocate memory for redirection of inode %u on dev %02u:%02u!\n",
02906                              i_tid.symlink.inode,
02907                              RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02908                 return NULL;
02909               }
02910             strcpy(new_name, name);
02911           }
02912         ulongtostr(new_name+len, i_attr_val.rc_role);
02913       }
02914 #endif
02915 
02916     return new_name;
02917   }
02918 #endif
02919 
02920 #ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART
02921 int rsbac_dac_part_disabled(struct dentry * dentry_p)
02922   {
02923     int                            err;
02924     enum  rsbac_target_t           i_target;
02925     union rsbac_target_id_t        i_tid;
02926     union rsbac_attribute_value_t  i_attr_val;
02927 
02928     if(!dentry_p || !dentry_p->d_inode || !dentry_p->d_inode->i_sb->s_dev || !rsbac_is_initialized())
02929       return FALSE;
02930 
02931     if(S_ISREG(dentry_p->d_inode->i_mode))
02932       i_target = T_FILE;
02933     else
02934     if(S_ISDIR(dentry_p->d_inode->i_mode))
02935       i_target = T_DIR;
02936     else
02937     if(S_ISFIFO(dentry_p->d_inode->i_mode))
02938       i_target = T_FIFO;
02939     else
02940     if(S_ISLNK(dentry_p->d_inode->i_mode))
02941       i_target = T_SYMLINK;
02942     else
02943       return FALSE;
02944 
02945     i_tid.file.device = dentry_p->d_sb->s_dev;
02946     i_tid.file.inode = dentry_p->d_inode->i_ino;
02947     i_tid.file.dentry_p = dentry_p;
02948 
02949 #ifdef CONFIG_RSBAC_DEBUG
02950     if (rsbac_debug_aef)
02951       {
02952         rsbac_printk(KERN_DEBUG
02953                "rsbac_dac_part_disable(): called for dentry_p->d_inode %u on dev %02u:%02u, dentry_p %p!\n",
02954                i_tid.file.inode,
02955                RSBAC_MAJOR(i_tid.file.device), RSBAC_MINOR(i_tid.file.device),
02956                i_tid.file.dentry_p );
02957       }
02958 #endif
02959 
02960     if ((err = rsbac_get_attr(SW_GEN,
02961                               i_target,
02962                               i_tid,
02963                               A_linux_dac_disable,
02964                               &i_attr_val,
02965                               TRUE) ))
02966       {
02967         rsbac_printk(KERN_WARNING
02968                "rsbac_dac_part_disable(): rsbac_get_attr() for linux_dac_disable returned error %i!\n",
02969                err);
02970         return FALSE;  /* something weird happened */
02971       }
02972     if(i_attr_val.linux_dac_disable == LDD_true)
02973       return TRUE;
02974     else
02975       return FALSE;
02976   }
02977 #endif
02978 
02979 #ifdef CONFIG_RSBAC_FAKE_ROOT_UID
02980 rsbac_uid_t rsbac_fake_uid(void)
02981   {
02982     int                            err;
02983     union rsbac_target_id_t        i_tid;
02984     union rsbac_attribute_value_t  i_attr_val;
02985 
02986     if(!current->uid)
02987       return 0;
02988     if (!rsbac_is_initialized())
02989       return current->uid;
02990 
02991     i_tid.process = current->pid;
02992     if ((err = rsbac_get_attr(SW_GEN,
02993                               T_PROCESS,
02994                               i_tid,
02995                               A_fake_root_uid,
02996                               &i_attr_val,
02997                               FALSE) ))
02998       {
02999         rsbac_ds_get_error("rsbac_fake_uid()", A_fake_root_uid);
03000         return current->uid;  /* something weird happened */
03001       }
03002     switch(i_attr_val.fake_root_uid)
03003       {
03004         case FR_both:
03005         case FR_uid_only:
03006           return 0;
03007         default:
03008           return current->uid;
03009       }
03010   }
03011 
03012 rsbac_uid_t rsbac_fake_euid(void)
03013   {
03014     int                            err;
03015     union rsbac_target_id_t        i_tid;
03016     union rsbac_attribute_value_t  i_attr_val;
03017 
03018     if(!current->euid)
03019       return 0;
03020     if (!rsbac_is_initialized())
03021       return current->euid;
03022 
03023     i_tid.process = current->pid;
03024     if ((err = rsbac_get_attr(SW_GEN,
03025                               T_PROCESS,
03026                               i_tid,
03027                               A_fake_root_uid,
03028                               &i_attr_val,
03029                               FALSE) ))
03030       {
03031         rsbac_ds_get_error("rsbac_fake_euid()", A_fake_root_uid);
03032         return current->euid;  /* something weird happened */
03033       }
03034     switch(i_attr_val.fake_root_uid)
03035       {
03036         case FR_both:
03037         case FR_euid_only:
03038           return 0;
03039         default:
03040           return current->euid;
03041       }
03042   }
03043 
03044 int rsbac_uid_faked(void)
03045   {
03046     int                            err;
03047     union rsbac_target_id_t        i_tid;
03048     union rsbac_attribute_value_t  i_attr_val;
03049 
03050     if (!rsbac_is_initialized())
03051       return 0;
03052 
03053     i_tid.process = current->pid;
03054     if ((err = rsbac_get_attr(SW_GEN,
03055                               T_PROCESS,
03056                               i_tid,
03057                               A_fake_root_uid,
03058                               &i_attr_val,
03059                               FALSE) ))
03060       {
03061         rsbac_ds_get_error("rsbac_uid_faked()", A_fake_root_uid);
03062         return 0;  /* something weird happened */
03063       }
03064     switch(i_attr_val.fake_root_uid)
03065       {
03066         case FR_both:
03067         case FR_uid_only:
03068           return 1;
03069         default:
03070           return 0;
03071       }
03072   }
03073 
03074 #endif
03075 
03076 int rsbac_set_audit_uid(rsbac_uid_t uid)
03077   {
03078     union rsbac_target_id_t       tid;
03079     union rsbac_attribute_value_t attr_val;
03080 
03081     if(!uid || (uid == current->uid))
03082       return 0;
03083     tid.process = current->pid;
03084     if (rsbac_get_attr(SW_GEN,
03085                        T_PROCESS,
03086                        tid,
03087                        A_audit_uid,
03088                        &attr_val,
03089                        FALSE))
03090       {
03091         rsbac_ds_get_error("rsbac_set_audit_uid()", A_audit_uid);
03092         return -RSBAC_EREADFAILED;
03093       }
03094     if(attr_val.audit_uid != RSBAC_NO_USER)
03095       return 0;
03096 
03097     if (rsbac_get_attr(SW_GEN,
03098                        T_PROCESS,
03099                        tid,
03100                        A_auid_exempt,
03101                        &attr_val,
03102                        FALSE))
03103       {
03104         rsbac_ds_get_error("rsbac_set_audit_uid()", A_auid_exempt);
03105         return -RSBAC_EREADFAILED;
03106       }
03107     if(attr_val.auid_exempt == uid)
03108       return 0;
03109 
03110     attr_val.audit_uid = uid;
03111     if (rsbac_set_attr(SW_GEN,
03112                        T_PROCESS,
03113                        tid,
03114                        A_audit_uid,
03115                        attr_val))
03116       {
03117         rsbac_ds_set_error("rsbac_set_audit_uid()", A_audit_uid);
03118         return -RSBAC_EWRITEFAILED;
03119       }
03120     return 0;
03121   }
03122 
03123 #if defined(CONFIG_RSBAC_CAP_LOG_MISSING) || defined(CONFIG_RSBAC_JAIL_LOG_MISSING)
03124 EXPORT_SYMBOL(rsbac_log_missing_cap);
03125 
03126 void rsbac_log_missing_cap(int cap)
03127   {
03128     #if defined(CONFIG_RSBAC_CAP_LOG_MISSING)
03129     if(rsbac_cap_log_missing)
03130       rsbac_cap_log_missing_cap(cap);
03131     #endif
03132     #if defined(CONFIG_RSBAC_JAIL_LOG_MISSING)
03133     if(rsbac_jail_log_missing)
03134       rsbac_jail_log_missing_cap(cap);
03135     #endif
03136   }
03137 #endif
03138 
03139 /* end of rsbac/adf/main.c */

Generated on Wed May 16 11:53:29 2007 for RSBAC by  doxygen 1.5.1