00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012 #include <linux/string.h>
00013 #include <rsbac/types.h>
00014 #include <rsbac/aci.h>
00015 #include <rsbac/rc.h>
00016 #include <rsbac/adf_main.h>
00017 #include <rsbac/error.h>
00018 #include <rsbac/debug.h>
00019 #include <rsbac/helpers.h>
00020 #include <rsbac/getname.h>
00021 #include <rsbac/rc_getname.h>
00022 #include <rsbac/rkmem.h>
00023 #include <rsbac/um.h>
00024
00025
00026
00027
00028
00029
00030
00031
00032
00033 #if !defined(CONFIG_RSBAC_MAINT)
00034
00035 int rsbac_rc_test_role_admin(rsbac_boolean_t modify);
00036
00037 int rsbac_rc_test_admin_roles(rsbac_rc_role_id_t t_role, rsbac_boolean_t modify);
00038
00039 enum rsbac_adf_req_ret_t
00040 rsbac_rc_check_type_comp(enum rsbac_target_t target,
00041 rsbac_rc_type_id_t type,
00042 enum rsbac_adf_request_t request,
00043 rsbac_pid_t caller_pid);
00044 #endif
00045
00046
00047
00048
00049
00050
00051
00052
00053
00054
00055 int rsbac_rc_sys_copy_role(
00056 rsbac_list_ta_number_t ta_number,
00057 rsbac_rc_role_id_t from_role,
00058 rsbac_rc_role_id_t to_role)
00059 {
00060 #if !defined(CONFIG_RSBAC_MAINT)
00061 #ifdef CONFIG_RSBAC_SWITCH_RC
00062 if(rsbac_switch_rc)
00063 #endif
00064 {
00065 int err;
00066
00067 if ( (err=rsbac_rc_test_admin_roles(from_role, TRUE))
00068 && rsbac_rc_test_role_admin(TRUE)
00069 )
00070 {
00071 if(err == -EPERM)
00072 {
00073 rsbac_uid_t user;
00074
00075 if(!rsbac_get_owner(&user))
00076 {
00077 rsbac_printk(KERN_INFO
00078 "rsbac_rc_sys_copy_role(): copying of role %u denied for pid %u, user %u - not in admin_roles!\n",
00079 from_role,
00080 current->pid,
00081 user);
00082 }
00083 #ifdef CONFIG_RSBAC_SOFTMODE
00084 if( !rsbac_softmode
00085 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00086 && !rsbac_ind_softmode[SW_RC]
00087 #endif
00088 )
00089 #endif
00090 return err;
00091 }
00092 else
00093 return err;
00094 }
00095
00096 if ( rsbac_rc_role_exists(ta_number, to_role)
00097 && rsbac_rc_test_role_admin(TRUE)
00098 )
00099 {
00100 rsbac_uid_t user;
00101
00102 if(!rsbac_get_owner(&user))
00103 {
00104 rsbac_printk(KERN_INFO
00105 "rsbac_rc_sys_copy_role(): overwriting of existing role %u denied for pid %u, user %u - no role_admin!\n",
00106 to_role,
00107 current->pid,
00108 user);
00109 }
00110 #ifdef CONFIG_RSBAC_SOFTMODE
00111 if( !rsbac_softmode
00112 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00113 && !rsbac_ind_softmode[SW_RC]
00114 #endif
00115 )
00116 #endif
00117 return -EPERM;
00118 }
00119 }
00120 #endif
00121
00122
00123 return(rsbac_rc_copy_role(ta_number, from_role, to_role));
00124 }
00125
00126
00127 int rsbac_rc_sys_copy_type (
00128 rsbac_list_ta_number_t ta_number,
00129 enum rsbac_rc_target_t target,
00130 rsbac_rc_type_id_t from_type,
00131 rsbac_rc_type_id_t to_type)
00132 {
00133 #if !defined(CONFIG_RSBAC_MAINT)
00134 #ifdef CONFIG_RSBAC_SWITCH_RC
00135 if(rsbac_switch_rc)
00136 #endif
00137 {
00138 int err;
00139
00140 switch(target)
00141 {
00142 case T_FILE:
00143 case T_DIR:
00144 case T_FIFO:
00145 case T_SYMLINK:
00146 target = T_FD;
00147 break;
00148 case T_FD:
00149 case T_DEV:
00150 case T_USER:
00151 case T_PROCESS:
00152 case T_IPC:
00153 case T_GROUP:
00154 case T_NETDEV:
00155 case T_NETTEMP:
00156 case T_NETOBJ:
00157 break;
00158
00159 default:
00160 return -RSBAC_EINVALIDTARGET;
00161 }
00162
00163 if( (rsbac_rc_check_type_comp(target, from_type, RCR_ADMIN, 0) != GRANTED)
00164 && (err=rsbac_rc_test_role_admin(FALSE))
00165 )
00166 {
00167 if(err == -EPERM)
00168 {
00169 rsbac_uid_t user;
00170
00171 if(!rsbac_get_owner(&user))
00172 {
00173 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00174
00175 if(tmp)
00176 {
00177 rsbac_printk(KERN_INFO
00178 "rsbac_rc_sys_copy_type(): copying of %s type %u denied for pid %u, user %u - not in admin_roles!\n",
00179 get_target_name_only(tmp, target),
00180 from_type,
00181 current->pid,
00182 user);
00183 rsbac_kfree(tmp);
00184 }
00185 }
00186 #ifdef CONFIG_RSBAC_SOFTMODE
00187 if( !rsbac_softmode
00188 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00189 && !rsbac_ind_softmode[SW_RC]
00190 #endif
00191 )
00192 #endif
00193 return err;
00194 }
00195 else
00196 return err;
00197 }
00198
00199 if ( rsbac_rc_type_exists(ta_number, target, to_type)
00200 && rsbac_rc_test_role_admin(TRUE)
00201 )
00202 {
00203 rsbac_uid_t user;
00204
00205 if(!rsbac_get_owner(&user))
00206 {
00207 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00208
00209 if(tmp)
00210 {
00211 rsbac_printk(KERN_INFO
00212 "rsbac_rc_sys_copy_type(): overwriting of existing %s type %u denied for pid %u, user %u - no role_admin!\n",
00213 get_target_name_only(tmp, target),
00214 to_type,
00215 current->pid,
00216 user);
00217 rsbac_kfree(tmp);
00218 }
00219 }
00220 #ifdef CONFIG_RSBAC_SOFTMODE
00221 if( !rsbac_softmode
00222 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00223 && !rsbac_ind_softmode[SW_RC]
00224 #endif
00225 )
00226 #endif
00227 return -EPERM;
00228 }
00229 }
00230 #endif
00231
00232
00233 return(rsbac_rc_copy_type(ta_number, target, from_type, to_type));
00234 }
00235
00236
00237 int rsbac_rc_sys_get_item(
00238 rsbac_list_ta_number_t ta_number,
00239 enum rsbac_rc_target_t target,
00240 union rsbac_rc_target_id_t tid,
00241 union rsbac_rc_target_id_t subtid,
00242 enum rsbac_rc_item_t item,
00243 union rsbac_rc_item_value_t * value_p,
00244 rsbac_time_t * ttl_p)
00245 {
00246 #if !defined(CONFIG_RSBAC_MAINT)
00247 #ifdef CONFIG_RSBAC_SWITCH_RC
00248 if(rsbac_switch_rc)
00249 #endif
00250 {
00251 int err;
00252
00253 switch(item)
00254 {
00255 case RI_name:
00256 case RI_type_fd_name:
00257 case RI_type_dev_name:
00258 case RI_type_ipc_name:
00259 case RI_type_user_name:
00260 case RI_type_process_name:
00261 case RI_type_scd_name:
00262 case RI_type_group_name:
00263 case RI_type_netdev_name:
00264 case RI_type_nettemp_name:
00265 case RI_type_netobj_name:
00266
00267 break;
00268
00269 case RI_type_fd_need_secdel:
00270 if(target != RT_TYPE)
00271 return -RSBAC_EINVALIDTARGET;
00272 if( (err=rsbac_rc_check_type_comp(T_FILE, tid.type, RCR_ADMIN, 0))
00273 && (err=rsbac_rc_test_role_admin(FALSE))
00274 )
00275 {
00276 if(err == -EPERM)
00277 {
00278 rsbac_uid_t user;
00279
00280 if(!rsbac_get_owner(&user))
00281 {
00282 rsbac_printk(KERN_INFO
00283 "rsbac_rc_sys_get_item(): reading fd_need_secdel of type %u denied for pid %u, user %u - no ADMIN right!\n",
00284 tid.type,
00285 current->pid,
00286 user);
00287 }
00288 #ifdef CONFIG_RSBAC_SOFTMODE
00289 if( !rsbac_softmode
00290 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00291 && !rsbac_ind_softmode[SW_RC]
00292 #endif
00293 )
00294 #endif
00295 return err;
00296 }
00297 else
00298 return err;
00299 }
00300 break;
00301
00302 default:
00303 if(target != RT_ROLE)
00304 return -RSBAC_EINVALIDATTR;
00305
00306 if ( (err=rsbac_rc_test_admin_roles(tid.role, FALSE))
00307 && (err=rsbac_rc_test_role_admin(FALSE))
00308 )
00309 {
00310 if(err == -EPERM)
00311 {
00312 rsbac_uid_t user;
00313
00314 if(!rsbac_get_owner(&user))
00315 {
00316 rsbac_printk(KERN_INFO
00317 "rsbac_rc_sys_get_item(): getting item of role %u denied for pid %u, user %u - not in admin_roles!\n",
00318 tid.role,
00319 current->pid,
00320 user);
00321 }
00322 #ifdef CONFIG_RSBAC_SOFTMODE
00323 if( !rsbac_softmode
00324 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00325 && !rsbac_ind_softmode[SW_RC]
00326 #endif
00327 )
00328 #endif
00329 return err;
00330 }
00331 else
00332 return err;
00333 }
00334 }
00335 }
00336 #endif
00337
00338
00339 return(rsbac_rc_get_item(ta_number,target, tid, subtid, item, value_p, ttl_p));
00340 }
00341
00342
00343 int rsbac_rc_sys_set_item(
00344 rsbac_list_ta_number_t ta_number,
00345 enum rsbac_rc_target_t target,
00346 union rsbac_rc_target_id_t tid,
00347 union rsbac_rc_target_id_t subtid,
00348 enum rsbac_rc_item_t item,
00349 union rsbac_rc_item_value_t value,
00350 rsbac_time_t ttl)
00351 {
00352 #if !defined(CONFIG_RSBAC_MAINT)
00353 #ifdef CONFIG_RSBAC_SWITCH_RC
00354 if(rsbac_switch_rc)
00355 #endif
00356 {
00357 int err;
00358
00359 switch(item)
00360 {
00361
00362 case RI_type_fd_name:
00363 case RI_type_fd_need_secdel:
00364 case RI_type_fd_remove:
00365 if(target != RT_TYPE)
00366 return -RSBAC_EINVALIDTARGET;
00367 if( (rsbac_rc_check_type_comp(T_FILE, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00368 && (err=rsbac_rc_test_role_admin(TRUE))
00369 )
00370 {
00371 if(err == -EPERM)
00372 {
00373 rsbac_uid_t user;
00374 char tmp[80];
00375
00376 if(!rsbac_get_owner(&user))
00377 {
00378 rsbac_printk(KERN_INFO
00379 "rsbac_rc_sys_set_item(): changing %s of FD type %u denied for pid %u, user %u - no ADMIN right!\n",
00380 get_rc_item_name(tmp, item),
00381 tid.type,
00382 current->pid,
00383 user);
00384 }
00385 #ifdef CONFIG_RSBAC_SOFTMODE
00386 if( !rsbac_softmode
00387 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00388 && !rsbac_ind_softmode[SW_RC]
00389 #endif
00390 )
00391 #endif
00392 return err;
00393 }
00394 else
00395 return err;
00396 }
00397 break;
00398 case RI_type_dev_name:
00399 case RI_type_dev_remove:
00400 if(target != RT_TYPE)
00401 return -RSBAC_EINVALIDTARGET;
00402 if( (rsbac_rc_check_type_comp(T_DEV, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00403 && (err=rsbac_rc_test_role_admin(TRUE))
00404 )
00405 {
00406 if(err == -EPERM)
00407 {
00408 rsbac_uid_t user;
00409
00410 if(!rsbac_get_owner(&user))
00411 {
00412 rsbac_printk(KERN_INFO
00413 "rsbac_rc_sys_set_item(): changing name or removing of DEV type %u denied for pid %u, user %u - no ADMIN right!\n",
00414 tid.type,
00415 current->pid,
00416 user);
00417 }
00418 #ifdef CONFIG_RSBAC_SOFTMODE
00419 if( !rsbac_softmode
00420 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00421 && !rsbac_ind_softmode[SW_RC]
00422 #endif
00423 )
00424 #endif
00425 return err;
00426 }
00427 else
00428 return err;
00429 }
00430 break;
00431 case RI_type_ipc_name:
00432 case RI_type_ipc_remove:
00433 if(target != RT_TYPE)
00434 return -RSBAC_EINVALIDTARGET;
00435 if( (rsbac_rc_check_type_comp(T_IPC, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00436 && (err=rsbac_rc_test_role_admin(TRUE))
00437 )
00438 {
00439 if(err == -EPERM)
00440 {
00441 rsbac_uid_t user;
00442
00443 if(!rsbac_get_owner(&user))
00444 {
00445 rsbac_printk(KERN_INFO
00446 "rsbac_rc_sys_set_item(): changing name or removing of IPC type %u denied for pid %u, user %u - no ADMIN right!\n",
00447 tid.type,
00448 current->pid,
00449 user);
00450 }
00451 #ifdef CONFIG_RSBAC_SOFTMODE
00452 if( !rsbac_softmode
00453 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00454 && !rsbac_ind_softmode[SW_RC]
00455 #endif
00456 )
00457 #endif
00458 return err;
00459 }
00460 else
00461 return err;
00462 }
00463 break;
00464 case RI_type_user_name:
00465 case RI_type_user_remove:
00466 if(target != RT_TYPE)
00467 return -RSBAC_EINVALIDTARGET;
00468 if( (rsbac_rc_check_type_comp(T_USER, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00469 && (err=rsbac_rc_test_role_admin(TRUE))
00470 )
00471 {
00472 if(err == -EPERM)
00473 {
00474 rsbac_uid_t user;
00475
00476 if(!rsbac_get_owner(&user))
00477 {
00478 rsbac_printk(KERN_INFO
00479 "rsbac_rc_sys_set_item(): changing name or removing of USER type %u denied for pid %u, user %u - no ADMIN right!\n",
00480 tid.type,
00481 current->pid,
00482 user);
00483 }
00484 #ifdef CONFIG_RSBAC_SOFTMODE
00485 if( !rsbac_softmode
00486 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00487 && !rsbac_ind_softmode[SW_RC]
00488 #endif
00489 )
00490 #endif
00491 return err;
00492 }
00493 else
00494 return err;
00495 }
00496 break;
00497 case RI_type_process_name:
00498 case RI_type_process_remove:
00499 if(target != RT_TYPE)
00500 return -RSBAC_EINVALIDTARGET;
00501 if( (rsbac_rc_check_type_comp(T_PROCESS, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00502 && (err=rsbac_rc_test_role_admin(TRUE))
00503 )
00504 {
00505 if(err == -EPERM)
00506 {
00507 rsbac_uid_t user;
00508
00509 if(!rsbac_get_owner(&user))
00510 {
00511 rsbac_printk(KERN_INFO
00512 "rsbac_rc_sys_set_item(): changing name or removing of process type %u denied for pid %u, user %u - no ADMIN right!\n",
00513 tid.type,
00514 current->pid,
00515 user);
00516 }
00517 #ifdef CONFIG_RSBAC_SOFTMODE
00518 if( !rsbac_softmode
00519 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00520 && !rsbac_ind_softmode[SW_RC]
00521 #endif
00522 )
00523 #endif
00524 return err;
00525 }
00526 else
00527 return err;
00528 }
00529 break;
00530 case RI_type_scd_name:
00531 if(target != RT_TYPE)
00532 return -RSBAC_EINVALIDTARGET;
00533 if( (rsbac_rc_check_type_comp(T_SCD, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00534 && (err=rsbac_rc_test_role_admin(TRUE))
00535 )
00536 {
00537 if(err == -EPERM)
00538 {
00539 rsbac_uid_t user;
00540
00541 if(!rsbac_get_owner(&user))
00542 {
00543 rsbac_printk(KERN_INFO
00544 "rsbac_rc_sys_set_item(): changing name or removing of SCD type %u denied for pid %u, user %u - no ADMIN right!\n",
00545 tid.type,
00546 current->pid,
00547 user);
00548 }
00549 #ifdef CONFIG_RSBAC_SOFTMODE
00550 if( !rsbac_softmode
00551 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00552 && !rsbac_ind_softmode[SW_RC]
00553 #endif
00554 )
00555 #endif
00556 return err;
00557 }
00558 else
00559 return err;
00560 }
00561 break;
00562 case RI_type_group_name:
00563 case RI_type_group_remove:
00564 if(target != RT_TYPE)
00565 return -RSBAC_EINVALIDTARGET;
00566 if( (rsbac_rc_check_type_comp(T_GROUP, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00567 && (err=rsbac_rc_test_role_admin(TRUE))
00568 )
00569 {
00570 if(err == -EPERM)
00571 {
00572 rsbac_uid_t user;
00573
00574 if(!rsbac_get_owner(&user))
00575 {
00576 rsbac_printk(KERN_INFO
00577 "rsbac_rc_sys_set_item(): changing name or removing of GROUP type %u denied for pid %u, user %u - no ADMIN right!\n",
00578 tid.type,
00579 current->pid,
00580 user);
00581 }
00582 #ifdef CONFIG_RSBAC_SOFTMODE
00583 if( !rsbac_softmode
00584 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00585 && !rsbac_ind_softmode[SW_RC]
00586 #endif
00587 )
00588 #endif
00589 return err;
00590 }
00591 else
00592 return err;
00593 }
00594 break;
00595 case RI_type_netdev_name:
00596 case RI_type_netdev_remove:
00597 if(target != RT_TYPE)
00598 return -RSBAC_EINVALIDTARGET;
00599 if( (rsbac_rc_check_type_comp(T_NETDEV, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00600 && (err=rsbac_rc_test_role_admin(TRUE))
00601 )
00602 {
00603 if(err == -EPERM)
00604 {
00605 rsbac_uid_t user;
00606
00607 if(!rsbac_get_owner(&user))
00608 {
00609 rsbac_printk(KERN_INFO
00610 "rsbac_rc_sys_set_item(): changing name or removing of NETDEV type %u denied for pid %u, user %u - no ADMIN right!\n",
00611 tid.type,
00612 current->pid,
00613 user);
00614 }
00615 #ifdef CONFIG_RSBAC_SOFTMODE
00616 if( !rsbac_softmode
00617 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00618 && !rsbac_ind_softmode[SW_RC]
00619 #endif
00620 )
00621 #endif
00622 return err;
00623 }
00624 else
00625 return err;
00626 }
00627 break;
00628 case RI_type_nettemp_name:
00629 case RI_type_nettemp_remove:
00630 if(target != RT_TYPE)
00631 return -RSBAC_EINVALIDTARGET;
00632 if( (rsbac_rc_check_type_comp(T_NETTEMP, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00633 && (err=rsbac_rc_test_role_admin(TRUE))
00634 )
00635 {
00636 if(err == -EPERM)
00637 {
00638 rsbac_uid_t user;
00639
00640 if(!rsbac_get_owner(&user))
00641 {
00642 rsbac_printk(KERN_INFO
00643 "rsbac_rc_sys_set_item(): changing name or removing of NETTEMP type %u denied for pid %u, user %u - no ADMIN right!\n",
00644 tid.type,
00645 current->pid,
00646 user);
00647 }
00648 #ifdef CONFIG_RSBAC_SOFTMODE
00649 if( !rsbac_softmode
00650 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00651 && !rsbac_ind_softmode[SW_RC]
00652 #endif
00653 )
00654 #endif
00655 return err;
00656 }
00657 else
00658 return err;
00659 }
00660 break;
00661 case RI_type_netobj_name:
00662 case RI_type_netobj_remove:
00663 if(target != RT_TYPE)
00664 return -RSBAC_EINVALIDTARGET;
00665 if( (rsbac_rc_check_type_comp(T_NETOBJ, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00666 && (err=rsbac_rc_test_role_admin(TRUE))
00667 )
00668 {
00669 if(err == -EPERM)
00670 {
00671 rsbac_uid_t user;
00672
00673 if(!rsbac_get_owner(&user))
00674 {
00675 rsbac_printk(KERN_INFO
00676 "rsbac_rc_sys_set_item(): changing name or removing of NETOBJ type %u denied for pid %u, user %u - no ADMIN right!\n",
00677 tid.type,
00678 current->pid,
00679 user);
00680 }
00681 #ifdef CONFIG_RSBAC_SOFTMODE
00682 if( !rsbac_softmode
00683 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00684 && !rsbac_ind_softmode[SW_RC]
00685 #endif
00686 )
00687 #endif
00688 return err;
00689 }
00690 else
00691 return err;
00692 }
00693 break;
00694
00695
00696 case RI_role_comp:
00697
00698 {
00699 union rsbac_target_id_t i_tid;
00700 union rsbac_attribute_value_t i_attr_val1;
00701
00702 if(target != RT_ROLE)
00703 return -RSBAC_EINVALIDATTR;
00704 if(!rsbac_rc_test_role_admin(TRUE))
00705 break;
00706
00707 if((err=rsbac_rc_test_admin_roles(tid.role, TRUE)))
00708 {
00709 if(err == -EPERM)
00710 {
00711 rsbac_uid_t user;
00712
00713 if(!rsbac_get_owner(&user))
00714 {
00715 rsbac_printk(KERN_INFO
00716 "rsbac_rc_sys_set_item(): changing role_comp of role %u denied for pid %u, user %u - not in admin_roles!\n",
00717 tid.role,
00718 current->pid,
00719 user);
00720 }
00721 #ifdef CONFIG_RSBAC_SOFTMODE
00722 if( !rsbac_softmode
00723 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00724 && !rsbac_ind_softmode[SW_RC]
00725 #endif
00726 )
00727 #endif
00728 return err;
00729 }
00730 else
00731 return err;
00732 }
00733
00734
00735 i_tid.process = current->pid;
00736 if ((err=rsbac_get_attr(SW_RC, T_PROCESS,
00737 i_tid,
00738 A_rc_role,
00739 &i_attr_val1,
00740 TRUE)))
00741 {
00742 rsbac_pr_get_error(A_rc_role);
00743 return -RSBAC_EREADFAILED;
00744 }
00745
00746 if (!rsbac_rc_check_comp(i_attr_val1.rc_role,
00747 tid,
00748 RI_assign_roles,
00749 R_NONE))
00750 {
00751 rsbac_uid_t user;
00752 if(!rsbac_get_owner(&user))
00753 {
00754 rsbac_printk(KERN_INFO
00755 "rsbac_rc_sys_set_item(): changing role_comp for role %u denied for user %u, role %u - not in assign_roles!\n",
00756 tid.role,
00757 user,
00758 i_attr_val1.rc_role);
00759 }
00760 #ifdef CONFIG_RSBAC_SOFTMODE
00761 if( !rsbac_softmode
00762 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00763 && !rsbac_ind_softmode[SW_RC]
00764 #endif
00765 )
00766 #endif
00767 return -EPERM;
00768 }
00769 }
00770 break;
00771
00772 case RI_admin_type:
00773 case RI_admin_roles:
00774 case RI_assign_roles:
00775 case RI_boot_role:
00776 case RI_req_reauth:
00777
00778 if((err=rsbac_rc_test_role_admin(TRUE)))
00779 {
00780 if(err == -EPERM)
00781 {
00782 rsbac_uid_t user;
00783 char tmp[80];
00784
00785 if(!rsbac_get_owner(&user))
00786 {
00787 rsbac_printk(KERN_INFO
00788 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - no Role Admin!\n",
00789 get_rc_item_name(tmp, item),
00790 tid.role,
00791 current->pid,
00792 user);
00793 }
00794 #ifdef CONFIG_RSBAC_SOFTMODE
00795 if( !rsbac_softmode
00796 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00797 && !rsbac_ind_softmode[SW_RC]
00798 #endif
00799 )
00800 #endif
00801 return err;
00802 }
00803 else
00804 return err;
00805 }
00806 break;
00807 case RI_name:
00808
00809
00810 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
00811 && (err=rsbac_rc_test_role_admin(TRUE))
00812 )
00813 {
00814 if(err == -EPERM)
00815 {
00816 rsbac_uid_t user;
00817
00818 if(!rsbac_get_owner(&user))
00819 {
00820 rsbac_printk(KERN_INFO
00821 "rsbac_rc_sys_set_item(): changing name of role %u denied for pid %u, user %u - not in admin_roles!\n",
00822 tid.role,
00823 current->pid,
00824 user);
00825 }
00826 #ifdef CONFIG_RSBAC_SOFTMODE
00827 if( !rsbac_softmode
00828 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00829 && !rsbac_ind_softmode[SW_RC]
00830 #endif
00831 )
00832 #endif
00833 return err;
00834 }
00835 else
00836 return err;
00837 }
00838 break;
00839
00840 case RI_remove_role:
00841
00842 if((err=rsbac_rc_test_role_admin(TRUE)))
00843 {
00844 if(err == -EPERM)
00845 {
00846 rsbac_uid_t user;
00847
00848 if(!rsbac_get_owner(&user))
00849 {
00850 rsbac_printk(KERN_INFO
00851 "rsbac_rc_sys_set_item(): removing of role %u denied for pid %u, user %u - not in admin_roles!\n",
00852 tid.role,
00853 current->pid,
00854 user);
00855 }
00856 #ifdef CONFIG_RSBAC_SOFTMODE
00857 if( !rsbac_softmode
00858 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00859 && !rsbac_ind_softmode[SW_RC]
00860 #endif
00861 )
00862 #endif
00863 return err;
00864 }
00865 else
00866 return err;
00867 }
00868 break;
00869
00870 case RI_def_fd_create_type:
00871 case RI_def_fd_ind_create_type:
00872
00873
00874 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
00875 && (err=rsbac_rc_test_role_admin(TRUE))
00876 )
00877 {
00878 if(err == -EPERM)
00879 {
00880 rsbac_uid_t user;
00881
00882 if(!rsbac_get_owner(&user))
00883 {
00884 rsbac_printk(KERN_INFO
00885 "rsbac_rc_sys_set_item(): changing def_fd_[ind_]create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
00886 tid.role,
00887 current->pid,
00888 user);
00889 }
00890 #ifdef CONFIG_RSBAC_SOFTMODE
00891 if( !rsbac_softmode
00892 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00893 && !rsbac_ind_softmode[SW_RC]
00894 #endif
00895 )
00896 #endif
00897 return err;
00898 }
00899 else
00900 return err;
00901 }
00902 else
00903 {
00904 enum rsbac_adf_req_ret_t result;
00905
00906 result = rsbac_rc_check_type_comp(T_FILE, value.type_id, RCR_ASSIGN, 0);
00907 if( ( (result == NOT_GRANTED)
00908 || (result == UNDEFINED)
00909 )
00910 && (err=rsbac_rc_test_role_admin(TRUE))
00911 )
00912 {
00913 rsbac_uid_t user;
00914
00915 if(!rsbac_get_owner(&user))
00916 {
00917 rsbac_printk(KERN_INFO
00918 "rsbac_rc_sys_set_item(): changing def_fd_[ind_]create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
00919 tid.role,
00920 value.type_id,
00921 user);
00922 }
00923 #ifdef CONFIG_RSBAC_SOFTMODE
00924 if( !rsbac_softmode
00925 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00926 && !rsbac_ind_softmode[SW_RC]
00927 #endif
00928 )
00929 #endif
00930 return -EPERM;
00931 }
00932 }
00933 break;
00934
00935 case RI_def_fd_ind_create_type_remove:
00936
00937 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
00938 && (err=rsbac_rc_test_role_admin(TRUE))
00939 )
00940 {
00941 if(err == -EPERM)
00942 {
00943 rsbac_uid_t user;
00944
00945 if(!rsbac_get_owner(&user))
00946 {
00947 rsbac_printk(KERN_INFO
00948 "rsbac_rc_sys_set_item(): changing def_fd_[ind_]create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
00949 tid.role,
00950 current->pid,
00951 user);
00952 }
00953 #ifdef CONFIG_RSBAC_SOFTMODE
00954 if( !rsbac_softmode
00955 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00956 && !rsbac_ind_softmode[SW_RC]
00957 #endif
00958 )
00959 #endif
00960 return err;
00961 }
00962 else
00963 return err;
00964 }
00965 break;
00966
00967 case RI_def_user_create_type:
00968
00969
00970 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
00971 && (err=rsbac_rc_test_role_admin(TRUE))
00972 )
00973 {
00974 if(err == -EPERM)
00975 {
00976 rsbac_uid_t user;
00977
00978 if(!rsbac_get_owner(&user))
00979 {
00980 rsbac_printk(KERN_INFO
00981 "rsbac_rc_sys_set_item(): changing def_user_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
00982 tid.role,
00983 current->pid,
00984 user);
00985 }
00986 #ifdef CONFIG_RSBAC_SOFTMODE
00987 if( !rsbac_softmode
00988 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00989 && !rsbac_ind_softmode[SW_RC]
00990 #endif
00991 )
00992 #endif
00993 return err;
00994 }
00995 else
00996 return err;
00997 }
00998 else
00999 {
01000 enum rsbac_adf_req_ret_t result;
01001
01002 result = rsbac_rc_check_type_comp(T_USER, value.type_id, RCR_ASSIGN, 0);
01003 if( ( (result == NOT_GRANTED)
01004 || (result == UNDEFINED)
01005 )
01006 && (err=rsbac_rc_test_role_admin(TRUE))
01007 )
01008 {
01009 rsbac_uid_t user;
01010
01011 if(!rsbac_get_owner(&user))
01012 {
01013 rsbac_printk(KERN_INFO
01014 "rsbac_rc_sys_set_item(): changing def_user_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01015 tid.role,
01016 value.type_id,
01017 user);
01018 }
01019 #ifdef CONFIG_RSBAC_SOFTMODE
01020 if( !rsbac_softmode
01021 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01022 && !rsbac_ind_softmode[SW_RC]
01023 #endif
01024 )
01025 #endif
01026 return -EPERM;
01027 }
01028 }
01029 break;
01030
01031 case RI_def_process_create_type:
01032 case RI_def_process_chown_type:
01033 case RI_def_process_execute_type:
01034
01035
01036 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
01037 && (err=rsbac_rc_test_role_admin(TRUE))
01038 )
01039 {
01040 if(err == -EPERM)
01041 {
01042 rsbac_uid_t user;
01043 char tmp[80];
01044
01045 if(!rsbac_get_owner(&user))
01046 {
01047 rsbac_printk(KERN_INFO
01048 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - not in admin_roles!\n",
01049 get_rc_item_name(tmp, item),
01050 tid.role,
01051 current->pid,
01052 user);
01053 }
01054 #ifdef CONFIG_RSBAC_SOFTMODE
01055 if( !rsbac_softmode
01056 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01057 && !rsbac_ind_softmode[SW_RC]
01058 #endif
01059 )
01060 #endif
01061 return err;
01062 }
01063 else
01064 return err;
01065 }
01066 else
01067 {
01068 enum rsbac_adf_req_ret_t result;
01069
01070 result = rsbac_rc_check_type_comp(T_PROCESS, value.type_id, RCR_ASSIGN, 0);
01071 if( ( (result == NOT_GRANTED)
01072 || (result == UNDEFINED)
01073 )
01074 && (err=rsbac_rc_test_role_admin(TRUE))
01075 )
01076 {
01077 rsbac_uid_t user;
01078
01079 if(!rsbac_get_owner(&user))
01080 {
01081 rsbac_printk(KERN_INFO
01082 "rsbac_rc_sys_set_item(): changing def_process_*_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01083 tid.role,
01084 value.type_id,
01085 user);
01086 }
01087 #ifdef CONFIG_RSBAC_SOFTMODE
01088 if( !rsbac_softmode
01089 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01090 && !rsbac_ind_softmode[SW_RC]
01091 #endif
01092 )
01093 #endif
01094 return -EPERM;
01095 }
01096 }
01097 break;
01098 case RI_def_ipc_create_type:
01099
01100
01101 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
01102 && (err=rsbac_rc_test_role_admin(TRUE))
01103 )
01104 {
01105 if(err == -EPERM)
01106 {
01107 rsbac_uid_t user;
01108
01109 if(!rsbac_get_owner(&user))
01110 {
01111 rsbac_printk(KERN_INFO
01112 "rsbac_rc_sys_set_item(): changing def_ipc_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
01113 tid.role,
01114 current->pid,
01115 user);
01116 }
01117 #ifdef CONFIG_RSBAC_SOFTMODE
01118 if( !rsbac_softmode
01119 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01120 && !rsbac_ind_softmode[SW_RC]
01121 #endif
01122 )
01123 #endif
01124 return err;
01125 }
01126 else
01127 return err;
01128 }
01129 else
01130 {
01131 enum rsbac_adf_req_ret_t result;
01132
01133 result = rsbac_rc_check_type_comp(T_IPC, value.type_id, RCR_ASSIGN, 0);
01134 if( ( (result == NOT_GRANTED)
01135 || (result == UNDEFINED)
01136 )
01137 && (err=rsbac_rc_test_role_admin(TRUE))
01138 )
01139 {
01140 rsbac_uid_t user;
01141
01142 if(!rsbac_get_owner(&user))
01143 {
01144 rsbac_printk(KERN_INFO
01145 "rsbac_rc_sys_set_item(): changing def_ipc_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01146 tid.role,
01147 value.type_id,
01148 user);
01149 }
01150 #ifdef CONFIG_RSBAC_SOFTMODE
01151 if( !rsbac_softmode
01152 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01153 && !rsbac_ind_softmode[SW_RC]
01154 #endif
01155 )
01156 #endif
01157 return -EPERM;
01158 }
01159 }
01160 break;
01161 case RI_def_group_create_type:
01162
01163
01164 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
01165 && (err=rsbac_rc_test_role_admin(TRUE))
01166 )
01167 {
01168 if(err == -EPERM)
01169 {
01170 rsbac_uid_t user;
01171
01172 if(!rsbac_get_owner(&user))
01173 {
01174 rsbac_printk(KERN_INFO
01175 "rsbac_rc_sys_set_item(): changing def_group_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
01176 tid.role,
01177 current->pid,
01178 user);
01179 }
01180 #ifdef CONFIG_RSBAC_SOFTMODE
01181 if( !rsbac_softmode
01182 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01183 && !rsbac_ind_softmode[SW_RC]
01184 #endif
01185 )
01186 #endif
01187 return err;
01188 }
01189 else
01190 return err;
01191 }
01192 else
01193 {
01194 enum rsbac_adf_req_ret_t result;
01195
01196 result = rsbac_rc_check_type_comp(T_GROUP, value.type_id, RCR_ASSIGN, 0);
01197 if( ( (result == NOT_GRANTED)
01198 || (result == UNDEFINED)
01199 )
01200 && (err=rsbac_rc_test_role_admin(TRUE))
01201 )
01202 {
01203 rsbac_uid_t user;
01204
01205 if(!rsbac_get_owner(&user))
01206 {
01207 rsbac_printk(KERN_INFO
01208 "rsbac_rc_sys_set_item(): changing def_group_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01209 tid.role,
01210 value.type_id,
01211 user);
01212 }
01213 #ifdef CONFIG_RSBAC_SOFTMODE
01214 if( !rsbac_softmode
01215 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01216 && !rsbac_ind_softmode[SW_RC]
01217 #endif
01218 )
01219 #endif
01220 return -EPERM;
01221 }
01222 }
01223 break;
01224 case RI_def_unixsock_create_type:
01225
01226
01227 if ((err =
01228 rsbac_rc_test_admin_roles(tid.role, TRUE))
01229 && (err = rsbac_rc_test_role_admin(TRUE))
01230 ) {
01231 if (err == -EPERM) {
01232 rsbac_uid_t user;
01233
01234 if (!rsbac_get_owner(&user)) {
01235 rsbac_printk(KERN_INFO "rsbac_rc_sys_set_item(): changing def_unixsock_create_type of role %u denied for pid %u, user %u - not in admin_roles\n",
01236 tid.role,
01237 current->pid,
01238 user);
01239 }
01240 #ifdef CONFIG_RSBAC_SOFTMODE
01241 if (!rsbac_softmode
01242 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01243 && !rsbac_ind_softmode[SW_RC]
01244 #endif
01245 )
01246 #endif
01247 return err;
01248 } else
01249 return err;
01250 } else {
01251 enum rsbac_adf_req_ret_t result;
01252
01253 result =
01254 rsbac_rc_check_type_comp(T_NETOBJ,
01255 value.type_id,
01256 RCR_ASSIGN,
01257 0);
01258 if (((result == NOT_GRANTED)
01259 || (result == UNDEFINED)
01260 )
01261 && (err =
01262 rsbac_rc_test_role_admin(TRUE))
01263 ) {
01264 rsbac_uid_t user;
01265
01266 if (!rsbac_get_owner(&user)) {
01267 rsbac_printk(KERN_INFO "rsbac_rc_sys_set_item(): changing def_unixsock_create_type for role %u to %u denied for user %u - no ASSIGN right for type\n",
01268 tid.role,
01269 value.type_id,
01270 user);
01271 }
01272 #ifdef CONFIG_RSBAC_SOFTMODE
01273 if (!rsbac_softmode
01274 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01275 && !rsbac_ind_softmode[SW_RC]
01276 #endif
01277 )
01278 #endif
01279 return -EPERM;
01280 }
01281 }
01282 break;
01283
01284
01285 case RI_type_comp_fd:
01286 case RI_type_comp_dev:
01287 case RI_type_comp_user:
01288 case RI_type_comp_process:
01289 case RI_type_comp_ipc:
01290 case RI_type_comp_scd:
01291 case RI_type_comp_group:
01292 case RI_type_comp_netdev:
01293 case RI_type_comp_nettemp:
01294 case RI_type_comp_netobj:
01295 {
01296 union rsbac_rc_item_value_t old_value, my_value;
01297 union rsbac_target_id_t i_tid;
01298 union rsbac_attribute_value_t i_attr_val1;
01299 union rsbac_rc_target_id_t i_rc_tid;
01300
01301 if(target != RT_ROLE)
01302 return -RSBAC_EINVALIDATTR;
01303 if(!rsbac_rc_test_role_admin(TRUE))
01304 break;
01305
01306 if((err=rsbac_rc_test_admin_roles(tid.role, TRUE)))
01307 {
01308 if(err == -EPERM)
01309 {
01310 rsbac_uid_t user;
01311 char tmp[80];
01312
01313 if(!rsbac_get_owner(&user))
01314 {
01315 rsbac_printk(KERN_INFO
01316 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - not in admin_roles!\n",
01317 get_rc_item_name(tmp, item),
01318 tid.role,
01319 current->pid,
01320 user);
01321 }
01322 #ifdef CONFIG_RSBAC_SOFTMODE
01323 if( !rsbac_softmode
01324 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01325 && !rsbac_ind_softmode[SW_RC]
01326 #endif
01327 )
01328 #endif
01329 return err;
01330 }
01331 else
01332 return err;
01333 }
01334
01335
01336
01337 err = rsbac_rc_get_item(ta_number, target, tid, subtid, item, &old_value, NULL);
01338 if(err)
01339 return(err);
01340
01341
01342 i_tid.process = current->pid;
01343 if ((err=rsbac_get_attr(SW_RC, T_PROCESS,
01344 i_tid,
01345 A_rc_role,
01346 &i_attr_val1,
01347 TRUE)))
01348 {
01349 rsbac_pr_get_error(A_rc_role);
01350 return err;
01351 }
01352
01353 i_rc_tid.role = i_attr_val1.rc_role;
01354 if ((err=rsbac_rc_get_item(ta_number,
01355 RT_ROLE,
01356 i_rc_tid,
01357 subtid,
01358 item,
01359 &my_value,
01360 NULL)))
01361 {
01362 rsbac_rc_pr_get_error(item);
01363 return err;
01364 }
01365
01366
01367 if(
01368 ( ( (old_value.rights & RSBAC_ALL_REQUEST_VECTOR)
01369 != (value.rights & RSBAC_ALL_REQUEST_VECTOR)
01370 )
01371 && (!(my_value.rights & RSBAC_RC_RIGHTS_VECTOR(RCR_ACCESS_CONTROL)))
01372 )
01373 ||
01374
01375 ( ( (old_value.rights & RSBAC_RC_SPECIAL_RIGHTS_VECTOR)
01376 != (value.rights & RSBAC_RC_SPECIAL_RIGHTS_VECTOR)
01377 )
01378 && (!(my_value.rights & RSBAC_RC_RIGHTS_VECTOR(RCR_SUPERVISOR)))
01379 )
01380 )
01381 {
01382
01383 if((err=rsbac_rc_test_role_admin(TRUE)))
01384 {
01385 if(err == -EPERM)
01386 {
01387 rsbac_uid_t user;
01388 char tmp[80];
01389
01390 if(!rsbac_get_owner(&user))
01391 {
01392 rsbac_printk(KERN_INFO
01393 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u, role %u - insufficent rights!\n",
01394 get_rc_item_name(tmp, item),
01395 tid.role,
01396 current->pid,
01397 user,
01398 i_attr_val1.rc_role);
01399 }
01400 #ifdef CONFIG_RSBAC_SOFTMODE
01401 if( !rsbac_softmode
01402 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01403 && !rsbac_ind_softmode[SW_RC]
01404 #endif
01405 )
01406 #endif
01407 return err;
01408 }
01409 else
01410 return err;
01411 }
01412 }
01413 }
01414 break;
01415
01416 default:
01417 return -RSBAC_EINVALIDATTR;
01418 }
01419 }
01420 #endif
01421
01422
01423 return(rsbac_rc_set_item(ta_number, target, tid, subtid, item, value, ttl));
01424 }
01425
01426
01427 int rsbac_rc_sys_change_role(rsbac_rc_role_id_t role, char *pass)
01428 {
01429 int err;
01430 union rsbac_target_id_t i_tid;
01431 union rsbac_attribute_value_t i_attr_val1;
01432 #if !defined(CONFIG_RSBAC_MAINT)
01433 #ifdef CONFIG_RSBAC_UM
01434 union rsbac_rc_item_value_t i_rc_item_val1;
01435 char *k_pass;
01436 #endif
01437 #endif
01438
01439 #if !defined(CONFIG_RSBAC_MAINT)
01440 #ifdef CONFIG_RSBAC_SWITCH_RC
01441 if (rsbac_switch_rc)
01442 #endif
01443 {
01444 union rsbac_rc_target_id_t i_rc_subtid;
01445
01446 i_tid.process = current->pid;
01447
01448 if ((err = rsbac_get_attr(SW_RC,
01449 T_PROCESS,
01450 i_tid,
01451 A_rc_role,
01452 &i_attr_val1, TRUE))) {
01453 rsbac_printk(KERN_WARNING "rsbac_rc_sys_change_role(): rsbac_get_attr() returned error %i\n",
01454 err);
01455 goto out;
01456 }
01457
01458
01459 i_rc_subtid.role = role;
01460 if (!rsbac_rc_check_comp(i_attr_val1.rc_role,
01461 i_rc_subtid, RI_role_comp, 0)) {
01462 rsbac_uid_t user;
01463
01464 if (!rsbac_get_owner(&user)) {
01465 rsbac_printk(KERN_INFO "rsbac_rc_sys_change role(): changing from role %u to %u denied for pid %u, user %u, role %u - roles not compatible\n",
01466 i_attr_val1.rc_role,
01467 role,
01468 i_tid.process,
01469 user, i_attr_val1.rc_role);
01470 }
01471 #ifdef CONFIG_RSBAC_SOFTMODE
01472 if (!rsbac_softmode
01473 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01474 && !rsbac_ind_softmode[SW_RC]
01475 #endif
01476 )
01477 #endif
01478 {
01479 err = -EPERM;
01480 goto out;
01481 }
01482 }
01483 #ifdef CONFIG_RSBAC_UM
01484
01485
01486
01487 if ((err = rsbac_rc_get_item(0, RT_ROLE, i_rc_subtid, i_rc_subtid,
01488 RI_req_reauth,
01489 &i_rc_item_val1, NULL))) {
01490 rsbac_printk(KERN_WARNING "rsbac_rc_sys_change_role(): rsbac_rc_get_item() returned error %i\n",
01491 err);
01492 err = -EPERM;
01493 goto out;
01494 }
01495 if (i_rc_item_val1.req_reauth) {
01496 rsbac_uid_t user;
01497
01498 if (!pass) {
01499 rsbac_printk(KERN_WARNING "rsbac_rc_sys_change_role(): password required for switching to role %u\n",
01500 role);
01501 err = -EPERM;
01502 goto out;
01503 }
01504 k_pass = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01505 if (!k_pass) {
01506 err = -RSBAC_ENOMEM;
01507 goto out;
01508 }
01509 err =
01510 rsbac_get_user(k_pass, pass, RSBAC_MAXNAMELEN);
01511 if (err)
01512 goto out_free;
01513 k_pass[RSBAC_MAXNAMELEN - 1] = 0;
01514 err = rsbac_get_owner(&user);
01515 if (err) {
01516 rsbac_printk(KERN_WARNING "rsbac_rc_sys_change_role(): rsbac_rc_get_item() returned error %i\n",
01517 err);
01518 goto out_free;
01519 }
01520 err = rsbac_um_check_pass(user, k_pass);
01521 if (err) {
01522 goto out_free;
01523 }
01524 }
01525 #endif
01526
01527 }
01528 #endif
01529
01530
01531 i_tid.process = current->pid;
01532 i_attr_val1.rc_role = role;
01533 if (rsbac_set_attr(SW_RC, T_PROCESS, i_tid, A_rc_role, i_attr_val1)) {
01534 rsbac_printk(KERN_WARNING "rsbac_rc_sys_change_role(): rsbac_set_attr() returned error\n");
01535 err = -RSBAC_EWRITEFAILED;
01536 }
01537 else
01538 err = 0;
01539
01540 #if !defined(CONFIG_RSBAC_MAINT)
01541 out:
01542 #endif
01543 return err;
01544
01545 #if !defined(CONFIG_RSBAC_MAINT)
01546 #ifdef CONFIG_RSBAC_UM
01547 out_free:
01548 memset(k_pass, 0, RSBAC_MAXNAMELEN);
01549 rsbac_kfree(k_pass);
01550 goto out;
01551 #endif
01552 #endif
01553 }
01554
01555
01556 int rsbac_rc_sys_get_eff_rights(
01557 rsbac_list_ta_number_t ta_number,
01558 enum rsbac_target_t target,
01559 union rsbac_target_id_t tid,
01560 rsbac_rc_request_vector_t * request_vector,
01561 rsbac_time_t * ttl_p)
01562 {
01563 union rsbac_target_id_t i_tid;
01564 enum rsbac_attribute_t i_attr = A_none;
01565 union rsbac_attribute_value_t i_attr_val1;
01566 union rsbac_attribute_value_t i_attr_val2;
01567 int err;
01568 enum rsbac_rc_item_t i_rc_item;
01569 union rsbac_rc_target_id_t i_rc_tid;
01570 union rsbac_rc_target_id_t i_rc_subtid;
01571 union rsbac_rc_item_value_t i_rc_item_val1;
01572
01573 i_tid.process = current->pid;
01574
01575 if ((err=rsbac_get_attr(SW_RC, T_PROCESS,
01576 i_tid,
01577 A_rc_role,
01578 &i_attr_val1,
01579 TRUE)))
01580 {
01581 rsbac_printk(KERN_WARNING
01582 "rsbac_rc_sys_get_eff_rights(): rsbac_get_attr() returned error %i!\n",err);
01583 return -RSBAC_EREADFAILED;
01584 }
01585
01586 switch(target)
01587 {
01588 case T_FILE:
01589 case T_DIR:
01590 case T_FIFO:
01591 case T_SYMLINK:
01592 i_attr = A_rc_type_fd;
01593 i_rc_item = RI_type_comp_fd;
01594 break;
01595 case T_DEV:
01596 i_attr = A_rc_type;
01597 i_rc_item = RI_type_comp_dev;
01598 break;
01599 case T_IPC:
01600 i_attr = A_rc_type;
01601 i_rc_item = RI_type_comp_ipc;
01602 break;
01603 case T_PROCESS:
01604 i_attr = A_rc_type;
01605 i_rc_item = RI_type_comp_process;
01606 break;
01607 case T_SCD:
01608 if(tid.scd >= RST_none)
01609 return -RSBAC_EINVALIDTARGET;
01610 i_rc_item = RI_type_comp_scd;
01611 break;
01612 case T_GROUP:
01613 i_attr = A_rc_type;
01614 i_rc_item = RI_type_comp_group;
01615 break;
01616 case T_NETDEV:
01617 i_attr = A_rc_type;
01618 i_rc_item = RI_type_comp_netdev;
01619 break;
01620 case T_NETTEMP:
01621 i_attr = A_rc_type_nt;
01622 i_rc_item = RI_type_comp_nettemp;
01623 break;
01624 case T_NETOBJ:
01625 i_attr = A_rc_type;
01626 i_rc_item = RI_type_comp_netobj;
01627 break;
01628 default:
01629 return -RSBAC_EINVALIDTARGET;
01630 }
01631
01632 if(target == T_SCD)
01633 {
01634 i_attr_val2.rc_type = tid.scd;
01635 }
01636 else
01637 {
01638 if ((err=rsbac_get_attr(SW_RC,
01639 target,
01640 tid,
01641 i_attr,
01642 &i_attr_val2,
01643 TRUE)))
01644 {
01645 rsbac_printk(KERN_WARNING
01646 "rsbac_rc_sys_get_eff_rights(): rsbac_get_attr() returned error %i!\n",err);
01647 return -RSBAC_EREADFAILED;
01648 }
01649 }
01650
01651 i_rc_tid.role = i_attr_val1.rc_role;
01652 i_rc_subtid.type = i_attr_val2.rc_type;
01653 if ((err=rsbac_rc_get_item(ta_number,
01654 RT_ROLE,
01655 i_rc_tid,
01656 i_rc_subtid,
01657 i_rc_item,
01658 &i_rc_item_val1,
01659 ttl_p)))
01660 {
01661 rsbac_printk(KERN_WARNING
01662 "rsbac_rc_sys_get_eff_rights(): rsbac_rc_get_item() returned error %i!\n",err);
01663 return -RSBAC_EREADFAILED;
01664 }
01665
01666 *request_vector = i_rc_item_val1.rights;
01667
01668 return 0;
01669 }
01670
01671 int rsbac_rc_sys_get_current_role(rsbac_rc_role_id_t * role_p)
01672 {
01673 union rsbac_target_id_t i_tid;
01674 union rsbac_attribute_value_t i_attr_val1;
01675 int err;
01676
01677
01678 i_tid.process = current->pid;
01679 if ((err=rsbac_get_attr(SW_RC, T_PROCESS,
01680 i_tid,
01681 A_rc_role,
01682 &i_attr_val1,
01683 TRUE)))
01684 {
01685 rsbac_printk(KERN_WARNING
01686 "rsbac_rc_sys_get_current_role(): rsbac_get_attr() returned error %i!\n",err);
01687 return -RSBAC_EREADFAILED;
01688 }
01689 *role_p = i_attr_val1.rc_role;
01690
01691 return 0;
01692 }
01693
01694 int rsbac_rc_select_fd_create_type(rsbac_rc_type_id_t type)
01695 {
01696
01697 int res;
01698
01699 union rsbac_target_id_t tid;
01700 union rsbac_attribute_value_t attr_val;
01701
01702
01703 if (type != RC_type_use_fd) {
01704 if (!rsbac_rc_type_exists(0, T_FILE, type))
01705 return -RSBAC_EINVALIDVALUE;
01706 #ifndef CONFIG_RSBAC_MAINT
01707 if (!rsbac_rc_check_type_comp(T_FILE, type, RCR_SELECT, current->pid)) {
01708 #ifdef CONFIG_RSBAC_SOFTMODE
01709 if( !rsbac_softmode
01710 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01711 && !rsbac_ind_softmode[SW_RC]
01712 #endif
01713 )
01714 #endif
01715 return -EPERM;
01716 }
01717 #endif
01718 }
01719
01720 tid.process = current->pid;
01721 attr_val.rc_select_type = type;
01722 if ((res = rsbac_set_attr(SW_RC,
01723 T_PROCESS,
01724 tid,
01725 A_rc_select_type,
01726 attr_val))) {
01727 rsbac_printk(KERN_WARNING "rsbac_rc_select_fd_create_type(): rsbac_set_attr() returned error %i\n", res);
01728 return -EPERM;
01729 }
01730
01731 return 0;
01732 }
01733
01734