00001
00002
00003
00004
00005
00006
00007
00008
00009 #include <linux/types.h>
00010 #include <linux/sched.h>
00011 #include <linux/mm.h>
00012 #include <linux/init.h>
00013 #include <linux/ext2_fs.h>
00014 #include <asm/uaccess.h>
00015 #include <rsbac/types.h>
00016 #include <rsbac/aci_data_structures.h>
00017 #include <rsbac/acl_data_structures.h>
00018 #include <rsbac/error.h>
00019 #include <rsbac/helpers.h>
00020 #include <rsbac/adf.h>
00021 #include <rsbac/aci.h>
00022 #include <rsbac/acl.h>
00023 #include <rsbac/lists.h>
00024 #include <rsbac/proc_fs.h>
00025 #include <rsbac/getname.h>
00026 #include <rsbac/acl_getname.h>
00027 #include <rsbac/rkmem.h>
00028 #include <rsbac/network.h>
00029 #include <linux/string.h>
00030 #include <linux/smp_lock.h>
00031 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00032 #include <linux/rcupdate.h>
00033 #else
00034 #define rcu_dereference(x) x
00035 #endif
00036
00037
00038
00039
00040
00041
00042
00043 static struct rsbac_acl_device_list_head_t * device_list_head_p;
00044 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00045 static spinlock_t device_list_lock;
00046 #else
00047 static rwlock_t device_list_lock;
00048 #endif
00049
00050 static rsbac_list_handle_t dev_handle = NULL;
00051 static rsbac_list_handle_t dev_major_handle = NULL;
00052 static rsbac_list_handle_t scd_handle = NULL;
00053 static rsbac_list_handle_t group_handle = NULL;
00054 static rsbac_list_handle_t gm_handle = NULL;
00055 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
00056 static rsbac_list_handle_t netdev_handle = NULL;
00057 #endif
00058 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
00059 static rsbac_list_handle_t nettemp_nt_handle = NULL;
00060 static rsbac_list_handle_t nettemp_handle = NULL;
00061 static rsbac_list_handle_t netobj_handle = NULL;
00062 #endif
00063
00064 static rsbac_list_handle_t default_fd_handle = NULL;
00065 static rsbac_list_handle_t default_dev_handle = NULL;
00066 static rsbac_list_handle_t default_ipc_handle = NULL;
00067 static rsbac_list_handle_t default_scd_handle = NULL;
00068 static rsbac_list_handle_t u_handle = NULL;
00069 static rsbac_list_handle_t default_u_handle = NULL;
00070 static rsbac_list_handle_t default_p_handle = NULL;
00071 #ifdef CONFIG_RSBAC_ACL_UM_PROT
00072 static rsbac_list_handle_t g_handle = NULL;
00073 static rsbac_list_handle_t default_g_handle = NULL;
00074 #endif
00075 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
00076 static rsbac_list_handle_t default_netdev_handle = NULL;
00077 static rsbac_acl_rights_vector_t default_netdev_rights = 0;
00078 #endif
00079 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
00080 static rsbac_list_handle_t default_nettemp_nt_handle = NULL;
00081 static rsbac_list_handle_t default_netobj_handle = NULL;
00082 static rsbac_acl_rights_vector_t default_nettemp_nt_rights = 0;
00083 static rsbac_acl_rights_vector_t default_netobj_rights = 0;
00084 #endif
00085
00086 static rsbac_acl_group_id_t group_last_new = 0;
00087
00088 static rsbac_acl_rights_vector_t default_fd_rights = 0;
00089 static rsbac_acl_rights_vector_t default_dev_rights = 0;
00090 static rsbac_acl_rights_vector_t default_ipc_rights = 0;
00091 static rsbac_acl_rights_vector_t default_scd_rights = 0;
00092 static rsbac_acl_rights_vector_t default_u_rights = 0;
00093 #ifdef CONFIG_RSBAC_ACL_UM_PROT
00094 static rsbac_acl_rights_vector_t default_g_rights = 0;
00095 #endif
00096 static rsbac_acl_rights_vector_t default_p_rights = 0;
00097
00098
00099
00100
00101
00102 rsbac_boolean_t writable(struct super_block *sb_p);
00103
00104
00105
00106
00107
00108
00109
00110
00111
00112
00113
00114 static u_int nr_fd_hashes = RSBAC_ACL_NR_FD_LISTS;
00115
00116 static u_int group_hash(void * desc, __u32 nr_hashes)
00117 {
00118 return (*((rsbac_acl_group_id_t *) desc) & (nr_hashes - 1));
00119 }
00120
00121 static int entry_compare(void *desc1, void *desc2)
00122 {
00123 int result;
00124 struct rsbac_acl_entry_desc_t *i_desc1 = desc1;
00125 struct rsbac_acl_entry_desc_t *i_desc2 = desc2;
00126
00127 result = memcmp(&i_desc1->subj_type,
00128 &i_desc2->subj_type, sizeof(i_desc1->subj_type));
00129 if (result)
00130 return result;
00131 else
00132 return memcmp(&i_desc1->subj_id,
00133 &i_desc2->subj_id, sizeof(i_desc1->subj_id));
00134 }
00135
00136 static int dev_compare(void *desc1, void *desc2)
00137 {
00138 int result;
00139 struct rsbac_dev_desc_t *i_desc1 = desc1;
00140 struct rsbac_dev_desc_t *i_desc2 = desc2;
00141
00142 result = memcmp(&i_desc1->type,
00143 &i_desc2->type, sizeof(i_desc1->type));
00144 if (result)
00145 return result;
00146 result = memcmp(&i_desc1->major,
00147 &i_desc2->major, sizeof(i_desc1->major));
00148 if (result)
00149 return result;
00150 return memcmp(&i_desc1->minor,
00151 &i_desc2->minor, sizeof(i_desc1->minor));
00152 }
00153
00154 static int dev_major_compare(void *desc1, void *desc2)
00155 {
00156 int result;
00157 struct rsbac_dev_desc_t *i_desc1 = desc1;
00158 struct rsbac_dev_desc_t *i_desc2 = desc2;
00159
00160 result = memcmp(&i_desc1->type,
00161 &i_desc2->type, sizeof(i_desc1->type));
00162 if (result)
00163 return result;
00164 return memcmp(&i_desc1->major,
00165 &i_desc2->major, sizeof(i_desc1->major));
00166 }
00167
00168 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
00169 static int netdev_compare(void *desc1, void *desc2)
00170 {
00171 return strncmp(desc1, desc2, RSBAC_IFNAMSIZ);
00172 }
00173 #endif
00174
00175 static int fd_conv(void *old_desc,
00176 void *old_data, void *new_desc, void *new_data)
00177 {
00178 rsbac_acl_rights_vector_t *new = new_data;
00179 rsbac_acl_rights_vector_t *old = old_data;
00180
00181 memcpy(new_desc, old_desc, sizeof(rsbac_inode_nr_t));
00182 *new = (*old & RSBAC_ALL_REQUEST_VECTOR)
00183 | ((*old & ~(RSBAC_ALL_REQUEST_VECTOR)) <<
00184 (RSBAC_ACL_SPECIAL_RIGHT_BASE -
00185 RSBAC_ACL_OLD_SPECIAL_RIGHT_BASE));
00186 return 0;
00187 }
00188
00189 rsbac_list_conv_function_t *fd_get_conv(rsbac_version_t old_version)
00190 {
00191 switch (old_version) {
00192 case RSBAC_ACL_FD_OLD_LIST_VERSION:
00193 return fd_conv;
00194 default:
00195 return NULL;
00196 }
00197 }
00198
00199 static int dev_conv(void *old_desc,
00200 void *old_data, void *new_desc, void *new_data)
00201 {
00202 rsbac_acl_rights_vector_t *new = new_data;
00203 rsbac_acl_rights_vector_t *old = old_data;
00204
00205 memcpy(new_desc, old_desc, sizeof(struct rsbac_dev_desc_t));
00206 *new = (*old & RSBAC_ALL_REQUEST_VECTOR)
00207 | ((*old & ~(RSBAC_ALL_REQUEST_VECTOR)) <<
00208 (RSBAC_ACL_SPECIAL_RIGHT_BASE -
00209 RSBAC_ACL_OLD_SPECIAL_RIGHT_BASE));
00210 return 0;
00211 }
00212
00213 static int dev_old_conv(void *old_desc,
00214 void *old_data, void *new_desc, void *new_data)
00215 {
00216 struct rsbac_dev_desc_t *new = new_desc;
00217 struct rsbac_dev_t *old = old_desc;
00218 rsbac_acl_rights_vector_t *newd = new_data;
00219 rsbac_acl_rights_vector_t *oldd = old_data;
00220
00221
00222 memcpy(new_data, old_data, sizeof(rsbac_acl_rights_vector_t));
00223 new->type = old->type;
00224 new->major = RSBAC_MAJOR(old->id);
00225 new->minor = RSBAC_MINOR(old->id);
00226 *newd = (*oldd & RSBAC_ALL_REQUEST_VECTOR)
00227 | ((*oldd & ~(RSBAC_ALL_REQUEST_VECTOR)) <<
00228 (RSBAC_ACL_SPECIAL_RIGHT_BASE -
00229 RSBAC_ACL_OLD_SPECIAL_RIGHT_BASE));
00230 return 0;
00231 }
00232
00233 rsbac_list_conv_function_t *dev_get_conv(rsbac_version_t old_version)
00234 {
00235 switch (old_version) {
00236 case RSBAC_ACL_DEV_OLD_LIST_VERSION:
00237 return dev_conv;
00238 case RSBAC_ACL_DEV_OLD_OLD_LIST_VERSION:
00239 return dev_old_conv;
00240 default:
00241 return NULL;
00242 }
00243 }
00244
00245 static int scd_conv(void *old_desc,
00246 void *old_data, void *new_desc, void *new_data)
00247 {
00248 rsbac_acl_rights_vector_t *new = new_data;
00249 rsbac_acl_rights_vector_t *old = old_data;
00250
00251 memcpy(new_desc, old_desc, sizeof(__u8));
00252 *new = (*old & RSBAC_ALL_REQUEST_VECTOR)
00253 | ((*old & ~(RSBAC_ALL_REQUEST_VECTOR)) <<
00254 (RSBAC_ACL_SPECIAL_RIGHT_BASE -
00255 RSBAC_ACL_OLD_SPECIAL_RIGHT_BASE));
00256 return 0;
00257 }
00258
00259 rsbac_list_conv_function_t *scd_get_conv(rsbac_version_t old_version)
00260 {
00261 switch (old_version) {
00262 case RSBAC_ACL_SCD_OLD_LIST_VERSION:
00263 return scd_conv;
00264 default:
00265 return NULL;
00266 }
00267 }
00268
00269 static int netdev_conv(void *old_desc,
00270 void *old_data, void *new_desc, void *new_data)
00271 {
00272 rsbac_acl_rights_vector_t *new = new_data;
00273 rsbac_acl_rights_vector_t *old = old_data;
00274
00275 memcpy(new_desc, old_desc, sizeof(rsbac_netdev_id_t));
00276 *new = (*old & RSBAC_ALL_REQUEST_VECTOR)
00277 | ((*old & ~(RSBAC_ALL_REQUEST_VECTOR)) <<
00278 (RSBAC_ACL_SPECIAL_RIGHT_BASE -
00279 RSBAC_ACL_OLD_SPECIAL_RIGHT_BASE));
00280 return 0;
00281 }
00282
00283 rsbac_list_conv_function_t *netdev_get_conv(rsbac_version_t old_version)
00284 {
00285 switch (old_version) {
00286 case RSBAC_ACL_NETDEV_OLD_LIST_VERSION:
00287 return netdev_conv;
00288 default:
00289 return NULL;
00290 }
00291 }
00292
00293 static int nettemp_nt_conv(void *old_desc,
00294 void *old_data, void *new_desc, void *new_data)
00295 {
00296 rsbac_acl_rights_vector_t *new = new_data;
00297 rsbac_acl_rights_vector_t *old = old_data;
00298
00299 memcpy(new_desc, old_desc, sizeof(rsbac_net_temp_id_t));
00300 *new = (*old & RSBAC_ALL_REQUEST_VECTOR)
00301 | ((*old & ~(RSBAC_ALL_REQUEST_VECTOR)) <<
00302 (RSBAC_ACL_SPECIAL_RIGHT_BASE -
00303 RSBAC_ACL_OLD_SPECIAL_RIGHT_BASE));
00304 return 0;
00305 }
00306
00307 rsbac_list_conv_function_t *nettemp_nt_get_conv(rsbac_version_t
00308 old_version)
00309 {
00310 switch (old_version) {
00311 case RSBAC_ACL_NETTEMP_NT_OLD_LIST_VERSION:
00312 return nettemp_nt_conv;
00313 default:
00314 return NULL;
00315 }
00316 }
00317
00318 static int nettemp_conv(void *old_desc,
00319 void *old_data, void *new_desc, void *new_data)
00320 {
00321 rsbac_acl_rights_vector_t *new = new_data;
00322 rsbac_acl_rights_vector_t *old = old_data;
00323
00324 memcpy(new_desc, old_desc, sizeof(rsbac_net_temp_id_t));
00325 *new = (*old & RSBAC_ALL_REQUEST_VECTOR)
00326 | ((*old & ~(RSBAC_ALL_REQUEST_VECTOR)) <<
00327 (RSBAC_ACL_SPECIAL_RIGHT_BASE -
00328 RSBAC_ACL_OLD_SPECIAL_RIGHT_BASE));
00329 return 0;
00330 }
00331
00332 rsbac_list_conv_function_t *nettemp_get_conv(rsbac_version_t old_version)
00333 {
00334 switch (old_version) {
00335 case RSBAC_ACL_NETTEMP_OLD_LIST_VERSION:
00336 return nettemp_conv;
00337 default:
00338 return NULL;
00339 }
00340 }
00341
00342
00343 static int common_subconv(void *old_desc,
00344 void *old_data, void *new_desc, void *new_data)
00345 {
00346 rsbac_acl_rights_vector_t *new = new_data;
00347 rsbac_acl_rights_vector_t *old = old_data;
00348
00349 memcpy(new_desc, old_desc, sizeof(struct rsbac_acl_entry_desc_t));
00350 *new = (*old & RSBAC_ALL_REQUEST_VECTOR)
00351 | ((*old & ~(RSBAC_ALL_REQUEST_VECTOR)) <<
00352 (RSBAC_ACL_SPECIAL_RIGHT_BASE -
00353 RSBAC_ACL_OLD_SPECIAL_RIGHT_BASE));
00354 return 0;
00355 }
00356
00357 rsbac_list_conv_function_t *fd_get_subconv(rsbac_version_t old_version)
00358 {
00359 switch (old_version) {
00360 case RSBAC_ACL_FD_OLD_LIST_VERSION:
00361 return common_subconv;
00362 default:
00363 return NULL;
00364 }
00365 }
00366
00367 rsbac_list_conv_function_t *dev_get_subconv(rsbac_version_t old_version)
00368 {
00369 switch (old_version) {
00370 case RSBAC_ACL_DEV_OLD_LIST_VERSION:
00371 return common_subconv;
00372 case RSBAC_ACL_DEV_OLD_OLD_LIST_VERSION:
00373 return common_subconv;
00374 default:
00375 return NULL;
00376 }
00377 }
00378
00379 rsbac_list_conv_function_t *scd_get_subconv(rsbac_version_t old_version)
00380 {
00381 switch (old_version) {
00382 case RSBAC_ACL_SCD_OLD_LIST_VERSION:
00383 return common_subconv;
00384 default:
00385 return NULL;
00386 }
00387 }
00388
00389 rsbac_list_conv_function_t *netdev_get_subconv(rsbac_version_t old_version)
00390 {
00391 switch (old_version) {
00392 case RSBAC_ACL_NETDEV_OLD_LIST_VERSION:
00393 return common_subconv;
00394 default:
00395 return NULL;
00396 }
00397 }
00398
00399 rsbac_list_conv_function_t *nettemp_nt_get_subconv(rsbac_version_t
00400 old_version)
00401 {
00402 switch (old_version) {
00403 case RSBAC_ACL_NETTEMP_NT_OLD_LIST_VERSION:
00404 return common_subconv;
00405 default:
00406 return NULL;
00407 }
00408 }
00409
00410 rsbac_list_conv_function_t *nettemp_get_subconv(rsbac_version_t
00411 old_version)
00412 {
00413 switch (old_version) {
00414 case RSBAC_ACL_NETTEMP_OLD_LIST_VERSION:
00415 return common_subconv;
00416 default:
00417 return NULL;
00418 }
00419 }
00420
00421 rsbac_list_conv_function_t *def_fd_get_conv(rsbac_version_t old_version)
00422 {
00423 switch (old_version) {
00424 case RSBAC_ACL_DEF_FD_OLD_LIST_VERSION:
00425 return common_subconv;
00426 default:
00427 return NULL;
00428 }
00429 }
00430
00431 rsbac_list_conv_function_t *def_dev_get_conv(rsbac_version_t old_version)
00432 {
00433 switch (old_version) {
00434 case RSBAC_ACL_DEF_DEV_OLD_LIST_VERSION:
00435 return common_subconv;
00436 default:
00437 return NULL;
00438 }
00439 }
00440
00441 rsbac_list_conv_function_t *def_ipc_get_conv(rsbac_version_t old_version)
00442 {
00443 switch (old_version) {
00444 case RSBAC_ACL_DEF_IPC_OLD_LIST_VERSION:
00445 return common_subconv;
00446 default:
00447 return NULL;
00448 }
00449 }
00450
00451 rsbac_list_conv_function_t *def_scd_get_conv(rsbac_version_t old_version)
00452 {
00453 switch (old_version) {
00454 case RSBAC_ACL_DEF_SCD_OLD_LIST_VERSION:
00455 return common_subconv;
00456 default:
00457 return NULL;
00458 }
00459 }
00460
00461 rsbac_list_conv_function_t *def_u_get_conv(rsbac_version_t old_version)
00462 {
00463 switch (old_version) {
00464 case RSBAC_ACL_DEF_U_OLD_LIST_VERSION:
00465 return common_subconv;
00466 default:
00467 return NULL;
00468 }
00469 }
00470
00471 rsbac_list_conv_function_t *def_p_get_conv(rsbac_version_t old_version)
00472 {
00473 switch (old_version) {
00474 case RSBAC_ACL_DEF_P_OLD_LIST_VERSION:
00475 return common_subconv;
00476 default:
00477 return NULL;
00478 }
00479 }
00480
00481 rsbac_list_conv_function_t *def_g_get_conv(rsbac_version_t old_version)
00482 {
00483 switch (old_version) {
00484 case RSBAC_ACL_DEF_G_OLD_LIST_VERSION:
00485 return common_subconv;
00486 default:
00487 return NULL;
00488 }
00489 }
00490
00491 rsbac_list_conv_function_t *def_netdev_get_conv(rsbac_version_t
00492 old_version)
00493 {
00494 switch (old_version) {
00495 case RSBAC_ACL_DEF_NETDEV_OLD_LIST_VERSION:
00496 return common_subconv;
00497 default:
00498 return NULL;
00499 }
00500 }
00501
00502 rsbac_list_conv_function_t *def_nettemp_nt_get_conv(rsbac_version_t
00503 old_version)
00504 {
00505 switch (old_version) {
00506 case RSBAC_ACL_DEF_NETTEMP_NT_OLD_LIST_VERSION:
00507 return common_subconv;
00508 default:
00509 return NULL;
00510 }
00511 }
00512
00513 rsbac_list_conv_function_t *def_netobj_get_conv(rsbac_version_t
00514 old_version)
00515 {
00516 switch (old_version) {
00517 case RSBAC_ACL_DEF_NETOBJ_OLD_LIST_VERSION:
00518 return common_subconv;
00519 default:
00520 return NULL;
00521 }
00522 }
00523
00524
00525
00526
00527
00528 static int acl_register_fd_lists(struct rsbac_acl_device_list_item_t
00529 *device_p, kdev_t kdev)
00530 {
00531 char *name;
00532 int err = 0;
00533 int tmperr;
00534 struct rsbac_list_lol_info_t lol_info;
00535 rsbac_acl_rights_vector_t def_mask = RSBAC_ACL_DEFAULT_FD_MASK;
00536
00537 if (!device_p)
00538 return (-RSBAC_EINVALIDPOINTER);
00539 name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00540 if (!name)
00541 return -RSBAC_ENOMEM;
00542
00543
00544 lol_info.version = RSBAC_ACL_FD_LIST_VERSION;
00545 lol_info.key = RSBAC_ACL_LIST_KEY;
00546 lol_info.desc_size = sizeof(rsbac_inode_nr_t);
00547 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t);
00548 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t);
00549 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t);
00550 lol_info.max_age = 0;
00551 tmperr = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION,
00552 &device_p->handle,
00553 &lol_info,
00554 RSBAC_LIST_PERSIST |
00555 RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE,
00556 NULL,
00557 entry_compare,
00558 fd_get_conv,
00559 fd_get_subconv, &def_mask,
00560 NULL,
00561 RSBAC_ACL_FD_FILENAME, kdev,
00562 nr_fd_hashes,
00563 (nr_fd_hashes > 0) ? rsbac_list_hash_fd : NULL,
00564 RSBAC_ACL_FD_OLD_FILENAME);
00565 if (tmperr) {
00566 char *tmp;
00567
00568 tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00569 if (tmp) {
00570 rsbac_printk(KERN_WARNING "acl_register_fd_lists(): registering list %s for device %02u:%02u failed with error %s!\n",
00571 RSBAC_ACL_FD_FILENAME,
00572 RSBAC_MAJOR(kdev),
00573 RSBAC_MINOR(kdev),
00574 get_error_name(tmp, tmperr));
00575 rsbac_kfree(tmp);
00576 }
00577 err = tmperr;
00578 }
00579 return err;
00580 }
00581
00582
00583
00584
00585 static int acl_detach_fd_lists(struct rsbac_acl_device_list_item_t
00586 *device_p)
00587 {
00588 char *name;
00589 int err = 0;
00590 int tmperr;
00591
00592 if (!device_p)
00593 return (-RSBAC_EINVALIDPOINTER);
00594 name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00595 if (!name)
00596 return -RSBAC_ENOMEM;
00597
00598
00599 tmperr = rsbac_list_lol_detach(&device_p->handle,
00600 RSBAC_ACL_LIST_KEY);
00601 if (tmperr) {
00602 char *tmp;
00603
00604 tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00605 if (tmp) {
00606 rsbac_printk(KERN_WARNING "acl_detach_fd_lists(): detaching from list %s for device %02u:%02u failed with error %s!\n",
00607 RSBAC_ACL_FD_FILENAME,
00608 RSBAC_MAJOR(device_p->id),
00609 RSBAC_MINOR(device_p->id),
00610 get_error_name(tmp, tmperr));
00611 rsbac_kfree(tmp);
00612 }
00613 err = tmperr;
00614 }
00615 return err;
00616 }
00617
00618
00619
00620
00621
00622
00623 static struct rsbac_acl_device_list_item_t *acl_lookup_device(kdev_t kdev)
00624 {
00625 struct rsbac_acl_device_list_item_t *curr = rcu_dereference(device_list_head_p)->curr;
00626
00627
00628 if (!curr || (RSBAC_MAJOR(curr->id) != RSBAC_MAJOR(kdev))
00629 || (RSBAC_MINOR(curr->id) != RSBAC_MINOR(kdev))
00630 ) {
00631 curr = rcu_dereference(device_list_head_p)->head;
00632 while (curr
00633 && ((RSBAC_MAJOR(curr->id) != RSBAC_MAJOR(kdev))
00634 || (RSBAC_MINOR(curr->id) != RSBAC_MINOR(kdev))
00635 )
00636 ) {
00637 curr = curr->next;
00638 }
00639 if (curr)
00640 rcu_dereference(device_list_head_p)->curr = curr;
00641 }
00642
00643 return (curr);
00644 }
00645
00646
00647
00648
00649
00650
00651
00652
00653 static struct rsbac_acl_device_list_item_t
00654 *create_device_item(kdev_t kdev)
00655 {
00656 struct rsbac_acl_device_list_item_t *new_item_p;
00657
00658
00659 if (!(new_item_p = (struct rsbac_acl_device_list_item_t *)
00660 rsbac_kmalloc(sizeof(*new_item_p))))
00661 return (NULL);
00662
00663 memset(new_item_p, 0, sizeof(*new_item_p));
00664 new_item_p->id = kdev;
00665 new_item_p->mount_count = 1;
00666 return (new_item_p);
00667 }
00668
00669
00670 static struct rsbac_acl_device_list_item_t
00671 *add_device_item(struct rsbac_acl_device_list_item_t *device_p)
00672 {
00673 struct rsbac_acl_device_list_head_t * new_p;
00674 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00675 struct rsbac_acl_device_list_head_t * old_p;
00676 #else
00677 u_long flags;
00678 #endif
00679
00680 if (!device_p)
00681 return (NULL);
00682
00683 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00684 spin_lock(&device_list_lock);
00685 old_p = device_list_head_p;
00686 new_p = rsbac_kmalloc(sizeof(*new_p));
00687 *new_p = *old_p;
00688 #else
00689 rsbac_write_lock(&device_list_lock, &flags);
00690 new_p = device_list_head_p;
00691 #endif
00692
00693 if (!new_p->head) {
00694 new_p->head = device_p;
00695 new_p->tail = device_p;
00696 new_p->curr = device_p;
00697 new_p->count = 1;
00698 device_p->prev = NULL;
00699 device_p->next = NULL;
00700 } else {
00701 device_p->prev = new_p->tail;
00702 device_p->next = NULL;
00703 new_p->tail->next = device_p;
00704 new_p->tail = device_p;
00705 new_p->curr = device_p;
00706 new_p->count++;
00707 }
00708 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00709 rcu_assign_pointer(device_list_head_p, new_p);
00710 spin_unlock(&device_list_lock);
00711 synchronize_rcu();
00712 rsbac_kfree(old_p);
00713 #else
00714 rsbac_write_unlock(&device_list_lock, &flags);
00715 #endif
00716 return (device_p);
00717 }
00718
00719
00720
00721
00722
00723
00724
00725
00726 static void clear_device_item(struct rsbac_acl_device_list_item_t
00727 *device_p)
00728 {
00729 if (!device_p)
00730 return;
00731
00732
00733 acl_detach_fd_lists(device_p);
00734
00735 rsbac_kfree(device_p);
00736 }
00737
00738 static void remove_device_item(kdev_t kdev)
00739 {
00740 struct rsbac_acl_device_list_item_t *item_p;
00741 struct rsbac_acl_device_list_head_t * new_p;
00742 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00743 struct rsbac_acl_device_list_head_t * old_p;
00744 #endif
00745
00746 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00747 old_p = device_list_head_p;
00748 new_p = rsbac_kmalloc(sizeof(*new_p));
00749 *new_p = *old_p;
00750 #else
00751 new_p = device_list_head_p;
00752 #endif
00753
00754
00755 if ((item_p = acl_lookup_device(kdev))) {
00756 if (new_p->head == item_p) {
00757 if (new_p->tail == item_p) {
00758 new_p->head = NULL;
00759 new_p->tail = NULL;
00760 } else {
00761 item_p->next->prev = NULL;
00762 new_p->head = item_p->next;
00763 }
00764 } else {
00765 if (new_p->tail == item_p) {
00766 item_p->prev->next = NULL;
00767 new_p->tail = item_p->prev;
00768 } else {
00769 item_p->prev->next = item_p->next;
00770 item_p->next->prev = item_p->prev;
00771 }
00772 }
00773
00774
00775 new_p->curr = NULL;
00776
00777 new_p->count--;
00778 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00779 rcu_assign_pointer(device_list_head_p, new_p);
00780 spin_unlock(&device_list_lock);
00781 synchronize_rcu();
00782 rsbac_kfree(old_p);
00783 #endif
00784
00785
00786
00787 clear_device_item(item_p);
00788 }
00789 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00790 else
00791 spin_unlock(&device_list_lock);
00792 #endif
00793 }
00794
00795
00796
00797
00798
00799 #if defined(CONFIG_RSBAC_PROC)
00800 static int
00801 acl_devices_proc_info(char *buffer, char **start, off_t offset, int length)
00802 {
00803 int len = 0;
00804 off_t pos = 0;
00805 off_t begin = 0;
00806 struct rsbac_acl_device_list_item_t *device_p;
00807 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
00808 u_long dflags;
00809 #endif
00810
00811 if (!rsbac_is_initialized())
00812 return (-ENOSYS);
00813
00814 len +=
00815 sprintf(buffer, "%u RSBAC ACL Devices\n-------------------\n",
00816 rcu_dereference(device_list_head_p)->count);
00817
00818
00819 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00820 rcu_read_lock();
00821 #else
00822 rsbac_read_lock(&device_list_lock, &dflags);
00823 #endif
00824
00825 for (device_p = rcu_dereference(device_list_head_p)->head; device_p;
00826 device_p = device_p->next) {
00827 len +=
00828 sprintf(buffer + len,
00829 "%02u:%02u with mount_count = %u\n",
00830 RSBAC_MAJOR(device_p->id),
00831 RSBAC_MINOR(device_p->id),
00832 device_p->mount_count);
00833 pos = begin + len;
00834 if (pos < offset) {
00835 len = 0;
00836 begin = pos;
00837 }
00838 if (pos > offset + length)
00839 break;
00840 }
00841
00842 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00843 rcu_read_unlock();
00844 #else
00845 rsbac_read_unlock(&device_list_lock, &dflags);
00846 #endif
00847
00848 *start = buffer + (offset - begin);
00849 len -= (offset - begin);
00850
00851 if (len > length)
00852 len = length;
00853 return len;
00854 }
00855
00856 static int
00857 stats_acl_proc_info(char *buffer, char **start, off_t offset, int length)
00858 {
00859 u_int len = 0;
00860 off_t pos = 0;
00861 off_t begin = 0;
00862 u_int item_count = 0;
00863 u_int member_count = 0;
00864 struct rsbac_acl_device_list_item_t *device_p;
00865 union rsbac_target_id_t rsbac_target_id;
00866 union rsbac_attribute_value_t rsbac_attribute_value;
00867 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
00868 u_long dflags;
00869 #endif
00870
00871 if (!rsbac_is_initialized()) {
00872 rsbac_printk(KERN_WARNING "stats_acl_proc_info(): RSBAC not initialized\n");
00873 return (-RSBAC_ENOTINITIALIZED);
00874 }
00875 rsbac_pr_debug(aef_acl, "calling ADF\n");
00876 rsbac_target_id.scd = ST_rsbac;
00877 rsbac_attribute_value.dummy = 0;
00878 if (!rsbac_adf_request(R_GET_STATUS_DATA,
00879 current->pid,
00880 T_SCD,
00881 rsbac_target_id,
00882 A_none, rsbac_attribute_value)) {
00883 return -EPERM;
00884 }
00885
00886 len += sprintf(buffer, "ACL Status\n-----------\n");
00887
00888
00889 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00890 rcu_read_lock();
00891 #else
00892 rsbac_read_lock(&device_list_lock, &dflags);
00893 #endif
00894 device_p = rcu_dereference(device_list_head_p)->head;
00895 while (device_p) {
00896 item_count = rsbac_list_lol_count(device_p->handle);
00897 member_count = rsbac_list_lol_all_subcount(device_p->handle);
00898 len +=
00899 sprintf(buffer + len,
00900 "device %02u:%02u has %i file ACLs, sum of %i members\n",
00901 RSBAC_MAJOR(device_p->id),
00902 RSBAC_MINOR(device_p->id), item_count,
00903 member_count);
00904 pos = begin + len;
00905 if (pos < offset) {
00906 len = 0;
00907 begin = pos;
00908 }
00909 if (pos > offset + length) {
00910 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00911 rcu_read_unlock();
00912 #else
00913 rsbac_read_unlock(&device_list_lock, &dflags);
00914 #endif
00915 goto out;
00916 }
00917 device_p = device_p->next;
00918 }
00919
00920 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00921 rcu_read_unlock();
00922 #else
00923 rsbac_read_unlock(&device_list_lock, &dflags);
00924 #endif
00925
00926
00927 len +=
00928 sprintf(buffer + len,
00929 "%li device ACL items, sum of %li members\n",
00930 rsbac_list_lol_count(dev_handle),
00931 rsbac_list_lol_all_subcount(dev_handle));
00932 pos = begin + len;
00933 if (pos < offset) {
00934 len = 0;
00935 begin = pos;
00936 }
00937 if (pos > offset + length)
00938 goto out;
00939 len +=
00940 sprintf(buffer + len,
00941 "%li device major ACL items, sum of %li members\n",
00942 rsbac_list_lol_count(dev_major_handle),
00943 rsbac_list_lol_all_subcount(dev_major_handle));
00944 pos = begin + len;
00945 if (pos < offset) {
00946 len = 0;
00947 begin = pos;
00948 }
00949 if (pos > offset + length)
00950 goto out;
00951
00952
00953 len +=
00954 sprintf(buffer + len,
00955 "%li scd ACL items, sum of %li members\n",
00956 rsbac_list_lol_count(scd_handle),
00957 rsbac_list_lol_all_subcount(scd_handle));
00958 pos = begin + len;
00959 if (pos < offset) {
00960 len = 0;
00961 begin = pos;
00962 }
00963 if (pos > offset + length)
00964 goto out;
00965
00966
00967 len +=
00968 sprintf(buffer + len,
00969 "%li user ACL items, sum of %li members\n",
00970 rsbac_list_lol_count(u_handle),
00971 rsbac_list_lol_all_subcount(u_handle));
00972 pos = begin + len;
00973 if (pos < offset) {
00974 len = 0;
00975 begin = pos;
00976 }
00977 if (pos > offset + length)
00978 goto out;
00979
00980 #ifdef CONFIG_RSBAC_ACL_UM_PROT
00981
00982 len +=
00983 sprintf(buffer + len,
00984 "%li Linux group ACL items, sum of %li members\n",
00985 rsbac_list_lol_count(g_handle),
00986 rsbac_list_lol_all_subcount(g_handle));
00987 pos = begin + len;
00988 if (pos < offset) {
00989 len = 0;
00990 begin = pos;
00991 }
00992 if (pos > offset + length)
00993 goto out;
00994 #endif
00995
00996 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
00997
00998 len +=
00999 sprintf(buffer + len,
01000 "%li network device ACL items, sum of %li members\n",
01001 rsbac_list_lol_count(netdev_handle),
01002 rsbac_list_lol_all_subcount(netdev_handle));
01003 pos = begin + len;
01004 if (pos < offset) {
01005 len = 0;
01006 begin = pos;
01007 }
01008 if (pos > offset + length)
01009 goto out;
01010 #endif
01011
01012 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
01013
01014 len +=
01015 sprintf(buffer + len,
01016 "%li network template NT ACL items, sum of %li members\n",
01017 rsbac_list_lol_count(nettemp_nt_handle),
01018 rsbac_list_lol_all_subcount(nettemp_nt_handle));
01019 pos = begin + len;
01020 if (pos < offset) {
01021 len = 0;
01022 begin = pos;
01023 }
01024 if (pos > offset + length)
01025 goto out;
01026
01027 len +=
01028 sprintf(buffer + len,
01029 "%li network template ACL items, sum of %li members\n",
01030 rsbac_list_lol_count(nettemp_handle),
01031 rsbac_list_lol_all_subcount(nettemp_handle));
01032 pos = begin + len;
01033 if (pos < offset) {
01034 len = 0;
01035 begin = pos;
01036 }
01037 if (pos > offset + length)
01038 goto out;
01039
01040 len +=
01041 sprintf(buffer + len,
01042 "%li network object ACL items, sum of %li members\n",
01043 rsbac_list_lol_count(netobj_handle),
01044 rsbac_list_lol_all_subcount(netobj_handle));
01045 pos = begin + len;
01046 if (pos < offset) {
01047 len = 0;
01048 begin = pos;
01049 }
01050 if (pos > offset + length)
01051 goto out;
01052 #endif
01053
01054 len += sprintf(buffer + len, "%li groups, last new is %u\n",
01055 rsbac_list_count(group_handle), group_last_new);
01056 pos = begin + len;
01057 if (pos < offset) {
01058 len = 0;
01059 begin = pos;
01060 }
01061 if (pos > offset + length)
01062 goto out;
01063
01064
01065 len +=
01066 sprintf(buffer + len,
01067 "%li group member items, sum of %li group memberships\n",
01068 rsbac_list_lol_count(gm_handle),
01069 rsbac_list_lol_all_subcount(gm_handle));
01070 pos = begin + len;
01071 if (pos < offset) {
01072 len = 0;
01073 begin = pos;
01074 }
01075 if (pos > offset + length)
01076 goto out;
01077
01078 out:
01079 *start = buffer + (offset - begin);
01080 len -= (offset - begin);
01081
01082 if (len > length)
01083 len = length;
01084 return len;
01085 }
01086
01087 static int
01088 acl_acllist_proc_info(char *buffer, char **start, off_t offset, int length)
01089 {
01090 u_int len = 0;
01091 off_t pos = 0;
01092 off_t begin = 0;
01093
01094 u_int i, j, k;
01095 char tmp1[80], tmp2[80];
01096 u_int count = 0;
01097 int tmp_count;
01098 int tmp_sub_count;
01099 u_int member_count = 0;
01100 struct rsbac_acl_device_list_item_t *device_p;
01101 rsbac_inode_nr_t *fd_desc_p;
01102 struct rsbac_dev_desc_t *dev_desc_p;
01103 __u8 *scd_desc_p;
01104 rsbac_uid_t *u_desc_p;
01105 #ifdef CONFIG_RSBAC_ACL_UM_PROT
01106 rsbac_gid_t *g_desc_p;
01107 #endif
01108 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
01109 rsbac_netdev_id_t *netdev_desc_p;
01110 #endif
01111 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
01112 rsbac_net_temp_id_t *nettemp_desc_p;
01113 rsbac_net_obj_id_t *netobj_desc_p;
01114 #endif
01115 struct rsbac_acl_entry_desc_t *sub_desc_p;
01116 rsbac_acl_rights_vector_t rights;
01117 union rsbac_target_id_t rsbac_target_id;
01118 union rsbac_attribute_value_t rsbac_attribute_value;
01119 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
01120 u_long dflags;
01121 #endif
01122
01123 if (!rsbac_is_initialized()) {
01124 rsbac_printk(KERN_WARNING "acl_acllist_proc_info(): RSBAC not initialized\n");
01125 return (-RSBAC_ENOTINITIALIZED);
01126 }
01127 rsbac_pr_debug(aef_acl, "calling ADF\n");
01128 rsbac_target_id.scd = ST_rsbac;
01129 rsbac_attribute_value.dummy = 0;
01130 if (!rsbac_adf_request(R_GET_STATUS_DATA,
01131 current->pid,
01132 T_SCD,
01133 rsbac_target_id,
01134 A_none, rsbac_attribute_value)) {
01135 return -EPERM;
01136 }
01137
01138 len += sprintf(buffer, "ACL Lists\n----------\n");
01139
01140 len += sprintf(buffer + len,
01141 "Default FD ACL: %li members:",
01142 rsbac_list_count(default_fd_handle));
01143 pos = begin + len;
01144 if (pos < offset) {
01145 len = 0;
01146 begin = pos;
01147 }
01148 if (pos > offset + length)
01149 goto out;
01150 tmp_count =
01151 rsbac_list_get_all_desc(default_fd_handle,
01152 (void **) &sub_desc_p);
01153 if (tmp_count > 0) {
01154 for (i = 0; i < tmp_count; i++) {
01155 len += sprintf(buffer + len, " %s %u,",
01156 get_acl_subject_type_name(tmp1,
01157 sub_desc_p
01158 [i].
01159 subj_type),
01160 sub_desc_p[i].subj_id);
01161 pos = begin + len;
01162 if (pos < offset) {
01163 len = 0;
01164 begin = pos;
01165 }
01166 if (pos > offset + length) {
01167 rsbac_vfree(sub_desc_p);
01168 goto out;
01169 }
01170 }
01171 rsbac_vfree(sub_desc_p);
01172 }
01173
01174
01175 len +=
01176 sprintf(buffer + len,
01177 "\nDefault Device ACL: %li members:",
01178 rsbac_list_count(default_dev_handle));
01179 pos = begin + len;
01180 if (pos < offset) {
01181 len = 0;
01182 begin = pos;
01183 }
01184 if (pos > offset + length)
01185 goto out;
01186 tmp_count =
01187 rsbac_list_get_all_desc(default_dev_handle,
01188 (void **) &sub_desc_p);
01189 if (tmp_count > 0) {
01190 for (i = 0; i < tmp_count; i++) {
01191 len += sprintf(buffer + len, " %s %u,",
01192 get_acl_subject_type_name(tmp1,
01193 sub_desc_p
01194 [i].
01195 subj_type),
01196 sub_desc_p[i].subj_id);
01197 pos = begin + len;
01198 if (pos < offset) {
01199 len = 0;
01200 begin = pos;
01201 }
01202 if (pos > offset + length) {
01203 rsbac_vfree(sub_desc_p);
01204 goto out;
01205 }
01206 }
01207 rsbac_vfree(sub_desc_p);
01208 }
01209
01210
01211 len +=
01212 sprintf(buffer + len,
01213 "\nDefault IPC ACL: %li members:",
01214 rsbac_list_count(default_ipc_handle));
01215 pos = begin + len;
01216 if (pos < offset) {
01217 len = 0;
01218 begin = pos;
01219 }
01220 if (pos > offset + length)
01221 goto out;
01222 tmp_count =
01223 rsbac_list_get_all_desc(default_ipc_handle,
01224 (void **) &sub_desc_p);
01225 if (tmp_count > 0) {
01226 for (i = 0; i < tmp_count; i++) {
01227 len += sprintf(buffer + len, " %s %u,",
01228 get_acl_subject_type_name(tmp1,
01229 sub_desc_p
01230 [i].
01231 subj_type),
01232 sub_desc_p[i].subj_id);
01233 pos = begin + len;
01234 if (pos < offset) {
01235 len = 0;
01236 begin = pos;
01237 }
01238 if (pos > offset + length) {
01239 rsbac_vfree(sub_desc_p);
01240 goto out;
01241 }
01242 }
01243 rsbac_vfree(sub_desc_p);
01244 }
01245
01246
01247 len +=
01248 sprintf(buffer + len,
01249 "\nDefault SCD ACL: %li members:",
01250 rsbac_list_count(default_scd_handle));
01251 pos = begin + len;
01252 if (pos < offset) {
01253 len = 0;
01254 begin = pos;
01255 }
01256 if (pos > offset + length)
01257 goto out;
01258 tmp_count =
01259 rsbac_list_get_all_desc(default_scd_handle,
01260 (void **) &sub_desc_p);
01261 if (tmp_count > 0) {
01262 for (i = 0; i < tmp_count; i++) {
01263 len += sprintf(buffer + len, " %s %u,",
01264 get_acl_subject_type_name(tmp1,
01265 sub_desc_p
01266 [i].
01267 subj_type),
01268 sub_desc_p[i].subj_id);
01269 pos = begin + len;
01270 if (pos < offset) {
01271 len = 0;
01272 begin = pos;
01273 }
01274 if (pos > offset + length) {
01275 rsbac_vfree(sub_desc_p);
01276 goto out;
01277 }
01278 }
01279 rsbac_vfree(sub_desc_p);
01280 }
01281
01282
01283 len +=
01284 sprintf(buffer + len,
01285 "\nDefault User ACL: %li members:",
01286 rsbac_list_count(default_u_handle));
01287 pos = begin + len;
01288 if (pos < offset) {
01289 len = 0;
01290 begin = pos;
01291 }
01292 if (pos > offset + length)
01293 goto out;
01294 tmp_count =
01295 rsbac_list_get_all_desc(default_u_handle,
01296 (void **) &sub_desc_p);
01297 if (tmp_count > 0) {
01298 for (i = 0; i < tmp_count; i++) {
01299 len += sprintf(buffer + len, " %s %u,",
01300 get_acl_subject_type_name(tmp1,
01301 sub_desc_p
01302 [i].
01303 subj_type),
01304 sub_desc_p[i].subj_id);
01305 pos = begin + len;
01306 if (pos < offset) {
01307 len = 0;
01308 begin = pos;
01309 }
01310 if (pos > offset + length) {
01311 rsbac_vfree(sub_desc_p);
01312 goto out;
01313 }
01314 }
01315 rsbac_vfree(sub_desc_p);
01316 }
01317
01318
01319 len +=
01320 sprintf(buffer + len,
01321 "\nDefault Process ACL: %li members:",
01322 rsbac_list_count(default_p_handle));
01323 pos = begin + len;
01324 if (pos < offset) {
01325 len = 0;
01326 begin = pos;
01327 }
01328 if (pos > offset + length)
01329 goto out;
01330 tmp_count =
01331 rsbac_list_get_all_desc(default_p_handle,
01332 (void **) &sub_desc_p);
01333 if (tmp_count > 0) {
01334 for (i = 0; i < tmp_count; i++) {
01335 len += sprintf(buffer + len, " %s %u,",
01336 get_acl_subject_type_name(tmp1,
01337 sub_desc_p
01338 [i].
01339 subj_type),
01340 sub_desc_p[i].subj_id);
01341 pos = begin + len;
01342 if (pos < offset) {
01343 len = 0;
01344 begin = pos;
01345 }
01346 if (pos > offset + length) {
01347 rsbac_vfree(sub_desc_p);
01348 goto out;
01349 }
01350 }
01351 rsbac_vfree(sub_desc_p);
01352 }
01353 #ifdef CONFIG_RSBAC_ACL_UM_PROT
01354
01355 len +=
01356 sprintf(buffer + len,
01357 "\nDefault Linux Group ACL: %li members:",
01358 rsbac_list_count(default_g_handle));
01359 pos = begin + len;
01360 if (pos < offset) {
01361 len = 0;
01362 begin = pos;
01363 }
01364 if (pos > offset + length)
01365 goto out;
01366 tmp_count =
01367 rsbac_list_get_all_desc(default_g_handle,
01368 (void **) &sub_desc_p);
01369 if (tmp_count > 0) {
01370 for (i = 0; i < tmp_count; i++) {
01371 len += sprintf(buffer + len, " %s %u,",
01372 get_acl_subject_type_name(tmp1,
01373 sub_desc_p
01374 [i].
01375 subj_type),
01376 sub_desc_p[i].subj_id);
01377 pos = begin + len;
01378 if (pos < offset) {
01379 len = 0;
01380 begin = pos;
01381 }
01382 if (pos > offset + length) {
01383 rsbac_vfree(sub_desc_p);
01384 goto out;
01385 }
01386 }
01387 rsbac_vfree(sub_desc_p);
01388 }
01389 #endif
01390
01391 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
01392
01393 len +=
01394 sprintf(buffer + len,
01395 "\nDefault Network Device ACL: %li members:",
01396 rsbac_list_count(default_netdev_handle));
01397 pos = begin + len;
01398 if (pos < offset) {
01399 len = 0;
01400 begin = pos;
01401 }
01402 if (pos > offset + length)
01403 goto out;
01404 tmp_count =
01405 rsbac_list_get_all_desc(default_netdev_handle,
01406 (void **) &sub_desc_p);
01407 if (tmp_count > 0) {
01408 for (i = 0; i < tmp_count; i++) {
01409 len += sprintf(buffer + len, " %s %u,",
01410 get_acl_subject_type_name(tmp1,
01411 sub_desc_p
01412 [i].
01413 subj_type),
01414 sub_desc_p[i].subj_id);
01415 pos = begin + len;
01416 if (pos < offset) {
01417 len = 0;
01418 begin = pos;
01419 }
01420 if (pos > offset + length) {
01421 rsbac_vfree(sub_desc_p);
01422 goto out;
01423 }
01424 }
01425 rsbac_vfree(sub_desc_p);
01426 }
01427 #endif
01428
01429 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
01430
01431 len +=
01432 sprintf(buffer + len,
01433 "\nDefault Network Template NT ACL: %li members:",
01434 rsbac_list_count(default_nettemp_nt_handle));
01435 pos = begin + len;
01436 if (pos < offset) {
01437 len = 0;
01438 begin = pos;
01439 }
01440 if (pos > offset + length)
01441 goto out;
01442 tmp_count =
01443 rsbac_list_get_all_desc(default_nettemp_nt_handle,
01444 (void **) &sub_desc_p);
01445 if (tmp_count > 0) {
01446 for (i = 0; i < tmp_count; i++) {
01447 len += sprintf(buffer + len, " %s %u,",
01448 get_acl_subject_type_name(tmp1,
01449 sub_desc_p
01450 [i].
01451 subj_type),
01452 sub_desc_p[i].subj_id);
01453 pos = begin + len;
01454 if (pos < offset) {
01455 len = 0;
01456 begin = pos;
01457 }
01458 if (pos > offset + length) {
01459 rsbac_vfree(sub_desc_p);
01460 goto out;
01461 }
01462 }
01463 rsbac_vfree(sub_desc_p);
01464 }
01465
01466 len +=
01467 sprintf(buffer + len,
01468 "\nDefault Network Object ACL: %li members:",
01469 rsbac_list_count(default_netobj_handle));
01470 pos = begin + len;
01471 if (pos < offset) {
01472 len = 0;
01473 begin = pos;
01474 }
01475 if (pos > offset + length)
01476 goto out;
01477 tmp_count =
01478 rsbac_list_get_all_desc(default_netobj_handle,
01479 (void **) &sub_desc_p);
01480 if (tmp_count > 0) {
01481 for (i = 0; i < tmp_count; i++) {
01482 len += sprintf(buffer + len, " %s %u,",
01483 get_acl_subject_type_name(tmp1,
01484 sub_desc_p
01485 [i].
01486 subj_type),
01487 sub_desc_p[i].subj_id);
01488 pos = begin + len;
01489 if (pos < offset) {
01490 len = 0;
01491 begin = pos;
01492 }
01493 if (pos > offset + length) {
01494 rsbac_vfree(sub_desc_p);
01495 goto out;
01496 }
01497 }
01498 rsbac_vfree(sub_desc_p);
01499 }
01500 #endif
01501
01502 len += sprintf(buffer + len, "\n\nFile/Dir/Fifo/Symlink ACLs:\n");
01503 pos = begin + len;
01504 if (pos < offset) {
01505 len = 0;
01506 begin = pos;
01507 }
01508 if (pos > offset + length)
01509 goto out;
01510
01511
01512 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01513 rcu_read_lock();
01514 #else
01515 rsbac_read_lock(&device_list_lock, &dflags);
01516 #endif
01517 device_p = rcu_dereference(device_list_head_p)->head;
01518 while (device_p) {
01519
01520 count = 0;
01521 member_count = 0;
01522 len +=
01523 sprintf(buffer + len,
01524 "\nDevice %02u:%02u\n inode count mask+members",
01525 RSBAC_MAJOR(device_p->id),
01526 RSBAC_MINOR(device_p->id));
01527 pos = begin + len;
01528 if (pos < offset) {
01529 len = 0;
01530 begin = pos;
01531 }
01532 if (pos > offset + length) {
01533 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01534 rcu_read_unlock();
01535 #else
01536 rsbac_read_unlock(&device_list_lock, &dflags);
01537 #endif
01538 goto out;
01539 }
01540 tmp_count = rsbac_list_lol_get_all_desc(device_p->handle,
01541 (void **)
01542 &fd_desc_p);
01543 if (tmp_count > 0) {
01544 for (j = 0; j < tmp_count; j++) {
01545 len +=
01546 sprintf(buffer + len,
01547 "\n%6u\t %li\t",
01548 fd_desc_p[j],
01549 rsbac_list_lol_subcount
01550 (device_p->handle,
01551 &fd_desc_p[j]));
01552 pos = begin + len;
01553 if (pos < offset) {
01554 len = 0;
01555 begin = pos;
01556 }
01557 if (pos > offset + length) {
01558 rsbac_vfree(fd_desc_p);
01559 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01560 rcu_read_unlock();
01561 #else
01562 rsbac_read_unlock(&device_list_lock, &dflags);
01563 #endif
01564 goto out;
01565 }
01566 if (!rsbac_list_lol_get_data
01567 (device_p->handle,
01568 &fd_desc_p[j], &rights)) {
01569 len +=
01570 sprintf(buffer + len,
01571 "%s\n\t\t",
01572 u64tostracl
01573 (tmp1,
01574 rights));
01575 pos = begin + len;
01576 if (pos < offset) {
01577 len = 0;
01578 begin = pos;
01579 }
01580 if (pos > offset + length) {
01581 rsbac_vfree
01582 (fd_desc_p);
01583 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01584 rcu_read_unlock();
01585 #else
01586 rsbac_read_unlock(&device_list_lock, &dflags);
01587 #endif
01588 goto out;
01589 }
01590 }
01591 tmp_sub_count =
01592 rsbac_list_lol_get_all_subdesc
01593 (device_p->handle,
01594 &fd_desc_p[j],
01595 (void **) &sub_desc_p);
01596 if (tmp_sub_count > 0) {
01597 for (k = 0;
01598 k < tmp_sub_count;
01599 k++) {
01600 len +=
01601 sprintf(buffer
01602 + len,
01603 "%s %u, ",
01604 get_acl_subject_type_name
01605 (tmp1,
01606 sub_desc_p
01607 [k].
01608 subj_type),
01609 sub_desc_p
01610 [k].
01611 subj_id);
01612 pos = begin + len;
01613 if (pos < offset) {
01614 len = 0;
01615 begin =
01616 pos;
01617 }
01618 if (pos >
01619 offset +
01620 length) {
01621 rsbac_vfree
01622 (sub_desc_p);
01623 rsbac_vfree
01624 (fd_desc_p);
01625 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01626 rcu_read_unlock();
01627 #else
01628 rsbac_read_unlock(&device_list_lock, &dflags);
01629 #endif
01630 goto out;
01631 }
01632 }
01633 rsbac_vfree(sub_desc_p);
01634 member_count +=
01635 tmp_sub_count;
01636 }
01637 }
01638 count += tmp_count;
01639 rsbac_vfree(fd_desc_p);
01640 }
01641 len +=
01642 sprintf(buffer + len,
01643 "\n%u file ACLs, sum of %u members\n", count,
01644 member_count);
01645 pos = begin + len;
01646 if (pos < offset) {
01647 len = 0;
01648 begin = pos;
01649 }
01650 if (pos > offset + length) {
01651 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01652 rcu_read_unlock();
01653 #else
01654 rsbac_read_unlock(&device_list_lock, &dflags);
01655 #endif
01656 goto out;
01657 }
01658 device_p = device_p->next;
01659 }
01660
01661 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01662 rcu_read_unlock();
01663 #else
01664 rsbac_read_unlock(&device_list_lock, &dflags);
01665 #endif
01666
01667
01668 len +=
01669 sprintf(buffer + len,
01670 "\nDevice ACLs:\ntype+id count mask+members");
01671 pos = begin + len;
01672 if (pos < offset) {
01673 len = 0;
01674 begin = pos;
01675 }
01676 if (pos > offset + length)
01677 goto out;
01678
01679 member_count = 0;
01680 tmp_count =
01681 rsbac_list_lol_get_all_desc(dev_handle, (void **) &dev_desc_p);
01682 if (tmp_count > 0) {
01683 for (i = 0; i < tmp_count; i++) {
01684 if (!rsbac_list_lol_get_data
01685 (dev_handle, &dev_desc_p[i], &rights)) {
01686 len +=
01687 sprintf(buffer + len,
01688 "\n%c%02u:%02u\t %3li\t%s\n\t\t",
01689 'B' + dev_desc_p[i].type,
01690 dev_desc_p[i].major,
01691 dev_desc_p[i].minor,
01692 rsbac_list_lol_subcount
01693 (dev_handle, &dev_desc_p[i]),
01694 u64tostracl(tmp1, rights));
01695 pos = begin + len;
01696 if (pos < offset) {
01697 len = 0;
01698 begin = pos;
01699 }
01700 if (pos > offset + length) {
01701 rsbac_vfree(dev_desc_p);
01702 goto out;
01703 }
01704 }
01705 tmp_sub_count =
01706 rsbac_list_lol_get_all_subdesc(dev_handle,
01707 &dev_desc_p[i],
01708 (void **)
01709 &sub_desc_p);
01710 if (tmp_sub_count > 0) {
01711 for (j = 0; j < tmp_sub_count; j++) {
01712 len +=
01713 sprintf(buffer + len,
01714 "%s %u, ",
01715 get_acl_subject_type_name
01716 (tmp1,
01717 sub_desc_p[j].
01718 subj_type),
01719 sub_desc_p[j].subj_id);
01720 pos = begin + len;
01721 if (pos < offset) {
01722 len = 0;
01723 begin = pos;
01724 }
01725 if (pos > offset + length) {
01726 rsbac_vfree(sub_desc_p);
01727 rsbac_vfree(dev_desc_p);
01728 goto out;
01729 }
01730 }
01731 rsbac_vfree(sub_desc_p);
01732 member_count += tmp_sub_count;
01733 }
01734 }
01735 rsbac_vfree(dev_desc_p);
01736 }
01737 len +=
01738 sprintf(buffer + len,
01739 "\n\n%i device ACL items, sum of %u members\n",
01740 tmp_count, member_count);
01741 pos = begin + len;
01742 if (pos < offset) {
01743 len = 0;
01744 begin = pos;
01745 }
01746 if (pos > offset + length)
01747 goto out;
01748
01749
01750 len +=
01751 sprintf(buffer + len,
01752 "\nDevice major ACLs:\ntype+id count mask+members");
01753 pos = begin + len;
01754 if (pos < offset) {
01755 len = 0;
01756 begin = pos;
01757 }
01758 if (pos > offset + length)
01759 goto out;
01760
01761 member_count = 0;
01762 tmp_count =
01763 rsbac_list_lol_get_all_desc(dev_major_handle,
01764 (void **) &dev_desc_p);
01765 if (tmp_count > 0) {
01766 for (i = 0; i < tmp_count; i++) {
01767 if (!rsbac_list_lol_get_data
01768 (dev_major_handle, &dev_desc_p[i], &rights)) {
01769 len +=
01770 sprintf(buffer + len,
01771 "\n%c%02u\t %3li\t%s\n\t\t",
01772 'B' + dev_desc_p[i].type,
01773 dev_desc_p[i].major,
01774 rsbac_list_lol_subcount
01775 (dev_major_handle,
01776 &dev_desc_p[i]),
01777 u64tostracl(tmp1, rights));
01778 pos = begin + len;
01779 if (pos < offset) {
01780 len = 0;
01781 begin = pos;
01782 }
01783 if (pos > offset + length) {
01784 rsbac_vfree(dev_desc_p);
01785 goto out;
01786 }
01787 }
01788 tmp_sub_count =
01789 rsbac_list_lol_get_all_subdesc
01790 (dev_major_handle, &dev_desc_p[i],
01791 (void **) &sub_desc_p);
01792 if (tmp_sub_count > 0) {
01793 for (j = 0; j < tmp_sub_count; j++) {
01794 len +=
01795 sprintf(buffer + len,
01796 "%s %u, ",
01797 get_acl_subject_type_name
01798 (tmp1,
01799 sub_desc_p[j].
01800 subj_type),
01801 sub_desc_p[j].subj_id);
01802 pos = begin + len;
01803 if (pos < offset) {
01804 len = 0;
01805 begin = pos;
01806 }
01807 if (pos > offset + length) {
01808 rsbac_vfree(sub_desc_p);
01809 rsbac_vfree(dev_desc_p);
01810 goto out;
01811 }
01812 }
01813 rsbac_vfree(sub_desc_p);
01814 member_count += tmp_sub_count;
01815 }
01816 }
01817 rsbac_vfree(dev_desc_p);
01818 }
01819 len +=
01820 sprintf(buffer + len,
01821 "\n\n%i device major ACL items, sum of %u members\n",
01822 tmp_count, member_count);
01823 pos = begin + len;
01824 if (pos < offset) {
01825 len = 0;
01826 begin = pos;
01827 }
01828 if (pos > offset + length)
01829 goto out;
01830
01831
01832 member_count = 0;
01833 len +=
01834 sprintf(buffer + len,
01835 "\nSCD ACLs:\nname count mask+members");
01836 pos = begin + len;
01837 if (pos < offset) {
01838 len = 0;
01839 begin = pos;
01840 }
01841 if (pos > offset + length)
01842 goto out;
01843
01844 tmp_count =
01845 rsbac_list_lol_get_all_desc(scd_handle, (void **) &scd_desc_p);
01846 if (tmp_count > 0) {
01847 for (i = 0; i < tmp_count; i++) {
01848 if (!rsbac_list_lol_get_data
01849 (scd_handle, &scd_desc_p[i], &rights)) {
01850 len +=
01851 sprintf(buffer + len,
01852 "\n%-16s %3li\t%s\n\t\t\t",
01853 get_acl_scd_type_name(tmp1,
01854 scd_desc_p
01855 [i]),
01856 rsbac_list_lol_subcount
01857 (scd_handle, &scd_desc_p[i]),
01858 u64tostracl(tmp2, rights));
01859 pos = begin + len;
01860 if (pos < offset) {
01861 len = 0;
01862 begin = pos;
01863 }
01864 if (pos > offset + length) {
01865 rsbac_vfree(scd_desc_p);
01866 goto out;
01867 }
01868 }
01869 tmp_sub_count =
01870 rsbac_list_lol_get_all_subdesc(scd_handle,
01871 &scd_desc_p[i],
01872 (void **)
01873 &sub_desc_p);
01874 if (tmp_sub_count > 0) {
01875 for (j = 0; j < tmp_sub_count; j++) {
01876 len +=
01877 sprintf(buffer + len,
01878 "%s %u, ",
01879 get_acl_subject_type_name
01880 (tmp1,
01881 sub_desc_p[j].
01882 subj_type),
01883 sub_desc_p[j].subj_id);
01884 pos = begin + len;
01885 if (pos < offset) {
01886 len = 0;
01887 begin = pos;
01888 }
01889 if (pos > offset + length) {
01890 rsbac_vfree(sub_desc_p);
01891 rsbac_vfree(scd_desc_p);
01892 goto out;
01893 }
01894 }
01895 rsbac_vfree(sub_desc_p);
01896 member_count += tmp_sub_count;
01897 }
01898 }
01899 rsbac_vfree(scd_desc_p);
01900 }
01901 len +=
01902 sprintf(buffer + len,
01903 "\n\n%u SCD ACL items, sum of %u members\n", tmp_count,
01904 member_count);
01905 pos = begin + len;
01906 if (pos < offset) {
01907 len = 0;
01908 begin = pos;
01909 }
01910 if (pos > offset + length)
01911 goto out;
01912
01913
01914 len +=
01915 sprintf(buffer + len,
01916 "\nUser ACLs:\nuid count mask+members");
01917 pos = begin + len;
01918 if (pos < offset) {
01919 len = 0;
01920 begin = pos;
01921 }
01922 if (pos > offset + length)
01923 goto out;
01924
01925 member_count = 0;
01926 tmp_count =
01927 rsbac_list_lol_get_all_desc(u_handle, (void **) &u_desc_p);
01928 if (tmp_count > 0) {
01929 for (i = 0; i < tmp_count; i++) {
01930 if (!rsbac_list_lol_get_data
01931 (u_handle, &u_desc_p[i], &rights)) {
01932 len +=
01933 sprintf(buffer + len,
01934 "\n%u\t %3li\t%s\n\t\t",
01935 u_desc_p[i],
01936 rsbac_list_lol_subcount
01937 (u_handle, &u_desc_p[i]),
01938 u64tostracl(tmp1, rights));
01939 pos = begin + len;
01940 if (pos < offset) {
01941 len = 0;
01942 begin = pos;
01943 }
01944 if (pos > offset + length) {
01945 rsbac_vfree(dev_desc_p);
01946 goto out;
01947 }
01948 }
01949 tmp_sub_count =
01950 rsbac_list_lol_get_all_subdesc(u_handle,
01951 &u_desc_p[i],
01952 (void **)
01953 &sub_desc_p);
01954 if (tmp_sub_count > 0) {
01955 for (j = 0; j < tmp_sub_count; j++) {
01956 len +=
01957 sprintf(buffer + len,
01958 "%s %u, ",
01959 get_acl_subject_type_name
01960 (tmp1,
01961 sub_desc_p[j].
01962 subj_type),
01963 sub_desc_p[j].subj_id);
01964 pos = begin + len;
01965 if (pos < offset) {
01966 len = 0;
01967 begin = pos;
01968 }
01969 if (pos > offset + length) {
01970 rsbac_vfree(sub_desc_p);
01971 rsbac_vfree(dev_desc_p);
01972 goto out;
01973 }
01974 }
01975 rsbac_vfree(sub_desc_p);
01976 member_count += tmp_sub_count;
01977 }
01978 }
01979 rsbac_vfree(u_desc_p);
01980 }
01981 len +=
01982 sprintf(buffer + len,
01983 "\n\n%i user ACL items, sum of %u members\n",
01984 tmp_count, member_count);
01985 pos = begin + len;
01986 if (pos < offset) {
01987 len = 0;
01988 begin = pos;
01989 }
01990 if (pos > offset + length)
01991 goto out;
01992
01993 #ifdef CONFIG_RSBAC_ACL_UM_PROT
01994
01995 len +=
01996 sprintf(buffer + len,
01997 "\nLinux group ACLs:\ngid count mask+members");
01998 pos = begin + len;
01999 if (pos < offset) {
02000 len = 0;
02001 begin = pos;
02002 }
02003 if (pos > offset + length)
02004 goto out;
02005
02006 member_count = 0;
02007 tmp_count =
02008 rsbac_list_lol_get_all_desc(g_handle, (void **) &g_desc_p);
02009 if (tmp_count > 0) {
02010 for (i = 0; i < tmp_count; i++) {
02011 if (!rsbac_list_lol_get_data
02012 (g_handle, &g_desc_p[i], &rights)) {
02013 len +=
02014 sprintf(buffer + len,
02015 "\n%u\t %3li\t%s\n\t\t",
02016 g_desc_p[i],
02017 rsbac_list_lol_subcount
02018 (g_handle, &g_desc_p[i]),
02019 u64tostracl(tmp1, rights));
02020 pos = begin + len;
02021 if (pos < offset) {
02022 len = 0;
02023 begin = pos;
02024 }
02025 if (pos > offset + length) {
02026 rsbac_vfree(dev_desc_p);
02027 goto out;
02028 }
02029 }
02030 tmp_sub_count =
02031 rsbac_list_lol_get_all_subdesc(g_handle,
02032 &g_desc_p[i],
02033 (void **)
02034 &sub_desc_p);
02035 if (tmp_sub_count > 0) {
02036 for (j = 0; j < tmp_sub_count; j++) {
02037 len +=
02038 sprintf(buffer + len,
02039 "%s %u, ",
02040 get_acl_subject_type_name
02041 (tmp1,
02042 sub_desc_p[j].
02043 subj_type),
02044 sub_desc_p[j].subj_id);
02045 pos = begin + len;
02046 if (pos < offset) {
02047 len = 0;
02048 begin = pos;
02049 }
02050 if (pos > offset + length) {
02051 rsbac_vfree(sub_desc_p);
02052 rsbac_vfree(dev_desc_p);
02053 goto out;
02054 }
02055 }
02056 rsbac_vfree(sub_desc_p);
02057 member_count += tmp_sub_count;
02058 }
02059 }
02060 rsbac_vfree(g_desc_p);
02061 }
02062 len +=
02063 sprintf(buffer + len,
02064 "\n\n%i Linux group ACL items, sum of %u members\n",
02065 tmp_count, member_count);
02066 pos = begin + len;
02067 if (pos < offset) {
02068 len = 0;
02069 begin = pos;
02070 }
02071 if (pos > offset + length)
02072 goto out;
02073 #endif
02074
02075 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
02076
02077 len +=
02078 sprintf(buffer + len,
02079 "\nNetwork Device ACLs:\nname\t\t count mask+members");
02080 pos = begin + len;
02081 if (pos < offset) {
02082 len = 0;
02083 begin = pos;
02084 }
02085 if (pos > offset + length)
02086 goto out;
02087
02088 member_count = 0;
02089 tmp_count =
02090 rsbac_list_lol_get_all_desc(netdev_handle,
02091 (void **) &netdev_desc_p);
02092 if (tmp_count > 0) {
02093 for (i = 0; i < tmp_count; i++) {
02094 if (!rsbac_list_lol_get_data
02095 (netdev_handle, &netdev_desc_p[i], &rights)) {
02096 len +=
02097 sprintf(buffer + len,
02098 "\n%-16s %3li\t %s\n\t\t",
02099 netdev_desc_p[i],
02100 rsbac_list_lol_subcount
02101 (netdev_handle,
02102 &netdev_desc_p[i]),
02103 u64tostracl(tmp1, rights));
02104 pos = begin + len;
02105 if (pos < offset) {
02106 len = 0;
02107 begin = pos;
02108 }
02109 if (pos > offset + length) {
02110 rsbac_vfree(netdev_desc_p);
02111 goto out;
02112 }
02113 }
02114 tmp_sub_count =
02115 rsbac_list_lol_get_all_subdesc(netdev_handle,
02116 &netdev_desc_p
02117 [i],
02118 (void **)
02119 &sub_desc_p);
02120 if (tmp_sub_count > 0) {
02121 for (j = 0; j < tmp_sub_count; j++) {
02122 len +=
02123 sprintf(buffer + len,
02124 "%s %u, ",
02125 get_acl_subject_type_name
02126 (tmp1,
02127 sub_desc_p[j].
02128 subj_type),
02129 sub_desc_p[j].subj_id);
02130 pos = begin + len;
02131 if (pos < offset) {
02132 len = 0;
02133 begin = pos;
02134 }
02135 if (pos > offset + length) {
02136 rsbac_vfree(sub_desc_p);
02137 rsbac_vfree(netdev_desc_p);
02138 goto out;
02139 }
02140 }
02141 rsbac_vfree(sub_desc_p);
02142 member_count += tmp_sub_count;
02143 }
02144 }
02145 rsbac_vfree(netdev_desc_p);
02146 }
02147 len +=
02148 sprintf(buffer + len,
02149 "\n\n%i network device ACL items, sum of %u members\n",
02150 tmp_count, member_count);
02151 pos = begin + len;
02152 if (pos < offset) {
02153 len = 0;
02154 begin = pos;
02155 }
02156 if (pos > offset + length)
02157 goto out;
02158 #endif
02159
02160 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
02161
02162 len +=
02163 sprintf(buffer + len,
02164 "\nNetwork Template NT (template protection) ACLs:\nTemplate count mask+members");
02165 pos = begin + len;
02166 if (pos < offset) {
02167 len = 0;
02168 begin = pos;
02169 }
02170 if (pos > offset + length)
02171 goto out;
02172
02173 member_count = 0;
02174 tmp_count =
02175 rsbac_list_lol_get_all_desc(nettemp_nt_handle,
02176 (void **) &nettemp_desc_p);
02177 if (tmp_count > 0) {
02178 for (i = 0; i < tmp_count; i++) {
02179 if (!rsbac_list_lol_get_data
02180 (nettemp_nt_handle, &nettemp_desc_p[i],
02181 &rights)) {
02182 len +=
02183 sprintf(buffer + len,
02184 "\n%10u %3li\t%s\n\t\t",
02185 nettemp_desc_p[i],
02186 rsbac_list_lol_subcount
02187 (nettemp_nt_handle,
02188 &nettemp_desc_p[i]),
02189 u64tostracl(tmp1, rights));
02190 pos = begin + len;
02191 if (pos < offset) {
02192 len = 0;
02193 begin = pos;
02194 }
02195 if (pos > offset + length) {
02196 rsbac_vfree(nettemp_desc_p);
02197 goto out;
02198 }
02199 }
02200 tmp_sub_count =
02201 rsbac_list_lol_get_all_subdesc
02202 (nettemp_nt_handle, &nettemp_desc_p[i],
02203 (void **) &sub_desc_p);
02204 if (tmp_sub_count > 0) {
02205 for (j = 0; j < tmp_sub_count; j++) {
02206 len +=
02207 sprintf(buffer + len,
02208 "%s %u, ",
02209 get_acl_subject_type_name
02210 (tmp1,
02211 sub_desc_p[j].
02212 subj_type),
02213 sub_desc_p[j].subj_id);
02214 pos = begin + len;
02215 if (pos < offset) {
02216 len = 0;
02217 begin = pos;
02218 }
02219 if (pos > offset + length) {
02220 rsbac_vfree(sub_desc_p);
02221 rsbac_vfree
02222 (nettemp_desc_p);
02223 goto out;
02224 }
02225 }
02226 rsbac_vfree(sub_desc_p);
02227 member_count += tmp_sub_count;
02228 }
02229 }
02230 rsbac_vfree(nettemp_desc_p);
02231 }
02232 len +=
02233 sprintf(buffer + len,
02234 "\n\n%i network template NT ACL items, sum of %u members\n",
02235 tmp_count, member_count);
02236 pos = begin + len;
02237 if (pos < offset) {
02238 len = 0;
02239 begin = pos;
02240 }
02241 if (pos > offset + length)
02242 goto out;
02243
02244
02245 len +=
02246 sprintf(buffer + len,
02247 "\nNetwork Template (netobj protection) ACLs:\nTemplate count mask+members");
02248 pos = begin + len;
02249 if (pos < offset) {
02250 len = 0;
02251 begin = pos;
02252 }
02253 if (pos > offset + length)
02254 goto out;
02255
02256 member_count = 0;
02257 tmp_count =
02258 rsbac_list_lol_get_all_desc(nettemp_handle,
02259 (void **) &nettemp_desc_p);
02260 if (tmp_count > 0) {
02261 for (i = 0; i < tmp_count; i++) {
02262 if (!rsbac_list_lol_get_data
02263 (nettemp_handle, &nettemp_desc_p[i],
02264 &rights)) {
02265 len +=
02266 sprintf(buffer + len,
02267 "\n%10u %3li\t%s\n\t\t",
02268 nettemp_desc_p[i],
02269 rsbac_list_lol_subcount
02270 (nettemp_handle,
02271 &nettemp_desc_p[i]),
02272 u64tostracl(tmp1, rights));
02273 pos = begin + len;
02274 if (pos < offset) {
02275 len = 0;
02276 begin = pos;
02277 }
02278 if (pos > offset + length) {
02279 rsbac_vfree(nettemp_desc_p);
02280 goto out;
02281 }
02282 }
02283 tmp_sub_count =
02284 rsbac_list_lol_get_all_subdesc(nettemp_handle,
02285 &nettemp_desc_p
02286 [i],
02287 (void **)
02288 &sub_desc_p);
02289 if (tmp_sub_count > 0) {
02290 for (j = 0; j < tmp_sub_count; j++) {
02291 len +=
02292 sprintf(buffer + len,
02293 "%s %u, ",
02294 get_acl_subject_type_name
02295 (tmp1,
02296 sub_desc_p[j].
02297 subj_type),
02298 sub_desc_p[j].subj_id);
02299 pos = begin + len;
02300 if (pos < offset) {
02301 len = 0;
02302 begin = pos;
02303 }
02304 if (pos > offset + length) {
02305 rsbac_vfree(sub_desc_p);
02306 rsbac_vfree
02307 (nettemp_desc_p);
02308 goto out;
02309 }
02310 }
02311 rsbac_vfree(sub_desc_p);
02312 member_count += tmp_sub_count;
02313 }
02314 }
02315 rsbac_vfree(nettemp_desc_p);
02316 }
02317 len +=
02318 sprintf(buffer + len,
02319 "\n\n%i network template ACL items, sum of %u members\n",
02320 tmp_count, member_count);
02321 pos = begin + len;
02322 if (pos < offset) {
02323 len = 0;
02324 begin = pos;
02325 }
02326 if (pos > offset + length)
02327 goto out;
02328
02329
02330 len +=
02331 sprintf(buffer + len,
02332 "\nNetwork Object ACLs:\nObject-ID count mask+members");
02333 pos = begin + len;
02334 if (pos < offset) {
02335 len = 0;
02336 begin = pos;
02337 }
02338 if (pos > offset + length)
02339 goto out;
02340
02341 member_count = 0;
02342 tmp_count =
02343 rsbac_list_lol_get_all_desc(netobj_handle,
02344 (void **) &netobj_desc_p);
02345 if (tmp_count > 0) {
02346 for (i = 0; i < tmp_count; i++) {
02347 if (!rsbac_list_lol_get_data
02348 (netobj_handle, &netobj_desc_p[i], &rights)) {
02349 len +=
02350 sprintf(buffer + len,
02351 "\n%p %3li\t%s\n\t\t",
02352 netobj_desc_p[i],
02353 rsbac_list_lol_subcount
02354 (netobj_handle,
02355 &netobj_desc_p[i]),
02356 u64tostracl(tmp1, rights));
02357 pos = begin + len;
02358 if (pos < offset) {
02359 len = 0;
02360 begin = pos;
02361 }
02362 if (pos > offset + length) {
02363 rsbac_vfree(netobj_desc_p);
02364 goto out;
02365 }
02366 }
02367 tmp_sub_count =
02368 rsbac_list_lol_get_all_subdesc(netobj_handle,
02369 &netobj_desc_p
02370 [i],
02371 (void **)
02372 &sub_desc_p);
02373 if (tmp_sub_count > 0) {
02374 for (j = 0; j < tmp_sub_count; j++) {
02375 len +=
02376 sprintf(buffer + len,
02377 "%s %u, ",
02378 get_acl_subject_type_name
02379 (tmp1,
02380 sub_desc_p[j].
02381 subj_type),
02382 sub_desc_p[j].subj_id);
02383 pos = begin + len;
02384 if (pos < offset) {
02385 len = 0;
02386 begin = pos;
02387 }
02388 if (pos > offset + length) {
02389 rsbac_vfree(sub_desc_p);
02390 rsbac_vfree(netobj_desc_p);
02391 goto out;
02392 }
02393 }
02394 rsbac_vfree(sub_desc_p);
02395 member_count += tmp_sub_count;
02396 }
02397 }
02398 rsbac_vfree(netobj_desc_p);
02399 }
02400 len +=
02401 sprintf(buffer + len,
02402 "\n\n%i network object ACL items, sum of %u members\n",
02403 tmp_count, member_count);
02404 pos = begin + len;
02405 if (pos < offset) {
02406 len = 0;
02407 begin = pos;
02408 }
02409 if (pos > offset + length)
02410 goto out;
02411 #endif
02412
02413 out:
02414 *start = buffer + (offset - begin);
02415 len -= (offset - begin);
02416
02417 if (len > length)
02418 len = length;
02419 return len;
02420 }
02421
02422 static int
02423 acl_grouplist_proc_info(char *buffer, char **start, off_t offset,
02424 int length)
02425 {
02426 u_int len = 0;
02427 off_t pos = 0;
02428 off_t begin = 0;
02429
02430 char type;
02431 int count, sub_count;
02432 int i, j;
02433 u_int member_count = 0;
02434 struct rsbac_acl_group_entry_t *entry_p;
02435 rsbac_uid_t *user_p;
02436 rsbac_acl_group_id_t *group_p;
02437 rsbac_time_t *ttl_p;
02438
02439 union rsbac_target_id_t rsbac_target_id;
02440 union rsbac_attribute_value_t rsbac_attribute_value;
02441
02442 if (!rsbac_is_initialized()) {
02443 rsbac_printk(KERN_WARNING "acl_grouplist_proc_info(): RSBAC not initialized\n");
02444 return (-RSBAC_ENOTINITIALIZED);
02445 }
02446 rsbac_pr_debug(aef_acl, "calling ADF\n");
02447 rsbac_target_id.scd = ST_rsbac;
02448 rsbac_attribute_value.dummy = 0;
02449 if (!rsbac_adf_request(R_GET_STATUS_DATA,
02450 current->pid,
02451 T_SCD,
02452 rsbac_target_id,
02453 A_none, rsbac_attribute_value)) {
02454 return -EPERM;
02455 }
02456
02457 len += sprintf(buffer, "ACL Groups\n----------\n");
02458
02459
02460 len +=
02461 sprintf(buffer + len,
02462 "Group list: %li groups, last new is %u\nID\ttype name\t\towner\n",
02463 rsbac_list_count(group_handle), group_last_new);
02464 pos = begin + len;
02465 if (pos < offset) {
02466 len = 0;
02467 begin = pos;
02468 }
02469 if (pos > offset + length) {
02470 goto out;
02471 }
02472
02473 count = rsbac_list_get_all_data(group_handle, (void **) &entry_p);
02474 if (count > 0) {
02475 for (i = 0; i < count; i++) {
02476 if (entry_p[i].type == ACLG_GLOBAL)
02477 type = 'G';
02478 else
02479 type = 'P';
02480 len +=
02481 sprintf(buffer + len, "%u\t%c %-18s %u\n",
02482 entry_p[i].id, type, entry_p[i].name,
02483 entry_p[i].owner);
02484 pos = begin + len;
02485 if (pos < offset) {
02486 len = 0;
02487 begin = pos;
02488 }
02489 if (pos > offset + length) {
02490 rsbac_vfree(entry_p);
02491 goto out;
02492 }
02493 }
02494 rsbac_vfree(entry_p);
02495 }
02496
02497
02498 member_count = 0;
02499 len +=
02500 sprintf(buffer + len,
02501 "\nGroup memberships:\nuser count\tgroups");
02502 pos = begin + len;
02503 if (pos < offset) {
02504 len = 0;
02505 begin = pos;
02506 }
02507 if (pos > offset + length) {
02508 goto out;
02509 }
02510
02511 count = rsbac_list_lol_get_all_desc(gm_handle, (void **) &user_p);
02512 if (count > 0) {
02513 for (i = 0; i < count; i++) {
02514 sub_count =
02515 rsbac_list_lol_get_all_subdesc_ttl(gm_handle,
02516 &user_p[i],
02517 (void **)
02518 &group_p,
02519 &ttl_p);
02520 len +=
02521 sprintf(buffer + len, "\n%u\t%i\t", user_p[i],
02522 sub_count);
02523 pos = begin + len;
02524 if (pos < offset) {
02525 len = 0;
02526 begin = pos;
02527 }
02528 if (pos > offset + length) {
02529 rsbac_vfree(user_p);
02530 goto out;
02531 }
02532
02533 if (sub_count > 0) {
02534 for (j = 0; j < sub_count; j++) {
02535 if (ttl_p[j])
02536 len +=
02537 sprintf(buffer + len,
02538 "%u(ttl:%i) ",
02539 group_p[j],
02540 ttl_p[j]);
02541 else
02542 len +=
02543 sprintf(buffer + len,
02544 "%u ",
02545 group_p[j]);
02546 pos = begin + len;
02547 if (pos < offset) {
02548 len = 0;
02549 begin = pos;
02550 }
02551 if (pos > offset + length) {
02552 rsbac_vfree(group_p);
02553 rsbac_vfree(user_p);
02554 goto out;
02555 }
02556 }
02557 member_count += sub_count;
02558 rsbac_vfree(group_p);
02559 rsbac_vfree(ttl_p);
02560 }
02561 }
02562 rsbac_vfree(user_p);
02563 }
02564 len +=
02565 sprintf(buffer + len,
02566 "\n\n%u user items, sum of %u memberships\n", count,
02567 member_count);
02568 pos = begin + len;
02569 if (pos < offset) {
02570 len = 0;
02571 begin = pos;
02572 }
02573 if (pos > offset + length)
02574 goto out;
02575
02576 out:
02577 *start = buffer + (offset - begin);
02578 len -= (offset - begin);
02579
02580 if (len > length)
02581 len = length;
02582 return len;
02583 }
02584
02585 #endif
02586
02587
02588
02589
02590
02591
02592
02593
02594
02595
02596
02597
02598
02599
02600 #ifdef CONFIG_RSBAC_INIT_DELAY
02601 static void registration_error(int err, char *listname)
02602 #else
02603 static void __init registration_error(int err, char *listname)
02604 #endif
02605 {
02606 if (err) {
02607 char *tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
02608
02609 if (tmp) {
02610 rsbac_printk(KERN_WARNING "rsbac_init_acl(): Registering ACL %s list failed with error %s\n",
02611 listname, get_error_name(tmp, err));
02612 rsbac_kfree(tmp);
02613 }
02614 }
02615 }
02616
02617
02618 #ifdef CONFIG_RSBAC_INIT_DELAY
02619 void acl_create_def(void)
02620 #else
02621 void __init acl_create_def(void)
02622 #endif
02623 {
02624 if (!rsbac_list_count(default_fd_handle)) {
02625 struct rsbac_acl_entry_desc_t desc;
02626 struct rsbac_acl_entry_t acman_entry =
02627 RSBAC_ACL_ACMAN_FD_ENTRY;
02628 struct rsbac_acl_entry_t sysadm_entry =
02629 RSBAC_ACL_SYSADM_FD_ENTRY;
02630 struct rsbac_acl_entry_t gen_entry =
02631 RSBAC_ACL_GENERAL_FD_ENTRY;
02632
02633 rsbac_printk(KERN_WARNING "rsbac_init_acl(): File/Dir default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02634 RSBAC_MAJOR(rsbac_root_dev),
02635 RSBAC_MINOR(rsbac_root_dev));
02636 desc.subj_type = acman_entry.subj_type;
02637 desc.subj_id = acman_entry.subj_id;
02638 rsbac_list_add(default_fd_handle, &desc,
02639 &acman_entry.rights);
02640 desc.subj_type = sysadm_entry.subj_type;
02641 desc.subj_id = sysadm_entry.subj_id;
02642 rsbac_list_add(default_fd_handle, &desc,
02643 &sysadm_entry.rights);
02644 desc.subj_type = gen_entry.subj_type;
02645 desc.subj_id = gen_entry.subj_id;
02646 rsbac_list_add(default_fd_handle, &desc,
02647 &gen_entry.rights);
02648 }
02649 if (!rsbac_list_count(default_dev_handle)) {
02650 struct rsbac_acl_entry_desc_t desc;
02651 struct rsbac_acl_entry_t acman_entry =
02652 RSBAC_ACL_ACMAN_DEV_ENTRY;
02653 struct rsbac_acl_entry_t sysadm_entry =
02654 RSBAC_ACL_SYSADM_DEV_ENTRY;
02655 struct rsbac_acl_entry_t gen_entry =
02656 RSBAC_ACL_GENERAL_DEV_ENTRY;
02657
02658 rsbac_printk(KERN_WARNING "rsbac_init_acl(): Device default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02659 RSBAC_MAJOR(rsbac_root_dev),
02660 RSBAC_MINOR(rsbac_root_dev));
02661 desc.subj_type = acman_entry.subj_type;
02662 desc.subj_id = acman_entry.subj_id;
02663 rsbac_list_add(default_dev_handle, &desc,
02664 &acman_entry.rights);
02665 desc.subj_type = sysadm_entry.subj_type;
02666 desc.subj_id = sysadm_entry.subj_id;
02667 rsbac_list_add(default_dev_handle, &desc,
02668 &sysadm_entry.rights);
02669 desc.subj_type = gen_entry.subj_type;
02670 desc.subj_id = gen_entry.subj_id;
02671 rsbac_list_add(default_dev_handle, &desc,
02672 &gen_entry.rights);
02673 }
02674 if (!rsbac_list_count(default_ipc_handle)) {
02675 struct rsbac_acl_entry_desc_t desc;
02676 struct rsbac_acl_entry_t acman_entry =
02677 RSBAC_ACL_ACMAN_IPC_ENTRY;
02678 struct rsbac_acl_entry_t sysadm_entry =
02679 RSBAC_ACL_SYSADM_IPC_ENTRY;
02680 struct rsbac_acl_entry_t gen_entry =
02681 RSBAC_ACL_GENERAL_IPC_ENTRY;
02682
02683 rsbac_printk(KERN_WARNING "rsbac_init_acl(): IPC default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02684 RSBAC_MAJOR(rsbac_root_dev),
02685 RSBAC_MINOR(rsbac_root_dev));
02686 desc.subj_type = acman_entry.subj_type;
02687 desc.subj_id = acman_entry.subj_id;
02688 rsbac_list_add(default_ipc_handle, &desc,
02689 &acman_entry.rights);
02690 desc.subj_type = sysadm_entry.subj_type;
02691 desc.subj_id = sysadm_entry.subj_id;
02692 rsbac_list_add(default_ipc_handle, &desc,
02693 &sysadm_entry.rights);
02694 desc.subj_type = gen_entry.subj_type;
02695 desc.subj_id = gen_entry.subj_id;
02696 rsbac_list_add(default_ipc_handle, &desc,
02697 &gen_entry.rights);
02698 }
02699 if (!rsbac_list_count(default_scd_handle)) {
02700 struct rsbac_acl_entry_desc_t desc;
02701 struct rsbac_acl_entry_t acman_entry =
02702 RSBAC_ACL_ACMAN_SCD_ENTRY;
02703
02704 rsbac_printk(KERN_WARNING "rsbac_init_acl(): SCD default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02705 RSBAC_MAJOR(rsbac_root_dev),
02706 RSBAC_MINOR(rsbac_root_dev));
02707 desc.subj_type = acman_entry.subj_type;
02708 desc.subj_id = acman_entry.subj_id;
02709 rsbac_list_add(default_scd_handle, &desc,
02710 &acman_entry.rights);
02711 }
02712 if (!rsbac_list_lol_count(scd_handle)) {
02713 struct rsbac_acl_entry_desc_t desc;
02714 rsbac_acl_rights_vector_t mask =
02715 RSBAC_ACL_DEFAULT_SCD_MASK;
02716 struct rsbac_acl_entry_t gen_entry =
02717 RSBAC_ACL_GENERAL_SCD_ENTRY;
02718 #ifdef CONFIG_RSBAC_USER_MOD_IOPERM
02719 struct rsbac_acl_entry_t gen_ioports_entry =
02720 RSBAC_ACL_GENERAL_SCD_IOPORTS_ENTRY;
02721 #endif
02722 struct rsbac_acl_entry_t gen_other_entry =
02723 RSBAC_ACL_GENERAL_SCD_OTHER_ENTRY;
02724 struct rsbac_acl_entry_t gen_network_entry =
02725 RSBAC_ACL_GENERAL_SCD_NETWORK_ENTRY;
02726 struct rsbac_acl_entry_t sysadm_entry =
02727 RSBAC_ACL_SYSADM_SCD_ENTRY;
02728 struct rsbac_acl_entry_t sysadm_other_entry =
02729 RSBAC_ACL_SYSADM_SCD_OTHER_ENTRY;
02730 #ifdef CONFIG_RSBAC_USER_MOD_IOPERM
02731 struct rsbac_acl_entry_t sysadm_kmem_entry =
02732 RSBAC_ACL_SYSADM_SCD_KMEM_ENTRY;
02733 #endif
02734 struct rsbac_acl_entry_t acman_other_entry =
02735 RSBAC_ACL_ACMAN_SCD_OTHER_ENTRY;
02736 struct rsbac_acl_entry_t auditor_rsbaclog_entry =
02737 RSBAC_ACL_AUDITOR_SCD_RSBACLOG_ENTRY;
02738 __u8 scd;
02739
02740 rsbac_printk(KERN_WARNING "rsbac_init_acl(): SCD ACLs empty on dev %02u:%02u, generating standard entries!\n",
02741 RSBAC_MAJOR(rsbac_root_dev),
02742 RSBAC_MINOR(rsbac_root_dev));
02743 scd = ST_rlimit;
02744 if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02745 desc.subj_type = gen_entry.subj_type;
02746 desc.subj_id = gen_entry.subj_id;
02747 rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02748 &gen_entry.rights);
02749 }
02750 for (scd = ST_time_strucs; scd <= ST_rsbac; scd++) {
02751 if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02752 desc.subj_type = sysadm_entry.subj_type;
02753 desc.subj_id = sysadm_entry.subj_id;
02754 rsbac_list_lol_subadd(scd_handle, &scd,
02755 &desc,
02756 &sysadm_entry.
02757 rights);
02758 }
02759 }
02760 scd = ST_rsbac_log;
02761 if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02762 desc.subj_type = auditor_rsbaclog_entry.subj_type;
02763 desc.subj_id = auditor_rsbaclog_entry.subj_id;
02764 rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02765 &auditor_rsbaclog_entry.
02766 rights);
02767 }
02768 scd = ST_network;
02769 if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02770 desc.subj_type = sysadm_entry.subj_type;
02771 desc.subj_id = sysadm_entry.subj_id;
02772 rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02773 &sysadm_entry.rights);
02774 desc.subj_type = gen_network_entry.subj_type;
02775 desc.subj_id = gen_network_entry.subj_id;
02776 rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02777 &gen_network_entry.rights);
02778 }
02779 scd = ST_firewall;
02780 if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02781 desc.subj_type = sysadm_entry.subj_type;
02782 desc.subj_id = sysadm_entry.subj_id;
02783 rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02784 &sysadm_entry.rights);
02785 desc.subj_type = gen_network_entry.subj_type;
02786 desc.subj_id = gen_network_entry.subj_id;
02787 rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02788 &gen_network_entry.rights);
02789 }
02790 scd = ST_priority;
02791 if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02792 desc.subj_type = sysadm_entry.subj_type;
02793 desc.subj_id = sysadm_entry.subj_id;
02794 rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02795 &sysadm_entry.rights);
02796 }
02797 scd = ST_sysfs;
02798 if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02799 desc.subj_type = sysadm_entry.subj_type;
02800 desc.subj_id = sysadm_entry.subj_id;
02801 rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02802 &sysadm_entry.rights);
02803 }
02804 for (scd = ST_quota; scd < ST_none; scd++)
02805 if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02806 desc.subj_type = sysadm_entry.subj_type;
02807 desc.subj_id = sysadm_entry.subj_id;
02808 rsbac_list_lol_subadd(scd_handle, &scd,
02809 &desc,
02810 &sysadm_entry.
02811 rights);
02812 }
02813 #ifdef CONFIG_RSBAC_USER_MOD_IOPERM
02814 scd = ST_ioports;
02815 if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02816 desc.subj_type = gen_ioports_entry.subj_type;
02817 desc.subj_id = gen_ioports_entry.subj_id;
02818 rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02819 &gen_ioports_entry.rights);
02820 }
02821 scd = ST_kmem;
02822 if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02823 desc.subj_type = sysadm_kmem_entry.subj_type;
02824 desc.subj_id = sysadm_kmem_entry.subj_id;
02825 rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02826 &sysadm_kmem_entry.rights);
02827 }
02828 #endif
02829
02830 scd = ST_other;
02831 if (!rsbac_list_lol_add(scd_handle, &scd, &mask)) {
02832 desc.subj_type = sysadm_other_entry.subj_type;
02833 desc.subj_id = sysadm_other_entry.subj_id;
02834 rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02835 &sysadm_other_entry.rights);
02836 desc.subj_type = acman_other_entry.subj_type;
02837 desc.subj_id = acman_other_entry.subj_id;
02838 rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02839 &acman_other_entry.rights);
02840 desc.subj_type = gen_other_entry.subj_type;
02841 desc.subj_id = gen_other_entry.subj_id;
02842 rsbac_list_lol_subadd(scd_handle, &scd, &desc,
02843 &gen_other_entry.rights);
02844 }
02845 }
02846 }
02847
02848 #ifdef CONFIG_RSBAC_INIT_DELAY
02849 void acl_create_def2(void)
02850 #else
02851 void __init acl_create_def2(void)
02852 #endif
02853 {
02854 if (!rsbac_list_count(default_u_handle)) {
02855 struct rsbac_acl_entry_desc_t desc;
02856 struct rsbac_acl_entry_t acman_entry =
02857 RSBAC_ACL_ACMAN_U_ENTRY;
02858 struct rsbac_acl_entry_t sysadm_entry =
02859 RSBAC_ACL_SYSADM_U_ENTRY;
02860 struct rsbac_acl_entry_t gen_entry =
02861 RSBAC_ACL_GENERAL_U_ENTRY;
02862
02863 rsbac_printk(KERN_WARNING "rsbac_init_acl(): User default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02864 RSBAC_MAJOR(rsbac_root_dev),
02865 RSBAC_MINOR(rsbac_root_dev));
02866 desc.subj_type = sysadm_entry.subj_type;
02867 desc.subj_id = sysadm_entry.subj_id;
02868 rsbac_list_add(default_u_handle, &desc,
02869 &sysadm_entry.rights);
02870 desc.subj_type = acman_entry.subj_type;
02871 desc.subj_id = acman_entry.subj_id;
02872 rsbac_list_add(default_u_handle, &desc,
02873 &acman_entry.rights);
02874 desc.subj_type = gen_entry.subj_type;
02875 desc.subj_id = gen_entry.subj_id;
02876 rsbac_list_add(default_u_handle, &desc, &gen_entry.rights);
02877 }
02878 if (!rsbac_list_count(default_p_handle)) {
02879 struct rsbac_acl_entry_desc_t desc;
02880 struct rsbac_acl_entry_t acman_entry =
02881 RSBAC_ACL_ACMAN_P_ENTRY;
02882 struct rsbac_acl_entry_t sysadm_entry =
02883 RSBAC_ACL_SYSADM_P_ENTRY;
02884 struct rsbac_acl_entry_t gen_entry =
02885 RSBAC_ACL_GENERAL_P_ENTRY;
02886
02887 rsbac_printk(KERN_WARNING "rsbac_init_acl(): Process default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02888 RSBAC_MAJOR(rsbac_root_dev),
02889 RSBAC_MINOR(rsbac_root_dev));
02890 desc.subj_type = sysadm_entry.subj_type;
02891 desc.subj_id = sysadm_entry.subj_id;
02892 rsbac_list_add(default_p_handle, &desc,
02893 &sysadm_entry.rights);
02894 desc.subj_type = acman_entry.subj_type;
02895 desc.subj_id = acman_entry.subj_id;
02896 rsbac_list_add(default_p_handle, &desc,
02897 &acman_entry.rights);
02898 desc.subj_type = gen_entry.subj_type;
02899 desc.subj_id = gen_entry.subj_id;
02900 rsbac_list_add(default_p_handle, &desc, &gen_entry.rights);
02901 }
02902 if (!rsbac_list_lol_count(gm_handle)) {
02903 rsbac_printk(KERN_WARNING "rsbac_init_acl(): Group membership list empty on dev %02u:%02u!\n",
02904 RSBAC_MAJOR(rsbac_root_dev),
02905 RSBAC_MINOR(rsbac_root_dev));
02906 }
02907 if (!rsbac_list_count(group_handle)) {
02908 rsbac_printk(KERN_WARNING "rsbac_init_acl(): Group list empty on dev %02u:%02u!\n",
02909 RSBAC_MAJOR(rsbac_root_dev),
02910 RSBAC_MINOR(rsbac_root_dev));
02911 } else {
02912 rsbac_list_get_max_desc(group_handle, &group_last_new);
02913 }
02914 #ifdef CONFIG_RSBAC_ACL_UM_PROT
02915 if (!rsbac_list_count(default_g_handle)) {
02916 struct rsbac_acl_entry_desc_t desc;
02917 struct rsbac_acl_entry_t acman_entry =
02918 RSBAC_ACL_ACMAN_G_ENTRY;
02919 struct rsbac_acl_entry_t sysadm_entry =
02920 RSBAC_ACL_SYSADM_G_ENTRY;
02921 struct rsbac_acl_entry_t gen_entry =
02922 RSBAC_ACL_GENERAL_G_ENTRY;
02923
02924 rsbac_printk(KERN_WARNING "rsbac_init_acl(): Linux group default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02925 RSBAC_MAJOR(rsbac_root_dev),
02926 RSBAC_MINOR(rsbac_root_dev));
02927 desc.subj_type = sysadm_entry.subj_type;
02928 desc.subj_id = sysadm_entry.subj_id;
02929 rsbac_list_add(default_g_handle, &desc,
02930 &sysadm_entry.rights);
02931 desc.subj_type = acman_entry.subj_type;
02932 desc.subj_id = acman_entry.subj_id;
02933 rsbac_list_add(default_g_handle, &desc,
02934 &acman_entry.rights);
02935 desc.subj_type = gen_entry.subj_type;
02936 desc.subj_id = gen_entry.subj_id;
02937 rsbac_list_add(default_g_handle, &desc, &gen_entry.rights);
02938 }
02939 #endif
02940 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
02941 if (!rsbac_list_count(default_netdev_handle)) {
02942 struct rsbac_acl_entry_desc_t desc;
02943 struct rsbac_acl_entry_t acman_entry =
02944 RSBAC_ACL_ACMAN_NETDEV_ENTRY;
02945 struct rsbac_acl_entry_t sysadm_entry =
02946 RSBAC_ACL_SYSADM_NETDEV_ENTRY;
02947 struct rsbac_acl_entry_t gen_entry =
02948 RSBAC_ACL_GENERAL_NETDEV_ENTRY;
02949
02950 rsbac_printk(KERN_WARNING "rsbac_init_acl(): Network Device default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02951 RSBAC_MAJOR(rsbac_root_dev),
02952 RSBAC_MINOR(rsbac_root_dev));
02953 desc.subj_type = acman_entry.subj_type;
02954 desc.subj_id = acman_entry.subj_id;
02955 rsbac_list_add(default_netdev_handle, &desc,
02956 &acman_entry.rights);
02957 desc.subj_type = sysadm_entry.subj_type;
02958 desc.subj_id = sysadm_entry.subj_id;
02959 rsbac_list_add(default_netdev_handle, &desc,
02960 &sysadm_entry.rights);
02961 desc.subj_type = gen_entry.subj_type;
02962 desc.subj_id = gen_entry.subj_id;
02963 rsbac_list_add(default_netdev_handle, &desc,
02964 &gen_entry.rights);
02965 }
02966 #endif
02967 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
02968 if (!rsbac_no_defaults
02969 && !rsbac_list_count(default_nettemp_nt_handle)) {
02970 struct rsbac_acl_entry_desc_t desc;
02971 struct rsbac_acl_entry_t acman_entry =
02972 RSBAC_ACL_ACMAN_NETTEMP_NT_ENTRY;
02973 struct rsbac_acl_entry_t sysadm_entry =
02974 RSBAC_ACL_SYSADM_NETTEMP_NT_ENTRY;
02975 struct rsbac_acl_entry_t gen_entry =
02976 RSBAC_ACL_GENERAL_NETTEMP_NT_ENTRY;
02977
02978 rsbac_printk(KERN_WARNING "rsbac_init_acl(): Network Template NT (template protection) default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02979 RSBAC_MAJOR(rsbac_root_dev),
02980 RSBAC_MINOR(rsbac_root_dev));
02981 desc.subj_type = acman_entry.subj_type;
02982 desc.subj_id = acman_entry.subj_id;
02983 rsbac_list_add(default_nettemp_nt_handle, &desc,
02984 &acman_entry.rights);
02985 desc.subj_type = sysadm_entry.subj_type;
02986 desc.subj_id = sysadm_entry.subj_id;
02987 rsbac_list_add(default_nettemp_nt_handle, &desc,
02988 &sysadm_entry.rights);
02989 desc.subj_type = gen_entry.subj_type;
02990 desc.subj_id = gen_entry.subj_id;
02991 rsbac_list_add(default_nettemp_nt_handle, &desc,
02992 &gen_entry.rights);
02993 }
02994 if (!rsbac_list_count(default_netobj_handle)) {
02995 struct rsbac_acl_entry_desc_t desc;
02996 struct rsbac_acl_entry_t acman_entry =
02997 RSBAC_ACL_ACMAN_NETOBJ_ENTRY;
02998 struct rsbac_acl_entry_t sysadm_entry =
02999 RSBAC_ACL_SYSADM_NETOBJ_ENTRY;
03000 struct rsbac_acl_entry_t gen_entry =
03001 RSBAC_ACL_GENERAL_NETOBJ_ENTRY;
03002
03003 rsbac_printk(KERN_WARNING "rsbac_init_acl(): Network Object default ACL empty on dev %02u:%02u, generating standard ACL!\n",
03004 RSBAC_MAJOR(rsbac_root_dev),
03005 RSBAC_MINOR(rsbac_root_dev));
03006 desc.subj_type = acman_entry.subj_type;
03007 desc.subj_id = acman_entry.subj_id;
03008 rsbac_list_add(default_netobj_handle, &desc,
03009 &acman_entry.rights);
03010 desc.subj_type = sysadm_entry.subj_type;
03011 desc.subj_id = sysadm_entry.subj_id;
03012 rsbac_list_add(default_netobj_handle, &desc,
03013 &sysadm_entry.rights);
03014 desc.subj_type = gen_entry.subj_type;
03015 desc.subj_id = gen_entry.subj_id;
03016 rsbac_list_add(default_netobj_handle, &desc,
03017 &gen_entry.rights);
03018 }
03019 #endif
03020 }
03021
03022
03023
03024
03025 #ifdef CONFIG_RSBAC_INIT_DELAY
03026 int rsbac_init_acl(void)
03027 #else
03028 int __init rsbac_init_acl(void)
03029 #endif
03030 {
03031 int err = 0;
03032 struct rsbac_acl_device_list_item_t *device_p = NULL;
03033 char tmp[80];
03034 struct proc_dir_entry *tmp_entry_p;
03035 struct rsbac_list_lol_info_t lol_info;
03036 struct rsbac_list_info_t list_info;
03037 rsbac_acl_rights_vector_t def_mask;
03038
03039 if (rsbac_is_initialized()) {
03040 rsbac_printk(KERN_WARNING "rsbac_init_acl(): RSBAC already initialized\n");
03041 return (-RSBAC_EREINIT);
03042 }
03043
03044
03045 rsbac_printk(KERN_INFO "rsbac_init_acl(): Initializing RSBAC: ACL subsystem\n");
03046
03047
03048 device_list_head_p = kmalloc(sizeof(*device_list_head_p), GFP_KERNEL);
03049 if (!device_list_head_p) {
03050 rsbac_printk(KERN_WARNING
03051 "rsbac_init_acl(): Failed to allocate device_list_head\n");
03052 return -ENOMEM;
03053 }
03054 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03055 spin_lock_init(&device_list_lock);
03056 #else
03057 rwlock_init(&device_list_lock);
03058 #endif
03059 device_list_head_p->head = NULL;
03060 device_list_head_p->tail = NULL;
03061 device_list_head_p->curr = NULL;
03062 device_list_head_p->count = 0;
03063
03064
03065 rsbac_pr_debug(ds_acl, "Registering lists\n");
03066 device_p = create_device_item(rsbac_root_dev);
03067 if (!device_p) {
03068 rsbac_printk(KERN_CRIT
03069 "rsbac_init_acl(): Could not create device!\n");
03070 return (-RSBAC_ECOULDNOTADDDEVICE);
03071 }
03072 if ((err = acl_register_fd_lists(device_p, rsbac_root_dev))) {
03073 rsbac_printk(KERN_WARNING "rsbac_init_acl(): File/Dir ACL registration failed for dev %02u:%02u, err %s!\n",
03074 RSBAC_MAJOR(rsbac_root_dev),
03075 RSBAC_MINOR(rsbac_root_dev),
03076 get_error_name(tmp, err));
03077 }
03078 device_p = add_device_item(device_p);
03079 if (!device_p) {
03080 rsbac_printk(KERN_CRIT
03081 "rsbac_init_acl(): Could not add device!\n");
03082 return (-RSBAC_ECOULDNOTADDDEVICE);
03083 }
03084
03085 list_info.version = RSBAC_ACL_DEF_FD_LIST_VERSION;
03086 list_info.key = RSBAC_ACL_LIST_KEY;
03087 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t);
03088 list_info.data_size = sizeof(rsbac_acl_rights_vector_t);
03089 list_info.max_age = 0;
03090 err = rsbac_list_register(RSBAC_LIST_VERSION,
03091 &default_fd_handle, &list_info,
03092 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03093 RSBAC_LIST_BACKUP |
03094 #endif
03095 RSBAC_LIST_PERSIST,
03096 entry_compare,
03097 def_fd_get_conv,
03098 NULL,
03099 RSBAC_ACL_DEF_FD_FILENAME,
03100 RSBAC_AUTO_DEV);
03101 if (err) {
03102 registration_error(err, "default fd");
03103 }
03104
03105 lol_info.version = RSBAC_ACL_DEV_LIST_VERSION;
03106 lol_info.key = RSBAC_ACL_LIST_KEY;
03107 lol_info.desc_size = sizeof(struct rsbac_dev_desc_t);
03108 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t);
03109 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t);
03110 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t);
03111 lol_info.max_age = 0;
03112 def_mask = RSBAC_ACL_DEFAULT_DEV_MASK;
03113 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION,
03114 &dev_handle, &lol_info,
03115 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03116 RSBAC_LIST_BACKUP |
03117 #endif
03118 RSBAC_LIST_PERSIST |
03119 RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE,
03120 dev_compare,
03121 entry_compare, dev_get_conv,
03122 dev_get_subconv, &def_mask, NULL,
03123 RSBAC_ACL_DEV_FILENAME,
03124 RSBAC_AUTO_DEV,
03125 1,
03126 rsbac_list_hash_dev,
03127 NULL);
03128 if (err) {
03129 registration_error(err, "dev");
03130 }
03131 lol_info.version = RSBAC_ACL_DEV_LIST_VERSION;
03132 lol_info.key = RSBAC_ACL_LIST_KEY;
03133 lol_info.desc_size = sizeof(struct rsbac_dev_desc_t);
03134 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t);
03135 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t);
03136 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t);
03137 lol_info.max_age = 0;
03138 def_mask = RSBAC_ACL_DEFAULT_DEV_MASK;
03139 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION,
03140 &dev_major_handle, &lol_info,
03141 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03142 RSBAC_LIST_BACKUP |
03143 #endif
03144 RSBAC_LIST_PERSIST |
03145 RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE,
03146 dev_major_compare, entry_compare,
03147 dev_get_conv, dev_get_subconv,
03148 &def_mask, NULL,
03149 RSBAC_ACL_DEV_MAJOR_FILENAME,
03150 RSBAC_AUTO_DEV,
03151 1,
03152 rsbac_list_hash_dev,
03153 NULL);
03154 if (err) {
03155 registration_error(err, "dev major");
03156 }
03157 list_info.version = RSBAC_ACL_DEF_DEV_LIST_VERSION;
03158 list_info.key = RSBAC_ACL_LIST_KEY;
03159 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t);
03160 list_info.data_size = sizeof(rsbac_acl_rights_vector_t);
03161 list_info.max_age = 0;
03162 err = rsbac_list_register(RSBAC_LIST_VERSION,
03163 &default_dev_handle, &list_info,
03164 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03165 RSBAC_LIST_BACKUP |
03166 #endif
03167 RSBAC_LIST_PERSIST,
03168 entry_compare,
03169 def_dev_get_conv,
03170 NULL,
03171 RSBAC_ACL_DEF_DEV_FILENAME,
03172 RSBAC_AUTO_DEV);
03173 if (err) {
03174 registration_error(err, "default dev");
03175 }
03176
03177 list_info.version = RSBAC_ACL_DEF_IPC_LIST_VERSION;
03178 list_info.key = RSBAC_ACL_LIST_KEY;
03179 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t);
03180 list_info.data_size = sizeof(rsbac_acl_rights_vector_t);
03181 list_info.max_age = 0;
03182 err = rsbac_list_register(RSBAC_LIST_VERSION,
03183 &default_ipc_handle, &list_info,
03184 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03185 RSBAC_LIST_BACKUP |
03186 #endif
03187 RSBAC_LIST_PERSIST,
03188 entry_compare,
03189 def_ipc_get_conv,
03190 NULL,
03191 RSBAC_ACL_DEF_IPC_FILENAME,
03192 RSBAC_AUTO_DEV);
03193 if (err) {
03194 registration_error(err, "default ipc");
03195 }
03196
03197 lol_info.version = RSBAC_ACL_SCD_LIST_VERSION;
03198 lol_info.key = RSBAC_ACL_LIST_KEY;
03199 lol_info.desc_size = sizeof(__u8);
03200 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t);
03201 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t);
03202 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t);
03203 lol_info.max_age = 0;
03204 def_mask = RSBAC_ACL_DEFAULT_SCD_MASK;
03205 err = rsbac_list_lol_register(RSBAC_LIST_VERSION,
03206 &scd_handle, &lol_info,
03207 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03208 RSBAC_LIST_BACKUP |
03209 #endif
03210 RSBAC_LIST_PERSIST |
03211 RSBAC_LIST_DEF_DATA, NULL,
03212 entry_compare, scd_get_conv,
03213 scd_get_subconv, &def_mask, NULL,
03214 RSBAC_ACL_SCD_FILENAME,
03215 RSBAC_AUTO_DEV);
03216 if (err) {
03217 registration_error(err, "scd");
03218 }
03219
03220 list_info.version = RSBAC_ACL_DEF_SCD_LIST_VERSION;
03221 list_info.key = RSBAC_ACL_LIST_KEY;
03222 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t);
03223 list_info.data_size = sizeof(rsbac_acl_rights_vector_t);
03224 list_info.max_age = 0;
03225 err = rsbac_list_register(RSBAC_LIST_VERSION,
03226 &default_scd_handle, &list_info,
03227 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03228 RSBAC_LIST_BACKUP |
03229 #endif
03230 RSBAC_LIST_PERSIST,
03231 entry_compare,
03232 def_scd_get_conv,
03233 NULL,
03234 RSBAC_ACL_DEF_SCD_FILENAME,
03235 RSBAC_AUTO_DEV);
03236 if (err) {
03237 registration_error(err, "default scd");
03238 }
03239
03240 lol_info.version = RSBAC_ACL_U_LIST_VERSION;
03241 lol_info.key = RSBAC_ACL_LIST_KEY;
03242 lol_info.desc_size = sizeof(rsbac_uid_t);
03243 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t);
03244 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t);
03245 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t);
03246 lol_info.max_age = 0;
03247 def_mask = RSBAC_ACL_DEFAULT_U_MASK;
03248 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION,
03249 &u_handle, &lol_info,
03250 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03251 RSBAC_LIST_BACKUP |
03252 #endif
03253 RSBAC_LIST_PERSIST | RSBAC_LIST_AUTO_HASH_RESIZE,
03254 NULL,
03255 entry_compare,
03256 NULL,
03257 NULL,
03258 &def_mask,
03259 NULL,
03260 RSBAC_ACL_U_FILENAME,
03261 RSBAC_AUTO_DEV,
03262 1,
03263 rsbac_list_hash_uid,
03264 NULL);
03265 if (err) {
03266 registration_error(err, "user");
03267 }
03268 list_info.version = RSBAC_ACL_DEF_U_LIST_VERSION;
03269 list_info.key = RSBAC_ACL_LIST_KEY;
03270 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t);
03271 list_info.data_size = sizeof(rsbac_acl_rights_vector_t);
03272 list_info.max_age = 0;
03273 err = rsbac_list_register(RSBAC_LIST_VERSION,
03274 &default_u_handle, &list_info,
03275 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03276 RSBAC_LIST_BACKUP |
03277 #endif
03278 RSBAC_LIST_PERSIST,
03279 entry_compare,
03280 def_u_get_conv,
03281 NULL,
03282 RSBAC_ACL_DEF_U_FILENAME,
03283 RSBAC_AUTO_DEV);
03284 if (err) {
03285 registration_error(err, "default user");
03286 }
03287
03288 list_info.version = RSBAC_ACL_DEF_P_LIST_VERSION;
03289 list_info.key = RSBAC_ACL_LIST_KEY;
03290 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t);
03291 list_info.data_size = sizeof(rsbac_acl_rights_vector_t);
03292 list_info.max_age = 0;
03293 err = rsbac_list_register(RSBAC_LIST_VERSION,
03294 &default_p_handle, &list_info,
03295 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03296 RSBAC_LIST_BACKUP |
03297 #endif
03298 RSBAC_LIST_PERSIST,
03299 entry_compare,
03300 def_p_get_conv,
03301 NULL,
03302 RSBAC_ACL_DEF_P_FILENAME,
03303 RSBAC_AUTO_DEV);
03304 if (err) {
03305 registration_error(err, "default process");
03306 }
03307 #ifdef CONFIG_RSBAC_ACL_UM_PROT
03308 lol_info.version = RSBAC_ACL_G_LIST_VERSION;
03309 lol_info.key = RSBAC_ACL_LIST_KEY;
03310 lol_info.desc_size = sizeof(rsbac_gid_t);
03311 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t);
03312 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t);
03313 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t);
03314 lol_info.max_age = 0;
03315 def_mask = RSBAC_ACL_DEFAULT_G_MASK;
03316 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION,
03317 &g_handle, &lol_info,
03318 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03319 RSBAC_LIST_BACKUP |
03320 #endif
03321 RSBAC_LIST_PERSIST | RSBAC_LIST_AUTO_HASH_RESIZE,
03322 NULL,
03323 entry_compare,
03324 NULL,
03325 NULL,
03326 &def_mask,
03327 NULL,
03328 RSBAC_ACL_G_FILENAME,
03329 RSBAC_AUTO_DEV,
03330 1,
03331 rsbac_list_hash_gid,
03332 NULL);
03333 if (err) {
03334 registration_error(err, "Linux group");
03335 }
03336 list_info.version = RSBAC_ACL_DEF_G_LIST_VERSION;
03337 list_info.key = RSBAC_ACL_LIST_KEY;
03338 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t);
03339 list_info.data_size = sizeof(rsbac_acl_rights_vector_t);
03340 list_info.max_age = 0;
03341 err = rsbac_list_register(RSBAC_LIST_VERSION,
03342 &default_g_handle, &list_info,
03343 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03344 RSBAC_LIST_BACKUP |
03345 #endif
03346 RSBAC_LIST_PERSIST,
03347 entry_compare,
03348 def_g_get_conv,
03349 NULL,
03350 RSBAC_ACL_DEF_G_FILENAME,
03351 RSBAC_AUTO_DEV);
03352 if (err) {
03353 registration_error(err, "default Linux group");
03354 }
03355 #endif
03356
03357 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
03358 lol_info.version = RSBAC_ACL_NETDEV_LIST_VERSION;
03359 lol_info.key = RSBAC_ACL_LIST_KEY;
03360 lol_info.desc_size = sizeof(rsbac_netdev_id_t);
03361 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t);
03362 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t);
03363 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t);
03364 lol_info.max_age = 0;
03365 def_mask = RSBAC_ACL_DEFAULT_NETDEV_MASK;
03366 err = rsbac_list_lol_register(RSBAC_LIST_VERSION,
03367 &netdev_handle, &lol_info,
03368 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03369 RSBAC_LIST_BACKUP |
03370 #endif
03371 RSBAC_LIST_PERSIST |
03372 RSBAC_LIST_DEF_DATA, netdev_compare,
03373 entry_compare, netdev_get_conv,
03374 netdev_get_subconv, &def_mask, NULL,
03375 RSBAC_ACL_NETDEV_FILENAME,
03376 RSBAC_AUTO_DEV);
03377 if (err) {
03378 registration_error(err, "netdev");
03379 }
03380 list_info.version = RSBAC_ACL_DEF_NETDEV_LIST_VERSION;
03381 list_info.key = RSBAC_ACL_LIST_KEY;
03382 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t);
03383 list_info.data_size = sizeof(rsbac_acl_rights_vector_t);
03384 list_info.max_age = 0;
03385 err = rsbac_list_register(RSBAC_LIST_VERSION,
03386 &default_netdev_handle, &list_info,
03387 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03388 RSBAC_LIST_BACKUP |
03389 #endif
03390 RSBAC_LIST_PERSIST,
03391 entry_compare,
03392 def_netdev_get_conv,
03393 NULL,
03394 RSBAC_ACL_DEF_NETDEV_FILENAME,
03395 RSBAC_AUTO_DEV);
03396 if (err) {
03397 registration_error(err, "default netdev");
03398 }
03399 #endif
03400
03401 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
03402 lol_info.version = RSBAC_ACL_NETTEMP_NT_LIST_VERSION;
03403 lol_info.key = RSBAC_ACL_LIST_KEY;
03404 lol_info.desc_size = sizeof(rsbac_net_temp_id_t);
03405 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t);
03406 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t);
03407 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t);
03408 lol_info.max_age = 0;
03409 def_mask = RSBAC_ACL_DEFAULT_NETTEMP_MASK;
03410 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION,
03411 &nettemp_nt_handle, &lol_info,
03412 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03413 RSBAC_LIST_BACKUP |
03414 #endif
03415 RSBAC_LIST_PERSIST | RSBAC_LIST_AUTO_HASH_RESIZE,
03416 NULL,
03417 entry_compare,
03418 nettemp_nt_get_conv,
03419 nettemp_nt_get_subconv,
03420 &def_mask,
03421 NULL,
03422 RSBAC_ACL_NETTEMP_NT_FILENAME,
03423 RSBAC_AUTO_DEV,
03424 1,
03425 rsbac_list_hash_nettemp,
03426 NULL);
03427 if (err) {
03428 registration_error(err, "nettemp_nt");
03429 }
03430 list_info.version = RSBAC_ACL_DEF_NETTEMP_NT_LIST_VERSION;
03431 list_info.key = RSBAC_ACL_LIST_KEY;
03432 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t);
03433 list_info.data_size = sizeof(rsbac_acl_rights_vector_t);
03434 list_info.max_age = 0;
03435 err = rsbac_list_register(RSBAC_LIST_VERSION,
03436 &default_nettemp_nt_handle, &list_info,
03437 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03438 RSBAC_LIST_BACKUP |
03439 #endif
03440 RSBAC_LIST_PERSIST,
03441 entry_compare,
03442 def_nettemp_nt_get_conv,
03443 NULL,
03444 RSBAC_ACL_DEF_NETTEMP_NT_FILENAME,
03445 RSBAC_AUTO_DEV);
03446 if (err) {
03447 registration_error(err, "default nettemp_nt");
03448 }
03449 lol_info.version = RSBAC_ACL_NETTEMP_LIST_VERSION;
03450 lol_info.key = RSBAC_ACL_LIST_KEY;
03451 lol_info.desc_size = sizeof(rsbac_net_temp_id_t);
03452 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t);
03453 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t);
03454 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t);
03455 lol_info.max_age = 0;
03456 def_mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
03457 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION,
03458 &nettemp_handle, &lol_info,
03459 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03460 RSBAC_LIST_BACKUP |
03461 #endif
03462 RSBAC_LIST_PERSIST | RSBAC_LIST_AUTO_HASH_RESIZE,
03463 NULL,
03464 entry_compare,
03465 nettemp_get_conv,
03466 nettemp_get_subconv,
03467 &def_mask,
03468 NULL,
03469 RSBAC_ACL_NETTEMP_FILENAME,
03470 RSBAC_AUTO_DEV,
03471 1,
03472 rsbac_list_hash_nettemp,
03473 NULL);
03474 if (err) {
03475 registration_error(err, "nettemp");
03476 }
03477 lol_info.version = RSBAC_ACL_NETOBJ_LIST_VERSION;
03478 lol_info.key = RSBAC_ACL_LIST_KEY;
03479 lol_info.desc_size = sizeof(rsbac_net_obj_id_t);
03480 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t);
03481 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t);
03482 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t);
03483 lol_info.max_age = 0;
03484 def_mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
03485 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION,
03486 &netobj_handle,
03487 &lol_info,
03488 RSBAC_LIST_AUTO_HASH_RESIZE,
03489 NULL,
03490 entry_compare,
03491 NULL,
03492 NULL,
03493 &def_mask,
03494 NULL,
03495 RSBAC_ACL_NETOBJ_FILENAME,
03496 RSBAC_AUTO_DEV,
03497 1,
03498 rsbac_list_hash_netobj,
03499 NULL);
03500 if (err) {
03501 registration_error(err, "netobj");
03502 }
03503 list_info.version = RSBAC_ACL_DEF_NETOBJ_LIST_VERSION;
03504 list_info.key = RSBAC_ACL_LIST_KEY;
03505 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t);
03506 list_info.data_size = sizeof(rsbac_acl_rights_vector_t);
03507 list_info.max_age = 0;
03508 err = rsbac_list_register(RSBAC_LIST_VERSION,
03509 &default_netobj_handle, &list_info,
03510 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03511 RSBAC_LIST_BACKUP |
03512 #endif
03513 RSBAC_LIST_PERSIST,
03514 entry_compare,
03515 def_netobj_get_conv,
03516 NULL,
03517 RSBAC_ACL_DEF_NETOBJ_FILENAME,
03518 RSBAC_AUTO_DEV);
03519 if (err) {
03520 registration_error(err, "default netobj");
03521 }
03522 #endif
03523
03524
03525 list_info.version = RSBAC_ACL_GROUP_VERSION;
03526 list_info.key = RSBAC_ACL_LIST_KEY;
03527 list_info.desc_size = sizeof(rsbac_acl_group_id_t);
03528 list_info.data_size = sizeof(struct rsbac_acl_group_entry_t);
03529 list_info.max_age = 0;
03530 err = rsbac_list_register_hashed(RSBAC_LIST_VERSION,
03531 &group_handle, &list_info,
03532 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03533 RSBAC_LIST_BACKUP |
03534 #endif
03535 RSBAC_LIST_PERSIST | RSBAC_LIST_AUTO_HASH_RESIZE,
03536 NULL,
03537 NULL,
03538 NULL,
03539 RSBAC_ACL_GROUP_FILENAME,
03540 RSBAC_AUTO_DEV,
03541 1,
03542 group_hash,
03543 NULL);
03544 if (err) {
03545 registration_error(err, "group");
03546 }
03547
03548
03549 lol_info.version = RSBAC_ACL_GM_VERSION;
03550 lol_info.key = RSBAC_ACL_LIST_KEY;
03551 lol_info.desc_size = sizeof(rsbac_uid_t);
03552 lol_info.data_size = 0;
03553 lol_info.subdesc_size = sizeof(rsbac_acl_group_id_t);
03554 lol_info.subdata_size = 0;
03555 lol_info.max_age = 0;
03556 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION,
03557 &gm_handle, &lol_info,
03558 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03559 RSBAC_LIST_BACKUP |
03560 #endif
03561 RSBAC_LIST_PERSIST |
03562 RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE,
03563 NULL,
03564 NULL, NULL, NULL,
03565 NULL, NULL, RSBAC_ACL_GM_FILENAME,
03566 RSBAC_AUTO_DEV,
03567 1,
03568 rsbac_list_hash_uid,
03569 NULL);
03570 if (err) {
03571 registration_error(err, "gm");
03572 }
03573
03574
03575 if (!rsbac_no_defaults) {
03576 acl_create_def();
03577 acl_create_def2();
03578 }
03579 #if defined(CONFIG_RSBAC_PROC)
03580 tmp_entry_p = create_proc_entry("acl_devices",
03581 S_IFREG | S_IRUGO,
03582 proc_rsbac_root_p);
03583 if (tmp_entry_p) {
03584 tmp_entry_p->get_info = acl_devices_proc_info;
03585 }
03586 tmp_entry_p = create_proc_entry("stats_acl",
03587 S_IFREG | S_IRUGO,
03588 proc_rsbac_root_p);
03589 if (tmp_entry_p) {
03590 tmp_entry_p->get_info = stats_acl_proc_info;
03591 }
03592 tmp_entry_p = create_proc_entry("acl_acllist",
03593 S_IFREG | S_IRUGO,
03594 proc_rsbac_root_p);
03595 if (tmp_entry_p) {
03596 tmp_entry_p->get_info = acl_acllist_proc_info;
03597 }
03598 tmp_entry_p = create_proc_entry("acl_grouplist",
03599 S_IFREG | S_IRUGO,
03600 proc_rsbac_root_p);
03601 if (tmp_entry_p) {
03602 tmp_entry_p->get_info = acl_grouplist_proc_info;
03603 }
03604 #endif
03605
03606 rsbac_pr_debug(ds_acl, "Ready.\n");
03607 return (err);
03608 }
03609
03610 int rsbac_mount_acl(kdev_t kdev)
03611 {
03612 int err = 0;
03613 struct rsbac_acl_device_list_item_t *device_p;
03614 struct rsbac_acl_device_list_item_t *new_device_p;
03615 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
03616 u_long dflags;
03617 #endif
03618
03619 if (!rsbac_is_initialized()) {
03620 rsbac_printk(KERN_WARNING "rsbac_mount_acl(): RSBAC not initialized\n");
03621 return (-RSBAC_ENOTINITIALIZED);
03622 }
03623 rsbac_pr_debug(ds_acl, "mounting device %02u:%02u\n",
03624 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev));
03625
03626 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03627 rcu_read_lock();
03628 #else
03629 rsbac_read_lock(&device_list_lock, &dflags);
03630 #endif
03631 device_p = acl_lookup_device(kdev);
03632
03633 if (device_p) {
03634 rsbac_printk(KERN_INFO "rsbac_mount_acl: repeated mount %u of device %02u:%02u\n",
03635 device_p->mount_count, RSBAC_MAJOR(kdev),
03636 RSBAC_MINOR(kdev));
03637 device_p->mount_count++;
03638 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03639 rcu_read_unlock();
03640 #else
03641 rsbac_read_unlock(&device_list_lock, &dflags);
03642 #endif
03643 return 0;
03644 }
03645 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03646 rcu_read_unlock();
03647 #else
03648 rsbac_read_unlock(&device_list_lock, &dflags);
03649 #endif
03650
03651 new_device_p = create_device_item(kdev);
03652 if (!new_device_p)
03653 return -RSBAC_ECOULDNOTADDDEVICE;
03654
03655 if ((err = acl_register_fd_lists(new_device_p, kdev))) {
03656 char *tmp;
03657
03658 tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
03659 if (tmp) {
03660 rsbac_printk(KERN_WARNING "rsbac_mount_acl(): File/Dir ACL registration failed for dev %02u:%02u, err %s!\n",
03661 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev),
03662 get_error_name(tmp, err));
03663 rsbac_kfree(tmp);
03664 }
03665 }
03666 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03667 rcu_read_lock();
03668 #else
03669 rsbac_read_lock(&device_list_lock, &dflags);
03670 #endif
03671
03672 device_p = acl_lookup_device(kdev);
03673 if (device_p) {
03674 rsbac_printk(KERN_WARNING "rsbac_mount_acl(): mount race for device %02u:%02u detected!\n",
03675 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev));
03676 device_p->mount_count++;
03677
03678 clear_device_item(new_device_p);
03679 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03680 rcu_read_unlock();
03681 #else
03682 rsbac_read_unlock(&device_list_lock, &dflags);
03683 #endif
03684 } else {
03685 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03686 rcu_read_unlock();
03687 #else
03688 rsbac_read_unlock(&device_list_lock, &dflags);
03689 #endif
03690 device_p = add_device_item(new_device_p);
03691 if (!device_p) {
03692 rsbac_printk(KERN_WARNING "rsbac_mount_acl: adding device %02u:%02u failed!\n",
03693 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev));
03694
03695 clear_device_item(new_device_p);
03696 err = -RSBAC_ECOULDNOTADDDEVICE;
03697 }
03698 }
03699
03700 return err;
03701 }
03702
03703
03704
03705 int rsbac_umount_acl(kdev_t kdev)
03706 {
03707 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
03708 u_long flags;
03709 #endif
03710 struct rsbac_acl_device_list_item_t *device_p;
03711
03712 if (!rsbac_is_initialized()) {
03713 rsbac_printk(KERN_WARNING "rsbac_umount(): RSBAC not initialized\n");
03714 return (-RSBAC_ENOTINITIALIZED);
03715 }
03716 rsbac_pr_debug(ds_acl, "umounting device %02u:%02u\n",
03717 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev));
03718
03719 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03720 spin_lock(&device_list_lock);
03721 #else
03722 rsbac_write_lock(&device_list_lock, &flags);
03723 #endif
03724
03725 device_p = acl_lookup_device(kdev);
03726 if (device_p) {
03727 if (device_p->mount_count == 1)
03728 remove_device_item(kdev);
03729 else {
03730 if (device_p->mount_count > 1) {
03731 device_p->mount_count--;
03732 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03733 spin_unlock(&device_list_lock);
03734 #endif
03735 } else {
03736 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03737 spin_unlock(&device_list_lock);
03738 #endif
03739 rsbac_printk(KERN_WARNING "rsbac_umount_acl: device %02u:%02u has mount_count < 1!\n",
03740 RSBAC_MAJOR(kdev),
03741 RSBAC_MINOR(kdev));
03742 }
03743 }
03744 }
03745 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03746 else
03747 spin_unlock(&device_list_lock);
03748 #else
03749 rsbac_write_unlock(&device_list_lock, &flags);
03750 #endif
03751 return 0;
03752 }
03753
03754
03755
03756
03757 int rsbac_stats_acl(void)
03758 {
03759 struct rsbac_acl_device_list_item_t *device_p;
03760 union rsbac_target_id_t rsbac_target_id;
03761 union rsbac_attribute_value_t rsbac_attribute_value;
03762 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
03763 u_long dflags;
03764 #endif
03765
03766 if (!rsbac_is_initialized()) {
03767 rsbac_printk(KERN_WARNING "rsbac_stats_acl(): RSBAC not initialized\n");
03768 return (-RSBAC_ENOTINITIALIZED);
03769 }
03770 rsbac_pr_debug(aef_acl, "calling ADF\n");
03771 rsbac_target_id.scd = ST_rsbac;
03772 rsbac_attribute_value.dummy = 0;
03773 if (!rsbac_adf_request(R_GET_STATUS_DATA,
03774 current->pid,
03775 T_SCD,
03776 rsbac_target_id,
03777 A_none, rsbac_attribute_value)) {
03778 return -EPERM;
03779 }
03780
03781 rsbac_printk(KERN_INFO "ACL Status\n-----------\n");
03782
03783
03784 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03785 rcu_read_lock();
03786 #else
03787 rsbac_read_lock(&device_list_lock, &dflags);
03788 #endif
03789 device_p = rcu_dereference(device_list_head_p)->head;
03790 while (device_p) {
03791 rsbac_printk(KERN_INFO "device %02u:%02u has %u file ACLs, sum of %u members\n",
03792 RSBAC_MAJOR(device_p->id),
03793 RSBAC_MINOR(device_p->id),
03794 rsbac_list_lol_count(device_p->handle),
03795 rsbac_list_lol_all_subcount(device_p->handle));
03796 device_p = device_p->next;
03797 }
03798
03799 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03800 rcu_read_unlock();
03801 #else
03802 rsbac_read_unlock(&device_list_lock, &dflags);
03803 #endif
03804
03805
03806 rsbac_printk(KERN_INFO "%li device major ACL items, sum of %li members\n",
03807 rsbac_list_lol_count(dev_major_handle),
03808 rsbac_list_lol_all_subcount(dev_major_handle));
03809 rsbac_printk(KERN_INFO "%li device ACL items, sum of %li members\n",
03810 rsbac_list_lol_count(dev_handle),
03811 rsbac_list_lol_all_subcount(dev_handle));
03812
03813
03814 rsbac_printk(KERN_INFO "%li scd ACL items, sum of %li members\n",
03815 rsbac_list_lol_count(scd_handle),
03816 rsbac_list_lol_all_subcount(scd_handle));
03817
03818
03819 rsbac_printk(KERN_INFO "%li user ACL items, sum of %li members\n",
03820 rsbac_list_lol_count(u_handle),
03821 rsbac_list_lol_all_subcount(u_handle));
03822
03823 #ifdef CONFIG_RSBAC_ACL_UM_PROT
03824
03825 rsbac_printk(KERN_INFO "%li Linux group ACL items, sum of %li members\n",
03826 rsbac_list_lol_count(g_handle),
03827 rsbac_list_lol_all_subcount(g_handle));
03828 #endif
03829
03830 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
03831
03832 rsbac_printk(KERN_INFO "%li network device ACL items, sum of %li members\n",
03833 rsbac_list_lol_count(netdev_handle),
03834 rsbac_list_lol_all_subcount(netdev_handle));
03835 #endif
03836
03837 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
03838
03839 rsbac_printk(KERN_INFO "%li network template NT ACL items, sum of %li members\n",
03840 rsbac_list_lol_count(nettemp_nt_handle),
03841 rsbac_list_lol_all_subcount(nettemp_nt_handle));
03842
03843 rsbac_printk(KERN_INFO "%li network template ACL items, sum of %li members\n",
03844 rsbac_list_lol_count(nettemp_handle),
03845 rsbac_list_lol_all_subcount(nettemp_handle));
03846
03847 rsbac_printk(KERN_INFO "%li network object ACL items, sum of %li members\n",
03848 rsbac_list_lol_count(netobj_handle),
03849 rsbac_list_lol_all_subcount(netobj_handle));
03850 #endif
03851
03852 rsbac_printk(KERN_INFO "%li groups, last new is %u\n",
03853 rsbac_list_count(group_handle), group_last_new);
03854
03855
03856 rsbac_printk(KERN_INFO "%li group member items, sum of %li group memberships\n",
03857 rsbac_list_lol_count(gm_handle),
03858 rsbac_list_lol_all_subcount(gm_handle));
03859
03860 return 0;
03861 }
03862
03863
03864
03865
03866 int rsbac_check_acl(int correct)
03867 {
03868 struct rsbac_acl_device_list_item_t *device_p;
03869 u_long f_count = 0, f_sum = 0, tmp_count,
03870 r_count, u_count, b_count, no_member_count;
03871 long desc_count;
03872 long sub_desc_count;
03873 rsbac_inode_nr_t *fd_desc_p;
03874 struct rsbac_dev_desc_t *dev_desc_p;
03875 __u8 *scd_desc_p;
03876 rsbac_uid_t *u_desc_p;
03877 #ifdef CONFIG_RSBAC_ACL_UM_PROT
03878 rsbac_gid_t *g_desc_p;
03879 #endif
03880 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
03881 rsbac_netdev_id_t *netdev_desc_p;
03882 #endif
03883 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
03884 rsbac_net_temp_id_t *nettemp_desc_p;
03885 rsbac_net_obj_id_t *netobj_desc_p;
03886 #endif
03887 struct rsbac_acl_entry_desc_t *sub_desc_p;
03888 rsbac_uid_t *user_p;
03889 rsbac_acl_group_id_t *group_p;
03890 u_int i, j;
03891 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
03892 u_long dflags;
03893 #endif
03894
03895 if (!rsbac_is_initialized()) {
03896 rsbac_printk(KERN_WARNING "rsbac_check_acl(): RSBAC not initialized\n");
03897 return (-RSBAC_ENOTINITIALIZED);
03898 }
03899
03900
03901 tmp_count = 0;
03902 desc_count =
03903 rsbac_list_lol_get_all_desc(gm_handle, (void **) &user_p);
03904 if (desc_count > 0) {
03905 for (i = 0; i < desc_count; i++) {
03906 sub_desc_count =
03907 rsbac_list_lol_get_all_subdesc(gm_handle,
03908 &user_p[i],
03909 (void **)
03910 &group_p);
03911 if (sub_desc_count > 0) {
03912 for (j = 0; j < sub_desc_count; j++) {
03913 if (!rsbac_list_exist
03914 (group_handle, &group_p[j])) {
03915 rsbac_printk(KERN_WARNING "rsbac_check_acl(): removing user %u membership in non-existent group %u!\n",
03916 user_p[i],
03917 group_p[j]);
03918 rsbac_list_lol_subremove
03919 (gm_handle, &user_p[i],
03920 &group_p[j]);
03921 }
03922 }
03923 rsbac_vfree(group_p);
03924 } else {
03925
03926 if (!sub_desc_count)
03927 rsbac_list_lol_remove(gm_handle,
03928 &user_p[i]);
03929 }
03930 }
03931 rsbac_vfree(user_p);
03932 }
03933
03934 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li group membership items\n",
03935 rsbac_list_lol_count(gm_handle));
03936
03937
03938 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li group items\n",
03939 rsbac_list_count(group_handle));
03940
03941 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03942 rcu_read_lock();
03943 #else
03944 rsbac_read_lock(&device_list_lock, &dflags);
03945 #endif
03946
03947
03948 device_p = rcu_dereference(device_list_head_p)->head;
03949 while (device_p) {
03950 f_count = 0;
03951 r_count = 0;
03952 u_count = 0;
03953 b_count = 0;
03954 no_member_count = 0;
03955
03956 tmp_count = 0;
03957 desc_count = rsbac_list_lol_get_all_desc(device_p->handle,
03958 (void **)
03959 &fd_desc_p);
03960 if (desc_count > 0) {
03961 for (i = 0; i < desc_count; i++) {
03962
03963 sub_desc_count =
03964 rsbac_list_lol_get_all_subdesc
03965 (device_p->handle,
03966 &fd_desc_p[i],
03967 (void **) &sub_desc_p);
03968 if (sub_desc_count > 0) {
03969 for (j = 0;
03970 j < sub_desc_count;
03971 j++) {
03972 if ((sub_desc_p[j].
03973 subj_type ==
03974 ACLS_GROUP)
03975 &&
03976 sub_desc_p[j].
03977 subj_id
03978 &&
03979 !rsbac_list_exist
03980 (group_handle,
03981 &sub_desc_p
03982 [j].
03983 subj_id)) {
03984 if (correct) {
03985
03986 rsbac_pr_debug(ds, "fd_item for inode %u on device %02u:%02u has invalid group %u in ACL -> removing entry!\n",
03987 fd_desc_p[i],
03988 RSBAC_MAJOR(device_p->id),
03989 RSBAC_MINOR(device_p->id),
03990 sub_desc_p[j].subj_id);
03991 rsbac_list_lol_subremove
03992 (device_p->handle,
03993 &fd_desc_p
03994 [i],
03995 &sub_desc_p
03996 [j]);
03997 } else
03998 rsbac_pr_debug(ds, "fd_item for inode %u on device %02u:%02u has invalid group %u in ACL!\n",
03999 fd_desc_p[i],
04000 RSBAC_MAJOR(device_p->id),
04001 RSBAC_MINOR(device_p->id),
04002 sub_desc_p[j].subj_id);
04003 }
04004 #if defined(CONFIG_RSBAC_RC)
04005 else if ((sub_desc_p[j].subj_type == ACLS_ROLE)
04006 &&
04007 (sub_desc_p
04008 [j].
04009 subj_id >
04010 RC_role_max_value)
04011 ) {
04012 if (correct) {
04013
04014 rsbac_pr_debug(ds, "fd_item for inode %u on device %02u:%02u has invalid RC role %u in ACL -> removing entry!\n",
04015 fd_desc_p[i],
04016 RSBAC_MAJOR(device_p->id),
04017 RSBAC_MINOR(device_p->id),
04018 sub_desc_p[j].subj_id);
04019 rsbac_list_lol_subremove
04020 (device_p->handle,
04021 &fd_desc_p
04022 [i],
04023 &sub_desc_p
04024 [j]);
04025 } else
04026 rsbac_pr_debug(ds, "fd_item for inode %u on device %02u:%02u has invalid role %u in ACL!\n",
04027 fd_desc_p[i],
04028 RSBAC_MAJOR(device_p->id),
04029 RSBAC_MINOR(device_p->id),
04030 sub_desc_p[j].subj_id);
04031 }
04032 #endif
04033 }
04034 rsbac_vfree(sub_desc_p);
04035 }
04036 }
04037 tmp_count++;
04038 rsbac_vfree(fd_desc_p);
04039 f_count += desc_count;
04040 }
04041
04042 switch (correct) {
04043 case 2:
04044 rsbac_printk(KERN_INFO "rsbac_check_acl(): Device %02u:%02u has %lu file/dir ACLs (%lu removed (%lu bad inodes, %lu dtimed inodes, %lu unlinked inodes, %lu had no members and default mask))\n",
04045 RSBAC_MAJOR(device_p->id),
04046 RSBAC_MINOR(device_p->id), f_count,
04047 b_count + r_count + u_count +
04048 no_member_count, b_count, r_count,
04049 u_count, no_member_count);
04050 break;
04051 case 1:
04052 rsbac_printk(KERN_INFO "rsbac_check_acl(): Device %02u:%02u has %lu file/dir ACLs (%lu removed (%lu bad inodes, %lu dtimed inodes, %lu had no members and default mask), %lu unlinked inodes)\n",
04053 RSBAC_MAJOR(device_p->id),
04054 RSBAC_MINOR(device_p->id), f_count,
04055 b_count + r_count + no_member_count,
04056 b_count, r_count, no_member_count,
04057 u_count);
04058 break;
04059 default:
04060 rsbac_printk(KERN_INFO "rsbac_check_acl(): Device %02u:%02u has %lu file/dir ACLs (%lu with bad inodes, %lu with dtimed inodes, %lu unlinked inodes, %lu without members and with default mask)\n",
04061 RSBAC_MAJOR(device_p->id),
04062 RSBAC_MINOR(device_p->id), f_count,
04063 b_count, r_count, u_count,
04064 no_member_count);
04065 }
04066 f_sum += f_count;
04067
04068 device_p = device_p->next;
04069 }
04070 rsbac_printk(KERN_INFO "rsbac_check_acl(): Sum of %u Devices with %lu file/dir ACLs\n",
04071 rcu_dereference(device_list_head_p)->count, f_sum);
04072
04073 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
04074 rcu_read_unlock();
04075 #else
04076 rsbac_read_unlock(&device_list_lock, &dflags);
04077 #endif
04078
04079
04080 tmp_count = 0;
04081 desc_count =
04082 rsbac_list_lol_get_all_desc(dev_handle, (void **) &dev_desc_p);
04083 if (desc_count > 0) {
04084 for (i = 0; i < desc_count; i++) {
04085
04086 sub_desc_count =
04087 rsbac_list_lol_get_all_subdesc(dev_handle,
04088 &dev_desc_p[i],
04089 (void **)
04090 &sub_desc_p);
04091 if (sub_desc_count > 0) {
04092 for (j = 0; j < sub_desc_count; j++) {
04093 if ((sub_desc_p[j].subj_type ==
04094 ACLS_GROUP)
04095 && sub_desc_p[j].subj_id
04096 &&
04097 !rsbac_list_exist(group_handle,
04098 &sub_desc_p
04099 [j].
04100 subj_id)) {
04101 if (correct) {
04102
04103 rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid group %u in ACL -> removing entry!\n",
04104 'B' + dev_desc_p[i].type,
04105 dev_desc_p[i].major,
04106 dev_desc_p[i].minor,
04107 sub_desc_p[j].subj_id);
04108 rsbac_list_lol_subremove
04109 (dev_handle,
04110 &dev_desc_p
04111 [i],
04112 &sub_desc_p
04113 [j]);
04114 } else
04115 rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid group %u in ACL!\n",
04116 'B' + dev_desc_p[i].type,
04117 dev_desc_p[i].major,
04118 dev_desc_p[i].minor,
04119 sub_desc_p[j].subj_id);
04120 }
04121 #if defined(CONFIG_RSBAC_RC)
04122 else if ((sub_desc_p[j].
04123 subj_type == ACLS_ROLE)
04124 && (sub_desc_p[j].
04125 subj_id >
04126 RC_role_max_value)
04127 ) {
04128 if (correct) {
04129
04130 rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid role %u in ACL -> removing entry!\n",
04131 'B' + dev_desc_p[i].type,
04132 dev_desc_p[i].major,
04133 dev_desc_p[i].minor,
04134 sub_desc_p[j].subj_id);
04135 rsbac_list_lol_subremove
04136 (dev_handle,
04137 &dev_desc_p
04138 [i],
04139 &sub_desc_p
04140 [j]);
04141 } else
04142 rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid role %u in ACL!\n",
04143 'B' + dev_desc_p[i].type,
04144 dev_desc_p[i].major,
04145 dev_desc_p[i].minor,
04146 sub_desc_p[j].subj_id);
04147 }
04148 #endif
04149 }
04150 rsbac_vfree(sub_desc_p);
04151 }
04152 }
04153 rsbac_vfree(dev_desc_p);
04154 f_sum += desc_count;
04155 }
04156 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li device items\n",
04157 desc_count);
04158 tmp_count = 0;
04159 desc_count =
04160 rsbac_list_lol_get_all_desc(dev_major_handle,
04161 (void **) &dev_desc_p);
04162 if (desc_count > 0) {
04163 for (i = 0; i < desc_count; i++) {
04164
04165 sub_desc_count =
04166 rsbac_list_lol_get_all_subdesc
04167 (dev_major_handle, &dev_desc_p[i],
04168 (void **) &sub_desc_p);
04169 if (sub_desc_count > 0) {
04170 for (j = 0; j < sub_desc_count; j++) {
04171 if ((sub_desc_p[j].subj_type ==
04172 ACLS_GROUP)
04173 && sub_desc_p[j].subj_id
04174 &&
04175 !rsbac_list_exist(group_handle,
04176 &sub_desc_p
04177 [j].
04178 subj_id)) {
04179 if (correct) {
04180
04181 rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid group %u in ACL -> removing entry!\n",
04182 'B' + dev_desc_p[i].type,
04183 dev_desc_p[i].major,
04184 dev_desc_p[i].minor,
04185 sub_desc_p[j].subj_id);
04186 rsbac_list_lol_subremove
04187 (dev_major_handle,
04188 &dev_desc_p
04189 [i],
04190 &sub_desc_p
04191 [j]);
04192 } else
04193 rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid group %u in ACL!\n",
04194 'B' + dev_desc_p[i].type,
04195 dev_desc_p[i].major,
04196 dev_desc_p[i].minor,
04197 sub_desc_p[j].subj_id);
04198 }
04199 #if defined(CONFIG_RSBAC_RC)
04200 else if ((sub_desc_p[j].
04201 subj_type == ACLS_ROLE)
04202 && (sub_desc_p[j].
04203 subj_id >
04204 RC_role_max_value)
04205 ) {
04206 if (correct) {
04207
04208 rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid role %u in ACL -> removing entry!\n",
04209 'B' + dev_desc_p[i].type,
04210 dev_desc_p[i].major,
04211 dev_desc_p[i].minor,
04212 sub_desc_p[j].subj_id);
04213 rsbac_list_lol_subremove
04214 (dev_major_handle,
04215 &dev_desc_p
04216 [i],
04217 &sub_desc_p
04218 [j]);
04219 } else
04220 rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid role %u in ACL!\n",
04221 'B' + dev_desc_p[i].type,
04222 dev_desc_p[i].major,
04223 dev_desc_p[i].minor,
04224 sub_desc_p[j].subj_id);
04225 }
04226 #endif
04227 }
04228 rsbac_vfree(sub_desc_p);
04229 }
04230 }
04231 rsbac_vfree(dev_desc_p);
04232 f_sum += desc_count;
04233 }
04234 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li device items\n",
04235 desc_count);
04236
04237
04238 tmp_count = 0;
04239 desc_count =
04240 rsbac_list_lol_get_all_desc(scd_handle, (void **) &scd_desc_p);
04241 if (desc_count > 0) {
04242 for (i = 0; i < desc_count; i++) {
04243
04244 sub_desc_count =
04245 rsbac_list_lol_get_all_subdesc(scd_handle,
04246 &scd_desc_p[i],
04247 (void **)
04248 &sub_desc_p);
04249 if (sub_desc_count > 0) {
04250 for (j = 0; j < sub_desc_count; j++) {
04251 if ((sub_desc_p[j].subj_type ==
04252 ACLS_GROUP)
04253 && sub_desc_p[j].subj_id
04254 &&
04255 !rsbac_list_exist(group_handle,
04256 &sub_desc_p
04257 [j].
04258 subj_id)) {
04259 if (correct) {
04260
04261 rsbac_pr_debug(ds, "scd_item %u has invalid group %u in ACL -> removing entry!\n",
04262 scd_desc_p[i],
04263 sub_desc_p[j].subj_id);
04264 rsbac_list_lol_subremove
04265 (scd_handle,
04266 &scd_desc_p
04267 [i],
04268 &sub_desc_p
04269 [j]);
04270 } else
04271 rsbac_pr_debug(ds, "scd_item %u has invalid group %u in ACL!\n",
04272 scd_desc_p[i],
04273 sub_desc_p[j].subj_id);
04274 }
04275 #if defined(CONFIG_RSBAC_RC)
04276 else if ((sub_desc_p[j].
04277 subj_type == ACLS_ROLE)
04278 && (sub_desc_p[j].
04279 subj_id >
04280 RC_role_max_value)
04281 ) {
04282 if (correct) {
04283
04284 rsbac_pr_debug(ds, "scd_item %u has invalid role %u in ACL -> removing entry!\n",
04285 scd_desc_p[i],
04286 sub_desc_p[j].subj_id);
04287 rsbac_list_lol_subremove
04288 (scd_handle,
04289 &scd_desc_p
04290 [i],
04291 &sub_desc_p
04292 [j]);
04293 } else
04294 rsbac_pr_debug(ds, "scd_item %u has invalid role %u in ACL!\n",
04295 scd_desc_p[i],
04296 sub_desc_p[j].subj_id);
04297 }
04298 #endif
04299 }
04300 rsbac_vfree(sub_desc_p);
04301 }
04302 }
04303 rsbac_vfree(scd_desc_p);
04304 f_sum += desc_count;
04305 }
04306 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li SCD items\n",
04307 desc_count);
04308
04309
04310 tmp_count = 0;
04311 desc_count =
04312 rsbac_list_lol_get_all_desc(u_handle, (void **) &u_desc_p);
04313 if (desc_count > 0) {
04314 for (i = 0; i < desc_count; i++) {
04315
04316 sub_desc_count =
04317 rsbac_list_lol_get_all_subdesc(u_handle,
04318 &u_desc_p[i],
04319 (void **)
04320 &sub_desc_p);
04321 if (sub_desc_count > 0) {
04322 for (j = 0; j < sub_desc_count; j++) {
04323 if ((sub_desc_p[j].subj_type ==
04324 ACLS_GROUP)
04325 && sub_desc_p[j].subj_id
04326 &&
04327 !rsbac_list_exist(group_handle,
04328 &sub_desc_p
04329 [j].
04330 subj_id)) {
04331 if (correct) {
04332
04333 rsbac_pr_debug(ds, "u_item %u has invalid group %u in ACL -> removing entry!\n",
04334 u_desc_p[i],
04335 sub_desc_p[j].subj_id);
04336 rsbac_list_lol_subremove
04337 (u_handle,
04338 &u_desc_p[i],
04339 &sub_desc_p
04340 [j]);
04341 } else
04342 rsbac_pr_debug(ds, "u_item %u has invalid group %u in ACL!\n",
04343 u_desc_p[i],
04344 sub_desc_p[j].subj_id);
04345 }
04346 #if defined(CONFIG_RSBAC_RC)
04347 else if ((sub_desc_p[j].
04348 subj_type == ACLS_ROLE)
04349 && (sub_desc_p[j].
04350 subj_id >
04351 RC_role_max_value)
04352 ) {
04353 if (correct) {
04354
04355 rsbac_pr_debug(ds, "u_item %u has invalid role %u in ACL -> removing entry!\n",
04356 u_desc_p[i],
04357 sub_desc_p[j].subj_id);
04358 rsbac_list_lol_subremove
04359 (u_handle,
04360 &u_desc_p[i],
04361 &sub_desc_p
04362 [j]);
04363 } else
04364 rsbac_pr_debug(ds, "u_item %u has invalid role %u in ACL!\n",
04365 u_desc_p[i],
04366 sub_desc_p[j].subj_id);
04367 }
04368 #endif
04369 }
04370 rsbac_vfree(sub_desc_p);
04371 }
04372 }
04373 rsbac_vfree(u_desc_p);
04374 f_sum += desc_count;
04375 }
04376 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li user items\n",
04377 desc_count);
04378
04379 #ifdef CONFIG_RSBAC_ACL_UM_PROT
04380
04381 tmp_count = 0;
04382 desc_count =
04383 rsbac_list_lol_get_all_desc(g_handle, (void **) &g_desc_p);
04384 if (desc_count > 0) {
04385 for (i = 0; i < desc_count; i++) {
04386
04387 sub_desc_count =
04388 rsbac_list_lol_get_all_subdesc(g_handle,
04389 &g_desc_p[i],
04390 (void **)
04391 &sub_desc_p);
04392 if (sub_desc_count > 0) {
04393 for (j = 0; j < sub_desc_count; j++) {
04394 if ((sub_desc_p[j].subj_type ==
04395 ACLS_GROUP)
04396 && sub_desc_p[j].subj_id
04397 &&
04398 !rsbac_list_exist(group_handle,
04399 &sub_desc_p
04400 [j].
04401 subj_id)) {
04402 if (correct) {
04403
04404 rsbac_pr_debug(ds, "g_item %u has invalid group %u in ACL -> removing entry!\n",
04405 g_desc_p[i],
04406 sub_desc_p[j].subj_id);
04407 rsbac_list_lol_subremove
04408 (g_handle,
04409 &g_desc_p[i],
04410 &sub_desc_p
04411 [j]);
04412 } else
04413 rsbac_pr_debug(ds, "g_item %u has invalid group %u in ACL!\n",
04414 g_desc_p[i],
04415 sub_desc_p[j].subj_id);
04416 }
04417 #if defined(CONFIG_RSBAC_RC)
04418 else if ((sub_desc_p[j].
04419 subj_type == ACLS_ROLE)
04420 && (sub_desc_p[j].
04421 subj_id >
04422 RC_role_max_value)
04423 ) {
04424 if (correct) {
04425
04426 rsbac_pr_debug(ds, "g_item %u has invalid role %u in ACL -> removing entry!\n",
04427 g_desc_p[i],
04428 sub_desc_p[j].subj_id);
04429 rsbac_list_lol_subremove
04430 (g_handle,
04431 &g_desc_p[i],
04432 &sub_desc_p
04433 [j]);
04434 } else
04435 rsbac_pr_debug(ds, "g_item %u has invalid role %u in ACL!\n",
04436 g_desc_p[i],
04437 sub_desc_p[j].subj_id);
04438 }
04439 #endif
04440 }
04441 rsbac_vfree(sub_desc_p);
04442 }
04443 }
04444 rsbac_vfree(g_desc_p);
04445 f_sum += desc_count;
04446 }
04447 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li Linux group items\n",
04448 desc_count);
04449 #endif
04450
04451 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
04452
04453 tmp_count = 0;
04454 desc_count =
04455 rsbac_list_lol_get_all_desc(netdev_handle,
04456 (void **) &netdev_desc_p);
04457 if (desc_count > 0) {
04458 for (i = 0; i < desc_count; i++) {
04459
04460 sub_desc_count =
04461 rsbac_list_lol_get_all_subdesc(netdev_handle,
04462 &netdev_desc_p
04463 [i],
04464 (void **)
04465 &sub_desc_p);
04466 if (sub_desc_count > 0) {
04467 for (j = 0; j < sub_desc_count; j++) {
04468 if ((sub_desc_p[j].subj_type ==
04469 ACLS_GROUP)
04470 && sub_desc_p[j].subj_id
04471 &&
04472 !rsbac_list_exist(group_handle,
04473 &sub_desc_p
04474 [j].
04475 subj_id)) {
04476 if (correct) {
04477
04478 rsbac_pr_debug(ds, "netdev_item %s has invalid group %u in ACL -> removing entry!\n",
04479 netdev_desc_p[i],
04480 sub_desc_p[j].subj_id);
04481 rsbac_list_lol_subremove
04482 (netdev_handle,
04483 &netdev_desc_p
04484 [i],
04485 &sub_desc_p
04486 [j]);
04487 } else
04488 rsbac_pr_debug(ds, "netdev_item %s has invalid group %u in ACL!\n",
04489 netdev_desc_p[i],
04490 sub_desc_p[j].subj_id);
04491 }
04492 #if defined(CONFIG_RSBAC_RC)
04493 else if ((sub_desc_p[j].
04494 subj_type == ACLS_ROLE)
04495 && (sub_desc_p[j].
04496 subj_id >
04497 RC_role_max_value)
04498 ) {
04499 if (correct) {
04500
04501 rsbac_pr_debug(ds, "netdev_item %s has invalid role %u in ACL -> removing entry!\n",
04502 netdev_desc_p[i],
04503 sub_desc_p[j].subj_id);
04504 rsbac_list_lol_subremove
04505 (netdev_handle,
04506 &netdev_desc_p
04507 [i],
04508 &sub_desc_p
04509 [j]);
04510 } else
04511 rsbac_pr_debug(ds, "netdev_item %s has invalid role %u in ACL!\n",
04512 netdev_desc_p[i],
04513 sub_desc_p[j].subj_id);
04514 }
04515 #endif
04516 }
04517 rsbac_vfree(sub_desc_p);
04518 }
04519 }
04520 rsbac_vfree(netdev_desc_p);
04521 f_sum += desc_count;
04522 }
04523 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li network device items\n",
04524 desc_count);
04525 #endif
04526
04527 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
04528
04529 tmp_count = 0;
04530 desc_count =
04531 rsbac_list_lol_get_all_desc(nettemp_nt_handle,
04532 (void **) &nettemp_desc_p);
04533 if (desc_count > 0) {
04534 for (i = 0; i < desc_count; i++) {
04535
04536 sub_desc_count =
04537 rsbac_list_lol_get_all_subdesc
04538 (nettemp_nt_handle, &nettemp_desc_p[i],
04539 (void **) &sub_desc_p);
04540 if (sub_desc_count > 0) {
04541 for (j = 0; j < sub_desc_count; j++) {
04542 if ((sub_desc_p[j].subj_type ==
04543 ACLS_GROUP)
04544 && sub_desc_p[j].subj_id
04545 &&
04546 !rsbac_list_exist(group_handle,
04547 &sub_desc_p
04548 [j].
04549 subj_id)) {
04550 if (correct) {
04551
04552 rsbac_pr_debug(ds, "nettemp_nt_item %u has invalid group %u in ACL -> removing entry!\n",
04553 nettemp_desc_p[i],
04554 sub_desc_p[j].subj_id);
04555 rsbac_list_lol_subremove
04556 (nettemp_nt_handle,
04557 &nettemp_desc_p
04558 [i],
04559 &sub_desc_p
04560 [j]);
04561 } else
04562 rsbac_pr_debug(ds, "nettemp_nt_item %u has invalid group %u in ACL!\n",
04563 nettemp_desc_p[i],
04564 sub_desc_p[j].subj_id);
04565 }
04566 #if defined(CONFIG_RSBAC_RC)
04567 else if ((sub_desc_p[j].
04568 subj_type == ACLS_ROLE)
04569 && (sub_desc_p[j].
04570 subj_id >
04571 RC_role_max_value)
04572 ) {
04573 if (correct) {
04574
04575 rsbac_pr_debug(ds, "nettemp_nt_item %u has invalid role %u in ACL -> removing entry!\n",
04576 nettemp_desc_p[i],
04577 sub_desc_p[j].subj_id);
04578 rsbac_list_lol_subremove
04579 (nettemp_nt_handle,
04580 &nettemp_desc_p
04581 [i],
04582 &sub_desc_p
04583 [j]);
04584 } else
04585 rsbac_pr_debug(ds, "nettemp_nt_item %u has invalid role %u in ACL!\n",
04586 nettemp_desc_p[i],
04587 sub_desc_p[j].subj_id);
04588 }
04589 #endif
04590 }
04591 rsbac_vfree(sub_desc_p);
04592 }
04593 }
04594 rsbac_vfree(nettemp_desc_p);
04595 f_sum += desc_count;
04596 }
04597 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li network template NT items\n",
04598 desc_count);
04599
04600
04601 tmp_count = 0;
04602 desc_count =
04603 rsbac_list_lol_get_all_desc(nettemp_handle,
04604 (void **) &nettemp_desc_p);
04605 if (desc_count > 0) {
04606 for (i = 0; i < desc_count; i++) {
04607
04608 sub_desc_count =
04609 rsbac_list_lol_get_all_subdesc(nettemp_handle,
04610 &nettemp_desc_p
04611 [i],
04612 (void **)
04613 &sub_desc_p);
04614 if (sub_desc_count > 0) {
04615 for (j = 0; j < sub_desc_count; j++) {
04616 if ((sub_desc_p[j].subj_type ==
04617 ACLS_GROUP)
04618 && sub_desc_p[j].subj_id
04619 &&
04620 !rsbac_list_exist(group_handle,
04621 &sub_desc_p
04622 [j].
04623 subj_id)) {
04624 if (correct) {
04625
04626 rsbac_pr_debug(ds, "nettemp_item %u has invalid group %u in ACL -> removing entry!\n",
04627 nettemp_desc_p[i],
04628 sub_desc_p[j].subj_id);
04629 rsbac_list_lol_subremove
04630 (nettemp_handle,
04631 &nettemp_desc_p
04632 [i],
04633 &sub_desc_p
04634 [j]);
04635 } else
04636 rsbac_pr_debug(ds, "nettemp_item %u has invalid group %u in ACL!\n",
04637 nettemp_desc_p[i],
04638 sub_desc_p[j].subj_id);
04639 }
04640 #if defined(CONFIG_RSBAC_RC)
04641 else if ((sub_desc_p[j].
04642 subj_type == ACLS_ROLE)
04643 && (sub_desc_p[j].
04644 subj_id >
04645 RC_role_max_value)
04646 ) {
04647 if (correct) {
04648
04649 rsbac_pr_debug(ds, "nettemp_item %u has invalid role %u in ACL -> removing entry!\n",
04650 nettemp_desc_p[i],
04651 sub_desc_p[j].subj_id);
04652 rsbac_list_lol_subremove
04653 (nettemp_handle,
04654 &nettemp_desc_p
04655 [i],
04656 &sub_desc_p
04657 [j]);
04658 } else
04659 rsbac_pr_debug(ds, "nettemp_item %u has invalid role %u in ACL!\n",
04660 nettemp_desc_p[i],
04661 sub_desc_p[j].subj_id);
04662 }
04663 #endif
04664 }
04665 rsbac_vfree(sub_desc_p);
04666 }
04667 }
04668 rsbac_vfree(nettemp_desc_p);
04669 f_sum += desc_count;
04670 }
04671 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li network template items\n",
04672 desc_count);
04673
04674
04675 tmp_count = 0;
04676 desc_count =
04677 rsbac_list_lol_get_all_desc(netobj_handle,
04678 (void **) &netobj_desc_p);
04679 if (desc_count > 0) {
04680 for (i = 0; i < desc_count; i++) {
04681
04682 sub_desc_count =
04683 rsbac_list_lol_get_all_subdesc(netobj_handle,
04684 &netobj_desc_p
04685 [i],
04686 (void **)
04687 &sub_desc_p);
04688 if (sub_desc_count > 0) {
04689 for (j = 0; j < sub_desc_count; j++) {
04690 if ((sub_desc_p[j].subj_type ==
04691 ACLS_GROUP)
04692 && sub_desc_p[j].subj_id
04693 &&
04694 !rsbac_list_exist(group_handle,
04695 &sub_desc_p
04696 [j].
04697 subj_id)) {
04698 if (correct) {
04699
04700 rsbac_pr_debug(ds, "netobj_item %p has invalid group %u in ACL -> removing entry!\n",
04701 netobj_desc_p[i],
04702 sub_desc_p[j].subj_id);
04703 rsbac_list_lol_subremove
04704 (netobj_handle,
04705 &netobj_desc_p
04706 [i],
04707 &sub_desc_p
04708 [j]);
04709 } else
04710 rsbac_pr_debug(ds, "netobj_item %p has invalid group %u in ACL!\n",
04711 netobj_desc_p[i],
04712 sub_desc_p[j].subj_id);
04713 }
04714 #if defined(CONFIG_RSBAC_RC)
04715 else if ((sub_desc_p[j].
04716 subj_type == ACLS_ROLE)
04717 && (sub_desc_p[j].
04718 subj_id >
04719 RC_role_max_value)
04720 ) {
04721 if (correct) {
04722
04723 rsbac_pr_debug(ds, "netobj_item %p has invalid role %u in ACL -> removing entry!\n",
04724 netobj_desc_p[i],
04725 sub_desc_p[j].subj_id);
04726 rsbac_list_lol_subremove
04727 (netobj_handle,
04728 &netobj_desc_p
04729 [i],
04730 &sub_desc_p
04731 [j]);
04732 } else
04733 rsbac_pr_debug(ds, "netobj_item %p has invalid role %u in ACL!\n",
04734 netobj_desc_p[i],
04735 sub_desc_p[j].subj_id);
04736 }
04737 #endif
04738 }
04739 rsbac_vfree(sub_desc_p);
04740 }
04741 }
04742 rsbac_vfree(netobj_desc_p);
04743 f_sum += desc_count;
04744 }
04745 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li network object items\n",
04746 desc_count);
04747 #endif
04748
04749 rsbac_printk(KERN_INFO "rsbac_check_acl(): Total of %lu registered ACLs\n",
04750 f_sum);
04751
04752 return 0;
04753 }
04754
04755
04756
04757
04758
04759
04760
04761
04762
04763
04764
04765
04766
04767 int rsbac_acl_set_acl_entry(rsbac_list_ta_number_t ta_number,
04768 enum rsbac_target_t target,
04769 union rsbac_target_id_t tid,
04770 enum rsbac_acl_subject_type_t subj_type,
04771 rsbac_acl_subject_id_t subj_id,
04772 rsbac_acl_rights_vector_t rights,
04773 rsbac_time_t ttl)
04774 {
04775 int err = 0;
04776 struct rsbac_acl_device_list_item_t *device_p;
04777 struct rsbac_acl_entry_desc_t desc;
04778 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
04779 u_long dflags;
04780 #endif
04781
04782 if (!rsbac_is_initialized()) {
04783 rsbac_printk(KERN_WARNING "rsbac_acl_set_acl_entry(): RSBAC not initialized\n");
04784 return (-RSBAC_ENOTINITIALIZED);
04785 }
04786 if (subj_type >= ACLS_NONE)
04787 return (-RSBAC_EINVALIDVALUE);
04788 #ifdef CONFIG_RSBAC_DEBUG
04789 if (in_interrupt()) {
04790 rsbac_printk(KERN_WARNING "rsbac_acl_set_acl_entry(): called from interrupt!\n");
04791 }
04792 #endif
04793 desc.subj_type = subj_type;
04794 desc.subj_id = subj_id;
04795
04796 switch (target) {
04797 case T_FILE:
04798 case T_DIR:
04799 case T_FIFO:
04800 case T_SYMLINK:
04801 case T_UNIXSOCK:
04802 rsbac_pr_debug(ds_acl, "Setting file/dir/fifo/symlink ACL for device %02u:%02u, inode %u\n",
04803 RSBAC_MAJOR(tid.file.device),
04804 RSBAC_MINOR(tid.file.device), tid.file.inode);
04805
04806 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode
04807 && !tid.file.dentry_p)
04808 return rsbac_ta_list_add_ttl(ta_number,
04809 default_fd_handle,
04810 ttl, &desc, &rights);
04811 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
04812 rcu_read_lock();
04813 #else
04814 rsbac_read_lock(&device_list_lock, &dflags);
04815 #endif
04816
04817 device_p = acl_lookup_device(tid.file.device);
04818 if (!device_p) {
04819
04820 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
04821 rcu_read_unlock();
04822 #else
04823 rsbac_read_unlock(&device_list_lock, &dflags);
04824 #endif
04825 rsbac_get_super_block(tid.file.device);
04826
04827 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
04828 rcu_read_lock();
04829 #else
04830 rsbac_read_lock(&device_list_lock, &dflags);
04831 #endif
04832 device_p = acl_lookup_device(tid.file.device);
04833 if (!device_p) {
04834 rsbac_printk(KERN_WARNING "rsbac_acl_set_acl_entry(): Could not lookup device!\n");
04835
04836 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
04837 rcu_read_unlock();
04838 #else
04839 rsbac_read_unlock(&device_list_lock, &dflags);
04840 #endif
04841 return (-RSBAC_EINVALIDDEV);
04842 }
04843 }
04844 if (!rsbac_ta_list_lol_exist
04845 (ta_number, device_p->handle,
04846 &tid.file.inode)) {
04847 rsbac_acl_rights_vector_t mask =
04848 RSBAC_ACL_DEFAULT_FD_MASK;
04849
04850 err = rsbac_ta_list_lol_add_ttl(ta_number,
04851 device_p->handle,
04852 0, &tid.file.inode,
04853 &mask);
04854 if (err) {
04855 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
04856 rcu_read_unlock();
04857 #else
04858 rsbac_read_unlock(&device_list_lock, &dflags);
04859 #endif
04860 return err;
04861 }
04862 }
04863 err =
04864 rsbac_ta_list_lol_subadd_ttl(ta_number,
04865 device_p->handle, ttl,
04866 &tid.file.inode, &desc,
04867 &rights);
04868 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
04869 rcu_read_unlock();
04870 #else
04871 rsbac_read_unlock(&device_list_lock, &dflags);
04872 #endif
04873
04874 return err;
04875
04876 case T_DEV:
04877 rsbac_pr_debug(ds_acl, "Setting device ACL for dev %c %02u:%02u\n",
04878 'B' + tid.dev.type, tid.dev.major,
04879 tid.dev.minor);
04880
04881 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev))
04882 return rsbac_ta_list_add_ttl(ta_number,
04883 default_dev_handle,
04884 ttl, &desc, &rights);
04885
04886 {
04887 switch (tid.dev.type) {
04888 case D_char:
04889 case D_block:
04890 if (!rsbac_ta_list_lol_exist
04891 (ta_number, dev_handle, &tid.dev)) {
04892 rsbac_acl_rights_vector_t mask =
04893 RSBAC_ACL_DEFAULT_DEV_MASK;
04894
04895 err =
04896 rsbac_ta_list_lol_add_ttl
04897 (ta_number, dev_handle, 0,
04898 &tid.dev, &mask);
04899 if (err)
04900 return err;
04901 }
04902 return
04903 rsbac_ta_list_lol_subadd_ttl(ta_number,
04904 dev_handle,
04905 ttl,
04906 &tid.dev,
04907 &desc,
04908 &rights);
04909
04910 case D_char_major:
04911 case D_block_major:
04912 tid.dev.type -= (D_block_major - D_block);
04913 if (!rsbac_ta_list_lol_exist
04914 (ta_number, dev_major_handle,
04915 &tid.dev)) {
04916 rsbac_acl_rights_vector_t mask =
04917 RSBAC_ACL_DEFAULT_DEV_MASK;
04918
04919 err =
04920 rsbac_ta_list_lol_add_ttl
04921 (ta_number, dev_major_handle,
04922 0, &tid.dev, &mask);
04923 if (err)
04924 return err;
04925 }
04926 return
04927 rsbac_ta_list_lol_subadd_ttl(ta_number,
04928 dev_major_handle,
04929 ttl,
04930 &tid.dev,
04931 &desc,
04932 &rights);
04933
04934 default:
04935 return -RSBAC_EINVALIDTARGET;
04936 }
04937 }
04938
04939 case T_IPC:
04940
04941 if (tid.ipc.type == I_none)
04942 return rsbac_ta_list_add_ttl(ta_number,
04943 default_ipc_handle,
04944 ttl, &desc, &rights);
04945 else
04946 return -RSBAC_EINVALIDTARGET;
04947
04948 case T_SCD:
04949
04950 if (tid.scd == AST_none)
04951 return rsbac_ta_list_add_ttl(ta_number,
04952 default_scd_handle,
04953 ttl, &desc, &rights);
04954
04955 if (!rsbac_ta_list_lol_exist
04956 (ta_number, scd_handle, &tid.scd)) {
04957 rsbac_acl_rights_vector_t mask =
04958 RSBAC_ACL_DEFAULT_SCD_MASK;
04959
04960 err = rsbac_ta_list_lol_add_ttl(ta_number,
04961 scd_handle,
04962 0,
04963 &tid.scd, &mask);
04964 if (err)
04965 return err;
04966 }
04967 return rsbac_ta_list_lol_subadd_ttl(ta_number, scd_handle,
04968 ttl, &tid.scd, &desc,
04969 &rights);
04970
04971 case T_USER:
04972
04973 if (tid.user == RSBAC_NO_USER)
04974 return rsbac_ta_list_add_ttl(ta_number,
04975 default_u_handle, ttl,
04976 &desc, &rights);
04977 if (!rsbac_ta_list_lol_exist
04978 (ta_number, u_handle, &tid.user)) {
04979 rsbac_acl_rights_vector_t mask =
04980 RSBAC_ACL_DEFAULT_U_MASK;
04981
04982 err = rsbac_ta_list_lol_add_ttl(ta_number,
04983 u_handle,
04984 0,
04985 &tid.user, &mask);
04986 if (err)
04987 return err;
04988 }
04989 return rsbac_ta_list_lol_subadd_ttl(ta_number, u_handle,
04990 ttl, &tid.user, &desc,
04991 &rights);
04992
04993
04994 case T_PROCESS:
04995
04996 if (!tid.process)
04997 return rsbac_ta_list_add_ttl(ta_number,
04998 default_p_handle, ttl,
04999 &desc, &rights);
05000 else
05001 return -RSBAC_EINVALIDTARGET;
05002
05003 #ifdef CONFIG_RSBAC_ACL_UM_PROT
05004 case T_GROUP:
05005
05006 if (tid.group == RSBAC_NO_GROUP)
05007 return rsbac_ta_list_add_ttl(ta_number,
05008 default_g_handle, ttl,
05009 &desc, &rights);
05010 if (!rsbac_ta_list_lol_exist
05011 (ta_number, g_handle, &tid.group)) {
05012 rsbac_acl_rights_vector_t mask =
05013 RSBAC_ACL_DEFAULT_G_MASK;
05014
05015 err = rsbac_ta_list_lol_add_ttl(ta_number,
05016 g_handle,
05017 0,
05018 &tid.group, &mask);
05019 if (err)
05020 return err;
05021 }
05022 return rsbac_ta_list_lol_subadd_ttl(ta_number, g_handle,
05023 ttl, &tid.group, &desc,
05024 &rights);
05025 #endif
05026
05027 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
05028 case T_NETDEV:
05029 rsbac_pr_debug(ds_acl, "Setting network device ACL for netdev %s\n",
05030 tid.netdev);
05031
05032 if (!tid.netdev[0])
05033 return rsbac_ta_list_add_ttl(ta_number,
05034 default_netdev_handle,
05035 ttl, &desc, &rights);
05036
05037 if (!rsbac_ta_list_lol_exist
05038 (ta_number, netdev_handle, &tid.netdev)) {
05039 rsbac_acl_rights_vector_t mask =
05040 RSBAC_ACL_DEFAULT_NETDEV_MASK;
05041
05042 err = rsbac_ta_list_lol_add_ttl(ta_number,
05043 netdev_handle,
05044 0,
05045 &tid.netdev,
05046 &mask);
05047 if (err)
05048 return err;
05049 }
05050 return rsbac_ta_list_lol_subadd_ttl(ta_number,
05051 netdev_handle, ttl,
05052 &tid.netdev, &desc,
05053 &rights);
05054 #endif
05055
05056 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
05057 case T_NETTEMP_NT:
05058 rsbac_pr_debug(ds_acl, "Setting network template NT ACL for "
05059 "nettemp_nt %u\n", tid.nettemp);
05060
05061 if (!tid.nettemp)
05062 return rsbac_ta_list_add_ttl(ta_number,
05063 default_nettemp_nt_handle,
05064 ttl, &desc, &rights);
05065
05066 if (!rsbac_ta_list_lol_exist
05067 (ta_number, nettemp_nt_handle, &tid.nettemp)) {
05068 rsbac_acl_rights_vector_t mask =
05069 RSBAC_ACL_DEFAULT_NETTEMP_MASK;
05070
05071 err = rsbac_ta_list_lol_add_ttl(ta_number,
05072 nettemp_nt_handle,
05073 0,
05074 &tid.nettemp,
05075 &mask);
05076 if (err)
05077 return err;
05078 }
05079 return rsbac_ta_list_lol_subadd_ttl(ta_number,
05080 nettemp_nt_handle, ttl,
05081 &tid.nettemp, &desc,
05082 &rights);
05083
05084 case T_NETTEMP:
05085 rsbac_pr_debug(ds_acl, "Setting network template ACL for nettemp %u\n",
05086 tid.nettemp);
05087
05088 if (!tid.nettemp)
05089 return -RSBAC_EINVALIDTARGET;
05090 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
05091 return -RSBAC_EINVALIDTARGET;
05092
05093 if (!rsbac_ta_list_lol_exist
05094 (ta_number, nettemp_handle, &tid.nettemp)) {
05095 rsbac_acl_rights_vector_t mask =
05096 RSBAC_ACL_DEFAULT_NETOBJ_MASK;
05097
05098 err = rsbac_ta_list_lol_add_ttl(ta_number,
05099 nettemp_handle,
05100 0,
05101 &tid.nettemp,
05102 &mask);
05103 if (err)
05104 return err;
05105 }
05106 return rsbac_ta_list_lol_subadd_ttl(ta_number,
05107 nettemp_handle, ttl,
05108 &tid.nettemp, &desc,
05109 &rights);
05110
05111 case T_NETOBJ:
05112 rsbac_pr_debug(ds_acl, "Setting network object ACL for netobj %p\n",
05113 tid.netobj.sock_p);
05114
05115 if (!tid.netobj.sock_p)
05116 return rsbac_ta_list_add_ttl(ta_number,
05117 default_netobj_handle,
05118 ttl, &desc, &rights);
05119
05120 if (!rsbac_ta_list_lol_exist
05121 (ta_number, netobj_handle, &tid.netobj.sock_p)) {
05122 rsbac_acl_rights_vector_t mask =
05123 RSBAC_ACL_DEFAULT_NETOBJ_MASK;
05124
05125 err = rsbac_ta_list_lol_add_ttl(ta_number,
05126 netobj_handle,
05127 0,
05128 &tid.netobj.sock_p,
05129 &mask);
05130 if (err)
05131 return err;
05132 }
05133 return rsbac_ta_list_lol_subadd_ttl(ta_number,
05134 netobj_handle, ttl,
05135 &tid.netobj.sock_p,
05136 &desc, &rights);
05137 #endif
05138
05139
05140 default:
05141 err = -RSBAC_EINVALIDTARGET;
05142 }
05143 return (err);
05144 }
05145
05146
05147
05148
05149
05150
05151 int rsbac_acl_remove_acl_entry(rsbac_list_ta_number_t ta_number,
05152 enum rsbac_target_t target,
05153 union rsbac_target_id_t tid,
05154 enum rsbac_acl_subject_type_t subj_type,
05155 rsbac_acl_subject_id_t subj_id)
05156 {
05157 int err = 0;
05158 struct rsbac_acl_device_list_item_t *device_p;
05159 struct rsbac_acl_entry_desc_t desc;
05160 char tmp[RSBAC_MAXNAMELEN];
05161 rsbac_acl_rights_vector_t mask;
05162 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
05163 u_long dflags;
05164 #endif
05165
05166 if (!rsbac_is_initialized()) {
05167 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl_entry(): RSBAC not initialized\n");
05168 return (-RSBAC_ENOTINITIALIZED);
05169 }
05170 if (subj_type >= ACLS_NONE)
05171 return (-RSBAC_EINVALIDVALUE);
05172 #ifdef CONFIG_RSBAC_DEBUG
05173 if (in_interrupt()) {
05174 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl_entry(): called from interrupt!\n");
05175 }
05176 #endif
05177 desc.subj_type = subj_type;
05178 desc.subj_id = subj_id;
05179
05180 switch (target) {
05181 case T_FILE:
05182 case T_DIR:
05183 case T_FIFO:
05184 case T_SYMLINK:
05185 case T_UNIXSOCK:
05186 rsbac_pr_debug(ds_acl, "Removing file/dir/fifo/symlink ACL entry %s %u for device %02u:%02u, inode %u\n",
05187 get_acl_subject_type_name(tmp, desc.subj_type),
05188 desc.subj_id,
05189 RSBAC_MAJOR(tid.file.device),
05190 RSBAC_MINOR(tid.file.device), tid.file.inode);
05191
05192 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode
05193 && !tid.file.dentry_p)
05194 return rsbac_ta_list_remove(ta_number,
05195 default_fd_handle,
05196 &desc);
05197
05198 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05199 rcu_read_lock();
05200 #else
05201 rsbac_read_lock(&device_list_lock, &dflags);
05202 #endif
05203
05204 device_p = acl_lookup_device(tid.file.device);
05205 if (!device_p) {
05206
05207 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05208 rcu_read_unlock();
05209 #else
05210 rsbac_read_unlock(&device_list_lock, &dflags);
05211 #endif
05212 rsbac_get_super_block(tid.file.device);
05213
05214 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05215 rcu_read_lock();
05216 #else
05217 rsbac_read_lock(&device_list_lock, &dflags);
05218 #endif
05219 device_p = acl_lookup_device(tid.file.device);
05220 if (!device_p) {
05221 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl_entry(): Could not lookup device!\n");
05222 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05223 rcu_read_unlock();
05224 #else
05225 rsbac_read_unlock(&device_list_lock, &dflags);
05226 #endif
05227 return (-RSBAC_EINVALIDDEV);
05228 }
05229 }
05230 err = rsbac_ta_list_lol_subremove(ta_number,
05231 device_p->handle,
05232 &tid.file.inode, &desc);
05233
05234 if (!err
05235 && !rsbac_ta_list_lol_subcount(ta_number,
05236 device_p->handle,
05237 &tid.file.inode)
05238 && !rsbac_ta_list_lol_get_data_ttl(ta_number,
05239 device_p->handle,
05240 NULL,
05241 &tid.file.inode,
05242 &mask)
05243 && (mask == RSBAC_ACL_DEFAULT_FD_MASK)
05244 ) {
05245 err = rsbac_ta_list_lol_remove(ta_number,
05246 device_p->handle,
05247 &tid.file.inode);
05248 }
05249 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05250 rcu_read_unlock();
05251 #else
05252 rsbac_read_unlock(&device_list_lock, &dflags);
05253 #endif
05254 return err;
05255
05256 case T_DEV:
05257 rsbac_pr_debug(ds_acl, "Removing device ACL entry for dev %c %02u:%02u\n",
05258 'B' + tid.dev.type, tid.dev.major,
05259 tid.dev.minor);
05260
05261 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev))
05262 return rsbac_ta_list_remove(ta_number,
05263 default_dev_handle,
05264 &desc);
05265
05266 {
05267 switch (tid.dev.type) {
05268 case D_char:
05269 case D_block:
05270 err =
05271 rsbac_ta_list_lol_subremove(ta_number,
05272 dev_handle,
05273 &tid.dev,
05274 &desc);
05275
05276 if (!err
05277 &&
05278 !rsbac_ta_list_lol_subcount(ta_number,
05279 dev_handle,
05280 &tid.dev)
05281 &&
05282 !rsbac_ta_list_lol_get_data_ttl
05283 (ta_number, dev_handle, NULL, &tid.dev,
05284 &mask)
05285 && (mask == RSBAC_ACL_DEFAULT_DEV_MASK)
05286 ) {
05287 err =
05288 rsbac_ta_list_lol_remove
05289 (ta_number, dev_handle,
05290 &tid.dev);
05291 }
05292 return err;
05293
05294 case D_char_major:
05295 case D_block_major:
05296 tid.dev.type -= (D_block_major - D_block);
05297 err =
05298 rsbac_ta_list_lol_subremove(ta_number,
05299 dev_major_handle,
05300 &tid.dev,
05301 &desc);
05302
05303 if (!err
05304 &&
05305 !rsbac_ta_list_lol_subcount(ta_number,
05306 dev_major_handle,
05307 &tid.dev)
05308 &&
05309 !rsbac_ta_list_lol_get_data_ttl
05310 (ta_number, dev_major_handle, NULL,
05311 &tid.dev, &mask)
05312 && (mask == RSBAC_ACL_DEFAULT_DEV_MASK)
05313 ) {
05314 err =
05315 rsbac_ta_list_lol_remove
05316 (ta_number, dev_major_handle,
05317 &tid.dev);
05318 }
05319 return err;
05320
05321 default:
05322 return -RSBAC_EINVALIDTARGET;
05323 }
05324 }
05325
05326 case T_IPC:
05327 rsbac_pr_debug(ds_acl, "Removing IPC ACL for type %u\n", tid.ipc.type);
05328
05329 if (tid.ipc.type == I_none)
05330 return rsbac_ta_list_remove(ta_number,
05331 default_ipc_handle,
05332 &desc);
05333 else
05334 return -RSBAC_EINVALIDTARGET;
05335
05336 case T_SCD:
05337 rsbac_pr_debug(ds_acl, "Removing SCD ACL entry for %s\n",
05338 get_acl_scd_type_name(tmp, tid.scd));
05339
05340 if (tid.scd == AST_none)
05341 return rsbac_ta_list_remove(ta_number,
05342 default_scd_handle,
05343 &desc);
05344 err =
05345 rsbac_ta_list_lol_subremove(ta_number, scd_handle,
05346 &tid.scd, &desc);
05347
05348 if (!err
05349 && !rsbac_ta_list_lol_subcount(ta_number, scd_handle,
05350 &tid.scd)
05351 && !rsbac_ta_list_lol_get_data_ttl(ta_number,
05352 scd_handle, NULL,
05353 &tid.scd, &mask)
05354 && (mask == RSBAC_ACL_DEFAULT_SCD_MASK)
05355 ) {
05356 err =
05357 rsbac_ta_list_lol_remove(ta_number, scd_handle,
05358 &tid.scd);
05359 }
05360 return err;
05361
05362 case T_USER:
05363 rsbac_pr_debug(ds_acl, "Removing user ACL for user %u\n",
05364 tid.user);
05365
05366 if (tid.user == RSBAC_NO_USER)
05367 return rsbac_ta_list_remove(ta_number,
05368 default_u_handle,
05369 &desc);
05370 err =
05371 rsbac_ta_list_lol_subremove(ta_number, u_handle,
05372 &tid.user, &desc);
05373
05374 if (!err
05375 && !rsbac_ta_list_lol_subcount(ta_number, u_handle,
05376 &tid.user)
05377 && !rsbac_ta_list_lol_get_data_ttl(ta_number, u_handle,
05378 NULL, &tid.user,
05379 &mask)
05380 && (mask == RSBAC_ACL_DEFAULT_U_MASK)
05381 ) {
05382 err =
05383 rsbac_ta_list_lol_remove(ta_number, u_handle,
05384 &tid.user);
05385 }
05386 return err;
05387
05388 case T_PROCESS:
05389 rsbac_pr_debug(ds_acl, "Removing process ACL for pid %u\n",
05390 tid.process);
05391
05392 if (!tid.process)
05393 return rsbac_ta_list_remove(ta_number,
05394 default_p_handle,
05395 &desc);
05396 else
05397 return -RSBAC_EINVALIDTARGET;
05398
05399 #ifdef CONFIG_RSBAC_ACL_UM_PROT
05400 case T_GROUP:
05401 rsbac_pr_debug(ds_acl, "Removing Linux group ACL for group %u\n",
05402 tid.group);
05403
05404 if (tid.group == RSBAC_NO_GROUP)
05405 return rsbac_ta_list_remove(ta_number,
05406 default_g_handle,
05407 &desc);
05408 err =
05409 rsbac_ta_list_lol_subremove(ta_number, g_handle,
05410 &tid.group, &desc);
05411
05412 if (!err
05413 && !rsbac_ta_list_lol_subcount(ta_number, g_handle,
05414 &tid.group)
05415 && !rsbac_ta_list_lol_get_data_ttl(ta_number, g_handle,
05416 NULL, &tid.group,
05417 &mask)
05418 && (mask == RSBAC_ACL_DEFAULT_G_MASK)
05419 ) {
05420 err =
05421 rsbac_ta_list_lol_remove(ta_number, g_handle,
05422 &tid.group);
05423 }
05424 return err;
05425 #endif
05426
05427 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
05428 case T_NETDEV:
05429 rsbac_pr_debug(ds_acl, "Removing network device ACL entry for netdev %s\n",
05430 tid.netdev);
05431
05432 if (!tid.netdev[0])
05433 return rsbac_ta_list_remove(ta_number,
05434 default_netdev_handle,
05435 &desc);
05436
05437 err =
05438 rsbac_ta_list_lol_subremove(ta_number, netdev_handle,
05439 &tid.netdev, &desc);
05440
05441 if (!err
05442 && !rsbac_ta_list_lol_subcount(ta_number,
05443 netdev_handle,
05444 &tid.netdev)
05445 && !rsbac_ta_list_lol_get_data_ttl(ta_number,
05446 netdev_handle, NULL,
05447 &tid.netdev, &mask)
05448 && (mask == RSBAC_ACL_DEFAULT_NETDEV_MASK)
05449 ) {
05450 err =
05451 rsbac_ta_list_lol_remove(ta_number,
05452 netdev_handle,
05453 &tid.netdev);
05454 }
05455 return err;
05456 #endif
05457
05458 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
05459 case T_NETTEMP_NT:
05460 rsbac_pr_debug(ds_acl, "Removing network template NT ACL entry for "
05461 "nettemp_nt %u\n", tid.nettemp);
05462
05463 if (!tid.nettemp)
05464 return rsbac_ta_list_remove(ta_number,
05465 default_nettemp_nt_handle,
05466 &desc);
05467 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
05468 return -RSBAC_EINVALIDTARGET;
05469
05470 err =
05471 rsbac_ta_list_lol_subremove(ta_number,
05472 nettemp_nt_handle,
05473 &tid.nettemp, &desc);
05474
05475 if (!err
05476 && !rsbac_ta_list_lol_subcount(ta_number,
05477 nettemp_nt_handle,
05478 &tid.nettemp)
05479 && !rsbac_ta_list_lol_get_data_ttl(ta_number,
05480 nettemp_nt_handle,
05481 NULL, &tid.nettemp,
05482 &mask)
05483 && (mask == RSBAC_ACL_DEFAULT_NETTEMP_MASK)
05484 ) {
05485 err =
05486 rsbac_ta_list_lol_remove(ta_number,
05487 nettemp_nt_handle,
05488 &tid.nettemp);
05489 }
05490 return err;
05491
05492 case T_NETTEMP:
05493 rsbac_pr_debug(ds_acl, "Removing network template ACL entry for nettemp_nt %u\n",
05494 tid.nettemp);
05495
05496 if (!tid.nettemp)
05497 return -RSBAC_EINVALIDTARGET;
05498 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
05499 return -RSBAC_EINVALIDTARGET;
05500
05501 err =
05502 rsbac_ta_list_lol_subremove(ta_number, nettemp_handle,
05503 &tid.nettemp, &desc);
05504
05505 if (!err
05506 && !rsbac_ta_list_lol_subcount(ta_number,
05507 nettemp_handle,
05508 &tid.nettemp)
05509 && !rsbac_ta_list_lol_get_data_ttl(ta_number,
05510 nettemp_handle,
05511 NULL, &tid.nettemp,
05512 &mask)
05513 && (mask == RSBAC_ACL_DEFAULT_NETOBJ_MASK)
05514 ) {
05515 err =
05516 rsbac_ta_list_lol_remove(ta_number,
05517 nettemp_handle,
05518 &tid.nettemp);
05519 }
05520 return err;
05521
05522 case T_NETOBJ:
05523 rsbac_pr_debug(ds_acl, "Removing network object ACL entry for netobj %p\n",
05524 tid.netobj.sock_p);
05525
05526 if (!tid.netobj.sock_p)
05527 return rsbac_ta_list_remove(ta_number,
05528 default_netobj_handle,
05529 &desc);
05530
05531 err =
05532 rsbac_ta_list_lol_subremove(ta_number, netobj_handle,
05533 &tid.netobj.sock_p, &desc);
05534
05535 if (!err
05536 && !rsbac_ta_list_lol_subcount(ta_number,
05537 netobj_handle,
05538 &tid.netobj.sock_p)
05539 && !rsbac_ta_list_lol_get_data_ttl(ta_number,
05540 netobj_handle, NULL,
05541 &tid.netobj, &mask)
05542 && (mask == RSBAC_ACL_DEFAULT_NETOBJ_MASK)
05543 ) {
05544 err =
05545 rsbac_ta_list_lol_remove(ta_number,
05546 netobj_handle,
05547 &tid.netobj.sock_p);
05548 }
05549 return err;
05550 #endif
05551
05552 default:
05553 return -RSBAC_EINVALIDTARGET;
05554 }
05555 }
05556
05557
05558
05559
05560
05561 int rsbac_acl_remove_acl(rsbac_list_ta_number_t ta_number,
05562 enum rsbac_target_t target,
05563 union rsbac_target_id_t tid)
05564 {
05565 int err = 0;
05566 char tmp[RSBAC_MAXNAMELEN];
05567 struct rsbac_acl_device_list_item_t *device_p;
05568 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
05569 u_long dflags;
05570 #endif
05571
05572 if (!rsbac_is_initialized()) {
05573 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl(): RSBAC not initialized\n");
05574 return (-RSBAC_ENOTINITIALIZED);
05575 }
05576 #ifdef CONFIG_RSBAC_DEBUG
05577 if (in_interrupt()) {
05578 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl(): called from interrupt!\n");
05579 }
05580 #endif
05581 switch (target) {
05582 case T_FILE:
05583 case T_DIR:
05584 case T_FIFO:
05585 case T_SYMLINK:
05586 case T_UNIXSOCK:
05587 rsbac_pr_debug(ds_acl, "Removing file/dir/fifo/symlink ACL for device %02u:%02u, inode %u\n",
05588 RSBAC_MAJOR(tid.file.device),
05589 RSBAC_MINOR(tid.file.device), tid.file.inode);
05590
05591 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode
05592 && !tid.file.dentry_p)
05593 return -RSBAC_EINVALIDTARGET;
05594
05595 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05596 rcu_read_lock();
05597 #else
05598 rsbac_read_lock(&device_list_lock, &dflags);
05599 #endif
05600
05601 device_p = acl_lookup_device(tid.file.device);
05602 if (!device_p) {
05603
05604 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05605 rcu_read_unlock();
05606 #else
05607 rsbac_read_unlock(&device_list_lock, &dflags);
05608 #endif
05609 rsbac_get_super_block(tid.file.device);
05610
05611 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05612 rcu_read_lock();
05613 #else
05614 rsbac_read_lock(&device_list_lock, &dflags);
05615 #endif
05616 device_p = acl_lookup_device(tid.file.device);
05617 if (!device_p) {
05618 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl(): Could not lookup device!\n");
05619 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05620 rcu_read_unlock();
05621 #else
05622 rsbac_read_unlock(&device_list_lock, &dflags);
05623 #endif
05624 return -RSBAC_EINVALIDDEV;
05625 }
05626 }
05627 err = rsbac_ta_list_lol_remove(ta_number,
05628 device_p->handle,
05629 &tid.file.inode);
05630 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05631 rcu_read_unlock();
05632 #else
05633 rsbac_read_unlock(&device_list_lock, &dflags);
05634 #endif
05635 return err;
05636
05637 case T_DEV:
05638 rsbac_pr_debug(ds_acl, "Removing device ACL for dev %c %02u:%02u\n",
05639 'B' + tid.dev.type, tid.dev.major,
05640 tid.dev.minor);
05641
05642 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev))
05643 return -RSBAC_EINVALIDTARGET;
05644 switch (tid.dev.type) {
05645 case D_char:
05646 case D_block:
05647 return rsbac_ta_list_lol_remove(ta_number,
05648 dev_handle,
05649 &tid.dev);
05650
05651 case D_char_major:
05652 case D_block_major:
05653 tid.dev.type -= (D_block_major - D_block);
05654 return rsbac_ta_list_lol_remove(ta_number,
05655 dev_major_handle,
05656 &tid.dev);
05657
05658 default:
05659 return -RSBAC_EINVALIDTARGET;
05660 }
05661
05662 case T_SCD:
05663 rsbac_pr_debug(ds_acl, "Removing SCD ACL for %s\n",
05664 get_acl_scd_type_name(tmp, tid.scd));
05665
05666 if (tid.scd == AST_none)
05667 return -RSBAC_EINVALIDTARGET;
05668 else
05669 return rsbac_ta_list_lol_remove(ta_number,
05670 scd_handle,
05671 &tid.scd);
05672
05673 case T_USER:
05674 rsbac_pr_debug(ds_acl, "Removing user ACL for user %u\n",
05675 tid.user);
05676
05677 if (tid.user == RSBAC_NO_USER)
05678 return -RSBAC_EINVALIDTARGET;
05679 else
05680 return rsbac_ta_list_lol_remove(ta_number,
05681 u_handle,
05682 &tid.user);
05683
05684 #ifdef CONFIG_RSBAC_ACL_UM_PROT
05685 case T_GROUP:
05686 rsbac_pr_debug(ds_acl, "Removing Linux group ACL for group %u\n",
05687 tid.group);
05688
05689 if (tid.group == RSBAC_NO_GROUP)
05690 return -RSBAC_EINVALIDTARGET;
05691 else
05692 return rsbac_ta_list_lol_remove(ta_number,
05693 g_handle,
05694 &tid.group);
05695 #endif
05696
05697 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
05698 case T_NETDEV:
05699 rsbac_pr_debug(ds_acl, "Removing network device ACL for netdev %s\n",
05700 tid.netdev);
05701
05702 if (!tid.netdev[0])
05703 return -RSBAC_EINVALIDTARGET;
05704 else
05705 return rsbac_ta_list_lol_remove(ta_number,
05706 netdev_handle,
05707 &tid.netdev);
05708 #endif
05709
05710 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
05711 case T_NETTEMP_NT:
05712 rsbac_pr_debug(ds_acl, "Removing network template NT ACL for nettemp_nt %u\n",
05713 tid.nettemp);
05714
05715 if (!tid.nettemp)
05716 return -RSBAC_EINVALIDTARGET;
05717 else
05718 return rsbac_ta_list_lol_remove(ta_number,
05719 nettemp_nt_handle,
05720 &tid.nettemp);
05721 case T_NETTEMP:
05722 rsbac_pr_debug(ds_acl, "Removing network template ACL for nettemp %u\n",
05723 tid.nettemp);
05724
05725 if (!tid.nettemp)
05726 return -RSBAC_EINVALIDTARGET;
05727 else
05728 return rsbac_ta_list_lol_remove(ta_number,
05729 nettemp_handle,
05730 &tid.nettemp);
05731 case T_NETOBJ:
05732 rsbac_pr_debug(ds_acl, "Removing network object ACL for netobj %p\n",
05733 tid.netobj.sock_p);
05734
05735 if (!tid.netobj.sock_p)
05736 return -RSBAC_EINVALIDTARGET;
05737 else
05738 return rsbac_ta_list_lol_remove(ta_number,
05739 netobj_handle,
05740 &tid.netobj.
05741 sock_p);
05742 #endif
05743
05744 default:
05745 err = -RSBAC_EINVALIDTARGET;
05746 }
05747 return (err);
05748 }
05749
05750
05751
05752
05753
05754
05755 int rsbac_acl_add_to_acl_entry(rsbac_list_ta_number_t ta_number,
05756 enum rsbac_target_t target,
05757 union rsbac_target_id_t tid,
05758 enum rsbac_acl_subject_type_t subj_type,
05759 rsbac_acl_subject_id_t subj_id,
05760 rsbac_acl_rights_vector_t rights,
05761 rsbac_time_t ttl)
05762 {
05763 int err = 0;
05764 struct rsbac_acl_device_list_item_t *device_p;
05765 rsbac_acl_rights_vector_t old_rights;
05766 struct rsbac_acl_entry_desc_t desc;
05767 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
05768 u_long dflags;
05769 #endif
05770
05771 if (!rsbac_is_initialized()) {
05772 rsbac_printk(KERN_WARNING "rsbac_acl_add_to_acl_entry(): RSBAC not initialized\n");
05773 return (-RSBAC_ENOTINITIALIZED);
05774 }
05775 if (subj_type >= ACLS_NONE)
05776 return (-RSBAC_EINVALIDVALUE);
05777 #ifdef CONFIG_RSBAC_DEBUG
05778 if (in_interrupt()) {
05779 rsbac_printk(KERN_WARNING "rsbac_acl_add_to_acl_entry(): called from interrupt!\n");
05780 }
05781 #endif
05782 desc.subj_type = subj_type;
05783 desc.subj_id = subj_id;
05784
05785 switch (target) {
05786 case T_FILE:
05787 case T_DIR:
05788 case T_FIFO:
05789 case T_SYMLINK:
05790 case T_UNIXSOCK:
05791
05792 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode
05793 && !tid.file.dentry_p) {
05794 if (!rsbac_ta_list_get_data_ttl
05795 (ta_number, default_fd_handle, NULL, &desc,
05796 &old_rights))
05797 rights |= old_rights;
05798 return rsbac_ta_list_add_ttl(ta_number,
05799 default_fd_handle,
05800 ttl, &desc, &rights);
05801 }
05802 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05803 rcu_read_lock();
05804 #else
05805 rsbac_read_lock(&device_list_lock, &dflags);
05806 #endif
05807
05808 device_p = acl_lookup_device(tid.file.device);
05809 if (!device_p) {
05810
05811 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05812 rcu_read_unlock();
05813 #else
05814 rsbac_read_unlock(&device_list_lock, &dflags);
05815 #endif
05816 rsbac_get_super_block(tid.file.device);
05817
05818 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05819 rcu_read_lock();
05820 #else
05821 rsbac_read_lock(&device_list_lock, &dflags);
05822 #endif
05823 device_p = acl_lookup_device(tid.file.device);
05824 if (!device_p) {
05825 rsbac_printk(KERN_WARNING "rsbac_acl_set_acl_entry(): Could not lookup device!\n");
05826
05827 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05828 rcu_read_unlock();
05829 #else
05830 rsbac_read_unlock(&device_list_lock, &dflags);
05831 #endif
05832 return (-RSBAC_EINVALIDDEV);
05833 }
05834 }
05835
05836 if (!rsbac_ta_list_lol_exist(ta_number, device_p->handle, &tid.file.inode)) {
05837 rsbac_acl_rights_vector_t mask =
05838 RSBAC_ACL_DEFAULT_FD_MASK;
05839
05840 err =
05841 rsbac_ta_list_lol_add_ttl(ta_number,
05842 device_p->handle, 0,
05843 &tid.file.inode,
05844 &mask);
05845 if (err) {
05846 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05847 rcu_read_unlock();
05848 #else
05849 rsbac_read_unlock(&device_list_lock, &dflags);
05850 #endif
05851 return err;
05852 }
05853 } else {
05854 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
05855 device_p->handle,
05856 NULL,
05857 &tid.file.
05858 inode,
05859 &desc,
05860 &old_rights))
05861 rights |= old_rights;
05862 }
05863 err = rsbac_ta_list_lol_subadd_ttl(ta_number,
05864 device_p->handle, ttl,
05865 &tid.file.inode, &desc,
05866 &rights);
05867 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
05868 rcu_read_unlock();
05869 #else
05870 rsbac_read_unlock(&device_list_lock, &dflags);
05871 #endif
05872 return err;
05873
05874 case T_DEV:
05875
05876 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev)) {
05877 if (!rsbac_ta_list_get_data_ttl
05878 (ta_number, default_dev_handle, NULL, &desc,
05879 &old_rights))
05880 rights |= old_rights;
05881 return rsbac_ta_list_add_ttl(ta_number,
05882 default_dev_handle,
05883 ttl, &desc, &rights);
05884 }
05885 switch (tid.dev.type) {
05886 case D_char:
05887 case D_block:
05888 if (!rsbac_ta_list_lol_exist(ta_number, dev_handle, &tid.dev)) {
05889 rsbac_acl_rights_vector_t mask =
05890 RSBAC_ACL_DEFAULT_DEV_MASK;
05891
05892 err =
05893 rsbac_ta_list_lol_add_ttl(ta_number,
05894 dev_handle,
05895 0, &tid.dev,
05896 &mask);
05897 if (err)
05898 return err;
05899 } else {
05900 if (!rsbac_ta_list_lol_get_subdata_ttl
05901 (ta_number, dev_handle, NULL, &tid.dev,
05902 &desc, &old_rights))
05903 rights |= old_rights;
05904 }
05905 return rsbac_ta_list_lol_subadd_ttl(ta_number,
05906 dev_handle,
05907 ttl, &tid.dev,
05908 &desc,
05909 &rights);
05910
05911 case D_char_major:
05912 case D_block_major:
05913 tid.dev.type -= (D_block_major - D_block);
05914 if (!rsbac_ta_list_lol_exist(ta_number, dev_major_handle, &tid.dev)) {
05915 rsbac_acl_rights_vector_t mask =
05916 RSBAC_ACL_DEFAULT_DEV_MASK;
05917
05918 err =
05919 rsbac_ta_list_lol_add_ttl(ta_number,
05920 dev_major_handle,
05921 0, &tid.dev,
05922 &mask);
05923 if (err)
05924 return err;
05925 } else {
05926 if (!rsbac_ta_list_lol_get_subdata_ttl
05927 (ta_number, dev_major_handle, NULL,
05928 &tid.dev, &desc, &old_rights))
05929 rights |= old_rights;
05930 }
05931 return rsbac_ta_list_lol_subadd_ttl(ta_number,
05932 dev_major_handle,
05933 ttl, &tid.dev,
05934 &desc,
05935 &rights);
05936
05937 default:
05938 return -RSBAC_EINVALIDTARGET;
05939 }
05940
05941 case T_IPC:
05942
05943 if (tid.ipc.type == I_none) {
05944 if (!rsbac_ta_list_get_data_ttl
05945 (ta_number, default_ipc_handle, NULL, &desc,
05946 &old_rights))
05947 rights |= old_rights;
05948 return rsbac_ta_list_add_ttl(ta_number,
05949 default_ipc_handle,
05950 ttl, &desc, &rights);
05951 } else
05952 return -RSBAC_EINVALIDTARGET;
05953
05954 case T_SCD:
05955
05956 if (tid.scd == AST_none) {
05957 if (!rsbac_ta_list_get_data_ttl
05958 (ta_number, default_scd_handle, NULL, &desc,
05959 &old_rights))
05960 rights |= old_rights;
05961 return rsbac_ta_list_add_ttl(ta_number,
05962 default_scd_handle,
05963 ttl, &desc, &rights);
05964 }
05965 if (!rsbac_ta_list_lol_exist(ta_number, scd_handle, &tid.scd)) {
05966 rsbac_acl_rights_vector_t mask =
05967 RSBAC_ACL_DEFAULT_SCD_MASK;
05968
05969 err =
05970 rsbac_ta_list_lol_add_ttl(ta_number,
05971 scd_handle, 0,
05972 &tid.scd, &mask);
05973 if (err)
05974 return err;
05975 } else {
05976 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
05977 scd_handle,
05978 NULL,
05979 &tid.scd,
05980 &desc,
05981 &old_rights))
05982 rights |= old_rights;
05983 }
05984 return rsbac_ta_list_lol_subadd_ttl(ta_number,
05985 scd_handle,
05986 ttl,
05987 &tid.scd,
05988 &desc, &rights);
05989
05990 case T_USER:
05991
05992 if (tid.user == RSBAC_NO_USER) {
05993 if (!rsbac_ta_list_get_data_ttl
05994 (ta_number, default_u_handle, NULL, &desc,
05995 &old_rights))
05996 rights |= old_rights;
05997 return rsbac_ta_list_add_ttl(ta_number,
05998 default_u_handle, ttl,
05999 &desc, &rights);
06000 }
06001 if (!rsbac_ta_list_lol_exist(ta_number, u_handle, &tid.user)) {
06002 rsbac_acl_rights_vector_t mask =
06003 RSBAC_ACL_DEFAULT_U_MASK;
06004
06005 err =
06006 rsbac_ta_list_lol_add_ttl(ta_number, u_handle,
06007 0, &tid.user, &mask);
06008 if (err)
06009 return err;
06010 } else {
06011 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06012 u_handle,
06013 NULL,
06014 &tid.user,
06015 &desc,
06016 &old_rights))
06017 rights |= old_rights;
06018 }
06019 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06020 u_handle,
06021 ttl,
06022 &tid.user,
06023 &desc, &rights);
06024
06025 case T_PROCESS:
06026
06027 if (!tid.process) {
06028 if (!rsbac_ta_list_get_data_ttl
06029 (ta_number, default_p_handle, NULL, &desc,
06030 &old_rights))
06031 rights |= old_rights;
06032 return rsbac_ta_list_add_ttl(ta_number,
06033 default_p_handle, ttl,
06034 &desc, &rights);
06035 } else
06036 return -RSBAC_EINVALIDTARGET;
06037
06038 #ifdef CONFIG_RSBAC_ACL_UM_PROT
06039 case T_GROUP:
06040
06041 if (tid.group == RSBAC_NO_GROUP) {
06042 if (!rsbac_ta_list_get_data_ttl
06043 (ta_number, default_g_handle, NULL, &desc,
06044 &old_rights))
06045 rights |= old_rights;
06046 return rsbac_ta_list_add_ttl(ta_number,
06047 default_g_handle, ttl,
06048 &desc, &rights);
06049 }
06050 if (!rsbac_ta_list_lol_exist(ta_number, g_handle, &tid.group)) {
06051 rsbac_acl_rights_vector_t mask =
06052 RSBAC_ACL_DEFAULT_G_MASK;
06053
06054 err =
06055 rsbac_ta_list_lol_add_ttl(ta_number, g_handle,
06056 0, &tid.group,
06057 &mask);
06058 if (err)
06059 return err;
06060 } else {
06061 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06062 g_handle,
06063 NULL,
06064 &tid.group,
06065 &desc,
06066 &old_rights))
06067 rights |= old_rights;
06068 }
06069 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06070 g_handle,
06071 ttl,
06072 &tid.group,
06073 &desc, &rights);
06074 #endif
06075
06076 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
06077 case T_NETDEV:
06078
06079 if (!tid.netdev[0]) {
06080 if (!rsbac_ta_list_get_data_ttl
06081 (ta_number, default_netdev_handle, NULL, &desc,
06082 &old_rights))
06083 rights |= old_rights;
06084 return rsbac_ta_list_add_ttl(ta_number,
06085 default_netdev_handle,
06086 ttl, &desc, &rights);
06087 }
06088 if (!rsbac_ta_list_lol_exist(ta_number, netdev_handle, &tid.netdev)) {
06089 rsbac_acl_rights_vector_t mask =
06090 RSBAC_ACL_DEFAULT_NETDEV_MASK;
06091
06092 err =
06093 rsbac_ta_list_lol_add_ttl(ta_number,
06094 netdev_handle, 0,
06095 &tid.netdev, &mask);
06096 if (err)
06097 return err;
06098 } else {
06099 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06100 netdev_handle,
06101 NULL,
06102 &tid.netdev,
06103 &desc,
06104 &old_rights))
06105 rights |= old_rights;
06106 }
06107 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06108 netdev_handle,
06109 ttl,
06110 &tid.netdev,
06111 &desc, &rights);
06112 #endif
06113
06114 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
06115 case T_NETTEMP_NT:
06116
06117 if (!tid.nettemp) {
06118 if (!rsbac_ta_list_get_data_ttl
06119 (ta_number, default_nettemp_nt_handle, NULL,
06120 &desc, &old_rights))
06121 rights |= old_rights;
06122 return rsbac_ta_list_add_ttl(ta_number,
06123 default_nettemp_nt_handle,
06124 ttl, &desc, &rights);
06125 }
06126 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
06127 return -RSBAC_EINVALIDTARGET;
06128 if (!rsbac_ta_list_lol_exist(ta_number, nettemp_nt_handle, &tid.nettemp)) {
06129 rsbac_acl_rights_vector_t mask =
06130 RSBAC_ACL_DEFAULT_NETTEMP_MASK;
06131
06132 err =
06133 rsbac_ta_list_lol_add_ttl(ta_number,
06134 nettemp_nt_handle, 0,
06135 &tid.nettemp, &mask);
06136 if (err)
06137 return err;
06138 } else {
06139 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06140 nettemp_nt_handle,
06141 NULL,
06142 &tid.
06143 nettemp,
06144 &desc,
06145 &old_rights))
06146 rights |= old_rights;
06147 }
06148 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06149 nettemp_nt_handle,
06150 ttl,
06151 &tid.nettemp,
06152 &desc, &rights);
06153 case T_NETTEMP:
06154
06155 if (!tid.nettemp) {
06156 return -RSBAC_EINVALIDTARGET;
06157 }
06158 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
06159 return -RSBAC_EINVALIDTARGET;
06160 if (!rsbac_ta_list_lol_exist(ta_number, nettemp_handle, &tid.nettemp)) {
06161 rsbac_acl_rights_vector_t mask =
06162 RSBAC_ACL_DEFAULT_NETOBJ_MASK;
06163
06164 err =
06165 rsbac_ta_list_lol_add_ttl(ta_number,
06166 nettemp_handle, 0,
06167 &tid.nettemp, &mask);
06168 if (err)
06169 return err;
06170 } else {
06171 if (!rsbac_ta_list_lol_get_subdata_ttl
06172 (ta_number, nettemp_handle, NULL, &tid.nettemp,
06173 &desc, &old_rights))
06174 rights |= old_rights;
06175 }
06176 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06177 nettemp_handle, ttl,
06178 &tid.nettemp, &desc,
06179 &rights);
06180 case T_NETOBJ:
06181
06182 if (!tid.netobj.sock_p) {
06183 if (!rsbac_ta_list_get_data_ttl
06184 (ta_number, default_netobj_handle, NULL, &desc,
06185 &old_rights))
06186 rights |= old_rights;
06187 return rsbac_ta_list_add_ttl(ta_number,
06188 default_netobj_handle,
06189 ttl, &desc, &rights);
06190 }
06191 if (!rsbac_ta_list_lol_exist(ta_number, netobj_handle, &tid.netobj.sock_p)) {
06192 rsbac_acl_rights_vector_t mask =
06193 RSBAC_ACL_DEFAULT_NETOBJ_MASK;
06194
06195 err =
06196 rsbac_ta_list_lol_add_ttl(ta_number,
06197 netobj_handle, 0,
06198 &tid.netobj.sock_p,
06199 &mask);
06200 if (err)
06201 return err;
06202 } else {
06203 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06204 netobj_handle,
06205 NULL,
06206 &tid.netobj.
06207 sock_p,
06208 &desc,
06209 &old_rights))
06210 rights |= old_rights;
06211 }
06212 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06213 netobj_handle,
06214 ttl,
06215 &tid.netobj.sock_p,
06216 &desc, &rights);
06217 #endif
06218
06219 default:
06220 return -RSBAC_EINVALIDTARGET;
06221 }
06222 }
06223
06224
06225
06226
06227
06228
06229
06230
06231 int rsbac_acl_remove_from_acl_entry(rsbac_list_ta_number_t ta_number,
06232 enum rsbac_target_t target,
06233 union rsbac_target_id_t tid,
06234 enum rsbac_acl_subject_type_t
06235 subj_type,
06236 rsbac_acl_subject_id_t subj_id,
06237 rsbac_acl_rights_vector_t rights)
06238 {
06239 int err = 0;
06240 struct rsbac_acl_device_list_item_t *device_p;
06241 rsbac_acl_rights_vector_t old_rights;
06242 struct rsbac_acl_entry_desc_t desc;
06243 rsbac_time_t ttl;
06244 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
06245 u_long dflags;
06246 #endif
06247
06248 if (!rsbac_is_initialized()) {
06249 rsbac_printk(KERN_WARNING "rsbac_acl_remove_from_acl_entry(): RSBAC not initialized\n");
06250 return (-RSBAC_ENOTINITIALIZED);
06251 }
06252 if (subj_type >= ACLS_NONE)
06253 return (-RSBAC_EINVALIDVALUE);
06254 #ifdef CONFIG_RSBAC_DEBUG
06255 if (in_interrupt()) {
06256 rsbac_printk(KERN_WARNING "rsbac_acl_remove_from_acl_entry(): called from interrupt!\n");
06257 }
06258 #endif
06259 desc.subj_type = subj_type;
06260 desc.subj_id = subj_id;
06261
06262 switch (target) {
06263 case T_FILE:
06264 case T_DIR:
06265 case T_FIFO:
06266 case T_SYMLINK:
06267 case T_UNIXSOCK:
06268
06269 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode
06270 && !tid.file.dentry_p) {
06271 if (!rsbac_ta_list_get_data_ttl
06272 (ta_number, default_fd_handle, &ttl, &desc,
06273 &old_rights)) {
06274 old_rights &= ~rights;
06275 return rsbac_ta_list_add_ttl(ta_number,
06276 default_fd_handle,
06277 ttl, &desc,
06278 &old_rights);
06279 } else
06280 return 0;
06281 }
06282 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06283 rcu_read_lock();
06284 #else
06285 rsbac_read_lock(&device_list_lock, &dflags);
06286 #endif
06287
06288 device_p = acl_lookup_device(tid.file.device);
06289 if (!device_p) {
06290
06291 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06292 rcu_read_unlock();
06293 #else
06294 rsbac_read_unlock(&device_list_lock, &dflags);
06295 #endif
06296 rsbac_get_super_block(tid.file.device);
06297
06298 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06299 rcu_read_lock();
06300 #else
06301 rsbac_read_lock(&device_list_lock, &dflags);
06302 #endif
06303 device_p = acl_lookup_device(tid.file.device);
06304 if (!device_p) {
06305 rsbac_printk(KERN_WARNING "rsbac_acl_remove_from_acl_entry(): Could not lookup device!\n");
06306 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06307 rcu_read_unlock();
06308 #else
06309 rsbac_read_unlock(&device_list_lock, &dflags);
06310 #endif
06311 return (-RSBAC_EINVALIDDEV);
06312 }
06313 }
06314 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06315 device_p->handle,
06316 &ttl,
06317 &tid.file.inode,
06318 &desc,
06319 &old_rights)) {
06320 old_rights &= ~rights;
06321 err = rsbac_ta_list_lol_subadd_ttl(ta_number,
06322 device_p->handle,
06323 ttl,
06324 &tid.file.inode,
06325 &desc,
06326 &old_rights);
06327 } else
06328 err = 0;
06329 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06330 rcu_read_unlock();
06331 #else
06332 rsbac_read_unlock(&device_list_lock, &dflags);
06333 #endif
06334 return err;
06335
06336 case T_DEV:
06337
06338 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev)) {
06339 if (!rsbac_ta_list_get_data_ttl
06340 (ta_number, default_dev_handle, &ttl, &desc,
06341 &old_rights)) {
06342 old_rights &= ~rights;
06343 return rsbac_ta_list_add_ttl(ta_number,
06344 default_dev_handle,
06345 ttl, &desc,
06346 &old_rights);
06347 } else
06348 return 0;
06349 }
06350 switch (tid.dev.type) {
06351 case D_char:
06352 case D_block:
06353 if (!rsbac_ta_list_lol_get_subdata_ttl
06354 (ta_number, dev_handle, &ttl, &tid.dev, &desc,
06355 &old_rights)) {
06356 old_rights &= ~rights;
06357 return
06358 rsbac_ta_list_lol_subadd_ttl(ta_number,
06359 dev_handle,
06360 ttl,
06361 &tid.dev,
06362 &desc,
06363 &old_rights);
06364 } else
06365 return 0;
06366
06367 case D_char_major:
06368 case D_block_major:
06369 tid.dev.type -= (D_block_major - D_block);
06370 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06371 dev_major_handle,
06372 &ttl,
06373 &tid.dev,
06374 &desc,
06375 &old_rights))
06376 {
06377 old_rights &= ~rights;
06378 return
06379 rsbac_ta_list_lol_subadd_ttl(ta_number,
06380 dev_major_handle,
06381 ttl,
06382 &tid.dev,
06383 &desc,
06384 &old_rights);
06385 } else
06386 return 0;
06387
06388 default:
06389 return -RSBAC_EINVALIDTARGET;
06390 }
06391
06392 case T_IPC:
06393
06394 if (tid.ipc.type == I_none) {
06395 if (!rsbac_ta_list_get_data_ttl
06396 (ta_number, default_ipc_handle, &ttl, &desc,
06397 &old_rights)) {
06398 old_rights &= ~rights;
06399 return rsbac_ta_list_add_ttl(ta_number,
06400 default_ipc_handle,
06401 ttl, &desc,
06402 &old_rights);
06403 } else
06404 return 0;
06405 } else
06406 return -RSBAC_EINVALIDTARGET;
06407
06408 case T_SCD:
06409
06410 if (tid.scd == AST_none) {
06411 if (!rsbac_ta_list_get_data_ttl
06412 (ta_number, default_scd_handle, &ttl, &desc,
06413 &old_rights)) {
06414 old_rights &= ~rights;
06415 return rsbac_ta_list_add_ttl(ta_number,
06416 default_scd_handle,
06417 ttl, &desc,
06418 &old_rights);
06419 } else
06420 return 0;
06421 }
06422 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06423 scd_handle,
06424 &ttl,
06425 &tid.scd,
06426 &desc,
06427 &old_rights)) {
06428 old_rights &= ~rights;
06429 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06430 scd_handle,
06431 ttl,
06432 &tid.scd,
06433 &desc,
06434 &old_rights);
06435 } else
06436 return 0;
06437
06438 case T_USER:
06439
06440 if (tid.user == RSBAC_NO_USER) {
06441 if (!rsbac_ta_list_get_data_ttl
06442 (ta_number, default_u_handle, &ttl, &desc,
06443 &old_rights)) {
06444 old_rights &= ~rights;
06445 return rsbac_ta_list_add_ttl(ta_number,
06446 default_u_handle,
06447 ttl, &desc,
06448 &old_rights);
06449 } else
06450 return 0;
06451 }
06452 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06453 u_handle,
06454 &ttl,
06455 &tid.user,
06456 &desc,
06457 &old_rights)) {
06458 old_rights &= ~rights;
06459 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06460 u_handle,
06461 ttl,
06462 &tid.user,
06463 &desc,
06464 &old_rights);
06465 } else
06466 return 0;
06467
06468 case T_PROCESS:
06469
06470 if (!tid.process) {
06471 if (!rsbac_ta_list_get_data_ttl
06472 (ta_number, default_p_handle, &ttl, &desc,
06473 &old_rights)) {
06474 old_rights &= ~rights;
06475 return rsbac_ta_list_add_ttl(ta_number,
06476 default_p_handle,
06477 ttl, &desc,
06478 &old_rights);
06479 } else
06480 return 0;
06481 } else
06482 return -RSBAC_EINVALIDTARGET;
06483
06484 #ifdef CONFIG_RSBAC_ACL_UM_PROT
06485 case T_GROUP:
06486
06487 if (tid.group == RSBAC_NO_GROUP) {
06488 if (!rsbac_ta_list_get_data_ttl
06489 (ta_number, default_g_handle, &ttl, &desc,
06490 &old_rights)) {
06491 old_rights &= ~rights;
06492 return rsbac_ta_list_add_ttl(ta_number,
06493 default_g_handle,
06494 ttl, &desc,
06495 &old_rights);
06496 } else
06497 return 0;
06498 }
06499 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06500 g_handle,
06501 &ttl,
06502 &tid.group,
06503 &desc,
06504 &old_rights)) {
06505 old_rights &= ~rights;
06506 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06507 g_handle,
06508 ttl,
06509 &tid.group,
06510 &desc,
06511 &old_rights);
06512 } else
06513 return 0;
06514 #endif
06515
06516 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
06517 case T_NETDEV:
06518
06519 if (!tid.netdev[0]) {
06520 if (!rsbac_ta_list_get_data_ttl
06521 (ta_number, default_netdev_handle, &ttl, &desc,
06522 &old_rights)) {
06523 old_rights &= ~rights;
06524 return rsbac_ta_list_add_ttl(ta_number,
06525 default_netdev_handle,
06526 ttl, &desc,
06527 &old_rights);
06528 } else
06529 return 0;
06530 }
06531 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06532 netdev_handle,
06533 &ttl,
06534 &tid.netdev,
06535 &desc,
06536 &old_rights)) {
06537 old_rights &= ~rights;
06538 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06539 netdev_handle,
06540 ttl,
06541 &tid.netdev,
06542 &desc,
06543 &old_rights);
06544 } else
06545 return 0;
06546 #endif
06547
06548 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
06549 case T_NETTEMP_NT:
06550
06551 if (!tid.nettemp) {
06552 if (!rsbac_ta_list_get_data_ttl
06553 (ta_number, default_nettemp_nt_handle, &ttl,
06554 &desc, &old_rights)) {
06555 old_rights &= ~rights;
06556 return rsbac_ta_list_add_ttl(ta_number,
06557 default_nettemp_nt_handle,
06558 ttl, &desc,
06559 &old_rights);
06560 } else
06561 return 0;
06562 }
06563 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
06564 return -RSBAC_EINVALIDTARGET;
06565 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06566 nettemp_nt_handle,
06567 &ttl,
06568 &tid.nettemp,
06569 &desc,
06570 &old_rights)) {
06571 old_rights &= ~rights;
06572 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06573 nettemp_nt_handle,
06574 ttl,
06575 &tid.nettemp,
06576 &desc,
06577 &old_rights);
06578 } else
06579 return 0;
06580 case T_NETTEMP:
06581
06582 if (!tid.nettemp) {
06583 return -RSBAC_EINVALIDTARGET;
06584 }
06585 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
06586 return -RSBAC_EINVALIDTARGET;
06587 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06588 nettemp_handle,
06589 &ttl,
06590 &tid.nettemp,
06591 &desc,
06592 &old_rights)) {
06593 old_rights &= ~rights;
06594 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06595 nettemp_handle,
06596 ttl,
06597 &tid.nettemp,
06598 &desc,
06599 &old_rights);
06600 } else
06601 return 0;
06602 case T_NETOBJ:
06603
06604 if (!tid.netobj.sock_p) {
06605 if (!rsbac_ta_list_get_data_ttl
06606 (ta_number, default_netobj_handle, &ttl, &desc,
06607 &old_rights)) {
06608 old_rights &= ~rights;
06609 return rsbac_ta_list_add_ttl(ta_number,
06610 default_netobj_handle,
06611 ttl, &desc,
06612 &old_rights);
06613 } else
06614 return 0;
06615 }
06616 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06617 netobj_handle,
06618 &ttl,
06619 &tid.netobj.sock_p,
06620 &desc,
06621 &old_rights)) {
06622 old_rights &= ~rights;
06623 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06624 netobj_handle,
06625 ttl,
06626 &tid.netobj.
06627 sock_p, &desc,
06628 &old_rights);
06629 } else
06630 return 0;
06631 #endif
06632
06633 default:
06634 return -RSBAC_EINVALIDTARGET;
06635 }
06636 }
06637
06638
06639
06640
06641
06642
06643 int rsbac_acl_set_mask(rsbac_list_ta_number_t ta_number,
06644 enum rsbac_target_t target,
06645 union rsbac_target_id_t tid,
06646 rsbac_acl_rights_vector_t mask)
06647 {
06648 int err = 0;
06649 char tmp[80];
06650 struct rsbac_acl_device_list_item_t *device_p;
06651 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
06652 u_long dflags;
06653 #endif
06654
06655 if (!rsbac_is_initialized()) {
06656 rsbac_printk(KERN_WARNING "rsbac_acl_set_mask(): RSBAC not initialized\n");
06657 return (-RSBAC_ENOTINITIALIZED);
06658 }
06659 if (target >= T_NONE)
06660 return (-RSBAC_EINVALIDTARGET);
06661 #ifdef CONFIG_RSBAC_DEBUG
06662 if (in_interrupt()) {
06663 rsbac_printk(KERN_WARNING "rsbac_acl_set_mask(): called from interrupt!\n");
06664 }
06665 #endif
06666 switch (target) {
06667 case T_FILE:
06668 case T_DIR:
06669 case T_FIFO:
06670 case T_SYMLINK:
06671 case T_UNIXSOCK:
06672
06673 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev)) {
06674 return -RSBAC_EINVALIDTARGET;
06675 }
06676 rsbac_pr_debug(ds_acl, "Setting file/dir/fifo/symlink inheritance mask for device %02u:%02u, inode %u\n",
06677 RSBAC_MAJOR(tid.file.device),
06678 RSBAC_MINOR(tid.file.device), tid.file.inode);
06679 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06680 rcu_read_lock();
06681 #else
06682 rsbac_read_lock(&device_list_lock, &dflags);
06683 #endif
06684 device_p = acl_lookup_device(tid.file.device);
06685 if (!device_p) {
06686
06687 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06688 rcu_read_unlock();
06689 #else
06690 rsbac_read_unlock(&device_list_lock, &dflags);
06691 #endif
06692 rsbac_get_super_block(tid.file.device);
06693
06694 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06695 rcu_read_lock();
06696 #else
06697 rsbac_read_lock(&device_list_lock, &dflags);
06698 #endif
06699 device_p = acl_lookup_device(tid.file.device);
06700 if (!device_p) {
06701 rsbac_printk(KERN_WARNING "rsbac_acl_set_mask(): Could not lookup device!\n");
06702
06703 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06704 rcu_read_unlock();
06705 #else
06706 rsbac_read_unlock(&device_list_lock, &dflags);
06707 #endif
06708 return (-RSBAC_EINVALIDDEV);
06709 }
06710 }
06711 err = rsbac_ta_list_lol_add_ttl(ta_number,
06712 device_p->handle,
06713 0, &tid.file.inode, &mask);
06714 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06715 rcu_read_unlock();
06716 #else
06717 rsbac_read_unlock(&device_list_lock, &dflags);
06718 #endif
06719 return err;
06720
06721 case T_DEV:
06722
06723 if (tid.dev.type == D_none) {
06724 return -RSBAC_EINVALIDTARGET;
06725 }
06726 rsbac_pr_debug(ds_acl, "Setting device inheritance mask for dev %c %02u:%02u\n",
06727 'B' + tid.dev.type,
06728 tid.dev.major, tid.dev.minor);
06729 switch (tid.dev.type) {
06730 case D_char:
06731 case D_block:
06732 return rsbac_ta_list_lol_add_ttl(ta_number,
06733 dev_handle, 0,
06734 &tid.dev, &mask);
06735
06736 case D_char_major:
06737 case D_block_major:
06738 tid.dev.type -= (D_block_major - D_block);
06739 return rsbac_ta_list_lol_add_ttl(ta_number,
06740 dev_major_handle,
06741 0, &tid.dev,
06742 &mask);
06743
06744 default:
06745 return -RSBAC_EINVALIDTARGET;
06746 }
06747
06748 case T_SCD:
06749
06750 if (tid.scd == AST_none) {
06751 return -RSBAC_EINVALIDTARGET;
06752 }
06753 rsbac_pr_debug(ds_acl, "Setting SCD inheritance mask for %s\n",
06754 get_acl_scd_type_name(tmp, tid.scd));
06755 return rsbac_ta_list_lol_add_ttl(ta_number, scd_handle, 0,
06756 &tid.scd, &mask);
06757
06758 case T_USER:
06759
06760 if (tid.user == RSBAC_NO_USER) {
06761 return -RSBAC_EINVALIDTARGET;
06762 }
06763 rsbac_pr_debug(ds_acl, "Setting user inheritance mask for user %u\n",
06764 tid.user);
06765 return rsbac_ta_list_lol_add_ttl(ta_number, u_handle, 0,
06766 &tid.user, &mask);
06767
06768 #ifdef CONFIG_RSBAC_ACL_UM_PROT
06769 case T_GROUP:
06770
06771 if (tid.group == RSBAC_NO_GROUP) {
06772 return -RSBAC_EINVALIDTARGET;
06773 }
06774 rsbac_pr_debug(ds_acl, "Setting Linux group inheritance mask for group %u\n",
06775 tid.group);
06776 return rsbac_ta_list_lol_add_ttl(ta_number, g_handle, 0,
06777 &tid.group, &mask);
06778 #endif
06779
06780 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
06781 case T_NETDEV:
06782
06783 if (!tid.netdev[0]) {
06784 return -RSBAC_EINVALIDTARGET;
06785 }
06786 rsbac_pr_debug(ds_acl, "Setting network device inheritance mask for netdev %s\n",
06787 tid.netdev);
06788 return rsbac_ta_list_lol_add_ttl(ta_number, netdev_handle,
06789 0, &tid.netdev, &mask);
06790 #endif
06791
06792 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
06793 case T_NETTEMP_NT:
06794
06795 if (!tid.nettemp) {
06796 return -RSBAC_EINVALIDTARGET;
06797 }
06798 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
06799 return -RSBAC_EINVALIDTARGET;
06800 rsbac_pr_debug(ds_acl, "Setting network template NT inheritance mask for nettemp %u\n",
06801 tid.nettemp);
06802 return rsbac_ta_list_lol_add_ttl(ta_number,
06803 nettemp_nt_handle, 0,
06804 &tid.nettemp, &mask);
06805
06806 case T_NETTEMP:
06807
06808 if (!tid.nettemp) {
06809 return -RSBAC_EINVALIDTARGET;
06810 }
06811 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
06812 return -RSBAC_EINVALIDTARGET;
06813 rsbac_pr_debug(ds_acl, "Setting network template inheritance mask for nettemp %u\n",
06814 tid.nettemp);
06815 return rsbac_ta_list_lol_add_ttl(ta_number, nettemp_handle,
06816 0, &tid.nettemp, &mask);
06817
06818 case T_NETOBJ:
06819
06820 if (!tid.netobj.sock_p) {
06821 return -RSBAC_EINVALIDTARGET;
06822 }
06823 rsbac_pr_debug(ds_acl, "Setting network object inheritance mask for netobj %p\n",
06824 tid.netobj.sock_p);
06825 return rsbac_ta_list_lol_add_ttl(ta_number, netobj_handle,
06826 0, &tid.netobj.sock_p,
06827 &mask);
06828 #endif
06829
06830 default:
06831 err = -RSBAC_EINVALIDTARGET;
06832 }
06833 return (err);
06834 }
06835
06836
06837
06838
06839
06840
06841 int rsbac_acl_get_mask(rsbac_list_ta_number_t ta_number,
06842 enum rsbac_target_t target,
06843 union rsbac_target_id_t tid,
06844 rsbac_acl_rights_vector_t * mask_p)
06845 {
06846 int err = 0;
06847 struct rsbac_acl_device_list_item_t *device_p;
06848 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
06849 u_long dflags;
06850 #endif
06851
06852 if (!rsbac_is_initialized()) {
06853 rsbac_printk(KERN_WARNING "rsbac_acl_get_mask(): RSBAC not initialized\n");
06854 return (-RSBAC_ENOTINITIALIZED);
06855 }
06856 if (target >= T_NONE)
06857 return (-RSBAC_EINVALIDTARGET);
06858 #ifdef CONFIG_RSBAC_DEBUG
06859 if (in_interrupt()) {
06860 rsbac_printk(KERN_WARNING "rsbac_acl_get_mask(): called from interrupt!\n");
06861 }
06862 #endif
06863 switch (target) {
06864 case T_FILE:
06865 case T_DIR:
06866 case T_FIFO:
06867 case T_SYMLINK:
06868 case T_UNIXSOCK:
06869
06870 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode
06871 && !tid.file.dentry_p) {
06872 return -RSBAC_EINVALIDTARGET;
06873 }
06874
06875 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06876 rcu_read_lock();
06877 #else
06878 rsbac_read_lock(&device_list_lock, &dflags);
06879 #endif
06880
06881 device_p = acl_lookup_device(tid.file.device);
06882 if (!device_p) {
06883
06884 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06885 rcu_read_unlock();
06886 #else
06887 rsbac_read_unlock(&device_list_lock, &dflags);
06888 #endif
06889 rsbac_get_super_block(tid.file.device);
06890
06891 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06892 rcu_read_lock();
06893 #else
06894 rsbac_read_lock(&device_list_lock, &dflags);
06895 #endif
06896 device_p = acl_lookup_device(tid.file.device);
06897 if (!device_p) {
06898 rsbac_printk(KERN_WARNING "rsbac_acl_get_mask(): Could not lookup device!\n");
06899 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06900 rcu_read_unlock();
06901 #else
06902 rsbac_read_unlock(&device_list_lock, &dflags);
06903 #endif
06904 return (-RSBAC_EINVALIDDEV);
06905 }
06906 }
06907 err = rsbac_ta_list_lol_get_data_ttl(ta_number,
06908 device_p->handle, NULL,
06909 &tid.file.inode,
06910 mask_p);
06911 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
06912 rcu_read_unlock();
06913 #else
06914 rsbac_read_unlock(&device_list_lock, &dflags);
06915 #endif
06916 if (err == -RSBAC_ENOTFOUND) {
06917 *mask_p = RSBAC_ACL_DEFAULT_FD_MASK;
06918 err = 0;
06919 }
06920
06921 return err;
06922
06923 case T_DEV:
06924
06925 if (tid.dev.type == D_none) {
06926 return -RSBAC_EINVALIDTARGET;
06927 }
06928
06929 switch (tid.dev.type) {
06930 case D_char:
06931 case D_block:
06932 err =
06933 rsbac_ta_list_lol_get_data_ttl(ta_number,
06934 dev_handle,
06935 NULL, &tid.dev,
06936 mask_p);
06937 break;
06938
06939 case D_char_major:
06940 case D_block_major:
06941 tid.dev.type -= (D_block_major - D_block);
06942 err =
06943 rsbac_ta_list_lol_get_data_ttl(ta_number,
06944 dev_major_handle,
06945 NULL, &tid.dev,
06946 mask_p);
06947 break;
06948
06949 default:
06950 return -RSBAC_EINVALIDTARGET;
06951 }
06952 if (err == -RSBAC_ENOTFOUND) {
06953 *mask_p = RSBAC_ACL_DEFAULT_DEV_MASK;
06954 err = 0;
06955 }
06956
06957 return err;
06958
06959 case T_SCD:
06960
06961 if (tid.scd == AST_none) {
06962 return -RSBAC_EINVALIDTARGET;
06963 }
06964 err =
06965 rsbac_ta_list_lol_get_data_ttl(ta_number, scd_handle,
06966 NULL, &tid.scd, mask_p);
06967 if (err == -RSBAC_ENOTFOUND) {
06968 *mask_p = RSBAC_ACL_DEFAULT_SCD_MASK;
06969 err = 0;
06970 }
06971
06972 return err;
06973
06974 case T_USER:
06975
06976 if (tid.user == RSBAC_NO_USER) {
06977 return -RSBAC_EINVALIDTARGET;
06978 }
06979 err =
06980 rsbac_ta_list_lol_get_data_ttl(ta_number, u_handle,
06981 NULL, &tid.user,
06982 mask_p);
06983 if (err == -RSBAC_ENOTFOUND) {
06984 *mask_p = RSBAC_ACL_DEFAULT_U_MASK;
06985 err = 0;
06986 }
06987
06988 return err;
06989
06990 #ifdef CONFIG_RSBAC_ACL_UM_PROT
06991 case T_GROUP:
06992
06993 if (tid.group == RSBAC_NO_GROUP) {
06994 return -RSBAC_EINVALIDTARGET;
06995 }
06996 err =
06997 rsbac_ta_list_lol_get_data_ttl(ta_number, g_handle,
06998 NULL, &tid.group,
06999 mask_p);
07000 if (err == -RSBAC_ENOTFOUND) {
07001 *mask_p = RSBAC_ACL_DEFAULT_G_MASK;
07002 err = 0;
07003 }
07004
07005 return err;
07006 #endif
07007
07008 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
07009 case T_NETDEV:
07010
07011 if (!tid.netdev[0]) {
07012 return -RSBAC_EINVALIDTARGET;
07013 }
07014
07015 err =
07016 rsbac_ta_list_lol_get_data_ttl(ta_number,
07017 netdev_handle, NULL,
07018 &tid.netdev, mask_p);
07019 if (err == -RSBAC_ENOTFOUND) {
07020 *mask_p = RSBAC_ACL_DEFAULT_NETDEV_MASK;
07021 err = 0;
07022 }
07023
07024 return err;
07025 #endif
07026
07027 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
07028 case T_NETTEMP_NT:
07029
07030 if (!tid.nettemp) {
07031 return -RSBAC_EINVALIDTARGET;
07032 }
07033 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
07034 return -RSBAC_EINVALIDTARGET;
07035
07036 err =
07037 rsbac_ta_list_lol_get_data_ttl(ta_number,
07038 nettemp_nt_handle, NULL,
07039 &tid.nettemp, mask_p);
07040 if (err == -RSBAC_ENOTFOUND) {
07041 *mask_p = RSBAC_ACL_DEFAULT_NETTEMP_MASK;
07042 err = 0;
07043 }
07044
07045 return err;
07046 case T_NETTEMP:
07047
07048 if (!tid.nettemp) {
07049 return -RSBAC_EINVALIDTARGET;
07050 }
07051 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
07052 return -RSBAC_EINVALIDTARGET;
07053
07054 err =
07055 rsbac_ta_list_lol_get_data_ttl(ta_number,
07056 nettemp_handle, NULL,
07057 &tid.nettemp, mask_p);
07058 if (err == -RSBAC_ENOTFOUND) {
07059 *mask_p = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
07060 err = 0;
07061 }
07062
07063 return err;
07064 case T_NETOBJ:
07065
07066 if (!tid.netobj.sock_p) {
07067 return -RSBAC_EINVALIDTARGET;
07068 }
07069
07070 err =
07071 rsbac_ta_list_lol_get_data_ttl(ta_number,
07072 netobj_handle, NULL,
07073 &tid.netobj.sock_p,
07074 mask_p);
07075 if (err == -RSBAC_ENOTFOUND) {
07076 *mask_p = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
07077 err = 0;
07078 }
07079
07080 return err;
07081 #endif
07082
07083 default:
07084 err = -RSBAC_EINVALIDTARGET;
07085 }
07086 return (err);
07087 }
07088
07089
07090
07091
07092
07093
07094
07095
07096 int rsbac_acl_get_rights(rsbac_list_ta_number_t ta_number,
07097 enum rsbac_target_t target,
07098 union rsbac_target_id_t tid,
07099 enum rsbac_acl_subject_type_t subj_type,
07100 rsbac_acl_subject_id_t subj_id,
07101 rsbac_acl_rights_vector_t * rights_p,
07102 rsbac_boolean_t inherit)
07103 {
07104 int err = 0;
07105 struct rsbac_acl_device_list_item_t *device_p;
07106 struct rsbac_acl_entry_desc_t desc;
07107 rsbac_acl_rights_vector_t i_rights = 0;
07108 rsbac_acl_rights_vector_t mask = -1;
07109 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
07110 u_long dflags;
07111 #endif
07112
07113 if (!rsbac_is_initialized()) {
07114 rsbac_printk(KERN_WARNING "rsbac_acl_get_rights(): RSBAC not initialized\n");
07115 return (-RSBAC_ENOTINITIALIZED);
07116 }
07117 if (!rights_p)
07118 return (-RSBAC_EINVALIDPOINTER);
07119 if (subj_type >= ACLS_NONE)
07120 return (-RSBAC_EINVALIDVALUE);
07121 #ifdef CONFIG_RSBAC_DEBUG
07122 if (in_interrupt()) {
07123 rsbac_printk(KERN_WARNING "rsbac_acl_get_rights(): called from interrupt!\n");
07124 }
07125 #endif
07126 desc.subj_type = subj_type;
07127 desc.subj_id = subj_id;
07128
07129 switch (target) {
07130 case T_FILE:
07131 case T_DIR:
07132 case T_FIFO:
07133 case T_SYMLINK:
07134 case T_UNIXSOCK:
07135
07136 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode
07137 && !tid.file.dentry_p) {
07138 if (rsbac_ta_list_get_data_ttl
07139 (ta_number, default_fd_handle, NULL, &desc,
07140 rights_p)) {
07141
07142 *rights_p = default_fd_rights;
07143 }
07144 return 0;
07145 }
07146 *rights_p = 0;
07147 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07148 rcu_read_lock();
07149 #else
07150 rsbac_read_lock(&device_list_lock, &dflags);
07151 #endif
07152
07153 for (;;) {
07154
07155 device_p = acl_lookup_device(tid.file.device);
07156 if (!device_p) {
07157
07158 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07159 rcu_read_unlock();
07160 #else
07161 rsbac_read_unlock(&device_list_lock, &dflags);
07162 #endif
07163 rsbac_get_super_block(tid.file.device);
07164
07165 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07166 rcu_read_lock();
07167 #else
07168 rsbac_read_lock(&device_list_lock, &dflags);
07169 #endif
07170 device_p =
07171 acl_lookup_device(tid.file.device);
07172 if (!device_p) {
07173 rsbac_printk(KERN_WARNING "rsbac_acl_get_rights(): Could not lookup device %02u:%02u!\n",
07174 RSBAC_MAJOR(tid.file.
07175 device),
07176 RSBAC_MINOR(tid.file.
07177 device));
07178 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07179 rcu_read_unlock();
07180 #else
07181 rsbac_read_unlock(&device_list_lock, &dflags);
07182 #endif
07183 return (-RSBAC_EINVALIDDEV);
07184 }
07185 }
07186 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07187 device_p->handle,
07188 NULL,
07189 &tid.file.
07190 inode,
07191 &desc,
07192 &i_rights))
07193 {
07194 *rights_p |= (i_rights & mask);
07195
07196 break;
07197 } else if (inherit) {
07198 enum rsbac_target_t parent_target;
07199 union rsbac_target_id_t parent_tid;
07200 rsbac_acl_rights_vector_t i_mask;
07201
07202
07203 if (rsbac_ta_list_lol_get_data_ttl
07204 (ta_number, device_p->handle,
07205 NULL, &tid.file.inode, &i_mask)) {
07206
07207 i_mask = RSBAC_ACL_DEFAULT_FD_MASK;
07208 }
07209
07210 mask &= i_mask;
07211
07212
07213 if (!rsbac_get_parent
07214 (target, tid, &parent_target,
07215 &parent_tid)) {
07216 target = parent_target;
07217 tid = parent_tid;
07218
07219 continue;
07220 } else {
07221
07222 if (!rsbac_ta_list_get_data_ttl
07223 (ta_number, default_fd_handle,
07224 NULL, &desc, &i_rights)) {
07225
07226 *rights_p |=
07227 (i_rights & mask);
07228 } else {
07229
07230 *rights_p |=
07231 (default_fd_rights &
07232 mask);
07233 }
07234 }
07235
07236 break;
07237 } else {
07238
07239
07240 *rights_p |= default_fd_rights;
07241
07242 break;
07243 }
07244 }
07245 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07246 rcu_read_unlock();
07247 #else
07248 rsbac_read_unlock(&device_list_lock, &dflags);
07249 #endif
07250 return err;
07251
07252 case T_DEV:
07253
07254
07255 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev)) {
07256 if (rsbac_ta_list_get_data_ttl
07257 (ta_number, default_dev_handle, NULL, &desc,
07258 rights_p)) {
07259
07260 *rights_p = default_dev_rights;
07261 }
07262 return 0;
07263 }
07264 if ((tid.dev.type >= D_char_major)
07265 || (tid.dev.type == D_block_major)
07266 ) {
07267 tid.dev.type -= (D_block_major - D_block);
07268 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07269 dev_major_handle,
07270 NULL,
07271 &tid.dev,
07272 &desc,
07273 &i_rights))
07274 {
07275 *rights_p |= i_rights;
07276 } else {
07277 rsbac_acl_rights_vector_t mask2;
07278
07279
07280 if (rsbac_ta_list_lol_get_data_ttl
07281 (ta_number, dev_major_handle, NULL,
07282 &tid.dev, &mask2)) {
07283
07284 mask2 = RSBAC_ACL_DEFAULT_DEV_MASK;
07285 }
07286
07287 if (!rsbac_ta_list_get_data_ttl
07288 (ta_number, default_dev_handle, NULL,
07289 &desc, rights_p)) {
07290 *rights_p &= mask2;
07291 } else {
07292
07293 *rights_p =
07294 default_dev_rights & mask2;
07295 }
07296 }
07297 return 0;
07298 }
07299 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07300 dev_handle,
07301 NULL,
07302 &tid.dev,
07303 &desc, &i_rights)) {
07304 *rights_p |= i_rights;
07305 } else {
07306 rsbac_acl_rights_vector_t mask;
07307
07308
07309 if (rsbac_ta_list_lol_get_data_ttl(ta_number,
07310 dev_handle,
07311 NULL,
07312 &tid.dev,
07313 &mask)) {
07314
07315 mask = RSBAC_ACL_DEFAULT_DEV_MASK;
07316 }
07317 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07318 dev_major_handle,
07319 NULL,
07320 &tid.dev,
07321 &desc,
07322 &i_rights))
07323 {
07324 i_rights &= mask;
07325 *rights_p |= i_rights;
07326 } else {
07327 rsbac_acl_rights_vector_t mask2;
07328
07329
07330 if (rsbac_ta_list_lol_get_data_ttl
07331 (ta_number, dev_major_handle, NULL,
07332 &tid.dev, &mask2)) {
07333
07334 mask2 = RSBAC_ACL_DEFAULT_DEV_MASK;
07335 }
07336
07337 if (!rsbac_ta_list_get_data_ttl
07338 (ta_number, default_dev_handle, NULL,
07339 &desc, rights_p)) {
07340 *rights_p &= mask;
07341 *rights_p &= mask2;
07342 } else {
07343
07344 *rights_p =
07345 default_dev_rights & mask &
07346 mask2;
07347 }
07348 }
07349 }
07350 return 0;
07351
07352 case T_IPC:
07353
07354
07355 if (rsbac_ta_list_get_data_ttl
07356 (ta_number, default_ipc_handle, NULL, &desc,
07357 rights_p)) {
07358
07359 *rights_p = default_ipc_rights;
07360 }
07361 return 0;
07362
07363 case T_SCD:
07364
07365 if ((tid.scd == AST_none)
07366 || (tid.scd == ST_none)
07367 ) {
07368 if (rsbac_ta_list_get_data_ttl
07369 (ta_number, default_scd_handle, NULL, &desc,
07370 rights_p)) {
07371
07372 *rights_p = default_scd_rights;
07373 }
07374 return 0;
07375 }
07376 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07377 scd_handle,
07378 NULL,
07379 &tid.scd,
07380 &desc, &i_rights)) {
07381 *rights_p |= i_rights;
07382 } else {
07383 rsbac_acl_rights_vector_t mask;
07384
07385
07386 if (rsbac_ta_list_lol_get_data_ttl(ta_number,
07387 scd_handle,
07388 NULL,
07389 &tid.scd,
07390 &mask)) {
07391
07392 mask = RSBAC_ACL_DEFAULT_SCD_MASK;
07393 }
07394
07395 if (!rsbac_ta_list_get_data_ttl
07396 (ta_number, default_scd_handle, NULL, &desc,
07397 rights_p)) {
07398 *rights_p &= mask;
07399 } else {
07400
07401 *rights_p = default_scd_rights & mask;
07402 }
07403 }
07404 return 0;
07405
07406 case T_USER:
07407
07408 if (tid.user == RSBAC_NO_USER) {
07409 if (rsbac_ta_list_get_data_ttl
07410 (ta_number, default_u_handle, NULL, &desc,
07411 rights_p)) {
07412
07413 *rights_p = default_u_rights;
07414 }
07415 return 0;
07416 }
07417 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07418 u_handle,
07419 NULL,
07420 &tid.user,
07421 &desc, &i_rights)) {
07422 *rights_p |= i_rights;
07423 } else {
07424 rsbac_acl_rights_vector_t mask;
07425
07426
07427 if (rsbac_ta_list_lol_get_data_ttl(ta_number,
07428 u_handle,
07429 NULL,
07430 &tid.user,
07431 &mask)) {
07432
07433 mask = RSBAC_ACL_DEFAULT_U_MASK;
07434 }
07435
07436 if (!rsbac_ta_list_get_data_ttl
07437 (ta_number, default_u_handle, NULL, &desc,
07438 rights_p)) {
07439 *rights_p &= mask;
07440 } else {
07441
07442 *rights_p = default_u_rights & mask;
07443 }
07444 }
07445 return 0;
07446
07447 case T_PROCESS:
07448
07449
07450 if (rsbac_ta_list_get_data_ttl(ta_number, default_p_handle,
07451 NULL, &desc, rights_p)) {
07452
07453 *rights_p = default_p_rights;
07454 }
07455 return 0;
07456
07457 #ifdef CONFIG_RSBAC_ACL_UM_PROT
07458 case T_GROUP:
07459
07460 if (tid.group == RSBAC_NO_GROUP) {
07461 if (rsbac_ta_list_get_data_ttl
07462 (ta_number, default_g_handle, NULL, &desc,
07463 rights_p)) {
07464
07465 *rights_p = default_g_rights;
07466 }
07467 return 0;
07468 }
07469 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07470 g_handle,
07471 NULL,
07472 &tid.group,
07473 &desc, &i_rights)) {
07474 *rights_p |= i_rights;
07475 } else {
07476 rsbac_acl_rights_vector_t mask;
07477
07478
07479 if (rsbac_ta_list_lol_get_data_ttl(ta_number,
07480 g_handle,
07481 NULL,
07482 &tid.group,
07483 &mask)) {
07484
07485 mask = RSBAC_ACL_DEFAULT_G_MASK;
07486 }
07487
07488 if (!rsbac_ta_list_get_data_ttl
07489 (ta_number, default_g_handle, NULL, &desc,
07490 rights_p)) {
07491 *rights_p &= mask;
07492 } else {
07493
07494 *rights_p = default_g_rights & mask;
07495 }
07496 }
07497 return 0;
07498 #endif
07499
07500 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
07501 case T_NETDEV:
07502
07503
07504 if (!tid.netdev[0]) {
07505 if (rsbac_ta_list_get_data_ttl
07506 (ta_number, default_netdev_handle, NULL, &desc,
07507 rights_p)) {
07508
07509 *rights_p = default_netdev_rights;
07510 }
07511 return 0;
07512 }
07513 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07514 netdev_handle,
07515 NULL,
07516 &tid.netdev,
07517 &desc, &i_rights)) {
07518 *rights_p |= i_rights;
07519 } else {
07520 rsbac_acl_rights_vector_t mask;
07521
07522
07523 if (rsbac_ta_list_lol_get_data_ttl(ta_number,
07524 netdev_handle,
07525 NULL,
07526 &tid.netdev,
07527 &mask)) {
07528
07529 mask = RSBAC_ACL_DEFAULT_NETDEV_MASK;
07530 }
07531
07532 if (!rsbac_ta_list_get_data_ttl
07533 (ta_number, default_netdev_handle, NULL, &desc,
07534 rights_p)) {
07535 *rights_p &= mask;
07536 } else {
07537
07538 *rights_p = default_netdev_rights & mask;
07539 }
07540 }
07541 return 0;
07542 #endif
07543
07544 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
07545
07546 case T_NETTEMP_NT:
07547
07548
07549 if (!tid.nettemp) {
07550 if (rsbac_ta_list_get_data_ttl
07551 (ta_number, default_nettemp_nt_handle, NULL,
07552 &desc, rights_p)) {
07553
07554 *rights_p = default_nettemp_nt_rights;
07555 }
07556 return 0;
07557 }
07558 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
07559 return -RSBAC_EINVALIDTARGET;
07560 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07561 nettemp_nt_handle,
07562 NULL,
07563 &tid.nettemp,
07564 &desc, &i_rights)) {
07565 *rights_p |= i_rights;
07566 } else {
07567 rsbac_acl_rights_vector_t mask;
07568
07569
07570 if (rsbac_ta_list_lol_get_data_ttl(ta_number,
07571 nettemp_nt_handle,
07572 NULL,
07573 &tid.nettemp,
07574 &mask)) {
07575
07576 mask = RSBAC_ACL_DEFAULT_NETTEMP_MASK;
07577 }
07578
07579 if (!rsbac_ta_list_get_data_ttl
07580 (ta_number, default_nettemp_nt_handle, NULL,
07581 &desc, rights_p)) {
07582 *rights_p &= mask;
07583 } else {
07584
07585 *rights_p =
07586 default_nettemp_nt_rights & mask;
07587 }
07588 }
07589 return 0;
07590
07591
07592 case T_NETTEMP:
07593
07594
07595 if (!tid.nettemp) {
07596 if (rsbac_ta_list_get_data_ttl
07597 (ta_number, default_netobj_handle, NULL, &desc,
07598 rights_p)) {
07599
07600 *rights_p = default_netobj_rights;
07601 }
07602 return 0;
07603 }
07604 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
07605 return -RSBAC_EINVALIDTARGET;
07606 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07607 nettemp_handle,
07608 NULL,
07609 &tid.nettemp,
07610 &desc, &i_rights)) {
07611 *rights_p |= i_rights;
07612 } else {
07613 rsbac_acl_rights_vector_t mask;
07614
07615
07616 if (rsbac_ta_list_lol_get_data_ttl(ta_number,
07617 nettemp_handle,
07618 NULL,
07619 &tid.nettemp,
07620 &mask)) {
07621
07622 mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
07623 }
07624
07625 if (!rsbac_ta_list_get_data_ttl
07626 (ta_number, default_netobj_handle, NULL, &desc,
07627 rights_p)) {
07628 *rights_p &= mask;
07629 } else {
07630
07631 *rights_p = default_netobj_rights & mask;
07632 }
07633 }
07634 return 0;
07635
07636 case T_NETOBJ:
07637
07638
07639 if (!tid.nettemp) {
07640 if (rsbac_ta_list_get_data_ttl
07641 (ta_number, default_netobj_handle, NULL, &desc,
07642 rights_p)) {
07643
07644 *rights_p = default_netobj_rights;
07645 }
07646 return 0;
07647 }
07648 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07649 netobj_handle,
07650 NULL,
07651 &tid.netobj.sock_p,
07652 &desc, &i_rights)) {
07653 *rights_p |= i_rights;
07654 } else {
07655 rsbac_acl_rights_vector_t mask;
07656 rsbac_net_temp_id_t temp = 0;
07657
07658
07659 if (rsbac_ta_list_lol_get_data_ttl(ta_number,
07660 nettemp_handle,
07661 NULL,
07662 &temp, &mask)) {
07663
07664 mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
07665 }
07666
07667 if(!ta_number && tid.netobj.local_temp)
07668 temp = tid.netobj.local_temp;
07669 else
07670 rsbac_ta_net_lookup_templates(ta_number,
07671 &tid.netobj,
07672 &temp, NULL);
07673
07674 if (temp
07675 &&
07676 !rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07677 nettemp_handle,
07678 NULL, &temp,
07679 &desc,
07680 &i_rights))
07681 {
07682 *rights_p |= i_rights;
07683 } else {
07684
07685 if (temp
07686 &&
07687 rsbac_ta_list_lol_get_data_ttl
07688 (ta_number, nettemp_handle, NULL,
07689 &temp, &mask)) {
07690
07691 mask =
07692 RSBAC_ACL_DEFAULT_NETOBJ_MASK;
07693 }
07694
07695 if (!rsbac_ta_list_get_data_ttl
07696 (ta_number, default_netobj_handle,
07697 NULL, &desc, rights_p)) {
07698 *rights_p &= mask;
07699 } else {
07700
07701 *rights_p =
07702 default_netobj_rights & mask;
07703 }
07704 }
07705 }
07706 return 0;
07707 #endif
07708
07709 default:
07710 return -RSBAC_EINVALIDTARGET;
07711 }
07712 }
07713
07714
07715
07716
07717
07718
07719
07720
07721 int rsbac_acl_get_single_right(enum rsbac_target_t target,
07722 union rsbac_target_id_t tid,
07723 enum rsbac_acl_subject_type_t subj_type,
07724 rsbac_acl_subject_id_t subj_id,
07725 enum rsbac_adf_request_t right,
07726 rsbac_boolean_t * result)
07727 {
07728 struct rsbac_acl_device_list_item_t *device_p;
07729 rsbac_acl_rights_vector_t i_rvec;
07730 rsbac_acl_rights_vector_t i_rights;
07731 struct rsbac_acl_entry_desc_t desc;
07732 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
07733 u_long dflags;
07734 #endif
07735
07736 if (!rsbac_is_initialized()) {
07737 rsbac_printk(KERN_WARNING "rsbac_acl_get_single_right(): RSBAC not initialized\n");
07738 return (-RSBAC_ENOTINITIALIZED);
07739 }
07740 if (!result)
07741 return (-RSBAC_EINVALIDPOINTER);
07742 if ((subj_type >= ACLS_NONE)
07743 || (right >= ACLR_NONE)
07744 )
07745 return (-RSBAC_EINVALIDVALUE);
07746 #ifdef CONFIG_RSBAC_DEBUG
07747 if (in_interrupt()) {
07748 rsbac_printk(KERN_WARNING "rsbac_acl_get_single_right(): called from interrupt!\n");
07749 }
07750 #endif
07751 i_rvec = (rsbac_acl_rights_vector_t) 1 << right;
07752
07753 desc.subj_type = subj_type;
07754 desc.subj_id = subj_id;
07755
07756 switch (target) {
07757 case T_FILE:
07758 case T_DIR:
07759 case T_FIFO:
07760 case T_SYMLINK:
07761 case T_UNIXSOCK:
07762
07763 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode
07764 && !tid.file.dentry_p) {
07765 if (!rsbac_ta_list_get_data_ttl
07766 (0, default_fd_handle, NULL, &desc,
07767 &i_rights)) {
07768 if (i_rights & i_rvec)
07769 *result = TRUE;
07770 else
07771 *result = FALSE;
07772 } else {
07773 if (default_fd_rights & i_rvec)
07774 *result = TRUE;
07775 else
07776 *result = FALSE;
07777 }
07778 return 0;
07779 }
07780 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07781 rcu_read_lock();
07782 #else
07783 rsbac_read_lock(&device_list_lock, &dflags);
07784 #endif
07785
07786 for (;;) {
07787
07788 device_p = acl_lookup_device(tid.file.device);
07789 if (!device_p) {
07790
07791 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07792 rcu_read_unlock();
07793 #else
07794 rsbac_read_unlock(&device_list_lock, &dflags);
07795 #endif
07796 rsbac_get_super_block(tid.file.device);
07797
07798 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07799 rcu_read_lock();
07800 #else
07801 rsbac_read_lock(&device_list_lock, &dflags);
07802 #endif
07803 device_p =
07804 acl_lookup_device(tid.file.device);
07805 if (!device_p) {
07806 rsbac_printk(KERN_WARNING "rsbac_acl_get_single_right(): Could not lookup device, blindly granting access!\n");
07807 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07808 rcu_read_unlock();
07809 #else
07810 rsbac_read_unlock(&device_list_lock, &dflags);
07811 #endif
07812 *result = TRUE;
07813 return 0;
07814 }
07815 }
07816 if (!rsbac_ta_list_lol_get_subdata_ttl(0,
07817 device_p->handle,
07818 NULL,
07819 &tid.file.
07820 inode,
07821 &desc,
07822 &i_rights)
07823 ) {
07824 if (i_rights & i_rvec)
07825 *result = TRUE;
07826 else
07827 *result = FALSE;
07828 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07829 rcu_read_unlock();
07830 #else
07831 rsbac_read_unlock(&device_list_lock, &dflags);
07832 #endif
07833 return 0;
07834 }
07835
07836 {
07837 enum rsbac_target_t parent_target;
07838 union rsbac_target_id_t parent_tid;
07839
07840 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
07841 if (right != ACLR_SUPERVISOR)
07842 #endif
07843 {
07844 rsbac_acl_rights_vector_t mask;
07845
07846
07847 if (!rsbac_ta_list_lol_get_data_ttl
07848 (0, device_p->handle,
07849 NULL, &tid.file.inode, &mask)
07850 && !(mask & i_rvec)
07851 ) {
07852 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07853 rcu_read_unlock();
07854 #else
07855 rsbac_read_unlock(&device_list_lock, &dflags);
07856 #endif
07857 *result = FALSE;
07858 return 0;
07859 }
07860 }
07861
07862
07863 if (!rsbac_get_parent
07864 (target, tid, &parent_target,
07865 &parent_tid)) {
07866 target = parent_target;
07867 tid = parent_tid;
07868 continue;
07869 } else {
07870
07871 if (!rsbac_ta_list_get_data_ttl
07872 (0, default_fd_handle, NULL,
07873 &desc, &i_rights)
07874 ) {
07875 if (i_rights & i_rvec)
07876 *result = TRUE;
07877 else
07878 *result = FALSE;
07879 } else {
07880 if (default_fd_rights &
07881 i_rvec)
07882 *result = TRUE;
07883 else
07884 *result = FALSE;
07885 }
07886
07887 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
07888 rcu_read_unlock();
07889 #else
07890 rsbac_read_unlock(&device_list_lock, &dflags);
07891 #endif
07892 return 0;
07893 }
07894 }
07895 }
07896
07897 case T_DEV:
07898 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev)) {
07899 if (!rsbac_ta_list_get_data_ttl
07900 (0, default_dev_handle, NULL, &desc,
07901 &i_rights)) {
07902 if (i_rights & i_rvec)
07903 *result = TRUE;
07904 else
07905 *result = FALSE;
07906 } else {
07907 if (default_dev_rights & i_rvec)
07908 *result = TRUE;
07909 else
07910 *result = FALSE;
07911 }
07912 return 0;
07913 }
07914
07915 if (tid.dev.type >= D_block_major) {
07916 tid.dev.type -= (D_block_major - D_block);
07917 if (!rsbac_ta_list_lol_get_subdata_ttl
07918 (0, dev_major_handle, NULL, &tid.dev, &desc,
07919 &i_rights)
07920 ) {
07921 if (i_rights & i_rvec)
07922 *result = TRUE;
07923 else
07924 *result = FALSE;
07925 return 0;
07926 }
07927 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
07928 if (right != ACLR_SUPERVISOR)
07929 #endif
07930 {
07931 rsbac_acl_rights_vector_t mask;
07932
07933
07934 if (!rsbac_ta_list_lol_get_data_ttl
07935 (0, dev_major_handle, NULL, &tid.dev,
07936 &mask)
07937 && !(mask & i_rvec)
07938 ) {
07939 *result = FALSE;
07940 return 0;
07941 }
07942 }
07943
07944 if (!rsbac_ta_list_get_data_ttl
07945 (0, default_dev_handle, NULL, &desc, &i_rights)
07946 ) {
07947 if (i_rights & i_rvec)
07948 *result = TRUE;
07949 else
07950 *result = FALSE;
07951 } else {
07952 if (default_dev_rights & i_rvec)
07953 *result = TRUE;
07954 else
07955 *result = FALSE;
07956 }
07957 return 0;
07958 }
07959 if (!rsbac_ta_list_lol_get_subdata_ttl(0, dev_handle,
07960 NULL,
07961 &tid.dev,
07962 &desc, &i_rights)
07963 ) {
07964 if (i_rights & i_rvec)
07965 *result = TRUE;
07966 else
07967 *result = FALSE;
07968 return 0;
07969 }
07970 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
07971 if (right != ACLR_SUPERVISOR)
07972 #endif
07973 {
07974 rsbac_acl_rights_vector_t mask;
07975
07976
07977 if (!rsbac_ta_list_lol_get_data_ttl(0, dev_handle,
07978 NULL,
07979 &tid.dev,
07980 &mask)
07981 && !(mask & i_rvec)
07982 ) {
07983 *result = FALSE;
07984 return 0;
07985 }
07986 }
07987 if (!rsbac_ta_list_lol_get_subdata_ttl(0, dev_major_handle,
07988 NULL,
07989 &tid.dev,
07990 &desc, &i_rights)
07991 ) {
07992 if (i_rights & i_rvec)
07993 *result = TRUE;
07994 else
07995 *result = FALSE;
07996 return 0;
07997 }
07998 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
07999 if (right != ACLR_SUPERVISOR)
08000 #endif
08001 {
08002 rsbac_acl_rights_vector_t mask;
08003
08004
08005 if (!rsbac_ta_list_lol_get_data_ttl
08006 (0, dev_major_handle, NULL, &tid.dev, &mask)
08007 && !(mask & i_rvec)
08008 ) {
08009 *result = FALSE;
08010 return 0;
08011 }
08012 }
08013
08014 if (!rsbac_ta_list_get_data_ttl(0, default_dev_handle,
08015 NULL, &desc, &i_rights)
08016 ) {
08017 if (i_rights & i_rvec)
08018 *result = TRUE;
08019 else
08020 *result = FALSE;
08021 } else {
08022 if (default_dev_rights & i_rvec)
08023 *result = TRUE;
08024 else
08025 *result = FALSE;
08026 }
08027 return 0;
08028
08029 case T_IPC:
08030
08031 if (!rsbac_ta_list_get_data_ttl(0, default_ipc_handle,
08032 NULL, &desc, &i_rights)) {
08033 if (i_rights & i_rvec)
08034 *result = TRUE;
08035 else
08036 *result = FALSE;
08037 } else {
08038 if (default_ipc_rights & i_rvec)
08039 *result = TRUE;
08040 else
08041 *result = FALSE;
08042 }
08043 return 0;
08044
08045 case T_SCD:
08046 if (tid.scd == AST_none) {
08047 if (!rsbac_ta_list_get_data_ttl
08048 (0, default_scd_handle, NULL, &desc,
08049 &i_rights)) {
08050 if (i_rights & i_rvec)
08051 *result = TRUE;
08052 else
08053 *result = FALSE;
08054 } else {
08055 if (default_scd_rights & i_rvec)
08056 *result = TRUE;
08057 else
08058 *result = FALSE;
08059 }
08060 return 0;
08061 }
08062
08063 if (!rsbac_ta_list_lol_get_subdata_ttl(0, scd_handle,
08064 NULL,
08065 &tid.scd,
08066 &desc, &i_rights)
08067 ) {
08068 if (i_rights & i_rvec)
08069 *result = TRUE;
08070 else
08071 *result = FALSE;
08072 return 0;
08073 }
08074 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08075 if (right != ACLR_SUPERVISOR)
08076 #endif
08077 {
08078 rsbac_acl_rights_vector_t mask;
08079
08080
08081 if (!rsbac_ta_list_lol_get_data_ttl(0, scd_handle,
08082 NULL,
08083 &tid.scd,
08084 &mask)
08085 && !(mask & i_rvec)
08086 ) {
08087 *result = FALSE;
08088 return 0;
08089 }
08090 }
08091
08092
08093 if (!rsbac_ta_list_get_data_ttl(0, default_scd_handle,
08094 NULL, &desc, &i_rights)
08095 ) {
08096 if (i_rights & i_rvec)
08097 *result = TRUE;
08098 else
08099 *result = FALSE;
08100 } else {
08101 if (default_scd_rights & i_rvec)
08102 *result = TRUE;
08103 else
08104 *result = FALSE;
08105 }
08106 return 0;
08107
08108 case T_USER:
08109 if (tid.user == RSBAC_NO_USER) {
08110 if (!rsbac_ta_list_get_data_ttl
08111 (0, default_u_handle, NULL, &desc,
08112 &i_rights)) {
08113 if (i_rights & i_rvec)
08114 *result = TRUE;
08115 else
08116 *result = FALSE;
08117 } else {
08118 if (default_u_rights & i_rvec)
08119 *result = TRUE;
08120 else
08121 *result = FALSE;
08122 }
08123 return 0;
08124 }
08125
08126 if (!rsbac_ta_list_lol_get_subdata_ttl(0, u_handle,
08127 NULL,
08128 &tid.user,
08129 &desc, &i_rights)
08130 ) {
08131 if (i_rights & i_rvec)
08132 *result = TRUE;
08133 else
08134 *result = FALSE;
08135 return 0;
08136 }
08137 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08138 if (right != ACLR_SUPERVISOR)
08139 #endif
08140 {
08141 rsbac_acl_rights_vector_t mask;
08142
08143
08144 if (!rsbac_ta_list_lol_get_data_ttl(0, u_handle,
08145 NULL,
08146 &tid.user,
08147 &mask)
08148 && !(mask & i_rvec)
08149 ) {
08150 *result = FALSE;
08151 return 0;
08152 }
08153 }
08154
08155
08156 if (!rsbac_ta_list_get_data_ttl(0, default_u_handle,
08157 NULL, &desc, &i_rights)
08158 ) {
08159 if (i_rights & i_rvec)
08160 *result = TRUE;
08161 else
08162 *result = FALSE;
08163 } else {
08164 if (default_u_rights & i_rvec)
08165 *result = TRUE;
08166 else
08167 *result = FALSE;
08168 }
08169 return 0;
08170
08171 case T_PROCESS:
08172
08173 if (!rsbac_ta_list_get_data_ttl(0, default_p_handle,
08174 NULL, &desc, &i_rights)) {
08175 if (i_rights & i_rvec)
08176 *result = TRUE;
08177 else
08178 *result = FALSE;
08179 } else {
08180 if (default_p_rights & i_rvec)
08181 *result = TRUE;
08182 else
08183 *result = FALSE;
08184 }
08185 return 0;
08186
08187 #ifdef CONFIG_RSBAC_ACL_UM_PROT
08188 case T_GROUP:
08189 if (tid.group == RSBAC_NO_GROUP) {
08190 if (!rsbac_ta_list_get_data_ttl
08191 (0, default_g_handle, NULL, &desc,
08192 &i_rights)) {
08193 if (i_rights & i_rvec)
08194 *result = TRUE;
08195 else
08196 *result = FALSE;
08197 } else {
08198 if (default_g_rights & i_rvec)
08199 *result = TRUE;
08200 else
08201 *result = FALSE;
08202 }
08203 return 0;
08204 }
08205
08206 if (!rsbac_ta_list_lol_get_subdata_ttl(0, g_handle,
08207 NULL,
08208 &tid.group,
08209 &desc, &i_rights)
08210 ) {
08211 if (i_rights & i_rvec)
08212 *result = TRUE;
08213 else
08214 *result = FALSE;
08215 return 0;
08216 }
08217 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08218 if (right != ACLR_SUPERVISOR)
08219 #endif
08220 {
08221 rsbac_acl_rights_vector_t mask;
08222
08223
08224 if (!rsbac_ta_list_lol_get_data_ttl(0, g_handle,
08225 NULL,
08226 &tid.group,
08227 &mask)
08228 && !(mask & i_rvec)
08229 ) {
08230 *result = FALSE;
08231 return 0;
08232 }
08233 }
08234
08235
08236 if (!rsbac_ta_list_get_data_ttl(0, default_g_handle,
08237 NULL, &desc, &i_rights)
08238 ) {
08239 if (i_rights & i_rvec)
08240 *result = TRUE;
08241 else
08242 *result = FALSE;
08243 } else {
08244 if (default_g_rights & i_rvec)
08245 *result = TRUE;
08246 else
08247 *result = FALSE;
08248 }
08249 return 0;
08250 #endif
08251
08252 #if defined(CONFIG_RSBAC_ACL_NET_DEV_PROT)
08253 case T_NETDEV:
08254 if (!tid.netdev[0]) {
08255 if (!rsbac_ta_list_get_data_ttl
08256 (0, default_netdev_handle, NULL, &desc,
08257 &i_rights)) {
08258 if (i_rights & i_rvec)
08259 *result = TRUE;
08260 else
08261 *result = FALSE;
08262 } else {
08263 if (default_netdev_rights & i_rvec)
08264 *result = TRUE;
08265 else
08266 *result = FALSE;
08267 }
08268 return 0;
08269 }
08270
08271 if (!rsbac_ta_list_lol_get_subdata_ttl(0, netdev_handle,
08272 NULL,
08273 &tid.netdev,
08274 &desc, &i_rights)
08275 ) {
08276 if (i_rights & i_rvec)
08277 *result = TRUE;
08278 else
08279 *result = FALSE;
08280 return 0;
08281 }
08282 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08283 if (right != ACLR_SUPERVISOR)
08284 #endif
08285 {
08286 rsbac_acl_rights_vector_t mask;
08287
08288
08289 if (!rsbac_ta_list_lol_get_data_ttl
08290 (0, netdev_handle, NULL, &tid.netdev, &mask)
08291 && !(mask & i_rvec)
08292 ) {
08293 *result = FALSE;
08294 return 0;
08295 }
08296 }
08297
08298
08299 if (!rsbac_ta_list_get_data_ttl(0, default_netdev_handle,
08300 NULL, &desc, &i_rights)
08301 ) {
08302 if (i_rights & i_rvec)
08303 *result = TRUE;
08304 else
08305 *result = FALSE;
08306 } else {
08307 if (default_netdev_rights & i_rvec)
08308 *result = TRUE;
08309 else
08310 *result = FALSE;
08311 }
08312 return 0;
08313 #endif
08314
08315 #if defined(CONFIG_RSBAC_ACL_NET_OBJ_PROT)
08316 case T_NETTEMP_NT:
08317 case T_NETTEMP:
08318 if (!tid.nettemp) {
08319 if (!rsbac_ta_list_get_data_ttl
08320 (0, default_nettemp_nt_handle, NULL, &desc,
08321 &i_rights)) {
08322 if (i_rights & i_rvec)
08323 *result = TRUE;
08324 else
08325 *result = FALSE;
08326 } else {
08327 if (default_nettemp_nt_rights & i_rvec)
08328 *result = TRUE;
08329 else
08330 *result = FALSE;
08331 }
08332 return 0;
08333 }
08334
08335
08336 if (right != R_CREATE) {
08337 if (!rsbac_net_template_exist(tid.nettemp))
08338 return FALSE;
08339 if (!rsbac_ta_list_lol_get_subdata_ttl
08340 (0, nettemp_nt_handle, NULL, &tid.nettemp,
08341 &desc, &i_rights)
08342 && (i_rights & i_rvec)
08343 ) {
08344 *result = TRUE;
08345 return 0;
08346 }
08347 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08348 if (right != ACLR_SUPERVISOR)
08349 #endif
08350 {
08351 rsbac_acl_rights_vector_t mask;
08352
08353
08354 if (!rsbac_ta_list_lol_get_data_ttl
08355 (0, nettemp_nt_handle, NULL,
08356 &tid.nettemp, &mask)
08357 && !(mask & i_rvec)
08358 ) {
08359 *result = FALSE;
08360 return 0;
08361 }
08362 }
08363 }
08364
08365
08366 if (!rsbac_ta_list_get_data_ttl
08367 (0, default_nettemp_nt_handle, NULL, &desc, &i_rights)
08368 ) {
08369 if (i_rights & i_rvec)
08370 *result = TRUE;
08371 else
08372 *result = FALSE;
08373 } else {
08374 if (default_nettemp_nt_rights & i_rvec)
08375 *result = TRUE;
08376 else
08377 *result = FALSE;
08378 }
08379 return 0;
08380
08381 case T_NETOBJ:
08382 if (!tid.netobj.sock_p) {
08383 if (!rsbac_ta_list_get_data_ttl
08384 (0, default_netobj_handle, NULL, &desc,
08385 &i_rights)) {
08386 if (i_rights & i_rvec)
08387 *result = TRUE;
08388 else
08389 *result = FALSE;
08390 } else {
08391 if (default_netobj_rights & i_rvec)
08392 *result = TRUE;
08393 else
08394 *result = FALSE;
08395 }
08396 return 0;
08397 }
08398
08399 if (!rsbac_ta_list_lol_get_subdata_ttl(0, netobj_handle,
08400 NULL,
08401 &tid.netobj.sock_p,
08402 &desc, &i_rights)
08403 ) {
08404 if (i_rights & i_rvec)
08405 *result = TRUE;
08406 else
08407 *result = FALSE;
08408 return 0;
08409 }
08410 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08411 if (right != ACLR_SUPERVISOR)
08412 #endif
08413 {
08414 rsbac_acl_rights_vector_t mask;
08415
08416
08417 if (!rsbac_ta_list_lol_get_data_ttl
08418 (0, netobj_handle, NULL, &tid.netobj.sock_p,
08419 &mask)
08420 && !(mask & i_rvec)
08421 ) {
08422 *result = FALSE;
08423 return 0;
08424 }
08425 }
08426
08427 {
08428 rsbac_net_temp_id_t temp = 0;
08429
08430 if (rsbac_net_remote_request(right)) {
08431 if(tid.netobj.remote_temp)
08432 temp = tid.netobj.remote_temp;
08433 else
08434 rsbac_ta_net_lookup_templates(0,
08435 &tid.netobj,
08436 NULL, &temp);
08437 } else {
08438 if(tid.netobj.local_temp)
08439 temp = tid.netobj.local_temp;
08440 else
08441 rsbac_ta_net_lookup_templates(0,
08442 &tid.netobj,
08443 &temp, NULL);
08444 }
08445 if (temp
08446 && !rsbac_ta_list_lol_get_subdata_ttl(0,
08447 nettemp_handle,
08448 NULL,
08449 &temp,
08450 &desc,
08451 &i_rights)
08452 ) {
08453 if (i_rights & i_rvec)
08454 *result = TRUE;
08455 else
08456 *result = FALSE;
08457 return 0;
08458 }
08459 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08460 if (right != ACLR_SUPERVISOR)
08461 #endif
08462 {
08463 rsbac_acl_rights_vector_t mask;
08464
08465
08466 if (!rsbac_ta_list_lol_get_data_ttl
08467 (0, nettemp_handle, NULL, &temp, &mask)
08468 && !(mask & i_rvec)
08469 ) {
08470 *result = FALSE;
08471 return 0;
08472 }
08473 }
08474 }
08475
08476
08477 if (!rsbac_ta_list_get_data_ttl(0, default_netobj_handle,
08478 NULL, &desc, &i_rights)
08479 ) {
08480 if (i_rights & i_rvec)
08481 *result = TRUE;
08482 else
08483 *result = FALSE;
08484 } else {
08485 if (default_netobj_rights & i_rvec)
08486 *result = TRUE;
08487 else
08488 *result = FALSE;
08489 }
08490 return 0;
08491 #endif
08492
08493 default:
08494 return -RSBAC_EINVALIDTARGET;
08495 }
08496 }
08497
08498
08499
08500
08501
08502
08503 int rsbac_acl_get_tlist(rsbac_list_ta_number_t ta_number,
08504 enum rsbac_target_t target,
08505 union rsbac_target_id_t tid,
08506 struct rsbac_acl_entry_t **entry_pp,
08507 rsbac_time_t ** ttl_pp)
08508 {
08509 int count = 0;
08510 struct rsbac_acl_device_list_item_t *device_p;
08511 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
08512 u_long dflags;
08513 #endif
08514
08515 if (!rsbac_is_initialized()) {
08516 rsbac_printk(KERN_WARNING "rsbac_acl_get_tlist(): RSBAC not initialized\n");
08517 return (-RSBAC_ENOTINITIALIZED);
08518 }
08519 if (!entry_pp)
08520 return (-RSBAC_EINVALIDPOINTER);
08521 #ifdef CONFIG_RSBAC_DEBUG
08522 if (in_interrupt()) {
08523 rsbac_printk(KERN_WARNING "rsbac_acl_get_tlist(): called from interrupt!\n");
08524 }
08525 #endif
08526 switch (target) {
08527 case T_FD:
08528 case T_FILE:
08529 case T_DIR:
08530 case T_FIFO:
08531 case T_SYMLINK:
08532 case T_UNIXSOCK:
08533
08534 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode
08535 && !tid.file.dentry_p)
08536 return rsbac_ta_list_get_all_items_ttl(ta_number,
08537 default_fd_handle,
08538 (void **)
08539 entry_pp,
08540 ttl_pp);
08541 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
08542 rcu_read_lock();
08543 #else
08544 rsbac_read_lock(&device_list_lock, &dflags);
08545 #endif
08546
08547 device_p = acl_lookup_device(tid.file.device);
08548 if (!device_p) {
08549
08550 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
08551 rcu_read_unlock();
08552 #else
08553 rsbac_read_unlock(&device_list_lock, &dflags);
08554 #endif
08555 rsbac_get_super_block(tid.file.device);
08556
08557 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
08558 rcu_read_lock();
08559 #else
08560 rsbac_read_lock(&device_list_lock, &dflags);
08561 #endif
08562 device_p = acl_lookup_device(tid.file.device);
08563 if (!device_p) {
08564 rsbac_printk(KERN_WARNING "rsbac_acl_get_tlist(): Could not lookup device!\n");
08565 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
08566 rcu_read_unlock();
08567 #else
08568 rsbac_read_unlock(&device_list_lock, &dflags);
08569 #endif
08570 return (-RSBAC_EINVALIDDEV);
08571 }
08572 }
08573
08574 count = rsbac_ta_list_lol_get_all_subitems_ttl(ta_number,
08575 device_p->
08576 handle,
08577 &tid.file.
08578 inode,
08579 (void **)
08580 entry_pp,
08581 ttl_pp);
08582 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
08583 rcu_read_unlock();
08584 #else
08585 rsbac_read_unlock(&device_list_lock, &dflags);
08586 #endif
08587 return count;
08588
08589 case T_DEV:
08590 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev))
08591 return rsbac_ta_list_get_all_items_ttl(ta_number,
08592 default_dev_handle,
08593 (void **)
08594 entry_pp,
08595 ttl_pp);
08596 else
08597 switch (tid.dev.type) {
08598 case D_char:
08599 case D_block:
08600 return
08601 rsbac_ta_list_lol_get_all_subitems_ttl
08602 (ta_number, dev_handle, &tid.dev,
08603 (void **) entry_pp, ttl_pp);
08604
08605 case D_char_major:
08606 case D_block_major:
08607 tid.dev.type -= (D_block_major - D_block);
08608 return
08609 rsbac_ta_list_lol_get_all_subitems_ttl
08610 (ta_number, dev_major_handle, &tid.dev,
08611 (void **) entry_pp, ttl_pp);
08612
08613 default:
08614 return -RSBAC_EINVALIDTARGET;
08615 }
08616
08617 case T_IPC:
08618
08619 return rsbac_ta_list_get_all_items_ttl(ta_number,
08620 default_ipc_handle,
08621 (void **) entry_pp,
08622 ttl_pp);
08623
08624 case T_SCD:
08625 if ((tid.scd == AST_none)
08626 || (tid.scd == ST_none)
08627 )
08628 return rsbac_ta_list_get_all_items_ttl(ta_number,
08629 default_scd_handle,
08630 (void **)
08631 entry_pp,
08632 ttl_pp);
08633 else
08634 return
08635 rsbac_ta_list_lol_get_all_subitems_ttl
08636 (ta_number, scd_handle, &tid.scd,
08637 (void **) entry_pp, ttl_pp);
08638
08639 case T_USER:
08640 if (tid.user == RSBAC_NO_USER)
08641 return rsbac_ta_list_get_all_items_ttl(ta_number,
08642 default_u_handle,
08643 (void **)
08644 entry_pp,
08645 ttl_pp);
08646 else
08647 return
08648 rsbac_ta_list_lol_get_all_subitems_ttl
08649 (ta_number, u_handle, &tid.user,
08650 (void **) entry_pp, ttl_pp);
08651
08652 case T_PROCESS:
08653 return rsbac_ta_list_get_all_items_ttl(ta_number,
08654 default_p_handle,
08655 (void **) entry_pp,
08656 ttl_pp);
08657
08658 #ifdef CONFIG_RSBAC_ACL_UM_PROT
08659 case T_GROUP:
08660 if (tid.group == RSBAC_NO_GROUP)
08661 return rsbac_ta_list_get_all_items_ttl(ta_number,
08662 default_g_handle,
08663 (void **)
08664 entry_pp,
08665 ttl_pp);
08666 else
08667 return
08668 rsbac_ta_list_lol_get_all_subitems_ttl
08669 (ta_number, g_handle, &tid.group,
08670 (void **) entry_pp, ttl_pp);
08671 #endif
08672
08673 #if defined(CONFIG_RSBAC_ACL_NET_DEV_PROT)
08674 case T_NETDEV:
08675 if (!tid.netdev[0])
08676 return rsbac_ta_list_get_all_items_ttl(ta_number,
08677 default_netdev_handle,
08678 (void **)
08679 entry_pp,
08680 ttl_pp);
08681 else
08682 return
08683 rsbac_ta_list_lol_get_all_subitems_ttl
08684 (ta_number, netdev_handle, &tid.netdev,
08685 (void **) entry_pp, ttl_pp);
08686 #endif
08687
08688 #if defined(CONFIG_RSBAC_ACL_NET_OBJ_PROT)
08689 case T_NETTEMP_NT:
08690 if (!tid.nettemp)
08691 return rsbac_ta_list_get_all_items_ttl(ta_number,
08692 default_nettemp_nt_handle,
08693 (void **)
08694 entry_pp,
08695 ttl_pp);
08696 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
08697 return -RSBAC_EINVALIDTARGET;
08698 return rsbac_ta_list_lol_get_all_subitems_ttl(ta_number,
08699 nettemp_nt_handle,
08700 &tid.nettemp,
08701 (void **)
08702 entry_pp,
08703 ttl_pp);
08704
08705 case T_NETTEMP:
08706 if (!tid.nettemp)
08707 return -RSBAC_EINVALIDTARGET;
08708 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
08709 return -RSBAC_EINVALIDTARGET;
08710 return rsbac_ta_list_lol_get_all_subitems_ttl(ta_number,
08711 nettemp_handle,
08712 &tid.nettemp,
08713 (void **)
08714 entry_pp,
08715 ttl_pp);
08716
08717 case T_NETOBJ:
08718 if (!tid.nettemp)
08719 return rsbac_ta_list_get_all_items_ttl(ta_number,
08720 default_netobj_handle,
08721 (void **)
08722 entry_pp,
08723 ttl_pp);
08724 else
08725 return
08726 rsbac_ta_list_lol_get_all_subitems_ttl
08727 (ta_number, netobj_handle, &tid.netobj.sock_p,
08728 (void **) entry_pp, ttl_pp);
08729 #endif
08730
08731 default:
08732 return -RSBAC_EINVALIDTARGET;
08733 }
08734 }
08735
08736
08737 int rsbac_acl_remove_subject(rsbac_list_ta_number_t ta_number,
08738 struct rsbac_acl_entry_desc_t desc)
08739 {
08740 struct rsbac_acl_device_list_item_t *device_p;
08741 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
08742 u_long dflags;
08743 #endif
08744
08745 if (desc.subj_type >= ACLS_NONE)
08746 return -RSBAC_EINVALIDVALUE;
08747
08748
08749 rsbac_ta_list_remove(ta_number, default_fd_handle, &desc);
08750 rsbac_ta_list_remove(ta_number, default_dev_handle, &desc);
08751 rsbac_ta_list_remove(ta_number, default_ipc_handle, &desc);
08752 rsbac_ta_list_remove(ta_number, default_scd_handle, &desc);
08753 rsbac_ta_list_remove(ta_number, default_u_handle, &desc);
08754 rsbac_ta_list_remove(ta_number, default_p_handle, &desc);
08755 #ifdef CONFIG_RSBAC_ACL_UM_PROT
08756 rsbac_ta_list_remove(ta_number, default_g_handle, &desc);
08757 #endif
08758 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
08759 rsbac_ta_list_remove(ta_number, default_netdev_handle, &desc);
08760 #endif
08761 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
08762 rsbac_ta_list_remove(ta_number, default_nettemp_nt_handle, &desc);
08763 rsbac_ta_list_remove(ta_number, default_netobj_handle, &desc);
08764 #endif
08765
08766 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
08767 rcu_read_lock();
08768 #else
08769 rsbac_read_lock(&device_list_lock, &dflags);
08770 #endif
08771 device_p = rcu_dereference(device_list_head_p)->head;
08772 while (device_p) {
08773 rsbac_ta_list_lol_subremove_from_all(ta_number,
08774 device_p->handle,
08775 &desc);
08776 device_p = device_p->next;
08777 }
08778 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
08779 rcu_read_unlock();
08780 #else
08781 rsbac_read_unlock(&device_list_lock, &dflags);
08782 #endif
08783
08784
08785 rsbac_ta_list_lol_subremove_from_all(ta_number, dev_major_handle,
08786 &desc);
08787 rsbac_ta_list_lol_subremove_from_all(ta_number, dev_handle, &desc);
08788
08789
08790 rsbac_ta_list_lol_subremove_from_all(ta_number, scd_handle, &desc);
08791
08792
08793 rsbac_ta_list_lol_subremove_from_all(ta_number, u_handle, &desc);
08794
08795 #ifdef CONFIG_RSBAC_ACL_UM_PROT
08796
08797 rsbac_ta_list_lol_subremove_from_all(ta_number, g_handle, &desc);
08798 #endif
08799
08800 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
08801
08802 rsbac_ta_list_lol_subremove_from_all(ta_number, netdev_handle,
08803 &desc);
08804 #endif
08805 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
08806 rsbac_ta_list_lol_subremove_from_all(ta_number, nettemp_nt_handle,
08807 &desc);
08808 rsbac_ta_list_lol_subremove_from_all(ta_number, nettemp_handle,
08809 &desc);
08810 rsbac_ta_list_lol_subremove_from_all(ta_number, netobj_handle,
08811 &desc);
08812 #endif
08813
08814 return 0;
08815 }
08816
08817
08818
08819 int rsbac_acl_add_group(rsbac_list_ta_number_t ta_number,
08820 rsbac_uid_t owner,
08821 enum rsbac_acl_group_type_t type,
08822 char *name, rsbac_acl_group_id_t * group_id_p)
08823 {
08824 struct rsbac_acl_group_entry_t entry;
08825 int err = 0;
08826
08827 if (type >= ACLG_NONE)
08828 return -RSBAC_EINVALIDVALUE;
08829 if (!name || !group_id_p)
08830 return -RSBAC_EINVALIDPOINTER;
08831 if (!name[0])
08832 return -RSBAC_EINVALIDVALUE;
08833 entry.owner = owner;
08834 entry.type = type;
08835 strncpy(entry.name, name, RSBAC_ACL_GROUP_NAMELEN - 1);
08836 entry.name[RSBAC_ACL_GROUP_NAMELEN - 1] = 0;
08837 if (!*group_id_p) {
08838
08839 group_last_new++;
08840
08841 while (!group_last_new
08842 || rsbac_ta_list_exist(ta_number, group_handle,
08843 &group_last_new))
08844 group_last_new++;
08845
08846 entry.id = group_last_new;
08847 } else {
08848 if (rsbac_ta_list_exist
08849 (ta_number, group_handle, group_id_p)) {
08850 return (-RSBAC_EEXISTS);
08851 } else
08852 entry.id = *group_id_p;
08853 }
08854 if (rsbac_ta_list_add_ttl
08855 (ta_number, group_handle, 0, &entry.id, &entry))
08856 err = -RSBAC_ECOULDNOTADDITEM;
08857 else {
08858 *group_id_p = entry.id;
08859 }
08860 return (err);
08861 }
08862
08863 int rsbac_acl_change_group(rsbac_list_ta_number_t ta_number,
08864 rsbac_acl_group_id_t id,
08865 rsbac_uid_t owner,
08866 enum rsbac_acl_group_type_t type, char *name)
08867 {
08868 struct rsbac_acl_group_entry_t entry;
08869
08870 if (!id)
08871 return -RSBAC_EINVALIDVALUE;
08872 if (!rsbac_ta_list_exist(ta_number, group_handle, &id))
08873 return (-RSBAC_ENOTFOUND);
08874 if (!name)
08875 return -RSBAC_EINVALIDPOINTER;
08876 if (!name[0])
08877 return -RSBAC_EINVALIDVALUE;
08878 entry.id = id;
08879 entry.owner = owner;
08880 entry.type = type;
08881 strncpy(entry.name, name, RSBAC_ACL_GROUP_NAMELEN);
08882 entry.name[RSBAC_ACL_GROUP_NAMELEN - 1] = 0;
08883 return rsbac_ta_list_add_ttl(ta_number, group_handle, 0, &entry.id,
08884 &entry);
08885 }
08886
08887 int rsbac_acl_remove_group(rsbac_list_ta_number_t ta_number,
08888 rsbac_acl_group_id_t id)
08889 {
08890 int err = 0;
08891
08892 if (!id)
08893 return -RSBAC_EINVALIDVALUE;
08894
08895 err = rsbac_ta_list_remove(ta_number, group_handle, &id);
08896 if (!err) {
08897 struct rsbac_acl_entry_desc_t desc;
08898
08899
08900 rsbac_ta_list_lol_subremove_from_all(ta_number, gm_handle,
08901 &id);
08902 desc.subj_type = ACLS_GROUP;
08903 desc.subj_id = id;
08904 err = rsbac_acl_remove_subject(ta_number, desc);
08905 }
08906 return (err);
08907 }
08908
08909 int rsbac_acl_get_group_entry(rsbac_list_ta_number_t ta_number,
08910 rsbac_acl_group_id_t group,
08911 struct rsbac_acl_group_entry_t *entry_p)
08912 {
08913 if (!group)
08914 return -RSBAC_EINVALIDVALUE;
08915 if (!entry_p)
08916 return -RSBAC_EINVALIDPOINTER;
08917 return rsbac_ta_list_get_data_ttl(ta_number, group_handle, NULL,
08918 &group, entry_p);
08919 }
08920
08921 int rsbac_acl_list_groups(rsbac_list_ta_number_t ta_number,
08922 rsbac_uid_t owner,
08923 rsbac_boolean_t include_global,
08924 struct rsbac_acl_group_entry_t **entry_pp)
08925 {
08926 long count;
08927 struct rsbac_acl_group_entry_t *local_entry_p;
08928
08929 if (!entry_pp)
08930 return -RSBAC_EINVALIDPOINTER;
08931 count =
08932 rsbac_ta_list_get_all_data(ta_number, group_handle,
08933 (void **) &local_entry_p);
08934 if (count > 0) {
08935 long i;
08936 long rescount = 0;
08937
08938 *entry_pp = rsbac_vmalloc(count * sizeof(**entry_pp));
08939 if (!*entry_pp) {
08940 rsbac_vfree(local_entry_p);
08941 return -RSBAC_ENOMEM;
08942 }
08943 for (i = 0; i < count; i++) {
08944 if ((local_entry_p[i].owner == owner)
08945 || (include_global
08946 && (local_entry_p[i].type == ACLG_GLOBAL)
08947 )
08948 ) {
08949 memcpy(&(*entry_pp)[rescount],
08950 &local_entry_p[i],
08951 sizeof(local_entry_p[i]));
08952 rescount++;
08953 }
08954 }
08955 rsbac_vfree(local_entry_p);
08956 count = rescount;
08957 }
08958 return count;
08959 }
08960
08961
08962 rsbac_boolean_t rsbac_acl_group_exist(rsbac_acl_group_id_t group)
08963 {
08964 if (!group)
08965 return TRUE;
08966 return rsbac_ta_list_exist(0, group_handle, &group);
08967 }
08968
08969 int rsbac_acl_add_group_member(rsbac_list_ta_number_t ta_number,
08970 rsbac_acl_group_id_t group,
08971 rsbac_uid_t user, rsbac_time_t ttl)
08972 {
08973 int err = 0;
08974
08975 if (!group)
08976 return -RSBAC_EINVALIDVALUE;
08977 if (!rsbac_ta_list_exist(ta_number, group_handle, &group))
08978 return -RSBAC_EINVALIDVALUE;
08979
08980 if (!rsbac_ta_list_lol_exist(ta_number, gm_handle, &user)) {
08981 err =
08982 rsbac_ta_list_lol_add_ttl(ta_number, gm_handle, 0,
08983 &user, NULL);
08984 if (err)
08985 return err;
08986 }
08987 return rsbac_ta_list_lol_subadd_ttl(ta_number, gm_handle, ttl,
08988 &user, &group, NULL);
08989 }
08990
08991 int rsbac_acl_remove_group_member(rsbac_list_ta_number_t ta_number,
08992 rsbac_acl_group_id_t group,
08993 rsbac_uid_t user)
08994 {
08995 int err;
08996
08997 if (!group)
08998 return -RSBAC_EINVALIDVALUE;
08999 if (!rsbac_ta_list_exist(ta_number, group_handle, &group))
09000 return -RSBAC_EINVALIDVALUE;
09001
09002 err =
09003 rsbac_ta_list_lol_subremove(ta_number, gm_handle, &user,
09004 &group);
09005
09006 if (!err
09007 && !rsbac_ta_list_lol_subcount(ta_number, gm_handle, &user)
09008 )
09009 err =
09010 rsbac_ta_list_lol_remove(ta_number, gm_handle, &user);
09011
09012 return err;
09013 }
09014
09015
09016 rsbac_boolean_t rsbac_acl_group_member(rsbac_acl_group_id_t group,
09017 rsbac_uid_t user)
09018 {
09019 return rsbac_ta_list_lol_subexist(0, gm_handle, &user, &group);
09020 }
09021
09022
09023
09024
09025 int rsbac_acl_get_user_groups(rsbac_list_ta_number_t ta_number,
09026 rsbac_uid_t user,
09027 rsbac_acl_group_id_t ** group_pp,
09028 rsbac_time_t ** ttl_pp)
09029 {
09030 return rsbac_ta_list_lol_get_all_subdesc_ttl(ta_number,
09031 gm_handle,
09032 &user,
09033 (void **) group_pp,
09034 ttl_pp);
09035 }
09036
09037
09038 int rsbac_acl_get_group_members(rsbac_list_ta_number_t ta_number,
09039 rsbac_acl_group_id_t group,
09040 rsbac_uid_t user_array[],
09041 rsbac_time_t ttl_array[], int maxnum)
09042 {
09043 long desc_count;
09044 long i;
09045 rsbac_uid_t *user_p;
09046 int err = 0;
09047
09048 if (!group || (maxnum <= 0))
09049 return -RSBAC_EINVALIDVALUE;
09050 if (!rsbac_ta_list_exist(ta_number, group_handle, &group))
09051 return -RSBAC_EINVALIDVALUE;
09052 if (!user_array)
09053 return -RSBAC_EINVALIDPOINTER;
09054
09055
09056 desc_count =
09057 rsbac_ta_list_lol_get_all_desc(ta_number, gm_handle,
09058 (void **) &user_p);
09059 if (desc_count > 0) {
09060 rsbac_time_t ttl;
09061
09062 for (i = 0; i < desc_count; i++) {
09063 if (!rsbac_ta_list_lol_get_subdata_ttl
09064 (ta_number, gm_handle, &ttl, &user_p[i],
09065 &group, NULL)) {
09066 user_array[err] = user_p[i];
09067 if (ttl_array)
09068 ttl_array[err] = ttl;
09069 err++;
09070 if (err >= maxnum)
09071 break;
09072 }
09073 }
09074 rsbac_vfree(user_p);
09075 }
09076 return (err);
09077 }
09078
09079 int rsbac_acl_list_all_dev(rsbac_list_ta_number_t ta_number,
09080 struct rsbac_dev_desc_t **id_pp)
09081 {
09082 if (id_pp)
09083 return rsbac_ta_list_lol_get_all_desc(ta_number,
09084 dev_handle,
09085 (void **) id_pp);
09086 else
09087 return rsbac_ta_list_lol_count(ta_number, dev_handle);
09088 }
09089
09090 int rsbac_acl_list_all_major_dev(rsbac_list_ta_number_t ta_number,
09091 struct rsbac_dev_desc_t **id_pp)
09092 {
09093 if (id_pp) {
09094 int count;
09095
09096 count =
09097 rsbac_ta_list_lol_get_all_desc(ta_number,
09098 dev_major_handle,
09099 (void **) id_pp);
09100 if (count > 0) {
09101 u_int i;
09102 struct rsbac_dev_desc_t *tmp_p;
09103
09104 tmp_p = *id_pp;
09105 for (i = 0; i < count; i++)
09106 tmp_p[i].type += (D_block_major - D_block);
09107 }
09108 return count;
09109 } else
09110 return rsbac_ta_list_lol_count(ta_number,
09111 dev_major_handle);
09112 }
09113
09114 int rsbac_acl_list_all_user(rsbac_list_ta_number_t ta_number,
09115 rsbac_uid_t ** id_pp)
09116 {
09117 if (id_pp)
09118 return rsbac_ta_list_lol_get_all_desc(ta_number, u_handle,
09119 (void **) id_pp);
09120 else
09121 return rsbac_ta_list_lol_count(ta_number, u_handle);
09122 }
09123
09124 #ifdef CONFIG_RSBAC_ACL_UM_PROT
09125 int rsbac_acl_list_all_group(rsbac_list_ta_number_t ta_number,
09126 rsbac_gid_t ** id_pp)
09127 {
09128 if (id_pp)
09129 return rsbac_ta_list_lol_get_all_desc(ta_number, g_handle,
09130 (void **) id_pp);
09131 else
09132 return rsbac_ta_list_lol_count(ta_number, g_handle);
09133 }
09134 #endif
09135
09136
09137
09138 int rsbac_acl_remove_user(rsbac_list_ta_number_t ta_number,
09139 rsbac_uid_t user)
09140 {
09141 u_long i;
09142 struct rsbac_acl_group_entry_t *entry_p;
09143 long desc_count;
09144 struct rsbac_acl_entry_desc_t desc;
09145
09146 rsbac_ta_list_lol_remove(ta_number, gm_handle, &user);
09147
09148 desc_count =
09149 rsbac_ta_list_get_all_data(ta_number, group_handle,
09150 (void **) &entry_p);
09151 if (desc_count > 0) {
09152 for (i = 0; i < desc_count; i++) {
09153 if (entry_p[i].owner == user) {
09154 rsbac_ta_list_remove(ta_number,
09155 group_handle,
09156 &entry_p[i].id);
09157
09158 rsbac_ta_list_lol_subremove_from_all
09159 (ta_number, gm_handle, &entry_p[i].id);
09160 }
09161 }
09162 rsbac_vfree(entry_p);
09163 }
09164
09165 desc.subj_type = ACLS_USER;
09166 desc.subj_id = user;
09167
09168 return rsbac_acl_remove_subject(ta_number, desc);
09169 }