/linux-2.6.21.1-rsbac-1.3.4/rsbac/adf/rc/rc_syscalls.c File Reference

#include <linux/string.h>
#include <rsbac/types.h>
#include <rsbac/aci.h>
#include <rsbac/rc.h>
#include <rsbac/adf_main.h>
#include <rsbac/error.h>
#include <rsbac/debug.h>
#include <rsbac/helpers.h>
#include <rsbac/getname.h>
#include <rsbac/rc_getname.h>
#include <rsbac/rkmem.h>
#include <rsbac/um.h>

Go to the source code of this file.

Functions

int rsbac_rc_test_role_admin (rsbac_boolean_t modify)
int rsbac_rc_test_admin_roles (rsbac_rc_role_id_t t_role, rsbac_boolean_t modify)
enum rsbac_adf_req_ret_t rsbac_rc_check_type_comp (enum rsbac_target_t target, rsbac_rc_type_id_t type, enum rsbac_adf_request_t request, rsbac_pid_t caller_pid)
int rsbac_rc_sys_copy_role (rsbac_list_ta_number_t ta_number, rsbac_rc_role_id_t from_role, rsbac_rc_role_id_t to_role)
int rsbac_rc_sys_copy_type (rsbac_list_ta_number_t ta_number, enum rsbac_rc_target_t target, rsbac_rc_type_id_t from_type, rsbac_rc_type_id_t to_type)
int rsbac_rc_sys_get_item (rsbac_list_ta_number_t ta_number, enum rsbac_rc_target_t target, union rsbac_rc_target_id_t tid, union rsbac_rc_target_id_t subtid, enum rsbac_rc_item_t item, union rsbac_rc_item_value_t *value_p, rsbac_time_t *ttl_p)
int rsbac_rc_sys_set_item (rsbac_list_ta_number_t ta_number, enum rsbac_rc_target_t target, union rsbac_rc_target_id_t tid, union rsbac_rc_target_id_t subtid, enum rsbac_rc_item_t item, union rsbac_rc_item_value_t value, rsbac_time_t ttl)
int rsbac_rc_sys_change_role (rsbac_rc_role_id_t role, char *pass)
int rsbac_rc_sys_get_eff_rights (rsbac_list_ta_number_t ta_number, enum rsbac_target_t target, union rsbac_target_id_t tid, rsbac_rc_request_vector_t *request_vector, rsbac_time_t *ttl_p)
int rsbac_rc_sys_get_current_role (rsbac_rc_role_id_t *role_p)
int rsbac_rc_select_fd_create_type (rsbac_rc_type_id_t type)


Function Documentation

enum rsbac_adf_req_ret_t rsbac_rc_check_type_comp ( enum rsbac_target_t  target,
rsbac_rc_type_id_t  type,
enum rsbac_adf_request_t  request,
rsbac_pid_t  caller_pid 
)

Definition at line 269 of file rc_main.c.

References A_rc_role, FALSE, get_rc_special_right_name(), GRANTED, NOT_GRANTED, rsbac_target_id_t::process, rsbac_attribute_value_t::rc_role, RC_type_max_value, RCR_ASSIGN, RI_type_comp_dev, RI_type_comp_fd, RI_type_comp_group, RI_type_comp_ipc, RI_type_comp_netdev, RI_type_comp_netobj, RI_type_comp_nettemp, RI_type_comp_process, RI_type_comp_user, rsbac_get_attr, RSBAC_MAXNAMELEN, rsbac_pr_debug, rsbac_pr_get_error, rsbac_printk(), rsbac_rc_check_comp(), SW_RC, T_DEV, T_DIR, T_FD, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_PROCESS, T_SYMLINK, T_UNIXSOCK, T_USER, and rsbac_rc_target_id_t::type.

Referenced by rsbac_adf_request_rc(), rsbac_rc_select_fd_create_type(), rsbac_rc_sys_copy_type(), rsbac_rc_sys_get_item(), and rsbac_rc_sys_set_item().

00273 {
00274         int err;
00275         union rsbac_target_id_t i_tid;
00276         union rsbac_attribute_value_t i_attr_val1;
00277 
00278         union rsbac_rc_target_id_t i_rc_subtid;
00279         enum rsbac_rc_item_t i_rc_item;
00280 
00281         if (!caller_pid)
00282                 caller_pid = current->pid;
00283         /*
00284          * we don't care about tried assignments of special type values,
00285          * but deny other accesses to those
00286          */
00287         if (type > RC_type_max_value) {
00288                 if (request == RCR_ASSIGN)
00289                         return GRANTED;
00290                 else
00291                         return NOT_GRANTED;
00292         }
00293 
00294         /* get rc_role from process */
00295         i_tid.process = caller_pid;
00296         if ((err = rsbac_get_attr(SW_RC,
00297                                   T_PROCESS,
00298                                   i_tid,
00299                                   A_rc_role, &i_attr_val1, FALSE))) {
00300                 rsbac_pr_get_error(A_rc_role);
00301                 return (NOT_GRANTED);
00302         }
00303         switch (target) {
00304         case T_FILE:
00305         case T_DIR:
00306         case T_FIFO:
00307         case T_SYMLINK:
00308         case T_UNIXSOCK:
00309         case T_FD:
00310                 i_rc_item = RI_type_comp_fd;
00311                 break;
00312         case T_DEV:
00313                 i_rc_item = RI_type_comp_dev;
00314                 break;
00315         case T_USER:
00316                 i_rc_item = RI_type_comp_user;
00317                 break;
00318         case T_PROCESS:
00319                 i_rc_item = RI_type_comp_process;
00320                 break;
00321         case T_IPC:
00322                 i_rc_item = RI_type_comp_ipc;
00323                 break;
00324 #if defined(CONFIG_RSBAC_RC_UM_PROT)
00325         case T_GROUP:
00326                 i_rc_item = RI_type_comp_group;
00327                 break;
00328 #endif
00329 #if defined(CONFIG_RSBAC_RC_NET_DEV_PROT)
00330         case T_NETDEV:
00331                 i_rc_item = RI_type_comp_netdev;
00332                 break;
00333 #endif
00334 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
00335         case T_NETTEMP:
00336                 i_rc_item = RI_type_comp_nettemp;
00337                 break;
00338         case T_NETOBJ:
00339                 i_rc_item = RI_type_comp_netobj;
00340                 break;
00341 #endif
00342 
00343         default:
00344                 rsbac_printk(KERN_WARNING "rsbac_rc_check_type_comp(): invalid target %i!\n",
00345                              target);
00346                 return (NOT_GRANTED);
00347         }
00348         /* check type_comp_xxx of role */
00349         i_rc_subtid.type = type;
00350         if (rsbac_rc_check_comp(i_attr_val1.rc_role,
00351                                 i_rc_subtid, i_rc_item, request))
00352                 return (GRANTED);
00353         else {
00354                 char tmp[RSBAC_MAXNAMELEN];
00355                 rsbac_pr_debug(adf_rc, "rc_role is %i, rc_type is %i, request is %s -> NOT_GRANTED!\n",
00356                                i_attr_val1.rc_role, type,
00357                                get_rc_special_right_name(tmp, request));
00358                 return (NOT_GRANTED);
00359         }
00360 }

int rsbac_rc_select_fd_create_type ( rsbac_rc_type_id_t  type  ) 

Definition at line 1694 of file rc_syscalls.c.

References A_rc_select_type, rsbac_target_id_t::process, rsbac_attribute_value_t::rc_select_type, RC_type_use_fd, RCR_SELECT, RSBAC_EINVALIDVALUE, rsbac_printk(), rsbac_rc_check_type_comp(), rsbac_rc_type_exists(), rsbac_set_attr, SW_RC, T_FILE, and T_PROCESS.

Referenced by sys_rsbac_rc_select_fd_create_type().

01695 {
01696 
01697         int res;
01698 
01699         union rsbac_target_id_t tid;
01700         union rsbac_attribute_value_t attr_val;
01701 
01702         /* sanity checks */
01703         if (type != RC_type_use_fd) {
01704                 if (!rsbac_rc_type_exists(0, T_FILE, type))
01705                         return -RSBAC_EINVALIDVALUE;
01706 #ifndef CONFIG_RSBAC_MAINT
01707                 if (!rsbac_rc_check_type_comp(T_FILE, type, RCR_SELECT, current->pid)) {
01708 #ifdef CONFIG_RSBAC_SOFTMODE
01709                         if(   !rsbac_softmode
01710 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01711                            && !rsbac_ind_softmode[SW_RC]
01712 #endif
01713                         )
01714 #endif
01715                                 return -EPERM;
01716                 }
01717 #endif
01718         }
01719 
01720         tid.process = current->pid;
01721         attr_val.rc_select_type = type;
01722         if ((res = rsbac_set_attr(SW_RC,
01723                                   T_PROCESS,
01724                                   tid,
01725                                   A_rc_select_type,
01726                                   attr_val))) {
01727                 rsbac_printk(KERN_WARNING "rsbac_rc_select_fd_create_type(): rsbac_set_attr() returned error %i\n", res);
01728                 return -EPERM;
01729         }
01730 
01731         return 0;
01732 }

int rsbac_rc_sys_change_role ( rsbac_rc_role_id_t  role,
char *  pass 
)

Definition at line 1427 of file rc_syscalls.c.

References A_rc_role, NULL, rsbac_target_id_t::process, rsbac_attribute_value_t::rc_role, rsbac_rc_item_value_t::req_reauth, RI_req_reauth, RI_role_comp, rsbac_rc_target_id_t::role, RSBAC_ENOMEM, RSBAC_EWRITEFAILED, rsbac_get_attr, rsbac_kfree(), rsbac_kmalloc(), RSBAC_MAXNAMELEN, rsbac_printk(), rsbac_rc_check_comp(), rsbac_rc_get_item(), rsbac_set_attr, rsbac_um_check_pass(), RT_ROLE, SW_RC, T_PROCESS, and TRUE.

Referenced by sys_rsbac_rc_change_role().

01428 {
01429         int err;
01430         union rsbac_target_id_t i_tid;
01431         union rsbac_attribute_value_t i_attr_val1;
01432 #if !defined(CONFIG_RSBAC_MAINT)
01433 #ifdef CONFIG_RSBAC_UM
01434         union rsbac_rc_item_value_t i_rc_item_val1;
01435         char *k_pass;
01436 #endif
01437 #endif
01438 
01439 #if !defined(CONFIG_RSBAC_MAINT)
01440 #ifdef CONFIG_RSBAC_SWITCH_RC
01441         if (rsbac_switch_rc)
01442 #endif
01443         {
01444                 union rsbac_rc_target_id_t i_rc_subtid;
01445 
01446                 i_tid.process = current->pid;
01447                 /* get rc_role of process */
01448                 if ((err = rsbac_get_attr(SW_RC,
01449                                           T_PROCESS,
01450                                           i_tid,
01451                                           A_rc_role,
01452                                           &i_attr_val1, TRUE))) {
01453                         rsbac_printk(KERN_WARNING "rsbac_rc_sys_change_role(): rsbac_get_attr() returned error %i\n",
01454                                      err);
01455                         goto out;
01456                 }
01457 
01458                 /* check role_comp of role */
01459                 i_rc_subtid.role = role;
01460                 if (!rsbac_rc_check_comp(i_attr_val1.rc_role,
01461                                          i_rc_subtid, RI_role_comp, 0)) {
01462                         rsbac_uid_t user;
01463 
01464                         if (!rsbac_get_owner(&user)) {
01465                                 rsbac_printk(KERN_INFO "rsbac_rc_sys_change role(): changing from role %u to %u denied for pid %u, user %u, role %u - roles not compatible\n",
01466                                              i_attr_val1.rc_role,
01467                                              role,
01468                                              i_tid.process,
01469                                              user, i_attr_val1.rc_role);
01470                         }
01471 #ifdef CONFIG_RSBAC_SOFTMODE
01472                         if (!rsbac_softmode
01473 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01474                             && !rsbac_ind_softmode[SW_RC]
01475 #endif
01476                             )
01477 #endif
01478                         {
01479                                 err = -EPERM;
01480                                 goto out;
01481                         }
01482                 }
01483 #ifdef CONFIG_RSBAC_UM
01484                 /* need to make sure UM is compilled in and active
01485                 * XXX what to do about softmode here
01486                 */
01487                 if ((err = rsbac_rc_get_item(0, RT_ROLE, i_rc_subtid, i_rc_subtid,      
01488                                              RI_req_reauth,
01489                                              &i_rc_item_val1, NULL))) {
01490                         rsbac_printk(KERN_WARNING "rsbac_rc_sys_change_role(): rsbac_rc_get_item() returned error %i\n",
01491                                      err);
01492                         err = -EPERM;
01493                         goto out;
01494                 }
01495                 if (i_rc_item_val1.req_reauth) {
01496                         rsbac_uid_t user;
01497 
01498                         if (!pass) {
01499                                 rsbac_printk(KERN_WARNING "rsbac_rc_sys_change_role(): password required for switching to role %u\n",
01500                                              role);
01501                                 err = -EPERM;
01502                                 goto out;
01503                         }
01504                         k_pass = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01505                         if (!k_pass) {
01506                                 err = -RSBAC_ENOMEM;
01507                                 goto out;
01508                         }
01509                         err =
01510                             rsbac_get_user(k_pass, pass, RSBAC_MAXNAMELEN);
01511                         if (err)
01512                                 goto out_free;
01513                         k_pass[RSBAC_MAXNAMELEN - 1] = 0;
01514                         err = rsbac_get_owner(&user);
01515                         if (err) {
01516                                 rsbac_printk(KERN_WARNING "rsbac_rc_sys_change_role(): rsbac_rc_get_item() returned error %i\n",
01517                                              err);
01518                                 goto out_free;
01519                         }
01520                         err = rsbac_um_check_pass(user, k_pass);
01521                         if (err) {
01522                                 goto out_free;
01523                         }
01524                 }
01525 #endif
01526 
01527         }
01528 #endif
01529 
01530         /* OK, check passed. Set role. */
01531         i_tid.process = current->pid;
01532         i_attr_val1.rc_role = role;
01533         if (rsbac_set_attr(SW_RC, T_PROCESS, i_tid, A_rc_role, i_attr_val1)) {  /* failed! */
01534                 rsbac_printk(KERN_WARNING "rsbac_rc_sys_change_role(): rsbac_set_attr() returned error\n");
01535                 err = -RSBAC_EWRITEFAILED;
01536         }
01537         else
01538                 err = 0;
01539 
01540 #if !defined(CONFIG_RSBAC_MAINT)
01541 out:
01542 #endif
01543         return err;
01544 
01545 #if !defined(CONFIG_RSBAC_MAINT)
01546 #ifdef CONFIG_RSBAC_UM
01547 out_free:
01548         memset(k_pass, 0, RSBAC_MAXNAMELEN);
01549         rsbac_kfree(k_pass);
01550         goto out;
01551 #endif
01552 #endif
01553 }

int rsbac_rc_sys_copy_role ( rsbac_list_ta_number_t  ta_number,
rsbac_rc_role_id_t  from_role,
rsbac_rc_role_id_t  to_role 
)

Definition at line 55 of file rc_syscalls.c.

References rsbac_printk(), rsbac_rc_copy_role(), rsbac_rc_role_exists(), rsbac_rc_test_admin_roles(), rsbac_rc_test_role_admin(), SW_RC, and TRUE.

Referenced by sys_rsbac_rc_copy_role().

00059   {
00060 #if !defined(CONFIG_RSBAC_MAINT)
00061 #ifdef CONFIG_RSBAC_SWITCH_RC
00062     if(rsbac_switch_rc)
00063 #endif
00064       {
00065         int                           err;
00066         /* source role must be in admin roles or caller must be role_admin */
00067         if (   (err=rsbac_rc_test_admin_roles(from_role, TRUE))
00068             && rsbac_rc_test_role_admin(TRUE)
00069            )
00070           {
00071             if(err == -EPERM)
00072               {
00073                 rsbac_uid_t user;
00074 
00075                 if(!rsbac_get_owner(&user))
00076                   {
00077                     rsbac_printk(KERN_INFO
00078                                  "rsbac_rc_sys_copy_role(): copying of role %u denied for pid %u, user %u - not in admin_roles!\n",
00079                                  from_role,
00080                                  current->pid,
00081                                  user);
00082                   }
00083                 #ifdef CONFIG_RSBAC_SOFTMODE
00084                 if(   !rsbac_softmode
00085                 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00086                    && !rsbac_ind_softmode[SW_RC]
00087                 #endif
00088                   )
00089                 #endif
00090                   return err;
00091               }
00092             else
00093               return err;
00094           }
00095         /* only role_admins may copy to existing targets */
00096         if (   rsbac_rc_role_exists(ta_number, to_role)
00097             && rsbac_rc_test_role_admin(TRUE)
00098            )
00099           {
00100             rsbac_uid_t user;
00101 
00102             if(!rsbac_get_owner(&user))
00103               {
00104                 rsbac_printk(KERN_INFO
00105                              "rsbac_rc_sys_copy_role(): overwriting of existing role %u denied for pid %u, user %u - no role_admin!\n",
00106                              to_role,
00107                              current->pid,
00108                              user);
00109               }
00110             #ifdef CONFIG_RSBAC_SOFTMODE
00111             if(   !rsbac_softmode
00112             #ifdef CONFIG_RSBAC_SOFTMODE_IND
00113                && !rsbac_ind_softmode[SW_RC]
00114             #endif
00115               )
00116             #endif
00117               return -EPERM;
00118           }
00119       }
00120 #endif /* !MAINT */
00121 
00122     /* pass on */
00123     return(rsbac_rc_copy_role(ta_number, from_role, to_role));
00124   }

int rsbac_rc_sys_copy_type ( rsbac_list_ta_number_t  ta_number,
enum rsbac_rc_target_t  target,
rsbac_rc_type_id_t  from_type,
rsbac_rc_type_id_t  to_type 
)

Definition at line 127 of file rc_syscalls.c.

References FALSE, get_target_name_only(), GRANTED, RCR_ADMIN, RSBAC_EINVALIDTARGET, rsbac_kfree(), rsbac_kmalloc(), RSBAC_MAXNAMELEN, rsbac_printk(), rsbac_rc_check_type_comp(), rsbac_rc_copy_type(), rsbac_rc_test_role_admin(), rsbac_rc_type_exists(), SW_RC, T_DEV, T_DIR, T_FD, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_PROCESS, T_SYMLINK, T_USER, and TRUE.

Referenced by sys_rsbac_rc_copy_type().

00132   {
00133 #if !defined(CONFIG_RSBAC_MAINT)
00134 #ifdef CONFIG_RSBAC_SWITCH_RC
00135     if(rsbac_switch_rc)
00136 #endif
00137       {
00138         int                           err;
00139 
00140         switch(target)
00141           {
00142             case T_FILE:
00143             case T_DIR:
00144             case T_FIFO:
00145             case T_SYMLINK:
00146               target = T_FD;
00147               break;
00148             case T_FD:
00149             case T_DEV:
00150             case T_USER:
00151             case T_PROCESS:
00152             case T_IPC:
00153             case T_GROUP:
00154             case T_NETDEV:
00155             case T_NETTEMP:
00156             case T_NETOBJ:
00157               break;
00158 
00159             default:
00160               return -RSBAC_EINVALIDTARGET;
00161           }
00162         /* need ADMIN right to source type or caller must be role_admin */
00163         if(   (rsbac_rc_check_type_comp(target, from_type, RCR_ADMIN, 0) != GRANTED)
00164            && (err=rsbac_rc_test_role_admin(FALSE))
00165           )
00166           {
00167             if(err == -EPERM)
00168               {
00169                 rsbac_uid_t user;
00170 
00171                 if(!rsbac_get_owner(&user))
00172                   {
00173                     char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00174 
00175                     if(tmp)
00176                       {
00177                         rsbac_printk(KERN_INFO
00178                                      "rsbac_rc_sys_copy_type(): copying of %s type %u denied for pid %u, user %u - not in admin_roles!\n",
00179                                      get_target_name_only(tmp, target),
00180                                      from_type,
00181                                      current->pid,
00182                                      user);
00183                         rsbac_kfree(tmp);
00184                       }
00185                   }
00186                 #ifdef CONFIG_RSBAC_SOFTMODE
00187                 if(   !rsbac_softmode
00188                 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00189                    && !rsbac_ind_softmode[SW_RC]
00190                 #endif
00191                   )
00192                 #endif
00193                   return err;
00194               }
00195             else
00196               return err;
00197           }
00198         /* only role_admins may copy to existing targets */
00199         if (   rsbac_rc_type_exists(ta_number, target, to_type)
00200             && rsbac_rc_test_role_admin(TRUE)
00201            )
00202           {
00203             rsbac_uid_t user;
00204 
00205             if(!rsbac_get_owner(&user))
00206               {
00207                 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00208 
00209                 if(tmp)
00210                   {
00211                     rsbac_printk(KERN_INFO
00212                                  "rsbac_rc_sys_copy_type(): overwriting of existing %s type %u denied for pid %u, user %u - no role_admin!\n",
00213                                  get_target_name_only(tmp, target),
00214                                  to_type,
00215                                  current->pid,
00216                                  user);
00217                     rsbac_kfree(tmp);
00218                   }
00219               }
00220             #ifdef CONFIG_RSBAC_SOFTMODE
00221             if(   !rsbac_softmode
00222             #ifdef CONFIG_RSBAC_SOFTMODE_IND
00223                && !rsbac_ind_softmode[SW_RC]
00224             #endif
00225               )
00226             #endif
00227               return -EPERM;
00228           }
00229       }
00230 #endif /* !MAINT */
00231 
00232     /* pass on */
00233     return(rsbac_rc_copy_type(ta_number, target, from_type, to_type));
00234   }

int rsbac_rc_sys_get_current_role ( rsbac_rc_role_id_t role_p  ) 

Definition at line 1671 of file rc_syscalls.c.

References A_rc_role, rsbac_target_id_t::process, rsbac_attribute_value_t::rc_role, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_printk(), SW_RC, T_PROCESS, and TRUE.

Referenced by sys_rsbac_rc_get_current_role().

01672   {
01673     union rsbac_target_id_t       i_tid;
01674     union rsbac_attribute_value_t i_attr_val1;
01675     int err;
01676 
01677     /* get rc_role of process */
01678     i_tid.process = current->pid;
01679     if ((err=rsbac_get_attr(SW_RC, T_PROCESS,
01680                        i_tid,
01681                        A_rc_role,
01682                        &i_attr_val1,
01683                        TRUE)))
01684       {
01685         rsbac_printk(KERN_WARNING
01686                "rsbac_rc_sys_get_current_role(): rsbac_get_attr() returned error %i!\n",err);
01687         return -RSBAC_EREADFAILED;
01688       }
01689     *role_p = i_attr_val1.rc_role;
01690     /* Ready. */
01691     return 0;
01692   }

int rsbac_rc_sys_get_eff_rights ( rsbac_list_ta_number_t  ta_number,
enum rsbac_target_t  target,
union rsbac_target_id_t  tid,
rsbac_rc_request_vector_t request_vector,
rsbac_time_t ttl_p 
)

Definition at line 1556 of file rc_syscalls.c.

References A_none, A_rc_role, A_rc_type, A_rc_type_fd, A_rc_type_nt, rsbac_target_id_t::process, rsbac_attribute_value_t::rc_role, rsbac_attribute_value_t::rc_type, RI_type_comp_dev, RI_type_comp_fd, RI_type_comp_group, RI_type_comp_ipc, RI_type_comp_netdev, RI_type_comp_netobj, RI_type_comp_nettemp, RI_type_comp_process, RI_type_comp_scd, rsbac_rc_item_value_t::rights, rsbac_rc_target_id_t::role, RSBAC_EINVALIDTARGET, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_printk(), rsbac_rc_get_item(), RST_none, RT_ROLE, rsbac_target_id_t::scd, SW_RC, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_PROCESS, T_SCD, T_SYMLINK, TRUE, and rsbac_rc_target_id_t::type.

Referenced by sys_rsbac_rc_get_eff_rights_n().

01562   {
01563     union rsbac_target_id_t       i_tid;
01564     enum  rsbac_attribute_t       i_attr = A_none;
01565     union rsbac_attribute_value_t i_attr_val1;
01566     union rsbac_attribute_value_t i_attr_val2;
01567     int                           err;
01568     enum  rsbac_rc_item_t         i_rc_item;
01569     union rsbac_rc_target_id_t    i_rc_tid;
01570     union rsbac_rc_target_id_t    i_rc_subtid;
01571     union rsbac_rc_item_value_t   i_rc_item_val1;
01572 
01573     i_tid.process = current->pid;
01574     /* get rc_role of process */
01575     if ((err=rsbac_get_attr(SW_RC, T_PROCESS,
01576                        i_tid,
01577                        A_rc_role,
01578                        &i_attr_val1,
01579                        TRUE)))
01580       {
01581         rsbac_printk(KERN_WARNING
01582                "rsbac_rc_sys_get_eff_rights(): rsbac_get_attr() returned error %i!\n",err);
01583         return -RSBAC_EREADFAILED;
01584       }
01585 
01586     switch(target)
01587       {
01588         case T_FILE:
01589         case T_DIR:
01590         case T_FIFO:
01591         case T_SYMLINK:
01592           i_attr = A_rc_type_fd;
01593           i_rc_item = RI_type_comp_fd;
01594           break;
01595         case T_DEV:
01596           i_attr = A_rc_type;
01597           i_rc_item = RI_type_comp_dev;
01598           break;
01599         case T_IPC:
01600           i_attr = A_rc_type;
01601           i_rc_item = RI_type_comp_ipc;
01602           break;
01603         case T_PROCESS:
01604           i_attr = A_rc_type;
01605           i_rc_item = RI_type_comp_process;
01606           break;
01607         case T_SCD: /* special case! */
01608           if(tid.scd >= RST_none)
01609             return -RSBAC_EINVALIDTARGET;
01610           i_rc_item = RI_type_comp_scd;
01611           break;
01612         case T_GROUP:
01613           i_attr = A_rc_type;
01614           i_rc_item = RI_type_comp_group;
01615           break;
01616         case T_NETDEV:
01617           i_attr = A_rc_type;
01618           i_rc_item = RI_type_comp_netdev;
01619           break;
01620         case T_NETTEMP:
01621           i_attr = A_rc_type_nt;
01622           i_rc_item = RI_type_comp_nettemp;
01623           break;
01624         case T_NETOBJ:
01625           i_attr = A_rc_type;
01626           i_rc_item = RI_type_comp_netobj;
01627           break;
01628         default:
01629           return -RSBAC_EINVALIDTARGET;
01630       }
01631     /* get rc_type of target */
01632     if(target == T_SCD)
01633       {
01634         i_attr_val2.rc_type = tid.scd;
01635       }
01636     else
01637       {
01638         if ((err=rsbac_get_attr(SW_RC,
01639                                 target,
01640                                 tid,
01641                                 i_attr,
01642                                 &i_attr_val2,
01643                                 TRUE)))
01644           {
01645             rsbac_printk(KERN_WARNING
01646                    "rsbac_rc_sys_get_eff_rights(): rsbac_get_attr() returned error %i!\n",err);
01647             return -RSBAC_EREADFAILED;
01648           }
01649       }
01650     /* get type_comp_xxx of role for type and target */
01651     i_rc_tid.role = i_attr_val1.rc_role;
01652     i_rc_subtid.type = i_attr_val2.rc_type;
01653     if ((err=rsbac_rc_get_item(ta_number,
01654                                 RT_ROLE,
01655                                 i_rc_tid,
01656                                 i_rc_subtid,
01657                                 i_rc_item,
01658                                 &i_rc_item_val1,
01659                                 ttl_p)))
01660       {
01661         rsbac_printk(KERN_WARNING
01662                "rsbac_rc_sys_get_eff_rights(): rsbac_rc_get_item() returned error %i!\n",err);
01663         return -RSBAC_EREADFAILED;
01664       }
01665     /* extract value */
01666     *request_vector = i_rc_item_val1.rights;
01667     /* Ready. */
01668     return 0;
01669   }

int rsbac_rc_sys_get_item ( rsbac_list_ta_number_t  ta_number,
enum rsbac_rc_target_t  target,
union rsbac_rc_target_id_t  tid,
union rsbac_rc_target_id_t  subtid,
enum rsbac_rc_item_t  item,
union rsbac_rc_item_value_t value_p,
rsbac_time_t ttl_p 
)

Definition at line 237 of file rc_syscalls.c.

References FALSE, RCR_ADMIN, RI_name, RI_type_dev_name, RI_type_fd_name, RI_type_fd_need_secdel, RI_type_group_name, RI_type_ipc_name, RI_type_netdev_name, RI_type_netobj_name, RI_type_nettemp_name, RI_type_process_name, RI_type_scd_name, RI_type_user_name, rsbac_rc_target_id_t::role, RSBAC_EINVALIDATTR, RSBAC_EINVALIDTARGET, rsbac_printk(), rsbac_rc_check_type_comp(), rsbac_rc_get_item(), rsbac_rc_test_admin_roles(), rsbac_rc_test_role_admin(), RT_ROLE, RT_TYPE, SW_RC, T_FILE, and rsbac_rc_target_id_t::type.

Referenced by sys_rsbac_rc_get_item().

00245   {
00246 #if !defined(CONFIG_RSBAC_MAINT)
00247 #ifdef CONFIG_RSBAC_SWITCH_RC
00248     if(rsbac_switch_rc)
00249 #endif
00250       {
00251         int                           err;
00252 
00253         switch(item)
00254           {
00255             case RI_name:
00256             case RI_type_fd_name:
00257             case RI_type_dev_name:
00258             case RI_type_ipc_name:
00259             case RI_type_user_name:
00260             case RI_type_process_name:
00261             case RI_type_scd_name:
00262             case RI_type_group_name:
00263             case RI_type_netdev_name:
00264             case RI_type_nettemp_name:
00265             case RI_type_netobj_name:
00266               /* getting names is always allowed */
00267               break;
00268 
00269             case RI_type_fd_need_secdel:
00270               if(target != RT_TYPE)
00271                 return -RSBAC_EINVALIDTARGET;
00272               if(   (err=rsbac_rc_check_type_comp(T_FILE, tid.type, RCR_ADMIN, 0))
00273                  && (err=rsbac_rc_test_role_admin(FALSE))
00274                 )
00275                 {
00276                   if(err == -EPERM)
00277                     {
00278                       rsbac_uid_t user;
00279 
00280                       if(!rsbac_get_owner(&user))
00281                         {
00282                           rsbac_printk(KERN_INFO
00283                                        "rsbac_rc_sys_get_item(): reading fd_need_secdel of type %u denied for pid %u, user %u - no ADMIN right!\n",
00284                                        tid.type,
00285                                        current->pid,
00286                                        user);
00287                         }
00288                       #ifdef CONFIG_RSBAC_SOFTMODE
00289                       if(   !rsbac_softmode
00290                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00291                          && !rsbac_ind_softmode[SW_RC]
00292                       #endif
00293                         )
00294                       #endif
00295                         return err;
00296                     }
00297                   else
00298                     return err;
00299                 }
00300               break;
00301 
00302             default:
00303               if(target != RT_ROLE)
00304                 return -RSBAC_EINVALIDATTR;
00305               /* test admin_roles or admin_type of process' role / no modify */
00306               if (   (err=rsbac_rc_test_admin_roles(tid.role, FALSE))
00307                   && (err=rsbac_rc_test_role_admin(FALSE))
00308                  )
00309                 {
00310                   if(err == -EPERM)
00311                     {
00312                       rsbac_uid_t user;
00313 
00314                       if(!rsbac_get_owner(&user))
00315                         {
00316                           rsbac_printk(KERN_INFO
00317                                        "rsbac_rc_sys_get_item(): getting item of role %u denied for pid %u, user %u - not in admin_roles!\n",
00318                                        tid.role,
00319                                        current->pid,
00320                                        user);
00321                         }
00322                       #ifdef CONFIG_RSBAC_SOFTMODE
00323                       if(   !rsbac_softmode
00324                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00325                          && !rsbac_ind_softmode[SW_RC]
00326                       #endif
00327                         )
00328                       #endif
00329                         return err;
00330                     }
00331                   else
00332                     return err;
00333                 }
00334           }
00335       }
00336 #endif /* !MAINT */
00337 
00338     /* pass on */
00339     return(rsbac_rc_get_item(ta_number,target, tid, subtid, item, value_p, ttl_p));
00340   }

int rsbac_rc_sys_set_item ( rsbac_list_ta_number_t  ta_number,
enum rsbac_rc_target_t  target,
union rsbac_rc_target_id_t  tid,
union rsbac_rc_target_id_t  subtid,
enum rsbac_rc_item_t  item,
union rsbac_rc_item_value_t  value,
rsbac_time_t  ttl 
)

Definition at line 343 of file rc_syscalls.c.

References A_rc_role, get_rc_item_name(), NOT_GRANTED, NULL, rsbac_target_id_t::process, R_NONE, rsbac_attribute_value_t::rc_role, RCR_ACCESS_CONTROL, RCR_ADMIN, RCR_ASSIGN, RCR_SUPERVISOR, RI_admin_roles, RI_admin_type, RI_assign_roles, RI_boot_role, RI_def_fd_create_type, RI_def_fd_ind_create_type, RI_def_fd_ind_create_type_remove, RI_def_group_create_type, RI_def_ipc_create_type, RI_def_process_chown_type, RI_def_process_create_type, RI_def_process_execute_type, RI_def_unixsock_create_type, RI_def_user_create_type, RI_name, RI_remove_role, RI_req_reauth, RI_role_comp, RI_type_comp_dev, RI_type_comp_fd, RI_type_comp_group, RI_type_comp_ipc, RI_type_comp_netdev, RI_type_comp_netobj, RI_type_comp_nettemp, RI_type_comp_process, RI_type_comp_scd, RI_type_comp_user, RI_type_dev_name, RI_type_dev_remove, RI_type_fd_name, RI_type_fd_need_secdel, RI_type_fd_remove, RI_type_group_name, RI_type_group_remove, RI_type_ipc_name, RI_type_ipc_remove, RI_type_netdev_name, RI_type_netdev_remove, RI_type_netobj_name, RI_type_netobj_remove, RI_type_nettemp_name, RI_type_nettemp_remove, RI_type_process_name, RI_type_process_remove, RI_type_scd_name, RI_type_user_name, RI_type_user_remove, rsbac_rc_item_value_t::rights, rsbac_rc_target_id_t::role, RSBAC_ALL_REQUEST_VECTOR, RSBAC_EINVALIDATTR, RSBAC_EINVALIDTARGET, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_pr_get_error, rsbac_printk(), rsbac_rc_check_comp(), rsbac_rc_check_type_comp(), rsbac_rc_get_item(), rsbac_rc_pr_get_error, RSBAC_RC_RIGHTS_VECTOR, rsbac_rc_set_item(), RSBAC_RC_SPECIAL_RIGHTS_VECTOR, rsbac_rc_test_admin_roles(), rsbac_rc_test_role_admin(), RT_ROLE, RT_TYPE, SW_RC, T_DEV, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_PROCESS, T_SCD, T_USER, TRUE, rsbac_rc_target_id_t::type, rsbac_rc_item_value_t::type_id, and UNDEFINED.

Referenced by sys_rsbac_rc_set_item().

00351   {
00352 #if !defined(CONFIG_RSBAC_MAINT)
00353 #ifdef CONFIG_RSBAC_SWITCH_RC
00354     if(rsbac_switch_rc)
00355 #endif
00356       {
00357         int                           err;
00358 
00359         switch(item)
00360           {
00361           /* type targets */
00362             case RI_type_fd_name:
00363             case RI_type_fd_need_secdel:
00364             case RI_type_fd_remove:
00365               if(target != RT_TYPE)
00366                 return -RSBAC_EINVALIDTARGET;
00367               if(   (rsbac_rc_check_type_comp(T_FILE, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00368                  && (err=rsbac_rc_test_role_admin(TRUE))
00369                 )
00370                 {
00371                   if(err == -EPERM)
00372                     {
00373                       rsbac_uid_t user;
00374                       char tmp[80];
00375 
00376                       if(!rsbac_get_owner(&user))
00377                         {
00378                           rsbac_printk(KERN_INFO
00379                                        "rsbac_rc_sys_set_item(): changing %s of FD type %u denied for pid %u, user %u - no ADMIN right!\n",
00380                                        get_rc_item_name(tmp, item),
00381                                        tid.type,
00382                                        current->pid,
00383                                        user);
00384                         }
00385                       #ifdef CONFIG_RSBAC_SOFTMODE
00386                       if(   !rsbac_softmode
00387                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00388                          && !rsbac_ind_softmode[SW_RC]
00389                       #endif
00390                         )
00391                       #endif
00392                         return err;
00393                     }
00394                   else
00395                     return err;
00396                 }
00397               break;
00398             case RI_type_dev_name:
00399             case RI_type_dev_remove:
00400               if(target != RT_TYPE)
00401                 return -RSBAC_EINVALIDTARGET;
00402               if(   (rsbac_rc_check_type_comp(T_DEV, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00403                  && (err=rsbac_rc_test_role_admin(TRUE))
00404                 )
00405                 {
00406                   if(err == -EPERM)
00407                     {
00408                       rsbac_uid_t user;
00409 
00410                       if(!rsbac_get_owner(&user))
00411                         {
00412                           rsbac_printk(KERN_INFO
00413                                        "rsbac_rc_sys_set_item(): changing name or removing of DEV type %u denied for pid %u, user %u - no ADMIN right!\n",
00414                                        tid.type,
00415                                        current->pid,
00416                                        user);
00417                         }
00418                       #ifdef CONFIG_RSBAC_SOFTMODE
00419                       if(   !rsbac_softmode
00420                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00421                          && !rsbac_ind_softmode[SW_RC]
00422                       #endif
00423                         )
00424                       #endif
00425                         return err;
00426                     }
00427                   else
00428                     return err;
00429                 }
00430               break;
00431             case RI_type_ipc_name:
00432             case RI_type_ipc_remove:
00433               if(target != RT_TYPE)
00434                 return -RSBAC_EINVALIDTARGET;
00435               if(   (rsbac_rc_check_type_comp(T_IPC, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00436                  && (err=rsbac_rc_test_role_admin(TRUE))
00437                 )
00438                 {
00439                   if(err == -EPERM)
00440                     {
00441                       rsbac_uid_t user;
00442 
00443                       if(!rsbac_get_owner(&user))
00444                         {
00445                           rsbac_printk(KERN_INFO
00446                                        "rsbac_rc_sys_set_item(): changing name or removing of IPC type %u denied for pid %u, user %u - no ADMIN right!\n",
00447                                        tid.type,
00448                                        current->pid,
00449                                        user);
00450                         }
00451                       #ifdef CONFIG_RSBAC_SOFTMODE
00452                       if(   !rsbac_softmode
00453                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00454                          && !rsbac_ind_softmode[SW_RC]
00455                       #endif
00456                         )
00457                       #endif
00458                         return err;
00459                     }
00460                   else
00461                     return err;
00462                 }
00463               break;
00464             case RI_type_user_name:
00465             case RI_type_user_remove:
00466               if(target != RT_TYPE)
00467                 return -RSBAC_EINVALIDTARGET;
00468               if(   (rsbac_rc_check_type_comp(T_USER, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00469                  && (err=rsbac_rc_test_role_admin(TRUE))
00470                 )
00471                 {
00472                   if(err == -EPERM)
00473                     {
00474                       rsbac_uid_t user;
00475 
00476                       if(!rsbac_get_owner(&user))
00477                         {
00478                           rsbac_printk(KERN_INFO
00479                                        "rsbac_rc_sys_set_item(): changing name or removing of USER type %u denied for pid %u, user %u - no ADMIN right!\n",
00480                                        tid.type,
00481                                        current->pid,
00482                                        user);
00483                         }
00484                       #ifdef CONFIG_RSBAC_SOFTMODE
00485                       if(   !rsbac_softmode
00486                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00487                          && !rsbac_ind_softmode[SW_RC]
00488                       #endif
00489                         )
00490                       #endif
00491                         return err;
00492                     }
00493                   else
00494                     return err;
00495                 }
00496               break;
00497             case RI_type_process_name:
00498             case RI_type_process_remove:
00499               if(target != RT_TYPE)
00500                 return -RSBAC_EINVALIDTARGET;
00501               if(   (rsbac_rc_check_type_comp(T_PROCESS, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00502                  && (err=rsbac_rc_test_role_admin(TRUE))
00503                 )
00504                 {
00505                   if(err == -EPERM)
00506                     {
00507                       rsbac_uid_t user;
00508 
00509                       if(!rsbac_get_owner(&user))
00510                         {
00511                           rsbac_printk(KERN_INFO
00512                                        "rsbac_rc_sys_set_item(): changing name or removing of process type %u denied for pid %u, user %u - no ADMIN right!\n",
00513                                        tid.type,
00514                                        current->pid,
00515                                        user);
00516                         }
00517                       #ifdef CONFIG_RSBAC_SOFTMODE
00518                       if(   !rsbac_softmode
00519                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00520                          && !rsbac_ind_softmode[SW_RC]
00521                       #endif
00522                         )
00523                       #endif
00524                         return err;
00525                     }
00526                   else
00527                     return err;
00528                 }
00529               break;
00530             case RI_type_scd_name:
00531               if(target != RT_TYPE)
00532                 return -RSBAC_EINVALIDTARGET;
00533               if(   (rsbac_rc_check_type_comp(T_SCD, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00534                  && (err=rsbac_rc_test_role_admin(TRUE))
00535                 )
00536                 {
00537                   if(err == -EPERM)
00538                     {
00539                       rsbac_uid_t user;
00540 
00541                       if(!rsbac_get_owner(&user))
00542                         {
00543                           rsbac_printk(KERN_INFO
00544                                        "rsbac_rc_sys_set_item(): changing name or removing of SCD type %u denied for pid %u, user %u - no ADMIN right!\n",
00545                                        tid.type,
00546                                        current->pid,
00547                                        user);
00548                         }
00549                       #ifdef CONFIG_RSBAC_SOFTMODE
00550                       if(   !rsbac_softmode
00551                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00552                          && !rsbac_ind_softmode[SW_RC]
00553                       #endif
00554                         )
00555                       #endif
00556                         return err;
00557                     }
00558                   else
00559                     return err;
00560                 }
00561               break;
00562             case RI_type_group_name:
00563             case RI_type_group_remove:
00564               if(target != RT_TYPE)
00565                 return -RSBAC_EINVALIDTARGET;
00566               if(   (rsbac_rc_check_type_comp(T_GROUP, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00567                  && (err=rsbac_rc_test_role_admin(TRUE))
00568                 )
00569                 {
00570                   if(err == -EPERM)
00571                     {
00572                       rsbac_uid_t user;
00573 
00574                       if(!rsbac_get_owner(&user))
00575                         {
00576                           rsbac_printk(KERN_INFO
00577                                        "rsbac_rc_sys_set_item(): changing name or removing of GROUP type %u denied for pid %u, user %u - no ADMIN right!\n",
00578                                        tid.type,
00579                                        current->pid,
00580                                        user);
00581                         }
00582                       #ifdef CONFIG_RSBAC_SOFTMODE
00583                       if(   !rsbac_softmode
00584                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00585                          && !rsbac_ind_softmode[SW_RC]
00586                       #endif
00587                         )
00588                       #endif
00589                         return err;
00590                     }
00591                   else
00592                     return err;
00593                 }
00594               break;
00595             case RI_type_netdev_name:
00596             case RI_type_netdev_remove:
00597               if(target != RT_TYPE)
00598                 return -RSBAC_EINVALIDTARGET;
00599               if(   (rsbac_rc_check_type_comp(T_NETDEV, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00600                  && (err=rsbac_rc_test_role_admin(TRUE))
00601                 )
00602                 {
00603                   if(err == -EPERM)
00604                     {
00605                       rsbac_uid_t user;
00606 
00607                       if(!rsbac_get_owner(&user))
00608                         {
00609                           rsbac_printk(KERN_INFO
00610                                        "rsbac_rc_sys_set_item(): changing name or removing of NETDEV type %u denied for pid %u, user %u - no ADMIN right!\n",
00611                                        tid.type,
00612                                        current->pid,
00613                                        user);
00614                         }
00615                       #ifdef CONFIG_RSBAC_SOFTMODE
00616                       if(   !rsbac_softmode
00617                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00618                          && !rsbac_ind_softmode[SW_RC]
00619                       #endif
00620                         )
00621                       #endif
00622                         return err;
00623                     }
00624                   else
00625                     return err;
00626                 }
00627               break;
00628             case RI_type_nettemp_name:
00629             case RI_type_nettemp_remove:
00630               if(target != RT_TYPE)
00631                 return -RSBAC_EINVALIDTARGET;
00632               if(   (rsbac_rc_check_type_comp(T_NETTEMP, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00633                  && (err=rsbac_rc_test_role_admin(TRUE))
00634                 )
00635                 {
00636                   if(err == -EPERM)
00637                     {
00638                       rsbac_uid_t user;
00639 
00640                       if(!rsbac_get_owner(&user))
00641                         {
00642                           rsbac_printk(KERN_INFO
00643                                        "rsbac_rc_sys_set_item(): changing name or removing of NETTEMP type %u denied for pid %u, user %u - no ADMIN right!\n",
00644                                        tid.type,
00645                                        current->pid,
00646                                        user);
00647                         }
00648                       #ifdef CONFIG_RSBAC_SOFTMODE
00649                       if(   !rsbac_softmode
00650                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00651                          && !rsbac_ind_softmode[SW_RC]
00652                       #endif
00653                         )
00654                       #endif
00655                         return err;
00656                     }
00657                   else
00658                     return err;
00659                 }
00660               break;
00661             case RI_type_netobj_name:
00662             case RI_type_netobj_remove:
00663               if(target != RT_TYPE)
00664                 return -RSBAC_EINVALIDTARGET;
00665               if(   (rsbac_rc_check_type_comp(T_NETOBJ, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00666                  && (err=rsbac_rc_test_role_admin(TRUE))
00667                 )
00668                 {
00669                   if(err == -EPERM)
00670                     {
00671                       rsbac_uid_t user;
00672 
00673                       if(!rsbac_get_owner(&user))
00674                         {
00675                           rsbac_printk(KERN_INFO
00676                                        "rsbac_rc_sys_set_item(): changing name or removing of NETOBJ type %u denied for pid %u, user %u - no ADMIN right!\n",
00677                                        tid.type,
00678                                        current->pid,
00679                                        user);
00680                         }
00681                       #ifdef CONFIG_RSBAC_SOFTMODE
00682                       if(   !rsbac_softmode
00683                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00684                          && !rsbac_ind_softmode[SW_RC]
00685                       #endif
00686                         )
00687                       #endif
00688                         return err;
00689                     }
00690                   else
00691                     return err;
00692                 }
00693               break;
00694 
00695           /* roles only from here */
00696             case RI_role_comp:
00697               /* need admin for this role, assign for changed compatible roles */
00698               {
00699                 union rsbac_target_id_t       i_tid;
00700                 union rsbac_attribute_value_t i_attr_val1;
00701 
00702                 if(target != RT_ROLE)
00703                   return -RSBAC_EINVALIDATTR;
00704                 if(!rsbac_rc_test_role_admin(TRUE))
00705                   break;
00706                 /* test admin_role of process / modify */
00707                 if((err=rsbac_rc_test_admin_roles(tid.role, TRUE)))
00708                   {
00709                     if(err == -EPERM)
00710                       {
00711                         rsbac_uid_t user;
00712 
00713                         if(!rsbac_get_owner(&user))
00714                           {
00715                             rsbac_printk(KERN_INFO
00716                                          "rsbac_rc_sys_set_item(): changing role_comp of role %u denied for pid %u, user %u - not in admin_roles!\n",
00717                                          tid.role,
00718                                          current->pid,
00719                                          user);
00720                           }
00721                       #ifdef CONFIG_RSBAC_SOFTMODE
00722                       if(   !rsbac_softmode
00723                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00724                          && !rsbac_ind_softmode[SW_RC]
00725                       #endif
00726                         )
00727                       #endif
00728                         return err;
00729                     }
00730                   else
00731                     return err;
00732                   }
00733                 /* now check assign for changed comp role. */
00734                 /* get rc_role of process */
00735                 i_tid.process = current->pid;
00736                 if ((err=rsbac_get_attr(SW_RC, T_PROCESS,
00737                                         i_tid,
00738                                         A_rc_role,
00739                                         &i_attr_val1,
00740                                         TRUE)))
00741                   {
00742                     rsbac_pr_get_error(A_rc_role);
00743                     return -RSBAC_EREADFAILED;
00744                   }
00745                 /* check assign_roles of role */
00746                 if (!rsbac_rc_check_comp(i_attr_val1.rc_role,
00747                                          tid,
00748                                          RI_assign_roles,
00749                                          R_NONE))
00750                   {
00751                     rsbac_uid_t user;
00752                     if(!rsbac_get_owner(&user))
00753                       {
00754                         rsbac_printk(KERN_INFO
00755                                      "rsbac_rc_sys_set_item(): changing role_comp for role %u denied for user %u, role %u - not in assign_roles!\n",
00756                                      tid.role,
00757                                      user,
00758                                      i_attr_val1.rc_role);
00759                       }
00760                       #ifdef CONFIG_RSBAC_SOFTMODE
00761                       if(   !rsbac_softmode
00762                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00763                          && !rsbac_ind_softmode[SW_RC]
00764                       #endif
00765                         )
00766                       #endif
00767                       return -EPERM;
00768                   }
00769               }
00770               break;
00771 
00772             case RI_admin_type:
00773             case RI_admin_roles:
00774             case RI_assign_roles:
00775             case RI_boot_role:
00776             case RI_req_reauth:
00777               /* admin_type role_admin */
00778               if((err=rsbac_rc_test_role_admin(TRUE)))
00779                 {
00780                   if(err == -EPERM)
00781                     {
00782                       rsbac_uid_t user;
00783                       char tmp[80];
00784 
00785                       if(!rsbac_get_owner(&user))
00786                         {
00787                           rsbac_printk(KERN_INFO
00788                                        "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - no Role Admin!\n",
00789                                        get_rc_item_name(tmp, item),
00790                                        tid.role,
00791                                        current->pid,
00792                                        user);
00793                         }
00794                       #ifdef CONFIG_RSBAC_SOFTMODE
00795                       if(   !rsbac_softmode
00796                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00797                          && !rsbac_ind_softmode[SW_RC]
00798                       #endif
00799                         )
00800                       #endif
00801                         return err;
00802                     }
00803                   else
00804                     return err;
00805                 }
00806               break;
00807             case RI_name:
00808               /* admin for this role */
00809               /* test admin_role of process / modify */
00810               if(   (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
00811                  && (err=rsbac_rc_test_role_admin(TRUE))
00812                 )
00813                 {
00814                   if(err == -EPERM)
00815                     {
00816                       rsbac_uid_t user;
00817 
00818                       if(!rsbac_get_owner(&user))
00819                         {
00820                           rsbac_printk(KERN_INFO
00821                                        "rsbac_rc_sys_set_item(): changing name of role %u denied for pid %u, user %u - not in admin_roles!\n",
00822                                        tid.role,
00823                                        current->pid,
00824                                        user);
00825                         }
00826                       #ifdef CONFIG_RSBAC_SOFTMODE
00827                       if(   !rsbac_softmode
00828                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00829                          && !rsbac_ind_softmode[SW_RC]
00830                       #endif
00831                         )
00832                       #endif
00833                         return err;
00834                     }
00835                   else
00836                     return err;
00837                 }
00838               break;
00839 
00840             case RI_remove_role:
00841               /* test admin_role of process role / modify */
00842               if((err=rsbac_rc_test_role_admin(TRUE)))
00843                 {
00844                   if(err == -EPERM)
00845                     {
00846                       rsbac_uid_t user;
00847 
00848                       if(!rsbac_get_owner(&user))
00849                         {
00850                           rsbac_printk(KERN_INFO
00851                                        "rsbac_rc_sys_set_item(): removing of role %u denied for pid %u, user %u - not in admin_roles!\n",
00852                                        tid.role,
00853                                        current->pid,
00854                                        user);
00855                         }
00856                       #ifdef CONFIG_RSBAC_SOFTMODE
00857                       if(   !rsbac_softmode
00858                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00859                          && !rsbac_ind_softmode[SW_RC]
00860                       #endif
00861                         )
00862                       #endif
00863                         return err;
00864                     }
00865                   else
00866                     return err;
00867                 }
00868               break;
00869 
00870             case RI_def_fd_create_type:
00871             case RI_def_fd_ind_create_type:
00872               /* admin for this role and assign for target type */
00873               /* test admin_role of process / modify */
00874               if(   (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
00875                  && (err=rsbac_rc_test_role_admin(TRUE))
00876                 )
00877                 {
00878                   if(err == -EPERM)
00879                     {
00880                       rsbac_uid_t user;
00881 
00882                       if(!rsbac_get_owner(&user))
00883                         {
00884                           rsbac_printk(KERN_INFO
00885                                        "rsbac_rc_sys_set_item(): changing def_fd_[ind_]create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
00886                                        tid.role,
00887                                        current->pid,
00888                                        user);
00889                         }
00890                       #ifdef CONFIG_RSBAC_SOFTMODE
00891                       if(   !rsbac_softmode
00892                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00893                          && !rsbac_ind_softmode[SW_RC]
00894                       #endif
00895                         )
00896                       #endif
00897                         return err;
00898                     }
00899                   else
00900                     return err;
00901                 }
00902               else
00903                 {
00904                   enum rsbac_adf_req_ret_t result;
00905 
00906                   result = rsbac_rc_check_type_comp(T_FILE, value.type_id, RCR_ASSIGN, 0);
00907                   if(   (   (result == NOT_GRANTED)
00908                          || (result == UNDEFINED)
00909                         )
00910                      && (err=rsbac_rc_test_role_admin(TRUE))
00911                     )
00912                     {
00913                       rsbac_uid_t user;
00914 
00915                       if(!rsbac_get_owner(&user))
00916                         {
00917                           rsbac_printk(KERN_INFO
00918                                        "rsbac_rc_sys_set_item(): changing def_fd_[ind_]create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
00919                                        tid.role,
00920                                        value.type_id,
00921                                        user);
00922                         }
00923                       #ifdef CONFIG_RSBAC_SOFTMODE
00924                       if(   !rsbac_softmode
00925                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00926                          && !rsbac_ind_softmode[SW_RC]
00927                       #endif
00928                         )
00929                       #endif
00930                         return -EPERM;
00931                     }
00932                 }
00933               break;
00934 
00935             case RI_def_fd_ind_create_type_remove:
00936               /* test admin_role of process / modify */
00937               if(   (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
00938                  && (err=rsbac_rc_test_role_admin(TRUE))
00939                 )
00940                 {
00941                   if(err == -EPERM)
00942                     {
00943                       rsbac_uid_t user;
00944 
00945                       if(!rsbac_get_owner(&user))
00946                         {
00947                           rsbac_printk(KERN_INFO
00948                                        "rsbac_rc_sys_set_item(): changing def_fd_[ind_]create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
00949                                        tid.role,
00950                                        current->pid,
00951                                        user);
00952                         }
00953                       #ifdef CONFIG_RSBAC_SOFTMODE
00954                       if(   !rsbac_softmode
00955                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00956                          && !rsbac_ind_softmode[SW_RC]
00957                       #endif
00958                         )
00959                       #endif
00960                         return err;
00961                     }
00962                   else
00963                     return err;
00964                 }
00965               break;
00966 
00967             case RI_def_user_create_type:
00968               /* admin for this role and assign for target type */
00969               /* test admin_role of process / modify */
00970               if(   (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
00971                  && (err=rsbac_rc_test_role_admin(TRUE))
00972                 )
00973                 {
00974                   if(err == -EPERM)
00975                     {
00976                       rsbac_uid_t user;
00977 
00978                       if(!rsbac_get_owner(&user))
00979                         {
00980                           rsbac_printk(KERN_INFO
00981                                        "rsbac_rc_sys_set_item(): changing def_user_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
00982                                        tid.role,
00983                                        current->pid,
00984                                        user);
00985                         }
00986                       #ifdef CONFIG_RSBAC_SOFTMODE
00987                       if(   !rsbac_softmode
00988                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
00989                          && !rsbac_ind_softmode[SW_RC]
00990                       #endif
00991                         )
00992                       #endif
00993                         return err;
00994                     }
00995                   else
00996                     return err;
00997                 }
00998               else
00999                 {
01000                   enum rsbac_adf_req_ret_t result;
01001 
01002                   result = rsbac_rc_check_type_comp(T_USER, value.type_id, RCR_ASSIGN, 0);
01003                   if(   (   (result == NOT_GRANTED)
01004                          || (result == UNDEFINED)
01005                         )
01006                      && (err=rsbac_rc_test_role_admin(TRUE))
01007                     )
01008                     {
01009                       rsbac_uid_t user;
01010 
01011                       if(!rsbac_get_owner(&user))
01012                         {
01013                           rsbac_printk(KERN_INFO
01014                                        "rsbac_rc_sys_set_item(): changing def_user_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01015                                        tid.role,
01016                                        value.type_id,
01017                                        user);
01018                         }
01019                       #ifdef CONFIG_RSBAC_SOFTMODE
01020                       if(   !rsbac_softmode
01021                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
01022                          && !rsbac_ind_softmode[SW_RC]
01023                       #endif
01024                         )
01025                       #endif
01026                         return -EPERM;
01027                     }
01028                 }
01029               break;
01030 
01031             case RI_def_process_create_type:
01032             case RI_def_process_chown_type:
01033             case RI_def_process_execute_type:
01034               /* admin for this role and assign for target type */
01035               /* test admin_role of process / modify */
01036               if(   (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
01037                  && (err=rsbac_rc_test_role_admin(TRUE))
01038                 )
01039                 {
01040                   if(err == -EPERM)
01041                     {
01042                       rsbac_uid_t user;
01043                       char tmp[80];
01044 
01045                       if(!rsbac_get_owner(&user))
01046                         {
01047                           rsbac_printk(KERN_INFO
01048                                        "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - not in admin_roles!\n",
01049                                        get_rc_item_name(tmp, item),
01050                                        tid.role,
01051                                        current->pid,
01052                                        user);
01053                         }
01054                       #ifdef CONFIG_RSBAC_SOFTMODE
01055                       if(   !rsbac_softmode
01056                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
01057                          && !rsbac_ind_softmode[SW_RC]
01058                       #endif
01059                         )
01060                       #endif
01061                         return err;
01062                     }
01063                   else
01064                     return err;
01065                 }
01066               else
01067                 {
01068                   enum rsbac_adf_req_ret_t result;
01069 
01070                   result = rsbac_rc_check_type_comp(T_PROCESS, value.type_id, RCR_ASSIGN, 0);
01071                   if(   (   (result == NOT_GRANTED)
01072                          || (result == UNDEFINED)
01073                         )
01074                      && (err=rsbac_rc_test_role_admin(TRUE))
01075                     )
01076                     {
01077                       rsbac_uid_t user;
01078 
01079                       if(!rsbac_get_owner(&user))
01080                         {
01081                           rsbac_printk(KERN_INFO
01082                                        "rsbac_rc_sys_set_item(): changing def_process_*_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01083                                        tid.role,
01084                                        value.type_id,
01085                                        user);
01086                         }
01087                       #ifdef CONFIG_RSBAC_SOFTMODE
01088                       if(   !rsbac_softmode
01089                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
01090                          && !rsbac_ind_softmode[SW_RC]
01091                       #endif
01092                         )
01093                       #endif
01094                         return -EPERM;
01095                     }
01096                 }
01097               break;
01098             case RI_def_ipc_create_type:
01099               /* admin for this role and assign for target type */
01100               /* test admin_role of process / modify */
01101               if(   (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
01102                  && (err=rsbac_rc_test_role_admin(TRUE))
01103                 )
01104                 {
01105                   if(err == -EPERM)
01106                     {
01107                       rsbac_uid_t user;
01108 
01109                       if(!rsbac_get_owner(&user))
01110                         {
01111                           rsbac_printk(KERN_INFO
01112                                        "rsbac_rc_sys_set_item(): changing def_ipc_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
01113                                        tid.role,
01114                                        current->pid,
01115                                        user);
01116                         }
01117                       #ifdef CONFIG_RSBAC_SOFTMODE
01118                       if(   !rsbac_softmode
01119                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
01120                          && !rsbac_ind_softmode[SW_RC]
01121                       #endif
01122                         )
01123                       #endif
01124                         return err;
01125                     }
01126                   else
01127                     return err;
01128                 }
01129               else
01130                 {
01131                   enum rsbac_adf_req_ret_t result;
01132 
01133                   result = rsbac_rc_check_type_comp(T_IPC, value.type_id, RCR_ASSIGN, 0);
01134                   if(   (   (result == NOT_GRANTED)
01135                          || (result == UNDEFINED)
01136                         )
01137                      && (err=rsbac_rc_test_role_admin(TRUE))
01138                     )
01139                     {
01140                       rsbac_uid_t user;
01141 
01142                       if(!rsbac_get_owner(&user))
01143                         {
01144                           rsbac_printk(KERN_INFO
01145                                        "rsbac_rc_sys_set_item(): changing def_ipc_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01146                                        tid.role,
01147                                        value.type_id,
01148                                        user);
01149                         }
01150                       #ifdef CONFIG_RSBAC_SOFTMODE
01151                       if(   !rsbac_softmode
01152                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
01153                          && !rsbac_ind_softmode[SW_RC]
01154                       #endif
01155                         )
01156                       #endif
01157                         return -EPERM;
01158                     }
01159                 }
01160               break;
01161             case RI_def_group_create_type:
01162               /* admin for this role and assign for target type */
01163               /* test admin_role of process / modify */
01164               if(   (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
01165                  && (err=rsbac_rc_test_role_admin(TRUE))
01166                 )
01167                 {
01168                   if(err == -EPERM)
01169                     {
01170                       rsbac_uid_t user;
01171 
01172                       if(!rsbac_get_owner(&user))
01173                         {
01174                           rsbac_printk(KERN_INFO
01175                                        "rsbac_rc_sys_set_item(): changing def_group_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
01176                                        tid.role,
01177                                        current->pid,
01178                                        user);
01179                         }
01180                       #ifdef CONFIG_RSBAC_SOFTMODE
01181                       if(   !rsbac_softmode
01182                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
01183                          && !rsbac_ind_softmode[SW_RC]
01184                       #endif
01185                         )
01186                       #endif
01187                         return err;
01188                     }
01189                   else
01190                     return err;
01191                 }
01192               else
01193                 {
01194                   enum rsbac_adf_req_ret_t result;
01195 
01196                   result = rsbac_rc_check_type_comp(T_GROUP, value.type_id, RCR_ASSIGN, 0);
01197                   if(   (   (result == NOT_GRANTED)
01198                          || (result == UNDEFINED)
01199                         )
01200                      && (err=rsbac_rc_test_role_admin(TRUE))
01201                     )
01202                     {
01203                       rsbac_uid_t user;
01204 
01205                       if(!rsbac_get_owner(&user))
01206                         {
01207                           rsbac_printk(KERN_INFO
01208                                        "rsbac_rc_sys_set_item(): changing def_group_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01209                                        tid.role,
01210                                        value.type_id,
01211                                        user);
01212                         }
01213                       #ifdef CONFIG_RSBAC_SOFTMODE
01214                       if(   !rsbac_softmode
01215                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
01216                          && !rsbac_ind_softmode[SW_RC]
01217                       #endif
01218                         )
01219                       #endif
01220                         return -EPERM;
01221                     }
01222                 }
01223               break;
01224             case RI_def_unixsock_create_type:
01225                         /* admin for this role and assign for target type */
01226                         /* test admin_role of process / modify */
01227                         if ((err =
01228                              rsbac_rc_test_admin_roles(tid.role, TRUE))
01229                             && (err = rsbac_rc_test_role_admin(TRUE))
01230                             ) {
01231                                 if (err == -EPERM) {
01232                                         rsbac_uid_t user;
01233 
01234                                         if (!rsbac_get_owner(&user)) {
01235                                                 rsbac_printk(KERN_INFO "rsbac_rc_sys_set_item(): changing def_unixsock_create_type of role %u denied for pid %u, user %u - not in admin_roles\n",
01236                                                              tid.role,
01237                                                              current->pid,
01238                                                              user);
01239                                         }
01240 #ifdef CONFIG_RSBAC_SOFTMODE
01241                                         if (!rsbac_softmode
01242 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01243                                             && !rsbac_ind_softmode[SW_RC]
01244 #endif
01245                                             )
01246 #endif
01247                                                 return err;
01248                                 } else
01249                                         return err;
01250                         } else {
01251                                 enum rsbac_adf_req_ret_t result;
01252 
01253                                 result =
01254                                     rsbac_rc_check_type_comp(T_NETOBJ,
01255                                                              value.type_id,
01256                                                              RCR_ASSIGN,
01257                                                              0);
01258                                 if (((result == NOT_GRANTED)
01259                                      || (result == UNDEFINED)
01260                                     )
01261                                     && (err =
01262                                         rsbac_rc_test_role_admin(TRUE))
01263                                     ) {
01264                                         rsbac_uid_t user;
01265 
01266                                         if (!rsbac_get_owner(&user)) {
01267                                                 rsbac_printk(KERN_INFO "rsbac_rc_sys_set_item(): changing def_unixsock_create_type for role %u to %u denied for user %u - no ASSIGN right for type\n",
01268                                                              tid.role,
01269                                                              value.type_id,
01270                                                              user);
01271                                         }
01272 #ifdef CONFIG_RSBAC_SOFTMODE
01273                                         if (!rsbac_softmode
01274 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01275                                             && !rsbac_ind_softmode[SW_RC]
01276 #endif
01277                                             )
01278 #endif
01279                                                 return -EPERM;
01280                                 }
01281                         }
01282                         break;
01283 
01284 
01285             case RI_type_comp_fd:
01286             case RI_type_comp_dev:
01287             case RI_type_comp_user:
01288             case RI_type_comp_process:
01289             case RI_type_comp_ipc:
01290             case RI_type_comp_scd:
01291             case RI_type_comp_group:
01292             case RI_type_comp_netdev:
01293             case RI_type_comp_nettemp:
01294             case RI_type_comp_netobj:
01295               {
01296                 union rsbac_rc_item_value_t old_value, my_value;
01297                 union rsbac_target_id_t       i_tid;
01298                 union rsbac_attribute_value_t i_attr_val1;
01299                 union rsbac_rc_target_id_t    i_rc_tid;
01300 
01301                 if(target != RT_ROLE)
01302                   return -RSBAC_EINVALIDATTR;
01303                 if(!rsbac_rc_test_role_admin(TRUE))
01304                   break;
01305                 /* test admin_role of process / modify */
01306                 if((err=rsbac_rc_test_admin_roles(tid.role, TRUE)))
01307                   {
01308                     if(err == -EPERM)
01309                       {
01310                         rsbac_uid_t user;
01311                         char tmp[80];
01312 
01313                         if(!rsbac_get_owner(&user))
01314                           {
01315                             rsbac_printk(KERN_INFO
01316                                          "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - not in admin_roles!\n",
01317                                          get_rc_item_name(tmp, item),
01318                                          tid.role,
01319                                          current->pid,
01320                                          user);
01321                           }
01322                       #ifdef CONFIG_RSBAC_SOFTMODE
01323                       if(   !rsbac_softmode
01324                       #ifdef CONFIG_RSBAC_SOFTMODE_IND
01325                          && !rsbac_ind_softmode[SW_RC]
01326                       #endif
01327                         )
01328                       #endif
01329                           return err;
01330                       }
01331                     else
01332                       return err;
01333                   }
01334                 /* test caller's RCR_ACCESS_CONTROL for the type, if we change normal access */
01335                 /* and caller's RCR_SUPERVISOR for the type, if we change special rights */
01336                 /* first get old setting */
01337                 err = rsbac_rc_get_item(ta_number, target, tid, subtid, item, &old_value, NULL);
01338                 if(err)
01339                   return(err);
01340 
01341                 /* get rc_role of process */
01342                 i_tid.process = current->pid;
01343                 if ((err=rsbac_get_attr(SW_RC, T_PROCESS,
01344                                         i_tid,
01345                                         A_rc_role,
01346                                         &i_attr_val1,
01347                                         TRUE)))
01348                   {
01349                     rsbac_pr_get_error(A_rc_role);
01350                     return err;
01351                   }
01352                 /* get item of process role */
01353                 i_rc_tid.role = i_attr_val1.rc_role;
01354                 if ((err=rsbac_rc_get_item(ta_number,
01355                                            RT_ROLE,
01356                                            i_rc_tid,
01357                                            subtid,
01358                                            item,
01359                                            &my_value,
01360                                            NULL)))
01361                   {
01362                     rsbac_rc_pr_get_error(item);
01363                     return err;
01364                   }
01365 
01366                 /* check planned changes for type */
01367                 if(   /* Want to change normal rights to this type? Need RCR_ACCESS_CONTROL. */
01368                       (   (   (old_value.rights & RSBAC_ALL_REQUEST_VECTOR)
01369                            != (value.rights & RSBAC_ALL_REQUEST_VECTOR)
01370                           )
01371                        && (!(my_value.rights & RSBAC_RC_RIGHTS_VECTOR(RCR_ACCESS_CONTROL)))
01372                       )
01373                    ||    
01374                       /* Want to change special rights to this type? Need RCR_SUPERVISOR. */
01375                       (   (   (old_value.rights & RSBAC_RC_SPECIAL_RIGHTS_VECTOR)
01376                            != (value.rights & RSBAC_RC_SPECIAL_RIGHTS_VECTOR)
01377                           )
01378                        && (!(my_value.rights & RSBAC_RC_RIGHTS_VECTOR(RCR_SUPERVISOR)))
01379                       )
01380                   )
01381                   {
01382                     /* check failed. Last resort: Classical admin_type. */
01383                     if((err=rsbac_rc_test_role_admin(TRUE)))
01384                       {
01385                         if(err == -EPERM)
01386                           {
01387                             rsbac_uid_t user;
01388                             char tmp[80];
01389 
01390                             if(!rsbac_get_owner(&user))
01391                               {
01392                                 rsbac_printk(KERN_INFO
01393                                              "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u, role %u - insufficent rights!\n",
01394                                              get_rc_item_name(tmp, item),
01395                                              tid.role,
01396                                              current->pid,
01397                                              user,
01398                                              i_attr_val1.rc_role);
01399                               }
01400                             #ifdef CONFIG_RSBAC_SOFTMODE
01401                             if(   !rsbac_softmode
01402                             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01403                                && !rsbac_ind_softmode[SW_RC]
01404                             #endif
01405                               )
01406                             #endif
01407                               return err;
01408                           }
01409                         else
01410                           return err;
01411                       }
01412                   }
01413               }
01414               break;
01415 
01416             default:
01417               return -RSBAC_EINVALIDATTR;
01418           }
01419       }
01420 #endif /* !MAINT */
01421 
01422     /* pass on */
01423     return(rsbac_rc_set_item(ta_number, target, tid, subtid, item, value, ttl));
01424   }

int rsbac_rc_test_admin_roles ( rsbac_rc_role_id_t  t_role,
rsbac_boolean_t  modify 
)

Definition at line 186 of file rc_main.c.

References A_rc_role, rsbac_target_id_t::process, R_NONE, rsbac_attribute_value_t::rc_role, RC_role_max_value, RI_admin_roles, RI_assign_roles, rsbac_rc_target_id_t::role, RSBAC_EINVALIDVALUE, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_pr_get_error, rsbac_rc_check_comp(), SW_RC, T_PROCESS, and TRUE.

Referenced by rsbac_rc_sys_copy_role(), rsbac_rc_sys_get_item(), and rsbac_rc_sys_set_item().

00188 {
00189         int err;
00190         union rsbac_target_id_t i_tid;
00191         union rsbac_attribute_value_t i_attr_val1;
00192         union rsbac_rc_target_id_t i_rc_subtid;
00193 
00194         if (t_role > RC_role_max_value)
00195                 return -RSBAC_EINVALIDVALUE;
00196         /* get rc_role of process */
00197         i_tid.process = current->pid;
00198         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
00199                                   i_tid, A_rc_role, &i_attr_val1, TRUE))) {
00200                 rsbac_pr_get_error(A_rc_role);
00201                 return -RSBAC_EREADFAILED;
00202         }
00203 
00204         i_rc_subtid.role = t_role;
00205         /* read_only? -> assign_roles membership is enough */
00206         if (!modify) {
00207                 if (rsbac_rc_check_comp(i_attr_val1.rc_role,
00208                                         i_rc_subtid,
00209                                         RI_assign_roles, R_NONE))
00210                         return 0;
00211                 /* fall through */
00212         }
00213         /* check admin_roles of role */
00214         if (rsbac_rc_check_comp(i_attr_val1.rc_role,
00215                                 i_rc_subtid, RI_admin_roles, R_NONE))
00216                 return 0;
00217         else
00218                 return -EPERM;
00219 }

int rsbac_rc_test_role_admin ( rsbac_boolean_t  modify  ) 

Definition at line 363 of file rc_main.c.

References A_rc_role, rsbac_rc_item_value_t::admin_type, NULL, rsbac_target_id_t::process, rsbac_attribute_value_t::rc_role, RC_role_admin, RC_system_admin, RI_admin_type, rsbac_rc_target_id_t::role, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_pr_get_error, rsbac_rc_get_item(), rsbac_rc_pr_get_error, RT_ROLE, SW_RC, T_PROCESS, and TRUE.

Referenced by rsbac_adf_request_rc(), rsbac_rc_sys_copy_role(), rsbac_rc_sys_copy_type(), rsbac_rc_sys_get_item(), and rsbac_rc_sys_set_item().

00364 {
00365         int err;
00366         union rsbac_target_id_t i_tid;
00367         union rsbac_attribute_value_t i_attr_val1;
00368         union rsbac_rc_target_id_t i_rc_tid;
00369         union rsbac_rc_item_value_t i_rc_item_val1;
00370 
00371         /* get rc_role of process */
00372         i_tid.process = current->pid;
00373         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
00374                                   i_tid, A_rc_role, &i_attr_val1, TRUE))) {
00375                 rsbac_pr_get_error(A_rc_role);
00376                 return -RSBAC_EREADFAILED;
00377         }
00378 
00379         /* get admin_type of role */
00380         i_rc_tid.role = i_attr_val1.rc_role;
00381         if ((err = rsbac_rc_get_item(0, RT_ROLE, i_rc_tid, i_rc_tid,    /* dummy */
00382                                      RI_admin_type,
00383                                      &i_rc_item_val1, NULL))) {
00384                 rsbac_rc_pr_get_error(RI_admin_type);
00385                 return -RSBAC_EREADFAILED;
00386         }
00387 
00388         /* allow, if RC_role_admin or (read_only and RC_system_admin) */
00389         if ((i_rc_item_val1.admin_type == RC_role_admin)
00390             || (!modify && (i_rc_item_val1.admin_type == RC_system_admin)
00391             )
00392             )
00393                 return 0;
00394         else
00395                 return -EPERM;
00396 }


Generated on Wed May 16 11:54:17 2007 for RSBAC by  doxygen 1.5.1