/linux-2.6.21.1-rsbac-1.3.4/rsbac/adf/rc/rc_main.c

Go to the documentation of this file.
00001 /*************************************************** */
00002 /* Rule Set Based Access Control                     */
00003 /* Implementation of the Access Control Decision     */
00004 /* Facility (ADF) - Role Compatibility               */
00005 /* File: rsbac/adf/rc/main.c                         */
00006 /*                                                   */
00007 /* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
00008 /*                                                   */
00009 /* Last modified: 11/Apr/2007                        */
00010 /*************************************************** */
00011 
00012 #include <linux/string.h>
00013 #include <rsbac/types.h>
00014 #include <rsbac/aci.h>
00015 #include <rsbac/adf_main.h>
00016 #include <rsbac/rc.h>
00017 #include <rsbac/error.h>
00018 #include <rsbac/debug.h>
00019 #include <rsbac/helpers.h>
00020 #include <rsbac/getname.h>
00021 #include <rsbac/rc_getname.h>
00022 #include <rsbac/rkmem.h>
00023 #include <rsbac/network.h>
00024 #include <rsbac/rc_types.h>
00025 
00026 /************************************************* */
00027 /*          Internal Help functions                */
00028 /************************************************* */
00029 
00030 static enum rsbac_adf_req_ret_t
00031 check_comp_rc(enum rsbac_target_t target,
00032               union rsbac_target_id_t tid,
00033               enum rsbac_adf_request_t request, rsbac_pid_t caller_pid)
00034 {
00035         int err;
00036         union rsbac_target_id_t i_tid;
00037         enum rsbac_attribute_t i_attr;
00038         union rsbac_attribute_value_t i_attr_val1;
00039         union rsbac_attribute_value_t i_attr_val2;
00040 
00041         union rsbac_rc_target_id_t i_rc_subtid;
00042         enum rsbac_rc_item_t i_rc_item;
00043 
00044         /* get rc_role from process */
00045         i_tid.process = caller_pid;
00046         if ((err = rsbac_get_attr(SW_RC,
00047                                   T_PROCESS,
00048                                   i_tid,
00049                                   A_rc_role, &i_attr_val1, FALSE))) {
00050                 rsbac_pr_get_error(A_rc_role);
00051                 return (NOT_GRANTED);
00052         }
00053         switch (target) {
00054         case T_FILE:
00055         case T_DIR:
00056         case T_FIFO:
00057         case T_SYMLINK:
00058         case T_UNIXSOCK:
00059                 i_rc_item = RI_type_comp_fd;
00060                 i_attr = A_rc_type_fd;
00061                 break;
00062         case T_DEV:
00063                 i_rc_item = RI_type_comp_dev;
00064                 i_attr = A_rc_type;
00065                 break;
00066         case T_USER:
00067                 i_rc_item = RI_type_comp_user;
00068                 i_attr = A_rc_type;
00069                 break;
00070         case T_PROCESS:
00071                 i_rc_item = RI_type_comp_process;
00072                 i_attr = A_rc_type;
00073                 break;
00074         case T_IPC:
00075                 i_rc_item = RI_type_comp_ipc;
00076                 i_attr = A_rc_type;
00077                 break;
00078 #if defined(CONFIG_RSBAC_RC_UM_PROT)
00079         case T_GROUP:
00080                 i_rc_item = RI_type_comp_group;
00081                 i_attr = A_rc_type;
00082                 break;
00083 #endif
00084 #if defined(CONFIG_RSBAC_RC_NET_DEV_PROT)
00085         case T_NETDEV:
00086                 i_rc_item = RI_type_comp_netdev;
00087                 i_attr = A_rc_type;
00088                 break;
00089 #endif
00090 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
00091         case T_NETTEMP:
00092                 i_rc_item = RI_type_comp_nettemp;
00093                 i_attr = A_rc_type_nt;
00094                 break;
00095         case T_NETOBJ:
00096                 i_rc_item = RI_type_comp_netobj;
00097                 if (rsbac_net_remote_request(request))
00098                         i_attr = A_remote_rc_type;
00099                 else
00100                         i_attr = A_local_rc_type;
00101                 break;
00102 #endif
00103         default:
00104                 rsbac_printk(KERN_WARNING "check_comp_rc(): invalid target %i!\n",
00105                              target);
00106                 return (NOT_GRANTED);
00107         }
00108 
00109         /* get rc_type[_fd|_nt] from target */
00110         if ((err = rsbac_get_attr(SW_RC,
00111                                   target,
00112                                   tid, i_attr, &i_attr_val2, TRUE))) {
00113                 rsbac_pr_get_error(i_attr);
00114                 return (NOT_GRANTED);
00115         }
00116 
00117         /* get type_comp_xxx of role */
00118         i_rc_subtid.type = i_attr_val2.rc_type;
00119         if (rsbac_rc_check_comp(i_attr_val1.rc_role,
00120                                 i_rc_subtid, i_rc_item, request))
00121                 return (GRANTED);
00122         else {
00123 #ifdef CONFIG_RSBAC_DEBUG
00124                 if (rsbac_debug_adf_rc) {
00125                         char *tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00126 
00127                         if (tmp) {
00128                                 char *tmp2 =
00129                                     rsbac_kmalloc(RSBAC_MAXNAMELEN);
00130                                 if (tmp2) {
00131                                         rsbac_pr_debug(adf_rc, "pid %u (%.15s), owner %u, rc_role %u, %s rc_type %u, request %s -> NOT_GRANTED!\n",
00132                                                      caller_pid,
00133                                                      current->comm,
00134                                                      current->uid,
00135                                                      i_attr_val1.rc_role,
00136                                                      get_target_name_only
00137                                                      (tmp, target),
00138                                                      i_attr_val2.rc_type,
00139                                                      get_rc_special_right_name
00140                                                      (tmp2, request));
00141                                         rsbac_kfree(tmp2);
00142                                 }
00143                                 rsbac_kfree(tmp);
00144                         }
00145                 }
00146 #endif
00147                 return (NOT_GRANTED);
00148         }
00149 }
00150 
00151 static enum rsbac_adf_req_ret_t
00152 check_comp_rc_scd(enum rsbac_rc_scd_type_t scd_type,
00153                   enum rsbac_adf_request_t request, rsbac_pid_t caller_pid)
00154 {
00155         int err;
00156         union rsbac_target_id_t i_tid;
00157         union rsbac_attribute_value_t i_attr_val1;
00158 
00159         union rsbac_rc_target_id_t i_rc_subtid;
00160 
00161         /* get rc_role from process */
00162         i_tid.process = caller_pid;
00163         if ((err = rsbac_get_attr(SW_RC,
00164                                   T_PROCESS,
00165                                   i_tid,
00166                                   A_rc_role, &i_attr_val1, FALSE))) {
00167                 rsbac_pr_get_error(A_rc_role);
00168                 return (NOT_GRANTED);
00169         }
00170         /* get type_comp_scd of role */
00171         i_rc_subtid.type = scd_type;
00172         if (rsbac_rc_check_comp(i_attr_val1.rc_role,
00173                                 i_rc_subtid, RI_type_comp_scd, request)) {
00174                 return (GRANTED);
00175         } else {
00176                 char tmp[RSBAC_MAXNAMELEN];
00177                 rsbac_pr_debug(adf_rc, "pid %u (%.15s), owner %u, rc_role %i, scd_type %i, request %s -> NOT_GRANTED!\n",
00178                                caller_pid, current->comm, current->uid,
00179                                i_attr_val1.rc_role, scd_type,
00180                                get_request_name(tmp, request));
00181                 return (NOT_GRANTED);
00182         }
00183 }
00184 
00185 /* exported for rc_syscalls.c */
00186 int rsbac_rc_test_admin_roles(rsbac_rc_role_id_t t_role,
00187                               rsbac_boolean_t modify)
00188 {
00189         int err;
00190         union rsbac_target_id_t i_tid;
00191         union rsbac_attribute_value_t i_attr_val1;
00192         union rsbac_rc_target_id_t i_rc_subtid;
00193 
00194         if (t_role > RC_role_max_value)
00195                 return -RSBAC_EINVALIDVALUE;
00196         /* get rc_role of process */
00197         i_tid.process = current->pid;
00198         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
00199                                   i_tid, A_rc_role, &i_attr_val1, TRUE))) {
00200                 rsbac_pr_get_error(A_rc_role);
00201                 return -RSBAC_EREADFAILED;
00202         }
00203 
00204         i_rc_subtid.role = t_role;
00205         /* read_only? -> assign_roles membership is enough */
00206         if (!modify) {
00207                 if (rsbac_rc_check_comp(i_attr_val1.rc_role,
00208                                         i_rc_subtid,
00209                                         RI_assign_roles, R_NONE))
00210                         return 0;
00211                 /* fall through */
00212         }
00213         /* check admin_roles of role */
00214         if (rsbac_rc_check_comp(i_attr_val1.rc_role,
00215                                 i_rc_subtid, RI_admin_roles, R_NONE))
00216                 return 0;
00217         else
00218                 return -EPERM;
00219 }
00220 
00221 /* exported for rc_syscalls.c */
00222 int rsbac_rc_test_assign_roles(enum rsbac_target_t target,
00223                                union rsbac_target_id_t tid,
00224                                enum rsbac_attribute_t attr,
00225                                rsbac_rc_role_id_t t_role)
00226 {
00227         int err;
00228         union rsbac_target_id_t i_tid;
00229         union rsbac_attribute_value_t i_attr_val1;
00230         union rsbac_attribute_value_t i_attr_val2;
00231         union rsbac_rc_target_id_t i_rc_subtid;
00232 
00233         if (((t_role > RC_role_max_value)
00234              && (t_role != RC_role_inherit_user)
00235             )
00236             || (target >= T_NONE)
00237             )
00238                 return -RSBAC_EINVALIDVALUE;
00239         /* get rc_role of process */
00240         i_tid.process = current->pid;
00241         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
00242                                   i_tid, A_rc_role, &i_attr_val1, TRUE))) {
00243                 rsbac_pr_get_error(A_rc_role);
00244                 return -RSBAC_EREADFAILED;
00245         }
00246         /* get old role of target */
00247         if ((err = rsbac_get_attr(SW_RC,
00248                                   target,
00249                                   tid, attr, &i_attr_val2, TRUE))) {
00250                 rsbac_pr_get_error(attr);
00251                 return -RSBAC_EREADFAILED;
00252         }
00253 
00254         i_rc_subtid.role = i_attr_val2.rc_role;
00255         if (!rsbac_rc_check_comp(i_attr_val1.rc_role,
00256                                  i_rc_subtid, RI_assign_roles, R_NONE))
00257                 return -EPERM;
00258         if (t_role != RC_role_inherit_user) {
00259                 i_rc_subtid.role = t_role;
00260                 if (!rsbac_rc_check_comp(i_attr_val1.rc_role,
00261                                          i_rc_subtid,
00262                                          RI_assign_roles, R_NONE))
00263                         return -EPERM;
00264         }
00265         return 0;
00266 }
00267 
00268 enum rsbac_adf_req_ret_t
00269 rsbac_rc_check_type_comp(enum rsbac_target_t target,
00270                          rsbac_rc_type_id_t type,
00271                          enum rsbac_adf_request_t request,
00272                          rsbac_pid_t caller_pid)
00273 {
00274         int err;
00275         union rsbac_target_id_t i_tid;
00276         union rsbac_attribute_value_t i_attr_val1;
00277 
00278         union rsbac_rc_target_id_t i_rc_subtid;
00279         enum rsbac_rc_item_t i_rc_item;
00280 
00281         if (!caller_pid)
00282                 caller_pid = current->pid;
00283         /*
00284          * we don't care about tried assignments of special type values,
00285          * but deny other accesses to those
00286          */
00287         if (type > RC_type_max_value) {
00288                 if (request == RCR_ASSIGN)
00289                         return GRANTED;
00290                 else
00291                         return NOT_GRANTED;
00292         }
00293 
00294         /* get rc_role from process */
00295         i_tid.process = caller_pid;
00296         if ((err = rsbac_get_attr(SW_RC,
00297                                   T_PROCESS,
00298                                   i_tid,
00299                                   A_rc_role, &i_attr_val1, FALSE))) {
00300                 rsbac_pr_get_error(A_rc_role);
00301                 return (NOT_GRANTED);
00302         }
00303         switch (target) {
00304         case T_FILE:
00305         case T_DIR:
00306         case T_FIFO:
00307         case T_SYMLINK:
00308         case T_UNIXSOCK:
00309         case T_FD:
00310                 i_rc_item = RI_type_comp_fd;
00311                 break;
00312         case T_DEV:
00313                 i_rc_item = RI_type_comp_dev;
00314                 break;
00315         case T_USER:
00316                 i_rc_item = RI_type_comp_user;
00317                 break;
00318         case T_PROCESS:
00319                 i_rc_item = RI_type_comp_process;
00320                 break;
00321         case T_IPC:
00322                 i_rc_item = RI_type_comp_ipc;
00323                 break;
00324 #if defined(CONFIG_RSBAC_RC_UM_PROT)
00325         case T_GROUP:
00326                 i_rc_item = RI_type_comp_group;
00327                 break;
00328 #endif
00329 #if defined(CONFIG_RSBAC_RC_NET_DEV_PROT)
00330         case T_NETDEV:
00331                 i_rc_item = RI_type_comp_netdev;
00332                 break;
00333 #endif
00334 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
00335         case T_NETTEMP:
00336                 i_rc_item = RI_type_comp_nettemp;
00337                 break;
00338         case T_NETOBJ:
00339                 i_rc_item = RI_type_comp_netobj;
00340                 break;
00341 #endif
00342 
00343         default:
00344                 rsbac_printk(KERN_WARNING "rsbac_rc_check_type_comp(): invalid target %i!\n",
00345                              target);
00346                 return (NOT_GRANTED);
00347         }
00348         /* check type_comp_xxx of role */
00349         i_rc_subtid.type = type;
00350         if (rsbac_rc_check_comp(i_attr_val1.rc_role,
00351                                 i_rc_subtid, i_rc_item, request))
00352                 return (GRANTED);
00353         else {
00354                 char tmp[RSBAC_MAXNAMELEN];
00355                 rsbac_pr_debug(adf_rc, "rc_role is %i, rc_type is %i, request is %s -> NOT_GRANTED!\n",
00356                                i_attr_val1.rc_role, type,
00357                                get_rc_special_right_name(tmp, request));
00358                 return (NOT_GRANTED);
00359         }
00360 }
00361 
00362 /* exported for rc_syscalls.c */
00363 int rsbac_rc_test_role_admin(rsbac_boolean_t modify)
00364 {
00365         int err;
00366         union rsbac_target_id_t i_tid;
00367         union rsbac_attribute_value_t i_attr_val1;
00368         union rsbac_rc_target_id_t i_rc_tid;
00369         union rsbac_rc_item_value_t i_rc_item_val1;
00370 
00371         /* get rc_role of process */
00372         i_tid.process = current->pid;
00373         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
00374                                   i_tid, A_rc_role, &i_attr_val1, TRUE))) {
00375                 rsbac_pr_get_error(A_rc_role);
00376                 return -RSBAC_EREADFAILED;
00377         }
00378 
00379         /* get admin_type of role */
00380         i_rc_tid.role = i_attr_val1.rc_role;
00381         if ((err = rsbac_rc_get_item(0, RT_ROLE, i_rc_tid, i_rc_tid,    /* dummy */
00382                                      RI_admin_type,
00383                                      &i_rc_item_val1, NULL))) {
00384                 rsbac_rc_pr_get_error(RI_admin_type);
00385                 return -RSBAC_EREADFAILED;
00386         }
00387 
00388         /* allow, if RC_role_admin or (read_only and RC_system_admin) */
00389         if ((i_rc_item_val1.admin_type == RC_role_admin)
00390             || (!modify && (i_rc_item_val1.admin_type == RC_system_admin)
00391             )
00392             )
00393                 return 0;
00394         else
00395                 return -EPERM;
00396 }
00397 
00398 /************************************************* */
00399 /*          Externally visible functions           */
00400 /************************************************* */
00401 
00402 inline enum rsbac_adf_req_ret_t
00403 rsbac_adf_request_rc(enum rsbac_adf_request_t request,
00404                      rsbac_pid_t caller_pid,
00405                      enum rsbac_target_t target,
00406                      union rsbac_target_id_t tid,
00407                      enum rsbac_attribute_t attr,
00408                      union rsbac_attribute_value_t attr_val,
00409                      rsbac_uid_t owner)
00410 {
00411         int err;
00412         enum rsbac_adf_req_ret_t result = DO_NOT_CARE;
00413         union rsbac_attribute_value_t i_attr_val1;
00414         union rsbac_rc_target_id_t i_rc_tid;
00415         union rsbac_rc_target_id_t i_rc_subtid;
00416         union rsbac_rc_item_value_t i_rc_item_val1;
00417         union rsbac_target_id_t i_tid;
00418         union rsbac_attribute_value_t i_attr_val2;
00419 
00420         switch (request) {
00421         case R_SEARCH:
00422                 switch (target) {
00423                 case T_DIR:
00424                 case T_FILE:
00425                 case T_SYMLINK:
00426                 case T_FIFO:
00427                 case T_UNIXSOCK:
00428                 case T_DEV:
00429                 case T_NETOBJ:
00430 #if defined(CONFIG_RSBAC_RC_UM_PROT)
00431                 case T_USER:
00432                 case T_GROUP:
00433 #endif
00434                         return (check_comp_rc
00435                                 (target, tid, request, caller_pid));
00436 
00437                         /* all other cases are unknown */
00438                 default:
00439                         return (DO_NOT_CARE);
00440                 }
00441 
00442         case R_CLOSE:
00443                 return DO_NOT_CARE;
00444 
00445         case R_GET_STATUS_DATA:
00446                 switch (target) {
00447                 case T_SCD:
00448                         return (check_comp_rc_scd
00449                                 (tid.scd, request, caller_pid));
00450                 case T_FILE:
00451                 case T_DIR:
00452                 case T_FIFO:
00453                 case T_SYMLINK:
00454                 case T_UNIXSOCK:
00455                 case T_IPC:
00456                 case T_PROCESS:
00457                 case T_DEV:
00458 #if defined(CONFIG_RSBAC_RC_UM_PROT)
00459                 case T_USER:
00460                 case T_GROUP:
00461 #endif
00462                         return (check_comp_rc
00463                                 (target, tid, request, caller_pid));
00464 
00465 #if defined(CONFIG_RSBAC_RC_NET_DEV_PROT)
00466                 case T_NETDEV:
00467                         return (check_comp_rc
00468                                 (target, tid, request, caller_pid));
00469 #endif
00470 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
00471                 case T_NETOBJ:
00472                         return (check_comp_rc
00473                                 (target, tid, request, caller_pid));
00474 #endif
00475 
00476                 default:
00477                         return (DO_NOT_CARE);
00478                 }
00479 
00480         case R_SEND:
00481                 switch (target) {
00482                 case T_DEV:
00483 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
00484                 case T_NETOBJ:
00485 #endif
00486                         return (check_comp_rc
00487                                 (target, tid, request, caller_pid));
00488 
00489                 case T_UNIXSOCK:
00490                 case T_IPC:
00491 #if defined(CONFIG_RSBAC_RC_NET_OBJ_UNIX_PROCESS)
00492                         if (attr == A_process) {
00493                                 enum rsbac_adf_req_ret_t tmp_result;
00494 
00495                                 i_tid.process = attr_val.process;
00496                                 tmp_result = check_comp_rc(T_PROCESS, i_tid,
00497                                                         R_SEND,
00498                                                         caller_pid);
00499                                 if ((tmp_result == NOT_GRANTED)
00500                                     || (tmp_result == UNDEFINED)
00501                                     )
00502                                         return tmp_result;
00503                         }
00504 #endif                          /* UNIX_PROCESS */
00505                         return (check_comp_rc
00506                                 (target, tid, request, caller_pid));
00507 
00508 
00509                         /* all other cases are undefined */
00510                 default:
00511                         return (DO_NOT_CARE);
00512                 }
00513 
00514         case R_LISTEN:
00515         case R_NET_SHUTDOWN:
00516                 switch (target) {
00517                 case T_UNIXSOCK:
00518                 case T_IPC:
00519 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
00520                 case T_NETOBJ:
00521 #endif
00522                         return (check_comp_rc
00523                                 (target, tid, request, caller_pid));
00524 
00525                         /* all other cases are undefined */
00526                 default:
00527                         return (DO_NOT_CARE);
00528                 }
00529         case R_ACCEPT:
00530         case R_CONNECT:
00531         case R_RECEIVE:
00532                 switch (target) {
00533                 case T_UNIXSOCK:
00534                 case T_IPC:
00535 #if defined(CONFIG_RSBAC_RC_NET_OBJ_UNIX_PROCESS)
00536                         if (attr == A_process) {
00537                                 enum rsbac_adf_req_ret_t tmp_result;
00538 
00539                                 i_tid.process = attr_val.process;
00540                                 tmp_result = check_comp_rc(T_PROCESS, i_tid,
00541                                                           request,
00542                                                           caller_pid);
00543                                 if ((tmp_result == NOT_GRANTED)
00544                                     || (tmp_result == UNDEFINED)
00545                                     )
00546                                         return tmp_result;
00547                         }
00548 #endif                          /* UNIX_PROCESS */
00549                         return (check_comp_rc
00550                                 (target, tid, request, caller_pid));
00551 
00552 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
00553                 case T_NETOBJ:
00554                         return (check_comp_rc
00555                                 (target, tid, request, caller_pid));
00556 #endif
00557 
00558                         /* all other cases are undefined */
00559                 default:
00560                         return (DO_NOT_CARE);
00561                 }
00562 
00563         case R_READ:
00564         case R_WRITE:
00565                 switch (target) {
00566                 case T_DIR:
00567 #ifdef CONFIG_RSBAC_RW
00568                 case T_FILE:
00569                 case T_FIFO:
00570                 case T_DEV:
00571 #endif
00572 #if defined(CONFIG_RSBAC_RC_UM_PROT)
00573                 case T_USER:
00574                 case T_GROUP:
00575 #endif
00576 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
00577 #if defined(CONFIG_RSBAC_NET_OBJ_RW)
00578                 case T_NETTEMP:
00579 #endif
00580 #endif
00581                         return (check_comp_rc
00582                                 (target, tid, request, caller_pid));
00583 
00584 #ifdef CONFIG_RSBAC_RW
00585                 case T_IPC:
00586                 case T_UNIXSOCK:
00587 #if defined(CONFIG_RSBAC_RC_NET_OBJ_UNIX_PROCESS)
00588                         if (attr == A_process) {
00589                                 enum rsbac_adf_req_ret_t tmp_result;
00590 
00591                                 i_tid.process = attr_val.process;
00592                                 if (request == R_READ)
00593                                         tmp_result =
00594                                             check_comp_rc(T_PROCESS, i_tid,
00595                                                           R_RECEIVE,
00596                                                           caller_pid);
00597                                 else
00598                                         tmp_result =
00599                                             check_comp_rc(T_PROCESS, i_tid,
00600                                                           R_SEND,
00601                                                           caller_pid);
00602                                 if ((tmp_result == NOT_GRANTED)
00603                                     || (tmp_result == UNDEFINED)
00604                                     )
00605                                         return tmp_result;
00606                         }
00607 #endif                          /* UNIX_PROCESS */
00608                         return (check_comp_rc
00609                                 (target, tid, request, caller_pid));
00610 #endif                          /* RW */
00611 
00612                 case T_SCD:
00613                         return (check_comp_rc_scd
00614                                 (tid.scd, request, caller_pid));
00615 
00616 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
00617 #if defined(CONFIG_RSBAC_NET_OBJ_RW)
00618                 case T_NETOBJ:
00619                         return (check_comp_rc
00620                                 (target, tid, request, caller_pid));
00621 #endif
00622 #endif
00623 
00624                         /* all other cases are unknown */
00625                 default:
00626                         return (DO_NOT_CARE);
00627                 }
00628 
00629         case R_APPEND_OPEN:
00630         case R_READ_WRITE_OPEN:
00631                 switch (target) {
00632                 case T_FILE:
00633                 case T_DEV:
00634                 case T_FIFO:
00635                 case T_IPC:
00636                         return (check_comp_rc
00637                                 (target, tid, request, caller_pid));
00638 
00639                         /* all other cases are unknown */
00640                 default:
00641                         return (DO_NOT_CARE);
00642                 }
00643 
00644         case R_MAP_EXEC:
00645                 switch (target) {
00646                 case T_FILE:
00647                         return (check_comp_rc
00648                                 (target, tid, request, caller_pid));
00649 
00650                         /* all other cases are unknown */
00651                 default:
00652                         return (DO_NOT_CARE);
00653                 }
00654 
00655         case R_CHANGE_GROUP:
00656                 switch (target) {
00657                 case T_FILE:
00658                 case T_DIR:
00659                 case T_FIFO:
00660                 case T_SYMLINK:
00661                 case T_IPC:
00662 #if defined(CONFIG_RSBAC_RC_UM_PROT)
00663                 case T_USER:
00664 #endif
00665                         return (check_comp_rc
00666                                 (target, tid, request, caller_pid));
00667 
00668                         /* all other cases are unknown */
00669                 default:
00670                         return (DO_NOT_CARE);
00671                 }
00672 
00673         case R_CHANGE_OWNER:
00674                 switch (target) {
00675                 case T_FILE:
00676                 case T_DIR:
00677                 case T_FIFO:
00678                 case T_SYMLINK:
00679                 case T_IPC:
00680                         return (check_comp_rc
00681                                 (target, tid, request, caller_pid));
00682 
00683 #ifdef CONFIG_RSBAC_USER_CHOWN
00684                 case T_USER:
00685 #if defined(CONFIG_RSBAC_AUTH)
00686                         result = check_comp_rc(target, tid, request, caller_pid);
00687                         if((result == GRANTED) || (result == DO_NOT_CARE))
00688                                 return result;
00689                         i_tid.process = caller_pid;
00690                         if ((err = rsbac_get_attr(SW_AUTH, T_PROCESS,
00691                                                   i_tid,
00692                                                   A_auth_last_auth,
00693                                                   &i_attr_val1, FALSE))) {
00694                                 rsbac_pr_get_error(A_auth_last_auth);
00695                                 return NOT_GRANTED;
00696                         }
00697                         if(i_attr_val1.auth_last_auth != tid.user)
00698                                 return NOT_GRANTED;
00699                         else
00700                                 return check_comp_rc(target, tid, RCR_CHANGE_AUTHED_OWNER, caller_pid);
00701 #else
00702                         return check_comp_rc(target, tid, request, caller_pid);
00703 #endif
00704 #endif
00705 
00706                 case T_PROCESS:
00707                         /* get rc_role from process */
00708                         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
00709                                                   tid,
00710                                                   A_rc_role,
00711                                                   &i_attr_val1, FALSE))) {
00712                                 rsbac_pr_get_error(A_rc_role);
00713                                 return NOT_GRANTED;
00714                         }
00715                         /* get def_process_chown_type of role */
00716                         i_rc_tid.role = i_attr_val1.rc_role;
00717                         if ((err = rsbac_rc_get_item(0, RT_ROLE, i_rc_tid, i_rc_tid,    /* dummy */
00718                                                      RI_def_process_chown_type,
00719                                                      &i_rc_item_val1,
00720                                                      NULL))) {
00721                                 rsbac_rc_pr_get_error
00722                                     (RI_def_process_chown_type);
00723                                 return NOT_GRANTED;
00724                         }
00725                         if ((i_rc_item_val1.type_id == RC_type_no_chown)
00726                             || (i_rc_item_val1.type_id ==
00727                                 RC_type_no_create)
00728                             )
00729                                 return (NOT_GRANTED);
00730                         else
00731                                 return (GRANTED);
00732 
00733                         /* all other cases are unknown */
00734                 default:
00735                         return (DO_NOT_CARE);
00736                 }
00737 
00738         case R_CHDIR:
00739                 switch (target) {
00740                 case T_DIR:
00741                         return (check_comp_rc
00742                                 (target, tid, request, caller_pid));
00743 
00744                         /* all other cases are unknown */
00745                 default:
00746                         return (DO_NOT_CARE);
00747                 }
00748 
00749         case R_CLONE:
00750                 if (target == T_PROCESS) {
00751                         /* check, whether we may create process of def_process_create_type */
00752                         /* get rc_role from process */
00753                         i_tid.process = caller_pid;
00754                         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
00755                                                   i_tid,
00756                                                   A_rc_role,
00757                                                   &i_attr_val1, FALSE))) {
00758                                 rsbac_pr_get_error(A_rc_role);
00759                                 return (NOT_GRANTED);
00760                         }
00761                         /* get def_process_create_type of role */
00762                         i_rc_tid.role = i_attr_val1.rc_role;
00763                         if ((err = rsbac_rc_get_item(0,
00764                                                      RT_ROLE,
00765                                                      i_rc_tid,
00766                                                      i_rc_tid,
00767                                                      RI_def_process_create_type,
00768                                                      &i_rc_item_val1,
00769                                                      NULL))) {
00770                                 rsbac_rc_pr_get_error
00771                                     (RI_def_process_create_type);
00772                                 return NOT_GRANTED;
00773                         }
00774                         switch (i_rc_item_val1.type_id) {
00775                         case RC_type_no_create:
00776                                 rsbac_pr_debug(adf_rc, "pid %u (%.15s), owner %u, rc_role %u, def_process_create_type no_create, request CLONE -> NOT_GRANTED!\n",
00777                                                caller_pid, current->comm,
00778                                                current->uid,
00779                                                i_attr_val1.rc_role);
00780                                 return (NOT_GRANTED);
00781 
00782                         case RC_type_use_new_role_def_create:
00783                         case RC_type_use_fd:
00784                                 /* error - complain and return error */
00785                                 rsbac_printk(KERN_WARNING "rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_process_create_type of role %i!\n",
00786                                              i_attr_val1.rc_role);
00787                                 return (NOT_GRANTED);
00788 
00789                         case RC_type_inherit_parent:
00790                         case RC_type_inherit_process:
00791                                 return GRANTED;
00792 
00793                         default:
00794                                 /* check, whether role has CREATE right to new type */
00795                                 /* check type_comp_process of role */
00796                                 i_rc_subtid.type = i_rc_item_val1.type_id;
00797                                 if (rsbac_rc_check_comp
00798                                     (i_attr_val1.rc_role, i_rc_subtid,
00799                                      RI_type_comp_process, R_CREATE))
00800                                         return (GRANTED);
00801                                 else {
00802                                         rsbac_printk(KERN_WARNING "rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_process_create_type %i -> NOT_GRANTED!\n",
00803                                                      i_attr_val1.rc_role,
00804                                                      i_rc_item_val1.
00805                                                      type_id);
00806                                         return (NOT_GRANTED);
00807                                 }
00808                         }
00809                 } else
00810                         return (DO_NOT_CARE);
00811 
00812                 /* Creating dir or (pseudo) file IN target dir! */
00813         case R_CREATE:
00814                 switch (target) {
00815                 case T_DIR:
00816                         /* check, whether we may create files/dirs in this dir */
00817                         result =
00818                             check_comp_rc(target, tid, request,
00819                                           caller_pid);
00820                         if ((result != GRANTED) && (result != DO_NOT_CARE))
00821                                 return result;
00822 
00823                         /* get rc_role from process */
00824                         i_tid.process = caller_pid;
00825                         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
00826                                                   i_tid,
00827                                                   A_rc_role,
00828                                                   &i_attr_val1, FALSE))) {
00829                                 rsbac_pr_get_error(A_rc_role);
00830                                 return (NOT_GRANTED);
00831                         }
00832                         /* Check, whether this process has a preselected type */
00833                         i_tid.process = caller_pid;
00834                         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
00835                                                   i_tid,
00836                                                   A_rc_select_type,
00837                                                   &i_attr_val2, FALSE))) {
00838                                 rsbac_pr_get_error(A_rc_select_type);
00839                                 return (NOT_GRANTED);
00840                         }
00841                         if (i_attr_val2.rc_select_type == RC_type_use_fd) {
00842                                 /* get def_fd_create_type of role */
00843                                 /* First get target dir's efftype */
00844                                 if ((err = rsbac_get_attr(SW_RC,
00845                                                   target,
00846                                                   tid,
00847                                                   A_rc_type_fd,
00848                                                   &i_attr_val2, TRUE))) {
00849                                         rsbac_pr_get_error(A_rc_type_fd);
00850                                         return NOT_GRANTED;
00851                                 }
00852                                 i_rc_tid.role = i_attr_val1.rc_role;
00853                                 i_rc_subtid.type = i_attr_val2.rc_type;
00854                                 if ((err = rsbac_rc_get_item(0, RT_ROLE, i_rc_tid, i_rc_subtid, RI_def_fd_ind_create_type, &i_rc_item_val1, NULL))) {   /* No individual create type -> try global */
00855                                         if ((err = rsbac_rc_get_item(0,
00856                                                              RT_ROLE,
00857                                                              i_rc_tid,
00858                                                              i_rc_subtid,
00859                                                              RI_def_fd_create_type,
00860                                                              &i_rc_item_val1,
00861                                                              NULL))) {
00862                                                 rsbac_rc_pr_get_error
00863                                                     (RI_def_fd_create_type);
00864                                                 return (NOT_GRANTED);
00865                                         }
00866                                 }
00867                         } else
00868                                 i_rc_item_val1.type_id = i_attr_val2.rc_select_type;
00869                         
00870                         switch (i_rc_item_val1.type_id) {
00871                         case RC_type_inherit_parent:
00872                                 return GRANTED;
00873                         case RC_type_no_create:
00874                                 rsbac_pr_debug(adf_rc, "pid %u (%.15s), owner %u, rc_role %u, def_fd_create_type no_create, request CREATE -> NOT_GRANTED!\n",
00875                                                caller_pid, current->comm,
00876                                                current->uid,
00877                                                i_attr_val1.rc_role);
00878                                 return (NOT_GRANTED);
00879                                 break;
00880 
00881                         case RC_type_use_new_role_def_create:
00882                         case RC_type_inherit_process:
00883                         case RC_type_use_fd:
00884                                 /* error - complain and return error */
00885                                 rsbac_printk(KERN_WARNING "rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_fd_create_type of role %i!\n",
00886                                              i_attr_val1.rc_role);
00887                                 return (NOT_GRANTED);
00888 
00889                         default:
00890                                 /* check, whether role has CREATE right to new type */
00891                                 /* get type_comp_fd of role */
00892                                 i_rc_subtid.type = i_rc_item_val1.type_id;
00893                                 if (rsbac_rc_check_comp
00894                                     (i_attr_val1.rc_role, i_rc_subtid,
00895                                      RI_type_comp_fd, R_CREATE))
00896                                         return (GRANTED);
00897                                 else {
00898                                         rsbac_printk(KERN_WARNING "rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_fd_create_type %i -> NOT_GRANTED!\n",
00899                                                      i_attr_val1.rc_role,
00900                                                      i_rc_item_val1.
00901                                                      type_id);
00902                                         return (NOT_GRANTED);
00903                                 }
00904                         }
00905 
00906                 case T_IPC:
00907                         /* check, whether we may create IPC of def_ipc_create_type */
00908                         /* get rc_role from process */
00909                         i_tid.process = caller_pid;
00910                         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
00911                                                   i_tid,
00912                                                   A_rc_role,
00913                                                   &i_attr_val1, FALSE))) {
00914                                 rsbac_pr_get_error(A_rc_role);
00915                                 return NOT_GRANTED;
00916                         }
00917                         /* get def_ipc_create_type of role */
00918                         i_rc_tid.role = i_attr_val1.rc_role;
00919                         if ((err = rsbac_rc_get_item(0,
00920                                                      RT_ROLE,
00921                                                      i_rc_tid,
00922                                                      i_rc_tid,
00923                                                      RI_def_ipc_create_type,
00924                                                      &i_rc_item_val1,
00925                                                      NULL))) {
00926                                 rsbac_rc_pr_get_error
00927                                     (RI_def_ipc_create_type);
00928                                 return (NOT_GRANTED);
00929                         }
00930                         switch (i_rc_item_val1.type_id) {
00931                         case RC_type_no_create:
00932                                 rsbac_pr_debug(adf_rc, "pid %u (%.15s), owner %u, rc_role %u, def_ipc_create_type no_create, request CREATE -> NOT_GRANTED!\n",
00933                                                caller_pid, current->comm,
00934                                                current->uid,
00935                                                i_attr_val1.rc_role);
00936                                 return (NOT_GRANTED);
00937 
00938                         case RC_type_use_new_role_def_create:
00939                                 /* error - complain and return error */
00940                                 rsbac_printk(KERN_WARNING "rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_ipc_create_type of role %i!\n",
00941                                              i_attr_val1.rc_role);
00942                                 return (NOT_GRANTED);
00943 
00944                         case RC_type_inherit_parent:
00945                         case RC_type_inherit_process:
00946                         case RC_type_use_fd:
00947                                 /* error - complain and return error */
00948                                 rsbac_printk(KERN_WARNING "rsbac_adf_request_rc(): invalid type inherit_parent in def_ipc_create_type of role %i!\n",
00949                                              i_attr_val1.rc_role);
00950                                 return (NOT_GRANTED);
00951 
00952                         default:
00953                                 /* check, whether role has CREATE right to new type */
00954                                 /* get type_comp_ipc of role */
00955                                 i_rc_subtid.type = i_rc_item_val1.type_id;
00956                                 if (rsbac_rc_check_comp
00957                                     (i_attr_val1.rc_role, i_rc_subtid,
00958                                      RI_type_comp_ipc, R_CREATE))
00959                                         return (GRANTED);
00960                                 else {
00961                                         rsbac_printk(KERN_WARNING "rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_ipc_create_type %i -> NOT_GRANTED!\n",
00962                                                      i_attr_val1.rc_role,
00963                                                      i_rc_item_val1.
00964                                                      type_id);
00965                                         return (NOT_GRANTED);
00966                                 }
00967                         }
00968 
00969 #if defined(CONFIG_RSBAC_RC_UM_PROT)
00970                 case T_USER:
00971                         /* check, whether we may create USER of def_user_create_type */
00972                         /* get rc_role from process */
00973                         i_tid.process = caller_pid;
00974                         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
00975                                                   i_tid,
00976                                                   A_rc_role,
00977                                                   &i_attr_val1, FALSE))) {
00978                                 rsbac_pr_get_error(A_rc_role);
00979                                 return (NOT_GRANTED);
00980                         }
00981                         /* get def_user_create_type of role */
00982                         i_rc_tid.role = i_attr_val1.rc_role;
00983                         if ((err = rsbac_rc_get_item(0,
00984                                                      RT_ROLE,
00985                                                      i_rc_tid,
00986                                                      i_rc_tid,
00987                                                      RI_def_user_create_type,
00988                                                      &i_rc_item_val1,
00989                                                      NULL))) {
00990                                 rsbac_rc_pr_get_error
00991                                     (RI_def_user_create_type);
00992                                 return (NOT_GRANTED);
00993                         }
00994                         switch (i_rc_item_val1.type_id) {
00995                         case RC_type_no_create:
00996                                 rsbac_pr_debug(adf_rc, "pid %u (%.15s), owner %u, rc_role %u, def_user_create_type no_create, request CREATE -> NOT_GRANTED!\n",
00997                                                caller_pid, current->comm,
00998                                                current->uid,
00999                                                i_attr_val1.rc_role);
01000                                 return (NOT_GRANTED);
01001 
01002                         case RC_type_use_new_role_def_create:
01003                                 /* error - complain and return error */
01004                                 rsbac_printk(KERN_WARNING "rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_user_create_type of role %i!\n",
01005                                              i_attr_val1.rc_role);
01006                                 return (NOT_GRANTED);
01007 
01008                         case RC_type_inherit_parent:
01009                         case RC_type_inherit_process:
01010                         case RC_type_use_fd:
01011                                 /* error - complain and return error */
01012                                 rsbac_printk(KERN_WARNING "rsbac_adf_request_rc(): invalid type inherit_parent in def_user_create_type of role %i!\n",
01013                                              i_attr_val1.rc_role);
01014                                 return (NOT_GRANTED);
01015 
01016                         default:
01017                                 /* check, whether role has CREATE right to new type */
01018                                 /* get type_comp_ipc of role */
01019                                 i_rc_subtid.type = i_rc_item_val1.type_id;
01020                                 if (rsbac_rc_check_comp
01021                                     (i_attr_val1.rc_role, i_rc_subtid,
01022                                      RI_type_comp_user, R_CREATE))
01023                                         return (GRANTED);
01024                                 else {
01025                                         rsbac_printk(KERN_WARNING "rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_user_create_type %i -> NOT_GRANTED!\n",
01026                                                      i_attr_val1.rc_role,
01027                                                      i_rc_item_val1.
01028                                                      type_id);
01029                                         return (NOT_GRANTED);
01030                                 }
01031                         }
01032 
01033                 case T_GROUP:
01034                         /* check, whether we may create GROUP of def_group_create_type */
01035                         /* get rc_role from process */
01036                         i_tid.process = caller_pid;
01037                         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
01038                                                   i_tid,
01039                                                   A_rc_role,
01040                                                   &i_attr_val1, FALSE))) {
01041                                 rsbac_pr_get_error(A_rc_role);
01042                                 return (NOT_GRANTED);
01043                         }
01044                         /* get def_group_create_type of role */
01045                         i_rc_tid.role = i_attr_val1.rc_role;
01046                         if ((err = rsbac_rc_get_item(0,
01047                                                      RT_ROLE,
01048                                                      i_rc_tid,
01049                                                      i_rc_tid,
01050                                                      RI_def_group_create_type,
01051                                                      &i_rc_item_val1,
01052                                                      NULL))) {
01053                                 rsbac_rc_pr_get_error
01054                                     (RI_def_group_create_type);
01055                                 return (NOT_GRANTED);
01056                         }
01057                         switch (i_rc_item_val1.type_id) {
01058                         case RC_type_no_create:
01059                                 rsbac_pr_debug(adf_rc, "pid %u (%.15s), owner %u, rc_role %u, def_group_create_type no_create, request CREATE -> NOT_GRANTED!\n",
01060                                                caller_pid, current->comm,
01061                                                current->uid,
01062                                                i_attr_val1.rc_role);
01063                                 return (NOT_GRANTED);
01064 
01065                         case RC_type_use_new_role_def_create:
01066                                 /* error - complain and return error */
01067                                 rsbac_printk(KERN_WARNING "rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_group_create_type of role %i!\n",
01068                                              i_attr_val1.rc_role);
01069                                 return (NOT_GRANTED);
01070 
01071                         case RC_type_inherit_parent:
01072                         case RC_type_inherit_process:
01073                         case RC_type_use_fd:
01074                                 /* error - complain and return error */
01075                                 rsbac_printk(KERN_WARNING "rsbac_adf_request_rc(): invalid type inherit_parent in def_group_create_type of role %i!\n",
01076                                              i_attr_val1.rc_role);
01077                                 return (NOT_GRANTED);
01078 
01079                         default:
01080                                 /* check, whether role has CREATE right to new type */
01081                                 /* get type_comp_ipc of role */
01082                                 i_rc_subtid.type = i_rc_item_val1.type_id;
01083                                 if (rsbac_rc_check_comp
01084                                     (i_attr_val1.rc_role, i_rc_subtid,
01085                                      RI_type_comp_group, R_CREATE))
01086                                         return (GRANTED);
01087                                 else {
01088                                         rsbac_printk(KERN_WARNING "rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_group_create_type %i -> NOT_GRANTED!\n",
01089                                                      i_attr_val1.rc_role,
01090                                                      i_rc_item_val1.
01091                                                      type_id);
01092                                         return (NOT_GRANTED);
01093                                 }
01094                         }
01095 #endif                          /* RSBAC_RC_UM_PROT */
01096 
01097 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
01098                 case T_NETTEMP:
01099                         /* get rc_role from process */
01100                         i_tid.process = caller_pid;
01101                         if ((err = rsbac_get_attr(SW_RC,
01102                                                   T_PROCESS,
01103                                                   i_tid,
01104                                                   A_rc_role,
01105                                                   &i_attr_val1, FALSE))) {
01106                                 rsbac_pr_get_error(A_rc_role);
01107                                 return NOT_GRANTED;
01108                         }
01109                         /* get type_comp_xxx of role - we always use type GENERAL for CREATE */
01110                         i_rc_subtid.type = RSBAC_RC_GENERAL_TYPE;
01111                         if (rsbac_rc_check_comp(i_attr_val1.rc_role,
01112                                                 i_rc_subtid,
01113                                                 RI_type_comp_nettemp,
01114                                                 request))
01115                                 return (GRANTED);
01116                         else {
01117                                 rsbac_pr_debug(adf_rc, "rc_role is %i, rc_nettemp_type is %i, request is CREATE -> NOT_GRANTED!\n",
01118                                                i_attr_val1.rc_role,
01119                                                RSBAC_RC_GENERAL_TYPE);
01120                                 return (NOT_GRANTED);
01121                         }
01122 
01123                 case T_NETOBJ:
01124                         /* check, whether we may create NETOBJ of this type */
01125                         return(check_comp_rc(target, tid, request, caller_pid));
01126 #endif
01127 
01128                         /* all other cases are unknown */
01129                 default:
01130                         return (DO_NOT_CARE);
01131                 }
01132 
01133         case R_DELETE:
01134                 switch (target) {
01135                 case T_FILE:
01136                 case T_DIR:
01137                 case T_FIFO:
01138                 case T_SYMLINK:
01139                 case T_UNIXSOCK:
01140                 case T_IPC:
01141 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
01142                 case T_NETTEMP:
01143                 case T_NETOBJ:
01144 #endif
01145 #if defined(CONFIG_RSBAC_RC_UM_PROT)
01146                 case T_USER:
01147                 case T_GROUP:
01148 #endif
01149                         return (check_comp_rc
01150                                 (target, tid, request, caller_pid));
01151 
01152                         /* all other cases are unknown */
01153                 default:
01154                         return (DO_NOT_CARE);
01155                 }
01156 
01157         case R_EXECUTE:
01158                 switch (target) {
01159                 case T_FILE:
01160                         /* get rc_role from process */
01161                         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
01162                                                   tid,
01163                                                   A_rc_role,
01164                                                   &i_attr_val1, FALSE))) {
01165                                 rsbac_pr_get_error(A_rc_role);
01166                                 return NOT_GRANTED;
01167                         }
01168                         /* get def_process_execute_type of role */
01169                         i_rc_tid.role = i_attr_val1.rc_role;
01170                         if ((err = rsbac_rc_get_item(0,
01171                                                      RT_ROLE,
01172                                                      i_rc_tid,
01173                                                      i_rc_tid,
01174                                                      RI_def_process_execute_type,
01175                                                      &i_rc_item_val1,
01176                                                      NULL))) {
01177                                 rsbac_rc_pr_get_error
01178                                     (RI_def_process_execute_type);
01179                                 return (NOT_GRANTED);
01180                         }
01181                         if (i_rc_item_val1.type_id == RC_type_no_execute)
01182                                 return (NOT_GRANTED);
01183                         else
01184                                 return (check_comp_rc
01185                                         (target, tid, request,
01186                                          caller_pid));
01187 
01188                         /* all other cases are unknown */
01189                 default:
01190                         return (DO_NOT_CARE);
01191                 }
01192 
01193         case R_GET_PERMISSIONS_DATA:
01194                 switch (target) {
01195                 case T_SCD:
01196                         return (check_comp_rc_scd
01197                                 (tid.scd, request, caller_pid));
01198                 case T_FILE:
01199                 case T_DIR:
01200                 case T_FIFO:
01201                 case T_SYMLINK:
01202                 case T_UNIXSOCK:
01203                 case T_IPC:
01204                 case T_DEV:
01205 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
01206                 case T_NETOBJ:
01207 #endif
01208 #if defined(CONFIG_RSBAC_RC_UM_PROT)
01209                 case T_USER:
01210                 case T_GROUP:
01211 #endif
01212                         return (check_comp_rc
01213                                 (target, tid, request, caller_pid));
01214 
01215                 default:
01216                         return (DO_NOT_CARE);
01217                 };
01218 
01219         case R_LINK_HARD:
01220                 switch (target) {
01221                 case T_FILE:
01222                 case T_FIFO:
01223                 case T_SYMLINK:
01224                         return (check_comp_rc
01225                                 (target, tid, request, caller_pid));
01226 
01227                         /* all other cases are unknown */
01228                 default:
01229                         return (DO_NOT_CARE);
01230                 }
01231 
01232         case R_MODIFY_ACCESS_DATA:
01233                 switch (target) {
01234                 case T_FILE:
01235                 case T_DIR:
01236                 case T_FIFO:
01237                 case T_SYMLINK:
01238                 case T_UNIXSOCK:
01239                         return (check_comp_rc
01240                                 (target, tid, request, caller_pid));
01241 
01242                         /* all other cases are unknown */
01243                 default:
01244                         return (DO_NOT_CARE);
01245                 }
01246 
01247         case R_AUTHENTICATE:
01248                 switch (target) {
01249                 case T_USER:
01250                         return (check_comp_rc
01251                                 (target, tid, request, caller_pid));
01252 
01253                         /* all other cases are unknown */
01254                 default:
01255                         return (DO_NOT_CARE);
01256                 }
01257 
01258         case R_MODIFY_ATTRIBUTE:
01259                 switch (attr) { /* owner must be changed by other request to prevent inconsistency */
01260                 case A_owner:
01261                         return (NOT_GRANTED);
01262                 case A_rc_type:
01263                 case A_local_rc_type:
01264                 case A_remote_rc_type:
01265                 case A_rc_type_fd:
01266                 case A_rc_type_nt:
01267                 case A_rc_select_type:
01268                         /* Granted on target? */
01269                         result =
01270                             check_comp_rc(target, tid, request,
01271                                           caller_pid);
01272                         if ((result == GRANTED)
01273                             || (result == DO_NOT_CARE)
01274                             ) {
01275                                 /* Granted on type? */
01276                                 result =
01277                                     rsbac_rc_check_type_comp(target,
01278                                                              attr_val.
01279                                                              rc_type,
01280                                                              RCR_ASSIGN,
01281                                                              caller_pid);
01282                                 if ((result == GRANTED)
01283                                     || (result == DO_NOT_CARE)
01284                                     )
01285                                         return result;
01286                         }
01287                         /* Classical admin_type check */
01288                         if ((err = rsbac_rc_test_role_admin(TRUE)))
01289                                 return (NOT_GRANTED);
01290                         else
01291                                 return (GRANTED);
01292 
01293                 case A_rc_force_role:
01294                 case A_rc_initial_role:
01295                 case A_rc_role:
01296                 case A_rc_def_role:
01297                         /* Granted on target? */
01298                         result =
01299                             check_comp_rc(target, tid, request,
01300                                           caller_pid);
01301                         if ((result == GRANTED)
01302                             || (result == DO_NOT_CARE)
01303                             ) {
01304                                 /* test assign_roles of process / modify */
01305                                 if (!
01306                                     (err =
01307                                      rsbac_rc_test_assign_roles(target,
01308                                                                 tid, attr,
01309                                                                 attr_val.
01310                                                                 rc_role)))
01311                                         return (GRANTED);
01312                         }
01313                         /* Classical admin_type check */
01314                         if (rsbac_rc_test_role_admin(TRUE))
01315                                 return (NOT_GRANTED);
01316                         else
01317                                 return (GRANTED);
01318 
01319                         /* you may only change a user's pseudo, if you also may assign her role */
01320                 case A_pseudo:
01321                         if (target != T_USER)
01322                                 return UNDEFINED;
01323                         /* test assign_roles of process for user's role only */
01324                         if (rsbac_rc_test_assign_roles
01325                             (target, tid, A_rc_def_role,
01326                              RC_role_inherit_user))
01327                                 return (NOT_GRANTED);
01328                         else
01329                                 return (GRANTED);
01330 
01331 #ifdef CONFIG_RSBAC_RC_GEN_PROT
01332                 case A_log_array_low:
01333                 case A_log_array_high:
01334                 case A_log_program_based:
01335                 case A_log_user_based:
01336                 case A_symlink_add_remote_ip:
01337                 case A_symlink_add_uid:
01338                 case A_symlink_add_rc_role:
01339                 case A_linux_dac_disable:
01340                 case A_fake_root_uid:
01341                 case A_audit_uid:
01342                 case A_auid_exempt:
01343                 case A_remote_ip:
01344                         /* Explicitely granted? */
01345                         result =
01346                             check_comp_rc(target, tid, request,
01347                                           caller_pid);
01348                         if ((result == GRANTED)
01349                             || (result == DO_NOT_CARE)
01350                             )
01351                                 return result;
01352                         /* Failed -> Classical admin_type check / modify */
01353                         if (rsbac_rc_test_role_admin(TRUE))
01354                                 return (NOT_GRANTED);
01355                         else
01356                                 return (GRANTED);
01357 #endif
01358 
01359                         /* All attributes (remove target!) */
01360                 case A_none:
01361                         switch (target) {
01362                         case T_USER:
01363                                 /* test assign_roles of process for user's role */
01364                                 if ((err =
01365                                      rsbac_rc_test_assign_roles(target,
01366                                                                 tid,
01367                                                                 A_rc_def_role,
01368                                                                 RC_role_inherit_user)))
01369                                         return (NOT_GRANTED);
01370                                 else
01371                                         return (GRANTED);
01372 
01373                         default:
01374                                 /* Explicitely granted? */
01375                                 return (check_comp_rc
01376                                         (target, tid, request,
01377                                          caller_pid));
01378                         }
01379 
01380 #ifdef CONFIG_RSBAC_RC_AUTH_PROT
01381                 case A_auth_may_setuid:
01382                 case A_auth_may_set_cap:
01383                 case A_auth_start_uid:
01384                 case A_auth_start_euid:
01385                 case A_auth_start_gid:
01386                 case A_auth_start_egid:
01387                 case A_auth_program_file:
01388                 case A_auth_learn:
01389                 case A_auth_add_f_cap:
01390                 case A_auth_remove_f_cap:
01391                 case A_auth_last_auth:
01392                         /* may manipulate auth capabilities, if allowed in general... */
01393                         result =
01394                             check_comp_rc_scd(RST_auth_administration,
01395                                               request, caller_pid);
01396                         if ((result == GRANTED)
01397                             || (result == DO_NOT_CARE)
01398                             ) {
01399                                 /* ...and for this target */
01400                                 result =
01401                                     check_comp_rc(target, tid,
01402                                                   RCR_MODIFY_AUTH,
01403                                                   caller_pid);
01404                                 if ((result == GRANTED)
01405                                     || (result == DO_NOT_CARE)
01406                                     )
01407                                         return result;
01408                         }
01409                         /* Last chance: classical admin_type check */
01410                         if ((err = rsbac_rc_test_role_admin(TRUE)))
01411                                 return (NOT_GRANTED);
01412                         else
01413                                 return (GRANTED);
01414 #endif
01415 
01416                 default:
01417                         return (DO_NOT_CARE);
01418                 }
01419 
01420         case R_MODIFY_PERMISSIONS_DATA:
01421                 switch (target) {
01422                 case T_FILE:
01423                 case T_DIR:
01424                 case T_FIFO:
01425                 case T_SYMLINK:
01426                 case T_UNIXSOCK:
01427                 case T_IPC:
01428                 case T_DEV:
01429 #if defined(CONFIG_RSBAC_RC_UM_PROT)
01430                 case T_USER:
01431                 case T_GROUP:
01432 #endif
01433 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
01434                 case T_NETOBJ:
01435 #endif
01436                         return (check_comp_rc
01437                                 (target, tid, request, caller_pid));
01438 
01439                 case T_SCD:
01440                         return (check_comp_rc_scd
01441                                 (tid.scd, request, caller_pid));
01442 
01443 #ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE
01444                 case T_NONE:
01445                         /* may turn off Linux DAC, if compatible */
01446                         return (check_comp_rc_scd
01447                                 (ST_other, request, caller_pid));
01448 #endif
01449 
01450                         /* all other cases are unknown */
01451                 default:
01452                         return (DO_NOT_CARE);
01453                 }
01454 
01455         case R_MODIFY_SYSTEM_DATA:
01456                 switch (target) {
01457                 case T_SCD:
01458                         return (check_comp_rc_scd
01459                                 (tid.scd, request, caller_pid));
01460 
01461                 case T_DEV:
01462                 case T_PROCESS:
01463                 case T_IPC:
01464 #if defined(CONFIG_RSBAC_RC_NET_DEV_PROT)
01465                 case T_NETDEV:
01466 #endif
01467 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
01468                 case T_NETOBJ:
01469 #endif
01470                         return (check_comp_rc
01471                                 (target, tid, request, caller_pid));
01472 
01473                         /* all other cases are unknown */
01474                 default:
01475                         return (DO_NOT_CARE);
01476                 }
01477 
01478         case R_MOUNT:
01479                 switch (target) {
01480                 case T_FILE:
01481                 case T_DIR:
01482                 case T_DEV:
01483                         return (check_comp_rc
01484                                 (target, tid, request, caller_pid));
01485 
01486                         /* all other cases are unknown */
01487                 default:
01488                         return (DO_NOT_CARE);
01489                 }
01490 
01491         case R_READ_ATTRIBUTE:
01492                 switch (attr) {
01493                 case A_rc_type:
01494                 case A_rc_type_fd:
01495                 case A_rc_type_nt:
01496                 case A_rc_force_role:
01497                 case A_rc_initial_role:
01498                 case A_rc_role:
01499                 case A_rc_def_role:
01500                 case A_rc_select_type:
01501                 case A_pseudo:
01502 #ifdef CONFIG_RSBAC_RC_GEN_PROT
01503                 case A_owner:
01504                 case A_log_array_low:
01505                 case A_log_array_high:
01506                 case A_log_program_based:
01507                 case A_log_user_based:
01508                 case A_symlink_add_remote_ip:
01509                 case A_symlink_add_uid:
01510                 case A_symlink_add_rc_role:
01511                 case A_linux_dac_disable:
01512                 case A_fake_root_uid:
01513                 case A_audit_uid:
01514                 case A_auid_exempt:
01515                 case A_remote_ip:
01516 #endif
01517                         /* Explicitely granted? */
01518                         result =
01519                             check_comp_rc(target, tid, request,
01520                                           caller_pid);
01521                         if ((result == GRANTED)
01522                             || (result == DO_NOT_CARE)
01523                             )
01524                                 return result;
01525                         /* Failed -> Classical admin_type check / modify */
01526                         if (rsbac_rc_test_role_admin(FALSE))
01527                                 return (NOT_GRANTED);
01528                         else
01529                                 return (GRANTED);
01530 
01531 #ifdef CONFIG_RSBAC_RC_AUTH_PROT
01532                 case A_auth_may_setuid:
01533                 case A_auth_may_set_cap:
01534                 case A_auth_start_uid:
01535                 case A_auth_start_euid:
01536                 case A_auth_start_gid:
01537                 case A_auth_start_egid:
01538                 case A_auth_program_file:
01539                 case A_auth_learn:
01540                 case A_auth_add_f_cap:
01541                 case A_auth_remove_f_cap:
01542                 case A_auth_last_auth:
01543                         /* may read auth capabilities, if compatible */
01544                         result =
01545                             check_comp_rc_scd(RST_auth_administration,
01546                                               request, caller_pid);
01547                         if ((result == GRANTED)
01548                             || (result == DO_NOT_CARE)
01549                             )
01550                                 return result;
01551                         /* Failed -> Classical admin_type check / modify */
01552                         if (rsbac_rc_test_role_admin(FALSE))
01553                                 return (NOT_GRANTED);
01554                         else
01555                                 return (GRANTED);
01556 #endif
01557 
01558                 default:
01559                         return (DO_NOT_CARE);
01560                 }
01561 
01562         case R_READ_OPEN:
01563                 switch (target) {
01564                 case T_FILE:
01565                 case T_FIFO:
01566                 case T_UNIXSOCK:
01567                 case T_DEV:
01568                 case T_IPC:
01569                         return (check_comp_rc
01570                                 (target, tid, request, caller_pid));
01571 
01572                         /* all other cases are unknown */
01573                 default:
01574                         return (DO_NOT_CARE);
01575                 }
01576 
01577         case R_ADD_TO_KERNEL:
01578                 switch (target) {
01579                 case T_NONE:
01580                         /* may add to kernel, if compatible */
01581                         return (check_comp_rc_scd
01582                                 (ST_other, request, caller_pid));
01583 
01584                 case T_FILE:
01585                 case T_DEV:
01586                         return (check_comp_rc
01587                                 (target, tid, request, caller_pid));
01588 
01589                         /* all other cases are unknown */
01590                 default:
01591                         return (DO_NOT_CARE);
01592                 }
01593 
01594 
01595         case R_ALTER:
01596                 /* only for IPC */
01597                 switch (target) {
01598                 case T_IPC:
01599                         return (check_comp_rc
01600                                 (target, tid, request, caller_pid));
01601 
01602                         /* all other cases are unknown */
01603                 default:
01604                         return (DO_NOT_CARE);
01605                 }
01606 
01607         case R_REMOVE_FROM_KERNEL:
01608                 switch (target) {
01609                 case T_NONE:
01610                         return (check_comp_rc_scd
01611                                 (ST_other, request, caller_pid));
01612 
01613                 case T_FILE:
01614                 case T_DEV:
01615                         return (check_comp_rc
01616                                 (target, tid, request, caller_pid));
01617 
01618                         /* all other cases are unknown */
01619                 default:
01620                         return (DO_NOT_CARE);
01621                 }
01622 
01623         case R_RENAME:
01624                 switch (target) {
01625                 case T_FILE:
01626                 case T_DIR:
01627                 case T_FIFO:
01628                 case T_SYMLINK:
01629                 case T_UNIXSOCK:
01630 #if defined(CONFIG_RSBAC_RC_UM_PROT)
01631                 case T_USER:
01632                 case T_GROUP:
01633 #endif
01634                         return (check_comp_rc
01635                                 (target, tid, request, caller_pid));
01636 
01637                         /* all other cases are unknown */
01638                 default:
01639                         return (DO_NOT_CARE);
01640                 }
01641 
01642         case R_SEND_SIGNAL:
01643         case R_TRACE:
01644                 if (target == T_PROCESS)
01645                         return (check_comp_rc
01646                                 (target, tid, request, caller_pid));
01647                 else
01648                         return (DO_NOT_CARE);
01649 
01650         case R_SHUTDOWN:
01651                 switch (target) {
01652                 case T_NONE:
01653                         return (check_comp_rc_scd
01654                                 (ST_other, request, caller_pid));
01655 
01656                         /* all other cases are unknown */
01657                 default:
01658                         return (DO_NOT_CARE);
01659                 }
01660 
01661         case R_SWITCH_LOG:
01662                 switch (target) {
01663                 case T_NONE:
01664                         return (check_comp_rc_scd
01665                                 (ST_other, request, caller_pid));
01666 
01667                         /* all other cases are unknown */
01668                 default:
01669                         return (DO_NOT_CARE);
01670                 }
01671 
01672         case R_SWITCH_MODULE:
01673                 switch (target) {
01674                 case T_NONE:
01675                         /* we need the switch_target */
01676                         if (attr != A_switch_target)
01677                                 return (UNDEFINED);
01678                         /* do not care for other modules */
01679                         if ((attr_val.switch_target != SW_RC)
01680 #ifdef CONFIG_RSBAC_SOFTMODE
01681                             && (attr_val.switch_target != SW_SOFTMODE)
01682 #endif
01683 #ifdef CONFIG_RSBAC_FREEZE
01684                             && (attr_val.switch_target != SW_FREEZE)
01685 #endif
01686 #ifdef CONFIG_RSBAC_RC_AUTH_PROT
01687                             && (attr_val.switch_target != SW_AUTH)
01688 #endif
01689                             )
01690                                 return (DO_NOT_CARE);
01691                         return (check_comp_rc_scd
01692                                 (ST_other, request, caller_pid));
01693 
01694                         /* all other cases are unknown */
01695                 default:
01696                         return (DO_NOT_CARE);
01697                 }
01698 
01699         case R_TERMINATE:
01700                 if (target == T_PROCESS)
01701                         return (DO_NOT_CARE);
01702                 else
01703                         return (DO_NOT_CARE);
01704 
01705         case R_TRUNCATE:
01706                 switch (target) {
01707                 case T_FILE:
01708                         return (check_comp_rc
01709                                 (target, tid, request, caller_pid));
01710 
01711                         /* all other cases are unknown */
01712                 default:
01713                         return (DO_NOT_CARE);
01714                 }
01715 
01716         case R_WRITE_OPEN:
01717                 switch (target) {
01718                 case T_FILE:
01719                 case T_DEV:
01720                 case T_FIFO:
01721                 case T_UNIXSOCK:
01722                 case T_IPC:
01723                         return (check_comp_rc
01724                                 (target, tid, request, caller_pid));
01725 
01726                         /* all other cases are unknown */
01727                 default:
01728                         return (DO_NOT_CARE);
01729                 }
01730 
01731         case R_UMOUNT:
01732                 switch (target) {
01733                 case T_FILE:
01734                 case T_DIR:
01735                 case T_DEV:
01736                         return (check_comp_rc
01737                                 (target, tid, request, caller_pid));
01738 
01739                         /* all other cases are unknown */
01740                 default:
01741                         return (DO_NOT_CARE);
01742                 }
01743 
01744 
01745 #if defined(CONFIG_RSBAC_NET)
01746         case R_BIND:
01747                 switch (target) {
01748 #if defined(CONFIG_RSBAC_RC_NET_DEV_PROT)
01749                 case T_NETDEV:
01750                         return (check_comp_rc
01751                                 (target, tid, request, caller_pid));
01752 #endif
01753 
01754 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
01755                 case T_NETOBJ:
01756                         return (check_comp_rc
01757                                 (target, tid, request, caller_pid));
01758 #endif
01759 
01760                         /* all other cases are undefined */
01761                 default:
01762                         return (DO_NOT_CARE);
01763                 }
01764 #endif
01765 
01766         case R_IOCTL:
01767                 switch (target) {
01768                 case T_DEV:
01769                 case T_UNIXSOCK:
01770                 case T_IPC:
01771                         return (check_comp_rc
01772                                 (target, tid, request, caller_pid));
01773 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
01774                 case T_NETOBJ:
01775 #endif
01776                         return (check_comp_rc
01777                                 (target, tid, request, caller_pid));
01778 
01779                 default:
01780                         return (DO_NOT_CARE);
01781                 }
01782 
01783         case R_LOCK:
01784                 switch (target) {
01785                 case T_FILE:
01786                 case T_DIR:
01787                 case T_FIFO:
01788                 case T_SYMLINK:
01789                 case T_UNIXSOCK:
01790                         return (check_comp_rc
01791                                 (target, tid, request, caller_pid));
01792 
01793                 default:
01794                         return (DO_NOT_CARE);
01795                 }
01796         case RCR_SELECT:
01797                 switch (target) {
01798                 case T_FILE:
01799                 case T_DIR:
01800                 case T_FIFO:
01801                 case T_SYMLINK:
01802                 case T_UNIXSOCK:
01803                         return (check_comp_rc
01804                                 (target, tid, request, caller_pid));
01805                 default:
01806                         return (DO_NOT_CARE);
01807                 }
01808         default:
01809                 return DO_NOT_CARE;
01810         }
01811 
01812         return result;
01813 }
01814 
01815 /*****************************************************************************/
01816 /* If the request returned granted and the operation is performed,           */
01817 /* the following function can be called by the AEF to get all aci set        */
01818 /* correctly. For write accesses that are performed fully within the kernel, */
01819 /* this is usually not done to prevent extra calls, including R_CLOSE for    */
01820 /* cleaning up. Because of this, the write boundary is not adjusted - there  */
01821 /* is no user-level writing anyway...                                        */
01822 /* The second instance of target specification is the new target, if one has */
01823 /* been created, otherwise its values are ignored.                           */
01824 /* On success, 0 is returned, and an error from rsbac/error.h otherwise.     */
01825 
01826 inline int rsbac_adf_set_attr_rc(enum rsbac_adf_request_t request,
01827                           rsbac_pid_t caller_pid,
01828                           enum rsbac_target_t target,
01829                           union rsbac_target_id_t tid,
01830                           enum rsbac_target_t new_target,
01831                           union rsbac_target_id_t new_tid,
01832                           enum rsbac_attribute_t attr,
01833                           union rsbac_attribute_value_t attr_val,
01834                           rsbac_uid_t owner)
01835 {
01836         int err;
01837         union rsbac_target_id_t i_tid;
01838         union rsbac_attribute_value_t i_attr_val1;
01839         union rsbac_attribute_value_t i_attr_val2;
01840         union rsbac_rc_target_id_t i_rc_tid;
01841         union rsbac_rc_target_id_t i_rc_subtid;
01842         union rsbac_rc_item_value_t i_rc_item_val1;
01843 
01844         switch (request) {
01845         case R_CLOSE:
01846         case R_ACCEPT:
01847         case R_READ:
01848                 return 0;
01849         case R_CHANGE_OWNER:
01850                 switch (target) {
01851                 case T_PROCESS:
01852                         /* setting owner for process is done in main dispatcher */
01853                         /* Here we have to adjust the rc_type and set the rc_role */
01854                         /* to the new owner's rc_def_role */
01855                         if (attr != A_owner)
01856                                 return (-RSBAC_EINVALIDATTR);
01857 
01858                         /* get old rc_role from process */
01859                         i_tid.process = caller_pid;
01860                         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
01861                                                   i_tid,
01862                                                   A_rc_role,
01863                                                   &i_attr_val1, TRUE))) {
01864                                 rsbac_pr_get_error(A_rc_role);
01865                                 return -RSBAC_EREADFAILED;
01866                         }
01867                         /* get def_process_chown_type of old role */
01868                         i_rc_tid.role = i_attr_val1.rc_role;
01869                         if ((err = rsbac_rc_get_item(0,
01870                                                      RT_ROLE,
01871                                                      i_rc_tid,
01872                                                      i_rc_tid,
01873                                                      RI_def_process_chown_type,
01874                                                      &i_rc_item_val1,
01875                                                      NULL))) {
01876                                 rsbac_rc_pr_get_error
01877                                     (RI_def_process_chown_type);
01878                                 return -RSBAC_EREADFAILED;
01879                         }
01880 
01881                         /* get rc_force_role from process */
01882                         i_tid.process = caller_pid;
01883                         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
01884                                                   i_tid,
01885                                                   A_rc_force_role,
01886                                                   &i_attr_val1, TRUE))) {
01887                                 rsbac_pr_get_error(A_rc_force_role);
01888                                 return -RSBAC_EREADFAILED;
01889                         }
01890                         /* only set to user's rc_def_role, if indicated by force_role, otherwise keep */
01891                         if ((i_attr_val1.rc_force_role ==
01892                              RC_role_inherit_user)
01893                             || (i_attr_val1.rc_force_role ==
01894                                 RC_role_inherit_up_mixed)
01895                             ) {
01896                                 /* get rc_def_role from new owner */
01897                                 i_tid.user = attr_val.owner;
01898                                 if ((err = rsbac_get_attr(SW_RC, T_USER,
01899                                                           i_tid,
01900                                                           A_rc_def_role,
01901                                                           &i_attr_val1,
01902                                                           TRUE))) {
01903                                         rsbac_pr_get_error(A_rc_def_role);
01904                                         return -RSBAC_EREADFAILED;
01905                                 }
01906                                 /* check rc_def_role, warn, if unusable */
01907                                 if (i_attr_val1.rc_def_role >
01908                                     RC_role_max_value) {
01909                                         rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_rc(): rc_def_role %u of user %u is higher than MAX_ROLE %u, setting role of process %u to GENERAL_ROLE %u!\n",
01910                                                      i_attr_val1.
01911                                                      rc_def_role,
01912                                                      attr_val.owner,
01913                                                      RC_role_max_value,
01914                                                      caller_pid,
01915                                                      RSBAC_RC_GENERAL_ROLE);
01916                                         i_attr_val1.rc_def_role =
01917                                             RSBAC_RC_GENERAL_ROLE;
01918                                 }
01919                                 /* set new rc_role for process */
01920                                 i_tid.process = caller_pid;
01921                                 if ((err = rsbac_set_attr(SW_RC, T_PROCESS,
01922                                                           i_tid,
01923                                                           A_rc_role,
01924                                                           i_attr_val1))) {
01925                                         rsbac_pr_set_error(A_rc_role);
01926                                         return -RSBAC_EWRITEFAILED;
01927                                 }
01928                         } else
01929                             /* set it to the force_role, if real role) */
01930                         if ((i_attr_val1.rc_force_role <= RC_role_max_value)
01931                             ) {
01932                                 /* set new rc_role for process */
01933                                 i_tid.process = caller_pid;
01934                                 if ((err = rsbac_set_attr(SW_RC, T_PROCESS,
01935                                                           i_tid,
01936                                                           A_rc_role,
01937                                                           i_attr_val1))) {
01938                                         rsbac_pr_set_error(A_rc_role);
01939                                         return -RSBAC_EWRITEFAILED;
01940                                 }
01941                         }
01942 
01943                         /* adjust type: switch on def_process_chown_type of old role */
01944                         switch (i_rc_item_val1.type_id) {
01945                         case RC_type_inherit_parent:
01946                         case RC_type_inherit_process:
01947                                 /* keep old type */
01948                                 break;
01949                         case RC_type_use_new_role_def_create:
01950                                 /* get new rc_role from process */
01951                                 i_tid.process = caller_pid;
01952                                 if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
01953                                                           i_tid,
01954                                                           A_rc_role,
01955                                                           &i_attr_val1, TRUE))) {
01956                                         rsbac_pr_get_error(A_rc_role);
01957                                         return -RSBAC_EREADFAILED;
01958                                 }
01959                                 /* Cannot adjust, if new role is no real role */
01960                                 if (i_attr_val1.rc_role >
01961                                     RC_role_max_value)
01962                                         break;
01963                                 /* get def_process_create_type of new role */
01964                                 i_rc_tid.role = i_attr_val1.rc_role;
01965                                 if ((err = rsbac_rc_get_item(0,
01966                                                              RT_ROLE,
01967                                                              i_rc_tid,
01968                                                              i_rc_tid,
01969                                                              RI_def_process_create_type,
01970                                                              &i_rc_item_val1,
01971                                                              NULL))) {
01972                                         rsbac_rc_pr_get_error
01973                                             (RI_def_process_create_type);
01974                                         return (-RSBAC_EREADFAILED);
01975                                 }
01976                                 switch (i_rc_item_val1.type_id) {
01977                                 case RC_type_inherit_parent:
01978                                 case RC_type_inherit_process:
01979                                         /* keep old type */
01980                                         break;
01981                                 case RC_type_use_new_role_def_create:
01982                                         /* error - complain, but keep type (inherit) */
01983                                         rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_process_create_type of role %i!\n",
01984                                                      i_attr_val1.rc_role);
01985                                         break;
01986                                 case RC_type_no_create:
01987                                         /* set rc_type for process to general */
01988                                         i_rc_item_val1.type_id =
01989                                             RSBAC_RC_GENERAL_TYPE;
01990                                         /* fall through */
01991                                 default:
01992                                         /* set rc_type for process */
01993                                         i_attr_val1.rc_type =
01994                                             i_rc_item_val1.type_id;
01995                                         if ((err =
01996                                              rsbac_set_attr(SW_RC, T_PROCESS,
01997                                                             i_tid,
01998                                                             A_rc_type,
01999                                                             i_attr_val1)))
02000                                         {
02001                                                 rsbac_pr_set_error(A_rc_type);
02002                                                 return -RSBAC_EWRITEFAILED;
02003                                         }
02004                                 }
02005                                 break;
02006                         case RC_type_no_create:
02007                         case RC_type_no_chown:
02008                                 /* set rc_type for process to general */
02009                                 i_rc_item_val1.type_id =
02010                                     RSBAC_RC_GENERAL_TYPE;
02011                                 /* fall through */
02012                         default:
02013                                 /* set rc_type for process */
02014                                 i_attr_val1.rc_type =
02015                                     i_rc_item_val1.type_id;
02016                                 if ((err =
02017                                      rsbac_set_attr(SW_RC, T_PROCESS, i_tid,
02018                                                     A_rc_type,
02019                                                     i_attr_val1))) {
02020                                         rsbac_pr_set_error(A_rc_type);
02021                                         return -RSBAC_EWRITEFAILED;
02022                                 }
02023                         }
02024 
02025                         return 0;
02026 
02027                         /* all other cases */
02028                 default:
02029                         return 0;
02030                 }
02031 
02032         case R_CLONE:
02033                 if (target == T_PROCESS) {
02034                         /* get rc_role from process */
02035                         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
02036                                                   tid,
02037                                                   A_rc_role,
02038                                                   &i_attr_val1, FALSE))) {
02039                                 rsbac_pr_get_error(A_rc_role);
02040                                 return (-RSBAC_EREADFAILED);
02041                         }
02042 
02043                         /* get rc_force_role from process */
02044                         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
02045                                                   tid,
02046                                                   A_rc_force_role,
02047                                                   &i_attr_val2, FALSE))) {
02048                                 rsbac_pr_get_error(A_rc_force_role);
02049                                 return (-RSBAC_EREADFAILED);
02050                         }
02051 
02052                         /* set rc_role for new process */
02053                         if ((err = rsbac_set_attr(SW_RC, T_PROCESS,
02054                                                   new_tid,
02055                                                   A_rc_role,
02056                                                   i_attr_val1))) {
02057                                 rsbac_pr_set_error(A_rc_role);
02058                                 return -RSBAC_EWRITEFAILED;
02059                         }
02060 
02061                         /* set rc_force_role for new process */
02062                         if ((err = rsbac_set_attr(SW_RC, T_PROCESS,
02063                                                   new_tid,
02064                                                   A_rc_force_role,
02065                                                   i_attr_val2))) {
02066                                 rsbac_pr_set_error(A_rc_force_role);
02067                                 return -RSBAC_EWRITEFAILED;
02068                         }
02069 
02070                         /* get def_process_create_type of role */
02071                         i_rc_tid.role = i_attr_val1.rc_role;
02072                         if ((err = rsbac_rc_get_item(0,
02073                                                      RT_ROLE,
02074                                                      i_rc_tid,
02075                                                      i_rc_tid,
02076                                                      RI_def_process_create_type,
02077                                                      &i_rc_item_val1,
02078                                                      NULL))) {
02079                                 rsbac_rc_pr_get_error
02080                                     (RI_def_process_create_type);
02081                                 return (-RSBAC_EREADFAILED);
02082                         }
02083                         switch (i_rc_item_val1.type_id) {
02084                         case RC_type_inherit_parent:
02085                         case RC_type_inherit_process:
02086                                 /* copy old type */
02087                                 /* get rc_type from old process */
02088                                 if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
02089                                                           tid,
02090                                                           A_rc_type,
02091                                                           &i_attr_val1,
02092                                                           FALSE))) {
02093                                         rsbac_pr_get_error(A_rc_type);
02094                                         return -RSBAC_EREADFAILED;
02095                                 }
02096                                 /* set rc_type for new process */
02097                                 if ((err = rsbac_set_attr(SW_RC, T_PROCESS,
02098                                                           new_tid,
02099                                                           A_rc_type,
02100                                                           i_attr_val1))) {
02101                                         rsbac_pr_set_error(A_rc_type);
02102                                         return -RSBAC_EWRITEFAILED;
02103                                 }
02104                                 break;
02105                         case RC_type_no_create:
02106                                 return (-RSBAC_EDECISIONMISMATCH);
02107                         case RC_type_use_new_role_def_create:
02108                                 /* error - complain, but keep type (inherit) */
02109                                 rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_process_create_type of role %i!\n",
02110                                              i_attr_val1.rc_role);
02111                                 return (-RSBAC_EINVALIDVALUE);
02112                         default:
02113                                 /* set rc_type for new process */
02114                                 i_attr_val1.rc_type =
02115                                     i_rc_item_val1.type_id;
02116                                 if ((err =
02117                                      rsbac_set_attr(SW_RC, T_PROCESS, new_tid,
02118                                                     A_rc_type,
02119                                                     i_attr_val1))) {
02120                                         rsbac_pr_set_error(A_rc_type);
02121                                         return -RSBAC_EWRITEFAILED;
02122                                 }
02123                         }
02124                         return 0;
02125                 } else
02126                         return 0;
02127 
02128         case R_CREATE:
02129                 switch (target) {
02130                         /* Creating dir or (pseudo) file IN target dir! */
02131                 case T_DIR:
02132                         /* Mode of created item is ignored! */
02133                         /* check for select_fd_type being set for calling
02134                          * process and enforce it if set. */
02135                         i_tid.process = caller_pid;
02136                         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
02137                                                   i_tid,
02138                                                   A_rc_select_type,
02139                                                   &i_attr_val1, FALSE))) {
02140                                 rsbac_pr_get_error(A_rc_select_type);
02141                                 return -RSBAC_EREADFAILED;
02142                         }
02143                         if (i_attr_val1.rc_select_type != RC_type_use_fd) {
02144                                 i_attr_val2.rc_type_fd = i_attr_val1.rc_select_type;
02145                                 /* rc_select_type is one use only so we reset it
02146                                  * to default value first.
02147                                  * value to be set already backup'ed. */
02148                                 i_attr_val1.rc_select_type = RC_type_use_fd;
02149                                 if ((err = rsbac_set_attr(SW_RC, T_PROCESS,
02150                                                          i_tid, A_rc_select_type,
02151                                                          i_attr_val1)))
02152                                 {
02153                                         rsbac_printk("rsbac_adf_set_attr_rc(): unable to reset rc_select_type to default value!\n");
02154                                 }
02155                                 if ((err = rsbac_set_attr(SW_RC, new_target,
02156                                                           new_tid, A_rc_type_fd,
02157                                                           i_attr_val2)))
02158                                 {
02159                                         rsbac_pr_set_error(A_rc_type_fd);
02160                                         return -RSBAC_EWRITEFAILED;
02161                                 }
02162                                 return 0;
02163                                                                 
02164                         }
02165                         /* get rc_role from process */
02166                         i_tid.process = caller_pid;
02167                         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
02168                                                   i_tid,
02169                                                   A_rc_role,
02170                                                   &i_attr_val1, FALSE))) {
02171                                 rsbac_pr_get_error(A_rc_role);
02172                                 return -RSBAC_EREADFAILED;
02173                         }
02174                         /* get def_fd_create_type of role */
02175                         /* First get target dir's efftype */
02176                         if ((err = rsbac_get_attr(SW_RC,
02177                                                   target,
02178                                                   tid,
02179                                                   A_rc_type_fd,
02180                                                   &i_attr_val2, TRUE))) {
02181                                 rsbac_pr_get_error(A_rc_type_fd);
02182                                 return (-RSBAC_EREADFAILED);
02183                         }
02184                         i_rc_tid.role = i_attr_val1.rc_role;
02185                         switch(new_target) {
02186                                 case T_UNIXSOCK:
02187                                         if ((err = rsbac_rc_get_item(0,
02188                                                                      RT_ROLE,
02189                                                                      i_rc_tid,
02190                                                                      i_rc_subtid,
02191                                                                      RI_def_unixsock_create_type,
02192                                                                      &i_rc_item_val1,
02193                                                                      NULL))) {
02194                                                 rsbac_rc_pr_get_error
02195                                                     (RI_def_unixsock_create_type);
02196                                                 return -RSBAC_EREADFAILED;
02197                                         }
02198                                         if(i_rc_item_val1.type_id != RC_type_use_fd)
02199                                                 break;
02200                                         /* fall through */
02201                                 default:
02202                                         i_rc_subtid.type = i_attr_val2.rc_type;
02203                                         if ((err = rsbac_rc_get_item(0, RT_ROLE, i_rc_tid, i_rc_subtid, RI_def_fd_ind_create_type, &i_rc_item_val1, NULL))) {   /* No individual create type -> try global */
02204                                                 if ((err = rsbac_rc_get_item(0,
02205                                                                              RT_ROLE,
02206                                                                              i_rc_tid,
02207                                                                              i_rc_subtid,
02208                                                                              RI_def_fd_create_type,
02209                                                                              &i_rc_item_val1,
02210                                                                              NULL))) {
02211                                                         rsbac_rc_pr_get_error
02212                                                             (RI_def_fd_create_type);
02213                                                         return -RSBAC_EREADFAILED;
02214                                                 }
02215                                         }
02216                         }
02217                         switch (i_rc_item_val1.type_id) {
02218                         case RC_type_no_create:
02219                                 return (-RSBAC_EDECISIONMISMATCH);
02220                                 break;
02221 
02222                         case RC_type_use_new_role_def_create:
02223                         case RC_type_inherit_process:
02224                                 /* error - complain and return error */
02225                                 rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_rc(): invalid type inherit_process or use_new_role_def_create in def_fd_create_type or def_unixsock_create_type of role %i!\n",
02226                                              i_attr_val1.rc_role);
02227                                 return (-RSBAC_EINVALIDVALUE);
02228 
02229                         case RC_type_inherit_parent:
02230                         default:
02231                                 /* get type from new target */
02232                                 if ((err = rsbac_get_attr(SW_RC, new_target,
02233                                                           new_tid,
02234                                                           A_rc_type_fd,
02235                                                           &i_attr_val1,
02236                                                           FALSE))) {
02237                                         rsbac_pr_get_error(A_rc_type_fd);
02238                                         return (-RSBAC_EREADFAILED);
02239                                 }
02240                                 /* set it for new target, if different */
02241                                 if (i_attr_val1.rc_type_fd !=
02242                                     i_rc_item_val1.type_id) {
02243                                         i_attr_val1.rc_type_fd =
02244                                             i_rc_item_val1.type_id;
02245                                         if ((err =
02246                                              rsbac_set_attr(SW_RC, new_target,
02247                                                             new_tid,
02248                                                             A_rc_type_fd,
02249                                                             i_attr_val1)))
02250                                         {
02251                                                 rsbac_pr_set_error(A_rc_type_fd);
02252                                                 return -RSBAC_EWRITEFAILED;
02253                                         }
02254                                 }
02255                         }
02256                         return 0;
02257 
02258                 case T_IPC:
02259                         /* get rc_role from process */
02260                         i_tid.process = caller_pid;
02261                         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
02262                                                   i_tid,
02263                                                   A_rc_role,
02264                                                   &i_attr_val1, FALSE))) {
02265                                 rsbac_pr_get_error(A_rc_role);
02266                                 return -RSBAC_EREADFAILED;
02267                         }
02268                         /* get def_ipc_create_type of role */
02269                         i_rc_tid.role = i_attr_val1.rc_role;
02270                         if ((err = rsbac_rc_get_item(0,
02271                                                      RT_ROLE,
02272                                                      i_rc_tid,
02273                                                      i_rc_tid,
02274                                                      RI_def_ipc_create_type,
02275                                                      &i_rc_item_val1,
02276                                                      NULL))) {
02277                                 rsbac_rc_pr_get_error
02278                                     (RI_def_ipc_create_type);
02279                                 return -RSBAC_EREADFAILED;
02280                         }
02281                         switch (i_rc_item_val1.type_id) {
02282                         case RC_type_no_create:
02283                                 return (-RSBAC_EDECISIONMISMATCH);
02284                                 break;
02285 
02286                         case RC_type_use_new_role_def_create:
02287                                 /* error - complain and return error */
02288                                 rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_ipc_create_type of role %i!\n",
02289                                              i_attr_val1.rc_role);
02290                                 return (-RSBAC_EINVALIDVALUE);
02291 
02292                         case RC_type_inherit_parent:
02293                         case RC_type_inherit_process:
02294                                 /* error - complain and return error */
02295                                 rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_rc(): invalid type inherit_parent in def_ipc_create_type of role %i!\n",
02296                                              i_attr_val1.rc_role);
02297                                 return -RSBAC_EINVALIDVALUE;
02298 
02299                         default:
02300                                 /* set rc_type for ipc target */
02301                                 i_attr_val1.rc_type =
02302                                     i_rc_item_val1.type_id;
02303                                 /* get type from target */
02304                                 if ((err = rsbac_get_attr(SW_RC,
02305                                                           target,
02306                                                           tid,
02307                                                           A_rc_type,
02308                                                           &i_attr_val2,
02309                                                           FALSE))) {
02310                                         rsbac_pr_get_error(A_rc_type);
02311                                         return -RSBAC_EREADFAILED;
02312                                 }
02313                                 /* set it for new target, if different */
02314                                 if (i_attr_val1.rc_type !=
02315                                     i_attr_val2.rc_type) {
02316                                         if ((err =
02317                                              rsbac_set_attr(SW_RC, target,
02318                                                             tid, A_rc_type,
02319                                                             i_attr_val1)))
02320                                         {
02321                                                 rsbac_pr_set_error
02322                                                     (A_rc_type);
02323                                                 return -RSBAC_EWRITEFAILED;
02324                                         }
02325                                 }
02326                         }
02327                         return 0;
02328 
02329                 case T_USER:
02330                         /* get rc_role from process */
02331                         i_tid.process = caller_pid;
02332                         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
02333                                                   i_tid,
02334                                                   A_rc_role,
02335                                                   &i_attr_val1, FALSE))) {
02336                                 rsbac_pr_get_error(A_rc_role);
02337                                 return -RSBAC_EREADFAILED;
02338                         }
02339                         /* get def_user_create_type of role */
02340                         i_rc_tid.role = i_attr_val1.rc_role;
02341                         if ((err = rsbac_rc_get_item(0,
02342                                                      RT_ROLE,
02343                                                      i_rc_tid,
02344                                                      i_rc_tid,
02345                                                      RI_def_user_create_type,
02346                                                      &i_rc_item_val1,
02347                                                      NULL))) {
02348                                 rsbac_rc_pr_get_error
02349                                     (RI_def_user_create_type);
02350                                 return -RSBAC_EREADFAILED;
02351                         }
02352                         switch (i_rc_item_val1.type_id) {
02353                         case RC_type_no_create:
02354                                 rsbac_pr_debug(adf_rc, "pid %u (%.15s), owner %u, rc_role %u, def_user_create_type no_create, request CREATE -> NOT_GRANTED!\n",
02355                                                caller_pid, current->comm,
02356                                                current->uid,
02357                                                i_attr_val1.rc_role);
02358                                 return -RSBAC_EDECISIONMISMATCH;
02359 
02360                         case RC_type_use_new_role_def_create:
02361                                 /* error - complain and return error */
02362                                 rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_user_create_type of role %i!\n",
02363                                              i_attr_val1.rc_role);
02364                                 return -RSBAC_EINVALIDVALUE;
02365 
02366                         case RC_type_inherit_parent:
02367                         case RC_type_inherit_process:
02368                                 /* error - complain and return error */
02369                                 rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_rc(): invalid type inherit_parent in def_user_create_type of role %i!\n",
02370                                              i_attr_val1.rc_role);
02371                                 return -RSBAC_EINVALIDVALUE;
02372 
02373                         default:
02374                                 /* set rc_type for user target */
02375                                 i_attr_val1.rc_type =
02376                                     i_rc_item_val1.type_id;
02377                                 /* get type from target */
02378                                 if ((err = rsbac_get_attr(SW_RC,
02379                                                           target,
02380                                                           tid,
02381                                                           A_rc_type,
02382                                                           &i_attr_val2,
02383                                                           FALSE))) {
02384                                         rsbac_pr_get_error(A_rc_type);
02385                                         return -RSBAC_EREADFAILED;
02386                                 }
02387                                 /* set it for new target, if different */
02388                                 if (i_attr_val1.rc_type !=
02389                                     i_attr_val2.rc_type) {
02390                                         if ((err =
02391                                              rsbac_set_attr(SW_RC, target,
02392                                                             tid, A_rc_type,
02393                                                             i_attr_val1)))
02394                                         {
02395                                                 rsbac_pr_set_error
02396                                                     (A_rc_type);
02397                                                 return -RSBAC_EWRITEFAILED;
02398                                         }
02399                                 }
02400                         }
02401                         return 0;
02402 
02403                 case T_GROUP:
02404                         /* get rc_role from process */
02405                         i_tid.process = caller_pid;
02406                         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
02407                                                   i_tid,
02408                                                   A_rc_role,
02409                                                   &i_attr_val1, FALSE))) {
02410                                 rsbac_pr_get_error(A_rc_role);
02411                                 return -RSBAC_EREADFAILED;
02412                         }
02413                         /* get def_group_create_type of role */
02414                         i_rc_tid.role = i_attr_val1.rc_role;
02415                         if ((err = rsbac_rc_get_item(0,
02416                                                      RT_ROLE,
02417                                                      i_rc_tid,
02418                                                      i_rc_tid,
02419                                                      RI_def_group_create_type,
02420                                                      &i_rc_item_val1,
02421                                                      NULL))) {
02422                                 rsbac_rc_pr_get_error
02423                                     (RI_def_group_create_type);
02424                                 return -RSBAC_EREADFAILED;
02425                         }
02426                         switch (i_rc_item_val1.type_id) {
02427                         case RC_type_no_create:
02428                                 rsbac_pr_debug(adf_rc, "pid %u (%.15s), owner %u, rc_role %u, def_group_create_type no_create, request CREATE -> NOT_GRANTED!\n",
02429                                                caller_pid, current->comm,
02430                                                current->uid,
02431                                                i_attr_val1.rc_role);
02432                                 return -RSBAC_EDECISIONMISMATCH;
02433 
02434                         case RC_type_use_new_role_def_create:
02435                                 /* error - complain and return error */
02436                                 rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_group_create_type of role %i!\n",
02437                                              i_attr_val1.rc_role);
02438                                 return -RSBAC_EINVALIDVALUE;
02439 
02440                         case RC_type_inherit_parent:
02441                         case RC_type_inherit_process:
02442                                 /* error - complain and return error */
02443                                 rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_rc(): invalid type inherit_parent in def_group_create_type of role %i!\n",
02444                                              i_attr_val1.rc_role);
02445                                 return -RSBAC_EINVALIDVALUE;
02446 
02447                         default:
02448                                 /* set rc_type for group target */
02449                                 i_attr_val1.rc_type =
02450                                     i_rc_item_val1.type_id;
02451                                 /* get type from target */
02452                                 if ((err = rsbac_get_attr(SW_RC,
02453                                                           target,
02454                                                           tid,
02455                                                           A_rc_type,
02456                                                           &i_attr_val2,
02457                                                           FALSE))) {
02458                                         rsbac_pr_get_error(A_rc_type);
02459                                         return -RSBAC_EREADFAILED;
02460                                 }
02461                                 /* set it for new target, if different */
02462                                 if (i_attr_val1.rc_type !=
02463                                     i_attr_val2.rc_type) {
02464                                         if ((err =
02465                                              rsbac_set_attr(SW_RC, target,
02466                                                             tid, A_rc_type,
02467                                                             i_attr_val1)))
02468                                         {
02469                                                 rsbac_pr_set_error
02470                                                     (A_rc_type);
02471                                                 return -RSBAC_EWRITEFAILED;
02472                                         }
02473                                 }
02474                         }
02475                         return 0;
02476 
02477                         /* all other cases are unknown */
02478                 default:
02479                         return 0;
02480                 }
02481 
02482         case R_EXECUTE:
02483                 switch (target) {
02484                 case T_FILE:
02485                         /* get rc_force_role from target file */
02486                         if ((err = rsbac_get_attr(SW_RC, T_FILE,
02487                                                   tid,
02488                                                   A_rc_force_role,
02489                                                   &i_attr_val1, TRUE))) {
02490                                 rsbac_pr_get_error(A_rc_force_role);
02491                                 return -RSBAC_EREADFAILED;
02492                         }
02493                         /* check rc_force_role, warn, if unusable */
02494                         if ((i_attr_val1.rc_force_role > RC_role_max_value)
02495                             && (i_attr_val1.rc_force_role <
02496                                 RC_role_min_special)
02497                             ) {
02498                                 rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_rc(): rc_force_role %u of file %u on device %02u:%02u is higher than MAX_ROLE %u, setting forced role of process %u to default value %u!\n",
02499                                              i_attr_val1.rc_force_role,
02500                                              tid.file.inode,
02501                                              MAJOR(tid.file.device),
02502                                              MINOR(tid.file.device),
02503                                              RC_role_max_value, caller_pid,
02504                                              RC_default_root_dir_force_role);
02505                                 i_attr_val1.rc_force_role =
02506                                     RC_default_root_dir_force_role;
02507                         }
02508                         /* set rc_force_role for this process to keep track of it later */
02509                         i_tid.process = caller_pid;
02510                         if ((err = rsbac_set_attr(SW_RC, T_PROCESS,
02511                                                   i_tid,
02512                                                   A_rc_force_role,
02513                                                   i_attr_val1))) {
02514                                 rsbac_pr_set_error(A_rc_force_role);
02515                                 return -RSBAC_EWRITEFAILED;
02516                         }
02517                         /* get rc_initial_role from target file */
02518                         if ((err = rsbac_get_attr(SW_RC, T_FILE,
02519                                                   tid,
02520                                                   A_rc_initial_role,
02521                                                   &i_attr_val2, TRUE))) {
02522                                 rsbac_pr_get_error(A_rc_initial_role);
02523                                 return -RSBAC_EREADFAILED;
02524                         }
02525                         /* check rc_initial_role, warn, if unusable */
02526                         if ((i_attr_val2.rc_initial_role >
02527                              RC_role_max_value)
02528                             && (i_attr_val2.rc_initial_role !=
02529                                 RC_role_use_force_role)
02530                             ) {
02531                                 rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_rc(): rc_initial_role %u of file %u on device %02u:%02u is higher than MAX_ROLE %u, setting initial role of process %u to default value %u!\n",
02532                                              i_attr_val2.rc_initial_role,
02533                                              tid.file.inode,
02534                                              MAJOR(tid.file.device),
02535                                              MINOR(tid.file.device),
02536                                              RC_role_max_value, caller_pid,
02537                                              RC_default_root_dir_initial_role);
02538                                 i_attr_val2.rc_initial_role =
02539                                     RC_default_root_dir_initial_role;
02540                         }
02541                         if (i_attr_val2.rc_initial_role ==
02542                             RC_role_use_force_role) {
02543                                 switch (i_attr_val1.rc_force_role) {
02544                                 case RC_role_inherit_user:
02545                                         /* get rc_def_role from process owner */
02546                                         i_tid.user = owner;
02547                                         if ((err =
02548                                              rsbac_get_attr(SW_RC, T_USER,
02549                                                             i_tid,
02550                                                             A_rc_def_role,
02551                                                             &i_attr_val1,
02552                                                             TRUE))) {
02553                                                 rsbac_pr_get_error
02554                                                     (A_rc_def_role);
02555                                                 return -RSBAC_EREADFAILED;
02556                                         }
02557                                         /* set it for this process */
02558                                         i_tid.process = caller_pid;
02559                                         if ((err =
02560                                              rsbac_set_attr(SW_RC, T_PROCESS,
02561                                                             i_tid,
02562                                                             A_rc_role,
02563                                                             i_attr_val1)))
02564                                         {
02565                                                 rsbac_pr_set_error
02566                                                     (A_rc_role);
02567                                                 return -RSBAC_EWRITEFAILED;
02568                                         }
02569                                         break;
02570 
02571                                 case RC_role_inherit_parent:
02572                                 case RC_role_inherit_process:
02573                                 case RC_role_inherit_up_mixed:
02574                                         /* keep current role */
02575                                         break;
02576 
02577                                 default:
02578                                         /* set forced role for this process */
02579                                         i_tid.process = caller_pid;
02580                                         if ((err =
02581                                              rsbac_set_attr(SW_RC, T_PROCESS,
02582                                                             i_tid,
02583                                                             A_rc_role,
02584                                                             i_attr_val1)))
02585                                         {
02586                                                 rsbac_pr_set_error
02587                                                     (A_rc_role);
02588                                                 return -RSBAC_EWRITEFAILED;
02589                                         }
02590                                 }
02591                         } else {        /* use initial_role */
02592 
02593                                 /* set initial role for this process */
02594                                 i_tid.process = caller_pid;
02595                                 if ((err = rsbac_set_attr(SW_RC, T_PROCESS,
02596                                                           i_tid,
02597                                                           A_rc_role,
02598                                                           i_attr_val2))) {
02599                                         rsbac_pr_set_error
02600                                             (A_rc_role);
02601                                         return -RSBAC_EWRITEFAILED;
02602                                 }
02603                         }
02604                         /* Get role of process. */
02605                         i_tid.process = caller_pid;
02606                         if ((err = rsbac_get_attr(SW_RC, T_PROCESS,
02607                                                   i_tid,
02608                                                   A_rc_role,
02609                                                   &i_attr_val1, FALSE))) {
02610                                 rsbac_pr_get_error(A_rc_role);
02611                                 return -RSBAC_EREADFAILED;
02612                         }
02613                         /* get def_process_execute_type of role */
02614                         i_rc_tid.role = i_attr_val1.rc_role;
02615                         if ((err = rsbac_rc_get_item(0,
02616                                                      RT_ROLE,
02617                                                      i_rc_tid,
02618                                                      i_rc_tid,
02619                                                      RI_def_process_execute_type,
02620                                                      &i_rc_item_val1,
02621                                                      NULL))) {
02622                                 rsbac_rc_pr_get_error
02623                                     (RI_def_process_execute_type);
02624                                 return (-RSBAC_EREADFAILED);
02625                         }
02626                         switch (i_rc_item_val1.type_id) {
02627                         case RC_type_no_create:
02628                         case RC_type_use_new_role_def_create:
02629                                 /* Cannot reset, because of unusable default -> warn and keep */
02630                                 rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_rc(): invalid type in def_process_execute_type of role %i!\n",
02631                                              i_attr_val1.rc_role);
02632                                 return (-RSBAC_EINVALIDVALUE);
02633                         case RC_type_inherit_parent:
02634                         case RC_type_inherit_process:
02635                                 break;
02636                         case RC_type_no_execute:
02637                                 return (-RSBAC_EDECISIONMISMATCH);
02638                         default:
02639                                 /* set rc_type for process */
02640                                 i_attr_val1.rc_type =
02641                                     i_rc_item_val1.type_id;
02642                                 i_tid.process = caller_pid;
02643                                 if ((err =
02644                                      rsbac_set_attr(SW_RC, T_PROCESS, i_tid,
02645                                                     A_rc_type,
02646                                                     i_attr_val1))) {
02647                                         rsbac_pr_set_error(A_rc_type);
02648                                         return -RSBAC_EWRITEFAILED;
02649                                 }
02650                         }
02651                         /* type and role are set - ready. */
02652                         return 0;
02653 
02654                         /* all other cases are unknown */
02655                 default:
02656                         return 0;
02657                 }
02658         default:
02659                 return 0;
02660         }
02661 
02662         return 0;
02663 }
02664 
02665 #ifdef CONFIG_RSBAC_SECDEL
02666 inline rsbac_boolean_t rsbac_need_overwrite_rc(struct dentry * dentry_p)
02667 {
02668         int err = 0;
02669         union rsbac_target_id_t i_tid;
02670         union rsbac_attribute_value_t i_attr_val1;
02671         union rsbac_rc_target_id_t i_rc_tid;
02672         union rsbac_rc_item_value_t i_rc_item_val1;
02673 
02674         if (!dentry_p || !dentry_p->d_inode)
02675                 return FALSE;
02676 
02677         i_tid.file.device = dentry_p->d_sb->s_dev;
02678         i_tid.file.inode = dentry_p->d_inode->i_ino;
02679         i_tid.file.dentry_p = dentry_p;
02680         /* get target's rc_type_fd */
02681         if (rsbac_get_attr(SW_RC, T_FILE,
02682                            i_tid, A_rc_type_fd, &i_attr_val1, TRUE)) {
02683                 rsbac_pr_get_error(A_rc_type_fd);
02684                 return FALSE;
02685         }
02686         /* get type_fd_need_secdel of target's rc_type_fd */
02687         i_rc_tid.role = i_attr_val1.rc_role;
02688         if ((err = rsbac_rc_get_item(0,
02689                                      RT_TYPE,
02690                                      i_rc_tid,
02691                                      i_rc_tid,
02692                                      RI_type_fd_need_secdel,
02693                                      &i_rc_item_val1, NULL))) {
02694                 rsbac_rc_pr_get_error(RI_type_fd_need_secdel);
02695                 return FALSE;
02696         }
02697 
02698         /* return need_overwrite */
02699         return (i_rc_item_val1.need_secdel);
02700 }
02701 #endif

Generated on Wed May 16 11:53:34 2007 for RSBAC by  doxygen 1.5.1