#include <linux/string.h>
#include <rsbac/types.h>
#include <rsbac/aci.h>
#include <rsbac/rc.h>
#include <rsbac/adf_main.h>
#include <rsbac/error.h>
#include <rsbac/debug.h>
#include <rsbac/helpers.h>
#include <rsbac/getname.h>
#include <rsbac/rc_getname.h>
#include <rsbac/rkmem.h>
#include <rsbac/um.h>
Go to the source code of this file.
enum rsbac_adf_req_ret_t rsbac_rc_check_type_comp | ( | enum rsbac_target_t | target, | |
rsbac_rc_type_id_t | type, | |||
enum rsbac_adf_request_t | request, | |||
rsbac_pid_t | caller_pid | |||
) |
Definition at line 269 of file rc_main.c.
References A_rc_role, FALSE, get_rc_special_right_name(), GRANTED, NOT_GRANTED, rsbac_target_id_t::process, rsbac_attribute_value_t::rc_role, RC_type_max_value, RCR_ASSIGN, RI_type_comp_dev, RI_type_comp_fd, RI_type_comp_group, RI_type_comp_ipc, RI_type_comp_netdev, RI_type_comp_netobj, RI_type_comp_nettemp, RI_type_comp_process, RI_type_comp_user, rsbac_get_attr, RSBAC_MAXNAMELEN, rsbac_pr_debug, rsbac_pr_get_error, rsbac_printk(), rsbac_rc_check_comp(), SW_RC, T_DEV, T_DIR, T_FD, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_PROCESS, T_SYMLINK, T_UNIXSOCK, T_USER, and rsbac_rc_target_id_t::type.
Referenced by rsbac_adf_request_rc(), rsbac_rc_select_fd_create_type(), rsbac_rc_sys_copy_type(), rsbac_rc_sys_get_item(), and rsbac_rc_sys_set_item().
00273 { 00274 int err; 00275 union rsbac_target_id_t i_tid; 00276 union rsbac_attribute_value_t i_attr_val1; 00277 00278 union rsbac_rc_target_id_t i_rc_subtid; 00279 enum rsbac_rc_item_t i_rc_item; 00280 00281 if (!caller_pid) 00282 caller_pid = current->pid; 00283 /* 00284 * we don't care about tried assignments of special type values, 00285 * but deny other accesses to those 00286 */ 00287 if (type > RC_type_max_value) { 00288 if (request == RCR_ASSIGN) 00289 return GRANTED; 00290 else 00291 return NOT_GRANTED; 00292 } 00293 00294 /* get rc_role from process */ 00295 i_tid.process = caller_pid; 00296 if ((err = rsbac_get_attr(SW_RC, 00297 T_PROCESS, 00298 i_tid, 00299 A_rc_role, &i_attr_val1, FALSE))) { 00300 rsbac_pr_get_error(A_rc_role); 00301 return (NOT_GRANTED); 00302 } 00303 switch (target) { 00304 case T_FILE: 00305 case T_DIR: 00306 case T_FIFO: 00307 case T_SYMLINK: 00308 case T_UNIXSOCK: 00309 case T_FD: 00310 i_rc_item = RI_type_comp_fd; 00311 break; 00312 case T_DEV: 00313 i_rc_item = RI_type_comp_dev; 00314 break; 00315 case T_USER: 00316 i_rc_item = RI_type_comp_user; 00317 break; 00318 case T_PROCESS: 00319 i_rc_item = RI_type_comp_process; 00320 break; 00321 case T_IPC: 00322 i_rc_item = RI_type_comp_ipc; 00323 break; 00324 #if defined(CONFIG_RSBAC_RC_UM_PROT) 00325 case T_GROUP: 00326 i_rc_item = RI_type_comp_group; 00327 break; 00328 #endif 00329 #if defined(CONFIG_RSBAC_RC_NET_DEV_PROT) 00330 case T_NETDEV: 00331 i_rc_item = RI_type_comp_netdev; 00332 break; 00333 #endif 00334 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT) 00335 case T_NETTEMP: 00336 i_rc_item = RI_type_comp_nettemp; 00337 break; 00338 case T_NETOBJ: 00339 i_rc_item = RI_type_comp_netobj; 00340 break; 00341 #endif 00342 00343 default: 00344 rsbac_printk(KERN_WARNING "rsbac_rc_check_type_comp(): invalid target %i!\n", 00345 target); 00346 return (NOT_GRANTED); 00347 } 00348 /* check type_comp_xxx of role */ 00349 i_rc_subtid.type = type; 00350 if (rsbac_rc_check_comp(i_attr_val1.rc_role, 00351 i_rc_subtid, i_rc_item, request)) 00352 return (GRANTED); 00353 else { 00354 char tmp[RSBAC_MAXNAMELEN]; 00355 rsbac_pr_debug(adf_rc, "rc_role is %i, rc_type is %i, request is %s -> NOT_GRANTED!\n", 00356 i_attr_val1.rc_role, type, 00357 get_rc_special_right_name(tmp, request)); 00358 return (NOT_GRANTED); 00359 } 00360 }
int rsbac_rc_select_fd_create_type | ( | rsbac_rc_type_id_t | type | ) |
Definition at line 1694 of file rc_syscalls.c.
References A_rc_select_type, rsbac_target_id_t::process, rsbac_attribute_value_t::rc_select_type, RC_type_use_fd, RCR_SELECT, RSBAC_EINVALIDVALUE, rsbac_printk(), rsbac_rc_check_type_comp(), rsbac_rc_type_exists(), rsbac_set_attr, SW_RC, T_FILE, and T_PROCESS.
Referenced by sys_rsbac_rc_select_fd_create_type().
01695 { 01696 01697 int res; 01698 01699 union rsbac_target_id_t tid; 01700 union rsbac_attribute_value_t attr_val; 01701 01702 /* sanity checks */ 01703 if (type != RC_type_use_fd) { 01704 if (!rsbac_rc_type_exists(0, T_FILE, type)) 01705 return -RSBAC_EINVALIDVALUE; 01706 #ifndef CONFIG_RSBAC_MAINT 01707 if (!rsbac_rc_check_type_comp(T_FILE, type, RCR_SELECT, current->pid)) { 01708 #ifdef CONFIG_RSBAC_SOFTMODE 01709 if( !rsbac_softmode 01710 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01711 && !rsbac_ind_softmode[SW_RC] 01712 #endif 01713 ) 01714 #endif 01715 return -EPERM; 01716 } 01717 #endif 01718 } 01719 01720 tid.process = current->pid; 01721 attr_val.rc_select_type = type; 01722 if ((res = rsbac_set_attr(SW_RC, 01723 T_PROCESS, 01724 tid, 01725 A_rc_select_type, 01726 attr_val))) { 01727 rsbac_printk(KERN_WARNING "rsbac_rc_select_fd_create_type(): rsbac_set_attr() returned error %i\n", res); 01728 return -EPERM; 01729 } 01730 01731 return 0; 01732 }
int rsbac_rc_sys_change_role | ( | rsbac_rc_role_id_t | role, | |
char * | pass | |||
) |
Definition at line 1427 of file rc_syscalls.c.
References A_rc_role, NULL, rsbac_target_id_t::process, rsbac_attribute_value_t::rc_role, rsbac_rc_item_value_t::req_reauth, RI_req_reauth, RI_role_comp, rsbac_rc_target_id_t::role, RSBAC_ENOMEM, RSBAC_EWRITEFAILED, rsbac_get_attr, rsbac_kfree(), rsbac_kmalloc(), RSBAC_MAXNAMELEN, rsbac_printk(), rsbac_rc_check_comp(), rsbac_rc_get_item(), rsbac_set_attr, rsbac_um_check_pass(), RT_ROLE, SW_RC, T_PROCESS, and TRUE.
Referenced by sys_rsbac_rc_change_role().
01428 { 01429 int err; 01430 union rsbac_target_id_t i_tid; 01431 union rsbac_attribute_value_t i_attr_val1; 01432 #if !defined(CONFIG_RSBAC_MAINT) 01433 #ifdef CONFIG_RSBAC_UM 01434 union rsbac_rc_item_value_t i_rc_item_val1; 01435 char *k_pass; 01436 #endif 01437 #endif 01438 01439 #if !defined(CONFIG_RSBAC_MAINT) 01440 #ifdef CONFIG_RSBAC_SWITCH_RC 01441 if (rsbac_switch_rc) 01442 #endif 01443 { 01444 union rsbac_rc_target_id_t i_rc_subtid; 01445 01446 i_tid.process = current->pid; 01447 /* get rc_role of process */ 01448 if ((err = rsbac_get_attr(SW_RC, 01449 T_PROCESS, 01450 i_tid, 01451 A_rc_role, 01452 &i_attr_val1, TRUE))) { 01453 rsbac_printk(KERN_WARNING "rsbac_rc_sys_change_role(): rsbac_get_attr() returned error %i\n", 01454 err); 01455 goto out; 01456 } 01457 01458 /* check role_comp of role */ 01459 i_rc_subtid.role = role; 01460 if (!rsbac_rc_check_comp(i_attr_val1.rc_role, 01461 i_rc_subtid, RI_role_comp, 0)) { 01462 rsbac_uid_t user; 01463 01464 if (!rsbac_get_owner(&user)) { 01465 rsbac_printk(KERN_INFO "rsbac_rc_sys_change role(): changing from role %u to %u denied for pid %u, user %u, role %u - roles not compatible\n", 01466 i_attr_val1.rc_role, 01467 role, 01468 i_tid.process, 01469 user, i_attr_val1.rc_role); 01470 } 01471 #ifdef CONFIG_RSBAC_SOFTMODE 01472 if (!rsbac_softmode 01473 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01474 && !rsbac_ind_softmode[SW_RC] 01475 #endif 01476 ) 01477 #endif 01478 { 01479 err = -EPERM; 01480 goto out; 01481 } 01482 } 01483 #ifdef CONFIG_RSBAC_UM 01484 /* need to make sure UM is compilled in and active 01485 * XXX what to do about softmode here 01486 */ 01487 if ((err = rsbac_rc_get_item(0, RT_ROLE, i_rc_subtid, i_rc_subtid, 01488 RI_req_reauth, 01489 &i_rc_item_val1, NULL))) { 01490 rsbac_printk(KERN_WARNING "rsbac_rc_sys_change_role(): rsbac_rc_get_item() returned error %i\n", 01491 err); 01492 err = -EPERM; 01493 goto out; 01494 } 01495 if (i_rc_item_val1.req_reauth) { 01496 rsbac_uid_t user; 01497 01498 if (!pass) { 01499 rsbac_printk(KERN_WARNING "rsbac_rc_sys_change_role(): password required for switching to role %u\n", 01500 role); 01501 err = -EPERM; 01502 goto out; 01503 } 01504 k_pass = rsbac_kmalloc(RSBAC_MAXNAMELEN); 01505 if (!k_pass) { 01506 err = -RSBAC_ENOMEM; 01507 goto out; 01508 } 01509 err = 01510 rsbac_get_user(k_pass, pass, RSBAC_MAXNAMELEN); 01511 if (err) 01512 goto out_free; 01513 k_pass[RSBAC_MAXNAMELEN - 1] = 0; 01514 err = rsbac_get_owner(&user); 01515 if (err) { 01516 rsbac_printk(KERN_WARNING "rsbac_rc_sys_change_role(): rsbac_rc_get_item() returned error %i\n", 01517 err); 01518 goto out_free; 01519 } 01520 err = rsbac_um_check_pass(user, k_pass); 01521 if (err) { 01522 goto out_free; 01523 } 01524 } 01525 #endif 01526 01527 } 01528 #endif 01529 01530 /* OK, check passed. Set role. */ 01531 i_tid.process = current->pid; 01532 i_attr_val1.rc_role = role; 01533 if (rsbac_set_attr(SW_RC, T_PROCESS, i_tid, A_rc_role, i_attr_val1)) { /* failed! */ 01534 rsbac_printk(KERN_WARNING "rsbac_rc_sys_change_role(): rsbac_set_attr() returned error\n"); 01535 err = -RSBAC_EWRITEFAILED; 01536 } 01537 else 01538 err = 0; 01539 01540 #if !defined(CONFIG_RSBAC_MAINT) 01541 out: 01542 #endif 01543 return err; 01544 01545 #if !defined(CONFIG_RSBAC_MAINT) 01546 #ifdef CONFIG_RSBAC_UM 01547 out_free: 01548 memset(k_pass, 0, RSBAC_MAXNAMELEN); 01549 rsbac_kfree(k_pass); 01550 goto out; 01551 #endif 01552 #endif 01553 }
int rsbac_rc_sys_copy_role | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_rc_role_id_t | from_role, | |||
rsbac_rc_role_id_t | to_role | |||
) |
Definition at line 55 of file rc_syscalls.c.
References rsbac_printk(), rsbac_rc_copy_role(), rsbac_rc_role_exists(), rsbac_rc_test_admin_roles(), rsbac_rc_test_role_admin(), SW_RC, and TRUE.
Referenced by sys_rsbac_rc_copy_role().
00059 { 00060 #if !defined(CONFIG_RSBAC_MAINT) 00061 #ifdef CONFIG_RSBAC_SWITCH_RC 00062 if(rsbac_switch_rc) 00063 #endif 00064 { 00065 int err; 00066 /* source role must be in admin roles or caller must be role_admin */ 00067 if ( (err=rsbac_rc_test_admin_roles(from_role, TRUE)) 00068 && rsbac_rc_test_role_admin(TRUE) 00069 ) 00070 { 00071 if(err == -EPERM) 00072 { 00073 rsbac_uid_t user; 00074 00075 if(!rsbac_get_owner(&user)) 00076 { 00077 rsbac_printk(KERN_INFO 00078 "rsbac_rc_sys_copy_role(): copying of role %u denied for pid %u, user %u - not in admin_roles!\n", 00079 from_role, 00080 current->pid, 00081 user); 00082 } 00083 #ifdef CONFIG_RSBAC_SOFTMODE 00084 if( !rsbac_softmode 00085 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00086 && !rsbac_ind_softmode[SW_RC] 00087 #endif 00088 ) 00089 #endif 00090 return err; 00091 } 00092 else 00093 return err; 00094 } 00095 /* only role_admins may copy to existing targets */ 00096 if ( rsbac_rc_role_exists(ta_number, to_role) 00097 && rsbac_rc_test_role_admin(TRUE) 00098 ) 00099 { 00100 rsbac_uid_t user; 00101 00102 if(!rsbac_get_owner(&user)) 00103 { 00104 rsbac_printk(KERN_INFO 00105 "rsbac_rc_sys_copy_role(): overwriting of existing role %u denied for pid %u, user %u - no role_admin!\n", 00106 to_role, 00107 current->pid, 00108 user); 00109 } 00110 #ifdef CONFIG_RSBAC_SOFTMODE 00111 if( !rsbac_softmode 00112 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00113 && !rsbac_ind_softmode[SW_RC] 00114 #endif 00115 ) 00116 #endif 00117 return -EPERM; 00118 } 00119 } 00120 #endif /* !MAINT */ 00121 00122 /* pass on */ 00123 return(rsbac_rc_copy_role(ta_number, from_role, to_role)); 00124 }
int rsbac_rc_sys_copy_type | ( | rsbac_list_ta_number_t | ta_number, | |
enum rsbac_rc_target_t | target, | |||
rsbac_rc_type_id_t | from_type, | |||
rsbac_rc_type_id_t | to_type | |||
) |
Definition at line 127 of file rc_syscalls.c.
References FALSE, get_target_name_only(), GRANTED, RCR_ADMIN, RSBAC_EINVALIDTARGET, rsbac_kfree(), rsbac_kmalloc(), RSBAC_MAXNAMELEN, rsbac_printk(), rsbac_rc_check_type_comp(), rsbac_rc_copy_type(), rsbac_rc_test_role_admin(), rsbac_rc_type_exists(), SW_RC, T_DEV, T_DIR, T_FD, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_PROCESS, T_SYMLINK, T_USER, and TRUE.
Referenced by sys_rsbac_rc_copy_type().
00132 { 00133 #if !defined(CONFIG_RSBAC_MAINT) 00134 #ifdef CONFIG_RSBAC_SWITCH_RC 00135 if(rsbac_switch_rc) 00136 #endif 00137 { 00138 int err; 00139 00140 switch(target) 00141 { 00142 case T_FILE: 00143 case T_DIR: 00144 case T_FIFO: 00145 case T_SYMLINK: 00146 target = T_FD; 00147 break; 00148 case T_FD: 00149 case T_DEV: 00150 case T_USER: 00151 case T_PROCESS: 00152 case T_IPC: 00153 case T_GROUP: 00154 case T_NETDEV: 00155 case T_NETTEMP: 00156 case T_NETOBJ: 00157 break; 00158 00159 default: 00160 return -RSBAC_EINVALIDTARGET; 00161 } 00162 /* need ADMIN right to source type or caller must be role_admin */ 00163 if( (rsbac_rc_check_type_comp(target, from_type, RCR_ADMIN, 0) != GRANTED) 00164 && (err=rsbac_rc_test_role_admin(FALSE)) 00165 ) 00166 { 00167 if(err == -EPERM) 00168 { 00169 rsbac_uid_t user; 00170 00171 if(!rsbac_get_owner(&user)) 00172 { 00173 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00174 00175 if(tmp) 00176 { 00177 rsbac_printk(KERN_INFO 00178 "rsbac_rc_sys_copy_type(): copying of %s type %u denied for pid %u, user %u - not in admin_roles!\n", 00179 get_target_name_only(tmp, target), 00180 from_type, 00181 current->pid, 00182 user); 00183 rsbac_kfree(tmp); 00184 } 00185 } 00186 #ifdef CONFIG_RSBAC_SOFTMODE 00187 if( !rsbac_softmode 00188 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00189 && !rsbac_ind_softmode[SW_RC] 00190 #endif 00191 ) 00192 #endif 00193 return err; 00194 } 00195 else 00196 return err; 00197 } 00198 /* only role_admins may copy to existing targets */ 00199 if ( rsbac_rc_type_exists(ta_number, target, to_type) 00200 && rsbac_rc_test_role_admin(TRUE) 00201 ) 00202 { 00203 rsbac_uid_t user; 00204 00205 if(!rsbac_get_owner(&user)) 00206 { 00207 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 00208 00209 if(tmp) 00210 { 00211 rsbac_printk(KERN_INFO 00212 "rsbac_rc_sys_copy_type(): overwriting of existing %s type %u denied for pid %u, user %u - no role_admin!\n", 00213 get_target_name_only(tmp, target), 00214 to_type, 00215 current->pid, 00216 user); 00217 rsbac_kfree(tmp); 00218 } 00219 } 00220 #ifdef CONFIG_RSBAC_SOFTMODE 00221 if( !rsbac_softmode 00222 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00223 && !rsbac_ind_softmode[SW_RC] 00224 #endif 00225 ) 00226 #endif 00227 return -EPERM; 00228 } 00229 } 00230 #endif /* !MAINT */ 00231 00232 /* pass on */ 00233 return(rsbac_rc_copy_type(ta_number, target, from_type, to_type)); 00234 }
int rsbac_rc_sys_get_current_role | ( | rsbac_rc_role_id_t * | role_p | ) |
Definition at line 1671 of file rc_syscalls.c.
References A_rc_role, rsbac_target_id_t::process, rsbac_attribute_value_t::rc_role, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_printk(), SW_RC, T_PROCESS, and TRUE.
Referenced by sys_rsbac_rc_get_current_role().
01672 { 01673 union rsbac_target_id_t i_tid; 01674 union rsbac_attribute_value_t i_attr_val1; 01675 int err; 01676 01677 /* get rc_role of process */ 01678 i_tid.process = current->pid; 01679 if ((err=rsbac_get_attr(SW_RC, T_PROCESS, 01680 i_tid, 01681 A_rc_role, 01682 &i_attr_val1, 01683 TRUE))) 01684 { 01685 rsbac_printk(KERN_WARNING 01686 "rsbac_rc_sys_get_current_role(): rsbac_get_attr() returned error %i!\n",err); 01687 return -RSBAC_EREADFAILED; 01688 } 01689 *role_p = i_attr_val1.rc_role; 01690 /* Ready. */ 01691 return 0; 01692 }
int rsbac_rc_sys_get_eff_rights | ( | rsbac_list_ta_number_t | ta_number, | |
enum rsbac_target_t | target, | |||
union rsbac_target_id_t | tid, | |||
rsbac_rc_request_vector_t * | request_vector, | |||
rsbac_time_t * | ttl_p | |||
) |
Definition at line 1556 of file rc_syscalls.c.
References A_none, A_rc_role, A_rc_type, A_rc_type_fd, A_rc_type_nt, rsbac_target_id_t::process, rsbac_attribute_value_t::rc_role, rsbac_attribute_value_t::rc_type, RI_type_comp_dev, RI_type_comp_fd, RI_type_comp_group, RI_type_comp_ipc, RI_type_comp_netdev, RI_type_comp_netobj, RI_type_comp_nettemp, RI_type_comp_process, RI_type_comp_scd, rsbac_rc_item_value_t::rights, rsbac_rc_target_id_t::role, RSBAC_EINVALIDTARGET, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_printk(), rsbac_rc_get_item(), RST_none, RT_ROLE, rsbac_target_id_t::scd, SW_RC, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_PROCESS, T_SCD, T_SYMLINK, TRUE, and rsbac_rc_target_id_t::type.
Referenced by sys_rsbac_rc_get_eff_rights_n().
01562 { 01563 union rsbac_target_id_t i_tid; 01564 enum rsbac_attribute_t i_attr = A_none; 01565 union rsbac_attribute_value_t i_attr_val1; 01566 union rsbac_attribute_value_t i_attr_val2; 01567 int err; 01568 enum rsbac_rc_item_t i_rc_item; 01569 union rsbac_rc_target_id_t i_rc_tid; 01570 union rsbac_rc_target_id_t i_rc_subtid; 01571 union rsbac_rc_item_value_t i_rc_item_val1; 01572 01573 i_tid.process = current->pid; 01574 /* get rc_role of process */ 01575 if ((err=rsbac_get_attr(SW_RC, T_PROCESS, 01576 i_tid, 01577 A_rc_role, 01578 &i_attr_val1, 01579 TRUE))) 01580 { 01581 rsbac_printk(KERN_WARNING 01582 "rsbac_rc_sys_get_eff_rights(): rsbac_get_attr() returned error %i!\n",err); 01583 return -RSBAC_EREADFAILED; 01584 } 01585 01586 switch(target) 01587 { 01588 case T_FILE: 01589 case T_DIR: 01590 case T_FIFO: 01591 case T_SYMLINK: 01592 i_attr = A_rc_type_fd; 01593 i_rc_item = RI_type_comp_fd; 01594 break; 01595 case T_DEV: 01596 i_attr = A_rc_type; 01597 i_rc_item = RI_type_comp_dev; 01598 break; 01599 case T_IPC: 01600 i_attr = A_rc_type; 01601 i_rc_item = RI_type_comp_ipc; 01602 break; 01603 case T_PROCESS: 01604 i_attr = A_rc_type; 01605 i_rc_item = RI_type_comp_process; 01606 break; 01607 case T_SCD: /* special case! */ 01608 if(tid.scd >= RST_none) 01609 return -RSBAC_EINVALIDTARGET; 01610 i_rc_item = RI_type_comp_scd; 01611 break; 01612 case T_GROUP: 01613 i_attr = A_rc_type; 01614 i_rc_item = RI_type_comp_group; 01615 break; 01616 case T_NETDEV: 01617 i_attr = A_rc_type; 01618 i_rc_item = RI_type_comp_netdev; 01619 break; 01620 case T_NETTEMP: 01621 i_attr = A_rc_type_nt; 01622 i_rc_item = RI_type_comp_nettemp; 01623 break; 01624 case T_NETOBJ: 01625 i_attr = A_rc_type; 01626 i_rc_item = RI_type_comp_netobj; 01627 break; 01628 default: 01629 return -RSBAC_EINVALIDTARGET; 01630 } 01631 /* get rc_type of target */ 01632 if(target == T_SCD) 01633 { 01634 i_attr_val2.rc_type = tid.scd; 01635 } 01636 else 01637 { 01638 if ((err=rsbac_get_attr(SW_RC, 01639 target, 01640 tid, 01641 i_attr, 01642 &i_attr_val2, 01643 TRUE))) 01644 { 01645 rsbac_printk(KERN_WARNING 01646 "rsbac_rc_sys_get_eff_rights(): rsbac_get_attr() returned error %i!\n",err); 01647 return -RSBAC_EREADFAILED; 01648 } 01649 } 01650 /* get type_comp_xxx of role for type and target */ 01651 i_rc_tid.role = i_attr_val1.rc_role; 01652 i_rc_subtid.type = i_attr_val2.rc_type; 01653 if ((err=rsbac_rc_get_item(ta_number, 01654 RT_ROLE, 01655 i_rc_tid, 01656 i_rc_subtid, 01657 i_rc_item, 01658 &i_rc_item_val1, 01659 ttl_p))) 01660 { 01661 rsbac_printk(KERN_WARNING 01662 "rsbac_rc_sys_get_eff_rights(): rsbac_rc_get_item() returned error %i!\n",err); 01663 return -RSBAC_EREADFAILED; 01664 } 01665 /* extract value */ 01666 *request_vector = i_rc_item_val1.rights; 01667 /* Ready. */ 01668 return 0; 01669 }
int rsbac_rc_sys_get_item | ( | rsbac_list_ta_number_t | ta_number, | |
enum rsbac_rc_target_t | target, | |||
union rsbac_rc_target_id_t | tid, | |||
union rsbac_rc_target_id_t | subtid, | |||
enum rsbac_rc_item_t | item, | |||
union rsbac_rc_item_value_t * | value_p, | |||
rsbac_time_t * | ttl_p | |||
) |
Definition at line 237 of file rc_syscalls.c.
References FALSE, RCR_ADMIN, RI_name, RI_type_dev_name, RI_type_fd_name, RI_type_fd_need_secdel, RI_type_group_name, RI_type_ipc_name, RI_type_netdev_name, RI_type_netobj_name, RI_type_nettemp_name, RI_type_process_name, RI_type_scd_name, RI_type_user_name, rsbac_rc_target_id_t::role, RSBAC_EINVALIDATTR, RSBAC_EINVALIDTARGET, rsbac_printk(), rsbac_rc_check_type_comp(), rsbac_rc_get_item(), rsbac_rc_test_admin_roles(), rsbac_rc_test_role_admin(), RT_ROLE, RT_TYPE, SW_RC, T_FILE, and rsbac_rc_target_id_t::type.
Referenced by sys_rsbac_rc_get_item().
00245 { 00246 #if !defined(CONFIG_RSBAC_MAINT) 00247 #ifdef CONFIG_RSBAC_SWITCH_RC 00248 if(rsbac_switch_rc) 00249 #endif 00250 { 00251 int err; 00252 00253 switch(item) 00254 { 00255 case RI_name: 00256 case RI_type_fd_name: 00257 case RI_type_dev_name: 00258 case RI_type_ipc_name: 00259 case RI_type_user_name: 00260 case RI_type_process_name: 00261 case RI_type_scd_name: 00262 case RI_type_group_name: 00263 case RI_type_netdev_name: 00264 case RI_type_nettemp_name: 00265 case RI_type_netobj_name: 00266 /* getting names is always allowed */ 00267 break; 00268 00269 case RI_type_fd_need_secdel: 00270 if(target != RT_TYPE) 00271 return -RSBAC_EINVALIDTARGET; 00272 if( (err=rsbac_rc_check_type_comp(T_FILE, tid.type, RCR_ADMIN, 0)) 00273 && (err=rsbac_rc_test_role_admin(FALSE)) 00274 ) 00275 { 00276 if(err == -EPERM) 00277 { 00278 rsbac_uid_t user; 00279 00280 if(!rsbac_get_owner(&user)) 00281 { 00282 rsbac_printk(KERN_INFO 00283 "rsbac_rc_sys_get_item(): reading fd_need_secdel of type %u denied for pid %u, user %u - no ADMIN right!\n", 00284 tid.type, 00285 current->pid, 00286 user); 00287 } 00288 #ifdef CONFIG_RSBAC_SOFTMODE 00289 if( !rsbac_softmode 00290 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00291 && !rsbac_ind_softmode[SW_RC] 00292 #endif 00293 ) 00294 #endif 00295 return err; 00296 } 00297 else 00298 return err; 00299 } 00300 break; 00301 00302 default: 00303 if(target != RT_ROLE) 00304 return -RSBAC_EINVALIDATTR; 00305 /* test admin_roles or admin_type of process' role / no modify */ 00306 if ( (err=rsbac_rc_test_admin_roles(tid.role, FALSE)) 00307 && (err=rsbac_rc_test_role_admin(FALSE)) 00308 ) 00309 { 00310 if(err == -EPERM) 00311 { 00312 rsbac_uid_t user; 00313 00314 if(!rsbac_get_owner(&user)) 00315 { 00316 rsbac_printk(KERN_INFO 00317 "rsbac_rc_sys_get_item(): getting item of role %u denied for pid %u, user %u - not in admin_roles!\n", 00318 tid.role, 00319 current->pid, 00320 user); 00321 } 00322 #ifdef CONFIG_RSBAC_SOFTMODE 00323 if( !rsbac_softmode 00324 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00325 && !rsbac_ind_softmode[SW_RC] 00326 #endif 00327 ) 00328 #endif 00329 return err; 00330 } 00331 else 00332 return err; 00333 } 00334 } 00335 } 00336 #endif /* !MAINT */ 00337 00338 /* pass on */ 00339 return(rsbac_rc_get_item(ta_number,target, tid, subtid, item, value_p, ttl_p)); 00340 }
int rsbac_rc_sys_set_item | ( | rsbac_list_ta_number_t | ta_number, | |
enum rsbac_rc_target_t | target, | |||
union rsbac_rc_target_id_t | tid, | |||
union rsbac_rc_target_id_t | subtid, | |||
enum rsbac_rc_item_t | item, | |||
union rsbac_rc_item_value_t | value, | |||
rsbac_time_t | ttl | |||
) |
Definition at line 343 of file rc_syscalls.c.
References A_rc_role, get_rc_item_name(), NOT_GRANTED, NULL, rsbac_target_id_t::process, R_NONE, rsbac_attribute_value_t::rc_role, RCR_ACCESS_CONTROL, RCR_ADMIN, RCR_ASSIGN, RCR_SUPERVISOR, RI_admin_roles, RI_admin_type, RI_assign_roles, RI_boot_role, RI_def_fd_create_type, RI_def_fd_ind_create_type, RI_def_fd_ind_create_type_remove, RI_def_group_create_type, RI_def_ipc_create_type, RI_def_process_chown_type, RI_def_process_create_type, RI_def_process_execute_type, RI_def_unixsock_create_type, RI_def_user_create_type, RI_name, RI_remove_role, RI_req_reauth, RI_role_comp, RI_type_comp_dev, RI_type_comp_fd, RI_type_comp_group, RI_type_comp_ipc, RI_type_comp_netdev, RI_type_comp_netobj, RI_type_comp_nettemp, RI_type_comp_process, RI_type_comp_scd, RI_type_comp_user, RI_type_dev_name, RI_type_dev_remove, RI_type_fd_name, RI_type_fd_need_secdel, RI_type_fd_remove, RI_type_group_name, RI_type_group_remove, RI_type_ipc_name, RI_type_ipc_remove, RI_type_netdev_name, RI_type_netdev_remove, RI_type_netobj_name, RI_type_netobj_remove, RI_type_nettemp_name, RI_type_nettemp_remove, RI_type_process_name, RI_type_process_remove, RI_type_scd_name, RI_type_user_name, RI_type_user_remove, rsbac_rc_item_value_t::rights, rsbac_rc_target_id_t::role, RSBAC_ALL_REQUEST_VECTOR, RSBAC_EINVALIDATTR, RSBAC_EINVALIDTARGET, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_pr_get_error, rsbac_printk(), rsbac_rc_check_comp(), rsbac_rc_check_type_comp(), rsbac_rc_get_item(), rsbac_rc_pr_get_error, RSBAC_RC_RIGHTS_VECTOR, rsbac_rc_set_item(), RSBAC_RC_SPECIAL_RIGHTS_VECTOR, rsbac_rc_test_admin_roles(), rsbac_rc_test_role_admin(), RT_ROLE, RT_TYPE, SW_RC, T_DEV, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_PROCESS, T_SCD, T_USER, TRUE, rsbac_rc_target_id_t::type, rsbac_rc_item_value_t::type_id, and UNDEFINED.
Referenced by sys_rsbac_rc_set_item().
00351 { 00352 #if !defined(CONFIG_RSBAC_MAINT) 00353 #ifdef CONFIG_RSBAC_SWITCH_RC 00354 if(rsbac_switch_rc) 00355 #endif 00356 { 00357 int err; 00358 00359 switch(item) 00360 { 00361 /* type targets */ 00362 case RI_type_fd_name: 00363 case RI_type_fd_need_secdel: 00364 case RI_type_fd_remove: 00365 if(target != RT_TYPE) 00366 return -RSBAC_EINVALIDTARGET; 00367 if( (rsbac_rc_check_type_comp(T_FILE, tid.type, RCR_ADMIN, 0) == NOT_GRANTED) 00368 && (err=rsbac_rc_test_role_admin(TRUE)) 00369 ) 00370 { 00371 if(err == -EPERM) 00372 { 00373 rsbac_uid_t user; 00374 char tmp[80]; 00375 00376 if(!rsbac_get_owner(&user)) 00377 { 00378 rsbac_printk(KERN_INFO 00379 "rsbac_rc_sys_set_item(): changing %s of FD type %u denied for pid %u, user %u - no ADMIN right!\n", 00380 get_rc_item_name(tmp, item), 00381 tid.type, 00382 current->pid, 00383 user); 00384 } 00385 #ifdef CONFIG_RSBAC_SOFTMODE 00386 if( !rsbac_softmode 00387 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00388 && !rsbac_ind_softmode[SW_RC] 00389 #endif 00390 ) 00391 #endif 00392 return err; 00393 } 00394 else 00395 return err; 00396 } 00397 break; 00398 case RI_type_dev_name: 00399 case RI_type_dev_remove: 00400 if(target != RT_TYPE) 00401 return -RSBAC_EINVALIDTARGET; 00402 if( (rsbac_rc_check_type_comp(T_DEV, tid.type, RCR_ADMIN, 0) == NOT_GRANTED) 00403 && (err=rsbac_rc_test_role_admin(TRUE)) 00404 ) 00405 { 00406 if(err == -EPERM) 00407 { 00408 rsbac_uid_t user; 00409 00410 if(!rsbac_get_owner(&user)) 00411 { 00412 rsbac_printk(KERN_INFO 00413 "rsbac_rc_sys_set_item(): changing name or removing of DEV type %u denied for pid %u, user %u - no ADMIN right!\n", 00414 tid.type, 00415 current->pid, 00416 user); 00417 } 00418 #ifdef CONFIG_RSBAC_SOFTMODE 00419 if( !rsbac_softmode 00420 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00421 && !rsbac_ind_softmode[SW_RC] 00422 #endif 00423 ) 00424 #endif 00425 return err; 00426 } 00427 else 00428 return err; 00429 } 00430 break; 00431 case RI_type_ipc_name: 00432 case RI_type_ipc_remove: 00433 if(target != RT_TYPE) 00434 return -RSBAC_EINVALIDTARGET; 00435 if( (rsbac_rc_check_type_comp(T_IPC, tid.type, RCR_ADMIN, 0) == NOT_GRANTED) 00436 && (err=rsbac_rc_test_role_admin(TRUE)) 00437 ) 00438 { 00439 if(err == -EPERM) 00440 { 00441 rsbac_uid_t user; 00442 00443 if(!rsbac_get_owner(&user)) 00444 { 00445 rsbac_printk(KERN_INFO 00446 "rsbac_rc_sys_set_item(): changing name or removing of IPC type %u denied for pid %u, user %u - no ADMIN right!\n", 00447 tid.type, 00448 current->pid, 00449 user); 00450 } 00451 #ifdef CONFIG_RSBAC_SOFTMODE 00452 if( !rsbac_softmode 00453 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00454 && !rsbac_ind_softmode[SW_RC] 00455 #endif 00456 ) 00457 #endif 00458 return err; 00459 } 00460 else 00461 return err; 00462 } 00463 break; 00464 case RI_type_user_name: 00465 case RI_type_user_remove: 00466 if(target != RT_TYPE) 00467 return -RSBAC_EINVALIDTARGET; 00468 if( (rsbac_rc_check_type_comp(T_USER, tid.type, RCR_ADMIN, 0) == NOT_GRANTED) 00469 && (err=rsbac_rc_test_role_admin(TRUE)) 00470 ) 00471 { 00472 if(err == -EPERM) 00473 { 00474 rsbac_uid_t user; 00475 00476 if(!rsbac_get_owner(&user)) 00477 { 00478 rsbac_printk(KERN_INFO 00479 "rsbac_rc_sys_set_item(): changing name or removing of USER type %u denied for pid %u, user %u - no ADMIN right!\n", 00480 tid.type, 00481 current->pid, 00482 user); 00483 } 00484 #ifdef CONFIG_RSBAC_SOFTMODE 00485 if( !rsbac_softmode 00486 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00487 && !rsbac_ind_softmode[SW_RC] 00488 #endif 00489 ) 00490 #endif 00491 return err; 00492 } 00493 else 00494 return err; 00495 } 00496 break; 00497 case RI_type_process_name: 00498 case RI_type_process_remove: 00499 if(target != RT_TYPE) 00500 return -RSBAC_EINVALIDTARGET; 00501 if( (rsbac_rc_check_type_comp(T_PROCESS, tid.type, RCR_ADMIN, 0) == NOT_GRANTED) 00502 && (err=rsbac_rc_test_role_admin(TRUE)) 00503 ) 00504 { 00505 if(err == -EPERM) 00506 { 00507 rsbac_uid_t user; 00508 00509 if(!rsbac_get_owner(&user)) 00510 { 00511 rsbac_printk(KERN_INFO 00512 "rsbac_rc_sys_set_item(): changing name or removing of process type %u denied for pid %u, user %u - no ADMIN right!\n", 00513 tid.type, 00514 current->pid, 00515 user); 00516 } 00517 #ifdef CONFIG_RSBAC_SOFTMODE 00518 if( !rsbac_softmode 00519 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00520 && !rsbac_ind_softmode[SW_RC] 00521 #endif 00522 ) 00523 #endif 00524 return err; 00525 } 00526 else 00527 return err; 00528 } 00529 break; 00530 case RI_type_scd_name: 00531 if(target != RT_TYPE) 00532 return -RSBAC_EINVALIDTARGET; 00533 if( (rsbac_rc_check_type_comp(T_SCD, tid.type, RCR_ADMIN, 0) == NOT_GRANTED) 00534 && (err=rsbac_rc_test_role_admin(TRUE)) 00535 ) 00536 { 00537 if(err == -EPERM) 00538 { 00539 rsbac_uid_t user; 00540 00541 if(!rsbac_get_owner(&user)) 00542 { 00543 rsbac_printk(KERN_INFO 00544 "rsbac_rc_sys_set_item(): changing name or removing of SCD type %u denied for pid %u, user %u - no ADMIN right!\n", 00545 tid.type, 00546 current->pid, 00547 user); 00548 } 00549 #ifdef CONFIG_RSBAC_SOFTMODE 00550 if( !rsbac_softmode 00551 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00552 && !rsbac_ind_softmode[SW_RC] 00553 #endif 00554 ) 00555 #endif 00556 return err; 00557 } 00558 else 00559 return err; 00560 } 00561 break; 00562 case RI_type_group_name: 00563 case RI_type_group_remove: 00564 if(target != RT_TYPE) 00565 return -RSBAC_EINVALIDTARGET; 00566 if( (rsbac_rc_check_type_comp(T_GROUP, tid.type, RCR_ADMIN, 0) == NOT_GRANTED) 00567 && (err=rsbac_rc_test_role_admin(TRUE)) 00568 ) 00569 { 00570 if(err == -EPERM) 00571 { 00572 rsbac_uid_t user; 00573 00574 if(!rsbac_get_owner(&user)) 00575 { 00576 rsbac_printk(KERN_INFO 00577 "rsbac_rc_sys_set_item(): changing name or removing of GROUP type %u denied for pid %u, user %u - no ADMIN right!\n", 00578 tid.type, 00579 current->pid, 00580 user); 00581 } 00582 #ifdef CONFIG_RSBAC_SOFTMODE 00583 if( !rsbac_softmode 00584 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00585 && !rsbac_ind_softmode[SW_RC] 00586 #endif 00587 ) 00588 #endif 00589 return err; 00590 } 00591 else 00592 return err; 00593 } 00594 break; 00595 case RI_type_netdev_name: 00596 case RI_type_netdev_remove: 00597 if(target != RT_TYPE) 00598 return -RSBAC_EINVALIDTARGET; 00599 if( (rsbac_rc_check_type_comp(T_NETDEV, tid.type, RCR_ADMIN, 0) == NOT_GRANTED) 00600 && (err=rsbac_rc_test_role_admin(TRUE)) 00601 ) 00602 { 00603 if(err == -EPERM) 00604 { 00605 rsbac_uid_t user; 00606 00607 if(!rsbac_get_owner(&user)) 00608 { 00609 rsbac_printk(KERN_INFO 00610 "rsbac_rc_sys_set_item(): changing name or removing of NETDEV type %u denied for pid %u, user %u - no ADMIN right!\n", 00611 tid.type, 00612 current->pid, 00613 user); 00614 } 00615 #ifdef CONFIG_RSBAC_SOFTMODE 00616 if( !rsbac_softmode 00617 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00618 && !rsbac_ind_softmode[SW_RC] 00619 #endif 00620 ) 00621 #endif 00622 return err; 00623 } 00624 else 00625 return err; 00626 } 00627 break; 00628 case RI_type_nettemp_name: 00629 case RI_type_nettemp_remove: 00630 if(target != RT_TYPE) 00631 return -RSBAC_EINVALIDTARGET; 00632 if( (rsbac_rc_check_type_comp(T_NETTEMP, tid.type, RCR_ADMIN, 0) == NOT_GRANTED) 00633 && (err=rsbac_rc_test_role_admin(TRUE)) 00634 ) 00635 { 00636 if(err == -EPERM) 00637 { 00638 rsbac_uid_t user; 00639 00640 if(!rsbac_get_owner(&user)) 00641 { 00642 rsbac_printk(KERN_INFO 00643 "rsbac_rc_sys_set_item(): changing name or removing of NETTEMP type %u denied for pid %u, user %u - no ADMIN right!\n", 00644 tid.type, 00645 current->pid, 00646 user); 00647 } 00648 #ifdef CONFIG_RSBAC_SOFTMODE 00649 if( !rsbac_softmode 00650 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00651 && !rsbac_ind_softmode[SW_RC] 00652 #endif 00653 ) 00654 #endif 00655 return err; 00656 } 00657 else 00658 return err; 00659 } 00660 break; 00661 case RI_type_netobj_name: 00662 case RI_type_netobj_remove: 00663 if(target != RT_TYPE) 00664 return -RSBAC_EINVALIDTARGET; 00665 if( (rsbac_rc_check_type_comp(T_NETOBJ, tid.type, RCR_ADMIN, 0) == NOT_GRANTED) 00666 && (err=rsbac_rc_test_role_admin(TRUE)) 00667 ) 00668 { 00669 if(err == -EPERM) 00670 { 00671 rsbac_uid_t user; 00672 00673 if(!rsbac_get_owner(&user)) 00674 { 00675 rsbac_printk(KERN_INFO 00676 "rsbac_rc_sys_set_item(): changing name or removing of NETOBJ type %u denied for pid %u, user %u - no ADMIN right!\n", 00677 tid.type, 00678 current->pid, 00679 user); 00680 } 00681 #ifdef CONFIG_RSBAC_SOFTMODE 00682 if( !rsbac_softmode 00683 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00684 && !rsbac_ind_softmode[SW_RC] 00685 #endif 00686 ) 00687 #endif 00688 return err; 00689 } 00690 else 00691 return err; 00692 } 00693 break; 00694 00695 /* roles only from here */ 00696 case RI_role_comp: 00697 /* need admin for this role, assign for changed compatible roles */ 00698 { 00699 union rsbac_target_id_t i_tid; 00700 union rsbac_attribute_value_t i_attr_val1; 00701 00702 if(target != RT_ROLE) 00703 return -RSBAC_EINVALIDATTR; 00704 if(!rsbac_rc_test_role_admin(TRUE)) 00705 break; 00706 /* test admin_role of process / modify */ 00707 if((err=rsbac_rc_test_admin_roles(tid.role, TRUE))) 00708 { 00709 if(err == -EPERM) 00710 { 00711 rsbac_uid_t user; 00712 00713 if(!rsbac_get_owner(&user)) 00714 { 00715 rsbac_printk(KERN_INFO 00716 "rsbac_rc_sys_set_item(): changing role_comp of role %u denied for pid %u, user %u - not in admin_roles!\n", 00717 tid.role, 00718 current->pid, 00719 user); 00720 } 00721 #ifdef CONFIG_RSBAC_SOFTMODE 00722 if( !rsbac_softmode 00723 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00724 && !rsbac_ind_softmode[SW_RC] 00725 #endif 00726 ) 00727 #endif 00728 return err; 00729 } 00730 else 00731 return err; 00732 } 00733 /* now check assign for changed comp role. */ 00734 /* get rc_role of process */ 00735 i_tid.process = current->pid; 00736 if ((err=rsbac_get_attr(SW_RC, T_PROCESS, 00737 i_tid, 00738 A_rc_role, 00739 &i_attr_val1, 00740 TRUE))) 00741 { 00742 rsbac_pr_get_error(A_rc_role); 00743 return -RSBAC_EREADFAILED; 00744 } 00745 /* check assign_roles of role */ 00746 if (!rsbac_rc_check_comp(i_attr_val1.rc_role, 00747 tid, 00748 RI_assign_roles, 00749 R_NONE)) 00750 { 00751 rsbac_uid_t user; 00752 if(!rsbac_get_owner(&user)) 00753 { 00754 rsbac_printk(KERN_INFO 00755 "rsbac_rc_sys_set_item(): changing role_comp for role %u denied for user %u, role %u - not in assign_roles!\n", 00756 tid.role, 00757 user, 00758 i_attr_val1.rc_role); 00759 } 00760 #ifdef CONFIG_RSBAC_SOFTMODE 00761 if( !rsbac_softmode 00762 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00763 && !rsbac_ind_softmode[SW_RC] 00764 #endif 00765 ) 00766 #endif 00767 return -EPERM; 00768 } 00769 } 00770 break; 00771 00772 case RI_admin_type: 00773 case RI_admin_roles: 00774 case RI_assign_roles: 00775 case RI_boot_role: 00776 case RI_req_reauth: 00777 /* admin_type role_admin */ 00778 if((err=rsbac_rc_test_role_admin(TRUE))) 00779 { 00780 if(err == -EPERM) 00781 { 00782 rsbac_uid_t user; 00783 char tmp[80]; 00784 00785 if(!rsbac_get_owner(&user)) 00786 { 00787 rsbac_printk(KERN_INFO 00788 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - no Role Admin!\n", 00789 get_rc_item_name(tmp, item), 00790 tid.role, 00791 current->pid, 00792 user); 00793 } 00794 #ifdef CONFIG_RSBAC_SOFTMODE 00795 if( !rsbac_softmode 00796 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00797 && !rsbac_ind_softmode[SW_RC] 00798 #endif 00799 ) 00800 #endif 00801 return err; 00802 } 00803 else 00804 return err; 00805 } 00806 break; 00807 case RI_name: 00808 /* admin for this role */ 00809 /* test admin_role of process / modify */ 00810 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE)) 00811 && (err=rsbac_rc_test_role_admin(TRUE)) 00812 ) 00813 { 00814 if(err == -EPERM) 00815 { 00816 rsbac_uid_t user; 00817 00818 if(!rsbac_get_owner(&user)) 00819 { 00820 rsbac_printk(KERN_INFO 00821 "rsbac_rc_sys_set_item(): changing name of role %u denied for pid %u, user %u - not in admin_roles!\n", 00822 tid.role, 00823 current->pid, 00824 user); 00825 } 00826 #ifdef CONFIG_RSBAC_SOFTMODE 00827 if( !rsbac_softmode 00828 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00829 && !rsbac_ind_softmode[SW_RC] 00830 #endif 00831 ) 00832 #endif 00833 return err; 00834 } 00835 else 00836 return err; 00837 } 00838 break; 00839 00840 case RI_remove_role: 00841 /* test admin_role of process role / modify */ 00842 if((err=rsbac_rc_test_role_admin(TRUE))) 00843 { 00844 if(err == -EPERM) 00845 { 00846 rsbac_uid_t user; 00847 00848 if(!rsbac_get_owner(&user)) 00849 { 00850 rsbac_printk(KERN_INFO 00851 "rsbac_rc_sys_set_item(): removing of role %u denied for pid %u, user %u - not in admin_roles!\n", 00852 tid.role, 00853 current->pid, 00854 user); 00855 } 00856 #ifdef CONFIG_RSBAC_SOFTMODE 00857 if( !rsbac_softmode 00858 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00859 && !rsbac_ind_softmode[SW_RC] 00860 #endif 00861 ) 00862 #endif 00863 return err; 00864 } 00865 else 00866 return err; 00867 } 00868 break; 00869 00870 case RI_def_fd_create_type: 00871 case RI_def_fd_ind_create_type: 00872 /* admin for this role and assign for target type */ 00873 /* test admin_role of process / modify */ 00874 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE)) 00875 && (err=rsbac_rc_test_role_admin(TRUE)) 00876 ) 00877 { 00878 if(err == -EPERM) 00879 { 00880 rsbac_uid_t user; 00881 00882 if(!rsbac_get_owner(&user)) 00883 { 00884 rsbac_printk(KERN_INFO 00885 "rsbac_rc_sys_set_item(): changing def_fd_[ind_]create_type of role %u denied for pid %u, user %u - not in admin_roles!\n", 00886 tid.role, 00887 current->pid, 00888 user); 00889 } 00890 #ifdef CONFIG_RSBAC_SOFTMODE 00891 if( !rsbac_softmode 00892 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00893 && !rsbac_ind_softmode[SW_RC] 00894 #endif 00895 ) 00896 #endif 00897 return err; 00898 } 00899 else 00900 return err; 00901 } 00902 else 00903 { 00904 enum rsbac_adf_req_ret_t result; 00905 00906 result = rsbac_rc_check_type_comp(T_FILE, value.type_id, RCR_ASSIGN, 0); 00907 if( ( (result == NOT_GRANTED) 00908 || (result == UNDEFINED) 00909 ) 00910 && (err=rsbac_rc_test_role_admin(TRUE)) 00911 ) 00912 { 00913 rsbac_uid_t user; 00914 00915 if(!rsbac_get_owner(&user)) 00916 { 00917 rsbac_printk(KERN_INFO 00918 "rsbac_rc_sys_set_item(): changing def_fd_[ind_]create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n", 00919 tid.role, 00920 value.type_id, 00921 user); 00922 } 00923 #ifdef CONFIG_RSBAC_SOFTMODE 00924 if( !rsbac_softmode 00925 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00926 && !rsbac_ind_softmode[SW_RC] 00927 #endif 00928 ) 00929 #endif 00930 return -EPERM; 00931 } 00932 } 00933 break; 00934 00935 case RI_def_fd_ind_create_type_remove: 00936 /* test admin_role of process / modify */ 00937 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE)) 00938 && (err=rsbac_rc_test_role_admin(TRUE)) 00939 ) 00940 { 00941 if(err == -EPERM) 00942 { 00943 rsbac_uid_t user; 00944 00945 if(!rsbac_get_owner(&user)) 00946 { 00947 rsbac_printk(KERN_INFO 00948 "rsbac_rc_sys_set_item(): changing def_fd_[ind_]create_type of role %u denied for pid %u, user %u - not in admin_roles!\n", 00949 tid.role, 00950 current->pid, 00951 user); 00952 } 00953 #ifdef CONFIG_RSBAC_SOFTMODE 00954 if( !rsbac_softmode 00955 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00956 && !rsbac_ind_softmode[SW_RC] 00957 #endif 00958 ) 00959 #endif 00960 return err; 00961 } 00962 else 00963 return err; 00964 } 00965 break; 00966 00967 case RI_def_user_create_type: 00968 /* admin for this role and assign for target type */ 00969 /* test admin_role of process / modify */ 00970 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE)) 00971 && (err=rsbac_rc_test_role_admin(TRUE)) 00972 ) 00973 { 00974 if(err == -EPERM) 00975 { 00976 rsbac_uid_t user; 00977 00978 if(!rsbac_get_owner(&user)) 00979 { 00980 rsbac_printk(KERN_INFO 00981 "rsbac_rc_sys_set_item(): changing def_user_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n", 00982 tid.role, 00983 current->pid, 00984 user); 00985 } 00986 #ifdef CONFIG_RSBAC_SOFTMODE 00987 if( !rsbac_softmode 00988 #ifdef CONFIG_RSBAC_SOFTMODE_IND 00989 && !rsbac_ind_softmode[SW_RC] 00990 #endif 00991 ) 00992 #endif 00993 return err; 00994 } 00995 else 00996 return err; 00997 } 00998 else 00999 { 01000 enum rsbac_adf_req_ret_t result; 01001 01002 result = rsbac_rc_check_type_comp(T_USER, value.type_id, RCR_ASSIGN, 0); 01003 if( ( (result == NOT_GRANTED) 01004 || (result == UNDEFINED) 01005 ) 01006 && (err=rsbac_rc_test_role_admin(TRUE)) 01007 ) 01008 { 01009 rsbac_uid_t user; 01010 01011 if(!rsbac_get_owner(&user)) 01012 { 01013 rsbac_printk(KERN_INFO 01014 "rsbac_rc_sys_set_item(): changing def_user_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n", 01015 tid.role, 01016 value.type_id, 01017 user); 01018 } 01019 #ifdef CONFIG_RSBAC_SOFTMODE 01020 if( !rsbac_softmode 01021 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01022 && !rsbac_ind_softmode[SW_RC] 01023 #endif 01024 ) 01025 #endif 01026 return -EPERM; 01027 } 01028 } 01029 break; 01030 01031 case RI_def_process_create_type: 01032 case RI_def_process_chown_type: 01033 case RI_def_process_execute_type: 01034 /* admin for this role and assign for target type */ 01035 /* test admin_role of process / modify */ 01036 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE)) 01037 && (err=rsbac_rc_test_role_admin(TRUE)) 01038 ) 01039 { 01040 if(err == -EPERM) 01041 { 01042 rsbac_uid_t user; 01043 char tmp[80]; 01044 01045 if(!rsbac_get_owner(&user)) 01046 { 01047 rsbac_printk(KERN_INFO 01048 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - not in admin_roles!\n", 01049 get_rc_item_name(tmp, item), 01050 tid.role, 01051 current->pid, 01052 user); 01053 } 01054 #ifdef CONFIG_RSBAC_SOFTMODE 01055 if( !rsbac_softmode 01056 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01057 && !rsbac_ind_softmode[SW_RC] 01058 #endif 01059 ) 01060 #endif 01061 return err; 01062 } 01063 else 01064 return err; 01065 } 01066 else 01067 { 01068 enum rsbac_adf_req_ret_t result; 01069 01070 result = rsbac_rc_check_type_comp(T_PROCESS, value.type_id, RCR_ASSIGN, 0); 01071 if( ( (result == NOT_GRANTED) 01072 || (result == UNDEFINED) 01073 ) 01074 && (err=rsbac_rc_test_role_admin(TRUE)) 01075 ) 01076 { 01077 rsbac_uid_t user; 01078 01079 if(!rsbac_get_owner(&user)) 01080 { 01081 rsbac_printk(KERN_INFO 01082 "rsbac_rc_sys_set_item(): changing def_process_*_type for role %u to %u denied for user %u - no ASSIGN right for type!\n", 01083 tid.role, 01084 value.type_id, 01085 user); 01086 } 01087 #ifdef CONFIG_RSBAC_SOFTMODE 01088 if( !rsbac_softmode 01089 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01090 && !rsbac_ind_softmode[SW_RC] 01091 #endif 01092 ) 01093 #endif 01094 return -EPERM; 01095 } 01096 } 01097 break; 01098 case RI_def_ipc_create_type: 01099 /* admin for this role and assign for target type */ 01100 /* test admin_role of process / modify */ 01101 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE)) 01102 && (err=rsbac_rc_test_role_admin(TRUE)) 01103 ) 01104 { 01105 if(err == -EPERM) 01106 { 01107 rsbac_uid_t user; 01108 01109 if(!rsbac_get_owner(&user)) 01110 { 01111 rsbac_printk(KERN_INFO 01112 "rsbac_rc_sys_set_item(): changing def_ipc_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n", 01113 tid.role, 01114 current->pid, 01115 user); 01116 } 01117 #ifdef CONFIG_RSBAC_SOFTMODE 01118 if( !rsbac_softmode 01119 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01120 && !rsbac_ind_softmode[SW_RC] 01121 #endif 01122 ) 01123 #endif 01124 return err; 01125 } 01126 else 01127 return err; 01128 } 01129 else 01130 { 01131 enum rsbac_adf_req_ret_t result; 01132 01133 result = rsbac_rc_check_type_comp(T_IPC, value.type_id, RCR_ASSIGN, 0); 01134 if( ( (result == NOT_GRANTED) 01135 || (result == UNDEFINED) 01136 ) 01137 && (err=rsbac_rc_test_role_admin(TRUE)) 01138 ) 01139 { 01140 rsbac_uid_t user; 01141 01142 if(!rsbac_get_owner(&user)) 01143 { 01144 rsbac_printk(KERN_INFO 01145 "rsbac_rc_sys_set_item(): changing def_ipc_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n", 01146 tid.role, 01147 value.type_id, 01148 user); 01149 } 01150 #ifdef CONFIG_RSBAC_SOFTMODE 01151 if( !rsbac_softmode 01152 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01153 && !rsbac_ind_softmode[SW_RC] 01154 #endif 01155 ) 01156 #endif 01157 return -EPERM; 01158 } 01159 } 01160 break; 01161 case RI_def_group_create_type: 01162 /* admin for this role and assign for target type */ 01163 /* test admin_role of process / modify */ 01164 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE)) 01165 && (err=rsbac_rc_test_role_admin(TRUE)) 01166 ) 01167 { 01168 if(err == -EPERM) 01169 { 01170 rsbac_uid_t user; 01171 01172 if(!rsbac_get_owner(&user)) 01173 { 01174 rsbac_printk(KERN_INFO 01175 "rsbac_rc_sys_set_item(): changing def_group_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n", 01176 tid.role, 01177 current->pid, 01178 user); 01179 } 01180 #ifdef CONFIG_RSBAC_SOFTMODE 01181 if( !rsbac_softmode 01182 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01183 && !rsbac_ind_softmode[SW_RC] 01184 #endif 01185 ) 01186 #endif 01187 return err; 01188 } 01189 else 01190 return err; 01191 } 01192 else 01193 { 01194 enum rsbac_adf_req_ret_t result; 01195 01196 result = rsbac_rc_check_type_comp(T_GROUP, value.type_id, RCR_ASSIGN, 0); 01197 if( ( (result == NOT_GRANTED) 01198 || (result == UNDEFINED) 01199 ) 01200 && (err=rsbac_rc_test_role_admin(TRUE)) 01201 ) 01202 { 01203 rsbac_uid_t user; 01204 01205 if(!rsbac_get_owner(&user)) 01206 { 01207 rsbac_printk(KERN_INFO 01208 "rsbac_rc_sys_set_item(): changing def_group_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n", 01209 tid.role, 01210 value.type_id, 01211 user); 01212 } 01213 #ifdef CONFIG_RSBAC_SOFTMODE 01214 if( !rsbac_softmode 01215 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01216 && !rsbac_ind_softmode[SW_RC] 01217 #endif 01218 ) 01219 #endif 01220 return -EPERM; 01221 } 01222 } 01223 break; 01224 case RI_def_unixsock_create_type: 01225 /* admin for this role and assign for target type */ 01226 /* test admin_role of process / modify */ 01227 if ((err = 01228 rsbac_rc_test_admin_roles(tid.role, TRUE)) 01229 && (err = rsbac_rc_test_role_admin(TRUE)) 01230 ) { 01231 if (err == -EPERM) { 01232 rsbac_uid_t user; 01233 01234 if (!rsbac_get_owner(&user)) { 01235 rsbac_printk(KERN_INFO "rsbac_rc_sys_set_item(): changing def_unixsock_create_type of role %u denied for pid %u, user %u - not in admin_roles\n", 01236 tid.role, 01237 current->pid, 01238 user); 01239 } 01240 #ifdef CONFIG_RSBAC_SOFTMODE 01241 if (!rsbac_softmode 01242 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01243 && !rsbac_ind_softmode[SW_RC] 01244 #endif 01245 ) 01246 #endif 01247 return err; 01248 } else 01249 return err; 01250 } else { 01251 enum rsbac_adf_req_ret_t result; 01252 01253 result = 01254 rsbac_rc_check_type_comp(T_NETOBJ, 01255 value.type_id, 01256 RCR_ASSIGN, 01257 0); 01258 if (((result == NOT_GRANTED) 01259 || (result == UNDEFINED) 01260 ) 01261 && (err = 01262 rsbac_rc_test_role_admin(TRUE)) 01263 ) { 01264 rsbac_uid_t user; 01265 01266 if (!rsbac_get_owner(&user)) { 01267 rsbac_printk(KERN_INFO "rsbac_rc_sys_set_item(): changing def_unixsock_create_type for role %u to %u denied for user %u - no ASSIGN right for type\n", 01268 tid.role, 01269 value.type_id, 01270 user); 01271 } 01272 #ifdef CONFIG_RSBAC_SOFTMODE 01273 if (!rsbac_softmode 01274 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01275 && !rsbac_ind_softmode[SW_RC] 01276 #endif 01277 ) 01278 #endif 01279 return -EPERM; 01280 } 01281 } 01282 break; 01283 01284 01285 case RI_type_comp_fd: 01286 case RI_type_comp_dev: 01287 case RI_type_comp_user: 01288 case RI_type_comp_process: 01289 case RI_type_comp_ipc: 01290 case RI_type_comp_scd: 01291 case RI_type_comp_group: 01292 case RI_type_comp_netdev: 01293 case RI_type_comp_nettemp: 01294 case RI_type_comp_netobj: 01295 { 01296 union rsbac_rc_item_value_t old_value, my_value; 01297 union rsbac_target_id_t i_tid; 01298 union rsbac_attribute_value_t i_attr_val1; 01299 union rsbac_rc_target_id_t i_rc_tid; 01300 01301 if(target != RT_ROLE) 01302 return -RSBAC_EINVALIDATTR; 01303 if(!rsbac_rc_test_role_admin(TRUE)) 01304 break; 01305 /* test admin_role of process / modify */ 01306 if((err=rsbac_rc_test_admin_roles(tid.role, TRUE))) 01307 { 01308 if(err == -EPERM) 01309 { 01310 rsbac_uid_t user; 01311 char tmp[80]; 01312 01313 if(!rsbac_get_owner(&user)) 01314 { 01315 rsbac_printk(KERN_INFO 01316 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - not in admin_roles!\n", 01317 get_rc_item_name(tmp, item), 01318 tid.role, 01319 current->pid, 01320 user); 01321 } 01322 #ifdef CONFIG_RSBAC_SOFTMODE 01323 if( !rsbac_softmode 01324 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01325 && !rsbac_ind_softmode[SW_RC] 01326 #endif 01327 ) 01328 #endif 01329 return err; 01330 } 01331 else 01332 return err; 01333 } 01334 /* test caller's RCR_ACCESS_CONTROL for the type, if we change normal access */ 01335 /* and caller's RCR_SUPERVISOR for the type, if we change special rights */ 01336 /* first get old setting */ 01337 err = rsbac_rc_get_item(ta_number, target, tid, subtid, item, &old_value, NULL); 01338 if(err) 01339 return(err); 01340 01341 /* get rc_role of process */ 01342 i_tid.process = current->pid; 01343 if ((err=rsbac_get_attr(SW_RC, T_PROCESS, 01344 i_tid, 01345 A_rc_role, 01346 &i_attr_val1, 01347 TRUE))) 01348 { 01349 rsbac_pr_get_error(A_rc_role); 01350 return err; 01351 } 01352 /* get item of process role */ 01353 i_rc_tid.role = i_attr_val1.rc_role; 01354 if ((err=rsbac_rc_get_item(ta_number, 01355 RT_ROLE, 01356 i_rc_tid, 01357 subtid, 01358 item, 01359 &my_value, 01360 NULL))) 01361 { 01362 rsbac_rc_pr_get_error(item); 01363 return err; 01364 } 01365 01366 /* check planned changes for type */ 01367 if( /* Want to change normal rights to this type? Need RCR_ACCESS_CONTROL. */ 01368 ( ( (old_value.rights & RSBAC_ALL_REQUEST_VECTOR) 01369 != (value.rights & RSBAC_ALL_REQUEST_VECTOR) 01370 ) 01371 && (!(my_value.rights & RSBAC_RC_RIGHTS_VECTOR(RCR_ACCESS_CONTROL))) 01372 ) 01373 || 01374 /* Want to change special rights to this type? Need RCR_SUPERVISOR. */ 01375 ( ( (old_value.rights & RSBAC_RC_SPECIAL_RIGHTS_VECTOR) 01376 != (value.rights & RSBAC_RC_SPECIAL_RIGHTS_VECTOR) 01377 ) 01378 && (!(my_value.rights & RSBAC_RC_RIGHTS_VECTOR(RCR_SUPERVISOR))) 01379 ) 01380 ) 01381 { 01382 /* check failed. Last resort: Classical admin_type. */ 01383 if((err=rsbac_rc_test_role_admin(TRUE))) 01384 { 01385 if(err == -EPERM) 01386 { 01387 rsbac_uid_t user; 01388 char tmp[80]; 01389 01390 if(!rsbac_get_owner(&user)) 01391 { 01392 rsbac_printk(KERN_INFO 01393 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u, role %u - insufficent rights!\n", 01394 get_rc_item_name(tmp, item), 01395 tid.role, 01396 current->pid, 01397 user, 01398 i_attr_val1.rc_role); 01399 } 01400 #ifdef CONFIG_RSBAC_SOFTMODE 01401 if( !rsbac_softmode 01402 #ifdef CONFIG_RSBAC_SOFTMODE_IND 01403 && !rsbac_ind_softmode[SW_RC] 01404 #endif 01405 ) 01406 #endif 01407 return err; 01408 } 01409 else 01410 return err; 01411 } 01412 } 01413 } 01414 break; 01415 01416 default: 01417 return -RSBAC_EINVALIDATTR; 01418 } 01419 } 01420 #endif /* !MAINT */ 01421 01422 /* pass on */ 01423 return(rsbac_rc_set_item(ta_number, target, tid, subtid, item, value, ttl)); 01424 }
int rsbac_rc_test_admin_roles | ( | rsbac_rc_role_id_t | t_role, | |
rsbac_boolean_t | modify | |||
) |
Definition at line 186 of file rc_main.c.
References A_rc_role, rsbac_target_id_t::process, R_NONE, rsbac_attribute_value_t::rc_role, RC_role_max_value, RI_admin_roles, RI_assign_roles, rsbac_rc_target_id_t::role, RSBAC_EINVALIDVALUE, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_pr_get_error, rsbac_rc_check_comp(), SW_RC, T_PROCESS, and TRUE.
Referenced by rsbac_rc_sys_copy_role(), rsbac_rc_sys_get_item(), and rsbac_rc_sys_set_item().
00188 { 00189 int err; 00190 union rsbac_target_id_t i_tid; 00191 union rsbac_attribute_value_t i_attr_val1; 00192 union rsbac_rc_target_id_t i_rc_subtid; 00193 00194 if (t_role > RC_role_max_value) 00195 return -RSBAC_EINVALIDVALUE; 00196 /* get rc_role of process */ 00197 i_tid.process = current->pid; 00198 if ((err = rsbac_get_attr(SW_RC, T_PROCESS, 00199 i_tid, A_rc_role, &i_attr_val1, TRUE))) { 00200 rsbac_pr_get_error(A_rc_role); 00201 return -RSBAC_EREADFAILED; 00202 } 00203 00204 i_rc_subtid.role = t_role; 00205 /* read_only? -> assign_roles membership is enough */ 00206 if (!modify) { 00207 if (rsbac_rc_check_comp(i_attr_val1.rc_role, 00208 i_rc_subtid, 00209 RI_assign_roles, R_NONE)) 00210 return 0; 00211 /* fall through */ 00212 } 00213 /* check admin_roles of role */ 00214 if (rsbac_rc_check_comp(i_attr_val1.rc_role, 00215 i_rc_subtid, RI_admin_roles, R_NONE)) 00216 return 0; 00217 else 00218 return -EPERM; 00219 }
int rsbac_rc_test_role_admin | ( | rsbac_boolean_t | modify | ) |
Definition at line 363 of file rc_main.c.
References A_rc_role, rsbac_rc_item_value_t::admin_type, NULL, rsbac_target_id_t::process, rsbac_attribute_value_t::rc_role, RC_role_admin, RC_system_admin, RI_admin_type, rsbac_rc_target_id_t::role, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_pr_get_error, rsbac_rc_get_item(), rsbac_rc_pr_get_error, RT_ROLE, SW_RC, T_PROCESS, and TRUE.
Referenced by rsbac_adf_request_rc(), rsbac_rc_sys_copy_role(), rsbac_rc_sys_copy_type(), rsbac_rc_sys_get_item(), and rsbac_rc_sys_set_item().
00364 { 00365 int err; 00366 union rsbac_target_id_t i_tid; 00367 union rsbac_attribute_value_t i_attr_val1; 00368 union rsbac_rc_target_id_t i_rc_tid; 00369 union rsbac_rc_item_value_t i_rc_item_val1; 00370 00371 /* get rc_role of process */ 00372 i_tid.process = current->pid; 00373 if ((err = rsbac_get_attr(SW_RC, T_PROCESS, 00374 i_tid, A_rc_role, &i_attr_val1, TRUE))) { 00375 rsbac_pr_get_error(A_rc_role); 00376 return -RSBAC_EREADFAILED; 00377 } 00378 00379 /* get admin_type of role */ 00380 i_rc_tid.role = i_attr_val1.rc_role; 00381 if ((err = rsbac_rc_get_item(0, RT_ROLE, i_rc_tid, i_rc_tid, /* dummy */ 00382 RI_admin_type, 00383 &i_rc_item_val1, NULL))) { 00384 rsbac_rc_pr_get_error(RI_admin_type); 00385 return -RSBAC_EREADFAILED; 00386 } 00387 00388 /* allow, if RC_role_admin or (read_only and RC_system_admin) */ 00389 if ((i_rc_item_val1.admin_type == RC_role_admin) 00390 || (!modify && (i_rc_item_val1.admin_type == RC_system_admin) 00391 ) 00392 ) 00393 return 0; 00394 else 00395 return -EPERM; 00396 }