#include <linux/init.h>
#include <rsbac/types.h>
Go to the source code of this file.
int rsbac_acl_add_group | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_uid_t | owner, | |||
enum rsbac_acl_group_type_t | type, | |||
char * | name, | |||
rsbac_acl_group_id_t * | group_id_p | |||
) |
Definition at line 8819 of file acl_data_structures.c.
References ACLG_NONE, group_handle, group_last_new, rsbac_acl_group_entry_t::id, rsbac_acl_group_entry_t::name, rsbac_acl_group_entry_t::owner, RSBAC_ACL_GROUP_NAMELEN, RSBAC_ECOULDNOTADDITEM, RSBAC_EEXISTS, RSBAC_EINVALIDPOINTER, RSBAC_EINVALIDVALUE, rsbac_ta_list_add_ttl(), rsbac_ta_list_exist(), and rsbac_acl_group_entry_t::type.
Referenced by rsbac_acl_sys_group().
08823 { 08824 struct rsbac_acl_group_entry_t entry; 08825 int err = 0; 08826 08827 if (type >= ACLG_NONE) 08828 return -RSBAC_EINVALIDVALUE; 08829 if (!name || !group_id_p) 08830 return -RSBAC_EINVALIDPOINTER; 08831 if (!name[0]) 08832 return -RSBAC_EINVALIDVALUE; 08833 entry.owner = owner; 08834 entry.type = type; 08835 strncpy(entry.name, name, RSBAC_ACL_GROUP_NAMELEN - 1); 08836 entry.name[RSBAC_ACL_GROUP_NAMELEN - 1] = 0; 08837 if (!*group_id_p) { 08838 /* step new group counter */ 08839 group_last_new++; 08840 /* Just in case the counter has wrapped. It is almost impossible that all IDs are in use. */ 08841 while (!group_last_new 08842 || rsbac_ta_list_exist(ta_number, group_handle, 08843 &group_last_new)) 08844 group_last_new++; 08845 08846 entry.id = group_last_new; 08847 } else { 08848 if (rsbac_ta_list_exist 08849 (ta_number, group_handle, group_id_p)) { 08850 return (-RSBAC_EEXISTS); 08851 } else 08852 entry.id = *group_id_p; 08853 } 08854 if (rsbac_ta_list_add_ttl 08855 (ta_number, group_handle, 0, &entry.id, &entry)) 08856 err = -RSBAC_ECOULDNOTADDITEM; 08857 else { 08858 *group_id_p = entry.id; 08859 } 08860 return (err); 08861 }
int rsbac_acl_add_group_member | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_acl_group_id_t | group, | |||
rsbac_uid_t | user, | |||
rsbac_time_t | ttl | |||
) |
Definition at line 8969 of file acl_data_structures.c.
References gm_handle, group_handle, NULL, RSBAC_EINVALIDVALUE, rsbac_ta_list_exist(), rsbac_ta_list_lol_add_ttl(), rsbac_ta_list_lol_exist(), and rsbac_ta_list_lol_subadd_ttl().
Referenced by rsbac_acl_sys_group().
08972 { 08973 int err = 0; 08974 08975 if (!group) 08976 return -RSBAC_EINVALIDVALUE; 08977 if (!rsbac_ta_list_exist(ta_number, group_handle, &group)) 08978 return -RSBAC_EINVALIDVALUE; 08979 08980 if (!rsbac_ta_list_lol_exist(ta_number, gm_handle, &user)) { 08981 err = 08982 rsbac_ta_list_lol_add_ttl(ta_number, gm_handle, 0, 08983 &user, NULL); 08984 if (err) 08985 return err; 08986 } 08987 return rsbac_ta_list_lol_subadd_ttl(ta_number, gm_handle, ttl, 08988 &user, &group, NULL); 08989 }
int rsbac_acl_add_to_acl_entry | ( | rsbac_list_ta_number_t | ta_number, | |
enum rsbac_target_t | target, | |||
union rsbac_target_id_t | tid, | |||
enum rsbac_acl_subject_type_t | subj_type, | |||
rsbac_acl_subject_id_t | subj_id, | |||
rsbac_acl_rights_vector_t | rights, | |||
rsbac_time_t | ttl | |||
) |
Definition at line 5755 of file acl_data_structures.c.
References acl_lookup_device(), ACLS_NONE, AST_none, D_block, D_block_major, D_char, D_char_major, default_dev_handle, default_fd_handle, default_ipc_handle, default_p_handle, default_scd_handle, default_u_handle, rsbac_target_id_t::dev, device_list_lock, rsbac_target_id_t::group, rsbac_acl_device_list_item_t::handle, I_none, rsbac_target_id_t::ipc, rsbac_target_id_t::netdev, rsbac_target_id_t::netobj, rsbac_target_id_t::nettemp, NULL, rsbac_target_id_t::process, RSBAC_ACL_DEFAULT_DEV_MASK, RSBAC_ACL_DEFAULT_FD_MASK, RSBAC_ACL_DEFAULT_G_MASK, RSBAC_ACL_DEFAULT_NETDEV_MASK, RSBAC_ACL_DEFAULT_NETOBJ_MASK, RSBAC_ACL_DEFAULT_NETTEMP_MASK, RSBAC_ACL_DEFAULT_SCD_MASK, RSBAC_ACL_DEFAULT_U_MASK, RSBAC_EINVALIDDEV, RSBAC_EINVALIDTARGET, RSBAC_EINVALIDVALUE, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), RSBAC_IS_ZERO_DEV_DESC, RSBAC_NO_GROUP, RSBAC_NO_USER, rsbac_printk(), rsbac_ta_list_add_ttl(), rsbac_ta_list_get_data_ttl(), rsbac_ta_list_lol_add_ttl(), rsbac_ta_list_lol_exist(), rsbac_ta_list_lol_get_subdata_ttl(), rsbac_ta_list_lol_subadd_ttl(), rsbac_ta_net_template_exist(), rsbac_target_id_t::scd, rsbac_net_obj_desc_t::sock_p, rsbac_acl_entry_desc_t::subj_id, rsbac_acl_entry_desc_t::subj_type, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NETTEMP_NT, T_PROCESS, T_SCD, T_SYMLINK, T_UNIXSOCK, T_USER, rsbac_ipc_t::type, rsbac_dev_desc_t::type, and rsbac_target_id_t::user.
Referenced by rsbac_acl_check_right(), and rsbac_acl_sys_add_to_acl_entry().
05762 { 05763 int err = 0; 05764 struct rsbac_acl_device_list_item_t *device_p; 05765 rsbac_acl_rights_vector_t old_rights; 05766 struct rsbac_acl_entry_desc_t desc; 05767 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 05768 u_long dflags; 05769 #endif 05770 05771 if (!rsbac_is_initialized()) { 05772 rsbac_printk(KERN_WARNING "rsbac_acl_add_to_acl_entry(): RSBAC not initialized\n"); 05773 return (-RSBAC_ENOTINITIALIZED); 05774 } 05775 if (subj_type >= ACLS_NONE) 05776 return (-RSBAC_EINVALIDVALUE); 05777 #ifdef CONFIG_RSBAC_DEBUG 05778 if (in_interrupt()) { 05779 rsbac_printk(KERN_WARNING "rsbac_acl_add_to_acl_entry(): called from interrupt!\n"); 05780 } 05781 #endif 05782 desc.subj_type = subj_type; 05783 desc.subj_id = subj_id; 05784 05785 switch (target) { 05786 case T_FILE: 05787 case T_DIR: 05788 case T_FIFO: 05789 case T_SYMLINK: 05790 case T_UNIXSOCK: 05791 /* default entry? */ 05792 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode 05793 && !tid.file.dentry_p) { 05794 if (!rsbac_ta_list_get_data_ttl 05795 (ta_number, default_fd_handle, NULL, &desc, 05796 &old_rights)) 05797 rights |= old_rights; 05798 return rsbac_ta_list_add_ttl(ta_number, 05799 default_fd_handle, 05800 ttl, &desc, &rights); 05801 } 05802 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 05803 rcu_read_lock(); 05804 #else 05805 rsbac_read_lock(&device_list_lock, &dflags); 05806 #endif 05807 /* lookup device */ 05808 device_p = acl_lookup_device(tid.file.device); 05809 if (!device_p) { 05810 /* trigger rsbac_mount() */ 05811 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 05812 rcu_read_unlock(); 05813 #else 05814 rsbac_read_unlock(&device_list_lock, &dflags); 05815 #endif 05816 rsbac_get_super_block(tid.file.device); 05817 /* retry */ 05818 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 05819 rcu_read_lock(); 05820 #else 05821 rsbac_read_lock(&device_list_lock, &dflags); 05822 #endif 05823 device_p = acl_lookup_device(tid.file.device); 05824 if (!device_p) { 05825 rsbac_printk(KERN_WARNING "rsbac_acl_set_acl_entry(): Could not lookup device!\n"); 05826 /* free read lock */ 05827 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 05828 rcu_read_unlock(); 05829 #else 05830 rsbac_read_unlock(&device_list_lock, &dflags); 05831 #endif 05832 return (-RSBAC_EINVALIDDEV); 05833 } 05834 } 05835 /* protect this list */ 05836 if (!rsbac_ta_list_lol_exist(ta_number, device_p->handle, &tid.file.inode)) { /* new acl */ 05837 rsbac_acl_rights_vector_t mask = 05838 RSBAC_ACL_DEFAULT_FD_MASK; 05839 05840 err = 05841 rsbac_ta_list_lol_add_ttl(ta_number, 05842 device_p->handle, 0, 05843 &tid.file.inode, 05844 &mask); 05845 if (err) { 05846 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 05847 rcu_read_unlock(); 05848 #else 05849 rsbac_read_unlock(&device_list_lock, &dflags); 05850 #endif 05851 return err; 05852 } 05853 } else { /* old entry? */ 05854 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 05855 device_p->handle, 05856 NULL, 05857 &tid.file. 05858 inode, 05859 &desc, 05860 &old_rights)) 05861 rights |= old_rights; 05862 } 05863 err = rsbac_ta_list_lol_subadd_ttl(ta_number, 05864 device_p->handle, ttl, 05865 &tid.file.inode, &desc, 05866 &rights); 05867 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 05868 rcu_read_unlock(); 05869 #else 05870 rsbac_read_unlock(&device_list_lock, &dflags); 05871 #endif 05872 return err; 05873 05874 case T_DEV: 05875 /* default entry? */ 05876 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev)) { 05877 if (!rsbac_ta_list_get_data_ttl 05878 (ta_number, default_dev_handle, NULL, &desc, 05879 &old_rights)) 05880 rights |= old_rights; 05881 return rsbac_ta_list_add_ttl(ta_number, 05882 default_dev_handle, 05883 ttl, &desc, &rights); 05884 } 05885 switch (tid.dev.type) { 05886 case D_char: 05887 case D_block: 05888 if (!rsbac_ta_list_lol_exist(ta_number, dev_handle, &tid.dev)) { /* new acl */ 05889 rsbac_acl_rights_vector_t mask = 05890 RSBAC_ACL_DEFAULT_DEV_MASK; 05891 05892 err = 05893 rsbac_ta_list_lol_add_ttl(ta_number, 05894 dev_handle, 05895 0, &tid.dev, 05896 &mask); 05897 if (err) 05898 return err; 05899 } else { /* old entry? */ 05900 if (!rsbac_ta_list_lol_get_subdata_ttl 05901 (ta_number, dev_handle, NULL, &tid.dev, 05902 &desc, &old_rights)) 05903 rights |= old_rights; 05904 } 05905 return rsbac_ta_list_lol_subadd_ttl(ta_number, 05906 dev_handle, 05907 ttl, &tid.dev, 05908 &desc, 05909 &rights); 05910 05911 case D_char_major: 05912 case D_block_major: 05913 tid.dev.type -= (D_block_major - D_block); 05914 if (!rsbac_ta_list_lol_exist(ta_number, dev_major_handle, &tid.dev)) { /* new acl */ 05915 rsbac_acl_rights_vector_t mask = 05916 RSBAC_ACL_DEFAULT_DEV_MASK; 05917 05918 err = 05919 rsbac_ta_list_lol_add_ttl(ta_number, 05920 dev_major_handle, 05921 0, &tid.dev, 05922 &mask); 05923 if (err) 05924 return err; 05925 } else { /* old entry? */ 05926 if (!rsbac_ta_list_lol_get_subdata_ttl 05927 (ta_number, dev_major_handle, NULL, 05928 &tid.dev, &desc, &old_rights)) 05929 rights |= old_rights; 05930 } 05931 return rsbac_ta_list_lol_subadd_ttl(ta_number, 05932 dev_major_handle, 05933 ttl, &tid.dev, 05934 &desc, 05935 &rights); 05936 05937 default: 05938 return -RSBAC_EINVALIDTARGET; 05939 } 05940 05941 case T_IPC: 05942 /* default entry? */ 05943 if (tid.ipc.type == I_none) { 05944 if (!rsbac_ta_list_get_data_ttl 05945 (ta_number, default_ipc_handle, NULL, &desc, 05946 &old_rights)) 05947 rights |= old_rights; 05948 return rsbac_ta_list_add_ttl(ta_number, 05949 default_ipc_handle, 05950 ttl, &desc, &rights); 05951 } else 05952 return -RSBAC_EINVALIDTARGET; 05953 05954 case T_SCD: 05955 /* default entry? */ 05956 if (tid.scd == AST_none) { 05957 if (!rsbac_ta_list_get_data_ttl 05958 (ta_number, default_scd_handle, NULL, &desc, 05959 &old_rights)) 05960 rights |= old_rights; 05961 return rsbac_ta_list_add_ttl(ta_number, 05962 default_scd_handle, 05963 ttl, &desc, &rights); 05964 } 05965 if (!rsbac_ta_list_lol_exist(ta_number, scd_handle, &tid.scd)) { /* new acl */ 05966 rsbac_acl_rights_vector_t mask = 05967 RSBAC_ACL_DEFAULT_SCD_MASK; 05968 05969 err = 05970 rsbac_ta_list_lol_add_ttl(ta_number, 05971 scd_handle, 0, 05972 &tid.scd, &mask); 05973 if (err) 05974 return err; 05975 } else { /* old entry? */ 05976 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 05977 scd_handle, 05978 NULL, 05979 &tid.scd, 05980 &desc, 05981 &old_rights)) 05982 rights |= old_rights; 05983 } 05984 return rsbac_ta_list_lol_subadd_ttl(ta_number, 05985 scd_handle, 05986 ttl, 05987 &tid.scd, 05988 &desc, &rights); 05989 05990 case T_USER: 05991 /* default entry? */ 05992 if (tid.user == RSBAC_NO_USER) { 05993 if (!rsbac_ta_list_get_data_ttl 05994 (ta_number, default_u_handle, NULL, &desc, 05995 &old_rights)) 05996 rights |= old_rights; 05997 return rsbac_ta_list_add_ttl(ta_number, 05998 default_u_handle, ttl, 05999 &desc, &rights); 06000 } 06001 if (!rsbac_ta_list_lol_exist(ta_number, u_handle, &tid.user)) { /* new acl */ 06002 rsbac_acl_rights_vector_t mask = 06003 RSBAC_ACL_DEFAULT_U_MASK; 06004 06005 err = 06006 rsbac_ta_list_lol_add_ttl(ta_number, u_handle, 06007 0, &tid.user, &mask); 06008 if (err) 06009 return err; 06010 } else { /* old subentry? */ 06011 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 06012 u_handle, 06013 NULL, 06014 &tid.user, 06015 &desc, 06016 &old_rights)) 06017 rights |= old_rights; 06018 } 06019 return rsbac_ta_list_lol_subadd_ttl(ta_number, 06020 u_handle, 06021 ttl, 06022 &tid.user, 06023 &desc, &rights); 06024 06025 case T_PROCESS: 06026 /* default entry? */ 06027 if (!tid.process) { 06028 if (!rsbac_ta_list_get_data_ttl 06029 (ta_number, default_p_handle, NULL, &desc, 06030 &old_rights)) 06031 rights |= old_rights; 06032 return rsbac_ta_list_add_ttl(ta_number, 06033 default_p_handle, ttl, 06034 &desc, &rights); 06035 } else 06036 return -RSBAC_EINVALIDTARGET; 06037 06038 #ifdef CONFIG_RSBAC_ACL_UM_PROT 06039 case T_GROUP: 06040 /* default entry? */ 06041 if (tid.group == RSBAC_NO_GROUP) { 06042 if (!rsbac_ta_list_get_data_ttl 06043 (ta_number, default_g_handle, NULL, &desc, 06044 &old_rights)) 06045 rights |= old_rights; 06046 return rsbac_ta_list_add_ttl(ta_number, 06047 default_g_handle, ttl, 06048 &desc, &rights); 06049 } 06050 if (!rsbac_ta_list_lol_exist(ta_number, g_handle, &tid.group)) { /* new acl */ 06051 rsbac_acl_rights_vector_t mask = 06052 RSBAC_ACL_DEFAULT_G_MASK; 06053 06054 err = 06055 rsbac_ta_list_lol_add_ttl(ta_number, g_handle, 06056 0, &tid.group, 06057 &mask); 06058 if (err) 06059 return err; 06060 } else { /* old subentry? */ 06061 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 06062 g_handle, 06063 NULL, 06064 &tid.group, 06065 &desc, 06066 &old_rights)) 06067 rights |= old_rights; 06068 } 06069 return rsbac_ta_list_lol_subadd_ttl(ta_number, 06070 g_handle, 06071 ttl, 06072 &tid.group, 06073 &desc, &rights); 06074 #endif 06075 06076 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 06077 case T_NETDEV: 06078 /* default entry? */ 06079 if (!tid.netdev[0]) { 06080 if (!rsbac_ta_list_get_data_ttl 06081 (ta_number, default_netdev_handle, NULL, &desc, 06082 &old_rights)) 06083 rights |= old_rights; 06084 return rsbac_ta_list_add_ttl(ta_number, 06085 default_netdev_handle, 06086 ttl, &desc, &rights); 06087 } 06088 if (!rsbac_ta_list_lol_exist(ta_number, netdev_handle, &tid.netdev)) { /* new acl */ 06089 rsbac_acl_rights_vector_t mask = 06090 RSBAC_ACL_DEFAULT_NETDEV_MASK; 06091 06092 err = 06093 rsbac_ta_list_lol_add_ttl(ta_number, 06094 netdev_handle, 0, 06095 &tid.netdev, &mask); 06096 if (err) 06097 return err; 06098 } else { /* old entry? */ 06099 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 06100 netdev_handle, 06101 NULL, 06102 &tid.netdev, 06103 &desc, 06104 &old_rights)) 06105 rights |= old_rights; 06106 } 06107 return rsbac_ta_list_lol_subadd_ttl(ta_number, 06108 netdev_handle, 06109 ttl, 06110 &tid.netdev, 06111 &desc, &rights); 06112 #endif 06113 06114 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 06115 case T_NETTEMP_NT: 06116 /* default entry? */ 06117 if (!tid.nettemp) { 06118 if (!rsbac_ta_list_get_data_ttl 06119 (ta_number, default_nettemp_nt_handle, NULL, 06120 &desc, &old_rights)) 06121 rights |= old_rights; 06122 return rsbac_ta_list_add_ttl(ta_number, 06123 default_nettemp_nt_handle, 06124 ttl, &desc, &rights); 06125 } 06126 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp)) 06127 return -RSBAC_EINVALIDTARGET; 06128 if (!rsbac_ta_list_lol_exist(ta_number, nettemp_nt_handle, &tid.nettemp)) { /* new acl */ 06129 rsbac_acl_rights_vector_t mask = 06130 RSBAC_ACL_DEFAULT_NETTEMP_MASK; 06131 06132 err = 06133 rsbac_ta_list_lol_add_ttl(ta_number, 06134 nettemp_nt_handle, 0, 06135 &tid.nettemp, &mask); 06136 if (err) 06137 return err; 06138 } else { /* old entry? */ 06139 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 06140 nettemp_nt_handle, 06141 NULL, 06142 &tid. 06143 nettemp, 06144 &desc, 06145 &old_rights)) 06146 rights |= old_rights; 06147 } 06148 return rsbac_ta_list_lol_subadd_ttl(ta_number, 06149 nettemp_nt_handle, 06150 ttl, 06151 &tid.nettemp, 06152 &desc, &rights); 06153 case T_NETTEMP: 06154 /* default entry? */ 06155 if (!tid.nettemp) { 06156 return -RSBAC_EINVALIDTARGET; 06157 } 06158 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp)) 06159 return -RSBAC_EINVALIDTARGET; 06160 if (!rsbac_ta_list_lol_exist(ta_number, nettemp_handle, &tid.nettemp)) { /* new acl */ 06161 rsbac_acl_rights_vector_t mask = 06162 RSBAC_ACL_DEFAULT_NETOBJ_MASK; 06163 06164 err = 06165 rsbac_ta_list_lol_add_ttl(ta_number, 06166 nettemp_handle, 0, 06167 &tid.nettemp, &mask); 06168 if (err) 06169 return err; 06170 } else { /* old entry? */ 06171 if (!rsbac_ta_list_lol_get_subdata_ttl 06172 (ta_number, nettemp_handle, NULL, &tid.nettemp, 06173 &desc, &old_rights)) 06174 rights |= old_rights; 06175 } 06176 return rsbac_ta_list_lol_subadd_ttl(ta_number, 06177 nettemp_handle, ttl, 06178 &tid.nettemp, &desc, 06179 &rights); 06180 case T_NETOBJ: 06181 /* default entry? */ 06182 if (!tid.netobj.sock_p) { 06183 if (!rsbac_ta_list_get_data_ttl 06184 (ta_number, default_netobj_handle, NULL, &desc, 06185 &old_rights)) 06186 rights |= old_rights; 06187 return rsbac_ta_list_add_ttl(ta_number, 06188 default_netobj_handle, 06189 ttl, &desc, &rights); 06190 } 06191 if (!rsbac_ta_list_lol_exist(ta_number, netobj_handle, &tid.netobj.sock_p)) { /* new acl */ 06192 rsbac_acl_rights_vector_t mask = 06193 RSBAC_ACL_DEFAULT_NETOBJ_MASK; 06194 06195 err = 06196 rsbac_ta_list_lol_add_ttl(ta_number, 06197 netobj_handle, 0, 06198 &tid.netobj.sock_p, 06199 &mask); 06200 if (err) 06201 return err; 06202 } else { /* old entry? */ 06203 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 06204 netobj_handle, 06205 NULL, 06206 &tid.netobj. 06207 sock_p, 06208 &desc, 06209 &old_rights)) 06210 rights |= old_rights; 06211 } 06212 return rsbac_ta_list_lol_subadd_ttl(ta_number, 06213 netobj_handle, 06214 ttl, 06215 &tid.netobj.sock_p, 06216 &desc, &rights); 06217 #endif /* NET_OBJ_PROT */ 06218 06219 default: 06220 return -RSBAC_EINVALIDTARGET; 06221 } 06222 }
int rsbac_acl_change_group | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_acl_group_id_t | id, | |||
rsbac_uid_t | owner, | |||
enum rsbac_acl_group_type_t | type, | |||
char * | name | |||
) |
Definition at line 8863 of file acl_data_structures.c.
References group_handle, rsbac_acl_group_entry_t::id, rsbac_acl_group_entry_t::name, rsbac_acl_group_entry_t::owner, RSBAC_ACL_GROUP_NAMELEN, RSBAC_EINVALIDPOINTER, RSBAC_EINVALIDVALUE, RSBAC_ENOTFOUND, rsbac_ta_list_add_ttl(), rsbac_ta_list_exist(), and rsbac_acl_group_entry_t::type.
Referenced by rsbac_acl_sys_group().
08867 { 08868 struct rsbac_acl_group_entry_t entry; 08869 08870 if (!id) 08871 return -RSBAC_EINVALIDVALUE; 08872 if (!rsbac_ta_list_exist(ta_number, group_handle, &id)) 08873 return (-RSBAC_ENOTFOUND); 08874 if (!name) 08875 return -RSBAC_EINVALIDPOINTER; 08876 if (!name[0]) 08877 return -RSBAC_EINVALIDVALUE; 08878 entry.id = id; 08879 entry.owner = owner; 08880 entry.type = type; 08881 strncpy(entry.name, name, RSBAC_ACL_GROUP_NAMELEN); 08882 entry.name[RSBAC_ACL_GROUP_NAMELEN - 1] = 0; 08883 return rsbac_ta_list_add_ttl(ta_number, group_handle, 0, &entry.id, 08884 &entry); 08885 }
int rsbac_acl_copy_fd_acl | ( | struct rsbac_fs_file_t | file1, | |
struct rsbac_fs_file_t | file2 | |||
) |
int rsbac_acl_copy_pp_acl | ( | rsbac_pid_t | old_pid, | |
rsbac_pid_t | new_pid | |||
) |
int rsbac_acl_get_group_entry | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_acl_group_id_t | group, | |||
struct rsbac_acl_group_entry_t * | entry_p | |||
) |
Definition at line 8909 of file acl_data_structures.c.
References group_handle, NULL, RSBAC_EINVALIDPOINTER, RSBAC_EINVALIDVALUE, and rsbac_ta_list_get_data_ttl().
Referenced by rsbac_acl_sys_group(), sys_rsbac_acl(), sys_rsbac_acl_get_rights(), sys_rsbac_acl_get_rights_n(), and sys_rsbac_acl_n().
08912 { 08913 if (!group) 08914 return -RSBAC_EINVALIDVALUE; 08915 if (!entry_p) 08916 return -RSBAC_EINVALIDPOINTER; 08917 return rsbac_ta_list_get_data_ttl(ta_number, group_handle, NULL, 08918 &group, entry_p); 08919 }
int rsbac_acl_get_group_members | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_acl_group_id_t | group, | |||
rsbac_uid_t | user_array[], | |||
rsbac_time_t | ttl_array[], | |||
int | maxnum | |||
) |
Definition at line 9038 of file acl_data_structures.c.
References gm_handle, group_handle, NULL, RSBAC_EINVALIDPOINTER, RSBAC_EINVALIDVALUE, rsbac_ta_list_exist(), rsbac_ta_list_lol_get_all_desc(), rsbac_ta_list_lol_get_subdata_ttl(), and rsbac_vfree.
Referenced by rsbac_acl_sys_group().
09042 { 09043 long desc_count; 09044 long i; 09045 rsbac_uid_t *user_p; 09046 int err = 0; 09047 09048 if (!group || (maxnum <= 0)) 09049 return -RSBAC_EINVALIDVALUE; 09050 if (!rsbac_ta_list_exist(ta_number, group_handle, &group)) 09051 return -RSBAC_EINVALIDVALUE; 09052 if (!user_array) 09053 return -RSBAC_EINVALIDPOINTER; 09054 09055 /* traverse group memberships */ 09056 desc_count = 09057 rsbac_ta_list_lol_get_all_desc(ta_number, gm_handle, 09058 (void **) &user_p); 09059 if (desc_count > 0) { 09060 rsbac_time_t ttl; 09061 09062 for (i = 0; i < desc_count; i++) { 09063 if (!rsbac_ta_list_lol_get_subdata_ttl 09064 (ta_number, gm_handle, &ttl, &user_p[i], 09065 &group, NULL)) { 09066 user_array[err] = user_p[i]; 09067 if (ttl_array) 09068 ttl_array[err] = ttl; 09069 err++; 09070 if (err >= maxnum) 09071 break; 09072 } 09073 } 09074 rsbac_vfree(user_p); 09075 } 09076 return (err); 09077 }
int rsbac_acl_get_mask | ( | rsbac_list_ta_number_t | ta_number, | |
enum rsbac_target_t | target, | |||
union rsbac_target_id_t | tid, | |||
rsbac_acl_rights_vector_t * | mask_p | |||
) |
Definition at line 6841 of file acl_data_structures.c.
References acl_lookup_device(), AST_none, D_block, D_block_major, D_char, D_char_major, D_none, rsbac_target_id_t::dev, device_list_lock, rsbac_target_id_t::group, rsbac_acl_device_list_item_t::handle, rsbac_target_id_t::netdev, rsbac_target_id_t::netobj, rsbac_target_id_t::nettemp, NULL, RSBAC_ACL_DEFAULT_DEV_MASK, RSBAC_ACL_DEFAULT_FD_MASK, RSBAC_ACL_DEFAULT_G_MASK, RSBAC_ACL_DEFAULT_NETDEV_MASK, RSBAC_ACL_DEFAULT_NETOBJ_MASK, RSBAC_ACL_DEFAULT_NETTEMP_MASK, RSBAC_ACL_DEFAULT_SCD_MASK, RSBAC_ACL_DEFAULT_U_MASK, RSBAC_EINVALIDDEV, RSBAC_EINVALIDTARGET, RSBAC_ENOTFOUND, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), RSBAC_NO_GROUP, RSBAC_NO_USER, rsbac_printk(), rsbac_ta_list_lol_get_data_ttl(), rsbac_ta_net_template_exist(), rsbac_target_id_t::scd, rsbac_net_obj_desc_t::sock_p, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NETTEMP_NT, T_NONE, T_SCD, T_SYMLINK, T_UNIXSOCK, T_USER, rsbac_dev_desc_t::type, and rsbac_target_id_t::user.
06845 { 06846 int err = 0; 06847 struct rsbac_acl_device_list_item_t *device_p; 06848 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 06849 u_long dflags; 06850 #endif 06851 06852 if (!rsbac_is_initialized()) { 06853 rsbac_printk(KERN_WARNING "rsbac_acl_get_mask(): RSBAC not initialized\n"); 06854 return (-RSBAC_ENOTINITIALIZED); 06855 } 06856 if (target >= T_NONE) 06857 return (-RSBAC_EINVALIDTARGET); 06858 #ifdef CONFIG_RSBAC_DEBUG 06859 if (in_interrupt()) { 06860 rsbac_printk(KERN_WARNING "rsbac_acl_get_mask(): called from interrupt!\n"); 06861 } 06862 #endif 06863 switch (target) { 06864 case T_FILE: 06865 case T_DIR: 06866 case T_FIFO: 06867 case T_SYMLINK: 06868 case T_UNIXSOCK: 06869 /* default entry? */ 06870 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode 06871 && !tid.file.dentry_p) { 06872 return -RSBAC_EINVALIDTARGET; 06873 } 06874 06875 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 06876 rcu_read_lock(); 06877 #else 06878 rsbac_read_lock(&device_list_lock, &dflags); 06879 #endif 06880 /* lookup device */ 06881 device_p = acl_lookup_device(tid.file.device); 06882 if (!device_p) { 06883 /* trigger rsbac_mount() */ 06884 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 06885 rcu_read_unlock(); 06886 #else 06887 rsbac_read_unlock(&device_list_lock, &dflags); 06888 #endif 06889 rsbac_get_super_block(tid.file.device); 06890 /* retry */ 06891 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 06892 rcu_read_lock(); 06893 #else 06894 rsbac_read_lock(&device_list_lock, &dflags); 06895 #endif 06896 device_p = acl_lookup_device(tid.file.device); 06897 if (!device_p) { 06898 rsbac_printk(KERN_WARNING "rsbac_acl_get_mask(): Could not lookup device!\n"); 06899 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 06900 rcu_read_unlock(); 06901 #else 06902 rsbac_read_unlock(&device_list_lock, &dflags); 06903 #endif 06904 return (-RSBAC_EINVALIDDEV); 06905 } 06906 } 06907 err = rsbac_ta_list_lol_get_data_ttl(ta_number, 06908 device_p->handle, NULL, 06909 &tid.file.inode, 06910 mask_p); 06911 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 06912 rcu_read_unlock(); 06913 #else 06914 rsbac_read_unlock(&device_list_lock, &dflags); 06915 #endif 06916 if (err == -RSBAC_ENOTFOUND) { 06917 *mask_p = RSBAC_ACL_DEFAULT_FD_MASK; 06918 err = 0; 06919 } 06920 /* ready. */ 06921 return err; 06922 06923 case T_DEV: 06924 /* default entry? */ 06925 if (tid.dev.type == D_none) { 06926 return -RSBAC_EINVALIDTARGET; 06927 } 06928 06929 switch (tid.dev.type) { 06930 case D_char: 06931 case D_block: 06932 err = 06933 rsbac_ta_list_lol_get_data_ttl(ta_number, 06934 dev_handle, 06935 NULL, &tid.dev, 06936 mask_p); 06937 break; 06938 06939 case D_char_major: 06940 case D_block_major: 06941 tid.dev.type -= (D_block_major - D_block); 06942 err = 06943 rsbac_ta_list_lol_get_data_ttl(ta_number, 06944 dev_major_handle, 06945 NULL, &tid.dev, 06946 mask_p); 06947 break; 06948 06949 default: 06950 return -RSBAC_EINVALIDTARGET; 06951 } 06952 if (err == -RSBAC_ENOTFOUND) { 06953 *mask_p = RSBAC_ACL_DEFAULT_DEV_MASK; 06954 err = 0; 06955 } 06956 /* ready. */ 06957 return err; 06958 06959 case T_SCD: 06960 /* default entry? */ 06961 if (tid.scd == AST_none) { 06962 return -RSBAC_EINVALIDTARGET; 06963 } 06964 err = 06965 rsbac_ta_list_lol_get_data_ttl(ta_number, scd_handle, 06966 NULL, &tid.scd, mask_p); 06967 if (err == -RSBAC_ENOTFOUND) { 06968 *mask_p = RSBAC_ACL_DEFAULT_SCD_MASK; 06969 err = 0; 06970 } 06971 /* ready. */ 06972 return err; 06973 06974 case T_USER: 06975 /* default entry? */ 06976 if (tid.user == RSBAC_NO_USER) { 06977 return -RSBAC_EINVALIDTARGET; 06978 } 06979 err = 06980 rsbac_ta_list_lol_get_data_ttl(ta_number, u_handle, 06981 NULL, &tid.user, 06982 mask_p); 06983 if (err == -RSBAC_ENOTFOUND) { 06984 *mask_p = RSBAC_ACL_DEFAULT_U_MASK; 06985 err = 0; 06986 } 06987 /* ready. */ 06988 return err; 06989 06990 #ifdef CONFIG_RSBAC_ACL_UM_PROT 06991 case T_GROUP: 06992 /* default entry? */ 06993 if (tid.group == RSBAC_NO_GROUP) { 06994 return -RSBAC_EINVALIDTARGET; 06995 } 06996 err = 06997 rsbac_ta_list_lol_get_data_ttl(ta_number, g_handle, 06998 NULL, &tid.group, 06999 mask_p); 07000 if (err == -RSBAC_ENOTFOUND) { 07001 *mask_p = RSBAC_ACL_DEFAULT_G_MASK; 07002 err = 0; 07003 } 07004 /* ready. */ 07005 return err; 07006 #endif 07007 07008 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 07009 case T_NETDEV: 07010 /* default entry? */ 07011 if (!tid.netdev[0]) { 07012 return -RSBAC_EINVALIDTARGET; 07013 } 07014 07015 err = 07016 rsbac_ta_list_lol_get_data_ttl(ta_number, 07017 netdev_handle, NULL, 07018 &tid.netdev, mask_p); 07019 if (err == -RSBAC_ENOTFOUND) { 07020 *mask_p = RSBAC_ACL_DEFAULT_NETDEV_MASK; 07021 err = 0; 07022 } 07023 /* ready. */ 07024 return err; 07025 #endif 07026 07027 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 07028 case T_NETTEMP_NT: 07029 /* default entry? */ 07030 if (!tid.nettemp) { 07031 return -RSBAC_EINVALIDTARGET; 07032 } 07033 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp)) 07034 return -RSBAC_EINVALIDTARGET; 07035 07036 err = 07037 rsbac_ta_list_lol_get_data_ttl(ta_number, 07038 nettemp_nt_handle, NULL, 07039 &tid.nettemp, mask_p); 07040 if (err == -RSBAC_ENOTFOUND) { 07041 *mask_p = RSBAC_ACL_DEFAULT_NETTEMP_MASK; 07042 err = 0; 07043 } 07044 /* ready. */ 07045 return err; 07046 case T_NETTEMP: 07047 /* default entry? */ 07048 if (!tid.nettemp) { 07049 return -RSBAC_EINVALIDTARGET; 07050 } 07051 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp)) 07052 return -RSBAC_EINVALIDTARGET; 07053 07054 err = 07055 rsbac_ta_list_lol_get_data_ttl(ta_number, 07056 nettemp_handle, NULL, 07057 &tid.nettemp, mask_p); 07058 if (err == -RSBAC_ENOTFOUND) { 07059 *mask_p = RSBAC_ACL_DEFAULT_NETOBJ_MASK; 07060 err = 0; 07061 } 07062 /* ready. */ 07063 return err; 07064 case T_NETOBJ: 07065 /* default entry? */ 07066 if (!tid.netobj.sock_p) { 07067 return -RSBAC_EINVALIDTARGET; 07068 } 07069 07070 err = 07071 rsbac_ta_list_lol_get_data_ttl(ta_number, 07072 netobj_handle, NULL, 07073 &tid.netobj.sock_p, 07074 mask_p); 07075 if (err == -RSBAC_ENOTFOUND) { 07076 *mask_p = RSBAC_ACL_DEFAULT_NETOBJ_MASK; 07077 err = 0; 07078 } 07079 /* ready. */ 07080 return err; 07081 #endif 07082 07083 default: 07084 err = -RSBAC_EINVALIDTARGET; 07085 } 07086 return (err); 07087 }
int rsbac_acl_get_rights | ( | rsbac_list_ta_number_t | ta_number, | |
enum rsbac_target_t | target, | |||
union rsbac_target_id_t | tid, | |||
enum rsbac_acl_subject_type_t | subj_type, | |||
rsbac_acl_subject_id_t | subj_id, | |||
rsbac_acl_rights_vector_t * | rights_p, | |||
rsbac_boolean_t | inherit | |||
) |
Definition at line 7096 of file acl_data_structures.c.
References acl_lookup_device(), ACLS_NONE, AST_none, D_block, D_block_major, D_char_major, default_dev_handle, default_dev_rights, default_fd_handle, default_fd_rights, default_ipc_handle, default_ipc_rights, default_p_handle, default_p_rights, default_scd_handle, default_scd_rights, default_u_handle, default_u_rights, rsbac_target_id_t::dev, device_list_lock, rsbac_target_id_t::group, rsbac_acl_device_list_item_t::handle, KERNEL_VERSION, rsbac_net_obj_desc_t::local_temp, rsbac_target_id_t::netdev, rsbac_target_id_t::netobj, rsbac_target_id_t::nettemp, NULL, RSBAC_ACL_DEFAULT_DEV_MASK, RSBAC_ACL_DEFAULT_FD_MASK, RSBAC_ACL_DEFAULT_G_MASK, RSBAC_ACL_DEFAULT_NETDEV_MASK, RSBAC_ACL_DEFAULT_NETOBJ_MASK, RSBAC_ACL_DEFAULT_NETTEMP_MASK, RSBAC_ACL_DEFAULT_SCD_MASK, RSBAC_ACL_DEFAULT_U_MASK, RSBAC_EINVALIDDEV, RSBAC_EINVALIDPOINTER, RSBAC_EINVALIDTARGET, RSBAC_EINVALIDVALUE, RSBAC_ENOTINITIALIZED, rsbac_get_parent(), rsbac_get_super_block(), rsbac_is_initialized(), RSBAC_IS_ZERO_DEV_DESC, RSBAC_NO_GROUP, RSBAC_NO_USER, rsbac_printk(), rsbac_ta_list_get_data_ttl(), rsbac_ta_list_lol_get_data_ttl(), rsbac_ta_list_lol_get_subdata_ttl(), rsbac_ta_net_lookup_templates(), rsbac_ta_net_template_exist(), rsbac_target_id_t::scd, rsbac_net_obj_desc_t::sock_p, ST_none, rsbac_acl_entry_desc_t::subj_id, rsbac_acl_entry_desc_t::subj_type, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NETTEMP_NT, T_PROCESS, T_SCD, T_SYMLINK, T_UNIXSOCK, T_USER, rsbac_dev_desc_t::type, and rsbac_target_id_t::user.
07103 { 07104 int err = 0; 07105 struct rsbac_acl_device_list_item_t *device_p; 07106 struct rsbac_acl_entry_desc_t desc; 07107 rsbac_acl_rights_vector_t i_rights = 0; 07108 rsbac_acl_rights_vector_t mask = -1; 07109 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 07110 u_long dflags; 07111 #endif 07112 07113 if (!rsbac_is_initialized()) { 07114 rsbac_printk(KERN_WARNING "rsbac_acl_get_rights(): RSBAC not initialized\n"); 07115 return (-RSBAC_ENOTINITIALIZED); 07116 } 07117 if (!rights_p) 07118 return (-RSBAC_EINVALIDPOINTER); 07119 if (subj_type >= ACLS_NONE) 07120 return (-RSBAC_EINVALIDVALUE); 07121 #ifdef CONFIG_RSBAC_DEBUG 07122 if (in_interrupt()) { 07123 rsbac_printk(KERN_WARNING "rsbac_acl_get_rights(): called from interrupt!\n"); 07124 } 07125 #endif 07126 desc.subj_type = subj_type; 07127 desc.subj_id = subj_id; 07128 07129 switch (target) { 07130 case T_FILE: 07131 case T_DIR: 07132 case T_FIFO: 07133 case T_SYMLINK: 07134 case T_UNIXSOCK: 07135 /* default entry? */ 07136 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode 07137 && !tid.file.dentry_p) { 07138 if (rsbac_ta_list_get_data_ttl 07139 (ta_number, default_fd_handle, NULL, &desc, 07140 rights_p)) { 07141 /* last resort: default rights */ 07142 *rights_p = default_fd_rights; 07143 } 07144 return 0; 07145 } 07146 *rights_p = 0; 07147 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 07148 rcu_read_lock(); 07149 #else 07150 rsbac_read_lock(&device_list_lock, &dflags); 07151 #endif 07152 /* use loop for inheritance - used to be recursive calls */ 07153 for (;;) { 07154 /* lookup device */ 07155 device_p = acl_lookup_device(tid.file.device); 07156 if (!device_p) { 07157 /* trigger rsbac_mount() */ 07158 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 07159 rcu_read_unlock(); 07160 #else 07161 rsbac_read_unlock(&device_list_lock, &dflags); 07162 #endif 07163 rsbac_get_super_block(tid.file.device); 07164 /* retry */ 07165 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 07166 rcu_read_lock(); 07167 #else 07168 rsbac_read_lock(&device_list_lock, &dflags); 07169 #endif 07170 device_p = 07171 acl_lookup_device(tid.file.device); 07172 if (!device_p) { 07173 rsbac_printk(KERN_WARNING "rsbac_acl_get_rights(): Could not lookup device %02u:%02u!\n", 07174 RSBAC_MAJOR(tid.file. 07175 device), 07176 RSBAC_MINOR(tid.file. 07177 device)); 07178 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 07179 rcu_read_unlock(); 07180 #else 07181 rsbac_read_unlock(&device_list_lock, &dflags); 07182 #endif 07183 return (-RSBAC_EINVALIDDEV); 07184 } 07185 } 07186 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 07187 device_p->handle, 07188 NULL, 07189 &tid.file. 07190 inode, 07191 &desc, 07192 &i_rights)) 07193 { 07194 *rights_p |= (i_rights & mask); 07195 /* leave loop */ 07196 break; 07197 } else if (inherit) { 07198 enum rsbac_target_t parent_target; 07199 union rsbac_target_id_t parent_tid; 07200 rsbac_acl_rights_vector_t i_mask; 07201 07202 /* get mask to filter through in next round */ 07203 if (rsbac_ta_list_lol_get_data_ttl 07204 (ta_number, device_p->handle, 07205 NULL, &tid.file.inode, &i_mask)) { 07206 /* no mask found, set default */ 07207 i_mask = RSBAC_ACL_DEFAULT_FD_MASK; 07208 } 07209 /* mask into cumulative mask */ 07210 mask &= i_mask; 07211 07212 /* inheritance possible? */ 07213 if (!rsbac_get_parent 07214 (target, tid, &parent_target, 07215 &parent_tid)) { 07216 target = parent_target; 07217 tid = parent_tid; 07218 /* next round */ 07219 continue; 07220 } else { 07221 /* no inheritance possible -> try default_fd_acl */ 07222 if (!rsbac_ta_list_get_data_ttl 07223 (ta_number, default_fd_handle, 07224 NULL, &desc, &i_rights)) { 07225 /* found, use it */ 07226 *rights_p |= 07227 (i_rights & mask); 07228 } else { 07229 /* last resort: default rights */ 07230 *rights_p |= 07231 (default_fd_rights & 07232 mask); 07233 } 07234 } 07235 /* leave loop */ 07236 break; 07237 } else { /* do not inherit */ 07238 07239 /* last resort: default rights */ 07240 *rights_p |= default_fd_rights; 07241 /* leave loop */ 07242 break; 07243 } 07244 } /* end of for(;;) inheritance loop */ 07245 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 07246 rcu_read_unlock(); 07247 #else 07248 rsbac_read_unlock(&device_list_lock, &dflags); 07249 #endif 07250 return err; 07251 07252 case T_DEV: 07253 /* default entry? */ 07254 07255 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev)) { 07256 if (rsbac_ta_list_get_data_ttl 07257 (ta_number, default_dev_handle, NULL, &desc, 07258 rights_p)) { 07259 /* last resort: default rights */ 07260 *rights_p = default_dev_rights; 07261 } 07262 return 0; 07263 } 07264 if ((tid.dev.type >= D_char_major) 07265 || (tid.dev.type == D_block_major) 07266 ) { 07267 tid.dev.type -= (D_block_major - D_block); 07268 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 07269 dev_major_handle, 07270 NULL, 07271 &tid.dev, 07272 &desc, 07273 &i_rights)) 07274 { 07275 *rights_p |= i_rights; 07276 } else { 07277 rsbac_acl_rights_vector_t mask2; 07278 07279 /* get mask to filter through */ 07280 if (rsbac_ta_list_lol_get_data_ttl 07281 (ta_number, dev_major_handle, NULL, 07282 &tid.dev, &mask2)) { 07283 /* no mask found, set default */ 07284 mask2 = RSBAC_ACL_DEFAULT_DEV_MASK; 07285 } 07286 /* try default_dev_acl */ 07287 if (!rsbac_ta_list_get_data_ttl 07288 (ta_number, default_dev_handle, NULL, 07289 &desc, rights_p)) { 07290 *rights_p &= mask2; 07291 } else { 07292 /* last resort: default rights */ 07293 *rights_p = 07294 default_dev_rights & mask2; 07295 } 07296 } 07297 return 0; 07298 } 07299 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 07300 dev_handle, 07301 NULL, 07302 &tid.dev, 07303 &desc, &i_rights)) { 07304 *rights_p |= i_rights; 07305 } else { 07306 rsbac_acl_rights_vector_t mask; 07307 07308 /* get mask to filter through */ 07309 if (rsbac_ta_list_lol_get_data_ttl(ta_number, 07310 dev_handle, 07311 NULL, 07312 &tid.dev, 07313 &mask)) { 07314 /* no mask found, set default */ 07315 mask = RSBAC_ACL_DEFAULT_DEV_MASK; 07316 } 07317 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 07318 dev_major_handle, 07319 NULL, 07320 &tid.dev, 07321 &desc, 07322 &i_rights)) 07323 { 07324 i_rights &= mask; 07325 *rights_p |= i_rights; 07326 } else { 07327 rsbac_acl_rights_vector_t mask2; 07328 07329 /* get mask to filter through */ 07330 if (rsbac_ta_list_lol_get_data_ttl 07331 (ta_number, dev_major_handle, NULL, 07332 &tid.dev, &mask2)) { 07333 /* no mask found, set default */ 07334 mask2 = RSBAC_ACL_DEFAULT_DEV_MASK; 07335 } 07336 /* try default_dev_acl */ 07337 if (!rsbac_ta_list_get_data_ttl 07338 (ta_number, default_dev_handle, NULL, 07339 &desc, rights_p)) { 07340 *rights_p &= mask; 07341 *rights_p &= mask2; 07342 } else { 07343 /* last resort: default rights */ 07344 *rights_p = 07345 default_dev_rights & mask & 07346 mask2; 07347 } 07348 } 07349 } 07350 return 0; 07351 07352 case T_IPC: 07353 07354 /* Use default ACL */ 07355 if (rsbac_ta_list_get_data_ttl 07356 (ta_number, default_ipc_handle, NULL, &desc, 07357 rights_p)) { 07358 /* last resort: default rights */ 07359 *rights_p = default_ipc_rights; 07360 } 07361 return 0; 07362 07363 case T_SCD: 07364 /* default entry? */ 07365 if ((tid.scd == AST_none) 07366 || (tid.scd == ST_none) 07367 ) { 07368 if (rsbac_ta_list_get_data_ttl 07369 (ta_number, default_scd_handle, NULL, &desc, 07370 rights_p)) { 07371 /* last resort: default rights */ 07372 *rights_p = default_scd_rights; 07373 } 07374 return 0; 07375 } 07376 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 07377 scd_handle, 07378 NULL, 07379 &tid.scd, 07380 &desc, &i_rights)) { 07381 *rights_p |= i_rights; 07382 } else { 07383 rsbac_acl_rights_vector_t mask; 07384 07385 /* get mask to filter through */ 07386 if (rsbac_ta_list_lol_get_data_ttl(ta_number, 07387 scd_handle, 07388 NULL, 07389 &tid.scd, 07390 &mask)) { 07391 /* no mask found, set default */ 07392 mask = RSBAC_ACL_DEFAULT_SCD_MASK; 07393 } 07394 /* try default_dev_acl */ 07395 if (!rsbac_ta_list_get_data_ttl 07396 (ta_number, default_scd_handle, NULL, &desc, 07397 rights_p)) { 07398 *rights_p &= mask; 07399 } else { 07400 /* last resort: default rights */ 07401 *rights_p = default_scd_rights & mask; 07402 } 07403 } 07404 return 0; 07405 07406 case T_USER: 07407 /* default entry? */ 07408 if (tid.user == RSBAC_NO_USER) { 07409 if (rsbac_ta_list_get_data_ttl 07410 (ta_number, default_u_handle, NULL, &desc, 07411 rights_p)) { 07412 /* last resort: default rights */ 07413 *rights_p = default_u_rights; 07414 } 07415 return 0; 07416 } 07417 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 07418 u_handle, 07419 NULL, 07420 &tid.user, 07421 &desc, &i_rights)) { 07422 *rights_p |= i_rights; 07423 } else { 07424 rsbac_acl_rights_vector_t mask; 07425 07426 /* get mask to filter through */ 07427 if (rsbac_ta_list_lol_get_data_ttl(ta_number, 07428 u_handle, 07429 NULL, 07430 &tid.user, 07431 &mask)) { 07432 /* no mask found, set default */ 07433 mask = RSBAC_ACL_DEFAULT_U_MASK; 07434 } 07435 /* try default_u_acl */ 07436 if (!rsbac_ta_list_get_data_ttl 07437 (ta_number, default_u_handle, NULL, &desc, 07438 rights_p)) { 07439 *rights_p &= mask; 07440 } else { 07441 /* last resort: default rights */ 07442 *rights_p = default_u_rights & mask; 07443 } 07444 } 07445 return 0; 07446 07447 case T_PROCESS: 07448 07449 /* Use default entry */ 07450 if (rsbac_ta_list_get_data_ttl(ta_number, default_p_handle, 07451 NULL, &desc, rights_p)) { 07452 /* last resort: default rights */ 07453 *rights_p = default_p_rights; 07454 } 07455 return 0; 07456 07457 #ifdef CONFIG_RSBAC_ACL_UM_PROT 07458 case T_GROUP: 07459 /* default entry? */ 07460 if (tid.group == RSBAC_NO_GROUP) { 07461 if (rsbac_ta_list_get_data_ttl 07462 (ta_number, default_g_handle, NULL, &desc, 07463 rights_p)) { 07464 /* last resort: default rights */ 07465 *rights_p = default_g_rights; 07466 } 07467 return 0; 07468 } 07469 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 07470 g_handle, 07471 NULL, 07472 &tid.group, 07473 &desc, &i_rights)) { 07474 *rights_p |= i_rights; 07475 } else { 07476 rsbac_acl_rights_vector_t mask; 07477 07478 /* get mask to filter through */ 07479 if (rsbac_ta_list_lol_get_data_ttl(ta_number, 07480 g_handle, 07481 NULL, 07482 &tid.group, 07483 &mask)) { 07484 /* no mask found, set default */ 07485 mask = RSBAC_ACL_DEFAULT_G_MASK; 07486 } 07487 /* try default_u_acl */ 07488 if (!rsbac_ta_list_get_data_ttl 07489 (ta_number, default_g_handle, NULL, &desc, 07490 rights_p)) { 07491 *rights_p &= mask; 07492 } else { 07493 /* last resort: default rights */ 07494 *rights_p = default_g_rights & mask; 07495 } 07496 } 07497 return 0; 07498 #endif 07499 07500 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 07501 case T_NETDEV: 07502 /* default entry? */ 07503 07504 if (!tid.netdev[0]) { 07505 if (rsbac_ta_list_get_data_ttl 07506 (ta_number, default_netdev_handle, NULL, &desc, 07507 rights_p)) { 07508 /* last resort: default rights */ 07509 *rights_p = default_netdev_rights; 07510 } 07511 return 0; 07512 } 07513 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 07514 netdev_handle, 07515 NULL, 07516 &tid.netdev, 07517 &desc, &i_rights)) { 07518 *rights_p |= i_rights; 07519 } else { 07520 rsbac_acl_rights_vector_t mask; 07521 07522 /* get mask to filter through */ 07523 if (rsbac_ta_list_lol_get_data_ttl(ta_number, 07524 netdev_handle, 07525 NULL, 07526 &tid.netdev, 07527 &mask)) { 07528 /* no mask found, set default */ 07529 mask = RSBAC_ACL_DEFAULT_NETDEV_MASK; 07530 } 07531 /* try default_dev_acl */ 07532 if (!rsbac_ta_list_get_data_ttl 07533 (ta_number, default_netdev_handle, NULL, &desc, 07534 rights_p)) { 07535 *rights_p &= mask; 07536 } else { 07537 /* last resort: default rights */ 07538 *rights_p = default_netdev_rights & mask; 07539 } 07540 } 07541 return 0; 07542 #endif 07543 07544 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 07545 /* rights to template itself */ 07546 case T_NETTEMP_NT: 07547 /* default entry? */ 07548 07549 if (!tid.nettemp) { 07550 if (rsbac_ta_list_get_data_ttl 07551 (ta_number, default_nettemp_nt_handle, NULL, 07552 &desc, rights_p)) { 07553 /* last resort: default rights */ 07554 *rights_p = default_nettemp_nt_rights; 07555 } 07556 return 0; 07557 } 07558 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp)) 07559 return -RSBAC_EINVALIDTARGET; 07560 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 07561 nettemp_nt_handle, 07562 NULL, 07563 &tid.nettemp, 07564 &desc, &i_rights)) { 07565 *rights_p |= i_rights; 07566 } else { 07567 rsbac_acl_rights_vector_t mask; 07568 07569 /* get mask to filter through */ 07570 if (rsbac_ta_list_lol_get_data_ttl(ta_number, 07571 nettemp_nt_handle, 07572 NULL, 07573 &tid.nettemp, 07574 &mask)) { 07575 /* no mask found, set default */ 07576 mask = RSBAC_ACL_DEFAULT_NETTEMP_MASK; 07577 } 07578 /* try default_dev_acl */ 07579 if (!rsbac_ta_list_get_data_ttl 07580 (ta_number, default_nettemp_nt_handle, NULL, 07581 &desc, rights_p)) { 07582 *rights_p &= mask; 07583 } else { 07584 /* last resort: default rights */ 07585 *rights_p = 07586 default_nettemp_nt_rights & mask; 07587 } 07588 } 07589 return 0; 07590 07591 /* rights to netobjs fitting this template */ 07592 case T_NETTEMP: 07593 /* default entry? */ 07594 07595 if (!tid.nettemp) { 07596 if (rsbac_ta_list_get_data_ttl 07597 (ta_number, default_netobj_handle, NULL, &desc, 07598 rights_p)) { 07599 /* last resort: default rights */ 07600 *rights_p = default_netobj_rights; 07601 } 07602 return 0; 07603 } 07604 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp)) 07605 return -RSBAC_EINVALIDTARGET; 07606 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 07607 nettemp_handle, 07608 NULL, 07609 &tid.nettemp, 07610 &desc, &i_rights)) { 07611 *rights_p |= i_rights; 07612 } else { 07613 rsbac_acl_rights_vector_t mask; 07614 07615 /* get mask to filter through */ 07616 if (rsbac_ta_list_lol_get_data_ttl(ta_number, 07617 nettemp_handle, 07618 NULL, 07619 &tid.nettemp, 07620 &mask)) { 07621 /* no mask found, set default */ 07622 mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK; 07623 } 07624 /* try default_dev_acl */ 07625 if (!rsbac_ta_list_get_data_ttl 07626 (ta_number, default_netobj_handle, NULL, &desc, 07627 rights_p)) { 07628 *rights_p &= mask; 07629 } else { 07630 /* last resort: default rights */ 07631 *rights_p = default_netobj_rights & mask; 07632 } 07633 } 07634 return 0; 07635 07636 case T_NETOBJ: 07637 /* default entry? */ 07638 07639 if (!tid.nettemp) { 07640 if (rsbac_ta_list_get_data_ttl 07641 (ta_number, default_netobj_handle, NULL, &desc, 07642 rights_p)) { 07643 /* last resort: default rights */ 07644 *rights_p = default_netobj_rights; 07645 } 07646 return 0; 07647 } 07648 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 07649 netobj_handle, 07650 NULL, 07651 &tid.netobj.sock_p, 07652 &desc, &i_rights)) { 07653 *rights_p |= i_rights; 07654 } else { 07655 rsbac_acl_rights_vector_t mask; 07656 rsbac_net_temp_id_t temp = 0; 07657 07658 /* get mask to filter through */ 07659 if (rsbac_ta_list_lol_get_data_ttl(ta_number, 07660 nettemp_handle, 07661 NULL, 07662 &temp, &mask)) { 07663 /* no mask found, set default */ 07664 mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK; 07665 } 07666 /* try nettemp_acl */ 07667 if(!ta_number && tid.netobj.local_temp) 07668 temp = tid.netobj.local_temp; 07669 else 07670 rsbac_ta_net_lookup_templates(ta_number, 07671 &tid.netobj, 07672 &temp, NULL); 07673 07674 if (temp 07675 && 07676 !rsbac_ta_list_lol_get_subdata_ttl(ta_number, 07677 nettemp_handle, 07678 NULL, &temp, 07679 &desc, 07680 &i_rights)) 07681 { 07682 *rights_p |= i_rights; 07683 } else { 07684 /* get mask to filter through */ 07685 if (temp 07686 && 07687 rsbac_ta_list_lol_get_data_ttl 07688 (ta_number, nettemp_handle, NULL, 07689 &temp, &mask)) { 07690 /* no mask found, set default */ 07691 mask = 07692 RSBAC_ACL_DEFAULT_NETOBJ_MASK; 07693 } 07694 /* try default_netobj_acl */ 07695 if (!rsbac_ta_list_get_data_ttl 07696 (ta_number, default_netobj_handle, 07697 NULL, &desc, rights_p)) { 07698 *rights_p &= mask; 07699 } else { 07700 /* last resort: default rights */ 07701 *rights_p = 07702 default_netobj_rights & mask; 07703 } 07704 } 07705 } 07706 return 0; 07707 #endif /* NET_OBJ_PROT */ 07708 07709 default: 07710 return -RSBAC_EINVALIDTARGET; 07711 } 07712 }
int rsbac_acl_get_single_right | ( | enum rsbac_target_t | target, | |
union rsbac_target_id_t | tid, | |||
enum rsbac_acl_subject_type_t | subj_type, | |||
rsbac_acl_subject_id_t | subj_id, | |||
enum rsbac_adf_request_t | right, | |||
rsbac_boolean_t * | result | |||
) |
Definition at line 7721 of file acl_data_structures.c.
References acl_lookup_device(), ACLR_NONE, ACLR_SUPERVISOR, ACLS_NONE, AST_none, D_block, D_block_major, default_dev_handle, default_dev_rights, default_fd_handle, default_fd_rights, default_ipc_handle, default_ipc_rights, default_p_handle, default_p_rights, default_scd_handle, default_scd_rights, default_u_handle, default_u_rights, rsbac_target_id_t::dev, device_list_lock, FALSE, rsbac_target_id_t::group, rsbac_acl_device_list_item_t::handle, KERNEL_VERSION, rsbac_net_obj_desc_t::local_temp, rsbac_target_id_t::netdev, rsbac_target_id_t::netobj, rsbac_target_id_t::nettemp, NULL, R_CREATE, rsbac_net_obj_desc_t::remote_temp, RSBAC_EINVALIDPOINTER, RSBAC_EINVALIDTARGET, RSBAC_EINVALIDVALUE, RSBAC_ENOTINITIALIZED, rsbac_get_parent(), rsbac_get_super_block(), rsbac_is_initialized(), RSBAC_IS_ZERO_DEV_DESC, rsbac_net_remote_request(), rsbac_net_template_exist(), RSBAC_NO_GROUP, RSBAC_NO_USER, rsbac_printk(), rsbac_ta_list_get_data_ttl(), rsbac_ta_list_lol_get_data_ttl(), rsbac_ta_list_lol_get_subdata_ttl(), rsbac_ta_net_lookup_templates(), rsbac_target_id_t::scd, rsbac_net_obj_desc_t::sock_p, rsbac_acl_entry_desc_t::subj_id, rsbac_acl_entry_desc_t::subj_type, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NETTEMP_NT, T_PROCESS, T_SCD, T_SYMLINK, T_UNIXSOCK, T_USER, TRUE, rsbac_dev_desc_t::type, and rsbac_target_id_t::user.
Referenced by rsbac_acl_check_right(), rsbac_acl_check_super(), and rsbac_acl_sys_get_rights().
07727 { 07728 struct rsbac_acl_device_list_item_t *device_p; 07729 rsbac_acl_rights_vector_t i_rvec; 07730 rsbac_acl_rights_vector_t i_rights; 07731 struct rsbac_acl_entry_desc_t desc; 07732 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 07733 u_long dflags; 07734 #endif 07735 07736 if (!rsbac_is_initialized()) { 07737 rsbac_printk(KERN_WARNING "rsbac_acl_get_single_right(): RSBAC not initialized\n"); 07738 return (-RSBAC_ENOTINITIALIZED); 07739 } 07740 if (!result) 07741 return (-RSBAC_EINVALIDPOINTER); 07742 if ((subj_type >= ACLS_NONE) 07743 || (right >= ACLR_NONE) 07744 ) 07745 return (-RSBAC_EINVALIDVALUE); 07746 #ifdef CONFIG_RSBAC_DEBUG 07747 if (in_interrupt()) { 07748 rsbac_printk(KERN_WARNING "rsbac_acl_get_single_right(): called from interrupt!\n"); 07749 } 07750 #endif 07751 i_rvec = (rsbac_acl_rights_vector_t) 1 << right; 07752 07753 desc.subj_type = subj_type; 07754 desc.subj_id = subj_id; 07755 07756 switch (target) { 07757 case T_FILE: 07758 case T_DIR: 07759 case T_FIFO: 07760 case T_SYMLINK: 07761 case T_UNIXSOCK: 07762 /* default entry? */ 07763 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode 07764 && !tid.file.dentry_p) { 07765 if (!rsbac_ta_list_get_data_ttl 07766 (0, default_fd_handle, NULL, &desc, 07767 &i_rights)) { 07768 if (i_rights & i_rvec) 07769 *result = TRUE; 07770 else 07771 *result = FALSE; 07772 } else { 07773 if (default_fd_rights & i_rvec) 07774 *result = TRUE; 07775 else 07776 *result = FALSE; 07777 } 07778 return 0; 07779 } 07780 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 07781 rcu_read_lock(); 07782 #else 07783 rsbac_read_lock(&device_list_lock, &dflags); 07784 #endif 07785 /* use loop for inheritance - used to be recursive calls */ 07786 for (;;) { 07787 /* lookup device */ 07788 device_p = acl_lookup_device(tid.file.device); 07789 if (!device_p) { 07790 /* trigger rsbac_mount() */ 07791 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 07792 rcu_read_unlock(); 07793 #else 07794 rsbac_read_unlock(&device_list_lock, &dflags); 07795 #endif 07796 rsbac_get_super_block(tid.file.device); 07797 /* retry */ 07798 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 07799 rcu_read_lock(); 07800 #else 07801 rsbac_read_lock(&device_list_lock, &dflags); 07802 #endif 07803 device_p = 07804 acl_lookup_device(tid.file.device); 07805 if (!device_p) { 07806 rsbac_printk(KERN_WARNING "rsbac_acl_get_single_right(): Could not lookup device, blindly granting access!\n"); 07807 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 07808 rcu_read_unlock(); 07809 #else 07810 rsbac_read_unlock(&device_list_lock, &dflags); 07811 #endif 07812 *result = TRUE; 07813 return 0; 07814 } 07815 } 07816 if (!rsbac_ta_list_lol_get_subdata_ttl(0, 07817 device_p->handle, 07818 NULL, 07819 &tid.file. 07820 inode, 07821 &desc, 07822 &i_rights) 07823 ) { 07824 if (i_rights & i_rvec) 07825 *result = TRUE; 07826 else 07827 *result = FALSE; 07828 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 07829 rcu_read_unlock(); 07830 #else 07831 rsbac_read_unlock(&device_list_lock, &dflags); 07832 #endif 07833 return 0; 07834 } 07835 07836 { 07837 enum rsbac_target_t parent_target; 07838 union rsbac_target_id_t parent_tid; 07839 07840 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER 07841 if (right != ACLR_SUPERVISOR) 07842 #endif 07843 { 07844 rsbac_acl_rights_vector_t mask; 07845 07846 /* get mask to filter through */ 07847 if (!rsbac_ta_list_lol_get_data_ttl 07848 (0, device_p->handle, 07849 NULL, &tid.file.inode, &mask) 07850 && !(mask & i_rvec) 07851 ) { 07852 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 07853 rcu_read_unlock(); 07854 #else 07855 rsbac_read_unlock(&device_list_lock, &dflags); 07856 #endif 07857 *result = FALSE; 07858 return 0; 07859 } 07860 } 07861 07862 /* inheritance possible? */ 07863 if (!rsbac_get_parent 07864 (target, tid, &parent_target, 07865 &parent_tid)) { 07866 target = parent_target; 07867 tid = parent_tid; 07868 continue; 07869 } else { 07870 /* no inheritance possible -> try default_fd_acl */ 07871 if (!rsbac_ta_list_get_data_ttl 07872 (0, default_fd_handle, NULL, 07873 &desc, &i_rights) 07874 ) { 07875 if (i_rights & i_rvec) 07876 *result = TRUE; 07877 else 07878 *result = FALSE; 07879 } else { 07880 if (default_fd_rights & 07881 i_rvec) 07882 *result = TRUE; 07883 else 07884 *result = FALSE; 07885 } 07886 /* free access to device_list_head - see above */ 07887 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 07888 rcu_read_unlock(); 07889 #else 07890 rsbac_read_unlock(&device_list_lock, &dflags); 07891 #endif 07892 return 0; 07893 } 07894 } 07895 } /* end of for(;;) for inheritance */ 07896 07897 case T_DEV: 07898 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev)) { 07899 if (!rsbac_ta_list_get_data_ttl 07900 (0, default_dev_handle, NULL, &desc, 07901 &i_rights)) { 07902 if (i_rights & i_rvec) 07903 *result = TRUE; 07904 else 07905 *result = FALSE; 07906 } else { 07907 if (default_dev_rights & i_rvec) 07908 *result = TRUE; 07909 else 07910 *result = FALSE; 07911 } 07912 return 0; 07913 } 07914 07915 if (tid.dev.type >= D_block_major) { 07916 tid.dev.type -= (D_block_major - D_block); 07917 if (!rsbac_ta_list_lol_get_subdata_ttl 07918 (0, dev_major_handle, NULL, &tid.dev, &desc, 07919 &i_rights) 07920 ) { 07921 if (i_rights & i_rvec) 07922 *result = TRUE; 07923 else 07924 *result = FALSE; 07925 return 0; 07926 } 07927 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER 07928 if (right != ACLR_SUPERVISOR) 07929 #endif 07930 { 07931 rsbac_acl_rights_vector_t mask; 07932 07933 /* get mask to filter through */ 07934 if (!rsbac_ta_list_lol_get_data_ttl 07935 (0, dev_major_handle, NULL, &tid.dev, 07936 &mask) 07937 && !(mask & i_rvec) 07938 ) { 07939 *result = FALSE; 07940 return 0; 07941 } 07942 } 07943 /* no inheritance possible -> try default acl */ 07944 if (!rsbac_ta_list_get_data_ttl 07945 (0, default_dev_handle, NULL, &desc, &i_rights) 07946 ) { 07947 if (i_rights & i_rvec) 07948 *result = TRUE; 07949 else 07950 *result = FALSE; 07951 } else { 07952 if (default_dev_rights & i_rvec) 07953 *result = TRUE; 07954 else 07955 *result = FALSE; 07956 } 07957 return 0; 07958 } 07959 if (!rsbac_ta_list_lol_get_subdata_ttl(0, dev_handle, 07960 NULL, 07961 &tid.dev, 07962 &desc, &i_rights) 07963 ) { 07964 if (i_rights & i_rvec) 07965 *result = TRUE; 07966 else 07967 *result = FALSE; 07968 return 0; 07969 } 07970 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER 07971 if (right != ACLR_SUPERVISOR) 07972 #endif 07973 { 07974 rsbac_acl_rights_vector_t mask; 07975 07976 /* get mask to filter through */ 07977 if (!rsbac_ta_list_lol_get_data_ttl(0, dev_handle, 07978 NULL, 07979 &tid.dev, 07980 &mask) 07981 && !(mask & i_rvec) 07982 ) { 07983 *result = FALSE; 07984 return 0; 07985 } 07986 } 07987 if (!rsbac_ta_list_lol_get_subdata_ttl(0, dev_major_handle, 07988 NULL, 07989 &tid.dev, 07990 &desc, &i_rights) 07991 ) { 07992 if (i_rights & i_rvec) 07993 *result = TRUE; 07994 else 07995 *result = FALSE; 07996 return 0; 07997 } 07998 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER 07999 if (right != ACLR_SUPERVISOR) 08000 #endif 08001 { 08002 rsbac_acl_rights_vector_t mask; 08003 08004 /* get mask to filter through */ 08005 if (!rsbac_ta_list_lol_get_data_ttl 08006 (0, dev_major_handle, NULL, &tid.dev, &mask) 08007 && !(mask & i_rvec) 08008 ) { 08009 *result = FALSE; 08010 return 0; 08011 } 08012 } 08013 /* no inheritance possible -> try default acl */ 08014 if (!rsbac_ta_list_get_data_ttl(0, default_dev_handle, 08015 NULL, &desc, &i_rights) 08016 ) { 08017 if (i_rights & i_rvec) 08018 *result = TRUE; 08019 else 08020 *result = FALSE; 08021 } else { 08022 if (default_dev_rights & i_rvec) 08023 *result = TRUE; 08024 else 08025 *result = FALSE; 08026 } 08027 return 0; 08028 08029 case T_IPC: 08030 /* Use default entry */ 08031 if (!rsbac_ta_list_get_data_ttl(0, default_ipc_handle, 08032 NULL, &desc, &i_rights)) { 08033 if (i_rights & i_rvec) 08034 *result = TRUE; 08035 else 08036 *result = FALSE; 08037 } else { 08038 if (default_ipc_rights & i_rvec) 08039 *result = TRUE; 08040 else 08041 *result = FALSE; 08042 } 08043 return 0; 08044 08045 case T_SCD: 08046 if (tid.scd == AST_none) { 08047 if (!rsbac_ta_list_get_data_ttl 08048 (0, default_scd_handle, NULL, &desc, 08049 &i_rights)) { 08050 if (i_rights & i_rvec) 08051 *result = TRUE; 08052 else 08053 *result = FALSE; 08054 } else { 08055 if (default_scd_rights & i_rvec) 08056 *result = TRUE; 08057 else 08058 *result = FALSE; 08059 } 08060 return 0; 08061 } 08062 08063 if (!rsbac_ta_list_lol_get_subdata_ttl(0, scd_handle, 08064 NULL, 08065 &tid.scd, 08066 &desc, &i_rights) 08067 ) { 08068 if (i_rights & i_rvec) 08069 *result = TRUE; 08070 else 08071 *result = FALSE; 08072 return 0; 08073 } 08074 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER 08075 if (right != ACLR_SUPERVISOR) 08076 #endif 08077 { 08078 rsbac_acl_rights_vector_t mask; 08079 08080 /* get mask to filter through */ 08081 if (!rsbac_ta_list_lol_get_data_ttl(0, scd_handle, 08082 NULL, 08083 &tid.scd, 08084 &mask) 08085 && !(mask & i_rvec) 08086 ) { 08087 *result = FALSE; 08088 return 0; 08089 } 08090 } 08091 08092 /* no inheritance possible -> try default acl */ 08093 if (!rsbac_ta_list_get_data_ttl(0, default_scd_handle, 08094 NULL, &desc, &i_rights) 08095 ) { 08096 if (i_rights & i_rvec) 08097 *result = TRUE; 08098 else 08099 *result = FALSE; 08100 } else { 08101 if (default_scd_rights & i_rvec) 08102 *result = TRUE; 08103 else 08104 *result = FALSE; 08105 } 08106 return 0; 08107 08108 case T_USER: 08109 if (tid.user == RSBAC_NO_USER) { 08110 if (!rsbac_ta_list_get_data_ttl 08111 (0, default_u_handle, NULL, &desc, 08112 &i_rights)) { 08113 if (i_rights & i_rvec) 08114 *result = TRUE; 08115 else 08116 *result = FALSE; 08117 } else { 08118 if (default_u_rights & i_rvec) 08119 *result = TRUE; 08120 else 08121 *result = FALSE; 08122 } 08123 return 0; 08124 } 08125 08126 if (!rsbac_ta_list_lol_get_subdata_ttl(0, u_handle, 08127 NULL, 08128 &tid.user, 08129 &desc, &i_rights) 08130 ) { 08131 if (i_rights & i_rvec) 08132 *result = TRUE; 08133 else 08134 *result = FALSE; 08135 return 0; 08136 } 08137 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER 08138 if (right != ACLR_SUPERVISOR) 08139 #endif 08140 { 08141 rsbac_acl_rights_vector_t mask; 08142 08143 /* get mask to filter through */ 08144 if (!rsbac_ta_list_lol_get_data_ttl(0, u_handle, 08145 NULL, 08146 &tid.user, 08147 &mask) 08148 && !(mask & i_rvec) 08149 ) { 08150 *result = FALSE; 08151 return 0; 08152 } 08153 } 08154 08155 /* no inheritance possible -> try default acl */ 08156 if (!rsbac_ta_list_get_data_ttl(0, default_u_handle, 08157 NULL, &desc, &i_rights) 08158 ) { 08159 if (i_rights & i_rvec) 08160 *result = TRUE; 08161 else 08162 *result = FALSE; 08163 } else { 08164 if (default_u_rights & i_rvec) 08165 *result = TRUE; 08166 else 08167 *result = FALSE; 08168 } 08169 return 0; 08170 08171 case T_PROCESS: 08172 /* Use default entry */ 08173 if (!rsbac_ta_list_get_data_ttl(0, default_p_handle, 08174 NULL, &desc, &i_rights)) { 08175 if (i_rights & i_rvec) 08176 *result = TRUE; 08177 else 08178 *result = FALSE; 08179 } else { 08180 if (default_p_rights & i_rvec) 08181 *result = TRUE; 08182 else 08183 *result = FALSE; 08184 } 08185 return 0; 08186 08187 #ifdef CONFIG_RSBAC_ACL_UM_PROT 08188 case T_GROUP: 08189 if (tid.group == RSBAC_NO_GROUP) { 08190 if (!rsbac_ta_list_get_data_ttl 08191 (0, default_g_handle, NULL, &desc, 08192 &i_rights)) { 08193 if (i_rights & i_rvec) 08194 *result = TRUE; 08195 else 08196 *result = FALSE; 08197 } else { 08198 if (default_g_rights & i_rvec) 08199 *result = TRUE; 08200 else 08201 *result = FALSE; 08202 } 08203 return 0; 08204 } 08205 08206 if (!rsbac_ta_list_lol_get_subdata_ttl(0, g_handle, 08207 NULL, 08208 &tid.group, 08209 &desc, &i_rights) 08210 ) { 08211 if (i_rights & i_rvec) 08212 *result = TRUE; 08213 else 08214 *result = FALSE; 08215 return 0; 08216 } 08217 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER 08218 if (right != ACLR_SUPERVISOR) 08219 #endif 08220 { 08221 rsbac_acl_rights_vector_t mask; 08222 08223 /* get mask to filter through */ 08224 if (!rsbac_ta_list_lol_get_data_ttl(0, g_handle, 08225 NULL, 08226 &tid.group, 08227 &mask) 08228 && !(mask & i_rvec) 08229 ) { 08230 *result = FALSE; 08231 return 0; 08232 } 08233 } 08234 08235 /* no inheritance possible -> try default acl */ 08236 if (!rsbac_ta_list_get_data_ttl(0, default_g_handle, 08237 NULL, &desc, &i_rights) 08238 ) { 08239 if (i_rights & i_rvec) 08240 *result = TRUE; 08241 else 08242 *result = FALSE; 08243 } else { 08244 if (default_g_rights & i_rvec) 08245 *result = TRUE; 08246 else 08247 *result = FALSE; 08248 } 08249 return 0; 08250 #endif 08251 08252 #if defined(CONFIG_RSBAC_ACL_NET_DEV_PROT) 08253 case T_NETDEV: 08254 if (!tid.netdev[0]) { 08255 if (!rsbac_ta_list_get_data_ttl 08256 (0, default_netdev_handle, NULL, &desc, 08257 &i_rights)) { 08258 if (i_rights & i_rvec) 08259 *result = TRUE; 08260 else 08261 *result = FALSE; 08262 } else { 08263 if (default_netdev_rights & i_rvec) 08264 *result = TRUE; 08265 else 08266 *result = FALSE; 08267 } 08268 return 0; 08269 } 08270 08271 if (!rsbac_ta_list_lol_get_subdata_ttl(0, netdev_handle, 08272 NULL, 08273 &tid.netdev, 08274 &desc, &i_rights) 08275 ) { 08276 if (i_rights & i_rvec) 08277 *result = TRUE; 08278 else 08279 *result = FALSE; 08280 return 0; 08281 } 08282 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER 08283 if (right != ACLR_SUPERVISOR) 08284 #endif 08285 { 08286 rsbac_acl_rights_vector_t mask; 08287 08288 /* get mask to filter through */ 08289 if (!rsbac_ta_list_lol_get_data_ttl 08290 (0, netdev_handle, NULL, &tid.netdev, &mask) 08291 && !(mask & i_rvec) 08292 ) { 08293 *result = FALSE; 08294 return 0; 08295 } 08296 } 08297 08298 /* no inheritance possible -> try default acl */ 08299 if (!rsbac_ta_list_get_data_ttl(0, default_netdev_handle, 08300 NULL, &desc, &i_rights) 08301 ) { 08302 if (i_rights & i_rvec) 08303 *result = TRUE; 08304 else 08305 *result = FALSE; 08306 } else { 08307 if (default_netdev_rights & i_rvec) 08308 *result = TRUE; 08309 else 08310 *result = FALSE; 08311 } 08312 return 0; 08313 #endif 08314 08315 #if defined(CONFIG_RSBAC_ACL_NET_OBJ_PROT) 08316 case T_NETTEMP_NT: 08317 case T_NETTEMP: 08318 if (!tid.nettemp) { 08319 if (!rsbac_ta_list_get_data_ttl 08320 (0, default_nettemp_nt_handle, NULL, &desc, 08321 &i_rights)) { 08322 if (i_rights & i_rvec) 08323 *result = TRUE; 08324 else 08325 *result = FALSE; 08326 } else { 08327 if (default_nettemp_nt_rights & i_rvec) 08328 *result = TRUE; 08329 else 08330 *result = FALSE; 08331 } 08332 return 0; 08333 } 08334 08335 /* There should be no template, which is to be created, so skip nettemp_nt list */ 08336 if (right != R_CREATE) { 08337 if (!rsbac_net_template_exist(tid.nettemp)) 08338 return FALSE; 08339 if (!rsbac_ta_list_lol_get_subdata_ttl 08340 (0, nettemp_nt_handle, NULL, &tid.nettemp, 08341 &desc, &i_rights) 08342 && (i_rights & i_rvec) 08343 ) { 08344 *result = TRUE; 08345 return 0; 08346 } 08347 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER 08348 if (right != ACLR_SUPERVISOR) 08349 #endif 08350 { 08351 rsbac_acl_rights_vector_t mask; 08352 08353 /* get mask to filter through */ 08354 if (!rsbac_ta_list_lol_get_data_ttl 08355 (0, nettemp_nt_handle, NULL, 08356 &tid.nettemp, &mask) 08357 && !(mask & i_rvec) 08358 ) { 08359 *result = FALSE; 08360 return 0; 08361 } 08362 } 08363 } 08364 08365 /* no inheritance possible -> try default acl */ 08366 if (!rsbac_ta_list_get_data_ttl 08367 (0, default_nettemp_nt_handle, NULL, &desc, &i_rights) 08368 ) { 08369 if (i_rights & i_rvec) 08370 *result = TRUE; 08371 else 08372 *result = FALSE; 08373 } else { 08374 if (default_nettemp_nt_rights & i_rvec) 08375 *result = TRUE; 08376 else 08377 *result = FALSE; 08378 } 08379 return 0; 08380 08381 case T_NETOBJ: 08382 if (!tid.netobj.sock_p) { 08383 if (!rsbac_ta_list_get_data_ttl 08384 (0, default_netobj_handle, NULL, &desc, 08385 &i_rights)) { 08386 if (i_rights & i_rvec) 08387 *result = TRUE; 08388 else 08389 *result = FALSE; 08390 } else { 08391 if (default_netobj_rights & i_rvec) 08392 *result = TRUE; 08393 else 08394 *result = FALSE; 08395 } 08396 return 0; 08397 } 08398 08399 if (!rsbac_ta_list_lol_get_subdata_ttl(0, netobj_handle, 08400 NULL, 08401 &tid.netobj.sock_p, 08402 &desc, &i_rights) 08403 ) { 08404 if (i_rights & i_rvec) 08405 *result = TRUE; 08406 else 08407 *result = FALSE; 08408 return 0; 08409 } 08410 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER 08411 if (right != ACLR_SUPERVISOR) 08412 #endif 08413 { 08414 rsbac_acl_rights_vector_t mask; 08415 08416 /* get mask to filter through */ 08417 if (!rsbac_ta_list_lol_get_data_ttl 08418 (0, netobj_handle, NULL, &tid.netobj.sock_p, 08419 &mask) 08420 && !(mask & i_rvec) 08421 ) { 08422 *result = FALSE; 08423 return 0; 08424 } 08425 } 08426 /* Try net template */ 08427 { 08428 rsbac_net_temp_id_t temp = 0; 08429 08430 if (rsbac_net_remote_request(right)) { 08431 if(tid.netobj.remote_temp) 08432 temp = tid.netobj.remote_temp; 08433 else 08434 rsbac_ta_net_lookup_templates(0, 08435 &tid.netobj, 08436 NULL, &temp); 08437 } else { 08438 if(tid.netobj.local_temp) 08439 temp = tid.netobj.local_temp; 08440 else 08441 rsbac_ta_net_lookup_templates(0, 08442 &tid.netobj, 08443 &temp, NULL); 08444 } 08445 if (temp 08446 && !rsbac_ta_list_lol_get_subdata_ttl(0, 08447 nettemp_handle, 08448 NULL, 08449 &temp, 08450 &desc, 08451 &i_rights) 08452 ) { 08453 if (i_rights & i_rvec) 08454 *result = TRUE; 08455 else 08456 *result = FALSE; 08457 return 0; 08458 } 08459 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER 08460 if (right != ACLR_SUPERVISOR) 08461 #endif 08462 { 08463 rsbac_acl_rights_vector_t mask; 08464 08465 /* get mask from template to filter through */ 08466 if (!rsbac_ta_list_lol_get_data_ttl 08467 (0, nettemp_handle, NULL, &temp, &mask) 08468 && !(mask & i_rvec) 08469 ) { 08470 *result = FALSE; 08471 return 0; 08472 } 08473 } 08474 } 08475 08476 /* no inheritance possible -> try default acl */ 08477 if (!rsbac_ta_list_get_data_ttl(0, default_netobj_handle, 08478 NULL, &desc, &i_rights) 08479 ) { 08480 if (i_rights & i_rvec) 08481 *result = TRUE; 08482 else 08483 *result = FALSE; 08484 } else { 08485 if (default_netobj_rights & i_rvec) 08486 *result = TRUE; 08487 else 08488 *result = FALSE; 08489 } 08490 return 0; 08491 #endif /* NET_OBJ_PROT */ 08492 08493 default: 08494 return -RSBAC_EINVALIDTARGET; 08495 } 08496 }
int rsbac_acl_get_tlist | ( | rsbac_list_ta_number_t | ta_number, | |
enum rsbac_target_t | target, | |||
union rsbac_target_id_t | tid, | |||
struct rsbac_acl_entry_t ** | entry_pp, | |||
rsbac_time_t ** | ttl_pp | |||
) |
Definition at line 8503 of file acl_data_structures.c.
References acl_lookup_device(), AST_none, D_block, D_block_major, D_char, D_char_major, default_dev_handle, default_fd_handle, default_ipc_handle, default_p_handle, default_scd_handle, default_u_handle, rsbac_target_id_t::dev, device_list_lock, rsbac_target_id_t::group, handle, rsbac_target_id_t::netdev, rsbac_target_id_t::netobj, rsbac_target_id_t::nettemp, RSBAC_EINVALIDDEV, RSBAC_EINVALIDPOINTER, RSBAC_EINVALIDTARGET, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), RSBAC_IS_ZERO_DEV_DESC, RSBAC_NO_GROUP, RSBAC_NO_USER, rsbac_printk(), rsbac_ta_list_get_all_items_ttl(), rsbac_ta_list_lol_get_all_subitems_ttl(), rsbac_ta_net_template_exist(), rsbac_target_id_t::scd, rsbac_net_obj_desc_t::sock_p, ST_none, T_DEV, T_DIR, T_FD, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NETTEMP_NT, T_PROCESS, T_SCD, T_SYMLINK, T_UNIXSOCK, T_USER, rsbac_dev_desc_t::type, and rsbac_target_id_t::user.
08508 { 08509 int count = 0; 08510 struct rsbac_acl_device_list_item_t *device_p; 08511 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 08512 u_long dflags; 08513 #endif 08514 08515 if (!rsbac_is_initialized()) { 08516 rsbac_printk(KERN_WARNING "rsbac_acl_get_tlist(): RSBAC not initialized\n"); 08517 return (-RSBAC_ENOTINITIALIZED); 08518 } 08519 if (!entry_pp) 08520 return (-RSBAC_EINVALIDPOINTER); 08521 #ifdef CONFIG_RSBAC_DEBUG 08522 if (in_interrupt()) { 08523 rsbac_printk(KERN_WARNING "rsbac_acl_get_tlist(): called from interrupt!\n"); 08524 } 08525 #endif 08526 switch (target) { 08527 case T_FD: 08528 case T_FILE: 08529 case T_DIR: 08530 case T_FIFO: 08531 case T_SYMLINK: 08532 case T_UNIXSOCK: 08533 /* default entry? */ 08534 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode 08535 && !tid.file.dentry_p) 08536 return rsbac_ta_list_get_all_items_ttl(ta_number, 08537 default_fd_handle, 08538 (void **) 08539 entry_pp, 08540 ttl_pp); 08541 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 08542 rcu_read_lock(); 08543 #else 08544 rsbac_read_lock(&device_list_lock, &dflags); 08545 #endif 08546 /* lookup device */ 08547 device_p = acl_lookup_device(tid.file.device); 08548 if (!device_p) { 08549 /* trigger rsbac_mount() */ 08550 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 08551 rcu_read_unlock(); 08552 #else 08553 rsbac_read_unlock(&device_list_lock, &dflags); 08554 #endif 08555 rsbac_get_super_block(tid.file.device); 08556 /* retry */ 08557 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 08558 rcu_read_lock(); 08559 #else 08560 rsbac_read_lock(&device_list_lock, &dflags); 08561 #endif 08562 device_p = acl_lookup_device(tid.file.device); 08563 if (!device_p) { 08564 rsbac_printk(KERN_WARNING "rsbac_acl_get_tlist(): Could not lookup device!\n"); 08565 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 08566 rcu_read_unlock(); 08567 #else 08568 rsbac_read_unlock(&device_list_lock, &dflags); 08569 #endif 08570 return (-RSBAC_EINVALIDDEV); 08571 } 08572 } 08573 /* protect this list */ 08574 count = rsbac_ta_list_lol_get_all_subitems_ttl(ta_number, 08575 device_p-> 08576 handle, 08577 &tid.file. 08578 inode, 08579 (void **) 08580 entry_pp, 08581 ttl_pp); 08582 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 08583 rcu_read_unlock(); 08584 #else 08585 rsbac_read_unlock(&device_list_lock, &dflags); 08586 #endif 08587 return count; 08588 08589 case T_DEV: 08590 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev)) 08591 return rsbac_ta_list_get_all_items_ttl(ta_number, 08592 default_dev_handle, 08593 (void **) 08594 entry_pp, 08595 ttl_pp); 08596 else 08597 switch (tid.dev.type) { 08598 case D_char: 08599 case D_block: 08600 return 08601 rsbac_ta_list_lol_get_all_subitems_ttl 08602 (ta_number, dev_handle, &tid.dev, 08603 (void **) entry_pp, ttl_pp); 08604 08605 case D_char_major: 08606 case D_block_major: 08607 tid.dev.type -= (D_block_major - D_block); 08608 return 08609 rsbac_ta_list_lol_get_all_subitems_ttl 08610 (ta_number, dev_major_handle, &tid.dev, 08611 (void **) entry_pp, ttl_pp); 08612 08613 default: 08614 return -RSBAC_EINVALIDTARGET; 08615 } 08616 08617 case T_IPC: 08618 /* default entry */ 08619 return rsbac_ta_list_get_all_items_ttl(ta_number, 08620 default_ipc_handle, 08621 (void **) entry_pp, 08622 ttl_pp); 08623 08624 case T_SCD: 08625 if ((tid.scd == AST_none) 08626 || (tid.scd == ST_none) 08627 ) 08628 return rsbac_ta_list_get_all_items_ttl(ta_number, 08629 default_scd_handle, 08630 (void **) 08631 entry_pp, 08632 ttl_pp); 08633 else 08634 return 08635 rsbac_ta_list_lol_get_all_subitems_ttl 08636 (ta_number, scd_handle, &tid.scd, 08637 (void **) entry_pp, ttl_pp); 08638 08639 case T_USER: 08640 if (tid.user == RSBAC_NO_USER) 08641 return rsbac_ta_list_get_all_items_ttl(ta_number, 08642 default_u_handle, 08643 (void **) 08644 entry_pp, 08645 ttl_pp); 08646 else 08647 return 08648 rsbac_ta_list_lol_get_all_subitems_ttl 08649 (ta_number, u_handle, &tid.user, 08650 (void **) entry_pp, ttl_pp); 08651 08652 case T_PROCESS: 08653 return rsbac_ta_list_get_all_items_ttl(ta_number, 08654 default_p_handle, 08655 (void **) entry_pp, 08656 ttl_pp); 08657 08658 #ifdef CONFIG_RSBAC_ACL_UM_PROT 08659 case T_GROUP: 08660 if (tid.group == RSBAC_NO_GROUP) 08661 return rsbac_ta_list_get_all_items_ttl(ta_number, 08662 default_g_handle, 08663 (void **) 08664 entry_pp, 08665 ttl_pp); 08666 else 08667 return 08668 rsbac_ta_list_lol_get_all_subitems_ttl 08669 (ta_number, g_handle, &tid.group, 08670 (void **) entry_pp, ttl_pp); 08671 #endif 08672 08673 #if defined(CONFIG_RSBAC_ACL_NET_DEV_PROT) 08674 case T_NETDEV: 08675 if (!tid.netdev[0]) 08676 return rsbac_ta_list_get_all_items_ttl(ta_number, 08677 default_netdev_handle, 08678 (void **) 08679 entry_pp, 08680 ttl_pp); 08681 else 08682 return 08683 rsbac_ta_list_lol_get_all_subitems_ttl 08684 (ta_number, netdev_handle, &tid.netdev, 08685 (void **) entry_pp, ttl_pp); 08686 #endif 08687 08688 #if defined(CONFIG_RSBAC_ACL_NET_OBJ_PROT) 08689 case T_NETTEMP_NT: 08690 if (!tid.nettemp) 08691 return rsbac_ta_list_get_all_items_ttl(ta_number, 08692 default_nettemp_nt_handle, 08693 (void **) 08694 entry_pp, 08695 ttl_pp); 08696 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp)) 08697 return -RSBAC_EINVALIDTARGET; 08698 return rsbac_ta_list_lol_get_all_subitems_ttl(ta_number, 08699 nettemp_nt_handle, 08700 &tid.nettemp, 08701 (void **) 08702 entry_pp, 08703 ttl_pp); 08704 08705 case T_NETTEMP: 08706 if (!tid.nettemp) 08707 return -RSBAC_EINVALIDTARGET; 08708 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp)) 08709 return -RSBAC_EINVALIDTARGET; 08710 return rsbac_ta_list_lol_get_all_subitems_ttl(ta_number, 08711 nettemp_handle, 08712 &tid.nettemp, 08713 (void **) 08714 entry_pp, 08715 ttl_pp); 08716 08717 case T_NETOBJ: 08718 if (!tid.nettemp) 08719 return rsbac_ta_list_get_all_items_ttl(ta_number, 08720 default_netobj_handle, 08721 (void **) 08722 entry_pp, 08723 ttl_pp); 08724 else 08725 return 08726 rsbac_ta_list_lol_get_all_subitems_ttl 08727 (ta_number, netobj_handle, &tid.netobj.sock_p, 08728 (void **) entry_pp, ttl_pp); 08729 #endif /* NET_OBJ_PROT */ 08730 08731 default: 08732 return -RSBAC_EINVALIDTARGET; 08733 } 08734 }
int rsbac_acl_get_user_groups | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_uid_t | user, | |||
rsbac_acl_group_id_t ** | group_pp, | |||
rsbac_time_t ** | ttl_pp | |||
) |
Definition at line 9025 of file acl_data_structures.c.
References gm_handle, and rsbac_ta_list_lol_get_all_subdesc_ttl().
Referenced by rsbac_acl_check_right(), rsbac_acl_check_super(), rsbac_acl_sys_get_rights(), and rsbac_acl_sys_group().
09029 { 09030 return rsbac_ta_list_lol_get_all_subdesc_ttl(ta_number, 09031 gm_handle, 09032 &user, 09033 (void **) group_pp, 09034 ttl_pp); 09035 }
rsbac_boolean_t rsbac_acl_group_exist | ( | rsbac_acl_group_id_t | group | ) |
Definition at line 8962 of file acl_data_structures.c.
References group_handle, rsbac_ta_list_exist(), and TRUE.
08963 { 08964 if (!group) 08965 return TRUE; 08966 return rsbac_ta_list_exist(0, group_handle, &group); 08967 }
rsbac_boolean_t rsbac_acl_group_member | ( | rsbac_acl_group_id_t | group, | |
rsbac_uid_t | user | |||
) |
Definition at line 9016 of file acl_data_structures.c.
References gm_handle, and rsbac_ta_list_lol_subexist().
09018 { 09019 return rsbac_ta_list_lol_subexist(0, gm_handle, &user, &group); 09020 }
int rsbac_acl_list_all_dev | ( | rsbac_list_ta_number_t | ta_number, | |
struct rsbac_dev_desc_t ** | id_pp | |||
) |
Definition at line 9079 of file acl_data_structures.c.
References rsbac_ta_list_lol_count(), and rsbac_ta_list_lol_get_all_desc().
09081 { 09082 if (id_pp) 09083 return rsbac_ta_list_lol_get_all_desc(ta_number, 09084 dev_handle, 09085 (void **) id_pp); 09086 else 09087 return rsbac_ta_list_lol_count(ta_number, dev_handle); 09088 }
int rsbac_acl_list_all_group | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_gid_t ** | id_pp | |||
) |
Referenced by sys_rsbac_acl_list_all_group().
int rsbac_acl_list_all_ipc | ( | rsbac_list_ta_number_t | ta_number, | |
struct rsbac_ipc_t ** | id_pp | |||
) |
int rsbac_acl_list_all_major_dev | ( | rsbac_list_ta_number_t | ta_number, | |
struct rsbac_dev_desc_t ** | id_pp | |||
) |
Definition at line 9090 of file acl_data_structures.c.
References D_block, D_block_major, rsbac_ta_list_lol_count(), and rsbac_ta_list_lol_get_all_desc().
Referenced by sys_rsbac_acl_list_all_dev().
09092 { 09093 if (id_pp) { 09094 int count; 09095 09096 count = 09097 rsbac_ta_list_lol_get_all_desc(ta_number, 09098 dev_major_handle, 09099 (void **) id_pp); 09100 if (count > 0) { 09101 u_int i; 09102 struct rsbac_dev_desc_t *tmp_p; 09103 09104 tmp_p = *id_pp; 09105 for (i = 0; i < count; i++) 09106 tmp_p[i].type += (D_block_major - D_block); 09107 } 09108 return count; 09109 } else 09110 return rsbac_ta_list_lol_count(ta_number, 09111 dev_major_handle); 09112 }
int rsbac_acl_list_all_user | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_uid_t ** | id_pp | |||
) |
Definition at line 9114 of file acl_data_structures.c.
References rsbac_ta_list_lol_count(), and rsbac_ta_list_lol_get_all_desc().
09116 { 09117 if (id_pp) 09118 return rsbac_ta_list_lol_get_all_desc(ta_number, u_handle, 09119 (void **) id_pp); 09120 else 09121 return rsbac_ta_list_lol_count(ta_number, u_handle); 09122 }
int rsbac_acl_list_groups | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_uid_t | owner, | |||
rsbac_boolean_t | include_global, | |||
struct rsbac_acl_group_entry_t ** | entry_pp | |||
) |
Definition at line 8921 of file acl_data_structures.c.
References ACLG_GLOBAL, group_handle, RSBAC_EINVALIDPOINTER, RSBAC_ENOMEM, rsbac_ta_list_get_all_data(), rsbac_vfree, and rsbac_vmalloc.
Referenced by rsbac_acl_sys_group().
08925 { 08926 long count; 08927 struct rsbac_acl_group_entry_t *local_entry_p; 08928 08929 if (!entry_pp) 08930 return -RSBAC_EINVALIDPOINTER; 08931 count = 08932 rsbac_ta_list_get_all_data(ta_number, group_handle, 08933 (void **) &local_entry_p); 08934 if (count > 0) { 08935 long i; 08936 long rescount = 0; 08937 08938 *entry_pp = rsbac_vmalloc(count * sizeof(**entry_pp)); 08939 if (!*entry_pp) { 08940 rsbac_vfree(local_entry_p); 08941 return -RSBAC_ENOMEM; 08942 } 08943 for (i = 0; i < count; i++) { 08944 if ((local_entry_p[i].owner == owner) 08945 || (include_global 08946 && (local_entry_p[i].type == ACLG_GLOBAL) 08947 ) 08948 ) { 08949 memcpy(&(*entry_pp)[rescount], 08950 &local_entry_p[i], 08951 sizeof(local_entry_p[i])); 08952 rescount++; 08953 } 08954 } 08955 rsbac_vfree(local_entry_p); 08956 count = rescount; 08957 } 08958 return count; 08959 }
int rsbac_acl_remove_acl | ( | rsbac_list_ta_number_t | ta_number, | |
enum rsbac_target_t | target, | |||
union rsbac_target_id_t | tid | |||
) |
Definition at line 5561 of file acl_data_structures.c.
References acl_lookup_device(), AST_none, D_block, D_block_major, D_char, D_char_major, rsbac_target_id_t::dev, device_list_lock, get_acl_scd_type_name(), rsbac_target_id_t::group, rsbac_acl_device_list_item_t::handle, rsbac_dev_desc_t::major, rsbac_dev_desc_t::minor, rsbac_target_id_t::netdev, rsbac_target_id_t::netobj, rsbac_target_id_t::nettemp, RSBAC_EINVALIDDEV, RSBAC_EINVALIDTARGET, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), RSBAC_IS_ZERO_DEV_DESC, RSBAC_MAXNAMELEN, RSBAC_NO_GROUP, RSBAC_NO_USER, rsbac_pr_debug, rsbac_printk(), rsbac_ta_list_lol_remove(), rsbac_target_id_t::scd, rsbac_net_obj_desc_t::sock_p, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NETTEMP_NT, T_SCD, T_SYMLINK, T_UNIXSOCK, T_USER, rsbac_dev_desc_t::type, and rsbac_target_id_t::user.
Referenced by rsbac_acl_sys_remove_acl(), and rsbac_ta_remove_target().
05564 { 05565 int err = 0; 05566 char tmp[RSBAC_MAXNAMELEN]; 05567 struct rsbac_acl_device_list_item_t *device_p; 05568 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 05569 u_long dflags; 05570 #endif 05571 05572 if (!rsbac_is_initialized()) { 05573 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl(): RSBAC not initialized\n"); 05574 return (-RSBAC_ENOTINITIALIZED); 05575 } 05576 #ifdef CONFIG_RSBAC_DEBUG 05577 if (in_interrupt()) { 05578 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl(): called from interrupt!\n"); 05579 } 05580 #endif 05581 switch (target) { 05582 case T_FILE: 05583 case T_DIR: 05584 case T_FIFO: 05585 case T_SYMLINK: 05586 case T_UNIXSOCK: 05587 rsbac_pr_debug(ds_acl, "Removing file/dir/fifo/symlink ACL for device %02u:%02u, inode %u\n", 05588 RSBAC_MAJOR(tid.file.device), 05589 RSBAC_MINOR(tid.file.device), tid.file.inode); 05590 /* default entry? */ 05591 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode 05592 && !tid.file.dentry_p) 05593 return -RSBAC_EINVALIDTARGET; 05594 05595 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 05596 rcu_read_lock(); 05597 #else 05598 rsbac_read_lock(&device_list_lock, &dflags); 05599 #endif 05600 /* lookup device */ 05601 device_p = acl_lookup_device(tid.file.device); 05602 if (!device_p) { 05603 /* trigger rsbac_mount() */ 05604 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 05605 rcu_read_unlock(); 05606 #else 05607 rsbac_read_unlock(&device_list_lock, &dflags); 05608 #endif 05609 rsbac_get_super_block(tid.file.device); 05610 /* retry */ 05611 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 05612 rcu_read_lock(); 05613 #else 05614 rsbac_read_lock(&device_list_lock, &dflags); 05615 #endif 05616 device_p = acl_lookup_device(tid.file.device); 05617 if (!device_p) { 05618 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl(): Could not lookup device!\n"); 05619 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 05620 rcu_read_unlock(); 05621 #else 05622 rsbac_read_unlock(&device_list_lock, &dflags); 05623 #endif 05624 return -RSBAC_EINVALIDDEV; 05625 } 05626 } 05627 err = rsbac_ta_list_lol_remove(ta_number, 05628 device_p->handle, 05629 &tid.file.inode); 05630 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 05631 rcu_read_unlock(); 05632 #else 05633 rsbac_read_unlock(&device_list_lock, &dflags); 05634 #endif 05635 return err; 05636 05637 case T_DEV: 05638 rsbac_pr_debug(ds_acl, "Removing device ACL for dev %c %02u:%02u\n", 05639 'B' + tid.dev.type, tid.dev.major, 05640 tid.dev.minor); 05641 /* default entry? */ 05642 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev)) 05643 return -RSBAC_EINVALIDTARGET; 05644 switch (tid.dev.type) { 05645 case D_char: 05646 case D_block: 05647 return rsbac_ta_list_lol_remove(ta_number, 05648 dev_handle, 05649 &tid.dev); 05650 05651 case D_char_major: 05652 case D_block_major: 05653 tid.dev.type -= (D_block_major - D_block); 05654 return rsbac_ta_list_lol_remove(ta_number, 05655 dev_major_handle, 05656 &tid.dev); 05657 05658 default: 05659 return -RSBAC_EINVALIDTARGET; 05660 } 05661 05662 case T_SCD: 05663 rsbac_pr_debug(ds_acl, "Removing SCD ACL for %s\n", 05664 get_acl_scd_type_name(tmp, tid.scd)); 05665 /* default entry? */ 05666 if (tid.scd == AST_none) 05667 return -RSBAC_EINVALIDTARGET; 05668 else 05669 return rsbac_ta_list_lol_remove(ta_number, 05670 scd_handle, 05671 &tid.scd); 05672 05673 case T_USER: 05674 rsbac_pr_debug(ds_acl, "Removing user ACL for user %u\n", 05675 tid.user); 05676 /* default entry? */ 05677 if (tid.user == RSBAC_NO_USER) 05678 return -RSBAC_EINVALIDTARGET; 05679 else 05680 return rsbac_ta_list_lol_remove(ta_number, 05681 u_handle, 05682 &tid.user); 05683 05684 #ifdef CONFIG_RSBAC_ACL_UM_PROT 05685 case T_GROUP: 05686 rsbac_pr_debug(ds_acl, "Removing Linux group ACL for group %u\n", 05687 tid.group); 05688 /* default entry? */ 05689 if (tid.group == RSBAC_NO_GROUP) 05690 return -RSBAC_EINVALIDTARGET; 05691 else 05692 return rsbac_ta_list_lol_remove(ta_number, 05693 g_handle, 05694 &tid.group); 05695 #endif 05696 05697 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 05698 case T_NETDEV: 05699 rsbac_pr_debug(ds_acl, "Removing network device ACL for netdev %s\n", 05700 tid.netdev); 05701 /* default entry? */ 05702 if (!tid.netdev[0]) 05703 return -RSBAC_EINVALIDTARGET; 05704 else 05705 return rsbac_ta_list_lol_remove(ta_number, 05706 netdev_handle, 05707 &tid.netdev); 05708 #endif 05709 05710 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 05711 case T_NETTEMP_NT: 05712 rsbac_pr_debug(ds_acl, "Removing network template NT ACL for nettemp_nt %u\n", 05713 tid.nettemp); 05714 /* default entry? */ 05715 if (!tid.nettemp) 05716 return -RSBAC_EINVALIDTARGET; 05717 else 05718 return rsbac_ta_list_lol_remove(ta_number, 05719 nettemp_nt_handle, 05720 &tid.nettemp); 05721 case T_NETTEMP: 05722 rsbac_pr_debug(ds_acl, "Removing network template ACL for nettemp %u\n", 05723 tid.nettemp); 05724 /* default entry? */ 05725 if (!tid.nettemp) 05726 return -RSBAC_EINVALIDTARGET; 05727 else 05728 return rsbac_ta_list_lol_remove(ta_number, 05729 nettemp_handle, 05730 &tid.nettemp); 05731 case T_NETOBJ: 05732 rsbac_pr_debug(ds_acl, "Removing network object ACL for netobj %p\n", 05733 tid.netobj.sock_p); 05734 /* default entry? */ 05735 if (!tid.netobj.sock_p) 05736 return -RSBAC_EINVALIDTARGET; 05737 else 05738 return rsbac_ta_list_lol_remove(ta_number, 05739 netobj_handle, 05740 &tid.netobj. 05741 sock_p); 05742 #endif 05743 05744 default: 05745 err = -RSBAC_EINVALIDTARGET; 05746 } 05747 return (err); 05748 }
int rsbac_acl_remove_acl_entry | ( | rsbac_list_ta_number_t | ta_number, | |
enum rsbac_target_t | target, | |||
union rsbac_target_id_t | tid, | |||
enum rsbac_acl_subject_type_t | subj_type, | |||
rsbac_acl_subject_id_t | subj_id | |||
) |
Definition at line 5151 of file acl_data_structures.c.
References acl_lookup_device(), ACLS_NONE, AST_none, D_block, D_block_major, D_char, D_char_major, default_dev_handle, default_fd_handle, default_ipc_handle, default_p_handle, default_scd_handle, default_u_handle, rsbac_target_id_t::dev, device_list_lock, get_acl_scd_type_name(), get_acl_subject_type_name(), rsbac_target_id_t::group, rsbac_acl_device_list_item_t::handle, I_none, rsbac_target_id_t::ipc, rsbac_dev_desc_t::major, rsbac_dev_desc_t::minor, rsbac_target_id_t::netdev, rsbac_target_id_t::netobj, rsbac_target_id_t::nettemp, NULL, rsbac_target_id_t::process, RSBAC_ACL_DEFAULT_DEV_MASK, RSBAC_ACL_DEFAULT_FD_MASK, RSBAC_ACL_DEFAULT_G_MASK, RSBAC_ACL_DEFAULT_NETDEV_MASK, RSBAC_ACL_DEFAULT_NETOBJ_MASK, RSBAC_ACL_DEFAULT_NETTEMP_MASK, RSBAC_ACL_DEFAULT_SCD_MASK, RSBAC_ACL_DEFAULT_U_MASK, RSBAC_EINVALIDDEV, RSBAC_EINVALIDTARGET, RSBAC_EINVALIDVALUE, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), RSBAC_IS_ZERO_DEV_DESC, RSBAC_MAXNAMELEN, RSBAC_NO_GROUP, RSBAC_NO_USER, rsbac_pr_debug, rsbac_printk(), rsbac_ta_list_lol_get_data_ttl(), rsbac_ta_list_lol_remove(), rsbac_ta_list_lol_subcount(), rsbac_ta_list_lol_subremove(), rsbac_ta_list_remove(), rsbac_ta_net_template_exist(), rsbac_target_id_t::scd, rsbac_net_obj_desc_t::sock_p, rsbac_acl_entry_desc_t::subj_id, rsbac_acl_entry_desc_t::subj_type, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NETTEMP_NT, T_PROCESS, T_SCD, T_SYMLINK, T_UNIXSOCK, T_USER, rsbac_ipc_t::type, rsbac_dev_desc_t::type, and rsbac_target_id_t::user.
Referenced by rsbac_acl_sys_remove_acl_entry().
05156 { 05157 int err = 0; 05158 struct rsbac_acl_device_list_item_t *device_p; 05159 struct rsbac_acl_entry_desc_t desc; 05160 char tmp[RSBAC_MAXNAMELEN]; 05161 rsbac_acl_rights_vector_t mask; 05162 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 05163 u_long dflags; 05164 #endif 05165 05166 if (!rsbac_is_initialized()) { 05167 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl_entry(): RSBAC not initialized\n"); 05168 return (-RSBAC_ENOTINITIALIZED); 05169 } 05170 if (subj_type >= ACLS_NONE) 05171 return (-RSBAC_EINVALIDVALUE); 05172 #ifdef CONFIG_RSBAC_DEBUG 05173 if (in_interrupt()) { 05174 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl_entry(): called from interrupt!\n"); 05175 } 05176 #endif 05177 desc.subj_type = subj_type; 05178 desc.subj_id = subj_id; 05179 05180 switch (target) { 05181 case T_FILE: 05182 case T_DIR: 05183 case T_FIFO: 05184 case T_SYMLINK: 05185 case T_UNIXSOCK: 05186 rsbac_pr_debug(ds_acl, "Removing file/dir/fifo/symlink ACL entry %s %u for device %02u:%02u, inode %u\n", 05187 get_acl_subject_type_name(tmp, desc.subj_type), 05188 desc.subj_id, 05189 RSBAC_MAJOR(tid.file.device), 05190 RSBAC_MINOR(tid.file.device), tid.file.inode); 05191 /* default entry? */ 05192 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode 05193 && !tid.file.dentry_p) 05194 return rsbac_ta_list_remove(ta_number, 05195 default_fd_handle, 05196 &desc); 05197 05198 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 05199 rcu_read_lock(); 05200 #else 05201 rsbac_read_lock(&device_list_lock, &dflags); 05202 #endif 05203 /* lookup device */ 05204 device_p = acl_lookup_device(tid.file.device); 05205 if (!device_p) { 05206 /* trigger rsbac_mount() */ 05207 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 05208 rcu_read_unlock(); 05209 #else 05210 rsbac_read_unlock(&device_list_lock, &dflags); 05211 #endif 05212 rsbac_get_super_block(tid.file.device); 05213 /* retry */ 05214 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 05215 rcu_read_lock(); 05216 #else 05217 rsbac_read_lock(&device_list_lock, &dflags); 05218 #endif 05219 device_p = acl_lookup_device(tid.file.device); 05220 if (!device_p) { 05221 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl_entry(): Could not lookup device!\n"); 05222 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 05223 rcu_read_unlock(); 05224 #else 05225 rsbac_read_unlock(&device_list_lock, &dflags); 05226 #endif 05227 return (-RSBAC_EINVALIDDEV); 05228 } 05229 } 05230 err = rsbac_ta_list_lol_subremove(ta_number, 05231 device_p->handle, 05232 &tid.file.inode, &desc); 05233 /* if ACL is empty, remove it */ 05234 if (!err 05235 && !rsbac_ta_list_lol_subcount(ta_number, 05236 device_p->handle, 05237 &tid.file.inode) 05238 && !rsbac_ta_list_lol_get_data_ttl(ta_number, 05239 device_p->handle, 05240 NULL, 05241 &tid.file.inode, 05242 &mask) 05243 && (mask == RSBAC_ACL_DEFAULT_FD_MASK) 05244 ) { 05245 err = rsbac_ta_list_lol_remove(ta_number, 05246 device_p->handle, 05247 &tid.file.inode); 05248 } 05249 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 05250 rcu_read_unlock(); 05251 #else 05252 rsbac_read_unlock(&device_list_lock, &dflags); 05253 #endif 05254 return err; 05255 05256 case T_DEV: 05257 rsbac_pr_debug(ds_acl, "Removing device ACL entry for dev %c %02u:%02u\n", 05258 'B' + tid.dev.type, tid.dev.major, 05259 tid.dev.minor); 05260 /* default entry? */ 05261 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev)) 05262 return rsbac_ta_list_remove(ta_number, 05263 default_dev_handle, 05264 &desc); 05265 05266 { 05267 switch (tid.dev.type) { 05268 case D_char: 05269 case D_block: 05270 err = 05271 rsbac_ta_list_lol_subremove(ta_number, 05272 dev_handle, 05273 &tid.dev, 05274 &desc); 05275 /* if ACL is empty, remove it */ 05276 if (!err 05277 && 05278 !rsbac_ta_list_lol_subcount(ta_number, 05279 dev_handle, 05280 &tid.dev) 05281 && 05282 !rsbac_ta_list_lol_get_data_ttl 05283 (ta_number, dev_handle, NULL, &tid.dev, 05284 &mask) 05285 && (mask == RSBAC_ACL_DEFAULT_DEV_MASK) 05286 ) { 05287 err = 05288 rsbac_ta_list_lol_remove 05289 (ta_number, dev_handle, 05290 &tid.dev); 05291 } 05292 return err; 05293 05294 case D_char_major: 05295 case D_block_major: 05296 tid.dev.type -= (D_block_major - D_block); 05297 err = 05298 rsbac_ta_list_lol_subremove(ta_number, 05299 dev_major_handle, 05300 &tid.dev, 05301 &desc); 05302 /* if ACL is empty, remove it */ 05303 if (!err 05304 && 05305 !rsbac_ta_list_lol_subcount(ta_number, 05306 dev_major_handle, 05307 &tid.dev) 05308 && 05309 !rsbac_ta_list_lol_get_data_ttl 05310 (ta_number, dev_major_handle, NULL, 05311 &tid.dev, &mask) 05312 && (mask == RSBAC_ACL_DEFAULT_DEV_MASK) 05313 ) { 05314 err = 05315 rsbac_ta_list_lol_remove 05316 (ta_number, dev_major_handle, 05317 &tid.dev); 05318 } 05319 return err; 05320 05321 default: 05322 return -RSBAC_EINVALIDTARGET; 05323 } 05324 } 05325 05326 case T_IPC: 05327 rsbac_pr_debug(ds_acl, "Removing IPC ACL for type %u\n", tid.ipc.type); 05328 /* default entry? */ 05329 if (tid.ipc.type == I_none) 05330 return rsbac_ta_list_remove(ta_number, 05331 default_ipc_handle, 05332 &desc); 05333 else 05334 return -RSBAC_EINVALIDTARGET; 05335 05336 case T_SCD: 05337 rsbac_pr_debug(ds_acl, "Removing SCD ACL entry for %s\n", 05338 get_acl_scd_type_name(tmp, tid.scd)); 05339 /* default entry? */ 05340 if (tid.scd == AST_none) 05341 return rsbac_ta_list_remove(ta_number, 05342 default_scd_handle, 05343 &desc); 05344 err = 05345 rsbac_ta_list_lol_subremove(ta_number, scd_handle, 05346 &tid.scd, &desc); 05347 /* if ACL is empty, remove it */ 05348 if (!err 05349 && !rsbac_ta_list_lol_subcount(ta_number, scd_handle, 05350 &tid.scd) 05351 && !rsbac_ta_list_lol_get_data_ttl(ta_number, 05352 scd_handle, NULL, 05353 &tid.scd, &mask) 05354 && (mask == RSBAC_ACL_DEFAULT_SCD_MASK) 05355 ) { 05356 err = 05357 rsbac_ta_list_lol_remove(ta_number, scd_handle, 05358 &tid.scd); 05359 } 05360 return err; 05361 05362 case T_USER: 05363 rsbac_pr_debug(ds_acl, "Removing user ACL for user %u\n", 05364 tid.user); 05365 /* default entry? */ 05366 if (tid.user == RSBAC_NO_USER) 05367 return rsbac_ta_list_remove(ta_number, 05368 default_u_handle, 05369 &desc); 05370 err = 05371 rsbac_ta_list_lol_subremove(ta_number, u_handle, 05372 &tid.user, &desc); 05373 /* if ACL is empty, remove it */ 05374 if (!err 05375 && !rsbac_ta_list_lol_subcount(ta_number, u_handle, 05376 &tid.user) 05377 && !rsbac_ta_list_lol_get_data_ttl(ta_number, u_handle, 05378 NULL, &tid.user, 05379 &mask) 05380 && (mask == RSBAC_ACL_DEFAULT_U_MASK) 05381 ) { 05382 err = 05383 rsbac_ta_list_lol_remove(ta_number, u_handle, 05384 &tid.user); 05385 } 05386 return err; 05387 05388 case T_PROCESS: 05389 rsbac_pr_debug(ds_acl, "Removing process ACL for pid %u\n", 05390 tid.process); 05391 /* default entry? */ 05392 if (!tid.process) 05393 return rsbac_ta_list_remove(ta_number, 05394 default_p_handle, 05395 &desc); 05396 else 05397 return -RSBAC_EINVALIDTARGET; 05398 05399 #ifdef CONFIG_RSBAC_ACL_UM_PROT 05400 case T_GROUP: 05401 rsbac_pr_debug(ds_acl, "Removing Linux group ACL for group %u\n", 05402 tid.group); 05403 /* default entry? */ 05404 if (tid.group == RSBAC_NO_GROUP) 05405 return rsbac_ta_list_remove(ta_number, 05406 default_g_handle, 05407 &desc); 05408 err = 05409 rsbac_ta_list_lol_subremove(ta_number, g_handle, 05410 &tid.group, &desc); 05411 /* if ACL is empty, remove it */ 05412 if (!err 05413 && !rsbac_ta_list_lol_subcount(ta_number, g_handle, 05414 &tid.group) 05415 && !rsbac_ta_list_lol_get_data_ttl(ta_number, g_handle, 05416 NULL, &tid.group, 05417 &mask) 05418 && (mask == RSBAC_ACL_DEFAULT_G_MASK) 05419 ) { 05420 err = 05421 rsbac_ta_list_lol_remove(ta_number, g_handle, 05422 &tid.group); 05423 } 05424 return err; 05425 #endif 05426 05427 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 05428 case T_NETDEV: 05429 rsbac_pr_debug(ds_acl, "Removing network device ACL entry for netdev %s\n", 05430 tid.netdev); 05431 /* default entry? */ 05432 if (!tid.netdev[0]) 05433 return rsbac_ta_list_remove(ta_number, 05434 default_netdev_handle, 05435 &desc); 05436 05437 err = 05438 rsbac_ta_list_lol_subremove(ta_number, netdev_handle, 05439 &tid.netdev, &desc); 05440 /* if ACL is empty, remove it */ 05441 if (!err 05442 && !rsbac_ta_list_lol_subcount(ta_number, 05443 netdev_handle, 05444 &tid.netdev) 05445 && !rsbac_ta_list_lol_get_data_ttl(ta_number, 05446 netdev_handle, NULL, 05447 &tid.netdev, &mask) 05448 && (mask == RSBAC_ACL_DEFAULT_NETDEV_MASK) 05449 ) { 05450 err = 05451 rsbac_ta_list_lol_remove(ta_number, 05452 netdev_handle, 05453 &tid.netdev); 05454 } 05455 return err; 05456 #endif 05457 05458 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 05459 case T_NETTEMP_NT: 05460 rsbac_pr_debug(ds_acl, "Removing network template NT ACL entry for " 05461 "nettemp_nt %u\n", tid.nettemp); 05462 /* default entry? */ 05463 if (!tid.nettemp) 05464 return rsbac_ta_list_remove(ta_number, 05465 default_nettemp_nt_handle, 05466 &desc); 05467 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp)) 05468 return -RSBAC_EINVALIDTARGET; 05469 05470 err = 05471 rsbac_ta_list_lol_subremove(ta_number, 05472 nettemp_nt_handle, 05473 &tid.nettemp, &desc); 05474 /* if ACL is empty, remove it */ 05475 if (!err 05476 && !rsbac_ta_list_lol_subcount(ta_number, 05477 nettemp_nt_handle, 05478 &tid.nettemp) 05479 && !rsbac_ta_list_lol_get_data_ttl(ta_number, 05480 nettemp_nt_handle, 05481 NULL, &tid.nettemp, 05482 &mask) 05483 && (mask == RSBAC_ACL_DEFAULT_NETTEMP_MASK) 05484 ) { 05485 err = 05486 rsbac_ta_list_lol_remove(ta_number, 05487 nettemp_nt_handle, 05488 &tid.nettemp); 05489 } 05490 return err; 05491 05492 case T_NETTEMP: 05493 rsbac_pr_debug(ds_acl, "Removing network template ACL entry for nettemp_nt %u\n", 05494 tid.nettemp); 05495 /* default entry? */ 05496 if (!tid.nettemp) 05497 return -RSBAC_EINVALIDTARGET; 05498 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp)) 05499 return -RSBAC_EINVALIDTARGET; 05500 05501 err = 05502 rsbac_ta_list_lol_subremove(ta_number, nettemp_handle, 05503 &tid.nettemp, &desc); 05504 /* if ACL is empty, remove it */ 05505 if (!err 05506 && !rsbac_ta_list_lol_subcount(ta_number, 05507 nettemp_handle, 05508 &tid.nettemp) 05509 && !rsbac_ta_list_lol_get_data_ttl(ta_number, 05510 nettemp_handle, 05511 NULL, &tid.nettemp, 05512 &mask) 05513 && (mask == RSBAC_ACL_DEFAULT_NETOBJ_MASK) 05514 ) { 05515 err = 05516 rsbac_ta_list_lol_remove(ta_number, 05517 nettemp_handle, 05518 &tid.nettemp); 05519 } 05520 return err; 05521 05522 case T_NETOBJ: 05523 rsbac_pr_debug(ds_acl, "Removing network object ACL entry for netobj %p\n", 05524 tid.netobj.sock_p); 05525 /* default entry? */ 05526 if (!tid.netobj.sock_p) 05527 return rsbac_ta_list_remove(ta_number, 05528 default_netobj_handle, 05529 &desc); 05530 05531 err = 05532 rsbac_ta_list_lol_subremove(ta_number, netobj_handle, 05533 &tid.netobj.sock_p, &desc); 05534 /* if ACL is empty, remove it */ 05535 if (!err 05536 && !rsbac_ta_list_lol_subcount(ta_number, 05537 netobj_handle, 05538 &tid.netobj.sock_p) 05539 && !rsbac_ta_list_lol_get_data_ttl(ta_number, 05540 netobj_handle, NULL, 05541 &tid.netobj, &mask) 05542 && (mask == RSBAC_ACL_DEFAULT_NETOBJ_MASK) 05543 ) { 05544 err = 05545 rsbac_ta_list_lol_remove(ta_number, 05546 netobj_handle, 05547 &tid.netobj.sock_p); 05548 } 05549 return err; 05550 #endif /* NET_OBJ_PROT */ 05551 05552 default: 05553 return -RSBAC_EINVALIDTARGET; 05554 } 05555 }
int rsbac_acl_remove_from_acl_entry | ( | rsbac_list_ta_number_t | ta_number, | |
enum rsbac_target_t | target, | |||
union rsbac_target_id_t | tid, | |||
enum rsbac_acl_subject_type_t | subj_type, | |||
rsbac_acl_subject_id_t | subj_id, | |||
rsbac_acl_rights_vector_t | rights | |||
) |
Definition at line 6231 of file acl_data_structures.c.
References acl_lookup_device(), ACLS_NONE, AST_none, D_block, D_block_major, D_char, D_char_major, default_dev_handle, default_fd_handle, default_ipc_handle, default_p_handle, default_scd_handle, default_u_handle, rsbac_target_id_t::dev, device_list_lock, rsbac_target_id_t::group, rsbac_acl_device_list_item_t::handle, I_none, rsbac_target_id_t::ipc, rsbac_target_id_t::netdev, rsbac_target_id_t::netobj, rsbac_target_id_t::nettemp, rsbac_target_id_t::process, RSBAC_EINVALIDDEV, RSBAC_EINVALIDTARGET, RSBAC_EINVALIDVALUE, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), RSBAC_IS_ZERO_DEV_DESC, RSBAC_NO_GROUP, RSBAC_NO_USER, rsbac_printk(), rsbac_ta_list_add_ttl(), rsbac_ta_list_get_data_ttl(), rsbac_ta_list_lol_get_subdata_ttl(), rsbac_ta_list_lol_subadd_ttl(), rsbac_ta_net_template_exist(), rsbac_target_id_t::scd, rsbac_net_obj_desc_t::sock_p, rsbac_acl_entry_desc_t::subj_id, rsbac_acl_entry_desc_t::subj_type, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NETTEMP_NT, T_PROCESS, T_SCD, T_SYMLINK, T_UNIXSOCK, T_USER, rsbac_ipc_t::type, rsbac_dev_desc_t::type, and rsbac_target_id_t::user.
Referenced by rsbac_acl_sys_remove_from_acl_entry().
06238 { 06239 int err = 0; 06240 struct rsbac_acl_device_list_item_t *device_p; 06241 rsbac_acl_rights_vector_t old_rights; 06242 struct rsbac_acl_entry_desc_t desc; 06243 rsbac_time_t ttl; 06244 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 06245 u_long dflags; 06246 #endif 06247 06248 if (!rsbac_is_initialized()) { 06249 rsbac_printk(KERN_WARNING "rsbac_acl_remove_from_acl_entry(): RSBAC not initialized\n"); 06250 return (-RSBAC_ENOTINITIALIZED); 06251 } 06252 if (subj_type >= ACLS_NONE) 06253 return (-RSBAC_EINVALIDVALUE); 06254 #ifdef CONFIG_RSBAC_DEBUG 06255 if (in_interrupt()) { 06256 rsbac_printk(KERN_WARNING "rsbac_acl_remove_from_acl_entry(): called from interrupt!\n"); 06257 } 06258 #endif 06259 desc.subj_type = subj_type; 06260 desc.subj_id = subj_id; 06261 06262 switch (target) { 06263 case T_FILE: 06264 case T_DIR: 06265 case T_FIFO: 06266 case T_SYMLINK: 06267 case T_UNIXSOCK: 06268 /* default entry? */ 06269 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode 06270 && !tid.file.dentry_p) { 06271 if (!rsbac_ta_list_get_data_ttl 06272 (ta_number, default_fd_handle, &ttl, &desc, 06273 &old_rights)) { 06274 old_rights &= ~rights; 06275 return rsbac_ta_list_add_ttl(ta_number, 06276 default_fd_handle, 06277 ttl, &desc, 06278 &old_rights); 06279 } else 06280 return 0; 06281 } 06282 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 06283 rcu_read_lock(); 06284 #else 06285 rsbac_read_lock(&device_list_lock, &dflags); 06286 #endif 06287 /* lookup device */ 06288 device_p = acl_lookup_device(tid.file.device); 06289 if (!device_p) { 06290 /* trigger rsbac_mount() */ 06291 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 06292 rcu_read_unlock(); 06293 #else 06294 rsbac_read_unlock(&device_list_lock, &dflags); 06295 #endif 06296 rsbac_get_super_block(tid.file.device); 06297 /* retry */ 06298 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 06299 rcu_read_lock(); 06300 #else 06301 rsbac_read_lock(&device_list_lock, &dflags); 06302 #endif 06303 device_p = acl_lookup_device(tid.file.device); 06304 if (!device_p) { 06305 rsbac_printk(KERN_WARNING "rsbac_acl_remove_from_acl_entry(): Could not lookup device!\n"); 06306 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 06307 rcu_read_unlock(); 06308 #else 06309 rsbac_read_unlock(&device_list_lock, &dflags); 06310 #endif 06311 return (-RSBAC_EINVALIDDEV); 06312 } 06313 } 06314 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 06315 device_p->handle, 06316 &ttl, 06317 &tid.file.inode, 06318 &desc, 06319 &old_rights)) { 06320 old_rights &= ~rights; 06321 err = rsbac_ta_list_lol_subadd_ttl(ta_number, 06322 device_p->handle, 06323 ttl, 06324 &tid.file.inode, 06325 &desc, 06326 &old_rights); 06327 } else 06328 err = 0; 06329 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 06330 rcu_read_unlock(); 06331 #else 06332 rsbac_read_unlock(&device_list_lock, &dflags); 06333 #endif 06334 return err; 06335 06336 case T_DEV: 06337 /* default entry? */ 06338 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev)) { 06339 if (!rsbac_ta_list_get_data_ttl 06340 (ta_number, default_dev_handle, &ttl, &desc, 06341 &old_rights)) { 06342 old_rights &= ~rights; 06343 return rsbac_ta_list_add_ttl(ta_number, 06344 default_dev_handle, 06345 ttl, &desc, 06346 &old_rights); 06347 } else 06348 return 0; 06349 } 06350 switch (tid.dev.type) { 06351 case D_char: 06352 case D_block: 06353 if (!rsbac_ta_list_lol_get_subdata_ttl 06354 (ta_number, dev_handle, &ttl, &tid.dev, &desc, 06355 &old_rights)) { 06356 old_rights &= ~rights; 06357 return 06358 rsbac_ta_list_lol_subadd_ttl(ta_number, 06359 dev_handle, 06360 ttl, 06361 &tid.dev, 06362 &desc, 06363 &old_rights); 06364 } else 06365 return 0; 06366 06367 case D_char_major: 06368 case D_block_major: 06369 tid.dev.type -= (D_block_major - D_block); 06370 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 06371 dev_major_handle, 06372 &ttl, 06373 &tid.dev, 06374 &desc, 06375 &old_rights)) 06376 { 06377 old_rights &= ~rights; 06378 return 06379 rsbac_ta_list_lol_subadd_ttl(ta_number, 06380 dev_major_handle, 06381 ttl, 06382 &tid.dev, 06383 &desc, 06384 &old_rights); 06385 } else 06386 return 0; 06387 06388 default: 06389 return -RSBAC_EINVALIDTARGET; 06390 } 06391 06392 case T_IPC: 06393 /* default entry? */ 06394 if (tid.ipc.type == I_none) { 06395 if (!rsbac_ta_list_get_data_ttl 06396 (ta_number, default_ipc_handle, &ttl, &desc, 06397 &old_rights)) { 06398 old_rights &= ~rights; 06399 return rsbac_ta_list_add_ttl(ta_number, 06400 default_ipc_handle, 06401 ttl, &desc, 06402 &old_rights); 06403 } else 06404 return 0; 06405 } else 06406 return -RSBAC_EINVALIDTARGET; 06407 06408 case T_SCD: 06409 /* default entry? */ 06410 if (tid.scd == AST_none) { 06411 if (!rsbac_ta_list_get_data_ttl 06412 (ta_number, default_scd_handle, &ttl, &desc, 06413 &old_rights)) { 06414 old_rights &= ~rights; 06415 return rsbac_ta_list_add_ttl(ta_number, 06416 default_scd_handle, 06417 ttl, &desc, 06418 &old_rights); 06419 } else 06420 return 0; 06421 } 06422 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 06423 scd_handle, 06424 &ttl, 06425 &tid.scd, 06426 &desc, 06427 &old_rights)) { 06428 old_rights &= ~rights; 06429 return rsbac_ta_list_lol_subadd_ttl(ta_number, 06430 scd_handle, 06431 ttl, 06432 &tid.scd, 06433 &desc, 06434 &old_rights); 06435 } else 06436 return 0; 06437 06438 case T_USER: 06439 /* default entry? */ 06440 if (tid.user == RSBAC_NO_USER) { 06441 if (!rsbac_ta_list_get_data_ttl 06442 (ta_number, default_u_handle, &ttl, &desc, 06443 &old_rights)) { 06444 old_rights &= ~rights; 06445 return rsbac_ta_list_add_ttl(ta_number, 06446 default_u_handle, 06447 ttl, &desc, 06448 &old_rights); 06449 } else 06450 return 0; 06451 } 06452 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 06453 u_handle, 06454 &ttl, 06455 &tid.user, 06456 &desc, 06457 &old_rights)) { 06458 old_rights &= ~rights; 06459 return rsbac_ta_list_lol_subadd_ttl(ta_number, 06460 u_handle, 06461 ttl, 06462 &tid.user, 06463 &desc, 06464 &old_rights); 06465 } else 06466 return 0; 06467 06468 case T_PROCESS: 06469 /* default entry? */ 06470 if (!tid.process) { 06471 if (!rsbac_ta_list_get_data_ttl 06472 (ta_number, default_p_handle, &ttl, &desc, 06473 &old_rights)) { 06474 old_rights &= ~rights; 06475 return rsbac_ta_list_add_ttl(ta_number, 06476 default_p_handle, 06477 ttl, &desc, 06478 &old_rights); 06479 } else 06480 return 0; 06481 } else 06482 return -RSBAC_EINVALIDTARGET; 06483 06484 #ifdef CONFIG_RSBAC_ACL_UM_PROT 06485 case T_GROUP: 06486 /* default entry? */ 06487 if (tid.group == RSBAC_NO_GROUP) { 06488 if (!rsbac_ta_list_get_data_ttl 06489 (ta_number, default_g_handle, &ttl, &desc, 06490 &old_rights)) { 06491 old_rights &= ~rights; 06492 return rsbac_ta_list_add_ttl(ta_number, 06493 default_g_handle, 06494 ttl, &desc, 06495 &old_rights); 06496 } else 06497 return 0; 06498 } 06499 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 06500 g_handle, 06501 &ttl, 06502 &tid.group, 06503 &desc, 06504 &old_rights)) { 06505 old_rights &= ~rights; 06506 return rsbac_ta_list_lol_subadd_ttl(ta_number, 06507 g_handle, 06508 ttl, 06509 &tid.group, 06510 &desc, 06511 &old_rights); 06512 } else 06513 return 0; 06514 #endif 06515 06516 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 06517 case T_NETDEV: 06518 /* default entry? */ 06519 if (!tid.netdev[0]) { 06520 if (!rsbac_ta_list_get_data_ttl 06521 (ta_number, default_netdev_handle, &ttl, &desc, 06522 &old_rights)) { 06523 old_rights &= ~rights; 06524 return rsbac_ta_list_add_ttl(ta_number, 06525 default_netdev_handle, 06526 ttl, &desc, 06527 &old_rights); 06528 } else 06529 return 0; 06530 } 06531 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 06532 netdev_handle, 06533 &ttl, 06534 &tid.netdev, 06535 &desc, 06536 &old_rights)) { 06537 old_rights &= ~rights; 06538 return rsbac_ta_list_lol_subadd_ttl(ta_number, 06539 netdev_handle, 06540 ttl, 06541 &tid.netdev, 06542 &desc, 06543 &old_rights); 06544 } else 06545 return 0; 06546 #endif 06547 06548 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 06549 case T_NETTEMP_NT: 06550 /* default entry? */ 06551 if (!tid.nettemp) { 06552 if (!rsbac_ta_list_get_data_ttl 06553 (ta_number, default_nettemp_nt_handle, &ttl, 06554 &desc, &old_rights)) { 06555 old_rights &= ~rights; 06556 return rsbac_ta_list_add_ttl(ta_number, 06557 default_nettemp_nt_handle, 06558 ttl, &desc, 06559 &old_rights); 06560 } else 06561 return 0; 06562 } 06563 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp)) 06564 return -RSBAC_EINVALIDTARGET; 06565 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 06566 nettemp_nt_handle, 06567 &ttl, 06568 &tid.nettemp, 06569 &desc, 06570 &old_rights)) { 06571 old_rights &= ~rights; 06572 return rsbac_ta_list_lol_subadd_ttl(ta_number, 06573 nettemp_nt_handle, 06574 ttl, 06575 &tid.nettemp, 06576 &desc, 06577 &old_rights); 06578 } else 06579 return 0; 06580 case T_NETTEMP: 06581 /* default entry? */ 06582 if (!tid.nettemp) { 06583 return -RSBAC_EINVALIDTARGET; 06584 } 06585 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp)) 06586 return -RSBAC_EINVALIDTARGET; 06587 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 06588 nettemp_handle, 06589 &ttl, 06590 &tid.nettemp, 06591 &desc, 06592 &old_rights)) { 06593 old_rights &= ~rights; 06594 return rsbac_ta_list_lol_subadd_ttl(ta_number, 06595 nettemp_handle, 06596 ttl, 06597 &tid.nettemp, 06598 &desc, 06599 &old_rights); 06600 } else 06601 return 0; 06602 case T_NETOBJ: 06603 /* default entry? */ 06604 if (!tid.netobj.sock_p) { 06605 if (!rsbac_ta_list_get_data_ttl 06606 (ta_number, default_netobj_handle, &ttl, &desc, 06607 &old_rights)) { 06608 old_rights &= ~rights; 06609 return rsbac_ta_list_add_ttl(ta_number, 06610 default_netobj_handle, 06611 ttl, &desc, 06612 &old_rights); 06613 } else 06614 return 0; 06615 } 06616 if (!rsbac_ta_list_lol_get_subdata_ttl(ta_number, 06617 netobj_handle, 06618 &ttl, 06619 &tid.netobj.sock_p, 06620 &desc, 06621 &old_rights)) { 06622 old_rights &= ~rights; 06623 return rsbac_ta_list_lol_subadd_ttl(ta_number, 06624 netobj_handle, 06625 ttl, 06626 &tid.netobj. 06627 sock_p, &desc, 06628 &old_rights); 06629 } else 06630 return 0; 06631 #endif /* NET_OBJ_PROT */ 06632 06633 default: 06634 return -RSBAC_EINVALIDTARGET; 06635 } 06636 }
int rsbac_acl_remove_group | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_acl_group_id_t | id | |||
) |
Definition at line 8887 of file acl_data_structures.c.
References ACLS_GROUP, gm_handle, group_handle, rsbac_acl_remove_subject(), RSBAC_EINVALIDVALUE, rsbac_ta_list_lol_subremove_from_all(), rsbac_ta_list_remove(), rsbac_acl_entry_desc_t::subj_id, and rsbac_acl_entry_desc_t::subj_type.
Referenced by rsbac_acl_sys_group().
08889 { 08890 int err = 0; 08891 08892 if (!id) 08893 return -RSBAC_EINVALIDVALUE; 08894 08895 err = rsbac_ta_list_remove(ta_number, group_handle, &id); 08896 if (!err) { 08897 struct rsbac_acl_entry_desc_t desc; 08898 08899 /* cleanup group memberships */ 08900 rsbac_ta_list_lol_subremove_from_all(ta_number, gm_handle, 08901 &id); 08902 desc.subj_type = ACLS_GROUP; 08903 desc.subj_id = id; 08904 err = rsbac_acl_remove_subject(ta_number, desc); 08905 } 08906 return (err); 08907 }
int rsbac_acl_remove_group_member | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_acl_group_id_t | group, | |||
rsbac_uid_t | user | |||
) |
Definition at line 8991 of file acl_data_structures.c.
References gm_handle, group_handle, RSBAC_EINVALIDVALUE, rsbac_ta_list_exist(), rsbac_ta_list_lol_remove(), rsbac_ta_list_lol_subcount(), and rsbac_ta_list_lol_subremove().
Referenced by rsbac_acl_sys_group().
08994 { 08995 int err; 08996 08997 if (!group) 08998 return -RSBAC_EINVALIDVALUE; 08999 if (!rsbac_ta_list_exist(ta_number, group_handle, &group)) 09000 return -RSBAC_EINVALIDVALUE; 09001 09002 err = 09003 rsbac_ta_list_lol_subremove(ta_number, gm_handle, &user, 09004 &group); 09005 /* cleanup empty gm items */ 09006 if (!err 09007 && !rsbac_ta_list_lol_subcount(ta_number, gm_handle, &user) 09008 ) 09009 err = 09010 rsbac_ta_list_lol_remove(ta_number, gm_handle, &user); 09011 09012 return err; 09013 }
int rsbac_acl_remove_subject | ( | rsbac_list_ta_number_t | ta_number, | |
struct rsbac_acl_entry_desc_t | desc | |||
) |
Definition at line 8737 of file acl_data_structures.c.
References ACLS_NONE, default_dev_handle, default_fd_handle, default_ipc_handle, default_p_handle, default_scd_handle, default_u_handle, device_list_head_p, device_list_lock, rsbac_acl_device_list_item_t::handle, rsbac_acl_device_list_item_t::next, RSBAC_EINVALIDVALUE, rsbac_ta_list_lol_subremove_from_all(), rsbac_ta_list_remove(), and rsbac_acl_entry_desc_t::subj_type.
Referenced by rsbac_acl_remove_group(), rsbac_acl_remove_user(), and rsbac_rc_set_item().
08739 { 08740 struct rsbac_acl_device_list_item_t *device_p; 08741 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 08742 u_long dflags; 08743 #endif 08744 08745 if (desc.subj_type >= ACLS_NONE) 08746 return -RSBAC_EINVALIDVALUE; 08747 08748 /* remove from default ACLs */ 08749 rsbac_ta_list_remove(ta_number, default_fd_handle, &desc); 08750 rsbac_ta_list_remove(ta_number, default_dev_handle, &desc); 08751 rsbac_ta_list_remove(ta_number, default_ipc_handle, &desc); 08752 rsbac_ta_list_remove(ta_number, default_scd_handle, &desc); 08753 rsbac_ta_list_remove(ta_number, default_u_handle, &desc); 08754 rsbac_ta_list_remove(ta_number, default_p_handle, &desc); 08755 #ifdef CONFIG_RSBAC_ACL_UM_PROT 08756 rsbac_ta_list_remove(ta_number, default_g_handle, &desc); 08757 #endif 08758 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 08759 rsbac_ta_list_remove(ta_number, default_netdev_handle, &desc); 08760 #endif 08761 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 08762 rsbac_ta_list_remove(ta_number, default_nettemp_nt_handle, &desc); 08763 rsbac_ta_list_remove(ta_number, default_netobj_handle, &desc); 08764 #endif 08765 08766 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 08767 rcu_read_lock(); 08768 #else 08769 rsbac_read_lock(&device_list_lock, &dflags); 08770 #endif 08771 device_p = rcu_dereference(device_list_head_p)->head; 08772 while (device_p) { 08773 rsbac_ta_list_lol_subremove_from_all(ta_number, 08774 device_p->handle, 08775 &desc); 08776 device_p = device_p->next; 08777 } 08778 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 08779 rcu_read_unlock(); 08780 #else 08781 rsbac_read_unlock(&device_list_lock, &dflags); 08782 #endif 08783 08784 /* dev list */ 08785 rsbac_ta_list_lol_subremove_from_all(ta_number, dev_major_handle, 08786 &desc); 08787 rsbac_ta_list_lol_subremove_from_all(ta_number, dev_handle, &desc); 08788 08789 /* scd list */ 08790 rsbac_ta_list_lol_subremove_from_all(ta_number, scd_handle, &desc); 08791 08792 /* user list */ 08793 rsbac_ta_list_lol_subremove_from_all(ta_number, u_handle, &desc); 08794 08795 #ifdef CONFIG_RSBAC_ACL_UM_PROT 08796 /* Linux group list */ 08797 rsbac_ta_list_lol_subremove_from_all(ta_number, g_handle, &desc); 08798 #endif 08799 08800 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 08801 /* netdev list */ 08802 rsbac_ta_list_lol_subremove_from_all(ta_number, netdev_handle, 08803 &desc); 08804 #endif 08805 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 08806 rsbac_ta_list_lol_subremove_from_all(ta_number, nettemp_nt_handle, 08807 &desc); 08808 rsbac_ta_list_lol_subremove_from_all(ta_number, nettemp_handle, 08809 &desc); 08810 rsbac_ta_list_lol_subremove_from_all(ta_number, netobj_handle, 08811 &desc); 08812 #endif 08813 08814 return 0; 08815 }
int rsbac_acl_remove_user | ( | rsbac_list_ta_number_t | ta_number, | |
rsbac_uid_t | user | |||
) |
Definition at line 9138 of file acl_data_structures.c.
References ACLS_USER, gm_handle, group_handle, rsbac_acl_remove_subject(), rsbac_ta_list_get_all_data(), rsbac_ta_list_lol_remove(), rsbac_ta_list_lol_subremove_from_all(), rsbac_ta_list_remove(), rsbac_vfree, rsbac_acl_entry_desc_t::subj_id, and rsbac_acl_entry_desc_t::subj_type.
Referenced by rsbac_acl_sys_remove_user().
09140 { 09141 u_long i; 09142 struct rsbac_acl_group_entry_t *entry_p; 09143 long desc_count; 09144 struct rsbac_acl_entry_desc_t desc; 09145 09146 rsbac_ta_list_lol_remove(ta_number, gm_handle, &user); 09147 /* traverse groups for this owner */ 09148 desc_count = 09149 rsbac_ta_list_get_all_data(ta_number, group_handle, 09150 (void **) &entry_p); 09151 if (desc_count > 0) { 09152 for (i = 0; i < desc_count; i++) { 09153 if (entry_p[i].owner == user) { 09154 rsbac_ta_list_remove(ta_number, 09155 group_handle, 09156 &entry_p[i].id); 09157 /* cleanup group memberships */ 09158 rsbac_ta_list_lol_subremove_from_all 09159 (ta_number, gm_handle, &entry_p[i].id); 09160 } 09161 } 09162 rsbac_vfree(entry_p); 09163 } 09164 09165 desc.subj_type = ACLS_USER; 09166 desc.subj_id = user; 09167 09168 return rsbac_acl_remove_subject(ta_number, desc); 09169 }
int rsbac_acl_set_acl_entry | ( | rsbac_list_ta_number_t | ta_number, | |
enum rsbac_target_t | target, | |||
union rsbac_target_id_t | tid, | |||
enum rsbac_acl_subject_type_t | subj_type, | |||
rsbac_acl_subject_id_t | subj_id, | |||
rsbac_acl_rights_vector_t | rights, | |||
rsbac_time_t | ttl | |||
) |
Definition at line 4767 of file acl_data_structures.c.
References acl_lookup_device(), ACLS_NONE, AST_none, D_block, D_block_major, D_char, D_char_major, default_dev_handle, default_fd_handle, default_ipc_handle, default_p_handle, default_scd_handle, default_u_handle, rsbac_target_id_t::dev, device_list_lock, rsbac_target_id_t::group, rsbac_acl_device_list_item_t::handle, I_none, rsbac_target_id_t::ipc, rsbac_dev_desc_t::major, rsbac_dev_desc_t::minor, rsbac_target_id_t::netdev, rsbac_target_id_t::netobj, rsbac_target_id_t::nettemp, rsbac_target_id_t::process, RSBAC_ACL_DEFAULT_DEV_MASK, RSBAC_ACL_DEFAULT_FD_MASK, RSBAC_ACL_DEFAULT_G_MASK, RSBAC_ACL_DEFAULT_NETDEV_MASK, RSBAC_ACL_DEFAULT_NETOBJ_MASK, RSBAC_ACL_DEFAULT_NETTEMP_MASK, RSBAC_ACL_DEFAULT_SCD_MASK, RSBAC_ACL_DEFAULT_U_MASK, RSBAC_EINVALIDDEV, RSBAC_EINVALIDTARGET, RSBAC_EINVALIDVALUE, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), RSBAC_IS_ZERO_DEV_DESC, RSBAC_NO_GROUP, RSBAC_NO_USER, rsbac_pr_debug, rsbac_printk(), rsbac_ta_list_add_ttl(), rsbac_ta_list_lol_add_ttl(), rsbac_ta_list_lol_exist(), rsbac_ta_list_lol_subadd_ttl(), rsbac_ta_net_template_exist(), rsbac_target_id_t::scd, rsbac_net_obj_desc_t::sock_p, rsbac_acl_entry_desc_t::subj_id, rsbac_acl_entry_desc_t::subj_type, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NETTEMP_NT, T_PROCESS, T_SCD, T_SYMLINK, T_UNIXSOCK, T_USER, rsbac_ipc_t::type, rsbac_dev_desc_t::type, and rsbac_target_id_t::user.
Referenced by rsbac_acl_sys_set_acl_entry().
04774 { 04775 int err = 0; 04776 struct rsbac_acl_device_list_item_t *device_p; 04777 struct rsbac_acl_entry_desc_t desc; 04778 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 04779 u_long dflags; 04780 #endif 04781 04782 if (!rsbac_is_initialized()) { 04783 rsbac_printk(KERN_WARNING "rsbac_acl_set_acl_entry(): RSBAC not initialized\n"); 04784 return (-RSBAC_ENOTINITIALIZED); 04785 } 04786 if (subj_type >= ACLS_NONE) 04787 return (-RSBAC_EINVALIDVALUE); 04788 #ifdef CONFIG_RSBAC_DEBUG 04789 if (in_interrupt()) { 04790 rsbac_printk(KERN_WARNING "rsbac_acl_set_acl_entry(): called from interrupt!\n"); 04791 } 04792 #endif 04793 desc.subj_type = subj_type; 04794 desc.subj_id = subj_id; 04795 04796 switch (target) { 04797 case T_FILE: 04798 case T_DIR: 04799 case T_FIFO: 04800 case T_SYMLINK: 04801 case T_UNIXSOCK: 04802 rsbac_pr_debug(ds_acl, "Setting file/dir/fifo/symlink ACL for device %02u:%02u, inode %u\n", 04803 RSBAC_MAJOR(tid.file.device), 04804 RSBAC_MINOR(tid.file.device), tid.file.inode); 04805 /* default entry? */ 04806 if (RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode 04807 && !tid.file.dentry_p) 04808 return rsbac_ta_list_add_ttl(ta_number, 04809 default_fd_handle, 04810 ttl, &desc, &rights); 04811 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 04812 rcu_read_lock(); 04813 #else 04814 rsbac_read_lock(&device_list_lock, &dflags); 04815 #endif 04816 /* lookup device */ 04817 device_p = acl_lookup_device(tid.file.device); 04818 if (!device_p) { 04819 /* trigger rsbac_mount() */ 04820 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 04821 rcu_read_unlock(); 04822 #else 04823 rsbac_read_unlock(&device_list_lock, &dflags); 04824 #endif 04825 rsbac_get_super_block(tid.file.device); 04826 /* retry */ 04827 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 04828 rcu_read_lock(); 04829 #else 04830 rsbac_read_lock(&device_list_lock, &dflags); 04831 #endif 04832 device_p = acl_lookup_device(tid.file.device); 04833 if (!device_p) { 04834 rsbac_printk(KERN_WARNING "rsbac_acl_set_acl_entry(): Could not lookup device!\n"); 04835 /* free read lock */ 04836 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 04837 rcu_read_unlock(); 04838 #else 04839 rsbac_read_unlock(&device_list_lock, &dflags); 04840 #endif 04841 return (-RSBAC_EINVALIDDEV); 04842 } 04843 } 04844 if (!rsbac_ta_list_lol_exist 04845 (ta_number, device_p->handle, 04846 &tid.file.inode)) { 04847 rsbac_acl_rights_vector_t mask = 04848 RSBAC_ACL_DEFAULT_FD_MASK; 04849 04850 err = rsbac_ta_list_lol_add_ttl(ta_number, 04851 device_p->handle, 04852 0, &tid.file.inode, 04853 &mask); 04854 if (err) { 04855 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 04856 rcu_read_unlock(); 04857 #else 04858 rsbac_read_unlock(&device_list_lock, &dflags); 04859 #endif 04860 return err; 04861 } 04862 } 04863 err = 04864 rsbac_ta_list_lol_subadd_ttl(ta_number, 04865 device_p->handle, ttl, 04866 &tid.file.inode, &desc, 04867 &rights); 04868 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 04869 rcu_read_unlock(); 04870 #else 04871 rsbac_read_unlock(&device_list_lock, &dflags); 04872 #endif 04873 /* ready. */ 04874 return err; 04875 04876 case T_DEV: 04877 rsbac_pr_debug(ds_acl, "Setting device ACL for dev %c %02u:%02u\n", 04878 'B' + tid.dev.type, tid.dev.major, 04879 tid.dev.minor); 04880 /* default entry? */ 04881 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev)) 04882 return rsbac_ta_list_add_ttl(ta_number, 04883 default_dev_handle, 04884 ttl, &desc, &rights); 04885 04886 { 04887 switch (tid.dev.type) { 04888 case D_char: 04889 case D_block: 04890 if (!rsbac_ta_list_lol_exist 04891 (ta_number, dev_handle, &tid.dev)) { 04892 rsbac_acl_rights_vector_t mask = 04893 RSBAC_ACL_DEFAULT_DEV_MASK; 04894 04895 err = 04896 rsbac_ta_list_lol_add_ttl 04897 (ta_number, dev_handle, 0, 04898 &tid.dev, &mask); 04899 if (err) 04900 return err; 04901 } 04902 return 04903 rsbac_ta_list_lol_subadd_ttl(ta_number, 04904 dev_handle, 04905 ttl, 04906 &tid.dev, 04907 &desc, 04908 &rights); 04909 04910 case D_char_major: 04911 case D_block_major: 04912 tid.dev.type -= (D_block_major - D_block); 04913 if (!rsbac_ta_list_lol_exist 04914 (ta_number, dev_major_handle, 04915 &tid.dev)) { 04916 rsbac_acl_rights_vector_t mask = 04917 RSBAC_ACL_DEFAULT_DEV_MASK; 04918 04919 err = 04920 rsbac_ta_list_lol_add_ttl 04921 (ta_number, dev_major_handle, 04922 0, &tid.dev, &mask); 04923 if (err) 04924 return err; 04925 } 04926 return 04927 rsbac_ta_list_lol_subadd_ttl(ta_number, 04928 dev_major_handle, 04929 ttl, 04930 &tid.dev, 04931 &desc, 04932 &rights); 04933 04934 default: 04935 return -RSBAC_EINVALIDTARGET; 04936 } 04937 } 04938 04939 case T_IPC: 04940 /* default entry? */ 04941 if (tid.ipc.type == I_none) 04942 return rsbac_ta_list_add_ttl(ta_number, 04943 default_ipc_handle, 04944 ttl, &desc, &rights); 04945 else 04946 return -RSBAC_EINVALIDTARGET; 04947 04948 case T_SCD: 04949 /* default entry? */ 04950 if (tid.scd == AST_none) 04951 return rsbac_ta_list_add_ttl(ta_number, 04952 default_scd_handle, 04953 ttl, &desc, &rights); 04954 04955 if (!rsbac_ta_list_lol_exist 04956 (ta_number, scd_handle, &tid.scd)) { 04957 rsbac_acl_rights_vector_t mask = 04958 RSBAC_ACL_DEFAULT_SCD_MASK; 04959 04960 err = rsbac_ta_list_lol_add_ttl(ta_number, 04961 scd_handle, 04962 0, 04963 &tid.scd, &mask); 04964 if (err) 04965 return err; 04966 } 04967 return rsbac_ta_list_lol_subadd_ttl(ta_number, scd_handle, 04968 ttl, &tid.scd, &desc, 04969 &rights); 04970 04971 case T_USER: 04972 /* default entry? */ 04973 if (tid.user == RSBAC_NO_USER) 04974 return rsbac_ta_list_add_ttl(ta_number, 04975 default_u_handle, ttl, 04976 &desc, &rights); 04977 if (!rsbac_ta_list_lol_exist 04978 (ta_number, u_handle, &tid.user)) { 04979 rsbac_acl_rights_vector_t mask = 04980 RSBAC_ACL_DEFAULT_U_MASK; 04981 04982 err = rsbac_ta_list_lol_add_ttl(ta_number, 04983 u_handle, 04984 0, 04985 &tid.user, &mask); 04986 if (err) 04987 return err; 04988 } 04989 return rsbac_ta_list_lol_subadd_ttl(ta_number, u_handle, 04990 ttl, &tid.user, &desc, 04991 &rights); 04992 04993 04994 case T_PROCESS: 04995 /* default entry? */ 04996 if (!tid.process) 04997 return rsbac_ta_list_add_ttl(ta_number, 04998 default_p_handle, ttl, 04999 &desc, &rights); 05000 else 05001 return -RSBAC_EINVALIDTARGET; 05002 05003 #ifdef CONFIG_RSBAC_ACL_UM_PROT 05004 case T_GROUP: 05005 /* default entry? */ 05006 if (tid.group == RSBAC_NO_GROUP) 05007 return rsbac_ta_list_add_ttl(ta_number, 05008 default_g_handle, ttl, 05009 &desc, &rights); 05010 if (!rsbac_ta_list_lol_exist 05011 (ta_number, g_handle, &tid.group)) { 05012 rsbac_acl_rights_vector_t mask = 05013 RSBAC_ACL_DEFAULT_G_MASK; 05014 05015 err = rsbac_ta_list_lol_add_ttl(ta_number, 05016 g_handle, 05017 0, 05018 &tid.group, &mask); 05019 if (err) 05020 return err; 05021 } 05022 return rsbac_ta_list_lol_subadd_ttl(ta_number, g_handle, 05023 ttl, &tid.group, &desc, 05024 &rights); 05025 #endif 05026 05027 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 05028 case T_NETDEV: 05029 rsbac_pr_debug(ds_acl, "Setting network device ACL for netdev %s\n", 05030 tid.netdev); 05031 /* default entry? */ 05032 if (!tid.netdev[0]) 05033 return rsbac_ta_list_add_ttl(ta_number, 05034 default_netdev_handle, 05035 ttl, &desc, &rights); 05036 05037 if (!rsbac_ta_list_lol_exist 05038 (ta_number, netdev_handle, &tid.netdev)) { 05039 rsbac_acl_rights_vector_t mask = 05040 RSBAC_ACL_DEFAULT_NETDEV_MASK; 05041 05042 err = rsbac_ta_list_lol_add_ttl(ta_number, 05043 netdev_handle, 05044 0, 05045 &tid.netdev, 05046 &mask); 05047 if (err) 05048 return err; 05049 } 05050 return rsbac_ta_list_lol_subadd_ttl(ta_number, 05051 netdev_handle, ttl, 05052 &tid.netdev, &desc, 05053 &rights); 05054 #endif 05055 05056 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 05057 case T_NETTEMP_NT: 05058 rsbac_pr_debug(ds_acl, "Setting network template NT ACL for " 05059 "nettemp_nt %u\n", tid.nettemp); 05060 /* default entry? */ 05061 if (!tid.nettemp) 05062 return rsbac_ta_list_add_ttl(ta_number, 05063 default_nettemp_nt_handle, 05064 ttl, &desc, &rights); 05065 05066 if (!rsbac_ta_list_lol_exist 05067 (ta_number, nettemp_nt_handle, &tid.nettemp)) { 05068 rsbac_acl_rights_vector_t mask = 05069 RSBAC_ACL_DEFAULT_NETTEMP_MASK; 05070 05071 err = rsbac_ta_list_lol_add_ttl(ta_number, 05072 nettemp_nt_handle, 05073 0, 05074 &tid.nettemp, 05075 &mask); 05076 if (err) 05077 return err; 05078 } 05079 return rsbac_ta_list_lol_subadd_ttl(ta_number, 05080 nettemp_nt_handle, ttl, 05081 &tid.nettemp, &desc, 05082 &rights); 05083 05084 case T_NETTEMP: 05085 rsbac_pr_debug(ds_acl, "Setting network template ACL for nettemp %u\n", 05086 tid.nettemp); 05087 /* default entry? */ 05088 if (!tid.nettemp) 05089 return -RSBAC_EINVALIDTARGET; 05090 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp)) 05091 return -RSBAC_EINVALIDTARGET; 05092 05093 if (!rsbac_ta_list_lol_exist 05094 (ta_number, nettemp_handle, &tid.nettemp)) { 05095 rsbac_acl_rights_vector_t mask = 05096 RSBAC_ACL_DEFAULT_NETOBJ_MASK; 05097 05098 err = rsbac_ta_list_lol_add_ttl(ta_number, 05099 nettemp_handle, 05100 0, 05101 &tid.nettemp, 05102 &mask); 05103 if (err) 05104 return err; 05105 } 05106 return rsbac_ta_list_lol_subadd_ttl(ta_number, 05107 nettemp_handle, ttl, 05108 &tid.nettemp, &desc, 05109 &rights); 05110 05111 case T_NETOBJ: 05112 rsbac_pr_debug(ds_acl, "Setting network object ACL for netobj %p\n", 05113 tid.netobj.sock_p); 05114 /* default entry? */ 05115 if (!tid.netobj.sock_p) 05116 return rsbac_ta_list_add_ttl(ta_number, 05117 default_netobj_handle, 05118 ttl, &desc, &rights); 05119 05120 if (!rsbac_ta_list_lol_exist 05121 (ta_number, netobj_handle, &tid.netobj.sock_p)) { 05122 rsbac_acl_rights_vector_t mask = 05123 RSBAC_ACL_DEFAULT_NETOBJ_MASK; 05124 05125 err = rsbac_ta_list_lol_add_ttl(ta_number, 05126 netobj_handle, 05127 0, 05128 &tid.netobj.sock_p, 05129 &mask); 05130 if (err) 05131 return err; 05132 } 05133 return rsbac_ta_list_lol_subadd_ttl(ta_number, 05134 netobj_handle, ttl, 05135 &tid.netobj.sock_p, 05136 &desc, &rights); 05137 #endif /* NET_OBJ_PROT */ 05138 05139 05140 default: 05141 err = -RSBAC_EINVALIDTARGET; 05142 } 05143 return (err); 05144 }
int rsbac_acl_set_mask | ( | rsbac_list_ta_number_t | ta_number, | |
enum rsbac_target_t | target, | |||
union rsbac_target_id_t | tid, | |||
rsbac_acl_rights_vector_t | mask | |||
) |
Definition at line 6643 of file acl_data_structures.c.
References acl_lookup_device(), AST_none, D_block, D_block_major, D_char, D_char_major, D_none, rsbac_target_id_t::dev, device_list_lock, get_acl_scd_type_name(), rsbac_target_id_t::group, rsbac_acl_device_list_item_t::handle, rsbac_dev_desc_t::major, rsbac_dev_desc_t::minor, rsbac_target_id_t::netdev, rsbac_target_id_t::netobj, rsbac_target_id_t::nettemp, RSBAC_EINVALIDDEV, RSBAC_EINVALIDTARGET, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), RSBAC_IS_ZERO_DEV_DESC, RSBAC_NO_GROUP, RSBAC_NO_USER, rsbac_pr_debug, rsbac_printk(), rsbac_ta_list_lol_add_ttl(), rsbac_ta_net_template_exist(), rsbac_target_id_t::scd, rsbac_net_obj_desc_t::sock_p, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NETTEMP_NT, T_NONE, T_SCD, T_SYMLINK, T_UNIXSOCK, T_USER, rsbac_dev_desc_t::type, and rsbac_target_id_t::user.
Referenced by rsbac_acl_sys_set_mask().
06647 { 06648 int err = 0; 06649 char tmp[80]; 06650 struct rsbac_acl_device_list_item_t *device_p; 06651 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 06652 u_long dflags; 06653 #endif 06654 06655 if (!rsbac_is_initialized()) { 06656 rsbac_printk(KERN_WARNING "rsbac_acl_set_mask(): RSBAC not initialized\n"); 06657 return (-RSBAC_ENOTINITIALIZED); 06658 } 06659 if (target >= T_NONE) 06660 return (-RSBAC_EINVALIDTARGET); 06661 #ifdef CONFIG_RSBAC_DEBUG 06662 if (in_interrupt()) { 06663 rsbac_printk(KERN_WARNING "rsbac_acl_set_mask(): called from interrupt!\n"); 06664 } 06665 #endif 06666 switch (target) { 06667 case T_FILE: 06668 case T_DIR: 06669 case T_FIFO: 06670 case T_SYMLINK: 06671 case T_UNIXSOCK: 06672 /* default entry? */ 06673 if (RSBAC_IS_ZERO_DEV_DESC(tid.dev)) { 06674 return -RSBAC_EINVALIDTARGET; 06675 } 06676 rsbac_pr_debug(ds_acl, "Setting file/dir/fifo/symlink inheritance mask for device %02u:%02u, inode %u\n", 06677 RSBAC_MAJOR(tid.file.device), 06678 RSBAC_MINOR(tid.file.device), tid.file.inode); 06679 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 06680 rcu_read_lock(); 06681 #else 06682 rsbac_read_lock(&device_list_lock, &dflags); 06683 #endif 06684 device_p = acl_lookup_device(tid.file.device); 06685 if (!device_p) { 06686 /* trigger rsbac_mount() */ 06687 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 06688 rcu_read_unlock(); 06689 #else 06690 rsbac_read_unlock(&device_list_lock, &dflags); 06691 #endif 06692 rsbac_get_super_block(tid.file.device); 06693 /* retry */ 06694 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 06695 rcu_read_lock(); 06696 #else 06697 rsbac_read_lock(&device_list_lock, &dflags); 06698 #endif 06699 device_p = acl_lookup_device(tid.file.device); 06700 if (!device_p) { 06701 rsbac_printk(KERN_WARNING "rsbac_acl_set_mask(): Could not lookup device!\n"); 06702 /* free read lock */ 06703 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 06704 rcu_read_unlock(); 06705 #else 06706 rsbac_read_unlock(&device_list_lock, &dflags); 06707 #endif 06708 return (-RSBAC_EINVALIDDEV); 06709 } 06710 } 06711 err = rsbac_ta_list_lol_add_ttl(ta_number, 06712 device_p->handle, 06713 0, &tid.file.inode, &mask); 06714 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 06715 rcu_read_unlock(); 06716 #else 06717 rsbac_read_unlock(&device_list_lock, &dflags); 06718 #endif 06719 return err; 06720 06721 case T_DEV: 06722 /* default entry? */ 06723 if (tid.dev.type == D_none) { 06724 return -RSBAC_EINVALIDTARGET; 06725 } 06726 rsbac_pr_debug(ds_acl, "Setting device inheritance mask for dev %c %02u:%02u\n", 06727 'B' + tid.dev.type, 06728 tid.dev.major, tid.dev.minor); 06729 switch (tid.dev.type) { 06730 case D_char: 06731 case D_block: 06732 return rsbac_ta_list_lol_add_ttl(ta_number, 06733 dev_handle, 0, 06734 &tid.dev, &mask); 06735 06736 case D_char_major: 06737 case D_block_major: 06738 tid.dev.type -= (D_block_major - D_block); 06739 return rsbac_ta_list_lol_add_ttl(ta_number, 06740 dev_major_handle, 06741 0, &tid.dev, 06742 &mask); 06743 06744 default: 06745 return -RSBAC_EINVALIDTARGET; 06746 } 06747 06748 case T_SCD: 06749 /* default entry? */ 06750 if (tid.scd == AST_none) { 06751 return -RSBAC_EINVALIDTARGET; 06752 } 06753 rsbac_pr_debug(ds_acl, "Setting SCD inheritance mask for %s\n", 06754 get_acl_scd_type_name(tmp, tid.scd)); 06755 return rsbac_ta_list_lol_add_ttl(ta_number, scd_handle, 0, 06756 &tid.scd, &mask); 06757 06758 case T_USER: 06759 /* default entry? */ 06760 if (tid.user == RSBAC_NO_USER) { 06761 return -RSBAC_EINVALIDTARGET; 06762 } 06763 rsbac_pr_debug(ds_acl, "Setting user inheritance mask for user %u\n", 06764 tid.user); 06765 return rsbac_ta_list_lol_add_ttl(ta_number, u_handle, 0, 06766 &tid.user, &mask); 06767 06768 #ifdef CONFIG_RSBAC_ACL_UM_PROT 06769 case T_GROUP: 06770 /* default entry? */ 06771 if (tid.group == RSBAC_NO_GROUP) { 06772 return -RSBAC_EINVALIDTARGET; 06773 } 06774 rsbac_pr_debug(ds_acl, "Setting Linux group inheritance mask for group %u\n", 06775 tid.group); 06776 return rsbac_ta_list_lol_add_ttl(ta_number, g_handle, 0, 06777 &tid.group, &mask); 06778 #endif 06779 06780 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 06781 case T_NETDEV: 06782 /* default entry? */ 06783 if (!tid.netdev[0]) { 06784 return -RSBAC_EINVALIDTARGET; 06785 } 06786 rsbac_pr_debug(ds_acl, "Setting network device inheritance mask for netdev %s\n", 06787 tid.netdev); 06788 return rsbac_ta_list_lol_add_ttl(ta_number, netdev_handle, 06789 0, &tid.netdev, &mask); 06790 #endif 06791 06792 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 06793 case T_NETTEMP_NT: 06794 /* default entry? */ 06795 if (!tid.nettemp) { 06796 return -RSBAC_EINVALIDTARGET; 06797 } 06798 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp)) 06799 return -RSBAC_EINVALIDTARGET; 06800 rsbac_pr_debug(ds_acl, "Setting network template NT inheritance mask for nettemp %u\n", 06801 tid.nettemp); 06802 return rsbac_ta_list_lol_add_ttl(ta_number, 06803 nettemp_nt_handle, 0, 06804 &tid.nettemp, &mask); 06805 06806 case T_NETTEMP: 06807 /* default entry? */ 06808 if (!tid.nettemp) { 06809 return -RSBAC_EINVALIDTARGET; 06810 } 06811 if (!rsbac_ta_net_template_exist(ta_number, tid.nettemp)) 06812 return -RSBAC_EINVALIDTARGET; 06813 rsbac_pr_debug(ds_acl, "Setting network template inheritance mask for nettemp %u\n", 06814 tid.nettemp); 06815 return rsbac_ta_list_lol_add_ttl(ta_number, nettemp_handle, 06816 0, &tid.nettemp, &mask); 06817 06818 case T_NETOBJ: 06819 /* default entry? */ 06820 if (!tid.netobj.sock_p) { 06821 return -RSBAC_EINVALIDTARGET; 06822 } 06823 rsbac_pr_debug(ds_acl, "Setting network object inheritance mask for netobj %p\n", 06824 tid.netobj.sock_p); 06825 return rsbac_ta_list_lol_add_ttl(ta_number, netobj_handle, 06826 0, &tid.netobj.sock_p, 06827 &mask); 06828 #endif /* NET_OBJ_PROT */ 06829 06830 default: 06831 err = -RSBAC_EINVALIDTARGET; 06832 } 06833 return (err); 06834 }
int rsbac_check_acl | ( | int | correct | ) |
Definition at line 3866 of file acl_data_structures.c.
References ACLS_GROUP, ACLS_ROLE, device_list_head_p, device_list_lock, gm_handle, group_handle, rsbac_acl_device_list_item_t::handle, rsbac_acl_device_list_item_t::id, rsbac_acl_device_list_item_t::next, RC_role_max_value, RSBAC_ENOTINITIALIZED, rsbac_is_initialized(), rsbac_list_count(), rsbac_list_exist(), rsbac_list_lol_count(), rsbac_list_lol_get_all_desc(), rsbac_list_lol_get_all_subdesc(), rsbac_list_lol_remove(), rsbac_list_lol_subremove(), rsbac_pr_debug, rsbac_printk(), and rsbac_vfree.
Referenced by rsbac_do_init(), and sys_rsbac_check().
03867 { 03868 struct rsbac_acl_device_list_item_t *device_p; 03869 u_long f_count = 0, f_sum = 0, tmp_count, 03870 r_count, u_count, b_count, no_member_count; 03871 long desc_count; 03872 long sub_desc_count; 03873 rsbac_inode_nr_t *fd_desc_p; 03874 struct rsbac_dev_desc_t *dev_desc_p; 03875 __u8 *scd_desc_p; 03876 rsbac_uid_t *u_desc_p; 03877 #ifdef CONFIG_RSBAC_ACL_UM_PROT 03878 rsbac_gid_t *g_desc_p; 03879 #endif 03880 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 03881 rsbac_netdev_id_t *netdev_desc_p; 03882 #endif 03883 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 03884 rsbac_net_temp_id_t *nettemp_desc_p; 03885 rsbac_net_obj_id_t *netobj_desc_p; 03886 #endif 03887 struct rsbac_acl_entry_desc_t *sub_desc_p; 03888 rsbac_uid_t *user_p; 03889 rsbac_acl_group_id_t *group_p; 03890 u_int i, j; 03891 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 03892 u_long dflags; 03893 #endif 03894 03895 if (!rsbac_is_initialized()) { 03896 rsbac_printk(KERN_WARNING "rsbac_check_acl(): RSBAC not initialized\n"); 03897 return (-RSBAC_ENOTINITIALIZED); 03898 } 03899 03900 /* group membership list */ 03901 tmp_count = 0; 03902 desc_count = 03903 rsbac_list_lol_get_all_desc(gm_handle, (void **) &user_p); 03904 if (desc_count > 0) { 03905 for (i = 0; i < desc_count; i++) { 03906 sub_desc_count = 03907 rsbac_list_lol_get_all_subdesc(gm_handle, 03908 &user_p[i], 03909 (void **) 03910 &group_p); 03911 if (sub_desc_count > 0) { 03912 for (j = 0; j < sub_desc_count; j++) { 03913 if (!rsbac_list_exist 03914 (group_handle, &group_p[j])) { 03915 rsbac_printk(KERN_WARNING "rsbac_check_acl(): removing user %u membership in non-existent group %u!\n", 03916 user_p[i], 03917 group_p[j]); 03918 rsbac_list_lol_subremove 03919 (gm_handle, &user_p[i], 03920 &group_p[j]); 03921 } 03922 } 03923 rsbac_vfree(group_p); 03924 } else { 03925 /* remove empty membership list */ 03926 if (!sub_desc_count) 03927 rsbac_list_lol_remove(gm_handle, 03928 &user_p[i]); 03929 } 03930 } 03931 rsbac_vfree(user_p); 03932 } 03933 /* recalculated values! */ 03934 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li group membership items\n", 03935 rsbac_list_lol_count(gm_handle)); 03936 03937 /* group list */ 03938 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li group items\n", 03939 rsbac_list_count(group_handle)); 03940 03941 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03942 rcu_read_lock(); 03943 #else 03944 rsbac_read_lock(&device_list_lock, &dflags); 03945 #endif 03946 /* rsbac_printk(KERN_INFO "rsbac_check_acl(): currently %u processes working on file/dir aci\n", 03947 device_list_head.lock.lock); */ 03948 device_p = rcu_dereference(device_list_head_p)->head; 03949 while (device_p) { /* for all sublists */ 03950 f_count = 0; 03951 r_count = 0; 03952 u_count = 0; 03953 b_count = 0; 03954 no_member_count = 0; 03955 03956 tmp_count = 0; 03957 desc_count = rsbac_list_lol_get_all_desc(device_p->handle, 03958 (void **) 03959 &fd_desc_p); 03960 if (desc_count > 0) { 03961 for (i = 0; i < desc_count; i++) { 03962 /* check for group existence of all ACL entries for groups */ 03963 sub_desc_count = 03964 rsbac_list_lol_get_all_subdesc 03965 (device_p->handle, 03966 &fd_desc_p[i], 03967 (void **) &sub_desc_p); 03968 if (sub_desc_count > 0) { 03969 for (j = 0; 03970 j < sub_desc_count; 03971 j++) { 03972 if ((sub_desc_p[j]. 03973 subj_type == 03974 ACLS_GROUP) 03975 && 03976 sub_desc_p[j]. 03977 subj_id 03978 && 03979 !rsbac_list_exist 03980 (group_handle, 03981 &sub_desc_p 03982 [j]. 03983 subj_id)) { 03984 if (correct) { 03985 /* remove sub item and complain */ 03986 rsbac_pr_debug(ds, "fd_item for inode %u on device %02u:%02u has invalid group %u in ACL -> removing entry!\n", 03987 fd_desc_p[i], 03988 RSBAC_MAJOR(device_p->id), 03989 RSBAC_MINOR(device_p->id), 03990 sub_desc_p[j].subj_id); 03991 rsbac_list_lol_subremove 03992 (device_p->handle, 03993 &fd_desc_p 03994 [i], 03995 &sub_desc_p 03996 [j]); 03997 } else /* complain */ 03998 rsbac_pr_debug(ds, "fd_item for inode %u on device %02u:%02u has invalid group %u in ACL!\n", 03999 fd_desc_p[i], 04000 RSBAC_MAJOR(device_p->id), 04001 RSBAC_MINOR(device_p->id), 04002 sub_desc_p[j].subj_id); 04003 } 04004 #if defined(CONFIG_RSBAC_RC) 04005 else if ((sub_desc_p[j].subj_type == ACLS_ROLE) 04006 && 04007 (sub_desc_p 04008 [j]. 04009 subj_id > 04010 RC_role_max_value) 04011 ) { 04012 if (correct) { 04013 /* remove sub item and complain */ 04014 rsbac_pr_debug(ds, "fd_item for inode %u on device %02u:%02u has invalid RC role %u in ACL -> removing entry!\n", 04015 fd_desc_p[i], 04016 RSBAC_MAJOR(device_p->id), 04017 RSBAC_MINOR(device_p->id), 04018 sub_desc_p[j].subj_id); 04019 rsbac_list_lol_subremove 04020 (device_p->handle, 04021 &fd_desc_p 04022 [i], 04023 &sub_desc_p 04024 [j]); 04025 } else /* complain */ 04026 rsbac_pr_debug(ds, "fd_item for inode %u on device %02u:%02u has invalid role %u in ACL!\n", 04027 fd_desc_p[i], 04028 RSBAC_MAJOR(device_p->id), 04029 RSBAC_MINOR(device_p->id), 04030 sub_desc_p[j].subj_id); 04031 } 04032 #endif 04033 } 04034 rsbac_vfree(sub_desc_p); 04035 } 04036 } 04037 tmp_count++; 04038 rsbac_vfree(fd_desc_p); 04039 f_count += desc_count; 04040 } 04041 04042 switch (correct) { 04043 case 2: 04044 rsbac_printk(KERN_INFO "rsbac_check_acl(): Device %02u:%02u has %lu file/dir ACLs (%lu removed (%lu bad inodes, %lu dtimed inodes, %lu unlinked inodes, %lu had no members and default mask))\n", 04045 RSBAC_MAJOR(device_p->id), 04046 RSBAC_MINOR(device_p->id), f_count, 04047 b_count + r_count + u_count + 04048 no_member_count, b_count, r_count, 04049 u_count, no_member_count); 04050 break; 04051 case 1: 04052 rsbac_printk(KERN_INFO "rsbac_check_acl(): Device %02u:%02u has %lu file/dir ACLs (%lu removed (%lu bad inodes, %lu dtimed inodes, %lu had no members and default mask), %lu unlinked inodes)\n", 04053 RSBAC_MAJOR(device_p->id), 04054 RSBAC_MINOR(device_p->id), f_count, 04055 b_count + r_count + no_member_count, 04056 b_count, r_count, no_member_count, 04057 u_count); 04058 break; 04059 default: 04060 rsbac_printk(KERN_INFO "rsbac_check_acl(): Device %02u:%02u has %lu file/dir ACLs (%lu with bad inodes, %lu with dtimed inodes, %lu unlinked inodes, %lu without members and with default mask)\n", 04061 RSBAC_MAJOR(device_p->id), 04062 RSBAC_MINOR(device_p->id), f_count, 04063 b_count, r_count, u_count, 04064 no_member_count); 04065 } 04066 f_sum += f_count; 04067 /* go on */ 04068 device_p = device_p->next; 04069 } 04070 rsbac_printk(KERN_INFO "rsbac_check_acl(): Sum of %u Devices with %lu file/dir ACLs\n", 04071 rcu_dereference(device_list_head_p)->count, f_sum); 04072 /* free access to device_list_head */ 04073 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 04074 rcu_read_unlock(); 04075 #else 04076 rsbac_read_unlock(&device_list_lock, &dflags); 04077 #endif 04078 04079 /* dev list */ 04080 tmp_count = 0; 04081 desc_count = 04082 rsbac_list_lol_get_all_desc(dev_handle, (void **) &dev_desc_p); 04083 if (desc_count > 0) { 04084 for (i = 0; i < desc_count; i++) { 04085 /* check for group existence of all ACL entries for groups */ 04086 sub_desc_count = 04087 rsbac_list_lol_get_all_subdesc(dev_handle, 04088 &dev_desc_p[i], 04089 (void **) 04090 &sub_desc_p); 04091 if (sub_desc_count > 0) { 04092 for (j = 0; j < sub_desc_count; j++) { 04093 if ((sub_desc_p[j].subj_type == 04094 ACLS_GROUP) 04095 && sub_desc_p[j].subj_id 04096 && 04097 !rsbac_list_exist(group_handle, 04098 &sub_desc_p 04099 [j]. 04100 subj_id)) { 04101 if (correct) { 04102 /* remove sub item and complain */ 04103 rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid group %u in ACL -> removing entry!\n", 04104 'B' + dev_desc_p[i].type, 04105 dev_desc_p[i].major, 04106 dev_desc_p[i].minor, 04107 sub_desc_p[j].subj_id); 04108 rsbac_list_lol_subremove 04109 (dev_handle, 04110 &dev_desc_p 04111 [i], 04112 &sub_desc_p 04113 [j]); 04114 } else /* complain */ 04115 rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid group %u in ACL!\n", 04116 'B' + dev_desc_p[i].type, 04117 dev_desc_p[i].major, 04118 dev_desc_p[i].minor, 04119 sub_desc_p[j].subj_id); 04120 } 04121 #if defined(CONFIG_RSBAC_RC) 04122 else if ((sub_desc_p[j]. 04123 subj_type == ACLS_ROLE) 04124 && (sub_desc_p[j]. 04125 subj_id > 04126 RC_role_max_value) 04127 ) { 04128 if (correct) { 04129 /* remove sub item and complain */ 04130 rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid role %u in ACL -> removing entry!\n", 04131 'B' + dev_desc_p[i].type, 04132 dev_desc_p[i].major, 04133 dev_desc_p[i].minor, 04134 sub_desc_p[j].subj_id); 04135 rsbac_list_lol_subremove 04136 (dev_handle, 04137 &dev_desc_p 04138 [i], 04139 &sub_desc_p 04140 [j]); 04141 } else /* complain */ 04142 rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid role %u in ACL!\n", 04143 'B' + dev_desc_p[i].type, 04144 dev_desc_p[i].major, 04145 dev_desc_p[i].minor, 04146 sub_desc_p[j].subj_id); 04147 } 04148 #endif 04149 } 04150 rsbac_vfree(sub_desc_p); 04151 } 04152 } 04153 rsbac_vfree(dev_desc_p); 04154 f_sum += desc_count; 04155 } 04156 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li device items\n", 04157 desc_count); 04158 tmp_count = 0; 04159 desc_count = 04160 rsbac_list_lol_get_all_desc(dev_major_handle, 04161 (void **) &dev_desc_p); 04162 if (desc_count > 0) { 04163 for (i = 0; i < desc_count; i++) { 04164 /* check for group existence of all ACL entries for groups */ 04165 sub_desc_count = 04166 rsbac_list_lol_get_all_subdesc 04167 (dev_major_handle, &dev_desc_p[i], 04168 (void **) &sub_desc_p); 04169 if (sub_desc_count > 0) { 04170 for (j = 0; j < sub_desc_count; j++) { 04171 if ((sub_desc_p[j].subj_type == 04172 ACLS_GROUP) 04173 && sub_desc_p[j].subj_id 04174 && 04175 !rsbac_list_exist(group_handle, 04176 &sub_desc_p 04177 [j]. 04178 subj_id)) { 04179 if (correct) { 04180 /* remove sub item and complain */ 04181 rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid group %u in ACL -> removing entry!\n", 04182 'B' + dev_desc_p[i].type, 04183 dev_desc_p[i].major, 04184 dev_desc_p[i].minor, 04185 sub_desc_p[j].subj_id); 04186 rsbac_list_lol_subremove 04187 (dev_major_handle, 04188 &dev_desc_p 04189 [i], 04190 &sub_desc_p 04191 [j]); 04192 } else /* complain */ 04193 rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid group %u in ACL!\n", 04194 'B' + dev_desc_p[i].type, 04195 dev_desc_p[i].major, 04196 dev_desc_p[i].minor, 04197 sub_desc_p[j].subj_id); 04198 } 04199 #if defined(CONFIG_RSBAC_RC) 04200 else if ((sub_desc_p[j]. 04201 subj_type == ACLS_ROLE) 04202 && (sub_desc_p[j]. 04203 subj_id > 04204 RC_role_max_value) 04205 ) { 04206 if (correct) { 04207 /* remove sub item and complain */ 04208 rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid role %u in ACL -> removing entry!\n", 04209 'B' + dev_desc_p[i].type, 04210 dev_desc_p[i].major, 04211 dev_desc_p[i].minor, 04212 sub_desc_p[j].subj_id); 04213 rsbac_list_lol_subremove 04214 (dev_major_handle, 04215 &dev_desc_p 04216 [i], 04217 &sub_desc_p 04218 [j]); 04219 } else /* complain */ 04220 rsbac_pr_debug(ds, "dev_item %c%02u:%02u, has invalid role %u in ACL!\n", 04221 'B' + dev_desc_p[i].type, 04222 dev_desc_p[i].major, 04223 dev_desc_p[i].minor, 04224 sub_desc_p[j].subj_id); 04225 } 04226 #endif 04227 } 04228 rsbac_vfree(sub_desc_p); 04229 } 04230 } 04231 rsbac_vfree(dev_desc_p); 04232 f_sum += desc_count; 04233 } 04234 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li device items\n", 04235 desc_count); 04236 04237 /* SCD list */ 04238 tmp_count = 0; 04239 desc_count = 04240 rsbac_list_lol_get_all_desc(scd_handle, (void **) &scd_desc_p); 04241 if (desc_count > 0) { 04242 for (i = 0; i < desc_count; i++) { 04243 /* check for group existence of all ACL entries for groups */ 04244 sub_desc_count = 04245 rsbac_list_lol_get_all_subdesc(scd_handle, 04246 &scd_desc_p[i], 04247 (void **) 04248 &sub_desc_p); 04249 if (sub_desc_count > 0) { 04250 for (j = 0; j < sub_desc_count; j++) { 04251 if ((sub_desc_p[j].subj_type == 04252 ACLS_GROUP) 04253 && sub_desc_p[j].subj_id 04254 && 04255 !rsbac_list_exist(group_handle, 04256 &sub_desc_p 04257 [j]. 04258 subj_id)) { 04259 if (correct) { 04260 /* remove sub item and complain */ 04261 rsbac_pr_debug(ds, "scd_item %u has invalid group %u in ACL -> removing entry!\n", 04262 scd_desc_p[i], 04263 sub_desc_p[j].subj_id); 04264 rsbac_list_lol_subremove 04265 (scd_handle, 04266 &scd_desc_p 04267 [i], 04268 &sub_desc_p 04269 [j]); 04270 } else /* complain */ 04271 rsbac_pr_debug(ds, "scd_item %u has invalid group %u in ACL!\n", 04272 scd_desc_p[i], 04273 sub_desc_p[j].subj_id); 04274 } 04275 #if defined(CONFIG_RSBAC_RC) 04276 else if ((sub_desc_p[j]. 04277 subj_type == ACLS_ROLE) 04278 && (sub_desc_p[j]. 04279 subj_id > 04280 RC_role_max_value) 04281 ) { 04282 if (correct) { 04283 /* remove sub item and complain */ 04284 rsbac_pr_debug(ds, "scd_item %u has invalid role %u in ACL -> removing entry!\n", 04285 scd_desc_p[i], 04286 sub_desc_p[j].subj_id); 04287 rsbac_list_lol_subremove 04288 (scd_handle, 04289 &scd_desc_p 04290 [i], 04291 &sub_desc_p 04292 [j]); 04293 } else /* complain */ 04294 rsbac_pr_debug(ds, "scd_item %u has invalid role %u in ACL!\n", 04295 scd_desc_p[i], 04296 sub_desc_p[j].subj_id); 04297 } 04298 #endif 04299 } 04300 rsbac_vfree(sub_desc_p); 04301 } 04302 } 04303 rsbac_vfree(scd_desc_p); 04304 f_sum += desc_count; 04305 } 04306 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li SCD items\n", 04307 desc_count); 04308 04309 /* User list */ 04310 tmp_count = 0; 04311 desc_count = 04312 rsbac_list_lol_get_all_desc(u_handle, (void **) &u_desc_p); 04313 if (desc_count > 0) { 04314 for (i = 0; i < desc_count; i++) { 04315 /* check for group existence of all ACL entries for groups */ 04316 sub_desc_count = 04317 rsbac_list_lol_get_all_subdesc(u_handle, 04318 &u_desc_p[i], 04319 (void **) 04320 &sub_desc_p); 04321 if (sub_desc_count > 0) { 04322 for (j = 0; j < sub_desc_count; j++) { 04323 if ((sub_desc_p[j].subj_type == 04324 ACLS_GROUP) 04325 && sub_desc_p[j].subj_id 04326 && 04327 !rsbac_list_exist(group_handle, 04328 &sub_desc_p 04329 [j]. 04330 subj_id)) { 04331 if (correct) { 04332 /* remove sub item and complain */ 04333 rsbac_pr_debug(ds, "u_item %u has invalid group %u in ACL -> removing entry!\n", 04334 u_desc_p[i], 04335 sub_desc_p[j].subj_id); 04336 rsbac_list_lol_subremove 04337 (u_handle, 04338 &u_desc_p[i], 04339 &sub_desc_p 04340 [j]); 04341 } else /* complain */ 04342 rsbac_pr_debug(ds, "u_item %u has invalid group %u in ACL!\n", 04343 u_desc_p[i], 04344 sub_desc_p[j].subj_id); 04345 } 04346 #if defined(CONFIG_RSBAC_RC) 04347 else if ((sub_desc_p[j]. 04348 subj_type == ACLS_ROLE) 04349 && (sub_desc_p[j]. 04350 subj_id > 04351 RC_role_max_value) 04352 ) { 04353 if (correct) { 04354 /* remove sub item and complain */ 04355 rsbac_pr_debug(ds, "u_item %u has invalid role %u in ACL -> removing entry!\n", 04356 u_desc_p[i], 04357 sub_desc_p[j].subj_id); 04358 rsbac_list_lol_subremove 04359 (u_handle, 04360 &u_desc_p[i], 04361 &sub_desc_p 04362 [j]); 04363 } else /* complain */ 04364 rsbac_pr_debug(ds, "u_item %u has invalid role %u in ACL!\n", 04365 u_desc_p[i], 04366 sub_desc_p[j].subj_id); 04367 } 04368 #endif 04369 } 04370 rsbac_vfree(sub_desc_p); 04371 } 04372 } 04373 rsbac_vfree(u_desc_p); 04374 f_sum += desc_count; 04375 } 04376 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li user items\n", 04377 desc_count); 04378 04379 #ifdef CONFIG_RSBAC_ACL_UM_PROT 04380 /* User list */ 04381 tmp_count = 0; 04382 desc_count = 04383 rsbac_list_lol_get_all_desc(g_handle, (void **) &g_desc_p); 04384 if (desc_count > 0) { 04385 for (i = 0; i < desc_count; i++) { 04386 /* check for group existence of all ACL entries for groups */ 04387 sub_desc_count = 04388 rsbac_list_lol_get_all_subdesc(g_handle, 04389 &g_desc_p[i], 04390 (void **) 04391 &sub_desc_p); 04392 if (sub_desc_count > 0) { 04393 for (j = 0; j < sub_desc_count; j++) { 04394 if ((sub_desc_p[j].subj_type == 04395 ACLS_GROUP) 04396 && sub_desc_p[j].subj_id 04397 && 04398 !rsbac_list_exist(group_handle, 04399 &sub_desc_p 04400 [j]. 04401 subj_id)) { 04402 if (correct) { 04403 /* remove sub item and complain */ 04404 rsbac_pr_debug(ds, "g_item %u has invalid group %u in ACL -> removing entry!\n", 04405 g_desc_p[i], 04406 sub_desc_p[j].subj_id); 04407 rsbac_list_lol_subremove 04408 (g_handle, 04409 &g_desc_p[i], 04410 &sub_desc_p 04411 [j]); 04412 } else /* complain */ 04413 rsbac_pr_debug(ds, "g_item %u has invalid group %u in ACL!\n", 04414 g_desc_p[i], 04415 sub_desc_p[j].subj_id); 04416 } 04417 #if defined(CONFIG_RSBAC_RC) 04418 else if ((sub_desc_p[j]. 04419 subj_type == ACLS_ROLE) 04420 && (sub_desc_p[j]. 04421 subj_id > 04422 RC_role_max_value) 04423 ) { 04424 if (correct) { 04425 /* remove sub item and complain */ 04426 rsbac_pr_debug(ds, "g_item %u has invalid role %u in ACL -> removing entry!\n", 04427 g_desc_p[i], 04428 sub_desc_p[j].subj_id); 04429 rsbac_list_lol_subremove 04430 (g_handle, 04431 &g_desc_p[i], 04432 &sub_desc_p 04433 [j]); 04434 } else /* complain */ 04435 rsbac_pr_debug(ds, "g_item %u has invalid role %u in ACL!\n", 04436 g_desc_p[i], 04437 sub_desc_p[j].subj_id); 04438 } 04439 #endif 04440 } 04441 rsbac_vfree(sub_desc_p); 04442 } 04443 } 04444 rsbac_vfree(g_desc_p); 04445 f_sum += desc_count; 04446 } 04447 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li Linux group items\n", 04448 desc_count); 04449 #endif 04450 04451 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 04452 /* netdev list */ 04453 tmp_count = 0; 04454 desc_count = 04455 rsbac_list_lol_get_all_desc(netdev_handle, 04456 (void **) &netdev_desc_p); 04457 if (desc_count > 0) { 04458 for (i = 0; i < desc_count; i++) { 04459 /* check for group existence of all ACL entries for groups */ 04460 sub_desc_count = 04461 rsbac_list_lol_get_all_subdesc(netdev_handle, 04462 &netdev_desc_p 04463 [i], 04464 (void **) 04465 &sub_desc_p); 04466 if (sub_desc_count > 0) { 04467 for (j = 0; j < sub_desc_count; j++) { 04468 if ((sub_desc_p[j].subj_type == 04469 ACLS_GROUP) 04470 && sub_desc_p[j].subj_id 04471 && 04472 !rsbac_list_exist(group_handle, 04473 &sub_desc_p 04474 [j]. 04475 subj_id)) { 04476 if (correct) { 04477 /* remove sub item and complain */ 04478 rsbac_pr_debug(ds, "netdev_item %s has invalid group %u in ACL -> removing entry!\n", 04479 netdev_desc_p[i], 04480 sub_desc_p[j].subj_id); 04481 rsbac_list_lol_subremove 04482 (netdev_handle, 04483 &netdev_desc_p 04484 [i], 04485 &sub_desc_p 04486 [j]); 04487 } else /* complain */ 04488 rsbac_pr_debug(ds, "netdev_item %s has invalid group %u in ACL!\n", 04489 netdev_desc_p[i], 04490 sub_desc_p[j].subj_id); 04491 } 04492 #if defined(CONFIG_RSBAC_RC) 04493 else if ((sub_desc_p[j]. 04494 subj_type == ACLS_ROLE) 04495 && (sub_desc_p[j]. 04496 subj_id > 04497 RC_role_max_value) 04498 ) { 04499 if (correct) { 04500 /* remove sub item and complain */ 04501 rsbac_pr_debug(ds, "netdev_item %s has invalid role %u in ACL -> removing entry!\n", 04502 netdev_desc_p[i], 04503 sub_desc_p[j].subj_id); 04504 rsbac_list_lol_subremove 04505 (netdev_handle, 04506 &netdev_desc_p 04507 [i], 04508 &sub_desc_p 04509 [j]); 04510 } else /* complain */ 04511 rsbac_pr_debug(ds, "netdev_item %s has invalid role %u in ACL!\n", 04512 netdev_desc_p[i], 04513 sub_desc_p[j].subj_id); 04514 } 04515 #endif 04516 } 04517 rsbac_vfree(sub_desc_p); 04518 } 04519 } 04520 rsbac_vfree(netdev_desc_p); 04521 f_sum += desc_count; 04522 } 04523 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li network device items\n", 04524 desc_count); 04525 #endif /* NET_DEV_PROT */ 04526 04527 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 04528 /* nettemp_nt list */ 04529 tmp_count = 0; 04530 desc_count = 04531 rsbac_list_lol_get_all_desc(nettemp_nt_handle, 04532 (void **) &nettemp_desc_p); 04533 if (desc_count > 0) { 04534 for (i = 0; i < desc_count; i++) { 04535 /* check for group existence of all ACL entries for groups */ 04536 sub_desc_count = 04537 rsbac_list_lol_get_all_subdesc 04538 (nettemp_nt_handle, &nettemp_desc_p[i], 04539 (void **) &sub_desc_p); 04540 if (sub_desc_count > 0) { 04541 for (j = 0; j < sub_desc_count; j++) { 04542 if ((sub_desc_p[j].subj_type == 04543 ACLS_GROUP) 04544 && sub_desc_p[j].subj_id 04545 && 04546 !rsbac_list_exist(group_handle, 04547 &sub_desc_p 04548 [j]. 04549 subj_id)) { 04550 if (correct) { 04551 /* remove sub item and complain */ 04552 rsbac_pr_debug(ds, "nettemp_nt_item %u has invalid group %u in ACL -> removing entry!\n", 04553 nettemp_desc_p[i], 04554 sub_desc_p[j].subj_id); 04555 rsbac_list_lol_subremove 04556 (nettemp_nt_handle, 04557 &nettemp_desc_p 04558 [i], 04559 &sub_desc_p 04560 [j]); 04561 } else /* complain */ 04562 rsbac_pr_debug(ds, "nettemp_nt_item %u has invalid group %u in ACL!\n", 04563 nettemp_desc_p[i], 04564 sub_desc_p[j].subj_id); 04565 } 04566 #if defined(CONFIG_RSBAC_RC) 04567 else if ((sub_desc_p[j]. 04568 subj_type == ACLS_ROLE) 04569 && (sub_desc_p[j]. 04570 subj_id > 04571 RC_role_max_value) 04572 ) { 04573 if (correct) { 04574 /* remove sub item and complain */ 04575 rsbac_pr_debug(ds, "nettemp_nt_item %u has invalid role %u in ACL -> removing entry!\n", 04576 nettemp_desc_p[i], 04577 sub_desc_p[j].subj_id); 04578 rsbac_list_lol_subremove 04579 (nettemp_nt_handle, 04580 &nettemp_desc_p 04581 [i], 04582 &sub_desc_p 04583 [j]); 04584 } else /* complain */ 04585 rsbac_pr_debug(ds, "nettemp_nt_item %u has invalid role %u in ACL!\n", 04586 nettemp_desc_p[i], 04587 sub_desc_p[j].subj_id); 04588 } 04589 #endif 04590 } 04591 rsbac_vfree(sub_desc_p); 04592 } 04593 } 04594 rsbac_vfree(nettemp_desc_p); 04595 f_sum += desc_count; 04596 } 04597 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li network template NT items\n", 04598 desc_count); 04599 04600 /* nettemp list */ 04601 tmp_count = 0; 04602 desc_count = 04603 rsbac_list_lol_get_all_desc(nettemp_handle, 04604 (void **) &nettemp_desc_p); 04605 if (desc_count > 0) { 04606 for (i = 0; i < desc_count; i++) { 04607 /* check for group existence of all ACL entries for groups */ 04608 sub_desc_count = 04609 rsbac_list_lol_get_all_subdesc(nettemp_handle, 04610 &nettemp_desc_p 04611 [i], 04612 (void **) 04613 &sub_desc_p); 04614 if (sub_desc_count > 0) { 04615 for (j = 0; j < sub_desc_count; j++) { 04616 if ((sub_desc_p[j].subj_type == 04617 ACLS_GROUP) 04618 && sub_desc_p[j].subj_id 04619 && 04620 !rsbac_list_exist(group_handle, 04621 &sub_desc_p 04622 [j]. 04623 subj_id)) { 04624 if (correct) { 04625 /* remove sub item and complain */ 04626 rsbac_pr_debug(ds, "nettemp_item %u has invalid group %u in ACL -> removing entry!\n", 04627 nettemp_desc_p[i], 04628 sub_desc_p[j].subj_id); 04629 rsbac_list_lol_subremove 04630 (nettemp_handle, 04631 &nettemp_desc_p 04632 [i], 04633 &sub_desc_p 04634 [j]); 04635 } else /* complain */ 04636 rsbac_pr_debug(ds, "nettemp_item %u has invalid group %u in ACL!\n", 04637 nettemp_desc_p[i], 04638 sub_desc_p[j].subj_id); 04639 } 04640 #if defined(CONFIG_RSBAC_RC) 04641 else if ((sub_desc_p[j]. 04642 subj_type == ACLS_ROLE) 04643 && (sub_desc_p[j]. 04644 subj_id > 04645 RC_role_max_value) 04646 ) { 04647 if (correct) { 04648 /* remove sub item and complain */ 04649 rsbac_pr_debug(ds, "nettemp_item %u has invalid role %u in ACL -> removing entry!\n", 04650 nettemp_desc_p[i], 04651 sub_desc_p[j].subj_id); 04652 rsbac_list_lol_subremove 04653 (nettemp_handle, 04654 &nettemp_desc_p 04655 [i], 04656 &sub_desc_p 04657 [j]); 04658 } else /* complain */ 04659 rsbac_pr_debug(ds, "nettemp_item %u has invalid role %u in ACL!\n", 04660 nettemp_desc_p[i], 04661 sub_desc_p[j].subj_id); 04662 } 04663 #endif 04664 } 04665 rsbac_vfree(sub_desc_p); 04666 } 04667 } 04668 rsbac_vfree(nettemp_desc_p); 04669 f_sum += desc_count; 04670 } 04671 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li network template items\n", 04672 desc_count); 04673 04674 /* netobj list */ 04675 tmp_count = 0; 04676 desc_count = 04677 rsbac_list_lol_get_all_desc(netobj_handle, 04678 (void **) &netobj_desc_p); 04679 if (desc_count > 0) { 04680 for (i = 0; i < desc_count; i++) { 04681 /* check for group existence of all ACL entries for groups */ 04682 sub_desc_count = 04683 rsbac_list_lol_get_all_subdesc(netobj_handle, 04684 &netobj_desc_p 04685 [i], 04686 (void **) 04687 &sub_desc_p); 04688 if (sub_desc_count > 0) { 04689 for (j = 0; j < sub_desc_count; j++) { 04690 if ((sub_desc_p[j].subj_type == 04691 ACLS_GROUP) 04692 && sub_desc_p[j].subj_id 04693 && 04694 !rsbac_list_exist(group_handle, 04695 &sub_desc_p 04696 [j]. 04697 subj_id)) { 04698 if (correct) { 04699 /* remove sub item and complain */ 04700 rsbac_pr_debug(ds, "netobj_item %p has invalid group %u in ACL -> removing entry!\n", 04701 netobj_desc_p[i], 04702 sub_desc_p[j].subj_id); 04703 rsbac_list_lol_subremove 04704 (netobj_handle, 04705 &netobj_desc_p 04706 [i], 04707 &sub_desc_p 04708 [j]); 04709 } else /* complain */ 04710 rsbac_pr_debug(ds, "netobj_item %p has invalid group %u in ACL!\n", 04711 netobj_desc_p[i], 04712 sub_desc_p[j].subj_id); 04713 } 04714 #if defined(CONFIG_RSBAC_RC) 04715 else if ((sub_desc_p[j]. 04716 subj_type == ACLS_ROLE) 04717 && (sub_desc_p[j]. 04718 subj_id > 04719 RC_role_max_value) 04720 ) { 04721 if (correct) { 04722 /* remove sub item and complain */ 04723 rsbac_pr_debug(ds, "netobj_item %p has invalid role %u in ACL -> removing entry!\n", 04724 netobj_desc_p[i], 04725 sub_desc_p[j].subj_id); 04726 rsbac_list_lol_subremove 04727 (netobj_handle, 04728 &netobj_desc_p 04729 [i], 04730 &sub_desc_p 04731 [j]); 04732 } else /* complain */ 04733 rsbac_pr_debug(ds, "netobj_item %p has invalid role %u in ACL!\n", 04734 netobj_desc_p[i], 04735 sub_desc_p[j].subj_id); 04736 } 04737 #endif 04738 } 04739 rsbac_vfree(sub_desc_p); 04740 } 04741 } 04742 rsbac_vfree(netobj_desc_p); 04743 f_sum += desc_count; 04744 } 04745 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li network object items\n", 04746 desc_count); 04747 #endif /* NET_OBJ_PROT */ 04748 04749 rsbac_printk(KERN_INFO "rsbac_check_acl(): Total of %lu registered ACLs\n", 04750 f_sum); 04751 04752 return 0; 04753 }
int rsbac_init_acl | ( | void | ) |
Definition at line 3028 of file acl_data_structures.c.
References acl_create_def(), acl_create_def2(), acl_register_fd_lists(), add_device_item(), create_device_item(), rsbac_list_lol_info_t::data_size, rsbac_list_info_t::data_size, def_dev_get_conv(), def_fd_get_conv(), def_g_get_conv(), def_ipc_get_conv(), def_netdev_get_conv(), def_netobj_get_conv(), def_nettemp_nt_get_conv(), def_p_get_conv(), def_scd_get_conv(), def_u_get_conv(), default_dev_handle, default_fd_handle, default_ipc_handle, default_p_handle, default_scd_handle, default_u_handle, rsbac_list_lol_info_t::desc_size, rsbac_list_info_t::desc_size, dev_compare(), dev_get_conv(), dev_get_subconv(), dev_major_compare(), device_list_head_p, device_list_lock, entry_compare(), get_error_name(), gm_handle, group_handle, group_hash(), rsbac_list_lol_info_t::key, rsbac_list_info_t::key, rsbac_list_lol_info_t::max_age, rsbac_list_info_t::max_age, netdev_get_conv(), netdev_get_subconv(), nettemp_get_conv(), nettemp_get_subconv(), nettemp_nt_get_conv(), nettemp_nt_get_subconv(), NULL, proc_rsbac_root_p, registration_error(), RSBAC_ACL_DEF_DEV_FILENAME, RSBAC_ACL_DEF_DEV_LIST_VERSION, RSBAC_ACL_DEF_FD_FILENAME, RSBAC_ACL_DEF_FD_LIST_VERSION, RSBAC_ACL_DEF_G_FILENAME, RSBAC_ACL_DEF_G_LIST_VERSION, RSBAC_ACL_DEF_IPC_FILENAME, RSBAC_ACL_DEF_IPC_LIST_VERSION, RSBAC_ACL_DEF_NETDEV_FILENAME, RSBAC_ACL_DEF_NETDEV_LIST_VERSION, RSBAC_ACL_DEF_NETOBJ_FILENAME, RSBAC_ACL_DEF_NETOBJ_LIST_VERSION, RSBAC_ACL_DEF_NETTEMP_NT_FILENAME, RSBAC_ACL_DEF_NETTEMP_NT_LIST_VERSION, RSBAC_ACL_DEF_P_FILENAME, RSBAC_ACL_DEF_P_LIST_VERSION, RSBAC_ACL_DEF_SCD_FILENAME, RSBAC_ACL_DEF_SCD_LIST_VERSION, RSBAC_ACL_DEF_U_FILENAME, RSBAC_ACL_DEF_U_LIST_VERSION, RSBAC_ACL_DEFAULT_DEV_MASK, RSBAC_ACL_DEFAULT_G_MASK, RSBAC_ACL_DEFAULT_NETDEV_MASK, RSBAC_ACL_DEFAULT_NETOBJ_MASK, RSBAC_ACL_DEFAULT_NETTEMP_MASK, RSBAC_ACL_DEFAULT_SCD_MASK, RSBAC_ACL_DEFAULT_U_MASK, RSBAC_ACL_DEV_FILENAME, RSBAC_ACL_DEV_LIST_VERSION, RSBAC_ACL_DEV_MAJOR_FILENAME, RSBAC_ACL_G_FILENAME, RSBAC_ACL_G_LIST_VERSION, RSBAC_ACL_GM_FILENAME, RSBAC_ACL_GM_VERSION, RSBAC_ACL_GROUP_FILENAME, RSBAC_ACL_GROUP_VERSION, RSBAC_ACL_LIST_KEY, RSBAC_ACL_NETDEV_FILENAME, RSBAC_ACL_NETDEV_LIST_VERSION, RSBAC_ACL_NETOBJ_FILENAME, RSBAC_ACL_NETOBJ_LIST_VERSION, RSBAC_ACL_NETTEMP_FILENAME, RSBAC_ACL_NETTEMP_LIST_VERSION, RSBAC_ACL_NETTEMP_NT_FILENAME, RSBAC_ACL_NETTEMP_NT_LIST_VERSION, RSBAC_ACL_SCD_FILENAME, RSBAC_ACL_SCD_LIST_VERSION, RSBAC_ACL_U_FILENAME, RSBAC_ACL_U_LIST_VERSION, RSBAC_ECOULDNOTADDDEVICE, RSBAC_EREINIT, rsbac_is_initialized(), RSBAC_LIST_AUTO_HASH_RESIZE, RSBAC_LIST_BACKUP, RSBAC_LIST_DEF_DATA, rsbac_list_hash_dev(), rsbac_list_hash_gid(), rsbac_list_hash_netobj(), rsbac_list_hash_nettemp(), rsbac_list_hash_uid(), rsbac_list_lol_register(), rsbac_list_lol_register_hashed(), RSBAC_LIST_PERSIST, rsbac_list_register(), rsbac_list_register_hashed(), RSBAC_LIST_VERSION, rsbac_no_defaults, rsbac_pr_debug, rsbac_printk(), rsbac_root_dev, scd_get_conv(), scd_get_subconv(), rsbac_list_lol_info_t::subdata_size, rsbac_list_lol_info_t::subdesc_size, rsbac_list_lol_info_t::version, and rsbac_list_info_t::version.
Referenced by rsbac_do_init().
03030 { 03031 int err = 0; 03032 struct rsbac_acl_device_list_item_t *device_p = NULL; 03033 char tmp[80]; 03034 struct proc_dir_entry *tmp_entry_p; 03035 struct rsbac_list_lol_info_t lol_info; 03036 struct rsbac_list_info_t list_info; 03037 rsbac_acl_rights_vector_t def_mask; 03038 03039 if (rsbac_is_initialized()) { 03040 rsbac_printk(KERN_WARNING "rsbac_init_acl(): RSBAC already initialized\n"); 03041 return (-RSBAC_EREINIT); 03042 } 03043 03044 /* set rw-spinlocks to unlocked status and init data structures */ 03045 rsbac_printk(KERN_INFO "rsbac_init_acl(): Initializing RSBAC: ACL subsystem\n"); 03046 03047 /* Init device list */ 03048 device_list_head_p = kmalloc(sizeof(*device_list_head_p), GFP_KERNEL); 03049 if (!device_list_head_p) { 03050 rsbac_printk(KERN_WARNING 03051 "rsbac_init_acl(): Failed to allocate device_list_head\n"); 03052 return -ENOMEM; 03053 } 03054 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03055 spin_lock_init(&device_list_lock); 03056 #else 03057 rwlock_init(&device_list_lock); 03058 #endif 03059 device_list_head_p->head = NULL; 03060 device_list_head_p->tail = NULL; 03061 device_list_head_p->curr = NULL; 03062 device_list_head_p->count = 0; 03063 03064 /* register ACL lists */ 03065 rsbac_pr_debug(ds_acl, "Registering lists\n"); 03066 device_p = create_device_item(rsbac_root_dev); 03067 if (!device_p) { 03068 rsbac_printk(KERN_CRIT 03069 "rsbac_init_acl(): Could not create device!\n"); 03070 return (-RSBAC_ECOULDNOTADDDEVICE); 03071 } 03072 if ((err = acl_register_fd_lists(device_p, rsbac_root_dev))) { 03073 rsbac_printk(KERN_WARNING "rsbac_init_acl(): File/Dir ACL registration failed for dev %02u:%02u, err %s!\n", 03074 RSBAC_MAJOR(rsbac_root_dev), 03075 RSBAC_MINOR(rsbac_root_dev), 03076 get_error_name(tmp, err)); 03077 } 03078 device_p = add_device_item(device_p); 03079 if (!device_p) { 03080 rsbac_printk(KERN_CRIT 03081 "rsbac_init_acl(): Could not add device!\n"); 03082 return (-RSBAC_ECOULDNOTADDDEVICE); 03083 } 03084 03085 list_info.version = RSBAC_ACL_DEF_FD_LIST_VERSION; 03086 list_info.key = RSBAC_ACL_LIST_KEY; 03087 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 03088 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 03089 list_info.max_age = 0; 03090 err = rsbac_list_register(RSBAC_LIST_VERSION, 03091 &default_fd_handle, &list_info, 03092 #if defined(CONFIG_RSBAC_ACL_BACKUP) 03093 RSBAC_LIST_BACKUP | 03094 #endif 03095 RSBAC_LIST_PERSIST, 03096 entry_compare, 03097 def_fd_get_conv, 03098 NULL, 03099 RSBAC_ACL_DEF_FD_FILENAME, 03100 RSBAC_AUTO_DEV); 03101 if (err) { 03102 registration_error(err, "default fd"); 03103 } 03104 03105 lol_info.version = RSBAC_ACL_DEV_LIST_VERSION; 03106 lol_info.key = RSBAC_ACL_LIST_KEY; 03107 lol_info.desc_size = sizeof(struct rsbac_dev_desc_t); 03108 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */ 03109 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 03110 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 03111 lol_info.max_age = 0; 03112 def_mask = RSBAC_ACL_DEFAULT_DEV_MASK; 03113 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION, 03114 &dev_handle, &lol_info, 03115 #if defined(CONFIG_RSBAC_ACL_BACKUP) 03116 RSBAC_LIST_BACKUP | 03117 #endif 03118 RSBAC_LIST_PERSIST | 03119 RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE, 03120 dev_compare, 03121 entry_compare, dev_get_conv, 03122 dev_get_subconv, &def_mask, NULL, 03123 RSBAC_ACL_DEV_FILENAME, 03124 RSBAC_AUTO_DEV, 03125 1, 03126 rsbac_list_hash_dev, 03127 NULL); 03128 if (err) { 03129 registration_error(err, "dev"); 03130 } 03131 lol_info.version = RSBAC_ACL_DEV_LIST_VERSION; 03132 lol_info.key = RSBAC_ACL_LIST_KEY; 03133 lol_info.desc_size = sizeof(struct rsbac_dev_desc_t); 03134 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */ 03135 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 03136 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 03137 lol_info.max_age = 0; 03138 def_mask = RSBAC_ACL_DEFAULT_DEV_MASK; 03139 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION, 03140 &dev_major_handle, &lol_info, 03141 #if defined(CONFIG_RSBAC_ACL_BACKUP) 03142 RSBAC_LIST_BACKUP | 03143 #endif 03144 RSBAC_LIST_PERSIST | 03145 RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE, 03146 dev_major_compare, entry_compare, 03147 dev_get_conv, dev_get_subconv, 03148 &def_mask, NULL, 03149 RSBAC_ACL_DEV_MAJOR_FILENAME, 03150 RSBAC_AUTO_DEV, 03151 1, 03152 rsbac_list_hash_dev, 03153 NULL); 03154 if (err) { 03155 registration_error(err, "dev major"); 03156 } 03157 list_info.version = RSBAC_ACL_DEF_DEV_LIST_VERSION; 03158 list_info.key = RSBAC_ACL_LIST_KEY; 03159 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 03160 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 03161 list_info.max_age = 0; 03162 err = rsbac_list_register(RSBAC_LIST_VERSION, 03163 &default_dev_handle, &list_info, 03164 #if defined(CONFIG_RSBAC_ACL_BACKUP) 03165 RSBAC_LIST_BACKUP | 03166 #endif 03167 RSBAC_LIST_PERSIST, 03168 entry_compare, 03169 def_dev_get_conv, 03170 NULL, 03171 RSBAC_ACL_DEF_DEV_FILENAME, 03172 RSBAC_AUTO_DEV); 03173 if (err) { 03174 registration_error(err, "default dev"); 03175 } 03176 03177 list_info.version = RSBAC_ACL_DEF_IPC_LIST_VERSION; 03178 list_info.key = RSBAC_ACL_LIST_KEY; 03179 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 03180 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 03181 list_info.max_age = 0; 03182 err = rsbac_list_register(RSBAC_LIST_VERSION, 03183 &default_ipc_handle, &list_info, 03184 #if defined(CONFIG_RSBAC_ACL_BACKUP) 03185 RSBAC_LIST_BACKUP | 03186 #endif 03187 RSBAC_LIST_PERSIST, 03188 entry_compare, 03189 def_ipc_get_conv, 03190 NULL, 03191 RSBAC_ACL_DEF_IPC_FILENAME, 03192 RSBAC_AUTO_DEV); 03193 if (err) { 03194 registration_error(err, "default ipc"); 03195 } 03196 03197 lol_info.version = RSBAC_ACL_SCD_LIST_VERSION; 03198 lol_info.key = RSBAC_ACL_LIST_KEY; 03199 lol_info.desc_size = sizeof(__u8); 03200 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */ 03201 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 03202 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 03203 lol_info.max_age = 0; 03204 def_mask = RSBAC_ACL_DEFAULT_SCD_MASK; 03205 err = rsbac_list_lol_register(RSBAC_LIST_VERSION, 03206 &scd_handle, &lol_info, 03207 #if defined(CONFIG_RSBAC_ACL_BACKUP) 03208 RSBAC_LIST_BACKUP | 03209 #endif 03210 RSBAC_LIST_PERSIST | 03211 RSBAC_LIST_DEF_DATA, NULL, 03212 entry_compare, scd_get_conv, 03213 scd_get_subconv, &def_mask, NULL, 03214 RSBAC_ACL_SCD_FILENAME, 03215 RSBAC_AUTO_DEV); 03216 if (err) { 03217 registration_error(err, "scd"); 03218 } 03219 03220 list_info.version = RSBAC_ACL_DEF_SCD_LIST_VERSION; 03221 list_info.key = RSBAC_ACL_LIST_KEY; 03222 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 03223 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 03224 list_info.max_age = 0; 03225 err = rsbac_list_register(RSBAC_LIST_VERSION, 03226 &default_scd_handle, &list_info, 03227 #if defined(CONFIG_RSBAC_ACL_BACKUP) 03228 RSBAC_LIST_BACKUP | 03229 #endif 03230 RSBAC_LIST_PERSIST, 03231 entry_compare, 03232 def_scd_get_conv, 03233 NULL, 03234 RSBAC_ACL_DEF_SCD_FILENAME, 03235 RSBAC_AUTO_DEV); 03236 if (err) { 03237 registration_error(err, "default scd"); 03238 } 03239 03240 lol_info.version = RSBAC_ACL_U_LIST_VERSION; 03241 lol_info.key = RSBAC_ACL_LIST_KEY; 03242 lol_info.desc_size = sizeof(rsbac_uid_t); 03243 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */ 03244 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 03245 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 03246 lol_info.max_age = 0; 03247 def_mask = RSBAC_ACL_DEFAULT_U_MASK; 03248 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION, 03249 &u_handle, &lol_info, 03250 #if defined(CONFIG_RSBAC_ACL_BACKUP) 03251 RSBAC_LIST_BACKUP | 03252 #endif 03253 RSBAC_LIST_PERSIST | RSBAC_LIST_AUTO_HASH_RESIZE, 03254 NULL, 03255 entry_compare, 03256 NULL, 03257 NULL, 03258 &def_mask, 03259 NULL, 03260 RSBAC_ACL_U_FILENAME, 03261 RSBAC_AUTO_DEV, 03262 1, 03263 rsbac_list_hash_uid, 03264 NULL); 03265 if (err) { 03266 registration_error(err, "user"); 03267 } 03268 list_info.version = RSBAC_ACL_DEF_U_LIST_VERSION; 03269 list_info.key = RSBAC_ACL_LIST_KEY; 03270 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 03271 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 03272 list_info.max_age = 0; 03273 err = rsbac_list_register(RSBAC_LIST_VERSION, 03274 &default_u_handle, &list_info, 03275 #if defined(CONFIG_RSBAC_ACL_BACKUP) 03276 RSBAC_LIST_BACKUP | 03277 #endif 03278 RSBAC_LIST_PERSIST, 03279 entry_compare, 03280 def_u_get_conv, 03281 NULL, 03282 RSBAC_ACL_DEF_U_FILENAME, 03283 RSBAC_AUTO_DEV); 03284 if (err) { 03285 registration_error(err, "default user"); 03286 } 03287 03288 list_info.version = RSBAC_ACL_DEF_P_LIST_VERSION; 03289 list_info.key = RSBAC_ACL_LIST_KEY; 03290 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 03291 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 03292 list_info.max_age = 0; 03293 err = rsbac_list_register(RSBAC_LIST_VERSION, 03294 &default_p_handle, &list_info, 03295 #if defined(CONFIG_RSBAC_ACL_BACKUP) 03296 RSBAC_LIST_BACKUP | 03297 #endif 03298 RSBAC_LIST_PERSIST, 03299 entry_compare, 03300 def_p_get_conv, 03301 NULL, 03302 RSBAC_ACL_DEF_P_FILENAME, 03303 RSBAC_AUTO_DEV); 03304 if (err) { 03305 registration_error(err, "default process"); 03306 } 03307 #ifdef CONFIG_RSBAC_ACL_UM_PROT 03308 lol_info.version = RSBAC_ACL_G_LIST_VERSION; 03309 lol_info.key = RSBAC_ACL_LIST_KEY; 03310 lol_info.desc_size = sizeof(rsbac_gid_t); 03311 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */ 03312 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 03313 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 03314 lol_info.max_age = 0; 03315 def_mask = RSBAC_ACL_DEFAULT_G_MASK; 03316 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION, 03317 &g_handle, &lol_info, 03318 #if defined(CONFIG_RSBAC_ACL_BACKUP) 03319 RSBAC_LIST_BACKUP | 03320 #endif 03321 RSBAC_LIST_PERSIST | RSBAC_LIST_AUTO_HASH_RESIZE, 03322 NULL, 03323 entry_compare, 03324 NULL, 03325 NULL, 03326 &def_mask, 03327 NULL, 03328 RSBAC_ACL_G_FILENAME, 03329 RSBAC_AUTO_DEV, 03330 1, 03331 rsbac_list_hash_gid, 03332 NULL); 03333 if (err) { 03334 registration_error(err, "Linux group"); 03335 } 03336 list_info.version = RSBAC_ACL_DEF_G_LIST_VERSION; 03337 list_info.key = RSBAC_ACL_LIST_KEY; 03338 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 03339 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 03340 list_info.max_age = 0; 03341 err = rsbac_list_register(RSBAC_LIST_VERSION, 03342 &default_g_handle, &list_info, 03343 #if defined(CONFIG_RSBAC_ACL_BACKUP) 03344 RSBAC_LIST_BACKUP | 03345 #endif 03346 RSBAC_LIST_PERSIST, 03347 entry_compare, 03348 def_g_get_conv, 03349 NULL, 03350 RSBAC_ACL_DEF_G_FILENAME, 03351 RSBAC_AUTO_DEV); 03352 if (err) { 03353 registration_error(err, "default Linux group"); 03354 } 03355 #endif 03356 03357 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 03358 lol_info.version = RSBAC_ACL_NETDEV_LIST_VERSION; 03359 lol_info.key = RSBAC_ACL_LIST_KEY; 03360 lol_info.desc_size = sizeof(rsbac_netdev_id_t); 03361 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */ 03362 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 03363 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 03364 lol_info.max_age = 0; 03365 def_mask = RSBAC_ACL_DEFAULT_NETDEV_MASK; 03366 err = rsbac_list_lol_register(RSBAC_LIST_VERSION, 03367 &netdev_handle, &lol_info, 03368 #if defined(CONFIG_RSBAC_ACL_BACKUP) 03369 RSBAC_LIST_BACKUP | 03370 #endif 03371 RSBAC_LIST_PERSIST | 03372 RSBAC_LIST_DEF_DATA, netdev_compare, 03373 entry_compare, netdev_get_conv, 03374 netdev_get_subconv, &def_mask, NULL, 03375 RSBAC_ACL_NETDEV_FILENAME, 03376 RSBAC_AUTO_DEV); 03377 if (err) { 03378 registration_error(err, "netdev"); 03379 } 03380 list_info.version = RSBAC_ACL_DEF_NETDEV_LIST_VERSION; 03381 list_info.key = RSBAC_ACL_LIST_KEY; 03382 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 03383 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 03384 list_info.max_age = 0; 03385 err = rsbac_list_register(RSBAC_LIST_VERSION, 03386 &default_netdev_handle, &list_info, 03387 #if defined(CONFIG_RSBAC_ACL_BACKUP) 03388 RSBAC_LIST_BACKUP | 03389 #endif 03390 RSBAC_LIST_PERSIST, 03391 entry_compare, 03392 def_netdev_get_conv, 03393 NULL, 03394 RSBAC_ACL_DEF_NETDEV_FILENAME, 03395 RSBAC_AUTO_DEV); 03396 if (err) { 03397 registration_error(err, "default netdev"); 03398 } 03399 #endif 03400 03401 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 03402 lol_info.version = RSBAC_ACL_NETTEMP_NT_LIST_VERSION; 03403 lol_info.key = RSBAC_ACL_LIST_KEY; 03404 lol_info.desc_size = sizeof(rsbac_net_temp_id_t); 03405 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */ 03406 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 03407 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 03408 lol_info.max_age = 0; 03409 def_mask = RSBAC_ACL_DEFAULT_NETTEMP_MASK; 03410 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION, 03411 &nettemp_nt_handle, &lol_info, 03412 #if defined(CONFIG_RSBAC_ACL_BACKUP) 03413 RSBAC_LIST_BACKUP | 03414 #endif 03415 RSBAC_LIST_PERSIST | RSBAC_LIST_AUTO_HASH_RESIZE, 03416 NULL, 03417 entry_compare, 03418 nettemp_nt_get_conv, 03419 nettemp_nt_get_subconv, 03420 &def_mask, 03421 NULL, 03422 RSBAC_ACL_NETTEMP_NT_FILENAME, 03423 RSBAC_AUTO_DEV, 03424 1, 03425 rsbac_list_hash_nettemp, 03426 NULL); 03427 if (err) { 03428 registration_error(err, "nettemp_nt"); 03429 } 03430 list_info.version = RSBAC_ACL_DEF_NETTEMP_NT_LIST_VERSION; 03431 list_info.key = RSBAC_ACL_LIST_KEY; 03432 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 03433 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 03434 list_info.max_age = 0; 03435 err = rsbac_list_register(RSBAC_LIST_VERSION, 03436 &default_nettemp_nt_handle, &list_info, 03437 #if defined(CONFIG_RSBAC_ACL_BACKUP) 03438 RSBAC_LIST_BACKUP | 03439 #endif 03440 RSBAC_LIST_PERSIST, 03441 entry_compare, 03442 def_nettemp_nt_get_conv, 03443 NULL, 03444 RSBAC_ACL_DEF_NETTEMP_NT_FILENAME, 03445 RSBAC_AUTO_DEV); 03446 if (err) { 03447 registration_error(err, "default nettemp_nt"); 03448 } 03449 lol_info.version = RSBAC_ACL_NETTEMP_LIST_VERSION; 03450 lol_info.key = RSBAC_ACL_LIST_KEY; 03451 lol_info.desc_size = sizeof(rsbac_net_temp_id_t); 03452 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */ 03453 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 03454 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 03455 lol_info.max_age = 0; 03456 def_mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK; 03457 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION, 03458 &nettemp_handle, &lol_info, 03459 #if defined(CONFIG_RSBAC_ACL_BACKUP) 03460 RSBAC_LIST_BACKUP | 03461 #endif 03462 RSBAC_LIST_PERSIST | RSBAC_LIST_AUTO_HASH_RESIZE, 03463 NULL, 03464 entry_compare, 03465 nettemp_get_conv, 03466 nettemp_get_subconv, 03467 &def_mask, 03468 NULL, 03469 RSBAC_ACL_NETTEMP_FILENAME, 03470 RSBAC_AUTO_DEV, 03471 1, 03472 rsbac_list_hash_nettemp, 03473 NULL); 03474 if (err) { 03475 registration_error(err, "nettemp"); 03476 } 03477 lol_info.version = RSBAC_ACL_NETOBJ_LIST_VERSION; 03478 lol_info.key = RSBAC_ACL_LIST_KEY; 03479 lol_info.desc_size = sizeof(rsbac_net_obj_id_t); 03480 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */ 03481 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 03482 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 03483 lol_info.max_age = 0; 03484 def_mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK; 03485 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION, 03486 &netobj_handle, 03487 &lol_info, 03488 RSBAC_LIST_AUTO_HASH_RESIZE, 03489 NULL, 03490 entry_compare, 03491 NULL, 03492 NULL, 03493 &def_mask, 03494 NULL, 03495 RSBAC_ACL_NETOBJ_FILENAME, 03496 RSBAC_AUTO_DEV, 03497 1, 03498 rsbac_list_hash_netobj, 03499 NULL); 03500 if (err) { 03501 registration_error(err, "netobj"); 03502 } 03503 list_info.version = RSBAC_ACL_DEF_NETOBJ_LIST_VERSION; 03504 list_info.key = RSBAC_ACL_LIST_KEY; 03505 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */ 03506 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */ 03507 list_info.max_age = 0; 03508 err = rsbac_list_register(RSBAC_LIST_VERSION, 03509 &default_netobj_handle, &list_info, 03510 #if defined(CONFIG_RSBAC_ACL_BACKUP) 03511 RSBAC_LIST_BACKUP | 03512 #endif 03513 RSBAC_LIST_PERSIST, 03514 entry_compare, 03515 def_netobj_get_conv, 03516 NULL, 03517 RSBAC_ACL_DEF_NETOBJ_FILENAME, 03518 RSBAC_AUTO_DEV); 03519 if (err) { 03520 registration_error(err, "default netobj"); 03521 } 03522 #endif /* NET_OBJ_PROT */ 03523 03524 /* groups */ 03525 list_info.version = RSBAC_ACL_GROUP_VERSION; 03526 list_info.key = RSBAC_ACL_LIST_KEY; 03527 list_info.desc_size = sizeof(rsbac_acl_group_id_t); 03528 list_info.data_size = sizeof(struct rsbac_acl_group_entry_t); 03529 list_info.max_age = 0; 03530 err = rsbac_list_register_hashed(RSBAC_LIST_VERSION, 03531 &group_handle, &list_info, 03532 #if defined(CONFIG_RSBAC_ACL_BACKUP) 03533 RSBAC_LIST_BACKUP | 03534 #endif 03535 RSBAC_LIST_PERSIST | RSBAC_LIST_AUTO_HASH_RESIZE, 03536 NULL, 03537 NULL, 03538 NULL, 03539 RSBAC_ACL_GROUP_FILENAME, 03540 RSBAC_AUTO_DEV, 03541 1, 03542 group_hash, 03543 NULL); 03544 if (err) { 03545 registration_error(err, "group"); 03546 } 03547 03548 /* group memberships */ 03549 lol_info.version = RSBAC_ACL_GM_VERSION; 03550 lol_info.key = RSBAC_ACL_LIST_KEY; 03551 lol_info.desc_size = sizeof(rsbac_uid_t); 03552 lol_info.data_size = 0; 03553 lol_info.subdesc_size = sizeof(rsbac_acl_group_id_t); 03554 lol_info.subdata_size = 0; 03555 lol_info.max_age = 0; 03556 err = rsbac_list_lol_register_hashed(RSBAC_LIST_VERSION, 03557 &gm_handle, &lol_info, 03558 #if defined(CONFIG_RSBAC_ACL_BACKUP) 03559 RSBAC_LIST_BACKUP | 03560 #endif 03561 RSBAC_LIST_PERSIST | 03562 RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE, 03563 NULL, 03564 NULL, NULL, NULL, 03565 NULL, NULL, RSBAC_ACL_GM_FILENAME, 03566 RSBAC_AUTO_DEV, 03567 1, 03568 rsbac_list_hash_uid, 03569 NULL); 03570 if (err) { 03571 registration_error(err, "gm"); 03572 } 03573 03574 /* Create default lists */ 03575 if (!rsbac_no_defaults) { 03576 acl_create_def(); 03577 acl_create_def2(); 03578 } 03579 #if defined(CONFIG_RSBAC_PROC) 03580 tmp_entry_p = create_proc_entry("acl_devices", 03581 S_IFREG | S_IRUGO, 03582 proc_rsbac_root_p); 03583 if (tmp_entry_p) { 03584 tmp_entry_p->get_info = acl_devices_proc_info; 03585 } 03586 tmp_entry_p = create_proc_entry("stats_acl", 03587 S_IFREG | S_IRUGO, 03588 proc_rsbac_root_p); 03589 if (tmp_entry_p) { 03590 tmp_entry_p->get_info = stats_acl_proc_info; 03591 } 03592 tmp_entry_p = create_proc_entry("acl_acllist", 03593 S_IFREG | S_IRUGO, 03594 proc_rsbac_root_p); 03595 if (tmp_entry_p) { 03596 tmp_entry_p->get_info = acl_acllist_proc_info; 03597 } 03598 tmp_entry_p = create_proc_entry("acl_grouplist", 03599 S_IFREG | S_IRUGO, 03600 proc_rsbac_root_p); 03601 if (tmp_entry_p) { 03602 tmp_entry_p->get_info = acl_grouplist_proc_info; 03603 } 03604 #endif 03605 03606 rsbac_pr_debug(ds_acl, "Ready.\n"); 03607 return (err); 03608 }
int rsbac_mount_acl | ( | kdev_t | kdev | ) |
Definition at line 3610 of file acl_data_structures.c.
References acl_lookup_device(), acl_register_fd_lists(), add_device_item(), clear_device_item(), create_device_item(), device_list_lock, get_error_name(), rsbac_acl_device_list_item_t::mount_count, RSBAC_ECOULDNOTADDDEVICE, RSBAC_ENOTINITIALIZED, rsbac_is_initialized(), rsbac_kfree(), rsbac_kmalloc(), RSBAC_MAXNAMELEN, rsbac_pr_debug, and rsbac_printk().
Referenced by rsbac_mount().
03611 { 03612 int err = 0; 03613 struct rsbac_acl_device_list_item_t *device_p; 03614 struct rsbac_acl_device_list_item_t *new_device_p; 03615 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 03616 u_long dflags; 03617 #endif 03618 03619 if (!rsbac_is_initialized()) { 03620 rsbac_printk(KERN_WARNING "rsbac_mount_acl(): RSBAC not initialized\n"); 03621 return (-RSBAC_ENOTINITIALIZED); 03622 } 03623 rsbac_pr_debug(ds_acl, "mounting device %02u:%02u\n", 03624 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 03625 /* wait for read access to device_list_head */ 03626 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03627 rcu_read_lock(); 03628 #else 03629 rsbac_read_lock(&device_list_lock, &dflags); 03630 #endif 03631 device_p = acl_lookup_device(kdev); 03632 /* repeated mount? */ 03633 if (device_p) { 03634 rsbac_printk(KERN_INFO "rsbac_mount_acl: repeated mount %u of device %02u:%02u\n", 03635 device_p->mount_count, RSBAC_MAJOR(kdev), 03636 RSBAC_MINOR(kdev)); 03637 device_p->mount_count++; 03638 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03639 rcu_read_unlock(); 03640 #else 03641 rsbac_read_unlock(&device_list_lock, &dflags); 03642 #endif 03643 return 0; 03644 } 03645 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03646 rcu_read_unlock(); 03647 #else 03648 rsbac_read_unlock(&device_list_lock, &dflags); 03649 #endif 03650 /* OK, go on */ 03651 new_device_p = create_device_item(kdev); 03652 if (!new_device_p) 03653 return -RSBAC_ECOULDNOTADDDEVICE; 03654 03655 if ((err = acl_register_fd_lists(new_device_p, kdev))) { 03656 char *tmp; 03657 03658 tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); 03659 if (tmp) { 03660 rsbac_printk(KERN_WARNING "rsbac_mount_acl(): File/Dir ACL registration failed for dev %02u:%02u, err %s!\n", 03661 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev), 03662 get_error_name(tmp, err)); 03663 rsbac_kfree(tmp); 03664 } 03665 } 03666 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03667 rcu_read_lock(); 03668 #else 03669 rsbac_read_lock(&device_list_lock, &dflags); 03670 #endif 03671 /* make sure to only add, if this device item has not been added in the meantime */ 03672 device_p = acl_lookup_device(kdev); 03673 if (device_p) { 03674 rsbac_printk(KERN_WARNING "rsbac_mount_acl(): mount race for device %02u:%02u detected!\n", 03675 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 03676 device_p->mount_count++; 03677 /* also detaches lists */ 03678 clear_device_item(new_device_p); 03679 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03680 rcu_read_unlock(); 03681 #else 03682 rsbac_read_unlock(&device_list_lock, &dflags); 03683 #endif 03684 } else { 03685 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03686 rcu_read_unlock(); 03687 #else 03688 rsbac_read_unlock(&device_list_lock, &dflags); 03689 #endif 03690 device_p = add_device_item(new_device_p); 03691 if (!device_p) { 03692 rsbac_printk(KERN_WARNING "rsbac_mount_acl: adding device %02u:%02u failed!\n", 03693 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 03694 /* also detaches lists */ 03695 clear_device_item(new_device_p); 03696 err = -RSBAC_ECOULDNOTADDDEVICE; 03697 } 03698 } 03699 03700 return err; 03701 }
int rsbac_stats_acl | ( | void | ) |
Definition at line 3757 of file acl_data_structures.c.
References A_none, device_list_head_p, device_list_lock, rsbac_attribute_value_t::dummy, gm_handle, group_handle, group_last_new, rsbac_acl_device_list_item_t::handle, rsbac_acl_device_list_item_t::id, rsbac_acl_device_list_item_t::next, R_GET_STATUS_DATA, rsbac_adf_request(), RSBAC_ENOTINITIALIZED, rsbac_is_initialized(), rsbac_list_count(), rsbac_list_lol_all_subcount(), rsbac_list_lol_count(), rsbac_pr_debug, rsbac_printk(), rsbac_target_id_t::scd, ST_rsbac, and T_SCD.
Referenced by rsbac_stats().
03758 { 03759 struct rsbac_acl_device_list_item_t *device_p; 03760 union rsbac_target_id_t rsbac_target_id; 03761 union rsbac_attribute_value_t rsbac_attribute_value; 03762 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 03763 u_long dflags; 03764 #endif 03765 03766 if (!rsbac_is_initialized()) { 03767 rsbac_printk(KERN_WARNING "rsbac_stats_acl(): RSBAC not initialized\n"); 03768 return (-RSBAC_ENOTINITIALIZED); 03769 } 03770 rsbac_pr_debug(aef_acl, "calling ADF\n"); 03771 rsbac_target_id.scd = ST_rsbac; 03772 rsbac_attribute_value.dummy = 0; 03773 if (!rsbac_adf_request(R_GET_STATUS_DATA, 03774 current->pid, 03775 T_SCD, 03776 rsbac_target_id, 03777 A_none, rsbac_attribute_value)) { 03778 return -EPERM; 03779 } 03780 03781 rsbac_printk(KERN_INFO "ACL Status\n-----------\n"); 03782 03783 /* protect device list */ 03784 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03785 rcu_read_lock(); 03786 #else 03787 rsbac_read_lock(&device_list_lock, &dflags); 03788 #endif 03789 device_p = rcu_dereference(device_list_head_p)->head; 03790 while (device_p) { 03791 rsbac_printk(KERN_INFO "device %02u:%02u has %u file ACLs, sum of %u members\n", 03792 RSBAC_MAJOR(device_p->id), 03793 RSBAC_MINOR(device_p->id), 03794 rsbac_list_lol_count(device_p->handle), 03795 rsbac_list_lol_all_subcount(device_p->handle)); 03796 device_p = device_p->next; 03797 } 03798 /* unprotect device list */ 03799 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03800 rcu_read_unlock(); 03801 #else 03802 rsbac_read_unlock(&device_list_lock, &dflags); 03803 #endif 03804 03805 /* dev list */ 03806 rsbac_printk(KERN_INFO "%li device major ACL items, sum of %li members\n", 03807 rsbac_list_lol_count(dev_major_handle), 03808 rsbac_list_lol_all_subcount(dev_major_handle)); 03809 rsbac_printk(KERN_INFO "%li device ACL items, sum of %li members\n", 03810 rsbac_list_lol_count(dev_handle), 03811 rsbac_list_lol_all_subcount(dev_handle)); 03812 03813 /* SCD list */ 03814 rsbac_printk(KERN_INFO "%li scd ACL items, sum of %li members\n", 03815 rsbac_list_lol_count(scd_handle), 03816 rsbac_list_lol_all_subcount(scd_handle)); 03817 03818 /* user list */ 03819 rsbac_printk(KERN_INFO "%li user ACL items, sum of %li members\n", 03820 rsbac_list_lol_count(u_handle), 03821 rsbac_list_lol_all_subcount(u_handle)); 03822 03823 #ifdef CONFIG_RSBAC_ACL_UM_PROT 03824 /* Linux group list */ 03825 rsbac_printk(KERN_INFO "%li Linux group ACL items, sum of %li members\n", 03826 rsbac_list_lol_count(g_handle), 03827 rsbac_list_lol_all_subcount(g_handle)); 03828 #endif 03829 03830 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT 03831 /* netdev list */ 03832 rsbac_printk(KERN_INFO "%li network device ACL items, sum of %li members\n", 03833 rsbac_list_lol_count(netdev_handle), 03834 rsbac_list_lol_all_subcount(netdev_handle)); 03835 #endif 03836 03837 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT 03838 /* nettemp_nt list */ 03839 rsbac_printk(KERN_INFO "%li network template NT ACL items, sum of %li members\n", 03840 rsbac_list_lol_count(nettemp_nt_handle), 03841 rsbac_list_lol_all_subcount(nettemp_nt_handle)); 03842 /* nettemp list */ 03843 rsbac_printk(KERN_INFO "%li network template ACL items, sum of %li members\n", 03844 rsbac_list_lol_count(nettemp_handle), 03845 rsbac_list_lol_all_subcount(nettemp_handle)); 03846 /* netobj list */ 03847 rsbac_printk(KERN_INFO "%li network object ACL items, sum of %li members\n", 03848 rsbac_list_lol_count(netobj_handle), 03849 rsbac_list_lol_all_subcount(netobj_handle)); 03850 #endif 03851 03852 rsbac_printk(KERN_INFO "%li groups, last new is %u\n", 03853 rsbac_list_count(group_handle), group_last_new); 03854 03855 /* protect gm list */ 03856 rsbac_printk(KERN_INFO "%li group member items, sum of %li group memberships\n", 03857 rsbac_list_lol_count(gm_handle), 03858 rsbac_list_lol_all_subcount(gm_handle)); 03859 03860 return 0; 03861 }
int rsbac_umount_acl | ( | kdev_t | kdev | ) |
Definition at line 3705 of file acl_data_structures.c.
References acl_lookup_device(), device_list_lock, rsbac_acl_device_list_item_t::mount_count, remove_device_item(), RSBAC_ENOTINITIALIZED, rsbac_is_initialized(), rsbac_pr_debug, and rsbac_printk().
Referenced by rsbac_umount().
03706 { 03707 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) 03708 u_long flags; 03709 #endif 03710 struct rsbac_acl_device_list_item_t *device_p; 03711 03712 if (!rsbac_is_initialized()) { 03713 rsbac_printk(KERN_WARNING "rsbac_umount(): RSBAC not initialized\n"); 03714 return (-RSBAC_ENOTINITIALIZED); 03715 } 03716 rsbac_pr_debug(ds_acl, "umounting device %02u:%02u\n", 03717 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev)); 03718 /* sync of attribute lists was done in rsbac_umount */ 03719 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03720 spin_lock(&device_list_lock); 03721 #else 03722 rsbac_write_lock(&device_list_lock, &flags); 03723 #endif 03724 /* OK, nobody else is working on it... */ 03725 device_p = acl_lookup_device(kdev); 03726 if (device_p) { 03727 if (device_p->mount_count == 1) 03728 remove_device_item(kdev); 03729 else { 03730 if (device_p->mount_count > 1) { 03731 device_p->mount_count--; 03732 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03733 spin_unlock(&device_list_lock); 03734 #endif 03735 } else { 03736 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03737 spin_unlock(&device_list_lock); 03738 #endif 03739 rsbac_printk(KERN_WARNING "rsbac_umount_acl: device %02u:%02u has mount_count < 1!\n", 03740 RSBAC_MAJOR(kdev), 03741 RSBAC_MINOR(kdev)); 03742 } 03743 } 03744 } 03745 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 03746 else 03747 spin_unlock(&device_list_lock); 03748 #else 03749 rsbac_write_unlock(&device_list_lock, &flags); 03750 #endif 03751 return 0; 03752 }