00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012 #include <linux/string.h>
00013 #include <linux/sched.h>
00014 #include <linux/errno.h>
00015 #include <linux/vmalloc.h>
00016 #include <rsbac/types.h>
00017 #include <rsbac/aci.h>
00018 #include <rsbac/error.h>
00019 #include <rsbac/acl.h>
00020 #include <rsbac/getname.h>
00021 #include <rsbac/acl_getname.h>
00022 #include <rsbac/helpers.h>
00023 #include <rsbac/debug.h>
00024 #include <rsbac/rkmem.h>
00025 #include <rsbac/adf_main.h>
00026 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00027 #ifdef CONFIG_RSBAC_NET_OBJ
00028 #include <net/sock.h>
00029 #endif
00030 #endif
00031
00032
00033
00034
00035
00036
00037
00038
00039
00040 rsbac_boolean_t rsbac_acl_check_super(enum rsbac_target_t target,
00041 union rsbac_target_id_t tid,
00042 rsbac_uid_t user)
00043 {
00044 rsbac_boolean_t i_result = FALSE;
00045 int err=0, tmperr;
00046 int i;
00047 rsbac_acl_group_id_t * group_p;
00048 #if defined(CONFIG_RSBAC_RC)
00049 union rsbac_target_id_t i_tid;
00050 union rsbac_attribute_value_t i_attr_val1;
00051 #endif
00052
00053
00054 switch(target)
00055 {
00056 case T_FILE:
00057 case T_DIR:
00058 case T_FIFO:
00059 case T_SYMLINK:
00060 case T_DEV:
00061 case T_IPC:
00062 case T_SCD:
00063 case T_USER:
00064 case T_PROCESS:
00065 #ifdef CONFIG_RSBAC_ACL_UM_PROT
00066 case T_GROUP:
00067 #endif
00068 case T_NETDEV:
00069 case T_NETTEMP_NT:
00070 case T_NETTEMP:
00071 case T_NETOBJ:
00072 break;
00073 default:
00074 return TRUE;
00075 }
00076
00077 err = rsbac_acl_get_single_right(target,
00078 tid,
00079 ACLS_USER,
00080 (rsbac_acl_subject_id_t) user,
00081 ACLR_SUPERVISOR,
00082 &i_result);
00083 if(err)
00084 {
00085 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00086
00087 if(tmp)
00088 {
00089 #ifdef CONFIG_RSBAC_RMSG
00090 rsbac_printk(KERN_WARNING
00091 "rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n",
00092 get_error_name(tmp,err));
00093 #endif
00094 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00095 if (!rsbac_nosyslog)
00096 #endif
00097 printk(KERN_WARNING
00098 "rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n",
00099 get_error_name(tmp,err));
00100 rsbac_kfree(tmp);
00101 }
00102 return FALSE;
00103 }
00104 if(i_result)
00105 return(TRUE);
00106
00107
00108
00109 err = rsbac_acl_get_single_right(target,
00110 tid,
00111 ACLS_GROUP,
00112 RSBAC_ACL_GROUP_EVERYONE,
00113 ACLR_SUPERVISOR,
00114 &i_result);
00115 if(err)
00116 {
00117 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00118
00119 if(tmp)
00120 {
00121 #ifdef CONFIG_RSBAC_RMSG
00122 rsbac_printk(KERN_WARNING
00123 "rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n",
00124 get_error_name(tmp,err));
00125 #endif
00126 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00127 if (!rsbac_nosyslog)
00128 #endif
00129 printk(KERN_WARNING
00130 "rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n",
00131 get_error_name(tmp,err));
00132 rsbac_kfree(tmp);
00133 }
00134 return FALSE;
00135 }
00136 if(i_result)
00137 return(TRUE);
00138
00139 #if defined(CONFIG_RSBAC_RC)
00140
00141
00142 i_tid.process = current->pid;
00143 if (rsbac_get_attr(RC,
00144 T_PROCESS,
00145 i_tid,
00146 A_rc_role,
00147 &i_attr_val1,
00148 FALSE))
00149 {
00150 #ifdef CONFIG_RSBAC_RMSG
00151 rsbac_printk(KERN_WARNING
00152 "rsbac_acl_check_super(): rsbac_get_attr() for process rc_role returned error!\n");
00153 #endif
00154 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00155 if (!rsbac_nosyslog)
00156 #endif
00157 printk(KERN_WARNING
00158 "rsbac_acl_check_super(): rsbac_get_attr() for process rc_role returned error!\n");
00159 }
00160 else
00161 {
00162 err = rsbac_acl_get_single_right(target,
00163 tid,
00164 ACLS_ROLE,
00165 i_attr_val1.rc_role,
00166 ACLR_SUPERVISOR,
00167 &i_result);
00168 if(err)
00169 {
00170 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00171
00172 if(tmp)
00173 {
00174 get_error_name(tmp,err);
00175 #ifdef CONFIG_RSBAC_RMSG
00176 rsbac_printk(KERN_WARNING
00177 "rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n",
00178 tmp);
00179 #endif
00180 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00181 if (!rsbac_nosyslog)
00182 #endif
00183 printk(KERN_WARNING
00184 "rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n",
00185 tmp);
00186 rsbac_kfree(tmp);
00187 }
00188 return FALSE;
00189 }
00190 if(i_result)
00191 return(TRUE);
00192 }
00193 #endif
00194
00195
00196
00197 group_p = NULL;
00198 err = rsbac_acl_get_user_groups(0, user, &group_p, NULL);
00199 if(err<0)
00200 {
00201 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00202
00203 if(tmp)
00204 {
00205 #ifdef CONFIG_RSBAC_RMSG
00206 rsbac_printk(KERN_WARNING
00207 "rsbac_acl_check_super(): rsbac_acl_get_user_groups() returned error %s!\n",
00208 get_error_name(tmp,err));
00209 #endif
00210 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00211 if (!rsbac_nosyslog)
00212 #endif
00213 printk(KERN_WARNING
00214 "rsbac_acl_check_super(): rsbac_acl_get_user_groups() returned error %s!\n",
00215 get_error_name(tmp,err));
00216 rsbac_kfree(tmp);
00217 }
00218 return err;
00219 }
00220 for(i=0; i<err; i++)
00221 {
00222 tmperr = rsbac_acl_get_single_right(target,
00223 tid,
00224 ACLS_GROUP,
00225 group_p[i],
00226 ACLR_SUPERVISOR,
00227 &i_result);
00228 if(tmperr)
00229 {
00230 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00231
00232 if(tmp)
00233 {
00234 #ifdef CONFIG_RSBAC_RMSG
00235 rsbac_printk(KERN_WARNING
00236 "rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n",
00237 get_error_name(tmp,tmperr));
00238 #endif
00239 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00240 if (!rsbac_nosyslog)
00241 #endif
00242 printk(KERN_WARNING
00243 "rsbac_acl_check_super(): rsbac_acl_get_single_right() returned error %s!\n",
00244 get_error_name(tmp,tmperr));
00245 rsbac_kfree(tmp);
00246 }
00247 if(group_p)
00248 rsbac_vfree(group_p);
00249 return FALSE;
00250 }
00251 if(i_result)
00252 {
00253 if(group_p)
00254 rsbac_vfree(group_p);
00255 return(TRUE);
00256 }
00257 }
00258 if(group_p)
00259 rsbac_vfree(group_p);
00260
00261
00262 return FALSE;
00263 };
00264
00265
00266 #if !defined(CONFIG_RSBAC_MAINT)
00267 rsbac_boolean_t rsbac_acl_check_forward(enum rsbac_target_t target,
00268 union rsbac_target_id_t tid,
00269 rsbac_uid_t user,
00270 rsbac_acl_rights_vector_t rights);
00271
00272 rsbac_boolean_t rsbac_acl_check_super(enum rsbac_target_t target,
00273 union rsbac_target_id_t tid,
00274 rsbac_uid_t user);
00275
00276 rsbac_boolean_t rsbac_acl_check_right(enum rsbac_target_t target,
00277 union rsbac_target_id_t tid,
00278 rsbac_uid_t user,
00279 rsbac_pid_t caller_pid,
00280 enum rsbac_adf_request_t request);
00281 #endif
00282
00283
00284
00285
00286
00287 int rsbac_acl_sys_set_acl_entry(
00288 rsbac_list_ta_number_t ta_number,
00289 enum rsbac_target_t target,
00290 union rsbac_target_id_t tid,
00291 enum rsbac_acl_subject_type_t subj_type,
00292 rsbac_acl_subject_id_t subj_id,
00293 rsbac_acl_rights_vector_t rights,
00294 rsbac_time_t ttl)
00295 {
00296 int err=0;
00297
00298 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
00299
00300 if( (target == T_NETOBJ)
00301 && tid.netobj.sock_p
00302 && ( tid.netobj.remote_addr
00303 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00304 || !tid.netobj.sock_p->file
00305 || !tid.netobj.sock_p->file->f_dentry
00306 || !tid.netobj.sock_p->file->f_dentry->d_inode
00307 || (SOCKET_I(tid.netobj.sock_p->file->f_dentry->d_inode) != tid.netobj.sock_p)
00308 #else
00309 || !tid.netobj.sock_p->inode
00310 || (&(tid.netobj.sock_p->inode->u.socket_i) != tid.netobj.sock_p)
00311 #endif
00312 )
00313 )
00314 return -RSBAC_EINVALIDTARGET;
00315 #endif
00316
00317
00318 #if !defined(CONFIG_RSBAC_MAINT)
00319 #ifdef CONFIG_RSBAC_SWITCH
00320 if(rsbac_switch_acl)
00321 #endif
00322 {
00323 rsbac_uid_t user;
00324
00325 if(rsbac_get_owner(&user))
00326 return -RSBAC_EREADFAILED;
00327
00328 if(!rsbac_acl_check_right(target, tid, user, current->pid, ACLR_ACCESS_CONTROL))
00329 {
00330
00331
00332 if( (ttl != RSBAC_LIST_TTL_KEEP)
00333 || !rsbac_acl_check_forward(target, tid, user, rights)
00334 )
00335 {
00336 char * rights_string = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00337 char * subject_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00338 char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00339 #ifdef CONFIG_RSBAC_LOG_FULL_PATH
00340 char * target_id_name
00341 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
00342
00343 #else
00344 char * target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
00345
00346 #endif
00347
00348 u64tostracl(rights_string, rights);
00349 get_acl_subject_type_name(subject_type_name, subj_type);
00350 get_target_name(target_type_name, target, target_id_name, tid);
00351 #ifdef CONFIG_RSBAC_RMSG
00352 rsbac_printk(KERN_INFO
00353 "rsbac_acl_sys_set_acl_entry(): setting rights %s for %s %u to %s %s denied for user %u!\n",
00354 rights_string,
00355 subject_type_name,
00356 subj_id,
00357 target_type_name,
00358 target_id_name,
00359 user);
00360 #endif
00361 #ifndef CONFIG_RSBAC_RMSG_EXCL
00362 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00363 if (!rsbac_nosyslog)
00364 #endif
00365 printk(KERN_INFO
00366 "rsbac_acl_sys_set_acl_entry(): setting rights %s for %s %u to %s %s denied for user %u!\n",
00367 rights_string,
00368 subject_type_name,
00369 subj_id,
00370 target_type_name,
00371 target_id_name,
00372 user);
00373 #endif
00374 rsbac_kfree(rights_string);
00375 rsbac_kfree(subject_type_name);
00376 rsbac_kfree(target_type_name);
00377 rsbac_kfree(target_id_name);
00378
00379 #ifdef CONFIG_RSBAC_SOFTMODE
00380 if( !rsbac_softmode
00381 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00382 && !rsbac_ind_softmode[ACL]
00383 #endif
00384 )
00385 #endif
00386 return(-EPERM);
00387 }
00388 }
00389 if(rights & RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR)
00390 {
00391
00392 if(!rsbac_acl_check_super(target, tid, user))
00393 {
00394 char * subject_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00395 char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00396 #ifdef CONFIG_RSBAC_LOG_FULL_PATH
00397 char * target_id_name
00398 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
00399
00400 #else
00401 char * target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
00402
00403 #endif
00404
00405 get_acl_subject_type_name(subject_type_name, subj_type);
00406 get_target_name(target_type_name, target, target_id_name, tid);
00407 #ifdef CONFIG_RSBAC_RMSG
00408 rsbac_printk(KERN_INFO
00409 "rsbac_acl_sys_set_acl_entry(): setting SUPERVISOR for %s %u to %s %s denied for user %u!\n",
00410 subject_type_name,
00411 subj_id,
00412 target_type_name,
00413 target_id_name,
00414 user);
00415 #endif
00416 #ifndef CONFIG_RSBAC_RMSG_EXCL
00417 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00418 if (!rsbac_nosyslog)
00419 #endif
00420 printk(KERN_INFO
00421 "rsbac_acl_sys_set_acl_entry(): setting SUPERVISOR for %s %u to %s %s denied for user %u!\n",
00422 subject_type_name,
00423 subj_id,
00424 target_type_name,
00425 target_id_name,
00426 user);
00427 #endif
00428 rsbac_kfree(subject_type_name);
00429 rsbac_kfree(target_type_name);
00430 rsbac_kfree(target_id_name);
00431 #ifdef CONFIG_RSBAC_SOFTMODE
00432 if( !rsbac_softmode
00433 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00434 && !rsbac_ind_softmode[ACL]
00435 #endif
00436 )
00437 #endif
00438 return(-EPERM);
00439 }
00440 }
00441 }
00442 #endif
00443
00444
00445 err = rsbac_acl_set_acl_entry(ta_number, target, tid, subj_type, subj_id, rights, ttl);
00446 if(err)
00447 {
00448 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00449
00450 if(tmp)
00451 {
00452 #ifdef CONFIG_RSBAC_RMSG
00453 rsbac_printk(KERN_WARNING
00454 "rsbac_acl_sys_set_acl_entry(): rsbac_acl_set_acl_entry() returned error %s!\n",
00455 get_error_name(tmp,err));
00456 #endif
00457 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00458 if (!rsbac_nosyslog)
00459 #endif
00460 printk(KERN_WARNING
00461 "rsbac_acl_sys_set_acl_entry(): rsbac_acl_set_acl_entry() returned error %s!\n",
00462 get_error_name(tmp,err));
00463 rsbac_kfree(tmp);
00464 }
00465 }
00466 return err;
00467 }
00468
00469 int rsbac_acl_sys_remove_acl_entry(
00470 rsbac_list_ta_number_t ta_number,
00471 enum rsbac_target_t target,
00472 union rsbac_target_id_t tid,
00473 enum rsbac_acl_subject_type_t subj_type,
00474 rsbac_acl_subject_id_t subj_id)
00475 {
00476 int err=0;
00477
00478 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
00479
00480 if( (target == T_NETOBJ)
00481 && tid.netobj.sock_p
00482 && ( tid.netobj.remote_addr
00483 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00484 || !tid.netobj.sock_p->file
00485 || !tid.netobj.sock_p->file->f_dentry
00486 || !tid.netobj.sock_p->file->f_dentry->d_inode
00487 || (SOCKET_I(tid.netobj.sock_p->file->f_dentry->d_inode) != tid.netobj.sock_p)
00488 #else
00489 || !tid.netobj.sock_p->inode
00490 || (&(tid.netobj.sock_p->inode->u.socket_i) != tid.netobj.sock_p)
00491 #endif
00492 )
00493 )
00494 return -RSBAC_EINVALIDTARGET;
00495 #endif
00496
00497
00498 #if !defined(CONFIG_RSBAC_MAINT)
00499 #ifdef CONFIG_RSBAC_SWITCH
00500 if(rsbac_switch_acl)
00501 #endif
00502 {
00503 rsbac_uid_t user;
00504 rsbac_acl_rights_vector_t res_rights = 0;
00505
00506 if(rsbac_get_owner(&user))
00507 return -RSBAC_EREADFAILED;
00508
00509 if(!rsbac_acl_check_right(target, tid, user, current->pid, ACLR_ACCESS_CONTROL))
00510 {
00511 char * subject_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00512 char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00513 #ifdef CONFIG_RSBAC_LOG_FULL_PATH
00514 char * target_id_name
00515 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
00516
00517 #else
00518 char * target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
00519
00520 #endif
00521
00522 get_acl_subject_type_name(subject_type_name, subj_type);
00523 get_target_name(target_type_name, target, target_id_name, tid);
00524 #ifdef CONFIG_RSBAC_RMSG
00525 rsbac_printk(KERN_INFO
00526 "rsbac_acl_sys_remove_acl_entry(): removing ACL entry for %s %u at %s %s denied for user %u!\n",
00527 subject_type_name,
00528 subj_id,
00529 target_type_name,
00530 target_id_name,
00531 user);
00532 #endif
00533 #ifndef CONFIG_RSBAC_RMSG_EXCL
00534 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00535 if (!rsbac_nosyslog)
00536 #endif
00537 printk(KERN_INFO
00538 "rsbac_acl_sys_remove_acl_entry(): removing ACL entry for %s %u at %s %s denied for user %u!\n",
00539 subject_type_name,
00540 subj_id,
00541 target_type_name,
00542 target_id_name,
00543 user);
00544 #endif
00545 rsbac_kfree(subject_type_name);
00546 rsbac_kfree(target_type_name);
00547 rsbac_kfree(target_id_name);
00548 #ifdef CONFIG_RSBAC_SOFTMODE
00549 if( !rsbac_softmode
00550 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00551 && !rsbac_ind_softmode[ACL]
00552 #endif
00553 )
00554 #endif
00555 return(-EPERM);
00556 }
00557
00558 err = rsbac_acl_get_rights(0, target, tid, subj_type, subj_id, &res_rights, FALSE);
00559 if(err)
00560 {
00561 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00562
00563 if(tmp)
00564 {
00565 #ifdef CONFIG_RSBAC_RMSG
00566 rsbac_printk(KERN_WARNING
00567 "rsbac_acl_sys_remove_acl_entry(): rsbac_acl_get_rights() returned error %s!\n",
00568 get_error_name(tmp,err));
00569 #endif
00570 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00571 if (!rsbac_nosyslog)
00572 #endif
00573 printk(KERN_WARNING
00574 "rsbac_acl_sys_remove_acl_entry(): rsbac_acl_get_rights() returned error %s!\n",
00575 get_error_name(tmp,err));
00576 rsbac_kfree(tmp);
00577 }
00578 return err;
00579 }
00580 if(res_rights & RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR)
00581 {
00582
00583 if(!rsbac_acl_check_super(target, tid, user))
00584 {
00585 char * subject_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00586 char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00587 #ifdef CONFIG_RSBAC_LOG_FULL_PATH
00588 char * target_id_name
00589 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
00590
00591 #else
00592 char * target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
00593
00594 #endif
00595
00596 get_acl_subject_type_name(subject_type_name, subj_type);
00597 get_target_name(target_type_name, target, target_id_name, tid);
00598 #ifdef CONFIG_RSBAC_RMSG
00599 rsbac_printk(KERN_INFO
00600 "rsbac_acl_sys_remove_acl_entry(): removing ACL entry with SUPERVISOR for %s %u at %s %s denied for user %u!\n",
00601 subject_type_name,
00602 subj_id,
00603 target_type_name,
00604 target_id_name,
00605 user);
00606 #endif
00607 #ifndef CONFIG_RSBAC_RMSG_EXCL
00608 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00609 if (!rsbac_nosyslog)
00610 #endif
00611 printk(KERN_INFO
00612 "rsbac_acl_sys_remove_acl_entry(): removing ACL entry with SUPERVISOR for %s %u at %s %s denied for user %u!\n",
00613 subject_type_name,
00614 subj_id,
00615 target_type_name,
00616 target_id_name,
00617 user);
00618 #endif
00619 rsbac_kfree(subject_type_name);
00620 rsbac_kfree(target_type_name);
00621 rsbac_kfree(target_id_name);
00622 #ifdef CONFIG_RSBAC_SOFTMODE
00623 if( !rsbac_softmode
00624 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00625 && !rsbac_ind_softmode[ACL]
00626 #endif
00627 )
00628 #endif
00629 return(-EPERM);
00630 }
00631 }
00632 }
00633 #endif
00634
00635
00636 err = rsbac_acl_remove_acl_entry(ta_number, target, tid, subj_type, subj_id);
00637 if(err)
00638 {
00639 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00640
00641 if(tmp)
00642 {
00643 #ifdef CONFIG_RSBAC_RMSG
00644 rsbac_printk(KERN_WARNING
00645 "rsbac_acl_sys_remove_acl_entry(): rsbac_acl_remove_acl_entry() returned error %s!\n",
00646 get_error_name(tmp,err));
00647 #endif
00648 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00649 if (!rsbac_nosyslog)
00650 #endif
00651 printk(KERN_WARNING
00652 "rsbac_acl_sys_remove_acl_entry(): rsbac_acl_remove_acl_entry() returned error %s!\n",
00653 get_error_name(tmp,err));
00654 rsbac_kfree(tmp);
00655 }
00656 }
00657 return err;
00658 }
00659
00660 int rsbac_acl_sys_remove_acl(
00661 rsbac_list_ta_number_t ta_number,
00662 enum rsbac_target_t target,
00663 union rsbac_target_id_t tid)
00664 {
00665 int err=0;
00666
00667
00668 #if !defined(CONFIG_RSBAC_MAINT)
00669 #ifdef CONFIG_RSBAC_SWITCH
00670 if(rsbac_switch_acl)
00671 #endif
00672 {
00673 rsbac_uid_t user;
00674
00675 if(rsbac_get_owner(&user))
00676 return -RSBAC_EREADFAILED;
00677
00678 if(!rsbac_acl_check_super(target, tid, user))
00679 {
00680 char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00681 #ifdef CONFIG_RSBAC_LOG_FULL_PATH
00682 char * target_id_name
00683 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
00684
00685 #else
00686 char * target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
00687
00688 #endif
00689
00690 get_target_name(target_type_name, target, target_id_name, tid);
00691 #ifdef CONFIG_RSBAC_RMSG
00692 rsbac_printk(KERN_INFO
00693 "rsbac_acl_sys_remove_acl(): removing ACL from %s %s denied for user %u!\n",
00694 target_type_name,
00695 target_id_name,
00696 user);
00697 #endif
00698 #ifndef CONFIG_RSBAC_RMSG_EXCL
00699 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00700 if (!rsbac_nosyslog)
00701 #endif
00702 printk(KERN_INFO
00703 "rsbac_acl_sys_remove_acl(): removing ACL from %s %s denied for user %u!\n",
00704 target_type_name,
00705 target_id_name,
00706 user);
00707 #endif
00708 rsbac_kfree(target_type_name);
00709 rsbac_kfree(target_id_name);
00710 #ifdef CONFIG_RSBAC_SOFTMODE
00711 if( !rsbac_softmode
00712 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00713 && !rsbac_ind_softmode[ACL]
00714 #endif
00715 )
00716 #endif
00717 return(-EPERM);
00718 }
00719 }
00720 #endif
00721
00722
00723 err = rsbac_acl_remove_acl(ta_number, target, tid);
00724 if(err)
00725 {
00726 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00727
00728 if(tmp)
00729 {
00730 #ifdef CONFIG_RSBAC_RMSG
00731 rsbac_printk(KERN_WARNING
00732 "rsbac_acl_sys_remove_acl(): rsbac_acl_remove_acl() returned error %s!\n",
00733 get_error_name(tmp,err));
00734 #endif
00735 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00736 if (!rsbac_nosyslog)
00737 #endif
00738 printk(KERN_WARNING
00739 "rsbac_acl_sys_remove_acl(): rsbac_acl_remove_acl() returned error %s!\n",
00740 get_error_name(tmp,err));
00741 rsbac_kfree(tmp);
00742 }
00743 }
00744 return err;
00745 }
00746
00747 int rsbac_acl_sys_add_to_acl_entry(
00748 rsbac_list_ta_number_t ta_number,
00749 enum rsbac_target_t target,
00750 union rsbac_target_id_t tid,
00751 enum rsbac_acl_subject_type_t subj_type,
00752 rsbac_acl_subject_id_t subj_id,
00753 rsbac_acl_rights_vector_t rights,
00754 rsbac_time_t ttl)
00755 {
00756 int err=0;
00757
00758 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
00759
00760 if( (target == T_NETOBJ)
00761 && tid.netobj.sock_p
00762 && ( tid.netobj.remote_addr
00763 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00764 || !tid.netobj.sock_p->file
00765 || !tid.netobj.sock_p->file->f_dentry
00766 || !tid.netobj.sock_p->file->f_dentry->d_inode
00767 || (SOCKET_I(tid.netobj.sock_p->file->f_dentry->d_inode) != tid.netobj.sock_p)
00768 #else
00769 || !tid.netobj.sock_p->inode
00770 || (&(tid.netobj.sock_p->inode->u.socket_i) != tid.netobj.sock_p)
00771 #endif
00772 )
00773 )
00774 return -RSBAC_EINVALIDTARGET;
00775 #endif
00776
00777
00778 #if !defined(CONFIG_RSBAC_MAINT)
00779 #ifdef CONFIG_RSBAC_SWITCH
00780 if(rsbac_switch_acl)
00781 #endif
00782 {
00783 rsbac_uid_t user;
00784
00785 if(rsbac_get_owner(&user))
00786 return -RSBAC_EREADFAILED;
00787
00788 if(!rsbac_acl_check_right(target, tid, user, current->pid, ACLR_ACCESS_CONTROL))
00789 {
00790
00791
00792 if( (ttl != RSBAC_LIST_TTL_KEEP)
00793 || !rsbac_acl_check_forward(target, tid, user, rights)
00794 )
00795 {
00796 char * rights_string = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00797 char * subject_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00798 char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00799 #ifdef CONFIG_RSBAC_LOG_FULL_PATH
00800 char * target_id_name
00801 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
00802
00803 #else
00804 char * target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
00805
00806 #endif
00807
00808 u64tostracl(rights_string, rights);
00809 get_acl_subject_type_name(subject_type_name, subj_type);
00810 get_target_name(target_type_name, target, target_id_name, tid);
00811 #ifdef CONFIG_RSBAC_RMSG
00812 rsbac_printk(KERN_INFO
00813 "rsbac_acl_sys_add_to_acl_entry(): adding rights %s for %s %u to %s %s denied for user %u!\n",
00814 rights_string,
00815 subject_type_name,
00816 subj_id,
00817 target_type_name,
00818 target_id_name,
00819 user);
00820 #endif
00821 #ifndef CONFIG_RSBAC_RMSG_EXCL
00822 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00823 if (!rsbac_nosyslog)
00824 #endif
00825 printk(KERN_INFO
00826 "rsbac_acl_sys_add_to_acl_entry(): adding rights %s for %s %u to %s %s denied for user %u!\n",
00827 rights_string,
00828 subject_type_name,
00829 subj_id,
00830 target_type_name,
00831 target_id_name,
00832 user);
00833 #endif
00834 rsbac_kfree(rights_string);
00835 rsbac_kfree(subject_type_name);
00836 rsbac_kfree(target_type_name);
00837 rsbac_kfree(target_id_name);
00838 #ifdef CONFIG_RSBAC_SOFTMODE
00839 if( !rsbac_softmode
00840 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00841 && !rsbac_ind_softmode[ACL]
00842 #endif
00843 )
00844 #endif
00845 return(-EPERM);
00846 }
00847 }
00848 if(rights & RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR)
00849 {
00850
00851 if(!rsbac_acl_check_super(target, tid, user))
00852 {
00853 char * subject_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00854 char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00855 #ifdef CONFIG_RSBAC_LOG_FULL_PATH
00856 char * target_id_name
00857 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
00858
00859 #else
00860 char * target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
00861
00862 #endif
00863
00864 get_acl_subject_type_name(subject_type_name, subj_type);
00865 get_target_name(target_type_name, target, target_id_name, tid);
00866 #ifdef CONFIG_RSBAC_RMSG
00867 rsbac_printk(KERN_INFO
00868 "rsbac_acl_sys_add_to_acl_entry(): adding SUPERVISOR for %s %u to %s %s denied for user %u!\n",
00869 subject_type_name,
00870 subj_id,
00871 target_type_name,
00872 target_id_name,
00873 user);
00874 #endif
00875 #ifndef CONFIG_RSBAC_RMSG_EXCL
00876 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00877 if (!rsbac_nosyslog)
00878 #endif
00879 printk(KERN_INFO
00880 "rsbac_acl_sys_add_to_acl_entry(): adding SUPERVISOR for %s %u to %s %s denied for user %u!\n",
00881 subject_type_name,
00882 subj_id,
00883 target_type_name,
00884 target_id_name,
00885 user);
00886 #endif
00887 rsbac_kfree(subject_type_name);
00888 rsbac_kfree(target_type_name);
00889 rsbac_kfree(target_id_name);
00890 #ifdef CONFIG_RSBAC_SOFTMODE
00891 if( !rsbac_softmode
00892 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00893 && !rsbac_ind_softmode[ACL]
00894 #endif
00895 )
00896 #endif
00897 return(-EPERM);
00898 }
00899 }
00900 }
00901 #endif
00902
00903
00904 err = rsbac_acl_add_to_acl_entry(ta_number, target, tid, subj_type, subj_id, rights, ttl);
00905 if(err)
00906 {
00907 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00908
00909 if(tmp)
00910 {
00911 #ifdef CONFIG_RSBAC_RMSG
00912 rsbac_printk(KERN_WARNING
00913 "rsbac_acl_sys_add_to_acl_entry(): rsbac_acl_add_to_acl_entry() returned error %s!\n",
00914 get_error_name(tmp,err));
00915 #endif
00916 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00917 if (!rsbac_nosyslog)
00918 #endif
00919 printk(KERN_WARNING
00920 "rsbac_acl_sys_add_to_acl_entry(): rsbac_acl_add_to_acl_entry() returned error %s!\n",
00921 get_error_name(tmp,err));
00922 rsbac_kfree(tmp);
00923 }
00924 }
00925 return err;
00926 }
00927
00928 int rsbac_acl_sys_remove_from_acl_entry(
00929 rsbac_list_ta_number_t ta_number,
00930 enum rsbac_target_t target,
00931 union rsbac_target_id_t tid,
00932 enum rsbac_acl_subject_type_t subj_type,
00933 rsbac_acl_subject_id_t subj_id,
00934 rsbac_acl_rights_vector_t rights)
00935 {
00936 int err=0;
00937
00938 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
00939
00940 if( (target == T_NETOBJ)
00941 && tid.netobj.sock_p
00942 && ( tid.netobj.remote_addr
00943 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00944 || !tid.netobj.sock_p->file
00945 || !tid.netobj.sock_p->file->f_dentry
00946 || !tid.netobj.sock_p->file->f_dentry->d_inode
00947 || (SOCKET_I(tid.netobj.sock_p->file->f_dentry->d_inode) != tid.netobj.sock_p)
00948 #else
00949 || !tid.netobj.sock_p->inode
00950 || (&(tid.netobj.sock_p->inode->u.socket_i) != tid.netobj.sock_p)
00951 #endif
00952 )
00953 )
00954 return -RSBAC_EINVALIDTARGET;
00955 #endif
00956
00957
00958 #if !defined(CONFIG_RSBAC_MAINT)
00959 #ifdef CONFIG_RSBAC_SWITCH
00960 if(rsbac_switch_acl)
00961 #endif
00962 {
00963 rsbac_uid_t user;
00964
00965 if(rsbac_get_owner(&user))
00966 return -RSBAC_EREADFAILED;
00967
00968 if(!rsbac_acl_check_right(target, tid, user, current->pid, ACLR_ACCESS_CONTROL))
00969 {
00970 char * rights_string = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00971 char * subject_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00972 char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00973 #ifdef CONFIG_RSBAC_LOG_FULL_PATH
00974 char * target_id_name
00975 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
00976
00977 #else
00978 char * target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
00979
00980 #endif
00981
00982 u64tostracl(rights_string, rights);
00983 get_acl_subject_type_name(subject_type_name, subj_type);
00984 get_target_name(target_type_name, target, target_id_name, tid);
00985 #ifdef CONFIG_RSBAC_RMSG
00986 rsbac_printk(KERN_INFO
00987 "rsbac_acl_sys_remove_from_acl_entry(): removing rights %s for %s %u to %s %s denied for user %u!\n",
00988 rights_string,
00989 subject_type_name,
00990 subj_id,
00991 target_type_name,
00992 target_id_name,
00993 user);
00994 #endif
00995 #ifndef CONFIG_RSBAC_RMSG_EXCL
00996 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00997 if (!rsbac_nosyslog)
00998 #endif
00999 printk(KERN_INFO
01000 "rsbac_acl_sys_remove_from_acl_entry(): removing rights %s for %s %u to %s %s denied for user %u!\n",
01001 rights_string,
01002 subject_type_name,
01003 subj_id,
01004 target_type_name,
01005 target_id_name,
01006 user);
01007 #endif
01008 rsbac_kfree(rights_string);
01009 rsbac_kfree(subject_type_name);
01010 rsbac_kfree(target_type_name);
01011 rsbac_kfree(target_id_name);
01012 #ifdef CONFIG_RSBAC_SOFTMODE
01013 if( !rsbac_softmode
01014 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01015 && !rsbac_ind_softmode[ACL]
01016 #endif
01017 )
01018 #endif
01019 return(-EPERM);
01020 }
01021 if(rights & RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR)
01022 {
01023
01024 if(!rsbac_acl_check_super(target, tid, user))
01025 {
01026 char * subject_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01027 char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01028 #ifdef CONFIG_RSBAC_LOG_FULL_PATH
01029 char * target_id_name
01030 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
01031
01032 #else
01033 char * target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
01034
01035 #endif
01036
01037 get_acl_subject_type_name(subject_type_name, subj_type);
01038 get_target_name(target_type_name, target, target_id_name, tid);
01039 #ifdef CONFIG_RSBAC_RMSG
01040 rsbac_printk(KERN_INFO
01041 "rsbac_acl_sys_remove_from_acl_entry(): removing SUPERVISOR for %s %u to %s %s denied for user %u!\n",
01042 subject_type_name,
01043 subj_id,
01044 target_type_name,
01045 target_id_name,
01046 user);
01047 #endif
01048 #ifndef CONFIG_RSBAC_RMSG_EXCL
01049 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01050 if (!rsbac_nosyslog)
01051 #endif
01052 printk(KERN_INFO
01053 "rsbac_acl_sys_remove_from_acl_entry(): removing SUPERVISOR for %s %u to %s %s denied for user %u!\n",
01054 subject_type_name,
01055 subj_id,
01056 target_type_name,
01057 target_id_name,
01058 user);
01059 #endif
01060 rsbac_kfree(subject_type_name);
01061 rsbac_kfree(target_type_name);
01062 rsbac_kfree(target_id_name);
01063 #ifdef CONFIG_RSBAC_SOFTMODE
01064 if( !rsbac_softmode
01065 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01066 && !rsbac_ind_softmode[ACL]
01067 #endif
01068 )
01069 #endif
01070 return(-EPERM);
01071 }
01072 }
01073 }
01074 #endif
01075
01076
01077 err = rsbac_acl_remove_from_acl_entry(ta_number, target, tid, subj_type, subj_id, rights);
01078 if(err)
01079 {
01080 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01081
01082 if(tmp)
01083 {
01084 #ifdef CONFIG_RSBAC_RMSG
01085 rsbac_printk(KERN_WARNING
01086 "rsbac_acl_sys_remove_from_acl_entry(): rsbac_acl_remove_from_acl_entry() returned error %s!\n",
01087 get_error_name(tmp,err));
01088 #endif
01089 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01090 if (!rsbac_nosyslog)
01091 #endif
01092 printk(KERN_WARNING
01093 "rsbac_acl_sys_remove_from_acl_entry(): rsbac_acl_remove_from_acl_entry() returned error %s!\n",
01094 get_error_name(tmp,err));
01095 rsbac_kfree(tmp);
01096 }
01097 }
01098 return err;
01099 }
01100
01101 int rsbac_acl_sys_set_mask(
01102 rsbac_list_ta_number_t ta_number,
01103 enum rsbac_target_t target,
01104 union rsbac_target_id_t tid,
01105 rsbac_acl_rights_vector_t mask)
01106 {
01107 int err=0;
01108
01109
01110 #if !defined(CONFIG_RSBAC_MAINT) || defined (CONFIG_RSBAC_ACL_SUPER_FILTER)
01111 rsbac_uid_t user;
01112
01113 if(rsbac_get_owner(&user))
01114 return -RSBAC_EREADFAILED;
01115 #endif
01116
01117 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
01118
01119 if( (target == T_NETOBJ)
01120 && tid.netobj.sock_p
01121 && ( tid.netobj.remote_addr
01122 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01123 || !tid.netobj.sock_p->file
01124 || !tid.netobj.sock_p->file->f_dentry
01125 || !tid.netobj.sock_p->file->f_dentry->d_inode
01126 || (SOCKET_I(tid.netobj.sock_p->file->f_dentry->d_inode) != tid.netobj.sock_p)
01127 #else
01128 || !tid.netobj.sock_p->inode
01129 || (&(tid.netobj.sock_p->inode->u.socket_i) != tid.netobj.sock_p)
01130 #endif
01131 )
01132 )
01133 return -RSBAC_EINVALIDTARGET;
01134 #endif
01135
01136 #if !defined(CONFIG_RSBAC_MAINT)
01137 #ifdef CONFIG_RSBAC_SWITCH
01138 if(rsbac_switch_acl)
01139 #endif
01140 {
01141
01142 if(!rsbac_acl_check_right(target, tid, user, current->pid, ACLR_ACCESS_CONTROL))
01143 {
01144 char * rights_string = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01145 char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01146 #ifdef CONFIG_RSBAC_LOG_FULL_PATH
01147 char * target_id_name
01148 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
01149
01150 #else
01151 char * target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
01152
01153 #endif
01154
01155 u64tostracl(rights_string, mask);
01156 get_target_name(target_type_name, target, target_id_name, tid);
01157 #ifdef CONFIG_RSBAC_RMSG
01158 rsbac_printk(KERN_INFO
01159 "rsbac_acl_sys_set_mask(): setting mask %s for %s %s denied for user %u!\n",
01160 rights_string,
01161 target_type_name,
01162 target_id_name,
01163 user);
01164 #endif
01165 #ifndef CONFIG_RSBAC_RMSG_EXCL
01166 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01167 if (!rsbac_nosyslog)
01168 #endif
01169 printk(KERN_INFO
01170 "rsbac_acl_sys_set_mask(): setting mask %s for %s %s denied for user %u!\n",
01171 rights_string,
01172 target_type_name,
01173 target_id_name,
01174 user);
01175 #endif
01176 rsbac_kfree(rights_string);
01177 rsbac_kfree(target_type_name);
01178 rsbac_kfree(target_id_name);
01179 #ifdef CONFIG_RSBAC_SOFTMODE
01180 if( !rsbac_softmode
01181 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01182 && !rsbac_ind_softmode[ACL]
01183 #endif
01184 )
01185 #endif
01186 return(-EPERM);
01187 }
01188 }
01189 #endif
01190
01191 #ifdef CONFIG_RSBAC_ACL_SUPER_FILTER
01192 if(!(mask & RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR))
01193 {
01194 rsbac_acl_rights_vector_t res_rights = 0;
01195
01196
01197
01198 err = rsbac_acl_get_rights(0, target, tid, ACLS_USER, user, &res_rights, FALSE);
01199 if(err)
01200 return -RSBAC_EREADFAILED;
01201 if(!(res_rights & RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR))
01202 mask |= RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR;
01203 }
01204 #else
01205
01206 mask |= RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR;
01207 #endif
01208
01209
01210 err = rsbac_acl_set_mask(ta_number, target, tid, mask);
01211 if(err)
01212 {
01213 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01214
01215 if(tmp)
01216 {
01217 #ifdef CONFIG_RSBAC_RMSG
01218 rsbac_printk(KERN_WARNING
01219 "rsbac_acl_sys_set_mask(): rsbac_acl_set_mask() returned error %s!\n",
01220 get_error_name(tmp,err));
01221 #endif
01222 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01223 if (!rsbac_nosyslog)
01224 #endif
01225 printk(KERN_WARNING
01226 "rsbac_acl_sys_set_mask(): rsbac_acl_set_mask() returned error %s!\n",
01227 get_error_name(tmp,err));
01228 rsbac_kfree(tmp);
01229 }
01230 }
01231 return err;
01232 }
01233
01234 int rsbac_acl_sys_remove_user(
01235 rsbac_list_ta_number_t ta_number,
01236 rsbac_uid_t uid)
01237 {
01238 int err=0;
01239
01240
01241 #if !defined(CONFIG_RSBAC_MAINT)
01242 #ifdef CONFIG_RSBAC_SWITCH
01243 if(rsbac_switch_acl)
01244 #endif
01245 {
01246 rsbac_uid_t user;
01247 union rsbac_target_id_t tid;
01248
01249 if(rsbac_get_owner(&user))
01250 return -RSBAC_EREADFAILED;
01251 tid.user = uid;
01252
01253 if(!rsbac_acl_check_right(T_USER, tid, user, current->pid, R_DELETE))
01254 {
01255 #ifdef CONFIG_RSBAC_RMSG
01256 rsbac_printk(KERN_INFO
01257 "rsbac_acl_sys_remove_user(): removing all data for user %u denied for user %u!\n",
01258 uid,
01259 user);
01260 #endif
01261 #ifndef CONFIG_RSBAC_RMSG_EXCL
01262 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01263 if (!rsbac_nosyslog)
01264 #endif
01265 printk(KERN_INFO
01266 "rsbac_acl_sys_remove_user(): removing all data for user %u denied for user %u!\n",
01267 uid,
01268 user);
01269 #endif
01270 #ifdef CONFIG_RSBAC_SOFTMODE
01271 if( !rsbac_softmode
01272 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01273 && !rsbac_ind_softmode[ACL]
01274 #endif
01275 )
01276 #endif
01277 return(-EPERM);
01278 }
01279 }
01280 #endif
01281
01282 #ifdef CONFIG_RSBAC_RMSG
01283 rsbac_printk(KERN_INFO
01284 "rsbac_acl_sys_remove_user(): removing all data for user %u!\n",
01285 uid);
01286 #endif
01287 #ifndef CONFIG_RSBAC_RMSG_EXCL
01288 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01289 if (!rsbac_nosyslog)
01290 #endif
01291 printk(KERN_INFO
01292 "rsbac_acl_sys_remove_user(): removing all data for user %u!\n",
01293 uid);
01294 #endif
01295
01296 err = rsbac_acl_remove_user(ta_number, uid);
01297 if(err)
01298 {
01299 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01300
01301 if(tmp)
01302 {
01303 #ifdef CONFIG_RSBAC_RMSG
01304 rsbac_printk(KERN_WARNING
01305 "rsbac_acl_sys_remove_user(): rsbac_acl_remove_user() returned error %s!\n",
01306 get_error_name(tmp,err));
01307 #endif
01308 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01309 if (!rsbac_nosyslog)
01310 #endif
01311 printk(KERN_WARNING
01312 "rsbac_acl_sys_remove_user(): rsbac_acl_remove_user() returned error %s!\n",
01313 get_error_name(tmp,err));
01314 rsbac_kfree(tmp);
01315 }
01316 }
01317 return err;
01318 }
01319
01320
01321
01322 int rsbac_acl_sys_get_mask(
01323 rsbac_list_ta_number_t ta_number,
01324 enum rsbac_target_t target,
01325 union rsbac_target_id_t tid,
01326 rsbac_acl_rights_vector_t * mask_p)
01327 {
01328 int err=0;
01329
01330
01331
01332
01333 err = rsbac_acl_get_mask(ta_number, target, tid, mask_p);
01334 if(err)
01335 {
01336 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01337
01338 if(tmp)
01339 {
01340 #ifdef CONFIG_RSBAC_RMSG
01341 rsbac_printk(KERN_WARNING
01342 "rsbac_acl_sys_get_mask(): rsbac_acl_get_mask() returned error %s!\n",
01343 get_error_name(tmp,err));
01344 #endif
01345 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01346 if (!rsbac_nosyslog)
01347 #endif
01348 printk(KERN_WARNING
01349 "rsbac_acl_sys_get_mask(): rsbac_acl_get_mask() returned error %s!\n",
01350 get_error_name(tmp,err));
01351 rsbac_kfree(tmp);
01352 }
01353 }
01354 return err;
01355 }
01356
01357 int rsbac_acl_sys_get_rights(
01358 rsbac_list_ta_number_t ta_number,
01359 enum rsbac_target_t target,
01360 union rsbac_target_id_t tid,
01361 enum rsbac_acl_subject_type_t subj_type,
01362 rsbac_acl_subject_id_t subj_id,
01363 rsbac_acl_rights_vector_t * rights_p,
01364 rsbac_boolean_t effective)
01365 {
01366 int err=0;
01367 rsbac_acl_rights_vector_t res_rights;
01368 #if defined(CONFIG_RSBAC_RC)
01369 union rsbac_target_id_t i_tid;
01370 union rsbac_attribute_value_t i_attr_val1;
01371 #endif
01372
01373
01374
01375 if( (subj_type == ACLS_USER)
01376 && (subj_id == RSBAC_NO_USER)
01377 )
01378 rsbac_get_owner((rsbac_uid_t *) &subj_id);
01379
01380 if(effective)
01381 {
01382
01383 res_rights = 0;
01384 err = rsbac_acl_get_rights(ta_number, target, tid, subj_type, subj_id, &res_rights, TRUE);
01385 if(err)
01386 {
01387 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01388
01389 if(tmp)
01390 {
01391 #ifdef CONFIG_RSBAC_RMSG
01392 rsbac_printk(KERN_WARNING
01393 "rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n",
01394 get_error_name(tmp,err));
01395 #endif
01396 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01397 if (!rsbac_nosyslog)
01398 #endif
01399 printk(KERN_WARNING
01400 "rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n",
01401 get_error_name(tmp,err));
01402 rsbac_kfree(tmp);
01403 }
01404 return err;
01405 }
01406 *rights_p = res_rights;
01407
01408 if(subj_type == ACLS_USER)
01409 {
01410 rsbac_acl_group_id_t * group_p;
01411 int i;
01412 int tmperr;
01413
01414
01415 res_rights = 0;
01416 err = rsbac_acl_get_rights(ta_number, target, tid,
01417 ACLS_GROUP, RSBAC_ACL_GROUP_EVERYONE,
01418 &res_rights, TRUE);
01419 if(err)
01420 {
01421 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01422
01423 if(tmp)
01424 {
01425 #ifdef CONFIG_RSBAC_RMSG
01426 rsbac_printk(KERN_WARNING
01427 "rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n",
01428 get_error_name(tmp,err));
01429 #endif
01430 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01431 if (!rsbac_nosyslog)
01432 #endif
01433 printk(KERN_WARNING
01434 "rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n",
01435 get_error_name(tmp,err));
01436 rsbac_kfree(tmp);
01437 }
01438 return err;
01439 }
01440 *rights_p |= res_rights;
01441
01442
01443
01444 group_p = NULL;
01445 err = rsbac_acl_get_user_groups(ta_number, subj_id, &group_p, NULL);
01446 if(err<0)
01447 {
01448 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01449
01450 if(tmp)
01451 {
01452 #ifdef CONFIG_RSBAC_RMSG
01453 rsbac_printk(KERN_WARNING
01454 "rsbac_acl_sys_get_rights(): rsbac_acl_get_user_groups() returned error %s!\n",
01455 get_error_name(tmp,err));
01456 #endif
01457 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01458 if (!rsbac_nosyslog)
01459 #endif
01460 printk(KERN_WARNING
01461 "rsbac_acl_sys_get_rights(): rsbac_acl_get_user_groups() returned error %s!\n",
01462 get_error_name(tmp,err));
01463 rsbac_kfree(tmp);
01464 }
01465 return err;
01466 }
01467 for(i=0; i<err; i++)
01468 {
01469 res_rights = 0;
01470 tmperr = rsbac_acl_get_rights(ta_number, target, tid, ACLS_GROUP, group_p[i],
01471 &res_rights, TRUE);
01472 if(tmperr)
01473 {
01474 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01475
01476 if(tmp)
01477 {
01478 #ifdef CONFIG_RSBAC_RMSG
01479 rsbac_printk(KERN_WARNING
01480 "rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n",
01481 get_error_name(tmp,err));
01482 #endif
01483 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01484 if (!rsbac_nosyslog)
01485 #endif
01486 printk(KERN_WARNING
01487 "rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n",
01488 get_error_name(tmp,err));
01489 rsbac_kfree(tmp);
01490 }
01491 if(group_p)
01492 rsbac_vfree(group_p);
01493 return tmperr;
01494 }
01495 *rights_p |= res_rights;
01496 }
01497 err = 0;
01498 if(group_p)
01499 rsbac_vfree(group_p);
01500
01501 #if defined(CONFIG_RSBAC_RC)
01502
01503
01504 i_tid.user = subj_id;
01505 if (rsbac_get_attr(RC,
01506 T_USER,
01507 i_tid,
01508 A_rc_def_role,
01509 &i_attr_val1,
01510 FALSE))
01511 {
01512 #ifdef CONFIG_RSBAC_RMSG
01513 rsbac_printk(KERN_WARNING
01514 "rsbac_acl_sys_get_rights(): rsbac_get_attr() for process rc_role returned error!\n");
01515 #endif
01516 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01517 if (!rsbac_nosyslog)
01518 #endif
01519 printk(KERN_WARNING
01520 "rsbac_acl_sys_get_rights(): rsbac_get_attr() for process rc_role returned error!\n");
01521 }
01522 else
01523 {
01524 res_rights = 0;
01525 err = rsbac_acl_get_rights(ta_number, target, tid,
01526 ACLS_ROLE, i_attr_val1.rc_role,
01527 &res_rights, TRUE);
01528 if(err)
01529 {
01530 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01531
01532 if(tmp)
01533 {
01534 get_error_name(tmp,err);
01535 #ifdef CONFIG_RSBAC_RMSG
01536 rsbac_printk(KERN_WARNING
01537 "rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n",
01538 tmp);
01539 #endif
01540 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01541 if (!rsbac_nosyslog)
01542 #endif
01543 printk(KERN_WARNING
01544 "rsbac_acl_sys_get_rights(): rsbac_acl_get_rights() returned error %s!\n",
01545 tmp);
01546 rsbac_kfree(tmp);
01547 }
01548 return err;
01549 }
01550 *rights_p |= res_rights;
01551 }
01552 #endif
01553
01554
01555 if( !(*rights_p & RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR)
01556 && rsbac_acl_check_super(target, tid, subj_id)
01557 )
01558 *rights_p |= RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR;
01559 }
01560 else
01561 {
01562 if(!(*rights_p & RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR))
01563 {
01564 rsbac_boolean_t i_result = FALSE;
01565
01566
01567
01568 err = rsbac_acl_get_single_right(target,
01569 tid,
01570 subj_type,
01571 subj_id,
01572 ACLR_SUPERVISOR,
01573 &i_result);
01574 if(err)
01575 {
01576 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01577
01578 if(tmp)
01579 {
01580 #ifdef CONFIG_RSBAC_RMSG
01581 rsbac_printk(KERN_WARNING
01582 "rsbac_acl_sys_get_rights(): rsbac_acl_get_right() returned error %s!\n",
01583 get_error_name(tmp,err));
01584 #endif
01585 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01586 if (!rsbac_nosyslog)
01587 #endif
01588 printk(KERN_WARNING
01589 "rsbac_acl_sys_get_rights(): rsbac_acl_get_right() returned error %s!\n",
01590 get_error_name(tmp,err));
01591 rsbac_kfree(tmp);
01592 }
01593 }
01594 else
01595 if(i_result)
01596 *rights_p |= RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR;
01597 }
01598 }
01599 }
01600 else
01601 {
01602
01603 res_rights = 0;
01604 err = rsbac_acl_get_rights(ta_number, target, tid, subj_type, subj_id, &res_rights, FALSE);
01605 if(!err)
01606 *rights_p = res_rights;
01607 }
01608 return err;
01609 }
01610
01611 int rsbac_acl_sys_get_tlist(
01612 rsbac_list_ta_number_t ta_number,
01613 enum rsbac_target_t target,
01614 union rsbac_target_id_t tid,
01615 struct rsbac_acl_entry_t ** entry_pp,
01616 rsbac_time_t ** ttl_pp)
01617 {
01618 int err=0;
01619
01620
01621
01622
01623 err = rsbac_acl_get_tlist(ta_number, target, tid, entry_pp, ttl_pp);
01624 if(err == -RSBAC_ENOTFOUND)
01625 err = 0;
01626 else
01627 if(err<0)
01628 {
01629 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01630
01631 if(tmp)
01632 {
01633 #ifdef CONFIG_RSBAC_RMSG
01634 rsbac_printk(KERN_WARNING
01635 "rsbac_acl_sys_get_tlist(): rsbac_acl_get_tlist() returned error %s!\n",
01636 get_error_name(tmp,err));
01637 #endif
01638 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01639 if (!rsbac_nosyslog)
01640 #endif
01641 printk(KERN_WARNING
01642 "rsbac_acl_sys_get_tlist(): rsbac_acl_get_tlist() returned error %s!\n",
01643 get_error_name(tmp,err));
01644 rsbac_kfree(tmp);
01645 }
01646 }
01647 return err;
01648 }
01649
01650
01651
01652 int rsbac_acl_sys_group(
01653 rsbac_list_ta_number_t ta_number,
01654 enum rsbac_acl_group_syscall_type_t call,
01655 union rsbac_acl_group_syscall_arg_t arg)
01656 {
01657 int err = -RSBAC_EINVALIDREQUEST;
01658 char * k_name;
01659 rsbac_acl_group_id_t k_group;
01660 struct rsbac_acl_group_entry_t entry;
01661 rsbac_uid_t caller;
01662
01663 if(call >= ACLGS_none)
01664 return -RSBAC_EINVALIDREQUEST;
01665 if(rsbac_get_owner(&caller))
01666 return -RSBAC_EREADFAILED;
01667
01668 #ifdef CONFIG_RSBAC_DEBUG
01669 if(rsbac_debug_aef_acl)
01670 {
01671 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01672
01673 if(tmp)
01674 {
01675 #ifdef CONFIG_RSBAC_RMSG
01676 rsbac_printk(KERN_DEBUG
01677 "rsbac_acl_sys_group(): %s called\n",
01678 get_acl_group_syscall_name(tmp,call));
01679 #endif
01680 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01681 if (!rsbac_nosyslog)
01682 #endif
01683 printk(KERN_DEBUG
01684 "rsbac_acl_sys_group(): %s called\n",
01685 get_acl_group_syscall_name(tmp,call));
01686 rsbac_kfree(tmp);
01687 }
01688 }
01689 #endif
01690
01691 switch(call)
01692 {
01693 case ACLGS_add_group:
01694 if(arg.add_group.type >= ACLG_NONE)
01695 {
01696 err = -RSBAC_EINVALIDVALUE;
01697 break;
01698 }
01699 k_name = rsbac_getname(arg.add_group.name);
01700 if(!k_name)
01701 {
01702 err = -RSBAC_EINVALIDVALUE;
01703 break;
01704 }
01705 err = rsbac_get_user((char *)&k_group, (char *)arg.add_group.group_id_p, sizeof(k_group));
01706 if(err)
01707 break;
01708 err = rsbac_acl_add_group(ta_number,
01709 caller,
01710 arg.add_group.type,
01711 k_name,
01712 &k_group);
01713 rsbac_putname(k_name);
01714 if(!err)
01715 err = rsbac_put_user((char *)&k_group, (char *) arg.add_group.group_id_p, sizeof(k_group));
01716 break;
01717
01718 case ACLGS_change_group:
01719 if(arg.change_group.type >= ACLG_NONE)
01720 {
01721 err = -RSBAC_EINVALIDVALUE;
01722 break;
01723 }
01724 err = rsbac_acl_get_group_entry(ta_number, arg.change_group.id, &entry);
01725 if(err)
01726 break;
01727
01728 #if !defined(CONFIG_RSBAC_MAINT)
01729 #ifdef CONFIG_RSBAC_SWITCH
01730 if(rsbac_switch_acl)
01731 #endif
01732 {
01733 if(entry.owner != caller)
01734 {
01735 #ifdef CONFIG_RSBAC_RMSG
01736 rsbac_printk(KERN_INFO
01737 "rsbac_acl_group(): changing group %u denied for user %u - not owner!\n",
01738 entry.id,
01739 caller);
01740 #endif
01741 #ifndef CONFIG_RSBAC_RMSG_EXCL
01742 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01743 if (!rsbac_nosyslog)
01744 #endif
01745 printk(KERN_INFO
01746 "rsbac_acl_group(): changing group %u denied for user %u - not owner!\n",
01747 entry.id,
01748 caller);
01749 #endif
01750 err = -EPERM;
01751 break;
01752 }
01753 }
01754 #endif
01755 {
01756 char * k_name;
01757
01758 k_name = rsbac_getname(arg.change_group.name);
01759 if(k_name)
01760 {
01761 err = rsbac_acl_change_group(ta_number,
01762 arg.change_group.id,
01763 arg.change_group.owner,
01764 arg.change_group.type,
01765 k_name);
01766 putname(k_name);
01767 }
01768 else
01769 err = -RSBAC_EINVALIDVALUE;
01770 }
01771 break;
01772
01773 case ACLGS_remove_group:
01774 err = rsbac_acl_get_group_entry(ta_number, arg.remove_group.id, &entry);
01775 if(err)
01776 break;
01777
01778 #if !defined(CONFIG_RSBAC_MAINT)
01779 #ifdef CONFIG_RSBAC_SWITCH
01780 if(rsbac_switch_acl)
01781 #endif
01782 {
01783 if(entry.owner != caller)
01784 {
01785 #ifdef CONFIG_RSBAC_RMSG
01786 rsbac_printk(KERN_INFO
01787 "rsbac_acl_group(): removing group %u denied for user %u - not owner!\n",
01788 entry.id,
01789 caller);
01790 #endif
01791 #ifndef CONFIG_RSBAC_RMSG_EXCL
01792 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01793 if (!rsbac_nosyslog)
01794 #endif
01795 printk(KERN_INFO
01796 "rsbac_acl_group(): removing group %u denied for user %u - not owner!\n",
01797 entry.id,
01798 caller);
01799 #endif
01800 err = -EPERM;
01801 break;
01802 }
01803 }
01804 #endif
01805 err = rsbac_acl_remove_group(ta_number, arg.remove_group.id);
01806 break;
01807
01808 case ACLGS_get_group_entry:
01809 if(!arg.get_group_entry.entry_p)
01810 {
01811 err = -RSBAC_EINVALIDPOINTER;
01812 break;
01813 }
01814 if(!arg.get_group_entry.id)
01815 {
01816 entry.id=0;
01817 entry.owner=RSBAC_NO_USER;
01818 entry.type=ACLG_GLOBAL;
01819 strcpy(entry.name, "Everyone");
01820 err=0;
01821 }
01822 else
01823 {
01824 err = rsbac_acl_get_group_entry(ta_number,
01825 arg.get_group_entry.id,
01826 &entry);
01827 }
01828 if(!err)
01829 {
01830 if( (entry.owner != caller)
01831 &&(entry.type != ACLG_GLOBAL)
01832 )
01833 {
01834 #ifdef CONFIG_RSBAC_RMSG
01835 rsbac_printk(KERN_INFO
01836 "rsbac_acl_group(): getting group entry %u denied for user %u - neither owner nor global!\n",
01837 entry.id,
01838 caller);
01839 #endif
01840 #ifndef CONFIG_RSBAC_RMSG_EXCL
01841 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01842 if (!rsbac_nosyslog)
01843 #endif
01844 printk(KERN_INFO
01845 "rsbac_acl_group(): getting group entry %u denied for user %u - neither owner nor global!\n",
01846 entry.id,
01847 caller);
01848 #endif
01849 err = -EPERM;
01850 }
01851 else
01852 err = rsbac_put_user((char *)&entry, (char *)arg.get_group_entry.entry_p, sizeof(entry));
01853 }
01854 break;
01855
01856 case ACLGS_list_groups:
01857 if(arg.list_groups.maxnum <= 0)
01858 {
01859 err = -RSBAC_EINVALIDVALUE;
01860 break;
01861 }
01862 if(!arg.list_groups.group_entry_array)
01863 {
01864 err = -RSBAC_EINVALIDPOINTER;
01865 break;
01866 }
01867 {
01868 struct rsbac_acl_group_entry_t * entry_p;
01869 int tmperr=0;
01870
01871 if(arg.list_groups.include_global)
01872 {
01873 struct rsbac_acl_group_entry_t entry_0;
01874
01875 entry_0.id=0;
01876 entry_0.owner=RSBAC_NO_USER;
01877 entry_0.type=ACLG_GLOBAL;
01878 strcpy(entry_0.name, "Everyone");
01879 tmperr = rsbac_put_user((char *) &entry_0,
01880 (char *) arg.list_groups.group_entry_array,
01881 sizeof(entry_0));
01882 if(tmperr)
01883 {
01884 err = tmperr;
01885 break;
01886 }
01887 else
01888 err = 1;
01889 arg.list_groups.maxnum--;
01890 arg.list_groups.group_entry_array++;
01891 }
01892 else
01893 err = 0;
01894
01895 if(arg.list_groups.maxnum)
01896 {
01897 long count;
01898
01899 count = rsbac_acl_list_groups(ta_number,
01900 caller,
01901 arg.list_groups.include_global,
01902 &entry_p);
01903 if(count>0)
01904 {
01905 if(count > arg.list_groups.maxnum)
01906 count = arg.list_groups.maxnum;
01907 err+=count;
01908 tmperr = rsbac_put_user((char *)entry_p,
01909 ((char *)arg.list_groups.group_entry_array),
01910 count * sizeof(*entry_p));
01911 if(tmperr)
01912 err=tmperr;
01913 rsbac_vfree(entry_p);
01914 }
01915 else
01916 if(count < 0)
01917 err=count;
01918 }
01919 }
01920 break;
01921
01922 case ACLGS_add_member:
01923
01924 #if !defined(CONFIG_RSBAC_MAINT)
01925 #ifdef CONFIG_RSBAC_SWITCH
01926 if(rsbac_switch_acl)
01927 #endif
01928 {
01929 err = rsbac_acl_get_group_entry(ta_number, arg.add_member.group, &entry);
01930 if(err)
01931 break;
01932 if(entry.owner != caller)
01933 {
01934 #ifdef CONFIG_RSBAC_RMSG
01935 rsbac_printk(KERN_INFO
01936 "rsbac_acl_group(): adding group member to group %u denied for user %u - not owner!\n",
01937 entry.id,
01938 caller);
01939 #endif
01940 #ifndef CONFIG_RSBAC_RMSG_EXCL
01941 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01942 if (!rsbac_nosyslog)
01943 #endif
01944 printk(KERN_INFO
01945 "rsbac_acl_group(): adding group member to group %u denied for user %u - not owner!\n",
01946 entry.id,
01947 caller);
01948 #endif
01949 err = -EPERM;
01950 break;
01951 }
01952 }
01953 #endif
01954 err = rsbac_acl_add_group_member(ta_number,
01955 arg.add_member.group,
01956 arg.add_member.user,
01957 arg.add_member.ttl);
01958 break;
01959
01960 case ACLGS_remove_member:
01961
01962 #if !defined(CONFIG_RSBAC_MAINT)
01963 #ifdef CONFIG_RSBAC_SWITCH
01964 if(rsbac_switch_acl)
01965 #endif
01966 {
01967 err = rsbac_acl_get_group_entry(ta_number, arg.remove_member.group, &entry);
01968 if(err)
01969 break;
01970 if(entry.owner != caller)
01971 {
01972 #ifdef CONFIG_RSBAC_RMSG
01973 rsbac_printk(KERN_INFO
01974 "rsbac_acl_group(): removing group member from group %u denied for user %u - not owner!\n",
01975 entry.id,
01976 caller);
01977 #endif
01978 #ifndef CONFIG_RSBAC_RMSG_EXCL
01979 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01980 if (!rsbac_nosyslog)
01981 #endif
01982 printk(KERN_INFO
01983 "rsbac_acl_group(): removing group member from group %u denied for user %u - not owner!\n",
01984 entry.id,
01985 caller);
01986 #endif
01987 err = -EPERM;
01988 break;
01989 }
01990 }
01991 #endif
01992 err = rsbac_acl_remove_group_member(ta_number, arg.remove_member.group, arg.remove_member.user);
01993 break;
01994
01995 case ACLGS_get_user_groups:
01996 {
01997 rsbac_acl_group_id_t * group_p = NULL;
01998 rsbac_time_t * ttl_p = NULL;
01999
02000 if(arg.get_user_groups.maxnum <= 0)
02001 {
02002 err = -RSBAC_EINVALIDVALUE;
02003 break;
02004 }
02005 if(!arg.get_user_groups.group_array)
02006 {
02007 err = -RSBAC_EINVALIDPOINTER;
02008 break;
02009 }
02010 if(arg.get_user_groups.user == RSBAC_NO_USER)
02011 arg.get_user_groups.user = caller;
02012 #if !defined(CONFIG_RSBAC_MAINT)
02013 else
02014 #ifdef CONFIG_RSBAC_SWITCH
02015 if(rsbac_switch_acl)
02016 #endif
02017 {
02018 if(arg.get_user_groups.user != caller)
02019 {
02020 #ifdef CONFIG_RSBAC_RMSG
02021 rsbac_printk(KERN_INFO
02022 "rsbac_acl_group(): getting user groups for user %u denied for user %u!\n",
02023 arg.get_user_groups.user,
02024 caller);
02025 #endif
02026 #ifndef CONFIG_RSBAC_RMSG_EXCL
02027 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02028 if (!rsbac_nosyslog)
02029 #endif
02030 printk(KERN_INFO
02031 "rsbac_acl_group(): getting user groups for user %u denied for user %u!\n",
02032 arg.get_user_groups.user,
02033 caller);
02034 #endif
02035 err = -EPERM;
02036 break;
02037 }
02038 }
02039 #endif
02040 err = rsbac_acl_get_user_groups(ta_number, arg.get_user_groups.user, &group_p, &ttl_p);
02041 if(err>0)
02042 {
02043 int tmperr;
02044
02045 err = rsbac_min(err, arg.get_user_groups.maxnum);
02046 tmperr = rsbac_put_user((char *)group_p,
02047 (char *)arg.get_user_groups.group_array,
02048 err * sizeof(*group_p));
02049 if(tmperr)
02050 err=tmperr;
02051 if(arg.get_user_groups.ttl_array)
02052 {
02053 tmperr = rsbac_put_user((char *)ttl_p,
02054 (char *)arg.get_user_groups.ttl_array,
02055 err * sizeof(*ttl_p));
02056 if(tmperr)
02057 err=tmperr;
02058 }
02059 }
02060 if(group_p)
02061 rsbac_vfree(group_p);
02062 if(ttl_p)
02063 rsbac_vfree(ttl_p);
02064 break;
02065 }
02066
02067 case ACLGS_get_group_members:
02068 if( (arg.get_group_members.maxnum <= 0)
02069 || !arg.get_group_members.group
02070 )
02071 {
02072 err = -RSBAC_EINVALIDVALUE;
02073 break;
02074 }
02075 if(arg.get_group_members.maxnum > RSBAC_ACL_MAX_MAXNUM)
02076 arg.get_group_members.maxnum = RSBAC_ACL_MAX_MAXNUM;
02077 if(!arg.get_group_members.user_array)
02078 {
02079 err = -RSBAC_EINVALIDPOINTER;
02080 break;
02081 }
02082 err = rsbac_acl_get_group_entry(ta_number,
02083 arg.get_group_members.group,
02084 &entry);
02085 if(err)
02086 break;
02087 if( (entry.owner != caller)
02088 &&(entry.type != ACLG_GLOBAL)
02089 )
02090 {
02091 #ifdef CONFIG_RSBAC_RMSG
02092 rsbac_printk(KERN_INFO
02093 "rsbac_acl_group(): getting group members of group %u denied for user %u - neither owner nor global!\n",
02094 entry.id,
02095 caller);
02096 #endif
02097 #ifndef CONFIG_RSBAC_RMSG_EXCL
02098 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02099 if (!rsbac_nosyslog)
02100 #endif
02101 printk(KERN_INFO
02102 "rsbac_acl_group(): getting group members of group %u denied for user %u - neither owner nor global!\n",
02103 entry.id,
02104 caller);
02105 #endif
02106 err = -EPERM;
02107 break;
02108 }
02109 {
02110 rsbac_uid_t * user_array;
02111 rsbac_time_t * ttl_array;
02112
02113 user_array = rsbac_vmalloc(sizeof(*user_array) * arg.get_group_members.maxnum);
02114 if(!user_array)
02115 return -RSBAC_ENOMEM;
02116 ttl_array = rsbac_vmalloc(sizeof(*ttl_array) * arg.get_group_members.maxnum);
02117 if(!ttl_array)
02118 {
02119 rsbac_vfree(user_array);
02120 return -RSBAC_ENOMEM;
02121 }
02122
02123 err = rsbac_acl_get_group_members(ta_number,
02124 arg.get_group_members.group,
02125 user_array,
02126 ttl_array,
02127 arg.get_group_members.maxnum);
02128 if(err>0)
02129 {
02130 int tmperr;
02131
02132 tmperr = rsbac_put_user((char *)user_array,
02133 (char *)arg.get_group_members.user_array,
02134 err * sizeof(*user_array));
02135 if(tmperr)
02136 err=tmperr;
02137 if(arg.get_group_members.ttl_array)
02138 {
02139 tmperr = rsbac_put_user((char *)ttl_array,
02140 (char *)arg.get_group_members.ttl_array,
02141 err * sizeof(*ttl_array));
02142 if(tmperr)
02143 err=tmperr;
02144 }
02145 }
02146 rsbac_vfree(user_array);
02147 rsbac_vfree(ttl_array);
02148 }
02149 break;
02150
02151 default:
02152 break;
02153 }
02154 #ifdef CONFIG_RSBAC_SOFTMODE
02155 if( ( rsbac_softmode
02156 #ifdef CONFIG_RSBAC_SOFTMODE_IND
02157 || rsbac_ind_softmode[ACL]
02158 #endif
02159 )
02160 && (err == -EPERM)
02161 )
02162 return 0;
02163 else
02164 #endif
02165 return(err);
02166 };
02167
02168
