00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012 #include <linux/string.h>
00013 #include <rsbac/types.h>
00014 #include <rsbac/aci.h>
00015 #include <rsbac/rc.h>
00016 #include <rsbac/adf_main.h>
00017 #include <rsbac/error.h>
00018 #include <rsbac/debug.h>
00019 #include <rsbac/helpers.h>
00020 #include <rsbac/getname.h>
00021 #include <rsbac/rc_getname.h>
00022 #include <rsbac/rkmem.h>
00023
00024
00025
00026
00027
00028
00029
00030
00031
00032 #if !defined(CONFIG_RSBAC_MAINT)
00033
00034 int rsbac_rc_test_role_admin(rsbac_boolean_t modify);
00035
00036 int rsbac_rc_test_admin_roles(rsbac_rc_role_id_t t_role, rsbac_boolean_t modify);
00037
00038 enum rsbac_adf_req_ret_t
00039 rsbac_rc_check_type_comp(enum rsbac_target_t target,
00040 rsbac_rc_type_id_t type,
00041 enum rsbac_adf_request_t request,
00042 rsbac_pid_t caller_pid);
00043 #endif
00044
00045
00046
00047
00048
00049
00050
00051
00052
00053
00054 int rsbac_rc_sys_copy_role(
00055 rsbac_list_ta_number_t ta_number,
00056 rsbac_rc_role_id_t from_role,
00057 rsbac_rc_role_id_t to_role)
00058 {
00059 #if !defined(CONFIG_RSBAC_MAINT)
00060 #ifdef CONFIG_RSBAC_SWITCH
00061 if(rsbac_switch_rc)
00062 #endif
00063 {
00064 int err;
00065
00066 if ( (err=rsbac_rc_test_admin_roles(from_role, TRUE))
00067 && rsbac_rc_test_role_admin(TRUE)
00068 )
00069 {
00070 if(err == -EPERM)
00071 {
00072 rsbac_uid_t user;
00073
00074 if(!rsbac_get_owner(&user))
00075 {
00076 #ifdef CONFIG_RSBAC_RMSG
00077 rsbac_printk(KERN_INFO
00078 "rsbac_rc_sys_copy_role(): copying of role %u denied for pid %u, user %u - not in admin_roles!\n",
00079 from_role,
00080 current->pid,
00081 user);
00082 #endif
00083 #ifndef CONFIG_RSBAC_RMSG_EXCL
00084
00085 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00086 if (!rsbac_nosyslog)
00087 #endif
00088 printk(KERN_INFO
00089 "rsbac_rc_sys_copy_role(): copying of role %u denied for pid %u, user %u - not in admin_roles!\n",
00090 from_role,
00091 current->pid,
00092 user);
00093 #endif
00094 }
00095 #ifdef CONFIG_RSBAC_SOFTMODE
00096 if( !rsbac_softmode
00097 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00098 && !rsbac_ind_softmode[RC]
00099 #endif
00100 )
00101 #endif
00102 return err;
00103 }
00104 else
00105 return err;
00106 }
00107
00108 if ( rsbac_rc_role_exists(ta_number, to_role)
00109 && rsbac_rc_test_role_admin(TRUE)
00110 )
00111 {
00112 rsbac_uid_t user;
00113
00114 if(!rsbac_get_owner(&user))
00115 {
00116 #ifdef CONFIG_RSBAC_RMSG
00117 rsbac_printk(KERN_INFO
00118 "rsbac_rc_sys_copy_role(): overwriting of existing role %u denied for pid %u, user %u - no role_admin!\n",
00119 to_role,
00120 current->pid,
00121 user);
00122 #endif
00123 #ifndef CONFIG_RSBAC_RMSG_EXCL
00124
00125 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00126 if (!rsbac_nosyslog)
00127 #endif
00128 printk(KERN_INFO
00129 "rsbac_rc_sys_copy_role(): overwriting of existing role %u denied for pid %u, user %u - no role_admin!\n",
00130 to_role,
00131 current->pid,
00132 user);
00133 #endif
00134 }
00135 #ifdef CONFIG_RSBAC_SOFTMODE
00136 if( !rsbac_softmode
00137 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00138 && !rsbac_ind_softmode[RC]
00139 #endif
00140 )
00141 #endif
00142 return -EPERM;
00143 }
00144 }
00145 #endif
00146
00147
00148 return(rsbac_rc_copy_role(ta_number, from_role, to_role));
00149 }
00150
00151
00152 int rsbac_rc_sys_copy_type (
00153 rsbac_list_ta_number_t ta_number,
00154 enum rsbac_rc_target_t target,
00155 rsbac_rc_type_id_t from_type,
00156 rsbac_rc_type_id_t to_type)
00157 {
00158 #if !defined(CONFIG_RSBAC_MAINT)
00159 #ifdef CONFIG_RSBAC_SWITCH
00160 if(rsbac_switch_rc)
00161 #endif
00162 {
00163 int err;
00164
00165 switch(target)
00166 {
00167 case T_FILE:
00168 case T_DIR:
00169 case T_FIFO:
00170 case T_SYMLINK:
00171 target = T_FD;
00172 break;
00173 case T_FD:
00174 case T_DEV:
00175 case T_USER:
00176 case T_PROCESS:
00177 case T_IPC:
00178 case T_GROUP:
00179 case T_NETDEV:
00180 case T_NETTEMP:
00181 case T_NETOBJ:
00182 break;
00183
00184 default:
00185 return -RSBAC_EINVALIDTARGET;
00186 }
00187
00188 if( (rsbac_rc_check_type_comp(target, from_type, RCR_ADMIN, 0) != GRANTED)
00189 && (err=rsbac_rc_test_role_admin(FALSE))
00190 )
00191 {
00192 if(err == -EPERM)
00193 {
00194 rsbac_uid_t user;
00195
00196 if(!rsbac_get_owner(&user))
00197 {
00198 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00199
00200 if(tmp)
00201 {
00202 #ifdef CONFIG_RSBAC_RMSG
00203 rsbac_printk(KERN_INFO
00204 "rsbac_rc_sys_copy_type(): copying of %s type %u denied for pid %u, user %u - not in admin_roles!\n",
00205 get_target_name_only(tmp, target),
00206 from_type,
00207 current->pid,
00208 user);
00209 #endif
00210 #ifndef CONFIG_RSBAC_RMSG_EXCL
00211
00212 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00213 if (!rsbac_nosyslog)
00214 #endif
00215 printk(KERN_INFO
00216 "rsbac_rc_sys_copy_type(): copying of %s type %u denied for pid %u, user %u - not in admin_roles!\n",
00217 get_target_name_only(tmp, target),
00218 from_type,
00219 current->pid,
00220 user);
00221 #endif
00222 rsbac_kfree(tmp);
00223 }
00224 }
00225 #ifdef CONFIG_RSBAC_SOFTMODE
00226 if( !rsbac_softmode
00227 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00228 && !rsbac_ind_softmode[RC]
00229 #endif
00230 )
00231 #endif
00232 return err;
00233 }
00234 else
00235 return err;
00236 }
00237
00238 if ( rsbac_rc_type_exists(ta_number, target, to_type)
00239 && rsbac_rc_test_role_admin(TRUE)
00240 )
00241 {
00242 rsbac_uid_t user;
00243
00244 if(!rsbac_get_owner(&user))
00245 {
00246 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00247
00248 if(tmp)
00249 {
00250 #ifdef CONFIG_RSBAC_RMSG
00251 rsbac_printk(KERN_INFO
00252 "rsbac_rc_sys_copy_type(): overwriting of existing %s type %u denied for pid %u, user %u - no role_admin!\n",
00253 get_target_name_only(tmp, target),
00254 to_type,
00255 current->pid,
00256 user);
00257 #endif
00258 #ifndef CONFIG_RSBAC_RMSG_EXCL
00259
00260 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00261 if (!rsbac_nosyslog)
00262 #endif
00263 printk(KERN_INFO
00264 "rsbac_rc_sys_copy_type(): overwriting of existing %s type %u denied for pid %u, user %u - no role_admin!\n",
00265 get_target_name_only(tmp, target),
00266 to_type,
00267 current->pid,
00268 user);
00269 #endif
00270 rsbac_kfree(tmp);
00271 }
00272 }
00273 #ifdef CONFIG_RSBAC_SOFTMODE
00274 if( !rsbac_softmode
00275 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00276 && !rsbac_ind_softmode[RC]
00277 #endif
00278 )
00279 #endif
00280 return -EPERM;
00281 }
00282 }
00283 #endif
00284
00285
00286 return(rsbac_rc_copy_type(ta_number, target, from_type, to_type));
00287 }
00288
00289
00290 int rsbac_rc_sys_get_item(
00291 rsbac_list_ta_number_t ta_number,
00292 enum rsbac_rc_target_t target,
00293 union rsbac_rc_target_id_t tid,
00294 union rsbac_rc_target_id_t subtid,
00295 enum rsbac_rc_item_t item,
00296 union rsbac_rc_item_value_t * value_p,
00297 rsbac_time_t * ttl_p)
00298 {
00299 #if !defined(CONFIG_RSBAC_MAINT)
00300 #ifdef CONFIG_RSBAC_SWITCH
00301 if(rsbac_switch_rc)
00302 #endif
00303 {
00304 int err;
00305
00306 switch(item)
00307 {
00308 case RI_name:
00309 case RI_type_fd_name:
00310 case RI_type_dev_name:
00311 case RI_type_ipc_name:
00312 case RI_type_user_name:
00313 case RI_type_process_name:
00314 case RI_type_scd_name:
00315 case RI_type_group_name:
00316 case RI_type_netdev_name:
00317 case RI_type_nettemp_name:
00318 case RI_type_netobj_name:
00319
00320 break;
00321
00322 case RI_type_fd_need_secdel:
00323 if(target != RT_TYPE)
00324 return -RSBAC_EINVALIDTARGET;
00325 if( (err=rsbac_rc_check_type_comp(T_FILE, tid.type, RCR_ADMIN, 0))
00326 && (err=rsbac_rc_test_role_admin(FALSE))
00327 )
00328 {
00329 if(err == -EPERM)
00330 {
00331 rsbac_uid_t user;
00332
00333 if(!rsbac_get_owner(&user))
00334 {
00335 #ifdef CONFIG_RSBAC_RMSG
00336 rsbac_printk(KERN_INFO
00337 "rsbac_rc_sys_get_item(): reading fd_need_secdel of type %u denied for pid %u, user %u - no ADMIN right!\n",
00338 tid.type,
00339 current->pid,
00340 user);
00341 #endif
00342 #ifndef CONFIG_RSBAC_RMSG_EXCL
00343
00344 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00345 if (!rsbac_nosyslog)
00346 #endif
00347 printk(KERN_INFO
00348 "rsbac_rc_sys_get_item(): reading fd_need_secdel of type %u denied for pid %u, user %u - no ADMIN right!\n",
00349 tid.type,
00350 current->pid,
00351 user);
00352 #endif
00353 }
00354 #ifdef CONFIG_RSBAC_SOFTMODE
00355 if( !rsbac_softmode
00356 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00357 && !rsbac_ind_softmode[RC]
00358 #endif
00359 )
00360 #endif
00361 return err;
00362 }
00363 else
00364 return err;
00365 }
00366 break;
00367
00368 default:
00369 if(target != RT_ROLE)
00370 return -RSBAC_EINVALIDATTR;
00371
00372 if ( (err=rsbac_rc_test_admin_roles(tid.role, FALSE))
00373 && (err=rsbac_rc_test_role_admin(FALSE))
00374 )
00375 {
00376 if(err == -EPERM)
00377 {
00378 rsbac_uid_t user;
00379
00380 if(!rsbac_get_owner(&user))
00381 {
00382 #ifdef CONFIG_RSBAC_RMSG
00383 rsbac_printk(KERN_INFO
00384 "rsbac_rc_sys_get_item(): getting item of role %u denied for pid %u, user %u - not in admin_roles!\n",
00385 tid.role,
00386 current->pid,
00387 user);
00388 #endif
00389 #ifndef CONFIG_RSBAC_RMSG_EXCL
00390
00391 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00392 if (!rsbac_nosyslog)
00393 #endif
00394 printk(KERN_INFO
00395 "rsbac_rc_sys_get_item(): getting item of role %u denied for pid %u, user %u - not in admin_roles!\n",
00396 tid.role,
00397 current->pid,
00398 user);
00399 #endif
00400 }
00401 #ifdef CONFIG_RSBAC_SOFTMODE
00402 if( !rsbac_softmode
00403 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00404 && !rsbac_ind_softmode[RC]
00405 #endif
00406 )
00407 #endif
00408 return err;
00409 }
00410 else
00411 return err;
00412 }
00413 }
00414 }
00415 #endif
00416
00417
00418 return(rsbac_rc_get_item(ta_number,target, tid, subtid, item, value_p, ttl_p));
00419 };
00420
00421
00422 int rsbac_rc_sys_set_item(
00423 rsbac_list_ta_number_t ta_number,
00424 enum rsbac_rc_target_t target,
00425 union rsbac_rc_target_id_t tid,
00426 union rsbac_rc_target_id_t subtid,
00427 enum rsbac_rc_item_t item,
00428 union rsbac_rc_item_value_t value,
00429 rsbac_time_t ttl)
00430 {
00431 #if !defined(CONFIG_RSBAC_MAINT)
00432 #ifdef CONFIG_RSBAC_SWITCH
00433 if(rsbac_switch_rc)
00434 #endif
00435 {
00436 int err;
00437
00438 switch(item)
00439 {
00440
00441 case RI_type_fd_name:
00442 case RI_type_fd_need_secdel:
00443 case RI_type_fd_remove:
00444 if(target != RT_TYPE)
00445 return -RSBAC_EINVALIDTARGET;
00446 if( (rsbac_rc_check_type_comp(T_FILE, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00447 && (err=rsbac_rc_test_role_admin(TRUE))
00448 )
00449 {
00450 if(err == -EPERM)
00451 {
00452 rsbac_uid_t user;
00453 char tmp[80];
00454
00455 if(!rsbac_get_owner(&user))
00456 {
00457 #ifdef CONFIG_RSBAC_RMSG
00458 rsbac_printk(KERN_INFO
00459 "rsbac_rc_sys_set_item(): changing %s of FD type %u denied for pid %u, user %u - no ADMIN right!\n",
00460 get_rc_item_name(tmp, item),
00461 tid.type,
00462 current->pid,
00463 user);
00464 #endif
00465 #ifndef CONFIG_RSBAC_RMSG_EXCL
00466
00467 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00468 if (!rsbac_nosyslog)
00469 #endif
00470 printk(KERN_INFO
00471 "rsbac_rc_sys_set_item(): changing %s of FD type %u denied for pid %u, user %u - no ADMIN right!\n",
00472 get_rc_item_name(tmp, item),
00473 tid.type,
00474 current->pid,
00475 user);
00476 #endif
00477 }
00478 #ifdef CONFIG_RSBAC_SOFTMODE
00479 if( !rsbac_softmode
00480 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00481 && !rsbac_ind_softmode[RC]
00482 #endif
00483 )
00484 #endif
00485 return err;
00486 }
00487 else
00488 return err;
00489 }
00490 break;
00491 case RI_type_dev_name:
00492 case RI_type_dev_remove:
00493 if(target != RT_TYPE)
00494 return -RSBAC_EINVALIDTARGET;
00495 if( (rsbac_rc_check_type_comp(T_DEV, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00496 && (err=rsbac_rc_test_role_admin(TRUE))
00497 )
00498 {
00499 if(err == -EPERM)
00500 {
00501 rsbac_uid_t user;
00502
00503 if(!rsbac_get_owner(&user))
00504 {
00505 #ifdef CONFIG_RSBAC_RMSG
00506 rsbac_printk(KERN_INFO
00507 "rsbac_rc_sys_set_item(): changing name or removing of DEV type %u denied for pid %u, user %u - no ADMIN right!\n",
00508 tid.type,
00509 current->pid,
00510 user);
00511 #endif
00512 #ifndef CONFIG_RSBAC_RMSG_EXCL
00513
00514 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00515 if (!rsbac_nosyslog)
00516 #endif
00517 printk(KERN_INFO
00518 "rsbac_rc_sys_set_item(): changing name or removing of DEV type %u denied for pid %u, user %u - no ADMIN right!\n",
00519 tid.type,
00520 current->pid,
00521 user);
00522 #endif
00523 }
00524 #ifdef CONFIG_RSBAC_SOFTMODE
00525 if( !rsbac_softmode
00526 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00527 && !rsbac_ind_softmode[RC]
00528 #endif
00529 )
00530 #endif
00531 return err;
00532 }
00533 else
00534 return err;
00535 }
00536 break;
00537 case RI_type_ipc_name:
00538 case RI_type_ipc_remove:
00539 if(target != RT_TYPE)
00540 return -RSBAC_EINVALIDTARGET;
00541 if( (rsbac_rc_check_type_comp(T_IPC, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00542 && (err=rsbac_rc_test_role_admin(TRUE))
00543 )
00544 {
00545 if(err == -EPERM)
00546 {
00547 rsbac_uid_t user;
00548
00549 if(!rsbac_get_owner(&user))
00550 {
00551 #ifdef CONFIG_RSBAC_RMSG
00552 rsbac_printk(KERN_INFO
00553 "rsbac_rc_sys_set_item(): changing name or removing of IPC type %u denied for pid %u, user %u - no ADMIN right!\n",
00554 tid.type,
00555 current->pid,
00556 user);
00557 #endif
00558 #ifndef CONFIG_RSBAC_RMSG_EXCL
00559
00560 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00561 if (!rsbac_nosyslog)
00562 #endif
00563 printk(KERN_INFO
00564 "rsbac_rc_sys_set_item(): changing name or removing of IPC type %u denied for pid %u, user %u - no ADMIN right!\n",
00565 tid.type,
00566 current->pid,
00567 user);
00568 #endif
00569 }
00570 #ifdef CONFIG_RSBAC_SOFTMODE
00571 if( !rsbac_softmode
00572 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00573 && !rsbac_ind_softmode[RC]
00574 #endif
00575 )
00576 #endif
00577 return err;
00578 }
00579 else
00580 return err;
00581 }
00582 break;
00583 case RI_type_user_name:
00584 case RI_type_user_remove:
00585 if(target != RT_TYPE)
00586 return -RSBAC_EINVALIDTARGET;
00587 if( (rsbac_rc_check_type_comp(T_USER, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00588 && (err=rsbac_rc_test_role_admin(TRUE))
00589 )
00590 {
00591 if(err == -EPERM)
00592 {
00593 rsbac_uid_t user;
00594
00595 if(!rsbac_get_owner(&user))
00596 {
00597 #ifdef CONFIG_RSBAC_RMSG
00598 rsbac_printk(KERN_INFO
00599 "rsbac_rc_sys_set_item(): changing name or removing of USER type %u denied for pid %u, user %u - no ADMIN right!\n",
00600 tid.type,
00601 current->pid,
00602 user);
00603 #endif
00604 #ifndef CONFIG_RSBAC_RMSG_EXCL
00605
00606 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00607 if (!rsbac_nosyslog)
00608 #endif
00609 printk(KERN_INFO
00610 "rsbac_rc_sys_set_item(): changing name or removing of USER type %u denied for pid %u, user %u - no ADMIN right!\n",
00611 tid.type,
00612 current->pid,
00613 user);
00614 #endif
00615 }
00616 #ifdef CONFIG_RSBAC_SOFTMODE
00617 if( !rsbac_softmode
00618 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00619 && !rsbac_ind_softmode[RC]
00620 #endif
00621 )
00622 #endif
00623 return err;
00624 }
00625 else
00626 return err;
00627 }
00628 break;
00629 case RI_type_process_name:
00630 case RI_type_process_remove:
00631 if(target != RT_TYPE)
00632 return -RSBAC_EINVALIDTARGET;
00633 if( (rsbac_rc_check_type_comp(T_PROCESS, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00634 && (err=rsbac_rc_test_role_admin(TRUE))
00635 )
00636 {
00637 if(err == -EPERM)
00638 {
00639 rsbac_uid_t user;
00640
00641 if(!rsbac_get_owner(&user))
00642 {
00643 #ifdef CONFIG_RSBAC_RMSG
00644 rsbac_printk(KERN_INFO
00645 "rsbac_rc_sys_set_item(): changing name or removing of process type %u denied for pid %u, user %u - no ADMIN right!\n",
00646 tid.type,
00647 current->pid,
00648 user);
00649 #endif
00650 #ifndef CONFIG_RSBAC_RMSG_EXCL
00651
00652 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00653 if (!rsbac_nosyslog)
00654 #endif
00655 printk(KERN_INFO
00656 "rsbac_rc_sys_set_item(): changing name or removing of process type %u denied for pid %u, user %u - no ADMIN right!\n",
00657 tid.type,
00658 current->pid,
00659 user);
00660 #endif
00661 }
00662 #ifdef CONFIG_RSBAC_SOFTMODE
00663 if( !rsbac_softmode
00664 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00665 && !rsbac_ind_softmode[RC]
00666 #endif
00667 )
00668 #endif
00669 return err;
00670 }
00671 else
00672 return err;
00673 }
00674 break;
00675 case RI_type_scd_name:
00676 if(target != RT_TYPE)
00677 return -RSBAC_EINVALIDTARGET;
00678 if( (rsbac_rc_check_type_comp(T_SCD, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00679 && (err=rsbac_rc_test_role_admin(TRUE))
00680 )
00681 {
00682 if(err == -EPERM)
00683 {
00684 rsbac_uid_t user;
00685
00686 if(!rsbac_get_owner(&user))
00687 {
00688 #ifdef CONFIG_RSBAC_RMSG
00689 rsbac_printk(KERN_INFO
00690 "rsbac_rc_sys_set_item(): changing name or removing of SCD type %u denied for pid %u, user %u - no ADMIN right!\n",
00691 tid.type,
00692 current->pid,
00693 user);
00694 #endif
00695 #ifndef CONFIG_RSBAC_RMSG_EXCL
00696
00697 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00698 if (!rsbac_nosyslog)
00699 #endif
00700 printk(KERN_INFO
00701 "rsbac_rc_sys_set_item(): changing name or removing of SCD type %u denied for pid %u, user %u - no ADMIN right!\n",
00702 tid.type,
00703 current->pid,
00704 user);
00705 #endif
00706 }
00707 #ifdef CONFIG_RSBAC_SOFTMODE
00708 if( !rsbac_softmode
00709 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00710 && !rsbac_ind_softmode[RC]
00711 #endif
00712 )
00713 #endif
00714 return err;
00715 }
00716 else
00717 return err;
00718 }
00719 break;
00720 case RI_type_group_name:
00721 case RI_type_group_remove:
00722 if(target != RT_TYPE)
00723 return -RSBAC_EINVALIDTARGET;
00724 if( (rsbac_rc_check_type_comp(T_GROUP, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00725 && (err=rsbac_rc_test_role_admin(TRUE))
00726 )
00727 {
00728 if(err == -EPERM)
00729 {
00730 rsbac_uid_t user;
00731
00732 if(!rsbac_get_owner(&user))
00733 {
00734 #ifdef CONFIG_RSBAC_RMSG
00735 rsbac_printk(KERN_INFO
00736 "rsbac_rc_sys_set_item(): changing name or removing of GROUP type %u denied for pid %u, user %u - no ADMIN right!\n",
00737 tid.type,
00738 current->pid,
00739 user);
00740 #endif
00741 #ifndef CONFIG_RSBAC_RMSG_EXCL
00742
00743 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00744 if (!rsbac_nosyslog)
00745 #endif
00746 printk(KERN_INFO
00747 "rsbac_rc_sys_set_item(): changing name or removing of GROUP type %u denied for pid %u, user %u - no ADMIN right!\n",
00748 tid.type,
00749 current->pid,
00750 user);
00751 #endif
00752 }
00753 #ifdef CONFIG_RSBAC_SOFTMODE
00754 if( !rsbac_softmode
00755 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00756 && !rsbac_ind_softmode[RC]
00757 #endif
00758 )
00759 #endif
00760 return err;
00761 }
00762 else
00763 return err;
00764 }
00765 break;
00766 case RI_type_netdev_name:
00767 case RI_type_netdev_remove:
00768 if(target != RT_TYPE)
00769 return -RSBAC_EINVALIDTARGET;
00770 if( (rsbac_rc_check_type_comp(T_NETDEV, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00771 && (err=rsbac_rc_test_role_admin(TRUE))
00772 )
00773 {
00774 if(err == -EPERM)
00775 {
00776 rsbac_uid_t user;
00777
00778 if(!rsbac_get_owner(&user))
00779 {
00780 #ifdef CONFIG_RSBAC_RMSG
00781 rsbac_printk(KERN_INFO
00782 "rsbac_rc_sys_set_item(): changing name or removing of NETDEV type %u denied for pid %u, user %u - no ADMIN right!\n",
00783 tid.type,
00784 current->pid,
00785 user);
00786 #endif
00787 #ifndef CONFIG_RSBAC_RMSG_EXCL
00788
00789 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00790 if (!rsbac_nosyslog)
00791 #endif
00792 printk(KERN_INFO
00793 "rsbac_rc_sys_set_item(): changing name or removing of NETDEV type %u denied for pid %u, user %u - no ADMIN right!\n",
00794 tid.type,
00795 current->pid,
00796 user);
00797 #endif
00798 }
00799 #ifdef CONFIG_RSBAC_SOFTMODE
00800 if( !rsbac_softmode
00801 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00802 && !rsbac_ind_softmode[RC]
00803 #endif
00804 )
00805 #endif
00806 return err;
00807 }
00808 else
00809 return err;
00810 }
00811 break;
00812 case RI_type_nettemp_name:
00813 case RI_type_nettemp_remove:
00814 if(target != RT_TYPE)
00815 return -RSBAC_EINVALIDTARGET;
00816 if( (rsbac_rc_check_type_comp(T_NETTEMP, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00817 && (err=rsbac_rc_test_role_admin(TRUE))
00818 )
00819 {
00820 if(err == -EPERM)
00821 {
00822 rsbac_uid_t user;
00823
00824 if(!rsbac_get_owner(&user))
00825 {
00826 #ifdef CONFIG_RSBAC_RMSG
00827 rsbac_printk(KERN_INFO
00828 "rsbac_rc_sys_set_item(): changing name or removing of NETTEMP type %u denied for pid %u, user %u - no ADMIN right!\n",
00829 tid.type,
00830 current->pid,
00831 user);
00832 #endif
00833 #ifndef CONFIG_RSBAC_RMSG_EXCL
00834
00835 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00836 if (!rsbac_nosyslog)
00837 #endif
00838 printk(KERN_INFO
00839 "rsbac_rc_sys_set_item(): changing name or removing of NETTEMP type %u denied for pid %u, user %u - no ADMIN right!\n",
00840 tid.type,
00841 current->pid,
00842 user);
00843 #endif
00844 }
00845 #ifdef CONFIG_RSBAC_SOFTMODE
00846 if( !rsbac_softmode
00847 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00848 && !rsbac_ind_softmode[RC]
00849 #endif
00850 )
00851 #endif
00852 return err;
00853 }
00854 else
00855 return err;
00856 }
00857 break;
00858 case RI_type_netobj_name:
00859 case RI_type_netobj_remove:
00860 if(target != RT_TYPE)
00861 return -RSBAC_EINVALIDTARGET;
00862 if( (rsbac_rc_check_type_comp(T_NETOBJ, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00863 && (err=rsbac_rc_test_role_admin(TRUE))
00864 )
00865 {
00866 if(err == -EPERM)
00867 {
00868 rsbac_uid_t user;
00869
00870 if(!rsbac_get_owner(&user))
00871 {
00872 #ifdef CONFIG_RSBAC_RMSG
00873 rsbac_printk(KERN_INFO
00874 "rsbac_rc_sys_set_item(): changing name or removing of NETOBJ type %u denied for pid %u, user %u - no ADMIN right!\n",
00875 tid.type,
00876 current->pid,
00877 user);
00878 #endif
00879 #ifndef CONFIG_RSBAC_RMSG_EXCL
00880
00881 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00882 if (!rsbac_nosyslog)
00883 #endif
00884 printk(KERN_INFO
00885 "rsbac_rc_sys_set_item(): changing name or removing of NETOBJ type %u denied for pid %u, user %u - no ADMIN right!\n",
00886 tid.type,
00887 current->pid,
00888 user);
00889 #endif
00890 }
00891 #ifdef CONFIG_RSBAC_SOFTMODE
00892 if( !rsbac_softmode
00893 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00894 && !rsbac_ind_softmode[RC]
00895 #endif
00896 )
00897 #endif
00898 return err;
00899 }
00900 else
00901 return err;
00902 }
00903 break;
00904
00905
00906 case RI_role_comp:
00907
00908 {
00909 union rsbac_target_id_t i_tid;
00910 union rsbac_attribute_value_t i_attr_val1;
00911
00912 if(target != RT_ROLE)
00913 return -RSBAC_EINVALIDATTR;
00914 if(!rsbac_rc_test_role_admin(TRUE))
00915 break;
00916
00917 if((err=rsbac_rc_test_admin_roles(tid.role, TRUE)))
00918 {
00919 if(err == -EPERM)
00920 {
00921 rsbac_uid_t user;
00922
00923 if(!rsbac_get_owner(&user))
00924 {
00925 #ifdef CONFIG_RSBAC_RMSG
00926 rsbac_printk(KERN_INFO
00927 "rsbac_rc_sys_set_item(): changing role_comp of role %u denied for pid %u, user %u - not in admin_roles!\n",
00928 tid.role,
00929 current->pid,
00930 user);
00931 #endif
00932 #ifndef CONFIG_RSBAC_RMSG_EXCL
00933
00934 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00935 if (!rsbac_nosyslog)
00936 #endif
00937 printk(KERN_INFO
00938 "rsbac_rc_sys_set_item(): changing role_comp of role %u denied for pid %u, user %u - not in admin_roles!\n",
00939 tid.role,
00940 current->pid,
00941 user);
00942 #endif
00943 }
00944 #ifdef CONFIG_RSBAC_SOFTMODE
00945 if( !rsbac_softmode
00946 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00947 && !rsbac_ind_softmode[RC]
00948 #endif
00949 )
00950 #endif
00951 return err;
00952 }
00953 else
00954 return err;
00955 }
00956
00957
00958 i_tid.process = current->pid;
00959 if ((err=rsbac_get_attr(RC, T_PROCESS,
00960 i_tid,
00961 A_rc_role,
00962 &i_attr_val1,
00963 TRUE)))
00964 {
00965 rsbac_ds_get_error("rsbac_rc_sys_set_item()", A_rc_role);
00966 return -RSBAC_EREADFAILED;
00967 }
00968
00969 if (!rsbac_rc_check_comp(i_attr_val1.rc_role,
00970 tid,
00971 RI_assign_roles,
00972 R_NONE))
00973 {
00974 rsbac_uid_t user;
00975 if(!rsbac_get_owner(&user))
00976 {
00977 #ifdef CONFIG_RSBAC_RMSG
00978 rsbac_printk(KERN_INFO
00979 "rsbac_rc_sys_set_item(): changing role_comp for role %u denied for user %u, role %u - not in assign_roles!\n",
00980 tid.role,
00981 user,
00982 i_attr_val1.rc_role);
00983 #endif
00984 #ifndef CONFIG_RSBAC_RMSG_EXCL
00985
00986 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00987 if (!rsbac_nosyslog)
00988 #endif
00989 printk(KERN_INFO
00990 "rsbac_rc_sys_set_item(): changing role_comp for role %u denied for user %u, role %u - not in assign_roles!\n",
00991 tid.role,
00992 user,
00993 i_attr_val1.rc_role);
00994 #endif
00995 }
00996 #ifdef CONFIG_RSBAC_SOFTMODE
00997 if( !rsbac_softmode
00998 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00999 && !rsbac_ind_softmode[RC]
01000 #endif
01001 )
01002 #endif
01003 return -EPERM;
01004 }
01005 }
01006 break;
01007
01008 case RI_admin_type:
01009 case RI_admin_roles:
01010 case RI_assign_roles:
01011 case RI_boot_role:
01012
01013 if((err=rsbac_rc_test_role_admin(TRUE)))
01014 {
01015 if(err == -EPERM)
01016 {
01017 rsbac_uid_t user;
01018 char tmp[80];
01019
01020 if(!rsbac_get_owner(&user))
01021 {
01022 #ifdef CONFIG_RSBAC_RMSG
01023 rsbac_printk(KERN_INFO
01024 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - no Role Admin!\n",
01025 get_rc_item_name(tmp, item),
01026 tid.role,
01027 current->pid,
01028 user);
01029 #endif
01030 #ifndef CONFIG_RSBAC_RMSG_EXCL
01031
01032 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01033 if (!rsbac_nosyslog)
01034 #endif
01035 printk(KERN_INFO
01036 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - no Role Admin!\n",
01037 get_rc_item_name(tmp, item),
01038 tid.role,
01039 current->pid,
01040 user);
01041 #endif
01042 }
01043 #ifdef CONFIG_RSBAC_SOFTMODE
01044 if( !rsbac_softmode
01045 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01046 && !rsbac_ind_softmode[RC]
01047 #endif
01048 )
01049 #endif
01050 return err;
01051 }
01052 else
01053 return err;
01054 }
01055 break;
01056 case RI_name:
01057
01058
01059 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
01060 && (err=rsbac_rc_test_role_admin(TRUE))
01061 )
01062 {
01063 if(err == -EPERM)
01064 {
01065 rsbac_uid_t user;
01066
01067 if(!rsbac_get_owner(&user))
01068 {
01069 #ifdef CONFIG_RSBAC_RMSG
01070 rsbac_printk(KERN_INFO
01071 "rsbac_rc_sys_set_item(): changing name of role %u denied for pid %u, user %u - not in admin_roles!\n",
01072 tid.role,
01073 current->pid,
01074 user);
01075 #endif
01076 #ifndef CONFIG_RSBAC_RMSG_EXCL
01077
01078 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01079 if (!rsbac_nosyslog)
01080 #endif
01081 printk(KERN_INFO
01082 "rsbac_rc_sys_set_item(): changing name of role %u denied for pid %u, user %u - not in admin_roles!\n",
01083 tid.role,
01084 current->pid,
01085 user);
01086 #endif
01087 }
01088 #ifdef CONFIG_RSBAC_SOFTMODE
01089 if( !rsbac_softmode
01090 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01091 && !rsbac_ind_softmode[RC]
01092 #endif
01093 )
01094 #endif
01095 return err;
01096 }
01097 else
01098 return err;
01099 }
01100 break;
01101
01102 case RI_remove_role:
01103
01104 if((err=rsbac_rc_test_role_admin(TRUE)))
01105 {
01106 if(err == -EPERM)
01107 {
01108 rsbac_uid_t user;
01109
01110 if(!rsbac_get_owner(&user))
01111 {
01112 #ifdef CONFIG_RSBAC_RMSG
01113 rsbac_printk(KERN_INFO
01114 "rsbac_rc_sys_set_item(): removing of role %u denied for pid %u, user %u - not in admin_roles!\n",
01115 tid.role,
01116 current->pid,
01117 user);
01118 #endif
01119 #ifndef CONFIG_RSBAC_RMSG_EXCL
01120
01121 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01122 if (!rsbac_nosyslog)
01123 #endif
01124 printk(KERN_INFO
01125 "rsbac_rc_sys_set_item(): removing of role %u denied for pid %u, user %u - not in admin_roles!\n",
01126 tid.role,
01127 current->pid,
01128 user);
01129 #endif
01130 }
01131 #ifdef CONFIG_RSBAC_SOFTMODE
01132 if( !rsbac_softmode
01133 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01134 && !rsbac_ind_softmode[RC]
01135 #endif
01136 )
01137 #endif
01138 return err;
01139 }
01140 else
01141 return err;
01142 }
01143 break;
01144
01145 case RI_def_fd_create_type:
01146 case RI_def_fd_ind_create_type:
01147
01148
01149 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
01150 && (err=rsbac_rc_test_role_admin(TRUE))
01151 )
01152 {
01153 if(err == -EPERM)
01154 {
01155 rsbac_uid_t user;
01156
01157 if(!rsbac_get_owner(&user))
01158 {
01159 #ifdef CONFIG_RSBAC_RMSG
01160 rsbac_printk(KERN_INFO
01161 "rsbac_rc_sys_set_item(): changing def_fd_[ind_]create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
01162 tid.role,
01163 current->pid,
01164 user);
01165 #endif
01166 #ifndef CONFIG_RSBAC_RMSG_EXCL
01167
01168 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01169 if (!rsbac_nosyslog)
01170 #endif
01171 printk(KERN_INFO
01172 "rsbac_rc_sys_set_item(): changing def_fd_[ind_]create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
01173 tid.role,
01174 current->pid,
01175 user);
01176 #endif
01177 }
01178 #ifdef CONFIG_RSBAC_SOFTMODE
01179 if( !rsbac_softmode
01180 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01181 && !rsbac_ind_softmode[RC]
01182 #endif
01183 )
01184 #endif
01185 return err;
01186 }
01187 else
01188 return err;
01189 }
01190 else
01191 {
01192 enum rsbac_adf_req_ret_t result;
01193
01194 result = rsbac_rc_check_type_comp(T_FILE, value.type_id, RCR_ASSIGN, 0);
01195 if( ( (result == NOT_GRANTED)
01196 || (result == UNDEFINED)
01197 )
01198 && (err=rsbac_rc_test_role_admin(TRUE))
01199 )
01200 {
01201 rsbac_uid_t user;
01202
01203 if(!rsbac_get_owner(&user))
01204 {
01205 #ifdef CONFIG_RSBAC_RMSG
01206 rsbac_printk(KERN_INFO
01207 "rsbac_rc_sys_set_item(): changing def_fd_[ind_]create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01208 tid.role,
01209 value.type_id,
01210 user);
01211 #endif
01212 #ifndef CONFIG_RSBAC_RMSG_EXCL
01213
01214 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01215 if (!rsbac_nosyslog)
01216 #endif
01217 printk(KERN_INFO
01218 "rsbac_rc_sys_set_item(): changing def_fd_[ind_]create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01219 tid.role,
01220 value.type_id,
01221 user);
01222 #endif
01223 }
01224 #ifdef CONFIG_RSBAC_SOFTMODE
01225 if( !rsbac_softmode
01226 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01227 && !rsbac_ind_softmode[RC]
01228 #endif
01229 )
01230 #endif
01231 return -EPERM;
01232 }
01233 }
01234 break;
01235
01236 case RI_def_fd_ind_create_type_remove:
01237
01238 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
01239 && (err=rsbac_rc_test_role_admin(TRUE))
01240 )
01241 {
01242 if(err == -EPERM)
01243 {
01244 rsbac_uid_t user;
01245
01246 if(!rsbac_get_owner(&user))
01247 {
01248 #ifdef CONFIG_RSBAC_RMSG
01249 rsbac_printk(KERN_INFO
01250 "rsbac_rc_sys_set_item(): changing def_fd_[ind_]create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
01251 tid.role,
01252 current->pid,
01253 user);
01254 #endif
01255 #ifndef CONFIG_RSBAC_RMSG_EXCL
01256
01257 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01258 if (!rsbac_nosyslog)
01259 #endif
01260 printk(KERN_INFO
01261 "rsbac_rc_sys_set_item(): changing def_fd_[ind_]create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
01262 tid.role,
01263 current->pid,
01264 user);
01265 #endif
01266 }
01267 #ifdef CONFIG_RSBAC_SOFTMODE
01268 if( !rsbac_softmode
01269 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01270 && !rsbac_ind_softmode[RC]
01271 #endif
01272 )
01273 #endif
01274 return err;
01275 }
01276 else
01277 return err;
01278 }
01279 break;
01280
01281 case RI_def_user_create_type:
01282
01283
01284 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
01285 && (err=rsbac_rc_test_role_admin(TRUE))
01286 )
01287 {
01288 if(err == -EPERM)
01289 {
01290 rsbac_uid_t user;
01291
01292 if(!rsbac_get_owner(&user))
01293 {
01294 #ifdef CONFIG_RSBAC_RMSG
01295 rsbac_printk(KERN_INFO
01296 "rsbac_rc_sys_set_item(): changing def_user_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
01297 tid.role,
01298 current->pid,
01299 user);
01300 #endif
01301 #ifndef CONFIG_RSBAC_RMSG_EXCL
01302
01303 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01304 if (!rsbac_nosyslog)
01305 #endif
01306 printk(KERN_INFO
01307 "rsbac_rc_sys_set_item(): changing def_user_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
01308 tid.role,
01309 current->pid,
01310 user);
01311 #endif
01312 }
01313 #ifdef CONFIG_RSBAC_SOFTMODE
01314 if( !rsbac_softmode
01315 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01316 && !rsbac_ind_softmode[RC]
01317 #endif
01318 )
01319 #endif
01320 return err;
01321 }
01322 else
01323 return err;
01324 }
01325 else
01326 {
01327 enum rsbac_adf_req_ret_t result;
01328
01329 result = rsbac_rc_check_type_comp(T_USER, value.type_id, RCR_ASSIGN, 0);
01330 if( ( (result == NOT_GRANTED)
01331 || (result == UNDEFINED)
01332 )
01333 && (err=rsbac_rc_test_role_admin(TRUE))
01334 )
01335 {
01336 rsbac_uid_t user;
01337
01338 if(!rsbac_get_owner(&user))
01339 {
01340 #ifdef CONFIG_RSBAC_RMSG
01341 rsbac_printk(KERN_INFO
01342 "rsbac_rc_sys_set_item(): changing def_user_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01343 tid.role,
01344 value.type_id,
01345 user);
01346 #endif
01347 #ifndef CONFIG_RSBAC_RMSG_EXCL
01348
01349 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01350 if (!rsbac_nosyslog)
01351 #endif
01352 printk(KERN_INFO
01353 "rsbac_rc_sys_set_item(): changing def_user_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01354 tid.role,
01355 value.type_id,
01356 user);
01357 #endif
01358 }
01359 #ifdef CONFIG_RSBAC_SOFTMODE
01360 if( !rsbac_softmode
01361 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01362 && !rsbac_ind_softmode[RC]
01363 #endif
01364 )
01365 #endif
01366 return -EPERM;
01367 }
01368 }
01369 break;
01370
01371 case RI_def_process_create_type:
01372 case RI_def_process_chown_type:
01373 case RI_def_process_execute_type:
01374
01375
01376 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
01377 && (err=rsbac_rc_test_role_admin(TRUE))
01378 )
01379 {
01380 if(err == -EPERM)
01381 {
01382 rsbac_uid_t user;
01383 char tmp[80];
01384
01385 if(!rsbac_get_owner(&user))
01386 {
01387 #ifdef CONFIG_RSBAC_RMSG
01388 rsbac_printk(KERN_INFO
01389 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - not in admin_roles!\n",
01390 get_rc_item_name(tmp, item),
01391 tid.role,
01392 current->pid,
01393 user);
01394 #endif
01395 #ifndef CONFIG_RSBAC_RMSG_EXCL
01396
01397 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01398 if (!rsbac_nosyslog)
01399 #endif
01400 printk(KERN_INFO
01401 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - not in admin_roles!\n",
01402 get_rc_item_name(tmp, item),
01403 tid.role,
01404 current->pid,
01405 user);
01406 #endif
01407 }
01408 #ifdef CONFIG_RSBAC_SOFTMODE
01409 if( !rsbac_softmode
01410 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01411 && !rsbac_ind_softmode[RC]
01412 #endif
01413 )
01414 #endif
01415 return err;
01416 }
01417 else
01418 return err;
01419 }
01420 else
01421 {
01422 enum rsbac_adf_req_ret_t result;
01423
01424 result = rsbac_rc_check_type_comp(T_PROCESS, value.type_id, RCR_ASSIGN, 0);
01425 if( ( (result == NOT_GRANTED)
01426 || (result == UNDEFINED)
01427 )
01428 && (err=rsbac_rc_test_role_admin(TRUE))
01429 )
01430 {
01431 rsbac_uid_t user;
01432
01433 if(!rsbac_get_owner(&user))
01434 {
01435 #ifdef CONFIG_RSBAC_RMSG
01436 rsbac_printk(KERN_INFO
01437 "rsbac_rc_sys_set_item(): changing def_process_*_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01438 tid.role,
01439 value.type_id,
01440 user);
01441 #endif
01442 #ifndef CONFIG_RSBAC_RMSG_EXCL
01443
01444 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01445 if (!rsbac_nosyslog)
01446 #endif
01447 printk(KERN_INFO
01448 "rsbac_rc_sys_set_item(): changing def_process_*_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01449 tid.role,
01450 value.type_id,
01451 user);
01452 #endif
01453 }
01454 #ifdef CONFIG_RSBAC_SOFTMODE
01455 if( !rsbac_softmode
01456 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01457 && !rsbac_ind_softmode[RC]
01458 #endif
01459 )
01460 #endif
01461 return -EPERM;
01462 }
01463 }
01464 break;
01465 case RI_def_ipc_create_type:
01466
01467
01468 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
01469 && (err=rsbac_rc_test_role_admin(TRUE))
01470 )
01471 {
01472 if(err == -EPERM)
01473 {
01474 rsbac_uid_t user;
01475
01476 if(!rsbac_get_owner(&user))
01477 {
01478 #ifdef CONFIG_RSBAC_RMSG
01479 rsbac_printk(KERN_INFO
01480 "rsbac_rc_sys_set_item(): changing def_ipc_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
01481 tid.role,
01482 current->pid,
01483 user);
01484 #endif
01485 #ifndef CONFIG_RSBAC_RMSG_EXCL
01486
01487 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01488 if (!rsbac_nosyslog)
01489 #endif
01490 printk(KERN_INFO
01491 "rsbac_rc_sys_set_item(): changing def_ipc_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
01492 tid.role,
01493 current->pid,
01494 user);
01495 #endif
01496 }
01497 #ifdef CONFIG_RSBAC_SOFTMODE
01498 if( !rsbac_softmode
01499 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01500 && !rsbac_ind_softmode[RC]
01501 #endif
01502 )
01503 #endif
01504 return err;
01505 }
01506 else
01507 return err;
01508 }
01509 else
01510 {
01511 enum rsbac_adf_req_ret_t result;
01512
01513 result = rsbac_rc_check_type_comp(T_IPC, value.type_id, RCR_ASSIGN, 0);
01514 if( ( (result == NOT_GRANTED)
01515 || (result == UNDEFINED)
01516 )
01517 && (err=rsbac_rc_test_role_admin(TRUE))
01518 )
01519 {
01520 rsbac_uid_t user;
01521
01522 if(!rsbac_get_owner(&user))
01523 {
01524 #ifdef CONFIG_RSBAC_RMSG
01525 rsbac_printk(KERN_INFO
01526 "rsbac_rc_sys_set_item(): changing def_ipc_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01527 tid.role,
01528 value.type_id,
01529 user);
01530 #endif
01531 #ifndef CONFIG_RSBAC_RMSG_EXCL
01532
01533 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01534 if (!rsbac_nosyslog)
01535 #endif
01536 printk(KERN_INFO
01537 "rsbac_rc_sys_set_item(): changing def_ipc_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01538 tid.role,
01539 value.type_id,
01540 user);
01541 #endif
01542 }
01543 #ifdef CONFIG_RSBAC_SOFTMODE
01544 if( !rsbac_softmode
01545 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01546 && !rsbac_ind_softmode[RC]
01547 #endif
01548 )
01549 #endif
01550 return -EPERM;
01551 }
01552 }
01553 break;
01554 case RI_def_group_create_type:
01555
01556
01557 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
01558 && (err=rsbac_rc_test_role_admin(TRUE))
01559 )
01560 {
01561 if(err == -EPERM)
01562 {
01563 rsbac_uid_t user;
01564
01565 if(!rsbac_get_owner(&user))
01566 {
01567 #ifdef CONFIG_RSBAC_RMSG
01568 rsbac_printk(KERN_INFO
01569 "rsbac_rc_sys_set_item(): changing def_group_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
01570 tid.role,
01571 current->pid,
01572 user);
01573 #endif
01574 #ifndef CONFIG_RSBAC_RMSG_EXCL
01575
01576 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01577 if (!rsbac_nosyslog)
01578 #endif
01579 printk(KERN_INFO
01580 "rsbac_rc_sys_set_item(): changing def_group_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
01581 tid.role,
01582 current->pid,
01583 user);
01584 #endif
01585 }
01586 #ifdef CONFIG_RSBAC_SOFTMODE
01587 if( !rsbac_softmode
01588 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01589 && !rsbac_ind_softmode[RC]
01590 #endif
01591 )
01592 #endif
01593 return err;
01594 }
01595 else
01596 return err;
01597 }
01598 else
01599 {
01600 enum rsbac_adf_req_ret_t result;
01601
01602 result = rsbac_rc_check_type_comp(T_GROUP, value.type_id, RCR_ASSIGN, 0);
01603 if( ( (result == NOT_GRANTED)
01604 || (result == UNDEFINED)
01605 )
01606 && (err=rsbac_rc_test_role_admin(TRUE))
01607 )
01608 {
01609 rsbac_uid_t user;
01610
01611 if(!rsbac_get_owner(&user))
01612 {
01613 #ifdef CONFIG_RSBAC_RMSG
01614 rsbac_printk(KERN_INFO
01615 "rsbac_rc_sys_set_item(): changing def_group_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01616 tid.role,
01617 value.type_id,
01618 user);
01619 #endif
01620 #ifndef CONFIG_RSBAC_RMSG_EXCL
01621
01622 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01623 if (!rsbac_nosyslog)
01624 #endif
01625 printk(KERN_INFO
01626 "rsbac_rc_sys_set_item(): changing def_group_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01627 tid.role,
01628 value.type_id,
01629 user);
01630 #endif
01631 }
01632 #ifdef CONFIG_RSBAC_SOFTMODE
01633 if( !rsbac_softmode
01634 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01635 && !rsbac_ind_softmode[RC]
01636 #endif
01637 )
01638 #endif
01639 return -EPERM;
01640 }
01641 }
01642 break;
01643
01644 case RI_type_comp_fd:
01645 case RI_type_comp_dev:
01646 case RI_type_comp_user:
01647 case RI_type_comp_process:
01648 case RI_type_comp_ipc:
01649 case RI_type_comp_scd:
01650 case RI_type_comp_group:
01651 case RI_type_comp_netdev:
01652 case RI_type_comp_nettemp:
01653 case RI_type_comp_netobj:
01654 {
01655 union rsbac_rc_item_value_t old_value, my_value;
01656 union rsbac_target_id_t i_tid;
01657 union rsbac_attribute_value_t i_attr_val1;
01658 union rsbac_rc_target_id_t i_rc_tid;
01659
01660 if(target != RT_ROLE)
01661 return -RSBAC_EINVALIDATTR;
01662 if(!rsbac_rc_test_role_admin(TRUE))
01663 break;
01664
01665 if((err=rsbac_rc_test_admin_roles(tid.role, TRUE)))
01666 {
01667 if(err == -EPERM)
01668 {
01669 rsbac_uid_t user;
01670 char tmp[80];
01671
01672 if(!rsbac_get_owner(&user))
01673 {
01674 #ifdef CONFIG_RSBAC_RMSG
01675 rsbac_printk(KERN_INFO
01676 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - not in admin_roles!\n",
01677 get_rc_item_name(tmp, item),
01678 tid.role,
01679 current->pid,
01680 user);
01681 #endif
01682 #ifndef CONFIG_RSBAC_RMSG_EXCL
01683
01684 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01685 if (!rsbac_nosyslog)
01686 #endif
01687 printk(KERN_INFO
01688 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - not in admin_roles!\n",
01689 get_rc_item_name(tmp, item),
01690 tid.role,
01691 current->pid,
01692 user);
01693 #endif
01694 }
01695 #ifdef CONFIG_RSBAC_SOFTMODE
01696 if( !rsbac_softmode
01697 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01698 && !rsbac_ind_softmode[RC]
01699 #endif
01700 )
01701 #endif
01702 return err;
01703 }
01704 else
01705 return err;
01706 }
01707
01708
01709
01710 err = rsbac_rc_get_item(ta_number, target, tid, subtid, item, &old_value, NULL);
01711 if(err)
01712 return(err);
01713
01714
01715 i_tid.process = current->pid;
01716 if ((err=rsbac_get_attr(RC, T_PROCESS,
01717 i_tid,
01718 A_rc_role,
01719 &i_attr_val1,
01720 TRUE)))
01721 {
01722 rsbac_ds_get_error("rsbac_rc_sys_set_item()", A_rc_role);
01723 return err;
01724 }
01725
01726 i_rc_tid.role = i_attr_val1.rc_role;
01727 if ((err=rsbac_rc_get_item(ta_number,
01728 RT_ROLE,
01729 i_rc_tid,
01730 subtid,
01731 item,
01732 &my_value,
01733 NULL)))
01734 {
01735 rsbac_rc_ds_get_error("rsbac_rc_sys_set_item()", item);
01736 return err;
01737 }
01738
01739
01740 if(
01741 ( ( (old_value.rights & RSBAC_ALL_REQUEST_VECTOR)
01742 != (value.rights & RSBAC_ALL_REQUEST_VECTOR)
01743 )
01744 && (!(my_value.rights & RSBAC_RC_RIGHTS_VECTOR(RCR_ACCESS_CONTROL)))
01745 )
01746 ||
01747
01748 ( ( (old_value.rights & RSBAC_RC_SPECIAL_RIGHTS_VECTOR)
01749 != (value.rights & RSBAC_RC_SPECIAL_RIGHTS_VECTOR)
01750 )
01751 && (!(my_value.rights & RSBAC_RC_RIGHTS_VECTOR(RCR_SUPERVISOR)))
01752 )
01753 )
01754 {
01755
01756 if((err=rsbac_rc_test_role_admin(TRUE)))
01757 {
01758 if(err == -EPERM)
01759 {
01760 rsbac_uid_t user;
01761 char tmp[80];
01762
01763 if(!rsbac_get_owner(&user))
01764 {
01765 #ifdef CONFIG_RSBAC_RMSG
01766 rsbac_printk(KERN_INFO
01767 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - insufficent rights!\n",
01768 get_rc_item_name(tmp, item),
01769 tid.role,
01770 current->pid,
01771 user);
01772 #endif
01773 #ifndef CONFIG_RSBAC_RMSG_EXCL
01774
01775 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01776 if (!rsbac_nosyslog)
01777 #endif
01778 printk(KERN_INFO
01779 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - insufficent rights!\n",
01780 get_rc_item_name(tmp, item),
01781 tid.role,
01782 current->pid,
01783 user);
01784 #endif
01785 }
01786 #ifdef CONFIG_RSBAC_SOFTMODE
01787 if( !rsbac_softmode
01788 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01789 && !rsbac_ind_softmode[RC]
01790 #endif
01791 )
01792 #endif
01793 return err;
01794 }
01795 else
01796 return err;
01797 }
01798 }
01799 }
01800 break;
01801
01802 default:
01803 return -RSBAC_EINVALIDATTR;
01804 }
01805 }
01806 #endif
01807
01808
01809 return(rsbac_rc_set_item(ta_number, target, tid, subtid, item, value, ttl));
01810 }
01811
01812
01813 int rsbac_rc_sys_change_role(rsbac_rc_role_id_t role)
01814 {
01815 union rsbac_target_id_t i_tid;
01816 union rsbac_attribute_value_t i_attr_val1;
01817 #if !defined(CONFIG_RSBAC_MAINT)
01818 #ifdef CONFIG_RSBAC_SWITCH
01819 if(rsbac_switch_rc)
01820 #endif
01821 {
01822 int err;
01823 union rsbac_rc_target_id_t i_rc_subtid;
01824
01825 i_tid.process = current->pid;
01826
01827 if ((err=rsbac_get_attr(RC,
01828 T_PROCESS,
01829 i_tid,
01830 A_rc_role,
01831 &i_attr_val1,
01832 TRUE)))
01833 {
01834 printk(KERN_WARNING
01835 "rsbac_rc_sys_change_role(): rsbac_get_attr() returned error %i!\n",err);
01836 return err;
01837 }
01838
01839
01840 i_rc_subtid.role = role;
01841 if (!rsbac_rc_check_comp(i_attr_val1.rc_role,
01842 i_rc_subtid,
01843 RI_role_comp,
01844 0))
01845 {
01846 rsbac_uid_t user;
01847
01848 if(!rsbac_get_owner(&user))
01849 {
01850 #ifdef CONFIG_RSBAC_RMSG
01851 rsbac_printk(KERN_INFO
01852 "rsbac_rc_sys_change role(): changing from role %u to %u denied for pid %u, user %u, role %u - roles not compatible!\n",
01853 i_attr_val1.rc_role,
01854 role,
01855 i_tid.process,
01856 user,
01857 i_attr_val1.rc_role);
01858 #endif
01859 #ifndef CONFIG_RSBAC_RMSG_EXCL
01860
01861 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01862 if (!rsbac_nosyslog)
01863 #endif
01864 printk(KERN_INFO
01865 "rsbac_rc_sys_change role(): changing from role %u to %u denied for pid %u, user %u, role %u - roles not compatible!\n",
01866 i_attr_val1.rc_role,
01867 role,
01868 i_tid.process,
01869 user,
01870 i_attr_val1.rc_role);
01871 #endif
01872 }
01873 #ifdef CONFIG_RSBAC_SOFTMODE
01874 if( !rsbac_softmode
01875 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01876 && !rsbac_ind_softmode[RC]
01877 #endif
01878 )
01879 #endif
01880 return -EPERM;
01881 }
01882 }
01883 #endif
01884
01885
01886 i_tid.process = current->pid;
01887 i_attr_val1.rc_role = role;
01888 if (rsbac_set_attr(RC, T_PROCESS,
01889 i_tid,
01890 A_rc_role,
01891 i_attr_val1))
01892 {
01893 printk(KERN_WARNING "rsbac_rc_sys_change_role(): rsbac_set_attr() returned error!\n");
01894 return(-RSBAC_EWRITEFAILED);
01895 }
01896
01897 return(0);
01898 }
01899
01900
01901 int rsbac_rc_sys_get_eff_rights(
01902 rsbac_list_ta_number_t ta_number,
01903 enum rsbac_target_t target,
01904 union rsbac_target_id_t tid,
01905 rsbac_rc_request_vector_t * request_vector,
01906 rsbac_time_t * ttl_p)
01907 {
01908 union rsbac_target_id_t i_tid;
01909 enum rsbac_attribute_t i_attr = A_none;
01910 union rsbac_attribute_value_t i_attr_val1;
01911 union rsbac_attribute_value_t i_attr_val2;
01912 int err;
01913 enum rsbac_rc_item_t i_rc_item;
01914 union rsbac_rc_target_id_t i_rc_tid;
01915 union rsbac_rc_target_id_t i_rc_subtid;
01916 union rsbac_rc_item_value_t i_rc_item_val1;
01917
01918 i_tid.process = current->pid;
01919
01920 if ((err=rsbac_get_attr(RC, T_PROCESS,
01921 i_tid,
01922 A_rc_role,
01923 &i_attr_val1,
01924 TRUE)))
01925 {
01926 printk(KERN_WARNING
01927 "rsbac_rc_sys_get_eff_rights(): rsbac_get_attr() returned error %i!\n",err);
01928 return -RSBAC_EREADFAILED;
01929 }
01930
01931 switch(target)
01932 {
01933 case T_FILE:
01934 case T_DIR:
01935 case T_FIFO:
01936 case T_SYMLINK:
01937 i_attr = A_rc_type_fd;
01938 i_rc_item = RI_type_comp_fd;
01939 break;
01940 case T_DEV:
01941 i_attr = A_rc_type;
01942 i_rc_item = RI_type_comp_dev;
01943 break;
01944 case T_IPC:
01945 i_attr = A_rc_type;
01946 i_rc_item = RI_type_comp_ipc;
01947 break;
01948 case T_PROCESS:
01949 i_attr = A_rc_type;
01950 i_rc_item = RI_type_comp_process;
01951 break;
01952 case T_SCD:
01953 if(tid.scd >= RST_none)
01954 return -RSBAC_EINVALIDTARGET;
01955 i_rc_item = RI_type_comp_scd;
01956 break;
01957 case T_GROUP:
01958 i_attr = A_rc_type;
01959 i_rc_item = RI_type_comp_group;
01960 break;
01961 case T_NETDEV:
01962 i_attr = A_rc_type;
01963 i_rc_item = RI_type_comp_netdev;
01964 break;
01965 case T_NETTEMP:
01966 i_attr = A_rc_type_nt;
01967 i_rc_item = RI_type_comp_nettemp;
01968 break;
01969 case T_NETOBJ:
01970 i_attr = A_rc_type;
01971 i_rc_item = RI_type_comp_netobj;
01972 break;
01973 default:
01974 return -RSBAC_EINVALIDTARGET;
01975 }
01976
01977 if(target == T_SCD)
01978 {
01979 i_attr_val2.rc_type = tid.scd;
01980 }
01981 else
01982 {
01983 if ((err=rsbac_get_attr(RC,
01984 target,
01985 tid,
01986 i_attr,
01987 &i_attr_val2,
01988 TRUE)))
01989 {
01990 printk(KERN_WARNING
01991 "rsbac_rc_sys_get_eff_rights(): rsbac_get_attr() returned error %i!\n",err);
01992 return -RSBAC_EREADFAILED;
01993 }
01994 }
01995
01996 i_rc_tid.role = i_attr_val1.rc_role;
01997 i_rc_subtid.type = i_attr_val2.rc_type;
01998 if ((err=rsbac_rc_get_item(ta_number,
01999 RT_ROLE,
02000 i_rc_tid,
02001 i_rc_subtid,
02002 i_rc_item,
02003 &i_rc_item_val1,
02004 ttl_p)))
02005 {
02006 printk(KERN_WARNING
02007 "rsbac_rc_sys_get_eff_rights(): rsbac_rc_get_item() returned error %i!\n",err);
02008 return -RSBAC_EREADFAILED;
02009 }
02010
02011 *request_vector = i_rc_item_val1.rights;
02012
02013 return(0);
02014 }
02015
02016 int rsbac_rc_sys_get_current_role(rsbac_rc_role_id_t * role_p)
02017 {
02018 union rsbac_target_id_t i_tid;
02019 union rsbac_attribute_value_t i_attr_val1;
02020 int err;
02021
02022
02023 i_tid.process = current->pid;
02024 if ((err=rsbac_get_attr(RC, T_PROCESS,
02025 i_tid,
02026 A_rc_role,
02027 &i_attr_val1,
02028 TRUE)))
02029 {
02030 printk(KERN_WARNING
02031 "rsbac_rc_sys_get_current_role(): rsbac_get_attr() returned error %i!\n",err);
02032 return -RSBAC_EREADFAILED;
02033 }
02034 *role_p = i_attr_val1.rc_role;
02035
02036 return(0);
02037 }
02038
02039
