Main Page | Alphabetical List | Data Structures | Directories | File List | Data Fields | Globals | Search for 
daten / src / rsbac / linux-2.4.31-rsbac-v1.2.4 / rsbac / adf

adf_main.c

Go to the documentation of this file.
00001 /*************************************************** */
00002 /* Rule Set Based Access Control                     */
00003 /* Implementation of the Access Control Decision     */
00004 /* Facility (ADF) - Main file main.c                 */
00005 /*                                                   */
00006 /* Author and (c) 1999-2005: Amon Ott <ao@rsbac.org> */
00007 /*                                                   */
00008 /* Last modified: 09/Feb/2005                        */
00009 /*************************************************** */
00010 
00011 #include <linux/string.h>
00012 #include <linux/init.h>
00013 #include <linux/config.h>
00014 #include <linux/module.h>
00015 #include <rsbac/types.h>
00016 #include <rsbac/aci.h>
00017 #include <rsbac/adf.h>
00018 #include <rsbac/adf_main.h>
00019 #include <rsbac/error.h>
00020 #include <rsbac/helpers.h>
00021 #include <rsbac/getname.h>
00022 #include <rsbac/rkmem.h>
00023 #include <rsbac/network.h>
00024 #if defined(CONFIG_RSBAC_UM_EXCL)
00025 #include <rsbac/um.h>
00026 #endif
00027 
00028 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
00029 #include <linux/nfs_fs.h>
00030 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00031 #include <linux/coda.h>
00032 #endif
00033 #include <linux/coda_psdev.h>
00034 #include <linux/ncp_fs.h>
00035 #include <linux/smb.h>
00036 #endif
00037 
00038 #ifdef CONFIG_RSBAC_SECDEL
00039 #include <linux/types.h>
00040 #include <linux/dcache.h>
00041 #include <asm/uaccess.h>
00042 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00043 #include <linux/buffer_head.h>
00044 #endif
00045 #endif /* SECDEL */
00046 
00047 /************************************************* */
00048 /*           Global Variables                      */
00049 /************************************************* */
00050 
00051 u_long rsbac_adf_request_count[T_NONE+1] = {0,0,0,0,0,0,0,0};
00052 u_long rsbac_adf_set_attr_count[T_NONE+1] = {0,0,0,0,0,0,0,0};
00053 #ifdef CONFIG_RSBAC_XSTATS
00054 u_long rsbac_adf_request_xcount[T_NONE+1][R_NONE];
00055 u_long rsbac_adf_set_attr_xcount[T_NONE+1][R_NONE];
00056 #endif
00057 
00058 #ifdef CONFIG_RSBAC_SWITCH
00059 
00060 /******* MAC ********/
00061 #ifdef CONFIG_RSBAC_MAC
00062 rsbac_boolean_t rsbac_switch_mac = TRUE;
00063 #endif  /* MAC */
00064 
00065 /******* FC ********/
00066 #ifdef CONFIG_RSBAC_FC
00067 rsbac_boolean_t rsbac_switch_fc = TRUE;
00068 #endif  /* FC */
00069 
00070 /******* SIM ********/
00071 #ifdef CONFIG_RSBAC_SIM
00072 rsbac_boolean_t rsbac_switch_sim = TRUE;
00073 #endif  /* SIM */
00074 
00075 /******* PM ********/
00076 #ifdef CONFIG_RSBAC_PM
00077 rsbac_boolean_t rsbac_switch_pm = TRUE;
00078 #endif  /* PM */
00079 
00080 /******* DAZ ********/
00081 #ifdef CONFIG_RSBAC_DAZ
00082 rsbac_boolean_t rsbac_switch_daz = TRUE;
00083 #endif  /* DAZ */
00084 
00085 /******* FF ********/
00086 #ifdef CONFIG_RSBAC_FF
00087 rsbac_boolean_t rsbac_switch_ff = TRUE;
00088 #endif  /* FF */
00089 
00090 /******* RC ********/
00091 #ifdef CONFIG_RSBAC_RC
00092 rsbac_boolean_t rsbac_switch_rc = TRUE;
00093 #endif  /* RC */
00094 
00095 /****** AUTH *******/
00096 #ifdef CONFIG_RSBAC_AUTH
00097 rsbac_boolean_t rsbac_switch_auth = TRUE;
00098 #endif  /* AUTH */
00099 
00100 /****** ACL *******/
00101 #ifdef CONFIG_RSBAC_ACL
00102 rsbac_boolean_t rsbac_switch_acl = TRUE;
00103 #endif  /* ACL */
00104 
00105 /****** CAP *******/
00106 #ifdef CONFIG_RSBAC_CAP
00107 rsbac_boolean_t rsbac_switch_cap = TRUE;
00108 #endif  /* CAP */
00109 
00110 /****** JAIL *******/
00111 #ifdef CONFIG_RSBAC_JAIL
00112 rsbac_boolean_t rsbac_switch_jail = TRUE;
00113 #endif  /* JAIL */
00114 
00115 /****** PAX ********/
00116 #ifdef CONFIG_RSBAC_PAX
00117 rsbac_boolean_t rsbac_switch_pax = TRUE;
00118 #endif  /* PAX */
00119 
00120 /****** RES *******/
00121 #ifdef CONFIG_RSBAC_RES
00122 rsbac_boolean_t rsbac_switch_res = TRUE;
00123 #endif  /* RES */
00124 
00125 #endif /* SWITCH */
00126 
00127 /************************************************* */
00128 /*          Internal Help functions                */
00129 /************************************************* */
00130 
00131 /************************************************* */
00132 /*          Externally visible functions           */
00133 /************************************************* */
00134 
00135 /* Init function, calls inits for all sub-modules  */
00136 
00137 #ifdef CONFIG_RSBAC_INIT_DELAY
00138 void rsbac_init_adf(void)
00139 #else
00140 void __init rsbac_init_adf(void)
00141 #endif
00142   {
00143     #if defined(CONFIG_RSBAC_REG)
00144     rsbac_reg_init();
00145     #endif
00146   };
00147 
00148 enum rsbac_adf_req_ret_t
00149     adf_and_plus(enum rsbac_adf_req_ret_t res1,
00150                  enum rsbac_adf_req_ret_t res2)
00151   {
00152     switch (res1)
00153       {
00154         case GRANTED:     if (res2 == DO_NOT_CARE)
00155                             return (GRANTED);
00156                           else
00157                             return (res2);
00158         case NOT_GRANTED: if (res2 == UNDEFINED)
00159                             return (UNDEFINED);
00160                           else
00161                             return (NOT_GRANTED);
00162         case DO_NOT_CARE: return (res2);
00163         default:          return (UNDEFINED);
00164       }
00165   };
00166 
00167 /*********************************************************************/
00168 /* rsbac_adf_request()                                               */
00169 /* This function is the main decision function, called from the AEF. */
00170 
00171 EXPORT_SYMBOL(rsbac_adf_request_int);
00172 enum rsbac_adf_req_ret_t
00173    rsbac_adf_request_int(enum  rsbac_adf_request_t     request,
00174                                rsbac_pid_t             caller_pid,
00175                          enum  rsbac_target_t          target,
00176                          union rsbac_target_id_t     * tid_p,
00177                          enum  rsbac_attribute_t       attr,
00178                          union rsbac_attribute_value_t * attr_val_p,
00179                          enum  rsbac_switch_target_t   ignore_module)
00180   {
00181     union rsbac_target_id_t        i_tid;
00182     union rsbac_attribute_value_t  i_attr_val;
00183           rsbac_uid_t              owner=0;
00184     int tmperr=0;
00185     enum rsbac_adf_req_ret_t   result = DO_NOT_CARE;
00186 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00187     enum rsbac_adf_req_ret_t   ret_result = DO_NOT_CARE;
00188 #endif
00189 #ifndef CONFIG_RSBAC_MAINT
00190     enum rsbac_adf_req_ret_t   mod_result[SW_NONE + 1] = {
00191                                    DO_NOT_CARE,
00192                                    DO_NOT_CARE,
00193                                    DO_NOT_CARE,
00194                                    DO_NOT_CARE,
00195                                    DO_NOT_CARE,
00196                                    DO_NOT_CARE,
00197                                    DO_NOT_CARE,
00198                                    DO_NOT_CARE,
00199                                    DO_NOT_CARE,
00200                                    DO_NOT_CARE,
00201                                    DO_NOT_CARE,
00202                                    DO_NOT_CARE,
00203                                    DO_NOT_CARE,
00204                                    DO_NOT_CARE,
00205                                    DO_NOT_CARE,
00206                                    DO_NOT_CARE,
00207                                    DO_NOT_CARE,
00208                                    DO_NOT_CARE
00209                                  };
00210 #endif
00211     rsbac_boolean_t do_log = FALSE;
00212     rsbac_boolean_t log_on_request = TRUE;
00213 /* only if individual logging is enabled */
00214 #if defined(CONFIG_RSBAC_IND_LOG) || defined(CONFIG_RSBAC_IND_NETDEV_LOG) || defined(CONFIG_RSBAC_IND_NETOBJ_LOG)
00215     union rsbac_attribute_value_t  i_attr_val2;
00216     enum rsbac_log_level_t log_level;
00217 #endif
00218     struct super_block * sb_p;
00219 #ifdef CONFIG_RSBAC_SOFTMODE
00220     rsbac_boolean_t rsbac_internal = FALSE;
00221 #endif
00222 
00223 /* No decision possible before init (called at boot time) -> don't care */
00224     if (!rsbac_is_initialized())
00225       return(DO_NOT_CARE);
00226 
00227 /* Always granted for kernel (pid 0) and logging daemon */
00228     if (   !caller_pid
00229         #if defined(CONFIG_RSBAC_LOG_REMOTE)
00230         || (caller_pid == rsbaclogd_pid)
00231         #endif
00232        )
00233       return(GRANTED);
00234 
00235 /* Checking base values */
00236     if(   request >= R_NONE
00237        || target > T_NONE
00238        || attr > A_none)
00239       {
00240 #ifdef CONFIG_RSBAC_RMSG
00241         rsbac_printk(KERN_WARNING
00242                "rsbac_adf_request(): called with invalid request, target or attribute\n");
00243 #endif
00244 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00245         if (!rsbac_nosyslog)
00246 #endif
00247         printk(KERN_WARNING
00248                "rsbac_adf_request(): called with invalid request, target or attribute\n");
00249         return(NOT_GRANTED);
00250       }
00251 
00252     if (in_interrupt())
00253       {
00254         char * request_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00255 
00256         if(request_name)
00257           {
00258             get_request_name(request_name, request);
00259 #ifdef CONFIG_RSBAC_RMSG
00260             rsbac_printk(KERN_WARNING "rsbac_adf_request(): called from interrupt: request %s, pid %u, attr_val %u!\n",
00261                    request_name, caller_pid, attr_val_p->dummy);
00262 #endif
00263 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00264             if (!rsbac_nosyslog)
00265 #endif
00266             printk(KERN_WARNING "rsbac_adf_request(): called from interrupt: request %s, pid %u, attr_val %u!\n",
00267                    request_name, caller_pid, attr_val_p->dummy);
00268             kfree(request_name);
00269           }
00270         else
00271           {
00272 #ifdef CONFIG_RSBAC_RMSG
00273             rsbac_printk(KERN_WARNING "rsbac_adf_request(): called from interrupt: request %u, pid %u!\n",
00274                    request, caller_pid);
00275 #endif
00276 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00277             if (!rsbac_nosyslog)
00278 #endif
00279             printk(KERN_WARNING "rsbac_adf_request(): called from interrupt: request %u, pid %u!\n",
00280                    request, caller_pid);
00281           }
00282 //        return DO_NOT_CARE;
00283       }
00284 
00285 /* Getting basic information about this request */
00286 
00287     /* only useful for real process, not idle or init */
00288     if (caller_pid > 1)
00289       {
00290         tmperr = rsbac_get_owner(&owner);
00291         if(tmperr)
00292           {
00293 #ifdef CONFIG_RSBAC_RMSG
00294             rsbac_printk(KERN_DEBUG
00295                    "rsbac_adf_request(): caller_pid %i, RSBAC not initialized, returning DO_NOT_CARE",
00296                    caller_pid);
00297 #endif
00298 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00299             if (!rsbac_nosyslog)
00300 #endif
00301             printk(KERN_DEBUG
00302                    "rsbac_adf_request(): caller_pid %i, RSBAC not initialized, returning DO_NOT_CARE",
00303                    caller_pid);
00304             return(DO_NOT_CARE);      /* Startup-Sequence (see above) */
00305           }
00306       }
00307     else  /* caller_pid = 1 -> init, always owned by root */
00308       owner = 0;
00309 
00310 
00311 /******************************************************/
00312 /* General work for all modules - before module calls */
00313     /* test target on rsbac_internal */
00314     switch(target)
00315       {
00316         case T_FILE:
00317         case T_DIR:
00318         case T_FIFO:
00319         case T_SYMLINK:
00320 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
00321           if (   ((sb_p = rsbac_get_super_block(tid_p->file.device)))
00322               && (   (sb_p->s_magic == NFS_SUPER_MAGIC)
00323                   || (sb_p->s_magic == CODA_SUPER_MAGIC)
00324                   || (sb_p->s_magic == NCP_SUPER_MAGIC)
00325                   || (sb_p->s_magic == SMB_SUPER_MAGIC)
00326                  )
00327              )
00328             {
00329               result = DO_NOT_CARE;
00330               goto log;
00331             }
00332 #endif
00333           /* No decision on pseudo pipefs */
00334           if(   (target == T_FIFO)
00335              && ((sb_p = rsbac_get_super_block(tid_p->file.device)))
00336              && (sb_p->s_magic == PIPEFS_MAGIC)
00337             )
00338             return DO_NOT_CARE;
00339 #if 0 && LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
00340           /* No decision on pseudo sockfs */
00341           if(   (target == T_FILE)
00342              && (!RSBAC_MAJOR(tid_p->file.device))
00343              && (!RSBAC_MINOR(tid_p->file.device))
00344             )
00345             return DO_NOT_CARE;
00346 #endif
00347           switch(request)
00348             {
00349               case R_GET_STATUS_DATA:
00350               case R_READ_ATTRIBUTE:
00351 #ifdef CONFIG_RSBAC_DAT_VISIBLE
00352               case R_SEARCH:
00353               case R_READ:
00354               case R_CLOSE:
00355               case R_CHDIR:
00356               case R_GET_PERMISSIONS_DATA:
00357 #endif
00358                 break;
00359 
00360               default:
00361                 if ((tmperr = rsbac_get_attr(GEN,
00362                                              target,
00363                                              *tid_p,
00364                                              A_internal,
00365                                              &i_attr_val,
00366                                              TRUE) ))
00367                   {
00368                     if(tmperr == -RSBAC_EINVALIDDEV)
00369                       {
00370                         rsbac_ds_get_error("rsbac_adf_request()", A_internal);
00371                         return(DO_NOT_CARE);  /* last calls on shutdown */
00372                       }
00373                     else
00374                       {
00375                         rsbac_ds_get_error("rsbac_adf_request()", A_internal);
00376                         return(NOT_GRANTED);  /* something weird happened */
00377                       }
00378                   }
00379                 /* no access to rsbac_internal objects is granted in any case */
00380                 if (i_attr_val.internal)
00381                   {
00382 #ifdef CONFIG_RSBAC_RMSG
00383                     rsbac_printk(KERN_WARNING
00384                            "rsbac_adf_request(): trial to access object declared RSBAC-internal!\n");
00385 #endif
00386 #ifndef CONFIG_RSBAC_RMSG_EXCL
00387         /* only log to standard syslog, if not disabled by kernel boot parameter */
00388 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00389         if (!rsbac_nosyslog)
00390 #endif
00391                     printk(KERN_WARNING
00392                            "rsbac_adf_request(): trial to access object declared RSBAC-internal!\n");
00393 #endif
00394                     result = NOT_GRANTED;
00395                     #ifndef CONFIG_RSBAC_MAINT
00396                     mod_result[SW_NONE] = NOT_GRANTED;
00397                     #endif
00398                     #ifdef CONFIG_RSBAC_SOFTMODE
00399                     #ifdef CONFIG_RSBAC_SOFTMODE_IND
00400                     ret_result = NOT_GRANTED;
00401                     #endif
00402                     rsbac_internal = TRUE;
00403                     #endif
00404                   }
00405             }
00406           break;
00407 
00408 #if defined(CONFIG_RSBAC_UM_EXCL)
00409         case T_PROCESS:
00410           switch(request)
00411             {
00412               case R_CHANGE_OWNER:
00413 #ifdef CONFIG_RSBAC_DAC_OWNER
00414               case R_CHANGE_DAC_EFF_OWNER:
00415               case R_CHANGE_DAC_FS_OWNER:
00416 #endif
00417                 if(   (attr == A_owner)
00418                    && !rsbac_um_no_excl
00419                    && !rsbac_um_user_exists(0, attr_val_p->owner)
00420                   )
00421                   {
00422 #ifdef CONFIG_RSBAC_RMSG
00423                     rsbac_printk(KERN_INFO
00424                                  "rsbac_adf_request(): uid %u not known to RSBAC User Management!\n",
00425                                  attr_val_p->owner);
00426 #endif
00427 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00428                     if (!rsbac_nosyslog)
00429 #endif
00430                     printk(KERN_INFO
00431                            "rsbac_adf_request(): uid %u not known to RSBAC User Management!\n",
00432                            attr_val_p->owner);
00433                     result = adf_and_plus(result, NOT_GRANTED);
00434 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00435                     ret_result = adf_and_plus(ret_result, NOT_GRANTED);
00436 #endif
00437                   }
00438                 break;
00439 
00440               case R_CHANGE_GROUP:
00441 #ifdef CONFIG_RSBAC_DAC_OWNER
00442               case R_CHANGE_DAC_EFF_GROUP:
00443               case R_CHANGE_DAC_FS_GROUP:
00444 #endif
00445                 if(   (attr == A_group)
00446                    && !rsbac_um_no_excl
00447                    && !rsbac_um_group_exists(0, attr_val_p->group)
00448                   )
00449                   {
00450 #ifdef CONFIG_RSBAC_RMSG
00451                     rsbac_printk(KERN_INFO
00452                                  "rsbac_adf_request(): gid %u not known to RSBAC User Management!\n",
00453                                  attr_val_p->group);
00454 #endif
00455 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00456                     if (!rsbac_nosyslog)
00457 #endif
00458                     printk(KERN_INFO
00459                            "rsbac_adf_request(): gid %u not known to RSBAC User Management!\n",
00460                            attr_val_p->group);
00461                     result = adf_and_plus(result, NOT_GRANTED);
00462 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00463                     ret_result = adf_and_plus(ret_result, NOT_GRANTED);
00464 #endif
00465                   }
00466                 break;
00467 
00468               default:
00469                 break;
00470             }
00471           break;
00472 #endif /* UM_EXCL */
00473 
00474         default:
00475           break;
00476       }
00477       
00478 /**********************************************************/
00479 /* calling all decision modules, building a common result */
00480 
00481 #ifdef CONFIG_RSBAC_DEBUG
00482 /* first, check for valid request/target combination      */
00483 /* (undefined should only happen in _check and means a real bug!) */
00484   result = adf_and_plus(result,rsbac_adf_request_check(request,
00485                                                        caller_pid,
00486                                                        target,
00487                                                        tid_p,
00488                                                        attr,
00489                                                        attr_val_p,
00490                                                        owner) );
00491 
00492 if(result == UNDEFINED)
00493   goto log;
00494 #endif
00495 
00496 #if !defined(CONFIG_RSBAC_MAINT)
00497 /******* MAC ********/
00498 #if defined(CONFIG_RSBAC_MAC)
00499 #ifdef CONFIG_RSBAC_SWITCH
00500 if (rsbac_switch_mac)
00501 #endif
00502   /* no need to call module, if to be ignored */
00503   if(ignore_module != MAC)
00504     {
00505       mod_result[MAC] = rsbac_adf_request_mac(request,
00506                                               caller_pid,
00507                                               target,
00508                                               *tid_p,
00509                                               attr,
00510                                               *attr_val_p,
00511                                               owner);
00512       result = adf_and_plus(result, mod_result[MAC]);
00513 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00514       if(!rsbac_ind_softmode[MAC])
00515         ret_result = adf_and_plus(ret_result, mod_result[MAC]);
00516 #endif
00517     }
00518 #endif  /* MAC */
00519 
00520 /******* FC ********/
00521 #if defined(CONFIG_RSBAC_FC)
00522 #ifdef CONFIG_RSBAC_SWITCH
00523 if (rsbac_switch_fc)
00524 #endif
00525   /* no need to call module, if to be ignored */
00526   if(ignore_module != FC)
00527     {
00528       mod_result[FC]  = rsbac_adf_request_fc (request,
00529                                               caller_pid,
00530                                               target,
00531                                               *tid_p,
00532                                               attr,
00533                                               *attr_val_p,
00534                                               owner);
00535       result = adf_and_plus(result, mod_result[FC]);
00536 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00537       if(!rsbac_ind_softmode[FC])
00538         ret_result = adf_and_plus(ret_result, mod_result[FC]);
00539 #endif
00540     }
00541 #endif  /* FC */
00542 
00543 /******* SIM ********/
00544 #if defined(CONFIG_RSBAC_SIM)
00545 #ifdef CONFIG_RSBAC_SWITCH
00546 if (rsbac_switch_sim)
00547 #endif
00548   /* no need to call module, if to be ignored */
00549   if(ignore_module != SIM)
00550     {
00551       mod_result[SIM] = rsbac_adf_request_sim(request,
00552                                               caller_pid,
00553                                               target,
00554                                               *tid_p,
00555                                               attr,
00556                                               *attr_val_p,
00557                                               owner);
00558       result = adf_and_plus(result, mod_result[SIM]);
00559 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00560       if(!rsbac_ind_softmode[SIM])
00561         ret_result = adf_and_plus(ret_result, mod_result[SIM]);
00562 #endif
00563     }
00564 #endif  /* SIM */
00565 
00566 /******* PM ********/
00567 #if defined(CONFIG_RSBAC_PM)
00568 #ifdef CONFIG_RSBAC_SWITCH
00569 if (rsbac_switch_pm)
00570 #endif
00571   /* no need to call module, if to be ignored */
00572   if(ignore_module != PM)
00573     {
00574       mod_result[PM]  = rsbac_adf_request_pm (request,
00575                                               caller_pid,
00576                                               target,
00577                                               *tid_p,
00578                                               attr,
00579                                               *attr_val_p,
00580                                               owner);
00581       result = adf_and_plus(result, mod_result[PM]);
00582 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00583       if(!rsbac_ind_softmode[PM])
00584         ret_result = adf_and_plus(ret_result, mod_result[PM]);
00585 #endif
00586     }
00587 #endif  /* PM */
00588 
00589 /******* DAZ ********/
00590 #if defined(CONFIG_RSBAC_DAZ)
00591 #ifdef CONFIG_RSBAC_SWITCH
00592 if (rsbac_switch_daz)
00593 #endif
00594   /* no need to call module, if to be ignored */
00595   if(ignore_module != DAZ)
00596     {
00597       mod_result[DAZ]  = rsbac_adf_request_daz (request,
00598                                               caller_pid,
00599                                               target,
00600                                               *tid_p,
00601                                               attr,
00602                                               *attr_val_p,
00603                                               owner);
00604       result = adf_and_plus(result, mod_result[DAZ]);
00605 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00606       if(!rsbac_ind_softmode[DAZ])
00607         ret_result = adf_and_plus(ret_result, mod_result[DAZ]);
00608 #endif
00609     }
00610 #endif  /* DAZ */
00611 
00612 /******* FF ********/
00613 #if defined(CONFIG_RSBAC_FF)
00614 #ifdef CONFIG_RSBAC_SWITCH
00615 if (rsbac_switch_ff)
00616 #endif
00617   /* no need to call module, if to be ignored */
00618   if(ignore_module != FF)
00619     {
00620       mod_result[FF]  = rsbac_adf_request_ff (request,
00621                                               caller_pid,
00622                                               target,
00623                                               *tid_p,
00624                                               attr,
00625                                               *attr_val_p,
00626                                               owner);
00627       result = adf_and_plus(result, mod_result[FF]);
00628 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00629       if(!rsbac_ind_softmode[FF])
00630         ret_result = adf_and_plus(ret_result, mod_result[FF]);
00631 #endif
00632     }
00633 #endif  /* FF */
00634 
00635 /******* RC ********/
00636 #if defined(CONFIG_RSBAC_RC)
00637 #ifdef CONFIG_RSBAC_SWITCH
00638 if (rsbac_switch_rc)
00639 #endif
00640   /* no need to call module, if to be ignored */
00641   if(ignore_module != RC)
00642     {
00643       mod_result[RC]  = rsbac_adf_request_rc (request,
00644                                               caller_pid,
00645                                               target,
00646                                               *tid_p,
00647                                               attr,
00648                                               *attr_val_p,
00649                                               owner);
00650       result = adf_and_plus(result, mod_result[RC]);
00651 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00652       if(!rsbac_ind_softmode[RC])
00653         ret_result = adf_and_plus(ret_result, mod_result[RC]);
00654 #endif
00655     }
00656 #endif  /* RC */
00657 
00658 /****** AUTH *******/
00659 #if defined(CONFIG_RSBAC_AUTH)
00660 #ifdef CONFIG_RSBAC_SWITCH
00661 if (rsbac_switch_auth)
00662 #endif
00663   /* no need to call module, if to be ignored */
00664   if(ignore_module != AUTH)
00665     {
00666       mod_result[AUTH]= rsbac_adf_request_auth(request,
00667                                               caller_pid,
00668                                               target,
00669                                               *tid_p,
00670                                               attr,
00671                                               *attr_val_p,
00672                                               owner);
00673       result = adf_and_plus(result, mod_result[AUTH]);
00674 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00675       if(!rsbac_ind_softmode[AUTH])
00676         ret_result = adf_and_plus(ret_result, mod_result[AUTH]);
00677 #endif
00678     }
00679 #endif  /* AUTH */
00680 
00681 /****** ACL *******/
00682 #if defined(CONFIG_RSBAC_ACL)
00683 #ifdef CONFIG_RSBAC_SWITCH
00684 if (rsbac_switch_acl)
00685 #endif
00686   /* no need to call module, if to be ignored */
00687   if(ignore_module != ACL)
00688     {
00689       mod_result[ACL] = rsbac_adf_request_acl(request,
00690                                               caller_pid,
00691                                               target,
00692                                               *tid_p,
00693                                               attr,
00694                                               *attr_val_p,
00695                                               owner);
00696       result = adf_and_plus(result, mod_result[ACL]);
00697 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00698       if(!rsbac_ind_softmode[ACL])
00699         ret_result = adf_and_plus(ret_result, mod_result[ACL]);
00700 #endif
00701     }
00702 #endif  /* ACL */
00703 
00704 /****** CAP *******/
00705 #if defined(CONFIG_RSBAC_CAP)
00706 #ifdef CONFIG_RSBAC_SWITCH
00707 if (rsbac_switch_cap)
00708 #endif
00709   /* no need to call module, if to be ignored */
00710   if(ignore_module != CAP)
00711     {
00712       mod_result[CAP] = rsbac_adf_request_cap(request,
00713                                               caller_pid,
00714                                               target,
00715                                               *tid_p,
00716                                               attr,
00717                                               *attr_val_p,
00718                                               owner);
00719       result = adf_and_plus(result, mod_result[CAP]);
00720 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00721       if(!rsbac_ind_softmode[CAP])
00722         ret_result = adf_and_plus(ret_result, mod_result[CAP]);
00723 #endif
00724     }
00725 #endif  /* CAP */
00726 
00727 /****** JAIL *******/
00728 #if defined(CONFIG_RSBAC_JAIL)
00729 #ifdef CONFIG_RSBAC_SWITCH
00730 if (rsbac_switch_jail)
00731 #endif
00732   /* no need to call module, if to be ignored */
00733   if(ignore_module != JAIL)
00734     {
00735       mod_result[JAIL]= rsbac_adf_request_jail(request,
00736                                               caller_pid,
00737                                               target,
00738                                               *tid_p,
00739                                               attr,
00740                                               *attr_val_p,
00741                                               owner);
00742       result = adf_and_plus(result, mod_result[JAIL]);
00743 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00744       if(!rsbac_ind_softmode[JAIL])
00745         ret_result = adf_and_plus(ret_result, mod_result[JAIL]);
00746 #endif
00747     }
00748 #endif  /* JAIL */
00749 
00750 /******* PAX ********/
00751 #if defined(CONFIG_RSBAC_PAX)
00752 #ifdef CONFIG_RSBAC_SWITCH
00753 if (rsbac_switch_pax)
00754 #endif
00755   /* no need to call module, if to be ignored */
00756   if(ignore_module != PAX)
00757     {
00758       mod_result[PAX]  = rsbac_adf_request_pax (request,
00759                                               caller_pid,
00760                                               target,
00761                                               *tid_p,
00762                                               attr,
00763                                               *attr_val_p,
00764                                               owner);
00765       result = adf_and_plus(result, mod_result[PAX]);
00766 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00767       if(!rsbac_ind_softmode[PAX])
00768         ret_result = adf_and_plus(ret_result, mod_result[PAX]);
00769 #endif
00770     }
00771 #endif  /* PAX */
00772 
00773 /****** RES *******/
00774 #if defined(CONFIG_RSBAC_RES)
00775 #ifdef CONFIG_RSBAC_SWITCH
00776 if (rsbac_switch_res)
00777 #endif
00778   /* no need to call module, if to be ignored */
00779   if(ignore_module != RES)
00780     {
00781       mod_result[RES] = rsbac_adf_request_res(request,
00782                                               caller_pid,
00783                                               target,
00784                                               *tid_p,
00785                                               attr,
00786                                               *attr_val_p,
00787                                               owner);
00788       result = adf_and_plus(result, mod_result[RES]);
00789 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00790       if(!rsbac_ind_softmode[RES])
00791         ret_result = adf_and_plus(ret_result, mod_result[RES]);
00792 #endif
00793     }
00794 #endif  /* RES */
00795 
00796 /****** REG *******/
00797 #if defined(CONFIG_RSBAC_REG)
00798 if(ignore_module != REG)
00799   {
00800     mod_result[REG]= rsbac_adf_request_reg (request,
00801                                             caller_pid,
00802                                             target,
00803                                             *tid_p,
00804                                             attr,
00805                                             *attr_val_p,
00806                                             owner);
00807     result = adf_and_plus(result, mod_result[REG]);
00808 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00809     if(!rsbac_ind_softmode[REG])
00810       ret_result = adf_and_plus(ret_result, mod_result[REG]);
00811 #endif
00812   }
00813 #endif  /* REG */
00814 
00815 #endif /* !MAINT */
00816 
00817 /****************************/
00818 
00819 #if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET)
00820     if(    rsbac_debug_adf_net
00821        && (   (target == T_NETDEV)
00822            || (target == T_NETTEMP)
00823            || (target == T_NETOBJ)
00824           )
00825       )
00826       do_log = TRUE;
00827 #endif
00828 
00829 /* log based on process owner */
00830 #ifdef CONFIG_RSBAC_IND_USER_LOG
00831     i_tid.user = owner;
00832     if (rsbac_get_attr(GEN,
00833                        T_USER,
00834                        i_tid,
00835                        A_log_user_based,
00836                        &i_attr_val,
00837                        FALSE))
00838       {
00839         rsbac_ds_get_error("rsbac_adf_request()", A_log_user_based);
00840       }
00841     else
00842       {
00843         if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_user_based) 
00844           do_log = TRUE;
00845       }
00846 #endif /* CONFIG_RSBAC_IND_USER_LOG */
00847 
00848 /* log based on program */
00849 #ifdef CONFIG_RSBAC_IND_PROG_LOG
00850     if(!do_log)
00851       {
00852         i_tid.process = caller_pid;
00853         if (rsbac_get_attr(GEN,
00854                            T_PROCESS,
00855                            i_tid,
00856                            A_log_program_based,
00857                            &i_attr_val,
00858                            FALSE))
00859           {
00860             rsbac_ds_get_error("rsbac_adf_request()", A_log_program_based);
00861           }
00862         else
00863           {
00864             if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_program_based) 
00865               do_log = TRUE;
00866           }
00867       }
00868 #endif /* CONFIG_RSBAC_IND_PROG_LOG */
00869 
00870 /*****************************************************/
00871 /* General work for all modules - after module calls */
00872 /* Note: the process' individual logging attributes are needed above */
00873     switch(request)
00874       {
00875         case R_TERMINATE:
00876             if (target == T_PROCESS)
00877               rsbac_remove_target(T_PROCESS,*tid_p);
00878             break;
00879         default:
00880             break;
00881       }
00882 
00883 /* logging request on info level, if requested by file/dir/dev attributes */
00884 /* log_array_low/high, or, if that is requested, if enabled for this request */
00885 /* type (attributes state level, or that request based level is to be taken) */
00886 /* loglevel 2: log everything */
00887 /* loglevel 1: log, if denied */
00888 /* loglevel 0: log nothing */
00889 
00890 #ifdef CONFIG_RSBAC_IND_LOG /* only if individual logging is enabled */
00891     /* if file/dir/dev, depend log on log_arrays */
00892     /* (but not for file.device = 0) */
00893     /* log_on_request is TRUE */
00894     if(   !do_log
00895        && (   (   (   (target == T_FILE)
00896                    || (target == T_DIR)
00897                    || (target == T_FIFO)
00898                    || (target == T_SYMLINK)
00899                   )
00900                && RSBAC_MAJOR(tid_p->file.device)
00901                && RSBAC_MINOR(tid_p->file.device)
00902               )
00903            || (target == T_DEV)
00904           )
00905       )
00906       {
00907         if (rsbac_get_attr(GEN,
00908                            target,
00909                            *tid_p,
00910                            A_log_array_low,
00911                            &i_attr_val,
00912                            FALSE))
00913           {
00914             rsbac_ds_get_error("rsbac_adf_request()", A_log_array_low);
00915           }
00916         else
00917           {
00918             if (rsbac_get_attr(GEN,
00919                                target,
00920                                *tid_p,
00921                                A_log_array_high,
00922                                &i_attr_val2,
00923                                FALSE))
00924               {
00925                 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_high);
00926               }
00927             else
00928               { /* ll = low-bit for request | (high-bit for request as bit 1) */
00929                 /* WARNING: we deal with u64 here, only logical operations and */
00930                 /* shifts work correctly! */
00931                 log_level =   ((i_attr_val.log_array_low   >> request) & 1)
00932                           | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
00933                 if (   log_level == LL_full
00934                     || (   log_level == LL_denied
00935                         && (result == NOT_GRANTED
00936                             || result == UNDEFINED)) )
00937                   {
00938                     do_log = TRUE;
00939                   }
00940                 if(log_level != LL_request)
00941                   log_on_request = FALSE;
00942               }
00943           }
00944       }
00945 #endif /* CONFIG_RSBAC_IND_LOG */
00946 
00947 #ifdef CONFIG_RSBAC_IND_NETDEV_LOG /* only if individual logging for netdev is enabled */
00948     /* if netdev, depend log on log_arrays */
00949     /* log_on_request is TRUE */
00950     if(   !do_log
00951        && (target == T_NETDEV)
00952       )
00953       {
00954         if (rsbac_get_attr(GEN,
00955                            target,
00956                            *tid_p,
00957                            A_log_array_low,
00958                            &i_attr_val,
00959                            FALSE))
00960           {
00961             rsbac_ds_get_error("rsbac_adf_request()", A_log_array_low);
00962           }
00963         else
00964           {
00965             if (rsbac_get_attr(GEN,
00966                                target,
00967                                *tid_p,
00968                                A_log_array_high,
00969                                &i_attr_val2,
00970                                FALSE))
00971               {
00972                 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_high);
00973               }
00974             else
00975               { /* ll = low-bit for request | (high-bit for request as bit 1) */
00976                 /* WARNING: we deal with u64 here, only logical operations and */
00977                 /* shifts work correctly! */
00978                 log_level =   ((i_attr_val.log_array_low   >> request) & 1)
00979                           | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
00980                 if (   log_level == LL_full
00981                     || (   log_level == LL_denied
00982                         && (result == NOT_GRANTED
00983                             || result == UNDEFINED)) )
00984                   {
00985                     do_log = TRUE;
00986                   }
00987                 if(log_level != LL_request)
00988                   log_on_request = FALSE;
00989               }
00990           }
00991       }
00992 #endif /* CONFIG_RSBAC_IND_NETDEV_LOG */
00993 
00994 #ifdef CONFIG_RSBAC_IND_NETOBJ_LOG /* only if individual logging for net objects is enabled */
00995     /* if nettemp, netobj, depend log on log_arrays */
00996     /* (but not for file.device = 0) */
00997     /* log_on_request is TRUE */
00998     if(   !do_log
00999        && (   (target == T_NETTEMP)
01000            || (target == T_NETOBJ)
01001           )
01002       )
01003       {
01004         enum rsbac_attribute_t i_attr1, i_attr2;
01005 
01006         if(target == T_NETOBJ)
01007           {
01008             if(rsbac_net_remote_request(request))
01009               {
01010                 i_attr1 = A_remote_log_array_low;
01011                 i_attr2 = A_remote_log_array_high;
01012               }
01013             else
01014               {
01015                 i_attr1 = A_local_log_array_low;
01016                 i_attr2 = A_local_log_array_high;
01017               }
01018           }
01019         else
01020           {
01021             i_attr1 = A_log_array_low;
01022             i_attr2 = A_log_array_high;
01023           }
01024         if (rsbac_get_attr(GEN,
01025                            target,
01026                            *tid_p,
01027                            i_attr1,
01028                            &i_attr_val,
01029                            FALSE))
01030           {
01031             rsbac_ds_get_error("rsbac_adf_request()", i_attr1);
01032           }
01033         else
01034           {
01035             if (rsbac_get_attr(GEN,
01036                                target,
01037                                *tid_p,
01038                                i_attr2,
01039                                &i_attr_val2,
01040                                FALSE))
01041               {
01042                 rsbac_ds_get_error("rsbac_adf_request()", i_attr2);
01043               }
01044             else
01045               { /* ll = low-bit for request | (high-bit for request as bit 1) */
01046                 /* WARNING: we deal with u64 here, only logical operations and */
01047                 /* shifts work correctly! */
01048                 log_level =   ((i_attr_val.log_array_low   >> request) & 1)
01049                           | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
01050                 if (   log_level == LL_full
01051                     || (   log_level == LL_denied
01052                         && (result == NOT_GRANTED
01053                             || result == UNDEFINED)) )
01054                   {
01055                     do_log = TRUE;
01056                   }
01057                 if(log_level != LL_request)
01058                   log_on_request = FALSE;
01059               }
01060           }
01061       }
01062 #endif /* CONFIG_RSBAC_IND_NETOBJ_LOG */
01063 
01064 log:
01065     /* if enabled, try request based log level */
01066     if (   !do_log
01067         && log_on_request
01068         && (   rsbac_log_levels[request][target] == LL_full
01069             || (   rsbac_log_levels[request][target] == LL_denied
01070                 && (result == NOT_GRANTED
01071                     || result == UNDEFINED)) ) )
01072       do_log = TRUE;
01073 
01074     if(do_log)
01075       {
01076         char * request_name;
01077         char * res_name;
01078         char * res_mods;
01079         char * target_type_name;
01080         char * target_id_name;
01081         char * attr_name;
01082         char * attr_val_name;
01083         char  command[17];
01084         rsbac_pid_t parent_pid = 0;
01085         rsbac_uid_t audit_uid;
01086 #ifdef CONFIG_RSBAC_LOG_PSEUDO
01087         rsbac_pseudo_t  pseudo = 0;
01088 #endif
01089         char * program_path;
01090 
01091         /* Get process audit_uid */
01092         i_tid.process = caller_pid;
01093         if (rsbac_get_attr(GEN,T_PROCESS,i_tid,A_audit_uid,&i_attr_val,FALSE))
01094           {
01095             rsbac_ds_get_error("rsbac_adf_request()", A_audit_uid);
01096             return(NOT_GRANTED);  /* something weird happened */
01097           }
01098         audit_uid = i_attr_val.audit_uid;
01099         if(audit_uid == RSBAC_NO_USER)
01100           audit_uid = owner;
01101 #ifdef CONFIG_RSBAC_LOG_PSEUDO
01102         /* Get owner's logging pseudo */
01103         i_tid.user = audit_uid;
01104         if (rsbac_get_attr(GEN,T_USER,i_tid,A_pseudo,&i_attr_val,FALSE))
01105           {
01106             rsbac_ds_get_error("rsbac_adf_request()", A_pseudo);
01107             return(NOT_GRANTED);  /* something weird happened */
01108           }
01109         /* if pseudo is not registered, return attribute value is 0 (see later) */
01110         pseudo = i_attr_val.pseudo;
01111 #endif
01112 
01113         /* parent pid */
01114         #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01115         if(current->parent)
01116           parent_pid = current->parent->pid;
01117         #else
01118         if(current->p_pptr)
01119           parent_pid = current->p_pptr->pid;
01120         #endif
01121         /* rsbac_kmalloc all memory */
01122         request_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01123         res_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01124         res_mods = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01125         target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01126         #ifdef CONFIG_RSBAC_LOG_FULL_PATH
01127         target_id_name
01128          = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
01129            /* max. path name len + some extra */
01130         #else
01131         target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
01132            /* max. file name len + some extra */
01133         #endif
01134         #ifdef CONFIG_RSBAC_LOG_PROGRAM_FILE
01135         #ifdef CONFIG_RSBAC_LOG_FULL_PATH
01136         program_path
01137          = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
01138            /* max. path name len + some extra */
01139         #else
01140         program_path = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
01141            /* max. file name len + some extra */
01142         #endif
01143         #else
01144         program_path = rsbac_kmalloc(2);
01145         #endif
01146         attr_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01147         attr_val_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01148 
01149         request_name[0] = (char) 0;
01150         target_type_name[0] = (char) 0;
01151         target_id_name[0] = (char) 0;
01152         program_path[0] = (char) 0;
01153         attr_name[0] = (char) 0;
01154         attr_val_name[0] = (char) 0;
01155         res_name[0] = (char) 0;
01156         res_mods[0] = (char) 0;
01157         command[0] = (char) 0;
01158         get_request_name(request_name, request);
01159     #if !defined(CONFIG_RSBAC_MAINT)
01160 /*
01161         if(result == mod_result[SW_NONE])
01162           {
01163             strcat(res_mods, " GEN");
01164           }
01165 */
01166     #if defined(CONFIG_RSBAC_MAC)
01167         if(result == mod_result[MAC])
01168           {
01169             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01170             if(rsbac_ind_softmode[MAC])
01171               strcat(res_mods, " MAC(Softmode)");
01172             else
01173             #endif
01174               strcat(res_mods, " MAC");
01175           }
01176     #endif
01177     #if defined(CONFIG_RSBAC_FC)
01178         if(result == mod_result[FC])
01179           {
01180             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01181             if(rsbac_ind_softmode[FC])
01182               strcat(res_mods, " FC(Softmode)");
01183             else
01184             #endif
01185               strcat(res_mods, " FC");
01186           }
01187     #endif
01188     #if defined(CONFIG_RSBAC_SIM)
01189         if(result == mod_result[SIM])
01190           {
01191             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01192             if(rsbac_ind_softmode[SIM])
01193               strcat(res_mods, " SIM(Softmode)");
01194             else
01195             #endif
01196               strcat(res_mods, " SIM");
01197           }
01198     #endif
01199     #if defined(CONFIG_RSBAC_PM)
01200         if(result == mod_result[PM])
01201           {
01202             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01203             if(rsbac_ind_softmode[PM])
01204               strcat(res_mods, " PM(Softmode)");
01205             else
01206             #endif
01207               strcat(res_mods, " PM");
01208           }
01209     #endif
01210     #if defined(CONFIG_RSBAC_DAZ)
01211         if(result == mod_result[DAZ])
01212           {
01213             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01214             if(rsbac_ind_softmode[DAZ])
01215               strcat(res_mods, " DAZ(Softmode)");
01216             else
01217             #endif
01218               strcat(res_mods, " DAZ");
01219           }
01220     #endif
01221     #ifdef CONFIG_RSBAC_FF
01222         if(result == mod_result[FF])
01223           {
01224             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01225             if(rsbac_ind_softmode[FF])
01226               strcat(res_mods, " FF(Softmode)");
01227             else
01228             #endif
01229               strcat(res_mods, " FF");
01230           }
01231     #endif
01232     #ifdef CONFIG_RSBAC_RC
01233         if(result == mod_result[RC])
01234           {
01235             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01236             if(rsbac_ind_softmode[RC])
01237               strcat(res_mods, " RC(Softmode)");
01238             else
01239             #endif
01240               strcat(res_mods, " RC");
01241           }
01242     #endif
01243     #ifdef CONFIG_RSBAC_AUTH
01244         if(result == mod_result[AUTH])
01245           {
01246             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01247             if(rsbac_ind_softmode[AUTH])
01248               strcat(res_mods, " AUTH(Softmode)");
01249             else
01250             #endif
01251               strcat(res_mods, " AUTH");
01252           }
01253     #endif
01254     #ifdef CONFIG_RSBAC_ACL
01255         if(result == mod_result[ACL])
01256           {
01257             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01258             if(rsbac_ind_softmode[ACL])
01259               strcat(res_mods, " ACL(Softmode)");
01260             else
01261             #endif
01262               strcat(res_mods, " ACL");
01263           }
01264     #endif
01265     #ifdef CONFIG_RSBAC_CAP
01266         if(result == mod_result[CAP])
01267           {
01268             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01269             if(rsbac_ind_softmode[CAP])
01270               strcat(res_mods, " CAP(Softmode)");
01271             else
01272             #endif
01273               strcat(res_mods, " CAP");
01274           }
01275     #endif
01276     #ifdef CONFIG_RSBAC_JAIL
01277         if(result == mod_result[JAIL])
01278           {
01279             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01280             if(rsbac_ind_softmode[JAIL])
01281               strcat(res_mods, " JAIL(Softmode)");
01282             else
01283             #endif
01284               strcat(res_mods, " JAIL");
01285           }
01286     #endif
01287     #ifdef CONFIG_RSBAC_RES
01288         if(result == mod_result[RES])
01289           {
01290             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01291             if(rsbac_ind_softmode[RES])
01292               strcat(res_mods, " RES(Softmode)");
01293             else
01294             #endif
01295               strcat(res_mods, " RES");
01296           }
01297     #endif
01298     #ifdef CONFIG_RSBAC_REG
01299         if(result == mod_result[REG])
01300           {
01301             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01302             if(rsbac_ind_softmode[REG])
01303               strcat(res_mods, " REG(Softmode)");
01304             else
01305             #endif
01306               strcat(res_mods, " REG");
01307           }
01308     #endif
01309     #endif /* !MAINT */
01310         if(!res_mods[0])
01311           strcat(res_mods, " ADF");
01312         #ifdef CONFIG_RSBAC_LOG_PROGRAM_FILE
01313         {
01314           struct mm_struct * mm;
01315           struct vm_area_struct * vma;
01316           struct dentry * dentry_p = NULL;
01317 
01318           mm = current->mm;
01319           if(mm)
01320             {
01321               atomic_inc(&mm->mm_users);
01322               if(!down_read_trylock(&mm->mmap_sem))
01323                 goto down_failed;
01324               vma = mm->mmap;
01325               while (vma)
01326                 {
01327                   if(   (vma->vm_flags & VM_EXECUTABLE)
01328                      && vma->vm_file)
01329                     {
01330                       dentry_p = dget(vma->vm_file->f_dentry);
01331                       break;
01332                     }
01333                   vma = vma->vm_next;
01334                 }
01335               up_read(&mm->mmap_sem);
01336               if(dentry_p)
01337                 {
01338                   char * p = program_path;
01339 
01340                   p += sprintf(program_path, ", prog_file ");
01341                   #ifdef CONFIG_RSBAC_LOG_FULL_PATH
01342                   rsbac_get_full_path(dentry_p, p, CONFIG_RSBAC_MAX_PATH_LEN);
01343                   #else
01344                   int namelen = rsbac_min(dentry_p->d_name.len, RSBAC_MAXNAMELEN);
01345 
01346                   strncpy(p, dentry_p->d_name.name, namelen);
01347                   p[namelen]=0;
01348                   #endif
01349                   dput(dentry_p);
01350                 }
01351 down_failed:
01352               mmput(mm);
01353             }
01354         }
01355         #endif
01356         get_target_name(target_type_name, target, target_id_name, *tid_p);
01357         get_attribute_name(attr_name, attr);
01358         get_attribute_value_name(attr_val_name, attr, attr_val_p);
01359         get_result_name(res_name, result);
01360         if ((current) && (current->comm))
01361           {
01362             strncpy(command,current->comm,16);          
01363             command[16] = (char) 0;
01364           }
01365 
01366 #ifdef CONFIG_RSBAC_RMSG
01367 #ifdef CONFIG_RSBAC_LOG_PSEUDO
01368         /* if pseudo is set, its value is != 0, else -> use id */
01369         if (pseudo)
01370           {
01371     #ifdef CONFIG_RSBAC_SOFTMODE
01372             if(rsbac_softmode)
01373               rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, pseudo %u, target_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n",
01374                            request_name, caller_pid, parent_pid, command, program_path, i_attr_val.pseudo, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01375             else
01376     #endif
01377               rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, pseudo %u, target_type %s, tid %s, attr %s, value %s, result %s by%s\n",
01378                            request_name, caller_pid, parent_pid, command, program_path, i_attr_val.pseudo, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01379           }
01380         else
01381 #endif
01382           {
01383     #ifdef CONFIG_RSBAC_SOFTMODE
01384             if(rsbac_softmode)
01385               rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, audit_uid %u, target_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n",
01386                            request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01387             else
01388     #endif
01389               rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, audit_uid %u, target_type %s, tid %s, attr %s, value %s, result %s by%s\n",
01390                            request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01391           }
01392 #endif
01393 #ifndef CONFIG_RSBAC_RMSG_EXCL
01394         /* only log to standard syslog, if not disabled by kernel boot parameter */
01395 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01396         if (!rsbac_nosyslog)
01397 #endif
01398           {
01399 #ifdef CONFIG_RSBAC_LOG_PSEUDO
01400             /* if pseudo is set, its value is != 0, else -> use id */
01401             if (pseudo)
01402               {
01403     #ifdef CONFIG_RSBAC_SOFTMODE
01404                 if(rsbac_softmode)
01405                   printk(KERN_INFO
01406                          "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, pseudo %u, target_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n",
01407                          request_name, caller_pid, parent_pid, command, program_path, i_attr_val.pseudo, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01408                 else
01409     #endif
01410                   printk(KERN_INFO
01411                          "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, pseudo %u, target_type %s, tid %s, attr %s, value %s, result %s by%s\n",
01412                          request_name, caller_pid, parent_pid, command, program_path, i_attr_val.pseudo, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01413               }
01414             else
01415 #endif
01416               {
01417     #ifdef CONFIG_RSBAC_SOFTMODE
01418                 if(rsbac_softmode)
01419                   printk(KERN_INFO
01420                          "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, audit_uid %u, target_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n",
01421                          request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01422                 else
01423     #endif
01424                   printk(KERN_INFO
01425                          "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, audit_uid %u, target_type %s, tid %s, attr %s, value %s, result %s by%s\n",
01426                          request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01427               }
01428           }
01429 #endif
01430         /* rsbac_kfree all helper mem */
01431         rsbac_kfree(request_name);
01432         rsbac_kfree(res_name);
01433         rsbac_kfree(res_mods);
01434         rsbac_kfree(target_type_name);
01435         rsbac_kfree(target_id_name);
01436         rsbac_kfree(program_path);
01437         rsbac_kfree(attr_name);
01438         rsbac_kfree(attr_val_name);
01439       }
01440 
01441 /* UNDEFINED must never be returned -> change result */
01442     if(result == UNDEFINED)
01443       result = NOT_GRANTED;
01444 
01445 /* count */
01446     rsbac_adf_request_count[target]++;
01447 #ifdef CONFIG_RSBAC_XSTATS
01448     rsbac_adf_request_xcount[target][request]++;
01449 #endif
01450 
01451 /* return result */
01452     #ifdef CONFIG_RSBAC_SOFTMODE
01453     if(rsbac_softmode && !rsbac_internal)
01454       return DO_NOT_CARE;
01455     else
01456     #endif
01457     #ifdef CONFIG_RSBAC_SOFTMODE_IND
01458       return ret_result;
01459     #else
01460       return result; /* change for debugging! */
01461     #endif
01462   }; /* end of rsbac_adf_request_int() */
01463 
01464 
01465 /*********************************************************************/
01466 /* rsbac_adf_request()                                               */
01467 /* This function is the main decision function, called from the AEF. */
01468 /* It is a simple wrapper to the internal function, setting          */
01469 /* ignore_module to SW_NONE.                                         */
01470 
01471 EXPORT_SYMBOL(rsbac_adf_request);
01472 enum rsbac_adf_req_ret_t
01473    rsbac_adf_request( enum  rsbac_adf_request_t     request,
01474                             rsbac_pid_t             caller_pid,
01475                       enum  rsbac_target_t          target,
01476                       union rsbac_target_id_t       tid,
01477                       enum  rsbac_attribute_t       attr,
01478                       union rsbac_attribute_value_t attr_val)
01479   {
01480     return(rsbac_adf_request_int(request,
01481                                  caller_pid,
01482                                  target,
01483                                  &tid,
01484                                  attr,
01485                                  &attr_val,
01486                                  SW_NONE));
01487   }
01488 
01489 /*****************************************************************************/
01490 /* If the request returned granted and the operation is performed,           */
01491 /* the following function is called by the AEF to get all aci set correctly. */
01492 /* The second instance of target specification is the new target, if one has */
01493 /* been created, otherwise its values are ignored.                           */
01494 /* It returns 0 on success and an error from error.h otherwise.              */
01495 
01496 EXPORT_SYMBOL(rsbac_adf_set_attr);
01497 int  rsbac_adf_set_attr(
01498                       enum  rsbac_adf_request_t     request,
01499                             rsbac_pid_t             caller_pid,
01500                       enum  rsbac_target_t          target,
01501                       union rsbac_target_id_t       tid,
01502                       enum  rsbac_target_t          new_target,
01503                       union rsbac_target_id_t       new_tid,
01504                       enum  rsbac_attribute_t       attr,
01505                       union rsbac_attribute_value_t attr_val)
01506   {
01507     union rsbac_target_id_t i_tid;
01508     rsbac_uid_t owner;
01509     int   error = 0;
01510     rsbac_boolean_t do_log = FALSE;
01511     rsbac_boolean_t log_on_request = TRUE;
01512     union rsbac_attribute_value_t i_attr_val;
01513 #ifdef CONFIG_RSBAC_IND_LOG
01514     union rsbac_attribute_value_t i_attr_val2;
01515     enum rsbac_log_level_t log_level;
01516 #endif
01517 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
01518     struct super_block * sb_p;
01519 #endif
01520 
01521 /* No attribute setting possible before init (called at boot time) */
01522 
01523    if (!rsbac_is_initialized())
01524       return(0);
01525 
01526 /* kernel (pid 0) is ignored */
01527     if (   !caller_pid
01528         #if defined(CONFIG_RSBAC_LOG_REMOTE)
01529         || (caller_pid == rsbaclogd_pid)
01530         #endif
01531        )
01532       return(0);
01533 
01534 /* Checking base values */
01535     if(   request >= R_NONE
01536        || target > T_NONE
01537        || new_target > T_NONE
01538        || attr > A_none)
01539       {
01540 #ifdef CONFIG_RSBAC_RMSG
01541         rsbac_printk(KERN_WARNING
01542                "rsbac_adf_set_attr(): called with invalid request, target or attribute\n");
01543 #endif
01544 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01545         if (!rsbac_nosyslog)
01546 #endif
01547         printk(KERN_WARNING
01548                "rsbac_adf_set_attr(): called with invalid request, target or attribute\n");
01549         return(-RSBAC_EINVALIDVALUE);
01550       }
01551 
01552 /* Getting basic information about this adf_set_attr-call */
01553 
01554     owner = RSBAC_NO_USER;
01555     /* only useful for real process, not idle or init */
01556     if (caller_pid > 1)
01557       {
01558         error = rsbac_get_owner(&owner);
01559         if(error)
01560           {
01561 #ifdef CONFIG_RSBAC_RMSG
01562             rsbac_printk(KERN_DEBUG
01563                    "rsbac_adf_set_attr(): caller_pid %i, RSBAC not initialized, returning 0",
01564                    caller_pid);
01565 #endif
01566 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01567             if (!rsbac_nosyslog)
01568 #endif
01569             printk(KERN_DEBUG
01570                    "rsbac_adf_set_attr(): caller_pid %i, RSBAC not initialized, returning 0",
01571                    caller_pid);
01572             return(0);      /* Startup-Sequence (see above) */
01573           }
01574       }
01575     else /* caller_pid = 1  -> init -> owner = root */
01576       owner = 0;
01577 
01578 /*************************************************/
01579 /* General work for all modules - before modules */
01580 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
01581     if (   (   (target == T_FILE)
01582             || (target == T_DIR)
01583             || (target == T_FIFO)
01584             || (target == T_SYMLINK)
01585            )
01586         && ((sb_p = rsbac_get_super_block(tid.file.device)))
01587         && (   (sb_p->s_magic == NFS_SUPER_MAGIC)
01588             || (sb_p->s_magic == CODA_SUPER_MAGIC)
01589             || (sb_p->s_magic == NCP_SUPER_MAGIC)
01590             || (sb_p->s_magic == SMB_SUPER_MAGIC)
01591            )
01592        )
01593       {
01594         error = 0;
01595         goto log;
01596       }
01597 #endif
01598 
01599 /**********************************************************/
01600 /* calling all decision modules, building a common result */
01601 
01602 
01603 #ifdef CONFIG_RSBAC_DEBUG
01604 /* first, check for valid request/target combination      */
01605 error |= rsbac_adf_set_attr_check(request,
01606                                   caller_pid,
01607                                   target,
01608                                   tid,
01609                                   new_target,
01610                                   new_tid,
01611                                   attr,
01612                                   attr_val,
01613                                   owner);
01614 if(error)
01615   goto general_work;
01616 #endif
01617 
01618 #if !defined(CONFIG_RSBAC_MAINT)
01619 /******* MAC ********/
01620 #if defined(CONFIG_RSBAC_MAC)
01621 #ifdef CONFIG_RSBAC_SWITCH
01622 if (rsbac_switch_mac)
01623 #endif
01624   error |= rsbac_adf_set_attr_mac(request,
01625                                   caller_pid,
01626                                   target,
01627                                   tid,
01628                                   new_target,
01629                                   new_tid,
01630                                   attr,
01631                                   attr_val,
01632                                   owner);
01633 #endif  /* MAC */
01634 
01635 /******* FC ********/
01636 #ifdef CONFIG_RSBAC_FC
01637 #ifdef CONFIG_RSBAC_SWITCH
01638 if (rsbac_switch_fc)
01639 #endif
01640   error |= rsbac_adf_set_attr_fc (request,
01641                                   caller_pid,
01642                                   target,
01643                                   tid,
01644                                   new_target,
01645                                   new_tid,
01646                                   attr,
01647                                   attr_val,
01648                                   owner);
01649 #endif  /* FC */
01650 
01651 /******* SIM ********/
01652 #ifdef CONFIG_RSBAC_SIM
01653 #ifdef CONFIG_RSBAC_SWITCH
01654 if (rsbac_switch_sim)
01655 #endif
01656   error |= rsbac_adf_set_attr_sim(request,
01657                                   caller_pid,
01658                                   target,
01659                                   tid,
01660                                   new_target,
01661                                   new_tid,
01662                                   attr,
01663                                   attr_val,
01664                                   owner);
01665 #endif  /* SIM */
01666 
01667 /******* PM ********/
01668 #ifdef CONFIG_RSBAC_PM
01669 #ifdef CONFIG_RSBAC_SWITCH
01670 if (rsbac_switch_pm)
01671 #endif
01672   error |= rsbac_adf_set_attr_pm (request,
01673                                   caller_pid,
01674                                   target,
01675                                   tid,
01676                                   new_target,
01677                                   new_tid,
01678                                   attr,
01679                                   attr_val,
01680                                   owner);
01681 #endif  /* PM */
01682 
01683 /******* DAZ ********/
01684 #ifdef CONFIG_RSBAC_DAZ
01685 #ifdef CONFIG_RSBAC_SWITCH
01686 if (rsbac_switch_daz)
01687 #endif
01688   error |= rsbac_adf_set_attr_daz (request,
01689                                   caller_pid,
01690                                   target,
01691                                   tid,
01692                                   new_target,
01693                                   new_tid,
01694                                   attr,
01695                                   attr_val,
01696                                   owner);
01697 #endif  /* DAZ */
01698 
01699 /******* FF ********/
01700 #if 0 /* Nothing to do in there */
01701 #ifdef CONFIG_RSBAC_FF
01702 #ifdef CONFIG_RSBAC_SWITCH
01703 if (rsbac_switch_ff)
01704 #endif
01705   error |= rsbac_adf_set_attr_ff (request,
01706                                   caller_pid,
01707                                   target,
01708                                   tid,
01709                                   new_target,
01710                                   new_tid,
01711                                   attr,
01712                                   attr_val,
01713                                   owner);
01714 #endif  /* FF */
01715 #endif /* 0 */
01716 
01717 /******* RC ********/
01718 #ifdef CONFIG_RSBAC_RC
01719 #ifdef CONFIG_RSBAC_SWITCH
01720 if (rsbac_switch_rc)
01721 #endif
01722   error |= rsbac_adf_set_attr_rc (request,
01723                                   caller_pid,
01724                                   target,
01725                                   tid,
01726                                   new_target,
01727                                   new_tid,
01728                                   attr,
01729                                   attr_val,
01730                                   owner);
01731 #endif  /* RC */
01732 
01733 /****** AUTH *******/
01734 #ifdef CONFIG_RSBAC_AUTH
01735 #ifdef CONFIG_RSBAC_SWITCH
01736 if (rsbac_switch_auth)
01737 #endif
01738   error |= rsbac_adf_set_attr_auth(request,
01739                                    caller_pid,
01740                                    target,
01741                                    tid,
01742                                    new_target,
01743                                    new_tid,
01744                                    attr,
01745                                    attr_val,
01746                                    owner);
01747 #endif  /* AUTH */
01748 
01749 /****** ACL *******/
01750 #ifdef CONFIG_RSBAC_ACL
01751 #ifdef CONFIG_RSBAC_SWITCH
01752 if (rsbac_switch_acl)
01753 #endif
01754   error |= rsbac_adf_set_attr_acl (request,
01755                                    caller_pid,
01756                                    target,
01757                                    tid,
01758                                    new_target,
01759                                    new_tid,
01760                                    attr,
01761                                    attr_val,
01762                                    owner);
01763 #endif  /* ACL */
01764 
01765 /****** CAP *******/
01766 #ifdef CONFIG_RSBAC_CAP
01767 #ifdef CONFIG_RSBAC_SWITCH
01768 if (rsbac_switch_cap)
01769 #endif
01770   error |= rsbac_adf_set_attr_cap (request,
01771                                    caller_pid,
01772                                    target,
01773                                    tid,
01774                                    new_target,
01775                                    new_tid,
01776                                    attr,
01777                                    attr_val,
01778                                    owner);
01779 #endif  /* CAP */
01780 
01781 /****** JAIL *******/
01782 #ifdef CONFIG_RSBAC_JAIL
01783 #ifdef CONFIG_RSBAC_SWITCH
01784 if (rsbac_switch_jail)
01785 #endif
01786   error |= rsbac_adf_set_attr_jail(request,
01787                                    caller_pid,
01788                                    target,
01789                                    tid,
01790                                    new_target,
01791                                    new_tid,
01792                                    attr,
01793                                    attr_val,
01794                                    owner);
01795 #endif  /* JAIL */
01796 
01797 /******* PAX ********/
01798 #ifdef CONFIG_RSBAC_PAX
01799 #ifdef CONFIG_RSBAC_SWITCH
01800 if (rsbac_switch_pax)
01801 #endif
01802   error |= rsbac_adf_set_attr_pax (request,
01803                                   caller_pid,
01804                                   target,
01805                                   tid,
01806                                   new_target,
01807                                   new_tid,
01808                                   attr,
01809                                   attr_val,
01810                                   owner);
01811 #endif  /* PAX */
01812 
01813 /****** RES *******/
01814 #ifdef CONFIG_RSBAC_RES
01815 #ifdef CONFIG_RSBAC_SWITCH
01816 if (rsbac_switch_res)
01817 #endif
01818   error |= rsbac_adf_set_attr_res (request,
01819                                    caller_pid,
01820                                    target,
01821                                    tid,
01822                                    new_target,
01823                                    new_tid,
01824                                    attr,
01825                                    attr_val,
01826                                    owner);
01827 #endif  /* RES */
01828 
01829 /****** REG *******/
01830 #ifdef CONFIG_RSBAC_REG
01831   error |= rsbac_adf_set_attr_reg (request,
01832                                    caller_pid,
01833                                    target,
01834                                    tid,
01835                                    new_target,
01836                                    new_tid,
01837                                    attr,
01838                                    attr_val,
01839                                    owner);
01840 #endif  /* REG */
01841 #endif /* !MAINT */
01842 
01843 /* General work for all modules (after set_attr call) */
01844 #ifdef CONFIG_RSBAC_DEBUG
01845 general_work:
01846 #endif
01847     switch(request)
01848       {
01849         /* remove deleted item from rsbac data */
01850         case R_DELETE :
01851             switch (target)
01852               {
01853                 case T_FILE:
01854                 case T_FIFO:
01855                 case T_SYMLINK:
01856                   /* Only remove file/fifo target on deletion of last link */
01857                   if (   (attr == A_nlink)
01858                       && (attr_val.nlink > 1)
01859                      )
01860                      break;
01861                   /* fall through */
01862                 case T_DIR:
01863                   rsbac_remove_target(target,tid);
01864                   break;
01865                 case T_IPC:
01866                   /* shm removal delayed and removed directly, when destroyed */
01867                   if(tid.ipc.type != I_shm)
01868                     rsbac_remove_target(target,tid);
01869                   break;
01870                 default:
01871                   break;
01872               }
01873             break;
01874 
01875         case R_CLONE:
01876             switch (target)
01877               {
01878                 case T_PROCESS:
01879                   #if defined(CONFIG_RSBAC_IND_PROG_LOG)
01880                   /* get program based log from old process */
01881                   if (rsbac_get_attr(GEN,
01882                                      target,
01883                                      tid,
01884                                      A_log_program_based,
01885                                      &i_attr_val,
01886                                      FALSE))
01887                     {
01888                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
01889                     }
01890                   else
01891                     { /* only set, of not default value 0 */
01892                       if(i_attr_val.log_program_based)
01893                         {
01894                           /* set program based log for new process */
01895                           if (rsbac_set_attr(GEN, new_target,
01896                                              new_tid,
01897                                              A_log_program_based,
01898                                              i_attr_val))
01899                             {
01900                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_log_program_based);
01901                             }
01902                         }
01903                     }
01904                   #endif
01905                   #if defined(CONFIG_RSBAC_FAKE_ROOT_UID)
01906                   /* get fake_root_uid from old process */
01907                   if (rsbac_get_attr(GEN,
01908                                      target,
01909                                      tid,
01910                                      A_fake_root_uid,
01911                                      &i_attr_val,
01912                                      FALSE))
01913                     {
01914                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_fake_root_uid);
01915                     }
01916                   else
01917                     { /* only set, of not default value 0 */
01918                       if(i_attr_val.fake_root_uid)
01919                         {
01920                           /* set program based log for new process */
01921                           if (rsbac_set_attr(GEN, new_target,
01922                                              new_tid,
01923                                              A_fake_root_uid,
01924                                              i_attr_val))
01925                             {
01926                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid);
01927                             }
01928                         }
01929                     }
01930                   #endif
01931                   /* get audit_uid from old process */
01932                   if (rsbac_get_attr(GEN,
01933                                      target,
01934                                      tid,
01935                                      A_audit_uid,
01936                                      &i_attr_val,
01937                                      FALSE))
01938                     {
01939                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_audit_uid);
01940                     }
01941                   else
01942                     { /* only set, of not default value NO_USER */
01943                       if(i_attr_val.audit_uid != RSBAC_NO_USER)
01944                         {
01945                           /* set audit uid for new process */
01946                           if (rsbac_set_attr(GEN,
01947                                              new_target,
01948                                              new_tid,
01949                                              A_audit_uid,
01950                                              i_attr_val))
01951                             {
01952                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_audit_uid);
01953                             }
01954                         }
01955                     }
01956                   /* get auid_exempt from old process */
01957                   if (rsbac_get_attr(GEN,
01958                                      target,
01959                                      tid,
01960                                      A_auid_exempt,
01961                                      &i_attr_val,
01962                                      FALSE))
01963                     {
01964                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_auid_exempt);
01965                     }
01966                   else
01967                     { /* only set, of not default value NO_USER */
01968                       if(i_attr_val.auid_exempt != RSBAC_NO_USER)
01969                         {
01970                           /* set program based log for new process */
01971                           if (rsbac_set_attr(GEN,
01972                                              new_target,
01973                                              new_tid,
01974                                              A_auid_exempt,
01975                                              i_attr_val))
01976                             {
01977                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_auid_exempt);
01978                             }
01979                         }
01980                     }
01981                   break;
01982 
01983                 default:
01984                   break;
01985               }
01986             break;
01987 
01988 #ifdef CONFIG_RSBAC_NET_OBJ
01989         case R_CLOSE:
01990             switch (target)
01991               {
01992                 case T_NETOBJ:
01993                   rsbac_remove_target(target,tid);
01994                   break;
01995 
01996                 default:
01997                   break;
01998               }
01999             break;
02000 #endif /* CONFIG_RSBAC_NET_OBJ */
02001 
02002         case R_EXECUTE :
02003             switch (target)
02004               {
02005                 case T_FILE:
02006                   #if defined(CONFIG_RSBAC_IND_PROG_LOG)
02007                   /* get program based log from file */
02008                   if (rsbac_get_attr(GEN,
02009                                      target,
02010                                      tid,
02011                                      A_log_program_based,
02012                                      &i_attr_val,
02013                                      FALSE))
02014                     {
02015                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
02016                     }
02017                   else
02018                     {
02019                       /* set program based log for process */
02020                       i_tid.process = caller_pid;
02021                       if (rsbac_set_attr(GEN, T_PROCESS,
02022                                          i_tid,
02023                                          A_log_program_based,
02024                                          i_attr_val))
02025                         {
02026                           rsbac_ds_set_error("rsbac_adf_set_attr()", A_log_program_based);
02027                         }
02028                     }
02029                   #endif
02030                   #if defined(CONFIG_RSBAC_FAKE_ROOT_UID)
02031                   /* get fake_root_uid from file */
02032                   if (rsbac_get_attr(GEN,
02033                                      target,
02034                                      tid,
02035                                      A_fake_root_uid,
02036                                      &i_attr_val,
02037                                      FALSE))
02038                     {
02039                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_fake_root_uid);
02040                     }
02041                   else
02042                     {
02043                       /* set fake_root_uid for process */
02044                       if(i_attr_val.fake_root_uid)
02045                         {
02046                           i_tid.process = caller_pid;
02047                           if (rsbac_set_attr(GEN, T_PROCESS,
02048                                              i_tid,
02049                                              A_fake_root_uid,
02050                                              i_attr_val))
02051                             {
02052                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid);
02053                             }
02054                         }
02055                     }
02056                   #endif
02057                   /* get auid_exempt from file */
02058                   if (rsbac_get_attr(GEN,
02059                                      target,
02060                                      tid,
02061                                      A_auid_exempt,
02062                                      &i_attr_val,
02063                                      FALSE))
02064                     {
02065                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_auid_exempt);
02066                     }
02067                   else
02068                     {
02069                       if(i_attr_val.auid_exempt != RSBAC_NO_USER)
02070                         {
02071                           /* set auid_exempt for process */
02072                           i_tid.process = caller_pid;
02073                           if (rsbac_set_attr(GEN, T_PROCESS,
02074                                              i_tid,
02075                                              A_auid_exempt,
02076                                              i_attr_val))
02077                             {
02078                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_auid_exempt);
02079                             }
02080                         }
02081                     }
02082                   break;
02083 
02084                 default:
02085                   break;
02086               }
02087             break;
02088 
02089         default:
02090             break;
02091       }
02092 
02093 #if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET)
02094     if(    rsbac_debug_adf_net
02095        && (   (target == T_NETDEV)
02096            || (target == T_NETTEMP)
02097            || (target == T_NETOBJ)
02098           )
02099       )
02100       do_log = TRUE;
02101 #endif
02102 
02103 /* log based on process owner */
02104 #ifdef CONFIG_RSBAC_IND_USER_LOG
02105     i_tid.user = owner;
02106     if (rsbac_get_attr(GEN,
02107                        T_USER,
02108                        i_tid,
02109                        A_log_user_based,
02110                        &i_attr_val,
02111                        FALSE))
02112       {
02113         rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_user_based);
02114       }
02115     else
02116       {
02117         if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_user_based) 
02118           do_log = TRUE;
02119       }
02120 #endif /* CONFIG_RSBAC_IND_USER_LOG */
02121 
02122 /* log based on program */
02123 #ifdef CONFIG_RSBAC_IND_PROG_LOG
02124     if(!do_log)
02125       {
02126         i_tid.process = caller_pid;
02127         if (rsbac_get_attr(GEN,
02128                            T_PROCESS,
02129                            i_tid,
02130                            A_log_program_based,
02131                            &i_attr_val,
02132                            FALSE))
02133           {
02134             rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
02135           }
02136         else
02137           {
02138             if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_program_based) 
02139               do_log = TRUE;
02140           }
02141       }
02142 #endif /* CONFIG_RSBAC_IND_PROG_LOG */
02143 
02144 
02145 /* logging request on info level, if requested by file/dir/dev attributes */
02146 /* log_array_low/high, or, if that is requested, if enabled for this request */
02147 /* type (attributes state level, or that request based level is to be taken) */
02148 /* loglevel 2: log everything */
02149 /* loglevel 1: log, if denied */
02150 /* loglevel 0: log nothing */
02151 
02152 #ifdef CONFIG_RSBAC_IND_LOG /* only if individual logging is enabled */
02153     /* if file/dir/dev, depend log on log_arrays */
02154     /* (but not for file.device = 0) */
02155     /* log_on_request is TRUE */
02156     if(!do_log)
02157       {
02158         if(   (   (   (target == T_FILE)
02159                    || (target == T_DIR)
02160                    || (target == T_FIFO)
02161                    || (target == T_SYMLINK)
02162                   )
02163                && RSBAC_MAJOR(tid.file.device)
02164                && RSBAC_MINOR(tid.file.device)
02165               )
02166            || (target == T_DEV)
02167           )
02168           {
02169             if (rsbac_get_attr(GEN,
02170                                target,
02171                                tid,
02172                                A_log_array_low,
02173                                &i_attr_val,
02174                                FALSE))
02175               {
02176                 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_array_low);
02177               }
02178             else
02179               {
02180                 if (rsbac_get_attr(GEN,
02181                                    target,
02182                                    tid,
02183                                    A_log_array_high,
02184                                    &i_attr_val2,
02185                                    FALSE))
02186                   {
02187                     rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_array_high);
02188                   }
02189                 else
02190                   { /* ll = low-bit for request | (high-bit for request as bit 1) */
02191                     log_level =   ((i_attr_val.log_array_low   >> request) & 1)
02192                               | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
02193                     if (   log_level == LL_full
02194                         || (   log_level == LL_denied
02195                             && error) )
02196                       {
02197                         do_log = TRUE;
02198                       }
02199                     if(log_level != LL_request)
02200                       log_on_request = FALSE;
02201                   }
02202               }
02203           }
02204       }
02205 #endif /* CONFIG_RSBAC_IND_LOG */
02206 
02207 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
02208 log:
02209 #endif
02210     /* if enabled, try request based log level */
02211     if (log_on_request
02212         && (   rsbac_log_levels[request][target] == LL_full
02213             || (   rsbac_log_levels[request][target] == LL_denied
02214                 && error) ) )
02215       do_log = TRUE;
02216 
02217     if(do_log)
02218       {
02219         char * request_name;
02220         char * target_type_name;
02221         char * new_target_type_name;
02222         char * target_id_name;
02223         char * new_target_id_name;
02224         char * attr_name;
02225 
02226         /* rsbac_kmalloc all memory */
02227         request_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
02228         target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
02229         new_target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
02230         #ifdef CONFIG_RSBAC_LOG_FULL_PATH
02231         target_id_name
02232          = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
02233         new_target_id_name
02234          = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
02235            /* max. path name len + some extra */
02236         #else
02237         target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
02238         new_target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
02239            /* max. file name len + some extra */
02240         #endif
02241         attr_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
02242 
02243         /* Getting basic information about this request */
02244         request_name[0] = (char) 0;
02245         target_type_name[0] = (char) 0;
02246         target_id_name[0] = (char) 0;
02247         new_target_type_name[0] = (char) 0;
02248         new_target_id_name[0] = (char) 0;
02249         attr_name[0] = (char) 0;
02250         get_request_name(request_name, request);
02251         get_target_name(target_type_name, target, target_id_name, tid);
02252         get_target_name(new_target_type_name, new_target,
02253                         new_target_id_name, new_tid);
02254         get_attribute_name(attr_name, attr);
02255 
02256 #ifdef CONFIG_RSBAC_RMSG
02257         /* Logging without pseudo or user id, see previous request log */
02258         rsbac_printk(KERN_INFO
02259                  "rsbac_adf_set_attr(): request %s, pid %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n",
02260                    request_name, (u_int) caller_pid, target_type_name, target_id_name,
02261                    new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error);
02262 #endif
02263 #ifndef CONFIG_RSBAC_RMSG_EXCL
02264         /* Logging without pseudo or user id, see previous request log */
02265 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02266         if (!rsbac_nosyslog)
02267 #endif
02268           printk(KERN_INFO
02269                  "rsbac_adf_set_attr(): request %s, pid %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n",
02270                  request_name, (u_int) caller_pid, target_type_name, target_id_name,
02271                  new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error);
02272 #endif
02273         /* rsbac_kfree all helper mem */
02274         rsbac_kfree(request_name);
02275         rsbac_kfree(target_type_name);
02276         rsbac_kfree(new_target_type_name);
02277         rsbac_kfree(target_id_name);
02278         rsbac_kfree(new_target_id_name);
02279         rsbac_kfree(attr_name);
02280       }
02281 
02282 /* count */
02283     rsbac_adf_set_attr_count[target]++;
02284 #ifdef CONFIG_RSBAC_XSTATS
02285     rsbac_adf_set_attr_xcount[target][request]++;
02286 #endif
02287 
02288     return(error);
02289   }; /* end of rsbac_adf_set_attr() */
02290 
02291 
02292 /****************
02293  *
02294  * Secure Delete
02295  *
02296  ****************/
02297 
02298 #ifdef CONFIG_RSBAC_SECDEL
02299 
02300 /* open_by_dentry */
02301 /* This is done by hand (copy from rsbac_read_open), because system calls */
02302 /* are currently blocked by rsbac */
02303 
02304 static int open_by_dentry(struct dentry * file_dentry_p, struct file * file_p)
02305   {
02306     int tmperr;
02307 
02308     if ( !(S_ISREG(file_dentry_p->d_inode->i_mode)) )
02309       { /* this is not a file! -> error! */
02310 #ifdef CONFIG_RSBAC_RMSG
02311         rsbac_printk(KERN_WARNING
02312                "open_by_dentry(): expected file is not a file!\n");
02313 #endif
02314 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02315         if (!rsbac_nosyslog)
02316 #endif
02317         printk(KERN_WARNING
02318                "open_by_dentry(): expected file is not a file!\n");
02319         return (-RSBAC_EWRITEFAILED);
02320       }
02321     /* Now we fill the file structure, and */
02322     /* if there is an open func, use it, otherwise ignore */
02323     if ((tmperr = init_private_file(file_p, file_dentry_p, O_WRONLY | O_SYNC)))
02324       {
02325 #ifdef CONFIG_RSBAC_RMSG
02326         rsbac_printk(KERN_WARNING
02327                "open_by_dentry(): could not open file!\n");
02328 #endif
02329 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02330         if (!rsbac_nosyslog)
02331 #endif
02332         printk(KERN_WARNING
02333                "open_by_dentry(): could not open file!\n");
02334         return (-RSBAC_EWRITEFAILED);
02335       }
02336     /* Without a write function we get into troubles -> error */
02337     if ((!file_p->f_op) || (!file_p->f_op->write))
02338       {
02339 #ifdef CONFIG_RSBAC_RMSG
02340         rsbac_printk(KERN_WARNING
02341                "open_by_dentry(): file write function missing!\n");
02342 #endif
02343 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02344         if (!rsbac_nosyslog)
02345 #endif
02346         printk(KERN_WARNING
02347                "open_by_dentry(): file write function missing!\n");
02348         if (file_p->f_op && file_p->f_op->release)
02349           file_p->f_op->release(file_dentry_p->d_inode,file_p);
02350         return(-RSBAC_EWRITEFAILED);
02351       }
02352     /* trying to get write access                                   */
02353 /*
02354     if (get_write_access(file_dentry_p->d_inode))
02355       {
02356 #ifdef CONFIG_RSBAC_RMSG
02357         rsbac_printk(KERN_WARNING
02358                "rsbac_write_open(): could not get write access!\n");
02359 #endif
02360 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02361         if (!rsbac_nosyslog)
02362 #endif
02363         printk(KERN_WARNING
02364                "rsbac_write_open(): could not get write access!\n");
02365         if (file_p->f_op->release)
02366           file_p->f_op->release(file_dentry_p->d_inode,file_p);
02367         return(-RSBAC_EWRITEFAILED);
02368       }
02369 */
02370     return 0;
02371   }
02372 
02373 /*
02374  **********************
02375  * Secure File Truncation
02376  */
02377 rsbac_boolean_t writable(struct super_block * sb_p);
02378 
02379 static int do_rsbac_sec_trunc(struct dentry * dentry_p,
02380                               loff_t new_len,
02381                               loff_t old_len,
02382                               rsbac_boolean_t need_lock)
02383   {
02384 #if defined(CONFIG_RSBAC_MAINT)
02385     return 0;
02386 #else
02387     int                           err = 0;
02388     rsbac_boolean_t                       need_overwrite = FALSE;
02389 
02390     if (!rsbac_is_initialized())
02391       return 0;
02392     /* security checks */
02393     if(   !dentry_p
02394        || !dentry_p->d_inode)
02395       return -RSBAC_EINVALIDPOINTER;
02396     if(!S_ISREG(dentry_p->d_inode->i_mode))
02397       return -RSBAC_EINVALIDTARGET;
02398     if(new_len >= old_len)
02399       return 0;
02400 
02401     if(dentry_p->d_inode && !writable(dentry_p->d_inode->i_sb))
02402       {
02403 #ifdef CONFIG_RSBAC_DEBUG
02404         if(rsbac_debug_write)
02405           {
02406 #ifdef CONFIG_RSBAC_RMSG
02407             rsbac_printk(KERN_DEBUG
02408                    "do_rsbac_sec_trunc(): ignoring file %lu on network device %02u:%02u!\n",
02409                    dentry_p->d_inode->i_ino,
02410                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02411                    MINOR(dentry_p->d_inode->i_sb->s_dev));
02412 #endif
02413 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02414             if (!rsbac_nosyslog)
02415 #endif
02416             printk(KERN_DEBUG
02417                    "do_rsbac_sec_trunc(): ignoring file %lu on network device %02u:%02u!\n",
02418                    dentry_p->d_inode->i_ino,
02419                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02420                    MINOR(dentry_p->d_inode->i_sb->s_dev));
02421           }
02422 #endif
02423         return 0;
02424       }
02425 
02426     /******* PM ********/
02427     #ifdef CONFIG_RSBAC_PM
02428     #ifdef CONFIG_RSBAC_SWITCH
02429     if (rsbac_switch_pm)
02430     #endif
02431       /* no need to call module, if already need_overwrite */
02432       if(!need_overwrite)
02433         need_overwrite = rsbac_need_overwrite_pm(dentry_p);
02434     #endif  /* PM */
02435 
02436     /******* FF ********/
02437     #ifdef CONFIG_RSBAC_FF
02438     #ifdef CONFIG_RSBAC_SWITCH
02439     if (rsbac_switch_ff)
02440     #endif
02441       /* no need to call module, if already need_overwrite */
02442       if(!need_overwrite)
02443         need_overwrite = rsbac_need_overwrite_ff(dentry_p);
02444     #endif  /* FF */
02445 
02446     /******* RC ********/
02447     #ifdef CONFIG_RSBAC_RC
02448     #ifdef CONFIG_RSBAC_SWITCH
02449     if (rsbac_switch_rc)
02450     #endif
02451       /* no need to call module, if already need_overwrite */
02452       if(!need_overwrite)
02453         need_overwrite = rsbac_need_overwrite_rc(dentry_p);
02454     #endif  /* RC */
02455 
02456     /****** RES *******/
02457     #ifdef CONFIG_RSBAC_RES
02458     #ifdef CONFIG_RSBAC_SWITCH
02459     if (rsbac_switch_res)
02460     #endif
02461       /* no need to call module, if already need_overwrite */
02462       if(!need_overwrite)
02463         need_overwrite = rsbac_need_overwrite_res(dentry_p);
02464     #endif  /* RES */
02465 
02466     /****** REG *******/
02467     #ifdef CONFIG_RSBAC_REG
02468     if(!need_overwrite)
02469       need_overwrite = rsbac_need_overwrite_reg(dentry_p);
02470     #endif  /* REG */
02471 
02472     if(need_overwrite)
02473       {
02474         char            * buffer;
02475         rsbac_boolean_t   vmalloc_used;
02476         struct file       file;
02477         int               tmperr = 0;
02478         int               len;
02479         mm_segment_t      oldfs;
02480 
02481         buffer = rsbac_vkmalloc(RSBAC_SEC_DEL_CHUNK_SIZE, &vmalloc_used);
02482         if(!buffer)
02483           return -RSBAC_ENOMEM;
02484 
02485 #ifdef CONFIG_RSBAC_DEBUG
02486         if(rsbac_debug_write)
02487           {
02488 #ifdef CONFIG_RSBAC_RMSG
02489             rsbac_printk(KERN_DEBUG
02490                    "rsbac_sec_trunc(): zeroing of file %lu on device %02u:%02u from byte %lu to %lu!\n",
02491                    dentry_p->d_inode->i_ino,
02492                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02493                    MINOR(dentry_p->d_inode->i_sb->s_dev),
02494                    (u_long) new_len,
02495                    (u_long) old_len-1);
02496 #endif
02497 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02498             if (!rsbac_nosyslog)
02499 #endif
02500             printk(KERN_DEBUG
02501                    "rsbac_sec_trunc(): zeroing of file %lu on device %02u:%02u from byte %lu to %lu!\n",
02502                    dentry_p->d_inode->i_ino,
02503                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02504                    MINOR(dentry_p->d_inode->i_sb->s_dev),
02505                    (u_long) new_len,
02506                    (u_long) old_len-1);
02507           }
02508 #endif
02509         /* open */
02510         err = open_by_dentry(dentry_p, &file);
02511         if(err)
02512           {
02513             rsbac_vkfree(buffer, vmalloc_used);
02514             return(err);
02515           }
02516 
02517 #ifdef CONFIG_RSBAC_DEBUG
02518         if(rsbac_debug_write)
02519           {
02520 #ifdef CONFIG_RSBAC_RMSG
02521             rsbac_printk(KERN_DEBUG
02522                    "rsbac_sec_trunc(): file %lu on device %02u:%02u is open, seeking to %lu!\n",
02523                    dentry_p->d_inode->i_ino,
02524                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02525                    MINOR(dentry_p->d_inode->i_sb->s_dev),
02526                    (u_long) new_len);
02527 #endif
02528 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02529             if (!rsbac_nosyslog)
02530 #endif
02531             printk(KERN_DEBUG
02532                    "rsbac_sec_trunc(): file %lu on device %02u:%02u is open, seeking to %lu!\n",
02533                    dentry_p->d_inode->i_ino,
02534                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02535                    MINOR(dentry_p->d_inode->i_sb->s_dev),
02536                    (u_long) new_len);
02537           }
02538 #endif
02539 
02540         /* OK, now we can start writing */
02541 
02542         /* Set current user space to kernel space, because write() reads
02543          * from user space
02544          */
02545         oldfs = get_fs();
02546         set_fs(KERNEL_DS);
02547 
02548 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02549         if(file.f_op->llseek)
02550           file.f_op->llseek(&file,new_len,0);
02551         else
02552 #endif
02553           { /* taken from fs/read_write.c */
02554             file.f_pos = new_len;
02555 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02556             file.f_reada = 0;
02557 #endif
02558 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02559             file.f_version = ++event;
02560 #else
02561             file.f_version = 0;
02562 #endif
02563           }
02564         memset(buffer,0,RSBAC_SEC_DEL_CHUNK_SIZE);
02565 
02566 #ifdef CONFIG_RSBAC_DEBUG
02567         if(rsbac_debug_write)
02568           {
02569 #ifdef CONFIG_RSBAC_RMSG
02570             rsbac_printk(KERN_DEBUG
02571                    "rsbac_sec_trunc(): file %lu on device %02u:%02u is positioned, starting to write!\n",
02572                    dentry_p->d_inode->i_ino,
02573                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02574                    MINOR(dentry_p->d_inode->i_sb->s_dev));
02575 #endif
02576 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02577             if (!rsbac_nosyslog)
02578 #endif
02579             printk(KERN_DEBUG
02580                    "rsbac_sec_trunc(): file %lu on device %02u:%02u is positioned, starting to write!\n",
02581                    dentry_p->d_inode->i_ino,
02582                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02583                    MINOR(dentry_p->d_inode->i_sb->s_dev));
02584           }
02585 #endif
02586 
02587         while(new_len < old_len)
02588           {
02589             len = rsbac_min(RSBAC_SEC_DEL_CHUNK_SIZE, old_len-new_len);
02590 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02591             tmperr = file.f_op->write(&file,
02592                                      buffer,
02593                                      len,
02594                                      &file.f_pos);
02595 #else
02596             if(need_lock)
02597               tmperr = file.f_op->write(&file,
02598                                         buffer,
02599                                         len,
02600                                         &file.f_pos);
02601             else
02602               {
02603                 struct iovec local_iov = { .iov_base = (void __user *)buffer,
02604                                         .iov_len = len };
02605 
02606                 tmperr = generic_file_write_nolock(&file,
02607                                                    &local_iov,
02608                                                    1,
02609                                                    &file.f_pos);
02610               }
02611 #endif
02612             /* if none written, end of file is reached -> complain and return */
02613             if (tmperr <= 0)
02614               {
02615 #ifdef CONFIG_RSBAC_RMSG
02616                 rsbac_printk(KERN_WARNING
02617                        "rsbac_sec_trunc(): write error on file!\n");
02618 #endif
02619 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02620                 if (!rsbac_nosyslog)
02621 #endif
02622                 printk(KERN_WARNING
02623                        "rsbac_sec_trunc(): write error on file!\n");
02624                 err = -RSBAC_EWRITEFAILED;
02625                 goto out;
02626               }
02627             new_len += tmperr;
02628           }
02629 
02630         out:
02631         /* Set current user space back to user space, because read() writes */
02632         /* to user space */
02633         set_fs(oldfs);
02634 
02635 #ifdef CONFIG_RSBAC_DEBUG
02636 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0))
02637         if(need_lock)
02638 #endif
02639         if(rsbac_debug_write)
02640           {
02641 #ifdef CONFIG_RSBAC_RMSG
02642             rsbac_printk(KERN_DEBUG
02643                    "rsbac_sec_trunc(): syncing file %lu on device %02u:%02u!\n",
02644                    dentry_p->d_inode->i_ino,
02645                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02646                    MINOR(dentry_p->d_inode->i_sb->s_dev));
02647 #endif
02648 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02649             if (!rsbac_nosyslog)
02650 #endif
02651             printk(KERN_DEBUG
02652                    "rsbac_sec_trunc(): syncing file %lu on device %02u:%02u!\n",
02653                    dentry_p->d_inode->i_ino,
02654                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02655                    MINOR(dentry_p->d_inode->i_sb->s_dev));
02656           }
02657 #endif
02658 
02659 //        err = fsync_inode_buffers(dentry_p->d_inode);
02660 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02661         err = fsync_inode_data_buffers(dentry_p->d_inode);
02662 #else
02663         if(need_lock)
02664           err = file_fsync(&file, dentry_p, 1);
02665 #endif
02666           
02667 /*
02668         if (file.f_op->flush)
02669           file.f_op->flush(&file);
02670         if (file.f_op->release)
02671           file.f_op->release(dentry_p->d_inode,&file);
02672 */
02673         /* End of write access                     */
02674 //        put_write_access(dentry_p->d_inode);
02675 
02676         rsbac_vkfree(buffer, vmalloc_used);
02677       }
02678 
02679     /* Ready. */
02680     return(err);
02681 
02682 #endif /* else of MAINT */
02683   }
02684 
02685 EXPORT_SYMBOL(rsbac_sec_trunc);
02686 int rsbac_sec_trunc(struct dentry * dentry_p,
02687                     loff_t new_len, loff_t old_len)
02688   {
02689     return do_rsbac_sec_trunc(dentry_p, new_len, old_len, TRUE);
02690   }
02691 
02692 EXPORT_SYMBOL(rsbac_sec_del);
02693 int rsbac_sec_del(struct dentry * dentry_p)
02694   {
02695     return do_rsbac_sec_trunc(dentry_p,
02696                               0,
02697                               dentry_p->d_inode->i_size,
02698                               FALSE);
02699   }
02700 
02701 #else /* no SECDEL */
02702 EXPORT_SYMBOL(rsbac_sec_trunc);
02703 int rsbac_sec_trunc(struct dentry * dentry_p,
02704                     loff_t new_len, loff_t old_len)
02705   {
02706     return 0;
02707   }
02708 EXPORT_SYMBOL(rsbac_sec_del);
02709 int rsbac_sec_del(struct dentry * dentry_p)
02710   {
02711     return 0;
02712   }
02713 #endif /* SECDEL */
02714 
02715 #ifdef CONFIG_RSBAC_SYM_REDIR
02716 EXPORT_SYMBOL(rsbac_symlink_redirect);
02717 
02718 void rsbac_symlink_redirect(struct dentry * dentry_p, char * name)
02719   {
02720     int                            err;
02721     union rsbac_target_id_t        i_tid;
02722 #if defined(CONFIG_RSBAC_SYM_REDIR_MAC) || defined(CONFIG_RSBAC_SYM_REDIR_RC)
02723     union rsbac_target_id_t        i_tid2;
02724 #endif
02725     union rsbac_attribute_value_t  i_attr_val;
02726 
02727     if(!name || !dentry_p || !dentry_p->d_inode)
02728       return;
02729     if (!rsbac_is_initialized())
02730       return;
02731 
02732     i_tid.symlink.device = dentry_p->d_inode->i_sb->s_dev;
02733     i_tid.symlink.inode = dentry_p->d_inode->i_ino;
02734     i_tid.symlink.dentry_p = dentry_p;
02735     if(!S_ISLNK(dentry_p->d_inode->i_mode))
02736       {
02737 #ifdef CONFIG_RSBAC_RMSG
02738         rsbac_printk(KERN_DEBUG
02739                "rsbac_symlink_redirect(): called for non-symlink inode %u on dev %02u:%02u!\n",
02740                i_tid.symlink.inode,
02741                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02742 #endif
02743 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02744         if (!rsbac_nosyslog)
02745 #endif
02746         printk(KERN_DEBUG
02747                "rsbac_symlink_redirect(): called for non-symlink inode %u on dev %02u:%02u!\n",
02748                i_tid.symlink.inode,
02749                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02750         return;
02751       }
02752 
02753 #ifdef CONFIG_RSBAC_DEBUG
02754     if (rsbac_debug_aef)
02755       {
02756 #ifdef CONFIG_RSBAC_RMSG
02757         rsbac_printk(KERN_DEBUG
02758                "rsbac_symlink_redirect(): called for symlink inode %u on dev %02u:%02u!\n",
02759                i_tid.symlink.inode,
02760                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02761 #endif
02762 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02763         if (!rsbac_nosyslog)
02764 #endif
02765         printk(KERN_DEBUG
02766                "rsbac_symlink_redirect(): called for symlink inode %u on dev %02u:%02u!\n",
02767                i_tid.symlink.inode,
02768                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02769       }
02770 #endif
02771 
02772 #ifdef CONFIG_RSBAC_SYM_REDIR_UID
02773     if ((err = rsbac_get_attr(GEN,
02774                               T_SYMLINK,
02775                               i_tid,
02776                               A_symlink_add_uid,
02777                               &i_attr_val,
02778                               FALSE) ))
02779       {
02780         rsbac_ds_get_error("rsbac_symlink_redirect()", A_symlink_add_uid);
02781         return;  /* something weird happened */
02782       }
02783     if(i_attr_val.symlink_add_uid)
02784       {
02785         rsbac_uid_t user;
02786         u_int len;
02787 
02788         len = strlen(name);
02789         while(   len
02790               && (name[len-1] >= '0')
02791               && (name[len-1] <= '9')
02792              )
02793           len--;
02794         if(len > (PAGE_SIZE - 20))
02795           return;
02796         if(!rsbac_get_owner(&user))
02797           ulongtostr(name+len, user);
02798       }
02799 #endif
02800 
02801 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC
02802     if ((err = rsbac_get_attr(GEN,
02803                               T_SYMLINK,
02804                               i_tid,
02805                               A_symlink_add_mac_level,
02806                               &i_attr_val,
02807                               FALSE) ))
02808       {
02809         rsbac_ds_get_error("rsbac_symlink_redirect()", A_symlink_add_mac_level);
02810         return;  /* something weird happened */
02811       }
02812     if(i_attr_val.symlink_add_mac_level)
02813       {
02814         u_int len;
02815 
02816         len = strlen(name);
02817         while(   len
02818               && (   (   (name[len-1] >= '0')
02819                       && (name[len-1] <= '9')
02820                      )
02821 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02822                   || (name[len-1] == ':')
02823 #endif
02824                  )
02825              )
02826           len--;
02827 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02828         if(len > (PAGE_SIZE - 85))
02829 #else
02830         if(len > (PAGE_SIZE - 20))
02831 #endif
02832           return;
02833 
02834         i_tid2.process = current->pid;
02835         if ((err = rsbac_get_attr(MAC,
02836                                   T_PROCESS,
02837                                   i_tid2,
02838                                   A_current_sec_level,
02839                                   &i_attr_val,
02840                                   FALSE) ))
02841           {
02842             rsbac_ds_get_error("rsbac_symlink_redirect()", A_current_sec_level);
02843             return;  /* something weird happened */
02844           }
02845 
02846 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02847         len+=sprintf(name+len, "%u:", i_attr_val.current_sec_level);
02848 #else
02849         len+=sprintf(name+len, "%u", i_attr_val.current_sec_level);
02850 #endif
02851 
02852 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02853         if ((err = rsbac_get_attr(MAC,
02854                                   T_PROCESS,
02855                                   i_tid2,
02856                                   A_mac_curr_categories,
02857                                   &i_attr_val,
02858                                   FALSE) ))
02859           {
02860             rsbac_ds_get_error("rsbac_symlink_redirect()", A_mac_curr_categories);
02861             return;  /* something weird happened */
02862           }
02863         u64tostrmac(name+len, i_attr_val.mac_categories);
02864 #endif
02865       }
02866 #endif
02867 
02868 #ifdef CONFIG_RSBAC_SYM_REDIR_RC
02869     if ((err = rsbac_get_attr(GEN,
02870                               T_SYMLINK,
02871                               i_tid,
02872                               A_symlink_add_rc_role,
02873                               &i_attr_val,
02874                               FALSE) ))
02875       {
02876         rsbac_ds_get_error("rsbac_symlink_redirect()", A_symlink_add_rc_role);
02877         return;  /* something weird happened */
02878       }
02879     if(i_attr_val.symlink_add_rc_role)
02880       {
02881         u_int len;
02882 
02883         len = strlen(name);
02884         while(   len
02885               && (name[len-1] >= '0')
02886               && (name[len-1] <= '9')
02887              )
02888           len--;
02889         if(len > (PAGE_SIZE - 20))
02890           return;
02891 
02892         i_tid2.process = current->pid;
02893         if ((err = rsbac_get_attr(RC,
02894                                   T_PROCESS,
02895                                   i_tid2,
02896                                   A_rc_role,
02897                                   &i_attr_val,
02898                                   FALSE) ))
02899           {
02900             rsbac_ds_get_error("rsbac_symlink_redirect()", A_rc_role);
02901             return;  /* something weird happened */
02902           }
02903 
02904         ulongtostr(name+len, i_attr_val.rc_role);
02905       }
02906 #endif
02907 
02908     return;
02909   }
02910 #endif
02911 
02912 #ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART
02913 int rsbac_dac_part_disabled(struct dentry * dentry_p)
02914   {
02915     int                            err;
02916     enum  rsbac_target_t           i_target;
02917     union rsbac_target_id_t        i_tid;
02918     union rsbac_attribute_value_t  i_attr_val;
02919 
02920     if(!dentry_p || !dentry_p->d_inode || !dentry_p->d_inode->i_sb->s_dev || !rsbac_is_initialized())
02921       return FALSE;
02922 
02923     if(S_ISREG(dentry_p->d_inode->i_mode))
02924       i_target = T_FILE;
02925     else
02926     if(S_ISDIR(dentry_p->d_inode->i_mode))
02927       i_target = T_DIR;
02928     else
02929     if(S_ISFIFO(dentry_p->d_inode->i_mode))
02930       i_target = T_FIFO;
02931     else
02932     if(S_ISLNK(dentry_p->d_inode->i_mode))
02933       i_target = T_SYMLINK;
02934     else
02935       return FALSE;
02936 
02937     i_tid.file.device = dentry_p->d_sb->s_dev;
02938     i_tid.file.inode = dentry_p->d_inode->i_ino;
02939     i_tid.file.dentry_p = dentry_p;
02940 
02941 #ifdef CONFIG_RSBAC_DEBUG
02942     if (rsbac_debug_aef)
02943       {
02944 #ifdef CONFIG_RSBAC_RMSG
02945         rsbac_printk(KERN_DEBUG
02946                "rsbac_dac_part_disable(): called for dentry_p->d_inode %u on dev %02u:%02u, dentry_p %p!\n",
02947                i_tid.file.inode,
02948                RSBAC_MAJOR(i_tid.file.device), RSBAC_MINOR(i_tid.file.device),
02949                i_tid.file.dentry_p );
02950 #endif
02951 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02952         if (!rsbac_nosyslog)
02953 #endif
02954         printk(KERN_DEBUG
02955                "rsbac_dac_part_disable(): called for dentry_p->d_inode %u on dev %02u:%02u, dentry_p %p!\n",
02956                i_tid.file.inode,
02957                RSBAC_MAJOR(i_tid.file.device), RSBAC_MINOR(i_tid.file.device),
02958                i_tid.file.dentry_p );
02959       }
02960 #endif
02961 
02962     if ((err = rsbac_get_attr(GEN,
02963                               i_target,
02964                               i_tid,
02965                               A_linux_dac_disable,
02966                               &i_attr_val,
02967                               TRUE) ))
02968       {
02969 #ifdef CONFIG_RSBAC_RMSG
02970         rsbac_printk(KERN_WARNING
02971                "rsbac_dac_part_disable(): rsbac_get_attr() for linux_dac_disable returned error %i!\n",
02972                err);
02973 #endif
02974 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02975         if (!rsbac_nosyslog)
02976 #endif
02977         printk(KERN_WARNING
02978                "rsbac_dac_part_disable(): rsbac_get_attr() for linux_dac_disable returned error %i!\n",
02979                err);
02980         return FALSE;  /* something weird happened */
02981       }
02982     if(i_attr_val.linux_dac_disable == LDD_true)
02983       return TRUE;
02984     else
02985       return FALSE;
02986   }
02987 #endif
02988 
02989 #ifdef CONFIG_RSBAC_FAKE_ROOT_UID
02990 rsbac_uid_t rsbac_fake_uid(void)
02991   {
02992     int                            err;
02993     union rsbac_target_id_t        i_tid;
02994     union rsbac_attribute_value_t  i_attr_val;
02995 
02996     if(!current->uid)
02997       return 0;
02998     if (!rsbac_is_initialized())
02999       return current->uid;
03000 
03001     i_tid.process = current->pid;
03002     if ((err = rsbac_get_attr(GEN,
03003                               T_PROCESS,
03004                               i_tid,
03005                               A_fake_root_uid,
03006                               &i_attr_val,
03007                               FALSE) ))
03008       {
03009         rsbac_ds_get_error("rsbac_fake_uid()", A_fake_root_uid);
03010         return current->uid;  /* something weird happened */
03011       }
03012     switch(i_attr_val.fake_root_uid)
03013       {
03014         case FR_both:
03015         case FR_uid_only:
03016           return 0;
03017         default:
03018           return current->uid;
03019       }
03020   }
03021 
03022 rsbac_uid_t rsbac_fake_euid(void)
03023   {
03024     int                            err;
03025     union rsbac_target_id_t        i_tid;
03026     union rsbac_attribute_value_t  i_attr_val;
03027 
03028     if(!current->euid)
03029       return 0;
03030     if (!rsbac_is_initialized())
03031       return current->euid;
03032 
03033     i_tid.process = current->pid;
03034     if ((err = rsbac_get_attr(GEN,
03035                               T_PROCESS,
03036                               i_tid,
03037                               A_fake_root_uid,
03038                               &i_attr_val,
03039                               FALSE) ))
03040       {
03041         rsbac_ds_get_error("rsbac_fake_euid()", A_fake_root_uid);
03042         return current->euid;  /* something weird happened */
03043       }
03044     switch(i_attr_val.fake_root_uid)
03045       {
03046         case FR_both:
03047         case FR_euid_only:
03048           return 0;
03049         default:
03050           return current->euid;
03051       }
03052   }
03053 
03054 int rsbac_uid_faked(void)
03055   {
03056     int                            err;
03057     union rsbac_target_id_t        i_tid;
03058     union rsbac_attribute_value_t  i_attr_val;
03059 
03060     if (!rsbac_is_initialized())
03061       return 0;
03062 
03063     i_tid.process = current->pid;
03064     if ((err = rsbac_get_attr(GEN,
03065                               T_PROCESS,
03066                               i_tid,
03067                               A_fake_root_uid,
03068                               &i_attr_val,
03069                               FALSE) ))
03070       {
03071         rsbac_ds_get_error("rsbac_uid_faked()", A_fake_root_uid);
03072         return 0;  /* something weird happened */
03073       }
03074     switch(i_attr_val.fake_root_uid)
03075       {
03076         case FR_both:
03077         case FR_uid_only:
03078           return 1;
03079         default:
03080           return 0;
03081       }
03082   }
03083 
03084 #endif
03085 
03086 int rsbac_set_audit_uid(rsbac_uid_t uid)
03087   {
03088     union rsbac_target_id_t       tid;
03089     union rsbac_attribute_value_t attr_val;
03090 
03091     if(!uid || (uid == current->uid))
03092       return 0;
03093     tid.process = current->pid;
03094     if (rsbac_get_attr(GEN,
03095                        T_PROCESS,
03096                        tid,
03097                        A_audit_uid,
03098                        &attr_val,
03099                        FALSE))
03100       {
03101         rsbac_ds_get_error("rsbac_set_audit_uid()", A_audit_uid);
03102         return -RSBAC_EREADFAILED;
03103       }
03104     if(attr_val.audit_uid != RSBAC_NO_USER)
03105       return 0;
03106 
03107     if (rsbac_get_attr(GEN,
03108                        T_PROCESS,
03109                        tid,
03110                        A_auid_exempt,
03111                        &attr_val,
03112                        FALSE))
03113       {
03114         rsbac_ds_get_error("rsbac_set_audit_uid()", A_auid_exempt);
03115         return -RSBAC_EREADFAILED;
03116       }
03117     if(attr_val.auid_exempt == uid)
03118       return 0;
03119 
03120     attr_val.audit_uid = uid;
03121     if (rsbac_set_attr(GEN,
03122                        T_PROCESS,
03123                        tid,
03124                        A_audit_uid,
03125                        attr_val))
03126       {
03127         rsbac_ds_set_error("rsbac_set_audit_uid()", A_audit_uid);
03128         return -RSBAC_EWRITEFAILED;
03129       }
03130     return 0;
03131   }
03132 
03133 /* end of rsbac/adf/main.c */
Generated on Fri Jun 17 09:45:19 2005 for RSBAC by  doxygen 1.4.2