00001
00002
00003
00004
00005
00006
00007
00008
00009 #include <linux/types.h>
00010 #include <linux/version.h>
00011 #include <linux/security.h>
00012 #include <linux/ptrace.h>
00013 #include <linux/fs.h>
00014 #include <linux/mount.h>
00015 #include <linux/namei.h>
00016 #include <net/sock.h>
00017 #include <rsbac/types.h>
00018 #include <rsbac/adf.h>
00019 #include <rsbac/aci.h>
00020
00021 static int rsbac_aef_ptrace(struct task_struct * parent, struct task_struct * child)
00022 {
00023 union rsbac_target_id_t rsbac_target_id;
00024 union rsbac_attribute_value_t rsbac_attribute_value;
00025
00026 #ifdef CONFIG_RSBAC_DEBUG
00027 if (rsbac_debug_aef)
00028 printk(KERN_DEBUG "rsbac_aef_ptrace(): calling ADF\n");
00029 #endif
00030 rsbac_target_id.process = child->pid;
00031 rsbac_attribute_value.trace_request = PTRACE_TRACEME;
00032 if (!rsbac_adf_request(R_TRACE,
00033 parent->pid,
00034 T_PROCESS,
00035 rsbac_target_id,
00036 A_trace_request,
00037 rsbac_attribute_value))
00038 return -EPERM;
00039 else
00040 return 0;
00041 }
00042
00043 static int rsbac_aef_statfs(struct super_block * sb)
00044 {
00045 union rsbac_target_id_t rsbac_target_id;
00046 union rsbac_attribute_value_t rsbac_attribute_value;
00047
00048 #ifdef CONFIG_RSBAC_DEBUG
00049 if (rsbac_debug_aef)
00050 printk(KERN_DEBUG "rsbac_aef_statfs(): calling ADF\n");
00051 #endif
00052 rsbac_target_id.dev.type = D_block;
00053 rsbac_target_id.dev.id = sb->s_dev;
00054 rsbac_attribute_value.dummy = 0;
00055 if (!rsbac_adf_request(R_GET_STATUS_DATA,
00056 current->pid,
00057 T_DEV,
00058 rsbac_target_id,
00059 A_none,
00060 rsbac_attribute_value))
00061 return -EPERM;
00062 else
00063 return 0;
00064 }
00065
00066 static int rsbac_aef_inode_follow_link(struct dentry *dentry, struct nameidata *nd)
00067 {
00068 union rsbac_target_id_t rsbac_target_id;
00069 union rsbac_attribute_value_t rsbac_attribute_value;
00070
00071 #ifdef CONFIG_RSBAC_DEBUG
00072 if (rsbac_debug_aef)
00073 printk(KERN_DEBUG "rsbac_aef_inode_follow_link(): calling ADF\n");
00074 #endif
00075 rsbac_target_id.symlink.device = dentry->d_sb->s_dev;
00076 rsbac_target_id.symlink.inode = dentry->d_inode->i_ino;
00077 rsbac_target_id.symlink.dentry_p = dentry;
00078 rsbac_attribute_value.dummy = 0;
00079 if (!rsbac_adf_request(R_SEARCH,
00080 current->pid,
00081 T_SYMLINK,
00082 rsbac_target_id,
00083 A_none,
00084 rsbac_attribute_value))
00085 return -EPERM;
00086 else
00087 return 0;
00088 }
00089
00090 static int rsbac_aef_inode_create(struct inode *dir,
00091 struct dentry *dentry,
00092 int mode)
00093 {
00094 union rsbac_target_id_t rsbac_target_id;
00095 union rsbac_attribute_value_t rsbac_attribute_value;
00096
00097 #ifdef CONFIG_RSBAC_DEBUG
00098 if (rsbac_debug_aef)
00099 printk(KERN_DEBUG "rsbac_aef_inode_create(): calling ADF\n");
00100 #endif
00101 rsbac_target_id.dir.device = dir->i_sb->s_dev;
00102 rsbac_target_id.dir.inode = dir->i_ino;
00103 rsbac_target_id.dir.dentry_p = dentry->d_parent;
00104 rsbac_attribute_value.create_data.target = T_FILE;
00105 rsbac_attribute_value.create_data.dentry_p = dentry;
00106 rsbac_attribute_value.create_data.mode = mode;
00107 rsbac_attribute_value.create_data.device = RSBAC_ZERO_DEV;
00108 if (!rsbac_adf_request(R_CREATE,
00109 current->pid,
00110 T_DIR,
00111 rsbac_target_id,
00112 A_create_data,
00113 rsbac_attribute_value))
00114 return -EPERM;
00115 else
00116 return 0;
00117 }
00118
00119 static void rsbac_aef_inode_post_create(struct inode *dir,
00120 struct dentry *dentry,
00121 int mode)
00122 {
00123 union rsbac_target_id_t rsbac_target_id;
00124 union rsbac_target_id_t rsbac_new_target_id;
00125 union rsbac_attribute_value_t rsbac_attribute_value;
00126
00127 #ifdef CONFIG_RSBAC_DEBUG
00128 if (rsbac_debug_aef)
00129 printk(KERN_DEBUG "rsbac_aef_inode_post_create(): notifying ADF\n");
00130 #endif
00131 rsbac_target_id.dir.device = dir->i_sb->s_dev;
00132 rsbac_target_id.dir.inode = dir->i_ino;
00133 rsbac_target_id.dir.dentry_p = dentry->d_parent;
00134 rsbac_attribute_value.create_data.target = T_FILE;
00135 rsbac_attribute_value.create_data.dentry_p = dentry;
00136 rsbac_attribute_value.create_data.mode = mode;
00137 rsbac_attribute_value.create_data.device = RSBAC_ZERO_DEV;
00138 rsbac_new_target_id.file.device = dentry->d_sb->s_dev;
00139 rsbac_new_target_id.file.inode = dentry->d_inode->i_ino;
00140 rsbac_new_target_id.file.dentry_p = dentry;
00141 if (rsbac_adf_set_attr(R_CREATE,
00142 current->pid,
00143 T_DIR,
00144 rsbac_target_id,
00145 T_FILE,
00146 rsbac_new_target_id,
00147 A_create_data,
00148 rsbac_attribute_value))
00149 {
00150 printk(KERN_WARNING
00151 "rsbac_aef_inode_post_create() [vfs_create() [open_namei() [filp_open() [do_open() [sys_open()]]]]]: rsbac_adf_set_attr() returned error");
00152 }
00153 }
00154
00155 static int rsbac_aef_inode_mknod(struct inode *dir, struct dentry *dentry,
00156 int mode, dev_t dev)
00157 {
00158 union rsbac_target_id_t rsbac_target_id;
00159 union rsbac_attribute_value_t rsbac_attribute_value;
00160
00161 #ifdef CONFIG_RSBAC_DEBUG
00162 if (rsbac_debug_aef)
00163 printk(KERN_DEBUG "rsbac_aef_inode_mknod(): calling ADF\n");
00164 #endif
00165 rsbac_target_id.dir.device = dir->i_sb->s_dev;
00166 rsbac_target_id.dir.inode = dir->i_ino;
00167 rsbac_target_id.dir.dentry_p = dentry->d_parent;
00168 rsbac_attribute_value.create_data.target = T_FILE;
00169 rsbac_attribute_value.create_data.dentry_p = dentry;
00170 rsbac_attribute_value.create_data.mode = mode;
00171 rsbac_attribute_value.create_data.device = dev;
00172 if (!rsbac_adf_request(R_CREATE,
00173 current->pid,
00174 T_DIR,
00175 rsbac_target_id,
00176 A_create_data,
00177 rsbac_attribute_value))
00178 return -EPERM;
00179 else
00180 return 0;
00181 }
00182
00183 static void rsbac_aef_inode_post_mknod(struct inode *dir, struct dentry *dentry,
00184 int mode, dev_t dev)
00185 {
00186 union rsbac_target_id_t rsbac_target_id;
00187 union rsbac_target_id_t rsbac_new_target_id;
00188 union rsbac_attribute_value_t rsbac_attribute_value;
00189
00190 #ifdef CONFIG_RSBAC_DEBUG
00191 if (rsbac_debug_aef)
00192 printk(KERN_DEBUG "rsbac_aef_inode_post_mknod(): notifying ADF\n");
00193 #endif
00194 rsbac_target_id.dir.device = dir->i_sb->s_dev;
00195 rsbac_target_id.dir.inode = dir->i_ino;
00196 rsbac_target_id.dir.dentry_p = dentry->d_parent;
00197 rsbac_attribute_value.create_data.target = T_FILE;
00198 rsbac_attribute_value.create_data.dentry_p = dentry;
00199 rsbac_attribute_value.create_data.mode = mode;
00200 rsbac_attribute_value.create_data.device = dev;
00201 rsbac_new_target_id.file.device = dentry->d_sb->s_dev;
00202 rsbac_new_target_id.file.inode = dentry->d_inode->i_ino;
00203 rsbac_new_target_id.file.dentry_p = dentry;
00204 if (rsbac_adf_set_attr(R_CREATE,
00205 current->pid,
00206 T_DIR,
00207 rsbac_target_id,
00208 T_FILE,
00209 rsbac_new_target_id,
00210 A_create_data,
00211 rsbac_attribute_value))
00212 {
00213 printk(KERN_WARNING
00214 "rsbac_aef_inode_post_mknod() [vfs_mknod() [sys_mknod()]: rsbac_adf_set_attr() returned error");
00215 }
00216 }
00217
00218 static int rsbac_aef_inode_mkdir(struct inode *dir,
00219 struct dentry *dentry,
00220 int mode)
00221 {
00222 union rsbac_target_id_t rsbac_target_id;
00223 union rsbac_attribute_value_t rsbac_attribute_value;
00224
00225 #ifdef CONFIG_RSBAC_DEBUG
00226 if (rsbac_debug_aef)
00227 printk(KERN_DEBUG "rsbac_aef_inode_mkdir(): calling ADF\n");
00228 #endif
00229 rsbac_target_id.dir.device = dir->i_sb->s_dev;
00230 rsbac_target_id.dir.inode = dir->i_ino;
00231 rsbac_target_id.dir.dentry_p = dentry->d_parent;
00232 rsbac_attribute_value.create_data.target = T_FILE;
00233 rsbac_attribute_value.create_data.dentry_p = dentry;
00234 rsbac_attribute_value.create_data.mode = mode;
00235 rsbac_attribute_value.create_data.device = RSBAC_ZERO_DEV;
00236 if (!rsbac_adf_request(R_CREATE,
00237 current->pid,
00238 T_DIR,
00239 rsbac_target_id,
00240 A_create_data,
00241 rsbac_attribute_value))
00242 return -EPERM;
00243 else
00244 return 0;
00245 }
00246
00247 static void rsbac_aef_inode_post_mkdir(struct inode *dir,
00248 struct dentry *dentry,
00249 int mode)
00250 {
00251 union rsbac_target_id_t rsbac_target_id;
00252 union rsbac_target_id_t rsbac_new_target_id;
00253 union rsbac_attribute_value_t rsbac_attribute_value;
00254
00255 #ifdef CONFIG_RSBAC_DEBUG
00256 if (rsbac_debug_aef)
00257 printk(KERN_DEBUG "rsbac_aef_inode_post_mkdir(): notifying ADF\n");
00258 #endif
00259 rsbac_target_id.dir.device = dir->i_sb->s_dev;
00260 rsbac_target_id.dir.inode = dir->i_ino;
00261 rsbac_target_id.dir.dentry_p = dentry->d_parent;
00262 rsbac_attribute_value.create_data.target = T_FILE;
00263 rsbac_attribute_value.create_data.dentry_p = dentry;
00264 rsbac_attribute_value.create_data.mode = mode;
00265 rsbac_attribute_value.create_data.device = RSBAC_ZERO_DEV;
00266 rsbac_new_target_id.file.device = dentry->d_sb->s_dev;
00267 rsbac_new_target_id.file.inode = dentry->d_inode->i_ino;
00268 rsbac_new_target_id.file.dentry_p = dentry;
00269 if (rsbac_adf_set_attr(R_CREATE,
00270 current->pid,
00271 T_DIR,
00272 rsbac_target_id,
00273 T_FILE,
00274 rsbac_new_target_id,
00275 A_create_data,
00276 rsbac_attribute_value))
00277 {
00278 printk(KERN_WARNING
00279 "rsbac_aef_inode_post_mkdir() [vfs_mkdir() [open_namei() [filp_open() [do_open() [sys_open()]]]]]: rsbac_adf_set_attr() returned error");
00280 }
00281 }
00282
00283 static int rsbac_aef_inode_symlink(struct inode *dir,
00284 struct dentry *dentry,
00285 const char *old_name)
00286 {
00287 union rsbac_target_id_t rsbac_target_id;
00288 union rsbac_attribute_value_t rsbac_attribute_value;
00289
00290 #ifdef CONFIG_RSBAC_DEBUG
00291 if (rsbac_debug_aef)
00292 printk(KERN_DEBUG "rsbac_aef_inode_symlink(): calling ADF\n");
00293 #endif
00294 rsbac_target_id.dir.device = dir->i_sb->s_dev;
00295 rsbac_target_id.dir.inode = dir->i_ino;
00296 rsbac_target_id.dir.dentry_p = dentry->d_parent;
00297 rsbac_attribute_value.create_data.target = T_SYMLINK;
00298 rsbac_attribute_value.create_data.dentry_p = dentry;
00299 rsbac_attribute_value.create_data.mode = 0;
00300 rsbac_attribute_value.create_data.device = RSBAC_ZERO_DEV;
00301 if (!rsbac_adf_request(R_CREATE,
00302 current->pid,
00303 T_DIR,
00304 rsbac_target_id,
00305 A_create_data,
00306 rsbac_attribute_value))
00307 return -EPERM;
00308 else
00309 return 0;
00310 }
00311
00312 static void rsbac_aef_inode_post_symlink(struct inode *dir,
00313 struct dentry *dentry,
00314 const char *old_name)
00315 {
00316 union rsbac_target_id_t rsbac_target_id;
00317 union rsbac_target_id_t rsbac_new_target_id;
00318 union rsbac_attribute_value_t rsbac_attribute_value;
00319
00320 #ifdef CONFIG_RSBAC_DEBUG
00321 if (rsbac_debug_aef)
00322 printk(KERN_DEBUG "rsbac_aef_inode_post_symlink(): notifying ADF\n");
00323 #endif
00324 rsbac_target_id.dir.device = dir->i_sb->s_dev;
00325 rsbac_target_id.dir.inode = dir->i_ino;
00326 rsbac_target_id.dir.dentry_p = dentry->d_parent;
00327 rsbac_attribute_value.create_data.target = T_FILE;
00328 rsbac_attribute_value.create_data.dentry_p = dentry;
00329 rsbac_attribute_value.create_data.mode = 0;
00330 rsbac_attribute_value.create_data.device = RSBAC_ZERO_DEV;
00331 rsbac_new_target_id.file.device = dentry->d_sb->s_dev;
00332 rsbac_new_target_id.file.inode = dentry->d_inode->i_ino;
00333 rsbac_new_target_id.file.dentry_p = dentry;
00334 if (rsbac_adf_set_attr(R_CREATE,
00335 current->pid,
00336 T_DIR,
00337 rsbac_target_id,
00338 T_SYMLINK,
00339 rsbac_new_target_id,
00340 A_create_data,
00341 rsbac_attribute_value))
00342 {
00343 printk(KERN_WARNING
00344 "rsbac_aef_inode_post_symlink() [vfs_symlink() [open_namei() [filp_open() [do_open() [sys_open()]]]]]: rsbac_adf_set_attr() returned error");
00345 }
00346 }
00347
00348 static int rsbac_aef_inode_link(struct dentry *old_dentry,
00349 struct inode *dir,
00350 struct dentry *new_dentry)
00351 {
00352 enum rsbac_target_t rsbac_target;
00353 union rsbac_target_id_t rsbac_target_id;
00354 union rsbac_attribute_value_t rsbac_attribute_value;
00355
00356 #ifdef CONFIG_RSBAC_DEBUG
00357 if (rsbac_debug_aef)
00358 printk(KERN_DEBUG "rsbac_aef_inode_link(): calling ADF\n");
00359 #endif
00360 rsbac_target = T_FILE;
00361 if (S_ISDIR (old_dentry->d_inode->i_mode))
00362 rsbac_target = T_DIR;
00363 else if (S_ISFIFO (old_dentry->d_inode->i_mode))
00364 rsbac_target = T_FIFO;
00365 else if (S_ISLNK (old_dentry->d_inode->i_mode))
00366 rsbac_target = T_SYMLINK;
00367 rsbac_target_id.dir.device = old_dentry->d_sb->s_dev;
00368 rsbac_target_id.dir.inode = old_dentry->d_inode->i_ino;
00369 rsbac_target_id.dir.dentry_p = old_dentry;
00370 rsbac_attribute_value.dummy = 0;
00371 if (!rsbac_adf_request(R_LINK_HARD,
00372 current->pid,
00373 rsbac_target,
00374 rsbac_target_id,
00375 A_none,
00376 rsbac_attribute_value))
00377 return -EPERM;
00378 else
00379 return 0;
00380 }
00381
00382 static int rsbac_aef_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
00383 struct inode *new_dir, struct dentry *new_dentry)
00384 {
00385 enum rsbac_target_t rsbac_target;
00386 union rsbac_target_id_t rsbac_target_id;
00387 union rsbac_attribute_value_t rsbac_attribute_value;
00388
00389 #ifdef CONFIG_RSBAC_DEBUG
00390 if (rsbac_debug_aef)
00391 printk(KERN_DEBUG "rsbac_aef_inode_rename(): calling ADF\n");
00392 #endif
00393 rsbac_target = T_FILE;
00394 if (S_ISDIR(old_dentry->d_inode->i_mode))
00395 rsbac_target = T_DIR;
00396 else if (S_ISFIFO (old_dentry->d_inode->i_mode))
00397 rsbac_target = T_FIFO;
00398 else if (S_ISLNK (old_dentry->d_inode->i_mode))
00399 rsbac_target = T_SYMLINK;
00400 rsbac_target_id.file.device = old_dentry->d_sb->s_dev;
00401 rsbac_target_id.file.inode = old_dentry->d_inode->i_ino;
00402 rsbac_target_id.file.dentry_p = old_dentry;
00403 rsbac_attribute_value.new_dir_dentry_p = new_dentry->d_parent;
00404 if (!rsbac_adf_request(R_RENAME,
00405 current->pid,
00406 rsbac_target,
00407 rsbac_target_id,
00408 A_new_dir_dentry_p,
00409 rsbac_attribute_value))
00410 return -EPERM;
00411
00412 #ifdef CONFIG_RSBAC_DEBUG
00413 if (rsbac_debug_aef)
00414 printk(KERN_DEBUG "rsbac_aef_inode_rename(): calling ADF for WRITE on new dir\n");
00415 #endif
00416 rsbac_target_id.dir.device = new_dir->i_sb->s_dev;
00417 rsbac_target_id.dir.inode = new_dir->i_ino;
00418 rsbac_target_id.dir.dentry_p = new_dentry->d_parent;
00419 rsbac_attribute_value.dummy = 0;
00420 if (!rsbac_adf_request(R_WRITE,
00421 current->pid,
00422 T_DIR,
00423 rsbac_target_id,
00424 A_none,
00425 rsbac_attribute_value))
00426 return -EPERM;
00427
00428 return 0;
00429 }
00430
00431 static int rsbac_aef_sb_umount(struct vfsmount * mnt, int flags)
00432 {
00433 struct super_block * sb = mnt->mnt_sb;
00434 union rsbac_target_id_t rsbac_target_id;
00435 union rsbac_attribute_value_t rsbac_attribute_value;
00436
00437 #ifdef CONFIG_RSBAC_DEBUG
00438 if (rsbac_debug_aef)
00439 printk(KERN_DEBUG "rsbac_aef_sb_umount(): calling ADF for DIR\n");
00440 #endif
00441 rsbac_target_id.dir.device = sb->s_dev;
00442 rsbac_target_id.dir.inode = sb->s_root->d_inode->i_ino;
00443 rsbac_target_id.dir.dentry_p = sb->s_root;
00444 rsbac_attribute_value.dummy = 0;
00445 if (!rsbac_adf_request(R_UMOUNT,
00446 current->pid,
00447 T_DIR,
00448 rsbac_target_id,
00449 A_none,
00450 rsbac_attribute_value))
00451 return -EPERM;
00452
00453 #ifdef CONFIG_RSBAC_DEBUG
00454 if (rsbac_debug_aef)
00455 printk(KERN_DEBUG "rsbac_aef_sb_umount(): calling ADF for DEV\n");
00456 #endif
00457 rsbac_target_id.dev.type = D_block;
00458 rsbac_target_id.dev.id = sb->s_dev;
00459 rsbac_attribute_value.dummy = 0;
00460 if (!rsbac_adf_request(R_UMOUNT,
00461 current->pid,
00462 T_DEV,
00463 rsbac_target_id,
00464 A_none,
00465 rsbac_attribute_value))
00466 return -EPERM;
00467
00468 if (! (mnt == current->fs->rootmnt && !(flags & MNT_DETACH)) )
00469 {
00470 #ifdef CONFIG_RSBAC_DEBUG
00471 if (rsbac_debug_ds)
00472 printk(KERN_DEBUG "rsbac_aef_sb_umount(): calling rsbac_umount for Device %02u:%02u\n",
00473 MAJOR(sb->s_dev), MINOR(sb->s_dev));
00474 #endif
00475 rsbac_umount(sb, mnt->mnt_mountpoint);
00476 }
00477 return 0;
00478 }
00479
00480 static void rsbac_aef_sb_umount_busy(struct vfsmount * mnt)
00481 {
00482
00483 #ifdef CONFIG_RSBAC_DEBUG
00484 if (rsbac_debug_ds)
00485 printk(KERN_DEBUG
00486 "rsbac_aef_sb_umount_busy: umount failed, calling rsbac_mount for Device %02u:%02u\n",
00487 MAJOR(mnt->mnt_sb->s_dev), MINOR(mnt->mnt_sb->s_dev));
00488 #endif
00489 rsbac_mount(mnt->mnt_sb, mnt->mnt_mountpoint);
00490 }
00491
00492 static void rsbac_aef_sb_post_addmount(struct vfsmount * mnt,
00493 struct nameidata * mountpoint_nd)
00494 {
00495
00496 #ifdef CONFIG_RSBAC_DEBUG
00497 if (rsbac_debug_ds)
00498 printk(KERN_DEBUG
00499 "rsbac_aef_sb_post_addmount: calling rsbac_mount for Device %02u:%02u\n",
00500 MAJOR(mnt->mnt_sb->s_dev), MINOR(mnt->mnt_sb->s_dev));
00501 #endif
00502 rsbac_mount(mnt->mnt_sb, mnt->mnt_mountpoint);
00503 }
00504
00505 static int rsbac_aef_sb_mount(char *dev_name, struct nameidata * nd,
00506 char *type, unsigned long flags, void *data)
00507 {
00508 struct super_block * sb = nd->mnt->mnt_sb;
00509 union rsbac_target_id_t rsbac_target_id;
00510 union rsbac_attribute_value_t rsbac_attribute_value;
00511
00512 #ifdef CONFIG_RSBAC_DEBUG
00513 if (rsbac_debug_aef)
00514 printk(KERN_DEBUG "rsbac_aef_sb_mount(): calling ADF for DIR\n");
00515 #endif
00516 rsbac_target_id.dir.device = sb->s_dev;
00517 rsbac_target_id.dir.inode = sb->s_root->d_inode->i_ino;
00518 rsbac_target_id.dir.dentry_p = sb->s_root;
00519 rsbac_attribute_value.dummy = 0;
00520 if (!rsbac_adf_request(R_MOUNT,
00521 current->pid,
00522 T_DIR,
00523 rsbac_target_id,
00524 A_none,
00525 rsbac_attribute_value))
00526 return -EPERM;
00527
00528 #ifdef CONFIG_RSBAC_DEBUG
00529 if (rsbac_debug_aef)
00530 printk(KERN_DEBUG "rsbac_aef_sb_mount(): calling ADF for DEV\n");
00531 #endif
00532 rsbac_target_id.dev.type = D_block;
00533 rsbac_target_id.dev.id = sb->s_dev;
00534 rsbac_attribute_value.dummy = 0;
00535 if (!rsbac_adf_request(R_MOUNT,
00536 current->pid,
00537 T_DEV,
00538 rsbac_target_id,
00539 A_none,
00540 rsbac_attribute_value))
00541 return -EPERM;
00542 return 0;
00543 }
00544
00545 static int rsbac_aef_sb_pivotroot(struct nameidata * old_nd,
00546 struct nameidata * new_nd)
00547 {
00548 union rsbac_target_id_t rsbac_target_id;
00549 union rsbac_attribute_value_t rsbac_attribute_value;
00550
00551 #ifdef CONFIG_RSBAC_DEBUG
00552 if (rsbac_debug_aef)
00553 printk(KERN_DEBUG "rsbac_aef_sb_pivotroot(): calling ADF for MOUNT on put_old\n");
00554 #endif
00555 rsbac_target_id.dir.device = old_nd->dentry->d_sb->s_dev;
00556 rsbac_target_id.dir.inode = old_nd->dentry->d_inode->i_ino;
00557 rsbac_target_id.dir.dentry_p = old_nd->dentry;
00558 rsbac_attribute_value.dummy = 0;
00559 if (!rsbac_adf_request(R_MOUNT,
00560 current->pid,
00561 T_DIR,
00562 rsbac_target_id,
00563 A_none,
00564 rsbac_attribute_value))
00565 return -EPERM;
00566
00567 #ifdef CONFIG_RSBAC_DEBUG
00568 if (rsbac_debug_aef)
00569 printk(KERN_DEBUG "rsbac_aef_sb_pivotroot(): calling ADF for MOUNT on root DIR\n");
00570 #endif
00571 rsbac_target_id.dir.device = current->fs->rootmnt->mnt_sb->s_dev;
00572 rsbac_target_id.dir.inode = current->fs->root->d_inode->i_ino;
00573 rsbac_target_id.dir.dentry_p = current->fs->root;
00574 rsbac_attribute_value.dummy = 0;
00575 if (!rsbac_adf_request(R_MOUNT,
00576 current->pid,
00577 T_DIR,
00578 rsbac_target_id,
00579 A_none,
00580 rsbac_attribute_value))
00581 return -EPERM;
00582
00583 return 0;
00584 }
00585
00586 static int rsbac_aef_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
00587 {
00588 enum rsbac_target_t rsbac_target;
00589 union rsbac_target_id_t rsbac_target_id;
00590 union rsbac_attribute_value_t rsbac_attribute_value;
00591
00592 #ifdef CONFIG_RSBAC_DEBUG
00593 if (rsbac_debug_aef)
00594 printk(KERN_DEBUG "rsbac_aef_inode_getattr(): calling ADF\n");
00595 #endif
00596 rsbac_target = T_FILE;
00597 if (S_ISDIR (dentry->d_inode->i_mode))
00598 rsbac_target = T_DIR;
00599 else if (S_ISFIFO (dentry->d_inode->i_mode))
00600 rsbac_target = T_FIFO;
00601 else if (S_ISLNK (dentry->d_inode->i_mode))
00602 rsbac_target = T_SYMLINK;
00603 rsbac_target_id.dir.device = dentry->d_sb->s_dev;
00604 rsbac_target_id.dir.inode = dentry->d_inode->i_ino;
00605 rsbac_target_id.dir.dentry_p = dentry;
00606 rsbac_attribute_value.dummy = 0;
00607 if (!rsbac_adf_request(R_GET_STATUS_DATA,
00608 current->pid,
00609 rsbac_target,
00610 rsbac_target_id,
00611 A_none,
00612 rsbac_attribute_value))
00613 return -EPERM;
00614 else
00615 return 0;
00616 }
00617
00618 static int rsbac_aef_inode_readlink(struct dentry *dentry)
00619 {
00620 union rsbac_target_id_t rsbac_target_id;
00621 union rsbac_attribute_value_t rsbac_attribute_value;
00622
00623 #ifdef CONFIG_RSBAC_DEBUG
00624 if (rsbac_debug_aef)
00625 printk(KERN_DEBUG "rsbac_aef_inode_readlink(): calling ADF\n");
00626 #endif
00627 rsbac_target_id.dir.device = dentry->d_sb->s_dev;
00628 rsbac_target_id.dir.inode = dentry->d_inode->i_ino;
00629 rsbac_target_id.dir.dentry_p = dentry;
00630 rsbac_attribute_value.dummy = 0;
00631 if (!rsbac_adf_request(R_GET_STATUS_DATA,
00632 current->pid,
00633 T_SYMLINK,
00634 rsbac_target_id,
00635 A_none,
00636 rsbac_attribute_value))
00637 return -EPERM;
00638 else
00639 return 0;
00640 }
00641
00642 static int rsbac_aef_file_permission(struct file * file, int mask)
00643 {
00644 enum rsbac_adf_request_t rsbac_request;
00645 enum rsbac_target_t rsbac_target = T_NONE;
00646 union rsbac_target_id_t rsbac_target_id;
00647 union rsbac_attribute_value_t rsbac_attribute_value;
00648
00649 #ifdef CONFIG_RSBAC_DEBUG
00650 if (rsbac_debug_aef)
00651 printk(KERN_DEBUG "rsbac_aef_file_permission(): calling ADF\n");
00652 #endif
00653 if(mask & MAY_WRITE)
00654 rsbac_request = R_WRITE;
00655 else
00656 rsbac_request = R_READ;
00657 #ifdef CONFIG_RSBAC_NET_OBJ_RW
00658 if(S_ISSOCK(file->f_dentry->d_inode->i_mode))
00659 {
00660 #if !defined(CONFIG_RSBAC_NET_OBJ_UNIX)
00661 if( file->f_dentry->d_inode->u.socket_i.ops
00662 && (file->f_dentry->d_inode->u.socket_i.ops->family != AF_UNIX)
00663 )
00664 #endif
00665 {
00666 rsbac_target = T_NETOBJ;
00667 rsbac_target_id.netobj.sock_p
00668 = SOCKET_I(file->f_dentry->d_inode);
00669 rsbac_target_id.netobj.local_addr = NULL;
00670 rsbac_target_id.netobj.local_len = 0;
00671 rsbac_target_id.netobj.remote_addr = NULL;
00672 rsbac_target_id.netobj.remote_len = 0;
00673 }
00674 }
00675 else
00676 #endif
00677 #ifdef CONFIG_RSBAC_RW
00678 if( S_ISFIFO(file->f_dentry->d_inode->i_mode)
00679
00680 && (file->f_dentry->d_sb->s_magic != PIPEFS_MAGIC)
00681 )
00682 {
00683 rsbac_target = T_FIFO;
00684 rsbac_target_id.file.device = file->f_dentry->d_sb->s_dev;
00685 rsbac_target_id.fifo.inode = file->f_dentry->d_inode->i_ino;
00686 rsbac_target_id.fifo.dentry_p = file->f_dentry;
00687 }
00688 else
00689 if(S_ISREG(file->f_dentry->d_inode->i_mode))
00690 {
00691 rsbac_target = T_FILE;
00692 rsbac_target_id.file.device = file->f_dentry->d_sb->s_dev;
00693 rsbac_target_id.file.inode = file->f_dentry->d_inode->i_ino;
00694 rsbac_target_id.file.dentry_p = file->f_dentry;
00695 }
00696 else
00697 if(S_ISBLK(file->f_dentry->d_inode->i_mode))
00698 {
00699 rsbac_target = T_DEV;
00700 rsbac_target_id.dev.type = D_block;
00701 rsbac_target_id.dev.id = file->f_dentry->d_inode->i_rdev;
00702 }
00703 else
00704 if(S_ISCHR(file->f_dentry->d_inode->i_mode))
00705 {
00706 rsbac_target = T_DEV;
00707 rsbac_target_id.dev.type = D_char;
00708 rsbac_target_id.dev.id = file->f_dentry->d_inode->i_rdev;
00709 }
00710 else
00711 #endif
00712 if(S_ISDIR(file->f_dentry->d_inode->i_mode))
00713 {
00714 rsbac_target = T_DIR;
00715 rsbac_target_id.dir.device = file->f_dentry->d_sb->s_dev;
00716 rsbac_target_id.dir.inode = file->f_dentry->d_inode->i_ino;
00717 rsbac_target_id.dir.dentry_p = file->f_dentry;
00718 }
00719 rsbac_attribute_value.dummy = 0;
00720 if ( (rsbac_target != T_NONE)
00721 && !rsbac_adf_request(rsbac_request,
00722 current->pid,
00723 rsbac_target,
00724 rsbac_target_id,
00725 A_none,
00726 rsbac_attribute_value))
00727 return -EPERM;
00728 else
00729 return 0;
00730 }
00731
00732 static int rsbac_aef_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
00733 {
00734 union rsbac_target_id_t rsbac_target_id;
00735 union rsbac_attribute_value_t rsbac_attribute_value;
00736
00737 #ifdef CONFIG_RSBAC_DEBUG
00738 if (rsbac_debug_aef)
00739 printk(KERN_DEBUG "rsbac_aef_task_setgid(): calling ADF\n");
00740 #endif
00741 rsbac_target_id.process = current->pid;
00742 switch(flags)
00743 {
00744 case LSM_SETID_RE:
00745 case LSM_SETID_ID:
00746 case LSM_SETID_RES:
00747 if(id0 != (gid_t) -1)
00748 {
00749 rsbac_attribute_value.group = id0;
00750 if (!rsbac_adf_request(R_CHANGE_GROUP,
00751 current->pid,
00752 T_PROCESS,
00753 rsbac_target_id,
00754 A_group,
00755 rsbac_attribute_value))
00756 return -EPERM;
00757 }
00758 break;
00759 case LSM_SETID_FS:
00760 break;
00761
00762 default:
00763 printk(KERN_WARNING "rsbac_aef_task_setgid(): called with unknown flags value!\n");
00764 break;
00765 }
00766 return 0;
00767 }
00768
00769 static int rsbac_aef_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
00770 {
00771 union rsbac_target_id_t rsbac_target_id;
00772 union rsbac_attribute_value_t rsbac_attribute_value;
00773
00774 #ifdef CONFIG_RSBAC_DEBUG
00775 if (rsbac_debug_aef)
00776 printk(KERN_DEBUG "rsbac_aef_task_setuid(): calling ADF\n");
00777 #endif
00778 rsbac_target_id.process = current->pid;
00779 switch(flags)
00780 {
00781 case LSM_SETID_RE:
00782 if(id0 != (uid_t) -1)
00783 {
00784 rsbac_attribute_value.owner = id0;
00785 if (!rsbac_adf_request(R_CHANGE_OWNER,
00786 current->pid,
00787 T_PROCESS,
00788 rsbac_target_id,
00789 A_owner,
00790 rsbac_attribute_value))
00791 return -EPERM;
00792 }
00793 #ifdef CONFIG_RSBAC_DAC_OWNER
00794 if(id1 != (uid_t) -1)
00795 {
00796 rsbac_attribute_value.owner = id1;
00797 if (!rsbac_adf_request(R_CHANGE_DAC_EFF_OWNER,
00798 current->pid,
00799 T_PROCESS,
00800 rsbac_target_id,
00801 A_owner,
00802 rsbac_attribute_value))
00803 return -EPERM;
00804 }
00805 #endif
00806 break;
00807 case LSM_SETID_ID:
00808 rsbac_attribute_value.owner = id0;
00809 if (!rsbac_adf_request(R_CHANGE_OWNER,
00810 current->pid,
00811 T_PROCESS,
00812 rsbac_target_id,
00813 A_owner,
00814 rsbac_attribute_value))
00815 return -EPERM;
00816 #ifdef CONFIG_RSBAC_DAC_OWNER
00817 if (!rsbac_adf_request(R_CHANGE_DAC_EFF_OWNER,
00818 current->pid,
00819 T_PROCESS,
00820 rsbac_target_id,
00821 A_owner,
00822 rsbac_attribute_value))
00823 return -EPERM;
00824 if (!rsbac_adf_request(R_CHANGE_DAC_FS_OWNER,
00825 current->pid,
00826 T_PROCESS,
00827 rsbac_target_id,
00828 A_owner,
00829 rsbac_attribute_value))
00830 return -EPERM;
00831 #endif
00832 break;
00833 case LSM_SETID_RES:
00834 if(id0 != (uid_t) -1)
00835 {
00836 rsbac_attribute_value.group = id0;
00837 if (!rsbac_adf_request(R_GET_STATUS_DATA,
00838 current->pid,
00839 T_PROCESS,
00840 rsbac_target_id,
00841 A_group,
00842 rsbac_attribute_value))
00843 return -EPERM;
00844 }
00845 #ifdef CONFIG_RSBAC_DAC_OWNER
00846 if(id1 != (uid_t) -1)
00847 {
00848 rsbac_attribute_value.owner = id1;
00849 if (!rsbac_adf_request(R_CHANGE_DAC_EFF_OWNER,
00850 current->pid,
00851 T_PROCESS,
00852 rsbac_target_id,
00853 A_owner,
00854 rsbac_attribute_value))
00855 return -EPERM;
00856 }
00857 else
00858 rsbac_attribute_value.owner = current->euid;
00859 if (!rsbac_adf_request(R_CHANGE_DAC_FS_OWNER,
00860 current->pid,
00861 T_PROCESS,
00862 rsbac_target_id,
00863 A_owner,
00864 rsbac_attribute_value))
00865 return -EPERM;
00866 #endif
00867 break;
00868 case LSM_SETID_FS:
00869 #ifdef CONFIG_RSBAC_DAC_OWNER
00870 rsbac_attribute_value.owner = id0;
00871 if (!rsbac_adf_request(R_CHANGE_DAC_FS_OWNER,
00872 current->pid,
00873 T_PROCESS,
00874 rsbac_target_id,
00875 A_owner,
00876 rsbac_attribute_value))
00877 return -EPERM;
00878 #endif
00879 break;
00880
00881 default:
00882 printk(KERN_WARNING "rsbac_aef_task_setuid(): called with unknown flags value!\n");
00883 break;
00884 }
00885 return 0;
00886 }
00887
00888 static int rsbac_aef_task_setgroups(int gidsetsize, gid_t * grouplist)
00889 {
00890 union rsbac_target_id_t rsbac_target_id;
00891 union rsbac_attribute_value_t rsbac_attribute_value;
00892
00893 #ifdef CONFIG_RSBAC_DEBUG
00894 if (rsbac_debug_aef)
00895 printk(KERN_DEBUG "rsbac_aef_task_setgroups(): calling ADF\n");
00896 #endif
00897 rsbac_target_id.process = current->pid;
00898 rsbac_attribute_value.dummy = 0;
00899 if (!rsbac_adf_request(R_CHANGE_GROUP,
00900 current->pid,
00901 T_PROCESS,
00902 rsbac_target_id,
00903 A_none,
00904 rsbac_attribute_value))
00905 return -EPERM;
00906 else
00907 return 0;
00908 }
00909
00910 static int rsbac_aef_task_setrlimit(unsigned int resource, struct rlimit * new_rlim)
00911 {
00912 union rsbac_target_id_t rsbac_target_id;
00913 union rsbac_attribute_value_t rsbac_attribute_value;
00914
00915 #ifdef CONFIG_RSBAC_DEBUG
00916 if (rsbac_debug_aef)
00917 printk(KERN_DEBUG "rsbac_aef_task_setrlimit(): calling ADF\n");
00918 #endif
00919 rsbac_target_id.scd = ST_rlimit;
00920 rsbac_attribute_value.dummy = 0;
00921 if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
00922 current->pid,
00923 T_SCD,
00924 rsbac_target_id,
00925 A_none,
00926 rsbac_attribute_value))
00927 return -EPERM;
00928 else
00929 return 0;
00930 }
00931
00932 static int rsbac_aef_task_kill(struct task_struct * p,
00933 struct siginfo * info, int sig)
00934 {
00935 union rsbac_target_id_t rsbac_target_id;
00936 union rsbac_attribute_value_t rsbac_attribute_value;
00937
00938 #if 0
00939 if( (!info || ((unsigned long)info != 1 &&
00940 (unsigned long)info != 2 && SI_FROMUSER(info)))
00941 && ((sig != SIGCONT) || (current->session != p->session))
00942 )
00943 #endif
00944 {
00945 if(in_interrupt())
00946 printk(KERN_DEBUG "signal in interrupt, caller_pid %u, target pid %u, signal %u\n",
00947 current->pid, p->pid, sig);
00948 #ifdef CONFIG_RSBAC_DEBUG
00949 if (rsbac_debug_aef)
00950 printk(KERN_DEBUG "rsbac_aef_task_kill(): calling ADF\n");
00951 #endif
00952 rsbac_target_id.process = p->pid;
00953 rsbac_attribute_value.signal = sig;
00954 if (!rsbac_adf_request(R_SEND_SIGNAL,
00955 current->pid,
00956 T_PROCESS,
00957 rsbac_target_id,
00958 A_signal,
00959 rsbac_attribute_value))
00960 return -EPERM;
00961 }
00962 return 0;
00963 }
00964
00965 #ifdef CONFIG_RSBAC_SYSLOG
00966 static int rsbac_aef_syslog(int type)
00967 {
00968 enum rsbac_adf_request_t rsbac_request;
00969 union rsbac_target_id_t rsbac_target_id;
00970 union rsbac_attribute_value_t rsbac_attribute_value;
00971
00972 #ifdef CONFIG_RSBAC_DEBUG
00973 if (rsbac_debug_aef)
00974 printk(KERN_DEBUG "rsbac_aef_syslog(): calling ADF\n");
00975 #endif
00976 switch(type)
00977 {
00978 case 2:
00979 case 3:
00980 rsbac_request = R_GET_STATUS_DATA;
00981 break;
00982 case 4:
00983 case 5:
00984 case 6:
00985 case 7:
00986 case 8:
00987 rsbac_request = R_MODIFY_SYSTEM_DATA;
00988 break;
00989
00990 default:
00991 return 0;
00992 }
00993 rsbac_target_id.scd = ST_syslog;
00994 rsbac_attribute_value.dummy = 0;
00995 if (!rsbac_adf_request(rsbac_request,
00996 current->pid,
00997 T_SCD,
00998 rsbac_target_id,
00999 A_signal,
01000 rsbac_attribute_value))
01001 return -EPERM;
01002 else
01003 return 0;
01004 }
01005 #endif
01006
01007 static int rsbac_aef_sysctl(ctl_table * table, int op)
01008 {
01009 union rsbac_target_id_t rsbac_target_id;
01010 union rsbac_attribute_value_t rsbac_attribute_value;
01011
01012 #ifdef CONFIG_RSBAC_DEBUG
01013 if (rsbac_debug_aef)
01014 printk(KERN_DEBUG "rsbac_aef_sysctl(): calling ADF\n");
01015 #endif
01016 if(!(op & S_IWUGO))
01017 return 0;
01018 switch(table->ctl_name)
01019 {
01020 case KERN_NODENAME:
01021 rsbac_target_id.scd = ST_host_id;
01022 break;
01023 case KERN_DOMAINNAME:
01024 rsbac_target_id.scd = ST_net_id;
01025 break;
01026 default:
01027 rsbac_target_id.scd = ST_other;
01028 }
01029 rsbac_attribute_value.dummy = 0;
01030 if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
01031 current->pid,
01032 T_SCD,
01033 rsbac_target_id,
01034 A_signal,
01035 rsbac_attribute_value))
01036 return -EPERM;
01037 else
01038 return 0;
01039 }
01040
01041 static int rsbac_aef_msg_queue_alloc_security(struct msg_queue * msq)
01042 {
01043 union rsbac_target_id_t rsbac_target_id;
01044 union rsbac_attribute_value_t rsbac_attribute_value;
01045
01046 #ifdef CONFIG_RSBAC_DEBUG
01047 if (rsbac_debug_aef)
01048 printk(KERN_DEBUG "rsbac_aef_msg_queue_alloc_security(): calling ADF\n");
01049 #endif
01050 rsbac_target_id.ipc.type = I_msg;
01051 rsbac_target_id.ipc.id.id_nr = 0;
01052 rsbac_attribute_value.dummy = 0;
01053 if (!rsbac_adf_request(R_CREATE,
01054 current->pid,
01055 T_IPC,
01056 rsbac_target_id,
01057 A_none,
01058 rsbac_attribute_value))
01059 return -EPERM;
01060 else
01061 return 0;
01062 }
01063
01064 static void rsbac_aef_shm_free_security(struct shmid_kernel * shp)
01065 {
01066 union rsbac_target_id_t rsbac_target_id;
01067
01068 #ifdef CONFIG_RSBAC_DEBUG
01069 if (rsbac_debug_aef)
01070 printk(KERN_DEBUG "rsbac_aef_shm_free_security: calling ACI remove_target()\n");
01071 #endif
01072 rsbac_target_id.ipc.type = I_shm;
01073 rsbac_target_id.ipc.id.id_nr = shp->id;
01074 rsbac_remove_target(T_IPC, rsbac_target_id);
01075 }
01076
01077 static int rsbac_aef_shm_alloc_security(struct shmid_kernel * shp)
01078 {
01079 union rsbac_target_id_t rsbac_target_id;
01080 union rsbac_attribute_value_t rsbac_attribute_value;
01081
01082 #ifdef CONFIG_RSBAC_DEBUG
01083 if (rsbac_debug_aef)
01084 printk(KERN_DEBUG "rsbac_aef_shm_alloc_security(): calling ADF\n");
01085 #endif
01086 rsbac_target_id.ipc.type = I_shm;
01087 rsbac_target_id.ipc.id.id_nr = 0;
01088 rsbac_attribute_value.dummy = 0;
01089 if (!rsbac_adf_request(R_CREATE,
01090 current->pid,
01091 T_IPC,
01092 rsbac_target_id,
01093 A_none,
01094 rsbac_attribute_value))
01095 return -EPERM;
01096 else
01097 return 0;
01098 }
01099
01100 static int rsbac_aef_shm_shmat(struct shmid_kernel * shp,
01101 char *shmaddr, int shmflg)
01102 {
01103 enum rsbac_adf_request_t rsbac_request;
01104 union rsbac_target_id_t rsbac_target_id;
01105 union rsbac_attribute_value_t rsbac_attribute_value;
01106
01107 #ifdef CONFIG_RSBAC_DEBUG
01108 if (rsbac_debug_aef)
01109 printk(KERN_DEBUG "rsbac_aef_shm_shmat(): calling ADF\n");
01110 #endif
01111 if ((shmflg & SHM_RDONLY))
01112 rsbac_request = R_READ_OPEN;
01113 else
01114 rsbac_request = R_READ_WRITE_OPEN;
01115 rsbac_target_id.ipc.type = I_shm;
01116 rsbac_target_id.ipc.id.id_nr = shp->id;
01117 rsbac_attribute_value.dummy = 0;
01118 if (!rsbac_adf_request(rsbac_request,
01119 current->pid,
01120 T_IPC,
01121 rsbac_target_id,
01122 A_none,
01123 rsbac_attribute_value))
01124 return -EPERM;
01125 else
01126 return 0;
01127 }
01128
01129 #ifdef CONFIG_RSBAC_IPC_SEM
01130 static int rsbac_aef_sem_alloc_security(struct sem_array * sma)
01131 {
01132 union rsbac_target_id_t rsbac_target_id;
01133 union rsbac_attribute_value_t rsbac_attribute_value;
01134
01135 #ifdef CONFIG_RSBAC_DEBUG
01136 if (rsbac_debug_aef)
01137 printk(KERN_DEBUG "rsbac_aef_sem_alloc_security(): calling ADF\n");
01138 #endif
01139 rsbac_target_id.ipc.type = I_sem;
01140 rsbac_target_id.ipc.id.id_nr = 0;
01141 rsbac_attribute_value.dummy = 0;
01142 if (!rsbac_adf_request(R_CREATE,
01143 current->pid,
01144 T_IPC,
01145 rsbac_target_id,
01146 A_none,
01147 rsbac_attribute_value))
01148 return -EPERM;
01149 else
01150 return 0;
01151 }
01152 #endif
01153
01154 #ifdef CONFIG_RSBAC_NET_OBJ
01155 static int rsbac_aef_socket_accept(struct socket * sock, struct socket * newsock)
01156 {
01157 union rsbac_target_id_t rsbac_target_id;
01158 union rsbac_attribute_value_t rsbac_attribute_value;
01159
01160 #if !defined(CONFIG_RSBAC_NET_OBJ_UNIX)
01161 if( sock->ops
01162 && (sock->ops->family != AF_UNIX)
01163 )
01164 #endif
01165 {
01166 #ifdef CONFIG_RSBAC_DEBUG
01167 if (rsbac_debug_aef)
01168 printk(KERN_DEBUG "rsbac_aef_socket_accept(): calling ADF\n");
01169 #endif
01170 rsbac_target_id.netobj.sock_p = newsock;
01171 rsbac_target_id.netobj.local_addr = NULL;
01172 rsbac_target_id.netobj.local_len = 0;
01173 rsbac_target_id.netobj.remote_addr = NULL;
01174 rsbac_target_id.netobj.remote_len = 0;
01175 rsbac_attribute_value.dummy = 0;
01176 if (!rsbac_adf_request(R_ACCEPT,
01177 current->pid,
01178 T_NETOBJ,
01179 rsbac_target_id,
01180 A_none,
01181 rsbac_attribute_value))
01182 {
01183 #ifdef CONFIG_RSBAC_DEBUG
01184 if (rsbac_debug_aef)
01185 printk(KERN_DEBUG "rsbac_aef_socket_accept(): ADF returned NOT_GRANTED\n");
01186 #endif
01187 return -EPERM;
01188 }
01189 }
01190 return 0;
01191 }
01192
01193 static void rsbac_aef_socket_post_accept(struct socket * sock, struct socket * newsock)
01194 {
01195 union rsbac_target_id_t rsbac_target_id;
01196 union rsbac_target_id_t rsbac_new_target_id;
01197 union rsbac_attribute_value_t rsbac_attribute_value;
01198
01199 #if !defined(CONFIG_RSBAC_NET_OBJ_UNIX)
01200 if( sock->ops
01201 && (sock->ops->family != AF_UNIX)
01202 )
01203 #endif
01204 {
01205 rsbac_target_id.netobj.sock_p = newsock;
01206 rsbac_target_id.netobj.local_addr = NULL;
01207 rsbac_target_id.netobj.local_len = 0;
01208 rsbac_target_id.netobj.remote_addr = NULL;
01209 rsbac_target_id.netobj.remote_len = 0;
01210 rsbac_attribute_value.dummy = 0;
01211 rsbac_new_target_id.dummy = 0;
01212 if (rsbac_adf_set_attr(R_ACCEPT,
01213 current->pid,
01214 T_NETOBJ,
01215 rsbac_target_id,
01216 T_NONE,
01217 rsbac_new_target_id,
01218 A_none,
01219 rsbac_attribute_value))
01220 {
01221 printk(KERN_WARNING
01222 "rsbac_aef_socket_post_accept(): rsbac_adf_set_attr() returned error\n");
01223 }
01224 }
01225 }
01226 #endif
01227
01228 #ifdef CONFIG_RSBAC_INIT_DELAY
01229 static struct security_operations rsbac_sec_ops = {
01230 #else
01231 static struct security_operations rsbac_sec_ops = {
01232 #endif
01233 .ptrace = rsbac_aef_ptrace,
01234 .sb_statfs = rsbac_aef_statfs,
01235 .inode_follow_link = rsbac_aef_inode_follow_link,
01236 .inode_create = rsbac_aef_inode_create,
01237 .inode_post_create = rsbac_aef_inode_post_create,
01238 .inode_mknod = rsbac_aef_inode_mknod,
01239 .inode_post_mknod = rsbac_aef_inode_post_mknod,
01240 .inode_mkdir = rsbac_aef_inode_mkdir,
01241 .inode_post_mkdir = rsbac_aef_inode_post_mkdir,
01242 .inode_symlink = rsbac_aef_inode_symlink,
01243 .inode_post_symlink = rsbac_aef_inode_post_symlink,
01244 .inode_link = rsbac_aef_inode_link,
01245 .inode_rename = rsbac_aef_inode_rename,
01246 .sb_umount = rsbac_aef_sb_umount,
01247 .sb_umount_busy = rsbac_aef_sb_umount_busy,
01248 .sb_post_addmount = rsbac_aef_sb_post_addmount,
01249 .sb_mount = rsbac_aef_sb_mount,
01250 .sb_pivotroot = rsbac_aef_sb_pivotroot,
01251 .inode_getattr = rsbac_aef_inode_getattr,
01252 .inode_readlink = rsbac_aef_inode_readlink,
01253 .file_permission = rsbac_aef_file_permission,
01254 .task_setgid = rsbac_aef_task_setgid,
01255 .task_setuid = rsbac_aef_task_setuid,
01256 .task_setgroups = rsbac_aef_task_setgroups,
01257 .task_setrlimit = rsbac_aef_task_setrlimit,
01258 .task_kill = rsbac_aef_task_kill,
01259 #ifdef CONFIG_RSBAC_SYSLOG
01260 .syslog = rsbac_aef_syslog,
01261 #endif
01262 .sysctl = rsbac_aef_sysctl,
01263 .msg_queue_alloc_security = rsbac_aef_msg_queue_alloc_security,
01264 .shm_free_security = rsbac_aef_shm_free_security,
01265 .shm_alloc_security = rsbac_aef_shm_alloc_security,
01266 #ifdef CONFIG_RSBAC_IPC_SEM
01267 .sem_alloc_security = rsbac_aef_sem_alloc_security,
01268 #endif
01269 #ifdef CONFIG_RSBAC_NET_OBJ
01270 .socket_accept = rsbac_aef_socket_accept,
01271 .socket_post_accept = rsbac_aef_socket_post_accept,
01272 #endif
01273 .shm_shmat = rsbac_aef_shm_shmat
01274 };
01275
01276 int rsbac_lsm_register(void)
01277 {
01278 if (register_security (&rsbac_sec_ops))
01279 {
01280 printk (KERN_INFO
01281 "Failure registering RSBAC with LSM, trying to stack on primary module\n");
01282
01283 if (mod_reg_security ("RSBAC", &rsbac_sec_ops))
01284 {
01285 printk (KERN_ERR "Failure registering RSBAC "
01286 "with primary LSM security module, interceptions missing!\n");
01287 return -EINVAL;
01288 }
01289 }
01290 return 0;
01291 }
