Main Page | Alphabetical List | Data Structures | Directories | File List | Data Fields | Globals | Search for 
daten / src / rsbac / linux-2.4.31-rsbac-v1.2.4 / rsbac / adf / pax

pax_main.c

Go to the documentation of this file.
00001 /**************************************************** */
00002 /* Rule Set Based Access Control                      */
00003 /* Implementation of the Access Control Decision      */
00004 /* Facility (ADF) - PAX                               */
00005 /* File: rsbac/adf/pax/pax_main.c                     */
00006 /*                                                    */
00007 /* Author and (c) 1999-2005: Amon Ott <ao@rsbac.org>  */
00008 /*                                                    */
00009 /* Last modified: 06/Jan/2005                         */
00010 /**************************************************** */
00011 
00012 #include <linux/string.h>
00013 #include <linux/binfmts.h>
00014 #include <linux/mm.h>
00015 #include <rsbac/types.h>
00016 #include <rsbac/aci.h>
00017 #include <rsbac/adf_main.h>
00018 #include <rsbac/error.h>
00019 #include <rsbac/helpers.h>
00020 #include <rsbac/getname.h>
00021 #include <rsbac/pax_getname.h>
00022 #include <rsbac/debug.h>
00023 
00024 /************************************************* */
00025 /*           Global Variables                      */
00026 /************************************************* */
00027 
00028 /************************************************* */
00029 /*          Internal Help functions                */
00030 /************************************************* */
00031 
00032 /************************************************* */
00033 /*          Externally visible functions           */
00034 /************************************************* */
00035 
00036 /**** PaX set flags func ****/
00037 #if defined(CONFIG_RSBAC_PAX) && (defined(CONFIG_PAX_HAVE_ACL_FLAGS) || defined(CONFIG_PAX_HOOK_ACL_FLAGS))
00038 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,10)
00039 #if defined(CONFIG_PAX_HAVE_ACL_FLAGS)
00040 void pax_set_initial_flags(struct linux_binprm * bprm)
00041 #else
00042 void rsbac_pax_set_flags_func(struct linux_binprm * bprm)
00043 #endif
00044 #else
00045 #if defined(CONFIG_PAX_HAVE_ACL_FLAGS)
00046 void pax_set_flags(struct linux_binprm * bprm)
00047 #else
00048 void rsbac_pax_set_flags_func(struct linux_binprm * bprm)
00049 #endif
00050 #endif
00051   {
00052     int err;
00053     union rsbac_target_id_t tid;
00054     union rsbac_attribute_value_t attr_val;
00055 
00056     if(!rsbac_is_initialized())
00057       return;
00058     tid.file.device = bprm->file->f_dentry->d_sb->s_dev;
00059     tid.file.inode = bprm->file->f_dentry->d_inode->i_ino;
00060     tid.file.dentry_p = bprm->file->f_dentry;
00061     err = rsbac_get_attr(PAX,
00062                          T_FILE,
00063                          tid,
00064                          A_pax_flags,
00065                          &attr_val,
00066                          TRUE);
00067     if(!err)
00068       {
00069         pax_check_flags(&attr_val.pax_flags);
00070 #ifdef CONFIG_RSBAC_DEBUG
00071         if(rsbac_debug_adf_pax)
00072           {
00073 #ifdef CONFIG_RSBAC_RMSG
00074             rsbac_printk(KERN_DEBUG
00075                    "rsbac_pax_set_flags_func(): changing flags for process %u from %lx to %lx from device %02u:%02u inode %u\n",
00076                    current->pid,
00077                    current->flags & RSBAC_PAX_ALL_FLAGS,
00078                    attr_val.pax_flags,
00079                    MAJOR(tid.file.device),MINOR(tid.file.device),
00080                    tid.file.inode);
00081 #endif
00082 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00083             if (!rsbac_nosyslog)
00084 #endif
00085             printk(KERN_DEBUG
00086                    "rsbac_pax_set_flags_func(): changing flags for process %u from %lx to %lx from device %02u:%02u inode %u\n",
00087                    current->pid,
00088                    current->flags & RSBAC_PAX_ALL_FLAGS,
00089                    attr_val.pax_flags,
00090                    MAJOR(tid.file.device),MINOR(tid.file.device),
00091                    tid.file.inode);
00092           }
00093 #endif
00094         /* Set flags for process */
00095 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,10)
00096         current->mm->flags = (current->mm->flags & ~RSBAC_PAX_ALL_FLAGS) | attr_val.pax_flags;
00097 #else
00098         current->flags = (current->flags & ~RSBAC_PAX_ALL_FLAGS) | attr_val.pax_flags;
00099 #endif
00100       }
00101     else
00102       {
00103 #ifdef CONFIG_RSBAC_RMSG
00104         rsbac_printk(KERN_WARNING
00105                "rsbac_pax_set_flags_func(): get_data for device %02u:%02u, inode %u returned error %i!\n",
00106                MAJOR(tid.file.device),
00107                MINOR(tid.file.device),
00108                tid.file.inode,
00109                err);
00110 #endif
00111 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00112         if (!rsbac_nosyslog)
00113 #endif
00114         printk(KERN_WARNING
00115                "rsbac_pax_set_flags_func(): get_data for device %02u:%02u, inode %u returned error %i!\n",
00116                MAJOR(tid.file.device),
00117                MINOR(tid.file.device),
00118                tid.file.inode,
00119                err);
00120       }
00121   }
00122 #endif
00123 
00124 
00125 enum rsbac_adf_req_ret_t
00126    rsbac_adf_request_pax (enum  rsbac_adf_request_t     request,
00127                                 rsbac_pid_t             caller_pid,
00128                           enum  rsbac_target_t          target,
00129                           union rsbac_target_id_t       tid,
00130                           enum  rsbac_attribute_t       attr,
00131                           union rsbac_attribute_value_t attr_val,
00132                                 rsbac_uid_t             owner)
00133   {
00134     union rsbac_target_id_t       i_tid;
00135     union rsbac_attribute_value_t i_attr_val1;
00136 
00137     switch (request)
00138       {
00139         case R_MODIFY_ATTRIBUTE:
00140             switch(attr)
00141               {
00142                 case A_system_role:
00143                 case A_pax_role:
00144                 case A_pax_flags:
00145                 #ifdef CONFIG_RSBAC_PAX_AUTH_PROT
00146                 case A_auth_may_setuid:
00147                 case A_auth_may_set_cap:
00148                 case A_auth_start_uid:
00149                 case A_auth_program_file:
00150                 case A_auth_learn:
00151                 case A_auth_add_f_cap:
00152                 case A_auth_remove_f_cap:
00153                 #endif
00154                 /* All attributes (remove target!) */
00155                 case A_none:
00156                   /* Security Officer? */
00157                   i_tid.user = owner;
00158                   if (rsbac_get_attr(PAX,
00159                                      T_USER,
00160                                      i_tid,
00161                                      A_pax_role,
00162                                      &i_attr_val1,
00163                                      TRUE))
00164                     {
00165                       rsbac_ds_get_error("rsbac_adf_request_pax()", A_pax_role);
00166                       return(NOT_GRANTED);
00167                     }
00168                   /* if sec_officer, then grant */
00169                   if (i_attr_val1.system_role == SR_security_officer)
00170                     return(GRANTED);
00171                   else
00172                     return(NOT_GRANTED);
00173 
00174                 default:
00175                   return(DO_NOT_CARE);
00176               }
00177 
00178         case R_READ_ATTRIBUTE:
00179             switch(attr)
00180               {
00181                 case A_system_role:
00182                 case A_pax_role:
00183                 case A_pax_flags:
00184                 /* All attributes (remove target!) */
00185                 case A_none:
00186                   /* Security Officer or Admin? */
00187                   i_tid.user = owner;
00188                   if (rsbac_get_attr(PAX,
00189                                      T_USER,
00190                                      i_tid,
00191                                      A_pax_role,
00192                                      &i_attr_val1,
00193                                      TRUE))
00194                     {
00195                       rsbac_ds_get_error("rsbac_adf_request_pax()", A_pax_role);
00196                       return(NOT_GRANTED);
00197                     }
00198                   /* if sec_officer, then grant */
00199                   if(   (i_attr_val1.system_role == SR_security_officer)
00200                      || (i_attr_val1.system_role == SR_administrator)
00201                     )
00202                     return(GRANTED);
00203                   else
00204                     return(NOT_GRANTED);
00205 
00206                 default:
00207                   return(DO_NOT_CARE);
00208               }
00209 
00210         case R_SWITCH_LOG:
00211             switch(target)
00212               {
00213                 case T_NONE:
00214                   /* test owner's pax_role */
00215                   i_tid.user = owner;
00216                   if (rsbac_get_attr(PAX,
00217                                      T_USER,
00218                                      i_tid,
00219                                      A_pax_role,
00220                                      &i_attr_val1,
00221                                      TRUE))
00222                     {
00223                       rsbac_ds_get_error("rsbac_adf_request_pax()", A_pax_role);
00224                       return(NOT_GRANTED);
00225                     }
00226                   /* security officer? -> grant  */
00227                   if (i_attr_val1.system_role == SR_security_officer)
00228                     return(GRANTED);
00229                   else
00230                     return(NOT_GRANTED);
00231 
00232                 /* all other cases are unknown */
00233                 default: return(DO_NOT_CARE);
00234               }
00235 
00236         case R_SWITCH_MODULE:
00237             switch(target)
00238               {
00239                 case T_NONE:
00240                   /* we need the switch_target */
00241                   if(attr != A_switch_target)
00242                     return(UNDEFINED);
00243                   /* do not care for other modules */
00244                   if(   (attr_val.switch_target != PAX)
00245                      #ifdef CONFIG_RSBAC_PAX_AUTH_PROT
00246                      && (attr_val.switch_target != AUTH)
00247                      #endif
00248                      #ifdef CONFIG_RSBAC_SOFTMODE
00249                      && (attr_val.switch_target != SOFTMODE)
00250                      #endif
00251                      #ifdef CONFIG_RSBAC_FREEZE
00252                      && (attr_val.switch_target != FREEZE)
00253                      #endif
00254                     )
00255                     return(DO_NOT_CARE);
00256                   /* test owner's pax_role */
00257                   i_tid.user = owner;
00258                   if (rsbac_get_attr(PAX,
00259                                      T_USER,
00260                                      i_tid,
00261                                      A_pax_role,
00262                                      &i_attr_val1,
00263                                      TRUE))
00264                     {
00265                       rsbac_ds_get_error("rsbac_adf_request_pax()", A_pax_role);
00266                       return(NOT_GRANTED);
00267                     }
00268                   /* security officer? -> grant  */
00269                   if (i_attr_val1.system_role == SR_security_officer)
00270                     return(GRANTED);
00271                   else
00272                     return(NOT_GRANTED);
00273 
00274                 /* all other cases are unknown */
00275                 default: return(DO_NOT_CARE);
00276               }
00277 
00278 /*********************/
00279         default: return DO_NOT_CARE;
00280       }
00281 
00282     return(DO_NOT_CARE);
00283   }; /* end of rsbac_adf_request_pax() */
00284 
00285 
00286 /*****************************************************************************/
00287 /* If the request returned granted and the operation is performed,           */
00288 /* the following function can be called by the AEF to get all aci set        */
00289 /* correctly. For write accesses that are performed fully within the kernel, */
00290 /* this is usually not done to prevent extra calls, including R_CLOSE for    */
00291 /* cleaning up.                                                              */
00292 /* The second instance of target specification is the new target, if one has */
00293 /* been created, otherwise its values are ignored.                           */
00294 /* On success, 0 is returned, and an error from rsbac/error.h otherwise.     */
00295 
00296 int  rsbac_adf_set_attr_pax(
00297                       enum  rsbac_adf_request_t     request,
00298                             rsbac_pid_t             caller_pid,
00299                       enum  rsbac_target_t          target,
00300                       union rsbac_target_id_t       tid,
00301                       enum  rsbac_target_t          new_target,
00302                       union rsbac_target_id_t       new_tid,
00303                       enum  rsbac_attribute_t       attr,
00304                       union rsbac_attribute_value_t attr_val,
00305                             rsbac_uid_t             owner)
00306   {
00307     return 0;
00308   }; /* end of rsbac_adf_set_attr_pax() */
00309 
00310 /* end of rsbac/adf/pax/pax_main.c */
Generated on Fri Jun 17 09:45:19 2005 for RSBAC by  doxygen 1.4.2