auth_syscalls.c

00001 /*************************************************** */
00002 /* Rule Set Based Access Control                     */
00003 /* Implementation of the Access Control Decision     */
00004 /* Facility (ADF) - Authentication module            */
00005 /* File: rsbac/adf/auth/syscalls.c                   */
00006 /*                                                   */
00007 /* Author and (c) 1999-2004: Amon Ott <ao@rsbac.org> */
00008 /*                                                   */
00009 /* Last modified: 07/Dec/2004                        */
00010 /*************************************************** */
00011 
00012 #include <linux/string.h>
00013 #include <linux/sched.h>
00014 #include <linux/errno.h>
00015 #include <rsbac/types.h>
00016 #include <rsbac/aci.h>
00017 #include <rsbac/error.h>
00018 #include <rsbac/auth.h>
00019 #include <rsbac/debug.h>
00020 #include <rsbac/helpers.h>
00021 #include <rsbac/adf_main.h>
00022 
00023 /************************************************* */
00024 /*           Global Variables                      */
00025 /************************************************* */
00026 
00027 /************************************************* */
00028 /*          Internal Help functions                */
00029 /************************************************* */
00030 
00031 /************************************************* */
00032 /*          Externally visible functions           */
00033 /************************************************* */
00034 
/*
 * rsbac_auth_add_p_cap() - add an AUTH capability range to a process.
 *
 * ta_number, pid, cap_type, cap_range and ttl are handed unchanged to
 * rsbac_auth_add_to_p_capset(); pid names the process that receives the
 * capability.
 *
 * Authorization (skipped entirely when CONFIG_RSBAC_MAINT is defined, and
 * at run time when CONFIG_RSBAC_SWITCH is set and rsbac_switch_auth is 0):
 * the *calling* process (current->pid), not the target pid, must have the
 * AUTH attribute auth_may_set_cap set.
 *
 * Returns 0 on success,
 *         -RSBAC_EREADFAILED  if the caller's attribute cannot be read,
 *         -EPERM              if the caller lacks auth_may_set_cap and no
 *                             soft mode applies,
 *         -RSBAC_EWRITEFAILED if rsbac_auth_add_to_p_capset() reports an error.
 *
 * NOTE(review): cap_range is not checked here (e.g. first <= last);
 * presumably the list layer validates it - confirm against the callee.
 */
int rsbac_auth_add_p_cap(rsbac_list_ta_number_t ta_number,
                         rsbac_pid_t pid,
                         enum rsbac_auth_cap_type_t cap_type,
                         struct rsbac_auth_cap_range_t cap_range,
                         rsbac_time_t ttl)
{
#ifndef CONFIG_RSBAC_MAINT
#ifdef CONFIG_RSBAC_SWITCH
    /* The braced block below is the body of this if when SWITCH is set. */
    if (rsbac_switch_auth)
#endif
    {
        union rsbac_target_id_t caller_tid;
        union rsbac_attribute_value_t caller_attr;

        /* The permission is looked up for the caller, never for pid. */
        caller_tid.process = current->pid;
        if (rsbac_get_attr(AUTH, T_PROCESS, caller_tid,
                           A_auth_may_set_cap, &caller_attr, FALSE)) {
            /*
             * Fail closed: an unreadable attribute aborts the request
             * before the soft-mode test is ever reached.
             */
            rsbac_ds_get_error("rsbac_auth_add_p_cap()", A_auth_may_set_cap);
            return -RSBAC_EREADFAILED;
        }

        if (!caller_attr.auth_may_set_cap) {
            /*
             * Denial record. NOTE(review): it carries the range, the
             * target pid and the caller pid, but neither cap_type nor
             * ta_number. The syslog copy here is gated by
             * CONFIG_RSBAC_RMSG_EXCL, whereas the write-failure message
             * at the end of this function is gated by
             * CONFIG_RSBAC_RMSG_NOSYSLOG / rsbac_nosyslog - confirm that
             * the difference is intended.
             */
#ifdef CONFIG_RSBAC_RMSG
            rsbac_printk(KERN_INFO
                         "rsbac_auth_add_p_cap(): adding AUTH cap %u:%u to process %u denied for process %u!\n",
                         cap_range.first, cap_range.last, pid, current->pid);
#endif
#ifndef CONFIG_RSBAC_RMSG_EXCL
            printk(KERN_INFO
                   "rsbac_auth_add_p_cap(): adding AUTH cap %u:%u to process %u denied for process %u!\n",
                   cap_range.first, cap_range.last, pid, current->pid);
#endif
            /*
             * Without CONFIG_RSBAC_SOFTMODE the return is unconditional.
             * With it, -EPERM is returned only when no soft-mode flag is
             * set; otherwise the denial is merely logged and execution
             * continues to the add below.
             */
#ifdef CONFIG_RSBAC_SOFTMODE
            if (!rsbac_softmode
#ifdef CONFIG_RSBAC_SOFTMODE_IND
                && !rsbac_ind_softmode[AUTH]
#endif
               )
#endif
                return -EPERM;
        }
    }
#endif /* !CONFIG_RSBAC_MAINT */

    /* Check passed (or was skipped / soft-moded): add the capability. */
    if (!rsbac_auth_add_to_p_capset(ta_number, pid, cap_type, cap_range, ttl))
        return 0;

#ifdef CONFIG_RSBAC_RMSG
    rsbac_printk(KERN_WARNING
                 "rsbac_auth_add_p_cap(): rsbac_auth_add_to_p_capset() returned error!\n");
#endif
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
    if (!rsbac_nosyslog)
#endif
    printk(KERN_WARNING
           "rsbac_auth_add_p_cap(): rsbac_auth_add_to_p_capset() returned error!\n");
    return -RSBAC_EWRITEFAILED;
}
00110 
/*
 * rsbac_auth_remove_p_cap() - remove an AUTH capability range from a process.
 *
 * ta_number, pid, cap_type and cap_range are handed unchanged to
 * rsbac_auth_remove_from_p_capset(); pid names the process that loses the
 * capability.
 *
 * Authorization (skipped entirely when CONFIG_RSBAC_MAINT is defined, and
 * at run time when CONFIG_RSBAC_SWITCH is set and rsbac_switch_auth is 0):
 * the *calling* process (current->pid), not the target pid, must have the
 * AUTH attribute auth_may_set_cap set.
 *
 * Returns -RSBAC_EREADFAILED if the caller's attribute cannot be read,
 *         -EPERM             if the caller lacks auth_may_set_cap and no
 *                            soft mode applies,
 *         otherwise whatever rsbac_auth_remove_from_p_capset() returns.
 */
int rsbac_auth_remove_p_cap(rsbac_list_ta_number_t ta_number,
                            rsbac_pid_t pid,
                            enum rsbac_auth_cap_type_t cap_type,
                            struct rsbac_auth_cap_range_t cap_range)
{
#ifndef CONFIG_RSBAC_MAINT
#ifdef CONFIG_RSBAC_SWITCH
    /* The braced block below is the body of this if when SWITCH is set. */
    if (rsbac_switch_auth)
#endif
    {
        union rsbac_target_id_t caller_tid;
        union rsbac_attribute_value_t caller_attr;

        /* The permission is looked up for the caller, never for pid. */
        caller_tid.process = current->pid;
        if (rsbac_get_attr(AUTH, T_PROCESS, caller_tid,
                           A_auth_may_set_cap, &caller_attr, FALSE)) {
            /*
             * Fail closed: an unreadable attribute aborts the request
             * before the soft-mode test is ever reached.
             */
            rsbac_ds_get_error("rsbac_auth_remove_p_cap()", A_auth_may_set_cap);
            return -RSBAC_EREADFAILED;
        }

        if (!caller_attr.auth_may_set_cap) {
            /*
             * Denial record. NOTE(review): it carries the range, the
             * target pid and the caller pid, but neither cap_type nor
             * ta_number.
             */
#ifdef CONFIG_RSBAC_RMSG
            rsbac_printk(KERN_INFO
                         "rsbac_auth_remove_p_cap(): removing AUTH cap %u:%u from process %u denied for process %u!\n",
                         cap_range.first, cap_range.last, pid, current->pid);
#endif
#ifndef CONFIG_RSBAC_RMSG_EXCL
            printk(KERN_INFO
                   "rsbac_auth_remove_p_cap(): removing AUTH cap %u:%u from process %u denied for process %u!\n",
                   cap_range.first, cap_range.last, pid, current->pid);
#endif
            /*
             * Without CONFIG_RSBAC_SOFTMODE the return is unconditional.
             * With it, -EPERM is returned only when no soft-mode flag is
             * set; otherwise the denial is merely logged and execution
             * continues to the removal below.
             */
#ifdef CONFIG_RSBAC_SOFTMODE
            if (!rsbac_softmode
#ifdef CONFIG_RSBAC_SOFTMODE_IND
                && !rsbac_ind_softmode[AUTH]
#endif
               )
#endif
                return -EPERM;
        }
    }
#endif /* !CONFIG_RSBAC_MAINT */

    /*
     * Check passed (or was skipped / soft-moded): attempt the removal.
     * Unlike the add path, a failure here is neither logged nor mapped
     * to an RSBAC error code; the callee's result goes straight back.
     */
    return rsbac_auth_remove_from_p_capset(ta_number, pid, cap_type, cap_range);
}
00172 
/*
 * rsbac_auth_add_f_cap() - add an AUTH capability range to a file.
 *
 * All arguments are handed unchanged to rsbac_auth_add_to_f_capset().
 *
 * No access decision is made in this function. According to the original
 * comment the check is done by the syscall wrapper
 * sys_rsbac_auth_add_f_cap in help/syscalls.c, so this function is only
 * safe to call after that check.
 * NOTE(review): any other in-kernel caller would reach the capability set
 * unchecked - verify that the wrapper is the only caller.
 *
 * Returns 0 on success, -RSBAC_EWRITEFAILED if the callee reports an error.
 */
int rsbac_auth_add_f_cap(rsbac_list_ta_number_t ta_number,
                         rsbac_auth_file_t file,
                         enum rsbac_auth_cap_type_t cap_type,
                         struct rsbac_auth_cap_range_t cap_range,
                         rsbac_time_t ttl)
{
    if (!rsbac_auth_add_to_f_capset(ta_number, file, cap_type, cap_range, ttl))
        return 0;

    /* The callee's own error value is dropped; only the fact is logged. */
#ifdef CONFIG_RSBAC_RMSG
    rsbac_printk(KERN_WARNING
                 "rsbac_auth_add_f_cap(): rsbac_auth_add_to_f_capset() returned error!\n");
#endif
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
    /* When NOSYSLOG is configured this if guards the printk below. */
    if (!rsbac_nosyslog)
#endif
    printk(KERN_WARNING
           "rsbac_auth_add_f_cap(): rsbac_auth_add_to_f_capset() returned error!\n");
    return -RSBAC_EWRITEFAILED;
}
00196 
/*
 * rsbac_auth_remove_f_cap() - remove an AUTH capability range from a file.
 *
 * All arguments are handed unchanged to rsbac_auth_remove_from_f_capset()
 * and its result is returned as is.
 *
 * No access decision is made in this function. According to the original
 * comment the check is done by the syscall wrapper
 * sys_rsbac_auth_remove_f_cap in help/syscalls.c, so this function is only
 * safe to call after that check.
 * NOTE(review): any other in-kernel caller would reach the capability set
 * unchecked - verify that the wrapper is the only caller.
 */
int rsbac_auth_remove_f_cap(rsbac_list_ta_number_t ta_number,
                            rsbac_auth_file_t file,
                            enum rsbac_auth_cap_type_t cap_type,
                            struct rsbac_auth_cap_range_t cap_range)
{
    return rsbac_auth_remove_from_f_capset(ta_number, file, cap_type, cap_range);
}
00206 
00207 /* end of rsbac/adf/auth/syscalls.c */
