00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012 #include <linux/string.h>
00013 #include <rsbac/types.h>
00014 #include <rsbac/aci.h>
00015 #include <rsbac/adf_main.h>
00016 #include <rsbac/rc.h>
00017 #include <rsbac/error.h>
00018 #include <rsbac/debug.h>
00019 #include <rsbac/helpers.h>
00020 #include <rsbac/getname.h>
00021 #include <rsbac/rc_getname.h>
00022 #include <rsbac/rkmem.h>
00023 #include <rsbac/network.h>
00024
00025
00026
00027
00028
00029
00030
00031
00032
00033 static enum rsbac_adf_req_ret_t
00034 check_comp_rc( enum rsbac_target_t target,
00035 union rsbac_target_id_t tid,
00036 enum rsbac_adf_request_t request,
00037 rsbac_pid_t caller_pid)
00038 {
00039 int err;
00040 union rsbac_target_id_t i_tid;
00041 enum rsbac_attribute_t i_attr;
00042 union rsbac_attribute_value_t i_attr_val1;
00043 union rsbac_attribute_value_t i_attr_val2;
00044
00045 union rsbac_rc_target_id_t i_rc_subtid;
00046 enum rsbac_rc_item_t i_rc_item;
00047
00048
00049 i_tid.process = caller_pid;
00050 if ((err=rsbac_get_attr(RC,
00051 T_PROCESS,
00052 i_tid,
00053 A_rc_role,
00054 &i_attr_val1,
00055 FALSE)))
00056 {
00057 rsbac_ds_get_error("check_comp_rc", A_rc_role);
00058 return(NOT_GRANTED);
00059 }
00060 switch(target)
00061 {
00062 case T_FILE:
00063 case T_DIR:
00064 case T_FIFO:
00065 case T_SYMLINK:
00066 i_rc_item = RI_type_comp_fd;
00067 i_attr = A_rc_type_fd;
00068 break;
00069 case T_DEV:
00070 i_rc_item = RI_type_comp_dev;
00071 i_attr = A_rc_type;
00072 break;
00073 case T_USER:
00074 i_rc_item = RI_type_comp_user;
00075 i_attr = A_rc_type;
00076 break;
00077 case T_PROCESS:
00078 i_rc_item = RI_type_comp_process;
00079 i_attr = A_rc_type;
00080 break;
00081 case T_IPC:
00082 i_rc_item = RI_type_comp_ipc;
00083 i_attr = A_rc_type;
00084 break;
00085 #if defined(CONFIG_RSBAC_RC_UM_PROT)
00086 case T_GROUP:
00087 i_rc_item = RI_type_comp_group;
00088 i_attr = A_rc_type;
00089 break;
00090 #endif
00091 #if defined(CONFIG_RSBAC_RC_NET_DEV_PROT)
00092 case T_NETDEV:
00093 i_rc_item = RI_type_comp_netdev;
00094 i_attr = A_rc_type;
00095 break;
00096 #endif
00097 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
00098 case T_NETTEMP:
00099 i_rc_item = RI_type_comp_nettemp;
00100 i_attr = A_rc_type_nt;
00101 break;
00102 case T_NETOBJ:
00103 i_rc_item = RI_type_comp_netobj;
00104 if(rsbac_net_remote_request(request))
00105 i_attr = A_remote_rc_type;
00106 else
00107 i_attr = A_local_rc_type;
00108 break;
00109 #endif
00110 default:
00111 #ifdef CONFIG_RSBAC_RMSG
00112 rsbac_printk(KERN_WARNING "check_comp_rc(): invalid target %i!\n",target);
00113 #endif
00114 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00115 if (!rsbac_nosyslog)
00116 #endif
00117 printk(KERN_WARNING "check_comp_rc(): invalid target %i!\n",target);
00118 return(NOT_GRANTED);
00119 }
00120
00121
00122 if ((err=rsbac_get_attr(RC,
00123 target,
00124 tid,
00125 i_attr,
00126 &i_attr_val2,
00127 TRUE)))
00128 {
00129 rsbac_ds_get_error("check_comp_rc", i_attr);
00130 return(NOT_GRANTED);
00131 }
00132
00133
00134 i_rc_subtid.type = i_attr_val2.rc_type;
00135 if(rsbac_rc_check_comp(i_attr_val1.rc_role,
00136 i_rc_subtid,
00137 i_rc_item,
00138 request))
00139 return(GRANTED);
00140 else
00141 {
00142 #ifdef CONFIG_RSBAC_DEBUG
00143 if(rsbac_debug_adf_rc)
00144 {
00145 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00146
00147 if(tmp)
00148 {
00149 char * tmp2 = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00150 if(tmp2)
00151 {
00152 #ifdef CONFIG_RSBAC_RMSG
00153 rsbac_printk(KERN_DEBUG "check_comp_rc(): pid %u (%.15s), owner %u, rc_role %u, %s rc_type %u, request %s -> NOT_GRANTED!\n",
00154 caller_pid, current->comm, current->uid, i_attr_val1.rc_role, get_target_name_only(tmp, target), i_attr_val2.rc_type, get_rc_special_right_name(tmp2, request));
00155 #endif
00156 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00157 if (!rsbac_nosyslog)
00158 #endif
00159 printk(KERN_DEBUG "check_comp_rc(): pid %u (%.15s), owner %u, rc_role %u, %s rc_type %u, request %s -> NOT_GRANTED!\n",
00160 caller_pid, current->comm, current->uid, i_attr_val1.rc_role, get_target_name_only(tmp, target), i_attr_val2.rc_type, get_rc_special_right_name(tmp2, request));
00161 rsbac_kfree(tmp2);
00162 }
00163 rsbac_kfree(tmp);
00164 }
00165 }
00166 #endif
00167 return(NOT_GRANTED);
00168 }
00169 }
00170
00171 static enum rsbac_adf_req_ret_t
00172 check_comp_rc_scd(enum rsbac_rc_scd_type_t scd_type,
00173 enum rsbac_adf_request_t request,
00174 rsbac_pid_t caller_pid)
00175 {
00176 int err;
00177 union rsbac_target_id_t i_tid;
00178 union rsbac_attribute_value_t i_attr_val1;
00179
00180 union rsbac_rc_target_id_t i_rc_subtid;
00181
00182
00183 i_tid.process = caller_pid;
00184 if ((err=rsbac_get_attr(RC,
00185 T_PROCESS,
00186 i_tid,
00187 A_rc_role,
00188 &i_attr_val1,
00189 FALSE)))
00190 {
00191 rsbac_ds_get_error("check_comp_rc_scd", A_rc_role);
00192 return(NOT_GRANTED);
00193 }
00194
00195 i_rc_subtid.type = scd_type;
00196 if(rsbac_rc_check_comp(i_attr_val1.rc_role,
00197 i_rc_subtid,
00198 RI_type_comp_scd,
00199 request))
00200 {
00201 return(GRANTED);
00202 }
00203 else
00204 {
00205 #ifdef CONFIG_RSBAC_DEBUG
00206 if(rsbac_debug_adf_rc)
00207 {
00208 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00209
00210 if(tmp)
00211 {
00212 #ifdef CONFIG_RSBAC_RMSG
00213 rsbac_printk(KERN_DEBUG "check_comp_rc_scd(): pid %u (%.15s), owner %u, rc_role %i, scd_type %i, request %s -> NOT_GRANTED!\n",
00214 caller_pid, current->comm, current->uid, i_attr_val1.rc_role, scd_type, get_request_name(tmp,request));
00215 #endif
00216 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00217 if (!rsbac_nosyslog)
00218 #endif
00219 printk(KERN_DEBUG "check_comp_rc_scd(): pid %u (%.15s), owner %u, rc_role %i, scd_type %i, request %s -> NOT_GRANTED!\n",
00220 caller_pid, current->comm, current->uid, i_attr_val1.rc_role, scd_type, get_request_name(tmp,request));
00221 rsbac_kfree(tmp);
00222 }
00223 }
00224 #endif
00225 return(NOT_GRANTED);
00226 }
00227 }
00228
00229
00230 int rsbac_rc_test_admin_roles(rsbac_rc_role_id_t t_role, rsbac_boolean_t modify)
00231 {
00232 int err;
00233 union rsbac_target_id_t i_tid;
00234 union rsbac_attribute_value_t i_attr_val1;
00235 union rsbac_rc_target_id_t i_rc_subtid;
00236
00237 if(t_role > RC_role_max_value)
00238 return -RSBAC_EINVALIDVALUE;
00239
00240 i_tid.process = current->pid;
00241 if ((err=rsbac_get_attr(RC, T_PROCESS,
00242 i_tid,
00243 A_rc_role,
00244 &i_attr_val1,
00245 TRUE)))
00246 {
00247 rsbac_ds_get_error("rsbac_rc_test_admin_roles", A_rc_role);
00248 return -RSBAC_EREADFAILED;
00249 }
00250
00251 i_rc_subtid.role = t_role;
00252
00253 if(!modify)
00254 {
00255 if(rsbac_rc_check_comp(i_attr_val1.rc_role,
00256 i_rc_subtid,
00257 RI_assign_roles,
00258 R_NONE))
00259 return 0;
00260
00261 }
00262
00263 if(rsbac_rc_check_comp(i_attr_val1.rc_role,
00264 i_rc_subtid,
00265 RI_admin_roles,
00266 R_NONE))
00267 return 0;
00268 else
00269 return -EPERM;
00270 }
00271
00272
00273 int rsbac_rc_test_assign_roles(enum rsbac_target_t target,
00274 union rsbac_target_id_t tid,
00275 enum rsbac_attribute_t attr,
00276 rsbac_rc_role_id_t t_role)
00277 {
00278 int err;
00279 union rsbac_target_id_t i_tid;
00280 union rsbac_attribute_value_t i_attr_val1;
00281 union rsbac_attribute_value_t i_attr_val2;
00282 union rsbac_rc_target_id_t i_rc_subtid;
00283
00284 if( ( (t_role > RC_role_max_value)
00285 && (t_role != RC_role_inherit_user)
00286 )
00287 || (target >= T_NONE)
00288 )
00289 return -RSBAC_EINVALIDVALUE;
00290
00291 i_tid.process = current->pid;
00292 if ((err=rsbac_get_attr(RC, T_PROCESS,
00293 i_tid,
00294 A_rc_role,
00295 &i_attr_val1,
00296 TRUE)))
00297 {
00298 rsbac_ds_get_error("rsbac_rc_test_assign_roles", A_rc_role);
00299 return -RSBAC_EREADFAILED;
00300 }
00301
00302 if ((err=rsbac_get_attr(RC,
00303 target,
00304 tid,
00305 attr,
00306 &i_attr_val2,
00307 TRUE)))
00308 {
00309 rsbac_ds_get_error("rsbac_rc_test_assign_roles", attr);
00310 return -RSBAC_EREADFAILED;
00311 }
00312
00313 i_rc_subtid.role = i_attr_val2.rc_role;
00314 if(!rsbac_rc_check_comp(i_attr_val1.rc_role,
00315 i_rc_subtid,
00316 RI_assign_roles,
00317 R_NONE))
00318 return -EPERM;
00319 if(t_role != RC_role_inherit_user)
00320 {
00321 i_rc_subtid.role = t_role;
00322 if(!rsbac_rc_check_comp(i_attr_val1.rc_role,
00323 i_rc_subtid,
00324 RI_assign_roles,
00325 R_NONE))
00326 return -EPERM;
00327 }
00328 return 0;
00329 }
00330
00331 enum rsbac_adf_req_ret_t
00332 rsbac_rc_check_type_comp(enum rsbac_target_t target,
00333 rsbac_rc_type_id_t type,
00334 enum rsbac_adf_request_t request,
00335 rsbac_pid_t caller_pid)
00336 {
00337 int err;
00338 union rsbac_target_id_t i_tid;
00339 union rsbac_attribute_value_t i_attr_val1;
00340
00341 union rsbac_rc_target_id_t i_rc_subtid;
00342 enum rsbac_rc_item_t i_rc_item;
00343
00344 if(!caller_pid)
00345 caller_pid = current->pid;
00346
00347
00348
00349
00350 if(type > RC_type_max_value)
00351 {
00352 if(request == RCR_ASSIGN)
00353 return GRANTED;
00354 else
00355 return NOT_GRANTED;
00356 }
00357
00358
00359 i_tid.process = caller_pid;
00360 if ((err=rsbac_get_attr(RC,
00361 T_PROCESS,
00362 i_tid,
00363 A_rc_role,
00364 &i_attr_val1,
00365 FALSE)))
00366 {
00367 rsbac_ds_get_error("rsbac_rc_check_type_comp", A_rc_role);
00368 return(NOT_GRANTED);
00369 }
00370 switch(target)
00371 {
00372 case T_FILE:
00373 case T_DIR:
00374 case T_FIFO:
00375 case T_SYMLINK:
00376 case T_FD:
00377 i_rc_item = RI_type_comp_fd;
00378 break;
00379 case T_DEV:
00380 i_rc_item = RI_type_comp_dev;
00381 break;
00382 case T_USER:
00383 i_rc_item = RI_type_comp_user;
00384 break;
00385 case T_PROCESS:
00386 i_rc_item = RI_type_comp_process;
00387 break;
00388 case T_IPC:
00389 i_rc_item = RI_type_comp_ipc;
00390 break;
00391 #if defined(CONFIG_RSBAC_RC_UM_PROT)
00392 case T_GROUP:
00393 i_rc_item = RI_type_comp_group;
00394 break;
00395 #endif
00396 #if defined(CONFIG_RSBAC_RC_NET_DEV_PROT)
00397 case T_NETDEV:
00398 i_rc_item = RI_type_comp_netdev;
00399 break;
00400 #endif
00401 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
00402 case T_NETTEMP:
00403 i_rc_item = RI_type_comp_nettemp;
00404 break;
00405 case T_NETOBJ:
00406 i_rc_item = RI_type_comp_netobj;
00407 break;
00408 #endif
00409
00410 default:
00411 #ifdef CONFIG_RSBAC_RMSG
00412 rsbac_printk(KERN_WARNING "rsbac_rc_check_type_comp(): invalid target %i!\n",target);
00413 #endif
00414 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00415 if (!rsbac_nosyslog)
00416 #endif
00417 printk(KERN_WARNING "rsbac_rc_check_type_comp(): invalid target %i!\n",target);
00418 return(NOT_GRANTED);
00419 }
00420
00421 i_rc_subtid.type = type;
00422 if(rsbac_rc_check_comp(i_attr_val1.rc_role,
00423 i_rc_subtid,
00424 i_rc_item,
00425 request))
00426 return(GRANTED);
00427 else
00428 {
00429 #ifdef CONFIG_RSBAC_DEBUG
00430 if(rsbac_debug_adf_rc)
00431 {
00432 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00433
00434 if(tmp)
00435 {
00436 #ifdef CONFIG_RSBAC_RMSG
00437 rsbac_printk(KERN_DEBUG "rsbac_rc_check_type_comp(): rc_role is %i, rc_type is %i, request is %s -> NOT_GRANTED!\n",
00438 i_attr_val1.rc_role, type, get_rc_special_right_name(tmp, request));
00439 #endif
00440 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00441 if (!rsbac_nosyslog)
00442 #endif
00443 printk(KERN_DEBUG "rsbac_rc_check_type_comp(): rc_role is %i, rc_type is %i, request is %s -> NOT_GRANTED!\n",
00444 i_attr_val1.rc_role, type, get_rc_special_right_name(tmp, request));
00445 rsbac_kfree(tmp);
00446 }
00447 }
00448 #endif
00449 return(NOT_GRANTED);
00450 }
00451 }
00452
00453
00454 int rsbac_rc_test_role_admin(rsbac_boolean_t modify)
00455 {
00456 int err;
00457 union rsbac_target_id_t i_tid;
00458 union rsbac_attribute_value_t i_attr_val1;
00459 union rsbac_rc_target_id_t i_rc_tid;
00460 union rsbac_rc_item_value_t i_rc_item_val1;
00461
00462
00463 i_tid.process = current->pid;
00464 if ((err=rsbac_get_attr(RC, T_PROCESS,
00465 i_tid,
00466 A_rc_role,
00467 &i_attr_val1,
00468 TRUE)))
00469 {
00470 rsbac_ds_get_error("rsbac_rc_test_role_admin", A_rc_role);
00471 return -RSBAC_EREADFAILED;
00472 }
00473
00474
00475 i_rc_tid.role = i_attr_val1.rc_role;
00476 if ((err=rsbac_rc_get_item(0,
00477 RT_ROLE,
00478 i_rc_tid,
00479 i_rc_tid,
00480 RI_admin_type,
00481 &i_rc_item_val1,
00482 NULL)))
00483 {
00484 rsbac_rc_ds_get_error("rsbac_rc_test_role_admin", RI_admin_type);
00485 return -RSBAC_EREADFAILED;
00486 }
00487
00488
00489 if ( (i_rc_item_val1.admin_type == RC_role_admin)
00490 || ( !modify
00491 && (i_rc_item_val1.admin_type == RC_system_admin)
00492 )
00493 )
00494 return 0;
00495 else
00496 return -EPERM;
00497 }
00498
00499
00500
00501
00502
00503 enum rsbac_adf_req_ret_t
00504 rsbac_adf_request_rc (enum rsbac_adf_request_t request,
00505 rsbac_pid_t caller_pid,
00506 enum rsbac_target_t target,
00507 union rsbac_target_id_t tid,
00508 enum rsbac_attribute_t attr,
00509 union rsbac_attribute_value_t attr_val,
00510 rsbac_uid_t owner)
00511 {
00512 int err;
00513 enum rsbac_adf_req_ret_t result = DO_NOT_CARE;
00514 union rsbac_attribute_value_t i_attr_val1;
00515 union rsbac_rc_target_id_t i_rc_tid;
00516 union rsbac_rc_target_id_t i_rc_subtid;
00517 union rsbac_rc_item_value_t i_rc_item_val1;
00518 union rsbac_target_id_t i_tid;
00519 union rsbac_attribute_value_t i_attr_val2;
00520
00521 switch (request)
00522 {
00523 case R_ADD_TO_KERNEL:
00524 switch(target)
00525 {
00526 case T_NONE:
00527
00528 return(check_comp_rc_scd(ST_other, request, caller_pid));
00529
00530
00531 default:
00532 return(DO_NOT_CARE);
00533 }
00534
00535
00536 case R_ALTER:
00537
00538 switch(target)
00539 {
00540 case T_IPC:
00541 return(check_comp_rc(target, tid, request, caller_pid));
00542
00543
00544 default: return(DO_NOT_CARE);
00545 }
00546
00547 case R_APPEND_OPEN:
00548 case R_READ_WRITE_OPEN:
00549 switch(target)
00550 {
00551 case T_FILE:
00552 case T_DEV:
00553 case T_FIFO:
00554 case T_IPC:
00555 return(check_comp_rc(target, tid, request, caller_pid));
00556
00557
00558 default: return(DO_NOT_CARE);
00559 }
00560
00561 case R_CHANGE_GROUP:
00562 switch(target)
00563 {
00564 case T_FILE:
00565 case T_DIR:
00566 case T_FIFO:
00567 case T_SYMLINK:
00568 case T_IPC:
00569 #if defined(CONFIG_RSBAC_RC_UM_PROT)
00570 case T_USER:
00571 #endif
00572 return(check_comp_rc(target, tid, request, caller_pid));
00573
00574 case T_PROCESS:
00575 return(DO_NOT_CARE);
00576
00577 default: return(DO_NOT_CARE);
00578 }
00579
00580 case R_CHANGE_OWNER:
00581 switch(target)
00582 {
00583 case T_FILE:
00584 case T_DIR:
00585 case T_FIFO:
00586 case T_SYMLINK:
00587 case T_IPC:
00588 return(check_comp_rc(target, tid, request, caller_pid));
00589
00590 case T_PROCESS:
00591
00592 if ((err=rsbac_get_attr(RC, T_PROCESS,
00593 tid,
00594 A_rc_role,
00595 &i_attr_val1,
00596 FALSE)))
00597 {
00598 rsbac_ds_get_error("rsbac_adf_request_rc", A_rc_role);
00599 return(-RSBAC_EREADFAILED);
00600 }
00601
00602 i_rc_tid.role = i_attr_val1.rc_role;
00603 if ((err=rsbac_rc_get_item(0,
00604 RT_ROLE,
00605 i_rc_tid,
00606 i_rc_tid,
00607 RI_def_process_chown_type,
00608 &i_rc_item_val1,
00609 NULL)))
00610 {
00611 rsbac_rc_ds_get_error("rsbac_adf_request_rc()",
00612 RI_def_process_chown_type);
00613 return(-RSBAC_EREADFAILED);
00614 }
00615 if( (i_rc_item_val1.type_id == RC_type_no_chown)
00616 || (i_rc_item_val1.type_id == RC_type_no_create)
00617 )
00618 return(NOT_GRANTED);
00619 else
00620 return(GRANTED);
00621
00622
00623 default:
00624 return(DO_NOT_CARE);
00625 }
00626
00627 case R_CHDIR:
00628 switch(target)
00629 {
00630 case T_DIR:
00631 return(check_comp_rc(target, tid, request, caller_pid));
00632
00633
00634 default: return(DO_NOT_CARE);
00635 }
00636
00637 case R_CLONE:
00638 if (target == T_PROCESS)
00639 {
00640
00641
00642 i_tid.process = caller_pid;
00643 if ((err=rsbac_get_attr(RC, T_PROCESS,
00644 i_tid,
00645 A_rc_role,
00646 &i_attr_val1,
00647 FALSE)))
00648 {
00649 rsbac_ds_get_error("rsbac_adf_request_rc", A_rc_role);
00650 return(NOT_GRANTED);
00651 }
00652
00653 i_rc_tid.role = i_attr_val1.rc_role;
00654 if ((err=rsbac_rc_get_item(0,
00655 RT_ROLE,
00656 i_rc_tid,
00657 i_rc_tid,
00658 RI_def_process_create_type,
00659 &i_rc_item_val1,
00660 NULL)))
00661 {
00662 rsbac_rc_ds_get_error("rsbac_adf_request_rc()",
00663 RI_def_process_create_type);
00664 return(-RSBAC_EREADFAILED);
00665 }
00666 switch(i_rc_item_val1.type_id)
00667 {
00668 case RC_type_no_create:
00669 return(NOT_GRANTED);
00670
00671 case RC_type_use_new_role_def_create:
00672
00673 #ifdef CONFIG_RSBAC_RMSG
00674 rsbac_printk(KERN_WARNING
00675 "rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_process_create_type of role %i!\n",
00676 i_attr_val1.rc_role);
00677 #endif
00678 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00679 if (!rsbac_nosyslog)
00680 #endif
00681 printk(KERN_WARNING
00682 "rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_process_create_type of role %i!\n",
00683 i_attr_val1.rc_role);
00684 return(NOT_GRANTED);
00685
00686 case RC_type_inherit_parent:
00687 case RC_type_inherit_process:
00688 return GRANTED;
00689
00690 default:
00691
00692
00693 i_rc_subtid.type = i_rc_item_val1.type_id;
00694 if(rsbac_rc_check_comp(i_attr_val1.rc_role,
00695 i_rc_subtid,
00696 RI_type_comp_process,
00697 R_CREATE))
00698 return(GRANTED);
00699 else
00700 {
00701 #ifdef CONFIG_RSBAC_RMSG
00702 rsbac_printk(KERN_WARNING
00703 "rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_process_create_type %i -> NOT_GRANTED!\n",
00704 i_attr_val1.rc_role, i_rc_item_val1.type_id);
00705 #endif
00706 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00707 if (!rsbac_nosyslog)
00708 #endif
00709 printk(KERN_WARNING
00710 "rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_process_create_type %i -> NOT_GRANTED!\n",
00711 i_attr_val1.rc_role, i_rc_item_val1.type_id);
00712 return(NOT_GRANTED);
00713 }
00714 }
00715 }
00716 else
00717 return(DO_NOT_CARE);
00718
00719
00720 case R_CREATE:
00721 switch(target)
00722 {
00723 case T_DIR:
00724
00725 result = check_comp_rc(target, tid, request, caller_pid);
00726 if((result != GRANTED) && (result != DO_NOT_CARE))
00727 return result;
00728
00729
00730
00731 i_tid.process = caller_pid;
00732 if ((err=rsbac_get_attr(RC, T_PROCESS,
00733 i_tid,
00734 A_rc_role,
00735 &i_attr_val1,
00736 FALSE)))
00737 {
00738 rsbac_ds_get_error("rsbac_adf_request_rc", A_rc_role);
00739 return(NOT_GRANTED);
00740 }
00741
00742
00743 if ((err=rsbac_get_attr(RC,
00744 target,
00745 tid,
00746 A_rc_type_fd,
00747 &i_attr_val2,
00748 TRUE)))
00749 {
00750 rsbac_ds_get_error("rsbac_adf_request_rc", A_rc_type_fd);
00751 return(NOT_GRANTED);
00752 }
00753 i_rc_tid.role = i_attr_val1.rc_role;
00754 i_rc_subtid.type = i_attr_val2.rc_type;
00755 if ((err=rsbac_rc_get_item(0,
00756 RT_ROLE,
00757 i_rc_tid,
00758 i_rc_subtid,
00759 RI_def_fd_ind_create_type,
00760 &i_rc_item_val1,
00761 NULL)))
00762 {
00763 if ((err=rsbac_rc_get_item(0,
00764 RT_ROLE,
00765 i_rc_tid,
00766 i_rc_subtid,
00767 RI_def_fd_create_type,
00768 &i_rc_item_val1,
00769 NULL)))
00770 {
00771 rsbac_rc_ds_get_error("rsbac_adf_request_rc()",
00772 RI_def_fd_create_type);
00773 return(-RSBAC_EREADFAILED);
00774 }
00775 }
00776 switch(i_rc_item_val1.type_id)
00777 {
00778 case RC_type_no_create:
00779 return(NOT_GRANTED);
00780 break;
00781
00782 case RC_type_use_new_role_def_create:
00783 case RC_type_inherit_process:
00784
00785 #ifdef CONFIG_RSBAC_RMSG
00786 rsbac_printk(KERN_WARNING
00787 "rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_fd_create_type of role %i!\n",
00788 i_attr_val1.rc_role);
00789 #endif
00790 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00791 if (!rsbac_nosyslog)
00792 #endif
00793 printk(KERN_WARNING
00794 "rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_fd_create_type of role %i!\n",
00795 i_attr_val1.rc_role);
00796 return(NOT_GRANTED);
00797
00798 case RC_type_inherit_parent:
00799 return GRANTED;
00800
00801 default:
00802
00803
00804 i_rc_subtid.type = i_rc_item_val1.type_id;
00805 if(rsbac_rc_check_comp(i_attr_val1.rc_role,
00806 i_rc_subtid,
00807 RI_type_comp_fd,
00808 R_CREATE))
00809 return(GRANTED);
00810 else
00811 {
00812 #ifdef CONFIG_RSBAC_RMSG
00813 rsbac_printk(KERN_WARNING
00814 "rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_fd_create_type %i -> NOT_GRANTED!\n",
00815 i_attr_val1.rc_role, i_rc_item_val1.type_id);
00816 #endif
00817 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00818 if (!rsbac_nosyslog)
00819 #endif
00820 printk(KERN_WARNING
00821 "rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_fd_create_type %i -> NOT_GRANTED!\n",
00822 i_attr_val1.rc_role, i_rc_item_val1.type_id);
00823 return(NOT_GRANTED);
00824 }
00825 }
00826
00827 case T_IPC:
00828
00829
00830 i_tid.process = caller_pid;
00831 if ((err=rsbac_get_attr(RC, T_PROCESS,
00832 i_tid,
00833 A_rc_role,
00834 &i_attr_val1,
00835 FALSE)))
00836 {
00837 rsbac_ds_get_error("rsbac_adf_request_rc", A_rc_role);
00838 return(NOT_GRANTED);
00839 }
00840
00841 i_rc_tid.role = i_attr_val1.rc_role;
00842 if ((err=rsbac_rc_get_item(0,
00843 RT_ROLE,
00844 i_rc_tid,
00845 i_rc_tid,
00846 RI_def_ipc_create_type,
00847 &i_rc_item_val1,
00848 NULL)))
00849 {
00850 rsbac_rc_ds_get_error("rsbac_adf_request_rc()",
00851 RI_def_ipc_create_type);
00852 return(-RSBAC_EREADFAILED);
00853 }
00854 switch(i_rc_item_val1.type_id)
00855 {
00856 case RC_type_no_create:
00857 return(NOT_GRANTED);
00858
00859 case RC_type_use_new_role_def_create:
00860
00861 #ifdef CONFIG_RSBAC_RMSG
00862 rsbac_printk(KERN_WARNING
00863 "rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_ipc_create_type of role %i!\n",
00864 i_attr_val1.rc_role);
00865 #endif
00866 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00867 if (!rsbac_nosyslog)
00868 #endif
00869 printk(KERN_WARNING
00870 "rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_ipc_create_type of role %i!\n",
00871 i_attr_val1.rc_role);
00872 return(NOT_GRANTED);
00873
00874 case RC_type_inherit_parent:
00875 case RC_type_inherit_process:
00876
00877 #ifdef CONFIG_RSBAC_RMSG
00878 rsbac_printk(KERN_WARNING
00879 "rsbac_adf_request_rc(): invalid type inherit_parent in def_ipc_create_type of role %i!\n",
00880 i_attr_val1.rc_role);
00881 #endif
00882 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00883 if (!rsbac_nosyslog)
00884 #endif
00885 printk(KERN_WARNING
00886 "rsbac_adf_request_rc(): invalid type inherit_parent in def_ipc_create_type of role %i!\n",
00887 i_attr_val1.rc_role);
00888 return(NOT_GRANTED);
00889
00890 default:
00891
00892
00893 i_rc_subtid.type = i_rc_item_val1.type_id;
00894 if(rsbac_rc_check_comp(i_attr_val1.rc_role,
00895 i_rc_subtid,
00896 RI_type_comp_ipc,
00897 R_CREATE))
00898 return(GRANTED);
00899 else
00900 {
00901 #ifdef CONFIG_RSBAC_RMSG
00902 rsbac_printk(KERN_WARNING
00903 "rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_ipc_create_type %i -> NOT_GRANTED!\n",
00904 i_attr_val1.rc_role, i_rc_item_val1.type_id);
00905 #endif
00906 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00907 if (!rsbac_nosyslog)
00908 #endif
00909 printk(KERN_WARNING
00910 "rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_ipc_create_type %i -> NOT_GRANTED!\n",
00911 i_attr_val1.rc_role, i_rc_item_val1.type_id);
00912 return(NOT_GRANTED);
00913 }
00914 }
00915
00916 #if defined(CONFIG_RSBAC_RC_UM_PROT)
00917 case T_USER:
00918
00919
00920 i_tid.process = caller_pid;
00921 if ((err=rsbac_get_attr(RC, T_PROCESS,
00922 i_tid,
00923 A_rc_role,
00924 &i_attr_val1,
00925 FALSE)))
00926 {
00927 rsbac_ds_get_error("rsbac_adf_request_rc", A_rc_role);
00928 return(NOT_GRANTED);
00929 }
00930
00931 i_rc_tid.role = i_attr_val1.rc_role;
00932 if ((err=rsbac_rc_get_item(0,
00933 RT_ROLE,
00934 i_rc_tid,
00935 i_rc_tid,
00936 RI_def_user_create_type,
00937 &i_rc_item_val1,
00938 NULL)))
00939 {
00940 rsbac_rc_ds_get_error("rsbac_adf_request_rc()",
00941 RI_def_user_create_type);
00942 return(-RSBAC_EREADFAILED);
00943 }
00944 switch(i_rc_item_val1.type_id)
00945 {
00946 case RC_type_no_create:
00947 return(NOT_GRANTED);
00948
00949 case RC_type_use_new_role_def_create:
00950
00951 #ifdef CONFIG_RSBAC_RMSG
00952 rsbac_printk(KERN_WARNING
00953 "rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_user_create_type of role %i!\n",
00954 i_attr_val1.rc_role);
00955 #endif
00956 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00957 if (!rsbac_nosyslog)
00958 #endif
00959 printk(KERN_WARNING
00960 "rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_user_create_type of role %i!\n",
00961 i_attr_val1.rc_role);
00962 return(NOT_GRANTED);
00963
00964 case RC_type_inherit_parent:
00965 case RC_type_inherit_process:
00966
00967 #ifdef CONFIG_RSBAC_RMSG
00968 rsbac_printk(KERN_WARNING
00969 "rsbac_adf_request_rc(): invalid type inherit_parent in def_user_create_type of role %i!\n",
00970 i_attr_val1.rc_role);
00971 #endif
00972 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00973 if (!rsbac_nosyslog)
00974 #endif
00975 printk(KERN_WARNING
00976 "rsbac_adf_request_rc(): invalid type inherit_parent in def_user_create_type of role %i!\n",
00977 i_attr_val1.rc_role);
00978 return(NOT_GRANTED);
00979
00980 default:
00981
00982
00983 i_rc_subtid.type = i_rc_item_val1.type_id;
00984 if(rsbac_rc_check_comp(i_attr_val1.rc_role,
00985 i_rc_subtid,
00986 RI_type_comp_user,
00987 R_CREATE))
00988 return(GRANTED);
00989 else
00990 {
00991 #ifdef CONFIG_RSBAC_RMSG
00992 rsbac_printk(KERN_WARNING
00993 "rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_user_create_type %i -> NOT_GRANTED!\n",
00994 i_attr_val1.rc_role, i_rc_item_val1.type_id);
00995 #endif
00996 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00997 if (!rsbac_nosyslog)
00998 #endif
00999 printk(KERN_WARNING
01000 "rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_user_create_type %i -> NOT_GRANTED!\n",
01001 i_attr_val1.rc_role, i_rc_item_val1.type_id);
01002 return(NOT_GRANTED);
01003 }
01004 }
01005
01006 case T_GROUP:
01007
01008
01009 i_tid.process = caller_pid;
01010 if ((err=rsbac_get_attr(RC, T_PROCESS,
01011 i_tid,
01012 A_rc_role,
01013 &i_attr_val1,
01014 FALSE)))
01015 {
01016 rsbac_ds_get_error("rsbac_adf_request_rc", A_rc_role);
01017 return(NOT_GRANTED);
01018 }
01019
01020 i_rc_tid.role = i_attr_val1.rc_role;
01021 if ((err=rsbac_rc_get_item(0,
01022 RT_ROLE,
01023 i_rc_tid,
01024 i_rc_tid,
01025 RI_def_group_create_type,
01026 &i_rc_item_val1,
01027 NULL)))
01028 {
01029 rsbac_rc_ds_get_error("rsbac_adf_request_rc()",
01030 RI_def_group_create_type);
01031 return(-RSBAC_EREADFAILED);
01032 }
01033 switch(i_rc_item_val1.type_id)
01034 {
01035 case RC_type_no_create:
01036 return(NOT_GRANTED);
01037
01038 case RC_type_use_new_role_def_create:
01039
01040 #ifdef CONFIG_RSBAC_RMSG
01041 rsbac_printk(KERN_WARNING
01042 "rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_group_create_type of role %i!\n",
01043 i_attr_val1.rc_role);
01044 #endif
01045 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01046 if (!rsbac_nosyslog)
01047 #endif
01048 printk(KERN_WARNING
01049 "rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_group_create_type of role %i!\n",
01050 i_attr_val1.rc_role);
01051 return(NOT_GRANTED);
01052
01053 case RC_type_inherit_parent:
01054 case RC_type_inherit_process:
01055
01056 #ifdef CONFIG_RSBAC_RMSG
01057 rsbac_printk(KERN_WARNING
01058 "rsbac_adf_request_rc(): invalid type inherit_parent in def_group_create_type of role %i!\n",
01059 i_attr_val1.rc_role);
01060 #endif
01061 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01062 if (!rsbac_nosyslog)
01063 #endif
01064 printk(KERN_WARNING
01065 "rsbac_adf_request_rc(): invalid type inherit_parent in def_group_create_type of role %i!\n",
01066 i_attr_val1.rc_role);
01067 return(NOT_GRANTED);
01068
01069 default:
01070
01071
01072 i_rc_subtid.type = i_rc_item_val1.type_id;
01073 if(rsbac_rc_check_comp(i_attr_val1.rc_role,
01074 i_rc_subtid,
01075 RI_type_comp_group,
01076 R_CREATE))
01077 return(GRANTED);
01078 else
01079 {
01080 #ifdef CONFIG_RSBAC_RMSG
01081 rsbac_printk(KERN_WARNING
01082 "rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_group_create_type %i -> NOT_GRANTED!\n",
01083 i_attr_val1.rc_role, i_rc_item_val1.type_id);
01084 #endif
01085 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01086 if (!rsbac_nosyslog)
01087 #endif
01088 printk(KERN_WARNING
01089 "rsbac_adf_request_rc(): rc_role %i has no CREATE right on its def_group_create_type %i -> NOT_GRANTED!\n",
01090 i_attr_val1.rc_role, i_rc_item_val1.type_id);
01091 return(NOT_GRANTED);
01092 }
01093 }
01094 #endif
01095
01096 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
01097 case T_NETTEMP:
01098
01099 i_tid.process = caller_pid;
01100 if ((err=rsbac_get_attr(RC,
01101 T_PROCESS,
01102 i_tid,
01103 A_rc_role,
01104 &i_attr_val1,
01105 FALSE)))
01106 {
01107 rsbac_ds_get_error("rsbac_adf_request_rc", A_rc_role);
01108 return(NOT_GRANTED);
01109 }
01110
01111 i_rc_subtid.type = RSBAC_RC_GENERAL_TYPE;
01112 if(rsbac_rc_check_comp(i_attr_val1.rc_role,
01113 i_rc_subtid,
01114 RI_type_comp_nettemp,
01115 request))
01116 return(GRANTED);
01117 else
01118 {
01119 #ifdef CONFIG_RSBAC_DEBUG
01120 if(rsbac_debug_adf_rc)
01121 {
01122 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01123
01124 if(tmp)
01125 {
01126 #ifdef CONFIG_RSBAC_RMSG
01127 rsbac_printk(KERN_DEBUG
01128 "rsbac_adf_request_rc(): rc_role is %i, rc_nettemp_type is %i, request is CREATE -> NOT_GRANTED!\n",
01129 i_attr_val1.rc_role, RSBAC_RC_GENERAL_TYPE);
01130 #endif
01131 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01132 if (!rsbac_nosyslog)
01133 #endif
01134 printk(KERN_DEBUG
01135 "rsbac_adf_request_rc(): rc_role is %i, rc_nettemp_type is %i, request is CREATE -> NOT_GRANTED!\n",
01136 i_attr_val1.rc_role, RSBAC_RC_GENERAL_TYPE);
01137 rsbac_kfree(tmp);
01138 }
01139 }
01140 #endif
01141 return(NOT_GRANTED);
01142 }
01143
01144 case T_NETOBJ:
01145
01146 return(check_comp_rc(target, tid, request, caller_pid));
01147 #endif
01148
01149
01150 default: return(DO_NOT_CARE);
01151 }
01152
01153 case R_DELETE:
01154 switch(target)
01155 {
01156 case T_FILE:
01157 case T_DIR:
01158 case T_FIFO:
01159 case T_SYMLINK:
01160 case T_IPC:
01161 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
01162 case T_NETTEMP:
01163 case T_NETOBJ:
01164 #endif
01165 #if defined(CONFIG_RSBAC_RC_UM_PROT)
01166 case T_USER:
01167 case T_GROUP:
01168 #endif
01169 return(check_comp_rc(target, tid, request, caller_pid));
01170
01171
01172 default: return(DO_NOT_CARE);
01173 }
01174
01175 case R_EXECUTE:
01176 switch(target)
01177 {
01178 case T_FILE:
01179
01180 if ((err=rsbac_get_attr(RC, T_PROCESS,
01181 tid,
01182 A_rc_role,
01183 &i_attr_val1,
01184 FALSE)))
01185 {
01186 rsbac_ds_get_error("rsbac_adf_request_rc", A_rc_role);
01187 return(-RSBAC_EREADFAILED);
01188 }
01189
01190 i_rc_tid.role = i_attr_val1.rc_role;
01191 if ((err=rsbac_rc_get_item(0,
01192 RT_ROLE,
01193 i_rc_tid,
01194 i_rc_tid,
01195 RI_def_process_execute_type,
01196 &i_rc_item_val1,
01197 NULL)))
01198 {
01199 rsbac_rc_ds_get_error("rsbac_adf_request_rc()",
01200 RI_def_process_execute_type);
01201 return(-RSBAC_EREADFAILED);
01202 }
01203 if(i_rc_item_val1.type_id == RC_type_no_execute)
01204 return(NOT_GRANTED);
01205 else
01206 return(check_comp_rc(target, tid, request, caller_pid));
01207
01208
01209 default:
01210 return(DO_NOT_CARE);
01211 }
01212
01213 case R_GET_PERMISSIONS_DATA:
01214 switch(target)
01215 {
01216 case T_SCD:
01217 return(check_comp_rc_scd(tid.scd, request, caller_pid));
01218 case T_FILE:
01219 case T_DIR:
01220 case T_FIFO:
01221 case T_SYMLINK:
01222 case T_IPC:
01223 #if defined(CONFIG_RSBAC_RC_UM_PROT)
01224 case T_USER:
01225 case T_GROUP:
01226 #endif
01227 return(check_comp_rc(target, tid, request, caller_pid));
01228
01229 #if defined(CONFIG_RSBAC_RC_NET_DEV_PROT)
01230 case T_NETDEV:
01231 return(check_comp_rc(target, tid, request, caller_pid));
01232 #endif
01233
01234 default:
01235 return(DO_NOT_CARE);
01236 };
01237
01238 case R_GET_STATUS_DATA:
01239 switch(target)
01240 {
01241 case T_SCD:
01242 return(check_comp_rc_scd(tid.scd, request, caller_pid));
01243 case T_FILE:
01244 case T_DIR:
01245 case T_FIFO:
01246 case T_SYMLINK:
01247 case T_IPC:
01248 case T_PROCESS:
01249 #if defined(CONFIG_RSBAC_RC_UM_PROT)
01250 case T_USER:
01251 case T_GROUP:
01252 #endif
01253 return(check_comp_rc(target, tid, request, caller_pid));
01254
01255 #if defined(CONFIG_RSBAC_RC_NET_DEV_PROT)
01256 case T_NETDEV:
01257 return(check_comp_rc(target, tid, request, caller_pid));
01258 #endif
01259
01260 default:
01261 return(DO_NOT_CARE);
01262 };
01263
01264 case R_LINK_HARD:
01265 switch(target)
01266 {
01267 case T_FILE:
01268 case T_FIFO:
01269 case T_SYMLINK:
01270 return(check_comp_rc(target, tid, request, caller_pid));
01271
01272
01273 default: return(DO_NOT_CARE);
01274 }
01275
01276 case R_MAP_EXEC:
01277 switch(target)
01278 {
01279 case T_FILE:
01280 return(check_comp_rc(target, tid, request, caller_pid));
01281
01282
01283 default:
01284 return(DO_NOT_CARE);
01285 }
01286
01287 case R_MODIFY_ACCESS_DATA:
01288 switch(target)
01289 {
01290 case T_FILE:
01291 case T_DIR:
01292 case T_FIFO:
01293 case T_SYMLINK:
01294 return(check_comp_rc(target, tid, request, caller_pid));
01295
01296
01297 default: return(DO_NOT_CARE);
01298 }
01299
01300 case R_MODIFY_ATTRIBUTE:
01301 switch(attr)
01302 {
01303 case A_owner:
01304 return(NOT_GRANTED);
01305 case A_rc_type:
01306 case A_rc_type_fd:
01307 case A_rc_type_nt:
01308
01309 result = check_comp_rc(target, tid, request, caller_pid);
01310 if( (result == GRANTED)
01311 || (result == DO_NOT_CARE)
01312 )
01313 {
01314
01315 result = rsbac_rc_check_type_comp(target, attr_val.rc_type, RCR_ASSIGN, caller_pid);
01316 if( (result == GRANTED)
01317 || (result == DO_NOT_CARE)
01318 )
01319 return result;
01320 }
01321
01322 if ((err=rsbac_rc_test_role_admin(TRUE)))
01323 return(NOT_GRANTED);
01324 else
01325 return(GRANTED);
01326
01327 case A_rc_force_role:
01328 case A_rc_initial_role:
01329 case A_rc_role:
01330 case A_rc_def_role:
01331
01332 result = check_comp_rc(target, tid, request, caller_pid);
01333 if( (result == GRANTED)
01334 || (result == DO_NOT_CARE)
01335 )
01336 {
01337
01338 if (!(err=rsbac_rc_test_assign_roles(target, tid, attr, attr_val.rc_role)))
01339 return(GRANTED);
01340 }
01341
01342 if (rsbac_rc_test_role_admin(TRUE))
01343 return(NOT_GRANTED);
01344 else
01345 return(GRANTED);
01346
01347
01348 case A_pseudo:
01349 if(target != T_USER)
01350 return UNDEFINED;
01351
01352 if (rsbac_rc_test_assign_roles(target, tid, A_rc_def_role, RC_role_inherit_user))
01353 return(NOT_GRANTED);
01354 else
01355 return(GRANTED);
01356
01357 #ifdef CONFIG_RSBAC_RC_GEN_PROT
01358 case A_log_array_low:
01359 case A_log_array_high:
01360 case A_log_program_based:
01361 case A_log_user_based:
01362 case A_symlink_add_uid:
01363 case A_symlink_add_rc_role:
01364 case A_linux_dac_disable:
01365 case A_fake_root_uid:
01366 case A_audit_uid:
01367 case A_auid_exempt:
01368
01369 result = check_comp_rc(target, tid, request, caller_pid);
01370 if( (result == GRANTED)
01371 || (result == DO_NOT_CARE)
01372 )
01373 return result;
01374
01375 if (rsbac_rc_test_role_admin(TRUE))
01376 return(NOT_GRANTED);
01377 else
01378 return(GRANTED);
01379 #endif
01380
01381
01382 case A_none:
01383 switch(target)
01384 {
01385 case T_USER:
01386
01387 if ((err=rsbac_rc_test_assign_roles(target, tid, A_rc_def_role, RC_role_inherit_user)))
01388 return(NOT_GRANTED);
01389 else
01390 return(GRANTED);
01391
01392 default:
01393
01394 return(check_comp_rc(target, tid, request, caller_pid));
01395 }
01396
01397 #ifdef CONFIG_RSBAC_RC_AUTH_PROT
01398 case A_auth_may_setuid:
01399 case A_auth_may_set_cap:
01400 case A_auth_start_uid:
01401 case A_auth_program_file:
01402 case A_auth_learn:
01403 case A_auth_add_f_cap:
01404 case A_auth_remove_f_cap:
01405
01406 result = check_comp_rc_scd(RST_auth_administration, request, caller_pid);
01407 if( (result == GRANTED)
01408 || (result == DO_NOT_CARE)
01409 )
01410 {
01411
01412 result = check_comp_rc(target, tid, RCR_MODIFY_AUTH, caller_pid);
01413 if( (result == GRANTED)
01414 || (result == DO_NOT_CARE)
01415 )
01416 return result;
01417 }
01418
01419 if ((err=rsbac_rc_test_role_admin(TRUE)))
01420 return(NOT_GRANTED);
01421 else
01422 return(GRANTED);
01423 #endif
01424
01425 default:
01426 return(DO_NOT_CARE);
01427 }
01428
01429 case R_MODIFY_PERMISSIONS_DATA:
01430 switch(target)
01431 {
01432 case T_FILE:
01433 case T_DIR:
01434 case T_FIFO:
01435 case T_SYMLINK:
01436 case T_IPC:
01437 #if defined(CONFIG_RSBAC_RC_UM_PROT)
01438 case T_USER:
01439 case T_GROUP:
01440 #endif
01441 return(check_comp_rc(target, tid, request, caller_pid));
01442
01443 case T_SCD:
01444 return(check_comp_rc_scd(tid.scd, request, caller_pid));
01445
01446 #ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE
01447 case T_NONE:
01448
01449 return(check_comp_rc_scd(ST_other, request, caller_pid));
01450 #endif
01451
01452
01453 default: return(DO_NOT_CARE);
01454 }
01455
01456 case R_MODIFY_SYSTEM_DATA:
01457 switch(target)
01458 {
01459 case T_SCD:
01460 return(check_comp_rc_scd(tid.scd, request, caller_pid));
01461
01462 #if defined(CONFIG_RSBAC_RC_NET_DEV_PROT)
01463 case T_NETDEV:
01464 return(check_comp_rc(target, tid, request, caller_pid));
01465 #endif
01466
01467
01468 default: return(DO_NOT_CARE);
01469 }
01470
01471 case R_MOUNT:
01472 switch(target)
01473 {
01474 case T_FILE:
01475 case T_DIR:
01476 case T_DEV:
01477 return(check_comp_rc(target, tid, request, caller_pid));
01478
01479
01480 default: return(DO_NOT_CARE);
01481 }
01482
01483 case R_READ:
01484 case R_WRITE:
01485 switch(target)
01486 {
01487 case T_DIR:
01488 #ifdef CONFIG_RSBAC_RW
01489 case T_FILE:
01490 case T_FIFO:
01491 case T_DEV:
01492 #endif
01493 #if defined(CONFIG_RSBAC_RC_UM_PROT)
01494 case T_USER:
01495 case T_GROUP:
01496 #endif
01497 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
01498 #if defined(CONFIG_RSBAC_NET_OBJ_RW)
01499 case T_NETTEMP:
01500 #endif
01501 #endif
01502 return(check_comp_rc(target, tid, request, caller_pid));
01503
01504 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
01505 #if defined(CONFIG_RSBAC_NET_OBJ_RW)
01506 case T_NETOBJ:
01507 #if defined(CONFIG_RSBAC_RC_NET_OBJ_UNIX_PROCESS)
01508 if( tid.netobj.sock_p
01509 && tid.netobj.sock_p->ops
01510 && (tid.netobj.sock_p->ops->family == AF_UNIX)
01511 && tid.netobj.sock_p->sk
01512 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01513 && tid.netobj.sock_p->sk->sk_peercred.pid
01514 #else
01515 && tid.netobj.sock_p->sk->peercred.pid
01516 #endif
01517 )
01518 {
01519 enum rsbac_adf_req_ret_t tmp_result;
01520
01521 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01522 i_tid.process = tid.netobj.sock_p->sk->sk_peercred.pid;
01523 #else
01524 i_tid.process = tid.netobj.sock_p->sk->peercred.pid;
01525 #endif
01526 if(request == R_READ)
01527 tmp_result = check_comp_rc(T_PROCESS, i_tid, R_RECEIVE, caller_pid);
01528 else
01529 tmp_result = check_comp_rc(T_PROCESS, i_tid, R_SEND, caller_pid);
01530 if( (tmp_result == NOT_GRANTED)
01531 || (tmp_result == UNDEFINED)
01532 )
01533 return tmp_result;
01534 }
01535 #endif
01536 return(check_comp_rc(target, tid, request, caller_pid));
01537 #endif
01538 #endif
01539
01540
01541 default: return(DO_NOT_CARE);
01542 }
01543
01544 case R_READ_ATTRIBUTE:
01545 switch(attr)
01546 {
01547 case A_rc_type:
01548 case A_rc_type_fd:
01549 case A_rc_type_nt:
01550 case A_rc_force_role:
01551 case A_rc_initial_role:
01552 case A_rc_role:
01553 case A_rc_def_role:
01554 case A_pseudo:
01555 #ifdef CONFIG_RSBAC_RC_GEN_PROT
01556 case A_owner:
01557 case A_log_array_low:
01558 case A_log_array_high:
01559 case A_log_program_based:
01560 case A_log_user_based:
01561 case A_symlink_add_uid:
01562 case A_symlink_add_rc_role:
01563 case A_linux_dac_disable:
01564 case A_fake_root_uid:
01565 case A_audit_uid:
01566 case A_auid_exempt:
01567 #endif
01568
01569 result = check_comp_rc(target, tid, request, caller_pid);
01570 if( (result == GRANTED)
01571 || (result == DO_NOT_CARE)
01572 )
01573 return result;
01574
01575 if (rsbac_rc_test_role_admin(FALSE))
01576 return(NOT_GRANTED);
01577 else
01578 return(GRANTED);
01579
01580 #ifdef CONFIG_RSBAC_RC_AUTH_PROT
01581 case A_auth_may_setuid:
01582 case A_auth_may_set_cap:
01583 case A_auth_start_uid:
01584 case A_auth_program_file:
01585 case A_auth_learn:
01586 case A_auth_add_f_cap:
01587 case A_auth_remove_f_cap:
01588
01589 result = check_comp_rc_scd(RST_auth_administration, request, caller_pid);
01590 if( (result == GRANTED)
01591 || (result == DO_NOT_CARE)
01592 )
01593 return result;
01594
01595 if (rsbac_rc_test_role_admin(FALSE))
01596 return(NOT_GRANTED);
01597 else
01598 return(GRANTED);
01599 #endif
01600
01601 default:
01602 return(DO_NOT_CARE);
01603 }
01604
01605 case R_READ_OPEN:
01606 switch(target)
01607 {
01608 case T_FILE:
01609 case T_DIR:
01610 case T_FIFO:
01611 case T_DEV:
01612 case T_IPC:
01613 return(check_comp_rc(target, tid, request, caller_pid));
01614
01615
01616 default: return(DO_NOT_CARE);
01617 }
01618
01619 case R_REMOVE_FROM_KERNEL:
01620 switch(target)
01621 {
01622 case T_NONE:
01623 return(check_comp_rc_scd(ST_other, request, caller_pid));
01624
01625
01626 default: return(DO_NOT_CARE);
01627 }
01628
01629 case R_RENAME:
01630 switch(target)
01631 {
01632 case T_FILE:
01633 case T_DIR:
01634 case T_FIFO:
01635 case T_SYMLINK:
01636 #if defined(CONFIG_RSBAC_RC_UM_PROT)
01637 case T_USER:
01638 case T_GROUP:
01639 #endif
01640 return(check_comp_rc(target, tid, request, caller_pid));
01641
01642
01643 default: return(DO_NOT_CARE);
01644 }
01645
01646 case R_SEARCH:
01647 switch(target)
01648 {
01649 case T_DIR:
01650 case T_SYMLINK:
01651 #if defined(CONFIG_RSBAC_RC_UM_PROT)
01652 case T_USER:
01653 case T_GROUP:
01654 #endif
01655 return(check_comp_rc(target, tid, request, caller_pid));
01656
01657
01658 default: return(DO_NOT_CARE);
01659 }
01660
01661 case R_SEND_SIGNAL:
01662 case R_TRACE:
01663 if (target == T_PROCESS)
01664 return(check_comp_rc(target, tid, request, caller_pid));
01665 else
01666 return(DO_NOT_CARE);
01667
01668 case R_SHUTDOWN:
01669 switch(target)
01670 {
01671 case T_NONE:
01672 return(check_comp_rc_scd(ST_other, request, caller_pid));
01673
01674
01675 default: return(DO_NOT_CARE);
01676 }
01677
01678 case R_SWITCH_LOG:
01679 switch(target)
01680 {
01681 case T_NONE:
01682 return(check_comp_rc_scd(ST_other, request, caller_pid));
01683
01684
01685 default: return(DO_NOT_CARE);
01686 }
01687
01688 case R_SWITCH_MODULE:
01689 switch(target)
01690 {
01691 case T_NONE:
01692
01693 if(attr != A_switch_target)
01694 return(UNDEFINED);
01695
01696 if( (attr_val.switch_target != RC)
01697 #ifdef CONFIG_RSBAC_SOFTMODE
01698 && (attr_val.switch_target != SOFTMODE)
01699 #endif
01700 #ifdef CONFIG_RSBAC_FREEZE
01701 && (attr_val.switch_target != FREEZE)
01702 #endif
01703 #ifdef CONFIG_RSBAC_RC_AUTH_PROT
01704 && (attr_val.switch_target != AUTH)
01705 #endif
01706 )
01707 return(DO_NOT_CARE);
01708 return(check_comp_rc_scd(ST_other, request, caller_pid));
01709
01710
01711 default: return(DO_NOT_CARE);
01712 }
01713
01714 case R_TERMINATE:
01715 if (target == T_PROCESS)
01716 return(DO_NOT_CARE);
01717 else
01718 return(DO_NOT_CARE);
01719
01720 case R_TRUNCATE:
01721 switch(target)
01722 {
01723 case T_FILE:
01724 return(check_comp_rc(target, tid, request, caller_pid));
01725
01726
01727 default: return(DO_NOT_CARE);
01728 }
01729
01730 case R_WRITE_OPEN:
01731 switch(target)
01732 {
01733 case T_FILE:
01734 case T_DEV:
01735 case T_FIFO:
01736 case T_IPC:
01737 return(check_comp_rc(target, tid, request, caller_pid));
01738
01739
01740 default: return(DO_NOT_CARE);
01741 }
01742
01743 case R_UMOUNT:
01744 switch(target)
01745 {
01746 case T_FILE:
01747 case T_DIR:
01748 case T_DEV:
01749 return(check_comp_rc(target, tid, request, caller_pid));
01750
01751
01752 default: return(DO_NOT_CARE);
01753 }
01754
01755
01756 #if defined(CONFIG_RSBAC_NET)
01757 case R_BIND:
01758 switch(target)
01759 {
01760 #if defined(CONFIG_RSBAC_RC_NET_DEV_PROT)
01761 case T_NETDEV:
01762 return(check_comp_rc(target, tid, request, caller_pid));
01763 #endif
01764
01765 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
01766 case T_NETOBJ:
01767 return(check_comp_rc(target, tid, request, caller_pid));
01768 #endif
01769
01770
01771 default: return(DO_NOT_CARE);
01772 }
01773 #endif
01774
01775 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
01776 case R_LISTEN:
01777 case R_NET_SHUTDOWN:
01778 switch(target)
01779 {
01780 case T_NETOBJ:
01781 return(check_comp_rc(target, tid, request, caller_pid));
01782
01783
01784 default: return(DO_NOT_CARE);
01785 }
01786 case R_ACCEPT:
01787 case R_CONNECT:
01788 case R_SEND:
01789 case R_RECEIVE:
01790 switch(target)
01791 {
01792 case T_NETOBJ:
01793 #if defined(CONFIG_RSBAC_RC_NET_OBJ_UNIX_PROCESS)
01794 if( tid.netobj.sock_p
01795 && tid.netobj.sock_p->ops
01796 && (tid.netobj.sock_p->ops->family == AF_UNIX)
01797 && tid.netobj.sock_p->sk
01798 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01799 && tid.netobj.sock_p->sk->sk_peercred.pid
01800 #else
01801 && tid.netobj.sock_p->sk->peercred.pid
01802 #endif
01803 )
01804 {
01805 enum rsbac_adf_req_ret_t tmp_result;
01806
01807 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01808 i_tid.process = tid.netobj.sock_p->sk->sk_peercred.pid;
01809 #else
01810 i_tid.process = tid.netobj.sock_p->sk->peercred.pid;
01811 #endif
01812 tmp_result = check_comp_rc(T_PROCESS, i_tid, request, caller_pid);
01813 if( (tmp_result == NOT_GRANTED)
01814 || (tmp_result == UNDEFINED)
01815 )
01816 return tmp_result;
01817 }
01818 #endif
01819
01820 return(check_comp_rc(target, tid, request, caller_pid));
01821
01822
01823 default: return(DO_NOT_CARE);
01824 }
01825 #endif
01826
01827
01828 default: return DO_NOT_CARE;
01829 }
01830
01831 return(result);
01832 };
01833
01834
01835
01836
01837
01838
01839
01840
01841
01842
01843
01844
01845
01846 int rsbac_adf_set_attr_rc(
01847 enum rsbac_adf_request_t request,
01848 rsbac_pid_t caller_pid,
01849 enum rsbac_target_t target,
01850 union rsbac_target_id_t tid,
01851 enum rsbac_target_t new_target,
01852 union rsbac_target_id_t new_tid,
01853 enum rsbac_attribute_t attr,
01854 union rsbac_attribute_value_t attr_val,
01855 rsbac_uid_t owner)
01856 {
01857 int err;
01858 union rsbac_target_id_t i_tid;
01859 union rsbac_attribute_value_t i_attr_val1;
01860 union rsbac_attribute_value_t i_attr_val2;
01861 union rsbac_rc_target_id_t i_rc_tid;
01862 union rsbac_rc_target_id_t i_rc_subtid;
01863 union rsbac_rc_item_value_t i_rc_item_val1;
01864
01865 switch (request)
01866 {
01867 case R_CHANGE_OWNER:
01868 switch (target)
01869 {
01870 case T_PROCESS:
01871
01872
01873
01874 if(attr != A_owner)
01875 return(-RSBAC_EINVALIDATTR);
01876
01877
01878 i_tid.process = caller_pid;
01879 if ((err=rsbac_get_attr(RC, T_PROCESS,
01880 i_tid,
01881 A_rc_role,
01882 &i_attr_val1,
01883 TRUE)))
01884 {
01885 rsbac_ds_get_error("rsbac_adf_set_attr_rc", A_rc_role);
01886 return(-RSBAC_EREADFAILED);
01887 }
01888
01889 i_rc_tid.role = i_attr_val1.rc_role;
01890 if ((err=rsbac_rc_get_item(0,
01891 RT_ROLE,
01892 i_rc_tid,
01893 i_rc_tid,
01894 RI_def_process_chown_type,
01895 &i_rc_item_val1,
01896 NULL)))
01897 {
01898 rsbac_rc_ds_get_error("rsbac_adf_set_attr_rc()",
01899 RI_def_process_chown_type);
01900 return(-RSBAC_EREADFAILED);
01901 }
01902
01903
01904 i_tid.process = caller_pid;
01905 if ((err=rsbac_get_attr(RC, T_PROCESS,
01906 i_tid,
01907 A_rc_force_role,
01908 &i_attr_val1,
01909 TRUE)))
01910 {
01911 rsbac_ds_get_error("rsbac_adf_set_attr_rc", A_rc_force_role);
01912 return(-RSBAC_EREADFAILED);
01913 }
01914
01915 if( (i_attr_val1.rc_force_role == RC_role_inherit_user)
01916 || (i_attr_val1.rc_force_role == RC_role_inherit_up_mixed)
01917 )
01918 {
01919
01920 i_tid.user = attr_val.owner;
01921 if ((err=rsbac_get_attr(RC, T_USER,
01922 i_tid,
01923 A_rc_def_role,
01924 &i_attr_val1,
01925 TRUE)))
01926 {
01927 rsbac_ds_get_error("rsbac_adf_set_attr_rc", A_rc_def_role);
01928 return(-RSBAC_EREADFAILED);
01929 }
01930
01931 if(i_attr_val1.rc_def_role > RC_role_max_value)
01932 {
01933 #ifdef CONFIG_RSBAC_RMSG
01934 rsbac_printk(KERN_WARNING
01935 "rsbac_adf_set_attr_rc(): rc_def_role %u of user %u is higher than MAX_ROLE %u, setting role of process %u to GENERAL_ROLE %u!\n",
01936 i_attr_val1.rc_def_role, attr_val.owner, RC_role_max_value, caller_pid, RSBAC_RC_GENERAL_ROLE);
01937 #endif
01938 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
01939 if (!rsbac_nosyslog)
01940 #endif
01941 printk(KERN_WARNING
01942 "rsbac_adf_set_attr_rc(): rc_def_role %u of user %u is higher than MAX_ROLE %u, setting role of process %u to GENERAL_ROLE %u!\n",
01943 i_attr_val1.rc_def_role, attr_val.owner, RC_role_max_value, caller_pid, RSBAC_RC_GENERAL_ROLE);
01944 i_attr_val1.rc_def_role = RSBAC_RC_GENERAL_ROLE;
01945 }
01946
01947 i_tid.process = caller_pid;
01948 if ((err=rsbac_set_attr(RC, T_PROCESS,
01949 i_tid,
01950 A_rc_role,
01951 i_attr_val1)))
01952 {
01953 rsbac_ds_set_error("rsbac_adf_set_attr_rc", A_rc_role);
01954 return(-RSBAC_EWRITEFAILED);
01955 }
01956 }
01957 else
01958 if( (i_attr_val1.rc_force_role <= RC_role_max_value)
01959 )
01960 {
01961
01962 i_tid.process = caller_pid;
01963 if ((err=rsbac_set_attr(RC, T_PROCESS,
01964 i_tid,
01965 A_rc_role,
01966 i_attr_val1)))
01967 {
01968 rsbac_ds_set_error("rsbac_adf_set_attr_rc", A_rc_role);
01969 return(-RSBAC_EWRITEFAILED);
01970 }
01971 }
01972
01973
01974 switch(i_rc_item_val1.type_id)
01975 {
01976 case RC_type_inherit_parent:
01977 case RC_type_inherit_process:
01978
01979 break;
01980 case RC_type_use_new_role_def_create:
01981
01982 if(i_attr_val1.rc_role > RC_role_max_value)
01983 break;
01984
01985 i_rc_tid.role = i_attr_val1.rc_role;
01986 if ((err=rsbac_rc_get_item(0,
01987 RT_ROLE,
01988 i_rc_tid,
01989 i_rc_tid,
01990 RI_def_process_create_type,
01991 &i_rc_item_val1,
01992 NULL)))
01993 {
01994 rsbac_rc_ds_get_error("rsbac_adf_set_attr_rc()",
01995 RI_def_process_create_type);
01996 return(-RSBAC_EREADFAILED);
01997 }
01998 switch(i_rc_item_val1.type_id)
01999 {
02000 case RC_type_inherit_parent:
02001 case RC_type_inherit_process:
02002
02003 break;
02004 case RC_type_use_new_role_def_create:
02005
02006 #ifdef CONFIG_RSBAC_RMSG
02007 rsbac_printk(KERN_WARNING
02008 "rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_process_create_type of role %i!\n",
02009 i_attr_val1.rc_role);
02010 #endif
02011 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02012 if (!rsbac_nosyslog)
02013 #endif
02014 printk(KERN_WARNING
02015 "rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_process_create_type of role %i!\n",
02016 i_attr_val1.rc_role);
02017 break;
02018 case RC_type_no_create:
02019
02020 i_rc_item_val1.type_id = RSBAC_RC_GENERAL_TYPE;
02021
02022 default:
02023
02024 i_attr_val1.rc_type = i_rc_item_val1.type_id;
02025 if ((err=rsbac_set_attr(RC, T_PROCESS,
02026 i_tid,
02027 A_rc_type,
02028 i_attr_val1)))
02029 {
02030 rsbac_ds_set_error("rsbac_adf_set_attr_rc", A_rc_type);
02031 return(-RSBAC_EWRITEFAILED);
02032 }
02033 }
02034 break;
02035 case RC_type_no_create:
02036 case RC_type_no_chown:
02037
02038 i_rc_item_val1.type_id = RSBAC_RC_GENERAL_TYPE;
02039
02040 default:
02041
02042 i_attr_val1.rc_type = i_rc_item_val1.type_id;
02043 if ((err=rsbac_set_attr(RC, T_PROCESS,
02044 i_tid,
02045 A_rc_type,
02046 i_attr_val1)))
02047 {
02048 rsbac_ds_set_error("rsbac_adf_set_attr_rc", A_rc_type);
02049 return(-RSBAC_EWRITEFAILED);
02050 }
02051 }
02052
02053 return(0);
02054
02055
02056 default:
02057 return(0);
02058 }
02059
02060 case R_CLONE:
02061 if (target == T_PROCESS)
02062 {
02063
02064 if ((err=rsbac_get_attr(RC, T_PROCESS,
02065 tid,
02066 A_rc_role,
02067 &i_attr_val1,
02068 FALSE)))
02069 {
02070 rsbac_ds_get_error("rsbac_adf_set_attr_rc", A_rc_role);
02071 return(-RSBAC_EREADFAILED);
02072 }
02073
02074
02075 if ((err=rsbac_get_attr(RC, T_PROCESS,
02076 tid,
02077 A_rc_force_role,
02078 &i_attr_val2,
02079 FALSE)))
02080 {
02081 rsbac_ds_get_error("rsbac_adf_set_attr_rc", A_rc_force_role);
02082 return(-RSBAC_EREADFAILED);
02083 }
02084
02085
02086 if ((err=rsbac_set_attr(RC, T_PROCESS,
02087 new_tid,
02088 A_rc_role,
02089 i_attr_val1)))
02090 {
02091 rsbac_ds_set_error("rsbac_adf_set_attr_rc", A_rc_role);
02092 return(-RSBAC_EWRITEFAILED);
02093 }
02094
02095
02096 if ((err=rsbac_set_attr(RC, T_PROCESS,
02097 new_tid,
02098 A_rc_force_role,
02099 i_attr_val2)))
02100 {
02101 rsbac_ds_set_error("rsbac_adf_set_attr_rc", A_rc_force_role);
02102 return(-RSBAC_EWRITEFAILED);
02103 }
02104
02105
02106 i_rc_tid.role = i_attr_val1.rc_role;
02107 if ((err=rsbac_rc_get_item(0,
02108 RT_ROLE,
02109 i_rc_tid,
02110 i_rc_tid,
02111 RI_def_process_create_type,
02112 &i_rc_item_val1,
02113 NULL)))
02114 {
02115 rsbac_rc_ds_get_error("rsbac_adf_set_attr_rc()",
02116 RI_def_process_create_type);
02117 return(-RSBAC_EREADFAILED);
02118 }
02119 switch(i_rc_item_val1.type_id)
02120 {
02121 case RC_type_inherit_parent:
02122 case RC_type_inherit_process:
02123
02124
02125 if ((err=rsbac_get_attr(RC, T_PROCESS,
02126 tid,
02127 A_rc_type,
02128 &i_attr_val1,
02129 FALSE)))
02130 {
02131 rsbac_ds_get_error("rsbac_adf_set_attr_rc", A_rc_type);
02132 return(-RSBAC_EREADFAILED);
02133 }
02134
02135 if ((err=rsbac_set_attr(RC, T_PROCESS,
02136 new_tid,
02137 A_rc_type,
02138 i_attr_val1)))
02139 {
02140 rsbac_ds_set_error("rsbac_adf_set_attr_rc", A_rc_type);
02141 return(-RSBAC_EWRITEFAILED);
02142 }
02143 break;
02144 case RC_type_no_create:
02145 return(-RSBAC_EDECISIONMISMATCH);
02146 case RC_type_use_new_role_def_create:
02147
02148 #ifdef CONFIG_RSBAC_RMSG
02149 rsbac_printk(KERN_WARNING
02150 "rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_process_create_type of role %i!\n",
02151 i_attr_val1.rc_role);
02152 #endif
02153 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02154 if (!rsbac_nosyslog)
02155 #endif
02156 printk(KERN_WARNING
02157 "rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_process_create_type of role %i!\n",
02158 i_attr_val1.rc_role);
02159 return(-RSBAC_EINVALIDVALUE);
02160 default:
02161
02162 i_attr_val1.rc_type = i_rc_item_val1.type_id;
02163 if ((err=rsbac_set_attr(RC, T_PROCESS,
02164 new_tid,
02165 A_rc_type,
02166 i_attr_val1)))
02167 {
02168 rsbac_ds_set_error("rsbac_adf_set_attr_rc", A_rc_type);
02169 return(-RSBAC_EWRITEFAILED);
02170 }
02171 }
02172 return(0);
02173 }
02174 else
02175 return(0);
02176
02177 case R_CREATE:
02178 switch(target)
02179 {
02180
02181 case T_DIR:
02182
02183
02184 i_tid.process = caller_pid;
02185 if ((err=rsbac_get_attr(RC, T_PROCESS,
02186 i_tid,
02187 A_rc_role,
02188 &i_attr_val1,
02189 FALSE)))
02190 {
02191 rsbac_ds_get_error("rsbac_adf_set_attr_rc", A_rc_role);
02192 return(-RSBAC_EREADFAILED);
02193 }
02194
02195
02196 if ((err=rsbac_get_attr(RC,
02197 target,
02198 tid,
02199 A_rc_type_fd,
02200 &i_attr_val2,
02201 TRUE)))
02202 {
02203 rsbac_ds_get_error("rsbac_adf_request_rc", A_rc_type_fd);
02204 return(NOT_GRANTED);
02205 }
02206 i_rc_tid.role = i_attr_val1.rc_role;
02207 i_rc_subtid.type = i_attr_val2.rc_type;
02208 if ((err=rsbac_rc_get_item(0,
02209 RT_ROLE,
02210 i_rc_tid,
02211 i_rc_subtid,
02212 RI_def_fd_ind_create_type,
02213 &i_rc_item_val1,
02214 NULL)))
02215 {
02216 if ((err=rsbac_rc_get_item(0,
02217 RT_ROLE,
02218 i_rc_tid,
02219 i_rc_subtid,
02220 RI_def_fd_create_type,
02221 &i_rc_item_val1,
02222 NULL)))
02223 {
02224 rsbac_rc_ds_get_error("rsbac_adf_set_attr_rc()",
02225 RI_def_fd_create_type);
02226 return(-RSBAC_EREADFAILED);
02227 }
02228 }
02229 switch(i_rc_item_val1.type_id)
02230 {
02231 case RC_type_no_create:
02232 return(-RSBAC_EDECISIONMISMATCH);
02233 break;
02234
02235 case RC_type_use_new_role_def_create:
02236 case RC_type_inherit_process:
02237
02238 #ifdef CONFIG_RSBAC_RMSG
02239 rsbac_printk(KERN_WARNING
02240 "rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_fd_create_type of role %i!\n",
02241 i_attr_val1.rc_role);
02242 #endif
02243 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02244 if (!rsbac_nosyslog)
02245 #endif
02246 printk(KERN_WARNING
02247 "rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_fd_create_type of role %i!\n",
02248 i_attr_val1.rc_role);
02249 return(-RSBAC_EINVALIDVALUE);
02250
02251 case RC_type_inherit_parent:
02252 default:
02253
02254 if ((err=rsbac_get_attr(RC, new_target,
02255 new_tid,
02256 A_rc_type_fd,
02257 &i_attr_val1,
02258 FALSE)))
02259 {
02260 rsbac_ds_get_error("rsbac_adf_set_attr_rc", A_rc_type_fd);
02261 return(-RSBAC_EREADFAILED);
02262 }
02263
02264 if(i_attr_val1.rc_type_fd != i_rc_item_val1.type_id)
02265 {
02266 i_attr_val1.rc_type_fd = i_rc_item_val1.type_id;
02267 if ((err=rsbac_set_attr(RC, new_target,
02268 new_tid,
02269 A_rc_type_fd,
02270 i_attr_val1)))
02271 {
02272 rsbac_ds_set_error("rsbac_adf_set_attr_rc", A_rc_type_fd);
02273 return(-RSBAC_EWRITEFAILED);
02274 }
02275 }
02276 }
02277 return(0);
02278
02279 case T_IPC:
02280
02281 i_tid.process = caller_pid;
02282 if ((err=rsbac_get_attr(RC, T_PROCESS,
02283 i_tid,
02284 A_rc_role,
02285 &i_attr_val1,
02286 FALSE)))
02287 {
02288 rsbac_ds_get_error("rsbac_adf_set_attr_rc", A_rc_role);
02289 return(-RSBAC_EREADFAILED);
02290 }
02291
02292 i_rc_tid.role = i_attr_val1.rc_role;
02293 if ((err=rsbac_rc_get_item(0,
02294 RT_ROLE,
02295 i_rc_tid,
02296 i_rc_tid,
02297 RI_def_ipc_create_type,
02298 &i_rc_item_val1,
02299 NULL)))
02300 {
02301 rsbac_rc_ds_get_error("rsbac_adf_set_attr_rc()",
02302 RI_def_ipc_create_type);
02303 return(-RSBAC_EREADFAILED);
02304 }
02305 switch(i_rc_item_val1.type_id)
02306 {
02307 case RC_type_no_create:
02308 return(-RSBAC_EDECISIONMISMATCH);
02309 break;
02310
02311 case RC_type_use_new_role_def_create:
02312
02313 #ifdef CONFIG_RSBAC_RMSG
02314 rsbac_printk(KERN_WARNING
02315 "rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_ipc_create_type of role %i!\n",
02316 i_attr_val1.rc_role);
02317 #endif
02318 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02319 if (!rsbac_nosyslog)
02320 #endif
02321 printk(KERN_WARNING
02322 "rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_ipc_create_type of role %i!\n",
02323 i_attr_val1.rc_role);
02324 return(-RSBAC_EINVALIDVALUE);
02325
02326 case RC_type_inherit_parent:
02327 case RC_type_inherit_process:
02328
02329 #ifdef CONFIG_RSBAC_RMSG
02330 rsbac_printk(KERN_WARNING
02331 "rsbac_adf_set_attr_rc(): invalid type inherit_parent in def_ipc_create_type of role %i!\n",
02332 i_attr_val1.rc_role);
02333 #endif
02334 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02335 if (!rsbac_nosyslog)
02336 #endif
02337 printk(KERN_WARNING
02338 "rsbac_adf_set_attr_rc(): invalid type inherit_parent in def_ipc_create_type of role %i!\n",
02339 i_attr_val1.rc_role);
02340 return(-RSBAC_EINVALIDVALUE);
02341
02342 default:
02343
02344 i_attr_val1.rc_type = i_rc_item_val1.type_id;
02345
02346 if ((err=rsbac_get_attr(RC,
02347 target,
02348 tid,
02349 A_rc_type,
02350 &i_attr_val2,
02351 FALSE)))
02352 {
02353 rsbac_ds_get_error("rsbac_adf_set_attr_rc", A_rc_type);
02354 return(-RSBAC_EREADFAILED);
02355 }
02356
02357 if(i_attr_val1.rc_type != i_attr_val2.rc_type)
02358 {
02359 if ((err=rsbac_set_attr(RC, target,
02360 tid,
02361 A_rc_type,
02362 i_attr_val1)))
02363 {
02364 rsbac_ds_set_error("rsbac_adf_set_attr_rc", A_rc_type);
02365 return(-RSBAC_EWRITEFAILED);
02366 }
02367 }
02368 }
02369 return(0);
02370
02371
02372 default:
02373 return(0);
02374 }
02375
02376 case R_EXECUTE:
02377 switch(target)
02378 {
02379 case T_FILE:
02380
02381 if ((err=rsbac_get_attr(RC, T_FILE,
02382 tid,
02383 A_rc_force_role,
02384 &i_attr_val1,
02385 TRUE)))
02386 {
02387 rsbac_ds_get_error("rsbac_adf_set_attr_rc", A_rc_force_role);
02388 return(-RSBAC_EREADFAILED);
02389 }
02390
02391 if( (i_attr_val1.rc_force_role > RC_role_max_value)
02392 && (i_attr_val1.rc_force_role < RC_role_min_special)
02393 )
02394 {
02395 #ifdef CONFIG_RSBAC_RMSG
02396 rsbac_printk(KERN_WARNING
02397 "rsbac_adf_set_attr_rc(): rc_force_role %u of file %u on device %02u:%02u is higher than MAX_ROLE %u, setting forced role of process %u to default value %u!\n",
02398 i_attr_val1.rc_force_role, tid.file.inode,
02399 MAJOR(tid.file.device), MINOR(tid.file.device),
02400 RC_role_max_value, caller_pid, RC_default_root_dir_force_role);
02401 #endif
02402 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02403 if (!rsbac_nosyslog)
02404 #endif
02405 printk(KERN_WARNING
02406 "rsbac_adf_set_attr_rc(): rc_force_role %u of file %u on device %02u:%02u is higher than MAX_ROLE %u, setting forced role of process %u to default value %u!\n",
02407 i_attr_val1.rc_force_role, tid.file.inode,
02408 MAJOR(tid.file.device), MINOR(tid.file.device),
02409 RC_role_max_value, caller_pid, RC_default_root_dir_force_role);
02410 i_attr_val1.rc_force_role = RC_default_root_dir_force_role;
02411 }
02412
02413 i_tid.process = caller_pid;
02414 if ((err=rsbac_set_attr(RC, T_PROCESS,
02415 i_tid,
02416 A_rc_force_role,
02417 i_attr_val1)))
02418 {
02419 rsbac_ds_set_error("rsbac_adf_set_attr_rc", A_rc_force_role);
02420 return(-RSBAC_EWRITEFAILED);
02421 }
02422
02423 if ((err=rsbac_get_attr(RC, T_FILE,
02424 tid,
02425 A_rc_initial_role,
02426 &i_attr_val2,
02427 TRUE)))
02428 {
02429 rsbac_ds_get_error("rsbac_adf_set_attr_rc", A_rc_initial_role);
02430 return(-RSBAC_EREADFAILED);
02431 }
02432
02433 if( (i_attr_val2.rc_initial_role > RC_role_max_value)
02434 && (i_attr_val2.rc_initial_role != RC_role_use_force_role)
02435 )
02436 {
02437 #ifdef CONFIG_RSBAC_RMSG
02438 rsbac_printk(KERN_WARNING
02439 "rsbac_adf_set_attr_rc(): rc_initial_role %u of file %u on device %02u:%02u is higher than MAX_ROLE %u, setting initial role of process %u to default value %u!\n",
02440 i_attr_val2.rc_initial_role, tid.file.inode,
02441 MAJOR(tid.file.device), MINOR(tid.file.device),
02442 RC_role_max_value, caller_pid, RC_default_root_dir_initial_role);
02443 #endif
02444 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02445 if (!rsbac_nosyslog)
02446 #endif
02447 printk(KERN_WARNING
02448 "rsbac_adf_set_attr_rc(): rc_initial_role %u of file %u on device %02u:%02u is higher than MAX_ROLE %u, setting initial role of process %u to default value %u!\n",
02449 i_attr_val2.rc_initial_role, tid.file.inode,
02450 MAJOR(tid.file.device), MINOR(tid.file.device),
02451 RC_role_max_value, caller_pid, RC_default_root_dir_initial_role);
02452 i_attr_val2.rc_initial_role = RC_default_root_dir_initial_role;
02453 }
02454 if(i_attr_val2.rc_initial_role == RC_role_use_force_role)
02455 {
02456 switch(i_attr_val1.rc_force_role)
02457 {
02458 case RC_role_inherit_user:
02459
02460 i_tid.user = owner;
02461 if ((err=rsbac_get_attr(RC, T_USER,
02462 i_tid,
02463 A_rc_def_role,
02464 &i_attr_val1,
02465 TRUE)))
02466 {
02467 rsbac_ds_get_error("rsbac_adf_set_attr_rc", A_rc_def_role);
02468 return(-RSBAC_EREADFAILED);
02469 }
02470
02471 i_tid.process = caller_pid;
02472 if ((err=rsbac_set_attr(RC, T_PROCESS,
02473 i_tid,
02474 A_rc_role,
02475 i_attr_val1)))
02476 {
02477 rsbac_ds_set_error("rsbac_adf_set_attr_rc", A_rc_role);
02478 return(-RSBAC_EWRITEFAILED);
02479 }
02480 break;
02481
02482 case RC_role_inherit_parent:
02483 case RC_role_inherit_process:
02484 case RC_role_inherit_up_mixed:
02485
02486 break;
02487
02488 default:
02489
02490 i_tid.process = caller_pid;
02491 if ((err=rsbac_set_attr(RC, T_PROCESS,
02492 i_tid,
02493 A_rc_role,
02494 i_attr_val1)))
02495 {
02496 rsbac_ds_set_error("rsbac_adf_set_attr_rc", A_rc_role);
02497 return(-RSBAC_EWRITEFAILED);
02498 }
02499 }
02500 }
02501 else
02502 {
02503
02504 i_tid.process = caller_pid;
02505 if ((err=rsbac_set_attr(RC, T_PROCESS,
02506 i_tid,
02507 A_rc_role,
02508 i_attr_val2)))
02509 {
02510 rsbac_ds_set_error("rsbac_adf_set_attr_rc", A_rc_role);
02511 return(-RSBAC_EWRITEFAILED);
02512 }
02513 }
02514
02515 i_tid.process = caller_pid;
02516 if ((err=rsbac_get_attr(RC, T_PROCESS,
02517 i_tid,
02518 A_rc_role,
02519 &i_attr_val1,
02520 FALSE)))
02521 {
02522 rsbac_ds_get_error("rsbac_adf_set_attr_rc", A_rc_role);
02523 return(-RSBAC_EREADFAILED);
02524 }
02525
02526 i_rc_tid.role = i_attr_val1.rc_role;
02527 if ((err=rsbac_rc_get_item(0,
02528 RT_ROLE,
02529 i_rc_tid,
02530 i_rc_tid,
02531 RI_def_process_execute_type,
02532 &i_rc_item_val1,
02533 NULL)))
02534 {
02535 rsbac_rc_ds_get_error("rsbac_adf_set_attr_rc()",
02536 RI_def_process_execute_type);
02537 return(-RSBAC_EREADFAILED);
02538 }
02539 switch(i_rc_item_val1.type_id)
02540 {
02541 case RC_type_no_create:
02542 case RC_type_use_new_role_def_create:
02543
02544 #ifdef CONFIG_RSBAC_RMSG
02545 rsbac_printk(KERN_WARNING
02546 "rsbac_adf_set_attr_rc(): invalid type in def_process_execute_type of role %i!\n",
02547 i_attr_val1.rc_role);
02548 #endif
02549 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
02550 if (!rsbac_nosyslog)
02551 #endif
02552 printk(KERN_WARNING
02553 "rsbac_adf_set_attr_rc(): invalid type in def_process_execute_type of role %i!\n",
02554 i_attr_val1.rc_role);
02555 return(-RSBAC_EINVALIDVALUE);
02556 case RC_type_inherit_parent:
02557 case RC_type_inherit_process:
02558 break;
02559 case RC_type_no_execute:
02560 return(-RSBAC_EDECISIONMISMATCH);
02561 default:
02562
02563 i_attr_val1.rc_type = i_rc_item_val1.type_id;
02564 if ((err=rsbac_set_attr(RC, T_PROCESS,
02565 i_tid,
02566 A_rc_type,
02567 i_attr_val1)))
02568 {
02569 rsbac_ds_set_error("rsbac_adf_set_attr_rc", A_rc_type);
02570 return(-RSBAC_EWRITEFAILED);
02571 }
02572 }
02573
02574 return(0);
02575
02576
02577 default:
02578 return(0);
02579 }
02580
02581
02582
02583 default: return(0);
02584 }
02585
02586 return(0);
02587 };
02588
02589
02590 #ifdef CONFIG_RSBAC_SECDEL
02591 rsbac_boolean_t rsbac_need_overwrite_rc(struct dentry * dentry_p)
02592 {
02593 int err = 0;
02594 union rsbac_target_id_t i_tid;
02595 union rsbac_attribute_value_t i_attr_val1;
02596 union rsbac_rc_target_id_t i_rc_tid;
02597 union rsbac_rc_item_value_t i_rc_item_val1;
02598
02599 if( !dentry_p
02600 || !dentry_p->d_inode)
02601 return FALSE;
02602
02603 i_tid.file.device = dentry_p->d_sb->s_dev;
02604 i_tid.file.inode = dentry_p->d_inode->i_ino;
02605 i_tid.file.dentry_p = dentry_p;
02606
02607 if (rsbac_get_attr(RC, T_FILE,
02608 i_tid,
02609 A_rc_type_fd,
02610 &i_attr_val1,
02611 TRUE))
02612 {
02613 rsbac_ds_get_error("rsbac_need_overwrite_rc", A_rc_type_fd);
02614 return FALSE;
02615 }
02616
02617 i_rc_tid.role = i_attr_val1.rc_role;
02618 if ((err=rsbac_rc_get_item(0,
02619 RT_TYPE,
02620 i_rc_tid,
02621 i_rc_tid,
02622 RI_type_fd_need_secdel,
02623 &i_rc_item_val1,
02624 NULL)))
02625 {
02626 rsbac_rc_ds_get_error("rsbac_need_overwrite_rc()",
02627 RI_type_fd_need_secdel);
02628 return(FALSE);
02629 }
02630
02631
02632 return(i_rc_item_val1.need_secdel);
02633 }
02634 #endif
02635
02636
