Main Page | Alphabetical List | Data Structures | Directories | File List | Data Fields | Globals | Search for 
daten / src / rsbac / linux-2.4.31-rsbac-v1.2.4 / include / rsbac

aci_data_structures.h

Go to the documentation of this file.
00001 /**************************************/
00002 /* Rule Set Based Access Control      */
00003 /* Author and (c) 1999-2005: Amon Ott */
00004 /* Data structures                    */
00005 /* Last modified: 31/Jan/2005         */
00006 /**************************************/
00007 
00008 #ifndef __RSBAC_DATA_STRUC_H
00009 #define __RSBAC_DATA_STRUC_H
00010 
00011 #ifdef __KERNEL__   /* only include in kernel code */
00012 #include <linux/types.h>
00013 #include <linux/fs.h>
00014 #include <linux/wait.h>
00015 #include <linux/interrupt.h>
00016 #include <asm/semaphore.h>
00017 #include <rsbac/types.h>
00018 #include <linux/spinlock.h>
00019 #include <rsbac/pm_types.h>
00020 #include <rsbac/rc_types.h>
00021 #include <rsbac/aci.h>
00022 #include <rsbac/debug.h>
00023 #include <rsbac/lists.h>
00024 #endif /* __KERNEL__ */
00025 
00026 /* First of all we define dirname and filenames for saving the ACIs to disk. */
00027 /* The path must be a valid single dir name! Each mounted device gets its    */
00028 /* own file set, residing in 'DEVICE_ROOT/RSBAC_ACI_PATH/'.                  */
00029 /* The FD filename gets a suffix for the list number (see RSBAC_NR_FD_LISTS),*/
00030 /* so we have RSBAC_NR_FD_LISTS files for file/dir ACI and one for user ACI. */
00031 /* The dynamic data structures for PM, RC and ACL are kept in their own files.*/
00032 /* All user access to these files will be denied.                            */
00033 /* Backups are kept in FILENAMEb.                                            */
00034 
00035 #ifdef __KERNEL__
00036 #define RSBAC_LOG_BUF_LEN (16384)
00037 
00038 #define RSBAC_ACI_PATH          "rsbac.dat"
00039 
00040 #define RSBAC_GEN_FD_NAME       "fd_gen."
00041 #define RSBAC_MAC_FD_NAME       "fd_mac."
00042 #define RSBAC_FC_FD_NAME        "fd_fc."
00043 #define RSBAC_SIM_FD_NAME       "fd_sim."
00044 #define RSBAC_PM_FD_NAME        "fd_pm."
00045 #define RSBAC_DAZ_FD_NAME       "fd_dazt."
00046 #define RSBAC_DAZ_SCANNED_FD_NAME "fd_dazs."
00047 #define RSBAC_FF_FD_NAME        "fd_ff."
00048 #define RSBAC_RC_FD_NAME        "fd_rc."
00049 #define RSBAC_AUTH_FD_NAME      "fd_auth."
00050 #define RSBAC_CAP_FD_NAME       "fd_cap."
00051 #define RSBAC_PAX_FD_NAME       "fd_pax."
00052 #define RSBAC_RES_FD_NAME       "fd_res."
00053 
00054 #define RSBAC_ACI_USER_NAME     "useraci"
00055 /* dir creation mode for discretionary access control: no rights*/
00056 #define RSBAC_ACI_DIR_MODE       (S_IFDIR)
00057 /* file creation mode for discretionary access control: rw for user only*/
00058 #define RSBAC_ACI_FILE_MODE      (S_IFREG | S_IRUSR | S_IWUSR)
00059 /* minimal mem chunk size available to try write_partial_fd_list, else defer */
00060 #define RSBAC_MIN_WRITE_FD_BUF_LEN 32768
00061 /* max size for write_chunks */
00062 #define RSBAC_MAX_WRITE_CHUNK ((1 << 15) - 1)
00063 
00064 /* Since we will use a simple hash function for file/dir aci, we define   */
00065 /* the table size here. WARNING: If this value is changed, aci data on    */
00066 /* disk may become invalid and should be converted explicitly using       */
00067 /* rsbac_change_nr kernel parameter on next boot!                         */
00068 /* To remain compliant with all file systems, this value should not       */
00069 /* exceed 100 (8.3 convention: 0-99 + b). */
00070 
00071 #define RSBAC_GEN_NR_FD_LISTS  8
00072 #define RSBAC_MAC_NR_FD_LISTS  32
00073 #define RSBAC_FC_NR_FD_LISTS   8
00074 #define RSBAC_SIM_NR_FD_LISTS  8
00075 #define RSBAC_PM_NR_FD_LISTS   16
00076 #define RSBAC_DAZ_NR_FD_LISTS   2
00077 #define RSBAC_DAZ_SCANNED_NR_FD_LISTS 32
00078 #define RSBAC_FF_NR_FD_LISTS   8
00079 #define RSBAC_RC_NR_FD_LISTS   16
00080 #define RSBAC_AUTH_NR_FD_LISTS 2
00081 #define RSBAC_CAP_NR_FD_LISTS  4
00082 #define RSBAC_PAX_NR_FD_LISTS  2
00083 #define RSBAC_RES_NR_FD_LISTS  4
00084 
00085 #ifdef CONFIG_RSBAC_INIT_THREAD
00086 /* Check and set init timeout */
00087 #if CONFIG_RSBAC_MAX_INIT_TIME >= 5
00088 #define RSBAC_MAX_INIT_TIME CONFIG_RSBAC_MAX_INIT_TIME
00089 #else
00090 #define RSBAC_MAX_INIT_TIME 5
00091 #endif
00092 #endif /* INIT_THREAD */
00093 
00094 #endif /* __KERNEL__ */
00095 
00096 /* The following structures privide attributes for all possible targets.  */
00097 /* The data structures are kept in double linked lists, and are optimized */
00098 /* by hash functions.                                                     */
00099 
00100 /* Only ATTRIBUTES are saved in those structures, that are saved to disk, */
00101 /* because saving sublists means breaking up the structures for every     */
00102 /* single list.                                                           */
00103 /* If a list of policy dependant items is to be stored, this is done in   */
00104 /* the policy dependant data structures. Here only an ID as a handle is   */
00105 /* supported.                                                             */
00106 
00107 /* OK, first we define the file/dir ACI, holding all file/dir information */
00108 /* the ADF needs for decisions.                                           */
00109 
00110 /* Caution: whenever ACI changes, version and old_version should be increased!            */
00111 
00112 #define RSBAC_GEN_FD_ACI_VERSION 6
00113 #define RSBAC_GEN_FD_ACI_KEY 1001
00114 struct rsbac_gen_fd_aci_t            
00115   {
00116     rsbac_log_array_t           log_array_low;    /* file/dir based logging, */
00117     rsbac_log_array_t           log_array_high;   /* high and low bits */
00118     rsbac_request_vector_t      log_program_based; /* Program based logging */
00119     rsbac_enum_t                symlink_add_uid;
00120     rsbac_enum_t                symlink_add_mac_level;
00121     rsbac_enum_t                symlink_add_rc_role;
00122     rsbac_enum_t                linux_dac_disable;
00123     rsbac_fake_root_uid_int_t   fake_root_uid;
00124     rsbac_uid_t                 auid_exempt;
00125   };
00126 #define DEFAULT_GEN_FD_ACI \
00127     { \
00128       .log_array_low = -1, \
00129       .log_array_high = -1, \
00130       .log_program_based = 0, \
00131       .symlink_add_uid = FALSE, \
00132       .symlink_add_mac_level = FALSE, \
00133       .symlink_add_rc_role = FALSE, \
00134       .linux_dac_disable = LDD_inherit, \
00135       .fake_root_uid = FR_off, \
00136       .auid_exempt = RSBAC_NO_USER, \
00137     }
00138 
00139 #define DEFAULT_GEN_ROOT_DIR_ACI \
00140     { \
00141       .log_array_low = -1, \
00142       .log_array_high = -1, \
00143       .log_program_based = 0, \
00144       .symlink_add_uid = FALSE, \
00145       .symlink_add_mac_level = FALSE, \
00146       .symlink_add_rc_role = FALSE, \
00147       .linux_dac_disable = LDD_false, \
00148       .fake_root_uid = FR_off, \
00149       .auid_exempt = RSBAC_NO_USER, \
00150     }
00151 
00152 #define RSBAC_GEN_FD_OLD_ACI_VERSION 5
00153 struct rsbac_gen_fd_old_aci_t            
00154   {
00155     rsbac_log_array_t           log_array_low;    /* file/dir based logging, */
00156     rsbac_log_array_t           log_array_high;   /* high and low bits */
00157     rsbac_request_vector_t      log_program_based; /* Program based logging */
00158     rsbac_enum_t                symlink_add_uid;
00159     rsbac_enum_t                symlink_add_mac_level;
00160     rsbac_enum_t                symlink_add_rc_role;
00161     rsbac_enum_t                linux_dac_disable;
00162     rsbac_fake_root_uid_int_t   fake_root_uid;
00163   };
00164 
00165 #define RSBAC_GEN_FD_OLD_OLD_ACI_VERSION 4
00166 struct rsbac_gen_fd_old_old_aci_t            
00167   {
00168     rsbac_log_array_t           log_array_low;    /* file/dir based logging, */
00169     rsbac_log_array_t           log_array_high;   /* high and low bits */
00170     rsbac_request_vector_t      log_program_based; /* Program based logging */
00171     rsbac_enum_t                symlink_add_uid;
00172     rsbac_enum_t                symlink_add_mac_level;
00173     rsbac_enum_t                symlink_add_rc_role;
00174     rsbac_enum_t                linux_dac_disable;
00175   };
00176 
00177 #define RSBAC_GEN_FD_OLD_OLD_OLD_ACI_VERSION 3
00178 struct rsbac_gen_fd_old_old_old_aci_t            
00179   {
00180     rsbac_log_array_t           log_array_low;    /* file/dir based logging, */
00181     rsbac_log_array_t           log_array_high;   /* high and low bits */
00182     rsbac_request_vector_t      log_program_based; /* Program based logging */
00183     rsbac_enum_t                symlink_add_uid;
00184     rsbac_enum_t                symlink_add_rc_role;
00185     rsbac_enum_t                linux_dac_disable;
00186   };
00187 
00188 #define RSBAC_GEN_FD_OLD_OLD_OLD_OLD_ACI_VERSION 2
00189 struct rsbac_gen_fd_old_old_old_old_aci_t            
00190   {
00191     rsbac_log_array_t           log_array_low;    /* file/dir based logging, */
00192     rsbac_log_array_t           log_array_high;   /* high and low bits */
00193     rsbac_request_vector_t      log_program_based; /* Program based logging */
00194     rsbac_enum_t                symlink_add_uid;
00195   };
00196 
00197 #define RSBAC_GEN_FD_OLD_OLD_OLD_OLD_OLD_ACI_VERSION 1
00198 struct rsbac_gen_fd_old_old_old_old_old_aci_t            
00199   {
00200     rsbac_log_array_t           log_array_low;    /* file/dir based logging, */
00201     rsbac_log_array_t           log_array_high;   /* high and low bits */
00202     rsbac_request_vector_t      log_program_based; /* Program based logging */
00203   };
00204 
00205 
00206 #if defined(CONFIG_RSBAC_MAC)
00207 #define RSBAC_MAC_FD_ACI_VERSION 5
00208 #define RSBAC_MAC_FD_ACI_KEY 1001
00209 struct rsbac_mac_fd_aci_t            
00210   {
00211     rsbac_security_level_t      sec_level;        /* MAC */
00212     rsbac_mac_category_vector_t mac_categories;   /* MAC category set */
00213     rsbac_mac_auto_int_t        mac_auto;         /* auto-adjust current level */
00214     rsbac_boolean_int_t         mac_prop_trusted; /* Keep trusted flag when executing this file */
00215     rsbac_mac_file_flags_t      mac_file_flags;   /* allow write_up, read_up etc. to it */
00216   };
00217 
00218 #define RSBAC_MAC_FD_OLD_ACI_VERSION 4
00219 struct rsbac_mac_fd_old_aci_t            
00220   {
00221     rsbac_security_level_t      sec_level;        /* MAC */
00222     rsbac_uid_t                 mac_trusted_for_user; /* MAC (for FILE only) */
00223     rsbac_mac_category_vector_t mac_categories;   /* MAC category set */
00224     rsbac_mac_auto_int_t        mac_auto;         /* auto-adjust current level */
00225     rsbac_boolean_int_t         mac_prop_trusted; /* Keep trusted flag when executing this file */
00226     rsbac_mac_file_flags_t      mac_file_flags;   /* allow write_up, read_up etc. to it */
00227   };
00228 
00229 #define RSBAC_MAC_FD_OLD_OLD_ACI_VERSION 3
00230 struct rsbac_mac_fd_old_old_aci_t            
00231   {
00232     rsbac_security_level_t      sec_level;        /* MAC */
00233     rsbac_uid_t                 mac_trusted_for_user; /* MAC (for FILE only) */
00234     rsbac_mac_category_vector_t mac_categories;   /* MAC category set */
00235     rsbac_mac_auto_int_t        mac_auto;         /* auto-adjust current level */
00236     rsbac_boolean_int_t         mac_prop_trusted; /* Keep trusted flag when executing this file */
00237     rsbac_boolean_int_t         mac_shared;       /* Shared dir, i.e., allow write_up to it */
00238   };
00239 
00240 #define RSBAC_MAC_FD_OLD_OLD_OLD_ACI_VERSION 2
00241 struct rsbac_mac_fd_old_old_old_aci_t            
00242   {
00243     rsbac_security_level_t      sec_level;        /* MAC */
00244     rsbac_uid_t                 mac_trusted_for_user; /* MAC (for FILE only) */
00245     rsbac_mac_category_vector_t mac_categories;   /* MAC category set */
00246     rsbac_mac_auto_int_t        mac_auto;         /* auto-adjust current level */
00247   };
00248 
00249 #define DEFAULT_MAC_FD_ACI_INH \
00250     { \
00251       .sec_level = SL_inherit, \
00252       .mac_categories = RSBAC_MAC_INHERIT_CAT_VECTOR, \
00253       .mac_auto = MA_inherit, \
00254       .mac_prop_trusted = FALSE, \
00255       .mac_file_flags = 0, \
00256     }
00257 #define DEFAULT_MAC_FD_ACI_NO_INH \
00258     { \
00259       .sec_level = SL_unclassified, \
00260       .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00261       .mac_auto = MA_yes, \
00262       .mac_prop_trusted = FALSE, \
00263       .mac_file_flags = 0, \
00264     }
00265 
00266 #ifdef CONFIG_RSBAC_MAC_DEF_INHERIT
00267 #define DEFAULT_MAC_FD_ACI DEFAULT_MAC_FD_ACI_INH
00268 #else
00269 #define DEFAULT_MAC_FD_ACI DEFAULT_MAC_FD_ACI_NO_INH
00270 #endif /* MAC_DEF_INHERIT */
00271 
00272 #define DEFAULT_MAC_ROOT_DIR_ACI \
00273     { \
00274       .sec_level = SL_unclassified, \
00275       .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00276       .mac_auto = MA_yes, \
00277       .mac_prop_trusted = FALSE, \
00278       .mac_file_flags = 0, \
00279     }
00280 #endif
00281 
00282 #if defined(CONFIG_RSBAC_FC)
00283 #define RSBAC_FC_FD_ACI_VERSION 1
00284 #define RSBAC_FC_FD_ACI_KEY 1001
00285 #endif
00286 
00287 #if defined(CONFIG_RSBAC_SIM)
00288 #define RSBAC_SIM_FD_ACI_VERSION 1
00289 #define RSBAC_SIM_FD_ACI_KEY 1001
00290 #endif
00291 
00292 #if defined(CONFIG_RSBAC_PM)
00293 #define RSBAC_PM_FD_ACI_VERSION 1
00294 #define RSBAC_PM_FD_ACI_KEY 1001
00295 struct rsbac_pm_fd_aci_t            
00296   {
00297     rsbac_pm_object_class_id_t  pm_object_class;  /* PM  */
00298     rsbac_pm_tp_id_t            pm_tp;            /* PM (for FILE only) */
00299     rsbac_pm_object_type_int_t  pm_object_type;   /* PM (enum rsbac_pm_object_type_t -> __u8) */
00300   };
00301 
00302 #define DEFAULT_PM_FD_ACI \
00303     { \
00304       .pm_object_class = 0, \
00305       .pm_tp = 0, \
00306       .pm_object_type = PO_none, \
00307     }
00308 #endif
00309 
00310 #if defined(CONFIG_RSBAC_DAZ)
00311 #define RSBAC_DAZ_FD_ACI_VERSION 1
00312 #define RSBAC_DAZ_FD_ACI_KEY 10535
00313 #define RSBAC_DAZ_CACHE_CLEANUP_INTERVAL 86400
00314 #define RSBAC_DAZ_SCANNED_FD_ACI_VERSION 1
00315 struct rsbac_daz_fd_aci_t            
00316   {
00317     rsbac_daz_scanner_t   daz_scanner;       /* DAZ (for FILE only) (boolean) */
00318   };
00319 
00320 #define DEFAULT_DAZ_FD_ACI \
00321     { \
00322       .daz_scanner = FALSE \
00323     }
00324 
00325 #define DEFAULT_DAZ_ROOT_DIR_ACI \
00326     { \
00327       .daz_scanner = FALSE \
00328     }
00329 #endif
00330 
00331 #if defined(CONFIG_RSBAC_FF)
00332 #define RSBAC_FF_FD_ACI_VERSION 1
00333 #define RSBAC_FF_FD_ACI_KEY 1001
00334 #endif
00335 
00336 #if defined(CONFIG_RSBAC_RC)
00337 #define RSBAC_RC_FD_ACI_VERSION 1
00338 #define RSBAC_RC_FD_ACI_KEY 1001
00339 struct rsbac_rc_fd_aci_t            
00340   {
00341     rsbac_rc_type_id_t          rc_type_fd;       /* RC */
00342     rsbac_rc_role_id_t          rc_force_role;    /* RC */
00343     rsbac_rc_role_id_t          rc_initial_role;  /* RC */
00344   };
00345 
00346 #define DEFAULT_RC_FD_ACI \
00347     { \
00348       .rc_type_fd = RC_type_inherit_parent, \
00349       .rc_force_role = RC_default_force_role, \
00350       .rc_initial_role = RC_default_initial_role, \
00351     }
00352 #define DEFAULT_RC_ROOT_DIR_ACI \
00353     { \
00354       .rc_type_fd = RSBAC_RC_GENERAL_TYPE, \
00355       .rc_force_role = RC_default_root_dir_force_role, \
00356       .rc_initial_role = RC_default_root_dir_initial_role, \
00357     }
00358 #endif
00359 
00360 #if defined(CONFIG_RSBAC_AUTH)
00361 #define RSBAC_AUTH_FD_ACI_VERSION 2
00362 #define RSBAC_AUTH_FD_OLD_ACI_VERSION 1
00363 #define RSBAC_AUTH_FD_ACI_KEY 1001
00364 struct rsbac_auth_fd_aci_t            
00365   {
00366     __u8                        auth_may_setuid;  /* AUTH (enum) */
00367     __u8                        auth_may_set_cap; /* AUTH (boolean) */
00368     __u8                        auth_learn;       /* AUTH (boolean) */
00369   };
00370 
00371 struct rsbac_auth_fd_old_aci_t            
00372   {
00373     __u8                        auth_may_setuid;  /* AUTH (boolean) */
00374     __u8                        auth_may_set_cap; /* AUTH (boolean) */
00375   };
00376 
00377 #define DEFAULT_AUTH_FD_ACI \
00378     { \
00379       .auth_may_setuid = FALSE, \
00380       .auth_may_set_cap = FALSE, \
00381       .auth_learn = FALSE, \
00382     }
00383 #endif
00384 
00385 #if defined(CONFIG_RSBAC_CAP)
00386 #define RSBAC_CAP_FD_ACI_VERSION 1
00387 #define RSBAC_CAP_FD_ACI_KEY 1001
00388 struct rsbac_cap_fd_aci_t            
00389   {
00390     rsbac_cap_vector_t          min_caps;      /* Program forced minimum Linux capabilities */
00391     rsbac_cap_vector_t          max_caps;      /* Program max Linux capabilities */
00392   };
00393 #define DEFAULT_CAP_FD_ACI \
00394     { \
00395       .min_caps = RSBAC_CAP_DEFAULT_MIN, \
00396       .max_caps = RSBAC_CAP_DEFAULT_MAX, \
00397     }
00398 #endif
00399 
00400 #if defined(CONFIG_RSBAC_PAX)
00401 #define RSBAC_PAX_FD_ACI_VERSION 1
00402 #define RSBAC_PAX_FD_ACI_KEY 100112
00403 #endif
00404 
00405 #if defined(CONFIG_RSBAC_RES)
00406 #define RSBAC_RES_FD_ACI_VERSION 1
00407 #define RSBAC_RES_FD_ACI_KEY 1002
00408 struct rsbac_res_fd_aci_t            
00409   {
00410     rsbac_res_array_t           res_min;
00411     rsbac_res_array_t           res_max;
00412   };
00413 #define DEFAULT_RES_FD_ACI \
00414     { \
00415       .res_min = { \
00416         RSBAC_RES_UNSET,           /* cpu time */ \
00417         RSBAC_RES_UNSET,           /* file size */ \
00418         RSBAC_RES_UNSET,           /* process data segment size */ \
00419         RSBAC_RES_UNSET,           /* stack size */ \
00420         RSBAC_RES_UNSET,           /* core dump size */ \
00421         RSBAC_RES_UNSET,           /* resident memory set size */ \
00422         RSBAC_RES_UNSET,           /* number of processes for this user */ \
00423         RSBAC_RES_UNSET,           /* number of files */ \
00424         RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
00425         RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
00426         RSBAC_RES_UNSET            /* maximum file locks */ \
00427       }, \
00428       .res_max = { \
00429         RSBAC_RES_UNSET,           /* cpu time */ \
00430         RSBAC_RES_UNSET,           /* file size */ \
00431         RSBAC_RES_UNSET,           /* process data segment size */ \
00432         RSBAC_RES_UNSET,           /* stack size */ \
00433         RSBAC_RES_UNSET,           /* core dump size */ \
00434         RSBAC_RES_UNSET,           /* resident memory set size */ \
00435         RSBAC_RES_UNSET,           /* number of processes for this user */ \
00436         RSBAC_RES_UNSET,           /* number of files */ \
00437         RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
00438         RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
00439         RSBAC_RES_UNSET            /* maximum file locks */ \
00440       } \
00441     }
00442 #endif
00443 
00444 #define RSBAC_FD_NR_ATTRIBUTES 32
00445 #define RSBAC_FD_ATTR_LIST { \
00446       A_security_level, \
00447       A_mac_categories, \
00448       A_mac_auto, \
00449       A_mac_prop_trusted, \
00450       A_mac_file_flags, \
00451       A_object_category, \
00452       A_data_type, \
00453       A_pm_object_class, \
00454       A_pm_tp, \
00455       A_pm_object_type, \
00456       A_daz_scanner, \
00457       A_ff_flags, \
00458       A_rc_type_fd, \
00459       A_rc_force_role, \
00460       A_rc_initial_role, \
00461       A_auth_may_setuid, \
00462       A_auth_may_set_cap, \
00463       A_auth_learn, \
00464       A_log_array_low, \
00465       A_log_array_high, \
00466       A_log_program_based, \
00467       A_symlink_add_uid, \
00468       A_symlink_add_mac_level, \
00469       A_symlink_add_rc_role, \
00470       A_linux_dac_disable, \
00471       A_min_caps, \
00472       A_max_caps, \
00473       A_res_min, \
00474       A_res_max, \
00475       A_pax_flags, \
00476       A_fake_root_uid, \
00477       A_auid_exempt \
00478       }
00479 
00480 #ifdef __KERNEL__
00481 struct rsbac_fd_list_handles_t
00482     {
00483       rsbac_list_handle_t gen[RSBAC_GEN_NR_FD_LISTS];
00484 #if defined(CONFIG_RSBAC_MAC)
00485       rsbac_list_handle_t mac[RSBAC_MAC_NR_FD_LISTS];
00486 #endif
00487 #if defined(CONFIG_RSBAC_FC)
00488       rsbac_list_handle_t fc[RSBAC_FC_NR_FD_LISTS];
00489 #endif
00490 #if defined(CONFIG_RSBAC_SIM)
00491       rsbac_list_handle_t sim[RSBAC_SIM_NR_FD_LISTS];
00492 #endif
00493 #if defined(CONFIG_RSBAC_PM)
00494       rsbac_list_handle_t pm[RSBAC_PM_NR_FD_LISTS];
00495 #endif
00496 #if defined(CONFIG_RSBAC_DAZ)
00497       rsbac_list_handle_t daz[RSBAC_DAZ_NR_FD_LISTS];
00498 #if defined(CONFIG_RSBAC_DAZ_CACHE)
00499       rsbac_list_handle_t dazs[RSBAC_DAZ_SCANNED_NR_FD_LISTS];
00500 #endif
00501 #endif
00502 #if defined(CONFIG_RSBAC_FF)
00503       rsbac_list_handle_t ff[RSBAC_FF_NR_FD_LISTS];
00504 #endif
00505 #if defined(CONFIG_RSBAC_RC)
00506       rsbac_list_handle_t rc[RSBAC_RC_NR_FD_LISTS];
00507 #endif
00508 #if defined(CONFIG_RSBAC_AUTH)
00509       rsbac_list_handle_t auth[RSBAC_AUTH_NR_FD_LISTS];
00510 #endif
00511 #if defined(CONFIG_RSBAC_CAP)
00512       rsbac_list_handle_t cap[RSBAC_CAP_NR_FD_LISTS];
00513 #endif
00514 #if defined(CONFIG_RSBAC_PAX)
00515       rsbac_list_handle_t pax[RSBAC_PAX_NR_FD_LISTS];
00516 #endif
00517 #if defined(CONFIG_RSBAC_RES)
00518       rsbac_list_handle_t res[RSBAC_RES_NR_FD_LISTS];
00519 #endif
00520     };
00521 
00522 /* The list of devices is also a double linked list, so we define list    */
00523 /* itedaz and a list head.                                                 */
00524 
00525 struct rsbac_device_list_item_t
00526     {
00527       kdev_t                              id;
00528       struct dentry                     * d_covers;
00529       u_int                               mount_count;
00530       struct rsbac_fd_list_handles_t      handles;
00531       struct dentry                     * rsbac_dir_dentry_p;
00532       struct super_block                * sb_p;
00533       rsbac_inode_nr_t                    rsbac_dir_inode;
00534       struct rsbac_device_list_item_t   * prev;
00535       struct rsbac_device_list_item_t   * next;
00536     };
00537     
00538 /* To provide consistency we use spinlocks for all list accesses. The     */
00539 /* 'curr' entry is used to avoid repeated lookups for the same item.       */    
00540     
00541 struct rsbac_device_list_head_t
00542     {
00543       struct rsbac_device_list_item_t * head;
00544       struct rsbac_device_list_item_t * tail;
00545       struct rsbac_device_list_item_t * curr;
00546       rwlock_t                          lock;
00547       u_int                             count;
00548     };
00549 
00550 #endif /* __KERNEL__ */
00551 
00552 /******************************/
00553 /* OK, now we define the block/char device ACI, holding all dev information */
00554 /* the ADF needs for decisions.                                           */
00555 
00556 #define RSBAC_GEN_ACI_DEV_NAME   "dev_gen"
00557 #define RSBAC_MAC_ACI_DEV_NAME   "dev_mac"
00558 #define RSBAC_FC_ACI_DEV_NAME    "dev_fc"
00559 #define RSBAC_SIM_ACI_DEV_NAME   "dev_sim"
00560 #define RSBAC_PM_ACI_DEV_NAME    "dev_pm"
00561 #define RSBAC_RC_ACI_DEV_NAME    "dev_rc"
00562 
00563 /* Caution: whenever ACI changes, version should be increased!            */
00564 
00565 #define RSBAC_GEN_DEV_ACI_VERSION 2
00566 #define RSBAC_GEN_DEV_OLD_ACI_VERSION 1
00567 #define RSBAC_GEN_DEV_ACI_KEY 1001
00568 
00569 struct rsbac_gen_dev_aci_t            
00570   {                                
00571            rsbac_log_array_t          log_array_low;   /* dev based logging, */
00572            rsbac_log_array_t          log_array_high;  /* high and low bits */
00573   };
00574 #define DEFAULT_GEN_DEV_ACI \
00575     { \
00576       .log_array_low = -1, \
00577       .log_array_high = -1, \
00578     }
00579 
00580 #if defined(CONFIG_RSBAC_MAC)
00581 #define RSBAC_MAC_DEV_ACI_VERSION 2
00582 #define RSBAC_MAC_DEV_OLD_ACI_VERSION 1
00583 #define RSBAC_MAC_DEV_ACI_KEY 1001
00584 struct rsbac_mac_dev_aci_t            
00585   {                                
00586            rsbac_security_level_t     sec_level;       /* MAC */
00587            rsbac_mac_category_vector_t mac_categories;   /* MAC category set */
00588            __u8                       mac_check;       /* MAC (boolean) */
00589   };
00590 #define DEFAULT_MAC_DEV_ACI \
00591     { \
00592       .sec_level = SL_unclassified, \
00593       .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00594       .mac_check = FALSE, \
00595     }
00596 #endif
00597 
00598 #if defined(CONFIG_RSBAC_FC)
00599 #define RSBAC_FC_DEV_ACI_VERSION 2
00600 #define RSBAC_FC_DEV_OLD_ACI_VERSION 1
00601 #define RSBAC_FC_DEV_ACI_KEY 1001
00602 #endif
00603 
00604 #if defined(CONFIG_RSBAC_SIM)
00605 #define RSBAC_SIM_DEV_ACI_VERSION 2
00606 #define RSBAC_SIM_DEV_OLD_ACI_VERSION 1
00607 #define RSBAC_SIM_DEV_ACI_KEY 1001
00608 #endif
00609 
00610 #if defined(CONFIG_RSBAC_PM)
00611 #define RSBAC_PM_DEV_ACI_VERSION 2
00612 #define RSBAC_PM_DEV_OLD_ACI_VERSION 1
00613 #define RSBAC_PM_DEV_ACI_KEY 1001
00614 struct rsbac_pm_dev_aci_t            
00615   {
00616     rsbac_pm_object_type_int_t pm_object_type;  /* PM (enum rsbac_pm_object_type_t) */
00617     rsbac_pm_object_class_id_t pm_object_class; /* dev only */
00618   };
00619 
00620 #define DEFAULT_PM_DEV_ACI \
00621     { \
00622       .pm_object_type = PO_none, \
00623       .pm_object_class = 0, \
00624     }
00625 #endif
00626 
00627 #if defined(CONFIG_RSBAC_RC)
00628 #define RSBAC_RC_DEV_ACI_VERSION 2
00629 #define RSBAC_RC_DEV_OLD_ACI_VERSION 1
00630 #define RSBAC_RC_DEV_ACI_KEY 1001
00631 #endif
00632 
00633 #define RSBAC_DEV_NR_ATTRIBUTES 10
00634 #define RSBAC_DEV_ATTR_LIST { \
00635       A_security_level, \
00636       A_mac_categories, \
00637       A_object_category, \
00638       A_data_type, \
00639       A_mac_check, \
00640       A_pm_object_type, \
00641       A_pm_object_class, \
00642       A_rc_type, \
00643       A_log_array_low, \
00644       A_log_array_high \
00645       }
00646 
00647 #ifdef __KERNEL__
00648 struct rsbac_dev_handles_t
00649     {
00650       rsbac_list_handle_t gen;
00651 #if defined(CONFIG_RSBAC_MAC)
00652       rsbac_list_handle_t mac;
00653 #endif
00654 #if defined(CONFIG_RSBAC_FC)
00655       rsbac_list_handle_t fc;
00656 #endif
00657 #if defined(CONFIG_RSBAC_SIM)
00658       rsbac_list_handle_t sim;
00659 #endif
00660 #if defined(CONFIG_RSBAC_PM)
00661       rsbac_list_handle_t pm;
00662 #endif
00663 #if defined(CONFIG_RSBAC_RC)
00664       rsbac_list_handle_t rc;
00665 #endif
00666     };
00667 #endif /* __KERNEL__ */
00668 
00669 /**************************************************************************/
00670 /* Next we define the ipc ACI, holding all ipc information                */
00671 /* the ADF needs for decisions.                                           */
00672 
00673 #define RSBAC_MAC_ACI_IPC_NAME   "ipc_mac"
00674 #define RSBAC_FC_ACI_IPC_NAME    "ipc_fc"
00675 #define RSBAC_SIM_ACI_IPC_NAME   "ipc_sim"
00676 #define RSBAC_PM_ACI_IPC_NAME    "ipc_pm"
00677 #define RSBAC_RC_ACI_IPC_NAME    "ipc_rc"
00678 #define RSBAC_JAIL_ACI_IPC_NAME  "ipc_jai"
00679 
00680 #if defined(CONFIG_RSBAC_MAC)
00681 #define RSBAC_MAC_IPC_ACI_VERSION 1
00682 #define RSBAC_MAC_IPC_ACI_KEY 1001
00683 struct rsbac_mac_ipc_aci_t
00684     {
00685       rsbac_security_level_t     sec_level; /* enum old_rsbac_security_level_t / __u8 */
00686       rsbac_mac_category_vector_t mac_categories;   /* MAC category set */
00687     };
00688 #define DEFAULT_MAC_IPC_ACI \
00689     { \
00690       .sec_level = SL_unclassified, \
00691       .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00692     }
00693 #endif
00694 
00695 #if defined(CONFIG_RSBAC_FC)
00696 #define RSBAC_FC_IPC_ACI_VERSION 1
00697 #define RSBAC_FC_IPC_ACI_KEY 1001
00698 #endif
00699 
00700 #if defined(CONFIG_RSBAC_SIM)
00701 #define RSBAC_SIM_IPC_ACI_VERSION 1
00702 #define RSBAC_SIM_IPC_ACI_KEY 1001
00703 #endif
00704 
00705 #if defined(CONFIG_RSBAC_PM)
00706 #define RSBAC_PM_IPC_ACI_VERSION 1
00707 #define RSBAC_PM_IPC_ACI_KEY 1001
00708 struct rsbac_pm_ipc_aci_t
00709     {
00710       rsbac_pm_object_class_id_t pm_object_class; /* ipc only */
00711       rsbac_pm_purpose_id_t      pm_ipc_purpose;
00712       rsbac_pm_object_type_int_t pm_object_type; /* enum rsbac_pm_object_type_t */
00713     };
00714 #define DEFAULT_PM_IPC_ACI \
00715     { \
00716       .pm_object_class = RSBAC_PM_IPC_OBJECT_CLASS_ID, \
00717       .pm_ipc_purpose = 0, \
00718       .pm_object_type = PO_ipc, \
00719     }
00720 #endif
00721 
00722 #if defined(CONFIG_RSBAC_RC)
00723 #define RSBAC_RC_IPC_ACI_VERSION 1
00724 #define RSBAC_RC_IPC_ACI_KEY 1001
00725 #endif
00726 
00727 #if defined(CONFIG_RSBAC_JAIL)
00728 #define RSBAC_JAIL_IPC_ACI_VERSION 1
00729 #define RSBAC_JAIL_IPC_ACI_KEY 1001
00730 #endif
00731 
00732 #define RSBAC_IPC_NR_ATTRIBUTES 9
00733 #define RSBAC_IPC_ATTR_LIST { \
00734       A_security_level, \
00735       A_mac_categories, \
00736       A_object_category, \
00737       A_data_type, \
00738       A_pm_object_class, \
00739       A_pm_ipc_purpose, \
00740       A_pm_object_type, \
00741       A_rc_type, \
00742       A_jail_id \
00743       }
00744 
00745 #ifdef __KERNEL__
00746 struct rsbac_ipc_handles_t
00747     {
00748 #if defined(CONFIG_RSBAC_MAC)
00749       rsbac_list_handle_t mac;
00750 #endif
00751 #if defined(CONFIG_RSBAC_FC)
00752       rsbac_list_handle_t fc;
00753 #endif
00754 #if defined(CONFIG_RSBAC_SIM)
00755       rsbac_list_handle_t sim;
00756 #endif
00757 #if defined(CONFIG_RSBAC_PM)
00758       rsbac_list_handle_t pm;
00759 #endif
00760 #if defined(CONFIG_RSBAC_RC)
00761       rsbac_list_handle_t rc;
00762 #endif
00763 #if defined(CONFIG_RSBAC_JAIL)
00764       rsbac_list_handle_t jail;
00765 #endif
00766     };
00767 #endif /* __KERNEL__ */
00768 
00769 /*************************************/
00770 /* The user ACI holds all user information the ADF needs. */
00771 
00772 #define RSBAC_GEN_ACI_USER_NAME   "u_gen"
00773 #define RSBAC_MAC_ACI_USER_NAME   "u_mac"
00774 #define RSBAC_FC_ACI_USER_NAME    "u_fc"
00775 #define RSBAC_SIM_ACI_USER_NAME   "u_sim"
00776 #define RSBAC_PM_ACI_USER_NAME    "u_pm"
00777 #define RSBAC_DAZ_ACI_USER_NAME    "u_daz"
00778 #define RSBAC_FF_ACI_USER_NAME    "u_ff"
00779 #define RSBAC_RC_ACI_USER_NAME    "u_rc"
00780 #define RSBAC_AUTH_ACI_USER_NAME  "u_auth"
00781 #define RSBAC_CAP_ACI_USER_NAME   "u_cap"
00782 #define RSBAC_JAIL_ACI_USER_NAME  "u_jail"
00783 #define RSBAC_PAX_ACI_USER_NAME   "u_pax"
00784 #define RSBAC_RES_ACI_USER_NAME   "u_res"
00785 
00786 #define RSBAC_GEN_USER_ACI_VERSION 1
00787 #define RSBAC_GEN_USER_ACI_KEY 1001
00788 struct rsbac_gen_user_aci_t
00789     {
00790       rsbac_pseudo_t           pseudo;
00791       rsbac_request_vector_t   log_user_based; /* User based logging */
00792     };
00793 #define DEFAULT_GEN_U_ACI \
00794     { \
00795       .pseudo = (rsbac_pseudo_t) 0, \
00796       .log_user_based = 0, \
00797     }
00798 
00799 #if defined(CONFIG_RSBAC_MAC)
00800 #define RSBAC_MAC_USER_ACI_VERSION 4
00801 #define RSBAC_MAC_USER_OLD_ACI_VERSION 3
00802 #define RSBAC_MAC_USER_OLD_OLD_ACI_VERSION 2
00803 #define RSBAC_MAC_USER_OLD_OLD_OLD_ACI_VERSION 1
00804 #define RSBAC_MAC_USER_ACI_KEY 1001
00805 struct rsbac_mac_user_aci_t
00806     {
00807       rsbac_security_level_t      security_level;    /* maximum level */
00808       rsbac_security_level_t      initial_security_level;    /* maximum level */
00809       rsbac_security_level_t      min_security_level;    /* minimum level / __u8 */
00810       rsbac_mac_category_vector_t mac_categories;   /* MAC max category set */
00811       rsbac_mac_category_vector_t mac_initial_categories;   /* MAC max category set */
00812       rsbac_mac_category_vector_t mac_min_categories;   /* MAC min category set */
00813       rsbac_system_role_int_t     system_role;    /* enum rsbac_system_role_t */
00814       rsbac_mac_user_flags_t      mac_user_flags; /* flags (override, trusted, allow_auto etc.) */
00815     };
00816 struct rsbac_mac_user_old_aci_t
00817     {
00818       rsbac_security_level_t      access_appr;    /* maximum level */
00819       rsbac_security_level_t      min_access_appr;    /* minimum level / __u8 */
00820       rsbac_mac_category_vector_t mac_categories;   /* MAC max category set */
00821       rsbac_mac_category_vector_t mac_min_categories;   /* MAC min category set */
00822       rsbac_system_role_int_t     system_role;    /* enum rsbac_system_role_t */
00823       rsbac_boolean_int_t         mac_allow_auto; /* allow to auto-adjust current level */
00824     };
00825 struct rsbac_mac_user_old_old_aci_t
00826     {
00827       rsbac_security_level_t      access_appr;    /* maximum level */
00828       rsbac_security_level_t      min_access_appr;    /* minimum level / __u8 */
00829       rsbac_mac_category_vector_t mac_categories;   /* MAC max category set */
00830       rsbac_mac_category_vector_t mac_min_categories;   /* MAC min category set */
00831       rsbac_system_role_int_t     system_role;    /* enum rsbac_system_role_t */
00832     };
00833 struct rsbac_mac_user_old_old_old_aci_t
00834     {
00835       rsbac_security_level_t      access_appr;    /* enum old_rsbac_security_level_t / __u8 */
00836       rsbac_mac_category_vector_t mac_categories;   /* MAC category set */
00837       rsbac_system_role_int_t     system_role;    /* enum rsbac_system_role_t */
00838     };
00839 #define DEFAULT_MAC_U_ACI \
00840     { \
00841       .security_level = SL_unclassified, \
00842       .initial_security_level = SL_unclassified, \
00843       .min_security_level = SL_unclassified, \
00844       .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00845       .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00846       .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
00847       .system_role = SR_user, \
00848       .mac_user_flags = RSBAC_MAC_DEF_U_FLAGS, \
00849     }
00850 #define DEFAULT_MAC_U_SYSADM_ACI \
00851     { \
00852       .security_level = SL_unclassified, \
00853       .initial_security_level = SL_unclassified, \
00854       .min_security_level = SL_unclassified, \
00855       .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00856       .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00857       .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
00858       .system_role = SR_administrator, \
00859       .mac_user_flags = RSBAC_MAC_DEF_SYSADM_U_FLAGS, \
00860     }
00861 #define DEFAULT_MAC_U_SECOFF_ACI \
00862     { \
00863       .security_level = SL_unclassified, \
00864       .initial_security_level = SL_unclassified, \
00865       .min_security_level = SL_unclassified, \
00866       .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00867       .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00868       .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
00869       .system_role = SR_security_officer, \
00870       .mac_user_flags = RSBAC_MAC_DEF_SECOFF_U_FLAGS, \
00871     }
00872 #define DEFAULT_MAC_U_AUDITOR_ACI \
00873     { \
00874       .security_level = SL_unclassified, \
00875       .initial_security_level = SL_unclassified, \
00876       .min_security_level = SL_unclassified, \
00877       .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00878       .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
00879       .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
00880       .system_role = SR_auditor, \
00881       .mac_user_flags = RSBAC_MAC_DEF_U_FLAGS, \
00882     }
00883 #endif
00884 
00885 #if defined(CONFIG_RSBAC_FC)
00886 #define RSBAC_FC_USER_ACI_VERSION 1
00887 #define RSBAC_FC_USER_ACI_KEY 1001
00888 #endif
00889 
00890 #if defined(CONFIG_RSBAC_SIM)
00891 #define RSBAC_SIM_USER_ACI_VERSION 1
00892 #define RSBAC_SIM_USER_ACI_KEY 1001
00893 #endif
00894 
00895 #if defined(CONFIG_RSBAC_PM)
00896 #define RSBAC_PM_USER_ACI_VERSION 1
00897 #define RSBAC_PM_USER_ACI_KEY 1001
00898 struct rsbac_pm_user_aci_t
00899     {
00900       rsbac_pm_task_set_id_t   pm_task_set;
00901       rsbac_pm_role_int_t      pm_role;        /* enum rsbac_pm_role_t */
00902     };
00903 #define DEFAULT_PM_U_ACI \
00904     { \
00905       .pm_task_set = 0, \
00906       .pm_role = PR_user, \
00907     }
00908 #define DEFAULT_PM_U_SYSADM_ACI \
00909     { \
00910       .pm_task_set = 0, \
00911       .pm_role = PR_system_admin, \
00912     }
00913 #define DEFAULT_PM_U_SECOFF_ACI \
00914     { \
00915       .pm_task_set = 0, \
00916       .pm_role = PR_security_officer, \
00917     }
00918 #define DEFAULT_PM_U_DATAPROT_ACI \
00919     { \
00920       .pm_task_set = 0, \
00921       .pm_role = PR_data_protection_officer, \
00922     }
00923 #define DEFAULT_PM_U_TPMAN_ACI \
00924     { \
00925       .pm_task_set = 0, \
00926       .pm_role = PR_tp_manager, \
00927     }
00928 #endif
00929 
00930 #if defined(CONFIG_RSBAC_DAZ)
00931 #define RSBAC_DAZ_USER_ACI_VERSION 1
00932 #define RSBAC_DAZ_USER_ACI_KEY 1001
00933 #endif
00934 
00935 #if defined(CONFIG_RSBAC_FF)
00936 #define RSBAC_FF_USER_ACI_VERSION 1
00937 #define RSBAC_FF_USER_ACI_KEY 1001
00938 #endif
00939 
00940 #if defined(CONFIG_RSBAC_RC)
00941 #define RSBAC_RC_USER_ACI_VERSION 2
00942 #define RSBAC_RC_USER_OLD_ACI_VERSION 1
00943 #define RSBAC_RC_USER_ACI_KEY 1001
00944 struct rsbac_rc_user_aci_t
00945     {
00946       rsbac_rc_role_id_t          rc_role;
00947       rsbac_rc_type_id_t          rc_type;
00948     };
00949 #define DEFAULT_RC_U_ACI \
00950     { \
00951       .rc_role = RSBAC_RC_GENERAL_ROLE, \
00952       .rc_type = RSBAC_RC_GENERAL_TYPE, \
00953     }
00954 #define DEFAULT_RC_U_SYSADM_ACI \
00955     { \
00956       .rc_role = RSBAC_RC_SYSTEM_ADMIN_ROLE, /* rc_role (RC) */ \
00957       .rc_type = RSBAC_RC_SYS_TYPE, \
00958     }
00959 #define DEFAULT_RC_U_SECOFF_ACI \
00960     { \
00961       .rc_role = RSBAC_RC_ROLE_ADMIN_ROLE, /* rc_role (RC) */ \
00962       .rc_type = RSBAC_RC_SEC_TYPE, \
00963     }
00964 #define DEFAULT_RC_U_AUDITOR_ACI \
00965     { \
00966       .rc_role = RSBAC_RC_AUDITOR_ROLE, /* rc_role (RC) */ \
00967       .rc_type = RSBAC_RC_SEC_TYPE, \
00968     }
00969 #endif
00970 
00971 #if defined(CONFIG_RSBAC_AUTH)
00972 #define RSBAC_AUTH_USER_ACI_VERSION 1
00973 #define RSBAC_AUTH_USER_ACI_KEY 1001
00974 
00975 #endif /* AUTH */
00976 
00977 #if defined(CONFIG_RSBAC_CAP)
00978 #define RSBAC_CAP_USER_ACI_VERSION 1
00979 #define RSBAC_CAP_USER_ACI_KEY 1001
00980 struct rsbac_cap_user_aci_t            
00981   {
00982     rsbac_system_role_int_t     cap_role;      /* System role for CAP administration */
00983     rsbac_cap_vector_t          min_caps;      /* User forced minimum Linux capabilities */
00984     rsbac_cap_vector_t          max_caps;      /* User max Linux capabilities */
00985   };
00986 #define DEFAULT_CAP_U_ACI \
00987     { \
00988       .cap_role = SR_user, \
00989       .min_caps = RSBAC_CAP_DEFAULT_MIN, \
00990       .max_caps = RSBAC_CAP_DEFAULT_MAX, \
00991     }
00992 #define DEFAULT_CAP_U_SYSADM_ACI \
00993     { \
00994       .cap_role = SR_administrator, \
00995       .min_caps = RSBAC_CAP_DEFAULT_MIN, \
00996       .max_caps = RSBAC_CAP_DEFAULT_MAX, \
00997     }
00998 #define DEFAULT_CAP_U_SECOFF_ACI \
00999     { \
01000       .cap_role = SR_security_officer, \
01001       .min_caps = RSBAC_CAP_DEFAULT_MIN, \
01002       .max_caps = RSBAC_CAP_DEFAULT_MAX, \
01003     }
01004 #define DEFAULT_CAP_U_AUDITOR_ACI \
01005     { \
01006       .cap_role = SR_auditor, \
01007       .min_caps = RSBAC_CAP_DEFAULT_MIN, \
01008       .max_caps = RSBAC_CAP_DEFAULT_MAX, \
01009     }
01010 #endif
01011 
01012 #if defined(CONFIG_RSBAC_JAIL)
01013 #define RSBAC_JAIL_USER_ACI_VERSION 1
01014 #define RSBAC_JAIL_USER_ACI_KEY 1001
01015 #endif
01016 
01017 #if defined(CONFIG_RSBAC_PAX)
01018 #define RSBAC_PAX_USER_ACI_VERSION 1
01019 #define RSBAC_PAX_USER_ACI_KEY 1001221
01020 #endif
01021 
01022 #if defined(CONFIG_RSBAC_RES)
01023 #define RSBAC_RES_USER_ACI_VERSION 1
01024 #define RSBAC_RES_USER_ACI_KEY 1002
01025 struct rsbac_res_user_aci_t            
01026   {
01027     rsbac_system_role_int_t     res_role;          /* System role for RES administration */
01028     rsbac_res_array_t           res_min;
01029     rsbac_res_array_t           res_max;
01030   };
01031 #define DEFAULT_RES_U_ACI \
01032     { \
01033       .res_role = SR_user, \
01034       .res_min = { \
01035         RSBAC_RES_UNSET,           /* cpu time */ \
01036         RSBAC_RES_UNSET,           /* file size */ \
01037         RSBAC_RES_UNSET,           /* process data segment size */ \
01038         RSBAC_RES_UNSET,           /* stack size */ \
01039         RSBAC_RES_UNSET,           /* core dump size */ \
01040         RSBAC_RES_UNSET,           /* resident memory set size */ \
01041         RSBAC_RES_UNSET,           /* number of processes for this user */ \
01042         RSBAC_RES_UNSET,           /* number of files */ \
01043         RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
01044         RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
01045         RSBAC_RES_UNSET            /* maximum file locks */ \
01046       }, \
01047       .res_max = { \
01048         RSBAC_RES_UNSET,           /* cpu time */ \
01049         RSBAC_RES_UNSET,           /* file size */ \
01050         RSBAC_RES_UNSET,           /* process data segment size */ \
01051         RSBAC_RES_UNSET,           /* stack size */ \
01052         RSBAC_RES_UNSET,           /* core dump size */ \
01053         RSBAC_RES_UNSET,           /* resident memory set size */ \
01054         RSBAC_RES_UNSET,           /* number of processes for this user */ \
01055         RSBAC_RES_UNSET,           /* number of files */ \
01056         RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
01057         RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
01058         RSBAC_RES_UNSET            /* maximum file locks */ \
01059       }, \
01060     }
01061 #define DEFAULT_RES_U_SYSADM_ACI \
01062     { \
01063       .res_role = SR_administrator, \
01064       .res_min = { \
01065         RSBAC_RES_UNSET,           /* cpu time */ \
01066         RSBAC_RES_UNSET,           /* file size */ \
01067         RSBAC_RES_UNSET,           /* process data segment size */ \
01068         RSBAC_RES_UNSET,           /* stack size */ \
01069         RSBAC_RES_UNSET,           /* core dump size */ \
01070         RSBAC_RES_UNSET,           /* resident memory set size */ \
01071         RSBAC_RES_UNSET,           /* number of processes for this user */ \
01072         RSBAC_RES_UNSET,           /* number of files */ \
01073         RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
01074         RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
01075         RSBAC_RES_UNSET            /* maximum file locks */ \
01076       }, \
01077       .res_max = { \
01078         RSBAC_RES_UNSET,           /* cpu time */ \
01079         RSBAC_RES_UNSET,           /* file size */ \
01080         RSBAC_RES_UNSET,           /* process data segment size */ \
01081         RSBAC_RES_UNSET,           /* stack size */ \
01082         RSBAC_RES_UNSET,           /* core dump size */ \
01083         RSBAC_RES_UNSET,           /* resident memory set size */ \
01084         RSBAC_RES_UNSET,           /* number of processes for this user */ \
01085         RSBAC_RES_UNSET,           /* number of files */ \
01086         RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
01087         RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
01088         RSBAC_RES_UNSET            /* maximum file locks */ \
01089       } \
01090     }
01091 #define DEFAULT_RES_U_SECOFF_ACI \
01092     { \
01093       .res_role = SR_security_officer, \
01094       .res_min = { \
01095         RSBAC_RES_UNSET,           /* cpu time */ \
01096         RSBAC_RES_UNSET,           /* file size */ \
01097         RSBAC_RES_UNSET,           /* process data segment size */ \
01098         RSBAC_RES_UNSET,           /* stack size */ \
01099         RSBAC_RES_UNSET,           /* core dump size */ \
01100         RSBAC_RES_UNSET,           /* resident memory set size */ \
01101         RSBAC_RES_UNSET,           /* number of processes for this user */ \
01102         RSBAC_RES_UNSET,           /* number of files */ \
01103         RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
01104         RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
01105         RSBAC_RES_UNSET            /* maximum file locks */ \
01106       }, \
01107       .res_max = { \
01108         RSBAC_RES_UNSET,           /* cpu time */ \
01109         RSBAC_RES_UNSET,           /* file size */ \
01110         RSBAC_RES_UNSET,           /* process data segment size */ \
01111         RSBAC_RES_UNSET,           /* stack size */ \
01112         RSBAC_RES_UNSET,           /* core dump size */ \
01113         RSBAC_RES_UNSET,           /* resident memory set size */ \
01114         RSBAC_RES_UNSET,           /* number of processes for this user */ \
01115         RSBAC_RES_UNSET,           /* number of files */ \
01116         RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
01117         RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
01118         RSBAC_RES_UNSET            /* maximum file locks */ \
01119       } \
01120     }
01121 #define DEFAULT_RES_U_AUDITOR_ACI \
01122     { \
01123       .res_role = SR_auditor, \
01124       .res_min = { \
01125         RSBAC_RES_UNSET,           /* cpu time */ \
01126         RSBAC_RES_UNSET,           /* file size */ \
01127         RSBAC_RES_UNSET,           /* process data segment size */ \
01128         RSBAC_RES_UNSET,           /* stack size */ \
01129         RSBAC_RES_UNSET,           /* core dump size */ \
01130         RSBAC_RES_UNSET,           /* resident memory set size */ \
01131         RSBAC_RES_UNSET,           /* number of processes for this user */ \
01132         RSBAC_RES_UNSET,           /* number of files */ \
01133         RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
01134         RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
01135         RSBAC_RES_UNSET            /* maximum file locks */ \
01136       }, \
01137       .res_max = { \
01138         RSBAC_RES_UNSET,           /* cpu time */ \
01139         RSBAC_RES_UNSET,           /* file size */ \
01140         RSBAC_RES_UNSET,           /* process data segment size */ \
01141         RSBAC_RES_UNSET,           /* stack size */ \
01142         RSBAC_RES_UNSET,           /* core dump size */ \
01143         RSBAC_RES_UNSET,           /* resident memory set size */ \
01144         RSBAC_RES_UNSET,           /* number of processes for this user */ \
01145         RSBAC_RES_UNSET,           /* number of files */ \
01146         RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
01147         RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
01148         RSBAC_RES_UNSET            /* maximum file locks */ \
01149       } \
01150     }
01151 #endif
01152 
01153 #define RSBAC_USER_NR_ATTRIBUTES 24
01154 #define RSBAC_USER_ATTR_LIST { \
01155       A_pseudo, \
01156       A_log_user_based, \
01157       A_security_level, \
01158       A_initial_security_level, \
01159       A_min_security_level, \
01160       A_mac_categories, \
01161       A_mac_initial_categories, \
01162       A_mac_min_categories, \
01163       A_mac_role, \
01164       A_mac_user_flags, \
01165       A_fc_role, \
01166       A_sim_role, \
01167       A_daz_role, \
01168       A_ff_role, \
01169       A_auth_role, \
01170       A_pm_task_set, \
01171       A_pm_role, \
01172       A_rc_def_role, \
01173       A_min_caps, \
01174       A_max_caps, \
01175       A_cap_role, \
01176       A_jail_role, \
01177       A_res_role, \
01178       A_pax_role \
01179       }
01180 
01181 #ifdef __KERNEL__
01182 struct rsbac_user_handles_t
01183     {
01184       rsbac_list_handle_t gen;
01185 #if defined(CONFIG_RSBAC_MAC)
01186       rsbac_list_handle_t mac;
01187 #endif
01188 #if defined(CONFIG_RSBAC_FC)
01189       rsbac_list_handle_t fc;
01190 #endif
01191 #if defined(CONFIG_RSBAC_SIM)
01192       rsbac_list_handle_t sim;
01193 #endif
01194 #if defined(CONFIG_RSBAC_PM)
01195       rsbac_list_handle_t pm;
01196 #endif
01197 #if defined(CONFIG_RSBAC_DAZ)
01198       rsbac_list_handle_t daz;
01199 #endif
01200 #if defined(CONFIG_RSBAC_FF)
01201       rsbac_list_handle_t ff;
01202 #endif
01203 #if defined(CONFIG_RSBAC_RC)
01204       rsbac_list_handle_t rc;
01205 #endif
01206 #if defined(CONFIG_RSBAC_AUTH)
01207       rsbac_list_handle_t auth;
01208 #endif
01209 #if defined(CONFIG_RSBAC_CAP)
01210       rsbac_list_handle_t cap;
01211 #endif
01212 #if defined(CONFIG_RSBAC_JAIL)
01213       rsbac_list_handle_t jail;
01214 #endif
01215 #if defined(CONFIG_RSBAC_PAX)
01216       rsbac_list_handle_t pax;
01217 #endif
01218 #if defined(CONFIG_RSBAC_RES)
01219       rsbac_list_handle_t res;
01220 #endif
01221     };
01222 #endif 
01223 
01224 /********************************/
01225 /* Process ACI. */
01226 
01227 #define RSBAC_GEN_ACI_PROCESS_NAME   "process_gen"
01228 #define RSBAC_MAC_ACI_PROCESS_NAME   "process_mac."
01229 #define RSBAC_PM_ACI_PROCESS_NAME    "process_pm"
01230 #define RSBAC_DAZ_ACI_PROCESS_NAME    "process_daz"
01231 #define RSBAC_RC_ACI_PROCESS_NAME    "process_rc."
01232 #define RSBAC_AUTH_ACI_PROCESS_NAME    "process_auth"
01233 #define RSBAC_CAP_ACI_PROCESS_NAME    "process_cap"
01234 #define RSBAC_JAIL_ACI_PROCESS_NAME    "process_jail"
01235 
01236 #define RSBAC_GEN_PROCESS_ACI_VERSION 1
01237 #define RSBAC_GEN_PROCESS_ACI_KEY 1001
01238 struct rsbac_gen_process_aci_t
01239     {
01240       rsbac_request_vector_t      log_program_based;
01241       rsbac_fake_root_uid_int_t   fake_root_uid;
01242       rsbac_uid_t                 audit_uid;
01243       rsbac_uid_t                 auid_exempt;
01244     };
01245 #define DEFAULT_GEN_P_ACI \
01246     { \
01247       .log_program_based = 0, \
01248       .fake_root_uid = FR_off, \
01249       .audit_uid = RSBAC_NO_USER, \
01250       .auid_exempt = RSBAC_NO_USER, \
01251     }
01252 
01253 #if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
01254 #define RSBAC_MAC_PROCESS_ACI_VERSION 1
01255 #define RSBAC_MAC_PROCESS_ACI_KEY 1001
01256 struct rsbac_mac_process_aci_t
01257     {
01258       rsbac_security_level_t      owner_sec_level;     /* enum old_rsbac_security_level_t */
01259       rsbac_security_level_t      owner_initial_sec_level; /* enum old_rsbac_security_level_t */
01260       rsbac_security_level_t      owner_min_sec_level; /* enum old_rsbac_security_level_t */
01261       rsbac_mac_category_vector_t mac_owner_categories; /* MAC category set */
01262       rsbac_mac_category_vector_t mac_owner_initial_categories; /* MAC category set */
01263       rsbac_mac_category_vector_t mac_owner_min_categories; /* MAC category set */
01264       rsbac_security_level_t      current_sec_level;   /* enum rsbac_security_level_t */
01265       rsbac_mac_category_vector_t mac_curr_categories; /* MAC current category set */
01266       rsbac_security_level_t      min_write_open;      /* for *-property, enum rsbac_security_level_t */
01267       rsbac_mac_category_vector_t min_write_categories; /* MAC, for *-property */
01268       rsbac_security_level_t      max_read_open;       /* for *-property, enum rsbac_security_level_t */
01269       rsbac_mac_category_vector_t max_read_categories; /* MAC, for *-property */
01270       rsbac_mac_process_flags_t   mac_process_flags;   /* flags (override, trusted, auto etc.) */
01271     };
01272 #define DEFAULT_MAC_P_ACI \
01273     { \
01274       .owner_sec_level = SL_unclassified, \
01275       .owner_initial_sec_level = SL_unclassified, \
01276       .owner_min_sec_level = SL_unclassified, \
01277       .mac_owner_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01278       .mac_owner_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01279       .mac_owner_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
01280       .current_sec_level = SL_unclassified, \
01281       .mac_curr_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01282       .min_write_open = SL_max, \
01283       .min_write_categories = RSBAC_MAC_MAX_CAT_VECTOR, \
01284       .max_read_open = SL_unclassified, \
01285       .max_read_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
01286       .mac_process_flags = RSBAC_MAC_DEF_P_FLAGS, \
01287     }
01288 #define DEFAULT_MAC_P_INIT_ACI \
01289     { \
01290       .owner_sec_level = SL_unclassified, \
01291       .owner_initial_sec_level = SL_unclassified, \
01292       .owner_min_sec_level = SL_unclassified, \
01293       .mac_owner_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01294       .mac_owner_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01295       .mac_owner_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
01296       .current_sec_level = SL_unclassified, \
01297       .mac_curr_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01298       .min_write_open = SL_max, \
01299       .min_write_categories = RSBAC_MAC_MAX_CAT_VECTOR, \
01300       .max_read_open = SL_unclassified, \
01301       .max_read_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
01302       .mac_process_flags = RSBAC_MAC_DEF_INIT_P_FLAGS, \
01303     }
01304 #endif
01305 
01306 #if defined(CONFIG_RSBAC_PM)
01307 #define RSBAC_PM_PROCESS_ACI_VERSION 1
01308 #define RSBAC_PM_PROCESS_ACI_KEY 1001
01309 struct rsbac_pm_process_aci_t
01310     {
01311       rsbac_pm_tp_id_t            pm_tp;
01312       rsbac_pm_task_id_t          pm_current_task;
01313       rsbac_pm_process_type_int_t pm_process_type;     /* enum rsbac_pm_process_type_t */
01314     };
01315 #define DEFAULT_PM_P_ACI \
01316     { \
01317       .pm_tp = 0, \
01318       .pm_current_task = 0, \
01319       .pm_process_type = PP_none, \
01320     }
01321 #endif
01322 
01323 #if defined(CONFIG_RSBAC_DAZ)
01324 #define RSBAC_DAZ_PROCESS_ACI_VERSION 1
01325 #define RSBAC_DAZ_PROCESS_ACI_KEY 1001
01326 struct rsbac_daz_process_aci_t
01327     {
01328       rsbac_boolean_int_t          daz_scanner;          /* DAZ, boolean */
01329     };
01330 #define DEFAULT_DAZ_P_ACI \
01331     { \
01332       .daz_scanner = FALSE, \
01333     }
01334 #endif
01335 
01336 #if defined(CONFIG_RSBAC_RC)
01337 #define RSBAC_RC_PROCESS_ACI_VERSION 1
01338 #define RSBAC_RC_PROCESS_ACI_KEY 1001
01339 struct rsbac_rc_process_aci_t
01340     {
01341       rsbac_rc_role_id_t          rc_role;             /* RC */
01342       rsbac_rc_type_id_t          rc_type;             /* RC */
01343       rsbac_rc_role_id_t          rc_force_role;       /* RC */
01344     };
01345 #define DEFAULT_RC_P_ACI \
01346     { \
01347       .rc_role = RSBAC_RC_GENERAL_ROLE, \
01348       .rc_type = RSBAC_RC_GENERAL_TYPE, \
01349       .rc_force_role = RC_default_force_role, \
01350     }
01351 #define DEFAULT_RC_P_INIT_ACI \
01352     { \
01353       .rc_role = RSBAC_RC_SYSTEM_ADMIN_ROLE, \
01354       .rc_type = RSBAC_RC_GENERAL_TYPE, \
01355       .rc_force_role = RC_default_force_role, \
01356     }
01357 #define DEFAULT_RC_P_KERNEL_ACI \
01358     { \
01359       .rc_role = RSBAC_RC_SYSTEM_ADMIN_ROLE, \
01360       .rc_type = CONFIG_RSBAC_RC_KERNEL_PROCESS_TYPE, \
01361       .rc_force_role = RC_default_force_role, \
01362     }
01363 #endif
01364 
01365 #if defined(CONFIG_RSBAC_AUTH)
01366 #define RSBAC_AUTH_PROCESS_ACI_VERSION 1
01367 #define RSBAC_AUTH_PROCESS_ACI_KEY 1001
01368 struct rsbac_auth_process_aci_t
01369     {
01370       __u8                        auth_may_setuid;     /* AUTH (boolean) */
01371       __u8                        auth_may_set_cap;    /* AUTH (boolean) */
01372       rsbac_uid_t                 auth_last_auth;
01373     #if defined(CONFIG_RSBAC_AUTH_LEARN) && defined(__KERNEL__)
01374       struct rsbac_fs_file_t      auth_program_file;
01375       rsbac_uid_t                 auth_start_uid;
01376       __u8                        auth_learn;          /* AUTH (boolean) */
01377     #endif
01378     };
01379 
01380 #if defined(CONFIG_RSBAC_AUTH_LEARN)
01381 #define DEFAULT_AUTH_P_ACI \
01382     { \
01383       .auth_may_setuid = FALSE, \
01384       .auth_may_set_cap = FALSE, \
01385       .auth_last_auth = RSBAC_NO_USER, \
01386       .auth_program_file = { RSBAC_ZERO_DEV, 0, NULL }, \
01387       .auth_start_uid = 0, \
01388       .auth_learn = 0, \
01389     }
01390 #else
01391 #define DEFAULT_AUTH_P_ACI \
01392     { \
01393       .auth_may_setuid = FALSE, \
01394       .auth_may_set_cap = FALSE, \
01395       .auth_last_auth = RSBAC_NO_USER, \
01396     }
01397 #endif
01398 #endif
01399 
01400 
01401 #if defined(CONFIG_RSBAC_CAP)
01402 #define RSBAC_CAP_PROCESS_ACI_VERSION 1
01403 #define RSBAC_CAP_PROCESS_ACI_KEY 10013283
01404 struct rsbac_cap_process_aci_t
01405     {
01406       rsbac_cap_process_hiding_int_t cap_process_hiding;
01407 #ifdef CONFIG_RSBAC_CAP_LOG_MISSING
01408       rsbac_cap_vector_t             max_caps_user;
01409       rsbac_cap_vector_t             max_caps_program;
01410 #endif
01411     };
01412 
01413 #ifdef CONFIG_RSBAC_CAP_LOG_MISSING
01414 #define DEFAULT_CAP_P_ACI \
01415     { \
01416       .cap_process_hiding = PH_off, \
01417       .max_caps_user = RSBAC_CAP_DEFAULT_MAX, \
01418       .max_caps_program = RSBAC_CAP_DEFAULT_MAX, \
01419     }
01420 #else
01421 #define DEFAULT_CAP_P_ACI \
01422     { \
01423       .cap_process_hiding = PH_off, \
01424     }
01425 #endif
01426 #endif
01427 
01428 #if defined(CONFIG_RSBAC_JAIL)
01429 #define RSBAC_JAIL_PROCESS_ACI_VERSION 1
01430 #define RSBAC_JAIL_PROCESS_ACI_KEY 1001
01431 struct rsbac_jail_process_aci_t
01432     {
01433       rsbac_jail_id_t id;
01434       rsbac_jail_ip_t ip;
01435       rsbac_jail_flags_t flags;
01436       rsbac_cap_vector_t max_caps;      /* Program max Linux capabilities */
01437     };
01438 #define DEFAULT_JAIL_P_ACI \
01439     { \
01440       .id = 0, \
01441       .ip = 0, \
01442       .flags = 0, \
01443       .max_caps = -1, \
01444     }
01445 #endif
01446 
01447 #define RSBAC_PROCESS_NR_ATTRIBUTES 33
01448 #define RSBAC_PROCESS_ATTR_LIST { \
01449       A_security_level, \
01450       A_min_security_level, \
01451       A_mac_categories, \
01452       A_mac_min_categories, \
01453       A_current_sec_level, \
01454       A_mac_curr_categories, \
01455       A_min_write_open, \
01456       A_min_write_categories, \
01457       A_max_read_open, \
01458       A_max_read_categories, \
01459       A_mac_process_flags, \
01460       A_pm_tp, \
01461       A_pm_current_task, \
01462       A_pm_process_type, \
01463       A_daz_scanner, \
01464       A_rc_role, \
01465       A_rc_type, \
01466       A_rc_force_role, \
01467       A_auth_may_setuid, \
01468       A_auth_may_set_cap, \
01469       A_auth_learn, \
01470       A_cap_process_hiding, \
01471       A_max_caps_user, \
01472       A_max_caps_program, \
01473       A_jail_id, \
01474       A_jail_ip, \
01475       A_jail_flags, \
01476       A_jail_max_caps, \
01477       A_log_program_based, \
01478       A_fake_root_uid, \
01479       A_audit_uid, \
01480       A_auid_exempt, \
01481       A_auth_last_auth \
01482       }
01483 
01484 #ifdef __KERNEL__
01485 struct rsbac_process_handles_t
01486     {
01487       rsbac_list_handle_t gen;
01488 #if defined(CONFIG_RSBAC_MAC)
01489       rsbac_list_handle_t mac[CONFIG_RSBAC_MAC_NR_P_LISTS];
01490 #endif
01491 #if defined(CONFIG_RSBAC_PM)
01492       rsbac_list_handle_t pm;
01493 #endif
01494 #if defined(CONFIG_RSBAC_DAZ)
01495       rsbac_list_handle_t daz;
01496 #endif
01497 #if defined(CONFIG_RSBAC_RC)
01498       rsbac_list_handle_t rc[CONFIG_RSBAC_RC_NR_P_LISTS];
01499 #endif
01500 #if defined(CONFIG_RSBAC_AUTH)
01501       rsbac_list_handle_t auth;
01502 #endif
01503 #if defined(CONFIG_RSBAC_CAP)
01504       rsbac_list_handle_t cap;
01505 #endif
01506 #if defined(CONFIG_RSBAC_JAIL)
01507       rsbac_list_handle_t jail[CONFIG_RSBAC_JAIL_NR_P_LISTS];
01508 #endif
01509     };
01510 #endif /* __KERNEL__ */
01511 
01512 
01513 /******************************/
01514 /* OK, now we define the UM group ACI, holding all information */
01515 /* the ADF needs for decisions.                                */
01516 
01517 #define RSBAC_RC_ACI_GROUP_NAME    "grouprc"
01518 
01519 /* Caution: whenever ACI changes, version should be increased!            */
01520 
01521 #if defined(CONFIG_RSBAC_RC_UM_PROT)
01522 #define RSBAC_RC_GROUP_ACI_VERSION 1
01523 #define RSBAC_RC_GROUP_ACI_KEY 13276142
01524 #endif
01525 
01526 #define RSBAC_GROUP_NR_ATTRIBUTES 1
01527 #define RSBAC_GROUP_ATTR_LIST { \
01528       A_rc_type \
01529       }
01530 
01531 #ifdef __KERNEL__
01532 struct rsbac_group_handles_t
01533     {
01534 #if defined(CONFIG_RSBAC_RC_UM_PROT)
01535       rsbac_list_handle_t rc;
01536 #endif
01537     };
01538 #endif /* __KERNEL__ */
01539 
01540 /********************************/
01541 /* NETDEV ACI */
01542 
01543 #define RSBAC_GEN_ACI_NETDEV_NAME   "nd_gen"
01544 #define RSBAC_RC_ACI_NETDEV_NAME    "nd_rc"
01545 
01546 #define RSBAC_GEN_NETDEV_ACI_VERSION 1
01547 #define RSBAC_GEN_NETDEV_ACI_KEY 1001
01548 struct rsbac_gen_netdev_aci_t
01549     {
01550       rsbac_log_array_t           log_array_low;    /* netdev based logging, */
01551       rsbac_log_array_t           log_array_high;   /* high and low bits */
01552     };
01553 #define DEFAULT_GEN_NETDEV_ACI \
01554     { \
01555       .log_array_low = -1, \
01556       .log_array_high = -1, \
01557     }
01558 
01559 #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
01560 #define RSBAC_RC_NETDEV_ACI_VERSION 1
01561 #define RSBAC_RC_NETDEV_ACI_KEY 1001
01562 #endif
01563 
01564 #define RSBAC_NETDEV_NR_ATTRIBUTES 3
01565 #define RSBAC_NETDEV_ATTR_LIST { \
01566       A_rc_type, \
01567       A_log_array_low, \
01568       A_log_array_high \
01569       }
01570 
01571 #ifdef __KERNEL__
01572 struct rsbac_netdev_handles_t
01573     {
01574 #if defined(CONFIG_RSBAC_IND_NETDEV_LOG)
01575       rsbac_list_handle_t gen;
01576 #endif
01577 #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
01578       rsbac_list_handle_t rc;
01579 #endif
01580     };
01581 #endif /* __KERNEL__ */
01582 
01583 /********************************/
01584 /* NETTEMP ACI */
01585 
01586 #define RSBAC_GEN_ACI_NETTEMP_NAME   "nt_gen"
01587 #define RSBAC_MAC_ACI_NETTEMP_NAME   "nt_mac"
01588 #define RSBAC_FC_ACI_NETTEMP_NAME    "nt_fc"
01589 #define RSBAC_SIM_ACI_NETTEMP_NAME   "nt_sim"
01590 #define RSBAC_PM_ACI_NETTEMP_NAME    "nt_pm"
01591 #define RSBAC_RC_ACI_NETTEMP_NAME    "nt_rc"
01592 
01593 #define RSBAC_MAC_ACI_LNETOBJ_NAME   "lnetobj_mac"
01594 #define RSBAC_FC_ACI_LNETOBJ_NAME    "lnetobj_fc"
01595 #define RSBAC_SIM_ACI_LNETOBJ_NAME   "lnetobj_sim"
01596 #define RSBAC_PM_ACI_LNETOBJ_NAME    "lnetobj_pm"
01597 #define RSBAC_RC_ACI_LNETOBJ_NAME    "lnetobj_rc"
01598 #define RSBAC_MAC_ACI_RNETOBJ_NAME   "rnetobj_mac"
01599 #define RSBAC_FC_ACI_RNETOBJ_NAME    "rnetobj_fc"
01600 #define RSBAC_SIM_ACI_RNETOBJ_NAME   "rnetobj_sim"
01601 #define RSBAC_PM_ACI_RNETOBJ_NAME    "rnetobj_pm"
01602 #define RSBAC_RC_ACI_RNETOBJ_NAME    "rnetobj_rc"
01603 
01604 #define RSBAC_GEN_NETOBJ_ACI_VERSION 1
01605 #define RSBAC_GEN_NETOBJ_ACI_KEY 1001
01606 struct rsbac_gen_netobj_aci_t
01607     {
01608       rsbac_log_array_t           log_array_low;    /* nettemp/netobj based logging, */
01609       rsbac_log_array_t           log_array_high;   /* high and low bits */
01610     };
01611 #define DEFAULT_GEN_NETOBJ_ACI \
01612     { \
01613       .log_array_low = -1, \
01614       .log_array_high = -1, \
01615     }
01616 
01617 #if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
01618 #define RSBAC_MAC_NETOBJ_ACI_VERSION 1
01619 #define RSBAC_MAC_NETOBJ_ACI_KEY 1001
01620 struct rsbac_mac_netobj_aci_t
01621     {
01622       rsbac_security_level_t     sec_level; /* enum old_rsbac_security_level_t / __u8 */
01623       rsbac_mac_category_vector_t mac_categories;   /* MAC category set */
01624     };
01625 #define DEFAULT_MAC_NETOBJ_ACI \
01626     { \
01627       .sec_level = SL_unclassified,  /* security_level (MAC) */ \
01628       .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01629     }
01630 #endif
01631 
01632 #if defined(CONFIG_RSBAC_FC) || defined(CONFIG_RSBAC_FC_MAINT)
01633 #define RSBAC_FC_NETOBJ_ACI_VERSION 1
01634 #define RSBAC_FC_NETOBJ_ACI_KEY 1001
01635 #endif
01636 
01637 #if defined(CONFIG_RSBAC_SIM) || defined(CONFIG_RSBAC_SIM_MAINT)
01638 #define RSBAC_SIM_NETOBJ_ACI_VERSION 1
01639 #define RSBAC_SIM_NETOBJ_ACI_KEY 1001
01640 #endif
01641 
01642 #if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
01643 #define RSBAC_PM_NETOBJ_ACI_VERSION 1
01644 #define RSBAC_PM_NETOBJ_ACI_KEY 1001
01645 struct rsbac_pm_netobj_aci_t
01646     {
01647       rsbac_pm_object_class_id_t pm_object_class; /* netobj only */
01648       rsbac_pm_purpose_id_t      pm_ipc_purpose;
01649       rsbac_pm_object_type_int_t pm_object_type; /* enum rsbac_pm_object_type_t */
01650     };
01651 #define DEFAULT_PM_NETOBJ_ACI \
01652     { \
01653       .pm_object_class = RSBAC_PM_IPC_OBJECT_CLASS_ID, \
01654       .pm_ipc_purpose = 0, \
01655       .pm_object_type = PO_ipc, \
01656     }
01657 #endif
01658 
01659 #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
01660 #define RSBAC_RC_NETOBJ_ACI_VERSION 1
01661 #define RSBAC_RC_NETOBJ_ACI_KEY 1001
01662 #define RSBAC_RC_NETTEMP_ACI_VERSION 1
01663 #define RSBAC_RC_NETTEMP_ACI_KEY 1002
01664 
01665 struct rsbac_rc_nettemp_aci_t
01666     {
01667       rsbac_rc_type_id_t          netobj_type;    /* type inherited to netobj */
01668       rsbac_rc_type_id_t          nettemp_type;   /* type of this tenplate */
01669     };
01670 #define DEFAULT_RC_NETTEMP_ACI \
01671     { \
01672       .netobj_type = RSBAC_RC_GENERAL_TYPE, \
01673       .nettemp_type = RSBAC_RC_GENERAL_TYPE, \
01674     }
01675 #endif
01676 
01677 #define RSBAC_NETTEMP_NR_ATTRIBUTES 11
01678 #define RSBAC_NETTEMP_ATTR_LIST { \
01679       A_security_level, \
01680       A_mac_categories, \
01681       A_object_category, \
01682       A_data_type, \
01683       A_pm_object_class, \
01684       A_pm_ipc_purpose, \
01685       A_pm_object_type, \
01686       A_rc_type, \
01687       A_rc_type_nt, \
01688       A_log_array_low, \
01689       A_log_array_high \
01690       }
01691 
01692 #define RSBAC_NETOBJ_NR_ATTRIBUTES 20
01693 #define RSBAC_NETOBJ_ATTR_LIST { \
01694       A_local_sec_level, \
01695       A_remote_sec_level, \
01696       A_local_mac_categories, \
01697       A_remote_mac_categories, \
01698       A_local_object_category, \
01699       A_remote_object_category, \
01700       A_local_data_type, \
01701       A_remote_data_type, \
01702       A_local_pm_object_class, \
01703       A_remote_pm_object_class, \
01704       A_local_pm_ipc_purpose, \
01705       A_remote_pm_ipc_purpose, \
01706       A_local_pm_object_type, \
01707       A_remote_pm_object_type, \
01708       A_local_rc_type, \
01709       A_remote_rc_type, \
01710       A_local_log_array_low, \
01711       A_remote_log_array_low, \
01712       A_local_log_array_high, \
01713       A_remote_log_array_high \
01714       }
01715 
01716 #ifdef __KERNEL__
01717 struct rsbac_nettemp_handles_t
01718     {
01719 #if defined(CONFIG_RSBAC_IND_NETOBJ_LOG)
01720       rsbac_list_handle_t gen;
01721 #endif
01722 #if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
01723       rsbac_list_handle_t mac;
01724 #endif
01725 #if defined(CONFIG_RSBAC_FC) || defined(CONFIG_RSBAC_FC_MAINT)
01726       rsbac_list_handle_t fc;
01727 #endif
01728 #if defined(CONFIG_RSBAC_SIM) || defined(CONFIG_RSBAC_SIM_MAINT)
01729       rsbac_list_handle_t sim;
01730 #endif
01731 #if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
01732       rsbac_list_handle_t pm;
01733 #endif
01734 #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
01735       rsbac_list_handle_t rc;
01736 #endif
01737     };
01738 
01739 struct rsbac_lnetobj_handles_t
01740     {
01741 #if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
01742       rsbac_list_handle_t mac;
01743 #endif
01744 #if defined(CONFIG_RSBAC_FC) || defined(CONFIG_RSBAC_FC_MAINT)
01745       rsbac_list_handle_t fc;
01746 #endif
01747 #if defined(CONFIG_RSBAC_SIM) || defined(CONFIG_RSBAC_SIM_MAINT)
01748       rsbac_list_handle_t sim;
01749 #endif
01750 #if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
01751       rsbac_list_handle_t pm;
01752 #endif
01753 #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
01754       rsbac_list_handle_t rc;
01755 #endif
01756     };
01757 struct rsbac_rnetobj_handles_t
01758     {
01759 #if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
01760       rsbac_list_handle_t mac;
01761 #endif
01762 #if defined(CONFIG_RSBAC_FC) || defined(CONFIG_RSBAC_FC_MAINT)
01763       rsbac_list_handle_t fc;
01764 #endif
01765 #if defined(CONFIG_RSBAC_SIM) || defined(CONFIG_RSBAC_SIM_MAINT)
01766       rsbac_list_handle_t sim;
01767 #endif
01768 #if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
01769       rsbac_list_handle_t pm;
01770 #endif
01771 #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
01772       rsbac_list_handle_t rc;
01773 #endif
01774     };
01775 #endif /* __KERNEL__ */
01776 
01777 
01778 /**********************************************/
01779 /*              Declarations                  */
01780 /**********************************************/
01781 
01782 #ifdef __KERNEL__
01783 extern kdev_t rsbac_root_dev;
01784 
01785 int rsbac_read_open (char *,
01786                      struct file  *,    /* file */
01787                      kdev_t);
01788 
01789 int rsbac_write_open(char *,
01790                      struct file  *,    /* file */
01791                      kdev_t);
01792 
01793 void rsbac_read_close(struct file *);
01794 
01795 void rsbac_write_close(struct file *);
01796 
01797 extern struct semaphore rsbac_write_sem;
01798 
01799 /**********************************************/
01800 /*              Locks                         */
01801 /**********************************************/
01802 
01803 extern inline void rsbac_read_lock(rwlock_t * lock_p, u_long * flags_p)
01804   {
01805     read_lock(lock_p);
01806   };
01807 
01808 extern inline void rsbac_read_unlock(rwlock_t * lock_p, u_long * flags_p)
01809   {
01810     read_unlock(lock_p);
01811   };
01812 
01813 extern inline void rsbac_write_lock(rwlock_t * lock_p, u_long * flags_p)
01814   {
01815     write_lock(lock_p);
01816   };
01817 
01818 extern inline void rsbac_write_unlock(rwlock_t * lock_p, u_long * flags_p)
01819   {
01820     write_unlock(lock_p);
01821   };
01822 
01823 extern inline void rsbac_write_lock_irq(rwlock_t * lock_p, u_long * flags_p)
01824   {
01825     write_lock_irq(lock_p);
01826   };
01827 
01828 extern inline void rsbac_write_unlock_irq(rwlock_t * lock_p, u_long * flags_p)
01829   {
01830     write_unlock_irq(lock_p);
01831   };
01832 
01833 #endif /* __KERNEL__ */
01834 
01835 /**********************************************/
01836 /*          External Declarations             */
01837 /**********************************************/
01838 
01839 #ifdef __KERNEL__
01840 
01841 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01842 static inline struct dentry *lock_parent(struct dentry *dentry)
01843 {
01844         struct dentry *dir = dget(dentry->d_parent);
01845 
01846         down(&dir->d_inode->i_sem);
01847         return dir;
01848 }
01849 
01850 static inline void unlock_dir(struct dentry *dir)
01851 {
01852         up(&dir->d_inode->i_sem);
01853         dput(dir);
01854 }
01855 
01856 static inline void double_down(struct semaphore *s1, struct semaphore *s2)
01857 {
01858         if (s1 != s2) {
01859                 if ((unsigned long) s1 < (unsigned long) s2) {
01860                         struct semaphore *tmp = s2;
01861                         s2 = s1; s1 = tmp;
01862                 }
01863                 down(s1);
01864         }
01865         down(s2);
01866 }
01867 
01868 static inline void double_up(struct semaphore *s1, struct semaphore *s2)
01869 {
01870         up(s1);
01871         if (s1 != s2)
01872                 up(s2);
01873 }
01874 
01875 static inline void double_lock(struct dentry *d1, struct dentry *d2)
01876 {
01877         double_down(&d1->d_inode->i_sem, &d2->d_inode->i_sem);
01878 }
01879 
01880 static inline void double_unlock(struct dentry *d1, struct dentry *d2)
01881 {
01882         double_up(&d1->d_inode->i_sem,&d2->d_inode->i_sem);
01883         dput(d1);
01884         dput(d2);
01885 }
01886 #else
01887 extern inline struct dentry *lock_parent(struct dentry *dentry);
01888 #endif
01889 
01890 #endif /* __KERNEL__ */
01891 
01892 #endif
Generated on Fri Jun 17 09:45:18 2005 for RSBAC by  doxygen 1.4.2