Main Page | Alphabetical List | Data Structures | Directories | File List | Data Fields | Globals | Search for 
daten / src / rsbac / linux-2.4.31-rsbac-v1.2.4 / rsbac / adf / mac

mac_syscalls.c

Go to the documentation of this file.
00001 /*************************************************** */
00002 /* Rule Set Based Access Control                     */
00003 /* Implementation of the Access Control Decision     */
00004 /* Facility (ADF) - Mandatory Access Control         */
00005 /* File: rsbac/adf/mac/syscalls.c                    */
00006 /*                                                   */
00007 /* Author and (c) 1999-2004: Amon Ott <ao@rsbac.org> */
00008 /*                                                   */
00009 /* Last modified: 14/Apr/2004                        */
00010 /*************************************************** */
00011 
00012 #include <linux/string.h>
00013 #include <rsbac/types.h>
00014 #include <rsbac/aci.h>
00015 #include <rsbac/mac.h>
00016 #include <rsbac/adf_main.h>
00017 #include <rsbac/error.h>
00018 #include <rsbac/helpers.h>
00019 #include <rsbac/getname.h>
00020 #include <rsbac/debug.h>
00021 #include <rsbac/rkmem.h>
00022 
00023 /************************************************* */
00024 /*           Global Variables                      */
00025 /************************************************* */
00026 
00027 /************************************************* */
00028 /*          Internal Help functions                */
00029 /************************************************* */
00030 
00031 #ifndef CONFIG_RSBAC_MAINT
00032 static int
00033   mac_sys_check_role(enum rsbac_system_role_t role)
00034   {
00035     union rsbac_target_id_t i_tid;
00036     union rsbac_attribute_value_t i_attr_val1;
00037 
00038     i_tid.user = current->uid;
00039     if (rsbac_get_attr(MAC,
00040                        T_USER,
00041                        i_tid,
00042                        A_mac_role,
00043                        &i_attr_val1,
00044                        TRUE))
00045       {
00046         rsbac_ds_get_error("mac_sys_check_role", A_mac_role);
00047         return -EPERM;
00048       }
00049     /* if correct role, then grant */
00050     if (i_attr_val1.system_role == role)
00051       return 0;
00052     else
00053       return -EPERM;
00054   }
00055 #endif
00056 
00057 /************************************************* */
00058 /*          Externally visible functions           */
00059 /************************************************* */
00060 
00061 /*****************************************************************************/
00062 /* This function allows processes to set their own current security level    */
00063 /* via sys_rsbac_mac_set_curr_seclevel() system call.                        */
00064 /* The level must keep within the min_write_open/max_read_open-boundary and  */
00065 /* must not be greater than owner_sec_level. Setting current_sec_level by    */
00066 /* this function also turns off auto-levelling via mac_auto.                 */
00067 
00068 int  rsbac_mac_set_curr_level(rsbac_security_level_t level,
00069                               rsbac_mac_category_vector_t categories)
00070   {
00071     union rsbac_target_id_t       tid;
00072     union rsbac_attribute_value_t attr_val1;
00073 #ifndef CONFIG_RSBAC_MAINT
00074     rsbac_mac_process_flags_t     flags;
00075 #endif
00076 
00077     if(   (level > SL_max)
00078        && (level != SL_none)
00079       )
00080       return -RSBAC_EINVALIDVALUE;
00081     
00082     tid.process = current->pid;
00083 
00084 #ifndef CONFIG_RSBAC_MAINT
00085     /* check flags */
00086     if (rsbac_get_attr(MAC,
00087                        T_PROCESS,
00088                        tid,
00089                        A_mac_process_flags,
00090                        &attr_val1,
00091                        FALSE))
00092       { /* failed! */
00093         rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00094         return(-RSBAC_EREADFAILED);
00095       }
00096     flags = attr_val1.mac_process_flags;
00097     if(   !(flags & MAC_auto)
00098        && !(flags & MAC_trusted)
00099        && !(flags & MAC_override)
00100       )
00101       {
00102 #ifdef CONFIG_RSBAC_RMSG
00103         rsbac_printk(KERN_INFO
00104                      "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: no auto, trusted or override -> not granted \n",
00105                      current->uid,
00106                      current->pid,
00107                      current->comm);
00108 #endif
00109 #ifndef CONFIG_RSBAC_RMSG_EXCL
00110         /* only log to standard syslog, if not disabled by kernel boot parameter */
00111         #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00112         if (!rsbac_nosyslog)
00113         #endif
00114           printk(KERN_INFO
00115                  "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: no auto, trusted or override -> not granted \n",
00116                  current->uid,
00117                  current->pid,
00118                  current->comm);
00119 #endif
00120         #ifdef CONFIG_RSBAC_SOFTMODE
00121         if(   !rsbac_softmode
00122         #ifdef CONFIG_RSBAC_SOFTMODE_IND
00123            && !rsbac_ind_softmode[MAC]
00124         #endif
00125           )
00126         #endif
00127           return -EPERM;
00128       }
00129 
00130     /* override allows full range */
00131     if(!(flags & MAC_override))
00132       {
00133         if(level != SL_none)
00134           {
00135             /* get maximum security level */
00136             tid.process = current->pid;
00137             if (rsbac_get_attr(MAC,
00138                                T_PROCESS,
00139                                tid,
00140                                A_security_level,
00141                                &attr_val1,
00142                                FALSE))
00143               { /* failed! */
00144                 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00145                 return(-RSBAC_EREADFAILED);
00146               }
00147             /* if level is too high -> error */
00148             if (level > attr_val1.security_level)
00149               {
00150 #ifdef CONFIG_RSBAC_RMSG
00151                 rsbac_printk(KERN_INFO
00152                              "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested level %u over max level %u, no override -> not granted \n",
00153                              current->uid,
00154                              current->pid,
00155                              current->comm,
00156                              level,
00157                              attr_val1.security_level);
00158 #endif
00159 #ifndef CONFIG_RSBAC_RMSG_EXCL
00160                 /* only log to standard syslog, if not disabled by kernel boot parameter */
00161                 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00162                 if (!rsbac_nosyslog)
00163                 #endif
00164                   printk(KERN_INFO
00165                          "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested level %u over max level %u, no override -> not granted \n",
00166                          current->uid,
00167                          current->pid,
00168                          current->comm,
00169                          level,
00170                          attr_val1.security_level);
00171 #endif
00172                 #ifdef CONFIG_RSBAC_SOFTMODE
00173                 if(   !rsbac_softmode
00174                 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00175                    && !rsbac_ind_softmode[MAC]
00176                 #endif
00177                   )
00178                 #endif
00179                   return -EPERM;
00180               }
00181             /* get minimum security level */
00182             tid.process = current->pid;
00183             if (rsbac_get_attr(MAC,
00184                                T_PROCESS,
00185                                tid,
00186                                A_min_security_level,
00187                                &attr_val1,
00188                                FALSE))
00189               { /* failed! */
00190                 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00191                 return(-RSBAC_EREADFAILED);
00192               }
00193             /* if level is too low -> error */
00194             if (level < attr_val1.security_level)
00195               {
00196 #ifdef CONFIG_RSBAC_RMSG
00197                 rsbac_printk(KERN_INFO
00198                              "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested level %u under min level %u, no override -> not granted \n",
00199                              current->uid,
00200                              current->pid,
00201                              current->comm,
00202                              level,
00203                              attr_val1.security_level);
00204 #endif
00205 #ifndef CONFIG_RSBAC_RMSG_EXCL
00206                 /* only log to standard syslog, if not disabled by kernel boot parameter */
00207                 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00208                 if (!rsbac_nosyslog)
00209                 #endif
00210                   printk(KERN_INFO
00211                          "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested level %u under min level %u, no override -> not granted \n",
00212                          current->uid,
00213                          current->pid,
00214                          current->comm,
00215                          level,
00216                          attr_val1.security_level);
00217 #endif
00218                 #ifdef CONFIG_RSBAC_SOFTMODE
00219                 if(   !rsbac_softmode
00220                 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00221                    && !rsbac_ind_softmode[MAC]
00222                 #endif
00223                   )
00224                 #endif
00225                   return -EPERM;
00226               }
00227 
00228             /* auto needed? -> stay inside boundaries */
00229             if(!flags & MAC_trusted)
00230               {
00231                 /* check against upper/write boundary */ 
00232                 if (rsbac_get_attr(MAC,
00233                                    T_PROCESS,
00234                                    tid,
00235                                    A_min_write_open,
00236                                    &attr_val1,
00237                                    FALSE))
00238                   { /* failed! */
00239                     rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00240                     return(-RSBAC_EREADFAILED);
00241                   }
00242                 if (level > attr_val1.min_write_open)
00243                   {
00244 #ifdef CONFIG_RSBAC_RMSG
00245                     rsbac_printk(KERN_INFO
00246                                  "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested level %u over min_write_open %u, no override or trusted -> not granted \n",
00247                                  current->uid,
00248                                  current->pid,
00249                                  current->comm,
00250                                  level,
00251                                  attr_val1.min_write_open);
00252 #endif
00253 #ifndef CONFIG_RSBAC_RMSG_EXCL
00254                     /* only log to standard syslog, if not disabled by kernel boot parameter */
00255                     #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00256                     if (!rsbac_nosyslog)
00257                     #endif
00258                       printk(KERN_INFO
00259                              "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested level %u over min_write_open %u, no override or trusted -> not granted \n",
00260                              current->uid,
00261                              current->pid,
00262                              current->comm,
00263                              level,
00264                              attr_val1.min_write_open);
00265 #endif
00266                     #ifdef CONFIG_RSBAC_SOFTMODE
00267                     if(   !rsbac_softmode
00268                     #ifdef CONFIG_RSBAC_SOFTMODE_IND
00269                        && !rsbac_ind_softmode[MAC]
00270                     #endif
00271                       )
00272                     #endif
00273                       return -EPERM;
00274                   }
00275 
00276                 /* check against lower/read boundary */ 
00277                 if (rsbac_get_attr(MAC,
00278                                    T_PROCESS,
00279                                    tid,
00280                                    A_max_read_open,
00281                                    &attr_val1,
00282                                    FALSE))
00283                   { /* failed! */
00284                     rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00285                     return(-RSBAC_EREADFAILED);
00286                   }
00287                 if (level < attr_val1.max_read_open)
00288                   return(-EPERM);
00289               }
00290           }
00291         if(categories != RSBAC_MAC_MIN_CAT_VECTOR)
00292           {
00293             /* get maximum categories */
00294             tid.process = current->pid;
00295             if (rsbac_get_attr(MAC,
00296                                T_PROCESS,
00297                                tid,
00298                                A_mac_categories,
00299                                &attr_val1,
00300                                FALSE))
00301               { /* failed! */
00302                 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00303                 return(-RSBAC_EREADFAILED);
00304               }
00305             /* if categories are no subset -> error */
00306             if ((categories & attr_val1.mac_categories) != categories)
00307               {
00308                 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00309 
00310                 if(tmp)
00311                   {
00312                     char * tmp2 = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00313 
00314                     if(tmp2)
00315                       {
00316 #ifdef CONFIG_RSBAC_RMSG
00317                         rsbac_printk(KERN_INFO
00318                                      "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s over max categories %s, no override -> not granted \n",
00319                                      current->uid,
00320                                      current->pid,
00321                                      current->comm,
00322                                      u64tostrmac(tmp, categories),
00323                                      u64tostrmac(tmp2, attr_val1.mac_categories));
00324 #endif
00325 #ifndef CONFIG_RSBAC_RMSG_EXCL
00326                         /* only log to standard syslog, if not disabled by kernel boot parameter */
00327                         #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00328                         if (!rsbac_nosyslog)
00329                         #endif
00330                           printk(KERN_INFO
00331                                  "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s over max categories %s, no override -> not granted \n",
00332                                  current->uid,
00333                                  current->pid,
00334                                  current->comm,
00335                                  u64tostrmac(tmp, categories),
00336                                  u64tostrmac(tmp2, attr_val1.mac_categories));
00337 #endif
00338                         rsbac_kfree(tmp2);
00339                       }
00340                     rsbac_kfree(tmp);
00341                   }
00342                 #ifdef CONFIG_RSBAC_SOFTMODE
00343                 if(   !rsbac_softmode
00344                 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00345                    && !rsbac_ind_softmode[MAC]
00346                 #endif
00347                   )
00348                 #endif
00349                   return -EPERM;
00350               }
00351             /* get minimum categories */
00352             tid.process = current->pid;
00353             if (rsbac_get_attr(MAC,
00354                                T_PROCESS,
00355                                tid,
00356                                A_mac_min_categories,
00357                                &attr_val1,
00358                                FALSE))
00359               { /* failed! */
00360                 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00361                 return(-RSBAC_EREADFAILED);
00362               }
00363             /* if level is too low -> error */
00364             if ((categories & attr_val1.mac_categories) != attr_val1.mac_categories)
00365               {
00366                 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00367 
00368                 if(tmp)
00369                   {
00370                     char * tmp2 = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00371 
00372                     if(tmp2)
00373                       {
00374 #ifdef CONFIG_RSBAC_RMSG
00375                         rsbac_printk(KERN_INFO
00376                                      "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s under min categories %s, no override -> not granted \n",
00377                                      current->uid,
00378                                      current->pid,
00379                                      current->comm,
00380                                      u64tostrmac(tmp, categories),
00381                                      u64tostrmac(tmp2, attr_val1.mac_categories));
00382 #endif
00383 #ifndef CONFIG_RSBAC_RMSG_EXCL
00384                         /* only log to standard syslog, if not disabled by kernel boot parameter */
00385                         #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00386                         if (!rsbac_nosyslog)
00387                         #endif
00388                           printk(KERN_INFO
00389                                  "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s under min categories %s, no override -> not granted \n",
00390                                  current->uid,
00391                                  current->pid,
00392                                  current->comm,
00393                                  u64tostrmac(tmp, categories),
00394                                  u64tostrmac(tmp2, attr_val1.mac_categories));
00395 #endif
00396                         rsbac_kfree(tmp2);
00397                       }
00398                     rsbac_kfree(tmp);
00399                   }
00400                 #ifdef CONFIG_RSBAC_SOFTMODE
00401                 if(   !rsbac_softmode
00402                 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00403                    && !rsbac_ind_softmode[MAC]
00404                 #endif
00405                   )
00406                 #endif
00407                   return -EPERM;
00408               }
00409 
00410             /* auto needed? -> stay inside boundaries */
00411             if(!flags & MAC_trusted)
00412               {
00413                 /* check against upper/write boundary */ 
00414                 if (rsbac_get_attr(MAC,
00415                                    T_PROCESS,
00416                                    tid,
00417                                    A_min_write_categories,
00418                                    &attr_val1,
00419                                    FALSE))
00420                   { /* failed! */
00421                     rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00422                     return(-RSBAC_EREADFAILED);
00423                   }
00424                 if ((categories & attr_val1.mac_categories) != categories)
00425                   {
00426                     char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00427 
00428                     if(tmp)
00429                       {
00430                         char * tmp2 = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00431 
00432                         if(tmp2)
00433                           {
00434 #ifdef CONFIG_RSBAC_RMSG
00435                             rsbac_printk(KERN_INFO
00436                                          "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s over min_write categories %s, no override or trusted -> not granted \n",
00437                                          current->uid,
00438                                          current->pid,
00439                                          current->comm,
00440                                          u64tostrmac(tmp, categories),
00441                                          u64tostrmac(tmp2, attr_val1.mac_categories));
00442 #endif
00443 #ifndef CONFIG_RSBAC_RMSG_EXCL
00444                             /* only log to standard syslog, if not disabled by kernel boot parameter */
00445                             #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00446                             if (!rsbac_nosyslog)
00447                             #endif
00448                               printk(KERN_INFO
00449                                      "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s over min_write categories %s, no override or trusted -> not granted \n",
00450                                      current->uid,
00451                                      current->pid,
00452                                      current->comm,
00453                                      u64tostrmac(tmp, categories),
00454                                      u64tostrmac(tmp2, attr_val1.mac_categories));
00455 #endif
00456                             rsbac_kfree(tmp2);
00457                           }
00458                         rsbac_kfree(tmp);
00459                       }
00460                     #ifdef CONFIG_RSBAC_SOFTMODE
00461                     if(   !rsbac_softmode
00462                     #ifdef CONFIG_RSBAC_SOFTMODE_IND
00463                        && !rsbac_ind_softmode[MAC]
00464                     #endif
00465                       )
00466                     #endif
00467                       return -EPERM;
00468                   }
00469                 /* check against lower/read boundary */ 
00470                 if (rsbac_get_attr(MAC,
00471                                    T_PROCESS,
00472                                    tid,
00473                                    A_max_read_categories,
00474                                    &attr_val1,
00475                                    FALSE))
00476                   { /* failed! */
00477                     rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00478                     return(-RSBAC_EREADFAILED);
00479                   }
00480                 if ((categories & attr_val1.mac_categories) != attr_val1.mac_categories)
00481                   {
00482                     char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00483 
00484                     if(tmp)
00485                       {
00486                         char * tmp2 = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00487 
00488                         if(tmp2)
00489                           {
00490 #ifdef CONFIG_RSBAC_RMSG
00491                             rsbac_printk(KERN_INFO
00492                                          "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s under max_read categories %s, no override or trusted -> not granted \n",
00493                                          current->uid,
00494                                          current->pid,
00495                                          current->comm,
00496                                          u64tostrmac(tmp, categories),
00497                                          u64tostrmac(tmp2, attr_val1.mac_categories));
00498 #endif
00499 #ifndef CONFIG_RSBAC_RMSG_EXCL
00500                             /* only log to standard syslog, if not disabled by kernel boot parameter */
00501                             #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00502                             if (!rsbac_nosyslog)
00503                             #endif
00504                               printk(KERN_INFO
00505                                      "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s under max_read categories %s, no override or trusted -> not granted \n",
00506                                      current->uid,
00507                                      current->pid,
00508                                      current->comm,
00509                                      u64tostrmac(tmp, categories),
00510                                      u64tostrmac(tmp2, attr_val1.mac_categories));
00511 #endif
00512                             rsbac_kfree(tmp2);
00513                           }
00514                         rsbac_kfree(tmp);
00515                       }
00516                     #ifdef CONFIG_RSBAC_SOFTMODE
00517                     if(   !rsbac_softmode
00518                     #ifdef CONFIG_RSBAC_SOFTMODE_IND
00519                        && !rsbac_ind_softmode[MAC]
00520                     #endif
00521                       )
00522                     #endif
00523                       return -EPERM;
00524                   }
00525               }
00526           }
00527       }
00528 #endif /* ifndef CONFIG_RSBAC_MAINT */
00529 
00530     /* OK, checks passed: set values */
00531     if(level != SL_none)
00532       {
00533         attr_val1.current_sec_level = level;
00534         if (rsbac_set_attr(MAC,
00535                            T_PROCESS,
00536                            tid,
00537                            A_current_sec_level,
00538                            attr_val1))
00539           { /* failed! */
00540             rsbac_ds_set_error("rsbac_mac_set_curr_level", A_none);
00541             return(-RSBAC_EWRITEFAILED);
00542           }
00543       }
00544     if(categories != RSBAC_MAC_MIN_CAT_VECTOR)
00545       {
00546         attr_val1.mac_categories = categories;
00547         if (rsbac_set_attr(MAC,
00548                            T_PROCESS,
00549                            tid,
00550                            A_mac_curr_categories,
00551                            attr_val1))
00552           { /* failed! */
00553             rsbac_ds_set_error("rsbac_mac_set_curr_level", A_none);
00554             return(-RSBAC_EWRITEFAILED);
00555           }
00556       }
00557     return(0);
00558   }
00559 
00560 /*  getting own levels as well - no restrictions */
00561 int  rsbac_mac_get_curr_level(rsbac_security_level_t * level_p,
00562                               rsbac_mac_category_vector_t * categories_p)
00563   {
00564     union rsbac_target_id_t       tid;
00565     union rsbac_attribute_value_t attr_val;
00566 
00567     tid.process = current->pid;
00568     if(level_p)
00569       {
00570         if (rsbac_get_attr(MAC,
00571                            T_PROCESS,
00572                            tid,
00573                            A_current_sec_level,
00574                            &attr_val,
00575                            FALSE))
00576           { /* failed! */
00577             rsbac_ds_get_error("rsbac_mac_get_curr_level", A_none);
00578             return(-RSBAC_EREADFAILED);
00579           }
00580         *level_p = attr_val.current_sec_level;
00581       }
00582     if(categories_p)
00583       {
00584         if (rsbac_get_attr(MAC,
00585                            T_PROCESS,
00586                            tid,
00587                            A_mac_curr_categories,
00588                            &attr_val,
00589                            FALSE))
00590           { /* failed! */
00591             rsbac_ds_get_error("rsbac_mac_get_curr_level", A_none);
00592             return(-RSBAC_EREADFAILED);
00593           }
00594         *categories_p = attr_val.mac_categories;
00595       }
00596     return 0;
00597   }
00598 
00599 int  rsbac_mac_get_max_level(rsbac_security_level_t * level_p,
00600                               rsbac_mac_category_vector_t * categories_p)
00601   {
00602     union rsbac_target_id_t       tid;
00603     union rsbac_attribute_value_t attr_val;
00604 
00605     tid.process = current->pid;
00606     if(level_p)
00607       {
00608         if (rsbac_get_attr(MAC,
00609                            T_PROCESS,
00610                            tid,
00611                            A_security_level,
00612                            &attr_val,
00613                            FALSE))
00614           { /* failed! */
00615             rsbac_ds_get_error("rsbac_mac_get_max_level", A_none);
00616             return(-RSBAC_EREADFAILED);
00617           }
00618         *level_p = attr_val.security_level;
00619       }
00620     if(categories_p)
00621       {
00622         if (rsbac_get_attr(MAC,
00623                            T_PROCESS,
00624                            tid,
00625                            A_mac_categories,
00626                            &attr_val,
00627                            FALSE))
00628           { /* failed! */
00629             rsbac_ds_get_error("rsbac_mac_get_max_level", A_none);
00630             return(-RSBAC_EREADFAILED);
00631           }
00632         *categories_p = attr_val.mac_categories;
00633       }
00634     return 0;
00635   }
00636 
00637 
00638 int  rsbac_mac_get_min_level(rsbac_security_level_t * level_p,
00639                               rsbac_mac_category_vector_t * categories_p)
00640   {
00641     union rsbac_target_id_t       tid;
00642     union rsbac_attribute_value_t attr_val;
00643 
00644     tid.process = current->pid;
00645     if(level_p)
00646       {
00647         if (rsbac_get_attr(MAC,
00648                            T_PROCESS,
00649                            tid,
00650                            A_min_security_level,
00651                            &attr_val,
00652                            FALSE))
00653           { /* failed! */
00654             rsbac_ds_get_error("rsbac_mac_get_min_level", A_none);
00655             return(-RSBAC_EREADFAILED);
00656           }
00657         *level_p = attr_val.security_level;
00658       }
00659     if(categories_p)
00660       {
00661         if (rsbac_get_attr(MAC,
00662                            T_PROCESS,
00663                            tid,
00664                            A_mac_min_categories,
00665                            &attr_val,
00666                            FALSE))
00667           { /* failed! */
00668             rsbac_ds_get_error("rsbac_mac_get_min_level", A_none);
00669             return(-RSBAC_EREADFAILED);
00670           }
00671         *categories_p = attr_val.mac_categories;
00672       }
00673     return 0;
00674   }
00675 
00676 int rsbac_mac_add_p_tru(
00677   rsbac_list_ta_number_t ta_number,
00678   rsbac_pid_t pid,
00679   rsbac_uid_t uid,
00680   rsbac_time_t ttl)
00681   {
00682 /* check only in non-maint mode */
00683 #if !defined(CONFIG_RSBAC_MAINT)
00684 #ifdef CONFIG_RSBAC_SWITCH
00685     if(rsbac_switch_mac)
00686 #endif
00687       {
00688         if(mac_sys_check_role(SR_security_officer))
00689           {
00690 #ifdef CONFIG_RSBAC_RMSG
00691             rsbac_printk(KERN_INFO
00692                    "rsbac_mac_add_p_tru(): adding MAC trusted user %u to process %u denied for process %u!\n",
00693                    uid,
00694                    pid,
00695                    current->pid);
00696 #endif
00697 #ifndef CONFIG_RSBAC_RMSG_EXCL
00698             printk(KERN_INFO
00699                    "rsbac_mac_add_p_tru(): adding MAC trusted user %u to process %u denied for process %u!\n",
00700                    uid,
00701                    pid,
00702                    current->pid);
00703 #endif
00704             #ifdef CONFIG_RSBAC_SOFTMODE
00705             if(   !rsbac_softmode
00706             #ifdef CONFIG_RSBAC_SOFTMODE_IND
00707                && !rsbac_ind_softmode[MAC]
00708             #endif
00709               )
00710             #endif
00711               return(-EPERM);
00712           }
00713       }
00714 #endif
00715 
00716     /* OK, check passed. Add the truability. */
00717     if(rsbac_mac_add_to_p_truset(ta_number, pid, uid, ttl))
00718       {
00719 #ifdef CONFIG_RSBAC_RMSG
00720         rsbac_printk(KERN_WARNING
00721                "rsbac_mac_add_p_tru(): rsbac_mac_add_to_p_truset() returned error!\n");
00722 #endif
00723 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00724         if (!rsbac_nosyslog)
00725 #endif
00726         printk(KERN_WARNING
00727                "rsbac_mac_add_p_tru(): rsbac_mac_add_to_p_truset() returned error!\n");
00728         return(-RSBAC_EWRITEFAILED);
00729       }
00730     return 0;
00731   }
00732 
00733 int rsbac_mac_remove_p_tru(
00734   rsbac_list_ta_number_t ta_number,
00735   rsbac_pid_t pid,
00736   rsbac_uid_t uid)
00737   {
00738 /* check only in non-maint mode */
00739 #if !defined(CONFIG_RSBAC_MAINT)
00740 #ifdef CONFIG_RSBAC_SWITCH
00741     if(rsbac_switch_mac)
00742 #endif
00743       {
00744         if(mac_sys_check_role(SR_security_officer))
00745           {
00746 #ifdef CONFIG_RSBAC_RMSG
00747             rsbac_printk(KERN_INFO
00748                    "rsbac_mac_remove_p_tru(): removing MAC trusted user %u from process %u denied for process %u!\n",
00749                    uid,
00750                    pid,
00751                    current->pid);
00752 #endif
00753 #ifndef CONFIG_RSBAC_RMSG_EXCL
00754             printk(KERN_INFO
00755                    "rsbac_mac_remove_p_tru(): removing MAC trusted user %u from process %u denied for process %u!\n",
00756                    uid,
00757                    pid,
00758                    current->pid);
00759 #endif
00760             #ifdef CONFIG_RSBAC_SOFTMODE
00761             if(   !rsbac_softmode
00762             #ifdef CONFIG_RSBAC_SOFTMODE_IND
00763                && !rsbac_ind_softmode[MAC]
00764             #endif
00765               )
00766             #endif
00767               return(-EPERM);
00768           }
00769       }
00770 #endif
00771     /* OK, check passed. Try to remove the trusted user */
00772     return(rsbac_mac_remove_from_p_truset(ta_number, pid, uid));
00773   }
00774 
00775 int rsbac_mac_add_f_tru(
00776   rsbac_list_ta_number_t ta_number,
00777   rsbac_mac_file_t file,
00778   rsbac_uid_t uid,
00779   rsbac_time_t ttl)
00780   {
00781 /* check only in non-maint mode */
00782 #if !defined(CONFIG_RSBAC_MAINT)
00783 #ifdef CONFIG_RSBAC_SWITCH
00784     if(rsbac_switch_mac)
00785 #endif
00786       {
00787         if(mac_sys_check_role(SR_security_officer))
00788           {
00789 #ifdef CONFIG_RSBAC_RMSG
00790             rsbac_printk(KERN_INFO
00791                    "rsbac_mac_add_f_tru(): adding MAC trusted user %u to file %u on device %02u:%02u denied for process %u!\n",
00792                    uid,
00793                    file.inode,
00794                    MAJOR(file.device),
00795                    MINOR(file.device),
00796                    current->pid);
00797 #endif
00798 #ifndef CONFIG_RSBAC_RMSG_EXCL
00799             printk(KERN_INFO
00800                    "rsbac_mac_add_f_tru(): adding MAC trusted user %u to file %u on device %02u:%02u denied for process %u!\n",
00801                    uid,
00802                    file.inode,
00803                    MAJOR(file.device),
00804                    MINOR(file.device),
00805                    current->pid);
00806 #endif
00807             #ifdef CONFIG_RSBAC_SOFTMODE
00808             if(   !rsbac_softmode
00809             #ifdef CONFIG_RSBAC_SOFTMODE_IND
00810                && !rsbac_ind_softmode[MAC]
00811             #endif
00812               )
00813             #endif
00814               return(-EPERM);
00815           }
00816       }
00817 #endif
00818 
00819     if(rsbac_mac_add_to_f_truset(ta_number, file, uid, ttl))
00820       {
00821 #ifdef CONFIG_RSBAC_RMSG
00822         rsbac_printk(KERN_WARNING
00823                "rsbac_mac_add_f_tru(): rsbac_mac_add_to_f_truset() returned error!\n");
00824 #endif
00825 #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
00826         if (!rsbac_nosyslog)
00827 #endif
00828         printk(KERN_WARNING
00829                "rsbac_mac_add_f_tru(): rsbac_mac_add_to_f_truset() returned error!\n");
00830         return(-RSBAC_EWRITEFAILED);
00831       }
00832     return 0;
00833   }
00834 
00835 int rsbac_mac_remove_f_tru(
00836   rsbac_list_ta_number_t ta_number,
00837   rsbac_mac_file_t file,
00838   rsbac_uid_t uid)
00839   {
00840 /* check only in non-maint mode */
00841 #if !defined(CONFIG_RSBAC_MAINT)
00842 #ifdef CONFIG_RSBAC_SWITCH
00843     if(rsbac_switch_mac)
00844 #endif
00845       {
00846         if(mac_sys_check_role(SR_security_officer))
00847           {
00848 #ifdef CONFIG_RSBAC_RMSG
00849             rsbac_printk(KERN_INFO
00850                    "rsbac_mac_remove_f_tru(): removing MAC trusted user %u from file %u on device %02u:%02u denied for process %u!\n",
00851                    uid,
00852                    file.inode,
00853                    MAJOR(file.device),
00854                    MINOR(file.device),
00855                    current->pid);
00856 #endif
00857 #ifndef CONFIG_RSBAC_RMSG_EXCL
00858             printk(KERN_INFO
00859                    "rsbac_mac_remove_f_tru(): removing MAC trusted user %u from file %u on device %02u:%02u denied for process %u!\n",
00860                    uid,
00861                    file.inode,
00862                    MAJOR(file.device),
00863                    MINOR(file.device),
00864                    current->pid);
00865 #endif
00866             #ifdef CONFIG_RSBAC_SOFTMODE
00867             if(   !rsbac_softmode
00868             #ifdef CONFIG_RSBAC_SOFTMODE_IND
00869                && !rsbac_ind_softmode[MAC]
00870             #endif
00871               )
00872             #endif
00873               return(-EPERM);
00874           }
00875       }
00876 #endif
00877 
00878     return(rsbac_mac_remove_from_f_truset(ta_number, file, uid));
00879   }
00880 
00881 
00882 /* end of rsbac/adf/mac/syscalls.c */
Generated on Fri Jun 17 09:45:19 2005 for RSBAC by  doxygen 1.4.2