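/**
 * piga_proc_mode_write - /proc write handler toggling PIGA audit-only mode.
 * @file:   procfs file being written (unused).
 * @buffer: user-space buffer; only its first byte is inspected.
 * @count:  number of bytes user space wrote (attacker controlled).
 * @data:   procfs private data (unused).
 *
 * Input starting with '0' turns audit-only mode off, input starting
 * with '1' turns it on; anything else leaves the mode untouched.
 *
 * The previous version copied all @count bytes into a VLA on the kernel
 * stack, so a large write could exhaust the stack, and @count == ULONG_MAX
 * made @count + 1 wrap to zero before the terminator was stored.  Only
 * the first byte matters, so the copy is now bounded by a small fixed
 * buffer and any excess input is consumed without being read.
 *
 * Return: @count on success, -EFAULT if the user buffer is unreadable.
 */
int piga_proc_mode_write(struct file *file, const char *buffer, unsigned long count, void *data)
{
	char tmp[8];
	unsigned long len = count;

	/* Bound the copy: the decision below only ever looks at tmp[0]. */
	if (len > sizeof(tmp) - 1) {
		len = sizeof(tmp) - 1;
	}

	if (copy_from_user(tmp, buffer, len)) {
		return -EFAULT;
	}

	tmp[len] = '\0';

	if (tmp[0] == '0') {
		*piga_audit_only_mode() = false;
		printk(KERN_INFO "PIGA: Audit only mode : off\n");
	} else if (tmp[0] == '1') {
		*piga_audit_only_mode() = true;
		printk(KERN_INFO "PIGA: Audit only mode : on\n");
	}

	/* The whole write is reported as consumed, as before, so user space
	 * does not retry with the unread remainder. */
	return count;
}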
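/**
 * piga_proc_mode_read - /proc read handler reporting PIGA audit-only mode.
 * @buffer:          page-sized output buffer supplied by procfs.
 * @buffer_location: start pointer for the legacy read_proc protocol (unused,
 *                   left untouched as in the original).
 * @offset:          file offset of this read; a non-zero offset means the
 *                   single line has already been handed out.
 * @buffer_length:   capacity of @buffer in bytes.
 * @eof:             set to 1 once there is nothing more to read.
 * @data:            procfs private data (unused).
 *
 * Emits one of two fixed status lines depending on the value behind
 * piga_audit_only_mode().  The write into @buffer is now bounded by
 * @buffer_length (the original used an unbounded sprintf), and @eof is
 * set so procfs does not have to make a second call to discover the end.
 *
 * Return: number of bytes placed in @buffer, 0 at end of file.
 */
int piga_proc_mode_read(char *buffer, char **buffer_location,  off_t offset, int buffer_length, int *eof, void *data)
{
	int result;

	if (buffer_length <= 0) {
		return 0;
	}

	if (offset > 0) {
		/* Everything was returned on the first call: report EOF. */
		if (eof) {
			*eof = 1;
		}
		return 0;
	}

	if (*piga_audit_only_mode() == 0) {
		result = snprintf(buffer, buffer_length, "Disabled: Full check\n");
	} else {
		result = snprintf(buffer, buffer_length, "Enabled: Audit only\n");
	}

	/* snprintf reports the untruncated length; never claim more bytes
	 * than actually fit in @buffer. */
	if (result < 0) {
		return 0;
	}
	if (result >= buffer_length) {
		result = buffer_length - 1;
	}

	if (eof) {
		*eof = 1;
	}

	return result;
}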
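/**
 * piga_has_perm - PIGA access check layered on top of an SELinux decision.
 * @ssid:      source security identifier.
 * @tsid:      target security identifier.
 * @tclass:    target object class.
 * @requested: requested permission bits.
 * @auditdata: audit data, passed through to print_vector().
 * @rc:        SELinux's own verdict; returned unchanged when PIGA is
 *             disabled or when, in audit-only mode, SELinux would not
 *             audit this access.
 * @avd:       SELinux access vector decision, may be NULL.
 *
 * When PIGA is enabled, walks the sequences registered for the
 * (@ssid, @tsid, @tclass) triple.  A sequence whose current step matches
 * the access is logged via print_vector() and advanced; a sequence that
 * has reached its last step yields PIGA_DENY.  Absent any such match the
 * result is PIGA_ALLOW.
 *
 * Compared with the previous version: dead commented-out code and the
 * unused locals (ret, tmp) are gone, and a NULL result from
 * piga_get_sequence_at() is no longer dereferenced.
 *
 * Return: @rc, PIGA_ALLOW or PIGA_DENY as described above.
 */
int piga_has_perm(u32 ssid, u32 tsid, u16 tclass, u32 requested, struct common_audit_data *auditdata, int rc, struct av_decision * avd)
{
	struct sequence *seqs;
	struct sequence *s;
	unsigned int i;
	u32 denied = 0, audited = 0;

	if (*piga_status() != true) {
		return rc;
	}

	/*
	 * Resolve whether SELinux allowed, denied or merely logged the
	 * access.  In audit-only mode a vector that SELinux would not audit
	 * is not traced through the PIGA sequences, and the SELinux verdict
	 * is returned as-is.  For this shortcut to be valid, every vector in
	 * a PIGA signature/sequence needs a matching SELinux auditallow rule.
	 */
	if (avd) {
		denied = requested & ~avd->allowed;
		if (*piga_audit_only_mode() == true) {
			if (denied) {
				audited = denied;
				if (!(audited & avd->auditdeny)) {
					return rc;
				}
			} else {
				audited = requested;
				if (!(audited & avd->auditallow)) {
					return rc;
				}
			}
		}
	}

	rc = PIGA_ALLOW;
	seqs = piga_get_sequence_at(ssid, tsid, tclass);
	/*
	 * NOTE(review): the loop below indexes seqs for s_len entries; whether
	 * s_len always describes the array returned here cannot be seen from
	 * this file — confirm against piga_get_sequence_at().  A NULL lookup
	 * result is at least no longer dereferenced.
	 */
	if (!seqs) {
		return rc;
	}

	for (i = 0; i < s_len; ++i) {
		s = seqs + i;

		if (piga_seq_get_cs(s) == ssid
			&& piga_seq_get_cc(s) == tsid
			&& piga_seq_get_tclass(s) == tclass
			/* FIXME: decide how requested should match the step
			 * (any bit, all bits, exact?) — currently any common bit. */
			&& (piga_seq_get_requested(s) & requested) > 0) {
			print_vector(ssid, tsid, tclass, requested, auditdata, rc, avd);
			if (piga_seq_end(s) == true) {
				/* Last step of a forbidden sequence reached. */
				printk(KERN_INFO "PIGA: DENIED\n");
				rc = PIGA_DENY;
			} else {
				piga_seq_next(s);
			}
		}
	}

	return rc;
}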