static int dazuko_file_struct_cleanup(struct dazuko_file_struct **dfs) { if (dfs == NULL) return 0; if (*dfs == NULL) return 0; if ((*dfs)->filename) xp_free((*dfs)->filename); if ((*dfs)->extra_data) xp_free((*dfs)->extra_data); xp_free(*dfs); *dfs = NULL; return 0; }
void FreeXprt(SVCXPRT *xprt) { if(!xprt) { LogFullDebug(COMPONENT_RPC, "Attempt to free NULL xprt"); return; } LogFullDebug(COMPONENT_RPC, "FreeXprt xprt=%p", xprt); if(xprt->xp_ops == &Svcudp_op) { xp_free(Su_data(xprt)); xp_free(rpc_buffer(xprt)); } else if (xprt->xp_ops == &Svctcp_op) { struct tcp_conn *cd = (struct tcp_conn *)xprt->xp_p1; XDR_DESTROY(&(cd->xdrs)); xp_free(xprt->xp_p1); /* cd */ } else if (xprt->xp_ops == &Svctcp_rendezvous_op) { xp_free(xprt->xp_p1); /* r */ } else { LogCrit(COMPONENT_RPC, "Attempt to free unknown xprt %p", xprt); return; } Mem_Free(xprt); }
static int dummy_dazuko_sys_generic(int event, const char *filename, int daemon_is_allowed) { struct dazuko_file_struct *dfs = NULL; struct event_properties event_p; struct xp_daemon_id xp_id; int error = 0; int check_error = 0; struct slot_list *sl = NULL; xp_id.id = DUMMY_ID; check_error = dazuko_check_access(event, daemon_is_allowed, &xp_id, &sl); if (check_error == 0) { dazuko_bzero(&event_p, sizeof(event_p)); event_p.pid = xp_id.id; event_p.set_pid = 1; event_p.uid = 15; event_p.set_uid = 1; dfs = (struct dazuko_file_struct *)xp_malloc(sizeof(struct dazuko_file_struct)); if (dfs != NULL) { dazuko_bzero(dfs, sizeof(struct dazuko_file_struct)); dfs->extra_data = (struct xp_file_struct *)xp_malloc(sizeof(struct xp_file_struct)); if (dfs->extra_data != NULL) { dazuko_bzero(dfs->extra_data, sizeof(struct xp_file_struct)); dfs->extra_data->user_filename = filename; error = dazuko_process_access(event, dfs, &event_p, sl); dazuko_file_struct_cleanup(&dfs); } else { xp_free(dfs); dfs = NULL; } } } return error; }
int xp_print(const char *fmt, ...) { va_list args; char *p; size_t size = 1024; p = (char *)xp_malloc(size); if (!p) return -1; va_start(args, fmt); dazuko_vsnprintf(p, size, fmt, args); va_end(args); p[size-1] = 0; printk(p); rsbac_printk(p); xp_free(p); return 0; }
enum rsbac_adf_req_ret_t rsbac_adf_request_daz (enum rsbac_adf_request_t request, rsbac_pid_t caller_pid, enum rsbac_target_t target, union rsbac_target_id_t tid, enum rsbac_attribute_t attr, union rsbac_attribute_value_t attr_val, rsbac_uid_t owner) { struct dazuko_file_struct *dfs = NULL; struct xp_daemon_id xp_id; int error = 0; int check_error = 0; struct event_properties event_p; int event; int daemon_allowed; struct slot_list *sl = NULL; union rsbac_target_id_t i_tid; union rsbac_attribute_value_t i_attr_val1; switch (request) { case R_DELETE: if (target == T_FILE) { event = DAZUKO_ON_UNLINK; daemon_allowed = 1; } else if (target == T_DIR) { event = DAZUKO_ON_RMDIR; daemon_allowed = 1; } else { return DO_NOT_CARE; } break; case R_CLOSE: if (target == T_FILE) { event = DAZUKO_ON_CLOSE; daemon_allowed = 1; } else { return DO_NOT_CARE; } break; case R_EXECUTE: if (target == T_FILE) { event = DAZUKO_ON_EXEC; daemon_allowed = 0; } else { return DO_NOT_CARE; } break; case R_APPEND_OPEN: case R_READ_WRITE_OPEN: case R_READ_OPEN: case R_WRITE_OPEN: if (target == T_FILE) { event = DAZUKO_ON_OPEN; daemon_allowed = 1; } else if (target == T_DEV) { if( (tid.dev.type == D_char) && (MAJOR(tid.dev.id) == CONFIG_RSBAC_DAZ_DEV_MAJOR) ) { i_tid.process = caller_pid; if (rsbac_get_attr(DAZ, T_PROCESS, i_tid, A_daz_scanner, &i_attr_val1, TRUE)) { #ifdef CONFIG_RSBAC_RMSG rsbac_printk(KERN_WARNING "rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n"); #endif #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG if (!rsbac_nosyslog) #endif printk(KERN_WARNING "rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n"); return(NOT_GRANTED); } /* if scanner, then grant */ if (i_attr_val1.daz_scanner) return(GRANTED); else return(NOT_GRANTED); } else return DO_NOT_CARE; } else { return DO_NOT_CARE; } break; case R_MODIFY_ATTRIBUTE: switch(attr) { case A_daz_scanned: case A_daz_scanner: case A_system_role: case A_daz_role: /* All attributes (remove target!) */ case A_none: /* Security Officer? */ i_tid.user = owner; if (rsbac_get_attr(DAZ, T_USER, i_tid, A_daz_role, &i_attr_val1, TRUE)) { #ifdef CONFIG_RSBAC_RMSG rsbac_printk(KERN_WARNING "rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n"); #endif #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG if (!rsbac_nosyslog) #endif printk(KERN_WARNING "rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n"); return(NOT_GRANTED); } /* if sec_officer, then grant */ if (i_attr_val1.system_role == SR_security_officer) return(GRANTED); else return(NOT_GRANTED); default: return(DO_NOT_CARE); } case R_READ_ATTRIBUTE: switch(attr) { /* every user may see scan status of files */ case A_daz_scanned: return(GRANTED); /* ...but only security officers may see other attributes */ case A_system_role: case A_daz_role: case A_daz_scanner: /* Security Officer? */ i_tid.user = owner; if (rsbac_get_attr(DAZ, T_USER, i_tid, A_daz_role, &i_attr_val1, TRUE)) { #ifdef CONFIG_RSBAC_RMSG rsbac_printk(KERN_WARNING "rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n"); #endif #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG if (!rsbac_nosyslog) #endif printk(KERN_WARNING "rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n"); return(NOT_GRANTED); } /* if sec_officer, then grant */ if (i_attr_val1.system_role == SR_security_officer) return(GRANTED); else return(NOT_GRANTED); default: return(DO_NOT_CARE); } case R_SWITCH_MODULE: switch(target) { case T_NONE: /* we need the switch_target */ if(attr != A_switch_target) return(UNDEFINED); /* do not care for other modules */ if( (attr_val.switch_target != DAZ) #ifdef CONFIG_RSBAC_SOFTMODE && (attr_val.switch_target != SOFTMODE) #endif ) return(DO_NOT_CARE); /* test owner's daz_role */ i_tid.user = owner; if (rsbac_get_attr(DAZ, T_USER, i_tid, A_daz_role, &i_attr_val1, TRUE)) { #ifdef CONFIG_RSBAC_RMSG rsbac_printk(KERN_WARNING "rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n"); #endif #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG if (!rsbac_nosyslog) #endif printk(KERN_WARNING "rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n"); return(NOT_GRANTED); } /* security officer? -> grant */ if (i_attr_val1.system_role == SR_security_officer) return(GRANTED); else return(NOT_GRANTED); /* all other cases are undefined */ default: return(DO_NOT_CARE); } /*********************/ default: return DO_NOT_CARE; } #if defined(CONFIG_RSBAC_DAZ_CACHE) /* get daz_scanned for file */ if (rsbac_get_attr(DAZ, T_FILE, tid, A_daz_scanned, &i_attr_val1, TRUE)) { #ifdef CONFIG_RSBAC_RMSG rsbac_printk(KERN_WARNING "rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n"); #endif #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG if (!rsbac_nosyslog) #endif printk(KERN_WARNING "rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n"); return(-RSBAC_EREADFAILED); } if(i_attr_val1.daz_scanned == DAZ_clean) return GRANTED; #endif xp_id.pid = current->pid; xp_id.file = NULL; xp_id.current_p = current; xp_id.files = current->files; check_error = dazuko_check_access(event, daemon_allowed, &xp_id, &sl); if (!check_error) { dazuko_bzero(&event_p, sizeof(event_p)); /* event_p.flags = flags; event_p.set_flags = 1; event_p.mode = mode; event_p.set_mode = 1; */ event_p.pid = current->pid; event_p.set_pid = 1; event_p.uid = current->uid; event_p.set_uid = 1; dfs = (struct dazuko_file_struct *)xp_malloc(sizeof(struct dazuko_file_struct)); if (dfs != NULL) { dazuko_bzero(dfs, sizeof(struct dazuko_file_struct)); dfs->extra_data = (struct xp_file_struct *)xp_malloc(sizeof(struct xp_file_struct)); if (dfs->extra_data != NULL) { dazuko_bzero(dfs->extra_data, sizeof(struct xp_file_struct)); dfs->extra_data->dentry = tid.file.dentry_p; error = dazuko_process_access(event, dfs, &event_p, sl); #if defined(CONFIG_RSBAC_DAZ_CACHE) if(!error) i_attr_val1.daz_scanned = DAZ_clean; else i_attr_val1.daz_scanned = DAZ_infected; if (rsbac_set_attr(DAZ, target, tid, A_daz_scanned, i_attr_val1)) { #ifdef CONFIG_RSBAC_RMSG rsbac_printk(KERN_WARNING "rsbac_adf_request_daz(): rsbac_set_attr() returned error!\n"); #endif #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG if (!rsbac_nosyslog) #endif printk(KERN_WARNING "rsbac_adf_request_daz(): rsbac_set_attr() returned error!\n"); return NOT_GRANTED; } #endif } else { xp_free(dfs); dfs = NULL; } dazuko_file_struct_cleanup(&dfs); } } if(!error) return GRANTED; else return NOT_GRANTED; }; /* end of rsbac_adf_request_daz() */
int xp_id_free(struct xp_daemon_id *id) { xp_free(id); return 0; }
int rsbac_adf_set_attr_daz( enum rsbac_adf_request_t request, rsbac_pid_t caller_pid, enum rsbac_target_t target, union rsbac_target_id_t tid, enum rsbac_target_t new_target, union rsbac_target_id_t new_tid, enum rsbac_attribute_t attr, union rsbac_attribute_value_t attr_val, rsbac_uid_t owner) { struct dazuko_file_struct *dfs = NULL; struct xp_daemon_id xp_id; int check_error = 0; struct event_properties event_p; int event; int daemon_allowed; union rsbac_target_id_t i_tid; union rsbac_attribute_value_t i_attr_val1; union rsbac_attribute_value_t i_attr_val2; struct slot_list *sl = NULL; switch (request) { case R_DELETE: if (target == T_FILE) { reset_scanned(tid.file); event = DAZUKO_ON_UNLINK; daemon_allowed = 1; } else if (target == T_DIR) { event = DAZUKO_ON_RMDIR; daemon_allowed = 1; } else { return(0); } break; case R_CLOSE: if (target == T_FILE) { event = DAZUKO_ON_CLOSE; daemon_allowed = 1; } else { return(0); } break; case R_EXECUTE: if (target == T_FILE) { /* get daz_scanner for file */ if (rsbac_get_attr(DAZ, T_FILE, tid, A_daz_scanner, &i_attr_val1, TRUE)) { #ifdef CONFIG_RSBAC_RMSG rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_daz(): rsbac_get_attr() returned error!\n"); #endif #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG if (!rsbac_nosyslog) #endif printk(KERN_WARNING "rsbac_adf_set_attr_daz(): rsbac_get_attr() returned error!\n"); return(-RSBAC_EREADFAILED); } /* get for process */ i_tid.process = caller_pid; if (rsbac_get_attr(DAZ, T_PROCESS, i_tid, A_daz_scanner, &i_attr_val2, FALSE)) { #ifdef CONFIG_RSBAC_RMSG rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_daz(): rsbac_get_attr() returned error!\n"); #endif #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG if (!rsbac_nosyslog) #endif printk(KERN_WARNING "rsbac_adf_set_attr_daz(): rsbac_get_attr() returned error!\n"); return(-RSBAC_EREADFAILED); } /* and set for process, if different */ if(i_attr_val1.daz_scanner != i_attr_val2.daz_scanner) if (rsbac_set_attr(DAZ, T_PROCESS, i_tid, A_daz_scanner, i_attr_val1)) { #ifdef CONFIG_RSBAC_RMSG rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_daz(): rsbac_set_attr() returned error!\n"); #endif #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG if (!rsbac_nosyslog) #endif printk(KERN_WARNING "rsbac_adf_set_attr_daz(): rsbac_set_attr() returned error!\n"); return(-RSBAC_EWRITEFAILED); } event = DAZUKO_ON_EXEC; daemon_allowed = 0; } else { return(0); } break; case R_APPEND_OPEN: case R_READ_WRITE_OPEN: case R_WRITE_OPEN: if (target == T_FILE) { reset_scanned(tid.file); event = DAZUKO_ON_OPEN; daemon_allowed = 1; } else { return(0); } break; case R_READ_OPEN: if (target == T_FILE) { event = DAZUKO_ON_OPEN; daemon_allowed = 1; } else { return(0); } break; case R_CLONE: if (target == T_PROCESS) { /* Get daz_scanner from first process */ if (rsbac_get_attr(DAZ, T_PROCESS, tid, A_daz_scanner, &i_attr_val1, FALSE)) { #ifdef CONFIG_RSBAC_RMSG rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_daz(): rsbac_get_attr() returned error!\n"); #endif #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG if (!rsbac_nosyslog) #endif printk(KERN_WARNING "rsbac_adf_set_attr_daz(): rsbac_get_attr() returned error!\n"); return(-RSBAC_EREADFAILED); } /* Set daz_scanner for new process, if set for first */ if ( i_attr_val1.daz_scanner && (rsbac_set_attr(DAZ, T_PROCESS, new_tid, A_daz_scanner, i_attr_val1)) ) { #ifdef CONFIG_RSBAC_RMSG rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_daz(): rsbac_set_attr() returned error!\n"); #endif #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG if (!rsbac_nosyslog) #endif printk(KERN_WARNING "rsbac_adf_set_attr_daz(): rsbac_set_attr() returned error!\n"); return(-RSBAC_EWRITEFAILED); } return(0); } else return(0); /*********************/ default: return(0); } #if defined(CONFIG_RSBAC_DAZ_CACHE) /* get daz_scanned for file */ if (rsbac_get_attr(DAZ, T_FILE, tid, A_daz_scanned, &i_attr_val1, TRUE)) { #ifdef CONFIG_RSBAC_RMSG rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_daz(): rsbac_get_attr() returned error!\n"); #endif #ifdef CONFIG_RSBAC_RMSG_NOSYSLOG if (!rsbac_nosyslog) #endif printk(KERN_WARNING "rsbac_adf_set_attr_daz(): rsbac_get_attr() returned error!\n"); return(-RSBAC_EREADFAILED); } if(i_attr_val1.daz_scanned == DAZ_clean) return 0; #endif xp_id.pid = current->pid; xp_id.file = NULL; xp_id.current_p = current; xp_id.files = current->files; check_error = dazuko_check_access(event, daemon_allowed, &xp_id, &sl); if (!check_error) { dazuko_bzero(&event_p, sizeof(event_p)); /* event_p.flags = flags; event_p.set_flags = 1; event_p.mode = mode; event_p.set_mode = 1; */ event_p.pid = current->pid; event_p.set_pid = 1; event_p.uid = current->uid; event_p.set_uid = 1; dfs = (struct dazuko_file_struct *)xp_malloc(sizeof(struct dazuko_file_struct)); if (dfs != NULL) { dazuko_bzero(dfs, sizeof(struct dazuko_file_struct)); dfs->extra_data = (struct xp_file_struct *)xp_malloc(sizeof(struct xp_file_struct)); if (dfs->extra_data != NULL) { dazuko_bzero(dfs->extra_data, sizeof(struct xp_file_struct)); dfs->extra_data->dentry = tid.file.dentry_p; dazuko_process_access(event, dfs, &event_p, sl); } else { xp_free(dfs); dfs = NULL; } dazuko_file_struct_cleanup(&dfs); } } return(0); }; /* end of rsbac_adf_set_attr_daz() */