static int dazuko_file_struct_cleanup(struct dazuko_file_struct **dfs)
{
if (dfs == NULL)
return 0;
if (*dfs == NULL)
return 0;
if ((*dfs)->filename)
xp_free((*dfs)->filename);
if ((*dfs)->extra_data)
xp_free((*dfs)->extra_data);
xp_free(*dfs);
*dfs = NULL;
return 0;
}
void FreeXprt(SVCXPRT *xprt)
{
if(!xprt)
{
LogFullDebug(COMPONENT_RPC,
"Attempt to free NULL xprt");
return;
}
LogFullDebug(COMPONENT_RPC,
"FreeXprt xprt=%p", xprt);
if(xprt->xp_ops == &Svcudp_op)
{
xp_free(Su_data(xprt));
xp_free(rpc_buffer(xprt));
}
else if (xprt->xp_ops == &Svctcp_op)
{
struct tcp_conn *cd = (struct tcp_conn *)xprt->xp_p1;
XDR_DESTROY(&(cd->xdrs));
xp_free(xprt->xp_p1); /* cd */
}
else if (xprt->xp_ops == &Svctcp_rendezvous_op)
{
xp_free(xprt->xp_p1); /* r */
}
else
{
LogCrit(COMPONENT_RPC,
"Attempt to free unknown xprt %p",
xprt);
return;
}
Mem_Free(xprt);
}
static int dummy_dazuko_sys_generic(int event, const char *filename, int daemon_is_allowed)
{
struct dazuko_file_struct *dfs = NULL;
struct event_properties event_p;
struct xp_daemon_id xp_id;
int error = 0;
int check_error = 0;
struct slot_list *sl = NULL;
xp_id.id = DUMMY_ID;
check_error = dazuko_check_access(event, daemon_is_allowed, &xp_id, &sl);
if (check_error == 0)
{
dazuko_bzero(&event_p, sizeof(event_p));
event_p.pid = xp_id.id;
event_p.set_pid = 1;
event_p.uid = 15;
event_p.set_uid = 1;
dfs = (struct dazuko_file_struct *)xp_malloc(sizeof(struct dazuko_file_struct));
if (dfs != NULL)
{
dazuko_bzero(dfs, sizeof(struct dazuko_file_struct));
dfs->extra_data = (struct xp_file_struct *)xp_malloc(sizeof(struct xp_file_struct));
if (dfs->extra_data != NULL)
{
dazuko_bzero(dfs->extra_data, sizeof(struct xp_file_struct));
dfs->extra_data->user_filename = filename;
error = dazuko_process_access(event, dfs, &event_p, sl);
dazuko_file_struct_cleanup(&dfs);
}
else
{
xp_free(dfs);
dfs = NULL;
}
}
}
return error;
}
int xp_print(const char *fmt, ...)
{
va_list args;
char *p;
size_t size = 1024;
p = (char *)xp_malloc(size);
if (!p)
return -1;
va_start(args, fmt);
dazuko_vsnprintf(p, size, fmt, args);
va_end(args);
p[size-1] = 0;
printk(p);
rsbac_printk(p);
xp_free(p);
return 0;
}
enum rsbac_adf_req_ret_t
rsbac_adf_request_daz (enum rsbac_adf_request_t request,
rsbac_pid_t caller_pid,
enum rsbac_target_t target,
union rsbac_target_id_t tid,
enum rsbac_attribute_t attr,
union rsbac_attribute_value_t attr_val,
rsbac_uid_t owner)
{
struct dazuko_file_struct *dfs = NULL;
struct xp_daemon_id xp_id;
int error = 0;
int check_error = 0;
struct event_properties event_p;
int event;
int daemon_allowed;
struct slot_list *sl = NULL;
union rsbac_target_id_t i_tid;
union rsbac_attribute_value_t i_attr_val1;
switch (request)
{
case R_DELETE:
if (target == T_FILE)
{
event = DAZUKO_ON_UNLINK;
daemon_allowed = 1;
}
else if (target == T_DIR)
{
event = DAZUKO_ON_RMDIR;
daemon_allowed = 1;
}
else
{
return DO_NOT_CARE;
}
break;
case R_CLOSE:
if (target == T_FILE)
{
event = DAZUKO_ON_CLOSE;
daemon_allowed = 1;
}
else
{
return DO_NOT_CARE;
}
break;
case R_EXECUTE:
if (target == T_FILE)
{
event = DAZUKO_ON_EXEC;
daemon_allowed = 0;
}
else
{
return DO_NOT_CARE;
}
break;
case R_APPEND_OPEN:
case R_READ_WRITE_OPEN:
case R_READ_OPEN:
case R_WRITE_OPEN:
if (target == T_FILE)
{
event = DAZUKO_ON_OPEN;
daemon_allowed = 1;
}
else
if (target == T_DEV)
{
if( (tid.dev.type == D_char)
&& (MAJOR(tid.dev.id) == CONFIG_RSBAC_DAZ_DEV_MAJOR)
)
{
i_tid.process = caller_pid;
if (rsbac_get_attr(DAZ,
T_PROCESS,
i_tid,
A_daz_scanner,
&i_attr_val1,
TRUE))
{
#ifdef CONFIG_RSBAC_RMSG
rsbac_printk(KERN_WARNING
"rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n");
#endif
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
if (!rsbac_nosyslog)
#endif
printk(KERN_WARNING
"rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n");
return(NOT_GRANTED);
}
/* if scanner, then grant */
if (i_attr_val1.daz_scanner)
return(GRANTED);
else
return(NOT_GRANTED);
}
else
return DO_NOT_CARE;
}
else
{
return DO_NOT_CARE;
}
break;
case R_MODIFY_ATTRIBUTE:
switch(attr)
{
case A_daz_scanned:
case A_daz_scanner:
case A_system_role:
case A_daz_role:
/* All attributes (remove target!) */
case A_none:
/* Security Officer? */
i_tid.user = owner;
if (rsbac_get_attr(DAZ,
T_USER,
i_tid,
A_daz_role,
&i_attr_val1,
TRUE))
{
#ifdef CONFIG_RSBAC_RMSG
rsbac_printk(KERN_WARNING
"rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n");
#endif
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
if (!rsbac_nosyslog)
#endif
printk(KERN_WARNING
"rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n");
return(NOT_GRANTED);
}
/* if sec_officer, then grant */
if (i_attr_val1.system_role == SR_security_officer)
return(GRANTED);
else
return(NOT_GRANTED);
default:
return(DO_NOT_CARE);
}
case R_READ_ATTRIBUTE:
switch(attr)
{
/* every user may see scan status of files */
case A_daz_scanned:
return(GRANTED);
/* ...but only security officers may see other attributes */
case A_system_role:
case A_daz_role:
case A_daz_scanner:
/* Security Officer? */
i_tid.user = owner;
if (rsbac_get_attr(DAZ,
T_USER,
i_tid,
A_daz_role,
&i_attr_val1,
TRUE))
{
#ifdef CONFIG_RSBAC_RMSG
rsbac_printk(KERN_WARNING
"rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n");
#endif
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
if (!rsbac_nosyslog)
#endif
printk(KERN_WARNING
"rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n");
return(NOT_GRANTED);
}
/* if sec_officer, then grant */
if (i_attr_val1.system_role == SR_security_officer)
return(GRANTED);
else
return(NOT_GRANTED);
default:
return(DO_NOT_CARE);
}
case R_SWITCH_MODULE:
switch(target)
{
case T_NONE:
/* we need the switch_target */
if(attr != A_switch_target)
return(UNDEFINED);
/* do not care for other modules */
if( (attr_val.switch_target != DAZ)
#ifdef CONFIG_RSBAC_SOFTMODE
&& (attr_val.switch_target != SOFTMODE)
#endif
)
return(DO_NOT_CARE);
/* test owner's daz_role */
i_tid.user = owner;
if (rsbac_get_attr(DAZ,
T_USER,
i_tid,
A_daz_role,
&i_attr_val1,
TRUE))
{
#ifdef CONFIG_RSBAC_RMSG
rsbac_printk(KERN_WARNING "rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n");
#endif
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
if (!rsbac_nosyslog)
#endif
printk(KERN_WARNING "rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n");
return(NOT_GRANTED);
}
/* security officer? -> grant */
if (i_attr_val1.system_role == SR_security_officer)
return(GRANTED);
else
return(NOT_GRANTED);
/* all other cases are undefined */
default: return(DO_NOT_CARE);
}
/*********************/
default: return DO_NOT_CARE;
}
#if defined(CONFIG_RSBAC_DAZ_CACHE)
/* get daz_scanned for file */
if (rsbac_get_attr(DAZ,
T_FILE,
tid,
A_daz_scanned,
&i_attr_val1,
TRUE))
{
#ifdef CONFIG_RSBAC_RMSG
rsbac_printk(KERN_WARNING
"rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n");
#endif
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
if (!rsbac_nosyslog)
#endif
printk(KERN_WARNING
"rsbac_adf_request_daz(): rsbac_get_attr() returned error!\n");
return(-RSBAC_EREADFAILED);
}
if(i_attr_val1.daz_scanned == DAZ_clean)
return GRANTED;
#endif
xp_id.pid = current->pid;
xp_id.file = NULL;
xp_id.current_p = current;
xp_id.files = current->files;
check_error = dazuko_check_access(event, daemon_allowed, &xp_id, &sl);
if (!check_error)
{
dazuko_bzero(&event_p, sizeof(event_p));
/*
event_p.flags = flags;
event_p.set_flags = 1;
event_p.mode = mode;
event_p.set_mode = 1;
*/
event_p.pid = current->pid;
event_p.set_pid = 1;
event_p.uid = current->uid;
event_p.set_uid = 1;
dfs = (struct dazuko_file_struct *)xp_malloc(sizeof(struct dazuko_file_struct));
if (dfs != NULL)
{
dazuko_bzero(dfs, sizeof(struct dazuko_file_struct));
dfs->extra_data = (struct xp_file_struct *)xp_malloc(sizeof(struct xp_file_struct));
if (dfs->extra_data != NULL)
{
dazuko_bzero(dfs->extra_data, sizeof(struct xp_file_struct));
dfs->extra_data->dentry = tid.file.dentry_p;
error = dazuko_process_access(event, dfs, &event_p, sl);
#if defined(CONFIG_RSBAC_DAZ_CACHE)
if(!error)
i_attr_val1.daz_scanned = DAZ_clean;
else
i_attr_val1.daz_scanned = DAZ_infected;
if (rsbac_set_attr(DAZ,
target,
tid,
A_daz_scanned,
i_attr_val1))
{
#ifdef CONFIG_RSBAC_RMSG
rsbac_printk(KERN_WARNING "rsbac_adf_request_daz(): rsbac_set_attr() returned error!\n");
#endif
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
if (!rsbac_nosyslog)
#endif
printk(KERN_WARNING "rsbac_adf_request_daz(): rsbac_set_attr() returned error!\n");
return NOT_GRANTED;
}
#endif
}
else
{
xp_free(dfs);
dfs = NULL;
}
dazuko_file_struct_cleanup(&dfs);
}
}
if(!error)
return GRANTED;
else
return NOT_GRANTED;
}; /* end of rsbac_adf_request_daz() */
int xp_id_free(struct xp_daemon_id *id)
{
xp_free(id);
return 0;
}
int rsbac_adf_set_attr_daz(
enum rsbac_adf_request_t request,
rsbac_pid_t caller_pid,
enum rsbac_target_t target,
union rsbac_target_id_t tid,
enum rsbac_target_t new_target,
union rsbac_target_id_t new_tid,
enum rsbac_attribute_t attr,
union rsbac_attribute_value_t attr_val,
rsbac_uid_t owner)
{
struct dazuko_file_struct *dfs = NULL;
struct xp_daemon_id xp_id;
int check_error = 0;
struct event_properties event_p;
int event;
int daemon_allowed;
union rsbac_target_id_t i_tid;
union rsbac_attribute_value_t i_attr_val1;
union rsbac_attribute_value_t i_attr_val2;
struct slot_list *sl = NULL;
switch (request)
{
case R_DELETE:
if (target == T_FILE)
{
reset_scanned(tid.file);
event = DAZUKO_ON_UNLINK;
daemon_allowed = 1;
}
else if (target == T_DIR)
{
event = DAZUKO_ON_RMDIR;
daemon_allowed = 1;
}
else
{
return(0);
}
break;
case R_CLOSE:
if (target == T_FILE)
{
event = DAZUKO_ON_CLOSE;
daemon_allowed = 1;
}
else
{
return(0);
}
break;
case R_EXECUTE:
if (target == T_FILE)
{
/* get daz_scanner for file */
if (rsbac_get_attr(DAZ,
T_FILE,
tid,
A_daz_scanner,
&i_attr_val1,
TRUE))
{
#ifdef CONFIG_RSBAC_RMSG
rsbac_printk(KERN_WARNING
"rsbac_adf_set_attr_daz(): rsbac_get_attr() returned error!\n");
#endif
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
if (!rsbac_nosyslog)
#endif
printk(KERN_WARNING
"rsbac_adf_set_attr_daz(): rsbac_get_attr() returned error!\n");
return(-RSBAC_EREADFAILED);
}
/* get for process */
i_tid.process = caller_pid;
if (rsbac_get_attr(DAZ,
T_PROCESS,
i_tid,
A_daz_scanner,
&i_attr_val2,
FALSE))
{
#ifdef CONFIG_RSBAC_RMSG
rsbac_printk(KERN_WARNING
"rsbac_adf_set_attr_daz(): rsbac_get_attr() returned error!\n");
#endif
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
if (!rsbac_nosyslog)
#endif
printk(KERN_WARNING
"rsbac_adf_set_attr_daz(): rsbac_get_attr() returned error!\n");
return(-RSBAC_EREADFAILED);
}
/* and set for process, if different */
if(i_attr_val1.daz_scanner != i_attr_val2.daz_scanner)
if (rsbac_set_attr(DAZ,
T_PROCESS,
i_tid,
A_daz_scanner,
i_attr_val1))
{
#ifdef CONFIG_RSBAC_RMSG
rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_daz(): rsbac_set_attr() returned error!\n");
#endif
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
if (!rsbac_nosyslog)
#endif
printk(KERN_WARNING "rsbac_adf_set_attr_daz(): rsbac_set_attr() returned error!\n");
return(-RSBAC_EWRITEFAILED);
}
event = DAZUKO_ON_EXEC;
daemon_allowed = 0;
}
else
{
return(0);
}
break;
case R_APPEND_OPEN:
case R_READ_WRITE_OPEN:
case R_WRITE_OPEN:
if (target == T_FILE)
{
reset_scanned(tid.file);
event = DAZUKO_ON_OPEN;
daemon_allowed = 1;
}
else
{
return(0);
}
break;
case R_READ_OPEN:
if (target == T_FILE)
{
event = DAZUKO_ON_OPEN;
daemon_allowed = 1;
}
else
{
return(0);
}
break;
case R_CLONE:
if (target == T_PROCESS)
{
/* Get daz_scanner from first process */
if (rsbac_get_attr(DAZ,
T_PROCESS,
tid,
A_daz_scanner,
&i_attr_val1,
FALSE))
{
#ifdef CONFIG_RSBAC_RMSG
rsbac_printk(KERN_WARNING
"rsbac_adf_set_attr_daz(): rsbac_get_attr() returned error!\n");
#endif
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
if (!rsbac_nosyslog)
#endif
printk(KERN_WARNING
"rsbac_adf_set_attr_daz(): rsbac_get_attr() returned error!\n");
return(-RSBAC_EREADFAILED);
}
/* Set daz_scanner for new process, if set for first */
if ( i_attr_val1.daz_scanner
&& (rsbac_set_attr(DAZ,
T_PROCESS,
new_tid,
A_daz_scanner,
i_attr_val1)) )
{
#ifdef CONFIG_RSBAC_RMSG
rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_daz(): rsbac_set_attr() returned error!\n");
#endif
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
if (!rsbac_nosyslog)
#endif
printk(KERN_WARNING "rsbac_adf_set_attr_daz(): rsbac_set_attr() returned error!\n");
return(-RSBAC_EWRITEFAILED);
}
return(0);
}
else
return(0);
/*********************/
default: return(0);
}
#if defined(CONFIG_RSBAC_DAZ_CACHE)
/* get daz_scanned for file */
if (rsbac_get_attr(DAZ,
T_FILE,
tid,
A_daz_scanned,
&i_attr_val1,
TRUE))
{
#ifdef CONFIG_RSBAC_RMSG
rsbac_printk(KERN_WARNING
"rsbac_adf_set_attr_daz(): rsbac_get_attr() returned error!\n");
#endif
#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
if (!rsbac_nosyslog)
#endif
printk(KERN_WARNING
"rsbac_adf_set_attr_daz(): rsbac_get_attr() returned error!\n");
return(-RSBAC_EREADFAILED);
}
if(i_attr_val1.daz_scanned == DAZ_clean)
return 0;
#endif
xp_id.pid = current->pid;
xp_id.file = NULL;
xp_id.current_p = current;
xp_id.files = current->files;
check_error = dazuko_check_access(event, daemon_allowed, &xp_id, &sl);
if (!check_error)
{
dazuko_bzero(&event_p, sizeof(event_p));
/*
event_p.flags = flags;
event_p.set_flags = 1;
event_p.mode = mode;
event_p.set_mode = 1;
*/
event_p.pid = current->pid;
event_p.set_pid = 1;
event_p.uid = current->uid;
event_p.set_uid = 1;
dfs = (struct dazuko_file_struct *)xp_malloc(sizeof(struct dazuko_file_struct));
if (dfs != NULL)
{
dazuko_bzero(dfs, sizeof(struct dazuko_file_struct));
dfs->extra_data = (struct xp_file_struct *)xp_malloc(sizeof(struct xp_file_struct));
if (dfs->extra_data != NULL)
{
dazuko_bzero(dfs->extra_data, sizeof(struct xp_file_struct));
dfs->extra_data->dentry = tid.file.dentry_p;
dazuko_process_access(event, dfs, &event_p, sl);
}
else
{
xp_free(dfs);
dfs = NULL;
}
dazuko_file_struct_cleanup(&dfs);
}
}
return(0);
}; /* end of rsbac_adf_set_attr_daz() */
