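/*
 * /proc write handler for the PIGA status switch.
 *
 * Copies the user-supplied string and enables PIGA when its first byte is
 * '1', disables it when it is '0'; any other input leaves the status alone.
 *
 * @file:   proc file (unused)
 * @buffer: userspace buffer
 * @count:  number of bytes the caller wants to write (untrusted)
 * @data:   proc private data (unused)
 *
 * Returns @count on success, -EFAULT if the copy from userspace fails.
 *
 * Only the first byte is ever inspected, so the copy is bounded to a small
 * fixed stack buffer. The previous `char tmp[count + 1]` VLA let whoever can
 * write the proc file choose the size of a kernel stack allocation (and the
 * `count + 1` wrapped for count == ULONG_MAX). Input longer than the buffer
 * is still reported as fully consumed so writers do not loop on a short
 * write.
 */
int piga_proc_status_write(struct file *file, const char *buffer, unsigned long count, void *data)
{
    char tmp[8];
    size_t len = count;

    if (len > sizeof(tmp) - 1)
        len = sizeof(tmp) - 1;

    if (copy_from_user(tmp, buffer, len))
        return -EFAULT;
    tmp[len] = '\0';

    /* printk lines end in '\n' so they are not merged with the next message */
    switch (tmp[0]) {
    case '0':
        *piga_status() = false;
        printk(KERN_INFO "PIGA: Status: Disabled\n");
        break;
    case '1':
        *piga_status() = true;
        printk(KERN_INFO "PIGA: Status: Enabled\n");
        break;
    default:
        /* unrecognised input: status unchanged, write still consumed */
        break;
    }

    return count;
}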
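/*
 * /proc read handler for the PIGA status switch (legacy read_proc_t).
 *
 * Writes "Enabled\n" or "Disabled\n" into @buffer on the first call and
 * flags end-of-file; later calls (offset > 0) return 0.
 *
 * @buffer:          output buffer provided by procfs
 * @buffer_location: unused (the text is written into @buffer in place)
 * @offset:          read offset; anything > 0 means the status was already returned
 * @buffer_length:   size of @buffer in bytes
 * @eof:             set to 1 once the status string has been produced
 * @data:            proc private data (unused)
 *
 * Returns the number of bytes placed in @buffer, 0 once everything was read,
 * or a negative value if formatting fails.
 */
int piga_proc_status_read(char *buffer, char **buffer_location, off_t offset, int buffer_length, int *eof, void *data)
{
    const char *text;
    int result;

    if (offset > 0 || buffer_length <= 0)
        return 0; /* whole status already returned, or nowhere to put it */

    text = *piga_status() ? "Enabled\n" : "Disabled\n";

    /*
     * Bounded write: the legacy interface normally hands over a page, but
     * honour @buffer_length rather than assuming the text always fits.
     */
    result = snprintf(buffer, buffer_length, "%s", text);
    if (result < 0)
        return result;
    if (result >= buffer_length)
        result = buffer_length - 1; /* truncated: report what was stored */

    if (eof)
        *eof = 1;

    return result;
}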
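/*
 * Does sequence @s currently expect the vector (@ssid, @tsid, @tclass,
 * @requested)? The requested bits are matched as "any overlap" with the
 * sequence's mask. FIXME (carried over from the original): decide whether
 * this should require all requested bits rather than any of them.
 */
static bool piga_seq_matches(struct sequence *s, u32 ssid, u32 tsid, u16 tclass, u32 requested)
{
    return piga_seq_get_cs(s) == ssid
        && piga_seq_get_cc(s) == tsid
        && piga_seq_get_tclass(s) == tclass
        && (piga_seq_get_requested(s) & requested) > 0;
}

/*
 * Check one SELinux access vector against the loaded PIGA sequences.
 *
 * Called from the access-control path with SELinux's own decision (@rc and
 * @avd). When PIGA is enabled, every sequence whose current step matches
 * (source sid, target sid, class, requested permission) is advanced by one
 * step; a sequence that has already reached its end turns the verdict into
 * PIGA_DENY.
 *
 * @ssid, @tsid: source and target security ids
 * @tclass:      object class
 * @requested:   requested permission bits
 * @auditdata:   audit context, passed through to print_vector()
 * @rc:          SELinux's decision for this vector
 * @avd:         SELinux access-vector decision (may be NULL)
 *
 * Returns @rc unchanged when PIGA is disabled, or when audit-only mode is on
 * and SELinux would not have audited this vector; otherwise PIGA_ALLOW, or
 * PIGA_DENY once any matching sequence has completed.
 *
 * NOTE(review): on the PIGA path the incoming @rc is replaced by PIGA_ALLOW
 * before the sequences are consulted, so SELinux's own verdict does not
 * survive this function; confirm the caller still applies it.
 * NOTE(review): piga_seq_next() mutates sequence state from the hook path;
 * whether that state is global or per-task, and how it is serialized, is not
 * visible here.
 */
int piga_has_perm(u32 ssid, u32 tsid, u16 tclass, u32 requested, struct common_audit_data *auditdata, int rc, struct av_decision *avd)
{
    struct sequence *seqs;
    unsigned int i;

    if (*piga_status() != true)
        return rc;

    /*
     * In audit-only mode PIGA only looks at vectors SELinux would log
     * (auditdeny on a denial, auditallow on a grant); everything else is
     * passed through untouched, which spares the per-vector sequence lookup.
     * A matching SELinux auditallow/auditdeny rule must therefore exist for
     * every vector that appears in a PIGA sequence.
     */
    if (avd && *piga_audit_only_mode() == true) {
        u32 denied = requested & ~avd->allowed;

        if (denied) {
            if (!(denied & avd->auditdeny))
                return rc;
        } else if (!(requested & avd->auditallow)) {
            return rc;
        }
    }

    rc = PIGA_ALLOW;

    seqs = piga_get_sequence_at(ssid, tsid, tclass);
    if (!seqs)
        return rc; /* nothing registered for this triple; avoid walking a NULL base */

    /* s_len is file-level state (not visible in this block) giving the sequence count */
    for (i = 0; i < s_len; ++i) {
        struct sequence *s = seqs + i;

        if (!piga_seq_matches(s, ssid, tsid, tclass, requested))
            continue;

        print_vector(ssid, tsid, tclass, requested, auditdata, rc, avd);

        if (piga_seq_end(s) == true) {
            /* a completed sequence denies; keep scanning so every match still advances */
            printk(KERN_INFO "PIGA: DENIED\n");
            rc = PIGA_DENY;
        } else {
            piga_seq_next(s);
        }
    }

    return rc;
}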