/*
 * security/ccsecurity/capability.c
 *
 * Copyright (C) 2005-2009 NTT DATA CORPORATION
 *
 * Version: 1.7.1 2009/11/11
 *
 * This file is applicable to both 2.4.30 and 2.6.11 and later.
 * See README.ccs for ChangeLog.
 *
 */
|
#include "internal.h" |
|
/**
 * ccs_audit_capability_log - Audit capability log.
 *
 * @r:          Pointer to "struct ccs_request_info".
 * @operation:  Type of operation.
 * @is_granted: True if this is a granted log.
 *
 * A rejected request is first reported through ccs_warn_log(). Every request,
 * granted or rejected, is then passed to ccs_write_audit_log() so that both
 * outcomes reach the audit log.
 *
 * Returns 0 on success, negative value otherwise.
 */
static int ccs_audit_capability_log(struct ccs_request_info *r,
				    const u8 operation, const bool is_granted)
{
	/* Keyword naming the capability; shared by both log calls below. */
	const char *keyword = ccs_cap2keyword(operation);

	if (!is_granted)
		ccs_warn_log(r, "capability %s", keyword);
	/* The audit record uses the same text form as a policy line. */
	return ccs_write_audit_log(is_granted, r,
				   CCS_KEYWORD_ALLOW_CAPABILITY "%s\n",
				   keyword);
}
|
/**
 * ccs_capable2 - Check permission for capability.
 *
 * @operation: Type of operation.
 *
 * Every pass over the domain's ACL list starts from "denied". The request is
 * granted only by an entry that is not marked deleted, is a capability ACL,
 * names @operation and whose condition holds. A denied request is passed to
 * ccs_supervisor(): a return value of 1 rescans the list, 0 allows the
 * request and anything else denies it.
 *
 * Returns true on success, false otherwise.
 *
 * Caller holds ccs_read_lock().
 */
static bool ccs_capable2(const u8 operation)
{
	struct ccs_request_info r;
	int error;

	/* No check is made at all when this capability's MAC is disabled. */
	if (ccs_init_request_info(&r, NULL, CCS_MAX_MAC_INDEX + operation)
	    == CCS_CONFIG_DISABLED)
		return true;
	for (;;) {
		struct ccs_acl_info *ptr;
		bool granted = false;

		list_for_each_entry_rcu(ptr, &r.domain->acl_info_list, list) {
			struct ccs_capability_acl *acl;

			/* Deleted entries and other ACL types never match. */
			if (ptr->is_deleted)
				continue;
			if (ptr->type != CCS_TYPE_CAPABILITY_ACL)
				continue;
			acl = container_of(ptr, struct ccs_capability_acl,
					   head);
			if (acl->operation == operation &&
			    ccs_condition(&r, ptr)) {
				/* Record which condition granted the request. */
				r.cond = ptr->cond;
				granted = true;
				break;
			}
		}
		/* Both outcomes are logged, on every pass. */
		ccs_audit_capability_log(&r, operation, granted);
		if (granted)
			return true;
		error = ccs_supervisor(&r, CCS_KEYWORD_ALLOW_CAPABILITY "%s\n",
				       ccs_cap2keyword(operation));
		/* Only a return value of 1 asks for another scan of the list. */
		if (error != 1)
			break;
	}
	return !error;
}
|
/**
 * ccs_capable - Check permission for capability.
 *
 * @operation: Type of operation.
 *
 * Wraps ccs_capable2() in a ccs_read_lock()/ccs_read_unlock() pair, since
 * ccs_capable2() expects its caller to hold that lock.
 *
 * Returns true on success, false otherwise.
 */
bool ccs_capable(const u8 operation)
{
	const int idx = ccs_read_lock();
	/* The decision is taken entirely inside the read-side section. */
	const bool granted = ccs_capable2(operation);

	ccs_read_unlock(idx);
	return granted;
}
89 |
|
90 |
/**
 * ccs_write_capability_policy - Write "struct ccs_capability_acl" list.
 *
 * @data:      String to parse.
 * @domain:    Pointer to "struct ccs_domain_info".
 * @condition: Pointer to "struct ccs_condition". May be NULL.
 * @is_delete: True if it is a delete request.
 *
 * @data must be exactly one of the keywords returned by ccs_cap2keyword();
 * anything else is rejected with -EINVAL. An existing entry with the same
 * capability and the same @condition pointer is reused by overwriting its
 * is_deleted flag, so adding an entry that was deleted earlier re-enables it.
 * A new entry is appended only for an add request with no such match.
 *
 * Returns 0 on success, negative value otherwise (-EINVAL for an unknown
 * keyword, -ENOENT when the entry to delete is not found, -ENOMEM when a new
 * entry could not be committed).
 */
int ccs_write_capability_policy(char *data, struct ccs_domain_info *domain,
				struct ccs_condition *condition,
				const bool is_delete)
{
	struct ccs_capability_acl e = {
		.head.type = CCS_TYPE_CAPABILITY_ACL,
		.head.cond = condition,
	};
	struct ccs_capability_acl *entry = NULL;
	struct ccs_acl_info *ptr;
	int error;
	u8 capability = 0;

	/* Map the keyword to its index; only an exact match is accepted. */
	while (capability < CCS_MAX_CAPABILITY_INDEX &&
	       strcmp(data, ccs_cap2keyword(capability)))
		capability++;
	if (capability == CCS_MAX_CAPABILITY_INDEX)
		return -EINVAL;
	e.operation = capability;
	if (is_delete) {
		error = -ENOENT;
	} else {
		error = -ENOMEM;
		/*
		 * Allocated before ccs_policy_lock is taken.
		 * NOTE(review): the result is not checked here, so entry may
		 * be NULL when it reaches ccs_commit_ok() below; presumably
		 * that helper rejects a NULL entry, which leaves error at
		 * -ENOMEM. Confirm.
		 */
		entry = kmalloc(sizeof(e), GFP_KERNEL);
	}
	mutex_lock(&ccs_policy_lock);
	list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
		struct ccs_capability_acl *acl;

		if (ptr->type != CCS_TYPE_CAPABILITY_ACL ||
		    ptr->cond != condition)
			continue;
		acl = container_of(ptr, struct ccs_capability_acl, head);
		if (acl->operation != capability)
			continue;
		/* Reuse the match: delete marks it, add clears the mark. */
		ptr->is_deleted = is_delete;
		error = 0;
		break;
	}
	/* No existing match on an add request: link in the new entry. */
	if (!is_delete && error && ccs_commit_ok(entry, &e, sizeof(e))) {
		ccs_add_domain_acl(domain, &entry->head);
		/* Set to NULL so the kfree() below leaves the new entry alone. */
		entry = NULL;
		error = 0;
	}
	mutex_unlock(&ccs_policy_lock);
	/* Frees an allocation that was not linked in; no-op when NULL. */
	kfree(entry);
	return error;
}