/*
 * security/ccsecurity/capability.c
 *
 * Copyright (C) 2005-2010 NTT DATA CORPORATION
 *
 * Version: 1.8.0-pre 2010/10/05
 *
 * This file is applicable to both 2.4.30 and 2.6.11 and later.
 * See README.ccs for ChangeLog.
 *
 */
#include "internal.h" |
/*
 * Map from capability index to the matching CCS_MAC_CAPABILITY_* value.
 * Functions in this file use the mapped value to index ccs_mac_keywords[]
 * and as the second argument of ccs_init_request_info().
 *
 * The table has CCS_MAX_CAPABILITY_INDEX slots and is indexed without a
 * range check by its users, so every index handed to them must stay below
 * that bound. Any slot not listed here is zero-initialised.
 */
const u8 ccs_c2mac[CCS_MAX_CAPABILITY_INDEX] = {
	[CCS_USE_ROUTE_SOCKET]  = CCS_MAC_CAPABILITY_USE_ROUTE_SOCKET,
	[CCS_USE_PACKET_SOCKET] = CCS_MAC_CAPABILITY_USE_PACKET_SOCKET,
	[CCS_SYS_REBOOT]        = CCS_MAC_CAPABILITY_SYS_REBOOT,
	[CCS_SYS_VHANGUP]       = CCS_MAC_CAPABILITY_SYS_VHANGUP,
	[CCS_SYS_SETTIME]       = CCS_MAC_CAPABILITY_SYS_SETTIME,
	[CCS_SYS_NICE]          = CCS_MAC_CAPABILITY_SYS_NICE,
	[CCS_SYS_SETHOSTNAME]   = CCS_MAC_CAPABILITY_SYS_SETHOSTNAME,
	[CCS_USE_KERNEL_MODULE] = CCS_MAC_CAPABILITY_USE_KERNEL_MODULE,
	[CCS_SYS_KEXEC_LOAD]    = CCS_MAC_CAPABILITY_SYS_KEXEC_LOAD,
	[CCS_SYS_PTRACE]        = CCS_MAC_CAPABILITY_SYS_PTRACE,
};
/**
 * ccs_audit_capability_log - Audit capability log.
 *
 * @r: Pointer to "struct ccs_request_info".
 *
 * Looks up the keyword of the requested capability and passes it to
 * ccs_supervisor() as the argument of the fixed format "capability %s\n".
 *
 * Returns the value of ccs_supervisor(). The caller in this file treats 0
 * as granted, CCS_RETRY_REQUEST as "run the check again" and anything else
 * as a denial.
 */
static int ccs_audit_capability_log(struct ccs_request_info *r)
{
	/* Two table lookups: capability index -> MAC index -> keyword. */
	const char *keyword =
		ccs_mac_keywords[ccs_c2mac[r->param.capability.operation]];

	return ccs_supervisor(r, "capability %s\n", keyword);
}
/**
 * ccs_check_capability_acl - Check whether an ACL entry matches the request.
 *
 * @r:   Pointer to "struct ccs_request_info".
 * @ptr: Pointer to the "struct ccs_acl_info" embedded as "head" in a
 *       "struct ccs_capability_acl".
 *
 * Returns true if the entry names the requested capability, false otherwise.
 */
static bool ccs_check_capability_acl(struct ccs_request_info *r,
				     const struct ccs_acl_info *ptr)
{
	/*
	 * NOTE(review): container_of() is only valid if @ptr really belongs
	 * to a capability entry. Presumably ccs_check_acl() filters on
	 * r->param_type before calling this; confirm against its definition.
	 */
	const struct ccs_capability_acl *entry =
		container_of(ptr, typeof(*entry), head);

	if (entry->operation != r->param.capability.operation)
		return false;
	return true;
}
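/**
 * __ccs_capable - Check permission for capability.
 *
 * @operation: Capability index. Must be below CCS_MAX_CAPABILITY_INDEX;
 *             larger values are denied.
 *
 * Installed as ccsecurity_ops.capable by ccs_capability_init().
 *
 * Returns true on success, false otherwise.
 */
static bool __ccs_capable(const u8 operation)
{
	struct ccs_request_info r;
	int error = 0;
	int idx;

	/*
	 * ccs_c2mac[] has CCS_MAX_CAPABILITY_INDEX slots and @operation is
	 * used as its index below. The one caller in this file passes the
	 * constant CCS_SYS_PTRACE, but the hook also receives values from
	 * outside this file, so reject an out-of-range index here. Deny
	 * rather than allow: this is a permission check.
	 */
	if (operation >= CCS_MAX_CAPABILITY_INDEX)
		return false;
	idx = ccs_read_lock();
	/*
	 * If the check is disabled for this capability, error stays 0 and
	 * the request is granted without looking at any ACL.
	 */
	if (ccs_init_request_info(&r, ccs_c2mac[operation])
	    != CCS_CONFIG_DISABLED) {
		r.param_type = CCS_TYPE_CAPABILITY_ACL;
		r.param.capability.operation = operation;
		/*
		 * The verdict comes from ccs_audit_capability_log(); repeat
		 * the ACL walk for as long as it asks for a retry.
		 */
		do {
			ccs_check_acl(&r, ccs_check_capability_acl);
			error = ccs_audit_capability_log(&r);
		} while (error == CCS_RETRY_REQUEST);
	}
	ccs_read_unlock(idx);
	return !error;
}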
/**
 * __ccs_ptrace_permission - Check permission for ptrace().
 *
 * @request: Not used by this function.
 * @pid:     Not used by this function.
 *
 * The decision depends only on the CCS_SYS_PTRACE capability; neither the
 * ptrace request nor the target pid is inspected.
 *
 * Returns 0 if __ccs_capable() grants CCS_SYS_PTRACE, 1 otherwise.
 * NOTE(review): a denial is reported as 1, not as a negative errno; callers
 * of ccsecurity_ops.ptrace_permission must treat any non-zero value as a
 * denial. Confirm against the call site.
 */
static int __ccs_ptrace_permission(long request, long pid)
{
	if (__ccs_capable(CCS_SYS_PTRACE))
		return 0;
	return 1;
}
/**
 * ccs_same_capability_entry - Compare two "struct ccs_capability_acl" entries.
 *
 * @a: Pointer to the "struct ccs_acl_info" embedded as "head" in the first
 *     entry.
 * @b: Pointer to the "struct ccs_acl_info" embedded as "head" in the second
 *     entry.
 *
 * Passed to ccs_update_domain() by ccs_write_capability().
 *
 * Returns true if both entries name the same capability, false otherwise.
 */
static bool ccs_same_capability_entry(const struct ccs_acl_info *a,
				      const struct ccs_acl_info *b)
{
	const struct ccs_capability_acl *lhs;
	const struct ccs_capability_acl *rhs;

	lhs = container_of(a, typeof(*lhs), head);
	rhs = container_of(b, typeof(*rhs), head);
	return lhs->operation == rhs->operation;
}
/**
 * ccs_write_capability - Write "struct ccs_capability_acl" list.
 *
 * @param: Pointer to "struct ccs_acl_param".
 *
 * Reads one token from @param and compares it, as a whole string, with the
 * keyword of every capability index. On the first match the entry is handed
 * to ccs_update_domain(); a token that matches no keyword is rejected.
 *
 * Returns the value of ccs_update_domain() on a match, -EINVAL otherwise.
 */
int ccs_write_capability(struct ccs_acl_param *param)
{
	struct ccs_capability_acl e = { .head.type = CCS_TYPE_CAPABILITY_ACL };
	/*
	 * NOTE(review): strcmp() below assumes ccs_read_token() never returns
	 * NULL; confirm against its definition.
	 */
	const char *operation = ccs_read_token(param);

	e.operation = 0;
	while (e.operation < CCS_MAX_CAPABILITY_INDEX) {
		const char *keyword =
			ccs_mac_keywords[ccs_c2mac[e.operation]];

		if (!strcmp(operation, keyword))
			return ccs_update_domain(&e.head, sizeof(e), param,
						 ccs_same_capability_entry,
						 NULL);
		e.operation++;
	}
	return -EINVAL;
}
/**
 * ccs_capability_init - Register the capability hooks.
 *
 * Stores __ccs_capable() and __ccs_ptrace_permission() in ccsecurity_ops.
 */
void __init ccs_capability_init(void)
{
	ccsecurity_ops.ptrace_permission = __ccs_ptrace_permission;
	ccsecurity_ops.capable = __ccs_capable;
}