=== main/headers/rsbac/aci_data_structures.h
==================================================================
--- main/headers/rsbac/aci_data_structures.h	(revision 2369)
+++ main/headers/rsbac/aci_data_structures.h	(local)
@@ -1,8 +1,8 @@
 /**************************************/
 /* Rule Set Based Access Control      */
-/* Author and (c) 1999-2006: Amon Ott */
+/* Author and (c) 1999-2007: Amon Ott */
 /* Data structures                    */
-/* Last modified: 30/Oct/2006         */
+/* Last modified: 17/Sep/2007         */
 /**************************************/
 
 #ifndef __RSBAC_DATA_STRUC_H
@@ -68,17 +68,17 @@
 /* max size for write_chunks */
 #define RSBAC_MAX_WRITE_CHUNK ((1 << 15) - 1)
 
-#define RSBAC_GEN_NR_FD_LISTS  4
-#define RSBAC_MAC_NR_FD_LISTS  8
-#define RSBAC_PM_NR_FD_LISTS   4
+#define RSBAC_GEN_NR_FD_LISTS  2
+#define RSBAC_MAC_NR_FD_LISTS  4
+#define RSBAC_PM_NR_FD_LISTS   2
 #define RSBAC_DAZ_NR_FD_LISTS   2
-#define RSBAC_DAZ_SCANNED_NR_FD_LISTS 8
+#define RSBAC_DAZ_SCANNED_NR_FD_LISTS 4
 #define RSBAC_FF_NR_FD_LISTS   4
-#define RSBAC_RC_NR_FD_LISTS   8
+#define RSBAC_RC_NR_FD_LISTS   4
 #define RSBAC_AUTH_NR_FD_LISTS 2
-#define RSBAC_CAP_NR_FD_LISTS  4
+#define RSBAC_CAP_NR_FD_LISTS  2
 #define RSBAC_PAX_NR_FD_LISTS  2
-#define RSBAC_RES_NR_FD_LISTS  4
+#define RSBAC_RES_NR_FD_LISTS  2
 
 #ifdef CONFIG_RSBAC_INIT_THREAD
 /* Check and set init timeout */
@@ -107,7 +107,20 @@
 
 /* Caution: whenever ACI changes, version and old_version should be increased!            */
 
-#define RSBAC_GEN_FD_ACI_VERSION 7
+// #define CONFIG_RSBAC_FD_CACHE 1
+
+#ifdef CONFIG_RSBAC_FD_CACHE
+#define RSBAC_FD_CACHE_NAME       "fd_cache."
+#define RSBAC_FD_CACHE_VERSION 1
+#define RSBAC_FD_CACHE_KEY 3626114
+//#define RSBAC_FD_CACHE_TTL 3600
+struct rsbac_fd_cache_desc_t {
+	__u32            device;
+	rsbac_inode_nr_t inode;
+};
+#endif
+
+#define RSBAC_GEN_FD_ACI_VERSION 8
 #define RSBAC_GEN_FD_ACI_KEY 1001
 struct rsbac_gen_fd_aci_t {
 	rsbac_log_array_t log_array_low;	/* file/dir based logging, */
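Review bot: The commented-out `// #define CONFIG_RSBAC_FD_CACHE 1` and `//#define RSBAC_FD_CACHE_TTL 3600` leave dead switches in a shared header, and a header-local define of a `CONFIG_` symbol would make this file disagree with other files that test it (debug.h in this same commit does). I would drop both lines and let the kernel configuration decide whether the cache is built. `struct rsbac_fd_cache_desc_t` also carries no comment: `device` is a bare `__u32` while `struct rsbac_device_list_item_t` later in this file keys on `kdev_t id`, so a line such as `/* cache key: device number and inode of the cached object */` would help, with the meaning confirmed by the author since it is inferred from the names.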
@@ -120,6 +133,7 @@
 	rsbac_enum_t linux_dac_disable;
 	rsbac_fake_root_uid_int_t fake_root_uid;
 	rsbac_uid_t auid_exempt;
+	rsbac_um_set_t vset;
 };
 #define DEFAULT_GEN_FD_ACI \
     { \
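Review bot: `vset` is added to `struct rsbac_gen_fd_aci_t` here, but `DEFAULT_GEN_FD_ACI` gets no matching initializer: the next hunk shows the macro still ending at `.auid_exempt = RSBAC_NO_USER, \`, whereas `DEFAULT_GEN_P_ACI` later in this file gains `.vset = 0, \`. The designated initializer zero-fills the missing member, so behaviour is the same, but the default virtual set of a file object is a security attribute and should be stated explicitly; add `.vset = 0, \` after the `.auid_exempt` line. Both the struct and the macro extend beyond this hunk.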
@@ -147,20 +161,20 @@
       .auid_exempt = RSBAC_NO_USER, \
     }
 
-#define RSBAC_GEN_FD_OLD_ACI_VERSION 6
+#define RSBAC_GEN_FD_OLD_ACI_VERSION 7
 struct rsbac_gen_fd_old_aci_t {
 	rsbac_log_array_t log_array_low;	/* file/dir based logging, */
 	rsbac_log_array_t log_array_high;	/* high and low bits */
 	rsbac_request_vector_t log_program_based;	/* Program based logging */
+	rsbac_enum_t symlink_add_remote_ip;
 	rsbac_enum_t symlink_add_uid;
 	rsbac_enum_t symlink_add_mac_level;
 	rsbac_enum_t symlink_add_rc_role;
 	rsbac_enum_t linux_dac_disable;
 	rsbac_fake_root_uid_int_t fake_root_uid;
-	rsbac_uid_t auid_exempt;
+	rsbac_old_uid_t auid_exempt;
 };
-
-#define RSBAC_GEN_FD_OLD_OLD_ACI_VERSION 5
+#define RSBAC_GEN_FD_OLD_OLD_ACI_VERSION 6
 struct rsbac_gen_fd_old_old_aci_t {
 	rsbac_log_array_t log_array_low;	/* file/dir based logging, */
 	rsbac_log_array_t log_array_high;	/* high and low bits */
@@ -170,9 +184,10 @@
 	rsbac_enum_t symlink_add_rc_role;
 	rsbac_enum_t linux_dac_disable;
 	rsbac_fake_root_uid_int_t fake_root_uid;
+	rsbac_old_uid_t auid_exempt;
 };
 
-#define RSBAC_GEN_FD_OLD_OLD_OLD_ACI_VERSION 4
+#define RSBAC_GEN_FD_OLD_OLD_OLD_ACI_VERSION 5
 struct rsbac_gen_fd_old_old_old_aci_t {
 	rsbac_log_array_t log_array_low;	/* file/dir based logging, */
 	rsbac_log_array_t log_array_high;	/* high and low bits */
@@ -181,6 +196,7 @@
 	rsbac_enum_t symlink_add_mac_level;
 	rsbac_enum_t symlink_add_rc_role;
 	rsbac_enum_t linux_dac_disable;
+	rsbac_fake_root_uid_int_t fake_root_uid;
 };
 
 #if defined(CONFIG_RSBAC_MAC)
@@ -419,7 +435,7 @@
     }
 #endif
 
-#define RSBAC_FD_NR_ATTRIBUTES 33
+#define RSBAC_FD_NR_ATTRIBUTES 34
 #define RSBAC_FD_ATTR_LIST { \
       A_security_level, \
       A_mac_categories, \
@@ -453,7 +469,8 @@
       A_pax_flags, \
       A_fake_root_uid, \
       A_auid_exempt, \
-      A_daz_do_scan \
+      A_daz_do_scan, \
+      A_vset \
       }
 
 #ifdef __KERNEL__
@@ -494,6 +511,10 @@
 /* The list of devices is also a double linked list, so we define list    */
 /* items and a list head.                                                 */
 
+/* Hash size. Must be power of 2. */
+
+#define RSBAC_NR_DEVICE_LISTS 8
+
 struct rsbac_device_list_item_t {
 	kdev_t id;
 	struct dentry *d_covers;
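Review bot: The "Must be power of 2" requirement on `RSBAC_NR_DEVICE_LISTS` is enforced only by a comment, so a later edit to a value like 6 would still compile; if the hash reduces with a mask, as the comment suggests, some lists would then never be selected. A preprocessor guard next to the define makes the rule checkable: `#if (RSBAC_NR_DEVICE_LISTS & (RSBAC_NR_DEVICE_LISTS - 1))`, `#error "RSBAC_NR_DEVICE_LISTS must be a power of 2"`, `#endif`. The new comment and define also land between the existing device-list comment and the struct it describes; placing them above that comment keeps the two together.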
@@ -702,7 +723,8 @@
 #define RSBAC_PAX_ACI_USER_NAME   "u_pax"
 #define RSBAC_RES_ACI_USER_NAME   "u_res"
 
-#define RSBAC_GEN_USER_ACI_VERSION 1
+#define RSBAC_GEN_USER_ACI_VERSION 2
+#define RSBAC_GEN_USER_OLD_ACI_VERSION 1
 #define RSBAC_GEN_USER_ACI_KEY 1001
 struct rsbac_gen_user_aci_t {
 	rsbac_pseudo_t pseudo;
@@ -797,7 +819,8 @@
 #endif
 
 #if defined(CONFIG_RSBAC_PM)
-#define RSBAC_PM_USER_ACI_VERSION 1
+#define RSBAC_PM_USER_ACI_VERSION 2
+#define RSBAC_PM_USER_OLD_ACI_VERSION 1
 #define RSBAC_PM_USER_ACI_KEY 1001
 struct rsbac_pm_user_aci_t {
 	rsbac_pm_task_set_id_t pm_task_set;
@@ -831,18 +854,21 @@
 #endif
 
 #if defined(CONFIG_RSBAC_DAZ)
-#define RSBAC_DAZ_USER_ACI_VERSION 1
+#define RSBAC_DAZ_USER_ACI_VERSION 2
+#define RSBAC_DAZ_USER_OLD_ACI_VERSION 1
 #define RSBAC_DAZ_USER_ACI_KEY 1001
 #endif
 
 #if defined(CONFIG_RSBAC_FF)
-#define RSBAC_FF_USER_ACI_VERSION 1
+#define RSBAC_FF_USER_ACI_VERSION 2
+#define RSBAC_FF_USER_OLD_ACI_VERSION 1
 #define RSBAC_FF_USER_ACI_KEY 1001
 #endif
 
 #if defined(CONFIG_RSBAC_RC)
-#define RSBAC_RC_USER_ACI_VERSION 2
-#define RSBAC_RC_USER_OLD_ACI_VERSION 1
+#define RSBAC_RC_USER_ACI_VERSION 3
+#define RSBAC_RC_USER_OLD_ACI_VERSION 2
+#define RSBAC_RC_USER_OLD_OLD_ACI_VERSION 1
 #define RSBAC_RC_USER_ACI_KEY 1001
 struct rsbac_rc_user_aci_t {
 	rsbac_rc_role_id_t rc_role;
@@ -871,14 +897,16 @@
 #endif
 
 #if defined(CONFIG_RSBAC_AUTH)
-#define RSBAC_AUTH_USER_ACI_VERSION 1
+#define RSBAC_AUTH_USER_ACI_VERSION 2
+#define RSBAC_AUTH_USER_OLD_ACI_VERSION 1
 #define RSBAC_AUTH_USER_ACI_KEY 1001
 
 #endif				/* AUTH */
 
 #if defined(CONFIG_RSBAC_CAP)
-#define RSBAC_CAP_USER_ACI_VERSION 2
-#define RSBAC_CAP_USER_OLD_ACI_VERSION 1
+#define RSBAC_CAP_USER_ACI_VERSION 3
+#define RSBAC_CAP_USER_OLD_ACI_VERSION 2
+#define RSBAC_CAP_USER_OLD_OLD_ACI_VERSION 1
 #define RSBAC_CAP_USER_ACI_KEY 1001
 struct rsbac_cap_user_aci_t {
 	rsbac_system_role_int_t cap_role;	/* System role for CAP administration */
@@ -924,17 +952,20 @@
 #endif
 
 #if defined(CONFIG_RSBAC_JAIL)
-#define RSBAC_JAIL_USER_ACI_VERSION 1
+#define RSBAC_JAIL_USER_ACI_VERSION 2
+#define RSBAC_JAIL_USER_OLD_ACI_VERSION 1
 #define RSBAC_JAIL_USER_ACI_KEY 1001
 #endif
 
 #if defined(CONFIG_RSBAC_PAX)
-#define RSBAC_PAX_USER_ACI_VERSION 1
+#define RSBAC_PAX_USER_ACI_VERSION 2
+#define RSBAC_PAX_USER_OLD_ACI_VERSION 1
 #define RSBAC_PAX_USER_ACI_KEY 1001221
 #endif
 
 #if defined(CONFIG_RSBAC_RES)
-#define RSBAC_RES_USER_ACI_VERSION 1
+#define RSBAC_RES_USER_ACI_VERSION 2
+#define RSBAC_RES_USER_OLD_ACI_VERSION 1
 #define RSBAC_RES_USER_ACI_KEY 1002
 struct rsbac_res_user_aci_t {
 	rsbac_system_role_int_t res_role;	/* System role for RES administration */
@@ -1148,6 +1179,7 @@
 	rsbac_uid_t auid_exempt;
 	__u32 remote_ip;
 	rsbac_boolean_t kernel_thread;
+	rsbac_um_set_t vset;
 };
 #define DEFAULT_GEN_P_ACI \
     { \
@@ -1157,8 +1189,10 @@
       .auid_exempt = RSBAC_NO_USER, \
       .remote_ip = 0, \
       .kernel_thread = 0, \
+      .vset = 0, \
     }
 
+
 #if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
 #define RSBAC_MAC_PROCESS_ACI_VERSION 1
 #define RSBAC_MAC_PROCESS_ACI_KEY 1001
@@ -1368,7 +1402,7 @@
     }
 #endif
 
-#define RSBAC_PROCESS_NR_ATTRIBUTES 38
+#define RSBAC_PROCESS_NR_ATTRIBUTES 39
 #define RSBAC_PROCESS_ATTR_LIST { \
       A_security_level, \
       A_min_security_level, \
@@ -1407,7 +1441,8 @@
       A_audit_uid, \
       A_auid_exempt, \
       A_auth_last_auth, \
-      A_remote_ip \
+      A_remote_ip, \
+      A_vset \
       }
 
 #ifdef __KERNEL__
=== main/headers/rsbac/acl_types.h
==================================================================
--- main/headers/rsbac/acl_types.h	(revision 2369)
+++ main/headers/rsbac/acl_types.h	(local)
@@ -1,10 +1,10 @@
 /************************************ */
 /* Rule Set Based Access Control      */
-/* Author and (c) 1999-2005:          */
+/* Author and (c) 1999-2007:          */
 /*   Amon Ott <ao@rsbac.org>          */
 /* API: Data types for attributes     */
 /*      and standard module calls     */
-/* Last modified: 09/Feb/2005         */
+/* Last modified: 25/Sep/2007         */
 /************************************ */
 
 #ifndef __RSBAC_ACL_TYPES_H
@@ -19,7 +19,8 @@
 enum rsbac_acl_subject_type_t {ACLS_USER, ACLS_ROLE, ACLS_GROUP, ACLS_NONE};
 
 typedef __u8 rsbac_acl_int_subject_type_t;
-typedef __u32 rsbac_acl_subject_id_t;
+typedef __u64 rsbac_acl_subject_id_t;
+typedef __u32 rsbac_acl_old_subject_id_t;
 
 #define RSBAC_ACL_GROUP_EVERYONE 0
 
@@ -103,6 +104,12 @@
     rsbac_acl_subject_id_t       subj_id;
   };
 
+struct rsbac_acl_old_entry_desc_t
+  {
+    rsbac_acl_int_subject_type_t subj_type;  /* enum rsbac_acl_subject_type_t */
+    rsbac_acl_old_subject_id_t   subj_id;
+  };
+
 enum rsbac_acl_group_type_t {ACLG_GLOBAL, ACLG_PRIVATE, ACLG_NONE};
 
 typedef __u32 rsbac_acl_group_id_t;
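Review bot: With `rsbac_acl_subject_id_t` widened to `__u64` in the previous hunk, `struct rsbac_acl_entry_desc_t` becomes a `__u8` followed by a `__u64`, which is 16 bytes with 7 padding bytes on ABIs that align 64-bit integers to 8, but 12 bytes with 3 padding bytes on i386. If this descriptor is stored as a list key or compared bytewise (not visible in this diff), the padding has to be zeroed before use, otherwise lookups can miss and uninitialized bytes can reach persistent storage. An explicit `__u8 reserved[7];` after `subj_type` would fix the layout on every ABI and give the padding a name to clear. The head of `rsbac_acl_entry_desc_t` is outside this hunk; I am assuming it mirrors the new `rsbac_acl_old_entry_desc_t`.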
=== main/headers/rsbac/auth_data_structures.h
==================================================================
--- main/headers/rsbac/auth_data_structures.h	(revision 2369)
+++ main/headers/rsbac/auth_data_structures.h	(local)
@@ -1,9 +1,9 @@
 /**************************************/
 /* Rule Set Based Access Control      */
-/* Author and (c) 1999-2006:          */
+/* Author and (c) 1999-2007:          */
 /*   Amon Ott <ao@rsbac.org> */
 /* Data structures / AUTH             */
-/* Last modified: 12/Jan/2006         */
+/* Last modified: 16/Sep/2007         */
 /**************************************/
 
 #ifndef __RSBAC_AUTH_DATA_STRUC_H
@@ -45,13 +45,20 @@
 #define RSBAC_AUTH_NR_CAP_GROUP_FD_LISTS 4
 #define RSBAC_AUTH_NR_CAP_GROUP_EFF_FD_LISTS 2
 #define RSBAC_AUTH_NR_CAP_GROUP_FS_FD_LISTS 2
-#define RSBAC_AUTH_FD_LIST_VERSION 1
-#define RSBAC_AUTH_FD_EFF_LIST_VERSION 1
-#define RSBAC_AUTH_FD_FS_LIST_VERSION 1
-#define RSBAC_AUTH_FD_GROUP_LIST_VERSION 1
-#define RSBAC_AUTH_FD_GROUP_EFF_LIST_VERSION 1
-#define RSBAC_AUTH_FD_GROUP_FS_LIST_VERSION 1
 
+#define RSBAC_AUTH_FD_LIST_VERSION 2
+#define RSBAC_AUTH_FD_EFF_LIST_VERSION 2
+#define RSBAC_AUTH_FD_FS_LIST_VERSION 2
+#define RSBAC_AUTH_FD_GROUP_LIST_VERSION 2
+#define RSBAC_AUTH_FD_GROUP_EFF_LIST_VERSION 2
+#define RSBAC_AUTH_FD_GROUP_FS_LIST_VERSION 2
+#define RSBAC_AUTH_FD_OLD_LIST_VERSION 1
+#define RSBAC_AUTH_FD_EFF_OLD_LIST_VERSION 1
+#define RSBAC_AUTH_FD_FS_OLD_LIST_VERSION 1
+#define RSBAC_AUTH_FD_GROUP_OLD_LIST_VERSION 1
+#define RSBAC_AUTH_FD_GROUP_EFF_OLD_LIST_VERSION 1
+#define RSBAC_AUTH_FD_GROUP_FS_OLD_LIST_VERSION 1
+
 /* The list of devices is also a double linked list, so we define list    */
 /* items and a list head.                                                 */
 
=== main/headers/rsbac/debug.h
==================================================================
--- main/headers/rsbac/debug.h	(revision 2369)
+++ main/headers/rsbac/debug.h	(local)
@@ -1,9 +1,9 @@
 /******************************* */
 /* Rule Set Based Access Control */
-/* Author and (c) 1999-2006:     */
+/* Author and (c) 1999-2007:     */
 /*   Amon Ott <ao@rsbac.org>     */
 /* debug definitions             */
-/* Last modified: 19/Jun/2006    */
+/* Last modified: 11/Apr/2007    */
 /******************************* */
 
 #ifndef __RSBAC_DEBUG_H
@@ -12,6 +12,24 @@
 #include <linux/init.h>
 //#include <rsbac/types.h>
 
+#define set_rsbac_softmode 1
+#define set_rsbac_softmode_once 2
+#define set_rsbac_softmode_never 4
+#define set_rsbac_freeze 8
+#define set_rsbac_um_no_excl 16
+#define set_rsbac_auth_learn 32
+#define set_rsbac_acl_learn_fd 64
+#define set_rsbac_cap_log_missing 128
+#define set_rsbac_jail_log_missing 256
+#define set_rsbac_dac_disable 512
+#define set_rsbac_no_delay_init 1024
+#define set_rsbac_no_defaults 2048
+#define set_rsbac_nosyslog 4096
+#define set_rsbac_cap_process_hiding 8192
+
+extern unsigned long int rsbac_flags;
+extern void rsbac_flags_set(unsigned long int);
+
 extern int rsbac_debug_no_write;
 
 #ifdef CONFIG_RSBAC_DEBUG
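Review bot: The `set_rsbac_*` bit masks are lower-case object-like macros written as decimal literals, so they read like variables or functions and a duplicated or skipped bit is hard to spot. I would write them as upper-case shifts that match the `unsigned long` type of `rsbac_flags`, for example `#define RSBAC_FLAG_SOFTMODE (1UL << 0)`. Several of the bits (`set_rsbac_softmode`, `set_rsbac_dac_disable`, `set_rsbac_auth_learn`) appear from their names to relax enforcement, so `rsbac_flags_set()` deserves a comment stating when it may be called, e.g. `/* called from boot parameter parsing only */` if that is the intent; the implementation is not part of this diff.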
@@ -64,6 +82,15 @@
 extern int rsbac_freeze;
 #endif
 
+#ifdef CONFIG_RSBAC_FD_CACHE
+extern rsbac_time_t rsbac_fd_cache_ttl;
+extern u_int rsbac_fd_cache_disable;
+#endif
+
+#if defined(CONFIG_RSBAC_AUTO_WRITE) && (CONFIG_RSBAC_AUTO_WRITE > 0)
+extern rsbac_time_t rsbac_list_check_interval;
+#endif
+
 #if defined(CONFIG_RSBAC_CAP_PROC_HIDE)
 extern int rsbac_cap_process_hiding;
 #endif
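Review bot: The new externs use `rsbac_time_t` and `u_int`, but this header's own `#include <rsbac/types.h>` is commented out (visible as context in the previous hunk), so debug.h now compiles only when the includer has already pulled in those type definitions. Unless another include earlier in the file provides them, which this diff does not show, either restore the include or record the dependency with a comment such as `/* requires <rsbac/types.h> to be included first */`.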
@@ -106,6 +133,20 @@
 #define rsbac_pr_debug(type, fmt, arg...) do { } while (0)
 #endif
 
+#define rsbac_pr_get_error(attr) \
+	do { rsbac_ds_get_error (__FUNCTION__, attr); \
+	} while (0)
+#define rsbac_pr_set_error(attr) \
+	do { rsbac_ds_set_error (__FUNCTION__, attr); \
+	} while (0)
+
+#define rsbac_rc_pr_get_error(item) \
+	do { rsbac_rc_ds_get_error (__FUNCTION__, item); \
+	} while (0)
+#define rsbac_rc_pr_set_error(item) \
+	do { rsbac_rc_ds_set_error (__FUNCTION__, item); \
+	} while (0)
+
 #define RSBAC_LOG_MAXLINE 2040
 
 #if defined(CONFIG_RSBAC_RMSG)
=== main/headers/rsbac/gen_lists.h
==================================================================
--- main/headers/rsbac/gen_lists.h	(revision 2369)
+++ main/headers/rsbac/gen_lists.h	(local)
@@ -1,8 +1,8 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /* Generic lists - internal structures               */
-/* Last modified: 23/Aug/2006                        */
+/* Last modified: 13/Feb/2007                        */
 /*************************************************** */
 
 #ifndef __RSBAC_GEN_LISTS_H
@@ -19,7 +19,10 @@
  */
 
 #define RSBAC_LIST_MAX_NR_ITEMS 50000
+#define RSBAC_LIST_MAX_NR_SUBITEMS 50000
 
+#define RSBAC_LIST_MAX_NR_ITEMS_LIMIT 1000000
+
 #define RSBAC_LIST_DISK_VERSION 10003
 #define RSBAC_LIST_DISK_OLD_VERSION 10002
 #define RSBAC_LIST_NONAME "(no name)"
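Review bot: `RSBAC_LIST_MAX_NR_SUBITEMS` and `RSBAC_LIST_MAX_NR_ITEMS_LIMIT` are added without comments, and nothing here says how the 1000000 limit relates to the existing 50000 `RSBAC_LIST_MAX_NR_ITEMS`. Judging by the `max_items_per_hash` and `max_subitems` fields added to the list structures later in this file, the first two look like per-list defaults and the `_LIMIT` value like the ceiling a list may be raised to. If that reading is right, a comment such as `/* default item caps per list; a cap may be raised up to RSBAC_LIST_MAX_NR_ITEMS_LIMIT */` should say so, because these caps bound how much kernel memory a list can consume.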
@@ -33,13 +36,17 @@
 
 /* If number of items per hashed list is bigger than this and flag
    RSBAC_LIST_AUTO_HASH_RESIZE is set, rehash */
-#define RSBAC_LIST_AUTO_REHASH_TRIGGER 100
+#define RSBAC_LIST_AUTO_REHASH_TRIGGER 50
 
 /* Rehashing interval in s - rehashing is triggered by rsbacd, so might happen
  * less frequently, if rsbacd wakes up later.
  */
 #define RSBAC_LIST_REHASH_INTERVAL 60
 
+/* Check lists every n seconds. Also called from rsbacd, so might take longer. */
+
+//#define RSBAC_LIST_CHECK_INTERVAL 1800
+
 /* Prototypes */
 
 /* Init */
@@ -131,6 +138,7 @@
 	rsbac_boolean_t no_write;
 	struct rsbac_nanotime_t lastchange;
 	u_int nr_hashes;
+	u_int max_items_per_hash;
 	rsbac_list_hash_function_t * hash_function;
 	char old_name_base[RSBAC_LIST_MAX_FILENAME + 1];
 #if defined(CONFIG_RSBAC_PROC) && defined(CONFIG_PROC_FS)
@@ -159,6 +167,8 @@
 	rsbac_boolean_t no_write;
 	struct rsbac_nanotime_t lastchange;
 	u_int nr_hashes;
+	u_int max_items_per_hash;
+	u_int max_subitems;
 	rsbac_list_hash_function_t * hash_function;
 	char old_name_base[RSBAC_LIST_MAX_FILENAME + 1];
 #if defined(CONFIG_RSBAC_PROC) && defined(CONFIG_PROC_FS)
=== main/headers/rsbac/getname.h
==================================================================
--- main/headers/rsbac/getname.h	(revision 2369)
+++ main/headers/rsbac/getname.h	(local)
@@ -1,15 +1,18 @@
 /******************************** */
 /* Rule Set Based Access Control  */
-/* Author and (c) 1999-2005:      */
+/* Author and (c) 1999-2007:      */
 /* Amon Ott <ao@rsbac.org>        */
 /* Getname functions for all parts*/
-/* Last modified: 27/May/2005     */
+/* Last modified: 17/Sep/2007     */
 /******************************** */
 
 #ifndef __RSBAC_GETNAME_H
 #define __RSBAC_GETNAME_H
 
 #include <rsbac/types.h>
+#ifdef CONFIG_RSBAC_XSTATS
+#include <rsbac/syscalls.h>
+#endif
 
 #if defined(__KERNEL__) && defined(CONFIG_RSBAC_LOG_FULL_PATH)
 #include <linux/fs.h>
@@ -89,4 +92,9 @@
 
 int get_cap_nr(const char * name);
 
+#ifdef CONFIG_RSBAC_XSTATS
+char *get_syscall_name(char *syscall_name,
+                       enum rsbac_syscall_t syscall);
 #endif
+
+#endif
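Review bot: `get_syscall_name()` writes into a caller-supplied `char *` with no length parameter, so the prototype should at least document the buffer size the caller must provide, e.g. `/* syscall_name must have room for <MAX_NAME_BYTES> bytes including the terminator */` with the real constant filled in. The `u32tostrcap(char * str, __u32 i)` prototype added in helpers.h has the same gap. `strtou32cap()` there takes its input string as `char *`; if it does not modify the string, `const char * str` would state that and match the `const char * function` cleanup made elsewhere in this commit.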
=== main/headers/rsbac/helpers.h
==================================================================
--- main/headers/rsbac/helpers.h	(revision 2369)
+++ main/headers/rsbac/helpers.h	(local)
@@ -1,8 +1,8 @@
 /************************************* */
 /* Rule Set Based Access Control       */
-/* Author and (c) 1999-2005: Amon Ott  */
+/* Author and (c) 1999-2007: Amon Ott  */
 /* Helper functions for all parts      */
-/* Last modified:  21/Jun/2005         */
+/* Last modified:  26/Sep/2007         */
 /************************************* */
 
 #ifndef __RSBAC_HELPER_H
@@ -21,7 +21,12 @@
 /* convert u_long_long to binary string representation for MAC module */
 char * u64tostrmac(char[], __u64);
 
+char * u32tostrcap(char * str, __u32 i);
+__u32 strtou32cap(char * str, __u32 * i_p);
+
 #ifndef __KERNEL__
+void locale_init(void);
+
 int rsbac_lib_version(void);
 int rsbac_u32_compare(__u32 * a, __u32 * b);
 int rsbac_u32_void_compare(const void *a, const void *b);
@@ -88,6 +93,15 @@
 #ifdef __KERNEL__
 #include <asm/uaccess.h>
 
+#ifdef CONFIG_RSBAC_UM_VIRTUAL
+rsbac_um_set_t rsbac_get_vset(void);
+#else
+static inline rsbac_um_set_t rsbac_get_vset(void)
+  {
+    return 0;
+  }
+#endif
+
 int rsbac_get_owner(rsbac_uid_t * user_p);
 
 static inline int rsbac_get_user(unsigned char * kern_p, unsigned char * user_p, int size)
@@ -126,14 +140,14 @@
 
 void rsbac_get_attr_error(char * , enum rsbac_adf_request_t);
 
-void rsbac_ds_get_error(char * function, enum rsbac_attribute_t attr);
-void rsbac_ds_get_error_num(char * function, enum rsbac_attribute_t attr, int err);
-void rsbac_ds_set_error(char * function, enum rsbac_attribute_t attr);
-void rsbac_ds_set_error_num(char * function, enum rsbac_attribute_t attr, int err);
+void rsbac_ds_get_error(const char * function, enum rsbac_attribute_t attr);
+void rsbac_ds_get_error_num(const char * function, enum rsbac_attribute_t attr, int err);
+void rsbac_ds_set_error(const char * function, enum rsbac_attribute_t attr);
+void rsbac_ds_set_error_num(const char * function, enum rsbac_attribute_t attr, int err);
 
 #ifdef CONFIG_RSBAC_RC
-void rsbac_rc_ds_get_error(char * function, enum rsbac_rc_item_t item);
-void rsbac_rc_ds_set_error(char * function, enum rsbac_rc_item_t item);
+void rsbac_rc_ds_get_error(const char * function, enum rsbac_rc_item_t item);
+void rsbac_rc_ds_set_error(const char * function, enum rsbac_rc_item_t item);
 #endif
 
 #endif /* KERNEL */
=== main/headers/rsbac/pm_ticket.h
==================================================================
--- main/headers/rsbac/pm_ticket.h	(revision 2369)
+++ main/headers/rsbac/pm_ticket.h	(local)
@@ -396,15 +396,6 @@
 /*******************/
 
 #ifdef __KERNEL__
-struct rsbac_pm_old_tkt_data_t
-    {
-             rsbac_pm_tkt_id_t                       id;
-             rsbac_old_uid_t                         issuer;
-      enum   rsbac_pm_tkt_function_type_t            function_type;
-      union  rsbac_pm_tkt_internal_function_param_t  function_param;
-             rsbac_pm_time_stamp_t                   valid_until;
-    };
-
 struct rsbac_pm_tkt_data_t
     {
              rsbac_pm_tkt_id_t                       id;
=== main/headers/rsbac/syscall_rsbac.h
==================================================================
--- main/headers/rsbac/syscall_rsbac.h	(revision 2369)
+++ main/headers/rsbac/syscall_rsbac.h	(local)
@@ -34,4 +34,5 @@
 		union rsbac_syscall_arg_t *, arg_p);
 
 #define sys_rsbac(a,b,c) rsbac(a,b,c)
+
 #endif
=== main/headers/rsbac/syscalls.h
==================================================================
--- main/headers/rsbac/syscalls.h	(revision 2369)
+++ main/headers/rsbac/syscalls.h	(local)
@@ -1,10 +1,10 @@
 /************************************* */
 /* Rule Set Based Access Control       */
-/* Author and (c) 1999-2006:           */
+/* Author and (c) 1999-2007:           */
 /*   Amon Ott <ao@rsbac.org>           */
 /* Syscall wrapper functions for all   */
 /* parts                               */
-/* Last modified: 13/Jul/2006          */
+/* Last modified: 26/Sep/2007          */
 /************************************* */
 
 #ifndef __RSBAC_SYSCALLS_H
@@ -115,6 +115,7 @@
     RSYS_acl_list_all_group,
     RSYS_list_all_ipc,
     RSYS_rc_select_fd_create_type,
+    RSYS_um_select_vset,
     RSYS_none
   };
 
@@ -580,7 +581,7 @@
   {
            rsbac_list_ta_number_t ta_number;
            rsbac_uid_t  uid;
-           rsbac_gid_t  gid;
+           rsbac_gid_num_t  gid;
            rsbac_time_t ttl;
   };
 
@@ -632,7 +633,7 @@
   {
           rsbac_list_ta_number_t ta_number;
           rsbac_uid_t  uid;
-          rsbac_gid_t  gid;
+          rsbac_gid_num_t  gid;
   };
 
 struct rsys_um_user_exists_t
@@ -657,6 +658,7 @@
 struct rsys_um_get_user_list_t
   {
           rsbac_list_ta_number_t ta_number;
+          rsbac_um_set_t vset;
           rsbac_uid_t * user_array;
           u_int         maxnum;
   };
@@ -665,7 +667,7 @@
   {
           rsbac_list_ta_number_t ta_number;
           rsbac_uid_t   user;
-          rsbac_gid_t * group_array;
+          rsbac_gid_num_t * group_array;
           u_int         maxnum;
   };
 
@@ -673,13 +675,14 @@
   {
           rsbac_list_ta_number_t ta_number;
           rsbac_gid_t   group;
-          rsbac_uid_t * user_array;
+          rsbac_uid_num_t * user_array;
           u_int         maxnum;
   };
 
 struct rsys_um_get_group_list_t
   {
           rsbac_list_ta_number_t ta_number;
+          rsbac_um_set_t vset;
           rsbac_gid_t * group_array;
           u_int         maxnum;
   };
@@ -728,6 +731,11 @@
     char * name;
   };
 
+struct rsys_um_select_vset_t
+  {
+    rsbac_um_set_t vset;
+  };
+
 struct rsys_list_ta_begin_t
   {
     rsbac_time_t ttl;
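Review bot: `struct rsys_um_select_vset_t` and the new `vset` members in `rsys_um_get_user_list_t` and `rsys_um_get_group_list_t` carry a caller-chosen virtual set number, but the header does not say which values are valid or what right is needed to name a set other than the caller's own. types.h in this commit defines `RSBAC_UM_VIRTUAL_KEEP`, `RSBAC_UM_VIRTUAL_ALL` and `RSBAC_UM_VIRTUAL_MAX`; a comment on the struct should state whether those special values are accepted here and that the kernel side checks the request against the caller's rights before switching or listing. The implementation is not part of this diff, so this asks for documentation and does not claim the check is missing.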
@@ -902,6 +910,7 @@
     struct rsys_acl_list_all_group_t acl_list_all_group;
     struct rsys_list_all_ipc_t list_all_ipc;
     struct rsys_rc_select_fd_create_type_t rc_select_fd_create_type;
+    struct rsys_um_select_vset_t um_select_vset;
            int dummy;
   };
 
@@ -1102,7 +1111,7 @@
 
 int rsbac_rc_get_current_role (rsbac_rc_role_id_t * role_p);
 
-int rsbac_rc_sys_select_fd_create_type(rsbac_rc_type_id_t type);
+int rsbac_rc_select_fd_create_type(rsbac_rc_type_id_t type);
 
 /************** AUTH ***************/
 
@@ -1260,7 +1269,7 @@
 int rsbac_um_add_gm(
   rsbac_list_ta_number_t ta_number,
   rsbac_uid_t uid,
-  rsbac_gid_t gid,
+  rsbac_gid_num_t gid,
   rsbac_time_t ttl);
 
 int rsbac_um_mod_user(
@@ -1298,7 +1307,7 @@
 int rsbac_um_remove_gm(
   rsbac_list_ta_number_t ta_number,
   rsbac_uid_t uid,
-  rsbac_gid_t gid);
+  rsbac_gid_num_t gid);
 
 int rsbac_um_user_exists(
   rsbac_list_ta_number_t ta_number,
@@ -1315,23 +1324,25 @@
 
 int rsbac_um_get_user_list(
   rsbac_list_ta_number_t ta_number,
+  rsbac_um_set_t vset,
   rsbac_uid_t user_array[],
   u_int       maxnum);
 
 int rsbac_um_get_gm_list(
   rsbac_list_ta_number_t ta_number,
   rsbac_uid_t user,
-  rsbac_gid_t group_array[],
+  rsbac_gid_num_t group_array[],
   u_int       maxnum);
 
 int rsbac_um_get_gm_user_list(
   rsbac_list_ta_number_t ta_number,
   rsbac_gid_t group,
-  rsbac_uid_t user_array[],
+  rsbac_uid_num_t user_array[],
   u_int       maxnum);
 
 int rsbac_um_get_group_list(
   rsbac_list_ta_number_t ta_number,
+  rsbac_um_set_t vset,
   rsbac_gid_t group_array[],
   u_int       maxnum);
 
@@ -1360,6 +1371,8 @@
 
 int rsbac_um_check_account_name(char * name);
 
+int rsbac_um_select_vset(rsbac_um_set_t vset);
+
 int rsbac_list_ta_begin(rsbac_time_t ttl,
                         rsbac_list_ta_number_t * ta_number_p,
                         rsbac_uid_t commit_uid,
=== main/headers/rsbac/types.h
==================================================================
--- main/headers/rsbac/types.h	(revision 2369)
+++ main/headers/rsbac/types.h	(local)
@@ -4,7 +4,7 @@
 /*   Amon Ott <ao@rsbac.org>         */
 /* API: Data types for attributes    */
 /*      and standard module calls    */
-/* Last modified: 01/Feb/2007        */
+/* Last modified: 21/Sep/2007        */
 /*********************************** */
 
 #ifndef __RSBAC_TYPES_H
@@ -14,10 +14,10 @@
 #ifdef CONFIG_MODULES
 #endif
 
-#define RSBAC_VERSION "1.3.5"
+#define RSBAC_VERSION "1.4.0-pre1"
 #define RSBAC_VERSION_MAJOR 1
-#define RSBAC_VERSION_MID 3
-#define RSBAC_VERSION_MINOR 5
+#define RSBAC_VERSION_MID 4
+#define RSBAC_VERSION_MINOR 0
 #define RSBAC_VERSION_NR \
  ((RSBAC_VERSION_MAJOR << 16) | (RSBAC_VERSION_MID << 8) | RSBAC_VERSION_MINOR)
 #define RSBAC_VERSION_MAKE_NR(x,y,z) \
@@ -31,13 +31,26 @@
 #endif
 
 typedef __u32 rsbac_version_t;
-typedef __u32 rsbac_uid_t;                   /* Same as user in Linux kernel */
-typedef __u32 rsbac_gid_t;                   /* Same as group in Linux kernel */
-typedef __u16 rsbac_old_uid_t;               /* Same as user in Linux kernel */
-typedef __u16 rsbac_old_gid_t;               /* Same as group in Linux kernel */
-typedef __u32 rsbac_time_t;                  /* Same as time_t in Linux kernel */
-typedef __u32 rsbac_cap_vector_t;            /* Same as kernel_cap_t in Linux kernel */
+typedef __u64 rsbac_uid_t;           /* High 32 Bit virtual set, low uid */
+typedef __u64 rsbac_gid_t;           /* High 32 Bit virtual set, low gid */
+typedef __u32 rsbac_old_uid_t;       /* Same as user in Linux kernel */
+typedef __u32 rsbac_uid_num_t;       /* Same as user in Linux kernel */
+typedef __u32 rsbac_old_gid_t;       /* Same as group in Linux kernel */
+typedef __u32 rsbac_gid_num_t;       /* Same as user in Linux kernel */
+typedef __u32 rsbac_um_set_t;
+typedef __u32 rsbac_time_t;          /* Same as time_t in Linux kernel */
+typedef __u32 rsbac_cap_vector_t;    /* Same as kernel_cap_t in Linux kernel */
 
+#define RSBAC_UID_SET(x) ((rsbac_um_set_t) (x >> 32))
+#define RSBAC_UID_NUM(x) ((rsbac_uid_num_t) (x & (rsbac_uid_num_t) -1))
+#define RSBAC_GEN_UID(x,y) ((rsbac_uid_t) x << 32 | RSBAC_UID_NUM(y))
+#define RSBAC_GID_SET(x) ((rsbac_um_set_t) (x >> 32))
+#define RSBAC_GID_NUM(x) ((rsbac_gid_num_t) (x & (rsbac_gid_num_t) -1))
+#define RSBAC_GEN_GID(x,y) ((rsbac_gid_t) x << 32 | RSBAC_GID_NUM(y))
+#define RSBAC_UM_VIRTUAL_KEEP ((rsbac_um_set_t) -1)
+#define RSBAC_UM_VIRTUAL_ALL ((rsbac_um_set_t) -2)
+#define RSBAC_UM_VIRTUAL_MAX ((rsbac_um_set_t) -10)
+
 typedef __u32 rsbac_list_ta_number_t;
 
 struct rsbac_nanotime_t
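Review bot: The new `RSBAC_UID_*`/`RSBAC_GID_*` macros use their arguments unparenthesized and shift without widening first: `RSBAC_UID_SET(x)` expands to `x >> 32`, which is undefined when the caller passes a 32-bit value such as a `rsbac_uid_num_t`, and `RSBAC_GEN_UID(x,y)` casts only the first token of `x`, so `RSBAC_GEN_UID(a | b, n)` shifts `b` alone. Since these macros decide which virtual set an id belongs to, a wrong expansion silently moves a subject into another set. Parenthesize every argument and cast to the 64-bit type before shifting, as below. Separately, `rsbac_old_uid_t` and `rsbac_old_gid_t` change from `__u16` to `__u32` in this hunk while `RSBAC_OLD_NO_USER 65533` stays a 16-bit sentinel, so a comment saying which stored generation "old" now refers to would prevent the two being mixed.

```c
#define RSBAC_UID_SET(x) ((rsbac_um_set_t) ((rsbac_uid_t) (x) >> 32))
#define RSBAC_UID_NUM(x) ((rsbac_uid_num_t) ((x) & (rsbac_uid_num_t) -1))
#define RSBAC_GEN_UID(x,y) (((rsbac_uid_t) (x) << 32) | RSBAC_UID_NUM(y))
#define RSBAC_GID_SET(x) ((rsbac_um_set_t) ((rsbac_gid_t) (x) >> 32))
#define RSBAC_GID_NUM(x) ((rsbac_gid_num_t) ((x) & (rsbac_gid_num_t) -1))
#define RSBAC_GEN_GID(x,y) (((rsbac_gid_t) (x) << 32) | RSBAC_GID_NUM(y))
```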
@@ -116,10 +129,10 @@
 
 #define RSBAC_OLD_NO_USER 65533
 #define RSBAC_OLD_ALL_USERS 65532
-#define RSBAC_NO_USER ((rsbac_uid_t) -3)
-#define RSBAC_ALL_USERS ((rsbac_uid_t) -4)
-#define RSBAC_NO_GROUP ((rsbac_gid_t) -3)
-#define RSBAC_ALL_GROUPS ((rsbac_gid_t) -4)
+#define RSBAC_NO_USER ((rsbac_uid_num_t) -3)
+#define RSBAC_ALL_USERS ((rsbac_uid_num_t) -4)
+#define RSBAC_NO_GROUP ((rsbac_gid_num_t) -3)
+#define RSBAC_ALL_GROUPS ((rsbac_gid_num_t) -4)
 
 #ifndef FALSE
 #define FALSE 0
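Review bot: `RSBAC_NO_USER`, `RSBAC_ALL_USERS`, `RSBAC_NO_GROUP` and `RSBAC_ALL_GROUPS` are now 32-bit values, while `rsbac_uid_t` and `rsbac_gid_t` are 64 bits with the virtual set in the high half, so an existing test like `uid == RSBAC_NO_USER` matches only when the set number is 0. Callers outside this diff that compare a full id against these sentinels need `RSBAC_UID_NUM(uid) == RSBAC_NO_USER` or the group equivalent; otherwise a "no user" or "all users" entry in a non-zero set is handled as an ordinary account. The `RSBAC_AUTH_*_F_CAP` and `RSBAC_AUTH_MAX_RANGE_*` sentinels in the next hunk change the same way and are presumably checked against the 64-bit `first`/`last` members of `struct rsbac_auth_cap_range_t`. A comment above the defines, e.g. `/* compare with RSBAC_UID_NUM()/RSBAC_GID_NUM() of an id, never with the full 64-bit value */`, would record the rule.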
@@ -372,19 +385,23 @@
 /**** AUTH ****/
 /* special cap value, replaced by process owner at execute time */
 #define RSBAC_AUTH_MAX_MAXNUM 1000000
-#define RSBAC_AUTH_OLD_OWNER_F_CAP (rsbac_old_uid_t) -3
-#define RSBAC_AUTH_OWNER_F_CAP ((rsbac_uid_t) -3)
-#define RSBAC_AUTH_DAC_OWNER_F_CAP ((rsbac_uid_t) -4)
-#define RSBAC_AUTH_MAX_RANGE_UID ((rsbac_uid_t) -10)
-#define RSBAC_AUTH_GROUP_F_CAP ((rsbac_gid_t) -3)
-#define RSBAC_AUTH_DAC_GROUP_F_CAP ((rsbac_gid_t) -4)
-#define RSBAC_AUTH_MAX_RANGE_GID ((rsbac_gid_t) -10)
+#define RSBAC_AUTH_OWNER_F_CAP ((rsbac_uid_num_t) -3)
+#define RSBAC_AUTH_DAC_OWNER_F_CAP ((rsbac_uid_num_t) -4)
+#define RSBAC_AUTH_MAX_RANGE_UID ((rsbac_uid_num_t) -10)
+#define RSBAC_AUTH_GROUP_F_CAP ((rsbac_uid_num_t) -3)
+#define RSBAC_AUTH_DAC_GROUP_F_CAP ((rsbac_uid_num_t) -4)
+#define RSBAC_AUTH_MAX_RANGE_GID ((rsbac_uid_num_t) -10)
 typedef struct rsbac_fs_file_t rsbac_auth_file_t;
 struct rsbac_auth_cap_range_t
   {
     rsbac_uid_t first;
     rsbac_uid_t last;
   };
+struct rsbac_auth_old_cap_range_t
+  {
+    rsbac_old_uid_t first;
+    rsbac_old_uid_t last;
+  };
 enum    rsbac_auth_cap_type_t {ACT_real, ACT_eff, ACT_fs, 
                                ACT_group_real, ACT_group_eff, ACT_group_fs,
                                ACT_none};
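Review bot: The three group sentinels `RSBAC_AUTH_GROUP_F_CAP`, `RSBAC_AUTH_DAC_GROUP_F_CAP` and `RSBAC_AUTH_MAX_RANGE_GID` are cast to `rsbac_uid_num_t` where the matching type is `rsbac_gid_num_t`, e.g. `#define RSBAC_AUTH_GROUP_F_CAP ((rsbac_gid_num_t) -3)`. Both types are `__u32` today, so the values are unchanged, but the cast is what tells a reader which id space a constant belongs to. The comment on the `rsbac_gid_num_t` typedef earlier in this file has the same slip; it reads "Same as user in Linux kernel" and should say group.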
@@ -624,7 +641,7 @@
   };
 #endif
 
-enum   rsbac_attribute_t
+enum rsbac_attribute_t
   {
     A_pseudo,
     A_security_level,
@@ -724,6 +741,7 @@
     A_remote_ip,
     A_cap_ld_env,
     A_daz_do_scan,
+    A_vset,
 #ifdef __KERNEL__
     /* adf-request helpers */
     A_owner,
@@ -764,13 +782,14 @@
 #endif
     A_none};
 
-union  rsbac_attribute_value_t
+union rsbac_attribute_value_t
   {
          rsbac_uid_t                 owner;           /* process owner */
          rsbac_pseudo_t              pseudo;
+         rsbac_system_role_int_t     system_role;
+#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_MAC)
          rsbac_security_level_t      security_level;
          rsbac_mac_category_vector_t mac_categories;
-         rsbac_system_role_int_t     system_role;
          rsbac_security_level_t      current_sec_level;
          rsbac_security_level_t      min_write_open;
          rsbac_security_level_t      max_read_open;
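Review bot: Guarding the module-specific members with `#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_MAC)`, and with the equivalent guards in the following hunks, makes `sizeof(union rsbac_attribute_value_t)` depend on the kernel configuration, while userspace always sees every member. Any struct that embeds this union by value and is shared with userspace or written to disk would then differ in size between a kernel and the tools built from the same header; whether such a struct exists is not visible in this diff. If the aim is only to save kernel memory, a comment above the union should say so and state that the union crosses the user/kernel boundary by pointer, copied with a size both sides agree on. The union continues beyond this hunk.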
@@ -780,6 +799,8 @@
          rsbac_mac_auto_int_t        mac_auto;
          rsbac_boolean_t             mac_check;
          rsbac_boolean_t             mac_prop_trusted;
+#endif
+#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_PM)
          rsbac_pm_role_int_t         pm_role;
          rsbac_pm_process_type_int_t pm_process_type;
          rsbac_pm_task_id_t          pm_current_task;
@@ -789,33 +810,55 @@
          rsbac_pm_program_type_int_t pm_program_type;
          rsbac_pm_tp_id_t            pm_tp;
          rsbac_pm_task_set_id_t      pm_task_set;
+#endif
+#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_DAZ)
          rsbac_daz_scanned_t         daz_scanned;
          rsbac_daz_scanner_t         daz_scanner;
+         rsbac_daz_do_scan_t         daz_do_scan;
+#endif
+#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_FF)
          rsbac_ff_flags_t            ff_flags;
+#endif
+#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_RC)
          rsbac_rc_type_id_t          rc_type;
          rsbac_rc_type_id_t          rc_type_fd;
          rsbac_rc_role_id_t          rc_force_role;
          rsbac_rc_role_id_t          rc_initial_role;
          rsbac_rc_role_id_t          rc_role;
          rsbac_rc_role_id_t          rc_def_role;
+         rsbac_rc_type_id_t          rc_select_type;
+#endif
+#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_AUTH)
          rsbac_auth_may_setuid_int_t auth_may_setuid;
          rsbac_boolean_t             auth_may_set_cap;
          rsbac_pid_t                 auth_p_capset;
          rsbac_inode_nr_t            auth_f_capset;
          rsbac_boolean_t             auth_learn;
+         rsbac_uid_t                 auth_last_auth;
+#endif
+#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_CAP)
          rsbac_cap_vector_t          min_caps;
          rsbac_cap_vector_t          max_caps;
          rsbac_cap_vector_t          max_caps_user;
          rsbac_cap_vector_t          max_caps_program;
+         rsbac_cap_process_hiding_int_t cap_process_hiding;
+         rsbac_cap_ld_env_int_t      cap_ld_env;
+#endif
+#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_JAIL)
          rsbac_jail_id_t             jail_id;
          rsbac_jail_id_t             jail_parent;
          rsbac_jail_ip_t             jail_ip;
          rsbac_jail_flags_t          jail_flags;
-         rsbac_cap_vector_t          jail_max_caps;
          rsbac_jail_scd_vector_t     jail_scd_get;
          rsbac_jail_scd_vector_t     jail_scd_modify;
+         rsbac_cap_vector_t          jail_max_caps;
+#endif
+#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_PAX)
          rsbac_pax_flags_t           pax_flags;
+#endif
+#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_RES)
          rsbac_res_array_t           res_array;
+#endif
          rsbac_log_array_t           log_array_low;
          rsbac_log_array_t           log_array_high;
          rsbac_request_vector_t      log_program_based;
@@ -826,17 +869,13 @@
          rsbac_boolean_t             symlink_add_rc_role;
          rsbac_linux_dac_disable_int_t linux_dac_disable;
 //         rsbac_net_temp_id_t         net_temp;
-         rsbac_cap_process_hiding_int_t    cap_process_hiding;
          rsbac_fake_root_uid_int_t   fake_root_uid;
          rsbac_uid_t                 audit_uid;
          rsbac_uid_t                 auid_exempt;
-         rsbac_uid_t                 auth_last_auth;
          __u32                       remote_ip;
-         rsbac_cap_ld_env_int_t      cap_ld_env;
-         rsbac_rc_type_id_t          rc_select_type;
-         rsbac_daz_do_scan_t         daz_do_scan;
+         rsbac_um_set_t             vset;
 #ifdef __KERNEL__
-         rsbac_gid_t                 group;        /* process/fd group */
+         rsbac_gid_num_t             group;        /* process/fd group */
     struct sockaddr                * sockaddr_p; /* socket address */
          long                        signal;        /* signal for kill */
          int                         mode;    /* mode for create/mount */
@@ -879,7 +918,68 @@
          u_long                      u_long_dummy;
        };
 
+/* List all values possibly used in FD Cache to find data size */
 
+#ifdef CONFIG_RSBAC_FD_CACHE
+union rsbac_attribute_value_cache_t
+  {
+         rsbac_uid_t                 owner;           /* process owner */
+         rsbac_pseudo_t              pseudo;
+         rsbac_system_role_int_t     system_role;
+#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_MAC)
+         rsbac_security_level_t      security_level;
+         rsbac_mac_category_vector_t mac_categories;
+         rsbac_security_level_t      current_sec_level;
+         rsbac_security_level_t      min_write_open;
+         rsbac_security_level_t      max_read_open;
+         rsbac_mac_user_flags_t      mac_user_flags;
+         rsbac_mac_process_flags_t   mac_process_flags;
+         rsbac_mac_file_flags_t      mac_file_flags;
+         rsbac_mac_auto_int_t        mac_auto;
+         rsbac_boolean_t             mac_check;
+         rsbac_boolean_t             mac_prop_trusted;
+#endif
+#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_DAZ)
+         rsbac_daz_scanned_t         daz_scanned;
+         rsbac_daz_scanner_t         daz_scanner;
+         rsbac_daz_do_scan_t         daz_do_scan;
+#endif
+#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_FF)
+         rsbac_ff_flags_t            ff_flags;
+#endif
+#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_RC)
+         rsbac_rc_type_id_t          rc_type;
+         rsbac_rc_type_id_t          rc_type_fd;
+         rsbac_rc_role_id_t          rc_force_role;
+         rsbac_rc_role_id_t          rc_initial_role;
+         rsbac_rc_role_id_t          rc_role;
+         rsbac_rc_role_id_t          rc_def_role;
+         rsbac_rc_type_id_t          rc_select_type;
+#endif
+         rsbac_log_array_t           log_array_low;
+         rsbac_log_array_t           log_array_high;
+         rsbac_request_vector_t      log_program_based;
+         rsbac_request_vector_t      log_user_based;
+         rsbac_enum_t                symlink_add_remote_ip;
+         rsbac_boolean_t             symlink_add_uid;
+         rsbac_boolean_t             symlink_add_mac_level;
+         rsbac_boolean_t             symlink_add_rc_role;
+         rsbac_linux_dac_disable_int_t linux_dac_disable;
+//         rsbac_net_temp_id_t         net_temp;
+         rsbac_fake_root_uid_int_t   fake_root_uid;
+         rsbac_uid_t                 audit_uid;
+         rsbac_uid_t                 auid_exempt;
+         __u32                       remote_ip;
+         rsbac_um_set_t              vset;
+         u_char                      u_char_dummy;
+         u_short                     u_short_dummy;
+         int                         dummy;
+         u_int                       u_dummy;
+         long                        long_dummy;
+         u_long                      u_long_dummy;
+       };
+#endif
+
 /**** ACL + UM ****/
 
 #include <rsbac/acl_types.h>
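Review bot: The new `union rsbac_attribute_value_cache_t` repeats a hand-picked subset of the members of the full attribute value union, and nothing in the hunk ties the two lists together. Its comment says the union exists to find the data size, so a cached attribute whose type is later added only to the full union would presumably get a slot that is too small; how the size is consumed is not visible here. I would extend the comment to state the invariant, e.g. `/* Keep in sync with union rsbac_attribute_value_t: every attribute type stored in the FD cache must be listed here, or cached values may be truncated. */`.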
=== main/headers/rsbac/um.h
==================================================================
--- main/headers/rsbac/um.h	(revision 2369)
+++ main/headers/rsbac/um.h	(local)
@@ -1,10 +1,10 @@
 /************************************ */
 /* Rule Set Based Access Control      */
-/* Author and (c) 1999-2005:          */
+/* Author and (c) 1999-2007:          */
 /*   Amon Ott <ao@rsbac.org>          */
 /* API: Data structures               */
 /* and functions for User Management  */
-/* Last modified: 08/Jul/2005         */
+/* Last modified: 20/Sep/2007         */
 /************************************ */
 
 #ifndef __RSBAC_UM_H
@@ -60,7 +60,7 @@
 int rsbac_um_add_gm(
   rsbac_list_ta_number_t ta_number,
   rsbac_uid_t user,
-  rsbac_gid_t group,
+  rsbac_gid_num_t group,
   rsbac_time_t ttl);
 
 int rsbac_um_mod_user(
@@ -106,7 +106,7 @@
 int rsbac_um_remove_gm(
   rsbac_list_ta_number_t ta_number,
   rsbac_uid_t user,
-  rsbac_gid_t group);
+  rsbac_gid_num_t group);
 
 int rsbac_um_get_next_user(
   rsbac_list_ta_number_t ta_number,
@@ -115,20 +115,22 @@
 
 int rsbac_um_get_user_list(
   rsbac_list_ta_number_t ta_number,
+  rsbac_um_set_t vset,
   rsbac_uid_t ** list_pp);
 
 int rsbac_um_get_gm_list(
   rsbac_list_ta_number_t ta_number,
   rsbac_uid_t user,
-  rsbac_gid_t ** list_pp);
+  rsbac_gid_num_t ** list_pp);
 
 int rsbac_um_get_gm_user_list(
   rsbac_list_ta_number_t ta_number,
   rsbac_gid_t group,
-  rsbac_uid_t ** list_pp);
+  rsbac_uid_num_t ** list_pp);
 
 int rsbac_um_get_group_list(
   rsbac_list_ta_number_t ta_number,
+  rsbac_um_set_t vset,
   rsbac_gid_t ** list_pp);
 
 int rsbac_um_get_user_entry(
=== main/headers/rsbac/um_types.h
==================================================================
--- main/headers/rsbac/um_types.h	(revision 2369)
+++ main/headers/rsbac/um_types.h	(local)
@@ -1,8 +1,8 @@
 /**************************************/
 /* Rule Set Based Access Control      */
-/* Author and (c) 1999-2004: Amon Ott */
+/* Author and (c) 1999-2007: Amon Ott */
 /* User Management Data structures    */
-/* Last modified: 29/Sep/2005         */
+/* Last modified: 16/Sep/2007         */
 /**************************************/
 
 #ifndef __RSBAC_UM_TYPES_H
@@ -30,15 +30,17 @@
 #define RSBAC_UM_NR_GROUP_LISTS  8
 #define RSBAC_UM_NR_USER_PWHISTORY_LISTS  8
 
-#define RSBAC_UM_USER_LIST_VERSION 1
-#define RSBAC_UM_GROUP_LIST_VERSION 1
-#define RSBAC_UM_USER_PWHISTORY_LIST_VERSION 1
+#define RSBAC_UM_USER_LIST_VERSION 2
+#define RSBAC_UM_GROUP_LIST_VERSION 2
+#define RSBAC_UM_USER_PWHISTORY_LIST_VERSION 2
+#define RSBAC_UM_USER_OLD_LIST_VERSION 1
+#define RSBAC_UM_GROUP_OLD_LIST_VERSION 1
+#define RSBAC_UM_USER_PWHISTORY_OLD_LIST_VERSION 1
 
 #define RSBAC_UM_USER_LIST_KEY 6363636
 #define RSBAC_UM_GROUP_LIST_KEY 9847298
 #define RSBAC_UM_USER_PWHISTORY_LIST_KEY 8854687
 
-
 #define RSBAC_UM_NAME_LEN 16
 #define RSBAC_UM_PASS_LEN 24
 #define RSBAC_UM_FULLNAME_LEN 30
@@ -55,7 +57,7 @@
 
 union rsbac_um_mod_data_t {
 	char string[RSBAC_MAXNAMELEN];
-	rsbac_gid_t group;
+	rsbac_gid_num_t group;
 	rsbac_um_days_t days;
 	rsbac_time_t ttl;
 };
@@ -66,7 +68,7 @@
 	char fullname[RSBAC_UM_FULLNAME_LEN];
 	char homedir[RSBAC_UM_HOMEDIR_LEN];
 	char shell[RSBAC_UM_SHELL_LEN];
-	rsbac_gid_t group;
+	rsbac_gid_num_t group;
 	rsbac_um_days_t lastchange;
 	rsbac_um_days_t minchange;
 	rsbac_um_days_t maxchange;
=== main/libs/helpers/getname.c
==================================================================
--- main/libs/helpers/getname.c	(revision 2369)
+++ main/libs/helpers/getname.c	(local)
@@ -1,9 +1,9 @@
 /************************************* */
 /* Rule Set Based Access Control       */
-/* Author and (c) 1999-2006:           */
+/* Author and (c) 1999-2007:           */
 /*   Amon Ott <ao@rsbac.org>           */
 /* Helper functions for all parts      */
-/* Last modified: 30/Oct/2006          */
+/* Last modified: 17/Sep/2007          */
 /************************************* */
 
 #include <rsbac/types.h>
@@ -189,6 +189,7 @@
 	SW_GEN,			/* remote_ip */
 	SW_CAP,                 /* cap_ld_env */
 	SW_DAZ,                 /* daz_do_scan */
+	SW_GEN,			/* vset */
 #ifdef __KERNEL__
 	/* adf-request helpers */
 	SW_NONE,		/* group */
@@ -327,6 +328,7 @@
 	"remote_ip",
 	"cap_ld_env",
 	"daz_do_scan",
+	"vset",
 #ifdef __KERNEL__
 	/* adf-request helpers */
 	"owner",
@@ -583,7 +585,8 @@
 	"-3 = unset, uid otherwise", /* auth_last_auth */
 	"32 Bit value in network byte order", /* remote_ip */
 	"0 = disallow executing of program file with LD_ variables set,\n\t1 = do not care (default)", /* cap_ld_env */
-	"0 = never, 1 = registered, 2 = always, 3 = inherit",
+	"0 = never, 1 = registered, 2 = always, 3 = inherit", /* daz_do_scan */
+	"non-negative virtual set number, 0 = default main set",
 	"INVALID!"
 };
 #endif
@@ -806,9 +809,20 @@
 			break;
 		case A_auth_add_f_cap:
 		case A_auth_remove_f_cap:
+#ifdef CONFIG_RSBAC_UM_VIRTUAL
+			if(   RSBAC_UID_SET(attr_val_p->auth_cap_range.first)
+			   || RSBAC_UID_SET(attr_val_p->auth_cap_range.last)
+			  )
+			  sprintf(attr_val_name, "%u/%u:%u/%u",
+				RSBAC_UID_SET(attr_val_p->auth_cap_range.first),
+				RSBAC_UID_NUM(attr_val_p->auth_cap_range.first),
+				RSBAC_UID_SET(attr_val_p->auth_cap_range.last),
+				RSBAC_UID_NUM(attr_val_p->auth_cap_range.last));
+			else
+#endif
 			sprintf(attr_val_name, "%u:%u",
-				attr_val_p->auth_cap_range.first,
-				attr_val_p->auth_cap_range.last);
+				RSBAC_UID_NUM(attr_val_p->auth_cap_range.first),
+				RSBAC_UID_NUM(attr_val_p->auth_cap_range.last));
 			break;
 		case A_switch_target:
 			get_switch_target_name(attr_val_name,
@@ -835,8 +849,15 @@
 		case A_auth_start_uid:
 		case A_auth_start_euid:
 #endif
+#ifdef CONFIG_RSBAC_UM_VIRTUAL
+			if(RSBAC_UID_SET(attr_val_p->auth_last_auth))
+			  sprintf(attr_val_name, "%u/%u",
+				RSBAC_UID_SET(attr_val_p->auth_last_auth),
+				RSBAC_UID_NUM(attr_val_p->auth_last_auth));
+			else
+#endif
 			sprintf(attr_val_name, "%u",
-				attr_val_p->auth_last_auth);
+				RSBAC_UID_NUM(attr_val_p->auth_last_auth));
 			break;
 #endif
 #ifdef CONFIG_RSBAC_AUTH_GROUP
@@ -844,8 +865,15 @@
 #ifdef CONFIG_RSBAC_AUTH_DAC_GROUP
 		case A_auth_start_egid:
 #endif
+#ifdef CONFIG_RSBAC_UM_VIRTUAL
+			if(RSBAC_GID_SET(attr_val_p->auth_last_auth))
+			  sprintf(attr_val_name, "%u/%u",
+				RSBAC_GID_SET(attr_val_p->auth_last_auth),
+				RSBAC_GID_NUM(attr_val_p->auth_last_auth));
+			else
+#endif
 			sprintf(attr_val_name, "%u",
-				attr_val_p->auth_start_gid);
+				RSBAC_GID_NUM(attr_val_p->auth_start_gid));
 			break;
 #endif
 		default:
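Review bot: In the `CONFIG_RSBAC_UM_VIRTUAL` branch added for the group cases, the test and both `sprintf` arguments read `attr_val_p->auth_last_auth`, while the fallback `sprintf` directly below prints `attr_val_p->auth_start_gid`. This looks like a copy from the uid cases in the previous hunk. With virtual sets enabled, the group id would be taken from a different member of what is presumably the attribute value union, which only gives the right set/number if the two members share size and layout. The added lines should use `RSBAC_GID_SET(attr_val_p->auth_start_gid)` and `RSBAC_GID_NUM(attr_val_p->auth_start_gid)`. The enclosing switch starts and ends outside the hunk.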
@@ -1336,8 +1364,16 @@
 		break;
 	case T_USER:
 		strcpy(target_type_name, "USER");
-		if (target_id_name)
-			sprintf(target_id_name, "%u", tid.user);
+		if (target_id_name) {
+#ifdef CONFIG_RSBAC_UM_VIRTUAL
+			if(RSBAC_UID_SET(tid.user))
+			  sprintf(target_id_name, "%u/%u",
+				RSBAC_UID_SET(tid.user),
+				RSBAC_UID_NUM(tid.user));
+			else
+#endif
+			sprintf(target_id_name, "%u", RSBAC_UID_NUM(tid.user));
+		}
 		break;
 	case T_PROCESS:
 		strcpy(target_type_name, "PROCESS");
@@ -1346,8 +1382,16 @@
 		break;
 	case T_GROUP:
 		strcpy(target_type_name, "GROUP");
-		if (target_id_name)
-			sprintf(target_id_name, "%u", tid.group);
+		if (target_id_name) {
+#ifdef CONFIG_RSBAC_UM_VIRTUAL
+			if(RSBAC_GID_SET(tid.group))
+			  sprintf(target_id_name, "%u/%u",
+				RSBAC_GID_SET(tid.group),
+				RSBAC_GID_NUM(tid.group));
+			else
+#endif
+			sprintf(target_id_name, "%u", RSBAC_GID_NUM(tid.group));
+		}
 		break;
 	case T_NETDEV:
 		strcpy(target_type_name, "NETDEV");
=== main/libs/helpers/helpers.c
==================================================================
--- main/libs/helpers/helpers.c	(revision 2369)
+++ main/libs/helpers/helpers.c	(local)
@@ -252,8 +252,23 @@
 int rsbac_get_uid_name(rsbac_uid_t * uid, char * name, char * sourcename)
   {
     struct passwd * user_info_p;
-    rsbac_uid_t uid_i;
+    rsbac_uid_t uid_i = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, RSBAC_NO_USER);
+    char * p = sourcename;
+    rsbac_um_set_t tmp_vset = RSBAC_UM_VIRTUAL_KEEP;
 
+    if(!sourcename)
+      return -RSBAC_EINVALIDPOINTER;
+    
+    while (*p && (*p != '/'))
+      p++;
+    if (*p) {
+              *p = 0;
+              tmp_vset = strtoul(sourcename, NULL, 0);
+              *p = '/';
+              p++;
+              sourcename = p;
+    }
+    
     if(!(user_info_p = getpwnam(sourcename)))
       {
         uid_i = strtoul(sourcename,0,10);
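Review bot: The set prefix in `rsbac_get_uid_name` is converted with `strtoul(sourcename, NULL, 0)` and no check that anything was parsed, so an input such as `abc/name` silently resolves to set 0 (the default main set) instead of being rejected. The parse also writes a temporary NUL into the caller's `sourcename`, which fails on read-only strings and is visible to other threads sharing the buffer. Since `strtoul` stops at the `/` on its own, the write can be dropped: `tmp_vset = strtoul(sourcename, &end, 0);` followed by `if (end == sourcename || end != p) return -RSBAC_EINVALIDVALUE;`, plus a range check against the width of `rsbac_um_set_t`, which is not visible here. The same block is added to `rsbac_get_gid_name` in the `@@ -333,8 +349,23 @@` hunk, and both function bodies continue outside their hunks.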
@@ -265,10 +280,10 @@
           }
         if(name)
           {
-            if((user_info_p = getpwuid(uid_i)))
+            if((user_info_p = getpwuid(RSBAC_UID_NUM(uid_i))))
               strcpy(name, user_info_p->pw_name);
             else
-              sprintf(name, "%u", uid_i);
+              sprintf(name, "%u", RSBAC_UID_NUM(uid_i));
           }
       }
     else
@@ -277,6 +292,7 @@
         if(name)
           strcpy(name, user_info_p->pw_name);
       }
+    uid_i = RSBAC_GEN_UID(tmp_vset, uid_i);
     if(uid)
       *uid = uid_i;
     return 0;
@@ -289,9 +305,9 @@
 
     if(!fullname)
       return -RSBAC_EINVALIDPOINTER;
-    if(!(user_info_p = getpwuid(uid)))
+    if(!(user_info_p = getpwuid(RSBAC_UID_NUM(uid))))
       {
-        sprintf(fullname, "%u", uid);
+        sprintf(fullname, "%u", RSBAC_UID_NUM(uid));
       }
     else
       {
@@ -304,13 +320,13 @@
   {
     struct passwd * user_info_p;
 
-    if((user_info_p = getpwuid(user)))
+    if((user_info_p = getpwuid(RSBAC_UID_NUM(user))))
       {
         strcpy(name, user_info_p->pw_name);
       }
     else
       {
-        sprintf(name, "%u", user);
+        sprintf(name, "%u", RSBAC_UID_NUM(user));
       }
     return name;
   }
@@ -319,13 +335,13 @@
   {
     struct group * group_info_p;
 
-    if((group_info_p = getgrgid(group)))
+    if((group_info_p = getgrgid(RSBAC_GID_NUM(group))))
       {
         strcpy(name, group_info_p->gr_name);
       }
     else
       {
-        sprintf(name, "%u", group);
+        sprintf(name, "%u", RSBAC_GID_NUM(group));
       }
     return name;
   }
@@ -333,8 +349,23 @@
 int rsbac_get_gid_name(rsbac_gid_t * gid, char * name, char * sourcename)
   {
     struct group * group_info_p;
-    rsbac_gid_t gid_i;
+    rsbac_gid_t gid_i = RSBAC_GEN_GID(RSBAC_UM_VIRTUAL_KEEP, RSBAC_NO_GROUP);
+    char * p = sourcename;
+    rsbac_um_set_t tmp_vset = RSBAC_UM_VIRTUAL_KEEP;
 
+    if(!sourcename)
+      return -RSBAC_EINVALIDPOINTER;
+    
+    while (*p && (*p != '/'))
+      p++;
+    if (*p) {
+              *p = 0;
+              tmp_vset = strtoul(sourcename, NULL, 0);
+              *p = '/';
+              p++;
+              sourcename = p;
+    }
+
     if(!(group_info_p = getgrnam(sourcename)))
       {
         gid_i = strtoul(sourcename,0,10);
@@ -346,10 +377,10 @@
           }
         if(name)
           {
-            if((group_info_p = getgrgid(gid_i)))
+            if((group_info_p = getgrgid(RSBAC_GID_NUM(gid_i))))
               strcpy(name, group_info_p->gr_name);
             else
-              sprintf(name, "%u", gid_i);
+              sprintf(name, "%u", RSBAC_GID_NUM(gid_i));
           }
       }
     else
@@ -358,6 +389,7 @@
         if(name)
           strcpy(name, group_info_p->gr_name);
       }
+    gid_i = RSBAC_GEN_GID(tmp_vset, gid_i);
     if(gid)
       *gid = gid_i;
     return 0;
=== main/libs/helpers/syscall_wrapper.c
==================================================================
--- main/libs/helpers/syscall_wrapper.c	(revision 2369)
+++ main/libs/helpers/syscall_wrapper.c	(local)
@@ -1,10 +1,10 @@
 /************************************* */
 /* Rule Set Based Access Control       */
-/* Author and (c) 1999-2006:           */
+/* Author and (c) 1999-2007:           */
 /*   Amon Ott <ao@rsbac.org>           */
 /* Syscall wrapper functions for all   */
 /* admin tools                         */
-/* Last modified: 13/Jun/2006          */
+/* Last modified: 24/Sep/2007          */
 /************************************* */
 
 #include <rsbac/types.h>
@@ -874,7 +874,7 @@
 int rsbac_um_add_gm(
   rsbac_list_ta_number_t ta_number,
   rsbac_uid_t uid,
-  rsbac_gid_t gid,
+  rsbac_gid_num_t gid,
   rsbac_time_t ttl)
   {
     union rsbac_syscall_arg_t s_arg;
@@ -971,7 +971,7 @@
 int rsbac_um_remove_gm(
   rsbac_list_ta_number_t ta_number,
   rsbac_uid_t uid,
-  rsbac_gid_t gid)
+  rsbac_gid_num_t gid)
   {
     union rsbac_syscall_arg_t s_arg;
 
@@ -1018,12 +1018,14 @@
 
 int rsbac_um_get_user_list(
   rsbac_list_ta_number_t ta_number,
+  rsbac_um_set_t vset,
   rsbac_uid_t user_array[],
   u_int       maxnum)
   {
     union rsbac_syscall_arg_t s_arg;
 
     s_arg.um_get_user_list.ta_number = ta_number;
+    s_arg.um_get_user_list.vset = vset;
     s_arg.um_get_user_list.user_array = user_array;
     s_arg.um_get_user_list.maxnum = maxnum;
     return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_get_user_list, &s_arg);
@@ -1032,7 +1034,7 @@
 int rsbac_um_get_gm_list(
   rsbac_list_ta_number_t ta_number,
   rsbac_uid_t user,
-  rsbac_gid_t group_array[],
+  rsbac_gid_num_t group_array[],
   u_int       maxnum)
   {
     union rsbac_syscall_arg_t s_arg;
@@ -1047,7 +1049,7 @@
 int rsbac_um_get_gm_user_list(
   rsbac_list_ta_number_t ta_number,
   rsbac_gid_t group,
-  rsbac_uid_t user_array[],
+  rsbac_uid_num_t user_array[],
   u_int       maxnum)
   {
     union rsbac_syscall_arg_t s_arg;
@@ -1061,12 +1063,14 @@
 
 int rsbac_um_get_group_list(
   rsbac_list_ta_number_t ta_number,
+  rsbac_um_set_t vset,
   rsbac_gid_t group_array[],
   u_int       maxnum)
   {
     union rsbac_syscall_arg_t s_arg;
 
     s_arg.um_get_group_list.ta_number = ta_number;
+    s_arg.um_get_group_list.vset = vset;
     s_arg.um_get_group_list.group_array = group_array;
     s_arg.um_get_group_list.maxnum = maxnum;
     return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_get_group_list, &s_arg);
@@ -1148,6 +1152,14 @@
     return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_check_account_name, &s_arg);
   }
 
+int rsbac_um_select_vset(rsbac_um_set_t vset)
+  {
+    union rsbac_syscall_arg_t s_arg;
+
+    s_arg.um_select_vset.vset = vset;
+    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_select_vset, &s_arg);
+  }
+
 int rsbac_list_ta_begin(rsbac_time_t ttl,
                         rsbac_list_ta_number_t * ta_number_p,
                         rsbac_uid_t commit_uid,
=== main/nss/Makefile
==================================================================
--- main/nss/Makefile	(revision 2369)
+++ main/nss/Makefile	(local)
@@ -39,7 +39,7 @@
 
 QUIET		:= > /dev/null
 
-DVERSION	:= 1.0.0
+DVERSION	:= 1.0.1
 
 DPACKAGE	:= libnss-rsbac
 
=== main/nss/interface.c
==================================================================
--- main/nss/interface.c	(revision 2369)
+++ main/nss/interface.c	(local)
@@ -4,7 +4,7 @@
  * Copyright (c) 2001 by Joerg Wendland, Bret Mogilefsky
  * see included file COPYING for details
  *
- * Copyright (c) 2004-2005 by Amon Ott
+ * Copyright (c) 2004-2007 by Amon Ott
  * see included file COPYING for license details
  *
  */
@@ -20,10 +20,10 @@
 
 static pthread_mutex_t  lock;
 
-static rsbac_uid_t user_index = 0;
+static int user_index = 0;
 static rsbac_uid_t * user_array = NULL;
 static int user_num = 0;
-static rsbac_gid_t group_index = 0;
+static int group_index = 0;
 static rsbac_gid_t * group_array = NULL;
 static int group_num = 0;
 
@@ -35,7 +35,7 @@
 	pthread_mutex_lock(&lock);
 	if(user_array)
 	  free(user_array);
-	user_num = rsbac_um_get_user_list(0, NULL, 0);
+	user_num = rsbac_um_get_user_list(0, RSBAC_UM_VIRTUAL_KEEP, NULL, 0);
 	if(user_num < 0)
 	  {
             pthread_mutex_unlock(&lock);
@@ -49,7 +49,7 @@
             return NSS_STATUS_UNAVAIL;
           }
 	
-	user_num = rsbac_um_get_user_list(0, user_array, user_num);
+	user_num = rsbac_um_get_user_list(0, RSBAC_UM_VIRTUAL_KEEP, user_array, user_num);
 	if(user_num < 0)
 	  {
             pthread_mutex_unlock(&lock);
@@ -71,7 +71,7 @@
 	pthread_mutex_lock(&lock);
 	if(user_array)
 	  free(user_array);
-	user_num = rsbac_um_get_user_list(0, NULL, 0);
+	user_num = rsbac_um_get_user_list(0, RSBAC_UM_VIRTUAL_KEEP, NULL, 0);
 	if(user_num < 0)
 	  {
             pthread_mutex_unlock(&lock);
@@ -85,7 +85,7 @@
             return NSS_STATUS_UNAVAIL;
           }
 	
-	user_num = rsbac_um_get_user_list(0, user_array, user_num);
+	user_num = rsbac_um_get_user_list(0, RSBAC_UM_VIRTUAL_KEEP, user_array, user_num);
 	if(user_num < 0)
 	  {
             pthread_mutex_unlock(&lock);
@@ -178,7 +178,7 @@
 	if(!result || !buffer || !errnop || !buflen)
 	  return NSS_STATUS_UNAVAIL;
 	*errnop = 0;
-	result->pw_uid = user;
+	result->pw_uid = RSBAC_UID_NUM(user);
 	buffer[0] = 0;
 	result->pw_passwd = buffer;
 	buffer++;
@@ -364,7 +364,7 @@
 			 int *errnop)
 {
 	enum nss_status retval = NSS_STATUS_UNAVAIL;
-	rsbac_uid_t user;
+	rsbac_uid_t user = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, RSBAC_NO_USER);
 	int res;
 
 	pthread_mutex_lock(&lock);
@@ -395,7 +395,7 @@
 	enum nss_status retval = NSS_STATUS_UNAVAIL;
 
 	pthread_mutex_lock(&lock);
-        retval = fill_passwd(uid,
+        retval = fill_passwd(RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP,uid),
                              result,
 	                     buffer,
 		             buflen,
@@ -483,12 +483,12 @@
 		int *errnop)
 {
 	enum nss_status retval = NSS_STATUS_UNAVAIL;
-	rsbac_uid_t * g_user_array;
+	rsbac_uid_num_t * g_user_array;
 	int member_count;
 
 	if(!result || !buffer || !errnop)
 	  return retval;
-	result->gr_gid = group;
+	result->gr_gid = RSBAC_GID_NUM(group);
 	buffer[0] = 0;
 	result->gr_passwd = buffer;
 	buffer++;
@@ -533,7 +533,11 @@
                     buflen -= (member_count + 1) * sizeof(char *);
                     for(i=0; i<member_count; i++)
                       {
-                        res = rsbac_um_get_user_item(0, g_user_array[i], UM_name, &data);
+                        res = rsbac_um_get_user_item(
+                        	0,
+                        	RSBAC_GEN_UID(RSBAC_GID_SET(group),g_user_array[i]),
+                        	UM_name,
+                        	&data);
                         if(res < 0)
                           continue;
                         len = strlen(data.string);
@@ -578,7 +582,7 @@
 	pthread_mutex_lock(&lock);
 	if(group_array)
 	  free(group_array);
-	group_num = rsbac_um_get_group_list(0, NULL, 0);
+	group_num = rsbac_um_get_group_list(0, RSBAC_UM_VIRTUAL_KEEP, NULL, 0);
 	if(group_num < 0)
 	  {
             pthread_mutex_unlock(&lock);
@@ -592,7 +596,7 @@
             return NSS_STATUS_UNAVAIL;
           }
 	
-	group_num = rsbac_um_get_group_list(0, group_array, group_num);
+	group_num = rsbac_um_get_group_list(0, RSBAC_UM_VIRTUAL_KEEP, group_array, group_num);
 	if(group_num < 0)
 	  {
             pthread_mutex_unlock(&lock);
@@ -667,9 +671,9 @@
 			 int *errnop)
 {
 	enum nss_status retval = NSS_STATUS_UNAVAIL;
-	rsbac_gid_t group;
+	rsbac_gid_t group = RSBAC_GEN_GID(RSBAC_UM_VIRTUAL_KEEP, RSBAC_NO_GROUP);
 
-	 pthread_mutex_lock(&lock);
+	pthread_mutex_lock(&lock);
         if(rsbac_um_get_gid(0, (char *) grnam, &group))
           {
             pthread_mutex_unlock(&lock);
@@ -686,16 +690,16 @@
 }
 
 enum nss_status
-_nss_rsbac_getgrgid_r(uid_t gid,
-							 struct group *result,
-							 char *buffer,
-							 size_t buflen,
-							 int *errnop)
+_nss_rsbac_getgrgid_r(gid_t gid,
+			 struct group *result,
+			 char *buffer,
+			 size_t buflen,
+			 int *errnop)
 {
 	enum nss_status retval = NSS_STATUS_UNAVAIL;
 
 	pthread_mutex_lock(&lock);
-        retval = fill_group(gid,
+        retval = fill_group(RSBAC_GEN_GID(RSBAC_UM_VIRTUAL_KEEP, gid),
                             result,
 	                    buffer,
 		            buflen,
@@ -715,8 +719,8 @@
 			  int *errnop)
 {
 	enum nss_status retval = NSS_STATUS_UNAVAIL;
-	rsbac_uid_t   uid;
-	rsbac_gid_t * gm_array;
+	rsbac_uid_t   uid = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, RSBAC_NO_USER);
+	rsbac_gid_num_t * gm_array;
 	gid_t *groups = *groupsp;
 	int gm_num;
 
=== main/pam/Makefile
==================================================================
--- main/pam/Makefile	(revision 2369)
+++ main/pam/Makefile	(local)
@@ -6,7 +6,7 @@
 # Configuration
 #
 
-VERSION		:= 1.0
+VERSION		:= 1.1
 PACKAGE		:= pam_rsbac
 
 INSTALL		:= install
=== main/pam/pam_rsbac.c
==================================================================
--- main/pam/pam_rsbac.c	(revision 2369)
+++ main/pam/pam_rsbac.c	(local)
@@ -463,7 +463,7 @@
 {
     int retval;
     const char *user=NULL;
-    rsbac_uid_t uid;
+    rsbac_uid_t uid = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, RSBAC_NO_USER);
     char * p_old;
     char * p_new;
     unsigned int ctrl = 0;
@@ -625,7 +625,7 @@
       }
     else
       {
-        uid = getuid();
+        uid = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, getuid());
         retval = rsbac_um_set_pass(uid, p_old, p_new);
       }
     
=== main/pam/pam_rsbac_oldpw.c
==================================================================
--- main/pam/pam_rsbac_oldpw.c	(revision 2369)
+++ main/pam/pam_rsbac_oldpw.c	(local)
@@ -185,7 +185,7 @@
 {
     int retval;
     const char *user=NULL;
-    rsbac_uid_t uid;
+    rsbac_uid_t uid = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, RSBAC_NO_USER);
     char * p_old;
     unsigned int ctrl = 0;
     struct pam_message msg[3], *pmsg[3];
=== main/tools/Makefile
==================================================================
--- main/tools/Makefile	(revision 2369)
+++ main/tools/Makefile	(local)
@@ -6,7 +6,7 @@
 # Configuration
 #
 
-VERSION		:= 1.3.5
+VERSION		:= 1.4.0-pre1
 PACKAGE		:= rsbac-tools
 
 INSTALL		:= install
@@ -31,7 +31,7 @@
 
 NLS		:= 1
 
-CFLAGS		:= -fPIC -O2 -fomit-frame-pointer
+CFLAGS		:= -fPIC -O2 -fomit-frame-pointer -Wall
 CFLAGS		+= -Isrc -I../headers -I/usr/include -I/usr/local/include \
 		   -I$(PREFIX)/include
 LDFLAGS		:=
=== main/tools/src/acl_grant.c
==================================================================
--- main/tools/src/acl_grant.c	(revision 2369)
+++ main/tools/src/acl_grant.c	(local)
@@ -13,6 +13,7 @@
 #include <sys/types.h>
 #include <dirent.h>
 #include <pwd.h>
+#include <time.h>
 #include <rsbac/types.h>
 #include <rsbac/aci_data_structures.h>
 #include <rsbac/getname.h>
@@ -290,7 +291,6 @@
 {
   int i;
   enum  rsbac_acl_special_rights_t right;
-  struct passwd * user_info_p;
   rsbac_boolean_t rused = FALSE;
   rsbac_boolean_t wused = FALSE;
   char none_name[] = "FD";
@@ -660,27 +660,54 @@
           switch(call)
             {
               case ACLC_set_acl_entry:
-                printf(gettext("Set rights: %s\nfor %s %u\n"),
+                if (RSBAC_UID_SET(subj_id))
+                  printf(gettext("Set rights: %s\nfor %s %u/%u\n"),
                        u64tostracl(tmp1, rights_vector),
                        get_acl_subject_type_name(tmp2, subj_type),
-                       subj_id);
+                       RSBAC_UID_SET(subj_id),
+                       RSBAC_UID_NUM(subj_id));
+                else
+                  printf(gettext("Set rights: %s\nfor %s %u\n"),
+                       u64tostracl(tmp1, rights_vector),
+                       get_acl_subject_type_name(tmp2, subj_type),
+                       RSBAC_UID_NUM(subj_id));
                 break;
               case ACLC_add_to_acl_entry:
-                printf(gettext("Add rights: %s\nfor %s %u\n"),
+                if (RSBAC_UID_SET(subj_id))
+                  printf(gettext("Add rights: %s\nfor %s %u/%u\n"),
                        u64tostracl(tmp1, rights_vector),
                        get_acl_subject_type_name(tmp2, subj_type),
-                       subj_id);
+                       RSBAC_UID_SET(subj_id),
+                       RSBAC_UID_NUM(subj_id));
+                else
+                  printf(gettext("Add rights: %s\nfor %s %u\n"),
+                       u64tostracl(tmp1, rights_vector),
+                       get_acl_subject_type_name(tmp2, subj_type),
+                       RSBAC_UID_NUM(subj_id));
                 break;
               case ACLC_remove_from_acl_entry:
-                printf(gettext("Revoke rights: %s\nfor %s %u\n"),
+                if (RSBAC_UID_SET(subj_id))
+                  printf(gettext("Revoke rights: %s\nfor %s %u/%u\n"),
                        u64tostracl(tmp1, rights_vector),
                        get_acl_subject_type_name(tmp2, subj_type),
-                       subj_id);
+                       RSBAC_UID_SET(subj_id),
+                       RSBAC_UID_NUM(subj_id));
+                else
+                  printf(gettext("Revoke rights: %s\nfor %s %u\n"),
+                       u64tostracl(tmp1, rights_vector),
+                       get_acl_subject_type_name(tmp2, subj_type),
+                       RSBAC_UID_NUM(subj_id));
                 break;
               case ACLC_remove_acl_entry:
-                printf(gettext("Remove entry for %s %u.\n"),
+                if (RSBAC_UID_SET(subj_id))
+                  printf(gettext("Remove entry for %s %u/%u.\n"),
                        get_acl_subject_type_name(tmp2, subj_type),
-                       subj_id);
+                       RSBAC_UID_SET(subj_id),
+                       RSBAC_UID_NUM(subj_id));
+                else
+                  printf(gettext("Remove entry for %s %u.\n"),
+                       get_acl_subject_type_name(tmp2, subj_type),
+                       RSBAC_UID_NUM(subj_id));
                 break;
               default:
                 fprintf(stderr, gettext("%s: Internal error in call switch!\n"), progname);
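Review bot: All four cases apply `RSBAC_UID_SET(subj_id)` / `RSBAC_UID_NUM(subj_id)` without looking at `subj_type`, although the same message prints `get_acl_subject_type_name(tmp2, subj_type)`, so `subj_id` is presumably not always a user id. If a role or ACL group id can ever have bits in the set position, it would be shown as `set/num` and the operator would read the wrong subject in the confirmation output; gating the split form as `if (subj_type == ACLS_USER && RSBAC_UID_SET(subj_id))` keeps it to user subjects. Separately, each case now carries two near-identical translatable format strings; formatting the id once into a small buffer before the switch would leave one message per case. The enclosing switch continues outside the hunk.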
=== main/tools/src/acl_group.c
==================================================================
--- main/tools/src/acl_group.c	(revision 2369)
+++ main/tools/src/acl_group.c	(local)
@@ -1,9 +1,9 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2005: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 31/May/2005                        */
+/* Last modified: 25/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
@@ -11,6 +11,7 @@
 #include <string.h>
 #include <sys/types.h>
 #include <unistd.h>
+#include <time.h>
 #include <rsbac/types.h>
 #include <rsbac/getname.h>
 #include <rsbac/acl_getname.h>
@@ -55,7 +56,7 @@
       printf(gettext("  get_group_members group-id\n"));
     }
 
-char * get_group_name(rsbac_acl_group_id_t group, char * name)
+char * acl_get_group_name(rsbac_acl_group_id_t group, char * name)
   {
     union  rsbac_acl_group_syscall_arg_t arg;
     struct rsbac_acl_group_entry_t entry;
@@ -261,10 +262,19 @@
               arg.change_group.name = argv[5];
               res = rsbac_acl_group(ta_number, call, &arg);
               error_exit(res);
-              if(verbose)
-                printf(gettext("Group %u changed to owner %u, type %s, name '%s'\n"),
-                       arg.change_group.id, arg.change_group.owner,
-                       argv[4], arg.change_group.name);
+              if(verbose) {
+                if (RSBAC_UID_SET(arg.change_group.owner))
+                  printf(gettext("Group %u changed to owner %u/%u, type %s, name '%s'\n"),
+                         arg.change_group.id,
+                         RSBAC_UID_SET(arg.change_group.owner),
+                         RSBAC_UID_NUM(arg.change_group.owner),
+                         argv[4], arg.change_group.name);
+                else
+                  printf(gettext("Group %u changed to owner %u, type %s, name '%s'\n"),
+                         arg.change_group.id,
+                         RSBAC_UID_NUM(arg.change_group.owner),
+                         argv[4], arg.change_group.name);
+              }
               break;
             }
 
@@ -279,7 +289,7 @@
                 }
               arg.remove_group.id = strtol(argv[2],0,10);
               if(verbose)
-                get_group_name(arg.remove_group.id, name);
+                acl_get_group_name(arg.remove_group.id, name);
               res = rsbac_acl_group(ta_number, call, &arg);
               error_exit(res);
               if(verbose)
@@ -309,16 +319,29 @@
                 type = 'G';
               if(scripting)
                 {
-                  if(numerical)
-                    printf("'%s'-%c-%u\n",
-                           entry.name, type, entry.owner);
-                  else
+                  if(numerical) {
+                    if (RSBAC_UID_SET(entry.owner))
+                      printf("'%s'-%c-%u/%u\n",
+                             entry.name, type,
+                             RSBAC_UID_SET(entry.owner),
+                             RSBAC_UID_NUM(entry.owner));
+                    else
+                      printf("'%s'-%c-%u\n",
+                             entry.name, type, RSBAC_UID_NUM(entry.owner));
+                  } else
                     printf("'%s'-%c-%s\n",
                            entry.name, type, get_user_name(entry.owner, tmp));
                 }
-              else
-                printf(gettext("Group %u: owner %u (%s), type %c, name '%s'\n"),
-                       entry.id, entry.owner, get_user_name(entry.owner, tmp), type, entry.name);
+              else {
+                if (RSBAC_UID_SET(entry.owner))
+                  printf(gettext("Group %u: owner %u/%u (%s), type %c, name '%s'\n"),
+                         entry.id, RSBAC_UID_SET(entry.owner),
+                         RSBAC_UID_NUM(entry.owner),
+                         get_user_name(entry.owner, tmp), type, entry.name);
+                else
+                  printf(gettext("Group %u: owner %u (%s), type %c, name '%s'\n"),
+                         entry.id, RSBAC_UID_NUM(entry.owner), get_user_name(entry.owner, tmp), type, entry.name);
+              }
               break;
             }
 
@@ -367,11 +390,20 @@
                                get_user_name(entry_array[i].owner, tmp),
                                type, entry_array[i].name);
                     }
-                  else
-                    printf(gettext("Group %u: owner %u (%s), type %c, name '%s'\n"),
-                           entry_array[i].id, entry_array[i].owner,
-                           get_user_name(entry_array[i].owner, tmp),
-                           type, entry_array[i].name);
+                  else {
+                    if (RSBAC_UID_SET(entry_array[i].owner))
+                      printf(gettext("Group %u: owner %u/%u (%s), type %c, name '%s'\n"),
+                             entry_array[i].id,
+                             RSBAC_UID_SET(entry_array[i].owner),
+                             RSBAC_UID_NUM(entry_array[i].owner),
+                             get_user_name(entry_array[i].owner, tmp),
+                             type, entry_array[i].name);
+                    else
+                      printf(gettext("Group %u: owner %u (%s), type %c, name '%s'\n"),
+                             entry_array[i].id, RSBAC_UID_NUM(entry_array[i].owner),
+                             get_user_name(entry_array[i].owner, tmp),
+                             type, entry_array[i].name);
+                  }
                 }
               if(res == MAX_ENTRIES)
                 fprintf(stderr, gettext("(truncated)\n"));
@@ -402,10 +434,18 @@
                     {
                       res = rsbac_acl_group(ta_number, call, &arg);
                       error_exit(res);
-                      if(verbose)
-                        printf(gettext("Member %u (%s) added to group %u '%s'\n"),
-                           arg.add_member.user, get_user_name(arg.add_member.user, tmp),
-                           arg.add_member.group, get_group_name(arg.add_member.group, name));
+                      if(verbose) {
+                        if (RSBAC_UID_SET(arg.add_member.user))
+                          printf(gettext("Member %u/%u (%s) added to group %u '%s'\n"),
+                            RSBAC_UID_SET(arg.add_member.user),
+                            RSBAC_UID_NUM(arg.add_member.user),
+                            get_user_name(arg.add_member.user, tmp),
+                            arg.add_member.group, acl_get_group_name(arg.add_member.group, name));
+                        else
+                          printf(gettext("Member %u (%s) added to group %u '%s'\n"),
+                            RSBAC_UID_NUM(arg.add_member.user), get_user_name(arg.add_member.user, tmp),
+                            arg.add_member.group, acl_get_group_name(arg.add_member.group, name));
+                      }
                     }
                 }
               break;
@@ -433,10 +473,18 @@
                     {
                       res = rsbac_acl_group(ta_number, call, &arg);
                       error_exit(res);
-                      if(verbose)
-                        printf(gettext("Member %u (%s) removed from group %u '%s'\n"),
-                               arg.remove_member.user, get_user_name(arg.remove_member.user, tmp),
-                               arg.remove_member.group, get_group_name(arg.remove_member.group, name));
+                      if(verbose) {
+                        if (RSBAC_UID_SET(arg.remove_member.user))
+                          printf(gettext("Member %u/%u (%s) removed from group %u '%s'\n"),
+                               RSBAC_UID_SET(arg.remove_member.user),
+                               RSBAC_UID_NUM(arg.remove_member.user),
+                               get_user_name(arg.remove_member.user, tmp),
+                               arg.remove_member.group, acl_get_group_name(arg.remove_member.group, name));
+                        else
+                          printf(gettext("Member %u (%s) removed from group %u '%s'\n"),
+                               RSBAC_UID_NUM(arg.remove_member.user), get_user_name(arg.remove_member.user, tmp),
+                               arg.remove_member.group, acl_get_group_name(arg.remove_member.group, name));
+                      }
                     }
                 }
               break;
@@ -449,7 +497,7 @@
                      char tmp[RSBAC_MAXNAMELEN];
 
               if(argc <= 2)
-                arg.get_user_groups.user = getuid();
+                arg.get_user_groups.user = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, getuid());
               else
                 if(rsbac_get_uid(&arg.get_user_groups.user, argv[2]))
                   {
@@ -464,16 +512,31 @@
               error_exit(res);
               if(verbose)
                 {
-                  if(res < MAX_ENTRIES)
-                    printf(gettext("%i group memberships for user %u (%s): "),
+                  if(res < MAX_ENTRIES) {
+                    if (RSBAC_UID_SET(arg.get_user_groups.user))
+                      printf(gettext("%i group memberships for user %u/%u (%s): "),
                            res,
-                           arg.get_user_groups.user,
+                           RSBAC_UID_SET(arg.get_user_groups.user),
+                           RSBAC_UID_NUM(arg.get_user_groups.user),
                            get_user_name(arg.get_user_groups.user, tmp));
-                  else
-                    printf(gettext("%i group memberships for user %u (%s) (list truncated): "),
+                    else
+                      printf(gettext("%i group memberships for user %u (%s): "),
                            res,
-                           arg.get_user_groups.user,
+                           RSBAC_UID_NUM(arg.get_user_groups.user),
                            get_user_name(arg.get_user_groups.user, tmp));
+                  } else {
+                    if (RSBAC_UID_SET(arg.get_user_groups.user))
+                      printf(gettext("%i group memberships for user %u/%u (%s) (list truncated): "),
+                           res,
+                           RSBAC_UID_SET(arg.get_user_groups.user),
+                           RSBAC_UID_NUM(arg.get_user_groups.user),
+                           get_user_name(arg.get_user_groups.user, tmp));
+                    else
+                      printf(gettext("%i group memberships for user %u (%s) (list truncated): "),
+                           res,
+                           RSBAC_UID_NUM(arg.get_user_groups.user),
+                           get_user_name(arg.get_user_groups.user, tmp));
+                  }
                 }
               for(i=0; i<res; i++)
                 {
@@ -512,12 +575,12 @@
                     printf(gettext("%i members of group %u '%s':\n"),
                            res,
                            arg.get_group_members.group,
-                           get_group_name(arg.get_group_members.group, name));
+                           acl_get_group_name(arg.get_group_members.group, name));
                   else
                     printf(gettext("%i members of group %u '%s' (list truncated):\n"),
                            res,
                            arg.get_group_members.group,
-                           get_group_name(arg.get_group_members.group, name));
+                           acl_get_group_name(arg.get_group_members.group, name));
                 }
               if(backup && (res>0))
                 {
@@ -531,10 +594,15 @@
                     {
                       if(!ttl_array[i])
                         {
-                          if(numerical)
-                            printf(" %u",
-                                   user_array[i]);
-                          else
+                          if(numerical) {
+                            if (RSBAC_UID_SET(user_array[i]))
+                              printf(" %u/%u",
+                                   RSBAC_UID_SET(user_array[i]),
+                                   RSBAC_UID_NUM(user_array[i]));
+                            else
+                              printf(" %u",
+                                   RSBAC_UID_NUM(user_array[i]));
+                          } else
                             printf(" %s",
                                    get_user_name(user_array[i], tmp));
                         }
@@ -544,14 +612,23 @@
                     {
                       if(ttl_array[i])
                         {
-                          if(numerical)
-                            printf("%s -V %u -T %u add_member %u %u\n",
+                          if(numerical) {
+                            if (RSBAC_UID_SET(user_array[i]))
+                              printf("%s -V %u -T %u add_member %u %u/%u\n",
                                    GROUP_PROG,
                                    RSBAC_VERSION_NR,
                                    ttl_array[i] + now,
                                    arg.get_group_members.group,
-                                   user_array[i]);
-                          else
+                                   RSBAC_UID_SET(user_array[i]),
+                                   RSBAC_UID_NUM(user_array[i]));
+                            else
+                              printf("%s -V %u -T %u add_member %u %u\n",
+                                   GROUP_PROG,
+                                   RSBAC_VERSION_NR,
+                                   ttl_array[i] + now,
+                                   arg.get_group_members.group,
+                                   RSBAC_UID_NUM(user_array[i]));
+                          } else
                             printf("%s -V %u -T %u add_member %u %s\n",
                                    GROUP_PROG,
                                    RSBAC_VERSION_NR,
@@ -568,7 +645,12 @@
                       {
                         for(i=0; i<res; i++)
                           {
-                            printf("%u\n", user_array[i]);
+                            if (RSBAC_UID_SET(user_array[i]))
+                              printf("%u/%u\n",
+                                RSBAC_UID_SET(user_array[i]),
+                                RSBAC_UID_NUM(user_array[i]));
+                            else
+                              printf("%u\n", RSBAC_UID_NUM(user_array[i]));
                           }
                       }
                     else
@@ -583,13 +665,29 @@
                   {
                     for(i=0; i<res; i++)
                       {
-                        if(ttl_array[i])
-                          printf("%u(ttl:%is)\t%s\n",
-                                 user_array[i],
+                        if(ttl_array[i]) {
+                          if (RSBAC_UID_SET(user_array[i]))
+                            printf("%u/%u(ttl:%is)\t%s\n",
+                                 RSBAC_UID_SET(user_array[i]),
+                                 RSBAC_UID_NUM(user_array[i]),
                                  ttl_array[i],
                                  get_user_name(user_array[i], tmp));
-                        else
-                          printf("%u\t\t%s\n", user_array[i], get_user_name(user_array[i], tmp));
+                          else
+                            printf("%u(ttl:%is)\t%s\n",
+                                 RSBAC_UID_NUM(user_array[i]),
+                                 ttl_array[i],
+                                 get_user_name(user_array[i], tmp));
+                        } else {
+                          if (RSBAC_UID_SET(user_array[i]))
+                            printf("%u/%u\t\t%s\n",
+                              RSBAC_UID_SET(user_array[i]),
+                              RSBAC_UID_NUM(user_array[i]),
+                              get_user_name(user_array[i], tmp));
+                          else
+                            printf("%u\t\t%s\n",
+                              RSBAC_UID_NUM(user_array[i]),
+                              get_user_name(user_array[i], tmp));
+                        }
                       }
                   }
               if(res == MAX_ENTRIES)
@@ -625,10 +723,15 @@
             break;
 
           case 'o':
-            if(numerical)
-              printf("%u\n",
-                     entry.owner);
-            else
+            if(numerical) {
+              if (RSBAC_UID_SET(entry.owner))
+                printf("%u/%u\n",
+                       RSBAC_UID_SET(entry.owner),
+                       RSBAC_UID_NUM(entry.owner));
+              else
+                printf("%u\n",
+                       RSBAC_UID_NUM(entry.owner));
+            } else
               printf("%s\n",
                      get_user_name(entry.owner, tmp));
             break;
=== main/tools/src/acl_mask.c
==================================================================
--- main/tools/src/acl_mask.c	(revision 2369)
+++ main/tools/src/acl_mask.c	(local)
@@ -1,9 +1,9 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 19/Jul/2006                        */
+/* Last modified: 25/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
@@ -77,6 +77,7 @@
 
     if(name && !strcmp(name,":DEFAULT:"))
       {
+        def_mask = 0;
         switch(target)
           {
             case T_FILE:
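Review bot: `def_mask` is assigned branch by branch (`0` here, `RSBAC_ACL_DEFAULT_U_MASK` and `RSBAC_ACL_DEFAULT_G_MASK` in the T_USER and T_GROUP hunks, `0` in the default arm), so whether every target case leaves it defined depends on switch arms these hunks do not show. It is presumably used as an ACL mask later in the function, and a case that forgets it would then act on a stale or indeterminate value. Initialising it once at its declaration, for example `rsbac_acl_rights_vector_t def_mask = 0;`, covers every path. The `def_mask = 0;` directly before `return(1);` in the `@@ -209` hunk then has no effect if the variable is local. The declaration is outside the hunks, so the type named here is an assumption to confirm.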
@@ -177,6 +178,7 @@
                 }
               else
                 arg.tid.user = uid;
+              def_mask = RSBAC_ACL_DEFAULT_U_MASK;
               break;
             case T_GROUP:
               if(rsbac_get_gid(&arg.tid.group, name))
@@ -185,6 +187,7 @@
                           progname, name);
                   exit(1);
                 }
+              def_mask = RSBAC_ACL_DEFAULT_G_MASK;
               break;
             case T_NETDEV:
               strncpy((char *)arg.tid.netdev, name, RSBAC_IFNAMSIZ);
@@ -209,6 +212,7 @@
             default:
               fprintf(stderr, gettext("Invalid target %u for %s, skipped!\n"),
                       target, name);
+              def_mask = 0;
               return(1);
           }
       }
@@ -323,8 +327,13 @@
                 else
                 if(desc_p)
                   printf(" %s \"%s\"\n", target_n, devdesctostr(tmp1, *desc_p));
-                else
-                  printf(" %s %u\n", target_n, uid);
+                else {
+                  if (RSBAC_UID_SET(uid))
+                    printf(" %s %u/%u\n", target_n,
+                      RSBAC_UID_SET(uid), RSBAC_UID_NUM(uid));
+                  else
+                    printf(" %s %u\n", target_n, RSBAC_UID_NUM(uid));
+                }
               }
           }
         else /* no backup */
@@ -338,10 +347,17 @@
               printf("%s: %s\n",
                      devdesctostr(tmp2, *desc_p),
                      u64tostracl(tmp1, rights_vector));
-            else
-              printf("%u: %s\n",
-                     uid,
+            else {
+              if (RSBAC_UID_SET(uid))
+                printf("%u/%u: %s\n",
+                     RSBAC_UID_SET(uid),
+                     RSBAC_UID_NUM(uid),
                      u64tostracl(tmp1, rights_vector));
+              else
+                printf("%u: %s\n",
+                     RSBAC_UID_NUM(uid),
+                     u64tostracl(tmp1, rights_vector));
+            }
             if(printall)
               {
                 int i;
=== main/tools/src/acl_rights.c
==================================================================
--- main/tools/src/acl_rights.c	(revision 2369)
+++ main/tools/src/acl_rights.c	(local)
@@ -1,9 +1,9 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 19/Jul/2006                        */
+/* Last modified: 26/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
@@ -274,7 +274,6 @@
           }
       }
 
-do_recurse:
     if(   !lstat(name,&buf)
        && S_ISDIR(buf.st_mode)
        && recurse)
@@ -311,7 +310,6 @@
 int main(int argc, char ** argv)
 {
   int i;
-  struct passwd * user_info_p;
   char none_name[] = "FD";
 
   locale_init();
@@ -446,8 +444,17 @@
                   subj_id = uid;
                 }
                 subj_type = ACLS_USER;
-                if(!scripting)
-                  printf(gettext("%s: User %u\n"), progname, subj_id);
+                if(!scripting) {
+                  if (RSBAC_UID_SET(subj_id))
+                    printf(gettext("%s: User %u/%u\n"),
+                           progname,
+                           RSBAC_UID_SET(subj_id),
+                           RSBAC_UID_NUM(subj_id));
+                  else
+                    printf(gettext("%s: User %u\n"),
+                           progname,
+                           RSBAC_UID_NUM(subj_id));
+                }
                 argv++;
                 argc--;
                 break;
@@ -460,7 +467,9 @@
                 subj_type = ACLS_GROUP;
                 subj_id = strtol(argv[2],0,10);
                 if(!scripting)
-                  printf(gettext("%s: Group %u\n"), progname, subj_id);
+                  printf(gettext("%s: Group %u\n"),
+                         progname,
+                         RSBAC_GID_NUM(subj_id));
                 argv++;
                 argc--;
                 break;
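Review bot: `subj_id = strtol(argv[2],0,10);` accepts any string, so a mistyped or non-numeric group argument silently becomes id 0 and the tool carries on with that subject. Passing an end pointer and rejecting input that is empty or has trailing characters closes this. The role branch in the next hunk and the group and role branches in the `@@ -527` and `@@ -544` hunks parse the same way. `char * end;` would need declaring in main, and the `exit(1)` follows what acl_mask.c and acl_tlist.c do on invalid names rather than anything visible in this file. The case body starts before the hunk.

```c
                subj_type = ACLS_GROUP;
                subj_id = strtol(argv[2], &end, 10);
                if(end == argv[2] || *end != '\0')
                  {
                    fprintf(stderr, gettext("%s: Invalid group id %s!\n"),
                            progname, argv[2]);
                    exit(1);
                  }
                /* … unchanged: printf of the group id, argv++, argc-- … */
```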
@@ -473,7 +482,7 @@
                 subj_type = ACLS_ROLE;
                 subj_id = strtol(argv[2],0,10);
                 if(!scripting)
-                  printf(gettext("%s: Role %u\n"), progname, subj_id);
+                  printf(gettext("%s: Role %u\n"), progname, RSBAC_UID_NUM(subj_id));
                 argv++;
                 argc--;
                 break;
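Review bot: The role id is printed through `RSBAC_UID_NUM(subj_id)` although a role is not a user id. The group branch in the `@@ -527` hunk also uses `RSBAC_UID_NUM`, while the group branch in the previous hunk uses `RSBAC_GID_NUM`. If the two macro families ever mask differently, the same group prints differently depending on which option form was used. For the `@@ -527` group line I would write `printf(gettext("%s: Group %u\n"), progname, RSBAC_GID_NUM(subj_id));`. For roles, here and in the `@@ -544` hunk, a plain `(unsigned int) subj_id` states the intent, assuming `subj_id` is wider than `unsigned int`, which these hunks do not show.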
@@ -509,8 +518,17 @@
                       subj_id = uid;
                     }
                     subj_type = ACLS_USER;
-                    if(!scripting)
-                      printf("%s: User %u\n", progname, subj_id);
+                    if(!scripting) {
+                      if (RSBAC_UID_SET(subj_id))
+                        printf("%s: User %u/%u\n",
+                               progname,
+                               RSBAC_UID_SET(subj_id),
+                               RSBAC_UID_NUM(subj_id));
+                      else
+                        printf("%s: User %u\n",
+                               progname,
+                               RSBAC_UID_NUM(subj_id));
+                    }
                     argv++;
                     argc--;
                     pos+=4;
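Review bot: The two new format strings `"%s: User %u/%u\n"` and `"%s: User %u\n"` are passed to `printf` untranslated, while the same messages in the `@@ -446` hunk and the Group and Role lines in the following hunks go through `gettext()`. The removed line was already untranslated, so this carries an old inconsistency into new code. Wrapping both, as `printf(gettext("%s: User %u/%u\n"),` and `printf(gettext("%s: User %u\n"),`, reuses the msgids the earlier hunk already introduces. The surrounding case body starts outside the hunk.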
@@ -527,7 +545,7 @@
                     subj_type = ACLS_GROUP;
                     subj_id = strtol(argv[2],0,10);
                     if(!scripting)
-                      printf(gettext("%s: Group %u\n"), progname, subj_id);
+                      printf(gettext("%s: Group %u\n"), progname, RSBAC_UID_NUM(subj_id));
                     argv++;
                     argc--;
                     pos+=5;
@@ -544,7 +562,7 @@
                     subj_type = ACLS_ROLE;
                     subj_id = strtol(argv[2],0,10);
                     if(!scripting)
-                      printf(gettext("%s: Role %u\n"), progname, subj_id);
+                      printf(gettext("%s: Role %u\n"), progname, RSBAC_UID_NUM(subj_id));
                     argv++;
                     argc--;
                     pos+=4;
=== main/tools/src/acl_rm_user.c
==================================================================
--- main/tools/src/acl_rm_user.c	(revision 2369)
+++ main/tools/src/acl_rm_user.c	(local)
@@ -1,9 +1,9 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2005: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 31/May/2005                        */
+/* Last modified: 25/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
@@ -85,7 +85,6 @@
     }
   if (argc > 1)
     {
-      struct passwd * user_info_p;
       struct rsbac_acl_syscall_arg_t   arg;
       char            yn;
 
@@ -100,9 +99,15 @@
       arg.subj_id = arg.tid.user;
       if(!allyes)
         {
-          printf(gettext("Remove all groups and memberships of user %u '%s' [y/n]\n"),
-                 arg.tid.user,
+          if (RSBAC_UID_SET(arg.tid.user))
+            printf(gettext("Remove all groups and memberships of user %u/%u '%s' [y/n]\n"),
+                 RSBAC_UID_SET(arg.tid.user),
+                 RSBAC_UID_NUM(arg.tid.user),
                  argv[1]);
+          else
+            printf(gettext("Remove all groups and memberships of user %u '%s' [y/n]\n"),
+                 RSBAC_UID_NUM(arg.tid.user),
+                 argv[1]);
           yn = getchar();
           if(yn != 'y')
             exit(0);
=== main/tools/src/acl_tlist.c
==================================================================
--- main/tools/src/acl_tlist.c	(revision 2369)
+++ main/tools/src/acl_tlist.c	(local)
@@ -1,9 +1,9 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 19/Jul/2006                        */
+/* Last modified: 26/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
@@ -13,6 +13,7 @@
 #include <sys/types.h>
 #include <dirent.h>
 #include <pwd.h>
+#include <time.h>
 #include <rsbac/types.h>
 #include <rsbac/aci_data_structures.h>
 #include <rsbac/getname.h>
@@ -69,7 +70,7 @@
     int res = 0;
     char tmp1[RSBAC_MAXNAMELEN], tmp2[RSBAC_MAXNAMELEN];
     struct stat buf;
-    char * i_name;
+    char * i_name = NULL;
     struct rsbac_acl_entry_t entry_array[NR_ENTRIES];
     rsbac_time_t ttl_array[NR_ENTRIES];
     union rsbac_target_id_t tid;
@@ -167,14 +168,14 @@
                 }
               break;
             case T_USER:
-              if(name)
+              if(name) {
                 if(rsbac_get_uid(&tid.user, name))
                   {
                     fprintf(stderr, gettext("%s: Invalid User %s!\n"),
                             progname, name);
                     exit(1);
                   }
-              else
+              } else
                 tid.user = uid;
               break;
             case T_GROUP:
@@ -259,21 +260,41 @@
 
                 for(j=0; j<res; j++)
                   {
-                    if(ttl_array[j])
-                      printf("%s -V %u -vs%c -T %u %s %u",
+                    if(ttl_array[j]) {
+                      if (RSBAC_UID_SET(entry_array[j].subj_id))
+                        printf("%s -V %u -vs%c -T %u %s %u/%u",
                              GRANT_PROG,
                              RSBAC_VERSION_NR,
                              numdev ? 'd' : ' ',
                              ttl_array[j] + now,
                              get_acl_subject_type_name(tmp1, entry_array[j].subj_type),
-                             entry_array[j].subj_id);
-                    else
-                      printf("%s -V %u -vs%c %s %u",
+                             RSBAC_UID_SET(entry_array[j].subj_id),
+                             RSBAC_UID_NUM(entry_array[j].subj_id));
+                      else
+                        printf("%s -V %u -vs%c -T %u %s %u",
                              GRANT_PROG,
                              RSBAC_VERSION_NR,
                              numdev ? 'd' : ' ',
+                             ttl_array[j] + now,
                              get_acl_subject_type_name(tmp1, entry_array[j].subj_type),
-                             entry_array[j].subj_id);
+                             RSBAC_UID_NUM(entry_array[j].subj_id));
+                    } else {
+                      if (RSBAC_UID_SET(entry_array[j].subj_id))
+                        printf("%s -V %u -vs%c %s %u/%u",
+                             GRANT_PROG,
+                             RSBAC_VERSION_NR,
+                             numdev ? 'd' : ' ',
+                             get_acl_subject_type_name(tmp1, entry_array[j].subj_type),
+                             RSBAC_UID_SET(entry_array[j].subj_id),
+                             RSBAC_UID_NUM(entry_array[j].subj_id));
+                      else
+                        printf("%s -V %u -vs%c %s %u",
+                             GRANT_PROG,
+                             RSBAC_VERSION_NR,
+                             numdev ? 'd' : ' ',
+                             get_acl_subject_type_name(tmp1, entry_array[j].subj_type),
+                             RSBAC_UID_NUM(entry_array[j].subj_id));
+                    }
                     for (i=0; i<R_NONE; i++)
                       if(entry_array[j].rights & ((rsbac_acl_rights_vector_t) 1 << i))
                         printf(" %s", get_request_name(tmp1,i));
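Review bot: The `RSBAC_UID_SET`/`RSBAC_UID_NUM` split is applied to `entry_array[j].subj_id` without looking at `entry_array[j].subj_type`, so group and role subjects are decoded with the user-id macros as well. acl_rights.c in this same change prints a group id with `RSBAC_GID_NUM`, which suggests the id kinds are meant to be kept apart. A role or group id with high bits set would be written as `set/num` into the generated `GRANT_PROG` line. Either branch on the subject type first, or state the assumption next to the test, e.g. `/* subj_id uses the uid set/num layout for users, groups and roles alike */`, once that is confirmed against the type definitions. The same pattern is in the `@@ -291`, `@@ -324` and `@@ -357` hunks, and the enclosing function starts outside this one.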
@@ -291,25 +312,49 @@
               {
                 for(j=0; j<res; j++)
                   {
-                    if(ttl_array[j])
-                      printf("%s -V %u -vsb%c -T %u %s %u %s %s ",
+                    if(ttl_array[j]) {
+                      if (RSBAC_UID_SET(entry_array[j].subj_id))
+                        printf("%s -V %u -vsb%c -T %u %s %u/%u %s %s ",
                              GRANT_PROG,
                              RSBAC_VERSION_NR,
                              numdev ? 'd' : ' ',
                              ttl_array[j] + now,
                              get_acl_subject_type_name(tmp1, entry_array[j].subj_type),
-                             entry_array[j].subj_id,
+                             RSBAC_UID_SET(entry_array[j].subj_id),
+                             RSBAC_UID_NUM(entry_array[j].subj_id),
                              u64tostracl(tmp2, entry_array[j].rights),
                              target_n);
-                    else
-                      printf("%s -V %u -vsb%c %s %u %s %s ",
+                      else
+                        printf("%s -V %u -vsb%c -T %u %s %u %s %s ",
                              GRANT_PROG,
                              RSBAC_VERSION_NR,
                              numdev ? 'd' : ' ',
+                             ttl_array[j] + now,
                              get_acl_subject_type_name(tmp1, entry_array[j].subj_type),
-                             entry_array[j].subj_id,
+                             RSBAC_UID_NUM(entry_array[j].subj_id),
                              u64tostracl(tmp2, entry_array[j].rights),
                              target_n);
+                    } else {
+                      if (RSBAC_UID_SET(entry_array[j].subj_id))
+                        printf("%s -V %u -vsb%c %s %u/%u %s %s ",
+                             GRANT_PROG,
+                             RSBAC_VERSION_NR,
+                             numdev ? 'd' : ' ',
+                             get_acl_subject_type_name(tmp1, entry_array[j].subj_type),
+                             RSBAC_UID_SET(entry_array[j].subj_id),
+                             RSBAC_UID_NUM(entry_array[j].subj_id),
+                             u64tostracl(tmp2, entry_array[j].rights),
+                             target_n);
+                      else
+                        printf("%s -V %u -vsb%c %s %u %s %s ",
+                             GRANT_PROG,
+                             RSBAC_VERSION_NR,
+                             numdev ? 'd' : ' ',
+                             get_acl_subject_type_name(tmp1, entry_array[j].subj_type),
+                             RSBAC_UID_NUM(entry_array[j].subj_id),
+                             u64tostracl(tmp2, entry_array[j].rights),
+                             target_n);
+                    }
                     if(name)
                       printf("\"%s\"\n", name);
                     else
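Review bot: `printf("\"%s\"\n", name);` places the target name between double quotes at the end of a line that starts with `GRANT_PROG`, and a shell still expands `$`, backquotes and `"` inside double quotes. If this backup output is replayed through a shell, as its command-line shape suggests, a file name containing those characters is not restored as the literal name. Emitting the name single-quoted, with embedded single quotes escaped, keeps it literal. How the restore side actually consumes these lines is not visible here, so confirm that before changing the quoting. The enclosing loop and function start outside the hunk.

```c
/* Writes s single-quoted for a POSIX shell; an embedded ' becomes '\'' */
static void print_shell_quoted(const char * s)
  {
    putchar('\'');
    for(; *s; s++)
      {
        if(*s == '\'')
          fputs("'\\''", stdout);
        else
          putchar(*s);
      }
    putchar('\'');
  }

/* … unchanged: GRANT_PROG printf for the entry … */
                    if(name)
                      {
                        print_shell_quoted(name);
                        putchar('\n');
                      }
```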
@@ -324,15 +369,29 @@
               {
                 for(j=0; j<res; j++)
                   {
-                    if(ttl_array[j])
-                      printf("%s %u(ttl:%us)\n",
+                    if(ttl_array[j]) {
+                      if (RSBAC_UID_SET(entry_array[j].subj_id))
+                        printf("%s %u/%u(ttl:%us)\n",
                              get_acl_subject_type_name(tmp1, entry_array[j].subj_type),
-                             entry_array[j].subj_id,
+                             RSBAC_UID_SET(entry_array[j].subj_id),
+                             RSBAC_UID_NUM(entry_array[j].subj_id),
                              ttl_array[j]);
-                    else
-                      printf("%s %u\n",
+                      else
+                        printf("%s %u(ttl:%us)\n",
                              get_acl_subject_type_name(tmp1, entry_array[j].subj_type),
-                             entry_array[j].subj_id);
+                             RSBAC_UID_NUM(entry_array[j].subj_id),
+                             ttl_array[j]);
+                    } else {
+                      if (RSBAC_UID_SET(entry_array[j].subj_id))
+                        printf("%s %u/%u\n",
+                             get_acl_subject_type_name(tmp1, entry_array[j].subj_type),
+                             RSBAC_UID_SET(entry_array[j].subj_id),
+                             RSBAC_UID_NUM(entry_array[j].subj_id));
+                      else
+                        printf("%s %u\n",
+                             get_acl_subject_type_name(tmp1, entry_array[j].subj_type),
+                             RSBAC_UID_NUM(entry_array[j].subj_id));
+                    }
                     if(printall)
                       {
                         int i;
@@ -357,17 +416,33 @@
                          devdesctostr(tmp1, *desc_p), res);
                 for(j=0; j<res; j++)
                   {
-                    if(ttl_array[j])
-                      printf("  %s %u:\t%s (ttl: %us)\n",
+                    if(ttl_array[j]) {
+                      if (RSBAC_UID_SET(entry_array[j].subj_id))
+                        printf("  %s %u/%u:\t%s (ttl: %us)\n",
                              get_acl_subject_type_name(tmp1, entry_array[j].subj_type),
-                             entry_array[j].subj_id,
+                             RSBAC_UID_SET(entry_array[j].subj_id),
+                             RSBAC_UID_NUM(entry_array[j].subj_id),
                              u64tostracl(tmp2, entry_array[j].rights),
                              ttl_array[j]);
-                    else
-                      printf("  %s %u:\t%s\n",
+                      else
+                        printf("  %s %u:\t%s (ttl: %us)\n",
                              get_acl_subject_type_name(tmp1, entry_array[j].subj_type),
-                             entry_array[j].subj_id,
+                             RSBAC_UID_NUM(entry_array[j].subj_id),
+                             u64tostracl(tmp2, entry_array[j].rights),
+                             ttl_array[j]);
+                    } else {
+                      if (RSBAC_UID_SET(entry_array[j].subj_id))
+                        printf("  %s %u/%u:\t%s\n",
+                             get_acl_subject_type_name(tmp1, entry_array[j].subj_type),
+                             RSBAC_UID_SET(entry_array[j].subj_id),
+                             RSBAC_UID_NUM(entry_array[j].subj_id),
                              u64tostracl(tmp2, entry_array[j].rights));
+                      else
+                        printf("  %s %u:\t%s\n",
+                             get_acl_subject_type_name(tmp1, entry_array[j].subj_type),
+                             RSBAC_UID_NUM(entry_array[j].subj_id),
+                             u64tostracl(tmp2, entry_array[j].rights));
+                    }
                     if(printall)
                       {
                         int i;
@@ -384,7 +459,6 @@
           }
       }
 
-do_recurse:
     if(   name
        && !lstat(name,&buf)
        && S_ISDIR(buf.st_mode)
=== main/tools/src/attr_back_dev.c
==================================================================
--- main/tools/src/attr_back_dev.c	(revision 2369)
+++ main/tools/src/attr_back_dev.c	(local)
@@ -1,9 +1,9 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 19/Jul/2006                        */
+/* Last modified: 26/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
@@ -102,7 +102,7 @@
             {
               case A_log_array_low:
               case A_log_array_high:
-                if (value.log_array_low != -1)
+                if (value.log_array_low != -1) {
                   if(backall)
                     fprintf(tfile,
                             "%s -V %u -d DEV \"%s\" %s %s\n",
@@ -119,10 +119,11 @@
                             name,
                             get_attribute_name(tmp1,attr_list[j]),
                             u64tostrlog(tmp2,value.log_array_low));
+                }
                 break;
               case A_security_level:
               case A_pm_object_type:
-                if(value.security_level != def_attr[j])
+                if(value.security_level != def_attr[j]) {
                   if(backall)
                     fprintf(tfile,
                             "%s -V %u -d DEV \"%s\" %s %u\n",
@@ -139,6 +140,7 @@
                             name,
                             get_attribute_name(tmp1,attr_list[j]),
                             value.security_level);
+                }
                 break;
               case A_rc_type:
                 if(backall)
@@ -171,7 +173,7 @@
                   }
                 break;
               default:
-                if(value.dummy != def_attr[j])
+                if(value.dummy != def_attr[j]) {
                   if(backall)
                     fprintf(tfile,
                             "%s -V %u -d DEV \"%s\" %s %i\n",
@@ -188,6 +190,7 @@
                             name,
                             get_attribute_name(tmp1,attr_list[j]),
                             value.dummy);
+                }
             }
       }
     if(   recurse
@@ -228,7 +231,7 @@
 {
   int res = 0;
   char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN];
-  FILE * listfile;
+  FILE * listfile = NULL;
   int i,j;
 
   locale_init();
=== main/tools/src/attr_back_fd.c
==================================================================
--- main/tools/src/attr_back_fd.c	(revision 2369)
+++ main/tools/src/attr_back_fd.c	(local)
@@ -1,9 +1,9 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 06/Nov/2006                        */
+/* Last modified: 26/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
@@ -14,6 +14,8 @@
 #include <dirent.h>
 #include <rsbac/types.h>
 #include <rsbac/getname.h>
+#include <rsbac/res_getname.h>
+#include <rsbac/pax_getname.h>
 #include <rsbac/syscalls.h>
 #include <rsbac/error.h>
 #include <rsbac/helpers.h>
@@ -67,7 +69,8 @@
       RSBAC_PAX_DEF_FLAGS, /* pax_flags */
       FR_off, /* fake_root_uid */
       RSBAC_NO_USER, /* auid_exempt */
-      DEFAULT_DAZ_FD_DO_SCAN /* daz_do_scan */
+      DEFAULT_DAZ_FD_DO_SCAN, /* daz_do_scan */
+      RSBAC_UM_VIRTUAL_KEEP /* vset */
   };
 
 void use(void)
@@ -99,7 +102,7 @@
     if(   exrdat
        && !strcmp(name, "rsbac.dat")
       )
-      return;
+      return 0;
     for (j=0;j < RSBAC_FD_NR_ATTRIBUTES;j++)
       {
         value.dummy = -1;
@@ -164,14 +167,25 @@
                           value.ff_flags);
                 break;
               case A_auid_exempt:
-                if (value.auid_exempt != def_attr[j])
-                  fprintf(tfile,
+                if (value.auid_exempt != def_attr[j]) {
+                  if (RSBAC_UID_SET(value.auid_exempt))
+                    fprintf(tfile,
+                          "%s -V %u FD \"%s\" %s %u/%u\n",
+                          set_prog,
+                          RSBAC_VERSION_NR,
+                          name,
+                          get_attribute_name(tmp1,attr_list[j]),
+                          RSBAC_UID_SET(value.auid_exempt),
+                          RSBAC_UID_NUM(value.auid_exempt));
+                  else
+                    fprintf(tfile,
                           "%s -V %u FD \"%s\" %s %u\n",
                           set_prog,
                           RSBAC_VERSION_NR,
                           name,
                           get_attribute_name(tmp1,attr_list[j]),
-                          value.auid_exempt);
+                          RSBAC_UID_NUM(value.auid_exempt));
+                }
                 break;
               case A_rc_type_fd:
               case A_rc_force_role:
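Review bot: The new `%u/%u` branch writes `name` into the generated command line inside plain double quotes (`\"%s\"`), as the existing branch does, so a path containing `"`, `$`, a backtick or a newline would alter the command if this backup output is later run by a shell. That use is assumed from the `set_prog -V … FD` line format; the consumer is not visible here. Escaping those characters before the `fprintf`, or emitting the name in single quotes with any embedded `'` rewritten as `'\''`, would keep each name a single literal argument. The same applies to the `A_vset` case added in the next hunk of this file, and the enclosing switch starts and ends outside this hunk.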
@@ -257,6 +271,16 @@
                             tmp2);
                   }
                 break;
+              case A_vset:
+                if (value.vset != def_attr[j])
+                  fprintf(tfile,
+                          "%s -V %u FD \"%s\" %s %u\n",
+                          set_prog,
+                          RSBAC_VERSION_NR,
+                          name,
+                          get_attribute_name(tmp1,attr_list[j]),
+                          value.vset);
+                break;
               default:
                 if(value.dummy != def_attr[j])
                   fprintf(tfile,
@@ -298,7 +322,7 @@
           }
         closedir(dir_stream_p);
       }
-    return(0);
+    return 0;
   }
 
 int main(int argc, char ** argv)
@@ -307,7 +331,7 @@
   char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN];
   int i,j;
   FILE * tfile;
-  FILE * listfile;
+  FILE * listfile = NULL;
 
   locale_init();
   
=== main/tools/src/attr_back_group.c
==================================================================
--- main/tools/src/attr_back_group.c	(revision 2369)
+++ main/tools/src/attr_back_group.c	(local)
@@ -1,9 +1,9 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 19/Jul/2006                        */
+/* Last modified: 26/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
@@ -67,12 +67,20 @@
       {
         if(name)
           printf(gettext("# Processing group %s\n"), name);
-        else
-          printf(gettext("# Processing group %u\n"), group);
+        else {
+          if (RSBAC_GID_SET(group))
+            printf(gettext("# Processing group %u/%u\n"),
+                   RSBAC_GID_SET(group), RSBAC_GID_NUM(group));
+          else
+            printf(gettext("# Processing group %u\n"), RSBAC_GID_NUM(group));
+        }
       }
-    if(numeric || !name)
-      sprintf(intname, "%u", group);
-    else
+    if(numeric || !name) {
+      if (RSBAC_GID_SET(group))
+        sprintf(intname, "%u/%u", RSBAC_GID_SET(group), RSBAC_GID_NUM(group));
+      else
+        sprintf(intname, "%u", RSBAC_GID_NUM(group));
+    } else
       strcpy(intname,name);
     for (j=0;j < RSBAC_GROUP_NR_ATTRIBUTES;j++)
       {
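Review bot: Both new `sprintf(intname, …)` calls, and the `strcpy(intname,name)` beside them, write into `intname` with no length limit. Its declaration is outside the hunk, so whether it can hold a long group name is not visible. Assuming `intname` is an array rather than a pointer, `snprintf(intname, sizeof(intname), "%u/%u", RSBAC_GID_SET(group), RSBAC_GID_NUM(group));` and the same form for the other two writes would bound all three. The identical pattern is added in attr_back_user.c for `user`.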
@@ -118,7 +126,7 @@
   char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN];
   rsbac_gid_t group;
   int i,j;
-  FILE * listfile;
+  FILE * listfile = NULL;
   char * filelistname = NULL;
 
   locale_init();
=== main/tools/src/attr_back_net.c
==================================================================
--- main/tools/src/attr_back_net.c	(revision 2369)
+++ main/tools/src/attr_back_net.c	(local)
@@ -1,9 +1,9 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 19/Jul/2006                        */
+/* Last modified: 26/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
@@ -231,7 +231,7 @@
   char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN];
   int i,j;
   FILE * tfile;
-  FILE * listfile;
+  FILE * listfile = NULL;
   char * filelistname = NULL;
 
   locale_init();
=== main/tools/src/attr_back_user.c
==================================================================
--- main/tools/src/attr_back_user.c	(revision 2369)
+++ main/tools/src/attr_back_user.c	(local)
@@ -3,7 +3,7 @@
 /*                                                   */
 /* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 10/May/2007                        */
+/* Last modified: 26/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
@@ -15,6 +15,8 @@
 #include <dirent.h>
 #include <rsbac/types.h>
 #include <rsbac/getname.h>
+#include <rsbac/res_getname.h>
+#include <rsbac/pax_getname.h>
 #include <rsbac/syscalls.h>
 #include <rsbac/error.h>
 #include <rsbac/helpers.h>
@@ -92,12 +94,20 @@
       {
         if(name)
           printf(gettext("# Processing user %s\n"), name);
-        else
-          printf(gettext("# Processing user %u\n"), user);
+        else {
+          if (RSBAC_UID_SET(user))
+            printf(gettext("# Processing user %u/%u\n"),
+                   RSBAC_UID_SET(user), RSBAC_UID_NUM(user));
+          else
+            printf(gettext("# Processing user %u\n"), RSBAC_UID_NUM(user));
+        }
       }
-    if(numeric || !name)
-      sprintf(intname, "%u", user);
-    else
+    if(numeric || !name) {
+      if (RSBAC_UID_SET(user))
+        sprintf(intname, "%u/%u", RSBAC_UID_SET(user), RSBAC_UID_NUM(user));
+      else
+        sprintf(intname, "%u", RSBAC_UID_NUM(user));
+    } else
       strcpy(intname,name);
     for (j=0;j < RSBAC_USER_NR_ATTRIBUTES;j++)
       {
@@ -252,8 +262,7 @@
   char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN];
   rsbac_uid_t user;
   int i,j;
-  struct passwd * user_info_p;
-  FILE * listfile;
+  FILE * listfile = NULL;
   char * filelistname = NULL;
 
   locale_init();
=== main/tools/src/attr_get_fd.c
==================================================================
--- main/tools/src/attr_get_fd.c	(revision 2369)
+++ main/tools/src/attr_get_fd.c	(local)
@@ -1,9 +1,9 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 06/Nov/2006                        */
+/* Last modified: 26/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
@@ -15,6 +15,7 @@
 #include <rsbac/types.h>
 #include <rsbac/aci_data_structures.h>
 #include <rsbac/getname.h>
+#include <rsbac/pax_getname.h>
 #include <rsbac/syscalls.h>
 #include <rsbac/error.h>
 #include <rsbac/helpers.h>
@@ -124,6 +125,11 @@
             printf(gettext("%s: Returned value: %s\n"),
                    name, tmp1);
             break;
+          case A_auid_exempt:
+          case A_vset:
+            printf("%s: Returned value: %u\n",
+                   name, value.u_dummy);
+            break;
           default:
             printf(gettext("%s: Returned value: %i\n"),
                    name, value.dummy);
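Review bot: The new `A_auid_exempt`/`A_vset` case passes a bare format string while the neighbouring cases wrap theirs in `gettext()`, so this message will not be translated; `printf(gettext("%s: Returned value: %u\n"), name, value.u_dummy);` would match them. It also prints `auid_exempt` as one raw number, whereas attr_get_process.c in this commit prints the same attribute as `set/num` via `RSBAC_UID_SET`/`RSBAC_UID_NUM`. If the value can carry a virtual set, reading it through `u_dummy` may drop or merge that part; the union layout is not visible here. attr_get_file_dir.c groups the same two attributes under `value.u_dummy` as well, and the switch continues outside this hunk.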
=== main/tools/src/attr_get_file_dir.c
==================================================================
--- main/tools/src/attr_get_file_dir.c	(revision 2369)
+++ main/tools/src/attr_get_file_dir.c	(local)
@@ -1,19 +1,22 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 06/Nov/2006                        */
+/* Last modified: 26/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <rsbac/types.h>
 #include <rsbac/aci_data_structures.h>
 #include <rsbac/getname.h>
 #include <rsbac/cap_getname.h>
+#include <rsbac/res_getname.h>
+#include <rsbac/pax_getname.h>
 #include <rsbac/syscalls.h>
 #include <rsbac/error.h>
 #include <rsbac/helpers.h>
@@ -49,7 +52,7 @@
   char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN];
   int j;
   union rsbac_attribute_value_t value,value2;
-  enum rsbac_switch_target_t module;
+  enum rsbac_switch_target_t module = SW_NONE;
   enum rsbac_target_t target;
   enum rsbac_attribute_t attr;
   enum rsbac_adf_request_t request;
@@ -99,7 +102,6 @@
                 break;
               case 'n':
                 {
-                  char tmp[RSBAC_MAXNAMELEN];
                   int i;
                   rsbac_request_vector_t rvector = -1;
 
@@ -355,6 +357,7 @@
               printf("%s\n", tmp1);
               break;
             case A_auid_exempt:
+            case A_vset:
               printf("%u\n",value.u_dummy);
               break;
             default:
=== main/tools/src/attr_get_group.c
==================================================================
--- main/tools/src/attr_get_group.c	(revision 2369)
+++ main/tools/src/attr_get_group.c	(local)
@@ -1,13 +1,14 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2005: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 08/Jul/2005                        */
+/* Last modified: 26/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 #include <sys/types.h>
 #include <pwd.h>
 #include <grp.h>
@@ -39,10 +40,9 @@
 {
   int attr_list[RSBAC_GROUP_NR_ATTRIBUTES] = RSBAC_GROUP_ATTR_LIST;
   int res = 0;
-  u_int position;
   char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN];
   int j;
-  enum rsbac_switch_target_t module;
+  enum rsbac_switch_target_t module = SW_NONE;
   union rsbac_attribute_value_t value;
   union rsbac_target_id_t tid;
   enum rsbac_attribute_t attr;
@@ -52,7 +52,6 @@
   int bothr = 0;
   int printall = 0;
   int scripting = 0;
-  rsbac_boolean_t use_ori = FALSE;
   rsbac_list_ta_number_t ta_number = 0;
 
   progname = argv[0];
@@ -144,7 +143,10 @@
                                 progname, argv[2]);
                         exit(1);
                       }
-                    printf("%u\n", gid);
+                    if (RSBAC_GID_SET(gid))
+                      printf("%u/%u\n", RSBAC_GID_SET(gid), RSBAC_GID_NUM(gid));
+                    else
+                      printf("%u\n", RSBAC_GID_NUM(gid));
                     exit(0);
                   }
                 else
@@ -217,7 +219,10 @@
           }
         if(!strcmp("group_nr",argv[2]))
           {
-            printf("%i\n", tid.group);
+            if (RSBAC_GID_SET(tid.group))
+              printf("%u/%u\n", RSBAC_GID_SET(tid.group), RSBAC_GID_NUM(tid.group));
+            else
+              printf("%u\n", RSBAC_GID_NUM(tid.group));
             exit(0);
           }
         if(!strcmp("group_name",argv[2]))
=== main/tools/src/attr_get_ipc.c
==================================================================
--- main/tools/src/attr_get_ipc.c	(revision 2369)
+++ main/tools/src/attr_get_ipc.c	(local)
@@ -1,13 +1,14 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2005: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 20/Dec/2005                        */
+/* Last modified: 26/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 #include <rsbac/types.h>
 #include <rsbac/aci_data_structures.h>
 #include <rsbac/getname.h>
@@ -51,13 +52,11 @@
   u_int position;
   int i;
   char tmp2[RSBAC_MAXNAMELEN];
-  enum rsbac_switch_target_t module;
+  enum rsbac_switch_target_t module = SW_NONE;
   union rsbac_attribute_value_t value;
   union rsbac_target_id_t tid;
   enum rsbac_ipc_type_t ipc_target;
   enum rsbac_attribute_t attr;
-  rsbac_pid_t pid;
-  int    sid;
   rsbac_list_ta_number_t ta_number = 0;
 
   progname = argv[0];
@@ -99,7 +98,7 @@
                       qsort(id_array, count, sizeof(*id_array), rsbac_user_compare);
                       for(i=0; i < count ; i++)
                         {
-                          printf("%s %u\n",
+                          printf("%s %lu\n",
 				get_ipc_target_name(tmp, id_array[i].type),
 				id_array[i].id.id_nr);
                         }
=== main/tools/src/attr_get_net.c
==================================================================
--- main/tools/src/attr_get_net.c	(revision 2369)
+++ main/tools/src/attr_get_net.c	(local)
@@ -1,9 +1,9 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 19/Jul/2006                        */
+/* Last modified: 26/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
@@ -56,7 +56,6 @@
   {
     int res = 0;
     char tmp1[120];
-    char tmp2[256];
     union rsbac_target_id_t tid;
 
     switch(target)
@@ -104,10 +103,10 @@
             if(request <= RSBAC_MAC_MAX_CAT)
               if(verbose)
                 printf(gettext("%s: Returned value: %u\n"),
-                       name, (value.mac_categories & RSBAC_MAC_CAT_VECTOR(request)) >> request);
+                       name, (u_int) (value.mac_categories & RSBAC_MAC_CAT_VECTOR(request)) >> request);
               else
                 printf("%u\n",
-                       (value.mac_categories & RSBAC_MAC_CAT_VECTOR(request)) >> request);
+                       (u_int) (value.mac_categories & RSBAC_MAC_CAT_VECTOR(request)) >> request);
             else
               if(verbose)
                 printf(gettext("%s: Returned value: %s\n"),
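Review bot: In both changed `printf` arguments the `(u_int)` cast applies to the masked value before the `>> request`, because a cast binds tighter than a shift. The width of `mac_categories` is not visible here, though the guard `request <= RSBAC_MAC_MAX_CAT` suggests a category vector. If it is wider than `u_int`, bits above the `u_int` width are discarded before the shift, and a shift count at or beyond that width is undefined. Parenthesising the shift first keeps the intended 0/1 result: `(u_int) ((value.mac_categories & RSBAC_MAC_CAT_VECTOR(request)) >> request)`. The enclosing if/else chain starts and ends outside the hunk.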
@@ -261,7 +260,7 @@
                     error_exit(-ENOMEM);
                   count = rsbac_net_list_all_netdev(ta_number, netdev_array, count);
                   if(verbose)
-                    printf("%u entries:\n", count);
+                    printf("%li entries:\n", count);
                   for(i = 0; i< count ; i++)
                     printf("%s\n", netdev_array[i]);
                   free(netdev_array);
=== main/tools/src/attr_get_process.c
==================================================================
--- main/tools/src/attr_get_process.c	(revision 2369)
+++ main/tools/src/attr_get_process.c	(local)
@@ -1,9 +1,9 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 11/Jul/2006                        */
+/* Last modified: 26/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
@@ -16,6 +16,7 @@
 #include <rsbac/types.h>
 #include <rsbac/aci_data_structures.h>
 #include <rsbac/getname.h>
+#include <rsbac/pax_getname.h>
 #include <rsbac/syscalls.h>
 #include <rsbac/error.h>
 #include <rsbac/helpers.h>
@@ -43,7 +44,7 @@
   int res = 0;
   char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN];
   int j, position;
-  enum rsbac_switch_target_t module;
+  enum rsbac_switch_target_t module = SW_NONE;
   union rsbac_attribute_value_t value;
   union rsbac_target_id_t tid;
   enum rsbac_attribute_t attr;
@@ -232,8 +233,16 @@
             case A_audit_uid:
             case A_auid_exempt:
             case A_auth_last_auth:
-              printf("%u\n",value.audit_uid);
+              if (RSBAC_UID_SET(value.audit_uid))
+                printf("%u/%u\n",
+                       RSBAC_UID_SET(value.audit_uid),
+                       RSBAC_UID_NUM(value.audit_uid));
+              else
+                printf("%u\n", RSBAC_UID_NUM(value.audit_uid));
               break;
+            case A_vset:
+              printf("%u\n",value.u_dummy);
+              break;
 
             default:
               printf("%i\n",value.dummy);
=== main/tools/src/attr_get_up.c
==================================================================
--- main/tools/src/attr_get_up.c	(revision 2369)
+++ main/tools/src/attr_get_up.c	(local)
@@ -1,9 +1,9 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 11/Jul/2006                        */
+/* Last modified: 26/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
@@ -35,10 +35,9 @@
 {
   int res = 0;
   char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN];
-  char *key = (void *) 0;
   int i;
   int id;
-  enum rsbac_switch_target_t module;
+  enum rsbac_switch_target_t module = SW_NONE;
   union rsbac_attribute_value_t value;
   enum rsbac_target_t target;
   union rsbac_target_id_t tid;
@@ -171,8 +170,12 @@
                   fprintf(stderr, gettext("Invalid user %s!\n\n"), argv[i+2]);
                   continue;
                 }
-              printf(gettext("Processing user %s (uid %i), attribute %s (No. %i)\n"),
-                     argv[i+2], tid.user, argv[2], attr);
+              if(RSBAC_UID_SET(tid.user))
+                printf(gettext("Processing user %s (uid %u/%u), attribute %s (No. %i)\n"),
+                       argv[i+2], RSBAC_UID_SET(tid.user), RSBAC_UID_NUM(tid.user), argv[2], attr);
+              else
+                printf(gettext("Processing user %s (uid %u), attribute %s (No. %i)\n"),
+                       argv[i+2], RSBAC_UID_NUM(tid.user), argv[2], attr);
             }
 
           res = rsbac_get_attr(ta_number, module, target, &tid, attr, &value, inherit);
=== main/tools/src/attr_get_user.c
==================================================================
--- main/tools/src/attr_get_user.c	(revision 2369)
+++ main/tools/src/attr_get_user.c	(local)
@@ -1,19 +1,21 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 11/Jul/2006                        */
+/* Last modified: 26/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 #include <sys/types.h>
 #include <pwd.h>
 #include <grp.h>
 #include <rsbac/types.h>
 #include <rsbac/aci_data_structures.h>
 #include <rsbac/getname.h>
+#include <rsbac/res_getname.h>
 #include <rsbac/syscalls.h>
 #include <rsbac/error.h>
 #include <rsbac/helpers.h>
@@ -47,7 +49,7 @@
   u_int position;
   char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN];
   int j;
-  enum rsbac_switch_target_t module;
+  enum rsbac_switch_target_t module = SW_NONE;
   union rsbac_attribute_value_t value;
   union rsbac_target_id_t tid;
   enum rsbac_attribute_t attr;
@@ -57,7 +59,6 @@
   int bothr = 0;
   int printall = 0;
   int scripting = 0;
-  rsbac_boolean_t use_ori = FALSE;
   rsbac_list_ta_number_t ta_number = 0;
 
   progname = argv[0];
@@ -149,7 +150,10 @@
                                 progname, argv[2]);
                         exit(1);
                       }
-                    printf("%u\n", uid);
+                    if (RSBAC_UID_SET(uid))
+                      printf("%u/%u\n", RSBAC_UID_SET(uid), RSBAC_UID_NUM(uid));
+                    else
+                      printf("%u\n", RSBAC_UID_NUM(uid));
                     exit(0);
                   }
                 else
@@ -244,7 +248,10 @@
               }
             if(!strcmp("group_nr",argv[2]))
               {
-                printf("%i\n", tid.group);
+                if (RSBAC_GID_SET(tid.group))
+                  printf("%u/%u\n", RSBAC_GID_SET(tid.group), RSBAC_GID_NUM(tid.group));
+                else
+                  printf("%u\n", RSBAC_GID_NUM(tid.group));
                 exit(0);
               }
             else
@@ -262,7 +269,10 @@
           }
         if(!strcmp("user_nr",argv[2]))
           {
-            printf("%i\n", tid.user);
+            if (RSBAC_UID_SET(tid.user))
+              printf("%u/%u\n", RSBAC_UID_SET(tid.user), RSBAC_UID_NUM(tid.user));
+            else
+              printf("%u\n", RSBAC_UID_NUM(tid.user));
             exit(0);
           }
         if(!strcmp("user_name",argv[2]))
=== main/tools/src/attr_rm_fd.c
==================================================================
--- main/tools/src/attr_rm_fd.c	(revision 2369)
+++ main/tools/src/attr_rm_fd.c	(local)
@@ -1,9 +1,9 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 19/Jul/2006                        */
+/* Last modified: 26/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
@@ -61,7 +61,6 @@
           fprintf(stderr, gettext("%s: error: %s\n"), name, tmp1);
       }
 
-do_recurse:
     if(   !lstat(name,&buf)
        && S_ISDIR(buf.st_mode)
        && recurse)
=== main/tools/src/attr_rm_group.c
==================================================================
--- main/tools/src/attr_rm_group.c	(revision 2369)
+++ main/tools/src/attr_rm_group.c	(local)
@@ -1,9 +1,9 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2005: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 14/Jul/2005                        */
+/* Last modified: 26/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
@@ -88,8 +88,12 @@
               fprintf(stderr, gettext("Invalid Group %s!\n\n"), argv[i]);
               continue;
             }
-          printf(gettext("Processing group %s (gid %i)\n"),
-                 argv[i], tid.group);
+          if (RSBAC_GID_SET(tid.group))
+            printf(gettext("Processing group %s (gid %u/%u)\n"),
+                 argv[i], RSBAC_GID_SET(tid.group), RSBAC_GID_NUM(tid.group));
+          else
+            printf(gettext("Processing group %s (gid %u)\n"),
+                 argv[i], RSBAC_GID_NUM(tid.group));
 
           res = rsbac_remove_target(ta_number, T_GROUP, &tid);
           show_error(res);
=== main/tools/src/attr_rm_user.c
==================================================================
--- main/tools/src/attr_rm_user.c	(revision 2369)
+++ main/tools/src/attr_rm_user.c	(local)
@@ -1,9 +1,9 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2005: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 31/May/2005                        */
+/* Last modified: 26/Sep/2007                        */
 /*************************************************** */
 
 #include <stdio.h>
@@ -88,8 +88,12 @@
               fprintf(stderr, gettext("Invalid User %s!\n\n"), argv[i]);
               continue;
             }
-          printf(gettext("Processing user %s (uid %i)\n"),
-                 argv[i], tid.user);
+          if (RSBAC_UID_SET(tid.user))
+            printf(gettext("Processing user %s (uid %u/%u)\n"),
+                   argv[i], RSBAC_UID_SET(tid.user), RSBAC_UID_NUM(tid.user));
+          else
+            printf(gettext("Processing user %s (uid %u)\n"),
+                   argv[i], RSBAC_UID_NUM(tid.user));
 
           res = rsbac_remove_target(ta_number, T_USER, &tid);
           show_error(res);
=== main/tools/src/attr_set_fd.c
==================================================================
--- main/tools/src/attr_set_fd.c	(revision 2369)
+++ main/tools/src/attr_set_fd.c	(local)
@@ -1,9 +1,9 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /*                                                   */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 19/Jul/2006  