rsbac-admin-1.4.0/0000755000175000017500000000000011133647444013551 5ustar gauvaingauvainrsbac-admin-1.4.0/main/0000755000175000017500000000000011131371037014463 5ustar gauvaingauvainrsbac-admin-1.4.0/main/headers/0000755000175000017500000000000011131371037016076 5ustar gauvaingauvainrsbac-admin-1.4.0/main/headers/README0000644000175000017500000000175411131371037016765 0ustar gauvaingauvainHeaders ------- RSBAC header files thoses are needed for compilation. You can also find them in ``/usr/src/linux/include/rsbac' if you are running a RSBAC kernel. Note that thoses change with each new RSBAC release. -- All RSBAC code is copyrighted by Amon Ott unless stated otherwise, and published under the restrictions of the GNU General Public Licence as to be read in file COPYING in the main directory of the kernel source tree. All statements therein apply fully to all RSBAC sources. RSBAC is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details, available in the file ``COPYING' rsbac-admin-1.4.0/main/headers/Makefile0000644000175000017500000000160411131371037017537 0ustar gauvaingauvain#!/usr/bin/make -f # Licensed under the terms of the GPLv2 # Guillaume Destuynder # # Configuration # INSTALL := install ECHO := $(shell which echo) ifeq ($(ECHO),) ECHO := echo endif DESTDIR := PREFIX := /usr/local DIR_INC := $(PREFIX)/include/rsbac FILES_HDR := $(wildcard rsbac/*.h) # # Nice make. Use make VERBOSE=1 to verbose compilation. 
# ifneq ($(VERBOSE), 1) .SILENT: E = @$(ECHO) -e " " else E = @: endif # # Targets # all: install clean: distclean: clean install: $(FILES_HDR) $(E) "INTO\t\t$(DESTDIR) ($(PREFIX))" $(E) "DIR\t\t $(DESTDIR)/$(DIR_INC)" $(INSTALL) -d $(DESTDIR)/$(DIR_INC) $(foreach f, $(FILES_HDR), $(ECHO) -e " INSTALL\t$(f)"; \ $(INSTALL) -m644 $(f) $(DESTDIR)/$(DIR_INC);) uninstall: $(foreach f, $(FILES_HDR), $(ECHO) -e " UNINSTALL\t$(f)"; \ rm $(DESTDIR)/$(DIR_INC)/$(f);) .PHONY: all install uninstall clean distclean rsbac-admin-1.4.0/main/headers/COPYING0000644000175000017500000004313111131371037017133 0ustar gauvaingauvain GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. 
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. 
The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. 
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. 
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. 
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. 
The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. 
If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License. 
rsbac-admin-1.4.0/main/headers/rsbac/0000755000175000017500000000000011131371037017170 5ustar gauvaingauvainrsbac-admin-1.4.0/main/headers/rsbac/request_groups.h0000644000175000017500000004370111131371037022435 0ustar gauvaingauvain/************************************ */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2008: Amon Ott */ /* Groups of ADF request for */ /* administration */ /* Last modified: 21/Jan/2008 */ /************************************ */ #ifndef __RSBAC_REQUEST_GROUPS_H #define __RSBAC_REQUEST_GROUPS_H #define RSBAC_READ_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_CHDIR) | \ ((rsbac_request_vector_t) 1 << R_CLOSE) | \ ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \ ((rsbac_request_vector_t) 1 << R_READ) | \ ((rsbac_request_vector_t) 1 << R_READ_OPEN) | \ ((rsbac_request_vector_t) 1 << R_SEARCH) | \ ((rsbac_request_vector_t) 1 << R_TERMINATE) | \ ((rsbac_request_vector_t) 1 << R_AUTHENTICATE) \ ) #define RSBAC_WRITE_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_ALTER) | \ ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_GROUP) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_GROUP) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_OWNER) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_OWNER) | \ ((rsbac_request_vector_t) 1 << R_CLONE) | \ ((rsbac_request_vector_t) 1 << R_CREATE) | \ ((rsbac_request_vector_t) 1 << R_DELETE) | \ ((rsbac_request_vector_t) 1 << R_LINK_HARD) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_ACCESS_DATA) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_RENAME) | \ ((rsbac_request_vector_t) 1 << R_SEND_SIGNAL) | \ ((rsbac_request_vector_t) 1 << R_TRACE) | \ ((rsbac_request_vector_t) 1 << R_TRUNCATE) | \ ((rsbac_request_vector_t) 1 
<< R_WRITE) | \ ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) | \ ((rsbac_request_vector_t) 1 << R_IOCTL) | \ ((rsbac_request_vector_t) 1 << R_LOCK) \ ) #define RSBAC_READ_WRITE_REQUEST_VECTOR (\ RSBAC_READ_REQUEST_VECTOR | \ ((rsbac_request_vector_t) 1 << R_ALTER) | \ ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_GROUP) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_GROUP) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_OWNER) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_OWNER) | \ ((rsbac_request_vector_t) 1 << R_CLONE) | \ ((rsbac_request_vector_t) 1 << R_CREATE) | \ ((rsbac_request_vector_t) 1 << R_DELETE) | \ ((rsbac_request_vector_t) 1 << R_LINK_HARD) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_ACCESS_DATA) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \ ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) | \ ((rsbac_request_vector_t) 1 << R_RENAME) | \ ((rsbac_request_vector_t) 1 << R_SEND_SIGNAL) | \ ((rsbac_request_vector_t) 1 << R_TRACE) | \ ((rsbac_request_vector_t) 1 << R_TRUNCATE) | \ ((rsbac_request_vector_t) 1 << R_WRITE) | \ ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) | \ ((rsbac_request_vector_t) 1 << R_BIND) | \ ((rsbac_request_vector_t) 1 << R_LISTEN) | \ ((rsbac_request_vector_t) 1 << R_ACCEPT) | \ ((rsbac_request_vector_t) 1 << R_CONNECT) | \ ((rsbac_request_vector_t) 1 << R_SEND) | \ ((rsbac_request_vector_t) 1 << R_RECEIVE) | \ ((rsbac_request_vector_t) 1 << R_NET_SHUTDOWN) | \ ((rsbac_request_vector_t) 1 << R_IOCTL) | \ ((rsbac_request_vector_t) 1 << R_LOCK) \ ) #define RSBAC_READ_WRITE_OPEN_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) \ ) #define RSBAC_EXECUTE_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_EXECUTE) | \ ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \ ) #define 
RSBAC_SYSTEM_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_ADD_TO_KERNEL) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \ ((rsbac_request_vector_t) 1 << R_MOUNT) | \ ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_REMOVE_FROM_KERNEL) | \ ((rsbac_request_vector_t) 1 << R_SHUTDOWN) | \ ((rsbac_request_vector_t) 1 << R_UMOUNT) \ ) #define RSBAC_SECURITY_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) | \ ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) \ ) #define RSBAC_FD_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_ADD_TO_KERNEL) | \ ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \ ((rsbac_request_vector_t) 1 << R_CHDIR) | \ ((rsbac_request_vector_t) 1 << R_CLOSE) | \ ((rsbac_request_vector_t) 1 << R_CREATE) | \ ((rsbac_request_vector_t) 1 << R_DELETE) | \ ((rsbac_request_vector_t) 1 << R_EXECUTE) | \ ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \ ((rsbac_request_vector_t) 1 << R_LINK_HARD) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_ACCESS_DATA) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_MOUNT) | \ ((rsbac_request_vector_t) 1 << R_READ) | \ ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_READ_OPEN) | \ ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) | \ ((rsbac_request_vector_t) 1 << R_REMOVE_FROM_KERNEL) | \ ((rsbac_request_vector_t) 1 << R_RENAME) | \ ((rsbac_request_vector_t) 1 << R_SEARCH) | \ ((rsbac_request_vector_t) 1 << R_TRUNCATE) | \ ((rsbac_request_vector_t) 1 << R_UMOUNT) | \ ((rsbac_request_vector_t) 1 << R_WRITE) | \ ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) | \ ((rsbac_request_vector_t) 1 << R_MAP_EXEC) 
| \ ((rsbac_request_vector_t) 1 << R_LISTEN) | \ ((rsbac_request_vector_t) 1 << R_ACCEPT) | \ ((rsbac_request_vector_t) 1 << R_CONNECT) | \ ((rsbac_request_vector_t) 1 << R_SEND) | \ ((rsbac_request_vector_t) 1 << R_RECEIVE) | \ ((rsbac_request_vector_t) 1 << R_NET_SHUTDOWN) | \ ((rsbac_request_vector_t) 1 << R_IOCTL) | \ ((rsbac_request_vector_t) 1 << R_LOCK) \ ) #define RSBAC_DEV_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_ADD_TO_KERNEL) | \ ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \ ((rsbac_request_vector_t) 1 << R_CLOSE) | \ ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \ ((rsbac_request_vector_t) 1 << R_MOUNT) | \ ((rsbac_request_vector_t) 1 << R_READ) | \ ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_READ_OPEN) | \ ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) | \ ((rsbac_request_vector_t) 1 << R_REMOVE_FROM_KERNEL) | \ ((rsbac_request_vector_t) 1 << R_UMOUNT) | \ ((rsbac_request_vector_t) 1 << R_WRITE) | \ ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) | \ ((rsbac_request_vector_t) 1 << R_SEND) | \ ((rsbac_request_vector_t) 1 << R_IOCTL) \ ) #define RSBAC_IPC_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_ALTER) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \ ((rsbac_request_vector_t) 1 << R_CLOSE) | \ ((rsbac_request_vector_t) 1 << R_CREATE) | \ ((rsbac_request_vector_t) 1 << R_DELETE) | \ ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \ ((rsbac_request_vector_t) 1 << 
R_READ) | \ ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_READ_OPEN) | \ ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) | \ ((rsbac_request_vector_t) 1 << R_WRITE) | \ ((rsbac_request_vector_t) 1 << R_NET_SHUTDOWN) | \ ((rsbac_request_vector_t) 1 << R_LISTEN) | \ ((rsbac_request_vector_t) 1 << R_ACCEPT) | \ ((rsbac_request_vector_t) 1 << R_CONNECT) | \ ((rsbac_request_vector_t) 1 << R_SEND) | \ ((rsbac_request_vector_t) 1 << R_RECEIVE) | \ ((rsbac_request_vector_t) 1 << R_IOCTL) | \ ((rsbac_request_vector_t) 1 << R_LOCK) \ ) #define RSBAC_SCD_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \ ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_WRITE) \ ) #define RSBAC_USER_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \ ((rsbac_request_vector_t) 1 << R_CREATE) | \ ((rsbac_request_vector_t) 1 << R_DELETE) | \ ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_READ) | \ ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_RENAME) | \ ((rsbac_request_vector_t) 1 << R_SEARCH) | \ ((rsbac_request_vector_t) 1 << R_WRITE) | \ ((rsbac_request_vector_t) 1 << R_AUTHENTICATE) \ ) #define RSBAC_GROUP_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_CREATE) | \ ((rsbac_request_vector_t) 1 << R_DELETE) | \ ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \ 
((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_READ) | \ ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_RENAME) | \ ((rsbac_request_vector_t) 1 << R_SEARCH) | \ ((rsbac_request_vector_t) 1 << R_WRITE) \ ) #define RSBAC_PROCESS_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_GROUP) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_GROUP) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_OWNER) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_OWNER) | \ ((rsbac_request_vector_t) 1 << R_CLONE) | \ ((rsbac_request_vector_t) 1 << R_CREATE) | \ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \ ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_SEND_SIGNAL) | \ ((rsbac_request_vector_t) 1 << R_TERMINATE) | \ ((rsbac_request_vector_t) 1 << R_TRACE) \ ) #define RSBAC_NETDEV_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \ ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_BIND) \ ) #define RSBAC_NETTEMP_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_CREATE) | \ ((rsbac_request_vector_t) 1 << R_DELETE) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_READ) | \ ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_WRITE) \ ) #define RSBAC_NETOBJ_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_CLOSE) | \ ((rsbac_request_vector_t) 1 << R_CREATE) | \ ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \ 
((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \ ((rsbac_request_vector_t) 1 << R_READ) | \ ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_NET_SHUTDOWN) | \ ((rsbac_request_vector_t) 1 << R_WRITE) | \ ((rsbac_request_vector_t) 1 << R_BIND) | \ ((rsbac_request_vector_t) 1 << R_LISTEN) | \ ((rsbac_request_vector_t) 1 << R_ACCEPT) | \ ((rsbac_request_vector_t) 1 << R_CONNECT) | \ ((rsbac_request_vector_t) 1 << R_SEND) | \ ((rsbac_request_vector_t) 1 << R_RECEIVE) | \ ((rsbac_request_vector_t) 1 << R_IOCTL) \ ) #define RSBAC_NONE_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_ADD_TO_KERNEL) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_REMOVE_FROM_KERNEL) | \ ((rsbac_request_vector_t) 1 << R_SHUTDOWN) | \ ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) | \ ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) | \ ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \ ) #define RSBAC_ALL_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_ADD_TO_KERNEL) | \ ((rsbac_request_vector_t) 1 << R_ALTER) | \ ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_GROUP) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_GROUP) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_OWNER) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_OWNER) | \ ((rsbac_request_vector_t) 1 << R_CHDIR) | \ ((rsbac_request_vector_t) 1 << R_CLONE) | \ ((rsbac_request_vector_t) 1 << R_CLOSE) | \ ((rsbac_request_vector_t) 1 << R_CREATE) | \ 
((rsbac_request_vector_t) 1 << R_DELETE) | \ ((rsbac_request_vector_t) 1 << R_EXECUTE) | \ ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \ ((rsbac_request_vector_t) 1 << R_LINK_HARD) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_ACCESS_DATA) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \ ((rsbac_request_vector_t) 1 << R_MOUNT) | \ ((rsbac_request_vector_t) 1 << R_READ) | \ ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \ ((rsbac_request_vector_t) 1 << R_READ_OPEN) | \ ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) | \ ((rsbac_request_vector_t) 1 << R_REMOVE_FROM_KERNEL) | \ ((rsbac_request_vector_t) 1 << R_RENAME) | \ ((rsbac_request_vector_t) 1 << R_SEARCH) | \ ((rsbac_request_vector_t) 1 << R_SEND_SIGNAL) | \ ((rsbac_request_vector_t) 1 << R_SHUTDOWN) | \ ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) | \ ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) | \ ((rsbac_request_vector_t) 1 << R_TERMINATE) | \ ((rsbac_request_vector_t) 1 << R_TRACE) | \ ((rsbac_request_vector_t) 1 << R_TRUNCATE) | \ ((rsbac_request_vector_t) 1 << R_UMOUNT) | \ ((rsbac_request_vector_t) 1 << R_WRITE) | \ ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) | \ ((rsbac_request_vector_t) 1 << R_MAP_EXEC) | \ ((rsbac_request_vector_t) 1 << R_BIND) | \ ((rsbac_request_vector_t) 1 << R_LISTEN) | \ ((rsbac_request_vector_t) 1 << R_ACCEPT) | \ ((rsbac_request_vector_t) 1 << R_CONNECT) | \ ((rsbac_request_vector_t) 1 << R_SEND) | \ ((rsbac_request_vector_t) 1 << R_RECEIVE) | \ ((rsbac_request_vector_t) 1 << R_NET_SHUTDOWN) | \ ((rsbac_request_vector_t) 1 << R_IOCTL) | \ ((rsbac_request_vector_t) 1 << R_LOCK) \ ) /* NW specials */ /* NWS == RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR in ACL types */ #define RSBAC_NWR_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_CLOSE) | \ ((rsbac_request_vector_t) 1 << R_EXECUTE) 
| \ ((rsbac_request_vector_t) 1 << R_READ_OPEN) \ ) #define RSBAC_NWW_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_ALTER) | \ ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_GROUP) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_GROUP) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_OWNER) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_OWNER) | \ ((rsbac_request_vector_t) 1 << R_CLOSE) | \ ((rsbac_request_vector_t) 1 << R_TRUNCATE) | \ ((rsbac_request_vector_t) 1 << R_WRITE) | \ ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) \ ) #define RSBAC_NWC_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_CLOSE) | \ ((rsbac_request_vector_t) 1 << R_CREATE) \ ) #define RSBAC_NWE_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_DELETE) \ ) /* NWA == RSBAC_ACL_ACCESS_CONTROL_RIGHT_VECTOR in ACL types */ #define RSBAC_NWF_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_CHDIR) | \ ((rsbac_request_vector_t) 1 << R_CLOSE) | \ ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \ ((rsbac_request_vector_t) 1 << R_READ) | \ ((rsbac_request_vector_t) 1 << R_SEARCH) \ ) #define RSBAC_NWM_REQUEST_VECTOR (\ ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_GROUP) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_GROUP) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_OWNER) | \ ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_OWNER) | \ ((rsbac_request_vector_t) 1 << R_LINK_HARD) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_ACCESS_DATA) | \ ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \ ((rsbac_request_vector_t) 1 << R_RENAME) \ ) #endif rsbac-admin-1.4.0/main/headers/rsbac/repl_lists.h0000644000175000017500000000115611131371037021524 0ustar 
gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2005: Amon Ott */ /* Generic lists - internal structures */ /* Last modified: 04/Apr/2005 */ /*************************************************** */ #ifndef __RSBAC_REPL_LISTS_H #define __RSBAC_REPL_LISTS_H #include #define RSBAC_LIST_REPL_PROC_NAME "repl_lists" #define RSBAC_LIST_REPL_PARTNER_VERSION 1 #define RSBAC_LIST_REPL_PARTNER_KEY 0x3632f7ae #define RSBAC_LIST_REPL_PARTNER_FILENAME "replpar" #endif rsbac-admin-1.4.0/main/headers/rsbac/rc_data_structures.h0000644000175000017500000003037511131371037023251 0ustar gauvaingauvain/*********************************/ /* Rule Set Based Access Control */ /* Author and (c) 1999-2005: */ /* Amon Ott */ /* Data structures for Role */ /* Compatibility module */ /* Last modified: 21/Dec/2005 */ /*********************************/ #ifndef __RSBAC_RC_DATA_STRUC_H #define __RSBAC_RC_DATA_STRUC_H #ifdef __KERNEL__ /* only include in kernel code */ #include #include #endif /* __KERNEL__ */ /* First of all we define dirname and filenames for saving the roles to disk. */ /* The path must be a valid single dir name! Each mounted device gets its */ /* own file set, residing in 'DEVICE_ROOT/RSBAC_ACI_PATH/'. */ /* All user access to these files will be denied. */ /* Backups are kept in FILENAMEb. */ #ifdef __KERNEL__ #define RSBAC_RC_LIST_KEY 77788855 #define RSBAC_RC_NR_ROLE_LISTS 4 #define RSBAC_RC_NR_TYPE_LISTS 4 /* roles */ #define RSBAC_RC_ROLE_FILENAME "rc_r" /* roles we are compatible with ( = we can change to) */ #define RSBAC_RC_ROLE_RC_FILENAME "rc_rc" /* roles we may administrate (replaces admin_type) */ #define RSBAC_RC_ROLE_ADR_FILENAME "rc_adr" /* roles we may read and assign to users, if they were in one of these before. 
*/ #define RSBAC_RC_ROLE_ASR_FILENAME "rc_asr" /* file/dir/fifo/symlink types for new items, by parent efftype */ /* If not found, use old global value def_fd_create_type */ #define RSBAC_RC_ROLE_DFDC_FILENAME "rc_dfdc" /* file/dir/fifo/symlink types and requests we are compatible with */ #define RSBAC_RC_ROLE_TCFD_FILENAME "rc_tcfd" /* dev types and requests we are compatible with */ #define RSBAC_RC_ROLE_TCDV_FILENAME "rc_tcdv" /* user types and requests we are compatible with */ #define RSBAC_RC_ROLE_TCUS_FILENAME "rc_tcus" /* process types and requests we are compatible with */ #define RSBAC_RC_ROLE_TCPR_FILENAME "rc_tcpr" /* IPC types and requests we are compatible with */ #define RSBAC_RC_ROLE_TCIP_FILENAME "rc_tcip" /* SCD types and requests we are compatible with */ #define RSBAC_RC_ROLE_TCSC_FILENAME "rc_tcsc" /* group types and requests we are compatible with */ #define RSBAC_RC_ROLE_TCGR_FILENAME "rc_tcgr" /* NETDEV types and requests we are compatible with */ #define RSBAC_RC_ROLE_TCND_FILENAME "rc_tcnd" /* NETTEMP types and requests we are compatible with */ #define RSBAC_RC_ROLE_TCNT_FILENAME "rc_tcnt" /* NETOBJ types and requests we are compatible with */ #define RSBAC_RC_ROLE_TCNO_FILENAME "rc_tcno" #define RSBAC_RC_ROLE_LIST_VERSION 5 #define RSBAC_RC_ROLE_OLD_LIST_VERSION 4 #define RSBAC_RC_ROLE_OLD_OLD_LIST_VERSION 3 #define RSBAC_RC_ROLE_OLD_OLD_OLD_LIST_VERSION 2 #define RSBAC_RC_ROLE_OLD_OLD_OLD_OLD_LIST_VERSION 1 #define RSBAC_RC_ROLE_RC_LIST_VERSION 1 #define RSBAC_RC_ROLE_ADR_LIST_VERSION 1 #define RSBAC_RC_ROLE_ASR_LIST_VERSION 1 #define RSBAC_RC_ROLE_DFDC_LIST_VERSION 1 #define RSBAC_RC_ROLE_TCFD_LIST_VERSION 2 #define RSBAC_RC_ROLE_TCDV_LIST_VERSION 2 #define RSBAC_RC_ROLE_TCUS_LIST_VERSION 2 #define RSBAC_RC_ROLE_TCPR_LIST_VERSION 2 #define RSBAC_RC_ROLE_TCIP_LIST_VERSION 2 #define RSBAC_RC_ROLE_TCSC_LIST_VERSION 2 #define RSBAC_RC_ROLE_TCGR_LIST_VERSION 2 #define RSBAC_RC_ROLE_TCND_LIST_VERSION 2 #define RSBAC_RC_ROLE_TCNT_LIST_VERSION 
2 #define RSBAC_RC_ROLE_TCNO_LIST_VERSION 2 #define RSBAC_RC_ROLE_TCFD_OLD_LIST_VERSION 1 #define RSBAC_RC_ROLE_TCDV_OLD_LIST_VERSION 1 #define RSBAC_RC_ROLE_TCUS_OLD_LIST_VERSION 1 #define RSBAC_RC_ROLE_TCPR_OLD_LIST_VERSION 1 #define RSBAC_RC_ROLE_TCIP_OLD_LIST_VERSION 1 #define RSBAC_RC_ROLE_TCSC_OLD_LIST_VERSION 1 #define RSBAC_RC_ROLE_TCGR_OLD_LIST_VERSION 1 #define RSBAC_RC_ROLE_TCND_OLD_LIST_VERSION 1 #define RSBAC_RC_ROLE_TCNT_OLD_LIST_VERSION 1 #define RSBAC_RC_ROLE_TCNO_OLD_LIST_VERSION 1 #define RSBAC_RC_TYPE_FD_FILENAME "rc_tfd" #define RSBAC_RC_TYPE_DEV_FILENAME "rc_tdv" #define RSBAC_RC_TYPE_IPC_FILENAME "rc_tip" #define RSBAC_RC_TYPE_USER_FILENAME "rc_tus" #define RSBAC_RC_TYPE_PROCESS_FILENAME "rc_tpr" #define RSBAC_RC_TYPE_GROUP_FILENAME "rc_tgr" #define RSBAC_RC_TYPE_NETDEV_FILENAME "rc_tnd" #define RSBAC_RC_TYPE_NETTEMP_FILENAME "rc_tnt" #define RSBAC_RC_TYPE_NETOBJ_FILENAME "rc_tno" #define RSBAC_RC_TYPE_FD_LIST_VERSION 1 #define RSBAC_RC_TYPE_DEV_LIST_VERSION 1 #define RSBAC_RC_TYPE_IPC_LIST_VERSION 1 #define RSBAC_RC_TYPE_USER_LIST_VERSION 1 #define RSBAC_RC_TYPE_PROCESS_LIST_VERSION 1 #define RSBAC_RC_TYPE_GROUP_LIST_VERSION 1 #define RSBAC_RC_TYPE_NETDEV_LIST_VERSION 1 #define RSBAC_RC_TYPE_NETTEMP_LIST_VERSION 1 #define RSBAC_RC_TYPE_NETOBJ_LIST_VERSION 1 #endif /* __KERNEL__ */ /* * The following structures provide the role model data structures. * All RSBAC_RC_NR_ROLES roles and RSBAC_RC_NR_TYPES x target-no. types * and SCD-type definitions are kept in arrays and saved to disk as such. */ /*************************************** * Roles * ***************************************/ /* Caution: whenever role struct changes, version and old_version must be increased! */ struct rsbac_rc_role_entry_t { rsbac_enum_t admin_type; /* role admin: none, system or role admin? 
*/ char name[RSBAC_RC_NAME_LEN]; rsbac_rc_type_id_t def_fd_create_type; rsbac_rc_type_id_t def_user_create_type; rsbac_rc_type_id_t def_process_create_type; rsbac_rc_type_id_t def_process_chown_type; rsbac_rc_type_id_t def_process_execute_type; rsbac_rc_type_id_t def_ipc_create_type; rsbac_rc_type_id_t def_group_create_type; rsbac_rc_type_id_t def_unixsock_create_type; rsbac_enum_t boot_role; rsbac_enum_t req_reauth; }; struct rsbac_rc_old_role_entry_t { rsbac_enum_t admin_type; /* role admin: none, system or role admin? */ char name[RSBAC_RC_NAME_LEN]; rsbac_rc_type_id_t def_fd_create_type; rsbac_rc_type_id_t def_user_create_type; rsbac_rc_type_id_t def_process_create_type; rsbac_rc_type_id_t def_process_chown_type; rsbac_rc_type_id_t def_process_execute_type; rsbac_rc_type_id_t def_ipc_create_type; rsbac_rc_type_id_t def_group_create_type; rsbac_enum_t boot_role; rsbac_enum_t req_reauth; }; struct rsbac_rc_old_old_role_entry_t { rsbac_enum_t admin_type; /* role admin: none, system or role admin? */ char name[RSBAC_RC_NAME_LEN]; rsbac_rc_type_id_t def_fd_create_type; rsbac_rc_type_id_t def_user_create_type; rsbac_rc_type_id_t def_process_create_type; rsbac_rc_type_id_t def_process_chown_type; rsbac_rc_type_id_t def_process_execute_type; rsbac_rc_type_id_t def_ipc_create_type; rsbac_rc_type_id_t def_group_create_type; rsbac_enum_t boot_role; }; struct rsbac_rc_old_old_old_role_entry_t { rsbac_enum_t admin_type; /* role admin: none, system or role admin? */ char name[RSBAC_RC_NAME_LEN]; rsbac_rc_type_id_t def_fd_create_type; rsbac_rc_type_id_t def_user_create_type; rsbac_rc_type_id_t def_process_create_type; rsbac_rc_type_id_t def_process_chown_type; rsbac_rc_type_id_t def_process_execute_type; rsbac_rc_type_id_t def_ipc_create_type; rsbac_enum_t boot_role; }; struct rsbac_rc_old_old_old_old_role_entry_t { rsbac_enum_t admin_type; /* role admin: none, system or role admin? 
*/ char name[RSBAC_RC_NAME_LEN]; rsbac_rc_type_id_t def_fd_create_type; rsbac_rc_type_id_t def_process_create_type; rsbac_rc_type_id_t def_process_chown_type; rsbac_rc_type_id_t def_process_execute_type; rsbac_rc_type_id_t def_ipc_create_type; }; #define RSBAC_RC_NR_ROLE_ENTRY_ITEMS 25 #define RSBAC_RC_ROLE_ENTRY_ITEM_LIST { \ RI_role_comp, \ RI_admin_roles, \ RI_assign_roles, \ RI_type_comp_fd, \ RI_type_comp_dev, \ RI_type_comp_user, \ RI_type_comp_process, \ RI_type_comp_ipc, \ RI_type_comp_scd, \ RI_type_comp_group, \ RI_type_comp_netdev, \ RI_type_comp_nettemp, \ RI_type_comp_netobj, \ RI_admin_type, \ RI_name, \ RI_def_fd_create_type, \ RI_def_fd_ind_create_type, \ RI_def_user_create_type, \ RI_def_process_create_type, \ RI_def_process_chown_type, \ RI_def_process_execute_type, \ RI_def_ipc_create_type, \ RI_def_group_create_type, \ RI_boot_role, \ RI_req_reauth \ } /*************************************** * Type names * ***************************************/ /* Caution: whenever role struct changes, version and old_version must be increased! 
*/ /* #define RSBAC_RC_OLD_TYPE_VERSION 1 */ #define RSBAC_RC_TYPE_VERSION 1 struct rsbac_rc_type_fd_entry_t { char name[RSBAC_RC_NAME_LEN]; __u8 need_secdel; /* rsbac_boolean_t */ }; #define RSBAC_RC_NR_TYPE_ENTRY_ITEMS 10 #define RSBAC_RC_TYPE_ENTRY_ITEM_LIST { \ RI_type_fd_name, \ RI_type_dev_name, \ RI_type_ipc_name, \ RI_type_scd_name, \ RI_type_process_name, \ RI_type_group_name, \ RI_type_netdev_name, \ RI_type_nettemp_name, \ RI_type_netobj_name, \ RI_type_fd_need_secdel \ } /**********************************************/ /* Default values */ /**********************************************/ #define RSBAC_RC_GENERAL_ROLE_ENTRY \ { \ .admin_type = RC_no_admin, \ .name = "General User", \ .def_fd_create_type = RC_type_inherit_parent, \ .def_user_create_type = RSBAC_RC_GENERAL_TYPE, \ .def_process_create_type = RC_type_inherit_parent, \ .def_process_chown_type = RC_type_use_new_role_def_create, \ .def_process_execute_type = RC_type_inherit_parent, \ .def_ipc_create_type = RSBAC_RC_GENERAL_TYPE, \ .def_group_create_type = RSBAC_RC_GENERAL_TYPE, \ .def_unixsock_create_type = RC_type_use_fd, \ .boot_role = FALSE, \ .req_reauth = FALSE, \ } #define RSBAC_RC_ROLE_ADMIN_ROLE_ENTRY \ { \ .admin_type = RC_role_admin, \ .name = "Role Admin", \ .def_fd_create_type = RC_type_inherit_parent, \ .def_user_create_type = RSBAC_RC_GENERAL_TYPE, \ .def_process_create_type = RC_type_inherit_parent, \ .def_process_chown_type = RC_type_use_new_role_def_create, \ .def_process_execute_type = RC_type_inherit_parent, \ .def_ipc_create_type = RSBAC_RC_GENERAL_TYPE, \ .def_group_create_type = RSBAC_RC_GENERAL_TYPE, \ .def_unixsock_create_type = RC_type_use_fd, \ .boot_role = FALSE, \ .req_reauth = FALSE, \ } #define RSBAC_RC_SYSTEM_ADMIN_ROLE_ENTRY \ { \ .admin_type = RC_system_admin, \ .name = "System Admin", \ .def_fd_create_type = RC_type_inherit_parent, \ .def_user_create_type = RSBAC_RC_GENERAL_TYPE, \ .def_process_create_type = RC_type_inherit_parent, \ .def_process_chown_type = 
RC_type_use_new_role_def_create, \ .def_process_execute_type = RC_type_inherit_parent, \ .def_ipc_create_type = RSBAC_RC_GENERAL_TYPE, \ .def_group_create_type = RSBAC_RC_GENERAL_TYPE, \ .def_unixsock_create_type = RC_type_use_fd, \ .boot_role = FALSE, \ .req_reauth = FALSE, \ } #define RSBAC_RC_BOOT_ROLE_ENTRY \ { \ .admin_type = RC_no_admin, \ .name = "System Boot", \ .def_fd_create_type = RC_type_inherit_parent, \ .def_user_create_type = RSBAC_RC_GENERAL_TYPE, \ .def_process_create_type = RC_type_inherit_parent, \ .def_process_chown_type = RC_type_use_new_role_def_create, \ .def_process_execute_type = RC_type_inherit_parent, \ .def_ipc_create_type = RSBAC_RC_GENERAL_TYPE, \ .def_group_create_type = RSBAC_RC_GENERAL_TYPE, \ .def_unixsock_create_type = RC_type_use_fd, \ .boot_role = TRUE, \ .req_reauth = FALSE, \ } #define RSBAC_RC_AUDITOR_ROLE_ENTRY \ { \ .admin_type = RC_no_admin, \ .name = "Auditor", \ .def_fd_create_type = RC_type_inherit_parent, \ .def_user_create_type = RSBAC_RC_GENERAL_TYPE, \ .def_process_create_type = RC_type_inherit_parent, \ .def_process_chown_type = RC_type_use_new_role_def_create, \ .def_process_execute_type = RC_type_inherit_parent, \ .def_ipc_create_type = RSBAC_RC_GENERAL_TYPE, \ .def_group_create_type = RSBAC_RC_GENERAL_TYPE, \ .def_unixsock_create_type = RC_type_use_fd, \ .boot_role = FALSE, \ .req_reauth = FALSE, \ } /**********************************************/ /* Declarations */ /**********************************************/ #ifdef __KERNEL__ #endif /* __KERNEL__ */ #endif /* __RSBAC_RC_DATA_STRUC_H */ rsbac-admin-1.4.0/main/headers/rsbac/aci_data_structures.h0000644000175000017500000016151011131371037023375 0ustar gauvaingauvain/**************************************/ /* Rule Set Based Access Control */ /* Author and (c) 1999-2007: Amon Ott */ /* Data structures */ /* Last modified: 17/Sep/2007 */ /**************************************/ #ifndef __RSBAC_DATA_STRUC_H #define __RSBAC_DATA_STRUC_H #ifdef __KERNEL__ /* only 
include in kernel code */ #include #include #include #include #include #include #include #include #include #include #include #include #endif /* __KERNEL__ */ /* First of all we define dirname and filenames for saving the ACIs to disk. */ /* The path must be a valid single dir name! Each mounted device gets its */ /* own file set, residing in 'DEVICE_ROOT/RSBAC_ACI_PATH/'. */ /* The dynamic data structures for PM, RC and ACL are kept in their own files.*/ /* All user access to these files will be denied. */ /* Backups are kept in FILENAMEb. */ #ifdef __KERNEL__ #define RSBAC_LOG_BUF_LEN (16384) #define RSBAC_ACI_PATH "rsbac.dat" #define RSBAC_GEN_FD_NAME "fd_gen" #define RSBAC_GEN_OLD_FD_NAME "fd_gen." #define RSBAC_MAC_FD_NAME "fd_mac" #define RSBAC_MAC_OLD_FD_NAME "fd_mac." #define RSBAC_PM_FD_NAME "fd_pm" #define RSBAC_PM_OLD_FD_NAME "fd_pm." #define RSBAC_DAZ_FD_NAME "fd_dazt" #define RSBAC_DAZ_OLD_FD_NAME "fd_dazt." #define RSBAC_DAZ_SCANNED_FD_NAME "fd_dazs" #define RSBAC_DAZ_SCANNED_OLD_FD_NAME "fd_dazs." #define RSBAC_FF_FD_NAME "fd_ff" #define RSBAC_FF_OLD_FD_NAME "fd_ff." #define RSBAC_RC_FD_NAME "fd_rc" #define RSBAC_RC_OLD_FD_NAME "fd_rc." #define RSBAC_AUTH_FD_NAME "fd_auth" #define RSBAC_AUTH_OLD_FD_NAME "fd_auth." #define RSBAC_CAP_FD_NAME "fd_cap" #define RSBAC_CAP_OLD_FD_NAME "fd_cap." #define RSBAC_PAX_FD_NAME "fd_pax" #define RSBAC_PAX_OLD_FD_NAME "fd_pax." #define RSBAC_RES_FD_NAME "fd_res" #define RSBAC_RES_OLD_FD_NAME "fd_res." 
#define RSBAC_ACI_USER_NAME "useraci"

/* Creation modes for the on-disk attribute store (see the path/filename
 * defines above).  Only the file-type bits are set for directories, and
 * only the owner's read/write bits for regular files: no group/other
 * permission bits at all.  The comment at the top of this section states
 * that all user access to these files is denied; these modes are the
 * plain-DAC part of that. */
/* dir creation mode for discretionary access control: no rights*/
#define RSBAC_ACI_DIR_MODE (S_IFDIR)
/* file creation mode for discretionary access control: rw for user only*/
#define RSBAC_ACI_FILE_MODE (S_IFREG | S_IRUSR | S_IWUSR)

/* minimal mem chunk size available to try write_partial_fd_list, else defer */
#define RSBAC_MIN_WRITE_FD_BUF_LEN 32768
/* max size for write_chunks: (1 << 15) - 1 == 32767, one below the
 * minimum buffer length above */
#define RSBAC_MAX_WRITE_CHUNK ((1 << 15) - 1)

/* Number of on-disk list files each policy module keeps per device
 * (matching the *_FD_NAME defines above). */
#define RSBAC_GEN_NR_FD_LISTS 2
#define RSBAC_MAC_NR_FD_LISTS 4
#define RSBAC_PM_NR_FD_LISTS 2
#define RSBAC_DAZ_NR_FD_LISTS 2
#define RSBAC_DAZ_SCANNED_NR_FD_LISTS 4
#define RSBAC_FF_NR_FD_LISTS 4
#define RSBAC_RC_NR_FD_LISTS 4
#define RSBAC_AUTH_NR_FD_LISTS 2
#define RSBAC_CAP_NR_FD_LISTS 2
#define RSBAC_PAX_NR_FD_LISTS 2
#define RSBAC_RES_NR_FD_LISTS 2

#ifdef CONFIG_RSBAC_INIT_THREAD
/* Check and set init timeout: RSBAC_MAX_INIT_TIME is the configured
 * CONFIG_RSBAC_MAX_INIT_TIME, clamped to a floor of 5 (units are not
 * stated here). */
#if CONFIG_RSBAC_MAX_INIT_TIME >= 5
#define RSBAC_MAX_INIT_TIME CONFIG_RSBAC_MAX_INIT_TIME
#else
#define RSBAC_MAX_INIT_TIME 5
#endif
#endif /* INIT_THREAD */
#endif /* __KERNEL__ */

/* The following structures provide attributes for all possible targets. */
/* The data structures are kept in double linked lists, and are optimized */
/* by hash functions. */
/* Only ATTRIBUTES are saved in those structures, that are saved to disk, */
/* because saving sublists means breaking up the structures for every */
/* single list. */
/* If a list of policy dependent items is to be stored, this is done in */
/* the policy dependent data structures. Here only an ID as a handle is */
/* supported. */

/* OK, first we define the file/dir ACI, holding all file/dir information */
/* the ADF needs for decisions. */
/* Caution: whenever ACI changes, version and old_version should be increased! */
/* (The *_OLD_ACI_VERSION defines and the matching *_old_aci_t structs below */
/* are the previous on-disk layouts kept alongside the current one.) */

// #define CONFIG_RSBAC_FD_CACHE 1
#ifdef CONFIG_RSBAC_FD_CACHE
#define RSBAC_FD_CACHE_NAME "fd_cache."
#define RSBAC_FD_CACHE_VERSION 1 #define RSBAC_FD_CACHE_KEY 3626114 //#define RSBAC_FD_CACHE_TTL 3600 struct rsbac_fd_cache_desc_t { __u32 device; rsbac_inode_nr_t inode; }; #endif #define RSBAC_GEN_FD_ACI_VERSION 8 #define RSBAC_GEN_FD_ACI_KEY 1001 struct rsbac_gen_fd_aci_t { rsbac_log_array_t log_array_low; /* file/dir based logging, */ rsbac_log_array_t log_array_high; /* high and low bits */ rsbac_request_vector_t log_program_based; /* Program based logging */ rsbac_enum_t symlink_add_remote_ip; rsbac_enum_t symlink_add_uid; rsbac_enum_t symlink_add_mac_level; rsbac_enum_t symlink_add_rc_role; rsbac_enum_t linux_dac_disable; rsbac_fake_root_uid_int_t fake_root_uid; rsbac_uid_t auid_exempt; rsbac_um_set_t vset; }; #define DEFAULT_GEN_FD_ACI \ { \ .log_array_low = -1, \ .log_array_high = -1, \ .log_program_based = 0, \ .symlink_add_uid = FALSE, \ .symlink_add_mac_level = FALSE, \ .symlink_add_rc_role = FALSE, \ .linux_dac_disable = LDD_inherit, \ .fake_root_uid = FR_off, \ .auid_exempt = RSBAC_NO_USER, \ .vset = RSBAC_UM_VIRTUAL_KEEP, \ } #define DEFAULT_GEN_ROOT_DIR_ACI \ { \ .log_array_low = -1, \ .log_array_high = -1, \ .log_program_based = 0, \ .symlink_add_uid = FALSE, \ .symlink_add_mac_level = FALSE, \ .symlink_add_rc_role = FALSE, \ .linux_dac_disable = LDD_false, \ .fake_root_uid = FR_off, \ .auid_exempt = RSBAC_NO_USER, \ .vset = RSBAC_UM_VIRTUAL_KEEP, \ } #define RSBAC_GEN_FD_OLD_ACI_VERSION 7 struct rsbac_gen_fd_old_aci_t { rsbac_log_array_t log_array_low; /* file/dir based logging, */ rsbac_log_array_t log_array_high; /* high and low bits */ rsbac_request_vector_t log_program_based; /* Program based logging */ rsbac_enum_t symlink_add_remote_ip; rsbac_enum_t symlink_add_uid; rsbac_enum_t symlink_add_mac_level; rsbac_enum_t symlink_add_rc_role; rsbac_enum_t linux_dac_disable; rsbac_fake_root_uid_int_t fake_root_uid; rsbac_old_uid_t auid_exempt; }; #define RSBAC_GEN_FD_OLD_OLD_ACI_VERSION 6 struct rsbac_gen_fd_old_old_aci_t { rsbac_log_array_t 
log_array_low; /* file/dir based logging, */ rsbac_log_array_t log_array_high; /* high and low bits */ rsbac_request_vector_t log_program_based; /* Program based logging */ rsbac_enum_t symlink_add_uid; rsbac_enum_t symlink_add_mac_level; rsbac_enum_t symlink_add_rc_role; rsbac_enum_t linux_dac_disable; rsbac_fake_root_uid_int_t fake_root_uid; rsbac_old_uid_t auid_exempt; }; #define RSBAC_GEN_FD_OLD_OLD_OLD_ACI_VERSION 5 struct rsbac_gen_fd_old_old_old_aci_t { rsbac_log_array_t log_array_low; /* file/dir based logging, */ rsbac_log_array_t log_array_high; /* high and low bits */ rsbac_request_vector_t log_program_based; /* Program based logging */ rsbac_enum_t symlink_add_uid; rsbac_enum_t symlink_add_mac_level; rsbac_enum_t symlink_add_rc_role; rsbac_enum_t linux_dac_disable; rsbac_fake_root_uid_int_t fake_root_uid; }; #if defined(CONFIG_RSBAC_MAC) #define RSBAC_MAC_FD_ACI_VERSION 5 #define RSBAC_MAC_FD_ACI_KEY 1001 struct rsbac_mac_fd_aci_t { rsbac_security_level_t sec_level; /* MAC */ rsbac_mac_category_vector_t mac_categories; /* MAC category set */ rsbac_mac_auto_int_t mac_auto; /* auto-adjust current level */ rsbac_boolean_int_t mac_prop_trusted; /* Keep trusted flag when executing this file */ rsbac_mac_file_flags_t mac_file_flags; /* allow write_up, read_up etc. to it */ }; #define RSBAC_MAC_FD_OLD_ACI_VERSION 4 struct rsbac_mac_fd_old_aci_t { rsbac_security_level_t sec_level; /* MAC */ rsbac_uid_t mac_trusted_for_user; /* MAC (for FILE only) */ rsbac_mac_category_vector_t mac_categories; /* MAC category set */ rsbac_mac_auto_int_t mac_auto; /* auto-adjust current level */ rsbac_boolean_int_t mac_prop_trusted; /* Keep trusted flag when executing this file */ rsbac_mac_file_flags_t mac_file_flags; /* allow write_up, read_up etc. 
to it */ }; #define RSBAC_MAC_FD_OLD_OLD_ACI_VERSION 3 struct rsbac_mac_fd_old_old_aci_t { rsbac_security_level_t sec_level; /* MAC */ rsbac_uid_t mac_trusted_for_user; /* MAC (for FILE only) */ rsbac_mac_category_vector_t mac_categories; /* MAC category set */ rsbac_mac_auto_int_t mac_auto; /* auto-adjust current level */ rsbac_boolean_int_t mac_prop_trusted; /* Keep trusted flag when executing this file */ rsbac_boolean_int_t mac_shared; /* Shared dir, i.e., allow write_up to it */ }; #define RSBAC_MAC_FD_OLD_OLD_OLD_ACI_VERSION 2 struct rsbac_mac_fd_old_old_old_aci_t { rsbac_security_level_t sec_level; /* MAC */ rsbac_uid_t mac_trusted_for_user; /* MAC (for FILE only) */ rsbac_mac_category_vector_t mac_categories; /* MAC category set */ rsbac_mac_auto_int_t mac_auto; /* auto-adjust current level */ }; #define DEFAULT_MAC_FD_ACI_INH \ { \ .sec_level = SL_inherit, \ .mac_categories = RSBAC_MAC_INHERIT_CAT_VECTOR, \ .mac_auto = MA_inherit, \ .mac_prop_trusted = FALSE, \ .mac_file_flags = 0, \ } #define DEFAULT_MAC_FD_ACI_NO_INH \ { \ .sec_level = SL_unclassified, \ .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \ .mac_auto = MA_yes, \ .mac_prop_trusted = FALSE, \ .mac_file_flags = 0, \ } #ifdef CONFIG_RSBAC_MAC_DEF_INHERIT #define DEFAULT_MAC_FD_ACI DEFAULT_MAC_FD_ACI_INH #else #define DEFAULT_MAC_FD_ACI DEFAULT_MAC_FD_ACI_NO_INH #endif /* MAC_DEF_INHERIT */ #define DEFAULT_MAC_ROOT_DIR_ACI \ { \ .sec_level = SL_unclassified, \ .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \ .mac_auto = MA_yes, \ .mac_prop_trusted = FALSE, \ .mac_file_flags = 0, \ } #endif #if defined(CONFIG_RSBAC_PM) #define RSBAC_PM_FD_ACI_VERSION 1 #define RSBAC_PM_FD_ACI_KEY 1001 struct rsbac_pm_fd_aci_t { rsbac_pm_object_class_id_t pm_object_class; /* PM */ rsbac_pm_tp_id_t pm_tp; /* PM (for FILE only) */ rsbac_pm_object_type_int_t pm_object_type; /* PM (enum rsbac_pm_object_type_t -> __u8) */ }; #define DEFAULT_PM_FD_ACI \ { \ .pm_object_class = 0, \ .pm_tp = 0, \ .pm_object_type = PO_none, \ } 
#endif

/*
 * DAZ module: file/dir attributes.
 * The current layout (version 2) adds daz_do_scan to the version-1 layout,
 * which is kept as rsbac_daz_fd_old_aci_t.
 */
#if defined(CONFIG_RSBAC_DAZ)
#define RSBAC_DAZ_FD_ACI_VERSION 2
#define RSBAC_DAZ_FD_OLD_ACI_VERSION 1
#define RSBAC_DAZ_FD_ACI_KEY 10535
/* 86400 - units are not stated here (86400 s would be 24 h; confirm) */
#define RSBAC_DAZ_CACHE_CLEANUP_INTERVAL 86400
#define RSBAC_DAZ_SCANNED_FD_ACI_VERSION 1
struct rsbac_daz_fd_aci_t {
	rsbac_daz_scanner_t daz_scanner; /* DAZ (for FILE only) */
	rsbac_daz_do_scan_t daz_do_scan;
};
/* Previous layout (RSBAC_DAZ_FD_OLD_ACI_VERSION): no daz_do_scan field. */
struct rsbac_daz_fd_old_aci_t {
	rsbac_daz_scanner_t daz_scanner; /* DAZ (for FILE only) (boolean) */
};
/* Defaults: daz_scanner cleared; the do_scan default differs between an
 * ordinary file/dir and the root directory. */
#define DEFAULT_DAZ_FD_ACI \
{ \
	.daz_scanner = FALSE, \
	.daz_do_scan = DEFAULT_DAZ_FD_DO_SCAN \
}
#define DEFAULT_DAZ_ROOT_DIR_ACI \
{ \
	.daz_scanner = FALSE, \
	.daz_do_scan = DEFAULT_DAZ_FD_ROOT_DO_SCAN \
}
#endif

/* FF module: only version/key here, no per-fd struct in this header. */
#if defined(CONFIG_RSBAC_FF)
#define RSBAC_FF_FD_ACI_VERSION 1
#define RSBAC_FF_FD_ACI_KEY 1001
#endif

/*
 * RC (Role Compatibility) module: file/dir attributes.
 * rc_type_fd is the RC type of the object; rc_force_role and
 * rc_initial_role are role ids attached to the object.
 */
#if defined(CONFIG_RSBAC_RC)
#define RSBAC_RC_FD_ACI_VERSION 1
#define RSBAC_RC_FD_ACI_KEY 1001
struct rsbac_rc_fd_aci_t {
	rsbac_rc_type_id_t rc_type_fd; /* RC */
	rsbac_rc_role_id_t rc_force_role; /* RC */
	rsbac_rc_role_id_t rc_initial_role; /* RC */
};
/* Ordinary file/dir: type inherited from the parent, default roles. */
#define DEFAULT_RC_FD_ACI \
{ \
	.rc_type_fd = RC_type_inherit_parent, \
	.rc_force_role = RC_default_force_role, \
	.rc_initial_role = RC_default_initial_role, \
}
/* Root directory: there is no parent to inherit from, so it gets the
 * general type explicitly, plus root-dir-specific default roles. */
#define DEFAULT_RC_ROOT_DIR_ACI \
{ \
	.rc_type_fd = RSBAC_RC_GENERAL_TYPE, \
	.rc_force_role = RC_default_root_dir_force_role, \
	.rc_initial_role = RC_default_root_dir_initial_role, \
}
#endif

/*
 * AUTH module: file/dir attributes.
 * Version 2 widens auth_may_setuid from a boolean to an enum (still one
 * __u8, so the field size is unchanged) and adds auth_learn; version 1 is
 * kept as rsbac_auth_fd_old_aci_t.
 */
#if defined(CONFIG_RSBAC_AUTH)
#define RSBAC_AUTH_FD_ACI_VERSION 2
#define RSBAC_AUTH_FD_OLD_ACI_VERSION 1
#define RSBAC_AUTH_FD_ACI_KEY 1001
struct rsbac_auth_fd_aci_t {
	__u8 auth_may_setuid; /* AUTH (enum) */
	__u8 auth_may_set_cap; /* AUTH (boolean) */
	__u8 auth_learn; /* AUTH (boolean) */
};
/* Previous layout (RSBAC_AUTH_FD_OLD_ACI_VERSION). */
struct rsbac_auth_fd_old_aci_t {
	__u8 auth_may_setuid; /* AUTH (boolean) */
	__u8 auth_may_set_cap; /* AUTH (boolean) */
};
/* Default: every AUTH flag cleared (FALSE) until set explicitly. */
#define DEFAULT_AUTH_FD_ACI \
{ \
	.auth_may_setuid = FALSE, \
	.auth_may_set_cap = FALSE, \
	.auth_learn = FALSE, \
}
#endif

/* CAP module: file/dir attributes (struct and defaults follow). */
#if defined(CONFIG_RSBAC_CAP)
#define RSBAC_CAP_FD_ACI_VERSION 3
#define RSBAC_CAP_FD_OLD_ACI_VERSION 2
#define RSBAC_CAP_FD_ACI_KEY 1001
/*
 * Per-program capability bounds.  min_caps are forced on, max_caps cap what
 * the program may hold; cap_ld_env controls the loader-environment handling.
 * Version 2 (rsbac_cap_fd_old_aci_t) used the narrower rsbac_cap_old_vector_t
 * and is kept for conversion of stored lists.
 */
struct rsbac_cap_fd_aci_t {
    rsbac_cap_vector_t min_caps; /* Program forced minimum Linux capabilities */
    rsbac_cap_vector_t max_caps; /* Program max Linux capabilities */
    rsbac_cap_ld_env_int_t cap_ld_env;
};
struct rsbac_cap_fd_old_aci_t {
    rsbac_cap_old_vector_t min_caps; /* Program forced minimum Linux capabilities */
    rsbac_cap_old_vector_t max_caps; /* Program max Linux capabilities */
    rsbac_cap_ld_env_int_t cap_ld_env;
};
/* Both 32-bit words of the vector are initialised explicitly; the file
 * default keeps the loader environment (LD_keep), unlike the process
 * default further down which uses LD_allow. */
#define DEFAULT_CAP_FD_ACI \
{ \
    .min_caps.cap[0] = RSBAC_CAP_DEFAULT_MIN, \
    .max_caps.cap[0] = RSBAC_CAP_DEFAULT_MAX, \
    .min_caps.cap[1] = RSBAC_CAP_DEFAULT_MIN, \
    .max_caps.cap[1] = RSBAC_CAP_DEFAULT_MAX, \
    .cap_ld_env = LD_keep, \
}
#endif

#if defined(CONFIG_RSBAC_PAX)
/* PAX file/dir ACI: list version/key only, no struct in this header. */
#define RSBAC_PAX_FD_ACI_VERSION 1
#define RSBAC_PAX_FD_ACI_KEY 100112
#endif

#if defined(CONFIG_RSBAC_RES)
/* RES (resource limits) file/dir ACI: per-program minimum and maximum
 * rlimits.  Array index order is documented entry by entry in the default
 * below; RSBAC_RES_UNSET means "no limit set here". */
#define RSBAC_RES_FD_ACI_VERSION 1
#define RSBAC_RES_FD_ACI_KEY 1002
struct rsbac_res_fd_aci_t {
    rsbac_res_array_t res_min;
    rsbac_res_array_t res_max;
};
#define DEFAULT_RES_FD_ACI \
{ \
    .res_min = { \
        RSBAC_RES_UNSET, /* cpu time */ \
        RSBAC_RES_UNSET, /* file size */ \
        RSBAC_RES_UNSET, /* process data segment size */ \
        RSBAC_RES_UNSET, /* stack size */ \
        RSBAC_RES_UNSET, /* core dump size */ \
        RSBAC_RES_UNSET, /* resident memory set size */ \
        RSBAC_RES_UNSET, /* number of processes for this user */ \
        RSBAC_RES_UNSET, /* number of files */ \
        RSBAC_RES_UNSET, /* locked-in-memory address space */ \
        RSBAC_RES_UNSET, /* address space (virtual memory) limit */ \
        RSBAC_RES_UNSET /* maximum file locks */ \
    }, \
    .res_max = { \
        RSBAC_RES_UNSET, /* cpu time */ \
        RSBAC_RES_UNSET, /* file size */ \
        RSBAC_RES_UNSET, /* process data segment size */ \
        RSBAC_RES_UNSET, /* stack size */ \
        RSBAC_RES_UNSET, /* core dump size */ \
        RSBAC_RES_UNSET, /* resident memory set size */ \
        RSBAC_RES_UNSET, /* number of processes for this user */ \
        RSBAC_RES_UNSET, /* number of files */ \
        RSBAC_RES_UNSET, /* locked-in-memory address space */ \
        RSBAC_RES_UNSET, /* address space (virtual memory) limit */ \
        RSBAC_RES_UNSET /* maximum file locks */ \
    } \
}
#endif

/* Number of entries in RSBAC_FD_ATTR_LIST -- keep the two in sync (the
 * list below has exactly 34 entries). */
#define RSBAC_FD_NR_ATTRIBUTES 34
#define RSBAC_FD_ATTR_LIST { \
    A_security_level, \
    A_mac_categories, \
    A_mac_auto, \
    A_mac_prop_trusted, \
    A_mac_file_flags, \
    A_pm_object_class, \
    A_pm_tp, \
    A_pm_object_type, \
    A_daz_scanner, \
    A_ff_flags, \
    A_rc_type_fd, \
    A_rc_force_role, \
    A_rc_initial_role, \
    A_auth_may_setuid, \
    A_auth_may_set_cap, \
    A_auth_learn, \
    A_log_array_low, \
    A_log_array_high, \
    A_log_program_based, \
    A_symlink_add_remote_ip, \
    A_symlink_add_uid, \
    A_symlink_add_mac_level, \
    A_symlink_add_rc_role, \
    A_linux_dac_disable, \
    A_min_caps, \
    A_max_caps, \
    A_cap_ld_env, \
    A_res_min, \
    A_res_max, \
    A_pax_flags, \
    A_fake_root_uid, \
    A_auid_exempt, \
    A_daz_do_scan, \
    A_vset \
}

#ifdef __KERNEL__
/* Kernel-only: one generic-list handle per file/dir ACI list of a mounted
 * device.  Members exist only for configured modules, so sizeof() depends
 * on the kernel config. */
struct rsbac_fd_list_handles_t {
    rsbac_list_handle_t gen;
#if defined(CONFIG_RSBAC_MAC)
    rsbac_list_handle_t mac;
#endif
#if defined(CONFIG_RSBAC_PM)
    rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_DAZ)
    rsbac_list_handle_t daz;
#if defined(CONFIG_RSBAC_DAZ_CACHE)
    rsbac_list_handle_t dazs; /* DAZ scanned-file cache list */
#endif
#endif
#if defined(CONFIG_RSBAC_FF)
    rsbac_list_handle_t ff;
#endif
#if defined(CONFIG_RSBAC_RC)
    rsbac_list_handle_t rc;
#endif
#if defined(CONFIG_RSBAC_AUTH)
    rsbac_list_handle_t auth;
#endif
#if defined(CONFIG_RSBAC_CAP)
    rsbac_list_handle_t cap;
#endif
#if defined(CONFIG_RSBAC_PAX)
    rsbac_list_handle_t pax;
#endif
#if defined(CONFIG_RSBAC_RES)
    rsbac_list_handle_t res;
#endif
};
/* The list of devices is also a double linked list, so we define list */
/* items and a list head. */
/* Hash size. Must be power of 2.
*/
#define RSBAC_NR_DEVICE_LISTS 8
/* One entry per mounted device carrying RSBAC attribute lists. */
struct rsbac_device_list_item_t {
    kdev_t id;                          /* device number this item describes */
    struct dentry *d_covers;
    u_int mount_count;                  /* reference count of mounts sharing this entry */
    struct rsbac_fd_list_handles_t handles; /* attribute lists of this device */
    struct dentry *rsbac_dir_dentry_p;  /* dentry of the on-disk rsbac dir */
    struct super_block *sb_p;
    rsbac_inode_nr_t rsbac_dir_inode;   /* inode of the rsbac dir, for lookups */
    struct rsbac_device_list_item_t *prev;
    struct rsbac_device_list_item_t *next;
};
/* To provide consistency we use spinlocks for all list accesses. The */
/* 'curr' entry is used to avoid repeated lookups for the same item. */
/* NOTE(review): the spinlock is not a member of this head; it presumably
 * lives beside the global list variable -- check the definition site. */
struct rsbac_device_list_head_t {
    struct rsbac_device_list_item_t *head;
    struct rsbac_device_list_item_t *tail;
    struct rsbac_device_list_item_t *curr; /* last looked-up item (cache) */
    u_int count;
};
#endif /* __KERNEL__ */

/******************************/
/* OK, now we define the block/char device ACI, holding all dev information */
/* the ADF needs for decisions. */
/* Names of the persistent device attribute lists. */
#define RSBAC_GEN_ACI_DEV_NAME "dev_gen"
#define RSBAC_MAC_ACI_DEV_NAME "dev_mac"
#define RSBAC_PM_ACI_DEV_NAME "dev_pm"
#define RSBAC_RC_ACI_DEV_MAJOR_NAME "devm_rc"
#define RSBAC_RC_ACI_DEV_NAME "dev_rc"
/* Caution: whenever ACI changes, version should be increased!
*/
#define RSBAC_GEN_DEV_ACI_VERSION 2
#define RSBAC_GEN_DEV_OLD_ACI_VERSION 1
#define RSBAC_GEN_DEV_ACI_KEY 1001
/* Generic per-device data: two words of request-type log bits. */
struct rsbac_gen_dev_aci_t {
    rsbac_log_array_t log_array_low; /* dev based logging, */
    rsbac_log_array_t log_array_high; /* high and low bits */
};
/* -1 sets every bit of both words; what an all-ones log array means is
 * decided by the logging code, not here. */
#define DEFAULT_GEN_DEV_ACI \
{ \
    .log_array_low = -1, \
    .log_array_high = -1, \
}

#if defined(CONFIG_RSBAC_MAC)
#define RSBAC_MAC_DEV_ACI_VERSION 2
#define RSBAC_MAC_DEV_OLD_ACI_VERSION 1
#define RSBAC_MAC_DEV_ACI_KEY 1001
/* MAC label of a device node plus a switch whether MAC is enforced on it. */
struct rsbac_mac_dev_aci_t {
    rsbac_security_level_t sec_level; /* MAC */
    rsbac_mac_category_vector_t mac_categories; /* MAC category set */
    __u8 mac_check; /* MAC (boolean) */
};
/* Default: lowest level, default categories, and mac_check off -- i.e. a
 * device is not MAC-checked until an administrator enables it. */
#define DEFAULT_MAC_DEV_ACI \
{ \
    .sec_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_check = FALSE, \
}
#endif

#if defined(CONFIG_RSBAC_PM)
#define RSBAC_PM_DEV_ACI_VERSION 2
#define RSBAC_PM_DEV_OLD_ACI_VERSION 1
#define RSBAC_PM_DEV_ACI_KEY 1001
struct rsbac_pm_dev_aci_t {
    rsbac_pm_object_type_int_t pm_object_type; /* PM (enum rsbac_pm_object_type_t) */
    rsbac_pm_object_class_id_t pm_object_class; /* dev only */
};
#define DEFAULT_PM_DEV_ACI \
{ \
    .pm_object_type = PO_none, \
    .pm_object_class = 0, \
}
#endif

#if defined(CONFIG_RSBAC_RC)
/* RC device ACI: version/key only, no struct in this header. */
#define RSBAC_RC_DEV_ACI_VERSION 2
#define RSBAC_RC_DEV_OLD_ACI_VERSION 1
#define RSBAC_RC_DEV_ACI_KEY 1001
#endif

/* Must equal the number of entries in RSBAC_DEV_ATTR_LIST (8). */
#define RSBAC_DEV_NR_ATTRIBUTES 8
#define RSBAC_DEV_ATTR_LIST { \
    A_security_level, \
    A_mac_categories, \
    A_mac_check, \
    A_pm_object_type, \
    A_pm_object_class, \
    A_rc_type, \
    A_log_array_low, \
    A_log_array_high \
}

#ifdef __KERNEL__
/* Kernel-only list handles for the device ACI lists. */
struct rsbac_dev_handles_t {
    rsbac_list_handle_t gen;
#if defined(CONFIG_RSBAC_MAC)
    rsbac_list_handle_t mac;
#endif
#if defined(CONFIG_RSBAC_PM)
    rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_RC)
    rsbac_list_handle_t rc;
#endif
};
#endif /* __KERNEL__ */

/**************************************************************************/
/* Next we define the ipc ACI, holding all ipc information */
/* the
ADF needs for decisions. */
/* Persistent list names.  Note "ipc_jai" is deliberately short (7 chars)
 * while the others are not -- presumably a list-name length limit; do not
 * "fix" the string without checking that limit. */
#define RSBAC_MAC_ACI_IPC_NAME "ipc_mac"
#define RSBAC_PM_ACI_IPC_NAME "ipc_pm"
#define RSBAC_RC_ACI_IPC_NAME "ipc_rc"
#define RSBAC_JAIL_ACI_IPC_NAME "ipc_jai"

#if defined(CONFIG_RSBAC_MAC)
#define RSBAC_MAC_IPC_ACI_VERSION 1
#define RSBAC_MAC_IPC_ACI_KEY 1001
/* MAC label of an IPC object (no mac_check switch, unlike devices). */
struct rsbac_mac_ipc_aci_t {
    rsbac_security_level_t sec_level; /* enum old_rsbac_security_level_t / __u8 */
    rsbac_mac_category_vector_t mac_categories; /* MAC category set */
};
#define DEFAULT_MAC_IPC_ACI \
{ \
    .sec_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
}
#endif

#if defined(CONFIG_RSBAC_PM)
#define RSBAC_PM_IPC_ACI_VERSION 1
#define RSBAC_PM_IPC_ACI_KEY 1001
struct rsbac_pm_ipc_aci_t {
    rsbac_pm_object_class_id_t pm_object_class; /* ipc only */
    rsbac_pm_purpose_id_t pm_ipc_purpose;
    rsbac_pm_object_type_int_t pm_object_type; /* enum rsbac_pm_object_type_t */
};
/* IPC objects default to the fixed IPC object class and type PO_ipc. */
#define DEFAULT_PM_IPC_ACI \
{ \
    .pm_object_class = RSBAC_PM_IPC_OBJECT_CLASS_ID, \
    .pm_ipc_purpose = 0, \
    .pm_object_type = PO_ipc, \
}
#endif

#if defined(CONFIG_RSBAC_RC)
#define RSBAC_RC_IPC_ACI_VERSION 1
#define RSBAC_RC_IPC_ACI_KEY 1001
#endif

#if defined(CONFIG_RSBAC_JAIL)
#define RSBAC_JAIL_IPC_ACI_VERSION 1
#define RSBAC_JAIL_IPC_ACI_KEY 1001
#endif

/* Must equal the number of entries in RSBAC_IPC_ATTR_LIST (7). */
#define RSBAC_IPC_NR_ATTRIBUTES 7
#define RSBAC_IPC_ATTR_LIST { \
    A_security_level, \
    A_mac_categories, \
    A_pm_object_class, \
    A_pm_ipc_purpose, \
    A_pm_object_type, \
    A_rc_type, \
    A_jail_id \
}

#ifdef __KERNEL__
/* Kernel-only list handles.  There is no generic ("gen") IPC list, and the
 * struct is empty if none of MAC/PM/RC/JAIL is configured (a GNU C
 * extension the kernel relies on). */
struct rsbac_ipc_handles_t {
#if defined(CONFIG_RSBAC_MAC)
    rsbac_list_handle_t mac;
#endif
#if defined(CONFIG_RSBAC_PM)
    rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_RC)
    rsbac_list_handle_t rc;
#endif
#if defined(CONFIG_RSBAC_JAIL)
    rsbac_list_handle_t jail;
#endif
};
#endif /* __KERNEL__ */

/*************************************/
/* The user ACI holds all user information the ADF needs.
*/
/*
 * User ACI: per-user attributes of the generic layer and of each configured
 * policy module.  *_ACI_USER_NAME strings name the persistent lists;
 * *_ACI_VERSION tags the stored layout and must be increased whenever the
 * matching struct changes (see the "Caution" notes in this file); the
 * *_OLD_* structs are earlier layouts, presumably kept so lists written by
 * older releases can be converted.
 */
#define RSBAC_GEN_ACI_USER_NAME "u_gen"
#define RSBAC_MAC_ACI_USER_NAME "u_mac"
#define RSBAC_PM_ACI_USER_NAME "u_pm"
#define RSBAC_DAZ_ACI_USER_NAME "u_daz"
#define RSBAC_FF_ACI_USER_NAME "u_ff"
#define RSBAC_RC_ACI_USER_NAME "u_rc"
#define RSBAC_AUTH_ACI_USER_NAME "u_auth"
#define RSBAC_CAP_ACI_USER_NAME "u_cap"
#define RSBAC_JAIL_ACI_USER_NAME "u_jail"
#define RSBAC_PAX_ACI_USER_NAME "u_pax"
#define RSBAC_RES_ACI_USER_NAME "u_res"

#define RSBAC_GEN_USER_ACI_VERSION 2
#define RSBAC_GEN_USER_OLD_ACI_VERSION 1
#define RSBAC_GEN_USER_ACI_KEY 1001
/* Generic (policy-independent) per-user data. */
struct rsbac_gen_user_aci_t {
    rsbac_pseudo_t pseudo; /* pseudonym; 0 = none (see default below) */
    rsbac_request_vector_t log_user_based; /* User based logging */
};
#define DEFAULT_GEN_U_ACI \
{ \
    .pseudo = (rsbac_pseudo_t) 0, \
    .log_user_based = 0, \
}

#if defined(CONFIG_RSBAC_MAC)
/*
 * MAC per-user data, layout version 5.  Versions 1-4 follow as *_old_* structs;
 * the history visible here: v1 had a single level + categories, v2 added
 * minimum level/categories, v3 added mac_allow_auto (a boolean), v4/v5 moved
 * to initial_* values and a flags word.
 */
#define RSBAC_MAC_USER_ACI_VERSION 5
#define RSBAC_MAC_USER_OLD_ACI_VERSION 4
#define RSBAC_MAC_USER_OLD_OLD_ACI_VERSION 3
#define RSBAC_MAC_USER_OLD_OLD_OLD_ACI_VERSION 2
#define RSBAC_MAC_USER_OLD_OLD_OLD_OLD_ACI_VERSION 1
#define RSBAC_MAC_USER_ACI_KEY 1001
struct rsbac_mac_user_aci_t {
    rsbac_security_level_t security_level; /* maximum level */
    rsbac_security_level_t initial_security_level; /* level at session start (original comment said "maximum level" -- verify) */
    rsbac_security_level_t min_security_level; /* minimum level / __u8 */
    rsbac_mac_category_vector_t mac_categories; /* MAC max category set */
    rsbac_mac_category_vector_t mac_initial_categories; /* MAC initial category set (original comment said "max" -- verify) */
    rsbac_mac_category_vector_t mac_min_categories; /* MAC min category set */
    rsbac_system_role_int_t system_role; /* enum rsbac_system_role_t */
    rsbac_mac_user_flags_t mac_user_flags; /* flags (override, trusted, allow_auto etc.) */
};
struct rsbac_mac_user_old_aci_t {
    rsbac_security_level_t access_appr; /* maximum level */
    rsbac_security_level_t min_access_appr; /* minimum level / __u8 */
    rsbac_mac_category_vector_t mac_categories; /* MAC max category set */
    rsbac_mac_category_vector_t mac_min_categories; /* MAC min category set */
    rsbac_system_role_int_t system_role; /* enum rsbac_system_role_t */
    rsbac_boolean_int_t mac_allow_auto; /* allow to auto-adjust current level */
};
struct rsbac_mac_user_old_old_aci_t {
    rsbac_security_level_t access_appr; /* maximum level */
    rsbac_security_level_t min_access_appr; /* minimum level / __u8 */
    rsbac_mac_category_vector_t mac_categories; /* MAC max category set */
    rsbac_mac_category_vector_t mac_min_categories; /* MAC min category set */
    rsbac_system_role_int_t system_role; /* enum rsbac_system_role_t */
};
struct rsbac_mac_user_old_old_old_aci_t {
    rsbac_security_level_t access_appr; /* enum old_rsbac_security_level_t / __u8 */
    rsbac_mac_category_vector_t mac_categories; /* MAC category set */
    rsbac_system_role_int_t system_role; /* enum rsbac_system_role_t */
};
/*
 * Role defaults.  All four share the same (lowest) levels and categories and
 * differ only in system_role and the flags word; note the auditor reuses the
 * plain-user flags (RSBAC_MAC_DEF_U_FLAGS) rather than a dedicated set.
 */
#define DEFAULT_MAC_U_ACI \
{ \
    .security_level = SL_unclassified, \
    .initial_security_level = SL_unclassified, \
    .min_security_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
    .system_role = SR_user, \
    .mac_user_flags = RSBAC_MAC_DEF_U_FLAGS, \
}
#define DEFAULT_MAC_U_SYSADM_ACI \
{ \
    .security_level = SL_unclassified, \
    .initial_security_level = SL_unclassified, \
    .min_security_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
    .system_role = SR_administrator, \
    .mac_user_flags = RSBAC_MAC_DEF_SYSADM_U_FLAGS, \
}
#define DEFAULT_MAC_U_SECOFF_ACI \
{ \
    .security_level = SL_unclassified, \
    .initial_security_level = SL_unclassified, \
    .min_security_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
    .system_role = SR_security_officer, \
    .mac_user_flags = RSBAC_MAC_DEF_SECOFF_U_FLAGS, \
}
#define DEFAULT_MAC_U_AUDITOR_ACI \
{ \
    .security_level = SL_unclassified, \
    .initial_security_level = SL_unclassified, \
    .min_security_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
    .system_role = SR_auditor, \
    .mac_user_flags = RSBAC_MAC_DEF_U_FLAGS, \
}
#endif

#if defined(CONFIG_RSBAC_PM)
#define RSBAC_PM_USER_ACI_VERSION 2
#define RSBAC_PM_USER_OLD_ACI_VERSION 1
#define RSBAC_PM_USER_ACI_KEY 1001
/* PM per-user data: task set and PM role.  One default per PM role. */
struct rsbac_pm_user_aci_t {
    rsbac_pm_task_set_id_t pm_task_set;
    rsbac_pm_role_int_t pm_role; /* enum rsbac_pm_role_t */
};
#define DEFAULT_PM_U_ACI \
{ \
    .pm_task_set = 0, \
    .pm_role = PR_user, \
}
#define DEFAULT_PM_U_SYSADM_ACI \
{ \
    .pm_task_set = 0, \
    .pm_role = PR_system_admin, \
}
#define DEFAULT_PM_U_SECOFF_ACI \
{ \
    .pm_task_set = 0, \
    .pm_role = PR_security_officer, \
}
#define DEFAULT_PM_U_DATAPROT_ACI \
{ \
    .pm_task_set = 0, \
    .pm_role = PR_data_protection_officer, \
}
#define DEFAULT_PM_U_TPMAN_ACI \
{ \
    .pm_task_set = 0, \
    .pm_role = PR_tp_manager, \
}
#endif

#if defined(CONFIG_RSBAC_DAZ)
#define RSBAC_DAZ_USER_ACI_VERSION 2
#define RSBAC_DAZ_USER_OLD_ACI_VERSION 1
#define RSBAC_DAZ_USER_ACI_KEY 1001
#endif

#if defined(CONFIG_RSBAC_FF)
#define RSBAC_FF_USER_ACI_VERSION 2
#define RSBAC_FF_USER_OLD_ACI_VERSION 1
#define RSBAC_FF_USER_ACI_KEY 1001
#endif

#if defined(CONFIG_RSBAC_RC)
#define RSBAC_RC_USER_ACI_VERSION 3
#define RSBAC_RC_USER_OLD_ACI_VERSION 2
#define RSBAC_RC_USER_OLD_OLD_ACI_VERSION 1
#define RSBAC_RC_USER_ACI_KEY 1001
/* RC per-user data: default role and the RC type of the user object. */
struct rsbac_rc_user_aci_t {
    rsbac_rc_role_id_t rc_role;
    rsbac_rc_type_id_t rc_type;
};
/* Role defaults: sysadm gets the system-admin role and SYS type, security
 * officer and auditor both get the SEC type with different roles. */
#define DEFAULT_RC_U_ACI \
{ \
    .rc_role = RSBAC_RC_GENERAL_ROLE, \
    .rc_type = RSBAC_RC_GENERAL_TYPE, \
}
#define DEFAULT_RC_U_SYSADM_ACI \
{ \
    .rc_role = RSBAC_RC_SYSTEM_ADMIN_ROLE, /* rc_role (RC) */ \
    .rc_type = RSBAC_RC_SYS_TYPE, \
}
#define DEFAULT_RC_U_SECOFF_ACI \
{ \
    .rc_role = RSBAC_RC_ROLE_ADMIN_ROLE, /* rc_role (RC) */ \
    .rc_type = RSBAC_RC_SEC_TYPE, \
}
#define DEFAULT_RC_U_AUDITOR_ACI \
{ \
    .rc_role = RSBAC_RC_AUDITOR_ROLE, /* rc_role (RC) */ \
    .rc_type = RSBAC_RC_SEC_TYPE, \
}
#endif

#if defined(CONFIG_RSBAC_AUTH)
#define RSBAC_AUTH_USER_ACI_VERSION 2
#define RSBAC_AUTH_USER_OLD_ACI_VERSION 1
#define RSBAC_AUTH_USER_ACI_KEY 1001
#endif /* AUTH */

#if defined(CONFIG_RSBAC_CAP)
/*
 * CAP per-user data: administrative role plus user-level capability bounds
 * (same meaning as the per-program bounds in rsbac_cap_fd_aci_t).  Version 4
 * switched from rsbac_cap_old_vector_t to rsbac_cap_vector_t.
 */
#define RSBAC_CAP_USER_ACI_VERSION 4
#define RSBAC_CAP_USER_OLD_ACI_VERSION 3
#define RSBAC_CAP_USER_ACI_KEY 1001
struct rsbac_cap_user_aci_t {
    rsbac_system_role_int_t cap_role; /* System role for CAP administration */
    rsbac_cap_vector_t min_caps; /* User forced minimum Linux capabilities */
    rsbac_cap_vector_t max_caps; /* User max Linux capabilities */
    rsbac_cap_ld_env_int_t cap_ld_env;
};
struct rsbac_cap_user_old_aci_t {
    rsbac_system_role_int_t cap_role; /* System role for CAP administration */
    rsbac_cap_old_vector_t min_caps; /* User forced minimum Linux capabilities */
    rsbac_cap_old_vector_t max_caps; /* User max Linux capabilities */
    rsbac_cap_ld_env_int_t cap_ld_env;
};
/* The four role defaults differ only in cap_role. */
#define DEFAULT_CAP_U_ACI \
{ \
    .cap_role = SR_user, \
    .min_caps.cap[0] = RSBAC_CAP_DEFAULT_MIN, \
    .max_caps.cap[0] = RSBAC_CAP_DEFAULT_MAX, \
    .min_caps.cap[1] = RSBAC_CAP_DEFAULT_MIN, \
    .max_caps.cap[1] = RSBAC_CAP_DEFAULT_MAX, \
    .cap_ld_env = LD_keep, \
}
#define DEFAULT_CAP_U_SYSADM_ACI \
{ \
    .cap_role = SR_administrator, \
    .min_caps.cap[0] = RSBAC_CAP_DEFAULT_MIN, \
    .max_caps.cap[0] = RSBAC_CAP_DEFAULT_MAX, \
    .min_caps.cap[1] = RSBAC_CAP_DEFAULT_MIN, \
    .max_caps.cap[1] = RSBAC_CAP_DEFAULT_MAX, \
    .cap_ld_env = LD_keep, \
}
#define DEFAULT_CAP_U_SECOFF_ACI \
{ \
    .cap_role = SR_security_officer, \
    .min_caps.cap[0] = RSBAC_CAP_DEFAULT_MIN, \
    .max_caps.cap[0] = RSBAC_CAP_DEFAULT_MAX, \
    .min_caps.cap[1] = RSBAC_CAP_DEFAULT_MIN, \
    .max_caps.cap[1] = RSBAC_CAP_DEFAULT_MAX, \
    .cap_ld_env = LD_keep, \
}
#define DEFAULT_CAP_U_AUDITOR_ACI \
{ \
    .cap_role = SR_auditor, \
    .min_caps.cap[0] = RSBAC_CAP_DEFAULT_MIN, \
    .max_caps.cap[0] = RSBAC_CAP_DEFAULT_MAX, \
    .min_caps.cap[1] = RSBAC_CAP_DEFAULT_MIN, \
    .max_caps.cap[1] = RSBAC_CAP_DEFAULT_MAX, \
    .cap_ld_env = LD_keep, \
}
#endif

#if defined(CONFIG_RSBAC_JAIL)
#define RSBAC_JAIL_USER_ACI_VERSION 2
#define RSBAC_JAIL_USER_OLD_ACI_VERSION 1
#define RSBAC_JAIL_USER_ACI_KEY 1001
#endif

#if defined(CONFIG_RSBAC_PAX)
#define RSBAC_PAX_USER_ACI_VERSION 2
#define RSBAC_PAX_USER_OLD_ACI_VERSION 1
#define RSBAC_PAX_USER_ACI_KEY 1001221
#endif

#if defined(CONFIG_RSBAC_RES)
#define RSBAC_RES_USER_ACI_VERSION 2
#define RSBAC_RES_USER_OLD_ACI_VERSION 1
#define RSBAC_RES_USER_ACI_KEY 1002
/* RES per-user data: administrative role plus per-user rlimit bounds.
 * Array index order is the same as in DEFAULT_RES_FD_ACI; the four role
 * defaults below differ only in res_role. */
struct rsbac_res_user_aci_t {
    rsbac_system_role_int_t res_role; /* System role for RES administration */
    rsbac_res_array_t res_min;
    rsbac_res_array_t res_max;
};
#define DEFAULT_RES_U_ACI \
{ \
    .res_role = SR_user, \
    .res_min = { \
        RSBAC_RES_UNSET, /* cpu time */ \
        RSBAC_RES_UNSET, /* file size */ \
        RSBAC_RES_UNSET, /* process data segment size */ \
        RSBAC_RES_UNSET, /* stack size */ \
        RSBAC_RES_UNSET, /* core dump size */ \
        RSBAC_RES_UNSET, /* resident memory set size */ \
        RSBAC_RES_UNSET, /* number of processes for this user */ \
        RSBAC_RES_UNSET, /* number of files */ \
        RSBAC_RES_UNSET, /* locked-in-memory address space */ \
        RSBAC_RES_UNSET, /* address space (virtual memory) limit */ \
        RSBAC_RES_UNSET /* maximum file locks */ \
    }, \
    .res_max = { \
        RSBAC_RES_UNSET, /* cpu time */ \
        RSBAC_RES_UNSET, /* file size */ \
        RSBAC_RES_UNSET, /* process data segment size */ \
        RSBAC_RES_UNSET, /* stack size */ \
        RSBAC_RES_UNSET, /* core dump size */ \
        RSBAC_RES_UNSET, /* resident memory set size */ \
        RSBAC_RES_UNSET, /* number of processes for this user */ \
        RSBAC_RES_UNSET, /* number of files */ \
        RSBAC_RES_UNSET, /* locked-in-memory address space */ \
        RSBAC_RES_UNSET, /* address space (virtual memory) limit */ \
        RSBAC_RES_UNSET /* maximum file locks */ \
    }, \
}
#define DEFAULT_RES_U_SYSADM_ACI \
{ \
    .res_role = SR_administrator, \
    .res_min = { \
        RSBAC_RES_UNSET, /* cpu time */ \
        RSBAC_RES_UNSET, /* file size */ \
        RSBAC_RES_UNSET, /* process data segment size */ \
        RSBAC_RES_UNSET, /* stack size */ \
        RSBAC_RES_UNSET, /* core dump size */ \
        RSBAC_RES_UNSET, /* resident memory set size */ \
        RSBAC_RES_UNSET, /* number of processes for this user */ \
        RSBAC_RES_UNSET, /* number of files */ \
        RSBAC_RES_UNSET, /* locked-in-memory address space */ \
        RSBAC_RES_UNSET, /* address space (virtual memory) limit */ \
        RSBAC_RES_UNSET /* maximum file locks */ \
    }, \
    .res_max = { \
        RSBAC_RES_UNSET, /* cpu time */ \
        RSBAC_RES_UNSET, /* file size */ \
        RSBAC_RES_UNSET, /* process data segment size */ \
        RSBAC_RES_UNSET, /* stack size */ \
        RSBAC_RES_UNSET, /* core dump size */ \
        RSBAC_RES_UNSET, /* resident memory set size */ \
        RSBAC_RES_UNSET, /* number of processes for this user */ \
        RSBAC_RES_UNSET, /* number of files */ \
        RSBAC_RES_UNSET, /* locked-in-memory address space */ \
        RSBAC_RES_UNSET, /* address space (virtual memory) limit */ \
        RSBAC_RES_UNSET /* maximum file locks */ \
    } \
}
#define DEFAULT_RES_U_SECOFF_ACI \
{ \
    .res_role = SR_security_officer, \
    .res_min = { \
        RSBAC_RES_UNSET, /* cpu time */ \
        RSBAC_RES_UNSET, /* file size */ \
        RSBAC_RES_UNSET, /* process data segment size */ \
        RSBAC_RES_UNSET, /* stack size */ \
        RSBAC_RES_UNSET, /* core dump size */ \
        RSBAC_RES_UNSET, /* resident memory set size */ \
        RSBAC_RES_UNSET, /* number of processes for this user */ \
        RSBAC_RES_UNSET, /* number of files */ \
        RSBAC_RES_UNSET, /* locked-in-memory address space */ \
        RSBAC_RES_UNSET, /* address space (virtual memory) limit */ \
        RSBAC_RES_UNSET /* maximum file locks */ \
    }, \
    .res_max = { \
        RSBAC_RES_UNSET, /* cpu time */ \
        RSBAC_RES_UNSET, /* file size */ \
        RSBAC_RES_UNSET, /* process data segment size */ \
        RSBAC_RES_UNSET, /* stack size */ \
        RSBAC_RES_UNSET, /* core dump size */ \
        RSBAC_RES_UNSET, /* resident memory set size */ \
        RSBAC_RES_UNSET, /* number of processes for this user */ \
        RSBAC_RES_UNSET, /* number of files */ \
        RSBAC_RES_UNSET, /* locked-in-memory address space */ \
        RSBAC_RES_UNSET, /* address space (virtual memory) limit */ \
        RSBAC_RES_UNSET /* maximum file locks */ \
    } \
}
#define DEFAULT_RES_U_AUDITOR_ACI \
{ \
    .res_role = SR_auditor, \
    .res_min = { \
        RSBAC_RES_UNSET, /* cpu time */ \
        RSBAC_RES_UNSET, /* file size */ \
        RSBAC_RES_UNSET, /* process data segment size */ \
        RSBAC_RES_UNSET, /* stack size */ \
        RSBAC_RES_UNSET, /* core dump size */ \
        RSBAC_RES_UNSET, /* resident memory set size */ \
        RSBAC_RES_UNSET, /* number of processes for this user */ \
        RSBAC_RES_UNSET, /* number of files */ \
        RSBAC_RES_UNSET, /* locked-in-memory address space */ \
        RSBAC_RES_UNSET, /* address space (virtual memory) limit */ \
        RSBAC_RES_UNSET /* maximum file locks */ \
    }, \
    .res_max = { \
        RSBAC_RES_UNSET, /* cpu time */ \
        RSBAC_RES_UNSET, /* file size */ \
        RSBAC_RES_UNSET, /* process data segment size */ \
        RSBAC_RES_UNSET, /* stack size */ \
        RSBAC_RES_UNSET, /* core dump size */ \
        RSBAC_RES_UNSET, /* resident memory set size */ \
        RSBAC_RES_UNSET, /* number of processes for this user */ \
        RSBAC_RES_UNSET, /* number of files */ \
        RSBAC_RES_UNSET, /* locked-in-memory address space */ \
        RSBAC_RES_UNSET, /* address space (virtual memory) limit */ \
        RSBAC_RES_UNSET /* maximum file locks */ \
    } \
}
#endif

/* Must equal the number of entries in RSBAC_USER_ATTR_LIST (24). */
#define RSBAC_USER_NR_ATTRIBUTES 24
#define RSBAC_USER_ATTR_LIST { \
    A_pseudo, \
    A_log_user_based, \
    A_security_level, \
    A_initial_security_level, \
    A_min_security_level, \
    A_mac_categories, \
    A_mac_initial_categories, \
    A_mac_min_categories, \
    A_mac_role, \
    A_mac_user_flags, \
    A_daz_role, \
    A_ff_role, \
    A_auth_role, \
    A_pm_task_set, \
    A_pm_role, \
    A_rc_def_role, \
    A_rc_type, \
    A_min_caps, \
    A_max_caps, \
    A_cap_role, \
    A_cap_ld_env, \
    A_jail_role, \
    A_res_role, \
    A_pax_role \
}

#ifdef __KERNEL__
/* Kernel-only list handles for the user ACI lists. */
struct rsbac_user_handles_t {
    rsbac_list_handle_t gen;
#if defined(CONFIG_RSBAC_MAC)
    rsbac_list_handle_t mac;
#endif
#if defined(CONFIG_RSBAC_PM)
    rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_DAZ)
    rsbac_list_handle_t daz;
#endif
#if defined(CONFIG_RSBAC_FF)
    rsbac_list_handle_t ff;
#endif
#if defined(CONFIG_RSBAC_RC)
    rsbac_list_handle_t rc;
#endif
#if defined(CONFIG_RSBAC_AUTH)
    rsbac_list_handle_t auth;
#endif
#if defined(CONFIG_RSBAC_CAP)
    rsbac_list_handle_t cap;
#endif
#if defined(CONFIG_RSBAC_JAIL)
    rsbac_list_handle_t jail;
#endif
#if defined(CONFIG_RSBAC_PAX)
    rsbac_list_handle_t pax;
#endif
#if defined(CONFIG_RSBAC_RES)
    rsbac_list_handle_t res;
#endif
};
#endif /* __KERNEL__ */

/********************************/
/* Process ACI. */
#define RSBAC_GEN_ACI_PROCESS_NAME "process_gen"
#define RSBAC_MAC_ACI_PROCESS_NAME "process_mac"
#define RSBAC_PM_ACI_PROCESS_NAME "process_pm"
#define RSBAC_DAZ_ACI_PROCESS_NAME "process_daz"
#define RSBAC_RC_ACI_PROCESS_NAME "process_rc"
#define RSBAC_AUTH_ACI_PROCESS_NAME "process_auth"
#define RSBAC_CAP_ACI_PROCESS_NAME "process_cap"
#define RSBAC_JAIL_ACI_PROCESS_NAME "process_jail"

#define RSBAC_GEN_PROCESS_ACI_VERSION 2
#define RSBAC_GEN_PROCESS_ACI_KEY 1001
/* Generic per-process data (no *_OLD_* struct is declared for version 1). */
struct rsbac_gen_process_aci_t {
    rsbac_request_vector_t log_program_based;
    rsbac_fake_root_uid_int_t fake_root_uid; /* FR_off by default */
    rsbac_uid_t audit_uid;
    rsbac_uid_t auid_exempt;
    __u32 remote_ip; /* 32 bits: holds an IPv4 address only */
    rsbac_boolean_t kernel_thread;
    rsbac_um_set_t vset;
};
#define DEFAULT_GEN_P_ACI \
{ \
    .log_program_based = 0, \
    .fake_root_uid = FR_off, \
    .audit_uid = RSBAC_NO_USER, \
    .auid_exempt = RSBAC_NO_USER, \
    .remote_ip = 0, \
    .kernel_thread = 0, \
    .vset = 0, \
}

#if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
#define RSBAC_MAC_PROCESS_ACI_VERSION 1
#define RSBAC_MAC_PROCESS_ACI_KEY 1001
/*
 * MAC per-process state: the owner's bounds (copied from the user ACI), the
 * current label, and the *-property tracking values.  The defaults start the
 * tracking at the widest bounds (min_write_open = SL_max with all categories,
 * max_read_open = SL_unclassified with the minimum categories), so the first
 * open narrows them.
 */
struct rsbac_mac_process_aci_t {
    rsbac_security_level_t owner_sec_level; /* enum old_rsbac_security_level_t */
    rsbac_security_level_t owner_initial_sec_level; /* enum old_rsbac_security_level_t */
    rsbac_security_level_t owner_min_sec_level; /* enum old_rsbac_security_level_t */
    rsbac_mac_category_vector_t mac_owner_categories; /* MAC category set */
    rsbac_mac_category_vector_t mac_owner_initial_categories; /* MAC category set */
    rsbac_mac_category_vector_t mac_owner_min_categories; /* MAC category set */
    rsbac_security_level_t current_sec_level; /* enum rsbac_security_level_t */
    rsbac_mac_category_vector_t mac_curr_categories; /* MAC current category set */
    rsbac_security_level_t min_write_open; /* for *-property, enum rsbac_security_level_t */
    rsbac_mac_category_vector_t min_write_categories; /* MAC, for *-property */
    rsbac_security_level_t max_read_open; /* for *-property, enum rsbac_security_level_t */
    rsbac_mac_category_vector_t max_read_categories; /* MAC, for *-property */
    rsbac_mac_process_flags_t mac_process_flags; /* flags (override, trusted, auto etc.) */
};
#define DEFAULT_MAC_P_ACI \
{ \
    .owner_sec_level = SL_unclassified, \
    .owner_initial_sec_level = SL_unclassified, \
    .owner_min_sec_level = SL_unclassified, \
    .mac_owner_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_owner_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_owner_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
    .current_sec_level = SL_unclassified, \
    .mac_curr_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .min_write_open = SL_max, \
    .min_write_categories = RSBAC_MAC_MAX_CAT_VECTOR, \
    .max_read_open = SL_unclassified, \
    .max_read_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
    .mac_process_flags = RSBAC_MAC_DEF_P_FLAGS, \
}
/* Same as DEFAULT_MAC_P_ACI except for the flags word used for init. */
#define DEFAULT_MAC_P_INIT_ACI \
{ \
    .owner_sec_level = SL_unclassified, \
    .owner_initial_sec_level = SL_unclassified, \
    .owner_min_sec_level = SL_unclassified, \
    .mac_owner_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_owner_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_owner_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
    .current_sec_level = SL_unclassified, \
    .mac_curr_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .min_write_open = SL_max, \
    .min_write_categories = RSBAC_MAC_MAX_CAT_VECTOR, \
    .max_read_open = SL_unclassified, \
    .max_read_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
    .mac_process_flags = RSBAC_MAC_DEF_INIT_P_FLAGS, \
}
#endif

#if defined(CONFIG_RSBAC_PM)
#define RSBAC_PM_PROCESS_ACI_VERSION 1
#define RSBAC_PM_PROCESS_ACI_KEY 1001
struct rsbac_pm_process_aci_t {
    rsbac_pm_tp_id_t pm_tp;
    rsbac_pm_task_id_t pm_current_task;
    rsbac_pm_process_type_int_t pm_process_type; /* enum rsbac_pm_process_type_t */
};
#define DEFAULT_PM_P_ACI \
{ \
    .pm_tp = 0, \
    .pm_current_task = 0, \
    .pm_process_type = PP_none, \
}
#endif

#if defined(CONFIG_RSBAC_DAZ)
#define RSBAC_DAZ_PROCESS_ACI_VERSION 1
#define RSBAC_DAZ_PROCESS_ACI_KEY 1001
struct rsbac_daz_process_aci_t {
    rsbac_boolean_int_t daz_scanner; /* DAZ, boolean */
};
#define DEFAULT_DAZ_P_ACI \
{ \
    .daz_scanner = FALSE, \
}
#endif

#if defined(CONFIG_RSBAC_RC)
#define RSBAC_RC_PROCESS_ACI_VERSION 1
#define RSBAC_RC_PROCESS_ACI_KEY 1001
struct rsbac_rc_process_aci_t {
    rsbac_rc_role_id_t rc_role; /* RC */
    rsbac_rc_type_id_t rc_type; /* RC */
    rsbac_rc_role_id_t rc_force_role; /* RC */
    rsbac_rc_type_id_t rc_select_type; /* RC */
};
#define DEFAULT_RC_P_ACI \
{ \
    .rc_role = RSBAC_RC_GENERAL_ROLE, \
    .rc_type = RSBAC_RC_GENERAL_TYPE, \
    .rc_force_role = RC_default_force_role, \
    .rc_select_type = RC_type_use_fd, \
}
/* init and kernel threads start in the system-admin role; the kernel
 * variant additionally uses the configured kernel process type. */
#define DEFAULT_RC_P_INIT_ACI \
{ \
    .rc_role = RSBAC_RC_SYSTEM_ADMIN_ROLE, \
    .rc_type = RSBAC_RC_GENERAL_TYPE, \
    .rc_force_role = RC_default_force_role, \
    .rc_select_type = RC_type_use_fd, \
}
#define DEFAULT_RC_P_KERNEL_ACI \
{ \
    .rc_role = RSBAC_RC_SYSTEM_ADMIN_ROLE, \
    .rc_type = CONFIG_RSBAC_RC_KERNEL_PROCESS_TYPE, \
    .rc_force_role = RC_default_force_role, \
    .rc_select_type = RC_type_use_fd, \
}
#endif

#if defined(CONFIG_RSBAC_AUTH)
#define RSBAC_AUTH_PROCESS_ACI_VERSION 1
#define RSBAC_AUTH_PROCESS_ACI_KEY 1001
/*
 * AUTH per-process state.  The learn-mode members record the executed file
 * and the ids the process started with; they exist only in kernel builds
 * with CONFIG_RSBAC_AUTH_LEARN.
 */
struct rsbac_auth_process_aci_t {
    __u8 auth_may_setuid; /* AUTH (boolean) */
    __u8 auth_may_set_cap; /* AUTH (boolean) */
    rsbac_uid_t auth_last_auth;
#if defined(CONFIG_RSBAC_AUTH_LEARN) && defined(__KERNEL__)
    struct rsbac_fs_file_t auth_program_file;
    rsbac_uid_t auth_start_uid;
#ifdef CONFIG_RSBAC_AUTH_DAC_OWNER
    rsbac_uid_t auth_start_euid;
#endif
#ifdef CONFIG_RSBAC_AUTH_GROUP
    rsbac_gid_t auth_start_gid;
#ifdef CONFIG_RSBAC_AUTH_DAC_GROUP
    rsbac_gid_t auth_start_egid;
#endif
#endif
    __u8 auth_learn; /* AUTH (boolean) */
#endif
};
/*
 * NOTE(review): the members initialised below exist only when __KERNEL__ is
 * also defined, but this initializer is selected on CONFIG_RSBAC_AUTH_LEARN
 * alone.  A userspace build that defines CONFIG_RSBAC_AUTH_LEARN and expands
 * DEFAULT_AUTH_P_ACI would name non-existent members -- either guard both
 * the same way or confirm userspace never uses this macro.
 * auth_program_file uses a positional initializer, so it depends on the
 * member order of struct rsbac_fs_file_t (declared elsewhere); the optional
 * auth_start_euid/gid/egid members are left zero by the designated
 * initializer.
 */
#if defined(CONFIG_RSBAC_AUTH_LEARN)
#define DEFAULT_AUTH_P_ACI \
{ \
    .auth_may_setuid = FALSE, \
    .auth_may_set_cap = FALSE, \
    .auth_last_auth = RSBAC_NO_USER, \
    .auth_program_file = { RSBAC_ZERO_DEV, 0, NULL }, \
    .auth_start_uid = 0, \
    .auth_learn = 0, \
}
#else
#define DEFAULT_AUTH_P_ACI \
{ \
    .auth_may_setuid = FALSE, \
    .auth_may_set_cap = FALSE, \
    .auth_last_auth = RSBAC_NO_USER, \
}
#endif
#endif

#if defined(CONFIG_RSBAC_CAP)
#define RSBAC_CAP_PROCESS_ACI_VERSION 2
#define RSBAC_CAP_PROCESS_ACI_KEY 10013283
/* CAP per-process state.  The two max_caps_* copies exist only with
 * CONFIG_RSBAC_CAP_LOG_MISSING, so the struct layout (and the ACI version)
 * depend on that option. */
struct rsbac_cap_process_aci_t {
    rsbac_cap_process_hiding_int_t cap_process_hiding;
#ifdef CONFIG_RSBAC_CAP_LOG_MISSING
    rsbac_cap_vector_t max_caps_user;
    rsbac_cap_vector_t max_caps_program;
#endif
    rsbac_cap_ld_env_int_t cap_ld_env;
};
/* Process default is LD_allow, whereas the file and user defaults above use
 * LD_keep. */
#ifdef CONFIG_RSBAC_CAP_LOG_MISSING
#define DEFAULT_CAP_P_ACI \
{ \
    .cap_process_hiding = PH_off, \
    .max_caps_user.cap[0] = RSBAC_CAP_DEFAULT_MAX, \
    .max_caps_user.cap[1] = RSBAC_CAP_DEFAULT_MAX, \
    .max_caps_program.cap[0] = RSBAC_CAP_DEFAULT_MAX, \
    .max_caps_program.cap[1] = RSBAC_CAP_DEFAULT_MAX, \
    .cap_ld_env = LD_allow, \
}
#else
#define DEFAULT_CAP_P_ACI \
{ \
    .cap_process_hiding = PH_off, \
    .cap_ld_env = LD_allow, \
}
#endif
#endif

#if defined(CONFIG_RSBAC_JAIL)
#define RSBAC_JAIL_PROCESS_ACI_VERSION 1
#define RSBAC_JAIL_PROCESS_ACI_KEY 1001
/* JAIL per-process state: jail id/parent, bound IP, flags, capability
 * ceiling and the two SCD target masks. */
struct rsbac_jail_process_aci_t {
    rsbac_jail_id_t id;
    rsbac_jail_id_t parent;
    rsbac_jail_ip_t ip;
    rsbac_jail_flags_t flags;
    rsbac_cap_vector_t max_caps; /* Program max Linux capabilities */
    rsbac_jail_scd_vector_t scd_get; /* SCD targets GET_STATUS_DATA */
    rsbac_jail_scd_vector_t scd_modify; /* SCD targets MODIFY_SYSTEM_DATA */
};
/* id 0 = not jailed.  -1 stores an all-ones mask in both capability words,
 * i.e. the default imposes no capability ceiling until a jail sets one. */
#define DEFAULT_JAIL_P_ACI \
{ \
    .id = 0, \
    .parent = 0, \
    .ip = 0, \
    .flags = 0, \
    .max_caps.cap[0] = -1, \
    .max_caps.cap[1] = -1, \
    .scd_get = 0, \
    .scd_modify = 0, \
}
#endif

/* Must equal the number of entries in RSBAC_PROCESS_ATTR_LIST (39). */
#define RSBAC_PROCESS_NR_ATTRIBUTES 39
#define RSBAC_PROCESS_ATTR_LIST { \
    A_security_level, \
    A_min_security_level, \
    A_mac_categories, \
    A_mac_min_categories, \
    A_current_sec_level, \
    A_mac_curr_categories, \
    A_min_write_open, \
    A_min_write_categories, \
    A_max_read_open, \
    A_max_read_categories, \
    A_mac_process_flags, \
    A_pm_tp, \
    A_pm_current_task, \
    A_pm_process_type, \
    A_daz_scanner, \
    A_rc_role, \
    A_rc_type, \
    A_rc_force_role, \
    A_rc_select_type, \
    A_auth_may_setuid, \
    A_auth_may_set_cap, \
    A_auth_learn, \
    A_cap_process_hiding, \
    A_max_caps_user, \
    A_max_caps_program, \
    A_cap_ld_env, \
    A_jail_id, \
    A_jail_ip, \
    A_jail_flags, \
    A_jail_max_caps, \
    A_jail_scd_get, \
    A_jail_scd_modify, \
    A_log_program_based, \
    A_fake_root_uid, \
    A_audit_uid, \
    A_auid_exempt, \
    A_auth_last_auth, \
    A_remote_ip, \
    A_vset \
}

#ifdef __KERNEL__
/* Kernel-only list handles for the process ACI lists. */
struct rsbac_process_handles_t {
    rsbac_list_handle_t gen;
#if defined(CONFIG_RSBAC_MAC)
    rsbac_list_handle_t mac;
#endif
#if defined(CONFIG_RSBAC_PM)
    rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_DAZ)
    rsbac_list_handle_t daz;
#endif
#if defined(CONFIG_RSBAC_RC)
    rsbac_list_handle_t rc;
#endif
#if defined(CONFIG_RSBAC_AUTH)
    rsbac_list_handle_t auth;
#endif
#if defined(CONFIG_RSBAC_CAP)
    rsbac_list_handle_t cap;
#endif
#if defined(CONFIG_RSBAC_JAIL)
    rsbac_list_handle_t jail;
#endif
};
#endif /* __KERNEL__ */

/******************************/
/* OK, now we define the UM group ACI, holding all information */
/* the ADF needs for decisions. */
#define RSBAC_RC_ACI_GROUP_NAME "grouprc"
/* Caution: whenever ACI changes, version should be increased!
*/ #if defined(CONFIG_RSBAC_RC_UM_PROT) #define RSBAC_RC_GROUP_ACI_VERSION 1 #define RSBAC_RC_GROUP_ACI_KEY 13276142 #endif #define RSBAC_GROUP_NR_ATTRIBUTES 1 #define RSBAC_GROUP_ATTR_LIST { \ A_rc_type \ } #ifdef __KERNEL__ struct rsbac_group_handles_t { #if defined(CONFIG_RSBAC_RC_UM_PROT) rsbac_list_handle_t rc; #endif }; #endif /* __KERNEL__ */ /********************************/ /* NETDEV ACI */ #define RSBAC_GEN_ACI_NETDEV_NAME "nd_gen" #define RSBAC_RC_ACI_NETDEV_NAME "nd_rc" #define RSBAC_GEN_NETDEV_ACI_VERSION 1 #define RSBAC_GEN_NETDEV_ACI_KEY 1001 struct rsbac_gen_netdev_aci_t { rsbac_log_array_t log_array_low; /* netdev based logging, */ rsbac_log_array_t log_array_high; /* high and low bits */ }; #define DEFAULT_GEN_NETDEV_ACI \ { \ .log_array_low = -1, \ .log_array_high = -1, \ } #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT) #define RSBAC_RC_NETDEV_ACI_VERSION 1 #define RSBAC_RC_NETDEV_ACI_KEY 1001 #endif #define RSBAC_NETDEV_NR_ATTRIBUTES 3 #define RSBAC_NETDEV_ATTR_LIST { \ A_rc_type, \ A_log_array_low, \ A_log_array_high \ } #ifdef __KERNEL__ struct rsbac_netdev_handles_t { #if defined(CONFIG_RSBAC_IND_NETDEV_LOG) rsbac_list_handle_t gen; #endif #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT) rsbac_list_handle_t rc; #endif }; #endif /* __KERNEL__ */ /********************************/ /* NETTEMP ACI */ #define RSBAC_GEN_ACI_NETTEMP_NAME "nt_gen" #define RSBAC_MAC_ACI_NETTEMP_NAME "nt_mac" #define RSBAC_PM_ACI_NETTEMP_NAME "nt_pm" #define RSBAC_RC_ACI_NETTEMP_NAME "nt_rc" #define RSBAC_MAC_ACI_LNETOBJ_NAME "lnetobj_mac" #define RSBAC_PM_ACI_LNETOBJ_NAME "lnetobj_pm" #define RSBAC_RC_ACI_LNETOBJ_NAME "lnetobj_rc" #define RSBAC_MAC_ACI_RNETOBJ_NAME "rnetobj_mac" #define RSBAC_PM_ACI_RNETOBJ_NAME "rnetobj_pm" #define RSBAC_RC_ACI_RNETOBJ_NAME "rnetobj_rc" #define RSBAC_GEN_NETOBJ_ACI_VERSION 1 #define RSBAC_GEN_NETOBJ_ACI_KEY 1001 struct rsbac_gen_netobj_aci_t { rsbac_log_array_t log_array_low; /* nettemp/netobj based 
logging, */ rsbac_log_array_t log_array_high; /* high and low bits */ }; #define DEFAULT_GEN_NETOBJ_ACI \ { \ .log_array_low = -1, \ .log_array_high = -1, \ } #if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT) #define RSBAC_MAC_NETOBJ_ACI_VERSION 1 #define RSBAC_MAC_NETOBJ_ACI_KEY 1001 struct rsbac_mac_netobj_aci_t { rsbac_security_level_t sec_level; /* enum old_rsbac_security_level_t / __u8 */ rsbac_mac_category_vector_t mac_categories; /* MAC category set */ }; #define DEFAULT_MAC_NETOBJ_ACI \ { \ .sec_level = SL_unclassified, /* security_level (MAC) */ \ .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \ } #endif #if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT) #define RSBAC_PM_NETOBJ_ACI_VERSION 1 #define RSBAC_PM_NETOBJ_ACI_KEY 1001 struct rsbac_pm_netobj_aci_t { rsbac_pm_object_class_id_t pm_object_class; /* netobj only */ rsbac_pm_purpose_id_t pm_ipc_purpose; rsbac_pm_object_type_int_t pm_object_type; /* enum rsbac_pm_object_type_t */ }; #define DEFAULT_PM_NETOBJ_ACI \ { \ .pm_object_class = RSBAC_PM_IPC_OBJECT_CLASS_ID, \ .pm_ipc_purpose = 0, \ .pm_object_type = PO_ipc, \ } #endif #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT) #define RSBAC_RC_NETOBJ_ACI_VERSION 1 #define RSBAC_RC_NETOBJ_ACI_KEY 1001 #define RSBAC_RC_NETTEMP_ACI_VERSION 1 #define RSBAC_RC_NETTEMP_ACI_KEY 1002 struct rsbac_rc_nettemp_aci_t { rsbac_rc_type_id_t netobj_type; /* type inherited by the netobj */ rsbac_rc_type_id_t nettemp_type; /* type of this template */ }; #define DEFAULT_RC_NETTEMP_ACI \ { \ .netobj_type = RSBAC_RC_GENERAL_TYPE, \ .nettemp_type = RSBAC_RC_GENERAL_TYPE, \ } #endif #define RSBAC_NETTEMP_NR_ATTRIBUTES 9 #define RSBAC_NETTEMP_ATTR_LIST { \ A_security_level, \ A_mac_categories, \ A_pm_object_class, \ A_pm_ipc_purpose, \ A_pm_object_type, \ A_rc_type, \ A_rc_type_nt, \ A_log_array_low, \ A_log_array_high \ } #define RSBAC_NETOBJ_NR_ATTRIBUTES 16 #define RSBAC_NETOBJ_ATTR_LIST { \ A_local_sec_level, \ A_remote_sec_level, \ 
A_local_mac_categories, \ A_remote_mac_categories, \ A_local_pm_object_class, \ A_remote_pm_object_class, \ A_local_pm_ipc_purpose, \ A_remote_pm_ipc_purpose, \ A_local_pm_object_type, \ A_remote_pm_object_type, \ A_local_rc_type, \ A_remote_rc_type, \ A_local_log_array_low, \ A_remote_log_array_low, \ A_local_log_array_high, \ A_remote_log_array_high \ } #ifdef __KERNEL__ struct rsbac_nettemp_handles_t { #if defined(CONFIG_RSBAC_IND_NETOBJ_LOG) rsbac_list_handle_t gen; #endif #if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT) rsbac_list_handle_t mac; #endif #if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT) rsbac_list_handle_t pm; #endif #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT) rsbac_list_handle_t rc; #endif }; struct rsbac_lnetobj_handles_t { #if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT) rsbac_list_handle_t mac; #endif #if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT) rsbac_list_handle_t pm; #endif #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT) rsbac_list_handle_t rc; #endif }; struct rsbac_rnetobj_handles_t { #if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT) rsbac_list_handle_t mac; #endif #if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT) rsbac_list_handle_t pm; #endif #if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT) rsbac_list_handle_t rc; #endif }; #endif /* __KERNEL__ */ /**********************************************/ /* Declarations */ /**********************************************/ #ifdef __KERNEL__ extern kdev_t rsbac_root_dev; int rsbac_read_open(char *, struct file *, /* file */ kdev_t); int rsbac_write_open(char *, struct file *, /* file */ kdev_t); void rsbac_read_close(struct file *); void rsbac_write_close(struct file *); extern struct semaphore rsbac_write_sem; /**********************************************/ /* Locks */ /**********************************************/ extern inline void rsbac_read_lock(rwlock_t 
* lock_p, u_long * flags_p) { read_lock(lock_p); }; extern inline void rsbac_read_unlock(rwlock_t * lock_p, u_long * flags_p) { read_unlock(lock_p); }; extern inline void rsbac_write_lock(rwlock_t * lock_p, u_long * flags_p) { write_lock(lock_p); }; extern inline void rsbac_write_unlock(rwlock_t * lock_p, u_long * flags_p) { write_unlock(lock_p); }; extern inline void rsbac_write_lock_irq(rwlock_t * lock_p, u_long * flags_p) { write_lock_irq(lock_p); }; extern inline void rsbac_write_unlock_irq(rwlock_t * lock_p, u_long * flags_p) { write_unlock_irq(lock_p); }; #endif /* __KERNEL__ */ /**********************************************/ /* External Declarations */ /**********************************************/ #ifdef __KERNEL__ #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) static inline struct dentry *lock_parent(struct dentry *dentry) { struct dentry *dir = dget(dentry->d_parent); mutex_lock(&dir->d_inode->i_mutex); return dir; } static inline void unlock_dir(struct dentry *dir) { mutex_unlock(&dir->d_inode->i_mutex); dput(dir); } static inline void double_mutex_lock(struct mutex *m1, struct mutex *m2) { if (m1 != m2) { if ((unsigned long) m1 < (unsigned long) m2) { struct mutex *tmp = m2; m2 = m1; m1 = tmp; } mutex_lock(m1); } mutex_lock(m2); } static inline void double_mutex_unlock(struct mutex *m1, struct mutex *m2) { mutex_unlock(m1); if (m1 != m2) mutex_unlock(m2); } static inline void double_lock(struct dentry *d1, struct dentry *d2) { double_mutex_lock(&d1->d_inode->i_mutex, &d2->d_inode->i_mutex); } static inline void double_unlock(struct dentry *d1, struct dentry *d2) { double_mutex_unlock(&d1->d_inode->i_mutex, &d2->d_inode->i_mutex); dput(d1); dput(d2); } #else extern inline struct dentry *lock_parent(struct dentry *dentry); #endif #ifdef CONFIG_RSBAC_DEBUG static inline unsigned long rsbac_stack_free_space(void) { unsigned long *n = (unsigned long *)(current + 1); while (!*n) n++; return (unsigned long)n - (unsigned long)(current + 1); } #else #define 
rsbac_stack_free_space() 0 #endif #endif /* __KERNEL__ */ #endif rsbac-admin-1.4.0/main/headers/rsbac/network.h0000644000175000017500000000525011131371037021034 0ustar gauvaingauvain/************************************* */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2004: */ /* Amon Ott */ /* Network helper functions */ /* Last modified: 07/Dec/2004 */ /************************************* */ #ifndef __RSBAC_NETWORK_H #define __RSBAC_NETWORK_H #include #include #include #include #include #include #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) #include #endif #include #include /* functions */ int rsbac_ta_net_list_all_netdev(rsbac_list_ta_number_t ta_number, rsbac_netdev_id_t ** id_pp); static inline int rsbac_net_list_all_netdev(rsbac_netdev_id_t ** id_pp) { return rsbac_ta_net_list_all_netdev(0, id_pp); } //__u32 rsbac_net_make_mask_u32(__u8 valid_bits); int rsbac_net_compare_data(void * data1, void * data2); int rsbac_net_get_id( rsbac_list_ta_number_t ta_number, struct rsbac_net_description_t * desc_p, rsbac_net_temp_id_t * id_p); // void rsbac_net_obj_cleanup(rsbac_net_obj_id_t netobj); int rsbac_ta_net_lookup_templates( rsbac_list_ta_number_t ta_number, struct rsbac_net_obj_desc_t * netobj_p, rsbac_net_temp_id_t * local_temp_p, rsbac_net_temp_id_t * remote_temp_p); static inline int rsbac_net_lookup_templates( struct rsbac_net_obj_desc_t * netobj_p, rsbac_net_temp_id_t * local_temp_p, rsbac_net_temp_id_t * remote_temp_p) { return rsbac_ta_net_lookup_templates(0, netobj_p, local_temp_p, remote_temp_p); } int rsbac_ta_net_template( rsbac_list_ta_number_t ta_number, enum rsbac_net_temp_syscall_t call, rsbac_net_temp_id_t id, union rsbac_net_temp_syscall_data_t * data_p); static inline int rsbac_net_template(enum rsbac_net_temp_syscall_t call, rsbac_net_temp_id_t id, union rsbac_net_temp_syscall_data_t * data_p) { return rsbac_ta_net_template(0, call, id, data_p); } int rsbac_ta_net_list_all_template(rsbac_list_ta_number_t ta_number, 
rsbac_net_temp_id_t ** id_pp); static inline int rsbac_net_list_all_template(rsbac_net_temp_id_t ** id_pp) { return rsbac_ta_net_list_all_template(0, id_pp); } int rsbac_ta_net_template_exist(rsbac_list_ta_number_t ta_number, rsbac_net_temp_id_t temp); static inline int rsbac_net_template_exist(rsbac_net_temp_id_t temp) { return rsbac_ta_net_template_exist(0, temp); } /* Whether request should be checked for remote endpoint */ int rsbac_net_remote_request(enum rsbac_adf_request_t request); #endif rsbac-admin-1.4.0/main/headers/rsbac/getname.h0000644000175000017500000000573111131371037020767 0ustar gauvaingauvain/******************************** */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2007: */ /* Amon Ott */ /* Getname functions for all parts*/ /* Last modified: 17/Sep/2007 */ /******************************** */ #ifndef __RSBAC_GETNAME_H #define __RSBAC_GETNAME_H #include #ifdef CONFIG_RSBAC_XSTATS #include #endif #if defined(__KERNEL__) && defined(CONFIG_RSBAC_LOG_FULL_PATH) #include #if (CONFIG_RSBAC_MAX_PATH_LEN > 2000) #undef CONFIG_RSBAC_MAX_PATH_LEN #define CONFIG_RSBAC_MAX_PATH_LEN 2000 #endif #if (CONFIG_RSBAC_MAX_PATH_LEN < RSBAC_MAXNAMELEN) #undef CONFIG_RSBAC_MAX_PATH_LEN #define CONFIG_RSBAC_MAX_PATH_LEN RSBAC_MAXNAMELEN #endif #endif extern char * get_request_name(char * , enum rsbac_adf_request_t); extern enum rsbac_adf_request_t get_request_nr(const char *); extern char * get_result_name(char * , enum rsbac_adf_req_ret_t); extern enum rsbac_adf_req_ret_t get_result_nr(const char *); extern enum rsbac_switch_target_t get_attr_module(enum rsbac_attribute_t attr); extern char * get_attribute_name(char * , enum rsbac_attribute_t); extern char * get_attribute_value_name( char * attr_val_name, enum rsbac_attribute_t attr, union rsbac_attribute_value_t * attr_val_p); extern enum rsbac_attribute_t get_attribute_nr(const char *); extern char * get_target_name(char * , enum rsbac_target_t, char * , union rsbac_target_id_t); extern char * 
get_target_name_only(char * target_type_name, enum rsbac_target_t target); extern enum rsbac_target_t get_target_nr(const char *); extern char * get_ipc_target_name(char *, enum rsbac_ipc_type_t); extern enum rsbac_ipc_type_t get_ipc_target_nr(const char *); extern char * get_scd_type_name(char *, enum rsbac_scd_type_t); extern enum rsbac_scd_type_t get_scd_type_nr(const char *); extern char * get_switch_target_name(char *, enum rsbac_switch_target_t); extern enum rsbac_switch_target_t get_switch_target_nr(const char *); extern char * get_error_name(char *, int); #ifndef __KERNEL__ extern char * get_attribute_param(char * , enum rsbac_attribute_t); #endif extern char * get_log_level_name(char *, enum rsbac_log_level_t); extern enum rsbac_log_level_t get_log_level_nr(const char *); #ifdef __KERNEL__ int rsbac_get_full_path(struct dentry * dentry_p, char path[], int maxlen); #endif #ifdef __KERNEL__ int rsbac_get_full_path_length(struct dentry * dentry_p); #endif char * get_cap_name(char * name, u_int value); int get_cap_nr(const char * name); #ifdef CONFIG_RSBAC_XSTATS char *get_syscall_name(char *syscall_name, enum rsbac_syscall_t syscall); #endif #endif rsbac-admin-1.4.0/main/headers/rsbac/pm_types.h0000644000175000017500000001735511131371037021214 0ustar gauvaingauvain/************************************ */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2001: */ /* Amon Ott */ /* API: Data types for privacy */ /* model calls */ /* Last modified: 06/Sep/2001 */ /************************************ */ #ifndef __RSBAC_PM_TYPES_H #define __RSBAC_PM_TYPES_H #include /* Basic types */ typedef __u32 rsbac_pm_task_id_t; typedef __u32 rsbac_pm_task_set_id_t; typedef __u32 rsbac_pm_tp_id_t; /* transformation procedure id */ typedef __u32 rsbac_pm_tp_set_id_t; /* transformation procedure set id */ typedef __u32 rsbac_pm_ru_set_id_t; /* responsible user set id */ typedef __u32 rsbac_pm_purpose_id_t; typedef __s32 rsbac_pm_pp_set_id_t; /* purpose set id */ 
typedef rsbac_pid_t rsbac_pm_in_pp_set_id_t; /* input purpose set id */ typedef rsbac_pm_in_pp_set_id_t rsbac_pm_out_pp_set_id_t; /* output purpose set id */ typedef __u32 rsbac_pm_object_class_id_t; typedef __u32 rsbac_pm_tkt_id_t; /* ticket id */ typedef rsbac_time_t rsbac_pm_time_stamp_t; /* for ticket time stamps, same as */ /* parameter for sys_time */ typedef __u8 rsbac_pm_accesses_t; /* for necessary accesses */ #define RSBAC_PM_A_READ 1 #define RSBAC_PM_A_WRITE 2 #define RSBAC_PM_A_DELETE 4 #define RSBAC_PM_A_CREATE 8 #define RSBAC_PM_A_APPEND 16 #define RSBAC_PM_A_ALL 31 #define RSBAC_PM_A_WRITING (RSBAC_PM_A_WRITE | RSBAC_PM_A_DELETE \ | RSBAC_PM_A_CREATE | RSBAC_PM_A_APPEND) #define RSBAC_PM_A_WRITE_TO_FILE (RSBAC_PM_A_WRITE | RSBAC_PM_A_APPEND) #define RSBAC_PM_ROOT_TASK_SET_ID (rsbac_pm_task_set_id_t) -1 #define RSBAC_PM_IPC_OBJECT_CLASS_ID (rsbac_pm_object_class_id_t) 60000 #define RSBAC_PM_DEV_OBJECT_CLASS_ID (rsbac_pm_object_class_id_t) 60001 /* enum attributes */ enum rsbac_pm_list_t {PL_task,PL_class,PL_na,PL_cs,PL_tp,PL_pp,PL_tkt,PL_none}; enum rsbac_pm_all_list_t {PA_task,PA_class,PA_na,PA_cs,PA_tp,PA_pp,PA_tkt, PA_task_set,PA_tp_set,PA_ru_set,PA_pp_set, PA_in_pp_set,PA_out_pp_set,PA_none}; enum rsbac_pm_role_t {PR_user, PR_security_officer, PR_data_protection_officer, PR_tp_manager, PR_system_admin, PR_none}; typedef rsbac_enum_t rsbac_pm_role_int_t; enum rsbac_pm_process_type_t {PP_none, PP_TP}; typedef rsbac_enum_t rsbac_pm_process_type_int_t; enum rsbac_pm_object_type_t {PO_none, PO_TP, PO_personal_data, PO_non_personal_data, PO_ipc, PO_dir}; typedef rsbac_enum_t rsbac_pm_object_type_int_t; typedef rsbac_pm_process_type_int_t rsbac_pm_program_type_int_t; #ifdef __KERNEL__ enum rsbac_pm_set_t {PS_TASK,PS_TP,PS_RU,PS_PP,PS_IN_PP,PS_OUT_PP,PS_NONE}; /* unions */ union rsbac_pm_set_id_t { rsbac_pm_task_set_id_t task_set; rsbac_pm_tp_set_id_t tp_set; rsbac_pm_ru_set_id_t ru_set; rsbac_pm_pp_set_id_t pp_set; rsbac_pm_in_pp_set_id_t in_pp_set; 
rsbac_pm_out_pp_set_id_t out_pp_set; }; union rsbac_pm_set_member_t { rsbac_pm_task_id_t task; rsbac_pm_tp_id_t tp; rsbac_uid_t ru; rsbac_pm_purpose_id_t pp; }; struct rsbac_pm_na_id_t { rsbac_pm_task_id_t task; rsbac_pm_object_class_id_t object_class; rsbac_pm_tp_id_t tp; }; struct rsbac_pm_cs_id_t { rsbac_pm_purpose_id_t purpose; struct rsbac_fs_file_t file; }; /*****************/ /* api types */ /*****************/ struct rsbac_pm_task_data_t { rsbac_pm_task_id_t id; rsbac_pm_purpose_id_t purpose; rsbac_pm_tp_set_id_t tp_set; rsbac_pm_ru_set_id_t ru_set; }; struct rsbac_pm_class_data_t { rsbac_pm_object_class_id_t id; rsbac_pm_pp_set_id_t pp_set; }; struct rsbac_pm_na_data_t { rsbac_pm_task_id_t task; rsbac_pm_object_class_id_t object_class; rsbac_pm_tp_id_t tp; rsbac_pm_accesses_t accesses; }; struct rsbac_pm_cs_data_t { rsbac_pm_purpose_id_t purpose; struct rsbac_fs_file_t file; }; struct rsbac_pm_tp_data_t { rsbac_pm_tp_id_t id; }; struct rsbac_pm_pp_data_t { rsbac_pm_purpose_id_t id; rsbac_pm_object_class_id_t def_class; }; #endif /* __KERNEL__ */ struct rsbac_pm_purpose_list_item_t { rsbac_pm_purpose_id_t id; struct rsbac_pm_purpose_list_item_t * next; }; /******* ticket ********/ #include #ifdef __KERNEL__ /****************************************************************************/ /* For all pm lists all manipulation is encapsulated by the function calls */ /* rsbac_pm_set_data, rsbac_pm_get_data and rsbac_pm_remove_target. */ /* For those, we declare some extra types to specify target and attribute. 
*/ enum rsbac_pm_target_t {PMT_TASK, PMT_CLASS, PMT_NA, PMT_CS, PMT_TP, PMT_PP, PMT_TKT, PMT_NONE}; typedef rsbac_enum_t rsbac_pm_target_int_t; union rsbac_pm_target_id_t { rsbac_pm_task_id_t task; rsbac_pm_object_class_id_t object_class; struct rsbac_pm_na_id_t na; struct rsbac_pm_cs_id_t cs; rsbac_pm_tp_id_t tp; rsbac_pm_purpose_id_t pp; rsbac_pm_tkt_id_t tkt; int dummy; }; enum rsbac_pm_data_t { PD_purpose, PD_tp_set, PD_ru_set, PD_pp_set, PD_task, PD_class, PD_tp, PD_accesses, PD_file, PD_issuer, PD_function_type, PD_function_param, PD_valid_until, PD_def_class, PD_none }; typedef rsbac_enum_t rsbac_pm_data_int_t; union rsbac_pm_data_value_t { rsbac_pm_purpose_id_t purpose; rsbac_pm_tp_set_id_t tp_set; rsbac_pm_ru_set_id_t ru_set; rsbac_pm_pp_set_id_t pp_set; rsbac_pm_task_id_t task; rsbac_pm_object_class_id_t object_class; rsbac_pm_tp_id_t tp; rsbac_pm_accesses_t accesses; struct rsbac_fs_file_t file; rsbac_uid_t issuer; enum rsbac_pm_tkt_function_type_t function_type; union rsbac_pm_tkt_internal_function_param_t function_param; rsbac_pm_time_stamp_t valid_until; rsbac_pm_object_class_id_t def_class; int dummy; }; union rsbac_pm_all_data_value_t { struct rsbac_pm_task_data_t task; struct rsbac_pm_class_data_t object_class; struct rsbac_pm_na_data_t na; struct rsbac_pm_cs_data_t cs; struct rsbac_pm_tp_data_t tp; struct rsbac_pm_pp_data_t pp; struct rsbac_pm_tkt_data_t tkt; int dummy; }; #endif #endif rsbac-admin-1.4.0/main/headers/rsbac/jail_getname.h0000644000175000017500000000060411131371037021760 0ustar gauvaingauvain/********************************** */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2005: */ /* Amon Ott */ /* Getname functions for JAIL module */ /* Last modified: 27/May/2005 */ /********************************** */ #ifndef __RSBAC_JAIL_GETNAME_H #define __RSBAC_JAIL_GETNAME_H void rsbac_jail_log_missing_cap(int cap); #endif rsbac-admin-1.4.0/main/headers/rsbac/syscall_rsbac.h0000644000175000017500000000201111131371037022157 
0ustar gauvaingauvain/************************************ */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2004: */ /* Amon Ott */ /* */ /* System Calls */ /* */ /* Last modified: 13/Apr/2004 */ /************************************ */ #ifndef __RSBAC_SYSCALL_RSBAC_H #define __RSBAC_SYSCALL_RSBAC_H /* to keep include/asm-alpha/unistd.h happy */ //#define __LIBRARY__ #include #include #include #ifdef __PIC__ #undef _syscall3 #define _syscall3(type,name,type1,arg1,type2,arg2,type3,arg3) \ type name(type1 arg1,type2 arg2,type3 arg3) \ {\ return syscall(__NR_##name, arg1, arg2, arg3);\ } #endif static inline _syscall3(int, rsbac, rsbac_version_t, version, enum rsbac_syscall_t, call, union rsbac_syscall_arg_t *, arg_p); #define sys_rsbac(a,b,c) rsbac(a,b,c) #endif rsbac-admin-1.4.0/main/headers/rsbac/gen_lists.h0000644000175000017500000001605611131371037021340 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2007: Amon Ott */ /* Generic lists - internal structures */ /* Last modified: 13/Feb/2007 */ /*************************************************** */ #ifndef __RSBAC_GEN_LISTS_H #define __RSBAC_GEN_LISTS_H #include #include #include #include /* Maximum number of items per single list, the real limit is at * RSBAC_LIST_MAX_NR_ITEMS * nr_hashes. * Limit can be disabled per list with RSBAC_LIST_NO_MAX flag. 
*/ #define RSBAC_LIST_MAX_NR_ITEMS 50000 #define RSBAC_LIST_MAX_NR_SUBITEMS 50000 #define RSBAC_LIST_MAX_NR_ITEMS_LIMIT 1000000 #define RSBAC_LIST_DISK_VERSION 10003 #define RSBAC_LIST_DISK_OLD_VERSION 10002 #define RSBAC_LIST_NONAME "(no name)" #define RSBAC_LIST_PROC_NAME "gen_lists" #define RSBAC_LIST_COUNTS_PROC_NAME "gen_lists_counts" #define RSBAC_LIST_TA_KEY 0xface99 #define RSBAC_LIST_MAX_OLD_HASH 32 #define RSBAC_LIST_LOL_MAX_OLD_HASH 16 /* If number of items per hashed list is bigger than this and flag RSBAC_LIST_AUTO_HASH_RESIZE is set, rehash */ #define RSBAC_LIST_AUTO_REHASH_TRIGGER 50 /* Rehashing interval in s - rehashing is triggered by rsbacd, so might happen * less frequently, if rsbacd wakes up later. */ #define RSBAC_LIST_REHASH_INTERVAL 60 /* Check lists every n seconds. Also called from rsbacd, so might take longer. */ //#define RSBAC_LIST_CHECK_INTERVAL 1800 /* Prototypes */ /* Init */ #ifdef CONFIG_RSBAC_INIT_DELAY int rsbac_list_init(void); #else int __init rsbac_list_init(void); #endif /* mount / umount */ int rsbac_list_mount(kdev_t kdev); int rsbac_list_umount(kdev_t kdev); /* Status checking */ int rsbac_check_lists(int correct); #if defined(CONFIG_RSBAC_AUTO_WRITE) int rsbac_write_lists(rsbac_boolean_t need_lock); #endif /* Data Structures */ /* All items will be organized in double linked lists * However, we do not know the descriptor or item sizes, so we will access them with offsets later and only define the list links here. 
*/ struct rsbac_list_item_t { struct rsbac_list_item_t *prev; struct rsbac_list_item_t *next; rsbac_time_t max_age; }; /* lists of lists ds */ struct rsbac_list_lol_item_t { struct rsbac_list_lol_item_t *prev; struct rsbac_list_lol_item_t *next; struct rsbac_list_item_t *head; struct rsbac_list_item_t *tail; struct rsbac_list_item_t *curr; u_long count; rsbac_time_t max_age; }; typedef __u32 rsbac_list_count_t; struct rsbac_list_hashed_t { struct rsbac_list_item_t *head; struct rsbac_list_item_t *tail; struct rsbac_list_item_t *curr; rsbac_list_count_t count; #ifdef CONFIG_RSBAC_LIST_TRANS rsbac_ta_number_t ta_copied; struct rsbac_list_item_t *ta_head; struct rsbac_list_item_t *ta_tail; struct rsbac_list_item_t *ta_curr; rsbac_list_count_t ta_count; #endif }; struct rsbac_list_lol_hashed_t { struct rsbac_list_lol_item_t *head; struct rsbac_list_lol_item_t *tail; struct rsbac_list_lol_item_t *curr; rsbac_list_count_t count; #ifdef CONFIG_RSBAC_LIST_TRANS rsbac_ta_number_t ta_copied; struct rsbac_list_lol_item_t *ta_head; struct rsbac_list_lol_item_t *ta_tail; struct rsbac_list_lol_item_t *ta_curr; rsbac_list_count_t ta_count; #endif }; /* Since all registrations will be organized in double linked lists, we must * have list items and a list head. * The pointer to this item will also be used as list handle. 
*/ struct rsbac_list_reg_item_t { struct rsbac_list_info_t info; u_int flags; rsbac_list_compare_function_t *compare; rsbac_list_get_conv_t *get_conv; void *def_data; char name[RSBAC_LIST_MAX_FILENAME + 1]; kdev_t device; rwlock_t lock; rsbac_boolean_t dirty; rsbac_boolean_t no_write; struct rsbac_nanotime_t lastchange; u_int nr_hashes; u_int max_items_per_hash; rsbac_list_hash_function_t * hash_function; char old_name_base[RSBAC_LIST_MAX_FILENAME + 1]; #if defined(CONFIG_RSBAC_PROC) && defined(CONFIG_PROC_FS) struct proc_dir_entry *proc_entry_p; #endif struct rsbac_list_reg_item_t *prev; struct rsbac_list_reg_item_t *next; struct rsbac_list_reg_item_t *self; /* The hashed list heads are allocated dynamically! */ struct rsbac_list_hashed_t * hashed; }; struct rsbac_list_lol_reg_item_t { struct rsbac_list_lol_info_t info; u_int flags; rsbac_list_compare_function_t *compare; rsbac_list_compare_function_t *subcompare; rsbac_list_get_conv_t *get_conv; rsbac_list_get_conv_t *get_subconv; void *def_data; void *def_subdata; char name[RSBAC_LIST_MAX_FILENAME + 1]; kdev_t device; rwlock_t lock; rsbac_boolean_t dirty; rsbac_boolean_t no_write; struct rsbac_nanotime_t lastchange; u_int nr_hashes; u_int max_items_per_hash; u_int max_subitems; rsbac_list_hash_function_t * hash_function; char old_name_base[RSBAC_LIST_MAX_FILENAME + 1]; #if defined(CONFIG_RSBAC_PROC) && defined(CONFIG_PROC_FS) struct proc_dir_entry *proc_entry_p; #endif struct rsbac_list_lol_reg_item_t *prev; struct rsbac_list_lol_reg_item_t *next; struct rsbac_list_lol_reg_item_t *self; /* The hashed list heads are allocated dynamically! */ struct rsbac_list_lol_hashed_t * hashed; }; /* To provide consistency we use spinlocks for all list accesses. The 'curr' entry is used to avoid repeated lookups for the same item. 
*/ struct rsbac_list_reg_head_t { struct rsbac_list_reg_item_t *head; struct rsbac_list_reg_item_t *tail; struct rsbac_list_reg_item_t *curr; rwlock_t lock; u_int count; }; struct rsbac_list_lol_reg_head_t { struct rsbac_list_lol_reg_item_t *head; struct rsbac_list_lol_reg_item_t *tail; struct rsbac_list_lol_reg_item_t *curr; rwlock_t lock; u_int count; }; /* Internal helper list of filled write buffers */ struct rsbac_list_buffer_t { struct rsbac_list_buffer_t * next; u_int len; char data[0]; }; #define RSBAC_LIST_BUFFER_SIZE 8192 #define RSBAC_LIST_BUFFER_DATA_SIZE (RSBAC_LIST_BUFFER_SIZE - sizeof(struct rsbac_list_buffer_t)) struct rsbac_list_write_item_t { struct rsbac_list_write_item_t *prev; struct rsbac_list_write_item_t *next; struct rsbac_list_reg_item_t *list; struct rsbac_list_buffer_t *buffer; char name[RSBAC_LIST_MAX_FILENAME + 1]; kdev_t device; }; struct rsbac_list_write_head_t { struct rsbac_list_write_item_t *head; struct rsbac_list_write_item_t *tail; u_int count; }; struct rsbac_list_lol_write_item_t { struct rsbac_list_lol_write_item_t *prev; struct rsbac_list_lol_write_item_t *next; struct rsbac_list_lol_reg_item_t *list; struct rsbac_list_buffer_t *buffer; char name[RSBAC_LIST_MAX_FILENAME + 1]; kdev_t device; }; struct rsbac_list_lol_write_head_t { struct rsbac_list_lol_write_item_t *head; struct rsbac_list_lol_write_item_t *tail; u_int count; }; /* Data structs for the file timeout bookkeeping list ("filelist") */ struct rsbac_list_filelist_desc_t { char filename[RSBAC_LIST_MAX_FILENAME + 1]; }; struct rsbac_list_filelist_data_t { rsbac_time_t timestamp; rsbac_time_t max_age; }; /* Per-transaction record. NOTE(review): the transaction password is held in cleartext in this record; confirm it never reaches the write buffers above or the on-disk list files. */ struct rsbac_list_ta_data_t { rsbac_time_t start; rsbac_time_t timeout; rsbac_uid_t commit_uid; char password[RSBAC_LIST_TA_MAX_PASSLEN]; }; #endif rsbac-admin-1.4.0/main/headers/rsbac/acl_getname.h0000644000175000017500000000232111131371037021576 0ustar gauvaingauvain/********************************* */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2001: */ 
/* Amon Ott */ /* Getname functions for ACL parts */ /* Last modified: 02/Aug/2001 */ /********************************* */ #ifndef __RSBAC_ACL_GETNAME_H #define __RSBAC_ACL_GETNAME_H #include char * get_acl_subject_type_name(char * name, enum rsbac_acl_subject_type_t value); #ifndef __KERNEL__ enum rsbac_acl_subject_type_t get_acl_subject_type_nr(const char * name); #endif char * get_acl_group_syscall_name(char * name, enum rsbac_acl_group_syscall_type_t value); #ifndef __KERNEL__ enum rsbac_acl_group_syscall_type_t get_acl_group_syscall_nr(const char * name); #endif char * get_acl_special_right_name(char * name, enum rsbac_acl_special_rights_t value); #ifndef __KERNEL__ enum rsbac_acl_special_rights_t get_acl_special_right_nr(const char * name); #endif char * get_acl_scd_type_name(char * name, enum rsbac_acl_scd_type_t value); #ifndef __KERNEL__ enum rsbac_acl_scd_type_t get_acl_scd_type_nr(const char * name); #endif #endif rsbac-admin-1.4.0/main/headers/rsbac/error.h0000644000175000017500000000360711131371037020500 0ustar gauvaingauvain/************************************* */ /* Rule Set Based Access Control */ /* Author and (c) 1999,2000: Amon Ott */ /* Helper functions for all parts */ /* Last modified: 29/Sep/2000 */ /************************************* */ #ifndef __RSBAC_ERROR_H #define __RSBAC_ERROR_H #ifdef __KERNEL__ #include #else #include #endif /* Error values */ #define RSBAC_EPERM 1001 #define RSBAC_EACCESS 1002 #define RSBAC_EREADFAILED 1003 #define RSBAC_EWRITEFAILED 1004 #define RSBAC_EINVALIDPOINTER 1005 #define RSBAC_ENOROOTDIR 1006 #define RSBAC_EPATHTOOLONG 1007 #define RSBAC_ENOROOTDEV 1008 #define RSBAC_ENOTFOUND 1009 #define RSBAC_ENOTINITIALIZED 1010 #define RSBAC_EREINIT 1011 #define RSBAC_ECOULDNOTADDDEVICE 1012 #define RSBAC_ECOULDNOTADDITEM 1013 #define RSBAC_ECOULDNOTCREATEPATH 1014 #define RSBAC_EINVALIDATTR 1015 #define RSBAC_EINVALIDDEV 1016 #define RSBAC_EINVALIDTARGET 1017 #define RSBAC_EINVALIDVALUE 1018 #define RSBAC_EEXISTS 
1019 #define RSBAC_EINTERNONLY 1020 #define RSBAC_EINVALIDREQUEST 1021 #define RSBAC_ENOTWRITABLE 1022 #define RSBAC_EMALWAREDETECTED 1023 #define RSBAC_ENOMEM 1024 #define RSBAC_EDECISIONMISMATCH 1025 #define RSBAC_EINVALIDVERSION 1026 #define RSBAC_EINVALIDMODULE 1027 #define RSBAC_EEXPIRED 1028 #define RSBAC_EMUSTCHANGE 1029 #define RSBAC_EBUSY 1030 #define RSBAC_EINVALIDTRANSACTION 1031 #define RSBAC_EWEAKPASSWORD 1032 #define RSBAC_EINVALIDLIST 1033 #define RSBAC_EMAX 1033 /* True only for RSBAC's own negative error codes (-RSBAC_EMAX..-RSBAC_EPERM); RSBAC_EMAX must be kept equal to the highest code above when a new one is added. NOTE(review): res is not parenthesised in the expansion, so pass a plain variable rather than an expression. */ #define RSBAC_ERROR( res ) ((res <= -RSBAC_EPERM) && (res >= -RSBAC_EMAX)) #ifndef __KERNEL__ /* exit on error */ void error_exit(int error); /* show error */ void show_error(int error); #endif #endif rsbac-admin-1.4.0/main/headers/rsbac/pm_getname.h0000644000175000017500000000421611131371037021460 0ustar gauvaingauvain/******************************** */ /* Rule Set Based Access Control */ /* Author and (c) 1999: Amon Ott */ /* Getname functions for PM parts */ /* Last modified: 08/Feb/99 */ /******************************** */ #ifndef __RSBAC_PM_GETNAME_H #define __RSBAC_PM_GETNAME_H #include #ifndef NULL #define NULL ((void *) 0) #endif #include #include char * get_pm_list_name(char *, enum rsbac_pm_list_t); enum rsbac_pm_list_t get_pm_list_nr(const char *); char * get_pm_all_list_name(char *, enum rsbac_pm_all_list_t); enum rsbac_pm_all_list_t get_pm_all_list_nr(const char *); char * get_pm_role_name(char *, enum rsbac_pm_role_t); enum rsbac_pm_role_t get_pm_role_nr(const char *); char * get_pm_process_type_name(char *, enum rsbac_pm_process_type_t); enum rsbac_pm_process_type_t get_pm_process_type_nr(const char *); char * get_pm_object_type_name(char *, enum rsbac_pm_object_type_t); enum rsbac_pm_object_type_t get_pm_object_type_nr(const char *); #ifdef __KERNEL__ char * get_pm_set_name(char *, enum rsbac_pm_set_t); enum rsbac_pm_set_t get_pm_set_nr(const char *); char * get_pm_target_name(char *, enum rsbac_pm_target_t); enum rsbac_pm_target_t get_pm_target_nr(const char *); char * 
get_pm_data_name(char *, enum rsbac_pm_data_t); enum rsbac_pm_data_t get_pm_data_nr(const char *); #endif char * get_pm_function_type_name(char *, enum rsbac_pm_function_type_t); enum rsbac_pm_function_type_t get_pm_function_type_nr(const char *); #ifndef __KERNEL__ char * get_pm_function_param(char *, enum rsbac_pm_function_type_t); char * get_pm_tkt_function_param(char *, enum rsbac_pm_tkt_function_type_t); #endif char * get_pm_tkt_function_type_name(char *, enum rsbac_pm_tkt_function_type_t); enum rsbac_pm_tkt_function_type_t get_pm_tkt_function_type_nr(const char *); #endif rsbac-admin-1.4.0/main/headers/rsbac/pm_ticket.h0000644000175000017500000003503711131371037021330 0ustar gauvaingauvain/******************************* */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2005: */ /* Amon Ott */ /* API: Data types for privacy */ /* model calls / tickets */ /* Last modified: 09/Feb/2005 */ /******************************* */ #ifndef __RSBAC_PM_TICKET_H #define __RSBAC_PM_TICKET_H #include enum rsbac_pm_tkt_function_type_t {/* issued by data_prot_officer */ PTF_add_na, PTF_delete_na, PTF_add_task, PTF_delete_task, PTF_add_object_class, PTF_delete_object_class, PTF_add_authorized_tp, PTF_delete_authorized_tp, PTF_add_consent, PTF_delete_consent, PTF_add_purpose, PTF_delete_purpose, PTF_add_responsible_user, PTF_delete_responsible_user, PTF_delete_user_aci, PTF_set_role, PTF_set_object_class, PTF_switch_pm, PTF_switch_auth, PTF_set_device_object_type, PTF_set_auth_may_setuid, PTF_set_auth_may_set_cap, /* issued by user also */ PTF_add_authorized_task, PTF_delete_authorized_task, /* never issued, internal */ PTF_none}; struct rsbac_pm_add_na_t { rsbac_pm_task_id_t task; rsbac_pm_object_class_id_t object_class; rsbac_pm_tp_id_t tp; rsbac_pm_accesses_t accesses; }; struct rsbac_pm_delete_na_t { rsbac_pm_task_id_t task; rsbac_pm_object_class_id_t object_class; rsbac_pm_tp_id_t tp; rsbac_pm_accesses_t accesses; }; struct rsbac_pm_add_task_t { 
rsbac_pm_task_id_t id; rsbac_pm_purpose_id_t purpose; }; struct rsbac_pm_delete_task_t { rsbac_pm_task_id_t id; }; #ifdef __KERNEL__ struct rsbac_pm_tkt_add_object_class_t { rsbac_pm_object_class_id_t id; rsbac_pm_pp_set_id_t pp_set; }; #endif struct rsbac_pm_add_object_class_t { rsbac_pm_object_class_id_t id; struct rsbac_pm_purpose_list_item_t * pp_list_p; }; struct rsbac_pm_delete_object_class_t { rsbac_pm_object_class_id_t id; }; struct rsbac_pm_add_authorized_tp_t { rsbac_pm_task_id_t task; rsbac_pm_tp_id_t tp; }; struct rsbac_pm_delete_authorized_tp_t { rsbac_pm_task_id_t task; rsbac_pm_tp_id_t tp; }; #ifdef __KERNEL__ struct rsbac_pm_tkt_add_consent_t { struct rsbac_fs_file_t file; rsbac_pm_purpose_id_t purpose; }; #endif struct rsbac_pm_add_consent_t { char * filename; rsbac_pm_purpose_id_t purpose; }; #ifdef __KERNEL__ struct rsbac_pm_tkt_delete_consent_t { struct rsbac_fs_file_t file; rsbac_pm_purpose_id_t purpose; }; #endif struct rsbac_pm_delete_consent_t { char * filename; rsbac_pm_purpose_id_t purpose; }; struct rsbac_pm_add_purpose_t { rsbac_pm_purpose_id_t id; rsbac_pm_object_class_id_t def_class; }; struct rsbac_pm_delete_purpose_t { rsbac_pm_purpose_id_t id; }; struct rsbac_pm_add_responsible_user_t { rsbac_uid_t user; rsbac_pm_task_id_t task; }; struct rsbac_pm_delete_responsible_user_t { rsbac_uid_t user; rsbac_pm_task_id_t task; }; struct rsbac_pm_delete_user_aci_t { rsbac_uid_t id; }; struct rsbac_pm_set_role_t { rsbac_uid_t user; enum rsbac_pm_role_t role; }; #ifdef __KERNEL__ struct rsbac_pm_tkt_set_object_class_t { struct rsbac_fs_file_t file; rsbac_pm_object_class_id_t object_class; }; #endif struct rsbac_pm_set_object_class_t { char * filename; rsbac_pm_object_class_id_t object_class; }; struct rsbac_pm_switch_pm_t { rsbac_boolean_t value; }; struct rsbac_pm_switch_auth_t { rsbac_boolean_t value; }; #ifdef __KERNEL__ struct rsbac_pm_tkt_set_device_object_type_t { struct rsbac_dev_desc_t dev; enum rsbac_pm_object_type_t object_type; 
rsbac_pm_object_class_id_t object_class; }; #endif struct rsbac_pm_set_device_object_type_t { char * filename; enum rsbac_pm_object_type_t object_type; rsbac_pm_object_class_id_t object_class; }; #ifdef __KERNEL__ struct rsbac_pm_tkt_set_auth_may_setuid_t { struct rsbac_fs_file_t file; rsbac_boolean_t value; }; #endif struct rsbac_pm_set_auth_may_setuid_t { char * filename; rsbac_boolean_t value; }; #ifdef __KERNEL__ struct rsbac_pm_tkt_set_auth_may_set_cap_t { struct rsbac_fs_file_t file; rsbac_boolean_t value; }; #endif struct rsbac_pm_set_auth_may_set_cap_t { char * filename; rsbac_boolean_t value; }; /***************/ struct rsbac_pm_add_authorized_task_t { rsbac_uid_t user; rsbac_pm_task_id_t task; }; struct rsbac_pm_delete_authorized_task_t { rsbac_uid_t user; rsbac_pm_task_id_t task; }; /***************/ struct rsbac_pm_create_tp_t { rsbac_pm_tp_id_t id; }; struct rsbac_pm_delete_tp_t { rsbac_pm_tp_id_t id; }; struct rsbac_pm_set_tp_t { char * filename; rsbac_pm_tp_id_t tp; }; /***************/ #ifdef __KERNEL__ union rsbac_pm_tkt_internal_function_param_t { struct rsbac_pm_add_na_t add_na; struct rsbac_pm_delete_na_t delete_na; struct rsbac_pm_add_task_t add_task; struct rsbac_pm_delete_task_t delete_task; struct rsbac_pm_tkt_add_object_class_t tkt_add_object_class; struct rsbac_pm_delete_object_class_t delete_object_class; struct rsbac_pm_add_authorized_tp_t add_authorized_tp; struct rsbac_pm_delete_authorized_tp_t delete_authorized_tp; struct rsbac_pm_tkt_add_consent_t tkt_add_consent; struct rsbac_pm_tkt_delete_consent_t tkt_delete_consent; struct rsbac_pm_add_purpose_t add_purpose; struct rsbac_pm_delete_purpose_t delete_purpose; struct rsbac_pm_add_responsible_user_t add_responsible_user; struct rsbac_pm_delete_responsible_user_t delete_responsible_user; struct rsbac_pm_delete_user_aci_t delete_user_aci; struct rsbac_pm_set_role_t set_role; struct rsbac_pm_tkt_set_object_class_t tkt_set_object_class; struct rsbac_pm_switch_pm_t switch_pm; struct 
rsbac_pm_switch_pm_t switch_auth; struct rsbac_pm_tkt_set_device_object_type_t tkt_set_device_object_type; struct rsbac_pm_tkt_set_auth_may_setuid_t tkt_set_auth_may_setuid; struct rsbac_pm_tkt_set_auth_may_set_cap_t tkt_set_auth_may_set_cap; struct rsbac_pm_add_authorized_task_t add_authorized_task; struct rsbac_pm_delete_authorized_task_t delete_authorized_task; int dummy; }; #endif union rsbac_pm_tkt_function_param_t { struct rsbac_pm_add_na_t add_na; struct rsbac_pm_delete_na_t delete_na; struct rsbac_pm_add_task_t add_task; struct rsbac_pm_delete_task_t delete_task; struct rsbac_pm_add_object_class_t add_object_class; struct rsbac_pm_delete_object_class_t delete_object_class; struct rsbac_pm_add_authorized_tp_t add_authorized_tp; struct rsbac_pm_delete_authorized_tp_t delete_authorized_tp; struct rsbac_pm_add_consent_t add_consent; struct rsbac_pm_delete_consent_t delete_consent; struct rsbac_pm_add_purpose_t add_purpose; struct rsbac_pm_delete_purpose_t delete_purpose; struct rsbac_pm_add_responsible_user_t add_responsible_user; struct rsbac_pm_delete_responsible_user_t delete_responsible_user; struct rsbac_pm_delete_user_aci_t delete_user_aci; struct rsbac_pm_set_role_t set_role; struct rsbac_pm_set_object_class_t set_object_class; struct rsbac_pm_switch_pm_t switch_pm; struct rsbac_pm_switch_pm_t switch_auth; struct rsbac_pm_set_device_object_type_t set_device_object_type; struct rsbac_pm_set_auth_may_setuid_t set_auth_may_setuid; struct rsbac_pm_set_auth_may_set_cap_t set_auth_may_set_cap; struct rsbac_pm_add_authorized_task_t add_authorized_task; struct rsbac_pm_delete_authorized_task_t delete_authorized_task; int dummy; }; /***********************/ enum rsbac_pm_function_type_t {/* tkt issued by data_prot_officer, */ /* called by security_officer */ PF_add_na, PF_delete_na, PF_add_task, PF_delete_task, PF_add_object_class, PF_delete_object_class, PF_add_authorized_tp, PF_delete_authorized_tp, PF_add_consent, PF_delete_consent, PF_add_purpose, 
PF_delete_purpose, PF_add_responsible_user, PF_delete_responsible_user, PF_delete_user_aci, PF_set_role, PF_set_object_class, PF_switch_pm, PF_switch_auth, PF_set_device_object_type, PF_set_auth_may_setuid, PF_set_auth_may_set_cap, /* tkt issued by data_prot_officer and */ /* resp. user, called by security_officer */ PF_add_authorized_task, PF_delete_authorized_task, /* called by tp_manager, no ticket */ PF_create_tp, PF_delete_tp, PF_set_tp, /* called by data_prot_officer and */ /* responsible user */ PF_create_ticket, /* never to be called, internal */ PF_none}; struct rsbac_pm_create_ticket_t { rsbac_pm_tkt_id_t id; rsbac_pm_time_stamp_t valid_for; /* validity in secs */ enum rsbac_pm_tkt_function_type_t function_type; union rsbac_pm_tkt_function_param_t function_param; }; union rsbac_pm_function_param_t { struct rsbac_pm_add_na_t add_na; struct rsbac_pm_delete_na_t delete_na; struct rsbac_pm_add_task_t add_task; struct rsbac_pm_delete_task_t delete_task; struct rsbac_pm_add_object_class_t add_object_class; struct rsbac_pm_delete_object_class_t delete_object_class; struct rsbac_pm_add_authorized_tp_t add_authorized_tp; struct rsbac_pm_delete_authorized_tp_t delete_authorized_tp; struct rsbac_pm_add_consent_t add_consent; struct rsbac_pm_delete_consent_t delete_consent; struct rsbac_pm_add_purpose_t add_purpose; struct rsbac_pm_delete_purpose_t delete_purpose; struct rsbac_pm_add_responsible_user_t add_responsible_user; struct rsbac_pm_delete_responsible_user_t delete_responsible_user; struct rsbac_pm_delete_user_aci_t delete_user_aci; struct rsbac_pm_set_role_t set_role; struct rsbac_pm_set_object_class_t set_object_class; struct rsbac_pm_switch_pm_t switch_pm; struct rsbac_pm_switch_pm_t switch_auth; struct rsbac_pm_set_device_object_type_t set_device_object_type; struct rsbac_pm_set_auth_may_setuid_t set_auth_may_setuid; struct rsbac_pm_set_auth_may_set_cap_t set_auth_may_set_cap; struct rsbac_pm_add_authorized_task_t add_authorized_task; struct 
rsbac_pm_delete_authorized_task_t delete_authorized_task; struct rsbac_pm_create_tp_t create_tp; struct rsbac_pm_delete_tp_t delete_tp; struct rsbac_pm_set_tp_t set_tp; struct rsbac_pm_create_ticket_t create_ticket; int dummy; }; /*******************/ #ifdef __KERNEL__ struct rsbac_pm_tkt_data_t { rsbac_pm_tkt_id_t id; rsbac_uid_t issuer; enum rsbac_pm_tkt_function_type_t function_type; union rsbac_pm_tkt_internal_function_param_t function_param; rsbac_pm_time_stamp_t valid_until; }; #endif #endif rsbac-admin-1.4.0/main/headers/rsbac/network_types.h0000644000175000017500000000704711131371037022266 0ustar gauvaingauvain/************************************* */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2005: */ /* Amon Ott */ /* Network access control data structs */ /* Last modified: 21/Dec/2005 */ /************************************* */ #ifndef __RSBAC_NETWORK_TYPES_H #define __RSBAC_NETWORK_TYPES_H #define RSBAC_NET_ANY 0 #define RSBAC_NET_UNKNOWN 0 #define RSBAC_NET_TEMP_VERSION 2 #define RSBAC_NET_TEMP_OLD_VERSION 1 #define RSBAC_NET_TEMP_KEY 0x815affe #define RSBAC_NET_TEMP_NAME "nettemp" typedef __u32 rsbac_net_temp_id_t; #define RSBAC_NET_MAX_ADDRESS_LEN 128 #define RSBAC_NET_TEMP_NAMELEN 16 #define RSBAC_NET_MAX_PORT 65535 #define RSBAC_NET_NR_INET_ADDR 25 #define RSBAC_NET_NR_PORTS 10 struct rsbac_net_temp_port_range_t { __u16 min; __u16 max; }; struct rsbac_net_temp_inet_addr_t { __u32 addr[RSBAC_NET_NR_INET_ADDR]; __u8 valid_bits[RSBAC_NET_NR_INET_ADDR]; __u8 nr_addr; }; struct rsbac_net_temp_other_addr_t { char addr[RSBAC_NET_MAX_ADDRESS_LEN]; __u8 valid_len; }; struct rsbac_net_temp_ports_t { struct rsbac_net_temp_port_range_t ports[RSBAC_NET_NR_PORTS]; __u8 nr_ports; }; union rsbac_net_temp_addr_t { struct rsbac_net_temp_inet_addr_t inet; struct rsbac_net_temp_other_addr_t other; }; struct rsbac_net_temp_data_t { /* must be first for alignment */ union rsbac_net_temp_addr_t address; __u8 address_family; __u8 type; __u8 protocol; 
rsbac_netdev_id_t netdev; struct rsbac_net_temp_ports_t ports; /* for those address families that support them */ char name[RSBAC_NET_TEMP_NAMELEN]; }; struct rsbac_net_temp_old_data_t { /* must be first for alignment */ char address[RSBAC_NET_MAX_ADDRESS_LEN]; __u8 address_family; __u8 valid_len; /* Bytes for AF_UNIX, Bits for all others */ __u8 type; __u8 protocol; rsbac_netdev_id_t netdev; __u16 min_port; /* for those address families that support them */ __u16 max_port; char name[RSBAC_NET_TEMP_NAMELEN]; }; #define RSBAC_NET_TEMP_LNET_ID 100101 #define RSBAC_NET_TEMP_LNET_ADDRESS "127.0.0.0" #define RSBAC_NET_TEMP_LAN_ID 100102 #define RSBAC_NET_TEMP_LAN_ADDRESS "192.168.0.0" #define RSBAC_NET_TEMP_AUTO_ID 100105 #define RSBAC_NET_TEMP_AUTO_ADDRESS "0.0.0.0" #define RSBAC_NET_TEMP_INET_ID 100110 #define RSBAC_NET_TEMP_ALL_ID ((rsbac_net_temp_id_t) -1) /* default templates moved into aci_data_structures.c */ struct rsbac_net_description_t { __u8 address_family; void *address; __u8 address_len; __u8 type; __u8 protocol; rsbac_netdev_id_t netdev; __u16 port; }; enum rsbac_net_temp_syscall_t { NTS_new_template, NTS_copy_template, NTS_delete_template, NTS_check_id, NTS_get_address, NTS_get_address_family, NTS_get_type, NTS_get_protocol, NTS_get_netdev, NTS_get_ports, NTS_get_name, NTS_set_address, NTS_set_address_family, NTS_set_type, NTS_set_protocol, NTS_set_netdev, NTS_set_ports, NTS_set_name, NTS_none }; union rsbac_net_temp_syscall_data_t { rsbac_net_temp_id_t id; union rsbac_net_temp_addr_t address; __u8 address_family; __u8 type; __u8 protocol; rsbac_netdev_id_t netdev; struct rsbac_net_temp_ports_t ports; /* for those address families that support them */ char name[RSBAC_NET_TEMP_NAMELEN]; }; /* * Display an IP address in readable format. 
*/ #ifndef NIPQUAD #define NIPQUAD(addr) \ ((unsigned char *)&addr)[0], \ ((unsigned char *)&addr)[1], \ ((unsigned char *)&addr)[2], \ ((unsigned char *)&addr)[3] #define HIPQUAD(addr) \ ((unsigned char *)&addr)[3], \ ((unsigned char *)&addr)[2], \ ((unsigned char *)&addr)[1], \ ((unsigned char *)&addr)[0] #endif #endif rsbac-admin-1.4.0/main/headers/rsbac/helpers.h0000644000175000017500000001070511131371037021006 0ustar gauvaingauvain/************************************* */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2007: Amon Ott */ /* Helper functions for all parts */ /* Last modified: 26/Sep/2007 */ /************************************* */ #ifndef __RSBAC_HELPER_H #define __RSBAC_HELPER_H #include #include #ifdef __KERNEL__ #include #endif char * inttostr(char[], int); char * ulongtostr(char[], u_long); /* convert u_long_long to binary string representation for MAC module */ char * u64tostrmac(char[], __u64); char * u32tostrcap(char * str, __u32 i); __u32 strtou32cap(char * str, __u32 * i_p); #ifndef __KERNEL__ void locale_init(void); int rsbac_lib_version(void); int rsbac_u32_compare(__u32 * a, __u32 * b); int rsbac_u32_void_compare(const void *a, const void *b); int rsbac_user_compare(const void * a, const void * b); int rsbac_group_compare(const void * a, const void * b); int rsbac_nettemp_id_compare(const void * a, const void * b); int rsbac_dev_compare(const void * desc1, const void * desc2); char * get_user_name(rsbac_list_ta_number_t ta_number, rsbac_uid_t user, char * name); char * get_group_name(rsbac_list_ta_number_t ta_number, rsbac_gid_t group, char * name); int rsbac_get_vset_num(char * sourcename, rsbac_um_set_t * vset_p); int rsbac_get_uid_name(rsbac_list_ta_number_t ta_number, rsbac_uid_t * uid, char * name, char * sourcename); int rsbac_get_fullname(rsbac_list_ta_number_t ta_number, char * fullname, rsbac_uid_t uid); static inline int rsbac_get_uid(rsbac_list_ta_number_t ta_number, rsbac_uid_t * uid, char * sourcename) { 
return rsbac_get_uid_name(ta_number, uid, NULL, sourcename);
}

/* Group counterpart of rsbac_get_uid_name() (declared above).  The meaning
 * of name/sourcename and the return convention are not visible here. */
int rsbac_get_gid_name(rsbac_list_ta_number_t ta_number, rsbac_gid_t * gid, char * name, char * sourcename);

/* Convenience wrapper: rsbac_get_gid_name() with NULL for the name
 * out-parameter, mirroring rsbac_get_uid() above. */
static inline int rsbac_get_gid(rsbac_list_ta_number_t ta_number, rsbac_gid_t * gid, char * sourcename)
{
	return rsbac_get_gid_name(ta_number, gid, NULL, sourcename);
}

/* convert u_long_long to binary string representation for log array */
char * u64tostrlog(char[], __u64);
/* and back */
__u64 strtou64log(char[], __u64 *);

/* convert u_long_long to binary string representation for MAC module */
/* (the forward direction, u64tostrmac(), is declared above, outside the
 *  user-space-only section) */
/* and back */
__u64 strtou64mac(char[], __u64 *);

/* convert u_long_long to binary string representation for RC module */
char * u64tostrrc(char[], __u64);
/* and back */
__u64 strtou64rc(char[], __u64 *);

/* convert u_long_long to binary string representation for RC module / rights */
char * u64tostrrcr(char[], __u64);
/* and back */
__u64 strtou64rcr(char[], __u64 *);

/* ACL back */
__u64 strtou64acl(char[], __u64 *);

char * devdesctostr(char * str, struct rsbac_dev_desc_t dev);
int strtodevdesc(char * str, struct rsbac_dev_desc_t * dev_p);
#endif

/* convert u_long_long to binary string representation for ACL module */
char * u64tostracl(char[], __u64);

char * longtostr(char[], long);

#ifdef __KERNEL__
#include /* NOTE(review): include target lost in extraction (angle brackets stripped) -- restore before use */

/* Virtual user-management set of the current context.  Without
 * CONFIG_RSBAC_UM_VIRTUAL there is only one set, so the inline stub
 * always returns 0. */
#ifdef CONFIG_RSBAC_UM_VIRTUAL
rsbac_um_set_t rsbac_get_vset(void);
#else
static inline rsbac_um_set_t rsbac_get_vset(void)
{
	return 0;
}
#endif

int rsbac_get_owner(rsbac_uid_t * user_p);

/* Copy `size` bytes from the user-space buffer user_p into the kernel buffer
 * kern_p.  The result is that of copy_from_user(), which per the kernel
 * convention is the number of bytes NOT copied: 0 means success, non-zero
 * means a (partial) failure -- it is not a negative errno.  If either pointer
 * is NULL or size <= 0 the copy is skipped and 0 (success) is returned, so a
 * caller cannot distinguish "skipped" from "copied"; validate the arguments
 * before trusting kern_p's contents. */
static inline int rsbac_get_user(unsigned char * kern_p, unsigned char * user_p, int size)
{
	if(kern_p && user_p && (size > 0))
	{
		return copy_from_user(kern_p, user_p, size);
	}
	return 0;
}

/* Mirror of rsbac_get_user(): copy `size` bytes from kernel buffer kern_p to
 * user-space buffer user_p (note the reversed argument order in the
 * copy_to_user() call).  Same return convention and the same silent 0 for
 * NULL pointers or size <= 0. */
static inline int rsbac_put_user(unsigned char * kern_p, unsigned char * user_p, int size)
{
	if(kern_p && user_p && (size > 0))
	{
		return copy_to_user(user_p,kern_p,size);
	}
	return 0;
}

/* Thin wrapper over the kernel's getname(); the result must be released with
 * rsbac_putname().  NOTE(review): assumes getname() returns char *, which
 * matches the kernel generation this header targets -- confirm for newer
 * kernels. */
static inline char * rsbac_getname(const char * name)
{
	return getname(name);
}

/* Release a name obtained from rsbac_getname(). */
static inline void rsbac_putname(const char * name)
{
putname(name);
}

/* Zero `len` bytes of the user-space buffer ubuf via clear_user().  Unlike
 * rsbac_get_user()/rsbac_put_user() above there is no NULL/len guard here:
 * both arguments go straight to clear_user(), whose return value (bytes not
 * cleared per the kernel convention; 0 on success) is passed back unchanged. */
static inline int clear_user_buf(char * ubuf, int len)
{
	return clear_user(ubuf,len);
}

/* Error-reporting helpers, presumably logging a failed attribute
 * lookup/update on behalf of the named calling function (the *_num
 * variants additionally take the error code).  Implementations are not
 * visible here. */
void rsbac_get_attr_error(char * , enum rsbac_adf_request_t);
void rsbac_ds_get_error(const char * function, enum rsbac_attribute_t attr);
void rsbac_ds_get_error_num(const char * function, enum rsbac_attribute_t attr, int err);
void rsbac_ds_set_error(const char * function, enum rsbac_attribute_t attr);
void rsbac_ds_set_error_num(const char * function, enum rsbac_attribute_t attr, int err);

#ifdef CONFIG_RSBAC_RC
void rsbac_rc_ds_get_error(const char * function, enum rsbac_rc_item_t item);
void rsbac_rc_ds_set_error(const char * function, enum rsbac_rc_item_t item);
#endif

#endif /* KERNEL */

#endif
rsbac-admin-1.4.0/main/headers/rsbac/cap_getname.h0000644000175000017500000000060011131371037021600 0ustar gauvaingauvain
/********************************** */
/* Rule Set Based Access Control */
/* Author and (c) 1999-2005: */
/* Amon Ott */
/* Getname functions for CAP module */
/* Last modified: 28/Jan/2005 */
/********************************** */

#ifndef __RSBAC_CAP_GETNAME_H
#define __RSBAC_CAP_GETNAME_H

/* Report a capability that was requested but not granted; `cap` is the
 * capability number.  What "log" means here (rsbac_printk, syslog, ...)
 * is not visible in this header. */
void rsbac_cap_log_missing_cap(int cap);

#endif
rsbac-admin-1.4.0/main/headers/rsbac/net_getname.h0000644000175000017500000000253311131371037021632 0ustar gauvaingauvain
/********************************** */
/* Rule Set Based Access Control */
/* Author and (c) 1999-2003: */
/* Amon Ott */
/* Getname functions for NET module */
/* Last modified: 22/Dec/2003 */
/********************************** */

#ifndef __RSBAC_NET_GETNAME_H
#define __RSBAC_NET_GETNAME_H

#include /* NOTE(review): include target lost in extraction (angle brackets stripped) -- restore before use */

/* Upper bounds on the protocol / socket-type numbers the name tables cover. */
#define RSBAC_NET_PROTO_MAX 256
#define RSBAC_NET_TYPE_MAX 11

#ifdef __KERNEL__
/* Parse a dotted IPv4 string into *addr.  Return convention and handling of
 * malformed input are not visible here -- check the implementation before
 * using the result for an access decision. */
extern int rsbac_net_str_to_inet(char * str, __u32 * addr);
#else
/* User-space fallback when the system headers do not define AF_MAX. */
#ifndef AF_MAX
#define AF_MAX 32
#endif
#endif

/* Number -> name lookups: fill the caller-supplied buffer `name` for the
 * given value and return a char * (buffer sizing not visible here). */
extern char * rsbac_get_net_temp_syscall_name(char * name, enum rsbac_net_temp_syscall_t value);
extern char * rsbac_get_net_family_name(char * name, u_int value);
extern char *
rsbac_get_net_protocol_name(char * name, u_int value); extern char * rsbac_get_netlink_protocol_name(char * name, u_int value); extern char * rsbac_get_net_type_name(char * name, u_int value); #ifndef __KERNEL__ enum rsbac_net_temp_syscall_t rsbac_get_net_temp_syscall_nr(const char * name); int rsbac_get_net_family_nr(const char * name); int rsbac_get_net_protocol_nr(const char * name); int rsbac_get_net_type_nr(const char * name); #endif #endif rsbac-admin-1.4.0/main/headers/rsbac/um.h0000644000175000017500000001052011131371037017760 0ustar gauvaingauvain/************************************ */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2007: */ /* Amon Ott */ /* API: Data structures */ /* and functions for User Management */ /* Last modified: 20/Sep/2007 */ /************************************ */ #ifndef __RSBAC_UM_H #define __RSBAC_UM_H #include #include #include /***************************************************/ /* General Prototypes */ /***************************************************/ /* All functions return 0, if no error occurred, and a negative error code */ /* otherwise. The error codes are defined in rsbac_error.h. */ /****************************************************************************/ /* Initialization, including ACI restoration for all mounted devices from */ /* disk. After this call, all ACI is kept in memory for performance reasons,*/ /* but user and file/dir object ACI are written to disk on every change. */ #ifdef CONFIG_RSBAC_INIT_DELAY extern int rsbac_init_um(void); #else extern int rsbac_init_um(void) __init; #endif /* Some information about the current status is also available */ extern int rsbac_stats_um(void); /************************************************* */ /* Access functions */ /************************************************* */ /* Trying to access a never created or removed user entry returns an error! 
*/ /* rsbac_um_add_user (fills *user_p with new uid) */ int rsbac_um_add_user( rsbac_list_ta_number_t ta_number, rsbac_uid_t * user_p, struct rsbac_um_user_entry_t * entry_p, char * pass, rsbac_time_t ttl); int rsbac_um_add_group( rsbac_list_ta_number_t ta_number, rsbac_gid_t * group_p, struct rsbac_um_group_entry_t * entry_p, char * pass, rsbac_time_t ttl); int rsbac_um_add_gm( rsbac_list_ta_number_t ta_number, rsbac_uid_t user, rsbac_gid_num_t group, rsbac_time_t ttl); int rsbac_um_mod_user( rsbac_list_ta_number_t ta_number, rsbac_uid_t user, enum rsbac_um_mod_t mod, union rsbac_um_mod_data_t * data_p); int rsbac_um_mod_group( rsbac_list_ta_number_t ta_number, rsbac_uid_t group, enum rsbac_um_mod_t mod, union rsbac_um_mod_data_t * data_p); int rsbac_um_get_user_item( rsbac_list_ta_number_t ta_number, rsbac_uid_t user, enum rsbac_um_mod_t mod, union rsbac_um_mod_data_t * data_p); int rsbac_um_get_group_item( rsbac_list_ta_number_t ta_number, rsbac_gid_t group, enum rsbac_um_mod_t mod, union rsbac_um_mod_data_t * data_p); int rsbac_um_user_exists( rsbac_list_ta_number_t ta_number, rsbac_uid_t user); int rsbac_um_group_exists( rsbac_list_ta_number_t ta_number, rsbac_gid_t group); int rsbac_um_remove_user( rsbac_list_ta_number_t ta_number, rsbac_uid_t user); int rsbac_um_remove_group( rsbac_list_ta_number_t ta_number, rsbac_gid_t group); int rsbac_um_remove_gm( rsbac_list_ta_number_t ta_number, rsbac_uid_t user, rsbac_gid_num_t group); int rsbac_um_get_next_user( rsbac_list_ta_number_t ta_number, rsbac_uid_t old_user, rsbac_uid_t * next_user_p); int rsbac_um_get_user_list( rsbac_list_ta_number_t ta_number, rsbac_um_set_t vset, rsbac_uid_t ** list_pp); int rsbac_um_get_gm_list( rsbac_list_ta_number_t ta_number, rsbac_uid_t user, rsbac_gid_num_t ** list_pp); int rsbac_um_get_gm_user_list( rsbac_list_ta_number_t ta_number, rsbac_gid_t group, rsbac_uid_num_t ** list_pp); int rsbac_um_get_group_list( rsbac_list_ta_number_t ta_number, rsbac_um_set_t vset, rsbac_gid_t ** 
list_pp); int rsbac_um_get_user_entry( rsbac_list_ta_number_t ta_number, rsbac_uid_t user, struct rsbac_um_user_entry_t * entry_p, rsbac_time_t * ttl_p); int rsbac_um_get_uid( rsbac_list_ta_number_t ta_number, char * name, rsbac_uid_t * uid_p); int rsbac_um_get_gid( rsbac_list_ta_number_t ta_number, char * name, rsbac_gid_t * gid_p); int rsbac_um_check_pass(rsbac_uid_t uid, char * pass); /* Check for good password (min length etc.) */ int rsbac_um_good_pass(rsbac_uid_t uid, char * pass); int rsbac_um_set_pass(rsbac_uid_t uid, char * pass); int rsbac_um_set_group_pass(rsbac_gid_t gid, char * pass); int rsbac_um_check_account(rsbac_uid_t user); #endif rsbac-admin-1.4.0/main/headers/rsbac/reg_main.h0000644000175000017500000000415611131371037021130 0ustar gauvaingauvain/************************************ */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2005: Amon Ott */ /* REG - Module Registration */ /* Internal declarations and types */ /* Last modified: 22/Jul/2005 */ /************************************ */ #ifndef __RSBAC_REG_MAIN_H #define __RSBAC_REG_MAIN_H #include #include #include #define RSBAC_REG_PROC_NAME "reg_entries" /***************************************************/ /* Types */ /***************************************************/ #ifdef __KERNEL__ /* Since all registrations will be organized in double linked lists, we must */ /* have list items and a list head. */ struct rsbac_reg_list_item_t { struct rsbac_reg_entry_t entry; struct rsbac_reg_list_item_t * prev; struct rsbac_reg_list_item_t * next; }; struct rsbac_reg_sc_list_item_t { struct rsbac_reg_syscall_entry_t entry; struct rsbac_reg_sc_list_item_t * prev; struct rsbac_reg_sc_list_item_t * next; }; /* To provide consistency we use spinlocks for all list accesses. The */ /* 'curr' entry is used to avoid repeated lookups for the same item. 
*/ struct rsbac_reg_list_head_t { struct rsbac_reg_list_item_t * head; struct rsbac_reg_list_item_t * tail; struct rsbac_reg_list_item_t * curr; spinlock_t lock; int readers; u_int count; }; struct rsbac_reg_sc_list_head_t { struct rsbac_reg_sc_list_item_t * head; struct rsbac_reg_sc_list_item_t * tail; struct rsbac_reg_sc_list_item_t * curr; spinlock_t lock; int readers; u_int count; }; #endif /* __KERNEL__ */ /***************************************************/ /* Prototypes */ /***************************************************/ #endif rsbac-admin-1.4.0/main/headers/rsbac/reg.h0000644000175000017500000001326411131371037020124 0ustar gauvaingauvain/************************************ */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2005: Amon Ott */ /* API: for REG */ /* Module Registration */ /* Last modified: 09/Feb/2005 */ /************************************ */ #ifndef __RSBAC_REG_H #define __RSBAC_REG_H #include #include #define RSBAC_REG_VERSION 1 /***************************************************/ /* Types */ /***************************************************/ #define RSBAC_REG_NAME_LEN 30 /* Decision function */ typedef \ int rsbac_reg_request_func_t ( enum rsbac_adf_request_t, rsbac_pid_t, enum rsbac_target_t, union rsbac_target_id_t, enum rsbac_attribute_t, union rsbac_attribute_value_t, rsbac_uid_t); /* process owner */ /* Attribute setting / notification function */ typedef \ int rsbac_reg_set_attr_func_t ( enum rsbac_adf_request_t, rsbac_pid_t, enum rsbac_target_t, union rsbac_target_id_t, enum rsbac_target_t, union rsbac_target_id_t, enum rsbac_attribute_t, union rsbac_attribute_value_t, rsbac_uid_t); /* process owner */ /* Whether module wants this file to be overwritten on delete / truncate */ typedef rsbac_boolean_t rsbac_reg_need_overwrite_func_t(struct dentry * dentry_p); /* * rsbac_reg_write_func_t * * Called by rsbac_write function to save all dirty lists, must return number * of files written or negative error. 
If auto_write is active, this function * will be called regularly and allows for asynchronous data writing to disk. * * If need_lock is TRUE, a lock_kernel() / unlock_kernel() pair must be used * around the write function. */ typedef int rsbac_reg_write_func_t(rsbac_boolean_t need_lock); /* Called on every mount, allows updating of fs based data */ typedef int rsbac_reg_mount_func_t(kdev_t kdev); /* Called on every umount, allows updating of fs based data */ typedef int rsbac_reg_umount_func_t(kdev_t kdev); /* Called on rsbac_reg syscalls for handle syscall_handle */ /* Generic Syscall interface - note: data is a user space pointer! */ typedef int rsbac_reg_syscall_func_t(void * data); /* Status and data structures integrity checking, called from sys_rsbac_check */ /* correct: if TRUE, errors are corrected, else just report */ /* check_inode: for inode number based data, check, if inode still exists */ typedef int rsbac_reg_check_func_t(int correct, int check_inode); /*********/ struct rsbac_reg_entry_t { rsbac_reg_handle_t handle; char name[RSBAC_REG_NAME_LEN+1]; rsbac_reg_request_func_t * request_func; rsbac_reg_set_attr_func_t * set_attr_func; rsbac_reg_need_overwrite_func_t * need_overwrite_func; rsbac_reg_write_func_t * write_func; rsbac_reg_mount_func_t * mount_func; rsbac_reg_umount_func_t * umount_func; rsbac_reg_check_func_t * check_func; rsbac_boolean_t switch_on; /* turned on initially? 
*/ }; struct rsbac_reg_syscall_entry_t { rsbac_reg_handle_t registration_handle; rsbac_reg_handle_t dispatcher_handle; char name[RSBAC_REG_NAME_LEN+1]; rsbac_reg_syscall_func_t * syscall_func; }; /***************************************************/ /* Prototypes */ /***************************************************/ /* See rsbac/types.h for types */ /* * Register an ADF decision module * Returns given positive handle or negative error code from rsbac/error.h * Errors: -RSBAC_EINVALIDVALUE (all functions are empty or handle is not positive) * -RSBAC_EEXISTS (handle exists - choose another one) * -RSBAC_ECOULDNOTADDITEM (no entry available) * -RSBAC_EINVALIDVERSION (wrong REG version) */ rsbac_reg_handle_t rsbac_reg_register( rsbac_version_t version, struct rsbac_reg_entry_t entry); /* * Switch module on or off - for 'normal' modules this is done by general * function. This is a dummy, if module switching is disabled. * Returns 0 on success or -EINVALIDTARGET, if handle is invalid. */ int rsbac_reg_switch (rsbac_reg_handle_t handle, rsbac_boolean_t value); /* * Unregister an ADF decision module * Returns 0 on success or -EINVALIDTARGET, if handle is invalid. */ int rsbac_reg_unregister(rsbac_reg_handle_t handle); /* * Register a system call * Returns given positive handle or negative error code from rsbac/error.h * Errors: -RSBAC_EINVALIDVALUE (function is empty or handle is not positive) * -RSBAC_EEXISTS (handle exists - choose another one) * -RSBAC_ECOULDNOTADDITEM (no entry available) * -RSBAC_EINVALIDVERSION (wrong REG version) */ rsbac_reg_handle_t rsbac_reg_register_syscall( rsbac_version_t version, struct rsbac_reg_syscall_entry_t entry); /* * Unregister a system call * Returns 0 on success or -EINVALIDTARGET, if handle is invalid. 
*/
int rsbac_reg_unregister_syscall(rsbac_reg_handle_t handle);
#endif
rsbac-admin-1.4.0/main/headers/rsbac/debug.h0000644000175000017500000001507611131371037020440 0ustar gauvaingauvain
/******************************* */
/* Rule Set Based Access Control */
/* Author and (c) 1999-2007:     */
/* Amon Ott                      */
/* debug definitions             */
/* Last modified: 11/Apr/2007    */
/******************************* */

#ifndef __RSBAC_DEBUG_H
#define __RSBAC_DEBUG_H

/* NOTE(review): the header names of the #include directives in this copy
 * were lost in extraction (only the bare directive survived); restore them
 * from the matching RSBAC kernel tree before compiling. */
#include
//#include

/* Bit values for the rsbac_flags word declared below. Presumably they are
 * set from the kernel command line by rsbac_parse_koptions() (declared
 * further down; the parser itself is not in this header) -- confirm.
 * Several of them (softmode, dac_disable, nosyslog, no_defaults) presumably
 * relax enforcement or logging, so which of them can be set at boot is a
 * security-relevant configuration decision. */
#define set_rsbac_softmode 1
#define set_rsbac_softmode_once 2
#define set_rsbac_softmode_never 4
#define set_rsbac_freeze 8
#define set_rsbac_um_no_excl 16
#define set_rsbac_auth_learn 32
#define set_rsbac_acl_learn_fd 64
#define set_rsbac_cap_log_missing 128
#define set_rsbac_jail_log_missing 256
#define set_rsbac_dac_disable 512
#define set_rsbac_no_delay_init 1024
#define set_rsbac_no_defaults 2048
#define set_rsbac_nosyslog 4096
#define set_rsbac_cap_process_hiding 8192

extern unsigned long int rsbac_flags;
extern void rsbac_flags_set(unsigned long int);

/* Per-subsystem debug switches. rsbac_debug_no_write and
 * rsbac_debug_adf_default exist unconditionally; the rest only with
 * CONFIG_RSBAC_DEBUG. The names matter: rsbac_pr_debug() below pastes its
 * `type` argument onto the rsbac_debug_ prefix. */
extern int rsbac_debug_no_write;
#ifdef CONFIG_RSBAC_DEBUG
extern int rsbac_debug_ds;
extern int rsbac_debug_write;
extern int rsbac_debug_stack;
extern int rsbac_debug_lists;
extern int rsbac_debug_aef;
#endif
extern int rsbac_debug_adf_default;

/* One log-level entry per ADF request; R_NONE is the last enumerator of
 * enum rsbac_adf_request_t (types.h). */
extern rsbac_log_entry_t rsbac_log_levels[R_NONE+1];

/* Persistent list names, key and on-disk version numbers for the
 * log-level list (the *_OLD_* versions are the earlier formats). */
#define RSBAC_LOG_LEVELS_NAME "log_levels"
#define RSBAC_LOG_LEVEL_LIST_NAME "ll"
#define RSBAC_LOG_LEVEL_VERSION 4
#define RSBAC_LOG_LEVEL_OLD_VERSION 3
#define RSBAC_LOG_LEVEL_OLD_OLD_VERSION 2
#define RSBAC_LOG_LEVEL_KEY 13123231

extern int rsbac_no_defaults;

/* With delayed init the routine cannot be placed in the __init section. */
#ifdef CONFIG_RSBAC_INIT_DELAY
extern void rsbac_init_debug(void);
#else
extern void rsbac_init_debug(void) __init;
#endif

extern rsbac_boolean_t rsbac_parse_koptions(char *);

#define RSBAC_WAKEUP_KEY 'w'
#define RSBAC_WAKEUP_UKEY 'W'

#ifdef CONFIG_RSBAC_SOFTMODE
#define RSBAC_SOFTMODE_KEY 'x'
#define RSBAC_SOFTMODE_UKEY 'X'
extern int rsbac_softmode;
extern int rsbac_softmode_prohibit;
/* Returns the current value of the global rsbac_softmode switch. */
static inline int rsbac_in_softmode(void)
{
	return rsbac_softmode;
}
#ifdef CONFIG_RSBAC_SOFTMODE_IND
/* Per-module softmode switches; SW_NONE is the last enumerator of
 * enum rsbac_switch_target_t (types.h). */
extern int rsbac_ind_softmode[SW_NONE];
#endif
#endif

#if defined(CONFIG_RSBAC_FREEZE)
extern int rsbac_freeze;
#endif

#ifdef CONFIG_RSBAC_FD_CACHE
extern rsbac_time_t rsbac_fd_cache_ttl;
extern u_int rsbac_fd_cache_disable;
#endif

#if defined(CONFIG_RSBAC_AUTO_WRITE) && (CONFIG_RSBAC_AUTO_WRITE > 0)
extern rsbac_time_t rsbac_list_check_interval;
#endif

#if defined(CONFIG_RSBAC_CAP_PROC_HIDE)
extern int rsbac_cap_process_hiding;
#endif

#ifdef CONFIG_RSBAC_CAP_LOG_MISSING
extern int rsbac_cap_log_missing;
#endif

#ifdef CONFIG_RSBAC_JAIL_LOG_MISSING
extern int rsbac_jail_log_missing;
#endif

#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_FULL
extern int rsbac_dac_disable;
extern int rsbac_dac_is_disabled(void);
#endif

#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
extern int rsbac_nosyslog;
#endif

#ifdef CONFIG_RSBAC_INIT_DELAY
extern int rsbac_no_delay_init;
extern kdev_t rsbac_delayed_root;
extern char rsbac_delayed_root_str[];
#endif

/* rsbac_printk(): You must always prepend the loglevel. As sequence numbers
 * are per rsbac_printk() message, it is strongly recommended to output single
 * full lines only.
 * Example:
 * rsbac_printk(KERN_DEBUG "Test value: %u\n", testval);
 */
extern int rsbac_printk(const char *, ...);

/* Debug printk guarded by the matching rsbac_debug_<type> switch. `type`
 * is token-pasted, so it must name one of the rsbac_debug_* variables
 * declared in this header. Expands to an empty statement without
 * CONFIG_RSBAC_DEBUG. */
#ifdef CONFIG_RSBAC_DEBUG
#define rsbac_pr_debug(type, fmt, arg...) \
	do { if (rsbac_debug_##type) \
		rsbac_printk(KERN_DEBUG "%s(): " fmt, __FUNCTION__, ##arg); \
	} while (0)
#else
#define rsbac_pr_debug(type, fmt, arg...) do { } while (0)
#endif

/* Error-reporting helpers that pass the calling function's name along.
 * The rsbac_ds_*_error() / rsbac_rc_ds_*_error() callees are not declared
 * in this header. */
#define rsbac_pr_get_error(attr) \
	do { rsbac_ds_get_error (__FUNCTION__, attr); \
	} while (0)
#define rsbac_pr_set_error(attr) \
	do { rsbac_ds_set_error (__FUNCTION__, attr); \
	} while (0)
#define rsbac_rc_pr_get_error(item) \
	do { rsbac_rc_ds_get_error (__FUNCTION__, item); \
	} while (0)
#define rsbac_rc_pr_set_error(item) \
	do { rsbac_rc_ds_set_error (__FUNCTION__, item); \
	} while (0)

/* Upper bound on one log line, in bytes. */
#define RSBAC_LOG_MAXLINE 2040

#if defined(CONFIG_RSBAC_RMSG)
extern int rsbac_log(int, char *, int);
/* rsbac_min() (types.h) evaluates both operands twice; harmless here as
 * long as RSBAC_MAX_KMALLOC (not visible in this header) is a constant. */
#define RSBAC_LOG_MAXREADBUF (rsbac_min(8192,RSBAC_MAX_KMALLOC))

/* Singly linked queue entry for buffered log messages. `buffer` is a
 * zero-length trailing array; presumably `size` payload bytes are
 * allocated behind the struct -- confirm in the allocating code. */
struct rsbac_log_list_item_t {
	struct rsbac_log_list_item_t *next;
	u16 size;
	char buffer[0];
};

struct rsbac_log_list_head_t {
	struct rsbac_log_list_item_t *head;
	struct rsbac_log_list_item_t *tail;
	u_int count;
	u_long lost;	/* NOTE(review): presumably dropped messages -- confirm */
};

#if defined(CONFIG_RSBAC_LOG_REMOTE)
extern rsbac_pid_t rsbaclogd_pid;
#endif
#endif

#ifdef CONFIG_RSBAC_NET
extern int rsbac_debug_ds_net;
extern int rsbac_debug_aef_net;
extern int rsbac_debug_adf_net;
#endif

extern void wakeup_rsbacd(u_long dummy);

/* switch log level for request */
void rsbac_adf_log_switch(rsbac_adf_request_int_t request,
			  enum rsbac_target_t target,
			  rsbac_enum_t value);

int rsbac_get_adf_log(rsbac_adf_request_int_t request,
		      enum rsbac_target_t target,
		      u_int * value_p);

/* Per-model debug switches, only present with CONFIG_RSBAC_DEBUG. */
#ifdef CONFIG_RSBAC_DEBUG
#if defined(CONFIG_RSBAC_AUTO_WRITE) && (CONFIG_RSBAC_AUTO_WRITE > 0)
extern int rsbac_debug_auto;
#endif /* CONFIG_RSBAC_AUTO_WRITE > 0 */

#if defined(CONFIG_RSBAC_MAC)
extern int rsbac_debug_ds_mac;
extern int rsbac_debug_aef_mac;
extern int rsbac_debug_adf_mac;
#endif

#if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
extern int rsbac_debug_ds_pm;
extern int rsbac_debug_aef_pm;
extern int rsbac_debug_adf_pm;
#endif

#if defined(CONFIG_RSBAC_DAZ) || defined(CONFIG_RSBAC_DAZ_MAINT)
extern int rsbac_debug_adf_daz;
#endif

#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
extern int rsbac_debug_ds_rc;
extern int rsbac_debug_aef_rc;
extern int rsbac_debug_adf_rc;
#endif

#if defined(CONFIG_RSBAC_AUTH) || defined(CONFIG_RSBAC_AUTH_MAINT)
extern int rsbac_debug_ds_auth;
extern int rsbac_debug_aef_auth;
extern int rsbac_debug_adf_auth;
#endif

#if defined(CONFIG_RSBAC_REG) || defined(CONFIG_RSBAC_REG_MAINT)
extern int rsbac_debug_reg;
#endif

#if defined(CONFIG_RSBAC_ACL) || defined(CONFIG_RSBAC_ACL_MAINT)
extern int rsbac_debug_ds_acl;
extern int rsbac_debug_aef_acl;
extern int rsbac_debug_adf_acl;
#endif

#if defined(CONFIG_RSBAC_JAIL)
extern int rsbac_debug_aef_jail;
extern int rsbac_debug_adf_jail;
#endif

#if defined(CONFIG_RSBAC_PAX)
extern int rsbac_debug_adf_pax;
#endif

#if defined(CONFIG_RSBAC_UM)
extern int rsbac_debug_ds_um;
extern int rsbac_debug_aef_um;
extern int rsbac_debug_adf_um;
#endif
#endif /* DEBUG */

/* Runtime switches that exist independently of CONFIG_RSBAC_DEBUG. */
#if defined(CONFIG_RSBAC_UM_EXCL)
extern int rsbac_um_no_excl;
#endif

#if defined(CONFIG_RSBAC_AUTH) || defined(CONFIG_RSBAC_AUTH_MAINT)
extern int rsbac_auth_enable_login;
#if defined(CONFIG_RSBAC_AUTH_LEARN)
extern int rsbac_auth_learn;
#endif
#endif

#if defined(CONFIG_RSBAC_ACL_LEARN)
extern int rsbac_acl_learn_fd;
#endif

#endif
rsbac-admin-1.4.0/main/headers/rsbac/auth_data_structures.h0000644000175000017500000000644311131371037023605 0ustar gauvaingauvain
/**************************************/
/* Rule Set Based Access Control      */
/* Author and (c) 1999-2007:          */
/* Amon Ott                           */
/* Data structures / AUTH             */
/* Last modified: 16/Sep/2007         */
/**************************************/

#ifndef __RSBAC_AUTH_DATA_STRUC_H
#define __RSBAC_AUTH_DATA_STRUC_H

/* NOTE(review): the header names of these three #include directives were
 * lost in extraction; only the bare directives survived. */
#include
#include
#include

/**********************************************/
/* Capability lists                           */
/**********************************************/

/* Generic-list key and the per-list names / on-disk versions for the
 * process-level ("authproc*") and file-level ("authf*") AUTH capability
 * lists. The *_OLD_* names and versions describe the previous on-disk
 * format (version 1), presumably kept for migration -- confirm in the
 * list-loading code. */
#define RSBAC_AUTH_LIST_KEY 626281
#define RSBAC_AUTH_P_LIST_VERSION 1
#define RSBAC_AUTH_P_LIST_NAME "authproc"
#define RSBAC_AUTH_P_EFF_LIST_NAME "authproceff"
#define RSBAC_AUTH_P_FS_LIST_NAME "authprocfs"
#define RSBAC_AUTH_P_GROUP_LIST_NAME "authprocgr"
#define RSBAC_AUTH_P_GROUP_EFF_LIST_NAME "authprocgreff"
#define RSBAC_AUTH_P_GROUP_FS_LIST_NAME "authprocgrfs"
#define RSBAC_AUTH_FD_FILENAME "authfd"
#define RSBAC_AUTH_FD_EFF_FILENAME "authfde"
#define RSBAC_AUTH_FD_FS_FILENAME "authfdf"
#define RSBAC_AUTH_FD_GROUP_FILENAME "authfg"
#define RSBAC_AUTH_FD_GROUP_EFF_FILENAME "authfge"
#define RSBAC_AUTH_FD_GROUP_FS_FILENAME "authfgf"
#define RSBAC_AUTH_FD_OLD_FILENAME "authfd."
#define RSBAC_AUTH_FD_OLD_EFF_FILENAME "authfde."
#define RSBAC_AUTH_FD_OLD_FS_FILENAME "authfdf."
#define RSBAC_AUTH_FD_OLD_GROUP_FILENAME "authfg."
#define RSBAC_AUTH_FD_OLD_GROUP_EFF_FILENAME "authfge."
#define RSBAC_AUTH_FD_OLD_GROUP_FS_FILENAME "authfgf."
#define RSBAC_AUTH_NR_CAP_FD_LISTS 4
#define RSBAC_AUTH_NR_CAP_EFF_FD_LISTS 2
#define RSBAC_AUTH_NR_CAP_FS_FD_LISTS 2
#define RSBAC_AUTH_NR_CAP_GROUP_FD_LISTS 4
#define RSBAC_AUTH_NR_CAP_GROUP_EFF_FD_LISTS 2
#define RSBAC_AUTH_NR_CAP_GROUP_FS_FD_LISTS 2
#define RSBAC_AUTH_FD_LIST_VERSION 2
#define RSBAC_AUTH_FD_EFF_LIST_VERSION 2
#define RSBAC_AUTH_FD_FS_LIST_VERSION 2
#define RSBAC_AUTH_FD_GROUP_LIST_VERSION 2
#define RSBAC_AUTH_FD_GROUP_EFF_LIST_VERSION 2
#define RSBAC_AUTH_FD_GROUP_FS_LIST_VERSION 2
#define RSBAC_AUTH_FD_OLD_LIST_VERSION 1
#define RSBAC_AUTH_FD_EFF_OLD_LIST_VERSION 1
#define RSBAC_AUTH_FD_FS_OLD_LIST_VERSION 1
#define RSBAC_AUTH_FD_GROUP_OLD_LIST_VERSION 1
#define RSBAC_AUTH_FD_GROUP_EFF_OLD_LIST_VERSION 1
#define RSBAC_AUTH_FD_GROUP_FS_OLD_LIST_VERSION 1

/* The list of devices is also a double linked list, so we define list */
/* items and a list head. One item per mounted device; the optional    */
/* handles exist only when the matching CONFIG options are set.        */
struct rsbac_auth_device_list_item_t {
	kdev_t id;		/* set to 0 before deletion */
	u_int mount_count;
	rsbac_list_handle_t handle;
#ifdef CONFIG_RSBAC_AUTH_DAC_OWNER
	rsbac_list_handle_t eff_handle;
	rsbac_list_handle_t fs_handle;
#endif
#ifdef CONFIG_RSBAC_AUTH_GROUP
	rsbac_list_handle_t group_handle;
#ifdef CONFIG_RSBAC_AUTH_DAC_OWNER
	rsbac_list_handle_t group_eff_handle;
	rsbac_list_handle_t group_fs_handle;
#endif
#endif
	struct rsbac_auth_device_list_item_t *prev;
	struct rsbac_auth_device_list_item_t *next;
};

/* To provide consistency we use spinlocks for all list accesses. The */
/* 'curr' entry is used to avoid repeated lookups for the same item.  */
/* (The lock itself is not part of this struct.)                      */
struct rsbac_auth_device_list_head_t {
	struct rsbac_auth_device_list_item_t *head;
	struct rsbac_auth_device_list_item_t *tail;
	struct rsbac_auth_device_list_item_t *curr;
	u_int count;
};

#endif
rsbac-admin-1.4.0/main/headers/rsbac/res_getname.h0000644000175000017500000000076111131371037021636 0ustar gauvaingauvain
/********************************** */
/* Rule Set Based Access Control    */
/* Author and (c) 2002:             */
/* Amon Ott                         */
/* Getname functions for RES module */
/* Last modified: 22/Nov/2002       */
/********************************** */

#ifndef __RSBAC_RES_GETNAME_H
#define __RSBAC_RES_GETNAME_H

/* NOTE(review): header name lost in extraction. */
#include

/* Userspace-only name <-> number helpers for the RES module; not
 * declared for kernel builds. */
#ifndef __KERNEL__
char * get_res_name(char * name, u_int value);
int get_res_nr(const char * name);
#endif

#endif
rsbac-admin-1.4.0/main/headers/rsbac/types.h0000644000175000017500000010140011131371037020501 0ustar gauvaingauvain
/*********************************** */
/* Rule Set Based Access Control     */
/* Author and (c)1999-2008:          */
/* Amon Ott                          */
/* API: Data types for attributes    */
/* and standard module calls         */
/* Last modified: 11/Nov/2008        */
/*********************************** */

#ifndef __RSBAC_TYPES_H
#define __RSBAC_TYPES_H

/* trigger module dependency for EXPORT_SYMBOL */
/* NOTE(review): this block is empty in this copy; the include it
 * presumably held did not survive extraction -- confirm. */
#ifdef CONFIG_MODULES
#endif

#define RSBAC_VERSION "1.4.0"
#define RSBAC_VERSION_MAJOR 1
#define RSBAC_VERSION_MID 4
#define RSBAC_VERSION_MINOR 0
/* Version packed as one byte each for major, mid and minor. */
#define RSBAC_VERSION_NR \
	((RSBAC_VERSION_MAJOR << 16) | (RSBAC_VERSION_MID << 8) | RSBAC_VERSION_MINOR)
/* NOTE(review): x, y and z are not parenthesized; pass single tokens or
 * already-parenthesized expressions. */
#define RSBAC_VERSION_MAKE_NR(x,y,z) \
	((x << 16) | (y << 8) | z)

#ifdef __KERNEL__
#include
#else
#include
#include
/* Userspace fallback for the kernel capability ABI definitions
 * (v2 layout: two 32-bit words). */
#define _LINUX_CAPABILITY_VERSION_1 0x19980330
#define _LINUX_CAPABILITY_U32S_1 1
#define _LINUX_CAPABILITY_VERSION_2 0x20071026
#define _LINUX_CAPABILITY_U32S_2 2
#define _LINUX_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_2
#define _LINUX_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_2
typedef struct kernel_cap_struct {
	__u32 cap[_LINUX_CAPABILITY_U32S];
} kernel_cap_t;
#endif

typedef __u32 rsbac_version_t;
typedef __u64 rsbac_uid_t;	/* High 32 Bit virtual set, low uid */
typedef __u64 rsbac_gid_t;	/* High 32 Bit virtual set, low gid */
typedef __u32 rsbac_old_uid_t;	/* Same as user in Linux kernel */
typedef __u32 rsbac_uid_num_t;	/* Same as user in Linux kernel */
typedef __u32 rsbac_old_gid_t;	/* Same as group in Linux kernel */
typedef __u32 rsbac_gid_num_t;	/* Same as group in Linux kernel */
typedef __u32 rsbac_um_set_t;
typedef __u32 rsbac_time_t;	/* Same as time_t in Linux kernel */
typedef struct {
	__u32 cap[2];
} rsbac_cap_vector_t;	/* Same as kernel_cap_t in newer Linux 2.6 kernel */
typedef __u32 rsbac_cap_old_vector_t;	/* Same as kernel_cap_t in Linux kernel */

/* Split / compose the 64-bit uid and gid: high word = virtual user set,
 * low word = numeric id.
 * NOTE(review): the x argument of the *_SET, *_NUM and GEN_* macros is not
 * parenthesized, so an expression argument using operators of lower
 * precedence than >>, & or << (e.g. a | b, a + b) is grouped wrongly;
 * pass a single token or parenthesize at the call site. */
#define RSBAC_UID_SET(x) ((rsbac_um_set_t) (x >> 32))
#define RSBAC_UID_NUM(x) ((rsbac_uid_num_t) (x & (rsbac_uid_num_t) -1))
#define RSBAC_GEN_UID(x,y) ((rsbac_uid_t) x << 32 | RSBAC_UID_NUM(y))
#define RSBAC_GID_SET(x) ((rsbac_um_set_t) (x >> 32))
#define RSBAC_GID_NUM(x) ((rsbac_gid_num_t) (x & (rsbac_gid_num_t) -1))
#define RSBAC_GEN_GID(x,y) ((rsbac_gid_t) x << 32 | RSBAC_GID_NUM(y))

/* Reserved virtual-set ids at the top of the rsbac_um_set_t range. */
#define RSBAC_UM_VIRTUAL_KEEP ((rsbac_um_set_t) -1)
#define RSBAC_UM_VIRTUAL_ALL ((rsbac_um_set_t) -2)
#define RSBAC_UM_VIRTUAL_MAX ((rsbac_um_set_t) -10)

typedef __u32 rsbac_list_ta_number_t;

struct rsbac_nanotime_t {
	rsbac_time_t sec;
	__u32 nsec;
};

#ifdef __KERNEL__
/* NOTE(review): header names lost in extraction. */
#include
#include
#include
#include

/* version checks */
#ifndef LINUX_VERSION_CODE
#include
#endif
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,4,19)
#error "RSBAC: unsupported kernel version"
#endif

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
#define RSBAC_MAJOR MAJOR
#define RSBAC_MINOR MINOR
#define RSBAC_MKDEV(major,minor) MKDEV(major,minor)

/* Seconds of CURRENT_TIME; the value is narrowed to the 32-bit
 * rsbac_time_t on return. */
static inline rsbac_time_t rsbac_current_time(void)
{
	struct timespec ts = CURRENT_TIME;

	return ts.tv_sec;
}

/* Fills *nanotime from CURRENT_TIME (seconds narrowed as above). */
static inline void rsbac_get_current_nanotime(struct rsbac_nanotime_t * nanotime)
{
	struct timespec ts = CURRENT_TIME;

	nanotime->sec = ts.tv_sec;
	nanotime->nsec = ts.tv_nsec;
}

#ifndef kdev_t
#define kdev_t dev_t
#endif
#define RSBAC_CURRENT_TIME (rsbac_current_time())
#else
/* 2.4 kernels: kdev_t and CURRENT_TIME come from the kernel itself. */
#define RSBAC_MAJOR MAJOR
#define RSBAC_MINOR MINOR
#define RSBAC_MKDEV(major,minor) MKDEV(major,minor)
#define RSBAC_CURRENT_TIME CURRENT_TIME
#include

/* 2.4 variant: reads the global xtime (microseconds, scaled to
 * nanoseconds). No locking is visible here -- confirm whether callers
 * need a consistent sec/usec pair. */
static inline void rsbac_get_current_nanotime(struct rsbac_nanotime_t * nanotime)
{
	nanotime->sec = xtime.tv_sec;
	nanotime->nsec = xtime.tv_usec * 1000;
}
#endif

/* Device-number sentinels: 0:0 is "zero", 99:99 is "auto". */
#define RSBAC_ZERO_DEV RSBAC_MKDEV(0,0)
#define RSBAC_AUTO_DEV RSBAC_MKDEV(99,99)
#define RSBAC_IS_ZERO_DEV(kdev) (!RSBAC_MAJOR(kdev) && !RSBAC_MINOR(kdev))
#define RSBAC_IS_AUTO_DEV(kdev) ((RSBAC_MAJOR(kdev) == 99) && (RSBAC_MINOR(kdev) == 99))

/* With delayed init, the init code must not be discarded after boot. */
#ifdef CONFIG_RSBAC_INIT_DELAY
#define R_INIT
#else
#define R_INIT __init
#endif
#endif

/* General */
#ifndef NULL
#define NULL ((void *) 0)
#endif

/* NOTE(review): both operands are evaluated twice; do not pass
 * expressions with side effects. */
#define rsbac_min(a,b) (((a)<(b))?(a):(b))
#define rsbac_max(a,b) (((a)>(b))?(a):(b))

/* Reserved uid/gid sentinels. The *_OLD_* values (65533 / 65532) are
 * -3 / -4 in 16 bits; the current ones are -3 / -4 in the 32-bit types. */
#define RSBAC_OLD_NO_USER 65533
#define RSBAC_OLD_ALL_USERS 65532
#define RSBAC_NO_USER ((rsbac_uid_num_t) -3)
#define RSBAC_ALL_USERS ((rsbac_uid_num_t) -4)
#define RSBAC_NO_GROUP ((rsbac_gid_num_t) -3)
#define RSBAC_ALL_GROUPS ((rsbac_gid_num_t) -4)

#ifndef FALSE
#define FALSE 0
#endif
#ifndef TRUE
#define TRUE 1
#endif

typedef u_int rsbac_boolean_t;
typedef __u8 rsbac_boolean_int_t;

/* Network device name buffer, one byte longer than RSBAC_IFNAMSIZ. */
#define RSBAC_IFNAMSIZ 16
typedef u_char rsbac_netdev_id_t[RSBAC_IFNAMSIZ + 1];
/* Presumably the chunk size used when overwriting for FF_secure_delete
 * (defined below) -- confirm in the FF code. */
#define RSBAC_SEC_DEL_CHUNK_SIZE 65536

/* Adjust these, if you have to, but if you do, adjust them all! */
/* Note: no / allowed, file must be exactly in second level!     */
/* NOTE(review): the three values must stay consistent (DIR + FILE spell
 * out PATH); they identify the program the AUTH module treats as the
 * login program -- confirm their use in the AUTH module. */
#define RSBAC_AUTH_LOGIN_PATH "/bin/login"
#define RSBAC_AUTH_LOGIN_PATH_DIR "bin"
#define RSBAC_AUTH_LOGIN_PATH_FILE "login"

/* These data structures work parallel to the Linux data structures, */
/* so all data for RSBAC decisions is maintained separately.         */
/* Any change to RSBAC data will NOT modify any other linux data,    */
/* e.g. userlists, process lists or inodes.                          */

/* Special generic lists time-to-live (ttl) value to keep old setting */
#define RSBAC_LIST_TTL_KEEP ((rsbac_time_t) -1)

typedef __u8 rsbac_enum_t;	/* internally used for all enums */

/* Well-known uids. The security officer uid defaults to 400 unless set
 * in the kernel config; the other role uids are derived from it. */
#define RSBAC_SYSADM_UID 0
#define RSBAC_BIN_UID 1
#ifdef CONFIG_RSBAC_SECOFF_UID
#define RSBAC_SECOFF_UID CONFIG_RSBAC_SECOFF_UID
#else
#define RSBAC_SECOFF_UID 400
#endif
#define RSBAC_DATAPROT_UID (RSBAC_SECOFF_UID+1)
#define RSBAC_TPMAN_UID (RSBAC_SECOFF_UID+2)
#define RSBAC_AUDITOR_UID (RSBAC_SECOFF_UID+4)

typedef __u32 rsbac_pseudo_t;	/* For Pseudonymic Logging */
typedef __u32 rsbac_pid_t;	/* Same as pid in Linux */
typedef __u32 rsbac_ta_number_t;

/* MAC security level: 0..252 are real levels, 254 and 255 are the
 * inherit and "none" sentinels; 253 is not assigned (see the
 * commented-out line). */
typedef __u8 rsbac_security_level_t;
#define SL_max 252
#define SL_min 0
// #define SL_rsbac_internal 253
#define SL_inherit 254
#define SL_none 255
enum rsbac_old_security_level_t {SL_unclassified, SL_confidential, SL_secret, SL_top_secret,
				 SL_old_rsbac_internal, SL_old_inherit, SL_old_none};
/* MAC security levels */

typedef __u64 rsbac_mac_category_vector_t;	/* MAC category sets */
#define RSBAC_MAC_GENERAL_CATEGORY 0
#define RSBAC_MAC_DEF_CAT_VECTOR ((rsbac_mac_category_vector_t) 1)	/* 1 << GENERAL_CAT */
#define RSBAC_MAC_MAX_CAT_VECTOR ((rsbac_mac_category_vector_t) -1)	/* all bits set */
#define RSBAC_MAC_MIN_CAT_VECTOR ((rsbac_mac_category_vector_t) 0)	/* no bits set */
#define RSBAC_MAC_INHERIT_CAT_VECTOR ((rsbac_mac_category_vector_t) 0)	/* for fd: no bits set */
#define RSBAC_MAC_NR_CATS 64
#define RSBAC_MAC_MAX_CAT 63
/* The cast binds before <<, so the shift is done in 64 bits. */
#define RSBAC_MAC_CAT_VECTOR(x) ((rsbac_mac_category_vector_t) 1 << (x))

typedef u_int rsbac_cwi_relation_id_t;

/* For MAC, FF, AUTH */
enum rsbac_system_role_t {SR_user, SR_security_officer, SR_administrator, SR_auditor, SR_none};
typedef rsbac_enum_t rsbac_system_role_int_t;

/* For all models */
enum rsbac_fake_root_uid_t {FR_off, FR_uid_only, FR_euid_only, FR_both, FR_none};
typedef rsbac_enum_t rsbac_fake_root_uid_int_t;

/* System control data targets: 25 enumerators including ST_none, so one
 * bit per entry fits the 32-bit rsbac_scd_vector_t below. */
enum rsbac_scd_type_t {ST_time_strucs, ST_clock, ST_host_id, ST_net_id, ST_ioports,
		       ST_rlimit, ST_swap, ST_syslog, ST_rsbac, ST_rsbac_log, ST_other,
		       ST_kmem, ST_network, ST_firewall, ST_priority, ST_sysfs,
		       ST_rsbac_remote_log, ST_quota, ST_sysctl, ST_nfsd, ST_ksyms,
		       ST_mlock, ST_capability, ST_kexec, ST_none};
typedef __u32 rsbac_scd_vector_t;
#define RSBAC_SCD_VECTOR(x) ((rsbac_scd_vector_t) 1 << (x))

enum rsbac_dev_type_t {D_block, D_char, D_block_major, D_char_major, D_none};

enum rsbac_ipc_type_t {I_sem, I_msg, I_shm, I_anonpipe, I_mqueue, I_anonunix, I_none};
union rsbac_ipc_id_t {
	u_long id_nr;
};

typedef __u32 rsbac_inode_nr_t;

enum rsbac_linux_dac_disable_t {LDD_false, LDD_true, LDD_inherit, LDD_none};
typedef rsbac_enum_t rsbac_linux_dac_disable_int_t;

#ifdef __KERNEL__
/* We need unique identifiers for each file/dir. inode means inode in */
/* the file system.                                                   */
struct rsbac_fs_file_t {
	kdev_t device;
	rsbac_inode_nr_t inode;
	struct dentry * dentry_p;	/* used for inheritance recursion */
};

struct rsbac_dev_t {
	enum rsbac_dev_type_t type;
	kdev_t id;
};
#endif /* __KERNEL */

/* We need unique ids for dev objects */
struct rsbac_dev_desc_t {
	__u32 type;
	__u32 major;
	__u32 minor;
};

/* Builds a rsbac_dev_desc_t by value from its three fields. */
static inline struct rsbac_dev_desc_t rsbac_mkdev_desc(__u32 type, __u32 major, __u32 minor)
{
	struct rsbac_dev_desc_t dev_desc;

	dev_desc.type = type;
	dev_desc.major = major;
	dev_desc.minor = minor;
	return dev_desc;
}

/* Descriptor sentinels mirroring RSBAC_ZERO_DEV / RSBAC_AUTO_DEV.
 * NOTE(review): the IS_* macros apply member access to `dev` directly,
 * so only a plain struct variable can be passed. */
#define RSBAC_ZERO_DEV_DESC rsbac_mkdev_desc(D_none, 0, 0)
#define RSBAC_AUTO_DEV_DESC rsbac_mkdev_desc(D_none, 99, 99)
#define RSBAC_IS_ZERO_DEV_DESC(dev) ((dev.type == D_none) && !dev.major && !dev.minor)
#define RSBAC_IS_AUTO_DEV_DESC(dev) ((dev.type == D_none) && (dev.major == 99) && (dev.minor == 99))

/* And we need unique ids for ipc objects */
struct rsbac_ipc_t {
	enum rsbac_ipc_type_t type;
	union rsbac_ipc_id_t id;
};

/* log levels: nothing, denied requests only, all, refer to request log level */
enum rsbac_log_level_t {LL_none, LL_denied, LL_full, LL_request, LL_invalid};
typedef __u64 rsbac_log_array_t;

/* request bitvectors: one bit per enum rsbac_adf_request_t value (51
 * requests before R_NONE in this version, so 64 bits suffice). */
typedef __u64 rsbac_request_vector_t;
#define RSBAC_REQUEST_VECTOR(x) ((rsbac_request_vector_t) 1 << (x))

/* The max length of each filename is kept in a macro */
#define RSBAC_MAXNAMELEN 256
#define RSBAC_LIST_TA_MAX_PASSLEN 36

/* MAC */
typedef __u8 rsbac_mac_user_flags_t;
typedef __u16 rsbac_mac_process_flags_t;
typedef __u8 rsbac_mac_file_flags_t;
typedef struct rsbac_fs_file_t rsbac_mac_file_t;
#define RSBAC_MAC_MAX_MAXNUM 1000000
/* Flag bits. MAC_program_auto (256) is only part of the process mask,
 * whose type is the 16-bit one; the user and file masks stay within
 * their 8-bit types. */
#define MAC_override 1
#define MAC_auto 2
#define MAC_trusted 4
#define MAC_write_up 8
#define MAC_read_up 16
#define MAC_write_down 32
#define MAC_allow_auto 64
#define MAC_prop_trusted 128
#define MAC_program_auto 256
#define RSBAC_MAC_U_FLAGS (MAC_override | MAC_trusted | MAC_write_up | MAC_read_up | MAC_write_down | MAC_allow_auto)
#define RSBAC_MAC_P_FLAGS (MAC_override | MAC_auto | MAC_trusted | MAC_write_up | MAC_read_up | MAC_write_down | MAC_prop_trusted | MAC_program_auto)
#define RSBAC_MAC_F_FLAGS (MAC_auto | MAC_trusted | MAC_write_up | MAC_read_up | MAC_write_down)
/* Defaults: no user flags except MAC_allow_auto for the sysadm uid and
 * MAC_override for the security officer uid; init gets MAC_auto. */
#define RSBAC_MAC_DEF_U_FLAGS 0
#define RSBAC_MAC_DEF_SYSADM_U_FLAGS MAC_allow_auto
#define RSBAC_MAC_DEF_SECOFF_U_FLAGS MAC_override
#define RSBAC_MAC_DEF_P_FLAGS 0
#define RSBAC_MAC_DEF_INIT_P_FLAGS MAC_auto

typedef rsbac_enum_t rsbac_mac_auto_int_t;
enum rsbac_mac_auto_t {MA_no, MA_yes, MA_inherit};

/* PM */
/* NOTE(review): header name lost in extraction. */
#include

/* DAZ */
typedef __u8 rsbac_daz_scanned_t;
#define DAZ_unscanned 0
#define DAZ_infected 1
#define DAZ_clean 2
#define DAZ_max 2
#define DEFAULT_DAZ_FD_SCANNED DAZ_unscanned
typedef __u8 rsbac_daz_scanner_t;
typedef __u8 rsbac_daz_do_scan_t;
#define DAZ_never 0
#define DAZ_registered 1
#define DAZ_always 2
#define DAZ_inherit 3
#define DAZ_max_do_scan 3
#define DEFAULT_DAZ_FD_DO_SCAN DAZ_inherit
#define DEFAULT_DAZ_FD_ROOT_DO_SCAN DAZ_registered

/* FF */
typedef __u16 rsbac_ff_flags_t;
#define FF_read_only 1
#define FF_execute_only 2
#define FF_search_only 4
#define FF_write_only 8
#define FF_secure_delete 16
#define FF_no_execute 32
#define FF_no_delete_or_rename 64
#define FF_append_only 256
#define FF_no_mount 512
#define FF_no_search 1024
#define FF_add_inherited 128	/* listed out of order: bit 7 */
#define RSBAC_FF_DEF FF_add_inherited
#define RSBAC_FF_ROOT_DEF 0

/***** RC *****/
/* NOTE(review): header name lost in extraction. */
#include

/**** AUTH ****/
/* special cap value, replaced by process owner at execute time */
#define RSBAC_AUTH_MAX_MAXNUM 1000000
/* NOTE(review): numerically these coincide with RSBAC_NO_USER (-3) and
 * RSBAC_ALL_USERS (-4) of the same type, and the GROUP_* variants are
 * cast to the uid type rather than rsbac_gid_num_t (same width, __u32);
 * presumably the namespaces never mix -- confirm. */
#define RSBAC_AUTH_OWNER_F_CAP ((rsbac_uid_num_t) -3)
#define RSBAC_AUTH_DAC_OWNER_F_CAP ((rsbac_uid_num_t) -4)
#define RSBAC_AUTH_MAX_RANGE_UID ((rsbac_uid_num_t) -10)
#define RSBAC_AUTH_GROUP_F_CAP ((rsbac_uid_num_t) -3)
#define RSBAC_AUTH_DAC_GROUP_F_CAP ((rsbac_uid_num_t) -4)
#define RSBAC_AUTH_MAX_RANGE_GID ((rsbac_uid_num_t) -10)
typedef struct rsbac_fs_file_t rsbac_auth_file_t;

/* uid range (first..last) of one AUTH capability entry; presumably
 * inclusive -- confirm. */
struct rsbac_auth_cap_range_t {
	rsbac_uid_t first;
	rsbac_uid_t last;
};
/* Old-format variant of rsbac_auth_cap_range_t with 32-bit uids. */
struct rsbac_auth_old_cap_range_t {
	rsbac_old_uid_t first;
	rsbac_old_uid_t last;
};

enum rsbac_auth_cap_type_t {ACT_real, ACT_eff, ACT_fs, ACT_group_real, ACT_group_eff, ACT_group_fs, ACT_none};
typedef rsbac_enum_t rsbac_auth_cap_type_int_t;

enum rsbac_auth_may_setuid_t {AMS_off, AMS_full, AMS_last_auth_only, AMS_last_auth_and_gid, AMS_none};
typedef rsbac_enum_t rsbac_auth_may_setuid_int_t;

/**** ACL ****/
/* include at end of types.h */

/**** CAP ****/
enum rsbac_cap_process_hiding_t {PH_off, PH_from_other_users, PH_full, PH_none};
typedef rsbac_enum_t rsbac_cap_process_hiding_int_t;

enum rsbac_cap_ld_env_t { LD_deny, LD_allow, LD_keep, LD_inherit };
typedef rsbac_enum_t rsbac_cap_ld_env_int_t;

/* NOTE(review): rsbac_cap_vector_t is a struct (typedef above), so a
 * scalar cast to it is not valid C; these two macros cannot be used as
 * written and are presumably leftovers from the __u32
 * rsbac_cap_old_vector_t era -- confirm they have no users. */
#define RSBAC_CAP_DEFAULT_MIN ((rsbac_cap_vector_t) 0)
#define RSBAC_CAP_DEFAULT_MAX ((rsbac_cap_vector_t) -1)
/* NOTE(review): header name lost in extraction. */
#include
/* Number of capabilities known to this version (34) and to the old
 * format (29); CAP_FS_MASK is supplied only if the kernel headers lack it. */
#define CAP_NONE 34
#define CAP_NONE_OLD 29
#define RSBAC_CAP_MAX CAP_NONE
#ifndef CAP_FS_MASK
#define CAP_FS_MASK 0x1f
#endif

/**** JAIL ****/
#define RSBAC_JAIL_VERSION 1
typedef __u32 rsbac_jail_id_t;
#define RSBAC_JAIL_DEF_ID 0
typedef __u32 rsbac_jail_ip_t;
typedef __u32 rsbac_jail_scd_vector_t;
typedef __u32 rsbac_jail_flags_t;
/* Jail flag bits (values 4 and 64 are not assigned). Most are allow_*
 * bits that widen what a jail permits, so a jail's flag set should be
 * the minimum it needs. */
#define JAIL_allow_external_ipc 1
#define JAIL_allow_all_net_family 2
#define JAIL_allow_inet_raw 8
#define JAIL_auto_adjust_inet_any 16
#define JAIL_allow_inet_localhost 32
#define JAIL_allow_dev_get_status 128
#define JAIL_allow_dev_mod_system 256
#define JAIL_allow_dev_read 512
#define JAIL_allow_dev_write 1024
#define JAIL_allow_tty_open 2048
#define JAIL_allow_parent_ipc 4096
#define JAIL_allow_suid_files 8192
#define JAIL_allow_mount 16384
#define JAIL_this_is_syslog 32768
#define JAIL_allow_ipc_to_syslog 65536
/* 0x0100007f: reads as 127.0.0.1 in network byte order only on a
 * little-endian host; presumably compared against a rsbac_jail_ip_t
 * stored that way -- confirm if big-endian targets matter. */
#define RSBAC_JAIL_LOCALHOST ((1 << 24) | 127)

/**** PAX ****/
typedef unsigned long rsbac_pax_flags_t;	/* for PaX defines */
#ifdef __KERNEL__
/* NOTE(review): header names lost in extraction. */
#include
#include
#endif
/* Fallback PaX flag values for builds without the PaX headers; the bit
 * positions must match the PaX patch for stored flags to keep their
 * meaning. */
#ifndef PF_PAX_PAGEEXEC
#define PF_PAX_PAGEEXEC 0x01000000	/* Paging based non-executable pages */
#define PF_PAX_EMUTRAMP 0x02000000	/* Emulate trampolines */
#define PF_PAX_MPROTECT 0x04000000	/* Restrict mprotect() */
#define PF_PAX_RANDMMAP 0x08000000	/* Randomize mmap() base */
#define PF_PAX_RANDEXEC 0x10000000	/* Randomize ET_EXEC base */
#define PF_PAX_SEGMEXEC 0x20000000	/* Segmentation based non-executable pages */
#endif
#define RSBAC_PAX_DEF_FLAGS (PF_PAX_SEGMEXEC | PF_PAX_PAGEEXEC | PF_PAX_MPROTECT | PF_PAX_RANDMMAP)
/* Bits 24..31: the six flags above plus two spare bits. */
#define RSBAC_PAX_ALL_FLAGS ((rsbac_pax_flags_t) 255 << 24)

/**** UM User management ****/
/* Included from um_types.h */

/**** RES ****/
typedef __u32 rsbac_res_limit_t;
#define RSBAC_RES_UNSET 0
#define RSBAC_RES_MAX 10	/* RLIMIT_LOCKS in 2.4.x kernels */
#define RSBAC_RES_NONE 11	/* one past the array below; not a valid index */
typedef rsbac_res_limit_t rsbac_res_array_t[RSBAC_RES_MAX + 1];

/**** REG ****/
typedef __s32 rsbac_reg_handle_t;

/****************************************************************************/
/* ADF types                                                                */
/****************************************************************************/

/* NOTE(review): header name lost in extraction. */
#include

/* Socket object id: the kernel socket in kernel code, opaque in userspace. */
#ifdef __KERNEL__
typedef struct socket * rsbac_net_obj_id_t;
#else
typedef void * rsbac_net_obj_id_t;
#endif

/* Network object: socket plus local/remote address buffers with their
 * lengths and the matching network templates. */
struct rsbac_net_obj_desc_t {
	rsbac_net_obj_id_t sock_p;
	void * local_addr;
	u_int local_len;
	void * remote_addr;
	u_int remote_len;
	rsbac_net_temp_id_t local_temp;
	rsbac_net_temp_id_t remote_temp;
};

#define RSBAC_ADF_REQUEST_ARRAY_VERSION 2

/* Request types seen by the decision facility. Request-indexed arrays
 * (rsbac_log_levels in debug.h) and RSBAC_ADF_REQUEST_ARRAY_VERSION
 * presumably depend on this order -- confirm before inserting entries
 * anywhere but before R_NONE. */
enum rsbac_adf_request_t {
	R_ADD_TO_KERNEL,
	R_ALTER,
	R_APPEND_OPEN,
	R_CHANGE_GROUP,
	R_CHANGE_OWNER,
	R_CHDIR,
	R_CLONE,
	R_CLOSE,
	R_CREATE,
	R_DELETE,
	R_EXECUTE,
	R_GET_PERMISSIONS_DATA,
	R_GET_STATUS_DATA,
	R_LINK_HARD,
	R_MODIFY_ACCESS_DATA,
	R_MODIFY_ATTRIBUTE,
	R_MODIFY_PERMISSIONS_DATA,
	R_MODIFY_SYSTEM_DATA,
	R_MOUNT,
	R_READ,
	R_READ_ATTRIBUTE,
	R_READ_WRITE_OPEN,
	R_READ_OPEN,
	R_REMOVE_FROM_KERNEL,
	R_RENAME,
	R_SEARCH,
	R_SEND_SIGNAL,
	R_SHUTDOWN,
	R_SWITCH_LOG,
	R_SWITCH_MODULE,
	R_TERMINATE,
	R_TRACE,
	R_TRUNCATE,
	R_UMOUNT,
	R_WRITE,
	R_WRITE_OPEN,
	R_MAP_EXEC,
	R_BIND,
	R_LISTEN,
	R_ACCEPT,
	R_CONNECT,
	R_SEND,
	R_RECEIVE,
	R_NET_SHUTDOWN,
	R_CHANGE_DAC_EFF_OWNER,
	R_CHANGE_DAC_FS_OWNER,
	R_CHANGE_DAC_EFF_GROUP,
	R_CHANGE_DAC_FS_GROUP,
	R_IOCTL,
	R_LOCK,
	R_AUTHENTICATE,
	R_NONE
};
typedef rsbac_enum_t rsbac_adf_request_int_t;

/* NOTE(review): header name lost in extraction. */
#include

/* This type is returned from the rsbac_adf_request() function. Since a */
/* decision of undefined means an error, it is never returned.          */
/* NOTE(review): NOT_GRANTED is 0, so a zero-initialized result is the
 * fail-closed value. */
enum rsbac_adf_req_ret_t {NOT_GRANTED,GRANTED,DO_NOT_CARE,UNDEFINED};

/****************************************************************************/
/* ACI types                                                                */
/****************************************************************************/

/* For switching adf-modules */
/* RSBAC_MAX_MOD evaluates to SW_PAX (12): the targets listed after
 * SW_SOFTMODE (DAC_DISABLE, UM, FREEZE) are not counted by it --
 * presumably intentional, confirm where it is used. */
enum rsbac_switch_target_t {SW_GEN,SW_MAC,SW_PM,SW_DAZ,SW_FF,SW_RC,SW_AUTH,
			    SW_REG,SW_ACL,SW_CAP,SW_JAIL,SW_RES,SW_PAX,SW_SOFTMODE,
			    SW_DAC_DISABLE,SW_UM,SW_FREEZE,SW_NONE};
#define RSBAC_MAX_MOD (SW_SOFTMODE - 1)
typedef rsbac_enum_t rsbac_switch_target_int_t;

/****************************************************************************/
/* For objects, users and processes all manipulation is encapsulated by the */
/* function calls rsbac_set_attr, rsbac_get_attr and rsbac_remove_target.  */
/* For those, we declare some extra types to specify target and attribute.  */

enum rsbac_target_t {T_FILE, T_DIR, T_FIFO, T_SYMLINK, T_DEV, T_IPC, T_SCD, T_USER,
		     T_PROCESS, T_NETDEV, T_NETTEMP, T_NETOBJ, T_NETTEMP_NT, T_GROUP,
		     T_FD, T_UNIXSOCK, T_NONE};

/* Target identifier; which member is valid follows the rsbac_target_t
 * passed alongside it. The fs-object members exist only in kernel builds. */
union rsbac_target_id_t {
#ifdef __KERNEL__
	struct rsbac_fs_file_t file;
	struct rsbac_fs_file_t dir;
	struct rsbac_fs_file_t fifo;
	struct rsbac_fs_file_t symlink;
	struct rsbac_fs_file_t unixsock;
#endif
	struct rsbac_dev_desc_t dev;
	struct rsbac_ipc_t ipc;
	rsbac_enum_t scd;
	rsbac_uid_t user;
	rsbac_gid_t group;
	rsbac_pid_t process;
	rsbac_netdev_id_t netdev;
	rsbac_net_temp_id_t nettemp;
	struct rsbac_net_obj_desc_t netobj;
	int dummy;
};

#ifdef __KERNEL__
/* One log level per target type (T_NONE included); the old layout had
 * one entry less. */
typedef rsbac_enum_t rsbac_log_entry_t[T_NONE+1];
typedef rsbac_enum_t rsbac_old_log_entry_t[T_NONE];

struct rsbac_create_data_t {
	enum rsbac_target_t target;
	struct dentry * dentry_p;
	int mode;
	kdev_t device;		/* for mknod etc. */
};
#endif

/* Attribute selector for rsbac_get_attr()/rsbac_set_attr(); the matching
 * value lives in union rsbac_attribute_value_t below. The enumerators
 * inside #ifdef __KERNEL__ are request helpers that exist only in kernel
 * builds, so A_none has a different numeric value in kernel and userspace
 * builds -- presumably only names cross that boundary; confirm. */
enum rsbac_attribute_t {
	A_pseudo, A_security_level, A_initial_security_level, A_local_sec_level,
	A_remote_sec_level, A_min_security_level, A_mac_categories,
	A_mac_initial_categories, A_local_mac_categories, A_remote_mac_categories,
	A_mac_min_categories, A_mac_user_flags, A_mac_process_flags, A_mac_file_flags,
	A_system_role, A_mac_role, A_daz_role, A_ff_role, A_auth_role, A_cap_role,
	A_jail_role, A_pax_role, A_current_sec_level, A_mac_curr_categories,
	A_min_write_open, A_min_write_categories, A_max_read_open,
	A_max_read_categories, A_mac_auto, A_mac_check, A_mac_prop_trusted,
	A_pm_role, A_pm_process_type, A_pm_current_task, A_pm_object_class,
	A_local_pm_object_class, A_remote_pm_object_class, A_pm_ipc_purpose,
	A_local_pm_ipc_purpose, A_remote_pm_ipc_purpose, A_pm_object_type,
	A_local_pm_object_type, A_remote_pm_object_type, A_pm_program_type,
	A_pm_tp, A_pm_task_set, A_daz_scanned, A_daz_scanner, A_ff_flags,
	A_rc_type, A_rc_select_type, A_local_rc_type, A_remote_rc_type,
	A_rc_type_fd, A_rc_type_nt, A_rc_force_role, A_rc_initial_role, A_rc_role,
	A_rc_def_role, A_auth_may_setuid, A_auth_may_set_cap, A_auth_learn,
	A_min_caps, A_max_caps, A_max_caps_user, A_max_caps_program, A_jail_id,
	A_jail_parent, A_jail_ip, A_jail_flags, A_jail_max_caps, A_jail_scd_get,
	A_jail_scd_modify, A_pax_flags, A_res_role, A_res_min, A_res_max,
	A_log_array_low, A_local_log_array_low, A_remote_log_array_low,
	A_log_array_high, A_local_log_array_high, A_remote_log_array_high,
	A_log_program_based, A_log_user_based, A_symlink_add_remote_ip,
	A_symlink_add_uid, A_symlink_add_mac_level, A_symlink_add_rc_role,
	A_linux_dac_disable, A_cap_process_hiding, A_fake_root_uid, A_audit_uid,
	A_auid_exempt, A_auth_last_auth, A_remote_ip, A_cap_ld_env, A_daz_do_scan,
	A_vset,
#ifdef __KERNEL__
	/* adf-request helpers */
	A_owner, A_group, A_signal, A_mode, A_nlink, A_switch_target, A_mod_name,
	A_request, A_trace_request, A_auth_add_f_cap, A_auth_remove_f_cap,
	A_auth_get_caplist, A_prot_bits, A_internal,
	/* used with CREATE on DIR */
	A_create_data, A_new_object, A_rlimit, A_new_dir_dentry_p,
	A_auth_program_file, A_auth_start_uid, A_auth_start_euid, A_auth_start_gid,
	A_auth_start_egid, A_acl_learn, A_priority, A_pgid, A_kernel_thread,
	A_open_flag, A_reboot_cmd, A_setsockopt_level, A_ioctl_cmd, A_f_mode,
	A_process, A_sock_type,
#endif
	A_none};

/* Attribute value matching an enum rsbac_attribute_t selector.
 * NOTE(review): the member set (and hence sizeof) depends on __KERNEL__
 * and on which CONFIG_RSBAC_* models are built in, and the kernel-only
 * members include raw pointers. Any copy of this union across the
 * user/kernel boundary should use the size the kernel side expects and
 * must not let user-supplied pointer members be dereferenced -- confirm
 * in the syscall layer. */
union rsbac_attribute_value_t {
	rsbac_uid_t owner;	/* process owner */
	rsbac_pseudo_t pseudo;
	rsbac_system_role_int_t system_role;
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_MAC)
	rsbac_security_level_t security_level;
	rsbac_mac_category_vector_t mac_categories;
	rsbac_security_level_t current_sec_level;
	rsbac_security_level_t min_write_open;
	rsbac_security_level_t max_read_open;
	rsbac_mac_user_flags_t mac_user_flags;
	rsbac_mac_process_flags_t mac_process_flags;
	rsbac_mac_file_flags_t mac_file_flags;
	rsbac_mac_auto_int_t mac_auto;
	rsbac_boolean_t mac_check;
	rsbac_boolean_t mac_prop_trusted;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_PM)
	rsbac_pm_role_int_t pm_role;
	rsbac_pm_process_type_int_t pm_process_type;
	rsbac_pm_task_id_t pm_current_task;
	rsbac_pm_object_class_id_t pm_object_class;
	rsbac_pm_purpose_id_t pm_ipc_purpose;
	rsbac_pm_object_type_int_t pm_object_type;
	rsbac_pm_program_type_int_t pm_program_type;
	rsbac_pm_tp_id_t pm_tp;
	rsbac_pm_task_set_id_t pm_task_set;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_DAZ)
	rsbac_daz_scanned_t daz_scanned;
	rsbac_daz_scanner_t daz_scanner;
	rsbac_daz_do_scan_t daz_do_scan;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_FF)
	rsbac_ff_flags_t ff_flags;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_RC)
	rsbac_rc_type_id_t rc_type;
	rsbac_rc_type_id_t rc_type_fd;
	rsbac_rc_role_id_t rc_force_role;
	rsbac_rc_role_id_t rc_initial_role;
	rsbac_rc_role_id_t rc_role;
	rsbac_rc_role_id_t rc_def_role;
	rsbac_rc_type_id_t rc_select_type;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_AUTH)
	rsbac_auth_may_setuid_int_t auth_may_setuid;
	rsbac_boolean_t auth_may_set_cap;
	rsbac_pid_t auth_p_capset;
	rsbac_inode_nr_t auth_f_capset;
	rsbac_boolean_t auth_learn;
	rsbac_uid_t auth_last_auth;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_CAP)
	rsbac_cap_vector_t min_caps;
	rsbac_cap_vector_t max_caps;
	rsbac_cap_vector_t max_caps_user;
	rsbac_cap_vector_t max_caps_program;
	rsbac_cap_process_hiding_int_t cap_process_hiding;
	rsbac_cap_ld_env_int_t cap_ld_env;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_JAIL)
	rsbac_jail_id_t jail_id;
	rsbac_jail_id_t jail_parent;
	rsbac_jail_ip_t jail_ip;
	rsbac_jail_flags_t jail_flags;
	rsbac_jail_scd_vector_t jail_scd_get;
	rsbac_jail_scd_vector_t jail_scd_modify;
	rsbac_cap_vector_t jail_max_caps;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_PAX)
	rsbac_pax_flags_t pax_flags;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_RES)
	rsbac_res_array_t res_array;
#endif
	rsbac_log_array_t log_array_low;
	rsbac_log_array_t log_array_high;
	rsbac_request_vector_t log_program_based;
	rsbac_request_vector_t log_user_based;
	rsbac_enum_t symlink_add_remote_ip;
	rsbac_boolean_t symlink_add_uid;
	rsbac_boolean_t symlink_add_mac_level;
	rsbac_boolean_t symlink_add_rc_role;
	rsbac_linux_dac_disable_int_t linux_dac_disable;
	// rsbac_net_temp_id_t net_temp;
	rsbac_fake_root_uid_int_t fake_root_uid;
	rsbac_uid_t audit_uid;
	rsbac_uid_t auid_exempt;
	__u32 remote_ip;
	rsbac_um_set_t vset;
#ifdef __KERNEL__
	/* Kernel-only members used to pass request context to the ADF. */
	rsbac_gid_num_t group;	/* process/fd group */
	struct sockaddr * sockaddr_p;	/* socket address */
	long signal;	/* signal for kill */
	int mode;	/* mode for create/mount */
	int nlink;	/* for DELETE/unlink */
	enum rsbac_switch_target_t switch_target;	/* for SWITCH_MODULE */
	char * mod_name;	/* for ADD_TO_KERNEL */
	enum rsbac_adf_request_t request;	/* for SWITCH_LOG */
	long trace_request;	/* request for sys_trace */
	struct rsbac_auth_cap_range_t auth_cap_range;
	int prot_bits;	/* prot bits for mmap()/mprotect() */
	rsbac_boolean_t internal;	/* used with CREATE on DIR */
	struct rsbac_create_data_t create_data;
	/* newly created object in OPEN requests? */
	rsbac_boolean_t new_object;
	u_int rlimit;
	struct dentry * new_dir_dentry_p;
	struct rsbac_fs_file_t auth_program_file;
	/* for learning mode */
	rsbac_uid_t auth_start_uid;
	rsbac_uid_t auth_start_euid;
	rsbac_gid_t auth_start_gid;
	rsbac_gid_t auth_start_egid;
	rsbac_boolean_t acl_learn;
	int priority;
	rsbac_pid_t pgid;
	rsbac_boolean_t kernel_thread;
	u_int open_flag;
	u_int reboot_cmd;
	int setsockopt_level;
	u_int ioctl_cmd;
	mode_t f_mode;
	rsbac_pid_t process;
	short sock_type;
#endif
	u_char u_char_dummy;
	u_short u_short_dummy;
	int dummy;
	u_int u_dummy;
	long long_dummy;
	u_long u_long_dummy;
};

/* List all values possibly used in FD Cache to find data size */
/* (a subset of rsbac_attribute_value_t; the union continues past the
 * end of this chunk) */
#ifdef CONFIG_RSBAC_FD_CACHE
union rsbac_attribute_value_cache_t {
	rsbac_uid_t owner;	/* process owner */
	rsbac_pseudo_t pseudo;
	rsbac_system_role_int_t system_role;
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_MAC)
	rsbac_security_level_t security_level;
	rsbac_mac_category_vector_t mac_categories;
	rsbac_security_level_t current_sec_level;
	rsbac_security_level_t min_write_open;
	rsbac_security_level_t max_read_open;
	rsbac_mac_user_flags_t mac_user_flags;
	rsbac_mac_process_flags_t mac_process_flags;
	rsbac_mac_file_flags_t mac_file_flags;
	rsbac_mac_auto_int_t mac_auto;
	rsbac_boolean_t mac_check;
	rsbac_boolean_t mac_prop_trusted;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_DAZ)
	rsbac_daz_scanned_t daz_scanned;
	rsbac_daz_scanner_t daz_scanner;
	rsbac_daz_do_scan_t daz_do_scan;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_FF)
	rsbac_ff_flags_t ff_flags;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_RC)
	rsbac_rc_type_id_t rc_type;
	rsbac_rc_type_id_t rc_type_fd;
	rsbac_rc_role_id_t rc_force_role;
	rsbac_rc_role_id_t rc_initial_role;
	rsbac_rc_role_id_t rc_role;
	rsbac_rc_role_id_t rc_def_role;
	rsbac_rc_type_id_t rc_select_type;
#endif
	rsbac_log_array_t log_array_low;
	rsbac_log_array_t log_array_high;
	rsbac_request_vector_t log_program_based;
rsbac_request_vector_t log_user_based; rsbac_enum_t symlink_add_remote_ip; rsbac_boolean_t symlink_add_uid; rsbac_boolean_t symlink_add_mac_level; rsbac_boolean_t symlink_add_rc_role; rsbac_linux_dac_disable_int_t linux_dac_disable; // rsbac_net_temp_id_t net_temp; rsbac_fake_root_uid_int_t fake_root_uid; rsbac_uid_t audit_uid; rsbac_uid_t auid_exempt; __u32 remote_ip; rsbac_um_set_t vset; u_char u_char_dummy; u_short u_short_dummy; int dummy; u_int u_dummy; long long_dummy; u_long u_long_dummy; }; #endif /**** ACL + UM ****/ #include #include #endif rsbac-admin-1.4.0/main/headers/rsbac/acl_types.h0000644000175000017500000001647011131371037021334 0ustar gauvaingauvain/************************************ */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2007: */ /* Amon Ott */ /* API: Data types for attributes */ /* and standard module calls */ /* Last modified: 25/Sep/2007 */ /************************************ */ #ifndef __RSBAC_ACL_TYPES_H #define __RSBAC_ACL_TYPES_H #include #define RSBAC_ACL_TTL_KEEP RSBAC_LIST_TTL_KEEP #define RSBAC_ACL_MAX_MAXNUM 1000000 enum rsbac_acl_subject_type_t {ACLS_USER, ACLS_ROLE, ACLS_GROUP, ACLS_NONE}; typedef __u8 rsbac_acl_int_subject_type_t; typedef __u64 rsbac_acl_subject_id_t; typedef __u32 rsbac_acl_old_subject_id_t; #define RSBAC_ACL_GROUP_EVERYONE 0 #define RSBAC_ACL_ROLE_EVERYROLE 64 #define RSBAC_ACL_OLD_SPECIAL_RIGHT_BASE 48 #define RSBAC_ACL_SPECIAL_RIGHT_BASE 56 enum rsbac_acl_special_rights_t { ACLR_FORWARD = RSBAC_ACL_SPECIAL_RIGHT_BASE, ACLR_ACCESS_CONTROL, ACLR_SUPERVISOR, ACLR_NONE}; typedef __u64 rsbac_acl_rights_vector_t; #define RSBAC_ACL_RIGHTS_VECTOR(x) ((rsbac_acl_rights_vector_t) 1 << (x)) #define RSBAC_ACL_SPECIAL_RIGHTS_VECTOR (\ ((rsbac_acl_rights_vector_t) 1 << ACLR_FORWARD) | \ ((rsbac_acl_rights_vector_t) 1 << ACLR_ACCESS_CONTROL) | \ ((rsbac_acl_rights_vector_t) 1 << ACLR_SUPERVISOR) \ ) #define RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR (\ ((rsbac_acl_rights_vector_t) 1 << ACLR_SUPERVISOR) \ ) 
#define RSBAC_NWS_REQUEST_VECTOR RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR #define RSBAC_ACL_ACCESS_CONTROL_RIGHT_VECTOR (\ ((rsbac_acl_rights_vector_t) 1 << ACLR_ACCESS_CONTROL) \ ) #define RSBAC_NWA_REQUEST_VECTOR RSBAC_ACL_ACCESS_CONTROL_RIGHT_VECTOR #define RSBAC_ACL_ALL_RIGHTS_VECTOR (RSBAC_ALL_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR) #define RSBAC_ACL_DEFAULT_FD_MASK (RSBAC_FD_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR) #define RSBAC_ACL_DEFAULT_DEV_MASK (RSBAC_DEV_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR) #define RSBAC_ACL_DEFAULT_SCD_MASK (RSBAC_SCD_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR) #define RSBAC_ACL_DEFAULT_U_MASK (RSBAC_USER_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR) #define RSBAC_ACL_DEFAULT_G_MASK (RSBAC_GROUP_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR) #define RSBAC_ACL_DEFAULT_NETDEV_MASK (RSBAC_NETDEV_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR) #define RSBAC_ACL_DEFAULT_NETTEMP_MASK (RSBAC_NETTEMP_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR) #define RSBAC_ACL_DEFAULT_NETOBJ_MASK (RSBAC_NETOBJ_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR) #define RSBAC_ACL_USER_RIGHTS_VECTOR (RSBAC_USER_REQUEST_VECTOR \ | RSBAC_ACL_RIGHTS_VECTOR(R_DELETE)) #define RSBAC_ACL_GROUP_RIGHTS_VECTOR RSBAC_GROUP_REQUEST_VECTOR #define RSBAC_ACL_GEN_RIGHTS_VECTOR 0 #define RSBAC_ACL_ACMAN_RIGHTS_VECTOR (\ ((rsbac_acl_rights_vector_t) 1 << ACLR_FORWARD) | \ ((rsbac_acl_rights_vector_t) 1 << ACLR_ACCESS_CONTROL) | \ ((rsbac_acl_rights_vector_t) 1 << ACLR_SUPERVISOR) \ ) #define RSBAC_ACL_SYSADM_RIGHTS_VECTOR 0 /* * System Control Types, including general SCD types * (start at 32 to allow future SCD types, max is 63) * (should always be same as in RC model) */ #define AST_min 32 enum rsbac_acl_scd_type_t{AST_auth_administration = AST_min, AST_none}; /* note: the desc struct must be the same as the beginning of the entry struct! 
*/ struct rsbac_acl_entry_t { rsbac_acl_int_subject_type_t subj_type; /* enum rsbac_acl_subject_type_t */ rsbac_acl_subject_id_t subj_id; rsbac_acl_rights_vector_t rights; }; struct rsbac_acl_entry_desc_t { rsbac_acl_int_subject_type_t subj_type; /* enum rsbac_acl_subject_type_t */ rsbac_acl_subject_id_t subj_id; }; struct rsbac_acl_old_entry_desc_t { rsbac_acl_int_subject_type_t subj_type; /* enum rsbac_acl_subject_type_t */ rsbac_acl_old_subject_id_t subj_id; }; enum rsbac_acl_group_type_t {ACLG_GLOBAL, ACLG_PRIVATE, ACLG_NONE}; typedef __u32 rsbac_acl_group_id_t; #define RSBAC_ACL_GROUP_NAMELEN 16 #define RSBAC_ACL_GROUP_VERSION 2 struct rsbac_acl_group_entry_t { rsbac_acl_group_id_t id; rsbac_uid_t owner; enum rsbac_acl_group_type_t type; char name[RSBAC_ACL_GROUP_NAMELEN]; }; /**** syscalls ****/ enum rsbac_acl_syscall_type_t { ACLC_set_acl_entry, ACLC_remove_acl_entry, ACLC_remove_acl, ACLC_add_to_acl_entry, ACLC_remove_from_acl_entry, ACLC_set_mask, ACLC_remove_user, ACLC_none }; struct rsbac_acl_syscall_arg_t { enum rsbac_target_t target; union rsbac_target_id_t tid; enum rsbac_acl_subject_type_t subj_type; rsbac_acl_subject_id_t subj_id; rsbac_acl_rights_vector_t rights; rsbac_time_t ttl; }; struct rsbac_acl_syscall_n_arg_t { enum rsbac_target_t target; char * name; enum rsbac_acl_subject_type_t subj_type; rsbac_acl_subject_id_t subj_id; rsbac_acl_rights_vector_t rights; rsbac_time_t ttl; }; enum rsbac_acl_group_syscall_type_t { ACLGS_add_group, ACLGS_change_group, ACLGS_remove_group, ACLGS_get_group_entry, ACLGS_list_groups, ACLGS_add_member, ACLGS_remove_member, ACLGS_get_user_groups, ACLGS_get_group_members, ACLGS_none }; struct rsbac_acl_add_group_arg_t { enum rsbac_acl_group_type_t type; char * name; rsbac_acl_group_id_t * group_id_p; }; struct rsbac_acl_change_group_arg_t { rsbac_acl_group_id_t id; rsbac_uid_t owner; enum rsbac_acl_group_type_t type; char * name; }; struct rsbac_acl_remove_group_arg_t { rsbac_acl_group_id_t id; }; struct 
rsbac_acl_get_group_entry_arg_t { rsbac_acl_group_id_t id; struct rsbac_acl_group_entry_t * entry_p; }; struct rsbac_acl_list_groups_arg_t { rsbac_boolean_t include_global; struct rsbac_acl_group_entry_t * group_entry_array; u_int maxnum; }; struct rsbac_acl_add_member_arg_t { rsbac_acl_group_id_t group; rsbac_uid_t user; rsbac_time_t ttl; }; struct rsbac_acl_remove_member_arg_t { rsbac_acl_group_id_t group; rsbac_uid_t user; }; struct rsbac_acl_get_user_groups_arg_t { rsbac_uid_t user; rsbac_acl_group_id_t * group_array; rsbac_time_t * ttl_array; u_int maxnum; }; struct rsbac_acl_get_group_members_arg_t { rsbac_acl_group_id_t group; rsbac_uid_t * user_array; rsbac_time_t * ttl_array; u_int maxnum; }; union rsbac_acl_group_syscall_arg_t { struct rsbac_acl_add_group_arg_t add_group; struct rsbac_acl_change_group_arg_t change_group; struct rsbac_acl_remove_group_arg_t remove_group; struct rsbac_acl_get_group_entry_arg_t get_group_entry; struct rsbac_acl_list_groups_arg_t list_groups; struct rsbac_acl_add_member_arg_t add_member; struct rsbac_acl_remove_member_arg_t remove_member; struct rsbac_acl_get_user_groups_arg_t get_user_groups; struct rsbac_acl_get_group_members_arg_t get_group_members; }; #endif rsbac-admin-1.4.0/main/headers/rsbac/fs.h0000644000175000017500000000343111131371037017752 0ustar gauvaingauvain/************************************* */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2004: Amon Ott */ /* File system */ /* helper functions for all parts */ /* Last modified: 30/Apr/2004 */ /************************************* */ #ifndef __RSBAC_FS_H #define __RSBAC_FS_H #include #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) #include #include #include #endif /* original lookup_dentry function without rsbac patch for adf call */ struct dentry * rsbac_lookup_hash(struct qstr *name, struct dentry * base); struct dentry * rsbac_lookup_one_len(const char * name, struct dentry * base, int len); #ifndef SOCKFS_MAGIC #define SOCKFS_MAGIC 
0x534F434B
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
#ifndef SYSFS_MAGIC
#define SYSFS_MAGIC 0x62656572
#endif
#endif
/* Prototype only (defined elsewhere); presumably resolves a device number
 * to its super block — confirm against the implementation. */
struct super_block * rsbac_get_super_block(kdev_t kdev);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
extern void FASTCALL(__fput(struct file *));
#else
#ifndef __fput
extern void __fput(struct file *);
#endif
#endif
#ifndef SHM_FS_MAGIC
#define SHM_FS_MAGIC 0x02011994
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
/*
 * Initialise a caller-supplied struct file on dentry for kernel-internal use,
 * bypassing the regular open() path.
 *
 * filp:   zero-filled here and then populated; must point to valid storage.
 * dentry: the object to open. dentry->d_inode and its i_fop are dereferenced
 *         without a NULL check, so the caller must pass a dentry whose inode
 *         is populated.
 * mode:   stored verbatim as filp->f_mode.
 *
 * Returns whatever the inode's open() operation returns when one is set,
 * otherwise 0. On a non-zero return the struct file has already been filled
 * in; nothing here undoes that, so the caller decides what to do with it.
 */
static inline int init_private_file(struct file *filp, struct dentry *dentry, int mode)
{
	memset(filp, 0, sizeof(*filp));
	filp->f_mode = mode;
	atomic_set(&filp->f_count, 1);
	filp->f_dentry = dentry;
	/* Ownership comes from the calling task's fs credentials, not from the inode. */
	filp->f_uid = current->fsuid;
	filp->f_gid = current->fsgid;
	filp->f_op = dentry->d_inode->i_fop;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,2)
	filp->f_mapping = dentry->d_inode->i_mapping;
	file_ra_state_init(&filp->f_ra, filp->f_mapping);
#endif
	/* f_op itself is not NULL-checked: a NULL i_fop faults on this line. */
	if (filp->f_op->open)
		return filp->f_op->open(dentry->d_inode, filp);
	else
		return 0;
}
#endif
#endif
rsbac-admin-1.4.0/main/headers/rsbac/um_types.h0000644000175000017500000000556611131371037021220 0ustar gauvaingauvain
/**************************************/
/* Rule Set Based Access Control      */
/* Author and (c) 1999-2007: Amon Ott */
/* User Management Data structures    */
/* Last modified: 16/Sep/2007         */
/**************************************/
#ifndef __RSBAC_UM_TYPES_H
#define __RSBAC_UM_TYPES_H
//#include
/* Disabled block: kernel-only includes kept for reference. */
#if 0
#ifdef __KERNEL__ /* only include in kernel code */
#include
#include
#endif /* __KERNEL__ */
#endif
#define RSBAC_UM_MAX_MAXNUM 1000000
/* List identifiers for users, groups and password history.
 * NOTE(review): the *_OLD_* names presumably refer to an earlier list
 * layout kept for migration — confirm against the list code. */
#define RSBAC_UM_USER_LIST_NAME "um_user"
#define RSBAC_UM_GROUP_LIST_NAME "um_grp"
#define RSBAC_UM_USER_PWHISTORY_LIST_NAME "um_pwh"
#define RSBAC_UM_OLD_USER_LIST_NAME "um_u."
#define RSBAC_UM_OLD_GROUP_LIST_NAME "um_g."
#define RSBAC_UM_OLD_USER_PWHISTORY_LIST_NAME "um_pwh."
/* Number of user, group and password-history lists (8 each). */
#define RSBAC_UM_NR_USER_LISTS 8
#define RSBAC_UM_NR_GROUP_LISTS 8
#define RSBAC_UM_NR_USER_PWHISTORY_LISTS 8
/* Current list format version (2) and the previous one (1) per list kind. */
#define RSBAC_UM_USER_LIST_VERSION 2
#define RSBAC_UM_GROUP_LIST_VERSION 2
#define RSBAC_UM_USER_PWHISTORY_LIST_VERSION 2
#define RSBAC_UM_USER_OLD_LIST_VERSION 1
#define RSBAC_UM_GROUP_OLD_LIST_VERSION 1
#define RSBAC_UM_USER_PWHISTORY_OLD_LIST_VERSION 1
/* Fixed numeric list keys. NOTE(review): what these identify or protect is
 * not visible in this header — confirm against the generic list code. */
#define RSBAC_UM_USER_LIST_KEY 6363636
#define RSBAC_UM_GROUP_LIST_KEY 9847298
#define RSBAC_UM_USER_PWHISTORY_LIST_KEY 8854687
/* Fixed buffer sizes (including the terminating NUL, presumably) of the
 * string fields below; the *_OLD_* sizes belong to the version-1 layout.
 * Any copy from a longer source into these fields must be bounded by the
 * destination size, not the source. */
#define RSBAC_UM_NAME_LEN 65
#define RSBAC_UM_OLD_NAME_LEN 16
#define RSBAC_UM_PASS_LEN 24
#define RSBAC_UM_FULLNAME_LEN 65
#define RSBAC_UM_OLD_FULLNAME_LEN 30
#define RSBAC_UM_HOMEDIR_LEN 101
#define RSBAC_UM_OLD_HOMEDIR_LEN 50
#define RSBAC_UM_SHELL_LEN 45
#define RSBAC_UM_OLD_SHELL_LEN 24
/* Signed 32-bit day count used for the password-ageing fields. */
typedef __s32 rsbac_um_days_t;
/* Selects which user/group field a modify or get request addresses.
 * NOTE(review): UM_pass and UM_cryptpass are distinct selectors; how the
 * two differ (raw vs. already-transformed credential?) is not shown here. */
enum rsbac_um_mod_t {
	UM_name,
	UM_pass,
	UM_fullname,
	UM_homedir,
	UM_shell,
	UM_group,
	UM_lastchange,
	UM_minchange,
	UM_maxchange,
	UM_warnchange,
	UM_inactive,
	UM_expire,
	UM_ttl,
	UM_cryptpass,
	UM_none
};
/* Payload for a modify/get request; which member is live depends on the
 * rsbac_um_mod_t selector. `string` is sized by RSBAC_MAXNAMELEN (defined
 * elsewhere), which need not match the entry field lengths above. */
union rsbac_um_mod_data_t {
	char string[RSBAC_MAXNAMELEN];
	rsbac_gid_num_t group;
	rsbac_um_days_t days;
	rsbac_time_t ttl;
};
/* One user account record. The day-count fields mirror shadow-style
 * password ageing. `pass` is secret material: its storage format is not
 * visible in this header — TODO confirm it is never a plaintext password. */
struct rsbac_um_user_entry_t {
	rsbac_gid_num_t group;
	rsbac_um_days_t lastchange;
	rsbac_um_days_t minchange;
	rsbac_um_days_t maxchange;
	rsbac_um_days_t warnchange;
	rsbac_um_days_t inactive;
	rsbac_um_days_t expire;
	char name[RSBAC_UM_NAME_LEN];
	char pass[RSBAC_UM_PASS_LEN];
	char fullname[RSBAC_UM_FULLNAME_LEN];
	char homedir[RSBAC_UM_HOMEDIR_LEN];
	char shell[RSBAC_UM_SHELL_LEN];
};
/* Initializer for a fresh user entry: group 65534, lastchange and expire
 * 100000 days, maxchange 365, warnchange 10, inactive 3, empty name,
 * pass and fullname, home "/home", shell "/bin/sh".
 * NOTE(review): the default pass is empty — confirm every caller sets it
 * before the entry is stored. */
#define DEFAULT_UM_U_ENTRY \
{ \
	65534, /* group */ \
	100000, /* lastchange */ \
	0, /* minchange */ \
	365, /* maxchange */ \
	10, /* warnchange */ \
	3, /* inactive */ \
	100000, /* expire */ \
	"", /* name */ \
	"", /* pass */ \
	"", /* fullname */ \
	"/home", /* homedir */ \
	"/bin/sh" /* shell */ \
}
/* One group record; same caveat on `pass` as for the user entry. */
struct rsbac_um_group_entry_t {
	char name[RSBAC_UM_NAME_LEN];
	char pass[RSBAC_UM_PASS_LEN];
};
/* Initializer for a fresh group entry: empty name and pass. */
#define DEFAULT_UM_G_ENTRY \
{ \
	"", /* name */ \
	"" /* pass */ \
}
#endif
rsbac-admin-1.4.0/main/headers/rsbac/pax_getname.h0000644000175000017500000000103311131371037021626 0ustar gauvaingauvain
/********************************** */
/* Rule Set Based Access Control    */
/* Author and (c) 1999-2004:        */
/*         Amon Ott                 */
/* Getname functions for PAX module */
/* Last modified: 06/Jan/2004       */
/********************************** */
#ifndef __RSBAC_PAX_GETNAME_H
#define __RSBAC_PAX_GETNAME_H
#include
/* Render `flags` as text into `string`; returns a char pointer, presumably
 * `string` itself — confirm in the implementation. There is no length
 * parameter, so the caller must size the buffer for the longest possible
 * rendering of every flag. */
char * pax_print_flags(char * string, rsbac_pax_flags_t flags);
#ifndef __KERNEL__
/* Userland only: parse `string` into a flags value, presumably starting
 * from `init_flags` — confirm how unrecognised input is treated. */
rsbac_pax_flags_t pax_strtoflags(char * string, rsbac_pax_flags_t init_flags);
#endif
#endif
rsbac-admin-1.4.0/main/headers/rsbac/repl_types.h0000644000175000017500000000155411131371037021534 0ustar gauvaingauvain
/*************************************************** */
/* Rule Set Based Access Control                     */
/* Author and (c) 1999-2005: Amon Ott                */
/* Generic lists - internal structures               */
/* Last modified: 04/Apr/2005                        */
/*************************************************** */
#ifndef __RSBAC_REPL_TYPES_H
#define __RSBAC_REPL_TYPES_H
#include
/* Fixed buffer sizes for the replication partner record below. */
#define RSBAC_LIST_REPL_NAME_LEN 16
#define RSBAC_LIST_REPL_CRYPTKEY_LEN 256
#define RSBAC_LIST_REPL_CRYPTALGO_LEN 64
typedef __u32 rsbac_list_repl_partner_number_t;
/* One replication partner. `crypt_key` holds raw key material in a plain
 * array, so the record as a whole is sensitive: clear it when discarded and
 * keep it out of logs. `crypt_key_len` is not bounded by the struct itself —
 * consumers must check it against RSBAC_LIST_REPL_CRYPTKEY_LEN before using
 * it as a length. The byte order of `ip_addr` is not stated here. */
struct rsbac_list_repl_partner_entry_t {
	char name[RSBAC_LIST_REPL_NAME_LEN];
	__u32 ip_addr;
	char crypt_algo[RSBAC_LIST_REPL_CRYPTALGO_LEN];
	char crypt_key[RSBAC_LIST_REPL_CRYPTKEY_LEN];
	__u32 crypt_key_len;
};
#endif
rsbac-admin-1.4.0/main/headers/rsbac/pax.h0000644000175000017500000000116611131371037020135 0ustar gauvaingauvain
/************************************ */
/* Rule Set Based Access Control      */
/* Author and (c) 1999-2004: Amon Ott */
/* API:                               */
/* Functions for Access               */
/* Control Information / PAX          */
/* Last modified: 12/Jan/2004         */
/************************************ */
#ifndef __RSBAC_PAX_H
#define __RSBAC_PAX_H
#include
/***************************************************/
/*                 General Prototypes              */
/***************************************************/
void
rsbac_pax_set_flags_func(struct linux_binprm * bprm); #endif rsbac-admin-1.4.0/main/headers/rsbac/syscalls.h0000644000175000017500000011241311131371037021200 0ustar gauvaingauvain/************************************* */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2008: */ /* Amon Ott */ /* Syscall wrapper functions for all */ /* parts */ /* Last modified: 03/Mar/2008 */ /************************************* */ #ifndef __RSBAC_SYSCALLS_H #define __RSBAC_SYSCALLS_H #include #include #include #include #include enum rsbac_syscall_t { RSYS_version, RSYS_stats, RSYS_check, RSYS_get_attr, RSYS_get_attr_n, RSYS_set_attr, RSYS_set_attr_n, RSYS_remove_target, RSYS_remove_target_n, RSYS_net_list_all_netdev, RSYS_net_template, RSYS_net_list_all_template, RSYS_switch, RSYS_get_switch, RSYS_adf_log_switch, RSYS_get_adf_log, RSYS_write, RSYS_log, RSYS_mac_set_curr_level, RSYS_mac_get_curr_level, RSYS_mac_get_max_level, RSYS_mac_get_min_level, RSYS_mac_add_p_tru, RSYS_mac_remove_p_tru, RSYS_mac_add_f_tru, RSYS_mac_remove_f_tru, RSYS_mac_get_f_trulist, RSYS_mac_get_p_trulist, RSYS_stats_pm, RSYS_pm, RSYS_pm_change_current_task, RSYS_pm_create_file, RSYS_daz_flush_cache, RSYS_rc_copy_role, RSYS_rc_copy_type, RSYS_rc_get_item, RSYS_rc_set_item, RSYS_rc_change_role, RSYS_rc_get_eff_rights_n, RSYS_rc_get_list, RSYS_auth_add_p_cap, RSYS_auth_remove_p_cap, RSYS_auth_add_f_cap, RSYS_auth_remove_f_cap, RSYS_auth_get_f_caplist, RSYS_auth_get_p_caplist, RSYS_acl, RSYS_acl_n, RSYS_acl_get_rights, RSYS_acl_get_rights_n, RSYS_acl_get_tlist, RSYS_acl_get_tlist_n, RSYS_acl_get_mask, RSYS_acl_get_mask_n, RSYS_acl_group, RSYS_reg, RSYS_jail, RSYS_init, RSYS_rc_get_current_role, RSYS_um_auth_name, RSYS_um_auth_uid, RSYS_um_add_user, RSYS_um_add_group, RSYS_um_add_gm, RSYS_um_mod_user, RSYS_um_mod_group, RSYS_um_get_user_item, RSYS_um_get_group_item, RSYS_um_remove_user, RSYS_um_remove_group, RSYS_um_remove_gm, RSYS_um_user_exists, RSYS_um_group_exists, RSYS_um_get_next_user, 
RSYS_um_get_user_list, RSYS_um_get_gm_list, RSYS_um_get_gm_user_list, RSYS_um_get_group_list, RSYS_um_get_uid, RSYS_um_get_gid, RSYS_um_set_pass, RSYS_um_set_pass_name, RSYS_um_set_group_pass, RSYS_um_check_account, RSYS_um_check_account_name, RSYS_list_ta_begin, RSYS_list_ta_refresh, RSYS_list_ta_commit, RSYS_list_ta_forget, RSYS_list_all_dev, RSYS_acl_list_all_dev, RSYS_list_all_user, RSYS_acl_list_all_user, RSYS_list_all_group, RSYS_acl_list_all_group, RSYS_list_all_ipc, RSYS_rc_select_fd_create_type, RSYS_um_select_vset, RSYS_um_add_onetime, RSYS_um_add_onetime_name, RSYS_um_remove_all_onetime, RSYS_um_remove_all_onetime_name, RSYS_um_count_onetime, RSYS_um_count_onetime_name, RSYS_none }; struct rsys_check_t { int correct; int check_inode; }; struct rsys_get_attr_t { rsbac_list_ta_number_t ta_number; rsbac_enum_t module; rsbac_enum_t target; union rsbac_target_id_t * tid; rsbac_enum_t attr; union rsbac_attribute_value_t * value; int inherit; }; struct rsys_get_attr_n_t { rsbac_list_ta_number_t ta_number; rsbac_enum_t module; rsbac_enum_t target; char * t_name; rsbac_enum_t attr; union rsbac_attribute_value_t * value; int inherit; }; struct rsys_set_attr_t { rsbac_list_ta_number_t ta_number; rsbac_enum_t module; rsbac_enum_t target; union rsbac_target_id_t * tid; rsbac_enum_t attr; union rsbac_attribute_value_t * value; }; struct rsys_set_attr_n_t { rsbac_list_ta_number_t ta_number; rsbac_enum_t module; rsbac_enum_t target; char * t_name; rsbac_enum_t attr; union rsbac_attribute_value_t * value; }; struct rsys_remove_target_t { rsbac_list_ta_number_t ta_number; rsbac_enum_t target; union rsbac_target_id_t * tid; }; struct rsys_remove_target_n_t { rsbac_list_ta_number_t ta_number; rsbac_enum_t target; char * t_name; }; struct rsys_net_list_all_netdev_t { rsbac_list_ta_number_t ta_number; rsbac_netdev_id_t * id_p; u_long maxnum; }; struct rsys_net_template_t { rsbac_list_ta_number_t ta_number; rsbac_enum_t call; rsbac_net_temp_id_t id; union 
rsbac_net_temp_syscall_data_t * data_p; }; struct rsys_net_list_all_template_t { rsbac_list_ta_number_t ta_number; rsbac_net_temp_id_t * id_p; u_long maxnum; }; struct rsys_switch_t { rsbac_enum_t module; int value; }; struct rsys_get_switch_t { rsbac_enum_t module; int * value_p; int * switchable_p; }; struct rsys_adf_log_switch_t { rsbac_enum_t request; rsbac_enum_t target; u_int value; }; struct rsys_get_adf_log_t { rsbac_enum_t request; rsbac_enum_t target; u_int * value_p; }; struct rsys_log_t { int type; char * buf; int len; }; struct rsys_mac_set_curr_level_t { rsbac_security_level_t level; rsbac_mac_category_vector_t * categories_p; }; struct rsys_mac_get_curr_level_t { rsbac_security_level_t * level_p; rsbac_mac_category_vector_t * categories_p; }; struct rsys_mac_get_max_level_t { rsbac_security_level_t * level_p; rsbac_mac_category_vector_t * categories_p; }; struct rsys_mac_get_min_level_t { rsbac_security_level_t * level_p; rsbac_mac_category_vector_t * categories_p; }; struct rsys_mac_add_p_tru_t { rsbac_list_ta_number_t ta_number; rsbac_pid_t pid; rsbac_uid_t uid; rsbac_time_t ttl; }; struct rsys_mac_remove_p_tru_t { rsbac_list_ta_number_t ta_number; rsbac_pid_t pid; rsbac_uid_t uid; }; struct rsys_mac_add_f_tru_t { rsbac_list_ta_number_t ta_number; char * filename; rsbac_uid_t uid; rsbac_time_t ttl; }; struct rsys_mac_remove_f_tru_t { rsbac_list_ta_number_t ta_number; char * filename; rsbac_uid_t uid; }; struct rsys_mac_get_f_trulist_t { rsbac_list_ta_number_t ta_number; char * filename; rsbac_uid_t * trulist; rsbac_time_t * ttllist; u_int maxnum; }; struct rsys_mac_get_p_trulist_t { rsbac_list_ta_number_t ta_number; rsbac_pid_t pid; rsbac_uid_t * trulist; rsbac_time_t * ttllist; u_int maxnum; }; struct rsys_pm_t { rsbac_list_ta_number_t ta_number; rsbac_enum_t function; union rsbac_pm_function_param_t * param_p; rsbac_pm_tkt_id_t ticket; }; struct rsys_pm_change_current_task_t { rsbac_pm_task_id_t task; }; struct rsys_pm_create_file_t { const char 
* filename; int mode; rsbac_pm_object_class_id_t object_class; }; struct rsys_rc_copy_role_t { rsbac_list_ta_number_t ta_number; rsbac_rc_role_id_t from_role; rsbac_rc_role_id_t to_role; }; struct rsys_rc_copy_type_t { rsbac_list_ta_number_t ta_number; rsbac_enum_t target; rsbac_rc_type_id_t from_type; rsbac_rc_type_id_t to_type; }; struct rsys_rc_get_item_t { rsbac_list_ta_number_t ta_number; rsbac_enum_t target; union rsbac_rc_target_id_t * tid_p; union rsbac_rc_target_id_t * subtid_p; rsbac_enum_t item; union rsbac_rc_item_value_t * value_p; rsbac_time_t * ttl_p; }; struct rsys_rc_set_item_t { rsbac_list_ta_number_t ta_number; rsbac_enum_t target; union rsbac_rc_target_id_t * tid_p; union rsbac_rc_target_id_t * subtid_p; rsbac_enum_t item; union rsbac_rc_item_value_t * value_p; rsbac_time_t ttl; }; struct rsys_rc_get_list_t { rsbac_list_ta_number_t ta_number; rsbac_enum_t target; union rsbac_rc_target_id_t * tid_p; rsbac_enum_t item; u_int maxnum; __u32 * array_p; rsbac_time_t * ttl_array_p; }; struct rsys_rc_change_role_t { rsbac_rc_role_id_t role; char * pass; }; struct rsys_rc_get_eff_rights_n_t { rsbac_list_ta_number_t ta_number; rsbac_enum_t target; char * t_name; rsbac_rc_request_vector_t * request_vector_p; rsbac_time_t * ttl_p; }; struct rsys_rc_get_current_role_t { rsbac_rc_role_id_t * role_p; }; struct rsys_auth_add_p_cap_t { rsbac_list_ta_number_t ta_number; rsbac_pid_t pid; rsbac_enum_t cap_type; struct rsbac_auth_cap_range_t cap_range; rsbac_time_t ttl; }; struct rsys_auth_remove_p_cap_t { rsbac_list_ta_number_t ta_number; rsbac_pid_t pid; rsbac_enum_t cap_type; struct rsbac_auth_cap_range_t cap_range; }; struct rsys_auth_add_f_cap_t { rsbac_list_ta_number_t ta_number; char * filename; rsbac_enum_t cap_type; struct rsbac_auth_cap_range_t cap_range; rsbac_time_t ttl; }; struct rsys_auth_remove_f_cap_t { rsbac_list_ta_number_t ta_number; char * filename; rsbac_enum_t cap_type; struct rsbac_auth_cap_range_t cap_range; }; struct 
rsys_auth_get_f_caplist_t { rsbac_list_ta_number_t ta_number; char * filename; rsbac_enum_t cap_type; struct rsbac_auth_cap_range_t * caplist; rsbac_time_t * ttllist; u_int maxnum; }; struct rsys_auth_get_p_caplist_t { rsbac_list_ta_number_t ta_number; rsbac_pid_t pid; rsbac_enum_t cap_type; struct rsbac_auth_cap_range_t * caplist; rsbac_time_t * ttllist; u_int maxnum; }; struct rsys_acl_t { rsbac_list_ta_number_t ta_number; rsbac_enum_t call; struct rsbac_acl_syscall_arg_t * arg; }; struct rsys_acl_n_t { rsbac_list_ta_number_t ta_number; rsbac_enum_t call; struct rsbac_acl_syscall_n_arg_t * arg; }; struct rsys_acl_get_rights_t { rsbac_list_ta_number_t ta_number; struct rsbac_acl_syscall_arg_t * arg; rsbac_acl_rights_vector_t * rights_p; u_int effective; }; struct rsys_acl_get_rights_n_t { rsbac_list_ta_number_t ta_number; struct rsbac_acl_syscall_n_arg_t * arg; rsbac_acl_rights_vector_t * rights_p; u_int effective; }; struct rsys_acl_get_tlist_t { rsbac_list_ta_number_t ta_number; rsbac_enum_t target; union rsbac_target_id_t * tid; struct rsbac_acl_entry_t * entry_array; rsbac_time_t * ttl_array; u_int maxnum; }; struct rsys_acl_get_tlist_n_t { rsbac_list_ta_number_t ta_number; rsbac_enum_t target; char * t_name; struct rsbac_acl_entry_t * entry_array; rsbac_time_t * ttl_array; u_int maxnum; }; struct rsys_acl_get_mask_t { rsbac_list_ta_number_t ta_number; rsbac_enum_t target; union rsbac_target_id_t * tid; rsbac_acl_rights_vector_t * mask_p; }; struct rsys_acl_get_mask_n_t { rsbac_list_ta_number_t ta_number; rsbac_enum_t target; char * t_name; rsbac_acl_rights_vector_t * mask_p; }; struct rsys_acl_group_t { rsbac_list_ta_number_t ta_number; rsbac_enum_t call; union rsbac_acl_group_syscall_arg_t * arg_p; }; struct rsys_reg_t { long handle; void * arg; }; struct rsys_jail_t { rsbac_version_t version; char * path; rsbac_jail_ip_t ip; rsbac_jail_flags_t flags; rsbac_cap_vector_t max_caps; rsbac_jail_scd_vector_t scd_get; rsbac_jail_scd_vector_t scd_modify; }; struct 
rsys_init_t { char * root_dev; }; struct rsys_um_auth_name_t { char * name; char * pass; }; struct rsys_um_auth_uid_t { rsbac_uid_t uid; char * pass; }; struct rsys_um_add_user_t { rsbac_list_ta_number_t ta_number; rsbac_uid_t uid; struct rsbac_um_user_entry_t * entry_p; char * pass; rsbac_time_t ttl; }; struct rsys_um_add_group_t { rsbac_list_ta_number_t ta_number; rsbac_gid_t gid; struct rsbac_um_group_entry_t * entry_p; char * pass; rsbac_time_t ttl; }; struct rsys_um_add_gm_t { rsbac_list_ta_number_t ta_number; rsbac_uid_t uid; rsbac_gid_num_t gid; rsbac_time_t ttl; }; struct rsys_um_mod_user_t { rsbac_list_ta_number_t ta_number; rsbac_uid_t uid; rsbac_enum_t mod; union rsbac_um_mod_data_t * data_p; }; struct rsys_um_mod_group_t { rsbac_list_ta_number_t ta_number; rsbac_gid_t gid; rsbac_enum_t mod; union rsbac_um_mod_data_t * data_p; }; struct rsys_um_get_user_item_t { rsbac_list_ta_number_t ta_number; rsbac_uid_t uid; rsbac_enum_t mod; union rsbac_um_mod_data_t * data_p; }; struct rsys_um_get_group_item_t { rsbac_list_ta_number_t ta_number; rsbac_gid_t gid; rsbac_enum_t mod; union rsbac_um_mod_data_t * data_p; }; struct rsys_um_remove_user_t { rsbac_list_ta_number_t ta_number; rsbac_uid_t uid; }; struct rsys_um_remove_group_t { rsbac_list_ta_number_t ta_number; rsbac_gid_t gid; }; struct rsys_um_remove_gm_t { rsbac_list_ta_number_t ta_number; rsbac_uid_t uid; rsbac_gid_num_t gid; }; struct rsys_um_user_exists_t { rsbac_list_ta_number_t ta_number; rsbac_uid_t uid; }; struct rsys_um_group_exists_t { rsbac_list_ta_number_t ta_number; rsbac_gid_t gid; }; struct rsys_um_get_next_user_t { rsbac_list_ta_number_t ta_number; rsbac_uid_t old_user; rsbac_uid_t * next_user_p; }; struct rsys_um_get_user_list_t { rsbac_list_ta_number_t ta_number; rsbac_um_set_t vset; rsbac_uid_t * user_array; u_int maxnum; }; struct rsys_um_get_gm_list_t { rsbac_list_ta_number_t ta_number; rsbac_uid_t user; rsbac_gid_num_t * group_array; u_int maxnum; }; struct rsys_um_get_gm_user_list_t { 
rsbac_list_ta_number_t ta_number; rsbac_gid_t group; rsbac_uid_num_t * user_array; u_int maxnum; }; struct rsys_um_get_group_list_t { rsbac_list_ta_number_t ta_number; rsbac_um_set_t vset; rsbac_gid_t * group_array; u_int maxnum; }; struct rsys_um_get_uid_t { rsbac_list_ta_number_t ta_number; char * name; rsbac_uid_t * uid_p; }; struct rsys_um_get_gid_t { rsbac_list_ta_number_t ta_number; char * name; rsbac_gid_t * gid_p; }; struct rsys_um_set_pass_t { rsbac_uid_t uid; char * old_pass; char * new_pass; }; struct rsys_um_set_pass_name_t { char * name; char * old_pass; char * new_pass; }; struct rsys_um_add_onetime_t { rsbac_uid_t uid; char * old_pass; char * new_pass; rsbac_time_t ttl; }; struct rsys_um_add_onetime_name_t { char * name; char * old_pass; char * new_pass; rsbac_time_t ttl; }; struct rsys_um_remove_all_onetime_t { rsbac_uid_t uid; char * old_pass; }; struct rsys_um_remove_all_onetime_name_t { char * name; char * old_pass; }; struct rsys_um_count_onetime_t { rsbac_uid_t uid; char * old_pass; }; struct rsys_um_count_onetime_name_t { char * name; char * old_pass; }; struct rsys_um_set_group_pass_t { rsbac_gid_t gid; char * new_pass; }; struct rsys_um_check_account_t { rsbac_uid_t uid; }; struct rsys_um_check_account_name_t { char * name; }; struct rsys_um_select_vset_t { rsbac_um_set_t vset; }; struct rsys_list_ta_begin_t { rsbac_time_t ttl; rsbac_list_ta_number_t * ta_number_p; rsbac_uid_t commit_uid; char * password; }; struct rsys_list_ta_refresh_t { rsbac_time_t ttl; rsbac_list_ta_number_t ta_number; char * password; }; struct rsys_list_ta_commit_t { rsbac_list_ta_number_t ta_number; char * password; }; struct rsys_list_ta_forget_t { rsbac_list_ta_number_t ta_number; char * password; }; struct rsys_list_all_dev_t { rsbac_list_ta_number_t ta_number; struct rsbac_dev_desc_t * id_p; u_long maxnum; }; struct rsys_acl_list_all_dev_t { rsbac_list_ta_number_t ta_number; struct rsbac_dev_desc_t * id_p; u_long maxnum; }; struct rsys_list_all_user_t { 
rsbac_list_ta_number_t ta_number; rsbac_uid_t * id_p; u_long maxnum; }; struct rsys_acl_list_all_user_t { rsbac_list_ta_number_t ta_number; rsbac_uid_t * id_p; u_long maxnum; }; struct rsys_list_all_group_t { rsbac_list_ta_number_t ta_number; rsbac_gid_t * id_p; u_long maxnum; }; struct rsys_acl_list_all_group_t { rsbac_list_ta_number_t ta_number; rsbac_gid_t * id_p; u_long maxnum; }; struct rsys_list_all_ipc_t { rsbac_list_ta_number_t ta_number; struct rsbac_ipc_t *id_p; u_long maxnum; }; struct rsys_rc_select_fd_create_type_t { rsbac_rc_type_id_t type; }; union rsbac_syscall_arg_t { struct rsys_check_t check; struct rsys_get_attr_t get_attr; struct rsys_get_attr_n_t get_attr_n; struct rsys_set_attr_t set_attr; struct rsys_set_attr_n_t set_attr_n; struct rsys_remove_target_t remove_target; struct rsys_remove_target_n_t remove_target_n; struct rsys_net_list_all_netdev_t net_list_all_netdev; struct rsys_net_template_t net_template; struct rsys_net_list_all_template_t net_list_all_template; struct rsys_switch_t switch_module; struct rsys_get_switch_t get_switch_module; struct rsys_adf_log_switch_t adf_log_switch; struct rsys_get_adf_log_t get_adf_log; struct rsys_log_t log; struct rsys_mac_set_curr_level_t mac_set_curr_level; struct rsys_mac_get_curr_level_t mac_get_curr_level; struct rsys_mac_get_max_level_t mac_get_max_level; struct rsys_mac_get_min_level_t mac_get_min_level; struct rsys_mac_add_p_tru_t mac_add_p_tru; struct rsys_mac_remove_p_tru_t mac_remove_p_tru; struct rsys_mac_add_f_tru_t mac_add_f_tru; struct rsys_mac_remove_f_tru_t mac_remove_f_tru; struct rsys_mac_get_f_trulist_t mac_get_f_trulist; struct rsys_mac_get_p_trulist_t mac_get_p_trulist; struct rsys_pm_t pm; struct rsys_pm_change_current_task_t pm_change_current_task; struct rsys_pm_create_file_t pm_create_file; struct rsys_rc_copy_role_t rc_copy_role; struct rsys_rc_copy_type_t rc_copy_type; struct rsys_rc_get_item_t rc_get_item; struct rsys_rc_set_item_t rc_set_item; struct rsys_rc_get_list_t 
rc_get_list; struct rsys_rc_change_role_t rc_change_role; struct rsys_rc_get_eff_rights_n_t rc_get_eff_rights_n; struct rsys_rc_get_current_role_t rc_get_current_role; struct rsys_auth_add_p_cap_t auth_add_p_cap; struct rsys_auth_remove_p_cap_t auth_remove_p_cap; struct rsys_auth_add_f_cap_t auth_add_f_cap; struct rsys_auth_remove_f_cap_t auth_remove_f_cap; struct rsys_auth_get_f_caplist_t auth_get_f_caplist; struct rsys_auth_get_p_caplist_t auth_get_p_caplist; struct rsys_acl_t acl; struct rsys_acl_n_t acl_n; struct rsys_acl_get_rights_t acl_get_rights; struct rsys_acl_get_rights_n_t acl_get_rights_n; struct rsys_acl_get_tlist_t acl_get_tlist; struct rsys_acl_get_tlist_n_t acl_get_tlist_n; struct rsys_acl_get_mask_t acl_get_mask; struct rsys_acl_get_mask_n_t acl_get_mask_n; struct rsys_acl_group_t acl_group; struct rsys_reg_t reg; struct rsys_jail_t jail; struct rsys_init_t init; struct rsys_um_auth_name_t um_auth_name; struct rsys_um_auth_uid_t um_auth_uid; struct rsys_um_add_user_t um_add_user; struct rsys_um_add_group_t um_add_group; struct rsys_um_add_gm_t um_add_gm; struct rsys_um_mod_user_t um_mod_user; struct rsys_um_mod_group_t um_mod_group; struct rsys_um_get_user_item_t um_get_user_item; struct rsys_um_get_group_item_t um_get_group_item; struct rsys_um_remove_user_t um_remove_user; struct rsys_um_remove_group_t um_remove_group; struct rsys_um_remove_gm_t um_remove_gm; struct rsys_um_user_exists_t um_user_exists; struct rsys_um_group_exists_t um_group_exists; struct rsys_um_get_next_user_t um_get_next_user; struct rsys_um_get_user_list_t um_get_user_list; struct rsys_um_get_gm_list_t um_get_gm_list; struct rsys_um_get_gm_user_list_t um_get_gm_user_list; struct rsys_um_get_group_list_t um_get_group_list; struct rsys_um_get_uid_t um_get_uid; struct rsys_um_get_gid_t um_get_gid; struct rsys_um_set_pass_t um_set_pass; struct rsys_um_set_pass_name_t um_set_pass_name; struct rsys_um_add_onetime_t um_add_onetime; struct rsys_um_add_onetime_name_t 
um_add_onetime_name; struct rsys_um_remove_all_onetime_t um_remove_all_onetime; struct rsys_um_remove_all_onetime_name_t um_remove_all_onetime_name; struct rsys_um_count_onetime_t um_count_onetime; struct rsys_um_count_onetime_name_t um_count_onetime_name; struct rsys_um_set_group_pass_t um_set_group_pass; struct rsys_um_check_account_t um_check_account; struct rsys_um_check_account_name_t um_check_account_name; struct rsys_list_ta_begin_t list_ta_begin; struct rsys_list_ta_refresh_t list_ta_refresh; struct rsys_list_ta_commit_t list_ta_commit; struct rsys_list_ta_forget_t list_ta_forget; struct rsys_list_all_dev_t list_all_dev; struct rsys_acl_list_all_dev_t acl_list_all_dev; struct rsys_list_all_user_t list_all_user; struct rsys_acl_list_all_user_t acl_list_all_user; struct rsys_list_all_group_t list_all_group; struct rsys_acl_list_all_group_t acl_list_all_group; struct rsys_list_all_ipc_t list_all_ipc; struct rsys_rc_select_fd_create_type_t rc_select_fd_create_type; struct rsys_um_select_vset_t um_select_vset; int dummy; }; #ifndef __KERNEL__ int rsbac_version(void); int rsbac_stats(void); int rsbac_check(int correct, int check_inode); int rsbac_write(void); int rsbac_get_attr( rsbac_list_ta_number_t ta_number, enum rsbac_switch_target_t module, enum rsbac_target_t target, union rsbac_target_id_t * tid, enum rsbac_attribute_t attr, union rsbac_attribute_value_t * value, int inherit); int rsbac_get_attr_n( rsbac_list_ta_number_t ta_number, enum rsbac_switch_target_t module, enum rsbac_target_t target, char * t_name, enum rsbac_attribute_t attr, union rsbac_attribute_value_t * value, int inherit); int rsbac_set_attr( rsbac_list_ta_number_t ta_number, enum rsbac_switch_target_t module, enum rsbac_target_t target, union rsbac_target_id_t * tid, enum rsbac_attribute_t attr, union rsbac_attribute_value_t * value); int rsbac_set_attr_n( rsbac_list_ta_number_t ta_number, enum rsbac_switch_target_t module, enum rsbac_target_t target, char * t_name, enum rsbac_attribute_t 
attr, union rsbac_attribute_value_t * value); int rsbac_remove_target( rsbac_list_ta_number_t ta_number, enum rsbac_target_t target, union rsbac_target_id_t * tid); int rsbac_remove_target_n( rsbac_list_ta_number_t ta_number, enum rsbac_target_t target, char * t_name); int rsbac_net_list_all_netdev( rsbac_list_ta_number_t ta_number, rsbac_netdev_id_t * id_p, u_long maxnum); int rsbac_net_template( rsbac_list_ta_number_t ta_number, enum rsbac_net_temp_syscall_t call, rsbac_net_temp_id_t id, union rsbac_net_temp_syscall_data_t * data_p); int rsbac_net_list_all_template( rsbac_list_ta_number_t ta_number, rsbac_net_temp_id_t * id_p, u_long maxnum); int rsbac_switch(enum rsbac_switch_target_t module, int value); int rsbac_get_switch(enum rsbac_switch_target_t module, int * value_p, int * switchable_p); /************** MAC ***************/ int rsbac_mac_set_curr_level(rsbac_security_level_t level, rsbac_mac_category_vector_t * categories_p); int rsbac_mac_get_curr_level(rsbac_security_level_t * level_p, rsbac_mac_category_vector_t * categories_p); int rsbac_mac_get_max_level(rsbac_security_level_t * level_p, rsbac_mac_category_vector_t * categories_p); int rsbac_mac_get_min_level(rsbac_security_level_t * level_p, rsbac_mac_category_vector_t * categories_p); int rsbac_mac_add_p_tru( rsbac_list_ta_number_t ta_number, rsbac_pid_t pid, rsbac_uid_t uid, rsbac_time_t ttl); int rsbac_mac_remove_p_tru( rsbac_list_ta_number_t ta_number, rsbac_pid_t pid, rsbac_uid_t uid); int rsbac_mac_add_f_tru( rsbac_list_ta_number_t ta_number, char * filename, rsbac_uid_t uid, rsbac_time_t ttl); int rsbac_mac_remove_f_tru( rsbac_list_ta_number_t ta_number, char * filename, rsbac_uid_t uid); /* trulist must have space for maxnum rsbac_uid_t entries! 
*/ int rsbac_mac_get_f_trulist( rsbac_list_ta_number_t ta_number, char * filename, rsbac_uid_t trulist[], rsbac_time_t ttllist[], u_int maxnum); int rsbac_mac_get_p_trulist( rsbac_list_ta_number_t ta_number, rsbac_pid_t pid, rsbac_uid_t trulist[], rsbac_time_t ttllist[], u_int maxnum); /************** PM ***************/ int rsbac_stats_pm(void); int rsbac_pm( rsbac_list_ta_number_t ta_number, enum rsbac_pm_function_type_t function, union rsbac_pm_function_param_t * param_p, rsbac_pm_tkt_id_t ticket); int rsbac_pm_change_current_task(rsbac_pm_task_id_t task); int rsbac_pm_create_file(const char * filename, int mode, rsbac_pm_object_class_id_t object_class); /************** DAZ **************/ int rsbac_daz_flush_cache(void); /************** RC ***************/ int rsbac_rc_copy_role( rsbac_list_ta_number_t ta_number, rsbac_rc_role_id_t from_role, rsbac_rc_role_id_t to_role); int rsbac_rc_copy_type( rsbac_list_ta_number_t ta_number, enum rsbac_target_t target, rsbac_rc_type_id_t from_type, rsbac_rc_type_id_t to_type); int rsbac_rc_get_item( rsbac_list_ta_number_t ta_number, enum rsbac_rc_target_t target, union rsbac_rc_target_id_t * tid_p, union rsbac_rc_target_id_t * subtid_p, enum rsbac_rc_item_t item, union rsbac_rc_item_value_t * value_p, rsbac_time_t * ttl_p); /* Setting values */ int rsbac_rc_set_item( rsbac_list_ta_number_t ta_number, enum rsbac_rc_target_t target, union rsbac_rc_target_id_t * tid_p, union rsbac_rc_target_id_t * subtid_p, enum rsbac_rc_item_t item, union rsbac_rc_item_value_t * value_p, rsbac_time_t ttl); int rsbac_rc_get_list( rsbac_list_ta_number_t ta_number, enum rsbac_rc_target_t target, union rsbac_rc_target_id_t * tid_p, enum rsbac_rc_item_t item, u_int maxnum, __u32 * array_p, rsbac_time_t * ttl_array_p); int rsbac_rc_change_role (rsbac_rc_role_id_t role, char * pass); int rsbac_rc_get_eff_rights_n( rsbac_list_ta_number_t ta_number, enum rsbac_target_t target, char * t_name, rsbac_rc_request_vector_t * request_vector_p, rsbac_time_t * 
ttl_p); int rsbac_rc_get_current_role (rsbac_rc_role_id_t * role_p); int rsbac_rc_select_fd_create_type(rsbac_rc_type_id_t type); /************** AUTH ***************/ /* Provide means for adding and removing of capabilities */ int rsbac_auth_add_p_cap( rsbac_list_ta_number_t ta_number, rsbac_pid_t pid, enum rsbac_auth_cap_type_t cap_type, struct rsbac_auth_cap_range_t cap_range, rsbac_time_t ttl); int rsbac_auth_remove_p_cap( rsbac_list_ta_number_t ta_number, rsbac_pid_t pid, enum rsbac_auth_cap_type_t cap_type, struct rsbac_auth_cap_range_t cap_range); int rsbac_auth_add_f_cap( rsbac_list_ta_number_t ta_number, char * filename, enum rsbac_auth_cap_type_t cap_type, struct rsbac_auth_cap_range_t cap_range, rsbac_time_t ttl); int rsbac_auth_remove_f_cap( rsbac_list_ta_number_t ta_number, char * filename, enum rsbac_auth_cap_type_t cap_type, struct rsbac_auth_cap_range_t cap_range); /* caplist must have space for maxnum cap_range entries - first and last each! */ int rsbac_auth_get_f_caplist( rsbac_list_ta_number_t ta_number, char * filename, enum rsbac_auth_cap_type_t cap_type, struct rsbac_auth_cap_range_t caplist[], rsbac_time_t ttllist[], u_int maxnum); int rsbac_auth_get_p_caplist( rsbac_list_ta_number_t ta_number, rsbac_pid_t pid, enum rsbac_auth_cap_type_t cap_type, struct rsbac_auth_cap_range_t caplist[], rsbac_time_t ttllist[], u_int maxnum); /**********************************/ /************** REG ***************/ int rsbac_reg(rsbac_reg_handle_t handle, void * arg); /**********************************/ /************** ACL ***************/ int rsbac_acl( rsbac_list_ta_number_t ta_number, enum rsbac_acl_syscall_type_t call, struct rsbac_acl_syscall_arg_t * arg); int rsbac_acl_n( rsbac_list_ta_number_t ta_number, enum rsbac_acl_syscall_type_t call, struct rsbac_acl_syscall_n_arg_t * arg); int rsbac_acl_get_rights( rsbac_list_ta_number_t ta_number, struct rsbac_acl_syscall_arg_t * arg, rsbac_acl_rights_vector_t * rights_p, u_int effective); int 
rsbac_acl_get_rights_n( rsbac_list_ta_number_t ta_number, struct rsbac_acl_syscall_n_arg_t * arg, rsbac_acl_rights_vector_t * rights_p, u_int effective); int rsbac_acl_get_tlist ( rsbac_list_ta_number_t ta_number, enum rsbac_target_t target, union rsbac_target_id_t * tid, struct rsbac_acl_entry_t entry_array[], rsbac_time_t ttl_array[], u_int maxnum); int rsbac_acl_get_tlist_n( rsbac_list_ta_number_t ta_number, enum rsbac_target_t target, char * t_name, struct rsbac_acl_entry_t entry_array[], rsbac_time_t ttl_array[], u_int maxnum); int rsbac_acl_get_mask ( rsbac_list_ta_number_t ta_number, enum rsbac_target_t target, union rsbac_target_id_t * tid, rsbac_acl_rights_vector_t * mask_p); int rsbac_acl_get_mask_n( rsbac_list_ta_number_t ta_number, enum rsbac_target_t target, char * t_name, rsbac_acl_rights_vector_t * mask_p); /******** ACL groups *********/ int rsbac_acl_group( rsbac_list_ta_number_t ta_number, enum rsbac_acl_group_syscall_type_t call, union rsbac_acl_group_syscall_arg_t * arg_p); /**********************************/ /************** JAIL **************/ int rsbac_jail(rsbac_version_t version, char * path, rsbac_jail_ip_t ip, rsbac_jail_flags_t flags, rsbac_cap_vector_t max_caps, rsbac_jail_scd_vector_t scd_get, rsbac_jail_scd_vector_t scd_modify ); int rsbac_list_all_ipc(rsbac_list_ta_number_t ta_number, struct rsbac_ipc_t * id_p, u_long maxnum); /**********************************/ /************** UM **************/ int rsbac_um_auth_name(char * name, char * pass); int rsbac_um_auth_uid(rsbac_uid_t uid, char * pass); int rsbac_um_add_user( rsbac_list_ta_number_t ta_number, rsbac_uid_t uid, struct rsbac_um_user_entry_t * entry_p, char * pass, rsbac_time_t ttl); int rsbac_um_add_group( rsbac_list_ta_number_t ta_number, rsbac_gid_t gid, struct rsbac_um_group_entry_t * entry_p, char * pass, rsbac_time_t ttl); int rsbac_um_add_gm( rsbac_list_ta_number_t ta_number, rsbac_uid_t uid, rsbac_gid_num_t gid, rsbac_time_t ttl); int rsbac_um_mod_user( 
rsbac_list_ta_number_t ta_number, rsbac_uid_t uid, enum rsbac_um_mod_t mod, union rsbac_um_mod_data_t * data_p); int rsbac_um_mod_group( rsbac_list_ta_number_t ta_number, rsbac_gid_t gid, enum rsbac_um_mod_t mod, union rsbac_um_mod_data_t * data_p); int rsbac_um_get_user_item( rsbac_list_ta_number_t ta_number, rsbac_uid_t uid, enum rsbac_um_mod_t mod, union rsbac_um_mod_data_t * data_p); int rsbac_um_get_group_item( rsbac_list_ta_number_t ta_number, rsbac_gid_t gid, enum rsbac_um_mod_t mod, union rsbac_um_mod_data_t * data_p); int rsbac_um_remove_user( rsbac_list_ta_number_t ta_number, rsbac_uid_t uid); int rsbac_um_remove_group( rsbac_list_ta_number_t ta_number, rsbac_gid_t gid); int rsbac_um_remove_gm( rsbac_list_ta_number_t ta_number, rsbac_uid_t uid, rsbac_gid_num_t gid); int rsbac_um_user_exists( rsbac_list_ta_number_t ta_number, rsbac_uid_t uid); int rsbac_um_group_exists( rsbac_list_ta_number_t ta_number, rsbac_gid_t gid); int rsbac_um_get_next_user( rsbac_list_ta_number_t ta_number, rsbac_uid_t old_user, rsbac_uid_t * next_user_p); int rsbac_um_get_user_list( rsbac_list_ta_number_t ta_number, rsbac_um_set_t vset, rsbac_uid_t user_array[], u_int maxnum); int rsbac_um_get_gm_list( rsbac_list_ta_number_t ta_number, rsbac_uid_t user, rsbac_gid_num_t group_array[], u_int maxnum); int rsbac_um_get_gm_user_list( rsbac_list_ta_number_t ta_number, rsbac_gid_t group, rsbac_uid_num_t user_array[], u_int maxnum); int rsbac_um_get_group_list( rsbac_list_ta_number_t ta_number, rsbac_um_set_t vset, rsbac_gid_t group_array[], u_int maxnum); int rsbac_um_get_uid( rsbac_list_ta_number_t ta_number, char * name, rsbac_uid_t * uid_p); int rsbac_um_get_gid( rsbac_list_ta_number_t ta_number, char * name, rsbac_gid_t * gid_p); int rsbac_um_set_pass(rsbac_uid_t uid, char * old_pass, char * new_pass); int rsbac_um_set_pass_name(char * name, char * old_pass, char * new_pass); int rsbac_um_add_onetime(rsbac_uid_t uid, char * old_pass, char * new_pass, rsbac_time_t ttl); int 
rsbac_um_add_onetime_name(char * name, char * old_pass, char * new_pass, rsbac_time_t ttl); int rsbac_um_remove_all_onetime(rsbac_uid_t uid, char * old_pass); int rsbac_um_remove_all_onetime_name(char * name, char * old_pass); int rsbac_um_count_onetime(rsbac_uid_t uid, char * old_pass); int rsbac_um_count_onetime_name(char * name, char * old_pass); int rsbac_um_set_group_pass(rsbac_gid_t gid, char * new_pass); int rsbac_um_check_account(rsbac_uid_t uid); int rsbac_um_check_account_name(char * name); int rsbac_um_select_vset(rsbac_um_set_t vset); int rsbac_list_ta_begin(rsbac_time_t ttl, rsbac_list_ta_number_t * ta_number_p, rsbac_uid_t commit_uid, char * password); int rsbac_list_ta_refresh(rsbac_time_t ttl, rsbac_list_ta_number_t ta_number, char * password); int rsbac_list_ta_commit(rsbac_list_ta_number_t ta_number, char * password); int rsbac_list_ta_forget(rsbac_list_ta_number_t ta_number, char * password); int rsbac_list_all_dev( rsbac_list_ta_number_t ta_number, struct rsbac_dev_desc_t * id_p, u_long maxnum); int rsbac_acl_list_all_dev( rsbac_list_ta_number_t ta_number, struct rsbac_dev_desc_t * id_p, u_long maxnum); int rsbac_list_all_user( rsbac_list_ta_number_t ta_number, rsbac_uid_t * id_p, u_long maxnum); int rsbac_acl_list_all_user( rsbac_list_ta_number_t ta_number, rsbac_uid_t * id_p, u_long maxnum); int rsbac_list_all_group( rsbac_list_ta_number_t ta_number, rsbac_gid_t * id_p, u_long maxnum); int rsbac_acl_list_all_group( rsbac_list_ta_number_t ta_number, rsbac_gid_t * id_p, u_long maxnum); /************************************************* */ /* DEBUG/LOG functions */ /************************************************* */ int rsbac_adf_log_switch(enum rsbac_adf_request_t request, enum rsbac_target_t target, u_int value); int rsbac_get_adf_log(enum rsbac_adf_request_t request, enum rsbac_target_t target, u_int * value_p); /* * Commands to rsbac_log: * * 0 -- Close the log. Currently a NOP. * 1 -- Open the log. Currently a NOP. 
* 2 -- Read from the log. * 3 -- Read up to the last 4k of messages in the ring buffer. * 4 -- Read and clear last 4k of messages in the ring buffer * 5 -- Clear ring buffer. */ int rsbac_log(int type, char * buf, int len); int rsbac_init(char * root_dev); #endif /* ifndef __KERNEL__ */ #endif rsbac-admin-1.4.0/main/headers/rsbac/rc_getname.h0000644000175000017500000000222011131371037021441 0ustar gauvaingauvain/******************************** */ /* Rule Set Based Access Control */ /* Author and (c) 1999: Amon Ott */ /* Getname functions for RC parts */ /* Last modified: 18/Jan/99 */ /******************************** */ #ifndef __RSBAC_RC_GETNAME_H #define __RSBAC_RC_GETNAME_H #include #ifndef NULL #define NULL ((void *) 0) #endif char *get_rc_target_name(char *name, enum rsbac_rc_target_t value); enum rsbac_rc_target_t get_rc_target_nr(const char *name); char *get_rc_admin_name(char *name, enum rsbac_rc_admin_type_t value); enum rsbac_rc_admin_type_t get_rc_admin_nr(const char *name); char *get_rc_scd_type_name(char *name, enum rsbac_rc_scd_type_t value); enum rsbac_rc_scd_type_t get_rc_scd_type_nr(const char *name); char *get_rc_item_name(char *name, enum rsbac_rc_item_t value); enum rsbac_rc_item_t get_rc_item_nr(const char *name); #ifndef __KERNEL__ char *get_rc_item_param(char *name, enum rsbac_rc_item_t value); #endif char *get_rc_special_right_name(char *name, enum rsbac_rc_special_rights_t value); #ifndef __KERNEL__ enum rsbac_rc_special_rights_t get_rc_special_right_nr(const char *name); #endif #endif rsbac-admin-1.4.0/main/headers/rsbac/rc_types.h0000644000175000017500000003520411131371037021175 0ustar gauvaingauvain/************************************ */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2005: Amon Ott */ /* API: Data types for */ /* Role Compatibility Module */ /* Last modified: 21/Dec/2005 */ /************************************ */ #ifndef __RSBAC_RC_TYPES_H #define __RSBAC_RC_TYPES_H #include /***** RC *****/ #define 
RSBAC_RC_GENERAL_ROLE 0 #define RSBAC_RC_ROLE_ADMIN_ROLE 1 #define RSBAC_RC_SYSTEM_ADMIN_ROLE 2 #define RSBAC_RC_AUDITOR_ROLE 3 #define RSBAC_RC_BOOT_ROLE 999999 #define RSBAC_RC_GENERAL_TYPE 0 #define RSBAC_RC_SEC_TYPE 1 #define RSBAC_RC_SYS_TYPE 2 #define RSBAC_RC_KERNEL_P_TYPE 999999 #define RSBAC_RC_NAME_LEN 16 #define RSBAC_RC_ALL_REQUESTS ((rsbac_rc_request_vector_t) -1) #define RSBAC_RC_OLD_SPECIAL_RIGHT_BASE 48 #define RSBAC_RC_SPECIAL_RIGHT_BASE 56 enum rsbac_rc_special_rights_t { RCR_ADMIN = RSBAC_RC_SPECIAL_RIGHT_BASE, RCR_ASSIGN, RCR_ACCESS_CONTROL, RCR_SUPERVISOR, RCR_MODIFY_AUTH, RCR_CHANGE_AUTHED_OWNER, RCR_SELECT, RCR_NONE }; typedef __u64 rsbac_rc_rights_vector_t; /* backwards compatibility only! */ typedef __u64 rsbac_rc_role_vector_t; #define RSBAC_RC_RIGHTS_VECTOR(x) ((rsbac_rc_rights_vector_t) 1 << (x)) #define RSBAC_RC_ROLE_VECTOR(x) ((rsbac_rc_role_vector_t) 1 << (x)) #define RSBAC_RC_TYPE_VECTOR(x) ((rsbac_rc_type_vector_t) 1 << (x)) #define RSBAC_RC_SPECIAL_RIGHTS_VECTOR (\ RSBAC_RC_RIGHTS_VECTOR(RCR_ADMIN) | \ RSBAC_RC_RIGHTS_VECTOR(RCR_ASSIGN) | \ RSBAC_RC_RIGHTS_VECTOR(RCR_ACCESS_CONTROL) | \ RSBAC_RC_RIGHTS_VECTOR(RCR_SUPERVISOR) | \ RSBAC_RC_RIGHTS_VECTOR(RCR_MODIFY_AUTH) | \ RSBAC_RC_RIGHTS_VECTOR(RCR_CHANGE_AUTHED_OWNER) | \ RSBAC_RC_RIGHTS_VECTOR(RCR_SELECT) \ ) #define RSBAC_RC_SUPERVISOR_RIGHT_VECTOR (\ RSBAC_RC_RIGHTS_VECTOR(RCR_SUPERVISOR) | \ ) #define RSBAC_RC_ALL_RIGHTS_VECTOR (RSBAC_ALL_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR) #define RSBAC_RC_PROCESS_RIGHTS_VECTOR (RSBAC_PROCESS_REQUEST_VECTOR | \ RSBAC_RC_RIGHTS_VECTOR(R_CONNECT) | \ RSBAC_RC_RIGHTS_VECTOR(R_ACCEPT) | \ RSBAC_RC_RIGHTS_VECTOR(R_SEND) | \ RSBAC_RC_RIGHTS_VECTOR(R_RECEIVE) \ ) #define RSBAC_RC_DEFAULT_RIGHTS_VECTOR 0 #define RSBAC_RC_GEN_RIGHTS_VECTOR RSBAC_RC_DEFAULT_RIGHTS_VECTOR typedef __u32 rsbac_rc_role_id_t; typedef __u32 rsbac_rc_type_id_t; typedef rsbac_request_vector_t rsbac_rc_request_vector_t; enum rsbac_rc_admin_type_t { RC_no_admin, 
RC_role_admin, RC_system_admin, RC_none }; /* * System Control Types, including general SCD types * (start at 32 to allow future SCD types, max is 63) */ #define RST_min 32 enum rsbac_rc_scd_type_t { RST_auth_administration = RST_min, RST_none }; /* what should always be there to keep system functional */ #ifdef CONFIG_RSBAC_USER_MOD_IOPERM #define RSBAC_RC_GENERAL_COMP_SCD { \ 0, \ 0, \ 0, \ 0, \ /* ST_ioports */ ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA), \ /* ST_rlimit */ RSBAC_REQUEST_VECTOR(GET_STATUS_DATA) | RSBAC_REQUEST_VECTOR(MODIFY_SYSTEM_DATA), \ /* ST_swap */ 0, \ /* ST_syslog */ 0, \ /* ST_rsbac */ 0, \ /* ST_rsbac_log */ 0, \ /* ST_other */ ( \ ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \ ), \ /* ST_kmem */ 0, \ /* ST_network */ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA), \ /* 13 = ST_none */ 0 \ } #else #define RSBAC_RC_GENERAL_COMP_SCD { \ 0, \ 0, \ 0, \ 0, \ 0, \ /* ST_rlimit */ RSBAC_REQUEST_VECTOR(GET_STATUS_DATA) | RSBAC_REQUEST_VECTOR(MODIFY_SYSTEM_DATA), \ /* ST_swap */ 0, \ /* ST_syslog */ 0, \ /* ST_rsbac */ 0, \ /* ST_rsbac_log */ 0, \ /* ST_other */ ( \ ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \ ), \ /* ST_kmem */ 0, \ /* ST_network */ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA), \ /* ST_firewall */ 0, \ /* ST_priority */ 0, \ /* 15 = ST_none */ 0 \ } #endif #define RSBAC_RC_ROLEADM_COMP_SCD { \ /* 0 = ST_time_structs */ 0, \ /* ST_clock */ 0, \ /* ST_host_id */ 0, \ /* ST_net_id */ 0, \ /* ST_ioports */ 0, \ /* ST_rlimit */ RSBAC_SCD_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \ /* ST_swap */ 0, \ /* ST_syslog */ 0, \ /* ST_rsbac */ RSBAC_SCD_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \ /* ST_rsbac_log */ RSBAC_SCD_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \ /* ST_other */ ( \ ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \ | ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) \ | ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) \ | ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) \ | 
((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) \ ) | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \ /* ST_kmem */ 0, \ /* ST_network */ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \ /* ST_firewall */ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \ /* ST_nice */ 0, \ /* 15 = ST_none */ 0, \ 0, \ 0, \ 0, \ 0, \ /* 20 */ 0, \ 0, \ 0, \ 0, \ 0, \ 0, \ 0, \ 0, \ 0, \ 0, \ /* 30 */ 0, \ 0, \ /* 32 = RST_auth_admin */ RSBAC_SCD_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \ /* 33 = RST_none */ 0 \ } #define RSBAC_RC_SYSADM_COMP_SCD { \ /* 0 = ST_time_structs */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \ /* ST_clock */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \ /* ST_host_id */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \ /* ST_net_id */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \ /* ST_ioports */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \ /* ST_rlimit */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \ /* ST_swap */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \ /* ST_syslog */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \ /* ST_rsbac */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \ /* ST_rsbac_log */ 0, \ /* ST_other */ ( \ ((rsbac_request_vector_t) 1 << R_ADD_TO_KERNEL) \ | ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) \ | ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \ | ((rsbac_request_vector_t) 1 << R_MOUNT) \ | ((rsbac_request_vector_t) 1 << R_REMOVE_FROM_KERNEL) \ | ((rsbac_request_vector_t) 1 << R_UMOUNT) \ | ((rsbac_request_vector_t) 1 << R_SHUTDOWN) \ ), \ /* ST_kmem */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \ /* ST_network */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \ /* ST_firewall */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \ /* ST_priority */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \ /* 15 = ST_none */ 0, \ 0, \ 
0, \ 0, \ 0, \ /* 20 */ 0, \ 0, \ 0, \ 0, \ 0, \ 0, \ 0, \ 0, \ 0, \ 0, \ /* 30 */ 0, \ 0, \ /* 32 = RST_auth_admin */ 0, \ /* 33 = RST_none */ 0 \ } #ifdef CONFIG_RSBAC_USER_MOD_IOPERM #define RSBAC_RC_AUDITOR_COMP_SCD { \ 0, \ 0, \ 0, \ 0, \ /* ST_ioports */ ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA), \ /* ST_rlimit */ RSBAC_REQUEST_VECTOR(GET_STATUS_DATA) | RSBAC_REQUEST_VECTOR(MODIFY_SYSTEM_DATA), \ /* ST_swap */ 0, \ /* ST_syslog */ 0, \ /* ST_rsbac */ 0, \ /* ST_rsbac_log */ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA), \ /* ST_other */ ( \ ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \ ), \ /* ST_kmem */ 0, \ /* ST_network */ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA), \ /* ST_firewall */ 0, \ /* ST_priority */ 0, \ /* 15 = ST_none */ 0 \ } #else #define RSBAC_RC_AUDITOR_COMP_SCD { \ 0, \ 0, \ 0, \ 0, \ 0, \ /* ST_rlimit */ RSBAC_REQUEST_VECTOR(GET_STATUS_DATA) | RSBAC_REQUEST_VECTOR(MODIFY_SYSTEM_DATA), \ /* ST_swap */ 0, \ /* ST_syslog */ 0, \ /* ST_rsbac */ 0, \ /* ST_rsbac_log */ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA), \ /* ST_other */ ( \ ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \ ), \ /* ST_kmem */ 0, \ /* ST_network */ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA), \ /* ST_firewall */ 0, \ /* ST_priority */ 0, \ /* 15 = ST_none */ 0 \ } #endif #define RC_type_inherit_process ((rsbac_rc_type_id_t) -1) #define RC_type_inherit_parent ((rsbac_rc_type_id_t) -2) #define RC_type_no_create ((rsbac_rc_type_id_t) -3) #define RC_type_no_execute ((rsbac_rc_type_id_t) -4) #define RC_type_use_new_role_def_create ((rsbac_rc_type_id_t) -5) /* for process chown (setuid) */ #define RC_type_no_chown ((rsbac_rc_type_id_t) -6) #define RC_type_use_fd ((rsbac_rc_type_id_t) -7) #define RC_type_min_special ((rsbac_rc_type_id_t) -7) #define RC_type_max_value ((rsbac_rc_type_id_t) -32) #define RC_role_inherit_user 
((rsbac_rc_role_id_t) -1) #define RC_role_inherit_process ((rsbac_rc_role_id_t) -2) #define RC_role_inherit_parent ((rsbac_rc_role_id_t) -3) #define RC_role_inherit_up_mixed ((rsbac_rc_role_id_t) -4) #define RC_role_use_force_role ((rsbac_rc_role_id_t) -5) #define RC_role_min_special ((rsbac_rc_role_id_t) -5) #define RC_role_max_value ((rsbac_rc_role_id_t) -32) #define RC_default_force_role RC_role_inherit_parent #define RC_default_root_dir_force_role RC_role_inherit_up_mixed #define RC_default_init_force_role RC_role_inherit_user #define RC_default_initial_role RC_role_inherit_parent #define RC_default_root_dir_initial_role RC_role_use_force_role /****************************************************************************/ /* RC ACI types */ /****************************************************************************/ enum rsbac_rc_target_t { RT_ROLE, RT_TYPE, RT_NONE }; union rsbac_rc_target_id_t { rsbac_rc_role_id_t role; rsbac_rc_type_id_t type; }; enum rsbac_rc_item_t { RI_role_comp, RI_admin_roles, RI_assign_roles, RI_type_comp_fd, RI_type_comp_dev, RI_type_comp_user, RI_type_comp_process, RI_type_comp_ipc, RI_type_comp_scd, RI_type_comp_group, RI_type_comp_netdev, RI_type_comp_nettemp, RI_type_comp_netobj, RI_admin_type, RI_name, RI_def_fd_create_type, RI_def_fd_ind_create_type, RI_def_user_create_type, RI_def_process_create_type, RI_def_process_chown_type, RI_def_process_execute_type, RI_def_ipc_create_type, RI_def_group_create_type, RI_def_unixsock_create_type, RI_boot_role, RI_req_reauth, RI_type_fd_name, RI_type_dev_name, RI_type_ipc_name, RI_type_user_name, RI_type_process_name, RI_type_group_name, RI_type_netdev_name, RI_type_nettemp_name, RI_type_netobj_name, RI_type_fd_need_secdel, RI_type_scd_name, /* Pseudo, using get_rc_scd_name() */ RI_remove_role, RI_def_fd_ind_create_type_remove, RI_type_fd_remove, RI_type_dev_remove, RI_type_ipc_remove, RI_type_user_remove, RI_type_process_remove, RI_type_group_remove, RI_type_netdev_remove, 
RI_type_nettemp_remove, RI_type_netobj_remove, #ifdef __KERNEL__ #endif RI_none }; union rsbac_rc_item_value_t { rsbac_rc_rights_vector_t rights; enum rsbac_rc_admin_type_t admin_type; char name[RSBAC_RC_NAME_LEN]; rsbac_rc_role_id_t role_id; rsbac_rc_type_id_t type_id; rsbac_boolean_t need_secdel; rsbac_boolean_t comp; rsbac_boolean_t boot_role; rsbac_boolean_t req_reauth; #ifdef __KERNEL__ #endif u_char u_char_dummy; int dummy; u_int u_dummy; long long_dummy; long long long_long_dummy; }; #endif rsbac-admin-1.4.0/main/rklogd/0000755000175000017500000000000011131371034015742 5ustar gauvaingauvainrsbac-admin-1.4.0/main/rklogd/src/0000755000175000017500000000000011131371034016531 5ustar gauvaingauvainrsbac-admin-1.4.0/main/rklogd/src/pidfile.h0000644000175000017500000000307311131371034020321 0ustar gauvaingauvain/* pidfile.h - interact with pidfiles Copyright (c) 1995 Martin Schulze This file is part of the sysklogd package, a kernel and system log daemon. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA. */ /* read_pid * * Reads the specified pidfile and returns the read pid. * 0 is returned if either there's no pidfile, it's empty * or no pid can be read. */ int read_pid (char *pidfile); /* check_pid * * Reads the pid using read_pid and looks up the pid in the process * table (using /proc) to determine if the process already exists. 
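If
 * so the pid is returned (non-zero), otherwise 0.
 */
int check_pid (char *pidfile);

/* write_pid
 *
 * Writes the pid to the specified file. If that fails 0 is
 * returned, otherwise the pid.
 */
int write_pid (char *pidfile);

/* remove_pid
 *
 * Remove the specified file. The result from unlink(2)
 * is returned
 */
int remove_pid (char *pidfile);
rsbac-admin-1.4.0/main/rklogd/src/pidfile.c0000644000175000017500000000611711131371034020316 0ustar gauvaingauvain
/* pidfile.c - interact with pidfiles
   Copyright (c) 1995  Martin Schulze

   This file is part of the sysklogd package, a kernel and system log daemon.

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA
*/

/*
 * Sat Aug 19 13:24:33 MET DST 1995:  Martin Schulze
 *	First version (v0.2) released
 */

/* NOTE(review): the header names of these seven includes were lost when
 * the file was extracted.  The functions below use fopen/fprintf (stdio),
 * getpid/unlink/close/ftruncate (unistd), open (fcntl), errno, strerror
 * (string), kill (signal) and flock (sys/file) -- confirm against the
 * original source. */
#include
#include
#include
#include
#include
#include
#include

/* read_pid
 *
 * Reads the specified pidfile and returns the read pid.
 * 0 is returned if either there's no pidfile, it's empty,
 * no pid can be read, or the value is not a positive pid.
 */
int read_pid (char *pidfile)
{
  FILE *f;
  int pid = 0;

  if (!(f=fopen(pidfile,"r")))
    return 0;
  /* fscanf() leaves pid untouched when the file is empty or malformed;
   * pre-setting it to 0 (and rejecting non-positive values, which would
   * make kill() in check_pid() address a process group) keeps the
   * documented "0 on failure" contract. */
  if (fscanf(f,"%d", &pid) != 1 || pid <= 0)
    pid = 0;
  fclose(f);
  return pid;
}

/* check_pid
 *
 * Reads the pid using read_pid and looks up the pid in the process
 * table (using kill(pid, 0)) to determine if the process already
 * exists.  If so the pid is returned (non-zero), otherwise 0 -- callers
 * should treat the result as a boolean.
 */
int check_pid (char *pidfile)
{
  int pid = read_pid(pidfile);

  /* Amazing ! _I_ am already holding the pid file... */
  if ((!pid) || (pid == getpid ()))
    return 0;

  /*
   * The 'standard' method of doing this is to try and do a 'fake' kill
   * of the process.  If an ESRCH error is returned the process cannot
   * be found -- GW
   */
  /* But... errno is usually changed only on error..  Note that a kill()
   * failure with EPERM (process exists, owned by someone else) is
   * treated as "alive", which is the conservative answer here. */
  if (kill(pid, 0) && errno == ESRCH)
	  return(0);

  return pid;
}

/* write_pid
 *
 * Writes the pid to the specified file. If that fails 0 is
 * returned, otherwise the pid.
 *
 * The advisory lock is only held while the file is rewritten; it is
 * released before returning, so it serialises concurrent writers but
 * does not keep the pidfile locked for the lifetime of the daemon.
 */
int write_pid (char *pidfile)
{
  FILE *f;
  int fd;
  int pid = 0;

  if ((fd = open(pidfile, O_RDWR|O_CREAT, 0644)) == -1) {
      fprintf(stderr, "Can't open or create %s.\n", pidfile);
      return 0;
  }
  if ((f = fdopen(fd, "r+")) == NULL) {
      /* fdopen() failed: the descriptor is still ours to release. */
      fprintf(stderr, "Can't open or create %s.\n", pidfile);
      close(fd);
      return 0;
  }

  if (flock(fd, LOCK_EX|LOCK_NB) == -1) {
      /* pid stays 0 if the holder's pidfile is empty or malformed. */
      if (fscanf(f, "%d", &pid) != 1)
          pid = 0;
      fclose(f);
      printf("Can't lock, lock is held by pid %d.\n", pid);
      return 0;
  }

  /* The file is opened without O_TRUNC; drop any previous (possibly
   * longer) content so stale digits never survive behind the new pid. */
  if (ftruncate(fd, 0) == -1) {
      printf("Can't truncate pidfile %s, %s.\n", pidfile, strerror(errno));
      fclose(f);
      return 0;
  }

  pid = getpid();
  /* fprintf() returns a byte count (never 0 for "%d\n"); only a negative
   * value, or a failed flush, signals a write error. */
  if (fprintf(f,"%d\n", pid) < 0 || fflush(f) == EOF) {
      printf("Can't write pid , %s.\n", strerror(errno));
      fclose(f);
      return 0;
  }

  if (flock(fd, LOCK_UN) == -1) {
      printf("Can't unlock pidfile %s, %s.\n", pidfile, strerror(errno));
      fclose(f);
      return 0;
  }
  /* fclose() also closes fd, so the FILE object is not leaked. */
  fclose(f);

  return pid;
}

/* remove_pid
 *
 * Remove the specified file. The result from unlink(2)
 * is returned
 */
int remove_pid (char *pidfile)
{
  return unlink (pidfile);
}
rsbac-admin-1.4.0/main/rklogd/src/rklogd.init0000755000175000017500000000162311131371034020705 0ustar gauvaingauvain
#!/bin/sh
#
# rklogd	Starts rklogd.
#
#
# chkconfig: 2345 30 98
# description: rklogd is a log daemon for RSBAC kernel. \
#	Security system messages write separately to special log file.\
#	You can protect this file from intruders using RSBAC.\
#	Note: You must add 400 capability for /sbin/rklogd file.

# Source function library.
. /etc/rc.d/init.d/functions

[ -f /sbin/rklogd ] || exit 0

RETVAL=0

# See how we were called.
case "$1" in
  start)
	echo -n "Starting security kernel logger: "
	daemon rklogd
	RETVAL=$?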
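echo
	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/rklogd
	;;
  stop)
	echo -n "Shutting down security kernel logger: "
	killproc rklogd
	RETVAL=$?
	echo
	[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/rklogd
	;;
  status)
	status rklogd
	RETVAL=$?
	;;
  restart|reload)
	$0 stop
	$0 start
	RETVAL=$?
	;;
  *)
	echo "Usage: rklogd {start|stop|status|restart}"
	exit 1
esac

exit $RETVAL
rsbac-admin-1.4.0/main/rklogd/src/debug.c0000644000175000017500000000521211131371034017763 0ustar gauvaingauvain
/* debug.c - Debugging primitives
 *
 * Copyright (c) 2003 Peter Busser
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA
 */

/* NOTE(review): the header names of these five includes were lost when
 * the file was extracted.  The code below uses assert, fprintf/vsnprintf
 * (stdio), malloc/realloc/free/exit (stdlib), va_list (stdarg) and
 * syslog -- confirm against the original source. */
#include
#include
#include
#include
#include
#include "debug.h"

/* Local variables */

/* This variable controls the output of debugging messages
 * A value of DEBUG_ON enables debugging output
 * A value of DEBUG_OFF disables debugging output
 * The default is no debugging output
 * The value can be changed using the set_debug() function.
 */
static enum debugval debugstate = DEBUG_OFF;

/* Set debugging
 *
 * Only DEBUG_OFF and DEBUG_ON are accepted.  Any other value trips the
 * assert() in checked builds and is silently ignored otherwise, leaving
 * debugstate unchanged.
 */
void set_debug( enum debugval val )
{
	assert( ((val == DEBUG_OFF) || (val == DEBUG_ON)) );
	if( (val == DEBUG_OFF) || (val == DEBUG_ON) ) {
		debugstate = val;
	}
}

/* Format a debug message and hand it to debugstr(), which writes it to
 * syslog (not stderr/stdout).
 *
 * This piece of code was derived from a code in the vsnprintf man page:
 * the buffer is grown until vsnprintf() reports that the message fits.
 * Returns without doing anything when debugging is turned off; exits the
 * process with status 1 when memory cannot be allocated.
 */
void debug( const char *fmt, ... )
{
	/* Guess we need no more than 100 bytes. */
	int n;
	size_t size;
	char *buf;
	va_list ap;

	size = 100;

	/* Do not print any message when debugging is turned off */
	if( debugstate == DEBUG_OFF ) {
		return;
	}

	buf = malloc( size );
	if( buf == NULL ) {
		fprintf( stderr, "Out of memory\n" );
		exit( 1 );
	}

	for(;;) {
		/* Try to print in the allocated space. */
		va_start( ap, fmt );
		n = vsnprintf( buf, size, fmt, ap );
		va_end( ap );

		/* If that worked, stop.  n is known non-negative at the point of
		 * the cast, so comparing it with size as size_t is exact. */
		if( n > -1 && (size_t) n < size ) {
			break;
		}

		/* Else try again with more space. */
		if( n > -1 ) {
			/* glibc 2.1 */
			/* Precisely what is needed */
			size = n + 1;
		} else {
			/* glibc 2.0 */
			/* Twice the old size */
			size *= 2;
		}

		buf = realloc( buf, size );
		if( buf == NULL) {
			fprintf( stderr, "Out of memory\n" );
			exit( 1 );
		}
	}

	/* Output the finished message through the syslog writer */
	debugstr( buf );

	free( buf );
}

/* Print a debugging string to syslog
 *
 * The string is passed as an argument to a fixed "%s" format, never as
 * the format itself: messages assembled by debug() can contain '%'
 * characters taken from the data being logged, and syslog() would
 * otherwise interpret them as conversion directives.
 */
void debugstr( const char *str )
{
	/* Only print if debugging is enabled */
	if( debugstate == DEBUG_ON ) {
		syslog( LOG_INFO, "%s", str );
	}
}
rsbac-admin-1.4.0/main/rklogd/src/rklogd.c0000644000175000017500000002541711131371034020170 0ustar gauvaingauvain
/* Simple daemon logger for RSBAC
 *
 * rklog (c) - Stanislav I. Ievlev, 2000-2001
 * RSBAC (c) - Amon Ott., 1995-2001
 * Some parts from klogd (c) 1995 Martin Schulze
 * Some changes made by Amon Ott, 2000
 * Copyright (c) 2003 by Peter Busser
 *   Performed some code cleanup.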
*/ #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include extern int errno; #include "debug.h" #include "pidfile.h" char *hostname=NULL; struct sockaddr_in remote_server; int use_proc=1; #define INPUT_LOG "/proc/rsbac-info/rmsg" #define OUTPUT_LOG "/security-log" #define SECOFF_UID 400 #define PATH_VARRUN "/var/run/" static char *pidfile = PATH_VARRUN"rklogd.pid"; #define MAX_LINE 8100 #define PORTNUM 1500 int check_father( pid_t father ) { if( kill( father, 0 ) && errno == ESRCH ) { debugstr( "father process is dead\n" ); return 0; }else{ debugstr( "father process is alive\n" ); return 1; } } void stop_work( int sig ) { syslog( LOG_INFO, "security kernel logger stopped" ); debugstr( "exiting...\n" ); remove_pid( pidfile ); if( !use_proc ) { char tmpstring[0]; /* Close kernel log buffer */ rsbac_log( 0, tmpstring, sizeof( tmpstring ) ); } exit( EXIT_SUCCESS ); } char *getlogname( uid_t secoffuid ) { struct passwd *pwd = NULL; char *retval = NULL; pwd = getpwuid( secoffuid ); if( pwd != NULL ) { if ( asprintf(&retval,"%s/log/"OUTPUT_LOG, pwd->pw_dir) <= 0){ perror("asprintf"); exit(EXIT_FAILURE); } } else { fprintf( stderr, "Non-existent user id %u\n",secoffuid ); exit(EXIT_FAILURE); } return retval; } void open_out_net( char *servername ) { struct hostent *hp = NULL; if( (hp = gethostbyname( servername )) == NULL ) { fprintf(stderr, "cannot resolve hostname:%s",hstrerror(h_errno)); exit( EXIT_FAILURE ); } memset( &remote_server, 0, sizeof( remote_server ) ); memcpy( &remote_server.sin_addr, hp->h_addr, hp->h_length ); remote_server.sin_family = hp->h_addrtype; remote_server.sin_port = htons( PORTNUM ); } void write_net( char *data ) { struct sockaddr_in clnt_addr; int fd; int count; debugstr( "writing to net...\n" ); if( (fd = socket( AF_INET, SOCK_DGRAM, 0 )) < 0 ) { syslog( LOG_WARNING, "cannot open socket to send messages to remote host" ); } 
memset( &clnt_addr, 0, sizeof( clnt_addr ) ); clnt_addr.sin_family = AF_INET; clnt_addr.sin_addr.s_addr = INADDR_ANY; if( bind( fd, (struct sockaddr *)&clnt_addr, sizeof(clnt_addr) ) < 0 ) { syslog( LOG_WARNING, "cannot bind socket to send messages to remote host" ); } count = sendto( fd, data, strlen( data ), 0, (struct sockaddr*)&remote_server, sizeof( remote_server ) ); if( count <= 0 ) { syslog( LOG_ERR, "error during sending messages to remote host" ); } } int open_in( void ) { int fd; if( use_proc ) { if( (fd = open( INPUT_LOG, O_RDONLY|O_NOFOLLOW )) < 0 ) { perror( "open input log:"); exit( EXIT_FAILURE ); } } else { char tmpstring[0]; /* open kernel log buffer */ if( rsbac_log( 1, tmpstring, sizeof(tmpstring) ) < 0 ) { fputs("open of kernel log buffer", stderr); exit( EXIT_FAILURE ); } } return fd; } int open_out( char *name ) { int fd = -1; if( (fd = open( name, O_WRONLY|O_APPEND|O_CREAT|O_NOFOLLOW, 00600 ) ) < 0 ) { perror("open output log:"); exit( EXIT_FAILURE ); } fchmod( fd, 0600 ); return fd; } int open_in_net( void ) { int fd = -1; struct sockaddr_in serv_addr; if( (fd = socket( AF_INET, SOCK_DGRAM, 0 )) < 0 ) { syslog( LOG_ERR, "open of network socket failed" ); exit( EXIT_FAILURE ); } memset( &serv_addr, 0, sizeof(serv_addr) ); serv_addr.sin_family = AF_INET; serv_addr.sin_addr.s_addr = INADDR_ANY; serv_addr.sin_port = htons( PORTNUM ); if( bind( fd, (struct sockaddr *)&serv_addr, sizeof(serv_addr) ) == -1 ) { syslog( LOG_ERR, "bind failed" ); exit( EXIT_FAILURE ); } return fd; } void write_out( int fd, char* prefix, char *buf, int count ) { char *point; char tmpstr[MAX_LINE]; char *found; struct flock lock ; point = buf; /* Lock logfile */ lock.l_type = F_WRLCK; lock.l_whence = SEEK_SET; lock.l_start = 0; lock.l_len = 0; if (fcntl(fd, F_SETLKW, &lock )) { syslog( LOG_ERR,"cannot lock output file" ); } debugstr( "writing to log ...\n" ); do{ found = strchr( point, '\n' ); if( found != NULL ) { strncpy( tmpstr, point, (size_t)(found-point) + 1 ); 
tmpstr[found-point + 1] = '\0'; write( fd, prefix, strlen( prefix ) ); write( fd, tmpstr, found-point + 1 ); if( hostname != NULL ) { write_net( tmpstr ); } found++; count -= found-point; } else { if( count > 0 ) { strncpy( tmpstr, point, count ); tmpstr[count] = 0; write( fd, prefix, strlen( prefix ) ); write( fd, tmpstr, count ); if( hostname != NULL ) { write_net( tmpstr ); } } } point=found; } while( point != NULL ); /* ulock logfile */ lock.l_type = F_UNLCK; if (fcntl(fd, F_SETLKW, &lock)){ syslog( LOG_ERR,"cannot lock output file" ); } } void read_in( int fd, int out ) { char buf[MAX_LINE]; char prefix[MAX_LINE]; size_t count; time_t now; char *timestamp; now = time( NULL ); timestamp = ctime( &now ); memset( buf, 0, sizeof( buf ) ); memset( prefix, 0, sizeof( prefix ) ); debugstr( "reading log...\n" ); if( use_proc ) { /* Read from proc */ count = read( fd, buf, sizeof( buf ) ); } else { /* Read from log kernel buffer */ count = rsbac_log( 2, buf, sizeof( buf ) ); } strncpy( prefix, timestamp, strlen( timestamp ) - 1 ); strncat( prefix," :", 3 ); write_out( out, prefix, buf, count ); } void read_net( int fd, int out ) { struct sockaddr_in clnt_addr; socklen_t maxaddrlen; int count; char read_buf[MAX_LINE]; char log_buf[MAX_LINE]; char prefix[MAX_LINE]; time_t now; char *timestamp; now = time( NULL ); timestamp = ctime( &now ); maxaddrlen = sizeof( clnt_addr ); memset( read_buf, 0, sizeof( read_buf ) ); memset( log_buf, 0, sizeof( log_buf ) ); memset( prefix, 0, sizeof( prefix ) ); debugstr( "reading net ...\n" ); count = recvfrom( fd, read_buf, sizeof( read_buf ), 0, (struct sockaddr *)&clnt_addr, &maxaddrlen ); snprintf( log_buf, MAX_LINE - 1, "from host %s :%s", inet_ntoa( clnt_addr.sin_addr ), read_buf ); log_buf[MAX_LINE - 1] = '\0'; snprintf( prefix, MAX_LINE - 1, "%s :", timestamp ); prefix[MAX_LINE - 1] = '\0'; write_out( out, prefix, log_buf, strlen( log_buf ) ); } int main( int argc, char *argv[] ) { fd_set read_fds; int log,net,out,null_fd; int 
ch,i; pid_t child_pid; char *logname = NULL; int secoffuid = SECOFF_UID; int netlisten = 0; int background = 1; /* Open central system log for bug errors */ openlog( "rklogd", LOG_PID | LOG_CONS, LOG_DAEMON ); while( (ch = getopt( argc, argv, "bdf:ln:su:v") ) != EOF ) { switch( (char)ch ) { /* Do not switch to the background */ case 'b': background = 0; break; /* Enable debugging */ case 'd': enable_debug(); break; /* Define an output file. */ case 'f': logname = optarg; break; case 'l': netlisten = 1; break; case 'n': hostname = optarg; break; case 's': use_proc = 0; break; /* Define an secoff uid. */ case 'u': secoffuid = strtol( optarg, 0, 0 ); break; default: fprintf( stderr, "Unknown option in switch() (%c)\n", ch); exit( 1 ); } } if( logname == NULL ) { logname = getlogname( secoffuid ); } debug( "secoff uid:%u\n", secoffuid ); debug( "logname:%s\n", logname ); debug( "netlisten:%u\n", netlisten ); debug( "use_proc:%u\n", use_proc ); if( hostname != NULL ) { debug( "remote:%s\n", hostname ); } for( i = 1; i < NSIG; i++ ) { signal( i, SIG_IGN ); } signal( SIGTERM, stop_work ); child_pid = fork(); if (child_pid <0){ perror("fork"); exit(EXIT_FAILURE); } /* Fork process, stay in child */ if( child_pid != 0 ) { exit(EXIT_SUCCESS); } /* We need stay in root for create pid file */ if( !check_pid( pidfile ) ) { if( mkdir( PATH_VARRUN "rklogd", 0700 ) && errno != EEXIST ) { perror("mkdir"); exit(EXIT_FAILURE); } if( chown( PATH_VARRUN"rklogd", secoffuid, 0 ) ) { perror("chown"); exit(EXIT_FAILURE); } if ((unlink(pidfile) < 0) && errno != ENOENT ){ perror("unlink"); exit(EXIT_FAILURE); } if( symlink( "rklogd/rklogd.pid", pidfile ) < 0) { perror("symlink"); exit(EXIT_FAILURE); } pidfile = PATH_VARRUN"rklogd/rklogd.pid"; if( !write_pid( pidfile ) ) { fprintf(stderr,"unable to write_pid: %s\n",pidfile); exit(EXIT_FAILURE); } }else{ fputs( "rklogd: Already running.\n", stderr ); exit(EXIT_FAILURE); } /* Change uid to secoff */ if( setuid( secoffuid ) < 0 ) { 
perror("setuid"); exit(EXIT_FAILURE); } /*open input and output descriptors*/ log = open_in(); if( netlisten ) { net = open_in_net(); } out = open_out( logname ); if( hostname != NULL ) { open_out_net( hostname ); } /* redirect standart file descriptors into /dev/null */ if ((null_fd = open("/dev/null",O_RDWR|O_NOFOLLOW))<0){ perror("open /dev/null for reading and writing"); exit(EXIT_FAILURE); } dup2(null_fd, STDIN_FILENO); dup2(null_fd, STDOUT_FILENO); dup2(null_fd, STDERR_FILENO); /* Finally go to daemon mode */ setsid(); syslog( LOG_INFO, "RSBAC system logger started" ); /* I cannot use select() for syscalls */ if( use_proc ) { /* Go to infinity loop */ for(;;) { FD_ZERO( &read_fds ); FD_SET( log, &read_fds ); if( netlisten ) { FD_SET( net, &read_fds ); } debugstr( "selecting...\n" ); if( select( 20, &read_fds, NULL, NULL, NULL ) > 0 ) { if( FD_ISSET( log, &read_fds ) ) { read_in( log, out ); } if( (netlisten) && (FD_ISSET( net, &read_fds )) ) { read_net( net,out ); } } } } else { /* Separate thread to read messages from the network */ child_pid = fork(); if (child_pid < 0){ syslog( LOG_ERR, "unable second fork" ); exit(EXIT_FAILURE); } if( !child_pid ) { pid_t parent; parent=getppid(); if( !netlisten ) { exit( EXIT_SUCCESS ); } debugstr( "running second thread...\n" ); debug( "parent pid is %d\n", parent ); for(;;) { /*read messages from the network*/ read_net( net, out ); if( !check_father( parent ) ) { /* Father process is dead */ exit( EXIT_FAILURE ); } } } else { /* Read messages from the localhost */ for(;;) { read_in( 0, out ); } } } } rsbac-admin-1.4.0/main/rklogd/src/debug.h0000644000175000017500000000243411131371034017773 0ustar gauvaingauvain/* debug.h - Definitions and declarations for the debugging primitives * * Copyright (c) 2003 Peter Busser * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the 
License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA */ /* Define the values for turning debugging on and off. */ enum debugval {DEBUG_OFF = 0, DEBUG_ON}; /* Enable debugging output */ #define enable_debug() (set_debug(DEBUG_ON)) /* Enable debugging output */ #define disable_debug() (set_debug(DEBUG_OFF)) /* Set the debugging */ void set_debug( enum debugval val ); /* Print a formatted debug message */ void debug( const char *fmt, ... ); /* Print a debugging string */ void debugstr( const char *str ); rsbac-admin-1.4.0/main/rklogd/viewer/0000755000175000017500000000000011131371034017243 5ustar gauvaingauvainrsbac-admin-1.4.0/main/rklogd/viewer/rklogd-viewer.c0000644000175000017500000005322511131371034022177 0ustar gauvaingauvain /*viewer.c - main viewer file*/ /*log viewer - very usefull program to see RSBAC (or other) log files. 
* * (c) Stanislav Ievlev inger@linux.ru.net */ #include #include #include #include #include #include #include #include #include "rklogd-viewer.h" WINDOW *win, *view_win, *top_win; /*view window */ /*curr_point, vertical and horizontal shift*/ int curr_select = 0, curr_shift = 0, curr_h_shift = 0; /*limits for horizontal scrolling*/ int left_limit = 0, right_limit = 0; unsigned long loaded = 0; /*loaded string to view */ char *logname = NULL; FILE *logfile = NULL; /*forward*/ void help_win (int, int); void about_win (int, int); void stat_menu (int, int); void file_menu (int, int); void options_menu (int, int); void exit_logger (char *); void select_line (int num, int mode); void line_print (WINDOW * curr_win, int y_point, int x_point, char *string, int hlimit); /*external functions*/ extern int in_filter (log_info tmp_log); extern int open_log (); extern int close_log (); extern log_info read_log (); extern log_info filter_log; /*widgets*/ extern int confirm_win (char *head, char *text); extern int menu_win (menu_item * items, int nr_items, char *title, int xpos, int ypos); extern int top_menu_win (top_menu_item * items, int nr_items); extern void inform_win (char *head, char *text, char *buttontext); extern char *enterline_win (char *head, char *val_name, char *old_value); void check_menu_win (menu_item * items, int nr_items, char *title, int posx, int posy); /*usage of program*/ usage usage_list[COUNT_OPTIONS] = { {"F1", "This window"}, {"F2", "Re-read log"}, {"F3", "Statictics"}, {"F4", "Select columns to view"}, {"F9", "Go to menu"}, {"u", "By user filter"}, {"r", "By request filter"}, {"p", "By program filter"}, {"t", "By target type"}, {"i", "By target id"}, {"a", "By attribute"}, {"z", "By result"}, {"q", "Exit program"}, }; /*stat menu*/ menu_item stat_items[3] = { {"1", "User denies "}, {"2", "Program denies"}, {"3", "Target denies "} }; /*file menu*/ menu_item file_items[4] = { {"1", "Open log "}, {"1", "Refresh "}, {"2", "------------"}, {"3", "Exit 
logger "} }; /*options menu*/ menu_item options_items[7] = { {"1", "Filter by user... "}, {"2", "Filter by program..."}, {"3", "Filter by target... "}, {"4", "Filter by request..."}, {"5", "Filter by tid... "}, {"6", "Filter by attr... "}, {"7", "Filter by result... "} }; /*top menu*/ top_menu_item top_items[5] = { {file_menu, "File"}, {stat_menu, "Statistics"}, {options_menu, "Options"}, {help_win, "Help"}, {about_win, "About"} }; /*width of columns*/ int column[COUNT_DATA + 2] = { 20, /*time */ 21, /*request */ 5, /*pid */ 30, /*progname */ 10, /*username */ 10, /*target type */ 50, /*tid */ 15, /*attr */ 10, /*value */ 20 /*result */ /*by */ }; /*check views*/ menu_item view_check_items[COUNT_DATA + 1] = { {"*", "Time "}, {"*", "Request "}, {"*", "PID "}, {"*", "Program "}, {"*", "User "}, {"*", "Target "}, {"*", "Target ID "}, {"*", "Attribute "}, {"*", "Value "}, {"*", "Result "} }; /*print clock*/ void print_time () { time_t now; now = time (0); wattrset (stdscr, COLOR_PAIR (2) | A_BOLD); mvwprintw (stdscr, LINES - 1, COLS - strlen ("time time time time"), "%s", ctime (&now)); alarm (1); refresh (); wrefresh (top_win); } /*print head of table*/ void print_menu_top () { int i = 0, horizontal = 1; char tmpstr[MAX_LINE]; wclear (top_win); wrefresh (top_win); init_pair (1, COLOR_BLACK, COLOR_CYAN); wattrset (top_win, COLOR_PAIR (1)); while (i <= COUNT_DATA) { if (strchr (view_check_items[i].key, '*') == NULL) { /*don't display this */ i++; continue; } switch (i) { case 0: strncpy (tmpstr, "Time", MAX_LINE); break; case 1: strncpy (tmpstr, "Request", MAX_LINE); break; case 2: strncpy (tmpstr, "PID", MAX_LINE); break; case 3: strncpy (tmpstr, "Program name", MAX_LINE); break; case 4: strncpy (tmpstr, "User", MAX_LINE); break; case 5: strncpy (tmpstr, "Target", MAX_LINE); break; case 6: strncpy (tmpstr, "Target Id", MAX_LINE); break; case 7: strncpy (tmpstr, "Attribute", MAX_LINE); break; case 8: strncpy (tmpstr, "Value", MAX_LINE); break; case 9: strncpy (tmpstr, 
"Result", MAX_LINE); break; default: break; } line_print (top_win, 0, horizontal + curr_h_shift, tmpstr, COLS); horizontal += column[i]; i++; } wrefresh (top_win); } /*print menu */ void print_menu () { int width = COLS; int height = 2; top_win = newwin (height, width, 0, 0); /*bottom info */ init_pair (2, COLOR_CYAN, COLOR_BLACK); wattrset (stdscr, COLOR_PAIR (2)); mvwaddstr (stdscr, LINES - 1, 0, "Press F1 for help, F9 for menu"); /*setup clock */ signal (SIGALRM, print_time); print_time (); return; } /*print view window*/ void print_view () { int width = COLS, height = LINES - 2; /*view helper */ view_win = newwin (height, width, (LINES - height) / 2, (COLS - width) / 2); /*view main */ width = COLS - 2; height = LINES - 4; win = newwin (height, width, (LINES - height) / 2, (COLS - width) / 2); /*menu */ width = COLS; height = 1; top_win = newwin (height, width, 0, 0); /*check for failure */ if ((win == NULL) || (view_win == NULL) || (top_win == NULL)) { endwin (); return; } /*print top menu */ print_menu_top (); init_pair (2, COLOR_CYAN, COLOR_BLACK); wattrset (view_win, COLOR_PAIR (2)); wattrset (win, COLOR_PAIR (2)); box (view_win, ACS_VLINE, ACS_HLINE); waddstr (view_win, "log-viewer (beta 1)"); wrefresh (top_win); wrefresh (view_win); wrefresh (win); return; } /*special version of function for horizontal scroling*/ void line_print (WINDOW * curr_win, int y_point, int x_point, char *string, int hlimit) { int str_point = 0; if (x_point < 0) str_point += (-x_point); if (str_point > strlen (string)) return; while (string[str_point]) { if ((str_point + x_point) > hlimit) return; mvwaddch (curr_win, y_point, (str_point + x_point), string[str_point]); str_point++; } /*while we have a string */ return; } /*print one line*/ void print_log_line (log_info curr_info, int point) { int horizontal = 0, count = 0; char *tmpstr; while (count <= COUNT_DATA) { if (strchr (view_check_items[count].key, '*') == NULL) { /*don't display this */ count++; continue; } switch (count) 
{ case 0: tmpstr = curr_info.time; break; case 1: tmpstr = curr_info.request; break; case 2: tmpstr = malloc (MAX_NAME); snprintf (tmpstr, MAX_NAME, "%u", curr_info.pid); break; case 3: tmpstr = curr_info.progname; break; case 4: tmpstr = curr_info.username; break; case 5: tmpstr = curr_info.target_type; break; case 6: tmpstr = curr_info.tid; break; case 7: tmpstr = curr_info.attr; break; case 8: tmpstr = malloc (MAX_NAME); snprintf (tmpstr, MAX_NAME, "%u", curr_info.value); break; case 9: tmpstr = curr_info.result; break; default: break; } line_print (win, point, curr_h_shift + horizontal, tmpstr, COLS - 4); if ((count == 2) || (count == 8)) free (tmpstr); horizontal += column[count]; count++; } } /*light version of re-reading*/ void light_fill_view () { int curr_point; /*clear window */ wclear (win); wrefresh (win); /*set color */ init_pair (3, COLOR_YELLOW, COLOR_BLACK); wattrset (win, COLOR_PAIR (3)); /*draw items per screen */ for (curr_point = 0; (curr_point < LINES - 2) && (curr_point < loaded); curr_point++) if (!(in_filter (log_buffer[curr_point + curr_shift]))) print_log_line (log_buffer[curr_point + curr_shift], curr_point); /*set line as selected */ select_line (curr_select, 1); wrefresh (win); } /*re-read data*/ void fill_view () { log_info curr_info; int curr_point; /*init data */ curr_shift = 0; curr_select = 0; loaded = 0; wclear (win); wrefresh (win); init_pair (3, COLOR_YELLOW, COLOR_BLACK); wattrset (win, COLOR_PAIR (3)); open_log (); for (curr_point = 0, loaded = 0; loaded < MAX_BUFFER;) { /*while */ /*read next line */ curr_info = read_log (); log_buffer[curr_point] = curr_info; if (curr_info.res == -1 || curr_info.res == -2) break; if (curr_info.res == -3) continue; print_log_line (curr_info, curr_point); loaded++; curr_point++; } close_log (); wrefresh (win); } /* select/unselect line */ void select_line (int num, int mode) { log_info curr_info = log_buffer[num + curr_shift]; if (!(loaded)) return; /*return if list is empty */ if (mode) { 
init_pair (4, COLOR_BLACK, COLOR_YELLOW); wattrset (win, COLOR_PAIR (4)); } else { wattrset (win, COLOR_PAIR (3)); } print_log_line (curr_info, num); wrefresh (win); return; } /*horizontal scrolling*/ void h_scroll_view (int num) { curr_h_shift += num; light_fill_view (); print_menu_top (); } /*vertical scrolling*/ void scroll_view (int num) { log_info curr_info; /*increment or decrement window shift */ if (num > 0) { curr_shift++; } else { curr_shift--; } /*get last or first line */ if (num > 0) { curr_info = log_buffer[LINES - 5 + curr_shift]; } else { curr_info = log_buffer[curr_shift]; } /*scroll window down */ wscrl (win, num); /*print last line */ print_log_line (curr_info, (num > 0) ? LINES - 5 : 0); /*refresh data */ wrefresh (win); } /*draw about window*/ void about_win (int xpos, int ypos) { WINDOW *tmp_win; int width = 50, height = 10; tmp_win = newwin (height, width, (LINES - height) / 2, (COLS - width) / 2); init_pair (6, COLOR_WHITE, COLOR_BLACK); wattrset (tmp_win, COLOR_PAIR (2)); box (tmp_win, ACS_VLINE, ACS_HLINE); mvwaddstr (tmp_win, 0, (int) ((width - strlen ("About this ...")) / 2), "About this ..."); wattrset (tmp_win, COLOR_PAIR (2) | A_BOLD); mvwaddstr (tmp_win, (int) (height / 2) - 1, (int) ((width - strlen ("Smart logger for RSBAC")) / 2), "Smart logger for RSBAC"); mvwaddstr (tmp_win, (int) (height / 2) + 1, (int) ((width - strlen ("(c) Stanislav Ievlev ")) / 2), "(c) Stanislav Ievlev "); mvwaddstr (tmp_win, (int) (height / 2) + 2, (int) ((width - strlen ("2000")) / 2), "2000"); wrefresh (tmp_win); (void) getch (); delwin (tmp_win); redrawwin (win); } /*draw help window*/ void help_win (int xpos, int ypos) { WINDOW *tmp_win; int width = 35, height = 15; int curr_point; tmp_win = newwin (height, width, (LINES - height) / 2, (COLS - width) / 2); init_pair (6, COLOR_WHITE, COLOR_BLACK); wattrset (tmp_win, COLOR_PAIR (2)); box (tmp_win, ACS_VLINE, ACS_HLINE); waddstr (tmp_win, "HELP WINDOW"); for (curr_point = 0; curr_point < COUNT_OPTIONS; 
curr_point++) { wattrset (tmp_win, COLOR_PAIR (6) | A_BOLD); mvwaddstr (tmp_win, curr_point + 1, 1, usage_list[curr_point].key); wattrset (tmp_win, COLOR_PAIR (2)); mvwprintw (tmp_win, curr_point + 1, 6, "%s", usage_list[curr_point].description); } wrefresh (tmp_win); (void) getch (); delwin (tmp_win); redrawwin (win); } /*draw filter window*/ void filter_win (char type) { char *tmpstr; char *value_name = malloc (MAX_LINE); switch (type) { case KEY_USER: strncpy (value_name, "Username", MAX_LINE); tmpstr = filter_log.username; break; case KEY_REQUEST: strncpy (value_name, "Request", MAX_LINE); tmpstr = filter_log.request; break; case KEY_PROGRAM: strncpy (value_name, "Program", MAX_LINE); tmpstr = filter_log.progname; break; case KEY_TARGET_TYPE: strncpy (value_name, "Target type", MAX_LINE); tmpstr = filter_log.target_type; break; case KEY_TARGET_ID: strncpy (value_name, "Target ID", MAX_LINE); tmpstr = filter_log.tid; break; case KEY_ATTR: strncpy (value_name, "Attribute", MAX_LINE); tmpstr = filter_log.attr; break; case KEY_RESULT: strncpy (value_name, "Result", MAX_LINE); tmpstr = filter_log.result; break; } strncpy (tmpstr, enterline_win ("View Filter", value_name, tmpstr), MAX_NAME); free (value_name); } /*compute deny count of item*/ int stat_item_deny (int type, char *who) { int count = 0, res = 0; while (count < loaded) { char *tmpstr; switch (type) { case KEY_USER: tmpstr = log_buffer[count].username; break; case KEY_PROGRAM: tmpstr = log_buffer[count].progname; break; case KEY_TARGET_TYPE: tmpstr = log_buffer[count].target_type; break; default: break; } if ((strstr (log_buffer[count].result, "NOT")) && (!(strcmp (who, tmpstr)))) res++; count++; } return res; } /*draw statistic window*/ void stat_deny_win (int type, char *title) { WINDOW *tmp_win; int key; int width = 70, height = 20, curr_point = 1; struct passwd *user_info_p; tmp_win = newwin (height, width, (LINES - height) / 2, (COLS - width) / 2); wattrset (tmp_win, COLOR_PAIR (2)); box (tmp_win, 
ACS_VLINE, ACS_HLINE); wattrset (tmp_win, COLOR_PAIR (2) | A_BOLD); mvwaddstr (tmp_win, 0, (int) ((width - strlen (title)) / 2), title); wattrset (tmp_win, COLOR_PAIR (2)); if (type == KEY_USER) { /*process all users */ while ((user_info_p = getpwent ())) { if (((user_info_p->pw_uid) >= MIN_USER_LIMIT) || ((user_info_p->pw_uid) == 0) || ((user_info_p->pw_uid) == 400)) mvwprintw (tmp_win, curr_point++, 1, "user %s\tdenies %u times", user_info_p->pw_name, stat_item_deny (KEY_USER, user_info_p-> pw_name)); } /*while */ endpwent (); /*end process all users */ }; /*if KEY_USER */ if (type == KEY_PROGRAM || type == KEY_TARGET_TYPE) { #define MAX_PROGS 30 char programs[MAX_PROGS][MAX_LINE]; int finded = 0, i, j; for (i = 0; i < loaded; i++) { for (j = 0; ((j < finded) && (strcmp ((type == KEY_PROGRAM) ? log_buffer[i]. progname : log_buffer[i].target_type, programs[j]))); j++) ; if ((j >= finded) && (finded < MAX_PROGS)) strncpy (programs[finded++], (type == KEY_PROGRAM) ? log_buffer[i]. progname : log_buffer[i].target_type, MAX_LINE); } for (i = 0; i < finded; i++) mvwprintw (tmp_win, curr_point++, 1, "%s %s\tdenies %u times", (type == KEY_PROGRAM) ? 
"program" : "target type", programs[i], stat_item_deny (type, programs[i])); } wrefresh (tmp_win); /*wait key pressed */ key = getch (); delwin (tmp_win); /*refresh data */ redrawwin (win); wrefresh (win); } /*draw data window*/ void data_win () { WINDOW *tmp_win; int width = 60, height = 15, curr_point; log_info curr_info = log_buffer[curr_select + curr_shift]; char *tmpstr; tmp_win = newwin (height, width, (LINES - height) / 2, (COLS - width) / 2); wattrset (tmp_win, COLOR_PAIR (2)); box (tmp_win, ACS_VLINE, ACS_HLINE); waddstr (tmp_win, "FULL LOG DATA"); init_pair (5, COLOR_RED, COLOR_BLACK); for (curr_point = 0; curr_point <= COUNT_DATA; curr_point++) { wattrset (tmp_win, COLOR_PAIR (2) | A_BOLD); switch (curr_point) { case 0: mvwaddstr (tmp_win, curr_point + 1, 1, "time:"); break; case 1: mvwaddstr (tmp_win, curr_point + 1, 1, "request:"); break; case 2: mvwaddstr (tmp_win, curr_point + 1, 1, "PID:"); break; case 3: mvwaddstr (tmp_win, curr_point + 1, 1, "program:"); break; case 4: mvwaddstr (tmp_win, curr_point + 1, 1, "username:"); break; case 5: mvwaddstr (tmp_win, curr_point + 1, 1, "target type:"); break; case 6: mvwaddstr (tmp_win, curr_point + 1, 1, "target ID:"); break; case 7: mvwaddstr (tmp_win, curr_point + 1, 1, "Attribute:"); break; case 8: mvwaddstr (tmp_win, curr_point + 1, 1, "Value:"); break; case 9: mvwaddstr (tmp_win, curr_point + 1, 1, "result:"); break; default: break; } wattrset (tmp_win, COLOR_PAIR (2)); switch (curr_point) { case 0: tmpstr = curr_info.time; break; case 1: tmpstr = curr_info.request; break; case 2: tmpstr = malloc (MAX_NAME); snprintf (tmpstr, MAX_NAME, "%u", curr_info.pid); break; case 3: tmpstr = curr_info.progname; break; case 4: tmpstr = curr_info.username; break; case 5: tmpstr = curr_info.target_type; break; case 6: tmpstr = curr_info.tid; break; case 7: tmpstr = curr_info.attr; break; case 8: tmpstr = malloc (MAX_NAME); snprintf (tmpstr, MAX_NAME, "%u", curr_info.value); break; case 9: tmpstr = curr_info.result; 
break; default: break; } mvwaddstr (tmp_win, curr_point + 1, 15, tmpstr); if ((curr_point == 2) || (curr_point == 8)) free (tmpstr); } wrefresh (tmp_win); /*wait any key pressed */ (void) getch (); delwin (tmp_win); redrawwin (win); } /*statistics menu */ void stat_menu (int xpos, int ypos) { int res = 0; res = menu_win (stat_items, 3, "Statistics", xpos, ypos); if (res == -1) return; switch (res) { case 1: stat_deny_win (KEY_USER, "By User Deny Statistics"); break; case 2: stat_deny_win (KEY_PROGRAM, "By Program Deny Statistics"); break; case 3: stat_deny_win (KEY_TARGET_TYPE, "By Target Deny Statistics"); break; default: break; } } /*file menu*/ void file_menu (int xpos, int ypos) { int res = 0; res = menu_win (file_items, 4, " File ", xpos, ypos); if (res == -1) return; switch (res) { case 1: strncpy (logname, enterline_win ("Log-file name", "File name", logname), MAX_NAME); case 2: /*refresh */ fill_view (); break; case 3: /*separator */ break; case 4: /*exit */ if (confirm_win ("Wow!", "Exit this program?")) exit_logger (""); break; default: break; } } /*options*/ void options_menu (int xpos, int ypos) { int res = 0; res = menu_win (options_items, 7, " Options ", xpos, ypos); if (res == -1) return; switch (res) { case 1: res = KEY_USER; break; case 2: res = KEY_PROGRAM; break; case 3: res = KEY_TARGET_TYPE; break; case 4: res = KEY_REQUEST; break; case 5: res = KEY_TARGET_ID; break; case 6: res = KEY_ATTR; break; case 7: res = KEY_RESULT; break; default: break; } filter_win (res); fill_view (); } /*exit this program*/ void exit_logger (char *exit_str) { if (exit_str[0] != 0) inform_win ("Error", exit_str, " OK "); /*end of work */ free (logname); clear (); refresh (); standend (); endwin (); fprintf (stderr, "%s\n", exit_str); exit (EXIT_SUCCESS); } /*fill again after selecting columns to see*/ void fill_again () { int i = 0; right_limit = 0; left_limit = 0; curr_h_shift = 0; while (i <= COUNT_DATA) { if (strchr (view_check_items[i].key, '*') == NULL) { 
/*don't display this */ i++; continue; } right_limit += column[i]; i++; } fill_view (); print_menu_top (); } /*main work*/ int main (int argc, char *argv[]) { int key; int do_exit; /*first compute of right horizontal limit */ for (key = 0; key <= COUNT_DATA; key++) right_limit += column[key]; logname = malloc (MAX_LINE); if (argc > 1) { strncpy (logname, argv[1], MAX_LINE); } else { strncpy (logname, LOG_FILE_NAME, MAX_LINE); } /*init curses */ initscr (); start_color (); /*print menu and view */ print_menu (); print_view (); /*fill view-window with data */ fill_view (); /*allow to scroll windows */ scrollok (win, TRUE); keypad (stdscr, 1); keypad (win, 1); noecho (); nonl (); /*main loop */ do_exit = 1; while (1) { select_line (curr_select, 1); key = getch (); switch (key) { case KEY_DOWN: if ((curr_select + curr_shift) < (loaded - 1)) select_line (curr_select++, 0); if (curr_select > LINES - 5) { scroll_view (1); curr_select--; } break; case KEY_UP: if ((curr_select + curr_shift) >= 0) select_line (curr_select--, 0); if (curr_select < 0) { curr_select++; if (curr_shift > 0) scroll_view (-1); } break; case KEY_RIGHT: if ((right_limit) > (COLS - 3)) { left_limit--; right_limit--; h_scroll_view (-1); } break; case KEY_LEFT: if ((left_limit) < 0) { left_limit++; right_limit++; h_scroll_view (1); } break; case KEY_DONE: case KEY_EXT: if (confirm_win ("Exit", "Do you want to exit?")) exit_logger (""); break; case KEY_F (1): help_win (0, 0); break; case KEY_F (2): fill_view (); break; case KEY_F (3): stat_menu (1, 1); break; case KEY_F (4): (void) check_menu_win (view_check_items, COUNT_DATA + 1, " View ", 1, 1); fill_again (); break; case KEY_F (9): top_menu_win (top_items, 5); break; case KEY_ENT: case KEY_DATA: data_win (); break; case KEY_USER: filter_win (KEY_USER); fill_view (); break; case KEY_TARGET_TYPE: filter_win (KEY_TARGET_TYPE); fill_view (); break; case KEY_PROGRAM: filter_win (KEY_PROGRAM); fill_view (); break; case KEY_REQUEST: filter_win (KEY_REQUEST); 
fill_view (); break; case KEY_TARGET_ID: filter_win (KEY_TARGET_ID); fill_view (); break; case KEY_ATTR: filter_win (KEY_ATTR); fill_view (); break; case KEY_RESULT: filter_win (KEY_RESULT); fill_view (); break; default: break; } } /*while */ exit_logger ("strange exit"); } rsbac-admin-1.4.0/main/rklogd/viewer/widget.c0000644000175000017500000002430611131371034020677 0ustar gauvaingauvain/*widget.c - Some usefull widgets*/ /* * (c) Stanislav Ievlev inger@linux.ru.net */ #include #include #include #include "rklogd-viewer.h" extern WINDOW *win; extern WINDOW *view_win; extern WINDOW *top_win; #define DIFF_LEN 3 WINDOW * button_win (WINDOW * parent, int posx, int posy, char *text) { int width = strlen (text) + 2; int height = 3; WINDOW *button_win = derwin (parent, height, width, posx, posy); init_pair (7, COLOR_RED, COLOR_BLACK); wattrset (button_win, COLOR_PAIR (7)); box (button_win, ACS_VLINE, ACS_HLINE); mvwaddstr (button_win, 1, 1, text); wrefresh (button_win); return (button_win); } void select_button (WINDOW * select_win, char *text, int type) { if (type) { wattrset (select_win, COLOR_PAIR (7) | A_BOLD); } else { wattrset (select_win, COLOR_PAIR (7)); } box (select_win, ACS_VLINE, ACS_HLINE); mvwaddstr (select_win, 1, 1, text); wrefresh (select_win); } /*confirm box widget*/ int confirm_win (char *head, char *text) { WINDOW *tmp_win, *button_ok, *button_no; int width = strlen (text) + DIFF_LEN * 2; int height = 6; int key = 0, res = 0; tmp_win = newwin (height, width, (LINES - height) / 2, (COLS - width) / 2); init_pair (6, COLOR_WHITE, COLOR_BLACK); wattrset (tmp_win, COLOR_PAIR (2)); box (tmp_win, ACS_VLINE, ACS_HLINE); mvwaddstr (tmp_win, 0, (int) ((width - strlen (head)) / 2), head); wattrset (tmp_win, COLOR_PAIR (2) | A_BOLD); mvwaddstr (tmp_win, 1, (int) ((width - strlen (text)) / 2), text); button_ok = button_win (tmp_win, 2, DIFF_LEN, " OK "); button_no = button_win (tmp_win, 2, (width - DIFF_LEN - strlen (" NO ") - 2), " NO "); select_button 
(button_no, " NO ", 1); wrefresh (tmp_win); while (key != KEY_ENT) { key = getch (); switch (key) { case KEY_LEFT: case KEY_RIGHT: case KEY_UP: case KEY_DOWN: case KEY_NXT: if (res) { select_button (button_ok, " OK ", 0); select_button (button_no, " NO ", 1); res = 0; } else { select_button (button_no, " NO ", 0); select_button (button_ok, " OK ", 1); res = 1; } break; default: break; } } delwin (tmp_win); delwin (button_ok); delwin (button_no); redrawwin (win); return res; } void menu_select (WINDOW * tmpwin, menu_item * items, int num, int type) { if (type) { init_pair (8, COLOR_WHITE, COLOR_RED); wattrset (tmpwin, COLOR_PAIR (8) | A_BOLD); mvwaddstr (tmpwin, num, 1, items[num - 1].key); mvwaddstr (tmpwin, num, 3, items[num - 1].description); } else { wattrset (tmpwin, COLOR_PAIR (7) | A_BOLD); mvwaddstr (tmpwin, num, 1, items[num - 1].key); wattrset (tmpwin, COLOR_PAIR (7)); mvwaddstr (tmpwin, num, 3, items[num - 1].description); } wrefresh (tmpwin); } /*menu widget*/ int menu_win (menu_item * items, int nr_items, char *title, int posx, int posy) { int width = strlen (title) + 2 * DIFF_LEN + 3; int height = nr_items + 2; int selected = 1, key = -1; WINDOW *tmp_win = newwin (height, width, posx, posy); init_pair (6, COLOR_WHITE, COLOR_BLACK); wattrset (tmp_win, COLOR_PAIR (2)); box (tmp_win, ACS_VLINE, ACS_HLINE); mvwaddstr (tmp_win, 0, (int) ((width - strlen (title)) / 2), title); init_pair (7, COLOR_RED, COLOR_BLACK); for (selected = 0; selected < nr_items; selected++) { wattrset (tmp_win, COLOR_PAIR (7) | A_BOLD); mvwaddstr (tmp_win, selected + 1, 1, items[selected].key); wattrset (tmp_win, COLOR_PAIR (7)); mvwaddstr (tmp_win, selected + 1, 3, items[selected].description); } wrefresh (tmp_win); selected = 1; menu_select (tmp_win, items, selected, 1); while ((key != KEY_ENT) && (key != KEY_EXT)) { key = getch (); menu_select (tmp_win, items, selected, 0); switch (key) { case KEY_UP: if (selected > 1) selected--; break; case KEY_DOWN: if (selected < nr_items) 
selected++; break; default: break; } menu_select (tmp_win, items, selected, 1); } delwin (tmp_win); redrawwin (win); wrefresh (win); redrawwin (view_win); wrefresh (view_win); redrawwin (top_win); wrefresh (top_win); if (key != KEY_EXT) { return (selected); } else { return -1; } } /*menu_select*/ void top_menu_select (WINDOW * tmpwin, top_menu_item * items, int step, int num, int type) { if (type) { init_pair (8, COLOR_WHITE, COLOR_RED); wattrset (tmpwin, COLOR_PAIR (8) | A_BOLD); mvwaddstr (tmpwin, 0, step * num, items[num].description); } else { wattrset (tmpwin, COLOR_PAIR (7) | A_BOLD); mvwaddstr (tmpwin, 0, step * num, items[num].description); } wrefresh (tmpwin); } /*top menu widget*/ int top_menu_win (top_menu_item * items, int nr_items) { int width = COLS; int height = 1; int step = (int) (COLS / nr_items); int key = 0, selected = 0, do_exit = 1; WINDOW *tmp_win = newwin (height, width, 0, 0); init_pair (7, COLOR_RED, COLOR_BLACK); wattrset (tmp_win, COLOR_PAIR (7)); /*draw items */ width = 0; for (selected = 0; selected < nr_items; selected++) { mvwaddstr (tmp_win, 0, width, items[selected].description); width += step; } wrefresh (tmp_win); selected = 0; top_menu_select (tmp_win, items, step, selected, 1); while (do_exit) { key = getch (); top_menu_select (tmp_win, items, step, selected, 0); switch (key) { case KEY_LEFT: case KEY_UP: if (selected > 0) { selected--; } else { selected = nr_items - 1; }; break; case KEY_RIGHT: case KEY_DOWN: if (selected < (nr_items - 1)) { selected++; } else { selected = 0; }; break; case KEY_EXT: do_exit = 0; break; /*work */ case KEY_ENT: items[selected].menu_fun (1, step * selected); do_exit = 0; break; default: break; } top_menu_select (tmp_win, items, step, selected, 1); } delwin (tmp_win); redrawwin (stdscr); refresh (); redrawwin (top_win); wrefresh (top_win); redrawwin (view_win); wrefresh (view_win); redrawwin (win); wrefresh (win); return (selected); } void inform_win (char *head, char *text, char *buttontext) { 
WINDOW *tmp_win, *button_inf; int width = ((strlen (text) > strlen (head)) ? strlen (text) : strlen (head)) + DIFF_LEN * 2; int height = 8; int key = 0; tmp_win = newwin (height, width, (LINES - height) / 2, (COLS - width) / 2); init_pair (6, COLOR_WHITE, COLOR_BLACK); wattrset (tmp_win, COLOR_PAIR (2)); box (tmp_win, ACS_VLINE, ACS_HLINE); mvwaddstr (tmp_win, 0, (int) ((width - strlen (head)) / 2), head); wattrset (tmp_win, COLOR_PAIR (2) | A_BOLD); mvwaddstr (tmp_win, 2, (int) ((width - strlen (text)) / 2), text); button_inf = button_win (tmp_win, 4, (int) ((width - strlen (buttontext)) / 2 - 1), buttontext); select_button (button_inf, buttontext, 1); wrefresh (tmp_win); nonl (); noecho (); while (key != KEY_ENT) key = getch (); delwin (tmp_win); delwin (button_inf); redrawwin (win); wrefresh (win); } /*one line enter widget*/ char * enterline_win (char *head, char *value_name, char *old_value) { char *tmpstr = malloc (MAX_LINE); int str_pointer = 0; WINDOW *tmp_win; int width, height = 6; int key = 0; if (old_value == NULL) { width = 20 + 2 * DIFF_LEN + strlen (value_name); } else { width = 20 + strlen (old_value) + 2 * DIFF_LEN + strlen (value_name); } tmp_win = newwin (height, width, (LINES - height) / 2, (COLS - width) / 2); init_pair (6, COLOR_WHITE, COLOR_BLACK); wattrset (tmp_win, COLOR_PAIR (2)); box (tmp_win, ACS_VLINE, ACS_HLINE); mvwaddstr (tmp_win, 0, (int) ((width - strlen (head)) / 2), head); wattrset (tmp_win, COLOR_PAIR (2) | A_BOLD); snprintf (tmpstr, MAX_LINE, "Current %s:%s", value_name, old_value); mvwaddstr (tmp_win, 2, 1, tmpstr); memset (tmpstr, 0, MAX_LINE - 2); snprintf (tmpstr, MAX_LINE, "New %s:", value_name); mvwaddstr (tmp_win, 3, 1, tmpstr); memset (tmpstr, 0, MAX_LINE - 2); wrefresh (tmp_win); wattrset (tmp_win, COLOR_PAIR (2)); nonl (); noecho (); /*view string */ while ((key != KEY_ENT) && (key != KEY_EXT) && (str_pointer < MAX_LINE)) { key = getch (); if (key != KEY_BACKSPACE) { tmpstr[str_pointer++] = key; mvwaddch (tmp_win, 3, 
5 + strlen (value_name) + str_pointer, key); } else { if (str_pointer > 0) mvwaddch (tmp_win, 3, 5 + strlen (value_name) + (str_pointer--), ' '); } wrefresh (tmp_win); } tmpstr[--str_pointer] = 0; delwin (tmp_win); redrawwin (win); wrefresh (win); if (key != KEY_EXT) { return (tmpstr); } else { return old_value; } } /*menu with check boxes -- on/off switches*/ void check_menu_win (menu_item * items, int nr_items, char *title, int posx, int posy) { int width = strlen (title) + 2 * DIFF_LEN + 3; int height = nr_items + 2; int selected = 0, key = -1; WINDOW *tmp_win = newwin (height, width, posx, posy); init_pair (6, COLOR_WHITE, COLOR_BLACK); wattrset (tmp_win, COLOR_PAIR (2)); box (tmp_win, ACS_VLINE, ACS_HLINE); mvwaddstr (tmp_win, 0, (int) ((width - strlen (title)) / 2), title); init_pair (7, COLOR_RED, COLOR_BLACK); for (selected = 0; selected < nr_items; selected++) { wattrset (tmp_win, COLOR_PAIR (7) | A_BOLD); mvwaddstr (tmp_win, selected + 1, 1, items[selected].key); wattrset (tmp_win, COLOR_PAIR (7)); mvwaddstr (tmp_win, selected + 1, 3, items[selected].description); } wrefresh (tmp_win); selected = 0; (void) getch (); menu_select (tmp_win, items, selected, 1); while ((key != KEY_ENT) && (key != KEY_EXT)) { key = getch (); menu_select (tmp_win, items, selected, 0); switch (key) { case KEY_UP: if (selected > 1) selected--; break; case KEY_DOWN: if (selected < nr_items) selected++; break; default: break; } menu_select (tmp_win, items, selected, 1); /*switch item on/off */ if (key == ' ') { if (strchr (items[selected - 1].key, '*') != NULL) { strcpy (items[selected - 1].key, " "); } else { strcpy (items[selected - 1].key, "*"); } menu_select (tmp_win, items, selected, 1); } //if } //while delwin (tmp_win); redrawwin (win); wrefresh (win); redrawwin (view_win); wrefresh (view_win); redrawwin (top_win); wrefresh (top_win); return; } rsbac-admin-1.4.0/main/rklogd/viewer/log.c0000644000175000017500000001243611131371034020176 0ustar gauvaingauvain /*log.c - general 
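work with log-file*/
/*
 * (c) Stanislav Ievlev inger@linux.ru.net
 */
/* The four system header names were lost when this file was extracted;
 * these are the ones the calls below require (fopen/fgets/snprintf,
 * str*, atoi/free, getpwuid).  stddef.h is added for ptrdiff_t. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
#include <pwd.h>
#include "rklogd-viewer.h"

#define RSBAC_IDENT_STR "rsbac_adf_request(): request"

/*external data*/
extern char *logname;
extern void exit_logger (char *str);
extern char *enterline_win (char *head, char *val_name, char *old_value);
extern FILE *logfile;

/*filter*/
/* Active filter: an empty string means "do not filter on this field". */
log_info filter_log = { "", "", 0, "", "", "", "", "", 0, "", "", 0 };

/*
 * Bounded field copy: at most len bytes of src go into dst (dst_size
 * bytes) and dst is always NUL-terminated.  A negative or over-long len is
 * clamped, so an over-long field in a log line stops at the end of the
 * fixed-size log_info member instead of running past it -- the unchecked
 * strncpy () + manual terminator this replaces had no destination bound
 * at all, and the log line is data the viewer does not control.
 */
static void
copy_field (char *dst, size_t dst_size, const char *src, ptrdiff_t len)
{
  size_t n;

  if (dst_size == 0)
    return;
  n = (len > 0) ? (size_t) len : 0;
  if (n > dst_size - 1)
    n = dst_size - 1;
  strncpy (dst, src, n);
  dst[n] = '\0';
}

/*
 * One filter criterion: non-zero when want is set (non-empty) and does
 * not occur as a substring of have.
 */
static int
field_mismatch (const char *want, const char *have)
{
  return want[0] != '\0' && strstr (have, want) == NULL;
}

/*filter */
/*
 * Apply filter_log to a parsed entry.  Returns 1 when the entry should be
 * hidden -- some non-empty filter field is not a substring of the
 * corresponding entry field -- and 0 when it passes.  Matching is plain
 * case-sensitive substring search; pid and value are never filtered.
 */
int
in_filter (log_info tmp_log)
{
  return field_mismatch (filter_log.username, tmp_log.username)
    || field_mismatch (filter_log.request, tmp_log.request)
    || field_mismatch (filter_log.progname, tmp_log.progname)
    || field_mismatch (filter_log.target_type, tmp_log.target_type)
    || field_mismatch (filter_log.tid, tmp_log.tid)
    || field_mismatch (filter_log.attr, tmp_log.attr)
    || field_mismatch (filter_log.result, tmp_log.result);
}

/*open log file*/
/*
 * Open logname for reading, prompting for a corrected name until
 * fopen () succeeds.  Always returns 0; the open stream is left in
 * logfile.
 */
int
open_log ()
{
  char *new_name;

  for (;;)
    {
      logfile = fopen (logname, "r");
      if (logfile)
	return 0;
      new_name = enterline_win ("Correct file name", "File name", logname);
      fprintf (stderr, "\a");
      /* enterline_win () hands back either a fresh malloc'd string or, on
       * Esc, the old_value pointer itself (logname).  Only copy and free
       * in the first case: strncpy () of a buffer onto itself is
       * undefined, and the old MAX_NAME bound silently truncated longer
       * paths without NUL-terminating them.  main () sizes logname at
       * MAX_LINE bytes. */
      if (new_name != NULL && new_name != logname)
	{
	  snprintf (logname, MAX_LINE, "%s", new_name);
	  free (new_name);
	}
    }
}

/*finish work with log-file*/
/*
 * Close logfile if it is open and forget it, so a later read_log () sees
 * end-of-file instead of a dangling stream.  Always returns 0.
 */
int
close_log ()
{
  if (logfile != NULL)
    {
      fclose (logfile);
      logfile = NULL;
    }
  return 0;
}

/*read next line from log file*/
/*
 * Read the next RSBAC request line from logfile and split it into a
 * log_info.  Lines without RSBAC_IDENT_STR are skipped.  The outcome is
 * reported in .res:
 *    0  parsed and accepted
 *   -1  the line was recognised but a field or separator was missing
 *   -2  end of file, no stream, or no request line left to read
 *   -3  parsed, but rejected by in_filter ()
 * All other members are zeroed up front, so a caller that ignores .res
 * never sees stack garbage.  String fields longer than their member are
 * truncated.
 */
log_info
read_log ()
{
  log_info tmp_log;
  char tmp[MAX_LINE];
  char tmp1[MAX_LINE];
  char *find_point, *find1_point;
  int count, found;
  ptrdiff_t len;
  struct passwd *mypasswd;
  /* Field labels as they appear in the kernel line and the text that ends
   * each field.  The trailing space on the first three labels is part of
   * the match; the later ones skip one separator character explicitly
   * (see the switch below). */
  static const char *const parse_list[COUNT_DATA] = {
    "request ", "pid ", "prog_name ", "uid", "target_type", "tid", "attr", "value", "result"	/*by */
  };
  static const char *const stop_list[COUNT_DATA] = {
    ",", ",", ",", ",", ",", ",", ",", ",", "by"	/*by */
  };

  memset (&tmp_log, 0, sizeof (tmp_log));
  /*bad value by default */
  tmp_log.res = -2;

  /*already end of file */
  if (logfile == NULL || feof (logfile))
    return tmp_log;

  /*read line until success */
  found = 0;
  while (!feof (logfile))
    {
      /*exit if done */
      if (!fgets (tmp, MAX_LINE, logfile))
	return tmp_log;
      /*check for identification string */
      if (strstr (tmp, RSBAC_IDENT_STR) != NULL)
	{
	  found = 1;
	  break;
	}
    }
  /* Previously a final, unmatched line fell out of the loop on EOF and was
   * parsed as if it were a request line. */
  if (!found)
    return tmp_log;

  tmp_log.res = 0;

  /*get date *//*!!!FIXME!!! */
  find_point = strstr (tmp, "<6>");
  if (find_point == NULL)
    {
      find_point = strstr (tmp, "rsbac");
      if (find_point == NULL)
	{
	  tmp_log.res = -1;
	  return tmp_log;
	}
      copy_field (tmp_log.time, sizeof (tmp_log.time), tmp, find_point - tmp);
    }
  else
    {
      /* Drop the two characters in front of the "<6>" priority marker.  A
       * marker in the first two columns now yields an empty time instead of
       * a negative length. */
      copy_field (tmp_log.time, sizeof (tmp_log.time), tmp, (find_point - tmp) - 2);
    }

  /*Parse data */
  find_point = tmp;
  for (count = 0; count < COUNT_DATA; count++)
    {
      find_point = strstr (find_point, parse_list[count]);
      if (!find_point)
	{
	  tmp_log.res = -1;
	  return tmp_log;
	}
      find_point += strlen (parse_list[count]);
      find1_point = strstr (find_point, stop_list[count]);
      if (!find1_point)
	{
	  tmp_log.res = -1;
	  return tmp_log;
	}
      /* Fields whose label carries no trailing space skip the separator
       * character here.  This used to be "++find_point" inside the
       * strncpy () call whose length argument read the same pointer --
       * unsequenced, i.e. undefined behaviour -- and a separator directly
       * after the label produced a length of -1. */
      switch (count)
	{
	case 4:
	case 5:
	case 6:
	case 8:
	  find_point++;
	  break;
	default:
	  break;
	}
      len = find1_point - find_point;
      switch (count)
	{
	case 0:
	  copy_field (tmp_log.request, sizeof (tmp_log.request), find_point, len);
	  break;
	case 1:
	  copy_field (tmp1, sizeof (tmp1), find_point, len);
	  tmp_log.pid = atoi (tmp1);
	  break;
	case 2:
	  copy_field (tmp_log.progname, sizeof (tmp_log.progname), find_point, len);
	  break;
	case 3:
	  copy_field (tmp1, sizeof (tmp1), find_point, len);
	  mypasswd = getpwuid (atoi (tmp1));
	  if (mypasswd)
	    copy_field (tmp_log.username, sizeof (tmp_log.username),
			mypasswd->pw_name, (ptrdiff_t) strlen (mypasswd->pw_name));
	  else
	    snprintf (tmp_log.username, MAX_NAME, "user#%d", atoi (tmp1));
	  break;
	case 4:
	  copy_field (tmp_log.target_type, sizeof (tmp_log.target_type), find_point, len);
	  break;
	case 5:
	  copy_field (tmp_log.tid, sizeof (tmp_log.tid), find_point, len);
	  break;
	case 6:
	  copy_field (tmp_log.attr, sizeof (tmp_log.attr), find_point, len);
	  break;
	case 7:
	  copy_field (tmp1, sizeof (tmp1), find_point, len);
	  tmp_log.value = atoi (tmp1);
	  break;
	case 8:
	  copy_field (tmp_log.result, sizeof (tmp_log.result), find_point, len);
	  break;
	default:
	  break;
	}
    }
  /*End Parse data */

  /*Filter results */
  if (in_filter (tmp_log))
    tmp_log.res = -3;
  return tmp_log;
}
rsbac-admin-1.4.0/main/rklogd/viewer/rklogd-viewer.h0000644000175000017500000000254511131371034022203 0ustar gauvaingauvain
/*viewer.h - main viewer definitions*/
/*
 * (c) Stanislav Ievlev inger@linux.ru.net
 */
#ifndef _VIEWER_H
#define _VIEWER_H

/*main definitions*/
#define LOG_FILE_NAME "/secoff/log/security-log"
#define MAX_NAME 50
#define MAX_LINE 5000
#define MAX_BUFFER 3000
#define MIN_USER_LIMIT 500

/*command keys*/
#define KEY_USER 'u'
#define KEY_REQUEST 'r'
#define KEY_PROGRAM 'p'
#define KEY_TARGET_TYPE 't'
#define KEY_TARGET_ID 'i'
#define KEY_ATTR 'a'
#define KEY_RESULT 'z'
#define KEY_DONE 'q'
#define KEY_DATA 'd'
#define KEY_ENT 13		/*Enter */
#define KEY_NXT 9		/*Tab */
#define KEY_EXT 27		/*Esc */

/*numbers*/
#define COUNT_DATA 9
#define COUNT_OPTIONS 13

/* One parsed "rsbac_adf_request()" log line, as filled in by read_log ().
 * The string members are fixed-size, so a field is at most MAX_NAME - 1
 * (target_type: 9) characters. */
typedef struct log_info
{
  char time[MAX_NAME];		/* copy of original url */
  char request[MAX_NAME];
  int pid;
  char progname[MAX_NAME];
  char username[MAX_NAME];
  char target_type[10];
  char tid[MAX_NAME];
  char attr[MAX_NAME];
  int value;
  char result[MAX_NAME];
  char modules[MAX_NAME];	/*my */
  int res;			/* read_log () status: 0 ok, -1 parse error, -2 eof, -3 filtered out */
} log_info;

typedef struct usage
{
  char key[5];
  char description[30];
} usage;

/* Menu entry; key[] holds a single marker character ("*" or " ") plus the
 * terminator. */
typedef struct menu_item
{
  char key[2];
  char description[MAX_LINE];
} menu_item;

typedef struct top_menu_item
{
  void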
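(*menu_fun) (int xpos, int ypos);
  char description[MAX_LINE];
} top_menu_item;

/* NOTE(review): this is a definition, not a declaration, in a header that
 * widget.c and log.c (and presumably main.c) all include.  It links only
 * while the compiler emits common symbols, which GCC stopped doing by
 * default in version 10; with -fno-common it is a duplicate-symbol error.
 * The fix is an "extern" declaration here plus one definition in a .c
 * file; not done here because the defining file is outside this change. */
log_info log_buffer[MAX_BUFFER];

#endif /*_VIEWER_H*/
rsbac-admin-1.4.0/main/rklogd/AUTHORS0000644000175000017500000000004611131371034017012 0ustar gauvaingauvain
Stanislav Ievlev
rsbac-admin-1.4.0/main/rklogd/README0000644000175000017500000000043111131371034016620 0ustar gauvaingauvain
This is a set of useful RSBAC utilities:

=||= rklogd - replacement for the standard klogd; a special version for /proc/rsbac-info/rmsg

=||= rklogd-viewer - log viewer with some analytical and statistical features

Please send bug reports and patches to inger@linux.ru.net
rsbac-admin-1.4.0/main/rklogd/Makefile0000644000175000017500000000545711131371034017415 0ustar gauvaingauvain
#!/usr/bin/make -f
# Licensed under the terms of the GPLv2
# Guillaume Destuynder
#
# Configuration
#
VERSION := 1.2
PACKAGE := rklogd
INSTALL := install
STRIP := strip
CC := gcc
GZIP := gzip
ECHO := $(shell which echo)
ifeq ($(ECHO),)
ECHO := echo
endif
DESTDIR :=
PREFIX := /usr/local
LOCALEDIR := $(PREFIX)/share/locale
DIR_BIN := $(PREFIX)/bin
DIR_SBIN := $(PREFIX)/sbin
DIR_MAN := $(PREFIX)/share/man/man8

# User-tunable optimisation flags.  Everything the build cannot do without
# (include paths, defines, hardening) is kept out of CFLAGS so that a
# `make CFLAGS=-g` on the command line does not drop it.
CFLAGS := -fPIC -O2 -fomit-frame-pointer
# /usr/include is a compiler default; naming it explicitly only disturbs the
# system header search order, so it is no longer listed.
INCLUDES := -Isrc -I. -I../headers -I/usr/local/include -I$(PREFIX)/include
# rklogd-viewer parses log lines into fixed-size stack buffers, so build with
# a stack protector, fortified libc wrappers and a read-only, eagerly bound
# GOT.  Disable with `make HARDEN= HARDEN_LD=` on a toolchain without them.
HARDEN ?= -fstack-protector -D_FORTIFY_SOURCE=2
HARDEN_LD ?= -Wl,-z,relro,-z,now
LDFLAGS :=
DEFINES := -DVERSION=\"$(VERSION)\" \
           -DLOCALEDIR=\"$(LOCALEDIR)\" \
           -DPACKAGE=\"$(PACKAGE)\"
LIBS := -L../libs/.libs -L$(PREFIX)/lib -lrsbac
ALL_CFLAGS := $(INCLUDES) $(DEFINES) $(HARDEN) $(CFLAGS)
ALL_LDFLAGS := $(HARDEN_LD) $(LDFLAGS)

FILES_RKLOGD := $(wildcard src/*.c)
FILES_RKLOGDV := $(wildcard viewer/*.c)
FILES_MAN := $(wildcard man/*.8)
OBJS_RKLOGD := $(FILES_RKLOGD:.c=.o)
OBJS_RKLOGDV := $(FILES_RKLOGDV:.c=.o)
MAN_GZ := $(FILES_MAN:.8=.8.gz)

#
# Nice make. Use make VERBOSE=1 to verbose compilation.
#
ifneq ($(VERBOSE), 1)
.SILENT:
E = @$(ECHO) -e " "
else
E = @:
endif

# Never leave a half-written target behind when a recipe fails.
.DELETE_ON_ERROR:

#
# Targets
#
all: rklogd rklogd-viewer

# Objects are compiled here.  The rules this replaces had targets without a
# .o suffix, so make never used them: the objects came from the built-in
# %.o rule, which knows nothing about $(DEFINES), and -DVERSION/-DPACKAGE/
# -DLOCALEDIR never reached the compiler.
%.o: %.c
	$(E) "CC\t\t$@"
	$(CC) $(ALL_CFLAGS) -c $< -o $@

# Libraries follow the objects: a linker running with --as-needed discards
# libraries that appear before anything referencing them.
rklogd: $(OBJS_RKLOGD)
	$(E) "CC\t\t$@"
	$(CC) $(ALL_CFLAGS) $(ALL_LDFLAGS) $^ -o $@ $(LIBS)

rklogd-viewer: $(OBJS_RKLOGDV)
	$(E) "CC\t\t$@"
	$(CC) $(ALL_CFLAGS) $(ALL_LDFLAGS) $^ -o $@ $(LIBS) -lncurses

# Compressed man pages are real targets, rebuilt only when the page changes.
%.8.gz: %.8
	$(E) "GZIP\t\t$<"
	$(GZIP) -9c $< > $@

clean:
	$(E) "CLEAN\t\t$(OBJS_RKLOGD)"
	rm -f $(OBJS_RKLOGD)
	$(E) "CLEAN\t\t$(OBJS_RKLOGDV)"
	rm -f $(OBJS_RKLOGDV)

distclean: clean
	$(E) "CLEAN\t\trklogd"
	rm -f rklogd
	$(E) "CLEAN\t\trklogd-viewer"
	rm -f rklogd-viewer
	$(E) "CLEAN\t\t$(MAN_GZ)"
	rm -f $(MAN_GZ)

# Installed files are 0755 / 0644: the old -m664 left the man pages
# writable by the owning group.
install: all $(MAN_GZ)
	$(E) "INTO\t\t$(DESTDIR) ($(PREFIX))"
	$(E) "DIR\t\t$(DIR_SBIN) $(DIR_BIN) $(DIR_MAN)"
	$(INSTALL) -d $(DESTDIR)/$(DIR_SBIN) $(DESTDIR)/$(DIR_BIN) $(DESTDIR)/$(DIR_MAN)
	$(E) "INSTALL\trklogd"
	$(INSTALL) -m755 rklogd $(DESTDIR)/$(DIR_SBIN)
	$(E) "INSTALL\trklogd-viewer"
	$(INSTALL) -m755 rklogd-viewer $(DESTDIR)/$(DIR_BIN)
	for f in $(MAN_GZ); do \
	  $(ECHO) -e " INSTALL\t$$f"; \
	  $(INSTALL) -m644 $$f $(DESTDIR)/$(DIR_MAN) || exit 1; \
	done

install-strip: install
	$(E) "STRIP\t\trklogd rklogd-viewer"
	$(STRIP) -s $(DESTDIR)/$(DIR_SBIN)/rklogd $(DESTDIR)/$(DIR_BIN)/rklogd-viewer

# Man pages were installed under their base name, so that is what is
# removed (the old rule kept the man/ prefix and never matched anything).
uninstall:
	$(E) "UNINSTALL\trklogd"
	rm -f $(DESTDIR)/$(DIR_SBIN)/rklogd
	$(E) "UNINSTALL\trklogd-viewer"
	rm -f $(DESTDIR)/$(DIR_BIN)/rklogd-viewer
	for f in $(notdir $(MAN_GZ)); do \
	  $(ECHO) -e " UNINSTALL\t$$f"; \
	  rm -f $(DESTDIR)/$(DIR_MAN)/$$f; \
	done

.PHONY: all install install-strip uninstall clean distclean
rsbac-admin-1.4.0/main/rklogd/man/0000755000175000017500000000000011131371034016515 5ustar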
gauvaingauvainrsbac-admin-1.4.0/main/rklogd/man/rklogd.rus.80000644000175000017500000000406211131371034020702 0ustar gauvaingauvain
.\" Copyright 2000,Stanislav I. Ievlev.
.\" Может свободно распространяться под лицензией GPL.
.\"
.TH RKLOGD 8 "17 May 2000" "Version 0.0" "RSBAC Administration"
.SH NAME
rklogd \- демон перехвата сообщений ядра с RSBAC.
.LP
.SH СИНТАКСИС
.B rklogd
.RB [ " \-s "]
.RB [ " \-l "]
.RB [ " \-p " ]
.RB [ " \-f "
.I fname ]
.RB [ " \-u "
.I uid ]
.RB [ " \-n "
.I host ]
.LP
.SH ОПИСАНИЕ
.B rklogd
это серверный процесс (демон), который перехватывает сообщения ядра, специфичные для RSBAC, и кладет их в отдельный файл (не в общесистемный журнал).
.LP
.SH ПАРАМЕТРЫ
.TP
.BI "\-s "
Использовать системный вызов вместо чтения файла из proc. Полезно, если proc по каким-то причинам недоступна.
.TP
.B "\-p"
Использовать файл в /proc для чтения сообщений из буфера ядра. Программа использует этот метод по умолчанию.
.TP
.BI "\-f " file
Записывать сообщения в указанный файл. По умолчанию сообщения отправляются в файл SECOFF_HOME/security-out.
.TP
.BI "\-u " uid
Использовать указанный UID вместо UID офицера безопасности по умолчанию.
.TP
.BI "\-l "
Прослушивать сеть на предмет сообщений от других серверов (режим log-сервера). Сообщения будут копироваться в файл <название локального журнала>-fromnet.
.TP
.BI "\-n " hostname
Копировать локальные сообщения на указанный log-сервер.
.SH ОБЗОР
Стандартный \fI klogd \fP не в состоянии прочитать сообщения RSBAC из буфера ядра. Эта программа посылает все сообщения в отдельный файл. Вы можете защитить его, используя, например, RC, так что взломщик останется с носом.
.SH ФАЙЛЫ
.PD 0
.TP
.I /proc/rsbac-info/rmsg
буфер сообщений ядра.
.TP
.B rklogd
собственно программа.
.TP
.I /var/run/rklogd.pid
Файл, содержащий PID запущенного процесса
.B rklogd
(используется в сценариях rc.d).
.SH ОШИБКИ
Непременно присутствуют. Пожалуйста, посылайте патчи, а не измененные файлы.
.LP
.SH АВТОР
Я использовал часть кода из
.B klogd .
Тот, в свою очередь, был изначально написан Steve Lord (lord@cray.com); Dr. Greg Wettstein (greg@wind.enjellic.com) внес в него немало изменений.
.TP
\fIRSBAC\fP (c) Amon Ott
.TP
\fIrklogd\fP (c) Stanislav Ievlev
rsbac-admin-1.4.0/main/rklogd/man/rklogd.80000644000175000017500000000367411131371034020102 0ustar gauvaingauvain
.\" Copyright 2000,Stanislav I. Ievlev.
.\" May be distributed under the GNU General Public License
.\"
.TH RKLOGD 8 "17 May 2000" "Version 0.0" "RSBAC Administration"
.SH NAME
rklogd \- RSBAC kernel log daemon.
.LP
.SH SYNOPSIS
.B rklogd
.RB [ " \-s "]
.RB [ " \-a "]
.RB [ " \-l "]
.RB [ " \-p " ]
.RB [ " \-f "
.I fname ]
.RB [ " \-u "
.I uid ]
.RB [ " \-n "
.I host ]
.LP
.SH DESCRIPTION
.B rklogd
is a system daemon which intercepts only the RSBAC kernel messages and logs them to a separate log file. It is started by root and then changes its UID to 400 (see \-u).
.LP
.SH OPTIONS
.TP
.BI "\-a "
Alert (sound) on NOT_GRANTED.
.TP
.BI "\-s "
Use the kernel syscall interface instead of reading the file in /proc (for systems where the proc filesystem is unavailable).
.TP
.B "\-p"
Read the messages from the file in /proc. This is the default.
.TP
.BI "\-f " file
Log messages to the specified file. By default messages go to the file SECOFF_HOME/security-out.
.TP
.BI "\-u " uid
Change to the specified UID instead of the default 400.
.TP
.BI "\-l "
Listen for network connections (log-server mode). Messages received from other hosts are written to a separate file named \fIlogfile\fP-fromnet, where \fIlogfile\fP is the local log file. Nothing on this page describes authentication of the sending hosts, so expose this listener only on a trusted network or behind a packet filter.
.TP
.BI "\-n " hostname
Copy local messages to the log server on the specified host. This page describes no transport protection for that copy; treat it as a trusted-network link.
.SH OVERVIEW
The standard \fI klogd \fP daemon cannot read the RSBAC kernel message buffer. This program can, and sends the messages to a separate file. You can protect this file using any RSBAC model, e.g. RC, so that a possible intruder cannot delete security alert logs.
.SH FILES
.PD 0
.TP
.I /proc/rsbac-info/rmsg
kernel message buffer.
.TP
.I rklogd
the daemon itself.
.TP
.I /var/run/rklogd.pid
The file containing the process id of
.B rklogd
.SH BUGS
There probably are.
Please, send patches, not changed files. .LP .SH AUTHOR I use some of .B klogd code.It was originally written by Steve Lord (lord@cray.com), Dr. Greg Wettstein (greg@wind.enjellic.com) made major improvements. .TP \fIRSBAC\fP (c) Amon Ott .TP \fIrklogd\fP (c) Stanislav Ievlev , some changes made by Amon Ott rsbac-admin-1.4.0/main/rklogd/COPYING0000644000175000017500000004313111131371034016777 0ustar gauvaingauvain GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. 
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". 
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. 
c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. 
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. 
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. 
The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. 
If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License. rsbac-admin-1.4.0/main/rklogd/TODO0000644000175000017500000000006111131371034016427 0ustar gauvaingauvainto 2.0 - return sound feature - rework pidfiles rsbac-admin-1.4.0/main/rklogd/ChangeLog0000644000175000017500000000057611131371034017524 0ustar gauvaingauvainFri Sep 14 17:44:22 MSD 2001 - Completely rework program design. * Second fork changed with select. * Remove a lot of malloc's. Mon Sep 17 13:05:54 MSD 2001 - Corrected work with pidfiles (like klogd) - Return support of reading log using syscall (option -s). Options "p" and "a" removed - I had to made double fork for -s option. select() can work only with descriptors. 
rsbac-admin-1.4.0/main/tools/0000755000175000017500000000000011131371033015617 5ustar gauvaingauvainrsbac-admin-1.4.0/main/tools/src/0000755000175000017500000000000011131371033016406 5ustar gauvaingauvainrsbac-admin-1.4.0/main/tools/src/acl_rm_user.c0000644000175000017500000000637711131371033021062 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 25/Feb/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Remove all groups and memberships of a user\n\n")); printf(gettext("Use: %s [flags] user\n"), progname); printf(gettext(" -y: remove without asking\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); } int main(int argc, char ** argv) { int res = 0; rsbac_list_ta_number_t ta_number = 0; int allyes = 0; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'y': allyes=1; break; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc > 1) { struct rsbac_acl_syscall_arg_t arg; char yn; if(rsbac_get_uid(ta_number, &arg.tid.user, argv[1])) { fprintf(stderr, gettext("%s: Invalid User %s!\n"), progname, argv[1]); exit(1); } arg.target = T_USER; arg.subj_type = ACLS_USER; 
arg.subj_id = arg.tid.user; if(!allyes) { if (RSBAC_UID_SET(arg.tid.user)) printf(gettext("Remove all groups and memberships of user %u/%u '%s' [y/n]\n"), RSBAC_UID_SET(arg.tid.user), RSBAC_UID_NUM(arg.tid.user), argv[1]); else printf(gettext("Remove all groups and memberships of user %u '%s' [y/n]\n"), RSBAC_UID_NUM(arg.tid.user), argv[1]); yn = getchar(); if(yn != 'y') exit(0); } res = rsbac_acl(ta_number, ACLC_remove_user, &arg); error_exit(res); exit(0); } else { use(); exit(1); } } rsbac-admin-1.4.0/main/tools/src/attr_get_user.c0000644000175000017500000003513011131371032021422 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 04/Sep/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [switches] module user attribute [position|request-name]\n\n"), progname); printf(gettext(" -e = show effective (maybe inherited) value, not real\n")); printf(gettext(" -n = numeric value, -b = both names and numbers,\n")); printf(gettext(" -l list all users, -L list all Linux groups\n")); printf(gettext(" -p = print request names instead of values\n")); printf(gettext(" -c list all Linux capabilities, -R = list all RES resource names\n")); printf(gettext(" -a = list attributes and values\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" module = CAP, GEN, MAC, FC, SIM, PM, MS, FF, RC or AUTH\n")); printf(gettext(" mac_[min_]categories\t\t(with additional parameter position)\n\t\t\t0=no, 1=yes\n")); printf(gettext(" log_user_based\t(with additional parameter 
request-name)\n\t\t\t0=no, 1=yes\n")); } int main(int argc, char ** argv) { int attr_list[RSBAC_USER_NR_ATTRIBUTES] = RSBAC_USER_ATTR_LIST; int res = 0; u_int position; char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN]; int j; enum rsbac_switch_target_t module = SW_NONE; union rsbac_attribute_value_t value; union rsbac_target_id_t tid; enum rsbac_attribute_t attr; int inherit = 0; int numeric = 0; int both = 0; int bothr = 0; int printall = 0; int scripting = 0; rsbac_list_ta_number_t ta_number = 0; progname = argv[0]; locale_init(); { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'e': inherit=1; break; case 'p': printall=1; break; case 'n': numeric=1; break; case 'b': both=1; break; case 'B': bothr=1; break; case 's': scripting=1; break; case 'l': { struct passwd * user_info_p; setpwent(); while((user_info_p = getpwent())) { if(numeric) printf("%u\n", user_info_p->pw_uid); else if(both) printf("%s %u\n", user_info_p->pw_name, user_info_p->pw_uid); else if(bothr) printf("%u %s\n", user_info_p->pw_uid, user_info_p->pw_name); else printf("%s\n", user_info_p->pw_name); } exit(0); } case 'L': { struct group * group_info_p; setgrent(); while((group_info_p = getgrent())) { if(numeric) printf("%u\n", group_info_p->gr_gid); else if(both) printf("%s %u\n", group_info_p->gr_name, group_info_p->gr_gid); else if(bothr) printf("%u %s\n", group_info_p->gr_gid, group_info_p->gr_name); else printf("%s\n", group_info_p->gr_name); } exit(0); } case 'u': if(argc > 2) { rsbac_uid_t uid; if(rsbac_get_uid(ta_number, &uid, argv[2])) { fprintf(stderr, gettext("%s: Invalid User %s!\n"), progname, argv[2]); exit(1); } if (RSBAC_UID_SET(uid)) printf("%u/%u\n", RSBAC_UID_SET(uid), RSBAC_UID_NUM(uid)); else printf("%u\n", RSBAC_UID_NUM(uid)); exit(0); } else { fprintf(stderr, "Missing argument to parameter 
u!\n"); exit(1); } case 'c': { char tmp[RSBAC_MAXNAMELEN]; int i; for(i=0; i 2) && ((attr = get_attribute_nr(argv[2])) != A_none) ) { get_switch_target_name(tmp1, get_attr_module(attr)); get_attribute_name(tmp2, attr); get_attribute_param(tmp3, attr); printf("[%-4s] %s\n\t%s\n",tmp1,tmp2,tmp3); exit(0); } printf(gettext("- attribute (string) and returned value = see following list:\n")); for (j=0;j 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if(argc > 1) { module = get_switch_target_nr(argv[1]); if(module != SW_NONE) { argv++; argc--; } } switch(argc) { case 3: if( !strcmp("group_nr",argv[2]) || !strcmp("group_name",argv[2]) ) { if(rsbac_get_gid_name(ta_number, &tid.group, tmp1, argv[1])) { fprintf(stderr, gettext("%s: Invalid Group %s!\n"), progname, argv[1]); exit(1); } if(!strcmp("group_nr",argv[2])) { if (RSBAC_GID_SET(tid.group)) printf("%u/%u\n", RSBAC_GID_SET(tid.group), RSBAC_GID_NUM(tid.group)); else printf("%u\n", RSBAC_GID_NUM(tid.group)); exit(0); } else { printf("%s\n", tmp1); exit(0); } } value.dummy = -1; if(rsbac_get_uid_name(ta_number, &tid.user, tmp1, argv[1])) { fprintf(stderr, gettext("%s: Invalid User %s!\n"), progname, argv[1]); exit(1); } if(!strcmp("user_nr",argv[2])) { if (RSBAC_UID_SET(tid.user)) printf("%u/%u\n", RSBAC_UID_SET(tid.user), RSBAC_UID_NUM(tid.user)); else printf("%u\n", RSBAC_UID_NUM(tid.user)); exit(0); } if(!strcmp("user_name",argv[2])) { printf("%s\n", tmp1); exit(0); } if(!strcmp("full_name",argv[2])) { if(!rsbac_get_fullname(ta_number, tmp2, tid.user)) printf("%s\n", tmp2); exit(0); } attr = get_attribute_nr(argv[2]); if(attr == A_none) { fprintf(stderr, gettext("%s: Invalid Attribute %s!\n"), progname, argv[2]); exit(1); } res = rsbac_get_attr(ta_number, module, 
T_USER, &tid, attr, &value, inherit); error_exit(res); switch(attr) { case A_mac_role: case A_mac_user_flags: case A_pm_role: case A_daz_role: case A_ff_role: case A_auth_role: case A_cap_role: case A_jail_role: case A_res_role: case A_pax_role: case A_system_role: case A_security_level: case A_initial_security_level: case A_min_security_level: case A_cap_ld_env: printf("%u\n",value.u_char_dummy); break; case A_rc_type: case A_rc_type_fd: case A_rc_force_role: case A_rc_role: case A_rc_def_role: printf("%u\n",value.rc_role); break; case A_mac_categories: case A_mac_initial_categories: case A_mac_min_categories: printf("%s\n",u64tostrmac(tmp1,value.mac_categories)); break; case A_log_user_based: if(printall) { int i; for (i=0; i RSBAC_MAC_MAX_CAT) { fprintf(stderr, gettext("Invalid position counter %s\n"), argv[3]); exit(1); } res = rsbac_get_attr(ta_number, module, T_USER, &tid, attr, &value, inherit); error_exit(res); printf("%u\n", (u_int) (value.mac_categories >> position) & 1); exit(0); case A_log_user_based: position = get_request_nr(argv[3]); if(position >= R_NONE) { fprintf(stderr, gettext("Invalid request %s\n"), argv[3]); exit(1); } res = rsbac_get_attr(ta_number, module, T_USER, &tid, A_log_user_based, &value, inherit); error_exit(res); printf("%u\n", (u_int) (value.log_program_based >> position) & 1); exit(0); case A_res_min: case A_res_max: position = get_res_nr(argv[3]); if(position == RSBAC_RES_NONE) { position = strtoul(argv[3],0,10); if( (!position && strcmp(argv[3], "0")) || (position > RSBAC_RES_MAX) ) { fprintf(stderr, gettext("Invalid position counter %s\n"), argv[3]); exit(1); } } res = rsbac_get_attr(ta_number, module, T_USER, &tid, attr, &value, FALSE); error_exit(res); printf("%u\n", value.res_array[position]); exit(0); default: break; } default: use(); return 1; } exit(1); } rsbac-admin-1.4.0/main/tools/src/pm_ct_exec.c0000644000175000017500000000247011131371032020662 0ustar gauvaingauvain/*************************************************** 
*/ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2005: Amon Ott */ /* */ /* Last modified: 31/May/2005 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif int main(int argc, char ** argv) { int res = 0; rsbac_pm_task_id_t task; locale_init(); if (argc >= 3) { task=strtol(argv[1],0,10); printf(gettext("%s: executing %s with task %i\n"), argv[0],argv[2],task); res = rsbac_pm_change_current_task(task); error_exit(res); res = execvp(argv[2],&argv[2]); error_exit(res); } else { printf(gettext("%s (RSBAC %s)\n***\n"), argv[0], VERSION); printf(gettext("Use: %s task-nr prog args\n"), argv[0]); printf(gettext("This program will set rsbac_pm_current_task to task-nr and then\n")); printf(gettext("execute prog via execvp()\n")); } return (res); } rsbac-admin-1.4.0/main/tools/src/net_temp.c0000644000175000017500000006104211131371032020367 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2005: Amon Ott */ /* */ /* Last modified: 27/Dec/2005 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif #define SETPROG "net_temp" #define LISTROOM 10 int verbose=0; int backup=0; int add=0; rsbac_version_t version=RSBAC_VERSION_NR; rsbac_list_ta_number_t ta_number = 0; char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [switches] function id [set-param]\n"), progname); printf(gettext(" %s [switches] list_temp_{names|nr}\n"), progname); printf(gettext(" %s [switches] list_template id\n"), progname); printf(gettext(" -v = verbose, -l = list functions\n")); printf(gettext(" 
-b = backup mode, -s = scripting mode,\n")); printf(gettext(" -n = take number as address, -u = take string as address,\n")); printf(gettext(" -d = take DNS name as address and convert to IP address,\n")); printf(gettext(" -A = add new addresses or ports, do not replace old list\n")); printf(gettext(" -a = list all templates in detail\n")); printf(gettext(" -V version = supply RSBAC integer version number for upgrading\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); } char * get_temp_name(rsbac_net_temp_id_t temp, char * name) { union rsbac_net_temp_syscall_data_t data; if(!rsbac_net_template(ta_number, NTS_get_name, temp, &data)) { strcpy(name, data.name); } else { strcpy(name, gettext("*unknown*")); } return name; } void arg_exit(char * call) { fprintf(stderr, "Too few arguments for call %s\n", call); exit(1); } void list_template(rsbac_net_temp_id_t id) { union rsbac_net_temp_syscall_data_t data; union rsbac_net_temp_syscall_data_t data2; char tmp[RSBAC_MAXNAMELEN]; int i; if(verbose) printf("\nGetting data of template %u\n", id); else printf("\n"); error_exit(rsbac_net_template(ta_number, NTS_get_name, id, &data)); if(backup) { printf("%s -V %u new_template %u \"%s\"\n", SETPROG, RSBAC_VERSION_NR, id, data.name); printf("%s -V %u set_name %u \"%s\"\n", SETPROG, RSBAC_VERSION_NR, id, data.name); } else printf("ID:\t\t%u\nName:\t\t%s\n", id, data.name); error_exit(rsbac_net_template(ta_number, NTS_get_address_family, id, &data2)); if(backup) printf("%s -V %u set_address_family %u %s\n", SETPROG, RSBAC_VERSION_NR, id, rsbac_get_net_family_name(tmp, data2.address_family)); else printf("Family:\t\t%s\n", rsbac_get_net_family_name(tmp, data2.address_family)); error_exit(rsbac_net_template(ta_number, NTS_get_type, id, &data)); if(backup) printf("%s -V %u set_type %u %s\n", SETPROG, RSBAC_VERSION_NR, id, rsbac_get_net_type_name(tmp, data.type)); else printf("Socket type:\t%s\n", rsbac_get_net_type_name(tmp, 
data.type)); error_exit(rsbac_net_template(ta_number, NTS_get_address, id, &data)); switch(data2.address_family) { case AF_INET: if(backup) { if(data.address.inet.nr_addr > 0) { printf("%s -V %u set_address %u", SETPROG, RSBAC_VERSION_NR, id); for(i=0; i 0) { for(i=0; i 0) { printf("%s -V %u set_ports %u", SETPROG, RSBAC_VERSION_NR, id); for(i=0; i 0) { for(i=0; i 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'b': backup=1; break; case 'n': numerical=1; break; case 'd': dnsname=1; break; case 's': scripting=1; break; case 'l': { char tmp[RSBAC_MAXNAMELEN]; for(i=0; i< NTS_none ; i++) printf("%s\n", rsbac_get_net_temp_syscall_name(tmp, i)); exit(0); } case 'L': if(argc > 2) { rsbac_net_temp_id_t id; for(i=2 ; i< argc ; i++) { id = strtoul(argv[i],0,10); if(id) list_template(id); else show_error(-RSBAC_EINVALIDTARGET); } exit(0); } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } case 'a': listall=1; break; case 'A': add=1; break; case 'V': if(argc < 3) { fprintf(stderr, gettext("%s: no version number for switch V\n"), progname); exit(1); } version = strtol(argv[2],0,10); argv++; argc--; break; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if( (argc == 2) && ( !strcmp(argv[1], "list_temp_names") || !strcmp(argv[1], "list_temp_nr") ) ) { rsbac_net_temp_id_t * temp_array; union rsbac_net_temp_syscall_data_t data; long count; int show_names = 0; int j; if(!strcmp(argv[1], "list_temp_names")) show_names = 1; count = rsbac_net_list_all_template(ta_number, NULL, 0); error_exit(count); count += LISTROOM; temp_array = malloc(count * 
sizeof(*temp_array)); if(!temp_array) error_exit(-ENOMEM); count = rsbac_net_list_all_template(ta_number, temp_array, count); for(i = 0; i< count ; i++) { if(show_names) { res = rsbac_net_template(ta_number, NTS_get_name, temp_array[i], &data); if(!res) { for(j=0; j= 3) && !strcmp(argv[1], "list_template") ) || (listall) ) { if(listall) { rsbac_net_temp_id_t * temp_array; long count; count = rsbac_net_list_all_template(ta_number, NULL, 0); error_exit(count); count += LISTROOM; temp_array = malloc(count * sizeof(*temp_array)); if(!temp_array) error_exit(-ENOMEM); count = rsbac_net_list_all_template(ta_number, temp_array, count); for(i = 0; i< count ; i++) list_template(temp_array[i]); free(temp_array); } else { rsbac_net_temp_id_t id; for(i=2 ; i< argc ; i++) { id = strtoul(argv[i],0,10); if(id) list_template(id); else show_error(-RSBAC_EINVALIDTARGET); } } exit(0); } else if(argc > 2) { enum rsbac_net_temp_syscall_t call; rsbac_net_temp_id_t id; union rsbac_net_temp_syscall_data_t data; char tmp[RSBAC_MAXNAMELEN]; call = rsbac_get_net_temp_syscall_nr(argv[1]); id = strtoul(argv[2],0,10); if(!id) error_exit(-RSBAC_EINVALIDTARGET); switch(call) { case NTS_set_address: if(argc > 2) { int i; char * pos; int offset = 0; if(add) { error_exit(rsbac_net_template(ta_number, NTS_get_address, id, &data)); offset = data.address.inet.nr_addr; } for(i=3 ; (i < argc) && (offset + i < RSBAC_NET_NR_INET_ADDR + 3); i++) { pos = argv[i]; if(!*pos || (*pos == '/')) { fprintf(stderr, gettext("Invalid Address %s\n"), pos); error_exit(-RSBAC_EINVALIDVALUE); } while(*pos && (*pos != '/')) pos++; if(*pos) { *pos = 0; pos++; if(!*pos || (*pos == '/')) { fprintf(stderr, gettext("Invalid Address %s\n"), pos); error_exit(-RSBAC_EINVALIDVALUE); } data.address.inet.valid_bits[offset + i-3] = strtoul(pos,0,0); } else data.address.inet.valid_bits[offset + i-3] = 32; if(numerical) data.address.inet.addr[offset + i-3] = strtoul(argv[i],0,0); else if(dnsname) { struct hostent * host; struct in_addr * 
addr_p; host = gethostbyname(argv[i]); if(!host) { fprintf(stderr, gettext("DNS lookup of address %s failed!\n"), argv[i]); error_exit(-RSBAC_ENOTFOUND); } addr_p = (struct in_addr *) host->h_addr; data.address.inet.addr[offset + i-3] = addr_p->s_addr; } else { struct in_addr addr; error_exit(inet_aton(argv[i], &addr)); data.address.inet.addr[offset + i-3] = addr.s_addr; } if(verbose) printf("Adding IP address %u.%u.%u.%u/%u for template %u\n", NIPQUAD(data.address.inet.addr[offset + i-3]), data.address.inet.valid_bits[offset + i-3], id); } if(verbose) { int j; printf("Setting %u IP addresses for template %u:", offset + i-3, id); for(j=0; j < offset + i-3; j++) printf(" %u.%u.%u.%u/%u", NIPQUAD(data.address.inet.addr[j]), data.address.inet.valid_bits[j]); printf("\n"); } data.address.inet.nr_addr = offset + i-3; } else arg_exit(argv[1]); error_exit(rsbac_net_template(ta_number, call, id, &data)); exit(0); case NTS_set_address_family: if(argc > 3) { data.address_family = rsbac_get_net_family_nr(argv[3]); if(data.address_family == AF_MAX) data.address_family = strtoul(argv[3],0,10); } else arg_exit(argv[1]); if(verbose) printf("Setting address_family for template %u to %u (%s)\n", id, data.address_family, rsbac_get_net_family_name(tmp, data.address_family)); error_exit(rsbac_net_template(ta_number, call, id, &data)); exit(0); case NTS_set_type: if(argc > 3) { data.type = rsbac_get_net_type_nr(argv[3]); if(data.type == RSBAC_NET_TYPE_MAX) data.type = strtoul(argv[3],0,10); } else arg_exit(argv[1]); if(verbose) printf("Setting socket type for template %u to %u (%s)\n", id, data.type, rsbac_get_net_type_name(tmp, data.type)); error_exit(rsbac_net_template(ta_number, call, id, &data)); exit(0); case NTS_set_protocol: if(argc > 3) { u_int proto; proto = rsbac_get_net_protocol_nr(argv[3]); if(proto == RSBAC_NET_PROTO_MAX) proto = rsbac_get_netlink_protocol_nr(argv[3]); if(proto == RSBAC_NET_PROTO_MAX) proto = strtoul(argv[3],0,10); if(proto >= RSBAC_NET_PROTO_MAX) 
error_exit(-RSBAC_EINVALIDVALUE); data.protocol = proto; } else arg_exit(argv[1]); if(verbose) printf("Setting protocol for template %u to %u (%s)\n", id, data.protocol, rsbac_get_net_protocol_name(tmp, data.protocol)); error_exit(rsbac_net_template(ta_number, call, id, &data)); exit(0); case NTS_set_netdev: if(argc > 3) { strncpy((char *)data.netdev, argv[3], RSBAC_IFNAMSIZ); data.netdev[RSBAC_IFNAMSIZ] = 0; } else arg_exit(argv[1]); if(verbose) printf("Setting netdev for template %u to %s\n", id, data.netdev); error_exit(rsbac_net_template(ta_number, call, id, &data)); exit(0); case NTS_set_ports: if(argc > 2) { int i; char * pos; int offset = 0; if(add) { error_exit(rsbac_net_template(ta_number, NTS_get_ports, id, &data)); offset = data.ports.nr_ports; } for(i=3 ; (i < argc) && (offset + i < RSBAC_NET_NR_PORTS + 3); i++) { pos = argv[i]; if(!*pos || (*pos == ':')) { fprintf(stderr, "Invalid Port %s\n", pos); error_exit(-RSBAC_EINVALIDVALUE); } while(*pos && (*pos != ':')) pos++; if(*pos) { *pos = 0; pos++; data.ports.ports[offset+i-3].min = strtoul(argv[i],0,0); if(*pos) { data.ports.ports[offset+i-3].max = strtoul(pos,0,0); if(data.ports.ports[offset+i-3].max < data.ports.ports[offset+i-3].min) error_exit(-RSBAC_EINVALIDVALUE); } else data.ports.ports[offset+i-3].max = data.ports.ports[offset+i-3].min; } else { data.ports.ports[offset+i-3].min = strtoul(argv[i],0,0); data.ports.ports[offset+i-3].max = data.ports.ports[offset+i-3].min; } if(verbose) printf("Adding port range %u:%u for template %u\n", data.ports.ports[offset+i-3].min, data.ports.ports[offset+i-3].max, id); } if(verbose) { int j; printf("Setting %u port ranges for template %u:", offset+i-3, id); for(j=0; j 3) { strncpy(data.name, argv[3], RSBAC_NET_TEMP_NAMELEN-1); data.name[RSBAC_NET_TEMP_NAMELEN-1] = 0; } else arg_exit(argv[1]); if(verbose) printf("Setting name for template %u to %s\n", id, data.name); error_exit(rsbac_net_template(ta_number, call, id, &data)); exit(0); case NTS_new_template: 
if(argc > 3) { strncpy(data.name, argv[3], RSBAC_NET_TEMP_NAMELEN-1); data.name[RSBAC_NET_TEMP_NAMELEN-1] = 0; } else strcpy(data.name, "(unknown)"); if(verbose) printf("Creating template %u with name %s\n", id, data.name); error_exit(rsbac_net_template(ta_number, call, id, &data)); exit(0); case NTS_copy_template: if(argc > 3) data.id = strtoul(argv[3],0,10); else arg_exit(argv[1]); if(verbose) printf("Copying template %u from template %u\n", id, data.id); error_exit(rsbac_net_template(ta_number, call, id, &data)); exit(0); case NTS_delete_template: if(verbose) printf("Deleting template %u\n", id); error_exit(rsbac_net_template(ta_number, call, id, &data)); exit(0); case NTS_check_id: if(verbose) printf("Checking for template %u\n", id); error_exit(rsbac_net_template(ta_number, call, id, &data)); printf("%u\n", data.id); exit(0); case NTS_get_address: { union rsbac_net_temp_syscall_data_t data2; if(verbose) printf("Getting address of template %u\n", id); error_exit(rsbac_net_template(ta_number, call, id, &data)); error_exit(rsbac_net_template(ta_number, NTS_get_address_family, id, &data2)); switch(data2.address_family) { case AF_INET: if(data.address.inet.nr_addr > 0) { int i; for(i=0; i < data.address.inet.nr_addr; i++) printf("%u.%u.%u.%u/%u ", NIPQUAD(data.address.inet.addr[i]), data.address.inet.valid_bits[i]); printf("\n"); } break; default: printf("(address family not supported)\n"); } exit(0); } case NTS_get_address_family: if(verbose) printf("Getting address_family of template %u\n", id); error_exit(rsbac_net_template(ta_number, call, id, &data)); printf("%s\n", rsbac_get_net_family_name(tmp, data.address_family)); exit(0); case NTS_get_type: if(verbose) printf("Getting socket type of template %u\n", id); error_exit(rsbac_net_template(ta_number, call, id, &data)); printf("%s\n", rsbac_get_net_type_name(tmp, data.type)); exit(0); case NTS_get_protocol: { union rsbac_net_temp_syscall_data_t data2; if(verbose) printf("Getting protocol of template %u\n", id); 
error_exit(rsbac_net_template(ta_number, call, id, &data)); error_exit(rsbac_net_template(ta_number, NTS_get_address_family, id, &data2)); switch(data2.address_family) { case AF_INET: printf("%s\n", rsbac_get_net_protocol_name(tmp, data.protocol)); break; case AF_NETLINK: printf("%s\n", rsbac_get_netlink_protocol_name(tmp, data.protocol)); break; default: printf("(address family not supported)\n"); } exit(0); } case NTS_get_netdev: if(verbose) printf("Getting netdev of template %u\n", id); error_exit(rsbac_net_template(ta_number, call, id, &data)); printf("%s\n", data.netdev); exit(0); case NTS_get_ports: if(verbose) printf("Getting port ranges of template %u\n", id); error_exit(rsbac_net_template(ta_number, call, id, &data)); if(data.ports.nr_ports > 0) { int i; for(i=0; i < data.ports.nr_ports; i++) printf("%u:%u ", data.ports.ports[i].min, data.ports.ports[i].max); printf("\n"); } exit(0); case NTS_get_name: if(verbose) printf("Getting name of template %u\n", id); error_exit(rsbac_net_template(ta_number, call, id, &data)); printf("%s\n", data.name); exit(0); default: if((argc > 3) && !strcmp(argv[1], "set_min_port")) { error_exit(rsbac_net_template(ta_number, NTS_get_ports, id, &data)); if(data.ports.nr_ports > 0) { data.ports.ports[0].min = strtoul(argv[3],0,0); } else { data.ports.ports[0].min = strtoul(argv[3],0,0); data.ports.ports[0].max = data.ports.ports[0].min; data.ports.nr_ports = 1; } if(verbose) { int j; printf("Setting %u port ranges for template %u:", data.ports.nr_ports, id); for(j=0; j 3) && !strcmp(argv[1], "set_max_port")) { error_exit(rsbac_net_template(ta_number, NTS_get_ports, id, &data)); if(data.ports.nr_ports > 0) { data.ports.ports[0].max = strtoul(argv[3],0,0); } else { data.ports.ports[0].min = strtoul(argv[3],0,0); data.ports.ports[0].max = data.ports.ports[0].min; data.ports.nr_ports = 1; } if(verbose) { int j; printf("Setting %u port ranges for template %u:", data.ports.nr_ports, id); for(j=0; j 3) && !strcmp(argv[1], 
"set_valid_len")) { error_exit(rsbac_net_template(ta_number, NTS_get_address_family, id, &data)); if(data.address_family == AF_INET) { error_exit(rsbac_net_template(ta_number, NTS_get_address, id, &data)); if(data.address.inet.nr_addr > 0) { data.address.inet.valid_bits[0] = strtoul(argv[3],0,0); error_exit(rsbac_net_template(ta_number, NTS_set_address, id, &data)); } } } else { fprintf(stderr, "Invalid call %s!\n", argv[1]); exit(1); } } exit(0); } else { use(); return 1; } exit(0); } rsbac-admin-1.4.0/main/tools/src/rsbac_login.c0000644000175000017500000001141311131371033021034 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott */ /* */ /* Last modified: 20/Sep/2007 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif #define ROOM 20 int main(int argc, char ** argv) { int res = 0; char * progname; rsbac_uid_t user = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, RSBAC_NO_USER); char hostname[RSBAC_MAXNAMELEN + 1]; int verbose = 0; int preserve = 0; int err; char * pass; char * username; union rsbac_um_mod_data_t um_data; rsbac_gid_num_t * group_array; struct termios old_term; struct termios tmp_term; locale_init(); progname = argv[0]; while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; if(*pos == '-') { argv++; argc--; break; } while(*pos) { switch(*pos) { case 'v': verbose++; break; case 'p': preserve = 1; break; case 'h': printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [flags] [username]\n"), progname); printf(gettext(" -v = verbose, -p = preserve environment\n")); exit(0); default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } err = gethostname(hostname, 
RSBAC_MAXNAMELEN); error_exit(err); if (argc > 1) { username = argv[1]; } else { username = malloc(255); if(!username) error_exit(-ENOMEM); printf("%s login: ", hostname); if(scanf("%254s", username) <= 0) { fprintf(stderr, gettext("%s: invalid login name!\n"), progname); exit(1); } } pass = malloc(255); if(!pass) error_exit(-ENOMEM); res = mlock(pass, 255); if (res) { fprintf(stderr, gettext("Unable to lock password into physical memory, continue anyway!\n")); } printf("%s's RSBAC password: ", username); if(isatty(STDIN_FILENO)) { res = tcgetattr(STDIN_FILENO, &old_term); error_exit(res); memcpy(&tmp_term, &old_term, sizeof(old_term)); tmp_term.c_lflag &= ~(ECHO); res = tcsetattr(STDIN_FILENO, TCSAFLUSH, &tmp_term); error_exit(res); } res = scanf("%254s", pass); if(isatty(STDIN_FILENO)) tcsetattr(STDIN_FILENO, TCSAFLUSH, &old_term); printf("\n"); if((rsbac_um_auth_name(username, pass) != 0) || (res <=0)) { memset(pass, 0, 255); munlock(pass, 255); fprintf(stderr, gettext("Login incorrect\n")); exit(1); } memset(pass, 0, 255); munlock(pass, 255); res = rsbac_um_get_uid(0, username, &user); // printf("Uid: %u/%u\n", RSBAC_UID_SET(user), RSBAC_UID_NUM(user)); error_exit(res); res = rsbac_um_get_user_item(0, user, UM_group, &um_data); error_exit(res); res = setgid(um_data.group); error_exit(res); res = rsbac_um_get_gm_list(0, user, NULL, 0); error_exit(res); if(res > 0) { res += ROOM; group_array = malloc(res * sizeof(*group_array)); if(!group_array) error_exit(-RSBAC_ENOMEM); res = rsbac_um_get_gm_list(0, user, group_array, res); if(res > 0) res = setgroups(res, group_array); free(group_array); error_exit(res); } res = rsbac_um_get_user_item(0, user, UM_homedir, &um_data); error_exit(res); res = setuid(RSBAC_UID_NUM(user)); error_exit(res); res = chdir(um_data.string); if(res) { fprintf(stderr, "Could not chdir to home dir %s: ", um_data.string); show_error(res); } res = rsbac_um_get_user_item(0, user, UM_shell, &um_data); error_exit(res); { char * execargs[2]; char 
arg0[RSBAC_MAXNAMELEN]; if(!preserve) { char * termvar; termvar = getenv("TERM"); if(termvar) { strncpy(arg0, termvar, RSBAC_MAXNAMELEN - 1); arg0[RSBAC_MAXNAMELEN - 1] = 0; } clearenv(); if(termvar) setenv("TERM", arg0, 0); } /* always to be set (although we have excluded MAIL)*/ res = rsbac_um_get_user_item(0, user, UM_name, &um_data); setenv("LOGNAME", um_data.string, 1); res = rsbac_um_get_user_item(0, user, UM_homedir, &um_data); setenv("HOME", um_data.string, 1); res = rsbac_um_get_user_item(0, user, UM_shell, &um_data); setenv("SHELL", um_data.string, 1); if(user == 0) putenv("PATH=/sbin:/usr/sbin:/bin:/usr/bin"); else putenv("PATH=/bin:/usr/bin"); snprintf(arg0, RSBAC_MAXNAMELEN - 1, "-%s", um_data.string); execargs[0] = arg0; execargs[1] = NULL; res = execv(um_data.string, execargs); } error_exit(res); exit(0); } rsbac-admin-1.4.0/main/tools/src/switch_adf_log.c0000644000175000017500000002335011131371033021531 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott */ /* */ /* Last modified: 25/Sep/2007 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif #define SETPROG "switch_adf_log" char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s request [target] [value]\n"), progname); printf(gettext("request = request name or ALL, value = [012]\n")); printf(gettext("target = target type name, leave out for ALL\n")); printf(gettext("- -n = list all requests, -t = list all target types\n")); printf(gettext("- -b = backup log level settings\n")); printf(gettext("- -g = get not set, -s = scripting mode\n")); printf(gettext(" -V version = supply RSBAC integer version number for upgrading\n")); } int main(int argc, char ** argv) { int res = 0; int i,j; u_int 
request,target,value; char name[RSBAC_MAXNAMELEN]; int verbose = 0; int getmode = 0; int scripting = 0; rsbac_version_t version=RSBAC_VERSION_NR; locale_init(); progname = argv[0]; while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'g': getmode=1; break; case 's': scripting=1; break; case 'n': { int i; for(i=0; i LL_request) || (!value && strcmp(argv[2],"0")) ) error_exit(-RSBAC_EINVALIDVALUE); if(verbose) printf(gettext("%s: switching logging for ALL requests and targets to %i\n"), progname,value); for(i=0;i LL_request) || (!value && strcmp(argv[2],"0")) ) error_exit(-RSBAC_EINVALIDVALUE); if(verbose) printf(gettext("%s: switching logging for request %s and all target types to %i\n"), progname,argv[1],value); for(j=0;j<=T_NONE;j++) { if(j != T_FD) { if(verbose) printf(gettext("%s: target %s\n"), progname,get_target_name_only(name,j)); res = rsbac_adf_log_switch(request,j,value); error_exit(res); } } } } else if (argc == 4) { if(!strcmp(argv[1],"ALL")) { target=get_target_nr(argv[2]); if( (target == T_NONE) && strcmp(argv[2],"NONE") ) error_exit(-RSBAC_EINVALIDTARGET); if(target == T_FD) error_exit(-RSBAC_EINVALIDTARGET); value=strtol(argv[3],0,10); if( (value > LL_request) || (!value && strcmp(argv[3],"0")) ) error_exit(-RSBAC_EINVALIDVALUE); if(verbose) printf(gettext("%s: switching logging for ALL requests and target type %s to %i\n"), progname,argv[2], value); for(i=0;i LL_request) || (!value && strcmp(argv[3],"0")) ) error_exit(-RSBAC_EINVALIDVALUE); if(verbose) printf(gettext("%s: switching logging for request %s and target type %s to %i\n"), progname,argv[1],argv[2],value); res = rsbac_adf_log_switch(request,target,value); error_exit(res); } } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/rsbac_list_ta.c0000644000175000017500000001336711131371033021375 0ustar 
gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 25/Feb/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; struct termios old_term; struct termios tmp_term; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [flags] {begin|refresh|commit|forget}\n"), progname); printf(gettext(" -v = verbose, -b = print bash export of RSBAC_TA\n")); printf(gettext(" -t ttl = reduce transaction timeout from kernel config default to ttl\n")); printf(gettext(" -p password = use this password\n")); printf(gettext(" -P = ask for password\n")); printf(gettext(" -N ta = transaction number (for refresh, commit, forget)\n")); printf(gettext(" (default = value of RSBAC_TA, if set, or 0 otherwise)\n")); } int env_init(void) { struct rlimit rlimit; rlimit.rlim_cur = 0; rlimit.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlimit); return 0; } int main(int argc, char ** argv) { int res = 0; int ttl = 0; int verbose = 0; int bashexport = 0; int ask_password = 0; char * password = NULL; rsbac_list_ta_number_t ta_number = 0; rsbac_uid_t commit_uid = RSBAC_ALL_USERS; env_init(); password = malloc(255); if (!password) exit(-ENOMEM); res = mlock(password, 255); if(res) fprintf(stderr, gettext("Warning: password was not locked into physical memory.\n")); locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 't': if(argc > 2) { ttl = strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter 
%c\n"), progname, *pos); break; case 'p': if(argc > 2) { password = argv[2]; argc--; argv++; } else fprintf(stderr, gettext("%s: missing password for parameter %c\n"), progname, *pos); break; case 'P': ask_password = 1; break; case 'u': if(argc > 2) { if(rsbac_get_uid(ta_number, &commit_uid, argv[2])) { fprintf(stderr, gettext("%s: Invalid User %s!\n"), progname, argv[2]); exit(1); } argc--; argv++; } else fprintf(stderr, gettext("%s: missing user for parameter %c\n"), progname, *pos); break; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); break; case 'v': verbose++; break; case 'b': bashexport = 1; break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (ask_password) { printf("Password: "); if (isatty(STDIN_FILENO)) { tcgetattr(STDIN_FILENO, &old_term); memcpy(&tmp_term, &old_term, sizeof(old_term)); tmp_term.c_lflag &= ~(ECHO); tcsetattr(STDIN_FILENO, TCSAFLUSH, &tmp_term); } res = scanf("%254s", password); if (isatty(STDIN_FILENO)) tcsetattr(STDIN_FILENO, TCSAFLUSH, &old_term); printf("\n"); if (!res) { fprintf(stderr, gettext("%s: invalid password!\n"), progname); exit(1); } } if (argc > 1) { if(!strcmp(argv[1], "begin")) { res = rsbac_list_ta_begin(ttl, &ta_number, commit_uid, password); if(!res) { if(bashexport) printf("export RSBAC_TA=%u\n", ta_number); else printf("%u\n", ta_number); } } else if(!strcmp(argv[1], "refresh")) res = rsbac_list_ta_refresh(ttl, ta_number, password); else if(!strcmp(argv[1], "commit")) res = rsbac_list_ta_commit(ta_number, password); else if(!strcmp(argv[1], "forget")) res = rsbac_list_ta_forget(ta_number, password); else { fprintf(stderr, "Invalid command %s!\n", argv[1]); exit(1); } error_exit(res); exit(0); } else { use(); return 1; } exit(1); } 
rsbac-admin-1.4.0/main/tools/src/rc_set_item.c0000644000175000017500000007311611131371032021056 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott */ /* */ /* Last modified: 26/Sep/2007 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif /* reserve list room for so many extra items - to avoid racing problems */ #define LISTROOM 10 char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [switches] rc-target-type id item [role/type [list-of-rights]] [value]\n"), progname); printf(gettext(" %s -c TYPE target-id item source-id [first_role [last_role]],\n"), progname); printf(gettext(" -v = verbose, -p = print right names,\n")); printf(gettext(" -a = add, not set, -k = revoke, not set,\n")); printf(gettext(" -b = accept rights as bitstring,\n")); printf(gettext(" -c = copy all/given roles' rights to type from other type,\n")); printf(gettext(" -d = delete all roles' rights to this type,\n")); printf(gettext(" -i = list items and values\n")); printf(gettext(" -t = set relative time-to-live in secs (role/type comp, admin, assign only)\n")); printf(gettext(" -T = set absolute time-to-live in secs (role/type comp, admin, assign only)\n")); printf(gettext(" -D = set relative time-to-live in days (role/type comp, admin, assign only)\n")); printf(gettext(" -V version = supply RSBAC integer version number for upgrading\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" rc-target-type = ROLE or TYPE,\n")); printf(gettext(" id-nr = ROLE or TYPE number,\n")); printf(gettext(" item = entry line,\n")); printf(gettext(" role/type = for this type only (role/type comp, admin, assign 
only),\n")); printf(gettext(" right = request name or number (type_comp items only),\n")); printf(gettext(" also special rights and groups R (read requests),\n")); printf(gettext(" RW (read-write), SY (system), SE (security), A (all)\n")); exit(1); } int main(int argc, char ** argv) { int res = 0; enum rsbac_adf_request_t right; rsbac_rc_rights_vector_t rights_vector = 0; rsbac_time_t ttl=RSBAC_LIST_TTL_KEEP; char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN]; int i,j; rsbac_boolean_t rused = FALSE; rsbac_boolean_t wused = FALSE; enum rsbac_rc_target_t target; union rsbac_rc_target_id_t tid; union rsbac_rc_target_id_t subtid; enum rsbac_rc_item_t item; union rsbac_rc_item_value_t value; int verbose=0; int printall=0; int add=0; int revoke=0; int bitstring=0; int copy=0; int delrights=0; rsbac_version_t version=RSBAC_VERSION_NR; rsbac_list_ta_number_t ta_number = 0; progname = argv[0]; locale_init(); { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'p': printall=1; break; case 'a': add=1; break; case 'k': revoke=1; break; case 'b': bitstring=1; break; case 'c': copy=1; break; case 'd': delrights=1; break; case 't': if(argc > 2) { ttl = strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'D': if(argc > 2) { ttl = 86400 * strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'T': if(argc > 2) { rsbac_time_t now = time(NULL); ttl = strtoul(argv[2], 0, 10); if(ttl > now) { ttl -= now; argc--; argv++; } else { fprintf(stderr, gettext("%s: ttl value for parameter %c is in the past, exiting\n"), progname, *pos); exit(1); } } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, 
*pos); break; case 'i': { int role_entry_item_list[RSBAC_RC_NR_ROLE_ENTRY_ITEMS] = RSBAC_RC_ROLE_ENTRY_ITEM_LIST; int type_entry_item_list[RSBAC_RC_NR_TYPE_ENTRY_ITEMS] = RSBAC_RC_TYPE_ENTRY_ITEM_LIST; if( (argc > 2) && ((item = get_rc_item_nr(argv[2])) != RI_none) ) { get_rc_item_name(tmp1, item); get_rc_item_param(tmp2, item); printf("%s\t%s\n",tmp1,tmp2); exit(0); } printf(gettext("- items and returned values = see following list:\n")); printf("- ROLE:\n"); for (j=0;j 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if(argc < 4) { use(); return 1; } target = get_rc_target_nr(argv[1]); switch(target) { case RT_ROLE: tid.role = strtol(argv[2],0,10); break; case RT_TYPE: tid.type = strtol(argv[2],0,10); break; default: fprintf(stderr, gettext("Invalid target %s\n"), argv[1]); exit(1); } item = get_rc_item_nr(argv[3]); if(item == RI_none) { fprintf(stderr, gettext("Invalid item %s\n"), argv[3]); exit(1); } if(copy) { rsbac_rc_type_id_t s_type; rsbac_rc_type_id_t t_type; rsbac_rc_role_id_t first_role = 0; rsbac_rc_role_id_t last_role = RC_role_max_value; union rsbac_rc_target_id_t t_subtid; __u32 * role_array; int nr_roles; int tmpres = 0; if(argc < 5) { fprintf(stderr, gettext("Too few arguments with option -c\n")); exit(1); } s_type = strtoul(argv[4],0,10); if(s_type > RC_type_max_value) { fprintf(stderr, gettext("Invalid source type %u\n"), s_type); exit(1); } if(argc > 5) { first_role = strtoul(argv[5],0,10); if(first_role > RC_role_max_value) { fprintf(stderr, gettext("Invalid first role %u\n"), first_role); exit(1); } last_role = first_role; } if(argc > 6) { last_role = strtoul(argv[6],0,10); if(last_role > RC_role_max_value) { fprintf(stderr, gettext("Invalid last role %u\n"), last_role); exit(1); } } t_type 
= tid.type; if(t_type > RC_type_max_value) { fprintf(stderr, gettext("Invalid target type %u\n"), t_type); exit(1); } if(s_type == t_type) { fprintf(stderr, gettext("Source and target must differ\n")); exit(1); } switch(item) { case RI_type_comp_fd: case RI_type_fd_name: item = RI_type_comp_fd; break; case RI_type_comp_dev: case RI_type_dev_name: item = RI_type_comp_dev; break; case RI_type_comp_user: case RI_type_user_name: item = RI_type_comp_user; break; case RI_type_comp_process: case RI_type_process_name: item = RI_type_comp_process; break; case RI_type_comp_ipc: case RI_type_ipc_name: item = RI_type_comp_ipc; break; case RI_type_comp_scd: case RI_type_scd_name: item = RI_type_comp_scd; break; case RI_type_comp_group: case RI_type_group_name: item = RI_type_comp_group; break; case RI_type_comp_netdev: case RI_type_netdev_name: item = RI_type_comp_netdev; break; case RI_type_comp_nettemp: case RI_type_nettemp_name: item = RI_type_comp_nettemp; break; case RI_type_comp_netobj: case RI_type_netobj_name: item = RI_type_comp_netobj; break; default: fprintf(stderr, gettext("Invalid item %s\n"), argv[3]); exit(1); } if(verbose) { printf(gettext("Copying rights vector %s for type %u to type %u in role(s) %u to %u\n"), get_rc_item_name(tmp1, item), s_type, t_type, first_role, last_role); } subtid.type = s_type; t_subtid.type = t_type; nr_roles = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_name, 0, NULL, NULL); error_exit(nr_roles); nr_roles += LISTROOM; role_array = malloc(nr_roles * sizeof(__u32)); if(!role_array) { error_exit(-ENOMEM); } nr_roles = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_name, nr_roles, role_array, NULL); for(i=0; i last_role) ) continue; tid.role = role_array[i]; if(!(tmpres = rsbac_rc_get_item(ta_number, RT_ROLE, &tid, &subtid, item, &value, &ttl))) { if((tmpres = rsbac_rc_set_item(ta_number, RT_ROLE, &tid, &t_subtid, item, &value, ttl))) { fprintf(stderr, gettext("Changing role %u failed: %s\n"), role_array[i], get_error_name(tmp1, 
tmpres)); res = tmpres; } } else { if(errno != RSBAC_EINVALIDTARGET) { fprintf(stderr, gettext("Reading from role %u failed: %s\n"), role_array[i], get_error_name(tmp1, tmpres)); res = tmpres; } } } free(role_array); exit(res); } /* end of type rights copy */ if(delrights) { int tmpres = 0; rsbac_rc_type_id_t t_type; __u32 * role_array; int nr_roles; t_type = tid.type; if(t_type > RC_type_max_value) { fprintf(stderr, gettext("Invalid target type %u\n"), t_type); exit(1); } switch(item) { case RI_type_comp_fd: case RI_type_fd_name: item = RI_type_comp_fd; break; case RI_type_comp_dev: case RI_type_dev_name: item = RI_type_comp_dev; break; case RI_type_comp_user: case RI_type_user_name: item = RI_type_comp_dev; break; case RI_type_comp_process: case RI_type_process_name: item = RI_type_comp_process; break; case RI_type_comp_ipc: case RI_type_ipc_name: item = RI_type_comp_ipc; break; case RI_type_comp_scd: case RI_type_scd_name: item = RI_type_comp_scd; break; case RI_type_comp_group: case RI_type_group_name: item = RI_type_comp_group; break; case RI_type_comp_netdev: case RI_type_netdev_name: item = RI_type_comp_netdev; break; case RI_type_comp_nettemp: case RI_type_nettemp_name: item = RI_type_comp_nettemp; break; case RI_type_comp_netobj: case RI_type_netobj_name: item = RI_type_comp_netobj; break; default: fprintf(stderr, gettext("Invalid item %s\n"), argv[3]); exit(1); } if(verbose) { printf(gettext("Setting rights vector %s for type %u in all roles to 0\n"), get_rc_item_name(tmp1, item), t_type); } subtid.type = t_type; value.rights = 0; nr_roles = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_name, 0, NULL, NULL); error_exit(nr_roles); nr_roles += LISTROOM; role_array = malloc(nr_roles * sizeof(__u32)); if(!role_array) { error_exit(-ENOMEM); } nr_roles = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_name, nr_roles, role_array, NULL); if(verbose) { printf(gettext("%u roles\n"), nr_roles); } for(i=0; i RC_role_max_value) { fprintf(stderr, gettext("Invalid role 
%u!\n"), subtid.role); exit(1); } #endif value.comp = strtol(argv[5],0,10); } else { fprintf(stderr, gettext("Invalid number of arguments for item %s!\n"), get_rc_item_name(tmp1, item)); exit(1); } break; case RI_def_fd_ind_create_type: if(argc==6) { subtid.type = strtoul(argv[4],0,10); if(subtid.type > RC_type_max_value) { fprintf(stderr, gettext("Invalid type %u!\n"), subtid.type); exit(1); } value.type_id = strtoul(argv[5],0,10); } else { fprintf(stderr, gettext("Invalid number of arguments for item %s!\n"), get_rc_item_name(tmp1, item)); exit(1); } break; case RI_def_fd_ind_create_type_remove: if(argc==5) { subtid.type = strtoul(argv[4],0,10); if(subtid.type > RC_type_max_value) { fprintf(stderr, gettext("Invalid type %u!\n"), subtid.type); exit(1); } } else { fprintf(stderr, gettext("Invalid number of arguments for item %s!\n"), get_rc_item_name(tmp1, item)); exit(1); } break; case RI_type_comp_fd: case RI_type_comp_dev: case RI_type_comp_user: case RI_type_comp_process: case RI_type_comp_ipc: case RI_type_comp_scd: case RI_type_comp_group: case RI_type_comp_netdev: case RI_type_comp_nettemp: case RI_type_comp_netobj: if(argc<5) { fprintf(stderr, gettext("parameter comp_type missing\n")); exit(1); } subtid.type = strtoul(argv[4],0,10); if(subtid.type > RC_type_max_value) { fprintf(stderr, gettext("invalid subtid.type %s\n"), argv[4]); exit(1); } if(add || revoke) res = rsbac_rc_get_item(ta_number, target, &tid, &subtid, item, &value, NULL); error_exit(res); if(bitstring) { if(argc > 5) { if(strlen(argv[5]) != RCR_NONE) { fprintf(stderr, gettext("Invalid bitstring length %u, must be %u!\n"), strlen(argv[5]), RCR_NONE); exit(1); } } else { fprintf(stderr, gettext("No bitstring given!\n")); exit(1); } strtou64rcr(argv[5], &rights_vector); argv++; argc--; } else for(i=5; i= R_NONE) && (right < RSBAC_RC_SPECIAL_RIGHT_BASE) ) || (right >= RCR_NONE) || ( (right == 0) && strcmp(argv[i],"0") ) ) { if(!strcmp(argv[i],"W")) { rights_vector |= RSBAC_WRITE_REQUEST_VECTOR; 
wused = TRUE; } else if(!strcmp(argv[i],"RW")) { rights_vector |= RSBAC_READ_WRITE_REQUEST_VECTOR; } else if(!strcmp(argv[i],"SY")) { rights_vector |= RSBAC_SYSTEM_REQUEST_VECTOR; } else if(!strcmp(argv[i],"SE")) { rights_vector |= RSBAC_SECURITY_REQUEST_VECTOR; } else if(!strcmp(argv[i],"S")) { rights_vector |= RSBAC_RC_SPECIAL_RIGHTS_VECTOR; } else if(!strcmp(argv[i],"R")) { rights_vector |= RSBAC_READ_REQUEST_VECTOR; rused = TRUE; } else if(!strcmp(argv[i],"UA")) { rights_vector &= RSBAC_RC_SPECIAL_RIGHTS_VECTOR; } else if(!strcmp(argv[i],"A")) { rights_vector |= RSBAC_ALL_REQUEST_VECTOR; } else if(!strcmp(argv[i],"NWS")) { rights_vector |= RSBAC_NWS_REQUEST_VECTOR; } else if(!strcmp(argv[i],"NWR")) { rights_vector |= RSBAC_NWR_REQUEST_VECTOR; rused = TRUE; } else if(!strcmp(argv[i],"NWW")) { rights_vector |= RSBAC_NWW_REQUEST_VECTOR; wused = TRUE; } else if(!strcmp(argv[i],"NWC")) { rights_vector |= RSBAC_NWC_REQUEST_VECTOR; } else if(!strcmp(argv[i],"NWE")) { rights_vector |= RSBAC_NWE_REQUEST_VECTOR; } else if(!strcmp(argv[i],"NWA")) { rights_vector |= RSBAC_NWA_REQUEST_VECTOR; } else if(!strcmp(argv[i],"NWF")) { rights_vector |= RSBAC_NWF_REQUEST_VECTOR; } else if(!strcmp(argv[i],"NWM")) { rights_vector |= RSBAC_NWM_REQUEST_VECTOR; } else { /* end of rights */ break; } } } else { rights_vector |= RSBAC_RC_RIGHTS_VECTOR(right); } } if(printall) { for (i=0; i= RSBAC_RC_NAME_LEN) { fprintf(stderr, gettext("Name string too long\n")); exit(1); } strcpy(value.name, argv[4]); break; case RI_admin_type: if(argc<5) { fprintf(stderr, gettext("parameter admin_type missing\n")); exit(1); } value.admin_type = get_rc_admin_nr(argv[4]); if(value.admin_type == RC_none) value.admin_type = strtol(argv[4],0,10); break; case RI_boot_role: if(argc<5) { fprintf(stderr, gettext("parameter boot_role missing\n")); exit(1); } value.boot_role = strtol(argv[4],0,10); break; case RI_req_reauth: if(argc<5) { fprintf(stderr, gettext("parameter req_reauth missing\n")); exit(1); } 
value.req_reauth = strtol(argv[4],0,10); break; default: if(argc>4) value.u_dummy = strtoul(argv[4],0,10); else value.dummy = -1; } res = rsbac_rc_set_item(ta_number, target, &tid, &subtid, item, &value, ttl); error_exit(res); exit(0); } rsbac-admin-1.4.0/main/tools/src/acl_mask.c0000644000175000017500000006310611131371033020332 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 26/Feb/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif #define MASK_PROG "acl_mask" #define ROOM 10 int verbose=0; int recurse=0; int printall=0; int backup=0; int alluser = 0; int numdev = 0; int alldev = 0; rsbac_version_t version=RSBAC_VERSION_NR; rsbac_list_ta_number_t ta_number = 0; union rsbac_attribute_value_t value; enum rsbac_target_t target; char * target_n; enum rsbac_attribute_t attr; char * progname; rsbac_acl_rights_vector_t rights_vector; rsbac_boolean_t set = FALSE; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [switches] [rights] target-type file/dirname(s)\n"), progname); printf(gettext(" -v = verbose, -r = recurse into subdirs,\n")); printf(gettext(" -p = print right names, -s = set mask, not get\n")); printf(gettext(" -b = backup mode, -n = list valid SCD names\n")); printf(gettext(" -d = numeric device specification ({b|c}major[:minor])\n")); printf(gettext(" -D = process all existing device masks,\n")); printf(gettext(" -V version = supply RSBAC integer version number for upgrading\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" rights = list of space-separated right names (requests and ACL specials),\n")); 
printf(gettext(" also request groups R (read requests), RW (read-write),\n")); printf(gettext(" SY (system), SE (security), A (all)\n")); printf(gettext(" S (ACL special rights)\n")); printf(gettext(" and NWx with x = S R W C E A F M (similar to well-known network system)\n")); printf(gettext(" target-type = FILE, DIR, FIFO, SYMLINK, DEV, SCD, NETDEV,\n")); printf(gettext(" NETTEMP_NT, NETTEMP, NETOBJ or FD\n")); printf(gettext(" (FD: let %s decide between FILE, DIR, FIFO and SYMLINK, no DEV),\n"), progname); } int process(char * name, struct rsbac_dev_desc_t * desc_p, rsbac_uid_t uid) { int res = 0; char tmp1[RSBAC_MAXNAMELEN]; char tmp2[RSBAC_MAXNAMELEN]; rsbac_acl_rights_vector_t def_mask; struct stat buf; struct rsbac_acl_syscall_arg_t arg; struct rsbac_acl_syscall_n_arg_t arg_n; if(name && !strcmp(name,":DEFAULT:")) { def_mask = 0; switch(target) { case T_FILE: case T_DIR: case T_FIFO: case T_SYMLINK: case T_FD: arg_n.name = NULL; break; case T_DEV: if(numdev) arg.tid.dev = RSBAC_ZERO_DEV_DESC; else arg_n.name = NULL; break; case T_IPC: arg.tid.ipc.type = I_none; break; case T_SCD: arg.tid.scd = AST_none; break; case T_USER: arg.tid.user = RSBAC_NO_USER; break; case T_PROCESS: arg.tid.process = 0; break; case T_GROUP: arg.tid.group = RSBAC_NO_GROUP; break; case T_NETDEV: arg.tid.netdev[0] = 0; break; case T_NETTEMP_NT: arg.tid.nettemp = 0; break; case T_NETOBJ: arg.tid.netobj.sock_p = NULL; arg.tid.netobj.local_addr = NULL; arg.tid.netobj.local_len = 0; arg.tid.netobj.remote_addr = NULL; arg.tid.netobj.remote_len = 0; break; default: fprintf(stderr, gettext("Invalid target %u for %s, skipped!\n"), target, name); return(1); } } else { switch(target) { case T_FILE: case T_DIR: case T_FIFO: case T_SYMLINK: case T_FD: arg_n.name = name; def_mask = RSBAC_ACL_DEFAULT_FD_MASK; break; case T_DEV: if(numdev) { if(desc_p) arg.tid.dev = *desc_p; else if(strtodevdesc(name, &arg.tid.dev)) { fprintf(stderr, gettext("%s is no valid device specification, skipped\n"), name); 
return(1); } } else arg_n.name = name; def_mask = RSBAC_ACL_DEFAULT_DEV_MASK; break; case T_SCD: arg.tid.scd = get_acl_scd_type_nr(name); if((arg.tid.scd == ST_none) || (arg.tid.scd == AST_none)) { fprintf(stderr, gettext("%s is no valid SCD name, skipped\n"), name); return(1); } def_mask = RSBAC_ACL_DEFAULT_SCD_MASK; break; case T_USER: if(name && rsbac_get_uid(ta_number, &uid, name)) { fprintf(stderr, gettext("%s: Invalid User %s!\n"), progname, name); exit(1); } else arg.tid.user = uid; def_mask = RSBAC_ACL_DEFAULT_U_MASK; break; case T_GROUP: if(rsbac_get_gid(ta_number, &arg.tid.group, name)) { fprintf(stderr, gettext("%s: Invalid Group %s!\n"), progname, name); exit(1); } def_mask = RSBAC_ACL_DEFAULT_G_MASK; break; case T_NETDEV: strncpy((char *)arg.tid.netdev, name, RSBAC_IFNAMSIZ); arg.tid.netdev[RSBAC_IFNAMSIZ] = 0; def_mask = RSBAC_ACL_DEFAULT_NETDEV_MASK; break; case T_NETTEMP_NT: arg.tid.nettemp = strtoul(name, 0, 10); def_mask = RSBAC_ACL_DEFAULT_NETTEMP_MASK; break; case T_NETTEMP: arg.tid.nettemp = strtoul(name, 0, 10); def_mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK; break; case T_NETOBJ: arg.tid.netobj.sock_p = (void *) strtoul(name, 0, 0); arg.tid.netobj.remote_addr = NULL; arg.tid.netobj.remote_len = 0; def_mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK; break; default: fprintf(stderr, gettext("Invalid target %u for %s, skipped!\n"), target, name); def_mask = 0; return(1); } } if(verbose) { if(name) printf(gettext("# Processing %s '%s'\n"), target_n, name); else if(desc_p) printf(gettext("# Processing %s '%s'\n"), target_n, devdesctostr(tmp1, *desc_p)); } if(set) { switch(target) { case T_FILE: case T_DIR: case T_FIFO: case T_SYMLINK: case T_FD: arg_n.target = target; arg_n.rights = rights_vector; res = rsbac_acl_n(ta_number, ACLC_set_mask, &arg_n); break; case T_DEV: if(!numdev) { arg_n.target = target; arg_n.rights = rights_vector; res = rsbac_acl_n(ta_number, ACLC_set_mask, &arg_n); break; } /* fall through */ default: arg.target = target; arg.rights = 
rights_vector; res = rsbac_acl(ta_number, ACLC_set_mask, &arg); } } else { switch(target) { case T_FILE: case T_DIR: case T_FIFO: case T_SYMLINK: case T_FD: res = rsbac_acl_get_mask_n(ta_number, target, name, &rights_vector); break; case T_DEV: if(numdev) res = rsbac_acl_get_mask(ta_number, target, &arg.tid, &rights_vector); else res = rsbac_acl_get_mask_n(ta_number, target, name, &rights_vector); break; default: res = rsbac_acl_get_mask(ta_number, target, &arg.tid, &rights_vector); } } if(res) { if( verbose || (errno != RSBAC_EINVALIDTARGET) ) { get_error_name(tmp1,res); if(name) fprintf(stderr, gettext("%s: error: %s\n"), name, tmp1); else fprintf(stderr, gettext("%s: error: %s\n"), devdesctostr(tmp2, *desc_p), tmp1); } goto do_recurse; } if(!set) { if(backup) { if(rights_vector != def_mask) { printf("%s -V %u -sv%c", MASK_PROG, RSBAC_VERSION_NR, numdev ? 'd' : ' '); if(printall) { int i; for (i=0; id_name)) && (strcmp("..",dirent_p->d_name)) ) { strcpy(name2,name); strcat(name2,"/"); strcat(name2,dirent_p->d_name); process(name2, NULL, RSBAC_NO_USER); } } closedir(dir_stream_p); } return(0); } int main(int argc, char ** argv) { int res = 0; int i; enum rsbac_acl_special_rights_t right; rsbac_boolean_t rused = FALSE; rsbac_boolean_t wused = FALSE; char none_name[] = "FD"; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'r': recurse=1; break; case 's': set = TRUE; break; case 'p': printall=1; break; case 'b': backup=1; break; case 'a': alluser=1; break; case 'd': numdev=1; break; case 'D': alldev=1; numdev=1; break; case 'n': { char tmp[RSBAC_MAXNAMELEN]; for(i=0; i 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } 
break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc > 1 || alluser || alldev) { while(argc > 2) { if(strlen(argv[1]) == ACLR_NONE) { int j; rsbac_acl_rights_vector_t tmp_rv; for(j=0; j= R_NONE) && (right < RSBAC_ACL_SPECIAL_RIGHT_BASE) ) || (right >= ACLR_NONE) || ( (right == 0) && strcmp(argv[1],"0") ) ) { if(!strcmp(argv[1],"UA")) { rights_vector &= RSBAC_ACL_SPECIAL_RIGHTS_VECTOR; } else if(!strcmp(argv[1],"RW")) { rights_vector |= RSBAC_READ_WRITE_REQUEST_VECTOR; } else if(!strcmp(argv[1],"SY")) { rights_vector |= RSBAC_SYSTEM_REQUEST_VECTOR; } else if(!strcmp(argv[1],"SE")) { rights_vector |= RSBAC_SECURITY_REQUEST_VECTOR; } else if(!strcmp(argv[1],"S")) { rights_vector |= RSBAC_ACL_SPECIAL_RIGHTS_VECTOR; } else if(!strcmp(argv[1],"R")) { rights_vector |= RSBAC_READ_REQUEST_VECTOR; rused = TRUE; } else if(!strcmp(argv[1],"W")) { rights_vector |= RSBAC_WRITE_REQUEST_VECTOR; wused = TRUE; } else if(!strcmp(argv[1],"A")) { rights_vector |= RSBAC_ALL_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWS")) { rights_vector |= RSBAC_NWS_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWR")) { rights_vector |= RSBAC_NWR_REQUEST_VECTOR; rused = TRUE; } else if(!strcmp(argv[1],"NWW")) { rights_vector |= RSBAC_NWW_REQUEST_VECTOR; wused = TRUE; } else if(!strcmp(argv[1],"NWC")) { rights_vector |= RSBAC_NWC_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWE")) { rights_vector |= RSBAC_NWE_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWA")) { rights_vector |= RSBAC_NWA_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWF")) { rights_vector |= RSBAC_NWF_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWM")) { rights_vector |= RSBAC_NWM_REQUEST_VECTOR; } else { /* end of rights */ break; } } } else { rights_vector |= ((rsbac_acl_rights_vector_t) 1 << right); } argv++; argc--; } if(rused && wused) { rights_vector |= RSBAC_READ_WRITE_OPEN_REQUEST_VECTOR; } target = get_target_nr(argv[1]); target_n = argv[1]; /* trim 
rights_vector for target */ switch(target) { case T_DIR: case T_FILE: case T_FIFO: case T_SYMLINK: case T_FD: argv++; argc--; rights_vector &= (RSBAC_ALL_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; case T_DEV: argv++; argc--; rights_vector &= (RSBAC_ALL_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; case T_IPC: argv++; argc--; rights_vector &= (RSBAC_IPC_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; case T_SCD: argv++; argc--; rights_vector &= (RSBAC_SCD_REQUEST_VECTOR | RSBAC_NONE_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; case T_USER: argv++; argc--; rights_vector &= (RSBAC_ACL_USER_RIGHTS_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; case T_GROUP: argv++; argc--; rights_vector &= (RSBAC_ACL_GROUP_RIGHTS_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; case T_PROCESS: argv++; argc--; rights_vector &= (RSBAC_PROCESS_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; case T_NETDEV: argv++; argc--; rights_vector &= (RSBAC_NETDEV_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; case T_NETTEMP_NT: argv++; argc--; rights_vector &= (RSBAC_NETTEMP_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; case T_NETTEMP: case T_NETOBJ: argv++; argc--; rights_vector &= (RSBAC_NETOBJ_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; case T_NONE: if(!alldev) fprintf(stderr, "%s: No target type given, assuming FD\n", progname); target = T_FD; target_n = none_name; rights_vector &= (RSBAC_ALL_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; default: fprintf(stderr, gettext("%s: Invalid target type %s\n"), progname, argv[1]); exit(1); } if(verbose) { char tmp1[RSBAC_MAXNAMELEN]; if(set) { printf(gettext("Set mask: %s\n"), u64tostracl(tmp1, rights_vector)); if(printall) { int i; for (i=0; i1) printf(gettext("\n# %s: %i targets\n\n"), progname, argc - 1); if(target == T_USER && alluser) { int count; rsbac_uid_t * id_array; if(verbose) printf(gettext("# %s: processing all users\n"), 
progname); count = rsbac_acl_list_all_user(ta_number, NULL, 0); error_exit(count); if(!count) exit(0); count += ROOM; id_array = malloc(count * sizeof(*id_array)); if(!id_array) error_exit(-ENOMEM); count = rsbac_acl_list_all_user(ta_number, id_array, count); error_exit(count); if(verbose) printf(gettext("# %s: %i targets\n"), progname, count); if(count > 0) { char tmp[RSBAC_MAXNAMELEN]; qsort(id_array, count, sizeof(*id_array), rsbac_user_compare); target = T_USER; target_n = "USER"; for(i=0; i < count ; i++) { if(get_user_name(ta_number, id_array[i], tmp)) process(tmp, NULL, id_array[i]); else process(NULL, NULL, id_array[i]); } } free(id_array); } else if(alldev) { int count; struct rsbac_dev_desc_t * id_array; if(verbose) printf(gettext("# %s: processing all devices\n"), progname); count = rsbac_acl_list_all_dev(ta_number, NULL, 0); error_exit(count); if(!count) exit(0); if(verbose) printf(gettext("# %s: %i targets\n"), progname, count); count += ROOM; id_array = malloc(count * sizeof(*id_array)); if(!id_array) error_exit(-ENOMEM); count = rsbac_acl_list_all_dev(ta_number, id_array, count); if(count > 0) { qsort(id_array, count, sizeof(*id_array), rsbac_dev_compare); target = T_DEV; target_n = "DEV"; for(i=0; i < count ; i++) process(NULL, &id_array[i], RSBAC_NO_USER); } free(id_array); } else for (i=1;i < (argc);i++) { process(argv[i], NULL, RSBAC_NO_USER); } } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/attr_back_user.c0000644000175000017500000004425711131371032021555 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 04/Sep/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif #define ROOM 
10 const char set_prog[] = "attr_set_user"; __s64 attr_list[RSBAC_USER_NR_ATTRIBUTES] = RSBAC_USER_ATTR_LIST; int alluser = 0; int verbose = 0; int printall = 0; int numeric = 0; rsbac_um_set_t vset = RSBAC_UM_VIRTUAL_ALL; rsbac_list_ta_number_t ta_number = 0; FILE * tfile; char * filename = NULL; union rsbac_target_id_t tid; union rsbac_attribute_value_t value; rsbac_res_array_t res_min_def; rsbac_res_array_t res_max_def; rsbac_boolean_t res_usable = FALSE; char * progname; int def_attr[RSBAC_USER_NR_ATTRIBUTES] = { 0, /* pseudo */ 0, /* log_user_based */ SL_unclassified, /* security_level */ SL_unclassified, /* initial_security_level */ SL_unclassified, /* min_security_level */ RSBAC_MAC_DEF_CAT_VECTOR, /* mac_categories */ RSBAC_MAC_DEF_CAT_VECTOR, /* mac_initial_categories */ RSBAC_MAC_MIN_CAT_VECTOR, /* mac_min_categories */ SR_user, /* mac_role */ RSBAC_MAC_DEF_U_FLAGS, /* mac_user_flags */ SR_user, /* daz_role */ SR_user, /* ff_role */ SR_user, /* auth_role */ 0, /* pm_task_set */ PR_user, /* pm_role */ RSBAC_RC_GENERAL_ROLE, /* rc_def_role */ RSBAC_RC_GENERAL_TYPE, /* rc_type */ 0, /* min_caps */ (__u32) -1, /* max_caps */ SR_user, /* cap_role */ LD_keep, /* cap_ld_env */ SR_user, /* jail_role */ SR_user, /* res_role */ SR_user, /* pax_role */ }; void use() { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [flags] [username(s)]\n"), progname); printf(gettext(" -a = process all users, -v = verbose,\n")); printf(gettext(" -p = print requests, -n = show numeric uid not username,\n")); printf(gettext(" -o target-file = write to file, not stdout,\n")); printf(gettext(" -A = list attributes and values,\n")); printf(gettext(" -S n = virtual user set n\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); } int process(rsbac_uid_t user, char * name) { int res = 0; char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN]; char intname[RSBAC_MAXNAMELEN]; int j; tid.user = user; if(verbose) { 
if(name) printf(gettext("# Processing user %s\n"), name); else { if (RSBAC_UID_SET(user)) printf(gettext("# Processing user %u/%u\n"), RSBAC_UID_SET(user), RSBAC_UID_NUM(user)); else printf(gettext("# Processing user %u\n"), RSBAC_UID_NUM(user)); } } if(numeric || !name) { if (RSBAC_UID_SET(user)) sprintf(intname, "%u/%u", RSBAC_UID_SET(user), RSBAC_UID_NUM(user)); else sprintf(intname, "%u", RSBAC_UID_NUM(user)); } else strcpy(intname,name); for (j=0;j < RSBAC_USER_NR_ATTRIBUTES;j++) { value.dummy = -1; res = rsbac_get_attr(ta_number, get_attr_module(attr_list[j]), T_USER, &tid, attr_list[j], &value, 0); if(res) { if( (errno != RSBAC_EINVALIDMODULE) && ( verbose || (errno != RSBAC_EINVALIDTARGET) ) ) { get_error_name(tmp1,res); get_attribute_name(tmp2,attr_list[j]); fprintf(stderr, "%s (%s): %s\n", intname, tmp2, tmp1); } } else { switch(attr_list[j]) { case A_rc_def_role: if(value.rc_role != def_attr[j]) fprintf(tfile, "%s -V %u %s %s %u\n", set_prog, RSBAC_VERSION_NR, intname, get_attribute_name(tmp1,attr_list[j]), value.rc_role); break; case A_security_level: case A_initial_security_level: case A_min_security_level: case A_mac_role: case A_mac_user_flags: case A_pm_role: case A_daz_role: case A_ff_role: case A_auth_role: case A_cap_role: case A_jail_role: case A_res_role: case A_pax_role: case A_cap_ld_env: if(value.u_char_dummy != def_attr[j]) fprintf(tfile, "%s -V %u %s %s %u\n", set_prog, RSBAC_VERSION_NR, intname, get_attribute_name(tmp1,attr_list[j]), value.u_char_dummy); break; case A_log_user_based: if (value.log_user_based & RSBAC_ALL_REQUEST_VECTOR) fprintf(tfile, "%s -V %u %s %s %s\n", set_prog, RSBAC_VERSION_NR, intname, get_attribute_name(tmp1,attr_list[j]), u64tostrlog(tmp2,value.log_user_based)); break; case A_max_caps: case A_min_caps: if ((value.max_caps.cap[0] != def_attr[j]) || (value.max_caps.cap[1] != def_attr[j])) { if (printall) { int i; fprintf(tfile, "%s -V %u %s %s", set_prog, RSBAC_VERSION_NR, intname, 
get_attribute_name(tmp1,attr_list[j])); for (i=0; i<32; i++) if(value.min_caps.cap[0] & ((__u32) 1 << i)) fprintf(tfile, " %s", get_cap_name(tmp1,i)); for (i=32; i 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'p': printall=1; break; case 'a': alluser=1; break; case 'n': numeric=1; break; case 'o': if(argc > 2) { filename = argv[2]; argv++; argc--; } else fprintf(stderr, gettext("%s: missing filename for parameter o\n"), progname); break; case 'T': if(argc > 2) { filelistname = argv[2]; argv++; argc--; } else fprintf(stderr, gettext("%s: missing filename for parameter %c\n"), progname, *pos); break; case 'A': printf(gettext("- attributes and values in backup = see following list:\n")); for (j=0;j 2) { if (rsbac_get_vset_num(argv[2], &vset)) { fprintf(stderr, gettext("%s: invalid virtual set number for parameter %c\n"), progname, *pos); exit(1); } argc--; argv++; } else { fprintf(stderr, gettext("%s: missing virtual set number for parameter %c\n"), progname, *pos); exit(1); } break; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if ( (argc > 1) || (alluser) || filelistname ) { if(!filename) tfile = stdout; else { if (!(tfile=fopen(filename,"w"))) { fprintf(stderr, gettext("opening target file returned error: %s\n"), strerror(errno)); } } tid.user = RSBAC_ALL_USERS; res = rsbac_get_attr(ta_number, SW_RES, T_USER, &tid, A_res_min, &value, 0); if(!res) { for(i=0; i<= RSBAC_RES_MAX; i++) { res_min_def[i] = value.res_array[i]; if( alluser && res_min_def[i] ) fprintf(tfile, "%s -V %u %u res_min %s %u\n", set_prog, RSBAC_VERSION_NR, RSBAC_ALL_USERS, get_res_name(tmp1, i), res_min_def[i]); } res = 
rsbac_get_attr(ta_number, SW_RES, T_USER, &tid, A_res_max, &value, 0); if(!res) { for(i=0; i<= RSBAC_RES_MAX; i++) { res_max_def[i] = value.res_array[i]; if( alluser && res_max_def[i] ) fprintf(tfile, "%s -V %u %u res_max %s %u\n", set_prog, RSBAC_VERSION_NR, RSBAC_ALL_USERS, get_res_name(tmp1, i), res_max_def[i]); } res_usable = TRUE; } } if(alluser) { int count; rsbac_uid_t * id_array; if(verbose) printf(gettext("# %s: processing all users\n"), progname); count = rsbac_list_all_user(ta_number, NULL, 0); error_exit(count); count += ROOM; id_array = malloc(count * sizeof(*id_array)); if(!id_array) error_exit(-ENOMEM); count = rsbac_list_all_user(ta_number, id_array, count); if(verbose) printf(gettext("# %s: %i targets\n"), progname, count); if(count > 0) { qsort(id_array, count, sizeof(*id_array), rsbac_user_compare); for(i=0; i < count ; i++) { if ( (vset == RSBAC_UM_VIRTUAL_ALL) || (vset == RSBAC_UID_SET(id_array[i])) ) { if(get_user_name(ta_number, id_array[i], tmp1)) process(id_array[i], tmp1); else process(id_array[i], NULL); } } } } else { if(filelistname) { if(!strcmp(filelistname, "-")) listfile = stdin; else if (!(listfile=fopen(filelistname,"r"))) { fprintf(stderr, gettext("opening target list file returned error: %s\n"), strerror(errno)); exit(1); } } if(verbose) { printf(gettext("# %s: %i targets\n"), progname, argc - 2); if(filelistname) printf(gettext("# - plus targets from file %s\n"), filelistname); } for (i=1;i < argc;i++) { if(rsbac_get_uid_name(ta_number, &user, tmp1, argv[i])) { fprintf(stderr, gettext("%s: Invalid User %s!\n"), progname, argv[i]); } else process(user, tmp1); } if(filelistname) { char item[4096]; char * pos; int last; pos = item; while(fgets(item, 4095, listfile)) { if(!*item) continue; last = strlen(item) - 1; if(item[last] == '\n') item[last] = 0; if(*item) { if(rsbac_get_uid_name(ta_number, &user, tmp1, item)) { fprintf(stderr, gettext("%s: Invalid User %s!\n"), progname, item); } else process(user, tmp1); } } 
fclose(listfile); } } if(tfile != stdout) fclose(tfile); } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/rsbac_groupmod.c0000644000175000017500000002411611131371032021563 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 25/Feb/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; char password[RSBAC_MAXNAMELEN] = ""; rsbac_um_set_t vset = RSBAC_UM_VIRTUAL_KEEP; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [flags] groupname\n"), progname); printf(gettext(" -p password = password in plaintext,\n")); printf(gettext(" -P = disable password,\n")); printf(gettext(" -Q password = encrypted password (from backup),\n")); printf(gettext(" -g name = change groupname,\n")); printf(gettext(" -t = set relative time-to-live in secs (role/type comp, admin, assign only)\n")); printf(gettext(" -T = set absolute time-to-live in secs (role/type comp, admin, assign only)\n")); printf(gettext(" -D = set relative time-to-live in days (role/type comp, admin, assign only)\n")); printf(gettext(" -S n = virtual user set n\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); } int password_read(char * to, char * from) { char * f = from; char * t = to; char tmp[3]; int i; if(strlen(from) != RSBAC_UM_PASS_LEN * 2) { fprintf(stderr, "Wrong encrypted password length!\n"); return -RSBAC_EINVALIDVALUE; } tmp[2] = 0; while(f[0] && f[1]) { tmp[0] = f[0]; tmp[1] = f[1]; i = strtoul(tmp, 0, 16); if(i < 0 || i > 255) return -RSBAC_EINVALIDVALUE; *t = i; t++; f += 2; } return 0; } void mod_show_error(int res, char * item) { if(res < 0) { char tmp1[80]; 
fprintf(stderr, "%s: %s\n", item, get_error_name(tmp1,res)); } } int main(int argc, char ** argv) { int res = 0; rsbac_gid_t group; int verbose = 0; int err; union rsbac_um_mod_data_t data; int do_pass = 0; char * pass = NULL; char * crypt_pass = NULL; char * name = NULL; int do_ttl = 0; rsbac_time_t ttl = 0; rsbac_list_ta_number_t ta_number = 0; int i; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'p': if(argc > 2) { pass=argv[2]; do_pass = 1; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'P': pass = NULL; do_pass = 1; break; case 'Q': if(argc > 2) { err = password_read(password, argv[2]); error_exit(err); crypt_pass = password; do_pass = 1; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'g': if(argc > 2) { name=argv[2]; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 't': if(argc > 2) { ttl = strtoul(argv[2], 0, 10); do_ttl = 1; argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'D': if(argc > 2) { ttl = 86400 * strtoul(argv[2], 0, 10); do_ttl = 1; argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'T': if(argc > 2) { rsbac_time_t now = time(NULL); ttl = strtoul(argv[2], 0, 10); if(ttl > now) { ttl -= now; do_ttl = 1; argc--; argv++; } else { fprintf(stderr, gettext("%s: ttl value for parameter %c is in the past, exiting\n"), progname, *pos); exit(1); } } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'N': if(argc > 2) { ta_number = 
strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; case 'S': if(argc > 2) { if (rsbac_get_vset_num(argv[2], &vset)) { fprintf(stderr, gettext("%s: invalid virtual set number for parameter %c\n"), progname, *pos); exit(1); } group = RSBAC_GEN_GID(vset, group); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing virtual set number for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc > 1) { for(i=1; i< argc; i++) { rsbac_gid_t group = RSBAC_GEN_GID(vset, RSBAC_NO_GROUP); if(rsbac_um_get_gid(ta_number, argv[i], &group)) { char * tmp_name = argv[i]; char * p = tmp_name; rsbac_um_set_t tmp_vset = vset; while (*p && (*p != '/')) p++; if (*p) { *p = 0; if (rsbac_get_vset_num(tmp_name, &tmp_vset)) { fprintf(stderr, gettext("%s: invalid virtual set number %s, skipping\n"), tmp_name); continue; } *p = '/'; p++; tmp_name = p; } group = strtoul(tmp_name, NULL, 0); if(!group && strcmp(tmp_name,"0")) { fprintf(stderr, gettext("%s: Unknown group %s\n"), progname, argv[i]); return 1; } group = RSBAC_GEN_GID(tmp_vset, group); } group = RSBAC_GEN_GID(vset, RSBAC_GID_NUM(group)); res = rsbac_um_get_group_item(ta_number, group, UM_name, &data); if(res) { fprintf(stderr, gettext("%s: Unknown group %s\n"), progname, argv[i]); exit(1); } if(do_pass) { if(crypt_pass) { memcpy(data.string, crypt_pass, RSBAC_UM_PASS_LEN); memset(crypt_pass, 0, RSBAC_UM_PASS_LEN); res = rsbac_um_mod_group(ta_number, group, UM_cryptpass, &data); memset(&data, 0, sizeof(data)); } else if(pass) { strncpy(data.string, pass, RSBAC_MAXNAMELEN); data.string[RSBAC_MAXNAMELEN - 1] = 0; memset(pass, 0, strlen(pass)); res = rsbac_um_mod_group(ta_number, group, UM_pass, &data); memset(&data, 0, sizeof(data)); } else res = rsbac_um_mod_group(ta_number, group, 
UM_pass, NULL); mod_show_error(res, "Password"); } if(name) { strncpy(data.string, name, RSBAC_MAXNAMELEN); data.string[RSBAC_MAXNAMELEN - 1] = 0; res = rsbac_um_mod_group(ta_number, group, UM_name, &data); mod_show_error(res, "Groupname"); } if(do_ttl) { data.ttl = ttl; res = rsbac_um_mod_group(ta_number, group, UM_ttl, &data); mod_show_error(res, "TTL"); } } exit(0); } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/attr_get_up.c0000644000175000017500000001623211131371033021073 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 25/Feb/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [switches] module target-type attribute user(s)/proc-no.\n\n"), progname); printf(gettext(" -a = list attributes and values\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" module = GEN, MAC, FC, SIM, PM, MS, FF, RC or AUTH\n")); printf(gettext(" target-type = USER or PROCESS,\n")); } int main(int argc, char ** argv) { int res = 0; char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN]; int i; int id; enum rsbac_switch_target_t module = SW_NONE; union rsbac_attribute_value_t value; enum rsbac_target_t target; union rsbac_target_id_t tid; enum rsbac_attribute_t attr; int inherit = 0; rsbac_list_ta_number_t ta_number = 0; progname = argv[0]; locale_init(); { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'e': inherit=1; break; case 'a': case 'A': 
{ int u_attr_list[RSBAC_USER_NR_ATTRIBUTES] = RSBAC_USER_ATTR_LIST; int p_attr_list[RSBAC_PROCESS_NR_ATTRIBUTES] = RSBAC_PROCESS_ATTR_LIST; char tmp3[RSBAC_MAXNAMELEN]; if( (argc > 2) && ((attr = get_attribute_nr(argv[2])) != A_none) ) { get_switch_target_name(tmp1, get_attr_module(attr)); get_attribute_name(tmp2, attr); get_attribute_param(tmp3, attr); printf("[%-4s] %s\n\t%s\n",tmp1,tmp2,tmp3); exit(0); } printf(gettext("- attribute (string) and returned value = see following list:\n")); printf("USER:\n"); for (i=0;i 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if(argc > 1) { module = get_switch_target_nr(argv[1]); if(module != SW_NONE) { argv++; argc--; } } if (argc > 3) { printf(gettext("%s: %i targets\n\n"), progname, argc - 3); target = get_target_nr(argv[1]); if( (target != T_PROCESS) && (target != T_USER)) { fprintf(stderr, gettext("%s: Invalid Target %s!\n"), progname, argv[1]); exit(1); } attr = get_attribute_nr(argv[2]); if(attr == A_none) { fprintf(stderr, gettext("%s: Invalid Attribute %s!\n"), progname, argv[2]); exit(1); } for (i=1;i < (argc-2);i++) { value.dummy = -1; if (target == T_PROCESS) { id = strtol(argv[i+2],0,10); printf(gettext("Processing process %i, attribute %s (No. %i)\n"), id, argv[2], attr); tid.process = id; inherit = 0; } else { if(rsbac_get_uid(ta_number, &tid.user, argv[i+2])) { fprintf(stderr, gettext("Invalid user %s!\n\n"), argv[i+2]); continue; } if(RSBAC_UID_SET(tid.user)) printf(gettext("Processing user %s (uid %u/%u), attribute %s (No. %i)\n"), argv[i+2], RSBAC_UID_SET(tid.user), RSBAC_UID_NUM(tid.user), argv[2], attr); else printf(gettext("Processing user %s (uid %u), attribute %s (No. 
%i)\n"), argv[i+2], RSBAC_UID_NUM(tid.user), argv[2], attr); } res = rsbac_get_attr(ta_number, module, target, &tid, attr, &value, inherit); error_exit(res); switch(attr) { case A_mac_role: case A_pm_role: case A_daz_role: case A_ff_role: case A_pm_process_type: case A_daz_scanner: case A_rc_type: case A_rc_type_fd: case A_rc_force_role: case A_rc_role: case A_rc_def_role: case A_auth_role: case A_cap_role: case A_jail_role: case A_res_role: case A_pax_role: case A_min_caps: case A_max_caps: case A_security_level: case A_current_sec_level: case A_min_write_open: case A_max_read_open: case A_cap_process_hiding: case A_fake_root_uid: case A_cap_ld_env: printf(gettext("Returned value: %u\n"),value.u_char_dummy); break; default: printf(gettext("Returned value: %i\n"),value.dummy); } } } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/attr_set_file_dir.c0000644000175000017500000007654411131371033022254 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 04/Sep/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif #define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */ char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s module target-type file/dirname attribute [request] value\n"), progname); printf(gettext("Use: %s module target-type file/dirname attribute [position] value\n"), progname); printf(gettext("Use: %s [switches] module target-type filename log_program_based [list-of-requests]\n"), progname); printf(gettext(" -a = add, not set, -m = remove not set, -p = print resulting requests,\n")); printf(gettext(" -d = numeric device specification 
({b|c}major[:minor])\n")); printf(gettext(" -A = list attributes and values\n")); printf(gettext(" -V version = supply RSBAC integer version number for upgrading\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" module = GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH or RES\n")); printf(gettext(" target-type = FILE, DIR, FIFO, SYMLINK or DEV,\n")); } int main(int argc, char ** argv) { enum rsbac_attribute_t attr_list[RSBAC_FD_NR_ATTRIBUTES] = RSBAC_FD_ATTR_LIST; enum rsbac_attribute_t attr_list_dev[RSBAC_DEV_NR_ATTRIBUTES] = RSBAC_DEV_ATTR_LIST; int res = 0; char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN]; int j; u_int position,catval; rsbac_res_limit_t res_limit; union rsbac_attribute_value_t value,value2; enum rsbac_switch_target_t module = SW_NONE; enum rsbac_target_t target; union rsbac_target_id_t tid; enum rsbac_attribute_t attr; enum rsbac_log_level_t log_level; __u64 k; int verbose = 0; int printall = 0; int add = 0; int remove = 0; int numdev = 0; rsbac_version_t version=RSBAC_VERSION_NR; rsbac_list_ta_number_t ta_number = 0; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'p': printall=1; break; case 'a': add=1; break; case 'm': remove=1; break; case 'd': numdev=1; break; case 'n': { char tmp[80]; int i; for(i=0; i 2) && ((attr = get_attribute_nr(argv[2])) != A_none) ) { get_switch_target_name(tmp1, get_attr_module(attr)); get_attribute_name(tmp2, attr); get_attribute_param(tmp3, attr); printf("[%-4s] %s\n\t%s\n",tmp1,tmp2,tmp3); exit(0); } printf(gettext("- attribute (string) and value (integer) = see following list:\n")); printf(gettext("[GEN ] log_level (additional parameter request-type)\n\t0=none, 1=denied, 2=full, 3=request-based\n")); 
printf(gettext("[GEN ] mac_categories (with additional parameter position)\n\t0=no, 1=yes\n")); printf(gettext("- FILE, DIR, FIFO and SYMLINK:\n")); for (j=0;j 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if(argc > 1) { module = get_switch_target_nr(argv[1]); if(module != SW_NONE) { argv++; argc--; } } if( (argc>3) && !strcmp(argv[3],"log_program_based") ) { char * filename = argv[2]; rsbac_boolean_t rused = FALSE; rsbac_boolean_t wused = FALSE; enum rsbac_adf_request_t request; rsbac_request_vector_t request_vector = 0; target = get_target_nr(argv[1]); value.log_program_based = 0; argv+=3; argc-=3; if(numdev) error_exit(strtodevdesc(argv[2], &tid.dev)); if(add || remove) { if(numdev) res = rsbac_get_attr(ta_number, module, target, &tid, A_log_program_based, &value, FALSE); else res = rsbac_get_attr_n(ta_number, module, target, filename, A_log_program_based, &value, FALSE); if(res) { fprintf(stderr, "%s: %s: ", progname, filename); error_exit(res); } } while(argc > 1) { if(strlen(argv[1]) == R_NONE) { int j; rsbac_request_vector_t tmp_rv; for(j=0; j= R_NONE) || ( (request == 0) && strcmp(argv[1],"0") ) ) { if(!strcmp(argv[1],"RW")) { request_vector |= RSBAC_READ_WRITE_REQUEST_VECTOR; } else if(!strcmp(argv[1],"SY")) { request_vector |= RSBAC_SYSTEM_REQUEST_VECTOR; } else if(!strcmp(argv[1],"SE")) { request_vector |= RSBAC_SECURITY_REQUEST_VECTOR; } else if(!strcmp(argv[1],"R")) { request_vector |= RSBAC_READ_REQUEST_VECTOR; rused = TRUE; } else if(!strcmp(argv[1],"W")) { request_vector |= RSBAC_WRITE_REQUEST_VECTOR; wused = TRUE; } else if(!strcmp(argv[1],"A")) { request_vector |= RSBAC_ALL_REQUEST_VECTOR; } else if(!strcmp(argv[1],"UA")) { request_vector = 0; } else if(!strcmp(argv[1],"NWS")) { request_vector 
|= RSBAC_NWS_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWR")) { request_vector |= RSBAC_NWR_REQUEST_VECTOR; rused = TRUE; } else if(!strcmp(argv[1],"NWW")) { request_vector |= RSBAC_NWW_REQUEST_VECTOR; wused = TRUE; } else if(!strcmp(argv[1],"NWC")) { request_vector |= RSBAC_NWC_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWE")) { request_vector |= RSBAC_NWE_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWA")) { request_vector |= RSBAC_NWA_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWF")) { request_vector |= RSBAC_NWF_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWM")) { request_vector |= RSBAC_NWM_REQUEST_VECTOR; } else { /* end of requests */ break; } } } else { request_vector |= ((rsbac_request_vector_t) 1 << request); } argv++; argc--; } if(rused && wused) { request_vector |= RSBAC_READ_WRITE_OPEN_REQUEST_VECTOR; } if(remove) value.log_program_based &= ~request_vector; else value.log_program_based |= request_vector; if(printall) { int i; for (i=0; i3) && ( !strcmp(argv[3],"min_caps") || !strcmp(argv[3],"max_caps") ) ) { char * filename = argv[2]; int cap; int bitlen; rsbac_boolean_t mincalled; rsbac_cap_vector_t cap_vector; cap_vector.cap[0] = (__u32) 0; cap_vector.cap[1] = (__u32) 0; if (!strcmp(argv[3],"min_caps")) mincalled = TRUE; else mincalled = FALSE; target = get_target_nr(argv[1]); attr = get_attribute_nr(argv[3]); value.min_caps.cap[0] = (__u32) 0; value.min_caps.cap[1] = (__u32) 0; argv+=3; argc-=3; if(add || remove) { res = rsbac_get_attr_n(ta_number, module, target, filename, attr, &value, FALSE); if(res) { fprintf(stderr, "%s: %s: ", progname, filename); error_exit(res); } } while(argc > 1) { /* Bit string: Allow for backwards compatibility */ bitlen = strlen(argv[1]); if(bitlen == CAP_NONE || bitlen == CAP_NONE_OLD) { int j; rsbac_cap_vector_t tmp_cv; for(j=0; j= CAP_NONE) || ( (cap == 0) && strcmp(argv[1],"0") ) ) { if(!strcmp(argv[1],"A")) { cap_vector.cap[0] = (__u32) -1; cap_vector.cap[1] = (__u32) -1; } else if(!strcmp(argv[1],"UA")) { 
cap_vector.cap[0] = (__u32) 0; cap_vector.cap[1] = (__u32) 0; } else if(!strcmp(argv[1],"FS_MASK")) { /* one day we're going to have problem here. it only works now because all that capabilities in CAP_FS_MASK are in the lower (old) half of capabilities structure. if someday a new fs cap is added it's going to be in the upper (new) half and we will have to put some logic in here. CAP_TO_INDEX() macro will be necesary - for all bits in this vector. actualy, isn't FCAP such a one? */ cap_vector.cap[0] |= CAP_FS_MASK; } else { /* end of caps */ fprintf(stderr, "%s: Wrong CAP %s\n", progname, argv[1]); exit(1); } } else { fprintf(stderr, "%s: Wrong CAP %s\n", progname, argv[1]); exit(1); } } else { cap_vector.cap[CAP_TO_INDEX(cap)] |= ((__u32) 1 << (cap % 32)); } argv++; argc--; } if(remove) { value.min_caps.cap[0] &= ~cap_vector.cap[0]; value.min_caps.cap[1] &= ~cap_vector.cap[1]; } else { value.min_caps.cap[0] |= cap_vector.cap[0]; value.min_caps.cap[1] |= cap_vector.cap[1]; } if(printall) { int i; for (i=0; i= LL_invalid) || ( (log_level == LL_none) && strcmp(argv[5], "0")) ) { fprintf(stderr, gettext("Invalid log_level value %s\n"), argv[5]); exit(1); } } if(numdev) res = rsbac_get_attr(ta_number, module, target, &tid, A_log_array_low, &value, FALSE); else res = rsbac_get_attr_n(ta_number, module, target, argv[2], A_log_array_low, &value, FALSE); if(res) { fprintf(stderr, "%s: %s: ", progname, argv[2]); error_exit(res); } if(numdev) res = rsbac_get_attr(ta_number, module, target, &tid, A_log_array_high, &value2, FALSE); else res = rsbac_get_attr_n(ta_number, module, target, argv[2], A_log_array_high, &value2, FALSE); if(res) { fprintf(stderr, "%s: %s: ", progname, argv[2]); error_exit(res); } k = ((__u64) 1) << request; if(log_level & 1) value.log_array_low |= k; else value.log_array_low &= ~k; if(log_level & 2) value2.log_array_high |= k; else value2.log_array_high &= ~k; if(numdev) res = rsbac_set_attr(ta_number, module, target, &tid, A_log_array_low, &value); 
else res = rsbac_set_attr_n(ta_number, module, target, argv[2], A_log_array_low, &value); if(res) { fprintf(stderr, "%s: %s: ", progname, argv[2]); error_exit(res); } if(numdev) res = rsbac_set_attr(ta_number, module, target, &tid, A_log_array_high, &value2); else res = rsbac_set_attr_n(ta_number, module, target, argv[2], A_log_array_high, &value2); if(res) { fprintf(stderr, "%s: %s: ", progname, argv[2]); error_exit(res); } exit(0); } else if(!strcmp(argv[3],"mac_categories")) { target = get_target_nr(argv[1]); position = strtol(argv[4],0,10); if(position > RSBAC_MAC_MAX_CAT) { fprintf(stderr, gettext("Invalid position counter %s\n"), argv[4]); exit(1); } catval = strtol(argv[5],0,10); if(catval > 1) { fprintf(stderr, gettext("Invalid value %s\n"), argv[5]); exit(1); } if(numdev) res = rsbac_get_attr(ta_number, module, target, &tid, A_mac_categories, &value, FALSE); else res = rsbac_get_attr_n(ta_number, module, target, argv[2], A_mac_categories, &value, FALSE); if(res) { fprintf(stderr, "%s: %s: ", progname, argv[2]); error_exit(res); } k = ((__u64) 1) << position; if(catval) value.mac_categories |= k; else value.mac_categories &= ~k; if(numdev) res = rsbac_set_attr(ta_number, module, target, &tid, A_mac_categories, &value); else res = rsbac_set_attr_n(ta_number, module, target, argv[2], A_mac_categories, &value); if(res) { fprintf(stderr, "%s: %s: ", progname, argv[2]); error_exit(res); } exit(0); } else if( !strcmp(argv[3],"res_min") || !strcmp(argv[3],"res_max") ) { target = get_target_nr(argv[1]); position = get_res_nr(argv[4]); if(position == RSBAC_RES_NONE) { position = strtol(argv[4],0,10); if( (!position && strcmp(argv[4], "0")) || (position > RSBAC_RES_MAX) ) { fprintf(stderr, gettext("Invalid position counter %s\n"), argv[4]); exit(1); } } res_limit = strtoul(argv[5],0,10); if(!strcmp(argv[3],"res_min")) attr = A_res_min; else attr = A_res_max; res = rsbac_get_attr_n(ta_number, module, target, argv[2], attr, &value, FALSE); if(res) { fprintf(stderr, 
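/*
 * Entry point of rc_role_wrap: optionally parse -h/-v/-p, switch the
 * calling process's RC role and then replace the process image with the
 * given program via execvp().
 *
 * Usage: prog [-v] [-p pass] new_role_id prog args...
 * Returns 0 after -h and 1 on a usage error.  On success the process
 * image is replaced and main() never returns; failures of the RSBAC call
 * or of execvp() are reported through error_exit().
 */
int main(int argc, char ** argv)
{
  int res = 0;
  rsbac_rc_role_id_t role;
  int verbose = 0;
  char * pass = NULL;          /* role password, NULL when none was given */
  char * end;
  long parsed_role;

  locale_init();
  progname = argv[0];

  /* Option letters may be bundled (e.g. "-vp pass"); -p consumes the
   * argument that follows it. */
  while((argc > 1) && (argv[1][0] == '-'))
    {
      char * pos = argv[1];
      pos++;
      while(*pos)
        {
          switch(*pos)
            {
              case 'h':
                use();
                return 0;
              case 'v':
                verbose++;
                break;
              case 'p':
                /* NOTE(review): the password arrives on the command line and is
                 * thus readable by other local users through the process list;
                 * it is only handed on to rsbac_rc_change_role() below. */
                if(argc > 2)
                  {
                    pass=argv[2];
                    argc--;
                    argv++;
                  }
                else
                  fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos);
                break;
              default:
                fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos);
                exit(1);
            }
          pos++;
        }
      argv++;
      argc--;
    }
  if (argc < 3)
    {
      use();
      return 1;
    }
  /* Reject a role argument that is empty or not entirely numeric instead of
   * silently switching to role 0, which a bare strtol() would yield. */
  parsed_role = strtol(argv[1], &end, 10);
  if((end == argv[1]) || *end)
    {
      fprintf(stderr, gettext("%s: invalid role id %s\n"), progname, argv[1]);
      use();
      return 1;
    }
  role = parsed_role;
  if(verbose)
    printf(gettext("%s: executing %s with role %i\n"), progname,argv[2],role);
  /* Change the role first so that the exec'd program inherits it. */
  res = rsbac_rc_change_role(role, pass);
  error_exit(res);
  /* execvp() only returns on failure (-1 with errno set). */
  res = execvp(argv[2],&argv[2]);
  error_exit(res);
  return (res);
}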
printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext("call = one of the following calls, args = call dependent\n")); for (i=0;i<18;i++) { get_pm_function_type_name(name,i); get_pm_function_param(pars,i); printf("%s \t%s\n",name,pars); } printf(gettext("-- press return --")); scanf("%c", key); for (i=18;i 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc >= 2) { function = get_pm_function_type_nr(argv[1]); if(function == PF_none) { printf(gettext("\n%s: invalid pm function %s!\n\n"), progname, argv[1]); use(1); } printf(gettext("%s: requesting pm-call %s (No. %i)\n"), progname,argv[1],function); switch(function) { case PF_add_na: if(argc < 7) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.add_na.task = strtol(argv[3],0,10); if(!strcmp(argv[4],"IPC")) param.add_na.object_class = RSBAC_PM_IPC_OBJECT_CLASS_ID; else if(!strcmp(argv[4],"DEV")) param.add_na.object_class = RSBAC_PM_DEV_OBJECT_CLASS_ID; else if(!strcmp(argv[4],"NIL")) param.add_na.object_class = 0; else param.add_na.object_class = strtol(argv[4],0,10); param.add_na.tp = strtol(argv[5],0,10); param.add_na.accesses = strtol(argv[6],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_delete_na: if(argc < 7) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.delete_na.task = strtol(argv[3],0,10); if(!strcmp(argv[4],"IPC")) param.add_na.object_class = RSBAC_PM_IPC_OBJECT_CLASS_ID; else if(!strcmp(argv[4],"DEV")) param.add_na.object_class = 
RSBAC_PM_DEV_OBJECT_CLASS_ID; else if(!strcmp(argv[4],"NIL")) param.add_na.object_class = 0; else param.add_na.object_class = strtol(argv[4],0,10); param.delete_na.tp = strtol(argv[5],0,10); param.delete_na.accesses = strtol(argv[6],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_add_task: if(argc < 5) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.add_task.id = strtol(argv[3],0,10); param.add_task.purpose = strtol(argv[4],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_delete_task: if(argc < 4) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.delete_task.id = strtol(argv[3],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_add_object_class: if(argc < 4) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.add_object_class.id = strtol(argv[3],0,10); if(argc > 4) { /* creating list of purposes */ if(!(pp_list_p = (struct rsbac_pm_purpose_list_item_t *) malloc(sizeof(*pp_list_p)) )) { printf(gettext("%s: Could not allocate list memory!"), progname); exit(1); } param.add_object_class.pp_list_p = pp_list_p; pp_list_p->id = strtol(argv[4],0,10); for(i=5;iid = strtol(argv[i],0,10); pp_list_p->next = pp_list_tmp_p; pp_list_p = pp_list_tmp_p; } pp_list_p->next = NULL; } else param.add_object_class.pp_list_p = NULL; res = rsbac_pm(ta_number, function, ¶m, ticket); if(argc > 4) { /* clean up */ pp_list_p = param.add_object_class.pp_list_p; while(pp_list_p) { pp_list_tmp_p = pp_list_p->next; free(pp_list_p); pp_list_p = pp_list_tmp_p; } } /* ready */ break; case PF_delete_object_class: if(argc < 4) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.delete_object_class.id = strtol(argv[3],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_add_authorized_tp: if(argc < 
5) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.add_authorized_tp.task = strtol(argv[3],0,10); param.add_authorized_tp.tp = strtol(argv[4],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_delete_authorized_tp: if(argc < 5) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.delete_authorized_tp.task = strtol(argv[3],0,10); param.delete_authorized_tp.tp = strtol(argv[4],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_add_consent: if(argc < 5) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.add_consent.filename = argv[3]; param.add_consent.purpose = strtol(argv[4],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_delete_consent: if(argc < 5) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.delete_consent.filename = argv[3]; param.delete_consent.purpose = strtol(argv[4],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_add_purpose: if(argc < 5) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.add_purpose.id = strtol(argv[3],0,10); param.add_purpose.def_class = strtol(argv[4],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_delete_purpose: if(argc < 4) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.delete_purpose.id = strtol(argv[3],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_add_responsible_user: if(argc < 5) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.add_responsible_user.user = strtol(argv[3],0,10); param.add_responsible_user.task = strtol(argv[4],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case 
PF_delete_responsible_user: if(argc < 5) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.delete_responsible_user.user = strtol(argv[3],0,10); param.delete_responsible_user.task = strtol(argv[4],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_delete_user_aci: if(argc < 4) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.delete_user_aci.id = strtol(argv[3],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_set_role: if(argc < 5) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.set_role.user = strtol(argv[3],0,10); if((param.set_role.role = get_pm_role_nr(argv[4])) == PR_none) param.set_role.role = strtol(argv[4],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_set_object_class: if(argc < 5) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.set_object_class.filename = argv[3]; param.set_object_class.object_class = strtol(argv[4],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_switch_pm: if(argc < 4) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.switch_pm.value = strtol(argv[3],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_switch_auth: if(argc < 4) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.switch_auth.value = strtol(argv[3],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_set_device_object_type: if(argc < 5) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.set_device_object_type.filename = argv[3]; if((param.set_device_object_type.object_type = get_pm_object_type_nr(argv[4])) == PO_none) param.set_device_object_type.object_type 
= strtol(argv[4],0,10); param.set_device_object_type.object_class = RSBAC_PM_DEV_OBJECT_CLASS_ID; if(argc > 5) { if(!strcmp(argv[5],"IPC")) param.set_device_object_type.object_class = RSBAC_PM_IPC_OBJECT_CLASS_ID; else if(!strcmp(argv[5],"DEV")) param.set_device_object_type.object_class = RSBAC_PM_DEV_OBJECT_CLASS_ID; else if(!strcmp(argv[5],"NIL")) param.set_device_object_type.object_class = 0; else param.set_device_object_type.object_class = strtol(argv[5],0,10); } res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_set_auth_may_setuid: if(argc < 4) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.set_auth_may_setuid.filename = argv[3]; param.set_auth_may_setuid.value = strtol(argv[4],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_set_auth_may_set_cap: if(argc < 4) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.set_auth_may_set_cap.filename = argv[3]; param.set_auth_may_set_cap.value = strtol(argv[4],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; /********/ case PF_add_authorized_task: if(argc < 5) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.add_authorized_task.user = strtol(argv[3],0,10); param.add_authorized_task.task = strtol(argv[4],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_delete_authorized_task: if(argc < 5) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = strtol(argv[2],0,10); param.delete_authorized_task.user = strtol(argv[3],0,10); param.delete_authorized_task.task = strtol(argv[4],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; /********/ case PF_create_tp: if(argc < 3) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = 0; param.create_tp.id = strtol(argv[2],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case 
PF_delete_tp: if(argc < 3) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = 0; param.delete_tp.id = strtol(argv[2],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; case PF_set_tp: if(argc < 4) { printf(gettext("Too few arguments: argc is %i\n"), argc); use(1); } ticket = 0; param.set_tp.filename = argv[2]; param.set_tp.tp = strtol(argv[3],0,10); res = rsbac_pm(ta_number, function, ¶m, ticket); break; /********/ case PF_create_ticket: if(argc < 6) { printf(gettext("\nToo few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.id = strtol(argv[2],0,10); param.create_ticket.valid_for = strtol(argv[3],0,10); param.create_ticket.function_type = get_pm_tkt_function_type_nr(argv[4]); switch(param.create_ticket.function_type) { case PF_add_na: if(argc < 9) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.add_na.task = strtol(argv[5],0,10); if(!strcmp(argv[6],"IPC")) param.create_ticket.function_param.add_na.object_class = RSBAC_PM_IPC_OBJECT_CLASS_ID; else if(!strcmp(argv[6],"DEV")) param.create_ticket.function_param.add_na.object_class = RSBAC_PM_DEV_OBJECT_CLASS_ID; else if(!strcmp(argv[6],"NIL")) param.create_ticket.function_param.add_na.object_class = 0; else param.create_ticket.function_param.add_na.object_class = strtol(argv[6],0,10); param.create_ticket.function_param.add_na.tp = strtol(argv[7],0,10); param.create_ticket.function_param.add_na.accesses = strtol(argv[8],0,10); break; case PF_delete_na: if(argc < 9) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.delete_na.task = strtol(argv[5],0,10); if(!strcmp(argv[6],"IPC")) param.create_ticket.function_param.delete_na.object_class = RSBAC_PM_IPC_OBJECT_CLASS_ID; else if(!strcmp(argv[6],"DEV")) param.create_ticket.function_param.delete_na.object_class = RSBAC_PM_DEV_OBJECT_CLASS_ID; else if(!strcmp(argv[6],"NIL")) 
param.create_ticket.function_param.delete_na.object_class = 0; else param.create_ticket.function_param.delete_na.object_class = strtol(argv[6],0,10); param.create_ticket.function_param.delete_na.tp = strtol(argv[7],0,10); param.create_ticket.function_param.delete_na.accesses = strtol(argv[8],0,10); break; case PF_add_task: if(argc < 7) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.add_task.id = strtol(argv[5],0,10); param.create_ticket.function_param.add_task.purpose = strtol(argv[6],0,10); break; case PF_delete_task: if(argc < 6) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.delete_task.id = strtol(argv[5],0,10); break; case PF_add_object_class: if(argc < 6) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.add_object_class.id = strtol(argv[5],0,10); if(argc > 6) { /* creating list of purposes */ if(!(pp_list_p = (struct rsbac_pm_purpose_list_item_t *) malloc(sizeof(*pp_list_p)) )) { printf(gettext("%s: Could not allocate list memory!"), progname); exit(1); } param.create_ticket.function_param.add_object_class.pp_list_p = pp_list_p; pp_list_p->id = strtol(argv[6],0,10); for(i=7;iid = strtol(argv[i],0,10); pp_list_p->next = pp_list_tmp_p; pp_list_p = pp_list_tmp_p; } pp_list_p->next = NULL; } else param.create_ticket.function_param.add_object_class.pp_list_p = NULL; /* calling sys_rsbac_pm */ res = rsbac_pm(ta_number, function, ¶m, ticket); if(argc > 6) { /* clean up */ pp_list_p = param.create_ticket.function_param.add_object_class.pp_list_p; while(pp_list_p) { pp_list_tmp_p = pp_list_p->next; free(pp_list_p); pp_list_p = pp_list_tmp_p; } } break; case PF_delete_object_class: if(argc < 6) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.delete_object_class.id = strtol(argv[5],0,10); break; case PF_add_authorized_tp: if(argc < 
7) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.add_authorized_tp.task = strtol(argv[5],0,10); param.create_ticket.function_param.add_authorized_tp.tp = strtol(argv[6],0,10); break; case PF_delete_authorized_tp: if(argc < 7) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.delete_authorized_tp.task = strtol(argv[5],0,10); param.create_ticket.function_param.delete_authorized_tp.tp = strtol(argv[6],0,10); break; case PF_add_consent: if(argc < 7) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.add_consent.filename = argv[5]; param.create_ticket.function_param.add_consent.purpose = strtol(argv[6],0,10); break; case PF_delete_consent: if(argc < 7) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.delete_consent.filename = argv[5]; param.create_ticket.function_param.delete_consent.purpose = strtol(argv[6],0,10); break; case PF_add_purpose: if(argc < 7) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.add_purpose.id = strtol(argv[5],0,10); param.create_ticket.function_param.add_purpose.def_class = strtol(argv[6],0,10); break; case PF_delete_purpose: if(argc < 6) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.delete_purpose.id = strtol(argv[5],0,10); break; case PF_add_responsible_user: if(argc < 7) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.add_responsible_user.user = strtol(argv[5],0,10); param.create_ticket.function_param.add_responsible_user.task = strtol(argv[6],0,10); break; case PF_delete_responsible_user: if(argc < 7) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } 
param.create_ticket.function_param.delete_responsible_user.user = strtol(argv[5],0,10); param.create_ticket.function_param.delete_responsible_user.task = strtol(argv[6],0,10); break; case PF_delete_user_aci: if(argc < 6) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.delete_user_aci.id = strtol(argv[5],0,10); break; case PF_set_role: if(argc < 7) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.set_role.user = strtol(argv[5],0,10); if((param.create_ticket.function_param.set_role.role = get_pm_role_nr(argv[6])) == PR_none) param.create_ticket.function_param.set_role.role = strtol(argv[6],0,10); break; case PF_set_object_class: if(argc < 7) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.set_object_class.filename = argv[5]; param.create_ticket.function_param.set_object_class.object_class = strtol(argv[6],0,10); break; case PF_switch_pm: if(argc < 6) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.switch_pm.value = strtol(argv[5],0,10); break; case PF_switch_auth: if(argc < 6) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.switch_auth.value = strtol(argv[5],0,10); break; case PF_set_device_object_type: if(argc < 7) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.set_device_object_type.filename = argv[5]; if((param.create_ticket.function_param.set_device_object_type.object_type = get_pm_object_type_nr(argv[6])) == PO_none) param.create_ticket.function_param.set_device_object_type.object_type = strtol(argv[6],0,10); param.create_ticket.function_param.set_device_object_type.object_class = RSBAC_PM_DEV_OBJECT_CLASS_ID; if(argc > 7) { if(!strcmp(argv[7],"IPC")) 
param.create_ticket.function_param.set_device_object_type.object_class = RSBAC_PM_IPC_OBJECT_CLASS_ID; else if(!strcmp(argv[7],"DEV")) param.create_ticket.function_param.set_device_object_type.object_class = RSBAC_PM_DEV_OBJECT_CLASS_ID; else if(!strcmp(argv[7],"NIL")) param.create_ticket.function_param.set_device_object_type.object_class = 0; else param.create_ticket.function_param.set_device_object_type.object_class = strtol(argv[7],0,10); } break; case PF_set_auth_may_setuid: if(argc < 6) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.set_auth_may_setuid.filename = argv[5]; param.create_ticket.function_param.set_auth_may_setuid.value = strtol(argv[6],0,10); break; case PF_set_auth_may_set_cap: if(argc < 6) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.set_auth_may_set_cap.filename = argv[5]; param.create_ticket.function_param.set_auth_may_set_cap.value = strtol(argv[6],0,10); break; /**********/ case PF_add_authorized_task: if(argc < 7) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.add_authorized_task.user = strtol(argv[5],0,10); param.create_ticket.function_param.add_authorized_task.task = strtol(argv[6],0,10); break; case PF_delete_authorized_task: if(argc < 7) { printf(gettext("Too few arguments: argc is %i\n"), argc); use_ct(1); } param.create_ticket.function_param.delete_authorized_task.user = strtol(argv[5],0,10); param.create_ticket.function_param.delete_authorized_task.task = strtol(argv[6],0,10); break; default: use_ct(1); } if(param.create_ticket.function_type != PF_add_object_class) res = rsbac_pm(ta_number, function, ¶m, ticket); break; default: use(1); } error_exit(res); } else { use(0); } return (res); } rsbac-admin-1.4.0/main/tools/src/pm_create.c0000644000175000017500000000265011131371032020513 0ustar 
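/*
 * Entry point of pm_create: create one or more files carrying a given PM
 * object class.
 *
 * Usage: prog class mode filename(s)
 *   class  decimal PM object class id
 *   mode   octal file mode
 * Returns 1 on a usage or argument error; otherwise the result of the last
 * rsbac_pm_create_file() call (error_exit() terminates on a failure).
 */
int main(int argc, char ** argv)
{
  int res = 0;
  int i,mode;
  rsbac_pm_object_class_id_t class;
  char * end;
  long parsed;

  locale_init();
  progname = argv[0];

  if (argc <= 3)
    {
      use();
      return 1;
    }
  /* Reject class/mode strings that are empty or carry trailing garbage: a
   * bare strtol() would quietly yield class 0 or a truncated mode. */
  parsed = strtol(argv[1], &end, 10);
  if((end == argv[1]) || *end)
    {
      fprintf(stderr, gettext("%s: invalid class %s\n"), progname, argv[1]);
      use();
      return 1;
    }
  class = parsed;
  parsed = strtol(argv[2], &end, 8);
  if((end == argv[2]) || *end)
    {
      fprintf(stderr, gettext("%s: invalid octal mode %s\n"), progname, argv[2]);
      use();
      return 1;
    }
  mode = parsed;
  printf(gettext("%s: %i files of class %i, mode %o to be created\n\n"), argv[0], argc - 3, class, mode);
  /* File names start at argv[3]; the progress number is 1-based. */
  for (i = 3; i < argc; i++)
    {
      printf(gettext("Processing %s (No. %i)\n"), argv[i], i - 2);
      res = rsbac_pm_create_file(argv[i],mode,class);
      error_exit(res);
    }
  return (res);
}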
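/* Label for the device in generated commands and diagnostics: the kernel
 * device descriptor when backing up all known devices (-b), else the path
 * name the caller passed.  tmpname must provide RSBAC_MAXNAMELEN bytes. */
static const char * dev_label(const char * name, struct rsbac_dev_desc_t * desc_p, char * tmpname)
{
  if(backall)
    return devdesctostr(tmpname, *desc_p);
  return name;
}

/*
 * Write one attr_set_file_dir command per non-default DEV attribute of a
 * device to tfile, and optionally (-r) recurse into directories.
 *
 * name    path of the device node (or of a directory to recurse into);
 *         NULL in -b mode, where desc_p identifies the device instead.
 * desc_p  device descriptor used in -b mode; ignored otherwise.
 *
 * Returns the result of the last rsbac_get_attr*() call, or -2 when a
 * directory could not be opened.  Failures while reading single attributes
 * are reported on stderr and do not stop processing.
 */
int process(char * name, struct rsbac_dev_desc_t * desc_p)
{
  int res = 0;
  char tmpname[RSBAC_MAXNAMELEN];
  char tmp1[RSBAC_MAXNAMELEN];
  char tmp2[RSBAC_MAXNAMELEN];
  int j;
  union rsbac_attribute_value_t value;
  struct stat buf;
  union rsbac_target_id_t tid;
  /* "-d " selects the descriptor form of attr_set_file_dir's DEV target. */
  const char * dev_flag = backall ? "-d " : "";

  if(verbose && name)
    printf(gettext("# Processing DEV '%s'\n"), name);
  for (j=0;j < RSBAC_DEV_NR_ATTRIBUTES;j++)
    {
      const char * label;

      value.dummy = -1;
      if(backall)
        {
          tid.dev = *desc_p;
          res = rsbac_get_attr(ta_number, get_attr_module(attr_list[j]), T_DEV, &tid, attr_list[j], &value, 0);
        }
      else
        res = rsbac_get_attr_n(ta_number, get_attr_module(attr_list[j]), T_DEV, name, attr_list[j], &value, 0);
      if(res)
        {
          /* An unknown module stays silent; an invalid target is only
           * reported when verbose. */
          if( (errno != RSBAC_EINVALIDMODULE) && ( verbose || (errno != RSBAC_EINVALIDTARGET) ) )
            {
              get_error_name(tmp1,res);
              /* name is NULL in -b mode, so print the descriptor there rather
               * than passing a null pointer to %s. */
              fprintf(stderr, "%s (%s): %s\n", dev_label(name, desc_p, tmpname), get_attribute_name(tmp2,attr_list[j]), tmp1);
            }
          continue;
        }
      label = dev_label(name, desc_p, tmpname);
      switch(attr_list[j])
        {
          case A_log_array_low:
          case A_log_array_high:
            if (value.log_array_low != -1)
              fprintf(tfile, "%s -V %u %sDEV \"%s\" %s %s\n", set_prog, RSBAC_VERSION_NR, dev_flag, label, get_attribute_name(tmp1,attr_list[j]), u64tostrlog(tmp2,value.log_array_low));
            break;
          case A_security_level:
          case A_pm_object_type:
            if(value.security_level != def_attr[j])
              fprintf(tfile, "%s -V %u %sDEV \"%s\" %s %u\n", set_prog, RSBAC_VERSION_NR, dev_flag, label, get_attribute_name(tmp1,attr_list[j]), value.security_level);
            break;
          case A_rc_type:
            /* In -b mode descriptor types above D_char are compared against
             * def_attr, all others against RC_type_inherit_parent. */
            if(backall)
              {
                if( ( (desc_p->type > D_char) && (value.rc_type != def_attr[j]) ) || ( (desc_p->type <= D_char) && (value.rc_type != RC_type_inherit_parent) ) )
                  fprintf(tfile, "%s -V %u %sDEV \"%s\" %s %u\n", set_prog, RSBAC_VERSION_NR, dev_flag, label, get_attribute_name(tmp1,attr_list[j]), value.rc_type);
              }
            else
              {
                if(value.rc_type != RC_type_inherit_parent)
                  fprintf(tfile, "%s -V %u %sDEV \"%s\" %s %u\n", set_prog, RSBAC_VERSION_NR, dev_flag, label, get_attribute_name(tmp1,attr_list[j]), value.rc_type);
              }
            break;
          default:
            if(value.dummy != def_attr[j])
              fprintf(tfile, "%s -V %u %sDEV \"%s\" %s %i\n", set_prog, RSBAC_VERSION_NR, dev_flag, label, get_attribute_name(tmp1,attr_list[j]), value.dummy);
        }
    }
  /* -r: descend into directories.  lstat() does not follow symlinks, so a
   * link to a directory is not S_ISDIR here and is left alone. */
  if( recurse && !backall && !lstat(name,&buf) && S_ISDIR(buf.st_mode))
    {
      DIR * dir_stream_p;
      struct dirent * dirent_p;
      char name2[PATH_MAX];

      if(!(dir_stream_p = opendir(name)))
        {
          fprintf(stderr, gettext("opendir for dir %s returned error: %s\n"), name, strerror(errno));
          return(-2);
        }
      while((dirent_p = readdir(dir_stream_p)))
        {
          int len;

          if( !strcmp(".",dirent_p->d_name) || !strcmp("..",dirent_p->d_name) )
            continue;
          /* Bounded join: strcpy/strcat into the PATH_MAX buffer would overflow
           * on deep trees or long entry names. */
          len = snprintf(name2, sizeof(name2), "%s/%s", name, dirent_p->d_name);
          if((len < 0) || ((size_t) len >= sizeof(name2)))
            {
              fprintf(stderr, gettext("path too long, skipping: %s/%s\n"), name, dirent_p->d_name);
              continue;
            }
          /* Return value intentionally ignored: recursion is best-effort. */
          process(name2, NULL);
        }
      closedir(dir_stream_p);
    }
  return(res);
}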
gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if ( (argc > 1) || backall || filelistname ) { if(!filename) tfile = stdout; else { if (!(tfile=fopen(filename,"w"))) { fprintf(stderr, gettext("opening target file returned error: %s\n"), strerror(errno)); } } if(backall) { int count; struct rsbac_dev_desc_t * id_array; count = rsbac_list_all_dev(ta_number, NULL, 0); error_exit(count); if(verbose) printf(gettext("# %s: %i targets\n"), progname, count); count += ROOM; id_array = malloc(count * sizeof(*id_array)); if(!id_array) error_exit(-ENOMEM); count = rsbac_list_all_dev(ta_number, id_array, count); if(count > 0) { qsort(id_array, count, sizeof(*id_array), rsbac_dev_compare); for(i=0; i < count ; i++) process(NULL, &id_array[i]); } } else { if(filelistname) { if(!strcmp(filelistname, "-")) listfile = stdin; else if (!(listfile=fopen(filelistname,"r"))) { fprintf(stderr, gettext("opening target list file returned error: %s\n"), strerror(errno)); exit(1); } } if(verbose) { printf(gettext("# %s: %i targets\n"), progname, argc - 1); if(filelistname) printf(gettext("# - plus targets from file %s\n"), filelistname); } for (i=1;i < argc;i++) { process(argv[i], NULL); } if(filelistname) { char item[4096]; char * pos; int last; pos = item; while(fgets(item, 4095, listfile)) { if(!*item) continue; last = strlen(item) - 1; if(item[last] == '\n') item[last] = 0; if(*item) process(item, NULL); } fclose(listfile); } } if(tfile != stdout) fclose(tfile); } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/auth_back_cap.c0000644000175000017500000004547611131371031021334 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott */ /* */ /* Last modified: 26/Sep/2007 */ 
/*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif const char set_prog[] = "auth_set_cap"; int recurse = 0; int verbose = 0; /* default max number of cap entries per file */ #define MAXNUM 200 int maxnum = MAXNUM; char * filename = NULL; char * filelistname = NULL; struct rsbac_auth_cap_range_t * caplist; rsbac_time_t * ttllist; rsbac_list_ta_number_t ta_number = 0; char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [-r] [-v] [-o output-file] file/dirname(s)\n"), progname); printf(gettext(" should be called by root with all rsbac modules switched off,\n")); printf(gettext(" -r = recurse in subdirs, -v = verbose, no symlinks followed,\n")); printf(gettext(" -T file = read file/dirname list from file (- for stdin),\n")); printf(gettext(" -m = set maximum length of cap entry list per file, default is %u\n"), MAXNUM); printf(gettext(" -o target-file = write to file, not stdout\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); } int process(char * name, FILE * tfile) { int res = 0; char tmp1[RSBAC_MAXNAMELEN]; int i; struct stat buf; if(verbose) printf(gettext("Processing FILE/DIR '%s'\n"), name); res = rsbac_auth_get_f_caplist(ta_number, name, ACT_real, caplist, ttllist, maxnum); if(res<0) { if( verbose || (errno != RSBAC_EINVALIDTARGET) ) { get_error_name(tmp1,res); fprintf(stderr, "%s: %s\n", name, tmp1); } } else { rsbac_time_t now = time(NULL); if(verbose) printf("# %s: %i real caps\n", name, res); for(i=0;i0) { rsbac_time_t now = time(NULL); if(verbose) printf("# %s: %i eff caps\n", name, res); for(i=0;i0) { rsbac_time_t now = time(NULL); if(verbose) printf("# %s: %i fs caps\n", name, res); for(i=0;i0) { rsbac_time_t now = time(NULL); if(verbose) printf("# %s: %i 
group eff caps\n", name, res); for(i=0;i0) { rsbac_time_t now = time(NULL); if(verbose) printf("# %s: %i group fs caps\n", name, res); for(i=0;id_name)) && (strcmp("..",dirent_p->d_name)) ) { strcpy(name2,name); strcat(name2,"/"); strcat(name2,dirent_p->d_name); process(name2, tfile); } } closedir(dir_stream_p); } return(0); } int main(int argc, char ** argv) { int res = 0; int i; FILE * tfile; FILE * listfile = NULL; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'm': if(argc > 2) { maxnum = strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing maxnum value for parameter %c\n"), progname, *pos); break; case 'r': recurse=1; break; case 'o': if(argc > 2) { filename = argv[2]; argv++; argc--; } else fprintf(stderr, gettext("%s: missing filename for parameter %c\n"), progname, *pos); break; case 'T': if(argc > 2) { filelistname = argv[2]; argv++; argc--; } else fprintf(stderr, gettext("%s: missing filename for parameter %c\n"), progname, *pos); break; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc > 1 || filelistname) { if(!filename) tfile = stdout; else if (!(tfile=fopen(filename,"w"))) { fprintf(stderr, gettext("opening target file returned error: %s\n"), strerror(errno)); } if(filelistname) { if(!strcmp(filelistname, "-")) listfile = stdin; else if (!(listfile=fopen(filelistname,"r"))) { fprintf(stderr, gettext("opening target list file returned error: %s\n"), strerror(errno)); exit(1); } } if(verbose) { printf(gettext("%s: %i 
targets"), progname, argc - 1); if(recurse) printf(gettext(" - recursing")); if(filelistname) printf(gettext(" - plus targets from file %s"), filelistname); printf("\n"); } caplist = malloc(sizeof(*caplist) * maxnum); ttllist = malloc(sizeof(*ttllist) * maxnum); if(!caplist || !ttllist) error_exit(-ENOMEM); for (i=1;i < argc;i++) { process(argv[i],tfile); } if(filelistname) { char item[4096]; char * pos; int last; pos = item; while(fgets(item, 4095, listfile)) { if(!*item) continue; last = strlen(item) - 1; if(item[last] == '\n') item[last] = 0; if(*item) process(item, tfile); } fclose(listfile); } if(tfile != stdout) fclose(tfile); } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/attr_get_net.c0000644000175000017500000003253311131371033021237 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott */ /* */ /* Last modified: 26/Sep/2007 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif #define LISTROOM 10 union rsbac_attribute_value_t value; enum rsbac_switch_target_t module; enum rsbac_target_t target; enum rsbac_attribute_t attr; char * progname; int verbose=0; int recurse=0; int inherit=0; char * target_n; char * attr_n; rsbac_list_ta_number_t ta_number = 0; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [-v] [-e] module target-type attribute [CAT category] [request] id(s)\n"), progname); printf(gettext(" -v = verbose, -e = show effective (maybe inherited) value, not real\n")); printf(gettext(" -r = recurse into subdirs, -n [target] = list all requests [for target]\n")); printf(gettext(" -a = list attributes and values\n")); printf(gettext(" -d = list NETDEV targets with non-default attribute 
values\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" module = GEN, MAC, FC, SIM, PM, MS or RC\n")); printf(gettext(" target-type = NETDEV, NETTEMP or NETOBJ\n")); printf(gettext(" category = category number for mac_categories\n")); printf(gettext(" request = request number for log_array_low|high\n")); } int process(char * name, u_int request) { int res = 0; char tmp1[120]; union rsbac_target_id_t tid; switch(target) { case T_NETDEV: strncpy((char *)tid.netdev, name, RSBAC_IFNAMSIZ); tid.netdev[RSBAC_IFNAMSIZ] = 0; break; case T_NETTEMP: tid.nettemp = strtoul(name, NULL, 10); if( !tid.nettemp && strcmp(name, "0") ) { fprintf(stderr, "Invalid network template %s!\n", name); return -RSBAC_EINVALIDTARGET; } break; case T_NETOBJ: break; default: fprintf(stderr, gettext("Internal error on %s %s!\n"), target_n, name); return(1); } if(verbose) printf(gettext("Processing %s '%s', attribute %s\n"), target_n, name, attr_n); value.dummy = -1; if(target == T_NETOBJ) res = rsbac_get_attr_n(ta_number, module, target, name, attr, &value, inherit); else res = rsbac_get_attr(ta_number, module, target, &tid, attr, &value, inherit); show_error(res); if(res) return res; switch (attr) { case A_mac_categories: case A_local_mac_categories: case A_remote_mac_categories: if(request <= RSBAC_MAC_MAX_CAT) if(verbose) printf(gettext("%s: Returned value: %u\n"), name, (u_int) (value.mac_categories & RSBAC_MAC_CAT_VECTOR(request)) >> request); else printf("%u\n", (u_int) (value.mac_categories & RSBAC_MAC_CAT_VECTOR(request)) >> request); else if(verbose) printf(gettext("%s: Returned value: %s\n"), name, u64tostrmac(tmp1,value.mac_categories)); else printf("%s\n", u64tostrmac(tmp1,value.mac_categories)); break; case A_log_array_low: case A_log_array_high: if(request == R_NONE) { if(verbose) printf(gettext("%s: Returned value: %s\n"), name, u64tostrlog(tmp1,value.log_array_low)); else 
printf("%s\n",u64tostrlog(tmp1,value.log_array_low)); } else { union rsbac_attribute_value_t value2; int log_level; res = rsbac_get_attr(ta_number, module, target, &tid, A_log_array_low, &value, FALSE); error_exit(res); res = rsbac_get_attr(ta_number, module, target, &tid, A_log_array_high, &value2, FALSE); error_exit(res); log_level = ((value.log_array_low >> request) & 1) | ( ((value2.log_array_high >> request) & 1) << 1); printf("%u\n",log_level); return(0); } break; case A_pm_object_type: case A_security_level: case A_local_sec_level: case A_remote_sec_level: if(verbose) printf(gettext("%s: Returned value: %u\n"), name, value.u_char_dummy); else printf("%u\n", value.u_char_dummy); break; case A_local_pm_object_type: case A_remote_pm_object_type: case A_rc_type: case A_local_rc_type: case A_remote_rc_type: case A_rc_type_nt: if(verbose) printf(gettext("%s: Returned value: %u\n"), name, value.u_dummy); else printf("%u\n", value.u_dummy); break; default: if(verbose) printf(gettext("%s: Returned value: %i\n"), name, value.dummy); else printf("%i\n", value.dummy); } return(0); } int main(int argc, char ** argv) { enum rsbac_attribute_t attr_list_dev[RSBAC_NETDEV_NR_ATTRIBUTES] = RSBAC_NETDEV_ATTR_LIST; enum rsbac_attribute_t attr_list_temp[RSBAC_NETTEMP_NR_ATTRIBUTES] = RSBAC_NETTEMP_ATTR_LIST; enum rsbac_attribute_t attr_list_obj[RSBAC_NETOBJ_NR_ATTRIBUTES] = RSBAC_NETOBJ_ATTR_LIST; int res = 0; char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN]; int i,j; u_int request = R_NONE; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'r': recurse=1; break; case 'e': inherit=1; break; case 'n': { rsbac_request_vector_t rvector = -1; if(argc > 2) { target = get_target_nr(argv[2]); switch(target) { case T_NETDEV: rvector = 
RSBAC_NETDEV_REQUEST_VECTOR; break; case T_NETTEMP: rvector = RSBAC_NETTEMP_REQUEST_VECTOR; break; case T_NETOBJ: rvector = RSBAC_NETOBJ_REQUEST_VECTOR; break; default: if(!strcmp(argv[2], "NET")) rvector = RSBAC_NETTEMP_REQUEST_VECTOR | RSBAC_NETOBJ_REQUEST_VECTOR; } } for(i=0; i 2) && ((attr = get_attribute_nr(argv[2])) != A_none) ) { get_switch_target_name(tmp1, get_attr_module(attr)); get_attribute_name(tmp2, attr); get_attribute_param(tmp3, attr); printf("[%-4s] %s\n\t%s\n",tmp1,tmp2,tmp3); exit(0); } printf(gettext("- attribute (string) and returned value = see following lists:\n")); printf("NETDEV:\n"); for (j=0;j 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if(argc > 1) { module = get_switch_target_nr(argv[1]); if(module != SW_NONE) { argv++; argc--; } } if (argc > 3) { if(verbose) printf(gettext("%s: %i targets\n\n"), progname, argc - 3); target = get_target_nr(argv[1]); switch(target) { case T_NETDEV: case T_NETTEMP: case T_NETOBJ: break; default: fprintf(stderr, gettext("%s: invalid target %s\n"), progname, argv[1]); } target_n = argv[1]; attr = get_attribute_nr(argv[2]); attr_n = argv[2]; switch(attr) { case A_log_array_low: case A_local_log_array_low: case A_remote_log_array_low: case A_log_array_high: case A_local_log_array_high: case A_remote_log_array_high: request = get_request_nr(argv[3]); if(request != R_NONE) { argv++; argc--; } break; case A_mac_categories: case A_local_mac_categories: case A_remote_mac_categories: if( !strcmp(argv[3], "CAT") && (argc > 4) ) { request = strtoul(argv[4],0,10); if( (request > 0) || !strcmp(argv[4],"0") ) { argv+=2; argc-=2; } else { fprintf(stderr, "Invalid category after CAT parameter!\n"); exit(1); } } else request = RSBAC_MAC_MAX_CAT + 1; break; default: 
break; } for (i=3;i < (argc);i++) { process(argv[i], request); } } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/get_attribute_nr.c0000644000175000017500000000163211131371032022114 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott */ /* */ /* Last modified: 26/Sep/2007 */ /*************************************************** */ #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif int main(int argc, char ** argv) { int value; locale_init(); if (argc == 2) { value = get_attribute_nr(argv[1]); printf("%i\n", value); } else { printf(gettext("%s (RSBAC %s)\n***\n"), argv[0], VERSION); printf(gettext("Use: %s attribute_name\n"), argv[0]); exit(1); } exit(0); } rsbac-admin-1.4.0/main/tools/src/rsbac_groupadd.c0000644000175000017500000003353111131371033021536 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2009: Amon Ott */ /* */ /* Last modified: 07/Jan/2009 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; char password[RSBAC_MAXNAMELEN] = ""; char * crypt_pass = NULL; rsbac_time_t ttl = 0; int verbose = 0; int useold = 0; int sysgroup = 0; int addallold = 0; rsbac_list_ta_number_t ta_number = 0; rsbac_um_set_t vset = RSBAC_UM_VIRTUAL_KEEP; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [flags] groupname\n"), progname); printf(gettext(" -p password = password in plaintext,\n")); printf(gettext(" -g gid = gid to use,\n")); printf(gettext(" -G = create system group (gid >= 100),\n")); printf(gettext(" -t = set relative time-to-live in 
secs (role/type comp, admin, assign only)\n")); printf(gettext(" -T = set absolute time-to-live in secs (role/type comp, admin, assign only)\n")); printf(gettext(" -D = set relative time-to-live in days (role/type comp, admin, assign only)\n")); printf(gettext(" -o = use values from old group entry,\n")); printf(gettext(" -O = add all existing groups (implies -o)\n")); printf(gettext(" -C group = copy existing group\n")); printf(gettext(" -S n = virtual user set n\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); } int password_read(char * to, char * from) { char * f = from; char * t = to; char tmp[3]; int i; if(strlen(from) != RSBAC_UM_PASS_LEN * 2) { fprintf(stderr, "Wrong encrypted password length!\n"); return -RSBAC_EINVALIDVALUE; } tmp[2] = 0; while(f[0] && f[1]) { tmp[0] = f[0]; tmp[1] = f[1]; i = strtoul(tmp, 0, 16); if(i < 0 || i > 255) return -RSBAC_EINVALIDVALUE; *t = i; t++; f += 2; } return 0; } int process(char * name, rsbac_gid_t group, struct rsbac_um_group_entry_t entry, char ** gr_mem) { int res; if(useold) { if(verbose) { if(RSBAC_GID_SET(group) != RSBAC_UM_VIRTUAL_KEEP) printf("Adding old group %s with gid %u/%u\n", name, RSBAC_GID_SET(group), RSBAC_GID_NUM(group)); else printf("Adding old group %s with gid %u\n", name, RSBAC_GID_NUM(group)); } } else if(sysgroup) { if(RSBAC_GID_NUM(group) == RSBAC_NO_GROUP) group = RSBAC_GEN_GID(RSBAC_GID_SET(group), 100); while (rsbac_um_group_exists(ta_number, group)) group++; } if(verbose) { if(RSBAC_GID_SET(group) != RSBAC_UM_VIRTUAL_KEEP) printf("Adding group %u/%u:%s\n", RSBAC_GID_SET(group), RSBAC_GID_NUM(group), name); else printf("Adding group %u:%s\n", RSBAC_GID_NUM(group), name); } strncpy(entry.name, name, RSBAC_UM_NAME_LEN); entry.name[RSBAC_UM_NAME_LEN - 1] = 0; res = rsbac_um_add_group(ta_number, group, &entry, password, ttl); if(res) { fprintf(stderr, "%s: ", name); show_error(res); } if(gr_mem) { rsbac_uid_t tmp_uid; while(*gr_mem) { if(verbose) 
printf("Adding group %s member %s\n", name, *gr_mem); tmp_uid = RSBAC_GEN_UID(vset, RSBAC_NO_USER); res = rsbac_um_get_uid(ta_number, *gr_mem, &tmp_uid); if(res) { if(vset != RSBAC_UM_VIRTUAL_KEEP) fprintf(stderr, "Lookup group %u/%s member %s: ", vset, name, *gr_mem); else fprintf(stderr, "Lookup group %s member %s: ", name, *gr_mem); show_error(res); } else { res = rsbac_um_add_gm(ta_number, tmp_uid, RSBAC_GID_NUM(group), ttl); if(res) { if(vset != RSBAC_UM_VIRTUAL_KEEP) fprintf(stderr, "Adding group %u/%s member %s (uid %u): ", vset, name, *gr_mem, RSBAC_UID_NUM(tmp_uid)); else fprintf(stderr, "Adding group %s member %s (uid %u): ", name, *gr_mem, RSBAC_UID_NUM(tmp_uid)); show_error(res); } } gr_mem++; } } if(crypt_pass) { union rsbac_um_mod_data_t data; memcpy(data.string, crypt_pass, RSBAC_UM_PASS_LEN); res = rsbac_um_mod_group(ta_number, group, UM_cryptpass, &data); show_error(res); } return res; } int fill_entry(rsbac_gid_t group, struct rsbac_um_group_entry_t * entry_p) { int res; union rsbac_um_mod_data_t data; res = rsbac_um_get_group_item(ta_number, group, UM_name, &data); if(!res) strcpy(entry_p->name, data.string); else return res; res = rsbac_um_get_group_item(ta_number, group, UM_ttl, &data); if(!res) ttl = data.ttl; return 0; } int main(int argc, char ** argv) { int res = 0; struct rsbac_um_group_entry_t entry = DEFAULT_UM_G_ENTRY; rsbac_gid_t group = RSBAC_GEN_GID(vset, RSBAC_NO_GROUP); locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'o': useold = 1; break; case 'G': sysgroup = 1; break; case 'O': addallold = 1; useold = 1; break; case 'C': if(argc > 2) { rsbac_gid_t egroup = RSBAC_GEN_GID(vset, RSBAC_NO_GROUP); if(rsbac_um_get_gid(ta_number, argv[2], &egroup)) { char * tmp_name = argv[2]; char * p = tmp_name; rsbac_um_set_t 
tmp_vset = vset; while (*p && (*p != '/')) p++; if (*p) { *p = 0; tmp_vset = strtoul(tmp_name, NULL, 0); *p = '/'; p++; tmp_name = p; } egroup = strtoul(tmp_name, NULL, 0); if(!egroup && strcmp(tmp_name,"0")) { fprintf(stderr, gettext("%s: Unknown group %s\n"), progname, argv[2]); return 1; } egroup = RSBAC_GEN_GID(tmp_vset, egroup); } if (fill_entry (egroup, &entry)) { fprintf(stderr, gettext("%s: Reading group %s (%u/%u) failed, exiting!\n"), progname, argv[2], RSBAC_GID_SET(egroup), RSBAC_GID_NUM(egroup)); return 1; } group = egroup; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'p': if(argc > 2) { strncpy(password, argv[2], RSBAC_MAXNAMELEN); password[RSBAC_MAXNAMELEN - 1] = 0; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'Q': if(argc > 2) { crypt_pass = malloc(RSBAC_MAXNAMELEN); if(!crypt_pass) error_exit(-ENOMEM); res = password_read(crypt_pass, argv[2]); error_exit(res); argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'g': if(argc > 2) { group = strtoul(argv[2],0,0); argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 't': if(argc > 2) { ttl = strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'D': if(argc > 2) { ttl = 86400 * strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'T': if(argc > 2) { rsbac_time_t now = time(NULL); ttl = strtoul(argv[2], 0, 10); if(ttl > now) { ttl -= now; argc--; argv++; } else { fprintf(stderr, gettext("%s: ttl value for parameter %c is in the past, exiting\n"), progname, *pos); exit(1); } } else fprintf(stderr, gettext("%s: missing ttl value for parameter 
%c\n"), progname, *pos); break; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; case 'S': if(argc > 2) { if (rsbac_get_vset_num(argv[2], &vset)) { fprintf(stderr, gettext("%s: invalid virtual set number for parameter %c\n"), progname, *pos); exit(1); } group = RSBAC_GEN_GID(vset, group); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing virtual set number for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if(addallold) { struct group * group_info_p; setgrent(); while((group_info_p = getgrent())) process(group_info_p->gr_name, group_info_p->gr_gid, entry, group_info_p->gr_mem); endgrent(); memset(password, 0, RSBAC_MAXNAMELEN); exit(0); } else if (argc > 1) { int i; struct group * group_info_p; for(i=1; i< argc; i++) { if(useold) { group_info_p = getgrnam(argv[i]); if(!group_info_p) fprintf(stderr, "%s: old entry not found!\n", argv[i]); else process(group_info_p->gr_name, group_info_p->gr_gid, entry, group_info_p->gr_mem); } else { char * tmp_name = argv[i]; char * p = tmp_name; rsbac_um_set_t tmp_vset = vset; while (*p && (*p != '/')) p++; if (*p) { *p = 0; if (rsbac_get_vset_num(tmp_name, &tmp_vset)) { fprintf(stderr, gettext("%s: invalid virtual set number %s, skipping\n"), tmp_name); continue; } *p = '/'; p++; tmp_name = p; } process(tmp_name, RSBAC_GEN_GID(tmp_vset, group), entry, NULL); } } memset(password, 0, RSBAC_MAXNAMELEN); exit(0); } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/rsbac_userdel.c0000644000175000017500000001407211131371032021372 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 25/Feb/2008 
*/ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; int verbose = 0; int delhome = 0; rsbac_list_ta_number_t ta_number = 0; rsbac_um_set_t vset = RSBAC_UM_VIRTUAL_KEEP; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [flags] user [user2 ...]\n"), progname); printf(gettext(" -v = verbose,\n")); printf(gettext(" -r = remove user's home dir\n")); printf(gettext(" -S n = virtual user set n\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); } int process(char * name) { int res = 0; int dh_tmp = delhome; rsbac_uid_t user = RSBAC_GEN_UID(vset, RSBAC_NO_USER); union rsbac_um_mod_data_t data; if(rsbac_um_get_uid(ta_number, name, &user)) { char * p = name; rsbac_um_set_t tmp_vset = vset; while (*p && (*p != '/')) p++; if (*p) { *p = 0; if (rsbac_get_vset_num(name, &tmp_vset)) { fprintf(stderr, gettext("%s: invalid virtual set number %s, skipping\n"), name); return 1; } *p = '/'; p++; name = p; } user = strtoul(name, NULL, 0); if(!user && strcmp(name,"0")) { fprintf(stderr, gettext("%s: Unknown user %s\n"), progname, name); return 1; } user = RSBAC_GEN_UID(tmp_vset, user); } if(verbose) { if (vset != RSBAC_UM_VIRTUAL_KEEP) printf("Deleting user %s, uid %u/%u\n", name, RSBAC_UID_SET(user), RSBAC_UID_NUM(user)); else printf("Deleting user %s, uid %u\n", name, RSBAC_UID_NUM(user)); } if(dh_tmp) { res = rsbac_um_get_user_item(ta_number, user, UM_homedir, &data); if(res < 0) { if (vset != RSBAC_UM_VIRTUAL_KEEP) fprintf(stderr, "Getting user %u/%s homedir failed with error", RSBAC_UID_SET(user), name); else fprintf(stderr, "Getting user %s homedir failed with error", name); show_error(res); fprintf(stderr, ", homedir will not be deleted!\n"); dh_tmp = 0; } } res = rsbac_um_remove_user(ta_number, user); 
if(res) { if (vset != RSBAC_UM_VIRTUAL_KEEP) fprintf(stderr, "%u/%s: ", RSBAC_UID_SET(user), name); else fprintf(stderr, "%s: ", name); show_error(res); return res; } if(dh_tmp) { char command[RSBAC_MAXNAMELEN]; FILE * pfile; snprintf(command, RSBAC_MAXNAMELEN, "/bin/rm -rf \"%s\"", data.string); pfile = popen(command, "w"); if(!pfile) { if (vset != RSBAC_UM_VIRTUAL_KEEP) fprintf(stderr, "Removing user %u/%s homedir %s failed with error", RSBAC_UID_SET(user), name, data.string); else fprintf(stderr, "Removing user %s homedir %s failed with error", name, data.string); show_error(res); fprintf(stderr, "\n"); } else { pclose(pfile); } } return 0; } int main(int argc, char ** argv) { locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'r': delhome=1; break; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; case 'S': if(argc > 2) { if (rsbac_get_vset_num(argv[2], &vset)) { fprintf(stderr, gettext("%s: invalid virtual set number for parameter %c\n"), progname, *pos); exit(1); } argc--; argv++; } else { fprintf(stderr, gettext("%s: missing virtual set number for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc > 1) { int i; for(i=1; i< argc; i++) process(argv[i]); exit(0); } else { use(); return 1; } return (0); } rsbac-admin-1.4.0/main/tools/src/attr_get_ipc.c0000644000175000017500000001341311131371032021217 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott */ /* */ /* 
Last modified: 26/Sep/2007 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif #define ROOM 20 char * progname; void use(void) { int j; char tmp1[RSBAC_MAXNAMELEN]; char tmp2[RSBAC_MAXNAMELEN]; int attr_list[RSBAC_IPC_NR_ATTRIBUTES] = RSBAC_IPC_ATTR_LIST; printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [flags] module ipc-type id attribute\n"), progname); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" -i = list all IPC ids with non-default attributes\n")); printf(gettext(" ipc-types: sem, msg, shm, anonpipe, anonunix\n")); printf(gettext(" attribute (string) and returned value = see following list:\n")); for (j=0;j 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'i': { int count; struct rsbac_ipc_t * id_array; char tmp[RSBAC_MAXNAMELEN]; count = rsbac_list_all_ipc(ta_number, NULL, 0); error_exit(count); count += ROOM; id_array = malloc(count * sizeof(*id_array)); if(!id_array) error_exit(-ENOMEM); count = rsbac_list_all_ipc(ta_number, id_array, count); if(count > 0) { qsort(id_array, count, sizeof(*id_array), rsbac_user_compare); for(i=0; i < count ; i++) { printf("%s %lu\n", get_ipc_target_name(tmp, id_array[i].type), id_array[i].id.id_nr); } } free(id_array); } return 0; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if(argc > 1) { module = get_switch_target_nr(argv[1]); if(module != SW_NONE) { argv++; argc--; } } if( ((argc == 5) || (argc == 6)) && 
(!strcmp(argv[3],"mac_categories"))) { if((ipc_target = get_ipc_target_nr(argv[1])) == I_none) { fprintf(stderr, gettext("%s: Invalid IPC type %s!\n"), progname, argv[1]); exit(1); } tid.ipc.type = ipc_target; tid.ipc.id.id_nr = strtol(argv[2],0,10); /* value.dummy = -1; */ position = strtol(argv[3],0,10); if(position > RSBAC_MAC_MAX_CAT) { fprintf(stderr, gettext("Invalid position counter %s\n"), argv[3]); exit(1); } res = rsbac_get_attr(ta_number, module, T_IPC, &tid, A_mac_categories, &value, 0); error_exit(res); printf("%u\n", (u_int) (value.mac_categories >> position) & 1); exit(0); } if ((argc == 4)||(argc == 5)) { if((ipc_target = get_ipc_target_nr(argv[1])) == I_none) { fprintf(stderr, gettext("%s: Invalid IPC type %s!\n"), progname, argv[1]); exit(1); } tid.ipc.type = ipc_target; tid.ipc.id.id_nr = strtol(argv[2],0,10); attr = get_attribute_nr(argv[3]); if(attr == A_none) { fprintf(stderr, gettext("%s: Invalid Attribute %s!\n"), tmp2, argv[3]); exit(1); } /* value.dummy = -1; */ res = rsbac_get_attr(ta_number, module, T_IPC, &tid, attr, &value, 0); error_exit(res); switch(attr) { case A_rc_type: case A_rc_type_fd: case A_rc_force_role: case A_rc_role: case A_rc_def_role: printf("%u\n",value.rc_type); break; case A_security_level: printf("%u\n",value.u_char_dummy); break; default: printf("%i\n",value.dummy); } exit(0); } use(); exit(1); } rsbac-admin-1.4.0/main/tools/src/attr_get_fd.c0000644000175000017500000002231011131371032021031 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott */ /* */ /* Last modified: 26/Sep/2007 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif union rsbac_attribute_value_t value; enum rsbac_switch_target_t module; enum rsbac_target_t 
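target;
enum rsbac_attribute_t attr;
char * progname;
char * target_n;
int verbose=0;                         /* -v: report progress and every lookup error   */
int recurse=0;                         /* -r: descend into directories                  */
int inherit=0;                         /* -e: ask for the effective (inherited) value   */
rsbac_list_ta_number_t ta_number = 0;  /* -N / RSBAC_TA: transaction number             */

/* Print the usage text to stdout.  Relies on progname being set by main(). */
void use(void)
{
  printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION);
  printf(gettext("Use: %s [switches] module target-type attribute file/dirname(s)\n"), progname);
  printf(gettext(" -v = verbose, -e = show effective (maybe inherited) value, not real\n"));
  printf(gettext(" -r = recurse into subdirs, -n = list all requests\n"));
  printf(gettext(" -a = list attributes and values\n"));
  printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n"));
  printf(gettext(" module = GEN, MAC, FC, SIM, PM, MS, FF, RC or AUTH\n"));
  printf(gettext(" target-type = FILE, DIR, FIFO, SYMLINK, DEV or FD\n"));
  printf(gettext(" (FD: let %s decide between FILE, DIR, FIFO and SYMLINK, no DEV)\n"), progname);
}

/*
 * Look up attribute `attr` of module `module` for the file system object
 * `name` (target type `target`) and print the value, formatted according
 * to the attribute's type.  With `recurse` set, a directory's entries are
 * processed in turn.
 *
 * Returns 0, or -2 when a directory could not be opened for recursion.
 * A failed lookup is reported on stderr and does not change the return
 * value; RSBAC_EINVALIDTARGET is only reported in verbose mode.
 */
int process(char * name)
{
  int res = 0;
  char tmp1[RSBAC_MAXNAMELEN];
  struct stat buf;

  if(verbose)
    printf(gettext("Processing %s '%s', attribute %s\n"), target_n, name, get_attribute_name(tmp1,attr));
  value.dummy = -1;
  res = rsbac_get_attr_n(ta_number, module, target, name, attr, &value, inherit);
  if(res)
    {
      if( verbose || (errno != RSBAC_EINVALIDTARGET) )
        {
          get_error_name(tmp1,res);
          fprintf(stderr, gettext("%s: %s\n"), name, tmp1);
        }
    }
  else
    switch (attr)
      {
        case A_log_array_low:
        case A_log_array_high:
        case A_log_program_based:
          printf(gettext("%s: Returned value: %s\n"), name, u64tostrlog(tmp1,value.log_array_low));
          break;
        case A_mac_categories:
          printf(gettext("%s: Returned value: %s\n"), name, u64tostrmac(tmp1,value.mac_categories));
          break;
        case A_ff_flags:
          printf(gettext("%s: Returned value: %u\n"), name, value.ff_flags);
          break;
        case A_mac_auto:
        case A_mac_prop_trusted:
        case A_mac_file_flags:
        case A_pm_role:
        case A_daz_do_scan:
        case A_daz_scanner:
        case A_daz_scanned:
        case A_auth_may_setuid:
        case A_security_level:
        case A_symlink_add_remote_ip:
        case A_symlink_add_uid:
        case A_symlink_add_rc_role:
        case A_linux_dac_disable:
        case A_fake_root_uid:
        case A_cap_ld_env:
          printf(gettext("%s: Returned value: %u\n"), name, value.u_char_dummy);
          break;
        case A_min_caps:
        case A_max_caps:
          kcaptostrcap(tmp1,value.min_caps);
          printf(gettext("%s: Returned value: %s\n"), name, tmp1);
          break;
        case A_rc_type:
        case A_rc_type_fd:
        case A_rc_force_role:
        case A_rc_initial_role:
        case A_rc_role:
        case A_rc_def_role:
          printf(gettext("%s: Returned value: %u\n"), name, value.rc_type);
          break;
        case A_pax_flags:
          pax_print_flags(tmp1,value.pax_flags);
          printf(gettext("%s: Returned value: %s\n"), name, tmp1);
          break;
        case A_auid_exempt:
        case A_vset:
          /* wrapped in gettext() like every other output line in this switch */
          printf(gettext("%s: Returned value: %u\n"), name, value.u_dummy);
          break;
        default:
          printf(gettext("%s: Returned value: %i\n"), name, value.dummy);
      }

  /* lstat() does not follow symlinks, so a symlink to a directory is never
   * seen as S_ISDIR here and recursion never crosses a link. */
  if( !lstat(name,&buf) && S_ISDIR(buf.st_mode) && recurse)
    {
      DIR * dir_stream_p;
      struct dirent * dirent_p;
      char name2[PATH_MAX];
      int len;

      if(!(dir_stream_p = opendir(name)))
        {
          fprintf(stderr, gettext("opendir for dir %s returned error: %s\n"), name, strerror(errno));
          return(-2);
        }
      while((dirent_p = readdir(dir_stream_p)))
        {
          if( (strcmp(".",dirent_p->d_name)) && (strcmp("..",dirent_p->d_name)) )
            {
              /* Bounded join of name and entry: the previous strcpy/strcat
               * into the fixed PATH_MAX buffer could overflow on deep trees
               * (the directory names are not under this tool's control). */
              len = snprintf(name2, sizeof(name2), "%s/%s", name, dirent_p->d_name);
              if((len < 0) || ((size_t) len >= sizeof(name2)))
                {
                  fprintf(stderr, gettext("%s/%s: path too long, skipped\n"), name, dirent_p->d_name);
                  continue;
                }
              process(name2);
            }
        }
      closedir(dir_stream_p);
    }
  return(0);
}

int main(int argc, char ** argv)
{
  enum rsbac_attribute_t attr_list[RSBAC_FD_NR_ATTRIBUTES] = RSBAC_FD_ATTR_LIST;
  enum rsbac_attribute_t attr_list_dev[RSBAC_DEV_NR_ATTRIBUTES] = RSBAC_DEV_ATTR_LIST;
  int res = 0;
  char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN];
  int i,j;

  locale_init();
  progname = argv[0];
  {
    /* transaction number from the environment, overridable by -N */
    char * env = getenv("RSBAC_TA");
    if(env)
      ta_number = strtoul(env,0,0);
  }
  while((argc > 1) && (argv[1][0] == '-'))
    {
      char * pos = argv[1];
      pos++;
      while(*pos)
        {
          switch(*pos)
            {
              case 'h':
                use();
                return 0;
              case 'v':
                verbose++;
                break;
              case 'r':
                recurse=1;
                break;
              case 'e':
                inherit=1;
                break;
              case 'n':
                {
                  char tmp[80];
                  int i;
                  /* NOTE(review): the loop header below lost text in this listing
                   * (nothing survives between "i" and "2)"); left as found. */
                  for(i=0; i 2) && ((attr =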
get_attribute_nr(argv[2])) != A_none) ) { get_switch_target_name(tmp1, get_attr_module(attr)); get_attribute_name(tmp2, attr); get_attribute_param(tmp3, attr); printf("[%-4s] %s\n\t%s\n",tmp1,tmp2,tmp3); exit(0); } printf(gettext("- attribute (string) and returned value = see following lists:\n")); printf(gettext("- FILE, DIR, FIFO and SYMLINK:\n")); for (j=0;j 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if(argc > 1) { module = get_switch_target_nr(argv[1]); if(module != SW_NONE) { argv++; argc--; } } if (argc > 3) { if(verbose) printf(gettext("%s: %i targets\n\n"), progname, argc - 3); target = get_target_nr(argv[1]); if(target == T_NONE) { fprintf(stderr, gettext("%s: invalid target type %s\n"), progname, argv[1]); exit(1); } target_n = argv[1]; attr = get_attribute_nr(argv[2]); for (i=3;i < (argc);i++) { process(argv[i]); } } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/scripts/0000755000175000017500000000000011131371032020074 5ustar gauvaingauvainrsbac-admin-1.4.0/main/tools/src/scripts/rsbac_process_menu0000755000175000017500000022163111131371032023703 0ustar gauvaingauvain#!/bin/bash # # This script is used for Administration of RSBAC general process attributes # # # Make sure we're really running bash. # [ -z "$BASH" ] && { echo "This menu requires bash" 1>&2; exit 1; } # # We also need the proc fs mounted. [ ! -f /proc/stat ] && { echo "This menu requires proc fs mounted" 1>&2; exit 1; } # # Cache function definitions, turn off posix compliance # set -h +o posix # Set conf filename RSBACCONF=/etc/rsbac.conf # Read settings if test -f $RSBACCONF then . $RSBACCONF fi if test -f ~/.rsbacrc then . 
~/.rsbacrc fi if test -z "$RSBACMOD" then RSBACMOD='GEN MAC PM DAZ FF RC AUTH ACL CAP JAIL RES PAX' fi for i in $RSBACMOD do export SHOW_${i}=yes done # The dir for tmp files if test -z "$TMPDIR" ; then TMPDIR=/tmp ; fi # This must be a unique temporary filename if ! TMPFILE=`mktemp -q $TMPDIR/rsbac_dialog.XXXXXX` then TMPFILE=$TMPDIR/rsbac_dialog.$$ if test -e $TMPFILE then rm $TMPFILE fi fi # set this to rsbac bin dir, if not in path (trailing / is mandatory!) # #if test -z "$RSBACPATH" ; then RSBACPATH=./ ; fi # which dialog tool to use - dialog or kdialog or xdialog... if test -z $DIALOG then DIALOG=${RSBACPATH}dialog fi if ! $DIALOG --clear then echo $DIALOG menu program required! >&2 exit fi if ! $DIALOG --help 2>&1 | grep -q "help-button" then echo "Newer dialog menu version >= 0.9a-20020309a with '--help-button' option" >&2 echo "required, please use dialog from admin tools contrib dir or set" >&2 echo "\$DIALOG to another dialog program, e.g. with rsbac_settings_menu!" >&2 exit fi set_geometry () { BL=${1:-24} BC=${2:-80} [ $BL = 0 ] && BL=24 [ $BC = 0 ] && BC=80 export LINES=$BL export COLUMNS=$BC BL=$((BL-4)) BC=$((BC-5)) MAXLINES=$((LINES-10)) } set_geometry `stty size 2>/dev/null` gl () { if test $1 -gt $MAXLINES then echo $MAXLINES else echo $1 fi } if test -z "$LINES" ; then LINES=25 ; fi if test -z "$COLUMNS" ; then COLUMNS=80 ; fi export LINES export COLUMNS declare -i BL=$LINES-4 declare -i BC=$COLUMNS-4 declare -i MAXLINES=$LINES-10 if test -z "$BACKTITLE" then BACKTITLE="RSBAC Administration Tools 1.4.0" fi TITLE="`whoami`@`hostname`: RSBAC Process Administration" HELPTITLE="`whoami`@`hostname`: RSBAC Process Administration Help" ERRTITLE="RSBAC Process Administration - ERROR" #RCUSERINHERIT=64 #RCPROCINHERIT=65 #RCPARINHERIT=66 #RCMIXINHERIT=67 RCTYPEINHPROC=4294967295 RCTYPEINHPAR=4294967294 RCUSERINHERIT=4294967295 RCPROCINHERIT=4294967294 RCPARINHERIT=4294967293 RCMIXINHERIT=4294967292 RCUSEFR=4294967291 show_help () { case "$RSBACLANG" in 
*) show_help_english "$1" ;; esac } show_help_english () { { echo "$1" echo "" case "$1" in 'Process List:') echo "Choose new process object from list." ;; "Process:") echo "Enter new process ID." ;; 'Owner Security Level:') echo "MAC model maximum security level of the process owner at the time of process" echo "creation (fork). Also used as maximum possible level." echo "" $RSBACPATH""attr_get_process -A security_level ;; 'Owner Initial Security Level:') echo "MAC model initial security level of the process owner at the time of process" echo "creation (fork) or execution." echo "" $RSBACPATH""attr_get_process -A initial_security_level ;; 'Owner Min Security Level:') echo "MAC model minimum security level of the process owner at the time of process" echo "creation (fork). Also used as minimum possible level." echo "" $RSBACPATH""attr_get_process -A min_security_level ;; 'Owner MAC Categories:') echo "MAC model maximum category set of the process owner at the time of process" echo "creation (fork). Also used as maximum possible category set." echo "" $RSBACPATH""attr_get_process -A mac_categories ;; 'Owner MAC Initial Categories:') echo "MAC model initial category set of the process owner at the time of process" echo "creation (fork) or execute." echo "" $RSBACPATH""attr_get_process -A mac_initial_categories ;; 'Owner MAC Min Categories:') echo "MAC model minimum category set of the process owner at the time of process" echo "creation (fork). Also used as minimum possible category set." echo "" $RSBACPATH""attr_get_process -A mac_min_categories ;; 'Current Security Level:') echo "Current MAC model security level of the process. Must always be less" echo "than or equal to Owner Security Level and Min Write Open (except when" echo "process is MAC trusted) and at least Max Read Open." echo "" $RSBACPATH""attr_get_process -A current_sec_level ;; 'Current MAC Categories:') echo "Current MAC model category set of the process. 
Must always be subset" echo "of Owner MAC Categories and Min Write Categories (except when process" echo "is MAC trusted) and superset of Max Read Categories." echo "" $RSBACPATH""attr_get_process -A mac_curr_categories ;; 'Min Write Open:') echo "Minimum MAC security level of all objects this process has ever opened" echo "for writing since the last EXECUTE. Used as upper boundary for Current" echo "Security Level (*-property)." echo "" $RSBACPATH""attr_get_process -A min_write_open ;; 'Min Write Categories:') echo "Maximum MAC category subset of all objects this process has ever opened" echo "for writing since the last EXECUTE. Used as upper boundary for Current" echo "MAC Categories (*-property)." echo "" $RSBACPATH""attr_get_process -A min_write_categories ;; 'Max Read Open:') echo "Maximum MAC security level of all objects this process has ever opened" echo "for reading since the last EXECUTE. Used as lower boundary for Current" echo "Security Level (*-property)." echo "" $RSBACPATH""attr_get_process -A max_read_open ;; 'Max Read Categories:') echo "Minimum MAC category superset of all objects this process has ever opened" echo "for reading since the last EXECUTE. Used as lower boundary for Current" echo "MAC categories (*-property)." echo "" $RSBACPATH""attr_get_process -A max_read_categories ;; 'Mac Process Flags:') echo "The MAC Process flags allow to give a user some special MAC rights." echo "" $RSBACPATH""attr_get_process -A mac_process_flags ;; 'PM TP:') echo "The PM model transaction procedure ID." echo "" $RSBACPATH""attr_get_process -A pm_tp ;; 'PM Current Task:') echo "The PM model current task of this process." echo "" $RSBACPATH""attr_get_process -A pm_current_task ;; 'PM Process Type:') echo "Set process type for PM model." echo "" $RSBACPATH""attr_get_process -A pm_process_type ;; 'DAZ Scanner:') echo "Toggle, whether this process is a DAZ scanner. Only scanners" echo "may attach to the Dazuko interface." 
echo "" $RSBACPATH""attr_get_process -A daz_scanner ;; 'RC Current Role:') echo "Select the RC model current role." echo "" $RSBACPATH""attr_get_process -A rc_role ;; 'RC Type:') echo "Select the RC model process object type." echo "" $RSBACPATH""attr_get_process -A rc_type ;; 'RC Force Role:') echo "Select an RC role, which is kept for this process as long as the same" echo "program runs. User default roles are ignored even on a CHANGE_OWNER" echo "(setuid)." echo "" $RSBACPATH""attr_get_process -A rc_force_role ;; 'AUTH May Setuid:') echo "Toggle, whether this process is allowed to CHANGE_OWNER (setuid) to" echo "any user ID by AUTH model." echo "" $RSBACPATH""attr_get_process -A auth_may_setuid ;; 'AUTH May Set Cap:') echo "Toggle, whether this process may set AUTH setuid capabilities for any" echo "process (but not for files)." echo "This flag is useful e.g. for authentication daemons. See AUTH" echo "description for details." echo "" $RSBACPATH""attr_get_process -A auth_may_set_cap ;; 'AUTH Learn:') echo "Toggle, whether this process runs in AUTH learning mode to get missing" echo "AUTH caps added automatically." echo "Learning mode must be enabled in RSBAC kernel config." echo "" $RSBACPATH""attr_get_process -A auth_learn ;; 'JAIL ID:') echo "Specify the JAIL ID. If you set this to 0, the process becomes" echo "unjailed." echo "" $RSBACPATH""attr_get_process -A jail_id ;; 'JAIL Parent:') echo "Specify the JAIL Parent. If you set this to 0, the process has" echo "no parent jail." echo "" $RSBACPATH""attr_get_process -A jail_parent ;; 'JAIL IP:') echo "Specify the IP address for this jailed process." echo "If you set this to 0.0.0.0, the process may use any address." echo "" $RSBACPATH""attr_get_process -A jail_ip ;; 'JAIL Flags:') echo "Specify the JAIL Flags." echo "" $RSBACPATH""attr_get_process -A jail_flags ;; 'Log Program Based:') echo "Specify the request types, which should always be logged, when" echo "issued by this process." 
echo "" $RSBACPATH""attr_get_process -A log_program_based ;; 'Fake Root UID:') echo "Fake result of getuid() and/or geteuid() for this process." echo "" $RSBACPATH""attr_get_file_dir -A fake_root_uid ;; 'Audit UID:') echo "The first non-0 real uid is saved as audit_uid when a" echo "process setuids away from it. The audit_uid shows up" echo "in all request logs to find the original user e.g. when" echo "working with su." echo "" $RSBACPATH""attr_get_file_dir -A audit_uid ;; 'Audit UID Exempt:') echo "Usually, the first non-0 real uid is saved as audit_uid when" echo "a process setuids away from it." echo "If an auid_exempt value is set, this exempt uid works like 0:" echo "setting another uid away from this uid does _not_ lead to an" echo "audit_uid being set. The auid_exempt is e.g. needed for sshd" echo "with privilege separation, which uses an intermediate uid" echo "for network operations." echo "" $RSBACPATH""attr_get_file_dir -A auid_exempt ;; 'CAP Process Hiding:') echo "Let process properties be hidden from noone, other users or every user." echo "Note: CAP Security Officers and Admins may always read the properties." echo "" $RSBACPATH""attr_get_process -A cap_process_hiding ;; 'PAX Flags:') echo "Show the effective PAX flags." echo "" $RSBACPATH""attr_get_process -A pax_flags ;; 'Virtual UM Set:') echo "Set Virtual User Management Set id of this process." echo "" $RSBACPATH""attr_get_process -A vset ;; 'ACL Menu:') echo "Go to ACL menu." ;; Quit) echo "Quit this menu." ;; *) echo "No help for $1 available!" 
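esac
} > $TMPFILE
$DIALOG --title "$HELPTITLE" \
  --backtitle "$BACKTITLE" \
  --textbox $TMPFILE $BL $BC
# sleep 1
}

# get_attributes PID: read the attributes of process PID into the global
# variables the menu displays (one group per SHOW_<module>=yes) and resolve
# OWNER / OWNERNAME through attr_get_user.
get_attributes () {
  if test "$1" != ""
  then
    if test "$SHOW_GEN" = "yes"
    then
      LOGPROG=`$RSBACPATH""attr_get_process $1 log_program_based`
      FAKERUID=`$RSBACPATH""attr_get_process $1 fake_root_uid`
      AUDITUID=`$RSBACPATH""attr_get_process $1 audit_uid`
      AUIDEXEM=`$RSBACPATH""attr_get_process $1 auid_exempt`
      VSET=`$RSBACPATH""attr_get_process $1 vset`
    fi
    # Owner from ps(1): the USER column of the line whose PID is $1.
    OWNER=`ps axu|cut -c 1-14|grep ' '$1'$'|cut -f 1 -d ' '`
    # Was `test -n "VSET"` (a literal, so always true), which sent every
    # lookup through the "$VSET/$OWNER" form even with no virtual set known.
    if test -n "$VSET"
    then
      if $RSBACPATH""attr_get_user $VSET/$OWNER user_nr >$TMPFILE
      then
        OWNER=`cat $TMPFILE`
      fi
    else
      if $RSBACPATH""attr_get_user $OWNER user_nr >$TMPFILE
      then
        OWNER=`cat $TMPFILE`
      fi
    fi
    OWNERNAME=`$RSBACPATH""attr_get_user $OWNER user_name`
    if test "$SHOW_MAC" = "yes"
    then
      SECLEVEL=`$RSBACPATH""attr_get_process $1 security_level`
      ISECLEVEL=`$RSBACPATH""attr_get_process $1 initial_security_level`
      MSECLEVEL=`$RSBACPATH""attr_get_process $1 min_security_level`
      MACCAT=`$RSBACPATH""attr_get_process $1 mac_categories`
      MACICAT=`$RSBACPATH""attr_get_process $1 mac_initial_categories`
      MACMCAT=`$RSBACPATH""attr_get_process $1 mac_min_categories`
      CURRSECL=`$RSBACPATH""attr_get_process $1 current_sec_level`
      CURRCAT=`$RSBACPATH""attr_get_process $1 mac_curr_categories`
      MINWRITE=`$RSBACPATH""attr_get_process $1 min_write_open`
      MINWCAT=`$RSBACPATH""attr_get_process $1 min_write_categories`
      MAXREAD=`$RSBACPATH""attr_get_process $1 max_read_open`
      MAXRCAT=`$RSBACPATH""attr_get_process $1 max_read_categories`
      MACFLAGS=`$RSBACPATH""attr_get_process $1 mac_process_flags`
    fi
    if test "$SHOW_PM" = "yes"
    then
      PMTP=`$RSBACPATH""attr_get_process $1 pm_tp`
      PMCTASK=`$RSBACPATH""attr_get_process $1 pm_current_task`
      PMPROCTYPE=`$RSBACPATH""attr_get_process $1 pm_process_type`
    fi
    if test "$SHOW_DAZ" = "yes"
    then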
DAZSCANNER=`$RSBACPATH""attr_get_process $1 daz_scanner`
fi
if test "$SHOW_RC" = "yes"
then
RCROLE=`$RSBACPATH""attr_get_process $1 rc_role`
RCTYPE=`$RSBACPATH""attr_get_process $1 rc_type`
RCFROLE=`$RSBACPATH""attr_get_process $1 rc_force_role`
fi
if test "$SHOW_AUTH" = "yes"
then
AUTHSUID=`$RSBACPATH""attr_get_process $1 auth_may_setuid`
AUTHSCAP=`$RSBACPATH""attr_get_process $1 auth_may_set_cap`
AUTHLEARN=`$RSBACPATH""attr_get_process $1 auth_learn`
fi
if test "$SHOW_CAP" = "yes"
then
PROCHIDE=`$RSBACPATH""attr_get_process $1 cap_process_hiding`
fi
if test "$SHOW_JAIL" = "yes"
then
JAILID=`$RSBACPATH""attr_get_process $1 jail_id`
JAILPARENT=`$RSBACPATH""attr_get_process $1 jail_parent`
JAILIP=`$RSBACPATH""attr_get_process $1 jail_ip`
JAILFLAGS=`$RSBACPATH""attr_get_process $1 jail_flags`
fi
if test "$SHOW_PAX" = "yes"
then
PAXFLAGS=`$RSBACPATH""attr_get_process $1 pax_flags`
fi
fi
}

# onoff A B: print "on" when A equals B, else "off" (radiolist preselection).
onoff () {
if test "$1" = "$2"
then
echo on
else
echo off
fi
}

# onoffb V: print "on" when V is 1, else "off" (checklist preselection).
onoffb () {
if test "$1" = "1"
then
echo on
else
echo off
fi
}

# list_item PID: print the second field of /proc/PID/stat (the command name)
# or "not_available".  Note it tests for /proc/PID/cmdline but reads stat;
# the name is chosen by the process itself and is echoed unquoted, so it is
# subject to word splitting before it reaches the menu.
list_item () {
TMP2=""
if test -f /proc/$1/cmdline
then
TMP2=`cat /proc/$1/stat|cut -f 2 -d ' '`
fi
if test "$TMP2" = ""
then
echo "not_available"
else
echo $TMP2
fi
}

# role_name ROLE: human-readable RC role.  The special inherit values get a
# fixed text, otherwise the name from rc_get_item, falling back to the
# number when that lookup fails.  Prints a blank when no process is selected.
role_name () {
if test -z "$PROCESS" -o -z "$1"
then
echo " "
else \
case $1 in
$RCUSERINHERIT) echo "always inherit from user" ;;
$RCPROCINHERIT) echo "inherit from process (keep)" ;;
$RCPARINHERIT) echo "inherit from parent (keep)" ;;
$RCMIXINHERIT) echo "inh. from user on chown only" ;;
Error*) echo N/A ;;
Use*) echo N/A ;;
*) if ! $RSBACPATH""rc_get_item ROLE $1 name 2>/dev/null
then
echo $1
fi ;;
esac
fi
}

# type_name TYPE: RC process type name via rc_get_item, "(unknown)" when the
# lookup fails, a blank when no process is selected.
type_name () {
if test -z "$PROCESS" -o -z "$1"
then
echo " "
else
if ! $RSBACPATH""rc_get_item TYPE $1 type_process_name 2>/dev/null
then
echo "(unknown)"
fi
fi
}

# get_vname KIND VALUE: symbolic name of an attribute VALUE of the given KIND
# (seclevel, pmproctype, mssock, mstrusted, fakeruid, prochiding, onoff).
get_vname () {
case $1 in
seclevel)
case $2 in
0) echo unclassified ;;
1) echo confidential ;;
2) echo secret ;;
3) echo top secret ;;
252) echo max.
level ;; 253) echo rsbac-internal ;; 254) echo inherit ;; esac ;; pmproctype) case $2 in 0) echo None ;; 1) echo TP ;; *) echo N/A ;; esac ;; mssock) case $2 in 0) echo Not Trusted ;; 1) echo Active ;; 2) echo Full ;; *) echo N/A ;; esac ;; mstrusted) case $2 in 0) echo Not trusted ;; 1) echo Read trusted ;; 2) echo Full trusted ;; *) echo N/A ;; esac ;; fakeruid) case $2 in 0) echo off ;; 1) echo uid only ;; 2) echo euid only ;; 3) echo both ;; *) echo N/A ;; esac ;; prochiding) case $2 in 0) echo Off ;; 1) echo From other users ;; 2) echo Full ;; *) echo N/A ;; esac ;; onoff) case $2 in 0) echo Off ;; 1) echo On ;; *) echo N/A ;; esac ;; esac } full_name () { if test "$1" = "" then echo "*unknown*" else if ! $RSBACPATH""attr_get_user "$1" full_name 2>/dev/null then echo "*unknown*" fi fi } declare -i MAXCATLEN=$BC-38 cat_print () { if test $MAXCATLEN -ge 64 then echo $1 else echo "(too long)" fi } gen_cat_list () { for i in $* do TMP=`$RSBACPATH""attr_get_process $PROCESS mac_categories $i` echo $i `onoffb $TMP` `onoffb $TMP` done } gen_initial_cat_list () { for i in $* do TMP=`$RSBACPATH""attr_get_process $PROCESS mac_initial_categories $i` echo $i `onoffb $TMP` `onoffb $TMP` done } gen_min_cat_list () { for i in $* do TMP=`$RSBACPATH""attr_get_process $PROCESS mac_min_categories $i` echo $i `onoffb $TMP` `onoffb $TMP` done } gen_curr_cat_list () { for i in $* do TMP=`$RSBACPATH""attr_get_process $PROCESS mac_curr_categories $i` echo $i `onoffb $TMP` `onoffb $TMP` done } gen_max_read_cat_list () { for i in $* do TMP=`$RSBACPATH""attr_get_process $PROCESS max_read_categories $i` echo $i `onoffb $TMP` `onoffb $TMP` done } gen_min_write_cat_list () { for i in $* do TMP=`$RSBACPATH""attr_get_process $PROCESS min_write_categories $i` echo $i `onoffb $TMP` `onoffb $TMP` done } gen_request_list () { if test -z "$REQUESTS" then REQUESTS=`$RSBACPATH""attr_get_process -n` fi SETREQUESTS=`$RSBACPATH""attr_get_process -p $PROCESS log_program_based` for i in $REQUESTS do if 
echo $SETREQUESTS | grep -q "\\<$i\\>" then echo $i on on else echo $i off off fi done } gen_mac_flags_menu_items() { if (($MACFLAGS & 1)) ; then echo 1 override on else echo 1 override off fi if (($MACFLAGS & 2)) ; then echo 2 auto on else echo 2 auto off fi if (($MACFLAGS & 4)) ; then echo 4 trusted on else echo 4 trusted off fi if (($MACFLAGS & 8)) ; then echo 8 write_up on else echo 8 write_up off fi if (($MACFLAGS & 16)) ; then echo 16 read_up on else echo 16 read_up off fi if (($MACFLAGS & 32)) ; then echo 32 write_down on else echo 32 write_down off fi if (($MACFLAGS & 128)) ; then echo 128 prop_trusted on else echo 128 prop_trusted off fi if (($MACFLAGS & 256)) ; then echo 256 program_auto on else echo 256 program_auto off fi } mac_flags_menu () { if ! \ $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --separate-output \ --checklist "Process $PROCESS: MAC Process Flags" $BL $BC `gl 8` \ `gen_mac_flags_menu_items` \ 2>$TMPFILE then return fi FLAGS_ON=`cat $TMPFILE` declare -i VAL=0 # echo FLAGS_ON is $FLAGS_ON, VAL is $VAL for i in $FLAGS_ON ; do \ VAL=$VAL+$i done # echo FLAGS_ON is $FLAGS_ON, VAL is $VAL # sleep 2 if $RSBACPATH""attr_set_process $PROCESS mac_process_flags $VAL &>$TMPFILE then MACFLAGS=$VAL if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS mac_process_flags $VAL >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi return } gen_jail_flags_menu_items() { if (($JAILFLAGS & 1)) ; then echo 1 allow_external_ipc on else echo 1 allow_external_ipc off fi if (($JAILFLAGS & 2)) ; then echo 2 allow_all_net_family on else echo 2 allow_all_net_family off fi if (($JAILFLAGS & 4)) ; then echo 4 allow_rlimit on else echo 4 allow_rlimit off fi if (($JAILFLAGS & 8)) ; then echo 8 allow_inet_raw on else echo 8 allow_inet_raw off fi if (($JAILFLAGS & 16)) ; then echo 16 auto_adjust_inet_any on else echo 16 auto_adjust_inet_any off fi } jail_flags_menu () { 
if ! \ $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --separate-output \ --checklist "Process $PROCESS: JAIL Flags" $BL $BC `gl 5` \ `gen_jail_flags_menu_items` \ 2>$TMPFILE then return fi FLAGS_ON=`cat $TMPFILE` declare -i VAL=0 # echo FLAGS_ON is $FLAGS_ON, VAL is $VAL for i in $FLAGS_ON ; do \ VAL=$VAL+$i done # echo FLAGS_ON is $FLAGS_ON, VAL is $VAL # sleep 2 if $RSBACPATH""attr_set_process $PROCESS jail_flags $VAL &>$TMPFILE then JAILFLAGS=$VAL if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS jail_flags $VAL >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi return } if test "$1" != "" then PROCESS=$1 else PROCESS=$$ fi if test -n "$RSBACLOGFILE" then { echo "" echo "# $0 start `date`" } >>"$RSBACLOGFILE" fi get_attributes $PROCESS { echo 'process_menu ()' echo ' {' echo " $DIALOG --title \"$TITLE\" \\" echo ' --backtitle "$BACKTITLE" \' echo ' --help-button --default-item "$CHOICE" \' echo ' --menu "Main Process Menu" $BL $BC `gl 45` \' echo ' "Process List:" "Choose process from list" \' echo ' "-------------------" " " \' echo ' "Process:" "$PROCESS / `list_item $PROCESS`" \' echo ' "Owner:" "$OWNER | $OWNERNAME | `full_name $OWNER`" \' if test "$SHOW_GEN" = "yes" then echo ' "Virtual UM Set:" "$VSET" \' fi if test "$SHOW_MAC" = "yes" then echo ' "Owner Security Level:" "$SECLEVEL / `get_vname seclevel $SECLEVEL`" \' echo ' "Owner Initial Security Level:" "$ISECLEVEL / `get_vname seclevel $ISECLEVEL`" \' echo ' "Owner Min Security Level:" "$MSECLEVEL / `get_vname seclevel $MSECLEVEL`" \' echo ' "Owner MAC Categories:" "`cat_print $MACCAT`" \' echo ' "Owner MAC Initial Categories:" "`cat_print $MACICAT`" \' echo ' "Owner MAC Min Categories:" "`cat_print $MACMCAT`" \' echo ' "Current Security Level:" "$CURRSECL / `get_vname seclevel $CURRSECL`" \' echo ' "Current MAC Categories:" "`cat_print $CURRCAT`" \' echo ' "Min Write Open:" "$MINWRITE / 
`get_vname seclevel $MINWRITE`" \'
echo ' "Min Write Categories:" "`cat_print $MINWCAT`" \'
echo ' "Max Read Open:" "$MAXREAD / `get_vname seclevel $MAXREAD`" \'
echo ' "Max Read Categories:" "`cat_print $MAXRCAT`" \'
echo ' "Mac Process Flags:" "$MACFLAGS" \'
fi
if test "$SHOW_PM" = "yes"
then
echo ' "PM TP:" "$PMTP" \'
echo ' "PM Current Task:" "$PMCTASK" \'
echo ' "PM Process Type:" "$PMPROCTYPE / `get_vname pmproctype $PMPROCTYPE`" \'
fi
if test "$SHOW_DAZ" = "yes"
then
echo ' "DAZ Scanner:" "$DAZSCANNER / `get_vname onoff $DAZSCANNER`" \'
fi
if test "$SHOW_RC" = "yes"
then
echo ' "RC Current Role:" "$RCROLE / `role_name $RCROLE`" \'
echo ' "RC Type:" "$RCTYPE / `type_name $RCTYPE`" \'
echo ' "RC Force Role:" "$RCFROLE / `role_name $RCFROLE`" \'
fi
if test "$SHOW_AUTH" = "yes"
then
echo ' "AUTH May Setuid:" "$AUTHSUID / `get_vname onoff $AUTHSUID`" \'
echo ' "AUTH May Set Cap:" "$AUTHSCAP / `get_vname onoff $AUTHSCAP`" \'
echo ' "AUTH Learn:" "$AUTHLEARN / `get_vname onoff $AUTHLEARN`" \'
fi
if test "$SHOW_CAP" = "yes"
then
echo ' "CAP Process Hiding:" "$PROCHIDE / `get_vname prochiding $PROCHIDE`" \'
fi
if test "$SHOW_JAIL" = "yes"
then
echo ' "JAIL ID:" "$JAILID" \'
echo ' "JAIL Parent:" "$JAILPARENT" \'
echo ' "JAIL IP:" "$JAILIP" \'
echo ' "JAIL Flags:" "$JAILFLAGS" \'
fi
if test "$SHOW_PAX" = "yes"
then
echo ' "PAX Flags:" "$PAXFLAGS (read only)" \'
fi
if test "$SHOW_GEN" = "yes"
then
echo ' "Log Program Based:" "$LOGPROG" \'
echo ' "Fake Root UID:" "$FAKERUID / `get_vname fakeruid $FAKERUID`" \'
echo ' "Audit UID:" "$AUDITUID" \'
echo ' "Audit UID Exempt:" "$AUIDEXEM" \'
fi
if test "$SHOW_ACL" = "yes"
then
echo ' "----------------" " " \'
echo ' "ACL Menu:" "Go to ACL menu" \'
fi
echo ' "----------------" " " \'
echo ' "Quit" ""'
echo ' }'
} > $TMPFILE
# The brace group above wrote the text of a process_menu() shell function
# (one menu entry per enabled module) into $TMPFILE; sourcing it defines that
# function for the loop below.  Whatever is in $TMPFILE runs with this
# script's privileges, so $TMPFILE must be a file only this script could have
# created -- see the mktemp setup near the top of the script.
. $TMPFILE
#cp $TMPFILE /tmp/menu
while true
do
if !
process_menu 2>$TMPFILE then rm $TMPFILE ; exit fi CHOICE=`cat $TMPFILE` case "$CHOICE" in HELP*) show_help "${CHOICE:5}" CHOICE="${CHOICE:5}" ;; Process:) if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Process ID" $BL $BC $PROCESS \ 2>$TMPFILE then TMP=`cat $TMPFILE` if test -d /proc/$TMP then PROCESS=$TMP get_attributes $PROCESS else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Process: Unknown process $TMP!" 5 $BC fi fi ;; 'Process List:') TMP=`ps axh|cut -c 1-5|sort -n` # echo `for i in $TMP ; do echo $i "\`list_item $i\`" ; done` # sleep 2 if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$PROCESS" \ --menu "Process" $BL $BC $MAXLINES \ `for i in $TMP ; do echo $i "\`list_item $i\`" ; done` \ 2>$TMPFILE then TMP2=`cat $TMPFILE` if test -d /proc/$TMP2 then PROCESS=$TMP2 get_attributes $PROCESS else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Process: Unknown process $TMP2!" 5 $BC fi fi ;; 'Owner Security Level:') if test "$PROCESS" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Owner Maximum Security Level for $PROCESS" $BL $BC 5 \ 0 "`get_vname seclevel 0`" `onoff 0 $SECLEVEL` \ 1 "`get_vname seclevel 1`" `onoff 1 $SECLEVEL` \ 2 "`get_vname seclevel 2`" `onoff 2 $SECLEVEL` \ 3 "`get_vname seclevel 3`" `onoff 3 $SECLEVEL` \ 252 "`get_vname seclevel 252`" `onoff 252 $SECLEVEL` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS security_level $TMP &>$TMPFILE then SECLEVEL=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS security_level $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Owner Security Level: No process specified!" 
5 $BC fi ;; 'Owner Initial Security Level:') if test "$PROCESS" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Owner Initial Security Level for $PROCESS" $BL $BC 5 \ 0 "`get_vname seclevel 0`" `onoff 0 $ISECLEVEL` \ 1 "`get_vname seclevel 1`" `onoff 1 $ISECLEVEL` \ 2 "`get_vname seclevel 2`" `onoff 2 $ISECLEVEL` \ 3 "`get_vname seclevel 3`" `onoff 3 $ISECLEVEL` \ 252 "`get_vname seclevel 252`" `onoff 252 $ISECLEVEL` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS initial_security_level $TMP &>$TMPFILE then ISECLEVEL=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS initial_security_level $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Owner Initial Security Level: No process specified!" 5 $BC fi ;; 'Owner Min Security Level:') if test "$PROCESS" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Owner Minimum Security Level for $PROCESS" $BL $BC 5 \ 0 "`get_vname seclevel 0`" `onoff 0 $MSECLEVEL` \ 1 "`get_vname seclevel 1`" `onoff 1 $MSECLEVEL` \ 2 "`get_vname seclevel 2`" `onoff 2 $MSECLEVEL` \ 3 "`get_vname seclevel 3`" `onoff 3 $MSECLEVEL` \ 252 "`get_vname seclevel 252`" `onoff 252 $MSECLEVEL` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS min_security_level $TMP &>$TMPFILE then MSECLEVEL=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS min_security_level $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Owner Min Security Level: No process specified!" 
5 $BC fi ;; 'Owner MAC Categories:') if test "$PROCESS" != "" then \ ALLCATNR=`$RSBACPATH""attr_get_file_dir list_category_nr` if $DIALOG --title "Owner MAC Categories for process $PROCESS" \ --backtitle "$BACKTITLE" \ --checklist "Bits: $MACCAT" $BL $BC $MAXLINES \ `gen_cat_list $ALLCATNR` \ 2>$TMPFILE then TMP=`cat $TMPFILE|tr -d '"'` for i in $ALLCATNR do if $RSBACPATH""attr_set_process $PROCESS mac_categories $i 0 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS mac_categories $i 0 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done for i in $TMP do if $RSBACPATH""attr_set_process $PROCESS mac_categories $i 1 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS mac_categories $i 1 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done MACCAT=`$RSBACPATH""attr_get_process $PROCESS mac_categories` fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Owner MAC Categories: No process specified!" 
5 $BC fi ;; 'Owner MAC Initial Categories:') if test "$PROCESS" != "" then \ ALLCATNR=`$RSBACPATH""attr_get_file_dir list_category_nr` if $DIALOG --title "Owner MAC Initial Categories for process $PROCESS" \ --backtitle "$BACKTITLE" \ --checklist "Bits: $MACICAT" $BL $BC $MAXLINES \ `gen_initial_cat_list $ALLCATNR` \ 2>$TMPFILE then TMP=`cat $TMPFILE|tr -d '"'` for i in $ALLCATNR do if $RSBACPATH""attr_set_process $PROCESS mac_initial_categories $i 0 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS mac_initial_categories $i 0 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done for i in $TMP do if $RSBACPATH""attr_set_process $PROCESS mac_initial_categories $i 1 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS mac_initial_categories $i 1 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done MACICAT=`$RSBACPATH""attr_get_process $PROCESS mac_initial_categories` fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Owner MAC Min Categories: No process specified!" 
5 $BC fi ;; 'Owner MAC Min Categories:') if test "$PROCESS" != "" then \ ALLCATNR=`$RSBACPATH""attr_get_file_dir list_category_nr` if $DIALOG --title "Owner MAC Min Categories for process $PROCESS" \ --backtitle "$BACKTITLE" \ --checklist "Bits: $MACMCAT" $BL $BC $MAXLINES \ `gen_min_cat_list $ALLCATNR` \ 2>$TMPFILE then TMP=`cat $TMPFILE|tr -d '"'` for i in $ALLCATNR do if $RSBACPATH""attr_set_process $PROCESS mac_min_categories $i 0 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS mac_min_categories $i 0 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done for i in $TMP do if $RSBACPATH""attr_set_process $PROCESS mac_min_categories $i 1 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS mac_min_categories $i 1 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done MACMCAT=`$RSBACPATH""attr_get_process $PROCESS mac_min_categories` fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Owner MAC Min Categories: No process specified!" 
5 $BC fi ;; 'Current Security Level:') if test "$PROCESS" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Current Security Level for $PROCESS" $BL $BC 5 \ 0 "`get_vname seclevel 0`" `onoff 0 $CURRSECL` \ 1 "`get_vname seclevel 1`" `onoff 1 $CURRSECL` \ 2 "`get_vname seclevel 2`" `onoff 2 $CURRSECL` \ 3 "`get_vname seclevel 3`" `onoff 3 $CURRSECL` \ 252 "`get_vname seclevel 252`" `onoff 252 $CURRSECL` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS current_sec_level $TMP &>$TMPFILE then CURRSECL=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS current_sec_level $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Current Security Level: No process specified!" 5 $BC fi ;; 'Current MAC Categories:') if test "$PROCESS" != "" then \ ALLCATNR=`$RSBACPATH""attr_get_file_dir list_category_nr` if $DIALOG --title "Current MAC Categories for process $PROCESS" \ --backtitle "$BACKTITLE" \ --checklist "Bits: $CURRCAT" $BL $BC $MAXLINES \ `gen_curr_cat_list $ALLCATNR` \ 2>$TMPFILE then TMP=`cat $TMPFILE|tr -d '"'` for i in $ALLCATNR do if $RSBACPATH""attr_set_process $PROCESS mac_curr_categories $i 0 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS mac_curr_categories $i 0 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done for i in $TMP do if $RSBACPATH""attr_set_process $PROCESS mac_curr_categories $i 1 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS mac_curr_categories $i 1 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done CURRCAT=`$RSBACPATH""attr_get_process 
$PROCESS mac_curr_categories` fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Current MAC Categories: No process specified!" 5 $BC fi ;; 'Min Write Open:') if test "$PROCESS" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Min Write Open for $PROCESS" $BL $BC 5 \ 0 "`get_vname seclevel 0`" `onoff 0 $MINWRITE` \ 1 "`get_vname seclevel 1`" `onoff 1 $MINWRITE` \ 2 "`get_vname seclevel 2`" `onoff 2 $MINWRITE` \ 3 "`get_vname seclevel 3`" `onoff 3 $MINWRITE` \ 252 "`get_vname seclevel 252`" `onoff 252 $MINWRITE` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS min_write_open $TMP &>$TMPFILE then MINWRITE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS min_write_open $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Min Write Open: No process specified!" 
5 $BC fi ;; 'Min Write Categories:') if test "$PROCESS" != "" then \ ALLCATNR=`$RSBACPATH""attr_get_file_dir list_category_nr` if $DIALOG --title "Min Write Categories for process $PROCESS" \ --backtitle "$BACKTITLE" \ --checklist "Bits: $MINWCAT" $BL $BC $MAXLINES \ `gen_min_write_cat_list $ALLCATNR` \ 2>$TMPFILE then TMP=`cat $TMPFILE|tr -d '"'` for i in $ALLCATNR do if $RSBACPATH""attr_set_process $PROCESS min_write_categories $i 0 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS min_write_categories $i 0 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done for i in $TMP do if $RSBACPATH""attr_set_process $PROCESS min_write_categories $i 1 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS min_write_categories $i 1 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done MINWCAT=`$RSBACPATH""attr_get_process $PROCESS min_write_categories` fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Min Write Categories: No process specified!" 
5 $BC fi ;; 'Max Read Open:') if test "$PROCESS" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Max Read Open for $PROCESS" $BL $BC 5 \ 0 "`get_vname seclevel 0`" `onoff 0 $MAXREAD` \ 1 "`get_vname seclevel 1`" `onoff 1 $MAXREAD` \ 2 "`get_vname seclevel 2`" `onoff 2 $MAXREAD` \ 3 "`get_vname seclevel 3`" `onoff 3 $MAXREAD` \ 252 "`get_vname seclevel 252`" `onoff 252 $MAXREAD` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS max_read_open $TMP &>$TMPFILE then MAXREAD=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS max_read_open $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Max Read Open: No process specified!" 5 $BC fi ;; 'Max Read Categories:') if test "$PROCESS" != "" then \ ALLCATNR=`$RSBACPATH""attr_get_file_dir list_category_nr` if $DIALOG --title "Max Read Categories for process $PROCESS" \ --backtitle "$BACKTITLE" \ --checklist "Bits: $MAXRCAT" $BL $BC $MAXLINES \ `gen_max_read_cat_list $ALLCATNR` \ 2>$TMPFILE then TMP=`cat $TMPFILE|tr -d '"'` for i in $ALLCATNR do if $RSBACPATH""attr_set_process $PROCESS max_read_categories $i 0 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS max_read_categories $i 0 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done for i in $TMP do if $RSBACPATH""attr_set_process $PROCESS max_read_categories $i 1 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS max_read_categories $i 1 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done MAXRCAT=`$RSBACPATH""attr_get_process $PROCESS max_read_categories` fi else $DIALOG 
--title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Max Read Categories: No process specified!" 5 $BC fi ;; 'Mac Process Flags:') if test "$PROCESS" != "" then mac_flags_menu else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Mac Process Flags: No process specified!" 5 $BC fi ;; 'PM TP:') if test "$PROCESS" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "PM TP ID for process $PROCESS" $BL $BC "$PMTP" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS pm_tp $TMP &>$TMPFILE then PMTP=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS pm_tp $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "PM TP: No process specified!" 5 $BC fi ;; 'PM Current Task:') if test "$PROCESS" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "PM Current Task ID for process $PROCESS" $BL $BC "$PMCTASK" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS pm_current_task $TMP &>$TMPFILE then PMCTASK=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS pm_current_task $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "PM Current Task: No process specified!" 
5 $BC fi ;; 'PM Process Type:') if test "$PROCESS" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose PM Process Type for $PROCESS" $BL $BC 4 \ 0 `get_vname proctype 0` `onoff 0 $PMPROCTYPE` \ 1 `get_vname proctype 1` `onoff 1 $PMPROCTYPE` \ 2 `get_vname proctype 2` `onoff 2 $PMPROCTYPE` \ 3 `get_vname proctype 3` `onoff 3 $PMPROCTYPE` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS pm_process_type $TMP &>$TMPFILE then PMPROCTYPE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS pm_process_type $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "PM Process Type: No process specified!" 5 $BC fi ;; 'DAZ Scanner:') if test "$PROCESS" != "" then \ if test $DAZSCANNER = "0" then TMP="1" else TMP="0" fi if $RSBACPATH""attr_set_process $PROCESS daz_scanner $TMP &>$TMPFILE then DAZSCANNER=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS daz_scanner $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "DAZ Scanner: No process specified!" 
5 $BC fi ;; 'RC Current Role:') if test "$PROCESS" != "" then \ if $RSBACPATH""rc_get_item list_roles >$TMPFILE then \ TMP="$RCROLE" ROLELIST=`cat $TMPFILE` if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$TMP" \ --menu "Choose RC Current Role for $PROCESS" $BL $BC $MAXLINES \ $ROLELIST \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS rc_role $TMP &>$TMPFILE then RCROLE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS rc_role $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "RC Current Role for process $PROCESS" $BL $BC "$RCROLE" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS rc_role $TMP &>$TMPFILE then RCROLE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS rc_role $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "RC Current Role: No process specified!" 
5 $BC fi ;; 'RC Type:') if test "$PROCESS" != "" then \ if $RSBACPATH""rc_get_item list_process_types >$TMPFILE then \ TMP=$RCTYPE TYPELIST=`cat $TMPFILE` if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$TMP" \ --menu "Choose RC Type for $PROCESS" $BL $BC $MAXLINES \ $TYPELIST \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS rc_type $TMP &>$TMPFILE then RCTYPE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS rc_type $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "RC Type for process $PROCESS" $BL $BC "$RCTYPE" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS rc_type $TMP &>$TMPFILE then RCTYPE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS rc_type $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "RC Type: No process specified!" 
5 $BC fi ;; 'RC Force Role:') if test "$PROCESS" != "" then \ if $RSBACPATH""rc_get_item list_used_roles >$TMPFILE then \ TMP="$RCROLE" ROLELIST=`cat $TMPFILE` if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --help-button --default-item "$TMP" \ --menu "Choose RC Force Role for Process $PROCESS" $BL $BC $MAXLINES \ $RCUSERINHERIT "always inherit from user" \ $RCPROCINHERIT "inherit from process (keep role)" \ $RCMIXINHERIT "mixed inherit from proc/user (default)" \ $ROLELIST \ 2>$TMPFILE then TMP=`cat $TMPFILE` case "$TMP" in HELP*) show_help "${TMP:5}" TMP="${TMP:5}" ;; *) if $RSBACPATH""attr_set_process $PROCESS rc_force_role $TMP &>$TMPFILE then RCFROLE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS rc_force_role $TMP >>"$RSBACLOGFILE" fi break else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi esac fi else \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "RC Force Role for process $PROCESS ($RCUSERINHERIT = inherit from user (default), $RCPROCINHERIT = inherit from process (keep role))" \ $BL $BC "$RCROLE" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS rc_force_role $TMP &>$TMPFILE then RCFROLE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS rc_force_role $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "RC Force Role: No process specified!" 
5 $BC fi ;; 'AUTH May Setuid:') if test "$PROCESS" != "" then \ if test $AUTHSUID = "0" then TMP="1" else TMP="0" fi if $RSBACPATH""attr_set_process $PROCESS auth_may_setuid $TMP &>$TMPFILE then AUTHSUID=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS auth_may_setuid $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "AUTH May Setuid: No process specified!" 5 $BC fi ;; 'AUTH May Set Cap:') if test "$PROCESS" != "" then \ if test $AUTHSCAP = "0" then TMP="1" else TMP="0" fi if $RSBACPATH""attr_set_process $PROCESS auth_may_set_cap $TMP &>$TMPFILE then AUTHSCAP=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS auth_may_set_cap $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "AUTH May Set Cap: No process specified!" 5 $BC fi ;; 'AUTH Learn:') if test "$PROCESS" != "" then \ if test $AUTHLEARN = "0" then TMP="1" else TMP="0" fi if $RSBACPATH""attr_set_process $PROCESS auth_learn $TMP &>$TMPFILE then AUTHLEARN=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS auth_learn $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "AUTH Learn: No process specified!" 
5 $BC fi ;; 'JAIL ID:') if test "$PROCESS" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "JAIL ID for process $PROCESS" $BL $BC "$JAILID" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS jail_id $TMP &>$TMPFILE then JAILID=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS jail_id $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "JAIL ID: No process specified!" 5 $BC fi ;; 'JAIL Parent:') if test "$PROCESS" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "JAIL Parent for process $PROCESS" $BL $BC "$JAILPARENT" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS jail_parent $TMP &>$TMPFILE then JAILPARENT=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS jail_parent $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "JAIL Parent: No process specified!" 5 $BC fi ;; 'JAIL IP:') if test "$PROCESS" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "JAIL IP for process $PROCESS" $BL $BC "$JAILIP" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS jail_ip $TMP &>$TMPFILE then JAILIP=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS jail_ip $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "JAIL IP: No process specified!" 
5 $BC fi ;; 'JAIL Flags:') if test "$PROCESS" != "" then \ jail_flags_menu else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "JAIL Flags: No process specified!" 5 $BC fi ;; 'PAX Flags:') $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --msgbox "PAX Flags are read only!" 5 $BC ;; 'Log Program Based:') if test "$PROCESS" != "" then \ if $DIALOG --title "log_program_based for process $PROCESS" \ --backtitle "$BACKTITLE" \ --checklist "Bits: $LOGPROG" $BL $BC $MAXLINES \ `gen_request_list` \ '--------------' '-----------------' off \ UA 'Unset ALL' off \ A 'Set ALL' off \ R 'Set Read Requests' off \ RW 'Set Read-Write R.' off \ W 'Set Write Requests' off \ SY 'Set System R.' off \ SE 'Set Security R.' off \ 2>$TMPFILE then TMP=`cat $TMPFILE|tr -d '"'` if $RSBACPATH""attr_set_process $PROCESS log_program_based $TMP &>$TMPFILE then LOGPROG=`$RSBACPATH""attr_get_process $PROCESS log_program_based` if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS log_program_based $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Log Program Based: No process specified!" 
5 $BC fi ;; 'CAP Process Hiding:') if test "$TYPE" != "NONE" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose CAP Process Hiding for process $PROCESS" $BL $BC 6 \ 0 "`get_vname prochiding 0`" `onoff 0 $PROCHIDE` \ 1 "`get_vname prochiding 1`" `onoff 1 $PROCHIDE` \ 2 "`get_vname prochiding 2`" `onoff 2 $PROCHIDE` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS cap_process_hiding $TMP &>$TMPFILE then PROCHIDE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS cap_process_hiding $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "CAP Process Hiding: No process specified!" 5 $BC fi ;; 'Fake Root UID:') if test "$TYPE" != "NONE" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Fake root uid for $PROCESS" $BL $BC 6 \ 0 "`get_vname fakeruid 0`" `onoff 0 $FAKERUID` \ 1 "`get_vname fakeruid 1`" `onoff 1 $FAKERUID` \ 2 "`get_vname fakeruid 2`" `onoff 2 $FAKERUID` \ 3 "`get_vname fakeruid 3`" `onoff 3 $FAKERUID` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS fake_root_uid $TMP &>$TMPFILE then FAKERUID=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS fake_root_uid $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Fake Root UID: No process specified!" 
5 $BC fi ;; 'Audit UID:') if test "$PROCESS" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Audit UID for process $PROCESS (4294967293 = -3 for unset)" $BL $BC "$AUDITUID" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS audit_uid $TMP &>$TMPFILE then AUDITUID=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS audit_uid $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Audit UID: No process specified!" 5 $BC fi ;; 'Audit UID Exempt:') if test "$PROCESS" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Audit UID Exception for process $PROCESS (4294967293 = -3 for unset)" $BL $BC "$AUIDEXEM" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS auid_exempt $TMP &>$TMPFILE then AUIDEXEM=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS auid_exempt $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Audit UID Exempt: No process specified!" 5 $BC fi ;; 'Virtual UM Set:') if test "$PROCESS" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Virtual UM Set: for process $PROCESS (0 for main set)" $BL $BC "$VSET" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_process $PROCESS vset $TMP &>$TMPFILE then VSET=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_process $PROCESS vset $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Virtual UM Set: No process specified!" 
5 $BC fi ;; 'ACL Menu:') $RSBACPATH""rsbac_acl_menu PROCESS ;; Quit) rm $TMPFILE ; exit ;; *) $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Main Menu: Selection Error!" 5 $BC esac # sleep 2 done rsbac-admin-1.4.0/main/tools/src/scripts/rsbac_acl_menu0000755000175000017500000017414211131371032022770 0ustar gauvaingauvain#!/bin/bash # # This script is used for Administration of RSBAC ACLs # # # Make sure we're really running bash. # [ -z "$BASH" ] && { echo "This menu requires bash" 1>&2; exit 1; } # # Cache function definitions, turn off posix compliance # set -h +o posix # set this to rsbac bin dir, if not in path (trailing / is mandatory!) # #if test -z "$RSBACPATH" ; then RSBACPATH=./ ; fi # set this to initial dir on script startup LASTDIR='.' # which dialog tool to use - dialog or kdialog or xdialog... if test -z $DIALOG then DIALOG=${RSBACPATH}dialog fi if ! $DIALOG --clear then echo $DIALOG menu program required! >&2 exit fi if ! $DIALOG --help 2>&1 | grep -q "help-button" then echo "Newer dialog menu version >= 0.9a-20020309a with '--help-button' option" >&2 echo "required, please use dialog from admin tools contrib dir or set" >&2 echo "\$DIALOG to another dialog program, e.g. with rsbac_settings_menu!" >&2 exit fi # The dir for tmp files if test -z "$TMPDIR" ; then TMPDIR=/tmp ; fi # This must be a unique temporary filename if ! TMPFILE=`mktemp -q $TMPDIR/rsbac_dialog.XXXXXX` then TMPFILE=$TMPDIR/rsbac_dialog.$$ if test -e $TMPFILE then rm $TMPFILE fi fi if ! 
TMPFILETWO=`mktemp -q $TMPDIR/rsbac_dialog.XXXXXX` then TMPFILETWO=$TMPDIR/rsbac_dialog.$$.2 if test -e $TMPFILETWO then rm $TMPFILETWO fi fi set_geometry () { BL=${1:-24} BC=${2:-80} [ $BL = 0 ] && BL=24 [ $BC = 0 ] && BC=80 export LINES=$BL export COLUMNS=$BC BL=$((BL-4)) BC=$((BC-5)) MAXLINES=$((LINES-10)) } set_geometry `stty size 2>/dev/null` gl () { if test $1 -gt $MAXLINES then echo $MAXLINES else echo $1 fi } if test -z "$LINES" ; then LINES=25 ; fi if test -z "$COLUMNS" ; then COLUMNS=80 ; fi export LINES export COLUMNS declare -i BL=$LINES-4 declare -i BC=$COLUMNS-4 declare -i MAXWIDTH=$BC-26 declare -i MAXLINES=$LINES-10 if test -z "$BACKTITLE" then BACKTITLE="RSBAC Administration Tools 1.4.0" fi TITLE="`whoami`@`hostname`: RSBAC ACL Administration" HELPTITLE="`whoami`@`hostname`: RSBAC ACL Administration Help" ERRTITLE="RSBAC ACL Administration - ERROR" ## no changes below this line! NO_USER=65533 ALL_USERS=65532 GETMODE=real GETSWITCH= show_help () { { echo "$1" echo "" case "$1" in FD) echo File/Dir/Fifo/Symlink ACLs ;; DEV) echo Device ACLs ;; USER) echo User ACLs ;; PROCESS) echo Process ACLs ;; IPC) echo Inter Process Communication ACLs ;; SCD) echo System Control Data ACLs ;; GROUP) echo Linux Group ACLs ;; NETDEV) echo Network Devices ;; NETTEMP_NT) echo Network Templates - ACL for template accesses. ;; NETTEMP) echo Network Templates - ACL for network object accesses. ;; NETOBJ) echo Network objects ;; :DEFAULT:) echo "$TARGET default ACL, the top parent object for all inheritance." ;; 'File/Dir/Fifo/Symlink List') echo "Choose object from a list." ;; 'Device List') echo "Choose device from /dev." ;; 'Dev-Major-List:') echo "Choose major device specification from list." ;; "DEV-Specification:") echo "Enter a device specification {b|c}major[:minor]," echo "e.g. b8:1 for /dev/sda1 or c2 for pseudo tty masters." ;; 'SCD List') echo "Choose object from a list." ;; 'User List') echo "Choose object from a list." 
;; 'Linux Group List') echo "Choose object from a list." ;; 'Network Device List') echo "Choose object from a list." ;; 'Network Template List') echo "Choose object from a list." ;; "File/Dir/Fifo/Symlink" | "Device" | "SCD") echo "Enter object name." ;; "User" | "Process" | "IPC") echo "Enter object name." ;; "Follow") echo "Follow a symbolic link." ;; "Choose Target") echo "Choose target type." ;; 'Add ACL Entry') echo "Add an ACL entry for this object." ;; "Remove Entry") echo "Remove an ACL entry from this object." ;; "Change TTL") echo "Change time-to-live for an ACL entry of this object. After this" echo "time the entry will be removed." ;; "Name / Rights") echo "Switch between subject names and rights to be shown in menu." ;; 'Who has here') echo "Show which subjects have which effective rights to this object." ;; 'Change Mask') echo "Change the inheritance mask of this object." echo "" echo "The mask specifies, which rights can be inherited from the object at the" echo "next higher level, e.g. the parent directory." echo "" echo "The highest level parent is the :DEFAULT: object." ;; GROUP* | ROLE* | USER* | GROUP*) echo "Rights in this ACL entry." ;; "Clear ACL") echo "Remove all ACL entries for this object." ;; 'Groups') echo "Go to groups menu." ;; 'Roles') echo "Go to RC roles menu." ;; 'FD attr') echo "Go to File/Dir/Fifo/Symlink attribute menu." ;; 'DEV attr') echo "Go to Device attribute menu." ;; 'IPC attr') echo "Go to IPC attribute menu." ;; 'SCD attr') echo "Go to SCD attribute menu." ;; 'USER attr') echo "Go to User attribute menu." ;; 'PROCESS attr') echo "Go to Process attribute menu." ;; 'NETTEMP attr') echo "Go to Network Template attribute menu." ;; Quit) echo "Quit this menu." ;; *) echo "No help for $1 available!" 
esac } > $TMPFILE $DIALOG --title "$HELPTITLE" \ --backtitle "$BACKTITLE" \ --textbox $TMPFILE $BL $BC # sleep 1 } get_attributes () { case $TARGET in "FD") if test -n "$OBJECT" then if test "$OBJECT" = ":DEFAULT:" then TYPE=FD elif test -L "$OBJECT" then TYPE=SYMLINK SYMLINK="`ls -l \"$OBJECT\"|cut -d '>' -f 2|cut -c 2-`" SUBTYPE="SYMLINK" elif test -f "$OBJECT" then TYPE=FILE ; SUBTYPE=FILE elif test -b "$OBJECT" then TYPE=FILE ; SUBTYPE=BLOCK elif test -c "$OBJECT" then TYPE=FILE ; SUBTYPE=CHAR elif test -p "$OBJECT" then TYPE=FIFO ; SUBTYPE=FIFO elif test -d "$OBJECT" then TYPE=DIR ; SUBTYPE=DIR LASTDIR=`( cd "$OBJECT" && pwd ) || echo "$OBJECT"` OBJECT=$LASTDIR if test -n "$RSBACLOGFILE" then echo "cd `pwd`" >>"$RSBACLOGFILE" fi else TYPE=NONE fi else TYPE=NONE fi ;; "DEV") if test -z "$OBJECT" then TYPE=DEV case "$DEVSPEC" in b* | B*) SUBTYPE=BLOCK ;; c* | C*) SUBTYPE=CHAR ;; *) SUBTYPE=unknown esac elif test "$OBJECT" = ":DEFAULT:" then TYPE=DEV ; SUBTYPE=$OBJECT elif test -L "$OBJECT" then TYPE=NONE SYMLINK="`ls -l \"$OBJECT\"|cut -d '>' -f 2|cut -c 2-`" SUBTYPE="SYMLINK" elif test -b "$OBJECT" then TYPE=DEV ; SUBTYPE=BLOCK elif test -c "$OBJECT" then TYPE=DEV ; SUBTYPE=CHAR elif test -d "$OBJECT" then TYPE=NONE ; SUBTYPE=DIR LASTDIR=`( cd "$OBJECT" && pwd ) || echo "$OBJECT"` OBJECT=$LASTDIR else if test -n "$DEVSPEC" then TYPE=DEV case "$DEVSPEC" in b* | B*) SUBTYPE=BLOCK ;; c* | C*) SUBTYPE=CHAR ;; *) SUBTYPE=unknown esac else TYPE=NONE ; SUBTYPE=NONE fi fi ;; NETDEV) if test "$OBJECT" != "" then TYPE=$TARGET ; SUBTYPE=$TARGET else TYPE=NONE fi ;; NETTEMP_NT) if test "$OBJECT" != "" then TYPE=$TARGET ; SUBTYPE=$TARGET else TYPE=NONE fi ;; NET*) if test "$OBJECT" != "" then TYPE=$TARGET ; SUBTYPE=$TARGET else TYPE=NONE fi ;; *) if test "$OBJECT" != "" then TYPE=$TARGET ; SUBTYPE=$TARGET else TYPE=NONE fi ;; esac } onoff () { if test "$1" = "$2" then echo on else echo off fi } onoffb () { if test "$1" = "1" then echo on else echo off fi } list_item () { if 
test -L "$1" then echo $1 "SYMLINK->`ls -l \"$1\"|cut -d '>' -f 2|cut -c 2-`" elif test -d "$1" then echo $1 DIR elif test -f "$1" -o -b "$1" -o -c "$1" then echo $1 FILE elif test -p "$1" then echo $1 FIFO elif test "$1" = ":DEFAULT:" then echo $1 FILE else echo $1 NONE fi } list_dev_item () { if test -L "$1" then echo $1 "SYMLINK->`ls -l \"$1\"|cut -d '>' -f 2|cut -c 2-`" elif test -b "$1" then echo $1 BLOCK elif test -c "$1" then echo $1 CHAR elif test -d "$1" then echo $1 DIR elif test "$1" = ":DEFAULT:" then echo $1 DEV else echo $1 NONE fi } get_vname () { if test "$TYPE" = "NONE" then echo " " return fi if test -z "$2" then echo "N/A" return fi case $1 in onoff) case $2 in 1) echo On ;; *) echo Off ;; esac ;; *) echo ERROR! ;; esac } full_name () { if test "$1" = "" then echo " " else echo `$RSBACPATH""attr_get_user $1 full_name` fi } get_uid () { if test "$1" = "" then echo " " else echo `$RSBACPATH""attr_get_user $1 user_nr` fi } get_name () { if test "$1" = "" then echo " " else echo `$RSBACPATH""attr_get_user $1 user_name` fi } split_subj () { echo $1|tr '_' ' ' } choose_major () { if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$(echo "$DEVSPEC"|cut -d ':' -f 1)" \ --menu "Select Device Major" $BL $BC $MAXLINES \ c0 "char Unnamed devices (e.g. non-device mounts)" \ b0 "block Unnamed devices (e.g. 
non-device mounts)" \ c1 "char Memory devices" \ b1 "block RAM disk" \ c2 "char Pseudo-TTY masters" \ b2 "block Floppy disks" \ c3 "char Pseudo-TTY slaves" \ b3 "block First MFM, RLL and IDE hard disk/CD-ROM interface" \ c4 "char TTY devices" \ c5 "char Alternate TTY devices" \ c6 "char Parallel printer devices" \ c7 "char Virtual console capture devices" \ b7 "block Loopback devices" \ b8 "block SCSI disk devices (0-15)" \ c9 "char SCSI tape devices" \ b9 "block Metadisk (RAID) devices" \ c10 "char Non-serial mice, misc features" \ c11 "char Raw keyboard device" \ b11 "block SCSI CD-ROM devices" \ c12 "char QIC-02 tape" \ b12 "block MSCDEX CD-ROM callback support {2.6}" \ c13 "char Input core" \ b13 "block 8-bit MFM/RLL/IDE controller" \ c14 "char Open Sound System (OSS)" \ b14 "block BIOS harddrive callback support {2.6}" \ c15 "char Joystick" \ b15 "block Sony CDU-31A/CDU-33A CD-ROM" \ c16 "char Non-SCSI scanners" \ b16 "block GoldStar CD-ROM" \ c17 "char Chase serial card" \ b17 "block Optics Storage CD-ROM" \ c18 "char Chase serial card - alternate devices" \ b18 "block Sanyo CD-ROM" \ c19 "char Cyclades serial card" \ b19 "block Double compressed disk" \ c20 "char Cyclades serial card - alternate devices" \ b20 "block Hitachi CD-ROM (under development)" \ c21 "char Generic SCSI access" \ b21 "block Acorn MFM hard drive interface" \ c22 "char Digiboard serial card" \ b22 "block Second IDE hard disk/CD-ROM interface" \ c23 "char Digiboard serial card - alternate devices" \ b23 "block Mitsumi proprietary CD-ROM" \ c24 "char Stallion serial card" \ b24 "block Sony CDU-535 CD-ROM" \ c25 "char Stallion serial card - alternate devices" \ b25 "block First Matsushita (Panasonic/SoundBlaster) CD-ROM" \ c26 "char Quanta WinVision frame grabber {2.6}" \ b26 "block Second Matsushita (Panasonic/SoundBlaster) CD-ROM" \ c27 "char QIC-117 tape" \ b27 "block Third Matsushita (Panasonic/SoundBlaster) CD-ROM" \ c28 "char Stallion serial card - card programming" \ c28 "char Atari 
SLM ACSI laser printer (68k/Atari)" \ b28 "block Fourth Matsushita (Panasonic/SoundBlaster) CD-ROM" \ b28 "block ACSI disk (68k/Atari)" \ c29 "char Universal frame buffer" \ b29 "block Aztech/Orchid/Okano/Wearnes CD-ROM" \ c30 "char iBCS-2 compatibility devices" \ b30 "block Philips LMS CM-205 CD-ROM" \ c31 "char MPU-401 MIDI" \ b31 "block ROM/flash memory card" \ c32 "char Specialix serial card" \ b32 "block Philips LMS CM-206 CD-ROM" \ c33 "char Specialix serial card - alternate devices" \ b33 "block Third IDE hard disk/CD-ROM interface" \ c34 "char Z8530 HDLC driver" \ b34 "block Fourth IDE hard disk/CD-ROM interface" \ c35 "char tclmidi MIDI driver" \ b35 "block Slow memory ramdisk" \ c36 "char Netlink support" \ b36 "block MCA ESDI hard disk" \ c37 "char IDE tape" \ b37 "block Zorro II ramdisk" \ c38 "char Myricom PCI Myrinet board" \ b38 "block Reserved for Linux/AP+" \ c39 "char ML-16P experimental I/O board" \ b39 "block Reserved for Linux/AP+" \ c40 "char Matrox Meteor frame grabber {2.6}" \ b40 "block Syquest EZ135 parallel port removable drive" \ c41 "char Yet Another Micro Monitor" \ b41 "block MicroSolutions BackPack parallel port CD-ROM" \ c42 "char Demo/sample use" \ b42 "block Demo/sample use" \ c43 "char isdn4linux virtual modem" \ b43 "block Network block devices" \ c44 "char isdn4linux virtual modem - alternate devices" \ b44 "block Flash Translatio Layer (FTL) filesystems" \ c45 "char isdn4linux ISDN BRI driver" \ b45 "block Parallel port IDE disk devices" \ c46 "char Comtrol Rocketport serial card" \ b46 "block Parallel port ATAPI CD-ROM devices" \ c47 "char Comtrol Rocketport serial card - alternate devices" \ b47 "block Parallel port ATAPI disk devices" \ c48 "char SDL RISCom serial card" \ b48 "block Mylex DAC960 PCI RAID controller; first controller" \ c49 "char SDL RISCom serial card - alternate devices" \ b49 "block Mylex DAC960 PCI RAID controller; second controller" \ c50 "char Reserved for GLINT" \ b50 "block Mylex DAC960 PCI RAID 
controller; third controller" \ c51 "char Baycom radio modem" \ b51 "block Mylex DAC960 PCI RAID controller; fourth controller" \ c52 "char Spellcaster DataComm/BRI ISDN card" \ b52 "block Mylex DAC960 PCI RAID controller; fifth controller" \ c53 "char BDM interface for remote debugging MC683xx microcontrollers" \ b53 "block Mylex DAC960 PCI RAID controller; sixth controller" \ c54 "char Electrocardiognosis Holter serial card" \ b54 "block Mylex DAC960 PCI RAID controller; seventh controller" \ c55 "char DSP56001 digital signal processor" \ b55 "block Mylex DAC960 PCI RAID controller; eigth controller" \ c56 "char Apple Desktop Bus" \ b56 "block Fifth IDE hard disk/CD-ROM interface" \ c57 "char Hayes ESP serial card" \ b57 "block Sixth IDE hard disk/CD-ROM interface" \ c58 "char Hayes ESP serial card - alternate devices" \ b58 "block Reserved for logical volume manager" \ c59 "char sf firewall package" \ b59 "block Generic PDA filesystem device" \ c60 "char LOCAL/EXPERIMENTAL USE" \ b60 "block LOCAL/EXPERIMENTAL USE" \ c61 "char LOCAL/EXPERIMENTAL USE" \ b61 "block LOCAL/EXPERIMENTAL USE" \ c62 "char LOCAL/EXPERIMENTAL USE" \ b62 "block LOCAL/EXPERIMENTAL USE" \ c63 "char LOCAL/EXPERIMENTAL USE" \ b63 "block LOCAL/EXPERIMENTAL USE" \ c64 "char ENskip kernel encryption package" \ c65 "char Sundance plink Transputer boards" \ b65 "block SCSI disk devices (16-31)" \ c66 "char YARC PowerPC PCI coprocessor card" \ b66 "block SCSI disk devices (32-47)" \ c67 "char Coda network file system" \ b67 "block SCSI disk devices (48-63)" \ c68 "char CAPI 2.0 interface" \ b68 "block SCSI disk devices (64-79)" \ c69 "char MA16 numeric accelerator card" \ b69 "block SCSI disk devices (80-95)" \ c70 "char SpellCaster Protocol Services Interface" \ b70 "block SCSI disk devices (96-111)" \ c71 "char Computone IntelliPort II serial card" \ b71 "block SCSI disk devices (112-127)" \ c72 "char Computone IntelliPort II serial card - alternate devices" \ b72 "block Compaq Intelligent Drive 
Array, first controller" \ c73 "char Computone IntelliPort II serial card - control devices" \ b73 "block Compaq Intelligent Drive Array, second controller" \ c74 "char SCI bridge" \ b74 "block Compaq Intelligent Drive Array, third controller" \ c75 "char Specialix IO8+ serial card" \ b75 "block Compaq Intelligent Drive Array, fourth controller" \ c76 "char Specialix IO8+ serial card - alternate devices" \ b76 "block Compaq Intelligent Drive Array, fifth controller" \ c77 "char ComScire Quantum Noise Generator" \ b77 "block Compaq Intelligent Drive Array, sixth controller" \ c78 "char PAM Software multimodem boards" \ b78 "block Compaq Intelligent Drive Array, seventh controller" \ c79 "char PAM Software multimodem boards - alternate devices" \ b79 "block Compaq Intelligent Drive Array, eigth controller" \ c80 "char Photometrics AT200 CCD camera" \ b80 "block I2O hard disk" \ c81 "char video4linux" \ b81 "block I2O hard disk" \ c82 "char WiNRADiO communications receiver card" \ b82 "block I2O hard disk" \ c83 "char Teletext/videotext interfaces {2.6}" \ b83 "block I2O hard disk" \ c84 "char Ikon 1011[57] Versatec Greensheet Interface" \ b84 "block I2O hard disk" \ c85 "char Linux/SGI shared memory input queue" \ b85 "block I2O hard disk" \ c86 "char SCSI media changer" \ b86 "block I2O hard disk" \ c87 "char Sony Control-A1 stereo control bus" \ b87 "block I2O hard disk" \ c88 "char COMX synchronous serial card" \ b88 "block Seventh IDE hard disk/CD-ROM interface" \ c89 "char I2C bus interface" \ b89 "block Eighth IDE hard disk/CD-ROM interface" \ c90 "char Memory Technology Device (RAM, ROM, Flash)" \ b90 "block Ninth IDE hard disk/CD-ROM interface" \ c91 "char CAN-Bus devices" \ b91 "block Tenth IDE hard disk/CD-ROM interface" \ c92 "char Reserved for ith Kommunikationstechnik MIC ISDN card" \ b92 "block PPDD encrypted disk driver" \ c93 "char IBM Smart Capture Card frame grabber {2.6}" \ b93 "block NAND Flash Translation Layer filesystem" \ c94 "char miroVIDEO 
DC10/30 capture/playback device {2.6}" \ b94 "block IBM S/390 DASD block storage" \ c95 "char IP filter" \ b95 "block IBM S/390 VM/ESA minidisk" \ c96 "char Parallel port ATAPI tape devices" \ c97 "char Parallel port generic ATAPI interface" \ b97 "block Packet writing for CD/DVD devices" \ c98 "char Control and Measurement Device (comedi)" \ b98 "block User-mode virtual block device" \ c99 "char Raw parallel ports" \ b99 "block JavaStation flash disk" \ c100 "char Telephony for Linux" \ c101 "char Motorola DSP 56xxx board" \ b101 "block AMI HyperDisk RAID controller" \ c102 "char Philips SAA5249 Teletext signal decoder {2.6}" \ b102 "block Compressed block device" \ c103 "char Arla network file system" \ b103 "block Audit device" \ c104 "char Flash BIOS support" \ b104 "block Compaq Next Generation Drive Array, first controller" \ c105 "char Comtrol VS-1000 serial controller" \ b105 "block Compaq Next Generation Drive Array, second controller" \ c106 "char Comtrol VS-1000 serial controller - alternate devices" \ b106 "block Compaq Next Generation Drive Array, third controller" \ c107 "char 3Dfx Voodoo Graphics device" \ b107 "block Compaq Next Generation Drive Array, fourth controller" \ c108 "char Device independent PPP interface" \ b108 "block Compaq Next Generation Drive Array, fifth controller" \ c109 "char Reserved for logical volume manager" \ b109 "block Compaq Next Generation Drive Array, sixth controller" \ c110 "char miroMEDIA Surround board" \ b110 "block Compaq Next Generation Drive Array, seventh controller" \ c111 "char Philips SAA7146-based audio/video card {2.6}" \ b111 "block Compaq Next Generation Drive Array, eigth controller" \ c112 "char ISI serial card" \ b112 "block IBM iSeries virtual disk" \ c113 "char ISI serial card - alternate devices" \ b113 "block IBM iSeries virtual CD-ROM" \ c114 "char Picture Elements ISE board" \ c115 "char Console driver speaker" \ c116 "char Advanced Linux Sound Driver (ALSA)" \ c117 "char COSA/SRP synchronous 
serial card" \ c118 "char Solidum ???" \ c119 "char VMware virtual network control" \ c120 "char LOCAL/EXPERIMENTAL USE" \ b120 "block LOCAL/EXPERIMENTAL USE" \ c120 "char LOCAL/EXPERIMENTAL USE" \ b120 "block LOCAL/EXPERIMENTAL USE" \ c121 "char LOCAL/EXPERIMENTAL USE" \ b121 "block LOCAL/EXPERIMENTAL USE" \ c122 "char LOCAL/EXPERIMENTAL USE" \ b122 "block LOCAL/EXPERIMENTAL USE" \ c123 "char LOCAL/EXPERIMENTAL USE" \ b123 "block LOCAL/EXPERIMENTAL USE" \ c124 "char LOCAL/EXPERIMENTAL USE" \ b124 "block LOCAL/EXPERIMENTAL USE" \ c125 "char LOCAL/EXPERIMENTAL USE" \ b125 "block LOCAL/EXPERIMENTAL USE" \ c126 "char LOCAL/EXPERIMENTAL USE" \ b126 "block LOCAL/EXPERIMENTAL USE" \ c127 "char LOCAL/EXPERIMENTAL USE" \ b127 "block LOCAL/EXPERIMENTAL USE" \ c128 "char Unix98 PTY masters" \ c129 "char Unix98 PTY masters" \ c130 "char Unix98 PTY masters" \ c131 "char Unix98 PTY masters" \ c132 "char Unix98 PTY masters" \ c133 "char Unix98 PTY masters" \ c134 "char Unix98 PTY masters" \ c135 "char Unix98 PTY masters" \ c136 "char Unix98 PTY slaves" \ c137 "char Unix98 PTY slaves" \ c138 "char Unix98 PTY slaves" \ c139 "char Unix98 PTY slaves" \ c140 "char Unix98 PTY slaves" \ c141 "char Unix98 PTY slaves" \ c142 "char Unix98 PTY slaves" \ c143 "char Unix98 PTY slaves" \ c144 "char Encapsulated PPP" \ c145 "char SAM9407-based soundcard" \ c146 "char SYSTRAM SCRAMNet mirrored-memory network" \ c147 "char Aueral Semiconductor Vortex Audio device" \ c148 "char Technology Concepts serial card" \ c149 "char Technology Concepts serial card - alternate devices" \ c150 "char Real-Time Linux FIFOs" \ c151 "char DPT I2O SmartRaid V controller" \ c154 "char Specialix RIO serial card" \ c155 "char Specialix RIO serial card - alternate devices" \ c156 "char Specialix RIO serial card" \ c157 "char Specialix RIO serial card - alternate devices" \ c158 "char Dialogic GammaLink fax driver" \ c160 "char General Purpose Instrument Bus (GPIB)" \ c161 "char IrCOMM devices (IrDA serial/parallel 
emulation)" \ c162 "char Raw block device interface" \ c163 "char Radio Tech BIM-XXX-RS232 radio modem" \ c164 "char Chase Research AT/PCI-Fast serial card" \ c165 "char Chase Research AT/PCI-Fast serial card - alternate devices" \ c166 "char ACM USB modems" \ c167 "char ACM USB modems - alternate devices" \ c168 "char Eracom CSA7000 PCI encryption adaptor" \ c169 "char Eracom CSA8000 PCI encryption adaptor" \ c170 "char AMI MegaRAC remote access controller" \ c171 "char Reserved for IEEE 1394 (Firewire)" \ c172 "char Moxa Intellio serial card" \ c173 "char Moxa Intellio serial card - alternate devices" \ c174 "char SmartIO serial card" \ c175 "char SmartIO serial card - alternate devices" \ c176 "char nCipher nFast PCI crypto accelerator" \ c177 "char TI PCILynx memory spaces" \ c178 "char Giganet cLAN1xxx virtual interface adapter" \ c179 "char CCube DVXChip-based PCI products" \ c180 "char USB devices" \ c181 "char Conrad Electronic parallel port radio clocks" \ c182 "char Picture Elements THR2 binarizer" \ c183 "char SST 5136-DN DeviceNet interface" \ c184 "char Picture Elements video simulator/sender" \ c185 "char InterMezzo high availability file system" \ c186 "char Object-based storage control device" \ c187 "char DESkey hardware encryption device" \ c188 "char USB serial converters" \ c189 "char USB serial converters - alternate devices" \ c190 "char Kansas City tracker/tuner card" \ c191 "char Reserved for PCMCIA" \ c192 "char Kernel profiling interface" \ c193 "char Kernel event-tracing interface" \ c194 "char linVideoStreams (LINVS)" \ c195 "char Nvidia graphics devices" \ c196 "char Tormenta T1 card" \ c197 "char OpenTNF tracing facility" \ c198 "char Total Impact TPMP2 quad coprocessor PCI card" \ c199 "char Veritas volume manager (VxVM) volumes" \ b199 "block Veritas volume manager (VxVM) volumes" \ c200 "char Veritas VxVM configuration interface" \ c201 "char Veritas VxVM dynamic multipathing driver" \ b201 "block Veritas VxVM dynamic multipathing 
driver" \
  c202 "char CPU model-specific registers" \
  c203 "char CPU CPUID information" \
  c204 "char Low-density serial ports" \
  c205 "char Low-density serial ports (alternate device)" \
  c206 "char OnStream SC-x0 tape devices" \
  c207 "char Compaq ProLiant health feature indicate" \
  c208 "char User space serial ports" \
  c209 "char User space serial ports (alternate devices)" \
  c210 "char SBE, Inc. sync/async serial card" \
  c211 "char Addinum CPCI1500 digital I/O card" \
  c216 "char USB BlueTooth devices" \
  c217 "char USB BlueTooth devices (alternate devices)" \
  c218 "char The Logical Company bus Unibus/Qbus adapters" \
  c219 "char The Logical Company DCI-1300 digital I/O card" \
  c220 "char Myricom Myrinet GM board" \
  c221 "char VME bus" \
  c224 "char A2232 serial card" \
  c225 "char A2232 serial card (alternate devices)" \
  c226 "char Direct Rendering Infrastructure (DRI)" \
  c227 "char IBM 3270 terminal Unix tty access" \
  c228 "char IBM 3270 terminal block-mode access" \
  c229 "char IBM iSeries virtual console" \
  c230 "char IBM iSeries virtual tape" \
  2>$TMPFILE
then
  # The chosen major becomes the device specification; the object path is
  # cleared because the entry now refers to a major, not to a device node.
  DEVSPEC=`cat $TMPFILE`
  OBJECT=
  get_attributes
fi
}

# gen_tlist: print the ACL entries of the current object as "tag item" pairs,
# one per line, for use as unquoted arguments of a dialog --menu (main menu,
# "Remove Entry", "Change TTL"). Entries come from acl_tlist -s (-sd with
# $DEVSPEC for DEV targets); spaces are turned into '_' so every entry stays a
# single word after word-splitting. With SHOW=Rights each entry is followed by
# its right bits (acl_rights -sD / -sdD), otherwise by the group's entry text
# (or '(private)'), the role's name (or '(unknown)') or the user's name.
# Prints nothing while TYPE is NONE, i.e. no object has been chosen yet.
# Reads: TYPE DEVSPEC OBJECT SHOW TMPFILE RSBACPATH. Clobbers: TMP TMP2 TMP3 i.
gen_tlist () {
if test "$TYPE" != "NONE"
then
  if test "$TYPE" = "DEV"
  then
    if $RSBACPATH""acl_tlist -sd $TYPE "$DEVSPEC" > $TMPFILE
    then
      TMP=`cat $TMPFILE | sort | tr ' ' '_'`
      if test "$SHOW" = Rights
      then
        for i in $TMP
        do
          # split_subj turns e.g. GROUP_5 into the option/argument pair acl_rights expects
          echo $i `$RSBACPATH""acl_rights -sdD --\`split_subj $i\` $TYPE "$DEVSPEC"`
        done
      else
        for i in $TMP
        do
          # TMP2 is the numeric part after the KIND_ prefix
          TMP2=`echo $i|cut -d '_' -f 2`
          case $i in
            GROUP_*)
              if $RSBACPATH""acl_group -s get_group_entry $TMP2 >$TMPFILE 2>/dev/null
              then
                TMP3=`cat $TMPFILE | tr ' ' '_'`
              else
                TMP3='(private)'
              fi
              echo $i $TMP3
              ;;
            ROLE_*)
              if $RSBACPATH""rc_get_item ROLE $TMP2 name > $TMPFILE 2>/dev/null
              then
                echo $i `cat $TMPFILE | tr ' ' '_'`
              else
                echo $i '(unknown)'
              fi
              ;;
            USER_*)
              echo $i `$RSBACPATH""attr_get_user $TMP2 user_name`
              ;;
            *)
              ;;
          esac
        done
      fi
    fi
  else
    if $RSBACPATH""acl_tlist -s $TYPE "$OBJECT" > $TMPFILE
    then
      TMP=`cat $TMPFILE | sort | tr ' ' '_'`
      if test "$SHOW" = Rights
      then
        for i in $TMP
        do
          echo $i `$RSBACPATH""acl_rights -sD --\`split_subj $i\` $TYPE "$OBJECT"`
        done
      else
        for i in $TMP
        do
          TMP2=`echo $i|cut -d '_' -f 2`
          case $i in
            GROUP_*)
              if $RSBACPATH""acl_group -s get_group_entry $TMP2 >$TMPFILE 2>/dev/null
              then
                TMP3=`cat $TMPFILE | tr ' ' '_'`
              else
                TMP3='(private)'
              fi
              echo $i $TMP3
              ;;
            ROLE_*)
              if $RSBACPATH""rc_get_item ROLE $TMP2 name > $TMPFILE 2>/dev/null
              then
                echo $i `cat $TMPFILE | tr ' ' '_'`
              else
                echo $i '(unknown)'
              fi
              ;;
            USER_*)
              echo $i `$RSBACPATH""attr_get_user $TMP2 user_name`
              ;;
            *)
              ;;
          esac
        done
      fi
    fi
  fi
fi
}

# gen_subj_list KIND: list the candidate subjects of KIND (GROUP, ROLE or USER)
# as "tag item" pairs for the "Add ACL Entry" menu. Groups are paired with their
# get_group_entry text (spaces replaced by '_'), roles come straight from
# rc_get_item list_roles and users from attr_get_user -bl sorted on column 2.
# Prints "ERROR !" for any other KIND and nothing while TYPE is NONE.
# NOTE(review): the ROLE branch calls rc_get_item without the $RSBACPATH prefix
# that every other tool invocation uses — confirm that is intended.
gen_subj_list () {
if test "$TYPE" != "NONE"
then
  case $1 in
    GROUP)
      TMP=`$RSBACPATH""acl_group -gsn list_groups`
      for i in $TMP
      do
        TMP2=`$RSBACPATH""acl_group -s get_group_entry $i|tr ' ' '_'`
        echo $i $TMP2
      done
      ;;
    ROLE)
      rc_get_item list_roles
      ;;
    USER)
      ${RSBACPATH}attr_get_user -bl|sort -n -k 2
      ;;
    *)
      echo ERROR !
      ;;
  esac
fi
}

# gen_right_list SUBJECT: emit one "request on on" / "request off off" triple per
# request name reported by acl_rights -R for the current target, "on" when the
# request appears in SUBJECT's rights (acl_rights -sdDp), for a dialog --checklist.
# NOTE(review): the non-DEV branch passes -sdDp as well; presumably -d is ignored
# without a device target, but verify against acl_rights.
# Clobbers: ALLREQUESTS TMP i.
gen_right_list () {
ALLREQUESTS=`$RSBACPATH""acl_rights -R $TARGET $OBJECT`
if test "$TYPE" = "DEV"
then
  TMP=`${RSBACPATH}acl_rights -sdDp --\`split_subj $1\` $TYPE "$DEVSPEC"`
else
  TMP=`${RSBACPATH}acl_rights -sdDp --\`split_subj $1\` $TYPE "$OBJECT"`
fi
for i in $ALLREQUESTS
do
  # whole-word match so e.g. READ does not match READ_OPEN
  if echo $TMP | grep -q "\\<$i\\>"
  then
    echo $i on on
  else
    echo $i off off
  fi
done
}

# check_rights SUBJECT: show SUBJECT's current rights on the current object as a
# checklist (plus the UA/A/R/W/SY/SE/S shortcut entries, which acl_grant expands)
# and apply the selection with acl_grant -s (set). A successful change is
# appended as a replayable command line to $RSBACLOGFILE when that variable is
# set; on failure the first line of the tool's output is shown. $TMPFILETWO
# collects acl_rights' stderr and is removed before returning.
# NOTE(review): the `continue` after a failed acl_grant is not inside any loop
# of this function; whether it acts on the caller's menu loop depends on the
# shell's handling of loop control inside functions — confirm the intent.
check_rights () {
if test "$TYPE" = "DEV"
then
  if $RSBACPATH""acl_rights -sdD --`split_subj $1` $TYPE "$DEVSPEC" > $TMPFILE 2>$TMPFILETWO
  then
    RIGHTBITS=`cat $TMPFILE`
    if $DIALOG --title "Rights for $1 to $TYPE $DEVSPEC ($OBJECT)" \
      --backtitle "$BACKTITLE" \
      --checklist "Bits: $RIGHTBITS" $BL $BC $MAXLINES \
      `gen_right_list $1` \
      '--------------' '-----------------' off \
      UA 'Unset ALL' off \
      A 'Set ALL' off \
      R 'Set Read Requests' off \
      W 'Set Write Requests' off \
      SY 'Set System R.' off \
      SE 'Set Security R.' off \
      S 'Set ACL Special R.' off \
      2>$TMPFILE
    then
      # dialog quotes the selected tags; strip the quotes, keep word-splitting
      TMP=`cat $TMPFILE|tr -d '"'`
      if $RSBACPATH""acl_grant -sd `split_subj $1` $TMP $TYPE "$DEVSPEC" &>$TMPFILE
      then
        if test -n "$RSBACLOGFILE"
        then
          echo $RSBACPATH""acl_grant -sd `split_subj $1` $TMP $TYPE \"$DEVSPEC\" >>"$RSBACLOGFILE"
        fi
      else
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "`head -n 1 $TMPFILE`" $BL $BC
        continue
      fi
    fi
  else
    $DIALOG --title "$ERRTITLE" \
      --backtitle "$BACKTITLE" \
      --msgbox "`head -n 1 $TMPFILETWO`" $BL $BC
  fi
else
  if $RSBACPATH""acl_rights -sD --`split_subj $1` $TYPE "$OBJECT" > $TMPFILE 2>$TMPFILETWO
  then
    RIGHTBITS=`cat $TMPFILE`
    if $DIALOG --title "Rights for $1 to $TYPE $OBJECT" \
      --backtitle "$BACKTITLE" \
      --checklist "Bits: $RIGHTBITS" $BL $BC $MAXLINES \
      `gen_right_list $1` \
      '--------------' '-----------------' off \
      UA 'Unset ALL' off \
      A 'Set ALL' off \
      R 'Set Read Requests' off \
      W 'Set Write Requests' off \
      SY 'Set System R.' off \
      SE 'Set Security R.' off \
      S 'Set ACL Special R.' off \
      2>$TMPFILE
    then
      TMP=`cat $TMPFILE|tr -d '"'`
      if $RSBACPATH""acl_grant -s `split_subj $1` $TMP $TYPE "$OBJECT" &>$TMPFILE
      then
        if test -n "$RSBACLOGFILE"
        then
          echo $RSBACPATH""acl_grant -s `split_subj $1` $TMP $TYPE \"$OBJECT\" >>"$RSBACLOGFILE"
        fi
      else
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "`head -n 1 $TMPFILE`" $BL $BC
        continue
      fi
    fi
  else
    $DIALOG --title "$ERRTITLE" \
      --backtitle "$BACKTITLE" \
      --msgbox "`head -n 1 $TMPFILETWO`" $BL $BC
  fi
fi
rm $TMPFILETWO
}

# show_mask: print the inheritance mask of the current object for the main menu,
# or '(none)' when no object is chosen (TYPE NONE) or the object is :DEFAULT:.
# The acl_mask output is trimmed to its second field, minus a leading character.
# NOTE(review): the DEV branch splits on ' ' and the other on ':' — presumably
# matching the two output formats of acl_mask; verify.
show_mask () {
if test "$TYPE" != "NONE"
then
  if test "$OBJECT" = ":DEFAULT:"
  then
    echo '(none)'
  else
    if test "$TYPE" = "DEV"
    then
      $RSBACPATH""acl_mask -d $TYPE "$DEVSPEC" | cut -d ' ' -f 2 | cut -c2-
    else
      $RSBACPATH""acl_mask $TYPE "$OBJECT" | cut -d ':' -f 2 | cut -c2-
    fi
  fi
else
  echo '(none)'
fi
}

# gen_mask_right_list: like gen_right_list, but the "on" entries are the requests
# present in the object's inheritance mask (acl_mask -p, lines containing 000
# dropped). Output feeds the --checklist of check_mask_rights.
# Clobbers: TMP ALLREQUESTS i.
gen_mask_right_list () {
if test "$TYPE" = "DEV"
then
  TMP=`${RSBACPATH}acl_mask -pd $TYPE "$DEVSPEC" | grep -v 000`
else
  TMP=`${RSBACPATH}acl_mask -p $TYPE "$OBJECT" | grep -v 000`
fi
ALLREQUESTS=`$RSBACPATH""acl_rights -R $TARGET $OBJECT`
for i in $ALLREQUESTS
do
  if echo $TMP | grep -q "\\<$i\\>"
  then
    echo $i on on
  else
    echo $i off off
  fi
done
}

# check_mask_rights: edit the object's inheritance mask through a checklist and
# store the result with acl_mask -s (-sd for DEV targets); successful changes
# are appended to $RSBACLOGFILE when set, failures show the tool's first output
# line. The `continue` statements have the same caveat as in check_rights.
check_mask_rights () {
if test "$TYPE" = "DEV"
then
  RIGHTBITS=`$RSBACPATH""acl_mask -d $TYPE "$DEVSPEC"`
else
  RIGHTBITS=`$RSBACPATH""acl_mask $TYPE "$OBJECT"`
fi
if $DIALOG --title "Inheritance Mask for $TYPE $OBJECT" \
  --backtitle "$BACKTITLE" \
  --checklist "$RIGHTBITS" $BL $BC $MAXLINES \
  `gen_mask_right_list` \
  '--------------' '-----------------' off \
  UA 'Unset ALL' off \
  A 'Set ALL' off \
  R 'Set Read Requests' off \
  W 'Set Write Requests' off \
  SY 'Set System R.' off \
  SE 'Set Security R.' off \
  S 'Set ACL Special R.' off \
  2>$TMPFILE
then
  TMP=`cat $TMPFILE|tr -d '"'`
  if test "$TYPE" = "DEV"
  then
    if $RSBACPATH""acl_mask -sd $TMP $TYPE "$DEVSPEC" &>$TMPFILE
    then
      if test -n "$RSBACLOGFILE"
      then
        echo $RSBACPATH""acl_mask -sd $TMP $TYPE \"$DEVSPEC\" >>"$RSBACLOGFILE"
      fi
    else
      $DIALOG --title "$ERRTITLE" \
        --backtitle "$BACKTITLE" \
        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
      continue
    fi
  else
    if $RSBACPATH""acl_mask -s $TMP $TYPE "$OBJECT" &>$TMPFILE
    then
      if test -n "$RSBACLOGFILE"
      then
        echo $RSBACPATH""acl_mask -s $TMP $TYPE \"$OBJECT\" >>"$RSBACLOGFILE"
      fi
    else
      $DIALOG --title "$ERRTITLE" \
        --backtitle "$BACKTITLE" \
        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
      continue
    fi
  fi
fi
}

# gen_menu_choose_items N: text for the first two main-menu rows, which depend on
# the current TARGET. N=1/2 give tag and description of the "list" row (2 names
# the directory via name_print for FD/DEV), N=3/4 those of the "enter by name"
# row (4 shows the current OBJECT, plus SUBTYPE for FD/DEV). Unknown N or TARGET
# prints nothing. The output is quoted by the caller, so spaces are fine here.
gen_menu_choose_items () {
case $TARGET in
  FD)
    case $1 in
      1) echo File/Dir/Fifo/Symlink List ;;
      2) echo Choose from `name_print "$LASTDIR"` ;;
      3) echo File/Dir/Fifo/Symlink ;;
      4) echo `name_print "$OBJECT / $SUBTYPE"` ;;
      *) ;;
    esac
    ;;
  DEV)
    case $1 in
      1) echo Device List ;;
      2) echo Choose from `name_print "$LASTDIR"` ;;
      3) echo Device ;;
      4) echo `name_print "$OBJECT / $SUBTYPE"` ;;
      *) ;;
    esac
    ;;
  USER)
    case $1 in
      1) echo User List ;;
      2) echo Choose from list ;;
      3) echo User ;;
      4) echo `name_print "$OBJECT"` ;;
      *) ;;
    esac
    ;;
  PROCESS)
    case $1 in
      1) echo Process ;;
      2) echo :DEFAULT: only ;;
      3) echo Process ;;
      4) echo `name_print "$OBJECT"` ;;
      *) ;;
    esac
    ;;
  IPC)
    case $1 in
      1) echo IPC ;;
      2) echo :DEFAULT: only ;;
      3) echo IPC ;;
      4) echo `name_print "$OBJECT"` ;;
      *) ;;
    esac
    ;;
  SCD)
    case $1 in
      1) echo SCD List ;;
      2) echo Choose from list ;;
      3) echo SCD ;;
      4) echo `name_print "$OBJECT"` ;;
      *) ;;
    esac
    ;;
  GROUP)
    case $1 in
      1) echo Linux Group List ;;
      2) echo Choose from list ;;
      3) echo Linux Group ;;
      4) echo `name_print "$OBJECT"` ;;
      *) ;;
    esac
    ;;
  NETDEV)
    case $1 in
      1) echo Network Device List ;;
      2) echo Choose from list ;;
      3) echo Network Device ;;
      4) echo `name_print "$OBJECT"` ;;
      *) ;;
    esac
    ;;
  NETTEMP | NETTEMP_NT)
    case $1 in
      1) echo Network Template List ;;
      2) echo Choose from list ;;
      3) echo Network Template ;;
      4) echo `name_print "$OBJECT"` ;;
      *) ;;
    esac
    ;;
  NETOBJ)
    case $1 in
      1) echo Network Object List ;;
      2) echo Choose from list ;;
      3) echo Network Object ;;
      4) echo `name_print "$OBJECT"` ;;
      *) ;;
    esac
    ;;
  *)
    ;;
esac
}

# get_target_name TARGET: human-readable name of an ACL target type for menus and
# input boxes; a single space for unknown targets so the menu item is not empty.
get_target_name () {
case $1 in
  FD) echo File/Dir/Fifo/Symlink ;;
  DEV) echo Device ;;
  USER) echo User ;;
  PROCESS) echo Process ;;
  IPC) echo Inter Process Communication ;;
  SCD) echo System Control Data ;;
  GROUP) echo Linux Group ;;
  NETDEV) echo Network Device ;;
  NETTEMP_NT) echo Network Template for template accesses ;;
  NETTEMP) echo Network Template for netobj accesses ;;
  NETOBJ) echo Network Object ;;
  *) echo " " ;;
esac
}

# choose_target [PROMPT]: let the user pick the target type. Sets TARGET and the
# matching initial state: TYPE (NONE for FD until a file is chosen, else the
# target itself), OBJECT (:DEFAULT: for all but NETTEMP, which starts empty),
# and LASTDIR=/dev plus DEVSPEC=:DEFAULT: for DEV. Help selections (HELP<tag>)
# show the help text and re-display the menu; cancelling leaves TARGET empty.
choose_target () {
while $DIALOG --title "$TITLE" \
  --backtitle "$BACKTITLE" \
  --help-button --default-item "$TARGET" \
  --menu "$1" $BL $BC 11 \
  FD "`get_target_name FD`" \
  DEV "`get_target_name DEV`" \
  USER "`get_target_name USER`" \
  PROCESS "`get_target_name PROCESS`" \
  IPC "`get_target_name IPC`" \
  SCD "`get_target_name SCD`" \
  GROUP "`get_target_name GROUP`" \
  NETDEV "`get_target_name NETDEV`" \
  NETTEMP_NT "`get_target_name NETTEMP_NT`" \
  NETTEMP "`get_target_name NETTEMP`" \
  NETOBJ "`get_target_name NETOBJ`" \
  2>$TMPFILE
do
  TARGET=`cat $TMPFILE`
  case $TARGET in
    HELP*)
      # dialog prefixes the tag with "HELP " when the help button is pressed
      show_help "${TARGET:5}"
      TARGET="${TARGET:5}"
      ;;
    FD)
      TYPE=NONE
      OBJECT=":DEFAULT:"
      break
      ;;
    DEV)
      TYPE=$TARGET
      LASTDIR=/dev
OBJECT=":DEFAULT:" DEVSPEC=":DEFAULT:" break ;; IPC|SCD|USER|PROCESS|GROUP|NETDEV|NETTEMP_NT|NETOBJ) TYPE=$TARGET OBJECT=":DEFAULT:" break ;; NETTEMP) TYPE=$TARGET OBJECT= break ;; esac done } declare -i MAXNAMELEN=$BC-34 name_print () { if test ${#1} -gt $MAXNAMELEN then declare -i START=${#1}-$MAXNAMELEN echo "$1" | cut -c$START-${#1} else echo "$1" fi } gen_follow_symlink () { case $1 in 1) if test "$TYPE" = "SYMLINK" -o "$SUBTYPE" = "SYMLINK" then echo 'Follow' fi ;; 2) if test "$TYPE" = "SYMLINK" -o "$SUBTYPE" = "SYMLINK" then echo "`name_print \"$SYMLINK\"`" fi ;; esac } gen_dev_spec () { case $1 in 1) if test "$TYPE" = "DEV" then echo 'DEV-Specification' fi ;; 2) if test "$TYPE" = "DEV" then if test -n "$DEVSPEC" then echo "$DEVSPEC" else echo "Unknown" fi fi ;; esac } gen_dev_major () { case $1 in 1) if test "$TYPE" = "DEV" then echo 'DEV-Major-List' fi ;; 2) if test "$TYPE" = "DEV" then echo "Choose_DEV_Major_from_List" fi ;; esac } ###################### Menu ################# if test -n "$RSBACLOGFILE" then { echo "" echo "# $0 start `date`" echo "cd `pwd`" } >>"$RSBACLOGFILE" fi case $1 in FD|FILE|DIR|FIFO|SYMLINK) TARGET=FD TYPE=NONE if test -n "$2" then OBJECT="$2" else OBJECT=":DEFAULT:" fi ;; DEV) TARGET=$1 TYPE=$1 LASTDIR=/dev if test -n "$2" then if test -b "$2" -o -c "$2" then OBJECT="$2" DEVSPEC=$($RSBACPATH""attr_get_file_dir -C "$OBJECT") else OBJECT= DEVSPEC="$2" fi else OBJECT=":DEFAULT:" DEVSPEC=":DEFAULT:" fi ;; SCD) TARGET=$1 TYPE=$1 OBJECT=":DEFAULT:" ;; IPC|USER|PROCESS|GROUP) TARGET=$1 TYPE=$1 if test -n "$2" then OBJECT="$2" else OBJECT=":DEFAULT:" fi OBJECT=":DEFAULT:" ;; NETDEV|NETTEMP_NT|NETOBJ) TARGET=$1 TYPE=$1 if test -n "$2" then OBJECT="$2" else OBJECT=":DEFAULT:" fi ;; NETTEMP) TARGET=$1 TYPE=$1 if test -n "$2" then OBJECT="$2" else OBJECT= fi ;; "-h" | "--help") echo Use: $0 '[target-type [object-name [Rights|Name]]]' exit ;; *) choose_target if test -z "$TARGET" then test -e $TMPFILE && rm $TMPFILE test -e $TMPFILETWO && rm 
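$TMPFILETWO
      exit
    fi
    ;;
esac

# Load the attributes of the initial object so the menu can show its type.
get_attributes "$OBJECT"

# Third argument selects what the entry list shows next to each ACL entry:
# the subject's name (default) or its right bits.
if test "$3" = "Rights" -o "$3" = "rights"
then
  SHOW=Rights
else
  SHOW=Name
fi

# who_has_groups / who_has_roles / who_has_users: print one "KIND_id bits" line
# per ACL group, RC role or user with that subject's rights on the current
# object (acl_rights -sg/-sl/-su, with -d and $DEVSPEC for DEV targets). Used by
# "Who has here"; the caller redirects the output into $TMPFILETWO.
# They share the script's TMP/TMP2/i scratch variables like the rest of the menu.
who_has_groups () {
TMP=`$RSBACPATH""acl_group -gsn list_groups`
for i in $TMP
do
  if test "$TYPE" = DEV
  then
    TMP2=`$RSBACPATH""acl_rights -sgd $i $TYPE "$DEVSPEC"`
  else
    TMP2=`$RSBACPATH""acl_rights -sg $i $TYPE "$OBJECT"`
  fi
  echo GROUP_${i} $TMP2
done
}

who_has_roles () {
# rc_get_item is called through $RSBACPATH like every other RSBAC tool here
TMP=`${RSBACPATH}rc_get_item list_role_nr`
for i in $TMP
do
  if test "$TYPE" = DEV
  then
    TMP2=`$RSBACPATH""acl_rights -sdl $i $TYPE "$DEVSPEC"`
  else
    TMP2=`$RSBACPATH""acl_rights -sl $i $TYPE "$OBJECT"`
  fi
  echo ROLE_${i} $TMP2
done
}

who_has_users () {
TMP=`${RSBACPATH}attr_get_user -nl|sort -n`
for i in $TMP
do
  if test "$TYPE" = DEV
  then
    TMP2=`$RSBACPATH""acl_rights -sdu $i $TYPE "$DEVSPEC"`
  else
    TMP2=`$RSBACPATH""acl_rights -su $i $TYPE "$OBJECT"`
  fi
  echo USER_${i} $TMP2
done
}

# Main menu loop. Every selection is read back from $TMPFILE (dialog writes the
# chosen tag to stderr) and dispatched on below. Entry-list rows (gen_tlist) are
# passed unquoted on purpose: each "tag item" pair must word-split into two
# arguments, which is why the generators replace spaces by '_'. Each successful
# ACL modification is also appended as a command line to $RSBACLOGFILE when that
# variable is set, so an administration session can be replayed.
# Cancelling the menu or choosing Quit removes the temp files and exits; note
# that the exit status is then that of the preceding `test -e ... && rm`.
while true ; do
  if ! $DIALOG --title "$TITLE" \
    --backtitle "$BACKTITLE" \
    --help-button --default-item "$SELECTED" \
    --menu "Main Menu" $BL $BC $MAXLINES \
    "`gen_menu_choose_items 1`" "`gen_menu_choose_items 2`" \
    "`gen_menu_choose_items 3`" "`gen_menu_choose_items 4`" \
    `gen_follow_symlink 1` `gen_follow_symlink 2` \
    `gen_dev_spec 1` `gen_dev_spec 2` \
    `gen_dev_major 1` `gen_dev_major 2` \
    "Choose Target" "$TARGET" \
    "-------------" "" \
    "Add ACL Entry" "Add group, role or user entry" \
    "Remove Entry" "" \
    "Change TTL" "Change time-to-live for an entry" \
    "Name / Rights" "$SHOW" \
    "Who has here" "" \
    "Change Mask" "$(show_mask)" \
    "-------------" "" \
    `gen_tlist` \
    "-------------" "" \
    "Clear ACL" "" \
    "Groups" "Go to ACL groups menu" \
    "Roles" "Go to RC roles menu" \
    "$TARGET attr" "Go to $TARGET general attributes" \
    "Quit" "" \
    2>$TMPFILE
  then
    rm $TMPFILE
    test -e $TMPFILETWO && rm $TMPFILETWO
    exit
  fi
  SELECTED=`cat $TMPFILE`
  case $SELECTED in
    HELP*)
      # help button: dialog prefixes the tag with "HELP "
      show_help "${SELECTED:5}"
      SELECTED="${SELECTED:5}"
      ;;
    'File/Dir/Fifo/Symlink List')
      # Browse from LASTDIR; keep re-listing while the choice is a directory.
      if test ! -d $LASTDIR
      then
        LASTDIR='/'
      fi
      TMP=`ls -1ad "$LASTDIR"/* "$LASTDIR"/.*`
      while $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --default-item "$OBJECT" \
        --menu "File/Dir/Fifo Name (choose cancel for $OBJECT)" $BL $BC $MAXLINES \
        ':DEFAULT:' "Default ACL" \
        `for i in $TMP ; do list_item "$i" ; done` \
        2>$TMPFILE
      do
        OBJECT=`cat $TMPFILE`
        get_attributes
        TMP=`ls -1ad "$LASTDIR"/* "$LASTDIR"/.*|tr '*' ' '`
        # quoted so an empty TYPE cannot turn into a test syntax error
        if test "$TYPE" != "DIR"
        then
          break
        fi
      done
      ;;
    'Device List')
      # FILETMP keeps the last highlighted entry; OBJECT follows each choice.
      FILETMP="$OBJECT"
      if test ! -d $LASTDIR
      then
        # was `$LASTDIR='/dev'`, which tried to run the expanded value as a
        # command instead of resetting the variable
        LASTDIR='/dev'
      fi
      TMP=`ls -1ad "$LASTDIR"/* "$LASTDIR"/.*`
      while $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --default-item "$FILETMP" \
        --menu "Device Name (choose cancel for $OBJECT)" $BL $BC $MAXLINES \
        `for i in $TMP ; do list_dev_item "$i" ; done` \
        2>$TMPFILE
      do
        FILETMP=`cat $TMPFILE`
        case "$FILETMP" in
          *)
            OBJECT="$FILETMP"
            # only real device nodes have a major:minor specification
            if test -b "$OBJECT" -o -c "$OBJECT"
            then
              DEVSPEC=$($RSBACPATH""attr_get_file_dir -C "$OBJECT")
            else
              DEVSPEC=
            fi
            get_attributes
            TMP=`ls -1ad "$LASTDIR"/* "$LASTDIR"/.*`
            if test -L "$OBJECT" -o ! -d "$OBJECT"
            then
              break
            fi
        esac
      done
      ;;
    'DEV-Specification')
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --inputbox "Device Specification" $BL $BC "$DEVSPEC" \
        2>$TMPFILE
      then
        DEVSPEC=`cat $TMPFILE`
        OBJECT=
        get_attributes
      fi
      ;;
    'DEV-Major-List')
      choose_major
      ;;
    'SCD List')
      TMP=`$RSBACPATH""acl_rights -n`
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --default-item "$OBJECT" \
        --menu "SCD Name" $BL $BC $MAXLINES \
        ':DEFAULT:' "Default ACL" \
        `for i in $TMP ; do echo "$i" "-" ; done` \
        2>$TMPFILE
      then
        OBJECT=`cat $TMPFILE`
        get_attributes
      fi
      ;;
    'User List')
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --default-item "$OBJECT" \
        --menu "User Name" $BL $BC $MAXLINES \
        ':DEFAULT:' "Default ACL" \
        $($RSBACPATH""attr_get_user -bl|sort -n -k 2) \
        2>$TMPFILE
      then
        OBJECT=`cat $TMPFILE`
        get_attributes
      fi
      ;;
    'Linux Group List')
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --default-item "$OBJECT" \
        --menu "Linux Group Name" $BL $BC $MAXLINES \
        ':DEFAULT:' "Default ACL" \
        $($RSBACPATH""attr_get_user -bL|sort -n -k 2) \
        2>$TMPFILE
      then
        OBJECT=`cat $TMPFILE`
        get_attributes
      fi
      ;;
    'Network Device List')
      # interface names are the first field of /proc/net/dev lines with a ':'
      TMP=`cat /proc/net/dev|grep ':'|cut -d ':' -f 1`
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --default-item "$OBJECT" \
        --menu "Network Device Name" $BL $BC $MAXLINES \
        ':DEFAULT:' "Default ACL" \
        `for i in $TMP ; do echo $i "-" ; done` \
        2>$TMPFILE
      then
        OBJECT=`cat $TMPFILE`
        get_attributes
      fi
      ;;
    'Network Template List')
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --default-item "$OBJECT" \
        --menu "Network Template Number" $BL $BC $MAXLINES \
        ':DEFAULT:' "Default ACL" \
        `$RSBACPATH""net_temp list_temp_names` \
        2>$TMPFILE
      then
        OBJECT=`cat $TMPFILE`
        get_attributes
      fi
      ;;
    'Network Object List')
      # no list available for network objects; they are entered by name
      ;;
    "File/Dir/Fifo/Symlink" | "Device" | "SCD" | "User" | "Linux Group" | "Network Device" | "Network Template" \
    | "Network Object")
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --inputbox "Enter `get_target_name $TARGET`" $BL $BC "$OBJECT" \
        2>$TMPFILE
      then
        OBJECT=`cat $TMPFILE`
        if test "$TYPE" = DEV
        then
          DEVSPEC=$($RSBACPATH""attr_get_file_dir -C "$OBJECT")
        fi
        get_attributes
      fi
      ;;
    "Process" | "IPC")
      # only the default ACL can be edited for these targets
      OBJECT=:DEFAULT:
      get_attributes
      ;;
    "Follow")
      OBJECT="$SYMLINK"
      get_attributes
      ;;
    "Choose Target")
      choose_target
      ;;
    'Add ACL Entry')
      if test "$TYPE" != "NONE"
      then
        while $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --default-item "$STYPE" \
          --menu "Choose new entry's subject type" $BL $BC 3 \
          GROUP "ACL group" \
          ROLE "RC role" \
          USER "Normal user" \
          2>$TMPFILE
        do
          STYPE=`cat $TMPFILE`
          if $DIALOG --title "$TITLE" \
            --backtitle "$BACKTITLE" \
            --default-item "$SUBJ" \
            --menu "Choose $STYPE" $BL $BC $MAXLINES \
            `gen_subj_list $STYPE` \
            2>$TMPFILE
          then
            SUBJ=`cat $TMPFILE`
            # create the (empty) entry, then open the rights checklist for it
            if test "$TYPE" = DEV
            then
              if $RSBACPATH""acl_grant -d $STYPE $SUBJ $TYPE "$DEVSPEC" &>$TMPFILE
              then
                if test -n "$RSBACLOGFILE"
                then
                  echo $RSBACPATH""acl_grant -d $STYPE $SUBJ $TYPE \"$DEVSPEC\" >>"$RSBACLOGFILE"
                fi
                check_rights ${STYPE}_${SUBJ}
              else
                $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "`head -n 1 $TMPFILE`" $BL $BC
              fi
            else
              if $RSBACPATH""acl_grant $STYPE $SUBJ $TYPE "$OBJECT" &>$TMPFILE
              then
                if test -n "$RSBACLOGFILE"
                then
                  echo $RSBACPATH""acl_grant $STYPE $SUBJ $TYPE \"$OBJECT\" >>"$RSBACLOGFILE"
                fi
                check_rights ${STYPE}_${SUBJ}
              else
                $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "`head -n 1 $TMPFILE`" $BL $BC
              fi
            fi
            break
          fi
        done
      else
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "Add ACL Entry: No object specified!" 5 $BC
      fi
      ;;
    "Remove Entry")
      if test "$TYPE" != "NONE"
      then
        while $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --default-item "$TMP" \
          --menu "Choose entry to delete" $BL $BC $MAXLINES \
          `gen_tlist` \
          2>$TMPFILE
        do
          TMP=`cat $TMPFILE`
          if test "$TYPE" = DEV
          then
            if $RSBACPATH""acl_grant -md `split_subj $TMP` $TYPE "$DEVSPEC" &>$TMPFILE
            then
              if test -n "$RSBACLOGFILE"
              then
                echo $RSBACPATH""acl_grant -md `split_subj $TMP` $TYPE \"$DEVSPEC\" >>"$RSBACLOGFILE"
              fi
            else
              $DIALOG --title "$ERRTITLE" \
                --backtitle "$BACKTITLE" \
                --msgbox "`head -n 1 $TMPFILE`" $BL $BC
            fi
          else
            if $RSBACPATH""acl_grant -m `split_subj $TMP` $TYPE "$OBJECT" &>$TMPFILE
            then
              if test -n "$RSBACLOGFILE"
              then
                echo $RSBACPATH""acl_grant -m `split_subj $TMP` $TYPE \"$OBJECT\" >>"$RSBACLOGFILE"
              fi
            else
              $DIALOG --title "$ERRTITLE" \
                --backtitle "$BACKTITLE" \
                --msgbox "`head -n 1 $TMPFILE`" $BL $BC
            fi
          fi
        done
      else
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "Remove Entry: No object specified!" 5 $BC
      fi
      ;;
    "Change TTL")
      if test "$TYPE" != "NONE"
      then
        while $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --default-item "$TMP" \
          --menu "Choose entry to set time-to-live" $BL $BC $MAXLINES \
          `gen_tlist` \
          2>$TMPFILE
        do
          TMP=`cat $TMPFILE`
          # current TTL is the number between ':' and 's' in the entry; 0 if none
          TTL=`echo $TMP|cut -d ':' -f 2|cut -d 's' -f 1`
          if test "$TTL" = "$TMP" -o -z "$TTL"
          then
            TTL=0
          fi
          if $DIALOG --title "$TITLE" \
            --backtitle "$BACKTITLE" \
            --inputbox "Enter TTL in seconds for $TMP (0 for unlimited)" $BL $BC "$TTL" \
            2>$TMPFILE
          then
            TTL=`cat $TMPFILE`
            if test "$TYPE" = DEV
            then
              if $RSBACPATH""acl_grant -d -t $TTL `split_subj $TMP` $TYPE "$DEVSPEC" &>$TMPFILE
              then
                if test -n "$RSBACLOGFILE"
                then
                  echo $RSBACPATH""acl_grant -d -t $TTL `split_subj $TMP` $TYPE \"$DEVSPEC\" >>"$RSBACLOGFILE"
                fi
              else
                $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "`head -n 1 $TMPFILE`" $BL $BC
              fi
            else
              if $RSBACPATH""acl_grant -t $TTL `split_subj $TMP` $TYPE "$OBJECT" &>$TMPFILE
              then
                if test -n "$RSBACLOGFILE"
                then
                  echo $RSBACPATH""acl_grant -t $TTL `split_subj $TMP` $TYPE \"$OBJECT\" >>"$RSBACLOGFILE"
                fi
              else
                $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "`head -n 1 $TMPFILE`" $BL $BC
              fi
            fi
          fi
        done
      else
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "Change TTL: No object specified!" 5 $BC
      fi
      ;;
    "Name / Rights")
      # toggle what gen_tlist shows next to each entry
      if test "$SHOW" = Rights
      then
        SHOW=Name
      else
        SHOW=Rights
      fi
      ;;
    'Who has here')
      if test "$TYPE" != "NONE"
      then
        while $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --default-item "$STYPE" \
          --menu "Who has rights to $TYPE $OBJECT: Choose subject type" $BL $BC 4 \
          ALL "All types" \
          GROUP "ACL group" \
          ROLE "RC role" \
          USER "Normal user" \
          2>$TMPFILE
        do
          STYPE=`cat $TMPFILE`
          # collect "KIND_id bits" lines for the chosen subject kind(s)
          case $STYPE in
            GROUP)
              who_has_groups > $TMPFILETWO
              ;;
            ROLE)
              who_has_roles > $TMPFILETWO
              ;;
            USER)
              who_has_users > $TMPFILETWO
              ;;
            ALL)
              { who_has_groups; who_has_roles; who_has_users; } > $TMPFILETWO
              ;;
          esac
          # subjects whose bits are all zero have no rights and are left out
          while $DIALOG --title "$TITLE" \
            --backtitle "$BACKTITLE" \
            --default-item "$SUBJ" \
            --menu "Who has rights to $TYPE $OBJECT" $BL $BC $MAXLINES \
            `cat $TMPFILETWO | grep -v "000000000000000000000000000000000000000000000000000"` \
            2>$TMPFILE
          do
            SUBJ=`cat $TMPFILE`
            TMP=`echo $SUBJ|cut -d '_' -f 2`
            case $SUBJ in
              GROUP_*)
                if $RSBACPATH""acl_group -s get_group_entry $TMP >$TMPFILE 2>/dev/null
                then
                  TMP="$SUBJ / `cat $TMPFILE | tr ' ' '_'`"
                else
                  TMP="$SUBJ / '(private)'"
                fi
                ;;
              ROLE_*)
                if $RSBACPATH""rc_get_item ROLE $TMP name > $TMPFILE 2>/dev/null
                then
                  TMP="$SUBJ / `cat $TMPFILE | tr ' ' '_'`"
                else
                  TMP="$SUBJ / '(unknown)'"
                fi
                ;;
              USER_*)
                TMP="$SUBJ / `$RSBACPATH""attr_get_user $TMP user_name`"
                ;;
            esac
            echo "$TMP" rights to $TYPE $OBJECT >$TMPFILE
            echo --------------------------------------- >>$TMPFILE
            if test "$TYPE" = DEV
            then
              if $RSBACPATH""acl_rights -sdp --`split_subj $SUBJ` $TYPE "$DEVSPEC" >>$TMPFILE
              then
                $DIALOG --title "$TITLE" \
                  --backtitle "$BACKTITLE" \
                  --textbox $TMPFILE $BL $BC
              fi
            else
              if $RSBACPATH""acl_rights -sp --`split_subj $SUBJ` $TYPE "$OBJECT" >>$TMPFILE
              then
                $DIALOG --title "$TITLE" \
                  --backtitle "$BACKTITLE" \
                  --textbox $TMPFILE $BL $BC
              fi
            fi
          done
          rm $TMPFILETWO
        done
      else
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "Who has here: No object specified!" 5 $BC
      fi
      ;;
    'Change Mask')
      check_mask_rights
      ;;
    GROUP* | ROLE* | USER*)
      # an entry row from gen_tlist was selected: edit that subject's rights
      check_rights $SELECTED
      ;;
    "Clear ACL")
      if test "$TYPE" != "NONE"
      then
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --yesno "Remove all ACL entries for $TYPE $OBJECT?" 6 $BC \
          2>$TMPFILE
        then
          # NOTE(review): removal failures are not reported here and the
          # command is logged regardless of the tool's exit status.
          if test "$TYPE" = DEV
          then
            TMP=`$RSBACPATH""acl_tlist -sd $TYPE "$DEVSPEC" | tr ' ' '_'`
            for i in $TMP
            do
              $RSBACPATH""acl_grant -md `split_subj $i` $TYPE "$DEVSPEC"
              if test -n "$RSBACLOGFILE"
              then
                echo $RSBACPATH""acl_grant -md `split_subj $i` $TYPE \"$DEVSPEC\" >>"$RSBACLOGFILE"
              fi
            done
          else
            TMP=`$RSBACPATH""acl_tlist -s $TYPE "$OBJECT" | tr ' ' '_'`
            for i in $TMP
            do
              $RSBACPATH""acl_grant -m `split_subj $i` $TYPE "$OBJECT"
              if test -n "$RSBACLOGFILE"
              then
                echo $RSBACPATH""acl_grant -m `split_subj $i` $TYPE \"$OBJECT\" >>"$RSBACLOGFILE"
              fi
            done
          fi
        fi
      fi
      ;;
    'Groups')
      $RSBACPATH""rsbac_acl_group_menu
      ;;
    'Roles')
      $RSBACPATH""rsbac_rc_role_menu
      ;;
    'FD attr')
      $RSBACPATH""rsbac_fd_menu "$OBJECT"
      ;;
    'DEV attr')
      $RSBACPATH""rsbac_dev_menu "$OBJECT"
      ;;
    'IPC attr')
      $RSBACPATH""rsbac_ipc_menu
      ;;
    'SCD attr')
      $RSBACPATH""rsbac_scd_menu "$OBJECT"
      ;;
    'USER attr')
      $RSBACPATH""rsbac_user_menu
      ;;
    'PROCESS attr')
      $RSBACPATH""rsbac_process_menu
      ;;
    'NETDEV attr')
      $RSBACPATH""rsbac_netdev_menu $OBJECT
      ;;
    'NETTEMP attr'|'NETTEMP_NT attr')
      $RSBACPATH""rsbac_nettemp_menu $OBJECT
      # the template menu may have changed the object; reload its attributes
      get_attributes "$OBJECT"
      ;;
    'NETOBJ attr')
      $RSBACPATH""rsbac_netobj_menu $OBJECT
      ;;
    Quit)
      rm $TMPFILE
      test -e $TMPFILETWO && rm $TMPFILETWO
      exit
      ;;
    *)
      $DIALOG --title "$ERRTITLE" \
        --backtitle "$BACKTITLE" \
        --msgbox "Main Menu: Selection Error!" 5 $BC
  esac
  # sleep 2
done
rsbac-admin-1.4.0/main/tools/src/scripts/rsbac_nettemp_def_menu0000755000175000017500000005313611131371032024522 0ustar gauvaingauvain#!/bin/bash
#
# This script is used for Administration of RSBAC Network Templates
#
#
# Make sure we're really running bash.
#
[ -z "$BASH" ] && { echo "This menu requires bash" 1>&2; exit 1; }
#
# Cache function definitions, turn off posix compliance
#
set -h +o posix
# The dir for tmp files
if test -z "$TMPDIR" ; then TMPDIR=/tmp ; fi
# Set conf filename
RSBACCONF=/etc/rsbac.conf
# Read settings
if test -f $RSBACCONF
then
. $RSBACCONF
fi
if test -f ~/.rsbacrc
then
. 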
~/.rsbacrc
fi

# Modules whose attributes the menus show. Each one is exported as a
# SHOW_<MOD>=yes flag for the sub-menus this script calls.
if test -z "$RSBACMOD"
then
  RSBACMOD='GEN MAC PM DAZ FF RC AUTH ACL CAP JAIL RES PAX'
fi
for i in $RSBACMOD
do
  export SHOW_${i}=yes
done

# This must be a unique temporary filename
# (dialog writes the selected item to stderr, which is redirected here).
# NOTE(review): the fallback below, taken only when mktemp is missing or
# fails, uses a predictable name built from $$ in a possibly shared
# $TMPDIR and merely unlinks a pre-existing file of that name.
TMPFILE=`mktemp -q $TMPDIR/rsbac_dialog.XXXXXX`
if test -z $TMPFILE
then
  TMPFILE=$TMPDIR/rsbac_dialog.$$
  if test -e $TMPFILE
  then
    rm $TMPFILE
  fi
fi
# Second scratch file (error output of net_temp in template_menu);
# same fallback as above.
TMPFILETWO=`mktemp -q $TMPDIR/rsbac_dialog.XXXXXX`
if test -z $TMPFILETWO
then
  TMPFILETWO=$TMPDIR/rsbac_dialog.$$.2
  if test -e $TMPFILETWO
  then
    rm $TMPFILETWO
  fi
fi

# set this to rsbac bin dir, if not in path (trailing / is mandatory!)
#
#if test -z "$RSBACPATH" ; then RSBACPATH=./ ; fi

# set this to initial dir on script startup
LASTDIR='.'

# which dialog tool to use - dialog or kdialog or xdialog...
if test -z $DIALOG
then
  DIALOG=${RSBACPATH}dialog
fi
if ! $DIALOG --clear
then
  echo $DIALOG menu program required! >&2
  exit
fi
# The menus use --help-button (HELP* selections); refuse an older dialog.
if ! $DIALOG --help 2>&1 | grep -q "help-button"
then
  echo "Newer dialog menu version >= 0.9a-20020309a with '--help-button' option" >&2
  echo "required, please use dialog from admin tools contrib dir or set" >&2
  echo "\$DIALOG to another dialog program, e.g. with rsbac_settings_menu!" >&2
  exit
fi

# set_geometry LINES COLUMNS
# Export LINES/COLUMNS for dialog and derive the box size (BL x BC) and
# the maximum number of menu lines (MAXLINES). Missing or zero
# arguments fall back to 24x80.
set_geometry () {
  BL=${1:-24}
  BC=${2:-80}
  [ $BL = 0 ] && BL=24
  [ $BC = 0 ] && BC=80
  export LINES=$BL
  export COLUMNS=$BC
  BL=$((BL-4))
  BC=$((BC-5))
  MAXLINES=$((LINES-10))
}
# `stty size` prints "rows cols"; on a non-tty it prints nothing and the
# defaults above apply.
set_geometry `stty size 2>/dev/null`

# gl N
# Clamp a requested menu height N to MAXLINES.
gl () {
  if test $1 -gt $MAXLINES
  then
    echo $MAXLINES
  else
    echo $1
  fi
}

# Recompute the geometry from LINES/COLUMNS. This overrides the values
# set_geometry derived above (note the different column margin, -4
# instead of -5). MAXWIDTH is not used by the code below.
if test -z "$LINES" ; then LINES=25 ; fi
if test -z "$COLUMNS" ; then COLUMNS=80 ; fi
export LINES
export COLUMNS
declare -i BL=$LINES-4
declare -i BC=$COLUMNS-4
declare -i MAXWIDTH=$BC-26
declare -i MAXLINES=$LINES-10

if test -z "$BACKTITLE"
then
  BACKTITLE="RSBAC Administration Tools 1.4.0"
fi
TITLE="`whoami`@`hostname`: RSBAC Network Template Administration"
HELPTITLE="$TITLE Help"
ERRTITLE="RSBAC Network Template Administration - ERROR"

## no changes below this line!
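NO_USER=65533
ALL_USERS=65532
GETMODE=real
GETSWITCH=
# Longest value shown inside a menu line; comp_print cuts longer ones.
declare -i MAXCOMPLEN=$BC-40

# comp_print VALUE
# Echo VALUE unchanged when it fits into MAXCOMPLEN characters, otherwise
# its first MAXCOMPLEN characters followed by '*' (keeps long address and
# port lists inside the menu width).
comp_print () {
  if test ${#1} -le $MAXCOMPLEN
  then
    echo $1
  else
    echo ${1:0:$MAXCOMPLEN}'*'
  fi
}

# show_help ITEM
# Write the help text for menu item ITEM to TMPFILE and display it in a
# dialog text box. Unknown items get a "No help" line.
show_help () {
  {
    echo "$1"
    echo ""
    case "$1" in
      'Add Template')
        echo "Add another template with ID number and name."
        ;;
      "Remove Template")
        echo "Remove a template."
        ;;
      Name)
        echo "New name for template."
        ;;
      "Address Family")
        echo "Choose Address Family. Select ANY to match any family."
        ;;
      "Socket Type")
        echo "Type of socket: Mostly stream, datagram or raw."
        echo ""
        echo "Set to ANY to match any type."
        ;;
      Address)
        echo "Enter Address - only INET (IPv4, a.b.c.d/n address)"
        echo "family addresses are currently supported. For all other families, the"
        echo "address is ignored by the matching code."
        echo ""
        echo "Leave empty to never match any INET address."
        echo ""
        echo "The number of supported families will be increased later."
        ;;
      "Protocol")
        echo "INET (IPv4) family protocol type."
        echo ""
        echo "Set to ANY to match any protocol."
        ;;
      "Network Device")
        echo "Local device name. Only usable for local addresses, otherwise any string"
        echo "entered here will result in no match!"
        echo ""
        echo "Leave empty to match any device."
        ;;
      "Ports")
        echo "Port ranges matched. Useful mostly for INET family."
        echo "Note: ICMP protocol packet types are also matched as port numbers."
        ;;
      "NetTemp Attributes")
        echo "Go to Network Template attribute menu for this template."
        ;;
      Quit)
        echo 'Quit this menu.'
        ;;
      *)
        echo "No help for $1 available!"
    esac
  } > $TMPFILE
  $DIALOG --title "$HELPTITLE" \
    --backtitle "$BACKTITLE" \
    --textbox $TMPFILE $BL $BC
}

# onoff VALUE EXPECTED
# Print "on" when VALUE equals EXPECTED, "off" otherwise.
onoff () {
  if test "$1" = "$2"
  then
    echo on
  else
    echo off
  fi
}

# gen_tlist
# List all templates (net_temp list_temp_names), sorted numerically.
# Callers expand the output unquoted inside a --menu, so it has to yield
# whitespace separated tag/item pairs.
gen_tlist () {
  $RSBACPATH""net_temp list_temp_names|sort -n
}

# template_menu ID
# Interactive editor for network template ID. Loops over the template
# menu until the user quits or cancels, removes the template, or jumps
# to the NetTemp attribute menu. Every successful net_temp change is
# appended as a replayable command line to $RSBACLOGFILE when that
# variable is set.
# Sets TEMPLATE, NAME, ADDRFAM, ADDR, TYPE, PROTO, NETDEV, PORTS and
# SELECTED as side effects.
# Note: $RSBACPATH""net_temp is ${RSBACPATH}net_temp -- the empty string
# only terminates the variable name.
template_menu () {
  TEMPLATE=$1
  # stderr of get_name goes to TMPFILETWO so its first line can be shown.
  if $RSBACPATH""net_temp get_name $TEMPLATE >$TMPFILE 2>$TMPFILETWO
  then
    NAME=`cat $TMPFILE`
  else
    $DIALOG --title "$ERRTITLE" \
      --backtitle "$BACKTITLE" \
      --msgbox "`head -n 1 $TMPFILETWO`" $BL $BC
    return
  fi
  ADDRFAM=`$RSBACPATH""net_temp get_address_family $TEMPLATE`
  ADDR=`$RSBACPATH""net_temp get_address $TEMPLATE`
  TYPE=`$RSBACPATH""net_temp get_type $TEMPLATE`
  PROTO=`$RSBACPATH""net_temp get_protocol $TEMPLATE`
  NETDEV=`$RSBACPATH""net_temp get_netdev $TEMPLATE`
  PORTS=`$RSBACPATH""net_temp get_ports $TEMPLATE`
  while true ; do
    # Cancel / ESC: drop the second scratch file and return to the caller.
    if ! $DIALOG --title "$TITLE" \
      --backtitle "$BACKTITLE" \
      --help-button --default-item "$SELECTED" \
      --menu "Template Menu - Template $TEMPLATE" $BL $BC 12 \
      "Name" "$NAME" \
      "Address Family" "$ADDRFAM" \
      "Socket Type" "$TYPE" \
      "Address" "$(comp_print "$ADDR")" \
      "Protocol" "$PROTO" \
      "Network Device" "$NETDEV" \
      "Ports" "$(comp_print "$PORTS")" \
      "--------------" "" \
      "Remove Template" "Remove this template" \
      "--------------" "" \
      "NetTemp Attributes" "Go to NetTemp attributes" \
      "Quit" "" \
      2>$TMPFILE
    then
      rm $TMPFILETWO ; return
    fi
    SELECTED=`cat $TMPFILE`
    case $SELECTED in
      # --help-button returns "HELP <tag>"; strip the 5-character prefix.
      HELP*)
        show_help "${SELECTED:5}"
        SELECTED="${SELECTED:5}"
        ;;
      Name)
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --max-input 15 \
          --inputbox "New name for Template $TEMPLATE (maxlen = 15)" $BL $BC "$NAME" \
          2>$TMPFILE
        then
          TMP=`cat $TMPFILE`
          # &> collects stdout and stderr of net_temp for the error box.
          if $RSBACPATH""net_temp set_name $TEMPLATE "$TMP" &>$TMPFILE
          then
            NAME="$TMP"
            if test -n "$RSBACLOGFILE"
            then
              echo $RSBACPATH""net_temp set_name $TEMPLATE \"$TMP\" >>"$RSBACLOGFILE"
            fi
          else
            $DIALOG --title "$ERRTITLE" \
              --backtitle "$BACKTITLE" \
              --msgbox "`head -n 1 $TMPFILE`" $BL $BC
          fi
        fi
        ;;
      "Address Family")
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --default-item "$ADDRFAM" \
          --menu "Choose Address Family for Template $TEMPLATE / $NAME" $BL $BC `gl 27` \
          "ANY" "0 Match any Address Family" \
          "UNIX" "1 Unix sockets - never matched" \
          "INET" "2 Internet IP Protocol" \
          "AX25" "3 Amateur Radio AX.25" \
          "IPX" "4 Novell IPX" \
          "APPLETALK" "5 AppleTalk DDP" \
          "NETROM" "6 Amateur Radio NET/ROM" \
          "BRIDGE" "7 Multiprotocol bridge" \
          "ATMPVC" "8 ATM PVCs" \
          "X25" "9 Reserved for X.25 project" \
          "INET6" "10 IP version 6" \
          "ROSE" "11 Amateur Radio X.25 PLP" \
          "DECnet" "12 Reserved for DECnet project" \
          "NETBEUI" "13 Reserved for 802.2LLC project" \
          "SECURITY" "14 Security callback pseudo AF" \
          "KEY" "15 PF_KEY key management API" \
          "NETLINK" "16" \
          "PACKET" "17 Packet family" \
          "ASH" "18 Ash" \
          "ECONET" "19 Acorn Econet" \
          "ATMSVC" "20 ATM SVCs" \
          "SNA" "22 Linux SNA Project (nutters!)" \
          "IRDA" "23 IRDA sockets" \
          "PPPOX" "24 PPPoX sockets" \
          "WANPIPE" "25 Wanpipe API Sockets" \
          "BLUETOOTH" "31 Bluetooth sockets" \
          "MAX" "32 Maximum Value - never matched" \
          2>$TMPFILE
        then
          TMP=`cat $TMPFILE`
          if $RSBACPATH""net_temp set_address_family $TEMPLATE $TMP &>$TMPFILE
          then
            ADDRFAM=$TMP
            # Re-read the stored address after the family change.
            ADDR=`$RSBACPATH""net_temp get_address $TEMPLATE`
            if test -n "$RSBACLOGFILE"
            then
              echo $RSBACPATH""net_temp set_address_family $TEMPLATE $TMP >>"$RSBACLOGFILE"
            fi
          else
            $DIALOG --title "$ERRTITLE" \
              --backtitle "$BACKTITLE" \
              --msgbox "`head -n 1 $TMPFILE`" $BL $BC
          fi
        fi
        ;;
      "Socket Type")
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --default-item "$TYPE" \
          --menu "Choose Socket Type for Template $TEMPLATE / $NAME" $BL $BC `gl 27` \
          "ANY" "0 Match any Socket Type" \
          "STREAM" "1 stream (connection) socket" \
          "DGRAM" "2 datagram (conn.less) socket" \
          "RAW" "3 raw socket" \
          "RDM" "4 reliably-delivered message" \
          "SEQPACKET" "5 sequential packet socket" \
          "PACKET" "10 getting packets at the dev/user level (rarp etc.)" \
          "MAX" "32 Maximum Value - never matched" \
          2>$TMPFILE
        then
          TMP=`cat $TMPFILE`
          if $RSBACPATH""net_temp set_type $TEMPLATE $TMP &>$TMPFILE
          then
            TYPE=$TMP
            if test -n "$RSBACLOGFILE"
            then
              echo $RSBACPATH""net_temp set_type $TEMPLATE $TMP >>"$RSBACLOGFILE"
            fi
          else
            $DIALOG --title "$ERRTITLE" \
              --backtitle "$BACKTITLE" \
              --msgbox "`head -n 1 $TMPFILE`" $BL $BC
          fi
        fi
        ;;
      Address)
        # Only INET addresses can be set (see the help text).
        case $ADDRFAM in
          INET) ;;
          *)
            $DIALOG --title "$ERRTITLE" \
              --backtitle "$BACKTITLE" \
              --msgbox "Cannot set address for $ADDRFAM address family!" $BL $BC
            continue
        esac
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --max-input 127 \
          --inputbox "New $ADDRFAM Addresses for Template $TEMPLATE (a.b.c.d/n, separate multiple addresses with spaces (max. 20), leave empty to never match)" \
          $BL $BC "$ADDR" \
          2>$TMPFILE
        then
          TMP="`cat $TMPFILE`"
          case $ADDRFAM in
            INET)
              # $TMP is deliberately unquoted: every space separated
              # address becomes its own net_temp argument.
              if $RSBACPATH""net_temp -d set_address $TEMPLATE $TMP &>$TMPFILE
              then
                ADDR="`$RSBACPATH""net_temp get_address $TEMPLATE`"
                if test -n "$RSBACLOGFILE"
                then
                  echo $RSBACPATH""net_temp -d set_address $TEMPLATE $TMP >>"$RSBACLOGFILE"
                fi
              else
                $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "`head -n 1 $TMPFILE`" $BL $BC
              fi
              ;;
            *)
          esac
        fi
        ;;
      "Protocol")
        case "$ADDRFAM" in
          INET)
            if $DIALOG --title "$TITLE" \
              --backtitle "$BACKTITLE" \
              --default-item "$PROTO" \
              --menu "Choose INET Protocol for Template $TEMPLATE / $NAME" $BL $BC `gl 27` \
              "ANY" "0 Match any Protocol" \
              "ICMP" "1 Internet Control Message Protocol" \
              "IGMP" "2 Internet Group Management Protocol" \
              "IPIP" "4 IPIP tunnels (older KA9Q tunnels use 94)" \
              "TCP" "6 Transmission Control Protocol" \
              "EGP" "8 Exterior Gateway Protocol" \
              "PUP" "12 PUP protocol" \
              "UDP" "17 User Datagram Protocol" \
              "IDP" "22 XNS IDP protocol" \
              "IPV6" "41 IPv6-in-IPv4 tunnelling" \
              "RSVP" "46 RSVP protocol" \
              "GRE" "47 Cisco GRE tunnels (rfc 1701,1702)" \
              "ESP" "50 Encapsulation Security Payload protocol" \
              "AH" "51 Authentication Header protocol" \
              "PIM" "103 Protocol Independent Multicast" \
              "COMP" "108 Compression Header protocol" \
              "RAW" "255 Raw IP packets" \
              "MAX" "256 Maximum Value - never matched" \
              2>$TMPFILE
            then
              TMP=`cat $TMPFILE`
              if $RSBACPATH""net_temp set_protocol $TEMPLATE $TMP &>$TMPFILE
              then
                PROTO=$TMP
                if test -n "$RSBACLOGFILE"
                then
                  echo $RSBACPATH""net_temp set_protocol $TEMPLATE $TMP >>"$RSBACLOGFILE"
                fi
              else
                $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "`head -n 1 $TMPFILE`" $BL $BC
              fi
            fi
            ;;
          NETLINK)
            # Menu tags must be bare words: dialog returns the tag verbatim
            # and it is passed straight to net_temp set_protocol, so a
            # stray "," after a tag ("XFRM", "DM") would be sent along.
            if $DIALOG --title "$TITLE" \
              --backtitle "$BACKTITLE" \
              --default-item "$PROTO" \
              --menu "Choose NETLINK Protocol for Template $TEMPLATE / $NAME" $BL $BC `gl 20` \
              "ROUTE" "0 Routing/device hook" \
              "UNUSED" "1 Unused number" \
              "USERSOCK" "2 Reserved for user mode socket protocols" \
              "FIREWALL" "3 Firewalling hook" \
              "INET_DIAG" "4 INET socket monitoring" \
              "NFLOG" "5 netfilter/iptables ULOG" \
              "XFRM" "6 ipsec" \
              "SELINUX" "7 SELinux event notifications" \
              "ISCSI" "8 Open-iSCSI" \
              "AUDIT" "9 auditing" \
              "FIB_LOOKUP" "10 FIB Lookup" \
              "CONNECTOR" "11 Connector" \
              "NETFILTER" "12 netfilter subsystem" \
              "IP6_FW" "13 IPv6 Firewall" \
              "DNRTMSG" "14 DECnet routing messages" \
              "KOBJECT_UEVENT" "15 Kernel messages to userspace" \
              "GENERIC" "16 Generic for various uses" \
              "DM" "17 (DM Events)" \
              "SCSITRANSPORT" "18 SCSI Transports" \
              "ECRYPTFS" "19 ECryptFS" \
              2>$TMPFILE
            then
              TMP=`cat $TMPFILE`
              if $RSBACPATH""net_temp set_protocol $TEMPLATE $TMP &>$TMPFILE
              then
                PROTO=$TMP
                if test -n "$RSBACLOGFILE"
                then
                  echo $RSBACPATH""net_temp set_protocol $TEMPLATE $TMP >>"$RSBACLOGFILE"
                fi
              else
                $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "`head -n 1 $TMPFILE`" $BL $BC
              fi
            fi
            ;;
          *)
            $DIALOG --title "$ERRTITLE" \
              --backtitle "$BACKTITLE" \
              --msgbox "Cannot set protocol for $ADDRFAM address family!" $BL $BC
            ;;
        esac
        ;;
      "Network Device")
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --max-input 16 \
          --inputbox "New local Network Device for Template $TEMPLATE (maxlen = 16)" \
          $BL $BC "$NETDEV" \
          2>$TMPFILE
        then
          TMP=`cat $TMPFILE`
          if $RSBACPATH""net_temp set_netdev $TEMPLATE "$TMP" &>$TMPFILE
          then
            NETDEV="$TMP"
            if test -n "$RSBACLOGFILE"
            then
              echo $RSBACPATH""net_temp set_netdev $TEMPLATE \"$TMP\" >>"$RSBACLOGFILE"
            fi
          else
            $DIALOG --title "$ERRTITLE" \
              --backtitle "$BACKTITLE" \
              --msgbox "`head -n 1 $TMPFILE`" $BL $BC
          fi
        fi
        ;;
      "Ports")
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --inputbox "New Port ranges for Template $TEMPLATE (a:b, empty = any, separate multiple port ranges with spaces (max 10))" \
          $BL $BC "$PORTS" \
          2>$TMPFILE
        then
          TMP="`cat $TMPFILE`"
          # $TMP is deliberately unquoted: one argument per port range.
          if $RSBACPATH""net_temp set_ports $TEMPLATE $TMP &>$TMPFILE
          then
            PORTS="$TMP"
            if test -n "$RSBACLOGFILE"
            then
              echo $RSBACPATH""net_temp set_ports $TEMPLATE $TMP >>"$RSBACLOGFILE"
            fi
          else
            $DIALOG --title "$ERRTITLE" \
              --backtitle "$BACKTITLE" \
              --msgbox "`head -n 1 $TMPFILE`" $BL $BC
          fi
        fi
        ;;
      "Remove Template")
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --yesno "Delete template $TEMPLATE ($NAME)?" 5 $BC \
          2>/dev/null
        then
          if $RSBACPATH""net_temp delete_template $TEMPLATE &>$TMPFILE
          then
            if test -n "$RSBACLOGFILE"
            then
              echo $RSBACPATH""net_temp delete_template $TEMPLATE >>"$RSBACLOGFILE"
            fi
            # The template is gone; clear the selection for the main menu.
            TEMPLATE=
            SELECTED=
            return
          else
            $DIALOG --title "$ERRTITLE" \
              --backtitle "$BACKTITLE" \
              --msgbox "`head -n 1 $TMPFILE`" $BL $BC
          fi
        fi
        ;;
      "NetTemp Attributes")
        $RSBACPATH""rsbac_nettemp_menu $TEMPLATE
        return
        ;;
      Quit)
        rm $TMPFILETWO
        return
        ;;
      *)
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "Template Menu: Selection Error!" 5 $BC
        ;;
    esac
  done
}

###################### Menu #################

if test "$1" = "-h" -o "$1" = "--help"
then
  echo Use: $0 '[template-id]'
  exit
fi

# Mark the start of this session in the replay log.
if test -n "$RSBACLOGFILE"
then
  {
    echo ""
    echo "# $0 start `date`"
  } >> "$RSBACLOGFILE"
fi

# With a template id on the command line, edit only that template.
if test -n "$1"
then
  SELECTED=$1
  template_menu $1
  # -f: template_menu may already have removed TMPFILETWO.
  rm -f $TMPFILE $TMPFILETWO
  exit
fi

while true ; do
  # Cancel / ESC in the main menu ends the script; remove both scratch
  # files (-f because template_menu may already have removed TMPFILETWO).
  if ! $DIALOG --title "$TITLE" \
    --backtitle "$BACKTITLE" \
    --help-button --default-item "$SELECTED" \
    --menu "Main Menu" $BL $BC $MAXLINES \
    "Add Template" "" \
    "Remove Template" "" \
    "--------------" "" \
    `gen_tlist` \
    "--------------" "" \
    "Quit" "" \
    2>$TMPFILE
  then
    rm -f $TMPFILE $TMPFILETWO ; exit
  fi
  SELECTED=`cat $TMPFILE`
  case $SELECTED in
    HELP*)
      show_help "${SELECTED:5}"
      SELECTED="${SELECTED:5}"
      ;;
    'Add Template')
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --inputbox "Number for new template" $BL $BC "" \
        2>$TMPFILE
      then
        # NOTE(review): TEMPID is handed to net_temp without being
        # checked for a numeric value here.
        TEMPID=`cat $TMPFILE`
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --max-input 15 \
          --inputbox "Name for new template (maxlen = 15)" $BL $BC "New Template" \
          2>$TMPFILE
        then
          TEMPNAME=`cat $TMPFILE`
          # An empty name silently aborts the creation.
          if test -n "$TEMPNAME"
          then
            if $RSBACPATH""net_temp new_template $TEMPID "$TEMPNAME" &>$TMPFILE
            then
              SELECTED=$TEMPID
              if test -n "$RSBACLOGFILE"
              then
                echo $RSBACPATH""net_temp new_template $TEMPID \"$TEMPNAME\" >>"$RSBACLOGFILE"
              fi
            else
              $DIALOG --title "$ERRTITLE" \
                --backtitle "$BACKTITLE" \
                --msgbox "`head -n 1 $TMPFILE`" $BL $BC
            fi
          fi
        fi
      fi
      ;;
    "Remove Template")
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --default-item "$SELECTED" \
        --menu "Choose template to delete" $BL $BC $MAXLINES \
        `gen_tlist` \
        2>$TMPFILE
      then
        TMP=`cat $TMPFILE`
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --yesno "Delete template $TMP?" \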
5 $BC \ 2>/dev/null then if $RSBACPATH""net_temp delete_template $TMP &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""net_temp delete_template $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi fi ;; Quit) rm $TMPFILE ; exit ;; -------------------) $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Main Menu: Selection Error!" 5 $BC ;; *) template_menu $SELECTED ;; esac # sleep 2 done rsbac-admin-1.4.0/main/tools/src/scripts/rsbac_fd_menu0000755000175000017500000033274511131371031022626 0ustar gauvaingauvain#!/bin/bash # # This script is used for Administration of RSBAC general file/dir attributes # # # Make sure we're really running bash. # [ -z "$BASH" ] && { echo "This menu requires bash" 1>&2; exit 1; } # # Cache function definitions, turn off posix compliance # set -h +o posix # The dir for tmp files if test -z "$TMPDIR" ; then TMPDIR=/tmp ; fi # Set conf filename RSBACCONF=/etc/rsbac.conf # Read settings if test -f "$RSBACCONF" then . $RSBACCONF fi if test -f ~/.rsbacrc then . ~/.rsbacrc fi if test -z "$RSBACMOD" then RSBACMOD='GEN MAC PM DAZ FF RC AUTH ACL CAP JAIL RES PAX' fi for i in $RSBACMOD do export SHOW_${i}=yes done # This must be a unique temporary filename if ! TMPFILE=`mktemp -q $TMPDIR/rsbac_dialog.XXXXXX` then TMPFILE=$TMPDIR/rsbac_dialog_tmp.$$ if test -e $TMPFILE then rm $TMPFILE fi fi # set this to rsbac bin dir, if not in path (trailing / is mandatory!) # #if test -z "$RSBACPATH" ; then RSBACPATH=./ ; fi # set this to initial dir on script startup LASTDIR='.' # which dialog tool to use - dialog or kdialog or xdialog... if test -z $DIALOG then DIALOG=${RSBACPATH}dialog fi if ! $DIALOG --clear then echo $DIALOG menu program required! >&2 exit fi if ! 
$DIALOG --help 2>&1 | grep -q "help-button" then echo "Newer dialog menu version >= 0.9a-20020309a with '--help-button' option" >&2 echo "required, please use dialog from admin tools contrib dir or set" >&2 echo "\$DIALOG to another dialog program, e.g. with rsbac_settings_menu!" >&2 exit fi set_geometry () { BL=${1:-24} BC=${2:-80} [ $BL = 0 ] && BL=24 [ $BC = 0 ] && BC=80 export LINES=$BL export COLUMNS=$BC BL=$((BL-4)) BC=$((BC-5)) MAXLINES=$((LINES-10)) } set_geometry `stty size 2>/dev/null` gl () { if test $1 -gt $MAXLINES then echo $MAXLINES else echo $1 fi } if test -z "$LINES" ; then LINES=25 ; fi if test -z "$COLUMNS" ; then COLUMNS=80 ; fi export LINES export COLUMNS declare -i BL=$LINES-4 declare -i BC=$COLUMNS-4 declare -i MAXLINES=$LINES-10 if test -z "$BACKTITLE" then BACKTITLE="RSBAC Administration Tools 1.4.0" fi TITLE="`whoami`@`hostname`: RSBAC File/Dir/Fifo/Symlink Administration" HELPTITLE="`whoami`@`hostname`: RSBAC File/Dir/Fifo/Symlink Administration Help" ERRTITLE="RSBAC File/Dir/Fifo/Symlink Administration - ERROR" ## no changes below this line! NO_USER=4294967293 ALL_USERS=4294967292 GETMODE=real GETSWITCH= AUTHSELF=4294967293 AUTHDACS=4294967292 #RCTYPEINHPROC=64 #RCTYPEINHPAR=65 #RCUSERINHERIT=64 #RCPROCINHERIT=65 #RCPARINHERIT=66 #RCMIXINHERIT=67 #RCUSEFR=68 RCTYPEINHPROC=4294967295 RCTYPEINHPAR=4294967294 RCUSERINHERIT=4294967295 RCPROCINHERIT=4294967294 RCPARINHERIT=4294967293 RCMIXINHERIT=4294967292 RCUSEFR=4294967291 VSETKEEP=4294967295 show_help () { case "$RSBACLANG" in *) show_help_english "$1" ;; esac } show_help_english () { { echo "$1" echo "" case "$1" in 'FD List:') echo "Choose new filesystem object from list." ;; "FD Name:") echo "Enter path to new filesystem object." ;; "Follow") echo "Follow this symbolic link." ;; 'Attribute Get Mode:') echo "Toggle whether real or effective (possibly inherited) attribute values" echo "are displayed." ;; 'MAC Security Level:') echo "Set the MAC model security level." 
echo "" $RSBACPATH""attr_get_file_dir -A security_level ;; 'MAC Categories:') echo "Set the MAC model categories." echo "" $RSBACPATH""attr_get_file_dir -A mac_categories ;; 'MAC Trusted for Users:') echo "Which users can run this program as a MAC model trusted program." ;; 'MAC Auto:') echo "MAC model auto adjusting of current level and categories within the" echo "valid boundaries. This attribute's effective value yes is only used," echo "if the process owner also has the mac_allow_auto flags set." echo "" $RSBACPATH""attr_get_file_dir -A mac_auto ;; 'MAC Prop Trusted:') echo "MAC model trusted processes may keep they trusted flag when executing" echo "this file, if Propagate Trusted is set." echo "" $RSBACPATH""attr_get_file_dir -A mac_prop_trusted ;; 'MAC File Flags:') echo "Allow MAC model write up, write down, read up to this object, if the" echo "object's level is dominated by the user's security level." echo "The value trusted is an alias for all others." echo "This option is useful for shared directories like /tmp or /var/log." echo "" echo "If the auto value is set and access has been granted only because of" echo "the object flags, the object's level gets raised to the lowest upper" echo "boundary of current_level(Subject) and level(Object) to prevent" echo "illegal flow of information." echo "" $RSBACPATH""attr_get_file_dir -A mac_shared ;; 'PM Object Type:') echo "Set object type for PM model." echo "" $RSBACPATH""attr_get_file_dir -A pm_object_type ;; 'PM TP:') echo "Enter the PM model transaction procedure ID." echo "" $RSBACPATH""attr_get_file_dir -A pm_tp ;; 'PM Object Class:') echo "Select the PM model object class." echo "" $RSBACPATH""attr_get_file_dir -A pm_object_class ;; 'DAZ Do Scan:') echo "This attribute shows, whether a file should be scanned by the DAZ module:" echo "Never, when Dazuko registration says, or always. Default is inherit." 
echo "" $RSBACPATH""attr_get_file_dir -A daz_do_scan ;; 'DAZ Scanned:') echo "This attribute shows, whether and with which result the file has been" echo "scanned by the DAZ module. Reset to unscanned to force a rescan." echo "" echo "Rejected files can only be opened by DAZ trusted programs." echo "" $RSBACPATH""attr_get_file_dir -A daz_scanned ;; 'DAZ Scanner:') echo "Toggle, whether this program file is a DAZ scanner. Only scanners" echo "may attach to the Dazuko interface." echo "" $RSBACPATH""attr_get_file_dir -A daz_scanner ;; 'FF Flags:') echo "Select the FF model flags for this object, e.g. read-only." echo "" $RSBACPATH""attr_get_file_dir -A ff_flags ;; 'RC Type FD:') echo "Select the RC model filesystem object type." echo "" $RSBACPATH""attr_get_file_dir -A rc_type_fd ;; 'RC Force Role:') echo "Select an RC role, which is assigned and kept for the process running" echo "this program as long as the program runs. User default roles are ignored" echo "even on a CHANGE_OWNER (setuid)." echo "" $RSBACPATH""attr_get_file_dir -A rc_force_role ;; 'RC Initial Role:') echo "Select an RC role, which is assigned to the process starting this" echo "program. User default roles are applied on the next CHANGE_OWNER" echo "(setuid)." echo "" echo "Initial roles have precedence over forced roles, so you can use both" echo "mechanisms with the same program: the initial role is as given here," echo "but the forced role will be applied on the next CHANGE_OWNER (setuid)." echo "" $RSBACPATH""attr_get_file_dir -A rc_initial_role ;; 'AUTH May Setuid:') echo "Set whether this program is allowed to CHANGE_OWNER and" echo "CHANGE_GROUP (setuid and setgid) to user and group IDs" echo "in its AUTH cap sets only (off), to any ID (full), to the" echo "last authenticated user ID and the cap set IDs (auth_only)," echo "or to last authenticated uid, cap set uids and and all gids" echo "(last_auth_and_group)." 
echo "" $RSBACPATH""attr_get_file_dir -A auth_may_setuid ;; 'AUTH May Set Cap:') echo "Toggle, whether this program may set AUTH setuid capabilities for any" echo "process (but not for files)." echo "This flag is useful e.g. for authentication daemons. See AUTH" echo "description for details." echo "" $RSBACPATH""attr_get_file_dir -A auth_may_set_cap ;; 'AUTH Learn:') echo "Toggle, whether this program will be started in AUTH learning mode" echo "to get all necessary AUTH caps added automatically." echo "Learning mode must be activated in RSBAC kernel configuration!" echo "" $RSBACPATH""attr_get_file_dir -A auth_learn ;; 'AUTH Capabilities:') echo "These are ranges of user IDs, which this program may use in a" echo "CHANGE_OWNER (setuid) request. The capabilities are inherited to the" echo "process running the program." ;; 'AUTH Eff Capabilities:') echo "These are ranges of user IDs, which this program may use in a" echo "CHANGE_DAC_EFF_OWNER (seteuid) request. The capabilities are inherited to the" echo "process running the program." ;; 'AUTH FS Capabilities:') echo "These are ranges of user IDs, which this program may use in a" echo "CHANGE_DAC_FS_OWNER (setfsuid) request. The capabilities are inherited to the" echo "process running the program." ;; 'AUTH Group Capabilities:') echo "These are ranges of group IDs, which this program may use in a" echo "CHANGE_GROUP (setgid) request. The capabilities are inherited to the" echo "process running the program." ;; 'AUTH Group Eff Capabilities:') echo "These are ranges of group IDs, which this program may use in a" echo "CHANGE_DAC_EFF_GROUP (setegid) request. The capabilities are inherited to the" echo "process running the program." ;; 'AUTH FS Group Capabilities:') echo "These are ranges of group IDs, which this program may use in a" echo "CHANGE_DAC_FS_GROUP (setfsgid) request. The capabilities are inherited to the" echo "process running the program." 
;; 'CAP Min Caps:') echo "Specify a set of Linux capabilities, which will always be set, when" echo "this program is run (ignoring the Max Caps set)." echo "Useful to start privileged (root) programs as normal user." echo "" $RSBACPATH""attr_get_file_dir -A min_caps ;; 'RES Min Resources:') echo "Set the minimum resource limits for this program when executed." echo "Zero values are ignored." ;; 'RES Max Resources:') echo "Set the maximum resource limits for this program when executed." echo "Zero values are ignored." ;; 'PAX Flags:') echo "Select the PAX model flags for this object." echo "" $RSBACPATH""attr_get_file_dir -A pax_flags ;; 'Virtual UM Set:') echo "Set Virtual User Management Set id for a program." echo "Default is -1, keep current set." echo "" $RSBACPATH""attr_get_file_dir -A vset ;; 'cpu') echo "CPU time limit in milliseconds." ;; 'fsize') echo "Size limit for each file." ;; 'data') echo "Process data segment size limit in bytes." ;; 'stack') echo "Process stack size limit in bytes." ;; 'core') echo "Core dump size limit in bytes." ;; 'rss') echo "Max resident set size in bytes." ;; 'nproc') echo "Maximum number of processes for process owner (global value!)." ;; 'nofile') echo "Limit on the number of open files." ;; 'memlock') echo "Limit on locked-in-memory address space." ;; 'as') echo "Address space (virtual memory) limit." ;; 'locks') echo "Limit on number of file locks held (ignored in 2.2 kernels)." ;; 'CAP Max Caps:') echo "Specify the maximum set of Linux capabilities, which are kept, when" echo "this program is run." echo "Useful to limit the privileges of a program run by root, e.g. the" echo "mailer daemon." echo "" $RSBACPATH""attr_get_file_dir -A max_caps ;; 'CAP ld_env:') echo "Unset do disallow thus user executing program fles" echo "with LD_ flags set" echo "" $RSBACPATH""attr_get_file_dir -A cap_ld_env ;; 'Log Array Low:' | 'Log Array High:') echo "Choose object based logging levels for this object." 
echo "" $RSBACPATH""attr_get_file_dir -A log_array_low ;; 'Log Program Based:') echo "Specify the request types, which should always be logged, when" echo "issued by this program." echo "" $RSBACPATH""attr_get_file_dir -A log_program_based ;; 'Symlink Add Remote IP:') echo "Add one to four bytes of the remote IP of the user of the calling process" echo "to the contents of this symbolic link. Local users get 0 bytes added, e.g." echo "\"0.0.0\"." echo "This can be used to e.g. point to individual /tmp dirs for all users." echo "" $RSBACPATH""attr_get_file_dir -A symlink_add_remote_ip ;; 'Symlink Add UID:') echo "Add the numeric ID of the user of the calling process to the contents" echo "of this symbolic link." echo "This can be used to e.g. point to individual /tmp dirs for all users." echo "" $RSBACPATH""attr_get_file_dir -A symlink_add_uid ;; 'Symlink Add MAC Level:') echo "Add the current security level of the calling process to the contents" echo "of this symbolic link." echo "This can be used to e.g. point to individual /tmp dirs for all roles." echo "" $RSBACPATH""attr_get_file_dir -A symlink_add_mac_level ;; 'Symlink Add RC Role:') echo "Add the role number of the calling process to the contents of this symbolic" echo "link." echo "This can be used to e.g. point to individual /tmp dirs for all roles." echo "" $RSBACPATH""attr_get_file_dir -A symlink_add_rc_role ;; 'Linux DAC disable:') echo "Disable the Linux access control for this object." echo "Specially useful, if you want to do access control by RSBAC only" echo "in some selected directory trees, without being hindered by Linux" echo "modes." echo "" echo "Note: This flag is only applied, when RSBAC is running, so you should" echo "rather use it than allow full Linux mode access." echo "" $RSBACPATH""attr_get_file_dir -A linux_dac_disable ;; 'Fake Root UID:') echo "Fake result of getuid() and/or geteuid() for this program." 
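echo ""
        $RSBACPATH""attr_get_file_dir -A fake_root_uid
        ;;
    'Audit UID Exempt:')
        echo "Usually, the first non-0 real uid is saved as audit_uid when"
        echo "a process setuids away from it."
        echo "If an auid_exempt value is set, this exempt uid works like 0:"
        echo "setting another uid away from this uid does _not_ lead to an"
        echo "audit_uid being set. The auid_exempt is e.g. needed for sshd"
        echo "with privilege separation, which uses an intermediate uid"
        echo "for network operations."
        echo ""
        $RSBACPATH""attr_get_file_dir -A auid_exempt
        ;;
    'Dev Attributes:')
        echo "Go to device attribute menu."
        ;;
    'ACL Menu:')
        echo "Go to ACL menu."
        ;;
    'Reset Attributes:')
        echo "Call attr_rm_fd to get the attribute object for this filesystem object"
        echo "removed. As result, all attribute values will be reset to their"
        echo "default values. Use with care!"
        ;;
    Quit)
        echo "Quit this menu."
        ;;
    *)
        echo "No help for $1 available!"
    esac
  } > $TMPFILE
  $DIALOG --title "$HELPTITLE" \
    --backtitle "$BACKTITLE" \
    --textbox $TMPFILE $BL $BC
}

# get_attributes: classify the object named by the global FILE and load the
# attribute values shown in the main menu.
#   Sets TYPE / SUBTYPE (SYMLINK, FILE/BLOCK/CHAR, FIFO, UNIXSOCK, DIR, NONE).
#   For a directory, FILE is canonicalised to its absolute path and LASTDIR
#   follows it; for any other existing object LASTDIR becomes its parent.
#   For a non-existent object (TYPE=NONE) every displayed attribute variable
#   is cleared so that no value from a previously selected object lingers.
#   Only the modules enabled through the SHOW_* switches are queried; each
#   query honours GETSWITCH (real vs. effective mode) and discards stderr.
# Reads: FILE, SHOW_*, GETSWITCH, RSBACPATH, RSBACLOGFILE, ALL_USERS.
# Writes: the attribute globals listed below, LASTDIR, FILE, TYPE, SUBTYPE,
#         SYMLINK; appends a "cd" line to the replay log when FILE is a dir.
get_attributes () {
  if test "$FILE" != ""
  then
    if test -L "$FILE"
    then
      TYPE=SYMLINK
      # Link target taken from "ls -l" output: everything after the first '>'.
      # A target that itself contains '>' is cut short; list_item parses the
      # same way, so the two stay consistent.
      SYMLINK="`ls -l \"$FILE\"|cut -d '>' -f 2|cut -c 2-`"
      SUBTYPE="SYMLINK"
    elif test -f "$FILE"
    then
      TYPE=FILE ; SUBTYPE=FILE
    elif test -b "$FILE"
    then
      TYPE=FILE ; SUBTYPE=BLOCK
    elif test -c "$FILE"
    then
      TYPE=FILE ; SUBTYPE=CHAR
    elif test -p "$FILE"
    then
      TYPE=FIFO ; SUBTYPE=FIFO
    elif test -S "$FILE"
    then
      TYPE=UNIXSOCK ; SUBTYPE=UNIXSOCK
    elif test -d "$FILE"
    then
      TYPE=DIR ; SUBTYPE=DIR
      # Canonicalise; fall back to the name as given if cd fails.
      LASTDIR=`( cd "$FILE" && pwd ) || echo "$FILE"`
      FILE=$LASTDIR
      if test -n "$RSBACLOGFILE"
      then
        echo "cd `pwd`" >>"$RSBACLOGFILE"
      fi
    else
      # Unknown object: clear everything the menu displays.  The variables
      # filled in below from the SHOW_GEN/SHOW_PAX/SHOW_AUTH sections are
      # cleared here too, otherwise stale values would still be shown.
      TYPE=NONE
      SECLEVEL=""
      MACCAT=""
      MACTRUSER=""
      MACAUTO=""
      MACPROPTR=""
      MACFLAGS=""
      NEWMTUSER=""
      OBJCAT=""
      DATATYPE=""
      PMCLASS=""
      PMTP=""
      PMOBJTYPE=""
      DAZSCANNED=""
      DAZDOSCAN=""
      DAZSCANNER=""
      FFFLAGS=""
      RCTYPEFD=""
      RCFORRO=""
      RCINRO=""
      AUTHSUID=""
      AUTHSCAP=""
      AUTHLEARN=""
      LOGLOW=""
      LOGHIGH=""
      LOGPROG=""
      MINCAPS=""
      MAXCAPS=""
      CAPLDENV=""
      RESMIN=""
      RESMAX=""
      PAXFLAGS=""
      SYMADDIP=""
      SYMADDUID=""
      SYMADDMAC=""
      SYMADDRC=""
      DACDIS=""
      FAKERUID=""
      AUIDEXEM=""
      VSET=
      return
    fi
    if test "$TYPE" != "DIR"
    then
      LASTDIR="`dirname \"$FILE\"`"
    fi
    if test "$SHOW_MAC" = "yes"
    then
      SECLEVEL=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" security_level 2>/dev/null`
      MACCAT=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" mac_categories 2>/dev/null`
      # The special "all users" id is shown as the word ALL.
      MACTRUSER=`$RSBACPATH""mac_set_trusted $TYPE get "$FILE" 2>/dev/null | sed -e "s/$ALL_USERS/ALL/g"`
      MACAUTO=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" mac_auto 2>/dev/null`
      MACPROPTR=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" mac_prop_trusted 2>/dev/null`
      MACFLAGS=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" mac_file_flags 2>/dev/null`
    fi
    if test "$SHOW_PM" = "yes"
    then
      PMCLASS=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" pm_object_class 2>/dev/null`
      PMTP=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" pm_tp 2>/dev/null`
      PMOBJTYPE=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" pm_object_type 2>/dev/null`
    fi
    if test "$SHOW_DAZ" = "yes"
    then
      DAZSCANNED=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" daz_scanned 2>/dev/null`
      DAZDOSCAN=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" daz_do_scan 2>/dev/null`
      DAZSCANNER=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" daz_scanner 2>/dev/null`
    fi
    if test "$SHOW_FF" = "yes"
    then
      FFFLAGS=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" ff_flags 2>/dev/null`
    fi
    if test "$SHOW_RC" = "yes"
    then
      RCTYPEFD=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" rc_type_fd 2>/dev/null`
      RCFORRO=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" rc_force_role 2>/dev/null`
      RCINRO=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" rc_initial_role 2>/dev/null`
    fi
    if test "$SHOW_AUTH" = "yes"
    then
      AUTHSUID=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" auth_may_setuid 2>/dev/null`
      AUTHSCAP=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" auth_may_set_cap 2>/dev/null`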
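AUTHLEARN=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" auth_learn 2>/dev/null`
    fi
    if test "$SHOW_CAP" = "yes"
    then
      MINCAPS=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" min_caps 2>/dev/null`
      MAXCAPS=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" max_caps 2>/dev/null`
      CAPLDENV=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" cap_ld_env 2>/dev/null`
    fi
    if test "$SHOW_RES" = "yes"
    then
      # -s: short output form of the resource limit arrays.
      RESMIN=`$RSBACPATH""attr_get_file_dir -s $GETSWITCH $TYPE "$FILE" res_min 2>/dev/null`
      RESMAX=`$RSBACPATH""attr_get_file_dir -s $GETSWITCH $TYPE "$FILE" res_max 2>/dev/null`
    fi
    if test "$SHOW_PAX" = "yes"
    then
      PAXFLAGS=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" pax_flags 2>/dev/null`
    fi
    if test "$SHOW_GEN" = "yes"
    then
      LOGLOW=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_array_low 2>/dev/null`
      LOGHIGH=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_array_high 2>/dev/null`
      LOGPROG=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_program_based 2>/dev/null`
      SYMADDIP=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" symlink_add_remote_ip 2>/dev/null`
      SYMADDUID=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" symlink_add_uid 2>/dev/null`
      SYMADDMAC=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" symlink_add_mac_level 2>/dev/null`
      SYMADDRC=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" symlink_add_rc_role 2>/dev/null`
      DACDIS=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" linux_dac_disable 2>/dev/null`
      FAKERUID=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" fake_root_uid 2>/dev/null`
      AUIDEXEM=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" auid_exempt 2>/dev/null`
      VSET=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" vset 2>/dev/null`
    fi
  fi
}

# onoff VALUE CURRENT: print "on" when the two arguments are equal, else
# "off" (radiolist/checklist state helper).
onoff () {
  if test "$1" = "$2"
  then
    echo on
  else
    echo off
  fi
}

# onoffb VALUE: print "on" when VALUE is exactly 1, else "off".
onoffb () {
  if test "$1" = "1"
  then
    echo on
  else
    echo off
  fi
}

# list_item PATH: print "PATH KIND" for the directory listing menu, where
# KIND is SYMLINK->target, DIR, FILE, BLOCK, CHAR, FIFO or NONE.
# PATH is quoted in every test so names with spaces classify correctly.
list_item () {
  if test -L "$1"
  then
    echo $1 "SYMLINK->`ls -l \"$1\"|cut -d '>' -f 2|cut -c 2-`"
  elif test -d "$1"
  then
    echo $1 DIR
  elif test -f "$1"
  then
    echo $1 FILE
  elif test -b "$1"
  then
    echo $1 BLOCK
  elif test -c "$1"
  then
    echo $1 CHAR
  elif test -p "$1"
  then
    echo $1 FIFO
  else
    echo $1 NONE
  fi
}

# get_vname KIND VALUE: translate a numeric attribute VALUE into the label
# shown next to it in the menu.  KIND selects the attribute's value set.
# Prints a single blank when no object is selected (TYPE=NONE), "N/A" for an
# empty or unknown VALUE, and "ERROR!" for an unknown KIND.
# The rc* kinds ask rc_get_item for the symbolic name and fall back to the
# raw number when the lookup fails.
get_vname () {
  if test "$TYPE" = "NONE"
  then
    echo " "
    return
  fi
  if test -z "$2"
  then
    echo "N/A"
    return
  fi
  case $1 in
  onoff)
    case $2 in
    1) echo On ;;
    *) echo Off ;;
    esac
    ;;
  seclevel)
    case $2 in
    0) echo unclassified ;;
    1) echo confidential ;;
    2) echo secret ;;
    3) echo top secret ;;
    252) echo max. level ;;
    253) echo rsbac-internal ;;
    254) echo inherit ;;
    *) echo N/A ;;
    esac
    ;;
  macauto)
    case $2 in
    0) echo No ;;
    1) echo Yes ;;
    2) echo inherit ;;
    *) echo N/A ;;
    esac
    ;;
  objcat)
    case $2 in
    0) echo General ;;
    1) echo Security ;;
    2) echo System ;;
    3) echo inherit ;;
    *) echo N/A ;;
    esac
    ;;
  datatype)
    case $2 in
    0) echo None ;;
    1) echo SI ;;
    2) echo inherit ;;
    *) echo N/A ;;
    esac
    ;;
  pmobjtype)
    case $2 in
    0) echo None ;;
    1) echo TP ;;
    2) echo Personal Data ;;
    3) echo Non-Personal Data ;;
    4) echo IPC ;;
    5) echo Directory ;;
    *) echo N/A ;;
    esac
    ;;
  mactruser)
    case $2 in
    $NO_USER) echo NONE ;;
    $ALL_USERS) echo ALL ;;
    Error*) echo N/A ;;
    Use*) echo N/A ;;
    *) echo "`get_name $2` / `full_name $2`" ;;
    esac
    ;;
  mactruserrev)
    # Reverse mapping: menu label back to the numeric user id.
    case $2 in
    NONE) echo $NO_USER ;;
    $NO_USER) echo $NO_USER ;;
    ALL) echo $ALL_USERS ;;
    $ALL_USERS) echo $ALL_USERS ;;
    Error*) echo N/A ;;
    Use*) echo N/A ;;
    *) echo `get_uid $2` ;;
    esac
    ;;
  dazscanned)
    case $2 in
    0) echo Unscanned ;;
    1) echo Infected ;;
    2) echo Clean ;;
    *) echo N/A ;;
    esac
    ;;
  dazdoscan)
    case $2 in
    0) echo Never ;;
    1) echo Registered ;;
    2) echo Always ;;
    3) echo Inherit ;;
    *) echo N/A ;;
    esac
    ;;
  rctypefd)
    case $2 in
    $RCTYPEINHPAR) echo inherit parent dir ;;
    Error*) echo N/A ;;
    Use*) echo N/A ;;
    *)
      if ! $RSBACPATH""rc_get_item TYPE $2 type_fd_name 2>/dev/null
      then
        echo $2
      fi
      ;;
    esac
    ;;
  rcforro)
    case $2 in
    $RCUSERINHERIT) echo "always inherit from user" ;;
    $RCPROCINHERIT) echo "inherit process (keep always)" ;;
    $RCPARINHERIT) echo "inherit parent dir (default)" ;;
    $RCMIXINHERIT) echo "inh. from user on chown only" ;;
    Error*) echo N/A ;;
    Use*) echo N/A ;;
    *)
      if ! $RSBACPATH""rc_get_item ROLE $2 name 2>/dev/null
      then
        echo $2
      fi
      ;;
    esac
    ;;
  rcinro)
    case $2 in
    $RCPARINHERIT) echo "inherit parent dir (default)" ;;
    $RCUSEFR) echo "use force_role (root default)" ;;
    Error*) echo N/A ;;
    Use*) echo N/A ;;
    *)
      if ! $RSBACPATH""rc_get_item ROLE $2 name 2>/dev/null
      then
        echo $2
      fi
      ;;
    esac
    ;;
  authsuid)
    case $2 in
    0) echo Off ;;
    1) echo On ;;
    2) echo "Last Authenticated User Only" ;;
    3) echo "Last Auth and all Groups" ;;
    *) echo N/A ;;
    esac
    ;;
  dacdis)
    case $2 in
    0) echo False ;;
    1) echo True ;;
    2) echo 'inherit (default)' ;;
    *) echo N/A ;;
    esac
    ;;
  fakeruid)
    case $2 in
    0) echo off ;;
    1) echo uid only ;;
    2) echo euid only ;;
    3) echo both ;;
    *) echo N/A ;;
    esac
    ;;
  loglevel)
    case $2 in
    0) echo None ;;
    1) echo Denied ;;
    2) echo Full ;;
    3) echo Request ;;
    *) echo N/A ;;
    esac
    ;;
  *)
    echo ERROR!
    ;;
  esac
}

# full_name USER: the user's full name from attr_get_user, or a blank when
# USER is empty.
full_name () {
  if test "$1" = ""
  then
    echo " "
  else
    echo `$RSBACPATH""attr_get_user $1 full_name`
  fi
}

# get_uid USER: numeric id for a user name or id, or a blank when empty.
get_uid () {
  if test "$1" = ""
  then
    echo " "
  else
    echo `$RSBACPATH""attr_get_user $1 user_nr`
  fi
}

# get_name USER: user name for a user name or id, or a blank when empty.
get_name () {
  if test "$1" = ""
  then
    echo " "
  else
    echo `$RSBACPATH""attr_get_user $1 user_name`
  fi
}

# gen_cap_rem_user ID...: menu lines "ID NAME" for the AUTH capability removal
# menu; the two special ids are shown as Start-User / Start-Eff-FS-User.
gen_cap_rem_user () {
  if test "$1" != ""
  then
    for i in $* ; do
      echo $i `$RSBACPATH""attr_get_user $i user_name | sed -e "s/$AUTHSELF/Start-User/g" -e "s/$AUTHDACS/Start-Eff-FS-User/g"`
    done
  fi
}

# gen_cap_rem_group ID...: menu lines "ID GROUPNAME" for group cap removal.
gen_cap_rem_group () {
  if test "$1" != ""
  then
    for i in $*
    do
      echo $i $($RSBACPATH""attr_get_user $i group_name)
    done
  fi
}

# gen_mac_trusted_rem_user ID...: menu lines "ID NAME" for the MAC trusted
# user removal menu; the all-users id is shown as ALL.
gen_mac_trusted_rem_user () {
  if test "$1" != ""
  then
    for i in $* ; do
      echo $i `$RSBACPATH""attr_get_user $i user_name | sed -e "s/$ALL_USERS/ALL/g"`
    done
  fi
}

# get_caps [OPT]: AUTH capability list of the current object (OPT selects the
# cap set, e.g. -e/-f/-g/-E/-F).  Only regular files and directories carry
# caps; anything else yields a blank.
get_caps () {
  if test "$TYPE" = "FILE" -a "$SUBTYPE" = "FILE"
  then
    $RSBACPATH""auth_set_cap $1 FILE get "$FILE" 2>/dev/null
  elif test "$TYPE" = "DIR"
  then
    $RSBACPATH""auth_set_cap $1 DIR get "$FILE" 2>/dev/null
  else
    echo " "
  fi
}

# get_mac_trusted: MAC trusted-user list of the current regular file, or a
# blank for any other object type.
get_mac_trusted () {
  if test "$TYPE" = "FILE" -a "$SUBTYPE" = "FILE"
  then
    $RSBACPATH""mac_set_trusted FILE get "$FILE" 2>/dev/null
  else
    echo " "
  fi
}

# gen_cat_list NR...: checklist triples "NR on|off on|off" for each MAC
# category number (label and state both show the current bit).
# Note: this query does not pass GETSWITCH, so it always reads real mode.
gen_cat_list () {
  for i in $*
  do
    TMP=`$RSBACPATH""attr_get_file_dir $TYPE "$FILE" mac_categories $i`
    echo $i `onoffb $TMP` `onoffb $TMP`
  done
}

# choose_user: interactive user picker.  Leaves the chosen numeric id (or an
# "A B" range typed as A:B) in NEWMTUSER; NEWMTUSER is empty on cancel.
choose_user () {
  while $DIALOG --title "$TITLE" \
    --backtitle "$BACKTITLE" \
    --default-item "$TMP2" \
    --menu "Username/ID" $BL $BC `gl 15` \
    "Enter" "Name / Uid / Range A:B" \
    "$AUTHSELF" "Special: user who started program" \
    "$AUTHDACS" "Special for eff/fs caps: eff/fs user who started program" \
    `${RSBACPATH}attr_get_user -bl` \
    2>$TMPFILE
  do
    TMP2=`cat $TMPFILE`
    case "$TMP2" in
    "Enter")
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --inputbox "Username/number, range from A to B with A:B" $BL $BC "" \
        2>$TMPFILE
      then
        NEWMTUSER="`cat $TMPFILE|tr ':' ' '`"
      else
        NEWMTUSER=""
      fi
      return
      ;;
    *)
      if $RSBACPATH""attr_get_user $TMP2 user_nr >$TMPFILE
      then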
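NEWMTUSER=`cat $TMPFILE`
        return
      else
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "User: Unknown user $TMP2!" 5 $BC
        NEWMTUSER=""
      fi
    esac
  done
  NEWMTUSER=""
}

# choose_group: interactive group picker.  Leaves the chosen numeric gid (or
# an "A B" range typed as A:B) in NEWMTUSER; empty on cancel.
choose_group () {
  while $DIALOG --title "$TITLE" \
    --backtitle "$BACKTITLE" \
    --default-item "$TMP2" \
    --menu "Groupname/ID" $BL $BC `gl 15` \
    "Enter" "Name / Gid / Range A:B" \
    `${RSBACPATH}attr_get_user -bL` \
    2>$TMPFILE
  do
    TMP2=`cat $TMPFILE`
    case "$TMP2" in
    "Enter")
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --inputbox "Groupname/number, range from A to B with A:B" $BL $BC "" \
        2>$TMPFILE
      then
        NEWMTUSER="`cat $TMPFILE|tr ':' ' '`"
      else
        NEWMTUSER=""
      fi
      return
      ;;
    *)
      if $RSBACPATH""attr_get_user $TMP2 group_nr >$TMPFILE
      then
        NEWMTUSER=`cat $TMPFILE`
        return
      else
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "User: Unknown group $TMP2!" 5 $BC
        NEWMTUSER=""
      fi
    esac
  done
  NEWMTUSER=""
}

# choose_user_mac_trusted: user picker for the MAC trusted list; offers the
# special all-users id.  Result in NEWMTUSER, empty on cancel.
choose_user_mac_trusted () {
  while $DIALOG --title "$TITLE" \
    --backtitle "$BACKTITLE" \
    --default-item "$TMP2" \
    --menu "Username/ID" $BL $BC `gl 15` \
    "Enter" "Name / Uid" \
    "$ALL_USERS" "Special: all users" \
    `${RSBACPATH}attr_get_user -bl` \
    2>$TMPFILE
  do
    TMP2=`cat $TMPFILE`
    case "$TMP2" in
    "Enter")
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --inputbox "Username/number" $BL $BC "" \
        2>$TMPFILE
      then
        NEWMTUSER="`cat $TMPFILE|tr ':' ' '`"
      else
        NEWMTUSER=""
      fi
      return
      ;;
    *)
      if $RSBACPATH""attr_get_user $TMP2 user_nr >$TMPFILE
      then
        NEWMTUSER=`cat $TMPFILE`
        return
      else
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "User: Unknown user $TMP2!" 5 $BC
        NEWMTUSER=""
      fi
    esac
  done
  NEWMTUSER=""
}

# gen_log_menu_items: (re)write ${TMPFILE}.2 with one "REQUEST LEVELNAME"
# line per request type in REQUESTS, for the log level menu.
# The .2 file is derived from TMPFILE; it is only as private as TMPFILE's
# directory is.
gen_log_menu_items() {
  if test -e ${TMPFILE}.2
  then
    rm ${TMPFILE}.2
  fi
  for i in $REQUESTS
  do
    TMP=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_level $i`
    echo $i `get_vname loglevel $TMP`>>${TMPFILE}.2
  done
}

# gen_flags_menu_items: checklist triples "BIT NAME on|off" for every FF
# flag bit, with the state taken from FFFLAGS.  Order is the menu order.
gen_flags_menu_items() {
  for i in 128:add_inherited 1:read_only 2:execute_only 4:search_only \
           8:write_only 16:secure_delete 32:no_execute 64:no_delete_or_rename \
           256:append_only 512:no_mount 1024:no_search
  do
    if (($FFFLAGS & ${i%%:*})) ; then
      echo ${i%%:*} ${i#*:} on
    else
      echo ${i%%:*} ${i#*:} off
    fi
  done
}

# flags_menu: FF flag checklist for the current object.  Sums the selected
# bits and stores them with attr_set_file_dir; on success FFFLAGS follows
# and the command is appended to the replay log.
flags_menu () {
  if ! $DIALOG --title "$TITLE" \
    --backtitle "$BACKTITLE" \
    --separate-output \
    --checklist "$FILE: FF Flags ($GETMODE mode)" $BL $BC `gl 10` \
    `gen_flags_menu_items` \
    2>$TMPFILE
  then
    return
  fi
  FLAGS_ON=`cat $TMPFILE`
  declare -i VAL=0
  for i in $FLAGS_ON ; do
    VAL=$VAL+$i
  done
  if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" ff_flags $VAL &>$TMPFILE
  then
    FFFLAGS=$VAL
    if test -n "$RSBACLOGFILE"
    then
      echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" ff_flags $VAL >>"$RSBACLOGFILE"
    fi
  else
    $DIALOG --title "$ERRTITLE" \
      --backtitle "$BACKTITLE" \
      --msgbox "`head -n 1 $TMPFILE`" $BL $BC
  fi
  return
}

# paxonoff FLAGS LETTER: "on" when LETTER occurs in FLAGS, else "off".
paxonoff () {
  if echo "$1" | grep -q "$2"
  then
    echo on
  else
    echo off
  fi
}

# pax_flags_menu: PAX flag checklist.  "Reset" clears the attribute; otherwise
# the selected letters are kept upper-case and every unselected flag is
# appended lower-case (explicitly off) before storing.  PAXFLAGS is re-read
# from the kernel afterwards and the command is logged.
pax_flags_menu () {
  if ! $DIALOG --title "$TITLE" \
    --backtitle "$BACKTITLE" \
    --separate-output \
    --checklist "$FILE: PAX Flags ($GETMODE mode)" $BL $BC `gl 7` \
    "Reset" "Reset flags to default values" "off" \
    "P" "Enforce paging based non-exec pages" "$(paxonoff $PAXFLAGS P)" \
    "E" "Emulate trampolines" "$(paxonoff $PAXFLAGS E)" \
    "M" "Restrict mprotect" "$(paxonoff $PAXFLAGS M)" \
    "R" "Randomize mmap base (ELF only)" "$(paxonoff $PAXFLAGS R)" \
    "X" "Randomize ET_EXEC base (ELF only)" "$(paxonoff $PAXFLAGS X)" \
    "S" "Enforce segmentation based non-exec pages" "$(paxonoff $PAXFLAGS S)" \
    2>$TMPFILE
  then
    return
  fi
  FLAGS_ON=$(for i in $(cat $TMPFILE) ; do echo -n $i ; done)
  VAL=$FLAGS_ON
  if echo $FLAGS_ON|grep -q "Reset"
  then
    if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" pax_flags "" &>$TMPFILE
    then
      PAXFLAGS=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" pax_flags 2>/dev/null`
      if test -n "$RSBACLOGFILE"
      then
        echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" pax_flags \"\" >>"$RSBACLOGFILE"
      fi
    else
      $DIALOG --title "$ERRTITLE" \
        --backtitle "$BACKTITLE" \
        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
    fi
  else
    echo $FLAGS_ON|grep -q "P" || VAL="${VAL}p"
    echo $FLAGS_ON|grep -q "E" || VAL="${VAL}e"
    echo $FLAGS_ON|grep -q "M" || VAL="${VAL}m"
    echo $FLAGS_ON|grep -q "R" || VAL="${VAL}r"
    echo $FLAGS_ON|grep -q "X" || VAL="${VAL}x"
    echo $FLAGS_ON|grep -q "S" || VAL="${VAL}s"
    if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" pax_flags $VAL &>$TMPFILE
    then
      PAXFLAGS=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" pax_flags 2>/dev/null`
      if test -n "$RSBACLOGFILE"
      then
        echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" pax_flags $VAL >>"$RSBACLOGFILE"
      fi
    else
      $DIALOG --title "$ERRTITLE" \
        --backtitle "$BACKTITLE" \
        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
    fi
  fi
  return
}

# gen_mac_flags_menu_items: checklist triples "BIT NAME on|off" for the MAC
# file flag bits, with the state taken from MACFLAGS.
gen_mac_flags_menu_items() {
  for i in 2:auto 4:trusted 8:write_up 16:read_up 32:write_down
  do
    if (($MACFLAGS & ${i%%:*})) ; then
      echo ${i%%:*} ${i#*:} on
    else
      echo ${i%%:*} ${i#*:} off
    fi
  done
}

# mac_flags_menu: MAC file flag checklist.  Refuses to store anything in
# effective mode; otherwise sums the selected bits, stores them, updates
# MACFLAGS and logs the command.
mac_flags_menu () {
  if ! $DIALOG --title "$TITLE" \
    --backtitle "$BACKTITLE" \
    --separate-output \
    --checklist "$FILE: MAC File Flags ($GETMODE mode)" $BL $BC `gl 9` \
    `gen_mac_flags_menu_items` \
    2>$TMPFILE
  then
    return
  fi
  if test "$GETMODE" = "effective"
  then
    $DIALOG --title "$ERRTITLE" \
      --backtitle "$BACKTITLE" \
      --msgbox "No changes in effective mode please!" 5 $BC
    return
  fi
  FLAGS_ON=`cat $TMPFILE`
  declare -i VAL=0
  for i in $FLAGS_ON ; do
    VAL=$VAL+$i
  done
  if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" mac_file_flags $VAL &>$TMPFILE
  then
    MACFLAGS=$VAL
    if test -n "$RSBACLOGFILE"
    then
      echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" mac_file_flags $VAL >>"$RSBACLOGFILE"
    fi
  else
    $DIALOG --title "$ERRTITLE" \
      --backtitle "$BACKTITLE" \
      --msgbox "`head -n 1 $TMPFILE`" $BL $BC
  fi
  return
}

# log_menu: per-request log level editor.  Lists every request type with its
# current level (via gen_log_menu_items); choosing one opens a radiolist and
# stores the new level unless in effective mode.  On Quit/cancel the .2 menu
# file is removed and LOGLOW/LOGHIGH are re-read.
log_menu () {
  if test -z "$REQUESTS"
  then
    REQUESTS=`$RSBACPATH""attr_get_file_dir -n $TYPE`
  fi
  gen_log_menu_items
  while true ; do
    if ! $DIALOG --title "$TITLE" \
      --backtitle "$BACKTITLE" \
      --default-item "$REQ" \
      --menu "$FILE: Log Levels for Requests" $BL $BC `gl 37` \
      `cat ${TMPFILE}.2` \
      "Quit" " " \
      2>$TMPFILE
    then
      rm ${TMPFILE}.2
      LOGLOW=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_array_low`
      LOGHIGH=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_array_high`
      return
    fi
    REQ=`cat $TMPFILE`
    case "$REQ" in
    Quit)
      rm ${TMPFILE}.2
      LOGLOW=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_array_low`
      LOGHIGH=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_array_high`
      return
      ;;
    *)
      # Current level name for this request, from the generated menu file.
      VAL=`grep "^$REQ " ${TMPFILE}.2|cut -f 2 -d ' '`
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --radiolist "Choose Log Level for $FILE / $REQ" $BL $BC 4 \
        0 `get_vname loglevel 0` `onoff None $VAL` \
        1 `get_vname loglevel 1` `onoff Denied $VAL` \
        2 `get_vname loglevel 2` `onoff Full $VAL` \
        3 `get_vname loglevel 3` `onoff Request $VAL` \
        2>$TMPFILE
      then
        TMP=`cat $TMPFILE`
        if test "$GETMODE" = "effective"
        then
          $DIALOG --title "$ERRTITLE" \
            --backtitle "$BACKTITLE" \
            --msgbox "No changes in effective mode please!" 5 $BC
          continue
        fi
        if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" log_level $REQ $TMP &>$TMPFILE
        then
          if test -n "$RSBACLOGFILE"
          then
            echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" log_level $REQ $TMP >>"$RSBACLOGFILE"
          fi
          gen_log_menu_items
        else
          $DIALOG --title "$ERRTITLE" \
            --backtitle "$BACKTITLE" \
            --msgbox "`head -n 1 $TMPFILE`" $BL $BC
        fi
      fi
    esac
  done
}

# gen_request_list: checklist triples "REQUEST on|off on|off" for every
# request type, marked on when it is in the object's log_program_based set.
gen_request_list () {
  if test -z "$REQUESTS"
  then
    REQUESTS=`$RSBACPATH""attr_get_file_dir -n`
  fi
  SETREQUESTS=`$RSBACPATH""attr_get_file_dir $GETSWITCH -p $TYPE "$FILE" log_program_based`
  for i in $REQUESTS
  do
    if echo $SETREQUESTS | grep -q "\\<$i\\>"
    then
      echo $i on on
    else
      echo $i off off
    fi
  done
}

# gen_min_caps_list: checklist triples "CAP on|off on|off" for every Linux
# capability, marked on when it is in the object's min_caps set.
gen_min_caps_list () {
  if test -z "$CAPS"
  then
    CAPS=`$RSBACPATH""attr_get_file_dir -c`
  fi
  SETCAPS=`$RSBACPATH""attr_get_file_dir $GETSWITCH -p $TYPE "$FILE" min_caps`
  for i in $CAPS
  do
    if echo $SETCAPS | grep -q "\\<$i\\>"
    then
      echo $i on on
    else
      echo $i off off
    fi
  done
}

# gen_max_caps_list: as gen_min_caps_list, for the max_caps set.
gen_max_caps_list () {
  if test -z "$CAPS"
  then
    CAPS=`$RSBACPATH""attr_get_file_dir -c`
  fi
  SETCAPS=`$RSBACPATH""attr_get_file_dir $GETSWITCH -p $TYPE "$FILE" max_caps`
  for i in $CAPS
  do
    if echo $SETCAPS | grep -q "\\<$i\\>"
    then
      echo $i on on
    else
      echo $i off off
    fi
  done
}

# Width left for the category bit string in the menu, derived from the
# dialog column count BC.
declare -i MAXCATLEN=$BC-38

# cat_print BITS: the category bit string, or "(too long)" when the menu is
# too narrow to show all 64 bits.
cat_print () {
  if test $MAXCATLEN -ge 64
  then
    echo $1
  else
    echo "(too long)"
  fi
}

# Width left for the object name in the menu.
declare -i MAXNAMELEN=$BC-44

# name_print NAME: NAME truncated to fit the menu column.
name_print () {
  echo "$1" | cut -c1-$MAXNAMELEN
}

# gen_follow_symlink 1|2: the "Follow:" menu tag (1) and its target label (2),
# both empty unless the current object is a symlink.
gen_follow_symlink () {
  case $1 in
  1)
    if test "$TYPE" = "SYMLINK"
    then
      echo 'Follow:'
    fi
    ;;
  2)
    if test "$TYPE" = "SYMLINK"
    then
      echo "`name_print \"$SYMLINK\"`"
    fi
    ;;
  esac
}

###################### Menu #################
# Start on the object given as $1, else on the last visited directory.
if test "$1" != ""
then
  FILE=$1
else
  FILE=$LASTDIR
fi
# The replay log is a shell transcript of every attr_set_* command issued
# from this menu; a session header is written first.
if test -n "$RSBACLOGFILE"
then
  {
    echo ""
    echo "# $0 start `date`"
  } >>"$RSBACLOGFILE"
fi
get_attributes "$FILE"
if test "$TYPE" != "DIR" -a -n "$RSBACLOGFILE"
then
  echo "cd `pwd`" >>"$RSBACLOGFILE"
fi
# The main menu is generated as a shell function (fd_menu) into $TMPFILE and
# sourced from there, so only the modules enabled via SHOW_* appear.  Because
# the file is executed, TMPFILE must be a private file created earlier in
# this script (how it is created is outside this section; it should not be a
# predictable name in a shared directory).
{
  echo 'fd_menu ()'
  echo ' {'
  echo " $DIALOG --title \"$TITLE\" \\"
  echo ' --backtitle "$BACKTITLE" \'
  echo '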
--help-button --default-item "$CHOICE" \' echo ' --menu "Main FD Menu" $BL $BC `gl 52` \' echo ' "FD List:" "Choose from listing of last dir" \' echo ' "FD Name:" "`name_print \"$FILE / $SUBTYPE\"`" \' echo ' `gen_follow_symlink 1` `gen_follow_symlink 2` \' echo ' "Attribute Get Mode:" "$GETMODE" \' echo ' "-------------------" " " \' if test "$SHOW_MAC" = "yes" then echo ' "MAC Security Level:" "$SECLEVEL / `get_vname seclevel $SECLEVEL`" \' echo ' "MAC Categories:" "`cat_print $MACCAT`" \' echo ' "MAC Trusted for Users:" "$MACTRUSER" \' echo ' "MAC Auto:" "$MACAUTO / `get_vname macauto $MACAUTO`" \' echo ' "MAC Prop Trusted:" "$MACPROPTR / `get_vname onoff $MACPROPTR`" \' echo ' "MAC File Flags:" "$MACFLAGS" \' fi if test "$SHOW_PM" = "yes" then echo ' "PM Object Class:" "$PMCLASS" \' echo ' "PM TP:" "$PMTP" \' echo ' "PM Object Type:" "$PMOBJTYPE / `get_vname pmobjtype $PMOBJTYPE`" \' fi if test "$SHOW_DAZ" = "yes" then echo ' "DAZ Scanned:" "$DAZSCANNED / $(get_vname dazscanned $DAZSCANNED)" \' echo ' "DAZ Do Scan:" "$DAZDOSCAN / $(get_vname dazdoscan $DAZDOSCAN)" \' echo ' "DAZ Scanner:" "$DAZSCANNER / $(get_vname onoff $DAZSCANNER)" \' fi if test "$SHOW_FF" = "yes" then echo ' "FF Flags:" "$FFFLAGS" \' fi if test "$SHOW_RC" = "yes" then echo ' "RC Type FD:" "$RCTYPEFD / `get_vname rctypefd $RCTYPEFD`" \' echo ' "RC Force Role:" "$RCFORRO / `get_vname rcforro $RCFORRO`" \' echo ' "RC Initial Role:" "$RCINRO / `get_vname rcinro $RCINRO`" \' fi if test "$SHOW_AUTH" = "yes" then echo ' "AUTH May Setuid:" "$AUTHSUID / `get_vname authsuid $AUTHSUID`" \' echo ' "AUTH May Set Cap:" "$AUTHSCAP / `get_vname onoff $AUTHSCAP`" \' echo ' "AUTH Learn:" "$AUTHLEARN / `get_vname onoff $AUTHLEARN`" \' echo ' "AUTH Capabilities:" "`get_caps`" \' echo ' "AUTH Eff Capabilities:" "`get_caps -e`" \' echo ' "AUTH FS Capabilities:" "`get_caps -f`" \' echo ' "AUTH Group Capabilities:" "`get_caps -g`" \' echo ' "AUTH Group Eff Capabilities:" "`get_caps -E`" \' echo ' "AUTH Group FS 
Capabilities:" "`get_caps -F`" \' fi if test "$SHOW_CAP" = "yes" then echo ' "CAP Min Caps:" "$MINCAPS" \' echo ' "CAP Max Caps:" "$MAXCAPS" \' echo ' "CAP ld_env:" "$CAPLDENV"\' fi if test "$SHOW_RES" = "yes" then echo ' "RES Min Resources:" "$RESMIN" \' echo ' "RES Max Resources:" "$RESMAX" \' fi if test "$SHOW_PAX" = "yes" then echo ' "PAX Flags:" "$PAXFLAGS" \' fi if test "$SHOW_GEN" = "yes" then echo ' "Log Array Low:" "$LOGLOW" \' echo ' "Log Array High:" "$LOGHIGH" \' echo ' "Log Program Based:" "$LOGPROG" \' echo ' "Symlink Add Remote IP:" "$SYMADDIP" \' echo ' "Symlink Add UID:" "$SYMADDUID" \' echo ' "Symlink Add MAC Level:" "$SYMADDMAC" \' echo ' "Symlink Add RC Role:" "$SYMADDRC" \' echo ' "Linux DAC disable:" "$DACDIS / `get_vname dacdis $DACDIS`" \' echo ' "Fake Root UID:" "$FAKERUID / `get_vname fakeruid $FAKERUID`" \' echo ' "Audit UID Exempt:" "$AUIDEXEM" \' echo ' "Virtual UM Set:" "$VSET" \' fi echo ' "----------------" " " \' echo ' "Dev Attributes:" "Go to block/char dev attribute menu" \' if test "$SHOW_ACL" = "yes" then echo ' "ACL Menu:" "Go to ACL menu" \' fi echo ' "----------------" " " \' echo ' "Reset Attributes:" "Reset all values to default values" \' echo ' "Quit" ""' echo ' }' } > $TMPFILE . $TMPFILE #cp $TMPFILE /tmp/menu while true do if ! fd_menu 2>$TMPFILE then rm $TMPFILE ; exit fi CHOICE="`cat $TMPFILE`" # echo $CHOICE >>/tmp/temp case "$CHOICE" in HELP*) show_help "${CHOICE:5}" CHOICE="${CHOICE:5}" ;; 'FD List:') FILETMP="$FILE" if test ! 
-d $LASTDIR then $LASTDIR='/' fi TMP=`ls -1ad $LASTDIR/* $LASTDIR/.*` while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$FILETMP" \ --menu "File/Dir/Fifo Name (choose cancel for $FILE)" $BL $BC $MAXLINES \ $(for i in $TMP ; do list_item $i ; done) \ 2>$TMPFILE do FILETMP="`cat $TMPFILE`" FILE="$FILETMP" get_attributes if test $TYPE != "DIR" then break else TMP=`ls -1ad $LASTDIR/* $LASTDIR/.*` fi done ;; "FD Name:") if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "File/Dir/Fifo/Symlink name" $BL $BC "$FILE" \ 2>$TMPFILE then FILE=`cat $TMPFILE` get_attributes fi ;; "Follow:") case "$SYMLINK" in /*) FILE="$SYMLINK" ;; *) FILE="`dirname $FILE`/$SYMLINK" ;; esac get_attributes ;; 'Attribute Get Mode:') if test $GETMODE = "real" then GETMODE="effective" ; GETSWITCH="-e" else GETMODE="real" ; GETSWITCH="" fi get_attributes ;; 'MAC Security Level:') if test "$TYPE" != "NONE" then \ if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Security Level for $FILE (old value: $SECLEVEL)" $BL $BC 8 \ "Enter" "Numeric Value" off \ 0 "`get_vname seclevel 0`" `onoff 0 $SECLEVEL` \ 1 "`get_vname seclevel 1`" `onoff 1 $SECLEVEL` \ 2 "`get_vname seclevel 2`" `onoff 2 $SECLEVEL` \ 3 "`get_vname seclevel 3`" `onoff 3 $SECLEVEL` \ 252 "`get_vname seclevel 252`" `onoff 252 $SECLEVEL` \ 253 "`get_vname seclevel 253`" `onoff 253 $SECLEVEL` \ 254 "`get_vname seclevel 254`" `onoff 254 $SECLEVEL` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if test "$TMP" = "Enter" then if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "MAC security level" $BL $BC "$SECLEVEL" \ 2>$TMPFILE then TMP="`cat $TMPFILE`" if test $TMP -gt 254 then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Invalid security level value $TMP!" 
$BL $BC TMP="" fi else TMP="" fi fi if test -n "$TMP" then if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" security_level $TMP &>$TMPFILE then SECLEVEL=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" security_level $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Security Level: No file/dir specified!" 5 $BC fi ;; 'MAC Categories:') if test "$TYPE" != "NONE" then ALLCATNR=`$RSBACPATH""attr_get_file_dir list_category_nr` if $DIALOG --title "MAC Categories for $TYPE $FILE (all 0 = inherit)" \ --backtitle "$BACKTITLE" \ --checklist "Bits: $MACCAT" $BL $BC $MAXLINES \ `gen_cat_list $ALLCATNR` \ 2>$TMPFILE then TMP=`cat $TMPFILE|tr -d '"'` if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi for i in $ALLCATNR do if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" mac_categories $i 0 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" mac_categories $i 0 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done for i in $TMP do if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" mac_categories $i 1 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" mac_categories $i 1 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done MACCAT=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" mac_categories` fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "MAC Categories: No file/dir specified!" 
5 $BC fi ;; 'MAC Trusted for Users:') if test "$TYPE" = "FILE" -a "$SUBTYPE" = "FILE" then while true ; do if \ SUBCHOICE= $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$SUBCHOICE" \ --menu "$FILE: $CHOICE $MACTRUSER" $BL $BC `gl 3` \ "Add" "Trusted User" \ "Remove" "Trusted User" \ "Quit" "" \ 2>$TMPFILE then SUBCHOICE=`cat $TMPFILE` case $SUBCHOICE in Quit) break ;; Add) if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi choose_user_mac_trusted if test -n "$NEWMTUSER" then if ! $RSBACPATH""mac_set_trusted FILE add "$FILE" $NEWMTUSER &>$TMPFILE then \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC else MACTRUSER=`$RSBACPATH""mac_set_trusted $TYPE get "$FILE" 2>/dev/null | sed -e "s/$ALL_USERS/ALL/g"` fi fi ;; Remove) if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi TMP=`get_mac_trusted` while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --menu "Username/ID to be removed from $FILE file mac_trusted" $BL $BC $MAXLINES \ `gen_mac_trusted_rem_user $TMP` \ 2>$TMPFILE do TMP=`cat $TMPFILE|tr ':' ' '` if test "$TMP" == "ALL" then TMP=$ALL_USERS fi if $RSBACPATH""mac_set_trusted FILE remove "$FILE" $TMP &>$TMPFILE then \ MACTRUSER=`$RSBACPATH""mac_set_trusted $TYPE get "$FILE" 2>/dev/null | sed -e "s/$ALL_USERS/ALL/g"` break else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi done ;; esac else break fi done else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "$CHOICE: No regular file specified!" 5 $BC fi ;; 'MAC Auto:') if test "$TYPE" != "NONE" then \ if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 
5 $BC continue fi if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose MAC Auto for $FILE" $BL $BC 3 \ 0 "`get_vname macauto 0`" `onoff 0 $MACAUTO` \ 1 "`get_vname macauto 1`" `onoff 1 $MACAUTO` \ 2 "`get_vname macauto 2`" `onoff 2 $MACAUTO` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" mac_auto $TMP &>$TMPFILE then MACAUTO=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" mac_auto $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "MAC Auto: No file/dir specified!" 5 $BC fi ;; 'MAC Prop Trusted:') if test "$TYPE" = "FILE" -a "$SUBTYPE" = "FILE" then \ if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi if test $MACPROPTR = "0" then TMP="1" else TMP="0" fi if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" mac_prop_trusted $TMP &>$TMPFILE then MACPROPTR=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" mac_prop_trusted $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "MAC Prop Trusted: No regular file specified!" 5 $BC fi ;; 'MAC File Flags:') if test "$TYPE" != "NONE" then mac_flags_menu else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "MAC File Flags: No file/dir specified!" 5 $BC fi ;; 'PM Object Class:') if test "$TYPE" != "NONE" then \ if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 
5 $BC continue fi if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "PM Object Class (long integer) for $FILE" \ $BL $BC "$PMCLASS" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" pm_object_class $TMP &>$TMPFILE then PMCLASS=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" pm_object_class $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "PM Object Class: No file/dir specified!" 5 $BC fi ;; 'PM TP:') if test "$TYPE" != "NONE" then \ if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "PM TP (long integer) for $FILE" \ $BL $BC "$PMTP" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" pm_tp $TMP &>$TMPFILE then PMTP=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" pm_tp $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "PM TP: No file/dir specified!" 5 $BC fi ;; 'PM Object Type:') if test "$TYPE" != "NONE" then \ if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 
5 $BC continue fi if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose PM Object Type for $FILE" $BL $BC 6 \ 0 "`get_vname pmobjtype 0`" `onoff 0 $PMOBJTYPE` \ 1 "`get_vname pmobjtype 1`" `onoff 1 $PMOBJTYPE` \ 2 "`get_vname pmobjtype 2`" `onoff 2 $PMOBJTYPE` \ 3 "`get_vname pmobjtype 3`" `onoff 3 $PMOBJTYPE` \ 4 "`get_vname pmobjtype 4`" `onoff 4 $PMOBJTYPE` \ 5 "`get_vname pmobjtype 5`" `onoff 5 $PMOBJTYPE` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" pm_object_type $TMP &>$TMPFILE then PMOBJTYPE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" pm_object_type $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "PM Object Type: No file/dir specified!" 5 $BC fi ;; 'DAZ Scanned:') if test "$TYPE" != "NONE" then \ if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose DAZ Scanned Status for $FILE" $BL $BC 5 \ 0 "`get_vname dazscanned 0`" `onoff 0 $DAZSCANNED` \ 1 "`get_vname dazscanned 1`" `onoff 1 $DAZSCANNED` \ 2 "`get_vname dazscanned 2`" `onoff 2 $DAZSCANNED` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" daz_scanned $TMP &>$TMPFILE then DAZSCANNED=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" daz_scanned $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "DAZ Scanned: No file/dir specified!" 
5 $BC fi ;; 'DAZ Do Scan:') if test "$TYPE" != "NONE" then \ if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose DAZ Scanned Status for $FILE" $BL $BC 4 \ 0 "`get_vname dazdoscan 0`" `onoff 0 $DAZDOSCAN` \ 1 "`get_vname dazdoscan 1`" `onoff 1 $DAZDOSCAN` \ 2 "`get_vname dazdoscan 2`" `onoff 2 $DAZDOSCAN` \ 3 "`get_vname dazdoscan 3`" `onoff 3 $DAZDOSCAN` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" daz_do_scan $TMP &>$TMPFILE then DAZDOSCAN=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" daz_do_scan $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "DAZ Do Scan: No file/dir specified!" 5 $BC fi ;; 'DAZ Scanner:') if test "$TYPE" = "FILE" -a "$SUBTYPE" = "FILE" then \ if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi if test $DAZSCANNER = "0" then TMP="1" else TMP="0" fi if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" daz_scanner $TMP &>$TMPFILE then DAZSCANNER=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" daz_scanner $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "DAZ Scanner: No regular file specified!" 5 $BC fi ;; 'FF Flags:') if test "$TYPE" != "NONE" then if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 
5 $BC continue fi flags_menu else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "FF Flags: No file/dir specified!" 5 $BC fi ;; 'PAX Flags:') if test "$TYPE" != "NONE" then if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi pax_flags_menu else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "PAX Flags: No file/dir specified!" 5 $BC fi ;; 'RC Type FD:') if test "$TYPE" != "NONE" then if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi if $RSBACPATH""rc_get_item list_fd_types >$TMPFILE then \ TYPELIST=`cat $TMPFILE` if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$RCTYPE" \ --menu "Choose RC Type FD for $FILE" $BL $BC $MAXLINES \ $RCTYPEINHPAR "Inherit from parent dir" \ $TYPELIST \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" rc_type_fd $TMP &>$TMPFILE then RCTYPEFD=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" rc_type_fd $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "RC Type FD (integer) for $FILE ($RCTYPEINHPAR = inherit)" \ $BL $BC "$RCTYPEFD" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" rc_type_fd $TMP &>$TMPFILE then RCTYPEFD=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" rc_type_fd $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "RC Type FD: No file/dir specified!" 
5 $BC fi ;; 'RC Force Role:') if test "$TYPE" != "NONE" then if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi if $RSBACPATH""rc_get_item list_roles >$TMPFILE then \ TMP="$RCFORRO" ROLELIST=`cat $TMPFILE` while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --help-button --default-item "$TMP" \ --menu "Choose RC Forced Role for $TYPE $FILE" $BL $BC $MAXLINES \ $RCUSERINHERIT "always inherit from user" \ $RCPROCINHERIT "inherit process (keep role)" \ $RCPARINHERIT "inherit parent dir (default)" \ $RCMIXINHERIT "mixed inherit proc/user (root dir default)" \ $ROLELIST \ 2>$TMPFILE do TMP=`cat $TMPFILE` case "$TMP" in HELP*) show_help "${TMP:5}" TMP="${TMP:5}" ;; *) if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" rc_force_role $TMP &>$TMPFILE then RCFORRO=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" rc_force_role $TMP >>"$RSBACLOGFILE" fi break else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi esac done else \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "RC Force Role (integer) for $TYPE $FILE ($RCUSERINHERIT = always inherit from user, $RCPROCINHERIT = inherit from process (keep role), $RCMIXINHERIT = mixed inherit (default))" \ $BL $BC "$RCFORRO" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" rc_force_role $TMP &>$TMPFILE then RCFORRO=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" rc_force_role $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "RC Force Role: No file/dir specified!" 
5 $BC fi ;; 'RC Initial Role:') if test "$TYPE" != "NONE" then if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi if $RSBACPATH""rc_get_item list_roles >$TMPFILE then \ TMP="$RCINRO" ROLELIST=`cat $TMPFILE` while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --help-button --default-item "$TMP" \ --menu "Choose RC Initial Role for $TYPE $FILE" $BL $BC $MAXLINES \ $RCPARINHERIT "inherit parent dir (default)" \ $RCUSEFR "use force_role value (root dir default)" \ $ROLELIST \ 2>$TMPFILE do TMP=`cat $TMPFILE` case "$TMP" in HELP*) show_help "${TMP:5}" TMP="${TMP:5}" ;; *) if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" rc_initial_role $TMP &>$TMPFILE then RCINRO=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" rc_initial_role $TMP >>"$RSBACLOGFILE" fi break else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi esac done else \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "RC Initial Role (integer) for $TYPE $FILE ($RCPARINHERIT = inherit parent (default), $RCUSEFR = use force_role value (root default))" \ $BL $BC "$RCINRO" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" rc_initial_role $TMP &>$TMPFILE then RCINRO=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" rc_initial_role $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "RC Initial Role: No file/dir specified!" 5 $BC fi ;; 'AUTH May Setuid:') if test "$TYPE" = "FILE" -a "$SUBTYPE" = "FILE" then if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 
5 $BC continue fi if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Auth May Setuid for $FILE" $BL $BC 4 \ 0 "`get_vname authsuid 0`" `onoff 0 $AUTHSUID` \ 1 "`get_vname authsuid 1`" `onoff 1 $AUTHSUID` \ 2 "`get_vname authsuid 2`" `onoff 2 $AUTHSUID` \ 3 "`get_vname authsuid 3`" `onoff 3 $AUTHSUID` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" auth_may_setuid $TMP &>$TMPFILE then AUTHSUID=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" auth_may_setuid $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "AUTH May Setuid: No regular file specified!" 5 $BC fi ;; 'AUTH May Set Cap:') if test "$TYPE" = "FILE" -a "$SUBTYPE" = "FILE" then if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi if test $AUTHSCAP = "0" then TMP="1" else TMP="0" fi if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" auth_may_set_cap $TMP &>$TMPFILE then AUTHSCAP=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" auth_may_set_cap $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "AUTH May Set Cap: No regular file specified!" 5 $BC fi ;; 'AUTH Learn:') if test "$TYPE" = "FILE" -a "$SUBTYPE" = "FILE" then if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 
5 $BC continue fi if test $AUTHLEARN = "0" then TMP="1" else TMP="0" fi if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" auth_learn $TMP &>$TMPFILE then AUTHLEARN=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" auth_learn $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "AUTH Learn: No regular file specified!" 5 $BC fi ;; 'AUTH Capabilities:' | 'AUTH Eff Capabilities:' | 'AUTH FS Capabilities:'\ | 'AUTH Group Capabilities:' | 'AUTH Group Eff Capabilities:' \ | 'AUTH Group FS Capabilities:') if test "$TYPE" = "FILE" -a "$SUBTYPE" = "FILE" || test "$TYPE" = "DIR" then case "$CHOICE" in 'AUTH Eff Capabilities:') CAPFLAGS='-e' CHOOSER=choose_user ;; 'AUTH FS Capabilities:') CAPFLAGS='-f' CHOOSER=choose_user ;; 'AUTH Group Capabilities:') CAPFLAGS='-g' CHOOSER=choose_group ;; 'AUTH Group Eff Capabilities:') CAPFLAGS='-E' CHOOSER=choose_group ;; 'AUTH Group FS Capabilities:') CAPFLAGS='-F' CHOOSER=choose_group ;; *) CAPFLAGS='' CHOOSER=choose_user ;; esac while true ; do if \ SUBCHOICE= $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$SUBCHOICE" \ --menu "$FILE: $CHOICE `get_caps $CAPFLAGS`" $BL $BC `gl 3` \ "Add" "Capability" \ "Remove" "Capability" \ "Quit" "" \ 2>$TMPFILE then SUBCHOICE=`cat $TMPFILE` case $SUBCHOICE in Quit) break ;; Add) if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 
5 $BC continue fi $CHOOSER if test -n "$NEWMTUSER" then if $RSBACPATH""auth_set_cap $CAPFLAGS FD add "$FILE" $NEWMTUSER &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""auth_set_cap $CAPFLAGS FD add \"$FILE\" $NEWMTUSER >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi ;; Remove) if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi TMP=`get_caps $CAPFLAGS` if test "$CHOOSER" = "choose_group" then while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --menu "Groupname/ID to be removed from $FILE file caps" $BL $BC $MAXLINES \ `gen_cap_rem_group $TMP` \ 2>$TMPFILE do TMP=`cat $TMPFILE|tr ':' ' '` if $RSBACPATH""auth_set_cap $CAPFLAGS FD remove "$FILE" $TMP &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""auth_set_cap $CAPFLAGS FD remove \"$FILE\" $TMP >>"$RSBACLOGFILE" fi break else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi done else while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --menu "Username/ID to be removed from $FILE file caps" $BL $BC $MAXLINES \ `gen_cap_rem_user $TMP` \ 2>$TMPFILE do TMP=`cat $TMPFILE|tr ':' ' '` if $RSBACPATH""auth_set_cap $CAPFLAGS FD remove "$FILE" $TMP &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""auth_set_cap $CAPFLAGS FD remove \"$FILE\" $TMP >>"$RSBACLOGFILE" fi break else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi done fi ;; esac else break fi done else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "$CHOICE: No regular file specified!" 
5 $BC fi ;; 'CAP Min Caps:') if test "$TYPE" = "FILE" then if $DIALOG --title "CAP min_caps for $TYPE $FILE" \ --backtitle "$BACKTITLE" \ --checklist "Bits: $MINCAPS" $BL $BC $MAXLINES \ `gen_min_caps_list` \ '--------------' '-----------------' off \ UA 'Unset ALL' off \ A 'Set ALL' off \ FS_MASK 'Set all filesystem caps' off \ 2>$TMPFILE then TMP=`cat $TMPFILE|tr -d '"'` if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" min_caps $TMP &>$TMPFILE then \ MINCAPS=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" min_caps` if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" min_caps $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "CAP Min Caps: No file specified!" 5 $BC fi ;; 'CAP Max Caps:') if test "$TYPE" = "FILE" then if $DIALOG --title "CAP max_caps for $TYPE $FILE" \ --backtitle "$BACKTITLE" \ --checklist "Bits: $MAXCAPS" $BL $BC $MAXLINES \ `gen_max_caps_list` \ '--------------' '-----------------' off \ UA 'Unset ALL' off \ A 'Set ALL' off \ FS_MASK 'Set all filesystem caps' off \ 2>$TMPFILE then TMP=`cat $TMPFILE|tr -d '"'` if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 
5 $BC continue fi if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" max_caps $TMP &>$TMPFILE then \ MAXCAPS=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" max_caps` if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" max_caps $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "CAP Max Caps: No file specified!" 5 $BC fi ;; 'CAP ld_env:') if test "$TYPE" = "FILE" -a "$SUBTYPE" = "FILE" then if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi if test $CAPLDENV = "0" then TMP="1" else TMP="0" fi if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" cap_ld_env $TMP &>$TMPFILE then CAPLDENV=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" cap_ld_env $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "CAP ld_env: No regular file specified!" 
5 $BC fi ;; 'RES Min Resources:') if test "$TYPE" = "FILE" then while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --help-button --default-item "$RESSEL" \ --menu "RES Minimum Resources for $TYPE $FILE" $BL $BC $MAXLINES \ `$RSBACPATH""attr_get_file_dir $TYPE "$FILE" res_min` \ 2>$TMPFILE do RESSEL=`cat $TMPFILE` case "$RESSEL" in HELP*) show_help "${RESSEL:5}" RESSEL="${RESSEL:5}" ;; *) if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Minimum $RESSEL resource limit for $FILE (0 = unset)" \ $BL $BC "`$RSBACPATH""attr_get_file_dir $TYPE "$FILE" res_min $RESSEL`" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" res_min $RESSEL $TMP &>$TMPFILE then RESMIN=`$RSBACPATH""attr_get_file_dir -s $TYPE "$FILE" res_min` if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" res_min $RESSEL $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi ;; esac done else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "RES Min Resources: No file specified!" 
5 $BC fi ;; 'RES Max Resources:') if test "$TYPE" = "FILE" then while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --help-button --default-item "$RESSEL" \ --menu "RES Maximum Resources for $TYPE $FILE" $BL $BC $MAXLINES \ `$RSBACPATH""attr_get_file_dir $TYPE "$FILE" res_max` \ 2>$TMPFILE do RESSEL=`cat $TMPFILE` case "$RESSEL" in HELP*) show_help "${RESSEL:5}" RESSEL="${RESSEL:5}" ;; *) if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Maximum $RESSEL resource limit for $FILE (0 = unset)" \ $BL $BC "`$RSBACPATH""attr_get_file_dir $TYPE "$FILE" res_max $RESSEL`" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" res_max $RESSEL $TMP &>$TMPFILE then RESMAX=`$RSBACPATH""attr_get_file_dir -s $TYPE "$FILE" res_max` if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" res_max $RESSEL $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi ;; esac done else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "RES Max Resources: No file specified!" 5 $BC fi ;; 'Log Array Low:') if test "$TYPE" != "NONE" then log_menu else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Log Array Low: No file/dir specified!" 5 $BC fi ;; 'Log Array High:') if test "$TYPE" != "NONE" then log_menu else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Log Array High: No file/dir specified!" 
5 $BC fi ;; 'Log Program Based:') if test "$TYPE" != "NONE" then if $DIALOG --title "log_program_based for $TYPE $FILE" \ --backtitle "$BACKTITLE" \ --checklist "Bits: $LOGPROG" $BL $BC $MAXLINES \ `gen_request_list` \ '--------------' '-----------------' off \ UA 'Unset ALL' off \ A 'Set ALL' off \ R 'Set Read Requests' off \ RW 'Set Read-Write R.' off \ W 'Set Write Requests' off \ SY 'Set System R.' off \ SE 'Set Security R.' off \ 2>$TMPFILE then TMP=`cat $TMPFILE|tr -d '"'` if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" log_program_based $TMP &>$TMPFILE then \ LOGPROG=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_program_based` if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" log_program_based $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Log Program Based: No file/dir specified!" 5 $BC fi ;; 'Symlink Add Remote IP:') if test "$TYPE" = "SYMLINK" then if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose number if remote IP bytes to be added for $FILE" $BL $BC 5 \ 0 "off" `onoff 0 $SYMADDIP` \ 1 "e.g. 192" `onoff 1 $SYMADDIP` \ 2 "e.g. 192.168" `onoff 2 $SYMADDIP` \ 3 "e.g. 192.168.10" `onoff 3 $SYMADDIP` \ 4 "e.g. 
192.168.10.254" `onoff 4 $SYMADDIP` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" symlink_add_remote_ip $TMP &>$TMPFILE then SYMADDIP=$TMP SYMLINK="`ls -l \"$FILE\"|cut -d '>' -f 2|cut -c 2-`" if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" symlink_add_remote_ip $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Symlink Add Remote IP: No symlink specified!" 5 $BC fi ;; 'Symlink Add UID:') if test "$TYPE" = "SYMLINK" then if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi if test $SYMADDUID = "0" then TMP="1" else TMP="0" fi if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" symlink_add_uid $TMP &>$TMPFILE then SYMADDUID=$TMP SYMLINK="`ls -l \"$FILE\"|cut -d '>' -f 2|cut -c 2-`" if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" symlink_add_uid $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Symlink Add UID: No symlink specified!" 5 $BC fi ;; 'Symlink Add MAC Level:') if test "$TYPE" = "SYMLINK" then if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 
5 $BC continue fi if test $SYMADDMAC = "0" then TMP="1" else TMP="0" fi if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" symlink_add_mac_level $TMP &>$TMPFILE then SYMADDMAC=$TMP SYMLINK="`ls -l \"$FILE\"|cut -d '>' -f 2|cut -c 2-`" if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" symlink_add_mac_level $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Symlink Add MAC Level: No symlink specified!" 5 $BC fi ;; 'Symlink Add RC Role:') if test "$TYPE" = "SYMLINK" then if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi if test $SYMADDRC = "0" then TMP="1" else TMP="0" fi if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" symlink_add_rc_role $TMP &>$TMPFILE then SYMADDRC=$TMP SYMLINK="`ls -l \"$FILE\"|cut -d '>' -f 2|cut -c 2-`" if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" symlink_add_rc_role $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Symlink Add RC Role: No symlink specified!" 5 $BC fi ;; 'Linux DAC disable:') if test "$TYPE" != "NONE" then if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 
5 $BC continue fi if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Linux DAC disable value for $FILE" $BL $BC 6 \ 0 "`get_vname dacdis 0`" `onoff 0 $DACDIS` \ 1 "`get_vname dacdis 1`" `onoff 1 $DACDIS` \ 2 "`get_vname dacdis 2`" `onoff 2 $DACDIS` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" linux_dac_disable $TMP &>$TMPFILE then DACDIS=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" linux_dac_disable $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Linux DAC disable: No file/dir specified!" 5 $BC fi ;; 'Fake Root UID:') if test "$TYPE" != "NONE" then if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose when the root uid is faked for $FILE" $BL $BC 4 \ 0 "`get_vname fakeruid 0`" `onoff 0 $FAKERUID` \ 1 "`get_vname fakeruid 1`" `onoff 1 $FAKERUID` \ 2 "`get_vname fakeruid 2`" `onoff 2 $FAKERUID` \ 3 "`get_vname fakeruid 3`" `onoff 3 $FAKERUID` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" fake_root_uid $TMP &>$TMPFILE then FAKERUID=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" fake_root_uid $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Fake Root UID: No file/dir specified!" 5 $BC fi ;; 'Audit UID Exempt:') if test "$TYPE" != "NONE" then \ if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 
5 $BC continue fi if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Exemption UID for $FILE (-3 to unset)" \ $BL $BC "$AUIDEXEM" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" auid_exempt $TMP &>$TMPFILE then AUIDEXEM=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" auid_exempt $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Audit UID Exempt: No file/dir specified!" 5 $BC fi ;; 'Virtual UM Set:') if test "$TYPE" != "NONE" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Virtual User Management Set for $FILE (-1 / $VSETKEEP to keep current set)" \ $BL $BC "$VSET" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" vset $TMP &>$TMPFILE then VSET=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" vset $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Virtual UM Set: No file/dir specified!" 5 $BC fi ;; 'Dev Attributes:') $RSBACPATH""rsbac_dev_menu "$FILE" ;; 'ACL Menu:') $RSBACPATH""rsbac_acl_menu FD "$FILE" ;; 'Reset Attributes:') if test "$TYPE" != "NONE" then if test "$GETMODE" = "effective" then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "No changes in effective mode please!" 5 $BC continue fi if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --yesno "Reset all attributes to default values?" 
5 $BC \ 2>/dev/null then if $RSBACPATH""attr_rm_file_dir $TYPE "$FILE" &>$TMPFILE then get_attributes else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Reset Attributes: No file/dir specified!" 5 $BC fi ;; Quit) rm $TMPFILE ; exit ;; *) $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Main Menu: Selection Error!" 5 $BC esac # sleep 2 done rsbac-admin-1.4.0/main/tools/src/scripts/rsbac_group_menu0000755000175000017500000002273711131371032023367 0ustar gauvaingauvain#!/bin/bash # # This script is used for Administration of RSBAC general group attributes # # # Make sure we're really running bash. # [ -z "$BASH" ] && { echo "This menu requires bash" 1>&2; exit 1; } # # Cache function definitions, turn off posix compliance # set -h +o posix # Set conf filename RSBACCONF=/etc/rsbac.conf # Read settings if test -f $RSBACCONF then . $RSBACCONF fi if test -f ~/.rsbacrc then . ~/.rsbacrc fi if test -z "$RSBACMOD" then RSBACMOD='GEN MAC PM DAZ FF RC AUTH ACL CAP JAIL RES PAX' fi for i in $RSBACMOD do export SHOW_${i}=yes done # The dir for tmp files if test -z "$TMPDIR" ; then TMPDIR=/tmp ; fi # This must be a unique temporary filename if ! TMPFILE=`mktemp -q $TMPDIR/rsbac_dialog.XXXXXX` then TMPFILE=$TMPDIR/rsbac_dialog.$$ if test -e $TMPFILE then rm $TMPFILE fi fi if ! TMPFILETWO=`mktemp -q $TMPDIR/rsbac_dialog.XXXXXX` then TMPFILETWO=$TMPDIR/rsbac_dialog.$$.2 if test -e $TMPFILETWO then rm $TMPFILETWO fi fi # set this to rsbac bin dir, if not in path (trailing / is mandatory!) # #if test -z "$RSBACPATH" ; then RSBACPATH=./ ; fi # set this to initial dir on script startup LASTDIR='.' # which dialog tool to use - dialog or kdialog or xdialog... if test -z $DIALOG then DIALOG=${RSBACPATH}dialog fi if ! $DIALOG --clear then echo $DIALOG menu program required! >&2 exit fi if ! 
$DIALOG --help 2>&1 | grep -q "help-button" then echo "Newer dialog menu version >= 0.9a-20020309a with '--help-button' option" >&2 echo "required, please use dialog from admin tools contrib dir or set" >&2 echo "\$DIALOG to another dialog program, e.g. with rsbac_settings_menu!" >&2 exit fi set_geometry () { BL=${1:-24} BC=${2:-80} [ $BL = 0 ] && BL=24 [ $BC = 0 ] && BC=80 export LINES=$BL export COLUMNS=$BC BL=$((BL-4)) BC=$((BC-5)) MAXLINES=$((LINES-10)) } set_geometry `stty size 2>/dev/null` gl () { if test $1 -gt $MAXLINES then echo $MAXLINES else echo $1 fi } if test -z "$LINES" ; then LINES=25 ; fi if test -z "$COLUMNS" ; then COLUMNS=80 ; fi export LINES export COLUMNS declare -i BL=$LINES-4 declare -i BC=$COLUMNS-4 declare -i MAXLINES=$LINES-10 if test -z "$BACKTITLE" then BACKTITLE="RSBAC Administration Tools 1.4.0" fi TITLE="`whoami`@`hostname`: RSBAC Group Administration" ERRTITLE="RSBAC Group Administration - ERROR" ALL_GROUPS=4294967292 show_help () { { echo "$1" echo "" case "$1" in Group:) echo "Enter the group name or id." ;; Grouplist:) echo "Choose group from list." ;; 'RC Type:') echo "RC model type for this group as an object." echo "" $RSBACPATH""attr_get_group -A rc_type ;; 'ACL Menu:') echo "Go to ACL menu." ;; 'Reset Attributes:') echo "Call attr_rm_group to get the attribute object for this group object" echo "removed. As result, all attribute values will be reset to their" echo "default values. Use with care!" ;; Quit) echo "Quit this menu." ;; *) echo "No help for $1 available!" 
esac } > $TMPFILE $DIALOG --title "$HELPTITLE" \ --backtitle "$BACKTITLE" \ --textbox $TMPFILE $BL $BC # sleep 1 } get_attributes () { if test "$1" != "" then if test "$SHOW_RC" = "yes" then RCTYPE=`$RSBACPATH""attr_get_group $1 rc_type` fi else RCTYPE= fi } onoff () { if test "$1" = "$2" then echo on else echo off fi } onoffb () { if test "$1" = "1" then echo on else echo off fi } get_value_name () { case $1 in onoff) case $2 in 1) echo On ;; *) echo Off ;; esac ;; esac } get_gid () { if test "$GROUPID" = "" then echo " " else echo `$RSBACPATH""attr_get_group $1 group_nr` fi } type_name () { if test -z "$GROUPID" -o -z "$1" then echo " " else if ! $RSBACPATH""rc_get_item TYPE $1 type_group_name then echo "(unknown)" fi fi } if test -n "$RSBACLOGFILE" then { echo "" echo "# $0 start `date`" } >>"$RSBACLOGFILE" fi if test "$1" != "" then GROUPID=$1 get_attributes $GROUPID fi { echo 'group_menu ()' echo ' {' echo " $DIALOG --title \"$TITLE\" \\" echo ' --backtitle "$BACKTITLE" \' echo ' --help-button --default-item "$CHOICE" \' echo ' --menu "Main Group Menu" $BL $BC `gl 7` \' echo ' "Grouplist:" "Choose group from list" \' echo ' "-------------------" " " \' echo ' "Group:" "$GROUPID / `get_gid $GROUPID`" \' if test "$SHOW_RC" = "yes" then echo ' "RC Type:" "$RCTYPE / `type_name $RCTYPE`" \' fi echo ' "----------------" " " \' echo ' "Reset Attributes:" "Reset all values to default values" \' echo ' "Quit" ""' echo ' }' } > $TMPFILE . $TMPFILE #cp $TMPFILE /tmp/menu while true do if ! 
group_menu 2>$TMPFILE then rm $TMPFILE ; exit fi CHOICE="`cat $TMPFILE`" case "$CHOICE" in HELP*) show_help "${CHOICE:5}" CHOICE="${CHOICE:5}" ;; Group:) if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Groupname/ID" $BL $BC $GROUPID \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_get_group $TMP group_name >$TMPFILE then GROUPID=`cat $TMPFILE` get_attributes $GROUPID else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Group: Unknown group $TMP!" 5 $BC fi fi ;; Grouplist:) if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$GROUPID" \ --menu "Groupname/ID" $BL $BC $MAXLINES \ `${RSBACPATH}attr_get_group -bL` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_get_group $TMP group_name >$TMPFILE then GROUPID=`cat $TMPFILE` get_attributes $GROUPID else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Group: Unknown group $TMP!" 5 $BC fi fi ;; 'RC Type:') if test "$GROUPID" != "" then \ if $RSBACPATH""rc_get_item list_group_types >$TMPFILETWO then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$RCTYPE" \ --menu "Choose RC Type for group $GROUPID" $BL $BC $MAXLINES \ `cat $TMPFILETWO` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_group $GROUPID rc_type $TMP &>$TMPFILE then RCTYPE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_group $GROUPID rc_type $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi rm $TMPFILETWO else \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "RC Type for $GROUPID" $BL $BC "$RCTYPE" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_group $GROUPID rc_type $TMP &>$TMPFILE then RCTYPE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_group $GROUPID rc_type $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 
$TMPFILE`" $BL $BC fi fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "RC Type: No group specified!" 5 $BC fi ;; 'ACL Menu:') $RSBACPATH""rsbac_acl_menu GROUP ;; 'Reset Attributes:') if test "$TYPE" != "NONE" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --yesno "Reset all attributes to default values?" 5 $BC \ 2>/dev/null then if $RSBACPATH""attr_rm_group $GROUPID &>$TMPFILE then get_attributes $GROUPID else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Reset Attributes: No group specified!" 5 $BC fi ;; Quit) rm $TMPFILE ; rm $TMPFILETWO ; exit ;; *) $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Main Menu: Selection Error!" 5 $BC esac # sleep 2 done rsbac-admin-1.4.0/main/tools/src/scripts/rsbac_nettemp_menu0000755000175000017500000010200211131371032023667 0ustar gauvaingauvain#!/bin/bash # # This script is used for Administration of RSBAC Network Template attributes # # # Make sure we're really running bash. # [ -z "$BASH" ] && { echo "This menu requires bash" 1>&2; exit 1; } # # Cache function definitions, turn off posix compliance # set -h +o posix # not used ATTRIBUTES="security_level mac_categories object_category data_type \ pm_object_type pm_ipc_purpose pm_object_class rc_type rc_type_nt \ log_array_low log_array_high" # Set conf filename RSBACCONF=/etc/rsbac.conf # Read settings if test -f $RSBACCONF then . $RSBACCONF fi if test -f ~/.rsbacrc then . ~/.rsbacrc fi if test -z "$RSBACMOD" then RSBACMOD='GEN MAC PM DAZ FF RC AUTH ACL CAP JAIL RES PAX' fi for i in $RSBACMOD do export SHOW_${i}=yes done # The dir for tmp files if test -z "$TMPDIR" ; then TMPDIR=/tmp ; fi # This must be a unique temporary filename if ! 
TMPFILE=`mktemp -q $TMPDIR/rsbac_dialog.XXXXXX` then TMPFILE=$TMPDIR/rsbac_dialog.$$ if test -e $TMPFILE then rm $TMPFILE fi touch $TMPFILE chmod 600 $TMPFILE fi # set this to rsbac bin dir, if not in path (trailing / is mandatory!) # #if test -z "$RSBACPATH" ; then RSBACPATH=./ ; fi # set this to initial dir on script startup LASTDIR='/proc' # which dialog tool to use - dialog or kdialog or xdialog... if test -z $DIALOG then DIALOG=${RSBACPATH}dialog fi if ! $DIALOG --clear then echo $DIALOG menu program required! >&2 exit fi if ! $DIALOG --help 2>&1 | grep -q "help-button" then echo "Newer dialog menu version >= 0.9a-20020309a with '--help-button' option" >&2 echo "required, please use dialog from admin tools contrib dir or set" >&2 echo "\$DIALOG to another dialog program, e.g. with rsbac_settings_menu!" >&2 exit fi set_geometry () { BL=${1:-24} BC=${2:-80} [ $BL = 0 ] && BL=24 [ $BC = 0 ] && BC=80 export LINES=$BL export COLUMNS=$BC BL=$((BL-4)) BC=$((BC-5)) MAXLINES=$((LINES-10)) } set_geometry `stty size 2>/dev/null` gl () { if test $1 -gt $MAXLINES then echo $MAXLINES else echo $1 fi } if test -z "$LINES" ; then LINES=25 ; fi if test -z "$COLUMNS" ; then COLUMNS=80 ; fi export LINES export COLUMNS declare -i BL=$LINES-4 declare -i BC=$COLUMNS-4 declare -i MAXLINES=$LINES-10 if test -z "$BACKTITLE" then BACKTITLE="RSBAC Administration Tools 1.4.0" fi TITLE="`whoami`@`hostname`: RSBAC Network Object Administration" HELPTITLE="$TITLE Help" ERRTITLE="RSBAC Net Object Administration - ERROR" ## no changes below this line! TYPE=NETTEMP show_help () { case "$RSBACLANG" in DE) show_help_german "$1" ;; RU) show_help_russian "$1" ;; *) show_help_english "$1" ;; esac } show_help_english () { { echo "$1" echo "" case "$1" in Quit) echo "Quit this menu." ;; 'NetTemp List:') echo "Choose Network Template from list." ;; "Template number:") echo "Enter Network Template number." ;; 'Template Definition:') echo "Go to Definition of this Network Template." 
;; 'Network Templates:') echo "Go to Network Template Definition menu." ;; 'MAC Security Level:') echo "Set the MAC model security level." echo "" $RSBACPATH""attr_get_net -A security_level ;; 'MAC Categories:') echo "Set the MAC model categories." echo "" $RSBACPATH""attr_get_net -A mac_categories ;; 'PM Object Type:') echo "Set object type for PM model." echo "" $RSBACPATH""attr_get_net -A pm_object_type ;; 'PM IPC Purpose:') echo "Set IPC purpose for PM model." echo "" $RSBACPATH""attr_get_net -A pm_ipc_purpose ;; 'PM Object Class:') echo "Select the PM model object class." echo "" $RSBACPATH""attr_get_net -A pm_object_class ;; 'RC Type:') echo "Select the RC model NETOBJ type for this template. This value will be" echo "inherited to the network objects." echo "" $RSBACPATH""attr_get_net -A rc_type ;; 'RC Type NT:') echo "Select the RC model NETTEMP type. This value is used for accesses to" echo "the Network Template definition." echo "" $RSBACPATH""attr_get_net -A rc_type_nt ;; 'Log Array Low:' | 'Log Array High:') echo "Choose object based logging levels for this object." echo "" $RSBACPATH""attr_get_net -A log_array_low ;; 'ACL Menu:') echo "Go to ACL menu." ;; 'Reset Attributes:') echo "Call \'attr_set_net -m\' to get the attribute object for this object" echo "removed. As result, all attribute values will be reset to their" echo "default values. Use with care!" ;; *) echo "No help for $1 available!" esac } > $TMPFILE $DIALOG --title "$HELPTITLE" \ --backtitle "$BACKTITLE" \ --textbox $TMPFILE $BL $BC # sleep 1 } show_help_german () { { echo "$1" echo "" case "$1" in Quit) echo "Beende dieses Menü." ;; 'NetTemp List:') echo "Wähle Netzwerk-Template aus einer Liste." ;; "Template number:") echo "Nummer des Netzwerk-Templates eingeben." ;; 'Template Definition:') echo "Gehe zur Definition dieses Netzwerk-Templates." ;; 'Network Templates:') echo "Gehe zum Netzwerk-Template-Definitions-Menü." 
;; 'MAC Security Level:') echo "Setze den Sicherheitslevel für das MAC-Modell." echo "" $RSBACPATH""attr_get_net -A security_level ;; 'MAC Categories:') echo "Wähle die Kategorien für das MAC-Modell." echo "" $RSBACPATH""attr_get_net -A mac_categories ;; 'PM Object Type:') echo "Setze den Objekttyp für das PM-Modell." echo "" $RSBACPATH""attr_get_net -A pm_object_type ;; 'PM IPC Purpose:') echo "Setze den IPC-Zweck für das PM-Modell." echo "" $RSBACPATH""attr_get_net -A pm_ipc_purpose ;; 'PM Object Class:') echo "Wähle die Objekt-Klasse für das PM-Modell." echo "" $RSBACPATH""attr_get_net -A pm_object_class ;; 'RC Type:') echo "Wähle den RC-NETOBJ-Typ für dieses Template. Dieser Wert wird auf" echo "die Netzwerk-Objekte vererbt." echo "" $RSBACPATH""attr_get_net -A rc_type ;; 'RC Type NT:') echo "Wähle den RC-NETTEMP-Typ für dieses Template. Dieser Wert wird" echo "für Zugriffe auf die Netzwerk-Template-Definition verwendet." echo "" $RSBACPATH""attr_get_net -A rc_type_nt ;; 'Log Array Low:' | 'Log Array High:') echo 'Wähle objektabhängige Logging-Stufen für dieses Objekt.' echo "" $RSBACPATH""attr_get_net -A log_array_low ;; 'ACL Menu:') echo "Gehe zum ACL-Menü." ;; 'Reset Attributes:') echo "Rufe \'attr_set_net -m\' auf, um die Attribut-Objekte für dieses" echo "Objekt zu entfernen. Als Ergebnis werden alle Attribute auf ihre" echo "Standardwerte zurückgesetzt. Mit Vorsicht verwenden!" ;; *) echo "Keine Hilfe für $1 verfügbar!" esac } > $TMPFILE $DIALOG --title "$HELPTITLE" \ --backtitle "$BACKTITLE" \ --textbox $TMPFILE $BL $BC # sleep 1 } show_help_russian () { { echo "$1" echo "" case "$1" in Quit) echo "Quit this menu." ;; 'NetTemp List:') echo "Choose Network Template from list." ;; "Template number:") echo "Enter Network Template number." ;; 'Template Definition:') echo "Go to Definition of this Network Template." ;; 'Network Templates:') echo "Go to Network Template Definition menu." ;; 'MAC Security Level:') echo "Set the MAC model security level." 
echo "" $RSBACPATH""attr_get_net -A security_level ;; 'MAC Categories:') echo "Set the MAC model categories." echo "" $RSBACPATH""attr_get_net -A mac_categories ;; 'PM Object Type:') echo "Set object type for PM model." echo "" $RSBACPATH""attr_get_net -A pm_object_type ;; 'PM IPC Purpose:') echo "Set IPC purpose for PM model." echo "" $RSBACPATH""attr_get_net -A pm_ipc_purpose ;; 'PM Object Class:') echo "Select the PM model object class." echo "" $RSBACPATH""attr_get_net -A pm_object_class ;; 'RC Type:') echo "Select the RC model NETOBJ type for this template. This value will be" echo "inherited to the network objects." echo "" $RSBACPATH""attr_get_net -A rc_type ;; 'RC Type NT:') echo "Select the RC model NETTEMP type. This value is used for accesses to" echo "the Network Template definition." echo "" $RSBACPATH""attr_get_net -A rc_type_nt ;; 'Log Array Low:' | 'Log Array High:') echo "Choose object based logging levels for this object." echo "" $RSBACPATH""attr_get_net -A log_array_low ;; 'ACL Menu:') echo "Go to ACL menu." ;; 'Reset Attributes:') echo "Call \'attr_set_net -m\' to get the attribute object for this object" echo "removed. As result, all attribute values will be reset to their" echo "default values. Use with care!" ;; *) echo "No help for $1 available!" 
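        esac
    } > $TMPFILE
    $DIALOG --title "$HELPTITLE" \
        --backtitle "$BACKTITLE" \
        --textbox $TMPFILE $BL $BC
#  sleep 1
}

# get_attributes - (re)load the cached attribute values of OBJECT from
# attr_get_net, one group per shown module (MAC, PM, RC, GEN).  With OBJECT
# empty every cached value is cleared.
get_attributes () {
    if test "$OBJECT" != ""
    then
        OBJNAME=`get_vname nettemp $OBJECT`
        if test "$SHOW_MAC" = "yes"
        then
            SECLEVEL=`$RSBACPATH""attr_get_net MAC $TYPE security_level $OBJECT`
            MACCAT=`$RSBACPATH""attr_get_net MAC $TYPE mac_categories $OBJECT`
        fi
        if test "$SHOW_PM" = "yes"
        then
            PMOBJTYPE=`$RSBACPATH""attr_get_net PM $TYPE pm_object_type $OBJECT`
            PMIPCP=`$RSBACPATH""attr_get_net PM $TYPE pm_ipc_purpose $OBJECT`
            PMCLASS=`$RSBACPATH""attr_get_net PM $TYPE pm_object_class $OBJECT`
        fi
        if test "$SHOW_RC" = "yes"
        then
            RCTYPE=`$RSBACPATH""attr_get_net RC $TYPE rc_type $OBJECT`
            RCTYPENT=`$RSBACPATH""attr_get_net RC $TYPE rc_type_nt $OBJECT`
        fi
        if test "$SHOW_GEN" = "yes"
        then
            LOGLOW=`$RSBACPATH""attr_get_net GEN $TYPE log_array_low $OBJECT`
            LOGHIGH=`$RSBACPATH""attr_get_net GEN $TYPE log_array_high $OBJECT`
        fi
    else
        OBJNAME=""
        SECLEVEL=""
        MACCAT=""
        OBJCAT=""
        DATATYPE=""
        PMOBJTYPE=""
        PMIPCP=""
        PMCLASS=""
        RCTYPE=""
        RCTYPENT=""
        LOGLOW=""
        LOGHIGH=""
    fi
}

# onoff A B - print "on" when A equals B, else "off" (dialog list state).
onoff () {
    if test "$1" = "$2"
    then
        echo on
    else
        echo off
    fi
}

# onoffb FLAG - print "on" for FLAG 1, else "off".
onoffb () {
    if test "$1" = "1"
    then
        echo on
    else
        echo off
    fi
}

# type_name RCTYPE - name of RC nettemp type RCTYPE via rc_get_item,
# "(unknown)" when the lookup fails, or a single blank when TYPE is NONE or
# no type is given.
type_name () {
    if test "$TYPE" = "NONE" -o -z "$1"
    then
        echo " "
    else
        if ! $RSBACPATH""rc_get_item TYPE $1 type_nettemp_name
        then
            echo "(unknown)"
        fi
    fi
}

# get_vname KIND VALUE - readable name of attribute VALUE of kind KIND
# (nettemp, seclevel, objcat, datatype, pmobjtype, rctype, rctypent,
# loglevel).  Prints a single blank when TYPE is NONE, "N/A" for an empty,
# unknown or error value, and for the lookup kinds (nettemp, rctype,
# rctypent) falls back to echoing the raw value when the tool lookup fails.
get_vname () {
    if test "$TYPE" = "NONE"
    then
        echo " "
        return
    fi
    if test -z "$2"
    then
        echo "N/A"
        return
    fi
    case $1 in
        nettemp)
            case $2 in
                Error*) echo N/A ;;
                Use*) echo N/A ;;
                *)
                    if ! $RSBACPATH""net_temp get_name "$2" 2>/dev/null
                    then
                        echo "$2"
                    fi
                    ;;
            esac
            ;;
        seclevel)
            case $2 in
                0) echo unclassified ;;
                1) echo confidential ;;
                2) echo secret ;;
                3) echo top secret ;;
                252) echo max. level ;;
                254) echo inherit ;;
                *) echo N/A ;;
            esac
            ;;
        objcat)
            case $2 in
                0) echo General ;;
                1) echo Security ;;
                2) echo System ;;
                *) echo N/A ;;
            esac
            ;;
        datatype)
            case $2 in
                0) echo None ;;
                1) echo SI ;;
                *) echo N/A ;;
            esac
            ;;
        pmobjtype)
            case $2 in
                0) echo None ;;
                1) echo TP ;;
                2) echo Personal Data ;;
                3) echo Non-Personal Data ;;
                4) echo IPC ;;
                5) echo Directory ;;
                *) echo N/A ;;
            esac
            ;;
        rctype)
            case $2 in
                Error*) echo N/A ;;
                Use*) echo N/A ;;
                *)
                    if ! $RSBACPATH""rc_get_item TYPE "$2" type_netobj_name 2>/dev/null
                    then
                        echo "$2"
                    fi
                    ;;
            esac
            ;;
        rctypent)
            case $2 in
                Error*) echo N/A ;;
                Use*) echo N/A ;;
                *)
                    if ! $RSBACPATH""rc_get_item TYPE "$2" type_nettemp_name 2>/dev/null
                    then
                        echo "$2"
                    fi
                    ;;
            esac
            ;;
        loglevel)
            case $2 in
                0) echo None ;;
                1) echo Denied ;;
                2) echo Full ;;
                3) echo Request ;;
                *) echo N/A ;;
            esac
            ;;
        *) echo ERROR! ;;
    esac
}

# gen_log_menu_items - rewrite TMPFILE.2 with one "REQUEST LEVELNAME" line per
# request in REQUESTS, read from the log_array_low attribute of OBJECT.  The
# file is created by log_menu; here it is only truncated and refilled.
gen_log_menu_items() {
    : > "${TMPFILE}.2"
    for i in $REQUESTS
    do
        TMP=`$RSBACPATH""attr_get_net $TYPE log_array_low $i $OBJECT`
        echo $i `get_vname loglevel $TMP` >> "${TMPFILE}.2"
    done
}

# log_menu - interactive editor for the per-request log levels
# (log_array_low) of OBJECT.  The request list is cached in REQUESTS and the
# menu items are kept in the scratch file TMPFILE.2.  The loop body continues
# past this block.
log_menu () {
    if test -z "$REQUESTS"
    then
        REQUESTS=`$RSBACPATH""attr_get_net -n NET`
    fi
    # TMPFILE.2 is a fixed suffix of a name that a directory listing of TMPDIR
    # reveals, and its contents drive the menu shown to the administrator.
    # Create it privately with noclobber (O_EXCL), so that a file or symlink
    # already present under that name is refused instead of truncated or
    # followed; the subshell keeps umask and noclobber local.
    if ! ( umask 077 && set -C && : > "${TMPFILE}.2" )
    then
        $DIALOG --title "$ERRTITLE" \
            --backtitle "$BACKTITLE" \
            --msgbox "Cannot create temporary file ${TMPFILE}.2!" 5 $BC
        return
    fi
    gen_log_menu_items
    while true ; do
        if !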
\ $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$REQ" \ --menu "$OBJECT / $OBJNAME: Log Levels for Requests" $BL $BC `gl 45` \ `cat ${TMPFILE}.2` \ "Quit" "" \ 2>$TMPFILE then rm ${TMPFILE}.2 LOGLOW=`$RSBACPATH""attr_get_net $TYPE log_array_low $OBJECT` LOGHIGH=`$RSBACPATH""attr_get_net $TYPE log_array_high $OBJECT` return fi REQ=`cat $TMPFILE` case "$REQ" in Quit) rm ${TMPFILE}.2 LOGLOW=`$RSBACPATH""attr_get_net $TYPE log_array_low $OBJECT` LOGHIGH=`$RSBACPATH""attr_get_net $TYPE log_array_high $OBJECT` return ;; *) VAL=`grep "^$REQ " ${TMPFILE}.2|cut -f 2 -d ' '` if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Log Level for $OBJECT / $REQ" $BL $BC 5 \ 0 `get_vname loglevel 0` `onoff None $VAL` \ 1 `get_vname loglevel 1` `onoff Denied $VAL` \ 2 `get_vname loglevel 2` `onoff Full $VAL` \ 3 `get_vname loglevel 3` `onoff Request $VAL` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_net $TYPE log_array_low $REQ $TMP $OBJECT &>$TMPFILE then gen_log_menu_items if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_net $TYPE log_array_low $REQ $TMP $OBJECT >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi esac done } declare -i MAXCATLEN=$BC-38 cat_print () { if test $MAXCATLEN -ge 64 then echo $1 else echo "(too long)" fi } gen_cat_list () { for i in $* do TMP=`$RSBACPATH""attr_get_net $TYPE mac_categories CAT $i $OBJECT` echo $i `onoffb $TMP` `onoffb $TMP` done } declare -i MAXNAMELEN=$BC-34 name_print () { if test ${#1} -gt $MAXNAMELEN then declare -i START=${#1}-$MAXNAMELEN echo "$1" | cut -c$START-${#1} else echo "$1" fi } ###################### Menu ################# if test -n "$RSBACLOGFILE" then { echo "" echo "# $0 start `date`" } >>"$RSBACLOGFILE" fi if test "$1" != "" then OBJECT=$1 else if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --menu "Network Template" $BL $BC $MAXLINES \ `$RSBACPATH""net_temp 
list_temp_names` \ 2>$TMPFILE then OBJECT=`cat $TMPFILE` fi fi get_attributes $OBJECT { echo 'nettemp_menu ()' echo ' {' echo " $DIALOG --title \"$TITLE\" \\" echo ' --backtitle "$BACKTITLE" \' echo ' --help-button --default-item "$CHOICE" \' echo ' --menu "Main NETTEMP Menu" $BL $BC `gl 21` \' echo ' "NetTemp List:" "Choose from listing of templates" \' echo ' "-------------------" " " \' echo ' "Template number:" "$OBJECT / $OBJNAME" \' echo ' "Template Definition:" "Go to Network Template Definition" \' echo ' "----------------" " " \' if test "$SHOW_MAC" = "yes" then echo ' "MAC Security Level:" "$SECLEVEL / `get_vname seclevel $SECLEVEL`" \' echo ' "MAC Categories:" "`cat_print $MACCAT`" \' fi if test "$SHOW_PM" = "yes" then echo ' "PM Object Class:" "$PMCLASS" \' echo ' "PM IPC Purpose:" "$PMIPCP" \' echo ' "PM Object Type:" "$PMOBJTYPE / `get_vname pmobjtype $PMOBJTYPE`" \' fi if test "$SHOW_RC" = "yes" then echo ' "RC Type:" "$RCTYPE / `get_vname rctype $RCTYPE`" \' echo ' "RC Type NT:" "$RCTYPENT / `get_vname rctypent $RCTYPENT`" \' fi if test "$SHOW_GEN" = "yes" then echo ' "Log Array Low:" "$LOGLOW" \' echo ' "Log Array High:" "$LOGHIGH" \' fi echo ' "----------------" " " \' if test "$SHOW_ACL" = "yes" then echo ' "ACL Menu:" "Go to ACL menu" \' fi echo ' "Network Templates:" "Go to Network Template Definition Menu" \' echo ' "Reset Attributes:" "Reset all values to default values" \' echo ' "Quit" ""' echo ' }' } > $TMPFILE . $TMPFILE #cp $TMPFILE /tmp/menu while true do if ! 
nettemp_menu 2>$TMPFILE then rm $TMPFILE ; exit fi CHOICE=`cat $TMPFILE` case "$CHOICE" in HELP*) show_help "${CHOICE:5}" CHOICE="${CHOICE:5}" ;; 'NetTemp List:') if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$OBJECT" \ --menu "Network Template" $BL $BC $MAXLINES \ `$RSBACPATH""net_temp list_temp_names` \ 2>$TMPFILE then OBJECT=`cat $TMPFILE` get_attributes fi ;; "Template number:") if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Template Number:" $BL $BC $OBJECT \ 2>$TMPFILE then OBJECT=`cat $TMPFILE` get_attributes fi ;; 'Template Definition:') $RSBACPATH""rsbac_nettemp_def_menu "$OBJECT" ;; 'MAC Security Level:') if test "$TYPE" != "NONE" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Security Level for $OBJECT / $OBJNAME (old value: $SECLEVEL)" $BL $BC 7 \ "Enter" "Numeric Value" off \ 0 "`get_vname seclevel 0`" `onoff 0 $SECLEVEL` \ 1 "`get_vname seclevel 1`" `onoff 1 $SECLEVEL` \ 2 "`get_vname seclevel 2`" `onoff 2 $SECLEVEL` \ 3 "`get_vname seclevel 3`" `onoff 3 $SECLEVEL` \ 252 "`get_vname seclevel 252`" `onoff 252 $SECLEVEL` \ 254 "`get_vname seclevel 254`" `onoff 254 $SECLEVEL` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if test "$TMP" = "Enter" then if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "MAC security level" $BL $BC "$SECLEVEL" \ 2>$TMPFILE then TMP="`cat $TMPFILE`" if test $TMP -gt 254 then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Invalid security level value $TMP!" 
$BL $BC TMP="" fi else TMP="" fi fi if test -n "$TMP" then if $RSBACPATH""attr_set_net $TYPE security_level $TMP $OBJECT &>$TMPFILE then SECLEVEL=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_net $TYPE security_level $TMP $OBJECT >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Security Level: No object specified!" 5 $BC fi ;; 'MAC Categories:') if test "$TYPE" != "NONE" then \ ALLCATNR=`$RSBACPATH""attr_get_file_dir list_category_nr` if $DIALOG --title "MAC Categories for NetTemp $OBJECT / $OBJNAME" \ --backtitle "$BACKTITLE" \ --checklist "Bits: $MACCAT" $BL $BC $MAXLINES \ `gen_cat_list $ALLCATNR` \ 2>$TMPFILE then TMP=`cat $TMPFILE|tr -d '"'` for i in $ALLCATNR do if $RSBACPATH""attr_set_net $TYPE mac_categories CAT $i 0 $OBJECT &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_net $TYPE mac_categories CAT $i 0 $OBJECT >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done for i in $TMP do if $RSBACPATH""attr_set_net $TYPE mac_categories CAT $i 1 $OBJECT &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_net $TYPE mac_categories CAT $i 1 $OBJECT >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done MACCAT=`$RSBACPATH""attr_get_net $TYPE mac_categories $OBJECT` fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "MAC Categories: No user specified!" 
5 $BC fi ;; 'PM Object Type:') if test "$TYPE" != "NONE" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose PM Object Type for $OBJECT / $OBJNAME" $BL $BC 6 \ 0 "`get_vname pmobjtype 0`" `onoff 0 $PMOBJTYPE` \ 1 "`get_vname pmobjtype 1`" `onoff 1 $PMOBJTYPE` \ 2 "`get_vname pmobjtype 2`" `onoff 2 $PMOBJTYPE` \ 3 "`get_vname pmobjtype 3`" `onoff 3 $PMOBJTYPE` \ 4 "`get_vname pmobjtype 4`" `onoff 4 $PMOBJTYPE` \ 5 "`get_vname pmobjtype 5`" `onoff 5 $PMOBJTYPE` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_net $TYPE pm_object_type $TMP $OBJECT &>$TMPFILE then PMOBJTYPE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_net $TYPE pm_object_type $TMP $OBJECT >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "PM Object Type: No object specified!" 5 $BC fi ;; 'PM Object Class:') if test "$TYPE" != "NONE" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "PM Object Class (long integer) for $OBJECT / $OBJNAME" \ $BL $BC "$PMCLASS" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_net $TYPE pm_object_class $TMP $OBJECT &>$TMPFILE then PMCLASS=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_net $TYPE pm_object_class $TMP $OBJECT >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "PM Object Class: No object specified!" 
5 $BC fi ;; 'PM IPC Purpose:') if test "$TYPE" != "NONE" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "PM IPC Purpose (long integer) for $OBJECT / $OBJNAME" \ $BL $BC "$PMIPCP" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_net $TYPE pm_ipc_purpose $TMP $OBJECT &>$TMPFILE then PMIPCP=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_net $TYPE pm_ipc_purpose $TMP $OBJECT >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "PM Object Class: No object specified!" 5 $BC fi ;; 'RC Type:') if test "$TYPE" != "NONE" then \ if $RSBACPATH""rc_get_item list_netobj_types >$TMPFILE then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$RCTYPE" \ --menu "Choose RC Type for $OBJECT / $OBJNAME" $BL $BC $MAXLINES \ `cat $TMPFILE` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_net $TYPE rc_type $TMP $OBJECT &>$TMPFILE then RCTYPE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_net $TYPE rc_type $TMP $OBJECT >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "RC Type (integer) for $OBJECT / $OBJNAME" \ $BL $BC "$RCTYPE" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_net $TYPE rc_type $TMP $OBJECT &>$TMPFILE then RCTYPE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_net $TYPE rc_type $TMP $OBJECT >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "RC Type: No object specified!" 
5 $BC fi ;; 'RC Type NT:') if test "$TYPE" != "NONE" then \ if $RSBACPATH""rc_get_item list_nettemp_types >$TMPFILE then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$RCTYPENT" \ --menu "Choose RC Type NetTemp for $OBJECT / $OBJNAME" $BL $BC $MAXLINES \ `cat $TMPFILE` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_net $TYPE rc_type_nt $TMP $OBJECT &>$TMPFILE then RCTYPENT=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_net $TYPE rc_type_nt $TMP $OBJECT >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "RC Type NetTemp (integer) for $OBJECT / $OBJNAME" \ $BL $BC "$RCTYPENT" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_net $TYPE rc_type_nt $TMP $OBJECT &>$TMPFILE then RCTYPENT=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_net $TYPE rc_type_nt $TMP $OBJECT >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "RC Type NT: No object specified!" 5 $BC fi ;; 'Log Array Low:') if test "$TYPE" != "NONE" then \ log_menu else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Log Array Low: No object specified!" 5 $BC fi ;; 'Log Array High:') if test "$TYPE" != "NONE" then \ log_menu else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Log Array High: No object specified!" 5 $BC fi ;; 'ACL Menu:') $RSBACPATH""rsbac_acl_menu NETTEMP "$OBJECT" ;; 'Network Templates:') $RSBACPATH""rsbac_nettemp_def_menu ;; 'Reset Attributes:') if test "$TYPE" != "NONE" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --yesno "Reset all attributes to default values?" 
5 $BC \ 2>/dev/null then if $RSBACPATH""attr_set_net -m NETTEMP $OBJECT &>$TMPFILE then get_attributes if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_net -m NETTEMP $OBJECT >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Reset Attributes: No object specified!" 5 $BC fi ;; Quit) rm $TMPFILE ; exit ;; *) $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Main Menu: Selection Error!" 5 $BC esac # sleep 2 done rsbac-admin-1.4.0/main/tools/src/scripts/rsbac_settings_menu0000755000175000017500000003357311131371032024073 0ustar gauvaingauvain#!/bin/bash # # This script is used for Administration of RSBAC general attributes # # # Make sure we're really running bash. # [ -z "$BASH" ] && { echo "This menu requires bash - sorry!" 1>&2; exit 1; } # # We also need the proc fs mounted. [ ! -f /proc/stat ] && { echo "This menu requires proc fs mounted" 1>&2; exit 1; } # # Cache function definitions, turn off posix compliance # set -h +o posix # Set conf filename RSBACCONF=/etc/rsbac.conf # Read settings if test -f $RSBACCONF then . $RSBACCONF fi if test -f ~/.rsbacrc then . ~/.rsbacrc fi if test -z "$RSBACMOD" then RSBACMOD='GEN MAC PM DAZ FF RC AUTH ACL CAP JAIL RES PAX' fi for i in $RSBACMOD do export SHOW_${i}=yes done # set this to rsbac bin dir, if not in path (trailing / is mandatory!) # #if test -z "$RSBACPATH" ; then RSBACPATH=./ ; fi # which dialog tool to use - dialog or kdialog or xdialog... if test -z $DIALOG then DIALOG=${RSBACPATH}dialog fi if ! $DIALOG --clear then echo $DIALOG menu program required! >&2 exit fi if ! $DIALOG --help 2>&1 | grep -q "help-button" then echo "Newer dialog menu version >= 0.9a-20020309a with '--help-button' option" >&2 echo "required, please use dialog from admin tools contrib dir or set" >&2 echo "\$DIALOG to another dialog program, e.g. 
with rsbac_settings_menu!" >&2 exit fi # The dir for tmp files if test -z "$TMPDIR" ; then TMPDIR=/tmp ; fi # This must be a unique temporary filename if ! TMPFILE=`mktemp -q $TMPDIR/rsbac_dialog.XXXXXX` then TMPFILE=$TMPDIR/rsbac_dialog.$$ if test -e $TMPFILE then rm -f $TMPFILE fi fi set_geometry () { BL=${1:-24} BC=${2:-80} [ $BL = 0 ] && BL=24 [ $BC = 0 ] && BC=80 export LINES=$BL export COLUMNS=$BC BL=$((BL-4)) BC=$((BC-5)) MAXLINES=$((LINES-10)) } set_geometry `stty size 2>/dev/null` gl () { if test $1 -gt $MAXLINES then echo $MAXLINES else echo $1 fi } if test -z "$LINES" ; then LINES=25 ; fi if test -z "$COLUMNS" ; then COLUMNS=80 ; fi export LINES export COLUMNS declare -i BL=$LINES-4 declare -i BC=$COLUMNS-4 declare -i MAXLINES=$LINES-10 setonoff () { if echo $RSBACMOD | grep -q "\\<$1\\>" then echo on else echo off fi } onoff () { if test "$1" = "$2" then echo on else echo off fi } export BACKTITLE="RSBAC Administration Tools 1.4.0" TITLE="`whoami`@`hostname`: RSBAC Administration" ERRTITLE="RSBAC Administration - ERROR" MODIFIED=no show_help () { case "$RSBACLANG" in DE) show_help_german "$1" ;; RU) show_help_russian "$1" ;; *) show_help_english "$1" ;; esac } show_help_english () { { echo "$1" echo "" case "$1" in 'Modules:') echo "Choose the modules you would like to see in the menues." ;; 'Dialog Tool:') echo "Choose the dialog program. If it is not in a PATH directory, you can" echo "enter the full path here." ;; 'Menu Help Language:') echo "Choose the language the menues use in their help texts." ;; 'TMP Dir:') echo "Where RSBAC menues store there temporary files." ;; 'Tool Path:') echo "Directory, where the RSBAC tools are. This variable must either be" echo "empty or end with a slash (/)." ;; 'Menu Log File:') echo "File, where all set operations are logged." ;; 'Reload:') echo "Restore startup settings by reloading config file." ;; 'Save:') echo "Save changed settings to global or personal config file." ;; Quit) echo "Quit this menu." 
;; *) echo "No help for $1 available!" esac } > $TMPFILE $DIALOG --title "$HELPTITLE" \ --backtitle "$BACKTITLE" \ --textbox $TMPFILE $BL $BC # sleep 1 } show_help_german () { { echo "$1" echo "" case "$1" in 'Modules:') echo "Wähle die Module, die in den Menüs angezeigt werden sollen." ;; 'Dialog Tool:') echo "Wähle das dialog-Programm. Wenn es nicht in einem PATH-Verzeichnis" echo "liegt, bitte den vollen Pfad eingeben." ;; 'Menu Help Language:') echo "Wähle die Sprache der Menü-Hilfen." ;; 'TMP Dir:') echo "Temporäres Verzeichnis für die RSBAC-Menüs." ;; 'Tool Path:') echo "Verzeichnis, in dem sich die RSBAC-Hilfsprogramme befinden." echo "Diese Variable muß entweder leer sein oder mit einem Schrägstrich" echo "(/) enden!" ;; 'Menu Log File:') echo "Logdatei, in der alle Attribut-Setzungen der Menüs protokolliert" echo "werden." ;; 'Reload:') echo "Starteinstellungen durch erneutes Lesen der Konfigurations-Datei" echo "wiederherstellen." ;; 'Save:') echo "Geänderte Einstellungen in globale oder persönliche" echo "Konfigurationsdatei speichern." ;; Quit) echo "Beende dieses Menü." ;; *) echo "Keine Hilfe für $1 verfügbar!" esac } > $TMPFILE $DIALOG --title "$HELPTITLE" \ --backtitle "$BACKTITLE" \ --textbox $TMPFILE $BL $BC # sleep 1 } show_help_russian () { { echo "$1" echo "" case "$1" in 'Modules:') echo "Choose the modules you would like to see in the menues." ;; 'Dialog Tool:') echo "Choose the dialog program. If it is not in a PATH directory, you can" echo "enter the full path here." ;; 'Menu Help Language:') echo "Choose the language the menues use in their help texts." ;; 'TMP Dir:') echo "Where RSBAC menues store there temporary files." ;; 'Tool Path:') echo "Directory, where the RSBAC tools are. This variable must either be" echo "empty or end with a slash (/)." ;; 'Menu Log File:') echo "File, where all set operations are logged." ;; 'Reload:') echo "Restore startup settings by reloading config file." 
;; 'Save:') echo "Save changed settings to global or personal config file." ;; Quit) echo "Quit this menu." ;; *) echo "No help for $1 available!" esac } > $TMPFILE $DIALOG --title "$HELPTITLE" \ --backtitle "$BACKTITLE" \ --textbox $TMPFILE $BL $BC # sleep 1 } while true ; do \ if ! \ $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --help-button --default-item "$CHOICE" \ --menu "Settings Menu" $BL $BC `gl 11` \ "Modules:" "$RSBACMOD" \ "Dialog Tool:" "$DIALOG" \ "Menu Help Language:" "$RSBACLANG" \ "TMP Dir:" "$TMPDIR" \ "Tool Path:" "(empty = use \$PATH) $RSBACPATH" \ "Menu Log File:" "$RSBACLOGFILE" \ "---------------" "" \ "Reload:" "Reload settings" \ "Save:" "Save settings" \ "---------------" "" \ "Quit" "" \ 2>$TMPFILE then if test "$MODIFIED" = "yes" then if ! $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --yesno "Settings have been modified. Exit anyway?" 5 $BC \ 2>/dev/null then continue fi fi rm $TMPFILE ; exit fi CHOICE=`cat $TMPFILE` case $CHOICE in HELP*) show_help "${CHOICE:5}" CHOICE="${CHOICE:5}" ;; 'Modules:') if \ $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --checklist "Select Modules to Show" $BL $BC `gl 12` \ "GEN" "General attributes for all modules" "`setonoff GEN`" \ "MAC" "Mandatory Access Control (Bell-LaPadula)" "`setonoff MAC`" \ "PM" "Privacy Model" "`setonoff PM`" \ "DAZ" "Dazuko (Malware Scan)" "`setonoff DAZ`" \ "FF" "File Flags" "`setonoff FF`" \ "RC" "Role Compatibility" "`setonoff RC`" \ "ACL" "Access Control Lists" "`setonoff ACL`" \ "AUTH" "Authorization" "`setonoff AUTH`" \ "CAP" "Linux Capabilities" "`setonoff CAP`" \ "JAIL" "Process JAILs" "`setonoff JAIL`" \ "RES" "Linux RESources" "`setonoff RES`" \ "PAX" "PaX Administration" "`setonoff PAX`" \ 2>$TMPFILE then RSBACMOD=`cat $TMPFILE|tr -d '"'` MODIFIED=yes fi ;; 'Dialog Tool:') if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Dialog program" $BL $BC "$DIALOG" \ 2>$TMPFILE then DIALOG=`cat $TMPFILE` MODIFIED=yes fi ;; 'Menu Help 
Language:') if \ $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Select Language to use in Menu Help" $BL $BC `gl 4` \ "" "No pre-selection" "`onoff $RSBACLANG ''`" \ "EN" "English" "`onoff $RSBACLANG EN`" \ "DE" "German" "`onoff $RSBACLANG DE`" \ "RU" "Russian" "`onoff $RSBACLANG RU`" \ 2>$TMPFILE then RSBACLANG=`cat $TMPFILE|tr -d '"'` MODIFIED=yes fi ;; 'TMP Dir:') if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Directory for Temporary Files" $BL $BC "$TMPDIR" \ 2>$TMPFILE then TMPDIR=`cat $TMPFILE` MODIFIED=yes fi ;; 'Tool Path:') if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox 'Path to RSBAC tools dir (empty = use $PATH, end with /)' \ $BL $BC "$RSBACPATH" \ 2>$TMPFILE then RSBACPATH=`cat $TMPFILE` MODIFIED=yes fi ;; 'Menu Log File:') if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Menu Log File (empty = none)" $BL $BC "$RSBACLOGFILE" \ 2>$TMPFILE then RSBACLOGFILE=`cat $TMPFILE` MODIFIED=yes fi ;; 'Reload:') if test "$MODIFIED" = "yes" then if ! $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --yesno "Settings were modified. Reload anyway?" 5 $BC \ 2>/dev/null then continue fi fi if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --menu "Load settings from" 10 $BC 3 \ "$HOME/.rsbacrc" "Personal Settings" \ "$RSBACCONF" "Global Settings" \ "Enter name" "$FILE" \ 2>$TMPFILE then TMP="`cat $TMPFILE`" if test "$TMP" = "Enter name" then if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Filename to load settings from" $BL $BC "$FILE" \ 2>$TMPFILE then TMP=`cat $TMPFILE` else continue fi fi FILE=$TMP . 
$FILE fi ;; 'Save:') if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --menu "Save settings to" 10 $BC 3 \ "$HOME/.rsbacrc" "Personal Settings" \ "$RSBACCONF" "Global Settings" \ "Enter name" "$FILE" \ 2>$TMPFILE then TMP="`cat $TMPFILE`" if test "$TMP" = "Enter name" then if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Filename to save settings to" $BL $BC "$FILE" \ 2>$TMPFILE then TMP=`cat $TMPFILE` else continue fi fi FILE=$TMP { echo '# RSBAC menu configuration' echo "# `date`" if test -n "$RSBACMOD" then echo "RSBACMOD=\"$RSBACMOD\"" else echo "# RSBACMOD is not set" fi if test -n "$DIALOG" then echo "DIALOG=\"$DIALOG\"" else echo "# DIALOG is not set" fi if test -n "$RSBACLANG" then echo "RSBACLANG=\"$RSBACLANG\"" else echo "# RSBACLANG is not set" fi if test -n "$TMPDIR" then echo "TMPDIR=\"$TMPDIR\"" else echo "# TMPDIR is not set" fi if test -n "$RSBACPATH" then echo "RSBACPATH=\"$RSBACPATH\"" else echo "# RSBACPATH is not set" fi if test -n "$RSBACLOGFILE" then echo "RSBACLOGFILE=\"$RSBACLOGFILE\"" else echo "# RSBACLOGFILE is not set" fi } >$FILE && MODIFIED=no || \ $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Saving settings to $FILE failed!" 5 $BC \ 2>/dev/null fi ;; Quit) if test "$MODIFIED" = "yes" then if ! $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --yesno "Settings have been modified. Exit anyway?" 5 $BC \ 2>/dev/null then continue fi fi rm $TMPFILE ; exit ;; *) $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Main Menu: Selection Error!" 5 $BC esac # sleep 2 done rsbac-admin-1.4.0/main/tools/src/scripts/rsbac_rc_role_menu0000755000175000017500000020002211131371031023640 0ustar gauvaingauvain#!/bin/bash # # This script is used for Administration of RSBAC RC Role entries # # Author and (c) 1999-2006 Amon Ott # # Last changed on 12/Sep/2006 # # Make sure we're really running bash. 
# [ -z "$BASH" ] && { echo "This menu requires bash" 1>&2; exit 1; } # # Cache function definitions, turn off posix compliance # set -h +o posix ITEMS="name role_comp admin_roles assign_roles type_comp_fd type_comp_dev \ type_comp_ipc type_comp_process type_comp_group type_comp_netdev \ type_comp_netobj type_comp_nettemp \ type_comp_scd admin_type \ def_fd_create_type def_process_create_type \ def_process_chown_type def_process_execute_type \ def_ipc_create_type def_group_create_type def_unixsock_create_type" # Set conf filename RSBACCONF=/etc/rsbac.conf # Read settings if test -f $RSBACCONF then . $RSBACCONF fi if test -f ~/.rsbacrc then . ~/.rsbacrc fi if test -z "$RSBACMOD" then RSBACMOD='GEN MAC FC SIM PM DAZ FF RC AUTH ACL CAP JAIL RES PAX' fi for i in $RSBACMOD do export SHOW_${i}=yes done # The dir for tmp files if test -z "$TMPDIR" ; then TMPDIR=/tmp ; fi # This must be a unique temporary filename if ! TMPFILE=`mktemp -q $TMPDIR/rsbac_dialog.XXXXXX` then TMPFILE=$TMPDIR/rsbac_dialog.$$ if test -e $TMPFILE then rm $TMPFILE fi fi if ! TMPFILETWO=`mktemp -q $TMPDIR/rsbac_dialog.XXXXXX` then TMPFILETWO=$TMPDIR/rsbac_dialog.$$.2 if test -e $TMPFILETWO then rm $TMPFILETWO fi fi # set this to rsbac bin dir, if not in path (trailing / is mandatory!) # #if test -z "$RSBACPATH" ; then RSBACPATH=./ ; fi # set this to initial dir on script startup LASTDIR='.' # which dialog tool to use - dialog or kdialog or xdialog... if test -z $DIALOG then DIALOG=${RSBACPATH}dialog fi if ! $DIALOG --clear then echo $DIALOG menu program required! >&2 exit fi if ! $DIALOG --help 2>&1 | grep -q "help-button" then echo "Newer dialog menu version >= 0.9a-20020309a with '--help-button' option" >&2 echo "required, please use dialog from admin tools contrib dir or set" >&2 echo "\$DIALOG to another dialog program, e.g. with rsbac_settings_menu!" 
>&2 exit fi set_geometry () { BL=${1:-24} BC=${2:-80} [ $BL = 0 ] && BL=24 [ $BC = 0 ] && BC=80 export LINES=$BL export COLUMNS=$BC BL=$((BL-4)) BC=$((BC-5)) MAXLINES=$((LINES-10)) } set_geometry `stty size 2>/dev/null` gl () { if test $1 -gt $MAXLINES then echo $MAXLINES else echo $1 fi } if test -z "$LINES" ; then declare -i LINES=25 ; fi if test -z "$COLUMNS" ; then declare -i COLUMNS=80 ; fi export LINES export COLUMNS declare -i BL=$LINES-4 declare -i BC=$COLUMNS-4 declare -i MAXLINES=$LINES-10 if test -z "$BACKTITLE" then BACKTITLE="RSBAC Administration Tools 1.4.0" fi TITLE="`whoami`@`hostname`: RSBAC RC Role Administration" HELPTITLE="$TITLE Help" ERRTITLE="RSBAC RC Role Administration - ERROR" # Special values for types #INHPR=64 #INHPA=65 #NOCR=66 #NOEX=67 #USENEW=68 INHPR=4294967295 INHPA=4294967294 NOCR=4294967293 NOEX=4294967292 USENEW=4294967291 NOCH=4294967290 USEFD=4294967289 # Special values for roles #RINHUSER=64 #RINHPR=65 #RINHPA=66 RINHUSER=4294967295 RINHPR=4294967294 RINHPA=4294967293 RINHMIX=4294967292 show_help () { { echo "$1" echo "" case "$1" in "Role Number:") echo "Enter number of role to administrate." ;; Rolelist:) echo "Select role to administrate from a list of all defined roles." ;; "New Role") echo "Create a new role." ;; "Copy Role") echo "Copy a role to another. All role attributes and rights are copied." echo "The target role may already exist or can be created automatically." ;; "Delete Role") echo "Delete a role. All attributes and compatibility settings will be" echo "removed." ;; 'Name:') echo "Change the role name." echo "" $RSBACPATH""rc_get_item -i name ;; 'Role Comp:') echo "Select the roles this role is compatible with." echo "" echo "When running in a role, a process may change to all other roles this" echo "role is compatible with. After changing the role, all attributes of the" echo "new role are used, including the compatible roles. 
This means that the" echo "process might not be able to switch back to its original role." echo "" echo "All roles you add or remove from the compatible role set must be in the" echo "set of Assign Roles of your current role." ;; 'Admin Roles:') echo "Select the roles this role is allowed to administrate." echo "" echo "When running in a role, a process may only administrate those roles that" echo "are in the Admin Roles set of the process role." echo "" echo "Only roles with Admin Type value Role Admin may change the set of Admin" echo "Roles." echo "" echo "Warning: Roles with Admin Type value Role Admin may always administrate" echo "all roles!" ;; 'Assign Roles:') echo "Select the roles this role is allowed to assign as default to users and" echo "as initial or forced role to programs." echo "" echo "To assign a default role to a user, you need both the old and the new" echo "role of the user in your assign set." echo "To assign a role as initial or forced role to a program, you also need" echo "to be compatible with the FD type of the program file for request" echo "MODIFY_ATTRIBUTE." echo "" echo "Only roles with Admin Type value Role Admin may change the set of Assign" echo "Roles." echo "" echo "Warning: Roles with Admin Type value Role Admin may always assign all" echo "roles!" ;; 'Type Comp FD:') echo "Select an FD type and then the requests for which this role is" echo "compatible with the selected type." ;; 'Type Comp DEV:') echo "Select a DEV type and then the requests for which this role is" echo "compatible with the selected type." ;; 'Type Comp User:') echo "Select a User type and then the requests for which this role is" echo "compatible with the selected type." ;; 'Type Comp Process:') echo "Select a Process type and then the requests for which this role is" echo "compatible with the selected type." ;; 'Type Comp IPC:') echo "Select an IPC type and then the requests for which this role is" echo "compatible with the selected type." 
;; 'Type Comp SCD:') echo "Select an SCD type and then the requests for which this role is" echo "compatible with the selected type." ;; 'Type Comp Group:') echo "Select a Linux Group type and then the requests for which this role is" echo "compatible with the selected type." ;; 'Type Comp NETDEV:') echo "Select a NETDEV type and then the requests for which this role is" echo "compatible with the selected type." ;; 'Type Comp NETTEMP:') echo "Select a NETTEMP type and then the requests for which this role is" echo "compatible with the selected type." ;; 'Type Comp NETOBJ:') echo "Select a NETOBJ type and then the requests for which this role is" echo "compatible with the selected type." ;; 'Admin Type:') echo "This attribute overrides the Admin Roles and Assign Roles and the" echo "special type compatibility rights." echo "" echo "System Admins may read all settings, Role Admins may read and modify all" echo "settings. Role Admin is also needed to change Admin Roles, Assign Roles" echo "and Admin Type values." echo "" $RSBACPATH""rc_get_item -i admin_type ;; 'Def FD Create Type:') echo "Select the type that is assigned to all filesystem objects created by this" echo "role." echo "Additional to this setting, the CREATE right must be granted for the" echo "type." echo "" $RSBACPATH""rc_get_item -i def_fd_create_type ;; 'Def FD Ind Create Type:') echo "Select the type that is assigned to all filesystem objects created by" echo "this role in directories with a given effective type." echo "Additional to this setting, the CREATE right must be granted for the" echo "type. If no individual value is set for a directory type, the global" echo "Def FD Create Type is used." echo "" $RSBACPATH""rc_get_item -i def_fd_ind_create_type ;; 'Def User Create Type:') echo "Select the type that is assigned to all user objects created in RSBAC" echo "User Management by this role. Additional to this setting, the CREATE" echo "right must be granted for the type." 
echo "" $RSBACPATH""rc_get_item -i def_user_create_type ;; 'Def Process Create Type:') echo "Select the type that is assigned to all processes created by this role." echo "Additional to this setting, the CREATE right must be granted for the" echo "type." echo "" $RSBACPATH""rc_get_item -i def_process_create_type ;; 'Def Process Chown Type:') echo "Select the type that is assigned to a process running in this role after" echo "CHANGE_OWNER (setuid)." echo "" echo "The special value Use Def Create of new Owner uses the Def Process" echo "Create Type of the process role after the CHANGE_OWNER request," echo "depending on the force_role setting of the process. Usually, this is the" echo "default role of the new process owner." echo "" $RSBACPATH""rc_get_item -i def_process_chown_type ;; 'Def Process Execute Type:') echo "Select the type that is assigned to a process running in this role when" echo "executing another program." echo "" echo "Useful, if only the original program is meant to be protected through a" echo "special type." echo "" $RSBACPATH""rc_get_item -i def_process_execute_type ;; 'Def IPC Create Type:') echo "Select the type that is assigned to all IPC objects created by this role." echo "Additional to this setting, the CREATE right must be granted for the" echo "type." echo "" $RSBACPATH""rc_get_item -i def_ipc_create_type ;; 'Def Group Create Type:') echo "Select the type that is assigned to all group objects created in RSBAC" echo "User Management by this role. Additional to this setting, the CREATE" echo "right must be granted for the type." echo "" $RSBACPATH""rc_get_item -i def_group_create_type ;; 'Def Unixsock Create Type:') echo "Select the type that is assigned as type to all unixsock objects" echo "created by this role. Additional to this setting, the CREATE right" echo "must be granted for the type. The special value use_fd means use" echo "def_fd_create_type." 
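echo ""
        $RSBACPATH""rc_get_item -i def_unixsock_create_type
        ;;
      'Boot Role:')
        echo "Toggle, whether this role is used to start the system."
        echo ""
        echo "Only one role should be selected as boot role. If more than one role has"
        echo "been selected, the lowest role number is chosen. Without a distinguished"
        echo "boot role, the system starts with the default role of user 0 (root)."
        echo ""
        $RSBACPATH""rc_get_item -i boot_role
        ;;
      'Req Reauth:')
        echo "Toggle, to indicate if one has to authenticate before changing to this role."
        echo ""
        echo "If it is set on additional user UM password has to be passed before beeing"
        echo "granted to change current RC role to this role."
        echo ""
        $RSBACPATH""rc_get_item -i req_reauth
        ;;
      Quit)
        echo "Quit this menu."
        ;;
      *)
        echo "No help for $1 available!"
    esac
  } > $TMPFILE
  $DIALOG --title "$HELPTITLE" \
    --backtitle "$BACKTITLE" \
    --textbox $TMPFILE $BL $BC
# sleep 1
}

# get_items ROLENR: read every attribute of role ROLENR via rc_get_item
# into the global variables shown by the main menu.  With an empty
# argument all of them are cleared, so nothing from a previously
# selected (or just deleted) role stays on screen.
get_items () {
  if test "$1" != ""
  then
    NAME=`$RSBACPATH""rc_get_item ROLE $1 name`
    COMPROLE=`$RSBACPATH""rc_get_item ROLE $1 list_role_comp_nr`
    ADMROLES=`$RSBACPATH""rc_get_item ROLE $1 list_admin_role_nr`
    ASSROLES=`$RSBACPATH""rc_get_item ROLE $1 list_assign_role_nr`
    ADMTYPE=`$RSBACPATH""rc_get_item ROLE $1 admin_type`
    DEFFDCR=`$RSBACPATH""rc_get_item ROLE $1 def_fd_create_type`
    DEFFDICR=`$RSBACPATH""rc_get_item list_def_fd_ind_create_type_values $1`
    DEFUCR=`$RSBACPATH""rc_get_item ROLE $1 def_user_create_type`
    DEFPCR=`$RSBACPATH""rc_get_item ROLE $1 def_process_create_type`
    DEFPCH=`$RSBACPATH""rc_get_item ROLE $1 def_process_chown_type`
    DEFPEX=`$RSBACPATH""rc_get_item ROLE $1 def_process_execute_type`
    DEFIPCCR=`$RSBACPATH""rc_get_item ROLE $1 def_ipc_create_type`
    DEFGCR=`$RSBACPATH""rc_get_item ROLE $1 def_group_create_type`
    DEFUSCR=`$RSBACPATH""rc_get_item ROLE $1 def_unixsock_create_type`
    BOOTROLE=`$RSBACPATH""rc_get_item ROLE $1 boot_role`
    REQREAUTH=`$RSBACPATH""rc_get_item ROLE $1 req_reauth`
  else
    # Clear the same set of variables the branch above fills; ADMROLES,
    # ASSROLES, DEFFDICR and DEFUSCR were previously left stale here.
    NAME=
    COMPROLE=
    ADMROLES=
    ASSROLES=
    ADMTYPE=
    DEFFDCR=
    DEFFDICR=
    DEFUCR=
    DEFPCR=
    DEFPCH=
    DEFPEX=
    DEFIPCCR=
    DEFGCR=
    DEFUSCR=
    BOOTROLE=
    REQREAUTH=
  fi
}

# onoff A B: "on" if both strings are equal, else "off".
onoff () {
  if test "$1" = "$2"
  then
    echo on
  else
    echo off
  fi
}

# onoffi A B: "on" if both integers are equal, else "off".
onoffi () {
  if test $1 -eq $2
  then
    echo on
  else
    echo off
  fi
}

# onoffb FLAG: "on" for the value 1, "off" for anything else.
onoffb () {
  if test "$1" = "1"
  then
    echo on
  else
    echo off
  fi
}

# get_value_name KIND VALUE: printable name of an attribute value;
# only admin_type values 0..2 are known, anything else prints nothing.
get_value_name () {
  case $1 in
    admtype)
      case $2 in
        0)
          echo No Admin
          ;;
        1)
          echo Role Admin
          ;;
        2)
          echo System Admin
          ;;
      esac
      ;;
  esac
}

# role_name NR: printable name of role NR, resolving the special
# inherit values; a blank when no role is selected.
role_name () {
  if test "$ROLE" = ""
  then
    echo " "
  else
    case $1 in
      $RINHUSER)
        echo Inherit from User
        ;;
      $RINHPR)
        echo Inherit from Process
        ;;
      $RINHPA)
        echo Inherit from Parent
        ;;
      $RINHMIX)
        echo Mixed inherit
        ;;
      *)
        if ! $RSBACPATH""rc_get_item ROLE $1 name
        then
          echo "(unknown)"
        fi
        ;;
    esac
  fi
}

# type_name KIND NR: printable name of type NR of kind KIND (fd, dev,
# user, process, ipc, scd, group, netdev, nettemp, netobj), resolving the
# special values; a blank when no role or no type number is given.
type_name () {
  if test -z "$ROLE" -o -z "$2"
  then
    echo " "
  else
    case $2 in
      $INHPR)
        echo Inherit from Process
        ;;
      $INHPA)
        echo Inherit from Parent
        ;;
      $NOCR)
        echo No create allowed
        ;;
      $NOEX)
        echo No execute allowed
        ;;
      $USENEW)
        echo Use def_create of new role
        ;;
      $NOCH)
        echo No change_owner allowed
        ;;
      $USEFD)
        echo Use def_fd_create_type
        ;;
      *)
        case $1 in
          fd)
            if ! $RSBACPATH""rc_get_item TYPE $2 type_fd_name
            then
              echo "(unknown)"
            fi
            ;;
          dev)
            if ! $RSBACPATH""rc_get_item TYPE $2 type_dev_name
            then
              echo "(unknown)"
            fi
            ;;
          user)
            if ! $RSBACPATH""rc_get_item TYPE $2 type_user_name
            then
              echo "(unknown)"
            fi
            ;;
          process)
            if ! $RSBACPATH""rc_get_item TYPE $2 type_process_name
            then
              echo "(unknown)"
            fi
            ;;
          ipc)
            if ! $RSBACPATH""rc_get_item TYPE $2 type_ipc_name
            then
              echo "(unknown)"
            fi
            ;;
          scd)
            if ! $RSBACPATH""rc_get_item TYPE $2 type_scd_name
            then
              echo "(unknown)"
            fi
            ;;
          group)
            if ! $RSBACPATH""rc_get_item TYPE $2 type_group_name
            then
              echo "(unknown)"
            fi
            ;;
          netdev)
            if ! $RSBACPATH""rc_get_item TYPE $2 type_netdev_name
            then
              echo "(unknown)"
            fi
            ;;
          nettemp)
            if ! $RSBACPATH""rc_get_item TYPE $2 type_nettemp_name
            then
              echo "(unknown)"
            fi
            ;;
          netobj)
            if ! \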
$RSBACPATH""rc_get_item TYPE $2 type_netobj_name then echo "(unknown)" fi ;; esac ;; esac fi } gen_role_list () { for i in $ALLROLENR do TMP=`${RSBACPATH}rc_get_item ROLE $ROLE $1 $i` TMP2=`${RSBACPATH}rc_get_item ROLE $i name|tr ' ' '_'` if test -z $TMP2 then TMP2="(unused)" fi echo $i \ $TMP2 \ `onoffb $TMP` done } gen_type_list () { case $1 in fd) for i in $ALLTYPENR do TMP=`${RSBACPATH}rc_get_item ROLE $ROLE type_comp_fd $i` echo $i \ `${RSBACPATH}rc_get_item TYPE $i type_fd_name|tr ' ' '_'` \ `onoffb $TMP` done ;; dev) for i in $ALLTYPENR do TMP=`${RSBACPATH}rc_get_item ROLE $ROLE type_comp_dev $i` echo $i \ `${RSBACPATH}rc_get_item TYPE $i type_dev_name|tr ' ' '_'` \ `onoffb $TMP` done ;; user) for i in $ALLTYPENR do TMP=`${RSBACPATH}rc_get_item ROLE $ROLE type_comp_user $i` echo $i \ `${RSBACPATH}rc_get_item TYPE $i type_user_name|tr ' ' '_'` \ `onoffb $TMP` done ;; process) for i in $ALLTYPENR do TMP=`${RSBACPATH}rc_get_item ROLE $ROLE type_comp_process $i` echo $i \ `${RSBACPATH}rc_get_item TYPE $i type_process_name|tr ' ' '_'` \ `onoffb $TMP` done ;; ipc) for i in $ALLTYPENR do TMP=`${RSBACPATH}rc_get_item ROLE $ROLE type_comp_ipc $i` echo $i \ `${RSBACPATH}rc_get_item TYPE $i type_ipc_name|tr ' ' '_'` \ `onoffb $TMP` done ;; scd) for i in $ALLTYPENR do TMP=`${RSBACPATH}rc_get_item ROLE $ROLE type_comp_scd $i` echo $i \ `${RSBACPATH}rc_get_item TYPE $i type_scd_name|tr ' ' '_'` \ `onoffb $TMP` done ;; group) for i in $ALLTYPENR do TMP=`${RSBACPATH}rc_get_item ROLE $ROLE type_comp_group $i` echo $i \ `${RSBACPATH}rc_get_item TYPE $i type_group_name|tr ' ' '_'` \ `onoffb $TMP` done ;; netdev) for i in $ALLTYPENR do TMP=`${RSBACPATH}rc_get_item ROLE $ROLE type_comp_netdev $i` echo $i \ `${RSBACPATH}rc_get_item TYPE $i type_netdev_name|tr ' ' '_'` \ `onoffb $TMP` done ;; nettemp) for i in $ALLTYPENR do TMP=`${RSBACPATH}rc_get_item ROLE $ROLE type_comp_nettemp $i` echo $i \ `${RSBACPATH}rc_get_item TYPE $i type_nettemp_name|tr ' ' '_'` \ `onoffb $TMP` done ;; 
netobj) for i in $ALLTYPENR do TMP=`${RSBACPATH}rc_get_item ROLE $ROLE type_comp_netobj $i` echo $i \ `${RSBACPATH}rc_get_item TYPE $i type_netobj_name|tr ' ' '_'` \ `onoffb $TMP` done ;; deffdcr) ALLTYPENR=`$RSBACPATH""rc_get_item list_fd_type_nr` echo $INHPR "Inherit_from_process" `onoff $INHPR $DEFFDCR` echo $INHPA "Inherit_from_parent" `onoff $INHPA $DEFFDCR` echo $NOCR "No_create_allowed" `onoff $NOCR $DEFFDCR` for i in $ALLTYPENR do echo $i \ `${RSBACPATH}rc_get_item TYPE $i type_fd_name|tr ' ' '_'` \ `onoffi $i $DEFFDCR` done ;; deffdind) ALLTYPENR=`$RSBACPATH""rc_get_item list_fd_type_nr` for i in $ALLTYPENR do TMP=$(${RSBACPATH}rc_get_item ROLE $ROLE def_fd_ind_create_type $i 2>/dev/null) if test -n "$TMP" then echo "$i/$(type_name fd $i|tr ' ' '_')" \ $TMP/$(type_name fd $TMP|tr ' ' '_') else echo "$i/$(type_name fd $i|tr ' ' '_')" \ "(unused)" fi done ;; deffdicr) ALLTYPENR=`$RSBACPATH""rc_get_item list_fd_type_nr` TMP=$(${RSBACPATH}rc_get_item ROLE $ROLE def_fd_ind_create_type $2 2>/dev/null) echo Remove "Use_Def_FD_Create_Type" `onoff "" "$TMP"` echo $INHPR "Inherit_from_process" `onoff $INHPR "$TMP"` echo $INHPA "Inherit_from_parent" `onoff $INHPA "$TMP"` echo $NOCR "No_create_allowed" `onoff $NOCR "$TMP"` for i in $ALLTYPENR do echo $i \ `${RSBACPATH}rc_get_item TYPE $i type_fd_name|tr ' ' '_'` \ `onoff "$i" "$TMP"` done ;; defucr) ALLTYPENR=`$RSBACPATH""rc_get_item list_user_type_nr` echo $INHPR "Inherit_from_process" `onoff $INHPR $DEFUCR` echo $NOCR "No_create_allowed" `onoff $NOCR $DEFUCR` for i in $ALLTYPENR do echo $i \ `${RSBACPATH}rc_get_item TYPE $i type_user_name|tr ' ' '_'` \ `onoffi $i $DEFUCR` done ;; defpcr) ALLTYPENR=`$RSBACPATH""rc_get_item list_process_type_nr` echo $INHPA "Inherit_from_parent_(keep)" `onoff $INHPA $DEFPCR` echo $NOCR "No_create_allowed" `onoff $NOCR $DEFPCR` for i in $ALLTYPENR do echo $i \ `${RSBACPATH}rc_get_item TYPE $i type_process_name|tr ' ' '_'` \ `onoffi $i $DEFPCR` done ;; defpch) 
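ALLTYPENR=`$RSBACPATH""rc_get_item list_process_type_nr`
      echo $INHPA "Inherit_from_parent_(keep)" `onoff $INHPA $DEFPCH`
      echo $NOCR "No_create_allowed" `onoff $NOCR $DEFPCH`
      echo $USENEW "Use_def_create_of_new_role" `onoff $USENEW $DEFPCH`
      for i in $ALLTYPENR
      do
        echo $i \
          `${RSBACPATH}rc_get_item TYPE $i type_process_name|tr ' ' '_'` \
          `onoffi $i $DEFPCH`
      done
      ;;
    defpex)
      ALLTYPENR=`$RSBACPATH""rc_get_item list_process_type_nr`
      echo $INHPR "Inherit_from_process_(keep)" `onoff $INHPR $DEFPEX`
      echo $NOEX "No_execute_allowed" `onoff $NOEX $DEFPEX`
      for i in $ALLTYPENR
      do
        echo $i \
          `${RSBACPATH}rc_get_item TYPE $i type_process_name|tr ' ' '_'` \
          `onoffi $i $DEFPEX`
      done
      ;;
    defipccr)
      ALLTYPENR=`$RSBACPATH""rc_get_item list_ipc_type_nr`
      echo $INHPR "Inherit_from_process" `onoff $INHPR $DEFIPCCR`
      echo $NOCR "No_create_allowed" `onoff $NOCR $DEFIPCCR`
      for i in $ALLTYPENR
      do
        echo $i \
          `${RSBACPATH}rc_get_item TYPE $i type_ipc_name|tr ' ' '_'` \
          `onoffi $i $DEFIPCCR`
      done
      ;;
    defgcr)
      ALLTYPENR=`$RSBACPATH""rc_get_item list_group_type_nr`
      echo $INHPR "Inherit_from_process" `onoff $INHPR $DEFGCR`
      echo $NOCR "No_create_allowed" `onoff $NOCR $DEFGCR`
      for i in $ALLTYPENR
      do
        echo $i \
          `${RSBACPATH}rc_get_item TYPE $i type_group_name|tr ' ' '_'` \
          `onoffi $i $DEFGCR`
      done
      ;;
    defuscr)
      ALLTYPENR=`$RSBACPATH""rc_get_item list_fd_type_nr`
      echo $USEFD "Use_FD" `onoff $USEFD $DEFUSCR`
      echo $NOCR "No_create_allowed" `onoff $NOCR $DEFUSCR`
      for i in $ALLTYPENR
      do
        echo $i \
          `${RSBACPATH}rc_get_item TYPE $i type_fd_name|tr ' ' '_'` \
          `onoffi $i $DEFUSCR`
      done
      ;;
  esac
}

# choose_role MODE PROMPT DEFAULT: let the user pick a role.  With the
# role list available, a menu of all roles is shown; MODE "allrole" adds
# the next unused number and a type-in entry.  Otherwise PROMPT asks for
# a number with DEFAULT preset.  The chosen role number is handed back
# through $TMPFILE, which is removed when nothing valid was chosen
# (callers test -f $TMPFILE).
choose_role () {
  if $RSBACPATH""rc_get_item list_roles >$TMPFILE
  then
    if test "$1" = "allrole"
    then
      # Use the configured tool directory as everywhere else; a bare
      # rc_get_item was looked up in $PATH and failed when RSBACPATH
      # points somewhere else, leaving an empty "(unused)" entry.
      UNUSED="`${RSBACPATH}rc_get_item list_unused_role_nr`"
      echo "$UNUSED" "(unused)" >>$TMPFILE
      echo "Enter" "(type-in)" >>$TMPFILE
    fi
    ROLELIST=`cat $TMPFILE`
    TMP=$ROLE
    while $DIALOG --title "$TITLE" \
      --backtitle "$BACKTITLE" \
      --default-item "$TMP" \
      --menu "$2" $BL $BC $MAXLINES \
      $ROLELIST \
      2>$TMPFILE
    do
      TMP=`cat $TMPFILE`
      if test "$TMP" = "Enter"
      then
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --inputbox "$2: Enter role number" $BL $BC "$UNUSED" \
          2>$TMPFILE
        then
          TMP=`cat $TMPFILE`
        else
          rm $TMPFILE
        fi
      fi
      # One selection is enough; the loop only repeats on dialog errors.
      return
    done
    rm $TMPFILE
  else
    if $DIALOG --title "$TITLE" \
      --backtitle "$BACKTITLE" \
      --inputbox "$2" $BL $BC "$3" \
      2>$TMPFILE
    then
      TMP=`cat $TMPFILE`
      # Quoted so a typed-in value is always passed as one argument.
      if ! $RSBACPATH""rc_get_item ROLE "$TMP" name >$TMPFILE
      then
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "Role: Invalid role $TMP!" 5 $BC
        rm $TMPFILE
      fi
    fi
  fi
}

# gen_right_list KIND TYPENR: checklist entries (request, state, state)
# for every request in $ALLREQUESTS, "on" where the role is compatible
# with type TYPENR of kind KIND.
gen_right_list () {
  for i in $ALLREQUESTS
  do
    TMP=`${RSBACPATH}rc_get_item ROLE $ROLE type_comp_$1 $2 $i`
    echo $i "`onoffb $TMP`" \
      `onoffb $TMP`
  done
}

# check_rights LABEL KIND TYPENR: edit the requests for which the
# current role is compatible with type TYPENR of kind KIND.
check_rights () {
  ALLREQUESTS=`$RSBACPATH""rc_get_item list_$2_rights`
  COMPBITS=`$RSBACPATH""rc_get_item ROLE $ROLE type_comp_$2 $3`
  TYPENAME="`${RSBACPATH}rc_get_item TYPE $3 type_$2_name`"
  if $DIALOG --title "$1 Compatibilites for Role $ROLE \"$NAME\", Type $3 \"$TYPENAME\"" \
    --backtitle "$BACKTITLE" \
    --checklist "Bits: $COMPBITS" $BL $BC $MAXLINES \
    `gen_right_list $2 $3` \
    '--------------' '-----------------' off \
    UA 'Unset ALL' off \
    A 'Set ALL' off \
    R 'Set Read Requests' off \
    RW 'Set Read-Write R.' off \
    W 'Set Write Requests' off \
    SY 'Set System R.' off \
    SE 'Set Security R.' \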
off \ 2>$TMPFILE then TMP=`cat $TMPFILE|tr -d '"'` if $RSBACPATH""rc_set_item ROLE $ROLE type_comp_$2 $3 $TMP &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE type_comp_$2 $3 $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi # COMPBITS=`$RSBACPATH""rc_get_item ROLE $ROLE type_comp_$2 $3` fi } declare -i MAXCOMPLEN=$BC-45 declare -i COMPLENRES=64-$MAXCOMPLEN comp_print () { if test ${#1} -le $MAXCOMPLEN then echo $1 else echo -n '*';echo $1|cut -c$COMPLENRES-65 fi # echo $1 } if test -n "$RSBACLOGFILE" then { echo "" echo "# $0 start `date`" } >>"$RSBACLOGFILE" fi if test "$1" != "" then ROLE=$1 else choose_role usedrole "Startup: Choose role to edit" "" if test -f $TMPFILE then ROLE=`cat $TMPFILE` else ROLE=0 fi fi if test "$ROLE" != "" then get_items $ROLE fi while true ; do \ if ! \ $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --help-button --default-item "$CHOICE" \ --menu "Main Menu" $BL $BC `gl 33` \ "Rolelist:" "Choose role from list" \ "---------------" " "\ "Role Number:" "$ROLE" \ "Name:" "$NAME" \ "Role Comp:" "`comp_print \"$COMPROLE\"`" \ "Admin Roles:" "`comp_print \"$ADMROLES\"`" \ "Assign Roles:" "`comp_print \"$ASSROLES\"`" \ "Type Comp FD:" "(Matrix not printable)" \ "Type Comp DEV:" "(Matrix not printable)" \ "Type Comp User:" "(Matrix not printable)" \ "Type Comp Process:" "(Matrix not printable)" \ "Type Comp IPC:" "(Matrix not printable)" \ "Type Comp SCD:" "(Matrix not printable)" \ "Type Comp Group:" "(Matrix not printable)" \ "Type Comp NETDEV:" "(Matrix not printable)" \ "Type Comp NETTEMP:" "(Matrix not printable)" \ "Type Comp NETOBJ:" "(Matrix not printable)" \ "Admin Type:" "$ADMTYPE / `get_value_name admtype $ADMTYPE`" \ "Def FD Create Type:" "$DEFFDCR / `type_name fd $DEFFDCR`" \ "Def FD Ind Create Type:" "`comp_print \"$DEFFDICR\"`" \ "Def User Create Type:" "$DEFUCR / `type_name user $DEFUCR`" \ 
"Def Process Create Type:" "$DEFPCR / `type_name process $DEFPCR`" \ "Def Process Chown Type:" "$DEFPCH / `type_name process $DEFPCH`" \ "Def Process Execute Type:" "$DEFPEX / `type_name process $DEFPEX`" \ "Def IPC Create Type:" "$DEFIPCCR / `type_name ipc $DEFIPCCR`" \ "Def Group Create Type:" "$DEFGCR / `type_name group $DEFGCR`" \ "Def Unixsock Create Type:" "$DEFUSCR / `type_name fd $DEFUSCR`" \ "Boot Role:" "$(onoffb $BOOTROLE)" \ "Req Reauth:" "$(onoffb $REQREAUTH)" \ "---------------" " "\ "New Role" "" \ "Copy Role" "(To other role)" \ "Delete Role" "" \ "Go to Type Menu" "" \ "Go to ACL Menu" "" \ "Quit" "" \ 2>$TMPFILE then rm $TMPFILE ; rm $TMPFILETWO ; exit fi CHOICE=`cat $TMPFILE` case "$CHOICE" in HELP*) show_help "${CHOICE:5}" CHOICE="${CHOICE:5}" ;; "Role Number:") if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Role ID" $BL $BC $ROLE \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""rc_get_item ROLE $TMP name >$TMPFILE then ROLE=$TMP get_items $ROLE else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Role: Unknown role $TMP!" 5 $BC fi fi ;; Rolelist:) choose_role usedrole "Rolelist: Choose role" $ROLE if test -f $TMPFILE then ROLE=`cat $TMPFILE` get_items $ROLE fi ;; "New Role") if ! \ $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Enter role number to add" 8 $BC \ `${RSBACPATH}rc_get_item list_unused_role_nr` \ 2>$TMPFILE then rm $TMPFILE ; continue fi TMP=`cat $TMPFILE` if ${RSBACPATH}rc_get_item ROLE $TMP name >$TMPFILE then \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Role `cat $TMPFILE` exists!" 
$BL $BC else if $RSBACPATH""rc_set_item ROLE $TMP name "Role $TMP" &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $TMP name \"Role $TMP\" >>"$RSBACLOGFILE" fi CHOICE="Name:" ROLE=$TMP get_items $ROLE else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head $TMPFILE`" $BL $BC fi fi ;; "Copy Role") choose_role usedrole "Copy Role: Choose source role" $ROLE if test ! -f $TMPFILE then continue fi TMPROLE=`cat $TMPFILE` choose_role allrole "Copy Role: Choose target role" "" if test ! -f $TMPFILE then continue fi TGTROLE=`cat $TMPFILE` if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" --defaultno \ --yesno "Copy role $TMPROLE (`${RSBACPATH}rc_get_item ROLE $TMPROLE name`) to $TGTROLE (`${RSBACPATH}rc_get_item ROLE $TGTROLE name`)?" $BL $BC \ 2>/dev/null then if $RSBACPATH""rc_copy_role $TMPROLE $TGTROLE &>$TMPFILE then ROLE=$TGTROLE get_items $ROLE else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head $TMPFILE`" $BL $BC fi fi ;; "Delete Role") choose_role used_role "Delete Role: Choose role to delete" $ROLE if test ! -f $TMPFILE then continue fi TMPROLE=`cat $TMPFILE` if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" --defaultno \ --yesno "Delete role $TMPROLE (`${RSBACPATH}rc_get_item ROLE $TMPROLE name`)?" 
$BL $BC \ 2>/dev/null then if $RSBACPATH""rc_set_item ROLE $TMPROLE remove_role &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $TMPROLE remove_role >>"$RSBACLOGFILE" fi if test $ROLE -eq $TMPROLE then choose_role used_role "Role deleted: Choose another role" "" if test -f $TMPFILE then ROLE=`cat $TMPFILE` get_items $ROLE else ROLE= fi get_items $ROLE fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head $TMPFILE`" $BL $BC fi fi ;; 'Name:') if test "$ROLE" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --max-input 15 \ --inputbox "Name for Role $ROLE (maxlen = 15)" $BL $BC "$NAME" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""rc_set_item ROLE $ROLE name "$TMP" &>$TMPFILE then NAME=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE name \"$TMP\" >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Name: No role specified!" 5 $BC fi ;; 'Role Comp:') if test "$ROLE" != "" then \ ALLROLENR=`$RSBACPATH""rc_get_item list_role_nr` if $DIALOG --title "Role Compatibilites for Role $ROLE" \ --backtitle "$BACKTITLE" \ --checklist "List: `echo $COMPROLE`" $BL $BC $MAXLINES \ `gen_role_list role_comp` \ 2>$TMPFILE then TMP=`cat $TMPFILE|tr -d '"'` for i in $COMPROLE do if ! echo $TMP | grep -q "\\<$i\\>" then if $RSBACPATH""rc_set_item ROLE $ROLE role_comp $i 0 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE role_comp $i 0 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Unset $ROLE/$i: `head -n 1 $TMPFILE`" $BL $BC fi fi done for i in $TMP do if ! 
echo $COMPROLE | grep -q "\\<$i\\>" then if $RSBACPATH""rc_set_item ROLE $ROLE role_comp $i 1 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE role_comp $i 1 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Set $ROLE/$i: `head -n 1 $TMPFILE`" $BL $BC fi fi done COMPROLE=`$RSBACPATH""rc_get_item ROLE $ROLE list_role_comp_nr` fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Role Comp: No role specified!" 5 $BC fi ;; 'Admin Roles:') if test "$ROLE" != "" then \ ALLROLENR=`$RSBACPATH""rc_get_item list_role_nr` if $DIALOG --title "Admin Roles for Role $ROLE" \ --backtitle "$BACKTITLE" \ --checklist "List: `echo $ADMROLES`" $BL $BC $MAXLINES \ `gen_role_list admin_roles` \ 2>$TMPFILE then TMP=`cat $TMPFILE|tr -d '"'` for i in $ADMROLES do if ! echo $TMP | grep -q "\\<$i\\>" then if $RSBACPATH""rc_set_item ROLE $ROLE admin_roles $i 0 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE admin_roles $i 0 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Unset $ROLE/$i: `head -n 1 $TMPFILE`" $BL $BC fi fi done for i in $TMP do if ! echo $ADMROLES | grep -q "\\<$i\\>" then if $RSBACPATH""rc_set_item ROLE $ROLE admin_roles $i 1 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE admin_roles $i 1 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Set $ROLE/$i: `head -n 1 $TMPFILE`" $BL $BC fi fi done ADMROLES=`$RSBACPATH""rc_get_item ROLE $ROLE list_admin_role_nr` fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Admin Roles: No role specified!" 
5 $BC fi ;; 'Assign Roles:') if test "$ROLE" != "" then \ ALLROLENR=`$RSBACPATH""rc_get_item list_role_nr` if $DIALOG --title "Assign Roles for Role $ROLE" \ --backtitle "$BACKTITLE" \ --checklist "List: `echo $ASSROLES`" $BL $BC $MAXLINES \ $RINHUSER "always inherit from user" \ $(onoffb $(${RSBACPATH}rc_get_item ROLE $ROLE assign_roles $RINHUSER)) \ $RINHPR "inherit process (keep role)" \ $(onoffb $(${RSBACPATH}rc_get_item ROLE $ROLE assign_roles $RINHPR)) \ $RINHPA "inherit parent dir (default)" \ $(onoffb $(${RSBACPATH}rc_get_item ROLE $ROLE assign_roles $RINHPA)) \ $RINHMIX "mixed inherit proc/user (root dir default)" \ $(onoffb $(${RSBACPATH}rc_get_item ROLE $ROLE assign_roles $RINHMIX)) \ `gen_role_list assign_roles` \ 2>$TMPFILE then TMP=`cat $TMPFILE|tr -d '"'` for i in $ASSROLES do if ! echo $TMP | grep -q "\\<$i\\>" then if $RSBACPATH""rc_set_item ROLE $ROLE assign_roles $i 0 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE assign_roles $i 0 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Unset $ROLE/$i: `head -n 1 $TMPFILE`" $BL $BC fi fi done for i in $TMP do if ! echo $ASSROLES | grep -q "\\<$i\\>" then if $RSBACPATH""rc_set_item ROLE $ROLE assign_roles $i 1 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE assign_roles $i 1 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Set $ROLE/$i: `head -n 1 $TMPFILE`" $BL $BC fi fi done ASSROLES=`$RSBACPATH""rc_get_item ROLE $ROLE list_assign_role_nr` fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Assign Roles: No role specified!" 
5 $BC fi ;; 'Type Comp FD:') if test "$ROLE" != "" then \ TMPTYPE= while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$TMPTYPE" \ --menu "FD Type Compatibilites for Role $ROLE \"$NAME\" - Choose type" $BL $BC $MAXLINES \ `${RSBACPATH}rc_get_item list_fd_types` \ 2>$TMPFILE do TMPTYPE=`cat $TMPFILE|tr -d '"'` check_rights FD fd $TMPTYPE done else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Type Comp FD: No role specified!" 5 $BC fi ;; 'Type Comp DEV:') if test "$ROLE" != "" then \ TMPTYPE= while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$TMPTYPE" \ --menu "DEV Type Compatibilites for Role $ROLE \"$NAME\" - Choose type" $BL $BC $MAXLINES \ `${RSBACPATH}rc_get_item list_dev_types` \ 2>$TMPFILE do TMPTYPE=`cat $TMPFILE|tr -d '"'` check_rights DEV dev $TMPTYPE done else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Type Comp DEV: No role specified!" 5 $BC fi ;; 'Type Comp User:') if test "$ROLE" != "" then \ TMPTYPE= ALLTYPENR=`$RSBACPATH""rc_get_item list_user_type_nr` while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$TMPTYPE" \ --menu "User Type Compatibilites for Role $ROLE \"$NAME\" - Choose type" $BL $BC $MAXLINES \ `${RSBACPATH}rc_get_item list_user_types` \ 2>$TMPFILE do TMPTYPE=`cat $TMPFILE|tr -d '"'` check_rights User user $TMPTYPE done else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Type Comp User: No role specified!" 
5 $BC fi ;; 'Type Comp Process:') if test "$ROLE" != "" then \ TMPTYPE= ALLTYPENR=`$RSBACPATH""rc_get_item list_process_type_nr` while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$TMPTYPE" \ --menu "Process Type Compatibilites for Role $ROLE \"$NAME\" - Choose type" $BL $BC $MAXLINES \ `${RSBACPATH}rc_get_item list_process_types` \ 2>$TMPFILE do TMPTYPE=`cat $TMPFILE|tr -d '"'` check_rights Process process $TMPTYPE done else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Type Comp Process: No role specified!" 5 $BC fi ;; 'Type Comp IPC:') if test "$ROLE" != "" then \ TMPTYPE= ALLTYPENR=`$RSBACPATH""rc_get_item list_ipc_type_nr` while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$TMPTYPE" \ --menu "IPC Type Compatibilites for Role $ROLE \"$NAME\" - Choose type" $BL $BC $MAXLINES \ `${RSBACPATH}rc_get_item list_ipc_types` \ 2>$TMPFILE do TMPTYPE=`cat $TMPFILE|tr -d '"'` check_rights IPC ipc $TMPTYPE done else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Type Comp IPC: No role specified!" 5 $BC fi ;; 'Type Comp SCD:') if test "$ROLE" != "" then \ TMPTYPE= ALLTYPENR=`$RSBACPATH""rc_get_item list_scd_type_nr` while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$TMPTYPE" \ --menu "SCD Type Compatibilites for Role $ROLE \"$NAME\" - Choose type" $BL $BC $MAXLINES \ `${RSBACPATH}rc_get_item list_scd_types` \ 2>$TMPFILE do TMPTYPE=`cat $TMPFILE|tr -d '"'` check_rights SCD scd $TMPTYPE done else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Type Comp SCD: No role specified!" 
5 $BC fi ;; 'Type Comp Group:') if test "$ROLE" != "" then \ TMPTYPE= ALLTYPENR=`$RSBACPATH""rc_get_item list_group_type_nr` while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$TMPTYPE" \ --menu "Group Type Compatibilites for Role $ROLE \"$NAME\" - Choose type" $BL $BC $MAXLINES \ `${RSBACPATH}rc_get_item list_group_types` \ 2>$TMPFILE do TMPTYPE=`cat $TMPFILE|tr -d '"'` check_rights Group group $TMPTYPE done else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Type Comp Group: No role specified!" 5 $BC fi ;; 'Type Comp NETDEV:') if test "$ROLE" != "" then \ TMPTYPE= ALLTYPENR=`$RSBACPATH""rc_get_item list_netdev_type_nr` while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$TMPTYPE" \ --menu "NETDEV Type Compatibilites for Role $ROLE \"$NAME\" - Choose type" $BL $BC $MAXLINES \ `${RSBACPATH}rc_get_item list_netdev_types` \ 2>$TMPFILE do TMPTYPE=`cat $TMPFILE|tr -d '"'` check_rights NETDEV netdev $TMPTYPE done else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Type Comp NETDEV: No role specified!" 5 $BC fi ;; 'Type Comp NETTEMP:') if test "$ROLE" != "" then \ TMPTYPE= ALLTYPENR=`$RSBACPATH""rc_get_item list_nettemp_type_nr` while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$TMPTYPE" \ --menu "NETTEMP Type Compatibilites for Role $ROLE \"$NAME\" - Choose type" $BL $BC $MAXLINES \ `${RSBACPATH}rc_get_item list_nettemp_types` \ 2>$TMPFILE do TMPTYPE=`cat $TMPFILE|tr -d '"'` check_rights NETTEMP nettemp $TMPTYPE done else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Type Comp NETTEMP: No role specified!" 
5 $BC fi ;; 'Type Comp NETOBJ:') if test "$ROLE" != "" then \ TMPTYPE= ALLTYPENR=`$RSBACPATH""rc_get_item list_netobj_type_nr` while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$TMPTYPE" \ --menu "NETOBJ Type Compatibilites for Role $ROLE \"$NAME\" - Choose type" $BL $BC $MAXLINES \ `${RSBACPATH}rc_get_item list_netobj_types` \ 2>$TMPFILE do TMPTYPE=`cat $TMPFILE|tr -d '"'` check_rights NETOBJ netobj $TMPTYPE done else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Type Comp NETOBJ: No role specified!" 5 $BC fi ;; 'Admin Type:') if test "$ROLE" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Admin Type for Role $ROLE" $BL $BC 3 \ 0 "`get_value_name admtype 0`" `onoff 0 $ADMTYPE` \ 1 "`get_value_name admtype 1`" `onoff 1 $ADMTYPE` \ 2 "`get_value_name admtype 2`" `onoff 2 $ADMTYPE` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""rc_set_item ROLE $ROLE admin_type $TMP &>$TMPFILE then ADMTYPE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE admin_type $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Admin Type: No role specified!" 
5 $BC fi ;; 'Def FD Create Type:') if test "$ROLE" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Default FD Create Type for Role $ROLE" $BL $BC $MAXLINES \ `gen_type_list deffdcr` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""rc_set_item ROLE $ROLE def_fd_create_type $TMP &>$TMPFILE then DEFFDCR=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE def_fd_create_type $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Default FD Create Type: No role specified!" 5 $BC fi ;; 'Def FD Ind Create Type:') if test "$ROLE" != "" then while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --menu "Choose Parent Dir Type for Default FD Ind Create Type for Role $ROLE" $BL $BC $MAXLINES \ `gen_type_list deffdind` \ 2>$TMPFILE do TMP2=`cat $TMPFILE|cut -d "/" -f 1` if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Default FD Individual Create Type for Role $ROLE to Type $TMP2" $BL $BC $MAXLINES \ `gen_type_list deffdicr $TMP2` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if test "$TMP" = "Remove" then if $RSBACPATH""rc_set_item ROLE $ROLE def_fd_ind_create_type_remove $TMP2 &>$TMPFILE then DEFFDICR=`$RSBACPATH""rc_get_item list_def_fd_ind_create_type_values $1` if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE def_fd_ind_create_type_remove $TMP2 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi else if $RSBACPATH""rc_set_item ROLE $ROLE def_fd_ind_create_type $TMP2 $TMP &>$TMPFILE then DEFFDICR=`$RSBACPATH""rc_get_item list_def_fd_ind_create_type_values $1` if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE def_fd_ind_create_type $TMP2 $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle 
"$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi fi done else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Default FD Ind Create Type: No role specified!" 5 $BC fi ;; 'Def User Create Type:') if test "$ROLE" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Default User Create Type for Role $ROLE" $BL $BC $MAXLINES \ `gen_type_list defucr` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""rc_set_item ROLE $ROLE def_user_create_type $TMP &>$TMPFILE then DEFUCR=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE def_user_create_type $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Default User Create Type: No role specified!" 5 $BC fi ;; 'Def Process Create Type:') if test "$ROLE" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Default Process Create Type for Role $ROLE" $BL $BC $MAXLINES \ `gen_type_list defpcr` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""rc_set_item ROLE $ROLE def_process_create_type $TMP &>$TMPFILE then DEFPCR=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE def_process_create_type $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Default Process Create Type: No role specified!" 
5 $BC fi ;; 'Def Process Chown Type:') if test "$ROLE" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Default Process Chown Type for Role $ROLE" $BL $BC $MAXLINES \ `gen_type_list defpch` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""rc_set_item ROLE $ROLE def_process_chown_type $TMP &>$TMPFILE then DEFPCH=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE def_process_chown_type $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Default Process Chown Type: No role specified!" 5 $BC fi ;; 'Def Process Execute Type:') if test "$ROLE" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Default Process Execute Type for Role $ROLE" $BL $BC $MAXLINES \ `gen_type_list defpex` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""rc_set_item ROLE $ROLE def_process_execute_type $TMP &>$TMPFILE then DEFPEX=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE def_process_execute_type $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Default Process Execute Type: No role specified!" 
5 $BC fi ;; 'Def IPC Create Type:') if test "$ROLE" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Default IPC Create Type for Role $ROLE" $BL $BC $MAXLINES \ `gen_type_list defipccr` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""rc_set_item ROLE $ROLE def_ipc_create_type $TMP &>$TMPFILE then DEFIPCCR=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE def_ipc_create_type $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Default IPC Create Type: No role specified!" 5 $BC fi ;; 'Def Group Create Type:') if test "$ROLE" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Default Group Create Type for Role $ROLE" $BL $BC $MAXLINES \ `gen_type_list defgcr` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""rc_set_item ROLE $ROLE def_group_create_type $TMP &>$TMPFILE then DEFGCR=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE def_group_create_type $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Default Group Create Type: No role specified!" 
5 $BC fi ;; 'Def Unixsock Create Type:') if test "$ROLE" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Default Unixsock Create Type for Role $ROLE" $BL $BC $MAXLINES \ `gen_type_list defuscr` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""rc_set_item ROLE $ROLE def_unixsock_create_type $TMP &>$TMPFILE then DEFUSCR=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE def_unixsock_create_type $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Default Unixsock Create Type: No role specified!" 5 $BC fi ;; 'Boot Role:') if test "$ROLE" != "" then if test "$BOOTROLE" = "0" then TMP=1 else TMP=0 fi if $RSBACPATH""rc_set_item ROLE $ROLE boot_role $TMP &>$TMPFILE then BOOTROLE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE boot_role $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head $TMPFILE`" $BL $BC fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "boot_role: No role specified!" 5 $BC fi ;; 'Req Reauth:') if test "$ROLE" != "" then if test "$REQREAUTH" = "0" then TMP=1 else TMP=0 fi if $RSBACPATH""rc_set_item ROLE $ROLE req_reauth $TMP &>$TMPFILE then REQREAUTH=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""rc_set_item ROLE $ROLE req_reauth $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head $TMPFILE`" $BL $BC fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "req_reauth: No role specified!" 5 $BC fi ;; "Go to Type Menu") ${RSBACPATH}rsbac_rc_type_menu ;; "Go to ACL Menu") ${RSBACPATH}rsbac_acl_menu ;; Quit) rm $TMPFILE ; rm $TMPFILETWO ; exit ;; *) $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Main Menu: Selection Error!" 
5 $BC
    esac
#    sleep 2
done
rsbac-admin-1.4.0/main/tools/src/scripts/rsbac_rc_type_menu0000755000175000017500000006341611131371032023677 0ustar gauvaingauvain
#!/bin/bash
#
# This script is used for Administration of RSBAC RC Type entries
#
# Author and (c) 1999-2006 Amon Ott
#
# Last changed on 13/Jan/2006
#
# Make sure we're really running bash.
#
[ -z "$BASH" ] && { echo "This menu requires bash" 1>&2; exit 1; }
#
# Cache function definitions, turn off posix compliance
#
set -h +o posix
# Attribute names of the RC TYPE items this menu deals with.
# NOTE(review): ITEMS is not referenced again anywhere in this script.
ITEMS="type_fd_name type_dev_name type_user_name type_process_name \
type_ipc_name type_group_name type_netdev_name type_nettemp_name \
type_netobj_name type_fd_need_secdel"
# Set conf filename
RSBACCONF=/etc/rsbac.conf
# Read settings
# Both files are sourced as shell code, so whatever they contain runs with
# the privileges of the user running this menu (normally an RC admin).
if test -f $RSBACCONF
then
  . $RSBACCONF
fi
if test -f ~/.rsbacrc
then
  . ~/.rsbacrc
fi
if test -z "$RSBACMOD"
then
  RSBACMOD='GEN MAC FC SIM PM DAZ FF RC AUTH ACL CAP JAIL RES PAX'
fi
# Export SHOW_<module>=yes for every configured module; nothing in this
# script reads them, presumably the sub-menus do - TODO confirm.
for i in $RSBACMOD
do
  export SHOW_${i}=yes
done
# The dir for tmp files
if test -z "$TMPDIR" ; then TMPDIR=/tmp ; fi
# This must be a unique temporary filename
# NOTE(review): the fallback names (rsbac_dialog.$$ and .$$.2) are
# predictable and the rm/create sequence is not atomic, so in a shared
# TMPDIR the file can be pre-created by another local user before the
# first ">$TMPFILE" redirect in this script writes to it.  Aborting when
# mktemp fails would be the safer choice.
if ! TMPFILE=`mktemp -q $TMPDIR/rsbac_dialog.XXXXXX`
then
  TMPFILE=$TMPDIR/rsbac_dialog.$$
  if test -e $TMPFILE
  then
    rm $TMPFILE
  fi
fi
if ! TMPFILETWO=`mktemp -q $TMPDIR/rsbac_dialog.XXXXXX`
then
  TMPFILETWO=$TMPDIR/rsbac_dialog.$$.2
  if test -e $TMPFILETWO
  then
    rm $TMPFILETWO
  fi
fi
# set this to rsbac bin dir, if not in path (trailing / is mandatory!)
#
#if test -z "$RSBACPATH" ; then RSBACPATH=./ ; fi
# set this to initial dir on script startup
LASTDIR='.'
# which dialog tool to use - dialog or kdialog or xdialog...
if test -z $DIALOG
then
  DIALOG=${RSBACPATH}dialog
fi
if ! $DIALOG --clear
then
  echo $DIALOG menu program required! >&2
  exit
fi
# The main menu and choose_target rely on --help-button (HELP <tag> results).
if ! $DIALOG --help 2>&1 | grep -q "help-button"
then
  echo "Newer dialog menu version >= 0.9a-20020309a with '--help-button' option" >&2
  echo "required, please use dialog from admin tools contrib dir or set" >&2
  echo "\$DIALOG to another dialog program, e.g. with rsbac_settings_menu!" >&2
  exit
fi
# Derive the dialog geometry from the terminal size: $1 = rows, $2 = columns,
# each defaulting to 24x80 when missing or 0.  Exports LINES/COLUMNS and
# sets the box size (BL/BC) and the menu list height (MAXLINES).
set_geometry () {
  BL=${1:-24}
  BC=${2:-80}
  [ $BL = 0 ] && BL=24
  [ $BC = 0 ] && BC=80
  export LINES=$BL
  export COLUMNS=$BC
  BL=$((BL-4))
  BC=$((BC-5))
  MAXLINES=$((LINES-10))
}
set_geometry `stty size 2>/dev/null`
# Clamp a requested list height ($1) to MAXLINES.
# NOTE(review): gl is not called anywhere in this script.
gl () {
  if test $1 -gt $MAXLINES
  then
    echo $MAXLINES
  else
    echo $1
  fi
}
# BL/BC/MAXLINES are recomputed here from the LINES/COLUMNS that
# set_geometry exported, so BC ends up COLUMNS-4 (not the -5 above).
if test -z "$LINES" ; then declare -i LINES=25 ; fi
if test -z "$COLUMNS" ; then declare -i COLUMNS=80 ; fi
export LINES
export COLUMNS
declare -i BL=$LINES-4
declare -i BC=$COLUMNS-4
declare -i MAXLINES=$LINES-10
if test -z "$BACKTITLE"
then
  BACKTITLE="RSBAC Administration Tools 1.4.0"
fi
TITLE="`whoami`@`hostname`: RSBAC RC Type Administration"
HELPTITLE="$TITLE Help"
ERRTITLE="RSBAC RC Type Administration - ERROR"
# Show the help text for menu tag $1 (a target name or Quit) in a textbox.
# The text is staged in $TMPFILE, which is reused by the callers afterwards.
show_help () {
  {
    echo "$1"
    echo ""
    case "$1" in
      FD)
        echo "Filesystem Objects."
        ;;
      FDSD)
        echo "Secure Delete setting for FILE objects."
        ;;
      DEV)
        echo "Device objects."
        ;;
      USER)
        echo "User objects."
        ;;
      PROCESS)
        echo "Process objects."
        ;;
      IPC)
        echo "Inter Process Communication objects: Shared Memory, Messages,"
        echo "Semaphores."
        ;;
      SCD)
        echo "System Control Data objects: system wide objects."
        ;;
      GROUP)
        echo "Linux group objects."
        ;;
      NETDEV)
        echo "Network device objects."
        ;;
      NETTEMP)
        echo "Network template objects."
        ;;
      NETOBJ)
        echo "Network objects."
        ;;
      Quit)
        echo "Quit this menu."
        ;;
      *)
        echo "No help for $1 available!"
    esac
  } > $TMPFILE
  $DIALOG --title "$HELPTITLE" \
    --backtitle "$BACKTITLE" \
    --textbox $TMPFILE $BL $BC
#  sleep 1
}
# Print "on" when $1 and $2 are the same string, else "off".
# NOTE(review): onoff is not called anywhere in this script.
onoff () {
  if test "$1" = "$2"
  then
    echo on
  else
    echo off
  fi
}
# Integer variant of onoff ($1 -eq $2).
# NOTE(review): onoffi is not called anywhere in this script.
onoffi () {
  if test $1 -eq $2
  then
    echo on
  else
    echo off
  fi
}
# Print "on" when the flag $1 is "1", else "off".
onoffb () {
  if test "$1" = "1"
  then
    echo on
  else
    echo off
  fi
}
# Print the dialog tag/description pairs for all types of target $1.
# FDSD pairs each FD type number with the on/off state of its
# type_fd_need_secdel flag; all other targets pass the rc_get_item
# type list through unchanged.  Unknown targets print nothing.
gen_type_list () {
  case $1 in
    FD)
      ${RSBACPATH}rc_get_item list_fd_types
      ;;
    FDSD)
      for i in `${RSBACPATH}rc_get_item list_fd_type_nr`
      do
        echo -n $i ""
        onoffb `${RSBACPATH}rc_get_item TYPE $i type_fd_need_secdel`
      done
      ;;
    DEV)
      ${RSBACPATH}rc_get_item list_dev_types
      ;;
    USER)
      ${RSBACPATH}rc_get_item list_user_types
      ;;
    PROCESS)
      ${RSBACPATH}rc_get_item list_process_types
      ;;
    IPC)
      ${RSBACPATH}rc_get_item list_ipc_types
      ;;
    SCD)
      ${RSBACPATH}rc_get_item list_scd_types
      ;;
    GROUP)
      ${RSBACPATH}rc_get_item list_group_types
      ;;
    NETDEV)
      ${RSBACPATH}rc_get_item list_netdev_types
      ;;
    NETTEMP)
      ${RSBACPATH}rc_get_item list_nettemp_types
      ;;
    NETOBJ)
      ${RSBACPATH}rc_get_item list_netobj_types
      ;;
    *)
      ;;
  esac
}
# Human readable description of target $1, used as menu item text.
get_target_name () {
  case $1 in
    FD)
      echo File/Dir type name
      ;;
    FDSD)
      echo File/Dir secure delete
      ;;
    DEV)
      echo Device type name
      ;;
    USER)
      echo User type name
      ;;
    PROCESS)
      echo Process type name
      ;;
    IPC)
      echo IPC type name
      ;;
    SCD)
      echo "SCD type name (read only)"
      ;;
    GROUP)
      echo Linux Group type name
      ;;
    NETDEV)
      echo NETDEV type name
      ;;
    NETTEMP)
      echo NETTEMP type name
      ;;
    NETOBJ)
      echo NETOBJ type name
      ;;
    *)
      echo " "
      ;;
  esac
}
# rc_get_item/rc_set_item attribute holding the name (or, for FDSD, the
# secure delete flag) of a type of target $1.
item_name () {
  case $1 in
    FD)
      echo type_fd_name
      ;;
    FDSD)
      echo type_fd_need_secdel
      ;;
    DEV)
      echo type_dev_name
      ;;
    USER)
      echo type_user_name
      ;;
    PROCESS)
      echo type_process_name
      ;;
    IPC)
      echo type_ipc_name
      ;;
    SCD)
      echo type_scd_name
      ;;
    GROUP)
      echo type_group_name
      ;;
    NETDEV)
      echo type_netdev_name
      ;;
    NETTEMP)
      echo type_nettemp_name
      ;;
    NETOBJ)
      echo type_netobj_name
      ;;
    *)
      echo " "
      ;;
  esac
}
# rc_set_item attribute that removes a type of target $1.  FDSD maps to
# the secure delete flag, not a remove attribute; callers translate FDSD
# to FD before using this.
rm_item_name () {
  case $1 in
    FD)
      echo type_fd_remove
      ;;
    FDSD)
      echo type_fd_need_secdel
      ;;
    DEV)
      echo type_dev_remove
      ;;
    USER)
      echo type_user_remove
      ;;
    PROCESS)
      echo type_process_remove
      ;;
    IPC)
      echo \
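type_ipc_remove
      ;;
    SCD)
      echo type_scd_remove
      ;;
    GROUP)
      echo type_group_remove
      ;;
    NETDEV)
      echo type_netdev_remove
      ;;
    NETTEMP)
      echo type_nettemp_remove
      ;;
    NETOBJ)
      echo type_netobj_remove
      ;;
    *)
      echo " "
      ;;
  esac
}
# Print a free type number for target $1 (rc_get_item
# list_unused_<target>_type_nr).  FDSD shares the FD numbering; SCD has no
# entry (SCD types are read only) and yields the blank default.
unused_type () {
  case $1 in
    FD)
      ${RSBACPATH}rc_get_item list_unused_fd_type_nr
      ;;
    FDSD)
      ${RSBACPATH}rc_get_item list_unused_fd_type_nr
      ;;
    DEV)
      ${RSBACPATH}rc_get_item list_unused_dev_type_nr
      ;;
    USER)
      ${RSBACPATH}rc_get_item list_unused_user_type_nr
      ;;
    PROCESS)
      ${RSBACPATH}rc_get_item list_unused_process_type_nr
      ;;
    IPC)
      ${RSBACPATH}rc_get_item list_unused_ipc_type_nr
      ;;
    GROUP)
      ${RSBACPATH}rc_get_item list_unused_group_type_nr
      ;;
    NETDEV)
      ${RSBACPATH}rc_get_item list_unused_netdev_type_nr
      ;;
    NETTEMP)
      ${RSBACPATH}rc_get_item list_unused_nettemp_type_nr
      ;;
    NETOBJ)
      ${RSBACPATH}rc_get_item list_unused_netobj_type_nr
      ;;
    *)
      echo " "
      ;;
  esac
}
# Let the user pick a type target.  $1 is the menu prompt.  The chosen tag
# is left in $TMPFILE; when the menu is cancelled $TMPFILE is removed, which
# is how callers ("test -f $TMPFILE") tell the two outcomes apart.
# A HELP <tag> result shows the help text and re-displays the menu.
choose_target () {
  TARGETTMP=$TARGET
  while $DIALOG --title "$TITLE" \
    --backtitle "$BACKTITLE" \
    --help-button --default-item "$TARGETTMP" \
    --menu "$1" $BL $BC 11 \
    FD "`get_target_name FD`" \
    FDSD "`get_target_name FDSD`" \
    DEV "`get_target_name DEV`" \
    USER "`get_target_name USER`" \
    PROCESS "`get_target_name PROCESS`" \
    IPC "`get_target_name IPC`" \
    SCD "`get_target_name SCD`" \
    GROUP "`get_target_name GROUP`" \
    NETDEV "`get_target_name NETDEV`" \
    NETTEMP "`get_target_name NETTEMP`" \
    NETOBJ "`get_target_name NETOBJ`" \
    2>$TMPFILE
  do
    TARGETTMP=`cat $TMPFILE`
    case $TARGETTMP in
      HELP*)
        show_help "${TARGETTMP:5}"
        TARGETTMP="${TARGETTMP:5}"
        ;;
      *)
        return
        ;;
    esac
  done
  rm $TMPFILE
}
# Every successful change below is appended to $RSBACLOGFILE (when set) as
# the equivalent command line; mark the start of this session.
if test -n "$RSBACLOGFILE"
then
  {
    echo ""
    echo "# $0 start `date`"
  } >>"$RSBACLOGFILE"
fi
# Initial target: taken from the command line when it names a valid
# target, otherwise asked for.  Cancelling leaves TARGET empty.
case $1 in
  FD | FDSD | DEV | USER | PROCESS | IPC | SCD | GROUP | NETDEV | NETTEMP | NETOBJ)
    TARGET=$1
    ;;
  *)
    choose_target "Startup: Choose initial type target" ""
    if test -f $TMPFILE
    then
      TARGET=`cat $TMPFILE`
    fi
    ;;
esac
# Remove both scratch files on every exit path (Quit, cancel, error);
# TMPFILETWO is never used here and would otherwise be left behind.
trap 'rm -f "$TMPFILE" "$TMPFILETWO"' EXIT
# Ask for a new name for the current $TYPE and store it.
# $1: label shown in the prompt ("FD", "User", "Linux Group", ...)
# $2: rc_set_item attribute that holds the name (type_<target>_name)
# Reads the globals TYPE, TMPFILE, RSBACLOGFILE and leaves the entered
# name in TMP.  Errors from rc_set_item are shown in a message box.
rename_type () {
  if $DIALOG --title "$TITLE" \
    --backtitle "$BACKTITLE" \
    --max-input 15 \
    --inputbox "Name for $1 Type $TYPE (maxlen = 15)" $BL $BC \
    "`${RSBACPATH}rc_get_item TYPE $TYPE $2`" \
    2>$TMPFILE
  then
    TMP=`cat $TMPFILE`
    if ${RSBACPATH}rc_set_item TYPE $TYPE $2 "$TMP" &>$TMPFILE
    then
      if test -n "$RSBACLOGFILE"
      then
        echo ${RSBACPATH}rc_set_item TYPE $TYPE $2 \"$TMP\" >>"$RSBACLOGFILE"
      fi
    else
      $DIALOG --title "$ERRTITLE" \
        --backtitle "$BACKTITLE" \
        --msgbox "`head $TMPFILE`" $BL $BC
    fi
  fi
}
# Main menu loop.  The fixed entries are followed by the type list of the
# current target; selecting a type number edits that type (see "*)" below).
while true
do
  if ! $DIALOG --title "$TITLE" \
    --backtitle "$BACKTITLE" \
    --help-button --default-item "$TYPE" \
    --menu "Main Menu" $BL $BC $MAXLINES \
    "Choose Type Target:" "$TARGET / `get_target_name $TARGET`" \
    "New Type" ""\
    "Delete Type" ""\
    "Copy Complete Type" ""\
    "Copy Rights to Type" ""\
    "-------------------" ""\
    `gen_type_list $TARGET` \
    "-------------------" ""\
    "Quit" "" \
    2>$TMPFILE
  then
    # Cancel at the main menu; the EXIT trap removes the scratch files.
    exit
  fi
  TYPE="`cat $TMPFILE`"
  case "$TYPE" in
    HELP*)
      show_help "${TYPE:5}"
      TYPE="${TYPE:5}"
      ;;
    "Choose Type Target:")
      choose_target "Choose target" $TARGET
      if test -f $TMPFILE
      then
        TARGET=`cat $TMPFILE`
      fi
      ;;
    "New Type")
      if test -z "$TARGET"
      then
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "New Type: target is invalid!" 5 $BC
        continue
      fi
      # FDSD is a view on FD types; the attributes live on the FD type.
      if test "$TARGET" = "FDSD"
      then
        TMPTGT=FD
      else
        TMPTGT=$TARGET
      fi
      if ! $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --inputbox "Enter type number to add" 8 $BC \
        `unused_type $TARGET` \
        2>$TMPFILE
      then
        rm $TMPFILE ; continue
      fi
      TMP=`cat $TMPFILE`
      # Refuse to overwrite an existing type instead of silently doing
      # nothing.
      if test -n "`${RSBACPATH}rc_get_item TYPE $TMP \`item_name $TMPTGT\``"
      then
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "New Type: type $TMP already exists!" 5 $BC
        continue
      fi
      # A new type is created by giving it a name; the number is used as
      # the initial name.
      if $RSBACPATH""rc_set_item TYPE $TMP `item_name $TMPTGT` "$TMP" &>$TMPFILE
      then
        if test -n "$RSBACLOGFILE"
        then
          echo $RSBACPATH""rc_set_item TYPE $TMP `item_name $TMPTGT` \"$TMP\" >>"$RSBACLOGFILE"
        fi
        TYPE=$TMP
      else
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "`head $TMPFILE`" $BL $BC
      fi
      ;;
    "Delete Type")
      if test -z "$TARGET"
      then
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "Delete Type: target is invalid!" 5 $BC
        continue
      fi
      if test "$TARGET" = "FDSD"
      then
        TMPTGT=FD
      else
        TMPTGT=$TARGET
      fi
      TMP=$TYPE
      # Keep offering the list until a delete succeeds or the menu is
      # cancelled; answering "No" at the confirmation returns to the list.
      while $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --default-item "$TMP" \
        --menu "Choose type to delete" $BL $BC $MAXLINES \
        `gen_type_list $TMPTGT` \
        2>$TMPFILE
      do
        TMP=`cat $TMPFILE`
        OLDNAME="`${RSBACPATH}rc_get_item TYPE $TMP \`item_name $TMPTGT\``"
        if test -n "$OLDNAME"
        then
          if ! $DIALOG --title "$TITLE" \
            --backtitle "$BACKTITLE" --defaultno \
            --yesno "Delete $TMPTGT type $TMP ($OLDNAME) with all rights to it?" $BL $BC \
            2>/dev/null
          then
            continue
          fi
          if ${RSBACPATH}rc_set_item TYPE $TMP `rm_item_name $TMPTGT` &>$TMPFILE
          then
            if test -n "$RSBACLOGFILE"
            then
              echo $RSBACPATH""rc_set_item TYPE $TMP `rm_item_name $TMPTGT` >>"$RSBACLOGFILE"
            fi
            break
          else
            $DIALOG --title "$ERRTITLE" \
              --backtitle "$BACKTITLE" \
              --textbox $TMPFILE $BL $BC
          fi
        fi
      done
      ;;
    "Copy Complete Type")
      if test -z "$TARGET"
      then
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "Copy Complete Type: target is invalid!" 5 $BC
        continue
      fi
      if test "$TARGET" = "FDSD"
      then
        TMPTGT=FD
      else
        TMPTGT=$TARGET
      fi
      if ! $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --default-item "$TYPE" \
        --menu "Choose type to copy from" $BL $BC $MAXLINES \
        `gen_type_list $TMPTGT` \
        2>$TMPFILE
      then
        rm $TMPFILE ; continue
      fi
      TMP=`cat $TMPFILE`
      # Suggested copy target: a free type number of this target kind,
      # looked up the same way "New Type" does (with the RSBACPATH prefix
      # and the type list, not the role list).
      UNUSED="`unused_type $TMPTGT`"
      if ! $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --menu "Type $TMP: Choose type to copy to" $BL $BC $MAXLINES \
        `gen_type_list $TMPTGT` \
        "$UNUSED" "(unused)" \
        "Enter" "(type-in)" \
        2>$TMPFILE
      then
        rm $TMPFILE ; continue
      fi
      TMP2=`cat $TMPFILE`
      if test "$TMP2" = "Enter"
      then
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --inputbox "Enter type number as copy target" $BL $BC "$UNUSED" \
          2>$TMPFILE
        then
          TMP2=`cat $TMPFILE`
        else
          continue
        fi
      fi
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" --defaultno \
        --yesno "Copy $TMPTGT type $TMP ($(${RSBACPATH}rc_get_item TYPE $TMP $(item_name $TMPTGT))) to $TMP2 ($(${RSBACPATH}rc_get_item TYPE $TMP2 $(item_name $TMPTGT)))?" $BL $BC \
        2>/dev/null
      then
        if $RSBACPATH""rc_copy_type $TMPTGT $TMP $TMP2 &>$TMPFILE
        then
          if test -n "$RSBACLOGFILE"
          then
            echo $RSBACPATH""rc_copy_type $TMPTGT $TMP $TMP2 >>"$RSBACLOGFILE"
          fi
        else
          $DIALOG --title "$ERRTITLE" \
            --backtitle "$BACKTITLE" \
            --textbox $TMPFILE $BL $BC
        fi
      fi
      ;;
    "Copy Rights to Type")
      if test -z "$TARGET"
      then
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "Copy Rights to this Type: target is invalid!" 5 $BC
        continue
      fi
      if test "$TARGET" = "FDSD"
      then
        TMPTGT=FD
      else
        TMPTGT=$TARGET
      fi
      if ! $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --default-item "$TYPE" \
        --menu "Choose type to copy rights from" $BL $BC $MAXLINES \
        `gen_type_list $TMPTGT` \
        2>$TMPFILE
      then
        rm $TMPFILE ; continue
      fi
      TMP=`cat $TMPFILE`
      if ! $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --menu "Type $TMP: Choose type to copy rights to" $BL $BC $MAXLINES \
        `gen_type_list $TMPTGT` \
        2>$TMPFILE
      then
        rm $TMPFILE ; continue
      fi
      TMP2=`cat $TMPFILE`
      # rc_set_item -c copies the rights of type $TMP onto type $TMP2.
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" --defaultno \
        --yesno "Copy rights to $TMPTGT type $TMP ($(${RSBACPATH}rc_get_item TYPE $TMP $(item_name $TMPTGT))) to $TMP2 ($(${RSBACPATH}rc_get_item TYPE $TMP2 $(item_name $TMPTGT)))?" $BL $BC \
        2>/dev/null
      then
        if $RSBACPATH""rc_set_item -c TYPE $TMP2 `item_name $TMPTGT` $TMP &>$TMPFILE
        then
          if test -n "$RSBACLOGFILE"
          then
            echo $RSBACPATH""rc_set_item -c TYPE $TMP2 `item_name $TMPTGT` $TMP >>"$RSBACLOGFILE"
          fi
        else
          $DIALOG --title "$ERRTITLE" \
            --backtitle "$BACKTITLE" \
            --textbox $TMPFILE $BL $BC
        fi
      fi
      ;;
    Quit)
      exit
      ;;
    ---*)
      # Separator entries of the menu above.  Matched by prefix so the
      # pattern cannot drift from the literal dash count (the previous
      # fixed-length literal was shorter than the separators and never
      # matched, so a selected separator fell through to the rename branch).
      $DIALOG --title "$ERRTITLE" \
        --backtitle "$BACKTITLE" \
        --msgbox "Main Menu: Selection Error!" 5 $BC
      ;;
    *)
      # A type number of the current target was selected: rename it, or
      # toggle the secure delete flag for the FDSD view.
      case $TARGET in
        FD)
          rename_type "FD" type_fd_name
          ;;
        FDSD)
          if test "`${RSBACPATH}rc_get_item TYPE $TYPE type_fd_need_secdel`" = "1"
          then
            TMPVAL=0
          else
            TMPVAL=1
          fi
          if $RSBACPATH""rc_set_item TYPE $TYPE type_fd_need_secdel $TMPVAL &>$TMPFILE
          then
            if test -n "$RSBACLOGFILE"
            then
              echo $RSBACPATH""rc_set_item TYPE $TYPE type_fd_need_secdel $TMPVAL >>"$RSBACLOGFILE"
            fi
          else
            $DIALOG --title "$ERRTITLE" \
              --backtitle "$BACKTITLE" \
              --msgbox "`head -n 1 $TMPFILE`" $BL $BC
          fi
          ;;
        DEV)
          rename_type "DEV" type_dev_name
          ;;
        USER)
          rename_type "User" type_user_name
          ;;
        PROCESS)
          rename_type "Process" type_process_name
          ;;
        IPC)
          rename_type "IPC" type_ipc_name
          ;;
        GROUP)
          rename_type "Linux Group" type_group_name
          ;;
        NETDEV)
          rename_type "NETDEV" type_netdev_name
          ;;
        NETTEMP)
          rename_type "NETTEMP" type_nettemp_name
          ;;
        NETOBJ)
          rename_type "NETOBJ" type_netobj_name
          ;;
        SCD)
          $DIALOG --title "$ERRTITLE" \
            --backtitle "$BACKTITLE" \
            --msgbox "Main Menu: target SCD is read only!" 5 $BC
          ;;
        *)
          $DIALOG --title "$ERRTITLE" \
            --backtitle "$BACKTITLE" \
            --msgbox "Main Menu: target is invalid!" 5 $BC
          ;;
      esac
      ;;
  esac
#  sleep 2
done
rsbac-admin-1.4.0/main/tools/src/scripts/rsbac_user_menu0000755000175000017500000016252011131371032023204 0ustar gauvaingauvain
#!/bin/bash
#
# This script is used for Administration of RSBAC general user attributes
#
#
# Make sure we're really running bash.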
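#
# Refuse to run under anything but bash: the script relies on bash-only
# constructs (&>, $((...)), ${var:5}, declare -i).
[ -z "$BASH" ] && { echo "This menu requires bash" 1>&2; exit 1; }

#
# Cache function definitions, turn off posix compliance
#
set -h +o posix

# Set conf filename
RSBACCONF=/etc/rsbac.conf

# Read settings.
# NOTE(review): both files are sourced as shell code and so run with the
# privileges of the administrator using this menu; they must not be
# writable by anyone else.
if test -f "$RSBACCONF"
then
  . "$RSBACCONF"
fi
if test -f ~/.rsbacrc
then
  . ~/.rsbacrc
fi

# Modules whose attributes this menu shows; every listed module gets an
# exported SHOW_<MODULE>=yes that the menu code tests.
if test -z "$RSBACMOD"
then
  RSBACMOD='GEN MAC PM DAZ FF RC AUTH ACL CAP JAIL RES PAX'
fi
for i in $RSBACMOD
do
  export SHOW_${i}=yes
done

# The dir for tmp files
if test -z "$TMPDIR" ; then TMPDIR=/tmp ; fi

# Two unique temporary files: dialog results / generated menu code, and a
# scratch list for submenus.
# NOTE(review): the fallback used when mktemp is unavailable builds a
# predictable PID-based name in a shared directory, and the file is later
# both overwritten with ">" and sourced; on a multi-user system mktemp must
# be present for this to be safe.
if ! TMPFILE=`mktemp -q "$TMPDIR/rsbac_dialog.XXXXXX"`
then
  TMPFILE=$TMPDIR/rsbac_dialog.$$
  if test -e "$TMPFILE"
  then
    rm "$TMPFILE"
  fi
fi
if ! TMPFILETWO=`mktemp -q "$TMPDIR/rsbac_dialog.XXXXXX"`
then
  TMPFILETWO=$TMPDIR/rsbac_dialog.$$.2
  if test -e "$TMPFILETWO"
  then
    rm "$TMPFILETWO"
  fi
fi

# set this to rsbac bin dir, if not in path (trailing / is mandatory!)
#
#if test -z "$RSBACPATH" ; then RSBACPATH=./ ; fi

# set this to initial dir on script startup
LASTDIR='.'

# which dialog tool to use - dialog or kdialog or xdialog...
if test -z "$DIALOG"
then
  DIALOG=${RSBACPATH}dialog
fi
# A bare "exit" here used to return the status of the preceding echo (0);
# a missing or too old dialog is an error, so leave with a non-zero status.
if ! $DIALOG --clear
then
  echo "$DIALOG menu program required!" >&2
  exit 1
fi
if ! $DIALOG --help 2>&1 | grep -q "help-button"
then
  echo "Newer dialog menu version >= 0.9a-20020309a with '--help-button' option" >&2
  echo "required, please use dialog from admin tools contrib dir or set" >&2
  echo "\$DIALOG to another dialog program, e.g. with rsbac_settings_menu!" >&2
  exit 1
fi

# set_geometry [LINES] [COLUMNS]: size the dialog boxes from the terminal.
# Exports LINES/COLUMNS (24x80 when an argument is missing or 0, e.g. when
# stty has no tty) and sets the globals BL, BC and MAXLINES.
set_geometry () {
  BL=${1:-24}
  BC=${2:-80}
  [ "$BL" = 0 ] && BL=24
  [ "$BC" = 0 ] && BC=80
  export LINES=$BL
  export COLUMNS=$BC
  BL=$((BL-4))
  BC=$((BC-5))
  MAXLINES=$((LINES-10))
}
set_geometry `stty size 2>/dev/null`

# gl N: clamp a requested list height N to MAXLINES.
gl () {
  if test $1 -gt $MAXLINES
  then
    echo $MAXLINES
  else
    echo $1
  fi
}

# Re-derive the box sizes from the exported LINES/COLUMNS.  This supersedes
# what set_geometry computed above (BC becomes COLUMNS-4 here rather than
# COLUMNS-5); kept as in the original so the menu layout does not change.
if test -z "$LINES" ; then LINES=25 ; fi
if test -z "$COLUMNS" ; then COLUMNS=80 ; fi
export LINES
export COLUMNS
declare -i BL=$LINES-4
declare -i BC=$COLUMNS-4
declare -i MAXLINES=$LINES-10

if test -z "$BACKTITLE"
then
  BACKTITLE="RSBAC Administration Tools 1.4.0"
fi
TITLE="`whoami`@`hostname`: RSBAC User Administration"
ERRTITLE="RSBAC User Administration - ERROR"
# Pseudo user id offered in the user list as "RES default user".
ALL_USERS=4294967292

# show_help ITEM: show the help text for menu item ITEM in the configured
# language.  Only English exists, so every RSBACLANG value maps to it.
show_help () {
  case "$RSBACLANG" in
    *)
      show_help_english "$1"
      ;;
  esac
}

# show_help_english ITEM: write the English help text for menu item ITEM to
# $TMPFILE and display it in a dialog text box.  For attribute entries the
# description is followed by the output of "attr_get_user -A <attr>", which
# lists the attribute's possible values.
# NOTE(review): HELPTITLE is not set anywhere above; it presumably comes from
# the sourced rc files - confirm.
show_help_english () {
  {
    echo "$1"
    echo ""
    case "$1" in
      User:)
        echo "Enter the user name or id."
        ;;
      Userlist:)
        echo "Choose user from list."
        ;;
      'MAC Security Level:')
        echo "MAC model maximum security level for this user."
        echo ""
        ${RSBACPATH}attr_get_user -A security_level
        ;;
      'MAC Initial Security Level:')
        echo "MAC model initial current security level for this user."
        # The closing quote was missing here in the original, which swallowed
        # the following lines into the string.
        echo "This must always be between min and max values."
        echo ""
        ${RSBACPATH}attr_get_user -A security_level
        ;;
      'MAC Min Security Level:')
        echo "MAC model minimum security level for this user."
        echo ""
        ${RSBACPATH}attr_get_user -A min_security_level
        ;;
      'MAC Categories:')
        echo "MAC model maximum categories for this user."
        echo ""
        ${RSBACPATH}attr_get_user -A mac_categories
        ;;
      'MAC Initial Categories:')
        echo "MAC model initial current categories for this user."
        # Same missing closing quote as above.
        echo "This must always be between min and max values."
        echo ""
        ${RSBACPATH}attr_get_user -A mac_categories
        ;;
      'MAC Min Categories:')
        echo "MAC model minimum categories for this user."
        echo ""
        ${RSBACPATH}attr_get_user -A mac_min_categories
        ;;
      'MAC Role:')
        echo "MAC model system role for this user."
        echo ""
        ${RSBACPATH}attr_get_user -A mac_role
        ;;
      'MAC User Flags:')
        echo "The MAC User flags allow to give a user some special MAC rights,"
        echo "e.g. allow_auto:"
        echo "Allow to inherit the MAC model mac_auto flag from executables for this"
        echo "user's processes. The mac_auto flag makes the current security level"
        echo "and current category set adjust themselves as necessary, but within"
        echo "the valid ranges."
        echo "Please MAC documentation for details."
        echo ""
        ${RSBACPATH}attr_get_user -A mac_user_flags
        ;;
      'DAZ Role:')
        echo "DAZuko model system role for this user."
        echo ""
        ${RSBACPATH}attr_get_user -A daz_role
        ;;
      'FF Role:')
        echo "FF model system role for this user."
        echo ""
        ${RSBACPATH}attr_get_user -A ff_role
        ;;
      'AUTH Role:')
        echo "AUTH model system role for this user."
        echo ""
        ${RSBACPATH}attr_get_user -A auth_role
        ;;
      'PM Role:')
        echo "PM model system role for this user."
        echo ""
        ${RSBACPATH}attr_get_user -A pm_role
        ;;
      'PM Task Set:')
        echo "PM model set ID of allowed tasks for this user. This value is only an"
        echo "index into the PM task_set data structures and thus read-only."
        echo ""
        ${RSBACPATH}attr_get_user -A pm_task_set
        ;;
      'Pseudo:')
        echo "Logging pseudonym for this user. If this value is not 0, it will be used"
        echo "as pseudonym instead of the user id for all request and set_attr logging"
        echo "messages."
        echo ""
        ${RSBACPATH}attr_get_user -A pseudo
        ;;
      'RC Default Role:')
        echo "RC model default role for this user."
        echo ""
        ${RSBACPATH}attr_get_user -A rc_def_role
        ;;
      'RC Type:')
        echo "RC model type for this user as an object."
        echo ""
        ${RSBACPATH}attr_get_user -A rc_type
        ;;
      'CAP Min Caps:')
        echo "Specify a set of Linux capabilities, which will always be set, when a"
        echo "process changes to this user, or when this user executes a program."
        echo "The Max Caps set for the user is ignored, but the Max Caps set of the"
        echo "executed program will be applied."
        echo "Useful to start privileged (root) programs as normal user."
        echo ""
        ${RSBACPATH}attr_get_user -A min_caps
        ;;
      'CAP Max Caps:')
        echo "Specify the maximum set of Linux capabilities, which can be set, when a"
        echo "process changes to this user, or when this user executes a program."
        echo "Useful to limit the privileges of a user running setuid root programs,"
        echo "e.g. the passwd command."
        echo ""
        ${RSBACPATH}attr_get_user -A max_caps
        ;;
      'CAP Role:')
        echo "CAP model system role for this user."
        echo ""
        ${RSBACPATH}attr_get_user -A cap_role
        ;;
      'CAP ld_env:')
        echo "Unset to disallow this user executing program files"
        echo "with LD_ flags set"
        echo ""
        ${RSBACPATH}attr_get_user -A cap_ld_env
        ;;
      'JAIL Role:')
        echo "JAIL model system role for this user."
        echo ""
        ${RSBACPATH}attr_get_user -A jail_role
        ;;
      'RES Role:')
        echo "RES model system role for this user."
        echo ""
        ${RSBACPATH}attr_get_user -A res_role
        ;;
      'RES Min Resources:')
        echo "Set the minimum resource limits for this program when executed."
        echo "Zero values are ignored."
        echo ""
        ${RSBACPATH}attr_get_user -A res_min
        ;;
      'RES Max Resources:')
        echo "Set the maximum resource limits for this program when executed."
        echo "Zero values are ignored."
        echo ""
        ${RSBACPATH}attr_get_user -A res_max
        ;;
      'PAX Role:')
        echo "PAX model system role for this user."
        echo ""
        ${RSBACPATH}attr_get_user -A pax_role
        ;;
      # Individual RES resource names (help for the resource submenus).
      'cpu')
        echo "CPU time limit in milliseconds."
        ;;
      'fsize')
        echo "Size limit for each file."
        ;;
      'data')
        echo "Process data segment size limit in bytes."
        ;;
      'stack')
        echo "Process stack size limit in bytes."
        ;;
      'core')
        echo "Core dump size limit in bytes."
        ;;
      'rss')
        echo "Max resident set size in bytes."
        ;;
      'nproc')
        echo "Maximum number of processes for process owner (global value!)."
        ;;
      'nofile')
        echo "Limit on the number of open files."
        ;;
      'memlock')
        echo "Limit on locked-in-memory address space."
        ;;
      'as')
        echo "Address space (virtual memory) limit."
        ;;
      'locks')
        echo "Limit on number of file locks held (ignored in 2.2 kernels)."
        ;;
      'Log User Based:')
        echo "Specify the request types, which should always be logged, when"
        echo "this user runs a program."
        echo ""
        ${RSBACPATH}attr_get_user -A log_user_based
        ;;
      'ACL Menu:')
        echo "Go to ACL menu."
        ;;
      'Reset Attributes:')
        echo "Call attr_rm_user to get the attribute object for this user object"
        echo "removed. As result, all attribute values will be reset to their"
        echo "default values. Use with care!"
        ;;
      Quit)
        echo "Quit this menu."
        ;;
      *)
        echo "No help for $1 available!"
        ;;
    esac
  } > $TMPFILE
  $DIALOG --title "$HELPTITLE" \
    --backtitle "$BACKTITLE" \
    --textbox $TMPFILE $BL $BC
}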
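# get_attributes USERID: (re)load every displayed attribute of USERID into
# the globals the menu shows.  Only modules enabled via SHOW_<MOD> are
# queried; an empty argument leaves all values untouched.
get_attributes () {
  if test "$1" != ""
  then
    if test "$SHOW_MAC" = "yes"
    then
      SECLEVEL=`${RSBACPATH}attr_get_user $1 security_level`
      ISECLEVEL=`${RSBACPATH}attr_get_user $1 initial_security_level`
      MSECLEVEL=`${RSBACPATH}attr_get_user $1 min_security_level`
      MACCAT=`${RSBACPATH}attr_get_user $1 mac_categories`
      MACICAT=`${RSBACPATH}attr_get_user $1 mac_initial_categories`
      MACMCAT=`${RSBACPATH}attr_get_user $1 mac_min_categories`
      MACROLE=`${RSBACPATH}attr_get_user $1 mac_role`
      MACFLAGS=`${RSBACPATH}attr_get_user $1 mac_user_flags`
    fi
    if test "$SHOW_PM" = "yes"
    then
      PMROLE=`${RSBACPATH}attr_get_user $1 pm_role`
      PMTASKSET=`${RSBACPATH}attr_get_user $1 pm_task_set`
    fi
    if test "$SHOW_DAZ" = "yes"
    then
      DAZROLE=`${RSBACPATH}attr_get_user $1 daz_role`
    fi
    if test "$SHOW_FF" = "yes"
    then
      FFROLE=`${RSBACPATH}attr_get_user $1 ff_role`
    fi
    if test "$SHOW_RC" = "yes"
    then
      RCDEFROLE=`${RSBACPATH}attr_get_user $1 rc_def_role`
      RCTYPE=`${RSBACPATH}attr_get_user $1 rc_type`
    fi
    if test "$SHOW_AUTH" = "yes"
    then
      AUTHROLE=`${RSBACPATH}attr_get_user $1 auth_role`
    fi
    if test "$SHOW_CAP" = "yes"
    then
      MINCAPS=`${RSBACPATH}attr_get_user $1 min_caps`
      MAXCAPS=`${RSBACPATH}attr_get_user $1 max_caps`
      CAPROLE=`${RSBACPATH}attr_get_user $1 cap_role`
      CAPLDENV=`${RSBACPATH}attr_get_user $1 cap_ld_env`
    fi
    if test "$SHOW_JAIL" = "yes"
    then
      JAILROLE=`${RSBACPATH}attr_get_user $1 jail_role`
    fi
    if test "$SHOW_RES" = "yes"
    then
      # -s: the resource limits are fetched in their "short" form.
      RESMIN=`${RSBACPATH}attr_get_user -s $1 res_min`
      RESMAX=`${RSBACPATH}attr_get_user -s $1 res_max`
      RESROLE=`${RSBACPATH}attr_get_user $1 res_role`
    fi
    if test "$SHOW_PAX" = "yes"
    then
      PAXROLE=`${RSBACPATH}attr_get_user $1 pax_role`
    fi
    if test "$SHOW_GEN" = "yes"
    then
      PSEUDO=`${RSBACPATH}attr_get_user $1 pseudo`
      LOGUSER=`${RSBACPATH}attr_get_user $1 log_user_based`
    fi
  fi
}

# onoff A B: print "on" when A equals B, else "off" (radiolist state for
# the entry whose value is A when the current value is B).
onoff () {
  if test "$1" = "$2"
  then
    echo on
  else
    echo off
  fi
}

# onoffb FLAG: print "on" when FLAG is "1", else "off".
onoffb () {
  if test "$1" = "1"
  then
    echo on
  else
    echo off
  fi
}

# get_value_name KIND VALUE: human-readable name of VALUE for the value
# class KIND (onoff, seclevel, sysrole, pmrole).  Prints nothing for an
# unknown value of a known class, and nothing for an unknown class.
get_value_name () {
  case $1 in
    onoff)
      case $2 in
        1) echo On ;;
        *) echo Off ;;
      esac
      ;;
    seclevel)
      case $2 in
        0) echo unclassified ;;
        1) echo confidential ;;
        2) echo secret ;;
        3) echo top secret ;;
        252) echo max. level ;;
      esac
      ;;
    sysrole)
      case $2 in
        0) echo General User ;;
        1) echo Security Officer ;;
        2) echo Administrator ;;
        3) echo Auditor ;;
      esac
      ;;
    pmrole)
      case $2 in
        0) echo General User ;;
        1) echo Security Officer ;;
        2) echo Data Protection Officer ;;
        3) echo TP-Manager ;;
        4) echo System-Administrator ;;
      esac
      ;;
  esac
}

# full_name USERID: the user's full name as reported by attr_get_user, or a
# single space when no user is given (keeps the menu column non-empty).
# The guard now tests the argument actually used rather than the global
# USERID, so the helper is correct for any user id passed in.
full_name () {
  if test -z "$1"
  then
    echo " "
  else
    echo `${RSBACPATH}attr_get_user $1 full_name`
  fi
}

# get_uid USERID: the numeric user id of USERID, or a single space when no
# user is given.
get_uid () {
  if test -z "$1"
  then
    echo " "
  else
    echo `${RSBACPATH}attr_get_user $1 user_nr`
  fi
}

# role_name ROLE: name of RC role ROLE; a single space when no user or no
# role is given, "(unknown)" appended when rc_get_item fails.
role_name () {
  if test -z "$USERID" -o -z "$1"
  then
    echo " "
  else
    if ! ${RSBACPATH}rc_get_item ROLE $1 name
    then
      echo "(unknown)"
    fi
  fi
}

# type_name TYPE: name of RC user type TYPE; a single space when no user or
# no type is given, "(unknown)" appended when rc_get_item fails.
type_name () {
  if test -z "$USERID" -o -z "$1"
  then
    echo " "
  else
    if ! ${RSBACPATH}rc_get_item TYPE $1 type_user_name
    then
      echo "(unknown)"
    fi
  fi
}

# Columns left for a category bit string in a menu row (presumably 38 are
# used by the label and separators - confirm against the menu layout).
declare -i MAXCATLEN=$BC-38

# cat_print BITS: print BITS when at least 64 columns are available for it,
# otherwise the placeholder "(too long)".
cat_print () {
  if test $MAXCATLEN -ge 64
  then
    echo $1
  else
    echo "(too long)"
  fi
}

# _gen_cat_list ATTR CATNR...: checklist rows for category attribute ATTR
# (mac_categories, mac_initial_categories, mac_min_categories) of $USERID:
# "<nr> on on" when the category is set for the user, "<nr> off off" else.
_gen_cat_list () {
  local attr=$1 val
  shift
  for i in $*
  do
    val=`${RSBACPATH}attr_get_user $USERID $attr $i`
    echo $i `onoffb $val` `onoffb $val`
  done
}

# gen_cat_list CATNR...: checklist rows for the user's maximum categories.
gen_cat_list () {
  _gen_cat_list mac_categories "$@"
}

# gen_initial_cat_list CATNR...: checklist rows for the initial categories.
gen_initial_cat_list () {
  _gen_cat_list mac_initial_categories "$@"
}

# gen_min_cat_list CATNR...: checklist rows for the minimum categories.
gen_min_cat_list () {
  _gen_cat_list mac_min_categories "$@"
}

# _gen_member_list SET ITEM...: checklist rows for ITEM..., "on on" when the
# item occurs as a whole word in SET, "off off" otherwise.
_gen_member_list () {
  local members="$1"
  shift
  for i in $*
  do
    if echo $members | grep -q "\\<$i\\>"
    then
      echo $i on on
    else
      echo $i off off
    fi
  done
}

# gen_request_list: checklist rows for all request types, marking those
# currently logged for $USERID (log_user_based).  The list of request
# names is fetched once and cached in REQUESTS.
gen_request_list () {
  if test -z "$REQUESTS"
  then
    REQUESTS=`${RSBACPATH}attr_get_file_dir -n`
  fi
  SETREQUESTS=`${RSBACPATH}attr_get_user -p $USERID log_user_based`
  _gen_member_list "$SETREQUESTS" $REQUESTS
}

# _gen_caps_list ATTR: checklist rows for all Linux capabilities, marking
# those present in capability set ATTR (min_caps or max_caps) of $USERID.
# The list of capability names is fetched once and cached in CAPS.
_gen_caps_list () {
  if test -z "$CAPS"
  then
    CAPS=`${RSBACPATH}attr_get_file_dir -c`
  fi
  SETCAPS=`${RSBACPATH}attr_get_user -p $USERID $1`
  _gen_member_list "$SETCAPS" $CAPS
}

# gen_min_caps_list: checklist rows for the user's min_caps set.
gen_min_caps_list () {
  _gen_caps_list min_caps
}

# gen_max_caps_list: checklist rows for the user's max_caps set.
gen_max_caps_list () {
  _gen_caps_list max_caps
}

# gen_flags_menu_items: checklist rows "<bit> <flag> on|off" for the MAC
# user flag bits present in $MACFLAGS.  Bit 2 is not offered in this menu
# (as in the original).  An unset MACFLAGS now counts as 0 instead of
# producing an arithmetic syntax error.
gen_flags_menu_items () {
  local entry bit name
  for entry in 1:override 4:trusted 8:write_up 16:read_up 32:write_down 64:allow_auto
  do
    bit=${entry%%:*}
    name=${entry#*:}
    if (( MACFLAGS & bit ))
    then
      echo $bit $name on
    else
      echo $bit $name off
    fi
  done
}

# flags_menu: checklist dialog for the MAC user flags of $USERID.  The
# selected bit values are summed and written with attr_set_user; on success
# MACFLAGS is updated and the command is appended to RSBACLOGFILE, on
# failure the tool's first error line is shown.  Cancelling returns without
# changes.
flags_menu () {
  local FLAGS_ON i
  declare -i VAL=0
  if ! $DIALOG --title "$TITLE" \
      --backtitle "$BACKTITLE" \
      --separate-output \
      --checklist "$USERID: MAC User Flags" $BL $BC `gl 9` \
      `gen_flags_menu_items` \
      2>$TMPFILE
  then
    return
  fi
  FLAGS_ON=`cat $TMPFILE`
  for i in $FLAGS_ON
  do
    VAL=$((VAL+i))
  done
  if ${RSBACPATH}attr_set_user $USERID mac_user_flags $VAL &>$TMPFILE
  then
    MACFLAGS=$VAL
    if test -n "$RSBACLOGFILE"
    then
      echo ${RSBACPATH}attr_set_user $USERID mac_user_flags $VAL >>"$RSBACLOGFILE"
    fi
  else
    $DIALOG --title "$ERRTITLE" \
      --backtitle "$BACKTITLE" \
      --msgbox "`head -n 1 $TMPFILE`" $BL $BC
  fi
}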
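# Record the session start in the admin log, if one is configured.
if test -n "$RSBACLOGFILE"
then
  {
    echo ""
    echo "# $0 start `date`"
  } >>"$RSBACLOGFILE"
fi

# Optional first argument: user name or id to start with.  Resolved through
# the RSBAC tool dir like every other call in this script (the original
# invoked a bare attr_get_user and so depended on $PATH).
if test "$1" != ""
then
  USERID=$(${RSBACPATH}attr_get_user "$1" user_name)
  get_attributes $USERID
fi

# Generate the main menu function into $TMPFILE and source it.  The set of
# menu entries depends on which SHOW_<MOD> modules are enabled, so the
# dialog invocation is assembled once here instead of being re-tested on
# every loop iteration.  Text in single quotes is emitted verbatim and is
# expanded only when user_menu runs.
# NOTE(review): this executes whatever is in $TMPFILE; see the remark at
# the mktemp fallback about predictable temp file names.
{
  echo 'user_menu ()'
  echo ' {'
  echo " $DIALOG --title \"$TITLE\" \\"
  echo ' --backtitle "$BACKTITLE" \'
  echo ' --help-button --default-item "$CHOICE" \'
  echo ' --menu "Main User Menu" $BL $BC `gl 32` \'
  echo ' "Userlist:" "Choose user from list" \'
  echo ' "-------------------" " " \'
  echo ' "User:" "$USERID | `get_uid $USERID` | `full_name $USERID`" \'
  if test "$SHOW_MAC" = "yes"
  then
    echo ' "MAC Security Level:" "$SECLEVEL / `get_value_name seclevel $SECLEVEL`" \'
    echo ' "MAC Initial Security Level:" "$ISECLEVEL / `get_value_name seclevel $ISECLEVEL`" \'
    echo ' "MAC Min Security Level:" "$MSECLEVEL / `get_value_name seclevel $MSECLEVEL`" \'
    echo ' "MAC Categories:" "`cat_print $MACCAT`" \'
    echo ' "MAC Initial Categories:" "`cat_print $MACICAT`" \'
    echo ' "MAC Min Categories:" "`cat_print $MACMCAT`" \'
    echo ' "MAC Role:" "$MACROLE / `get_value_name sysrole $MACROLE`" \'
    echo ' "MAC User Flags:" "$MACFLAGS" \'
  fi
  if test "$SHOW_PM" = "yes"
  then
    echo ' "PM Role:" "$PMROLE / `get_value_name pmrole $PMROLE`" \'
    echo ' "PM Task Set:" "$PMTASKSET (read-only)" \'
  fi
  if test "$SHOW_DAZ" = "yes"
  then
    echo ' "DAZ Role:" "$DAZROLE / `get_value_name sysrole $DAZROLE`" \'
  fi
  if test "$SHOW_FF" = "yes"
  then
    echo ' "FF Role:" "$FFROLE / `get_value_name sysrole $FFROLE`" \'
  fi
  if test "$SHOW_RC" = "yes"
  then
    echo ' "RC Default Role:" "$RCDEFROLE / `role_name $RCDEFROLE`" \'
    echo ' "RC Type:" "$RCTYPE / `type_name $RCTYPE`" \'
  fi
  if test "$SHOW_AUTH" = "yes"
  then
    echo ' "AUTH Role:" "$AUTHROLE / `get_value_name sysrole $AUTHROLE`" \'
  fi
  if test "$SHOW_CAP" = "yes"
  then
    echo ' "CAP Min Caps:" "$MINCAPS" \'
    echo ' "CAP Max Caps:" "$MAXCAPS" \'
    echo ' "CAP Role:" "$CAPROLE / `get_value_name sysrole $CAPROLE`" \'
    echo ' "CAP ld_env:" "$CAPLDENV" \'
  fi
  if test "$SHOW_JAIL" = "yes"
  then
    echo ' "JAIL Role:" "$JAILROLE / `get_value_name sysrole $JAILROLE`" \'
  fi
  if test "$SHOW_RES" = "yes"
  then
    echo ' "RES Min Resources:" "$RESMIN" \'
    echo ' "RES Max Resources:" "$RESMAX" \'
    echo ' "RES Role:" "$RESROLE / `get_value_name sysrole $RESROLE`" \'
  fi
  if test "$SHOW_PAX" = "yes"
  then
    echo ' "PAX Role:" "$PAXROLE / `get_value_name sysrole $PAXROLE`" \'
  fi
  if test "$SHOW_GEN" = "yes"
  then
    echo ' "Pseudo:" "$PSEUDO" \'
    echo ' "Log User Based:" "$LOGUSER" \'
  fi
  if test "$SHOW_ACL" = "yes"
  then
    echo ' "----------------" " " \'
    echo ' "ACL Menu:" "Go to ACL menu" \'
  fi
  echo ' "----------------" " " \'
  echo ' "Reset Attributes:" "Reset all values to default values" \'
  echo ' "Quit" ""'
  echo ' }'
} > $TMPFILE
. $TMPFILE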
`get_value_name sysrole $DAZROLE`" \' fi if test "$SHOW_FF" = "yes" then echo ' "FF Role:" "$FFROLE / `get_value_name sysrole $FFROLE`" \' fi if test "$SHOW_RC" = "yes" then echo ' "RC Default Role:" "$RCDEFROLE / `role_name $RCDEFROLE`" \' echo ' "RC Type:" "$RCTYPE / `type_name $RCTYPE`" \' fi if test "$SHOW_AUTH" = "yes" then echo ' "AUTH Role:" "$AUTHROLE / `get_value_name sysrole $AUTHROLE`" \' fi if test "$SHOW_CAP" = "yes" then echo ' "CAP Min Caps:" "$MINCAPS" \' echo ' "CAP Max Caps:" "$MAXCAPS" \' echo ' "CAP Role:" "$CAPROLE / `get_value_name sysrole $CAPROLE`" \' echo ' "CAP ld_env:" "$CAPLDENV" \' fi if test "$SHOW_JAIL" = "yes" then echo ' "JAIL Role:" "$JAILROLE / `get_value_name sysrole $JAILROLE`" \' fi if test "$SHOW_RES" = "yes" then echo ' "RES Min Resources:" "$RESMIN" \' echo ' "RES Max Resources:" "$RESMAX" \' echo ' "RES Role:" "$RESROLE / `get_value_name sysrole $RESROLE`" \' fi if test "$SHOW_PAX" = "yes" then echo ' "PAX Role:" "$PAXROLE / `get_value_name sysrole $PAXROLE`" \' fi if test "$SHOW_GEN" = "yes" then echo ' "Pseudo:" "$PSEUDO" \' echo ' "Log User Based:" "$LOGUSER" \' fi if test "$SHOW_ACL" = "yes" then echo ' "----------------" " " \' echo ' "ACL Menu:" "Go to ACL menu" \' fi echo ' "----------------" " " \' echo ' "Reset Attributes:" "Reset all values to default values" \' echo ' "Quit" ""' echo ' }' } > $TMPFILE . $TMPFILE #cp $TMPFILE /tmp/menu while true do if ! user_menu 2>$TMPFILE then rm $TMPFILE ; exit fi CHOICE="`cat $TMPFILE`" case "$CHOICE" in HELP*) show_help "${CHOICE:5}" CHOICE="${CHOICE:5}" ;; User:) if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Username/ID" $BL $BC $USERID \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_get_user $TMP user_name >$TMPFILE then USERID=`cat $TMPFILE` get_attributes $USERID else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "User: Unknown user $TMP!" 
5 $BC fi fi ;; Userlist:) if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$USERID" \ --menu "Username/ID" $BL $BC $MAXLINES \ "$ALL_USERS" "RES default user" \ `${RSBACPATH}attr_get_user -bl` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_get_user $TMP user_name >$TMPFILE then USERID=`cat $TMPFILE` get_attributes $USERID else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "User: Unknown user $TMP!" 5 $BC fi fi ;; 'MAC Security Level:') if test "$USERID" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Security Level for $USERID" $BL $BC 5 \ 0 unclassified `onoff 0 $SECLEVEL` \ 1 confidential `onoff 1 $SECLEVEL` \ 2 secret `onoff 2 $SECLEVEL` \ 3 "top secret" `onoff 3 $SECLEVEL` \ 252 "max. level" `onoff 252 $SECLEVEL` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_user $USERID security_level $TMP &>$TMPFILE then SECLEVEL=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID security_level $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "MAC Security Level: No user specified!" 5 $BC fi ;; 'MAC Initial Security Level:') if test "$USERID" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Initial Current Security Level for $USERID" $BL $BC 5 \ 0 unclassified `onoff 0 $ISECLEVEL` \ 1 confidential `onoff 1 $ISECLEVEL` \ 2 secret `onoff 2 $ISECLEVEL` \ 3 "top secret" `onoff 3 $ISECLEVEL` \ 252 "max. 
level" `onoff 252 $ISECLEVEL` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_user $USERID initial_security_level $TMP &>$TMPFILE then ISECLEVEL=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID initial_security_level $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "MAC Initial Security Level: No user specified!" 5 $BC fi ;; 'MAC Min Security Level:') if test "$USERID" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Minimum Security Level for $USERID" $BL $BC 5 \ 0 unclassified `onoff 0 $MSECLEVEL` \ 1 confidential `onoff 1 $MSECLEVEL` \ 2 secret `onoff 2 $MSECLEVEL` \ 3 "top secret" `onoff 3 $MSECLEVEL` \ 252 "max. level" `onoff 252 $MSECLEVEL` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_user $USERID min_security_level $TMP &>$TMPFILE then MSECLEVEL=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID min_security_level $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "MAC Min Security Level: No user specified!" 
5 $BC fi ;; 'MAC Categories:') if test "$USERID" != "" then \ ALLCATNR=`$RSBACPATH""attr_get_file_dir list_category_nr` if $DIALOG --title "MAC Categories for user $USERID" \ --backtitle "$BACKTITLE" \ --checklist "Bits: $MACCAT" $BL $BC $MAXLINES \ `gen_cat_list $ALLCATNR` \ 2>$TMPFILE then TMP=`cat $TMPFILE|tr -d '"'` for i in $ALLCATNR do if $RSBACPATH""attr_set_user $USERID mac_categories $i 0 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID mac_categories $i 0 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done for i in $TMP do if $RSBACPATH""attr_set_user $USERID mac_categories $i 1 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID mac_categories $i 1 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done MACCAT=`$RSBACPATH""attr_get_user $USERID mac_categories` fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "MAC Categories: No user specified!" 
5 $BC fi ;; 'MAC Initial Categories:') if test "$USERID" != "" then \ ALLCATNR=`$RSBACPATH""attr_get_file_dir list_category_nr` if $DIALOG --title "MAC Initial Current Categories for user $USERID" \ --backtitle "$BACKTITLE" \ --checklist "Bits: $MACICAT" $BL $BC $MAXLINES \ `gen_initial_cat_list $ALLCATNR` \ 2>$TMPFILE then TMP=`cat $TMPFILE|tr -d '"'` for i in $ALLCATNR do if $RSBACPATH""attr_set_user $USERID mac_initial_categories $i 0 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID mac_initial_categories $i 0 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done for i in $TMP do if $RSBACPATH""attr_set_user $USERID mac_initial_categories $i 1 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID mac_initial_categories $i 1 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done MACICAT=`$RSBACPATH""attr_get_user $USERID mac_initial_categories` fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "MAC Initial Categories: No user specified!" 
5 $BC fi ;; 'MAC Min Categories:') if test "$USERID" != "" then \ ALLCATNR=`$RSBACPATH""attr_get_file_dir list_category_nr` if $DIALOG --title "MAC Min Categories for user $USERID" \ --backtitle "$BACKTITLE" \ --checklist "Bits: $MACMCAT" $BL $BC $MAXLINES \ `gen_min_cat_list $ALLCATNR` \ 2>$TMPFILE then TMP=`cat $TMPFILE|tr -d '"'` for i in $ALLCATNR do if $RSBACPATH""attr_set_user $USERID mac_min_categories $i 0 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID mac_min_categories $i 0 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done for i in $TMP do if $RSBACPATH""attr_set_user $USERID mac_min_categories $i 1 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID mac_min_categories $i 1 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done MACMCAT=`$RSBACPATH""attr_get_user $USERID mac_min_categories` fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "MAC Min Categories: No user specified!" 5 $BC fi ;; 'MAC Role:') if test "$USERID" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose MAC Role for $USERID" $BL $BC 4 \ 0 "General User" `onoff 0 $MACROLE` \ 1 "Security Officer" `onoff 1 $MACROLE` \ 2 "Administrator" `onoff 2 $MACROLE` \ 3 "Auditor" `onoff 3 $MACROLE` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_user $USERID mac_role $TMP &>$TMPFILE then MACROLE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID mac_role $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "MAC Role: No user specified!" 
5 $BC fi ;; 'MAC User Flags:') if test "$USERID" != "" then flags_menu else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "MAC User Flags: No user specified!" 5 $BC fi ;; 'DAZ Role:') if test "$USERID" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose DAZ Role for $USERID" $BL $BC 4 \ 0 "General User" `onoff 0 $DAZROLE` \ 1 "Security Officer" `onoff 1 $DAZROLE` \ 2 "Administrator" `onoff 2 $DAZROLE` \ 3 "Auditor" `onoff 3 $DAZROLE` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_user $USERID daz_role $TMP &>$TMPFILE then DAZROLE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID daz_role $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "DAZ Role: No user specified!" 5 $BC fi ;; 'FF Role:') if test "$USERID" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose FF Role for $USERID" $BL $BC 4 \ 0 "General User" `onoff 0 $FFROLE` \ 1 "Security Officer" `onoff 1 $FFROLE` \ 2 "Administrator" `onoff 2 $FFROLE` \ 3 "Auditor" `onoff 3 $FFROLE` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_user $USERID ff_role $TMP &>$TMPFILE then FFROLE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID ff_role $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "FF Role: No user specified!" 
5 $BC fi ;; 'AUTH Role:') if test "$USERID" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose AUTH Role for $USERID" $BL $BC 4 \ 0 "General User" `onoff 0 $AUTHROLE` \ 1 "Security Officer" `onoff 1 $AUTHROLE` \ 2 "Administrator" `onoff 2 $AUTHROLE` \ 3 "Auditor" `onoff 3 $AUTHROLE` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_user $USERID auth_role $TMP &>$TMPFILE then AUTHROLE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID auth_role $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "AUTH Role: No user specified!" 5 $BC fi ;; 'PM Role:') if test "$USERID" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose PM-Role for $USERID" $BL $BC 5 \ 0 "General User" `onoff 0 $PMROLE` \ 1 "Security Officer" `onoff 1 $PMROLE` \ 2 "Data Protection Officer" `onoff 2 $PMROLE` \ 3 "TP-Manager" `onoff 3 $PMROLE` \ 4 "System Administrator" `onoff 4 $PMROLE` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_user $USERID pm_role $TMP &>$TMPFILE then PMROLE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID pm_role $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "PM-Role: No user specified!" 
5 $BC fi ;; 'Pseudo:') if test "$USERID" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Pseudonym (long integer) for $USERID" $BL $BC "$PSEUDO" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_user $USERID pseudo $TMP &>$TMPFILE then PSEUDO=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID pseudo $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Pseudo: No user specified!" 5 $BC fi ;; 'RC Default Role:') if test "$USERID" != "" then \ if $RSBACPATH""rc_get_item list_roles >$TMPFILETWO then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$RCDEFROLE" \ --menu "Choose RC Default Role for $USERID" $BL $BC $MAXLINES \ `cat $TMPFILETWO` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_user $USERID rc_def_role $TMP &>$TMPFILE then RCDEFROLE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID rc_def_role $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi rm $TMPFILETWO else \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "RC Default Role for user $USERID" $BL $BC "$RCDEFROLE" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_user $USERID rc_def_role $TMP &>$TMPFILE then RCDEFROLE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID rc_def_role $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "RC Default Role: No user specified!" 
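5 $BC
    fi
    ;;
  # RC model: rc_type attribute.  The type is picked from the list that
  # rc_get_item produces when that call succeeds, typed in by hand otherwise.
  'RC Type:')
    if test "$USERID" != ""
    then
      if $RSBACPATH""rc_get_item list_user_types >$TMPFILETWO
      then
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --default-item "$RCTYPE" \
          --menu "Choose RC Type for user $USERID" $BL $BC $MAXLINES \
          `cat $TMPFILETWO` \
          2>$TMPFILE
        then
          TMP=`cat $TMPFILE`
          if $RSBACPATH""attr_set_user $USERID rc_type $TMP &>$TMPFILE
          then
            RCTYPE=$TMP
            if test -n "$RSBACLOGFILE"
            then
              echo $RSBACPATH""attr_set_user $USERID rc_type $TMP >>"$RSBACLOGFILE"
            fi
          else
            $DIALOG --title "$ERRTITLE" \
              --backtitle "$BACKTITLE" \
              --msgbox "`head -n 1 $TMPFILE`" $BL $BC
          fi
        fi
        rm $TMPFILETWO
      else
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --inputbox "RC Type for $USERID" $BL $BC "$RCTYPE" \
          2>$TMPFILE
        then
          TMP=`cat $TMPFILE`
          if $RSBACPATH""attr_set_user $USERID rc_type $TMP &>$TMPFILE
          then
            RCTYPE=$TMP
            if test -n "$RSBACLOGFILE"
            then
              echo $RSBACPATH""attr_set_user $USERID rc_type $TMP >>"$RSBACLOGFILE"
            fi
          else
            $DIALOG --title "$ERRTITLE" \
              --backtitle "$BACKTITLE" \
              --msgbox "`head -n 1 $TMPFILE`" $BL $BC
          fi
        fi
      fi
    else
      $DIALOG --title "$ERRTITLE" \
        --backtitle "$BACKTITLE" \
        --msgbox "RC Type: No user specified!" 5 $BC
    fi
    ;;
  # CAP model: min_caps attribute.  The guard tests $USERID, the user chosen
  # in this menu, like every other branch does.  The old test on $USER (the
  # login name, practically always set) never produced the "No user
  # specified!" error and would have called attr_set_user with no user id.
  'CAP Min Caps:')
    if test -n "$USERID"
    then
      if $DIALOG --title "CAP min_caps for $USERID" \
        --backtitle "$BACKTITLE" \
        --checklist "Bits: $MINCAPS" $BL $BC $MAXLINES \
        `gen_min_caps_list` \
        '--------------' '-----------------' off \
        UA 'Unset ALL' off \
        A 'Set ALL' off \
        FS_MASK 'Set Filesystem Caps' off \
        2>$TMPFILE
      then
        # strip any double quotes from dialog's output before passing
        # the tag list on
        TMP=`cat $TMPFILE|tr -d '"'`
        if $RSBACPATH""attr_set_user $USERID min_caps $TMP &>$TMPFILE
        then
          # re-read the stored value rather than trusting the selection
          MINCAPS=`$RSBACPATH""attr_get_user $USERID min_caps`
          if test -n "$RSBACLOGFILE"
          then
            echo $RSBACPATH""attr_set_user $USERID min_caps $TMP >>"$RSBACLOGFILE"
          fi
        else
          $DIALOG --title "$ERRTITLE" \
            --backtitle "$BACKTITLE" \
            --msgbox "`head -n 1 $TMPFILE`" $BL $BC
        fi
      fi
    else
      $DIALOG --title "$ERRTITLE" \
        --backtitle "$BACKTITLE" \
        --msgbox "CAP Min Caps: No user specified!" \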
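5 $BC
    fi
    ;;
  # CAP model: max_caps attribute.  The guard tests $USERID, the user chosen
  # in this menu, like every other branch does.  The old test on $USER (the
  # login name, practically always set) never produced the "No user
  # specified!" error and would have called attr_set_user with no user id.
  'CAP Max Caps:')
    if test -n "$USERID"
    then
      if $DIALOG --title "CAP max_caps for $USERID" \
        --backtitle "$BACKTITLE" \
        --checklist "Bits: $MAXCAPS" $BL $BC $MAXLINES \
        `gen_max_caps_list` \
        '--------------' '-----------------' off \
        UA 'Unset ALL' off \
        A 'Set ALL' off \
        FS_MASK 'Set Filesystem Caps' off \
        2>$TMPFILE
      then
        # strip any double quotes from dialog's output before passing
        # the tag list on
        TMP=`cat $TMPFILE|tr -d '"'`
        if $RSBACPATH""attr_set_user $USERID max_caps $TMP &>$TMPFILE
        then
          # re-read the stored value rather than trusting the selection
          MAXCAPS=`$RSBACPATH""attr_get_user $USERID max_caps`
          if test -n "$RSBACLOGFILE"
          then
            echo $RSBACPATH""attr_set_user $USERID max_caps $TMP >>"$RSBACLOGFILE"
          fi
        else
          $DIALOG --title "$ERRTITLE" \
            --backtitle "$BACKTITLE" \
            --msgbox "`head -n 1 $TMPFILE`" $BL $BC
        fi
      fi
    else
      $DIALOG --title "$ERRTITLE" \
        --backtitle "$BACKTITLE" \
        --msgbox "CAP Max Caps: No user specified!" 5 $BC
    fi
    ;;
  # CAP model: cap_role attribute (General User / Security Officer /
  # Administrator / Auditor).
  'CAP Role:')
    if test "$USERID" != ""
    then
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --radiolist "Choose CAP Role for $USERID" $BL $BC 4 \
        0 "General User" `onoff 0 $CAPROLE` \
        1 "Security Officer" `onoff 1 $CAPROLE` \
        2 "Administrator" `onoff 2 $CAPROLE` \
        3 "Auditor" `onoff 3 $CAPROLE` \
        2>$TMPFILE
      then
        TMP=`cat $TMPFILE`
        if $RSBACPATH""attr_set_user $USERID cap_role $TMP &>$TMPFILE
        then
          CAPROLE=$TMP
          if test -n "$RSBACLOGFILE"
          then
            echo $RSBACPATH""attr_set_user $USERID cap_role $TMP >>"$RSBACLOGFILE"
          fi
        else
          $DIALOG --title "$ERRTITLE" \
            --backtitle "$BACKTITLE" \
            --msgbox "`head -n 1 $TMPFILE`" $BL $BC
        fi
      fi
    else
      $DIALOG --title "$ERRTITLE" \
        --backtitle "$BACKTITLE" \
        --msgbox "CAP Role: No user specified!" \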
5 $BC fi ;; 'CAP ld_env:') if test "$USERID" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose CAP LD Env for $USERID" $BL $BC 3 \ 0 "deny" `onoff 0 $CAPLDENV` \ 1 "allow" `onoff 1 $CAPLDENV` \ 2 "keep" `onoff 2 $CAPLDENV` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_user $USERID cap_ld_env $TMP &>$TMPFILE then CAPLDENV=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID cap_ld_env $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "CAP ld_env: No user specified!" 5 $BC fi ;; 'JAIL Role:') if test "$USERID" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose JAIL Role for $USERID" $BL $BC 3 \ 0 "General User" `onoff 0 $JAILROLE` \ 1 "Security Officer" `onoff 1 $JAILROLE` \ 2 "Administrator" `onoff 2 $JAILROLE` \ 3 "Auditor" `onoff 3 $JAILROLE` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_user $USERID jail_role $TMP &>$TMPFILE then JAILROLE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID jail_role $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "JAIL Role: No user specified!" 
5 $BC fi ;; 'RES Min Resources:') if test -n "$USERID" then while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --help-button --default-item "$RESSEL" \ --menu "RES Minimum Resources for User $USERID" $BL $BC $MAXLINES \ `$RSBACPATH""attr_get_user "$USERID" res_min` \ 2>$TMPFILE do RESSEL=`cat $TMPFILE` case "$RESSEL" in HELP*) show_help "${RESSEL:5}" RESSEL="${RESSEL:5}" ;; *) if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Minimum $RESSEL resource limit for $USERID (0 = unset)" \ $BL $BC "`$RSBACPATH""attr_get_user "$USERID" res_min $RESSEL`" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_user $USERID res_min $RESSEL $TMP &>$TMPFILE then RESMIN=`$RSBACPATH""attr_get_user -s $USERID res_min` if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID res_min $RESSEL $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi ;; esac done else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "RES Min Resources: No user specified!" 
5 $BC fi ;; 'RES Max Resources:') if test -n "$USERID" then while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --help-button --default-item "$RESSEL" \ --menu "RES Maximum Resources for User $USERID" $BL $BC $MAXLINES \ `$RSBACPATH""attr_get_user "$USERID" res_max` \ 2>$TMPFILE do RESSEL=`cat $TMPFILE` case "$RESSEL" in HELP*) show_help "${RESSEL:5}" RESSEL="${RESSEL:5}" ;; *) if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Maximum $RESSEL resource limit for $USERID (0 = unset)" \ $BL $BC "`$RSBACPATH""attr_get_user "$USERID" res_max $RESSEL`" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_user $USERID res_max $RESSEL $TMP &>$TMPFILE then RESMAX=`$RSBACPATH""attr_get_user -s $USERID res_max` if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID res_max $RESSEL $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi ;; esac done else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "RES Max Resources: No user specified!" 5 $BC fi ;; 'RES Role:') if test "$USERID" != "" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose RES Role for $USERID" $BL $BC 3 \ 0 "General User" `onoff 0 $RESROLE` \ 1 "Security Officer" `onoff 1 $RESROLE` \ 2 "Administrator" `onoff 2 $RESROLE` \ 3 "Auditor" `onoff 3 $RESROLE` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_user $USERID res_role $TMP &>$TMPFILE then RESROLE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_user $USERID res_role $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "RES Role: No user specified!" 
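5 $BC
    fi
    ;;
  # PAX model: pax_role attribute.  The radiolist height is 4 so that all
  # four entries are visible, as in the AUTH and CAP role lists.
  'PAX Role:')
    if test "$USERID" != ""
    then
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --radiolist "Choose PAX Role for $USERID" $BL $BC 4 \
        0 "General User" `onoff 0 $PAXROLE` \
        1 "Security Officer" `onoff 1 $PAXROLE` \
        2 "Administrator" `onoff 2 $PAXROLE` \
        3 "Auditor" `onoff 3 $PAXROLE` \
        2>$TMPFILE
      then
        TMP=`cat $TMPFILE`
        if $RSBACPATH""attr_set_user $USERID pax_role $TMP &>$TMPFILE
        then
          PAXROLE=$TMP
          if test -n "$RSBACLOGFILE"
          then
            echo $RSBACPATH""attr_set_user $USERID pax_role $TMP >>"$RSBACLOGFILE"
          fi
        else
          $DIALOG --title "$ERRTITLE" \
            --backtitle "$BACKTITLE" \
            --msgbox "`head -n 1 $TMPFILE`" $BL $BC
        fi
      fi
    else
      $DIALOG --title "$ERRTITLE" \
        --backtitle "$BACKTITLE" \
        --msgbox "PAX Role: No user specified!" 5 $BC
    fi
    ;;
  # log_user_based attribute (checklist built by gen_request_list).  The
  # guard tests $USERID, the user chosen in this menu, like every other
  # branch does.  The old test on $USER (the login name, practically always
  # set) never produced the "No user specified!" error and would have
  # called attr_set_user with no user id.
  'Log User Based:')
    if test -n "$USERID"
    then
      if $DIALOG --title "log_user_based for $USERID" \
        --backtitle "$BACKTITLE" \
        --checklist "Bits: $LOGUSER" $BL $BC $MAXLINES \
        `gen_request_list` \
        '--------------' '-----------------' off \
        UA 'Unset ALL' off \
        A 'Set ALL' off \
        R 'Set Read Requests' off \
        RW 'Set Read-Write R.' off \
        W 'Set Write Requests' off \
        SY 'Set System R.' off \
        SE 'Set Security R.' off \
        2>$TMPFILE
      then
        # strip any double quotes from dialog's output before passing
        # the tag list on
        TMP=`cat $TMPFILE|tr -d '"'`
        if $RSBACPATH""attr_set_user $USERID log_user_based $TMP &>$TMPFILE
        then
          # re-read the stored value rather than trusting the selection
          LOGUSER=`$RSBACPATH""attr_get_user $USERID log_user_based`
          if test -n "$RSBACLOGFILE"
          then
            echo $RSBACPATH""attr_set_user $USERID log_user_based $TMP >>"$RSBACLOGFILE"
          fi
        else
          $DIALOG --title "$ERRTITLE" \
            --backtitle "$BACKTITLE" \
            --msgbox "`head -n 1 $TMPFILE`" $BL $BC
        fi
      fi
    else
      $DIALOG --title "$ERRTITLE" \
        --backtitle "$BACKTITLE" \
        --msgbox "Log User Based: No user specified!" 5 $BC
    fi
    ;;
  # Hand over to the ACL menu for USER targets.
  'ACL Menu:')
    $RSBACPATH""rsbac_acl_menu USER
    ;;
  # Remove the user's attribute record so all values revert to defaults.
  # attr_rm_user below needs a user id and the error text already says so,
  # hence the guard also requires $USERID to be set (the $TYPE test is kept
  # as it was; whether this menu sets TYPE at all is not visible here).
  'Reset Attributes:')
    if test "$TYPE" != "NONE" -a -n "$USERID"
    then
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --yesno "Reset all attributes to default values?" \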
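5 $BC \
        2>/dev/null
      then
        if $RSBACPATH""attr_rm_user $USERID &>$TMPFILE
        then
          # reload the cached attribute values shown in the menu
          get_attributes $USERID
        else
          $DIALOG --title "$ERRTITLE" \
            --backtitle "$BACKTITLE" \
            --msgbox "`head -n 1 $TMPFILE`" $BL $BC
        fi
      fi
    else
      $DIALOG --title "$ERRTITLE" \
        --backtitle "$BACKTITLE" \
        --msgbox "Reset Attributes: No user specified!" 5 $BC
    fi
    ;;
  Quit)
    rm $TMPFILE ; rm $TMPFILETWO ; exit
    ;;
  *)
    $DIALOG --title "$ERRTITLE" \
      --backtitle "$BACKTITLE" \
      --msgbox "Main Menu: Selection Error!" 5 $BC
  esac
  # sleep 2
done
rsbac-admin-1.4.0/main/tools/src/scripts/user_aci.sh0000644000175000017500000000052511131371032022224 0ustar gauvaingauvain
#!/bin/sh
#
# Initial RSBAC user attribute settings for the standard administrative
# accounts (root, bin, secoff, dataprot, tpmanager).
#
attr_set_user root security_level 3
attr_set_user root system_role 2
attr_set_user root pm_role 4
attr_set_user root rc_def_role 2
attr_set_user bin system_role 2
attr_set_user secoff system_role 1
attr_set_user secoff pm_role 1
attr_set_user secoff rc_def_role 1
attr_set_user dataprot pm_role 2
attr_set_user tpmanager pm_role 3
rsbac-admin-1.4.0/main/tools/src/scripts/rsbac_menu0000755000175000017500000005207111131371032022145 0ustar gauvaingauvain
#!/bin/bash
#
# This script is used for Administration of RSBAC general attributes
#
#
# Make sure we're really running bash.
#
[ -z "$BASH" ] && { echo "This menu requires bash - sorry!" 1>&2; exit 1; }
#
# We also need the proc fs mounted.
[ ! -f /proc/stat ] && { echo "This menu requires proc fs mounted" 1>&2; exit 1; }
#
# Cache function definitions, turn off posix compliance
#
set -h +o posix

# The dir for tmp files
if test -z "$TMPDIR" ; then TMPDIR=/tmp ; fi

# This must be a unique temporary filename.  The main_menu function
# generated further down is written to this file and then sourced with
# '.', so nobody else may be able to write it.  mktemp creates it with
# mode 0600; the fallback uses a predictable name, so it creates the file
# itself with the same mode (as rsbac_netdev_menu does) instead of leaving
# it to the first redirection under the caller's umask.  The rm/touch pair
# is still not atomic; mktemp is the safe path.
if ! TMPFILE=`mktemp -q $TMPDIR/rsbac_dialog.XXXXXX`
then
  TMPFILE=$TMPDIR/rsbac_dialog.$$
  if test -e $TMPFILE
  then
    rm $TMPFILE
  fi
  touch $TMPFILE
  chmod 600 $TMPFILE
fi

# Set conf filename
RSBACCONF=/etc/rsbac.conf

# Read settings
if test -f $RSBACCONF
then
  . $RSBACCONF
fi
if test -f ~/.rsbacrc
then
  . \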
~/.rsbacrc fi if test -z "$RSBACMOD" then RSBACMOD='GEN MAC PM DAZ FF RC AUTH ACL CAP JAIL RES PAX' fi for i in $RSBACMOD do export SHOW_${i}=yes done # set this to rsbac bin dir, if not in path (trailing / is mandatory!) # #if test -z "$RSBACPATH" ; then RSBACPATH=./ ; fi # which dialog tool to use - dialog or kdialog or xdialog... if test -z $DIALOG then DIALOG=${RSBACPATH}dialog fi if ! $DIALOG --clear then echo $DIALOG menu program required! >&2 exit fi if ! $DIALOG --help 2>&1 | grep -q "help-button" then echo "Newer dialog menu version >= 0.9a-20020309a with '--help-button' option" >&2 echo "required, please use dialog from admin tools contrib dir or set" >&2 echo "\$DIALOG to another dialog program, e.g. with rsbac_settings_menu!" >&2 exit fi # test for LINES and COLUMNS (should be exported e.g. in /etc/profile) set_geometry () { BL=${1:-24} BC=${2:-80} [ $BL = 0 ] && BL=24 [ $BC = 0 ] && BC=80 export LINES=$BL export COLUMNS=$BC BL=$((BL-4)) BC=$((BC-5)) MAXLINES=$((LINES-10)) } set_geometry `stty size 2>/dev/null` gl () { if test $1 -gt $MAXLINES then echo $MAXLINES else echo $1 fi } export BACKTITLE="RSBAC Administration Tools 1.4.0" TITLE="`whoami`@`hostname`: RSBAC Administration" HELPTITLE="`whoami`@`hostname`: RSBAC Administration Help" ERRTITLE="RSBAC Administration - ERROR" show_help () { case "$RSBACLANG" in DE) show_help_german "$1" ;; *) show_help_english "$1" ;; esac } show_help_english () { { echo "$1" echo "" case "$1" in 'User Attributes:') echo "Set all user object related attributes." ;; 'Group Attributes:') echo "Set all Linux group object related attributes." ;; 'File/Dir Attributes:') echo "Set all filesystem object related attributes." ;; 'Block/Char Device Attributes:') echo "Set all device object related attributes." ;; 'Process Attributes:') echo "Set all process object related attributes." ;; 'Network Device Attributes:') echo "Go to Network Device attribute menu." 
;; 'Network Template Definition:') echo "Go to Network Template Definition menu." ;; 'Network Template Attributes:') echo "Go to Network Template attribute menu." ;; 'RC Roles:') echo "RC model role administration." ;; 'RC Types:') echo "RC model type administration." ;; 'ACL Management:') echo "ACL model ACL administration for all target types." ;; 'ACL Group Management:') echo "ACL model group administration." ;; 'Settings:') echo "Change RSBAC menu settings, e.g. selection of models." ;; 'Logging:') echo "Setup general logging for all request and target types." ;; 'Switch Modules:') echo "Switch decision modules on or off, requires kernel config setting" echo "and sufficient privileges." ;; 'Switch Softmode:') echo "Switch softmode globally or for single decision modules on or off," echo "requires kernel config setting and sufficient privileges." ;; 'Check Status:') echo "Call rsbac_check 1 1 to check internal status. Results are shown " echo "in the system log." ;; 'Show Status') echo "Display /proc/rsbac-info/stats with status information." ;; 'Show PM Status') echo "Display /proc/rsbac-info/stats_pm with PM model status information." ;; 'Show RC Status') echo "Display /proc/rsbac-info/stats_rc with RC model status information." ;; 'Show ACL Lists') echo "Display /proc/rsbac-info/acl_acllist with a listing of all ACL" echo "model ACLs." ;; 'Show ACL Groups') echo "Display /proc/rsbac-info/acl_grouplist with a listing of all ACL groups." ;; 'Show eXtended Status') echo "Display /proc/rsbac-info/xstats with extended statistics." ;; 'Bash Shell') echo "Provide a bash shell." ;; Quit) echo "Quit this menu." ;; *) echo "No help for $1 available!" esac } > $TMPFILE $DIALOG --title "$HELPTITLE" \ --backtitle "$BACKTITLE" \ --textbox $TMPFILE $BL $BC # sleep 1 } show_help_german () { { echo "$1" echo "" case "$1" in 'User Attributes:') echo "Setzen aller Benutzer-Attribute." ;; 'Group Attributes:') echo "Setzen aller Gruppen-Attribute." 
;; 'File/Dir Attributes:') echo "Setzen aller Dateisystem-Objekt-Attribute." ;; 'Block/Char Device Attributes:') echo "Setzen aller Device-Objekt-Attribute." ;; 'Process Attributes:') echo "Setzen aller Prozeß-Attribute." ;; 'Network Device Attributes:') echo "Setzen aller Netzwerk-Device-Attribute." ;; 'Network Template Definition:') echo "Definition von Netzwerk-Templates." ;; 'Network Template Attributes:') echo "Setzen aller Netzwerk-Template-Attribute." ;; 'RC Roles:') echo "Administration der RC-Modell-Rollen." ;; 'RC Types:') echo "Administration der RC-Modell-Typen." ;; 'ACL Management:') echo "ACL-Administration für alle Ziel-Typen." ;; 'ACL Group Management:') echo "ACL-Gruppen-Verwaltung." ;; 'Settings:') echo "RSBAC-Einstellungen setzen und speichern." ;; 'Logging:') echo "Generelle Logging-Einstellungen." ;; 'Switch Modules:') echo "Entscheidungs-Module an- oder abschalten, erfordert Aktivierung" echo "in der Kern-Konfiguration und ausreichende Privilegien." ;; 'Switch Softmode:') echo "Softmode global oder für einzelne Module an- oder abschalten," echo "erfordert Aktivierung in der Kern-Konfiguration und ausreichende" echo "Privilegien." ;; 'Check Status:') echo "Aufruf von rsbac_check 1 1 zur internen Status-Prüfung." echo "Ergebnisse erscheinen im System-Log." ;; 'Show Status') echo "Ausgabe von /proc/rsbac-info/stats mit Status-Informationen." ;; 'Show PM Status') echo "Ausgabe von /proc/rsbac-info/stats_pm mit PM-Status-Informationen." ;; 'Show RC Status') echo "Ausgabe von /proc/rsbac-info/stats_rc mit RC-Status-Informationen." ;; 'Show ACL Lists') echo "Ausgabe von /proc/rsbac-info/acl_acllist mit einer Liste aller" echo "ACL-Einträge der ACL-Modells." ;; 'Show ACL Groups') echo "Ausgabe von /proc/rsbac-info/acl_grouplist mit einer Liste aller" echo "ACL-Gruppen." ;; 'Show eXtended Status') echo "Ausgabe von /proc/rsbac-info/xstats mit erweiterter Statistik." ;; 'Bash Shell') echo "Aufruf einer bash-Kommandozeile." 
;; Quit) echo "Beende dieses Menü." ;; *) echo "Keine Hilfe für $1 verfügbar!" esac } > $TMPFILE $DIALOG --title "$HELPTITLE" \ --backtitle "$BACKTITLE" \ --textbox $TMPFILE $BL $BC # sleep 1 } get_llname () { case $1 in 0) echo None ;; 1) echo Denied ;; 2) echo Full ;; *) echo N/A ;; esac } gen_log_menu_items() { echo -n "" >${TMPFILE}.2 for i in $REQUESTS do TMP=`$RSBACPATH""switch_adf_log -gs $i` echo $i $TMP>>${TMPFILE}.2 done } gen_log_menu_subitems() { echo -n "" >${TMPFILE}.2 for i in $TARGETS do TMP=`$RSBACPATH""switch_adf_log -gs $1 $i` echo $i `get_llname $TMP`>>${TMPFILE}.2 done } onoff () { if test "$1" = "$2" then echo on else echo off fi } log_menu () { if test -z "$REQUESTS" then REQUESTS=`$RSBACPATH""switch_adf_log -n` fi if test -z "$TARGETS" then TARGETS=`$RSBACPATH""switch_adf_log -t` fi while true do gen_log_menu_items if ! \ $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$REQ" \ --menu "Log Levels for Requests" $BL $BC `gl 45` \ `cat ${TMPFILE}.2` \ "Quit" "" \ 2>$TMPFILE then rm ${TMPFILE}.2 return fi REQ=`cat $TMPFILE` case "$REQ" in Quit) rm ${TMPFILE}.2 return ;; *) while true do gen_log_menu_subitems $REQ if ! 
\ $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$TARGET" \ --menu "Log Levels for Requests: Choose Target Type" $BL $BC `gl 15` \ "ALL" "" \ `cat ${TMPFILE}.2` \ 2>$TMPFILE then rm ${TMPFILE}.2 break fi TARGET=`cat ${TMPFILE}` if test "$TARGET" = "ALL" then VAL= else VAL=`${RSBACPATH}switch_adf_log -gs $REQ $TARGET` fi if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Log Level for $REQ / $TARGET" $BL $BC 3 \ 0 `get_llname 0` `onoff 0 $VAL` \ 1 `get_llname 1` `onoff 1 $VAL` \ 2 `get_llname 2` `onoff 2 $VAL` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if test "$TARGET" = "ALL" then if $RSBACPATH""switch_adf_log $REQ $TMP &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""switch_adf_log $REQ $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi else if $RSBACPATH""switch_adf_log $REQ $TARGET $TMP &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""switch_adf_log $REQ $TARGET $TMP >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi fi done esac done } { echo 'main_menu ()' echo ' {' echo " $DIALOG --title \"$TITLE\" \\" echo ' --backtitle "$BACKTITLE" \' echo ' --help-button --default-item "$CHOICE" \' echo ' --menu "Main FD Menu" $BL $BC `gl 29` \' echo ' "User Attributes:" "Go to user attribute menu" \' echo ' "Group Attributes:" "Go to Linux group attribute menu" \' echo ' "File/Dir Attributes:" "Go to file/dir attribute menu" \' echo ' "Block/Char Device Attributes:" "Go to dev attribute menu" \' echo ' "Process Attributes:" "Go to process attribute menu" \' echo ' "Network Device Attributes:" "Go to Network Device attribute menu" \' echo ' "Network Template Definition:" "Go to Network Template Definition menu" \' echo ' "Network Template Attributes:" "Go to Network Template attribute menu" \' if test "$SHOW_RC" = "yes" then echo ' "RC Roles:" 
"Go to RC role menu" \' echo ' "RC Types:" "Go to RC type menu" \' fi if test "$SHOW_ACL" = "yes" then echo ' "ACL Management:" "Go to ACL menu" \' echo ' "ACL Group Management:" "Go to ACL group menu" \' fi echo ' "---------------" "" \' echo ' "Settings:" "RSBAC menu settings" \' echo ' "Logging:" "Setup general logging" \' echo ' "Switch Modules:" "Switch modules on or off" \' echo ' "Switch Softmode:" "Switch global or module softmode" \' echo ' "---------------" "" \' echo ' "Check Status:" "rsbac_check 1 1" \' echo ' "Show Status" "" \' if test "$SHOW_PM" = "yes" then echo ' "Show PM Status" "" \' fi if test "$SHOW_RC" = "yes" then echo ' "Show RC Status" "" \' fi if test "$SHOW_ACL" = "yes" then echo ' "Show ACL Lists" "" \' echo ' "Show ACL Groups" "" \' fi echo ' "Show eXtended Status" "" \' echo ' "---------------" "" \' echo ' "Bash Shell" "" \' echo ' "----------------" " " \' echo ' "Quit" ""' echo ' }' } > $TMPFILE . $TMPFILE #cp $TMPFILE /tmp/menu if test -n "$RSBACLOGFILE" then { echo "" echo "# $0 start `date`" } >>"$RSBACLOGFILE" fi while true do if ! main_menu 2>$TMPFILE then rm $TMPFILE ; exit fi CHOICE=`cat $TMPFILE` case "$CHOICE" in HELP*) show_help "${CHOICE:5}" CHOICE="${CHOICE:5}" ;; 'User Attributes:') $RSBACPATH""rsbac_user_menu ;; 'Group Attributes:') $RSBACPATH""rsbac_group_menu ;; 'File/Dir Attributes:') $RSBACPATH""rsbac_fd_menu ;; 'Block/Char Device Attributes:') $RSBACPATH""rsbac_dev_menu ;; 'Process Attributes:') $RSBACPATH""rsbac_process_menu ;; "Network Device Attributes:") $RSBACPATH""rsbac_netdev_menu ;; "Network Template Definition:") $RSBACPATH""rsbac_nettemp_def_menu ;; "Network Template Attributes:") $RSBACPATH""rsbac_nettemp_menu ;; 'RC Roles:') $RSBACPATH""rsbac_rc_role_menu ;; 'RC Types:') $RSBACPATH""rsbac_rc_type_menu ;; 'ACL Management:') $RSBACPATH""rsbac_acl_menu ;; 'ACL Group Management:') $RSBACPATH""rsbac_acl_group_menu ;; 'Settings:') $RSBACPATH""rsbac_settings_menu # Read settings if test -f $RSBACCONF then . 
$RSBACCONF fi if test -f ~/.rsbacrc then . ~/.rsbacrc fi ;; 'Logging:') log_menu ;; 'Switch Modules:') TMP= while \ $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$TMP" \ --menu "Select Module to Switch" $BL $BC `gl 11` \ "MAC" "Mandatory Access Control (Bell-LaPadula)" \ "PM" "Privacy Model" \ "DAZ" "Dazuko" \ "FF" "File Flags" \ "RC" "Role Compatibility" \ "ACL" "Access Control Lists" \ "AUTH" "Authorization" \ "CAP" "Linux Capabilities" \ "JAIL" "Process JAILs" \ "RES" "Linux Resources" \ "PAX" "PaX flags" \ 2>$TMPFILE do TMP=`cat $TMPFILE` case $TMP in HELP*) show_help "${TMP:5}" TMP="${TMP:5}" ;; *) if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Switch $TMP to" $BL $BC 2 \ 0 "off" off \ 1 "on" off \ 2>$TMPFILE then if ! $RSBACPATH""switch_module $TMP `cat $TMPFILE` &>$TMPFILE then \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi esac done ;; 'Switch Softmode:') TMP= while \ $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$TMP" \ --menu "Select Module to Switch Softmode for" $BL $BC `gl 12` \ "GLOBAL" "Global Softmode" \ "MAC" "Mandatory Access Control (Bell-LaPadula)" \ "PM" "Privacy Model" \ "DAZ" "Dazuko" \ "FF" "File Flags" \ "RC" "Role Compatibility" \ "ACL" "Access Control Lists" \ "AUTH" "Authorization" \ "CAP" "Linux Capabilities" \ "JAIL" "Process JAILs" \ "RES" "Linux Resources" \ "PAX" "PaX flags" \ 2>$TMPFILE do TMP=`cat $TMPFILE` case $TMP in HELP*) show_help "${TMP:5}" TMP="${TMP:5}" ;; *) if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Switch $TMP Softmode to" $BL $BC 2 \ 0 "off" off \ 1 "on" off \ 2>$TMPFILE then if test "$TMP" = "GLOBAL" then if ! $RSBACPATH""switch_module SOFTMODE `cat $TMPFILE` &>$TMPFILE then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi else if ! 
echo "debug ind_softmode $TMP `cat $TMPFILE`" >/proc/rsbac-info/debug 2>$TMPFILE then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi fi esac done ;; 'Check Status:') if test -f /proc/rsbac-info/stats then if ! ${RSBACPATH}rsbac_check 1 1 &>$TMPFILE then $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --textbox $TMPFILE $BL $BC fi fi ;; 'Show Status') if test -f /proc/rsbac-info/stats then less /proc/rsbac-info/stats # $DIALOG --title "$TITLE" \ # --backtitle "$BACKTITLE" \ # --textbox /proc/rsbac-info/stats $BL $BC fi ;; 'Show PM Status') if test -f /proc/rsbac-info/stats_pm then less /proc/rsbac-info/stats_pm # $DIALOG --title "$TITLE" \ # --backtitle "$BACKTITLE" \ # --textbox /proc/rsbac-info/stats_pm $BL $BC fi ;; 'Show RC Status') if test -f /proc/rsbac-info/stats_rc then less /proc/rsbac-info/stats_rc # $DIALOG --title "$TITLE" \ # --backtitle "$BACKTITLE" \ # --textbox /proc/rsbac-info/stats_rc $BL $BC fi ;; 'Show ACL Lists') if test -f /proc/rsbac-info/acl_acllist then less /proc/rsbac-info/acl_acllist # $DIALOG --title "$TITLE" \ # --backtitle "$BACKTITLE" \ # --textbox /proc/rsbac-info/acl_acllist $BL $BC fi ;; 'Show ACL Groups') if test -f /proc/rsbac-info/acl_grouplist then less /proc/rsbac-info/acl_grouplist # $DIALOG --title "$TITLE" \ # --backtitle "$BACKTITLE" \ # --textbox /proc/rsbac-info/acl_grouplist $BL $BC fi ;; 'Show eXtended Status') if test -f /proc/rsbac-info/xstats then less /proc/rsbac-info/xstats # $DIALOG --title "$TITLE" \ # --backtitle "$BACKTITLE" \ # --textbox /proc/rsbac-info/xstats $BL $BC fi ;; 'Bash Shell') echo Return with exit! bash --login || bash -login || bash -l ;; Quit) rm $TMPFILE ; exit ;; *) $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Main Menu: Selection Error!" 
5 $BC esac # sleep 2 done rsbac-admin-1.4.0/main/tools/src/scripts/backup_all0000755000175000017500000000426011131371032022121 0ustar gauvaingauvain#!/bin/bash # # Backup RSBAC attributes # # This script generates a backup of most RSBAC settings on stdout. # # Current exceptions: PM data structures, ADF log levels # # Please make sure you have READ right in all Directories and # READ_ATTRIBUTES for all objects, # e.g. use setuid 0, RC force_role 'Role Admin', etc., # or set min_caps to DAC_READ_SEARCH for non-root user with READ_ATTRIBUTE etc. # or ( set softmode | switch off all modules | start Maintenance kernel ) and run as root # if test "$1" == "-p" then PRINTALL="-p" fi echo "#!/bin/sh" echo "#" echo "# RSBAC Backup of all attributes" echo "#" echo "# `date`" echo "#" # Log Levels switch_adf_log -b # Network Templates echo "" net_temp -a -b # MAC echo "" mac_back_trusted -r / # PM # Sorry, no backup yet. Copy /rsbac/backup/pm* to backup # dir. To restore boot non-RSBAC kernel and copy back. 
# AUTH echo "" auth_back_cap -r / # RC echo "" rc_get_item $PRINTALL backup # ACL echo "" acl_tlist -br $PRINTALL FD :DEFAULT: / acl_tlist -b $PRINTALL DEV :DEFAULT: acl_tlist -Db $PRINTALL acl_tlist -br $PRINTALL IPC :DEFAULT: acl_tlist -br $PRINTALL SCD :DEFAULT: `acl_tlist -n` acl_tlist -ab $PRINTALL acl_tlist -br $PRINTALL PROCESS :DEFAULT: acl_tlist -br $PRINTALL NETDEV :DEFAULT: ALLTEMP=`net_temp list_temp_nr` acl_tlist -br $PRINTALL NETTEMP_NT :DEFAULT: $ALLTEMP acl_tlist -br $PRINTALL NETTEMP $ALLTEMP acl_tlist -br $PRINTALL NETOBJ :DEFAULT: acl_mask -br $PRINTALL FD / acl_mask -Db $PRINTALL acl_mask -ab $PRINTALL acl_mask -b $PRINTALL SCD `acl_tlist -n` # User management rsbac_groupshow -S all -b -p -a rsbac_usershow -S all -b -p -a # RES default user settings attr_get_user RES 4294967292 res_min | while read name value do if test "$value" != "0" then echo attr_set_user RES $user res_min $name $value fi done attr_get_user RES 4294967292 res_max | while read name value do if test "$value" != "0" then echo attr_set_user RES $user res_max $name $value fi done # General attributes (last because of RC types at restore time - if RC is active) echo "" attr_back_fd -r -m / attr_back_dev -b attr_back_user -a attr_back_net -a NETDEV attr_back_net -a NETTEMP echo "#" echo "# RSBAC Backup finished at `date`" rsbac-admin-1.4.0/main/tools/src/scripts/rsbac_netdev_menu0000755000175000017500000004042511131371031023511 0ustar gauvaingauvain#!/bin/bash # # This script is used for Administration of RSBAC Network Template attributes # # # Make sure we're really running bash. # [ -z "$BASH" ] && { echo "This menu requires bash" 1>&2; exit 1; } # # Cache function definitions, turn off posix compliance # set -h +o posix # not used ATTRIBUTES="rc_type \ log_array_low log_array_high" # Set conf filename RSBACCONF=/etc/rsbac.conf # Read settings if test -f $RSBACCONF then . $RSBACCONF fi if test -f ~/.rsbacrc then . 
~/.rsbacrc fi if test -z "$RSBACMOD" then RSBACMOD='GEN MAC PM DAZ FF RC AUTH ACL CAP JAIL RES PAX' fi for i in $RSBACMOD do export SHOW_${i}=yes done # The dir for tmp files if test -z "$TMPDIR" ; then TMPDIR=/tmp ; fi # This must be a unique temporary filename if ! TMPFILE=`mktemp -q $TMPDIR/rsbac_dialog.XXXXXX` then TMPFILE=$TMPDIR/rsbac_dialog.$$ if test -e $TMPFILE then rm $TMPFILE fi touch $TMPFILE chmod 600 $TMPFILE fi # set this to rsbac bin dir, if not in path (trailing / is mandatory!) # #if test -z "$RSBACPATH" ; then RSBACPATH=./ ; fi # set this to initial dir on script startup LASTDIR='/proc' # which dialog tool to use - dialog or kdialog or xdialog... if test -z $DIALOG then DIALOG=${RSBACPATH}dialog fi if ! $DIALOG --clear then echo $DIALOG menu program required! >&2 exit fi if ! $DIALOG --help 2>&1 | grep -q "help-button" then echo "Newer dialog menu version >= 0.9a-20020309a with '--help-button' option" >&2 echo "required, please use dialog from admin tools contrib dir or set" >&2 echo "\$DIALOG to another dialog program, e.g. with rsbac_settings_menu!" >&2 exit fi set_geometry () { BL=${1:-24} BC=${2:-80} [ $BL = 0 ] && BL=24 [ $BC = 0 ] && BC=80 export LINES=$BL export COLUMNS=$BC BL=$((BL-4)) BC=$((BC-5)) MAXLINES=$((LINES-10)) } set_geometry `stty size 2>/dev/null` gl () { if test $1 -gt $MAXLINES then echo $MAXLINES else echo $1 fi } if test -z "$LINES" ; then LINES=25 ; fi if test -z "$COLUMNS" ; then COLUMNS=80 ; fi export LINES export COLUMNS declare -i BL=$LINES-4 declare -i BC=$COLUMNS-4 declare -i MAXLINES=$LINES-10 if test -z "$BACKTITLE" then BACKTITLE="RSBAC Administration Tools 1.4.0" fi TITLE="`whoami`@`hostname`: RSBAC Network Device Administration" HELPTITLE="$TITLE Help" ERRTITLE="RSBAC Net Object Administration - ERROR" ## no changes below this line! 
TYPE=NETDEV

# show_help TAG
# Displays the help text for menu entry TAG in the language selected by
# RSBACLANG (DE = German, RU = Russian, anything else = English).
show_help () {
  case "$RSBACLANG" in
    DE)
      show_help_german "$1"
      ;;
    RU)
      show_help_russian "$1"
      ;;
    *)
      show_help_english "$1"
      ;;
  esac
}

# show_help_english TAG
# Writes the English help text for TAG to $TMPFILE and shows it in a dialog
# text box; for the RC type and log array entries the attribute description
# printed by attr_get_net -A is appended.
show_help_english () {
  {
    echo "$1"
    echo ""
    case "$1" in
      Quit)
        echo "Quit this menu."
        ;;
      'NetDev List:')
        echo "Choose Network Device from list."
        ;;
      "NetDev Name:")
        echo "Enter Network Device name."
        ;;
      'RC Type:')
        echo "Select the RC model NETDEV type for this object."
        echo ""
        $RSBACPATH""attr_get_net -A rc_type
        ;;
      'Log Array Low:' | 'Log Array High:')
        echo "Choose object based logging levels for this object."
        echo ""
        $RSBACPATH""attr_get_net -A log_array_low
        ;;
      'ACL Menu:')
        echo "Go to ACL menu."
        ;;
      'Reset Attributes:')
        echo "Call \'attr_set_net -m\' to get the attribute object for this object"
        echo "removed. As result, all attribute values will be reset to their"
        echo "default values. Use with care!"
        ;;
      *)
        echo "No help for $1 available!"
    esac
  } > $TMPFILE
  $DIALOG --title "$HELPTITLE" \
    --backtitle "$BACKTITLE" \
    --textbox $TMPFILE $BL $BC
  # sleep 1
}

# show_help_german TAG
# German counterpart of show_help_english (same entries, same $TMPFILE /
# text box mechanism; the unknown-entry message stays in English).
show_help_german () {
  {
    echo "$1"
    echo ""
    case "$1" in
      Quit)
        echo "Beende dieses Menü."
        ;;
      'NetDev List:')
        echo "Wähle Netzwerk-Device aus einer Liste."
        ;;
      "NetDev Name:")
        echo "Netzwerk-Device-Namen eingeben."
        ;;
      'RC Type:')
        echo "Wähle RC-Typ für dieses Objekt."
        echo ""
        $RSBACPATH""attr_get_net -A rc_type
        ;;
      'Log Array Low:' | 'Log Array High:')
        echo "Wähle objektabhängige Logging-Stufen für dieses Objekt."
        echo ""
        $RSBACPATH""attr_get_net -A log_array_low
        ;;
      'ACL Menu:')
        echo "Gehe zum ACL-Menü."
        ;;
      'Reset Attributes:')
        echo "Rufe \'attr_set_net -m\' auf, um die Attribut-Objekte für dieses"
        echo "Objekt zu entfernen. Als Ergebnis werden alle Attribute auf ihre"
        echo "Standardwerte zurückgesetzt. Mit Vorsicht verwenden!"
        ;;
      *)
        echo "No help for $1 available!"
    esac
  } > $TMPFILE
  $DIALOG --title "$HELPTITLE" \
    --backtitle "$BACKTITLE" \
    --textbox $TMPFILE $BL $BC
  # sleep 1
}

# show_help_russian TAG
# Placeholder for the Russian help: the texts below are still the English
# ones, so RSBACLANG=RU currently shows English help.
show_help_russian () {
  {
    echo "$1"
    echo ""
    case "$1" in
      Quit)
        echo "Quit this menu."
        ;;
      'NetDev List:')
        echo "Choose Network Device from list."
        ;;
      "NetDev Name:")
        echo "Enter Network Device name."
        ;;
      'RC Type:')
        echo "Select the RC model NETDEV type for this object."
        echo ""
        $RSBACPATH""attr_get_net -A rc_type
        ;;
      'Log Array Low:' | 'Log Array High:')
        echo "Choose object based logging levels for this object."
        echo ""
        $RSBACPATH""attr_get_net -A log_array_low
        ;;
      'ACL Menu:')
        echo "Go to ACL menu."
        ;;
      'Reset Attributes:')
        echo "Call \'attr_set_net -m\' to get the attribute object for this object"
        echo "removed. As result, all attribute values will be reset to their"
        echo "default values. Use with care!"
        ;;
      *)
        echo "No help for $1 available!"
    esac
  } > $TMPFILE
  $DIALOG --title "$HELPTITLE" \
    --backtitle "$BACKTITLE" \
    --textbox $TMPFILE $BL $BC
  # sleep 1
}

# get_attributes
# Refreshes RCTYPE / LOGLOW / LOGHIGH for the current $OBJECT from the kernel
# (only for the models enabled via SHOW_RC / SHOW_GEN); clears them when no
# object is selected.
get_attributes () {
  if test "$OBJECT" != ""
  then
    if test "$SHOW_RC" = "yes"
    then
      # NOTE(review): these calls put the module name (RC / GEN) before
      # $TYPE, while log_menu below calls attr_get_net without it -- confirm
      # which argument form attr_get_net expects.
      RCTYPE=`$RSBACPATH""attr_get_net RC $TYPE rc_type $OBJECT`
    fi
    if test "$SHOW_GEN" = "yes"
    then
      LOGLOW=`$RSBACPATH""attr_get_net GEN $TYPE log_array_low $OBJECT`
      LOGHIGH=`$RSBACPATH""attr_get_net GEN $TYPE log_array_high $OBJECT`
    fi
  else
    RCTYPE=""
    LOGLOW=""
    LOGHIGH=""
  fi
}

# onoff A B -- prints "on" if A equals B, else "off" (radiolist state).
onoff () {
  if test "$1" = "$2"
  then
    echo on
  else
    echo off
  fi
}

# onoffb FLAG -- prints "on" if FLAG is 1, else "off".
onoffb () {
  if test "$1" = "1"
  then
    echo on
  else
    echo off
  fi
}

# type_name N
# Resolves RC type number N to its NETDEV type name via rc_get_item (which
# is presumed to print the name itself); prints "(unknown)" when the lookup
# fails and a blank when there is no type or no object.
type_name () {
  if test "$TYPE" = "NONE" -o -z "$1"
  then
    echo " "
  else
    if ! $RSBACPATH""rc_get_item TYPE $1 type_netdev_name
    then
      echo "(unknown)"
    fi
  fi
}

# get_vname KIND VALUE
# Prints a readable name for raw attribute VALUE of KIND:
#   rctype   -> RC type name from rc_get_item, or VALUE itself if the lookup
#               fails; "Error..."/"Use..." (tool output) become N/A
#   loglevel -> None / Denied / Full / Request
# Prints "N/A" for an empty VALUE and a blank when no object is selected.
get_vname () {
  if test "$TYPE" = "NONE"
  then
    echo " "
    return
  fi
  if test -z "$2"
  then
    echo "N/A"
    return
  fi
  case $1 in
    rctype)
      case $2 in
        Error*)
          echo N/A
          ;;
        Use*)
          echo N/A
          ;;
        *)
          if ! $RSBACPATH""rc_get_item TYPE $2 type_netdev_name 2>/dev/null
          then
            echo $2
          fi
          ;;
      esac
      ;;
    loglevel)
      case $2 in
        0)
          echo None
          ;;
        1)
          echo Denied
          ;;
        2)
          echo Full
          ;;
        3)
          echo Request
          ;;
        *)
          echo N/A
          ;;
      esac
      ;;
    *)
      echo ERROR!
;;
  esac
}

# gen_log_menu_items
# (Re)writes ${TMPFILE}.2 with one "REQUEST LEVELNAME" pair per request in
# $REQUESTS, reading the current log_array_low value of $OBJECT for each.
# NOTE(review): ${TMPFILE}.2 is opened with a plain redirect; only the base
# $TMPFILE name is created by mktemp, so this relies on nobody else being
# able to pre-create that derived name in $TMPDIR.
gen_log_menu_items() {
  echo -n "" >${TMPFILE}.2
  for i in $REQUESTS
  do
    TMP=`$RSBACPATH""attr_get_net $TYPE log_array_low $i $OBJECT`
    echo $i `get_vname loglevel $TMP`>>${TMPFILE}.2
  done
}

# log_menu
# Per-request log level editor for $OBJECT: lists every request (from
# attr_get_net -n NETDEV on first use) with its current level; picking one
# opens a radio list (None/Denied/Full/Request) and stores the choice with
# attr_set_net, appending the command to $RSBACLOGFILE when that is set.
# Returns, after refreshing LOGLOW/LOGHIGH, on Quit or cancel.
# NOTE(review): $OBJNAME appears in the menu title but is not assigned
# anywhere in this script -- it is empty unless set by the caller.
log_menu () {
  if test -z "$REQUESTS"
  then
    REQUESTS=`$RSBACPATH""attr_get_net -n NETDEV`
  fi
  gen_log_menu_items
  while true ; do \
    if ! \
      $DIALOG --title "$TITLE" \
      --backtitle "$BACKTITLE" \
      --default-item "$REQ" \
      --menu "$OBJECT / $OBJNAME: Log Levels for Requests" $BL $BC `gl 45` \
      `cat ${TMPFILE}.2` \
      "Quit" "" \
      2>$TMPFILE
    then
      rm ${TMPFILE}.2
      LOGLOW=`$RSBACPATH""attr_get_net $TYPE log_array_low $OBJECT`
      LOGHIGH=`$RSBACPATH""attr_get_net $TYPE log_array_high $OBJECT`
      return
    fi
    REQ=`cat $TMPFILE`
    case "$REQ" in
      Quit)
        rm ${TMPFILE}.2
        LOGLOW=`$RSBACPATH""attr_get_net $TYPE log_array_low $OBJECT`
        LOGHIGH=`$RSBACPATH""attr_get_net $TYPE log_array_high $OBJECT`
        return
        ;;
      *)
        # current level name of the chosen request, taken from the cached list
        VAL=`grep "^$REQ " ${TMPFILE}.2|cut -f 2 -d ' '`
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --radiolist "Choose Log Level for $OBJECT / $REQ" $BL $BC 5 \
          0 `get_vname loglevel 0` `onoff None $VAL` \
          1 `get_vname loglevel 1` `onoff Denied $VAL` \
          2 `get_vname loglevel 2` `onoff Full $VAL` \
          3 `get_vname loglevel 3` `onoff Request $VAL` \
          2>$TMPFILE
        then
          TMP=`cat $TMPFILE`
          if $RSBACPATH""attr_set_net $TYPE log_array_low $REQ $TMP $OBJECT &>$TMPFILE
          then
            if test -n "$RSBACLOGFILE"
            then
              echo $RSBACPATH""attr_set_net $TYPE log_array_low $REQ $TMP $OBJECT >>"$RSBACLOGFILE"
            fi
            gen_log_menu_items
          else \
            $DIALOG --title "$ERRTITLE" \
            --backtitle "$BACKTITLE" \
            --msgbox "`head -n 1 $TMPFILE`" $BL $BC
          fi
        fi
    esac
  done
}

# netdev_desc NAME
# Short description for interface NAME, chosen by name prefix; "name:n"
# aliases are reported as virtual devices.  The device number is the name
# with the prefix stripped (${1:3} / ${1:4}).
netdev_desc () {
  case $1 in
    *:*)
      echo "Virtual device"
      ;;
    lo)
      echo "Loopback device"
      ;;
    eth*)
      echo "Ethernet device ${1:3}"
      ;;
    ppp*)
      echo "PPP device ${1:3}"
      ;;
    ippp*)
      echo "ISDN PPP device ${1:4}"
      ;;
    *)
      echo "Other device"
  esac
}

# list_netdev_names
# Prints one "name description" pair per interface listed in /proc/net/dev;
# spaces in the description are replaced by '_' so every pair stays exactly
# two words for dialog --menu.
list_netdev_names () {
  TMP=`cat /proc/net/dev|grep ':'|cut -d ':' -f 1`
  for i in $TMP
  do
    echo $i `netdev_desc $i|tr ' ' '_'`
  done
}

declare -i
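MAXNAMELEN=$BC-34

# name_print NAME
# Prints NAME, or only its last MAXNAMELEN characters when it is longer, so
# that it fits next to the menu tags.
name_print () {
  if test ${#1} -gt $MAXNAMELEN
  then
    declare -i START=${#1}-$MAXNAMELEN
    echo "$1" | cut -c$START-${#1}
  else
    echo "$1"
  fi
}

###################### Menu #################
# Initial object: the command-line argument, or a device picked from the
# interfaces in /proc/net/dev (cancel leaves $OBJECT empty).
if test "$1" != ""
then
  OBJECT=$1
else
  # list_netdev_names prints "tag item" pairs; the argument list after the
  # menu height must stay pairwise aligned, so nothing is inserted before it
  # (a stray empty argument here shifts every tag/item pair by one).
  if $DIALOG --title "$TITLE" \
    --backtitle "$BACKTITLE" \
    --menu "Network Device" $BL $BC $MAXLINES \
    `list_netdev_names` \
    2>$TMPFILE
  then
    OBJECT=`cat $TMPFILE`
  fi
fi

if test -n "$RSBACLOGFILE"
then
  {
    echo ""
    echo "# $0 start `date`"
  } >>"$RSBACLOGFILE"
fi
get_attributes $OBJECT

# Generate the main menu function into $TMPFILE and source it: which rows
# exist depends on the enabled models (SHOW_RC / SHOW_GEN / SHOW_ACL), while
# the values shown ($OBJECT, $RCTYPE, ...) are expanded every time
# netdev_menu runs.  --help-button makes dialog answer "HELP <tag>" for the
# help key.
{
  echo 'netdev_menu ()'
  echo ' {'
  echo " $DIALOG --title \"$TITLE\" \\"
  echo ' --backtitle "$BACKTITLE" \'
  echo ' --help-button --default-item "$CHOICE" \'
  echo ' --menu "Main NETDEV Menu" $BL $BC `gl 10` \'
  echo ' "NetDev List:" "Choose from list of known devices" \'
  echo ' "NetDev Name:" "$OBJECT / `netdev_desc $OBJECT`" \'
  echo ' "----------------" " " \'
  if test "$SHOW_RC" = "yes"
  then
    echo ' "RC Type:" "$RCTYPE / `get_vname rctype $RCTYPE`" \'
  fi
  if test "$SHOW_GEN" = "yes"
  then
    echo ' "Log Array Low:" "$LOGLOW" \'
    echo ' "Log Array High:" "$LOGHIGH" \'
  fi
  echo ' "----------------" " " \'
  if test "$SHOW_ACL" = "yes"
  then
    echo ' "ACL Menu:" "Go to ACL menu" \'
  fi
  echo ' "Reset Attributes:" "Reset all values to default values" \'
  echo ' "Quit" ""'
  echo ' }'
} > $TMPFILE
. $TMPFILE
#cp $TMPFILE /tmp/menu

# Main loop: show the menu, dispatch on the chosen tag, repeat until Quit or
# cancel.  Every attribute change is echoed into $RSBACLOGFILE when set.
while true
do
  if ! netdev_menu 2>$TMPFILE
  then
    rm $TMPFILE ; exit
  fi
  CHOICE=`cat $TMPFILE`
  case "$CHOICE" in
    # help key: dialog returns "HELP <tag>"; strip the 5-character prefix
    HELP*)
      show_help "${CHOICE:5}"
      CHOICE="${CHOICE:5}"
      ;;
    'NetDev List:')
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --default-item "$OBJECT" \
        --menu "Network Device" $BL $BC $MAXLINES \
        `list_netdev_names` \
        2>$TMPFILE
      then
        OBJECT=`cat $TMPFILE`
        get_attributes
      fi
      ;;
    "NetDev Name:")
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --max-input 16 \
        --inputbox "Network Device Name (maxlen = 16):" $BL $BC $OBJECT \
        2>$TMPFILE
      then
        OBJECT=`cat $TMPFILE`
        get_attributes
      fi
      ;;
    'RC Type:')
      # The attribute entries need a selected object.  $TYPE is fixed to
      # NETDEV in this script, so the object name itself is what must be
      # non-empty for the "No object specified" branch to mean anything.
      if test "$TYPE" != "NONE" -a -n "$OBJECT"
      then \
        # with a type list from rc_get_item offer a menu, else a free input
        if $RSBACPATH""rc_get_item list_netdev_types >$TMPFILE
        then \
          if $DIALOG --title "$TITLE" \
            --backtitle "$BACKTITLE" \
            --default-item "$RCTYPE" \
            --menu "Choose RC Type for $OBJECT / $OBJNAME" $BL $BC $MAXLINES \
            `cat $TMPFILE` \
            2>$TMPFILE
          then
            TMP=`cat $TMPFILE`
            if $RSBACPATH""attr_set_net $TYPE rc_type $TMP $OBJECT &>$TMPFILE
            then
              RCTYPE=$TMP
              if test -n "$RSBACLOGFILE"
              then
                echo $RSBACPATH""attr_set_net $TYPE rc_type $TMP $OBJECT >>"$RSBACLOGFILE"
              fi
            else \
              $DIALOG --title "$ERRTITLE" \
              --backtitle "$BACKTITLE" \
              --msgbox "`head -n 1 $TMPFILE`" $BL $BC
            fi
          fi
        else \
          if $DIALOG --title "$TITLE" \
            --backtitle "$BACKTITLE" \
            --inputbox "RC Type (integer) for $OBJECT / $OBJNAME" \
            $BL $BC "$RCTYPE" \
            2>$TMPFILE
          then
            TMP=`cat $TMPFILE`
            if $RSBACPATH""attr_set_net $TYPE rc_type $TMP $OBJECT &>$TMPFILE
            then
              RCTYPE=$TMP
              if test -n "$RSBACLOGFILE"
              then
                echo $RSBACPATH""attr_set_net $TYPE rc_type $TMP $OBJECT >>"$RSBACLOGFILE"
              fi
            else \
              $DIALOG --title "$ERRTITLE" \
              --backtitle "$BACKTITLE" \
              --msgbox "`head -n 1 $TMPFILE`" $BL $BC
            fi
          fi
        fi
      else
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "RC Type: No object specified!" 5 $BC
      fi
      ;;
    'Log Array Low:')
      if test "$TYPE" != "NONE" -a -n "$OBJECT"
      then \
        log_menu
      else
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "Log Array Low: No object specified!" 5 $BC
      fi
      ;;
    'Log Array High:')
      if test "$TYPE" != "NONE" -a -n "$OBJECT"
      then \
        log_menu
      else
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "Log Array High: No object specified!" 5 $BC
      fi
      ;;
    'ACL Menu:')
      $RSBACPATH""rsbac_acl_menu NETDEV "$OBJECT"
      ;;
    'Reset Attributes:')
      if test "$TYPE" != "NONE" -a -n "$OBJECT"
      then \
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --yesno "Reset all attributes to default values?" 5 $BC \
          2>/dev/null
        then
          if $RSBACPATH""attr_set_net -m NETDEV "$OBJECT" &>$TMPFILE
          then
            get_attributes
            if test -n "$RSBACLOGFILE"
            then
              echo $RSBACPATH""attr_set_net -m NETDEV \"$OBJECT\" >>"$RSBACLOGFILE"
            fi
          else \
            $DIALOG --title "$ERRTITLE" \
            --backtitle "$BACKTITLE" \
            --msgbox "`head -n 1 $TMPFILE`" $BL $BC
          fi
        fi
      else
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "Reset Attributes: No object specified!" 5 $BC
      fi
      ;;
    Quit)
      rm $TMPFILE ; exit
      ;;
    *)
      $DIALOG --title "$ERRTITLE" \
        --backtitle "$BACKTITLE" \
        --msgbox "Main Menu: Selection Error!" 5 $BC
  esac
  # sleep 2
done
rsbac-admin-1.4.0/main/tools/src/scripts/rsbac_dev_menu0000755000175000017500000012651711131371032023012 0ustar gauvaingauvain
#!/bin/bash
#
# This script is used for Administration of RSBAC general file/dir attributes
#
#
# Make sure we're really running bash.
#
[ -z "$BASH" ] && { echo "This menu requires bash" 1>&2; exit 1; }
#
# Cache function definitions, turn off posix compliance
#
set -h +o posix

# not used
ATTRIBUTES="security_level object_category data_type mac_check \
pm_object_type pm_object_class rc_type \
log_array_low log_array_high"

# Set conf filename
RSBACCONF=/etc/rsbac.conf

# Read settings (both files are sourced as shell code)
if test -f $RSBACCONF
then
  . $RSBACCONF
fi
if test -f ~/.rsbacrc
then
  . ~/.rsbacrc
fi
if test -z "$RSBACMOD"
then
  RSBACMOD='GEN MAC PM DAZ FF RC AUTH ACL CAP RES PAX'
fi
for i in $RSBACMOD
do
  export SHOW_${i}=yes
done

# The dir for tmp files
if test -z "$TMPDIR" ; then TMPDIR=/tmp ; fi

# This must be a unique temporary filename
if !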
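TMPFILE=`mktemp -q $TMPDIR/rsbac_dialog.XXXXXX`
then
  # mktemp is not available: the fallback name is predictable (PID based)
  # and $TMPFILE is later sourced as shell code (". $TMPFILE" in the menu
  # section), so create it exclusively here (noclobber = O_EXCL) with mode
  # 0600 -- as the sibling netdev menu does with touch/chmod -- and stop if
  # that fails rather than adopt a file or symlink someone else placed under
  # that name.
  TMPFILE=$TMPDIR/rsbac_dialog.$$
  if test -e $TMPFILE
  then
    rm $TMPFILE
  fi
  if ! (umask 077 && set -C && : > "$TMPFILE")
  then
    echo "Cannot create temporary file $TMPFILE" >&2
    exit 1
  fi
fi

# set this to rsbac bin dir, if not in path (trailing / is mandatory!)
#
#if test -z "$RSBACPATH" ; then RSBACPATH=./ ; fi

# set this to initial dir on script startup
LASTDIR='/dev'

# which dialog tool to use - dialog or kdialog or xdialog...
if test -z $DIALOG
then
  DIALOG=${RSBACPATH}dialog
fi
if ! $DIALOG --clear
then
  echo $DIALOG menu program required! >&2
  exit
fi
# The generated main menu uses --help-button (dialog then answers
# "HELP <tag>"), so refuse a dialog that does not know the option.
if ! $DIALOG --help 2>&1 | grep -q "help-button"
then
  echo "Newer dialog menu version >= 0.9a-20020309a with '--help-button' option" >&2
  echo "required, please use dialog from admin tools contrib dir or set" >&2
  echo "\$DIALOG to another dialog program, e.g. with rsbac_settings_menu!" >&2
  exit
fi

# set_geometry ROWS COLS
# Takes the terminal size as printed by `stty size`, exports it as
# LINES/COLUMNS and derives the dialog box size BL x BC and the maximum menu
# height MAXLINES.  Missing or zero arguments fall back to 24 x 80.
set_geometry () {
  BL=${1:-24}
  BC=${2:-80}
  [ $BL = 0 ] && BL=24
  [ $BC = 0 ] && BC=80
  export LINES=$BL
  export COLUMNS=$BC
  BL=$((BL-4))
  BC=$((BC-5))
  MAXLINES=$((LINES-10))
}
set_geometry `stty size 2>/dev/null`

# gl N -- clamp a requested menu height N to MAXLINES.
gl () {
  if test $1 -gt $MAXLINES
  then
    echo $MAXLINES
  else
    echo $1
  fi
}

# LINES/COLUMNS were already exported by set_geometry; the defaults only
# apply if they are empty.  BL, BC and MAXLINES are recomputed here from
# LINES/COLUMNS (BC with -4 where set_geometry used -5), so these are the
# values the menus actually use.
if test -z "$LINES" ; then LINES=25 ; fi
if test -z "$COLUMNS" ; then COLUMNS=80 ; fi
export LINES
export COLUMNS
declare -i BL=$LINES-4
declare -i BC=$COLUMNS-4
declare -i MAXLINES=$LINES-10

if test -z "$BACKTITLE"
then
  BACKTITLE="RSBAC Administration Tools 1.4.0"
fi
TITLE="`whoami`@`hostname`: RSBAC Device Administration"
HELPTITLE="`whoami`@`hostname`: RSBAC Device Administration Help"
ERRTITLE="RSBAC Device Administration - ERROR"
# rc_type value displayed as "Inherit Dev Major" by get_vname
RCTYPEINHPAR=4294967294

## no changes below this line!

# show_help TAG
# Writes the help text for menu entry TAG to $TMPFILE and shows it in a
# dialog text box; for attribute entries the description printed by
# attr_get_file_dir -A is appended.
show_help () {
  {
    echo "$1"
    echo ""
    case "$1" in
      Quit)
        echo "Quit this menu."
        ;;
      'File/Dir List:')
        echo "Choose new device object from list."
        ;;
      "Dev special file:")
        echo "Enter new device object special file name."
        ;;
      'Dev Major List:')
        echo "Choose major device specification from list."
        ;;
      "Dev specification:")
        echo "Enter a device specification {b|c}major[:minor],"
        echo "e.g. b8:1 for /dev/sda1 or c2 for pseudo tty masters."
        ;;
      "Follow")
        echo "Follow this symbolic link."
        ;;
      'MAC Security Level:')
        echo "Set the MAC model security level."
        echo ""
        $RSBACPATH""attr_get_file_dir -A security_level
        ;;
      'MAC Categories:')
        echo "Set the MAC model categories."
        echo ""
        $RSBACPATH""attr_get_file_dir -A mac_categories
        ;;
      'MAC Check:')
        echo "Toggle, whether access to this device should be controlled by MAC model."
        echo ""
        $RSBACPATH""attr_get_file_dir -A mac_check
        ;;
      'PM Object Type:')
        echo "Set object type for PM model."
        echo ""
        $R SBACPATH""attr_get_file_dir -A pm_object_type
        ;;
      'PM Object Class:')
        echo "Select the PM model object class."
        echo ""
        $RSBACPATH""attr_get_file_dir -A pm_object_class
        ;;
      'RC Type:')
        echo "Select the RC model device type."
        echo ""
        $RSBACPATH""attr_get_file_dir -A rc_type
        ;;
      'Log Array Low:' | 'Log Array High:')
        echo "Choose object based logging levels for this object."
        echo ""
        $RSBACPATH""attr_get_file_dir -A log_array_low
        ;;
      'File/Dir Attributes:')
        echo "Go to File/Dir/Fifo/Symlink attribute menu."
        ;;
      'ACL Menu:')
        echo "Go to ACL menu."
        ;;
      'Reset Attributes:')
        echo "Call attr_rm_fd to get the attribute object for this device object"
        echo "removed. As result, all attribute values will be reset to their"
        echo "default values. Use with care!"
        ;;
      *)
        echo "No help for $1 available!"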
esac
} > $TMPFILE
$DIALOG --title "$HELPTITLE" \
  --backtitle "$BACKTITLE" \
  --textbox $TMPFILE $BL $BC
# sleep 1
}

# get_attributes
# Classifies $FILE into $TYPE (SYMLINK / BLOCK / CHAR / DIR / NONE) -- for a
# symlink the target goes to $SYMLINK, for a directory it becomes the new
# $LASTDIR -- and then loads the DEV attributes of $DEVSPEC for the enabled
# models (SHOW_MAC / SHOW_PM / SHOW_RC / SHOW_GEN).  With an empty $DEVSPEC
# all attribute variables are cleared instead.
get_attributes () {
  if test -L "$FILE"
  then
    TYPE=SYMLINK
    # link target parsed out of "ls -l" (text after the first '>'); names
    # or targets that themselves contain '>' are misparsed by this
    SYMLINK="`ls -l \"$FILE\"|cut -d '>' -f 2|cut -c 2-`"
  elif test -b "$FILE"
  then
    TYPE=BLOCK
  elif test -c "$FILE"
  then
    TYPE=CHAR
  elif test -d "$FILE"
  then
    TYPE=DIR
    LASTDIR=`(cd "$FILE" ; pwd)`
    if test -n "$RSBACLOGFILE"
    then
      # NOTE(review): this records the script's own working directory, not
      # the $LASTDIR just entered -- confirm which one the log should replay.
      echo "cd `pwd`" >>"$RSBACLOGFILE"
    fi
  else
    TYPE=NONE
  fi
  if test -z "$DEVSPEC"
  then
    SECLEVEL=""
    MACCAT=""
    OBJCAT=""
    DATATYPE=""
    MACCHECK=""
    PMOBJTYPE=""
    PMCLASS=""
    RCTYPE=""
    LOGLOW=""
    LOGHIGH=""
    return
  fi
  if test "$SHOW_MAC" = "yes"
  then
    SECLEVEL=`$RSBACPATH""attr_get_file_dir -d DEV $DEVSPEC security_level`
    MACCAT=`$RSBACPATH""attr_get_file_dir -d DEV $DEVSPEC mac_categories`
    MACCHECK=`$RSBACPATH""attr_get_file_dir -d DEV $DEVSPEC mac_check`
  fi
  if test "$SHOW_PM" = "yes"
  then
    PMOBJTYPE=`$RSBACPATH""attr_get_file_dir -d DEV $DEVSPEC pm_object_type`
    PMCLASS=`$RSBACPATH""attr_get_file_dir -d DEV $DEVSPEC pm_object_class`
  fi
  if test "$SHOW_RC" = "yes"
  then
    RCTYPE=`$RSBACPATH""attr_get_file_dir -d DEV $DEVSPEC rc_type`
  fi
  if test "$SHOW_GEN" = "yes"
  then
    LOGLOW=`$RSBACPATH""attr_get_file_dir -d DEV $DEVSPEC log_array_low`
    LOGHIGH=`$RSBACPATH""attr_get_file_dir -d DEV $DEVSPEC log_array_high`
  fi
}

# onoff A B -- prints "on" if A equals B, else "off" (radiolist state).
onoff () {
  if test "$1" = "$2"
  then
    echo on
  else
    echo off
  fi
}

# onoffb FLAG -- prints "on" if FLAG is 1, else "off".
onoffb () {
  if test "$1" = "1"
  then
    echo on
  else
    echo off
  fi
}

# list_item PATH
# Prints "PATH kind" for the directory listing menu, kind being
# SYMLINK->target, BLOCK, CHAR, DIR or NONE (same "ls -l" target parsing as
# get_attributes).
list_item () {
  if test -L "$1"
  then
    echo $1 "SYMLINK->`ls -l \"$1\"|cut -d '>' -f 2|cut -c 2-`"
  elif test -b "$1"
  then
    echo $1 BLOCK
  elif test -c "$1"
  then
    echo $1 CHAR
  elif test -d "$1"
  then
    echo $1 DIR
  else
    echo $1 NONE
  fi
}

# choose_major
# Menu of Linux device majors (tag = {b|c}MAJOR, item = description), with
# the major part of the current $DEVSPEC preselected.  The chosen tag becomes
# the new $DEVSPEC, $FILE is cleared and the attributes are reloaded.
# NOTE(review): a few tags in the list appear twice (c28, b28, c120, b120);
# selecting either copy yields the same tag, the second entry is redundant.
choose_major () {
  if $DIALOG --title "$TITLE" \
    --backtitle "$BACKTITLE" \
    --default-item "$(echo "$DEVSPEC"|cut -d ':' -f 1)" \
    --menu "Select Device Major" $BL $BC $MAXLINES \
    c0 "char Unnamed devices (e.g. non-device mounts)" \
    b0 "block Unnamed devices (e.g.
non-device mounts)" \ c1 "char Memory devices" \ b1 "block RAM disk" \ c2 "char Pseudo-TTY masters" \ b2 "block Floppy disks" \ c3 "char Pseudo-TTY slaves" \ b3 "block First MFM, RLL and IDE hard disk/CD-ROM interface" \ c4 "char TTY devices" \ c5 "char Alternate TTY devices" \ c6 "char Parallel printer devices" \ c7 "char Virtual console capture devices" \ b7 "block Loopback devices" \ b8 "block SCSI disk devices (0-15)" \ c9 "char SCSI tape devices" \ b9 "block Metadisk (RAID) devices" \ c10 "char Non-serial mice, misc features" \ c11 "char Raw keyboard device" \ b11 "block SCSI CD-ROM devices" \ c12 "char QIC-02 tape" \ b12 "block MSCDEX CD-ROM callback support {2.6}" \ c13 "char Input core" \ b13 "block 8-bit MFM/RLL/IDE controller" \ c14 "char Open Sound System (OSS)" \ b14 "block BIOS harddrive callback support {2.6}" \ c15 "char Joystick" \ b15 "block Sony CDU-31A/CDU-33A CD-ROM" \ c16 "char Non-SCSI scanners" \ b16 "block GoldStar CD-ROM" \ c17 "char Chase serial card" \ b17 "block Optics Storage CD-ROM" \ c18 "char Chase serial card - alternate devices" \ b18 "block Sanyo CD-ROM" \ c19 "char Cyclades serial card" \ b19 "block Double compressed disk" \ c20 "char Cyclades serial card - alternate devices" \ b20 "block Hitachi CD-ROM (under development)" \ c21 "char Generic SCSI access" \ b21 "block Acorn MFM hard drive interface" \ c22 "char Digiboard serial card" \ b22 "block Second IDE hard disk/CD-ROM interface" \ c23 "char Digiboard serial card - alternate devices" \ b23 "block Mitsumi proprietary CD-ROM" \ c24 "char Stallion serial card" \ b24 "block Sony CDU-535 CD-ROM" \ c25 "char Stallion serial card - alternate devices" \ b25 "block First Matsushita (Panasonic/SoundBlaster) CD-ROM" \ c26 "char Quanta WinVision frame grabber {2.6}" \ b26 "block Second Matsushita (Panasonic/SoundBlaster) CD-ROM" \ c27 "char QIC-117 tape" \ b27 "block Third Matsushita (Panasonic/SoundBlaster) CD-ROM" \ c28 "char Stallion serial card - card programming" \ c28 "char Atari 
SLM ACSI laser printer (68k/Atari)" \ b28 "block Fourth Matsushita (Panasonic/SoundBlaster) CD-ROM" \ b28 "block ACSI disk (68k/Atari)" \ c29 "char Universal frame buffer" \ b29 "block Aztech/Orchid/Okano/Wearnes CD-ROM" \ c30 "char iBCS-2 compatibility devices" \ b30 "block Philips LMS CM-205 CD-ROM" \ c31 "char MPU-401 MIDI" \ b31 "block ROM/flash memory card" \ c32 "char Specialix serial card" \ b32 "block Philips LMS CM-206 CD-ROM" \ c33 "char Specialix serial card - alternate devices" \ b33 "block Third IDE hard disk/CD-ROM interface" \ c34 "char Z8530 HDLC driver" \ b34 "block Fourth IDE hard disk/CD-ROM interface" \ c35 "char tclmidi MIDI driver" \ b35 "block Slow memory ramdisk" \ c36 "char Netlink support" \ b36 "block MCA ESDI hard disk" \ c37 "char IDE tape" \ b37 "block Zorro II ramdisk" \ c38 "char Myricom PCI Myrinet board" \ b38 "block Reserved for Linux/AP+" \ c39 "char ML-16P experimental I/O board" \ b39 "block Reserved for Linux/AP+" \ c40 "char Matrox Meteor frame grabber {2.6}" \ b40 "block Syquest EZ135 parallel port removable drive" \ c41 "char Yet Another Micro Monitor" \ b41 "block MicroSolutions BackPack parallel port CD-ROM" \ c42 "char Demo/sample use" \ b42 "block Demo/sample use" \ c43 "char isdn4linux virtual modem" \ b43 "block Network block devices" \ c44 "char isdn4linux virtual modem - alternate devices" \ b44 "block Flash Translatio Layer (FTL) filesystems" \ c45 "char isdn4linux ISDN BRI driver" \ b45 "block Parallel port IDE disk devices" \ c46 "char Comtrol Rocketport serial card" \ b46 "block Parallel port ATAPI CD-ROM devices" \ c47 "char Comtrol Rocketport serial card - alternate devices" \ b47 "block Parallel port ATAPI disk devices" \ c48 "char SDL RISCom serial card" \ b48 "block Mylex DAC960 PCI RAID controller; first controller" \ c49 "char SDL RISCom serial card - alternate devices" \ b49 "block Mylex DAC960 PCI RAID controller; second controller" \ c50 "char Reserved for GLINT" \ b50 "block Mylex DAC960 PCI RAID 
controller; third controller" \ c51 "char Baycom radio modem" \ b51 "block Mylex DAC960 PCI RAID controller; fourth controller" \ c52 "char Spellcaster DataComm/BRI ISDN card" \ b52 "block Mylex DAC960 PCI RAID controller; fifth controller" \ c53 "char BDM interface for remote debugging MC683xx microcontrollers" \ b53 "block Mylex DAC960 PCI RAID controller; sixth controller" \ c54 "char Electrocardiognosis Holter serial card" \ b54 "block Mylex DAC960 PCI RAID controller; seventh controller" \ c55 "char DSP56001 digital signal processor" \ b55 "block Mylex DAC960 PCI RAID controller; eigth controller" \ c56 "char Apple Desktop Bus" \ b56 "block Fifth IDE hard disk/CD-ROM interface" \ c57 "char Hayes ESP serial card" \ b57 "block Sixth IDE hard disk/CD-ROM interface" \ c58 "char Hayes ESP serial card - alternate devices" \ b58 "block Reserved for logical volume manager" \ c59 "char sf firewall package" \ b59 "block Generic PDA filesystem device" \ c60 "char LOCAL/EXPERIMENTAL USE" \ b60 "block LOCAL/EXPERIMENTAL USE" \ c61 "char LOCAL/EXPERIMENTAL USE" \ b61 "block LOCAL/EXPERIMENTAL USE" \ c62 "char LOCAL/EXPERIMENTAL USE" \ b62 "block LOCAL/EXPERIMENTAL USE" \ c63 "char LOCAL/EXPERIMENTAL USE" \ b63 "block LOCAL/EXPERIMENTAL USE" \ c64 "char ENskip kernel encryption package" \ c65 "char Sundance plink Transputer boards" \ b65 "block SCSI disk devices (16-31)" \ c66 "char YARC PowerPC PCI coprocessor card" \ b66 "block SCSI disk devices (32-47)" \ c67 "char Coda network file system" \ b67 "block SCSI disk devices (48-63)" \ c68 "char CAPI 2.0 interface" \ b68 "block SCSI disk devices (64-79)" \ c69 "char MA16 numeric accelerator card" \ b69 "block SCSI disk devices (80-95)" \ c70 "char SpellCaster Protocol Services Interface" \ b70 "block SCSI disk devices (96-111)" \ c71 "char Computone IntelliPort II serial card" \ b71 "block SCSI disk devices (112-127)" \ c72 "char Computone IntelliPort II serial card - alternate devices" \ b72 "block Compaq Intelligent Drive 
Array, first controller" \ c73 "char Computone IntelliPort II serial card - control devices" \ b73 "block Compaq Intelligent Drive Array, second controller" \ c74 "char SCI bridge" \ b74 "block Compaq Intelligent Drive Array, third controller" \ c75 "char Specialix IO8+ serial card" \ b75 "block Compaq Intelligent Drive Array, fourth controller" \ c76 "char Specialix IO8+ serial card - alternate devices" \ b76 "block Compaq Intelligent Drive Array, fifth controller" \ c77 "char ComScire Quantum Noise Generator" \ b77 "block Compaq Intelligent Drive Array, sixth controller" \ c78 "char PAM Software multimodem boards" \ b78 "block Compaq Intelligent Drive Array, seventh controller" \ c79 "char PAM Software multimodem boards - alternate devices" \ b79 "block Compaq Intelligent Drive Array, eigth controller" \ c80 "char Photometrics AT200 CCD camera" \ b80 "block I2O hard disk" \ c81 "char video4linux" \ b81 "block I2O hard disk" \ c82 "char WiNRADiO communications receiver card" \ b82 "block I2O hard disk" \ c83 "char Teletext/videotext interfaces {2.6}" \ b83 "block I2O hard disk" \ c84 "char Ikon 1011[57] Versatec Greensheet Interface" \ b84 "block I2O hard disk" \ c85 "char Linux/SGI shared memory input queue" \ b85 "block I2O hard disk" \ c86 "char SCSI media changer" \ b86 "block I2O hard disk" \ c87 "char Sony Control-A1 stereo control bus" \ b87 "block I2O hard disk" \ c88 "char COMX synchronous serial card" \ b88 "block Seventh IDE hard disk/CD-ROM interface" \ c89 "char I2C bus interface" \ b89 "block Eighth IDE hard disk/CD-ROM interface" \ c90 "char Memory Technology Device (RAM, ROM, Flash)" \ b90 "block Ninth IDE hard disk/CD-ROM interface" \ c91 "char CAN-Bus devices" \ b91 "block Tenth IDE hard disk/CD-ROM interface" \ c92 "char Reserved for ith Kommunikationstechnik MIC ISDN card" \ b92 "block PPDD encrypted disk driver" \ c93 "char IBM Smart Capture Card frame grabber {2.6}" \ b93 "block NAND Flash Translation Layer filesystem" \ c94 "char miroVIDEO 
DC10/30 capture/playback device {2.6}" \ b94 "block IBM S/390 DASD block storage" \ c95 "char IP filter" \ b95 "block IBM S/390 VM/ESA minidisk" \ c96 "char Parallel port ATAPI tape devices" \ c97 "char Parallel port generic ATAPI interface" \ b97 "block Packet writing for CD/DVD devices" \ c98 "char Control and Measurement Device (comedi)" \ b98 "block User-mode virtual block device" \ c99 "char Raw parallel ports" \ b99 "block JavaStation flash disk" \ c100 "char Telephony for Linux" \ c101 "char Motorola DSP 56xxx board" \ b101 "block AMI HyperDisk RAID controller" \ c102 "char Philips SAA5249 Teletext signal decoder {2.6}" \ b102 "block Compressed block device" \ c103 "char Arla network file system" \ b103 "block Audit device" \ c104 "char Flash BIOS support" \ b104 "block Compaq Next Generation Drive Array, first controller" \ c105 "char Comtrol VS-1000 serial controller" \ b105 "block Compaq Next Generation Drive Array, second controller" \ c106 "char Comtrol VS-1000 serial controller - alternate devices" \ b106 "block Compaq Next Generation Drive Array, third controller" \ c107 "char 3Dfx Voodoo Graphics device" \ b107 "block Compaq Next Generation Drive Array, fourth controller" \ c108 "char Device independent PPP interface" \ b108 "block Compaq Next Generation Drive Array, fifth controller" \ c109 "char Reserved for logical volume manager" \ b109 "block Compaq Next Generation Drive Array, sixth controller" \ c110 "char miroMEDIA Surround board" \ b110 "block Compaq Next Generation Drive Array, seventh controller" \ c111 "char Philips SAA7146-based audio/video card {2.6}" \ b111 "block Compaq Next Generation Drive Array, eigth controller" \ c112 "char ISI serial card" \ b112 "block IBM iSeries virtual disk" \ c113 "char ISI serial card - alternate devices" \ b113 "block IBM iSeries virtual CD-ROM" \ c114 "char Picture Elements ISE board" \ c115 "char Console driver speaker" \ c116 "char Advanced Linux Sound Driver (ALSA)" \ c117 "char COSA/SRP synchronous 
serial card" \ c118 "char Solidum ???" \ c119 "char VMware virtual network control" \ c120 "char LOCAL/EXPERIMENTAL USE" \ b120 "block LOCAL/EXPERIMENTAL USE" \ c120 "char LOCAL/EXPERIMENTAL USE" \ b120 "block LOCAL/EXPERIMENTAL USE" \ c121 "char LOCAL/EXPERIMENTAL USE" \ b121 "block LOCAL/EXPERIMENTAL USE" \ c122 "char LOCAL/EXPERIMENTAL USE" \ b122 "block LOCAL/EXPERIMENTAL USE" \ c123 "char LOCAL/EXPERIMENTAL USE" \ b123 "block LOCAL/EXPERIMENTAL USE" \ c124 "char LOCAL/EXPERIMENTAL USE" \ b124 "block LOCAL/EXPERIMENTAL USE" \ c125 "char LOCAL/EXPERIMENTAL USE" \ b125 "block LOCAL/EXPERIMENTAL USE" \ c126 "char LOCAL/EXPERIMENTAL USE" \ b126 "block LOCAL/EXPERIMENTAL USE" \ c127 "char LOCAL/EXPERIMENTAL USE" \ b127 "block LOCAL/EXPERIMENTAL USE" \ c128 "char Unix98 PTY masters" \ c129 "char Unix98 PTY masters" \ c130 "char Unix98 PTY masters" \ c131 "char Unix98 PTY masters" \ c132 "char Unix98 PTY masters" \ c133 "char Unix98 PTY masters" \ c134 "char Unix98 PTY masters" \ c135 "char Unix98 PTY masters" \ c136 "char Unix98 PTY slaves" \ c137 "char Unix98 PTY slaves" \ c138 "char Unix98 PTY slaves" \ c139 "char Unix98 PTY slaves" \ c140 "char Unix98 PTY slaves" \ c141 "char Unix98 PTY slaves" \ c142 "char Unix98 PTY slaves" \ c143 "char Unix98 PTY slaves" \ c144 "char Encapsulated PPP" \ c145 "char SAM9407-based soundcard" \ c146 "char SYSTRAM SCRAMNet mirrored-memory network" \ c147 "char Aueral Semiconductor Vortex Audio device" \ c148 "char Technology Concepts serial card" \ c149 "char Technology Concepts serial card - alternate devices" \ c150 "char Real-Time Linux FIFOs" \ c151 "char DPT I2O SmartRaid V controller" \ c154 "char Specialix RIO serial card" \ c155 "char Specialix RIO serial card - alternate devices" \ c156 "char Specialix RIO serial card" \ c157 "char Specialix RIO serial card - alternate devices" \ c158 "char Dialogic GammaLink fax driver" \ c160 "char General Purpose Instrument Bus (GPIB)" \ c161 "char IrCOMM devices (IrDA serial/parallel 
emulation)" \ c162 "char Raw block device interface" \ c163 "char Radio Tech BIM-XXX-RS232 radio modem" \ c164 "char Chase Research AT/PCI-Fast serial card" \ c165 "char Chase Research AT/PCI-Fast serial card - alternate devices" \ c166 "char ACM USB modems" \ c167 "char ACM USB modems - alternate devices" \ c168 "char Eracom CSA7000 PCI encryption adaptor" \ c169 "char Eracom CSA8000 PCI encryption adaptor" \ c170 "char AMI MegaRAC remote access controller" \ c171 "char Reserved for IEEE 1394 (Firewire)" \ c172 "char Moxa Intellio serial card" \ c173 "char Moxa Intellio serial card - alternate devices" \ c174 "char SmartIO serial card" \ c175 "char SmartIO serial card - alternate devices" \ c176 "char nCipher nFast PCI crypto accelerator" \ c177 "char TI PCILynx memory spaces" \ c178 "char Giganet cLAN1xxx virtual interface adapter" \ c179 "char CCube DVXChip-based PCI products" \ c180 "char USB devices" \ c181 "char Conrad Electronic parallel port radio clocks" \ c182 "char Picture Elements THR2 binarizer" \ c183 "char SST 5136-DN DeviceNet interface" \ c184 "char Picture Elements video simulator/sender" \ c185 "char InterMezzo high availability file system" \ c186 "char Object-based storage control device" \ c187 "char DESkey hardware encryption device" \ c188 "char USB serial converters" \ c189 "char USB serial converters - alternate devices" \ c190 "char Kansas City tracker/tuner card" \ c191 "char Reserved for PCMCIA" \ c192 "char Kernel profiling interface" \ c193 "char Kernel event-tracing interface" \ c194 "char linVideoStreams (LINVS)" \ c195 "char Nvidia graphics devices" \ c196 "char Tormenta T1 card" \ c197 "char OpenTNF tracing facility" \ c198 "char Total Impact TPMP2 quad coprocessor PCI card" \ c199 "char Veritas volume manager (VxVM) volumes" \ b199 "block Veritas volume manager (VxVM) volumes" \ c200 "char Veritas VxVM configuration interface" \ c201 "char Veritas VxVM dynamic multipathing driver" \ b201 "block Veritas VxVM dynamic multipathing 
driver" \
    c202 "char CPU model-specific registers" \
    c203 "char CPU CPUID information" \
    c204 "char Low-density serial ports" \
    c205 "char Low-density serial ports (alternate device)" \
    c206 "char OnStream SC-x0 tape devices" \
    c207 "char Compaq ProLiant health feature indicate" \
    c208 "char User space serial ports" \
    c209 "char User space serial ports (alternate devices)" \
    c210 "char SBE, Inc. sync/async serial card" \
    c211 "char Addinum CPCI1500 digital I/O card" \
    c216 "char USB BlueTooth devices" \
    c217 "char USB BlueTooth devices (alternate devices)" \
    c218 "char The Logical Company bus Unibus/Qbus adapters" \
    c219 "char The Logical Company DCI-1300 digital I/O card" \
    c220 "char Myricom Myrinet GM board" \
    c221 "char VME bus" \
    c224 "char A2232 serial card" \
    c225 "char A2232 serial card (alternate devices)" \
    c226 "char Direct Rendering Infrastructure (DRI)" \
    c227 "char IBM 3270 terminal Unix tty access" \
    c228 "char IBM 3270 terminal block-mode access" \
    c229 "char IBM iSeries virtual console" \
    c230 "char IBM iSeries virtual tape" \
    2>$TMPFILE
  then
    DEVSPEC=`cat $TMPFILE`
    FILE=
    get_attributes
  fi
}

# type_name N
# Resolves RC type number N to its DEV type name via rc_get_item (which is
# presumed to print the name itself); prints "(unknown)" when the lookup
# fails and a blank when there is no type or no argument.
type_name () {
  if test "$TYPE" = "NONE" -o -z "$1"
  then
    echo " "
  else
    if ! $RSBACPATH""rc_get_item TYPE $1 type_dev_name
    then
      echo "(unknown)"
    fi
  fi
}

# get_vname KIND VALUE
# Prints a readable name for raw attribute VALUE of KIND (seclevel, objcat,
# datatype, maccheck, pmobjtype, rctype, loglevel); unknown values give N/A.
# rctype: "Error..."/"Use..." (tool output) -> N/A, $RCTYPEINHPAR -> Inherit
# Dev Major, otherwise the type name from rc_get_item, or the number itself
# when that lookup fails.  Prints "N/A" for an empty VALUE and a blank when
# no device is selected.
get_vname () {
  if test -z "$DEVSPEC"
  then
    echo " "
    return
  fi
  if test -z "$2"
  then
    echo "N/A"
    return
  fi
  case $1 in
    seclevel)
      case $2 in
        0)
          echo unclassified
          ;;
        1)
          echo confidential
          ;;
        2)
          echo secret
          ;;
        3)
          echo top secret
          ;;
        252)
          echo max. level
          ;;
        254)
          echo inherit
          ;;
        *)
          echo N/A
          ;;
      esac
      ;;
    objcat)
      case $2 in
        0)
          echo General
          ;;
        1)
          echo Security
          ;;
        2)
          echo System
          ;;
        *)
          echo N/A
          ;;
      esac
      ;;
    datatype)
      case $2 in
        0)
          echo None
          ;;
        1)
          echo SI
          ;;
        *)
          echo N/A
          ;;
      esac
      ;;
    maccheck)
      case $2 in
        0)
          echo Off
          ;;
        1)
          echo On
          ;;
        *)
          echo N/A
          ;;
      esac
      ;;
    pmobjtype)
      case $2 in
        0)
          echo None
          ;;
        1)
          echo TP
          ;;
        2)
          echo Personal Data
          ;;
        3)
          echo Non-Personal Data
          ;;
        4)
          echo IPC
          ;;
        5)
          echo Directory
          ;;
        *)
          echo N/A
          ;;
      esac
      ;;
    rctype)
      case $2 in
        Error*)
          echo N/A
          ;;
        Use*)
          echo N/A
          ;;
        $RCTYPEINHPAR)
          echo Inherit Dev Major
          ;;
        *)
          if ! $RSBACPATH""rc_get_item TYPE $2 type_dev_name 2>/dev/null
          then
            echo $2
          fi
          ;;
      esac
      ;;
    loglevel)
      case $2 in
        0)
          echo None
          ;;
        1)
          echo Denied
          ;;
        2)
          echo Full
          ;;
        3)
          echo Request
          ;;
        *)
          echo N/A
          ;;
      esac
      ;;
    *)
      echo ERROR!
      ;;
  esac
}

# gen_log_menu_items
# Rewrites ${TMPFILE}.2 with one "REQUEST LEVELNAME" pair per request in
# $REQUESTS, reading the current log_level of $DEVSPEC for each.
# NOTE(review): ${TMPFILE}.2 is opened with a plain redirect; only the base
# $TMPFILE name is created by mktemp, so this relies on nobody else being
# able to pre-create that derived name in $TMPDIR.
gen_log_menu_items() {
  if test -e ${TMPFILE}.2
  then
    rm ${TMPFILE}.2
  fi
  for i in $REQUESTS
  do
    TMP=`$RSBACPATH""attr_get_file_dir -d DEV $DEVSPEC log_level $i`
    echo $i `get_vname loglevel $TMP`>>${TMPFILE}.2
  done
}

# log_menu
# Per-request log level editor for $DEVSPEC: lists every request (the
# request names are taken from attr_get_file_dir's log_level NONE output on
# first use) with its current level; picking one opens a radio list
# (None/Denied/Full/Request) and stores the choice with attr_set_file_dir,
# appending the command to $RSBACLOGFILE when that is set.  Returns, after
# refreshing LOGLOW/LOGHIGH, on Quit or cancel.
log_menu () {
  if test -z "$REQUESTS"
  then
    REQUESTS=`$RSBACPATH""attr_get_file_dir -d DEV $DEVSPEC log_level NONE 2>/dev/null|grep -v types`
  fi
  gen_log_menu_items
  while true ; do \
    if ! \
      $DIALOG --title "$TITLE" \
      --backtitle "$BACKTITLE" \
      --default-item "$REQ" \
      --menu "$DEVSPEC: Log Levels for Requests" $BL $BC `gl 37` \
      `cat ${TMPFILE}.2` \
      "Quit" "" \
      2>$TMPFILE
    then
      rm ${TMPFILE}.2
      LOGLOW=`$RSBACPATH""attr_get_file_dir -d DEV $DEVSPEC log_array_low`
      LOGHIGH=`$RSBACPATH""attr_get_file_dir -d DEV $DEVSPEC log_array_high`
      return
    fi
    REQ=`cat $TMPFILE`
    case "$REQ" in
      Quit)
        rm ${TMPFILE}.2
        LOGLOW=`$RSBACPATH""attr_get_file_dir -d DEV $DEVSPEC log_array_low`
        LOGHIGH=`$RSBACPATH""attr_get_file_dir -d DEV $DEVSPEC log_array_high`
        return
        ;;
      *)
        # current level name of the chosen request, taken from the cached list
        VAL=`grep "^$REQ " ${TMPFILE}.2|cut -f 2 -d ' '`
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --radiolist "Choose Log Level for $DEVSPEC / $REQ" $BL $BC 5 \
          0 `get_vname loglevel 0` `onoff None $VAL` \
          1 `get_vname loglevel 1` `onoff Denied $VAL` \
          2 `get_vname loglevel 2` `onoff Full $VAL` \
          3 `get_vname loglevel 3` `onoff Request $VAL` \
          2>$TMPFILE
        then
          TMP=`cat $TMPFILE`
          if $RSBACPATH""attr_set_file_dir -d DEV "$DEVSPEC" log_level $REQ $TMP &>$TMPFILE
          then
            gen_log_menu_items
            if test -n "$RSBACLOGFILE"
            then
              echo $RSBACPATH""attr_set_file_dir -d DEV \"$DEVSPEC\" log_level $REQ $TMP >>"$RSBACLOGFILE"
            fi
          else \
            $DIALOG --title "$ERRTITLE" \
            --backtitle "$BACKTITLE" \
            --msgbox "`head -n 1 $TMPFILE`" $BL $BC
          fi
        fi
    esac
  done
}

# Columns available for the MAC category list next to its menu tag.
declare -i MAXCATLEN=$BC-38

# cat_print CATS
# Prints the category value CATS when the menu is at least 64 columns wide
# (MAXCATLEN), else "(too long)".
cat_print () {
  if test $MAXCATLEN -ge 64
  then
    echo $1
  else
    echo "(too long)"
  fi
}

# gen_cat_list CAT...
# For every category number given prints "CAT state state" (state = on/off
# from the mac_categories bit of $DEVSPEC): checklist item text and status.
gen_cat_list () {
  for i in $*
  do
    TMP=`$RSBACPATH""attr_get_file_dir -d DEV $DEVSPEC mac_categories $i`
    echo $i `onoffb $TMP` `onoffb $TMP`
  done
}

# Columns available for a file name next to its menu tag.
declare -i MAXNAMELEN=$BC-34

# name_print NAME
# Prints NAME, or only its last MAXNAMELEN characters when it is longer, so
# that it fits next to the menu tags.
name_print () {
  if test ${#1} -gt $MAXNAMELEN
  then
    declare -i START=${#1}-$MAXNAMELEN
    echo "$1" | cut -c$START-${#1}
  else
    echo "$1"
  fi
}

# gen_follow_symlink 1|2
# Supplies the optional "Follow" row of the generated main menu: with 1
# prints the tag, with 2 the (shortened) link target -- both only while the
# current object is a symlink, so the row disappears otherwise.
gen_follow_symlink () {
  case $1 in
    1)
      if test "$TYPE" = "SYMLINK"
      then
        echo 'Follow'
      fi
      ;;
    2)
      if test "$TYPE" = "SYMLINK"
      then
        echo "`name_print \"$SYMLINK\"`"
      fi
      ;;
  esac
}

###################### Menu #################
# Startup object: $1 may be a block/char special file (the device spec is
# then derived with attr_get_file_dir -C) or a device specification itself;
# without an argument browsing starts at $LASTDIR.
if test -n "$1"
then
  if test -b "$1" -o -c "$1"
then FILE=$1 DEVSPEC=$($RSBACPATH""attr_get_file_dir -C "$FILE") else FILE= DEVSPEC="$1" fi else FILE=$LASTDIR DEVSPEC= fi get_attributes if test -n "$RSBACLOGFILE" then { echo "" echo "# $0 start `date`" echo "cd `pwd`" } >>"$RSBACLOGFILE" fi { echo 'dev_menu ()' echo ' {' echo " $DIALOG --title \"$TITLE\" \\" echo ' --backtitle "$BACKTITLE" \' echo ' --help-button --default-item "$CHOICE" \' echo ' --menu "Main DEV Menu" $BL $BC `gl 20` \' echo ' "File/Dir List:" "Choose from listing of last dir" \' echo ' "Dev Major List:" "Choose from list of major numbers" \' echo ' "-------------------" " " \' echo ' "Dev special file:" "$FILE" \' echo ' "Dev specification:" "$DEVSPEC" \' echo ' `gen_follow_symlink 1` `gen_follow_symlink 2` \' echo ' "----------------" " " \' if test "$SHOW_MAC" = "yes" then echo ' "MAC Security Level:" "$SECLEVEL / `get_vname seclevel $SECLEVEL`" \' echo ' "MAC Categories:" "`cat_print $MACCAT`" \' echo ' "MAC Check:" "$MACCHECK / `get_vname maccheck $MACCHECK`" \' fi if test "$SHOW_PM" = "yes" then echo ' "PM Object Class:" "$PMCLASS" \' echo ' "PM Object Type:" "$PMOBJTYPE / `get_vname pmobjtype $PMOBJTYPE`" \' fi if test "$SHOW_RC" = "yes" then echo ' "RC Type:" "$RCTYPE / `get_vname rctype $RCTYPE`" \' fi if test "$SHOW_GEN" = "yes" then echo ' "Log Array Low:" "$LOGLOW" \' echo ' "Log Array High:" "$LOGHIGH" \' fi echo ' "----------------" " " \' echo ' "File/Dir Attributes:" "Go to File/Dir attribute menu" \' if test "$SHOW_ACL" = "yes" then echo ' "ACL Menu:" "Go to ACL menu" \' fi echo ' "Reset Attributes:" "Reset all values to default values" \' echo ' "Quit" ""' echo ' }' } > $TMPFILE . $TMPFILE #cp $TMPFILE /tmp/menu while true do if ! dev_menu 2>$TMPFILE then rm $TMPFILE ; exit fi CHOICE=`cat $TMPFILE` case "$CHOICE" in HELP*) show_help "${CHOICE:5}" CHOICE="${CHOICE:5}" ;; 'File/Dir List:') FILETMP="$FILE" if test ! 
-d $LASTDIR then $LASTDIR='/' fi TMP=`ls -1ad "$LASTDIR"/* "$LASTDIR"/.*` while $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$FILETMP" \ --menu "Device Name (choose cancel for $FILE)" $BL $BC $MAXLINES \ `for i in $TMP ; do list_item "$i" ; done` \ 2>$TMPFILE do FILETMP=`cat $TMPFILE` case "$FILETMP" in *) FILE="$FILETMP" if test -b "$FILE" -o -c "$FILE" then DEVSPEC=$($RSBACPATH""attr_get_file_dir -C "$FILE") else DEVSPEC= fi get_attributes TMP=`ls -1ad "$LASTDIR"/* "$LASTDIR"/.*` if test -L "$FILE" -o ! -d "$FILE" then break fi esac done ;; 'Dev Major List:') choose_major ;; "Dev special file:") if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Filename" $BL $BC $FILE \ 2>$TMPFILE then FILE=`cat $TMPFILE` DEVSPEC=$($RSBACPATH""attr_get_file_dir -C "$FILE") get_attributes fi ;; "Dev specification:") if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "Device specification {b|c}major[:minor]" $BL $BC "$DEVSPEC" \ 2>$TMPFILE then DEVSPEC=`cat $TMPFILE` FILE= get_attributes fi ;; "Follow") case "$SYMLINK" in /*) FILE="$SYMLINK" ;; *) FILE="`dirname $FILE`/$SYMLINK" ;; esac get_attributes ;; 'MAC Security Level:') if test -n "DEVSPEC" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose Security Level for $FILE (old value: $SECLEVEL)" $BL $BC 7 \ "Enter" "Numeric Value" off \ 0 "`get_vname seclevel 0`" `onoff 0 $SECLEVEL` \ 1 "`get_vname seclevel 1`" `onoff 1 $SECLEVEL` \ 2 "`get_vname seclevel 2`" `onoff 2 $SECLEVEL` \ 3 "`get_vname seclevel 3`" `onoff 3 $SECLEVEL` \ 252 "`get_vname seclevel 252`" `onoff 252 $SECLEVEL` \ 254 "`get_vname seclevel 254`" `onoff 254 $SECLEVEL` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if test "$TMP" = "Enter" then if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "MAC security level" $BL $BC "$SECLEVEL" \ 2>$TMPFILE then TMP="`cat $TMPFILE`" if test $TMP -gt 254 then $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox 
"Invalid security level value $TMP!" $BL $BC TMP="" fi else TMP="" fi fi if test -n "$TMP" then if $RSBACPATH""attr_set_file_dir -d DEV "$DEVSPEC" security_level $TMP &>$TMPFILE then SECLEVEL=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir -d DEV \"$DEVSPEC\" security_level $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Security Level: No dev special file specified!" 5 $BC fi ;; 'MAC Categories:') if test -n "DEVSPEC" then \ ALLCATNR=`$RSBACPATH""attr_get_file_dir list_category_nr` if $DIALOG --title "MAC Categories for device $FILE" \ --backtitle "$BACKTITLE" \ --checklist "Bits: $MACCAT" $BL $BC $MAXLINES \ `gen_cat_list $ALLCATNR` \ 2>$TMPFILE then TMP=`cat $TMPFILE|tr -d '"'` for i in $ALLCATNR do if $RSBACPATH""attr_set_file_dir -d DEV "$DEVSPEC" mac_categories $i 0 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir -d DEV \"$DEVSPEC\" mac_categories $i 0 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done for i in $TMP do if $RSBACPATH""attr_set_file_dir -d DEV "$DEVSPEC" mac_categories $i 1 &>$TMPFILE then if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir -d DEV \"$DEVSPEC\" mac_categories $i 1 >>"$RSBACLOGFILE" fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC continue fi done MACCAT=`$RSBACPATH""attr_get_file_dir -d DEV $DEVSPEC mac_categories` fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "MAC Categories: No user specified!" 
5 $BC fi ;; 'MAC Check:') if test -n "DEVSPEC" then \ if test $MACCHECK = "0" then TMP="1" else TMP="0" fi if $RSBACPATH""attr_set_file_dir -d DEV "$DEVSPEC" mac_check $TMP &>$TMPFILE then MACCHECK=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir -d DEV \"$DEVSPEC\" mac_check $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Mac Check: No dev special file specified!" 5 $BC fi ;; 'PM Object Type:') if test -n "DEVSPEC" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --radiolist "Choose PM Object Type for $FILE" $BL $BC 6 \ 0 "`get_vname pmobjtype 0`" `onoff 0 $PMOBJTYPE` \ 1 "`get_vname pmobjtype 1`" `onoff 1 $PMOBJTYPE` \ 2 "`get_vname pmobjtype 2`" `onoff 2 $PMOBJTYPE` \ 3 "`get_vname pmobjtype 3`" `onoff 3 $PMOBJTYPE` \ 4 "`get_vname pmobjtype 4`" `onoff 4 $PMOBJTYPE` \ 5 "`get_vname pmobjtype 5`" `onoff 5 $PMOBJTYPE` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_file_dir -d DEV "$DEVSPEC" pm_object_type $TMP &>$TMPFILE then PMOBJTYPE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir -d DEV \"$DEVSPEC\" pm_object_type $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "PM Object Type: No dev special file specified!" 
5 $BC fi ;; 'PM Object Class:') if test -n "DEVSPEC" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "PM Object Class (long integer) for $FILE" \ $BL $BC "$PMCLASS" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_file_dir -d DEV "$DEVSPEC" pm_object_class $TMP &>$TMPFILE then PMCLASS=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir -d DEV \"$DEVSPEC\" pm_object_class $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "PM Object Class: No dev special file specified!" 5 $BC fi ;; 'RC Type:') if test -n "DEVSPEC" then if $RSBACPATH""rc_get_item list_dev_types >$TMPFILE then if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --default-item "$RCTYPE" \ --menu "Choose RC Type for $DEVSPEC - $FILE" $BL $BC $MAXLINES \ $RCTYPEINHPAR "Inherit from major" \ `cat $TMPFILE` \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_file_dir -d DEV "$DEVSPEC" rc_type $TMP &>$TMPFILE then RCTYPE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir -d DEV \"$DEVSPEC\" rc_type $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --inputbox "RC Type (integer) for $FILE" \ $BL $BC "$RCTYPE" \ 2>$TMPFILE then TMP=`cat $TMPFILE` if $RSBACPATH""attr_set_file_dir -d DEV "$DEVSPEC" rc_type $TMP &>$TMPFILE then RCTYPE=$TMP if test -n "$RSBACLOGFILE" then echo $RSBACPATH""attr_set_file_dir -d DEV \"$DEVSPEC\" rc_type $TMP >>"$RSBACLOGFILE" fi else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "RC Type: No device specified!" 
5 $BC fi ;; 'Log Array Low:') if test -n "DEVSPEC" then \ log_menu else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Log Array Low: No dev special file specified!" 5 $BC fi ;; 'Log Array High:') if test -n "DEVSPEC" then \ log_menu else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Log Array High: No dev special file specified!" 5 $BC fi ;; 'File/Dir Attributes:') $RSBACPATH""rsbac_fd_menu "$FILE" ;; 'ACL Menu:') $RSBACPATH""rsbac_acl_menu DEV "$FILE" ;; 'Reset Attributes:') if test -n "DEVSPEC" then \ if $DIALOG --title "$TITLE" \ --backtitle "$BACKTITLE" \ --yesno "Reset all attributes to default values?" 5 $BC \ 2>/dev/null then if $RSBACPATH""attr_rm_file_dir -d DEV "$DEVSPEC" &>$TMPFILE then get_attributes else \ $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "`head -n 1 $TMPFILE`" $BL $BC fi fi else $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Reset Attributes: No file/dir specified!" 5 $BC fi ;; Quit) rm $TMPFILE ; exit ;; *) $DIALOG --title "$ERRTITLE" \ --backtitle "$BACKTITLE" \ --msgbox "Main Menu: Selection Error!" 5 $BC esac # sleep 2 done rsbac-admin-1.4.0/main/tools/src/scripts/backup_all_1.1.20000755000175000017500000000532111131371032022637 0ustar gauvaingauvain#!/bin/sh # # Backup RSBAC attributes for upgrade from 1.1.2 to 1.2.0 # # This script generates a backup of most RSBAC settings on stdout. # # It is intended to run with v1.1.2 admin tools under a RSBAC v1.1.2 kernel, # and the restore must run with v1.2.0 admin tools under a v1.2.0 kernel. # # Current exceptions: PM data structures, ADF log levels # # Please make sure you have READ right in all Directories and # READ_ATTRIBUTES for all objects, # e.g. use setuid 0, RC force_role 'Role Admin', etc., # or set min_caps to DAC_READ_SEARCH for non-root user with READ_ATTRIBUTE etc. 
# or ( set softmode | switch off all modules | start Maintenance kernel ) and run as root
#
echo "#!/bin/sh"
echo "#"
echo "# RSBAC v1.1.2 backup for restore on v1.2.0"
echo "#"
echo "# `date`"
echo "#"

# PM
# Sorry, no backup yet. Boot non-RSBAC kernel and copy /rsbac/pm* to backup
# dir. To restore copy back.

# AUTH
auth_back_cap -r /

# RC
rc_get_item backup|grep TYPE
# The special role/type numbers 64-69 of v1.1.2 are renumbered to the
# high values v1.2.0 uses for them
rc_get_item backup|grep ROLE \
  | sed -e "s/type 64/type 4294967295/g" \
  | sed -e "s/type 65/type 4294967294/g" \
  | sed -e "s/type 66/type 4294967293/g" \
  | sed -e "s/type 67/type 4294967292/g" \
  | sed -e "s/type 68/type 4294967291/g" \
  | sed -e "s/type 69/type 4294967290/g" \
  | sed -e "s/role 64/role 4294967295/g" \
  | sed -e "s/role 65/role 4294967294/g" \
  | sed -e "s/role 66/role 4294967293/g" \
  | sed -e "s/role 67/role 4294967292/g" \
  | sed -e "s/role 68/role 4294967291/g"
ALLROLE=`rc_get_item list_used_role_nr`
ALLFDTYPE=`rc_get_item list_used_fd_type_nr`
# Every role/FD-type pair whose compatibility contains EXECUTE additionally
# gets MAP_EXEC in the restore script
for role in $ALLROLE
do
  for type in $ALLFDTYPE
  do
    if rc_get_item -p ROLE $role type_comp_fd $type | grep -q 'EXECUTE'
    then
      echo "rc_set_item -va ROLE $role type_comp_fd $type MAP_EXEC"
    fi
  done
done
echo "rc_set_item -va ROLE 2 type_comp_scd 10 MODIFY_SYSTEM_DATA"

# ACL
acl_tlist -bpr FD :DEFAULT: / | sed -e "s/EXECUTE/EXECUTE MAP_EXEC/g"
acl_tlist -br DEV :DEFAULT: /dev
acl_tlist -br IPC :DEFAULT:
acl_tlist -bpr SCD :DEFAULT: `acl_tlist -n` | sed -e "s/EXECUTE/MAP_EXEC/g"
echo "acl_grant -v USER 0 MODIFY_SYSTEM_DATA SCD other"
acl_tlist -br PROCESS :DEFAULT:
acl_mask -bpr FD / | sed -e "s/EXECUTE/EXECUTE MAP_EXEC/g"
acl_mask -br DEV /dev
acl_mask -bp SCD `acl_tlist -n`

# General attributes (last because of RC types at restore time - if RC is active)
attr_back_fd -r -m / \
  | sed -e "s/rc_force_role 64/rc_force_role 4294967295/g" \
  | sed -e "s/rc_force_role 65/rc_force_role 4294967294/g" \
  | sed -e "s/rc_force_role 66/rc_force_role 4294967293/g" \
  | sed -e "s/rc_force_role 67/rc_force_role 4294967292/g" \
  | sed -e "s/rc_initial_role 66/rc_initial_role 4294967293/g" \
  | sed -e "s/rc_initial_role 68/rc_initial_role 4294967291/g"
attr_back_dev /dev/*
attr_back_user -a
rsbac-admin-1.4.0/main/tools/src/scripts/rsbac_acl_group_menu0000755000175000017500000004107211131371032024177 0ustar gauvaingauvain#!/bin/bash
#
# This script is used for Administration of RSBAC ACL groups
#
#
# Make sure we're really running bash.
#
[ -z "$BASH" ] && { echo "This menu requires bash" 1>&2; exit 1; }
#
# Cache function definitions, turn off posix compliance
#
set -h +o posix

# The dir for tmp files
if test -z "$TMPDIR" ; then TMPDIR=/tmp ; fi

# This must be a unique temporary filename
TMPFILE=`mktemp -q $TMPDIR/rsbac_dialog.XXXXXX`
if test -z $TMPFILE
then
  # NOTE(review): this fallback name is predictable ($$) and an existing file
  # is removed rather than the new one being created exclusively; in a shared
  # $TMPDIR another user could place a link at that path between the rm and
  # the first redirection into it. Prefer failing when mktemp is unavailable.
  TMPFILE=$TMPDIR/rsbac_dialog.$$
  if test -e $TMPFILE
  then
    rm $TMPFILE
  fi
fi
TMPFILETWO=`mktemp -q $TMPDIR/rsbac_dialog.XXXXXX`
if test -z $TMPFILETWO
then
  # NOTE(review): same predictable-name fallback as for TMPFILE above
  TMPFILETWO=$TMPDIR/rsbac_dialog.$$.2
  if test -e $TMPFILETWO
  then
    rm $TMPFILETWO
  fi
fi

# set this to rsbac bin dir, if not in path (trailing / is mandatory!)
#
#if test -z "$RSBACPATH" ; then RSBACPATH=./ ; fi

# set this to initial dir on script startup
LASTDIR='.'

# which dialog tool to use - dialog or kdialog or xdialog...
if test -z $DIALOG
then
  DIALOG=${RSBACPATH}dialog
fi
if ! $DIALOG --clear
then
  echo $DIALOG menu program required! >&2
  exit
fi
if ! $DIALOG --help 2>&1 | grep -q "help-button"
then
  echo "Newer dialog menu version >= 0.9a-20020309a with '--help-button' option" >&2
  echo "required, please use dialog from admin tools contrib dir or set" >&2
  echo "\$DIALOG to another dialog program, e.g. with rsbac_settings_menu!" >&2
  exit
fi

# Derive the dialog geometry from "stty size" output ($1 rows, $2 columns),
# defaulting to 24x80 when missing or zero; exports LINES/COLUMNS and sets the
# BL/BC/MAXLINES globals used by every dialog call
set_geometry () {
  BL=${1:-24}
  BC=${2:-80}
  [ $BL = 0 ] && BL=24
  [ $BC = 0 ] && BC=80
  export LINES=$BL
  export COLUMNS=$BC
  BL=$((BL-4))
  BC=$((BC-5))
  MAXLINES=$((LINES-10))
}
set_geometry `stty size 2>/dev/null`

# test for LINES and COLUMNS (should be exported e.g. in /etc/profile)
if test -z "$LINES" ; then LINES=25 ; fi
if test -z "$COLUMNS" ; then COLUMNS=80 ; fi
export LINES
export COLUMNS
# NOTE(review): these re-derive BL/BC from the LINES/COLUMNS that set_geometry
# just exported; BC ends up COLUMNS-4 here versus COLUMNS-5 inside set_geometry
declare -i BL=$LINES-4
declare -i BC=$COLUMNS-4
declare -i MAXWIDTH=$BC-26
declare -i MAXLINES=$LINES-10

if test -z "$BACKTITLE"
then
  BACKTITLE="RSBAC Administration Tools 1.4.0"
fi
TITLE="`whoami`@`hostname`: RSBAC ACL Group Administration"
HELPTITLE="`whoami`@`hostname`: RSBAC ACL Group Administration Help"
ERRTITLE="RSBAC ACL Administration - ERROR"

## no changes below this line!

NO_USER=65533
ALL_USERS=65532
GETMODE=real
GETSWITCH=

# Show the help text for menu item $1 in the language selected by RSBACLANG
show_help () {
  case "$RSBACLANG" in
    DE)
      show_help_german "$1"
      ;;
    RU)
      show_help_russian "$1"
      ;;
    *)
      show_help_english "$1"
      ;;
  esac
}

# English help text for item $1, written to $TMPFILE and shown in a textbox
show_help_english () {
  {
    echo "$1"
    echo ""
    case "$1" in
      Type)
        echo 'Set the group type: Private or Global.'
        ;;
      Owner)
        echo 'Set the group owner. You can transfer your own groups to other users,'
        echo 'but you will not be able to administrate them afterwards, because'
        echo 'you are no longer the group owner.'
        ;;
      Name)
        echo 'Change the group name. Since groups are identified by number, the'
        echo 'group name is for user benefit only.'
        ;;
      'Add Members')
        echo 'Add group members. Only users can be added.'
        ;;
      'Remove Members')
        echo 'Remove group members.'
        ;;
      'All / Personal')
        echo 'Show all or only your personal groups.'
        ;;
      'Add Group')
        echo 'Add a personal group.'
        ;;
      'Remove Group')
        echo 'Remove one of your groups.'
        ;;
      Quit)
        echo 'Quit this menu.'
        ;;
      *)
        echo "No help for $1 available!"
    esac
  } > $TMPFILE
  $DIALOG --title "$HELPTITLE" \
    --backtitle "$BACKTITLE" \
    --textbox $TMPFILE $BL $BC
  # sleep 1
}

# German help text for item $1 (the displayed strings stay in German)
show_help_german () {
  {
    echo "$1"
    echo ""
    case "$1" in
      Type)
        echo 'Setze den Gruppen-Typ: Privat oder Global.'
        ;;
      Owner)
        echo 'Setze den Gruppen-Eigner. Eigene Gruppen können an andere Benutzer'
        echo 'übertragen werden, können dann aber nur noch vom neuen Besitzer'
        echo 'administriert werden.'
        ;;
      Name)
        echo 'Ändere den Gruppennamen. Da Gruppen nach Nummern identifiziert'
        echo 'werden, dient der Name nur der Benutzerfreundlichkeit.'
        ;;
      'Add Members')
        echo 'Füge Gruppenmitglieder hinzu. Nur Benutzer können hinzugefügt'
        echo 'werden.'
        ;;
      'Remove Members')
        echo 'Entferne Gruppenmitglieder.'
        ;;
      'All / Personal')
        echo 'Zeige alle oder nur eigene Gruppen.'
        ;;
      'Add Group')
        echo 'Füge eigene Gruppe hinzu.'
        ;;
      'Remove Group')
        echo 'Entferne eigene Gruppe.'
        ;;
      Quit)
        echo 'Beende dieses Menü.'
        ;;
      *)
        echo "No help for $1 available!"
    esac
  } > $TMPFILE
  $DIALOG --title "$HELPTITLE" \
    --backtitle "$BACKTITLE" \
    --textbox $TMPFILE $BL $BC
  # sleep 1
}

# Help text selected for RSBACLANG=RU; the strings are currently English
show_help_russian () {
  {
    echo "$1"
    echo ""
    case "$1" in
      Type)
        echo 'Set the group type: Private or Global.'
        ;;
      Owner)
        echo 'Set the group owner. You can transfer your own groups to other users,'
        echo 'but you will not be able to administrate them afterwards, because'
        echo 'you are no longer the group owner.'
        ;;
      Name)
        echo 'Change the group name. Since groups are identified by number, the'
        echo 'group name is for user benefit only.'
        ;;
      'Add Members')
        echo 'Add a group member. Only users can be added.'
        ;;
      'Remove Members')
        echo 'Remove a group member.'
        ;;
      'All / Personal')
        echo 'Show all or only your personal groups.'
        ;;
      'Add Group')
        echo 'Add a personal group.'
        ;;
      'Remove Group')
        echo 'Remove one of your groups.'
        ;;
      Quit)
        echo 'Quit this menu.'
        ;;
      *)
        echo "No help for $1 available!"
    esac
  } > $TMPFILE
  $DIALOG --title "$HELPTITLE" \
    --backtitle "$BACKTITLE" \
    --textbox $TMPFILE $BL $BC
  # sleep 1
}

# Print "on" when $1 equals $2, else "off" (radiolist/checklist state)
onoff () {
  if test "$1" = "$2"
  then
    echo on
  else
    echo off
  fi
}

# Print "on" when $1 is the string "1", else "off"
onoffb () {
  if test "$1" = "1"
  then
    echo on
  else
    echo off
  fi
}

# Print a display name for value $2 of attribute $1; a single space when the
# global TYPE is NONE, "N/A" for an empty value, ERROR! for unknown attributes
get_vname () {
  if test "$TYPE" = "NONE"
  then
    echo " "
    return
  fi
  if test -z "$2"
  then
    echo "N/A"
    return
  fi
  case $1 in
    onoff)
      case $2 in
        1)
          echo On
          ;;
        *)
          echo Off
          ;;
      esac
      ;;
    *)
      echo ERROR!
;;
  esac
}

# Full name of user $1 via attr_get_user; a single space for an empty argument
full_name () {
  if test "$1" = ""
  then
    echo " "
  else
    echo `$RSBACPATH""attr_get_user $1 full_name`
  fi
}

# Numeric id of user $1 via attr_get_user; a single space for an empty argument
get_uid () {
  if test "$1" = ""
  then
    echo " "
  else
    echo `$RSBACPATH""attr_get_user $1 user_nr`
  fi
}

# Login name of user $1 via attr_get_user; a single space for an empty argument
get_name () {
  if test "$1" = ""
  then
    echo " "
  else
    echo `$RSBACPATH""attr_get_user $1 user_name`
  fi
}

# Turn the underscores of a packed subject string back into spaces
split_subj () {
  echo $1|tr '_' ' '
}

# Menu rows "nr entry" for the group list: acl_group -gsn when $1 is All,
# acl_group -sn otherwise; spaces in the entry are packed as underscores so
# each row stays one word for the dialog argument list
gen_glist () {
  if test "$1" = "All"
  then
    TMP=`$RSBACPATH""acl_group -gsn list_groups`
  else
    TMP=`$RSBACPATH""acl_group -sn list_groups`
  fi
  for i in $TMP
  do
    TMP2=`$RSBACPATH""acl_group -s get_group_entry $i|tr ' ' '_'`
    echo $i $TMP2
  done
}

# Room left on a menu row for a name
declare -i MAXNAMELEN=$BC-34

# Print $1, keeping only its last MAXNAMELEN characters when it is longer
name_print () {
  if test ${#1} -gt $MAXNAMELEN
  then
    declare -i START=${#1}-$MAXNAMELEN
    echo "$1" | cut -c$START-${#1}
  else
    echo "$1"
  fi
}

# Member list of group $1 as printed by acl_group (used directly as menu rows)
gen_ulist () {
  $RSBACPATH""acl_group get_group_members $1
}

# Checklist rows "uid name off" for every user known to attr_get_user -nl,
# sorted numerically; prints nothing if the user list cannot be read
gen_member_add_choice () {
  if ${RSBACPATH}attr_get_user -nl >$TMPFILE
  then
    TMP=`cat $TMPFILE | sort -n`
    for i in $TMP
    do
      echo $i `get_name $i` off
    done
  fi
}

# Checklist rows "uid name off" for the current members of $GROUP
gen_member_remove_choice () {
  if $RSBACPATH""acl_group -sn get_group_members $GROUP >$TMPFILE 2>/dev/null
  then
    TMP=`cat $TMPFILE`
    for i in $TMP
    do
      echo $i `get_name $i` off
    done
  fi
}

# Sub-menu for one group ($1): loads type, owner and name, then loops over
# the group dialog until cancel or Quit. Sets the globals GROUP, TYPE, OWNER,
# NAME and SELECTED; removes $TMPFILETWO on the way out.
group_menu () {
  GROUP=$1
  if $RSBACPATH""acl_group get_group_type $GROUP >$TMPFILE 2>$TMPFILETWO
  then
    TYPE=`cat $TMPFILE`
  else
    $DIALOG --title "$ERRTITLE" \
      --backtitle "$BACKTITLE" \
      --msgbox "`head -n 1 $TMPFILETWO`" $BL $BC
    return
  fi
  if $RSBACPATH""acl_group get_group_owner $GROUP >$TMPFILE 2>$TMPFILETWO
  then
    OWNER=`cat $TMPFILE`
  else
    $DIALOG --title "$ERRTITLE" \
      --backtitle "$BACKTITLE" \
      --msgbox "`head -n 1 $TMPFILETWO`" $BL $BC
    return
  fi
  if $RSBACPATH""acl_group get_group_name $GROUP >$TMPFILE 2>$TMPFILETWO
  then
    NAME=`cat $TMPFILE`
  else
    $DIALOG --title "$ERRTITLE" \
      --backtitle "$BACKTITLE" \
      --msgbox "`head -n 1 $TMPFILETWO`" $BL $BC
    return
  fi
  while true ; do \
    if ! \
    $DIALOG --title "$TITLE" \
      --backtitle "$BACKTITLE" \
      --help-button --default-item "$SELECTED" \
      --menu "Group Menu - Group $GROUP" $BL $BC $MAXLINES \
      "Type" "$TYPE" \
      "Owner" "$OWNER" \
      "Name" "$NAME" \
      "--------------" "" \
      "Add Members" "" \
      "Remove Members" "" \
      "--------------" "" \
      `gen_ulist $GROUP` \
      "--------------" "" \
      "Quit" "" \
      2>$TMPFILE
    then
      rm $TMPFILETWO ; return
    fi
    SELECTED=`cat $TMPFILE`
    case $SELECTED in
      HELP*)
        show_help "${SELECTED:5}"
        SELECTED="${SELECTED:5}"
        ;;
      Type)
        # Toggle PRIVATE <-> GLOBAL; owner and name are passed through unchanged
        if test "$TYPE" = PRIVATE
        then
          TMP=GLOBAL
        else
          TMP=PRIVATE
        fi
        if $RSBACPATH""acl_group change_group $GROUP $OWNER $TMP "$NAME" &>$TMPFILE
        then
          TYPE=$TMP
          if test -n "$RSBACLOGFILE"
          then
            echo $RSBACPATH""acl_group change_group $GROUP $OWNER $TMP \"$NAME\" >>"$RSBACLOGFILE"
          fi
        else
          $DIALOG --title "$ERRTITLE" \
            --backtitle "$BACKTITLE" \
            --msgbox "`head -n 1 $TMPFILE`" $BL $BC
        fi
        ;;
      Owner)
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --default-item "$OWNER" \
          --menu "Choose new owner for group $GROUP" $BL $BC $MAXLINES \
          `${RSBACPATH}attr_get_user -bl` \
          2>$TMPFILE
        then
          TMP=`cat $TMPFILE`
          if $RSBACPATH""acl_group change_group $GROUP $TMP $TYPE "$NAME" &>$TMPFILE
          then
            OWNER=$TMP
            if test -n "$RSBACLOGFILE"
            then
              echo $RSBACPATH""acl_group change_group $GROUP $TMP $TYPE \"$NAME\" >>"$RSBACLOGFILE"
            fi
          else
            $DIALOG --title "$ERRTITLE" \
              --backtitle "$BACKTITLE" \
              --msgbox "`head -n 1 $TMPFILE`" $BL $BC
          fi
        fi
        ;;
      Name)
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --inputbox "New name for group $GROUP (maxlen = 15)" $BL $BC "$NAME" \
          2>$TMPFILE
        then
          TMP=`cat $TMPFILE`
          if $RSBACPATH""acl_group change_group $GROUP $OWNER $TYPE "$TMP" &>$TMPFILE
          then
            NAME="$TMP"
            if test -n "$RSBACLOGFILE"
            then
              echo $RSBACPATH""acl_group change_group $GROUP $OWNER $TYPE \"$TMP\" >>"$RSBACLOGFILE"
            fi
          else
            $DIALOG --title "$ERRTITLE" \
              --backtitle "$BACKTITLE" \
              --msgbox "`head -n 1 $TMPFILE`" $BL $BC
          fi
        fi
        ;;
      'Add Members')
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --checklist "New members for group $GROUP" $BL $BC $MAXLINES \
          `gen_member_add_choice` \
          2>$TMPFILE
        then
          # dialog quotes the ticked tags; strip the quotes before passing them on
          TMP=`cat $TMPFILE | tr -d '"'`
          if $RSBACPATH""acl_group add_member $GROUP $TMP &>$TMPFILE
          then
            if test -n "$RSBACLOGFILE"
            then
              echo $RSBACPATH""acl_group add_member $GROUP $TMP >>"$RSBACLOGFILE"
            fi
          else
            $DIALOG --title "$ERRTITLE" \
              --backtitle "$BACKTITLE" \
              --msgbox "`head -n 1 $TMPFILE`" $BL $BC
          fi
        fi
        ;;
      'Remove Members')
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --checklist "Members to be removed from group $GROUP" $BL $BC $MAXLINES \
          `gen_member_remove_choice` \
          2>$TMPFILE
        then
          TMP=`cat $TMPFILE | tr -d '"'`
          if $RSBACPATH""acl_group remove_member $GROUP $TMP &>$TMPFILE
          then
            if test -n "$RSBACLOGFILE"
            then
              echo $RSBACPATH""acl_group remove_member $GROUP $TMP >>"$RSBACLOGFILE"
            fi
          else
            $DIALOG --title "$ERRTITLE" \
              --backtitle "$BACKTITLE" \
              --msgbox "`head -n 1 $TMPFILE`" $BL $BC
          fi
        fi
        ;;
      Quit)
        rm $TMPFILETWO
        return
        ;;
      "--------------")
        $DIALOG --title "$ERRTITLE" \
          --backtitle "$BACKTITLE" \
          --msgbox "Group Menu: Selection Error!" 5 $BC
        ;;
      *)
        # A member row was picked: the TTL is taken from the ":NNNs" part of
        # the row (0 when absent) and the member is re-added with that TTL
        TMP=`get_name $SELECTED`
        TTL=`echo $SELECTED|cut -d ':' -f 2|cut -d 's' -f 1`
        if test "$TTL" = "$SELECTED" -o -z "$TTL"
        then
          TTL=0
        fi
        if $DIALOG --title "$TITLE" \
          --backtitle "$BACKTITLE" \
          --inputbox "TTL for Group $GROUP Member $SELECTED: `grep '^'$TMP /etc/passwd`" 7 $BC "$TTL" 2>$TMPFILE
        then
          TTL=`cat $TMPFILE`
          if $RSBACPATH""acl_group -t "$TTL" add_member $GROUP "$SELECTED" &>$TMPFILE
          then
            if test -n "$RSBACLOGFILE"
            then
              echo $RSBACPATH""acl_group -t \"$TTL\" add_member $GROUP \"$SELECTED\" >>"$RSBACLOGFILE"
            fi
          else
            $DIALOG --title "$ERRTITLE" \
              --backtitle "$BACKTITLE" \
              --msgbox "`head -n 1 $TMPFILE`" $BL $BC
          fi
        fi
        ;;
    esac
  done
}

###################### Menu #################

SHOW=All

if test "$1" = "-h" -o "$1" = "--help"
then
  echo Use: $0 '[group-id]'
  exit
fi
if test -n "$RSBACLOGFILE"
then
  {
    echo ""
    echo "# $0 start `date`"
  } >>"$RSBACLOGFILE"
fi
# A group id on the command line opens that group's menu first
if test -n "$1"
then
  group_menu $1
fi

while true ; do \
  if ! \
  $DIALOG --title "$TITLE" \
    --backtitle "$BACKTITLE" \
    --help-button --default-item "$SELECTED" \
    --menu "Main Menu" $BL $BC $MAXLINES \
    "All / Personal" "$SHOW" \
    "Add Group" "" \
    "Remove Group" "" \
    "--------------" "" \
    `gen_glist $SHOW` \
    "--------------" "" \
    "Quit" "" \
    2>$TMPFILE
  then
    rm $TMPFILE ; exit
  fi
  SELECTED=`cat $TMPFILE`
  case $SELECTED in
    HELP*)
      show_help "${SELECTED:5}"
      SELECTED="${SELECTED:5}"
      ;;
    "All / Personal")
      if test "$SHOW" = "All"
      then
        SHOW=Personal
      else
        SHOW=All
      fi
      ;;
    'Add Group')
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --inputbox "Name for new group (maxlen = 15)" $BL $BC "New Group" \
        2>$TMPFILE
      then
        TMP=`cat $TMPFILE`
        if $RSBACPATH""acl_group add_group P "$TMP" &>$TMPFILE
        then
          if test -n "$RSBACLOGFILE"
          then
            echo $RSBACPATH""acl_group add_group P \"$TMP\" >>"$RSBACLOGFILE"
          fi
        else
          $DIALOG --title "$ERRTITLE" \
            --backtitle "$BACKTITLE" \
            --msgbox "`head -n 1 $TMPFILE`" $BL $BC
        fi
      fi
      ;;
    "Remove Group")
      if $DIALOG --title "$TITLE" \
        --backtitle "$BACKTITLE" \
        --default-item "$SELECTED" \
        --menu "Choose group to delete" $BL $BC $MAXLINES \
        `gen_glist Personal` \
        2>$TMPFILE
      then
        TMP=`cat $TMPFILE`
        if $RSBACPATH""acl_group remove_group $TMP &>$TMPFILE
        then
          if test -n "$RSBACLOGFILE"
          then
            echo $RSBACPATH""acl_group remove_group $TMP >>"$RSBACLOGFILE"
          fi
        else
          $DIALOG --title "$ERRTITLE" \
            --backtitle "$BACKTITLE" \
            --msgbox "`head -n 1 $TMPFILE`" $BL $BC
        fi
      fi
      ;;
    Quit)
      rm $TMPFILE ; exit
      ;;
    # NOTE(review): this label has 19 dashes while the separator rows above
    # use 14, so picking a separator falls through to the group_menu branch
    -------------------)
      $DIALOG --title "$ERRTITLE" \
        --backtitle "$BACKTITLE" \
        --msgbox "Main Menu: Selection Error!" 5 $BC
      ;;
    *)
      group_menu $SELECTED
      ;;
  esac
  # sleep 2
done
rsbac-admin-1.4.0/main/tools/src/attr_back_fd.c0000644000175000017500000004667711131371033021201 0ustar gauvaingauvain/*************************************************** */
/* Rule Set Based Access Control */
/* */
/* Author and (c) 1999-2008: Amon Ott */
/* */
/* Last modified: 24/Nov/2008 */
/*************************************************** */

/* NOTE(review): the system header names of these includes were lost in this
 * listing; the original file names them. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "nls.h"

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

/* Name of the tool whose invocations the backup consists of */
const char set_prog[] = "attr_set_file_dir";

enum rsbac_attribute_t attr_list[RSBAC_FD_NR_ATTRIBUTES] = RSBAC_FD_ATTR_LIST;

/* Command line state, set in main() */
int recurse = 0;
int verbose = 0;
int printall = 0;
int exrdat = 0;
char * filename = NULL;
char * filelistname = NULL;
rsbac_pax_flags_t pax_flags = RSBAC_PAX_DEF_FLAGS;
rsbac_list_ta_number_t ta_number = 0;
char * progname;
rsbac_boolean_t module_enabled[SW_NONE+1];

/* Default value per attribute, in attr_list order; process() only emits a
 * set command for values that differ from these */
__s64 def_attr[RSBAC_FD_NR_ATTRIBUTES] = {
SL_inherit, /* sec_level */
RSBAC_MAC_INHERIT_CAT_VECTOR, /* mac_categories */
MA_inherit, /* mac_auto */
FALSE, /* mac_prop_trusted */
0, /* mac_file_flags */
0, /* pm_object_class */
0, /* pm_tp */
PO_none, /* pm_object_type */
FALSE, /* daz_scanner */
RSBAC_FF_DEF, /* ff_flags */
RC_type_inherit_parent, /* rc_type_fd */
RC_default_force_role, /* rc_force_role */
RC_default_initial_role, /* rc_initial_role */
FALSE, /* auth_may_setuid */
FALSE, /* auth_may_set_cap */
FALSE, /* auth_learn */
(rsbac_request_vector_t) -1, /* log_array_low */
(rsbac_request_vector_t) -1, /* log_array_high */
0, /* log_program_based */
0, /* symlink_add_remote_ip */
FALSE, /* symlink_add_uid */
FALSE, /* symlink_add_mac_level */
FALSE, /* symlink_add_rc_role */
LDD_inherit, /* linux_dac_disable */
0, /* min_caps */
(__u32) -1, /* max_caps */
LD_keep, /* cap_ld_env */
0, /* res_min (not used) */
0, /* res_max (not used) */
RSBAC_PAX_DEF_FLAGS, /* pax_flags */
FR_off, /* fake_root_uid */
RSBAC_NO_USER, /* auid_exempt */
DEFAULT_DAZ_FD_DO_SCAN, /* daz_do_scan */
RSBAC_UM_VIRTUAL_KEEP /* vset */
};

/* Print the command line help for this tool to stdout. */
void use(void)
{
  printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION);
  printf(gettext("Use: %s [options] file/dirname(s)\n"), progname);
  printf(gettext("- should be called by user with full attribute read access,\n e.g. root with all modules off\n"));
  printf(gettext(" -r = recurse in subdirs, -v = verbose, no symlinks followed,\n"));
  printf(gettext(" -p = print requests, -s = ignore daz_scanned,\n"));
  printf(gettext(" -T file = read target list from file (- for stdin),\n"));
  printf(gettext(" -i = use MAC non-inherit values as default values,\n"));
  printf(gettext(" -P flags = use these PaX flags as default, preset is PeMRxS,\n"));
  printf(gettext(" -o target-file = write to file, not stdout,\n"));
  printf(gettext(" -a = list attributes and values,\n"));
  printf(gettext(" -M module = only backup attributes for this module,\n"));
  printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n"));
}

/*
 * Write one set_prog command line per attribute of the FD 'name' whose value
 * differs from def_attr[] to tfile. Attributes of modules that are disabled,
 * or that the kernel reports as invalid (RSBAC_EINVALIDMODULE), are skipped.
 * NOTE(review): the body of this function is not complete in this listing;
 * text after "for (i=32; i" further down was lost.
 */
int process(char * name, FILE * tfile)
{
  int res = 0;
  char tmp1[RSBAC_MAXNAMELEN];
  char tmp2[RSBAC_MAXNAMELEN];
  int j,k;
  struct stat buf;
  union rsbac_attribute_value_t value;
  enum rsbac_switch_target_t module;

  if(verbose)
    printf(gettext("# Processing FD '%s'\n"), name);
  /* rsbac.dat is the attribute store itself; -x excludes it from the backup */
  if( exrdat && !strcmp(name, "rsbac.dat") )
    return 0;
  for (j=0;j < RSBAC_FD_NR_ATTRIBUTES;j++)
    {
      module = get_attr_module(attr_list[j]);
      if
(!module_enabled[module]) continue; value.dummy = -1; res = rsbac_get_attr_n(ta_number, module, T_FD, name, attr_list[j], &value, 0); if(res) { if(errno == RSBAC_EINVALIDMODULE) module_enabled[module] = FALSE; else { if( verbose || (errno != RSBAC_EINVALIDTARGET) ) { get_error_name(tmp1,res); fprintf(stderr, "%s (%s): %s\n", name, get_attribute_name(tmp2,attr_list[j]), tmp1); } } } else switch(attr_list[j]) { case A_log_array_low: case A_log_array_high: if (value.log_array_low != def_attr[j]) fprintf(tfile, "%s -V %u FD \"%s\" %s %s\n", set_prog, RSBAC_VERSION_NR, name, get_attribute_name(tmp1,attr_list[j]), u64tostrlog(tmp2,value.log_array_low)); break; case A_log_program_based: if (value.log_program_based != def_attr[j]) fprintf(tfile, "%s -V %u FD \"%s\" %s %s\n", set_prog, RSBAC_VERSION_NR, name, get_attribute_name(tmp1,attr_list[j]), u64tostrlog(tmp2,value.log_program_based)); break; case A_mac_categories: if (value.mac_categories != def_attr[j]) fprintf(tfile, "%s -V %u FD \"%s\" %s %s\n", set_prog, RSBAC_VERSION_NR, name, get_attribute_name(tmp1,attr_list[j]), u64tostrmac(tmp2,value.mac_categories)); break; case A_ff_flags: if (value.ff_flags != def_attr[j]) fprintf(tfile, "%s -V %u FD \"%s\" %s %u\n", set_prog, RSBAC_VERSION_NR, name, get_attribute_name(tmp1,attr_list[j]), value.ff_flags); break; case A_auid_exempt: if (value.auid_exempt != def_attr[j]) { if (RSBAC_UID_SET(value.auid_exempt)) fprintf(tfile, "%s -V %u FD \"%s\" %s %u/%u\n", set_prog, RSBAC_VERSION_NR, name, get_attribute_name(tmp1,attr_list[j]), RSBAC_UID_SET(value.auid_exempt), RSBAC_UID_NUM(value.auid_exempt)); else fprintf(tfile, "%s -V %u FD \"%s\" %s %u\n", set_prog, RSBAC_VERSION_NR, name, get_attribute_name(tmp1,attr_list[j]), RSBAC_UID_NUM(value.auid_exempt)); } break; case A_rc_type_fd: case A_rc_force_role: case A_rc_initial_role: if (value.rc_type_fd != def_attr[j]) fprintf(tfile, "%s -V %u FD \"%s\" %s %u\n", set_prog, RSBAC_VERSION_NR, name, 
get_attribute_name(tmp1,attr_list[j]), value.rc_type_fd); break; case A_security_level: case A_pm_object_type: if (value.security_level != def_attr[j]) fprintf(tfile, "%s -V %u FD \"%s\" %s %u\n", set_prog, RSBAC_VERSION_NR, name, get_attribute_name(tmp1,attr_list[j]), value.security_level); break; case A_max_caps: case A_min_caps: if ((value.max_caps.cap[0] != def_attr[j]) || (value.max_caps.cap[1] != def_attr[j])) { if (printall) { int i; fprintf(tfile, "%s -V %u FD \"%s\" %s", set_prog, RSBAC_VERSION_NR, name, get_attribute_name(tmp1,attr_list[j])); for (i=0; i<32; i++) if(value.min_caps.cap[0] & ((__u32) 1 << i)) fprintf(tfile, " %s", get_cap_name(tmp1,i)); for (i=32; id_name)) && (strcmp("..",dirent_p->d_name)) ) { strcpy(name2,name); strcat(name2,"/"); strcat(name2,dirent_p->d_name); process(name2, tfile); } } closedir(dir_stream_p); } return 0; } int main(int argc, char ** argv) { int res = 0; char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN]; int i,j; FILE * tfile; FILE * listfile = NULL; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } for (i=0; i<=SW_NONE; i++) module_enabled[i] = TRUE; while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'p': printall=1; break; case 'r': recurse=1; break; case 'm': break; case 'x': exrdat=1; break; case 'i': def_attr[0] = SL_unclassified; /* sec_level */ def_attr[2] = RSBAC_MAC_DEF_CAT_VECTOR; /* mac_categories */ def_attr[3] = MA_inherit; /* mac_auto */ break; case 'o': if(argc > 2) { filename = argv[2]; argv++; argc--; } else fprintf(stderr, gettext("%s: missing filename for parameter o\n"), progname); break; case 'T': if(argc > 2) { filelistname = argv[2]; argv++; argc--; } else fprintf(stderr, gettext("%s: missing filename for parameter T\n"), progname); break; case 'a': printf(gettext("attributes and values in backup = see 
following list:\n")); for (j=0;j 2) { enum rsbac_switch_target_t backup_module; backup_module = get_switch_target_nr(argv[2]); if (backup_module >= SW_NONE) { fprintf(stderr, gettext("%s: invalid module name %s for parameter %c\n"), progname, argv[2], *pos); exit(1); } argc--; argv++; if (module_enabled[SW_NONE] == TRUE) { for (i=0; i<=SW_NONE; i++) module_enabled[i] = FALSE; } module_enabled[backup_module] = TRUE; } else { fprintf(stderr, gettext("%s: missing module name for parameter %c\n"), progname, *pos); exit(1); } break; case 'P': if(argc > 2) { pax_flags = pax_strtoflags(argv[2], pax_flags); if(verbose) printf("# new PaX flags: %s\n", pax_print_flags(tmp2,pax_flags)); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing PaX flags for parameter %c\n"), progname, *pos); exit(1); } break; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc > 1 || filelistname) { if(!filename) tfile = stdout; else { if (!(tfile=fopen(filename,"w"))) { fprintf(stderr, gettext("opening target file returned error: %s\n"), strerror(errno)); exit(1); } } if(filelistname) { if(!strcmp(filelistname, "-")) listfile = stdin; else if (!(listfile=fopen(filelistname,"r"))) { fprintf(stderr, gettext("opening target list file returned error: %s\n"), strerror(errno)); exit(1); } } if(verbose) { printf(gettext("# %s: %i targets"), progname, argc - 1); if(recurse) printf(gettext(" - recursing")); if(filelistname) printf(gettext(" - plus targets from file %s"), filelistname); printf("\n"); } for (i=1;i < (argc);i++) { process(argv[i],tfile); } if(filelistname) { char item[4096]; char * pos; int last; pos = item; while(fgets(item, 4095, listfile)) { if(!*item) continue; last = strlen(item) - 1; if(item[last] == 
'\n') item[last] = 0; if(*item) process(item, tfile); } fclose(listfile); } if(tfile != stdout) fclose(tfile); } else { use(); return 1; } return (res); }
rsbac-admin-1.4.0/main/tools/src/rsbac_check.c0000644000175000017500000000274111131371032021004 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2005: Amon Ott */ /* */ /* Last modified: 17/Jul/2005 */ /*************************************************** */
#include #include #include #include #include #include #include #include #include "nls.h"
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

/*
 * rsbac_check: run the kernel-side RSBAC consistency check
 * (rsbac_check() wrapper).
 *
 * Usage: rsbac_check correct check_inode
 *   correct      0 = report only, 1 = correct errors, 2 = correct more
 *   check_inode  0 = skip inode numbers, 1 = also verify inode numbers
 *
 * Both arguments are read with strtol(..., 10) and are not range-checked:
 * an unparseable value becomes 0, i.e. the non-modifying mode, which is the
 * conservative default; a value outside the documented range is passed to
 * the kernel unchanged.  error_exit(res) presumably reports and exits on a
 * failed call; otherwise the kernel result becomes the exit status.
 * Without exactly two arguments the usage text is printed and 0 returned.
 */
int main(int argc, char ** argv)
  {
    int res = 0;
    int correct;
    int check_inode;
    char * progname;

    locale_init();
    progname = argv[0];
    if (argc == 3)
      {
        /* No validation: garbage parses as 0 = "do not correct". */
        correct=strtol(argv[1],0,10);
        check_inode=strtol(argv[2],0,10);
        res = rsbac_check(correct, check_inode);
        error_exit(res);
      }
    else
      {
        printf(gettext("%s (RSBAC %s)\n***\n"), argv[0], VERSION);
        printf(gettext("Use: %s correct check_inode\n"), progname);
        printf(gettext(" correct = 0: do not correct errors\n"));
        printf(gettext(" correct = 1: correct errors\n"));
        printf(gettext(" correct = 2: correct more\n"));
        printf(gettext(" check_inode = 0: do not check inode numbers\n"));
        printf(gettext(" check_inode = 1: also check inode numbers (only ext2/3 on 2.4 kernels)\n"));
      }
    return (res);
  }
rsbac-admin-1.4.0/main/tools/src/attr_get_process.c0000644000175000017500000002155511131371032022130 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott */ /* */ /* Last modified: 26/Sep/2007 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), 
progname, VERSION); printf(gettext("Use: %s [switches] module pid attribute [bit-no]\n"), progname); printf(gettext(" -p = print all request names, -n = list all request names\n")); printf(gettext(" -a = list attributes and values\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" module = GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH or PAX\n")); printf(gettext(" categories and log_program_based\t(with additional parameter bit-no)\n\t\t\t0=no, 1=yes\n")); } int main(int argc, char ** argv) { int attr_list[RSBAC_PROCESS_NR_ATTRIBUTES] = RSBAC_PROCESS_ATTR_LIST; int res = 0; char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN]; int j, position; enum rsbac_switch_target_t module = SW_NONE; union rsbac_attribute_value_t value; union rsbac_target_id_t tid; enum rsbac_attribute_t attr; int printall = 0; rsbac_list_ta_number_t ta_number = 0; progname = argv[0]; locale_init(); { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'p': printall=1; break; case 'n': { char tmp[80]; int i; for(i=0; i 2) && ((attr = get_attribute_nr(argv[2])) != A_none) ) { get_switch_target_name(tmp1, get_attr_module(attr)); get_attribute_name(tmp2, attr); get_attribute_param(tmp3, attr); printf("[%-4s] %s\n\t%s\n",tmp1,tmp2,tmp3); exit(0); } printf(gettext("- attribute (string) and returned value = see following list:\n")); for (j=0;j 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if(argc > 1) { module = get_switch_target_nr(argv[1]); if(module != SW_NONE) { argv++; argc--; } } switch(argc) { case 3: attr = 
get_attribute_nr(argv[2]); if(attr == A_none) { fprintf(stderr, gettext("%s: Invalid Attribute %s!\n"), argv[0], argv[2]); exit(1); } value.dummy = -1; tid.process = strtol(argv[1],0,10); res = rsbac_get_attr(ta_number, module, T_PROCESS, &tid, attr, &value, FALSE); error_exit(res); switch(attr) { case A_mac_process_flags: case A_pm_process_type: case A_daz_scanner: case A_security_level: case A_initial_security_level: case A_min_security_level: case A_current_sec_level: case A_min_write_open: case A_max_read_open: case A_auth_may_setuid: case A_cap_process_hiding: case A_fake_root_uid: case A_cap_ld_env: printf("%u\n",value.u_char_dummy); break; case A_rc_type: case A_rc_type_fd: case A_rc_force_role: case A_rc_role: case A_rc_def_role: printf("%u\n",value.rc_role); break; case A_mac_categories: case A_mac_initial_categories: case A_mac_min_categories: case A_mac_curr_categories: case A_max_read_categories: case A_min_write_categories: printf("%s\n",u64tostrmac(tmp1,value.mac_categories)); break; case A_log_program_based: if(printall) { int i; for (i=0; i RSBAC_MAC_MAX_CAT) { fprintf(stderr, gettext("Invalid position counter %s\n"), argv[3]); exit(1); } res = rsbac_get_attr(ta_number, module, T_PROCESS, &tid, attr, &value, 0); error_exit(res); printf("%u\n", (u_int) (value.mac_categories >> position) & 1); exit(0); default: use(); return 1; } exit(1); } rsbac-admin-1.4.0/main/tools/src/attr_back_group.c0000644000175000017500000002313511131371032021723 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 26/Feb/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif #define ROOM 10 const char set_prog[] = "attr_set_group"; __s64 
attr_list[RSBAC_GROUP_NR_ATTRIBUTES] = RSBAC_GROUP_ATTR_LIST;
int allgroup = 0;                          /* -a: back up every group */
int verbose = 0;                           /* -v */
int numeric = 0;                           /* -n: write gids, not names */
rsbac_list_ta_number_t ta_number = 0;      /* -N / $RSBAC_TA */
FILE * tfile;                              /* backup output: stdout or the -o file */
char * filename = NULL;                    /* -o */
union rsbac_target_id_t tid;               /* file-scope scratch used by process(); not reentrant */
union rsbac_attribute_value_t value;
char * progname;
/* Default value per attribute, same order as attr_list; only values that
   differ from these are written to the backup. */
int def_attr[RSBAC_GROUP_NR_ATTRIBUTES] = {
      RSBAC_RC_GENERAL_TYPE, /* rc_type */
    };

/* Print the usage text for attr_back_group. */
void use()
  {
    printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION);
    printf(gettext("Use: %s [flags] [groupname(s)]\n"), progname);
    printf(gettext(" -a = process all groups, -v = verbose,\n"));
    printf(gettext(" -T file = read file/dirname list from file (- for stdin),\n"));
    printf(gettext(" -n = show numeric gid not groupname,\n"));
    printf(gettext(" -o target-file = write to file, not stdout,\n"));
    printf(gettext(" -A = list attributes and values,\n"));
    printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n"));
  }

/*
 * Write the non-default attributes of one group to tfile as attr_set_group
 * command lines.
 *
 * group: gid, possibly carrying a virtual set (RSBAC_GID_SET())
 * name:  group name, or NULL to identify the group numerically
 *
 * The identifier put into the backup is "set/gid" (or "gid") when -n was
 * given or no name is known, else the name.  name is copied with strcpy()
 * into a RSBAC_MAXNAMELEN buffer; the callers in main() pass buffers of that
 * size, so this fits only as long as that stays true.
 * For each attribute in attr_list the value is fetched with
 * rsbac_get_attr(); a failure is reported on stderr except when the module
 * is not available (RSBAC_EINVALIDMODULE) or, unless verbose, when the target
 * does not carry that attribute (RSBAC_EINVALIDTARGET).
 * Returns the result of the last rsbac_get_attr() call.
 */
int process(rsbac_gid_t group, char * name)
  {
    int res = 0;
    char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN];
    char intname[RSBAC_MAXNAMELEN];
    int j;

    tid.group = group;
    if(verbose)
      {
        if(name)
          printf(gettext("# Processing group %s\n"), name);
        else
          {
            if (RSBAC_GID_SET(group))
              printf(gettext("# Processing group %u/%u\n"), RSBAC_GID_SET(group), RSBAC_GID_NUM(group));
            else
              printf(gettext("# Processing group %u\n"), RSBAC_GID_NUM(group));
          }
      }
    /* Numeric form: bounded by the %u widths, so sprintf() cannot overflow. */
    if(numeric || !name)
      {
        if (RSBAC_GID_SET(group))
          sprintf(intname, "%u/%u", RSBAC_GID_SET(group), RSBAC_GID_NUM(group));
        else
          sprintf(intname, "%u", RSBAC_GID_NUM(group));
      }
    else
      strcpy(intname,name); /* unchecked length, see the header comment */
    for (j=0;j < RSBAC_GROUP_NR_ATTRIBUTES;j++)
      {
        value.dummy = -1;
        res = rsbac_get_attr(ta_number, get_attr_module(attr_list[j]), T_GROUP, &tid, attr_list[j], &value, 0);
        if(res)
          {
            /* EINVALIDMODULE is silent; EINVALIDTARGET only shown when verbose. */
            if( (errno != RSBAC_EINVALIDMODULE) && ( verbose || (errno != RSBAC_EINVALIDTARGET) ) )
              {
                get_error_name(tmp1,res);
                get_attribute_name(tmp2,attr_list[j]);
                fprintf(stderr, "%s (%s): %s\n", intname, tmp2, tmp1);
              }
          }
        else
          {
            switch(attr_list[j])
              {
                default:
if(value.dummy != def_attr[j]) fprintf(tfile, "%s -V %u %s %s %i\n", set_prog, RSBAC_VERSION_NR, intname, get_attribute_name(tmp1,attr_list[j]), value.dummy); } } } return(res); } int main(int argc, char ** argv) { int res = 0; char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN]; rsbac_gid_t group; int i,j; FILE * listfile = NULL; char * filelistname = NULL; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'a': allgroup=1; break; case 'n': numeric=1; break; case 'o': if(argc > 2) { filename = argv[2]; argv++; argc--; } else fprintf(stderr, gettext("%s: missing filename for parameter %c\n"), progname, *pos); break; case 'T': if(argc > 2) { filelistname = argv[2]; argv++; argc--; } else fprintf(stderr, gettext("%s: missing filename for parameter %c\n"), progname, *pos); break; case 'A': printf(gettext("- attributes and values in backup = see following list:\n")); for (j=0;j 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if ( (argc > 1) || allgroup || filelistname ) { if(!filename) tfile = stdout; else { if (!(tfile=fopen(filename,"w"))) { fprintf(stderr, gettext("opening target file returned error: %s\n"), strerror(errno)); } } tid.group = RSBAC_ALL_GROUPS; if(allgroup) { int count; rsbac_gid_t * id_array; if(verbose) printf(gettext("# %s: processing all groups\n"), progname); count = rsbac_list_all_group(ta_number, NULL, 0); error_exit(count); count += ROOM; id_array = malloc(count * sizeof(*id_array)); if(!id_array) error_exit(-ENOMEM); count = 
rsbac_list_all_group(ta_number, id_array, count); if(verbose) printf(gettext("# %s: %i targets\n"), progname, count); if(count > 0) { qsort(id_array, count, sizeof(*id_array), rsbac_group_compare); for(i=0; i < count ; i++) { if(!get_group_name(ta_number, id_array[i], tmp1)) process(id_array[i], tmp1); else process(id_array[i], NULL); } } } else { if(filelistname) { if(!strcmp(filelistname, "-")) listfile = stdin; else if (!(listfile=fopen(filelistname,"r"))) { fprintf(stderr, gettext("opening target list file returned error: %s\n"), strerror(errno)); exit(1); } } if(verbose) { printf(gettext("# %s: %i targets\n"), progname, argc - 2); if(filelistname) printf(gettext("# - plus targets from file %s\n"), filelistname); } for (i=1;i < argc;i++) { if(rsbac_get_gid_name(ta_number, &group, tmp1, argv[i])) { fprintf(stderr, gettext("%s: Invalid Group %s!\n"), progname, argv[i]); } else process(group, tmp1); } if(filelistname) { char item[4096]; char * pos; int last; pos = item; while(fgets(item, 4095, listfile)) { if(!*item) continue; last = strlen(item) - 1; if(item[last] == '\n') item[last] = 0; if(*item) { if(rsbac_get_gid_name(ta_number, &group, tmp1, item)) { fprintf(stderr, gettext("%s: Invalid Group %s!\n"), progname, item); } else process(group, tmp1); } } fclose(listfile); } } if(tfile != stdout) fclose(tfile); } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/attr_set_user.c0000644000175000017500000005360511131371032021445 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 25/Feb/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif #define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */ char * progname; void use(void) { 
printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s module user attribute [position] value\n\n"), progname); printf(gettext("Use: %s [switches] module user log_user_based [request-list]\n\n"), progname); printf(gettext(" -p = print requests names, -a = add, not set, -m = remove, not set\n")); printf(gettext(" -A = list attributes and values\n")); printf(gettext(" -V version = supply RSBAC integer version number for upgrading\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" module = CAP, GEN, MAC, FC, SIM, PM, DAZ, FF, RC or AUTH\n")); } int main(int argc, char ** argv) { int attr_list[RSBAC_USER_NR_ATTRIBUTES] = RSBAC_USER_ATTR_LIST; int res = 0; char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN]; int j; enum rsbac_switch_target_t module = SW_NONE; union rsbac_attribute_value_t value; union rsbac_target_id_t tid; enum rsbac_attribute_t attr; u_int position, catval; rsbac_res_limit_t res_limit; __u64 k; int verbose = 0; int printall = 0; int add = 0; int remove = 0; rsbac_version_t version=RSBAC_VERSION_NR; rsbac_list_ta_number_t ta_number = 0; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'p': printall=1; break; case 'a': add=1; break; case 'm': remove=1; break; case 'n': { char tmp[80]; int i; for(i=0; i 2) && ((attr = get_attribute_nr(argv[2])) != A_none) ) { get_switch_target_name(tmp1, get_attr_module(attr)); get_attribute_name(tmp2, attr); get_attribute_param(tmp3, attr); printf("[%-4s] %s\n\t%s\n",tmp1,tmp2,tmp3); exit(0); } printf(gettext("- attribute (string) and returned value = see following list:\n")); printf(gettext("[MAC ] mac_[min_|initial_]categories (with additional parameter position)\n\t0=no, 1=yes\n")); 
printf(gettext("[GEN ] log_user_based (with space separated list of requests)\n\t0=no, 1=yes\n")); for (j=0;j 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if(argc > 1) { module = get_switch_target_nr(argv[1]); if(module != SW_NONE) { argv++; argc--; } } if( (argc>2) && !strcmp(argv[2],"log_user_based") ) { rsbac_boolean_t rused = FALSE; rsbac_boolean_t wused = FALSE; enum rsbac_adf_request_t request; rsbac_request_vector_t request_vector = 0; value.log_user_based = 0; if(rsbac_get_uid(ta_number, &tid.user, argv[1])) { fprintf(stderr, gettext("%s: Invalid User %s!\n"), progname, argv[1]); exit(1); } argv+=2; argc-=2; if(add || remove) { res = rsbac_get_attr(ta_number, module, T_USER, &tid, A_log_user_based, &value, FALSE); error_exit(res); } while(argc > 1) { if(strlen(argv[1]) == R_NONE) { int j; rsbac_request_vector_t tmp_rv; for(j=0; j= R_NONE) || ( (request == 0) && strcmp(argv[1],"0") ) ) { if(!strcmp(argv[1],"RW")) { request_vector |= RSBAC_READ_WRITE_REQUEST_VECTOR; } else if(!strcmp(argv[1],"SY")) { request_vector |= RSBAC_SYSTEM_REQUEST_VECTOR; } else if(!strcmp(argv[1],"SE")) { request_vector |= RSBAC_SECURITY_REQUEST_VECTOR; } else if(!strcmp(argv[1],"R")) { request_vector |= RSBAC_READ_REQUEST_VECTOR; rused = TRUE; } else if(!strcmp(argv[1],"W")) { request_vector |= RSBAC_WRITE_REQUEST_VECTOR; wused = TRUE; } else if(!strcmp(argv[1],"A")) { request_vector |= RSBAC_ALL_REQUEST_VECTOR; } else if(!strcmp(argv[1],"UA")) { request_vector = 0; } else if(!strcmp(argv[1],"NWS")) { request_vector |= RSBAC_NWS_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWR")) { request_vector |= RSBAC_NWR_REQUEST_VECTOR; rused = TRUE; } else if(!strcmp(argv[1],"NWW")) { request_vector |= RSBAC_NWW_REQUEST_VECTOR; wused = 
TRUE; } else if(!strcmp(argv[1],"NWC")) { request_vector |= RSBAC_NWC_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWE")) { request_vector |= RSBAC_NWE_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWA")) { request_vector |= RSBAC_NWA_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWF")) { request_vector |= RSBAC_NWF_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWM")) { request_vector |= RSBAC_NWM_REQUEST_VECTOR; } else { /* end of requests */ break; } } } else { request_vector |= ((rsbac_request_vector_t) 1 << request); } argv++; argc--; } if(rused && wused) { request_vector |= RSBAC_READ_WRITE_OPEN_REQUEST_VECTOR; } if(remove) value.log_user_based &= ~request_vector; else value.log_user_based |= request_vector; if(printall) { int i; for (i=0; i2) && ( !strcmp(argv[2],"min_caps") || !strcmp(argv[2],"max_caps") ) ) { int cap; int bitlen; rsbac_boolean_t mincalled; rsbac_cap_vector_t cap_vector; cap_vector.cap[0] = (__u32) 0; cap_vector.cap[1] = (__u32) 0; if (!strcmp(argv[2],"min_caps")) mincalled = TRUE; else mincalled = FALSE; if(rsbac_get_uid(ta_number, &tid.user, argv[1])) { fprintf(stderr, gettext("%s: Invalid User %s!\n"), progname, argv[1]); exit(1); } attr = get_attribute_nr(argv[2]); value.min_caps.cap[0] = (__u32) 0; value.min_caps.cap[1] = (__u32) 0; argv+=2; argc-=2; if(add || remove) { res = rsbac_get_attr(ta_number, module, T_USER, &tid, attr, &value, FALSE); error_exit(res); } while(argc > 1) { /* Bit string: Allow for backwards compatibility */ bitlen = strlen(argv[1]); if((bitlen == CAP_NONE) || (bitlen == CAP_NONE_OLD)) { int j; rsbac_cap_vector_t tmp_cv; for(j=0; j= CAP_NONE) || ( (cap == 0) && strcmp(argv[1],"0") ) ) { if(!strcmp(argv[1],"A")) { cap_vector.cap[0] = (__u32) -1; cap_vector.cap[1] = (__u32) -1; } else if(!strcmp(argv[1],"UA")) { cap_vector.cap[0] = (__u32) 0; cap_vector.cap[1] = (__u32) 0; } else if(!strcmp(argv[1],"FS_MASK")) { /* one day we're going to have problem here. 
look attr_set_file_dir.c */ cap_vector.cap[0] |= CAP_FS_MASK; } else { /* end of requests */ fprintf(stderr, "%s: Wrong CAP %s\n", progname, argv[1]); exit(1); } } else { fprintf(stderr, "%s: Wrong CAP %s\n", progname, argv[1]); exit(1); } } else { cap_vector.cap[CAP_TO_INDEX(cap)] |= ((__u32) 1 << (cap % 32)); } argv++; argc--; } if(remove) { value.min_caps.cap[0] &= ~cap_vector.cap[0]; value.min_caps.cap[1] &= ~cap_vector.cap[1]; } else { value.min_caps.cap[0] |= cap_vector.cap[0]; value.min_caps.cap[1] |= cap_vector.cap[1]; } if(printall) { int i; for (i=0; i RSBAC_MAC_MAX_CAT) { fprintf(stderr, gettext("Invalid position counter %s\n"), argv[4]); exit(1); } catval = strtoul(argv[4],0,10); if(catval > 1) { fprintf(stderr, gettext("Invalid value %s\n"), argv[4]); exit(1); } res = rsbac_get_attr(ta_number, module, T_USER, &tid, attr, &value, FALSE); error_exit(res); k = ((__u64) 1) << position; if(catval) value.mac_categories |= k; else value.mac_categories &= ~k; res = rsbac_set_attr(ta_number, module, T_USER, &tid, attr, &value); error_exit(res); exit(0); } else if( !strcmp(argv[2],"res_min") || !strcmp(argv[2],"res_max") ) { position = get_res_nr(argv[3]); if(position == RSBAC_RES_NONE) { position = strtoul(argv[3],0,10); if( (!position && strcmp(argv[3], "0")) || (position > RSBAC_RES_MAX) ) { fprintf(stderr, gettext("Invalid position counter %s\n"), argv[4]); exit(1); } } res_limit = strtoul(argv[4],0,10); if(!strcmp(argv[2],"res_min")) attr = A_res_min; else attr = A_res_max; res = rsbac_get_attr(ta_number, module, T_USER, &tid, attr, &value, FALSE); error_exit(res); value.res_array[position] = res_limit; res = rsbac_set_attr(ta_number, module, T_USER, &tid, attr, &value); error_exit(res); exit(0); } default: break; } exit(1); } rsbac-admin-1.4.0/main/tools/src/daz_flush.c0000644000175000017500000000115211131371033020530 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 
1999-2005: Amon Ott */ /* */ /* Last modified: 31/May/2005 */ /*************************************************** */
#include #include #include #include

/*
 * daz_flush: ask the kernel to flush the DAZ module's cache via
 * rsbac_daz_flush_cache().  Takes no arguments.  error_exit(res)
 * presumably reports and exits on failure; otherwise the call's result
 * is the exit status.
 */
int main(int argc, char ** argv)
  {
    int res;

    res = rsbac_daz_flush_cache();
    error_exit(res);
    return (res);
  }
rsbac-admin-1.4.0/main/tools/src/rsbac_groupdel.c0000644000175000017500000001060711131371033021551 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 25/Feb/2008 */ /*************************************************** */
#include #include #include #include #include #include #include #include #include #include #include "nls.h"
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

char * progname;
int verbose = 0;                               /* -v; read by process() */
rsbac_list_ta_number_t ta_number = 0;          /* -N / $RSBAC_TA */
rsbac_um_set_t vset = RSBAC_UM_VIRTUAL_KEEP;   /* -S: virtual user set */

/* Print the usage text for rsbac_groupdel. */
void use(void)
  {
    printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION);
    printf(gettext("Use: %s [flags] group [group2 ...]\n"), progname);
    printf(gettext(" -v = verbose,\n"));
    printf(gettext(" -S n = virtual user set n\n"));
    printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n"));
  }

/*
 * Delete one group.
 *
 * name: group name or numeric gid from the command line.  If
 *       rsbac_um_get_gid() does not know the name, it is re-read with
 *       strtoul(..., 0) (decimal, 0x hex or leading-0 octal), optionally
 *       prefixed with a virtual set as "vset/gid".  The '/' is overwritten
 *       with NUL while the set is parsed and restored afterwards, so the
 *       buffer must be writable.  strtoul() is used without an end pointer,
 *       so characters after the digits are ignored ("12x" -> 12); only a
 *       value of 0 that is not literally "0" is rejected.
 * Returns 0 on success, 1 when the name is neither a known group nor a
 * number, else the rsbac_um_remove_group() result after show_error().
 */
int process(char * name)
  {
    int res = 0;
    rsbac_gid_t group = RSBAC_GEN_GID(vset, RSBAC_NO_GROUP);

    if((res = rsbac_um_get_gid(ta_number, name, &group)))
      {
        /* Unknown name: fall back to a numeric "[vset/]gid". */
        char * p = name;
        rsbac_um_set_t tmp_vset = vset;

        while (*p && (*p != '/'))
          p++;
        if (*p)
          {
            *p = 0;
            tmp_vset = strtoul(name, NULL, 0);
            *p = '/';
            p++;
            name = p;
          }
        group = strtoul(name, NULL, 0);
        if(!group && strcmp(name,"0"))
          {
            fprintf(stderr, gettext("%s: Unknown group %s\n"), progname, name);
            return 1;
          }
        group = RSBAC_GEN_GID(tmp_vset, group);
      }
    if(verbose)
      {
        if (vset != RSBAC_UM_VIRTUAL_KEEP)
          printf("Deleting group %s, gid %u/%u\n", name, RSBAC_GID_SET(group), RSBAC_GID_NUM(group));
        else
          printf("Deleting group %s, gid %u\n", name, RSBAC_GID_NUM(group));
      }
    res = rsbac_um_remove_group(ta_number, group);
    if(res)
      {
        if (vset != 
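RSBAC_UM_VIRTUAL_KEEP) fprintf(stderr, "%u/%s: ", RSBAC_GID_SET(group),name); else fprintf(stderr, "%s: ", name); show_error(res); return res; } return 0; }

/*
 * rsbac_groupdel entry point: parse the switches, then hand every remaining
 * argument to process() for deletion.
 *
 *   -h     print usage, exit 0
 *   -v     verbose; sets the file-scope `verbose` flag that process() reads
 *   -N ta  transaction number (overrides $RSBAC_TA, which is read first)
 *   -S n   virtual user set applied to all named groups (rsbac_get_vset_num())
 *
 * Returns 1 after printing the usage text when no group is named.  Otherwise
 * every group is attempted and the exit status is 0 only if each process()
 * call returned 0, so a calling script learns about a failed deletion.
 */
int main(int argc, char ** argv)
  {
    int res = 0;
    /* Deliberately no local `verbose`: a local of that name shadowed the
       global flag, so -v was counted here but never seen by process(). */

    locale_init();
    progname = argv[0];
    {
      char * env = getenv("RSBAC_TA");
      if(env)
        ta_number = strtoul(env,0,0);
    }
    while((argc > 1) && (argv[1][0] == '-'))
      {
        char * pos = argv[1];
        pos++;
        while(*pos)
          {
            switch(*pos)
              {
                case 'h':
                  use();
                  return 0;
                case 'v':
                  verbose++;
                  break;
                case 'N':
                  if(argc > 2)
                    {
                      ta_number = strtoul(argv[2], 0, 10);
                      argc--;
                      argv++;
                    }
                  else
                    {
                      fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos);
                      exit(1);
                    }
                  break;
                case 'S':
                  if(argc > 2)
                    {
                      if (rsbac_get_vset_num(argv[2], &vset))
                        {
                          fprintf(stderr, gettext("%s: invalid virtual set number for parameter %c\n"), progname, *pos);
                          exit(1);
                        }
                      argc--;
                      argv++;
                    }
                  else
                    {
                      fprintf(stderr, gettext("%s: missing virtual set number for parameter %c\n"), progname, *pos);
                      exit(1);
                    }
                  break;
                default:
                  fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos);
                  exit(1);
              }
            pos++;
          }
        argv++;
        argc--;
      }
    if (argc > 1)
      {
        int i;

        /* Keep going after a failure so the remaining groups are still
           handled, but remember it for the exit status. */
        for(i=1; i< argc; i++)
          if(process(argv[i]))
            res = 1;
        return res;
      }
    use();
    return 1;
  }
rsbac-admin-1.4.0/main/tools/src/attr_get_file_dir.c0000644000175000017500000004223011131371033022221 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 04/Sep/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s module target-type file/dirname attribute [request]\n"), progname); printf(gettext("Use: %s 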
module target-type file/dirname attribute [position]\n"), progname); printf(gettext("Use: %s list_category_nr\n"), progname); printf(gettext(" -e = show effective (maybe inherited) value, not real\n")); printf(gettext(" -d = numeric device specification ({b|c}major[:minor])\n")); printf(gettext(" -p = print requests, -n [target] = list all requests [for target]\n")); printf(gettext(" -c list all Linux capabilities, -R = list all RES resource names\n")); printf(gettext(" -C path = convert path to device special file to device specification\n")); printf(gettext(" -a = list attributes and values\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" module = GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH, RES or PAX\n")); printf(gettext(" target-type = FILE, DIR, FIFO, SYMLINK or DEV\n")); } int main(int argc, char ** argv) { enum rsbac_attribute_t attr_list[RSBAC_FD_NR_ATTRIBUTES] = RSBAC_FD_ATTR_LIST; enum rsbac_attribute_t attr_list_dev[RSBAC_DEV_NR_ATTRIBUTES] = RSBAC_DEV_ATTR_LIST; int res = 0; char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN]; int j; union rsbac_attribute_value_t value,value2; enum rsbac_switch_target_t module = SW_NONE; enum rsbac_target_t target; enum rsbac_attribute_t attr; enum rsbac_adf_request_t request; enum rsbac_log_level_t log_level; int inherit = 0; u_int position; int verbose = 0; int printall = 0; int scripting = 0; int numdev = 0; rsbac_list_ta_number_t ta_number = 0; progname = argv[0]; locale_init(); { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'p': printall=1; break; case 'e': inherit=1; break; case 'd': numdev=1; break; case 's': scripting=1; break; case 'n': { int i; rsbac_request_vector_t rvector = -1; if( (argc > 2) && ((target = get_target_nr(argv[2])) != 
T_NONE) ) { switch(target) { case T_FILE: case T_DIR: case T_FIFO: case T_SYMLINK: case T_FD: rvector = RSBAC_FD_REQUEST_VECTOR; break; case T_DEV: rvector = RSBAC_DEV_REQUEST_VECTOR; break; case T_SCD: rvector = RSBAC_SCD_REQUEST_VECTOR; break; default: break; } } for(i=0; i 2) && ((attr = get_attribute_nr(argv[2])) != A_none) ) { get_switch_target_name(tmp1, get_attr_module(attr)); get_attribute_name(tmp2, attr); get_attribute_param(tmp3, attr); printf("[%-4s] %s\n\t%s\n",tmp1,tmp2,tmp3); exit(0); } printf(gettext("- attribute (string) and returned value = see following list:\n")); printf(gettext("- FILE, DIR, FIFO and SYMLINK:\n")); printf(gettext("log_level\t\t(additional parameter request-type)\n\t\t\t0=none, 1=denied, 2=full, 3=request based\n")); printf(gettext("mac_categories\t\t(with additional parameter position)\n\t\t\t0=no, 1=yes\n")); for (j=0;j 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; case 'C': if(argc > 2) { struct stat buf; res = stat(argv[2], &buf); error_exit(res); if(S_ISBLK(buf.st_mode)) { printf("b%u:%u\n", major(buf.st_rdev), minor(buf.st_rdev)); } else if(S_ISCHR(buf.st_mode)) { printf("c%u:%u\n", major(buf.st_rdev), minor(buf.st_rdev)); } else { fprintf(stderr, gettext("%s: %s is no device special file\n"), progname, argv[2]); exit(1); } exit(0); } else { fprintf(stderr, gettext("%s: missing path for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if(argc > 1) { if(!strcmp(argv[1],"list_category_nr")) { for(j=0; j> request) & 1) | ( ((value2.log_array_high >> request) & 1) << 1); printf("%i\n",log_level); exit(0); } else if(!strcmp(argv[3],"mac_categories")) { target = get_target_nr(argv[1]); position = strtol(argv[4],0,10); if(position > RSBAC_MAC_MAX_CAT) { fprintf(stderr, 
gettext("Invalid position counter %s\n"), argv[4]); exit(1); } if(numdev) { union rsbac_target_id_t tid; error_exit(strtodevdesc(argv[2], &tid.dev)); res = rsbac_get_attr(ta_number, module, target, &tid, A_mac_categories, &value, inherit); } else res = rsbac_get_attr_n(ta_number, module, target, argv[2], A_mac_categories, &value, inherit); error_exit(res); printf("%u\n", (u_int) (value.mac_categories >> position) & 1); exit(0); } else if(!strcmp(argv[3],"log_program_based")) { target = get_target_nr(argv[1]); request = get_request_nr(argv[4]); if(request == R_NONE) { fprintf(stderr, gettext("Invalid request type %s\n"), argv[4]); printf(gettext("Valid request types:\n")); for(j=0;j> request) & 1); exit(0); } else if( !strcmp(argv[3],"res_min") || !strcmp(argv[3],"res_max") ) { target = get_target_nr(argv[1]); position = get_res_nr(argv[4]); if(position == RSBAC_RES_NONE) { position = strtol(argv[4],0,10); if( (!position && strcmp(argv[4], "0")) || (position > RSBAC_RES_MAX) ) { fprintf(stderr, gettext("Invalid position counter %s\n"), argv[4]); exit(1); } } if(!strcmp(argv[3],"res_min")) attr = A_res_min; else attr = A_res_max; res = rsbac_get_attr_n(ta_number, module, target, argv[2], attr, &value, inherit); error_exit(res); printf("%u\n", value.res_array[position]); exit(0); } default: use(); return 1; } exit(1); } rsbac-admin-1.4.0/main/tools/src/rsbac_init.c0000644000175000017500000000207411131371032020671 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2005: Amon Ott */ /* */ /* Last modified: 31/May/2005 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif int main(int argc, char ** argv) { int res = 0; char * progname; locale_init(); progname = argv[0]; if (argc == 2) { res = rsbac_init(argv[1]); error_exit(res); } else { 
printf(gettext("%s (RSBAC %s)\n***\n"), argv[0], VERSION); printf(gettext("Use: %s root_dev\n\n"), progname); printf(gettext("root_dev: root device to initialize from, e.g. /dev/sda1\n")); } return 0; } rsbac-admin-1.4.0/main/tools/src/rsbac_passwd.c0000644000175000017500000002401311131371032021224 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 03/Mar/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif int main(int argc, char ** argv) { int res = 0; char * progname; rsbac_um_set_t vset = RSBAC_UM_VIRTUAL_KEEP; rsbac_uid_t user = RSBAC_GEN_UID(vset, RSBAC_NO_USER); int verbose = 0; int noold = 0; int onetime = 0; int removeonetime = 0; int countonetime = 0; rsbac_time_t ttl = 0; char * old_pass; char * new_pass; char * new_pass2; struct termios old_term; struct termios tmp_term; locale_init(); progname = argv[0]; while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'v': verbose++; break; case 'n': noold = 1; break; case 'o': onetime = 1; break; case 'O': removeonetime = 1; break; case 'C': countonetime = 1; break; case 'h': printf(gettext("%s (RSBAC %s)\n***\n"), argv[0], VERSION); printf(gettext("Use: %s [flags] [username]\n"), progname); printf(gettext(" -v = verbose,\n")); printf(gettext(" -n = do not ask for old password\n")); printf(gettext(" -S n = virtual user set n\n")); printf(gettext(" -o = add a onetime password, do not change main password\n")); printf(gettext(" -O = remove all onetime passwords, do not change main password\n")); printf(gettext(" -C = count onetime passwords\n")); printf(gettext(" -t = set relative time-to-live of one-time password in secs\n")); printf(gettext(" -T = 
set absolute time-to-live of one-time password in secs\n")); printf(gettext(" -D = set relative time-to-live of one-time password in days\n")); exit(0); case 't': if(argc > 2) { ttl = strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'D': if(argc > 2) { ttl = 86400 * strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'T': if(argc > 2) { rsbac_time_t now = time(NULL); ttl = strtoul(argv[2], 0, 10); if(ttl > now) { ttl -= now; argc--; argv++; } else { fprintf(stderr, gettext("%s: ttl value for parameter %c is in the past, exiting\n"), progname, *pos); exit(1); } } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'S': if(argc > 2) { if (rsbac_get_vset_num(argv[2], &vset)) { fprintf(stderr, gettext("%s: invalid virtual set number for parameter %c\n"), progname, *pos); exit(1); } user = RSBAC_GEN_UID(vset, user); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing virtual set number for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc > 1) { if(rsbac_um_get_uid(0, argv[1], &user)) { char * tmp_name = argv[1]; char * p = tmp_name; rsbac_um_set_t tmp_vset = vset; while (*p && (*p != '/')) p++; if (*p) { *p = 0; if (rsbac_get_vset_num(tmp_name, &tmp_vset)) { fprintf(stderr, gettext("%s: invalid virtual set number %s\n"), tmp_name); exit(1); } tmp_vset = strtoul(tmp_name, NULL, 0); *p = '/'; p++; tmp_name = p; } user = strtoul(tmp_name, NULL, 0); if(!user && strcmp(tmp_name,"0")) { fprintf(stderr, gettext("%s: Unknown user %s\n"), progname, tmp_name); return 1; } user = RSBAC_GEN_UID(tmp_vset, user); } } else user = RSBAC_GEN_UID(vset, getuid()); if(isatty(STDIN_FILENO)) { res = 
tcgetattr(STDIN_FILENO, &old_term); error_exit(res); memcpy(&tmp_term, &old_term, sizeof(old_term)); tmp_term.c_lflag &= ~(ECHO); } if(noold) old_pass = NULL; else { old_pass = malloc(RSBAC_MAXNAMELEN); res = mlock(old_pass, RSBAC_MAXNAMELEN); if (res) { fprintf(stderr, gettext("Unable to lock old password into physical memory, continue anyway!\n")); } if(isatty(STDIN_FILENO)) { res = tcsetattr(STDIN_FILENO, TCSAFLUSH, &tmp_term); error_exit(res); } if(argc > 1) { if (RSBAC_UID_SET(user)) printf("Old RSBAC password for user %s (uid %u/%u): ", argv[1], RSBAC_UID_SET(user), RSBAC_UID_NUM(user)); else printf("Old RSBAC password for user %s (uid %u): ", argv[1], RSBAC_UID_NUM(user)); } else { if (RSBAC_UID_SET(user) != RSBAC_UM_VIRTUAL_KEEP) printf("Old RSBAC password for user %u/%u: ", RSBAC_UID_SET(user), RSBAC_UID_NUM(user)); else printf("Old RSBAC password for user %u: ", RSBAC_UID_NUM(user)); } res = scanf("%254s", old_pass); if(isatty(STDIN_FILENO)) tcsetattr(STDIN_FILENO, TCSAFLUSH, &old_term); printf("\n"); if(res <= 0) { fprintf(stderr, gettext("%s: invalid old password!\n"), progname); exit(1); } } if(countonetime) { res = rsbac_um_count_onetime(user, old_pass); error_exit(res); printf("%u one-time passwords\n", res); if (!onetime && !removeonetime) exit(0); } if(removeonetime) { if(verbose) printf("Removing all one-time passwords\n"); error_exit(rsbac_um_remove_all_onetime(user, old_pass)); if (!onetime) exit(0); } new_pass = malloc(RSBAC_MAXNAMELEN); res = mlock(new_pass, RSBAC_MAXNAMELEN); if (res) { fprintf(stderr, gettext("Unable to lock new password into physical memory, continue anyway!\n")); } if(onetime) printf("Add one-time password: "); if(noold) { if(argc > 1) { if (RSBAC_UID_SET(user) != RSBAC_UM_VIRTUAL_KEEP) printf("New RSBAC password for user %s (uid %u/%u): ", argv[1], RSBAC_UID_SET(user), RSBAC_UID_NUM(user)); else printf("New RSBAC password for user %s (uid %u): ", argv[1], RSBAC_UID_NUM(user)); } else { if (RSBAC_UID_SET(user) != 
RSBAC_UM_VIRTUAL_KEEP) printf("New RSBAC password for user %u/%u: ", RSBAC_UID_SET(user), RSBAC_UID_NUM(user)); else printf("New RSBAC password for user %u: ", RSBAC_UID_NUM(user)); } } else printf("New password: "); if(isatty(STDIN_FILENO)) { res = tcsetattr(STDIN_FILENO, TCSAFLUSH, &tmp_term); error_exit(res); } res = scanf("%254s", new_pass); if(isatty(STDIN_FILENO)) tcsetattr(STDIN_FILENO, TCSAFLUSH, &old_term); printf("\n"); if(res <= 0) { fprintf(stderr, gettext("%s: invalid new password!\n"), progname); exit(1); } new_pass2 = malloc(RSBAC_MAXNAMELEN); res = mlock(new_pass2, RSBAC_MAXNAMELEN); if (res) { fprintf(stderr, gettext("Unable to lock retyped new password into physical memory, continue anyway!\n")); } printf("Repeat new password: "); if(isatty(STDIN_FILENO)) tcsetattr(STDIN_FILENO, TCSAFLUSH, &tmp_term); res = scanf("%254s", new_pass2); if(isatty(STDIN_FILENO)) tcsetattr(STDIN_FILENO, TCSAFLUSH, &old_term); printf("\n"); if(res <= 0) { fprintf(stderr, gettext("%s: invalid repeated new password!\n"), progname); exit(1); } if(strcmp(new_pass, new_pass2)) { fprintf(stderr, gettext("%s: new passwords do not match!\n"), progname); exit(1); } if(onetime) res = rsbac_um_add_onetime(user, old_pass, new_pass, ttl); else res = rsbac_um_set_pass(user, old_pass, new_pass); error_exit(res); exit(0); } rsbac-admin-1.4.0/main/tools/src/linux2acl.c0000644000175000017500000007670011131371032020464 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott */ /* */ /* Last modified: 26/Sep/2007 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif #define GROUP_PROG "acl_group" #define GRANT_PROG "acl_grant" #define MASK_PROG "acl_mask" #define GROUPBASE 100000 #define S_IRWU 
(S_IRUSR | S_IWUSR) #define S_IRXU (S_IRUSR | S_IXUSR) #define S_IWXU (S_IWUSR | S_IXUSR) #define S_IRWG (S_IRGRP | S_IWGRP) #define S_IRXG (S_IRGRP | S_IXGRP) #define S_IWXG (S_IWGRP | S_IXGRP) #define S_IRWO (S_IROTH | S_IWOTH) #define S_IRXO (S_IROTH | S_IXOTH) #define S_IWXO (S_IWOTH | S_IXOTH) #define S_IRWXUGO (S_IRWXU | S_IRWXG | S_IRWXO) #define S_IRWUGO (S_IRWU | S_IRWG | S_IRWO) int verbose=0; int recurse=0; int printall=0; int numeric=0; int create_groups=0; int only_groups=0; u_int scripting=0; union rsbac_attribute_value_t value; enum rsbac_target_t target; enum rsbac_attribute_t attr; char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [switches] file/dir/scdname(s)\n"), progname); printf(gettext(" -v = use verbose in scripts, -r = recurse into subdirs,\n")); printf(gettext(" -g = also create group entries with members,\n")); printf(gettext(" -G = only create group entries with members,\n")); printf(gettext(" -p = print right names, -P use private groups\n")); printf(gettext(" -n = use numeric user ids where possible\n")); } /* process name with parent values (p_mode = 0, if no parent) */ int process(char * name, u_int p_owner, u_int p_group, u_int p_mode) { int res = 0; char tmp1[120]; enum rsbac_target_t type=T_NONE; char type_n[8] = ""; struct stat buf; int i; rsbac_acl_rights_vector_t rights; /* do not try reserved name */ if(!strcmp(name,":DEFAULT:")) return 0; res = lstat(name,&buf); if (res && (res != -EOVERFLOW)) { fprintf(stderr, gettext("stat for %s returned error: %s\n"), name, strerror(errno)); return(1); } if( (res == -EOVERFLOW) || (S_ISREG(buf.st_mode)) || (S_ISBLK(buf.st_mode)) || (S_ISCHR(buf.st_mode)) ) { type = T_FILE; strcpy(type_n,"FILE"); } else if(S_ISDIR(buf.st_mode)) { type = T_DIR; strcpy(type_n,"DIR"); } else if(S_ISFIFO(buf.st_mode)) { type = T_FIFO; strcpy(type_n,"FIFO"); } /* no interest in other types */ else return 0; /* no parent or different rights on 
parent? */ if( !p_mode || (p_owner != buf.st_uid) || (p_group != buf.st_gid) /* dirs with same mode as parent can inherit */ || ( (type == T_DIR) && ((p_mode & S_IRWXUGO) != (buf.st_mode & S_IRWXUGO)) ) /* R_EXECUTE is never set on dirs here, so inherit by files without x bits is fine, as long as the rw bits are the same */ || ( (type != T_DIR) && ((p_mode & S_IRWUGO) != (buf.st_mode & S_IRWXUGO)) ) ) { switch(type) { case T_DIR: if(printall) if(verbose) printf("%s -vs USER %u", GRANT_PROG, buf.st_uid); else printf("%s -s USER %u", GRANT_PROG, buf.st_uid); else if(verbose) printf("%s -vsb USER %u", GRANT_PROG, buf.st_uid); else printf("%s -sb USER %u", GRANT_PROG, buf.st_uid); /* all rights for user (always, if user == root)? */ if( ((buf.st_mode & S_IRWXU) == S_IRWXU) || (buf.st_uid == 0) ) { rights = RSBAC_READ_WRITE_REQUEST_VECTOR & RSBAC_FD_REQUEST_VECTOR; } else if((buf.st_mode & S_IRWU) == S_IRWU) { rights = (RSBAC_READ_WRITE_REQUEST_VECTOR & RSBAC_FD_REQUEST_VECTOR) & ~RSBAC_ACL_RIGHTS_VECTOR(R_CHDIR) & ~RSBAC_ACL_RIGHTS_VECTOR(R_SEARCH); } else if((buf.st_mode & S_IRXU) == S_IRXU) { rights = (RSBAC_READ_REQUEST_VECTOR & RSBAC_FD_REQUEST_VECTOR); } else if((buf.st_mode & S_IWXU) == S_IWXU) { rights = (RSBAC_WRITE_REQUEST_VECTOR & RSBAC_FD_REQUEST_VECTOR) | RSBAC_ACL_RIGHTS_VECTOR(R_CHDIR) | RSBAC_ACL_RIGHTS_VECTOR(R_GET_STATUS_DATA) | RSBAC_ACL_RIGHTS_VECTOR(R_SEARCH); } else if((buf.st_mode & S_IRUSR) == S_IRUSR) { rights = (RSBAC_READ_REQUEST_VECTOR & RSBAC_FD_REQUEST_VECTOR) & ~RSBAC_ACL_RIGHTS_VECTOR(R_CHDIR) & ~RSBAC_ACL_RIGHTS_VECTOR(R_SEARCH); } else if((buf.st_mode & S_IWUSR) == S_IWUSR) { rights = (RSBAC_WRITE_REQUEST_VECTOR & RSBAC_FD_REQUEST_VECTOR) | RSBAC_ACL_RIGHTS_VECTOR(R_GET_STATUS_DATA); } else if((buf.st_mode & S_IXUSR) == S_IXUSR) { rights = RSBAC_ACL_RIGHTS_VECTOR(R_CHDIR) | RSBAC_ACL_RIGHTS_VECTOR(R_GET_STATUS_DATA) | RSBAC_ACL_RIGHTS_VECTOR(R_SEARCH); } else rights = 0; /* Trim EXECUTE away - might be optional later */ rights &= 
~RSBAC_ACL_RIGHTS_VECTOR(R_EXECUTE); /* Add system rights, if root */ if(buf.st_uid == 0) rights |= (RSBAC_SYSTEM_REQUEST_VECTOR & RSBAC_FD_REQUEST_VECTOR); /* Trim CHANGE_OWNER away, if not root */ else rights &= ~RSBAC_ACL_RIGHTS_VECTOR(R_CHANGE_OWNER); /* Add MODIFY_PERMISSIONS_DATA - owner may always do that */ rights |= RSBAC_ACL_RIGHTS_VECTOR(R_MODIFY_PERMISSIONS_DATA); if(printall) { for (i=0; id_name)) && (strcmp("..",dirent_p->d_name)) ) { strcpy(name2,name); strcat(name2,"/"); strcat(name2,dirent_p->d_name); process(name2, buf.st_uid, buf.st_gid, buf.st_mode); } } closedir(dir_stream_p); } return(0); } int main(int argc, char ** argv) { int i; struct passwd * user_info_p; struct group * group_info_p; char gtype = 'G'; char ** gmem; locale_init(); progname = argv[0]; while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose=1; break; case 'r': recurse=1; break; case 'g': create_groups=1; break; case 'G': create_groups=1; only_groups=1; break; case 'p': printall=1; break; case 'P': gtype='P'; break; case 'n': numeric=1; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if ( (argc < 2) && !only_groups ) { use(); return 1; } printf("#\n# linux2acl: convert linux groups and rights to RSBAC ACL rights\n#\n"); if(create_groups) { /* Create group entries */ while((group_info_p = getgrent())) { printf("%s add_group %c '%s' %u\n", GROUP_PROG, gtype, group_info_p->gr_name, GROUPBASE + group_info_p->gr_gid); gmem = group_info_p->gr_mem; if(gmem && *gmem) { printf("%s add_member %u", GROUP_PROG, GROUPBASE + group_info_p->gr_gid); while(*gmem) { printf(" %s", *gmem); gmem++; } printf("\n"); } printf("\n"); } endgrent(); /* Add users to their main groups */ printf("# User main groups\n"); while((user_info_p = getpwent())) { if(numeric) printf("%s add_member %u %u\n", GROUP_PROG, GROUPBASE + user_info_p->pw_gid, 
user_info_p->pw_uid); else printf("%s add_member %u %s\n", GROUP_PROG, GROUPBASE + user_info_p->pw_gid, user_info_p->pw_name); } endpwent(); } if(only_groups) return(0); printf("#\n# Object ACLs\n#\n"); for (i=1;i < (argc);i++) { /* process without parent */ process(argv[i], 0, 0, 0); } return (0); } rsbac-admin-1.4.0/main/tools/src/acl_tlist.c0000644000175000017500000005671311131371033020544 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott */ /* */ /* Last modified: 25/Feb/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif #define NR_ENTRIES 50 #define GRANT_PROG "acl_grant" #define ROOM 10 int verbose=0; int recurse=0; int printall=0; int backup=0; int numdev = 0; u_int scripting=0; rsbac_list_ta_number_t ta_number = 0; union rsbac_attribute_value_t value; enum rsbac_target_t target; char * target_n; enum rsbac_attribute_t attr; char * progname; int alluser = 0; int alldev = 0; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [switches] target-type file/dir/scdname(s)\n"), progname); printf(gettext(" -v = verbose, -r = recurse into subdirs,\n")); printf(gettext(" -p = print right names, -b = backup mode\n")); printf(gettext(" -d = numeric device specification ({b|c}major[:minor])\n")); printf(gettext(" -D = process all existing device acls,\n")); printf(gettext(" -a = process all users,\n")); printf(gettext(" -n = list valid SCD names,\n")); printf(gettext(" -s = scripting mode,\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" target-type = FILE, DIR, FIFO, SYMLINK, DEV, IPC, SCD, USER, PROCESS, NETDEV,\n")); printf(gettext(" 
NETTEMP_NT, NETTEMP, NETOBJ or FD\n")); printf(gettext(" (FD: let %s decide between FILE, DIR, FIFO and SYMLINK, no DEV),\n"), progname); printf(gettext(" (IPC, USER, PROCESS: only :DEFAULT:\n")); printf(gettext(" (NETTEMP: no :DEFAULT:\n")); printf(gettext("- Use name :DEFAULT: for default ACL\n")); } int process(char * name, struct rsbac_dev_desc_t * desc_p, rsbac_uid_t uid) { int res = 0; char tmp1[RSBAC_MAXNAMELEN], tmp2[RSBAC_MAXNAMELEN]; struct stat buf; char * i_name = NULL; struct rsbac_acl_entry_t entry_array[NR_ENTRIES]; rsbac_time_t ttl_array[NR_ENTRIES]; union rsbac_target_id_t tid; if(name && !strcmp(name,":DEFAULT:")) { switch(target) { case T_FILE: case T_DIR: case T_FIFO: case T_SYMLINK: case T_FD: i_name = NULL; break; case T_DEV: if(numdev) tid.dev = RSBAC_ZERO_DEV_DESC; else i_name = NULL; break; case T_IPC: tid.ipc.type = I_none; break; case T_SCD: tid.scd = AST_none; break; case T_USER: tid.user = RSBAC_NO_USER; break; case T_PROCESS: tid.process = 0; break; case T_GROUP: tid.group = RSBAC_NO_GROUP; break; case T_NETDEV: tid.netdev[0] = 0; break; case T_NETTEMP_NT: tid.nettemp = 0; break; case T_NETOBJ: tid.netobj.sock_p = NULL; tid.netobj.local_addr = NULL; tid.netobj.local_len = 0; tid.netobj.remote_addr = NULL; tid.netobj.remote_len = 0; break; default: fprintf(stderr, gettext("Invalid target %u for %s, skipped!\n"), target, name); return(1); } } else { switch(target) { case T_FILE: case T_DIR: case T_FIFO: case T_SYMLINK: case T_FD: i_name = name; break; case T_DEV: if(numdev) { if(desc_p) tid.dev = *desc_p; else if(strtodevdesc(name, &tid.dev)) { fprintf(stderr, gettext("%s is no valid device specification, skipped\n"), name); return(1); } } else i_name = name; break; case T_SCD: tid.scd = get_acl_scd_type_nr(name); if((tid.scd == ST_none) || (tid.scd == AST_none)) { fprintf(stderr, gettext("%s is no valid SCD name, skipped\n"), name); return(1); } break; case T_USER: if(name) { if(rsbac_get_uid(ta_number, &tid.user, name)) { 
fprintf(stderr, gettext("%s: Invalid User %s!\n"), progname, name); exit(1); } } else tid.user = uid; break; case T_GROUP: if(rsbac_get_gid(ta_number, &tid.group, name)) { fprintf(stderr, gettext("%s: Invalid Group %s!\n"), progname, name); exit(1); } break; case T_NETDEV: strncpy((char *)tid.netdev, name, RSBAC_IFNAMSIZ); tid.netdev[RSBAC_IFNAMSIZ] = 0; break; case T_NETTEMP: case T_NETTEMP_NT: tid.nettemp = strtoul(name, 0, 10); break; case T_NETOBJ: tid.netobj.sock_p = (void *) strtoul(name, 0, 0); tid.netobj.remote_addr = NULL; tid.netobj.remote_len = 0; break; default: fprintf(stderr, gettext("Invalid target %u for %s, skipped!\n"), target, name); return(1); } } if(verbose) { if(name) printf(gettext("# Processing %s '%s'\n"), target_n, name); else if(desc_p) printf(gettext("# Processing %s '%s'\n"), target_n, devdesctostr(tmp1, *desc_p)); } switch(target) { case T_FILE: case T_DIR: case T_FIFO: case T_SYMLINK: case T_FD: res = rsbac_acl_get_tlist_n(ta_number, target, i_name, entry_array, ttl_array, NR_ENTRIES); break; case T_DEV: if(numdev) res = rsbac_acl_get_tlist(ta_number, target, &tid, entry_array, ttl_array, NR_ENTRIES); else res = rsbac_acl_get_tlist_n(ta_number, target, i_name, entry_array, ttl_array, NR_ENTRIES); break; default: res = rsbac_acl_get_tlist(ta_number, target, &tid, entry_array, ttl_array, NR_ENTRIES); } if(res<0) { if( verbose || (errno != RSBAC_EINVALIDTARGET) ) { get_error_name(tmp1,res); fprintf(stderr, gettext("%s: error: %s\n"), name, tmp1); } } else { rsbac_time_t now = time(NULL); int j; if(backup) { if(printall) { int i; for(j=0; jd_name)) && (strcmp("..",dirent_p->d_name)) ) { strcpy(name2,name); strcat(name2,"/"); strcat(name2,dirent_p->d_name); process(name2, NULL, RSBAC_NO_USER); } } closedir(dir_stream_p); } return(0); } int main(int argc, char ** argv) { int res = 0; int i; char none_name[] = "FD"; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) 
&& (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose=1; break; case 'r': recurse=1; break; case 'p': printall=1; break; case 'b': backup=1; break; case 'a': alluser=1; break; case 's': scripting=1; break; case 'd': numdev=1; break; case 'D': alldev=1; numdev=1; break; case 'n': { char tmp[80]; for(i=0; i 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc > 1 || alluser || alldev) { target = get_target_nr(argv[1]); target_n = argv[1]; if(alluser) { int count; rsbac_uid_t * id_array; if(verbose) printf(gettext("# %s: processing all users\n"), progname); count = rsbac_acl_list_all_user(ta_number, NULL, 0); error_exit(count); if(!count) exit(0); if(verbose) printf(gettext("# %s: %i targets\n"), progname, count); count += ROOM; id_array = malloc(count * sizeof(*id_array)); if(!id_array) error_exit(-ENOMEM); count = rsbac_acl_list_all_user(ta_number, id_array, count); if(count > 0) { qsort(id_array, count, sizeof(*id_array), rsbac_user_compare); target = T_USER; target_n = "USER"; for(i=0; i < count ; i++) process(NULL, NULL, id_array[i]); } free(id_array); } else if(alldev) { int count; struct rsbac_dev_desc_t * id_array; if(verbose) printf(gettext("# %s: processing all devices\n"), progname); count = rsbac_acl_list_all_dev(ta_number, NULL, 0); error_exit(count); if(!count) exit(0); if(verbose) printf(gettext("# %s: %i targets\n"), progname, count); count += ROOM; id_array = malloc(count * sizeof(*id_array)); if(!id_array) error_exit(-ENOMEM); count = rsbac_acl_list_all_dev(ta_number, id_array, count); if(count > 0) { qsort(id_array, count, sizeof(*id_array), rsbac_dev_compare); target = T_DEV; target_n = "DEV"; for(i=0; i < count ; i++) 
process(NULL, &id_array[i], RSBAC_NO_USER); } free(id_array); } else if(target == T_NONE) { if(verbose) printf(gettext("# %s: %i targets\n\n"), progname, argc - 1); fprintf(stderr, gettext("%s: No target type given, assuming FD\n"), progname); target = T_FD; target_n = none_name; if(argc < 1) process(".", NULL, RSBAC_NO_USER); else for (i=1;i < (argc);i++) { process(argv[i], NULL, RSBAC_NO_USER); } } else { if(argc > 2) { if(verbose) printf(gettext("# %s: %i targets\n\n"), progname, argc - 2); for (i=1;i < (argc-1);i++) { process(argv[i+1], NULL, RSBAC_NO_USER); } } else process(".", NULL, RSBAC_NO_USER); } } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/attr_get_group.c0000644000175000017500000001747411131371032021613 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 25/Feb/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [switches] module group attribute [position|request-name]\n\n"), progname); printf(gettext(" -n = numeric value, -b = both names and numbers,\n")); printf(gettext(" -l list all users, -L list all Linux groups\n")); printf(gettext(" -a = list attributes and values\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" module = GEN, MAC, FC, SIM, PM, MS, FF, RC or AUTH\n")); } int main(int argc, char ** argv) { int attr_list[RSBAC_GROUP_NR_ATTRIBUTES] = RSBAC_GROUP_ATTR_LIST; int res = 0; char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN]; int j; enum rsbac_switch_target_t module = SW_NONE; union 
rsbac_attribute_value_t value; union rsbac_target_id_t tid; enum rsbac_attribute_t attr; int inherit = 0; int numeric = 0; int both = 0; int bothr = 0; int printall = 0; int scripting = 0; rsbac_list_ta_number_t ta_number = 0; progname = argv[0]; locale_init(); { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'e': inherit=1; break; case 'p': printall=1; break; case 'n': numeric=1; break; case 'b': both=1; break; case 'B': bothr=1; break; case 's': scripting=1; break; case 'l': { struct passwd * user_info_p; setpwent(); while((user_info_p = getpwent())) { if(numeric) printf("%u\n", user_info_p->pw_uid); else if(both) printf("%s %u\n", user_info_p->pw_name, user_info_p->pw_uid); else if(bothr) printf("%u %s\n", user_info_p->pw_uid, user_info_p->pw_name); else printf("%s\n", user_info_p->pw_name); } exit(0); } case 'L': { struct group * group_info_p; setgrent(); while((group_info_p = getgrent())) { if(numeric) printf("%u\n", group_info_p->gr_gid); else if(both) printf("%s %u\n", group_info_p->gr_name, group_info_p->gr_gid); else if(bothr) printf("%u %s\n", group_info_p->gr_gid, group_info_p->gr_name); else printf("%s\n", group_info_p->gr_name); } exit(0); } case 'g': if(argc > 2) { rsbac_gid_t gid; if(rsbac_get_gid(ta_number, &gid, argv[2])) { fprintf(stderr, gettext("%s: Invalid Group %s!\n"), progname, argv[2]); exit(1); } if (RSBAC_GID_SET(gid)) printf("%u/%u\n", RSBAC_GID_SET(gid), RSBAC_GID_NUM(gid)); else printf("%u\n", RSBAC_GID_NUM(gid)); exit(0); } else { fprintf(stderr, "Missing argument to parameter g!\n"); exit(1); } case 'a': case 'A': if( (argc > 2) && ((attr = get_attribute_nr(argv[2])) != A_none) ) { get_switch_target_name(tmp1, get_attr_module(attr)); get_attribute_name(tmp2, attr); get_attribute_param(tmp3, attr); printf("[%-4s] %s\n\t%s\n",tmp1,tmp2,tmp3); exit(0); } printf(gettext("- 
attribute (string) and returned value = see following list:\n")); for (j=0;j 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if(argc > 1) { module = get_switch_target_nr(argv[1]); if(module != SW_NONE) { argv++; argc--; } } switch(argc) { case 3: value.dummy = -1; if(rsbac_get_gid_name(ta_number, &tid.group, tmp1, argv[1])) { fprintf(stderr, gettext("%s: Invalid Group %s!\n"), progname, argv[1]); exit(1); } if(!strcmp("group_nr",argv[2])) { if (RSBAC_GID_SET(tid.group)) printf("%u/%u\n", RSBAC_GID_SET(tid.group), RSBAC_GID_NUM(tid.group)); else printf("%u\n", RSBAC_GID_NUM(tid.group)); exit(0); } if(!strcmp("group_name",argv[2])) { printf("%s\n", tmp1); exit(0); } attr = get_attribute_nr(argv[2]); if(attr == A_none) { fprintf(stderr, gettext("%s: Invalid Attribute %s!\n"), progname, argv[2]); exit(1); } res = rsbac_get_attr(ta_number, module, T_GROUP, &tid, attr, &value, inherit); error_exit(res); switch(attr) { case A_rc_type: printf("%u\n",value.rc_role); break; default: printf("%i\n",value.dummy); } exit(0); default: use(); return 1; } exit(1); } rsbac-admin-1.4.0/main/tools/src/acl_group.c0000644000175000017500000007140111131371032020527 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 26/Feb/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif #define GROUP_PROG "acl_group" #define MAX_ENTRIES 200 rsbac_list_ta_number_t ta_number = 0; char * progname; void use(void) { printf(gettext("%s (RSBAC 
%s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [switches] function params\n"), progname); printf(gettext(" -v = verbose, -g = also list global groups of other users,\n")); printf(gettext(" -b = backup mode, -n = use numerical values,\n")); printf(gettext(" -s = scripting mode\n")); printf(gettext(" -t = set relative time-to-live for this membership in seconds (add_member only)\n")); printf(gettext(" -T = set absolute time-to-live for this trustee in seconds (add_member only)\n")); printf(gettext(" -D = set relative time-to-live for this membership in days (add_member only)\n")); printf(gettext(" -V version = supply RSBAC integer version number for upgrading\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext("- function and params = one of\n")); printf(gettext(" add_group P[RIVATE]|G[LOBAL] name [id]\n")); printf(gettext(" change_group group-id new-owner P[RIVATE]|G[LOBAL] name\n")); printf(gettext(" remove_group group-id\n")); printf(gettext(" get_group_entry group-id\n")); printf(gettext(" get_group_name group-id\n")); printf(gettext(" get_group_type group-id\n")); printf(gettext(" get_group_owner group-id\n")); printf(gettext(" list_groups\n")); printf(gettext(" add_member group-id user1 ...\n")); printf(gettext(" remove_member group-id user1 ...\n")); printf(gettext(" get_user_groups [user]\n")); printf(gettext(" get_group_members group-id\n")); } char * acl_get_group_name(rsbac_acl_group_id_t group, char * name) { union rsbac_acl_group_syscall_arg_t arg; struct rsbac_acl_group_entry_t entry; arg.get_group_entry.id = group; arg.get_group_entry.entry_p = &entry; if(!rsbac_acl_group(ta_number, ACLGS_get_group_entry, &arg)) { strcpy(name, entry.name); } else { strcpy(name, gettext("*unknown*")); } return name; } int main(int argc, char ** argv) { int res = 0; int i; enum rsbac_acl_group_syscall_type_t call; int verbose=0; int global=0; int backup=0; int scripting=0; int numerical=0; 
rsbac_version_t version=RSBAC_VERSION_NR; rsbac_time_t ttl=RSBAC_LIST_TTL_KEEP; union rsbac_acl_group_syscall_arg_t arg; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'g': global=1; break; case 'b': backup=1; break; case 'n': numerical=1; break; case 's': scripting=1; break; case 't': if(argc > 2) { ttl = strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'D': if(argc > 2) { ttl = 86400 * strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'T': if(argc > 2) { rsbac_time_t now = time(NULL); ttl = strtoul(argv[2], 0, 10); if(ttl > now) { ttl -= now; argc--; argv++; } else { fprintf(stderr, gettext("%s: ttl value for parameter %c is in the past, exiting\n"), progname, *pos); exit(1); } } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'V': if(argc < 3) { fprintf(stderr, gettext("%s: no version number for switch V\n"), progname); exit(1); } version = strtol(argv[2],0,10); argv++; argc--; break; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if( (argc > 1) && ((call = get_acl_group_syscall_nr(argv[1])) != ACLGS_none) ) { switch(call) { case ACLGS_add_group: { rsbac_acl_group_id_t group = 0; if(argc <= 3) { fprintf(stderr, gettext("%s: too few arguments for function %s\n"), progname, argv[1]); exit(1); } if(argv[2][0] == 'P') 
arg.add_group.type = ACLG_PRIVATE; else if(argv[2][0] == 'G') arg.add_group.type = ACLG_GLOBAL; else { fprintf(stderr, gettext("%s: %s: invalid group type %s\n"), progname, argv[1], argv[2]); exit(1); } arg.add_group.name = argv[3]; if(argc > 4) { group = strtol(argv[4],0,10); } arg.add_group.group_id_p = &group; res = rsbac_acl_group(ta_number, call, &arg); error_exit(res); if(verbose) printf(gettext("%s group %u '%s' added\n"), argv[2], group, argv[3]); break; } case ACLGS_change_group: { if(argc <= 5) { fprintf(stderr, gettext("%s: too few arguments for function %s\n"), progname, argv[1]); exit(1); } arg.change_group.id = strtol(argv[2],0,10); if(rsbac_get_uid(ta_number, &arg.change_group.owner, argv[3])) { fprintf(stderr, gettext("%s: Invalid User %s!\n"), progname, argv[3]); exit(1); } if(argv[4][0] == 'P') arg.change_group.type = ACLG_PRIVATE; else if(argv[4][0] == 'G') arg.change_group.type = ACLG_GLOBAL; else { fprintf(stderr, gettext("%s: %s: invalid group type %s\n"), progname, argv[1], argv[2]); exit(1); } arg.change_group.name = argv[5]; res = rsbac_acl_group(ta_number, call, &arg); error_exit(res); if(verbose) { if (RSBAC_UID_SET(arg.change_group.owner)) printf(gettext("Group %u changed to owner %u/%u, type %s, name '%s'\n"), arg.change_group.id, RSBAC_UID_SET(arg.change_group.owner), RSBAC_UID_NUM(arg.change_group.owner), argv[4], arg.change_group.name); else printf(gettext("Group %u changed to owner %u, type %s, name '%s'\n"), arg.change_group.id, RSBAC_UID_NUM(arg.change_group.owner), argv[4], arg.change_group.name); } break; } case ACLGS_remove_group: { char name[RSBAC_ACL_GROUP_NAMELEN]; if(argc <= 2) { fprintf(stderr, gettext("%s: too few arguments for function %s\n"), progname, argv[1]); exit(1); } arg.remove_group.id = strtol(argv[2],0,10); if(verbose) acl_get_group_name(arg.remove_group.id, name); res = rsbac_acl_group(ta_number, call, &arg); error_exit(res); if(verbose) printf(gettext("Group %u '%s' removed\n"), arg.remove_group.id, name); 
break; } case ACLGS_get_group_entry: { struct rsbac_acl_group_entry_t entry; char type; char tmp[80]; if(argc <= 2) { fprintf(stderr, gettext("%s: too few arguments for function %s\n"), progname, argv[1]); exit(1); } arg.get_group_entry.id = strtol(argv[2],0,10); arg.get_group_entry.entry_p = &entry; res = rsbac_acl_group(ta_number, call, &arg); error_exit(res); if(entry.type == ACLG_PRIVATE) type = 'P'; else type = 'G'; if(scripting) { if(numerical) { if (RSBAC_UID_SET(entry.owner)) printf("'%s'-%c-%u/%u\n", entry.name, type, RSBAC_UID_SET(entry.owner), RSBAC_UID_NUM(entry.owner)); else printf("'%s'-%c-%u\n", entry.name, type, RSBAC_UID_NUM(entry.owner)); } else printf("'%s'-%c-%s\n", entry.name, type, get_user_name(ta_number, entry.owner, tmp)); } else { if (RSBAC_UID_SET(entry.owner)) printf(gettext("Group %u: owner %u/%u (%s), type %c, name '%s'\n"), entry.id, RSBAC_UID_SET(entry.owner), RSBAC_UID_NUM(entry.owner), get_user_name(ta_number, entry.owner, tmp), type, entry.name); else printf(gettext("Group %u: owner %u (%s), type %c, name '%s'\n"), entry.id, RSBAC_UID_NUM(entry.owner), get_user_name(ta_number, entry.owner, tmp), type, entry.name); } break; } case ACLGS_list_groups: { struct rsbac_acl_group_entry_t entry_array[MAX_ENTRIES]; char type; char tmp[RSBAC_MAXNAMELEN]; arg.list_groups.maxnum = MAX_ENTRIES; arg.list_groups.include_global = global; arg.list_groups.group_entry_array = entry_array; res = rsbac_acl_group(ta_number, call, &arg); error_exit(res); if(verbose) { if(res < MAX_ENTRIES) printf(gettext("%i groups listed:\n"), res); else printf(gettext("%i groups listed (list truncated):\n"), res); } for(i=0; i0)) { rsbac_time_t now = time(NULL); printf("%s -V %u add_member %u", GROUP_PROG, RSBAC_VERSION_NR, arg.get_group_members.group); for(i=0; i 2) && (!strncmp(argv[1], "get_group_", 10)) ) { struct rsbac_acl_group_entry_t entry; char tmp[80]; arg.get_group_entry.id = strtol(argv[2],0,10); arg.get_group_entry.entry_p = &entry; res = 
rsbac_acl_group(ta_number, ACLGS_get_group_entry, &arg); error_exit(res); switch(argv[1][10]) { case 't': if(entry.type == ACLG_PRIVATE) printf("PRIVATE\n"); else printf("GLOBAL\n"); break; case 'o': if(numerical) { if (RSBAC_UID_SET(entry.owner)) printf("%u/%u\n", RSBAC_UID_SET(entry.owner), RSBAC_UID_NUM(entry.owner)); else printf("%u\n", RSBAC_UID_NUM(entry.owner)); } else printf("%s\n", get_user_name(ta_number, entry.owner, tmp)); break; case 'n': printf("%s\n", entry.name); break; default: break; } } else { use(); exit(1); } exit(0); } rsbac-admin-1.4.0/main/tools/src/acl_rights.c0000644000175000017500000005040711131371032020676 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 25/Feb/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif int verbose=0; int recurse=0; int printall=0; int effective=1; int scripting=0; int exit_res=0; int numdev=0; rsbac_list_ta_number_t ta_number = 0; union rsbac_attribute_value_t value; enum rsbac_target_t target; char * target_n; enum rsbac_attribute_t attr; char * progname; enum rsbac_acl_subject_type_t subj_type=ACLS_USER; rsbac_acl_subject_id_t subj_id; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [switches] target-type file/dirname(s)\n"), progname); printf(gettext(" -v = verbose, -r = recurse into subdirs,\n")); printf(gettext(" -p = print right names, -d = give direct, not effective rights\n")); printf(gettext(" -n = list valid SCD names, -s = scripting mode\n")); printf(gettext(" -D = numeric device specification ({b|c}major[:minor])\n")); printf(gettext(" -R = list valid right names [for target-type]\n")); printf(gettext(" -N ta = 
transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" -u user = print rights for given user, not caller\n")); printf(gettext(" -g group = print rights for given group, not caller\n")); printf(gettext(" -l role = print rights for given role, not caller\n")); printf(gettext(" target-type = FILE, DIR, FIFO, SYMLINK, DEV, IPC, SCD, USER, GROUP, PROCESS,\n")); printf(gettext(" NETDEV, NETTEMP_NT, NETTEMP, NETOBJ or FD\n")); printf(gettext(" (FD: let %s decide between FILE, DIR, FIFO and SYMLINK, no DEV),\n"), progname); printf(gettext(" (IPC, PROCESS: only :DEFAULT:\n")); printf(gettext(" (NETTEMP: no :DEFAULT:\n")); printf(gettext("- Use name :DEFAULT: for default ACL\n")); } int process(char * name) { int res = 0; char tmp1[RSBAC_MAXNAMELEN]; struct stat buf; struct rsbac_acl_syscall_arg_t arg; struct rsbac_acl_syscall_n_arg_t arg_n; rsbac_acl_rights_vector_t rights_vector = 0; if(!strcmp(name,":DEFAULT:")) { switch(target) { case T_FILE: case T_DIR: case T_FIFO: case T_SYMLINK: case T_FD: arg_n.name = NULL; break; case T_DEV: if(numdev) arg.tid.dev = RSBAC_ZERO_DEV_DESC; else arg_n.name = NULL; break; case T_IPC: arg.tid.ipc.type = I_none; break; case T_SCD: arg.tid.scd = AST_none; break; case T_USER: arg.tid.user = RSBAC_NO_USER; break; case T_PROCESS: arg.tid.process = 0; break; case T_GROUP: arg.tid.group = RSBAC_NO_GROUP; break; case T_NETDEV: arg.tid.netdev[0] = 0; break; case T_NETTEMP_NT: arg.tid.nettemp = 0; break; case T_NETOBJ: arg.tid.netobj.sock_p = NULL; arg.tid.netobj.local_addr = NULL; arg.tid.netobj.local_len = 0; arg.tid.netobj.remote_addr = NULL; arg.tid.netobj.remote_len = 0; break; default: fprintf(stderr, gettext("Invalid target %u for %s, skipped!\n"), target, name); return(1); } } else { switch(target) { case T_FILE: case T_DIR: case T_FIFO: case T_SYMLINK: case T_FD: arg_n.name = name; break; case T_DEV: if(numdev) { if(strtodevdesc(name, &arg.tid.dev)) { fprintf(stderr, gettext("%s is no valid device 
specification, skipped\n"), name); return(1); } } else arg_n.name = name; break; case T_SCD: arg.tid.scd = get_acl_scd_type_nr(name); if((arg.tid.scd == ST_none) || (arg.tid.scd == AST_none)) { fprintf(stderr, gettext("%s is no valid SCD name, skipped\n"), name); return(1); } break; case T_USER: if(rsbac_get_uid(ta_number, &arg.tid.user, name)) { fprintf(stderr, gettext("%s: Invalid User %s!\n"), progname, name); exit(1); } break; case T_GROUP: if(rsbac_get_gid(ta_number, &arg.tid.group, name)) { fprintf(stderr, gettext("%s: Invalid Group %s!\n"), progname, name); exit(1); } break; case T_NETDEV: strncpy((char *)arg.tid.netdev, name, RSBAC_IFNAMSIZ); arg.tid.netdev[RSBAC_IFNAMSIZ] = 0; break; case T_NETTEMP: case T_NETTEMP_NT: arg.tid.nettemp = strtoul(name, 0, 10); break; case T_NETOBJ: arg.tid.netobj.sock_p = (void *) strtoul(name, 0, 0); arg.tid.netobj.remote_addr = NULL; arg.tid.netobj.remote_len = 0; break; default: fprintf(stderr, gettext("Invalid target %u for %s, skipped!\n"), target, name); return(1); } } if(verbose) printf(gettext("Processing %s '%s'\n"), target_n, name); switch(target) { case T_FILE: case T_DIR: case T_FIFO: case T_SYMLINK: case T_FD: arg_n.target = target; arg_n.subj_type = subj_type; arg_n.subj_id = subj_id; res = rsbac_acl_get_rights_n(ta_number, &arg_n, &rights_vector, effective); break; case T_DEV: if(!numdev) { arg_n.target = target; arg_n.subj_type = subj_type; arg_n.subj_id = subj_id; res = rsbac_acl_get_rights_n(ta_number, &arg_n, &rights_vector, effective); break; } /* fall through */ default: arg.target = target; arg.subj_type = subj_type; arg.subj_id = subj_id; res = rsbac_acl_get_rights(ta_number, &arg, &rights_vector, effective); } if(res) { get_error_name(tmp1,res); if( verbose || (errno != RSBAC_EINVALIDTARGET) ) fprintf(stderr, gettext("%s: error: %s\n"), name, tmp1); exit_res=1; } else { if(scripting) { if(printall) { int i; for (i=0; id_name)) && (strcmp("..",dirent_p->d_name)) ) { strcpy(name2,name); 
strcat(name2,"/"); strcat(name2,dirent_p->d_name); process(name2); } } closedir(dir_stream_p); } return(0); } int main(int argc, char ** argv) { int i; char none_name[] = "FD"; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } subj_id=getuid(); while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose=1; break; case 'r': recurse=1; break; case 'p': printall=1; break; case 's': scripting=1; break; case 'd': effective=0; break; case 'D': numdev=1; break; case 'n': { char tmp[80]; for(i=0; i 2) { target = get_target_nr(argv[2]); switch(target) { case T_FD: case T_FILE: case T_DIR: case T_FIFO: case T_SYMLINK: rights_vector = RSBAC_FD_REQUEST_VECTOR; break; case T_DEV: rights_vector = RSBAC_DEV_REQUEST_VECTOR; break; case T_IPC: rights_vector = RSBAC_IPC_REQUEST_VECTOR; break; case T_SCD: rights_vector = RSBAC_SCD_REQUEST_VECTOR; if(argc > 3) { enum rsbac_acl_scd_type_t type; type = get_acl_scd_type_nr(argv[3]); if(type == ST_other) rights_vector = RSBAC_NONE_REQUEST_VECTOR; } break; case T_USER: rights_vector = RSBAC_ACL_USER_RIGHTS_VECTOR; break; case T_GROUP: rights_vector = RSBAC_ACL_GROUP_RIGHTS_VECTOR; break; case T_PROCESS: rights_vector = RSBAC_PROCESS_REQUEST_VECTOR; break; case T_NETDEV: rights_vector = RSBAC_NETDEV_REQUEST_VECTOR; break; case T_NETTEMP_NT: rights_vector = RSBAC_NETTEMP_REQUEST_VECTOR; break; case T_NETTEMP: case T_NETOBJ: rights_vector = RSBAC_NETOBJ_REQUEST_VECTOR; break; default: fprintf(stderr, gettext("%s: invalid target type %s for switch N\n"), progname, argv[2]); exit(1); } } for(i=0; i 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; case '-': if(!strcmp(pos,"-USER")) { if(argc < 3) { fprintf(stderr, gettext("%s: no user for switch -USER\n"), progname); 
exit(1); } { rsbac_uid_t uid; if(rsbac_get_uid(ta_number, &uid, argv[2])) { fprintf(stderr, gettext("Invalid user %s!\n"), argv[2]); exit(1); } subj_id = uid; } subj_type = ACLS_USER; if(!scripting) { if (RSBAC_UID_SET(subj_id)) printf("%s: User %u/%u\n", progname, RSBAC_UID_SET(subj_id), RSBAC_UID_NUM(subj_id)); else printf("%s: User %u\n", progname, RSBAC_UID_NUM(subj_id)); } argv++; argc--; pos+=4; break; } else if(!strcmp(pos,"-GROUP")) { if(argc < 3) { fprintf(stderr, gettext("%s: no group for switch -GROUP\n"), progname); exit(1); } subj_type = ACLS_GROUP; subj_id = strtol(argv[2],0,10); if(!scripting) printf(gettext("%s: Group %u\n"), progname, RSBAC_UID_NUM(subj_id)); argv++; argc--; pos+=5; break; } else if(!strcmp(pos,"-ROLE")) { if(argc < 3) { fprintf(stderr, gettext("%s: no role for switch -ROLE\n"), progname); exit(1); } subj_type = ACLS_ROLE; subj_id = strtol(argv[2],0,10); if(!scripting) printf(gettext("%s: Role %u\n"), progname, RSBAC_UID_NUM(subj_id)); argv++; argc--; pos+=4; break; } else { fprintf(stderr, gettext("%s: unknown parameter %s\n"), progname, pos); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc > 1) { target = get_target_nr(argv[1]); target_n = argv[1]; if(target == T_NONE) { if(verbose) printf(gettext("%s: %i targets\n\n"), progname, argc - 1); fprintf(stderr, gettext("%s: No target type given, assuming FD\n"), progname); target = T_FD; target_n = none_name; if(argc < 1) process("."); else for (i=1;i < (argc);i++) { process(argv[i]); } } else { if(argc > 2) { if(verbose) printf(gettext("%s: %i targets\n\n"), progname, argc - 2); for (i=1;i < (argc-1);i++) { process(argv[i+1]); } } else process("."); } } else { use(); return 1; } return (exit_res); } rsbac-admin-1.4.0/main/tools/src/acl_grant.c0000644000175000017500000006033311131371033020511 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access 
Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 25/Feb/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif int verbose=0; int recurse=0; int printall=0; int bitstring=0; int exitval=0; int numdev=0; rsbac_version_t version=RSBAC_VERSION_NR; rsbac_time_t ttl=RSBAC_ACL_TTL_KEEP; rsbac_list_ta_number_t ta_number = 0; union rsbac_attribute_value_t value; enum rsbac_target_t target; char * target_n; enum rsbac_attribute_t attr; char * progname; rsbac_acl_rights_vector_t rights_vector; enum rsbac_acl_subject_type_t subj_type = ACLS_NONE; rsbac_acl_subject_id_t subj_id; enum rsbac_acl_syscall_type_t call = ACLC_add_to_acl_entry; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [switches] subj_type subj_id [rights] target-type file/dirname(s)\n"), progname); printf(gettext(" -v = verbose, -r = recurse into subdirs,\n")); printf(gettext(" -p = print right names, -s = set rights, not add\n")); printf(gettext(" -k = revoke rights, not add, -m remove entry (set back to inherit)\n")); printf(gettext(" -b = expect rights as bitstring, -n = list valid SCD names\n")); printf(gettext(" -d = numeric device specification ({b|c}major[:minor])\n")); printf(gettext(" -u, -g, -l = shortcuts for USER, GROUP and ROLE\n")); printf(gettext(" -t = set relative time-to-live for this trustee in seconds (add and set only)\n")); printf(gettext(" -T = set absolute time-to-live for this trustee in seconds (add and set only)\n")); printf(gettext(" -D = set relative time-to-live for this trustee in days (add and set only)\n")); printf(gettext(" -V version = supply RSBAC integer version number for upgrading\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); 
printf(gettext(" subj_type = USER, GROUP or ROLE,\n")); printf(gettext(" subj_id = user name or id number,\n")); printf(gettext(" rights = list of space-separated right names (requests and ACL specials),\n")); printf(gettext(" also request groups R (read requests), RW (read-write), W (write)\n")); printf(gettext(" SY (system), SE (security), A (all)\n")); printf(gettext(" S (ACL special rights)\n")); printf(gettext(" and NWx with x = S R W C E A F M (similar to well-known network system)\n")); printf(gettext(" target-type = FILE, DIR, FIFO, SYMLINK, DEV, IPC, SCD, USER, PROCESS, NETDEV,\n")); printf(gettext(" NETTEMP_NT, NETTEMP, NETOBJ or FD\n")); printf(gettext(" (FD: let %s decide between FILE, DIR, FIFO and SYMLINK, no DEV),\n"), progname); printf(gettext(" (IPC, USER, PROCESS: only :DEFAULT:\n")); printf(gettext(" (NETTEMP: no :DEFAULT:\n")); printf(gettext("- Use name :DEFAULT: for default ACL\n")); } int process(char * name) { int res = 0; char tmp1[120]; struct stat buf; struct rsbac_acl_syscall_arg_t arg; struct rsbac_acl_syscall_n_arg_t arg_n; if(!strcmp(name,":DEFAULT:")) { switch(target) { case T_FILE: case T_DIR: case T_FIFO: case T_SYMLINK: case T_FD: arg_n.name = NULL; break; case T_DEV: if(numdev) arg.tid.dev = RSBAC_ZERO_DEV_DESC; else arg_n.name = NULL; break; case T_IPC: arg.tid.ipc.type = I_none; break; case T_SCD: arg.tid.scd = AST_none; break; case T_USER: arg.tid.user = RSBAC_NO_USER; break; case T_PROCESS: arg.tid.process = 0; break; case T_GROUP: arg.tid.group = RSBAC_NO_GROUP; break; case T_NETDEV: arg.tid.netdev[0] = 0; break; case T_NETTEMP_NT: arg.tid.nettemp = 0; break; case T_NETOBJ: arg.tid.netobj.sock_p = NULL; arg.tid.netobj.local_addr = NULL; arg.tid.netobj.local_len = 0; arg.tid.netobj.remote_addr = NULL; arg.tid.netobj.remote_len = 0; break; default: fprintf(stderr, gettext("Invalid target %u for %s, skipped!\n"), target, name); return(1); } if(verbose) printf(gettext("Processing default %s '%s'\n"), target_n, name); } else { 
arg_n.name = name; switch(target) { case T_FILE: case T_DIR: case T_FIFO: case T_SYMLINK: case T_FD: break; case T_DEV: if( numdev && strtodevdesc(name, &arg.tid.dev) ) { fprintf(stderr, gettext("%s is no valid device specification, skipped\n"), name); return(1); } break; case T_SCD: arg.tid.scd = get_acl_scd_type_nr(name); if((arg.tid.scd == ST_none) || (arg.tid.scd == AST_none)) { fprintf(stderr, gettext("%s is no valid SCD name, skipped\n"), name); return(1); } break; case T_USER: if(rsbac_get_uid(ta_number, &arg.tid.user, name)) { fprintf(stderr, gettext("%s: Invalid User %s!\n"), progname, name); exit(1); } break; case T_GROUP: if(rsbac_get_gid(ta_number, &arg.tid.group, name)) { fprintf(stderr, gettext("%s: Invalid Group %s!\n"), progname, name); exit(1); } break; case T_NETDEV: strncpy((char *)arg.tid.netdev, name, RSBAC_IFNAMSIZ); arg.tid.netdev[RSBAC_IFNAMSIZ] = 0; break; case T_NETTEMP: case T_NETTEMP_NT: arg.tid.nettemp = strtoul(name, 0, 10); break; case T_NETOBJ: arg.tid.netobj.sock_p = (void *) strtoul(name, 0, 0); arg.tid.netobj.remote_addr = NULL; arg.tid.netobj.remote_len = 0; break; default: fprintf(stderr, gettext("Invalid target type %u for %s, skipped!\n"), target, name); return(1); } if(verbose) printf(gettext("Processing %s '%s'\n"), target_n, name); } /* end of no default */ switch(target) { case T_FILE: case T_DIR: case T_FIFO: case T_SYMLINK: case T_FD: arg_n.target = target; arg_n.subj_type = subj_type; arg_n.subj_id = subj_id; arg_n.rights = rights_vector; arg_n.ttl = ttl; res = rsbac_acl_n(ta_number, call, &arg_n); break; case T_DEV: if(!numdev) { arg_n.target = target; arg_n.subj_type = subj_type; arg_n.subj_id = subj_id; arg_n.rights = rights_vector; arg_n.ttl = ttl; res = rsbac_acl_n(ta_number, call, &arg_n); break; } /* fall through */ default: arg.target = target; arg.subj_type = subj_type; arg.subj_id = subj_id; arg.rights = rights_vector; arg.ttl = ttl; res = rsbac_acl(ta_number, call, &arg); } if(res) { get_error_name(tmp1,res); 
fprintf(stderr, gettext("%s: error: %s\n"), name, tmp1); exitval=1; } if( !lstat(name,&buf) && S_ISDIR(buf.st_mode) && recurse) { DIR * dir_stream_p; struct dirent * dirent_p; char name2[PATH_MAX]; if(S_ISLNK(buf.st_mode)) return(0); if(!(dir_stream_p = opendir(name))) { fprintf(stderr, gettext("opendir for dir %s returned error: %s\n"), name, strerror(errno)); return(-2); } while((dirent_p = readdir(dir_stream_p))) { if( (strcmp(".",dirent_p->d_name)) && (strcmp("..",dirent_p->d_name)) ) { strcpy(name2,name); strcat(name2,"/"); strcat(name2,dirent_p->d_name); process(name2); } } closedir(dir_stream_p); } return(0); } int main(int argc, char ** argv) { int i; enum rsbac_acl_special_rights_t right; rsbac_boolean_t rused = FALSE; rsbac_boolean_t wused = FALSE; char none_name[] = "FD"; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'r': recurse=1; break; case 's': call = ACLC_set_acl_entry; break; case 'k': call = ACLC_remove_from_acl_entry; break; case 'm': call = ACLC_remove_acl_entry; break; case 'p': printall=1; break; case 'b': bitstring=1; break; case 'd': numdev=1; break; case 'n': { char tmp[80]; for(i=0; i 2) { ttl = strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'D': if(argc > 2) { ttl = 86400 * strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'T': if(argc > 2) { rsbac_time_t now = time(NULL); ttl = strtoul(argv[2], 0, 10); if(ttl > now) { ttl -= now; argc--; argv++; } else { fprintf(stderr, gettext("%s: ttl value for parameter %c is in the past, exiting\n"), progname, *pos); exit(1); } } else fprintf(stderr, gettext("%s: missing ttl value for 
parameter %c\n"), progname, *pos); break; case 'V': if(argc < 3) { fprintf(stderr, gettext("%s: no version number for switch V\n"), progname); exit(1); } version = strtol(argv[2],0,10); argv++; argc--; break; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc > 3) { if(subj_type == ACLS_NONE) { subj_type = get_acl_subject_type_nr(argv[1]); if(subj_type == ACLS_NONE) { fprintf(stderr, gettext("%s: unknown subject_type %s\n"), progname, argv[1]); exit(1); } argv++; argc--; } if(subj_type == ACLS_USER) { rsbac_uid_t uid; if(rsbac_get_uid(ta_number, &uid, argv[1])) { fprintf(stderr, gettext("%s: Invalid User %s!\n"), progname, argv[1]); exit(1); } subj_id = uid; } else { subj_id = strtol(argv[1],0,10); } argv++; argc--; if(bitstring && (argc > 2)) { if(strlen(argv[1]) != ACLR_NONE) { fprintf(stderr, gettext("Invalid bitstring length %u, must be %u!\n"), strlen(argv[1]), ACLR_NONE); exit(1); } strtou64acl(argv[1], &rights_vector); argv++; argc--; } else { while(argc > 2) { right = get_acl_special_right_nr(argv[1]); if((right == R_NONE) || (right == ACLR_NONE)) { if(!strcmp(argv[1],"UA")) { rights_vector &= RSBAC_ACL_SPECIAL_RIGHTS_VECTOR; } else if(!strcmp(argv[1],"RW")) { rights_vector |= RSBAC_READ_WRITE_REQUEST_VECTOR; } else if(!strcmp(argv[1],"R")) { rights_vector |= RSBAC_READ_REQUEST_VECTOR; rused = TRUE; } else if(!strcmp(argv[1],"W")) { rights_vector |= RSBAC_WRITE_REQUEST_VECTOR; wused = TRUE; } else if(!strcmp(argv[1],"SY")) { rights_vector |= RSBAC_SYSTEM_REQUEST_VECTOR; } else if(!strcmp(argv[1],"SE")) { rights_vector |= RSBAC_SECURITY_REQUEST_VECTOR; } else if(!strcmp(argv[1],"S")) { rights_vector |= RSBAC_ACL_SPECIAL_RIGHTS_VECTOR; } else if(!strcmp(argv[1],"A")) { 
rights_vector |= RSBAC_ALL_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWS")) { rights_vector |= RSBAC_NWS_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWR")) { rights_vector |= RSBAC_NWR_REQUEST_VECTOR; rused = TRUE; } else if(!strcmp(argv[1],"NWW")) { rights_vector |= RSBAC_NWW_REQUEST_VECTOR; wused = TRUE; } else if(!strcmp(argv[1],"NWC")) { rights_vector |= RSBAC_NWC_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWE")) { rights_vector |= RSBAC_NWE_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWA")) { rights_vector |= RSBAC_NWA_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWF")) { rights_vector |= RSBAC_NWF_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWM")) { rights_vector |= RSBAC_NWM_REQUEST_VECTOR; } else { /* end of rights */ break; } } else { rights_vector |= ((rsbac_acl_rights_vector_t) 1 << right); } argv++; argc--; } if(rused && wused) { rights_vector |= RSBAC_READ_WRITE_REQUEST_VECTOR; } } /* end of !bitstring */ target = get_target_nr(argv[1]); target_n = argv[1]; /* trim rights_vector for target */ switch(target) { case T_DIR: case T_FILE: case T_FIFO: case T_SYMLINK: case T_FD: argv++; argc--; rights_vector &= (RSBAC_FD_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; case T_DEV: argv++; argc--; rights_vector &= (RSBAC_DEV_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; case T_IPC: argv++; argc--; rights_vector &= (RSBAC_IPC_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; case T_SCD: argv++; argc--; rights_vector &= (RSBAC_SCD_REQUEST_VECTOR | RSBAC_NONE_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; case T_USER: argv++; argc--; rights_vector &= (RSBAC_ACL_USER_RIGHTS_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; case T_PROCESS: argv++; argc--; rights_vector &= (RSBAC_PROCESS_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; case T_GROUP: argv++; argc--; rights_vector &= (RSBAC_ACL_GROUP_RIGHTS_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; case T_NETDEV: argv++; argc--; rights_vector &= 
(RSBAC_NETDEV_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; case T_NETTEMP_NT: argv++; argc--; rights_vector &= (RSBAC_NETTEMP_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; case T_NETTEMP: case T_NETOBJ: argv++; argc--; rights_vector &= (RSBAC_NETOBJ_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; case T_NONE: fprintf(stderr, "%s: No target type given, assuming FD\n", progname); target = T_FD; target_n = none_name; rights_vector &= (RSBAC_FD_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR); break; default: fprintf(stderr, gettext("%s: Invalid target type %s\n"), progname, argv[1]); } if(verbose) { char tmp1[RSBAC_MAXNAMELEN]; char tmp2[RSBAC_MAXNAMELEN]; switch(call) { case ACLC_set_acl_entry: if (RSBAC_UID_SET(subj_id)) printf(gettext("Set rights: %s\nfor %s %u/%u\n"), u64tostracl(tmp1, rights_vector), get_acl_subject_type_name(tmp2, subj_type), RSBAC_UID_SET(subj_id), RSBAC_UID_NUM(subj_id)); else printf(gettext("Set rights: %s\nfor %s %u\n"), u64tostracl(tmp1, rights_vector), get_acl_subject_type_name(tmp2, subj_type), RSBAC_UID_NUM(subj_id)); break; case ACLC_add_to_acl_entry: if (RSBAC_UID_SET(subj_id)) printf(gettext("Add rights: %s\nfor %s %u/%u\n"), u64tostracl(tmp1, rights_vector), get_acl_subject_type_name(tmp2, subj_type), RSBAC_UID_SET(subj_id), RSBAC_UID_NUM(subj_id)); else printf(gettext("Add rights: %s\nfor %s %u\n"), u64tostracl(tmp1, rights_vector), get_acl_subject_type_name(tmp2, subj_type), RSBAC_UID_NUM(subj_id)); break; case ACLC_remove_from_acl_entry: if (RSBAC_UID_SET(subj_id)) printf(gettext("Revoke rights: %s\nfor %s %u/%u\n"), u64tostracl(tmp1, rights_vector), get_acl_subject_type_name(tmp2, subj_type), RSBAC_UID_SET(subj_id), RSBAC_UID_NUM(subj_id)); else printf(gettext("Revoke rights: %s\nfor %s %u\n"), u64tostracl(tmp1, rights_vector), get_acl_subject_type_name(tmp2, subj_type), RSBAC_UID_NUM(subj_id)); break; case ACLC_remove_acl_entry: if (RSBAC_UID_SET(subj_id)) printf(gettext("Remove entry for %s 
%u/%u.\n"), get_acl_subject_type_name(tmp2, subj_type), RSBAC_UID_SET(subj_id), RSBAC_UID_NUM(subj_id)); else printf(gettext("Remove entry for %s %u.\n"), get_acl_subject_type_name(tmp2, subj_type), RSBAC_UID_NUM(subj_id)); break; default: fprintf(stderr, gettext("%s: Internal error in call switch!\n"), progname); exit(1); } if(printall) { int i; for (i=0; i1) printf(gettext("\n%s: %i targets\n\n"), progname, argc - 1); for (i=1;i < (argc);i++) { process(argv[i]); } } else { use(); return 1; } return(exitval); } rsbac-admin-1.4.0/main/tools/src/auth_set_cap.c0000644000175000017500000002676011131371033021224 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 25/Feb/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif #define MAXNUM 200 char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [switches] TYPE add/remove target first_user [last_user]\n"), progname); printf(gettext("Use: %s [switches] TYPE get target\n"), progname); printf(gettext(" TYPE = PROCESS (add/remove only), DIR, FILE or FD (auto-select),\n")); printf(gettext(" target = pid or filename\n")); printf(gettext(" last_user: range from first_user to last_user\n")); printf(gettext(" -m = set maximum length of cap entry list per file, default is %u\n"), MAXNUM); printf(gettext(" -e = get or set caps for effective uids, not real\n")); printf(gettext(" -f = get or set caps for filesystem uids, not real\n")); printf(gettext(" -g = get or set caps for gids, not uids\n")); printf(gettext(" -E = get or set for eff gids, not real uids\n")); printf(gettext(" -F = get or set for fs gids, not real uids\n")); printf(gettext(" -t = set relative 
time-to-live for this cap entry in seconds (add only)\n")); printf(gettext(" -T = set absolute time-to-live for this cap entry in seconds (add only)\n")); printf(gettext(" -D = set relative time-to-live for this cap entry in days (add only)\n")); printf(gettext(" -V version = supply RSBAC integer version number for upgrading\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); } int main(int argc, char ** argv) { int res = 0; rsbac_pid_t pid=0; struct rsbac_auth_cap_range_t cap_range; enum rsbac_target_t target; rsbac_boolean_t remove = FALSE; int verbose = 0; rsbac_version_t version=RSBAC_VERSION_NR; rsbac_time_t ttl = RSBAC_LIST_TTL_KEEP; int maxnum = MAXNUM; enum rsbac_auth_cap_type_t cap_type = ACT_real; struct rsbac_auth_cap_range_t * caplist; rsbac_time_t * ttllist; int i; rsbac_list_ta_number_t ta_number = 0; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'e': cap_type = ACT_eff; break; case 'f': cap_type = ACT_fs; break; case 'g': cap_type = ACT_group_real; break; case 'E': cap_type = ACT_group_eff; break; case 'F': cap_type = ACT_group_fs; break; case 'm': if(argc > 2) { maxnum = strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing maxnum value for parameter %c\n"), progname, *pos); break; case 't': if(argc > 2) { ttl = strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'D': if(argc > 2) { ttl = 86400 * strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'T': if(argc > 2) { rsbac_time_t now = time(NULL); ttl = strtoul(argv[2], 0, 10); if(ttl > now) { ttl -= now; argc--; 
argv++; } else { fprintf(stderr, gettext("%s: ttl value for parameter %c is in the past, exiting\n"), progname, *pos); exit(1); } } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'V': if(argc < 3) { fprintf(stderr, gettext("%s: no version number for switch V\n"), progname); exit(1); } version = strtol(argv[2],0,10); argv++; argc--; break; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } switch(argc) { case 5: case 6: target = get_target_nr(argv[1]); if( (target != T_PROCESS) && (target != T_FILE) && (target != T_DIR) && (target != T_FD) ) { fprintf(stderr, gettext("%s: Invalid Target %s!\n"), progname, argv[1]); exit(1); } if(!strcmp(argv[2],"remove")) remove = TRUE; else if(strcmp(argv[2],"add")) { fprintf(stderr, gettext("%s: Invalid command %s!\n\n"), progname, argv[2]); exit(1); } if(target == T_PROCESS) pid=strtol(argv[3],0,10); if(rsbac_get_uid(ta_number, &cap_range.first, argv[4])) { fprintf(stderr, gettext("%s: Invalid User %s!\n"), progname, argv[4]); exit(1); } if(argc == 6) { if(rsbac_get_uid(ta_number, &cap_range.last, argv[5])) { fprintf(stderr, gettext("%s: Invalid User %s!\n"), progname, argv[5]); exit(1); } if(cap_range.last < cap_range.first) { fprintf(stderr, gettext("%s: Warning: first user %u/%u after last user %u/%u, exiting!\n\n"), progname, RSBAC_UID_SET(cap_range.first), RSBAC_UID_NUM(cap_range.first), RSBAC_UID_SET(cap_range.last), RSBAC_UID_NUM(cap_range.last)); exit(2); } if(RSBAC_UID_NUM(cap_range.last) > RSBAC_AUTH_MAX_RANGE_UID) { fprintf(stderr, gettext("%s: Warning: last user %u/%u uses special user ID, exiting!\n\n"), progname, RSBAC_UID_SET(cap_range.last), RSBAC_UID_NUM(cap_range.last)); exit(2); } } else 
{ /* no last_user given */ cap_range.last = cap_range.first; } if(target == T_PROCESS) { if(remove) res = rsbac_auth_remove_p_cap(ta_number, pid, cap_type, cap_range); else res = rsbac_auth_add_p_cap(ta_number, pid, cap_type, cap_range, ttl); } else { if(remove) res = rsbac_auth_remove_f_cap(ta_number, argv[3], cap_type, cap_range); else res = rsbac_auth_add_f_cap(ta_number, argv[3], cap_type, cap_range, ttl); } if(res < 0) error_exit(res); break; case 4: target = get_target_nr(argv[1]); if( (target != T_FILE) && (target != T_DIR) && (target != T_FD) && (target != T_PROCESS) ) { fprintf(stderr, gettext("%s: Invalid Target %s!\n"), progname, argv[1]); exit(1); } if(strcmp(argv[2],"get")) { fprintf(stderr, gettext("%s: Invalid command %s!\n\n"), progname, argv[2]); exit(1); } caplist = malloc(sizeof(*caplist) * maxnum); ttllist = malloc(sizeof(*ttllist) * maxnum); if(!caplist || !ttllist) error_exit(-ENOMEM); if(target == T_PROCESS) res = rsbac_auth_get_p_caplist(ta_number, strtoul(argv[3],0,0), cap_type, caplist, ttllist, maxnum); else res = rsbac_auth_get_f_caplist(ta_number, argv[3], cap_type, caplist, ttllist, maxnum); if(res < 0) { if(errno == RSBAC_ENOTFOUND) exit(0); else error_exit(res); } for(i=0; i */ /* */ /* Last modified: 25/Feb/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [switches] module target-type attribute value user/proc-nr.\n\n"), progname); printf(gettext(" module = GEN, MAC, FC, SIM, PM, MS, FF, RC or AUTH\n")); printf(gettext(" target-type = USER or PROCESS\n")); printf(gettext(" -V version = supply RSBAC integer version number for upgrading\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); } int main(int argc, char 
** argv) { int res = 0; char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN]; int i; int id; enum rsbac_switch_target_t module = SW_NONE; union rsbac_attribute_value_t value; enum rsbac_target_t target; union rsbac_target_id_t tid; enum rsbac_attribute_t attr; int verbose = 0; rsbac_version_t version=RSBAC_VERSION_NR; rsbac_list_ta_number_t ta_number = 0; progname = argv[0]; locale_init(); { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'a': case 'A': { int u_attr_list[RSBAC_USER_NR_ATTRIBUTES] = RSBAC_USER_ATTR_LIST; int p_attr_list[RSBAC_PROCESS_NR_ATTRIBUTES] = RSBAC_PROCESS_ATTR_LIST; if( (argc > 2) && ((attr = get_attribute_nr(argv[2])) != A_none) ) { get_switch_target_name(tmp1, get_attr_module(attr)); get_attribute_name(tmp2, attr); get_attribute_param(tmp3, attr); printf("[%-4s] %s\n\t%s\n",tmp1,tmp2,tmp3); exit(0); } printf(gettext("- attribute (string) and value (integer) = see following list:\n")); printf("USER:\n"); for (i=0;i 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if(argc > 1) { module = get_switch_target_nr(argv[1]); if(module != SW_NONE) { argv++; argc--; } } if (argc > 4) { printf(gettext("%s: %i targets\n\n"), progname, argc - 4); target = get_target_nr(argv[1]); if( (target != T_PROCESS) && (target != T_USER)) { fprintf(stderr, gettext("%s: Invalid Target %s!\n"), progname, argv[1]); exit(1); } attr = get_attribute_nr(argv[2]); switch(attr) { case A_none: fprintf(stderr, gettext("%s: Invalid attribute %s\n"), progname, argv[3]); exit(1); case A_res_min: case A_res_max: 
fprintf(stderr, gettext("%s: Invalid number of arguments for attribute %s\n"), progname, argv[3]); exit(1); case A_security_level: case A_current_sec_level: case A_initial_security_level: case A_min_security_level: case A_min_write_open: case A_max_read_open: value.security_level = strtoul(argv[3],0,10); break; case A_mac_categories: case A_mac_initial_categories: case A_mac_min_categories: case A_mac_curr_categories: case A_min_write_categories: case A_max_read_categories: if(strlen(argv[3]) != RSBAC_MAC_NR_CATS) { fprintf(stderr, gettext("%s: Invalid attribute value, length must be %i\n"), progname, RSBAC_MAC_NR_CATS); exit(1); } strtou64mac(argv[3], &value.mac_categories); break; case A_mac_user_flags: value.mac_user_flags = strtoul(argv[3],0,10); break; case A_mac_process_flags: value.mac_process_flags = strtoul(argv[3],0,10); break; case A_pseudo: value.pseudo = strtoul(argv[3],0,10); break; case A_log_user_based: value.log_user_based = strtoul(argv[3],0,10); break; case A_system_role: case A_mac_role: case A_daz_role: case A_ff_role: case A_auth_role: case A_cap_role: case A_jail_role: case A_res_role: case A_pax_role: value.system_role = strtoul(argv[3],0,10); break; case A_pm_role: value.pm_role = strtoul(argv[3],0,10); break; case A_pm_tp: value.pm_tp = strtoul(argv[3],0,10); break; case A_pm_task_set: value.pm_task_set = strtoul(argv[3],0,10); break; case A_pm_current_task: value.pm_current_task = strtoul(argv[3],0,10); break; case A_pm_process_type: value.pm_process_type = strtoul(argv[3],0,10); break; case A_daz_scanner: value.daz_scanner = strtoul(argv[3],0,10); break; case A_rc_def_role: case A_rc_role: case A_rc_force_role: value.rc_role = strtoul(argv[3],0,10); break; case A_rc_type: value.rc_type = strtoul(argv[3],0,10); break; case A_auth_may_setuid: value.auth_may_setuid = strtoul(argv[3],0,10); break; case A_auth_may_set_cap: value.auth_may_set_cap = strtoul(argv[3],0,10); break; case A_auth_learn: value.auth_learn = strtoul(argv[3],0,10); 
break; case A_cap_process_hiding: value.cap_process_hiding = strtoul(argv[3],0,10); break; /* case A_min_caps: value.min_caps = strtoul(argv[3],0,10); break; case A_max_caps: case A_max_caps_user: case A_max_caps_program: value.max_caps = strtoul(argv[3],0,10); break;*/ case A_jail_id: value.jail_id = strtoul(argv[3],0,10); break; case A_jail_ip: value.jail_ip = strtoul(argv[3],0,10); break; case A_jail_flags: value.jail_flags = strtoul(argv[3],0,10); break; /* case A_jail_max_caps: value.jail_max_caps = strtoul(argv[3],0,10); break;*/ case A_fake_root_uid: value.fake_root_uid = strtoul(argv[3],0,10); break; case A_audit_uid: value.audit_uid = strtoul(argv[3],0,10); break; case A_auid_exempt: value.auid_exempt = strtoul(argv[3],0,10); break; case A_auth_last_auth: value.auth_last_auth = strtoul(argv[3],0,10); break; default: value.dummy = strtoul(argv[3],0,10); } for (i=1;i < (argc-3);i++) { if (target == T_PROCESS) { id = strtol(argv[i+3],0,10); printf(gettext("Processing process %i, attribute %s (No. %u), value %i\n"), id, argv[2], attr, value.dummy); tid.process = id; } else { if(rsbac_get_uid(ta_number, &tid.user, argv[i+3])) { fprintf(stderr, "Invalid User %s!\n\n", argv[i+3]); continue; } if (RSBAC_UID_SET(tid.user)) printf(gettext("Processing user %s (uid %u/%u), attribute %s (No. %u), value %i\n"), argv[i+3], RSBAC_UID_SET(tid.user), RSBAC_UID_NUM(tid.user), argv[2], attr, value.dummy); else printf(gettext("Processing user %s (uid %u), attribute %s (No. 
%u), value %i\n"), argv[i+3], RSBAC_UID_NUM(tid.user), argv[2], attr, value.dummy); } res = rsbac_set_attr(ta_number, module, target, &tid, attr, &value); show_error(res); } } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/rsbac_write.c0000644000175000017500000000152111131371031021053 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2005: Amon Ott */ /* */ /* Last modified: 31/May/2005 */ /*************************************************** */ #include #include #include #include #include #include #include "nls.h" int main(int argc, char ** argv) { int res = 0; locale_init(); res = rsbac_write(); if(res<0) { error_exit(res); } else { printf(gettext("%s: %i lists written\n"), argv[0], res); res = 0; } return (res); } rsbac-admin-1.4.0/main/tools/src/attr_set_fd.c0000644000175000017500000003004211131371032021046 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott */ /* */ /* Last modified: 26/Sep/2007 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif int verbose=0; int recurse=0; rsbac_version_t version=RSBAC_VERSION_NR; union rsbac_attribute_value_t value; enum rsbac_switch_target_t module; enum rsbac_target_t target; enum rsbac_attribute_t attr; char * progname; char * target_n; rsbac_list_ta_number_t ta_number = 0; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [-v] [-r] module target-type attribute value file/dirname(s)\n"), progname); printf(gettext(" -v = verbose, -r = recurse into subdirs,\n")); printf(gettext(" -n = list all requests\n")); printf(gettext(" -A = list attributes and values\n")); 
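printf(gettext(" -V version = supply RSBAC integer version number for upgrading\n"));
printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n"));
printf(gettext(" module = GEN, MAC, FC, SIM, PM, MS, FF, RC or AUTH\n"));
printf(gettext(" target-type = FILE, DIR, FIFO, SYMLINK, DEV or FD\n"));
printf(gettext(" (FD: let %s decide between FILE, DIR, FIFO and SYMLINK, no DEV),\n"), progname);
}

/*
 * Set the global attribute/value pair on one filesystem object and, when
 * the -r flag (global 'recurse') is set, on everything below it.
 *
 * name: path of the object; child paths are built as "name/entry".
 *
 * Returns 0, or -2 when a directory could not be opened for recursion.
 * A failure of rsbac_set_attr_n() is reported on stderr but does not
 * change the return value, so a recursive run continues after a single
 * object is rejected (same as before).
 */
int process(char * name)
{
  int res = 0;
  char tmp1[RSBAC_MAXNAMELEN];
  char tmp2[RSBAC_MAXNAMELEN];
  struct stat buf;

  if(verbose)
    printf(gettext("Processing %s '%s', attribute %s, value %i\n"),
           target_n, name, get_attribute_name(tmp2,attr), value.dummy);
  res = rsbac_set_attr_n(ta_number, module, target, name, attr, &value);
  if(res)
    {
      /* RSBAC_EINVALIDTARGET is the expected answer when the requested
         target-type does not match an object met while recursing, so it
         is only shown in verbose mode. */
      if( verbose || (errno != RSBAC_EINVALIDTARGET) )
        {
          get_error_name(tmp1,res);
          fprintf(stderr, gettext("%s: error: %s\n"), name, tmp1);
        }
    }
  /* lstat() is used on purpose: a symlink to a directory is never
     S_ISDIR here, so recursion does not follow links (the former
     S_ISLNK test inside this branch could never be true and is gone). */
  if( recurse && !lstat(name,&buf) && S_ISDIR(buf.st_mode) )
    {
      DIR * dir_stream_p;
      struct dirent * dirent_p;
      char name2[PATH_MAX];

      if(!(dir_stream_p = opendir(name)))
        {
          fprintf(stderr, gettext("opendir for dir %s returned error: %s\n"),
                  name, strerror(errno));
          return(-2);
        }
      while((dirent_p = readdir(dir_stream_p)))
        {
          int len;

          if( !strcmp(".",dirent_p->d_name) || !strcmp("..",dirent_p->d_name) )
            continue;
          /* Bounded build of the child path: the previous strcpy/strcat
             sequence wrote past name2 on the stack for any tree whose
             paths exceed PATH_MAX. Over-long entries are skipped loudly
             instead. */
          len = snprintf(name2, sizeof(name2), "%s/%s", name, dirent_p->d_name);
          if( (len < 0) || (len >= (int) sizeof(name2)) )
            {
              fprintf(stderr, gettext("%s/%s: path too long, skipped\n"),
                      name, dirent_p->d_name);
              continue;
            }
          process(name2);
        }
      closedir(dir_stream_p);
    }
  return(0);
}

int main(int argc, char ** argv)
{
  enum rsbac_attribute_t attr_list[RSBAC_FD_NR_ATTRIBUTES] = RSBAC_FD_ATTR_LIST;
  enum rsbac_attribute_t attr_list_dev[RSBAC_DEV_NR_ATTRIBUTES] = RSBAC_DEV_ATTR_LIST;
  int res = 0;
  char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN];
  int i,j;

  locale_init();
  progname = argv[0];
  {
    char * env = getenv("RSBAC_TA");
    if(env)
      ta_number = strtoul(env,0,0);
  }
  while((argc > 1) && (argv[1][0] == '-'))
    {
      char * pos = argv[1];
      pos++;
      while(*pos)
        {
          switch(*pos)
            {
              case 'h':
                use();
                return 0;
              case 'v':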
verbose++; break; case 'r': recurse=1; break; case 'n': { char tmp[80]; int i; for(i=0; i 2) && ((attr = get_attribute_nr(argv[2])) != A_none) ) { get_switch_target_name(tmp1, get_attr_module(attr)); get_attribute_name(tmp2, attr); get_attribute_param(tmp3, attr); printf("[%-4s] %s\n\t%s\n",tmp1,tmp2,tmp3); exit(0); } printf(gettext("- attribute (string) and value (integer) = see following list:\n")); printf(gettext("- FILE, DIR, FIFO and SYMLINK:\n")); for (j=0;j 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if(argc > 1) { module = get_switch_target_nr(argv[1]); if(module != SW_NONE) { argv++; argc--; } } if (argc > 4) { if(verbose) printf("%s: %i targets\n\n", progname, argc - 4); target = get_target_nr(argv[1]); target_n = argv[1]; if( (target != T_DIR) && (target != T_FILE) && (target != T_FIFO) && (target != T_SYMLINK) && (target != T_DEV) && (target != T_FD) ) { fprintf(stderr, gettext("%s: Invalid target type %s\n"), progname, argv[1]); exit(1); } attr = get_attribute_nr(argv[2]); switch(attr) { case A_none: fprintf(stderr, gettext("%s: Invalid attribute %s\n"), progname, argv[2]); exit(1); case A_res_min: case A_res_max: fprintf(stderr, gettext("%s: Attribute %s not supported\n"), progname, argv[2]); exit(1); case A_log_array_low: case A_log_array_high: case A_log_program_based: if(strlen(argv[3]) != R_NONE) { fprintf(stderr, gettext("%s: Invalid attribute value, length must be %i\n"), progname, R_NONE); exit(1); } for(j=0;j */ /* */ /* Last modified: 13/Feb/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * 
progname; int verbose = 0; int backup = 0; int showpass = 0; int printdates = 0; rsbac_list_ta_number_t ta_number = 0; const char add_prog[] = "rsbac_useradd"; const char mod_prog[] = "rsbac_usermod"; rsbac_um_set_t vset = RSBAC_UM_VIRTUAL_KEEP; #define ROOM 20 void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [flags] username\n"), progname); printf(gettext(" -v = verbose, -a = list all users\n")); printf(gettext(" -l = short list all users, -b = backup mode\n")); printf(gettext(" -p = also show encrypted password\n")); printf(gettext(" -D = print dates as yyyymmdd, not day number\n")); printf(gettext(" -u = list calling user\n")); printf(gettext(" -S n = virtual user set n\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); } void pass_print(__u8 * pass, u_int len) { u_int i; for(i=0; i 0) { group_num += ROOM; group_array = malloc(group_num * sizeof(*group_array)); if(!group_array) { error_exit(-RSBAC_ENOMEM); } group_num = rsbac_um_get_gm_list(ta_number, user, group_array, group_num); if(group_num > 0) { if(backup) { printf(" -G"); for(i=0; itm_year + 1900, tm_p->tm_mon + 1, tm_p->tm_mday); } else printf("Lastchange: %u\n", data.days); } res = rsbac_um_get_user_item(ta_number, user, UM_minchange, &data); if(!res) { if(backup) printf(" -n %u", data.days); else printf("Minchange: %u\n", data.days); } res = rsbac_um_get_user_item(ta_number, user, UM_maxchange, &data); if(!res) { if(backup) printf(" -x %u", data.days); else printf("Maxchange: %u\n", data.days); } res = rsbac_um_get_user_item(ta_number, user, UM_warnchange, &data); if(!res) { if(backup) printf(" -w %u", data.days); else printf("Warnchange: %u\n", data.days); } res = rsbac_um_get_user_item(ta_number, user, UM_inactive, &data); if(!res) { if(backup) printf(" -f %i", data.days); else printf("Inactive: %u\n", data.days); } res = rsbac_um_get_user_item(ta_number, user, UM_expire, &data); if(!res) { if(backup) 
printf(" -e %i", data.days); else if(printdates) { struct tm * tm_p; time_t secs; secs = data.days * 86400; tm_p = gmtime(&secs); if(tm_p) printf("Expire: %04u%02u%02u\n", tm_p->tm_year + 1900, tm_p->tm_mon + 1, tm_p->tm_mday); } else printf("Expire: %u\n", data.days); } res = rsbac_um_get_user_item(ta_number, user, UM_ttl, &data); if(!res) { if(backup) { if(data.ttl) printf(" -T %lu", data.ttl + time(NULL)); } else printf("Account TTL: %u\n", data.ttl); } if(backup) { printf(" %s\n", username); } return 0; } int main(int argc, char ** argv) { int res = 0; int i; int list = 0; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'b': backup = 1; break; case 'p': showpass = 1; break; case 'D': printdates = 1; break; case 'u': process(RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP,getuid())); exit(0); case 'l': list = 1; /* fall through */ case 'a': { rsbac_uid_t * user_array = NULL; int user_num = 0; int i; user_num = rsbac_um_get_user_list(ta_number, vset, NULL, 0); error_exit(user_num); user_num += ROOM; user_array = malloc(user_num * sizeof(*user_array)); if(!user_array) { error_exit(-RSBAC_ENOMEM); } user_num = rsbac_um_get_user_list(ta_number, vset, user_array, user_num); error_exit(user_num); if(user_num > 0) { qsort(user_array, user_num, sizeof(*user_array), rsbac_user_compare); if(list) { union rsbac_um_mod_data_t data; for(i=0; i 0) printf("%u/%s %u\n", RSBAC_UID_SET(user_array[i]), data.string, RSBAC_UID_NUM(user_array[i])); else printf("%s %u\n", data.string, RSBAC_UID_NUM(user_array[i])); } } } else for(i=0; i 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; case 'S': if(argc > 2) { if (rsbac_get_vset_num(argv[2], 
&vset)) { fprintf(stderr, gettext("%s: invalid virtual set number for parameter %c\n"), progname, *pos); exit(1); } argc--; argv++; } else { fprintf(stderr, gettext("%s: missing virtual set number for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc > 1) { for(i=1; i */ /* */ /* Last modified: 08/Sep/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; int verbose = 0; int backup = 0; int showpass = 0; rsbac_list_ta_number_t ta_number = 0; rsbac_um_set_t vset = RSBAC_UM_VIRTUAL_KEEP; const char add_prog[] = "rsbac_groupadd"; const char mod_prog[] = "rsbac_groupmod"; #define ROOM 20 void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [flags] groupname\n"), progname); printf(gettext(" -v = verbose, -a = list all groups\n")); printf(gettext(" -l = short list all groups, -b = backup mode\n")); printf(gettext(" -p = also show encrypted password\n")); printf(gettext(" -S n = virtual user set n\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); } void pass_print(__u8 * pass, u_int len) { u_int i; for(i=0; i 0) { user_num += ROOM; user_array = malloc(user_num * sizeof(*user_array)); if(!user_array) { error_exit(-RSBAC_ENOMEM); } user_num = rsbac_um_get_gm_user_list(ta_number, group, user_array, user_num); if(user_num > 0) { printf("Group extra members:"); for(i=0; i 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'b': backup = 1; break; case 'p': showpass = 1; break; case 'l': list = 1; /* fall through */ case 'a': { rsbac_gid_t * group_array = NULL; int 
group_num = 0; int i; group_num = rsbac_um_get_group_list(ta_number, vset, NULL, 0); error_exit(group_num); group_num += ROOM; group_array = malloc(group_num * sizeof(*group_array)); if(!group_array) { error_exit(-RSBAC_ENOMEM); } group_num = rsbac_um_get_group_list(ta_number, vset, group_array, group_num); error_exit(group_num); if(group_num > 0) { qsort(group_array, group_num, sizeof(*group_array), rsbac_group_compare); if(list) { union rsbac_um_mod_data_t data; for(i=0; i 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; case 'S': if(argc > 2) { if (rsbac_get_vset_num(argv[2], &vset)) { fprintf(stderr, gettext("%s: invalid virtual set number for parameter %c\n"), progname, *pos); exit(1); } argc--; argv++; } else { fprintf(stderr, gettext("%s: missing virtual set number for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc > 1) { for(i=1; i */ /* */ /* Last modified: 25/Feb/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif #define MAXNUM 200 char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [switches] TYPE add/remove target user1 user2...\n"), progname); printf(gettext("Use: %s [switches] TYPE get target\n"), progname); printf(gettext(" TYPE = PROCESS (add/remove only), DIR, FILE or FD (auto-select),\n")); printf(gettext(" target = pid or filename\n")); printf(gettext(" -m = set maximum number of returned members per file, default is %u\n"), MAXNUM); printf(gettext(" -t = set relative time-to-live for this cap entry in seconds (add only)\n")); 
printf(gettext(" -T = set absolute time-to-live for this cap entry in seconds (add only)\n")); printf(gettext(" -D = set relative time-to-live for this cap entry in days (add only)\n")); printf(gettext(" -V version = supply RSBAC integer version number for upgrading\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); } int main(int argc, char ** argv) { int res = 0; rsbac_pid_t pid=0; rsbac_uid_t uid=RSBAC_NO_USER; enum rsbac_target_t target; rsbac_boolean_t remove = FALSE; int verbose = 0; rsbac_version_t version=RSBAC_VERSION_NR; rsbac_time_t ttl = RSBAC_LIST_TTL_KEEP; int maxnum = MAXNUM; rsbac_uid_t * userlist; rsbac_time_t * ttllist; int i; rsbac_list_ta_number_t ta_number = 0; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'm': if(argc > 2) { maxnum = strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing maxnum value for parameter %c\n"), progname, *pos); break; case 't': if(argc > 2) { ttl = strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'D': if(argc > 2) { ttl = 86400 * strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'T': if(argc > 2) { rsbac_time_t now = time(NULL); ttl = strtoul(argv[2], 0, 10); if(ttl > now) { ttl -= now; argc--; argv++; } else { fprintf(stderr, gettext("%s: ttl value for parameter %c is in the past, exiting\n"), progname, *pos); exit(1); } } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'V': if(argc < 3) { fprintf(stderr, gettext("%s: no version number for switch V\n"), progname); exit(1); 
} version = strtol(argv[2],0,10); argv++; argc--; break; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if(argc >= 5) { target = get_target_nr(argv[1]); if( (target != T_PROCESS) && (target != T_FILE) && (target != T_DIR) && (target != T_FD) ) { fprintf(stderr, gettext("%s: Invalid Target %s!\n"), progname, argv[1]); exit(1); } if(!strcmp(argv[2],"remove")) remove = TRUE; else if(strcmp(argv[2],"add")) { fprintf(stderr, gettext("%s: Invalid command %s!\n\n"), progname, argv[2]); exit(1); } if(target == T_PROCESS) pid=strtol(argv[3],0,10); for(i=4 ; i */ /* */ /* Last modified: 31/May/2005 */ /*************************************************** */ #include #include #include #include #include #include #include "nls.h" int main(int argc, char ** argv) { int res = 0; rsbac_rc_role_id_t role; locale_init(); res = rsbac_rc_get_current_role(&role); if(res<0) { error_exit(res); } else { printf(gettext("%s: current role is %u\n"), argv[0], role); } return (res); } rsbac-admin-1.4.0/main/tools/src/rc_copy_type.c0000644000175000017500000000467711131371032021266 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2005: Amon Ott */ /* */ /* Last modified: 31/May/2005 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; void use(void) { printf("%s (RSBAC %s)\n***\n", progname, VERSION); printf(gettext("Use: %s [flags] target from_type to_type\n"), progname); printf(gettext(" target = FD, DEV, IPC, USER, PROCESS, GROUP, NETDEV, NETTEMP, NETOBJ\n")); 
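printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n"));
}

/*
 * rc_copy_type: copy the RC type definition from_type onto to_type for
 * one target class, through rsbac_rc_copy_type().
 *
 * argv after the switches: target from_type to_type (all three required).
 * -N ta selects the transaction; RSBAC_TA in the environment is the default.
 *
 * Exit status: 0 on success, 1 on a usage error, otherwise whatever
 * error_exit() chooses for the kernel's return code.
 */
int main(int argc, char ** argv)
{
  int res = 0;
  enum rsbac_target_t target;
  int from_type, to_type;
  rsbac_list_ta_number_t ta_number = 0;
  char * end;

  locale_init();
  progname = argv[0];
  {
    char * env = getenv("RSBAC_TA");
    if(env)
      ta_number = strtoul(env,0,0);
  }
  while((argc > 1) && (argv[1][0] == '-'))
    {
      char * pos = argv[1];
      pos++;
      while(*pos)
        {
          switch(*pos)
            {
              case 'h':
                use();
                return 0;
              case 'N':
                if(argc > 2)
                  {
                    ta_number = strtoul(argv[2], 0, 10);
                    argc--;
                    argv++;
                  }
                else
                  {
                    fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos);
                    exit(1);
                  }
                break;
              default:
                fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos);
                exit(1);
            }
          pos++;
        }
      argv++;
      argc--;
    }
  if (argc == 4)
    {
      target = get_target_nr(argv[1]);
      /* NOTE(review): assumes get_target_nr() yields T_NONE for a name it
         does not know - confirm; if it does not, this check is merely
         ineffective, T_NONE is never a valid target here anyway. */
      if(target == T_NONE)
        {
          fprintf(stderr, gettext("%s: Invalid Target %s!\n"), progname, argv[1]);
          exit(1);
        }
      /* Both type numbers must be whole numeric strings. The former
         strtol() calls without an end pointer silently mapped a typo or
         a stray name to type 0, so the copy quietly hit the wrong type. */
      from_type = strtol(argv[2], &end, 10);
      if( (end == argv[2]) || *end )
        {
          fprintf(stderr, gettext("%s: Invalid from_type %s!\n"), progname, argv[2]);
          exit(1);
        }
      to_type = strtol(argv[3], &end, 10);
      if( (end == argv[3]) || *end )
        {
          fprintf(stderr, gettext("%s: Invalid to_type %s!\n"), progname, argv[3]);
          exit(1);
        }
      res = rsbac_rc_copy_type(ta_number, target, from_type, to_type);
      error_exit(res);
    }
  else
    {
      use();
      return 1;
    }
  return (res);
}
rsbac-admin-1.4.0/main/tools/src/rsbac_auth.c0000644000175000017500000000441411131371032020667 0ustar gauvaingauvain/*
 * Copyright (c) 2005 Guillaume Destuynder
 * rfc1738 functions by Harvest Derived for Squid and
 * Copyrighted (C) 2001 by the Regents of the University of California
 *
 * Last modified: 25/Aug/2005
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.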
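 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
 *
 */
#include #include #include #include #include #include

/* Value of the hex digit c (0..15), or -1 when c is not a hex digit. */
static int hex_digit(int c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    if (c >= 'A' && c <= 'F')
        return c - 'A' + 10;
    return -1;
}

/*
 * rfc1738_unescape() - Converts escaped characters (%xy numbers) in
 * given the string. %% is a %. %ab is the 8-bit hexadecimal number "ab"
 *
 * Decoding happens in place and never grows the string. "%00" keeps the
 * '%' and drops the two digits (unchanged behaviour), so a NUL can never
 * be written into the middle of a user name or password. A '%' that is
 * not followed by two real hex digits is now copied through untouched:
 * the former sscanf("%x") parse also accepted a sign, leading blanks or
 * a single digit ("%+f", "% f", "%1g", "%0g") and decoded them, the last
 * one into a NUL that truncated the field.
 */
void rfc1738_unescape(char *s)
{
    int i, j;			/* i is write, j is read */
    int hi, lo;

    for (i = j = 0; s[j]; i++, j++) {
        s[i] = s[j];
        if (s[i] != '%')
            continue;
        if (s[j + 1] == '%') {	/* %% case */
            j++;
            continue;
        }
        hi = hex_digit(s[j + 1]);
        /* a NUL at s[j + 1] gives -1, so s[j + 2] is never read past the end */
        lo = (hi < 0) ? -1 : hex_digit(s[j + 2]);
        if (hi < 0 || lo < 0)
            continue;		/* not an escape: keep the '%' literally */
        if (hi == 0 && lo == 0) {	/* %00 case */
            j += 2;
            continue;
        }
        s[i] = (char) ((hi << 4) | lo);
        j += 2;
    }
    s[i] = '\0';
}

/*
 * Overwrite a buffer that held a cleartext password. The volatile
 * pointer keeps the compiler from dropping the stores as dead because
 * the buffer is not read afterwards.
 */
static void wipe(char *buf, size_t len)
{
    volatile char *v = (volatile char *) buf;

    while (len--)
        *v++ = '\0';
}

/*
 * Basic-auth helper in the Squid style: one "user password" request per
 * line on stdin, exactly one "OK" or "ERR" answer per request on stdout.
 * Both fields arrive RFC 1738 escaped (a space inside a field is "%20").
 */
int main(void)
{
    char buf[256];
    char *user, *passwd, *p;
    int c;

    setbuf(stdout, NULL);
    while (fgets(buf, sizeof(buf), stdin) != NULL) {
        if ((p = strchr(buf, '\n')) != NULL) {
            *p = '\0';
        } else if ((c = getchar()) != EOF && c != '\n') {
            /*
             * The request did not fit into buf. Formerly the remainder
             * was returned by the next fgets() and answered as a second
             * request, so one line produced two answers and a caller
             * expecting one answer per line was off by one from then
             * on. Drain the line and answer it exactly once.
             */
            while ((c = getchar()) != EOF && c != '\n')
                ;
            wipe(buf, sizeof(buf));
            printf("ERR\n");
            continue;
        }
        /* c == '\n' here means the line was exactly sizeof(buf)-1 long,
           c == EOF means the last line had no newline: both are complete. */
        if ((user = strtok(buf, " ")) == NULL) {
            printf("ERR\n");
            continue;
        }
        if ((passwd = strtok(NULL, "")) == NULL) {
            printf("ERR\n");
            continue;
        }
        rfc1738_unescape(user);
        rfc1738_unescape(passwd);
        if (rsbac_um_auth_name(user, passwd))
            printf("ERR\n");
        else
            printf("OK\n");
        /* do not keep the cleartext password around longer than needed */
        wipe(buf, sizeof(buf));
    }
    exit(0);
}
rsbac-admin-1.4.0/main/tools/src/attr_set_ipc.c0000644000175000017500000001111611131371033021232 0ustar gauvaingauvain/*************************************************** */
/* Rule Set Based Access Control */
/* */
/* Author and (c) 1999-2007: Amon Ott */
/* */
/* Last modified: 26/Sep/2007 */
/*************************************************** */
#include #include #include #include #include #include #include #include #include #include "nls.h"
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
char * progname;
void use(void)
{
  int j;
  int attr_list[RSBAC_IPC_NR_ATTRIBUTES] = RSBAC_IPC_ATTR_LIST;
  char tmp1[RSBAC_MAXNAMELEN];
  char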
tmp2[RSBAC_MAXNAMELEN]; printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s module ipc-type id attribute value\n"), progname); printf(gettext("- ipc-types: sem, msg, shm, anonpipe or anonunix\n")); printf(gettext("- attribute (string) and value = see following list:\n")); for (j=0;j 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if(argc > 1) { module = get_switch_target_nr(argv[1]); if(module != SW_NONE) { argv++; argc--; } } if( ((argc == 6) || (argc == 7)) && (!strcmp(argv[3],"mac_categories"))) { ipc_id.type = ipc_target; ipc_id.id.id_nr = strtol(argv[2],0,10); tid.ipc = ipc_id; position = strtol(argv[4],0,10); if(position > RSBAC_MAC_MAX_CAT) { fprintf(stderr, gettext("Invalid position counter %s\n"), argv[4]); exit(1); } catval = strtol(argv[5],0,10); if(catval > 1) { fprintf(stderr, gettext("Invalid value %s\n"), argv[5]); exit(1); } res = rsbac_get_attr(ta_number, module, T_IPC, &tid, A_mac_categories, &value, FALSE); error_exit(res); k = ((__u64) 1) << position; if(catval) value.mac_categories |= k; else value.mac_categories &= ~k; res = rsbac_set_attr(ta_number, module, T_IPC, &tid, A_mac_categories, &value); error_exit(res); exit(0); } else if ((argc == 5)||(argc == 6)) { if( ((ipc_target = get_ipc_target_nr(argv[1])) == I_none) ) { fprintf(stderr, gettext("%s: Invalid IPC type %s!\n"), progname, argv[1]); exit(1); } ipc_id.type = ipc_target; ipc_id.id.id_nr = strtol(argv[2],0,10); attr = get_attribute_nr(argv[3]); if(attr == A_none) { fprintf(stderr, gettext("%s: Invalid Attribute %s!\n"), tmp2, argv[3]); exit(1); } tid.ipc = ipc_id; 
value.dummy = strtol(argv[4],0,10); res = rsbac_set_attr(ta_number, module, T_IPC, &tid, attr, &value); error_exit(res); printf("%i\n",value.dummy); exit(0); } else { use(); return 1; } exit(1); } rsbac-admin-1.4.0/main/tools/src/rsbac_gpasswd.c0000644000175000017500000002443411131371033021403 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott */ /* */ /* Last modified: 26/Sep/2007 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [flags] group\n"), progname); printf(gettext(" -v = verbose,\n")); printf(gettext(" -a user = add user to group,\n")); printf(gettext(" -d user = remove user from group,\n")); printf(gettext(" -M user,... = add user(s) to group,\n")); printf(gettext(" -A user,... 
= ignored, for compatibility\n")); printf(gettext(" -r = remove group password,\n")); printf(gettext(" -R = ignored, for compatibility\n")); printf(gettext(" -N ta = transaction number (group memberships only)\n")); printf(gettext(" (default = value of RSBAC_TA, if set, or 0)\n")); } int main(int argc, char ** argv) { int res = 0; rsbac_gid_t group = RSBAC_NO_GROUP; int removepass = 0; char * useraddstring = NULL; char * userdelstring = NULL; int verbose = 0; char * new_pass; char * new_pass2; rsbac_list_ta_number_t ta_number = 0; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'R': exit(0); case 'r': removepass = 1; break; case 'a': case 'M': if(argc > 2) { useraddstring = argv[2]; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'd': if(argc > 2) { userdelstring = argv[2]; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'A': if(argc > 2) { exit(0); } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc > 1) { if(rsbac_um_get_gid(ta_number, argv[1], &group)) { group = strtoul(argv[1],0,0); if(!group && strcmp(argv[1],"0")) { fprintf(stderr, gettext("%s: Unknown group %s\n"), progname, argv[1]); exit(1); } } if(removepass) { res = rsbac_um_set_group_pass(group, NULL); error_exit(res); exit(0); } if(useraddstring) { char * p; char * m; 
rsbac_uid_t user; m = useraddstring; p = useraddstring; while(*m) { while(*p && (*p != ',')) p++; if(*p) { *p = 0; if(rsbac_um_get_uid(ta_number, m, &user)) { user = strtoul(m,0,0); if(!user && strcmp(m,"0")) { fprintf(stderr, gettext("%s: Unknown user %s\n"), progname, m); p++; m = p; continue; } } // printf("String %s, value %u\n", m, user); p++; m = p; } else { if(rsbac_um_get_uid(ta_number, m, &user)) { user = strtoul(m,0,0); if(!user && strcmp(m,"0")) { fprintf(stderr, gettext("%s: Unknown user %s\n"), progname, m); m = p; continue; } } // printf("String %s, value %u\n", m, user); m = p; } if(verbose) { if (RSBAC_GID_SET(group)) printf("Adding group %u/%u member %u\n", RSBAC_GID_SET(group), RSBAC_GID_NUM(group), RSBAC_UID_NUM(user)); else printf("Adding group %u member %u\n", RSBAC_GID_NUM(group), RSBAC_UID_NUM(user)); } res = rsbac_um_add_gm(ta_number, RSBAC_GEN_UID(RSBAC_GID_SET(group), user), RSBAC_GID_NUM(group), 0); if(res) { if (RSBAC_GID_SET(group)) fprintf(stderr, "group %u/%u membership %u: ", RSBAC_GID_SET(group), RSBAC_GID_NUM(group), RSBAC_UID_NUM(user)); else fprintf(stderr, "group %u membership %u: ", RSBAC_GID_NUM(group), RSBAC_UID_NUM(user)); show_error(res); } } exit(0); } if(userdelstring) { char * p; char * m; rsbac_uid_t user; m = userdelstring; p = userdelstring; while(*m) { while(*p && (*p != ',')) p++; if(*p) { *p = 0; if(rsbac_um_get_uid(ta_number, m, &user)) { user = strtoul(m,0,0); if(!user && strcmp(m,"0")) { fprintf(stderr, gettext("%s: Unknown user %s\n"), progname, m); p++; m = p; continue; } } // printf("String %s, value %u\n", m, user); p++; m = p; } else { if(rsbac_um_get_uid(ta_number, m, &user)) { user = strtoul(m,0,0); if(!user && strcmp(m,"0")) { fprintf(stderr, gettext("%s: Unknown user %s\n"), progname, m); m = p; continue; } } // printf("String %s, value %u\n", m, user); m = p; } if(verbose) { if (RSBAC_GID_SET(group)) printf("Removing group %u/%u member %u\n", RSBAC_GID_SET(group), RSBAC_GID_NUM(group), 
RSBAC_UID_NUM(user)); else printf("Removing group %u member %u\n", RSBAC_GID_NUM(group), RSBAC_UID_NUM(user)); } res = rsbac_um_remove_gm(ta_number, RSBAC_GEN_UID(RSBAC_GID_SET(group), user), RSBAC_GID_NUM(group)); if(res) { if (RSBAC_GID_SET(group)) fprintf(stderr, "group %u/%u membership %u: ", RSBAC_GID_SET(group), RSBAC_GID_NUM(group), RSBAC_UID_NUM(user)); else fprintf(stderr, "group %u membership %u: ", RSBAC_GID_NUM(group), RSBAC_UID_NUM(user)); show_error(res); } } exit(0); } new_pass = malloc(RSBAC_MAXNAMELEN); printf("New password: "); if(scanf("%254s", new_pass) <= 0) { fprintf(stderr, gettext("%s: invalid new password!\n"), progname); exit(1); } new_pass2 = malloc(RSBAC_MAXNAMELEN); printf("Repeat new password: "); if(scanf("%254s", new_pass2) <= 0) { fprintf(stderr, gettext("%s: invalid repeated new password!\n"), progname); exit(1); } if(strcmp(new_pass, new_pass2)) { fprintf(stderr, gettext("%s: new passwords do not match!\n"), progname); exit(1); } res = rsbac_um_set_group_pass(group, new_pass); error_exit(res); exit(0); } else { use(); exit(1); } } rsbac-admin-1.4.0/main/tools/src/mac_get_levels.c0000644000175000017500000000567111131371032021533 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott */ /* */ /* Last modified: 26/Sep/2007 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [-v] [-c] [-x] [-n] [-a]\n"), progname); printf(gettext("This program will show the RSBAC MAC security levels\n")); printf(gettext("and category sets of the calling process.\n")); printf(gettext("-a = show all, -c = show current level and categories\n")); printf(gettext("-x = show max, -n = show 
min level and categories\n")); } int main(int argc, char ** argv) { int res = 0; rsbac_security_level_t seclevel; rsbac_mac_category_vector_t categories; char tmp[RSBAC_MAXNAMELEN]; char * progname; int verbose = 0; int max = 0; int min = 0; int current = 0; int all = 1; locale_init(); progname = argv[0]; while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'x': max=1; all=0; break; case 'n': min=1; all=0; break; case 'c': current=1; all=0; break; case 'a': all=1; break; default: use(); exit (1); } pos++; } argv++; argc--; } if(current || all) { res = rsbac_mac_get_curr_level(&seclevel, &categories); error_exit(res); printf(gettext("Current level: %u\ncategories: %s\n"), seclevel, u64tostrmac(tmp, categories)); } if(max || all) { res = rsbac_mac_get_max_level(&seclevel, &categories); error_exit(res); printf(gettext("Max level: %u\ncategories: %s\n"), seclevel, u64tostrmac(tmp, categories)); } if(min || all) { res = rsbac_mac_get_min_level(&seclevel, &categories); error_exit(res); printf(gettext("Min level: %u\ncategories: %s\n"), seclevel, u64tostrmac(tmp, categories)); } return 0; } rsbac-admin-1.4.0/main/tools/src/rsbac_stats.c0000644000175000017500000000114011131371032021055 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2005: Amon Ott */ /* */ /* Last modified: 31/May/2005 */ /*************************************************** */ #include #include #include #include int main(int argc, char ** argv) { int res; res = rsbac_stats(); error_exit(res); return (res); } rsbac-admin-1.4.0/main/tools/src/attr_rm_file_dir.c0000644000175000017500000000557711131371032022074 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2005: Amon Ott */ /* */ /* Last modified: 31/May/2005 */ 
/*************************************************** */ #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [flags] target-type file/dirname\n"), progname); printf(gettext(" -d = numeric device specification ({b|c}major[:minor])\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" target-type = FILE, DIR, FIFO, SYMLINK or DEV\n")); } int main(int argc, char ** argv) { int res = 0; char tmp1[80]; enum rsbac_target_t target; rsbac_list_ta_number_t ta_number = 0; int numdev = 0; progname = argv[0]; locale_init(); { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'd': numdev=1; break; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc == 3) { target = get_target_nr(argv[1]); if(numdev) { union rsbac_target_id_t tid; error_exit(strtodevdesc(argv[2], &tid.dev)); res = rsbac_remove_target(ta_number, target, &tid); } else res = rsbac_remove_target_n(ta_number, target, argv[2]); if(res) { get_error_name(tmp1,res); fprintf(stderr, gettext("%s: error: %s\n"), argv[0], tmp1); exit(1); } exit(0); } else { use(); } exit(1); } rsbac-admin-1.4.0/main/tools/src/attr_back_net.c0000644000175000017500000003756211131371032021366 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott 
*/ /* */ /* Last modified: 26/Sep/2007 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif const char set_prog[] = "attr_set_net"; enum rsbac_attribute_t netdev_attr_list[RSBAC_NETDEV_NR_ATTRIBUTES] = RSBAC_NETDEV_ATTR_LIST; enum rsbac_attribute_t nettemp_attr_list[RSBAC_NETTEMP_NR_ATTRIBUTES] = RSBAC_NETTEMP_ATTR_LIST; int verbose = 0; int backall = 0; rsbac_list_ta_number_t ta_number = 0; char * filename = NULL; enum rsbac_target_t target; union rsbac_target_id_t tid; char * progname; #define LISTROOM 10 __s64 def_netdev_attr[RSBAC_NETDEV_NR_ATTRIBUTES] = { RSBAC_RC_GENERAL_TYPE, /* rc_type */ -1, /* log_array_low */ -1 /* log_array_high */ }; __s64 def_nettemp_attr[RSBAC_NETTEMP_NR_ATTRIBUTES] = { SL_unclassified, /* sec_level */ RSBAC_MAC_DEF_CAT_VECTOR, /* mac_categories */ RSBAC_PM_IPC_OBJECT_CLASS_ID, /* pm_object_class */ 0, /* pm_ipc_purpose */ PO_ipc, /* pm_object_type */ RSBAC_RC_GENERAL_TYPE, /* rc_type */ RSBAC_RC_GENERAL_TYPE, /* rc_type_nt */ -1, /* log_array_low */ -1 /* log_array_high */ }; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [options] target name(s)/number(s)\n"), progname); printf(gettext(" should be called by user with full attribute read access,\n- e.g. 
with all modules off\n")); printf(gettext(" -a = backup all objects, -v = verbose, no symlinks followed,\n")); printf(gettext(" -A = list attributes and values,\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" valid targets: NETDEV, NETTEMP\n")); } int process_netdev(char * name, FILE * tfile) { int res = 0; char tmp1[RSBAC_MAXNAMELEN]; char tmp2[RSBAC_MAXNAMELEN]; int j; union rsbac_attribute_value_t value; if(verbose) printf(gettext("# Processing NETDEV '%s'\n"), name); strncpy((char *)tid.netdev, name, RSBAC_IFNAMSIZ); tid.netdev[RSBAC_IFNAMSIZ] = 0; for (j=0;j < RSBAC_NETDEV_NR_ATTRIBUTES;j++) { value.dummy = -1; res = rsbac_get_attr(ta_number, get_attr_module(netdev_attr_list[j]), target, &tid, netdev_attr_list[j], &value, 0); if(res) { if( (errno != RSBAC_EINVALIDMODULE) && ( verbose || (errno != RSBAC_EINVALIDTARGET) ) ) { get_error_name(tmp1,res); fprintf(stderr, "%s (%s): %s\n", name, get_attribute_name(tmp2,netdev_attr_list[j]), tmp1); } } else switch(netdev_attr_list[j]) { case A_log_array_low: case A_log_array_high: if (value.log_array_low != def_netdev_attr[j]) fprintf(tfile, "%s -V %u NETDEV %s %s %s\n", set_prog, RSBAC_VERSION_NR, get_attribute_name(tmp1,netdev_attr_list[j]), u64tostrlog(tmp2,value.log_array_low), name); break; case A_rc_type: if (value.rc_type != def_netdev_attr[j]) fprintf(tfile, "%s -V %u NETDEV %s %u %s\n", set_prog, RSBAC_VERSION_NR, get_attribute_name(tmp1,netdev_attr_list[j]), value.rc_type, name); break; default: if(value.dummy != def_netdev_attr[j]) fprintf(tfile, "%s -V %u NETDEV %s %i %s\n", set_prog, RSBAC_VERSION_NR, get_attribute_name(tmp1,netdev_attr_list[j]), value.dummy, name); } } return(0); } int process_nettemp(rsbac_net_temp_id_t id, FILE * tfile) { int res = 0; char tmp1[RSBAC_MAXNAMELEN]; char tmp2[RSBAC_MAXNAMELEN]; int j; union rsbac_attribute_value_t value; if(verbose) printf(gettext("# Processing NETTEMP %u\n"), id); tid.nettemp = id; for 
(j=0;j < RSBAC_NETTEMP_NR_ATTRIBUTES;j++) { value.dummy = -1; res = rsbac_get_attr(ta_number, get_attr_module(nettemp_attr_list[j]), target, &tid, nettemp_attr_list[j], &value, 0); if(res) { if( (errno != RSBAC_EINVALIDMODULE) && ( verbose || (errno != RSBAC_EINVALIDTARGET) ) ) { get_error_name(tmp1,res); fprintf(stderr, "%u (%s): %s\n", id, get_attribute_name(tmp2,nettemp_attr_list[j]), tmp1); } } else switch(nettemp_attr_list[j]) { case A_log_array_low: case A_log_array_high: if (value.log_array_low != def_nettemp_attr[j]) fprintf(tfile, "%s -V %u NETTEMP %s %s %u\n", set_prog, RSBAC_VERSION_NR, get_attribute_name(tmp1,nettemp_attr_list[j]), u64tostrlog(tmp2,value.log_array_low), id); break; case A_mac_categories: if (value.mac_categories != def_nettemp_attr[j]) fprintf(tfile, "%s -V %u NETTEMP %s %s %u\n", set_prog, RSBAC_VERSION_NR, get_attribute_name(tmp1,nettemp_attr_list[j]), u64tostrmac(tmp2,value.mac_categories), id); break; case A_rc_type: if (value.rc_type != def_nettemp_attr[j]) fprintf(tfile, "%s -V %u NETTEMP %s %u %u\n", set_prog, RSBAC_VERSION_NR, get_attribute_name(tmp1,nettemp_attr_list[j]), value.rc_type, id); break; case A_security_level: case A_pm_object_type: if (value.u_char_dummy != def_nettemp_attr[j]) fprintf(tfile, "%s -V %u NETTEMP %s %u %u\n", set_prog, RSBAC_VERSION_NR, get_attribute_name(tmp1,nettemp_attr_list[j]), value.u_char_dummy, id); break; default: if(value.u_dummy != def_nettemp_attr[j]) fprintf(tfile, "%s -V %u NETTEMP %s %u %u\n", set_prog, RSBAC_VERSION_NR, get_attribute_name(tmp1,nettemp_attr_list[j]), value.u_dummy, id); } } return(0); } int main(int argc, char ** argv) { int res = 0; char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN]; int i,j; FILE * tfile; FILE * listfile = NULL; char * filelistname = NULL; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) 
{ switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'o': if(argc > 2) { filename = argv[2]; argv++; argc--; } else fprintf(stderr, gettext("%s: missing filename for parameter o\n"), progname); break; case 'T': if(argc > 2) { filelistname = argv[2]; argv++; argc--; } else fprintf(stderr, gettext("%s: missing filename for parameter %c\n"), progname, *pos); break; case 'a': backall=1; break; case 'A': printf(gettext("attributes and values in backup = see following list:\n")); printf("NETDEV:\n"); for (j=0;j 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if ( ((backall || filelistname) && (argc > 1)) || (argc > 2) ) { if(!filename) tfile = stdout; else { if (!(tfile=fopen(filename,"w"))) { fprintf(stderr, gettext("opening target file returned error: %s\n"), strerror(errno)); } } target = get_target_nr(argv[1]); switch(target) { case T_NETDEV: case T_NETTEMP: break; default: fprintf(stderr, gettext("invalid target %s\n"), argv[1]); } if(target == T_NETDEV) { if(backall) { rsbac_netdev_id_t * netdev_array; long count; count = rsbac_net_list_all_netdev(ta_number, NULL, 0); error_exit(count); count += LISTROOM; netdev_array = malloc(count * sizeof(*netdev_array)); if(!netdev_array) error_exit(-ENOMEM); count = rsbac_net_list_all_netdev(ta_number, netdev_array, count); for(i = 0; i< count ; i++) process_netdev((char *)netdev_array[i], tfile); free(netdev_array); } else { if(filelistname) { if(!strcmp(filelistname, "-")) listfile = stdin; else if (!(listfile=fopen(filelistname,"r"))) { fprintf(stderr, gettext("opening target list file returned error: %s\n"), strerror(errno)); exit(1); } } if(verbose) { printf(gettext("# %s: %i targets\n"), progname, argc - 2); if(filelistname) printf(gettext("# - 
plus targets from file %s\n"), filelistname); } for (i=2;i < (argc);i++) process_netdev(argv[i],tfile); if(filelistname) { char item[4096]; char * pos; int last; pos = item; while(fgets(item, 4095, listfile)) { if(!*item) continue; last = strlen(item) - 1; if(item[last] == '\n') item[last] = 0; if(*item) process_netdev(item,tfile); } fclose(listfile); } } } else { if(backall) { rsbac_net_temp_id_t * temp_array; long count; count = rsbac_net_list_all_template(ta_number, NULL, 0); error_exit(count); count += LISTROOM; temp_array = malloc(count * sizeof(*temp_array)); if(!temp_array) error_exit(-ENOMEM); count = rsbac_net_list_all_template(ta_number, temp_array, count); for(i = 0; i< count ; i++) process_nettemp(temp_array[i], tfile); free(temp_array); } else { if(filelistname) { if(!strcmp(filelistname, "-")) listfile = stdin; else if (!(listfile=fopen(filelistname,"r"))) { fprintf(stderr, gettext("opening target list file returned error: %s\n"), strerror(errno)); exit(1); } } if(verbose) { printf(gettext("# %s: %i targets\n"), progname, argc - 2); if(filelistname) printf(gettext("# - plus targets from file %s\n"), filelistname); } for (i=2;i < (argc);i++) process_nettemp(strtoul(argv[i],0,0),tfile); if(filelistname) { char item[4096]; char * pos; int last; pos = item; while(fgets(item, 4095, listfile)) { if(!*item) continue; last = strlen(item) - 1; if(item[last] == '\n') item[last] = 0; if(*item) process_nettemp(strtoul(item,0,0),tfile); } fclose(listfile); } } } if(tfile != stdout) fclose(tfile); } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/attr_rm_user.c0000644000175000017500000000546311131371032021267 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 25/Feb/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include 
"nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [flags] user(s)\n\n"), progname); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); } int main(int argc, char ** argv) { int res = 0; int i; union rsbac_target_id_t tid; rsbac_list_ta_number_t ta_number = 0; progname = argv[0]; locale_init(); { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc > 1) { printf(gettext("%s: %i users\n\n"), progname, argc - 1); for (i=1;i < (argc);i++) { if(rsbac_get_uid(ta_number, &tid.user, argv[i])) { fprintf(stderr, gettext("Invalid User %s!\n\n"), argv[i]); continue; } if (RSBAC_UID_SET(tid.user)) printf(gettext("Processing user %s (uid %u/%u)\n"), argv[i], RSBAC_UID_SET(tid.user), RSBAC_UID_NUM(tid.user)); else printf(gettext("Processing user %s (uid %u)\n"), argv[i], RSBAC_UID_NUM(tid.user)); res = rsbac_remove_target(ta_number, T_USER, &tid); show_error(res); } } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/nls.h0000644000175000017500000000521211131371033017353 0ustar gauvaingauvain/* Convenience header for conditional use of GNU . Copyright (C) 1995-1998, 2000-2002 Free Software Foundation, Inc. 
This program is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License for more details. You should have received a copy of the GNU Library General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifndef __RSBAC_LOCALE_H #define __RSBAC_LOCALE_H #endif #ifndef _LIBGETTEXT_H #define _LIBGETTEXT_H 1 #include /* NLS can be disabled through the configure --disable-nls option. */ #if ENABLE_NLS /* Get declarations of GNU message catalog functions. */ # include #else /* Disabled NLS. The casts to 'const char *' serve the purpose of producing warnings for invalid uses of the value returned from these functions. On pre-ANSI systems without 'const', the config.h file is supposed to contain "#define const". */ # define gettext(Msgid) ((const char *) (Msgid)) # define dgettext(Domainname, Msgid) ((const char *) (Msgid)) # define dcgettext(Domainname, Msgid, Category) ((const char *) (Msgid)) # define ngettext(Msgid1, Msgid2, N) \ ((N) == 1 ? (const char *) (Msgid1) : (const char *) (Msgid2)) # define dngettext(Domainname, Msgid1, Msgid2, N) \ ((N) == 1 ? (const char *) (Msgid1) : (const char *) (Msgid2)) # define dcngettext(Domainname, Msgid1, Msgid2, N, Category) \ ((N) == 1 ? 
(const char *) (Msgid1) : (const char *) (Msgid2)) # define textdomain(Domainname) ((const char *) (Domainname)) # define bindtextdomain(Domainname, Dirname) ((const char *) (Dirname)) # define bind_textdomain_codeset(Domainname, Codeset) ((const char *) (Codeset)) #endif /* A pseudo function call that serves as a marker for the automated extraction of messages, but does not call gettext(). The run-time translation is done at a different place in the code. The argument, String, should be a literal string. Concatenated strings and other string expressions won't work. The macro's expansion is not parenthesized, so that it is suitable as initializer for static 'char[]' or 'const char[]' variables. */ #define gettext_noop(String) String #endif /* _LIBGETTEXT_H */ rsbac-admin-1.4.0/main/tools/src/attr_set_process.c0000644000175000017500000003160411131371032022140 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott */ /* */ /* Last modified: 26/Sep/2007 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s module process-id attribute value\n"), progname); printf(gettext(" -p = print resulting requests, -a = add, not set, -m = remove, not set\n")); printf(gettext(" -A = list attributes and values\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" module = GEN, MAC, FC, SIM, PM, MS, FF, RC or AUTH\n")); } int main(int argc, char ** argv) { int attr_list[RSBAC_PROCESS_NR_ATTRIBUTES] = RSBAC_PROCESS_ATTR_LIST; int res = 0; char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN]; int j; int 
position, catval; rsbac_mac_category_vector_t k; enum rsbac_switch_target_t module = SW_NONE; union rsbac_attribute_value_t value; union rsbac_target_id_t tid; enum rsbac_attribute_t attr; int verbose = 0; int printall = 0; int add = 0; int remove = 0; rsbac_list_ta_number_t ta_number = 0; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'p': printall=1; break; case 'a': add=1; break; case 'm': remove=1; break; case 'n': { char tmp[80]; int i; for(i=0; i 2) && ((attr = get_attribute_nr(argv[2])) != A_none) ) { get_switch_target_name(tmp1, get_attr_module(attr)); get_attribute_name(tmp2, attr); get_attribute_param(tmp3, attr); printf("[%-4s] %s\n\t%s\n",tmp1,tmp2,tmp3); exit(0); } printf(gettext("- attribute (string) and value (integer) = see following list:\n")); for (j=0;j 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if(argc > 1) { module = get_switch_target_nr(argv[1]); if(module != SW_NONE) { argv++; argc--; } } if( (argc>2) && !strcmp(argv[2],"log_program_based") ) { char * progname = argv[0]; rsbac_boolean_t rused = FALSE; rsbac_boolean_t wused = FALSE; enum rsbac_adf_request_t request; rsbac_request_vector_t request_vector = 0; value.log_program_based = 0; tid.process = strtol(argv[1],0,10); argv+=2; argc-=2; if(add || remove) { res = rsbac_get_attr(ta_number, module, T_PROCESS, &tid, A_log_program_based, &value, FALSE); error_exit(res); } while(argc > 1) { if(strlen(argv[1]) == R_NONE) { int j; rsbac_request_vector_t tmp_rv; for(j=0; j= R_NONE) || ( (request == 0) && 
strcmp(argv[1],"0") ) ) { if(!strcmp(argv[1],"RW")) { request_vector |= RSBAC_READ_WRITE_REQUEST_VECTOR; } else if(!strcmp(argv[1],"SY")) { request_vector |= RSBAC_SYSTEM_REQUEST_VECTOR; } else if(!strcmp(argv[1],"SE")) { request_vector |= RSBAC_SECURITY_REQUEST_VECTOR; } else if(!strcmp(argv[1],"R")) { request_vector |= RSBAC_READ_REQUEST_VECTOR; rused = TRUE; } else if(!strcmp(argv[1],"W")) { request_vector |= RSBAC_WRITE_REQUEST_VECTOR; wused = TRUE; } else if(!strcmp(argv[1],"A")) { request_vector |= RSBAC_ALL_REQUEST_VECTOR; } else if(!strcmp(argv[1],"UA")) { request_vector = 0; } else if(!strcmp(argv[1],"NWS")) { request_vector |= RSBAC_NWS_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWR")) { request_vector |= RSBAC_NWR_REQUEST_VECTOR; rused = TRUE; } else if(!strcmp(argv[1],"NWW")) { request_vector |= RSBAC_NWW_REQUEST_VECTOR; wused = TRUE; } else if(!strcmp(argv[1],"NWC")) { request_vector |= RSBAC_NWC_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWE")) { request_vector |= RSBAC_NWE_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWA")) { request_vector |= RSBAC_NWA_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWF")) { request_vector |= RSBAC_NWF_REQUEST_VECTOR; } else if(!strcmp(argv[1],"NWM")) { request_vector |= RSBAC_NWM_REQUEST_VECTOR; } else { /* end of requests */ break; } } } else { request_vector |= ((rsbac_request_vector_t) 1 << request); } argv++; argc--; } if(rused && wused) { request_vector |= RSBAC_READ_WRITE_OPEN_REQUEST_VECTOR; } if(remove) value.log_program_based &= ~request_vector; else value.log_program_based |= request_vector; if(printall) { int i; for (i=0; i RSBAC_MAC_MAX_CAT) { fprintf(stderr, gettext("Invalid position counter %s\n"), argv[3]); exit(1); } catval = strtol(argv[4],0,10); if(catval > 1) { fprintf(stderr, gettext("Invalid value %s\n"), argv[4]); exit(1); } res = rsbac_get_attr(ta_number, module, T_PROCESS, &tid, attr, &value, FALSE); error_exit(res); k = ((__u64) 1) << position; if(catval) value.mac_categories |= k; else 
value.mac_categories &= ~k; res = rsbac_set_attr(ta_number, module, T_PROCESS, &tid, attr, &value); error_exit(res); exit(0); default: use(); return 1; } exit(1); } rsbac-admin-1.4.0/main/tools/src/mac_back_trusted.c0000644000175000017500000001710611131371032022050 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott */ /* */ /* Last modified: 26/Sep/2007 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif const char set_prog[] = "mac_set_trusted"; int recurse = 0; int verbose = 0; /* default max number of cap entries per file */ #define MAXNUM 200 int maxnum = MAXNUM; char * filename = NULL; rsbac_uid_t * userlist; rsbac_time_t * ttllist; rsbac_list_ta_number_t ta_number = 0; char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [-r] [-v] [-o target-file] file/dirname(s)\n"), progname); printf(gettext(" -r = recurse in subdirs, -v = verbose, no symlinks followed,\n")); printf(gettext(" -m = set maximum length of cap entry list per file, default is %u\n"), MAXNUM); printf(gettext(" -o target-file = write to file, not stdout\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); } int process(char * name, FILE * tfile) { int res = 0; char tmp1[RSBAC_MAXNAMELEN]; int i; struct stat buf; if(verbose) printf(gettext("Processing FILE/DIR '%s'\n"), name); res = rsbac_mac_get_f_trulist(ta_number, name, userlist, ttllist, maxnum); if(res<0) { if( verbose || ( (errno != RSBAC_EINVALIDTARGET) && (errno != RSBAC_EINVALIDMODULE) ) ) { get_error_name(tmp1,res); fprintf(stderr, "%s: %s\n", name, tmp1); } } else { if(verbose) printf("# %s: %i real caps\n", name, res); for(i=0;id_name)) 
&& (strcmp("..",dirent_p->d_name)) ) { strcpy(name2,name); strcat(name2,"/"); strcat(name2,dirent_p->d_name); process(name2, tfile); } } closedir(dir_stream_p); } return(0); } int main(int argc, char ** argv) { int res = 0; int i; FILE * tfile; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'm': if(argc > 2) { maxnum = strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing maxnum value for parameter %c\n"), progname, *pos); break; case 'r': recurse=1; break; case 'o': if(argc > 2) { filename = argv[2]; argv++; argc--; } else fprintf(stderr, gettext("%s: missing filename for parameter o\n"), progname); break; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc > 1) { if(!filename) tfile = stdout; else if (!(tfile=fopen(filename,"w"))) { fprintf(stderr, gettext("opening target file returned error: %s\n"), strerror(errno)); } if(verbose) { printf(gettext("%s: %i targets"), progname, argc - 1); if(recurse) printf(gettext(" - recursing")); printf("\n"); } userlist = malloc(sizeof(*userlist) * maxnum); ttllist = malloc(sizeof(*ttllist) * maxnum); if(!userlist || !ttllist) error_exit(-ENOMEM); for (i=1;i < argc;i++) { process(argv[i],tfile); } if(tfile != stdout) fclose(tfile); } else { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [-r] [-v] [-o target-file] file/dirname(s)\n"), progname); printf(gettext(" -r = recurse in subdirs, -v = verbose, no symlinks followed,\n")); printf(gettext(" -m = set maximum 
length of cap entry list per file, default is %u\n"), MAXNUM); printf(gettext(" -o target-file = write to file, not stdout\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); } return (res); } rsbac-admin-1.4.0/main/tools/src/switch_module.c0000644000175000017500000000505111131371031021417 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2005: Amon Ott */ /* */ /* Last modified: 31/May/2005 */ /*************************************************** */ #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; void use(void) { int i; char name[RSBAC_MAXNAMELEN]; printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [-s] module value\n"), progname); printf(gettext(" -s: switch module's individual softmode, not the whole module\n")); printf(gettext("module = module name, value = [01]\n\n")); printf(gettext("Possible module names are:\n")); for (i=0;i 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 's': softmode = 2; break; case 'v': verbose++; break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc == 3) { module=get_switch_target_nr(argv[1]); if(module == SW_NONE) { printf(gettext("%s: Invalid switch target %s\n"), progname, argv[1]); exit(1); } value=strtol(argv[2],0,10); if(verbose) { if(softmode) printf(gettext("%s: switching Module %s softmode to %i\n"), progname,argv[1],value); else printf(gettext("%s: switching Module %s to %i\n"), progname,argv[1],value); } res = rsbac_switch(module,value + softmode); error_exit(res); exit(0); } else { use(); return 1; } exit(1); } rsbac-admin-1.4.0/main/tools/src/rsbac_jail.c0000644000175000017500000004164411131371032020653 
0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott */ /* */ /* Last modified: 26/Sep/2007 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif #include #include #ifndef CLONE_NEWNS #define CLONE_NEWNS 0x00020000 #endif #define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */ char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [flags] [-I addr] [-R dir] [-C cap-list] prog args\n"), progname); printf(gettext("This program will put the process into a jail with chroot to path,\n")); printf(gettext("ip address IP and then execute prog with args\n")); printf(gettext("-I addr = limit to IP address,\n")); printf(gettext("-R dir = chroot to dir,\n")); printf(gettext("-V set = use virtual user set,\n")); printf(gettext("-N = enclose process in its private namespace,\n")); printf(gettext("-C cap-list = limit Linux capabilities for jailed processes,\n")); printf(gettext(" use bit-vector, numeric value or list names of desired caps,\n")); printf(gettext(" A = all, FS_MASK = all filesystem related,\n")); printf(gettext("-L = list all Linux capabilities,\n")); printf(gettext("-S = list all SCD targets,\n")); printf(gettext("-v = verbose, -i = allow access to IPC outside this jail,\n")); printf(gettext("-P = allow access to IPC in the parent jail,\n")); printf(gettext("-y = allow access to IPC in the syslog jail,\n")); printf(gettext("-Y = this is the syslog jail,\n")); printf(gettext("-n = allow all network families, not only UNIX and INET (IPv4),\n")); printf(gettext("-r = allow INET (IPv4) raw sockets (e.g. 
for ping),\n")); printf(gettext("-a = auto-adjust INET any address 0.0.0.0 to jail address, if set,\n")); printf(gettext("-o = additionally allow to/from remote INET (IPv4) address 127.0.0.1,\n")); printf(gettext("-d = allow read access on devices, -D allow write access\n")); printf(gettext("-e = allow GET_STATUS_DATA on devices, -E allow MODIFY_SYSTEM_DATA\n")); printf(gettext("-t = allow *_OPEN on tty devices\n")); printf(gettext("-s = allow to create with / set mode to suid\n")); printf(gettext("-u = allow to mount/umount\n")); printf(gettext("-G scd ... = allow GET_STATUS_DATA on these scd targets\n")); printf(gettext("-M scd ... = allow MODIFY_SYSTEM_DATA on these scd targets\n")); printf(gettext("Deprecated old options, please use -G and -M:\n")); printf(gettext("-l = allow to modify rlimits (-M rlimit),\n")); printf(gettext("-c = allow to modify system clock (-M clock time_strucs),\n")); printf(gettext("-m = allow to lock memory (-M mlock),\n")); printf(gettext("-p = allow to modify priority (-M priority),\n")); printf(gettext("-k = allow to get kernel symbols (-G ksyms)\n")); } struct clone_args { rsbac_version_t version; char * rootdir; rsbac_jail_ip_t ip; rsbac_jail_flags_t flags; rsbac_cap_vector_t max_caps; rsbac_jail_scd_vector_t scd_get; rsbac_jail_scd_vector_t scd_modify; char ** argv; }; int rsbac_jail_ns(void * args) { int res; struct clone_args * a = (struct clone_args *) args; res = rsbac_jail(a->version, a->rootdir, a->ip, a->flags, a->max_caps, a->scd_get, a->scd_modify); if (res) return res; if (a->rootdir) { res = chdir("/"); if (res) return res; } res = execvp(a->argv[1],&a->argv[1]); return res; } int main(int argc, char ** argv) { int res = 0; rsbac_jail_flags_t jail_flags = 0; int verbose = 0; struct in_addr addr; rsbac_jail_ip_t ip = 0; char * rootdir = NULL; // rsbac_um_set_id_t um_set = RSBAC_UM_SET_AUTO; rsbac_cap_vector_t max_caps; max_caps.cap[0] = -1; max_caps.cap[1] = -1; rsbac_jail_scd_vector_t scd_get = 0; 
rsbac_jail_scd_vector_t scd_modify = 0; rsbac_um_set_t vset = RSBAC_UM_VIRTUAL_KEEP; int err; unsigned int namespace = 0; locale_init(); progname = argv[0]; inet_aton("0.0.0.0", &addr); ip = addr.s_addr; while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'N': namespace = 1; break; case 'i': jail_flags |= JAIL_allow_external_ipc; break; case 'P': jail_flags |= JAIL_allow_parent_ipc; break; case 'y': jail_flags |= JAIL_allow_ipc_to_syslog; break; case 'Y': jail_flags |= JAIL_this_is_syslog; break; case 's': jail_flags |= JAIL_allow_suid_files; break; case 'n': jail_flags |= JAIL_allow_all_net_family; break; case 'r': jail_flags |= JAIL_allow_inet_raw; break; case 'a': jail_flags |= JAIL_auto_adjust_inet_any; break; case 'o': jail_flags |= JAIL_allow_inet_localhost; break; case 'd': jail_flags |= JAIL_allow_dev_read; break; case 'D': jail_flags |= JAIL_allow_dev_write; break; case 'e': jail_flags |= JAIL_allow_dev_get_status; break; case 'E': jail_flags |= JAIL_allow_dev_mod_system; break; case 't': jail_flags |= JAIL_allow_tty_open; break; case 'u': jail_flags |= JAIL_allow_mount; break; case 'l': scd_modify |= RSBAC_SCD_VECTOR(ST_rlimit); break; case 'c': scd_modify |= RSBAC_SCD_VECTOR(ST_clock); scd_modify |= RSBAC_SCD_VECTOR(ST_time_strucs); break; case 'm': scd_modify |= RSBAC_SCD_VECTOR(ST_mlock); break; case 'p': scd_modify |= RSBAC_SCD_VECTOR(ST_priority); break; case 'k': scd_modify |= RSBAC_SCD_VECTOR(ST_ksyms); break; case 'G': if(argc > 2) { int scd; while(argc > 2) { scd = get_scd_type_nr(argv[2]); if(scd == ST_none) { scd = strtol(argv[2],0,10); if( (scd >= ST_none) || ( (scd == 0) && strcmp(argv[2],"0") ) ) { if(!strcmp(argv[2],"A")) { scd_get = -1; } else if(!strcmp(argv[2],"UA")) { scd_get = 0; } else { /* end of scd */ break; } } } else { scd_get |= RSBAC_SCD_VECTOR(scd); } argv++; argc--; } } else fprintf(stderr, gettext("%s: missing SCDs 
for parameter %c\n"), progname, *pos); break; case 'M': if(argc > 2) { int scd; while(argc > 2) { scd = get_scd_type_nr(argv[2]); if(scd == ST_none) { scd = strtol(argv[2],0,10); if( (scd >= ST_none) || ( (scd == 0) && strcmp(argv[2],"0") ) ) { if(!strcmp(argv[2],"A")) { scd_modify = -1; } else if(!strcmp(argv[2],"UA")) { scd_modify = 0; } else { /* end of scd */ break; } } } else { scd_modify |= RSBAC_SCD_VECTOR(scd); } argv++; argc--; } } else fprintf(stderr, gettext("%s: missing SCDs for parameter %c\n"), progname, *pos); break; case 'I': if(argc > 2) { err = inet_aton(argv[2], &addr); error_exit(err); ip = addr.s_addr; argc--; argv++; } else fprintf(stderr, gettext("%s: missing address for parameter %c\n"), progname, *pos); break; case 'R': if(argc > 2) { rootdir = argv[2]; argc--; argv++; } else fprintf(stderr, gettext("%s: missing dirname for parameter %c\n"), progname, *pos); break; case 'V': if(argc > 2) { vset = strtol(argv[2],0,0); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing virtual set number for parameter %c\n"), progname, *pos); exit(1); } break; case 'C': if(argc > 2) { int cap; max_caps.cap[0] = (__u32) 0; max_caps.cap[1] = (__u32) 0; while(argc > 2) { if(strlen(argv[2]) == CAP_NONE) { int j; rsbac_cap_vector_t tmp_cv; for(j=0; j= CAP_NONE) || ( (cap == 0) && strcmp(argv[2],"0") ) ) { if(!strcmp(argv[2],"A")) { max_caps.cap[0] = (__u32) -1; max_caps.cap[1] = (__u32) -1; } else if(!strcmp(argv[2],"UA")) { max_caps.cap[0] = (__u32) 0; max_caps.cap[1] = (__u32) 0; } else if(!strcmp(argv[2],"FS_MASK")) { /* famous problem here */ max_caps.cap[0] |= CAP_FS_MASK; } else { /* end of caps */ break; } } } else { max_caps.cap[CAP_TO_INDEX(cap)] |= ((__u32) 1 << cap); } argv++; argc--; } } else fprintf(stderr, gettext("%s: missing caps for parameter %c\n"), progname, *pos); break; case 'L': { char tmp[RSBAC_MAXNAMELEN]; int i; for(i=0; i 1) { if(verbose) { if(rootdir) printf(gettext("%s: executing %s in jail at %s with IP %s, flags %u, caps 
%u, scd_get %u, scd_modify %u, namespace %u, vset %u\n"), progname, argv[1], rootdir, inet_ntoa(addr), jail_flags, max_caps, scd_get, scd_modify, namespace, vset); else printf(gettext("%s: executing %s in jail (no chroot) with IP %s, flags %u, caps %u, scd_get %u, scd_modify %u, namespace %u, vset %u\n"), progname, argv[1], inet_ntoa(addr), jail_flags, max_caps, scd_get, scd_modify, namespace, vset); } if (namespace) { pid_t pid; int status; struct clone_args args; args.version = RSBAC_JAIL_VERSION; args.rootdir = rootdir; args.ip = ip; args.flags = jail_flags; args.max_caps = max_caps; args.scd_get = scd_get; args.scd_modify = scd_modify; args.argv = argv; signal(SIGCHLD, SIG_DFL); pid = syscall(__NR_clone, CLONE_NEWNS | SIGCHLD, 0); switch (pid) { case -1: perror("clone"); exit(1); case 0: rsbac_jail_ns(&args); default: wait4(pid, &status, 0, 0); exit(EXIT_SUCCESS); } } if(vset != RSBAC_UM_VIRTUAL_KEEP) { res = rsbac_um_select_vset(vset); error_exit(res); } res = rsbac_jail(RSBAC_JAIL_VERSION, rootdir, ip, jail_flags, max_caps, scd_get, scd_modify); error_exit(res); if(rootdir) { /* Already done in syscall rsbac_jail, but better repeat */ res = chdir("/"); error_exit(res); } res = execvp(argv[1],&argv[1]); error_exit(res); } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/attr_rm_group.c0000644000175000017500000000547211131371033021446 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 25/Feb/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [flags] group(s)\n\n"), progname); printf(gettext(" -N ta = transaction number (default = value of 
RSBAC_TA, if set, or 0)\n")); } int main(int argc, char ** argv) { int res = 0; int i; union rsbac_target_id_t tid; rsbac_list_ta_number_t ta_number = 0; progname = argv[0]; locale_init(); { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc > 1) { printf(gettext("%s: %i groups\n\n"), progname, argc - 1); for (i=1;i < (argc);i++) { if(rsbac_get_gid(ta_number, &tid.group, argv[i])) { fprintf(stderr, gettext("Invalid Group %s!\n\n"), argv[i]); continue; } if (RSBAC_GID_SET(tid.group)) printf(gettext("Processing group %s (gid %u/%u)\n"), argv[i], RSBAC_GID_SET(tid.group), RSBAC_GID_NUM(tid.group)); else printf(gettext("Processing group %s (gid %u)\n"), argv[i], RSBAC_GID_NUM(tid.group)); res = rsbac_remove_target(ta_number, T_GROUP, &tid); show_error(res); } } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/mac_wrap.c0000644000175000017500000001064611131371033020352 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2005: Amon Ott */ /* */ /* Last modified: 31/May/2005 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [-v] [-l level] [-c categories] prog args\n"), progname); printf(gettext("This program will 
set the current seclevel and categories, if supplied,\n")); printf(gettext("and then execute prog via execvp().\n")); printf(gettext("Please note that you need mac_auto to set the current values.\n")); printf(gettext("-v = verbose, -l = use this seclevel, -c = use this category set\n")); } int main(int argc, char ** argv) { int res = 0; rsbac_security_level_t seclevel = SL_none; int j; rsbac_mac_category_vector_t categories = RSBAC_MAC_MIN_CAT_VECTOR; int verbose = 0; locale_init(); progname = argv[0]; while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'l': if(argc > 2) { seclevel = strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing value for parameter %c\n"), progname, *pos); break; case 'c': if(argc > 2) { if(strlen(argv[2]) != RSBAC_MAC_NR_CATS) { fprintf(stderr, gettext("%s: Invalid category string length %i, must be %i\n"), progname, strlen(argv[2]), RSBAC_MAC_NR_CATS); if(strlen(argv[2]) < RSBAC_MAC_NR_CATS / 2) { categories = strtol(argv[2],0,10); fprintf(stderr, gettext("%s: Using numeric value %lu instead\n"), progname, (u_long) categories); } else exit(1); } else { for(j=0;j 1) { if(verbose) { char tmp[RSBAC_MAXNAMELEN]; printf(gettext("%s: executing %s with current_sec_level %u and mac_curr_categories %s\n"), progname,argv[1],seclevel,u64tostrmac(tmp, categories)); } res = rsbac_mac_set_curr_level(seclevel, &categories); error_exit(res); res = execvp(argv[1],&argv[1]); error_exit(res); } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/rc_get_eff_rights_fd.c0000644000175000017500000001316611131371032022674 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2005: Amon Ott */ /* */ /* Last modified: 31/May/2005 */ /*************************************************** */ #include #include #include 
#include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif int verbose=0; int recurse=0; int printall=0; union rsbac_attribute_value_t value; enum rsbac_target_t target; enum rsbac_attribute_t attr; char * progname; char * target_n; rsbac_list_ta_number_t ta_number = 0; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [-v] [-r] [-p] target-type file/dirname(s)\n"), progname); printf(gettext(" -v = verbose, -r = recurse into subdirs,\n")); printf(gettext(" -p = print right names,\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" target-type = FILE, DIR, FIFO, SYMLINK, DEV or FD\n")); printf(gettext(" (FD: let %s decide between FILE, DIR, FIFO and SYMLINK, no DEV),\n"), progname); } int process(char * name) { int res = 0; char tmp1[RSBAC_MAXNAMELEN]; struct stat buf; rsbac_rc_request_vector_t request_vector; rsbac_time_t ttl; if(verbose) printf(gettext("Processing %s '%s'\n"), target_n, name); res = rsbac_rc_get_eff_rights_n(ta_number, target, name, &request_vector, &ttl); if(res) { get_error_name(tmp1,res); fprintf(stderr, gettext("%s: error: %s\n"), name, tmp1); } else { if(ttl) printf("%s: %s (ttl: %us)\n", name, u64tostrlog(tmp1, request_vector), ttl); else printf("%s: %s\n", name, u64tostrlog(tmp1, request_vector)); if(printall) { int i; for (i=0; id_name)) && (strcmp("..",dirent_p->d_name)) ) { strcpy(name2,name); strcat(name2,"/"); strcat(name2,dirent_p->d_name); process(name2); } } closedir(dir_stream_p); } return(0); } int main(int argc, char ** argv) { int res = 0; int i; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose=1; break; case 'r': recurse=1; 
break; case 'p': printall=1; break; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc > 1) { char none_name[] = "FD"; target = get_target_nr(argv[1]); if( (target != T_DIR) && (target != T_FILE) && (target != T_FIFO) && (target != T_SYMLINK) && (target != T_DEV) && (target != T_FD) ) { if(verbose) printf(gettext("%s: %i targets\n\n"), progname, argc - 1); fprintf(stderr, gettext("%s: No target type given, assuming FD\n"), progname); target = T_FD; target_n = none_name; for (i=1;i < (argc);i++) { process(argv[i]); } } else { target_n = argv[1]; if(argc > 2) { if(verbose) printf(gettext("%s: %i targets\n\n"), progname, argc - 2); for (i=1;i < (argc-1);i++) { process(argv[i+1]); } } } } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/rc_create_file.c0000644000175000017500000000263211131371032021502 0ustar gauvaingauvain/*************************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2005: Michal Purzynski */ /* */ /* Last modified: 10/Apr/2006 */ /*************************************************************** */ #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s rc_fd_type mode filename\n\n"), progname); } int main(int argc, char ** argv) { int res = 0; int mode; rsbac_rc_type_id_t type; locale_init(); progname = argv[0]; if (argc > 3) { type = strtol(argv[1],0,10); mode = strtol(argv[2],0,8); printf("type: %u, mode: %o, name: %s\n", type, mode, argv[3]); res = 
rsbac_rc_select_fd_create_type(type); error_exit(res); res = creat(argv[3],mode); error_exit(res); } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/attr_rm_fd.c0000644000175000017500000001106611131371033020677 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott */ /* */ /* Last modified: 26/Sep/2007 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif int verbose=0; int recurse=0; union rsbac_attribute_value_t value; enum rsbac_target_t target; enum rsbac_attribute_t attr; char * progname; char * target_n; rsbac_list_ta_number_t ta_number = 0; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [-v] [-r] target-type file/dirname(s)\n"), progname); printf(gettext(" -v = verbose, -r = recurse into subdirs,\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" target-type = FILE, DIR, FIFO, SYMLINK, DEV or FD\n")); printf(gettext(" (FD: let %s decide between FILE, DIR, FIFO and SYMLINK, no DEV),\n"), progname); } int process(char * name) { int res = 0; char tmp1[RSBAC_MAXNAMELEN]; struct stat buf; if(verbose) printf(gettext("Processing '%s'\n"), name); res = rsbac_remove_target_n(ta_number, target, name); if(res) { get_error_name(tmp1,res); if( verbose || (errno != RSBAC_EINVALIDTARGET) ) fprintf(stderr, gettext("%s: error: %s\n"), name, tmp1); } if( !lstat(name,&buf) && S_ISDIR(buf.st_mode) && recurse) { DIR * dir_stream_p; struct dirent * dirent_p; char name2[PATH_MAX]; if(S_ISLNK(buf.st_mode)) return(0); if(!(dir_stream_p = opendir(name))) { fprintf(stderr, gettext("opendir for dir %s returned error: %s\n"), name, strerror(errno)); return(-2); } 
while((dirent_p = readdir(dir_stream_p))) { if( (strcmp(".",dirent_p->d_name)) && (strcmp("..",dirent_p->d_name)) ) { strcpy(name2,name); strcat(name2,"/"); strcat(name2,dirent_p->d_name); process(name2); } } closedir(dir_stream_p); } return(0); } int main(int argc, char ** argv) { int res = 0; int i; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'r': recurse=1; break; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc > 2) { if(verbose) printf(gettext("%s: %i targets\n\n"), progname, argc - 4); target = get_target_nr(argv[1]); if( (target != T_DIR) && (target != T_FILE) && (target != T_FIFO) && (target != T_SYMLINK) && (target != T_DEV) && (target != T_FD) ) { fprintf(stderr, gettext("%s: Invalid target type %s\n"), progname, argv[1]); exit(1); } for (i=1;i < (argc-1);i++) { process(argv[i+1]); } } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/attr_set_net.c0000644000175000017500000003435011131371033021252 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott */ /* */ /* Last modified: 26/Sep/2007 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif union rsbac_attribute_value_t value; enum rsbac_switch_target_t module; enum rsbac_target_t target; enum 
rsbac_attribute_t attr; char * progname; int verbose=0; int doremove=0; int recurse=0; rsbac_version_t version=RSBAC_VERSION_NR; char * target_n; char * attr_n; rsbac_list_ta_number_t ta_number = 0; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [-v] [-e] module target-type attribute [request] value id(s)\n"), progname); printf(gettext(" -v = verbose, -m = remove all attributes\n")); printf(gettext(" -r = recurse into subdirs, -n = list all requests\n")); printf(gettext(" -a = list attributes and values\n")); printf(gettext(" -V version = supply RSBAC integer version number for upgrading\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" module = GEN, MAC, FC, SIM, PM, MS or RC\n")); printf(gettext(" target-type = NETDEV, NETTEMP or NETOBJ\n")); printf(gettext(" category = category number for mac_categories\n")); printf(gettext(" request = request number for log_array_low|high\n")); } int process(u_int request, char * tvalue, char * name) { int res = 0; char tmp1[120]; union rsbac_target_id_t tid; switch(target) { case T_NETDEV: strncpy((char *)tid.netdev, name, RSBAC_IFNAMSIZ); tid.netdev[RSBAC_IFNAMSIZ] = 0; break; case T_NETTEMP: tid.nettemp = strtoul(name, NULL, 10); break; case T_NETOBJ: break; default: fprintf(stderr, gettext("Internal error on %s %s!\n"), target_n, name); return(1); } if(doremove) { if(verbose) printf("Removing attributes for %s %s\n", target_n, name); if(target == T_NETOBJ) res = rsbac_remove_target_n(ta_number, target, name); else res = rsbac_remove_target(ta_number, target, &tid); show_error(res); return res; } switch (attr) { case A_mac_categories: case A_local_mac_categories: case A_remote_mac_categories: if(request <= RSBAC_MAC_MAX_CAT) { u_int tmpval; if(target == T_NETOBJ) res = rsbac_get_attr_n(ta_number, module, target, name, attr, &value, FALSE); else res = rsbac_get_attr(ta_number, module, target, &tid, attr, 
&value, FALSE); show_error(res); if(res) return res; tmpval = strtoul(tvalue,0,0); if(tmpval) value.mac_categories |= RSBAC_MAC_CAT_VECTOR(request); else value.mac_categories &= ~RSBAC_MAC_CAT_VECTOR(request); } else { if(strlen(tvalue) == RSBAC_MAC_NR_CATS) { strtou64mac(tvalue, &value.mac_categories); } else { fprintf(stderr, gettext("Wrong argument length for attr mac_categories\n")); exit(1); } } break; case A_log_array_low: case A_log_array_high: if( (target != T_NETDEV) && (target != T_NETTEMP) ) { error_exit(-RSBAC_EINVALIDTARGET); } if(strlen(tvalue) == R_NONE) { strtou64log(tvalue, &value.log_array_low); } else if(request != R_NONE) { u_int catval; union rsbac_attribute_value_t value2; rsbac_log_array_t k; if(request > RSBAC_MAC_MAX_CAT) { fprintf(stderr, gettext("Invalid request number %u\n"), request); exit(1); } catval = strtol(tvalue,0,10); if(catval > 3) { fprintf(stderr, gettext("Invalid value %s\n"), tvalue); exit(1); } if(target == T_NETOBJ) { res = rsbac_get_attr_n(ta_number, module, target, name, A_log_array_low, &value, FALSE); error_exit(res); res = rsbac_get_attr_n(ta_number, module, target, name, A_log_array_high, &value2, FALSE); error_exit(res); } else { res = rsbac_get_attr(ta_number, module, target, &tid, A_log_array_low, &value, FALSE); error_exit(res); res = rsbac_get_attr(ta_number, module, target, &tid, A_log_array_high, &value2, FALSE); error_exit(res); } k = ((__u64) 1) << request; if(catval & 1) value.log_array_low |= k; else value.log_array_low &= ~k; if(catval & 2) value2.log_array_high |= k; else value2.log_array_high &= ~k; if(target == T_NETOBJ) { res = rsbac_set_attr_n(ta_number, module, target, name, A_log_array_low, &value); error_exit(res); res = rsbac_set_attr_n(ta_number, module, target, name, A_log_array_high, &value2); error_exit(res); } else { res = rsbac_set_attr(ta_number, module, target, &tid, A_log_array_low, &value); error_exit(res); res = rsbac_set_attr(ta_number, module, target, &tid, A_log_array_high, 
&value2); error_exit(res); } exit(0); } else { fprintf(stderr, gettext("Wrong number of arguments for attr %u\n"), attr); exit(1); } break; case A_security_level: case A_local_sec_level: case A_remote_sec_level: value.u_char_dummy = strtoul(tvalue, NULL, 10); break; case A_rc_type: case A_rc_type_nt: case A_local_rc_type: case A_remote_rc_type: value.rc_type = strtoul(tvalue, NULL, 10); break; default: value.dummy = strtol(tvalue, NULL, 0); } if(verbose) printf(gettext("Processing %s '%s', attribute %s\n"), target_n, name, get_attribute_name(tmp1, attr)); if(target == T_NETOBJ) res = rsbac_set_attr_n(ta_number, module, target, name, attr, &value); else res = rsbac_set_attr(ta_number, module, target, &tid, attr, &value); if(res) { get_error_name(tmp1,res); fprintf(stderr, gettext("error: %s\n"), tmp1); } return(res); } int main(int argc, char ** argv) { enum rsbac_attribute_t attr_list_dev[RSBAC_NETDEV_NR_ATTRIBUTES] = RSBAC_NETDEV_ATTR_LIST; enum rsbac_attribute_t attr_list_temp[RSBAC_NETTEMP_NR_ATTRIBUTES] = RSBAC_NETTEMP_ATTR_LIST; enum rsbac_attribute_t attr_list_obj[RSBAC_NETOBJ_NR_ATTRIBUTES] = RSBAC_NETOBJ_ATTR_LIST; int res = 0; char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN]; int i,j; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'r': recurse=1; break; case 'm': doremove=1; break; case 'n': for(i=0; i 2) && ((attr = get_attribute_nr(argv[2])) != A_none) ) { get_switch_target_name(tmp1, get_attr_module(attr)); get_attribute_name(tmp2, attr); get_attribute_param(tmp3, attr); printf("[%-4s] %s\n\t%s\n",tmp1,tmp2,tmp3); exit(0); } printf(gettext("- attribute (string) and returned value = see following lists:\n")); printf("NETDEV:\n"); for (j=0;j 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { 
fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if(argc > 1) { module = get_switch_target_nr(argv[1]); if(module != SW_NONE) { argv++; argc--; } } if ( (argc > 4) || (doremove && (argc > 2)) ) { u_int request = R_NONE; target = get_target_nr(argv[1]); switch(target) { case T_NETDEV: case T_NETTEMP: case T_NETOBJ: break; default: fprintf(stderr, gettext("%s: invalid target %s\n"), progname, argv[1]); exit(1); } target_n = argv[1]; if(!doremove) { attr = get_attribute_nr(argv[2]); attr_n = argv[2]; switch(attr) { case A_log_array_low: case A_local_log_array_low: case A_remote_log_array_low: case A_log_array_high: case A_local_log_array_high: case A_remote_log_array_high: request = get_request_nr(argv[3]); if(request != R_NONE) { argv++; argc--; } break; case A_mac_categories: case A_local_mac_categories: case A_remote_mac_categories: if( !strcmp(argv[3], "CAT") && (argc > 4) ) { request = strtoul(argv[4],0,10); if( (request > 0) || !strcmp(argv[4],"0") ) { argv+=2; argc-=2; } else { fprintf(stderr, "Invalid category after CAT parameter!\n"); exit(1); } } else request = RSBAC_MAC_MAX_CAT + 1; break; default: break; } } if(!doremove) { if(verbose) printf(gettext("%s: %i targets\n\n"), progname, argc - 4); for (i=4;i < (argc);i++) { if(process(request, argv[3], argv[i])) res++; } } else { if(verbose) printf(gettext("%s: %i targets\n\n"), progname, argc - 2); for (i=2;i < (argc);i++) { if(process(request, NULL, argv[i])) res++; } } } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/rsbac_useradd.c0000644000175000017500000010166311131371032021361 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2009: Amon Ott */ /* */ /* Last modified: 07/Jan/2009 */ 
/*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif #ifdef HAVE_SHADOW_H #include #endif #define MAX_TRIES 3 #define ROOM 20 char * progname; char password[RSBAC_MAXNAMELEN] = ""; char * int_pass = NULL; char * crypt_pass = NULL; rsbac_time_t ttl = 0; char * moregroups = NULL; char * skeldir = "/etc/skel/"; int verbose = 0; int err; int useold = 0; int sysuser = 0; int addallold = 0; int homedirgiven = 0; int createhome = 0; int askpass = 0; int copy_pass = 0; rsbac_list_ta_number_t ta_number = 0; rsbac_um_set_t vset = RSBAC_UM_VIRTUAL_KEEP; rsbac_gid_num_t * egroup_array = NULL; int egroup_num = 0; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [flags] username\n"), progname); printf(gettext(" -c comment = fullname or comment,\n")); printf(gettext(" -d dir = homedir of user,\n")); printf(gettext(" -g group = main / initial Linux group,\n")); printf(gettext(" -G group1[,group2,...] 
= add more Linux groups,\n")); printf(gettext(" -p password = password in plaintext,\n")); printf(gettext(" -P = ask for password,\n")); printf(gettext(" -Q password = encrypted password (from backup),\n")); printf(gettext(" -s shell = user's shell,\n")); printf(gettext(" -u uid = uid to use,\n")); printf(gettext(" -U = create system user (uid >= 100),\n")); printf(gettext(" -m = create user home dir from skeleton,\n")); printf(gettext(" -k dir = use this skeleton dir instead of /etc/skel/,\n")); printf(gettext(" -n minchange-days = minimum days between password changes,\n")); printf(gettext(" -x maxchange-days = maximum days between password changes,\n")); printf(gettext(" -w warnchange-days = warning days before password must be changed,\n")); printf(gettext(" -f inactive-days = period between password expiry and account disabling,\n")); printf(gettext(" -e expire-days = days since 1/Jan/1970 when account gets disabled,\n")); printf(gettext(" -t = set relative time-to-live in secs (role/type comp, admin, assign only)\n")); printf(gettext(" -T = set absolute time-to-live in secs (role/type comp, admin, assign only)\n")); printf(gettext(" -D = set relative time-to-live in days (role/type comp, admin, assign only)\n")); printf(gettext(" -o = use values from old passwd/shadow entry,\n")); printf(gettext(" -O = add all existing users (implies -o)\n")); printf(gettext(" -C user = copy existing user without password\n")); printf(gettext(" -K user = copy existing user with password\n")); printf(gettext(" -S n = virtual user set n\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); } int password_read(char * to, char * from) { char * f = from; char * t = to; char tmp[3]; int i; int res = 0; if(strlen(from) != RSBAC_UM_PASS_LEN * 2) { fprintf(stderr, gettext("Wrong encrypted password length!\n")); return -RSBAC_EINVALIDVALUE; } res = mlock(&tmp, 3); if (res) { fprintf(stderr, gettext("Unable to lock password into physical 
memory!\n")); } tmp[2] = 0; while(f[0] && f[1]) { tmp[0] = f[0]; tmp[1] = f[1]; i = strtoul(tmp, 0, 16); if(i < 0 || i > 255) { memset(&tmp, 0, 3); munlock(&tmp, 3); return -RSBAC_EINVALIDVALUE; } *t = i; t++; f += 2; } memset(&tmp, 0, 3); munlock(&tmp, 3); return 0; } int get_pass(char * username, char ** my_int_pass_p) { char * pass1 = malloc(RSBAC_MAXNAMELEN); char * pass2 = malloc(RSBAC_MAXNAMELEN); struct termios old_term; struct termios tmp_term; int res; int i; if(!pass1) return -ENOMEM; if(!pass2) { free(pass1); return -ENOMEM; } res = mlock(pass1, RSBAC_MAXNAMELEN); if (res) { fprintf(stderr, gettext("Unable to lock password into physical memory!\n")); } res = mlock(pass2, RSBAC_MAXNAMELEN); if (res) { fprintf(stderr, gettext("Unable to lock password into physical memory!\n")); } for(i = 0; i < MAX_TRIES; i++) { printf("Password for user %s (empty password not allowed): ", username); if(isatty(STDIN_FILENO)) { res = tcgetattr(STDIN_FILENO, &old_term); if(res) { memset(pass1, 0, RSBAC_MAXNAMELEN); munlock(pass1, RSBAC_MAXNAMELEN); free(pass1); memset(pass2, 0, RSBAC_MAXNAMELEN); munlock(pass2, RSBAC_MAXNAMELEN); free(pass2); return res; } memcpy(&tmp_term, &old_term, sizeof(old_term)); tmp_term.c_lflag &= ~(ECHO); res = tcsetattr(STDIN_FILENO, TCSAFLUSH, &tmp_term); if(res) { memset(pass1, 0, RSBAC_MAXNAMELEN); munlock(pass1, RSBAC_MAXNAMELEN); free(pass1); memset(pass2, 0, RSBAC_MAXNAMELEN); munlock(pass2, RSBAC_MAXNAMELEN); free(pass2); return res; } } res = scanf("%254s", pass1); if(isatty(STDIN_FILENO)) tcsetattr(STDIN_FILENO, TCSAFLUSH, &old_term); printf("\n"); if(res < 0) { fprintf(stderr, gettext("%s: invalid password!\n"), progname); memset(pass1, 0, RSBAC_MAXNAMELEN); munlock(pass1, RSBAC_MAXNAMELEN); free(pass1); memset(pass2, 0, RSBAC_MAXNAMELEN); munlock(pass2, RSBAC_MAXNAMELEN); free(pass2); return -RSBAC_EINVALIDVALUE; } if(!res) { memset(pass1, 0, RSBAC_MAXNAMELEN); munlock(pass1, RSBAC_MAXNAMELEN); free(pass1); memset(pass2, 0, 
RSBAC_MAXNAMELEN); munlock(pass2, RSBAC_MAXNAMELEN); free(pass2); return 0; } printf("Repeat password for user %s: ", username); if(isatty(STDIN_FILENO)) { res = tcgetattr(STDIN_FILENO, &old_term); if(res) { memset(pass1, 0, RSBAC_MAXNAMELEN); munlock(pass1, RSBAC_MAXNAMELEN); free(pass1); memset(pass2, 0, RSBAC_MAXNAMELEN); munlock(pass2, RSBAC_MAXNAMELEN); free(pass2); return res; } memcpy(&tmp_term, &old_term, sizeof(old_term)); tmp_term.c_lflag &= ~(ECHO); res = tcsetattr(STDIN_FILENO, TCSAFLUSH, &tmp_term); if(res) { memset(pass1, 0, RSBAC_MAXNAMELEN); munlock(pass1, RSBAC_MAXNAMELEN); free(pass1); memset(pass2, 0, RSBAC_MAXNAMELEN); munlock(pass2, RSBAC_MAXNAMELEN); free(pass2); return res; } } res = scanf("%254s", pass2); if(isatty(STDIN_FILENO)) tcsetattr(STDIN_FILENO, TCSAFLUSH, &old_term); printf("\n"); if(res <= 0) { fprintf(stderr, gettext("%s: invalid password!\n"), progname); return -RSBAC_EINVALIDVALUE; } if(!strcmp(pass1,pass2)) { *my_int_pass_p = pass1; memset(pass2, 0, RSBAC_MAXNAMELEN); munlock(pass2, RSBAC_MAXNAMELEN); free(pass2); return 0; } else fprintf(stderr, gettext("%s: password mismatch!\n"), progname); } fprintf(stderr, gettext("%s: Too many tries, using default password!\n"), progname); memset(pass1, 0, RSBAC_MAXNAMELEN); munlock(pass1, RSBAC_MAXNAMELEN); free(pass1); memset(pass2, 0, RSBAC_MAXNAMELEN); munlock(pass2, RSBAC_MAXNAMELEN); free(pass2); return 0; } int process(char * name, rsbac_uid_t user, struct rsbac_um_user_entry_t entry) { int res = 0; char * my_int_pass = int_pass; if(useold) { struct passwd * pwentry; #ifdef HAVE_SHADOW_H struct spwd * spentry = NULL; #endif pwentry = getpwnam(name); if(!pwentry) { fprintf(stderr, "%s: old entry not found!\n", name); return -RSBAC_ENOTFOUND; } user = RSBAC_GEN_UID(vset, pwentry->pw_uid); entry.group = pwentry->pw_gid; strncpy(entry.fullname, pwentry->pw_gecos, RSBAC_UM_FULLNAME_LEN); entry.fullname[RSBAC_UM_FULLNAME_LEN - 1] = 0; strncpy(entry.homedir, pwentry->pw_dir, 
RSBAC_UM_HOMEDIR_LEN); entry.homedir[RSBAC_UM_HOMEDIR_LEN - 1] = 0; strncpy(entry.shell, pwentry->pw_shell, RSBAC_UM_SHELL_LEN); entry.shell[RSBAC_UM_SHELL_LEN - 1] = 0; entry.lastchange = 0; #ifdef HAVE_SHADOW_H spentry = getspnam(name); if(!spentry) { fprintf(stderr, "%s: old shadow entry not found, adding with default values!\n", name); } else { entry.minchange = spentry->sp_min; entry.maxchange = spentry->sp_max; entry.warnchange = spentry->sp_warn; entry.inactive = spentry->sp_inact; entry.expire = spentry->sp_expire; if(strlen(spentry->sp_pwdp) == 1) { my_int_pass = NULL; if(verbose) printf("Account %s seems to be disabled, disabling password\n", name); } else if(askpass) get_pass(name, &my_int_pass); } #else if(!strcmp(pwentry->pw_passwd, "*")) { if(askpass) get_pass(name, &my_int_pass); else fprintf(stderr, "%s: shadow not supported, adding with default values!\n", name); } else { if(strlen(pwentry->pw_passwd) == 1) { my_int_pass = NULL; if(verbose) printf("Account %s seems to be disabled, disabling password\n", name); } else if(askpass) get_pass(name, &my_int_pass); } #endif if(verbose) { if (RSBAC_UID_SET(user) == RSBAC_UM_VIRTUAL_KEEP) printf("Adding old user %u:%s\n", RSBAC_UID_NUM(user), name); else printf("Adding old user %u/%u:%s\n", RSBAC_UID_SET(user), RSBAC_UID_NUM(user), name); } } else { if(sysuser) { if(RSBAC_UID_NUM(user) == RSBAC_NO_USER) user = RSBAC_GEN_UID(RSBAC_UID_SET(user), 100); while (rsbac_um_user_exists(ta_number, user)) user++; } if(verbose) { if (RSBAC_UID_SET(user) == RSBAC_UM_VIRTUAL_KEEP) printf("Adding user %u:%s\n", RSBAC_UID_NUM(user), name); else printf("Adding user %u/%u:%s\n", RSBAC_UID_SET(user), RSBAC_UID_NUM(user), name); } if(askpass) get_pass(name, &my_int_pass); } strncpy(entry.name, name, RSBAC_UM_NAME_LEN); entry.name[RSBAC_UM_NAME_LEN - 1] = 0; if(!homedirgiven && !useold) { snprintf(entry.homedir, RSBAC_UM_HOMEDIR_LEN, "/home/%s", name); entry.homedir[RSBAC_UM_HOMEDIR_LEN - 1] = 0; } res = 
rsbac_um_add_user(ta_number, user, &entry, my_int_pass, ttl); if(my_int_pass && (my_int_pass != int_pass)) free(my_int_pass); if(res) { fprintf(stderr, "%s: ", name); show_error(res); return res; } /* copy user home dir from skel */ if(createhome) { struct stat statbuf; if(!stat(entry.homedir, &statbuf)) { fprintf(stderr, "User %s homedir path %s already exists\n", name, entry.homedir); } else { char command[RSBAC_MAXNAMELEN]; FILE * pfile; snprintf(command, RSBAC_MAXNAMELEN, "/bin/cp -a \"%s\" \"%s\"", skeldir, entry.homedir); pfile = popen(command, "w"); if(!pfile) { fprintf(stderr, "Copying user %s homedir %s failed with error", name, entry.homedir); show_error(res); fprintf(stderr, "\n"); } else { pclose(pfile); snprintf(command, RSBAC_MAXNAMELEN, "/bin/chown -R \"%s:\" \"%s\"", name, entry.homedir); pfile = popen(command, "w"); if(!pfile) { fprintf(stderr, "Chown of homedir %s to %s failed with error", entry.homedir, name); show_error(res); fprintf(stderr, "\n"); } else pclose(pfile); } } } if ((egroup_num > 0) && egroup_array) { int i; for (i=0; iname, data.string); else return res; res = rsbac_um_get_user_item(ta_number, user, UM_fullname, &data); if(!res) strcpy(entry_p->fullname, data.string); res = rsbac_um_get_user_item(ta_number, user, UM_shell, &data); if(!res) strcpy(entry_p->shell, data.string); res = rsbac_um_get_user_item(ta_number, user, UM_homedir, &data); if(!res) { strcpy(entry_p->homedir, data.string); homedirgiven = TRUE; } if (copy_pass) { res = rsbac_um_get_user_item(ta_number, user, UM_pass, &data); if(!res) { crypt_pass = malloc(RSBAC_UM_PASS_LEN); if (crypt_pass) memcpy(crypt_pass, data.string, RSBAC_UM_PASS_LEN); } } res = rsbac_um_get_user_item(ta_number, user, UM_group, &data); if(!res) entry_p->group = data.group; egroup_num = rsbac_um_get_gm_list(ta_number, user, NULL, 0); if(egroup_num > 0) { egroup_num += ROOM; egroup_array = malloc(egroup_num * sizeof(*egroup_array)); if(!egroup_array) return -RSBAC_ENOMEM; egroup_num = 
rsbac_um_get_gm_list(ta_number, user, egroup_array, egroup_num); if(egroup_num < 0) { egroup_num = 0; free(egroup_array); egroup_array = NULL; return -RSBAC_EREADFAILED; } } res = rsbac_um_get_user_item(ta_number, user, UM_lastchange, &data); if(!res) entry_p->lastchange = data.days; res = rsbac_um_get_user_item(ta_number, user, UM_minchange, &data); if(!res) entry_p->minchange = data.days; res = rsbac_um_get_user_item(ta_number, user, UM_maxchange, &data); if(!res) entry_p->maxchange = data.days; res = rsbac_um_get_user_item(ta_number, user, UM_warnchange, &data); if(!res) entry_p->warnchange = data.days; res = rsbac_um_get_user_item(ta_number, user, UM_inactive, &data); if(!res) entry_p->inactive = data.days; res = rsbac_um_get_user_item(ta_number, user, UM_expire, &data); if(!res) entry_p->expire = data.days; res = rsbac_um_get_user_item(ta_number, user, UM_ttl, &data); if(!res) ttl = data.ttl; return 0; } int main(int argc, char ** argv) { struct rsbac_um_user_entry_t entry = DEFAULT_UM_U_ENTRY; rsbac_uid_t user = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, RSBAC_NO_USER); locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'o': useold = 1; break; case 'O': addallold = 1; useold = 1; break; case 'U': sysuser = 1; break; case 'K': copy_pass = 1; /* fall through */ case 'C': if(argc > 2) { rsbac_uid_t euser = RSBAC_GEN_UID(vset, RSBAC_NO_USER); if(rsbac_um_get_uid(ta_number, argv[2], &euser)) { char * tmp_name = argv[2]; char * p = tmp_name; rsbac_um_set_t tmp_vset = vset; while (*p && (*p != '/')) p++; if (*p) { *p = 0; tmp_vset = strtoul(tmp_name, NULL, 0); *p = '/'; p++; tmp_name = p; } euser = strtoul(tmp_name, NULL, 0); if(!euser && strcmp(tmp_name,"0")) { fprintf(stderr, gettext("%s: Unknown user %s\n"), progname, argv[2]); return 1; } euser = 
RSBAC_GEN_UID(tmp_vset, euser); } if (fill_entry (euser, &entry)) { fprintf(stderr, gettext("%s: Reading user %s (%u/%u) failed, exiting!\n"), progname, argv[2], RSBAC_UID_SET(euser), RSBAC_UID_NUM(euser)); return 1; } user = euser; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'c': if(argc > 2) { strncpy(entry.fullname, argv[2], RSBAC_UM_FULLNAME_LEN); entry.fullname[RSBAC_UM_FULLNAME_LEN - 1] = 0; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'd': if(argc > 2) { strncpy(entry.homedir, argv[2], RSBAC_UM_HOMEDIR_LEN); entry.homedir[RSBAC_UM_HOMEDIR_LEN - 1] = 0; homedirgiven = 1; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'p': if(argc > 2) { err = mlock(&password, RSBAC_MAXNAMELEN); if (err) { fprintf(stderr, gettext("Unable to lock password into physical memory!\n")); } strncpy(password, argv[2], RSBAC_MAXNAMELEN); password[RSBAC_MAXNAMELEN - 1] = 0; int_pass = password; crypt_pass = NULL; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'P': askpass = 1; break; case 'Q': if(argc > 2) { err = mlock(&password, RSBAC_MAXNAMELEN); if (err) { fprintf(stderr, gettext("Unable to lock password into physical memory!\n")); } err = password_read(password, argv[2]); error_exit(err); crypt_pass = password; int_pass = NULL; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 's': if(argc > 2) { strncpy(entry.shell, argv[2], RSBAC_UM_SHELL_LEN); entry.shell[RSBAC_UM_SHELL_LEN - 1] = 0; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'g': if(argc > 2) { rsbac_gid_t tmp_group = RSBAC_GEN_GID(RSBAC_UM_VIRTUAL_KEEP, RSBAC_NO_GROUP); 
if(rsbac_get_gid_name(ta_number, &tmp_group, NULL, argv[2])) { fprintf(stderr, gettext("%s: Unknown group %s\n"), progname, argv[2]); return 1; } entry.group = RSBAC_GID_NUM(tmp_group); argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'G': if(argc > 2) { moregroups = argv[2]; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'u': if(argc > 2) { user = RSBAC_GEN_UID(vset, strtoul(argv[2],0,0)); argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'l': if(argc > 2) { entry.lastchange = strtoul(argv[2],0,0); argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'n': if(argc > 2) { entry.minchange = strtoul(argv[2],0,0); argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'x': if(argc > 2) { entry.maxchange = strtoul(argv[2],0,0); argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'w': if(argc > 2) { entry.warnchange = strtoul(argv[2],0,0); argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'i': case 'f': if(argc > 2) { entry.inactive = strtoul(argv[2],0,0); argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'e': if(argc > 2) { entry.expire = strtoul(argv[2],0,0); argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'm': createhome = 1; break; case 'k': if(argc > 2) { struct stat statbuf; if(stat(argv[2], &statbuf)) { fprintf(stderr, gettext("%s: cannot lookup skel dir %s\n"), progname, argv[2]); exit(1); } else if(!S_ISDIR(statbuf.st_mode)) { fprintf(stderr, 
gettext("%s: skel dir %s is no dir\n"), progname, argv[2]); exit(1); } skeldir = argv[2]; if(strlen(skeldir) > RSBAC_MAXNAMELEN - 50) { fprintf(stderr, gettext("%s: skel dir name %s is too long\n"), progname, argv[2]); exit(1); } argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 't': if(argc > 2) { ttl = strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'D': if(argc > 2) { ttl = 86400 * strtoul(argv[2], 0, 10); argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'T': if(argc > 2) { rsbac_time_t now = time(NULL); ttl = strtoul(argv[2], 0, 10); if(ttl > now) { ttl -= now; argc--; argv++; } else { fprintf(stderr, gettext("%s: ttl value for parameter %c is in the past, exiting\n"), progname, *pos); exit(1); } } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; case 'S': if(argc > 2) { if (rsbac_get_vset_num(argv[2], &vset)) { fprintf(stderr, gettext("%s: invalid virtual set number for parameter %c\n"), progname, *pos); exit(1); } user = RSBAC_GEN_UID(vset, user); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing virtual set number for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if(addallold) { struct passwd * user_info_p; rsbac_uid_t tmp_uid; setpwent(); while((user_info_p = getpwent())) { if( !rsbac_um_user_exists(ta_number, user_info_p->pw_uid) && rsbac_um_get_uid(ta_number, user_info_p->pw_name, &tmp_uid) ) process(user_info_p->pw_name, user, 
entry); else if(verbose) printf("Skipping existing user %s / uid %u\n", user_info_p->pw_name, user_info_p->pw_uid); } endpwent(); exit(0); } else if (argc > 1) { int i; for(i=1; i< argc; i++) { char * tmp_name = argv[i]; char * p = tmp_name; rsbac_um_set_t tmp_vset = vset; while (*p && (*p != '/')) p++; if (*p) { *p = 0; if (rsbac_get_vset_num(tmp_name, &tmp_vset)) { fprintf(stderr, gettext("%s: invalid virtual set number %s, skipping\n"), tmp_name); continue; } *p = '/'; p++; tmp_name = p; } process(tmp_name, RSBAC_GEN_UID(tmp_vset, user), entry); } memset(password, 0, RSBAC_MAXNAMELEN); munlock(&password, RSBAC_MAXNAMELEN); exit(0); } else { use(); return 1; } exit(0); } rsbac-admin-1.4.0/main/tools/src/rc_copy_role.c0000644000175000017500000000441111131371033021231 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2005: Amon Ott */ /* */ /* Last modified: 31/May/2005 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; void use(void) { printf("%s (RSBAC %s)\n***\n", progname, VERSION); printf(gettext("Use: %s [flags] from_role to_role\n"), progname); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); } int main(int argc, char ** argv) { int res = 0; int from_role, to_role; rsbac_list_ta_number_t ta_number = 0; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, 
gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc == 3) { from_role=strtol(argv[1],0,10); to_role=strtol(argv[2],0,10); res = rsbac_rc_copy_role(ta_number, from_role, to_role); error_exit(res); } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/src/rsbac_stats_pm.c0000644000175000017500000000114311131371032021554 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2005: Amon Ott */ /* */ /* Last modified: 31/May/2005 */ /*************************************************** */ #include #include #include #include int main(int argc, char ** argv) { int res; res = rsbac_stats_pm(); error_exit(res); return (res); } rsbac-admin-1.4.0/main/tools/src/attr_set_group.c0000644000175000017500000001375711131371032021627 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 25/Feb/2008 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s module user attribute [position] value\n\n"), progname); printf(gettext("Use: %s [switches] module user log_user_based [request-list]\n\n"), progname); printf(gettext(" -p = print resulting requests, -a = add, not set, -m = remove, not set\n")); printf(gettext(" -A = list attributes and values\n")); printf(gettext(" -V version = supply RSBAC integer version number for upgrading\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" module = GEN, MAC, FC, SIM, PM, DAZ, FF, RC or AUTH\n")); } int main(int argc, char ** argv) { int 
attr_list[RSBAC_GROUP_NR_ATTRIBUTES] = RSBAC_GROUP_ATTR_LIST; int res = 0; char tmp1[RSBAC_MAXNAMELEN],tmp2[RSBAC_MAXNAMELEN],tmp3[RSBAC_MAXNAMELEN]; int j; enum rsbac_switch_target_t module = SW_NONE; union rsbac_attribute_value_t value; union rsbac_target_id_t tid; enum rsbac_attribute_t attr; int verbose = 0; int printall = 0; int add = 0; int remove = 0; rsbac_version_t version=RSBAC_VERSION_NR; rsbac_list_ta_number_t ta_number = 0; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'p': printall=1; break; case 'a': add=1; break; case 'm': remove=1; break; case 'n': { char tmp[80]; int i; for(i=0; i 2) && ((attr = get_attribute_nr(argv[2])) != A_none) ) { get_switch_target_name(tmp1, get_attr_module(attr)); get_attribute_name(tmp2, attr); get_attribute_param(tmp3, attr); printf("[%-4s] %s\n\t%s\n",tmp1,tmp2,tmp3); exit(0); } printf(gettext("- attribute (string) and returned value = see following list:\n")); printf(gettext("[MAC ] mac_[min_|initial_]categories (with additional parameter position)\n\t0=no, 1=yes\n")); printf(gettext("[GEN ] log_user_based (with space separated list of requests)\n\t0=no, 1=yes\n")); for (j=0;j 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if(argc > 1) { module = get_switch_target_nr(argv[1]); if(module != SW_NONE) { argv++; argc--; } } /* normal attributes */ switch(argc) { case 1: case 2: case 3: use(); return 1; case 4: attr = get_attribute_nr(argv[2]); if(attr == A_none) { fprintf(stderr, gettext("%s: Invalid Attribute %s!\n"), progname, argv[2]); exit(1); } 
if(rsbac_get_gid(ta_number, &tid.group, argv[1])) { fprintf(stderr, gettext("%s: Invalid Group %s!\n"), progname, argv[1]); exit(1); } switch(attr) { case A_none: fprintf(stderr, gettext("%s: Invalid attribute %s\n"), progname, argv[3]); exit(1); default: value.dummy = strtoul(argv[3],0,10); } res = rsbac_set_attr(ta_number, module, T_GROUP, &tid, attr, &value); error_exit(res); exit(0); default: break; } exit(1); } rsbac-admin-1.4.0/main/tools/src/rc_get_item.c0000644000175000017500000073451211131371032021046 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2007: Amon Ott */ /* */ /* Last modified: 01/Nov/2007 */ /*************************************************** */ #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif #define SETPROG "rc_set_item" /* reserve list room for so many extra items - to avoid racing problems */ #define LISTROOM 10 rsbac_list_ta_number_t ta_number = 0; char * progname; char * htmltitle = NULL; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [switches] rc-target-type id-nr item [sub-id-nr [right]]\n"), progname); printf(gettext(" %s list_xxx\n"), progname); printf(gettext(" %s list_unused_xxx (_nr only)\n"), progname); printf(gettext(" %s list_def_fd_ind_create_type{s|_nr|_values role-id\n"), progname); printf(gettext(" %s backup\n"), progname); printf(gettext(" %s print\n"), progname); printf(gettext(" -v = verbose, -p = print right names,\n")); printf(gettext(" -i = list items and values,\n")); printf(gettext(" -r = remove role before restore (backup only)\n")); printf(gettext(" -0 = explicitely set no rights (backup only)\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); printf(gettext(" rc-target-type = ROLE or TYPE,\n")); 
printf(gettext(" id-nr = ROLE or TYPE number,\n")); printf(gettext(" item = entry line,\n")); printf(gettext(" sub-id-nr = use this sub-id (_comp items only),\n")); printf(gettext(" right = right name or number (type_comp items only),\n")); printf(gettext(" xxx = roles, fd_types, dev_types, ipc_types, user_types, process_types,\n")); printf(gettext(" scd_types, group_types, role_nr, fd_type_nr, dev_type_nr, ipc_type_nr,\n")); printf(gettext(" user_type_nr, process_type_nr, scd_type_nr, rights: print a list\n")); printf(gettext(" list_def_fd_ind_create_types etc.: print a list\n")); } void print_html_rights(rsbac_rc_rights_vector_t rights, enum rsbac_target_t target) { int k; rsbac_rc_rights_vector_t vector; char tmp1[RSBAC_MAXNAMELEN]; switch(target) { case T_FD: case T_FILE: case T_DIR: case T_FIFO: case T_SYMLINK: case T_UNIXSOCK: vector = RSBAC_FD_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR; break; case T_DEV: vector = RSBAC_DEV_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR; break; case T_IPC: vector = RSBAC_IPC_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR; break; case T_SCD: vector = RSBAC_SCD_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR; break; case T_USER: vector = RSBAC_USER_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR; break; case T_GROUP: vector = RSBAC_GROUP_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR; break; case T_PROCESS: vector = RSBAC_PROCESS_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR; break; case T_NETDEV: vector = RSBAC_NETDEV_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR; break; case T_NETTEMP: vector = RSBAC_NETTEMP_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR; break; case T_NETOBJ: vector = RSBAC_NETTEMP_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR; break; default: vector = RSBAC_RC_ALL_REQUESTS; } for (k=0; k%s", get_request_name(tmp1,k)); else if(vector & RSBAC_READ_REQUEST_VECTOR) printf(" %s", get_request_name(tmp1,k)); else if(vector & RSBAC_READ_WRITE_REQUEST_VECTOR) printf(" %s", get_request_name(tmp1,k)); 
else if(vector & RSBAC_EXECUTE_REQUEST_VECTOR) printf(" %s", get_request_name(tmp1,k)); else if(vector & RSBAC_SECURITY_REQUEST_VECTOR) printf(" %s", get_request_name(tmp1,k)); else if(vector & RSBAC_SYSTEM_REQUEST_VECTOR) printf(" %s", get_request_name(tmp1,k)); else printf(" %s", get_request_name(tmp1,k)); } } for (k=RSBAC_RC_SPECIAL_RIGHT_BASE; k%s", get_rc_special_right_name(tmp1,k)); } char * print_html_bitstring(char * string, rsbac_rc_rights_vector_t rights) { char tmp1[RSBAC_MAXNAMELEN]; if(rights & (RSBAC_SECURITY_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR)) sprintf(string, " %s", u64tostrrcr(tmp1,rights)); else if(rights & (RSBAC_WRITE_REQUEST_VECTOR | RSBAC_READ_WRITE_OPEN_REQUEST_VECTOR)) sprintf(string, " %s", u64tostrrcr(tmp1,rights)); else if(rights & RSBAC_EXECUTE_REQUEST_VECTOR) sprintf(string, " %s", u64tostrrcr(tmp1,rights)); else if(rights & RSBAC_READ_REQUEST_VECTOR) sprintf(string, " %s", u64tostrrcr(tmp1,rights)); else sprintf(string, " %s", u64tostrrcr(tmp1,rights)); return string; } void print_rights(rsbac_rc_rights_vector_t rights) { int k; char tmp1[RSBAC_MAXNAMELEN]; for (k=0; k 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose=1; break; case 'p': printall=1; break; case 'r': remove=1; break; case '0': norights=1; break; case 'i': if( (argc > 2) && ((item = get_rc_item_nr(argv[2])) != RI_none) ) { get_rc_item_name(tmp1, item); get_rc_item_param(tmp2, item); printf("%s \t%s\n",tmp1,tmp2); exit(0); } printf(gettext("- items and returned values = see following list:\n")); printf("- ROLE:\n"); for (j=0;j 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; case 'H': if(argc > 2) { htmltitle = argv[2]; argc--; argv++; } else { fprintf(stderr, gettext("%s: missing string for parameter %c\n"), progname, *pos); exit(1); } break; 
default: fprintf(stderr, gettext("%s: unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } switch(argc) { case 2: if( !strcmp(argv[1],"list_rights") ) { char tmp[80]; for(i=0; i 0) { qsort(role_array, nr_roles, sizeof(*role_array), rsbac_u32_void_compare); for(j=0; j 0) { qsort(type_array, nr_types, sizeof(*type_array), rsbac_u32_void_compare); for(j=0; j 0) qsort(type_array, nr_fd_types, sizeof(*type_array), rsbac_u32_void_compare); if(doprint) { printf("Types\n=====\n%u FD types defined:\n", nr_fd_types); } else if(htmlprint) { if(htmltitle) printf("RSBAC %s RC Configuration - %s\n", RSBAC_VERSION, htmltitle); else printf("RSBAC %s RC Configuration\n", RSBAC_VERSION); printf("\n\n"); if(htmltitle) printf("

RSBAC %s RC Configuration - %s

\n", RSBAC_VERSION, htmltitle); else printf("

RSBAC %s RC Configuration

\n", RSBAC_VERSION); printf("
\n

Types

\n

%u FD types defined

\n", nr_fd_types); printf("\n\n"); } for(j=0; j", type_array[j], type_array[j], value.name); else printf("%s -V %u TYPE %u type_fd_name \"%s\"\n", SETPROG, RSBAC_VERSION_NR, type_array[j], value.name); } } res = rsbac_rc_get_item(ta_number, target, &tid, &tid, RI_type_fd_need_secdel, &value, NULL); if(!res) { if(value.need_secdel) { if(doprint) printf(" (with secure delete)"); else if(htmlprint) printf("\n"); else printf("%s -V %u TYPE %u type_fd_need_secdel %u\n", SETPROG, RSBAC_VERSION_NR, type_array[j], value.need_secdel); } else if(htmlprint) printf("\n"); } if(doprint) printf("\n"); } free(type_array); if(htmlprint) printf("
NumberNameSecdel
%u%syes
no
\n"); item = RI_type_dev_name; tid.role = 0; nr_dev_types = rsbac_rc_get_list(ta_number, RT_TYPE, &tid, item, 0, NULL, NULL); error_exit(nr_dev_types); nr_dev_types += LISTROOM; type_array = malloc(nr_dev_types * sizeof(__u32)); if(!type_array) { error_exit(-ENOMEM); } nr_dev_types = rsbac_rc_get_list(ta_number, RT_TYPE, &tid, item, nr_dev_types, type_array, NULL); if(nr_dev_types > 0) qsort(type_array, nr_dev_types, sizeof(*type_array), rsbac_u32_void_compare); if(doprint) { printf("\n%u DEV types defined:\n", nr_dev_types); } else if(htmlprint) { printf("

%u DEV types defined

\n", nr_dev_types); printf("\n\n"); } for(j=0; j\n", type_array[j], type_array[j], value.name); else printf("%s -V %u TYPE %u type_dev_name \"%s\"\n", SETPROG, RSBAC_VERSION_NR, type_array[j], value.name); } } } free(type_array); if(htmlprint) printf("
NumberName
%u%s
\n"); item = RI_type_ipc_name; tid.role = 0; nr_ipc_types = rsbac_rc_get_list(ta_number, RT_TYPE, &tid, item, 0, NULL, NULL); error_exit(nr_ipc_types); nr_ipc_types += LISTROOM; type_array = malloc(nr_ipc_types * sizeof(__u32)); if(!type_array) { error_exit(-ENOMEM); } nr_ipc_types = rsbac_rc_get_list(ta_number, RT_TYPE, &tid, item, nr_ipc_types, type_array, NULL); if(nr_dev_types > 0) qsort(type_array, nr_ipc_types, sizeof(*type_array), rsbac_u32_void_compare); if(doprint) { printf("\n%u IPC types defined:\n", nr_ipc_types); } else if(htmlprint) { printf("

%u IPC types defined

\n", nr_ipc_types); printf("\n\n"); } for(j=0; j\n", type_array[j], type_array[j], value.name); else printf("%s -V %u TYPE %u type_ipc_name \"%s\"\n", SETPROG, RSBAC_VERSION_NR, type_array[j], value.name); } } } free(type_array); if(htmlprint) printf("
NumberName
%u%s
\n"); item = RI_type_user_name; tid.role = 0; nr_user_types = rsbac_rc_get_list(ta_number, RT_TYPE, &tid, item, 0, NULL, NULL); error_exit(nr_user_types); nr_user_types += LISTROOM; type_array = malloc(nr_user_types * sizeof(__u32)); if(!type_array) { error_exit(-ENOMEM); } nr_user_types = rsbac_rc_get_list(ta_number, RT_TYPE, &tid, item, nr_user_types, type_array, NULL); if(nr_user_types > 0) qsort(type_array, nr_user_types, sizeof(*type_array), rsbac_u32_void_compare); if(doprint) { printf("\n%u USER types defined:\n", nr_user_types); } else if(htmlprint) { printf("

%u USER types defined

\n", nr_user_types); printf("\n\n"); } for(j=0; j\n", type_array[j], type_array[j], value.name); else printf("%s -V %u TYPE %u type_user_name \"%s\"\n", SETPROG, RSBAC_VERSION_NR, type_array[j], value.name); } } } free(type_array); if(htmlprint) printf("
NumberName
%u%s
\n"); item = RI_type_process_name; tid.role = 0; nr_process_types = rsbac_rc_get_list(ta_number, RT_TYPE, &tid, item, 0, NULL, NULL); error_exit(nr_process_types); nr_process_types += LISTROOM; type_array = malloc(nr_process_types * sizeof(__u32)); if(!type_array) { error_exit(-ENOMEM); } nr_process_types = rsbac_rc_get_list(ta_number, RT_TYPE, &tid, item, nr_process_types, type_array, NULL); if(nr_process_types > 0) qsort(type_array, nr_process_types, sizeof(*type_array), rsbac_u32_void_compare); if(doprint) { printf("\n%u PROCESS types defined:\n", nr_process_types); } else if(htmlprint) { printf("

%u PROCESS types defined

\n", nr_process_types); printf("\n\n"); } for(j=0; j\n", type_array[j], type_array[j], value.name); else printf("%s -V %u TYPE %u type_process_name \"%s\"\n", SETPROG, RSBAC_VERSION_NR, type_array[j], value.name); } } } free(type_array); if(htmlprint) printf("
NumberName
%u%s
\n"); item = RI_type_group_name; tid.role = 0; nr_group_types = rsbac_rc_get_list(ta_number, RT_TYPE, &tid, item, 0, NULL, NULL); error_exit(nr_group_types); nr_group_types += LISTROOM; type_array = malloc(nr_group_types * sizeof(__u32)); if(!type_array) { error_exit(-ENOMEM); } nr_group_types = rsbac_rc_get_list(ta_number, RT_TYPE, &tid, item, nr_group_types, type_array, NULL); if(nr_group_types > 0) qsort(type_array, nr_group_types, sizeof(*type_array), rsbac_u32_void_compare); if(doprint) { printf("\n%u GROUP types defined:\n", nr_group_types); } else if(htmlprint) { printf("

%u GROUP types defined

\n", nr_group_types); printf("\n\n"); } for(j=0; j\n", type_array[j], type_array[j], value.name); else printf("%s -V %u TYPE %u type_group_name \"%s\"\n", SETPROG, RSBAC_VERSION_NR, type_array[j], value.name); } } } free(type_array); if(htmlprint) printf("
NumberName
%u%s
\n"); item = RI_type_netdev_name; tid.role = 0; nr_netdev_types = rsbac_rc_get_list(ta_number, RT_TYPE, &tid, item, 0, NULL, NULL); error_exit(nr_netdev_types); nr_netdev_types += LISTROOM; type_array = malloc(nr_netdev_types * sizeof(__u32)); if(!type_array) { error_exit(-ENOMEM); } nr_netdev_types = rsbac_rc_get_list(ta_number, RT_TYPE, &tid, item, nr_netdev_types, type_array, NULL); if(nr_netdev_types > 0) qsort(type_array, nr_netdev_types, sizeof(*type_array), rsbac_u32_void_compare); if(doprint) { printf("\n%u NETDEV types defined:\n", nr_netdev_types); } else if(htmlprint) { printf("

%u NETDEV types defined

\n", nr_netdev_types); printf("\n\n"); } for(j=0; j\n", type_array[j], type_array[j], value.name); else printf("%s -V %u TYPE %u type_netdev_name \"%s\"\n", SETPROG, RSBAC_VERSION_NR, type_array[j], value.name); } } } free(type_array); if(htmlprint) printf("
NumberName
%u%s
\n"); item = RI_type_nettemp_name; tid.role = 0; nr_nettemp_types = rsbac_rc_get_list(ta_number, RT_TYPE, &tid, item, 0, NULL, NULL); error_exit(nr_nettemp_types); nr_nettemp_types += LISTROOM; type_array = malloc(nr_nettemp_types * sizeof(__u32)); if(!type_array) { error_exit(-ENOMEM); } nr_nettemp_types = rsbac_rc_get_list(ta_number, RT_TYPE, &tid, item, nr_nettemp_types, type_array, NULL); if(nr_nettemp_types > 0) qsort(type_array, nr_nettemp_types, sizeof(*type_array), rsbac_u32_void_compare); if(doprint) { printf("\n%u NETTEMP types defined:\n", nr_nettemp_types); } else if(htmlprint) { printf("

%u NETTEMP types defined

\n", nr_nettemp_types); printf("\n\n"); } for(j=0; j\n", type_array[j], type_array[j], value.name); else printf("%s -V %u TYPE %u type_nettemp_name \"%s\"\n", SETPROG, RSBAC_VERSION_NR, type_array[j], value.name); } } } free(type_array); if(htmlprint) printf("
NumberName
%u%s
\n"); item = RI_type_netobj_name; tid.role = 0; nr_netobj_types = rsbac_rc_get_list(ta_number, RT_TYPE, &tid, item, 0, NULL, NULL); error_exit(nr_netobj_types); nr_netobj_types += LISTROOM; type_array = malloc(nr_netobj_types * sizeof(__u32)); if(!type_array) { error_exit(-ENOMEM); } nr_netobj_types = rsbac_rc_get_list(ta_number, RT_TYPE, &tid, item, nr_netobj_types, type_array, NULL); if(nr_netobj_types > 0) qsort(type_array, nr_netobj_types, sizeof(*type_array), rsbac_u32_void_compare); if(doprint) { printf("\n%u NETOBJ types defined:\n", nr_netobj_types); } else if(htmlprint) { printf("

%u NETOBJ types defined

\n", nr_netobj_types); printf("\n\n"); } for(j=0; j\n", type_array[j], type_array[j], value.name); else printf("%s -V %u TYPE %u type_netobj_name \"%s\"\n", SETPROG, RSBAC_VERSION_NR, type_array[j], value.name); } } } free(type_array); if(htmlprint) printf("
NumberName
%u%s
\n
\n"); target = RT_ROLE; item = RI_name; tid.role = 0; nr_roles = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_name, 0, NULL, NULL); error_exit(nr_roles); role_array = malloc(nr_roles * sizeof(__u32)); if(!role_array) { error_exit(-ENOMEM); } nr_roles = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_name, nr_roles, role_array, NULL); if(nr_roles > 0) qsort(role_array, nr_roles, sizeof(*role_array), rsbac_u32_void_compare); if(doprint) { printf("\nRoles\n=====\n%u Roles defined:\n", nr_roles); } else if(htmlprint) { printf("

%u Roles defined

\n", nr_roles); } for(j=0; j

Role %u: %s

\n\n", role_array[j], role_array[j], value.name); else printf("%s -V %u ROLE %u name \"%s\"\n", SETPROG, RSBAC_VERSION_NR, role_array[j], value.name); /* get role_comp number */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_role_comp, 0, NULL, NULL); if(sub_nr >= 0) { /* alloc with some extra room */ sub_nr += LISTROOM; sub_array = malloc(sub_nr * sizeof(__u32)); if(!sub_array) { error_exit(-ENOMEM); } ttl_array = malloc(sub_nr * sizeof(*ttl_array)); if(!ttl_array) { error_exit(-ENOMEM); } /* get values */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_role_comp, sub_nr, sub_array, ttl_array); if(sub_nr > 0) { if(doprint) printf("Compatible roles: "); else if(htmlprint) printf("\n"); } free(sub_array); } else if(errno != RSBAC_ENOTFOUND) show_error(sub_nr); /* get admin_roles number */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_admin_roles, 0, NULL, NULL); if(sub_nr >= 0) { /* alloc with some extra room */ sub_nr += LISTROOM; sub_array = malloc(sub_nr * sizeof(__u32)); if(!sub_array) { error_exit(-ENOMEM); } ttl_array = malloc(sub_nr * sizeof(*ttl_array)); if(!ttl_array) { error_exit(-ENOMEM); } /* get values */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_admin_roles, sub_nr, sub_array, ttl_array); if(sub_nr > 0) { if(doprint) printf("Administrated roles:"); else if(htmlprint) printf("\n"); } free(sub_array); } else if(errno != RSBAC_ENOTFOUND) show_error(sub_nr); /* get assign_roles number */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_assign_roles, 0, NULL, NULL); if(sub_nr >= 0) { /* alloc with some extra room */ sub_nr += LISTROOM; sub_array = malloc(sub_nr * sizeof(__u32)); if(!sub_array) { error_exit(-ENOMEM); } ttl_array = malloc(sub_nr * sizeof(*ttl_array)); if(!ttl_array) { error_exit(-ENOMEM); } /* get values */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_assign_roles, sub_nr, sub_array, ttl_array); if(sub_nr > 0) { if(doprint) printf("Assignable roles: "); else if(htmlprint) 
printf("\n"); } free(sub_array); } else if(errno != RSBAC_ENOTFOUND) show_error(sub_nr); res = rsbac_rc_get_item(ta_number, target, &tid, &tid, RI_admin_type, &value, NULL); if(!res) { if( (role_array[j]<3) || value.admin_type ) { if(doprint) printf("admin_type: %u\n", value.admin_type); else if(htmlprint) { if(value.admin_type == RC_role_admin) printf(""); else if(value.admin_type == RC_system_admin) printf(""); else printf(""); } else printf("%s -V %u ROLE %u admin_type %u\n", SETPROG, RSBAC_VERSION_NR, role_array[j], value.admin_type); } } else if(errno != RSBAC_ENOTFOUND) show_error(res); res = rsbac_rc_get_item(ta_number, target, &tid, &tid, RI_def_fd_create_type, &value, NULL); if(!res) { if(doprint) printf("def_fd_create_type: %u\n", value.type_id); else if(htmlprint) { printf("", value.type_id, value.type_id, print_type_name(tmp1, value.type_id, RI_type_fd_name)); } else printf("%s -V %u ROLE %u def_fd_create_type %u\n", SETPROG, RSBAC_VERSION_NR, role_array[j], value.type_id); } else if(errno != RSBAC_ENOTFOUND) show_error(res); /* get def_fd_ind_create_type number */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_def_fd_ind_create_type, 0, NULL, NULL); if(sub_nr >= 0) { /* alloc with some extra room */ sub_nr += LISTROOM; sub_array = malloc(sub_nr * sizeof(__u32)); if(!sub_array) { error_exit(-ENOMEM); } ttl_array = malloc(sub_nr * sizeof(*ttl_array)); if(!ttl_array) { error_exit(-ENOMEM); } /* get values */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_def_fd_ind_create_type, sub_nr, sub_array, ttl_array); if(sub_nr > 0) { union rsbac_rc_item_value_t value3; if(doprint) { if(printall) printf("def_fd_ind_create_type:\n"); else printf("def_fd_ind_create_type:"); } else if(htmlprint) { if(printall) printf("\n"); else printf("\n", sub_array[i], sub_array[i], value2.name, ttl_array[i], value.type_id, value.type_id, value3.name); else printf("\n", sub_array[i], sub_array[i], value2.name, ttl_array[i], value.type_id); } else printf("\n", 
sub_array[i], ttl_array[i], value.type_id); } else printf("%s -V %u -T %u ROLE %u def_fd_ind_create_type %u %u\n", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i], value.type_id); else if(doprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_fd_name, &value2, NULL); if(!res) { subtid.type = value.type_id; res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_fd_name, &value3, NULL); if(!res) printf(" %u (%s): %u (%s)\n", sub_array[i], value2.name, value.type_id, value3.name); else printf(" %u (%s): %u\n", sub_array[i], value2.name, value.type_id); } else printf(" %u: %u\n", sub_array[i], value.type_id); } else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_fd_name, &value2, NULL); if(!res) { subtid.type = value.type_id; res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_fd_name, &value3, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, value.type_id, value.type_id, value3.name); else printf("\n", sub_array[i], sub_array[i], value2.name, value.type_id); } else printf("%u\n", sub_array[i], value.type_id); } else printf("%s -V %u ROLE %u def_fd_ind_create_type %u %u\n", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i], value.type_id); } else if(ttl_array[i]) if(doprint) printf(" %u(ttl %us):%u", sub_array[i], ttl_array[i], value.type_id); else if(htmlprint) { subtid.type = sub_array[i]; res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_fd_name, &value3, NULL); printf(" %u(ttl %us):%u", sub_array[i], sub_array[i], ttl_array[i], value.type_id, value.type_id); } else printf("%s -V %u -T %u ROLE %u def_fd_ind_create_type %u %u\n", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i], value.type_id); else if(doprint) printf(" %u:%u", sub_array[i], value.type_id); else if(htmlprint) printf(" %u:%u", sub_array[i], sub_array[i], value.type_id, value.type_id); else printf("%s -V %u 
ROLE %u def_fd_ind_create_type %u %u\n", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i], value.type_id); } } if(!printall) { if(doprint) printf("\n"); else if(htmlprint) printf("\n"); } } free(sub_array); } else if(errno != RSBAC_ENOTFOUND) show_error(sub_nr); res = rsbac_rc_get_item(ta_number, target, &tid, &tid, RI_def_user_create_type, &value, NULL); if(!res) { if(doprint) printf("def_user_create_type: %u\n", value.type_id); else if(htmlprint) { printf("", value.type_id, value.type_id, print_type_name(tmp1, value.type_id, RI_type_user_name)); } else printf("%s -V %u ROLE %u def_user_create_type %u\n", SETPROG, RSBAC_VERSION_NR, role_array[j], value.type_id); } else if(errno != RSBAC_ENOTFOUND) show_error(res); res = rsbac_rc_get_item(ta_number, target, &tid, &tid, RI_def_process_create_type, &value, NULL); if(!res) { if(doprint) printf("def_process_create_type: %u\n", value.type_id); else if(htmlprint) { printf("", value.type_id, value.type_id, print_type_name(tmp1, value.type_id, RI_type_process_name)); } else printf("%s -V %u ROLE %u def_process_create_type %u\n", SETPROG, RSBAC_VERSION_NR, role_array[j], value.type_id); } else if(errno != RSBAC_ENOTFOUND) show_error(res); res = rsbac_rc_get_item(ta_number, target, &tid, &tid, RI_def_process_chown_type, &value, NULL); if(!res) { if(doprint) printf("def_process_chown_type: %u\n", value.type_id); else if(htmlprint) { printf("", value.type_id, value.type_id, print_type_name(tmp1, value.type_id, RI_type_process_name)); } else printf("%s -V %u ROLE %u def_process_chown_type %u\n", SETPROG, RSBAC_VERSION_NR, role_array[j], value.type_id); } else if(errno != RSBAC_ENOTFOUND) show_error(res); res = rsbac_rc_get_item(ta_number, target, &tid, &tid, RI_def_process_execute_type, &value, NULL); if(!res) { if(doprint) printf("def_process_execute_type: %u\n", value.type_id); else if(htmlprint) { printf("", value.type_id, value.type_id, print_type_name(tmp1, value.type_id, RI_type_process_name)); } else printf("%s -V 
%u ROLE %u def_process_execute_type %u\n", SETPROG, RSBAC_VERSION_NR, role_array[j], value.type_id); } else if(errno != RSBAC_ENOTFOUND) show_error(res); res = rsbac_rc_get_item(ta_number, target, &tid, &tid, RI_def_ipc_create_type, &value, NULL); if(!res) { if(doprint) printf("def_ipc_create_type: %u\n", value.type_id); else if(htmlprint) { printf("", value.type_id, value.type_id, print_type_name(tmp1, value.type_id, RI_type_ipc_name)); } else printf("%s -V %u ROLE %u def_ipc_create_type %u\n", SETPROG, RSBAC_VERSION_NR, role_array[j], value.type_id); } else if(errno != RSBAC_ENOTFOUND) show_error(res); res = rsbac_rc_get_item(ta_number, target, &tid, &tid, RI_def_group_create_type, &value, NULL); if(!res) { if(doprint) printf("def_group_create_type: %u\n", value.type_id); else if(htmlprint) { printf("", value.type_id, value.type_id, print_type_name(tmp1, value.type_id, RI_type_group_name)); } else printf("%s -V %u ROLE %u def_group_create_type %u\n", SETPROG, RSBAC_VERSION_NR, role_array[j], value.type_id); } else if(errno != RSBAC_ENOTFOUND) show_error(res); res = rsbac_rc_get_item(ta_number, target, &tid, &tid, RI_def_unixsock_create_type, &value, NULL); if(!res) { if(doprint) printf("def_unixsock_create_type: %u\n", value.type_id); else if(htmlprint) { printf("", value.type_id, value.type_id, print_type_name(tmp1, value.type_id, RI_type_netobj_name)); } else printf("%s -V %u ROLE %u def_unixsock_create_type %u\n", SETPROG, RSBAC_VERSION_NR, role_array[j], value.type_id); } else if(errno != RSBAC_ENOTFOUND) show_error(res); res = rsbac_rc_get_item(ta_number, target, &tid, &tid, RI_boot_role, &value, NULL); if(!res) { if(doprint) printf("boot_role: %u\n", value.boot_role); else if(htmlprint) { if(value.boot_role) printf(""); else printf(""); } else if( (role_array[j]<3) || value.boot_role ) printf("%s -V %u ROLE %u boot_role %u\n", SETPROG, RSBAC_VERSION_NR, role_array[j], value.boot_role); } else if(errno != RSBAC_ENOTFOUND) show_error(res); res = 
rsbac_rc_get_item(ta_number, target, &tid, &tid, RI_req_reauth, &value, NULL); if(!res) { if(doprint) printf("req_reauth: %u\n", value.req_reauth); else if(htmlprint) { if(value.req_reauth) printf(""); else printf(""); } else if( (role_array[j]<3) || value.req_reauth ) printf("%s -V %u ROLE %u req_reauth %u\n", SETPROG, RSBAC_VERSION_NR, role_array[j], value.req_reauth); } else if(errno != RSBAC_ENOTFOUND) show_error(res); if(htmlprint) printf("
Compatible roles"); qsort(sub_array, sub_nr, sizeof(*sub_array), rsbac_u32_void_compare); for (i=0; i%u(ttl %us)", sub_array[i], sub_array[i], ttl_array[i]); else printf("%s -V %u -T %u ROLE %u role_comp %u 1\n", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i]); else if(doprint) printf(" %u", sub_array[i]); else if(htmlprint) printf(" %u", sub_array[i], sub_array[i]); else printf("%s -V %u ROLE %u role_comp %u 1\n", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i]); } if(doprint) printf("\n"); else if(htmlprint) printf("
Admninistrated roles"); qsort(sub_array, sub_nr, sizeof(*sub_array), rsbac_u32_void_compare); for (i=0; i%u(ttl %us)", sub_array[i], sub_array[i], ttl_array[i]); else printf("%s -V %u -T %u ROLE %u admin_roles %u 1\n", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i]); else if(doprint) printf(" %u", sub_array[i]); else if(htmlprint) printf(" %u", sub_array[i], sub_array[i]); else printf("%s -V %u ROLE %u admin_roles %u 1\n", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i]); } if(doprint) printf("\n"); else if(htmlprint) printf("
Assignable roles"); qsort(sub_array, sub_nr, sizeof(*sub_array), rsbac_u32_void_compare); for (i=0; i%u(ttl %us)", sub_array[i], sub_array[i], ttl_array[i]); else printf("%s -V %u -T %u ROLE %u assign_roles %u 1\n", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i]); else if(doprint) printf(" %u", sub_array[i]); else if(htmlprint) printf(" %u", sub_array[i], sub_array[i]); else printf("%s -V %u ROLE %u assign_roles %u 1\n", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i]); } if(doprint) printf("\n"); else if(htmlprint) printf("
Admin TypeRole Admin
Admin TypeSystem Admin
Admin TypeNo Admin
Default FD Create Type%u (%s)
Default FD Ind Create TypeParent dir typeNew object type
Default FD Ind Create Type"); } qsort(sub_array, sub_nr, sizeof(*sub_array), rsbac_u32_void_compare); for (i=0; i%u (%s) (ttl %us)%u (%s)
%u (%s) (ttl %us)%u
%u (ttl %us)%u
%u (%s)%u (%s)
%u (%s)%u
%u
Default User Create Type%u (%s)
Default Process Create Type%u (%s)
Default Process Chown Type%u (%s)
Default Process Execute Type%u (%s)
Default IPC Create Type%u (%s)
Default Group Create Type%u (%s)
Default Unixsock Create Type%u (%s)
Boot RoleYes
Boot RoleNo
Req ReauthYes
Req ReauthNo
\n"); /* get type_comp_fd number */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_type_comp_fd, 0, NULL, NULL); if(sub_nr >= 0) { /* alloc with some extra room */ sub_nr += LISTROOM; sub_array = malloc(sub_nr * sizeof(__u32)); if(!sub_array) { error_exit(-ENOMEM); } ttl_array = malloc(sub_nr * sizeof(*ttl_array)); if(!ttl_array) { error_exit(-ENOMEM); } /* get values */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_type_comp_fd, sub_nr, sub_array, ttl_array); if(sub_nr > 0) { if(doprint) { printf("\nFD Type Compatibilities:\n"); } else if(htmlprint) printf("

FD Type Compatibilities:

\n\n"); qsort(sub_array, sub_nr, sizeof(*sub_array), rsbac_u32_void_compare); for (i=0; i"); } else print_rights(value.rights); printf("\n"); if(doprint) printf("\n"); } else if(ttl_array[i]) if(doprint) printf("%8u(ttl %us): %s\n", sub_array[i], ttl_array[i], u64tostrrcr(tmp1,value.rights)); else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_fd_name, &value2, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, ttl_array[i], print_html_bitstring(tmp1,value.rights)); else printf("\n", sub_array[i], sub_array[i], ttl_array[i], print_html_bitstring(tmp1,value.rights)); } else printf("%s -V %u -bT %u ROLE %u type_comp_fd %u %s\n", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i], u64tostrrcr(tmp1,value.rights)); else if(doprint) printf("%8u: %s\n", sub_array[i], u64tostrrcr(tmp1,value.rights)); else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_fd_name, &value2, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, print_html_bitstring(tmp1,value.rights)); else printf("\n", sub_array[i], sub_array[i], print_html_bitstring(tmp1,value.rights)); } else printf("%s -V %u -b ROLE %u type_comp_fd %u %s\n", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i], u64tostrrcr(tmp1,value.rights)); } } } if(htmlprint) printf("
%u (%s) (ttl %us)", sub_array[i], sub_array[i], value2.name, ttl_array[i]); else printf("
%u (ttl %us)", sub_array[i], sub_array[i], ttl_array[i]); } else printf("%s -V %u -T %u ROLE %u type_comp_fd %u", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i]); else if(doprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_fd_name, &value2, NULL); if(!res) printf(" %u (%s):", sub_array[i], value2.name); else printf(" %u:", sub_array[i]); } else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_fd_name, &value2, NULL); if(!res) printf("
%u (%s)", sub_array[i], sub_array[i], value2.name); else printf("
%u", sub_array[i], sub_array[i]); } else printf("%s -V %u ROLE %u type_comp_fd %u", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i]); if(htmlprint) { print_html_rights(value.rights, T_FD); printf("
%u (%s) (ttl %us)%s
%u(ttl %us)%s
%u (%s)%s
%u%s
\n"); } free(sub_array); } else if(errno != RSBAC_ENOTFOUND) show_error(sub_nr); /* get type_comp_dev number */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_type_comp_dev, 0, NULL, NULL); if(sub_nr >= 0) { /* alloc with some extra room */ sub_nr += LISTROOM; sub_array = malloc(sub_nr * sizeof(__u32)); if(!sub_array) { error_exit(-ENOMEM); } ttl_array = malloc(sub_nr * sizeof(*ttl_array)); if(!ttl_array) { error_exit(-ENOMEM); } /* get values */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_type_comp_dev, sub_nr, sub_array, ttl_array); if(sub_nr > 0) { if(doprint) printf("\nDEV Type Compatibilities:\n"); else if(htmlprint) printf("

DEV Type Compatibilities:

\n\n"); qsort(sub_array, sub_nr, sizeof(*sub_array), rsbac_u32_void_compare); for (i=0; i"); } else print_rights(value.rights); printf("\n"); if(doprint) printf("\n"); } else if(ttl_array[i]) if(doprint) printf("%8u(ttl %us): %s\n", sub_array[i], ttl_array[i], u64tostrrcr(tmp1,value.rights)); else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_dev_name, &value2, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, ttl_array[i], print_html_bitstring(tmp1,value.rights)); else printf("\n", sub_array[i], sub_array[i], ttl_array[i], print_html_bitstring(tmp1,value.rights)); } else printf("%s -V %u -bT %u ROLE %u type_comp_dev %u %s\n", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i], u64tostrrcr(tmp1,value.rights)); else if(doprint) printf("%8u: %s\n", sub_array[i], u64tostrrcr(tmp1,value.rights)); else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_dev_name, &value2, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, print_html_bitstring(tmp1,value.rights)); else printf("\n", sub_array[i], sub_array[i], print_html_bitstring(tmp1,value.rights)); } else printf("%s -V %u -b ROLE %u type_comp_dev %u %s\n", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i], u64tostrrcr(tmp1,value.rights)); } } } if(htmlprint) printf("
%u (%s) (ttl %us)", sub_array[i], sub_array[i], value2.name, ttl_array[i]); else printf("
%u (ttl %us)", sub_array[i], sub_array[i], ttl_array[i]); } else printf("%s -V %u -T %u ROLE %u type_comp_dev %u", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i]); else if(doprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_dev_name, &value2, NULL); if(!res) printf(" %u (%s):", sub_array[i], value2.name); else printf(" %u:", sub_array[i]); } else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_dev_name, &value2, NULL); if(!res) printf("
%u (%s)", sub_array[i], sub_array[i], value2.name); else printf("
%u", sub_array[i], sub_array[i]); } else printf("%s -V %u ROLE %u type_comp_dev %u", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i]); if(htmlprint) { print_html_rights(value.rights, T_DEV); printf("
%u (%s) (ttl %us)%s
%u(ttl %us)%s
%u (%s)%s
%u%s
\n"); } free(sub_array); } else if(errno != RSBAC_ENOTFOUND) show_error(sub_nr); /* get type_comp_ipc number */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_type_comp_ipc, 0, NULL, NULL); if(sub_nr >= 0) { /* alloc with some extra room */ sub_nr += LISTROOM; sub_array = malloc(sub_nr * sizeof(__u32)); if(!sub_array) { error_exit(-ENOMEM); } ttl_array = malloc(sub_nr * sizeof(*ttl_array)); if(!ttl_array) { error_exit(-ENOMEM); } /* get values */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_type_comp_ipc, sub_nr, sub_array, ttl_array); if(sub_nr > 0) { if(doprint) printf("\nIPC Type Compatibilities:\n"); else if(htmlprint) printf("

IPC Type Compatibilities:

\n\n"); qsort(sub_array, sub_nr, sizeof(*sub_array), rsbac_u32_void_compare); for (i=0; i"); } else print_rights(value.rights); printf("\n"); if(doprint) printf("\n"); } else if(ttl_array[i]) if(doprint) printf("%8u(ttl %us): %s\n", sub_array[i], ttl_array[i], u64tostrrcr(tmp1,value.rights)); else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_ipc_name, &value2, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, ttl_array[i], print_html_bitstring(tmp1,value.rights)); else printf("\n", sub_array[i], sub_array[i], ttl_array[i], print_html_bitstring(tmp1,value.rights)); } else printf("%s -V %u -bT %u ROLE %u type_comp_ipc %u %s\n", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i], u64tostrrcr(tmp1,value.rights)); else if(doprint) printf("%8u: %s\n", sub_array[i], u64tostrrcr(tmp1,value.rights)); else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_ipc_name, &value2, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, print_html_bitstring(tmp1,value.rights)); else printf("\n", sub_array[i], sub_array[i], print_html_bitstring(tmp1,value.rights)); } else printf("%s -V %u -b ROLE %u type_comp_ipc %u %s\n", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i], u64tostrrcr(tmp1,value.rights)); } } } if(htmlprint) printf("
%u (%s) (ttl %us)", sub_array[i], sub_array[i], value2.name, ttl_array[i]); else printf("
%u (ttl %us)", sub_array[i], sub_array[i], ttl_array[i]); } else printf("%s -V %u -T %u ROLE %u type_comp_ipc %u", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i]); else if(doprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_ipc_name, &value2, NULL); if(!res) printf(" %u (%s):", sub_array[i], value2.name); else printf(" %u:", sub_array[i]); } else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_ipc_name, &value2, NULL); if(!res) printf("
%u (%s)", sub_array[i], sub_array[i], value2.name); else printf("
%u", sub_array[i], sub_array[i]); } else printf("%s -V %u ROLE %u type_comp_ipc %u", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i]); if(htmlprint) { print_html_rights(value.rights, T_IPC); printf("
%u (%s) (ttl %us)%s
%u(ttl %us)%s
%u (%s)%s
%u%s
\n"); } free(sub_array); } else if(errno != RSBAC_ENOTFOUND) show_error(sub_nr); /* get type_comp_scd number */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_type_comp_scd, 0, NULL, NULL); if(sub_nr >= 0) { /* alloc with some extra room */ sub_nr += LISTROOM; sub_array = malloc(sub_nr * sizeof(__u32)); if(!sub_array) { error_exit(-ENOMEM); } ttl_array = malloc(sub_nr * sizeof(*ttl_array)); if(!ttl_array) { error_exit(-ENOMEM); } /* get values */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_type_comp_scd, sub_nr, sub_array, ttl_array); if(sub_nr > 0) { if(doprint) printf("\nSCD Type Compatibilities:\n"); else if(htmlprint) printf("

SCD Type Compatibilities:

\n\n"); qsort(sub_array, sub_nr, sizeof(*sub_array), rsbac_u32_void_compare); for (i=0; i"); } else print_rights(value.rights); printf("\n"); if(doprint) printf("\n"); } else if(ttl_array[i]) if(doprint) printf("%8u(ttl %us): %s\n", sub_array[i], ttl_array[i], u64tostrrcr(tmp1,value.rights)); else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_scd_name, &value2, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, ttl_array[i], print_html_bitstring(tmp1,value.rights)); else printf("\n", sub_array[i], sub_array[i], ttl_array[i], print_html_bitstring(tmp1,value.rights)); } else printf("%s -V %u -bT %u ROLE %u type_comp_scd %u %s\n", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i], u64tostrrcr(tmp1,value.rights)); else if(doprint) printf("%8u: %s\n", sub_array[i], u64tostrrcr(tmp1,value.rights)); else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_scd_name, &value2, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, print_html_bitstring(tmp1,value.rights)); else printf("\n", sub_array[i], sub_array[i], print_html_bitstring(tmp1,value.rights)); } else printf("%s -V %u -b ROLE %u type_comp_scd %u %s\n", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i], u64tostrrcr(tmp1,value.rights)); } } } if(htmlprint) printf("
%u (%s) (ttl %us)", sub_array[i], sub_array[i], value2.name, ttl_array[i]); else printf("
%u (ttl %us)", sub_array[i], sub_array[i], ttl_array[i]); } else printf("%s -V %u -T %u ROLE %u type_comp_scd %u", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i]); else if(doprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_scd_name, &value2, NULL); if(!res) printf(" %u (%s):", sub_array[i], value2.name); else printf(" %u:", sub_array[i]); } else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_scd_name, &value2, NULL); if(!res) printf("
%u (%s)", sub_array[i], sub_array[i], value2.name); else printf("
%u", sub_array[i], sub_array[i]); } else printf("%s -V %u ROLE %u type_comp_scd %u", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i]); if(htmlprint) { print_html_rights(value.rights, T_SCD); printf("
%u (%s) (ttl %us)%s
%u(ttl %us)%s
%u (%s)%s
%u%s
\n"); } free(sub_array); } else if(errno != RSBAC_ENOTFOUND) show_error(sub_nr); /* get type_comp_user number */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_type_comp_user, 0, NULL, NULL); if(sub_nr >= 0) { /* alloc with some extra room */ sub_nr += LISTROOM; sub_array = malloc(sub_nr * sizeof(__u32)); if(!sub_array) { error_exit(-ENOMEM); } ttl_array = malloc(sub_nr * sizeof(*ttl_array)); if(!ttl_array) { error_exit(-ENOMEM); } /* get values */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_type_comp_user, sub_nr, sub_array, ttl_array); if(sub_nr > 0) { if(doprint) printf("\nUSER Type Compatibilities:\n"); else if(htmlprint) printf("

USER Type Compatibilities:

\n\n"); qsort(sub_array, sub_nr, sizeof(*sub_array), rsbac_u32_void_compare); for (i=0; i"); } else print_rights(value.rights); printf("\n"); if(doprint) printf("\n"); } else if(ttl_array[i]) if(doprint) printf("%8u(ttl %us): %s\n", sub_array[i], ttl_array[i], u64tostrrcr(tmp1,value.rights)); else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_user_name, &value2, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, ttl_array[i], print_html_bitstring(tmp1,value.rights)); else printf("\n", sub_array[i], sub_array[i], ttl_array[i], print_html_bitstring(tmp1,value.rights)); } else printf("%s -V %u -bT %u ROLE %u type_comp_user %u %s\n", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i], u64tostrrcr(tmp1,value.rights)); else if(doprint) printf("%8u: %s\n", sub_array[i], u64tostrrcr(tmp1,value.rights)); else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_user_name, &value2, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, print_html_bitstring(tmp1,value.rights)); else printf("\n", sub_array[i], sub_array[i], print_html_bitstring(tmp1,value.rights)); } else printf("%s -V %u -b ROLE %u type_comp_user %u %s\n", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i], u64tostrrcr(tmp1,value.rights)); } } } if(htmlprint) printf("
%u (%s) (ttl %us)", sub_array[i], sub_array[i], value2.name, ttl_array[i]); else printf("
%u (ttl %us)", sub_array[i], sub_array[i], ttl_array[i]); } else printf("%s -V %u -T %u ROLE %u type_comp_user %u", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i]); else if(doprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_user_name, &value2, NULL); if(!res) printf(" %u (%s):", sub_array[i], value2.name); else printf(" %u:", sub_array[i]); } else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_user_name, &value2, NULL); if(!res) printf("
%u (%s)", sub_array[i], sub_array[i], value2.name); else printf("
%u", sub_array[i], sub_array[i]); } else printf("%s -V %u ROLE %u type_comp_user %u", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i]); if(htmlprint) { print_html_rights(value.rights, T_USER); printf("
%u (%s) (ttl %us)%s
%u(ttl %us)%s
%u (%s)%s
%u%s
\n"); } free(sub_array); } else if(errno != RSBAC_ENOTFOUND) show_error(sub_nr); /* get type_comp_process number */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_type_comp_process, 0, NULL, NULL); if(sub_nr >= 0) { /* alloc with some extra room */ sub_nr += LISTROOM; sub_array = malloc(sub_nr * sizeof(__u32)); if(!sub_array) { error_exit(-ENOMEM); } ttl_array = malloc(sub_nr * sizeof(*ttl_array)); if(!ttl_array) { error_exit(-ENOMEM); } /* get values */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_type_comp_process, sub_nr, sub_array, ttl_array); if(sub_nr > 0) { if(doprint) printf("\nPROCESS Type Compatibilities:\n"); else if(htmlprint) printf("

PROCESS Type Compatibilities:

\n\n"); qsort(sub_array, sub_nr, sizeof(*sub_array), rsbac_u32_void_compare); for (i=0; i"); } else print_rights(value.rights); printf("\n"); if(doprint) printf("\n"); } else if(ttl_array[i]) if(doprint) printf("%8u(ttl %us): %s\n", sub_array[i], ttl_array[i], u64tostrrcr(tmp1,value.rights)); else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_process_name, &value2, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, ttl_array[i], print_html_bitstring(tmp1,value.rights)); else printf("\n", sub_array[i], sub_array[i], ttl_array[i], print_html_bitstring(tmp1,value.rights)); } else printf("%s -V %u -bT %u ROLE %u type_comp_process %u %s\n", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i], u64tostrrcr(tmp1,value.rights)); else if(doprint) printf("%8u: %s\n", sub_array[i], u64tostrrcr(tmp1,value.rights)); else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_process_name, &value2, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, print_html_bitstring(tmp1,value.rights)); else printf("\n", sub_array[i], sub_array[i], print_html_bitstring(tmp1,value.rights)); } else printf("%s -V %u -b ROLE %u type_comp_process %u %s\n", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i], u64tostrrcr(tmp1,value.rights)); } } } if(htmlprint) printf("
%u (%s) (ttl %us)", sub_array[i], sub_array[i], value2.name, ttl_array[i]); else printf("
%u (ttl %us)", sub_array[i], sub_array[i], ttl_array[i]); } else printf("%s -V %u -T %u ROLE %u type_comp_process %u", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i]); else if(doprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_process_name, &value2, NULL); if(!res) printf(" %u (%s):", sub_array[i], value2.name); else printf(" %u:", sub_array[i]); } else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_process_name, &value2, NULL); if(!res) printf("
%u (%s)", sub_array[i], sub_array[i], value2.name); else printf("
%u", sub_array[i], sub_array[i]); } else printf("%s -V %u ROLE %u type_comp_process %u", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i]); if(htmlprint) { print_html_rights(value.rights, T_PROCESS); printf("
%u (%s) (ttl %us)%s
%u(ttl %us)%s
%u (%s)%s
%u%s
\n"); } free(sub_array); } else if(errno != RSBAC_ENOTFOUND) show_error(sub_nr); /* get type_comp_group number */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_type_comp_group, 0, NULL, NULL); if(sub_nr >= 0) { /* alloc with some extra room */ sub_nr += LISTROOM; sub_array = malloc(sub_nr * sizeof(__u32)); if(!sub_array) { error_exit(-ENOMEM); } ttl_array = malloc(sub_nr * sizeof(*ttl_array)); if(!ttl_array) { error_exit(-ENOMEM); } /* get values */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_type_comp_group, sub_nr, sub_array, ttl_array); if(sub_nr > 0) { if(doprint) printf("\nGROUP Type Compatibilities:\n"); else if(htmlprint) printf("

GROUP Type Compatibilities:

\n\n"); qsort(sub_array, sub_nr, sizeof(*sub_array), rsbac_u32_void_compare); for (i=0; i"); } else print_rights(value.rights); printf("\n"); if(doprint) printf("\n"); } else if(ttl_array[i]) if(doprint) printf("%8u(ttl %us): %s\n", sub_array[i], ttl_array[i], u64tostrrcr(tmp1,value.rights)); else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_group_name, &value2, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, ttl_array[i], print_html_bitstring(tmp1,value.rights)); else printf("\n", sub_array[i], sub_array[i], ttl_array[i], print_html_bitstring(tmp1,value.rights)); } else printf("%s -V %u -bT %u ROLE %u type_comp_group %u %s\n", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i], u64tostrrcr(tmp1,value.rights)); else if(doprint) printf("%8u: %s\n", sub_array[i], u64tostrrcr(tmp1,value.rights)); else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_group_name, &value2, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, print_html_bitstring(tmp1,value.rights)); else printf("\n", sub_array[i], sub_array[i], print_html_bitstring(tmp1,value.rights)); } else printf("%s -V %u -b ROLE %u type_comp_group %u %s\n", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i], u64tostrrcr(tmp1,value.rights)); } } } if(htmlprint) printf("
%u (%s) (ttl %us)", sub_array[i], sub_array[i], value2.name, ttl_array[i]); else printf("
%u (ttl %us)", sub_array[i], sub_array[i], ttl_array[i]); } else printf("%s -V %u -T %u ROLE %u type_comp_group %u", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i]); else if(doprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_group_name, &value2, NULL); if(!res) printf(" %u (%s):", sub_array[i], value2.name); else printf(" %u:", sub_array[i]); } else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_group_name, &value2, NULL); if(!res) printf("
%u (%s)", sub_array[i], sub_array[i], value2.name); else printf("
%u", sub_array[i], sub_array[i]); } else printf("%s -V %u ROLE %u type_comp_group %u", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i]); if(htmlprint) { print_html_rights(value.rights, T_GROUP); printf("
%u (%s) (ttl %us)%s
%u(ttl %us)%s
%u (%s)%s
%u%s
\n"); } free(sub_array); } else if(errno != RSBAC_ENOTFOUND) show_error(sub_nr); /* get type_comp_netdev number */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_type_comp_netdev, 0, NULL, NULL); if(sub_nr >= 0) { /* alloc with some extra room */ sub_nr += LISTROOM; sub_array = malloc(sub_nr * sizeof(__u32)); if(!sub_array) { error_exit(-ENOMEM); } ttl_array = malloc(sub_nr * sizeof(*ttl_array)); if(!ttl_array) { error_exit(-ENOMEM); } /* get values */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_type_comp_netdev, sub_nr, sub_array, ttl_array); if(sub_nr > 0) { if(doprint) printf("\nNETDEV Type Compatibilities:\n"); else if(htmlprint) printf("

NETDEV Type Compatibilities:

\n\n"); qsort(sub_array, sub_nr, sizeof(*sub_array), rsbac_u32_void_compare); for (i=0; i"); } else print_rights(value.rights); printf("\n"); if(doprint) printf("\n"); } else if(ttl_array[i]) if(doprint) printf("%8u(ttl %us): %s\n", sub_array[i], ttl_array[i], u64tostrrcr(tmp1,value.rights)); else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_netdev_name, &value2, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, ttl_array[i], print_html_bitstring(tmp1,value.rights)); else printf("\n", sub_array[i], sub_array[i], ttl_array[i], print_html_bitstring(tmp1,value.rights)); } else printf("%s -V %u -bT %u ROLE %u type_comp_netdev %u %s\n", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i], u64tostrrcr(tmp1,value.rights)); else if(doprint) printf("%8u: %s\n", sub_array[i], u64tostrrcr(tmp1,value.rights)); else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_netdev_name, &value2, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, print_html_bitstring(tmp1,value.rights)); else printf("\n", sub_array[i], sub_array[i], print_html_bitstring(tmp1,value.rights)); } else printf("%s -V %u -b ROLE %u type_comp_netdev %u %s\n", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i], u64tostrrcr(tmp1,value.rights)); } } } if(htmlprint) printf("
%u (%s) (ttl %us)", sub_array[i], sub_array[i], value2.name, ttl_array[i]); else printf("
%u (ttl %us)", sub_array[i], sub_array[i], ttl_array[i]); } else printf("%s -V %u -T %u ROLE %u type_comp_netdev %u", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i]); else if(doprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_netdev_name, &value2, NULL); if(!res) printf(" %u (%s):", sub_array[i], value2.name); else printf(" %u:", sub_array[i]); } else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_netdev_name, &value2, NULL); if(!res) printf("
%u (%s)", sub_array[i], sub_array[i], value2.name); else printf("
%u", sub_array[i], sub_array[i]); } else printf("%s -V %u ROLE %u type_comp_netdev %u", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i]); if(htmlprint) { print_html_rights(value.rights, T_NETDEV); printf("
%u (%s) (ttl %us)%s
%u(ttl %us)%s
%u (%s)%s
%u%s
\n"); } free(sub_array); } else if(errno != RSBAC_ENOTFOUND) show_error(sub_nr); /* get type_comp_nettemp number */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_type_comp_nettemp, 0, NULL, NULL); if(sub_nr >= 0) { /* alloc with some extra room */ sub_nr += LISTROOM; sub_array = malloc(sub_nr * sizeof(__u32)); if(!sub_array) { error_exit(-ENOMEM); } ttl_array = malloc(sub_nr * sizeof(*ttl_array)); if(!ttl_array) { error_exit(-ENOMEM); } /* get values */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_type_comp_nettemp, sub_nr, sub_array, ttl_array); if(sub_nr > 0) { if(doprint) printf("\nNETTEMP Type Compatibilities:\n"); else if(htmlprint) printf("

NETTEMP Type Compatibilities:

\n\n"); qsort(sub_array, sub_nr, sizeof(*sub_array), rsbac_u32_void_compare); for (i=0; i"); } else print_rights(value.rights); printf("\n"); if(doprint) printf("\n"); } else if(ttl_array[i]) if(doprint) printf("%8u(ttl %us): %s\n", sub_array[i], ttl_array[i], u64tostrrcr(tmp1,value.rights)); else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_nettemp_name, &value2, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, ttl_array[i], print_html_bitstring(tmp1,value.rights)); else printf("\n", sub_array[i], sub_array[i], ttl_array[i], print_html_bitstring(tmp1,value.rights)); } else printf("%s -V %u -bT %u ROLE %u type_comp_nettemp %u %s\n", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i], u64tostrrcr(tmp1,value.rights)); else if(doprint) printf("%8u: %s\n", sub_array[i], u64tostrrcr(tmp1,value.rights)); else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_nettemp_name, &value2, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, print_html_bitstring(tmp1,value.rights)); else printf("\n", sub_array[i], sub_array[i], print_html_bitstring(tmp1,value.rights)); } else printf("%s -V %u -b ROLE %u type_comp_nettemp %u %s\n", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i], u64tostrrcr(tmp1,value.rights)); } } } if(htmlprint) printf("
%u (%s) (ttl %us)", sub_array[i], sub_array[i], value2.name, ttl_array[i]); else printf("
%u (ttl %us)", sub_array[i], sub_array[i], ttl_array[i]); } else printf("%s -V %u -T %u ROLE %u type_comp_nettemp %u", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i]); else if(doprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_nettemp_name, &value2, NULL); if(!res) printf(" %u (%s):", sub_array[i], value2.name); else printf(" %u:", sub_array[i]); } else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_nettemp_name, &value2, NULL); if(!res) printf("
%u (%s)", sub_array[i], sub_array[i], value2.name); else printf("
%u", sub_array[i], sub_array[i]); } else printf("%s -V %u ROLE %u type_comp_nettemp %u", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i]); if(htmlprint) { print_html_rights(value.rights, T_NETTEMP); printf("
%u (%s) (ttl %us)%s
%u(ttl %us)%s
%u (%s)%s
%u%s
\n"); } free(sub_array); } else if(errno != RSBAC_ENOTFOUND) show_error(sub_nr); /* get type_comp_netobj number */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_type_comp_netobj, 0, NULL, NULL); if(sub_nr >= 0) { /* alloc with some extra room */ sub_nr += LISTROOM; sub_array = malloc(sub_nr * sizeof(__u32)); if(!sub_array) { error_exit(-ENOMEM); } ttl_array = malloc(sub_nr * sizeof(*ttl_array)); if(!ttl_array) { error_exit(-ENOMEM); } /* get values */ sub_nr = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, RI_type_comp_netobj, sub_nr, sub_array, ttl_array); if(sub_nr > 0) { if(doprint) printf("\nNETOBJ Type Compatibilities:\n"); else if(htmlprint) printf("

NETOBJ Type Compatibilities:

\n\n"); qsort(sub_array, sub_nr, sizeof(*sub_array), rsbac_u32_void_compare); for (i=0; i"); } else print_rights(value.rights); printf("\n"); if(doprint) printf("\n"); } else if(ttl_array[i]) if(doprint) printf("%8u(ttl %us): %s\n", sub_array[i], ttl_array[i], u64tostrrcr(tmp1,value.rights)); else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_netobj_name, &value2, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, ttl_array[i], print_html_bitstring(tmp1,value.rights)); else printf("\n", sub_array[i], sub_array[i], ttl_array[i], print_html_bitstring(tmp1,value.rights)); } else printf("%s -V %u -bT %u ROLE %u type_comp_netobj %u %s\n", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i], u64tostrrcr(tmp1,value.rights)); else if(doprint) printf("%8u: %s\n", sub_array[i], u64tostrrcr(tmp1,value.rights)); else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_netobj_name, &value2, NULL); if(!res) printf("\n", sub_array[i], sub_array[i], value2.name, print_html_bitstring(tmp1,value.rights)); else printf("\n", sub_array[i], sub_array[i], print_html_bitstring(tmp1,value.rights)); } else printf("%s -V %u -b ROLE %u type_comp_netobj %u %s\n", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i], u64tostrrcr(tmp1,value.rights)); } } } if(htmlprint) printf("
%u (%s) (ttl %us)", sub_array[i], sub_array[i], value2.name, ttl_array[i]); else printf("
%u (ttl %us)", sub_array[i], sub_array[i], ttl_array[i]); } else printf("%s -V %u -T %u ROLE %u type_comp_netobj %u", SETPROG, RSBAC_VERSION_NR, now + ttl_array[i], role_array[j], sub_array[i]); else if(doprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_netobj_name, &value2, NULL); if(!res) printf(" %u (%s):", sub_array[i], value2.name); else printf(" %u:", sub_array[i]); } else if(htmlprint) { res = rsbac_rc_get_item(ta_number, RT_TYPE, &subtid, &subtid, RI_type_netobj_name, &value2, NULL); if(!res) printf("
%u (%s)", sub_array[i], sub_array[i], value2.name); else printf("
%u", sub_array[i], sub_array[i]); } else printf("%s -V %u ROLE %u type_comp_netobj %u", SETPROG, RSBAC_VERSION_NR, role_array[j], sub_array[i]); if(htmlprint) { print_html_rights(value.rights, T_NETOBJ); printf("
%u (%s) (ttl %us)%s
%u(ttl %us)%s
%u (%s)%s
%u%s
\n"); } free(sub_array); } else if(errno != RSBAC_ENOTFOUND) show_error(sub_nr); } } else break; if(htmlprint) printf("
\n"); } if(htmlprint) { printf("RSBAC %s RC Configuration - Jump to top\n", RSBAC_VERSION); printf("\n\n"); } exit(0); } fprintf(stderr, gettext("Invalid parameter %s\n"), argv[1]); exit(1); break; case 3: if( !strcmp(argv[1],"list_def_fd_ind_create_types") || !strcmp(argv[1],"list_def_fd_ind_create_type_nr") || !strcmp(argv[1],"list_def_fd_ind_create_type_values") ) { __u32 * type_array; int nr_types; int show_values = FALSE; target = RT_ROLE; tid.role = strtoul(argv[2],0,10); item = RI_def_fd_ind_create_type; if( !strcmp(argv[1],"list_def_fd_ind_create_types") ) show_names = TRUE; else if( !strcmp(argv[1],"list_def_fd_ind_create_type_values") ) show_values = TRUE; nr_types = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, item, 0, NULL, NULL); if(nr_types < 0) { if((nr_types == -1) && (errno == RSBAC_ENOTFOUND)) exit(0); error_exit(nr_types); } nr_types += LISTROOM; type_array = malloc(nr_types * sizeof(__u32)); if(!type_array) { error_exit(-ENOMEM); } nr_types = rsbac_rc_get_list(ta_number, RT_ROLE, &tid, item, nr_types, type_array, NULL); if(verbose) { printf(gettext("%u types:\n"), nr_types); } for(j=0; j RC_role_max_value) { fprintf(stderr, gettext("Invalid subrole %s\n"), argv[4]); exit(1); } #endif } else { subtid.type = strtol(argv[4],0,10); if(subtid.type > RC_type_max_value) { fprintf(stderr, gettext("Invalid subtype %s\n"), argv[4]); exit(1); } } value.dummy = -1; res = rsbac_rc_get_item(ta_number, target, &tid, &subtid, item, &value, &ttl); error_exit(res); switch (item) { case RI_role_comp: case RI_admin_roles: case RI_assign_roles: if(verbose) { printf(gettext("Getting %s for ROLE %u to ROLE %u\n"), get_rc_item_name(tmp1, item), tid.role, subtid.role); } if(ttl) printf("%u (ttl: %us)\n", value.comp, ttl); else printf("%u\n", value.comp); break; case RI_def_fd_ind_create_type: if(verbose) { printf(gettext("Getting def_fd_ind_create_type for ROLE %u to TYPE %u\n"), tid.role, subtid.type); } if(ttl) printf("%u (ttl: %us)\n",value.type_id, ttl); else 
printf("%u\n",value.type_id); break; case RI_type_comp_fd: case RI_type_comp_dev: case RI_type_comp_user: case RI_type_comp_process: case RI_type_comp_ipc: case RI_type_comp_scd: case RI_type_comp_group: case RI_type_comp_netdev: case RI_type_comp_nettemp: case RI_type_comp_netobj: if(verbose) { printf(gettext("Getting %s rights for ROLE %u to TYPE %u\n"), get_rc_item_name(tmp1, item), tid.role, subtid.type); } if(ttl) printf("%s (ttl: %us)\n",u64tostrrcr(tmp1,value.rights), ttl); else printf("%s\n",u64tostrrcr(tmp1,value.rights)); if(printall) { for (i=0; i RC_type_max_value) ) { fprintf(stderr, gettext("Invalid comp_type %s\n"), argv[4]); exit(1); } rc_right = get_rc_special_right_nr(argv[5]); if( (rc_right == R_NONE) || (rc_right == RCR_NONE) ) { rc_right = strtol(argv[5],0,10); if( (rc_right >= RCR_NONE) || ( (rc_right == 0) && strcmp(argv[5],"0") ) ) { fprintf(stderr, gettext("Invalid right %s\n"), argv[4]); exit(1); } } value.dummy = -1; res = rsbac_rc_get_item(ta_number, target, &tid, &subtid, item, &value, &ttl); error_exit(res); switch (item) { case RI_type_comp_fd: case RI_type_comp_dev: case RI_type_comp_user: case RI_type_comp_process: case RI_type_comp_ipc: case RI_type_comp_scd: case RI_type_comp_group: case RI_type_comp_netdev: case RI_type_comp_nettemp: case RI_type_comp_netobj: if(ttl) { if(value.rights & RSBAC_RC_RIGHTS_VECTOR(rc_right)) printf("1 (ttl: %us)\n", ttl); else printf("0 (ttl: %us)\n", ttl); } else { if(value.rights & RSBAC_RC_RIGHTS_VECTOR(rc_right)) printf("1\n"); else printf("0\n"); } break; default: printf("ERROR!"); exit(1); } exit(0); break; default: use(); return 1; } exit(1); } rsbac-admin-1.4.0/main/tools/src/rsbac_usermod.c0000644000175000017500000005351511131371033021413 0ustar gauvaingauvain/*************************************************** */ /* Rule Set Based Access Control */ /* */ /* Author and (c) 1999-2008: Amon Ott */ /* */ /* Last modified: 18/Aug/2008 */ /*************************************************** */ 
#include #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" #ifdef HAVE_CONFIG_H #include "config.h" #endif char * progname; char password[RSBAC_MAXNAMELEN] = ""; rsbac_um_set_t vset = RSBAC_UM_VIRTUAL_KEEP; void use(void) { printf(gettext("%s (RSBAC %s)\n***\n"), progname, VERSION); printf(gettext("Use: %s [flags] username\n"), progname); printf(gettext(" -c comment = fullname or comment,\n")); printf(gettext(" -d dir = homedir of user,\n")); printf(gettext(" -g group = main / initial Linux group,\n")); printf(gettext(" -G group1[,group2,...] = add more Linux groups,\n")); printf(gettext(" -H group1[,group2,...] = remove Linux groups,\n")); printf(gettext(" -p password = password in plaintext,\n")); printf(gettext(" -P = disable password,\n")); printf(gettext(" -Q password = encrypted password (from backup),\n")); printf(gettext(" -s shell = user shell,\n")); printf(gettext(" -u name = change username,\n")); printf(gettext(" -n minchange-days = minimum days between password changes,\n")); printf(gettext(" -x maxchange-days = maximum days between password changes,\n")); printf(gettext(" -w warnchange-days = warning days before password must be changed,\n")); printf(gettext(" -f inactive-days = period between password expiry and account disabling,\n")); printf(gettext(" -e expire-days = days since 1/Jan/1970 when account gets disabled,\n")); printf(gettext(" -t = set relative time-to-live in secs (role/type comp, admin, assign only)\n")); printf(gettext(" -T = set absolute time-to-live in secs (role/type comp, admin, assign only)\n")); printf(gettext(" -D = set relative time-to-live in days (role/type comp, admin, assign only)\n")); printf(gettext(" -S n = virtual user set n\n")); printf(gettext(" -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n")); } int password_read(char * to, char * from) { char * f = from; char * t = to; char tmp[3]; int i; if(strlen(from) != 
RSBAC_UM_PASS_LEN * 2) { fprintf(stderr, "Wrong encrypted password length!\n"); return -RSBAC_EINVALIDVALUE; } tmp[2] = 0; while(f[0] && f[1]) { tmp[0] = f[0]; tmp[1] = f[1]; i = strtoul(tmp, 0, 16); if(i < 0 || i > 255) return -RSBAC_EINVALIDVALUE; *t = i; t++; f += 2; } return 0; } void mod_show_error(int res, char * item) { if(res < 0) { char tmp1[80]; fprintf(stderr, "%s: %s\n", item, get_error_name(tmp1,res)); } } int main(int argc, char ** argv) { int res = 0; rsbac_uid_t user; int verbose = 0; int err; union rsbac_um_mod_data_t data; char * full = NULL; char * dir = NULL; int do_pass = 0; char * pass = NULL; char * crypt_pass = NULL; char * shell = NULL; char * name = NULL; char * moregroups = NULL; char * lessgroups = NULL; int do_group = 0; rsbac_gid_t group = 0; int do_last = 0; rsbac_um_days_t last = 0; int do_min = 0; rsbac_um_days_t min = 0; int do_max = 0; rsbac_um_days_t max = 0; int do_warn = 0; rsbac_um_days_t warn = 0; int do_inactive = 0; rsbac_um_days_t inactive = 0; int do_expire = 0; rsbac_um_days_t expire = 0; int do_ttl = 0; rsbac_time_t ttl = 0; rsbac_list_ta_number_t ta_number = 0; int i; locale_init(); progname = argv[0]; { char * env = getenv("RSBAC_TA"); if(env) ta_number = strtoul(env,0,0); } while((argc > 1) && (argv[1][0] == '-')) { char * pos = argv[1]; pos++; while(*pos) { switch(*pos) { case 'h': use(); return 0; case 'v': verbose++; break; case 'c': if(argc > 2) { full=argv[2]; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'd': if(argc > 2) { dir=argv[2]; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'p': if(argc > 2) { pass=argv[2]; do_pass = 1; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'P': pass = NULL; do_pass = 1; break; case 'Q': if(argc > 2) { err = mlock(password, RSBAC_MAXNAMELEN); if (err) { 
fprintf(stderr, gettext("Unable to lock password into physical memory!\n")); } err = password_read(password, argv[2]); error_exit(err); crypt_pass = password; do_pass = 1; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 's': if(argc > 2) { shell=argv[2]; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'u': if(argc > 2) { name=argv[2]; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'g': if(argc > 2) { rsbac_gid_t tmp_group = RSBAC_GEN_GID(RSBAC_UM_VIRTUAL_KEEP, RSBAC_NO_GROUP); if(rsbac_get_gid_name(ta_number, &tmp_group, NULL, argv[2])) { fprintf(stderr, gettext("%s: Unknown group %s\n"), progname, argv[2]); return 1; } group = RSBAC_GID_NUM(tmp_group); do_group = 1; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'G': if(argc > 2) { moregroups = argv[2]; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'H': if(argc > 2) { lessgroups = argv[2]; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'l': if(argc > 2) { last = strtoul(argv[2],0,0); do_last = 1; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'n': if(argc > 2) { min = strtoul(argv[2],0,0); do_min = 1; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'x': // cannot be smaller than minchange - albeiro if(argc > 2) { max = strtoul(argv[2],0,0); do_max = 1; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'w': // warnchange should not be larger than maxchange is and less than 
minchange - albeiro if(argc > 2) { warn = strtoul(argv[2],0,0); do_warn = 1; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'i': case 'f': if(argc > 2) { inactive = strtoul(argv[2],0,0); do_inactive = 1; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 'e': // mayby additional sanity checks here for checking if date is not backward ? - albeiro if(argc > 2) { expire = strtoul(argv[2],0,0); do_expire = 1; argc--; argv++; } else fprintf(stderr, gettext("%s: missing argument for parameter %c\n"), progname, *pos); break; case 't': if(argc > 2) { ttl = strtoul(argv[2], 0, 10); do_ttl = 1; argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'D': if(argc > 2) { ttl = 86400 * strtoul(argv[2], 0, 10); do_ttl = 1; argc--; argv++; } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'T': if(argc > 2) { rsbac_time_t now = time(NULL); ttl = strtoul(argv[2], 0, 10); if(ttl > now) { ttl -= now; do_ttl = 1; argc--; argv++; } else { fprintf(stderr, gettext("%s: ttl value for parameter %c is in the past, exiting\n"), progname, *pos); exit(1); } } else fprintf(stderr, gettext("%s: missing ttl value for parameter %c\n"), progname, *pos); break; case 'N': if(argc > 2) { ta_number = strtoul(argv[2], 0, 10); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing transaction number value for parameter %c\n"), progname, *pos); exit(1); } break; case 'S': if(argc > 2) { if (rsbac_get_vset_num(argv[2], &vset)) { fprintf(stderr, gettext("%s: invalid virtual set number for parameter %c\n"), progname, *pos); exit(1); } user = RSBAC_GEN_UID(vset, user); argc--; argv++; } else { fprintf(stderr, gettext("%s: missing virtual set number for parameter %c\n"), progname, *pos); exit(1); } break; default: fprintf(stderr, gettext("%s: 
unknown parameter %c\n"), progname, *pos); exit(1); } pos++; } argv++; argc--; } if (argc > 1) { for(i=1; i< argc; i++) { user = RSBAC_GEN_UID(vset, RSBAC_NO_USER); if(rsbac_um_get_uid(ta_number, argv[i], &user)) { char * tmp_name = argv[i]; char * p = tmp_name; rsbac_um_set_t tmp_vset = vset; while (*p && (*p != '/')) p++; if (*p) { *p = 0; if (rsbac_get_vset_num(tmp_name, &tmp_vset)) { fprintf(stderr, gettext("%s: invalid virtual set number %s, skipping\n"), tmp_name); continue; } *p = '/'; p++; tmp_name = p; } user = strtoul(tmp_name, NULL, 0); if(!user && strcmp(tmp_name,"0")) { fprintf(stderr, gettext("%s: Unknown user %s\n"), progname, argv[i]); return 1; } user = RSBAC_GEN_UID(tmp_vset, user); } if(verbose) { printf("Modifying user %s, uid %u/%u\n", argv[i], RSBAC_UID_SET(user), RSBAC_UID_NUM(user)); } res = rsbac_um_get_user_item(ta_number, user, UM_name, &data); if(res) { fprintf(stderr, gettext("%s: Unknown user %s\n"), progname, argv[i]); exit(1); } if(full) { strncpy(data.string, full, RSBAC_MAXNAMELEN); data.string[RSBAC_MAXNAMELEN - 1] = 0; res = rsbac_um_mod_user(ta_number, user, UM_fullname, &data); mod_show_error(res, "Fullname"); } if(dir) { strncpy(data.string, dir, RSBAC_MAXNAMELEN); data.string[RSBAC_MAXNAMELEN - 1] = 0; res = rsbac_um_mod_user(ta_number, user, UM_homedir, &data); mod_show_error(res, "Homedir"); } if(do_pass) { res = mlock(&data, RSBAC_UM_PASS_LEN); if (res) { fprintf(stderr, gettext("Unable to lock password into physical memory, continue anyway!\n")); } if(crypt_pass) { memcpy(data.string, crypt_pass, RSBAC_UM_PASS_LEN); memset(crypt_pass, 0, RSBAC_UM_PASS_LEN); res = rsbac_um_mod_user(ta_number, user, UM_cryptpass, &data); memset(&data, 0, sizeof(data)); } else if(pass) { strncpy(data.string, pass, RSBAC_MAXNAMELEN); data.string[RSBAC_MAXNAMELEN - 1] = 0; memset(pass, 0, strlen(pass)); res = rsbac_um_mod_user(ta_number, user, UM_pass, &data); memset(&data, 0, sizeof(data)); } else res = rsbac_um_mod_user(ta_number, user, 
UM_pass, NULL); mod_show_error(res, "Password"); memset(data.string, 0, RSBAC_UM_PASS_LEN); munlock(data.string, RSBAC_UM_PASS_LEN); } if(shell) { strncpy(data.string, shell, RSBAC_MAXNAMELEN); data.string[RSBAC_MAXNAMELEN - 1] = 0; res = rsbac_um_mod_user(ta_number, user, UM_shell, &data); mod_show_error(res, "Shell"); } if(name) { strncpy(data.string, name, RSBAC_MAXNAMELEN); data.string[RSBAC_MAXNAMELEN - 1] = 0; res = rsbac_um_mod_user(ta_number, user, UM_name, &data); mod_show_error(res, "Username"); } if(do_group) { data.group = group; res = rsbac_um_mod_user(ta_number, user, UM_group, &data); mod_show_error(res, "Group"); } if(moregroups) { char * p; rsbac_gid_t group = RSBAC_GEN_GID(vset, RSBAC_NO_GROUP); p = moregroups; while(*moregroups) { while(*p && (*p != ',')) p++; if(*p) { *p = 0; if(rsbac_get_gid_name(ta_number, &group, NULL, moregroups)) { fprintf(stderr, gettext("%s: Invalid group %s\n"), progname, moregroups); group = RSBAC_GEN_GID(vset, RSBAC_NO_USER); } p++; moregroups = p; } else { if(rsbac_get_gid_name(ta_number, &group, NULL, moregroups)) { fprintf(stderr, gettext("%s: Invalid group %s\n"), progname, moregroups); group = RSBAC_GEN_GID(vset, RSBAC_NO_USER); } moregroups = p; } if(RSBAC_GID_NUM(group) != RSBAC_NO_USER) rsbac_um_add_gm(ta_number, user, RSBAC_GID_NUM(group), 0); } } if(lessgroups) { char * p; rsbac_gid_t group = RSBAC_GEN_GID(vset, RSBAC_NO_GROUP); p = lessgroups; while(*lessgroups) { while(*p && (*p != ',')) p++; if(*p) { *p = 0; if(rsbac_get_gid_name(ta_number, &group, NULL, lessgroups)) { fprintf(stderr, gettext("%s: Invalid group %s\n"), progname, lessgroups); group = RSBAC_GEN_GID(vset, RSBAC_NO_USER); } p++; lessgroups = p; } else { if(rsbac_get_gid_name(ta_number, &group, NULL, lessgroups)) { fprintf(stderr, gettext("%s: Invalid group %s\n"), progname, lessgroups); group = RSBAC_GEN_GID(vset, RSBAC_NO_USER); } lessgroups = p; } if(RSBAC_GID_NUM(group) != RSBAC_NO_USER) rsbac_um_remove_gm(ta_number, user, 
RSBAC_GID_NUM(group)); } } if(do_last) { data.days = last; res = rsbac_um_mod_user(ta_number, user, UM_lastchange, &data); mod_show_error(res, "Lastchange"); } if(do_min) { data.days = min; res = rsbac_um_mod_user(ta_number, user, UM_minchange, &data); mod_show_error(res, "Minchange"); } if(do_max) { data.days = max; res = rsbac_um_mod_user(ta_number, user, UM_maxchange, &data); mod_show_error(res, "Maxchange"); } if(do_warn) { data.days = warn; res = rsbac_um_mod_user(ta_number, user, UM_warnchange, &data); mod_show_error(res, "Warnchange"); } if(do_inactive) { data.days = inactive; res = rsbac_um_mod_user(ta_number, user, UM_inactive, &data); mod_show_error(res, "Inactive"); } if(do_expire) { data.days = expire; res = rsbac_um_mod_user(ta_number, user, UM_expire, &data); mod_show_error(res, "Expire"); } if(do_ttl) { data.ttl = ttl; res = rsbac_um_mod_user(ta_number, user, UM_ttl, &data); mod_show_error(res, "TTL"); } } exit(0); } else { use(); return 1; } return (res); } rsbac-admin-1.4.0/main/tools/module.mk0000644000175000017500000000405611131371033017442 0ustar gauvaingauvain
# module.mk -- inventory of the admin tools: their C sources, the binaries
# built from them, and the helper scripts shipped alongside.
# The variables defined here are consumed by an including Makefile that is
# not visible in this file (presumably its build/install rules; confirm there).

# Every C source under src/ (expanded once, at parse time).
FILES_TOOLS := $(wildcard src/*.c)

# Binaries built under src/, listed explicitly (the list is curated by hand,
# it is not derived from FILES_TOOLS).
PROGRAMS := $(addprefix src/, \
    rsbac_version \
    acl_grant \
    acl_group \
    acl_mask \
    acl_rights \
    acl_rm_user \
    acl_tlist \
    attr_back_dev \
    attr_back_fd \
    attr_back_user \
    attr_back_group \
    attr_back_net \
    attr_get_fd \
    attr_get_file_dir \
    attr_get_ipc \
    attr_get_process \
    attr_get_up \
    attr_get_net \
    attr_get_user \
    attr_get_group \
    attr_rm_fd \
    attr_rm_file_dir \
    attr_rm_user \
    attr_rm_group \
    attr_set_fd \
    attr_set_file_dir \
    attr_set_ipc \
    attr_set_process \
    attr_set_up \
    attr_set_net \
    attr_set_user \
    attr_set_group \
    auth_back_cap \
    auth_set_cap \
    get_attribute_name \
    get_attribute_nr \
    mac_wrap \
    mac_get_levels \
    mac_set_trusted \
    mac_back_trusted \
    pm_create \
    pm_ct_exec \
    daz_flush \
    rc_copy_role \
    rc_copy_type \
    rc_get_eff_rights_fd \
    rc_get_item \
    rc_role_wrap \
    rc_set_item \
    rc_get_current_role \
    rc_create_file \
    rsbac_check \
    rsbac_pm \
    rsbac_stats \
    rsbac_stats_pm \
    rsbac_write \
    switch_adf_log \
    switch_module \
    net_temp \
    linux2acl \
    rsbac_jail \
    rsbac_init \
    rsbac_useradd \
    rsbac_usermod \
    rsbac_userdel \
    rsbac_usershow \
    rsbac_groupadd \
    rsbac_groupmod \
    rsbac_groupdel \
    rsbac_groupshow \
    rsbac_passwd \
    rsbac_gpasswd \
    rsbac_list_ta \
    rsbac_auth)

# Shell/menu scripts under src/scripts/, installed next to the binaries.
SCRIPTS := $(addprefix src/scripts/, \
    backup_all \
    backup_all_1.1.2 \
    rsbac_acl_group_menu \
    rsbac_acl_menu \
    rsbac_dev_menu \
    rsbac_fd_menu \
    rsbac_menu \
    rsbac_process_menu \
    rsbac_rc_role_menu \
    rsbac_rc_type_menu \
    rsbac_user_menu \
    rsbac_group_menu \
    rsbac_settings_menu \
    rsbac_netdev_menu \
    rsbac_nettemp_menu \
    rsbac_nettemp_def_menu \
    user_aci.sh)

# rsbac_login is the only tool kept out of PROGS_USR_BIN; it gets its own
# variable, so the including Makefile can treat it differently.
PROGS_BIN := src/rsbac_login

# Appended with +=, so anything the including Makefile already placed in
# PROGS_USR_BIN is preserved rather than overwritten.
PROGS_USR_BIN += $(PROGRAMS) $(SCRIPTS)
rsbac-admin-1.4.0/main/tools/po/0000755000175000017500000000000011131371034016242 5ustar gauvaingauvainrsbac-admin-1.4.0/main/tools/po/ru.po0000644000175000017500000032466511131371033017243 0ustar gauvaingauvain# Russian RSBAC messages. # Copyright (C) 2000-2001 Free Software Foundation, Inc. # Stanislav Ievlev , 2000-2004.
# msgid "" msgstr "" "Project-Id-Version: RSBAC v1.2.3\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2005-08-26 09:09+0000\n" "PO-Revision-Date: 2000-12-13 15:40+0300\n" "Last-Translator: Ievlev Stanislav \n" "Language-Team: Russian\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=koi8-r\n" "Content-Transfer-Encoding: 8bit\n" #: src/acl_grant.c:49 src/acl_group.c:33 src/acl_mask.c:49 src/acl_rights.c:46 #: src/acl_rm_user.c:26 src/acl_tlist.c:49 src/attr_back_dev.c:51 #: src/attr_back_fd.c:73 src/attr_back_group.c:48 src/attr_back_net.c:59 #: src/attr_back_user.c:73 src/attr_get_fd.c:39 src/attr_get_file_dir.c:29 #: src/attr_get_group.c:29 src/attr_get_ipc.c:31 src/attr_get_net.c:42 #: src/attr_get_process.c:31 src/attr_get_up.c:26 src/attr_get_user.c:29 #: src/attr_rm_fd.c:37 src/attr_rm_file_dir.c:27 src/attr_rm_group.c:26 #: src/attr_rm_user.c:26 src/attr_set_fd.c:39 src/attr_set_file_dir.c:27 #: src/attr_set_group.c:27 src/attr_set_ipc.c:31 src/attr_set_net.c:41 #: src/attr_set_process.c:30 src/attr_set_up.c:26 src/attr_set_user.c:27 #: src/auth_back_cap.c:41 src/auth_set_cap.c:30 src/get_attribute_name.c:35 #: src/get_attribute_nr.c:31 src/linux2acl.c:60 src/mac_back_trusted.c:40 #: src/mac_back_trusted.c:234 src/mac_get_levels.c:27 src/mac_set_trusted.c:30 #: src/mac_wrap.c:26 src/net_temp.c:40 src/pm_create.c:24 src/pm_ct_exec.c:40 #: src/rc_get_eff_rights_fd.c:38 src/rc_get_item.c:33 src/rc_role_wrap.c:27 #: src/rc_set_item.c:30 src/rsbac_check.c:41 src/rsbac_gpasswd.c:27 #: src/rsbac_groupadd.c:36 src/rsbac_groupdel.c:29 src/rsbac_groupmod.c:29 #: src/rsbac_groupshow.c:36 src/rsbac_init.c:37 src/rsbac_jail.c:28 #: src/rsbac_list_ta.c:25 src/rsbac_login.c:68 src/rsbac_passwd.c:58 #: src/rsbac_pm.c:31 src/rsbac_pm.c:59 src/rsbac_useradd.c:49 #: src/rsbac_userdel.c:30 src/rsbac_usermod.c:29 src/rsbac_usershow.c:38 #: src/switch_adf_log.c:27 src/switch_module.c:28 #, c-format msgid "" "%s (RSBAC %s)\n" "***\n" msgstr "" #: src/acl_grant.c:50 #, 
c-format msgid "" "Use: %s [switches] subj_type subj_id [rights] target-type file/dirname(s)\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ËÌÀÞÉ] ÔÉÐ-ÓÕÂßÅËÔÁ id-ÓÕÂßÅËÔÁ [ÐÒÁ×Á] ÔÉÐ-ÏÂßÅËÔÁ ÆÁÊÌ/" "ËÁÔÁÌÏÇ\n" #: src/acl_grant.c:51 #, c-format msgid " -v = verbose, -r = recurse into subdirs,\n" msgstr " -v = ÐÏÄÒÏÂÎÏ, -r = ÒÅËÕÒÓÉ×ÎÏ ÐÏ ÐÏÄËÁÔÁÌÏÇÁÍ,\n" #: src/acl_grant.c:52 #, c-format msgid " -p = print right names, -s = set rights, not add\n" msgstr " -p = ×Ù×ÏÄÉÔØ ÉÍÅÎÁ ÐÒÁ×, -s = ÕÓÔÁÎÁ×ÌÉ×ÁÔØ ÐÒÁ×Á, ÎÅ ÄÏÂÁ×ÌÑÔØ\n" #: src/acl_grant.c:53 #, c-format msgid " -k = revoke rights, not add, -m remove entry (set back to inherit)\n" msgstr "" " -k = ÕÄÁÌÑÔØ ÐÒÁ×Á, ÎÅ ÄÏÂÁ×ÌÑÔØ, -m ÕÄÁÌÉÔØ ÚÁÐÉÓØ (ÕÓÔÁÎÏ×ÉÔØ × ÒÅÖ. " "ÎÁÓÌÅÄÏ×ÁÎÉÑ)\n" #: src/acl_grant.c:54 #, c-format msgid " -b = expect rights as bitstring, -n = list valid SCD names\n" msgstr "" " -b = ÐÒÁ×Á × ×ÉÄÅ ÂÉÔÏ×ÏÊ ÓÔÒÏËÉ, -n = ÓÐÉÓÏË ÄÅÊÓÔ×ÉÔÅÌØÎÙÈ ÉͣΠÏÂßÅËÔÏ× " "SCD \n" #: src/acl_grant.c:55 #, c-format msgid " -d = numeric device specification ({b|c}major[:minor])\n" msgstr "" #: src/acl_grant.c:56 #, c-format msgid " -u, -g, -l = shortcuts for USER, GROUP and ROLE\n" msgstr " -u, -g, -l = ÓÉÎÏÎÉÍÙ USER, GROUP and ROLE\n" #: src/acl_grant.c:57 #, c-format msgid "" " -t = set relative time-to-live for this trustee in seconds (add and set " "only)\n" msgstr "" " -t = ÕÓÔÁÎÏ×ÉÔØ ÏÔÎÏÓÉÔÅÌØÎÏÅ ×ÒÅÍÑ ÖÉÚÎÉ ÄÌÑ ÜÔÏÊ ÚÁÐÉÓÉ × ÓÅËÕÎÄÁÈ" "(ÄÏÂÁ×ÉÔØ É ÔÏÌØËÏ ÕÓÔÁÎÏ×ÉÔØ)\n" #: src/acl_grant.c:58 #, c-format msgid "" " -T = set absolute time-to-live for this trustee in seconds (add and set " "only)\n" msgstr "" " -T = ÕÓÔÁÎÏ×ÉÔØ ÁÂÓÏÌÀÔÎÏÅ ×ÒÅÍÑ ÖÉÚÎÉ ÄÌÑ ÜÔÏÊ ÚÁÐÉÓÉ × ÓÅËÕÎÄÁÈ " "(ÄÏÂÁ×ÉÔØ É ÔÏÌØËÏ ÕÓÔÁÎÏ×ÉÔØ)\n" #: src/acl_grant.c:59 #, c-format msgid "" " -D = set relative time-to-live for this trustee in days (add and set " "only)\n" msgstr "" " -D = ÕÓÔÁÎÏ×ÉÔØ ÏÔÎÏÓÉÔÅÌØÎÏÅ ×ÒÅÍÑ ÖÉÚÎÉ ÄÌÑ ÜÔÏÊ ÚÁÐÉÓÉ × ÄÎÑÈ (ÄÏÂÁ×ÉÔØ " "É ÔÏÌØËÏ ÕÓÔÁÎÏ×ÉÔØ)\n" #: src/acl_grant.c:60 src/acl_group.c:41 src/switch_adf_log.c:34 #, c-format msgid 
" -V version = supply RSBAC integer version number for upgrading\n" msgstr " -V version = ÉÓÐÏÌØÚÏ×ÁÔØ ÕËÁÚÁÎÎÕÀ ×ÅÒÓÉÀ RSBAC ÄÌÑ ÏÂÎÏ×ÌÅÎÉÑ\n" #: src/acl_grant.c:61 src/acl_group.c:42 #, c-format msgid "" " -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n" msgstr "" #: src/acl_grant.c:62 #, c-format msgid " subj_type = USER, GROUP or ROLE,\n" msgstr " ÔÉÐ-ÓÕÂßÅËÔÁ = USER, GROUP or ROLE,\n" #: src/acl_grant.c:63 #, c-format msgid " subj_id = user name or id number,\n" msgstr " id-ÓÕÂßÅËÔÁ = ÉÍÑ ÐÏÌØÚÏ×ÁÔÅÌÑ ÉÌÉ ÉÄÅÎÔÉÆ. ÎÏÍÅÒ,\n" #: src/acl_grant.c:64 src/acl_mask.c:58 #, c-format msgid "" " rights = list of space-separated right names (requests and ACL specials),\n" msgstr "" " rights = ÓÐÉÓÏË ÐÒÁ×, ÒÁÚÄÅÌ£ÎÎÙÈ ÐÒÏÂÅÌÁÍÉ (ÚÁÐÒÏÓÙ É ACL-ÓÐÅÃÉÆÉÞÎÙÅ),\n" #: src/acl_grant.c:65 #, c-format msgid "" " also request groups R (read requests), RW (read-write), W (write)\n" msgstr "" " ÔÁËÖÅ ÇÒÕÐÐÙ ÚÁÐÒÏÓÏ× R (ÎÁ ÞÔÅÎÉÅ), RW (ÎÁ ÞÔÅÎÉÅ-ÚÁÐÉÓØ), W (ÎÁ " "ÚÁÐÉÓØ)\n" #: src/acl_grant.c:66 src/acl_mask.c:60 #, c-format msgid " SY (system), SE (security), A (all)\n" msgstr " SY (ÓÉÓÔÅÍÎÙÅ), SE (ÂÅÚÏÐÁÓÎÏÓÔØ), A (×ÓÅ)\n" #: src/acl_grant.c:67 src/acl_mask.c:61 #, c-format msgid " S (ACL special rights)\n" msgstr " S (ÓÐÅÃÉÁÌØÎÙÅ ÐÒÁ×Á ACL)\n" #: src/acl_grant.c:68 src/acl_mask.c:62 #, c-format msgid "" " and NWx with x = S R W C E A F M (similar to well-known network " "system)\n" msgstr "" " É NWx with x = S R W C E A F M (ÔÏÖÅ ÓÁÍÏÅ ÄÌÑ ÓÅÔÅ×ÏÊ ÐÏÄÓÉÓÔÅÍÙ)\n" # #: src/acl_grant.c:69 src/acl_tlist.c:59 #, c-format msgid "" " target-type = FILE, DIR, FIFO, SYMLINK, DEV, IPC, SCD, USER, PROCESS, " "NETDEV,\n" msgstr "" " ÔÉÐ-ÏÂßÅËÔÁ = FILE, DIR, FIFO, SYMLINK, DEV, IPC, SCD, USER, PROCESS, " "NETDEV,\n" #: src/acl_grant.c:70 src/acl_mask.c:64 src/acl_tlist.c:60 #, c-format msgid " NETTEMP_NT, NETTEMP, NETOBJ or FD\n" msgstr " NETTEMP_NT, NETTEMP, NETOBJ ÉÌÉ FD\n" #: src/acl_grant.c:71 src/acl_mask.c:65 src/acl_rights.c:59 src/acl_tlist.c:61 #, c-format 
msgid " (FD: let %s decide between FILE, DIR, FIFO and SYMLINK, no DEV),\n" msgstr " (FD: %s ×ÙÂÉÒÁÔØ ÉÚ FILE, DIR, FIFO É SYMLINK, ÎÏ ÎÅ DEV),\n" #: src/acl_grant.c:72 src/acl_tlist.c:62 #, c-format msgid " (IPC, USER, PROCESS: only :DEFAULT:\n" msgstr " (IPC, USER, PROCESS: ÔÏÌØËÏ :DEFAULT:\n" #: src/acl_grant.c:73 src/acl_rights.c:61 src/acl_tlist.c:63 #, c-format msgid " (NETTEMP: no :DEFAULT:\n" msgstr " (NETTEMP: ÎÅ :DEFAULT:\n" #: src/acl_grant.c:74 src/acl_rights.c:62 src/acl_tlist.c:64 #, c-format msgid "- Use name :DEFAULT: for default ACL\n" msgstr "- éÓÐÏÌØÚÏ×ÁÔØ :DEFAULT: ÄÌÑ ÐÁÒÁÍÅÔÒÏ× ACL ÐÏ-ÕÍÏÌÞÁÎÉÀ\n" #: src/acl_grant.c:133 src/acl_mask.c:127 src/acl_mask.c:210 #: src/acl_rights.c:121 src/acl_rights.c:190 src/acl_tlist.c:126 #: src/acl_tlist.c:203 #, c-format msgid "Invalid target %u for %s, skipped!\n" msgstr "îÅ×ÅÒÎÙÊ ÏÂßÅËÔ %u ÄÌÑ %s, ÐÒÏÐÕÝÅÎÏ!\n" #: src/acl_grant.c:138 #, c-format msgid "Processing default %s '%s'\n" msgstr "ïÂÒÁÂÏÔËÁ ÐÏ-ÕÍÏÌÞÁÎÉÀ %s '%s'\n" #: src/acl_grant.c:158 src/acl_mask.c:152 src/acl_rights.c:142 #: src/acl_tlist.c:151 #, fuzzy, c-format msgid "%s is no valid device specification, skipped\n" msgstr "%s ÎÅ×ÅÒÎÏÅ ÎÁÚ×ÁÎÉÅ SCD, ÐÒÏÐÕÝÅÎÏ\n" #: src/acl_grant.c:167 src/acl_mask.c:165 src/acl_rights.c:154 #: src/acl_tlist.c:164 #, c-format msgid "%s is no valid SCD name, skipped\n" msgstr "%s ÎÅ×ÅÒÎÏÅ ÎÁÚ×ÁÎÉÅ SCD, ÐÒÏÐÕÝÅÎÏ\n" #: src/acl_grant.c:175 src/acl_grant.c:455 src/acl_group.c:247 #: src/acl_group.c:398 src/acl_group.c:429 src/acl_group.c:456 #: src/acl_mask.c:174 src/acl_rights.c:162 src/acl_rm_user.c:94 #: src/acl_tlist.c:173 src/attr_back_user.c:444 src/attr_back_user.c:468 #: src/attr_get_user.c:147 src/attr_get_user.c:258 src/attr_get_user.c:374 #: src/attr_set_user.c:175 src/attr_set_user.c:346 src/attr_set_user.c:453 #: src/attr_set_user.c:581 src/auth_set_cap.c:214 src/auth_set_cap.c:222 #: src/mac_set_trusted.c:192 src/rsbac_list_ta.c:90 #, c-format msgid "%s: Invalid User %s!\n" msgstr "%s: îÅ×ÅÒÎÙÊ 
ÐÏÌØÚÏ×ÁÔÅÌØ %s!\n" #: src/acl_grant.c:183 src/acl_mask.c:184 src/acl_rights.c:170 #: src/acl_tlist.c:183 src/attr_back_group.c:274 src/attr_back_group.c:298 #: src/attr_get_group.c:143 src/attr_get_group.c:214 src/attr_get_user.c:240 #: src/attr_set_group.c:182 #, fuzzy, c-format msgid "%s: Invalid Group %s!\n" msgstr "%s: îÅ×ÅÒÎÙÊ ÐÏÌØÚÏ×ÁÔÅÌØ %s!\n" #: src/acl_grant.c:203 #, c-format msgid "Invalid target type %u for %s, skipped!\n" msgstr "îÅ×ÅÒÎÙÊ ÔÉÐ ÏÂßÅËÔÁ %u ÄÌÑ %s, ÐÒÏÐÕÝÅÎÏ!\n" #: src/acl_grant.c:208 src/acl_rights.c:196 src/rc_get_eff_rights_fd.c:56 #, c-format msgid "Processing %s '%s'\n" msgstr "ïÂÒÁÂÁÔÙ×ÁÅÔÓÑ %s '%s'\n" #: src/acl_grant.c:252 src/acl_mask.c:289 src/acl_mask.c:291 #: src/acl_rights.c:235 src/acl_tlist.c:246 src/attr_rm_fd.c:61 #: src/attr_rm_file_dir.c:103 src/attr_set_fd.c:71 #: src/rc_get_eff_rights_fd.c:63 #, c-format msgid "%s: error: %s\n" msgstr "%s: ÏÛÉÂËÁ: %s\n" #: src/acl_grant.c:268 src/acl_mask.c:373 src/acl_rights.c:290 #: src/acl_tlist.c:401 src/attr_back_dev.c:206 src/attr_back_fd.c:279 #: src/attr_get_fd.c:141 src/attr_rm_fd.c:77 src/attr_set_fd.c:87 #: src/auth_back_cap.c:373 src/linux2acl.c:765 src/mac_back_trusted.c:108 #: src/rc_get_eff_rights_fd.c:95 #, c-format msgid "opendir for dir %s returned error: %s\n" msgstr "opendir() ÄÌÑ ËÁÔÁÌÏÇÁ %s ×ÅÒÎÕÌ ÏÛÉÂËÕ: %s\n" #: src/acl_grant.c:371 src/acl_grant.c:381 src/acl_grant.c:402 #: src/acl_group.c:133 src/acl_group.c:143 src/acl_group.c:164 #: src/auth_set_cap.c:123 src/auth_set_cap.c:133 src/auth_set_cap.c:154 #: src/mac_set_trusted.c:101 src/mac_set_trusted.c:111 #: src/mac_set_trusted.c:132 src/rc_set_item.c:128 src/rc_set_item.c:138 #: src/rc_set_item.c:159 src/rsbac_groupadd.c:213 src/rsbac_groupadd.c:223 #: src/rsbac_groupadd.c:244 src/rsbac_groupmod.c:166 src/rsbac_groupmod.c:177 #: src/rsbac_groupmod.c:199 src/rsbac_list_ta.c:73 src/rsbac_useradd.c:646 #: src/rsbac_useradd.c:656 src/rsbac_useradd.c:677 src/rsbac_usermod.c:324 #: src/rsbac_usermod.c:335 
src/rsbac_usermod.c:357 #, c-format msgid "%s: missing ttl value for parameter %c\n" msgstr "%s: ÏÔÓÕÔÓÔ×ÕÅÔ ÚÎÁÞÅÎÉÅ TTL(×ÒÅÍÑ ÖÉÚÎÉ) ÄÌÑ ÐÁÒÁÍÅÔÒÁ %c\n" #: src/acl_grant.c:397 src/acl_group.c:159 src/auth_set_cap.c:149 #: src/mac_set_trusted.c:127 src/rc_set_item.c:154 src/rsbac_groupadd.c:239 #: src/rsbac_groupmod.c:194 src/rsbac_useradd.c:672 src/rsbac_usermod.c:352 #, c-format msgid "%s: ttl value for parameter %c is in the past, exiting\n" msgstr "%s: ÚÎÁÞÅÎÉÅ TTL(×ÒÅÍÑ ÖÉÚÎÉ) ÄÌÑ ÐÁÒÁÍÅÔÒÁ %c × ÐÒÏÛÌÏÍ, ×ÙÈÏÖÕ\n" #: src/acl_grant.c:407 src/acl_group.c:169 src/acl_mask.c:461 #: src/attr_set_fd.c:184 src/attr_set_file_dir.c:143 src/attr_set_group.c:123 #: src/attr_set_net.c:288 src/attr_set_up.c:110 src/attr_set_user.c:123 #: src/auth_set_cap.c:159 src/mac_set_trusted.c:137 src/net_temp.c:268 #: src/rc_set_item.c:201 src/switch_adf_log.c:119 #, c-format msgid "%s: no version number for switch V\n" msgstr "%s: ÎÅ ÕËÁÚÁÎÁ ×ÅÒÓÉÑ ÄÌÑ ÄÌÑ ËÌÀÞÁ V\n" #: src/acl_grant.c:423 src/acl_group.c:185 src/acl_mask.c:477 #: src/acl_rights.c:489 src/acl_rm_user.c:72 src/acl_tlist.c:491 #: src/attr_back_dev.c:303 src/attr_back_fd.c:398 src/attr_back_group.c:192 #: src/attr_back_net.c:311 src/attr_back_user.c:325 src/attr_get_fd.c:249 #: src/attr_get_file_dir.c:198 src/attr_get_group.c:185 src/attr_get_ipc.c:90 #: src/attr_get_net.c:317 src/attr_get_process.c:115 src/attr_get_up.c:117 #: src/attr_get_user.c:208 src/attr_rm_fd.c:138 src/attr_rm_file_dir.c:74 #: src/attr_rm_group.c:67 src/attr_rm_user.c:67 src/attr_set_fd.c:200 #: src/attr_set_file_dir.c:159 src/attr_set_group.c:139 src/attr_set_ipc.c:89 #: src/attr_set_net.c:304 src/attr_set_process.c:126 src/attr_set_up.c:126 #: src/attr_set_user.c:139 src/auth_back_cap.c:466 src/auth_set_cap.c:175 #: src/mac_back_trusted.c:190 src/mac_set_trusted.c:153 src/net_temp.c:284 #: src/rc_copy_role.c:66 src/rc_copy_type.c:68 src/rc_get_eff_rights_fd.c:159 #: src/rc_get_item.c:256 src/rc_set_item.c:217 src/rsbac_gpasswd.c:122 #: 
src/rsbac_groupadd.c:255 src/rsbac_groupdel.c:99 src/rsbac_groupmod.c:210 #: src/rsbac_groupshow.c:239 src/rsbac_list_ta.c:108 src/rsbac_pm.c:117 #: src/rsbac_useradd.c:688 src/rsbac_userdel.c:136 src/rsbac_usermod.c:368 #: src/rsbac_usershow.c:371 #, fuzzy, c-format msgid "%s: missing transaction number value for parameter %c\n" msgstr "%s: ÏÔÓÕÔÓÔ×ÕÅÔ ÚÎÁÞÅÎÉÅ maxnum ÄÌÑ ÐÁÒÁÍÅÔÒÁ %c\n" #: src/acl_grant.c:428 src/acl_group.c:190 src/acl_mask.c:482 #: src/acl_rights.c:560 src/acl_rm_user.c:78 src/acl_tlist.c:496 #: src/attr_back_dev.c:308 src/attr_back_fd.c:403 src/attr_back_group.c:197 #: src/attr_back_net.c:316 src/attr_back_user.c:330 src/attr_get_fd.c:254 #: src/attr_get_file_dir.c:232 src/attr_get_group.c:191 src/attr_get_ipc.c:95 #: src/attr_get_net.c:323 src/attr_get_process.c:121 src/attr_get_up.c:122 #: src/attr_get_user.c:214 src/attr_rm_fd.c:143 src/attr_rm_file_dir.c:79 #: src/attr_rm_group.c:72 src/attr_rm_user.c:72 src/attr_set_fd.c:206 #: src/attr_set_file_dir.c:165 src/attr_set_group.c:145 src/attr_set_ipc.c:94 #: src/attr_set_net.c:310 src/attr_set_process.c:131 src/attr_set_up.c:131 #: src/attr_set_user.c:145 src/auth_back_cap.c:471 src/auth_set_cap.c:180 #: src/linux2acl.c:831 src/mac_back_trusted.c:195 src/mac_set_trusted.c:158 #: src/mac_wrap.c:110 src/net_temp.c:289 src/rc_copy_role.c:71 #: src/rc_copy_type.c:73 src/rc_get_eff_rights_fd.c:164 src/rc_get_item.c:262 #: src/rc_role_wrap.c:58 src/rc_set_item.c:223 src/rsbac_gpasswd.c:127 #: src/rsbac_groupadd.c:261 src/rsbac_groupdel.c:105 src/rsbac_groupmod.c:216 #: src/rsbac_groupshow.c:245 src/rsbac_jail.c:327 src/rsbac_list_ta.c:117 #: src/rsbac_login.c:74 src/rsbac_passwd.c:65 src/rsbac_pm.c:122 #: src/rsbac_useradd.c:694 src/rsbac_userdel.c:142 src/rsbac_usermod.c:374 #: src/rsbac_usershow.c:377 src/switch_adf_log.c:128 src/switch_module.c:69 #, c-format msgid "%s: unknown parameter %c\n" msgstr "%s: ÎÅÉÚ×ÅÓÔÎÙÊ ÐÁÒÁÍÅÔÒ %c\n" #: src/acl_grant.c:443 #, c-format msgid "%s: unknown 
subject_type %s\n" msgstr "%s: ÎÅÉÚ×ÅÓÔÎÙÊ ÔÉÐ ÓÕÂßÅËÔÁ %s\n" #: src/acl_grant.c:472 src/rc_set_item.c:644 #, c-format msgid "Invalid bitstring length %u, must be %u!\n" msgstr "îÅ×ÅÒÎÁÑ ÄÌÉÎÁ ÂÉÔÏ×ÏÊ ÓÔÒÏËÉ %u, ÄÏÌÖÎÏ ÂÙÔØ %u!\n" #: src/acl_grant.c:656 src/acl_mask.c:695 src/attr_rm_fd.c:165 #: src/attr_set_fd.c:238 #, c-format msgid "%s: Invalid target type %s\n" msgstr "%s: îÅ×ÅÒÎÙÊ ÔÉÐ ÏÂßÅËÔÁ %s\n" #: src/acl_grant.c:666 #, c-format msgid "" "Set rights: %s\n" "for %s %u\n" msgstr "" "õÓÔÁÎÏ×ËÁ ÐÒÁ×: %s\n" "ÄÌÑ %s %u\n" #: src/acl_grant.c:672 #, c-format msgid "" "Add rights: %s\n" "for %s %u\n" msgstr "" "äÏÂÁ×ÌÅÎÉÅ ÐÒÁ×: %s\n" "ÄÌÑ %s %u\n" #: src/acl_grant.c:678 #, c-format msgid "" "Revoke rights: %s\n" "for %s %u\n" msgstr "" "õÄÁÌÅÎÉÅ ÐÒÁ×: %s\n" "ÄÌÑ %s %u\n" #: src/acl_grant.c:684 #, c-format msgid "Remove entry for %s %u.\n" msgstr "õÄÁÌÅÎÉÅ ÚÁÐÉÓÉ ÄÌÑ %s %u.\n" #: src/acl_grant.c:689 #, c-format msgid "%s: Internal error in call switch!\n" msgstr "%s: ÷ÎÕÔÒÅÎÎÑÑ ÏÛÉÂËÁ ÐÒÉ ×ÙÚÏ×Å ËÌÀÞÁ!\n" #: src/acl_grant.c:705 #, c-format msgid "" "\n" "%s: %i targets\n" "\n" msgstr "" "\n" "%s: %i ÏÂßÅËÔÏ×\n" "\n" #: src/acl_group.c:34 #, c-format msgid "Use: %s [switches] function params\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ÐÁÒÁÍÅÔÒÙ] ÆÕÎËÃÉÑ ÐÁÒÁÍÅÔÒÙ\n" #: src/acl_group.c:35 #, c-format msgid " -v = verbose, -g = also list global groups of other users,\n" msgstr "" "- -v = ÐÏÄÒÏÂÎÏ, -g = ÔÁËÖÅ ÓÐÉÓÏË ÇÌÏÂÁÌØÎÙÈ ÇÒÕÐÐ ÄÌÑ ÄÒÕÇÉÈ " "ÐÏÌØÚÏ×ÁÔÅÌÅÊ,\n" #: src/acl_group.c:36 #, c-format msgid " -b = backup mode, -n = use numerical values,\n" msgstr "- -b = ÒÅÖÉÍ ÒÅÚÅÒ×ÉÒÏ×ÁÎÉÑ, -n = ÉÓÐÏÌØÚÏ×ÁÔØ ÞÉÓÌÏ×ÙÅ ÚÎÁÞÅÎÉÑ,\n" #: src/acl_group.c:37 #, c-format msgid " -s = scripting mode\n" msgstr " -s = ÒÅÖÉÍ ÓÃÅÎÁÒÉÑ\n" #: src/acl_group.c:38 #, c-format msgid "" " -t = set relative time-to-live for this membership in seconds (add_member " "only)\n" msgstr "" " -t = ÕÓÔÁÎÏ×ÉÔØ ×ÒÅÍÑ ÖÉÚÎÉ ÄÌÑ ÜÔÏÇÏ ÓÕÂßÅËÔÁ × ÓÅËÕÎÄÁÈ (ÔÏÌØËÏ ÄÌÑ " "add_member )\n" #: src/acl_group.c:39 #, c-format 
msgid "" " -T = set absolute time-to-live for this trustee in seconds (add_member " "only)\n" msgstr "" " -T = ÕÓÔÁÎÏ×ÉÔØ ÁÂÓÏÌÀÔÎÏÅ ×ÒÅÍÑ ÖÉÚÎÉ ÄÌÑ ÜÔÏÊ ÚÁÐÉÓÉ × ÓÅËÕÎÄÁÈ (ÔÏÌØËÏ " "ÄÌÑ add_member )\n" #: src/acl_group.c:40 #, c-format msgid "" " -D = set relative time-to-live for this membership in days (add_member " "only)\n" msgstr "" " -D = ÕÓÔÁÎÏ×ÉÔØ ÏÔÎÏÓÉÔÅÌØÎÏÅ ×ÒÅÍÑ ÖÉÚÎÉ ÄÌÑ ÜÔÏÇÏ ÓÕÂßÅËÔÁ × ÄÎÑÈ " "(ÔÏÌØËÏ ÄÌÑ add_member )\n" #: src/acl_group.c:43 #, c-format msgid "- function and params = one of\n" msgstr "- ÆÕÎËÃÉÑ É ÐÁÒÁÍÅÔÒÙ = ÏÄÎÁ ÉÚ\n" #: src/acl_group.c:44 #, c-format msgid " add_group P[RIVATE]|G[LOBAL] name [id]\n" msgstr " add_group P[RIVATE]|G[LOBAL] ÉÍÑ [id]\n" #: src/acl_group.c:45 #, c-format msgid " change_group group-id new-owner P[RIVATE]|G[LOBAL] name\n" msgstr " change_group id-ÇÒÕÐÐÙ ÎÏ×ÙÊ-×ÌÁÄÅÌÅà P[RIVATE]|G[LOBAL] ÉÍÑ\n" #: src/acl_group.c:46 #, c-format msgid " remove_group group-id\n" msgstr " remove_group id-ÇÒÕÐÐÙ\n" #: src/acl_group.c:47 #, c-format msgid " get_group_entry group-id\n" msgstr " get_group_entry id-ÇÒÕÐÐÙ\n" #: src/acl_group.c:48 #, c-format msgid " get_group_name group-id\n" msgstr " get_group_name id-ÇÒÕÐÐÙ\n" #: src/acl_group.c:49 #, c-format msgid " get_group_type group-id\n" msgstr " get_group_type id-ÇÒÕÐÐÙ\n" #: src/acl_group.c:50 #, c-format msgid " get_group_owner group-id\n" msgstr " get_group_owner id-ÇÒÕÐÐÙ\n" #: src/acl_group.c:51 #, c-format msgid " list_groups\n" msgstr "" #: src/acl_group.c:52 #, c-format msgid " add_member group-id user1 ...\n" msgstr " add_member id-ÇÒÕÐÐÙ ÐÏÌØÚÏ×ÁÔÅÌØ1 ...\n" #: src/acl_group.c:53 #, c-format msgid " remove_member group-id user1 ...\n" msgstr " remove_member id-ÇÒÕÐÐÙ ÐÏÌØÚÏ×ÁÔÅÌØ1 ...\n" #: src/acl_group.c:54 #, c-format msgid " get_user_groups [user]\n" msgstr " get_user_groups [ÐÏÌØÚÏ×ÁÔÅÌØ]\n" #: src/acl_group.c:55 #, c-format msgid " get_group_members group-id\n" msgstr " get_group_members id-ÇÒÕÐÐÙ\n" #: src/acl_group.c:71 src/net_temp.c:63 msgid 
"*unknown*" msgstr "*ÎÅÉÚ×ÅÓÔÎÏ*" #: src/acl_group.c:210 src/acl_group.c:241 src/acl_group.c:277 #: src/acl_group.c:299 src/acl_group.c:388 src/acl_group.c:421 #: src/acl_group.c:500 #, c-format msgid "%s: too few arguments for function %s\n" msgstr "%s: ÓÌÉÛËÏÍ ÍÎÏÇÏ ÁÒÇÕÍÅÎÔÏ× ÄÌÑ ÆÕÎËÃÉÉ %s\n" #: src/acl_group.c:220 src/acl_group.c:258 #, c-format msgid "%s: %s: invalid group type %s\n" msgstr "%s: %s: ÎÅ×ÅÒÎÙÊ ÔÉÐ ÇÒÕÐÐÙ %s\n" #: src/acl_group.c:232 #, c-format msgid "%s group %u '%s' added\n" msgstr "%s ÇÒÕÐÐÁ %u '%s' ÄÏÂÁ×ÌÅÎÁ\n" #: src/acl_group.c:265 #, c-format msgid "Group %u changed to owner %u, type %s, name '%s'\n" msgstr "çÒÕÐÐÁ %u ÉÚÍÅÎÅÎÁ ÎÁ ×ÌÁÄÅÌØÃÁ %u, ÔÉÐ %s, ÉÍÑ '%s'\n" #: src/acl_group.c:286 #, c-format msgid "Group %u '%s' removed\n" msgstr "çÒÕÐÐÁ %u '%s' ÕÄÁÌÅÎÁ\n" #: src/acl_group.c:320 src/acl_group.c:371 #, c-format msgid "Group %u: owner %u (%s), type %c, name '%s'\n" msgstr "çÒÕÐÐÁ %u: ×ÌÁÄÅÌÅà %u (%s), ÔÉÐ %c, ÉÍÑ '%s'\n" #: src/acl_group.c:339 #, c-format msgid "%i groups listed:\n" msgstr "%i ÇÒÕÐÐ × ÓÐÉÓËÅ:\n" #: src/acl_group.c:342 #, c-format msgid "%i groups listed (list truncated):\n" msgstr "%i ÇÒÕÐÐ × ÓÐÉÓËÅ (ÓÐÉÓÏË ÕÓÅÞ£Î):\n" #: src/acl_group.c:377 src/acl_group.c:487 src/acl_group.c:596 #, c-format msgid "(truncated)\n" msgstr "(ÕÓÅÞÅÎÏ)\n" #: src/acl_group.c:406 #, c-format msgid "Member %u (%s) added to group %u '%s'\n" msgstr "þÌÅÎ %u (%s) ÄÏÂÁ×ÌÅÎ × ÇÒÕÐÐÕ %u '%s'\n" #: src/acl_group.c:437 #, c-format msgid "Member %u (%s) removed from group %u '%s'\n" msgstr "þÌÅÎ %u (%s) ÕÄẠ́ΠÉÚ ÇÒÕÐÐÙ %u '%s'\n" #: src/acl_group.c:468 #, c-format msgid "%i group memberships for user %u (%s): " msgstr "%i ÞÌÅÎÓÔ×Á × ÇÒÕÐÐÁÈ ÄÌÑ ÐÏÌØÚÏ×ÁÔÅÌÑ %u (%s): " #: src/acl_group.c:473 #, c-format msgid "%i group memberships for user %u (%s) (list truncated): " msgstr "%i ÞÌÅÎÓÔ×Á × ÇÒÕÐÐÁÈ ÄÌÑ ÐÏÌØÚÏ×ÁÔÅÌÑ %u (%s) (ÓÐÉÓÏË ÕÓÅÞ£Î): " #: src/acl_group.c:512 #, c-format msgid "%i members of group %u '%s':\n" msgstr "%i ÞÌÅÎÏ× ÇÒÕÐÐÙ %u '%s':\n" #: 
src/acl_group.c:517 #, c-format msgid "%i members of group %u '%s' (list truncated):\n" msgstr "%i ÞÌÅÎÏ× ÇÒÕÐÐÙ %u '%s' (ÓÐÉÓÏË ÕÓÅÞ£Î):\n" #: src/acl_group.c:601 #, c-format msgid "%s: internal error: invalid function number %u\n" msgstr "%s: ×ÎÕÔÒÅÎÎÑÑ ÏÛÉÂËÁ: ÎÅ×ÅÒÎÙÊ ÎÏÍÅÒ ÆÕÎËÃÉÉ %u\n" #: src/acl_mask.c:50 #, c-format msgid "Use: %s [switches] [rights] target-type file/dirname(s)\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ÐÁÒÁÍÅÔÒÙ] [ÐÒÁ×Á] ÔÉÐ-ÏÂßÅËÔÁ ÆÁÊÌ/ËÁÔÁÌÏÇ\n" #: src/acl_mask.c:51 src/acl_rights.c:48 src/acl_tlist.c:51 #: src/attr_rm_fd.c:39 src/attr_set_fd.c:41 src/rc_get_eff_rights_fd.c:40 #, c-format msgid " -v = verbose, -r = recurse into subdirs,\n" msgstr " -v = ÐÏÄÒÏÂÎÏ, -r = ÒÅËÕÒÓÉ×ÎÏ ÐÏ ÐÏÄËÁÔÁÌÏÇÁÍ,\n" #: src/acl_mask.c:52 #, fuzzy, c-format msgid " -p = print right names, -s = set mask, not get\n" msgstr " -p = ×Ù×ÅÓÔÉ ÉÍÅÎÁ ÐÒÁ×, -s = ÕÓÔÁÎÏ×ÉÔØ ÍÁÓËÕ, ÎÅ ÐÏÌÕÞÁÔØ\n" #: src/acl_mask.c:53 #, fuzzy, c-format msgid " -b = backup mode, -n = list valid SCD names\n" msgstr "- -b = ÒÅÖÉÍ ÒÅÚÅÒ×ÉÒÏ×ÁÎÉÑ, -n = ÓÐÉÓÏË ÄÅÊÓÔ×ÉÔÅÌØÎÙÈ ÉͣΠSCD\n" #: src/acl_mask.c:54 src/acl_tlist.c:53 src/attr_get_file_dir.c:34 #: src/attr_rm_file_dir.c:29 src/attr_set_file_dir.c:32 #, c-format msgid " -d = numeric device specification ({b|c}major[:minor])\n" msgstr "" #: src/acl_mask.c:55 #, fuzzy, c-format msgid " -D = process all existing device masks,\n" msgstr "- -a = ÏÂÒÁÂÁÔÙ×ÁÔØ ×ÓÅÈ ÐÏÌØÚÏ×ÁÔÅÌÅÊ, -v = ÐÏÄÒÏÂÎÏ,\n" #: src/acl_mask.c:56 src/attr_set_fd.c:44 src/attr_set_file_dir.c:34 #: src/attr_set_group.c:32 src/attr_set_net.c:46 src/attr_set_up.c:30 #: src/attr_set_user.c:32 src/auth_set_cap.c:45 src/mac_set_trusted.c:39 #: src/net_temp.c:49 src/rc_set_item.c:42 #, fuzzy, c-format msgid " -V version = supply RSBAC integer version number for upgrading\n" msgstr " -V version = ÉÓÐÏÌØÚÏ×ÁÔØ ÕËÁÚÁÎÎÕÀ ×ÅÒÓÉÀ RSBAC ÄÌÑ ÏÂÎÏ×ÌÅÎÉÑ\n" #: src/acl_mask.c:57 src/acl_rights.c:53 src/acl_rm_user.c:30 #: src/acl_tlist.c:58 src/attr_back_dev.c:59 src/attr_back_fd.c:83 #: 
src/attr_back_group.c:55 src/attr_back_net.c:64 src/attr_back_user.c:79 #: src/attr_get_fd.c:44 src/attr_get_file_dir.c:39 src/attr_get_group.c:34 #: src/attr_get_ipc.c:34 src/attr_get_net.c:48 src/attr_get_process.c:35 #: src/attr_get_up.c:29 src/attr_get_user.c:36 src/attr_rm_fd.c:40 #: src/attr_rm_file_dir.c:30 src/attr_rm_group.c:28 src/attr_rm_user.c:28 #: src/attr_set_fd.c:45 src/attr_set_file_dir.c:35 src/attr_set_group.c:33 #: src/attr_set_net.c:47 src/attr_set_process.c:34 src/attr_set_up.c:31 #: src/attr_set_user.c:33 src/auth_back_cap.c:48 src/auth_set_cap.c:46 #: src/mac_back_trusted.c:45 src/mac_back_trusted.c:239 #: src/mac_set_trusted.c:40 src/net_temp.c:50 src/rc_copy_role.c:28 #: src/rc_copy_type.c:29 src/rc_get_eff_rights_fd.c:42 src/rc_get_item.c:43 #: src/rc_set_item.c:43 src/rsbac_groupadd.c:45 src/rsbac_groupdel.c:32 #: src/rsbac_groupmod.c:38 src/rsbac_groupshow.c:41 src/rsbac_pm.c:33 #: src/rsbac_useradd.c:72 src/rsbac_userdel.c:34 src/rsbac_usermod.c:49 #: src/rsbac_usershow.c:45 #, c-format msgid "" " -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n" msgstr "" #: src/acl_mask.c:59 #, c-format msgid " also request groups R (read requests), RW (read-write),\n" msgstr " ÔÁËÖÅ ÇÒÕÐÐÙ ÚÁÐÒÏÓÏ× R (ÎÁ ÞÔÅÎÉÅ), RW (ÎÁ ÞÔÅÎÉÅ-ÚÁÐÉÓØ),\n" # #: src/acl_mask.c:63 #, fuzzy, c-format msgid " target-type = FILE, DIR, FIFO, SYMLINK, DEV, SCD, NETDEV,\n" msgstr "- ÔÉÐ-ÏÂßÅËÔÁ = FILE, DIR, FIFO, SYMLINK, DEV, SCD, NETDEV,\n" #: src/acl_mask.c:218 src/acl_mask.c:223 src/acl_tlist.c:211 #: src/acl_tlist.c:216 #, fuzzy, c-format msgid "# Processing %s '%s'\n" msgstr "ïÂÒÁÂÁÔÙ×ÁÅÔÓÑ %s '%s'\n" #: src/acl_mask.c:504 src/attr_set_process.c:182 src/attr_set_user.c:200 #, c-format msgid "%s: Invalid mask vector %s\n" msgstr "%s: îÅ×ÅÒÎÙÊ ×ÅËÔÏÒ ÍÁÓËÉ %s\n" #: src/acl_mask.c:704 #, c-format msgid "Set mask: %s\n" msgstr "õÓÔÁÎÏ×ÌÅÎÁ ÍÁÓËÁ: %s\n" #: src/acl_mask.c:720 #, fuzzy, c-format msgid "# Get mask.\n" msgstr "ðÏÌÕÞÅÎÁ ÍÁÓËÁ.\n" #: 
src/acl_mask.c:724 #, fuzzy, c-format msgid "" "\n" "# %s: %i targets\n" "\n" msgstr "" "\n" "%s: %i ÏÂßÅËÔÏ×\n" "\n" #: src/acl_mask.c:731 src/acl_tlist.c:514 src/attr_back_user.c:398 #, fuzzy, c-format msgid "# %s: processing all users\n" msgstr "%s: ÏÂÒÁÂÁÔÙ×ÁÀÔÓÑ ×ÓÅ ÐÏÌØÚÏ×ÁÔÅÌÉ\n" #: src/acl_mask.c:743 src/acl_mask.c:774 src/acl_tlist.c:520 #: src/acl_tlist.c:549 src/attr_back_dev.c:340 src/attr_back_dev.c:369 #: src/attr_back_group.c:237 src/attr_back_group.c:266 src/attr_back_net.c:383 #: src/attr_back_net.c:444 src/attr_back_user.c:407 src/attr_back_user.c:436 #, fuzzy, c-format msgid "# %s: %i targets\n" msgstr "%s: %i ÏÂßÅËÔÏ×\n" #: src/acl_mask.c:768 src/acl_tlist.c:543 #, fuzzy, c-format msgid "# %s: processing all devices\n" msgstr "%s: ÏÂÒÁÂÁÔÙ×ÁÀÔÓÑ ×ÓÅ ÐÏÌØÚÏ×ÁÔÅÌÉ\n" #: src/acl_rights.c:47 #, c-format msgid "Use: %s [switches] target-type file/dirname(s)\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ÐÁÒÁÍÅÔÒÙ] ÔÉÐ-ÏÂßÅËÔÁ ÆÁÊÌ/ËÁÔÁÌÏÇ\n" #: src/acl_rights.c:49 #, c-format msgid " -p = print right names, -d = give direct, not effective rights\n" msgstr "" " -p = ×Ù×ÅÓÔÉ ÉÍÅÎÁ ÐÒÁ×, -d = ÐÏÌÕÞÉÔØ ÎÁÐÒÑÍÕÀ, ÎÅ ÜÆÆÅËÔÉ×ÎÙÅ ÐÒÁ×Á\n" #: src/acl_rights.c:50 #, c-format msgid " -n = list valid SCD names, -s = scripting mode\n" msgstr " -n = ÓÐÉÓÏË ÄÅÊÓÔ×ÉÔÅÌØÎÙÈ ÉͣΠSCD, -s = ÒÅÖÉÍ ÓÃÅÎÁÒÉÑ\n" #: src/acl_rights.c:51 #, c-format msgid " -D = numeric device specification ({b|c}major[:minor])\n" msgstr "" #: src/acl_rights.c:52 #, fuzzy, c-format msgid " -R = list valid right names [for target-type]\n" msgstr " -N = ÓÐÉÓÏË ÄÅÊÓÔ×ÉÔÅÌØÎÙÈ ÉͣΠÐÒÁ× [ÄÌÑ ÔÉÐÁ-ÏÂßÅËÔÁ]\n" #: src/acl_rights.c:54 #, c-format msgid " -u user = print rights for given user, not caller\n" msgstr "" " -u user = ×Ù×ÅÓÔÉ ÐÒÁ×Á ÄÌÑ ÕËÁÚÁÎÎÏÇÏ ÐÏÌØÚÏ×ÁÔÅÌÑ, ÎÅ ÄÌÑ ×ÙÚÙ×ÁÀÝÅÇÏ\n" #: src/acl_rights.c:55 #, c-format msgid " -g group = print rights for given group, not caller\n" msgstr " -g group = ×Ù×ÅÓÔÉ ÐÒÁ×Á ÄÌÑ ÕËÁÚÁÎÎÏÊ ÇÒÕÐÐÙ, ÎÅ ÄÌÑ ×ÙÚÙ×ÁÀÝÅÇÏ\n" #: src/acl_rights.c:56 #, c-format msgid " -l role = 
print rights for given role, not caller\n" msgstr " -l role = ×Ù×ÅÓÔÉ ÐÒÁ×Á ÄÌÑ ÕËÁÚÁÎÎÏÊ ÒÏÌÉ, ÎÅ ÄÌÑ ×ÙÚÙ×ÁÀÝÅÇÏ\n" # #: src/acl_rights.c:57 #, fuzzy, c-format msgid "" " target-type = FILE, DIR, FIFO, SYMLINK, DEV, IPC, SCD, USER, GROUP, " "PROCESS,\n" msgstr "" " ÔÉÐ-ÏÂßÅËÔÁ = FILE, DIR, FIFO, SYMLINK, DEV, IPC, SCD, USER, PROCESS, " "NETDEV,\n" #: src/acl_rights.c:58 #, fuzzy, c-format msgid " NETDEV, NETTEMP_NT, NETTEMP, NETOBJ or FD\n" msgstr " NETTEMP_NT, NETTEMP, NETOBJ ÉÌÉ FD\n" #: src/acl_rights.c:60 #, fuzzy, c-format msgid " (IPC, PROCESS: only :DEFAULT:\n" msgstr " (IPC, USER, PROCESS: ÔÏÌØËÏ :DEFAULT:\n" #: src/acl_rights.c:420 #, c-format msgid "%s: invalid target type %s for switch N\n" msgstr "%s: ÎÅ×ÅÒÎÙÊ ÔÉÐ ÏÂßÅËÔÁ %s ÄÌÑ ËÌÀÞÁ N\n" #: src/acl_rights.c:435 #, c-format msgid "%s: no user for switch u\n" msgstr "%s: ÎÅÔ ÐÏÌØÚÏ×ÁÔÅÌÑ ÄÌÑ ËÌÀÞÁ u\n" #: src/acl_rights.c:443 src/acl_rights.c:506 #, c-format msgid "Invalid user %s!\n" msgstr "îÅ×ÅÒÎÙÊ ÐÏÌØÚÏ×ÁÔÅÌØ %s!\n" #: src/acl_rights.c:450 #, c-format msgid "%s: User %u\n" msgstr "%s: ðÏÌØÚÏ×ÁÔÅÌØ %u\n" #: src/acl_rights.c:457 #, c-format msgid "%s: no group for switch g\n" msgstr "%s: ÎÅÔ ÇÒÕÐÐÙ ÄÌÑ ËÌÀÞÁ g\n" #: src/acl_rights.c:463 src/acl_rights.c:530 #, c-format msgid "%s: Group %u\n" msgstr "%s: çÒÕÐÐÁ %u\n" #: src/acl_rights.c:470 #, c-format msgid "%s: no role for switch l\n" msgstr "%s: ÎÅÔ ÒÏÌÉ ÄÌÑ ËÌÀÞÁ l\n" #: src/acl_rights.c:476 src/acl_rights.c:547 #, c-format msgid "%s: Role %u\n" msgstr "%s: òÏÌØ %u\n" #: src/acl_rights.c:498 #, c-format msgid "%s: no user for switch -USER\n" msgstr "%s: ÎÅÔ ÐÏÌØÚÏ×ÁÔÅÌÑ ÄÌÑ ËÌÀÞÁ -USER\n" #: src/acl_rights.c:524 #, c-format msgid "%s: no group for switch -GROUP\n" msgstr "%s: ÎÅÔ ÇÒÕÐÐÙ ÄÌÑ ËÌÀÞÁ -GROUP\n" #: src/acl_rights.c:541 #, c-format msgid "%s: no role for switch -ROLE\n" msgstr "%s: ÎÅÔ ÒÏÌÉ ÄÌÑ ËÌÀÞÁ -ROLE\n" #: src/acl_rights.c:555 #, c-format msgid "%s: unknown parameter %s\n" msgstr "%s: ÎÅÉÚ×ÅÓÔÎÙÊ ÐÁÒÁÍÅÔÒ %s\n" #: 
src/acl_rights.c:575 src/acl_rights.c:592 src/attr_get_fd.c:275 #: src/attr_get_net.c:344 src/attr_get_up.c:142 src/attr_rm_fd.c:155 #: src/attr_set_net.c:396 src/attr_set_net.c:406 src/attr_set_up.c:151 #: src/rc_get_eff_rights_fd.c:186 src/rc_get_eff_rights_fd.c:201 #, c-format msgid "" "%s: %i targets\n" "\n" msgstr "" "%s: %i ÏÂßÅËÔÏ×\n" "\n" #: src/acl_rights.c:576 src/acl_tlist.c:570 src/rc_get_eff_rights_fd.c:187 #, c-format msgid "%s: No target type given, assuming FD\n" msgstr "%s: îÅ ÐÏÌÕÞÅÎ ÔÉÐ ÏÂßÅËÔÁ, ÐÏÌÁÇÁÅÔÓÑ FD\n" #: src/acl_rm_user.c:27 #, c-format msgid "" "Remove all groups and memberships of a user\n" "\n" msgstr "" "õÄÁÌÅÎÉÅ ×ÓÅÈ ÇÒÕÐÐ É ÞÌÅÎÓÔ×Á ÄÌÑ ÐÏÌØÚÏ×ÁÔÅÌÑ\n" "\n" #: src/acl_rm_user.c:28 #, fuzzy, c-format msgid "Use: %s [flags] user\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [-y] ÐÏÌØÚÏ×ÁÔÅÌØ\n" #: src/acl_rm_user.c:29 #, c-format msgid " -y: remove without asking\n" msgstr " -y: ÕÄÁÌÑÔØ ÂÅÚ ÐÏÄÔ×ÅÒÖÄÅÎÉÊ\n" #: src/acl_rm_user.c:103 #, c-format msgid "Remove all groups and memberships of user %u '%s' [y/n]\n" msgstr "õÄÁÌÉÔØ ×ÓÅ ÇÒÕÐÐÙ É ÞÌÅÎÓÔ×Á ÄÌÑ ÐÏÌØÚÏ×ÁÔÅÌÑ %u '%s' [y/n]\n" #: src/acl_tlist.c:50 #, c-format msgid "Use: %s [switches] target-type file/dir/scdname(s)\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ÐÁÒÁÍÅÔÒÙ] ÔÉÐ-ÏÂßÅËÔÁ ÆÁÊÌ/ËÁÔÁÌÏÇ/ÉÍÑ-scd\n" #: src/acl_tlist.c:52 #, c-format msgid " -p = print right names, -b = backup mode\n" msgstr " -p = ×Ù×ÅÓÔÉ ÉÍÅÎÁ ÐÒÁ×, -b = ÒÅÖÉÍ ÒÅÚÅÒ×ÉÒÏ×ÁÎÉÑ\n" #: src/acl_tlist.c:54 #, fuzzy, c-format msgid " -D = process all existing device acls,\n" msgstr "- -a = ÏÂÒÁÂÁÔÙ×ÁÔØ ×ÓÅÈ ÐÏÌØÚÏ×ÁÔÅÌÅÊ, -v = ÐÏÄÒÏÂÎÏ,\n" #: src/acl_tlist.c:55 #, fuzzy, c-format msgid " -a = process all users,\n" msgstr "- -a = ÏÂÒÁÂÁÔÙ×ÁÔØ ×ÓÅÈ ÐÏÌØÚÏ×ÁÔÅÌÅÊ, -v = ÐÏÄÒÏÂÎÏ,\n" #: src/acl_tlist.c:56 #, c-format msgid " -n = list valid SCD names,\n" msgstr " -n = ÓÐÉÓÏË ÄÅÊÓÔ×ÉÔÅÌØÎÙÈ ÉͣΠSCD ,\n" #: src/acl_tlist.c:57 #, fuzzy, c-format msgid " -s = scripting mode,\n" msgstr " -s = ÒÅÖÉÍ ÓÃÅÎÁÒÉÑ\n" #: src/acl_tlist.c:352 src/acl_tlist.c:356 
#, c-format msgid "%s: %i entries\n" msgstr "%s: %i ÚÁÐÉÓÅÊ\n" #: src/acl_tlist.c:569 src/acl_tlist.c:586 #, fuzzy, c-format msgid "" "# %s: %i targets\n" "\n" msgstr "" "%s: %i ÏÂßÅËÔÏ×\n" "\n" #: src/attr_back_dev.c:52 #, c-format msgid "Use: %s [-v] [-o target-file] file/dirname(s)\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [-v] [-o ÆÁÊÌ-ÒÅÚÕÌØÔÁÔ] ÆÁÊÌ/ËÁÔÁÌÏÇ\n" #: src/attr_back_dev.c:53 #, c-format msgid "- should be called by root with all rsbac modules switched off,\n" msgstr "" "- ÄÏÌÖÎÏ ×ÙÚÙ×ÁÔØÓÑ ÁÄÍÉÎÉÓÔÒÁÔÏÒÏÍ ÓÏ ×ÓÅÍÉ ×ÙËÌÀÞÅÎÎÙÍÉ ÍÏÄÕÌÑÍÉ RSBAC,\n" #: src/attr_back_dev.c:54 src/attr_back_fd.c:76 src/auth_back_cap.c:44 #: src/mac_back_trusted.c:42 src/mac_back_trusted.c:236 #, fuzzy, c-format msgid " -r = recurse in subdirs, -v = verbose, no symlinks followed,\n" msgstr "" "- -r = ÒÅËÕÒÓÉ×ÎÏ ÐÏ ÐÏÄËÁÔÁÌÏÇÁÍ, -v = ÐÏÄÒÏÂÎÏ, ÎÅ ÓÌÅÄÏ×ÁÔØ ÓÉÍ×. " "ÓÓÙÌËÁÍ,\n" #: src/attr_back_dev.c:55 src/attr_back_group.c:51 src/auth_back_cap.c:45 #, c-format msgid " -T file = read file/dirname list from file (- for stdin),\n" msgstr "" #: src/attr_back_dev.c:56 src/attr_back_fd.c:81 src/attr_back_group.c:53 #: src/attr_back_user.c:77 #, fuzzy, c-format msgid " -o target-file = write to file, not stdout,\n" msgstr "- -o ÆÁÊÌ = ÐÉÓÁÔØ × ÆÁÊÌ, ÎÅ ÎÁ ÓÔÁÎÄÁÒÔÎÙÊ ×Ù×ÏÄ\n" #: src/attr_back_dev.c:57 #, c-format msgid " -b = backup all device entries known to RSBAC,\n" msgstr "" #: src/attr_back_dev.c:58 src/attr_back_group.c:54 src/attr_back_net.c:63 #: src/attr_back_user.c:78 #, fuzzy, c-format msgid " -A = list attributes and values,\n" msgstr " -A = ÓÐÉÓÏË ÁÔÒÉÂÕÔÏ× É ÚÎÁÞÅÎÉÊ\n" #: src/attr_back_dev.c:74 #, fuzzy, c-format msgid "# Processing DEV '%s'\n" msgstr "ïÂÒÁÂÏÔËÁ DEV '%s'\n" #: src/attr_back_dev.c:271 src/attr_back_fd.c:352 src/attr_back_net.c:268 #: src/attr_back_user.c:294 src/mac_back_trusted.c:179 #, c-format msgid "%s: missing filename for parameter o\n" msgstr "%s: ÏÔÓÕÔÓÔ×ÕÅÔ ÉÍÑ ÆÁÊÌÁ ÄÌÑ ÐÁÒÁÍÅÔÒÁ Ï\n" #: src/attr_back_dev.c:281 src/attr_back_group.c:161 
src/attr_back_group.c:171 #: src/attr_back_net.c:278 src/attr_back_user.c:304 src/auth_back_cap.c:445 #: src/auth_back_cap.c:455 #, fuzzy, c-format msgid "%s: missing filename for parameter %c\n" msgstr "%s: ÏÔÓÕÔÓÔ×ÕÅÔ ÉÍÑ ÆÁÊÌÁ ÄÌÑ ÐÁÒÁÍÅÔÒÁ Ï\n" #: src/attr_back_dev.c:285 #, c-format msgid "Attributes and values in backup = see following list:\n" msgstr "- ÁÔÒÉÂÕÔÙ É ÚÎÁÞÅÎÉÑ ÄÌÑ ÒÅÚÅÒ×ÉÒÏ×ÁÎÉÑ = ÓÍ. ÓÌÅÄ. ÓÐÉÓÏË:\n" #: src/attr_back_dev.c:328 src/attr_back_fd.c:420 src/attr_back_group.c:217 #: src/attr_back_net.c:335 src/attr_back_user.c:350 src/auth_back_cap.c:487 #: src/mac_back_trusted.c:211 #, c-format msgid "opening target file returned error: %s\n" msgstr "ÏÔËÒÙÔÉÅ ÆÁÊÌÁ ÏÂßÅËÔÁ ×ÅÒÎÕÌÏ ÏÛÉÂËÕ: %s\n" #: src/attr_back_dev.c:362 src/attr_back_fd.c:432 src/attr_back_group.c:259 #: src/attr_back_net.c:376 src/attr_back_net.c:437 src/attr_back_user.c:429 #: src/auth_back_cap.c:497 #, fuzzy, c-format msgid "opening target list file returned error: %s\n" msgstr "ÏÔËÒÙÔÉÅ ÆÁÊÌÁ ÏÂßÅËÔÁ ×ÅÒÎÕÌÏ ÏÛÉÂËÕ: %s\n" #: src/attr_back_dev.c:371 src/attr_back_group.c:268 src/attr_back_net.c:385 #: src/attr_back_net.c:446 src/attr_back_user.c:438 #, c-format msgid "# - plus targets from file %s\n" msgstr "" #: src/attr_back_fd.c:74 #, c-format msgid "Use: %s [options] file/dirname(s)\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ÐÁÒÁÍÅÔÒÙ] ÆÁÊÌ/ËÁÔÁÌÏÇ(É)\n" #: src/attr_back_fd.c:75 #, c-format msgid "" "- should be called by user with full attribute read access,\n" " e.g. 
root with all modules off\n" msgstr "" "- ÓÌÅÄÕÅÔ ×ÙÚÙ×ÁÔØ ÐÏÄ ÐÏÌØÚÏ×ÁÔÅÌÅÍ Ó ÐÏÌÎÙÍ ÄÏÓÔÕÐÏÍ ÐÏ ÞÔÅÎÉÀ,\n" "- ÎÁÐÒÉÍÅÒ root ÓÏ ×ÓÅÍÉ ×ÙËÌÀÞÅÎÎÙÍÉ ÍÏÄÕÌÑÍÉ\n" #: src/attr_back_fd.c:77 #, fuzzy, c-format msgid " -s = ignore daz_scanned,\n" msgstr "- -s = ÉÇÎÏÒÉÒÏ×ÁÔØ daz_scanned,\n" #: src/attr_back_fd.c:78 #, c-format msgid " -T file = read target list from file (- for stdin),\n" msgstr "" #: src/attr_back_fd.c:79 #, fuzzy, c-format msgid " -i = use MAC non-inherit values as default values,\n" msgstr "" "- -i = ÉÓÐÏÌØÚÏ×ÁÔØ ÎÅ ÎÁÓÌÅÄÕÅÍÙÅ ÚÎÁÞÅÎÉÑ MAC ËÁË ÚÎÁÞÅÎÉÑ ÐÏ-ÕÍÏÌÞÁÎÉÀ,\n" #: src/attr_back_fd.c:80 #, c-format msgid " -P flags = use these PaX flags as default, preset is PeMRxS,\n" msgstr "" #: src/attr_back_fd.c:82 #, fuzzy, c-format msgid " -a = list attributes and values,\n" msgstr "- -n = ÓÐÉÓÏË ÚÁÐÒÏÓÏ× É ÚÎÁÞÅÎÉÊ\n" #: src/attr_back_fd.c:96 #, fuzzy, c-format msgid "# Processing FD '%s'\n" msgstr "ïÂÒÁÂÏÔËÁ FD '%s'\n" #: src/attr_back_fd.c:362 #, fuzzy, c-format msgid "%s: missing filename for parameter T\n" msgstr "%s: ÏÔÓÕÔÓÔ×ÕÅÔ ÉÍÑ ÆÁÊÌÁ ÄÌÑ ÐÁÒÁÍÅÔÒÁ Ï\n" #: src/attr_back_fd.c:365 src/attr_back_net.c:284 #, c-format msgid "attributes and values in backup = see following list:\n" msgstr "- ÁÔÒÉÂÕÔÙ É ÚÎÁÞÅÎÉÑ ÄÌÑ ÒÅÚÅÒ×ÉÒÏ×ÁÎÉÑ = ÓÍ. ÓÌÅÄ. 
ÓÐÉÓÏË:\n" #: src/attr_back_fd.c:385 #, fuzzy, c-format msgid "%s: missing PaX flags for parameter %c\n" msgstr "%s: ÏÔÓÕÔÓÔ×ÕÅÔ ÓÐÉÓÏË capabilities ÄÌÑ ÐÁÒÁÍÅÔÒÁ %c\n" #: src/attr_back_fd.c:439 #, fuzzy, c-format msgid "# %s: %i targets" msgstr "%s: %i ÏÂßÅËÔÏ×" #: src/attr_back_fd.c:441 src/auth_back_cap.c:506 src/mac_back_trusted.c:218 #, c-format msgid " - recursing" msgstr " - ÒÅËÕÒÓÉ×ÎÏ" #: src/attr_back_fd.c:443 src/auth_back_cap.c:508 #, c-format msgid " - plus targets from file %s" msgstr "" #: src/attr_back_group.c:49 #, fuzzy, c-format msgid "Use: %s [flags] [groupname(s)]\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s class mode ÆÁÊÌ\n" "\n" #: src/attr_back_group.c:50 #, fuzzy, c-format msgid " -a = process all groups, -v = verbose,\n" msgstr "- -a = ÏÂÒÁÂÁÔÙ×ÁÔØ ×ÓÅÈ ÐÏÌØÚÏ×ÁÔÅÌÅÊ, -v = ÐÏÄÒÏÂÎÏ,\n" #: src/attr_back_group.c:52 #, fuzzy, c-format msgid " -n = show numeric gid not groupname,\n" msgstr "- -n = ÉÓÐÏÌØÚÏ×ÁÔØ UID, Á ÎÅ ÉÍÑ ÐÏÌØÚÏ×ÁÔÅÌÑ,\n" #: src/attr_back_group.c:69 #, fuzzy, c-format msgid "# Processing group %s\n" msgstr "ïÂÒÁÂÁÔÙ×ÁÅÔÓÑ ÐÏÌØÚÏ×ÁÔÅÌØ %s\n" #: src/attr_back_group.c:71 #, fuzzy, c-format msgid "# Processing group %u\n" msgstr "ïÂÒÁÂÁÔÙ×ÁÅÔÓÑ ÐÏÌØÚÏ×ÁÔÅÌØ %s\n" #: src/attr_back_group.c:174 src/attr_back_user.c:307 #, c-format msgid "- attributes and values in backup = see following list:\n" msgstr "- ÁÔÒÉÂÕÔÙ É ÚÎÁÞÅÎÉÑ ÄÌÑ ÒÅÚÅÒ×ÉÒÏ×ÁÎÉÑ = ÓÍ. ÓÌÅÄ. ÓÐÉÓÏË:\n" #: src/attr_back_group.c:228 #, fuzzy, c-format msgid "# %s: processing all groups\n" msgstr "%s: ÏÂÒÁÂÁÔÙ×ÁÀÔÓÑ ×ÓÅ ÐÏÌØÚÏ×ÁÔÅÌÉ\n" #: src/attr_back_net.c:60 #, c-format msgid "Use: %s [options] target name(s)/number(s)\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ÐÁÒÁÍÅÔÒÙ] ÏÂßÅËÔ ÉÍÑ/ÎÏÍÅÒ\n" #: src/attr_back_net.c:61 #, fuzzy, c-format msgid "" " should be called by user with full attribute read access,\n" "- e.g. 
with all modules off\n" msgstr "" "- ÓÌÅÄÕÅÔ ×ÙÚÙ×ÁÔØ ÐÏÄ ÁÄÍÉÎÉÓÔÒÁÔÏÒÏÍ Ó ÐÏÌÎÙÍ ÄÏÓÔÕÐÏÍ ÐÏ ÞÔÅÎÉÀ,\n" "- ÎÁÐÒÉÍÅÒ ÓÏ ×ÓÅÍÉ ×ÙËÌÀÞÅÎÎÙÍÉ ÍÏÄÕÌÑÍÉ\n" #: src/attr_back_net.c:62 #, fuzzy, c-format msgid " -a = backup all objects, -v = verbose, no symlinks followed,\n" msgstr "" "- -r = ÒÅËÕÒÓÉ×ÎÏ ÐÏ ÐÏÄËÁÔÁÌÏÇÁÍ, -v = ÐÏÄÒÏÂÎÏ, ÎÅ ÓÌÅÄÏ×ÁÔØ ÓÉÍ×. " "ÓÓÙÌËÁÍ,\n" #: src/attr_back_net.c:65 #, fuzzy, c-format msgid " valid targets: NETDEV, NETTEMP\n" msgstr "- ×ÏÚÍÏÖÎÙÅ ÏÂßÅËÔÙ: NETDEV, NETTEMP\n" #: src/attr_back_net.c:77 #, fuzzy, c-format msgid "# Processing NETDEV '%s'\n" msgstr "ïÂÒÁÂÏÔËÁ NETDEV '%s'\n" #: src/attr_back_net.c:147 #, fuzzy, c-format msgid "# Processing NETTEMP %u\n" msgstr "ïÂÒÁÂÏÔËÁ NETTEMP '%u'\n" #: src/attr_back_net.c:346 #, c-format msgid "invalid target %s\n" msgstr "îÅ×ÅÒÎÙÊ ÏÂßÅËÔ %s\n" #: src/attr_back_user.c:74 #, fuzzy, c-format msgid "Use: %s [flags] [username(s)]\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ÐÁÒÁÍÅÔÒÙ] ÆÁÊÌ/ËÁÔÁÌÏÇ(É)\n" #: src/attr_back_user.c:75 #, fuzzy, c-format msgid " -a = process all users, -v = verbose,\n" msgstr "- -a = ÏÂÒÁÂÁÔÙ×ÁÔØ ×ÓÅÈ ÐÏÌØÚÏ×ÁÔÅÌÅÊ, -v = ÐÏÄÒÏÂÎÏ,\n" #: src/attr_back_user.c:76 #, fuzzy, c-format msgid " -n = show numeric uid not username,\n" msgstr "- -n = ÉÓÐÏÌØÚÏ×ÁÔØ UID, Á ÎÅ ÉÍÑ ÐÏÌØÚÏ×ÁÔÅÌÑ,\n" #: src/attr_back_user.c:93 #, fuzzy, c-format msgid "# Processing user %s\n" msgstr "ïÂÒÁÂÁÔÙ×ÁÅÔÓÑ ÐÏÌØÚÏ×ÁÔÅÌØ %s\n" #: src/attr_back_user.c:95 #, fuzzy, c-format msgid "# Processing user %u\n" msgstr "ïÂÒÁÂÁÔÙ×ÁÅÔÓÑ ÐÏÌØÚÏ×ÁÔÅÌØ %s\n" #: src/attr_get_fd.c:40 #, c-format msgid "Use: %s [switches] module target-type attribute file/dirname(s)\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ÐÁÒÁÍÅÔÒÙ] ÍÏÄÕÌØ ÔÉÐ-ÏÂßÅËÔÁ ÁÔÒÉÂÕÔ ÆÁÊÌ/ËÁÔÁÌÏÇ\n" #: src/attr_get_fd.c:41 src/attr_get_net.c:44 #, fuzzy, c-format msgid " -v = verbose, -e = show effective (maybe inherited) value, not real\n" msgstr "" "- -v = ÐÏÄÒÏÂÎÏ, -e = ÐÏËÁÚÙ×ÁÔØ ÜÆÆÅËÔÉ×ÎÏÅ (×ÏÚÍÏÖÎÏ ÎÁÓÌÅÄÏ×ÁÎÎÏÅ) " "ÚÎÁÞÅÎÉÅ, ÎÅ ÎÁÓÔÏÑÝÅÅ\n" #: src/attr_get_fd.c:42 
src/attr_set_net.c:44 #, fuzzy, c-format msgid " -r = recurse into subdirs, -n = list all requests\n" msgstr "- -r = ×Ù×ÅÓÔÉ ÚÁÐÒÏÓÙ, -n = ÓÐÉÓÏË ×ÓÅÈ ÚÁÐÒÏÓÏ×\n" #: src/attr_get_fd.c:43 src/attr_get_file_dir.c:38 src/attr_get_group.c:33 #: src/attr_get_net.c:46 src/attr_get_process.c:34 src/attr_get_up.c:28 #: src/attr_get_user.c:35 src/attr_set_net.c:45 #, fuzzy, c-format msgid " -a = list attributes and values\n" msgstr "- -n = ÓÐÉÓÏË ÚÁÐÒÏÓÏ× É ÚÎÁÞÅÎÉÊ\n" #: src/attr_get_fd.c:45 src/attr_get_group.c:35 src/attr_get_up.c:30 #: src/attr_get_user.c:37 src/attr_set_fd.c:46 src/attr_set_process.c:35 #: src/attr_set_up.c:28 #, fuzzy, c-format msgid " module = GEN, MAC, FC, SIM, PM, MS, FF, RC or AUTH\n" msgstr "- ÍÏÄÕÌØ = GEN, MAC, FC, SIM, PM, MS, FF, RC or AUTH\n" # #: src/attr_get_fd.c:46 src/attr_rm_fd.c:41 src/attr_set_fd.c:47 #: src/rc_get_eff_rights_fd.c:43 #, fuzzy, c-format msgid " target-type = FILE, DIR, FIFO, SYMLINK, DEV or FD\n" msgstr "- ÔÉÐ-ÏÂßÅËÔÁ = FILE, DIR, FIFO, SYMLINK, DEV ÉÌÉ FD\n" #: src/attr_get_fd.c:47 #, fuzzy, c-format msgid " (FD: let %s decide between FILE, DIR, FIFO and SYMLINK, no DEV)\n" msgstr " (FD: %s ×ÙÂÉÒÁÔØ ÉÚ FILE, DIR, FIFO É SYMLINK, ÎÏ ÎÅ DEV),\n" #: src/attr_get_fd.c:57 src/attr_get_net.c:89 src/attr_set_net.c:191 #, c-format msgid "Processing %s '%s', attribute %s\n" msgstr "ïÂÒÁÂÁÔÙ×ÁÅÔÓÑ %s '%s', ÁÔÔÒÉÂÕÔ %s\n" #: src/attr_get_fd.c:69 #, c-format msgid "%s: %s\n" msgstr "" #: src/attr_get_fd.c:77 src/attr_get_fd.c:81 src/attr_get_fd.c:107 #: src/attr_get_fd.c:121 src/attr_get_net.c:113 src/attr_get_net.c:124 #, c-format msgid "%s: Returned value: %s\n" msgstr "%s: ÷ÏÚ×ÒÁÝÅÎÏ ÚÎÁÞÅÎÉÅ: %s\n" #: src/attr_get_fd.c:85 src/attr_get_fd.c:101 src/attr_get_fd.c:116 #: src/attr_get_net.c:106 src/attr_get_net.c:149 src/attr_get_net.c:162 #, c-format msgid "%s: Returned value: %u\n" msgstr "%s: ÷ÏÚ×ÒÁÝÅÎÏ ÚÎÁÞÅÎÉÅ: %u\n" #: src/attr_get_fd.c:125 src/attr_get_net.c:170 #, c-format msgid "%s: Returned value: %i\n" msgstr "%s: 
÷ÏÚ×ÒÁÝÅÎÏ ÚÎÁÞÅÎÉÅ: %i\n" #: src/attr_get_fd.c:222 src/attr_get_net.c:282 src/attr_set_net.c:259 #, c-format msgid "- attribute (string) and returned value = see following lists:\n" msgstr "- ÁÔÒÉÂÕÔ (ÓÔÒÏËÁ) É ×ÏÚ×ÒÁÝÁÅÍÏÅ ÚÎÁÞÅÎÉÅ = ÓÍ. ÓÌÅÄ. ÓÐÉÓËÉ:\n" # #: src/attr_get_fd.c:223 src/attr_get_file_dir.c:167 src/attr_set_fd.c:164 #: src/attr_set_file_dir.c:122 #, c-format msgid "- FILE, DIR, FIFO and SYMLINK:\n" msgstr "- FILE, DIR, FIFO É SYMLINK:\n" #: src/attr_get_fd.c:280 #, c-format msgid "%s: invalid target type %s\n" msgstr "%s: îÅ×ÅÒÎÙÊ ÔÉÐ ÏÂßÅËÔÁ %s\n" #: src/attr_get_file_dir.c:30 #, c-format msgid "Use: %s module target-type file/dirname attribute [request]\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s ÍÏÄÕÌØ ÔÉÐ-ÏÂßÅËÔÁ ÆÁÊÌ/ËÁÔÁÌÏÇ ÁÔÒÉÂÕÔ [ÚÁÐÒÏÓ]\n" #: src/attr_get_file_dir.c:31 #, c-format msgid "Use: %s module target-type file/dirname attribute [position]\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s ÍÏÄÕÌØ ÔÉÐ-ÏÂßÅËÔÁ ÆÁÊÌ/ËÁÔÁÌÏÇ ÁÔÒÉÂÕÔ [ÐÏÚÉÃÉÑ]\n" #: src/attr_get_file_dir.c:32 #, c-format msgid "Use: %s list_category_nr\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s list_category_nr\n" #: src/attr_get_file_dir.c:33 src/attr_get_user.c:31 #, fuzzy, c-format msgid " -e = show effective (maybe inherited) value, not real\n" msgstr "" "- -e = ÐÏËÁÚÙ×ÁÔØ ÜÆÆÅËÔÉ×ÎÏÅ (×ÏÚÍÏÖÎÏ ÎÁÓÌÅÄÏ×ÁÎÎÏÅ) ÚÎÁÞÅÎÉÅ, ÎÅ " "ÎÁÓÔÏÑÝÅÅ\n" #: src/attr_get_file_dir.c:35 #, fuzzy, c-format msgid " -p = print requests, -n [target] = list all requests [for target]\n" msgstr "" "- -p = ×Ù×ÅÓÔÉ ÚÁÐÒÏÓÙ, -n [ÏÂßÅËÔ] = ÓÐÉÓÏË ×ÓÅÈ ÚÁÐÒÏÓÏ× [ÄÌÑ ÏÂßÅËÔÁ]\n" #: src/attr_get_file_dir.c:36 src/attr_get_user.c:34 #, fuzzy, c-format msgid " -c list all Linux capabilities, -R = list all RES resource names\n" msgstr "" "- -c ÓÐÉÓÏË ×ÓÅÈ Linux capabilities, -R = ÓÐÉÓÏË ×ÓÅÈ ÉͣΠÒÅÓÕÒÓÏ× RES\n" #: src/attr_get_file_dir.c:37 #, c-format msgid "" " -C path = convert path to device special file to device specification\n" msgstr "" #: src/attr_get_file_dir.c:40 #, fuzzy, c-format msgid " module = GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH, RES 
or PAX\n" msgstr "- ÍÏÄÕÌØ = GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH or RES\n" # #: src/attr_get_file_dir.c:41 src/attr_rm_file_dir.c:31 #, fuzzy, c-format msgid " target-type = FILE, DIR, FIFO, SYMLINK or DEV\n" msgstr "- ÔÉÐ-ÏÂßÅËÔÁ = FILE, DIR, FIFO, SYMLINK ÉÌÉ DEV\n" #: src/attr_get_file_dir.c:166 src/attr_get_group.c:167 #: src/attr_get_process.c:97 src/attr_get_up.c:89 src/attr_get_user.c:189 #: src/attr_set_group.c:109 src/attr_set_user.c:109 #, c-format msgid "- attribute (string) and returned value = see following list:\n" msgstr "- ÁÔÒÉÂÕÔ (ÓÔÒÏËÁ) É ×ÏÚ×ÒÁÝÁÅÍÏÅ ÚÎÁÞÅÎÉÅ = ÓÍ. ÓÄÅÌ. ÓÐÉÓÏË:\n" #: src/attr_get_file_dir.c:168 src/attr_get_file_dir.c:179 #, c-format msgid "" "log_level\t\t(additional parameter request-type)\n" "\t\t\t0=none, 1=denied, 2=full, 3=request based\n" msgstr "" "log_level\t\t(ÄÏÐÏÌÎÉÔÅÌØÎÙÊ ÐÁÒÁÍÅÔÒ ÔÉÐ-ÚÁÐÒÏÓÁ)\n" "\t\t\t0=ÎÅÔ, 1=ÏÔËÁÚÙ, 2=ÐÏÌÎÙÊ, 3=ÐÏ-ÚÁÐÒÏÓÕ\n" #: src/attr_get_file_dir.c:169 src/attr_get_file_dir.c:180 #, c-format msgid "" "mac_categories\t\t(with additional parameter position)\n" "\t\t\t0=no, 1=yes\n" msgstr "" "mac_categories\t\t(Ó ÄÏÐÏÌÎÉÔÅÌØÎÙÍ ÐÁÒÁÍÅÔÒÏÍ ÐÏÚÉÃÉÉ)\n" "\t\t\t0=ÎÅÔ, 1=ÄÁ\n" #: src/attr_get_file_dir.c:177 src/attr_get_user.c:197 #: src/attr_set_file_dir.c:130 #, c-format msgid "" "[RES ] res_min|res_max (with additional parameter position)\n" "\tnon-negative integer (0 for unset)\n" msgstr "" "[RES ] res_min|res_max(Ó ÄÏÐÏÌÎÉÔÅÌØÎÙÍ ÐÁÒÁÍÅÔÒÏÍ ÐÏÚÉÃÉÉ)\n" "\tÎÅÏÔÒÉÃÁÔÅÌØÎÏÅ ÃÅÌÏÅ (0 ÏÚÎÁÞÁÅÔ ÏÔÍÅÎÕ)\n" #: src/attr_get_file_dir.c:220 #, c-format msgid "%s: %s is no device special file\n" msgstr "" #: src/attr_get_file_dir.c:227 #, fuzzy, c-format msgid "%s: missing path for parameter %c\n" msgstr "%s: ÏÔÓÕÔÓÔ×ÕÅÔ ÓÐÉÓÏË capabilities ÄÌÑ ÐÁÒÁÍÅÔÒÁ %c\n" #: src/attr_get_file_dir.c:370 src/attr_get_file_dir.c:430 #: src/attr_set_file_dir.c:739 #, c-format msgid "Invalid request type %s\n" msgstr "îÅ×ÅÒÎÙÊ ÔÉÐ ÚÁÐÒÏÓÁ %s\n" #: src/attr_get_file_dir.c:406 src/attr_get_file_dir.c:466 #: 
src/attr_get_ipc.c:128 src/attr_get_process.c:262 src/attr_get_user.c:386 #: src/attr_get_user.c:418 src/attr_set_file_dir.c:813 #: src/attr_set_file_dir.c:861 src/attr_set_ipc.c:122 #: src/attr_set_process.c:399 src/attr_set_user.c:600 src/attr_set_user.c:633 #, c-format msgid "Invalid position counter %s\n" msgstr "îÅ×ÅÒÎÙÊ ÓÞ£ÔÞÉË ÐÏÚÉÃÉÉ %s\n" #: src/attr_get_file_dir.c:431 src/attr_set_file_dir.c:740 #, c-format msgid "Valid request types:\n" msgstr "÷ÅÒÎÙÅ ÔÉÐÙ ÚÁÐÒÏÓÏ×:\n" #: src/attr_get_group.c:30 #, fuzzy, c-format msgid "" "Use: %s [switches] module group attribute [position|request-name]\n" "\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ÐÁÒÁÍÅÔÒÙ] ÍÏÄÕÌØ ÐÏÌØÚÏ×ÁÔÅÌØ ÁÔÒÉÂÕÔ [ÐÏÚÉÃÉÑ|ÉÍÑ-" "ÚÁÐÒÏÓÁ]\n" "\n" #: src/attr_get_group.c:31 src/attr_get_user.c:32 #, fuzzy, c-format msgid " -n = numeric value, -b = both names and numbers,\n" msgstr "" "- -n = ÞÉÓÌÏ×ÏÅ ÚÎÁÞÅÎÉÅ, -b = É ÉÍÅÎÁ É ÞÉÓÌÁ, -l ÓÐÉÓÏË ×ÓÅÈ " "ÐÏÌØÚÏ×ÁÔÅÌÅÊ\n" #: src/attr_get_group.c:32 src/attr_get_user.c:33 #, fuzzy, c-format msgid " -l list all users, -L list all Linux groups\n" msgstr "- -n = ÓÐÉÓÏË ×ÓÅÈ ÚÁÐÒÏÓÏ×, -n = ÓÐÉÓÏË ×ÓÅÈ ÏÂßÅËÔÏ×\n" #: src/attr_get_group.c:232 src/attr_get_ipc.c:151 src/attr_get_process.c:145 #: src/attr_get_process.c:255 src/attr_get_up.c:153 src/attr_get_user.c:282 #: src/attr_set_group.c:177 src/attr_set_ipc.c:158 src/attr_set_process.c:323 #: src/attr_set_process.c:392 src/attr_set_user.c:448 #, c-format msgid "%s: Invalid Attribute %s!\n" msgstr "%s: îÅ×ÅÒÎÙÊ ÁÔÒÉÂÕÔ %s!\n" #: src/attr_get_ipc.c:32 #, fuzzy, c-format msgid "Use: %s [flags] ipc-type id attribute\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s ÍÏÄÕÌØ PID ÁÔÒÉÂÕÔ ÚÎÁÞÅÎÉÅ\n" #: src/attr_get_ipc.c:35 #, fuzzy, c-format msgid " ipc-types: sem, msg, shm, anonpipe,\n" msgstr "- ÔÉÐÙ-ipc: sem, msg, shm, sockid,\n" #: src/attr_get_ipc.c:36 #, fuzzy, c-format msgid " attribute (string) and returned value = see following list:\n" msgstr "- ÁÔÒÉÂÕÔ (ÓÔÒÏËÁ) É ×ÏÚ×ÒÁÝÁÅÍÏÅ ÚÎÁÞÅÎÉÅ = ÓÍ. ÓÄÅÌ. 
ÓÐÉÓÏË:\n" #: src/attr_get_ipc.c:118 src/attr_get_ipc.c:142 src/attr_set_ipc.c:149 #, c-format msgid "%s: Invalid IPC type %s!\n" msgstr "%s: îÅ×ÅÒÎÙÊ ÔÉÐ IPC %s!\n" #: src/attr_get_net.c:43 #, c-format msgid "" "Use: %s [-v] [-e] module target-type attribute [CAT category] [request] id" "(s)\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [-v] [-e] ÍÏÄÕÌØ ÔÉÐ-ÏÂßÅËÔÁ ÁÔÒÉÂÕÔ [CAT ËÁÔÅÇÏÒÉÑ ] " "[ÚÁÐÒÏÓ] ÉÄÅÎÔÉÆÉËÁÔÏÒ(Ù)\n" #: src/attr_get_net.c:45 #, fuzzy, c-format msgid "" " -r = recurse into subdirs, -n [target] = list all requests [for target]\n" msgstr "" "- -r = ÒÅËÕÒÓÉ×ÎÏ ÐÏ ÐÏÄËÁÔÁÌÏÇÁÍ, -n [ÏÂßÅËÔ] = ÓÐÉÓÏË ×ÓÅÈ ÚÁÐÒÏÓÏ× [ÄÌÑ " "ÏÂßÅËÔÁ]\n" #: src/attr_get_net.c:47 #, fuzzy, c-format msgid " -d = list NETDEV targets with non-default attribute values\n" msgstr "" "- -d = ÓÐÉÓÏË ×ÓÅÈ ÏÂßÅËÔÏ× NETDEV ÄÌÑ ÎÅÓÔÁÎÄÁÒÔÎÙÈ ÚÎÁÞÅÎÉÊ ÁÔÒÉÂÕÔÏ×\n" #: src/attr_get_net.c:49 src/attr_set_net.c:48 #, fuzzy, c-format msgid " module = GEN, MAC, FC, SIM, PM, MS or RC\n" msgstr "- ÍÏÄÕÌØ = GEN, MAC, FC, SIM, PM, MS or RC\n" #: src/attr_get_net.c:50 src/attr_set_net.c:49 #, fuzzy, c-format msgid " target-type = NETDEV, NETTEMP or NETOBJ\n" msgstr "- ÔÉÐ-ÏÂßÅËÔÁ = NETDEV, NETTEMP or NETOBJ\n" #: src/attr_get_net.c:51 src/attr_set_net.c:50 #, fuzzy, c-format msgid " category = category number for mac_categories\n" msgstr "- ËÁÔÅÇÏÒÉÑ = ÎÏÍÅÒ ËÁÔÅÇÏÒÉÉ ÄÌÑ mac_categories\n" #: src/attr_get_net.c:52 src/attr_set_net.c:51 #, fuzzy, c-format msgid " request = request number for log_array_low|high\n" msgstr "- ÚÁÐÒÏÓ = ÎÏÍÅÒ ÚÁÐÒÏÓÁ ÄÌÑ log_array_low|high\n" #: src/attr_get_net.c:84 src/attr_set_net.c:76 #, c-format msgid "Internal error on %s %s!\n" msgstr "÷ÎÕÔÒÅÎÎÑÑ ÏÛÉÂËÁ ÎÁ %s %s!\n" #: src/attr_get_net.c:353 src/attr_set_net.c:342 #, c-format msgid "%s: invalid target %s\n" msgstr "%s: ÎÅ×ÅÒÎÙÊ ÏÂßÅËÔ %s\n" #: src/attr_get_process.c:32 #, c-format msgid "Use: %s [switches] module pid attribute [bit-no]\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ÐÁÒÁÍÅÔÒÙ] ÍÏÄÕÌØ PID ÁÔÒÉÂÕÔ [ÎÏÍÅÒ-ÂÉÔÁ]\n" #: 
src/attr_get_process.c:33 #, fuzzy, c-format msgid " -p = print all request names, -n = list all request names\n" msgstr "- -p = ×Ù×ÅÓÔÉ ÉÍÅÎÁ ×ÓÅÈ ÚÁÐÒÏÓÏ×, -n = ÓÐÉÓÏË ×ÓÅÈ ÉͣΠÚÁÐÒÏÓÏ×\n" #: src/attr_get_process.c:36 #, fuzzy, c-format msgid " module = GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH or PAX\n" msgstr "- ÍÏÄÕÌØ = GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH or RES\n" #: src/attr_get_process.c:37 #, fuzzy, c-format msgid "" " categories and log_program_based\t(with additional parameter bit-no)\n" "\t\t\t0=no, 1=yes\n" msgstr "" "categories and log_program_based\t(Ó ÄÏÐÏÌÎÉÔÅÌØÎÙÍ ÐÁÒÁÍÅÔÒÏÍ ÎÏÍÅÒ-ÂÉÔÁ)\n" "\t\t\t0=ÎÅÔ, 1=ÄÁ\n" #: src/attr_get_up.c:27 #, c-format msgid "" "Use: %s [switches] module target-type attribute user(s)/proc-no.\n" "\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ÐÁÒÁÍÅÔÒÙ] ÍÏÄÕÌØ ÔÉÐ-ÏÂßÅËÔÁ ÁÔÒÉÂÕÔ ÐÏÌØÚÏ×ÁÔÅÌØ/" "ÐÒÏÃÅÓÓ.\n" "\n" #: src/attr_get_up.c:31 #, fuzzy, c-format msgid " target-type = USER or PROCESS,\n" msgstr "- ÔÉÐ-ÏÂßÅËÔÁ = USER or PROCESS,\n" #: src/attr_get_up.c:147 src/attr_set_up.c:156 src/auth_set_cap.c:199 #: src/auth_set_cap.c:269 src/mac_set_trusted.c:175 src/mac_set_trusted.c:224 #, c-format msgid "%s: Invalid Target %s!\n" msgstr "%s: îÅ×ÅÒÎÙÊ ÏÂßÅËÔ %s!\n" #: src/attr_get_up.c:162 #, c-format msgid "Processing process %i, attribute %s (No. %i)\n" msgstr "ïÂÒÁÂÁÔÙ×ÁÅÔÓÑ ÐÒÏÃÅÓÓ %i, ÁÔÒÉÂÕÔ %s (No. %i)\n" #: src/attr_get_up.c:171 #, c-format msgid "" "Invalid user %s!\n" "\n" msgstr "" "îÅ×ÅÒÎÙÊ ÐÏÌØÚÏ×ÁÔÅÌØ %s!\n" "\n" #: src/attr_get_up.c:174 #, c-format msgid "Processing user %s (uid %i), attribute %s (No. %i)\n" msgstr "ïÂÒÁÂÁÔÙ×ÁÅÔÓÑ ÐÏÌØÚÏ×ÁÔÅÌØ %s (uid %i), ÁÔÒÉÂÕÔ %s (No. 
%i)\n" #: src/attr_get_up.c:206 #, c-format msgid "Returned value: %u\n" msgstr "÷ÏÚ×ÒÁÝ£ÎÎÏÅ ÚÎÁÞÅÎÉÅ: %u\n" #: src/attr_get_up.c:209 #, c-format msgid "Returned value: %i\n" msgstr "÷ÏÚ×ÒÁÝ£ÎÎÏÅ ÚÎÁÞÅÎÉÅ: %i\n" #: src/attr_get_user.c:30 #, c-format msgid "" "Use: %s [switches] module user attribute [position|request-name]\n" "\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ÐÁÒÁÍÅÔÒÙ] ÍÏÄÕÌØ ÐÏÌØÚÏ×ÁÔÅÌØ ÁÔÒÉÂÕÔ [ÐÏÚÉÃÉÑ|ÉÍÑ-" "ÚÁÐÒÏÓÁ]\n" "\n" #: src/attr_get_user.c:38 #, fuzzy, c-format msgid "" " mac_[min_]categories\t\t(with additional parameter position)\n" "\t\t\t0=no, 1=yes\n" msgstr "" "mac_[min_]categories\t\t(Ó ÄÏÐÏÌÎÉÔÅÌØÎÙÍ ÐÁÒÁÍÅÔÒÏÍ ÐÏÚÉÃÉÉ)\n" "\t\t\t0=ÎÅÔ, 1=ÄÁ\n" #: src/attr_get_user.c:39 #, fuzzy, c-format msgid "" " log_user_based\t(with additional parameter request-name)\n" "\t\t\t0=no, 1=yes\n" msgstr "" "log_user_based\t(Ó ÄÏÐÏÌÎÉÔÅÌØÎÙÍ ÐÁÒÁÍÅÔÒÏÍ ÉÍÑ-ÚÁÐÒÏÓÁ)\n" "\t\t\t0=ÎÅÔ, 1=ÄÁ\n" #: src/attr_get_user.c:399 #, c-format msgid "Invalid request %s\n" msgstr "îÅ×ÅÒÎÙÊ ÚÁÐÒÏÓ %s\n" #: src/attr_rm_fd.c:38 #, c-format msgid "Use: %s [-v] [-r] target-type file/dirname(s)\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [-v] [-r] ÔÉÐ-ÏÂßÅËÔÁ ÆÁÊÌ/ËÁÔÁÌÏÇ\n" #: src/attr_rm_fd.c:42 src/attr_set_fd.c:48 src/rc_get_eff_rights_fd.c:44 #, fuzzy, c-format msgid " (FD: let %s decide between FILE, DIR, FIFO and SYMLINK, no DEV),\n" msgstr " (FD: %s ×ÙÂÉÒÁÔØ ÉÚ FILE, DIR, FIFO É SYMLINK, ÎÏ ÎÅ DEV),\n" #: src/attr_rm_fd.c:52 #, c-format msgid "Processing '%s'\n" msgstr "ïÂÒÁÂÁÔÙ×ÁÅÔÓÑ '%s'\n" #: src/attr_rm_file_dir.c:28 #, fuzzy, c-format msgid "Use: %s [flags] target-type file/dirname\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s ÔÉÐ-ÏÂßÅËÔÁ ÆÁÊÌ/ËÁÔÁÌÏÇ\n" #: src/attr_rm_group.c:27 #, fuzzy, c-format msgid "" "Use: %s [flags] group(s)\n" "\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s ÐÏÌØÚÏ×ÁÔÅÌØ(ÌÉ)\n" "\n" #: src/attr_rm_group.c:83 #, fuzzy, c-format msgid "" "%s: %i groups\n" "\n" msgstr "" "%s: %i ÐÏÌØÚÏ×ÁÔÅÌÅÊ\n" "\n" #: src/attr_rm_group.c:88 #, fuzzy, c-format msgid "" "Invalid Group %s!\n" "\n" msgstr "" 
"îÅ×ÅÒÎÙÊ ÐÏÌØÚÏ×ÁÔÅÌØ %s!\n" "\n" #: src/attr_rm_group.c:91 #, fuzzy, c-format msgid "Processing group %s (gid %i)\n" msgstr "ïÂÒÁÂÁÔÙ×ÁÅÔÓÑ ÐÏÌØÚÏ×ÁÔÅÌØ %s (uid %i)\n" #: src/attr_rm_user.c:27 #, fuzzy, c-format msgid "" "Use: %s [flags] user(s)\n" "\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s ÐÏÌØÚÏ×ÁÔÅÌØ(ÌÉ)\n" "\n" #: src/attr_rm_user.c:83 #, c-format msgid "" "%s: %i users\n" "\n" msgstr "" "%s: %i ÐÏÌØÚÏ×ÁÔÅÌÅÊ\n" "\n" #: src/attr_rm_user.c:88 #, c-format msgid "" "Invalid User %s!\n" "\n" msgstr "" "îÅ×ÅÒÎÙÊ ÐÏÌØÚÏ×ÁÔÅÌØ %s!\n" "\n" #: src/attr_rm_user.c:91 #, c-format msgid "Processing user %s (uid %i)\n" msgstr "ïÂÒÁÂÁÔÙ×ÁÅÔÓÑ ÐÏÌØÚÏ×ÁÔÅÌØ %s (uid %i)\n" #: src/attr_set_fd.c:40 #, c-format msgid "Use: %s [-v] [-r] module target-type attribute value file/dirname(s)\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [-v] [-r] ÍÏÄÕÌØ ÔÉÐ-ÏÂßÅËÔÁ ÁÔÒÉÂÕÔ ÚÎÁÞÅÎÉÅ ÆÁÊÌ/" "ËÁÔÁÌÏÇ\n" #: src/attr_set_fd.c:42 #, fuzzy, c-format msgid " -n = list all requests\n" msgstr "- -n = ÓÐÉÓÏË ×ÓÅÈ ÚÁÐÒÏÓÏ×\n" #: src/attr_set_fd.c:43 src/attr_set_file_dir.c:33 src/attr_set_group.c:31 #: src/attr_set_process.c:33 src/attr_set_user.c:31 #, fuzzy, c-format msgid " -A = list attributes and values\n" msgstr " -A = ÓÐÉÓÏË ÁÔÒÉÂÕÔÏ× É ÚÎÁÞÅÎÉÊ\n" #: src/attr_set_fd.c:59 #, c-format msgid "Processing %s '%s', attribute %s, value %i\n" msgstr "ïÂÒÁÂÁÔÙ×ÁÅÔÓÑ %s '%s', ÁÔÒÉÂÕÔ %s, ÚÎÁÞÅÎÉÅ %i\n" #: src/attr_set_fd.c:163 src/attr_set_file_dir.c:119 #: src/attr_set_process.c:108 src/attr_set_up.c:88 #, c-format msgid "- attribute (string) and value (integer) = see following list:\n" msgstr "- ÁÔÒÉÂÕÔ (ÓÔÒÏËÁ) É ÚÎÁÞÅÎÉÅ (ÃÅÌÏÅ) = ÓÍ. ÓÌÅÄ. 
ÓÐÉÓÏË:\n" #: src/attr_set_fd.c:245 src/attr_set_file_dir.c:475 src/attr_set_group.c:190 #: src/attr_set_up.c:163 src/attr_set_user.c:461 #, c-format msgid "%s: Invalid attribute %s\n" msgstr "%s: îÅ×ÅÒÎÏÅ ÚÎÁÞÅÎÉÅ %s\n" #: src/attr_set_fd.c:249 #, c-format msgid "%s: Attribute %s not supported\n" msgstr "%s: áÔÒÉÂÕÔ %s ÎÅ ÐÏÄÄÅÒÖÉ×ÁÅÔÓÑ\n" #: src/attr_set_fd.c:256 src/attr_set_file_dir.c:486 #: src/attr_set_process.c:333 src/attr_set_up.c:185 src/attr_set_user.c:472 #, c-format msgid "%s: Invalid attribute value, length must be %i\n" msgstr "%s: îÅ×ÅÒÎÏÅ ÚÎÁÞÅÎÉÅ ÁÔÒÉÂÕÔÁ, ÄÌÉÎÁ ÄÏÌÖÎÁ ÂÙÔØ %i\n" #: src/attr_set_fd.c:265 src/attr_set_fd.c:284 src/attr_set_file_dir.c:495 #: src/attr_set_file_dir.c:534 src/attr_set_process.c:342 src/mac_wrap.c:95 #, c-format msgid "%s: Invalid attribute value char, must be 0 or 1\n" msgstr "%s: îÅ×ÅÒÎÙÊ ÓÉÍ×ÏÌ × ÚÎÁÞÅÎÉÉ ÁÔÒÉÂÕÔÁ, ÄÏÌÖÅÎ ÂÙÔØ 0 ÉÌÉ 1\n" # c-format #: src/attr_set_file_dir.c:28 #, c-format msgid "Use: %s module target-type file/dirname attribute [request] value\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s ÍÏÄÕÌØ ÔÉÐ-ÏÂßÅËÔÁ ÆÁÊÌ/ËÁÔÁÌÏÇ ÁÔÒÉÂÕÔ [ÚÁÐÒÏÓ] ÚÎÁÞÅÎÉÅ\n" #: src/attr_set_file_dir.c:29 #, c-format msgid "Use: %s module target-type file/dirname attribute [position] value\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s ÍÏÄÕÌØ ÔÉÐ-ÏÂßÅËÔÁ ÆÁÊÌ/ËÁÔÁÌÏÇ ÁÔÒÉÂÕÔ [ÐÏÚÉÃÉÑ] " "ÚÎÁÞÅÎÉÅ\n" #: src/attr_set_file_dir.c:30 #, c-format msgid "" "Use: %s [switches] module target-type filename log_program_based [list-of-" "requests]\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ÐÁÒÁÍÅÔÒÙ] ÍÏÄÕÌØ ÔÉÐ-ÏÂßÅËÔÁ ÆÁÊÌ log_program_based " "[ÓÐÉÓÏË-ÚÁÐÒÏÓÏ×]\n" #: src/attr_set_file_dir.c:31 #, fuzzy, c-format msgid "" " -a = add, not set, -m = remove not set, -p = print resulting requests,\n" msgstr "" "ËÌÀÞÉ: -a = ÄÏÂÁ×ÉÔØ, ÎÅ ÕÓÔÁÎÁ×ÌÉ×ÁÔØ, -m = ÕÄÁÌÉÔØ, ÎÅ ÕÓÔÁÎÁ×ÌÉ×ÁÔØ, -p = " "×Ù×ÏÄ ÒÅÚÕÌØÔÉÒ.ÚÁÐÒÏÓÏ×,\n" #: src/attr_set_file_dir.c:36 #, fuzzy, c-format msgid " module = GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH or RES\n" msgstr "- ÍÏÄÕÌØ = GEN, MAC, FC, SIM, PM, MS, FF, 
RC, AUTH or RES\n" #: src/attr_set_file_dir.c:37 #, fuzzy, c-format msgid " target-type = FILE, DIR, FIFO, SYMLINK or DEV,\n" msgstr "- ÔÉÐ-ÏÂßÅËÔÁ = FILE, DIR, FIFO, SYMLINK ÉÌÉ DEV,\n" #: src/attr_set_file_dir.c:120 #, c-format msgid "" "[GEN ] log_level (additional parameter request-type)\n" "\t0=none, 1=denied, 2=full, 3=request-based\n" msgstr "" "[GEN] log_level\t\t(ÄÏÐÏÌÎÉÔÅÌØÎÙÊ ÐÁÒÁÍÅÔÒ ÔÉÐ-ÚÁÐÒÏÓÁ)\n" "\t\t\t0=ÎÅÔ, 1=ÏÔËÁÚÙ, 2=ÐÏÌÎÙÊ, 3=ÐÏ-ÚÁÐÒÏÓÕ\n" #: src/attr_set_file_dir.c:121 #, c-format msgid "" "[GEN ] mac_categories (with additional parameter position)\n" "\t0=no, 1=yes\n" msgstr "" "[GEN ] mac_categories\t\t(Ó ÄÏÐÏÌÎÉÔÅÌØÎÙÍ ÐÁÒÁÍÅÔÒÏÍ ÐÏÚÉÃÉÉ)\n" "\t\t\t0=ÎÅÔ, 1=ÄÁ\n" #: src/attr_set_file_dir.c:223 #, c-format msgid "%s: Invalid request vector %s\n" msgstr "%s: îÅ×ÅÒÎÙÊ ×ÅËÔÏÒ ÚÁÐÒÏÓÁ %s\n" #: src/attr_set_file_dir.c:397 src/attr_set_user.c:371 #, c-format msgid "%s: Invalid cap vector %s\n" msgstr "%s: îÅ×ÅÒÎÙÊ ×ÅËÔÏÒ capabilities %s\n" #: src/attr_set_file_dir.c:479 src/attr_set_up.c:167 src/attr_set_user.c:465 #, c-format msgid "%s: Invalid number of arguments for attribute %s\n" msgstr "%s: îÅ×ÅÒÎÏÅ ËÏÌÉÞÅÓÔ×Ï ÁÒÇÕÍÅÎÔÏ× ÄÌÑ ÁÔÒÉÂÕÔÁ %s\n" #: src/attr_set_file_dir.c:712 #, c-format msgid "Setting attribute %s for %s to value %lu\n" msgstr "õÓÔÁÎÏ×ËÁ ÁÔÒÉÂÕÔÁ %s ÄÌÑ %s × ÚÎÁÞÅÎÉÅ %lu\n" #: src/attr_set_file_dir.c:755 #, c-format msgid "Invalid log_level value %s\n" msgstr "îÅ×ÅÒÎÏÅ ÚÎÁÞÅÎÉÅ log_level %s\n" #: src/attr_set_file_dir.c:819 src/attr_set_ipc.c:128 src/attr_set_net.c:148 #: src/attr_set_process.c:405 src/attr_set_user.c:606 #, c-format msgid "Invalid value %s\n" msgstr "îÅ×ÅÒÎÏÅ ÚÎÁÞÅÎÉÅ %s\n" #: src/attr_set_group.c:28 src/attr_set_user.c:28 #, c-format msgid "" "Use: %s module user attribute [position] value\n" "\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s ÍÏÄÕÌØ ÐÏÌØÚÏ×ÁÔÅÌØ ÁÔÒÉÂÕÔ [ÐÏÚÉÃÉÑ] ÚÎÁÞÅÎÉÅ\n" "\n" #: src/attr_set_group.c:29 src/attr_set_user.c:29 #, c-format msgid "" "Use: %s [switches] module user log_user_based 
[request-list]\n" "\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ÐÁÒÁÍÅÔÒÙ] ÍÏÄÕÌØ ÐÏÌØÚÏ×ÁÔÅÌØ log_user_based [ÓÐÉÓÏË-" "ÚÁÐÒÏÓÏ×]\n" "\n" #: src/attr_set_group.c:30 src/attr_set_process.c:32 src/attr_set_user.c:30 #, fuzzy, c-format msgid "" " -p = print resulting requests, -a = add, not set, -m = remove, not set\n" msgstr "" "-p = ×Ù×ÏÄ ÒÅÚÕÌØÔÉÒÕÀÝÉÈ ÚÁÐÒÏÓÏ×, -a = ÄÏÂÁ×ÉÔØ, ÎÏ ÎÅ ÕÓÔÁÎÁ×ÌÉ×ÁÔØ, -m = " "ÕÄÁÌÑÔØ, ÎÏ ÎÅ ÕÓÔÁÎÁ×ÌÉ×ÁÔØ\n" #: src/attr_set_group.c:34 src/attr_set_user.c:34 #, fuzzy, c-format msgid " module = GEN, MAC, FC, SIM, PM, DAZ, FF, RC or AUTH\n" msgstr "- ÍÏÄÕÌØ = GEN, MAC, FC, SIM, PM, MS, FF, RC or AUTH\n" #: src/attr_set_group.c:110 src/attr_set_user.c:110 #, fuzzy, c-format msgid "" "[MAC ] mac_[min_|initial_]categories (with additional parameter position)\n" "\t0=no, 1=yes\n" msgstr "" "[GEN ] mac_[min_|initial_]categories (c ÄÏÐÏÌÎÉÔÅÌØÎÙÍ ÐÁÒÁÍÅÔÒÏÍ ÐÏÚÉÃÉÉ)\n" "\t\t\t0=ÎÅÔ, 1=ÄÁ\n" #: src/attr_set_group.c:111 src/attr_set_user.c:111 #, c-format msgid "" "[GEN ] log_user_based (with space separated list of requests)\n" "\t0=no, 1=yes\n" msgstr "" "[GEN ] log_user_based\t\t(ÓÏ ÓÐÉÓËÏÍ ÚÁÐÒÏÓÏ×, ÒÁÚÄÅÌ£ÎÎÙÈ ÐÒÏÂÅÌÁÍÉ)\n" "\t\t\t0=ÎÅÔ, 1=ÄÁ\n" #: src/attr_set_ipc.c:32 #, fuzzy, c-format msgid "Use: %s ipc-type id attribute value\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s ÍÏÄÕÌØ PID ÁÔÒÉÂÕÔ ÚÎÁÞÅÎÉÅ\n" #: src/attr_set_ipc.c:34 #, fuzzy, c-format msgid "- ipc-types: sem, msg, shm, anonpipe,\n" msgstr "- ÔÉÐÙ-ipc: sem, msg, shm, sockid,\n" #: src/attr_set_ipc.c:35 #, c-format msgid "- attribute (string) and value = see following list:\n" msgstr "- ÁÔÒÉÂÕÔ (ÓÔÒÏËÁ) É ÚÎÁÞÅÎÉÅ = ÓÍ. ÓÌÅÄ. 
ÓÐÉÓÏË:\n" #: src/attr_set_net.c:42 #, c-format msgid "Use: %s [-v] [-e] module target-type attribute [request] value id(s)\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [-v] [-r] ÍÏÄÕÌØ ÔÉÐ-ÏÂßÅËÔÁ ÁÔÒÉÂÕÔ ÚÎÁÞÅÎÉÅ ÆÁÊÌ/" "ËÁÔÁÌÏÇ\n" #: src/attr_set_net.c:43 #, fuzzy, c-format msgid " -v = verbose, -m = remove all attributes\n" msgstr "- -v = ÐÏÄÒÏÂÎÏ, -m = ÕÄÁÌÉÔØ ×ÓÅ ÁÔÒÉÂÕÔÙ\n" #: src/attr_set_net.c:116 #, c-format msgid "Wrong argument length for attr mac_categories\n" msgstr "îÅ×ÅÒÎÁÑ ÄÌÉÎÁ ÁÒÇÕÍÅÎÔÁ ÄÌÑ ÁÔÒÉÂÕÔÁ mac_categories\n" #: src/attr_set_net.c:142 #, c-format msgid "Invalid request number %u\n" msgstr "îÅ×ÅÒÎÙÊ ÎÏÍÅÒ ÚÁÐÒÏÓÁ %u\n" #: src/attr_set_net.c:172 #, c-format msgid "Wrong number of arguments for attr %u\n" msgstr "îÅ×ÅÒÎÏÅ ËÏÌÉÞÅÓÔ×Ï ÁÒÇÕÍÅÎÔÏ× ÄÌÑ ÁÔÒÉÂÕÔÁ %u\n" #: src/attr_set_net.c:199 #, c-format msgid "error: %s\n" msgstr "ÏÛÉÂËÁ: %s\n" #: src/attr_set_process.c:31 #, c-format msgid "Use: %s module process-id attribute value\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s ÍÏÄÕÌØ PID ÁÔÒÉÂÕÔ ÚÎÁÞÅÎÉÅ\n" #: src/attr_set_up.c:27 #, c-format msgid "" "Use: %s [switches] module target-type attribute value user/proc-nr.\n" "\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ÐÁÒÁÍÅÔÒÙ] ÍÏÄÕÌØ ÔÉÐ-ÏÂßÅËÔÁ ÁÔÒÉÂÕÔ ÚÎÁÞÅÎÉÅ " "ÐÏÌØÚÏ×ÁÔÅÌØ/ÐÒÏÃÅÓÓ.\n" "\n" #: src/attr_set_up.c:29 #, fuzzy, c-format msgid " target-type = USER or PROCESS\n" msgstr "- ÔÉÐ-ÏÂßÅËÔÁ = USER or PROCESS,\n" #: src/attr_set_up.c:293 #, c-format msgid "Processing process %i, attribute %s (No. %i), value %i\n" msgstr "ïÂÒÁÂÁÔÙ×ÁÅÔÓÑ ÐÒÏÃÅÓÓ %i, ÁÔÒÉÂÕÔ %s (No. %i), ÚÎÁÞÅÎÉÅ %i\n" #: src/attr_set_up.c:303 #, c-format msgid "Processing user %s (uid %i), attribute %s (No. %i), value %i\n" msgstr "" "ïÂÒÁÂÁÔÙ×ÁÅÔÓÑ ÐÏÌØÚÏ×ÁÔÅÌØ %s (uid %i), ÁÔÒÉÂÕÔ %s (No. 
%i), ÚÎÁÞÅÎÉÅ %i\n" #: src/attr_set_user.c:548 #, c-format msgid "" "User %u: system_role without module, setting for MAC, FC, SIM, DAZ, FF, " "AUTH\n" msgstr "" "ðÏÌØÚÏ×ÁÔÅÌØ %u: ÓÉÓÔÅÍÎÁÑ ÒÏÌØ ÂÅÚ ÍÏÄÕÌÑ, ÕÓÔÁÎÁ×ÌÉ×ÁÅÔÓÑ ÄÌÑ MAC, FC, " "SIM, DAZ, FF, AUTH\n" #: src/auth_back_cap.c:42 #, fuzzy, c-format msgid "Use: %s [-r] [-v] [-o output-file] file/dirname(s)\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [-r] [-v] [-o ÆÁÊÌ-ÒÅÚÕÌØÔÁÔ] ÆÁÊÌ/ËÁÔÁÌÏÇ\n" #: src/auth_back_cap.c:43 #, fuzzy, c-format msgid " should be called by root with all rsbac modules switched off,\n" msgstr "" "- ÄÏÌÖÎÏ ×ÙÚÙ×ÁÔØÓÑ ÁÄÍÉÎÉÓÔÒÁÔÏÒÏÍ ÓÏ ×ÓÅÍÉ ×ÙËÌÀÞÅÎÎÙÍÉ ÍÏÄÕÌÑÍÉ RSBAC,\n" #: src/auth_back_cap.c:46 src/auth_set_cap.c:36 src/mac_back_trusted.c:43 #: src/mac_back_trusted.c:237 #, fuzzy, c-format msgid " -m = set maximum length of cap entry list per file, default is %u\n" msgstr "" " -m = ÕÓÔÁÎÏ×ÉÔØ ÍÁËÓÉÍÁÌØÎÙÊ ÒÁÚÍÅÒ ÓÐÉÓËÁ capabilities ÄÌÑ ÆÁÊÌÁ, " "ÕÍÏÌÞÁÎÉÅ - %u\n" #: src/auth_back_cap.c:47 src/mac_back_trusted.c:44 src/mac_back_trusted.c:238 #, fuzzy, c-format msgid " -o target-file = write to file, not stdout\n" msgstr "- -o target-file = ÐÉÓÁÔØ × ÆÁÊÌ ÎÅ ÎÁ ÓÔÁÎÄÁÒÔÎÙÊ ×Ù×ÏÄ\n" #: src/auth_back_cap.c:60 src/mac_back_trusted.c:56 #, c-format msgid "Processing FILE/DIR '%s'\n" msgstr "ïÂÒÁÂÏÔËÁ FILE/DIR '%s'\n" #: src/auth_back_cap.c:432 src/auth_set_cap.c:113 src/mac_back_trusted.c:166 #: src/mac_set_trusted.c:91 #, c-format msgid "%s: missing maxnum value for parameter %c\n" msgstr "%s: ÏÔÓÕÔÓÔ×ÕÅÔ ÚÎÁÞÅÎÉÅ maxnum ÄÌÑ ÐÁÒÁÍÅÔÒÁ %c\n" #: src/auth_back_cap.c:504 src/mac_back_trusted.c:216 #, c-format msgid "%s: %i targets" msgstr "%s: %i ÏÂßÅËÔÏ×" #: src/auth_set_cap.c:31 #, c-format msgid "Use: %s [switches] TYPE add/remove target first_user [last_user]\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ÐÁÒÁÍÅÔÒÙ] TYPE add/remove ÏÂßÅËÔ ÐÅÒ×ÙÊ_ÐÏÌØÚÏ×ÁÔÅÌØ " "[ÐÏÓÌ_ÐÏÌØÚÏ×ÁÔÅÌØ]\n" #: src/auth_set_cap.c:32 src/mac_set_trusted.c:32 #, c-format msgid "Use: %s [switches] TYPE get target\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s 
[ÐÁÒÁÍÅÔÒÙ] TYPE get target\n" #: src/auth_set_cap.c:33 src/mac_set_trusted.c:33 #, c-format msgid " TYPE = PROCESS (add/remove only), DIR, FILE or FD (auto-select),\n" msgstr "" " TYPE = PROCESS (ÔÏÌØËÏ ÄÏÂÁ×ÉÔØ/ÕÄÁÌÉÔØ), DIR, FILE or FD (Á×ÔÏ×ÙÂÏÒ),\n" #: src/auth_set_cap.c:34 src/mac_set_trusted.c:34 #, c-format msgid " target = pid or filename\n" msgstr " ÏÂßÅËÔ = pid ÉÌÉ ÆÁÊÌ\n" #: src/auth_set_cap.c:35 #, c-format msgid " last_user: range from first_user to last_user\n" msgstr " last_user: ÄÉÁÐÁÚÏÎ ÏÔ first_user ÄÏ last_user\n" #: src/auth_set_cap.c:37 #, fuzzy, c-format msgid " -e = get or set caps for effective uids, not real\n" msgstr " -e = ÐÏÌÕÞÉÔØ/ÕÓÔÁÎÏ×ÉÔØ caps ÄÌÑ ÜÆÆÅËÔÉ×ÎÙÈ UID, Ù ÎÅ ÒÅÁÌØÎÙÈ \n" #: src/auth_set_cap.c:38 #, fuzzy, c-format msgid " -f = get or set caps for filesystem uids, not real\n" msgstr " -f = ÐÏÌÕÞÉÔØ/ÕÓÔÁÎÏ×ÉÔØ caps ÄÌÑ ÆÁÊÌÏ×ÙÈ UID, Á ÎÅ ÒÅÁÌØÎÙÈ \n" #: src/auth_set_cap.c:39 #, fuzzy, c-format msgid " -g = get or set caps for gids, not uids\n" msgstr " -e = ÐÏÌÕÞÉÔØ/ÕÓÔÁÎÏ×ÉÔØ caps ÄÌÑ ÜÆÆÅËÔÉ×ÎÙÈ UID, Ù ÎÅ ÒÅÁÌØÎÙÈ \n" #: src/auth_set_cap.c:40 #, fuzzy, c-format msgid " -E = get or set for eff gids, not real uids\n" msgstr " -e = ÐÏÌÕÞÉÔØ/ÕÓÔÁÎÏ×ÉÔØ caps ÄÌÑ ÜÆÆÅËÔÉ×ÎÙÈ UID, Ù ÎÅ ÒÅÁÌØÎÙÈ \n" #: src/auth_set_cap.c:41 #, fuzzy, c-format msgid " -F = get or set for fs gids, not real uids\n" msgstr " -f = ÐÏÌÕÞÉÔØ/ÕÓÔÁÎÏ×ÉÔØ caps ÄÌÑ ÆÁÊÌÏ×ÙÈ UID, Á ÎÅ ÒÅÁÌØÎÙÈ \n" #: src/auth_set_cap.c:42 src/mac_set_trusted.c:36 #, fuzzy, c-format msgid "" " -t = set relative time-to-live for this cap entry in seconds (add only)\n" msgstr "" " -t = ÕÓÔÁÎÏ×ÉÔØ ÏÔÎÏÓÉÔÅÌØÎÏÅ ×ÒÅÍÑ ÖÉÚÎÉ ÄÌÑ ÜÔÏÊ ÚÁÐÉÓÉ × ÓÅË. (ÔÏÌØËÏ " "ÄÏÂÁ×ÉÔØ)\n" #: src/auth_set_cap.c:43 src/mac_set_trusted.c:37 #, fuzzy, c-format msgid "" " -T = set absolute time-to-live for this cap entry in seconds (add only)\n" msgstr "" " -T = ÕÓÔÁÎÏ×ÉÔØ ÁÂÓÏÌÀÔÎÏÅ ×ÒÅÍÑ ÖÉÚÎÉ ÄÌÑ ÜÔÏÊ ÚÁÐÉÓÉ × ÓÅË. 
(ÔÏÌØËÏ " "ÄÏÂÁ×ÉÔØ)\n" #: src/auth_set_cap.c:44 src/mac_set_trusted.c:38 #, fuzzy, c-format msgid " -D = set relative time-to-live for this cap entry in days (add only)\n" msgstr "" " -D = ÕÓÔÁÎÏ×ÉÔØ ÏÔÎÏÓÉÔÅÌØÎÏÅ ×ÒÅÍÑ ÖÉÚÎÉ ÄÌÑ ÜÔÏÊ ÚÁÐÉÓÉ × ÄÎÑÈ (ÔÏÌØËÏ " "ÄÏÂÁ×ÉÔØ)\n" #: src/auth_set_cap.c:207 src/auth_set_cap.c:274 src/mac_set_trusted.c:183 #: src/mac_set_trusted.c:229 #, c-format msgid "" "%s: Invalid command %s!\n" "\n" msgstr "" "%s: îÅ×ÅÒÎÁÑ ËÏÍÁÎÄÁ %s!\n" "\n" #: src/auth_set_cap.c:228 #, c-format msgid "" "%s: Warning: first user %u after last user %u, exiting!\n" "\n" msgstr "" "%s: ÷ÎÉÍÁÎÉÅ: ÐÅÒ×ÙÊ ÐÏÌØÚÏ×ÁÔÅÌØ %u ÐÏÓÌÅ ÐÏÓÌÅÄÎÅÇÏ ÐÏÌØÚÏ×ÁÔÅÌÑ %u, " "ÚÁ×ÅÒÛÁÀÓØ!\n" "\n" #: src/auth_set_cap.c:234 #, c-format msgid "" "%s: Warning: last user %u is special user ID, exiting!\n" "\n" msgstr "" "%s: ÷ÎÉÍÁÎÉÅ: ÐÏÓÌÅÄÎÉÊ ÐÏÌØÚÏ×ÁÔÅÌØ r %u ÓÏ ÓÐÅÃÉÁÌØÎÙÍ ÉÄÅÎÔÉÆÉËÁÔÏÒÏÍ, " "ÚÁ×ÅÒÛÁÀÓØ!\n" "\n" #: src/get_attribute_name.c:36 #, c-format msgid "Use: %s value\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s ÚÎÁÞÅÎÉÅ\n" #: src/get_attribute_name.c:37 #, c-format msgid "" "value = attribute number\n" "\n" msgstr "" "ÚÎÁÞÅÎÉÅ = ÎÏÍÅÒ ÁÔÒÉÂÕÔÁ\n" "\n" #: src/get_attribute_nr.c:32 #, c-format msgid "Use: %s attribute_name\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s ÉÍÑ_ÁÔÔÒÉÂÕÔÁ\n" #: src/linux2acl.c:61 #, c-format msgid "Use: %s [switches] file/dir/scdname(s)\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ËÌÀÞÉ] ÆÁÊÌ/ËÁÔÁÌÏÇ(É)\n" #: src/linux2acl.c:62 #, c-format msgid " -v = use verbose in scripts, -r = recurse into subdirs,\n" msgstr " -v = ÐÏÄÒÏÂÎÏ, -r = ÒÅËÕÒÓÉ×ÎÏ ÐÏ ÐÏÄËÁÔÁÌÏÇÁÍ,\n" #: src/linux2acl.c:63 #, c-format msgid " -g = also create group entries with members,\n" msgstr " -g = ÔÁËÖÅ ÓÏÚÄÁ×ÁÔØ ÚÁÐÉÓÉ ÇÒÕÐÐ Ó ÞÌÅÎÁÍÉ,\n" #: src/linux2acl.c:64 #, c-format msgid " -G = only create group entries with members,\n" msgstr " -G = ÔÏÌØËÏ ÓÏÚÄÁ×ÁÔØ ÚÁÐÉÓÉ ÇÒÕÐÐ Ó ÞÌÅÎÁÍÉ,\n" #: src/linux2acl.c:65 #, c-format msgid " -p = print right names, -P use private groups\n" msgstr " -p = ×Ù×ÏÄÉÔØ ÉÍÅÎÁ ÐÒÁ×, -P ÉÓÐÏÌØÚÏ×ÁÔØ 
ÐÒÉ×ÁÔÎÙÅ ÇÒÕÐÐÙ\n" #: src/linux2acl.c:66 #, c-format msgid " -n = use numeric user ids where possible\n" msgstr "" " -n = ÉÓÐÏÌØÚÏ×ÁÔØ ÃÉÆÒÏ×ÙÅ ÉÄÅÎÔÉÆÉËÁÔÏÒÙ ÐÏÌØÚÏ×ÁÔÅÌÅÊ ÇÄÅ ×ÏÚÍÏÖÎÏ\n" #: src/linux2acl.c:87 #, c-format msgid "stat for %s returned error: %s\n" msgstr "stat() ÄÌÑ ÆÁÊÌÁ %s ×ÏÚ×ÒÁÔÉÌ ÏÛÉÂËÕ: %s\n" #: src/linux2acl.c:729 #, c-format msgid "internal error in switch\n" msgstr "×ÎÕÔÒÅÎÎÑÑ ÏÛÉÂËÁ × ÐÅÒÅËÌÀÞÁÔÅÌÅ\n" #: src/mac_back_trusted.c:41 src/mac_back_trusted.c:235 #, c-format msgid "Use: %s [-r] [-v] [-o target-file] file/dirname(s)\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [-r] [-v] [-o ÆÁÊÌ-ÒÅÚÕÌØÔÁÔ] ÆÁÊÌ/ËÁÔÁÌÏÇ\n" #: src/mac_get_levels.c:28 #, c-format msgid "Use: %s [-v] [-c] [-x] [-n] [-a]\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [-v] [-c] [-x] [-n] [-a]\n" #: src/mac_get_levels.c:29 #, c-format msgid "This program will show the RSBAC MAC security levels\n" msgstr "üÔÁ ÐÒÏÇÒÁÍÍÁ ÐÏËÁÖÅÔ ÍÁÎÄÁÔÎÙÅ ÕÒÏ×ÎÉ RSBAC MAC\n" #: src/mac_get_levels.c:30 #, c-format msgid "and category sets of the calling process.\n" msgstr "É ËÁÔÅÇÏÒÉÉ ÄÌÑ ×ÙÚ×ÁÎÎÏÇÏ ÐÒÏÃÅÓÓÁ.\n" #: src/mac_get_levels.c:31 #, c-format msgid "-a = show all, -c = show current level and categories\n" msgstr "-a = ÐÏËÁÚÁÔØ ×ÓÅ, -c = ÐÏËÁÚÁÔØ ÔÅËÕÝÉÊ ÕÒÏ×ÅÎØ É ËÁÔÅÇÏÒÉÉ\n" #: src/mac_get_levels.c:32 #, c-format msgid "-x = show max, -n = show min level and categories\n" msgstr "" "-x = ÐÏËÁÚÁÔØ ÍÁËÓÉÍÕÍ, -n = ÐÏËÁÚÁÔØ ÍÉÎÉÍÁÌØÎÙÊ ÕÒÏ×ÅÎØ É ËÁÔÅÇÏÒÉÉ\n" #: src/mac_get_levels.c:94 #, c-format msgid "" "Current level: %u\n" "categories: %s\n" msgstr "" "ôÅËÕÝÅÊ ÕÒÏ×ÅÎØ: %u\n" "ËÁÔÅÇÏÒÉÉ: %s\n" #: src/mac_get_levels.c:102 #, c-format msgid "" "Max level: %u\n" "categories: %s\n" msgstr "" "íÁËÓÉÍÁÌØÎÙÊ ÕÒÏ×ÅÎØ: %u\n" "ËÁÔÅÇÏÒÉÉ: %s\n" #: src/mac_get_levels.c:110 #, c-format msgid "" "Min level: %u\n" "categories: %s\n" msgstr "" "íÉÎÉÍÁÌØÎÙÊ ÕÒÏ×ÅÎØ: %u\n" "ËÁÔÅÇÏÒÉÉ: %s\n" #: src/mac_set_trusted.c:31 #, c-format msgid "Use: %s [switches] TYPE add/remove target user1 user2...\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s 
[ÐÁÒÁÍÅÔÅ] TYPE add/remove ÏÂßÅËÔ ÐÏÌØÚÏ×ÁÔÅÌØ1 " "ÐÏÌØÚÏ×ÁÔÅÌØ2...\n" #: src/mac_set_trusted.c:35 #, fuzzy, c-format msgid " -m = set maximum number of returned members per file, default is %u\n" msgstr "" " -m = ÕÓÔÁÎÏ×ÉÔØ ÍÁËÓÉÍÁÌØÎÏÅ ËÏÌÉÞÅÓÔ×Ï ×ÏÚ×ÒÁÝÁÅÍÙÈ ÞÌÅÎÏ× ÄÌÑ ÆÁÊÌÁ, " "ÕÍÏÌÞÁÎÉÅ = %u\n" #: src/mac_wrap.c:27 #, c-format msgid "Use: %s [-v] [-l level] [-c categories] prog args\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [-v] [-l ÕÒÏ×ÅÎØ] [-c ËÁÔÅÇÏÒÉÉ] ÐÒÏÇÒÁÍÍÁ ÁÒÇÕÍÅÎÔÙ\n" #: src/mac_wrap.c:28 #, c-format msgid "" "This program will set the current seclevel and categories, if supplied,\n" msgstr "" "üÔÁ ÐÒÏÇÒÁÍÍÁ ÕÓÔÁÎÏ×ÉÔ ÔÅËÕÝÉÅ ÍÁÎÄÁÔÎÙÊ ÕÒÏ×ÅÔØ ÐÒÏÃÅÓÓÁ É ËÁÔÅÇÏÒÉÉ\n" #: src/mac_wrap.c:29 #, c-format msgid "and then execute prog via execvp().\n" msgstr "É ÚÁÐÕÓÔÉÔ ÐÒÏÇÒÁÍÍÕ ÞÅÒÅÚ execvp()\n" #: src/mac_wrap.c:30 #, c-format msgid "Please note that you need mac_auto to set the current values.\n" msgstr "îÅ ÚÁÂÕÄØÔÁ, ÞÔÏ ÔÒÅÂÕÅÔÓÑ mac_auto ÄÌÑ ÕÓÔÁÎÏ×ËÉ ÔÅËÕÝÉÈ ÚÎÁÞÅÎÉÊ.\n" #: src/mac_wrap.c:31 #, c-format msgid "-v = verbose, -l = use this seclevel, -c = use this category set\n" msgstr "" "-v = ÐÏÄÒÏÂÎÏ, -l = ÉÓÐÏÌØÚÏ×ÁÔØ ÜÔÏÔ ÕÒÏ×ÅÎØ, -c = ÉÓÐÏÌØÚÏ×ÁÔØ ÜÔÉ " "ËÁÔÅÇÏÒÉÉ\n" #: src/mac_wrap.c:67 src/mac_wrap.c:106 #, c-format msgid "%s: missing value for parameter %c\n" msgstr "%s: ÏÔÓÕÔÓÔ×ÕÅÔ ÚÎÁÞÅÎÉÅ ÄÌÑ ÐÁÒÁÍÅÔÒÁ %c\n" #: src/mac_wrap.c:74 #, c-format msgid "%s: Invalid category string length %i, must be %i\n" msgstr "%s: îÅ×ÅÒÎÁÑ ÄÌÉÎÁ ÓÔÒÏËÉ ËÁÔÅÇÏÒÉÊ %i, ÄÏÌÖÎÏ ÂÙÔØ %i\n" #: src/mac_wrap.c:81 #, c-format msgid "%s: Using numeric value %lu instead\n" msgstr "%s: éÓÐÏÌØÚÕÀ ÞÉÓÌÏ×ÏÅ ÚÎÁÞÅÎÉÅ %lu ×ÍÅÓÔÏ\n" #: src/mac_wrap.c:125 #, c-format msgid "%s: executing %s with current_sec_level %u and mac_curr_categories %s\n" msgstr "%s: ÚÁÐÕÓËÁÅÔÓÑ %s Ó current_sec_level %u É mac_curr_categories %s\n" #: src/net_temp.c:41 #, c-format msgid "Use: %s [switches] function id [set-param]\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ÐÁÒÁÍÅÔÒÙ] ÆÕÎËÃÉÑ id [ÕÓÔÁÎÁ×ÌÉ×ÁÅÍÙÊ ÐÁÒÁÍÅÔÒ]\n" #: 
src/net_temp.c:44 #, fuzzy, c-format msgid " -v = verbose, -l = list functions\n" msgstr "- -v = ÐÏÄÒÏÂÎÏ, -l = ÓÐÉÓÏË ÆÕÎËÃÉÊ,\n" #: src/net_temp.c:45 #, fuzzy, c-format msgid " -b = backup mode, -s = scripting mode,\n" msgstr "- -b = ÒÅÖÉÍ ÒÅÚÅÒ×ÉÒÏ×ÁÎÉÑ, -s = ÒÅÖÉÍ ÓÃÅÎÁÒÉÑ\n" #: src/net_temp.c:46 #, fuzzy, c-format msgid " -n = take number as address, -u = take string as address,\n" msgstr "" "- -n = ÒÁÓÓÍÏÔÒÅÔØ ÞÉÓÌÏ ËÁË ÁÄÒÅÓ, -u = ÒÁÓÓÍÏÔÒÅÔØ ÓÔÒÏËÕ ËÁË ÁÄÒÅÓ,\n" #: src/net_temp.c:47 #, fuzzy, c-format msgid " -d = take DNS name as address and convert to IP address,\n" msgstr "- -d = ÐÒÉÎÑÔØ DNS ÉÍÑ ËÁË ÁÄÒÅÓ É ÐÅÒÅ×ÅÓÔÉ × IP ÁÄÒÅÓ,\n" #: src/net_temp.c:48 #, fuzzy, c-format msgid " -a = list all templates in detail\n" msgstr "- -a = ÄÅÔÁÌØÎÙÊ ÓÐÉÓÏË ×ÓÅÈ ÛÁÂÌÏÎÏ×\n" #: src/pm_create.c:25 #, c-format msgid "" "Use: %s class mode filename(s)\n" "\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s class mode ÆÁÊÌ\n" "\n" #: src/pm_create.c:40 #, c-format msgid "" "%s: %i files of class %i, mode %o to be created\n" "\n" msgstr "" "%s: %i ÆÁÊÌÏ× ËÌÁÓÓÁ %i, ÐÒÁ×ÁÍÉ %o ÓÏÚÄÁÎÏ\n" "\n" #: src/pm_create.c:44 #, c-format msgid "Processing %s (No. %i)\n" msgstr "ïÂÒÁÂÁÔÙ×ÁÅÔÓÑ %s (No. 
%i)\n" #: src/pm_ct_exec.c:32 #, c-format msgid "%s: executing %s with task %i\n" msgstr "%s: ÚÁÐÕÓËÁÅÔÓÑ %s Ó ÚÁÄÁÞÅÊ %i\n" #: src/pm_ct_exec.c:41 #, c-format msgid "Use: %s task-nr prog args\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s task-nr prog args\n" #: src/pm_ct_exec.c:42 #, c-format msgid "This program will set rsbac_pm_current_task to task-nr and then\n" msgstr "üÔÁ ÐÒÏÇÒÁÍÍÁ ÕÓÔÁÎÏ×ÉÔ rsbac_pm_current_task × ÚÎÁÞÅÎÉÅ task-nr É\n" #: src/pm_ct_exec.c:43 src/rc_role_wrap.c:30 #, c-format msgid "execute prog via execvp()\n" msgstr "ÚÁÐÕÓÔÉÔ prog ÞÅÒÅÚ execvp()\n" #: src/rc_copy_role.c:27 #, fuzzy, c-format msgid "Use: %s [flags] from_role to_role\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [-s] ÍÏÄÕÌØ ÚÎÁÞÅÎÉÅ\n" #: src/rc_copy_type.c:27 #, c-format msgid "Use: %s [flags] target from_type to_type\n" msgstr "" # #: src/rc_copy_type.c:28 #, fuzzy, c-format msgid " target = FD, DEV, IPC, USER, PROCESS, GROUP, NETDEV, NETTEMP, NETOBJ\n" msgstr "" " ÔÉÐ-ÏÂßÅËÔÁ = FILE, DIR, FIFO, SYMLINK, DEV, IPC, SCD, USER, PROCESS, " "NETDEV,\n" #: src/rc_get_current_role.c:31 #, c-format msgid "%s: current role is %u\n" msgstr "%s: ÔÅËÕÝÁÑ ÒÏÌØ - %u\n" #: src/rc_get_eff_rights_fd.c:39 #, c-format msgid "Use: %s [-v] [-r] [-p] target-type file/dirname(s)\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [-v] [-r] [-p] ÔÉÐ-ÏÂßÅËÔÁ ÆÁÊÌ/ËÁÔÁÌÏÇ\n" #: src/rc_get_eff_rights_fd.c:41 #, fuzzy, c-format msgid " -p = print right names,\n" msgstr "- -p = ×Ù×ÅÓÔÉ ÉÍÅÎÁ ÐÒÁ×,\n" #: src/rc_get_item.c:34 #, c-format msgid "Use: %s [switches] rc-target-type id-nr item [sub-id-nr [right]]\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ÐÁÒÁÍÅÔÒÙ] ÔÉÐ-rc-ÏÂßÅËÔÁ id-nr ÜÌÅÍÅÎÔ [sub-id-nr " "[ÐÒÁ×Ï]]\n" #: src/rc_get_item.c:35 #, c-format msgid " %s list_xxx\n" msgstr "" #: src/rc_get_item.c:36 #, c-format msgid " %s list_unused_xxx (_nr only)\n" msgstr "" #: src/rc_get_item.c:37 #, c-format msgid " %s list_def_fd_ind_create_type{s|_nr|_values role-id\n" msgstr "" #: src/rc_get_item.c:38 #, c-format msgid " %s backup\n" msgstr " %s ÒÅÚÅÒ×ÉÒÏ×ÁÎÉÅ\n" #: 
src/rc_get_item.c:39 #, c-format msgid " %s print\n" msgstr " %s ÐÅÞÁÔØ\n" #: src/rc_get_item.c:40 src/rc_set_item.c:33 #, fuzzy, c-format msgid " -v = verbose, -p = print right names,\n" msgstr "- -v = ÐÏÄÒÏÂÎÏ, -p = ×Ù×ÅÓÔÉ ÉÍÅÎÁ ÐÒÁ×,\n" #: src/rc_get_item.c:41 #, fuzzy, c-format msgid " -i = list items and values,\n" msgstr "- -i = ÓÐÉÓÏË ÜÌÅÍÅÎÔÏ× É ÚÎÁÞÅÎÉÊ\n" #: src/rc_get_item.c:42 #, fuzzy, c-format msgid " -r = remove role before restore (backup only)\n" msgstr "- -r = ÕÄÁÌÉÔØ ÒÏÌØ ÐÅÒÅÄ ×ÏÓÓÔÁÎÏ×ÌÅÎÉÅÍ (ÔÏÌØËÏ ÁÒÈÉ×ÉÒÏ×ÁÎÉÅ)\n" #: src/rc_get_item.c:44 src/rc_set_item.c:44 #, fuzzy, c-format msgid " rc-target-type = ROLE or TYPE,\n" msgstr "- ÔÉÐ-rc-ÏÂßÅËÔÁ = ROLE ÉÌÉ TYPE,\n" #: src/rc_get_item.c:45 src/rc_set_item.c:45 #, fuzzy, c-format msgid " id-nr = ROLE or TYPE number,\n" msgstr "- id-nr = ÎÏÍÅÒ ROLE ÉÌÉ TYPE,\n" #: src/rc_get_item.c:46 src/rc_set_item.c:46 #, fuzzy, c-format msgid " item = entry line,\n" msgstr "- ÜÌÅÍÅÎÔ = ÓÔÒÏËÁ ÚÁÐÉÓÉ,\n" #: src/rc_get_item.c:47 #, fuzzy, c-format msgid " sub-id-nr = use this sub-id (_comp items only),\n" msgstr "" "- sub-id-nr = ÉÓÐÏÌØÚÏ×ÁÔØ ÜÔÏÔ ÓÕÂÉÄÅÎÔÉÆÉËÁÔÏÒ (ÔÏÌØËÏ ÄÌÑ type_comp),\n" #: src/rc_get_item.c:48 #, fuzzy, c-format msgid " right = right name or number (type_comp items only),\n" msgstr "- ÐÒÁ×Ï = ÉÍÑ ÐÒÁ×Á ÉÌÉ ÎÏÍÅÒ (tÔÏÌØËÏ ÄÌÑ type_comp),\n" #: src/rc_get_item.c:49 #, c-format msgid "" " xxx = roles, fd_types, dev_types, ipc_types, user_types, process_types,\n" msgstr "" #: src/rc_get_item.c:50 #, c-format msgid "" " scd_types, group_types, role_nr, fd_type_nr, dev_type_nr, " "ipc_type_nr,\n" msgstr "" #: src/rc_get_item.c:51 #, fuzzy, c-format msgid "" " user_type_nr, process_type_nr, scd_type_nr, rights: print a list\n" msgstr "- scd_type_nr, rights: ×Ù×ÅÓÔÉ ÓÐÉÓÏË\n" #: src/rc_get_item.c:52 #, c-format msgid " list_def_fd_ind_create_types etc.: print a list\n" msgstr "" #: src/rc_get_item.c:231 src/rc_set_item.c:175 #, c-format msgid "- items and returned values = see following list:\n" 
msgstr "- ÜÌÅÍÅÎÔÙ É ×ÏÚ×ÒÁÝÁÅÍÙÅ ÚÎÁÞÅÎÉÑ = ÓÍ. ÓÌÅÄ. ÓÐÉÓÏË:\n" #: src/rc_get_item.c:309 src/rc_get_item.c:3924 #, c-format msgid "%u roles:\n" msgstr "%u ÒÏÌÉ:\n" #: src/rc_get_item.c:424 src/rc_get_item.c:3824 #, c-format msgid "%u types:\n" msgstr "%u ÔÉÐÙ:\n" #: src/rc_get_item.c:550 #, c-format msgid "%s: Internal right list error, param %s!\n" msgstr "%s: ïÛÉÂËÁ ×ÎÕÔÒÅÎÎÅÇÏ ÓÐÉÓËÁ ÐÒÁ×, ÐÁÒÁÍÅÔÒ %s!\n" #: src/rc_get_item.c:3784 #, c-format msgid "Invalid parameter %s\n" msgstr "îÅ×ÅÒÎÙÊ ÐÁÒÁÍÅÔÒ %s\n" #: src/rc_get_item.c:3872 src/rc_get_item.c:4026 src/rc_get_item.c:4148 #: src/rc_set_item.c:248 #, c-format msgid "Invalid target %s\n" msgstr "îÅ×ÅÒÎÙÊ ÏÂßÅËÔ %s\n" #: src/rc_get_item.c:3982 #, c-format msgid "Invalid item %s or too few arguments\n" msgstr "îÅ×ÅÒÎÙÊ ÜÌÅÍÅÎÔ %s ÉÌÉ ÓÌÉÛËÏÍ ÍÁÌÏ ÁÒÇÕÍÅÎÔÏ×\n" #: src/rc_get_item.c:4048 #, c-format msgid "Invalid item %s or invalid number of arguments\n" msgstr "îÅ×ÅÒÎÙÊ ÜÌÅÍÅÎÔ %s ÉÌÉ ÎÅ×ÅÒÎÏÅ ËÏÌÉÞÅÓÔ×Ï ÁÒÇÕÍÅÎÔÏ×\n" #: src/rc_get_item.c:4057 #, c-format msgid "Invalid subrole %s\n" msgstr "îÅ×ÅÒÎÁÑ ÐÏÄ-ÒÏÌØ %s\n" #: src/rc_get_item.c:4067 #, c-format msgid "Invalid subtype %s\n" msgstr "îÅ×ÅÒÎÙÊ ÐÏÄÔÉÐ %s\n" #: src/rc_get_item.c:4081 #, c-format msgid "Getting %s for ROLE %u to ROLE %u\n" msgstr "ðÏÌÕÞÅÎÉÅ %s ÄÌÑ ROLE %u × ROLE %u\n" #: src/rc_get_item.c:4092 #, fuzzy, c-format msgid "Getting def_fd_ind_create_type for ROLE %u to TYPE %u\n" msgstr "ðÏÌÕÞÅÎÉÅ %s ÐÒÁ× ÄÌÑ ROLE %u × TYPE %u\n" #: src/rc_get_item.c:4113 #, c-format msgid "Getting %s rights for ROLE %u to TYPE %u\n" msgstr "ðÏÌÕÞÅÎÉÅ %s ÐÒÁ× ÄÌÑ ROLE %u × TYPE %u\n" #: src/rc_get_item.c:4166 #, c-format msgid "Invalid item-position combination %s\n" msgstr "îÅ×ÅÒÎÁÑ ËÏÍÂÉÎÁÃÉÑ ÐÏÚÉÃÉÉ ÜÌÅÍÅÎÔÁ %s\n" #: src/rc_get_item.c:4174 #, c-format msgid "Invalid comp_type %s\n" msgstr "îÅ×ÅÒÎÙÊ comp_type %s\n" #: src/rc_get_item.c:4189 #, c-format msgid "Invalid right %s\n" msgstr "îÅ×ÅÒÎÏÅ ÐÒÁ×Ï %s\n" #: src/rc_role_wrap.c:28 #, c-format msgid "Use: %s [-v] 
new_role_id prog args\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [-v] new_role_id ÐÒÏÇÒÁÍÍÁ ÁÒÇÕÍÅÎÔÙ\n" #: src/rc_role_wrap.c:29 #, c-format msgid "This program will set the process rc_role to new_role and then\n" msgstr "üÔÁ ÐÒÏÇÒÁÍÍÁ ÕÓÔÁÎÏ×ÉÔ rc_role ÐÒÏÃÅÓÓÁ × ÚÎÁÞÅÎÉÅ new_role É\n" #: src/rc_role_wrap.c:31 #, c-format msgid "-v = verbose\n" msgstr "-v = ÐÏÄÒÏÂÎÏ\n" #: src/rc_role_wrap.c:70 #, c-format msgid "%s: executing %s with role %i\n" msgstr "%s: ÚÁÐÕÓËÁÅÔÓÑ %s Ó ÒÏÌØÀ %i\n" #: src/rc_set_item.c:31 #, c-format msgid "" "Use: %s [switches] rc-target-type id item [role/type [list-of-rights]] " "[value]\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ËÌÀÞÉ] ÔÉÐ-rc-ÏÂßÅËÔÁ id ÜÌÅÍÅÎÔ [ÒÏÌØ/ÔÉÐ [ÓÐÉÓÏË-ÐÒÁ×]] " "[ÚÎÁÞÅÎÉÅ]\n" #: src/rc_set_item.c:32 #, c-format msgid " %s -c TYPE target-id item source-id [first_role [last_role]],\n" msgstr "" " %s -c TYPE id-ÏÂßÅËÔÁ ÜÌÅÍÅÎÔ id-ÉÓÔÏÞÎÉËÁ [ÐÅÒ×ÁÑ_ÒÏÌØ [ÐÏÓÌ_ÒÏÌØ]],\n" #: src/rc_set_item.c:34 #, fuzzy, c-format msgid " -a = add, not set, -k = revoke, not set,\n" msgstr " -a = ÄÏÂÁ×ÉÔØ, ÎÅ ÕÓÔÁÎÁ×ÌÉ×ÁÔØ, -k = ÕÄÁÌÉÔØ, ÎÅ ÕÓÔÁÎÁ×ÌÉ×ÁÔØ,\n" #: src/rc_set_item.c:35 #, fuzzy, c-format msgid " -b = accept rights as bitstring,\n" msgstr " -b = ÐÒÉÎÑÔØ ÐÒÁ×Á × ×ÉÄÅ ÂÉÔÏ×ÏÊ ÓÔÒÏËÉ,\n" #: src/rc_set_item.c:36 #, fuzzy, c-format msgid " -c = copy all/given roles' rights to type from other type,\n" msgstr "" " -c = ËÏÐÉÒÏ×ÁÔØ ÐÒÁ×Á ×ÓÅÈ/ÕËÁÚÁÎÎÙÈ ÒÏÌÅÊ ÉÚ ÏÄÎÏÇÏ ÔÉÐÁ × ÄÒÕÇÏÊ ÔÉÐ,\n" #: src/rc_set_item.c:37 #, fuzzy, c-format msgid " -d = delete all roles' rights to this type,\n" msgstr " -d = ÕÄÁÌÉÔØ ÐÒÁ×Á ×ÓÅÈ ÒÏÌÅÊ ÄÁÎÎÏÇÏ ÔÉÐÁ,\n" #: src/rc_set_item.c:38 #, fuzzy, c-format msgid " -i = list items and values\n" msgstr "- -i = ÓÐÉÓÏË ÜÌÅÍÅÎÔÏ× É ÚÎÁÞÅÎÉÊ\n" #: src/rc_set_item.c:39 src/rsbac_groupadd.c:40 src/rsbac_groupmod.c:35 #: src/rsbac_useradd.c:67 src/rsbac_usermod.c:46 #, fuzzy, c-format msgid "" " -t = set relative time-to-live in secs (role/type comp, admin, assign " "only)\n" msgstr "" " -t = ÕÓÔÁÎÏ×ÉÔØ ÏÔÎÏÓÉÔÅÌØÎÏÅ ×ÒÅÍÑ ÖÉÚÎÉ × ÓÅËÕÎÄÁÈ 
(ÔÏÌØËÏ ÄÌÑ role/type " "comp, admin, assign )\n" #: src/rc_set_item.c:40 src/rsbac_groupadd.c:41 src/rsbac_groupmod.c:36 #: src/rsbac_useradd.c:68 src/rsbac_usermod.c:47 #, fuzzy, c-format msgid "" " -T = set absolute time-to-live in secs (role/type comp, admin, assign " "only)\n" msgstr "" " -T = ÕÓÔÁÎÏ×ÉÔØ ÁÂÓÏÌÀÔÎÏÅ ×ÒÅÍÑ ÖÉÚÎÉ × ÓÅËÕÎÄÁÈ (ÔÏÌØËÏ ÄÌÑ role/type " "comp, admin, assign )\n" #: src/rc_set_item.c:41 src/rsbac_groupadd.c:42 src/rsbac_groupmod.c:37 #: src/rsbac_useradd.c:69 src/rsbac_usermod.c:48 #, fuzzy, c-format msgid "" " -D = set relative time-to-live in days (role/type comp, admin, assign " "only)\n" msgstr "" " -D = ÕÓÔÁÎÏ×ÉÔØ ÏÔÎÏÓÉÔÅÌØÎÏÅ ×ÒÅÍÑ ÖÉÚÎÉ × ÄÎÑÈ (ÔÏÌØËÏ ÄÌÑ role/type " "comp, admin, assign )\n" #: src/rc_set_item.c:47 #, fuzzy, c-format msgid " role/type = for this type only (role/type comp, admin, assign only),\n" msgstr "" "- ÒÏÌØ/ÔÉÐ = ÔÏÌØËÏ ÄÌÑ ÜÔÏÇÏ ÔÉÐÁ (ÔÏÌØËÏ ÄÌÑ (role/type comp, admin, " "assign only),\n" #: src/rc_set_item.c:48 #, fuzzy, c-format msgid " right = request name or number (type_comp items only),\n" msgstr "- right = ÉÍÑ ÉÌÉ ÎÏÍÅÒ ÚÁÐÒÏÓÁ (ÔÏÌØËÏ ÄÌÑ ÜÌÅÍÅÎÔÏ× type_comp),\n" #: src/rc_set_item.c:49 #, c-format msgid " also special rights and groups R (read requests),\n" msgstr " ÔÁËÖÅ ÓÐÅÃÉÁÌØÎÙÅ ÐÒÁ×Á É ÇÒÕÐÐÙ R (ÚÁÐÒÏÓÙ ÞÔÅÎÉÑ),\n" #: src/rc_set_item.c:50 #, c-format msgid " RW (read-write), SY (system), SE (security), A (all)\n" msgstr "" " RW (ÞÔÅÎÉÅ-ÚÁÐÉÓØ), SY (ÓÉÓÔÅÍÎÙÅ), SE (ÂÅÚÏÐÁÓÎÏÓÔØ), A (×ÓÅ)\n" #: src/rc_set_item.c:254 src/rc_set_item.c:353 src/rc_set_item.c:464 #: src/rc_set_item.c:781 #, c-format msgid "Invalid item %s\n" msgstr "îÅ×ÅÒÎÙÊ ÜÌÅÍÅÎÔ %s\n" #: src/rc_set_item.c:271 #, c-format msgid "Too few arguments with option -c\n" msgstr "óÌÉÛËÏÍ ÍÁÌÏ ÁÒÇÕÍÅÎÔÏ× ÄÌÑ ÐÁÒÁÍÅÔÒÁ -c\n" #: src/rc_set_item.c:277 #, c-format msgid "Invalid source type %u\n" msgstr "îÅ×ÅÒÎÙÊ ÔÉÐ ÉÓÔÏÞÎÉËÁ %u\n" #: src/rc_set_item.c:285 #, c-format msgid "Invalid first role %u\n" msgstr "îÅ×ÅÒÎÁÑ ÐÅÒ×ÁÑ ÒÏÌØ %u\n" #: 
src/rc_set_item.c:295 #, c-format msgid "Invalid last role %u\n" msgstr "îÅ×ÅÒÎÁÑ ÐÏÓÌÅÄÎÑÑ ÒÏÌØ %u\n" #: src/rc_set_item.c:302 src/rc_set_item.c:418 #, c-format msgid "Invalid target type %u\n" msgstr "îÅ×ÅÒÎÙÊ ÔÉÐ ÏÂßÅËÔÁ %u\n" #: src/rc_set_item.c:307 #, c-format msgid "Source and target must differ\n" msgstr "ãÅÌØ É ÉÓÔÏÞÎÉË ÄÏÌÖÎÙ ÏÔÌÉÞÁÔØÓÑ\n" #: src/rc_set_item.c:358 #, c-format msgid "Copying rights vector %s for type %u to type %u in role(s) %u to %u\n" msgstr "ëÏÐÉÒÏ×ÁÎÉÅ ×ÅËÔÏÒÁ ÐÒÁ× %s ÔÉÐÁ %u × ÔÉÐ %u × ÒÏÌØ %u × %u\n" #: src/rc_set_item.c:387 src/rc_set_item.c:496 #, c-format msgid "Changing role %u failed: %s\n" msgstr "éÚÍÅÎÅÎÉÅ ÒÏÌÉ %u ÎÅÕÄÁÞÎÏ: %s\n" #: src/rc_set_item.c:397 #, c-format msgid "Reading from role %u failed: %s\n" msgstr "þÔÅÎÉÅ ÉÚ ÒÏÌÉ %u ÎÅÕÄÁÞÎÏ: %s\n" #: src/rc_set_item.c:469 #, c-format msgid "Setting rights vector %s for type %u in all roles to 0\n" msgstr "õÓÔÁÎÏ×ÌÅÎÉÅ ×ÅËÔÏÒÁ ÐÒÁ× %s ÄÌÑ ÔÉÐÁ %u ×Ï ×ÓÅÈ ÒÏÌÑÈ × 0\n" #: src/rc_set_item.c:486 #, c-format msgid "%u roles\n" msgstr "%u ÒÏÌÅÊ\n" #: src/rc_set_item.c:520 #, c-format msgid "Setting %s of ROLE %i (old bitvector mode)\n" msgstr "õÓÔÁÎÏ×ËÁ %s × òïìé %i (ÓÔÁÒÙÊ ÒÅÖÉÍ ÂÉÔÏÇÏ ×ÅËÔÏÒÁ)\n" #: src/rc_set_item.c:544 #, c-format msgid "Setting for role %u failed: %s\n" msgstr "õÓÔÁÎÏ×ËÁ ÄÌÑ ÒÏÌÉ %u ÎÅ ÐÒÏÛÌÁ: %s\n" #: src/rc_set_item.c:559 #, c-format msgid "Invalid role %u!\n" msgstr "îÅ×ÅÒÎÁÑ ÒÏÌØ %u!\n" #: src/rc_set_item.c:569 src/rc_set_item.c:589 src/rc_set_item.c:608 #, c-format msgid "Invalid number of arguments for item %s!\n" msgstr "îÅ×ÅÒÎÏÅ ËÏÌÉÞÅÓÔ×Ï ÁÒÇÕÍÅÎÔÏ× ÄÌÑ ÜÌÅÍÅÎÔÁ %s!\n" #: src/rc_set_item.c:581 src/rc_set_item.c:601 #, fuzzy, c-format msgid "Invalid type %u!\n" msgstr "îÅ×ÅÒÎÙÊ ÐÏÄÔÉÐ %s\n" #: src/rc_set_item.c:626 #, c-format msgid "parameter comp_type missing\n" msgstr "ÐÁÒÁÍÅÔÒ comp_type ÏÔÓÕÔÓÔ×ÕÅÔ\n" #: src/rc_set_item.c:632 #, c-format msgid "invalid subtid.type %s\n" msgstr "ÎÅ×ÅÒÎÙÊ subtid.type %s\n" #: src/rc_set_item.c:652 #, c-format msgid 
"No bitstring given!\n" msgstr "îÅ ÐÏÌÕÞÅÎÏ ÂÉÔÏ×ÏÊ ÓÔÒÏËÉ!\n" #: src/rc_set_item.c:820 #, c-format msgid "Adding %s rights for ROLE %u to TYPE %u\n" msgstr "äÏÂÁ×ÌÅÎÉÅ %s ÐÒÁ× ÄÌÑ ROLE %u × TYPE %u\n" #: src/rc_set_item.c:830 #, c-format msgid "Revoking %s rights for ROLE %u from TYPE %u\n" msgstr "õÄÁÌÅÎÉÅ %s ÐÒÁ× ÄÌÑ ROLE %u ÉÚ TYPE %u\n" #: src/rc_set_item.c:839 #, c-format msgid "Setting %s rights for ROLE %u to TYPE %u\n" msgstr "õÓÔÁÎÏ×ÌÅÎÉÅ %s ÐÒÁ× ÄÌÑ ROLE %u × TYPE %u\n" #: src/rc_set_item.c:867 #, c-format msgid "parameter name missing\n" msgstr "ÐÁÒÁÍÅÔÒ name(ÉÍÑ) ÏÔÓÕÔÓÔ×ÕÅÔ\n" #: src/rc_set_item.c:872 #, c-format msgid "Name string too long\n" msgstr "óÔÒÏËÁ ÉÍÅÎÉ ÓÌÉÛËÏÍ ÄÌÉÎÎÁ\n" #: src/rc_set_item.c:881 #, c-format msgid "parameter admin_type missing\n" msgstr "ÐÁÒÁÍÅÔÒ admin_type ÏÔÓÕÔÓÔ×ÕÅÔ\n" #: src/rc_set_item.c:892 #, c-format msgid "parameter boot_role missing\n" msgstr "ÐÁÒÁÍÅÔÒ boot_role ÏÔÓÕÔÓÔ×ÕÅÔ\n" #: src/rsbac_check.c:42 #, c-format msgid "Use: %s correct check_inode\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s correct check_inode\n" #: src/rsbac_check.c:43 #, fuzzy, c-format msgid " correct = 0: do not correct errors\n" msgstr " åÓÌÉ correct = 0 ÎÅ ÉÓÐÒÁ×ÌÑÔØ ÏÛÉÂÏË\n" #: src/rsbac_check.c:44 #, fuzzy, c-format msgid " correct = 1: correct errors\n" msgstr " åÓÌÉ correct = 1 ÉÓÐÒÁ×ÌÑÔØ ÏÛÉÂËÉ\n" #: src/rsbac_check.c:45 #, fuzzy, c-format msgid " correct = 2: correct more\n" msgstr " åÓÌÉ correct = 2 ÉÓÐÒÁ×ÌÑÔØ ÂÏÌØÛÅ\n" #: src/rsbac_check.c:46 #, fuzzy, c-format msgid " check_inode = 0: do not check inode numbers\n" msgstr " åÓÌÉ check_inode = 0 ÎÅ ÐÒÏ×ÅÒÑÔØ ÎÏÍÅÒÁ ÉÎÏÄÏ×\n" #: src/rsbac_check.c:47 #, fuzzy, c-format msgid "" " check_inode = 1: also check inode numbers (only ext2/3 on 2.4 kernels)\n" msgstr " åÓÌÉ check_inode = 1 ÔÏ ÔÁËÖÅ ÐÒÏ×ÅÒÑÔØ ÎÏÍÅÒÁ ÉÎÏÄÏ×\n" #: src/rsbac_gpasswd.c:28 #, fuzzy, c-format msgid "Use: %s [flags] group\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [-y] ÐÏÌØÚÏ×ÁÔÅÌØ\n" #: src/rsbac_gpasswd.c:29 src/rsbac_groupdel.c:31 
src/rsbac_userdel.c:32 #, fuzzy, c-format msgid " -v = verbose,\n" msgstr "-v = ÐÏÄÒÏÂÎÏ\n" #: src/rsbac_gpasswd.c:30 #, c-format msgid " -a user = add user to group,\n" msgstr "" #: src/rsbac_gpasswd.c:31 #, c-format msgid " -d user = remove user from group,\n" msgstr "" #: src/rsbac_gpasswd.c:32 #, c-format msgid " -M user,... = add user(s) to group,\n" msgstr "" #: src/rsbac_gpasswd.c:33 #, c-format msgid " -A user,... = ignored, for compatibility\n" msgstr "" #: src/rsbac_gpasswd.c:34 #, fuzzy, c-format msgid " -r = remove group password,\n" msgstr " remove_group id-ÇÒÕÐÐÙ\n" #: src/rsbac_gpasswd.c:35 #, c-format msgid " -R = ignored, for compatibility\n" msgstr "" #: src/rsbac_gpasswd.c:36 #, c-format msgid " -N ta = transaction number (group memberships only)\n" msgstr "" #: src/rsbac_gpasswd.c:37 #, c-format msgid " (default = value of RSBAC_TA, if set, or 0)\n" msgstr "" #: src/rsbac_gpasswd.c:93 src/rsbac_gpasswd.c:103 src/rsbac_gpasswd.c:111 #: src/rsbac_groupadd.c:179 src/rsbac_groupadd.c:193 src/rsbac_groupadd.c:203 #: src/rsbac_groupmod.c:128 src/rsbac_groupmod.c:145 src/rsbac_groupmod.c:155 #: src/rsbac_useradd.c:454 src/rsbac_useradd.c:466 src/rsbac_useradd.c:479 #: src/rsbac_useradd.c:495 src/rsbac_useradd.c:506 src/rsbac_useradd.c:524 #: src/rsbac_useradd.c:534 src/rsbac_useradd.c:544 src/rsbac_useradd.c:554 #: src/rsbac_useradd.c:564 src/rsbac_useradd.c:574 src/rsbac_useradd.c:584 #: src/rsbac_useradd.c:595 src/rsbac_useradd.c:605 src/rsbac_useradd.c:636 #: src/rsbac_usermod.c:157 src/rsbac_usermod.c:167 src/rsbac_usermod.c:178 #: src/rsbac_usermod.c:195 src/rsbac_usermod.c:205 src/rsbac_usermod.c:215 #: src/rsbac_usermod.c:226 src/rsbac_usermod.c:236 src/rsbac_usermod.c:246 #: src/rsbac_usermod.c:257 src/rsbac_usermod.c:268 src/rsbac_usermod.c:279 #: src/rsbac_usermod.c:290 src/rsbac_usermod.c:302 src/rsbac_usermod.c:313 #, fuzzy, c-format msgid "%s: missing argument for parameter %c\n" msgstr "%s: ÏÔÓÕÔÓÔ×ÕÅÔ ÚÎÁÞÅÎÉÅ ÄÌÑ ÐÁÒÁÍÅÔÒÁ %c\n" #: 
src/rsbac_gpasswd.c:143 src/rsbac_groupdel.c:45 src/rsbac_groupmod.c:232 #: src/rsbac_groupmod.c:239 src/rsbac_groupshow.c:263 src/rsbac_useradd.c:361 #: src/rsbac_useradd.c:378 src/rsbac_useradd.c:516 #, fuzzy, c-format msgid "%s: Unknown group %s\n" msgstr "%s: ÎÅÉÚ×ÅÓÔÎÙÊ ÐÁÒÁÍÅÔÒ %s\n" #: src/rsbac_gpasswd.c:173 src/rsbac_gpasswd.c:190 src/rsbac_gpasswd.c:229 #: src/rsbac_gpasswd.c:246 src/rsbac_login.c:102 src/rsbac_passwd.c:81 #: src/rsbac_userdel.c:49 src/rsbac_usermod.c:390 src/rsbac_usermod.c:397 #: src/rsbac_usershow.c:395 #, fuzzy, c-format msgid "%s: Unknown user %s\n" msgstr "%s: ÎÅÉÚ×ÅÓÔÎÙÊ ÐÁÒÁÍÅÔÒ %s\n" #: src/rsbac_gpasswd.c:269 src/rsbac_passwd.c:141 #, fuzzy, c-format msgid "%s: invalid new password!\n" msgstr "%s: îÅ×ÅÒÎÙÊ ÐÏÌØÚÏ×ÁÔÅÌØ %s!\n" #: src/rsbac_gpasswd.c:276 src/rsbac_passwd.c:154 #, fuzzy, c-format msgid "%s: invalid repeated new password!\n" msgstr "%s: îÅ×ÅÒÎÙÊ ÔÉÐ ÏÂßÅËÔÁ %s\n" #: src/rsbac_gpasswd.c:281 src/rsbac_passwd.c:159 #, c-format msgid "%s: new passwords do not match!\n" msgstr "" #: src/rsbac_groupadd.c:37 src/rsbac_groupmod.c:30 src/rsbac_groupshow.c:37 #, fuzzy, c-format msgid "Use: %s [flags] groupname\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [-s] ÍÏÄÕÌØ ÚÎÁÞÅÎÉÅ\n" #: src/rsbac_groupadd.c:38 src/rsbac_groupmod.c:31 src/rsbac_useradd.c:55 #: src/rsbac_usermod.c:36 #, c-format msgid " -p password = password in plaintext,\n" msgstr "" #: src/rsbac_groupadd.c:39 #, c-format msgid " -g gid = gid to use,\n" msgstr "" #: src/rsbac_groupadd.c:43 #, c-format msgid " -o = use values from old group entry,\n" msgstr "" #: src/rsbac_groupadd.c:44 #, c-format msgid " -O = add all existing groups (implies -o)\n" msgstr "" #: src/rsbac_groupdel.c:30 #, c-format msgid "Use: %s [flags] group [group2 ...]\n" msgstr "" #: src/rsbac_groupmod.c:32 src/rsbac_usermod.c:37 #, c-format msgid " -P = disable password,\n" msgstr "" #: src/rsbac_groupmod.c:33 src/rsbac_useradd.c:57 src/rsbac_usermod.c:38 #, c-format msgid " -Q password = encrypted password 
(from backup),\n" msgstr "" #: src/rsbac_groupmod.c:34 #, c-format msgid " -g name = change groupname,\n" msgstr "" #: src/rsbac_groupshow.c:38 #, fuzzy, c-format msgid " -v = verbose, -a = list all groups\n" msgstr "- -v = ÐÏÄÒÏÂÎÏ, -l = ÓÐÉÓÏË ÆÕÎËÃÉÊ,\n" #: src/rsbac_groupshow.c:39 src/rsbac_usershow.c:41 #, fuzzy, c-format msgid " -l = short list all groups, -b = backup mode\n" msgstr " -p = ×Ù×ÅÓÔÉ ÉÍÅÎÁ ÐÒÁ×, -b = ÒÅÖÉÍ ÒÅÚÅÒ×ÉÒÏ×ÁÎÉÑ\n" #: src/rsbac_groupshow.c:40 src/rsbac_usershow.c:42 #, c-format msgid " -p = also show encrypted password\n" msgstr "" #: src/rsbac_groupshow.c:77 #, fuzzy, c-format msgid "%s: Unknown group %u\n" msgstr "%s: çÒÕÐÐÁ %u\n" #: src/rsbac_init.c:38 #, c-format msgid "" "Use: %s root_dev\n" "\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s root_dev\n" "\n" #: src/rsbac_init.c:39 #, c-format msgid "root_dev: root device to initialize from, e.g. /dev/sda1\n" msgstr "" #: src/rsbac_jail.c:29 #, c-format msgid "Use: %s [flags] [-I addr] [-R dir] [-C cap-list] prog args\n" msgstr "" "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [ÆÌÁÇÉ] [-I ÁÄÒÅÓ] [-R ËÁÔÁÌÏÇ] [-C cap-list] ÐÒÏÇÒÁÍÍÁ " "ÁÒÇÕÍÅÎÔÙ\n" #: src/rsbac_jail.c:30 #, c-format msgid "This program will put the process into a jail with chroot to path,\n" msgstr "üÔÁ ÐÒÏÇÒÁÍÍÁ ÐÏÍÅÓÔÉÔ ÐÒÏÃÅÓÓ × jail ÓÏ ÓÍÅÎÏÊ ËÏÒÎÅ×ÏÇÏ ËÁÔÁÌÏÇÁ,\n" #: src/rsbac_jail.c:31 #, c-format msgid "ip address IP and then execute prog with args\n" msgstr "ip ÁÄÒÅÓÏÍ IP, Á ÚÁÔÅÍ ÚÁÐÕÓÔÉÔ ÐÒÏÇÒÁÍÍÕ prog Ó ÁÒÇÕÍÅÎÔÁÍÉ args\n" #: src/rsbac_jail.c:32 #, c-format msgid "-I addr = limit to IP address,\n" msgstr "-I addr = ÏÇÒÁÎÉÞÅÎÉÅ ÄÌÑ IP ÁÄÒÅÓÁ,\n" #: src/rsbac_jail.c:33 #, c-format msgid "-R dir = chroot to dir,\n" msgstr "-R dir = ËÁÔÁÌÏÇ ÄÌÑ chroot,\n" #: src/rsbac_jail.c:34 #, c-format msgid "-C cap-list = limit Linux capabilities for jailed processes,\n" msgstr "-C cap-list = ÏÇÒÁÎÉÞÉÔØ Linux capabilities ÄÌÑ ÐÒÏÃÅÓÓÁ × jail,\n" #: src/rsbac_jail.c:35 #, c-format msgid "" " use bit-vector, numeric value or list names of desired caps,\n" msgstr "" #: 
src/rsbac_jail.c:36 #, c-format msgid " A = all, FS_MASK = all filesystem related,\n" msgstr "" #: src/rsbac_jail.c:37 #, c-format msgid "-L = list all Linux capabilities,\n" msgstr "-L = ÓÐÉÓÏË ×ÓÅÈ Linux capabilities,\n" #: src/rsbac_jail.c:38 #, fuzzy, c-format msgid "-S = list all SCD targets,\n" msgstr " -n = ÓÐÉÓÏË ÄÅÊÓÔ×ÉÔÅÌØÎÙÈ ÉͣΠSCD ,\n" #: src/rsbac_jail.c:39 #, c-format msgid "-v = verbose, -i = allow access to IPC outside this jail,\n" msgstr " -v = ÐÏÄÒÏÂÎÏ, -i = ÐÏÚ×ÏÌÉÔØ ÄÏÓÔÕÐ Ë IPC ×ÎÅ ÜÔÏÇÏ jail,\n" #: src/rsbac_jail.c:40 #, c-format msgid "-n = allow all network families, not only UNIX and INET (IPv4),\n" msgstr "-n = ÐÏÚ×ÏÌÑÔØ ×ÓÅ ×ÉÄÙ ÓÏËÅÔÏ×, ÎÅ ÔÏÌØËÏ UNIX É INET (IPv4),\n" #: src/rsbac_jail.c:41 #, c-format msgid "-r = allow INET (IPv4) raw sockets (e.g. for ping),\n" msgstr "-r = ÐÏÚ×ÏÌÑÔØ ÎÉÚËÏÕÒÏ×ÎÅ×ÙÅ ÓÏËÅÔÙ IPv4 (ÎÁÐÒÉÍÅÒ ÄÌÑ ping),\n" #: src/rsbac_jail.c:42 #, c-format msgid "-a = auto-adjust INET any address 0.0.0.0 to jail address, if set,\n" msgstr "" "-a = Á×ÔÏÍÁÔÉÞÅÓËÉ ÐÒÉ×ÏÄÉÔØ ×ÓÅ ÁÄÒÅÓÁ 0.0.0.0 Ë ÁÄÒÅÓÁÍ jail, ÅÓÌÉ " "×ËÌÀÞÅÎÏ,\n" #: src/rsbac_jail.c:43 #, fuzzy, c-format msgid "-o = additionally allow to/from remote INET (IPv4) address 127.0.0.1,\n" msgstr "" "-o = ÄÏÐÏÌÎÉÔÅÌØÎÏ ÒÁÚÒÅÛÉÔØ ÉÚ/× ÕÄÁÌÅÎÎÏÇÏ INET (IPv4) ÁÄÒÅÓÁ 127.0.0.1\n" #: src/rsbac_jail.c:44 #, c-format msgid "-d = allow read access on devices, -D allow write access\n" msgstr "" #: src/rsbac_jail.c:45 #, c-format msgid "-e = allow GET_STATUS_DATA on devices, -E allow MODIFY_SYSTEM_DATA\n" msgstr "" #: src/rsbac_jail.c:46 #, c-format msgid "-G scd ... = allow GET_STATUS_DATA on these scd targets\n" msgstr "" #: src/rsbac_jail.c:47 #, c-format msgid "-M scd ... 
= allow MODIFY_SYSTEM_DATA on these scd targets\n" msgstr "" #: src/rsbac_jail.c:48 #, c-format msgid "Deprecated old options, please use -G and -M:\n" msgstr "" #: src/rsbac_jail.c:49 #, c-format msgid "-l = allow to modify rlimits (-M rlimit),\n" msgstr "" #: src/rsbac_jail.c:50 #, c-format msgid "-c = allow to modify system clock (-M SCD clock time_strucs),\n" msgstr "" #: src/rsbac_jail.c:51 #, c-format msgid "-m = allow to lock memory (-M mlock),\n" msgstr "" #: src/rsbac_jail.c:52 #, c-format msgid "-p = allow to modify priority (-M priority),\n" msgstr "" #: src/rsbac_jail.c:53 #, c-format msgid "-k = allow to get kernel symbols (-G ksyms)\n" msgstr "" #: src/rsbac_jail.c:173 src/rsbac_jail.c:216 #, fuzzy, c-format msgid "%s: missing SCDs for parameter %c\n" msgstr "%s: ÏÔÓÕÔÓÔ×ÕÅÔ ÓÐÉÓÏË capabilities ÄÌÑ ÐÁÒÁÍÅÔÒÁ %c\n" #: src/rsbac_jail.c:228 #, c-format msgid "%s: missing address for parameter %c\n" msgstr "%s: ÏÔÓÕÔÓÔ×ÕÅÔ ÁÄÒÅÓ ÄÌÑ ÐÁÒÁÍÅÔÒÁ %c\n" #: src/rsbac_jail.c:238 #, c-format msgid "%s: missing dirname for parameter %c\n" msgstr "%s: ÏÓÔÕÔÓÔ×ÕÅÔ ÉÍÑ ËÁÔÁÌÏÇÁ ÄÌÑ ÐÁÒÁÍÅÔÒÁ %c\n" #: src/rsbac_jail.c:305 #, c-format msgid "%s: missing caps for parameter %c\n" msgstr "%s: ÏÔÓÕÔÓÔ×ÕÅÔ ÓÐÉÓÏË capabilities ÄÌÑ ÐÁÒÁÍÅÔÒÁ %c\n" #: src/rsbac_jail.c:340 #, fuzzy, c-format msgid "" "%s: executing %s in jail at %s with IP %s, flags %u, caps %u, scd_get %u, " "scd_modify %u\n" msgstr "%s: ÚÁÐÕÓËÁÅÔÓÑ %s × jail %s Ó IP %s, ÆÌÁÇÁÍÉ %u, caps %u\n" #: src/rsbac_jail.c:350 #, fuzzy, c-format msgid "" "%s: executing %s in jail (no chroot) with IP %s, flags %u, caps %u, scd_get %" "u, scd_modify %u\n" msgstr "%s: ÚÁÐÕÓËÁÅÔÓÑ %s × jail (ÎÅ chroot) Ó IP %s, ÆÌÁÇÉ %u, caps %u\n" #: src/rsbac_list_ta.c:26 #, c-format msgid "Use: %s [flags] {begin|refresh|commit|forget}\n" msgstr "" #: src/rsbac_list_ta.c:27 #, fuzzy, c-format msgid " -v = verbose, -b = print bash export of RSBAC_TA\n" msgstr " -v = ÐÏÄÒÏÂÎÏ, -p = ×Ù×ÅÓÔÉ ÉÍÅÎÁ ÐÒÁ×,\n" #: src/rsbac_list_ta.c:28 #, 
c-format msgid "" " -t ttl = change transaction timeout from kernel config default to ttl\n" msgstr "" #: src/rsbac_list_ta.c:29 #, c-format msgid " -p password = use this password\n" msgstr "" #: src/rsbac_list_ta.c:30 #, c-format msgid " -N ta = transaction number (for refresh, commit, forget)\n" msgstr "" #: src/rsbac_list_ta.c:31 #, c-format msgid " (default = value of RSBAC_TA, if set, or 0 otherwise)\n" msgstr "" #: src/rsbac_list_ta.c:83 #, fuzzy, c-format msgid "%s: missing password for parameter %c\n" msgstr "%s: ÏÔÓÕÔÓÔ×ÕÅÔ ÓÐÉÓÏË capabilities ÄÌÑ ÐÁÒÁÍÅÔÒÁ %c\n" #: src/rsbac_list_ta.c:98 #, fuzzy, c-format msgid "%s: missing user for parameter %c\n" msgstr "%s: ÏÔÓÕÔÓÔ×ÕÅÔ ÚÎÁÞÅÎÉÅ ÄÌÑ ÐÁÒÁÍÅÔÒÁ %c\n" #: src/rsbac_login.c:69 src/rsbac_passwd.c:59 #, fuzzy, c-format msgid "Use: %s [flags] [username]\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [-y] ÐÏÌØÚÏ×ÁÔÅÌØ\n" #: src/rsbac_login.c:70 #, fuzzy, c-format msgid " -v = verbose, -p = preserve environment\n" msgstr " -v = ÐÏÄÒÏÂÎÏ, -p = ×Ù×ÅÓÔÉ ÉÍÅÎÁ ÐÒÁ×,\n" #: src/rsbac_login.c:96 #, fuzzy, c-format msgid "%s: invalid login name!\n" msgstr "" "%s: îÅ×ÅÒÎÁÑ ËÏÍÁÎÄÁ %s!\n" "\n" #: src/rsbac_login.c:125 src/rsbac_useradd.c:146 src/rsbac_useradd.c:181 #, fuzzy, c-format msgid "%s: invalid password!\n" msgstr "%s: îÅ×ÅÒÎÙÊ ÐÏÌØÚÏ×ÁÔÅÌØ %s!\n" #: src/rsbac_passwd.c:60 #, fuzzy, c-format msgid " -v = verbose,\n" msgstr "-v = ÐÏÄÒÏÂÎÏ\n" #: src/rsbac_passwd.c:61 #, c-format msgid " -n = do not ask for old password\n" msgstr "" #: src/rsbac_passwd.c:116 #, fuzzy, c-format msgid "%s: invalid old password!\n" msgstr "" "%s: îÅ×ÅÒÎÁÑ ËÏÍÁÎÄÁ %s!\n" "\n" #: src/rsbac_pm.c:32 #, fuzzy, c-format msgid "Use: %s [flags] call args\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s call args\n" #: src/rsbac_pm.c:34 src/rsbac_pm.c:62 #, c-format msgid "call = one of the following calls, args = call dependent\n" msgstr "call = ÏÄÉÎ ÉÚ ÓÌÅÄÕÀÝÉÈ ×ÙÚÏ×Ï×, args = ÚÁ×ÉÓÉÔ ÏÔ ×ÙÚÏ×Á\n" #: src/rsbac_pm.c:41 src/rsbac_pm.c:69 #, c-format msgid "-- press return --" 
msgstr "-- ÎÁÖÍÉÔÅ Enter --" #: src/rsbac_pm.c:60 #, fuzzy, c-format msgid "Use: %s [flags] create_ticket ticket-nr valid-secs call args\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s create_ticket ticket-nr valid-secs call args\n" #: src/rsbac_pm.c:61 #, c-format msgid " -N ta = transaction number\n" msgstr "" #: src/rsbac_pm.c:137 #, c-format msgid "" "\n" "%s: invalid pm function %s!\n" "\n" msgstr "" "\n" "%s: ÎÅ×ÅÒÎÁÑ pm-ÆÕÎËÃÉÑ %s!\n" "\n" #: src/rsbac_pm.c:140 #, c-format msgid "%s: requesting pm-call %s (No. %i)\n" msgstr "%s: ÚÁÐÒÁÛÉ×ÁÅÔÓÑ pm-×ÙÚÏ× %s (No. %i)\n" #: src/rsbac_pm.c:147 src/rsbac_pm.c:170 src/rsbac_pm.c:193 src/rsbac_pm.c:205 #: src/rsbac_pm.c:216 src/rsbac_pm.c:266 src/rsbac_pm.c:277 src/rsbac_pm.c:289 #: src/rsbac_pm.c:301 src/rsbac_pm.c:313 src/rsbac_pm.c:325 src/rsbac_pm.c:337 #: src/rsbac_pm.c:348 src/rsbac_pm.c:360 src/rsbac_pm.c:372 src/rsbac_pm.c:383 #: src/rsbac_pm.c:396 src/rsbac_pm.c:408 src/rsbac_pm.c:419 src/rsbac_pm.c:430 #: src/rsbac_pm.c:457 src/rsbac_pm.c:469 src/rsbac_pm.c:483 src/rsbac_pm.c:495 #: src/rsbac_pm.c:509 src/rsbac_pm.c:520 src/rsbac_pm.c:531 src/rsbac_pm.c:556 #: src/rsbac_pm.c:584 src/rsbac_pm.c:612 src/rsbac_pm.c:624 src/rsbac_pm.c:634 #: src/rsbac_pm.c:684 src/rsbac_pm.c:694 src/rsbac_pm.c:706 src/rsbac_pm.c:718 #: src/rsbac_pm.c:730 src/rsbac_pm.c:742 src/rsbac_pm.c:754 src/rsbac_pm.c:764 #: src/rsbac_pm.c:776 src/rsbac_pm.c:788 src/rsbac_pm.c:798 src/rsbac_pm.c:812 #: src/rsbac_pm.c:824 src/rsbac_pm.c:834 src/rsbac_pm.c:844 src/rsbac_pm.c:875 #: src/rsbac_pm.c:887 src/rsbac_pm.c:901 src/rsbac_pm.c:913 #, c-format msgid "Too few arguments: argc is %i\n" msgstr "óÌÉÛËÏÍ ÍÁÌÏ ÁÒÇÕÍÅÎÔÏ×: argc %i\n" #: src/rsbac_pm.c:227 src/rsbac_pm.c:238 src/rsbac_pm.c:645 src/rsbac_pm.c:656 #, c-format msgid "%s: Could not allocate list memory!" msgstr "%s: îÅ×ÏÚÍÏÖÎÏ ÐÏÌÕÞÉÔØ ÐÁÍÑÔØ ÐÏÄ ÓÐÉÓÏË!" 
#: src/rsbac_pm.c:545 #, c-format msgid "" "\n" "Too few arguments: argc is %i\n" msgstr "" "\n" "óÌÉÛËÏÍ ÍÁÌÏ ÁÒÇÕÍÅÎÔÏ×: argc %i\n" #: src/rsbac_useradd.c:50 src/rsbac_usermod.c:30 src/rsbac_usershow.c:39 #, fuzzy, c-format msgid "Use: %s [flags] username\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [-y] ÐÏÌØÚÏ×ÁÔÅÌØ\n" #: src/rsbac_useradd.c:51 src/rsbac_usermod.c:31 #, c-format msgid " -c comment = fullname or comment,\n" msgstr "" #: src/rsbac_useradd.c:52 src/rsbac_usermod.c:32 #, fuzzy, c-format msgid " -d dir = homedir of user,\n" msgstr "-R dir = ËÁÔÁÌÏÇ ÄÌÑ chroot,\n" #: src/rsbac_useradd.c:53 src/rsbac_usermod.c:33 #, fuzzy, c-format msgid " -g group = main / initial Linux group,\n" msgstr " -g group = ×Ù×ÅÓÔÉ ÐÒÁ×Á ÄÌÑ ÕËÁÚÁÎÎÏÊ ÇÒÕÐÐÙ, ÎÅ ÄÌÑ ×ÙÚÙ×ÁÀÝÅÇÏ\n" #: src/rsbac_useradd.c:54 src/rsbac_usermod.c:34 #, c-format msgid " -G group1[,group2,...] = add more Linux groups,\n" msgstr "" #: src/rsbac_useradd.c:56 #, c-format msgid " -P = ask for password,\n" msgstr "" #: src/rsbac_useradd.c:58 #, c-format msgid " -s shell = user's shell,\n" msgstr "" #: src/rsbac_useradd.c:59 #, fuzzy, c-format msgid " -u uid = uid to use,\n" msgstr "- -n = ÉÓÐÏÌØÚÏ×ÁÔØ UID, Á ÎÅ ÉÍÑ ÐÏÌØÚÏ×ÁÔÅÌÑ,\n" #: src/rsbac_useradd.c:60 #, c-format msgid " -m = create user home dir from skeleton,\n" msgstr "" #: src/rsbac_useradd.c:61 #, c-format msgid " -k dir = use this skeleton dir instead of /etc/skel/,\n" msgstr "" #: src/rsbac_useradd.c:62 src/rsbac_usermod.c:41 #, c-format msgid " -n minchange-days = minimum days between password changes,\n" msgstr "" #: src/rsbac_useradd.c:63 src/rsbac_usermod.c:42 #, c-format msgid " -x maxchange-days = maximum days between password changes,\n" msgstr "" #: src/rsbac_useradd.c:64 src/rsbac_usermod.c:43 #, c-format msgid " -w warnchange-days = warning days before password must be changed,\n" msgstr "" #: src/rsbac_useradd.c:65 src/rsbac_usermod.c:44 #, c-format msgid "" " -f inactive-days = period between password expiry and account disabling,\n" msgstr "" 
#: src/rsbac_useradd.c:66 src/rsbac_usermod.c:45 #, c-format msgid " -e expire-days = days since 1/Jan/1970 when account gets disabled,\n" msgstr "" #: src/rsbac_useradd.c:70 #, c-format msgid " -o = use values from old passwd/shadow entry,\n" msgstr "" #: src/rsbac_useradd.c:71 #, c-format msgid " -O = add all existing users (implies -o)\n" msgstr "" #: src/rsbac_useradd.c:191 #, c-format msgid "%s: password mismatch!\n" msgstr "" #: src/rsbac_useradd.c:193 #, c-format msgid "%s: Too many tries, using default password!\n" msgstr "" #: src/rsbac_useradd.c:617 #, c-format msgid "%s: cannot lookup skel dir %s\n" msgstr "" #: src/rsbac_useradd.c:623 #, c-format msgid "%s: skel dir %s is no dir\n" msgstr "" #: src/rsbac_useradd.c:629 #, c-format msgid "%s: skel dir name %s is too long\n" msgstr "" #: src/rsbac_userdel.c:31 #, fuzzy, c-format msgid "Use: %s [flags] user [user2 ...]\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [-y] ÐÏÌØÚÏ×ÁÔÅÌØ\n" #: src/rsbac_userdel.c:33 #, c-format msgid " -r = remove user's home dir\n" msgstr "" #: src/rsbac_usermod.c:35 #, c-format msgid " -H group1[,group2,...] 
= remove Linux groups,\n" msgstr "" #: src/rsbac_usermod.c:39 #, c-format msgid " -s shell = user shell,\n" msgstr "" #: src/rsbac_usermod.c:40 #, fuzzy, c-format msgid " -u name = change username,\n" msgstr "- -n = ÉÓÐÏÌØÚÏ×ÁÔØ UID, Á ÎÅ ÉÍÑ ÐÏÌØÚÏ×ÁÔÅÌÑ,\n" #: src/rsbac_usermod.c:475 src/rsbac_usermod.c:491 src/rsbac_usermod.c:522 #: src/rsbac_usermod.c:538 #, fuzzy, c-format msgid "%s: Invalid group %s\n" msgstr "%s: îÅ×ÅÒÎÙÊ ÐÏÌØÚÏ×ÁÔÅÌØ %s!\n" #: src/rsbac_usershow.c:40 #, fuzzy, c-format msgid " -v = verbose, -a = list all users\n" msgstr "- -v = ÐÏÄÒÏÂÎÏ, -l = ÓÐÉÓÏË ÆÕÎËÃÉÊ,\n" #: src/rsbac_usershow.c:43 #, c-format msgid " -D = print dates as yyyymmdd, not day number\n" msgstr "" #: src/rsbac_usershow.c:44 #, fuzzy, c-format msgid " -u = list calling user\n" msgstr "- -n = ÓÐÉÓÏË ×ÓÅÈ ÚÁÐÒÏÓÏ×\n" #: src/rsbac_usershow.c:81 #, fuzzy, c-format msgid "%s: Unknown user %u\n" msgstr "%s: ðÏÌØÚÏ×ÁÔÅÌØ %u\n" #: src/rsbac_write.c:30 #, c-format msgid "%s: %i lists written\n" msgstr "%s: %i ÓÐÉÓËÏ× ÚÁÐÉÓÁÎÏ\n" #: src/switch_adf_log.c:28 #, c-format msgid "Use: %s request [target] [value]\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s ÚÁÐÒÏÓ [ÏÂßÅËÔ] [ÚÎÁÞÅÎÉÅ]\n" #: src/switch_adf_log.c:29 #, c-format msgid "request = request name or ALL, value = [012]\n" msgstr "ÚÁÐÒÏÓ = ÉÍÑ ÚÁÐÒÏÓÁ ÉÌÉ ALL, ÚÎÁÞÅÎÉÅ = [012]\n" #: src/switch_adf_log.c:30 #, c-format msgid "target = target type name, leave out for ALL\n" msgstr "ÏÂßÅËÔ = ÉÍÑ ÏÂßÅËÔÁ, ÐÏ-ÕÍÏÌÞÁÎÉÀ ALL\n" #: src/switch_adf_log.c:31 #, c-format msgid "- -n = list all requests, -t = list all target types\n" msgstr "- -n = ÓÐÉÓÏË ×ÓÅÈ ÚÁÐÒÏÓÏ×, -t = ÓÐÉÓÏË ×ÓÅÈ ÏÂßÅËÔÏ×\n" #: src/switch_adf_log.c:32 #, c-format msgid "- -b = backup log level settings\n" msgstr "- -b = ÒÅÚÅÒ×ÉÒÏ×ÁÔØ ÕÓÔÁÎÏ×ËÉ ÐÒÏÔÏËÏÌÉÒÏ×ÁÎÉÑ\n" #: src/switch_adf_log.c:33 #, c-format msgid "- -g = get not set, -s = scripting mode\n" msgstr "- -g = ÐÏÌÕÞÉÔØ, ÎÅ ÕÓÔÁÎÁ×ÌÉ×ÁÔØ, -s = ÒÅÖÉÍ ÓÃÅÎÁÒÉÑ\n" #: src/switch_adf_log.c:148 #, c-format msgid "%s: getting log settings for 
request %s\n" msgstr "%s: ÐÏÌÕÞÅÎÉÅ ÕÓÔÁÎÏ×ÏË ÐÒÏÔÏËÏÌÉÒÏ×ÁÎÉÑ ÄÌÑ ÚÁÐÒÏÓÁ %s\n" #: src/switch_adf_log.c:225 #, c-format msgid "%s: switching logging for ALL requests and targets to %i\n" msgstr "%s: ÐÅÒÅËÌÀÞÅÎÉÅ ÐÒÏÔÏËÏÌÉÒÏ×ÁÎÉÑ ÄÌÑ ÷óåè ÚÁÐÒÏÓÏ× É ÏÂßÅËÔÏ× × %i\n" #: src/switch_adf_log.c:250 #, c-format msgid "%s: switching logging for request %s and all target types to %i\n" msgstr "" "%s: ÐÅÒÅËÌÀÞÅÎÉÅ ÐÒÏÔÏËÏÌÉÒÏ×ÁÎÉÑ ÄÌÑ ÚÁÐÒÏÓÁ %s É ×ÓÅÈ ÏÂßÅËÔÏ× × %i\n" #: src/switch_adf_log.c:256 src/switch_adf_log.c:287 #, c-format msgid "%s: target %s\n" msgstr "%s: ÏÂßÅËÔ %s\n" #: src/switch_adf_log.c:282 #, c-format msgid "%s: switching logging for ALL requests and target type %s to %i\n" msgstr "" "%s: ÐÅÒÅËÌÀÞÅÎÉÅ ÐÒÏÔÏËÏÌÉÒÏ×ÁÎÉÑ ÷óåè ÚÁÐÒÏÓÏ× É ÏÂßÅËÔÏ× ÔÉÐÁ %s × %i\n" #: src/switch_adf_log.c:311 #, c-format msgid "%s: switching logging for request %s and target type %s to %i\n" msgstr "%s: ÐÅÒÅËÌÀÞÅÎÉÅ ÐÒÏÔÏËÏÌÉÒÏ×ÁÎÉÑ ÄÌÑ ÚÁÐÒÏÓÁ %s É ÏÂßÅËÔÁ %s × %i\n" #: src/switch_module.c:29 #, c-format msgid "Use: %s [-s] module value\n" msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [-s] ÍÏÄÕÌØ ÚÎÁÞÅÎÉÅ\n" #: src/switch_module.c:30 #, c-format msgid " -s: switch module's individual softmode, not the whole module\n" msgstr " -s: ×ËÌ/×ÙËÌ ÉÎÄÉ×ÉÄÕÁÌØÎÙÊ ÏÔÌÁÄÏÞÎÙÊ ÒÅÖÉÍ, ÎÅ ×ÅÓØ ÍÏÄÕÌØ\n" #: src/switch_module.c:31 #, c-format msgid "" "module = module name, value = [01]\n" "\n" msgstr "" "ÍÏÄÕÌØ = ÉÍÑ ÍÏÄÕÌÑ, ÚÎÁÞÅÎÉÅ = [01]\n" "\n" #: src/switch_module.c:32 #, c-format msgid "Possible module names are:\n" msgstr "÷ÏÚÍÏÖÎÙÅ ÉÍÅÎÁ ÍÏÄÕÌÅÊ:\n" #: src/switch_module.c:84 #, c-format msgid "%s: Invalid switch target %s\n" msgstr "%s: îÅ×ÅÒÎÙÊ ÏÂßÅËÔ ÐÅÒÅËÌÀÞÅÎÉÑ %s\n" #: src/switch_module.c:91 #, c-format msgid "%s: switching Module %s softmode to %i\n" msgstr "%s: ÍÏÄÕÌØ %s ÐÅÒÅ×ÏÄÉÔÓÑ × ÏÔÌÁÄÏÞÎÙÊ ÒÅÖÉÍ %i\n" #: src/switch_module.c:93 #, c-format msgid "%s: switching Module %s to %i\n" msgstr "%s: ÐÅÒÅËÌÀÞÁÅÔÓÑ ÍÏÄÕÌØ %s × %i\n" #~ msgid "- -v = verbose, -r = recurse into subdirs,\n" #~ msgstr "- -v 
= ÐÏÄÒÏÂÎÏ, -r = ÒÅËÕÒÓÉ×ÎÏ ÐÏ ÐÏÄËÁÔÁÌÏÇÁÍ,\n" #~ msgid "Use: %s [-a] [-v] [-o target-file] [username(s)]\n" #~ msgstr "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s [-a] [-v] [-o ÆÁÊÌ-ÒÅÚÕÌØÔÁÔ] [ÐÏÌØÚÏ×ÁÔÅÌØ]\n" #~ msgid "- -A = list attributes and values\n" #~ msgstr "- -A = ÓÐÉÓÏË ×ÓÅÈ ÁÔÒÉÂÕÔÏ× É ÚÎÁÞÅÎÉÊ\n" #~ msgid "Use: %s (sockid process-id socket-fd)|(ipc-type id) attribute\n" #~ msgstr "" #~ "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s (id-ÓÏËÅÔÁ id-ÐÒÏÃÅÓÓÁ socket-fd)|(ÔÉÐ-ipc id) ÁÔÒÉÂÕÔ\n" #~ msgid " -A = list attributes and values\n" #~ msgstr " -A = ÓÐÉÓÏË ÁÔÒÉÂÕÔÏ× É ÚÎÁÞÅÎÉÊ\n" #~ msgid "" #~ "Use: %s (sockid process-id socket-fd)|(ipc-type id) attribute value\n" #~ msgstr "" #~ "éÓÐÏÌØÚÏ×ÁÎÉÅ: %s (id-ÓÏËÅÔÁ id-ÐÒÏÃÅÓÓÁ socket-fd)|(ÔÉÐ-ipc id) ÁÔÒÉÂÕÔ " #~ "ÚÎÁÞÅÎÉÅ\n" #~ msgid "-l = allow jailed processes to change their rlimits,\n" #~ msgstr "" #~ "-l = ÐÏÚ×ÏÌÑÔØ ÐÒÏÃÅÓÓÁÍ × jail ÍÅÎÑÔØ ÉÈ ÏÇÒÁÎÉÞÅÎÉÑ ÎÁ ÒÅÓÕÒÓÙ " #~ "(rlimits),\n" #~ msgid "-c = allow jailed processes to change system clock (for ntpd),\n" #~ msgstr "" #~ "-c = ÐÏÚ×ÏÌÉÔØ ÐÒÏÃÅÓÓÁÍ × jail ÉÚÍÅÎÁÔØ ÓÉÓÔÅÍÎÏÅ ×ÒÅÍÑ (ÄÌÑ ntpd),\n" rsbac-admin-1.4.0/main/tools/po/fr.po0000644000175000017500000023542011131371034017213 0ustar gauvaingauvain# RSBAC Tool translation (French). # Copyright (C) 2005 Guillaume Destuynder # This file is distributed under the same license as the rsbac-tools package. # Guillaume Destuynder , 2005. 
# #, fuzzy msgid "" msgstr "" "Project-Id-Version: rsbac-tools 1.2.5rc2\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2005-08-26 09:09+0000\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: g d \n" "Language-Team: FR \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #: src/acl_grant.c:49 src/acl_group.c:33 src/acl_mask.c:49 src/acl_rights.c:46 #: src/acl_rm_user.c:26 src/acl_tlist.c:49 src/attr_back_dev.c:51 #: src/attr_back_fd.c:73 src/attr_back_group.c:48 src/attr_back_net.c:59 #: src/attr_back_user.c:73 src/attr_get_fd.c:39 src/attr_get_file_dir.c:29 #: src/attr_get_group.c:29 src/attr_get_ipc.c:31 src/attr_get_net.c:42 #: src/attr_get_process.c:31 src/attr_get_up.c:26 src/attr_get_user.c:29 #: src/attr_rm_fd.c:37 src/attr_rm_file_dir.c:27 src/attr_rm_group.c:26 #: src/attr_rm_user.c:26 src/attr_set_fd.c:39 src/attr_set_file_dir.c:27 #: src/attr_set_group.c:27 src/attr_set_ipc.c:31 src/attr_set_net.c:41 #: src/attr_set_process.c:30 src/attr_set_up.c:26 src/attr_set_user.c:27 #: src/auth_back_cap.c:41 src/auth_set_cap.c:30 src/get_attribute_name.c:35 #: src/get_attribute_nr.c:31 src/linux2acl.c:60 src/mac_back_trusted.c:40 #: src/mac_back_trusted.c:234 src/mac_get_levels.c:27 src/mac_set_trusted.c:30 #: src/mac_wrap.c:26 src/net_temp.c:40 src/pm_create.c:24 src/pm_ct_exec.c:40 #: src/rc_get_eff_rights_fd.c:38 src/rc_get_item.c:33 src/rc_role_wrap.c:27 #: src/rc_set_item.c:30 src/rsbac_check.c:41 src/rsbac_gpasswd.c:27 #: src/rsbac_groupadd.c:36 src/rsbac_groupdel.c:29 src/rsbac_groupmod.c:29 #: src/rsbac_groupshow.c:36 src/rsbac_init.c:37 src/rsbac_jail.c:28 #: src/rsbac_list_ta.c:25 src/rsbac_login.c:68 src/rsbac_passwd.c:58 #: src/rsbac_pm.c:31 src/rsbac_pm.c:59 src/rsbac_useradd.c:49 #: src/rsbac_userdel.c:30 src/rsbac_usermod.c:29 src/rsbac_usershow.c:38 #: src/switch_adf_log.c:27 src/switch_module.c:28 #, c-format msgid "" "%s (RSBAC %s)\n" "***\n" msgstr "" #: src/acl_grant.c:50 #, 
c-format msgid "" "Use: %s [switches] subj_type subj_id [rights] target-type file/dirname(s)\n" msgstr "" "Usage: %s [options] subj_type subj_id [droits] type-cible fichier/répertoire(s)\n" #: src/acl_grant.c:51 #, c-format msgid " -v = verbose, -r = recurse into subdirs,\n" msgstr " -v = verbeux, -r = récursif dans les sous-répertoires,\n" #: src/acl_grant.c:52 #, c-format msgid " -p = print right names, -s = set rights, not add\n" msgstr " -p = afficher les noms de droits, -s = appliquer les droits, sans ajout\n" #: src/acl_grant.c:53 #, c-format msgid " -k = revoke rights, not add, -m remove entry (set back to inherit)\n" msgstr " -k = révoquer les droits, sans ajout, -m effacer une entrée (rétablit l'héritage)\n" #: src/acl_grant.c:54 #, c-format msgid " -b = expect rights as bitstring, -n = list valid SCD names\n" msgstr "" #: src/acl_grant.c:55 #, c-format msgid " -d = numeric device specification ({b|c}major[:minor])\n" msgstr "" #: src/acl_grant.c:56 #, c-format msgid " -u, -g, -l = shortcuts for USER, GROUP and ROLE\n" msgstr "" #: src/acl_grant.c:57 #, c-format msgid "" " -t = set relative time-to-live for this trustee in seconds (add and set " "only)\n" msgstr "" #: src/acl_grant.c:58 #, c-format msgid "" " -T = set absolute time-to-live for this trustee in seconds (add and set " "only)\n" msgstr "" #: src/acl_grant.c:59 #, c-format msgid "" " -D = set relative time-to-live for this trustee in days (add and set " "only)\n" msgstr "" #: src/acl_grant.c:60 src/acl_group.c:41 src/switch_adf_log.c:34 #, c-format msgid " -V version = supply RSBAC integer version number for upgrading\n" msgstr "" #: src/acl_grant.c:61 src/acl_group.c:42 #, c-format msgid "" " -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n" msgstr "" #: src/acl_grant.c:62 #, c-format msgid " subj_type = USER, GROUP or ROLE,\n" msgstr "" #: src/acl_grant.c:63 #, c-format msgid " subj_id = user name or id number,\n" msgstr "" #: src/acl_grant.c:64 src/acl_mask.c:58 #, 
c-format msgid "" " rights = list of space-separated right names (requests and ACL specials),\n" msgstr "" #: src/acl_grant.c:65 #, c-format msgid "" " also request groups R (read requests), RW (read-write), W (write)\n" msgstr "" #: src/acl_grant.c:66 src/acl_mask.c:60 #, c-format msgid " SY (system), SE (security), A (all)\n" msgstr "" #: src/acl_grant.c:67 src/acl_mask.c:61 #, c-format msgid " S (ACL special rights)\n" msgstr "" #: src/acl_grant.c:68 src/acl_mask.c:62 #, c-format msgid "" " and NWx with x = S R W C E A F M (similar to well-known network " "system)\n" msgstr "" #: src/acl_grant.c:69 src/acl_tlist.c:59 #, c-format msgid "" " target-type = FILE, DIR, FIFO, SYMLINK, DEV, IPC, SCD, USER, PROCESS, " "NETDEV,\n" msgstr "" #: src/acl_grant.c:70 src/acl_mask.c:64 src/acl_tlist.c:60 #, c-format msgid " NETTEMP_NT, NETTEMP, NETOBJ or FD\n" msgstr "" #: src/acl_grant.c:71 src/acl_mask.c:65 src/acl_rights.c:59 src/acl_tlist.c:61 #, c-format msgid " (FD: let %s decide between FILE, DIR, FIFO and SYMLINK, no DEV),\n" msgstr "" #: src/acl_grant.c:72 src/acl_tlist.c:62 #, c-format msgid " (IPC, USER, PROCESS: only :DEFAULT:\n" msgstr "" #: src/acl_grant.c:73 src/acl_rights.c:61 src/acl_tlist.c:63 #, c-format msgid " (NETTEMP: no :DEFAULT:\n" msgstr "" #: src/acl_grant.c:74 src/acl_rights.c:62 src/acl_tlist.c:64 #, c-format msgid "- Use name :DEFAULT: for default ACL\n" msgstr "" #: src/acl_grant.c:133 src/acl_mask.c:127 src/acl_mask.c:210 #: src/acl_rights.c:121 src/acl_rights.c:190 src/acl_tlist.c:126 #: src/acl_tlist.c:203 #, c-format msgid "Invalid target %u for %s, skipped!\n" msgstr "" #: src/acl_grant.c:138 #, c-format msgid "Processing default %s '%s'\n" msgstr "" #: src/acl_grant.c:158 src/acl_mask.c:152 src/acl_rights.c:142 #: src/acl_tlist.c:151 #, c-format msgid "%s is no valid device specification, skipped\n" msgstr "" #: src/acl_grant.c:167 src/acl_mask.c:165 src/acl_rights.c:154 #: src/acl_tlist.c:164 #, c-format msgid "%s is no valid SCD name, 
skipped\n" msgstr "" #: src/acl_grant.c:175 src/acl_grant.c:455 src/acl_group.c:247 #: src/acl_group.c:398 src/acl_group.c:429 src/acl_group.c:456 #: src/acl_mask.c:174 src/acl_rights.c:162 src/acl_rm_user.c:94 #: src/acl_tlist.c:173 src/attr_back_user.c:444 src/attr_back_user.c:468 #: src/attr_get_user.c:147 src/attr_get_user.c:258 src/attr_get_user.c:374 #: src/attr_set_user.c:175 src/attr_set_user.c:346 src/attr_set_user.c:453 #: src/attr_set_user.c:581 src/auth_set_cap.c:214 src/auth_set_cap.c:222 #: src/mac_set_trusted.c:192 src/rsbac_list_ta.c:90 #, c-format msgid "%s: Invalid User %s!\n" msgstr "" #: src/acl_grant.c:183 src/acl_mask.c:184 src/acl_rights.c:170 #: src/acl_tlist.c:183 src/attr_back_group.c:274 src/attr_back_group.c:298 #: src/attr_get_group.c:143 src/attr_get_group.c:214 src/attr_get_user.c:240 #: src/attr_set_group.c:182 #, c-format msgid "%s: Invalid Group %s!\n" msgstr "" #: src/acl_grant.c:203 #, c-format msgid "Invalid target type %u for %s, skipped!\n" msgstr "" #: src/acl_grant.c:208 src/acl_rights.c:196 src/rc_get_eff_rights_fd.c:56 #, c-format msgid "Processing %s '%s'\n" msgstr "" #: src/acl_grant.c:252 src/acl_mask.c:289 src/acl_mask.c:291 #: src/acl_rights.c:235 src/acl_tlist.c:246 src/attr_rm_fd.c:61 #: src/attr_rm_file_dir.c:103 src/attr_set_fd.c:71 #: src/rc_get_eff_rights_fd.c:63 #, c-format msgid "%s: error: %s\n" msgstr "" #: src/acl_grant.c:268 src/acl_mask.c:373 src/acl_rights.c:290 #: src/acl_tlist.c:401 src/attr_back_dev.c:206 src/attr_back_fd.c:279 #: src/attr_get_fd.c:141 src/attr_rm_fd.c:77 src/attr_set_fd.c:87 #: src/auth_back_cap.c:373 src/linux2acl.c:765 src/mac_back_trusted.c:108 #: src/rc_get_eff_rights_fd.c:95 #, c-format msgid "opendir for dir %s returned error: %s\n" msgstr "" #: src/acl_grant.c:371 src/acl_grant.c:381 src/acl_grant.c:402 #: src/acl_group.c:133 src/acl_group.c:143 src/acl_group.c:164 #: src/auth_set_cap.c:123 src/auth_set_cap.c:133 src/auth_set_cap.c:154 #: src/mac_set_trusted.c:101 
src/mac_set_trusted.c:111 #: src/mac_set_trusted.c:132 src/rc_set_item.c:128 src/rc_set_item.c:138 #: src/rc_set_item.c:159 src/rsbac_groupadd.c:213 src/rsbac_groupadd.c:223 #: src/rsbac_groupadd.c:244 src/rsbac_groupmod.c:166 src/rsbac_groupmod.c:177 #: src/rsbac_groupmod.c:199 src/rsbac_list_ta.c:73 src/rsbac_useradd.c:646 #: src/rsbac_useradd.c:656 src/rsbac_useradd.c:677 src/rsbac_usermod.c:324 #: src/rsbac_usermod.c:335 src/rsbac_usermod.c:357 #, c-format msgid "%s: missing ttl value for parameter %c\n" msgstr "" #: src/acl_grant.c:397 src/acl_group.c:159 src/auth_set_cap.c:149 #: src/mac_set_trusted.c:127 src/rc_set_item.c:154 src/rsbac_groupadd.c:239 #: src/rsbac_groupmod.c:194 src/rsbac_useradd.c:672 src/rsbac_usermod.c:352 #, c-format msgid "%s: ttl value for parameter %c is in the past, exiting\n" msgstr "" #: src/acl_grant.c:407 src/acl_group.c:169 src/acl_mask.c:461 #: src/attr_set_fd.c:184 src/attr_set_file_dir.c:143 src/attr_set_group.c:123 #: src/attr_set_net.c:288 src/attr_set_up.c:110 src/attr_set_user.c:123 #: src/auth_set_cap.c:159 src/mac_set_trusted.c:137 src/net_temp.c:268 #: src/rc_set_item.c:201 src/switch_adf_log.c:119 #, c-format msgid "%s: no version number for switch V\n" msgstr "" #: src/acl_grant.c:423 src/acl_group.c:185 src/acl_mask.c:477 #: src/acl_rights.c:489 src/acl_rm_user.c:72 src/acl_tlist.c:491 #: src/attr_back_dev.c:303 src/attr_back_fd.c:398 src/attr_back_group.c:192 #: src/attr_back_net.c:311 src/attr_back_user.c:325 src/attr_get_fd.c:249 #: src/attr_get_file_dir.c:198 src/attr_get_group.c:185 src/attr_get_ipc.c:90 #: src/attr_get_net.c:317 src/attr_get_process.c:115 src/attr_get_up.c:117 #: src/attr_get_user.c:208 src/attr_rm_fd.c:138 src/attr_rm_file_dir.c:74 #: src/attr_rm_group.c:67 src/attr_rm_user.c:67 src/attr_set_fd.c:200 #: src/attr_set_file_dir.c:159 src/attr_set_group.c:139 src/attr_set_ipc.c:89 #: src/attr_set_net.c:304 src/attr_set_process.c:126 src/attr_set_up.c:126 #: src/attr_set_user.c:139 
src/auth_back_cap.c:466 src/auth_set_cap.c:175 #: src/mac_back_trusted.c:190 src/mac_set_trusted.c:153 src/net_temp.c:284 #: src/rc_copy_role.c:66 src/rc_copy_type.c:68 src/rc_get_eff_rights_fd.c:159 #: src/rc_get_item.c:256 src/rc_set_item.c:217 src/rsbac_gpasswd.c:122 #: src/rsbac_groupadd.c:255 src/rsbac_groupdel.c:99 src/rsbac_groupmod.c:210 #: src/rsbac_groupshow.c:239 src/rsbac_list_ta.c:108 src/rsbac_pm.c:117 #: src/rsbac_useradd.c:688 src/rsbac_userdel.c:136 src/rsbac_usermod.c:368 #: src/rsbac_usershow.c:371 #, c-format msgid "%s: missing transaction number value for parameter %c\n" msgstr "" #: src/acl_grant.c:428 src/acl_group.c:190 src/acl_mask.c:482 #: src/acl_rights.c:560 src/acl_rm_user.c:78 src/acl_tlist.c:496 #: src/attr_back_dev.c:308 src/attr_back_fd.c:403 src/attr_back_group.c:197 #: src/attr_back_net.c:316 src/attr_back_user.c:330 src/attr_get_fd.c:254 #: src/attr_get_file_dir.c:232 src/attr_get_group.c:191 src/attr_get_ipc.c:95 #: src/attr_get_net.c:323 src/attr_get_process.c:121 src/attr_get_up.c:122 #: src/attr_get_user.c:214 src/attr_rm_fd.c:143 src/attr_rm_file_dir.c:79 #: src/attr_rm_group.c:72 src/attr_rm_user.c:72 src/attr_set_fd.c:206 #: src/attr_set_file_dir.c:165 src/attr_set_group.c:145 src/attr_set_ipc.c:94 #: src/attr_set_net.c:310 src/attr_set_process.c:131 src/attr_set_up.c:131 #: src/attr_set_user.c:145 src/auth_back_cap.c:471 src/auth_set_cap.c:180 #: src/linux2acl.c:831 src/mac_back_trusted.c:195 src/mac_set_trusted.c:158 #: src/mac_wrap.c:110 src/net_temp.c:289 src/rc_copy_role.c:71 #: src/rc_copy_type.c:73 src/rc_get_eff_rights_fd.c:164 src/rc_get_item.c:262 #: src/rc_role_wrap.c:58 src/rc_set_item.c:223 src/rsbac_gpasswd.c:127 #: src/rsbac_groupadd.c:261 src/rsbac_groupdel.c:105 src/rsbac_groupmod.c:216 #: src/rsbac_groupshow.c:245 src/rsbac_jail.c:327 src/rsbac_list_ta.c:117 #: src/rsbac_login.c:74 src/rsbac_passwd.c:65 src/rsbac_pm.c:122 #: src/rsbac_useradd.c:694 src/rsbac_userdel.c:142 src/rsbac_usermod.c:374 #: 
src/rsbac_usershow.c:377 src/switch_adf_log.c:128 src/switch_module.c:69 #, c-format msgid "%s: unknown parameter %c\n" msgstr "" #: src/acl_grant.c:443 #, c-format msgid "%s: unknown subject_type %s\n" msgstr "" #: src/acl_grant.c:472 src/rc_set_item.c:644 #, c-format msgid "Invalid bitstring length %u, must be %u!\n" msgstr "" #: src/acl_grant.c:656 src/acl_mask.c:695 src/attr_rm_fd.c:165 #: src/attr_set_fd.c:238 #, c-format msgid "%s: Invalid target type %s\n" msgstr "" #: src/acl_grant.c:666 #, c-format msgid "" "Set rights: %s\n" "for %s %u\n" msgstr "" #: src/acl_grant.c:672 #, c-format msgid "" "Add rights: %s\n" "for %s %u\n" msgstr "" #: src/acl_grant.c:678 #, c-format msgid "" "Revoke rights: %s\n" "for %s %u\n" msgstr "" #: src/acl_grant.c:684 #, c-format msgid "Remove entry for %s %u.\n" msgstr "" #: src/acl_grant.c:689 #, c-format msgid "%s: Internal error in call switch!\n" msgstr "" #: src/acl_grant.c:705 #, c-format msgid "" "\n" "%s: %i targets\n" "\n" msgstr "" #: src/acl_group.c:34 #, c-format msgid "Use: %s [switches] function params\n" msgstr "" #: src/acl_group.c:35 #, c-format msgid " -v = verbose, -g = also list global groups of other users,\n" msgstr "" #: src/acl_group.c:36 #, c-format msgid " -b = backup mode, -n = use numerical values,\n" msgstr "" #: src/acl_group.c:37 #, c-format msgid " -s = scripting mode\n" msgstr "" #: src/acl_group.c:38 #, c-format msgid "" " -t = set relative time-to-live for this membership in seconds (add_member " "only)\n" msgstr "" #: src/acl_group.c:39 #, c-format msgid "" " -T = set absolute time-to-live for this trustee in seconds (add_member " "only)\n" msgstr "" #: src/acl_group.c:40 #, c-format msgid "" " -D = set relative time-to-live for this membership in days (add_member " "only)\n" msgstr "" #: src/acl_group.c:43 #, c-format msgid "- function and params = one of\n" msgstr "" #: src/acl_group.c:44 #, c-format msgid " add_group P[RIVATE]|G[LOBAL] name [id]\n" msgstr "" #: src/acl_group.c:45 #, 
c-format msgid " change_group group-id new-owner P[RIVATE]|G[LOBAL] name\n" msgstr "" #: src/acl_group.c:46 #, c-format msgid " remove_group group-id\n" msgstr "" #: src/acl_group.c:47 #, c-format msgid " get_group_entry group-id\n" msgstr "" #: src/acl_group.c:48 #, c-format msgid " get_group_name group-id\n" msgstr "" #: src/acl_group.c:49 #, c-format msgid " get_group_type group-id\n" msgstr "" #: src/acl_group.c:50 #, c-format msgid " get_group_owner group-id\n" msgstr "" #: src/acl_group.c:51 #, c-format msgid " list_groups\n" msgstr "" #: src/acl_group.c:52 #, c-format msgid " add_member group-id user1 ...\n" msgstr "" #: src/acl_group.c:53 #, c-format msgid " remove_member group-id user1 ...\n" msgstr "" #: src/acl_group.c:54 #, c-format msgid " get_user_groups [user]\n" msgstr "" #: src/acl_group.c:55 #, c-format msgid " get_group_members group-id\n" msgstr "" #: src/acl_group.c:71 src/net_temp.c:63 msgid "*unknown*" msgstr "" #: src/acl_group.c:210 src/acl_group.c:241 src/acl_group.c:277 #: src/acl_group.c:299 src/acl_group.c:388 src/acl_group.c:421 #: src/acl_group.c:500 #, c-format msgid "%s: too few arguments for function %s\n" msgstr "" #: src/acl_group.c:220 src/acl_group.c:258 #, c-format msgid "%s: %s: invalid group type %s\n" msgstr "" #: src/acl_group.c:232 #, c-format msgid "%s group %u '%s' added\n" msgstr "" #: src/acl_group.c:265 #, c-format msgid "Group %u changed to owner %u, type %s, name '%s'\n" msgstr "" #: src/acl_group.c:286 #, c-format msgid "Group %u '%s' removed\n" msgstr "" #: src/acl_group.c:320 src/acl_group.c:371 #, c-format msgid "Group %u: owner %u (%s), type %c, name '%s'\n" msgstr "" #: src/acl_group.c:339 #, c-format msgid "%i groups listed:\n" msgstr "" #: src/acl_group.c:342 #, c-format msgid "%i groups listed (list truncated):\n" msgstr "" #: src/acl_group.c:377 src/acl_group.c:487 src/acl_group.c:596 #, c-format msgid "(truncated)\n" msgstr "" #: src/acl_group.c:406 #, c-format msgid "Member %u (%s) added to group %u 
'%s'\n" msgstr "" #: src/acl_group.c:437 #, c-format msgid "Member %u (%s) removed from group %u '%s'\n" msgstr "" #: src/acl_group.c:468 #, c-format msgid "%i group memberships for user %u (%s): " msgstr "" #: src/acl_group.c:473 #, c-format msgid "%i group memberships for user %u (%s) (list truncated): " msgstr "" #: src/acl_group.c:512 #, c-format msgid "%i members of group %u '%s':\n" msgstr "" #: src/acl_group.c:517 #, c-format msgid "%i members of group %u '%s' (list truncated):\n" msgstr "" #: src/acl_group.c:601 #, c-format msgid "%s: internal error: invalid function number %u\n" msgstr "" #: src/acl_mask.c:50 #, c-format msgid "Use: %s [switches] [rights] target-type file/dirname(s)\n" msgstr "" #: src/acl_mask.c:51 src/acl_rights.c:48 src/acl_tlist.c:51 #: src/attr_rm_fd.c:39 src/attr_set_fd.c:41 src/rc_get_eff_rights_fd.c:40 #, c-format msgid " -v = verbose, -r = recurse into subdirs,\n" msgstr "" #: src/acl_mask.c:52 #, c-format msgid " -p = print right names, -s = set mask, not get\n" msgstr "" #: src/acl_mask.c:53 #, c-format msgid " -b = backup mode, -n = list valid SCD names\n" msgstr "" #: src/acl_mask.c:54 src/acl_tlist.c:53 src/attr_get_file_dir.c:34 #: src/attr_rm_file_dir.c:29 src/attr_set_file_dir.c:32 #, c-format msgid " -d = numeric device specification ({b|c}major[:minor])\n" msgstr "" #: src/acl_mask.c:55 #, c-format msgid " -D = process all existing device masks,\n" msgstr "" #: src/acl_mask.c:56 src/attr_set_fd.c:44 src/attr_set_file_dir.c:34 #: src/attr_set_group.c:32 src/attr_set_net.c:46 src/attr_set_up.c:30 #: src/attr_set_user.c:32 src/auth_set_cap.c:45 src/mac_set_trusted.c:39 #: src/net_temp.c:49 src/rc_set_item.c:42 #, c-format msgid " -V version = supply RSBAC integer version number for upgrading\n" msgstr "" #: src/acl_mask.c:57 src/acl_rights.c:53 src/acl_rm_user.c:30 #: src/acl_tlist.c:58 src/attr_back_dev.c:59 src/attr_back_fd.c:83 #: src/attr_back_group.c:55 src/attr_back_net.c:64 src/attr_back_user.c:79 #: 
src/attr_get_fd.c:44 src/attr_get_file_dir.c:39 src/attr_get_group.c:34 #: src/attr_get_ipc.c:34 src/attr_get_net.c:48 src/attr_get_process.c:35 #: src/attr_get_up.c:29 src/attr_get_user.c:36 src/attr_rm_fd.c:40 #: src/attr_rm_file_dir.c:30 src/attr_rm_group.c:28 src/attr_rm_user.c:28 #: src/attr_set_fd.c:45 src/attr_set_file_dir.c:35 src/attr_set_group.c:33 #: src/attr_set_net.c:47 src/attr_set_process.c:34 src/attr_set_up.c:31 #: src/attr_set_user.c:33 src/auth_back_cap.c:48 src/auth_set_cap.c:46 #: src/mac_back_trusted.c:45 src/mac_back_trusted.c:239 #: src/mac_set_trusted.c:40 src/net_temp.c:50 src/rc_copy_role.c:28 #: src/rc_copy_type.c:29 src/rc_get_eff_rights_fd.c:42 src/rc_get_item.c:43 #: src/rc_set_item.c:43 src/rsbac_groupadd.c:45 src/rsbac_groupdel.c:32 #: src/rsbac_groupmod.c:38 src/rsbac_groupshow.c:41 src/rsbac_pm.c:33 #: src/rsbac_useradd.c:72 src/rsbac_userdel.c:34 src/rsbac_usermod.c:49 #: src/rsbac_usershow.c:45 #, c-format msgid "" " -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n" msgstr "" #: src/acl_mask.c:59 #, c-format msgid " also request groups R (read requests), RW (read-write),\n" msgstr "" #: src/acl_mask.c:63 #, c-format msgid " target-type = FILE, DIR, FIFO, SYMLINK, DEV, SCD, NETDEV,\n" msgstr "" #: src/acl_mask.c:218 src/acl_mask.c:223 src/acl_tlist.c:211 #: src/acl_tlist.c:216 #, c-format msgid "# Processing %s '%s'\n" msgstr "" #: src/acl_mask.c:504 src/attr_set_process.c:182 src/attr_set_user.c:200 #, c-format msgid "%s: Invalid mask vector %s\n" msgstr "" #: src/acl_mask.c:704 #, c-format msgid "Set mask: %s\n" msgstr "" #: src/acl_mask.c:720 #, c-format msgid "# Get mask.\n" msgstr "" #: src/acl_mask.c:724 #, c-format msgid "" "\n" "# %s: %i targets\n" "\n" msgstr "" #: src/acl_mask.c:731 src/acl_tlist.c:514 src/attr_back_user.c:398 #, c-format msgid "# %s: processing all users\n" msgstr "" #: src/acl_mask.c:743 src/acl_mask.c:774 src/acl_tlist.c:520 #: src/acl_tlist.c:549 src/attr_back_dev.c:340 
src/attr_back_dev.c:369 #: src/attr_back_group.c:237 src/attr_back_group.c:266 src/attr_back_net.c:383 #: src/attr_back_net.c:444 src/attr_back_user.c:407 src/attr_back_user.c:436 #, c-format msgid "# %s: %i targets\n" msgstr "" #: src/acl_mask.c:768 src/acl_tlist.c:543 #, c-format msgid "# %s: processing all devices\n" msgstr "" #: src/acl_rights.c:47 #, c-format msgid "Use: %s [switches] target-type file/dirname(s)\n" msgstr "" #: src/acl_rights.c:49 #, c-format msgid " -p = print right names, -d = give direct, not effective rights\n" msgstr "" #: src/acl_rights.c:50 #, c-format msgid " -n = list valid SCD names, -s = scripting mode\n" msgstr "" #: src/acl_rights.c:51 #, c-format msgid " -D = numeric device specification ({b|c}major[:minor])\n" msgstr "" #: src/acl_rights.c:52 #, c-format msgid " -R = list valid right names [for target-type]\n" msgstr "" #: src/acl_rights.c:54 #, c-format msgid " -u user = print rights for given user, not caller\n" msgstr "" #: src/acl_rights.c:55 #, c-format msgid " -g group = print rights for given group, not caller\n" msgstr "" #: src/acl_rights.c:56 #, c-format msgid " -l role = print rights for given role, not caller\n" msgstr "" #: src/acl_rights.c:57 #, c-format msgid "" " target-type = FILE, DIR, FIFO, SYMLINK, DEV, IPC, SCD, USER, GROUP, " "PROCESS,\n" msgstr "" #: src/acl_rights.c:58 #, c-format msgid " NETDEV, NETTEMP_NT, NETTEMP, NETOBJ or FD\n" msgstr "" #: src/acl_rights.c:60 #, c-format msgid " (IPC, PROCESS: only :DEFAULT:\n" msgstr "" #: src/acl_rights.c:420 #, c-format msgid "%s: invalid target type %s for switch N\n" msgstr "" #: src/acl_rights.c:435 #, c-format msgid "%s: no user for switch u\n" msgstr "" #: src/acl_rights.c:443 src/acl_rights.c:506 #, c-format msgid "Invalid user %s!\n" msgstr "" #: src/acl_rights.c:450 #, c-format msgid "%s: User %u\n" msgstr "" #: src/acl_rights.c:457 #, c-format msgid "%s: no group for switch g\n" msgstr "" #: src/acl_rights.c:463 src/acl_rights.c:530 #, c-format msgid 
"%s: Group %u\n" msgstr "" #: src/acl_rights.c:470 #, c-format msgid "%s: no role for switch l\n" msgstr "" #: src/acl_rights.c:476 src/acl_rights.c:547 #, c-format msgid "%s: Role %u\n" msgstr "" #: src/acl_rights.c:498 #, c-format msgid "%s: no user for switch -USER\n" msgstr "" #: src/acl_rights.c:524 #, c-format msgid "%s: no group for switch -GROUP\n" msgstr "" #: src/acl_rights.c:541 #, c-format msgid "%s: no role for switch -ROLE\n" msgstr "" #: src/acl_rights.c:555 #, c-format msgid "%s: unknown parameter %s\n" msgstr "" #: src/acl_rights.c:575 src/acl_rights.c:592 src/attr_get_fd.c:275 #: src/attr_get_net.c:344 src/attr_get_up.c:142 src/attr_rm_fd.c:155 #: src/attr_set_net.c:396 src/attr_set_net.c:406 src/attr_set_up.c:151 #: src/rc_get_eff_rights_fd.c:186 src/rc_get_eff_rights_fd.c:201 #, c-format msgid "" "%s: %i targets\n" "\n" msgstr "" #: src/acl_rights.c:576 src/acl_tlist.c:570 src/rc_get_eff_rights_fd.c:187 #, c-format msgid "%s: No target type given, assuming FD\n" msgstr "" #: src/acl_rm_user.c:27 #, c-format msgid "" "Remove all groups and memberships of a user\n" "\n" msgstr "" #: src/acl_rm_user.c:28 #, c-format msgid "Use: %s [flags] user\n" msgstr "" #: src/acl_rm_user.c:29 #, c-format msgid " -y: remove without asking\n" msgstr "" #: src/acl_rm_user.c:103 #, c-format msgid "Remove all groups and memberships of user %u '%s' [y/n]\n" msgstr "" #: src/acl_tlist.c:50 #, c-format msgid "Use: %s [switches] target-type file/dir/scdname(s)\n" msgstr "" #: src/acl_tlist.c:52 #, c-format msgid " -p = print right names, -b = backup mode\n" msgstr "" #: src/acl_tlist.c:54 #, c-format msgid " -D = process all existing device acls,\n" msgstr "" #: src/acl_tlist.c:55 #, c-format msgid " -a = process all users,\n" msgstr "" #: src/acl_tlist.c:56 #, c-format msgid " -n = list valid SCD names,\n" msgstr "" #: src/acl_tlist.c:57 #, c-format msgid " -s = scripting mode,\n" msgstr "" #: src/acl_tlist.c:352 src/acl_tlist.c:356 #, c-format msgid "%s: %i entries\n" 
msgstr "" #: src/acl_tlist.c:569 src/acl_tlist.c:586 #, c-format msgid "" "# %s: %i targets\n" "\n" msgstr "" #: src/attr_back_dev.c:52 #, c-format msgid "Use: %s [-v] [-o target-file] file/dirname(s)\n" msgstr "" #: src/attr_back_dev.c:53 #, c-format msgid "- should be called by root with all rsbac modules switched off,\n" msgstr "" #: src/attr_back_dev.c:54 src/attr_back_fd.c:76 src/auth_back_cap.c:44 #: src/mac_back_trusted.c:42 src/mac_back_trusted.c:236 #, c-format msgid " -r = recurse in subdirs, -v = verbose, no symlinks followed,\n" msgstr "" #: src/attr_back_dev.c:55 src/attr_back_group.c:51 src/auth_back_cap.c:45 #, c-format msgid " -T file = read file/dirname list from file (- for stdin),\n" msgstr "" #: src/attr_back_dev.c:56 src/attr_back_fd.c:81 src/attr_back_group.c:53 #: src/attr_back_user.c:77 #, c-format msgid " -o target-file = write to file, not stdout,\n" msgstr "" #: src/attr_back_dev.c:57 #, c-format msgid " -b = backup all device entries known to RSBAC,\n" msgstr "" #: src/attr_back_dev.c:58 src/attr_back_group.c:54 src/attr_back_net.c:63 #: src/attr_back_user.c:78 #, c-format msgid " -A = list attributes and values,\n" msgstr "" #: src/attr_back_dev.c:74 #, c-format msgid "# Processing DEV '%s'\n" msgstr "" #: src/attr_back_dev.c:271 src/attr_back_fd.c:352 src/attr_back_net.c:268 #: src/attr_back_user.c:294 src/mac_back_trusted.c:179 #, c-format msgid "%s: missing filename for parameter o\n" msgstr "" #: src/attr_back_dev.c:281 src/attr_back_group.c:161 src/attr_back_group.c:171 #: src/attr_back_net.c:278 src/attr_back_user.c:304 src/auth_back_cap.c:445 #: src/auth_back_cap.c:455 #, c-format msgid "%s: missing filename for parameter %c\n" msgstr "" #: src/attr_back_dev.c:285 #, c-format msgid "Attributes and values in backup = see following list:\n" msgstr "" #: src/attr_back_dev.c:328 src/attr_back_fd.c:420 src/attr_back_group.c:217 #: src/attr_back_net.c:335 src/attr_back_user.c:350 src/auth_back_cap.c:487 #: src/mac_back_trusted.c:211 #, 
c-format msgid "opening target file returned error: %s\n" msgstr "" #: src/attr_back_dev.c:362 src/attr_back_fd.c:432 src/attr_back_group.c:259 #: src/attr_back_net.c:376 src/attr_back_net.c:437 src/attr_back_user.c:429 #: src/auth_back_cap.c:497 #, c-format msgid "opening target list file returned error: %s\n" msgstr "" #: src/attr_back_dev.c:371 src/attr_back_group.c:268 src/attr_back_net.c:385 #: src/attr_back_net.c:446 src/attr_back_user.c:438 #, c-format msgid "# - plus targets from file %s\n" msgstr "" #: src/attr_back_fd.c:74 #, c-format msgid "Use: %s [options] file/dirname(s)\n" msgstr "" #: src/attr_back_fd.c:75 #, c-format msgid "" "- should be called by user with full attribute read access,\n" " e.g. root with all modules off\n" msgstr "" #: src/attr_back_fd.c:77 #, c-format msgid " -s = ignore daz_scanned,\n" msgstr "" #: src/attr_back_fd.c:78 #, c-format msgid " -T file = read target list from file (- for stdin),\n" msgstr "" #: src/attr_back_fd.c:79 #, c-format msgid " -i = use MAC non-inherit values as default values,\n" msgstr "" #: src/attr_back_fd.c:80 #, c-format msgid " -P flags = use these PaX flags as default, preset is PeMRxS,\n" msgstr "" #: src/attr_back_fd.c:82 #, c-format msgid " -a = list attributes and values,\n" msgstr "" #: src/attr_back_fd.c:96 #, c-format msgid "# Processing FD '%s'\n" msgstr "" #: src/attr_back_fd.c:362 #, c-format msgid "%s: missing filename for parameter T\n" msgstr "" #: src/attr_back_fd.c:365 src/attr_back_net.c:284 #, c-format msgid "attributes and values in backup = see following list:\n" msgstr "" #: src/attr_back_fd.c:385 #, c-format msgid "%s: missing PaX flags for parameter %c\n" msgstr "" #: src/attr_back_fd.c:439 #, c-format msgid "# %s: %i targets" msgstr "" #: src/attr_back_fd.c:441 src/auth_back_cap.c:506 src/mac_back_trusted.c:218 #, c-format msgid " - recursing" msgstr "" #: src/attr_back_fd.c:443 src/auth_back_cap.c:508 #, c-format msgid " - plus targets from file %s" msgstr "" #: 
src/attr_back_group.c:49 #, c-format msgid "Use: %s [flags] [groupname(s)]\n" msgstr "" #: src/attr_back_group.c:50 #, c-format msgid " -a = process all groups, -v = verbose,\n" msgstr "" #: src/attr_back_group.c:52 #, c-format msgid " -n = show numeric gid not groupname,\n" msgstr "" #: src/attr_back_group.c:69 #, c-format msgid "# Processing group %s\n" msgstr "" #: src/attr_back_group.c:71 #, c-format msgid "# Processing group %u\n" msgstr "" #: src/attr_back_group.c:174 src/attr_back_user.c:307 #, c-format msgid "- attributes and values in backup = see following list:\n" msgstr "" #: src/attr_back_group.c:228 #, c-format msgid "# %s: processing all groups\n" msgstr "" #: src/attr_back_net.c:60 #, c-format msgid "Use: %s [options] target name(s)/number(s)\n" msgstr "" #: src/attr_back_net.c:61 #, c-format msgid "" " should be called by user with full attribute read access,\n" "- e.g. with all modules off\n" msgstr "" #: src/attr_back_net.c:62 #, c-format msgid " -a = backup all objects, -v = verbose, no symlinks followed,\n" msgstr "" #: src/attr_back_net.c:65 #, c-format msgid " valid targets: NETDEV, NETTEMP\n" msgstr "" #: src/attr_back_net.c:77 #, c-format msgid "# Processing NETDEV '%s'\n" msgstr "" #: src/attr_back_net.c:147 #, c-format msgid "# Processing NETTEMP %u\n" msgstr "" #: src/attr_back_net.c:346 #, c-format msgid "invalid target %s\n" msgstr "" #: src/attr_back_user.c:74 #, c-format msgid "Use: %s [flags] [username(s)]\n" msgstr "" #: src/attr_back_user.c:75 #, c-format msgid " -a = process all users, -v = verbose,\n" msgstr "" #: src/attr_back_user.c:76 #, c-format msgid " -n = show numeric uid not username,\n" msgstr "" #: src/attr_back_user.c:93 #, c-format msgid "# Processing user %s\n" msgstr "" #: src/attr_back_user.c:95 #, c-format msgid "# Processing user %u\n" msgstr "" #: src/attr_get_fd.c:40 #, c-format msgid "Use: %s [switches] module target-type attribute file/dirname(s)\n" msgstr "" #: src/attr_get_fd.c:41 src/attr_get_net.c:44 #, 
c-format msgid " -v = verbose, -e = show effective (maybe inherited) value, not real\n" msgstr "" #: src/attr_get_fd.c:42 src/attr_set_net.c:44 #, c-format msgid " -r = recurse into subdirs, -n = list all requests\n" msgstr "" #: src/attr_get_fd.c:43 src/attr_get_file_dir.c:38 src/attr_get_group.c:33 #: src/attr_get_net.c:46 src/attr_get_process.c:34 src/attr_get_up.c:28 #: src/attr_get_user.c:35 src/attr_set_net.c:45 #, c-format msgid " -a = list attributes and values\n" msgstr "" #: src/attr_get_fd.c:45 src/attr_get_group.c:35 src/attr_get_up.c:30 #: src/attr_get_user.c:37 src/attr_set_fd.c:46 src/attr_set_process.c:35 #: src/attr_set_up.c:28 #, c-format msgid " module = GEN, MAC, FC, SIM, PM, MS, FF, RC or AUTH\n" msgstr "" #: src/attr_get_fd.c:46 src/attr_rm_fd.c:41 src/attr_set_fd.c:47 #: src/rc_get_eff_rights_fd.c:43 #, c-format msgid " target-type = FILE, DIR, FIFO, SYMLINK, DEV or FD\n" msgstr "" #: src/attr_get_fd.c:47 #, c-format msgid " (FD: let %s decide between FILE, DIR, FIFO and SYMLINK, no DEV)\n" msgstr "" #: src/attr_get_fd.c:57 src/attr_get_net.c:89 src/attr_set_net.c:191 #, c-format msgid "Processing %s '%s', attribute %s\n" msgstr "" #: src/attr_get_fd.c:69 #, c-format msgid "%s: %s\n" msgstr "" #: src/attr_get_fd.c:77 src/attr_get_fd.c:81 src/attr_get_fd.c:107 #: src/attr_get_fd.c:121 src/attr_get_net.c:113 src/attr_get_net.c:124 #, c-format msgid "%s: Returned value: %s\n" msgstr "" #: src/attr_get_fd.c:85 src/attr_get_fd.c:101 src/attr_get_fd.c:116 #: src/attr_get_net.c:106 src/attr_get_net.c:149 src/attr_get_net.c:162 #, c-format msgid "%s: Returned value: %u\n" msgstr "" #: src/attr_get_fd.c:125 src/attr_get_net.c:170 #, c-format msgid "%s: Returned value: %i\n" msgstr "" #: src/attr_get_fd.c:222 src/attr_get_net.c:282 src/attr_set_net.c:259 #, c-format msgid "- attribute (string) and returned value = see following lists:\n" msgstr "" #: src/attr_get_fd.c:223 src/attr_get_file_dir.c:167 src/attr_set_fd.c:164 #: src/attr_set_file_dir.c:122 
#, c-format msgid "- FILE, DIR, FIFO and SYMLINK:\n" msgstr "" #: src/attr_get_fd.c:280 #, c-format msgid "%s: invalid target type %s\n" msgstr "" #: src/attr_get_file_dir.c:30 #, c-format msgid "Use: %s module target-type file/dirname attribute [request]\n" msgstr "" #: src/attr_get_file_dir.c:31 #, c-format msgid "Use: %s module target-type file/dirname attribute [position]\n" msgstr "" #: src/attr_get_file_dir.c:32 #, c-format msgid "Use: %s list_category_nr\n" msgstr "" #: src/attr_get_file_dir.c:33 src/attr_get_user.c:31 #, c-format msgid " -e = show effective (maybe inherited) value, not real\n" msgstr "" #: src/attr_get_file_dir.c:35 #, c-format msgid " -p = print requests, -n [target] = list all requests [for target]\n" msgstr "" #: src/attr_get_file_dir.c:36 src/attr_get_user.c:34 #, c-format msgid " -c list all Linux capabilities, -R = list all RES resource names\n" msgstr "" #: src/attr_get_file_dir.c:37 #, c-format msgid "" " -C path = convert path to device special file to device specification\n" msgstr "" #: src/attr_get_file_dir.c:40 #, c-format msgid " module = GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH, RES or PAX\n" msgstr "" #: src/attr_get_file_dir.c:41 src/attr_rm_file_dir.c:31 #, c-format msgid " target-type = FILE, DIR, FIFO, SYMLINK or DEV\n" msgstr "" #: src/attr_get_file_dir.c:166 src/attr_get_group.c:167 #: src/attr_get_process.c:97 src/attr_get_up.c:89 src/attr_get_user.c:189 #: src/attr_set_group.c:109 src/attr_set_user.c:109 #, c-format msgid "- attribute (string) and returned value = see following list:\n" msgstr "" #: src/attr_get_file_dir.c:168 src/attr_get_file_dir.c:179 #, c-format msgid "" "log_level\t\t(additional parameter request-type)\n" "\t\t\t0=none, 1=denied, 2=full, 3=request based\n" msgstr "" #: src/attr_get_file_dir.c:169 src/attr_get_file_dir.c:180 #, c-format msgid "" "mac_categories\t\t(with additional parameter position)\n" "\t\t\t0=no, 1=yes\n" msgstr "" #: src/attr_get_file_dir.c:177 src/attr_get_user.c:197 #: 
src/attr_set_file_dir.c:130 #, c-format msgid "" "[RES ] res_min|res_max (with additional parameter position)\n" "\tnon-negative integer (0 for unset)\n" msgstr "" #: src/attr_get_file_dir.c:220 #, c-format msgid "%s: %s is no device special file\n" msgstr "" #: src/attr_get_file_dir.c:227 #, c-format msgid "%s: missing path for parameter %c\n" msgstr "" #: src/attr_get_file_dir.c:370 src/attr_get_file_dir.c:430 #: src/attr_set_file_dir.c:739 #, c-format msgid "Invalid request type %s\n" msgstr "" #: src/attr_get_file_dir.c:406 src/attr_get_file_dir.c:466 #: src/attr_get_ipc.c:128 src/attr_get_process.c:262 src/attr_get_user.c:386 #: src/attr_get_user.c:418 src/attr_set_file_dir.c:813 #: src/attr_set_file_dir.c:861 src/attr_set_ipc.c:122 #: src/attr_set_process.c:399 src/attr_set_user.c:600 src/attr_set_user.c:633 #, c-format msgid "Invalid position counter %s\n" msgstr "" #: src/attr_get_file_dir.c:431 src/attr_set_file_dir.c:740 #, c-format msgid "Valid request types:\n" msgstr "" #: src/attr_get_group.c:30 #, c-format msgid "" "Use: %s [switches] module group attribute [position|request-name]\n" "\n" msgstr "" #: src/attr_get_group.c:31 src/attr_get_user.c:32 #, c-format msgid " -n = numeric value, -b = both names and numbers,\n" msgstr "" #: src/attr_get_group.c:32 src/attr_get_user.c:33 #, c-format msgid " -l list all users, -L list all Linux groups\n" msgstr "" #: src/attr_get_group.c:232 src/attr_get_ipc.c:151 src/attr_get_process.c:145 #: src/attr_get_process.c:255 src/attr_get_up.c:153 src/attr_get_user.c:282 #: src/attr_set_group.c:177 src/attr_set_ipc.c:158 src/attr_set_process.c:323 #: src/attr_set_process.c:392 src/attr_set_user.c:448 #, c-format msgid "%s: Invalid Attribute %s!\n" msgstr "" #: src/attr_get_ipc.c:32 #, c-format msgid "Use: %s [flags] ipc-type id attribute\n" msgstr "" #: src/attr_get_ipc.c:35 #, c-format msgid " ipc-types: sem, msg, shm, anonpipe,\n" msgstr "" #: src/attr_get_ipc.c:36 #, c-format msgid " attribute (string) and returned 
value = see following list:\n" msgstr "" #: src/attr_get_ipc.c:118 src/attr_get_ipc.c:142 src/attr_set_ipc.c:149 #, c-format msgid "%s: Invalid IPC type %s!\n" msgstr "" #: src/attr_get_net.c:43 #, c-format msgid "" "Use: %s [-v] [-e] module target-type attribute [CAT category] [request] id" "(s)\n" msgstr "" #: src/attr_get_net.c:45 #, c-format msgid "" " -r = recurse into subdirs, -n [target] = list all requests [for target]\n" msgstr "" #: src/attr_get_net.c:47 #, c-format msgid " -d = list NETDEV targets with non-default attribute values\n" msgstr "" #: src/attr_get_net.c:49 src/attr_set_net.c:48 #, c-format msgid " module = GEN, MAC, FC, SIM, PM, MS or RC\n" msgstr "" #: src/attr_get_net.c:50 src/attr_set_net.c:49 #, c-format msgid " target-type = NETDEV, NETTEMP or NETOBJ\n" msgstr "" #: src/attr_get_net.c:51 src/attr_set_net.c:50 #, c-format msgid " category = category number for mac_categories\n" msgstr "" #: src/attr_get_net.c:52 src/attr_set_net.c:51 #, c-format msgid " request = request number for log_array_low|high\n" msgstr "" #: src/attr_get_net.c:84 src/attr_set_net.c:76 #, c-format msgid "Internal error on %s %s!\n" msgstr "" #: src/attr_get_net.c:353 src/attr_set_net.c:342 #, c-format msgid "%s: invalid target %s\n" msgstr "" #: src/attr_get_process.c:32 #, c-format msgid "Use: %s [switches] module pid attribute [bit-no]\n" msgstr "" #: src/attr_get_process.c:33 #, c-format msgid " -p = print all request names, -n = list all request names\n" msgstr "" #: src/attr_get_process.c:36 #, c-format msgid " module = GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH or PAX\n" msgstr "" #: src/attr_get_process.c:37 #, c-format msgid "" " categories and log_program_based\t(with additional parameter bit-no)\n" "\t\t\t0=no, 1=yes\n" msgstr "" #: src/attr_get_up.c:27 #, c-format msgid "" "Use: %s [switches] module target-type attribute user(s)/proc-no.\n" "\n" msgstr "" #: src/attr_get_up.c:31 #, c-format msgid " target-type = USER or PROCESS,\n" msgstr "" #: 
src/attr_get_up.c:147 src/attr_set_up.c:156 src/auth_set_cap.c:199 #: src/auth_set_cap.c:269 src/mac_set_trusted.c:175 src/mac_set_trusted.c:224 #, c-format msgid "%s: Invalid Target %s!\n" msgstr "" #: src/attr_get_up.c:162 #, c-format msgid "Processing process %i, attribute %s (No. %i)\n" msgstr "" #: src/attr_get_up.c:171 #, c-format msgid "" "Invalid user %s!\n" "\n" msgstr "" #: src/attr_get_up.c:174 #, c-format msgid "Processing user %s (uid %i), attribute %s (No. %i)\n" msgstr "" #: src/attr_get_up.c:206 #, c-format msgid "Returned value: %u\n" msgstr "" #: src/attr_get_up.c:209 #, c-format msgid "Returned value: %i\n" msgstr "" #: src/attr_get_user.c:30 #, c-format msgid "" "Use: %s [switches] module user attribute [position|request-name]\n" "\n" msgstr "" #: src/attr_get_user.c:38 #, c-format msgid "" " mac_[min_]categories\t\t(with additional parameter position)\n" "\t\t\t0=no, 1=yes\n" msgstr "" #: src/attr_get_user.c:39 #, c-format msgid "" " log_user_based\t(with additional parameter request-name)\n" "\t\t\t0=no, 1=yes\n" msgstr "" #: src/attr_get_user.c:399 #, c-format msgid "Invalid request %s\n" msgstr "" #: src/attr_rm_fd.c:38 #, c-format msgid "Use: %s [-v] [-r] target-type file/dirname(s)\n" msgstr "" #: src/attr_rm_fd.c:42 src/attr_set_fd.c:48 src/rc_get_eff_rights_fd.c:44 #, c-format msgid " (FD: let %s decide between FILE, DIR, FIFO and SYMLINK, no DEV),\n" msgstr "" #: src/attr_rm_fd.c:52 #, c-format msgid "Processing '%s'\n" msgstr "" #: src/attr_rm_file_dir.c:28 #, c-format msgid "Use: %s [flags] target-type file/dirname\n" msgstr "" #: src/attr_rm_group.c:27 #, c-format msgid "" "Use: %s [flags] group(s)\n" "\n" msgstr "" #: src/attr_rm_group.c:83 #, c-format msgid "" "%s: %i groups\n" "\n" msgstr "" #: src/attr_rm_group.c:88 #, c-format msgid "" "Invalid Group %s!\n" "\n" msgstr "" #: src/attr_rm_group.c:91 #, c-format msgid "Processing group %s (gid %i)\n" msgstr "" #: src/attr_rm_user.c:27 #, c-format msgid "" "Use: %s [flags] 
user(s)\n" "\n" msgstr "" #: src/attr_rm_user.c:83 #, c-format msgid "" "%s: %i users\n" "\n" msgstr "" #: src/attr_rm_user.c:88 #, c-format msgid "" "Invalid User %s!\n" "\n" msgstr "" #: src/attr_rm_user.c:91 #, c-format msgid "Processing user %s (uid %i)\n" msgstr "" #: src/attr_set_fd.c:40 #, c-format msgid "Use: %s [-v] [-r] module target-type attribute value file/dirname(s)\n" msgstr "" #: src/attr_set_fd.c:42 #, c-format msgid " -n = list all requests\n" msgstr "" #: src/attr_set_fd.c:43 src/attr_set_file_dir.c:33 src/attr_set_group.c:31 #: src/attr_set_process.c:33 src/attr_set_user.c:31 #, c-format msgid " -A = list attributes and values\n" msgstr "" #: src/attr_set_fd.c:59 #, c-format msgid "Processing %s '%s', attribute %s, value %i\n" msgstr "" #: src/attr_set_fd.c:163 src/attr_set_file_dir.c:119 #: src/attr_set_process.c:108 src/attr_set_up.c:88 #, c-format msgid "- attribute (string) and value (integer) = see following list:\n" msgstr "" #: src/attr_set_fd.c:245 src/attr_set_file_dir.c:475 src/attr_set_group.c:190 #: src/attr_set_up.c:163 src/attr_set_user.c:461 #, c-format msgid "%s: Invalid attribute %s\n" msgstr "" #: src/attr_set_fd.c:249 #, c-format msgid "%s: Attribute %s not supported\n" msgstr "" #: src/attr_set_fd.c:256 src/attr_set_file_dir.c:486 #: src/attr_set_process.c:333 src/attr_set_up.c:185 src/attr_set_user.c:472 #, c-format msgid "%s: Invalid attribute value, length must be %i\n" msgstr "" #: src/attr_set_fd.c:265 src/attr_set_fd.c:284 src/attr_set_file_dir.c:495 #: src/attr_set_file_dir.c:534 src/attr_set_process.c:342 src/mac_wrap.c:95 #, c-format msgid "%s: Invalid attribute value char, must be 0 or 1\n" msgstr "" #: src/attr_set_file_dir.c:28 #, c-format msgid "Use: %s module target-type file/dirname attribute [request] value\n" msgstr "" #: src/attr_set_file_dir.c:29 #, c-format msgid "Use: %s module target-type file/dirname attribute [position] value\n" msgstr "" #: src/attr_set_file_dir.c:30 #, c-format msgid "" "Use: %s 
[switches] module target-type filename log_program_based [list-of-" "requests]\n" msgstr "" #: src/attr_set_file_dir.c:31 #, c-format msgid "" " -a = add, not set, -m = remove not set, -p = print resulting requests,\n" msgstr "" #: src/attr_set_file_dir.c:36 #, c-format msgid " module = GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH or RES\n" msgstr "" #: src/attr_set_file_dir.c:37 #, c-format msgid " target-type = FILE, DIR, FIFO, SYMLINK or DEV,\n" msgstr "" #: src/attr_set_file_dir.c:120 #, c-format msgid "" "[GEN ] log_level (additional parameter request-type)\n" "\t0=none, 1=denied, 2=full, 3=request-based\n" msgstr "" #: src/attr_set_file_dir.c:121 #, c-format msgid "" "[GEN ] mac_categories (with additional parameter position)\n" "\t0=no, 1=yes\n" msgstr "" #: src/attr_set_file_dir.c:223 #, c-format msgid "%s: Invalid request vector %s\n" msgstr "" #: src/attr_set_file_dir.c:397 src/attr_set_user.c:371 #, c-format msgid "%s: Invalid cap vector %s\n" msgstr "" #: src/attr_set_file_dir.c:479 src/attr_set_up.c:167 src/attr_set_user.c:465 #, c-format msgid "%s: Invalid number of arguments for attribute %s\n" msgstr "" #: src/attr_set_file_dir.c:712 #, c-format msgid "Setting attribute %s for %s to value %lu\n" msgstr "" #: src/attr_set_file_dir.c:755 #, c-format msgid "Invalid log_level value %s\n" msgstr "" #: src/attr_set_file_dir.c:819 src/attr_set_ipc.c:128 src/attr_set_net.c:148 #: src/attr_set_process.c:405 src/attr_set_user.c:606 #, c-format msgid "Invalid value %s\n" msgstr "" #: src/attr_set_group.c:28 src/attr_set_user.c:28 #, c-format msgid "" "Use: %s module user attribute [position] value\n" "\n" msgstr "" #: src/attr_set_group.c:29 src/attr_set_user.c:29 #, c-format msgid "" "Use: %s [switches] module user log_user_based [request-list]\n" "\n" msgstr "" #: src/attr_set_group.c:30 src/attr_set_process.c:32 src/attr_set_user.c:30 #, c-format msgid "" " -p = print resulting requests, -a = add, not set, -m = remove, not set\n" msgstr "" #: 
src/attr_set_group.c:34 src/attr_set_user.c:34 #, c-format msgid " module = GEN, MAC, FC, SIM, PM, DAZ, FF, RC or AUTH\n" msgstr "" #: src/attr_set_group.c:110 src/attr_set_user.c:110 #, c-format msgid "" "[MAC ] mac_[min_|initial_]categories (with additional parameter position)\n" "\t0=no, 1=yes\n" msgstr "" #: src/attr_set_group.c:111 src/attr_set_user.c:111 #, c-format msgid "" "[GEN ] log_user_based (with space separated list of requests)\n" "\t0=no, 1=yes\n" msgstr "" #: src/attr_set_ipc.c:32 #, c-format msgid "Use: %s ipc-type id attribute value\n" msgstr "" #: src/attr_set_ipc.c:34 #, c-format msgid "- ipc-types: sem, msg, shm, anonpipe,\n" msgstr "" #: src/attr_set_ipc.c:35 #, c-format msgid "- attribute (string) and value = see following list:\n" msgstr "" #: src/attr_set_net.c:42 #, c-format msgid "Use: %s [-v] [-e] module target-type attribute [request] value id(s)\n" msgstr "" #: src/attr_set_net.c:43 #, c-format msgid " -v = verbose, -m = remove all attributes\n" msgstr "" #: src/attr_set_net.c:116 #, c-format msgid "Wrong argument length for attr mac_categories\n" msgstr "" #: src/attr_set_net.c:142 #, c-format msgid "Invalid request number %u\n" msgstr "" #: src/attr_set_net.c:172 #, c-format msgid "Wrong number of arguments for attr %u\n" msgstr "" #: src/attr_set_net.c:199 #, c-format msgid "error: %s\n" msgstr "" #: src/attr_set_process.c:31 #, c-format msgid "Use: %s module process-id attribute value\n" msgstr "" #: src/attr_set_up.c:27 #, c-format msgid "" "Use: %s [switches] module target-type attribute value user/proc-nr.\n" "\n" msgstr "" #: src/attr_set_up.c:29 #, c-format msgid " target-type = USER or PROCESS\n" msgstr "" #: src/attr_set_up.c:293 #, c-format msgid "Processing process %i, attribute %s (No. %i), value %i\n" msgstr "" #: src/attr_set_up.c:303 #, c-format msgid "Processing user %s (uid %i), attribute %s (No. 
%i), value %i\n" msgstr "" #: src/attr_set_user.c:548 #, c-format msgid "" "User %u: system_role without module, setting for MAC, FC, SIM, DAZ, FF, " "AUTH\n" msgstr "" #: src/auth_back_cap.c:42 #, c-format msgid "Use: %s [-r] [-v] [-o output-file] file/dirname(s)\n" msgstr "" #: src/auth_back_cap.c:43 #, c-format msgid " should be called by root with all rsbac modules switched off,\n" msgstr "" #: src/auth_back_cap.c:46 src/auth_set_cap.c:36 src/mac_back_trusted.c:43 #: src/mac_back_trusted.c:237 #, c-format msgid " -m = set maximum length of cap entry list per file, default is %u\n" msgstr "" #: src/auth_back_cap.c:47 src/mac_back_trusted.c:44 src/mac_back_trusted.c:238 #, c-format msgid " -o target-file = write to file, not stdout\n" msgstr "" #: src/auth_back_cap.c:60 src/mac_back_trusted.c:56 #, c-format msgid "Processing FILE/DIR '%s'\n" msgstr "" #: src/auth_back_cap.c:432 src/auth_set_cap.c:113 src/mac_back_trusted.c:166 #: src/mac_set_trusted.c:91 #, c-format msgid "%s: missing maxnum value for parameter %c\n" msgstr "" #: src/auth_back_cap.c:504 src/mac_back_trusted.c:216 #, c-format msgid "%s: %i targets" msgstr "" #: src/auth_set_cap.c:31 #, c-format msgid "Use: %s [switches] TYPE add/remove target first_user [last_user]\n" msgstr "" #: src/auth_set_cap.c:32 src/mac_set_trusted.c:32 #, c-format msgid "Use: %s [switches] TYPE get target\n" msgstr "" #: src/auth_set_cap.c:33 src/mac_set_trusted.c:33 #, c-format msgid " TYPE = PROCESS (add/remove only), DIR, FILE or FD (auto-select),\n" msgstr "" #: src/auth_set_cap.c:34 src/mac_set_trusted.c:34 #, c-format msgid " target = pid or filename\n" msgstr "" #: src/auth_set_cap.c:35 #, c-format msgid " last_user: range from first_user to last_user\n" msgstr "" #: src/auth_set_cap.c:37 #, c-format msgid " -e = get or set caps for effective uids, not real\n" msgstr "" #: src/auth_set_cap.c:38 #, c-format msgid " -f = get or set caps for filesystem uids, not real\n" msgstr "" #: src/auth_set_cap.c:39 #, c-format 
msgid " -g = get or set caps for gids, not uids\n" msgstr "" #: src/auth_set_cap.c:40 #, c-format msgid " -E = get or set for eff gids, not real uids\n" msgstr "" #: src/auth_set_cap.c:41 #, c-format msgid " -F = get or set for fs gids, not real uids\n" msgstr "" #: src/auth_set_cap.c:42 src/mac_set_trusted.c:36 #, c-format msgid "" " -t = set relative time-to-live for this cap entry in seconds (add only)\n" msgstr "" #: src/auth_set_cap.c:43 src/mac_set_trusted.c:37 #, c-format msgid "" " -T = set absolute time-to-live for this cap entry in seconds (add only)\n" msgstr "" #: src/auth_set_cap.c:44 src/mac_set_trusted.c:38 #, c-format msgid " -D = set relative time-to-live for this cap entry in days (add only)\n" msgstr "" #: src/auth_set_cap.c:207 src/auth_set_cap.c:274 src/mac_set_trusted.c:183 #: src/mac_set_trusted.c:229 #, c-format msgid "" "%s: Invalid command %s!\n" "\n" msgstr "" #: src/auth_set_cap.c:228 #, c-format msgid "" "%s: Warning: first user %u after last user %u, exiting!\n" "\n" msgstr "" #: src/auth_set_cap.c:234 #, c-format msgid "" "%s: Warning: last user %u is special user ID, exiting!\n" "\n" msgstr "" #: src/get_attribute_name.c:36 #, c-format msgid "Use: %s value\n" msgstr "" #: src/get_attribute_name.c:37 #, c-format msgid "" "value = attribute number\n" "\n" msgstr "" #: src/get_attribute_nr.c:32 #, c-format msgid "Use: %s attribute_name\n" msgstr "" #: src/linux2acl.c:61 #, c-format msgid "Use: %s [switches] file/dir/scdname(s)\n" msgstr "" #: src/linux2acl.c:62 #, c-format msgid " -v = use verbose in scripts, -r = recurse into subdirs,\n" msgstr "" #: src/linux2acl.c:63 #, c-format msgid " -g = also create group entries with members,\n" msgstr "" #: src/linux2acl.c:64 #, c-format msgid " -G = only create group entries with members,\n" msgstr "" #: src/linux2acl.c:65 #, c-format msgid " -p = print right names, -P use private groups\n" msgstr "" #: src/linux2acl.c:66 #, c-format msgid " -n = use numeric user ids where possible\n" msgstr 
"" #: src/linux2acl.c:87 #, c-format msgid "stat for %s returned error: %s\n" msgstr "" #: src/linux2acl.c:729 #, c-format msgid "internal error in switch\n" msgstr "" #: src/mac_back_trusted.c:41 src/mac_back_trusted.c:235 #, c-format msgid "Use: %s [-r] [-v] [-o target-file] file/dirname(s)\n" msgstr "" #: src/mac_get_levels.c:28 #, c-format msgid "Use: %s [-v] [-c] [-x] [-n] [-a]\n" msgstr "" #: src/mac_get_levels.c:29 #, c-format msgid "This program will show the RSBAC MAC security levels\n" msgstr "" #: src/mac_get_levels.c:30 #, c-format msgid "and category sets of the calling process.\n" msgstr "" #: src/mac_get_levels.c:31 #, c-format msgid "-a = show all, -c = show current level and categories\n" msgstr "" #: src/mac_get_levels.c:32 #, c-format msgid "-x = show max, -n = show min level and categories\n" msgstr "" #: src/mac_get_levels.c:94 #, c-format msgid "" "Current level: %u\n" "categories: %s\n" msgstr "" #: src/mac_get_levels.c:102 #, c-format msgid "" "Max level: %u\n" "categories: %s\n" msgstr "" #: src/mac_get_levels.c:110 #, c-format msgid "" "Min level: %u\n" "categories: %s\n" msgstr "" #: src/mac_set_trusted.c:31 #, c-format msgid "Use: %s [switches] TYPE add/remove target user1 user2...\n" msgstr "" #: src/mac_set_trusted.c:35 #, c-format msgid " -m = set maximum number of returned members per file, default is %u\n" msgstr "" #: src/mac_wrap.c:27 #, c-format msgid "Use: %s [-v] [-l level] [-c categories] prog args\n" msgstr "" #: src/mac_wrap.c:28 #, c-format msgid "" "This program will set the current seclevel and categories, if supplied,\n" msgstr "" #: src/mac_wrap.c:29 #, c-format msgid "and then execute prog via execvp().\n" msgstr "" #: src/mac_wrap.c:30 #, c-format msgid "Please note that you need mac_auto to set the current values.\n" msgstr "" #: src/mac_wrap.c:31 #, c-format msgid "-v = verbose, -l = use this seclevel, -c = use this category set\n" msgstr "" #: src/mac_wrap.c:67 src/mac_wrap.c:106 #, c-format msgid "%s: missing 
value for parameter %c\n" msgstr "" #: src/mac_wrap.c:74 #, c-format msgid "%s: Invalid category string length %i, must be %i\n" msgstr "" #: src/mac_wrap.c:81 #, c-format msgid "%s: Using numeric value %lu instead\n" msgstr "" #: src/mac_wrap.c:125 #, c-format msgid "%s: executing %s with current_sec_level %u and mac_curr_categories %s\n" msgstr "" #: src/net_temp.c:41 #, c-format msgid "Use: %s [switches] function id [set-param]\n" msgstr "" #: src/net_temp.c:44 #, c-format msgid " -v = verbose, -l = list functions\n" msgstr "" #: src/net_temp.c:45 #, c-format msgid " -b = backup mode, -s = scripting mode,\n" msgstr "" #: src/net_temp.c:46 #, c-format msgid " -n = take number as address, -u = take string as address,\n" msgstr "" #: src/net_temp.c:47 #, c-format msgid " -d = take DNS name as address and convert to IP address,\n" msgstr "" #: src/net_temp.c:48 #, c-format msgid " -a = list all templates in detail\n" msgstr "" #: src/pm_create.c:25 #, c-format msgid "" "Use: %s class mode filename(s)\n" "\n" msgstr "" #: src/pm_create.c:40 #, c-format msgid "" "%s: %i files of class %i, mode %o to be created\n" "\n" msgstr "" #: src/pm_create.c:44 #, c-format msgid "Processing %s (No. 
%i)\n" msgstr "" #: src/pm_ct_exec.c:32 #, c-format msgid "%s: executing %s with task %i\n" msgstr "" #: src/pm_ct_exec.c:41 #, c-format msgid "Use: %s task-nr prog args\n" msgstr "" #: src/pm_ct_exec.c:42 #, c-format msgid "This program will set rsbac_pm_current_task to task-nr and then\n" msgstr "" #: src/pm_ct_exec.c:43 src/rc_role_wrap.c:30 #, c-format msgid "execute prog via execvp()\n" msgstr "" #: src/rc_copy_role.c:27 #, c-format msgid "Use: %s [flags] from_role to_role\n" msgstr "" #: src/rc_copy_type.c:27 #, c-format msgid "Use: %s [flags] target from_type to_type\n" msgstr "" #: src/rc_copy_type.c:28 #, c-format msgid " target = FD, DEV, IPC, USER, PROCESS, GROUP, NETDEV, NETTEMP, NETOBJ\n" msgstr "" #: src/rc_get_current_role.c:31 #, c-format msgid "%s: current role is %u\n" msgstr "" #: src/rc_get_eff_rights_fd.c:39 #, c-format msgid "Use: %s [-v] [-r] [-p] target-type file/dirname(s)\n" msgstr "" #: src/rc_get_eff_rights_fd.c:41 #, c-format msgid " -p = print right names,\n" msgstr "" #: src/rc_get_item.c:34 #, c-format msgid "Use: %s [switches] rc-target-type id-nr item [sub-id-nr [right]]\n" msgstr "" #: src/rc_get_item.c:35 #, c-format msgid " %s list_xxx\n" msgstr "" #: src/rc_get_item.c:36 #, c-format msgid " %s list_unused_xxx (_nr only)\n" msgstr "" #: src/rc_get_item.c:37 #, c-format msgid " %s list_def_fd_ind_create_type{s|_nr|_values role-id\n" msgstr "" #: src/rc_get_item.c:38 #, c-format msgid " %s backup\n" msgstr "" #: src/rc_get_item.c:39 #, c-format msgid " %s print\n" msgstr "" #: src/rc_get_item.c:40 src/rc_set_item.c:33 #, c-format msgid " -v = verbose, -p = print right names,\n" msgstr "" #: src/rc_get_item.c:41 #, c-format msgid " -i = list items and values,\n" msgstr "" #: src/rc_get_item.c:42 #, c-format msgid " -r = remove role before restore (backup only)\n" msgstr "" #: src/rc_get_item.c:44 src/rc_set_item.c:44 #, c-format msgid " rc-target-type = ROLE or TYPE,\n" msgstr "" #: src/rc_get_item.c:45 src/rc_set_item.c:45 #, 
c-format msgid " id-nr = ROLE or TYPE number,\n" msgstr "" #: src/rc_get_item.c:46 src/rc_set_item.c:46 #, c-format msgid " item = entry line,\n" msgstr "" #: src/rc_get_item.c:47 #, c-format msgid " sub-id-nr = use this sub-id (_comp items only),\n" msgstr "" #: src/rc_get_item.c:48 #, c-format msgid " right = right name or number (type_comp items only),\n" msgstr "" #: src/rc_get_item.c:49 #, c-format msgid "" " xxx = roles, fd_types, dev_types, ipc_types, user_types, process_types,\n" msgstr "" #: src/rc_get_item.c:50 #, c-format msgid "" " scd_types, group_types, role_nr, fd_type_nr, dev_type_nr, " "ipc_type_nr,\n" msgstr "" #: src/rc_get_item.c:51 #, c-format msgid "" " user_type_nr, process_type_nr, scd_type_nr, rights: print a list\n" msgstr "" #: src/rc_get_item.c:52 #, c-format msgid " list_def_fd_ind_create_types etc.: print a list\n" msgstr "" #: src/rc_get_item.c:231 src/rc_set_item.c:175 #, c-format msgid "- items and returned values = see following list:\n" msgstr "" #: src/rc_get_item.c:309 src/rc_get_item.c:3924 #, c-format msgid "%u roles:\n" msgstr "" #: src/rc_get_item.c:424 src/rc_get_item.c:3824 #, c-format msgid "%u types:\n" msgstr "" #: src/rc_get_item.c:550 #, c-format msgid "%s: Internal right list error, param %s!\n" msgstr "" #: src/rc_get_item.c:3784 #, c-format msgid "Invalid parameter %s\n" msgstr "" #: src/rc_get_item.c:3872 src/rc_get_item.c:4026 src/rc_get_item.c:4148 #: src/rc_set_item.c:248 #, c-format msgid "Invalid target %s\n" msgstr "" #: src/rc_get_item.c:3982 #, c-format msgid "Invalid item %s or too few arguments\n" msgstr "" #: src/rc_get_item.c:4048 #, c-format msgid "Invalid item %s or invalid number of arguments\n" msgstr "" #: src/rc_get_item.c:4057 #, c-format msgid "Invalid subrole %s\n" msgstr "" #: src/rc_get_item.c:4067 #, c-format msgid "Invalid subtype %s\n" msgstr "" #: src/rc_get_item.c:4081 #, c-format msgid "Getting %s for ROLE %u to ROLE %u\n" msgstr "" #: src/rc_get_item.c:4092 #, c-format msgid "Getting 
def_fd_ind_create_type for ROLE %u to TYPE %u\n" msgstr "" #: src/rc_get_item.c:4113 #, c-format msgid "Getting %s rights for ROLE %u to TYPE %u\n" msgstr "" #: src/rc_get_item.c:4166 #, c-format msgid "Invalid item-position combination %s\n" msgstr "" #: src/rc_get_item.c:4174 #, c-format msgid "Invalid comp_type %s\n" msgstr "" #: src/rc_get_item.c:4189 #, c-format msgid "Invalid right %s\n" msgstr "" #: src/rc_role_wrap.c:28 #, c-format msgid "Use: %s [-v] new_role_id prog args\n" msgstr "" #: src/rc_role_wrap.c:29 #, c-format msgid "This program will set the process rc_role to new_role and then\n" msgstr "" #: src/rc_role_wrap.c:31 #, c-format msgid "-v = verbose\n" msgstr "" #: src/rc_role_wrap.c:70 #, c-format msgid "%s: executing %s with role %i\n" msgstr "" #: src/rc_set_item.c:31 #, c-format msgid "" "Use: %s [switches] rc-target-type id item [role/type [list-of-rights]] " "[value]\n" msgstr "" #: src/rc_set_item.c:32 #, c-format msgid " %s -c TYPE target-id item source-id [first_role [last_role]],\n" msgstr "" #: src/rc_set_item.c:34 #, c-format msgid " -a = add, not set, -k = revoke, not set,\n" msgstr "" #: src/rc_set_item.c:35 #, c-format msgid " -b = accept rights as bitstring,\n" msgstr "" #: src/rc_set_item.c:36 #, c-format msgid " -c = copy all/given roles' rights to type from other type,\n" msgstr "" #: src/rc_set_item.c:37 #, c-format msgid " -d = delete all roles' rights to this type,\n" msgstr "" #: src/rc_set_item.c:38 #, c-format msgid " -i = list items and values\n" msgstr "" #: src/rc_set_item.c:39 src/rsbac_groupadd.c:40 src/rsbac_groupmod.c:35 #: src/rsbac_useradd.c:67 src/rsbac_usermod.c:46 #, c-format msgid "" " -t = set relative time-to-live in secs (role/type comp, admin, assign " "only)\n" msgstr "" #: src/rc_set_item.c:40 src/rsbac_groupadd.c:41 src/rsbac_groupmod.c:36 #: src/rsbac_useradd.c:68 src/rsbac_usermod.c:47 #, c-format msgid "" " -T = set absolute time-to-live in secs (role/type comp, admin, assign " "only)\n" msgstr "" #: 
src/rc_set_item.c:41 src/rsbac_groupadd.c:42 src/rsbac_groupmod.c:37 #: src/rsbac_useradd.c:69 src/rsbac_usermod.c:48 #, c-format msgid "" " -D = set relative time-to-live in days (role/type comp, admin, assign " "only)\n" msgstr "" #: src/rc_set_item.c:47 #, c-format msgid " role/type = for this type only (role/type comp, admin, assign only),\n" msgstr "" #: src/rc_set_item.c:48 #, c-format msgid " right = request name or number (type_comp items only),\n" msgstr "" #: src/rc_set_item.c:49 #, c-format msgid " also special rights and groups R (read requests),\n" msgstr "" #: src/rc_set_item.c:50 #, c-format msgid " RW (read-write), SY (system), SE (security), A (all)\n" msgstr "" #: src/rc_set_item.c:254 src/rc_set_item.c:353 src/rc_set_item.c:464 #: src/rc_set_item.c:781 #, c-format msgid "Invalid item %s\n" msgstr "" #: src/rc_set_item.c:271 #, c-format msgid "Too few arguments with option -c\n" msgstr "" #: src/rc_set_item.c:277 #, c-format msgid "Invalid source type %u\n" msgstr "" #: src/rc_set_item.c:285 #, c-format msgid "Invalid first role %u\n" msgstr "" #: src/rc_set_item.c:295 #, c-format msgid "Invalid last role %u\n" msgstr "" #: src/rc_set_item.c:302 src/rc_set_item.c:418 #, c-format msgid "Invalid target type %u\n" msgstr "" #: src/rc_set_item.c:307 #, c-format msgid "Source and target must differ\n" msgstr "" #: src/rc_set_item.c:358 #, c-format msgid "Copying rights vector %s for type %u to type %u in role(s) %u to %u\n" msgstr "" #: src/rc_set_item.c:387 src/rc_set_item.c:496 #, c-format msgid "Changing role %u failed: %s\n" msgstr "" #: src/rc_set_item.c:397 #, c-format msgid "Reading from role %u failed: %s\n" msgstr "" #: src/rc_set_item.c:469 #, c-format msgid "Setting rights vector %s for type %u in all roles to 0\n" msgstr "" #: src/rc_set_item.c:486 #, c-format msgid "%u roles\n" msgstr "" #: src/rc_set_item.c:520 #, c-format msgid "Setting %s of ROLE %i (old bitvector mode)\n" msgstr "" #: src/rc_set_item.c:544 #, c-format msgid "Setting 
for role %u failed: %s\n" msgstr "" #: src/rc_set_item.c:559 #, c-format msgid "Invalid role %u!\n" msgstr "" #: src/rc_set_item.c:569 src/rc_set_item.c:589 src/rc_set_item.c:608 #, c-format msgid "Invalid number of arguments for item %s!\n" msgstr "" #: src/rc_set_item.c:581 src/rc_set_item.c:601 #, c-format msgid "Invalid type %u!\n" msgstr "" #: src/rc_set_item.c:626 #, c-format msgid "parameter comp_type missing\n" msgstr "" #: src/rc_set_item.c:632 #, c-format msgid "invalid subtid.type %s\n" msgstr "" #: src/rc_set_item.c:652 #, c-format msgid "No bitstring given!\n" msgstr "" #: src/rc_set_item.c:820 #, c-format msgid "Adding %s rights for ROLE %u to TYPE %u\n" msgstr "" #: src/rc_set_item.c:830 #, c-format msgid "Revoking %s rights for ROLE %u from TYPE %u\n" msgstr "" #: src/rc_set_item.c:839 #, c-format msgid "Setting %s rights for ROLE %u to TYPE %u\n" msgstr "" #: src/rc_set_item.c:867 #, c-format msgid "parameter name missing\n" msgstr "" #: src/rc_set_item.c:872 #, c-format msgid "Name string too long\n" msgstr "" #: src/rc_set_item.c:881 #, c-format msgid "parameter admin_type missing\n" msgstr "" #: src/rc_set_item.c:892 #, c-format msgid "parameter boot_role missing\n" msgstr "" #: src/rsbac_check.c:42 #, c-format msgid "Use: %s correct check_inode\n" msgstr "" #: src/rsbac_check.c:43 #, c-format msgid " correct = 0: do not correct errors\n" msgstr "" #: src/rsbac_check.c:44 #, c-format msgid " correct = 1: correct errors\n" msgstr "" #: src/rsbac_check.c:45 #, c-format msgid " correct = 2: correct more\n" msgstr "" #: src/rsbac_check.c:46 #, c-format msgid " check_inode = 0: do not check inode numbers\n" msgstr "" #: src/rsbac_check.c:47 #, c-format msgid "" " check_inode = 1: also check inode numbers (only ext2/3 on 2.4 kernels)\n" msgstr "" #: src/rsbac_gpasswd.c:28 #, c-format msgid "Use: %s [flags] group\n" msgstr "" #: src/rsbac_gpasswd.c:29 src/rsbac_groupdel.c:31 src/rsbac_userdel.c:32 #, c-format msgid " -v = verbose,\n" msgstr "" #: 
src/rsbac_gpasswd.c:30 #, c-format msgid " -a user = add user to group,\n" msgstr "" #: src/rsbac_gpasswd.c:31 #, c-format msgid " -d user = remove user from group,\n" msgstr "" #: src/rsbac_gpasswd.c:32 #, c-format msgid " -M user,... = add user(s) to group,\n" msgstr "" #: src/rsbac_gpasswd.c:33 #, c-format msgid " -A user,... = ignored, for compatibility\n" msgstr "" #: src/rsbac_gpasswd.c:34 #, c-format msgid " -r = remove group password,\n" msgstr "" #: src/rsbac_gpasswd.c:35 #, c-format msgid " -R = ignored, for compatibility\n" msgstr "" #: src/rsbac_gpasswd.c:36 #, c-format msgid " -N ta = transaction number (group memberships only)\n" msgstr "" #: src/rsbac_gpasswd.c:37 #, c-format msgid " (default = value of RSBAC_TA, if set, or 0)\n" msgstr "" #: src/rsbac_gpasswd.c:93 src/rsbac_gpasswd.c:103 src/rsbac_gpasswd.c:111 #: src/rsbac_groupadd.c:179 src/rsbac_groupadd.c:193 src/rsbac_groupadd.c:203 #: src/rsbac_groupmod.c:128 src/rsbac_groupmod.c:145 src/rsbac_groupmod.c:155 #: src/rsbac_useradd.c:454 src/rsbac_useradd.c:466 src/rsbac_useradd.c:479 #: src/rsbac_useradd.c:495 src/rsbac_useradd.c:506 src/rsbac_useradd.c:524 #: src/rsbac_useradd.c:534 src/rsbac_useradd.c:544 src/rsbac_useradd.c:554 #: src/rsbac_useradd.c:564 src/rsbac_useradd.c:574 src/rsbac_useradd.c:584 #: src/rsbac_useradd.c:595 src/rsbac_useradd.c:605 src/rsbac_useradd.c:636 #: src/rsbac_usermod.c:157 src/rsbac_usermod.c:167 src/rsbac_usermod.c:178 #: src/rsbac_usermod.c:195 src/rsbac_usermod.c:205 src/rsbac_usermod.c:215 #: src/rsbac_usermod.c:226 src/rsbac_usermod.c:236 src/rsbac_usermod.c:246 #: src/rsbac_usermod.c:257 src/rsbac_usermod.c:268 src/rsbac_usermod.c:279 #: src/rsbac_usermod.c:290 src/rsbac_usermod.c:302 src/rsbac_usermod.c:313 #, c-format msgid "%s: missing argument for parameter %c\n" msgstr "" #: src/rsbac_gpasswd.c:143 src/rsbac_groupdel.c:45 src/rsbac_groupmod.c:232 #: src/rsbac_groupmod.c:239 src/rsbac_groupshow.c:263 src/rsbac_useradd.c:361 #: src/rsbac_useradd.c:378 
src/rsbac_useradd.c:516 #, c-format msgid "%s: Unknown group %s\n" msgstr "" #: src/rsbac_gpasswd.c:173 src/rsbac_gpasswd.c:190 src/rsbac_gpasswd.c:229 #: src/rsbac_gpasswd.c:246 src/rsbac_login.c:102 src/rsbac_passwd.c:81 #: src/rsbac_userdel.c:49 src/rsbac_usermod.c:390 src/rsbac_usermod.c:397 #: src/rsbac_usershow.c:395 #, c-format msgid "%s: Unknown user %s\n" msgstr "" #: src/rsbac_gpasswd.c:269 src/rsbac_passwd.c:141 #, c-format msgid "%s: invalid new password!\n" msgstr "" #: src/rsbac_gpasswd.c:276 src/rsbac_passwd.c:154 #, c-format msgid "%s: invalid repeated new password!\n" msgstr "" #: src/rsbac_gpasswd.c:281 src/rsbac_passwd.c:159 #, c-format msgid "%s: new passwords do not match!\n" msgstr "" #: src/rsbac_groupadd.c:37 src/rsbac_groupmod.c:30 src/rsbac_groupshow.c:37 #, c-format msgid "Use: %s [flags] groupname\n" msgstr "" #: src/rsbac_groupadd.c:38 src/rsbac_groupmod.c:31 src/rsbac_useradd.c:55 #: src/rsbac_usermod.c:36 #, c-format msgid " -p password = password in plaintext,\n" msgstr "" #: src/rsbac_groupadd.c:39 #, c-format msgid " -g gid = gid to use,\n" msgstr "" #: src/rsbac_groupadd.c:43 #, c-format msgid " -o = use values from old group entry,\n" msgstr "" #: src/rsbac_groupadd.c:44 #, c-format msgid " -O = add all existing groups (implies -o)\n" msgstr "" #: src/rsbac_groupdel.c:30 #, c-format msgid "Use: %s [flags] group [group2 ...]\n" msgstr "" #: src/rsbac_groupmod.c:32 src/rsbac_usermod.c:37 #, c-format msgid " -P = disable password,\n" msgstr "" #: src/rsbac_groupmod.c:33 src/rsbac_useradd.c:57 src/rsbac_usermod.c:38 #, c-format msgid " -Q password = encrypted password (from backup),\n" msgstr "" #: src/rsbac_groupmod.c:34 #, c-format msgid " -g name = change groupname,\n" msgstr "" #: src/rsbac_groupshow.c:38 #, c-format msgid " -v = verbose, -a = list all groups\n" msgstr "" #: src/rsbac_groupshow.c:39 src/rsbac_usershow.c:41 #, c-format msgid " -l = short list all groups, -b = backup mode\n" msgstr "" #: src/rsbac_groupshow.c:40 
src/rsbac_usershow.c:42 #, c-format msgid " -p = also show encrypted password\n" msgstr "" #: src/rsbac_groupshow.c:77 #, c-format msgid "%s: Unknown group %u\n" msgstr "" #: src/rsbac_init.c:38 #, c-format msgid "" "Use: %s root_dev\n" "\n" msgstr "" #: src/rsbac_init.c:39 #, c-format msgid "root_dev: root device to initialize from, e.g. /dev/sda1\n" msgstr "" #: src/rsbac_jail.c:29 #, c-format msgid "Use: %s [flags] [-I addr] [-R dir] [-C cap-list] prog args\n" msgstr "" #: src/rsbac_jail.c:30 #, c-format msgid "This program will put the process into a jail with chroot to path,\n" msgstr "" #: src/rsbac_jail.c:31 #, c-format msgid "ip address IP and then execute prog with args\n" msgstr "" #: src/rsbac_jail.c:32 #, c-format msgid "-I addr = limit to IP address,\n" msgstr "" #: src/rsbac_jail.c:33 #, c-format msgid "-R dir = chroot to dir,\n" msgstr "" #: src/rsbac_jail.c:34 #, c-format msgid "-C cap-list = limit Linux capabilities for jailed processes,\n" msgstr "" #: src/rsbac_jail.c:35 #, c-format msgid "" " use bit-vector, numeric value or list names of desired caps,\n" msgstr "" #: src/rsbac_jail.c:36 #, c-format msgid " A = all, FS_MASK = all filesystem related,\n" msgstr "" #: src/rsbac_jail.c:37 #, c-format msgid "-L = list all Linux capabilities,\n" msgstr "" #: src/rsbac_jail.c:38 #, c-format msgid "-S = list all SCD targets,\n" msgstr "" #: src/rsbac_jail.c:39 #, c-format msgid "-v = verbose, -i = allow access to IPC outside this jail,\n" msgstr "" #: src/rsbac_jail.c:40 #, c-format msgid "-n = allow all network families, not only UNIX and INET (IPv4),\n" msgstr "" #: src/rsbac_jail.c:41 #, c-format msgid "-r = allow INET (IPv4) raw sockets (e.g. 
for ping),\n" msgstr "" #: src/rsbac_jail.c:42 #, c-format msgid "-a = auto-adjust INET any address 0.0.0.0 to jail address, if set,\n" msgstr "" #: src/rsbac_jail.c:43 #, c-format msgid "-o = additionally allow to/from remote INET (IPv4) address 127.0.0.1,\n" msgstr "" #: src/rsbac_jail.c:44 #, c-format msgid "-d = allow read access on devices, -D allow write access\n" msgstr "" #: src/rsbac_jail.c:45 #, c-format msgid "-e = allow GET_STATUS_DATA on devices, -E allow MODIFY_SYSTEM_DATA\n" msgstr "" #: src/rsbac_jail.c:46 #, c-format msgid "-G scd ... = allow GET_STATUS_DATA on these scd targets\n" msgstr "" #: src/rsbac_jail.c:47 #, c-format msgid "-M scd ... = allow MODIFY_SYSTEM_DATA on these scd targets\n" msgstr "" #: src/rsbac_jail.c:48 #, c-format msgid "Deprecated old options, please use -G and -M:\n" msgstr "" #: src/rsbac_jail.c:49 #, c-format msgid "-l = allow to modify rlimits (-M rlimit),\n" msgstr "" #: src/rsbac_jail.c:50 #, c-format msgid "-c = allow to modify system clock (-M SCD clock time_strucs),\n" msgstr "" #: src/rsbac_jail.c:51 #, c-format msgid "-m = allow to lock memory (-M mlock),\n" msgstr "" #: src/rsbac_jail.c:52 #, c-format msgid "-p = allow to modify priority (-M priority),\n" msgstr "" #: src/rsbac_jail.c:53 #, c-format msgid "-k = allow to get kernel symbols (-G ksyms)\n" msgstr "" #: src/rsbac_jail.c:173 src/rsbac_jail.c:216 #, c-format msgid "%s: missing SCDs for parameter %c\n" msgstr "" #: src/rsbac_jail.c:228 #, c-format msgid "%s: missing address for parameter %c\n" msgstr "" #: src/rsbac_jail.c:238 #, c-format msgid "%s: missing dirname for parameter %c\n" msgstr "" #: src/rsbac_jail.c:305 #, c-format msgid "%s: missing caps for parameter %c\n" msgstr "" #: src/rsbac_jail.c:340 #, c-format msgid "" "%s: executing %s in jail at %s with IP %s, flags %u, caps %u, scd_get %u, " "scd_modify %u\n" msgstr "" #: src/rsbac_jail.c:350 #, c-format msgid "" "%s: executing %s in jail (no chroot) with IP %s, flags %u, caps %u, scd_get %" 
"u, scd_modify %u\n" msgstr "" #: src/rsbac_list_ta.c:26 #, c-format msgid "Use: %s [flags] {begin|refresh|commit|forget}\n" msgstr "" #: src/rsbac_list_ta.c:27 #, c-format msgid " -v = verbose, -b = print bash export of RSBAC_TA\n" msgstr "" #: src/rsbac_list_ta.c:28 #, c-format msgid "" " -t ttl = change transaction timeout from kernel config default to ttl\n" msgstr "" #: src/rsbac_list_ta.c:29 #, c-format msgid " -p password = use this password\n" msgstr "" #: src/rsbac_list_ta.c:30 #, c-format msgid " -N ta = transaction number (for refresh, commit, forget)\n" msgstr "" #: src/rsbac_list_ta.c:31 #, c-format msgid " (default = value of RSBAC_TA, if set, or 0 otherwise)\n" msgstr "" #: src/rsbac_list_ta.c:83 #, c-format msgid "%s: missing password for parameter %c\n" msgstr "" #: src/rsbac_list_ta.c:98 #, c-format msgid "%s: missing user for parameter %c\n" msgstr "" #: src/rsbac_login.c:69 src/rsbac_passwd.c:59 #, c-format msgid "Use: %s [flags] [username]\n" msgstr "" #: src/rsbac_login.c:70 #, c-format msgid " -v = verbose, -p = preserve environment\n" msgstr "" #: src/rsbac_login.c:96 #, c-format msgid "%s: invalid login name!\n" msgstr "" #: src/rsbac_login.c:125 src/rsbac_useradd.c:146 src/rsbac_useradd.c:181 #, c-format msgid "%s: invalid password!\n" msgstr "" #: src/rsbac_passwd.c:60 #, c-format msgid " -v = verbose,\n" msgstr "" #: src/rsbac_passwd.c:61 #, c-format msgid " -n = do not ask for old password\n" msgstr "" #: src/rsbac_passwd.c:116 #, c-format msgid "%s: invalid old password!\n" msgstr "" #: src/rsbac_pm.c:32 #, c-format msgid "Use: %s [flags] call args\n" msgstr "" #: src/rsbac_pm.c:34 src/rsbac_pm.c:62 #, c-format msgid "call = one of the following calls, args = call dependent\n" msgstr "" #: src/rsbac_pm.c:41 src/rsbac_pm.c:69 #, c-format msgid "-- press return --" msgstr "" #: src/rsbac_pm.c:60 #, c-format msgid "Use: %s [flags] create_ticket ticket-nr valid-secs call args\n" msgstr "" #: src/rsbac_pm.c:61 #, c-format msgid " -N ta = 
transaction number\n" msgstr "" #: src/rsbac_pm.c:137 #, c-format msgid "" "\n" "%s: invalid pm function %s!\n" "\n" msgstr "" #: src/rsbac_pm.c:140 #, c-format msgid "%s: requesting pm-call %s (No. %i)\n" msgstr "" #: src/rsbac_pm.c:147 src/rsbac_pm.c:170 src/rsbac_pm.c:193 src/rsbac_pm.c:205 #: src/rsbac_pm.c:216 src/rsbac_pm.c:266 src/rsbac_pm.c:277 src/rsbac_pm.c:289 #: src/rsbac_pm.c:301 src/rsbac_pm.c:313 src/rsbac_pm.c:325 src/rsbac_pm.c:337 #: src/rsbac_pm.c:348 src/rsbac_pm.c:360 src/rsbac_pm.c:372 src/rsbac_pm.c:383 #: src/rsbac_pm.c:396 src/rsbac_pm.c:408 src/rsbac_pm.c:419 src/rsbac_pm.c:430 #: src/rsbac_pm.c:457 src/rsbac_pm.c:469 src/rsbac_pm.c:483 src/rsbac_pm.c:495 #: src/rsbac_pm.c:509 src/rsbac_pm.c:520 src/rsbac_pm.c:531 src/rsbac_pm.c:556 #: src/rsbac_pm.c:584 src/rsbac_pm.c:612 src/rsbac_pm.c:624 src/rsbac_pm.c:634 #: src/rsbac_pm.c:684 src/rsbac_pm.c:694 src/rsbac_pm.c:706 src/rsbac_pm.c:718 #: src/rsbac_pm.c:730 src/rsbac_pm.c:742 src/rsbac_pm.c:754 src/rsbac_pm.c:764 #: src/rsbac_pm.c:776 src/rsbac_pm.c:788 src/rsbac_pm.c:798 src/rsbac_pm.c:812 #: src/rsbac_pm.c:824 src/rsbac_pm.c:834 src/rsbac_pm.c:844 src/rsbac_pm.c:875 #: src/rsbac_pm.c:887 src/rsbac_pm.c:901 src/rsbac_pm.c:913 #, c-format msgid "Too few arguments: argc is %i\n" msgstr "" #: src/rsbac_pm.c:227 src/rsbac_pm.c:238 src/rsbac_pm.c:645 src/rsbac_pm.c:656 #, c-format msgid "%s: Could not allocate list memory!" 
msgstr "" #: src/rsbac_pm.c:545 #, c-format msgid "" "\n" "Too few arguments: argc is %i\n" msgstr "" #: src/rsbac_useradd.c:50 src/rsbac_usermod.c:30 src/rsbac_usershow.c:39 #, c-format msgid "Use: %s [flags] username\n" msgstr "" #: src/rsbac_useradd.c:51 src/rsbac_usermod.c:31 #, c-format msgid " -c comment = fullname or comment,\n" msgstr "" #: src/rsbac_useradd.c:52 src/rsbac_usermod.c:32 #, c-format msgid " -d dir = homedir of user,\n" msgstr "" #: src/rsbac_useradd.c:53 src/rsbac_usermod.c:33 #, c-format msgid " -g group = main / initial Linux group,\n" msgstr "" #: src/rsbac_useradd.c:54 src/rsbac_usermod.c:34 #, c-format msgid " -G group1[,group2,...] = add more Linux groups,\n" msgstr "" #: src/rsbac_useradd.c:56 #, c-format msgid " -P = ask for password,\n" msgstr "" #: src/rsbac_useradd.c:58 #, c-format msgid " -s shell = user's shell,\n" msgstr "" #: src/rsbac_useradd.c:59 #, c-format msgid " -u uid = uid to use,\n" msgstr "" #: src/rsbac_useradd.c:60 #, c-format msgid " -m = create user home dir from skeleton,\n" msgstr "" #: src/rsbac_useradd.c:61 #, c-format msgid " -k dir = use this skeleton dir instead of /etc/skel/,\n" msgstr "" #: src/rsbac_useradd.c:62 src/rsbac_usermod.c:41 #, c-format msgid " -n minchange-days = minimum days between password changes,\n" msgstr "" #: src/rsbac_useradd.c:63 src/rsbac_usermod.c:42 #, c-format msgid " -x maxchange-days = maximum days between password changes,\n" msgstr "" #: src/rsbac_useradd.c:64 src/rsbac_usermod.c:43 #, c-format msgid " -w warnchange-days = warning days before password must be changed,\n" msgstr "" #: src/rsbac_useradd.c:65 src/rsbac_usermod.c:44 #, c-format msgid "" " -f inactive-days = period between password expiry and account disabling,\n" msgstr "" #: src/rsbac_useradd.c:66 src/rsbac_usermod.c:45 #, c-format msgid " -e expire-days = days since 1/Jan/1970 when account gets disabled,\n" msgstr "" #: src/rsbac_useradd.c:70 #, c-format msgid " -o = use values from old passwd/shadow entry,\n" 
msgstr "" #: src/rsbac_useradd.c:71 #, c-format msgid " -O = add all existing users (implies -o)\n" msgstr "" #: src/rsbac_useradd.c:191 #, c-format msgid "%s: password mismatch!\n" msgstr "" #: src/rsbac_useradd.c:193 #, c-format msgid "%s: Too many tries, using default password!\n" msgstr "" #: src/rsbac_useradd.c:617 #, c-format msgid "%s: cannot lookup skel dir %s\n" msgstr "" #: src/rsbac_useradd.c:623 #, c-format msgid "%s: skel dir %s is no dir\n" msgstr "" #: src/rsbac_useradd.c:629 #, c-format msgid "%s: skel dir name %s is too long\n" msgstr "" #: src/rsbac_userdel.c:31 #, c-format msgid "Use: %s [flags] user [user2 ...]\n" msgstr "" #: src/rsbac_userdel.c:33 #, c-format msgid " -r = remove user's home dir\n" msgstr "" #: src/rsbac_usermod.c:35 #, c-format msgid " -H group1[,group2,...] = remove Linux groups,\n" msgstr "" #: src/rsbac_usermod.c:39 #, c-format msgid " -s shell = user shell,\n" msgstr "" #: src/rsbac_usermod.c:40 #, c-format msgid " -u name = change username,\n" msgstr "" #: src/rsbac_usermod.c:475 src/rsbac_usermod.c:491 src/rsbac_usermod.c:522 #: src/rsbac_usermod.c:538 #, c-format msgid "%s: Invalid group %s\n" msgstr "" #: src/rsbac_usershow.c:40 #, c-format msgid " -v = verbose, -a = list all users\n" msgstr "" #: src/rsbac_usershow.c:43 #, c-format msgid " -D = print dates as yyyymmdd, not day number\n" msgstr "" #: src/rsbac_usershow.c:44 #, c-format msgid " -u = list calling user\n" msgstr "" #: src/rsbac_usershow.c:81 #, c-format msgid "%s: Unknown user %u\n" msgstr "" #: src/rsbac_write.c:30 #, c-format msgid "%s: %i lists written\n" msgstr "" #: src/switch_adf_log.c:28 #, c-format msgid "Use: %s request [target] [value]\n" msgstr "" #: src/switch_adf_log.c:29 #, c-format msgid "request = request name or ALL, value = [012]\n" msgstr "" #: src/switch_adf_log.c:30 #, c-format msgid "target = target type name, leave out for ALL\n" msgstr "" #: src/switch_adf_log.c:31 #, c-format msgid "- -n = list all requests, -t = list all target 
types\n" msgstr "" #: src/switch_adf_log.c:32 #, c-format msgid "- -b = backup log level settings\n" msgstr "" #: src/switch_adf_log.c:33 #, c-format msgid "- -g = get not set, -s = scripting mode\n" msgstr "" #: src/switch_adf_log.c:148 #, c-format msgid "%s: getting log settings for request %s\n" msgstr "" #: src/switch_adf_log.c:225 #, c-format msgid "%s: switching logging for ALL requests and targets to %i\n" msgstr "" #: src/switch_adf_log.c:250 #, c-format msgid "%s: switching logging for request %s and all target types to %i\n" msgstr "" #: src/switch_adf_log.c:256 src/switch_adf_log.c:287 #, c-format msgid "%s: target %s\n" msgstr "" #: src/switch_adf_log.c:282 #, c-format msgid "%s: switching logging for ALL requests and target type %s to %i\n" msgstr "" #: src/switch_adf_log.c:311 #, c-format msgid "%s: switching logging for request %s and target type %s to %i\n" msgstr "" #: src/switch_module.c:29 #, c-format msgid "Use: %s [-s] module value\n" msgstr "" #: src/switch_module.c:30 #, c-format msgid " -s: switch module's individual softmode, not the whole module\n" msgstr "" #: src/switch_module.c:31 #, c-format msgid "" "module = module name, value = [01]\n" "\n" msgstr "" #: src/switch_module.c:32 #, c-format msgid "Possible module names are:\n" msgstr "" #: src/switch_module.c:84 #, c-format msgid "%s: Invalid switch target %s\n" msgstr "" #: src/switch_module.c:91 #, c-format msgid "%s: switching Module %s softmode to %i\n" msgstr "" #: src/switch_module.c:93 #, c-format msgid "%s: switching Module %s to %i\n" msgstr "" rsbac-admin-1.4.0/main/tools/po/README0000644000175000017500000000233111131371034017115 0ustar gauvaingauvainHow to add a new language: ------------------------- 1. 
Set or make sure your $LANG, $LANGUAGE and $LC_ALL variables are set AND exported $ echo $LANG $LANGUAGE $LC_ALL This should output your language, for example: fr_FR@euro fr_FR@euro fr_FR@euro This will be the example in the next sections, please replace it with your own language. 2. Copy po/messages to po/fr_FR.po (not fr_FR@euro.po) 3. Edit the file: * Change the header * Fill all occurrences of ``msgstr' in your own language * Take care of the quotes and format strings (%s, %i, \n, \t) * If you are unsure of the translation, look it up in the program, or ask the RSBAC team. (http://www.rsbac.org/contact) 4. Make sure you have the Gettext package with development files installed: * compile your file: $ msgfmt -o po/fr_FR.mo po/fr_FR.po If everything goes right, go to step 5, else correct the file. 5. Compile and install the RSBAC tools (see the ``INSTALL' file) * Try the programs and check that everything works 6. Send the .po (fr_FR.po) file to the RSBAC team so that it's included in the next release. 7. Once we release the new version, please test the translation again to make sure nothing was forgotten. Thanks for contributing! rsbac-admin-1.4.0/main/tools/po/messages.tpo0000644000175000017500000023472111131371034020602 0ustar gauvaingauvain# SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. 
# #, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2005-08-26 09:09+0000\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #: src/acl_grant.c:49 src/acl_group.c:33 src/acl_mask.c:49 src/acl_rights.c:46 #: src/acl_rm_user.c:26 src/acl_tlist.c:49 src/attr_back_dev.c:51 #: src/attr_back_fd.c:73 src/attr_back_group.c:48 src/attr_back_net.c:59 #: src/attr_back_user.c:73 src/attr_get_fd.c:39 src/attr_get_file_dir.c:29 #: src/attr_get_group.c:29 src/attr_get_ipc.c:31 src/attr_get_net.c:42 #: src/attr_get_process.c:31 src/attr_get_up.c:26 src/attr_get_user.c:29 #: src/attr_rm_fd.c:37 src/attr_rm_file_dir.c:27 src/attr_rm_group.c:26 #: src/attr_rm_user.c:26 src/attr_set_fd.c:39 src/attr_set_file_dir.c:27 #: src/attr_set_group.c:27 src/attr_set_ipc.c:31 src/attr_set_net.c:41 #: src/attr_set_process.c:30 src/attr_set_up.c:26 src/attr_set_user.c:27 #: src/auth_back_cap.c:41 src/auth_set_cap.c:30 src/get_attribute_name.c:35 #: src/get_attribute_nr.c:31 src/linux2acl.c:60 src/mac_back_trusted.c:40 #: src/mac_back_trusted.c:234 src/mac_get_levels.c:27 src/mac_set_trusted.c:30 #: src/mac_wrap.c:26 src/net_temp.c:40 src/pm_create.c:24 src/pm_ct_exec.c:40 #: src/rc_get_eff_rights_fd.c:38 src/rc_get_item.c:33 src/rc_role_wrap.c:27 #: src/rc_set_item.c:30 src/rsbac_check.c:41 src/rsbac_gpasswd.c:27 #: src/rsbac_groupadd.c:36 src/rsbac_groupdel.c:29 src/rsbac_groupmod.c:29 #: src/rsbac_groupshow.c:36 src/rsbac_init.c:37 src/rsbac_jail.c:28 #: src/rsbac_list_ta.c:25 src/rsbac_login.c:68 src/rsbac_passwd.c:58 #: src/rsbac_pm.c:31 src/rsbac_pm.c:59 src/rsbac_useradd.c:49 #: src/rsbac_userdel.c:30 src/rsbac_usermod.c:29 src/rsbac_usershow.c:38 #: src/switch_adf_log.c:27 src/switch_module.c:28 #, c-format msgid "" "%s (RSBAC %s)\n" "***\n" msgstr "" #: 
src/acl_grant.c:50 #, c-format msgid "" "Use: %s [switches] subj_type subj_id [rights] target-type file/dirname(s)\n" msgstr "" #: src/acl_grant.c:51 #, c-format msgid " -v = verbose, -r = recurse into subdirs,\n" msgstr "" #: src/acl_grant.c:52 #, c-format msgid " -p = print right names, -s = set rights, not add\n" msgstr "" #: src/acl_grant.c:53 #, c-format msgid " -k = revoke rights, not add, -m remove entry (set back to inherit)\n" msgstr "" #: src/acl_grant.c:54 #, c-format msgid " -b = expect rights as bitstring, -n = list valid SCD names\n" msgstr "" #: src/acl_grant.c:55 #, c-format msgid " -d = numeric device specification ({b|c}major[:minor])\n" msgstr "" #: src/acl_grant.c:56 #, c-format msgid " -u, -g, -l = shortcuts for USER, GROUP and ROLE\n" msgstr "" #: src/acl_grant.c:57 #, c-format msgid "" " -t = set relative time-to-live for this trustee in seconds (add and set " "only)\n" msgstr "" #: src/acl_grant.c:58 #, c-format msgid "" " -T = set absolute time-to-live for this trustee in seconds (add and set " "only)\n" msgstr "" #: src/acl_grant.c:59 #, c-format msgid "" " -D = set relative time-to-live for this trustee in days (add and set " "only)\n" msgstr "" #: src/acl_grant.c:60 src/acl_group.c:41 src/switch_adf_log.c:34 #, c-format msgid " -V version = supply RSBAC integer version number for upgrading\n" msgstr "" #: src/acl_grant.c:61 src/acl_group.c:42 #, c-format msgid "" " -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n" msgstr "" #: src/acl_grant.c:62 #, c-format msgid " subj_type = USER, GROUP or ROLE,\n" msgstr "" #: src/acl_grant.c:63 #, c-format msgid " subj_id = user name or id number,\n" msgstr "" #: src/acl_grant.c:64 src/acl_mask.c:58 #, c-format msgid "" " rights = list of space-separated right names (requests and ACL specials),\n" msgstr "" #: src/acl_grant.c:65 #, c-format msgid "" " also request groups R (read requests), RW (read-write), W (write)\n" msgstr "" #: src/acl_grant.c:66 src/acl_mask.c:60 #, 
c-format msgid " SY (system), SE (security), A (all)\n" msgstr "" #: src/acl_grant.c:67 src/acl_mask.c:61 #, c-format msgid " S (ACL special rights)\n" msgstr "" #: src/acl_grant.c:68 src/acl_mask.c:62 #, c-format msgid "" " and NWx with x = S R W C E A F M (similar to well-known network " "system)\n" msgstr "" #: src/acl_grant.c:69 src/acl_tlist.c:59 #, c-format msgid "" " target-type = FILE, DIR, FIFO, SYMLINK, DEV, IPC, SCD, USER, PROCESS, " "NETDEV,\n" msgstr "" #: src/acl_grant.c:70 src/acl_mask.c:64 src/acl_tlist.c:60 #, c-format msgid " NETTEMP_NT, NETTEMP, NETOBJ or FD\n" msgstr "" #: src/acl_grant.c:71 src/acl_mask.c:65 src/acl_rights.c:59 src/acl_tlist.c:61 #, c-format msgid " (FD: let %s decide between FILE, DIR, FIFO and SYMLINK, no DEV),\n" msgstr "" #: src/acl_grant.c:72 src/acl_tlist.c:62 #, c-format msgid " (IPC, USER, PROCESS: only :DEFAULT:\n" msgstr "" #: src/acl_grant.c:73 src/acl_rights.c:61 src/acl_tlist.c:63 #, c-format msgid " (NETTEMP: no :DEFAULT:\n" msgstr "" #: src/acl_grant.c:74 src/acl_rights.c:62 src/acl_tlist.c:64 #, c-format msgid "- Use name :DEFAULT: for default ACL\n" msgstr "" #: src/acl_grant.c:133 src/acl_mask.c:127 src/acl_mask.c:210 #: src/acl_rights.c:121 src/acl_rights.c:190 src/acl_tlist.c:126 #: src/acl_tlist.c:203 #, c-format msgid "Invalid target %u for %s, skipped!\n" msgstr "" #: src/acl_grant.c:138 #, c-format msgid "Processing default %s '%s'\n" msgstr "" #: src/acl_grant.c:158 src/acl_mask.c:152 src/acl_rights.c:142 #: src/acl_tlist.c:151 #, c-format msgid "%s is no valid device specification, skipped\n" msgstr "" #: src/acl_grant.c:167 src/acl_mask.c:165 src/acl_rights.c:154 #: src/acl_tlist.c:164 #, c-format msgid "%s is no valid SCD name, skipped\n" msgstr "" #: src/acl_grant.c:175 src/acl_grant.c:455 src/acl_group.c:247 #: src/acl_group.c:398 src/acl_group.c:429 src/acl_group.c:456 #: src/acl_mask.c:174 src/acl_rights.c:162 src/acl_rm_user.c:94 #: src/acl_tlist.c:173 src/attr_back_user.c:444 
src/attr_back_user.c:468 #: src/attr_get_user.c:147 src/attr_get_user.c:258 src/attr_get_user.c:374 #: src/attr_set_user.c:175 src/attr_set_user.c:346 src/attr_set_user.c:453 #: src/attr_set_user.c:581 src/auth_set_cap.c:214 src/auth_set_cap.c:222 #: src/mac_set_trusted.c:192 src/rsbac_list_ta.c:90 #, c-format msgid "%s: Invalid User %s!\n" msgstr "" #: src/acl_grant.c:183 src/acl_mask.c:184 src/acl_rights.c:170 #: src/acl_tlist.c:183 src/attr_back_group.c:274 src/attr_back_group.c:298 #: src/attr_get_group.c:143 src/attr_get_group.c:214 src/attr_get_user.c:240 #: src/attr_set_group.c:182 #, c-format msgid "%s: Invalid Group %s!\n" msgstr "" #: src/acl_grant.c:203 #, c-format msgid "Invalid target type %u for %s, skipped!\n" msgstr "" #: src/acl_grant.c:208 src/acl_rights.c:196 src/rc_get_eff_rights_fd.c:56 #, c-format msgid "Processing %s '%s'\n" msgstr "" #: src/acl_grant.c:252 src/acl_mask.c:289 src/acl_mask.c:291 #: src/acl_rights.c:235 src/acl_tlist.c:246 src/attr_rm_fd.c:61 #: src/attr_rm_file_dir.c:103 src/attr_set_fd.c:71 #: src/rc_get_eff_rights_fd.c:63 #, c-format msgid "%s: error: %s\n" msgstr "" #: src/acl_grant.c:268 src/acl_mask.c:373 src/acl_rights.c:290 #: src/acl_tlist.c:401 src/attr_back_dev.c:206 src/attr_back_fd.c:279 #: src/attr_get_fd.c:141 src/attr_rm_fd.c:77 src/attr_set_fd.c:87 #: src/auth_back_cap.c:373 src/linux2acl.c:765 src/mac_back_trusted.c:108 #: src/rc_get_eff_rights_fd.c:95 #, c-format msgid "opendir for dir %s returned error: %s\n" msgstr "" #: src/acl_grant.c:371 src/acl_grant.c:381 src/acl_grant.c:402 #: src/acl_group.c:133 src/acl_group.c:143 src/acl_group.c:164 #: src/auth_set_cap.c:123 src/auth_set_cap.c:133 src/auth_set_cap.c:154 #: src/mac_set_trusted.c:101 src/mac_set_trusted.c:111 #: src/mac_set_trusted.c:132 src/rc_set_item.c:128 src/rc_set_item.c:138 #: src/rc_set_item.c:159 src/rsbac_groupadd.c:213 src/rsbac_groupadd.c:223 #: src/rsbac_groupadd.c:244 src/rsbac_groupmod.c:166 src/rsbac_groupmod.c:177 #: 
src/rsbac_groupmod.c:199 src/rsbac_list_ta.c:73 src/rsbac_useradd.c:646 #: src/rsbac_useradd.c:656 src/rsbac_useradd.c:677 src/rsbac_usermod.c:324 #: src/rsbac_usermod.c:335 src/rsbac_usermod.c:357 #, c-format msgid "%s: missing ttl value for parameter %c\n" msgstr "" #: src/acl_grant.c:397 src/acl_group.c:159 src/auth_set_cap.c:149 #: src/mac_set_trusted.c:127 src/rc_set_item.c:154 src/rsbac_groupadd.c:239 #: src/rsbac_groupmod.c:194 src/rsbac_useradd.c:672 src/rsbac_usermod.c:352 #, c-format msgid "%s: ttl value for parameter %c is in the past, exiting\n" msgstr "" #: src/acl_grant.c:407 src/acl_group.c:169 src/acl_mask.c:461 #: src/attr_set_fd.c:184 src/attr_set_file_dir.c:143 src/attr_set_group.c:123 #: src/attr_set_net.c:288 src/attr_set_up.c:110 src/attr_set_user.c:123 #: src/auth_set_cap.c:159 src/mac_set_trusted.c:137 src/net_temp.c:268 #: src/rc_set_item.c:201 src/switch_adf_log.c:119 #, c-format msgid "%s: no version number for switch V\n" msgstr "" #: src/acl_grant.c:423 src/acl_group.c:185 src/acl_mask.c:477 #: src/acl_rights.c:489 src/acl_rm_user.c:72 src/acl_tlist.c:491 #: src/attr_back_dev.c:303 src/attr_back_fd.c:398 src/attr_back_group.c:192 #: src/attr_back_net.c:311 src/attr_back_user.c:325 src/attr_get_fd.c:249 #: src/attr_get_file_dir.c:198 src/attr_get_group.c:185 src/attr_get_ipc.c:90 #: src/attr_get_net.c:317 src/attr_get_process.c:115 src/attr_get_up.c:117 #: src/attr_get_user.c:208 src/attr_rm_fd.c:138 src/attr_rm_file_dir.c:74 #: src/attr_rm_group.c:67 src/attr_rm_user.c:67 src/attr_set_fd.c:200 #: src/attr_set_file_dir.c:159 src/attr_set_group.c:139 src/attr_set_ipc.c:89 #: src/attr_set_net.c:304 src/attr_set_process.c:126 src/attr_set_up.c:126 #: src/attr_set_user.c:139 src/auth_back_cap.c:466 src/auth_set_cap.c:175 #: src/mac_back_trusted.c:190 src/mac_set_trusted.c:153 src/net_temp.c:284 #: src/rc_copy_role.c:66 src/rc_copy_type.c:68 src/rc_get_eff_rights_fd.c:159 #: src/rc_get_item.c:256 src/rc_set_item.c:217 src/rsbac_gpasswd.c:122 
#: src/rsbac_groupadd.c:255 src/rsbac_groupdel.c:99 src/rsbac_groupmod.c:210 #: src/rsbac_groupshow.c:239 src/rsbac_list_ta.c:108 src/rsbac_pm.c:117 #: src/rsbac_useradd.c:688 src/rsbac_userdel.c:136 src/rsbac_usermod.c:368 #: src/rsbac_usershow.c:371 #, c-format msgid "%s: missing transaction number value for parameter %c\n" msgstr "" #: src/acl_grant.c:428 src/acl_group.c:190 src/acl_mask.c:482 #: src/acl_rights.c:560 src/acl_rm_user.c:78 src/acl_tlist.c:496 #: src/attr_back_dev.c:308 src/attr_back_fd.c:403 src/attr_back_group.c:197 #: src/attr_back_net.c:316 src/attr_back_user.c:330 src/attr_get_fd.c:254 #: src/attr_get_file_dir.c:232 src/attr_get_group.c:191 src/attr_get_ipc.c:95 #: src/attr_get_net.c:323 src/attr_get_process.c:121 src/attr_get_up.c:122 #: src/attr_get_user.c:214 src/attr_rm_fd.c:143 src/attr_rm_file_dir.c:79 #: src/attr_rm_group.c:72 src/attr_rm_user.c:72 src/attr_set_fd.c:206 #: src/attr_set_file_dir.c:165 src/attr_set_group.c:145 src/attr_set_ipc.c:94 #: src/attr_set_net.c:310 src/attr_set_process.c:131 src/attr_set_up.c:131 #: src/attr_set_user.c:145 src/auth_back_cap.c:471 src/auth_set_cap.c:180 #: src/linux2acl.c:831 src/mac_back_trusted.c:195 src/mac_set_trusted.c:158 #: src/mac_wrap.c:110 src/net_temp.c:289 src/rc_copy_role.c:71 #: src/rc_copy_type.c:73 src/rc_get_eff_rights_fd.c:164 src/rc_get_item.c:262 #: src/rc_role_wrap.c:58 src/rc_set_item.c:223 src/rsbac_gpasswd.c:127 #: src/rsbac_groupadd.c:261 src/rsbac_groupdel.c:105 src/rsbac_groupmod.c:216 #: src/rsbac_groupshow.c:245 src/rsbac_jail.c:327 src/rsbac_list_ta.c:117 #: src/rsbac_login.c:74 src/rsbac_passwd.c:65 src/rsbac_pm.c:122 #: src/rsbac_useradd.c:694 src/rsbac_userdel.c:142 src/rsbac_usermod.c:374 #: src/rsbac_usershow.c:377 src/switch_adf_log.c:128 src/switch_module.c:69 #, c-format msgid "%s: unknown parameter %c\n" msgstr "" #: src/acl_grant.c:443 #, c-format msgid "%s: unknown subject_type %s\n" msgstr "" #: src/acl_grant.c:472 src/rc_set_item.c:644 #, c-format msgid 
"Invalid bitstring length %u, must be %u!\n" msgstr "" #: src/acl_grant.c:656 src/acl_mask.c:695 src/attr_rm_fd.c:165 #: src/attr_set_fd.c:238 #, c-format msgid "%s: Invalid target type %s\n" msgstr "" #: src/acl_grant.c:666 #, c-format msgid "" "Set rights: %s\n" "for %s %u\n" msgstr "" #: src/acl_grant.c:672 #, c-format msgid "" "Add rights: %s\n" "for %s %u\n" msgstr "" #: src/acl_grant.c:678 #, c-format msgid "" "Revoke rights: %s\n" "for %s %u\n" msgstr "" #: src/acl_grant.c:684 #, c-format msgid "Remove entry for %s %u.\n" msgstr "" #: src/acl_grant.c:689 #, c-format msgid "%s: Internal error in call switch!\n" msgstr "" #: src/acl_grant.c:705 #, c-format msgid "" "\n" "%s: %i targets\n" "\n" msgstr "" #: src/acl_group.c:34 #, c-format msgid "Use: %s [switches] function params\n" msgstr "" #: src/acl_group.c:35 #, c-format msgid " -v = verbose, -g = also list global groups of other users,\n" msgstr "" #: src/acl_group.c:36 #, c-format msgid " -b = backup mode, -n = use numerical values,\n" msgstr "" #: src/acl_group.c:37 #, c-format msgid " -s = scripting mode\n" msgstr "" #: src/acl_group.c:38 #, c-format msgid "" " -t = set relative time-to-live for this membership in seconds (add_member " "only)\n" msgstr "" #: src/acl_group.c:39 #, c-format msgid "" " -T = set absolute time-to-live for this trustee in seconds (add_member " "only)\n" msgstr "" #: src/acl_group.c:40 #, c-format msgid "" " -D = set relative time-to-live for this membership in days (add_member " "only)\n" msgstr "" #: src/acl_group.c:43 #, c-format msgid "- function and params = one of\n" msgstr "" #: src/acl_group.c:44 #, c-format msgid " add_group P[RIVATE]|G[LOBAL] name [id]\n" msgstr "" #: src/acl_group.c:45 #, c-format msgid " change_group group-id new-owner P[RIVATE]|G[LOBAL] name\n" msgstr "" #: src/acl_group.c:46 #, c-format msgid " remove_group group-id\n" msgstr "" #: src/acl_group.c:47 #, c-format msgid " get_group_entry group-id\n" msgstr "" #: src/acl_group.c:48 #, c-format msgid 
" get_group_name group-id\n" msgstr "" #: src/acl_group.c:49 #, c-format msgid " get_group_type group-id\n" msgstr "" #: src/acl_group.c:50 #, c-format msgid " get_group_owner group-id\n" msgstr "" #: src/acl_group.c:51 #, c-format msgid " list_groups\n" msgstr "" #: src/acl_group.c:52 #, c-format msgid " add_member group-id user1 ...\n" msgstr "" #: src/acl_group.c:53 #, c-format msgid " remove_member group-id user1 ...\n" msgstr "" #: src/acl_group.c:54 #, c-format msgid " get_user_groups [user]\n" msgstr "" #: src/acl_group.c:55 #, c-format msgid " get_group_members group-id\n" msgstr "" #: src/acl_group.c:71 src/net_temp.c:63 msgid "*unknown*" msgstr "" #: src/acl_group.c:210 src/acl_group.c:241 src/acl_group.c:277 #: src/acl_group.c:299 src/acl_group.c:388 src/acl_group.c:421 #: src/acl_group.c:500 #, c-format msgid "%s: too few arguments for function %s\n" msgstr "" #: src/acl_group.c:220 src/acl_group.c:258 #, c-format msgid "%s: %s: invalid group type %s\n" msgstr "" #: src/acl_group.c:232 #, c-format msgid "%s group %u '%s' added\n" msgstr "" #: src/acl_group.c:265 #, c-format msgid "Group %u changed to owner %u, type %s, name '%s'\n" msgstr "" #: src/acl_group.c:286 #, c-format msgid "Group %u '%s' removed\n" msgstr "" #: src/acl_group.c:320 src/acl_group.c:371 #, c-format msgid "Group %u: owner %u (%s), type %c, name '%s'\n" msgstr "" #: src/acl_group.c:339 #, c-format msgid "%i groups listed:\n" msgstr "" #: src/acl_group.c:342 #, c-format msgid "%i groups listed (list truncated):\n" msgstr "" #: src/acl_group.c:377 src/acl_group.c:487 src/acl_group.c:596 #, c-format msgid "(truncated)\n" msgstr "" #: src/acl_group.c:406 #, c-format msgid "Member %u (%s) added to group %u '%s'\n" msgstr "" #: src/acl_group.c:437 #, c-format msgid "Member %u (%s) removed from group %u '%s'\n" msgstr "" #: src/acl_group.c:468 #, c-format msgid "%i group memberships for user %u (%s): " msgstr "" #: src/acl_group.c:473 #, c-format msgid "%i group memberships for user %u 
(%s) (list truncated): " msgstr "" #: src/acl_group.c:512 #, c-format msgid "%i members of group %u '%s':\n" msgstr "" #: src/acl_group.c:517 #, c-format msgid "%i members of group %u '%s' (list truncated):\n" msgstr "" #: src/acl_group.c:601 #, c-format msgid "%s: internal error: invalid function number %u\n" msgstr "" #: src/acl_mask.c:50 #, c-format msgid "Use: %s [switches] [rights] target-type file/dirname(s)\n" msgstr "" #: src/acl_mask.c:51 src/acl_rights.c:48 src/acl_tlist.c:51 #: src/attr_rm_fd.c:39 src/attr_set_fd.c:41 src/rc_get_eff_rights_fd.c:40 #, c-format msgid " -v = verbose, -r = recurse into subdirs,\n" msgstr "" #: src/acl_mask.c:52 #, c-format msgid " -p = print right names, -s = set mask, not get\n" msgstr "" #: src/acl_mask.c:53 #, c-format msgid " -b = backup mode, -n = list valid SCD names\n" msgstr "" #: src/acl_mask.c:54 src/acl_tlist.c:53 src/attr_get_file_dir.c:34 #: src/attr_rm_file_dir.c:29 src/attr_set_file_dir.c:32 #, c-format msgid " -d = numeric device specification ({b|c}major[:minor])\n" msgstr "" #: src/acl_mask.c:55 #, c-format msgid " -D = process all existing device masks,\n" msgstr "" #: src/acl_mask.c:56 src/attr_set_fd.c:44 src/attr_set_file_dir.c:34 #: src/attr_set_group.c:32 src/attr_set_net.c:46 src/attr_set_up.c:30 #: src/attr_set_user.c:32 src/auth_set_cap.c:45 src/mac_set_trusted.c:39 #: src/net_temp.c:49 src/rc_set_item.c:42 #, c-format msgid " -V version = supply RSBAC integer version number for upgrading\n" msgstr "" #: src/acl_mask.c:57 src/acl_rights.c:53 src/acl_rm_user.c:30 #: src/acl_tlist.c:58 src/attr_back_dev.c:59 src/attr_back_fd.c:83 #: src/attr_back_group.c:55 src/attr_back_net.c:64 src/attr_back_user.c:79 #: src/attr_get_fd.c:44 src/attr_get_file_dir.c:39 src/attr_get_group.c:34 #: src/attr_get_ipc.c:34 src/attr_get_net.c:48 src/attr_get_process.c:35 #: src/attr_get_up.c:29 src/attr_get_user.c:36 src/attr_rm_fd.c:40 #: src/attr_rm_file_dir.c:30 src/attr_rm_group.c:28 src/attr_rm_user.c:28 #: 
src/attr_set_fd.c:45 src/attr_set_file_dir.c:35 src/attr_set_group.c:33 #: src/attr_set_net.c:47 src/attr_set_process.c:34 src/attr_set_up.c:31 #: src/attr_set_user.c:33 src/auth_back_cap.c:48 src/auth_set_cap.c:46 #: src/mac_back_trusted.c:45 src/mac_back_trusted.c:239 #: src/mac_set_trusted.c:40 src/net_temp.c:50 src/rc_copy_role.c:28 #: src/rc_copy_type.c:29 src/rc_get_eff_rights_fd.c:42 src/rc_get_item.c:43 #: src/rc_set_item.c:43 src/rsbac_groupadd.c:45 src/rsbac_groupdel.c:32 #: src/rsbac_groupmod.c:38 src/rsbac_groupshow.c:41 src/rsbac_pm.c:33 #: src/rsbac_useradd.c:72 src/rsbac_userdel.c:34 src/rsbac_usermod.c:49 #: src/rsbac_usershow.c:45 #, c-format msgid "" " -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n" msgstr "" #: src/acl_mask.c:59 #, c-format msgid " also request groups R (read requests), RW (read-write),\n" msgstr "" #: src/acl_mask.c:63 #, c-format msgid " target-type = FILE, DIR, FIFO, SYMLINK, DEV, SCD, NETDEV,\n" msgstr "" #: src/acl_mask.c:218 src/acl_mask.c:223 src/acl_tlist.c:211 #: src/acl_tlist.c:216 #, c-format msgid "# Processing %s '%s'\n" msgstr "" #: src/acl_mask.c:504 src/attr_set_process.c:182 src/attr_set_user.c:200 #, c-format msgid "%s: Invalid mask vector %s\n" msgstr "" #: src/acl_mask.c:704 #, c-format msgid "Set mask: %s\n" msgstr "" #: src/acl_mask.c:720 #, c-format msgid "# Get mask.\n" msgstr "" #: src/acl_mask.c:724 #, c-format msgid "" "\n" "# %s: %i targets\n" "\n" msgstr "" #: src/acl_mask.c:731 src/acl_tlist.c:514 src/attr_back_user.c:398 #, c-format msgid "# %s: processing all users\n" msgstr "" #: src/acl_mask.c:743 src/acl_mask.c:774 src/acl_tlist.c:520 #: src/acl_tlist.c:549 src/attr_back_dev.c:340 src/attr_back_dev.c:369 #: src/attr_back_group.c:237 src/attr_back_group.c:266 src/attr_back_net.c:383 #: src/attr_back_net.c:444 src/attr_back_user.c:407 src/attr_back_user.c:436 #, c-format msgid "# %s: %i targets\n" msgstr "" #: src/acl_mask.c:768 src/acl_tlist.c:543 #, c-format msgid "# 
%s: processing all devices\n" msgstr "" #: src/acl_rights.c:47 #, c-format msgid "Use: %s [switches] target-type file/dirname(s)\n" msgstr "" #: src/acl_rights.c:49 #, c-format msgid " -p = print right names, -d = give direct, not effective rights\n" msgstr "" #: src/acl_rights.c:50 #, c-format msgid " -n = list valid SCD names, -s = scripting mode\n" msgstr "" #: src/acl_rights.c:51 #, c-format msgid " -D = numeric device specification ({b|c}major[:minor])\n" msgstr "" #: src/acl_rights.c:52 #, c-format msgid " -R = list valid right names [for target-type]\n" msgstr "" #: src/acl_rights.c:54 #, c-format msgid " -u user = print rights for given user, not caller\n" msgstr "" #: src/acl_rights.c:55 #, c-format msgid " -g group = print rights for given group, not caller\n" msgstr "" #: src/acl_rights.c:56 #, c-format msgid " -l role = print rights for given role, not caller\n" msgstr "" #: src/acl_rights.c:57 #, c-format msgid "" " target-type = FILE, DIR, FIFO, SYMLINK, DEV, IPC, SCD, USER, GROUP, " "PROCESS,\n" msgstr "" #: src/acl_rights.c:58 #, c-format msgid " NETDEV, NETTEMP_NT, NETTEMP, NETOBJ or FD\n" msgstr "" #: src/acl_rights.c:60 #, c-format msgid " (IPC, PROCESS: only :DEFAULT:\n" msgstr "" #: src/acl_rights.c:420 #, c-format msgid "%s: invalid target type %s for switch N\n" msgstr "" #: src/acl_rights.c:435 #, c-format msgid "%s: no user for switch u\n" msgstr "" #: src/acl_rights.c:443 src/acl_rights.c:506 #, c-format msgid "Invalid user %s!\n" msgstr "" #: src/acl_rights.c:450 #, c-format msgid "%s: User %u\n" msgstr "" #: src/acl_rights.c:457 #, c-format msgid "%s: no group for switch g\n" msgstr "" #: src/acl_rights.c:463 src/acl_rights.c:530 #, c-format msgid "%s: Group %u\n" msgstr "" #: src/acl_rights.c:470 #, c-format msgid "%s: no role for switch l\n" msgstr "" #: src/acl_rights.c:476 src/acl_rights.c:547 #, c-format msgid "%s: Role %u\n" msgstr "" #: src/acl_rights.c:498 #, c-format msgid "%s: no user for switch -USER\n" msgstr "" #: 
src/acl_rights.c:524 #, c-format msgid "%s: no group for switch -GROUP\n" msgstr "" #: src/acl_rights.c:541 #, c-format msgid "%s: no role for switch -ROLE\n" msgstr "" #: src/acl_rights.c:555 #, c-format msgid "%s: unknown parameter %s\n" msgstr "" #: src/acl_rights.c:575 src/acl_rights.c:592 src/attr_get_fd.c:275 #: src/attr_get_net.c:344 src/attr_get_up.c:142 src/attr_rm_fd.c:155 #: src/attr_set_net.c:396 src/attr_set_net.c:406 src/attr_set_up.c:151 #: src/rc_get_eff_rights_fd.c:186 src/rc_get_eff_rights_fd.c:201 #, c-format msgid "" "%s: %i targets\n" "\n" msgstr "" #: src/acl_rights.c:576 src/acl_tlist.c:570 src/rc_get_eff_rights_fd.c:187 #, c-format msgid "%s: No target type given, assuming FD\n" msgstr "" #: src/acl_rm_user.c:27 #, c-format msgid "" "Remove all groups and memberships of a user\n" "\n" msgstr "" #: src/acl_rm_user.c:28 #, c-format msgid "Use: %s [flags] user\n" msgstr "" #: src/acl_rm_user.c:29 #, c-format msgid " -y: remove without asking\n" msgstr "" #: src/acl_rm_user.c:103 #, c-format msgid "Remove all groups and memberships of user %u '%s' [y/n]\n" msgstr "" #: src/acl_tlist.c:50 #, c-format msgid "Use: %s [switches] target-type file/dir/scdname(s)\n" msgstr "" #: src/acl_tlist.c:52 #, c-format msgid " -p = print right names, -b = backup mode\n" msgstr "" #: src/acl_tlist.c:54 #, c-format msgid " -D = process all existing device acls,\n" msgstr "" #: src/acl_tlist.c:55 #, c-format msgid " -a = process all users,\n" msgstr "" #: src/acl_tlist.c:56 #, c-format msgid " -n = list valid SCD names,\n" msgstr "" #: src/acl_tlist.c:57 #, c-format msgid " -s = scripting mode,\n" msgstr "" #: src/acl_tlist.c:352 src/acl_tlist.c:356 #, c-format msgid "%s: %i entries\n" msgstr "" #: src/acl_tlist.c:569 src/acl_tlist.c:586 #, c-format msgid "" "# %s: %i targets\n" "\n" msgstr "" #: src/attr_back_dev.c:52 #, c-format msgid "Use: %s [-v] [-o target-file] file/dirname(s)\n" msgstr "" #: src/attr_back_dev.c:53 #, c-format msgid "- should be called by 
root with all rsbac modules switched off,\n" msgstr "" #: src/attr_back_dev.c:54 src/attr_back_fd.c:76 src/auth_back_cap.c:44 #: src/mac_back_trusted.c:42 src/mac_back_trusted.c:236 #, c-format msgid " -r = recurse in subdirs, -v = verbose, no symlinks followed,\n" msgstr "" #: src/attr_back_dev.c:55 src/attr_back_group.c:51 src/auth_back_cap.c:45 #, c-format msgid " -T file = read file/dirname list from file (- for stdin),\n" msgstr "" #: src/attr_back_dev.c:56 src/attr_back_fd.c:81 src/attr_back_group.c:53 #: src/attr_back_user.c:77 #, c-format msgid " -o target-file = write to file, not stdout,\n" msgstr "" #: src/attr_back_dev.c:57 #, c-format msgid " -b = backup all device entries known to RSBAC,\n" msgstr "" #: src/attr_back_dev.c:58 src/attr_back_group.c:54 src/attr_back_net.c:63 #: src/attr_back_user.c:78 #, c-format msgid " -A = list attributes and values,\n" msgstr "" #: src/attr_back_dev.c:74 #, c-format msgid "# Processing DEV '%s'\n" msgstr "" #: src/attr_back_dev.c:271 src/attr_back_fd.c:352 src/attr_back_net.c:268 #: src/attr_back_user.c:294 src/mac_back_trusted.c:179 #, c-format msgid "%s: missing filename for parameter o\n" msgstr "" #: src/attr_back_dev.c:281 src/attr_back_group.c:161 src/attr_back_group.c:171 #: src/attr_back_net.c:278 src/attr_back_user.c:304 src/auth_back_cap.c:445 #: src/auth_back_cap.c:455 #, c-format msgid "%s: missing filename for parameter %c\n" msgstr "" #: src/attr_back_dev.c:285 #, c-format msgid "Attributes and values in backup = see following list:\n" msgstr "" #: src/attr_back_dev.c:328 src/attr_back_fd.c:420 src/attr_back_group.c:217 #: src/attr_back_net.c:335 src/attr_back_user.c:350 src/auth_back_cap.c:487 #: src/mac_back_trusted.c:211 #, c-format msgid "opening target file returned error: %s\n" msgstr "" #: src/attr_back_dev.c:362 src/attr_back_fd.c:432 src/attr_back_group.c:259 #: src/attr_back_net.c:376 src/attr_back_net.c:437 src/attr_back_user.c:429 #: src/auth_back_cap.c:497 #, c-format msgid "opening target 
list file returned error: %s\n" msgstr "" #: src/attr_back_dev.c:371 src/attr_back_group.c:268 src/attr_back_net.c:385 #: src/attr_back_net.c:446 src/attr_back_user.c:438 #, c-format msgid "# - plus targets from file %s\n" msgstr "" #: src/attr_back_fd.c:74 #, c-format msgid "Use: %s [options] file/dirname(s)\n" msgstr "" #: src/attr_back_fd.c:75 #, c-format msgid "" "- should be called by user with full attribute read access,\n" " e.g. root with all modules off\n" msgstr "" #: src/attr_back_fd.c:77 #, c-format msgid " -s = ignore daz_scanned,\n" msgstr "" #: src/attr_back_fd.c:78 #, c-format msgid " -T file = read target list from file (- for stdin),\n" msgstr "" #: src/attr_back_fd.c:79 #, c-format msgid " -i = use MAC non-inherit values as default values,\n" msgstr "" #: src/attr_back_fd.c:80 #, c-format msgid " -P flags = use these PaX flags as default, preset is PeMRxS,\n" msgstr "" #: src/attr_back_fd.c:82 #, c-format msgid " -a = list attributes and values,\n" msgstr "" #: src/attr_back_fd.c:96 #, c-format msgid "# Processing FD '%s'\n" msgstr "" #: src/attr_back_fd.c:362 #, c-format msgid "%s: missing filename for parameter T\n" msgstr "" #: src/attr_back_fd.c:365 src/attr_back_net.c:284 #, c-format msgid "attributes and values in backup = see following list:\n" msgstr "" #: src/attr_back_fd.c:385 #, c-format msgid "%s: missing PaX flags for parameter %c\n" msgstr "" #: src/attr_back_fd.c:439 #, c-format msgid "# %s: %i targets" msgstr "" #: src/attr_back_fd.c:441 src/auth_back_cap.c:506 src/mac_back_trusted.c:218 #, c-format msgid " - recursing" msgstr "" #: src/attr_back_fd.c:443 src/auth_back_cap.c:508 #, c-format msgid " - plus targets from file %s" msgstr "" #: src/attr_back_group.c:49 #, c-format msgid "Use: %s [flags] [groupname(s)]\n" msgstr "" #: src/attr_back_group.c:50 #, c-format msgid " -a = process all groups, -v = verbose,\n" msgstr "" #: src/attr_back_group.c:52 #, c-format msgid " -n = show numeric gid not groupname,\n" msgstr "" #: 
src/attr_back_group.c:69 #, c-format msgid "# Processing group %s\n" msgstr "" #: src/attr_back_group.c:71 #, c-format msgid "# Processing group %u\n" msgstr "" #: src/attr_back_group.c:174 src/attr_back_user.c:307 #, c-format msgid "- attributes and values in backup = see following list:\n" msgstr "" #: src/attr_back_group.c:228 #, c-format msgid "# %s: processing all groups\n" msgstr "" #: src/attr_back_net.c:60 #, c-format msgid "Use: %s [options] target name(s)/number(s)\n" msgstr "" #: src/attr_back_net.c:61 #, c-format msgid "" " should be called by user with full attribute read access,\n" "- e.g. with all modules off\n" msgstr "" #: src/attr_back_net.c:62 #, c-format msgid " -a = backup all objects, -v = verbose, no symlinks followed,\n" msgstr "" #: src/attr_back_net.c:65 #, c-format msgid " valid targets: NETDEV, NETTEMP\n" msgstr "" #: src/attr_back_net.c:77 #, c-format msgid "# Processing NETDEV '%s'\n" msgstr "" #: src/attr_back_net.c:147 #, c-format msgid "# Processing NETTEMP %u\n" msgstr "" #: src/attr_back_net.c:346 #, c-format msgid "invalid target %s\n" msgstr "" #: src/attr_back_user.c:74 #, c-format msgid "Use: %s [flags] [username(s)]\n" msgstr "" #: src/attr_back_user.c:75 #, c-format msgid " -a = process all users, -v = verbose,\n" msgstr "" #: src/attr_back_user.c:76 #, c-format msgid " -n = show numeric uid not username,\n" msgstr "" #: src/attr_back_user.c:93 #, c-format msgid "# Processing user %s\n" msgstr "" #: src/attr_back_user.c:95 #, c-format msgid "# Processing user %u\n" msgstr "" #: src/attr_get_fd.c:40 #, c-format msgid "Use: %s [switches] module target-type attribute file/dirname(s)\n" msgstr "" #: src/attr_get_fd.c:41 src/attr_get_net.c:44 #, c-format msgid " -v = verbose, -e = show effective (maybe inherited) value, not real\n" msgstr "" #: src/attr_get_fd.c:42 src/attr_set_net.c:44 #, c-format msgid " -r = recurse into subdirs, -n = list all requests\n" msgstr "" #: src/attr_get_fd.c:43 src/attr_get_file_dir.c:38 
src/attr_get_group.c:33 #: src/attr_get_net.c:46 src/attr_get_process.c:34 src/attr_get_up.c:28 #: src/attr_get_user.c:35 src/attr_set_net.c:45 #, c-format msgid " -a = list attributes and values\n" msgstr "" #: src/attr_get_fd.c:45 src/attr_get_group.c:35 src/attr_get_up.c:30 #: src/attr_get_user.c:37 src/attr_set_fd.c:46 src/attr_set_process.c:35 #: src/attr_set_up.c:28 #, c-format msgid " module = GEN, MAC, FC, SIM, PM, MS, FF, RC or AUTH\n" msgstr "" #: src/attr_get_fd.c:46 src/attr_rm_fd.c:41 src/attr_set_fd.c:47 #: src/rc_get_eff_rights_fd.c:43 #, c-format msgid " target-type = FILE, DIR, FIFO, SYMLINK, DEV or FD\n" msgstr "" #: src/attr_get_fd.c:47 #, c-format msgid " (FD: let %s decide between FILE, DIR, FIFO and SYMLINK, no DEV)\n" msgstr "" #: src/attr_get_fd.c:57 src/attr_get_net.c:89 src/attr_set_net.c:191 #, c-format msgid "Processing %s '%s', attribute %s\n" msgstr "" #: src/attr_get_fd.c:69 #, c-format msgid "%s: %s\n" msgstr "" #: src/attr_get_fd.c:77 src/attr_get_fd.c:81 src/attr_get_fd.c:107 #: src/attr_get_fd.c:121 src/attr_get_net.c:113 src/attr_get_net.c:124 #, c-format msgid "%s: Returned value: %s\n" msgstr "" #: src/attr_get_fd.c:85 src/attr_get_fd.c:101 src/attr_get_fd.c:116 #: src/attr_get_net.c:106 src/attr_get_net.c:149 src/attr_get_net.c:162 #, c-format msgid "%s: Returned value: %u\n" msgstr "" #: src/attr_get_fd.c:125 src/attr_get_net.c:170 #, c-format msgid "%s: Returned value: %i\n" msgstr "" #: src/attr_get_fd.c:222 src/attr_get_net.c:282 src/attr_set_net.c:259 #, c-format msgid "- attribute (string) and returned value = see following lists:\n" msgstr "" #: src/attr_get_fd.c:223 src/attr_get_file_dir.c:167 src/attr_set_fd.c:164 #: src/attr_set_file_dir.c:122 #, c-format msgid "- FILE, DIR, FIFO and SYMLINK:\n" msgstr "" #: src/attr_get_fd.c:280 #, c-format msgid "%s: invalid target type %s\n" msgstr "" #: src/attr_get_file_dir.c:30 #, c-format msgid "Use: %s module target-type file/dirname attribute [request]\n" msgstr "" #: 
src/attr_get_file_dir.c:31 #, c-format msgid "Use: %s module target-type file/dirname attribute [position]\n" msgstr "" #: src/attr_get_file_dir.c:32 #, c-format msgid "Use: %s list_category_nr\n" msgstr "" #: src/attr_get_file_dir.c:33 src/attr_get_user.c:31 #, c-format msgid " -e = show effective (maybe inherited) value, not real\n" msgstr "" #: src/attr_get_file_dir.c:35 #, c-format msgid " -p = print requests, -n [target] = list all requests [for target]\n" msgstr "" #: src/attr_get_file_dir.c:36 src/attr_get_user.c:34 #, c-format msgid " -c list all Linux capabilities, -R = list all RES resource names\n" msgstr "" #: src/attr_get_file_dir.c:37 #, c-format msgid "" " -C path = convert path to device special file to device specification\n" msgstr "" #: src/attr_get_file_dir.c:40 #, c-format msgid " module = GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH, RES or PAX\n" msgstr "" #: src/attr_get_file_dir.c:41 src/attr_rm_file_dir.c:31 #, c-format msgid " target-type = FILE, DIR, FIFO, SYMLINK or DEV\n" msgstr "" #: src/attr_get_file_dir.c:166 src/attr_get_group.c:167 #: src/attr_get_process.c:97 src/attr_get_up.c:89 src/attr_get_user.c:189 #: src/attr_set_group.c:109 src/attr_set_user.c:109 #, c-format msgid "- attribute (string) and returned value = see following list:\n" msgstr "" #: src/attr_get_file_dir.c:168 src/attr_get_file_dir.c:179 #, c-format msgid "" "log_level\t\t(additional parameter request-type)\n" "\t\t\t0=none, 1=denied, 2=full, 3=request based\n" msgstr "" #: src/attr_get_file_dir.c:169 src/attr_get_file_dir.c:180 #, c-format msgid "" "mac_categories\t\t(with additional parameter position)\n" "\t\t\t0=no, 1=yes\n" msgstr "" #: src/attr_get_file_dir.c:177 src/attr_get_user.c:197 #: src/attr_set_file_dir.c:130 #, c-format msgid "" "[RES ] res_min|res_max (with additional parameter position)\n" "\tnon-negative integer (0 for unset)\n" msgstr "" #: src/attr_get_file_dir.c:220 #, c-format msgid "%s: %s is no device special file\n" msgstr "" #: 
src/attr_get_file_dir.c:227 #, c-format msgid "%s: missing path for parameter %c\n" msgstr "" #: src/attr_get_file_dir.c:370 src/attr_get_file_dir.c:430 #: src/attr_set_file_dir.c:739 #, c-format msgid "Invalid request type %s\n" msgstr "" #: src/attr_get_file_dir.c:406 src/attr_get_file_dir.c:466 #: src/attr_get_ipc.c:128 src/attr_get_process.c:262 src/attr_get_user.c:386 #: src/attr_get_user.c:418 src/attr_set_file_dir.c:813 #: src/attr_set_file_dir.c:861 src/attr_set_ipc.c:122 #: src/attr_set_process.c:399 src/attr_set_user.c:600 src/attr_set_user.c:633 #, c-format msgid "Invalid position counter %s\n" msgstr "" #: src/attr_get_file_dir.c:431 src/attr_set_file_dir.c:740 #, c-format msgid "Valid request types:\n" msgstr "" #: src/attr_get_group.c:30 #, c-format msgid "" "Use: %s [switches] module group attribute [position|request-name]\n" "\n" msgstr "" #: src/attr_get_group.c:31 src/attr_get_user.c:32 #, c-format msgid " -n = numeric value, -b = both names and numbers,\n" msgstr "" #: src/attr_get_group.c:32 src/attr_get_user.c:33 #, c-format msgid " -l list all users, -L list all Linux groups\n" msgstr "" #: src/attr_get_group.c:232 src/attr_get_ipc.c:151 src/attr_get_process.c:145 #: src/attr_get_process.c:255 src/attr_get_up.c:153 src/attr_get_user.c:282 #: src/attr_set_group.c:177 src/attr_set_ipc.c:158 src/attr_set_process.c:323 #: src/attr_set_process.c:392 src/attr_set_user.c:448 #, c-format msgid "%s: Invalid Attribute %s!\n" msgstr "" #: src/attr_get_ipc.c:32 #, c-format msgid "Use: %s [flags] ipc-type id attribute\n" msgstr "" #: src/attr_get_ipc.c:35 #, c-format msgid " ipc-types: sem, msg, shm, anonpipe,\n" msgstr "" #: src/attr_get_ipc.c:36 #, c-format msgid " attribute (string) and returned value = see following list:\n" msgstr "" #: src/attr_get_ipc.c:118 src/attr_get_ipc.c:142 src/attr_set_ipc.c:149 #, c-format msgid "%s: Invalid IPC type %s!\n" msgstr "" #: src/attr_get_net.c:43 #, c-format msgid "" "Use: %s [-v] [-e] module target-type 
attribute [CAT category] [request] id" "(s)\n" msgstr "" #: src/attr_get_net.c:45 #, c-format msgid "" " -r = recurse into subdirs, -n [target] = list all requests [for target]\n" msgstr "" #: src/attr_get_net.c:47 #, c-format msgid " -d = list NETDEV targets with non-default attribute values\n" msgstr "" #: src/attr_get_net.c:49 src/attr_set_net.c:48 #, c-format msgid " module = GEN, MAC, FC, SIM, PM, MS or RC\n" msgstr "" #: src/attr_get_net.c:50 src/attr_set_net.c:49 #, c-format msgid " target-type = NETDEV, NETTEMP or NETOBJ\n" msgstr "" #: src/attr_get_net.c:51 src/attr_set_net.c:50 #, c-format msgid " category = category number for mac_categories\n" msgstr "" #: src/attr_get_net.c:52 src/attr_set_net.c:51 #, c-format msgid " request = request number for log_array_low|high\n" msgstr "" #: src/attr_get_net.c:84 src/attr_set_net.c:76 #, c-format msgid "Internal error on %s %s!\n" msgstr "" #: src/attr_get_net.c:353 src/attr_set_net.c:342 #, c-format msgid "%s: invalid target %s\n" msgstr "" #: src/attr_get_process.c:32 #, c-format msgid "Use: %s [switches] module pid attribute [bit-no]\n" msgstr "" #: src/attr_get_process.c:33 #, c-format msgid " -p = print all request names, -n = list all request names\n" msgstr "" #: src/attr_get_process.c:36 #, c-format msgid " module = GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH or PAX\n" msgstr "" #: src/attr_get_process.c:37 #, c-format msgid "" " categories and log_program_based\t(with additional parameter bit-no)\n" "\t\t\t0=no, 1=yes\n" msgstr "" #: src/attr_get_up.c:27 #, c-format msgid "" "Use: %s [switches] module target-type attribute user(s)/proc-no.\n" "\n" msgstr "" #: src/attr_get_up.c:31 #, c-format msgid " target-type = USER or PROCESS,\n" msgstr "" #: src/attr_get_up.c:147 src/attr_set_up.c:156 src/auth_set_cap.c:199 #: src/auth_set_cap.c:269 src/mac_set_trusted.c:175 src/mac_set_trusted.c:224 #, c-format msgid "%s: Invalid Target %s!\n" msgstr "" #: src/attr_get_up.c:162 #, c-format msgid "Processing process %i, 
attribute %s (No. %i)\n" msgstr "" #: src/attr_get_up.c:171 #, c-format msgid "" "Invalid user %s!\n" "\n" msgstr "" #: src/attr_get_up.c:174 #, c-format msgid "Processing user %s (uid %i), attribute %s (No. %i)\n" msgstr "" #: src/attr_get_up.c:206 #, c-format msgid "Returned value: %u\n" msgstr "" #: src/attr_get_up.c:209 #, c-format msgid "Returned value: %i\n" msgstr "" #: src/attr_get_user.c:30 #, c-format msgid "" "Use: %s [switches] module user attribute [position|request-name]\n" "\n" msgstr "" #: src/attr_get_user.c:38 #, c-format msgid "" " mac_[min_]categories\t\t(with additional parameter position)\n" "\t\t\t0=no, 1=yes\n" msgstr "" #: src/attr_get_user.c:39 #, c-format msgid "" " log_user_based\t(with additional parameter request-name)\n" "\t\t\t0=no, 1=yes\n" msgstr "" #: src/attr_get_user.c:399 #, c-format msgid "Invalid request %s\n" msgstr "" #: src/attr_rm_fd.c:38 #, c-format msgid "Use: %s [-v] [-r] target-type file/dirname(s)\n" msgstr "" #: src/attr_rm_fd.c:42 src/attr_set_fd.c:48 src/rc_get_eff_rights_fd.c:44 #, c-format msgid " (FD: let %s decide between FILE, DIR, FIFO and SYMLINK, no DEV),\n" msgstr "" #: src/attr_rm_fd.c:52 #, c-format msgid "Processing '%s'\n" msgstr "" #: src/attr_rm_file_dir.c:28 #, c-format msgid "Use: %s [flags] target-type file/dirname\n" msgstr "" #: src/attr_rm_group.c:27 #, c-format msgid "" "Use: %s [flags] group(s)\n" "\n" msgstr "" #: src/attr_rm_group.c:83 #, c-format msgid "" "%s: %i groups\n" "\n" msgstr "" #: src/attr_rm_group.c:88 #, c-format msgid "" "Invalid Group %s!\n" "\n" msgstr "" #: src/attr_rm_group.c:91 #, c-format msgid "Processing group %s (gid %i)\n" msgstr "" #: src/attr_rm_user.c:27 #, c-format msgid "" "Use: %s [flags] user(s)\n" "\n" msgstr "" #: src/attr_rm_user.c:83 #, c-format msgid "" "%s: %i users\n" "\n" msgstr "" #: src/attr_rm_user.c:88 #, c-format msgid "" "Invalid User %s!\n" "\n" msgstr "" #: src/attr_rm_user.c:91 #, c-format msgid "Processing user %s (uid %i)\n" msgstr "" #: 
src/attr_set_fd.c:40 #, c-format msgid "Use: %s [-v] [-r] module target-type attribute value file/dirname(s)\n" msgstr "" #: src/attr_set_fd.c:42 #, c-format msgid " -n = list all requests\n" msgstr "" #: src/attr_set_fd.c:43 src/attr_set_file_dir.c:33 src/attr_set_group.c:31 #: src/attr_set_process.c:33 src/attr_set_user.c:31 #, c-format msgid " -A = list attributes and values\n" msgstr "" #: src/attr_set_fd.c:59 #, c-format msgid "Processing %s '%s', attribute %s, value %i\n" msgstr "" #: src/attr_set_fd.c:163 src/attr_set_file_dir.c:119 #: src/attr_set_process.c:108 src/attr_set_up.c:88 #, c-format msgid "- attribute (string) and value (integer) = see following list:\n" msgstr "" #: src/attr_set_fd.c:245 src/attr_set_file_dir.c:475 src/attr_set_group.c:190 #: src/attr_set_up.c:163 src/attr_set_user.c:461 #, c-format msgid "%s: Invalid attribute %s\n" msgstr "" #: src/attr_set_fd.c:249 #, c-format msgid "%s: Attribute %s not supported\n" msgstr "" #: src/attr_set_fd.c:256 src/attr_set_file_dir.c:486 #: src/attr_set_process.c:333 src/attr_set_up.c:185 src/attr_set_user.c:472 #, c-format msgid "%s: Invalid attribute value, length must be %i\n" msgstr "" #: src/attr_set_fd.c:265 src/attr_set_fd.c:284 src/attr_set_file_dir.c:495 #: src/attr_set_file_dir.c:534 src/attr_set_process.c:342 src/mac_wrap.c:95 #, c-format msgid "%s: Invalid attribute value char, must be 0 or 1\n" msgstr "" #: src/attr_set_file_dir.c:28 #, c-format msgid "Use: %s module target-type file/dirname attribute [request] value\n" msgstr "" #: src/attr_set_file_dir.c:29 #, c-format msgid "Use: %s module target-type file/dirname attribute [position] value\n" msgstr "" #: src/attr_set_file_dir.c:30 #, c-format msgid "" "Use: %s [switches] module target-type filename log_program_based [list-of-" "requests]\n" msgstr "" #: src/attr_set_file_dir.c:31 #, c-format msgid "" " -a = add, not set, -m = remove not set, -p = print resulting requests,\n" msgstr "" #: src/attr_set_file_dir.c:36 #, c-format msgid " 
module = GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH or RES\n" msgstr "" #: src/attr_set_file_dir.c:37 #, c-format msgid " target-type = FILE, DIR, FIFO, SYMLINK or DEV,\n" msgstr "" #: src/attr_set_file_dir.c:120 #, c-format msgid "" "[GEN ] log_level (additional parameter request-type)\n" "\t0=none, 1=denied, 2=full, 3=request-based\n" msgstr "" #: src/attr_set_file_dir.c:121 #, c-format msgid "" "[GEN ] mac_categories (with additional parameter position)\n" "\t0=no, 1=yes\n" msgstr "" #: src/attr_set_file_dir.c:223 #, c-format msgid "%s: Invalid request vector %s\n" msgstr "" #: src/attr_set_file_dir.c:397 src/attr_set_user.c:371 #, c-format msgid "%s: Invalid cap vector %s\n" msgstr "" #: src/attr_set_file_dir.c:479 src/attr_set_up.c:167 src/attr_set_user.c:465 #, c-format msgid "%s: Invalid number of arguments for attribute %s\n" msgstr "" #: src/attr_set_file_dir.c:712 #, c-format msgid "Setting attribute %s for %s to value %lu\n" msgstr "" #: src/attr_set_file_dir.c:755 #, c-format msgid "Invalid log_level value %s\n" msgstr "" #: src/attr_set_file_dir.c:819 src/attr_set_ipc.c:128 src/attr_set_net.c:148 #: src/attr_set_process.c:405 src/attr_set_user.c:606 #, c-format msgid "Invalid value %s\n" msgstr "" #: src/attr_set_group.c:28 src/attr_set_user.c:28 #, c-format msgid "" "Use: %s module user attribute [position] value\n" "\n" msgstr "" #: src/attr_set_group.c:29 src/attr_set_user.c:29 #, c-format msgid "" "Use: %s [switches] module user log_user_based [request-list]\n" "\n" msgstr "" #: src/attr_set_group.c:30 src/attr_set_process.c:32 src/attr_set_user.c:30 #, c-format msgid "" " -p = print resulting requests, -a = add, not set, -m = remove, not set\n" msgstr "" #: src/attr_set_group.c:34 src/attr_set_user.c:34 #, c-format msgid " module = GEN, MAC, FC, SIM, PM, DAZ, FF, RC or AUTH\n" msgstr "" #: src/attr_set_group.c:110 src/attr_set_user.c:110 #, c-format msgid "" "[MAC ] mac_[min_|initial_]categories (with additional parameter position)\n" "\t0=no, 
1=yes\n" msgstr "" #: src/attr_set_group.c:111 src/attr_set_user.c:111 #, c-format msgid "" "[GEN ] log_user_based (with space separated list of requests)\n" "\t0=no, 1=yes\n" msgstr "" #: src/attr_set_ipc.c:32 #, c-format msgid "Use: %s ipc-type id attribute value\n" msgstr "" #: src/attr_set_ipc.c:34 #, c-format msgid "- ipc-types: sem, msg, shm, anonpipe,\n" msgstr "" #: src/attr_set_ipc.c:35 #, c-format msgid "- attribute (string) and value = see following list:\n" msgstr "" #: src/attr_set_net.c:42 #, c-format msgid "Use: %s [-v] [-e] module target-type attribute [request] value id(s)\n" msgstr "" #: src/attr_set_net.c:43 #, c-format msgid " -v = verbose, -m = remove all attributes\n" msgstr "" #: src/attr_set_net.c:116 #, c-format msgid "Wrong argument length for attr mac_categories\n" msgstr "" #: src/attr_set_net.c:142 #, c-format msgid "Invalid request number %u\n" msgstr "" #: src/attr_set_net.c:172 #, c-format msgid "Wrong number of arguments for attr %u\n" msgstr "" #: src/attr_set_net.c:199 #, c-format msgid "error: %s\n" msgstr "" #: src/attr_set_process.c:31 #, c-format msgid "Use: %s module process-id attribute value\n" msgstr "" #: src/attr_set_up.c:27 #, c-format msgid "" "Use: %s [switches] module target-type attribute value user/proc-nr.\n" "\n" msgstr "" #: src/attr_set_up.c:29 #, c-format msgid " target-type = USER or PROCESS\n" msgstr "" #: src/attr_set_up.c:293 #, c-format msgid "Processing process %i, attribute %s (No. %i), value %i\n" msgstr "" #: src/attr_set_up.c:303 #, c-format msgid "Processing user %s (uid %i), attribute %s (No. 
%i), value %i\n" msgstr "" #: src/attr_set_user.c:548 #, c-format msgid "" "User %u: system_role without module, setting for MAC, FC, SIM, DAZ, FF, " "AUTH\n" msgstr "" #: src/auth_back_cap.c:42 #, c-format msgid "Use: %s [-r] [-v] [-o output-file] file/dirname(s)\n" msgstr "" #: src/auth_back_cap.c:43 #, c-format msgid " should be called by root with all rsbac modules switched off,\n" msgstr "" #: src/auth_back_cap.c:46 src/auth_set_cap.c:36 src/mac_back_trusted.c:43 #: src/mac_back_trusted.c:237 #, c-format msgid " -m = set maximum length of cap entry list per file, default is %u\n" msgstr "" #: src/auth_back_cap.c:47 src/mac_back_trusted.c:44 src/mac_back_trusted.c:238 #, c-format msgid " -o target-file = write to file, not stdout\n" msgstr "" #: src/auth_back_cap.c:60 src/mac_back_trusted.c:56 #, c-format msgid "Processing FILE/DIR '%s'\n" msgstr "" #: src/auth_back_cap.c:432 src/auth_set_cap.c:113 src/mac_back_trusted.c:166 #: src/mac_set_trusted.c:91 #, c-format msgid "%s: missing maxnum value for parameter %c\n" msgstr "" #: src/auth_back_cap.c:504 src/mac_back_trusted.c:216 #, c-format msgid "%s: %i targets" msgstr "" #: src/auth_set_cap.c:31 #, c-format msgid "Use: %s [switches] TYPE add/remove target first_user [last_user]\n" msgstr "" #: src/auth_set_cap.c:32 src/mac_set_trusted.c:32 #, c-format msgid "Use: %s [switches] TYPE get target\n" msgstr "" #: src/auth_set_cap.c:33 src/mac_set_trusted.c:33 #, c-format msgid " TYPE = PROCESS (add/remove only), DIR, FILE or FD (auto-select),\n" msgstr "" #: src/auth_set_cap.c:34 src/mac_set_trusted.c:34 #, c-format msgid " target = pid or filename\n" msgstr "" #: src/auth_set_cap.c:35 #, c-format msgid " last_user: range from first_user to last_user\n" msgstr "" #: src/auth_set_cap.c:37 #, c-format msgid " -e = get or set caps for effective uids, not real\n" msgstr "" #: src/auth_set_cap.c:38 #, c-format msgid " -f = get or set caps for filesystem uids, not real\n" msgstr "" #: src/auth_set_cap.c:39 #, c-format 
msgid " -g = get or set caps for gids, not uids\n" msgstr "" #: src/auth_set_cap.c:40 #, c-format msgid " -E = get or set for eff gids, not real uids\n" msgstr "" #: src/auth_set_cap.c:41 #, c-format msgid " -F = get or set for fs gids, not real uids\n" msgstr "" #: src/auth_set_cap.c:42 src/mac_set_trusted.c:36 #, c-format msgid "" " -t = set relative time-to-live for this cap entry in seconds (add only)\n" msgstr "" #: src/auth_set_cap.c:43 src/mac_set_trusted.c:37 #, c-format msgid "" " -T = set absolute time-to-live for this cap entry in seconds (add only)\n" msgstr "" #: src/auth_set_cap.c:44 src/mac_set_trusted.c:38 #, c-format msgid " -D = set relative time-to-live for this cap entry in days (add only)\n" msgstr "" #: src/auth_set_cap.c:207 src/auth_set_cap.c:274 src/mac_set_trusted.c:183 #: src/mac_set_trusted.c:229 #, c-format msgid "" "%s: Invalid command %s!\n" "\n" msgstr "" #: src/auth_set_cap.c:228 #, c-format msgid "" "%s: Warning: first user %u after last user %u, exiting!\n" "\n" msgstr "" #: src/auth_set_cap.c:234 #, c-format msgid "" "%s: Warning: last user %u is special user ID, exiting!\n" "\n" msgstr "" #: src/get_attribute_name.c:36 #, c-format msgid "Use: %s value\n" msgstr "" #: src/get_attribute_name.c:37 #, c-format msgid "" "value = attribute number\n" "\n" msgstr "" #: src/get_attribute_nr.c:32 #, c-format msgid "Use: %s attribute_name\n" msgstr "" #: src/linux2acl.c:61 #, c-format msgid "Use: %s [switches] file/dir/scdname(s)\n" msgstr "" #: src/linux2acl.c:62 #, c-format msgid " -v = use verbose in scripts, -r = recurse into subdirs,\n" msgstr "" #: src/linux2acl.c:63 #, c-format msgid " -g = also create group entries with members,\n" msgstr "" #: src/linux2acl.c:64 #, c-format msgid " -G = only create group entries with members,\n" msgstr "" #: src/linux2acl.c:65 #, c-format msgid " -p = print right names, -P use private groups\n" msgstr "" #: src/linux2acl.c:66 #, c-format msgid " -n = use numeric user ids where possible\n" msgstr 
"" #: src/linux2acl.c:87 #, c-format msgid "stat for %s returned error: %s\n" msgstr "" #: src/linux2acl.c:729 #, c-format msgid "internal error in switch\n" msgstr "" #: src/mac_back_trusted.c:41 src/mac_back_trusted.c:235 #, c-format msgid "Use: %s [-r] [-v] [-o target-file] file/dirname(s)\n" msgstr "" #: src/mac_get_levels.c:28 #, c-format msgid "Use: %s [-v] [-c] [-x] [-n] [-a]\n" msgstr "" #: src/mac_get_levels.c:29 #, c-format msgid "This program will show the RSBAC MAC security levels\n" msgstr "" #: src/mac_get_levels.c:30 #, c-format msgid "and category sets of the calling process.\n" msgstr "" #: src/mac_get_levels.c:31 #, c-format msgid "-a = show all, -c = show current level and categories\n" msgstr "" #: src/mac_get_levels.c:32 #, c-format msgid "-x = show max, -n = show min level and categories\n" msgstr "" #: src/mac_get_levels.c:94 #, c-format msgid "" "Current level: %u\n" "categories: %s\n" msgstr "" #: src/mac_get_levels.c:102 #, c-format msgid "" "Max level: %u\n" "categories: %s\n" msgstr "" #: src/mac_get_levels.c:110 #, c-format msgid "" "Min level: %u\n" "categories: %s\n" msgstr "" #: src/mac_set_trusted.c:31 #, c-format msgid "Use: %s [switches] TYPE add/remove target user1 user2...\n" msgstr "" #: src/mac_set_trusted.c:35 #, c-format msgid " -m = set maximum number of returned members per file, default is %u\n" msgstr "" #: src/mac_wrap.c:27 #, c-format msgid "Use: %s [-v] [-l level] [-c categories] prog args\n" msgstr "" #: src/mac_wrap.c:28 #, c-format msgid "" "This program will set the current seclevel and categories, if supplied,\n" msgstr "" #: src/mac_wrap.c:29 #, c-format msgid "and then execute prog via execvp().\n" msgstr "" #: src/mac_wrap.c:30 #, c-format msgid "Please note that you need mac_auto to set the current values.\n" msgstr "" #: src/mac_wrap.c:31 #, c-format msgid "-v = verbose, -l = use this seclevel, -c = use this category set\n" msgstr "" #: src/mac_wrap.c:67 src/mac_wrap.c:106 #, c-format msgid "%s: missing 
value for parameter %c\n" msgstr "" #: src/mac_wrap.c:74 #, c-format msgid "%s: Invalid category string length %i, must be %i\n" msgstr "" #: src/mac_wrap.c:81 #, c-format msgid "%s: Using numeric value %lu instead\n" msgstr "" #: src/mac_wrap.c:125 #, c-format msgid "%s: executing %s with current_sec_level %u and mac_curr_categories %s\n" msgstr "" #: src/net_temp.c:41 #, c-format msgid "Use: %s [switches] function id [set-param]\n" msgstr "" #: src/net_temp.c:44 #, c-format msgid " -v = verbose, -l = list functions\n" msgstr "" #: src/net_temp.c:45 #, c-format msgid " -b = backup mode, -s = scripting mode,\n" msgstr "" #: src/net_temp.c:46 #, c-format msgid " -n = take number as address, -u = take string as address,\n" msgstr "" #: src/net_temp.c:47 #, c-format msgid " -d = take DNS name as address and convert to IP address,\n" msgstr "" #: src/net_temp.c:48 #, c-format msgid " -a = list all templates in detail\n" msgstr "" #: src/pm_create.c:25 #, c-format msgid "" "Use: %s class mode filename(s)\n" "\n" msgstr "" #: src/pm_create.c:40 #, c-format msgid "" "%s: %i files of class %i, mode %o to be created\n" "\n" msgstr "" #: src/pm_create.c:44 #, c-format msgid "Processing %s (No. 
%i)\n" msgstr "" #: src/pm_ct_exec.c:32 #, c-format msgid "%s: executing %s with task %i\n" msgstr "" #: src/pm_ct_exec.c:41 #, c-format msgid "Use: %s task-nr prog args\n" msgstr "" #: src/pm_ct_exec.c:42 #, c-format msgid "This program will set rsbac_pm_current_task to task-nr and then\n" msgstr "" #: src/pm_ct_exec.c:43 src/rc_role_wrap.c:30 #, c-format msgid "execute prog via execvp()\n" msgstr "" #: src/rc_copy_role.c:27 #, c-format msgid "Use: %s [flags] from_role to_role\n" msgstr "" #: src/rc_copy_type.c:27 #, c-format msgid "Use: %s [flags] target from_type to_type\n" msgstr "" #: src/rc_copy_type.c:28 #, c-format msgid " target = FD, DEV, IPC, USER, PROCESS, GROUP, NETDEV, NETTEMP, NETOBJ\n" msgstr "" #: src/rc_get_current_role.c:31 #, c-format msgid "%s: current role is %u\n" msgstr "" #: src/rc_get_eff_rights_fd.c:39 #, c-format msgid "Use: %s [-v] [-r] [-p] target-type file/dirname(s)\n" msgstr "" #: src/rc_get_eff_rights_fd.c:41 #, c-format msgid " -p = print right names,\n" msgstr "" #: src/rc_get_item.c:34 #, c-format msgid "Use: %s [switches] rc-target-type id-nr item [sub-id-nr [right]]\n" msgstr "" #: src/rc_get_item.c:35 #, c-format msgid " %s list_xxx\n" msgstr "" #: src/rc_get_item.c:36 #, c-format msgid " %s list_unused_xxx (_nr only)\n" msgstr "" #: src/rc_get_item.c:37 #, c-format msgid " %s list_def_fd_ind_create_type{s|_nr|_values role-id\n" msgstr "" #: src/rc_get_item.c:38 #, c-format msgid " %s backup\n" msgstr "" #: src/rc_get_item.c:39 #, c-format msgid " %s print\n" msgstr "" #: src/rc_get_item.c:40 src/rc_set_item.c:33 #, c-format msgid " -v = verbose, -p = print right names,\n" msgstr "" #: src/rc_get_item.c:41 #, c-format msgid " -i = list items and values,\n" msgstr "" #: src/rc_get_item.c:42 #, c-format msgid " -r = remove role before restore (backup only)\n" msgstr "" #: src/rc_get_item.c:44 src/rc_set_item.c:44 #, c-format msgid " rc-target-type = ROLE or TYPE,\n" msgstr "" #: src/rc_get_item.c:45 src/rc_set_item.c:45 #, 
c-format msgid " id-nr = ROLE or TYPE number,\n" msgstr "" #: src/rc_get_item.c:46 src/rc_set_item.c:46 #, c-format msgid " item = entry line,\n" msgstr "" #: src/rc_get_item.c:47 #, c-format msgid " sub-id-nr = use this sub-id (_comp items only),\n" msgstr "" #: src/rc_get_item.c:48 #, c-format msgid " right = right name or number (type_comp items only),\n" msgstr "" #: src/rc_get_item.c:49 #, c-format msgid "" " xxx = roles, fd_types, dev_types, ipc_types, user_types, process_types,\n" msgstr "" #: src/rc_get_item.c:50 #, c-format msgid "" " scd_types, group_types, role_nr, fd_type_nr, dev_type_nr, " "ipc_type_nr,\n" msgstr "" #: src/rc_get_item.c:51 #, c-format msgid "" " user_type_nr, process_type_nr, scd_type_nr, rights: print a list\n" msgstr "" #: src/rc_get_item.c:52 #, c-format msgid " list_def_fd_ind_create_types etc.: print a list\n" msgstr "" #: src/rc_get_item.c:231 src/rc_set_item.c:175 #, c-format msgid "- items and returned values = see following list:\n" msgstr "" #: src/rc_get_item.c:309 src/rc_get_item.c:3924 #, c-format msgid "%u roles:\n" msgstr "" #: src/rc_get_item.c:424 src/rc_get_item.c:3824 #, c-format msgid "%u types:\n" msgstr "" #: src/rc_get_item.c:550 #, c-format msgid "%s: Internal right list error, param %s!\n" msgstr "" #: src/rc_get_item.c:3784 #, c-format msgid "Invalid parameter %s\n" msgstr "" #: src/rc_get_item.c:3872 src/rc_get_item.c:4026 src/rc_get_item.c:4148 #: src/rc_set_item.c:248 #, c-format msgid "Invalid target %s\n" msgstr "" #: src/rc_get_item.c:3982 #, c-format msgid "Invalid item %s or too few arguments\n" msgstr "" #: src/rc_get_item.c:4048 #, c-format msgid "Invalid item %s or invalid number of arguments\n" msgstr "" #: src/rc_get_item.c:4057 #, c-format msgid "Invalid subrole %s\n" msgstr "" #: src/rc_get_item.c:4067 #, c-format msgid "Invalid subtype %s\n" msgstr "" #: src/rc_get_item.c:4081 #, c-format msgid "Getting %s for ROLE %u to ROLE %u\n" msgstr "" #: src/rc_get_item.c:4092 #, c-format msgid "Getting 
def_fd_ind_create_type for ROLE %u to TYPE %u\n" msgstr "" #: src/rc_get_item.c:4113 #, c-format msgid "Getting %s rights for ROLE %u to TYPE %u\n" msgstr "" #: src/rc_get_item.c:4166 #, c-format msgid "Invalid item-position combination %s\n" msgstr "" #: src/rc_get_item.c:4174 #, c-format msgid "Invalid comp_type %s\n" msgstr "" #: src/rc_get_item.c:4189 #, c-format msgid "Invalid right %s\n" msgstr "" #: src/rc_role_wrap.c:28 #, c-format msgid "Use: %s [-v] new_role_id prog args\n" msgstr "" #: src/rc_role_wrap.c:29 #, c-format msgid "This program will set the process rc_role to new_role and then\n" msgstr "" #: src/rc_role_wrap.c:31 #, c-format msgid "-v = verbose\n" msgstr "" #: src/rc_role_wrap.c:70 #, c-format msgid "%s: executing %s with role %i\n" msgstr "" #: src/rc_set_item.c:31 #, c-format msgid "" "Use: %s [switches] rc-target-type id item [role/type [list-of-rights]] " "[value]\n" msgstr "" #: src/rc_set_item.c:32 #, c-format msgid " %s -c TYPE target-id item source-id [first_role [last_role]],\n" msgstr "" #: src/rc_set_item.c:34 #, c-format msgid " -a = add, not set, -k = revoke, not set,\n" msgstr "" #: src/rc_set_item.c:35 #, c-format msgid " -b = accept rights as bitstring,\n" msgstr "" #: src/rc_set_item.c:36 #, c-format msgid " -c = copy all/given roles' rights to type from other type,\n" msgstr "" #: src/rc_set_item.c:37 #, c-format msgid " -d = delete all roles' rights to this type,\n" msgstr "" #: src/rc_set_item.c:38 #, c-format msgid " -i = list items and values\n" msgstr "" #: src/rc_set_item.c:39 src/rsbac_groupadd.c:40 src/rsbac_groupmod.c:35 #: src/rsbac_useradd.c:67 src/rsbac_usermod.c:46 #, c-format msgid "" " -t = set relative time-to-live in secs (role/type comp, admin, assign " "only)\n" msgstr "" #: src/rc_set_item.c:40 src/rsbac_groupadd.c:41 src/rsbac_groupmod.c:36 #: src/rsbac_useradd.c:68 src/rsbac_usermod.c:47 #, c-format msgid "" " -T = set absolute time-to-live in secs (role/type comp, admin, assign " "only)\n" msgstr "" #: 
src/rc_set_item.c:41 src/rsbac_groupadd.c:42 src/rsbac_groupmod.c:37 #: src/rsbac_useradd.c:69 src/rsbac_usermod.c:48 #, c-format msgid "" " -D = set relative time-to-live in days (role/type comp, admin, assign " "only)\n" msgstr "" #: src/rc_set_item.c:47 #, c-format msgid " role/type = for this type only (role/type comp, admin, assign only),\n" msgstr "" #: src/rc_set_item.c:48 #, c-format msgid " right = request name or number (type_comp items only),\n" msgstr "" #: src/rc_set_item.c:49 #, c-format msgid " also special rights and groups R (read requests),\n" msgstr "" #: src/rc_set_item.c:50 #, c-format msgid " RW (read-write), SY (system), SE (security), A (all)\n" msgstr "" #: src/rc_set_item.c:254 src/rc_set_item.c:353 src/rc_set_item.c:464 #: src/rc_set_item.c:781 #, c-format msgid "Invalid item %s\n" msgstr "" #: src/rc_set_item.c:271 #, c-format msgid "Too few arguments with option -c\n" msgstr "" #: src/rc_set_item.c:277 #, c-format msgid "Invalid source type %u\n" msgstr "" #: src/rc_set_item.c:285 #, c-format msgid "Invalid first role %u\n" msgstr "" #: src/rc_set_item.c:295 #, c-format msgid "Invalid last role %u\n" msgstr "" #: src/rc_set_item.c:302 src/rc_set_item.c:418 #, c-format msgid "Invalid target type %u\n" msgstr "" #: src/rc_set_item.c:307 #, c-format msgid "Source and target must differ\n" msgstr "" #: src/rc_set_item.c:358 #, c-format msgid "Copying rights vector %s for type %u to type %u in role(s) %u to %u\n" msgstr "" #: src/rc_set_item.c:387 src/rc_set_item.c:496 #, c-format msgid "Changing role %u failed: %s\n" msgstr "" #: src/rc_set_item.c:397 #, c-format msgid "Reading from role %u failed: %s\n" msgstr "" #: src/rc_set_item.c:469 #, c-format msgid "Setting rights vector %s for type %u in all roles to 0\n" msgstr "" #: src/rc_set_item.c:486 #, c-format msgid "%u roles\n" msgstr "" #: src/rc_set_item.c:520 #, c-format msgid "Setting %s of ROLE %i (old bitvector mode)\n" msgstr "" #: src/rc_set_item.c:544 #, c-format msgid "Setting 
for role %u failed: %s\n" msgstr "" #: src/rc_set_item.c:559 #, c-format msgid "Invalid role %u!\n" msgstr "" #: src/rc_set_item.c:569 src/rc_set_item.c:589 src/rc_set_item.c:608 #, c-format msgid "Invalid number of arguments for item %s!\n" msgstr "" #: src/rc_set_item.c:581 src/rc_set_item.c:601 #, c-format msgid "Invalid type %u!\n" msgstr "" #: src/rc_set_item.c:626 #, c-format msgid "parameter comp_type missing\n" msgstr "" #: src/rc_set_item.c:632 #, c-format msgid "invalid subtid.type %s\n" msgstr "" #: src/rc_set_item.c:652 #, c-format msgid "No bitstring given!\n" msgstr "" #: src/rc_set_item.c:820 #, c-format msgid "Adding %s rights for ROLE %u to TYPE %u\n" msgstr "" #: src/rc_set_item.c:830 #, c-format msgid "Revoking %s rights for ROLE %u from TYPE %u\n" msgstr "" #: src/rc_set_item.c:839 #, c-format msgid "Setting %s rights for ROLE %u to TYPE %u\n" msgstr "" #: src/rc_set_item.c:867 #, c-format msgid "parameter name missing\n" msgstr "" #: src/rc_set_item.c:872 #, c-format msgid "Name string too long\n" msgstr "" #: src/rc_set_item.c:881 #, c-format msgid "parameter admin_type missing\n" msgstr "" #: src/rc_set_item.c:892 #, c-format msgid "parameter boot_role missing\n" msgstr "" #: src/rsbac_check.c:42 #, c-format msgid "Use: %s correct check_inode\n" msgstr "" #: src/rsbac_check.c:43 #, c-format msgid " correct = 0: do not correct errors\n" msgstr "" #: src/rsbac_check.c:44 #, c-format msgid " correct = 1: correct errors\n" msgstr "" #: src/rsbac_check.c:45 #, c-format msgid " correct = 2: correct more\n" msgstr "" #: src/rsbac_check.c:46 #, c-format msgid " check_inode = 0: do not check inode numbers\n" msgstr "" #: src/rsbac_check.c:47 #, c-format msgid "" " check_inode = 1: also check inode numbers (only ext2/3 on 2.4 kernels)\n" msgstr "" #: src/rsbac_gpasswd.c:28 #, c-format msgid "Use: %s [flags] group\n" msgstr "" #: src/rsbac_gpasswd.c:29 src/rsbac_groupdel.c:31 src/rsbac_userdel.c:32 #, c-format msgid " -v = verbose,\n" msgstr "" #: 
src/rsbac_gpasswd.c:30 #, c-format msgid " -a user = add user to group,\n" msgstr "" #: src/rsbac_gpasswd.c:31 #, c-format msgid " -d user = remove user from group,\n" msgstr "" #: src/rsbac_gpasswd.c:32 #, c-format msgid " -M user,... = add user(s) to group,\n" msgstr "" #: src/rsbac_gpasswd.c:33 #, c-format msgid " -A user,... = ignored, for compatibility\n" msgstr "" #: src/rsbac_gpasswd.c:34 #, c-format msgid " -r = remove group password,\n" msgstr "" #: src/rsbac_gpasswd.c:35 #, c-format msgid " -R = ignored, for compatibility\n" msgstr "" #: src/rsbac_gpasswd.c:36 #, c-format msgid " -N ta = transaction number (group memberships only)\n" msgstr "" #: src/rsbac_gpasswd.c:37 #, c-format msgid " (default = value of RSBAC_TA, if set, or 0)\n" msgstr "" #: src/rsbac_gpasswd.c:93 src/rsbac_gpasswd.c:103 src/rsbac_gpasswd.c:111 #: src/rsbac_groupadd.c:179 src/rsbac_groupadd.c:193 src/rsbac_groupadd.c:203 #: src/rsbac_groupmod.c:128 src/rsbac_groupmod.c:145 src/rsbac_groupmod.c:155 #: src/rsbac_useradd.c:454 src/rsbac_useradd.c:466 src/rsbac_useradd.c:479 #: src/rsbac_useradd.c:495 src/rsbac_useradd.c:506 src/rsbac_useradd.c:524 #: src/rsbac_useradd.c:534 src/rsbac_useradd.c:544 src/rsbac_useradd.c:554 #: src/rsbac_useradd.c:564 src/rsbac_useradd.c:574 src/rsbac_useradd.c:584 #: src/rsbac_useradd.c:595 src/rsbac_useradd.c:605 src/rsbac_useradd.c:636 #: src/rsbac_usermod.c:157 src/rsbac_usermod.c:167 src/rsbac_usermod.c:178 #: src/rsbac_usermod.c:195 src/rsbac_usermod.c:205 src/rsbac_usermod.c:215 #: src/rsbac_usermod.c:226 src/rsbac_usermod.c:236 src/rsbac_usermod.c:246 #: src/rsbac_usermod.c:257 src/rsbac_usermod.c:268 src/rsbac_usermod.c:279 #: src/rsbac_usermod.c:290 src/rsbac_usermod.c:302 src/rsbac_usermod.c:313 #, c-format msgid "%s: missing argument for parameter %c\n" msgstr "" #: src/rsbac_gpasswd.c:143 src/rsbac_groupdel.c:45 src/rsbac_groupmod.c:232 #: src/rsbac_groupmod.c:239 src/rsbac_groupshow.c:263 src/rsbac_useradd.c:361 #: src/rsbac_useradd.c:378 
src/rsbac_useradd.c:516 #, c-format msgid "%s: Unknown group %s\n" msgstr "" #: src/rsbac_gpasswd.c:173 src/rsbac_gpasswd.c:190 src/rsbac_gpasswd.c:229 #: src/rsbac_gpasswd.c:246 src/rsbac_login.c:102 src/rsbac_passwd.c:81 #: src/rsbac_userdel.c:49 src/rsbac_usermod.c:390 src/rsbac_usermod.c:397 #: src/rsbac_usershow.c:395 #, c-format msgid "%s: Unknown user %s\n" msgstr "" #: src/rsbac_gpasswd.c:269 src/rsbac_passwd.c:141 #, c-format msgid "%s: invalid new password!\n" msgstr "" #: src/rsbac_gpasswd.c:276 src/rsbac_passwd.c:154 #, c-format msgid "%s: invalid repeated new password!\n" msgstr "" #: src/rsbac_gpasswd.c:281 src/rsbac_passwd.c:159 #, c-format msgid "%s: new passwords do not match!\n" msgstr "" #: src/rsbac_groupadd.c:37 src/rsbac_groupmod.c:30 src/rsbac_groupshow.c:37 #, c-format msgid "Use: %s [flags] groupname\n" msgstr "" #: src/rsbac_groupadd.c:38 src/rsbac_groupmod.c:31 src/rsbac_useradd.c:55 #: src/rsbac_usermod.c:36 #, c-format msgid " -p password = password in plaintext,\n" msgstr "" #: src/rsbac_groupadd.c:39 #, c-format msgid " -g gid = gid to use,\n" msgstr "" #: src/rsbac_groupadd.c:43 #, c-format msgid " -o = use values from old group entry,\n" msgstr "" #: src/rsbac_groupadd.c:44 #, c-format msgid " -O = add all existing groups (implies -o)\n" msgstr "" #: src/rsbac_groupdel.c:30 #, c-format msgid "Use: %s [flags] group [group2 ...]\n" msgstr "" #: src/rsbac_groupmod.c:32 src/rsbac_usermod.c:37 #, c-format msgid " -P = disable password,\n" msgstr "" #: src/rsbac_groupmod.c:33 src/rsbac_useradd.c:57 src/rsbac_usermod.c:38 #, c-format msgid " -Q password = encrypted password (from backup),\n" msgstr "" #: src/rsbac_groupmod.c:34 #, c-format msgid " -g name = change groupname,\n" msgstr "" #: src/rsbac_groupshow.c:38 #, c-format msgid " -v = verbose, -a = list all groups\n" msgstr "" #: src/rsbac_groupshow.c:39 src/rsbac_usershow.c:41 #, c-format msgid " -l = short list all groups, -b = backup mode\n" msgstr "" #: src/rsbac_groupshow.c:40 
src/rsbac_usershow.c:42 #, c-format msgid " -p = also show encrypted password\n" msgstr "" #: src/rsbac_groupshow.c:77 #, c-format msgid "%s: Unknown group %u\n" msgstr "" #: src/rsbac_init.c:38 #, c-format msgid "" "Use: %s root_dev\n" "\n" msgstr "" #: src/rsbac_init.c:39 #, c-format msgid "root_dev: root device to initialize from, e.g. /dev/sda1\n" msgstr "" #: src/rsbac_jail.c:29 #, c-format msgid "Use: %s [flags] [-I addr] [-R dir] [-C cap-list] prog args\n" msgstr "" #: src/rsbac_jail.c:30 #, c-format msgid "This program will put the process into a jail with chroot to path,\n" msgstr "" #: src/rsbac_jail.c:31 #, c-format msgid "ip address IP and then execute prog with args\n" msgstr "" #: src/rsbac_jail.c:32 #, c-format msgid "-I addr = limit to IP address,\n" msgstr "" #: src/rsbac_jail.c:33 #, c-format msgid "-R dir = chroot to dir,\n" msgstr "" #: src/rsbac_jail.c:34 #, c-format msgid "-C cap-list = limit Linux capabilities for jailed processes,\n" msgstr "" #: src/rsbac_jail.c:35 #, c-format msgid "" " use bit-vector, numeric value or list names of desired caps,\n" msgstr "" #: src/rsbac_jail.c:36 #, c-format msgid " A = all, FS_MASK = all filesystem related,\n" msgstr "" #: src/rsbac_jail.c:37 #, c-format msgid "-L = list all Linux capabilities,\n" msgstr "" #: src/rsbac_jail.c:38 #, c-format msgid "-S = list all SCD targets,\n" msgstr "" #: src/rsbac_jail.c:39 #, c-format msgid "-v = verbose, -i = allow access to IPC outside this jail,\n" msgstr "" #: src/rsbac_jail.c:40 #, c-format msgid "-n = allow all network families, not only UNIX and INET (IPv4),\n" msgstr "" #: src/rsbac_jail.c:41 #, c-format msgid "-r = allow INET (IPv4) raw sockets (e.g. 
for ping),\n" msgstr "" #: src/rsbac_jail.c:42 #, c-format msgid "-a = auto-adjust INET any address 0.0.0.0 to jail address, if set,\n" msgstr "" #: src/rsbac_jail.c:43 #, c-format msgid "-o = additionally allow to/from remote INET (IPv4) address 127.0.0.1,\n" msgstr "" #: src/rsbac_jail.c:44 #, c-format msgid "-d = allow read access on devices, -D allow write access\n" msgstr "" #: src/rsbac_jail.c:45 #, c-format msgid "-e = allow GET_STATUS_DATA on devices, -E allow MODIFY_SYSTEM_DATA\n" msgstr "" #: src/rsbac_jail.c:46 #, c-format msgid "-G scd ... = allow GET_STATUS_DATA on these scd targets\n" msgstr "" #: src/rsbac_jail.c:47 #, c-format msgid "-M scd ... = allow MODIFY_SYSTEM_DATA on these scd targets\n" msgstr "" #: src/rsbac_jail.c:48 #, c-format msgid "Deprecated old options, please use -G and -M:\n" msgstr "" #: src/rsbac_jail.c:49 #, c-format msgid "-l = allow to modify rlimits (-M rlimit),\n" msgstr "" #: src/rsbac_jail.c:50 #, c-format msgid "-c = allow to modify system clock (-M SCD clock time_strucs),\n" msgstr "" #: src/rsbac_jail.c:51 #, c-format msgid "-m = allow to lock memory (-M mlock),\n" msgstr "" #: src/rsbac_jail.c:52 #, c-format msgid "-p = allow to modify priority (-M priority),\n" msgstr "" #: src/rsbac_jail.c:53 #, c-format msgid "-k = allow to get kernel symbols (-G ksyms)\n" msgstr "" #: src/rsbac_jail.c:173 src/rsbac_jail.c:216 #, c-format msgid "%s: missing SCDs for parameter %c\n" msgstr "" #: src/rsbac_jail.c:228 #, c-format msgid "%s: missing address for parameter %c\n" msgstr "" #: src/rsbac_jail.c:238 #, c-format msgid "%s: missing dirname for parameter %c\n" msgstr "" #: src/rsbac_jail.c:305 #, c-format msgid "%s: missing caps for parameter %c\n" msgstr "" #: src/rsbac_jail.c:340 #, c-format msgid "" "%s: executing %s in jail at %s with IP %s, flags %u, caps %u, scd_get %u, " "scd_modify %u\n" msgstr "" #: src/rsbac_jail.c:350 #, c-format msgid "" "%s: executing %s in jail (no chroot) with IP %s, flags %u, caps %u, scd_get %" 
"u, scd_modify %u\n" msgstr "" #: src/rsbac_list_ta.c:26 #, c-format msgid "Use: %s [flags] {begin|refresh|commit|forget}\n" msgstr "" #: src/rsbac_list_ta.c:27 #, c-format msgid " -v = verbose, -b = print bash export of RSBAC_TA\n" msgstr "" #: src/rsbac_list_ta.c:28 #, c-format msgid "" " -t ttl = change transaction timeout from kernel config default to ttl\n" msgstr "" #: src/rsbac_list_ta.c:29 #, c-format msgid " -p password = use this password\n" msgstr "" #: src/rsbac_list_ta.c:30 #, c-format msgid " -N ta = transaction number (for refresh, commit, forget)\n" msgstr "" #: src/rsbac_list_ta.c:31 #, c-format msgid " (default = value of RSBAC_TA, if set, or 0 otherwise)\n" msgstr "" #: src/rsbac_list_ta.c:83 #, c-format msgid "%s: missing password for parameter %c\n" msgstr "" #: src/rsbac_list_ta.c:98 #, c-format msgid "%s: missing user for parameter %c\n" msgstr "" #: src/rsbac_login.c:69 src/rsbac_passwd.c:59 #, c-format msgid "Use: %s [flags] [username]\n" msgstr "" #: src/rsbac_login.c:70 #, c-format msgid " -v = verbose, -p = preserve environment\n" msgstr "" #: src/rsbac_login.c:96 #, c-format msgid "%s: invalid login name!\n" msgstr "" #: src/rsbac_login.c:125 src/rsbac_useradd.c:146 src/rsbac_useradd.c:181 #, c-format msgid "%s: invalid password!\n" msgstr "" #: src/rsbac_passwd.c:60 #, c-format msgid " -v = verbose,\n" msgstr "" #: src/rsbac_passwd.c:61 #, c-format msgid " -n = do not ask for old password\n" msgstr "" #: src/rsbac_passwd.c:116 #, c-format msgid "%s: invalid old password!\n" msgstr "" #: src/rsbac_pm.c:32 #, c-format msgid "Use: %s [flags] call args\n" msgstr "" #: src/rsbac_pm.c:34 src/rsbac_pm.c:62 #, c-format msgid "call = one of the following calls, args = call dependent\n" msgstr "" #: src/rsbac_pm.c:41 src/rsbac_pm.c:69 #, c-format msgid "-- press return --" msgstr "" #: src/rsbac_pm.c:60 #, c-format msgid "Use: %s [flags] create_ticket ticket-nr valid-secs call args\n" msgstr "" #: src/rsbac_pm.c:61 #, c-format msgid " -N ta = 
transaction number\n" msgstr "" #: src/rsbac_pm.c:137 #, c-format msgid "" "\n" "%s: invalid pm function %s!\n" "\n" msgstr "" #: src/rsbac_pm.c:140 #, c-format msgid "%s: requesting pm-call %s (No. %i)\n" msgstr "" #: src/rsbac_pm.c:147 src/rsbac_pm.c:170 src/rsbac_pm.c:193 src/rsbac_pm.c:205 #: src/rsbac_pm.c:216 src/rsbac_pm.c:266 src/rsbac_pm.c:277 src/rsbac_pm.c:289 #: src/rsbac_pm.c:301 src/rsbac_pm.c:313 src/rsbac_pm.c:325 src/rsbac_pm.c:337 #: src/rsbac_pm.c:348 src/rsbac_pm.c:360 src/rsbac_pm.c:372 src/rsbac_pm.c:383 #: src/rsbac_pm.c:396 src/rsbac_pm.c:408 src/rsbac_pm.c:419 src/rsbac_pm.c:430 #: src/rsbac_pm.c:457 src/rsbac_pm.c:469 src/rsbac_pm.c:483 src/rsbac_pm.c:495 #: src/rsbac_pm.c:509 src/rsbac_pm.c:520 src/rsbac_pm.c:531 src/rsbac_pm.c:556 #: src/rsbac_pm.c:584 src/rsbac_pm.c:612 src/rsbac_pm.c:624 src/rsbac_pm.c:634 #: src/rsbac_pm.c:684 src/rsbac_pm.c:694 src/rsbac_pm.c:706 src/rsbac_pm.c:718 #: src/rsbac_pm.c:730 src/rsbac_pm.c:742 src/rsbac_pm.c:754 src/rsbac_pm.c:764 #: src/rsbac_pm.c:776 src/rsbac_pm.c:788 src/rsbac_pm.c:798 src/rsbac_pm.c:812 #: src/rsbac_pm.c:824 src/rsbac_pm.c:834 src/rsbac_pm.c:844 src/rsbac_pm.c:875 #: src/rsbac_pm.c:887 src/rsbac_pm.c:901 src/rsbac_pm.c:913 #, c-format msgid "Too few arguments: argc is %i\n" msgstr "" #: src/rsbac_pm.c:227 src/rsbac_pm.c:238 src/rsbac_pm.c:645 src/rsbac_pm.c:656 #, c-format msgid "%s: Could not allocate list memory!" 
msgstr "" #: src/rsbac_pm.c:545 #, c-format msgid "" "\n" "Too few arguments: argc is %i\n" msgstr "" #: src/rsbac_useradd.c:50 src/rsbac_usermod.c:30 src/rsbac_usershow.c:39 #, c-format msgid "Use: %s [flags] username\n" msgstr "" #: src/rsbac_useradd.c:51 src/rsbac_usermod.c:31 #, c-format msgid " -c comment = fullname or comment,\n" msgstr "" #: src/rsbac_useradd.c:52 src/rsbac_usermod.c:32 #, c-format msgid " -d dir = homedir of user,\n" msgstr "" #: src/rsbac_useradd.c:53 src/rsbac_usermod.c:33 #, c-format msgid " -g group = main / initial Linux group,\n" msgstr "" #: src/rsbac_useradd.c:54 src/rsbac_usermod.c:34 #, c-format msgid " -G group1[,group2,...] = add more Linux groups,\n" msgstr "" #: src/rsbac_useradd.c:56 #, c-format msgid " -P = ask for password,\n" msgstr "" #: src/rsbac_useradd.c:58 #, c-format msgid " -s shell = user's shell,\n" msgstr "" #: src/rsbac_useradd.c:59 #, c-format msgid " -u uid = uid to use,\n" msgstr "" #: src/rsbac_useradd.c:60 #, c-format msgid " -m = create user home dir from skeleton,\n" msgstr "" #: src/rsbac_useradd.c:61 #, c-format msgid " -k dir = use this skeleton dir instead of /etc/skel/,\n" msgstr "" #: src/rsbac_useradd.c:62 src/rsbac_usermod.c:41 #, c-format msgid " -n minchange-days = minimum days between password changes,\n" msgstr "" #: src/rsbac_useradd.c:63 src/rsbac_usermod.c:42 #, c-format msgid " -x maxchange-days = maximum days between password changes,\n" msgstr "" #: src/rsbac_useradd.c:64 src/rsbac_usermod.c:43 #, c-format msgid " -w warnchange-days = warning days before password must be changed,\n" msgstr "" #: src/rsbac_useradd.c:65 src/rsbac_usermod.c:44 #, c-format msgid "" " -f inactive-days = period between password expiry and account disabling,\n" msgstr "" #: src/rsbac_useradd.c:66 src/rsbac_usermod.c:45 #, c-format msgid " -e expire-days = days since 1/Jan/1970 when account gets disabled,\n" msgstr "" #: src/rsbac_useradd.c:70 #, c-format msgid " -o = use values from old passwd/shadow entry,\n" 
msgstr "" #: src/rsbac_useradd.c:71 #, c-format msgid " -O = add all existing users (implies -o)\n" msgstr "" #: src/rsbac_useradd.c:191 #, c-format msgid "%s: password mismatch!\n" msgstr "" #: src/rsbac_useradd.c:193 #, c-format msgid "%s: Too many tries, using default password!\n" msgstr "" #: src/rsbac_useradd.c:617 #, c-format msgid "%s: cannot lookup skel dir %s\n" msgstr "" #: src/rsbac_useradd.c:623 #, c-format msgid "%s: skel dir %s is no dir\n" msgstr "" #: src/rsbac_useradd.c:629 #, c-format msgid "%s: skel dir name %s is too long\n" msgstr "" #: src/rsbac_userdel.c:31 #, c-format msgid "Use: %s [flags] user [user2 ...]\n" msgstr "" #: src/rsbac_userdel.c:33 #, c-format msgid " -r = remove user's home dir\n" msgstr "" #: src/rsbac_usermod.c:35 #, c-format msgid " -H group1[,group2,...] = remove Linux groups,\n" msgstr "" #: src/rsbac_usermod.c:39 #, c-format msgid " -s shell = user shell,\n" msgstr "" #: src/rsbac_usermod.c:40 #, c-format msgid " -u name = change username,\n" msgstr "" #: src/rsbac_usermod.c:475 src/rsbac_usermod.c:491 src/rsbac_usermod.c:522 #: src/rsbac_usermod.c:538 #, c-format msgid "%s: Invalid group %s\n" msgstr "" #: src/rsbac_usershow.c:40 #, c-format msgid " -v = verbose, -a = list all users\n" msgstr "" #: src/rsbac_usershow.c:43 #, c-format msgid " -D = print dates as yyyymmdd, not day number\n" msgstr "" #: src/rsbac_usershow.c:44 #, c-format msgid " -u = list calling user\n" msgstr "" #: src/rsbac_usershow.c:81 #, c-format msgid "%s: Unknown user %u\n" msgstr "" #: src/rsbac_write.c:30 #, c-format msgid "%s: %i lists written\n" msgstr "" #: src/switch_adf_log.c:28 #, c-format msgid "Use: %s request [target] [value]\n" msgstr "" #: src/switch_adf_log.c:29 #, c-format msgid "request = request name or ALL, value = [012]\n" msgstr "" #: src/switch_adf_log.c:30 #, c-format msgid "target = target type name, leave out for ALL\n" msgstr "" #: src/switch_adf_log.c:31 #, c-format msgid "- -n = list all requests, -t = list all target 
types\n" msgstr "" #: src/switch_adf_log.c:32 #, c-format msgid "- -b = backup log level settings\n" msgstr "" #: src/switch_adf_log.c:33 #, c-format msgid "- -g = get not set, -s = scripting mode\n" msgstr "" #: src/switch_adf_log.c:148 #, c-format msgid "%s: getting log settings for request %s\n" msgstr "" #: src/switch_adf_log.c:225 #, c-format msgid "%s: switching logging for ALL requests and targets to %i\n" msgstr "" #: src/switch_adf_log.c:250 #, c-format msgid "%s: switching logging for request %s and all target types to %i\n" msgstr "" #: src/switch_adf_log.c:256 src/switch_adf_log.c:287 #, c-format msgid "%s: target %s\n" msgstr "" #: src/switch_adf_log.c:282 #, c-format msgid "%s: switching logging for ALL requests and target type %s to %i\n" msgstr "" #: src/switch_adf_log.c:311 #, c-format msgid "%s: switching logging for request %s and target type %s to %i\n" msgstr "" #: src/switch_module.c:29 #, c-format msgid "Use: %s [-s] module value\n" msgstr "" #: src/switch_module.c:30 #, c-format msgid " -s: switch module's individual softmode, not the whole module\n" msgstr "" #: src/switch_module.c:31 #, c-format msgid "" "module = module name, value = [01]\n" "\n" msgstr "" #: src/switch_module.c:32 #, c-format msgid "Possible module names are:\n" msgstr "" #: src/switch_module.c:84 #, c-format msgid "%s: Invalid switch target %s\n" msgstr "" #: src/switch_module.c:91 #, c-format msgid "%s: switching Module %s softmode to %i\n" msgstr "" #: src/switch_module.c:93 #, c-format msgid "%s: switching Module %s to %i\n" msgstr "" rsbac-admin-1.4.0/main/tools/po/de.po0000644000175000017500000032141311131371034017172 0ustar gauvaingauvain# SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR Free Software Foundation, Inc. # FIRST AUTHOR , YEAR. 
# # msgid "" msgstr "" "Project-Id-Version: RSBAC v1.2.3\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2005-08-26 09:09+0000\n" "PO-Revision-Date: 2004-06-10 10:22+2\n" "Last-Translator: Amon Ott \n" "Language-Team: DE \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=iso-8859-1\n" "Content-Transfer-Encoding: de-latin1\n" msgid "" "%s (RSBAC %s)\n" "***\n" msgstr "" #: src/acl_grant.c:50 #, c-format msgid "" "Use: %s [switches] subj_type subj_id [rights] target-type file/dirname(s)\n" msgstr "" "Aufruf: %s [Schalter] Subj-Typ Subj-ID [Rechte] Ziel-Typ Objektname(n)\n" #: src/acl_grant.c:51 #, c-format msgid " -v = verbose, -r = recurse into subdirs,\n" msgstr " -v = ausführlich, -r = rekursiv,\n" #: src/acl_grant.c:52 #, c-format msgid " -p = print right names, -s = set rights, not add\n" msgstr " -p = Rechtenamen drucken, -s = Rechte setzen, nicht hinzufügen\n" #: src/acl_grant.c:53 #, c-format msgid " -k = revoke rights, not add, -m remove entry (set back to inherit)\n" msgstr " -k = Rechte widerrufen, nicht hinzufügen, -m = Eintrag entfernen\n" #: src/acl_grant.c:54 #, c-format msgid " -b = expect rights as bitstring, -n = list valid SCD names\n" msgstr " -b = erwarte Rechte als Bitvektor, -n = liste gültige SCD-Namen\n" #: src/acl_grant.c:55 #, c-format msgid " -d = numeric device specification ({b|c}major[:minor])\n" msgstr " -d = numerische Device-Spezifikation ({b|c}major[:minor])\n" #: src/acl_grant.c:56 #, c-format msgid " -u, -g, -l = shortcuts for USER, GROUP and ROLE\n" msgstr " -u, -g, -l = Abkürzungen für USER, GROUP und ROLE\n" #: src/acl_grant.c:57 #, c-format msgid "" " -t = set relative time-to-live for this trustee in seconds (add and set " "only)\n" msgstr "" " -t = setze relative Lebenszeit in Sekunden (nur hinzufügen und setzen)\n" #: src/acl_grant.c:58 #, c-format msgid "" " -T = set absolute time-to-live for this trustee in seconds (add and set " "only)\n" msgstr "" " -T = setze absolute Lebenszeit in Sekunden (nur hinzufügen 
und setzen)\n" #: src/acl_grant.c:59 #, c-format msgid "" " -D = set relative time-to-live for this trustee in days (add and set " "only)\n" msgstr "" " -D = setze relative Lebenszeit in Tagen (nur hinzufügen und setzen)\n" #: src/acl_grant.c:60 src/acl_group.c:41 src/switch_adf_log.c:34 #, c-format msgid " -V version = supply RSBAC integer version number for upgrading\n" msgstr " -V Version = gib numerische RSBAC-Version an zur Aktualisierung\n" #: src/acl_grant.c:61 src/acl_group.c:42 #, c-format msgid "" " -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n" msgstr " -N ta = Transaktions-Nummer (Standard = Wert von RSBAC_TA, sonst 0)\n" #: src/acl_grant.c:62 #, c-format msgid " subj_type = USER, GROUP or ROLE,\n" msgstr " Subjekt-Typ = USER, GROUP oder ROLE,\n" #: src/acl_grant.c:63 #, c-format msgid " subj_id = user name or id number,\n" msgstr " Subjekt-ID = Benutzername oder ID,\n" #: src/acl_grant.c:64 src/acl_mask.c:58 #, c-format msgid "" " rights = list of space-separated right names (requests and ACL specials),\n" msgstr " Rechte = Liste von Rechte-Namen (Requests und ACL-Specials),\n" #: src/acl_grant.c:65 #, c-format msgid "" " also request groups R (read requests), RW (read-write), W (write)\n" msgstr "" " außerdem Rechte-Gruppen R (Lesen), RW (Lesen/Schreiben), W " "(Schreiben)\n" #: src/acl_grant.c:66 src/acl_mask.c:60 #, c-format msgid " SY (system), SE (security), A (all)\n" msgstr " SY (System), SE (Sicherheit), A (Alle)\n" #: src/acl_grant.c:67 src/acl_mask.c:61 #, c-format msgid " S (ACL special rights)\n" msgstr " S (ACL-Spezialrechte)\n" #: src/acl_grant.c:68 src/acl_mask.c:62 #, c-format msgid "" " and NWx with x = S R W C E A F M (similar to well-known network " "system)\n" msgstr "" " und NWx mit x = S R W C E A F M (wie bekanntes Netzwerk-System)\n" #: src/acl_grant.c:69 src/acl_tlist.c:59 #, c-format msgid "" " target-type = FILE, DIR, FIFO, SYMLINK, DEV, IPC, SCD, USER, PROCESS, " "NETDEV,\n" msgstr "" " Ziel-Typ = 
FILE, DIR, FIFO, SYMLINK, DEV, IPC, SCD, USER, PROCESS, " "NETDEV,\n" #: src/acl_grant.c:70 src/acl_mask.c:64 src/acl_tlist.c:60 #, c-format msgid " NETTEMP_NT, NETTEMP, NETOBJ or FD\n" msgstr " NETTEMP_NT, NETTEMP, NETOBJ oder FD\n" #: src/acl_grant.c:71 src/acl_mask.c:65 src/acl_rights.c:59 src/acl_tlist.c:61 #, c-format msgid " (FD: let %s decide between FILE, DIR, FIFO and SYMLINK, no DEV),\n" msgstr "" " (FD: laß %s zwischen FILE, DIR, FIFO und SYMLINK entscheiden, kein DEV),\n" #: src/acl_grant.c:72 src/acl_tlist.c:62 #, c-format msgid " (IPC, USER, PROCESS: only :DEFAULT:\n" msgstr " (IPC, USER, PROCESS: nur :DEFAULT:\n" #: src/acl_grant.c:73 src/acl_rights.c:61 src/acl_tlist.c:63 #, c-format msgid " (NETTEMP: no :DEFAULT:\n" msgstr " (NETTEMP: kein :DEFAULT:\n" #: src/acl_grant.c:74 src/acl_rights.c:62 src/acl_tlist.c:64 #, c-format msgid "- Use name :DEFAULT: for default ACL\n" msgstr "- Verwende den Namen :DEFAULT: für die default ACL\n" #: src/acl_grant.c:133 src/acl_mask.c:127 src/acl_mask.c:210 #: src/acl_rights.c:121 src/acl_rights.c:190 src/acl_tlist.c:126 #: src/acl_tlist.c:203 #, c-format msgid "Invalid target %u for %s, skipped!\n" msgstr "Ungültiger Zieltyp %u für %s, übersprungen!\n" #: src/acl_grant.c:138 #, c-format msgid "Processing default %s '%s'\n" msgstr "Bearbeite default %s '%s'\n" #: src/acl_grant.c:158 src/acl_mask.c:152 src/acl_rights.c:142 #: src/acl_tlist.c:151 #, c-format msgid "%s is no valid device specification, skipped\n" msgstr "%s ist keine gültige Geräte-Spezifikation, übersprungen\n" #: src/acl_grant.c:167 src/acl_mask.c:165 src/acl_rights.c:154 #: src/acl_tlist.c:164 #, c-format msgid "%s is no valid SCD name, skipped\n" msgstr "%s ist kein gültiger SCD-Name, übersprungen\n" #: src/acl_grant.c:175 src/acl_grant.c:455 src/acl_group.c:247 #: src/acl_group.c:398 src/acl_group.c:429 src/acl_group.c:456 #: src/acl_mask.c:174 src/acl_rights.c:162 src/acl_rm_user.c:94 #: src/acl_tlist.c:173 src/attr_back_user.c:444 
src/attr_back_user.c:468 #: src/attr_get_user.c:147 src/attr_get_user.c:258 src/attr_get_user.c:374 #: src/attr_set_user.c:175 src/attr_set_user.c:346 src/attr_set_user.c:453 #: src/attr_set_user.c:581 src/auth_set_cap.c:214 src/auth_set_cap.c:222 #: src/mac_set_trusted.c:192 src/rsbac_list_ta.c:90 #, c-format msgid "%s: Invalid User %s!\n" msgstr "%s: Ungültiger Benutzer %s!\n" #: src/acl_grant.c:183 src/acl_mask.c:184 src/acl_rights.c:170 #: src/acl_tlist.c:183 src/attr_back_group.c:274 src/attr_back_group.c:298 #: src/attr_get_group.c:143 src/attr_get_group.c:214 src/attr_get_user.c:240 #: src/attr_set_group.c:182 #, c-format msgid "%s: Invalid Group %s!\n" msgstr "%s: Ungültige Gruppe %s!\n" #: src/acl_grant.c:203 #, c-format msgid "Invalid target type %u for %s, skipped!\n" msgstr "Ungültiger Zieltyp %u für %s, übersprungen!\n" #: src/acl_grant.c:208 src/acl_rights.c:196 src/rc_get_eff_rights_fd.c:56 #, c-format msgid "Processing %s '%s'\n" msgstr "Bearbeite %s '%s'\n" #: src/acl_grant.c:252 src/acl_mask.c:289 src/acl_mask.c:291 #: src/acl_rights.c:235 src/acl_tlist.c:246 src/attr_rm_fd.c:61 #: src/attr_rm_file_dir.c:103 src/attr_set_fd.c:71 #: src/rc_get_eff_rights_fd.c:63 #, c-format msgid "%s: error: %s\n" msgstr "%s: Fehler: %s\n" #: src/acl_grant.c:268 src/acl_mask.c:373 src/acl_rights.c:290 #: src/acl_tlist.c:401 src/attr_back_dev.c:206 src/attr_back_fd.c:279 #: src/attr_get_fd.c:141 src/attr_rm_fd.c:77 src/attr_set_fd.c:87 #: src/auth_back_cap.c:373 src/linux2acl.c:765 src/mac_back_trusted.c:108 #: src/rc_get_eff_rights_fd.c:95 #, c-format msgid "opendir for dir %s returned error: %s\n" msgstr "opendir für Verzeichnis %s ergab Fehler: %s\n" #: src/acl_grant.c:371 src/acl_grant.c:381 src/acl_grant.c:402 #: src/acl_group.c:133 src/acl_group.c:143 src/acl_group.c:164 #: src/auth_set_cap.c:123 src/auth_set_cap.c:133 src/auth_set_cap.c:154 #: src/mac_set_trusted.c:101 src/mac_set_trusted.c:111 #: src/mac_set_trusted.c:132 src/rc_set_item.c:128 
src/rc_set_item.c:138 #: src/rc_set_item.c:159 src/rsbac_groupadd.c:213 src/rsbac_groupadd.c:223 #: src/rsbac_groupadd.c:244 src/rsbac_groupmod.c:166 src/rsbac_groupmod.c:177 #: src/rsbac_groupmod.c:199 src/rsbac_list_ta.c:73 src/rsbac_useradd.c:646 #: src/rsbac_useradd.c:656 src/rsbac_useradd.c:677 src/rsbac_usermod.c:324 #: src/rsbac_usermod.c:335 src/rsbac_usermod.c:357 #, c-format msgid "%s: missing ttl value for parameter %c\n" msgstr "%s: fehlender ttl-Wert für Parameter %c\n" #: src/acl_grant.c:397 src/acl_group.c:159 src/auth_set_cap.c:149 #: src/mac_set_trusted.c:127 src/rc_set_item.c:154 src/rsbac_groupadd.c:239 #: src/rsbac_groupmod.c:194 src/rsbac_useradd.c:672 src/rsbac_usermod.c:352 #, c-format msgid "%s: ttl value for parameter %c is in the past, exiting\n" msgstr "%s: ttl-Wert für Parameter %c in der Vergangenheit, beende\n" #: src/acl_grant.c:407 src/acl_group.c:169 src/acl_mask.c:461 #: src/attr_set_fd.c:184 src/attr_set_file_dir.c:143 src/attr_set_group.c:123 #: src/attr_set_net.c:288 src/attr_set_up.c:110 src/attr_set_user.c:123 #: src/auth_set_cap.c:159 src/mac_set_trusted.c:137 src/net_temp.c:268 #: src/rc_set_item.c:201 src/switch_adf_log.c:119 #, c-format msgid "%s: no version number for switch V\n" msgstr "%s: keine Versionsnummer für Schalter V\n" #: src/acl_grant.c:423 src/acl_group.c:185 src/acl_mask.c:477 #: src/acl_rights.c:489 src/acl_rm_user.c:72 src/acl_tlist.c:491 #: src/attr_back_dev.c:303 src/attr_back_fd.c:398 src/attr_back_group.c:192 #: src/attr_back_net.c:311 src/attr_back_user.c:325 src/attr_get_fd.c:249 #: src/attr_get_file_dir.c:198 src/attr_get_group.c:185 src/attr_get_ipc.c:90 #: src/attr_get_net.c:317 src/attr_get_process.c:115 src/attr_get_up.c:117 #: src/attr_get_user.c:208 src/attr_rm_fd.c:138 src/attr_rm_file_dir.c:74 #: src/attr_rm_group.c:67 src/attr_rm_user.c:67 src/attr_set_fd.c:200 #: src/attr_set_file_dir.c:159 src/attr_set_group.c:139 src/attr_set_ipc.c:89 #: src/attr_set_net.c:304 src/attr_set_process.c:126 
src/attr_set_up.c:126 #: src/attr_set_user.c:139 src/auth_back_cap.c:466 src/auth_set_cap.c:175 #: src/mac_back_trusted.c:190 src/mac_set_trusted.c:153 src/net_temp.c:284 #: src/rc_copy_role.c:66 src/rc_copy_type.c:68 src/rc_get_eff_rights_fd.c:159 #: src/rc_get_item.c:256 src/rc_set_item.c:217 src/rsbac_gpasswd.c:122 #: src/rsbac_groupadd.c:255 src/rsbac_groupdel.c:99 src/rsbac_groupmod.c:210 #: src/rsbac_groupshow.c:239 src/rsbac_list_ta.c:108 src/rsbac_pm.c:117 #: src/rsbac_useradd.c:688 src/rsbac_userdel.c:136 src/rsbac_usermod.c:368 #: src/rsbac_usershow.c:371 #, c-format msgid "%s: missing transaction number value for parameter %c\n" msgstr "%s: fehlende Transaktions-Nummer für Parameter %c\n" #: src/acl_grant.c:428 src/acl_group.c:190 src/acl_mask.c:482 #: src/acl_rights.c:560 src/acl_rm_user.c:78 src/acl_tlist.c:496 #: src/attr_back_dev.c:308 src/attr_back_fd.c:403 src/attr_back_group.c:197 #: src/attr_back_net.c:316 src/attr_back_user.c:330 src/attr_get_fd.c:254 #: src/attr_get_file_dir.c:232 src/attr_get_group.c:191 src/attr_get_ipc.c:95 #: src/attr_get_net.c:323 src/attr_get_process.c:121 src/attr_get_up.c:122 #: src/attr_get_user.c:214 src/attr_rm_fd.c:143 src/attr_rm_file_dir.c:79 #: src/attr_rm_group.c:72 src/attr_rm_user.c:72 src/attr_set_fd.c:206 #: src/attr_set_file_dir.c:165 src/attr_set_group.c:145 src/attr_set_ipc.c:94 #: src/attr_set_net.c:310 src/attr_set_process.c:131 src/attr_set_up.c:131 #: src/attr_set_user.c:145 src/auth_back_cap.c:471 src/auth_set_cap.c:180 #: src/linux2acl.c:831 src/mac_back_trusted.c:195 src/mac_set_trusted.c:158 #: src/mac_wrap.c:110 src/net_temp.c:289 src/rc_copy_role.c:71 #: src/rc_copy_type.c:73 src/rc_get_eff_rights_fd.c:164 src/rc_get_item.c:262 #: src/rc_role_wrap.c:58 src/rc_set_item.c:223 src/rsbac_gpasswd.c:127 #: src/rsbac_groupadd.c:261 src/rsbac_groupdel.c:105 src/rsbac_groupmod.c:216 #: src/rsbac_groupshow.c:245 src/rsbac_jail.c:327 src/rsbac_list_ta.c:117 #: src/rsbac_login.c:74 src/rsbac_passwd.c:65 
src/rsbac_pm.c:122 #: src/rsbac_useradd.c:694 src/rsbac_userdel.c:142 src/rsbac_usermod.c:374 #: src/rsbac_usershow.c:377 src/switch_adf_log.c:128 src/switch_module.c:69 #, c-format msgid "%s: unknown parameter %c\n" msgstr "%s: unbekannter Parameter %c\n" #: src/acl_grant.c:443 #, c-format msgid "%s: unknown subject_type %s\n" msgstr "%s: unbekannter Subjekt-Typ %s\n" #: src/acl_grant.c:472 src/rc_set_item.c:644 #, c-format msgid "Invalid bitstring length %u, must be %u!\n" msgstr "Ungültige Bitvektor-Länge %u, erwarte %u!\n" #: src/acl_grant.c:656 src/acl_mask.c:695 src/attr_rm_fd.c:165 #: src/attr_set_fd.c:238 #, c-format msgid "%s: Invalid target type %s\n" msgstr "%s: Ungültiger Ziel-Typ %s\n" #: src/acl_grant.c:666 #, c-format msgid "" "Set rights: %s\n" "for %s %u\n" msgstr "" "Setze Rechte: %s\n" "für %s %u\n" #: src/acl_grant.c:672 #, c-format msgid "" "Add rights: %s\n" "for %s %u\n" msgstr "" "Füge Rechte hinzu: %s\n" "für %s %u\n" #: src/acl_grant.c:678 #, c-format msgid "" "Revoke rights: %s\n" "for %s %u\n" msgstr "" "Widerrufe Rechte: %s\n" "für %s %u\n" #: src/acl_grant.c:684 #, c-format msgid "Remove entry for %s %u.\n" msgstr "Entferne Eintrag für %s %u.\n" #: src/acl_grant.c:689 #, c-format msgid "%s: Internal error in call switch!\n" msgstr "%s: Interner Fehler in Aufruf-Liste!\n" #: src/acl_grant.c:705 #, c-format msgid "" "\n" "%s: %i targets\n" "\n" msgstr "" "\n" "%s: %i Zielobjekte\n" "\n" #: src/acl_group.c:34 #, c-format msgid "Use: %s [switches] function params\n" msgstr "Aufruf: %s [Schalter] Funktion Parameter\n" #: src/acl_group.c:35 #, c-format msgid " -v = verbose, -g = also list global groups of other users,\n" msgstr " -v = ausführlich, -g = auch globale Gruppen andere Benutzer,\n" #: src/acl_group.c:36 #, c-format msgid " -b = backup mode, -n = use numerical values,\n" msgstr " -b = Backup-Modus, -n = Zahlenwerte verwenden,\n" #: src/acl_group.c:37 #, c-format msgid " -s = scripting mode\n" msgstr " -s = Skript-Modus\n" #: 
src/acl_group.c:38 #, c-format msgid "" " -t = set relative time-to-live for this membership in seconds (add_member " "only)\n" msgstr " -t = setze relative Lebenszeit in Sekunden (nur add_member)\n" #: src/acl_group.c:39 #, c-format msgid "" " -T = set absolute time-to-live for this trustee in seconds (add_member " "only)\n" msgstr " -T = setze absolute Lebenszeit in Sekunden (nur add_member)\n" #: src/acl_group.c:40 #, c-format msgid "" " -D = set relative time-to-live for this membership in days (add_member " "only)\n" msgstr " -D = setze relative Lebenszeit in Tagen (nur add_member)\n" #: src/acl_group.c:43 #, c-format msgid "- function and params = one of\n" msgstr "- Funktionen und Parameter:\n" #: src/acl_group.c:44 #, c-format msgid " add_group P[RIVATE]|G[LOBAL] name [id]\n" msgstr " add_group P[RIVATE]|G[LOBAL] Name [id]\n" #: src/acl_group.c:45 #, c-format msgid " change_group group-id new-owner P[RIVATE]|G[LOBAL] name\n" msgstr " change_group Gruppen-ID Neuer-Besitzer P[RIVATE]|G[LOBAL] Name\n" #: src/acl_group.c:46 #, c-format msgid " remove_group group-id\n" msgstr " remove_group Gruppen-ID\n" #: src/acl_group.c:47 #, c-format msgid " get_group_entry group-id\n" msgstr " get_group_entry Gruppen-ID\n" #: src/acl_group.c:48 #, c-format msgid " get_group_name group-id\n" msgstr " get_group_name Gruppen-ID\n" #: src/acl_group.c:49 #, c-format msgid " get_group_type group-id\n" msgstr " get_group_type Gruppen-ID\n" #: src/acl_group.c:50 #, c-format msgid " get_group_owner group-id\n" msgstr " get_group_owner Gruppen-ID\n" #: src/acl_group.c:51 #, c-format msgid " list_groups\n" msgstr " list_groups\n" #: src/acl_group.c:52 #, c-format msgid " add_member group-id user1 ...\n" msgstr " add_member Gruppen-ID Benutzer-1 ...\n" #: src/acl_group.c:53 #, c-format msgid " remove_member group-id user1 ...\n" msgstr " remove_member Gruppen-ID Benutzer-1 ...\n" #: src/acl_group.c:54 #, c-format msgid " get_user_groups [user]\n" msgstr " get_user_groups [Benutzer]\n" 
#: src/acl_group.c:55 #, c-format msgid " get_group_members group-id\n" msgstr " get_group_members Gruppen-ID\n" #: src/acl_group.c:71 src/net_temp.c:63 msgid "*unknown*" msgstr "*unbekannt*" #: src/acl_group.c:210 src/acl_group.c:241 src/acl_group.c:277 #: src/acl_group.c:299 src/acl_group.c:388 src/acl_group.c:421 #: src/acl_group.c:500 #, c-format msgid "%s: too few arguments for function %s\n" msgstr "%s: zu wenig Argumente für Funktion %s\n" #: src/acl_group.c:220 src/acl_group.c:258 #, c-format msgid "%s: %s: invalid group type %s\n" msgstr "%s: %s: Ungültiger Gruppen-Typ %s\n" #: src/acl_group.c:232 #, c-format msgid "%s group %u '%s' added\n" msgstr "%s-Gruppe %u '%s' hinzugefügt\n" #: src/acl_group.c:265 #, c-format msgid "Group %u changed to owner %u, type %s, name '%s'\n" msgstr "Gruppe %u geändert auf Besitzer %u, Typ %s, Name '%s'\n" #: src/acl_group.c:286 #, c-format msgid "Group %u '%s' removed\n" msgstr "Gruppe %u '%s' entfernt\n" #: src/acl_group.c:320 src/acl_group.c:371 #, c-format msgid "Group %u: owner %u (%s), type %c, name '%s'\n" msgstr "Gruppe %u: Besitzer %u (%s), Typ %c, Name '%s'\n" #: src/acl_group.c:339 #, c-format msgid "%i groups listed:\n" msgstr "%i Gruppen aufgeführt:\n" #: src/acl_group.c:342 #, c-format msgid "%i groups listed (list truncated):\n" msgstr "%i Gruppen aufgeführt (Liste gekürzt):\n" #: src/acl_group.c:377 src/acl_group.c:487 src/acl_group.c:596 #, c-format msgid "(truncated)\n" msgstr "(gekürzt)\n" #: src/acl_group.c:406 #, c-format msgid "Member %u (%s) added to group %u '%s'\n" msgstr "Mitglied %u (%s) zu Gruppe %u '%s' hinzugefügt\n" #: src/acl_group.c:437 #, c-format msgid "Member %u (%s) removed from group %u '%s'\n" msgstr "Mitglied %u (%s) aus Gruppe %u '%s' entfernt\n" #: src/acl_group.c:468 #, c-format msgid "%i group memberships for user %u (%s): " msgstr "%i Gruppen-Mitgliedschaften von Benutzer %u (%s): " #: src/acl_group.c:473 #, c-format msgid "%i group memberships for user %u (%s) (list truncated): " 
msgstr "%i Gruppen-Mitgliedschaften von Benutzer %u (%s) (Liste gekürzt): " #: src/acl_group.c:512 #, c-format msgid "%i members of group %u '%s':\n" msgstr "%i Mitglieder in Gruppe %u '%s':\n" #: src/acl_group.c:517 #, c-format msgid "%i members of group %u '%s' (list truncated):\n" msgstr "%i Mitglieder in Gruppe %u '%s' (Liste gekürzt):\n" #: src/acl_group.c:601 #, c-format msgid "%s: internal error: invalid function number %u\n" msgstr "%s: Interner Fehler: ungültige Funktionsnummer %u\n" #: src/acl_mask.c:50 #, c-format msgid "Use: %s [switches] [rights] target-type file/dirname(s)\n" msgstr "Aufruf: %s [Schalter] [Rechte] Ziel-Typ Objektname(n)\n" # #: src/acl_mask.c:51 src/acl_rights.c:48 src/acl_tlist.c:51 #: src/attr_rm_fd.c:39 src/attr_set_fd.c:41 src/rc_get_eff_rights_fd.c:40 #, c-format msgid " -v = verbose, -r = recurse into subdirs,\n" msgstr " -v = ausführlich, -r = rekursiv,\n" # #: src/acl_mask.c:52 #, c-format msgid " -p = print right names, -s = set mask, not get\n" msgstr " -p = Rechtenamen drucken, -s = Maske setzen, nicht holen\n" #: src/acl_mask.c:53 #, c-format msgid " -b = backup mode, -n = list valid SCD names\n" msgstr " -b = Backup-Modus, -n = zeige gültige SCD-Namen\n" #: src/acl_mask.c:54 src/acl_tlist.c:53 src/attr_get_file_dir.c:34 #: src/attr_rm_file_dir.c:29 src/attr_set_file_dir.c:32 #, c-format msgid " -d = numeric device specification ({b|c}major[:minor])\n" msgstr " -d = Numerische Geräte-Spezifikation ({b|c}major[:minor])\n" #: src/acl_mask.c:55 #, c-format msgid " -D = process all existing device masks,\n" msgstr " -D = alle existierenden Geräte-Maske bearbeiten,\n" #: src/acl_mask.c:56 src/attr_set_fd.c:44 src/attr_set_file_dir.c:34 #: src/attr_set_group.c:32 src/attr_set_net.c:46 src/attr_set_up.c:30 #: src/attr_set_user.c:32 src/auth_set_cap.c:45 src/mac_set_trusted.c:39 #: src/net_temp.c:49 src/rc_set_item.c:42 #, c-format msgid " -V version = supply RSBAC integer version number for upgrading\n" msgstr " -V Version = gib 
numerische RSBAC-Version an zur Aktualisierung\n" #: src/acl_mask.c:57 src/acl_rights.c:53 src/acl_rm_user.c:30 #: src/acl_tlist.c:58 src/attr_back_dev.c:59 src/attr_back_fd.c:83 #: src/attr_back_group.c:55 src/attr_back_net.c:64 src/attr_back_user.c:79 #: src/attr_get_fd.c:44 src/attr_get_file_dir.c:39 src/attr_get_group.c:34 #: src/attr_get_ipc.c:34 src/attr_get_net.c:48 src/attr_get_process.c:35 #: src/attr_get_up.c:29 src/attr_get_user.c:36 src/attr_rm_fd.c:40 #: src/attr_rm_file_dir.c:30 src/attr_rm_group.c:28 src/attr_rm_user.c:28 #: src/attr_set_fd.c:45 src/attr_set_file_dir.c:35 src/attr_set_group.c:33 #: src/attr_set_net.c:47 src/attr_set_process.c:34 src/attr_set_up.c:31 #: src/attr_set_user.c:33 src/auth_back_cap.c:48 src/auth_set_cap.c:46 #: src/mac_back_trusted.c:45 src/mac_back_trusted.c:239 #: src/mac_set_trusted.c:40 src/net_temp.c:50 src/rc_copy_role.c:28 #: src/rc_copy_type.c:29 src/rc_get_eff_rights_fd.c:42 src/rc_get_item.c:43 #: src/rc_set_item.c:43 src/rsbac_groupadd.c:45 src/rsbac_groupdel.c:32 #: src/rsbac_groupmod.c:38 src/rsbac_groupshow.c:41 src/rsbac_pm.c:33 #: src/rsbac_useradd.c:72 src/rsbac_userdel.c:34 src/rsbac_usermod.c:49 #: src/rsbac_usershow.c:45 #, c-format msgid "" " -N ta = transaction number (default = value of RSBAC_TA, if set, or 0)\n" msgstr " -N ta = Transaktions-Nummer (Standard = Wert von RSBAC_TA, sonst 0)\n" # #: src/acl_mask.c:59 #, c-format msgid " also request groups R (read requests), RW (read-write),\n" msgstr "" " außerdem Rechte-Gruppen R (Lesen), RW (Lesen/Schreiben), W " "(Schreiben),\n" #: src/acl_mask.c:63 #, c-format msgid " target-type = FILE, DIR, FIFO, SYMLINK, DEV, SCD, NETDEV,\n" msgstr " Ziel-Typ = FILE, DIR, FIFO, SYMLINK, DEV, SCD, NETDEV,\n" #: src/acl_mask.c:218 src/acl_mask.c:223 src/acl_tlist.c:211 #: src/acl_tlist.c:216 #, c-format msgid "# Processing %s '%s'\n" msgstr "# Bearbeite %s '%s'\n" #: src/acl_mask.c:504 src/attr_set_process.c:182 src/attr_set_user.c:200 #, c-format msgid "%s: 
Invalid mask vector %s\n" msgstr "%s: Ungültiger Masken-Vektor %s\n" #: src/acl_mask.c:704 #, c-format msgid "Set mask: %s\n" msgstr "Setze Maske: %s\n" #: src/acl_mask.c:720 #, c-format msgid "# Get mask.\n" msgstr "# Hole Maske.\n" #: src/acl_mask.c:724 #, c-format msgid "" "\n" "# %s: %i targets\n" "\n" msgstr "" "\n" "# %s: %i Zielobjekte\n" "\n" #: src/acl_mask.c:731 src/acl_tlist.c:514 src/attr_back_user.c:398 #, c-format msgid "# %s: processing all users\n" msgstr "# %s: Bearbeite alle Benutzer\n" #: src/acl_mask.c:743 src/acl_mask.c:774 src/acl_tlist.c:520 #: src/acl_tlist.c:549 src/attr_back_dev.c:340 src/attr_back_dev.c:369 #: src/attr_back_group.c:237 src/attr_back_group.c:266 src/attr_back_net.c:383 #: src/attr_back_net.c:444 src/attr_back_user.c:407 src/attr_back_user.c:436 #, c-format msgid "# %s: %i targets\n" msgstr "# %s: %i Zielobjekte\n" #: src/acl_mask.c:768 src/acl_tlist.c:543 #, c-format msgid "# %s: processing all devices\n" msgstr "# %s: Bearbeite alle Geräte\n" #: src/acl_rights.c:47 #, c-format msgid "Use: %s [switches] target-type file/dirname(s)\n" msgstr "Aufruf: %s [Schalter] Ziel-Typ Datei-/Verzeichnisname(n)\n" # #: src/acl_rights.c:49 #, c-format msgid " -p = print right names, -d = give direct, not effective rights\n" msgstr " -p = Rechtenamen drucken, -d = direkte, nicht effektive Rechte\n" # #: src/acl_rights.c:50 #, c-format msgid " -n = list valid SCD names, -s = scripting mode\n" msgstr " -n = zeige gültige SCD-Namen, -s = Skript-Modus\n" #: src/acl_rights.c:51 #, c-format msgid " -D = numeric device specification ({b|c}major[:minor])\n" msgstr " -D = numerische Geräte-Spezifikation ({b|c}major[:minor])\n" #: src/acl_rights.c:52 #, c-format msgid " -R = list valid right names [for target-type]\n" msgstr " -R = zeige gültige Rechte-Namen [für Ziel-Typ]\n" #: src/acl_rights.c:54 #, c-format msgid " -u user = print rights for given user, not caller\n" msgstr " -u Benutzer = Rechte für anderen als aufrufenden Benutzer ausgeben\n" 
#: src/acl_rights.c:55 #, c-format msgid " -g group = print rights for given group, not caller\n" msgstr " -g Gruppe = Rechte für diese Gruppe ausgeben, nicht Benutzer\n" #: src/acl_rights.c:56 #, c-format msgid " -l role = print rights for given role, not caller\n" msgstr " -l Rolle = Rechte für diese Rolle ausgeben, nicht Benutzer\n" #: src/acl_rights.c:57 #, c-format msgid "" " target-type = FILE, DIR, FIFO, SYMLINK, DEV, IPC, SCD, USER, GROUP, " "PROCESS,\n" msgstr "" " Ziel-Typ = FILE, DIR, FIFO, SYMLINK, DEV, IPC, SCD, USER, GROUP, " "PROCESS,\n" #: src/acl_rights.c:58 #, c-format msgid " NETDEV, NETTEMP_NT, NETTEMP, NETOBJ or FD\n" msgstr " NETDEV, NETTEMP_NT, NETTEMP, NETOBJ oder FD\n" #: src/acl_rights.c:60 #, c-format msgid " (IPC, PROCESS: only :DEFAULT:\n" msgstr " (IPC, PROCESS: nur :DEFAULT:\n" #: src/acl_rights.c:420 #, c-format msgid "%s: invalid target type %s for switch N\n" msgstr "%s: Ungültiger Ziel-Typ %s für Schalter N\n" #: src/acl_rights.c:435 #, c-format msgid "%s: no user for switch u\n" msgstr "%s: kein Benutzer für Schalter u\n" #: src/acl_rights.c:443 src/acl_rights.c:506 #, c-format msgid "Invalid user %s!\n" msgstr "Ungültiger Benutzer %s!\n" #: src/acl_rights.c:450 #, c-format msgid "%s: User %u\n" msgstr "%s: Benutzer %u\n" #: src/acl_rights.c:457 #, c-format msgid "%s: no group for switch g\n" msgstr "%s: keine Gruppe für Schalter g\n" #: src/acl_rights.c:463 src/acl_rights.c:530 #, c-format msgid "%s: Group %u\n" msgstr "%s: Gruppe %u\n" #: src/acl_rights.c:470 #, c-format msgid "%s: no role for switch l\n" msgstr "%s: keine Rolle für Schalter l\n" #: src/acl_rights.c:476 src/acl_rights.c:547 #, c-format msgid "%s: Role %u\n" msgstr "%s: Rolle %u\n" #: src/acl_rights.c:498 #, c-format msgid "%s: no user for switch -USER\n" msgstr "%s: kein Benutzer für Schalter -USER\n" #: src/acl_rights.c:524 #, c-format msgid "%s: no group for switch -GROUP\n" msgstr "%s: keine Gruppe für Schalter -GROUP\n" #: src/acl_rights.c:541 #, c-format 
msgid "%s: no role for switch -ROLE\n" msgstr "%s: keine Rolle für Schalter -ROLE\n" #: src/acl_rights.c:555 #, c-format msgid "%s: unknown parameter %s\n" msgstr "%s: unbekannter Parameter %s\n" #: src/acl_rights.c:575 src/acl_rights.c:592 src/attr_get_fd.c:275 #: src/attr_get_net.c:344 src/attr_get_up.c:142 src/attr_rm_fd.c:155 #: src/attr_set_net.c:396 src/attr_set_net.c:406 src/attr_set_up.c:151 #: src/rc_get_eff_rights_fd.c:186 src/rc_get_eff_rights_fd.c:201 #, c-format msgid "" "%s: %i targets\n" "\n" msgstr "" "%s: %i Zielobjekte\n" "\n" #: src/acl_rights.c:576 src/acl_tlist.c:570 src/rc_get_eff_rights_fd.c:187 #, c-format msgid "%s: No target type given, assuming FD\n" msgstr "%s: Kein Ziel-Typ angegeben, vermute FD\n" #: src/acl_rm_user.c:27 #, c-format msgid "" "Remove all groups and memberships of a user\n" "\n" msgstr "" "Entfernen aller Gruppen und Mitgliedschaften eines Benutzers\n" "\n" #: src/acl_rm_user.c:28 #, c-format msgid "Use: %s [flags] user\n" msgstr "Aufruf: %s [Schalter] Benutzer\n" #: src/acl_rm_user.c:29 #, c-format msgid " -y: remove without asking\n" msgstr " -y: Entfernen ohne Rückfrage\n" #: src/acl_rm_user.c:103 #, c-format msgid "Remove all groups and memberships of user %u '%s' [y/n]\n" msgstr "" "Alle Gruppen und Mitgliedschaften für Benutzer %u '%s' entfernen [y/n]\n" #: src/acl_tlist.c:50 #, c-format msgid "Use: %s [switches] target-type file/dir/scdname(s)\n" msgstr "Aufruf: %s [Schalter] Ziel-Typ Objektname(n)\n" #: src/acl_tlist.c:52 #, c-format msgid " -p = print right names, -b = backup mode\n" msgstr " -p = Rechtenamen drucken, -b = Backup-Modus\n" #: src/acl_tlist.c:54 #, c-format msgid " -D = process all existing device acls,\n" msgstr " -D = alle existierenden Geräte-ACLs bearbeiten,\n" #: src/acl_tlist.c:55 #, c-format msgid " -a = process all users,\n" msgstr " -a = Alle Benutzer bearbeiten,\n" #: src/acl_tlist.c:56 #, c-format msgid " -n = list valid SCD names,\n" msgstr " -n = zeige gültige SCD-Namen\n" #: 
src/acl_tlist.c:57 #, c-format msgid " -s = scripting mode,\n" msgstr " -s = Skript-Modus\n" #: src/acl_tlist.c:352 src/acl_tlist.c:356 #, c-format msgid "%s: %i entries\n" msgstr "%s: %i Einträge\n" #: src/acl_tlist.c:569 src/acl_tlist.c:586 #, c-format msgid "" "# %s: %i targets\n" "\n" msgstr "" "# %s: %i Zielobjekte\n" "\n" #: src/attr_back_dev.c:52 #, c-format msgid "Use: %s [-v] [-o target-file] file/dirname(s)\n" msgstr "Aufruf: %s [-v] [-o Zieldatei] Objektname(n)\n" #: src/attr_back_dev.c:53 #, c-format msgid "- should be called by root with all rsbac modules switched off,\n" msgstr "" "- sollte durch 'root' nach Abschalten aller RSBAC-Module aufgerufen werden,\n" #: src/attr_back_dev.c:54 src/attr_back_fd.c:76 src/auth_back_cap.c:44 #: src/mac_back_trusted.c:42 src/mac_back_trusted.c:236 #, c-format msgid " -r = recurse in subdirs, -v = verbose, no symlinks followed,\n" msgstr "" " -r = rekursiv, -v = ausführlich, symbolische Links werden nicht verfolgt,\n" #: src/attr_back_dev.c:55 src/attr_back_group.c:51 src/auth_back_cap.c:45 #, c-format msgid " -T file = read file/dirname list from file (- for stdin),\n" msgstr " -T Datei = Datei-/Verzeichnisliste aus Datei lesen (- für stdin),\n" #: src/attr_back_dev.c:56 src/attr_back_fd.c:81 src/attr_back_group.c:53 #: src/attr_back_user.c:77 #, c-format msgid " -o target-file = write to file, not stdout,\n" msgstr " -o Ziel-Datei = in Datei schreiben, nicht auf stdout,\n" #: src/attr_back_dev.c:57 #, c-format msgid " -b = backup all device entries known to RSBAC,\n" msgstr " -b = Backup aller RSBAC bekannten Geräteeinträge,\n" #: src/attr_back_dev.c:58 src/attr_back_group.c:54 src/attr_back_net.c:63 #: src/attr_back_user.c:78 #, c-format msgid " -A = list attributes and values,\n" msgstr " -A = Attribute und Werte auflisten\n" #: src/attr_back_dev.c:74 #, c-format msgid "# Processing DEV '%s'\n" msgstr "# Bearbeite DEV '%s'\n" #: src/attr_back_dev.c:271 src/attr_back_fd.c:352 src/attr_back_net.c:268 #: 
src/attr_back_user.c:294 src/mac_back_trusted.c:179 #, c-format msgid "%s: missing filename for parameter o\n" msgstr "%s: fehlender Dateiname für Parameter o\n" #: src/attr_back_dev.c:281 src/attr_back_group.c:161 src/attr_back_group.c:171 #: src/attr_back_net.c:278 src/attr_back_user.c:304 src/auth_back_cap.c:445 #: src/auth_back_cap.c:455 #, c-format msgid "%s: missing filename for parameter %c\n" msgstr "%s: fehlender Dateiname für Parameter %c\n" #: src/attr_back_dev.c:285 #, c-format msgid "Attributes and values in backup = see following list:\n" msgstr "Attribute und Werte im Backup = siehe folgende Liste:\n" #: src/attr_back_dev.c:328 src/attr_back_fd.c:420 src/attr_back_group.c:217 #: src/attr_back_net.c:335 src/attr_back_user.c:350 src/auth_back_cap.c:487 #: src/mac_back_trusted.c:211 #, c-format msgid "opening target file returned error: %s\n" msgstr "Öffnen der Zieldatei ergab Fehler: %s\n" #: src/attr_back_dev.c:362 src/attr_back_fd.c:432 src/attr_back_group.c:259 #: src/attr_back_net.c:376 src/attr_back_net.c:437 src/attr_back_user.c:429 #: src/auth_back_cap.c:497 #, c-format msgid "opening target list file returned error: %s\n" msgstr "Öffnen der Ziel-Listen-Datei ergab Fehler: %s\n" #: src/attr_back_dev.c:371 src/attr_back_group.c:268 src/attr_back_net.c:385 #: src/attr_back_net.c:446 src/attr_back_user.c:438 #, c-format msgid "# - plus targets from file %s\n" msgstr "# - plus Ziele aus Datei %s\n" #: src/attr_back_fd.c:74 #, c-format msgid "Use: %s [options] file/dirname(s)\n" msgstr "Aufruf: %s [Schalter] Objektname(n)\n" #: src/attr_back_fd.c:75 #, c-format msgid "" "- should be called by user with full attribute read access,\n" " e.g. root with all modules off\n" msgstr "" "- sollte durch einen Benutzer mit vollem Lesezugriff auf Attribute " "aufgerufen werden,\n" "- z.B. 
root mit allen Modulen aus\n" #: src/attr_back_fd.c:77 #, c-format msgid " -s = ignore daz_scanned,\n" msgstr " -s = daz_scanned ignorieren,\n" #: src/attr_back_fd.c:78 #, c-format msgid " -T file = read target list from file (- for stdin),\n" msgstr " -T Datei = Ziel-Liste aus Datei lesen (- für stdin),\n" #: src/attr_back_fd.c:79 #, c-format msgid " -i = use MAC non-inherit values as default values,\n" msgstr " -i = verwende MAC non-inherit-Werte als Standardwerte,\n" #: src/attr_back_fd.c:80 #, c-format msgid " -P flags = use these PaX flags as default, preset is PeMRxS,\n" msgstr " -P Schalter = Diese PaX-Schalter als Standard, Vorgabe ist PeMRxS,\n" #: src/attr_back_fd.c:82 #, c-format msgid " -a = list attributes and values,\n" msgstr " -a = liste alle Attribute und Werte\n" #: src/attr_back_fd.c:96 #, c-format msgid "# Processing FD '%s'\n" msgstr "# Bearbeite FD '%s'\n" #: src/attr_back_fd.c:362 #, c-format msgid "%s: missing filename for parameter T\n" msgstr "%s: fehlender Dateiname für Parameter T\n" #: src/attr_back_fd.c:365 src/attr_back_net.c:284 #, c-format msgid "attributes and values in backup = see following list:\n" msgstr "Attribute und Werte im Backup = siehe folgende Liste:\n" #: src/attr_back_fd.c:385 #, c-format msgid "%s: missing PaX flags for parameter %c\n" msgstr "%s: fehlende PaX-Schalter für Parameter %c\n" #: src/attr_back_fd.c:439 #, c-format msgid "# %s: %i targets" msgstr "# %s: %i Zielobjekte" #: src/attr_back_fd.c:441 src/auth_back_cap.c:506 src/mac_back_trusted.c:218 #, c-format msgid " - recursing" msgstr " - rekursiv" #: src/attr_back_fd.c:443 src/auth_back_cap.c:508 #, c-format msgid " - plus targets from file %s" msgstr " - plus Ziele aus Datei %s" #: src/attr_back_group.c:49 #, c-format msgid "Use: %s [flags] [groupname(s)]\n" msgstr "Aufruf: %s [Schalter] [Gruppenname(n)]\n" #: src/attr_back_group.c:50 #, c-format msgid " -a = process all groups, -v = verbose,\n" msgstr " -a = Alle Gruppen bearbeiten, -v = ausführlich,\n" 
#: src/attr_back_group.c:52 #, c-format msgid " -n = show numeric gid not groupname,\n" msgstr " -n = verwende Gruppennummern, nicht -namen\n" #: src/attr_back_group.c:69 #, c-format msgid "# Processing group %s\n" msgstr "# Bearbeite Gruppe %s\n" #: src/attr_back_group.c:71 #, c-format msgid "# Processing group %u\n" msgstr "# Bearbeite Gruppe %u\n" #: src/attr_back_group.c:174 src/attr_back_user.c:307 #, c-format msgid "- attributes and values in backup = see following list:\n" msgstr "- Attribute und Werte im Backup = siehe folgende Liste:\n" #: src/attr_back_group.c:228 #, c-format msgid "# %s: processing all groups\n" msgstr "# %s: Bearbeite alle Gruppen\n" #: src/attr_back_net.c:60 #, c-format msgid "Use: %s [options] target name(s)/number(s)\n" msgstr "Aufruf: %s [Schalter] Ziel Name(n)/Nummer(n)\n" #: src/attr_back_net.c:61 #, c-format msgid "" " should be called by user with full attribute read access,\n" "- e.g. with all modules off\n" msgstr "" "- sollte durch Benutzer mit vollem Lesezugriff auf Attribute aufgerufen " "werden,\n" "- z.B. mit allen Modulen aus\n" #: src/attr_back_net.c:62 #, c-format msgid " -a = backup all objects, -v = verbose, no symlinks followed,\n" msgstr "" " -a = alle Objekte sichern, -v = ausführlich, symb. 
Links nicht verfolgen,\n" #: src/attr_back_net.c:65 #, c-format msgid " valid targets: NETDEV, NETTEMP\n" msgstr " gültige Ziel-Typen: NETDEV, NETTEMP\n" #: src/attr_back_net.c:77 #, c-format msgid "# Processing NETDEV '%s'\n" msgstr "# Bearbeite NETDEV '%s'\n" #: src/attr_back_net.c:147 #, c-format msgid "# Processing NETTEMP %u\n" msgstr "# Bearbeite NETTEMP %u\n" #: src/attr_back_net.c:346 #, c-format msgid "invalid target %s\n" msgstr "ungültiges Ziel %s\n" #: src/attr_back_user.c:74 #, c-format msgid "Use: %s [flags] [username(s)]\n" msgstr "Aufruf: %s [Schalter] [Benutzername(n)]\n" #: src/attr_back_user.c:75 #, c-format msgid " -a = process all users, -v = verbose,\n" msgstr " -a = Alle Benutzer bearbeiten, -v = ausführlich,\n" #: src/attr_back_user.c:76 #, c-format msgid " -n = show numeric uid not username,\n" msgstr " -n = zeige Benutzernummern, nicht -namen\n" #: src/attr_back_user.c:93 #, c-format msgid "# Processing user %s\n" msgstr "# Bearbeite Benutzer %s\n" #: src/attr_back_user.c:95 #, c-format msgid "# Processing user %u\n" msgstr "# Bearbeite Benutzer %u\n" #: src/attr_get_fd.c:40 #, c-format msgid "Use: %s [switches] module target-type attribute file/dirname(s)\n" msgstr "" "Aufruf: %s [Schalter] Modul Ziel-Typ Attribut Datei-/Verzeichnisname(n)\n" #: src/attr_get_fd.c:41 src/attr_get_net.c:44 #, c-format msgid " -v = verbose, -e = show effective (maybe inherited) value, not real\n" msgstr "" " -v = ausführlich, -e = zeige effektiven (evt. 
geerbten) Wert, nicht " "realen\n" #: src/attr_get_fd.c:42 src/attr_set_net.c:44 #, c-format msgid " -r = recurse into subdirs, -n = list all requests\n" msgstr " -r = rekursiv in Unterverzeichnisse, -n liste alle Anfragen\n" #: src/attr_get_fd.c:43 src/attr_get_file_dir.c:38 src/attr_get_group.c:33 #: src/attr_get_net.c:46 src/attr_get_process.c:34 src/attr_get_up.c:28 #: src/attr_get_user.c:35 src/attr_set_net.c:45 #, c-format msgid " -a = list attributes and values\n" msgstr " -a = liste Attribute und Werte\n" #: src/attr_get_fd.c:45 src/attr_get_group.c:35 src/attr_get_up.c:30 #: src/attr_get_user.c:37 src/attr_set_fd.c:46 src/attr_set_process.c:35 #: src/attr_set_up.c:28 #, c-format msgid " module = GEN, MAC, FC, SIM, PM, MS, FF, RC or AUTH\n" msgstr " Modul = GEN, MAC, FC, SIM, PM, MS, FF, RC oder AUTH\n" #: src/attr_get_fd.c:46 src/attr_rm_fd.c:41 src/attr_set_fd.c:47 #: src/rc_get_eff_rights_fd.c:43 #, c-format msgid " target-type = FILE, DIR, FIFO, SYMLINK, DEV or FD\n" msgstr " Ziel-Typ = FILE, DIR, FIFO, SYMLINK, DEV oder FD\n" #: src/attr_get_fd.c:47 #, c-format msgid " (FD: let %s decide between FILE, DIR, FIFO and SYMLINK, no DEV)\n" msgstr "" " (FD: lass %s zwischen FILE, DIR, FIFO und SYMLINK entscheiden, kein DEV),\n" #: src/attr_get_fd.c:57 src/attr_get_net.c:89 src/attr_set_net.c:191 #, c-format msgid "Processing %s '%s', attribute %s\n" msgstr "Bearbeite %s '%s', Attribut %s\n" #: src/attr_get_fd.c:69 #, c-format msgid "%s: %s\n" msgstr "%s: %s\n" #: src/attr_get_fd.c:77 src/attr_get_fd.c:81 src/attr_get_fd.c:107 #: src/attr_get_fd.c:121 src/attr_get_net.c:113 src/attr_get_net.c:124 #, c-format msgid "%s: Returned value: %s\n" msgstr "%s: Rückgabewert: %s\n" #: src/attr_get_fd.c:85 src/attr_get_fd.c:101 src/attr_get_fd.c:116 #: src/attr_get_net.c:106 src/attr_get_net.c:149 src/attr_get_net.c:162 #, c-format msgid "%s: Returned value: %u\n" msgstr "%s: Rückgabewert: %u\n" #: src/attr_get_fd.c:125 src/attr_get_net.c:170 #, c-format msgid "%s: 
Returned value: %i\n" msgstr "%s: Rückgabewert: %i\n" #: src/attr_get_fd.c:222 src/attr_get_net.c:282 src/attr_set_net.c:259 #, c-format msgid "- attribute (string) and returned value = see following lists:\n" msgstr "- Attribute (Zeichenkette) und Rückgabewerte = siehe Liste:\n" #: src/attr_get_fd.c:223 src/attr_get_file_dir.c:167 src/attr_set_fd.c:164 #: src/attr_set_file_dir.c:122 #, c-format msgid "- FILE, DIR, FIFO and SYMLINK:\n" msgstr "- FILE, DIR, FIFO und SYMLINK:\n" #: src/attr_get_fd.c:280 #, c-format msgid "%s: invalid target type %s\n" msgstr "%s: Ungültiger Ziel-Typ %s\n" #: src/attr_get_file_dir.c:30 #, c-format msgid "Use: %s module target-type file/dirname attribute [request]\n" msgstr "Aufruf: %s Modul Ziel-Typ Datei-/Verzeichnisname Attribut [Anfrage]\n" #: src/attr_get_file_dir.c:31 #, c-format msgid "Use: %s module target-type file/dirname attribute [position]\n" msgstr "Aufruf: %s Modul Ziel-Typ Datei-/Verzeichnisname Attribut [Position]\n" #: src/attr_get_file_dir.c:32 #, c-format msgid "Use: %s list_category_nr\n" msgstr "Aufruf: %s list_category_nr\n" #: src/attr_get_file_dir.c:33 src/attr_get_user.c:31 #, c-format msgid " -e = show effective (maybe inherited) value, not real\n" msgstr " -e = zeige effektiven (evt. 
geerbten) Wert, nicht realen\n" #: src/attr_get_file_dir.c:35 #, c-format msgid " -p = print requests, -n [target] = list all requests [for target]\n" msgstr " -p = zeige Anfragenamen, -n [Ziel] = liste alle Anfragen [für Ziel]\n" #: src/attr_get_file_dir.c:36 src/attr_get_user.c:34 #, c-format msgid " -c list all Linux capabilities, -R = list all RES resource names\n" msgstr " -c = Linux Capabilities ausgeben, -R = alle RES-Resourcen ausgeben\n" #: src/attr_get_file_dir.c:37 #, c-format msgid "" " -C path = convert path to device special file to device specification\n" msgstr " -C Pfad = Geräte-Dateiname in Geräte-Spezifikation wandeln\n" #: src/attr_get_file_dir.c:40 #, c-format msgid " module = GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH, RES or PAX\n" msgstr " Modul = GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH, RES oder PAX\n" #: src/attr_get_file_dir.c:41 src/attr_rm_file_dir.c:31 #, c-format msgid " target-type = FILE, DIR, FIFO, SYMLINK or DEV\n" msgstr " Ziel-Typ = FILE, DIR, FIFO, SYMLINK oder DEV\n" #: src/attr_get_file_dir.c:166 src/attr_get_group.c:167 #: src/attr_get_process.c:97 src/attr_get_up.c:89 src/attr_get_user.c:189 #: src/attr_set_group.c:109 src/attr_set_user.c:109 #, c-format msgid "- attribute (string) and returned value = see following list:\n" msgstr "- Attribut (Zeichenkette) und Rückgabewerte = siehe Liste:\n" #: src/attr_get_file_dir.c:168 src/attr_get_file_dir.c:179 #, c-format msgid "" "log_level\t\t(additional parameter request-type)\n" "\t\t\t0=none, 1=denied, 2=full, 3=request based\n" msgstr "" "log_level\t\t(zusätzlicher Parameter Anfrage-Typ)\n" "\t\t\t0=keine, 1=abgelehnte, 2=voll, 3=Anfrage-basiert\n" #: src/attr_get_file_dir.c:169 src/attr_get_file_dir.c:180 #, c-format msgid "" "mac_categories\t\t(with additional parameter position)\n" "\t\t\t0=no, 1=yes\n" msgstr "" "mac_categories\t\t(zusätzlicher Parameter Position)\n" "\t\t\t0=nein, 1=ja\n" #: src/attr_get_file_dir.c:177 src/attr_get_user.c:197 #: src/attr_set_file_dir.c:130 
#, c-format msgid "" "[RES ] res_min|res_max (with additional parameter position)\n" "\tnon-negative integer (0 for unset)\n" msgstr "" "[RES ] res_min|res_max (zusätzlicher Parameter Position)\n" "\tnicht-negativer Integer (0 zum zurücksetzen)\n" #: src/attr_get_file_dir.c:220 #, c-format msgid "%s: %s is no device special file\n" msgstr "%s: %s ist keine Gerätedatei\n" #: src/attr_get_file_dir.c:227 #, c-format msgid "%s: missing path for parameter %c\n" msgstr "%s: fehlender Pfad für Parameter %c\n" #: src/attr_get_file_dir.c:370 src/attr_get_file_dir.c:430 #: src/attr_set_file_dir.c:739 #, c-format msgid "Invalid request type %s\n" msgstr "Ungültiger Anfrage-Typ %s\n" #: src/attr_get_file_dir.c:406 src/attr_get_file_dir.c:466 #: src/attr_get_ipc.c:128 src/attr_get_process.c:262 src/attr_get_user.c:386 #: src/attr_get_user.c:418 src/attr_set_file_dir.c:813 #: src/attr_set_file_dir.c:861 src/attr_set_ipc.c:122 #: src/attr_set_process.c:399 src/attr_set_user.c:600 src/attr_set_user.c:633 #, c-format msgid "Invalid position counter %s\n" msgstr "Ungültiger Positionszähler %s\n" #: src/attr_get_file_dir.c:431 src/attr_set_file_dir.c:740 #, c-format msgid "Valid request types:\n" msgstr "Gültige Anfrage-Typen:\n" #: src/attr_get_group.c:30 #, c-format msgid "" "Use: %s [switches] module group attribute [position|request-name]\n" "\n" msgstr "" "Aufruf: %s [Schalter] Modul Gruppe Attribut [Position|Anfrage-Name]\n" "\n" #: src/attr_get_group.c:31 src/attr_get_user.c:32 #, c-format msgid " -n = numeric value, -b = both names and numbers,\n" msgstr " -n = Zahlenwerte, -b = Namen und Zahlen,\n" #: src/attr_get_group.c:32 src/attr_get_user.c:33 #, c-format msgid " -l list all users, -L list all Linux groups\n" msgstr " -l alle Benutzer ausgeben, -L = alle Linux-Gruppen ausgeben\n" #: src/attr_get_group.c:232 src/attr_get_ipc.c:151 src/attr_get_process.c:145 #: src/attr_get_process.c:255 src/attr_get_up.c:153 src/attr_get_user.c:282 #: src/attr_set_group.c:177 
src/attr_set_ipc.c:158 src/attr_set_process.c:323 #: src/attr_set_process.c:392 src/attr_set_user.c:448 #, c-format msgid "%s: Invalid Attribute %s!\n" msgstr "%s: Ungültiges Attribut %s!\n" #: src/attr_get_ipc.c:32 #, c-format msgid "Use: %s [flags] ipc-type id attribute\n" msgstr "Aufruf: %s [Schalter] IPC-Typ ID Attribut\n" #: src/attr_get_ipc.c:35 #, c-format msgid " ipc-types: sem, msg, shm, anonpipe,\n" msgstr " IPC-Typen: sem, msg, shm, anonpipe,\n" #: src/attr_get_ipc.c:36 #, c-format msgid " attribute (string) and returned value = see following list:\n" msgstr " Attribut (Zeichenkette) und Rückgabewerte = siehe Liste:\n" #: src/attr_get_ipc.c:118 src/attr_get_ipc.c:142 src/attr_set_ipc.c:149 #, c-format msgid "%s: Invalid IPC type %s!\n" msgstr "%s: Ungültiger IPC-Typ %s\n" #: src/attr_get_net.c:43 #, c-format msgid "" "Use: %s [-v] [-e] module target-type attribute [CAT category] [request] id" "(s)\n" msgstr "" "Aufruf: %s [-v] [-e] Modul Ziel-Typ Attribut [CAT Kategorie] [Anfrage] id" "(s)\n" #: src/attr_get_net.c:45 #, c-format msgid "" " -r = recurse into subdirs, -n [target] = list all requests [for target]\n" msgstr "" " -r = rekursiv in Unterverz., -n [Ziel] = liste alle Anfragen [für Ziel]\n" #: src/attr_get_net.c:47 #, c-format msgid " -d = list NETDEV targets with non-default attribute values\n" msgstr " -d = liste NETDEV-Ziele mit Nicht-Standard-Attributwerten\n" #: src/attr_get_net.c:49 src/attr_set_net.c:48 #, c-format msgid " module = GEN, MAC, FC, SIM, PM, MS or RC\n" msgstr " Modul = GEN, MAC, FC, SIM, PM, MS oder RC\n" #: src/attr_get_net.c:50 src/attr_set_net.c:49 #, c-format msgid " target-type = NETDEV, NETTEMP or NETOBJ\n" msgstr " Ziel-Typ = NETDEV, NETTEMP oder NETOBJ\n" #: src/attr_get_net.c:51 src/attr_set_net.c:50 #, c-format msgid " category = category number for mac_categories\n" msgstr " Kategorie = Kategorie-Nummer für mac_categories\n" #: src/attr_get_net.c:52 src/attr_set_net.c:51 #, c-format msgid " request = request number 
for log_array_low|high\n" msgstr " Anfrage = Anfrage-Nummer für log_array_low|high\n" #: src/attr_get_net.c:84 src/attr_set_net.c:76 #, c-format msgid "Internal error on %s %s!\n" msgstr "Interner Fehler in %s %s!\n" #: src/attr_get_net.c:353 src/attr_set_net.c:342 #, c-format msgid "%s: invalid target %s\n" msgstr "%s: Ungültiger Ziel-Typ %s!\n" #: src/attr_get_process.c:32 #, c-format msgid "Use: %s [switches] module pid attribute [bit-no]\n" msgstr "Aufruf: %s [Schalter] Modul Prozeß Attribut [Bit-Nr.]\n" #: src/attr_get_process.c:33 #, c-format msgid " -p = print all request names, -n = list all request names\n" msgstr " -p = Anfragenamen drucken, -n = alle Anfragen ausgeben\n" #: src/attr_get_process.c:36 #, c-format msgid " module = GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH or PAX\n" msgstr " Modul = GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH oder PAX\n" #: src/attr_get_process.c:37 #, c-format msgid "" " categories and log_program_based\t(with additional parameter bit-no)\n" "\t\t\t0=no, 1=yes\n" msgstr "" " categories und log_program_based\t(mit Zusatz-Parameter Bit-Nr)\n" "\t\t\t0=nein, 1=ja\n" #: src/attr_get_up.c:27 #, c-format msgid "" "Use: %s [switches] module target-type attribute user(s)/proc-no.\n" "\n" msgstr "" "Aufruf: %s [Schalter] Modul Ziel-Typ Attribut Benutzer/Prozeß-Nr.\n" "\n" #: src/attr_get_up.c:31 #, c-format msgid " target-type = USER or PROCESS,\n" msgstr " Ziel-Typ = USER oder PROCESS,\n" #: src/attr_get_up.c:147 src/attr_set_up.c:156 src/auth_set_cap.c:199 #: src/auth_set_cap.c:269 src/mac_set_trusted.c:175 src/mac_set_trusted.c:224 #, c-format msgid "%s: Invalid Target %s!\n" msgstr "%s: Ungültiger Ziel-Typ %s!\n" #: src/attr_get_up.c:162 #, c-format msgid "Processing process %i, attribute %s (No. %i)\n" msgstr "Bearbeite Prozeß %i, Attribut %s (Nr. 
%i)\n" #: src/attr_get_up.c:171 #, c-format msgid "" "Invalid user %s!\n" "\n" msgstr "" "Ungültiger Benutzer %s!\n" "\n" #: src/attr_get_up.c:174 #, c-format msgid "Processing user %s (uid %i), attribute %s (No. %i)\n" msgstr "Bearbeite Benutzer %s (ID %i), Attribut %s (Nr. %i)\n" #: src/attr_get_up.c:206 #, c-format msgid "Returned value: %u\n" msgstr "Rückgabewert: %u\n" #: src/attr_get_up.c:209 #, c-format msgid "Returned value: %i\n" msgstr "Rückgabewert: %i\n" #: src/attr_get_user.c:30 #, c-format msgid "" "Use: %s [switches] module user attribute [position|request-name]\n" "\n" msgstr "" "Aufruf: %s [Schalter] Modul Benutzer Attribut [Position|Anfrage-Name]\n" "\n" #: src/attr_get_user.c:38 #, c-format msgid "" " mac_[min_]categories\t\t(with additional parameter position)\n" "\t\t\t0=no, 1=yes\n" msgstr "" " mac_[min_]categories\t\t(zusätzlicher Parameter Position)\n" "\t\t\t0=nein, 1=ja\n" #: src/attr_get_user.c:39 #, c-format msgid "" " log_user_based\t(with additional parameter request-name)\n" "\t\t\t0=no, 1=yes\n" msgstr "" " log_user_based\t(Mit Zusatz-Parameter Anfrage-Name)\n" "\t\t\t0=nein, 1=ja\n" #: src/attr_get_user.c:399 #, c-format msgid "Invalid request %s\n" msgstr "Ungültige Anfrage %s\n" #: src/attr_rm_fd.c:38 #, c-format msgid "Use: %s [-v] [-r] target-type file/dirname(s)\n" msgstr "Aufruf: %s [-v] [-r] Ziel-Typ Datei-/Verzeichnisname(n)\n" #: src/attr_rm_fd.c:42 src/attr_set_fd.c:48 src/rc_get_eff_rights_fd.c:44 #, c-format msgid " (FD: let %s decide between FILE, DIR, FIFO and SYMLINK, no DEV),\n" msgstr "" " (FD: laß %s zwischen FILE, DIR, FIFO und SYMLINK entscheiden, kein DEV),\n" #: src/attr_rm_fd.c:52 #, c-format msgid "Processing '%s'\n" msgstr "Bearbeite '%s'\n" #: src/attr_rm_file_dir.c:28 #, c-format msgid "Use: %s [flags] target-type file/dirname\n" msgstr "Aufruf: %s [Schalter] Ziel-Typ Datei-/Verzeichnis-Name\n" #: src/attr_rm_group.c:27 #, c-format msgid "" "Use: %s [flags] group(s)\n" "\n" msgstr "" "Aufruf: %s [Schalter] 
Gruppe(n)\n" "\n" #: src/attr_rm_group.c:83 #, c-format msgid "" "%s: %i groups\n" "\n" msgstr "" "%s: %i Gruppen\n" "\n" #: src/attr_rm_group.c:88 #, c-format msgid "" "Invalid Group %s!\n" "\n" msgstr "" "Ungültige Gruppe %s!\n" "\n" #: src/attr_rm_group.c:91 #, c-format msgid "Processing group %s (gid %i)\n" msgstr "Bearbeite Gruppe %s (GID %i)\n" #: src/attr_rm_user.c:27 #, c-format msgid "" "Use: %s [flags] user(s)\n" "\n" msgstr "" "Aufruf: %s [Schalter] Benutzer1 ...\n" "\n" #: src/attr_rm_user.c:83 #, c-format msgid "" "%s: %i users\n" "\n" msgstr "" "%s: %i Benutzer\n" "\n" #: src/attr_rm_user.c:88 #, c-format msgid "" "Invalid User %s!\n" "\n" msgstr "" "Ungültiger Benutzer %s!\n" "\n" #: src/attr_rm_user.c:91 #, c-format msgid "Processing user %s (uid %i)\n" msgstr "Bearbeite Benutzer %s (ID %i)\n" #: src/attr_set_fd.c:40 #, c-format msgid "Use: %s [-v] [-r] module target-type attribute value file/dirname(s)\n" msgstr "" "Aufruf: %s [-v] [-r] Modul Ziel-Typ Attribut Wert Datei-/Verzeichnis-Name" "(n)\n" #: src/attr_set_fd.c:42 #, c-format msgid " -n = list all requests\n" msgstr " -n = liste alle Anfragen\n" #: src/attr_set_fd.c:43 src/attr_set_file_dir.c:33 src/attr_set_group.c:31 #: src/attr_set_process.c:33 src/attr_set_user.c:31 #, c-format msgid " -A = list attributes and values\n" msgstr " -A = Attribute und Werte auflisten\n" #: src/attr_set_fd.c:59 #, c-format msgid "Processing %s '%s', attribute %s, value %i\n" msgstr "Bearbeite %s '%s', Attribut %s, Wert %i\n" #: src/attr_set_fd.c:163 src/attr_set_file_dir.c:119 #: src/attr_set_process.c:108 src/attr_set_up.c:88 #, c-format msgid "- attribute (string) and value (integer) = see following list:\n" msgstr "- Attribut (Zeichenkette) und Wert (Zahl) = siehe Liste:\n" #: src/attr_set_fd.c:245 src/attr_set_file_dir.c:475 src/attr_set_group.c:190 #: src/attr_set_up.c:163 src/attr_set_user.c:461 #, c-format msgid "%s: Invalid attribute %s\n" msgstr "%s: Ungültiges Attribut %s\n" #: src/attr_set_fd.c:249 
#, c-format msgid "%s: Attribute %s not supported\n" msgstr "%s: Attribut %s nicht unterstützt\n" #: src/attr_set_fd.c:256 src/attr_set_file_dir.c:486 #: src/attr_set_process.c:333 src/attr_set_up.c:185 src/attr_set_user.c:472 #, c-format msgid "%s: Invalid attribute value, length must be %i\n" msgstr "%s: Ungültiger Attributwert, Länge muß %i sein!\n" #: src/attr_set_fd.c:265 src/attr_set_fd.c:284 src/attr_set_file_dir.c:495 #: src/attr_set_file_dir.c:534 src/attr_set_process.c:342 src/mac_wrap.c:95 #, c-format msgid "%s: Invalid attribute value char, must be 0 or 1\n" msgstr "%s: Ungültiges Zeichen im Attributwert, muß 0 oder 1 sein\n" #: src/attr_set_file_dir.c:28 #, c-format msgid "Use: %s module target-type file/dirname attribute [request] value\n" msgstr "" "Aufruf: %s Modul Ziel-Typ Datei-/Verzeichnisname Attribut [Anfrage] Wert\n" #: src/attr_set_file_dir.c:29 #, c-format msgid "Use: %s module target-type file/dirname attribute [position] value\n" msgstr "" "Aufruf: %s Modul Ziel-Typ Datei-/Verzeichnisname Attribut [Position] Wert\n" #: src/attr_set_file_dir.c:30 #, c-format msgid "" "Use: %s [switches] module target-type filename log_program_based [list-of-" "requests]\n" msgstr "" "Aufruf: %s [Schalter] Modul Ziel-Typ Dateiname log_program_based [Liste-von-" "Anfragen]\n" #: src/attr_set_file_dir.c:31 #, c-format msgid "" " -a = add, not set, -m = remove not set, -p = print resulting requests,\n" msgstr "" " -a = hinzufügen, nicht setzen, -m = entfernen, nicht setzen,\n" " -p = Anfragen ausgeben,\n" #: src/attr_set_file_dir.c:36 #, c-format msgid " module = GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH or RES\n" msgstr " Modul = GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH oder RES\n" #: src/attr_set_file_dir.c:37 #, c-format msgid " target-type = FILE, DIR, FIFO, SYMLINK or DEV,\n" msgstr " Ziel-Typ = FILE, DIR, FIFO, SYMLINK oder DEV,\n" #: src/attr_set_file_dir.c:120 #, c-format msgid "" "[GEN ] log_level (additional parameter request-type)\n" "\t0=none, 
1=denied, 2=full, 3=request-based\n" msgstr "" "[GEN ] log_level (Zusätzlicher Parameter Anfrage-Typ)\n" "\t0=kein, 1=verweigert, 2=voll, 3=Anfrage-basiert\n" #: src/attr_set_file_dir.c:121 #, c-format msgid "" "[GEN ] mac_categories (with additional parameter position)\n" "\t0=no, 1=yes\n" msgstr "" "[GEN ] mac_categories (zusätzlicher Parameter Position)\n" "\t0=nein, 1=ja\n" #: src/attr_set_file_dir.c:223 #, c-format msgid "%s: Invalid request vector %s\n" msgstr "%s: Ungültiger Anfragen-Vektor %s\n" #: src/attr_set_file_dir.c:397 src/attr_set_user.c:371 #, c-format msgid "%s: Invalid cap vector %s\n" msgstr "%s: Ungültiger Cap-Vektor %s\n" #: src/attr_set_file_dir.c:479 src/attr_set_up.c:167 src/attr_set_user.c:465 #, c-format msgid "%s: Invalid number of arguments for attribute %s\n" msgstr "%s: Ungültige Anzahl Argumente für Attribut %s!\n" #: src/attr_set_file_dir.c:712 #, c-format msgid "Setting attribute %s for %s to value %lu\n" msgstr "Setze Attribut %s für %s auf Wert %lu\n" #: src/attr_set_file_dir.c:755 #, c-format msgid "Invalid log_level value %s\n" msgstr "Ungültiger log_level-Wert %s\n" #: src/attr_set_file_dir.c:819 src/attr_set_ipc.c:128 src/attr_set_net.c:148 #: src/attr_set_process.c:405 src/attr_set_user.c:606 #, c-format msgid "Invalid value %s\n" msgstr "Ungültiger Wert %s\n" #: src/attr_set_group.c:28 src/attr_set_user.c:28 #, c-format msgid "" "Use: %s module user attribute [position] value\n" "\n" msgstr "" "Aufruf: %s Modul Benutzer Attribut [Position] Wert\n" "\n" #: src/attr_set_group.c:29 src/attr_set_user.c:29 #, c-format msgid "" "Use: %s [switches] module user log_user_based [request-list]\n" "\n" msgstr "" "Aufruf: %s [Schalter] Modul Benutzer log_user_based [Anfragen-Liste]\n" "\n" #: src/attr_set_group.c:30 src/attr_set_process.c:32 src/attr_set_user.c:30 #, c-format msgid "" " -p = print resulting requests, -a = add, not set, -m = remove, not set\n" msgstr "" " -p = Anfrage-Namen ausgeben, -a = hinzufügen, nicht setzen, -m = " 
"entfernen\n" #: src/attr_set_group.c:34 src/attr_set_user.c:34 #, c-format msgid " module = GEN, MAC, FC, SIM, PM, DAZ, FF, RC or AUTH\n" msgstr " Modul = GEN, MAC, FC, SIM, PM, DAZ, FF, RC or AUTH\n" #: src/attr_set_group.c:110 src/attr_set_user.c:110 #, c-format msgid "" "[MAC ] mac_[min_|initial_]categories (with additional parameter position)\n" "\t0=no, 1=yes\n" msgstr "" "[MAC ] mac_[min_|initial_]categories (zusätzlicher Parameter Position)\n" "\t0=nein, 1=ja\n" #: src/attr_set_group.c:111 src/attr_set_user.c:111 #, c-format msgid "" "[GEN ] log_user_based (with space separated list of requests)\n" "\t0=no, 1=yes\n" msgstr "" "[GEN ] log_user_based (Mit leerzeichen-getrennter Liste von Anfragen)\n" "\t0=nein, 1=ja\n" #: src/attr_set_ipc.c:32 #, c-format msgid "Use: %s ipc-type id attribute value\n" msgstr "Aufruf: %s IPC-Typ ID Attribut Wert\n" #: src/attr_set_ipc.c:34 #, c-format msgid "- ipc-types: sem, msg, shm, anonpipe,\n" msgstr "- IPC-Typen: sem, msg, shm, anonpipe,\n" #: src/attr_set_ipc.c:35 #, c-format msgid "- attribute (string) and value = see following list:\n" msgstr "- Attribut (Zeichenkette) und Wert = siehe Liste:\n" #: src/attr_set_net.c:42 #, c-format msgid "Use: %s [-v] [-e] module target-type attribute [request] value id(s)\n" msgstr "Aufruf: %s [-v] [-e] Modul Ziel-Typ Attribut [Anfrage] Wert ID(s)\n" #: src/attr_set_net.c:43 #, c-format msgid " -v = verbose, -m = remove all attributes\n" msgstr " -v = ausführlich, -m = entferne alle Attribute\n" #: src/attr_set_net.c:116 #, c-format msgid "Wrong argument length for attr mac_categories\n" msgstr "Falsche Argument-Länge für Attribut mac_categories\n" #: src/attr_set_net.c:142 #, c-format msgid "Invalid request number %u\n" msgstr "Ungültige Anfrage-Nummer %u\n" #: src/attr_set_net.c:172 #, c-format msgid "Wrong number of arguments for attr %u\n" msgstr "Falsche Parameterzahl für Attribut %u\n" #: src/attr_set_net.c:199 #, c-format msgid "error: %s\n" msgstr "Fehler: %s\n" #: 
src/attr_set_process.c:31 #, c-format msgid "Use: %s module process-id attribute value\n" msgstr "Aufruf: %s Modul Prozeß-ID Attribut Wert\n" #: src/attr_set_up.c:27 #, c-format msgid "" "Use: %s [switches] module target-type attribute value user/proc-nr.\n" "\n" msgstr "" "Aufruf: %s [Schalter] Modul Ziel-Typ Attribut Wert Benutzer/Prozeß-Nr.\n" "\n" #: src/attr_set_up.c:29 #, c-format msgid " target-type = USER or PROCESS\n" msgstr " Ziel-Typ = USER oder PROCESS\n" #: src/attr_set_up.c:293 #, c-format msgid "Processing process %i, attribute %s (No. %i), value %i\n" msgstr "Bearbeite Prozeß %i, Attribut %s (Nr. %i), Wert %i\n" #: src/attr_set_up.c:303 #, c-format msgid "Processing user %s (uid %i), attribute %s (No. %i), value %i\n" msgstr "Bearbeite Benutzer %s (ID %i), Attribut %s (Nr. %i), Wert %i\n" #: src/attr_set_user.c:548 #, c-format msgid "" "User %u: system_role without module, setting for MAC, FC, SIM, DAZ, FF, " "AUTH\n" msgstr "" "Benutzer %u: system_role ohne Modul, setze für MAC, FC, SIM, DAZ, FF, AUTH\n" #: src/auth_back_cap.c:42 #, c-format msgid "Use: %s [-r] [-v] [-o output-file] file/dirname(s)\n" msgstr "Aufruf: %s [-r] [-v] [-o Ausgabedatei] Datei-/Verzeichnisname(n)\n" #: src/auth_back_cap.c:43 #, c-format msgid " should be called by root with all rsbac modules switched off,\n" msgstr "" " sollte durch 'root' nach Abschalten aller RSBAC-Module aufgerufen werden,\n" #: src/auth_back_cap.c:46 src/auth_set_cap.c:36 src/mac_back_trusted.c:43 #: src/mac_back_trusted.c:237 #, c-format msgid " -m = set maximum length of cap entry list per file, default is %u\n" msgstr "" " -m = setze max. 
Länge der Cap-Eintragsliste pro Datei, Standard ist %u\n" #: src/auth_back_cap.c:47 src/mac_back_trusted.c:44 src/mac_back_trusted.c:238 #, c-format msgid " -o target-file = write to file, not stdout\n" msgstr " -o Ziel-Datei = schreibe in Datei, nicht auf stdout\n" #: src/auth_back_cap.c:60 src/mac_back_trusted.c:56 #, c-format msgid "Processing FILE/DIR '%s'\n" msgstr "Bearbeite FILE/DIR '%s'\n" #: src/auth_back_cap.c:432 src/auth_set_cap.c:113 src/mac_back_trusted.c:166 #: src/mac_set_trusted.c:91 #, c-format msgid "%s: missing maxnum value for parameter %c\n" msgstr "%s: fehlende Maximal-Anzahl für Parameter %c\n" #: src/auth_back_cap.c:504 src/mac_back_trusted.c:216 #, c-format msgid "%s: %i targets" msgstr "%s: %i Zielobjekte" #: src/auth_set_cap.c:31 #, c-format msgid "Use: %s [switches] TYPE add/remove target first_user [last_user]\n" msgstr "" "Aufruf: %s [Schalter] Ziel-Typ add/remove Ziel erster_Benutzer " "[letzter_Benutzer]\n" #: src/auth_set_cap.c:32 src/mac_set_trusted.c:32 #, c-format msgid "Use: %s [switches] TYPE get target\n" msgstr "Aufruf: %s [Schalter] TYPE get target\n" #: src/auth_set_cap.c:33 src/mac_set_trusted.c:33 #, c-format msgid " TYPE = PROCESS (add/remove only), DIR, FILE or FD (auto-select),\n" msgstr " TYPE = PROCESS (nur add/remove), DIR, FILE oder FD (auto),\n" #: src/auth_set_cap.c:34 src/mac_set_trusted.c:34 #, c-format msgid " target = pid or filename\n" msgstr " Ziel = Prozeß-ID oder Dateiname\n" #: src/auth_set_cap.c:35 #, c-format msgid " last_user: range from first_user to last_user\n" msgstr "" " letzter_Benutzer: Bereich von erster_Benutzer bis letzter_Benutzer\n" #: src/auth_set_cap.c:37 #, c-format msgid " -e = get or set caps for effective uids, not real\n" msgstr " -e = zeige oder setze effektive Capabilities, nicht reale\n" #: src/auth_set_cap.c:38 #, c-format msgid " -f = get or set caps for filesystem uids, not real\n" msgstr " -f = zeige oder setze für Dateisystem-uids, nicht reale\n" #: src/auth_set_cap.c:39 #, 
c-format msgid " -g = get or set caps for gids, not uids\n" msgstr " -g = zeige oder setze für Gruppen, nicht Benutzer\n" #: src/auth_set_cap.c:40 #, c-format msgid " -E = get or set for eff gids, not real uids\n" msgstr " -E = zeige oder setze für effektive Gruppe, nicht realen Benutzer\n" #: src/auth_set_cap.c:41 #, c-format msgid " -F = get or set for fs gids, not real uids\n" msgstr " -F = zeige oder setze für Dateisystem-Gruppe, nicht realen Benutzer\n" #: src/auth_set_cap.c:42 src/mac_set_trusted.c:36 #, c-format msgid "" " -t = set relative time-to-live for this cap entry in seconds (add only)\n" msgstr " -t = setze relative Lebenszeit in Sekunden (nur hinzufügen)\n" #: src/auth_set_cap.c:43 src/mac_set_trusted.c:37 #, c-format msgid "" " -T = set absolute time-to-live for this cap entry in seconds (add only)\n" msgstr " -T = setze absolute Lebenszeit in Sekunden (nur hinzufügen)\n" #: src/auth_set_cap.c:44 src/mac_set_trusted.c:38 #, c-format msgid " -D = set relative time-to-live for this cap entry in days (add only)\n" msgstr " -D = setze relative Lebenszeit in Tagen (nur hinzufügen)\n" #: src/auth_set_cap.c:207 src/auth_set_cap.c:274 src/mac_set_trusted.c:183 #: src/mac_set_trusted.c:229 #, c-format msgid "" "%s: Invalid command %s!\n" "\n" msgstr "" "%s: Ungültiges Kommando %s!\n" "\n" #: src/auth_set_cap.c:228 #, c-format msgid "" "%s: Warning: first user %u after last user %u, exiting!\n" "\n" msgstr "" "%s: Warnung: erster Benutzer %u nach letztem Benutzer %u, Abbruch!\n" "\n" #: src/auth_set_cap.c:234 #, c-format msgid "" "%s: Warning: last user %u is special user ID, exiting!\n" "\n" msgstr "" "%s: Warnung: letzter Benutzer %u hat eine Spezial-Nummer, Abbruch!\n" "\n" #: src/get_attribute_name.c:36 #, c-format msgid "Use: %s value\n" msgstr "Aufruf: %s Wert\n" #: src/get_attribute_name.c:37 #, c-format msgid "" "value = attribute number\n" "\n" msgstr "" "Wert = Attribut-Nummer\n" "\n" #: src/get_attribute_nr.c:32 #, c-format msgid "Use: %s 
attribute_name\n" msgstr "Aufruf: %s Attribut-Name\n" #: src/linux2acl.c:61 #, c-format msgid "Use: %s [switches] file/dir/scdname(s)\n" msgstr "Aufruf: %s [Schalter] Objektname(n)\n" # #: src/linux2acl.c:62 #, c-format msgid " -v = use verbose in scripts, -r = recurse into subdirs,\n" msgstr " -v = ausführlich im Skript, -r = rekursiv,\n" #: src/linux2acl.c:63 #, c-format msgid " -g = also create group entries with members,\n" msgstr " -g = erzeuge auch Gruppeneinträge mit Mitgliedern,\n" #: src/linux2acl.c:64 #, c-format msgid " -G = only create group entries with members,\n" msgstr " -G = erzeuge nur Gruppeneinträge mit Mitgliedern,\n" #: src/linux2acl.c:65 #, c-format msgid " -p = print right names, -P use private groups\n" msgstr " -p = Rechtenamen drucken, -P = private Gruppen anlegen\n" #: src/linux2acl.c:66 #, c-format msgid " -n = use numeric user ids where possible\n" msgstr " -n = verwende Benutzernummern, soweit möglich\n" #: src/linux2acl.c:87 #, c-format msgid "stat for %s returned error: %s\n" msgstr "stat für %s ergab Fehler: %s\n" #: src/linux2acl.c:729 #, c-format msgid "internal error in switch\n" msgstr "Interner Fehler in switch!\n" #: src/mac_back_trusted.c:41 src/mac_back_trusted.c:235 #, c-format msgid "Use: %s [-r] [-v] [-o target-file] file/dirname(s)\n" msgstr "Aufruf: %s [-r] [-v] [-m] [-o Zieldatei] Datei-/Verzeichnisname(n)\n" #: src/mac_get_levels.c:28 #, c-format msgid "Use: %s [-v] [-c] [-x] [-n] [-a]\n" msgstr "Aufruf: %s [-v] [-c] [-x] [-n] [-a]\n" #: src/mac_get_levels.c:29 #, c-format msgid "This program will show the RSBAC MAC security levels\n" msgstr "Dieses Programm gibt die RSBAC MAC security levels\n" #: src/mac_get_levels.c:30 #, c-format msgid "and category sets of the calling process.\n" msgstr "und category sets des aufrufenden Prozesses aus\n" # #: src/mac_get_levels.c:31 #, c-format msgid "-a = show all, -c = show current level and categories\n" msgstr "-a = zeige alle, -c = zeige current level und categories,\n" #: 
src/mac_get_levels.c:32 #, c-format msgid "-x = show max, -n = show min level and categories\n" msgstr "-x = zeige max, -n = zeige min level und categories\n" #: src/mac_get_levels.c:94 #, c-format msgid "" "Current level: %u\n" "categories: %s\n" msgstr "" "Current level: %u\n" "categories: %s\n" #: src/mac_get_levels.c:102 #, c-format msgid "" "Max level: %u\n" "categories: %s\n" msgstr "" "Max level: %u\n" "categories: %s\n" #: src/mac_get_levels.c:110 #, c-format msgid "" "Min level: %u\n" "categories: %s\n" msgstr "" "Min level: %u\n" "categories: %s\n" #: src/mac_set_trusted.c:31 #, c-format msgid "Use: %s [switches] TYPE add/remove target user1 user2...\n" msgstr "" "Aufruf: %s [Schalter] Ziel-Typ add/remove Ziel Benutzer1 Benutzer2 ...\n" #: src/mac_set_trusted.c:35 #, c-format msgid " -m = set maximum number of returned members per file, default is %u\n" msgstr " -m = setze Maximalzahl an Ergebnissen pro Datei, Standard ist %u\n" #: src/mac_wrap.c:27 #, c-format msgid "Use: %s [-v] [-l level] [-c categories] prog args\n" msgstr "Aufruf: %s [-v] [-l Level] [-c Kategorien-Vektor] Programm Argumente\n" #: src/mac_wrap.c:28 #, c-format msgid "" "This program will set the current seclevel and categories, if supplied,\n" msgstr "" "Dieses Programm setzt current seclevel und categories, falls angegeben,\n" #: src/mac_wrap.c:29 #, c-format msgid "and then execute prog via execvp().\n" msgstr "und startet Programm mit execvp().\n" #: src/mac_wrap.c:30 #, c-format msgid "Please note that you need mac_auto to set the current values.\n" msgstr "Achtung: Die current-Werte werden nur mit mac_auto gesetzt.\n" # #: src/mac_wrap.c:31 #, c-format msgid "-v = verbose, -l = use this seclevel, -c = use this category set\n" msgstr "" "-v = ausführlich, -l = nimm dieses sec_level, -c = nimm diese Kategorien,\n" #: src/mac_wrap.c:67 src/mac_wrap.c:106 #, c-format msgid "%s: missing value for parameter %c\n" msgstr "%s: fehlender Wert für Parameter %c\n" #: src/mac_wrap.c:74 #, 
c-format msgid "%s: Invalid category string length %i, must be %i\n" msgstr "%s: Ungültige Kategorien-Bitvektor-Länge %i, erwarte %i!\n" #: src/mac_wrap.c:81 #, c-format msgid "%s: Using numeric value %lu instead\n" msgstr "%s: Verwende stattdessen numerischen Wert %lu\n" #: src/mac_wrap.c:125 #, c-format msgid "%s: executing %s with current_sec_level %u and mac_curr_categories %s\n" msgstr "%s: starte %s mit current_sec_level %u und mac_curr_categories %s\n" #: src/net_temp.c:41 #, c-format msgid "Use: %s [switches] function id [set-param]\n" msgstr "Aufruf: %s [Schalter] Funktion ID [Setz-Parameter]\n" #: src/net_temp.c:44 #, c-format msgid " -v = verbose, -l = list functions\n" msgstr " -v = ausführlich, -l = Funktionen auflisten\n" #: src/net_temp.c:45 #, c-format msgid " -b = backup mode, -s = scripting mode,\n" msgstr " -b = Backup-Modus, -s = Skript-Modus,\n" #: src/net_temp.c:46 #, c-format msgid " -n = take number as address, -u = take string as address,\n" msgstr " -n = numerische Adresse, -u = Zeichenkette als Adresse,\n" #: src/net_temp.c:47 #, c-format msgid " -d = take DNS name as address and convert to IP address,\n" msgstr " -d = nimm DNS-Namen als Adresse und konvertiere zu IP-Adresse,\n" #: src/net_temp.c:48 #, c-format msgid " -a = list all templates in detail\n" msgstr " -a = alle Templates detailliert auflisten\n" #: src/pm_create.c:25 #, c-format msgid "" "Use: %s class mode filename(s)\n" "\n" msgstr "Aufruf: %s Klasse Modus Dateiname(n)\n" #: src/pm_create.c:40 #, c-format msgid "" "%s: %i files of class %i, mode %o to be created\n" "\n" msgstr "" "%s: %i Dateien der Klasse %i, Modus %o werden erzeugt\n" "\n" #: src/pm_create.c:44 #, c-format msgid "Processing %s (No. %i)\n" msgstr "Bearbeite %s (Nr. %i)\n" #: src/pm_ct_exec.c:32 #, c-format msgid "%s: executing %s with task %i\n" msgstr "%s: führe %s mit Aufgabe %i aus\n" #: src/pm_ct_exec.c:41 #, c-format msgid "Use: %s task-nr prog args\n" msgstr "Aufruf: %s Aufgaben-Nr. 
Programm Argumente\n" #: src/pm_ct_exec.c:42 #, c-format msgid "This program will set rsbac_pm_current_task to task-nr and then\n" msgstr "" "Dieses Programm setzt pm_current_task (aktuelle Aufgabe) auf Aufgaben-Nr. " "und\n" #: src/pm_ct_exec.c:43 src/rc_role_wrap.c:30 #, c-format msgid "execute prog via execvp()\n" msgstr "führt Programm über execvp() aus\n" #: src/rc_copy_role.c:27 #, c-format msgid "Use: %s [flags] from_role to_role\n" msgstr "Aufruf: %s [Schalter] Quell-Rolle Ziel-Rolle\n" #: src/rc_copy_type.c:27 #, c-format msgid "Use: %s [flags] target from_type to_type\n" msgstr "Aufruf: %s [Schalter] Objekt-Typ Quelle Ziel\n" #: src/rc_copy_type.c:28 #, c-format msgid " target = FD, DEV, IPC, USER, PROCESS, GROUP, NETDEV, NETTEMP, NETOBJ\n" msgstr "" " Ziel-Typ = FD, DEV, IPC, USER, PROCESS, GROUP, NETDEV, NETTEMP, NETOBJ\n" #: src/rc_get_current_role.c:31 #, c-format msgid "%s: current role is %u\n" msgstr "%s: Aktuelle Rolle %u\n" #: src/rc_get_eff_rights_fd.c:39 #, c-format msgid "Use: %s [-v] [-r] [-p] target-type file/dirname(s)\n" msgstr "Aufruf: %s [-v] [-r] [-p] Ziel-Typ Datei-/Verzeichnis-Name(n)\n" #: src/rc_get_eff_rights_fd.c:41 #, c-format msgid " -p = print right names,\n" msgstr " -p = Rechtenamen drucken,\n" #: src/rc_get_item.c:34 #, c-format msgid "Use: %s [switches] rc-target-type id-nr item [sub-id-nr [right]]\n" msgstr "Aufruf: %s [Schalter] RC-Ziel-Typ ID-Nr. 
Feld [Unter-ID [Recht]]\n" #: src/rc_get_item.c:35 #, c-format msgid " %s list_xxx\n" msgstr " %s list_xxx\n" #: src/rc_get_item.c:36 #, c-format msgid " %s list_unused_xxx (_nr only)\n" msgstr " %s list_unused_xxx (nur für _nr)\n" #: src/rc_get_item.c:37 #, c-format msgid " %s list_def_fd_ind_create_type{s|_nr|_values role-id\n" msgstr " %s list_def_fd_ind_create_type{s|_nr|_values Rollen-Nummer\n" #: src/rc_get_item.c:38 #, c-format msgid " %s backup\n" msgstr " %s backup\n" #: src/rc_get_item.c:39 #, c-format msgid " %s print\n" msgstr " %s print\n" #: src/rc_get_item.c:40 src/rc_set_item.c:33 #, c-format msgid " -v = verbose, -p = print right names,\n" msgstr " -v = ausführlich, -p = drucke Rechtenamen,\n" #: src/rc_get_item.c:41 #, c-format msgid " -i = list items and values,\n" msgstr " -i = liste alle Felder und Werte,\n" #: src/rc_get_item.c:42 #, c-format msgid " -r = remove role before restore (backup only)\n" msgstr " -r = entferne Rolle vor dem Restore (nur backup)\n" #: src/rc_get_item.c:44 src/rc_set_item.c:44 #, c-format msgid " rc-target-type = ROLE or TYPE,\n" msgstr " RC-Ziel-Typ = ROLE oder TYPE,\n" #: src/rc_get_item.c:45 src/rc_set_item.c:45 #, c-format msgid " id-nr = ROLE or TYPE number,\n" msgstr " ID-Nr. 
= Rollen- oder Typ-Nummer,\n" #: src/rc_get_item.c:46 src/rc_set_item.c:46 #, c-format msgid " item = entry line,\n" msgstr " Feld = Eintrag,\n" #: src/rc_get_item.c:47 #, c-format msgid " sub-id-nr = use this sub-id (_comp items only),\n" msgstr " Unter-ID = verwende diese Unter-Nummer (nur für _comp-Felder),\n" #: src/rc_get_item.c:48 #, c-format msgid " right = right name or number (type_comp items only),\n" msgstr " Recht = Rechtename oder -nummer (nur für type_comp-Felder),\n" #: src/rc_get_item.c:49 #, c-format msgid "" " xxx = roles, fd_types, dev_types, ipc_types, user_types, process_types,\n" msgstr "" " xxx = roles, fd_types, dev_types, ipc_types, user_types, process_types,\n" #: src/rc_get_item.c:50 #, c-format msgid "" " scd_types, group_types, role_nr, fd_type_nr, dev_type_nr, " "ipc_type_nr,\n" msgstr "" " scd_types, group_types, role_nr, fd_type_nr, dev_type_nr, ipc_type_nr,\n" #: src/rc_get_item.c:51 #, c-format msgid "" " user_type_nr, process_type_nr, scd_type_nr, rights: print a list\n" msgstr " user_type_nr, process_type_nr, scd_type_nr, rights: Liste ausgeben\n" #: src/rc_get_item.c:52 #, c-format msgid " list_def_fd_ind_create_types etc.: print a list\n" msgstr " list_def_fd_ind_create_types etc.: Liste ausgeben\n" #: src/rc_get_item.c:231 src/rc_set_item.c:175 #, c-format msgid "- items and returned values = see following list:\n" msgstr "- Feld (Name) und Rückgabewerte = siehe Liste:\n" #: src/rc_get_item.c:309 src/rc_get_item.c:3924 #, c-format msgid "%u roles:\n" msgstr "%u Rollen:\n" #: src/rc_get_item.c:424 src/rc_get_item.c:3824 #, c-format msgid "%u types:\n" msgstr "%u Typen:\n" #: src/rc_get_item.c:550 #, c-format msgid "%s: Internal right list error, param %s!\n" msgstr "%s: Interner Fehler in Rechte-Liste, Parameter %s!\n" #: src/rc_get_item.c:3784 #, c-format msgid "Invalid parameter %s\n" msgstr "Ungültiger Parameter %s\n" #: src/rc_get_item.c:3872 src/rc_get_item.c:4026 src/rc_get_item.c:4148 #: src/rc_set_item.c:248 
#, c-format msgid "Invalid target %s\n" msgstr "Ungültiges Ziel %s\n" #: src/rc_get_item.c:3982 #, c-format msgid "Invalid item %s or too few arguments\n" msgstr "Ungültiges Feld %s oder zuwenig Argumente\n" #: src/rc_get_item.c:4048 #, c-format msgid "Invalid item %s or invalid number of arguments\n" msgstr "Ungültiges Feld %s oder ungültige Anzahl Argumente\n" #: src/rc_get_item.c:4057 #, c-format msgid "Invalid subrole %s\n" msgstr "Ungültige Ziel-Rolle %s\n" #: src/rc_get_item.c:4067 #, c-format msgid "Invalid subtype %s\n" msgstr "Ungültiger Ziel-Typ %s\n" #: src/rc_get_item.c:4081 #, c-format msgid "Getting %s for ROLE %u to ROLE %u\n" msgstr "Hole %s für Rolle %u bis Rolle %u\n" #: src/rc_get_item.c:4092 #, c-format msgid "Getting def_fd_ind_create_type for ROLE %u to TYPE %u\n" msgstr "Hole def_fd_ind_create_type für Rolle %u auf Typ %u\n" #: src/rc_get_item.c:4113 #, c-format msgid "Getting %s rights for ROLE %u to TYPE %u\n" msgstr "Hole %s Rechte für Rolle %u auf Typ %u\n" #: src/rc_get_item.c:4166 #, c-format msgid "Invalid item-position combination %s\n" msgstr "Ungültige Feld-Position-Kombination %s\n" #: src/rc_get_item.c:4174 #, c-format msgid "Invalid comp_type %s\n" msgstr "Ungültiger comp_type %s!\n" #: src/rc_get_item.c:4189 #, c-format msgid "Invalid right %s\n" msgstr "Ungültiges Recht %s\n" #: src/rc_role_wrap.c:28 #, c-format msgid "Use: %s [-v] new_role_id prog args\n" msgstr "Aufruf: %s [-v] neue_Rolle Programm Argumente\n" #: src/rc_role_wrap.c:29 #, c-format msgid "This program will set the process rc_role to new_role and then\n" msgstr "Dieses Programm setzt die RC-Rolle des Prozesses auf neue_Rolle und\n" #: src/rc_role_wrap.c:31 #, c-format msgid "-v = verbose\n" msgstr "-v = ausführlich\n" #: src/rc_role_wrap.c:70 #, c-format msgid "%s: executing %s with role %i\n" msgstr "%s: führe %s mit Rolle %i aus\n" #: src/rc_set_item.c:31 #, c-format msgid "" "Use: %s [switches] rc-target-type id item [role/type [list-of-rights]] " "[value]\n" 
msgstr "" "Aufruf: %s [Schalter] RC-Ziel-Typ ID Feld [Rolle/Typ [Rechteliste]] [Wert]\n" #: src/rc_set_item.c:32 #, c-format msgid " %s -c TYPE target-id item source-id [first_role [last_role]],\n" msgstr " %s -c TYP Ziel-ID Feld Quell-ID [erste_Rolle [letzte_Rolle]],\n" #: src/rc_set_item.c:34 #, c-format msgid " -a = add, not set, -k = revoke, not set,\n" msgstr " -a = hinzufügen, nicht setzen, -k = entfernen, nicht setzen,\n" #: src/rc_set_item.c:35 #, c-format msgid " -b = accept rights as bitstring,\n" msgstr " -b = erwarte Rechte als Bitvektor,\n" #: src/rc_set_item.c:36 #, c-format msgid " -c = copy all/given roles' rights to type from other type,\n" msgstr "" " -c = kopiere Rechte aller/angegebener Rollen auf Typ von anderem Typ,\n" #: src/rc_set_item.c:37 #, c-format msgid " -d = delete all roles' rights to this type,\n" msgstr " -d = entferne die Rechte aller Rollen auf diesen Typ,\n" #: src/rc_set_item.c:38 #, c-format msgid " -i = list items and values\n" msgstr " -i = liste alle Felder und Werte\n" #: src/rc_set_item.c:39 src/rsbac_groupadd.c:40 src/rsbac_groupmod.c:35 #: src/rsbac_useradd.c:67 src/rsbac_usermod.c:46 #, c-format msgid "" " -t = set relative time-to-live in secs (role/type comp, admin, assign " "only)\n" msgstr "" " -t = setze relative Lebenszeit in Sek. (nur role/type comp, admin, " "assign)\n" #: src/rc_set_item.c:40 src/rsbac_groupadd.c:41 src/rsbac_groupmod.c:36 #: src/rsbac_useradd.c:68 src/rsbac_usermod.c:47 #, c-format msgid "" " -T = set absolute time-to-live in secs (role/type comp, admin, assign " "only)\n" msgstr "" " -T = setze absolute Lebenszeit in Sek. 
(nur role/type comp, admin, " "assign)\n" #: src/rc_set_item.c:41 src/rsbac_groupadd.c:42 src/rsbac_groupmod.c:37 #: src/rsbac_useradd.c:69 src/rsbac_usermod.c:48 #, c-format msgid "" " -D = set relative time-to-live in days (role/type comp, admin, assign " "only)\n" msgstr "" " -D = setze relative Lebenszeit in Tagen (nur role/type comp, admin, " "assign)\n" #: src/rc_set_item.c:47 #, c-format msgid " role/type = for this type only (role/type comp, admin, assign only),\n" msgstr "" " Rolle/Typ = nur für diesen Typ (nur role/type_comp, admin, assign),\n" #: src/rc_set_item.c:48 #, c-format msgid " right = request name or number (type_comp items only),\n" msgstr " Recht = Anfrage-Name oder -Nummer (nur für type_comp-Felder),\n" #: src/rc_set_item.c:49 #, c-format msgid " also special rights and groups R (read requests),\n" msgstr " außerdem Spezial-Rechte und Gruppen R (Lesen),\n" #: src/rc_set_item.c:50 #, c-format msgid " RW (read-write), SY (system), SE (security), A (all)\n" msgstr " RW (lesen-schreiben), SY (System), SE (Sicherheit), A (Alle)\n" #: src/rc_set_item.c:254 src/rc_set_item.c:353 src/rc_set_item.c:464 #: src/rc_set_item.c:781 #, c-format msgid "Invalid item %s\n" msgstr "Ungültiges Feld %s!\n" #: src/rc_set_item.c:271 #, c-format msgid "Too few arguments with option -c\n" msgstr "Zu wenige Argumente für Option -c\n" #: src/rc_set_item.c:277 #, c-format msgid "Invalid source type %u\n" msgstr "Ungültiger Quell-Typ %u\n" #: src/rc_set_item.c:285 #, c-format msgid "Invalid first role %u\n" msgstr "Ungültige erste Rolle %u\n" #: src/rc_set_item.c:295 #, c-format msgid "Invalid last role %u\n" msgstr "Ungültige letzte Rolle %u\n" #: src/rc_set_item.c:302 src/rc_set_item.c:418 #, c-format msgid "Invalid target type %u\n" msgstr "Ungültiger Ziel-Typ %u\n" #: src/rc_set_item.c:307 #, c-format msgid "Source and target must differ\n" msgstr "Quelle und Ziel müssen verschieden sein\n" #: src/rc_set_item.c:358 #, c-format msgid "Copying rights vector %s for 
type %u to type %u in role(s) %u to %u\n" msgstr "" "Kopiere Rechte-Vektor %s auf Typ %u zu Typ %u in den Rollen %u bis %u\n" #: src/rc_set_item.c:387 src/rc_set_item.c:496 #, c-format msgid "Changing role %u failed: %s\n" msgstr "Ändern von Rolle %u fehlgeschlagen: %s\n" #: src/rc_set_item.c:397 #, c-format msgid "Reading from role %u failed: %s\n" msgstr "Lesen von Rolle %u fehlgeschlagen: %s\n" #: src/rc_set_item.c:469 #, c-format msgid "Setting rights vector %s for type %u in all roles to 0\n" msgstr "Setze Rechte-Vektor %s auf Typ %u in allen Rollen auf 0\n" #: src/rc_set_item.c:486 #, c-format msgid "%u roles\n" msgstr "%u Rollen\n" #: src/rc_set_item.c:520 #, c-format msgid "Setting %s of ROLE %i (old bitvector mode)\n" msgstr "Setze %s von Rolle %i (alter Bitvektor-Modus)\n" #: src/rc_set_item.c:544 #, c-format msgid "Setting for role %u failed: %s\n" msgstr "Setzen für Rolle %u fehlgeschlagen: %s\n" #: src/rc_set_item.c:559 #, c-format msgid "Invalid role %u!\n" msgstr "Ungültige Rolle %u!\n" #: src/rc_set_item.c:569 src/rc_set_item.c:589 src/rc_set_item.c:608 #, c-format msgid "Invalid number of arguments for item %s!\n" msgstr "Ungültige Anzahl Argumente für Feld %s!\n" #: src/rc_set_item.c:581 src/rc_set_item.c:601 #, c-format msgid "Invalid type %u!\n" msgstr "Ungültiger Typ %u\n" #: src/rc_set_item.c:626 #, c-format msgid "parameter comp_type missing\n" msgstr "Parameter Kompat.-Typ fehlt\n" #: src/rc_set_item.c:632 #, c-format msgid "invalid subtid.type %s\n" msgstr "Ungültiger Unter-Typ %s\n" #: src/rc_set_item.c:652 #, c-format msgid "No bitstring given!\n" msgstr "Kein Bitstring angegeben!\n" #: src/rc_set_item.c:820 #, c-format msgid "Adding %s rights for ROLE %u to TYPE %u\n" msgstr "Füge %s Rechte für Rolle %u auf Typ %u hinzu\n" #: src/rc_set_item.c:830 #, c-format msgid "Revoking %s rights for ROLE %u from TYPE %u\n" msgstr "Entferne %s Rechte von Rolle %u auf Typ %u\n" #: src/rc_set_item.c:839 #, c-format msgid "Setting %s rights for ROLE %u 
to TYPE %u\n" msgstr "Setze %s Rechte für Rolle %u auf Typ %u\n" #: src/rc_set_item.c:867 #, c-format msgid "parameter name missing\n" msgstr "Parameter name fehlt\n" #: src/rc_set_item.c:872 #, c-format msgid "Name string too long\n" msgstr "Name zu lang\n" #: src/rc_set_item.c:881 #, c-format msgid "parameter admin_type missing\n" msgstr "Parameter admin_type fehlt\n" #: src/rc_set_item.c:892 #, c-format msgid "parameter boot_role missing\n" msgstr "Parameter boot_role fehlt\n" #: src/rsbac_check.c:42 #, c-format msgid "Use: %s correct check_inode\n" msgstr "Aufruf: %s korrigieren inodes_prüfen\n" #: src/rsbac_check.c:43 #, c-format msgid " correct = 0: do not correct errors\n" msgstr " korrigieren = 0: Fehler nicht korrigieren\n" #: src/rsbac_check.c:44 #, c-format msgid " correct = 1: correct errors\n" msgstr " korrigieren = 1: Fehler korrigieren\n" #: src/rsbac_check.c:45 #, c-format msgid " correct = 2: correct more\n" msgstr " korrigieren = 2: noch mehr korrigieren\n" #: src/rsbac_check.c:46 #, c-format msgid " check_inode = 0: do not check inode numbers\n" msgstr " inodes_prüfen = 0: inode-Nummern nicht prüfen\n" #: src/rsbac_check.c:47 #, c-format msgid "" " check_inode = 1: also check inode numbers (only ext2/3 on 2.4 kernels)\n" msgstr " inodes_prüfen = 1: inode-Nummern auch prüfen (nur ext2/3 mit 2.4-Kernen)\n" #: src/rsbac_gpasswd.c:28 #, c-format msgid "Use: %s [flags] group\n" msgstr "Aufruf: %s [Schalter] Gruppe\n" #: src/rsbac_gpasswd.c:29 src/rsbac_groupdel.c:31 src/rsbac_userdel.c:32 #, c-format msgid " -v = verbose,\n" msgstr " -v = ausführlich,\n" #: src/rsbac_gpasswd.c:30 #, c-format msgid " -a user = add user to group,\n" msgstr " -a Benutzer = Benutzer zu Gruppe hinzufügen,\n" #: src/rsbac_gpasswd.c:31 #, c-format msgid " -d user = remove user from group,\n" msgstr " -d Benutzer = Benutzer aus Gruppe entfernen,\n" #: src/rsbac_gpasswd.c:32 #, c-format msgid " -M user,... = add user(s) to group,\n" msgstr " -M Benutzer,... 
= Benutzer zu Gruppe hinzufügen,\n" #: src/rsbac_gpasswd.c:33 #, c-format msgid " -A user,... = ignored, for compatibility\n" msgstr " -A Benutzer,... = wird ignoriert, zur Kompatibilität\n" #: src/rsbac_gpasswd.c:34 #, c-format msgid " -r = remove group password,\n" msgstr " -r = Gruppen-Passwort entfernen,\n" #: src/rsbac_gpasswd.c:35 #, c-format msgid " -R = ignored, for compatibility\n" msgstr " -R = wird ignoriert, zur Kompatibilität\n" #: src/rsbac_gpasswd.c:36 #, c-format msgid " -N ta = transaction number (group memberships only)\n" msgstr " -N ta = Transaktions-Nummer (nur Gruppenmitgliedschaften)\n" #: src/rsbac_gpasswd.c:37 #, c-format msgid " (default = value of RSBAC_TA, if set, or 0)\n" msgstr " (Standard = Wert von RSBAC_TA, falls gesetzt, sonst 0)\n" #: src/rsbac_gpasswd.c:93 src/rsbac_gpasswd.c:103 src/rsbac_gpasswd.c:111 #: src/rsbac_groupadd.c:179 src/rsbac_groupadd.c:193 src/rsbac_groupadd.c:203 #: src/rsbac_groupmod.c:128 src/rsbac_groupmod.c:145 src/rsbac_groupmod.c:155 #: src/rsbac_useradd.c:454 src/rsbac_useradd.c:466 src/rsbac_useradd.c:479 #: src/rsbac_useradd.c:495 src/rsbac_useradd.c:506 src/rsbac_useradd.c:524 #: src/rsbac_useradd.c:534 src/rsbac_useradd.c:544 src/rsbac_useradd.c:554 #: src/rsbac_useradd.c:564 src/rsbac_useradd.c:574 src/rsbac_useradd.c:584 #: src/rsbac_useradd.c:595 src/rsbac_useradd.c:605 src/rsbac_useradd.c:636 #: src/rsbac_usermod.c:157 src/rsbac_usermod.c:167 src/rsbac_usermod.c:178 #: src/rsbac_usermod.c:195 src/rsbac_usermod.c:205 src/rsbac_usermod.c:215 #: src/rsbac_usermod.c:226 src/rsbac_usermod.c:236 src/rsbac_usermod.c:246 #: src/rsbac_usermod.c:257 src/rsbac_usermod.c:268 src/rsbac_usermod.c:279 #: src/rsbac_usermod.c:290 src/rsbac_usermod.c:302 src/rsbac_usermod.c:313 #, c-format msgid "%s: missing argument for parameter %c\n" msgstr "%s: fehlender Wert für Parameter %c\n" #: src/rsbac_gpasswd.c:143 src/rsbac_groupdel.c:45 src/rsbac_groupmod.c:232 #: src/rsbac_groupmod.c:239 src/rsbac_groupshow.c:263 src/rsbac_useradd.c:361 
#: src/rsbac_useradd.c:378 src/rsbac_useradd.c:516 #, c-format msgid "%s: Unknown group %s\n" msgstr "%s: unbekannte Gruppe %s\n" #: src/rsbac_gpasswd.c:173 src/rsbac_gpasswd.c:190 src/rsbac_gpasswd.c:229 #: src/rsbac_gpasswd.c:246 src/rsbac_login.c:102 src/rsbac_passwd.c:81 #: src/rsbac_userdel.c:49 src/rsbac_usermod.c:390 src/rsbac_usermod.c:397 #: src/rsbac_usershow.c:395 #, c-format msgid "%s: Unknown user %s\n" msgstr "%s: unbekannter Benutzer %s\n" #: src/rsbac_gpasswd.c:269 src/rsbac_passwd.c:141 #, c-format msgid "%s: invalid new password!\n" msgstr "%s: Ungültiges neues Passwort!\n" #: src/rsbac_gpasswd.c:276 src/rsbac_passwd.c:154 #, c-format msgid "%s: invalid repeated new password!\n" msgstr "%s: Ungültiges wiederholtes Passwort!\n" #: src/rsbac_gpasswd.c:281 src/rsbac_passwd.c:159 #, c-format msgid "%s: new passwords do not match!\n" msgstr "%s: neue Passworte stimmen nicht überein!\n" #: src/rsbac_groupadd.c:37 src/rsbac_groupmod.c:30 src/rsbac_groupshow.c:37 #, c-format msgid "Use: %s [flags] groupname\n" msgstr "Aufruf: %s [Schalter] Gruppenname\n" #: src/rsbac_groupadd.c:38 src/rsbac_groupmod.c:31 src/rsbac_useradd.c:55 #: src/rsbac_usermod.c:36 #, c-format msgid " -p password = password in plaintext,\n" msgstr " -p Passwort = Passwort im Klartext,\n" #: src/rsbac_groupadd.c:39 #, c-format msgid " -g gid = gid to use,\n" msgstr " -g gid = Gruppen-ID,\n" #: src/rsbac_groupadd.c:43 #, c-format msgid " -o = use values from old group entry,\n" msgstr " -o = Werte aus altem Gruppeneintrag verwenden,\n" #: src/rsbac_groupadd.c:44 #, c-format msgid " -O = add all existing groups (implies -o)\n" msgstr " -O = alle existierenden Gruppen zufügen (setzt -o)\n" #: src/rsbac_groupdel.c:30 #, c-format msgid "Use: %s [flags] group [group2 ...]\n" msgstr "Aufruf: %s [Schalter] Gruppe [Gruppe2 ...]\n" #: src/rsbac_groupmod.c:32 src/rsbac_usermod.c:37 #, c-format msgid " -P = disable password,\n" msgstr " -P = Passwort deaktivieren,\n" #: src/rsbac_groupmod.c:33 
src/rsbac_useradd.c:57 src/rsbac_usermod.c:38 #, c-format msgid " -Q password = encrypted password (from backup),\n" msgstr " -Q Passwort = verschlüsseltes Passwort (aus Backup),\n" #: src/rsbac_groupmod.c:34 #, c-format msgid " -g name = change groupname,\n" msgstr " -g Name = Gruppennamen ändern,\n" #: src/rsbac_groupshow.c:38 #, c-format msgid " -v = verbose, -a = list all groups\n" msgstr " -v = ausführlich, -a = alle Gruppen auflisten\n" #: src/rsbac_groupshow.c:39 src/rsbac_usershow.c:41 #, c-format msgid " -l = short list all groups, -b = backup mode\n" msgstr " -l = kurze Liste aller Gruppen, -b = Backup-Modus\n" #: src/rsbac_groupshow.c:40 src/rsbac_usershow.c:42 #, c-format msgid " -p = also show encrypted password\n" msgstr " -p = auch verschlüsseltes Passwort anzeigen\n" #: src/rsbac_groupshow.c:77 #, c-format msgid "%s: Unknown group %u\n" msgstr "%s: Unbekannte Gruppe %u\n" #: src/rsbac_init.c:38 #, c-format msgid "" "Use: %s root_dev\n" "\n" msgstr "Aufruf: %s root_dev\n" #: src/rsbac_init.c:39 #, c-format msgid "root_dev: root device to initialize from, e.g. /dev/sda1\n" msgstr "root_dev: root-Device zur Initialisierung, z.B. 
/dev/sda1\n" #: src/rsbac_jail.c:29 #, c-format msgid "Use: %s [flags] [-I addr] [-R dir] [-C cap-list] prog args\n" msgstr "" "Aufruf: %s [Schalter] [-I Addr] [-R Pfad] [-C Cap-Liste] Programm Argumente\n" #: src/rsbac_jail.c:30 #, c-format msgid "This program will put the process into a jail with chroot to path,\n" msgstr "Dieses Programm packt den Prozess in ein Jail mit chroot auf Pfad\n" #: src/rsbac_jail.c:31 #, c-format msgid "ip address IP and then execute prog with args\n" msgstr "" "und IP-Adresse Addr und führt dann das Programm mit den Argumenten aus\n" #: src/rsbac_jail.c:32 #, c-format msgid "-I addr = limit to IP address,\n" msgstr "-I Addr = beschränke auf diese IP-Adresse,\n" #: src/rsbac_jail.c:33 #, c-format msgid "-R dir = chroot to dir,\n" msgstr "-R Pfad = chroot auf Pfad,\n" #: src/rsbac_jail.c:34 #, c-format msgid "-C cap-list = limit Linux capabilities for jailed processes,\n" msgstr "-C Cap-Liste = beschränke Linux-Capabilities der Jail-Prozesse auf die angegebenen,\n" #: src/rsbac_jail.c:35 #, c-format msgid "" " use bit-vector, numeric value or list names of desired caps,\n" msgstr "" " verwende Bit-Vektor, Zahlenwert oder Namen der Capabilities,\n" #: src/rsbac_jail.c:36 #, c-format msgid " A = all, FS_MASK = all filesystem related,\n" msgstr " A = alle, FS_MASK = alle Dateisystem-Capabilities,\n" #: src/rsbac_jail.c:37 #, c-format msgid "-L = list all Linux capabilities,\n" msgstr "-L = liste alle Linux-Capabilities,\n" #: src/rsbac_jail.c:38 #, c-format msgid "-S = list all SCD targets,\n" msgstr "-S = liste alle gültigen SCD-Ziele,\n" # #: src/rsbac_jail.c:39 #, c-format msgid "-v = verbose, -i = allow access to IPC outside this jail,\n" msgstr "-v = ausführlich, -i = erlaube Zugriff auf IPC außerhalb dieses Jails,\n" #: src/rsbac_jail.c:40 #, c-format msgid "-n = allow all network families, not only UNIX and INET (IPv4),\n" msgstr "-n = erlaube alle Netzwerk-Familien, nicht nur UNIX und INET (IPv4),\n" #: src/rsbac_jail.c:41 #, c-format msgid "-r = allow INET 
(IPv4) raw sockets (e.g. for ping),\n" msgstr "-r = erlaube INET (IPv4) raw sockets (z.B. für ping),\n" #: src/rsbac_jail.c:42 #, c-format msgid "-a = auto-adjust INET any address 0.0.0.0 to jail address, if set,\n" msgstr "-a = passe INET-Adresse 0.0.0.0 automatisch an jail-Adresse an\n" #: src/rsbac_jail.c:43 #, c-format msgid "-o = additionally allow to/from remote INET (IPv4) address 127.0.0.1,\n" msgstr "-o = erlaube zusätzlich zu/von der INET (IPv4) Adresse 127.0.0.1,\n" #: src/rsbac_jail.c:44 #, c-format msgid "-d = allow read access on devices, -D allow write access\n" msgstr "-d = Lese-Zugriff auf Geräte, -D Schreib-Zugriff\n" #: src/rsbac_jail.c:45 #, c-format msgid "-e = allow GET_STATUS_DATA on devices, -E allow MODIFY_SYSTEM_DATA\n" msgstr "-e = GET_STATUS_DATA auf Geräte, -E = MODIFY_SYSTEM_DATA\n" #: src/rsbac_jail.c:46 #, c-format msgid "-G scd ... = allow GET_STATUS_DATA on these scd targets\n" msgstr "-G scd ... = GET_STATUS_DATA auf diese SCD-Ziele\n" #: src/rsbac_jail.c:47 #, c-format msgid "-M scd ... = allow MODIFY_SYSTEM_DATA on these scd targets\n" msgstr "-M scd ... 
= MODIFY_SYSTEM_DATA auf diese SCD-Ziele\n" #: src/rsbac_jail.c:48 #, c-format msgid "Deprecated old options, please use -G and -M:\n" msgstr "Alte, nicht gepflegte Optionen, bitte -G und -M verwenden:\n" #: src/rsbac_jail.c:49 #, c-format msgid "-l = allow to modify rlimits (-M rlimit),\n" msgstr "-l = Erlaube Änderung der rlimits (-M rlimit),\n" #: src/rsbac_jail.c:50 #, c-format msgid "-c = allow to modify system clock (-M SCD clock time_strucs),\n" msgstr "-c = Erlaube Änderung der System-Zeit (-M SCD clock time_strucs),\n" #: src/rsbac_jail.c:51 #, c-format msgid "-m = allow to lock memory (-M mlock),\n" msgstr "-m = Erlaube blockieren von Speicherbereichen (-M mlock),\n" #: src/rsbac_jail.c:52 #, c-format msgid "-p = allow to modify priority (-M priority),\n" msgstr "-p = Erlaube Änderung der Priorität (-M priority),\n" #: src/rsbac_jail.c:53 #, c-format msgid "-k = allow to get kernel symbols (-G ksyms)\n" msgstr "-k = Erlaube Lesen von Kern-Symbolen (-G ksyms)\n" #: src/rsbac_jail.c:173 src/rsbac_jail.c:216 #, c-format msgid "%s: missing SCDs for parameter %c\n" msgstr "%s: fehlende SCDs für Parameter %c\n" #: src/rsbac_jail.c:228 #, c-format msgid "%s: missing address for parameter %c\n" msgstr "%s: fehlende Adresse für Parameter %c\n" #: src/rsbac_jail.c:238 #, c-format msgid "%s: missing dirname for parameter %c\n" msgstr "%s: fehlender Verzeichnisname für Parameter %c\n" #: src/rsbac_jail.c:305 #, c-format msgid "%s: missing caps for parameter %c\n" msgstr "%s: fehlende Capabilities für Parameter %c\n" #: src/rsbac_jail.c:340 #, c-format msgid "" "%s: executing %s in jail at %s with IP %s, flags %u, caps %u, scd_get %u, " "scd_modify %u\n" msgstr "%s: starte %s in Jail in %s mit IP %s, Schaltern %u, caps %u, scd_get %u, " "scd_modify %u\n" #: src/rsbac_jail.c:350 #, c-format msgid "" "%s: executing %s in jail (no chroot) with IP %s, flags %u, caps %u, scd_get %" "u, scd_modify %u\n" msgstr "%s: starte %s in Jail (kein chroot) mit IP %s, Schaltern %u, 
caps %u, scd_get %u, " "scd_modify %u\n" #: src/rsbac_list_ta.c:26 #, c-format msgid "Use: %s [flags] {begin|refresh|commit|forget}\n" msgstr "Aufruf: %s [Schalter] {begin|refresh|commit|forget}\n" #: src/rsbac_list_ta.c:27 #, c-format msgid " -v = verbose, -b = print bash export of RSBAC_TA\n" msgstr " -v = ausführlich, -b = drucke bash-export der RSBAC_TA\n" #: src/rsbac_list_ta.c:28 #, c-format msgid "" " -t ttl = change transaction timeout from kernel config default to ttl\n" msgstr " -t ttl = Transaktions-Ablauf auf ttl Sekunden setzen\n" #: src/rsbac_list_ta.c:29 #, c-format msgid " -p password = use this password\n" msgstr " -p Passwort = dieses Passwort verwenden\n" #: src/rsbac_list_ta.c:30 #, c-format msgid " -N ta = transaction number (for refresh, commit, forget)\n" msgstr " -N ta = Transaktions-Nummer (für refresh, commit, forget)\n" #: src/rsbac_list_ta.c:31 #, c-format msgid " (default = value of RSBAC_TA, if set, or 0 otherwise)\n" msgstr " (Standard = Wert von RSBAC_TA, sonst 0)\n" #: src/rsbac_list_ta.c:83 #, c-format msgid "%s: missing password for parameter %c\n" msgstr "%s: fehlendes Passwort für Parameter %c\n" #: src/rsbac_list_ta.c:98 #, c-format msgid "%s: missing user for parameter %c\n" msgstr "%s: fehlender Benutzer für Parameter %c\n" #: src/rsbac_login.c:69 src/rsbac_passwd.c:59 #, c-format msgid "Use: %s [flags] [username]\n" msgstr "Aufruf: %s [Schalter] [Benutzer]\n" #: src/rsbac_login.c:70 #, c-format msgid " -v = verbose, -p = preserve environment\n" msgstr " -v = ausführlich, -p = Umgebungsvariablen erhalten,\n" #: src/rsbac_login.c:96 #, c-format msgid "%s: invalid login name!\n" msgstr "" "%s: ungültiger Anmeldename!\n" "\n" #: src/rsbac_login.c:125 src/rsbac_useradd.c:146 src/rsbac_useradd.c:181 #, c-format msgid "%s: invalid password!\n" msgstr "%s: ungültiges Passwort!\n" #: src/rsbac_passwd.c:60 #, c-format msgid " -v = verbose,\n" msgstr " -v = ausführlich\n" #: src/rsbac_passwd.c:61 #, c-format msgid " -n = do not ask for 
old password\n" msgstr " -n = nicht nach altem Passwort fragen\n" #: src/rsbac_passwd.c:116 #, c-format msgid "%s: invalid old password!\n" msgstr "" "%s: Ungültiges altes Passwort!\n" "\n" #: src/rsbac_pm.c:32 #, c-format msgid "Use: %s [flags] call args\n" msgstr "Aufruf: %s [Schalter] Funktion Argumente\n" #: src/rsbac_pm.c:34 src/rsbac_pm.c:62 #, c-format msgid "call = one of the following calls, args = call dependent\n" msgstr "Funktion = eine der folgenden, Argumente sind funktionsabhängig\n" #: src/rsbac_pm.c:41 src/rsbac_pm.c:69 #, c-format msgid "-- press return --" msgstr "-- Return drücken --" #: src/rsbac_pm.c:60 #, c-format msgid "Use: %s [flags] create_ticket ticket-nr valid-secs call args\n" msgstr "" "Aufruf: %s [Schalter] create_ticket Ticket-Nr. gültig_in_sek. Funktion Argumente\n" #: src/rsbac_pm.c:61 #, c-format msgid " -N ta = transaction number\n" msgstr " -N ta = Transaktions-Nummer\n" #: src/rsbac_pm.c:137 #, c-format msgid "" "\n" "%s: invalid pm function %s!\n" "\n" msgstr "" "\n" "%s: Ungültige PM-Funktion %s!\n" "\n" #: src/rsbac_pm.c:140 #, c-format msgid "%s: requesting pm-call %s (No. %i)\n" msgstr "%s: rufe PM-Funktion %s (Nr. 
%i) auf\n" #: src/rsbac_pm.c:147 src/rsbac_pm.c:170 src/rsbac_pm.c:193 src/rsbac_pm.c:205 #: src/rsbac_pm.c:216 src/rsbac_pm.c:266 src/rsbac_pm.c:277 src/rsbac_pm.c:289 #: src/rsbac_pm.c:301 src/rsbac_pm.c:313 src/rsbac_pm.c:325 src/rsbac_pm.c:337 #: src/rsbac_pm.c:348 src/rsbac_pm.c:360 src/rsbac_pm.c:372 src/rsbac_pm.c:383 #: src/rsbac_pm.c:396 src/rsbac_pm.c:408 src/rsbac_pm.c:419 src/rsbac_pm.c:430 #: src/rsbac_pm.c:457 src/rsbac_pm.c:469 src/rsbac_pm.c:483 src/rsbac_pm.c:495 #: src/rsbac_pm.c:509 src/rsbac_pm.c:520 src/rsbac_pm.c:531 src/rsbac_pm.c:556 #: src/rsbac_pm.c:584 src/rsbac_pm.c:612 src/rsbac_pm.c:624 src/rsbac_pm.c:634 #: src/rsbac_pm.c:684 src/rsbac_pm.c:694 src/rsbac_pm.c:706 src/rsbac_pm.c:718 #: src/rsbac_pm.c:730 src/rsbac_pm.c:742 src/rsbac_pm.c:754 src/rsbac_pm.c:764 #: src/rsbac_pm.c:776 src/rsbac_pm.c:788 src/rsbac_pm.c:798 src/rsbac_pm.c:812 #: src/rsbac_pm.c:824 src/rsbac_pm.c:834 src/rsbac_pm.c:844 src/rsbac_pm.c:875 #: src/rsbac_pm.c:887 src/rsbac_pm.c:901 src/rsbac_pm.c:913 #, c-format msgid "Too few arguments: argc is %i\n" msgstr "Zu wenige Argumente: argc ist %i\n" #: src/rsbac_pm.c:227 src/rsbac_pm.c:238 src/rsbac_pm.c:645 src/rsbac_pm.c:656 #, c-format msgid "%s: Could not allocate list memory!" msgstr "%s: Konnte keinen Speicher für Liste belegen!" 
#: src/rsbac_pm.c:545 #, c-format msgid "" "\n" "Too few arguments: argc is %i\n" msgstr "" "\n" "Zu wenige Argumente: argc ist %i\n" #: src/rsbac_useradd.c:50 src/rsbac_usermod.c:30 src/rsbac_usershow.c:39 #, c-format msgid "Use: %s [flags] username\n" msgstr "Aufruf: %s [Schalter] Benutzer\n" #: src/rsbac_useradd.c:51 src/rsbac_usermod.c:31 #, c-format msgid " -c comment = fullname or comment,\n" msgstr " -c Kommentar = Voller Name oder Kommentar,\n" #: src/rsbac_useradd.c:52 src/rsbac_usermod.c:32 #, c-format msgid " -d dir = homedir of user,\n" msgstr "-d Verzeichnis = Home-Verzeichnis des Benutzer,\n" #: src/rsbac_useradd.c:53 src/rsbac_usermod.c:33 #, c-format msgid " -g group = main / initial Linux group,\n" msgstr " -g Gruppe = Haupt- / initiale Linux-Gruppe\n" #: src/rsbac_useradd.c:54 src/rsbac_usermod.c:34 #, c-format msgid " -G group1[,group2,...] = add more Linux groups,\n" msgstr " -G Gruppe1[,Gruppe2,...] = weitere Linux-Gruppen zufügen,\n" #: src/rsbac_useradd.c:56 #, c-format msgid " -P = ask for password,\n" msgstr " -P = nach Passwort fragen,\n" #: src/rsbac_useradd.c:58 #, c-format msgid " -s shell = user's shell,\n" msgstr " -s shell = Benutzer-Shell,\n" #: src/rsbac_useradd.c:59 #, c-format msgid " -u uid = uid to use,\n" msgstr " -u uid = Benutzer-ID\n" #: src/rsbac_useradd.c:60 #, c-format msgid " -m = create user home dir from skeleton,\n" msgstr " -m = Homeverzeichnis aus Skeleton anlegen,\n" #: src/rsbac_useradd.c:61 #, c-format msgid " -k dir = use this skeleton dir instead of /etc/skel/,\n" msgstr " -k dir = Dieses Skeleton-Verzeichnis statt /etc/skel/ verwenden,\n" #: src/rsbac_useradd.c:62 src/rsbac_usermod.c:41 #, c-format msgid " -n minchange-days = minimum days between password changes,\n" msgstr " -n minchange-days = Minimalanzahl Tage zwischen Passwortänderungen,\n" #: src/rsbac_useradd.c:63 src/rsbac_usermod.c:42 #, c-format msgid " -x maxchange-days = maximum days between password changes,\n" msgstr " -x maxchange-days = 
Maximalanzahl Tage zwischen Passwortänderungen,\n" #: src/rsbac_useradd.c:64 src/rsbac_usermod.c:43 #, c-format msgid " -w warnchange-days = warning days before password must be changed,\n" msgstr " -w warnchange-days = Anzahl Warn-Tage vor Passwort-Ablauf,\n" #: src/rsbac_useradd.c:65 src/rsbac_usermod.c:44 #, c-format msgid "" " -f inactive-days = period between password expiry and account disabling,\n" msgstr "" #: src/rsbac_useradd.c:66 src/rsbac_usermod.c:45 #, c-format msgid " -e expire-days = days since 1/Jan/1970 when account gets disabled,\n" msgstr " -e expire-days = Tage seit 1/Jan/1970 wann der Zugang deaktiviert wird,\n" #: src/rsbac_useradd.c:70 #, c-format msgid " -o = use values from old passwd/shadow entry,\n" msgstr " -o = alte Werte aus passwd/shadow verwenden,\n" #: src/rsbac_useradd.c:71 #, c-format msgid " -O = add all existing users (implies -o)\n" msgstr " -O = alle existierenden Benutzer zufügen (setzt -o)\n" #: src/rsbac_useradd.c:191 #, c-format msgid "%s: password mismatch!\n" msgstr "%s: Passworte stimmen nicht überein!\n" #: src/rsbac_useradd.c:193 #, c-format msgid "%s: Too many tries, using default password!\n" msgstr "%s: Zu viele Versuche, verwende Standard-Passwort!\n" #: src/rsbac_useradd.c:617 #, c-format msgid "%s: cannot lookup skel dir %s\n" msgstr "%s: kann das Skeleton-Verzeichnis %s nicht finden\n" #: src/rsbac_useradd.c:623 #, c-format msgid "%s: skel dir %s is no dir\n" msgstr "%s: Skeleton-Verzeichnis %s ist kein Verzeichnis\n" #: src/rsbac_useradd.c:629 #, c-format msgid "%s: skel dir name %s is too long\n" msgstr "%s: Skeleton-Verzeichnis-Name %s ist zu lang\n" #: src/rsbac_userdel.c:31 #, c-format msgid "Use: %s [flags] user [user2 ...]\n" msgstr "Aufruf: %s [Schalter] Benutzer [Benutzer2 ...]\n" #: src/rsbac_userdel.c:33 #, c-format msgid " -r = remove user's home dir\n" msgstr " -r = Benutzer-Home-Verzeichnis löschen\n" #: src/rsbac_usermod.c:35 #, c-format msgid " -H group1[,group2,...] 
= remove Linux groups,\n"
msgstr " -H Gruppe1[,Gruppe2,...] = Linux-Gruppen entfernen,\n"

#: src/rsbac_usermod.c:39
#, c-format
msgid " -s shell = user shell,\n"
msgstr " -s shell = Benutzer-Shell,\n"

#: src/rsbac_usermod.c:40
#, c-format
msgid " -u name = change username,\n"
msgstr " -u Name = Benutzernamen ändern\n"

#: src/rsbac_usermod.c:475 src/rsbac_usermod.c:491 src/rsbac_usermod.c:522
#: src/rsbac_usermod.c:538
#, c-format
msgid "%s: Invalid group %s\n"
msgstr "%s: Ungültige Gruppe %s!\n"

#: src/rsbac_usershow.c:40
#, c-format
msgid " -v = verbose, -a = list all users\n"
msgstr " -v = ausführlich, -a = liste alle Benutzer\n"

#: src/rsbac_usershow.c:43
#, c-format
msgid " -D = print dates as yyyymmdd, not day number\n"
msgstr " -D = Datum als yyyymmdd ausgeben, nicht als Anzahl Tage\n"

#: src/rsbac_usershow.c:44
#, c-format
msgid " -u = list calling user\n"
msgstr " -u = aufrufenden Benutzer auflisten\n"

#: src/rsbac_usershow.c:81
#, c-format
msgid "%s: Unknown user %u\n"
msgstr "%s: Unbekannter Benutzer %u\n"

#: src/rsbac_write.c:30
#, c-format
msgid "%s: %i lists written\n"
msgstr "%s: %i Listen geschrieben\n"

#: src/switch_adf_log.c:28
#, c-format
msgid "Use: %s request [target] [value]\n"
msgstr "Aufruf: %s Anfrage [Ziel-Typ] [Wert]\n"

#: src/switch_adf_log.c:29
#, c-format
msgid "request = request name or ALL, value = [012]\n"
msgstr "Anfrage = Anfragename oder ALL, Wert = [012]\n"

#: src/switch_adf_log.c:30
#, c-format
msgid "target = target type name, leave out for ALL\n"
msgstr "Ziel-Typ = Ziel-Typ-Name, weglassen für 'alle'\n"

#: src/switch_adf_log.c:31
#, c-format
msgid "- -n = list all requests, -t = list all target types\n"
msgstr "- -n = alle Anfragen auflisten, -t = alle Ziel-Typen ausgeben\n"

#: src/switch_adf_log.c:32
#, c-format
msgid "- -b = backup log level settings\n"
msgstr "- -b = Backup der Log-Level-Einstellungen\n"

#: src/switch_adf_log.c:33
#, c-format
msgid "- -g = get not set, -s = scripting mode\n"
msgstr "- -g = holen statt setzen, 
-s = Skript-Modus,\n" #: src/switch_adf_log.c:148 #, c-format msgid "%s: getting log settings for request %s\n" msgstr "%s: hole Log-Einstellungen für Anfrage %s\n" #: src/switch_adf_log.c:225 #, c-format msgid "%s: switching logging for ALL requests and targets to %i\n" msgstr "%s: Setze Logging für ALLE Anfragen und Ziel-Typen auf %i\n" #: src/switch_adf_log.c:250 #, c-format msgid "%s: switching logging for request %s and all target types to %i\n" msgstr "%s: setze Logging für Anfrage %s und alle Ziel-Typen auf %i\n" #: src/switch_adf_log.c:256 src/switch_adf_log.c:287 #, c-format msgid "%s: target %s\n" msgstr "%s: Ziel-Typ %s\n" #: src/switch_adf_log.c:282 #, c-format msgid "%s: switching logging for ALL requests and target type %s to %i\n" msgstr "%s: Setze Logging für ALLE Anfragen und Ziel-Typ %s auf %i\n" #: src/switch_adf_log.c:311 #, c-format msgid "%s: switching logging for request %s and target type %s to %i\n" msgstr "%s: setze Logging für Anfrage %s und Ziel-Typ %s auf %i\n" #: src/switch_module.c:29 #, c-format msgid "Use: %s [-s] module value\n" msgstr "Aufruf: %s [-s] Modul Wert\n" #: src/switch_module.c:30 #, c-format msgid " -s: switch module's individual softmode, not the whole module\n" msgstr " -s: schalte individellen Softmode, nicht das ganze Modul\n" #: src/switch_module.c:31 #, c-format msgid "" "module = module name, value = [01]\n" "\n" msgstr "" "Modul = Modulname, Wert = [01]\n" "\n" #: src/switch_module.c:32 #, c-format msgid "Possible module names are:\n" msgstr "Mögliche Modulnamen sind:\n" #: src/switch_module.c:84 #, c-format msgid "%s: Invalid switch target %s\n" msgstr "%s: Ungültiges Umschalt-Ziel %s\n" #: src/switch_module.c:91 #, c-format msgid "%s: switching Module %s softmode to %i\n" msgstr "%s: Schalte Softmode für Modul %s auf %i\n" #: src/switch_module.c:93 #, c-format msgid "%s: switching Module %s to %i\n" msgstr "%s: schalte Modul %s auf %i\n" 
rsbac-admin-1.4.0/main/tools/Changes0000644000175000017500000002652711131371033017126 0ustar gauvaingauvainRSBAC Changes in recent versions -------------------------------- 1.4.0: - Added support for VUM. - PAM module does not send a message "User not authenticated" anymore if authentication failed. (To match other PAM modules behavior). - Made PAM password prompt standard and definable to RSBAC's custom prompt if the user wants it only. - OTP support for UM. - rsbac_useradd -K to copy a user with password. Upports from 1.3: - Autodetect if architecture is x86_64, in which case LIBDIR becomes /lib64 by default. (User setting still can override this). - Removed the IPC menu call from rsbac_process_menu. - Updated REG samples to par with the kernel. - Added missing request to group request groups. 1.3.5: - Libs install again in /usr. Distros will have to link and move files around. Sorry FHS, libtool doesn't like you :) - Add tools version strings to rsbac_version output. 1.3.4: - rsbac_version missing in rsbac-admin debian package - Fix user attribute backup and menu for cap_ld_env. - Fix UM password backup output with rsbac_usershow -b -p - Uniformized library directory with the LIBDIR variable (make LIBDIR=/lib64 e.g.) Old variables are still functional but are deprecated. - Libraries install to /lib by default (especially for UM) Feel free to change to /usr if you aren't using UM or nothing in RSBAC that must run at boot time 1.3.3: - English spelling - libtool fixes - mo files were not generated from target 'all', installation would fail in some cases 1.3.2: - Fixed name typo USER=>GROUP in rc_get_item see issue #84 1.3.1: - rewritten the way rsbac_jail is entering new namespace.now it works like it should. 1.3.0: - Correct right detection for check list menues. - Support role password. Support request type AUTHENTICATE. - Add rsbac_version tool to get tools and kernel version. - Fix sorting of RC roles in backup. 
- Allow to specify an additional title for rc_get_item htmlprint. - Mark invalid rights in "rc_get_item htmlprint" in dark brown. - Support cap_ld_env in attr_back_fd. - Sort rc_get_item output. - Removed custom _syscall* functions you need glibc 2.1+ or uclibc or something that has fPIC aware syscall functions now. - Include sys/types.h + asm/types.h instead of linux/types.h for userlan - Added a global uninstall target. - Small reformatting. Do not show -U option in rsbac_jail help. - Explicitely sets HOME SHELL PATH LOGNAME env vars (the whole env being cleared or not). - Echo's "Login incorrect" even if user does not exists (no information leak). - Preserve TERM env variable in all cases. - New JAIL parameter -N, for enclosing jailed process in its private namespace. - Add -i option to attr_get_ipc to list all ipcs with non-default attributes - Change network template tool net_temp to support multiple INET addresses and port ranges, remove UNIX address support. - Add flag -A to net_temp to add new addresses or ports instead of replacing the old list. 1.2.5: - New make based build system. - Add attr_{get|set|back}_group, rsbac_group_menu - Make all tools print help screen with -h - rsbac_list_ta now can now prompt for a password. - Tools now attempt to lock passwords into physical memory. - New rsbac_auth tool for Squid. - Fix RSBAC NSS lib bug related to additional user groups (e.g. id -G crashes with segmentation fault). 1.2.4: - Add user management tools with all {user|group}{add|mod|del} functionality - Add GROUP target to tools - Add PAM and NSSwitch modules to access the new user management to contrib dir - Cross linked HTML output in rc_get_item htmlprint. - Add rsbac_list_ta tool for transaction support for administration: begin, add a set of desired changes, commit atomically or forget. Change all existing tools to use transaction numbers. - Correct role and type values in rc_getname item parameters. 
- Add rc_copy_type - Add RC type copying to rsbac_rc_type_menu - Add PaX default value switch to attr_back_fd, because PaX defaults are now configurable. 1.2.3: - Made librsbac.a a dynamic lib librsbac.so with version numbers - Added PaX module support - Added support for new attributes - RC pretty-print config output with rc_get_item print - Reject unknown usernames in all tools instead of using numerical value 0. - Fix admin tools segfault when using -V without parameter - New rc_get_current_role - New mac_set_trusted tool for mac_trusted_for_user with list instead of single user. - Change ''rsbac_jail'' syntax to make ''chroot()'' and IP address optional - New optional rsbac_jail parameter max_caps, which limits the Linux capabilities of all processes in the jail - New JAIL module regression suite in contrib - Added backup of RES user settings 1.2.2: - Added MS need_scan attribute - Syscall version numbers - New attributes for RES module - rsbac_init tool for delayed init - New AUTH caps for eff/fd owner in FD menu - MAC wrap and attribute changes for new MAC implementation - New system role Auditor in user menu 1.2.1: - Removed target type checks, which are now all in kernel (including FD target type). - Added recursion support for attr_back_dev. - Added JAIL module support - Added logging of all RSBAC setting modifications through menues (RSBACLOGFILE setting) 1.2.0: - Added module parameter to all rsbac_get/set_attr calls - Updated user menu to use new mac_role etc. 
instead of system_role - Added min/max_cap attributes - Changed RC menues to support unlimited roles and types and 32 Bit values - Added rsbac_dialog, a copy of standard dialog with several enhancements (like --menu3 with help button) - Changed menues and tools to support new NET targets - Added help to all menues - Added network and network template menues - Added ttl support to ACL tools and menues - Added ttl support in RC tools - Updated rsbac_dialog and moved to subdir (Thanks to Stanislav again) 1.1.2: - Changed build process to autoconf/automake (Stanislav Ievlev) - Added dialog tool check to menues - Added SYMLINK target support to most tools and menues - Got REG samples moved from kernel part to examples/reg - Removed write_list feature from rsbac_pm - added rc_initial_role to FD tools - added ff_flag append_only - changed tmp file allocation to mktemp - added contrib/rsu (RC role-su) by Stanislav Ievlev - added linux2acl, a Linux rights to ACL converter - attr_back_fd now supports MAC with and without def_inherit 1.1.1: - Support for FIFO targets added - Internationalization added for command line tools, languages ru and de - attr_[gs]et_fd now support FD target - *_back_* now need a switch for *not* writing to stdout 1.1.0: - 'copy rights to type' added to rc_set_item and rsbac_rc_role_menu 1.0.9c: - acl_rm_user added - file/dir selection changed in menues - examples/backup_all added - new rsbac-klogd 1.0.9b: - Support for 32 Bit Uids/Gids - Support for new attributes log_program_based and log_user_based - Support for AUTH cap ranges - Support for new MAC security levels 0-252 - Removed obsolete useraci file installation - Russian menues and man pages added (thanks to our Russian team, see rus/README) 1.0.9a: - Added acl_group for full ACL group administration - Updated and changed RC tools for new separation of duty - Added ACL menu tools, with necessary additions to command line tools - Updated menues for new RC force role inherit_up_mixed 1.0.9: - 
Added support for long file/dir names and for those with spaces to rsbac_fd_menu - Changed rc_get_item, rc_set_item and rsbac_rc_role_menu to support the changed RC model. The new model distinguishes between all requests for role to type compatibility, allowing for much finer security settings. - Added acl_rights, acl_tlists, acl_grant and acl_mask for complete ACL model administration 1.0.8: - Added RC attributes - Wrote RC admin tools: rc_copy_role, rc_get_item, rc_set_item, rc_role_wrap - Wrote rsbac_rc_role_menu and rsbac_rc_type_menu - Added AUTH attributes to file/dir and process tools - Wrote AUTH admin tools auth_set_cap and auth_back_cap - Added MAC category support to most tools and to most menus - Wrote mac_wrap_cat, a simple category wrapper similar to mac_wrap for security levels. - Made tools compliant to glibc 1.0.7a: - Added recursion to attr_set_fd - Added recursive attr_rm_fd and attr_rm_file_dir to reset all attribute values to defaults for a target by removing the list entry. - Added resetting to rsbac_fd_menu 1.0.7: - Added inherit values to security_level, object_category and data_type in rsbac_fd_menu - Added menu item to change between effective and real attribute values - Added support for different screen sizes - if LINES and COLUMNS are exported from bash (e.g. in /etc/profile) 1.0.6: - Changed rsbac_fd_menu and rsbac_process_menu to tristate ms_trusted - Added attribute ff_flags with bit values to rsbac_fd_menu - Added rsbac_check to call sys_rsbac_check(), which checks attribute consistency 1.0.5: - rsbac_write added to call sys_rsbac_write = save attributes now - mac_wrap added to start a program with changed maximum security level (not the process owner's), e.g. 
from inetd - user_aci.sh added to set default roles with maintenance kernel 1.0.4: - Attributes mac_trusted_for_user, ms_sock_trusted_tcp/udp added to FILE utils - Attributes ms_sock_trusted_tcp/udp added to process utils - Attributes ms_trusted, ms_sockbuf, ms_str_nr, ms_str_offset, ms_scanned added to ipc utils - Attribute object_type removed from ipc utils, as in kernel - was IPC all the time anyway - Adjusted syscall return value interpretation to 2.1 kernels 1.0.3: - Target DEV added to file/dir utilities. rsbac_dev_menu added. Now devices can get their own attributes based on major/minor numbers, not only based on their file representations in /dev, which can be easily duplicated. - Attribute object_type removed from rsbac_fd_menu, was not used anyway and removed in rsbac/kernel. - attr_back_fd added. (Recursive) backup of all attribute values for those files/dirs given in command line. Only non-default values are saved. Output script file contains all attr_set_file_dir calls needed to restore. - Similar attr_back_user and attr_back_dev added. - Attributes log_array_low and log_array_high added to file/dir/dev utils. - Administration menu for (file/dir/dev X request) log levels added to rsbac_fd_menu and rsbac_dev_menu. - Command line utils also got log_level special options. 20/Apr/2001 Amon Ott rsbac-admin-1.4.0/main/tools/AUTHORS0000644000175000017500000000077011131371031016671 0ustar gauvaingauvainRSBAC main author is Amon Ott . Credits for many patches showing bugs and possible fixes and lots of good ideas go to many people, specially to what I call 'Our Russian RSBAC Team', the people of AltLinux with their AltLinux Castle distribution. They also provide and maintain the rklogd and related tools and helped me with the automake-autoconf mess. Also, there are several people doing lots of helpful promotion, too many to name them here. Their part cannot be rated too low. Amon. 
rsbac-admin-1.4.0/main/tools/README0000644000175000017500000000307611131371033016505 0ustar gauvaingauvain
RSBAC Administration Tools
==========================

RSBAC administration is done via command line tools or dialog menus.
Please see the online documentation at http://www.rsbac.org/documentation
or the kernel docs at /Documentation/rsbac for details.

Language support (NLS):
----------------------

If your language is already supported, you only have to set your locale
in the environment. If not, please read po/README to add your desired
language.

You can view the supported locales for your system with the locale command:
$ locale -a

You can view the locales supported by the RSBAC tools with this command:
$ ls po/*.po

Once chosen, please set it (example for fr_FR@euro):
$ export LANG="fr_FR@euro"
$ export LANGUAGE="fr_FR@euro"
$ export LC_ALL="fr_FR@euro"

Then start using RSBAC utilities.

--
All RSBAC code is copyrighted by Amon Ott unless stated otherwise, and
published under the restrictions of the GNU General Public Licence as to
be read in file COPYING in the main directory of the kernel source tree.
All statements therein apply fully to all RSBAC sources.

RSBAC is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.

This software is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details, available in the file ``COPYING' rsbac-admin-1.4.0/main/tools/examples/0000755000175000017500000000000011131371033017435 5ustar gauvaingauvainrsbac-admin-1.4.0/main/tools/examples/auth/0000755000175000017500000000000011131371033020376 5ustar gauvaingauvainrsbac-admin-1.4.0/main/tools/examples/auth/addcap.c0000644000175000017500000000134411131371033021760 0ustar gauvaingauvain#include #include #include #include #include #include #include int main(int argc, char ** argv) { int res = 0; int i; struct rsbac_auth_cap_range_t cap_range; if(argc > 1) { cap_range.first = 0; cap_range.last = 0; rsbac_auth_add_p_cap(strtoul(argv[1],0,0), ACT_real, cap_range, 3600); cap_range.first = 400; cap_range.last = 400; rsbac_auth_add_p_cap(strtoul(argv[1],0,0), ACT_real, cap_range, 3600); } exit(0); } rsbac-admin-1.4.0/main/tools/examples/rc/0000755000175000017500000000000011131371033020041 5ustar gauvaingauvainrsbac-admin-1.4.0/main/tools/examples/rc/apache.sh0000755000175000017500000000562011131371033021624 0ustar gauvaingauvain#!/bin/bash # # RC sample administration - secure apache web server with CGIs # # DOCTYPE=`rc_get_item list_unused_fd_type_nr | head -n 1` APACHEROLE=`rc_get_item list_unused_role_nr | head -n 1` CGIROLE=`rc_get_item list_unused_role_nr | head -n 2 | tail -n 1` # GENERALTYPE=0 GENERALUSERROLE=0 ROLEADMINROLE=1 SYSADMINROLE=2 USEDROLES="`rc_get_item list_used_role_nr`" USEDTYPES="`rc_get_item list_used_fd_type_nr`" APACHEBIN=/usr/sbin/httpd DOCROOT=/usr/local/httpd CGIDIR=/usr/local/httpd/cgi-bin APACHEUSER=wwwrun # # Redo security check if test "`attr_get_file_dir DIR $DOCROOT rc_type_fd`" != "65" then echo "$DOCROOT already has a rc_type_fd set, exiting!" 
; exit fi # echo "" echo Create new type $DOCTYPE \"WWW Docs\" rc_set_item TYPE $DOCTYPE type_fd_name "WWW Docs" || exit # echo "" echo Give \"Role Admin\" read and attribute rights to DOCTYPE $DOCTYPE rc_set_item ROLE $ROLEADMINROLE type_comp_fd $DOCTYPE R 1 || exit rc_set_item ROLE $ROLEADMINROLE type_comp_fd $DOCTYPE SE 1 || exit # echo "" echo Create new roles $APACHEROLE \"Apache Role\" and $CGIROLE \"CGI Role\" rc_set_item ROLE $APACHEROLE name "Apache Role" || exit rc_set_item ROLE $CGIROLE name "CGI Role" || exit # echo "" echo Disallow file creation for $CGIROLE \"CGI Role\" rc_set_item ROLE $CGIROLE def_fd_create_type 66 || exit # echo "" echo Give \"Apache Role\" and \"CGI Role\" read rights to DOCTYPE $DOCTYPE rc_set_item ROLE $APACHEROLE type_comp_fd $DOCTYPE R 1 || exit rc_set_item ROLE $CGIROLE type_comp_fd $DOCTYPE R 1 || exit # echo "" echo Give \"Apache Role\" CREATE and DELETE right to IPC type GENERALTYPE $GENERALTYPE for i in CREATE DELETE do rc_set_item ROLE $APACHEROLE type_comp_ipc $GENERALTYPE $i 1 || exit done # echo "" echo Give \"Apache Role\" and \"CGI Role\" SEARCH right to echo GENERALTYPE $GENERALTYPE to go down to own files for i in SEARCH do rc_set_item ROLE $APACHEROLE type_comp_fd $GENERALTYPE $i 1 || exit rc_set_item ROLE $CGIROLE type_comp_fd $GENERALTYPE $i 1 || exit done # echo "" echo Give \"System Admin\" read-write rights to DOCTYPE $DOCTYPE rc_set_item ROLE $SYSADMINROLE type_comp_fd $DOCTYPE RW 1 || exit # echo "" echo Set type $DOCTYPE \"WWW Docs\" for $DOCROOT and $CGIDIR attr_set_file_dir DIR $DOCROOT rc_type_fd $DOCTYPE || exit attr_set_file_dir DIR $CGIDIR rc_type_fd $DOCTYPE || exit # echo "" echo Give all CGIs in $CGIDIR rc_force_role \"CGI Role\" for i in ${CGIDIR}/* do \ attr_set_file_dir FILE $i rc_force_role $CGIROLE || exit done # echo "" echo Set role $APACHEROLE \"Apache Role\" for $APACHEUSER attr_set_user $APACHEUSER rc_def_role $APACHEROLE || exit # echo "" echo "Ready. 
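Please check your new configuration."
echo ""
echo "Don't forget to set an AUTH capability for $APACHEBIN,"
echo "user $APACHEUSER, if AUTH is active:"
echo auth_set_cap FILE add $APACHEBIN $APACHEUSER
echo ""
# Quoted: the apostrophe in "perl's" was an unterminated single quote, so
# bash reported "unexpected EOF" and never printed this final hint.
echo "Also you might have to set perl's Registry.pm file to rc_type_fd $DOCTYPE"
echo "to run perl CGI scripts."
rsbac-admin-1.4.0/main/tools/examples/rc/home_area.sh0000755000175000017500000000304411131371033022321 0ustar gauvaingauvain
#!/bin/bash
#
# RC sample administration - grant General Users no write access outside
# /home tree (HOMEDIR below).
#
# Steps: create or re-use the RC FD type "Home Area"; give Role Admin read,
# System Admin SEARCH and General User read-write access to it; take the
# General User role's write rights on the general FD type away; finally
# tag HOMEDIR with the new type.
#
# Every rc_set_item / attr_set_file_dir call aborts the script on failure
# (like apache.sh does): carrying on after a failed step would leave the
# policy only partially applied.
#
# Adjust these lines
HOMEDIR=/home
# No more changes below
#
# Redo security check
#if test "`attr_get_file_dir DIR $HOMEDIR rc_type_fd`" != "65"
#then echo "$HOMEDIR already has a rc_type_fd set, exiting!" ; exit
#fi
#
# Re-use an existing "Home Area" type if the kernel already has one.
# NOTE(review): the type is created below with name "Home Area" but looked
# up here as 'Home_Area' - confirm rc_get_item prints names with underscores
# (auth_prot.sh uses the same lookup).
HOMEAREATYPE=`rc_get_item list_used_fd_types | grep 'Home_Area' | cut -f 1 -d ' '`
# Quoted: with an empty value the unquoted form degenerates to a bare
# `test -z`, which only happens to give the intended result.
if test -z "$HOMEAREATYPE"
then HOMEAREATYPE=`rc_get_item list_unused_fd_type_nr | head -n 1`
else echo Redoing settings for \"Home Area\" type $HOMEAREATYPE
fi
#
# Default RC type and role numbers (same values apache.sh and auth_prot.sh use)
GENERALTYPE=0
GENERALUSERROLE=0
ROLEADMINROLE=1
SYSADMINROLE=2
#
echo ""
echo Create new type \"Home Area\"
rc_set_item TYPE $HOMEAREATYPE type_fd_name "Home Area" || exit
#
echo ""
echo Give \"Role Admin\" read rights to HOMEAREATYPE $HOMEAREATYPE
rc_set_item ROLE $ROLEADMINROLE type_comp_fd $HOMEAREATYPE R 1 || exit
#
echo ""
echo Give \"System Admin\" SEARCH right to HOMEAREATYPE $HOMEAREATYPE
rc_set_item ROLE $SYSADMINROLE type_comp_fd $HOMEAREATYPE SEARCH 1 || exit
#
echo ""
echo Give \"General User\" read-write rights to HOMEAREATYPE $HOMEAREATYPE
rc_set_item ROLE $GENERALUSERROLE type_comp_fd $HOMEAREATYPE RW 1 || exit
#
#echo ""
#echo Revoke \"General User\" EXECUTE right to HOMEAREATYPE $HOMEAREATYPE
#rc_set_item ROLE $GENERALUSERROLE type_comp_fd $HOMEAREATYPE EXECUTE 0
#
echo ""
echo Revoke \"General User\" write rights to \"General FD\"
# Order matters: the first call clears the right set (presumably "A" = all
# rights), the second hands read back after the reset.
rc_set_item ROLE $GENERALUSERROLE type_comp_fd $GENERALTYPE A 0 || exit
rc_set_item ROLE $GENERALUSERROLE type_comp_fd $GENERALTYPE R 1 || exit
#
echo ""
echo Set type $HOMEAREATYPE \"Home Area\" for $HOMEDIR
attr_set_file_dir DIR "$HOMEDIR" rc_type_fd $HOMEAREATYPE || exit
rsbac-admin-1.4.0/main/tools/examples/rc/auth_prot.sh0000755000175000017500000001140011131371033022401 0ustar gauvaingauvain
#!/bin/bash
#
# RC sample administration - protect /etc/passwd, /etc/group, /etc/shadow
# ATTENTION: You should grant read rights to PASSWDTYPE for all new roles,
# otherwise many programs might not work correctly
# You should grant AUTHROLE SEARCH and CHDIR on all home dirs,
# otherwise /bin/login cannot chdir to the user's home dir
# (adjust HOMEAREATYPE to let this script do it for you).
#
# Adjust these lines
COPYORIGINROLE=2
AUTHPROGS="/bin/login /usr/sbin/sshd"
AUTHCHANGEPROGS="/bin/passwd /usr/bin/passwd /sbin/YaST"
HOMEAREATYPE=`rc_get_item list_used_fd_types | grep 'Home_Area' | cut -f 1 -d ' '`
# No more changes below
#
# Redo security check
if test "`attr_get_file_dir FILE /bin/login rc_type_fd`" != "65"
then echo "/bin/login already has a rc_type_fd set, exiting!" ; exit
fi
#
echo ""
PASSWDTYPE=`rc_get_item list_unused_fd_type_nr | head -n 1`
SHADOWTYPE=`rc_get_item list_unused_fd_type_nr | head -n 2 | tail -n 1`
#
AUTHROLE=`rc_get_item list_unused_role_nr | head -n 1`
AUTHCHANGEROLE=`rc_get_item list_unused_role_nr | head -n 2 | tail -n 1`
#
echo ""
GENERALTYPE=0
GENERALUSERROLE=0
ROLEADMINROLE=1
SYSADMINROLE=2
USEDROLES="`rc_get_item list_used_role_nr`"
#
echo ""
echo Create new types $PASSWDTYPE \"Passwd-Type\" and $SHADOWTYPE \"Shadow-Type\"
rc_set_item TYPE $PASSWDTYPE type_fd_name "Passwd-Type"
rc_set_item TYPE $SHADOWTYPE type_fd_name "Shadow-Type"
#
echo ""
echo Create new roles $AUTHROLE \"Auth Role\" and $AUTHCHANGEROLE \"Auth Change\"
echo \(Copy from role $COPYORIGINROLE and set name\)
rc_copy_role $COPYORIGINROLE $AUTHROLE
rc_set_item ROLE $AUTHROLE name "Auth Role"
rc_copy_role $COPYORIGINROLE $AUTHCHANGEROLE
rc_set_item ROLE $AUTHCHANGEROLE name "Auth Change"
rc_set_item ROLE $AUTHCHANGEROLE def_fd_create_type $SHADOWTYPE
#
echo ""
echo Give \"Auth Role\" read rights to \"Passwd Type\" 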
$PASSWDTYPE and echo \"Shadow Type\" $SHADOWTYPE rc_set_item ROLE $AUTHROLE type_comp_fd $PASSWDTYPE R 1 rc_set_item ROLE $AUTHROLE type_comp_fd $SHADOWTYPE R 1 # echo "" if test -n $HOMEAREATYPE then \ echo Give \"Auth Role\" SEARCH, CHDIR, READ and READ_OPEN rights to \"Home Area\" $HOMEAREATYPE for i in SEARCH CHDIR READ READ_OPEN do rc_set_item ROLE $AUTHROLE type_comp_fd $HOMEAREATYPE $i 1 done else echo No \"Home Area\" type found - skipping fi # echo "" echo Give \"Auth Change\" APPEND_OPEN, CREATE and WRITE right to echo \"General Type\" $GENERALTYPE to create files in /etc and log errors for i in APPEND_OPEN CREATE WRITE do rc_set_item ROLE $AUTHCHANGEROLE type_comp_fd $GENERALTYPE $i 1 done # echo "" echo Give \"Auth Change\" read and write-open rights to \"Passwd Type\" $PASSWDTYPE echo and \"Shadow Type\" $SHADOWTYPE rc_set_item ROLE $AUTHCHANGEROLE type_comp_fd $PASSWDTYPE RW 1 rc_set_item ROLE $AUTHCHANGEROLE type_comp_fd $SHADOWTYPE RW 1 # echo "" echo Give all existing roles \($USEDROLES\) echo read rights to \"Passwd Type\" $PASSWDTYPE and echo EXECUTE/SEARCH on \"Shadow Type\" $SHADOWTYPE for i in $USEDROLES do \ rc_set_item ROLE $i type_comp_fd $PASSWDTYPE R 1 rc_set_item ROLE $i type_comp_fd $SHADOWTYPE EXECUTE 1 rc_set_item ROLE $i type_comp_fd $SHADOWTYPE SEARCH 1 done # echo "" echo Give \"Role Admin\" attribute rights on \"Passwd Type\" $PASSWDTYPE and echo \"Shadow Type\" $SHADOWTYPE rc_set_item ROLE $ROLEADMINROLE type_comp_fd $PASSWDTYPE SE 1 rc_set_item ROLE $ROLEADMINROLE type_comp_fd $SHADOWTYPE SE 1 # echo "" echo Give \"System Admin\" CREATE on \"Shadow Type\" $SHADOWTYPE rc_set_item ROLE $SYSADMINROLE type_comp_fd $SHADOWTYPE CREATE 1 # echo "" echo Set types for /etc/passwd, /etc/group, /etc/shadow, /etc/.pwd.lock, /etc/shadow- attr_set_file_dir FILE /etc/passwd rc_type_fd $PASSWDTYPE attr_set_file_dir FILE /etc/group rc_type_fd $PASSWDTYPE attr_set_file_dir FILE /etc/shadow rc_type_fd $SHADOWTYPE attr_set_file_dir FILE 
/etc/shadow- rc_type_fd $SHADOWTYPE attr_set_file_dir FILE /etc/.pwd.lock rc_type_fd $SHADOWTYPE # echo "" echo Set all authorising programs \($AUTHPROGS\) to type $PASSWDTYPE for i in $AUTHPROGS do \ attr_set_file_dir FILE $i rc_type_fd $PASSWDTYPE done # echo "" echo Give all authorising programs \($AUTHPROGS\) rc_force_role $AUTHROLE for i in $AUTHPROGS do \ attr_set_file_dir FILE $i rc_force_role $AUTHROLE done # echo "" echo Set all authorisation changing programs \($AUTHCHANGEPROGS\) to type $SHADOWTYPE for i in $AUTHCHANGEPROGS do \ attr_set_file_dir FILE $i rc_type_fd $SHADOWTYPE done # echo "" echo Give all authorisation changing programs \($AUTHCHANGEPROGS\) echo rc_force_role $AUTHCHANGEROLE for i in $AUTHCHANGEPROGS do \ attr_set_file_dir FILE $i rc_force_role $AUTHCHANGEROLE done # echo "" echo Give /bin/sh rc_force_role inherit_process '(65)' to make yast work attr_set_file_dir FILE /bin/sh rc_force_role 65 # echo "" echo Ready! rsbac-admin-1.4.0/main/tools/examples/rc/apache_nettemp.sh0000755000175000017500000000321011131371033023351 0ustar gauvaingauvain#!/bin/bash # # apache_nettemp.sh # # Setup a network template and RC role and type for apache networking control # net_temp new_template 2000 "HTTP Local" net_temp set_address_family 2000 INET net_temp set_type 2000 STREAM net_temp set_address 2000 0.0.0.0 net_temp set_valid_len 2000 0 net_temp set_protocol 2000 TCP net_temp set_netdev 2000 "" net_temp set_min_port 2000 80 net_temp set_max_port 2000 80 rc_set_item TYPE 4 type_netobj_name "HTTP local" rc_set_item ROLE 5 name "Webserver" rc_set_item -b ROLE 5 type_comp_fd 0 0000000000000001110100000011011010010111111110110100 rc_set_item -b ROLE 5 type_comp_dev 0 0000000000000000110000000000011010000000000010000100 rc_set_item -b ROLE 5 type_comp_ipc 0 0000000000000000110000000000011010010001101110011110 rc_set_item -b ROLE 5 type_comp_scd 5 1111000000000001011000111000100101111001100000000001 rc_set_item -b ROLE 5 type_comp_scd 12 
0000000000000000000000000000000000000001000000000000 rc_set_item -b ROLE 5 type_comp_process 0 0000000000000000000011000100000000000000000101011000 rc_set_item -b ROLE 5 type_comp_netdev 0 0000000000000010000000000000000000000001000000000000 rc_set_item -b ROLE 5 type_comp_netobj 0 0000000001111000010000000000000010000000000100000000 rc_set_item -b ROLE 5 type_comp_netobj 4 0000000010000110000000000000000000000000000110000000 rc_set_item ROLE 5 def_fd_create_type 4294967294 rc_set_item ROLE 5 def_process_create_type 4294967294 rc_set_item ROLE 5 def_process_chown_type 4294967291 rc_set_item ROLE 5 def_process_execute_type 4294967295 rc_set_item ROLE 5 def_ipc_create_type 0 attr_set_net NETTEMP rc_type 4 2000 attr_set_file_dir FILE /usr/sbin/httpd rc_force_role 5 rsbac-admin-1.4.0/main/tools/examples/rc/named_nettemp.sh0000755000175000017500000000463611131371033023231 0ustar gauvaingauvain#!/bin/bash # # named_nettemp.sh # # Setup a network template and RC role and type for named networking control # net_temp new_template 100 "Named Localhost" net_temp set_address_family 100 INET net_temp set_type 100 ANY net_temp set_address 100 127.0.0.1 net_temp set_valid_len 100 32 net_temp set_protocol 100 ANY net_temp set_netdev 100 "" net_temp set_min_port 100 53 net_temp set_max_port 100 53 net_temp new_template 120 "Named Localaddr" net_temp set_address_family 120 INET net_temp set_type 120 ANY net_temp set_address 120 192.168.200.240 net_temp set_valid_len 120 32 net_temp set_protocol 120 ANY net_temp set_netdev 120 "" net_temp set_min_port 120 53 net_temp set_max_port 120 53 net_temp new_template 1000 "Named Unix" net_temp set_address_family 1000 UNIX net_temp set_type 1000 STREAM net_temp -u set_address 1000 "/var/run/ndc" net_temp set_valid_len 1000 12 net_temp set_protocol 1000 ANY net_temp set_netdev 1000 "" net_temp set_min_port 1000 0 net_temp set_max_port 1000 0 rc_set_item TYPE 3 type_netobj_name "Named Local" rc_set_item ROLE 4 name "Named" rc_set_item -b ROLE 4 
type_comp_fd 0 0000000000000001111100000011011111010111111110110100 rc_set_item -b ROLE 4 type_comp_dev 0 0000000000000000111000000000011111000000000010000100 rc_set_item -b ROLE 4 type_comp_ipc 0 0000000000000000110000000000011110010001101110011110 rc_set_item -b ROLE 4 type_comp_scd 5 1111000000000001011000111000100101111001100000000001 rc_set_item -b ROLE 4 type_comp_scd 12 1111111111111111111111111111111111111111111111111111 rc_set_item -b ROLE 4 type_comp_process 0 0000000000000000000011000100000100000000000101011000 rc_set_item -b ROLE 4 type_comp_netdev 0 0000000000000010000000000000000100100001000000000000 rc_set_item -b ROLE 4 type_comp_nettemp 0 0000000000000000000000000000000010000000000000000000 rc_set_item -b ROLE 4 type_comp_netobj 0 0000000001111000010000000000000010000000000100000000 rc_set_item -b ROLE 4 type_comp_netobj 3 0000000011111110000000000000000000000000000110000000 rc_set_item ROLE 4 def_fd_create_type 4294967294 rc_set_item ROLE 4 def_process_create_type 4294967294 rc_set_item ROLE 4 def_process_chown_type 4294967291 rc_set_item ROLE 4 def_process_execute_type 4294967295 rc_set_item ROLE 4 def_ipc_create_type 0 attr_set_net NETTEMP rc_type 3 100 attr_set_net NETTEMP rc_type 3 120 attr_set_net NETTEMP rc_type 3 1000 attr_set_net NETTEMP rc_type 3 100105 attr_set_file_dir FILE /usr/sbin/named rc_force_role 4 rsbac-admin-1.4.0/main/tools/examples/reg/0000755000175000017500000000000011131371033020212 5ustar gauvaingauvainrsbac-admin-1.4.0/main/tools/examples/reg/reg_sample1.c0000644000175000017500000002352711131371033022566 0ustar gauvaingauvain/* * RSBAC REG decision module sample 1 * * Author and (c) 1999-2005 Amon Ott */ #include #include #include #include #include #include #include #include #include #include #include #include static u_long nr_request_calls = 0; static u_long nr_set_attr_calls = 0; static u_long nr_need_overwrite_calls = 0; static u_long nr_system_calls = 0; static void * system_call_arg = NULL; MODULE_AUTHOR("Amon Ott"); 
MODULE_DESCRIPTION("RSBAC REG sample decision module 1"); MODULE_LICENSE("GPL"); #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) static char * name = NULL; static char * syscall_name = NULL; static long handle = 123456; static long syscall_registration_handle = 654321; static long syscall_dispatcher_handle = 1; module_param(name, charp, 0000); MODULE_PARM_DESC(name, "Name"); module_param(syscall_name, charp, 0000); MODULE_PARM_DESC(syscall_name, "Syscall name"); module_param(handle, long, S_IRUSR); MODULE_PARM_DESC(handle, "Handle"); module_param(syscall_registration_handle, long, S_IRUSR); MODULE_PARM_DESC(syscall_registration_handle, "Syscall registration handle"); module_param(syscall_dispatcher_handle, long, S_IRUSR); MODULE_PARM_DESC(syscall_dispatcher_handle, "Syscall dispatcher"); #else MODULE_PARM(name, "s"); static char * name = NULL; static char dummy_buf[70]="To protect against wrong insmod params"; MODULE_PARM(syscall_name, "s"); static char * syscall_name = NULL; static char dummy_buf2[70]="To protect against wrong insmod params"; MODULE_PARM(handle, "l"); static long handle = 123456; MODULE_PARM(syscall_registration_handle, "l"); static long syscall_registration_handle = 654321; MODULE_PARM(syscall_dispatcher_handle, "l"); static long syscall_dispatcher_handle = 1; #endif /* PROC functions */ #if defined(CONFIG_RSBAC_PROC) #define PROC_NAME "reg_sample1" static struct proc_dir_entry * proc_reg_sample_p; static int adf_sample_proc_info(char *buffer, char **start, off_t offset, int length) { int len = 0; off_t pos = 0; off_t begin = 0; union rsbac_target_id_t rsbac_target_id; union rsbac_attribute_value_t rsbac_attribute_value; if (!rsbac_is_initialized()) return (-ENOSYS); rsbac_target_id.scd = ST_rsbac; rsbac_attribute_value.dummy = 0; if (!rsbac_adf_request(R_GET_STATUS_DATA, current->pid, T_SCD, rsbac_target_id, A_none, rsbac_attribute_value)) { return -EPERM; } len += sprintf(buffer, "RSBAC REG decision module sample 
1\n----------------------------------\n"); pos = begin + len; if (pos < offset) { len = 0; begin = pos; } if (pos > offset+length) goto out; len += sprintf(buffer + len, "%lu calls to request function.\n", nr_request_calls); pos = begin + len; if (pos < offset) { len = 0; begin = pos; } if (pos > offset+length) goto out; len += sprintf(buffer + len, "%lu calls to set_attr function.\n", nr_set_attr_calls); pos = begin + len; if (pos < offset) { len = 0; begin = pos; } if (pos > offset+length) goto out; len += sprintf(buffer + len, "%lu calls to need_overwrite function.\n", nr_need_overwrite_calls); pos = begin + len; if (pos < offset) { len = 0; begin = pos; } if (pos > offset+length) goto out; len += sprintf(buffer + len, "%lu calls to system_call function %lu, last arg was %p.\n", nr_system_calls, syscall_dispatcher_handle, system_call_arg); pos = begin + len; if (pos < offset) { len = 0; begin = pos; } if (pos > offset+length) goto out; out: *start = buffer + (offset - begin); len -= (offset - begin); if (len > length) len = length; return len; } #endif /* CONFIG_RSBAC_PROC */ /**** Decision Functions ****/ static int request_func ( enum rsbac_adf_request_t request, rsbac_pid_t owner_pid, enum rsbac_target_t target, union rsbac_target_id_t tid, enum rsbac_attribute_t attr, union rsbac_attribute_value_t attr_val, rsbac_uid_t owner) { /* count call, but not for SEARCH request */ if(request != R_SEARCH) nr_request_calls++; return GRANTED; } static int set_attr_func ( enum rsbac_adf_request_t request, rsbac_pid_t owner_pid, enum rsbac_target_t target, union rsbac_target_id_t tid, enum rsbac_target_t new_target, union rsbac_target_id_t new_tid, enum rsbac_attribute_t attr, union rsbac_attribute_value_t attr_val, rsbac_uid_t owner) { /* count call, but not for SEARCH request */ if(request != R_SEARCH) nr_set_attr_calls++; return 0; } static rsbac_boolean_t need_overwrite_func (struct dentry * dentry_p) { nr_need_overwrite_calls++; return FALSE; } static int 
syscall_func (void * arg) { nr_system_calls++; system_call_arg = arg; return nr_system_calls; } /**** Init ****/ int init_module(void) { struct rsbac_reg_entry_t entry; struct rsbac_reg_syscall_entry_t syscall_entry; if(!handle) handle = 123456; if(!syscall_registration_handle) syscall_registration_handle = 654321; if(!syscall_dispatcher_handle) syscall_dispatcher_handle = 1; rsbac_printk(KERN_INFO "RSBAC REG decision module sample 1: Initializing.\n"); /* clearing registration entries */ memset(&entry, 0, sizeof(entry)); memset(&syscall_entry, 0, sizeof(syscall_entry)); #if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,0) if((dummy_buf[0] != 'T') || (dummy_buf2[0] != 'T')) { rsbac_printk(KERN_WARNING "RSBAC REG decision module sample 1: Not loaded due to invalid param string.\n"); return -ENOEXEC; } #endif if(name) { strncpy(entry.name, name, RSBAC_REG_NAME_LEN); entry.name[RSBAC_REG_NAME_LEN] = 0; } else strcpy(entry.name, "RSBAC REG sample 1 ADF module"); rsbac_printk(KERN_INFO "RSBAC REG decision module sample 1: REG Version: %u, Name: %s, Handle: %li\n", RSBAC_REG_VERSION, entry.name, handle); entry.handle = handle; entry.request_func = request_func; entry.set_attr_func = set_attr_func; entry.need_overwrite_func = need_overwrite_func; entry.switch_on = TRUE; rsbac_printk(KERN_INFO "RSBAC REG decision module sample 1: Registering to ADF.\n"); if(rsbac_reg_register(RSBAC_REG_VERSION, entry) < 0) { rsbac_printk(KERN_WARNING "RSBAC REG decision module sample 1: Registering failed. 
Unloading.\n"); return -ENOEXEC; } if(syscall_name) { strncpy(syscall_entry.name, syscall_name, RSBAC_REG_NAME_LEN); syscall_entry.name[RSBAC_REG_NAME_LEN] = 0; } else strcpy(syscall_entry.name, "RSBAC REG sample 1 syscall"); rsbac_printk(KERN_INFO "RSBAC REG decision module sample 1: REG Version: %u, Name: %s, Dispatcher Handle: %li\n", RSBAC_REG_VERSION, syscall_entry.name, syscall_dispatcher_handle); syscall_entry.registration_handle = syscall_registration_handle; syscall_entry.dispatcher_handle = syscall_dispatcher_handle; syscall_entry.syscall_func = syscall_func; rsbac_printk(KERN_INFO "RSBAC REG decision module sample 1: Registering syscall.\n"); syscall_registration_handle = rsbac_reg_register_syscall(RSBAC_REG_VERSION, syscall_entry); if(syscall_registration_handle < 0) { rsbac_printk(KERN_WARNING "RSBAC REG decision module sample 1: Registering syscall failed. Unloading.\n"); if(rsbac_reg_unregister(handle)) { rsbac_printk(KERN_ERR "RSBAC REG decision module sample 1: Unregistering failed - beware of possible system failure!\n"); } return -ENOEXEC; } #if defined(CONFIG_RSBAC_PROC) proc_reg_sample_p = create_proc_entry(PROC_NAME, S_IFREG | S_IRUGO, proc_rsbac_root_p); if(!proc_reg_sample_p) { rsbac_printk(KERN_WARNING "%s: Not loaded due to failed proc entry registering.\n", name); if(rsbac_reg_unregister(handle)) { rsbac_printk(KERN_ERR "RSBAC REG decision module sample 1: Unregistering failed - beware of possible system failure!\n"); } if(rsbac_reg_unregister_syscall(syscall_registration_handle)) { rsbac_printk(KERN_ERR "RSBAC REG decision module sample 1: Unregistering syscall failed - beware of possible system failure!\n"); } return -ENOEXEC; } proc_reg_sample_p->get_info = adf_sample_proc_info; #endif rsbac_printk(KERN_INFO "RSBAC REG decision module sample 1: Loaded.\n"); return 0; } void cleanup_module(void) { rsbac_printk(KERN_INFO "RSBAC REG decision module sample 1: Unregistering.\n"); #if defined(CONFIG_RSBAC_PROC) remove_proc_entry(PROC_NAME, 
proc_rsbac_root_p); #endif if(rsbac_reg_unregister_syscall(syscall_registration_handle)) { rsbac_printk(KERN_ERR "RSBAC REG decision module sample 1: Unregistering syscall failed - beware of possible system failure!\n"); } if(rsbac_reg_unregister(handle)) { rsbac_printk(KERN_ERR "RSBAC REG decision module sample 1: Unregistering failed - beware of possible system failure!\n"); } rsbac_printk(KERN_INFO "RSBAC REG decision module sample 1: Unloaded.\n"); } rsbac-admin-1.4.0/main/tools/examples/reg/reg_sample2.c0000644000175000017500000004075611131371033022572 0ustar gauvaingauvain/* * RSBAC REG decision module sample2 * (not working any more, kept for reference) * * Author and (c) 1999-2005 Amon Ott */ /* general stuff */ #include #include #include #include /* for (un)lock_kernel() */ #include #include #include /* for file access */ #include #include /* rsbac */ #include #include #include #include #include #include #include #include static u_long nr_request_calls = 0; static u_long nr_set_attr_calls = 0; static u_long nr_need_overwrite_calls = 0; static rsbac_boolean_t no_write = FALSE; static u_long nr_system_calls = 0; static void * system_call_arg = 0; MODULE_AUTHOR("Amon Ott"); MODULE_DESCRIPTION("RSBAC REG sample decision module 2"); MODULE_PARM(name, "s"); static char * name = NULL; static char dummy_buf[70]="To protect against wrong insmod params"; MODULE_PARM(syscall_name, "s"); static char * syscall_name = NULL; static char dummy_buf2[70]="To protect against wrong insmod params"; MODULE_PARM(handle, "l"); static long handle = 123457; MODULE_PARM(syscall_registration_handle, "l"); static long syscall_registration_handle = 754321; MODULE_PARM(syscall_dispatcher_handle, "l"); static long syscall_dispatcher_handle = 2; /* Filename for persistent data in /rsbac dir of ROOT_DEV (max 7 chars) */ #define FILENAME "regsmp2" /* Version number for on disk data structures */ #define FILE_VERSION 1 /* PROC functions */ #if defined(CONFIG_RSBAC_PROC) #define PROC_NAME 
"reg_sample2" static struct proc_dir_entry * proc_reg_sample_p; #if LINUX_VERSION_CODE < KERNEL_VERSION(2,3,0) static int adf_sample_proc_info(char *buffer, char **start, off_t offset, int length, int dummy) #else static int adf_sample_proc_info(char *buffer, char **start, off_t offset, int length) #endif { int len = 0; off_t pos = 0; off_t begin = 0; union rsbac_target_id_t rsbac_target_id; union rsbac_attribute_value_t rsbac_attribute_value; if (!rsbac_is_initialized()) return (-ENOSYS); rsbac_target_id.scd = ST_rsbac; rsbac_attribute_value.dummy = 0; if (!rsbac_adf_request(R_GET_STATUS_DATA, current->pid, T_SCD, rsbac_target_id, A_none, rsbac_attribute_value)) { return -EPERM; } len += sprintf(buffer, "RSBAC REG decision module sample 2\n----------------------------------\n"); pos = begin + len; if (pos < offset) { len = 0; begin = pos; } if (pos > offset+length) goto out; len += sprintf(buffer + len, "%lu calls to request function.\n", nr_request_calls); pos = begin + len; if (pos < offset) { len = 0; begin = pos; } if (pos > offset+length) goto out; len += sprintf(buffer + len, "%lu calls to set_attr function.\n", nr_set_attr_calls); pos = begin + len; if (pos < offset) { len = 0; begin = pos; } if (pos > offset+length) goto out; len += sprintf(buffer + len, "%lu calls to need_overwrite function.\n", nr_need_overwrite_calls); pos = begin + len; if (pos < offset) { len = 0; begin = pos; } if (pos > offset+length) goto out; len += sprintf(buffer + len, "%lu calls to system_call function %lu, last arg was %p.\n", nr_system_calls, syscall_dispatcher_handle, system_call_arg); pos = begin + len; if (pos < offset) { len = 0; begin = pos; } if (pos > offset+length) goto out; out: *start = buffer + (offset - begin); len -= (offset - begin); if (len > length) len = length; return len; } #endif /* CONFIG_RSBAC_PROC */ /**** Read/Write Functions ****/ /* read_info() */ /* reading the system wide adf_sample2 data */ static int read_info(void) { struct file file; char 
name[RSBAC_MAXNAMELEN]; int err = 0; int tmperr; mm_segment_t oldfs; u_int version; u_long tmpval; /* copy name from base name */ strcpy(name, FILENAME); /* open file */ if ((err = rsbac_read_open(name, &file, rsbac_root_dev) )) return(err); /* OK, now we can start reading */ /* There is a read function for this file, so read data from * previous module load. * A positive read return value means a read success, * 0 end of file and a negative value an error. */ /* Set current user space to kernel space, because read() writes */ /* to user space */ oldfs = get_fs(); set_fs(KERNEL_DS); tmperr = file.f_op->read(&file, (char *) &version, sizeof(version), &file.f_pos); /* error? */ if (tmperr < sizeof(version)) { rsbac_printk(KERN_WARNING "read_info(): read error from file!\n"); err = -RSBAC_EREADFAILED; goto end_read; } /* if wrong version, warn and skip */ if (version != FILE_VERSION) { rsbac_printk(KERN_WARNING "read_info(): wrong version %u, expected %u - skipping file and setting no_write!\n", version, FILE_VERSION); no_write = TRUE; err = -RSBAC_EREADFAILED; goto end_read; } /* read nr_request_calls */ tmperr = file.f_op->read(&file, (char *) &tmpval, sizeof(tmpval), &file.f_pos); if (tmperr < sizeof(tmpval)) { rsbac_printk(KERN_WARNING "%s\n", "read_info(): read error from file!"); err = -RSBAC_EREADFAILED; goto end_read; } nr_request_calls = tmpval; /* read nr_set_attr_calls */ tmperr = file.f_op->read(&file, (char *) &tmpval, sizeof(tmpval), &file.f_pos); if (tmperr < sizeof(tmpval)) { rsbac_printk(KERN_WARNING "%s\n", "read_info(): read error from file!"); err = -RSBAC_EREADFAILED; goto end_read; } nr_set_attr_calls = tmpval; /* read nr_need_overwrite_calls */ tmperr = file.f_op->read(&file, (char *) &tmpval, sizeof(tmpval), &file.f_pos); if (tmperr < sizeof(tmpval)) { rsbac_printk(KERN_WARNING "%s\n", "read_info(): read error from file!"); err = -RSBAC_EREADFAILED; goto end_read; } nr_need_overwrite_calls = tmpval; end_read: /* Set current user space back to 
user space, because read() writes */ /* to user space */ set_fs(oldfs); /* We do not need this file dentry any more */ rsbac_read_close(&file); /* ready */ return(err); }; /* end of read_info() */ static int write_info(void) { struct file file; char name[RSBAC_MAXNAMELEN]; int err = 0; int tmperr; mm_segment_t oldfs; u_int version = FILE_VERSION; /* copy name from base name */ strcpy(name, FILENAME); /* get rsbac write-to-disk semaphore */ down(&rsbac_write_sem); /* open file */ if ((err = rsbac_write_open(name, &file, rsbac_root_dev) )) { up(&rsbac_write_sem); return(err); } /* OK, now we can start writing all sample items. * A positive return value means a write success, * 0 end of file and a negative value an error. */ /* Set current user space to kernel space, because write() reads * from user space */ oldfs = get_fs(); set_fs(KERNEL_DS); tmperr = file.f_op->write(&file, (char *) &version, sizeof(version), &file.f_pos); if (tmperr < sizeof(version)) { rsbac_printk(KERN_WARNING "write_info(): write error %i on file!\n", tmperr); err = -RSBAC_EWRITEFAILED; goto end_write; } tmperr = file.f_op->write(&file, (char *) &nr_request_calls, sizeof(nr_request_calls), &file.f_pos); if (tmperr < sizeof(nr_request_calls)) { rsbac_printk(KERN_WARNING "write_info(): write error %i on file!\n", tmperr); err = -RSBAC_EWRITEFAILED; goto end_write; } tmperr = file.f_op->write(&file, (char *) &nr_set_attr_calls, sizeof(nr_set_attr_calls), &file.f_pos); if (tmperr < sizeof(nr_set_attr_calls)) { rsbac_printk(KERN_WARNING "write_info(): write error %i on file!\n", tmperr); err = -RSBAC_EWRITEFAILED; goto end_write; } tmperr = file.f_op->write(&file, (char *) &nr_need_overwrite_calls, sizeof(nr_need_overwrite_calls), &file.f_pos); if (tmperr < sizeof(nr_need_overwrite_calls)) { rsbac_printk(KERN_WARNING "write_info(): write error %i on file!\n", tmperr); err = -RSBAC_EWRITEFAILED; goto end_write; } end_write: /* Set current user space back to user space, because write() reads */ /* 
from user space */ set_fs(oldfs); /* End of write access */ rsbac_write_close(&file); up(&rsbac_write_sem); return(err); }; /* end of write_info() */ /**** Decision Functions ****/ static int request_func ( enum rsbac_adf_request_t request, rsbac_pid_t owner_pid, enum rsbac_target_t target, union rsbac_target_id_t tid, enum rsbac_attribute_t attr, union rsbac_attribute_value_t attr_val, rsbac_uid_t owner) { /* count call, but not for SEARCH request */ if(request != R_SEARCH) nr_request_calls++; return GRANTED; } static int set_attr_func ( enum rsbac_adf_request_t request, rsbac_pid_t owner_pid, enum rsbac_target_t target, union rsbac_target_id_t tid, enum rsbac_target_t new_target, union rsbac_target_id_t new_tid, enum rsbac_attribute_t attr, union rsbac_attribute_value_t attr_val, rsbac_uid_t owner) { /* count call, but not for SEARCH request */ if(request != R_SEARCH) nr_set_attr_calls++; return 0; } static rsbac_boolean_t need_overwrite_func (struct dentry * dentry_p) { nr_need_overwrite_calls++; return FALSE; } static int write_func(rsbac_boolean_t need_lock) { int res=0; if(need_lock) lock_kernel(); if(!write_info()) res = 1; if(need_lock) unlock_kernel(); return(res); } static int syscall_func (void * arg) { nr_system_calls++; system_call_arg = arg; return nr_system_calls; } /**** Init ****/ int init_module(void) { struct rsbac_reg_entry_t entry; struct rsbac_reg_syscall_entry_t syscall_entry; if(!handle) handle = 123457; if(!syscall_registration_handle) syscall_registration_handle = 754321; if(!syscall_dispatcher_handle) syscall_dispatcher_handle = 2; rsbac_printk(KERN_INFO "RSBAC REG decision module sample 2: Initializing.\n"); /* clearing registration entries */ memset(&entry, 0, sizeof(entry)); memset(&syscall_entry, 0, sizeof(syscall_entry)); if((dummy_buf[0] != 'T') || (dummy_buf2[0] != 'T')) { rsbac_printk(KERN_WARNING "RSBAC REG decision module sample 2: Not loaded due to invalid param string.\n"); return -ENOEXEC; } if(name) { strncpy(entry.name, 
name, RSBAC_REG_NAME_LEN); entry.name[RSBAC_REG_NAME_LEN] = 0; } else strcpy(entry.name, "RSBAC REG sample 2 ADF module"); rsbac_printk(KERN_INFO "RSBAC REG decision module sample 2: REG Version: %u, Name: %s, Handle: %li\n", RSBAC_REG_VERSION, entry.name, handle); entry.handle = handle; entry.request_func = request_func; entry.set_attr_func = set_attr_func; entry.need_overwrite_func = need_overwrite_func; entry.write_func = write_func; entry.switch_on = TRUE; rsbac_printk(KERN_INFO "RSBAC REG decision module sample 2: Registering to ADF.\n"); if(rsbac_reg_register(RSBAC_REG_VERSION, entry) < 0) { rsbac_printk(KERN_WARNING "RSBAC REG decision module sample 2: Registering failed. Unloading.\n"); return -ENOEXEC; } if(syscall_name) { strncpy(syscall_entry.name, syscall_name, RSBAC_REG_NAME_LEN); syscall_entry.name[RSBAC_REG_NAME_LEN] = 0; } else strcpy(syscall_entry.name, "RSBAC REG sample 2 syscall"); rsbac_printk(KERN_INFO "RSBAC REG decision module sample 2: REG Version: %u, Name: %s, Dispatcher Handle: %li\n", RSBAC_REG_VERSION, syscall_entry.name, syscall_dispatcher_handle); syscall_entry.registration_handle = syscall_registration_handle; syscall_entry.dispatcher_handle = syscall_dispatcher_handle; syscall_entry.syscall_func = syscall_func; rsbac_printk(KERN_INFO "RSBAC REG decision module sample 2: Registering syscall.\n"); syscall_registration_handle = rsbac_reg_register_syscall(RSBAC_REG_VERSION, syscall_entry); if(syscall_registration_handle < 0) { rsbac_printk(KERN_WARNING "RSBAC REG decision module sample 2: Registering syscall failed. 
Unloading.\n"); if(rsbac_reg_unregister(handle)) { rsbac_printk(KERN_ERR "RSBAC REG decision module sample 2: Unregistering failed - beware of possible system failure!\n"); } return -ENOEXEC; } if(read_info()) { rsbac_printk(KERN_WARNING "RSBAC REG decision module sample 2: Could not read info from previous session.\n"); } #if defined(CONFIG_RSBAC_PROC) proc_reg_sample_p = create_proc_entry(PROC_NAME, S_IFREG | S_IRUGO, proc_rsbac_root_p); if(!proc_reg_sample_p) { rsbac_printk(KERN_WARNING "%s: Not loaded due to failed proc entry registering.\n", name); if(rsbac_reg_unregister_syscall(syscall_registration_handle)) { rsbac_printk(KERN_ERR "RSBAC REG decision module sample 2: Unregistering syscall failed - beware of possible system failure!\n"); } if(rsbac_reg_unregister(handle)) { rsbac_printk(KERN_ERR "RSBAC REG decision module sample 2: Unregistering from ADF failed - beware of possible system failure!\n"); } return -ENOEXEC; } proc_reg_sample_p->get_info = adf_sample_proc_info; #endif rsbac_printk(KERN_INFO "RSBAC REG decision module sample 2: Loaded.\n"); return 0; } void cleanup_module(void) { rsbac_printk(KERN_INFO "RSBAC REG decision module sample 2: Unregistering.\n"); #if defined(CONFIG_RSBAC_PROC) remove_proc_entry(PROC_NAME, proc_rsbac_root_p); #endif if(write_info()) { rsbac_printk(KERN_WARNING "RSBAC REG decision module sample 2: Could not save info for next session.\n"); } if(rsbac_reg_unregister_syscall(syscall_registration_handle)) { rsbac_printk(KERN_ERR "RSBAC REG decision module sample 2: Unregistering syscall failed - beware of possible system failure!\n"); } if(rsbac_reg_unregister(handle)) { rsbac_printk(KERN_ERR "RSBAC REG decision module sample 2: Unregistering module failed - beware of possible system failure!\n"); } rsbac_printk(KERN_INFO "RSBAC REG decision module sample 2: Unloaded.\n"); } rsbac-admin-1.4.0/main/tools/examples/reg/reg_syscall.c0000644000175000017500000000214311131371033022665 0ustar gauvaingauvain#include #include 
#include #include #include #include #include int main(int argc, char ** argv) { int res = 0; long handle; char * progname; int verbose = 0; progname = argv[0]; if ((argc > 1) && (!strcmp("-v",argv[1])) ) { verbose=1; argv++; argc--; } if (argc >= 3) { handle=strtol(argv[1],0,10); if(verbose) { printf("%s: calling REG syscall with handle %li and\narg pointer %p (string '%s')\n", progname, handle, argv[2], argv[2]); } res = rsbac_reg(handle, argv[2]); if(res<0) fprintf(stderr, "Error: %i, errno: %i\n", res, errno); else if(verbose) printf("%i syscalls until now\n", res); return res; } else { printf("%s (RSBAC)\n***\n", argv[0]); printf("Use: %s [-v] handle string\n", progname); printf("This program calls sys_rsbac_reg() with handle handle and parameter string\n"); printf(" -v = verbose\n"); } return (res); } rsbac-admin-1.4.0/main/tools/examples/reg/reg_sample3.c0000644000175000017500000003422111131371033022561 0ustar gauvaingauvain/* * RSBAC REG decision module sample * * Author and (c) 1999-2005 Amon Ott */ /* general stuff */ #include #include #include #include /* for (un)lock_kernel() */ #include #include #include /* for file access */ #include #include /* rsbac */ #include #include #include #include #include #include #include #include static u_long nr_request_calls = 0; #define ORD_request 1 static u_long nr_set_attr_calls = 0; #define ORD_set_attr 2 static u_long nr_need_overwrite_calls = 0; #define ORD_overwrite 3 static u_long nr_write_calls = 0; #define ORD_write 4 static u_long nr_system_calls = 0; #define ORD_syscall 5 static void * system_call_arg = 0; MODULE_AUTHOR("Amon Ott"); MODULE_DESCRIPTION("RSBAC REG sample decision module 3"); MODULE_LICENSE("GPL"); #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) static char * name = NULL; static char * syscall_name = NULL; static u_int listkey = 133457; static long handle = 133457; static long syscall_registration_handle = 754331; static long syscall_dispatcher_handle = 3; module_param(name, charp, 0000); 
MODULE_PARM_DESC(name, "Name"); module_param(syscall_name, charp, 0000); MODULE_PARM_DESC(syscall_name, "Syscall name"); module_param(listkey, int, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); MODULE_PARM_DESC(listkey, "List key"); module_param(handle, long, S_IRUSR); MODULE_PARM_DESC(handle, "Handle"); module_param(syscall_registration_handle, long, S_IRUSR); MODULE_PARM_DESC(syscall_registration_handle, "Syscall registration handle"); module_param(syscall_dispatcher_handle, long, S_IRUSR); MODULE_PARM_DESC(syscall_dispatcher_handle, "Syscall dispatcher handle"); #else MODULE_PARM(name, "s"); static char * name = NULL; static char dummy_buf[70]="To protect against wrong insmod params"; MODULE_PARM(syscall_name, "s"); static char * syscall_name = NULL; static char dummy_buf2[70]="To protect against wrong insmod params"; MODULE_PARM(listkey, "l"); static u_int listkey = 133457; MODULE_PARM(handle, "l"); static long handle = 133457; MODULE_PARM(syscall_registration_handle, "l"); static long syscall_registration_handle = 754331; MODULE_PARM(syscall_dispatcher_handle, "l"); static long syscall_dispatcher_handle = 3; #endif /* Filename for persistent data in /rsbac dir of ROOT_DEV (max 7 chars) */ #define FILENAME "regsmp3" /* Version number for on disk data structures */ #define LIST_VERSION 1 static rsbac_list_handle_t list_handle; /* PROC functions */ #if defined(CONFIG_RSBAC_PROC) #define PROC_NAME "reg_sample3" static struct proc_dir_entry * proc_reg_sample_p; static int adf_sample_proc_info(char *buffer, char **start, off_t offset, int length) { int len = 0; off_t pos = 0; off_t begin = 0; union rsbac_target_id_t rsbac_target_id; union rsbac_attribute_value_t rsbac_attribute_value; if (!rsbac_is_initialized()) return (-ENOSYS); rsbac_target_id.scd = ST_rsbac; rsbac_attribute_value.dummy = 0; if (!rsbac_adf_request(R_GET_STATUS_DATA, current->pid, T_SCD, rsbac_target_id, A_none, rsbac_attribute_value)) { return -EPERM; } len += sprintf(buffer, "RSBAC REG decision module 
sample 3\n----------------------------------\n"); pos = begin + len; if (pos < offset) { len = 0; begin = pos; } if (pos > offset+length) goto out; len += sprintf(buffer + len, "%lu calls to request function.\n", nr_request_calls); pos = begin + len; if (pos < offset) { len = 0; begin = pos; } if (pos > offset+length) goto out; len += sprintf(buffer + len, "%lu calls to set_attr function.\n", nr_set_attr_calls); pos = begin + len; if (pos < offset) { len = 0; begin = pos; } if (pos > offset+length) goto out; len += sprintf(buffer + len, "%lu calls to need_overwrite function.\n", nr_need_overwrite_calls); pos = begin + len; if (pos < offset) { len = 0; begin = pos; } if (pos > offset+length) goto out; len += sprintf(buffer + len, "%lu calls to write function.\n", nr_write_calls); pos = begin + len; if (pos < offset) { len = 0; begin = pos; } if (pos > offset+length) goto out; len += sprintf(buffer + len, "%lu calls to system_call function %lu, last arg was %p.\n", nr_system_calls, syscall_dispatcher_handle, system_call_arg); pos = begin + len; if (pos < offset) { len = 0; begin = pos; } if (pos > offset+length) goto out; len += sprintf(buffer + len, "%li list items.\n", rsbac_list_count(list_handle)); pos = begin + len; if (pos < offset) { len = 0; begin = pos; } if (pos > offset+length) goto out; out: *start = buffer + (offset - begin); len -= (offset - begin); if (len > length) len = length; return len; } #endif /* CONFIG_RSBAC_PROC */ /**** List helper functions ****/ static int compare(void * desc1, void * desc2) { return memcmp((u_int *) desc1, (u_int *) desc2, sizeof(u_int) ); } /* static rsbac_list_conv_function_t * get_conv(rsbac_version_t version) { return compare; } */ /**** Decision Functions ****/ static int request_func ( enum rsbac_adf_request_t request, rsbac_pid_t owner_pid, enum rsbac_target_t target, union rsbac_target_id_t tid, enum rsbac_attribute_t attr, union rsbac_attribute_value_t attr_val, rsbac_uid_t owner) { /* count call, but not for 
SEARCH request */ if(request != R_SEARCH) { __u32 ord = ORD_request; nr_request_calls++; rsbac_list_add(list_handle, &ord, &nr_request_calls); } return GRANTED; } static int set_attr_func ( enum rsbac_adf_request_t request, rsbac_pid_t owner_pid, enum rsbac_target_t target, union rsbac_target_id_t tid, enum rsbac_target_t new_target, union rsbac_target_id_t new_tid, enum rsbac_attribute_t attr, union rsbac_attribute_value_t attr_val, rsbac_uid_t owner) { __u32 ord = ORD_set_attr; /* count call, but not for SEARCH request */ if(request != R_SEARCH) { nr_set_attr_calls++; rsbac_list_add(list_handle, &ord, &nr_set_attr_calls); } return 0; } static rsbac_boolean_t need_overwrite_func (struct dentry * dentry_p) { __u32 ord = ORD_overwrite; nr_need_overwrite_calls++; rsbac_list_add(list_handle, &ord, &nr_need_overwrite_calls); return FALSE; } static int write_func(rsbac_boolean_t need_lock) { __u32 ord = ORD_write; nr_write_calls++; rsbac_list_add(list_handle, &ord, &nr_write_calls); return(0); } static int syscall_func (void * arg) { __u32 ord = ORD_syscall; nr_system_calls++; system_call_arg = arg; rsbac_list_add(list_handle, &ord, &nr_system_calls); return nr_system_calls; } /**** Init ****/ int init_module(void) { struct rsbac_reg_entry_t entry; struct rsbac_reg_syscall_entry_t syscall_entry; struct rsbac_list_info_t list_info; __u32 ord; if(!listkey) listkey = 133457; if(!handle) handle = 133457; if(!syscall_registration_handle) syscall_registration_handle = 754331; if(!syscall_dispatcher_handle) syscall_dispatcher_handle = 3; rsbac_printk(KERN_INFO "RSBAC REG decision module sample 3: Initializing.\n"); /* clearing registration entries */ memset(&entry, 0, sizeof(entry)); memset(&syscall_entry, 0, sizeof(syscall_entry)); #if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,0) if((dummy_buf[0] != 'T') || (dummy_buf2[0] != 'T')) { rsbac_printk(KERN_WARNING "RSBAC REG decision module sample 3: Not loaded due to invalid param string.\n"); return -ENOEXEC; } #endif /* Register 
a generic list */ list_info.version = LIST_VERSION; list_info.key = listkey; list_info.desc_size = sizeof(__u32); list_info.data_size = sizeof(nr_request_calls); list_info.max_age = 3600; /* 1h */ if(rsbac_list_register(RSBAC_LIST_VERSION, &list_handle, &list_info, RSBAC_LIST_PERSIST | RSBAC_LIST_BACKUP, compare, NULL, NULL, FILENAME, 0)) { rsbac_printk(KERN_WARNING "RSBAC REG decision module sample 3: Registering list failed. Unloading.\n"); return -ENOEXEC; } rsbac_printk(KERN_INFO "RSBAC REG decision module sample 3: List Version: %u, Name: %s, Handle: %p, Key: %u\n", RSBAC_LIST_VERSION, FILENAME, list_handle, listkey); ord = ORD_request; if(rsbac_list_exist(list_handle, &ord)) rsbac_list_get_data(list_handle, &ord, &nr_request_calls); ord = ORD_set_attr; if(rsbac_list_exist(list_handle, &ord)) rsbac_list_get_data(list_handle, &ord, &nr_set_attr_calls); ord = ORD_overwrite; if(rsbac_list_exist(list_handle, &ord)) rsbac_list_get_data(list_handle, &ord, &nr_need_overwrite_calls); ord = ORD_write; if(rsbac_list_exist(list_handle, &ord)) rsbac_list_get_data(list_handle, &ord, &nr_write_calls); ord = ORD_syscall; if(rsbac_list_exist(list_handle, &ord)) rsbac_list_get_data(list_handle, &ord, &nr_system_calls); /* Register to ADF */ if(name) { strncpy(entry.name, name, RSBAC_REG_NAME_LEN); entry.name[RSBAC_REG_NAME_LEN] = 0; } else strcpy(entry.name, "RSBAC REG sample 3 ADF module"); rsbac_printk(KERN_INFO "RSBAC REG decision module sample 3: REG Version: %u, Name: %s, Handle: %li\n", RSBAC_REG_VERSION, entry.name, handle); entry.handle = handle; entry.request_func = request_func; entry.set_attr_func = set_attr_func; entry.need_overwrite_func = need_overwrite_func; entry.write_func = write_func; entry.switch_on = TRUE; rsbac_printk(KERN_INFO "RSBAC REG decision module sample 3: Registering to ADF.\n"); if(rsbac_reg_register(RSBAC_REG_VERSION, entry) < 0) { rsbac_printk(KERN_WARNING "RSBAC REG decision module sample 3: Registering failed. 
Unloading.\n"); if(rsbac_list_detach(&list_handle, listkey)) rsbac_printk(KERN_WARNING "RSBAC REG decision module sample 3: Unregistering list failed - beware!\n"); return -ENOEXEC; } if(syscall_name) { strncpy(syscall_entry.name, syscall_name, RSBAC_REG_NAME_LEN); syscall_entry.name[RSBAC_REG_NAME_LEN] = 0; } else strcpy(syscall_entry.name, "RSBAC REG sample 3 syscall"); rsbac_printk(KERN_INFO "RSBAC REG decision module sample 3: REG Version: %u, Name: %s, Dispatcher Handle: %li\n", RSBAC_REG_VERSION, syscall_entry.name, syscall_dispatcher_handle); syscall_entry.registration_handle = syscall_registration_handle; syscall_entry.dispatcher_handle = syscall_dispatcher_handle; syscall_entry.syscall_func = syscall_func; rsbac_printk(KERN_INFO "RSBAC REG decision module sample 3: Registering syscall.\n"); syscall_registration_handle = rsbac_reg_register_syscall(RSBAC_REG_VERSION, syscall_entry); if(syscall_registration_handle < 0) { rsbac_printk(KERN_WARNING "RSBAC REG decision module sample 3: Registering syscall failed. 
Unloading.\n"); if(rsbac_reg_unregister(handle)) { rsbac_printk(KERN_ERR "RSBAC REG decision module sample 3: Unregistering failed - beware of possible system failure!\n"); } if(rsbac_list_detach(&list_handle, listkey)) rsbac_printk(KERN_WARNING "RSBAC REG decision module sample 3: Unregistering list failed - beware!\n"); return -ENOEXEC; } #if defined(CONFIG_RSBAC_PROC) proc_reg_sample_p = create_proc_entry(PROC_NAME, S_IFREG | S_IRUGO, proc_rsbac_root_p); if(!proc_reg_sample_p) { rsbac_printk(KERN_WARNING "%s: Not loaded due to failed proc entry registering.\n", name); if(rsbac_reg_unregister_syscall(syscall_registration_handle)) { rsbac_printk(KERN_ERR "RSBAC REG decision module sample 3: Unregistering syscall failed - beware of possible system failure!\n"); } if(rsbac_reg_unregister(handle)) { rsbac_printk(KERN_ERR "RSBAC REG decision module sample 3: Unregistering from ADF failed - beware of possible system failure!\n"); } if(rsbac_list_detach(&list_handle, listkey)) rsbac_printk(KERN_WARNING "RSBAC REG decision module sample 3: Unregistering list failed - beware!\n"); return -ENOEXEC; } proc_reg_sample_p->get_info = adf_sample_proc_info; #endif rsbac_printk(KERN_INFO "RSBAC REG decision module sample 3: Loaded.\n"); return 0; } void cleanup_module(void) { rsbac_printk(KERN_INFO "RSBAC REG decision module sample 3: Unregistering.\n"); #if defined(CONFIG_RSBAC_PROC) remove_proc_entry(PROC_NAME, proc_rsbac_root_p); #endif if(rsbac_reg_unregister_syscall(syscall_registration_handle)) { rsbac_printk(KERN_ERR "RSBAC REG decision module sample 3: Unregistering syscall failed - beware of possible system failure!\n"); } if(rsbac_reg_unregister(handle)) { rsbac_printk(KERN_ERR "RSBAC REG decision module sample 3: Unregistering module failed - beware of possible system failure!\n"); } if(rsbac_list_detach(&list_handle, listkey)) rsbac_printk(KERN_WARNING "RSBAC REG decision module sample 3: Unregistering list failed - beware!\n"); rsbac_printk(KERN_INFO "RSBAC REG 
decision module sample 3: Unloaded.\n"); } rsbac-admin-1.4.0/main/tools/examples/reg/Makefile0000644000175000017500000000361211131371033021654 0ustar gauvaingauvain# # Makefile for rsbac decision module example. # # Author and (c) 1999-2005 Amon Ott # # Set this to your kernel directory # comment out, if kernel is not SMP or has no MODVERSIONS #SMP=1 #MODVERSIONS=1 DESTDIR := PREFIX := $(DESTDIR)/usr/local # comment out, if RSBAC kernel has no PROC support CONFIG_RSBAC_PROC := 1 KERN := /lib/modules/`uname -r`/ KERNSOURCE := $(KERN)/source MODDIR := $(KERN)/misc KERNVER := $(shell uname -r|cut -d "." -f1,2) PWD := $(shell pwd) # set this to your bin dir BINDIR := $(PREFIX)/bin # ----- nothing should be changed below ----- #HELPPATH = $(KERNELDIR)/rsbac/help CC := gcc CFLAGS := -O2 -DCONFIG_RSBAC SFLAGS := -lrsbac MFLAGS := -D__KERNEL__ -DMODULE -DCONFIG_RSBAC_REG CFLAGS += -I$(PREFIX)/include -I/usr/include -I $(KERNSOURCE)/include ifdef SMP MFLAGS +=-D__SMP__ endif ifdef MODVERSIONS MFLAGS += -DMODVERSIONS MFLAGS += -include -I$(PREFIX)/include/linux/modversions.h \ -I/usr/include/linux/modversions.h endif ifdef CONFIG_RSBAC_PROC MFLAGS +=-DCONFIG_RSBAC_PROC endif obj-m := reg_sample1.o reg_sample3.o MODULES := reg_sample1.o reg_sample3.o PROG := reg_syscall LIBS := all : ifeq ($(KERNVER), 2.4) set -e for i in $(PROGS) ; do $(MAKE) CFLAGS="$(CFLAGS) $(SFLAGS)" $$i ; done for i in $(MODULES) ; do $(MAKE) CFLAGS="$(CFLAGS) $(MFLAGS)" $$i ; done else @make -C $(KERNSOURCE) SUBDIRS=$(PWD) modules endif gcc $(CFLAGS) $(SFLAGS) reg_syscall.c -o $(PROG) install : $(MODULES) $(PROG) -bash -c "if test ! -d $(MODDIR) ; then mkdir $(MODDIR) ; fi" install -m 644 $(MODULES) $(MODDIR) -depmod -a -bash -c "if test ! 
-d $(BINDIR) ; then mkdir $(BINDIR) ; fi" install -m 644 $(PROG) $(BINDIR) uninstall : -bash -c "cd $(MODDIR) && rm $(MODULES)" -bash -c "cd $(BINDIR) && rm $(PROG)" clean : ifeq ($(KERNVER), 2.4) rm -f $(MODULES) $(PROG) else @make -C $(KERNSOURCE) SUBDIRS=$(PWD) clean endif rsbac-admin-1.4.0/main/tools/examples/acl/0000755000175000017500000000000011131371033020174 5ustar gauvaingauvainrsbac-admin-1.4.0/main/tools/examples/acl/acl_backup_all0000755000175000017500000000064111131371033023037 0ustar gauvaingauvain#!/bin/bash acl_tlist -br FD :DEFAULT: / acl_tlist -br DEV :DEFAULT: /dev acl_tlist -br IPC :DEFAULT: acl_tlist -br SCD :DEFAULT: `acl_tlist -n` acl_tlist -br PROCESS :DEFAULT: acl_tlist -br NETDEV :DEFAULT: ALLTEMP=`net_temp list_temp_nr` acl_tlist -br NETTEMP_NT :DEFAULT: $ALLTEMP acl_tlist -br NETTEMP $ALLTEMP acl_tlist -br NETOBJ :DEFAULT: acl_mask -br FD / acl_mask -br DEV /dev acl_mask -b SCD `acl_tlist -n` rsbac-admin-1.4.0/main/tools/examples/acl/acl_backup_my_groups0000755000175000017500000000020511131371033024307 0ustar gauvaingauvain#/bin/sh acl_group -b list_groups for i in `acl_group -s list_groups|cut -d ' ' -f 1` do acl_group -b -n get_group_members $i done rsbac-admin-1.4.0/main/tools/examples/acl/acl_remove_all_fd_entries_for_user.sh0000755000175000017500000000014411131371033027604 0ustar gauvaingauvain#!/bin/sh if test -z $1 then echo Use: $0 user ; exit 1 fi acl_grant_fd -mvr USER $1 FD :DEFAULT: / rsbac-admin-1.4.0/main/tools/INSTALL0000644000175000017500000000237711131371031016657 0ustar gauvaingauvainRSBAC Tools Installation ------------------------ Prerequisites: ------------- You need to have thoses packages before you can continue: - make - gcc - binutils - coreutils - libc-dev - findutils - dialog This list is non-exhaustive and you might need other packages, depending on your operating system. Installation: ------------ * The quick, simple way: $ make then, Change privileges to a user who can install files (e.g. 
root) $ make install To clean the build files: $ make clean To restore the original package state before any compilation: $ make distclean * Options: It is possible to change compilation directives, like the compiler used, the flags used, the destination directories, and so on. To get a complete list of thoses variables, run: $ make -p For example, to change some compilation flags: $ make CFLAGS="-O3 -march=opteron" For Sparc, you will need to compile with: $ make CFLAGS="-mcpu=ultrasparc" This package also adds special variables which you can change depending on your needs. - NLS: NLS is enabled by default. To disable: $ make NLS=0 Please see the ``README' file provided in this directory for more information about NLS and languages. Note: disabling NLS will effectively disable Gettext. rsbac-admin-1.4.0/main/tools/Makefile0000644000175000017500000001100311131371033017252 0ustar gauvaingauvain#!/usr/bin/make -f # Licensed under the terms of the GPLv2 # Guillaume Destuynder # # Configuration # VERSION := 1.4.0 PACKAGE := rsbac-tools INSTALL := install MSGFMT := msgfmt STRIP := strip CC := gcc GZIP := gzip CP := cp ECHO := $(shell which echo) ifeq ($(ECHO),) ECHO := echo endif DESTDIR := PREFIX := /usr/local LOCALEDIR := $(PREFIX)/share/locale DIR_PO := de ru fr DIR_DOC := $(PREFIX)/share/doc/$(PACKAGE)-$(VERSION) DIR_MAN := $(PREFIX)/share/man/man1 DIR_BIN := $(PREFIX)/bin DIR_RBIN := /bin NLS := 1 CFLAGS := -fPIC -O2 -fomit-frame-pointer CFLAGS += -Isrc -I../headers -I/usr/include -I/usr/local/include \ -I$(PREFIX)/include LDFLAGS := DEFINES := -DPACKAGE=\"$(PACKAGE)\" \ -DVERSION=\"$(VERSION)\" \ -DLOCALEDIR=\"$(LOCALEDIR)\" \ -DENABLE_NLS=$(NLS) LIBS := -L../libs/.libs -L$(PREFIX)/lib -lrsbac QUIET := > /dev/null 2>&1 include module.mk FILES_MAN := $(wildcard man/*1) FILES_PO := $(wildcard po/*.po) DIR_EXAMPLE := examples # # Nice make. Use make VERBOSE=1 to verbose compilation. 
# ifneq ($(VERBOSE), 1) .SILENT: E = @$(ECHO) -e " " else QUIET = E = @: endif # # Targets # all: $(FILES_TOOLS:.c=) $(FILES_PO:.po=.mo) $(FILES_TOOLS:.c=): % : %.c $(E) "CC\t\t$@" $(CC) $(CFLAGS) $(LDFLAGS) $(DEFINES) $(LIBS) $@.c -o $@ $(FILES_PO:.po=.mo): $(FILES_PO) ifeq ($(NLS), 1) $(foreach f, $(FILES_PO), $(ECHO) -e " PO\t\t$(f)"; \ $(MSGFMT) -o $(f:.po=.mo) $(f);) else @touch $@ endif clean: $(foreach f, $(FILES_TOOLS:.c=), $(ECHO) -e " CLEAN\t\t$(f)"; \ rm -f $(f);) $(E) "CLEAN\t\t$(FILES_PO:.po=.mo)" rm -f $(FILES_PO:.po=.mo) distclean: clean $(E) "CLEAN\t\t$(FILES_PO:.po=.po~)" rm -f $(FILES_PO:.po=.po~) $(E) "CLEAN\t\t$(FILES_MAN:.1=.1.gz)" rm -f $(FILES_MAN:.1=.1.gz) install: all $(E) "INTO\t\t$(DESTDIR) ($(PREFIX))" $(E) "DIR\t\t$(DIR_BIN) $(DIR_MAN) $(DIR_DOC) $(DIR_RBIN)" $(INSTALL) -d $(DESTDIR)/$(DIR_BIN) $(DESTDIR)/$(DIR_MAN) $(DESTDIR)/$(DIR_DOC) $(DESTDIR)/$(DIR_RBIN) ifeq ($(NLS), 1) $(E) "DIR\t\t$(LOCALEDIR)" $(foreach f, $(DIR_PO), $(INSTALL) -d $(DESTDIR)/$(LOCALEDIR)/$(f)/LC_MESSAGES; \ $(INSTALL) -d $(DESTDIR)/$(LOCALEDIR)/$(f)/LC_TIME;) $(E) "INSTALL\t$(DIR_PO)" $(foreach f, $(DIR_PO), \ $(INSTALL) -m644 po/$(f).mo \ $(DESTDIR)/$(LOCALEDIR)/$(f)/LC_MESSAGES/$(PACKAGE).mo; \ $(INSTALL) -m644 po/$(f).mo \ $(DESTDIR)/$(LOCALEDIR)/$(f)/LC_MESSAGES/$(PACKAGE)-$(VERSION).mo;) endif # /bin $(foreach f, $(PROGS_BIN), $(ECHO) -e " INSTALL\t$(f)"; \ $(INSTALL) -m755 $(f) $(DESTDIR)/$(DIR_RBIN);) # /usr/bin $(foreach f, $(PROGS_USR_BIN), $(ECHO) -e " INSTALL\t$(f)"; \ $(INSTALL) -m755 $(f) $(DESTDIR)/$(DIR_BIN);) $(foreach f, $(FILES_MAN), $(ECHO) -e " GZIP\t\t$(f)"; \ $(GZIP) -9c $(f) > $(f:.1=.1.gz);) $(foreach f, $(FILES_MAN:.1=.1.gz), $(ECHO) -e " INSTALL\t$(f)"; \ $(INSTALL) -m 644 $(f) $(DESTDIR)/$(DIR_MAN);) $(E) "INSTALL\t\tAUTHORS INSTALL README COPYING Changes" $(INSTALL) -m644 AUTHORS INSTALL README COPYING Changes $(DESTDIR)/$(DIR_DOC) $(E) "INSTALL\t\t $(DIR_EXAMPLE)" $(CP) -r $(DIR_EXAMPLE) $(DESTDIR)/$(DIR_DOC) install-strip: install 
$(foreach f, $(subst scripts/,,$(subst src/,,$(PROGRAMS))), $(ECHO) -e " STRIP\t\t$(f)"; \ $(STRIP) -s $(DESTDIR)/$(DIR_BIN)/$(f);) \ $(foreach f, $(subst scripts/,,$(subst src/,,$(PROGS_BIN))), $(ECHO) -e " STRIP\t\t$(f)"; \ $(STRIP) -s $(DESTDIR)/$(DIR_RBIN)/$(f);) uninstall: ifeq ($(NLS), 1) $(foreach f, $(DIR_PO), $(ECHO) -e " UNINSTALL\t$(f)"; rm -f po/$(f).mo \ $(DESTDIR)/$(LOCALEDIR)/$(f)/LC_MESSAGES/$(PACKAGE).mo;) endif # /bin $(foreach f, $(subst scripts/,,$(subst src/,,$(PROGS_BIN))), $(ECHO) -e " UNINSTALL\t$(f)"; \ rm -f $(DESTDIR)/$(DIR_RBIN)/$(f);) # /usr/bin $(foreach f, $(subst scripts/,,$(subst src/,,$(PROGS_USR_BIN))), $(ECHO) -e " UNINSTALL\t$(f)"; \ rm -f $(DESTDIR)/$(DIR_BIN)/$(f);) $(E) "UNINSTALL\t$(FILES_MAN)" rm -f $(DESTDIR)/$(DIR_MAN)/$(FILES_MAN) # # gettext translation stuff # # Re-create the messages.po file nls-messages: $(E) "XGETTEXT\t\tGenerating po/messages.tpo" xgettext -p po -o messages.tpo src/*.c # Merges translations nls-merge-keep: $(FILES_PO) $(foreach f, $(FILES_PO), $(ECHO) -e " MSGMERGE\t\tMerging $(f)"; \ msgmerge -o $(f).new $(f) po/messages.tpo $(QUIET);) $(E) "MSGMERGE\t\tGenerated: $(FILES_PO:.po=.po.new)" nls-merge-update: $(FILES_PO) $(foreach f, $(FILES_PO), $(ECHO) -e " MSGMERGE\t\tMerging $(f)"; \ msgmerge -U $(f) po/messages.tpo $(QUIET);) $(E) "MSGMERGE\t\tUpdated: $(FILES_PO)" .PHONY: all clean distclean uninstall install nls-messages rsbac-admin-1.4.0/main/tools/man/0000755000175000017500000000000011131371033016372 5ustar gauvaingauvainrsbac-admin-1.4.0/main/tools/man/rc_copy_role.10000644000175000017500000000164611131371033021142 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. 
.TH "RC_COPY_ROLE" 1 "May 2003" "Rule Set Based Access Control" "rc_copy_role" .SH NAME rc_copy_role \- copy one RC role with all settings into another .SH "SYNOPSIS" .ad l .hy 0 .HP 16 \fBrc_copy_role\fR {\fBfrom_role\fR} {\fBto_role\fR} .ad .hy .SH "DESCRIPTION" .PP During RC module administration, this command allows you to copy an existing role with all its associated rights\&. This functionality is useful to e\&.g\&. split one role into two, or to create testing\&. .PP To be secure, test your configurations with different role numbers and use \fIrc_copy_role\fR to copy (create) them, if necessary\&. .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/attr_set_process.10000644000175000017500000000232611131371033022042 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. .TH "ATTR_SET_PROCESS" 1 "May 2003" "Rule Set Based Access Control" "attr_set_process" .SH NAME attr_set_process \- set RSBAC attributes on the selected process .SH "SYNOPSIS" .ad l .hy 0 .HP 17 \fBattr_set_process\fR [\fB\-pamA\fR] {\fBmodule\fR} {\fBprocess\-id\fR} {\fBattribute\fR} {\fBvalue\fR} .ad .hy .SH "DESCRIPTION" .PP If you want to change RSBAC attribute on some process, you may use \fIattr_set_process\fR utility\&. Check appropriate documentation about possible attributes and values for module you want to administrate or use \fB\-A\fR option to see full list\&. .SH "OPTIONS" .TP \fB\-p\fR Print resulting request names\&. .TP \fB\-a\fR Add, not set\&. This is useful for attributes like process' MAC category\&. .TP \fB\-m\fR Remove, not set .TP \fB\-A\fR list attributes and values .TP \fBmodule\fR One of the possible RSBAC modules, e\&.g\&., GEN, MAC, FC, SIM, PM, MS, FF, RC or AUTH\&. .SH AUTHOR Amon Ott . 
rsbac-admin-1.4.0/main/tools/man/attr_rm_fd.10000644000175000017500000000205311131371033020575 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. .TH "ATTR_RM_FD" 1 "May 2003" "Rule Set Based Access Control" "attr_rm_fd" .SH NAME attr_rm_fd \- remove (reset into default values) all RSBAC attributes of file or directory .SH "SYNOPSIS" .ad l .hy 0 .HP 11 \fBattr_rm_fd\fR [\fB\-vr\fR] {\fBtarget\-type\fR} [\fBfile/dirname\fR] .ad .hy .SH "DESCRIPTION" .PP Remove (reset into default values) all attributes of selected file or directory\&. It is very useful to run this utility after \fBuserdel\fR command to get rid of old settings\&. .SH "OPTIONS" .PP .TP \fB\-v\fR verbose output .TP \fB\-r\fR recurse into subdirs .TP \fBtarget\-type\fR Valid RSBAC target type, one of the: FILE, DIR, FIFO, SYMLINK, DEV or FD (FD: lets program decide between FILE, DIR, FIFO and SYMLINK, no DEV) .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/rc_role_wrap.10000644000175000017500000000165011131371033021134 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. .TH "RC_ROLE_WRAP" 1 "May 2003" "Rule Set Based Access Control" "rc_role_wrap" .SH NAME rc_role_wrap \- execute some program with different RC role .SH "SYNOPSIS" .ad l .hy 0 .HP 13 \fBrc_role_wrap\fR [\fB\-v\fR] {\fBnew_role\fR} {\fBprogram\fR} [\fBargs\fR] .ad .hy .SH "DESCRIPTION" .PP Sometimes, you need to run some program with different RC roles\&. 
Note that \fBnew_role\fR must be one of the compatible roles of the role requesting the change\&. .PP An RC force role or RC initial role attribute value on the executable file often provides a better solution\&. .SH "OPTIONS" .TP \fB\-v\fR verbose output .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/attr_get_user.10000644000175000017500000000310111131371033021316 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. .TH "ATTR_GET_USER" 1 "May 2003" "Rule Set Based Access Control" "attr_get_user" .SH NAME attr_get_user \- get RSBAC attributes of the selected user .SH "SYNOPSIS" .ad l .hy 0 .HP 17 \fBattr_get_user\fR [\fB\-enblcRa\fR] {\fBmodule\fR} {\fBuser\fR} {\fBattribute\fR} [\fBposition|request\-name\fR] .ad .hy .SH "DESCRIPTION" .PP If you want to get RSBAC attribute of some user, you may use \fIattr_get_user\fR utility\&. Check appropriate documentation about possible attributes and values for module you want to administrate or use \fB\-a\fR option to see full list\&. .SH "OPTIONS" .TP \fB\-e\fR show effective (maybe inherited) value, not real .TP \fB\-n\fR numeric value .TP \fB\-b\fR both names and numbers .TP \fB\-l\fR list all users .TP \fB\-c\fR list all Linux capabilities\&. This option is valid only for CAPS module .TP \fB\-R\fR list all RES resource names\&. This option is valid only for RES module .TP \fB\-a\fR list attributes and values .TP \fBmodule\fR one of the possible RSBAC modules, e\&.g\&., GEN, MAC, FC, SIM, PM, MS, FF, RC or AUTH .TP \fBmac_[min_]categories\fR has vector type\&. Works with additional parameter position: 0=no, 1=yes .TP \fBlog_user_based\fR has vector type\&. Works with additional parameter request\-name: 0=no, 1=yes .SH AUTHOR Amon Ott . 
rsbac-admin-1.4.0/main/tools/man/attr_back_fd.10000644000175000017500000000235211131371033021061 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. .TH "ATTR_BACK_FD" 1 "May 2003" "Rule Set Based Access Control" "attr_back_fd" .SH NAME attr_back_fd \- Backup RSBAC attributes from filesystem objects .SH "SYNOPSIS" .ad l .hy 0 .HP 13 \fBattr_back_fd\fR [\fB\-vrnmia\fR] [\fB\-o\fR\ \fItarget\-file\fR] [\fBfile/dirname(s)\fR] .ad .hy .SH "DESCRIPTION" .PP You should use \fIattr_back_fd\fR to backup RSBAC attributes of filesystem objects\&. This program should be called by a user with full attribute read access, e\&.g\&. root with all modules off\&. You can also create special settings (e\&.g\&. special role for RC) for modules you use in your system\&. Symlinks are not followed\&. .SH "OPTIONS" .TP \fB\-v\fR be verbose .TP \fB\-r\fR walk recursively into subdirs .TP \fB\-m\fR ignore ms_scanned .TP \fB\-i\fR use MAC non\-inherit values as default values .TP \fB\-o\fR \fItarget\-file\fR write to \fItarget\-file\fR, not stdout .TP \fB\-a\fR list attributes and values .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/rsbac_check.10000644000175000017500000000203411131371033020702 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. 
.TH "RSBAC_CHECK" 1 "May 2003" "Rule Set Based Access Control" "rsbac_check" .SH NAME rsbac_check \- trigger consistency checking .SH "SYNOPSIS" .ad l .hy 0 .HP 12 \fBrsbac_check\fR {\fBcorrect\fR} {\fBcheck_inode\fR} .ad .hy .SH "DESCRIPTION" .PP Request the data structures to be checked for consistency\&. This can also reduce list sizes, because unnecessary entries and those with negative time\-to\-live are deleted\&. It is advisable to run this command regularly, e\&.g\&. once per week\&. .SH "OPTIONS" .PP .TP \fBcorrect\fR correction mode: 0 \- do not correct errors, 1 \- correct errors, 2 \- correct more\&. .TP \fBcheck_inode\fR checking mode: 0 \- do not check inode numbers, 1 \- also check inode numbers\&. .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/rsbac_write.10000644000175000017500000000242111131371033020757 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. .TH "RSBAC_WRITE" 1 "May 2003" "Rule Set Based Access Control" "rsbac_write" .SH NAME rsbac_write \- request the modified data structures to be written to disk .SH "SYNOPSIS" .ad l .hy 0 .HP 12 \fBrsbac_write\fR .ad .hy .SH "DESCRIPTION" .PP RSBAC has two locations of ACI (Access Control information): on disks and in the computer's RAM\&. During system boot RSBAC ACI is read from disk and placed into appropriate data structures in kernel memory\&. When you change some attributes, you really make changes in RAM storage\&. RSBAC syncs modified data from RAM to disk every few seconds (2 secs by default, see kernel config)\&. So, you can lose your changes on some unexpected system damage\&. 
.PP Use \fBrsbac_write\fR, if you want to write the changed RSBAC attributes to disk immediately, or to get it written at all, if you disabled automatic writing in kernel config\&. Please note that the data will also be written when the respective filesystem gets umounted\&. .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/pm_create.10000644000175000017500000000165711131371033020424 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. .TH "PM_CREATE" 1 "May 2003" "Rule Set Based Access Control" "pm_create" .SH NAME pm_create \- create some files in a particular PM class .SH "SYNOPSIS" .ad l .hy 0 .HP 10 \fBpm_create\fR {\fBclass\fR} {\fBmode\fR} [\fBfilename(s)\fR] .ad .hy .SH "DESCRIPTION" .PP This program will create files with PM class \fBclass\fR and Linux access rights \fBmode\fR\&. Please note that in PM model, the create right depends on the desired class of the new object\&. .PP See appropriate RSBAC documentation for PM module details\&. .SH "OPTIONS" .TP \fBclass\fR number of the PM class .TP \fBmode\fR access rights of new files .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/rsbac_jail.10000644000175000017500000000315411131371033020550 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. 
.TH "RSBAC_JAIL" 1 "May 2003" "Rule Set Based Access Control" "rsbac_jail" .SH NAME rsbac_jail \- put program into RSBAC jail .SH "SYNOPSIS" .ad l .hy 0 .HP 11 \fBrsbac_jail\fR [\fB\-vilnrao\fR] {\fBpath\fR} {\fBIP\fR} {\fBprog\fR} [\fBargs\fR] .ad .hy .SH "DESCRIPTION" .PP All Linux kernels provide the chroot system call to confine a process in a subdirectory\&. Unfortunately, this does not protect the system from root processes, and it can be broken out of\&. The JAIL module extends the chroot system call functionality to provide a superset of the FreeBSD jail functionality (except individual kernel level hostnames)\&. .PP This program will put the process into a jail with chroot to \fIpath\fR, ip address \fIIP\fR and then execute \fIprog\fR with \fIargs\fR\&. .PP Each of the \fB\-i\fR, \fB\-l\fR, \fB\-n\fR, \fB\-r\fR and \fB\-o\fR options relaxes the confinement of the jail; enable only those the jailed program actually needs\&. .PP See appropriate RSBAC documentation for JAIL module details\&. .SH "OPTIONS" .TP \fB\-v\fR verbose program output .TP \fB\-i\fR allow access to IPC outside this jail .TP \fB\-l\fR allow jailed processes to change their rlimits .TP \fB\-n\fR allow all network families, not only UNIX and INET (IPv4) .TP \fB\-r\fR allow INET (IPv4) raw sockets (e\&.g\&. for ping) .TP \fB\-a\fR auto\-adjust INET any address 0\&.0\&.0\&.0 to jail address, if set .TP \fB\-o\fR additionally allow to/from remote INET (IPv4) address 127\&.0\&.0\&.1 .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/attr_set_fd.10000644000175000017500000000271711131371033020761 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. 
.TH "ATTR_SET_FD" 1 "May 2003" "Rule Set Based Access Control" "attr_set_fd" .SH NAME attr_set_fd \- set RSBAC attributes on the selected file or directory .SH "SYNOPSIS" .ad l .hy 0 .HP 12 \fBattr_set_fd\fR [\fB\-vrna\fR] [\fB\-V\fR\fIversion\fR] {\fBmodule\fR} {\fBtarget\-type\fR} {\fBvalue\fR} [\fBfile/dirname(s)\fR] .ad .hy .SH "DESCRIPTION" .PP If you want to change an RSBAC attribute of some file or directory, you may use the \fIattr_set_fd\fR utility\&. Check the appropriate documentation about possible attributes and values for the module you want to administrate, or use the \fB\-a\fR option to see the full list\&. Note that with \fB\-r\fR a single command changes the attribute on every object below the given directories, so check the value and the target list carefully before running it\&. .SH "OPTIONS" .TP \fB\-v\fR verbose output .TP \fB\-r\fR apply changes recursively to all subdirectories .TP \fB\-n\fR list all requests .TP \fB\-a\fR list attributes and values .TP \fB\-V\fR \fIversion\fR supply RSBAC integer \fIversion\fR number for upgrading .TP \fBmodule\fR One of the possible RSBAC modules, e\&.g\&., GEN, MAC, FC, SIM, PM, MS, FF, RC or AUTH\&. .TP \fBtarget\-type\fR One of the possible file object target types: FILE, DIR, FIFO, SYMLINK, DEV or FD\&. The FD target type lets the program decide between FILE, DIR, FIFO and SYMLINK, but never DEV\&. .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/acl_mask.10000644000175000017500000000262611131371033020234 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. .TH "ACL_MASK" 1 "May 2003" "Rule Set Based Access Control" "acl_mask" .SH NAME acl_mask \- View or set an object's mask for right inheritance .SH "SYNOPSIS" .ad l .hy 0 .HP 9 \fBacl_mask\fR [\fB\-vrpsbn\fR] [\fB\-V\fR\fIversion\fR] {\fBrights\fR} {\fBtarget\-type\fR} [\fBfile/dirname(s)\fR] .ad .hy .SH "DESCRIPTION" .PP Using this utility you can view or set an object's general ACL mask\&. 
.SH "OPTIONS" .TP \fB\-v\fR verbose output .TP \fB\-r\fR recurse into subdirs .TP \fB\-p\fR print right names .TP \fB\-s\fR set mask, not get .TP \fB\-b\fR backup mode .TP \fB\-n\fR list valid SCD names .TP \fB\-V\fR \fIversion\fR supply RSBAC integer \fIversion\fR number for upgrading .TP \fBrights\fR list of space\-separated right names (requests and ACL specials), also request groups: R (read requests), RW (read\-write), SY (system), SE (security), A (all) and S (ACL special rights) .TP \fBtarget\-type\fR One of the possible RSBAC target types: FILE, DIR, FIFO, SYMLINK, DEV, SCD, NETDEV, NETTEMP_NT, NETTEMP, NETOBJ or FD\&. (FD: lets the program decide between FILE, DIR, FIFO and SYMLINK, never DEV) .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/switch_module.10000644000175000017500000000216411131371033021325 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. .TH "SWITCH_MODULE" 1 "May 2003" "Rule Set Based Access Control" "switch_module" .SH NAME switch_module \- switch RSBAC module on/off or enable/disable global or individual module soft mode .SH "SYNOPSIS" .ad l .hy 0 .HP 14 \fBswitch_module\fR [\fB\-s\fR] {\fBmodule\fR} {\fBvalue\fR} .ad .hy .SH "DESCRIPTION" .PP Switch decision modules on or off, if enabled by kernel configuration\&. Parameters are the module name and 0 or 1\&. Necessary permissions are module dependent\&. This tool can also switch ``soft mode'' on or off\&. Note that switching a module off disables its enforcement for the whole system; whether this is possible at all, and who is allowed to do it, depends on the kernel configuration and on the module\&. .PP See appropriate RSBAC documentation about ``soft mode''\&. .SH "OPTIONS" .PP .TP \fB\-s\fR switch the module's individual soft mode, not the whole module .TP \fBmodule\fR name of RSBAC module, e\&.g\&., RC or ACL .TP \fBvalue\fR 1 corresponds to ``turn on'', and 0 to ``turn off'' .SH AUTHOR Amon Ott . 
rsbac-admin-1.4.0/main/tools/man/net_temp.10000644000175000017500000000232611131371033020272 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. .TH "NET_TEMP" 1 "May 2003" "Rule Set Based Access Control" "net_temp" .SH NAME net_temp \- work with network templates .SH "SYNOPSIS" .ad l .hy 0 .HP 9 \fBnet_temp\fR [\fB\-vbsnluda\fR] [\fB\-V\fR\ \fIversion\fR] {\fBfunction\fR} {\fBid\fR} [\fBset\-param\fR] .ad .hy .ad l .hy 0 .HP 9 \fBnet_temp\fR [\fB\-vbsnluda\fR] {\fBlist_temp_{names,nr}\fR} .ad .hy .ad l .hy 0 .HP 9 \fBnet_temp\fR [\fB\-vbsnluda\fR] {\fBlist_template\fR} {\fBid\fR} .ad .hy .SH "DESCRIPTION" .PP work with network templates .SH "OPTIONS" .PP .TP \fB\-v\fR verbose output .TP \fB\-l\fR list available functions .TP \fB\-b\fR backup mode .TP \fB\-s\fR scripting mode .TP \fB\-n\fR take number as address .TP \fB\-u\fR take string as address .TP \fB\-d\fR take DNS name as address and convert to IP address .TP \fB\-a\fR list all templates in detail .TP \fB\-V\fR \fIversion\fR supply RSBAC integer version number for upgrading .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/pm_ct_exec.10000644000175000017500000000151711131371033020566 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. 
.TH "PM_CT_EXEC" 1 "May 2003" "Rule Set Based Access Control" "pm_ct_exec" .SH NAME pm_ct_exec \- start program with some PM current task .SH "SYNOPSIS" .ad l .hy 0 .HP 11 \fBpm_ct_exec\fR {\fBtask\-nr\fR} {\fBprog\fR} [\fBargs\fR] .ad .hy .SH "DESCRIPTION" .PP This program will set \fIrsbac_pm_current_task\fR to \fBtask\-nr\fR and then execute prog via execvp()\&. .PP See appropriate RSBAC documentation for PM module details\&. .SH "OPTIONS" .TP \fBtask\-nr\fR number of the PM task .TP \fBprogram\fR program to run .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/rsbac_stats.10000644000175000017500000000137211131371033020767 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. .TH "RSBAC_STATS" 1 "May 2003" "Rule Set Based Access Control" "rsbac_stats" .SH NAME rsbac_stats \- write RSBAC status info into syslog .SH "SYNOPSIS" .ad l .hy 0 .HP 12 \fBrsbac_stats\fR .ad .hy .SH "DESCRIPTION" .PP This program requests the kernel to write the current RSBAC status to the syslog at level \fIKERN_INFO\fR\&. You can see results in system logs (or logs of rklogd) later\&. .PP This feature may be useful in some scripts .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/attr_get_fd.10000644000175000017500000000316611131371033020744 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. 
.TH "ATTR_GET_FD" 1 "May 2003" "Rule Set Based Access Control" "attr_get_fd" .SH NAME attr_get_fd \- fetch RSBAC attributes from files or directories .SH "SYNOPSIS" .ad l .hy 0 .HP 12 \fBattr_get_fd\fR [\fB\-vrnea\fR] {\fBmodule\fR} {\fBtarget\-type\fR} {\fBattribute\fR} [\fBfile/dirname(s)\fR] .ad .hy .SH "DESCRIPTION" .PP You need \fIattr_get_fd\fR to get RSBAC attribute values for filesystem objects\&. There are different attributes for different RSBAC modules\&. Check appropriate documentation about possible attributes for module you want to administrate or use \fB\-a\fR option to see full list\&. .SH "OPTIONS" .TP \fB\-v\fR verbose program output .TP \fB\-e\fR show effective (maybe inherited) value instead of real values\&. See appropriate documentation about difference between effective and real access rights\&. .TP \fB\-r\fR walk recursively into subdirs .TP \fB\-n\fR list all requests\&. Full target and request lists are in the ``Targets and Requests'' chapter of the RSBAC documentation\&. .TP \fB\-a\fR list attributes and values .TP \fBmodule\fR One of the possible RSBAC modules, e\&.g\&., GEN, MAC, FC, SIM, PM, MS, FF, RC or AUTH\&. .TP \fBtarget\-type\fR One of the possible RSBAC target types, e\&.g\&., FILE, DIR, FIFO, SYMLINK, DEV or FD (FD: all of FILE, DIR, FIFO and SYMLINK, but no DEV)) .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/attr_get_process.10000644000175000017500000000237611131371033022033 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. 
.TH "ATTR_GET_PROCESS" 1 "May 2003" "Rule Set Based Access Control" "attr_get_process" .SH NAME attr_get_process \- get RSBAC attributes on the selected process .SH "SYNOPSIS" .ad l .hy 0 .HP 17 \fBattr_get_process\fR [\fB\-pna\fR] {\fBmodule\fR} {\fBpid\fR} {\fBattribute\fR} [\fBbit\-no\fR] .ad .hy .SH "DESCRIPTION" .PP If you want to get an RSBAC attribute of some process, you may use the \fIattr_get_process\fR utility\&. Check the appropriate documentation about possible attributes and values for the module you want to administrate, or use the \fB\-a\fR option to see the full list\&. .SH "OPTIONS" .TP \fB\-p\fR print all request names .TP \fB\-n\fR list all request names .TP \fB\-a\fR list attributes and values .TP \fBmodule\fR one of the possible RSBAC modules, e\&.g\&., GEN, MAC, FC, SIM, PM, MS, FF, RC or AUTH .TP \fBbit\-no\fR additional parameter for vector based attributes, like categories and log_program_based\&. The returned value 0 means no, and 1 means yes\&. .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/acl_rm_user.10000644000175000017500000000145711131371033020756 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. .TH "ACL_RM_USER" 1 "May 2003" "Rule Set Based Access Control" "acl_rm_user" .SH NAME acl_rm_user \- remove all groups and memberships of a user .SH "SYNOPSIS" .ad l .hy 0 .HP 12 \fBacl_rm_user\fR [\fB\-y\fR] {\fBuser\fR} .ad .hy .SH "DESCRIPTION" .PP Remove everything in ACL related to a user\&. It is very useful to run this utility after the \fBuserdel\fR command to get rid of old settings: the ACL entries are stored for the numeric user id, not the account name, so entries left behind would apply to any account that is later created with the same id\&. .SH "OPTIONS" .PP .TP \fB\-y\fR remove without asking .TP \fBuser\fR name or id of the user .SH AUTHOR Amon Ott . 
rsbac-admin-1.4.0/main/tools/man/attr_get_up.10000644000175000017500000000211411131371033020771 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. .TH "ATTR_GET_UP" 1 "May 2003" "Rule Set Based Access Control" "attr_get_up" .SH NAME attr_get_up \- get RSBAC attributes on the selected user or process .SH "SYNOPSIS" .ad l .hy 0 .HP 12 \fBattr_get_up\fR [\fB\-a\fR] {\fBmodule\fR} {\fBtarget\-type\fR} {\fBattribute\fR} [\fBuser(s)/proc\-no\fR] .ad .hy .SH "DESCRIPTION" .PP If you want to get an RSBAC attribute of some process or user, you may use the \fIattr_get_up\fR utility\&. Check the appropriate documentation about possible attributes and values for the module you want to administrate, or use the \fB\-a\fR option to see the full list\&. .SH "OPTIONS" .TP \fB\-a\fR list attributes and values .TP \fBmodule\fR one of the possible RSBAC modules, e\&.g\&., GEN, MAC, FC, SIM, PM, MS, FF, RC or AUTH .TP \fBtarget\-type\fR USER or PROCESS .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/attr_rm_user.10000644000175000017500000000150411131371033021162 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. .TH "ATTR_RM_USER" 1 "May 2003" "Rule Set Based Access Control" "attr_rm_user" .SH NAME attr_rm_user \- remove all attributes of a user .SH "SYNOPSIS" .ad l .hy 0 .HP 13 \fBattr_rm_user\fR {\fBuser\&.\&.\&.\fR} .ad .hy .SH "DESCRIPTION" .PP Remove all attributes related to a user\&. It is advisable to run this utility after e\&.g\&. 
the \fBuserdel\fR command to get rid of old settings, because the kernel stores attributes for the numeric UID and does not know which user accounts still exist: attributes left behind would apply to any account that is later created with the same UID\&. .SH "OPTIONS" .PP .TP \fBuser\fR name or UID of the user .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/attr_rm_file_dir.10000644000175000017500000000160611131371033021764 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. .TH "ATTR_RM_FILE_DIR" 1 "May 2003" "Rule Set Based Access Control" "attr_rm_file_dir" .SH NAME attr_rm_file_dir \- remove (reset into default values) all RSBAC attributes of file or directory .SH "SYNOPSIS" .ad l .hy 0 .HP 17 \fBattr_rm_file_dir\fR {\fBtarget\-type\fR} [\fBfile/dirname\fR] .ad .hy .SH "DESCRIPTION" .PP Remove (reset into default values) all attributes of the selected file or directory\&. It is useful for getting rid of stale settings on an object\&. Note that resetting to the default values also removes any restrictions that were set on the object, so check what is currently set before running it\&. .SH "OPTIONS" .PP .TP \fBtarget\-type\fR FILE, DIR, FIFO, SYMLINK or DEV .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/attr_get_file_dir.10000644000175000017500000000365211131371033022130 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. 
.TH "ATTR_GET_FILE_DIR" 1 "May 2003" "Rule Set Based Access Control" "attr_get_file_dir" .SH NAME attr_get_file_dir \- fetch RSBAC attribute values for filesystem objects .SH "SYNOPSIS" .ad l .hy 0 .HP 18 \fBattr_get_file_dir\fR [\fB\-epcRa\fR] [\fB\-n\fR\ \fItarget\fR] {\fBmodule\fR} {\fBtarget\-type\fR} {\fBfile/dirname(s)\fR} {\fBattribute\fR} [\fBrequest\fR] .ad .hy .ad l .hy 0 .HP 18 \fBattr_get_file_dir\fR [\fB\-epcRa\fR] [\fB\-n\fR\ \fItarget\fR] {\fBmodule\fR} {\fBtarget\-type\fR} {\fBfile/dirname(s)\fR} {\fBattribute\fR} [\fBposition\fR] .ad .hy .ad l .hy 0 .HP 18 \fBattr_get_file_dir\fR {\fBlist_category_nr\fR} .ad .hy .SH "DESCRIPTION" .PP You need \fIattr_get_file_dir\fR to get RSBAC attribute values of filesystem objects\&. There are different attributes for different RSBAC modules\&. Check appropriate documentation about possible attributes for module you want to administrate or use \fB\-a\fR option to see the full list\&. .SH "OPTIONS" .TP \fB\-e\fR show effective (maybe inherited) value instead of the real value\&. See appropriate documentation about the difference between effective and real values\&. .TP \fB\-p\fR print names of used requests .TP \fB\-n\fR \fItarget\fR list all requests for \fItarget\fR .TP \fB\-c\fR list all Linux capabilities .TP \fB\-R\fR list all RES resource names .TP \fB\-a\fR list all attributes and values .TP \fB\-A\fR list attributes and values .TP \fBmodule\fR One of the possible RSBAC modules, e\&.g\&., GEN, MAC, FC, SIM, PM, MS, FF, RC, AUTH or RES\&. .TP \fBtarget\-type\fR One of the possible RSBAC target types, e\&.g\&., FILE, DIR, FIFO, SYMLINK or DEV\&. .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/attr_set_user.10000644000175000017500000000251611131371033021343 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. 
.de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. .TH "ATTR_SET_USER" 1 "May 2003" "Rule Set Based Access Control" "attr_set_user" .SH NAME attr_set_user \- set RSBAC attributes on the selected user .SH "SYNOPSIS" .ad l .hy 0 .HP 14 \fBattr_set_user\fR [\fB\-pamAV\fR] {\fBmodule\fR} {\fBuser\fR} {\fBattribute\fR} [\fBposition\fR] {\fBvalue\fR} .ad .hy .ad l .hy 0 .HP 14 \fBattr_set_user\fR [\fB\-pamAV\fR] {\fBmodule\fR} {\fBuser\fR} {\fBlog_user_based\fR} [\fBrequest\-list\fR] .ad .hy .SH "DESCRIPTION" .PP If you want to change RSBAC attribute for some user, you may use \fIattr_set_user\fR utility\&. Check appropriate documentation about possible attributes and values for module you want to administrate or use \fB\-A\fR option to see full list\&. .SH "OPTIONS" .TP \fB\-p\fR Print resulting requests\&. .TP \fB\-a\fR Add, not set\&. This is usefull for attributes like users' MAC category\&. .TP \fB\-m\fR Remove, not set .TP \fB\-A\fR list attributes and values .TP \fBmodule\fR One of the possible RSBAC modules, e\&.g\&., GEN, MAC, FC, SIM, PM, MS, FF, RC or AUTH\&. .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/switch_adf_log.10000644000175000017500000000273611131371033021440 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. .TH "SWITCH_ADF_LOG" 1 "May 2003" "Rule Set Based Access Control" "switch_adf_log" .SH NAME switch_adf_log \- switch general log subsystem settings .SH "SYNOPSIS" .ad l .hy 0 .HP 15 \fBswitch_adf_log\fR [\fB\-ntbgs\fR] [\fB\-V\fR\ \fIversion\fR] {\fBrequest\fR} [\fBtarget\fR] [\fBvalue\fR] .ad .hy .SH "DESCRIPTION" .PP RSBAC has general log settings and log settings per user or process\&. 
Using \fIswitch_adf_log\fR you can change the general log settings for all types of RSBAC requests\&. Note that the general settings apply system\-wide, so lowering a level reduces what is logged for all users and processes; treat changes with the same care as policy changes if RSBAC logging is part of your audit trail\&. .PP See appropriate RSBAC documentation about the ADF subsystem and possible requests\&. You can also use \fB\-n\fR to see possible requests and \fB\-t\fR to see possible targets\&. .SH "OPTIONS" .PP .TP \fB\-n\fR list all requests .TP \fB\-t\fR list all target types .TP \fB\-b\fR backup log level settings .TP \fB\-g\fR get, not set .TP \fB\-s\fR scripting mode .TP \fB\-V\fR \fIversion\fR supply RSBAC integer version number for upgrading .TP \fBrequest\fR one of the possible RSBAC requests or \fIALL\fR for all requests\&. .TP \fBvalue\fR log level 0, 1 or 2\&. See the RSBAC documentation on ADF logging for the meaning of each level\&. .TP \fBtarget\fR One of the possible RSBAC targets, or leave out for \fIALL\fR targets\&. .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/linux2acl.10000644000175000017500000000236111131371033020357 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. .TH "LINUX2ACL" 1 "May 2003" "Rule Set Based Access Control" "linux2acl" .SH NAME linux2acl \- convert linux groups and rights to RSBAC ACL groups and rights .SH "SYNOPSIS" .ad l .hy 0 .HP 10 \fBlinux2acl\fR [\fB\-vrgGpPn\fR] {\fBfile/dir/scdname(s)\fR} .ad .hy .SH "DESCRIPTION" .PP \fIlinux2acl\fR creates an ACL model administration script from existing Linux groups and filesystem object rights\&. It should be used if Linux filesystem access control is meant to be replaced by ACL and disabled via \fIrsbac_dac_disable\fR (see there)\&. The script only reproduces the rights that exist at the time it is generated; review it and apply it before Linux access control is disabled\&. .PP See the ``Installation and Administration'' guide about compile time kernel options\&. 
.SH "OPTIONS" .TP \fB\-v\fR use verbose in scripts .TP \fB\-r\fR recurse into subdirs .TP \fB\-g\fR also create group entries with members .TP \fB\-G\fR only create group entries with members .TP \fB\-p\fR print right names .TP \fB\-P\fR use private groups .TP \fB\-n\fR use numeric user ids where possible .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/man/attr_back_user.10000644000175000017500000000213311131371033021443 0ustar gauvaingauvain.\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. .TH "ATTR_BACK_USER" 1 "May 2003" "Rule Set Based Access Control" "attr_back_user" .SH NAME attr_back_user \- Backup RSBAC attributes for users .SH "SYNOPSIS" .ad l .hy 0 .HP 15 \fBattr_back_user\fR [\fB\-aAv\fR] [\fB\-o\fR\ \fItarget\-file\fR] [\fBusername(s)\fR] .ad .hy .SH "DESCRIPTION" .PP You should use \fIattr_back_user\fR to backup RSBAC attributes of system users\&. This program should be called by a user with full attribute read access, e\&.g\&. the default user 400\&. You can also create special settings (e\&.g\&. special role for RC) for modules you use in your system\&. .SH "OPTIONS" .TP \fB\-v\fR be verbose .TP \fB\-a\fR process all known user accounts .TP \fB\-o\fR \fItarget\-file\fR write to \fItarget\-file\fR, not stdout .TP \fB\-A\fR list attributes and values .SH AUTHOR Amon Ott . rsbac-admin-1.4.0/main/tools/COPYING0000644000175000017500000004313111131371033016654 0ustar gauvaingauvain GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. 
Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. 
If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. 
You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. 
If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. 
(This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. 
Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. 
Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. 
Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. 
Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. 
If this is what you want to do, use the GNU Library General Public License instead of this License. rsbac-admin-1.4.0/main/pam/0000755000175000017500000000000011131371037015240 5ustar gauvaingauvainrsbac-admin-1.4.0/main/pam/pam_rsbac.c0000644000175000017500000005472511131371037017350 0ustar gauvaingauvain/* pam_rsbac module */ /* * $Id: pam_permit.c,v 1.2 2000/12/04 19:02:34 baggins Exp $ * Written by Andrew Morgan 1996/3/11 * Modified for rsbac by Amon Ott 2005 * Modified for rsbac by Guillaume Destuynder 2006 * * Several functions and some other code copied from * Copyright (c) Jan Rêkorajski 1999. * Copyright (c) Andrew G. Morgan 1996-8. * Copyright (c) Alex O. Yuriev, 1996. * Copyright (c) Cristian Gafton 1996. * * Modified and glued together for RSBAC authentication by * Amon Ott * Copyright (c) Amon Ott, 2004 * * This product may be distributed under the terms of * the GNU Public License. * * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. 
*/

#define DEFAULT_USER "nobody"
#define MISTYPED_PASS _("Sorry, passwords do not match!")

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "nls.h"

/*
 * here, we make definitions for the externally accessible functions
 * in this file (these definitions are required for static modules
 * but strongly encouraged generally) they are used to instruct the
 * modules include file to define their prototypes.
 */
#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
#define PAM_SM_SESSION
#define PAM_SM_PASSWORD

#include
#include
#include
#include

/* Overwrite a heap-held authentication token and then free it, so the
 * plaintext does not linger in process memory. Use on every token path. */
#define _pam_delete(xx) \
{ \
    _pam_overwrite(xx); \
    _pam_drop(xx); \
}

/*
 * Send a message to syslog (facility LOG_AUTH, priority `err`), prefixed
 * with "(pam_rsbac) ". `pamh` is accepted but not used.
 *
 * SECURITY(review): `format` becomes the vsyslog() format string, so every
 * caller must pass a string literal. pam_sm_acct_mgmt passes a
 * gettext-translated _() string here for the "user management not
 * available" case, which turns the message catalog into a format string;
 * log the untranslated literal there (as the other callers do), or pass
 * translated text as an argument to a fixed "%s" format.
 */
void _log_err(int err, pam_handle_t *pamh, const char *format,...)
{
    va_list args;
    const char tag[] = "(pam_rsbac) ";
    char *mod_format;
    int free_mod_format = 1;

    /* sizeof(tag) already counts its NUL; the extra 1 is slack. */
    mod_format = malloc( 1 + sizeof(tag) + strlen(format));
    if(mod_format == NULL) {
        /* Out of memory: log the untagged format rather than nothing. */
        free_mod_format = 0;
        mod_format = (char *) format;
    } else {
        strcpy(mod_format, tag);
        strcat( mod_format, format);
    }
    va_start(args, format);
    vsyslog(err | LOG_AUTH, mod_format, args);
    va_end(args);
    if (free_mod_format)
        free(mod_format);
}

/*
 * Hand `nargs` messages to the application's conversation function and
 * collect its replies in *response. `ctrl` is unused.
 * Returns the conversation's status, or the pam_get_item() error.
 *
 * NOTE(review): `conv` and `conv->conv` are dereferenced as soon as
 * pam_get_item() succeeds, with no NULL check; an application that
 * installed no PAM_CONV would crash the module here. The usual guard is
 * `if (conv == NULL || conv->conv == NULL) return PAM_CONV_ERR;`.
 */
static int converse(pam_handle_t * pamh, int ctrl, int nargs
                    ,struct pam_message **message
                    ,struct pam_response **response)
{
    int retval;
    struct pam_conv *conv;

    D(("begin to converse"));

    retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
    if (retval == PAM_SUCCESS) {
        retval = conv->conv(nargs, (const struct pam_message **) message
                            ,response, conv->appdata_ptr);
        D(("returned from application's conversation function"));
        if (retval != PAM_SUCCESS) {
            _log_err(LOG_DEBUG, pamh, "conversation failure [%s]"
                     ,pam_strerror(pamh, retval));
        }
    } else if (retval != PAM_CONV_AGAIN) {
        /* PAM_CONV_AGAIN is not an error: the caller will be resumed. */
        _log_err(LOG_ERR, pamh
                 ,"couldn't obtain conversation function [%s]"
                 ,pam_strerror(pamh, retval));
    }

    D(("ready to return from module conversation"));

    return retval;			/* propagate error status */
}

/*
 * Show `text` to the user through the conversation, prefixed with the
 * module name. `type` is the PAM message style (PAM_ERROR_MSG,
 * PAM_TEXT_INFO); `ctrl` is unused. Any reply is discarded.
 */
int _make_remark(pam_handle_t * pamh, unsigned int ctrl
                 ,int type, const
char *text)
{
    int retval = PAM_SUCCESS;
    {
        struct pam_message *pmsg[1], msg[1];
        struct pam_response *resp;
        char remark[RSBAC_MAXNAMELEN];

        /* SECURITY(review): unbounded sprintf() into a fixed-size stack
         * buffer. The "Unhandled error" callers pass `text` that is itself
         * nearly RSBAC_MAXNAMELEN bytes long (their tmp2 buffers), so the
         * 14-byte "pam_rsbac.so: " prefix can overrun `remark`. Use
         * snprintf(remark, sizeof(remark), "pam_rsbac.so: %s", text). */
        sprintf(remark, "pam_rsbac.so: %s", text);
        pmsg[0] = &msg[0];
        msg[0].msg = remark;
        msg[0].msg_style = type;
        resp = NULL;

        retval = converse(pamh, 0, 1, pmsg, &resp);
        if (resp) {
            _pam_drop_reply(resp, 1);
        }
    }
    return retval;
}

/*
 * Because getlogin() is braindead and sometimes it just
 * doesn't work, we reimplement it here.
 *
 * Look up, in utmp, the user logged in on the tty attached to fd 0.
 * Returns a pointer to a static buffer, or NULL when there is no tty,
 * the tty name is too short, or utmp has no matching line.
 *
 * NOTE(review): informational only -- utmp is not an authenticated
 * source; the result is used for the "by %s" part of the session log.
 * `curr_tty += 5` assumes a "/dev/" prefix that is only length-checked,
 * never compared. The static result buffer makes this non-reentrant.
 */
char *PAM_getlogin(void)
{
    struct utmp *ut, line;
    char *curr_tty, *retval;
    static char curr_user[sizeof(ut->ut_user) + 4];

    retval = NULL;
    curr_tty = ttyname(0);
    if (curr_tty != NULL && (strlen(curr_tty) > 5)) {
        D(("PAM_getlogin ttyname: %s", curr_tty));
        curr_tty += 5;			/* skip "/dev/" */
        setutent();
        /* strncpy may leave ut_line unterminated if the name fills the
         * field; presumably fine since getutline() matches on ut_line. */
        strncpy(line.ut_line, curr_tty, sizeof(line.ut_line));
        if ((ut = getutline(&line)) != NULL) {
            /* Copy at most ut_user's width; curr_user has 4 spare bytes so
             * the explicit terminator below is always in range. */
            strncpy(curr_user, ut->ut_user, sizeof(ut->ut_user));
            curr_user[sizeof(curr_user) - 1] = '\0';
            retval = curr_user;
        }
        endutent();
    }
    if(retval)
        D(("PAM_getlogin retval: %s", retval));
    return retval;
}

/* --- authentication management functions --- */

/*
 * PAM "auth" entry point: check the password of PAM_USER against the
 * RSBAC user-management database (rsbac_um_auth_name). Module arguments
 * (argc/argv) are not parsed; `ctrl` stays 0 throughout.
 */
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
                                   ,const char **argv)
{
    int retval;
    const char *user=NULL;
    char * p;
    unsigned int ctrl = 0;

    /*
     * authentication requires we know who the user wants to be
     */
    retval = pam_get_user(pamh, &user, NULL);
    if (retval != PAM_SUCCESS) {
        D(("get user returned error: %s", pam_strerror(pamh,retval)));
        return retval;
    }
    if (user == NULL || *user == '\0') {
        D(("username not known"));
        /* NOTE(review): only the PAM_USER item is replaced by DEFAULT_USER;
         * the local `user` stays NULL/empty and is what the prompt and the
         * rsbac_um_auth_name() call further down receive. Re-read the item
         * here, or return PAM_USER_UNKNOWN. */
        pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER);
    }

    /* A token left by an earlier stacked module is reused unconditionally
     * (implicit try_first_pass); only when none is present do we prompt. */
    retval = pam_get_item (pamh, PAM_AUTHTOK, (void *) &p);
    if(retval != PAM_SUCCESS) {
        if (retval != PAM_CONV_AGAIN) {
            _log_err(LOG_CRIT, pamh, "auth could not identify password for [%s]"
                     ,user);
        } else {
            D(("conversation function is not ready yet"));
            /*
             * it is safe to resume this function so we translate this
             * retval to the value that indicates we're happy to resume.
*/ retval = PAM_INCOMPLETE; } user = NULL; return retval; } if(!p) { struct pam_message msg[3], *pmsg[3]; struct pam_response *resp; int i, replies; char * comment = NULL; char prompt1[RSBAC_MAXNAMELEN]; char * token = NULL; /* prepare to converse */ #ifdef ENABLE_RSBAC_PROMPT snprintf(prompt1, RSBAC_MAXNAMELEN - 1, _("%s's RSBAC password: "), user); #else snprintf(prompt1, RSBAC_MAXNAMELEN, _("Password:")); #endif prompt1[RSBAC_MAXNAMELEN - 1] = 0; if (comment != NULL) { pmsg[0] = &msg[0]; msg[0].msg_style = PAM_TEXT_INFO; msg[0].msg = comment; i = 1; } else { i = 0; } pmsg[i] = &msg[i]; msg[i].msg_style = PAM_PROMPT_ECHO_OFF; msg[i++].msg = prompt1; replies = 1; /* so call the conversation expecting i responses */ resp = NULL; retval = converse(pamh, ctrl, i, pmsg, &resp); if (resp != NULL) { /* interpret the response */ if (retval == PAM_SUCCESS) { /* a good conversation */ token = x_strdup(resp[i - replies].resp); if (token != NULL) { p = token; pam_set_item (pamh, PAM_AUTHTOK, p); } else { _log_err(LOG_NOTICE, pamh ,"could not recover authentication token"); } } /* * tidy up the conversation (resp_retcode) is ignored * -- what is it for anyway? AGM */ _pam_drop_reply(resp, i); } else { retval = (retval == PAM_SUCCESS) ? 
PAM_AUTHTOK_RECOVER_ERR : retval;
            return retval;
        }
    }

    /* NOTE(review): `p` may still be NULL here. When the conversation
     * above yielded no token, the code only logs "could not recover
     * authentication token" and falls through (pam_sm_chauthtok returns
     * PAM_AUTHTOK_RECOVER_ERR in the same situation). Whether
     * rsbac_um_auth_name() tolerates a NULL password is not visible in
     * this file; guard with `if (!p) return PAM_AUTH_ERR;`. */
    retval = rsbac_um_auth_name((char *) user, p);
    if(!retval)
        return PAM_SUCCESS;

    /* Failure details are reported through errno.
     * NOTE(review): PAM_USER_UNKNOWN vs PAM_AUTH_ERR lets the application
     * tell unknown accounts from wrong passwords; rely on the application
     * or the stack configuration to present both the same way. */
    switch(errno) {
        case RSBAC_EMUSTCHANGE:
            /* Correct password, but it has expired: authentication still
             * succeeds; pam_sm_acct_mgmt maps this to PAM_NEW_AUTHTOK_REQD,
             * so the stack needs an "account" line for this module too. */
            return PAM_SUCCESS;
        case EPERM:
            _log_err(LOG_NOTICE, pamh, "could not authenticate user %s", user);
            /* Drop the rejected token so a later stacked module cannot
             * silently reuse it. */
            pam_set_item (pamh, PAM_AUTHTOK, NULL);
            return PAM_AUTH_ERR;
        case RSBAC_ENOTFOUND:
            _log_err(LOG_NOTICE, pamh, "could not authenticate user %s", user);
            return PAM_USER_UNKNOWN;
        case RSBAC_EINVALIDMODULE:
        case ENOSYS:
            /* RSBAC user management is not available on this kernel. */
            _log_err(LOG_NOTICE, pamh, "RSBAC user management not available");
            _make_remark(pamh, ctrl, PAM_ERROR_MSG, _("RSBAC user management not available"));
            return PAM_USER_UNKNOWN;
        case RSBAC_EINVALIDVERSION:
            _log_err(LOG_NOTICE, pamh, "Incompatible RSBAC version, this PAM module was compiled for %s", RSBAC_VERSION);
            _make_remark(pamh, ctrl, PAM_ERROR_MSG, _("Incompatible RSBAC version"));
            return PAM_USER_UNKNOWN;
        case RSBAC_EEXPIRED:
            _log_err(LOG_NOTICE, pamh, "account %s has expired (account expired)", user);
            _make_remark(pamh, ctrl, PAM_ERROR_MSG, _("Your account has expired, please contact system administrator"));
            pam_set_item (pamh, PAM_AUTHTOK, NULL);
            return PAM_ACCT_EXPIRED;
        default:
            {
                char tmp[RSBAC_MAXNAMELEN];
                char tmp2[RSBAC_MAXNAMELEN];

                /* NOTE(review): the switch dispatches on errno but the name
                 * is derived from retval; if the library returns -1 and sets
                 * errno, this names the wrong value -- confirm against the
                 * rsbac library. */
                _log_err(LOG_NOTICE, pamh, "error not handled: %s", get_error_name(tmp, retval));
                snprintf(tmp2, RSBAC_MAXNAMELEN - 1, _("Unhandled error %s, please contact system administrator!"), get_error_name(tmp, retval));
                tmp2[RSBAC_MAXNAMELEN - 1] = 0;
                /* Delivered as PAM_TEXT_INFO although it is an error. */
                _make_remark(pamh, ctrl, PAM_TEXT_INFO, tmp2);
                return PAM_AUTHINFO_UNAVAIL;
            }
    }
}

/* Credential setup: nothing to do for this module. */
PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
                              ,const char **argv)
{
    return PAM_SUCCESS;
}

/* --- account management functions --- */

/*
 * PAM "account" entry point: ask RSBAC whether the account may be used
 * (account expiry, forced password change, expiry-warning window).
 * Module arguments are not parsed; `ctrl` stays 0.
 */
PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc
                                ,const char **argv)
{
    const char * user;
    int retval;
    unsigned int ctrl = 0;

    retval = pam_get_item(pamh, PAM_USER, (const void **) &user);
    if (retval != PAM_SUCCESS || user == NULL) {
        _log_err(LOG_ALERT, pamh
,"could not identify user (from uid=%d)" ,getuid()); return PAM_USER_UNKNOWN; } retval = rsbac_um_check_account_name((char *) user); if(!retval) return PAM_SUCCESS; switch(errno) { case RSBAC_ENOTFOUND: _log_err(LOG_NOTICE, pamh, "could not identify user %s", user); _make_remark(pamh, ctrl, PAM_ERROR_MSG, _("Cannot lookup your account data")); return PAM_USER_UNKNOWN; case RSBAC_EINVALIDMODULE: case ENOSYS: _log_err(LOG_NOTICE, pamh, _("RSBAC user management not available")); _make_remark(pamh, ctrl, PAM_ERROR_MSG, _("RSBAC user management not available")); return PAM_USER_UNKNOWN; case RSBAC_EINVALIDVERSION: _log_err(LOG_NOTICE, pamh, "Incompatible RSBAC version, this PAM module was compiled for %s", RSBAC_VERSION); _make_remark(pamh, ctrl, PAM_ERROR_MSG, _("Incompatible RSBAC version")); return PAM_USER_UNKNOWN; case RSBAC_EMUSTCHANGE: _log_err(LOG_NOTICE, pamh, "expired password for user %s", user); _make_remark(pamh, ctrl, PAM_ERROR_MSG, _("You are required to change your password immediately")); return PAM_NEW_AUTHTOK_REQD; case RSBAC_EEXPIRED: _log_err(LOG_NOTICE, pamh, "account %s has expired (account expired)", user); _make_remark(pamh, ctrl, PAM_ERROR_MSG, _("Your account has expired, please contact system administrator")); return PAM_ACCT_EXPIRED; default: break; } /* within warning period? */ if(retval > 0) { char tmp[RSBAC_MAXNAMELEN]; _log_err(LOG_DEBUG, pamh ,"password for user %s will expire in %d days", user, retval); snprintf(tmp, RSBAC_MAXNAMELEN - 1, _("Warning: your password will expire in %d day%.2s"), retval, retval == 1 ? "" : "s"); tmp[RSBAC_MAXNAMELEN - 1] = 0; _make_remark(pamh, ctrl, PAM_TEXT_INFO, tmp); return PAM_SUCCESS; } /* other error? 
*/ if(retval < 0) { char tmp[RSBAC_MAXNAMELEN]; char tmp2[RSBAC_MAXNAMELEN]; _log_err(LOG_NOTICE, pamh, "error not handled: %s", get_error_name(tmp, retval)); snprintf(tmp2, RSBAC_MAXNAMELEN - 1, _("Unhandled error %s, please contact system administrator!"), get_error_name(tmp, retval)); tmp2[RSBAC_MAXNAMELEN - 1] = 0; _make_remark(pamh, ctrl, PAM_TEXT_INFO, tmp2); return PAM_AUTHINFO_UNAVAIL; } /* OK, we got it. */ return PAM_SUCCESS; } /* --- password management --- */ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc ,const char **argv) { int retval; const char *user=NULL; rsbac_uid_t uid = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, RSBAC_NO_USER); char * p_old; char * p_new; unsigned int ctrl = 0; struct pam_message msg[3], *pmsg[3]; struct pam_response *resp; int i, replies; char prompt1[RSBAC_MAXNAMELEN]; char prompt2[RSBAC_MAXNAMELEN]; char * token = NULL; snprintf(prompt2, RSBAC_MAXNAMELEN, _("Repeat new password: ")); prompt2[RSBAC_MAXNAMELEN - 1] = 0; retval = pam_get_user(pamh, &user, NULL); if (retval != PAM_SUCCESS) { D(("get user returned error: %s", pam_strerror(pamh,retval))); return retval; } if(!user) return PAM_SERVICE_ERR; if(!user[0]) return PAM_USER_UNKNOWN; if (flags & PAM_PRELIM_CHECK) { retval = rsbac_um_get_uid(0, (char *) user, &uid); if(!retval) return PAM_SUCCESS; switch(errno) { case RSBAC_EEXPIRED: return PAM_ACCT_EXPIRED; default: return PAM_TRY_AGAIN; } } if (flags & PAM_CHANGE_EXPIRED_AUTHTOK) { retval = rsbac_um_check_account_name((char *) user); if(!retval) return PAM_SUCCESS; switch(errno) { case RSBAC_EEXPIRED: case RSBAC_EMUSTCHANGE: break; default: return PAM_TRY_AGAIN; } } retval = pam_get_item (pamh, PAM_OLDAUTHTOK, (void *) &p_old); if(retval != PAM_SUCCESS || !p_old) { /* prepare to converse */ snprintf(prompt1, RSBAC_MAXNAMELEN - 1, _("Old password for user %s: "), user); prompt1[RSBAC_MAXNAMELEN - 1] = 0; i = 0; pmsg[i] = &msg[i]; msg[i].msg_style = PAM_PROMPT_ECHO_OFF; msg[i++].msg = prompt1; replies = 1; 
/* so call the conversation expecting i responses */ resp = NULL; retval = converse(pamh, ctrl, i, pmsg, &resp); if (resp != NULL) { /* interpret the response */ if (retval == PAM_SUCCESS) { /* a good conversation */ token = x_strdup(resp[i - replies].resp); if (token != NULL) { p_old = token; } else { _log_err(LOG_NOTICE, pamh ,"could not recover authentication token"); } } /* * tidy up the conversation (resp_retcode) is ignored * -- what is it for anyway? AGM */ _pam_drop_reply(resp, i); if(!token) return PAM_AUTHTOK_RECOVER_ERR; } else { retval = (retval == PAM_SUCCESS) ? PAM_AUTHTOK_RECOVER_ERR : retval; return retval; } retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) p_old); if (retval != PAM_SUCCESS) { _log_err(LOG_CRIT, pamh, "failed to set PAM_OLDAUTHTOK"); } } retval = pam_get_item (pamh, PAM_AUTHTOK, (void *) &p_new); if(retval != PAM_SUCCESS || !p_new) { /* prepare to converse */ snprintf(prompt1, RSBAC_MAXNAMELEN - 1, _("New password for user %s: "), user); prompt1[RSBAC_MAXNAMELEN - 1] = 0; i = 0; pmsg[i] = &msg[i]; msg[i].msg_style = PAM_PROMPT_ECHO_OFF; msg[i++].msg = prompt1; pmsg[i] = &msg[i]; msg[i].msg_style = PAM_PROMPT_ECHO_OFF; msg[i++].msg = prompt2; replies = 2; /* so call the conversation expecting i responses */ resp = NULL; retval = converse(pamh, ctrl, i, pmsg, &resp); if (resp != NULL) { /* interpret the response */ if (retval == PAM_SUCCESS) { /* a good conversation */ token = x_strdup(resp[i - replies].resp); if (token != NULL) { /* verify that password entered correctly */ if (!resp[i - 1].resp || strcmp(token, resp[i - 1].resp)) { _pam_delete(token); /* mistyped */ retval = PAM_AUTHTOK_RECOVER_ERR; _make_remark(pamh, ctrl ,PAM_ERROR_MSG, MISTYPED_PASS); _pam_drop_reply(resp, i); return retval; } p_new = token; } else { _log_err(LOG_NOTICE, pamh ,"could not recover authentication token"); } } /* * tidy up the conversation (resp_retcode) is ignored * -- what is it for anyway? 
AGM */
            _pam_drop_reply(resp, i);
            if(!token)
                return PAM_AUTHTOK_RECOVER_ERR;
        } else {
            retval = (retval == PAM_SUCCESS) ?
                PAM_AUTHTOK_RECOVER_ERR : retval;
            return retval;
        }
    }

    /* Both passwords in hand: RSBAC verifies the old one and installs the
     * new one; no verification happens in this module.
     * NOTE(review): `user` cannot be NULL here -- the function already
     * returned PAM_SERVICE_ERR on !user -- so the uid-based else branch
     * is dead code.
     * NOTE(review): tokens obtained from the prompts above were strdup'ed
     * and are never overwritten or freed on any path below (_pam_delete is
     * only applied on the mistyped-repeat path), so the plaintext passwords
     * stay in the process heap. */
    if(user) {
        retval = rsbac_um_set_pass_name((char *) user, p_old, p_new);
    } else {
        uid = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, getuid());
        retval = rsbac_um_set_pass(uid, p_old, p_new);
    }
    if(!retval)
        return PAM_SUCCESS;

    /* Failure details are reported through errno. */
    switch(errno) {
        case EPERM:
            _log_err(LOG_NOTICE, pamh, "could not authenticate user %s", user);
            return PAM_AUTH_ERR;
        case RSBAC_ENOTFOUND:
            _log_err(LOG_NOTICE, pamh, "could not authenticate user %s", user);
            return PAM_USER_UNKNOWN;
        case RSBAC_EWEAKPASSWORD:
            /* Strength check reported by RSBAC; let the user try again. */
            _log_err(LOG_NOTICE, pamh, "new password for user %s is too weak", user);
            _make_remark(pamh, ctrl, PAM_ERROR_MSG, _("New password is too weak"));
            return PAM_TRY_AGAIN;
        case RSBAC_EINVALIDMODULE:
        case ENOSYS:
            _log_err(LOG_NOTICE, pamh, "RSBAC user management not available");
            _make_remark(pamh, ctrl, PAM_ERROR_MSG, _("RSBAC user management not available"));
            return PAM_USER_UNKNOWN;
        case RSBAC_EINVALIDVERSION:
            _log_err(LOG_NOTICE, pamh, "Incompatible RSBAC version, this PAM module was compiled for %s", RSBAC_VERSION);
            _make_remark(pamh, ctrl, PAM_ERROR_MSG, _("Incompatible RSBAC version"));
            return PAM_USER_UNKNOWN;
        case RSBAC_EEXPIRED:
            _log_err(LOG_NOTICE, pamh, "account %s has expired (account expired)", user);
            _make_remark(pamh, ctrl, PAM_ERROR_MSG, _("Your account has expired, please contact system administrator"));
            return PAM_ACCT_EXPIRED;
        default:
            {
                char tmp[RSBAC_MAXNAMELEN];
                char tmp2[RSBAC_MAXNAMELEN];

                /* NOTE(review): name derived from retval although the
                 * switch is on errno -- confirm which one carries the
                 * RSBAC error code. */
                _log_err(LOG_NOTICE, pamh, "error not handled: %s", get_error_name(tmp, retval));
                snprintf(tmp2, RSBAC_MAXNAMELEN - 1, _("Unhandled error %s, please contact system administrator!"), get_error_name(tmp, retval));
                tmp2[RSBAC_MAXNAMELEN - 1] = 0;
                /* Delivered as PAM_TEXT_INFO although it is an error. */
                _make_remark(pamh, ctrl, PAM_TEXT_INFO, tmp2);
                return PAM_AUTHINFO_UNAVAIL;
            }
    }
}

/* --- session management --- */

/*
 * PAM "session" entry points: no RSBAC state is touched; they only write
 * an audit line to syslog.
 */
PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh,int flags,int
argc ,const char **argv)
{
    char *user_name, *service, *login;
    int retval;

    /* NOTE(review): pam_get_item() hands back a `const void *`; the
     * `(void *)` casts below only silence the warning -- these locals
     * should be `const char *` and passed as `(const void **)`. */
    retval = pam_get_item(pamh, PAM_USER, (void *) &user_name);
    if (user_name == NULL || retval != PAM_SUCCESS) {
        _log_err(LOG_CRIT, pamh, "open_session - error recovering username");
        return PAM_SESSION_ERR;		/* How did we get authenticated with no username?! */
    }
    /* `service` is fetched only to confirm the item is present; it is
     * not logged. */
    retval = pam_get_item(pamh, PAM_SERVICE, (void *) &service);
    if (service == NULL || retval != PAM_SUCCESS) {
        _log_err(LOG_CRIT, pamh, "open_session - error recovering service");
        return PAM_SESSION_ERR;
    }
    /* `login` comes from utmp (PAM_getlogin) and is informational only;
     * getuid() is the real uid of the calling process, not of the user
     * whose session is being opened. */
    login = PAM_getlogin();
    _log_err(LOG_INFO, pamh, "session opened for user %s by %s(uid=%d)",
             user_name, login == NULL ? "*unknown*" : login, getuid());
    return PAM_SUCCESS;
}

/*
 * Session close: write an audit line only.
 */
PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc
                                    ,const char **argv)
{
    char *user, *service;
    int retval;

    retval = pam_get_item(pamh, PAM_USER, (void *) &user);
    if (user == NULL || retval != PAM_SUCCESS) {
        _log_err(LOG_CRIT, pamh, "close_session - error recovering username");
        return PAM_SESSION_ERR;		/* How did we get authenticated with no username?! */
    }
    retval = pam_get_item(pamh, PAM_SERVICE, (void *) &service);
    if (service == NULL || retval != PAM_SUCCESS) {
        _log_err(LOG_CRIT, pamh, "close_session - error recovering service");
        return PAM_SESSION_ERR;
    }
    _log_err(LOG_INFO, pamh, "session closed for user %s", user);
    return PAM_SUCCESS;
}

/* end of module definition */

#ifdef PAM_STATIC

/* static module data */
/* NOTE(review): copy-paste leftover from pam_permit.c. In a static libpam
 * build this registers the module as "pam_permit" (symbol
 * _pam_permit_modstruct): pam.conf lines naming pam_permit would run RSBAC
 * authentication instead, and the real pam_permit, if also linked in,
 * would clash on the symbol. Should be `_pam_rsbac_modstruct` with the
 * name "pam_rsbac". */
struct pam_module _pam_permit_modstruct = {
    "pam_permit",
    pam_sm_authenticate,
    pam_sm_setcred,
    pam_sm_acct_mgmt,
    pam_sm_open_session,
    pam_sm_close_session,
    pam_sm_chauthtok
};

#endif
rsbac-admin-1.4.0/main/pam/po/0000755000175000017500000000000011131371037015656 5ustar gauvaingauvainrsbac-admin-1.4.0/main/pam/po/fr.po0000644000175000017500000000466311131371037016636 0ustar gauvaingauvain# PAM RSBAC # Copyright (C) 2007 Guillaume Destuynder # This file is distributed under the same license as the PACKAGE package.
# Guillaume Destuynder , 2007. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2008-02-21 16:42+0100\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: Guillaume Destuynder \n" "Language-Team: LANGUAGE \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #: pam_rsbac.c:37 msgid "Sorry, passwords do not match!" msgstr "Désolé, les mots de passe ne correspondent pas!" #: pam_rsbac.c:238 #, c-format msgid "%s's RSBAC password: " msgstr "Mot de passe RSBAC pour %s: " #: pam_rsbac.c:240 #, c-format msgid "Password:" msgstr "" #: pam_rsbac.c:315 pam_rsbac.c:394 pam_rsbac.c:396 pam_rsbac.c:663 msgid "RSBAC user management not available" msgstr "Gestion d'utilisateurs RSBAC non disponible" #: pam_rsbac.c:323 pam_rsbac.c:404 pam_rsbac.c:671 msgid "Incompatible RSBAC version" msgstr "Version de RSBAC incompatible" #: pam_rsbac.c:331 pam_rsbac.c:420 pam_rsbac.c:679 msgid "Your account has expired, please contact system administrator" msgstr "Votre compte a expiré. Contactez votre administrateur système" #: pam_rsbac.c:343 pam_rsbac.c:449 pam_rsbac.c:690 #, c-format msgid "Unhandled error %s, please contact system administrator!" msgstr "Erreur non gérée %s, contactez votre administrateur système!"
#: pam_rsbac.c:388 msgid "Cannot lookup your account data" msgstr "Impossible de récupérer les informations de votre compte" #: pam_rsbac.c:412 msgid "You are required to change your password immediately" msgstr "Vous devez changer de mot de passe immédiatement" #: pam_rsbac.c:434 #, c-format msgid "Warning: your password will expire in %d day%.2s" msgstr "Attention: votre mot de passe expire dans %d jour%.2s" #: pam_rsbac.c:478 #, c-format msgid "Repeat new password: " msgstr "Répétez le nouveau mot de passe: " #: pam_rsbac.c:523 pam_rsbac_oldpw.c:239 #, c-format msgid "Old password for user %s: " msgstr "Ancien mot de passe pour l'utilisateur %s: " #: pam_rsbac.c:571 #, c-format msgid "New password for user %s: " msgstr "Nouveau mot de passe pour l'utilisateur %s: " #: pam_rsbac.c:655 msgid "New password is too weak" msgstr "Le nouveau mot de passe est trop simple" #~ msgid "User not authenticated" #~ msgstr "Utilisateur non authentifié" rsbac-admin-1.4.0/main/pam/po/README0000644000175000017500000000233111131371037016535 0ustar gauvaingauvainHow to add a new language: ------------------------- 1. Set or make sure your $LANG, $LANGUAGE and $LC_ALL variables are set AND exported $ echo $LANG $LANGUAGE $LC_ALL This should output your language, for example: fr_FR@euro fr_FR@euro fr_FR@euro This will be the example in the next sections, please replace it with your own language. 2. Copy the template po/messages.tpo to po/fr_FR.po (not fr_FR@euro.po) 3. Edit the file: * Change the header * Fill all occurrences of ``msgstr' in your own language * Take care of the quotes and format strings (%s, %i, \n, \t): the translation must use exactly the same conversions, in the same order, as the original, or the program will print garbage * If you are unsure of the translation, look it up in the program, or ask the RSBAC team. (http://www.rsbac.org/contact) 4. Make sure you have the Gettext package with development files installed: * compile your file (the -c flag checks format strings): $ msgfmt -c -o po/fr_FR.mo po/fr_FR.po If everything goes right, go to step 5, else correct. 5. 
Compile and install the RSBAC tools using (see the ``INSTALL' file) * Try the programs and check everything works 6. Send the .po (fr_FR.po) file to the RSBAC team so that it's included in the next release. 7. Once we release the new version, please test the translation again to make sure nothing was forgotten. Thanks for contributing! rsbac-admin-1.4.0/main/pam/po/messages.tpo0000644000175000017500000000344411131371037020216 0ustar gauvaingauvain# SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2008-02-21 16:42+0100\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=CHARSET\n" "Content-Transfer-Encoding: 8bit\n" #: pam_rsbac.c:37 msgid "Sorry, passwords do not match!" msgstr "" #: pam_rsbac.c:238 #, c-format msgid "%s's RSBAC password: " msgstr "" #: pam_rsbac.c:240 #, c-format msgid "Password:" msgstr "" #: pam_rsbac.c:315 pam_rsbac.c:394 pam_rsbac.c:396 pam_rsbac.c:663 msgid "RSBAC user management not available" msgstr "" #: pam_rsbac.c:323 pam_rsbac.c:404 pam_rsbac.c:671 msgid "Incompatible RSBAC version" msgstr "" #: pam_rsbac.c:331 pam_rsbac.c:420 pam_rsbac.c:679 msgid "Your account has expired, please contact system administrator" msgstr "" #: pam_rsbac.c:343 pam_rsbac.c:449 pam_rsbac.c:690 #, c-format msgid "Unhandled error %s, please contact system administrator!" 
msgstr "" #: pam_rsbac.c:388 msgid "Cannot lookup your account data" msgstr "" #: pam_rsbac.c:412 msgid "You are required to change your password immediately" msgstr "" #: pam_rsbac.c:434 #, c-format msgid "Warning: your password will expire in %d day%.2s" msgstr "" #: pam_rsbac.c:478 #, c-format msgid "Repeat new password: " msgstr "" #: pam_rsbac.c:523 pam_rsbac_oldpw.c:239 #, c-format msgid "Old password for user %s: " msgstr "" #: pam_rsbac.c:571 #, c-format msgid "New password for user %s: " msgstr "" #: pam_rsbac.c:655 msgid "New password is too weak" msgstr "" rsbac-admin-1.4.0/main/pam/po/de.po0000644000175000017500000000461711131371037016616 0ustar gauvaingauvain# PAM RSBAC # Copyright (C) 2007 Guillaume Destuynder # This file is distributed under the same license as the PACKAGE package. # Guillaume Destuynder , 2007. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2008-02-21 16:42+0100\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: Guillaume Destuynder \n" "Language-Team: LANGUAGE \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #: pam_rsbac.c:37 msgid "Sorry, passwords do not match!" msgstr "Passwörter stimmen nicht überein!" 
#: pam_rsbac.c:238 #, c-format msgid "%s's RSBAC password: " msgstr "%s RSBAC-Passwort: " #: pam_rsbac.c:240 #, c-format msgid "Password:" msgstr "Passwort:" #: pam_rsbac.c:315 pam_rsbac.c:394 pam_rsbac.c:396 pam_rsbac.c:663 msgid "RSBAC user management not available" msgstr "RSBAC-Benutzerverwaltung nicht verfügbar" #: pam_rsbac.c:323 pam_rsbac.c:404 pam_rsbac.c:671 msgid "Incompatible RSBAC version" msgstr "Inkompatible RSBAC-Version" #: pam_rsbac.c:331 pam_rsbac.c:420 pam_rsbac.c:679 msgid "Your account has expired, please contact system administrator" msgstr "" "Ihr Zugang ist abgelaufen, bitte wenden Sie sich an den zuständigen " "Administrator" #: pam_rsbac.c:343 pam_rsbac.c:449 pam_rsbac.c:690 #, c-format msgid "Unhandled error %s, please contact system administrator!" msgstr "Unbekannter Fehler %s, bitte wenden Sie sich an den Administrator!" #: pam_rsbac.c:388 msgid "Cannot lookup your account data" msgstr "Zugangs-Daten nicht verfügbar" #: pam_rsbac.c:412 msgid "You are required to change your password immediately" msgstr "Passwort ist abgelaufen, bitte sofort ändern" #: pam_rsbac.c:434 #, c-format msgid "Warning: your password will expire in %d day%.2s" msgstr "Achtung: Ihr Passwort wird in %d Tag%.2s ablaufen" #: pam_rsbac.c:478 #, c-format msgid "Repeat new password: " msgstr "Neues Passwort wiederholen: " #: pam_rsbac.c:523 pam_rsbac_oldpw.c:239 #, c-format msgid "Old password for user %s: " msgstr "Altes Passwort des Benutzers %s: " #: pam_rsbac.c:571 #, c-format msgid "New password for user %s: " msgstr "Neues Passwort des Benutzers %s: " #: pam_rsbac.c:655 msgid "New password is too weak" msgstr "Neues Passwort ist zu schwach" #~ msgid "User not authenticated" #~ msgstr "Benutzer nicht authentisiert" rsbac-admin-1.4.0/main/pam/pam_rsbac_oldpw.c0000644000175000017500000001756111131371037020552 0ustar gauvaingauvain/* pam_rsbac module */ /* * $Id: pam_permit.c,v 1.2 2000/12/04 19:02:34 baggins Exp $ * Written by Andrew Morgan
1996/3/11 * * Several functions and some other code copied from * Copyright (c) Jan Rêkorajski 1999. * Copyright (c) Andrew G. Morgan 1996-8. * Copyright (c) Alex O. Yuriev, 1996. * Copyright (c) Cristian Gafton 1996. * * Modified and glued together for RSBAC authentication by * Amon Ott * Copyright (c) Amon Ott, 2004 * * This product may be distributed under the terms of * the GNU Public License. * * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. */ #define DEFAULT_USER "nobody" #include #include #include #include #include #include #include #include #include #include #include #include "nls.h" /* * here, we make definitions for the externally accessible functions * in this file (these definitions are required for static modules * but strongly encouraged generally) they are used to instruct the * modules include file to define their prototypes. */ #define PAM_SM_PASSWORD #include #include #include #include #define _pam_delete(xx) \ { \ _pam_overwrite(xx); \ _pam_drop(xx); \ } void _log_err(int err, pam_handle_t *pamh, const char *format,...) 
{
    va_list args;
    /* Prefix that identifies this module in every syslog line it writes. */
    const char tag[] = "(pam_rsbac_oldpw) ";
    char *mod_format;
    int free_mod_format = 1;

    /* sizeof(tag) already counts tag's terminating NUL, so the +1 leaves a spare byte. */
    mod_format = malloc( 1 + sizeof(tag) + strlen(format));
    if(mod_format == NULL) {
        /* Out of memory: log untagged rather than drop the message; nothing to free later. */
        free_mod_format = 0;
        mod_format = (char *) format;
    } else {
        strcpy(mod_format, tag);
        strcat( mod_format, format);
    }
    va_start(args, format);
    /* `format` is used as the vsyslog format string: callers must pass a
     * string literal, never text derived from user input.  `pamh` is not
     * used by this function. */
    vsyslog(err | LOG_AUTH, mod_format, args);
    va_end(args);
    if (free_mod_format)
        free(mod_format);
}

/*
 * Run the application's PAM conversation function with `nargs` messages.
 * `ctrl` is accepted but not used here.  Returns the conversation's PAM
 * status.  A failure to fetch PAM_CONV is logged unless it is
 * PAM_CONV_AGAIN; the status is propagated to the caller either way.
 * `conv` is assumed non-NULL whenever pam_get_item() reports PAM_SUCCESS.
 */
static int converse(pam_handle_t * pamh, int ctrl, int nargs
    ,struct pam_message **message
    ,struct pam_response **response)
{
    int retval;
    struct pam_conv *conv;

    D(("begin to converse"));
    retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
    if (retval == PAM_SUCCESS) {
        retval = conv->conv(nargs, (const struct pam_message **) message
            ,response, conv->appdata_ptr);
        D(("returned from application's conversation function"));
        if (retval != PAM_SUCCESS) {
            _log_err(LOG_DEBUG, pamh, "conversation failure [%s]"
                ,pam_strerror(pamh, retval));
        }
    } else if (retval != PAM_CONV_AGAIN) {
        _log_err(LOG_ERR, pamh
            ,"couldn't obtain coversation function [%s]"
            ,pam_strerror(pamh, retval));
    }
    D(("ready to return from module conversation"));
    return retval; /* propagate error status */
}

/*
 * Show `text` to the user through the conversation, prefixed with the
 * module name, using PAM message style `type`.  `ctrl` is not used.
 * Returns the conversation status.
 *
 * NOTE(review): `remark` holds RSBAC_MAXNAMELEN bytes and sprintf() is
 * unbounded, so any `text` longer than that (minus the prefix) overflows
 * this stack buffer.  Only short literal messages may be passed here;
 * snprintf() would remove the hazard.  No caller is visible in this file.
 */
int _make_remark(pam_handle_t * pamh, unsigned int ctrl
    ,int type, const char *text)
{
    int retval = PAM_SUCCESS;
    {
        struct pam_message *pmsg[1], msg[1];
        struct pam_response *resp;
        char remark[RSBAC_MAXNAMELEN];

        sprintf(remark, "pam_rsbac_oldpw.so: %s", text);
        pmsg[0] = &msg[0];
        msg[0].msg = remark;
        msg[0].msg_style = type;
        resp = NULL;
        retval = converse(pamh, 0, 1, pmsg, &resp);
        /* The reply to an informational message is not needed; release it. */
        if (resp) {
            _pam_drop_reply(resp, 1);
        }
    }
    return retval;
}

/*
 * Because getlogin() is braindead and sometimes it just
 * doesn't work, we reimplement it here.
 */
/*
 * Look up the login name recorded in utmp for the tty on fd 0.  Returns a
 * pointer to a static buffer, or NULL when stdin is not a tty (or its name
 * is 5 characters or shorter) or utmp has no entry for that line.  Not
 * thread-safe: static result buffer plus setutent()/getutline()/endutent().
 *
 * NOTE(review): utmp is advisory, not an authenticated identity source, so
 * this result must not be used as the basis of an access decision.  No
 * caller is visible in this file.
 */
char *PAM_getlogin(void)
{
    struct utmp *ut, line;
    char *curr_tty, *retval;
    /* +4 slack so the NUL terminator written below never lands inside the copied name. */
    static char curr_user[sizeof(ut->ut_user) + 4];

    retval = NULL;
    curr_tty = ttyname(0);
    if (curr_tty != NULL && (strlen(curr_tty) > 5)) {
        D(("PAM_getlogin ttyname: %s", curr_tty));
        /* Skip the first five characters -- presumably the "/dev/" prefix --
         * to obtain the utmp line name. */
        curr_tty += 5;
        setutent();
        /* ut_line need not be NUL-terminated; copying the full field width is intended. */
        strncpy(line.ut_line, curr_tty, sizeof(line.ut_line));
        if ((ut = getutline(&line)) != NULL) {
            strncpy(curr_user, ut->ut_user, sizeof(ut->ut_user));
            curr_user[sizeof(curr_user) - 1] = '\0';
            retval = curr_user;
        }
        endutent();
    }
    if(retval)
        D(("PAM_getlogin retval: %s", retval));
    return retval;
}

/* --- password management --- */

/*
 * Password-change entry point.  This module changes nothing itself: it
 * makes sure an old password is available as PAM_OLDAUTHTOK (prompting
 * for it when no earlier module supplied one) so a later module in the
 * stack can use it.  `argc`/`argv` are accepted but not read.
 *
 * PAM_PRELIM_CHECK: succeeds when the user resolves to an RSBAC uid;
 *   errno RSBAC_EEXPIRED maps to PAM_ACCT_EXPIRED, anything else to
 *   PAM_TRY_AGAIN.  The old password is not verified here.
 * PAM_CHANGE_EXPIRED_AUTHTOK: returns PAM_SUCCESS without prompting when
 *   rsbac_um_check_account_name() reports no problem; only RSBAC_EEXPIRED
 *   and RSBAC_EMUSTCHANGE fall through to the prompt, anything else is
 *   PAM_TRY_AGAIN.
 */
PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc
    ,const char **argv)
{
    int retval;
    const char *user=NULL;
    /* Written by rsbac_um_get_uid() below; the value is not read afterwards. */
    rsbac_uid_t uid = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, RSBAC_NO_USER);
    char * p_old;
    unsigned int ctrl = 0;
    struct pam_message msg[3], *pmsg[3];
    struct pam_response *resp;
    int i, replies;
    char prompt1[RSBAC_MAXNAMELEN];
    char * token = NULL;

    retval = pam_get_user(pamh, &user, NULL);
    if (retval != PAM_SUCCESS) {
        D(("get user returned error: %s", pam_strerror(pamh,retval)));
        return retval;
    }
    if(!user)
        return PAM_SERVICE_ERR;
    if(!user[0])
        return PAM_USER_UNKNOWN;

    if (flags & PAM_PRELIM_CHECK) {
        retval = rsbac_um_get_uid(0, (char *) user, &uid);
        if(!retval)
            return PAM_SUCCESS;
        switch(errno) {
            case RSBAC_EEXPIRED:
                return PAM_ACCT_EXPIRED;
            default:
                return PAM_TRY_AGAIN;
        }
    }
    if (flags & PAM_CHANGE_EXPIRED_AUTHTOK) {
        retval = rsbac_um_check_account_name((char *) user);
        if(!retval)
            return PAM_SUCCESS;
        switch(errno) {
            case RSBAC_EEXPIRED:
            case RSBAC_EMUSTCHANGE:
                break;
            default:
                return PAM_TRY_AGAIN;
        }
    }
    /* Reuse an old password that an earlier module already stored, if any.
     * (pam_get_item() takes a const void **; the (void *) cast only
     * silences the compiler, the item is not written through.) */
    retval = pam_get_item (pamh, PAM_OLDAUTHTOK, (void *) &p_old);
    if(retval != PAM_SUCCESS || !p_old) {
        /* prepare to converse */
        /* Length-bounded and explicitly NUL-terminated, so an over-long
         * user name can only truncate the prompt text. */
        snprintf(prompt1, RSBAC_MAXNAMELEN - 1, _("Old password for user %s: "), user);
        prompt1[RSBAC_MAXNAMELEN - 1] = 0;
        i = 0;
        pmsg[i] = &msg[i];
        msg[i].msg_style = PAM_PROMPT_ECHO_OFF; /* never echo the old password */
        msg[i++].msg = prompt1;
        replies = 1; /* so call
the conversation expecting i responses */
        resp = NULL;
        retval = converse(pamh, ctrl, i, pmsg, &resp);
        if (resp != NULL) {
            /* interpret the response */
            if (retval == PAM_SUCCESS) { /* a good conversation */
                /* Private heap copy of the old password; resp is released below. */
                token = x_strdup(resp[i - replies].resp);
                if (token != NULL) {
                    p_old = token;
                } else {
                    _log_err(LOG_NOTICE, pamh
                        ,"could not recover authentication token");
                }
            }
            /*
             * tidy up the conversation (resp_retcode) is ignored
             * -- what is it for anyway? AGM
             */
            _pam_drop_reply(resp, i);
            /* Covers both a failed conversation and a failed x_strdup(). */
            if(!token)
                return PAM_AUTHTOK_RECOVER_ERR;
        } else {
            retval = (retval == PAM_SUCCESS) ? PAM_AUTHTOK_RECOVER_ERR : retval;
            return retval;
        }
        /* NOTE(review): if pam_set_item() keeps its own copy of the item
         * (as the Linux-PAM implementation appears to), `token` is neither
         * overwritten nor freed here, so the plaintext old password stays in
         * this process's heap.  The _pam_delete() macro defined earlier in
         * this file looks intended for exactly that -- confirm and apply it
         * after this call. */
        retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) p_old);
        if (retval != PAM_SUCCESS) {
            /* Logged but not fatal: the module still reports success below. */
            _log_err(LOG_CRIT, pamh, "failed to set PAM_OLDAUTHTOK");
        }
    }
    return PAM_SUCCESS;
}

/* end of module definition */

#ifdef PAM_STATIC

/* static module data */
/* NOTE(review): the name and initializer look carried over from
 * pam_permit.c.  struct pam_module lists the six pam_sm_* handlers
 * positionally after `name`, so a second initializer lands in the
 * pam_sm_authenticate slot rather than pam_sm_chauthtok -- verify against
 * the PAM headers before relying on a static build of this module. */
struct pam_module _pam_permit_modstruct = {
    "pam_permit",
    pam_sm_chauthtok
};

#endif
rsbac-admin-1.4.0/main/pam/README0000644000175000017500000000303111131371037016115 0ustar gauvaingauvainPAM module for RSBAC User Management ------------------------------------ See the file pam_rsbac.c for copyright and license details pam_rsbac.so is the main RSBAC PAM module, which can be used as full replacement for pam_unix.so. If you want to use pam_rsbac.so together with pam_cracklib.so, passwd will first ask for the new password before pam_rsbac asks.so for the old password. This behaviour breaks some programs, e.g. kdepasswd, and does not match most users' expectations. Thus, pam_rsbac_oldpw.so simply asks for the old password, stores it in PAM and returns success.
A /etc/pam.d password file could look like this: password required pam_rsbac_oldpw.so password required pam_cracklib.so retry=3 minlen=8 difok=3 password required pam_rsbac.so -- All RSBAC code is copyrighted by Amon Ott unless stated otherwise, and published under the restrictions of the GNU General Public Licence as to be read in file COPYING in the main directory of the kernel source tree. All statements therein apply fully to all RSBAC sources. RSBAC is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details, available in the file ``COPYING' rsbac-admin-1.4.0/main/pam/nls.h0000644000175000017500000000370511131371037016212 0ustar gauvaingauvain/* Convenience header for conditional use of GNU . Copyright (C) 1995-1998, 2000-2002 Free Software Foundation, Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License for more details. You should have received a copy of the GNU Library General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #define _(msgid) dgettext(PACKAGE, msgid) #define N_(msgid) msgid #ifdef ENABLE_NLS #include #else /* Disabled NLS. 
The casts to 'const char *' serve the purpose of producing warnings for invalid uses of the value returned from these functions. On pre-ANSI systems without 'const', the config.h file is supposed to contain "#define const". */ # define gettext(Msgid) ((const char *) (Msgid)) # define dgettext(Domainname, Msgid) ((const char *) (Msgid)) # define dcgettext(Domainname, Msgid, Category) ((const char *) (Msgid)) # define ngettext(Msgid1, Msgid2, N) \ ((N) == 1 ? (const char *) (Msgid1) : (const char *) (Msgid2)) # define dngettext(Domainname, Msgid1, Msgid2, N) \ ((N) == 1 ? (const char *) (Msgid1) : (const char *) (Msgid2)) # define dcngettext(Domainname, Msgid1, Msgid2, N, Category) \ ((N) == 1 ? (const char *) (Msgid1) : (const char *) (Msgid2)) # define textdomain(Domainname) ((const char *) (Domainname)) # define bindtextdomain(Domainname, Dirname) ((const char *) (Dirname)) # define bind_textdomain_codeset(Domainname, Codeset) ((const char *) (Codeset)) #endif rsbac-admin-1.4.0/main/pam/Makefile0000644000175000017500000000600611131371037016702 0ustar gauvaingauvain#!/usr/bin/make -f # Licensed under the terms of the GPLv2 # Guillaume Destuynder # # Configuration # VERSION := 1.0 PACKAGE := pam_rsbac INSTALL := install CC := gcc MSGFMT := msgfmt ECHO := $(shell which echo) ifeq ($(ECHO),) ECHO := echo endif HOST := $(shell uname -m) DESTDIR := PREFIX := /usr/local ifeq ($(HOST), x86_64) LIBDIR := /lib64 else LIBDIR := /lib endif DIR_PAM := $(LIBDIR)/security LOCALEDIR := $(PREFIX)/share/locale DIR_PO := de fr NLS := 1 RSBAC_PROMPT := 0 CFLAGS := -fPIC -O2 -fomit-frame-pointer CFLAGS += -shared -I../headers -I/usr/include -I/usr/local/include \ -I$(PREFIX)/include LDFLAGS := DEFINES := -DPACKAGE=\"$(PACKAGE)\" ifeq ($(RSBAC_PROMPT), 1) DEFINES += -DENABLE_RSBAC_PROMPT endif ifeq ($(NLS), 1) DEFINES += -DENABLE_NLS endif LIBS := -L../libs/.libs -L$(PREFIX)/lib -lrsbac FILES_PAM := $(wildcard *.c) FILES_PO := $(wildcard po/*.po) # # Nice make. 
Use make VERBOSE=1 to verbose compilation. # ifneq ($(VERBOSE), 1) .SILENT: E = @$(ECHO) -e " " else E = @: endif # # Targets # all: $(FILES_PAM:.c=.so) $(FILES_PO:.po=.mo) $(FILES_PAM:.c=.so): $(FILES_PAM) $(foreach f, $(FILES_PAM), $(ECHO) -e " LIB\t\t$(f)"; \ $(CC) $(LDFLAGS) $(CFLAGS) $(DEFINES) $(LIBS) -o $(f:.c=.so) $(f);) $(FILES_PO:.po=.mo): $(FILES_PO) ifeq ($(NLS), 1) $(foreach f, $(FILES_PO), $(ECHO) -e " PO\t\t$(f)"; \ $(MSGFMT) -o $(f:.po=.mo) $(f);) else @touch $@ endif clean: $(E) "CLEAN\t\t$(FILES_PAM:.c=.so)" rm -f $(FILES_PAM:.c=.so) distclean: clean install: $(FILES_PAM:.c=.so) $(E) "INTO\t\t$(DESTDIR)" $(E) "DIR\t\t$(DIR_PAM)" $(INSTALL) -d $(DESTDIR)/$(DIR_PAM) $(E) "INSTALL\t$(FILES_PAM:.c=.so)" $(INSTALL) -m755 $(FILES_PAM:.c=.so) $(DESTDIR)/$(DIR_PAM) ifeq ($(NLS), 1) $(E) "DIR\t\t$(LOCALEDIR)" $(foreach f, $(DIR_PO), $(INSTALL) -d $(DESTDIR)/$(LOCALEDIR)/$(f)/LC_MESSAGES; \ $(INSTALL) -d $(DESTDIR)/$(LOCALEDIR)/$(f)/LC_TIME;) $(E) "INSTALL\t$(DIR_PO)" $(foreach f, $(DIR_PO), \ $(INSTALL) -m644 po/$(f).mo \ $(DESTDIR)/$(LOCALEDIR)/$(f)/LC_MESSAGES/$(PACKAGE).mo; \ $(INSTALL) -m644 po/$(f).mo \ $(DESTDIR)/$(LOCALEDIR)/$(f)/LC_MESSAGES/$(PACKAGE)-$(VERSION).mo;) endif uninstall: $(foreach f, $(FILES_PAM:.c=.so), $(ECHO) -e " UNINSTALL\t$(f)"; \ rm -f $(DESTDIR)/$(DIR_PAM)/$(f);) ifeq ($(NLS), 1) $(foreach f, $(DIR_PO), $(ECHO) -e " UNINSTALL\t$(f)"; rm -f po/$(f).mo \ $(DESTDIR)/$(LOCALEDIR)/$(f)/LC_MESSAGES/$(PACKAGE).mo;) endif # Re-create the messages.po file nls-messages: $(E) "XGETTEXT\t\tGenerating po/messages.tpo" xgettext -E --keyword=_ --keyword=N_ -p po -o messages.tpo *.c # Merges translations nls-merge-keep: $(FILES_PO) $(foreach f, $(FILES_PO), $(ECHO) -e " MSGMERGE\t\tMerging $(f)"; \ msgmerge -o $(f).new $(f) po/messages.tpo $(QUIET);) $(E) "MSGMERGE\t\tGenerated: $(FILES_PO:.po=.po.new)" nls-merge-update: $(FILES_PO) $(foreach f, $(FILES_PO), $(ECHO) -e " MSGMERGE\t\tMerging $(f)"; \ msgmerge -U $(f) po/messages.tpo $(QUIET);) 
$(E) "MSGMERGE\t\tUpdated: $(FILES_PO)" .PHONY: all clean distclean uninstall rsbac-admin-1.4.0/main/pam/COPYING0000644000175000017500000004313111131371037016275 0ustar gauvaingauvain GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. 
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. 
The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. 
(Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. 
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. 
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. 
The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. 
If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License. 
rsbac-admin-1.4.0/main/nss/0000755000175000017500000000000011131371034015263 5ustar gauvaingauvainrsbac-admin-1.4.0/main/nss/nss-rsbac.h0000644000175000017500000000327611131371034017337 0ustar gauvaingauvain
/*
 * nss-rsbac.h - declarations for the RSBAC NSS module.
 *
 * NOTE(review): the include guard is still __NSS_PGSQL_H_INCLUDED__ and the
 * prototypes below (readconfig/getcfg, backend_*, sql_escape, ...) look
 * inherited from an nss-pgsql template.  None of them is referenced by the
 * interface.c shipped in this tree, so they are presumably unused here;
 * confirm before relying on any of them.
 * NOTE(review): the system header names on the bare `# include` lines were
 * lost in extraction; the include list is not authoritative.
 */
#ifndef __NSS_PGSQL_H_INCLUDED__
# define __NSS_PGSQL_H_INCLUDED__
# ifdef HAVE_CONFIG_H
# include "config.h"
# endif
# ifdef HAVE_UNISTD_H
# include
# endif
# ifdef HAVE_NSS_H
# include
# endif
# include
# include
# include

/* Module configuration: load, release, and key lookup (presumably key/value). */
int readconfig(void);
void cleanup(void);
char *getcfg(const char *key);

/* Backend connection lifecycle. */
int backend_isopen(void);
int backend_open(void);
void backend_close(void);
void backend_prepare(const char *what);

/*
 * Backend lookups.  All follow the glibc NSS reentrant convention: the
 * result struct, a caller-owned buffer with its length, and an errno
 * out-parameter.
 */
enum nss_status backend_getpwent(struct passwd *result, char *buffer, size_t buflen, int *errnop);
enum nss_status backend_getgrent(struct group *result, char *buffer, size_t buflen, int *errnop);
enum nss_status backend_getpwuid(uid_t uid, struct passwd *result, char *buffer, size_t buflen, int *errnop);
enum nss_status backend_getgrgid(gid_t gid, struct group *result, char *buffer, size_t buflen, int *errnop);
enum nss_status backend_getgrnam(const char *name, struct group *result, char *buffer, size_t buflen, int *errnop);
enum nss_status backend_getpwnam(const char *name, struct passwd *result, char *buffer, size_t buflen, int *errnop);
size_t backend_initgroups_dyn(const char *user, gid_t group, long int *start, long int *size, gid_t **groupsp, long int limit, int *errnop);

/* Copy helpers for NSS result structs (depth of the copy not visible here). */
void groupcpy(struct group *dest, struct group *src);
void passwdcpy(struct passwd *dest, struct passwd *src);

/* printf-style diagnostics. */
void print_err(const char *msg, ...);
void print_msg(const char *msg, ...);

/*
 * Escape `from` into `to` (at most `len` bytes) for use inside an SQL
 * statement.  NOTE(review): semantics inferred from the name only.
 */
size_t sql_escape(const char *from, char *to, size_t len);

/* D(x): debug trace, compiled to nothing unless DEBUG is defined. */
# ifdef DEBUG
# define D(x) print_msg(x)
# else
# define D(x)
# endif
#endif
rsbac-admin-1.4.0/main/nss/conf/0000755000175000017500000000000011131371034016210 5ustar gauvaingauvainrsbac-admin-1.4.0/main/nss/conf/nsswitch.conf0000644000175000017500000000114411131371034020721 0ustar gauvaingauvain
# /etc/nsswitch.conf
#
# Example configuration
 of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
#
# extended with example entries using the nss-rsbac module.
passwd: compat [NOTFOUND=continue SUCCESS=continue] rsbac
group: compat [NOTFOUND=continue SUCCESS=continue] rsbac
# shadow lookups are served by the rsbac module alone: no "files" source is
# listed, so local shadow entries are not consulted for this database.
shadow: rsbac
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
rsbac-admin-1.4.0/main/nss/interface.c0000644000175000017500000004711611131371034017400 0ustar gauvaingauvain
/**
 * nsswitch lib for RSBAC user management
 *
 * Copyright (c) 2001 by Joerg Wendland, Bret Mogilefsky
 * see included file COPYING for details
 *
 * Copyright (c) 2004-2007 by Amon Ott
 * see included file COPYING for license details
 *
 */

/*
 * How this module works (review summary):
 *
 *  - Every exported _nss_rsbac_* entry point takes the file-scope mutex
 *    `lock`, which also protects the enumeration state (user_array,
 *    user_index, user_num and their group counterparts) used by the
 *    set/get/end *ent functions.
 *  - All data comes from the RSBAC user-management interface
 *    (rsbac_um_get_user_list, rsbac_um_get_user_item, ...).  Their error
 *    codes are not visible here; the code treats any negative return as a
 *    failure and, where it has an errnop, reports -res through it.
 *  - Lookups pass RSBAC_UM_VIRTUAL_KEEP (presumably "keep the caller's
 *    virtual user set"; confirm against the RSBAC headers).  Only user
 *    names carry a "%u/%s" set prefix, see get_copy_user_string().
 *  - Result strings are packed one after another into the caller's buffer.
 *    `buflen` is carried as a signed int inside this file although the NSS
 *    entry points receive a size_t.
 *
 * NOTE(review): the seven system-header names after "nss-rsbac.h" were lost
 * in extraction (the `#include` lines below are bare); the include list is
 * not authoritative.
 */
#include "nss-rsbac.h"
#include
#include
#include
#include
#include
#include
#include

/*
 * Enumeration state shared by the set/get/end *ent functions.
 * All of it is guarded by `lock`.
 */
static pthread_mutex_t lock;            /* NOTE(review): relies on zero-initialised
                                           storage; on glibc that equals
                                           PTHREAD_MUTEX_INITIALIZER, but writing the
                                           initialiser makes the intent explicit. */
static int user_index = 0;              /* next entry of user_array to hand out */
static rsbac_uid_t * user_array = NULL; /* sorted user list; NULL when not enumerating */
static int user_num = 0;                /* number of valid entries in user_array */
static int group_index = 0;             /* the same three for group enumeration */
static rsbac_gid_t * group_array = NULL;
static int group_num = 0;

/*
 * Extra slots allocated beyond the count the kernel reported, so that
 * entries created between the "count" query and the "fill" query still fit.
 */
#define ROOM 20

/*
 * Begin (or restart) a shadow enumeration.
 *
 * Frees any previous list, asks the kernel for the user count, allocates
 * count + ROOM slots, fills them, sorts with rsbac_user_compare() and
 * resets user_index.
 *
 * Returns NSS_STATUS_SUCCESS, or NSS_STATUS_UNAVAIL on a kernel or
 * allocation failure.  There is no errnop parameter, so the kernel's
 * error code is dropped.
 *
 * NOTE(review): the body is identical to _nss_rsbac_setpwent(); both
 * should call one shared *unlocked* helper.  That matters because
 * _nss_rsbac_getspent_r() calls this function while already holding
 * `lock` (see the note there).
 * NOTE(review): if the first rsbac_um_get_user_list() call fails,
 * user_array has been free()d but still holds the old pointer; the next
 * set*ent or end*ent call frees it a second time.  Assigning
 * user_array = NULL right after free() closes that.
 */
enum nss_status _nss_rsbac_setspent(void)
{
    pthread_mutex_lock(&lock);
    if(user_array)
        free(user_array);   /* see NOTE above: pointer is not reset */
    user_num = rsbac_um_get_user_list(0, RSBAC_UM_VIRTUAL_KEEP, NULL, 0);
    if(user_num < 0) {
        pthread_mutex_unlock(&lock);
        return NSS_STATUS_UNAVAIL;
    }
    user_num += ROOM;
    user_array = malloc(user_num * sizeof(*user_array));
    if(!user_array) {
        pthread_mutex_unlock(&lock);
        return NSS_STATUS_UNAVAIL;
    }
    /* second call fills the array; its return value is used as the stored count */
    user_num = rsbac_um_get_user_list(0, RSBAC_UM_VIRTUAL_KEEP, user_array, user_num);
    if(user_num < 0) {
        pthread_mutex_unlock(&lock);
        return NSS_STATUS_UNAVAIL;
    }
    if(user_num > 0)
        qsort(user_array, user_num, sizeof(*user_array), rsbac_user_compare);
    user_index = 0;
    pthread_mutex_unlock(&lock);
    return NSS_STATUS_SUCCESS;
}

/*
 * passwd functions
 */

/*
 * Begin (or restart) a passwd enumeration.  Same contract and the same
 * two review notes as _nss_rsbac_setspent(): called with `lock` already
 * held from _nss_rsbac_getpwent_r(), and user_array is left dangling when
 * the first kernel call fails.
 */
enum nss_status _nss_rsbac_setpwent(void)
{
    pthread_mutex_lock(&lock);
    if(user_array)
        free(user_array);   /* not reset to NULL, see NOTE on _nss_rsbac_setspent */
    user_num = rsbac_um_get_user_list(0, RSBAC_UM_VIRTUAL_KEEP, NULL, 0);
    if(user_num < 0) {
        pthread_mutex_unlock(&lock);
        return NSS_STATUS_UNAVAIL;
    }
    user_num += ROOM;
    user_array = malloc(user_num * sizeof(*user_array));
    if(!user_array) {
        pthread_mutex_unlock(&lock);
        return NSS_STATUS_UNAVAIL;
    }
    user_num = rsbac_um_get_user_list(0, RSBAC_UM_VIRTUAL_KEEP, user_array, user_num);
    if(user_num < 0) {
        pthread_mutex_unlock(&lock);
        return NSS_STATUS_UNAVAIL;
    }
    if(user_num > 0)
        qsort(user_array, user_num, sizeof(*user_array), rsbac_user_compare);
    user_index = 0;
    pthread_mutex_unlock(&lock);
    return NSS_STATUS_SUCCESS;
}

/*
 * End a passwd enumeration: release the user list and reset the cursor.
 * Always returns NSS_STATUS_SUCCESS.
 */
enum nss_status _nss_rsbac_endpwent(void)
{
    pthread_mutex_lock(&lock);
    if(user_array) {
        free(user_array);
        user_array = NULL;
    }
    user_index = 0;
    user_num = 0;
    pthread_mutex_unlock(&lock);
    return NSS_STATUS_SUCCESS;
}

/*
 * End a shadow enumeration.  Identical to _nss_rsbac_endpwent() because
 * both databases share user_array.
 */
enum nss_status _nss_rsbac_endspent(void)
{
    pthread_mutex_lock(&lock);
    if(user_array) {
        free(user_array);
        user_array = NULL;
    }
    user_index = 0;
    user_num = 0;
    pthread_mutex_unlock(&lock);
    return NSS_STATUS_SUCCESS;
}

/*
 * Fetch one string attribute (`mod`) of `user` and copy it into the
 * caller's buffer.
 *
 * On success *pw_item_p points at the NUL-terminated copy and *buffer_p /
 * *buflen_p are advanced past it.  For UM_name of a user whose set id is
 * in 1..RSBAC_UM_VIRTUAL_MAX the name is rendered as "%u/%s" (set/name).
 *
 * Returns NSS_STATUS_SUCCESS; NSS_STATUS_UNAVAIL on a NULL out-parameter or
 * a kernel failure (*errnop = -res); NSS_STATUS_TRYAGAIN with
 * *errnop = ENOMEM when the buffer is too small.
 *
 * NOTE(review): the NSS convention for "buffer too small" is TRYAGAIN with
 * *errnop = ERANGE; with ENOMEM, glibc's *_r wrappers will not enlarge the
 * buffer and retry.
 * NOTE(review): the space check reserves len+11 bytes, but the "%u/%s" form
 * needs up to len + 10 digits + '/' + NUL = len+12 if RSBAC_UID_SET() is a
 * full 32-bit value; one byte short in the worst case.  Verify the width of
 * the set id, or check against len+12.
 * Assumes data.string is NUL-terminated by the kernel (not checked here).
 */
static enum nss_status get_copy_user_string(rsbac_uid_t user,
                                            enum rsbac_um_mod_t mod,
                                            char ** pw_item_p,
                                            char ** buffer_p,
                                            int * buflen_p,
                                            int * errnop)
{
    int res;
    int len;
    union rsbac_um_mod_data_t data;

    if(!pw_item_p || !buffer_p || !buflen_p || !errnop)
        return NSS_STATUS_UNAVAIL;
    res = rsbac_um_get_user_item(0, user, mod, &data);
    if(res < 0) {
        *errnop = -res;
        return NSS_STATUS_UNAVAIL;
    }
    len = strlen(data.string);
    if((*buflen_p) < len+11) {   /* see NOTE above: len+12 in the worst case */
        *errnop = ENOMEM;        /* see NOTE above: ERANGE is the NSS convention */
        return NSS_STATUS_TRYAGAIN;
    }
    if ((mod == UM_name)
        && (RSBAC_UID_SET(user) > 0)
        && (RSBAC_UID_SET(user) <= RSBAC_UM_VIRTUAL_MAX))
        len = sprintf((*buffer_p), "%u/%s", RSBAC_UID_SET(user), data.string);
    else
        strncpy((*buffer_p), data.string, len);
    (*buffer_p)[len] = 0;
    (*pw_item_p) = (*buffer_p);
    (*buffer_p) += len+1;
    (*buflen_p) -= len+1;
    *errnop = 0;
    return NSS_STATUS_SUCCESS;
}

/*
 * Fill `result` with the passwd entry of `user`.
 *
 * pw_uid comes from RSBAC_UID_NUM(user); pw_passwd is always the empty
 * string (the hash is never exposed through passwd); name, gecos, home
 * directory and shell are copied via get_copy_user_string(); pw_gid is
 * read with UM_group.
 *
 * Returns NSS_STATUS_SUCCESS, NSS_STATUS_UNAVAIL on a NULL argument, a
 * zero buflen or a kernel failure (*errnop = -res), or whatever
 * get_copy_user_string() returned (TRYAGAIN when the buffer is too small).
 *
 * NOTE(review): the trailing memcpy of data.group into `buffer` is neither
 * length-checked nor used afterwards (pw_gid is assigned from data.group
 * directly).  It can write sizeof(data.group)+1 bytes beyond the region
 * that was verified to fit; drop it, or check buflen before it.
 */
static enum nss_status fill_passwd( rsbac_uid_t user,
                                    struct passwd *result,
                                    char *buffer,
                                    int buflen,
                                    int *errnop)
{
    enum nss_status retval = NSS_STATUS_UNAVAIL;
    int res;
    union rsbac_um_mod_data_t data;

    if(!result || !buffer || !errnop || !buflen)
        return NSS_STATUS_UNAVAIL;
    *errnop = 0;
    result->pw_uid = RSBAC_UID_NUM(user);
    /* empty password field, one byte */
    buffer[0] = 0;
    result->pw_passwd = buffer;
    buffer++;
    buflen--;
    retval = get_copy_user_string(user, UM_name, &result->pw_name, &buffer, &buflen, errnop);
    if(retval != NSS_STATUS_SUCCESS)
        return retval;
    retval = get_copy_user_string(user, UM_fullname, &result->pw_gecos, &buffer, &buflen, errnop);
    if(retval != NSS_STATUS_SUCCESS)
        return retval;
    retval = get_copy_user_string(user, UM_homedir, &result->pw_dir, &buffer, &buflen, errnop);
    if(retval != NSS_STATUS_SUCCESS)
        return retval;
    retval = get_copy_user_string(user, UM_shell, &result->pw_shell, &buffer, &buflen, errnop);
    if(retval != NSS_STATUS_SUCCESS)
        return retval;
    res = rsbac_um_get_user_item(0, user, UM_group, &data);
    if(res < 0) {
        *errnop = -res;
        return NSS_STATUS_UNAVAIL;
    }
    /* NOTE(review): unchecked and unused write, see the function comment */
    memcpy(buffer, &data.group, sizeof(data.group));
    buffer[sizeof(data.group)] = 0;
    buffer += sizeof(data.group)+1;
    buflen -= sizeof(data.group)+1;
    result->pw_gid = data.group;
    return NSS_STATUS_SUCCESS;
}

/*
 * Fill `result` with the shadow entry of `user`: name plus the six ageing
 * fields (UM_lastchange ... UM_expire, all taken from data.days).
 *
 * Returns NSS_STATUS_SUCCESS, NSS_STATUS_UNAVAIL on a NULL argument, a
 * zero buflen or a kernel failure (*errnop = -res), or the status of the
 * name copy.
 *
 * NOTE(review): sp_pwdp is always "" here, so any consumer that verifies
 * a password against the shadow hash sees a passwordless account.
 * Presumably authentication is handled by a separate RSBAC-aware PAM
 * module rather than through this entry - confirm, and make sure nothing
 * on the system treats an empty sp_pwdp as "no password required".
 * NOTE(review): sp_flag is never assigned, so the caller's struct keeps
 * whatever it held before.
 */
static enum nss_status fill_spwd( rsbac_uid_t user,
                                  struct spwd *result,
                                  char *buffer,
                                  int buflen,
                                  int *errnop)
{
    enum nss_status retval = NSS_STATUS_UNAVAIL;
    int res;
    union rsbac_um_mod_data_t data;

    if(!result || !buffer || !errnop || !buflen)
        return NSS_STATUS_UNAVAIL;
    *errnop = 0;
    /* empty hash, see NOTE above */
    buffer[0] = 0;
    result->sp_pwdp = buffer;
    buffer++;
    buflen--;
    retval = get_copy_user_string(user, UM_name, &result->sp_namp, &buffer, &buflen, errnop);
    if(retval != NSS_STATUS_SUCCESS)
        return retval;
    res = rsbac_um_get_user_item(0, user, UM_lastchange, &data);
    if(res < 0) {
        *errnop = -res;
        return NSS_STATUS_UNAVAIL;
    }
    result->sp_lstchg = data.days;
    res = rsbac_um_get_user_item(0, user, UM_minchange, &data);
    if(res < 0) {
        *errnop = -res;
        return NSS_STATUS_UNAVAIL;
    }
    result->sp_min = data.days;
    res = rsbac_um_get_user_item(0, user, UM_maxchange, &data);
    if(res < 0) {
        *errnop = -res;
        return NSS_STATUS_UNAVAIL;
    }
    result->sp_max = data.days;
    res = rsbac_um_get_user_item(0, user, UM_warnchange, &data);
    if(res < 0) {
        *errnop = -res;
        return NSS_STATUS_UNAVAIL;
    }
    result->sp_warn = data.days;
    res = rsbac_um_get_user_item(0, user, UM_inactive, &data);
    if(res < 0) {
        *errnop = -res;
        return NSS_STATUS_UNAVAIL;
    }
    result->sp_inact = data.days;
    res = rsbac_um_get_user_item(0, user, UM_expire, &data);
    if(res < 0) {
        *errnop = -res;
        return NSS_STATUS_UNAVAIL;
    }
    result->sp_expire = data.days;
    return NSS_STATUS_SUCCESS;
}

/*
 * Return the next passwd entry of the current enumeration, starting one
 * implicitly if none is active.
 *
 * Returns the status of fill_passwd(), NSS_STATUS_NOTFOUND at the end of
 * the list, or the failure status of _nss_rsbac_setpwent().
 *
 * NOTE(review): this function holds `lock` when it calls
 * _nss_rsbac_setpwent(), which locks the same mutex again.  With the
 * default (non-recursive) mutex type that is a self-deadlock on the very
 * first getpwent() call made without a preceding setpwent().  The same
 * pattern is in _nss_rsbac_getspent_r() and _nss_rsbac_getgrent_r(); the
 * fix is an unlocked internal helper shared with the set*ent functions.
 * NOTE(review): *errnop = ERANGE on a set*ent failure is misleading; ERANGE
 * means "caller's buffer too small" to NSS callers.
 */
enum nss_status _nss_rsbac_getpwent_r(struct passwd *result,
                                      char *buffer,
                                      size_t buflen,
                                      int *errnop)
{
    enum nss_status retval = NSS_STATUS_UNAVAIL;
    int res;

    pthread_mutex_lock(&lock);
    if(!user_array) {
        res = _nss_rsbac_setpwent();   /* NOTE(review): relocks `lock`, see above */
        if(res != NSS_STATUS_SUCCESS) {
            *errnop = ERANGE;
            pthread_mutex_unlock(&lock);
            return res;
        }
    }
    if(user_index < user_num) {
        retval = fill_passwd(user_array[user_index], result, buffer, buflen, errnop);
        user_index++;
    } else
        retval = NSS_STATUS_NOTFOUND;
    pthread_mutex_unlock(&lock);
    return retval;
}

/*
 * Return the next shadow entry of the current enumeration.  Same contract
 * and the same two review notes (self-deadlock via _nss_rsbac_setspent(),
 * ERANGE misuse) as _nss_rsbac_getpwent_r().
 */
enum nss_status _nss_rsbac_getspent_r(struct spwd *result,
                                      char *buffer,
                                      size_t buflen,
                                      int *errnop)
{
    enum nss_status retval = NSS_STATUS_UNAVAIL;
    int res;

    pthread_mutex_lock(&lock);
    if(!user_array) {
        res = _nss_rsbac_setspent();   /* NOTE(review): relocks `lock` */
        if(res != NSS_STATUS_SUCCESS) {
            *errnop = ERANGE;
            pthread_mutex_unlock(&lock);
            return res;
        }
    }
    if(user_index < user_num) {
        retval = fill_spwd(user_array[user_index], result, buffer, buflen, errnop);
        user_index++;
    } else
        retval = NSS_STATUS_NOTFOUND;
    pthread_mutex_unlock(&lock);
    return retval;
}

/*
 * Look up the passwd entry of the user named `pwnam`.
 *
 * Resolves the name with rsbac_um_get_uid() (starting from a
 * RSBAC_NO_USER id in the caller's virtual set), then fills `result`.
 *
 * Returns the status of fill_passwd(), or NSS_STATUS_UNAVAIL with
 * *errnop = -res when the name does not resolve.
 *
 * NOTE(review): an unknown name yields UNAVAIL rather than NOTFOUND.  Which
 * one is right depends on rsbac_um_get_uid()'s error codes (not visible
 * here); NSS callers treat UNAVAIL as "service down" rather than "no such
 * user".
 */
enum nss_status _nss_rsbac_getpwnam_r(char *pwnam,
                                      struct passwd *result,
                                      char *buffer,
                                      size_t buflen,
                                      int *errnop)
{
    enum nss_status retval = NSS_STATUS_UNAVAIL;
    rsbac_uid_t user = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, RSBAC_NO_USER);
    int res;

    pthread_mutex_lock(&lock);
    res = rsbac_um_get_uid(0, pwnam, &user);
    if(res < 0) {
        *errnop = -res;
        pthread_mutex_unlock(&lock);
        return retval;
    }
    retval = fill_passwd(user, result, buffer, buflen, errnop);
    pthread_mutex_unlock(&lock);
    return retval;
}

/*
 * Look up the passwd entry of numeric `uid` in the caller's virtual set.
 * Returns the status of fill_passwd().
 */
enum nss_status _nss_rsbac_getpwuid_r(uid_t uid,
                                      struct passwd *result,
                                      char *buffer,
                                      size_t buflen,
                                      int *errnop)
{
    enum nss_status retval = NSS_STATUS_UNAVAIL;

    pthread_mutex_lock(&lock);
    retval = fill_passwd(RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP,uid), result, buffer, buflen, errnop);
    pthread_mutex_unlock(&lock);
    return retval;
}

/*
 * Look up the shadow entry of the user named `pwnam`.  Same flow and the
 * same UNAVAIL-vs-NOTFOUND note as _nss_rsbac_getpwnam_r().
 */
enum nss_status _nss_rsbac_getspnam_r(char *pwnam,
                                      struct spwd *result,
                                      char *buffer,
                                      size_t buflen,
                                      int *errnop)
{
    enum nss_status retval = NSS_STATUS_UNAVAIL;
    rsbac_uid_t user = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, RSBAC_NO_USER);
    int res;

    pthread_mutex_lock(&lock);
    res = rsbac_um_get_uid(0, pwnam, &user);
    if(res < 0) {
        *errnop = -res;
        pthread_mutex_unlock(&lock);
        return retval;
    }
    retval = fill_spwd(user, result, buffer, buflen, errnop);
    pthread_mutex_unlock(&lock);
    return retval;
}

/*
 * group functions
 */

/*
 * Group counterpart of get_copy_user_string(): fetch string attribute
 * `mod` of `group` and copy it into the caller's buffer, advancing
 * *buffer_p / *buflen_p.  Group names get no set prefix.
 *
 * Returns NSS_STATUS_SUCCESS; NSS_STATUS_UNAVAIL on a NULL out-parameter
 * or a kernel failure (*errnop = -res); NSS_STATUS_TRYAGAIN with
 * *errnop = ENOMEM when len+1 bytes do not fit.
 *
 * NOTE(review): as in get_copy_user_string(), ERANGE is the NSS convention
 * for "buffer too small".
 */
static enum nss_status get_copy_group_string(rsbac_gid_t group,
                                             enum rsbac_um_mod_t mod,
                                             char ** gr_item_p,
                                             char ** buffer_p,
                                             int * buflen_p,
                                             int * errnop)
{
    int res;
    int len;
    union rsbac_um_mod_data_t data;

    if(!gr_item_p || !buffer_p || !buflen_p || !errnop)
        return NSS_STATUS_UNAVAIL;
    res = rsbac_um_get_group_item(0, group, mod, &data);
    if(res < 0) {
        *errnop = -res;
        return NSS_STATUS_UNAVAIL;
    }
    len = strlen(data.string);
    if((*buflen_p) < len+1) {
        *errnop = ENOMEM;
        return NSS_STATUS_TRYAGAIN;
    }
    strncpy((*buffer_p), data.string, len);
    (*buffer_p)[len] = 0;
    (*gr_item_p) = (*buffer_p);
    (*buffer_p) += len+1;
    (*buflen_p) -= len+1;
    *errnop = 0;
    return NSS_STATUS_SUCCESS;
}

/*
 * Fill `result` with the group `group`: gid, name, an always-empty
 * password and the member list.  The member list is a NULL-terminated
 * array of char* placed in `buffer`, followed by the member names.
 *
 * Returns NSS_STATUS_SUCCESS; NSS_STATUS_UNAVAIL on a NULL argument or a
 * failed name lookup; NSS_STATUS_TRYAGAIN (*errnop = ENOMEM) when the
 * pointer array does not fit.
 *
 * NOTE(review): the text from the `for(i=0; i<member_count ...` loop header
 * through `result->gr_mem = pointers;` was lost in extraction.  The member
 * copy loop is missing below and that fragment does not compile as shown;
 * nothing about the per-member copying can be reviewed from this page.
 * NOTE(review): unlike fill_passwd() there is no `!buflen` guard, and the
 * signed `buflen` is compared with a size_t product; a zero or negative
 * buflen converts to a huge unsigned value and passes that check.
 * NOTE(review): `pointers` starts at whatever byte offset the name copy
 * left `buffer` at, so the char* array is not pointer-aligned (tolerated
 * on x86, a fault on strict-alignment targets).
 * NOTE(review): when malloc() fails, or the second member query returns 0,
 * the group is reported as SUCCESS with an empty member list, so a
 * transient failure is indistinguishable from "no members".  The TRYAGAIN
 * return inside the else branch also leaks g_user_array.
 */
static enum nss_status fill_group(rsbac_gid_t group,
                                  struct group *result,
                                  char *buffer,
                                  int buflen,
                                  int *errnop)
{
    enum nss_status retval = NSS_STATUS_UNAVAIL;
    rsbac_uid_num_t * g_user_array;
    int member_count;

    if(!result || !buffer || !errnop)
        return retval;
    result->gr_gid = RSBAC_GID_NUM(group);
    /* empty password field, one byte */
    buffer[0] = 0;
    result->gr_passwd = buffer;
    buffer++;
    buflen--;
    retval = get_copy_group_string(group, UM_name, &result->gr_name, &buffer, &buflen, errnop);
    if(retval != NSS_STATUS_SUCCESS)
        return retval;
    /* first call only counts the members */
    member_count = rsbac_um_get_gm_user_list(0, group, NULL, 0);
    if(member_count > 0) {
        /* some extra space */
        member_count += 10;
        g_user_array = malloc(member_count * sizeof(*g_user_array));
        if(!g_user_array) {
            /* NOTE(review): allocation failure silently becomes an empty member list */
            memset(buffer, 0, sizeof(char *));
            result->gr_mem = (char **) buffer;
            buffer += sizeof(char *);
            buflen -= sizeof(char *);
        } else {
            member_count = rsbac_um_get_gm_user_list(0, group, g_user_array, member_count);
            if(member_count > 0) {
                int i;
                int res;
                int len;
                int count = 0;
                char ** pointers = (char **) buffer;   /* NOTE(review): not pointer-aligned */
                union rsbac_um_mod_data_t data;

                if(buflen < (member_count + 1) * sizeof(char *)) {   /* NOTE(review): signed/unsigned compare */
                    *errnop = ENOMEM;
                    return NSS_STATUS_TRYAGAIN;   /* NOTE(review): leaks g_user_array */
                }
                memset(pointers, 0, (member_count + 1) * sizeof(char *));
                buffer += (member_count + 1) * sizeof(char *);
                buflen -= (member_count + 1) * sizeof(char *);
                /* NOTE(review): the loop header and body were lost in extraction here */
                for(i=0; igr_mem = pointers;
            } else {
                memset(buffer, 0, sizeof(char *));
                result->gr_mem = (char **) buffer;
                buffer += sizeof(char *);
                buflen -= sizeof(char *);
            }
            free(g_user_array);
        }
    } else {
        memset(buffer, 0, sizeof(char *));
        result->gr_mem = (char **) buffer;
        buffer += sizeof(char *);
        buflen -= sizeof(char *);
    }
    return NSS_STATUS_SUCCESS;
}

/*
 * Begin (or restart) a group enumeration.  Group counterpart of
 * _nss_rsbac_setpwent(), with the same two review notes: it is called with
 * `lock` already held from _nss_rsbac_getgrent_r(), and group_array is
 * left dangling (not NULLed) when the first kernel call fails.
 *
 * Returns NSS_STATUS_SUCCESS or NSS_STATUS_UNAVAIL.
 */
enum nss_status _nss_rsbac_setgrent(void)
{
    pthread_mutex_lock(&lock);
    if(group_array)
        free(group_array);   /* not reset to NULL, see NOTE above */
    group_num = rsbac_um_get_group_list(0, RSBAC_UM_VIRTUAL_KEEP, NULL, 0);
    if(group_num < 0) {
        pthread_mutex_unlock(&lock);
        return NSS_STATUS_UNAVAIL;
    }
    group_num += ROOM;
    group_array = malloc(group_num * sizeof(*group_array));
    if(!group_array) {
        pthread_mutex_unlock(&lock);
        return NSS_STATUS_UNAVAIL;
    }
    group_num = rsbac_um_get_group_list(0, RSBAC_UM_VIRTUAL_KEEP, group_array, group_num);
    if(group_num < 0) {
        pthread_mutex_unlock(&lock);
        return NSS_STATUS_UNAVAIL;
    }
    if(group_num > 0)
        qsort(group_array, group_num, sizeof(*group_array), rsbac_group_compare);
    group_index = 0;
    pthread_mutex_unlock(&lock);
    return NSS_STATUS_SUCCESS;
}

/*
 * End a group enumeration: release the group list and reset the cursor.
 * Always returns NSS_STATUS_SUCCESS.
 */
enum nss_status _nss_rsbac_endgrent(void)
{
    pthread_mutex_lock(&lock);
    if(group_array) {
        free(group_array);
        group_array = NULL;
    }
    group_index = 0;
    group_num = 0;
    pthread_mutex_unlock(&lock);
    return NSS_STATUS_SUCCESS;
}

/*
 * Return the next group entry of the current enumeration, starting one
 * implicitly if none is active.
 *
 * Returns the status of fill_group(), NSS_STATUS_NOTFOUND at the end of
 * the list, or the failure status of _nss_rsbac_setgrent().
 *
 * NOTE(review): same self-deadlock as _nss_rsbac_getpwent_r(): `lock` is
 * held while _nss_rsbac_setgrent() locks it again.  Unlike the passwd
 * variant, *errnop is not set on a set*ent failure.
 */
enum nss_status _nss_rsbac_getgrent_r(struct group *result,
                                      char *buffer,
                                      size_t buflen,
                                      int *errnop)
{
    enum nss_status retval = NSS_STATUS_UNAVAIL;

    pthread_mutex_lock(&lock);
    if(!group_array) {
        retval = _nss_rsbac_setgrent();   /* NOTE(review): relocks `lock` */
        if(retval != NSS_STATUS_SUCCESS) {
            pthread_mutex_unlock(&lock);
            return retval;
        }
    }
    if(group_index < group_num) {
        retval = fill_group(group_array[group_index], result, buffer, buflen, errnop);
        group_index++;
    } else
        retval = NSS_STATUS_NOTFOUND;
    pthread_mutex_unlock(&lock);
    return retval;
}

/*
 * Look up the group named `grnam`.
 *
 * Returns the status of fill_group(), or NSS_STATUS_UNAVAIL when
 * rsbac_um_get_gid() returns non-zero.
 *
 * NOTE(review): on a failed name lookup *errnop is left untouched, whereas
 * _nss_rsbac_getpwnam_r() reports -res; callers may read a stale errno.
 * Also UNAVAIL vs NOTFOUND, see the note on _nss_rsbac_getpwnam_r().
 */
enum nss_status _nss_rsbac_getgrnam_r(const char *grnam,
                                      struct group *result,
                                      char *buffer,
                                      size_t buflen,
                                      int *errnop)
{
    enum nss_status retval = NSS_STATUS_UNAVAIL;
    rsbac_gid_t group = RSBAC_GEN_GID(RSBAC_UM_VIRTUAL_KEEP, RSBAC_NO_GROUP);

    pthread_mutex_lock(&lock);
    /* cast drops const because rsbac_um_get_gid() takes a char* */
    if(rsbac_um_get_gid(0, (char *) grnam, &group)) {
        pthread_mutex_unlock(&lock);
        return retval;
    }
    retval = fill_group(group, result, buffer, buflen, errnop);
    pthread_mutex_unlock(&lock);
    return retval;
}

/*
 * Look up the group with numeric `gid` in the caller's virtual set.
 * Returns the status of fill_group().
 */
enum nss_status _nss_rsbac_getgrgid_r(gid_t gid,
                                      struct group *result,
                                      char *buffer,
                                      size_t buflen,
                                      int *errnop)
{
    enum nss_status retval = NSS_STATUS_UNAVAIL;

    pthread_mutex_lock(&lock);
    retval = fill_group(RSBAC_GEN_GID(RSBAC_UM_VIRTUAL_KEEP, gid), result, buffer, buflen, errnop);
    pthread_mutex_unlock(&lock);
    return retval;
}

/*
 * Append the supplementary groups of `user` to the caller's gid array
 * (glibc initgroups_dyn convention: *groupsp holds *size slots, *start of
 * which are used; `limit` > 0 caps the total, `limit` <= 0 means no cap).
 *
 * Resolves the user, asks the kernel for its group-membership list
 * (count + ROOM slots), grows the caller's array with realloc() if
 * needed, and copies the gids in.  The primary `group` argument is not
 * filtered out of the list (glibc tolerates duplicates, but other modules
 * usually skip it).
 *
 * Returns NSS_STATUS_SUCCESS; NSS_STATUS_NOTFOUND when the user is in no
 * group; NSS_STATUS_UNAVAIL on a failed name lookup, kernel failure or
 * allocation failure.
 *
 * NOTE(review): the realloc() result is not checked.  On failure `groups`
 * and *groupsp become NULL, the following loop writes through NULL, and
 * the caller's original array is leaked.  Keep the old pointer until
 * realloc() succeeds, and return TRYAGAIN/UNAVAIL otherwise.
 * NOTE(review): the two early returns after malloc() (second kernel call
 * failing, and the !gm_num case) leak gm_array.
 * NOTE(review): if a caller ever passed *start > limit with limit > 0,
 * gm_num would go negative and `while(gm_num--)` would not terminate;
 * glibc does not do that today, but a `gm_num <= 0` guard is cheap.
 * NOTE(review): *errnop is never set on any failure path.
 */
enum nss_status _nss_rsbac_initgroups_dyn(char *user,
                                          gid_t group,
                                          long int *start,
                                          long int *size,
                                          gid_t **groupsp,
                                          long int limit,
                                          int *errnop)
{
    enum nss_status retval = NSS_STATUS_UNAVAIL;
    rsbac_uid_t uid = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, RSBAC_NO_USER);
    rsbac_gid_num_t * gm_array;
    gid_t *groups = *groupsp;
    int gm_num;

    pthread_mutex_lock(&lock);
    if(rsbac_um_get_uid(0, user, &uid)) {
        pthread_mutex_unlock(&lock);
        return retval;
    }
    /* first call only counts the memberships */
    gm_num = rsbac_um_get_gm_list(0, uid, NULL, 0);
    if(gm_num < 0) {
        pthread_mutex_unlock(&lock);
        return NSS_STATUS_UNAVAIL;
    }
    gm_num += ROOM;
    gm_array = malloc(gm_num * sizeof(*gm_array));
    if(!gm_array) {
        pthread_mutex_unlock(&lock);
        return NSS_STATUS_UNAVAIL;
    }
    gm_num = rsbac_um_get_gm_list(0, uid, gm_array, gm_num);
    if(gm_num < 0) {
        pthread_mutex_unlock(&lock);   /* NOTE(review): leaks gm_array */
        return NSS_STATUS_UNAVAIL;
    }
    if(!gm_num) {
        pthread_mutex_unlock(&lock);   /* NOTE(review): leaks gm_array */
        return NSS_STATUS_NOTFOUND;
    }
    if(gm_num + (*start) > *size) {
        // Have to make the result buffer bigger
        long int newsize = gm_num + (*start);
        newsize = (limit > 0) ? rsbac_min(limit, newsize) : newsize;
        /* NOTE(review): unchecked realloc(), see the function comment */
        *groupsp = groups = realloc(groups, newsize * sizeof(*groups));
        *size = newsize;
    }
    /* never write past `limit`; see NOTE above for the *start > limit case */
    gm_num = (limit > 0) ? rsbac_min(gm_num, limit - *start) : gm_num;
    /* copied back to front, so the caller's array ends up in reverse kernel order */
    while(gm_num--) {
        groups[*start] = gm_array[gm_num];
        *start += 1;
    }
    free(gm_array);
    pthread_mutex_unlock(&lock);
    return NSS_STATUS_SUCCESS;
}
rsbac-admin-1.4.0/main/nss/AUTHORS0000644000175000017500000000016311131371034016333 0ustar gauvaingauvain
Joerg Wendland Bret Mogilefsky Amon Ott
rsbac-admin-1.4.0/main/nss/Makefile0000644000175000017500000000500411131371034016722 0ustar gauvaingauvain
#!/usr/bin/make -f
# Licensed under the terms of the GPLv2
# Guillaume Destuynder
#
# Configuration
# See
# http://www.gnu.org/software/libtool/manual.html#Versioning
# For managing version information..
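# libtool -version-info "current" value; bump per the libtool versioning rules
LIBVERSION := 2

INSTALL := install
LIBTOOL := libtool
CC := gcc

# Prefer the external echo (needed for -e); fall back to the shell builtin name.
ECHO := $(shell which echo)
ifeq ($(ECHO),)
ECHO := echo
endif

DESTDIR :=
PREFIX := /usr/local

# The module is installed into DIR_NSS when given (e.g. a distro's NSS
# module directory), otherwise under PREFIX/lib.
ifeq ($(DIR_NSS),)
LIBDIR := $(PREFIX)/lib
else
LIBDIR := $(DIR_NSS)
endif

# NOTE: the include paths live in CFLAGS, and the build rules pass only
# $(CFLAGS), so a command-line `make CFLAGS=...` drops ../headers and the
# library would no longer compile.  Keep them here if you override CFLAGS.
CFLAGS := -O2 -fomit-frame-pointer
CFLAGS += -I../headers -I/usr/include -I/usr/local/include \
	-I$(PREFIX)/include
LDFLAGS :=
LIBS := -L../libs -L../libs/.libs -L$(PREFIX)/lib -lrsbac

FILES_NSS := $(wildcard *.c)
NSS_LIB := libnss_rsbac.la

# Output redirection appended to noisy libtool calls; emptied in verbose mode.
QUIET := > /dev/null

DVERSION := 1.0.1
DPACKAGE := libnss-rsbac

# Hand-rolled replacement for an autoconf config.h.
# SYSCONFDIR previously expanded to "$(PREFIX)etc" (i.e. /usr/localetc);
# the missing slash is fixed here.  Duplicate -DHAVE_UNISTD_H / -I. dropped.
DEFINES := -DPACKAGE_NAME=\"\" -DPACKAGE_TARNAME=\"\" -DPACKAGE_VERSION=\"\" \
	-DPACKAGE_STRING=\"\" -DPACKAGE_BUGREPORT=\"\" \
	-DPACKAGE=\"$(DPACKAGE)\" -DVERSION=\"$(DVERSION)\" \
	-DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 \
	-DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 \
	-DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 \
	-DHAVE_UNISTD_H=1 -DHAVE_NSS_H=1 -DHAVE_LIBRSBAC=1 -DHAVE_DLFCN_H=1 \
	-I. -DLIBDIR=\"$(LIBDIR)\" -DSYSCONFDIR=\"$(PREFIX)/etc\" -D_GNU_SOURCE

#
# Nice make. Use make VERBOSE=1 to verbose compilation.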
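#
ifneq ($(VERBOSE), 1)
.SILENT:
E = @$(ECHO) -e " "
else
QUIET =
E = @:
endif

#
# Targets
#

all: $(NSS_LIB)

# Compile each source into a libtool object.  The previous rule compiled
# only the first prerequisite ($<) of $(NSS_LIB) while linking every
# $(FILES_NSS:.c=.lo), so a second .c file would have been linked without
# ever being built; a pattern rule builds each one.
%.lo: %.c
	$(E) "CC\t\t$<"
	$(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(LDFLAGS) $(DEFINES) -c $< $(QUIET)

$(NSS_LIB): $(FILES_NSS:.c=.lo)
	$(E) "LD\t\t$(NSS_LIB)"
	$(LIBTOOL) --mode=link $(CC) $(CFLAGS) $(LDFLAGS) $(DEFINES) $(LIBS) \
	  -o $@ $^ -rpath $(LIBDIR) -version-info $(LIBVERSION) \
	  $(QUIET)

# Remove every object derived from FILES_NSS, not just interface.{o,lo}.
clean:
	$(E) "CLEAN\t\t$(FILES_NSS:.c=.o)"
	rm -f $(FILES_NSS:.c=.o)
	$(E) "CLEAN\t\t$(FILES_NSS:.c=.lo)"
	rm -f $(FILES_NSS:.c=.lo)

# The .so.2 name mirrors LIBVERSION; keep the two in step when bumping.
distclean: clean
	$(E) "CLEAN\t\t$(NSS_LIB)"
	rm -f $(NSS_LIB)
	rm -f libnss_rsbac.so libnss_rsbac.so.2
	$(E) "CLEAN\t\tlibtool files"
	rm -rf .libs .deps

install: $(NSS_LIB)
	$(E) "INTO\t\t$(DESTDIR) ($(PREFIX))"
	$(E) "DIR\t\t$(LIBDIR)"
	$(INSTALL) -d $(DESTDIR)/$(LIBDIR) $(QUIET)
	$(E) "INSTALL\t$(NSS_LIB)"
	$(LIBTOOL) --mode=install install -c $(NSS_LIB) \
	  $(DESTDIR)/$(LIBDIR) $(QUIET)
	$(E) "INSTALL\t$(NSS_LIB)"
	# -n makes this a dry run: libtool only prints the finish steps (no
	# ldconfig is run).  Presumably deliberate for staged installs; run
	# ldconfig yourself when installing to a live system.
	$(LIBTOOL) -n --mode=finish $(DESTDIR)/$(LIBDIR) $(QUIET)

uninstall:
	$(E) "UNINSTALL\t $(LIBDIR)/$(NSS_LIB)"
	$(LIBTOOL) --mode=uninstall rm \
	  $(DESTDIR)/$(LIBDIR)/$(NSS_LIB) $(QUIET)

# install and uninstall were missing here: a file of either name in this
# directory would have made the target look up to date.
.PHONY: all clean distclean install uninstall
rsbac-admin-1.4.0/main/nss/COPYING0000644000175000017500000004311011131371034016315 0ustar gauvaingauvain GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it.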
(Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. 
The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. 
You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. 
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. 
However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. 
If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. 
If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License. 
rsbac-admin-1.4.0/main/nss/ChangeLog0000644000175000017500000000315111131371034017035 0ustar gauvaingauvain2004-08-16 Amon Ott * Changed for RSBAC, removed all database stuff 2003-04-21 Joerg Wendland * really relibtoolize 2003-04-16 Joerg Wendland * re-{libtoolize, aclocalize, autoconfigure, automake} 2001-10-22 Joerg Wendland * added documentation and database example * changes to debian packaging (see debian/changelog) * New Version: 1.0.0 2001-10-04 Joerg Wendland * fixed SQL statement in backend/initgroups_dyn() * filled README 2001-09-30 Bret Mogilefsky * made config file parsing much more robust; improper handling of sscanf was causing many hard-to-debug crashes when config files contained blank lines. changed back to -O2 from -g * complain when config file contains a line that's not understood * plugged MANY leaks * now _only_ malloc for config directives, or when necessary (sql_escape); should be much faster * added atexit() calls to do db, cfg cleanup * removed unused functions * print_err made more usable and added print_msg, which D() now uses 2001-09-20 Bret Mogilefsky * added debug messages =) * added initgroups_dyn(); which gives massive speedup to glibc initgroups() call * fixed some leaks * fixed use of stale pointers 2001-08-27 Joerg Wendland * removed debug messages * fixed getgrnam() and getpwnam() functions to correctly escape user input in SQL statements rsbac-admin-1.4.0/main/README0000644000175000017500000000141111131371037015340 0ustar gauvaingauvainAll RSBAC code is copyrighted by Amon Ott unless stated otherwise, and published under the restrictions of the GNU General Public Licence as to be read in file COPYING in the main directory of the kernel source tree. All statements therein apply fully to all RSBAC sources. 
RSBAC is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details, available in the file ``COPYING' rsbac-admin-1.4.0/main/libs/0000755000175000017500000000000011131371037015414 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/helpers/0000755000175000017500000000000011131371035017054 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/helpers/syscall_wrapper.c0000644000175000017500000012137711131371035022445 0ustar gauvaingauvain/************************************* */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2008: */ /* Amon Ott */ /* Syscall wrapper functions for all */ /* admin tools */ /* Last modified: 03/Mar/2008 */ /************************************* */ #include #include #include #include #include #include #include "nls.h" int rsbac_version(void) { return sys_rsbac(RSBAC_VERSION_NR, RSYS_version, NULL); } int rsbac_stats(void) { return sys_rsbac(RSBAC_VERSION_NR, RSYS_stats, NULL); } int rsbac_check(int correct, int check_inode) { union rsbac_syscall_arg_t arg; arg.check.correct = correct; arg.check.check_inode = check_inode; return sys_rsbac(RSBAC_VERSION_NR, RSYS_check, &arg); } int rsbac_write(void) { return sys_rsbac(RSBAC_VERSION_NR, RSYS_write, NULL); } int rsbac_get_attr( rsbac_list_ta_number_t ta_number, enum rsbac_switch_target_t module, enum rsbac_target_t target, union rsbac_target_id_t * tid, enum rsbac_attribute_t attr, union rsbac_attribute_value_t * value, int inherit) { union rsbac_syscall_arg_t arg; arg.get_attr.ta_number = ta_number; arg.get_attr.module = module; arg.get_attr.target = target; arg.get_attr.tid = tid; 
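/* Remaining fields of rsbac_get_attr() (signature and first fields are on the
 * preceding line of this listing). Every wrapper in this file follows one
 * pattern: fill exactly one member of union rsbac_syscall_arg_t, then hand it
 * to sys_rsbac(RSBAC_VERSION_NR, RSYS_<call>, &arg) and return its result
 * unchanged. No argument validation happens here: pointers, file names and
 * password strings go to the kernel as given, and caller-provided arrays are
 * only bounded by the maxnum the caller passes. The union member filled must
 * be the one that matches the RSYS_ number; mixing them up only "works" while
 * two member structs happen to share a layout. */
arg.get_attr.attr = attr;
arg.get_attr.value = value;
arg.get_attr.inherit = inherit;
return sys_rsbac(RSBAC_VERSION_NR, RSYS_get_attr, &arg);
}

/* Read attribute 'attr' of the object addressed by path t_name. */
int rsbac_get_attr_n(rsbac_list_ta_number_t ta_number,
                     enum rsbac_switch_target_t module,
                     enum rsbac_target_t target,
                     char * t_name,
                     enum rsbac_attribute_t attr,
                     union rsbac_attribute_value_t * value,
                     int inherit)
{
    union rsbac_syscall_arg_t arg;

    arg.get_attr_n.ta_number = ta_number;
    arg.get_attr_n.module = module;
    arg.get_attr_n.target = target;
    arg.get_attr_n.t_name = t_name;
    arg.get_attr_n.attr = attr;
    arg.get_attr_n.value = value;
    arg.get_attr_n.inherit = inherit;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_get_attr_n, &arg);
}

/* Set attribute 'attr' of the object addressed by target id *tid. */
int rsbac_set_attr(rsbac_list_ta_number_t ta_number,
                   enum rsbac_switch_target_t module,
                   enum rsbac_target_t target,
                   union rsbac_target_id_t * tid,
                   enum rsbac_attribute_t attr,
                   union rsbac_attribute_value_t * value)
{
    union rsbac_syscall_arg_t arg;

    arg.set_attr.ta_number = ta_number;
    arg.set_attr.module = module;
    arg.set_attr.target = target;
    arg.set_attr.tid = tid;
    arg.set_attr.attr = attr;
    arg.set_attr.value = value;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_set_attr, &arg);
}

/* Set attribute 'attr' of the object addressed by path t_name. */
int rsbac_set_attr_n(rsbac_list_ta_number_t ta_number,
                     enum rsbac_switch_target_t module,
                     enum rsbac_target_t target,
                     char * t_name,
                     enum rsbac_attribute_t attr,
                     union rsbac_attribute_value_t * value)
{
    union rsbac_syscall_arg_t arg;

    arg.set_attr_n.ta_number = ta_number;
    arg.set_attr_n.module = module;
    arg.set_attr_n.target = target;
    arg.set_attr_n.t_name = t_name;
    arg.set_attr_n.attr = attr;
    arg.set_attr_n.value = value;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_set_attr_n, &arg);
}

/* Remove all RSBAC data kept for the object addressed by target id *tid. */
int rsbac_remove_target(rsbac_list_ta_number_t ta_number,
                        enum rsbac_target_t target,
                        union rsbac_target_id_t * tid)
{
    union rsbac_syscall_arg_t arg;

    arg.remove_target.ta_number = ta_number;
    arg.remove_target.target = target;
    arg.remove_target.tid = tid;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_remove_target, &arg);
}

/* Same as rsbac_remove_target(), object addressed by path t_name. */
int rsbac_remove_target_n(rsbac_list_ta_number_t ta_number,
                          enum rsbac_target_t target,
                          char * t_name)
{
    union rsbac_syscall_arg_t arg;

    arg.remove_target_n.ta_number = ta_number;
    arg.remove_target_n.target = target;
    arg.remove_target_n.t_name = t_name;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_remove_target_n, &arg);
}

/* Fill id_p with known network device ids; id_p must hold maxnum entries. */
int rsbac_net_list_all_netdev(rsbac_list_ta_number_t ta_number,
                              rsbac_netdev_id_t * id_p,
                              u_long maxnum)
{
    union rsbac_syscall_arg_t arg;

    arg.net_list_all_netdev.ta_number = ta_number;
    arg.net_list_all_netdev.id_p = id_p;
    arg.net_list_all_netdev.maxnum = maxnum;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_net_list_all_netdev, &arg);
}

/* Generic network template call; 'call' selects the sub-operation on template id. */
int rsbac_net_template(rsbac_list_ta_number_t ta_number,
                       enum rsbac_net_temp_syscall_t call,
                       rsbac_net_temp_id_t id,
                       union rsbac_net_temp_syscall_data_t * data_p)
{
    union rsbac_syscall_arg_t arg;

    arg.net_template.ta_number = ta_number;
    arg.net_template.call = call;
    arg.net_template.id = id;
    arg.net_template.data_p = data_p;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_net_template, &arg);
}

/* Fill id_p with known network template ids; id_p must hold maxnum entries. */
int rsbac_net_list_all_template(rsbac_list_ta_number_t ta_number,
                                rsbac_net_temp_id_t * id_p,
                                u_long maxnum)
{
    union rsbac_syscall_arg_t arg;

    arg.net_list_all_template.ta_number = ta_number;
    arg.net_list_all_template.id_p = id_p;
    arg.net_list_all_template.maxnum = maxnum;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_net_list_all_template, &arg);
}

/* Switch a decision module on or off (value); uses the switch_module member. */
int rsbac_switch(enum rsbac_switch_target_t module, int value)
{
    union rsbac_syscall_arg_t arg;

    arg.switch_module.module = module;
    arg.switch_module.value = value;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_switch, &arg);
}

/* Query a module's on/off state (*value_p) and whether it may be switched (*switchable_p). */
int rsbac_get_switch(enum rsbac_switch_target_t module,
                     int * value_p,
                     int * switchable_p)
{
    union rsbac_syscall_arg_t arg;

    arg.get_switch_module.module = module;
    arg.get_switch_module.value_p = value_p;
    arg.get_switch_module.switchable_p = switchable_p;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_get_switch, &arg);
}

/************** MAC ***************/

/* Set the current MAC level and category vector. */
int rsbac_mac_set_curr_level(rsbac_security_level_t level,
                             rsbac_mac_category_vector_t * categories_p)
{
    union rsbac_syscall_arg_t arg;

    arg.mac_set_curr_level.level = level;
    arg.mac_set_curr_level.categories_p = categories_p;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_mac_set_curr_level, &arg);
}

/* Read the current MAC level and category vector. */
int rsbac_mac_get_curr_level(rsbac_security_level_t * level_p,
                             rsbac_mac_category_vector_t * categories_p)
{
    union rsbac_syscall_arg_t arg;

    arg.mac_get_curr_level.level_p = level_p;
    arg.mac_get_curr_level.categories_p = categories_p;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_mac_get_curr_level, &arg);
}

/* Read the maximum MAC level and category vector. */
int rsbac_mac_get_max_level(rsbac_security_level_t * level_p,
                            rsbac_mac_category_vector_t * categories_p)
{
    union rsbac_syscall_arg_t arg;

    arg.mac_get_max_level.level_p = level_p;
    arg.mac_get_max_level.categories_p = categories_p;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_mac_get_max_level, &arg);
}

/* Read the minimum MAC level and category vector.
 * Fix: the original filled arg.mac_get_curr_level while dispatching
 * RSYS_mac_get_min_level, i.e. the wrong union member for this call. That
 * can only have worked while both member structs shared a layout; use the
 * member that belongs to the call, as the get_max_level wrapper does. */
int rsbac_mac_get_min_level(rsbac_security_level_t * level_p,
                            rsbac_mac_category_vector_t * categories_p)
{
    union rsbac_syscall_arg_t arg;

    arg.mac_get_min_level.level_p = level_p;
    arg.mac_get_min_level.categories_p = categories_p;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_mac_get_min_level, &arg);
}

/* Add uid to the trusted-user list of process pid, expiring after ttl. */
int rsbac_mac_add_p_tru(rsbac_list_ta_number_t ta_number,
                        rsbac_pid_t pid,
                        rsbac_uid_t uid,
                        rsbac_time_t ttl)
{
    union rsbac_syscall_arg_t arg;

    arg.mac_add_p_tru.ta_number = ta_number;
    arg.mac_add_p_tru.pid = pid;
    arg.mac_add_p_tru.uid = uid;
    arg.mac_add_p_tru.ttl = ttl;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_mac_add_p_tru, &arg);
}

/* Remove uid from the trusted-user list of process pid. */
int rsbac_mac_remove_p_tru(rsbac_list_ta_number_t ta_number,
                           rsbac_pid_t pid,
                           rsbac_uid_t uid)
{
    union rsbac_syscall_arg_t arg;

    arg.mac_remove_p_tru.ta_number = ta_number;
    arg.mac_remove_p_tru.pid = pid;
    arg.mac_remove_p_tru.uid = uid;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_mac_remove_p_tru, &arg);
}

/* Add uid to the trusted-user list of file 'filename', expiring after ttl. */
int rsbac_mac_add_f_tru(rsbac_list_ta_number_t ta_number,
                        char * filename,
                        rsbac_uid_t uid,
                        rsbac_time_t ttl)
{
    union rsbac_syscall_arg_t arg;

    arg.mac_add_f_tru.ta_number = ta_number;
    arg.mac_add_f_tru.filename = filename;
    arg.mac_add_f_tru.uid = uid;
    arg.mac_add_f_tru.ttl = ttl;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_mac_add_f_tru, &arg);
}

/* Remove uid from the trusted-user list of file 'filename'. */
int rsbac_mac_remove_f_tru(rsbac_list_ta_number_t ta_number,
                           char * filename,
                           rsbac_uid_t uid)
{
    union rsbac_syscall_arg_t arg;

    arg.mac_remove_f_tru.ta_number = ta_number;
    arg.mac_remove_f_tru.filename = filename;
    arg.mac_remove_f_tru.uid = uid;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_mac_remove_f_tru, &arg);
}

/* trulist must have space for maxnum tru_range entries - first and last each!
 * ttllist is sized the same way; the wrapper passes maxnum through unchecked. */
int rsbac_mac_get_f_trulist(rsbac_list_ta_number_t ta_number,
                            char * filename,
                            rsbac_uid_t trulist[],
                            rsbac_time_t ttllist[],
                            u_int maxnum)
{
    union rsbac_syscall_arg_t arg;

    arg.mac_get_f_trulist.ta_number = ta_number;
    arg.mac_get_f_trulist.filename = filename;
    arg.mac_get_f_trulist.trulist = trulist;
    arg.mac_get_f_trulist.ttllist = ttllist;
    arg.mac_get_f_trulist.maxnum = maxnum;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_mac_get_f_trulist, &arg);
}

/* Process variant of rsbac_mac_get_f_trulist(); same sizing rule for the arrays. */
int rsbac_mac_get_p_trulist(rsbac_list_ta_number_t ta_number,
                            rsbac_pid_t pid,
                            rsbac_uid_t trulist[],
                            rsbac_time_t ttllist[],
                            u_int maxnum)
{
    union rsbac_syscall_arg_t arg;

    arg.mac_get_p_trulist.ta_number = ta_number;
    arg.mac_get_p_trulist.pid = pid;
    arg.mac_get_p_trulist.trulist = trulist;
    arg.mac_get_p_trulist.ttllist = ttllist;
    arg.mac_get_p_trulist.maxnum = maxnum;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_mac_get_p_trulist, &arg);
}

/************** PM ***************/

/* Dump PM statistics; no argument structure is needed. */
int rsbac_stats_pm(void)
{
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_stats_pm, NULL);
}

/* Generic PM call: 'function' selects the operation, *param_p carries its parameters,
 * 'ticket' is the PM ticket the operation is performed under. */
int rsbac_pm(rsbac_list_ta_number_t ta_number,
             enum rsbac_pm_function_type_t function,
             union rsbac_pm_function_param_t * param_p,
             rsbac_pm_tkt_id_t ticket)
{
    union rsbac_syscall_arg_t arg;

    arg.pm.ta_number = ta_number;
    arg.pm.function = function;
    arg.pm.param_p = param_p;
    arg.pm.ticket = ticket;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_pm, &arg);
}

/* Change the current PM task of the caller. */
int rsbac_pm_change_current_task(rsbac_pm_task_id_t task)
{
    union rsbac_syscall_arg_t arg;

    arg.pm_change_current_task.task = task;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_pm_change_current_task, &arg);
}

/* Create file 'filename' with 'mode' and assign it PM object class object_class. */
int rsbac_pm_create_file(const char * filename,
                         int mode,
                         rsbac_pm_object_class_id_t object_class)
{
    union rsbac_syscall_arg_t arg;

    arg.pm_create_file.filename = filename;
    arg.pm_create_file.mode = mode;
    arg.pm_create_file.object_class = object_class;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_pm_create_file, &arg);
}

/************** DAZ **************/

/* Flush the DAZ (malware scanner) result cache; no argument structure is needed. */
int rsbac_daz_flush_cache(void)
{
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_daz_flush_cache, NULL);
}

/************** RC ***************/

/* Copy RC role from_role onto to_role. */
int rsbac_rc_copy_role(rsbac_list_ta_number_t ta_number,
                       rsbac_rc_role_id_t from_role,
                       rsbac_rc_role_id_t to_role)
{
    union rsbac_syscall_arg_t arg;

    arg.rc_copy_role.ta_number = ta_number;
    arg.rc_copy_role.from_role = from_role;
    arg.rc_copy_role.to_role = to_role;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_rc_copy_role, &arg);
}

/* Copy RC type from_type onto to_type for the given target class. */
int rsbac_rc_copy_type(rsbac_list_ta_number_t ta_number,
                       enum rsbac_target_t target,
                       rsbac_rc_type_id_t from_type,
                       rsbac_rc_type_id_t to_type)
{
    union rsbac_syscall_arg_t arg;

    arg.rc_copy_type.ta_number = ta_number;
    arg.rc_copy_type.target = target;
    arg.rc_copy_type.from_type = from_type;
    arg.rc_copy_type.to_type = to_type;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_rc_copy_type, &arg);
}

/* Read one RC item: value into *value_p, its time-to-live into *ttl_p. */
int rsbac_rc_get_item(rsbac_list_ta_number_t ta_number,
                      enum rsbac_rc_target_t target,
                      union rsbac_rc_target_id_t * tid_p,
                      union rsbac_rc_target_id_t * subtid_p,
                      enum rsbac_rc_item_t item,
                      union rsbac_rc_item_value_t * value_p,
                      rsbac_time_t * ttl_p)
{
    union rsbac_syscall_arg_t arg;

    arg.rc_get_item.ta_number = ta_number;
    arg.rc_get_item.target = target;
    arg.rc_get_item.tid_p = tid_p;
    arg.rc_get_item.subtid_p = subtid_p;
    arg.rc_get_item.item = item;
    arg.rc_get_item.value_p = value_p;
    arg.rc_get_item.ttl_p = ttl_p;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_rc_get_item, &arg);
}

/* Setting values */

/* Write one RC item from *value_p with time-to-live ttl (passed by value here,
 * unlike the pointer in rsbac_rc_get_item()). */
int rsbac_rc_set_item(rsbac_list_ta_number_t ta_number,
                      enum rsbac_rc_target_t target,
                      union rsbac_rc_target_id_t * tid_p,
                      union rsbac_rc_target_id_t * subtid_p,
                      enum rsbac_rc_item_t item,
                      union rsbac_rc_item_value_t * value_p,
                      rsbac_time_t ttl)
{
    union rsbac_syscall_arg_t arg;

    arg.rc_set_item.ta_number = ta_number;
    arg.rc_set_item.target = target;
    arg.rc_set_item.tid_p = tid_p;
    arg.rc_set_item.subtid_p = subtid_p;
    arg.rc_set_item.item = item;
    arg.rc_set_item.value_p = value_p;
    arg.rc_set_item.ttl = ttl;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_rc_set_item, &arg);
}

/* Read an RC list item into array_p / ttl_array_p; both must hold maxnum entries. */
int rsbac_rc_get_list(rsbac_list_ta_number_t ta_number,
                      enum rsbac_rc_target_t target,
                      union rsbac_rc_target_id_t * tid_p,
                      enum rsbac_rc_item_t item,
                      u_int maxnum,
                      __u32 * array_p,
                      rsbac_time_t * ttl_array_p)
{
    union rsbac_syscall_arg_t arg;

    arg.rc_get_list.ta_number = ta_number;
    arg.rc_get_list.target = target;
    arg.rc_get_list.tid_p = tid_p;
    arg.rc_get_list.item = item;
    arg.rc_get_list.maxnum = maxnum;
    arg.rc_get_list.array_p = array_p;
    arg.rc_get_list.ttl_array_p = ttl_array_p;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_rc_get_list, &arg);
}

/* Change the caller's RC role; 'pass' is forwarded to the kernel verbatim, so
 * the caller owns clearing that buffer afterwards. */
int rsbac_rc_change_role(rsbac_rc_role_id_t role, char * pass)
{
    union rsbac_syscall_arg_t arg;

    arg.rc_change_role.role = role;
    arg.rc_change_role.pass = pass;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_rc_change_role, &arg);
}

/* Effective RC rights of the caller on the object at path t_name. */
int rsbac_rc_get_eff_rights_n(rsbac_list_ta_number_t ta_number,
                              enum rsbac_target_t target,
                              char * t_name,
                              rsbac_rc_request_vector_t * request_vector_p,
                              rsbac_time_t * ttl_p)
{
    union rsbac_syscall_arg_t arg;

    arg.rc_get_eff_rights_n.ta_number = ta_number;
    arg.rc_get_eff_rights_n.target = target;
    arg.rc_get_eff_rights_n.t_name = t_name;
    arg.rc_get_eff_rights_n.request_vector_p = request_vector_p;
    arg.rc_get_eff_rights_n.ttl_p = ttl_p;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_rc_get_eff_rights_n, &arg);
}

/* Read the caller's current RC role into *role_p. */
int rsbac_rc_get_current_role(rsbac_rc_role_id_t * role_p)
{
    union rsbac_syscall_arg_t arg;

    arg.rc_get_current_role.role_p = role_p;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_rc_get_current_role, &arg);
}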
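/* Select the RC type new file objects created by the caller receive. */
int rsbac_rc_select_fd_create_type(rsbac_rc_type_id_t type)
{
    union rsbac_syscall_arg_t arg;

    arg.rc_select_fd_create_type.type = type;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_rc_select_fd_create_type, &arg);
}

/************** AUTH ***************/

/* Provide means for adding and removing of capabilities */

/* Add AUTH capability range cap_range of kind cap_type to process pid, expiring after ttl. */
int rsbac_auth_add_p_cap(rsbac_list_ta_number_t ta_number,
                         rsbac_pid_t pid,
                         enum rsbac_auth_cap_type_t cap_type,
                         struct rsbac_auth_cap_range_t cap_range,
                         rsbac_time_t ttl)
{
    union rsbac_syscall_arg_t arg;

    arg.auth_add_p_cap.ta_number = ta_number;
    arg.auth_add_p_cap.pid = pid;
    arg.auth_add_p_cap.cap_type = cap_type;
    arg.auth_add_p_cap.cap_range = cap_range;
    arg.auth_add_p_cap.ttl = ttl;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_auth_add_p_cap, &arg);
}

/* Remove AUTH capability range cap_range of kind cap_type from process pid. */
int rsbac_auth_remove_p_cap(rsbac_list_ta_number_t ta_number,
                            rsbac_pid_t pid,
                            enum rsbac_auth_cap_type_t cap_type,
                            struct rsbac_auth_cap_range_t cap_range)
{
    union rsbac_syscall_arg_t arg;

    arg.auth_remove_p_cap.ta_number = ta_number;
    arg.auth_remove_p_cap.pid = pid;
    arg.auth_remove_p_cap.cap_type = cap_type;
    arg.auth_remove_p_cap.cap_range = cap_range;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_auth_remove_p_cap, &arg);
}

/* Add AUTH capability range cap_range of kind cap_type to file 'filename', expiring after ttl. */
int rsbac_auth_add_f_cap(rsbac_list_ta_number_t ta_number,
                         char * filename,
                         enum rsbac_auth_cap_type_t cap_type,
                         struct rsbac_auth_cap_range_t cap_range,
                         rsbac_time_t ttl)
{
    union rsbac_syscall_arg_t arg;

    arg.auth_add_f_cap.ta_number = ta_number;
    arg.auth_add_f_cap.filename = filename;
    arg.auth_add_f_cap.cap_type = cap_type;
    arg.auth_add_f_cap.cap_range = cap_range;
    arg.auth_add_f_cap.ttl = ttl;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_auth_add_f_cap, &arg);
}

/* Remove AUTH capability range cap_range of kind cap_type from file 'filename'. */
int rsbac_auth_remove_f_cap(rsbac_list_ta_number_t ta_number,
                            char * filename,
                            enum rsbac_auth_cap_type_t cap_type,
                            struct rsbac_auth_cap_range_t cap_range)
{
    union rsbac_syscall_arg_t arg;

    arg.auth_remove_f_cap.ta_number = ta_number;
    arg.auth_remove_f_cap.filename = filename;
    arg.auth_remove_f_cap.cap_type = cap_type;
    arg.auth_remove_f_cap.cap_range = cap_range;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_auth_remove_f_cap, &arg);
}

/* caplist must have space for maxnum cap_range entries - first and last each!
 * ttllist is sized the same way; maxnum is passed through unchecked. */
int rsbac_auth_get_f_caplist(rsbac_list_ta_number_t ta_number,
                             char * filename,
                             enum rsbac_auth_cap_type_t cap_type,
                             struct rsbac_auth_cap_range_t caplist[],
                             rsbac_time_t ttllist[],
                             u_int maxnum)
{
    union rsbac_syscall_arg_t arg;

    arg.auth_get_f_caplist.ta_number = ta_number;
    arg.auth_get_f_caplist.filename = filename;
    arg.auth_get_f_caplist.cap_type = cap_type;
    arg.auth_get_f_caplist.caplist = caplist;
    arg.auth_get_f_caplist.ttllist = ttllist;
    arg.auth_get_f_caplist.maxnum = maxnum;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_auth_get_f_caplist, &arg);
}

/* Process variant of rsbac_auth_get_f_caplist(); same sizing rule for the arrays. */
int rsbac_auth_get_p_caplist(rsbac_list_ta_number_t ta_number,
                             rsbac_pid_t pid,
                             enum rsbac_auth_cap_type_t cap_type,
                             struct rsbac_auth_cap_range_t caplist[],
                             rsbac_time_t ttllist[],
                             u_int maxnum)
{
    union rsbac_syscall_arg_t arg;

    arg.auth_get_p_caplist.ta_number = ta_number;
    arg.auth_get_p_caplist.pid = pid;
    arg.auth_get_p_caplist.cap_type = cap_type;
    arg.auth_get_p_caplist.caplist = caplist;
    arg.auth_get_p_caplist.ttllist = ttllist;
    arg.auth_get_p_caplist.maxnum = maxnum;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_auth_get_p_caplist, &arg);
}

/**********************************/
/************** REG ***************/

/* Pass an opaque argument to the registered (REG) module identified by handle.
 * 'arg' is not interpreted here at all. */
int rsbac_reg(rsbac_reg_handle_t handle, void * arg)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.reg.handle = handle;
    s_arg.reg.arg = arg;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_reg, &s_arg);
}

/**********************************/
/************** ACL ***************/

/* Generic ACL call addressed by target id; 'call' selects the sub-operation. */
int rsbac_acl(rsbac_list_ta_number_t ta_number,
              enum rsbac_acl_syscall_type_t call,
              struct rsbac_acl_syscall_arg_t * arg)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.acl.ta_number = ta_number;
    s_arg.acl.call = call;
    s_arg.acl.arg = arg;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_acl, &s_arg);
}

/* Generic ACL call addressed by path (the _n argument structure). */
int rsbac_acl_n(rsbac_list_ta_number_t ta_number,
                enum rsbac_acl_syscall_type_t call,
                struct rsbac_acl_syscall_n_arg_t * arg)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.acl_n.ta_number = ta_number;
    s_arg.acl_n.call = call;
    s_arg.acl_n.arg = arg;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_acl_n, &s_arg);
}

/* Read ACL rights into *rights_p; 'effective' selects effective vs. direct rights. */
int rsbac_acl_get_rights(rsbac_list_ta_number_t ta_number,
                         struct rsbac_acl_syscall_arg_t * arg,
                         rsbac_acl_rights_vector_t * rights_p,
                         u_int effective)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.acl_get_rights.ta_number = ta_number;
    s_arg.acl_get_rights.arg = arg;
    s_arg.acl_get_rights.rights_p = rights_p;
    s_arg.acl_get_rights.effective = effective;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_acl_get_rights, &s_arg);
}

/* Path variant of rsbac_acl_get_rights(). */
int rsbac_acl_get_rights_n(rsbac_list_ta_number_t ta_number,
                           struct rsbac_acl_syscall_n_arg_t * arg,
                           rsbac_acl_rights_vector_t * rights_p,
                           u_int effective)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.acl_get_rights_n.ta_number = ta_number;
    s_arg.acl_get_rights_n.arg = arg;
    s_arg.acl_get_rights_n.rights_p = rights_p;
    s_arg.acl_get_rights_n.effective = effective;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_acl_get_rights_n, &s_arg);
}

/* Read the ACL entry list of target *tid; entry_array and ttl_array must hold maxnum entries. */
int rsbac_acl_get_tlist(rsbac_list_ta_number_t ta_number,
                        enum rsbac_target_t target,
                        union rsbac_target_id_t * tid,
                        struct rsbac_acl_entry_t entry_array[],
                        rsbac_time_t ttl_array[],
                        u_int maxnum)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.acl_get_tlist.ta_number = ta_number;
    s_arg.acl_get_tlist.target = target;
    s_arg.acl_get_tlist.tid = tid;
    s_arg.acl_get_tlist.entry_array = entry_array;
    s_arg.acl_get_tlist.ttl_array = ttl_array;
    s_arg.acl_get_tlist.maxnum = maxnum;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_acl_get_tlist, &s_arg);
}

/* Path variant of rsbac_acl_get_tlist(); same sizing rule for the arrays. */
int rsbac_acl_get_tlist_n(rsbac_list_ta_number_t ta_number,
                          enum rsbac_target_t target,
                          char * t_name,
                          struct rsbac_acl_entry_t entry_array[],
                          rsbac_time_t ttl_array[],
                          u_int maxnum)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.acl_get_tlist_n.ta_number = ta_number;
    s_arg.acl_get_tlist_n.target = target;
    s_arg.acl_get_tlist_n.t_name = t_name;
    s_arg.acl_get_tlist_n.entry_array = entry_array;
    s_arg.acl_get_tlist_n.ttl_array = ttl_array;
    s_arg.acl_get_tlist_n.maxnum = maxnum;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_acl_get_tlist_n, &s_arg);
}

/* Read the ACL inheritance mask of target *tid into *mask_p. */
int rsbac_acl_get_mask(rsbac_list_ta_number_t ta_number,
                       enum rsbac_target_t target,
                       union rsbac_target_id_t * tid,
                       rsbac_acl_rights_vector_t * mask_p)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.acl_get_mask.ta_number = ta_number;
    s_arg.acl_get_mask.target = target;
    s_arg.acl_get_mask.tid = tid;
    s_arg.acl_get_mask.mask_p = mask_p;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_acl_get_mask, &s_arg);
}

/* Path variant of rsbac_acl_get_mask(). */
int rsbac_acl_get_mask_n(rsbac_list_ta_number_t ta_number,
                         enum rsbac_target_t target,
                         char * t_name,
                         rsbac_acl_rights_vector_t * mask_p)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.acl_get_mask_n.ta_number = ta_number;
    s_arg.acl_get_mask_n.target = target;
    s_arg.acl_get_mask_n.t_name = t_name;
    s_arg.acl_get_mask_n.mask_p = mask_p;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_acl_get_mask_n, &s_arg);
}

/******** ACL groups *********/

/* Generic ACL group call; 'call' selects the sub-operation, *arg_p its parameters. */
int rsbac_acl_group(rsbac_list_ta_number_t ta_number,
                    enum rsbac_acl_group_syscall_type_t call,
                    union rsbac_acl_group_syscall_arg_t * arg_p)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.acl_group.ta_number = ta_number;
    s_arg.acl_group.call = call;
    s_arg.acl_group.arg_p = arg_p;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_acl_group, &s_arg);
}

/**********************************/
/************** JAIL **************/

/* Put the caller into a JAIL rooted at 'path', bound to 'ip', with the given
 * flags, capability ceiling and SCD get/modify vectors. 'version' is the
 * caller's idea of the jail interface version and is forwarded as-is
 * (separately from RSBAC_VERSION_NR used for every call here). */
int rsbac_jail(rsbac_version_t version,
               char * path,
               rsbac_jail_ip_t ip,
               rsbac_jail_flags_t flags,
               rsbac_cap_vector_t max_caps,
               rsbac_jail_scd_vector_t scd_get,
               rsbac_jail_scd_vector_t scd_modify)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.jail.version = version;
    s_arg.jail.path = path;
    s_arg.jail.ip = ip;
    s_arg.jail.flags = flags;
    s_arg.jail.max_caps = max_caps;
    s_arg.jail.scd_get = scd_get;
    s_arg.jail.scd_modify = scd_modify;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_jail, &s_arg);
}

/**********************************/
/************** UM ****************/

/* Password-carrying wrappers in this section forward the caller's password
 * buffers to the kernel unchanged; nothing here copies, length-checks or
 * wipes them, so the caller is responsible for clearing them afterwards. */

/* Authenticate user 'name' with 'pass'. */
int rsbac_um_auth_name(char * name, char * pass)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_auth_name.name = name;
    s_arg.um_auth_name.pass = pass;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_auth_name, &s_arg);
}

/* Authenticate user 'uid' with 'pass'.
 * Fix: the original stored the password in s_arg.um_auth_name.pass while
 * dispatching RSYS_um_auth_uid, i.e. a different union member than the one
 * it filled 'uid' into. That may only have worked by layout coincidence;
 * fill the member that belongs to the call. */
int rsbac_um_auth_uid(rsbac_uid_t uid, char * pass)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_auth_uid.uid = uid;
    s_arg.um_auth_uid.pass = pass;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_auth_uid, &s_arg);
}

/* Create user 'uid' from *entry_p with initial password 'pass', expiring after ttl. */
int rsbac_um_add_user(rsbac_list_ta_number_t ta_number,
                      rsbac_uid_t uid,
                      struct rsbac_um_user_entry_t * entry_p,
                      char * pass,
                      rsbac_time_t ttl)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_add_user.ta_number = ta_number;
    s_arg.um_add_user.uid = uid;
    s_arg.um_add_user.entry_p = entry_p;
    s_arg.um_add_user.pass = pass;
    s_arg.um_add_user.ttl = ttl;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_add_user, &s_arg);
}

/* Create group 'gid' from *entry_p with password 'pass', expiring after ttl. */
int rsbac_um_add_group(rsbac_list_ta_number_t ta_number,
                       rsbac_gid_t gid,
                       struct rsbac_um_group_entry_t * entry_p,
                       char * pass,
                       rsbac_time_t ttl)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_add_group.ta_number = ta_number;
    s_arg.um_add_group.gid = gid;
    s_arg.um_add_group.entry_p = entry_p;
    s_arg.um_add_group.pass = pass;
    s_arg.um_add_group.ttl = ttl;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_add_group, &s_arg);
}

/* Add user 'uid' to group 'gid' (group membership), expiring after ttl. */
int rsbac_um_add_gm(rsbac_list_ta_number_t ta_number,
                    rsbac_uid_t uid,
                    rsbac_gid_num_t gid,
                    rsbac_time_t ttl)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_add_gm.ta_number = ta_number;
    s_arg.um_add_gm.uid = uid;
    s_arg.um_add_gm.gid = gid;
    s_arg.um_add_gm.ttl = ttl;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_add_gm, &s_arg);
}

/* Modify field 'mod' of user 'uid' with the data in *data_p. */
int rsbac_um_mod_user(rsbac_list_ta_number_t ta_number,
                      rsbac_uid_t uid,
                      enum rsbac_um_mod_t mod,
                      union rsbac_um_mod_data_t * data_p)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_mod_user.ta_number = ta_number;
    s_arg.um_mod_user.uid = uid;
    s_arg.um_mod_user.mod = mod;
    s_arg.um_mod_user.data_p = data_p;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_mod_user, &s_arg);
}

/* Modify field 'mod' of group 'gid' with the data in *data_p. */
int rsbac_um_mod_group(rsbac_list_ta_number_t ta_number,
                       rsbac_gid_t gid,
                       enum rsbac_um_mod_t mod,
                       union rsbac_um_mod_data_t * data_p)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_mod_group.ta_number = ta_number;
    s_arg.um_mod_group.gid = gid;
    s_arg.um_mod_group.mod = mod;
    s_arg.um_mod_group.data_p = data_p;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_mod_group, &s_arg);
}

/* Read field 'mod' of user 'uid' into *data_p. */
int rsbac_um_get_user_item(rsbac_list_ta_number_t ta_number,
                           rsbac_uid_t uid,
                           enum rsbac_um_mod_t mod,
                           union rsbac_um_mod_data_t * data_p)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_get_user_item.ta_number = ta_number;
    s_arg.um_get_user_item.uid = uid;
    s_arg.um_get_user_item.mod = mod;
    s_arg.um_get_user_item.data_p = data_p;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_get_user_item, &s_arg);
}

/* Read field 'mod' of group 'gid' into *data_p. */
int rsbac_um_get_group_item(rsbac_list_ta_number_t ta_number,
                            rsbac_gid_t gid,
                            enum rsbac_um_mod_t mod,
                            union rsbac_um_mod_data_t * data_p)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_get_group_item.ta_number = ta_number;
    s_arg.um_get_group_item.gid = gid;
    s_arg.um_get_group_item.mod = mod;
    s_arg.um_get_group_item.data_p = data_p;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_get_group_item, &s_arg);
}

/* Delete user 'uid'. */
int rsbac_um_remove_user(rsbac_list_ta_number_t ta_number, rsbac_uid_t uid)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_remove_user.ta_number = ta_number;
    s_arg.um_remove_user.uid = uid;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_remove_user, &s_arg);
}

/* Delete group 'gid'. */
int rsbac_um_remove_group(rsbac_list_ta_number_t ta_number, rsbac_gid_t gid)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_remove_group.ta_number = ta_number;
    s_arg.um_remove_group.gid = gid;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_remove_group, &s_arg);
}

/* Remove user 'uid' from group 'gid'. */
int rsbac_um_remove_gm(rsbac_list_ta_number_t ta_number,
                       rsbac_uid_t uid,
                       rsbac_gid_num_t gid)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_remove_gm.ta_number = ta_number;
    s_arg.um_remove_gm.uid = uid;
    s_arg.um_remove_gm.gid = gid;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_remove_gm, &s_arg);
}

/* Existence check for user 'uid'; the result is whatever sys_rsbac() returns. */
int rsbac_um_user_exists(rsbac_list_ta_number_t ta_number, rsbac_uid_t uid)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_user_exists.ta_number = ta_number;
    s_arg.um_user_exists.uid = uid;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_user_exists, &s_arg);
}

/* Existence check for group 'gid'; the result is whatever sys_rsbac() returns. */
int rsbac_um_group_exists(rsbac_list_ta_number_t ta_number, rsbac_gid_t gid)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_group_exists.ta_number = ta_number;
    s_arg.um_group_exists.gid = gid;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_group_exists, &s_arg);
}

/* Iterate users: write the user following old_user into *next_user_p. */
int rsbac_um_get_next_user(rsbac_list_ta_number_t ta_number,
                           rsbac_uid_t old_user,
                           rsbac_uid_t * next_user_p)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_get_next_user.ta_number = ta_number;
    s_arg.um_get_next_user.old_user = old_user;
    s_arg.um_get_next_user.next_user_p = next_user_p;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_get_next_user, &s_arg);
}

/* Fill user_array with the users of virtual set vset; user_array must hold maxnum entries. */
int rsbac_um_get_user_list(rsbac_list_ta_number_t ta_number,
                           rsbac_um_set_t vset,
                           rsbac_uid_t user_array[],
                           u_int maxnum)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_get_user_list.ta_number = ta_number;
    s_arg.um_get_user_list.vset = vset;
    s_arg.um_get_user_list.user_array = user_array;
    s_arg.um_get_user_list.maxnum = maxnum;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_get_user_list, &s_arg);
}

/* Fill group_array with the groups of user 'user'; group_array must hold maxnum entries. */
int rsbac_um_get_gm_list(rsbac_list_ta_number_t ta_number,
                         rsbac_uid_t user,
                         rsbac_gid_num_t group_array[],
                         u_int maxnum)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_get_gm_list.ta_number = ta_number;
    s_arg.um_get_gm_list.user = user;
    s_arg.um_get_gm_list.group_array = group_array;
    s_arg.um_get_gm_list.maxnum = maxnum;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_get_gm_list, &s_arg);
}

/* Fill user_array with the members of group 'group'; user_array must hold maxnum entries. */
int rsbac_um_get_gm_user_list(rsbac_list_ta_number_t ta_number,
                              rsbac_gid_t group,
                              rsbac_uid_num_t user_array[],
                              u_int maxnum)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_get_gm_user_list.ta_number = ta_number;
    s_arg.um_get_gm_user_list.group = group;
    s_arg.um_get_gm_user_list.user_array = user_array;
    s_arg.um_get_gm_user_list.maxnum = maxnum;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_get_gm_user_list, &s_arg);
}

/* Fill group_array with the groups of virtual set vset; group_array must hold maxnum entries. */
int rsbac_um_get_group_list(rsbac_list_ta_number_t ta_number,
                            rsbac_um_set_t vset,
                            rsbac_gid_t group_array[],
                            u_int maxnum)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_get_group_list.ta_number = ta_number;
    s_arg.um_get_group_list.vset = vset;
    s_arg.um_get_group_list.group_array = group_array;
    s_arg.um_get_group_list.maxnum = maxnum;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_get_group_list, &s_arg);
}

/* Look up the uid of user 'name' into *uid_p. */
int rsbac_um_get_uid(rsbac_list_ta_number_t ta_number,
                     char * name,
                     rsbac_uid_t * uid_p)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_get_uid.ta_number = ta_number;
    s_arg.um_get_uid.name = name;
    s_arg.um_get_uid.uid_p = uid_p;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_get_uid, &s_arg);
}

/* Look up the gid of group 'name' into *gid_p. */
int rsbac_um_get_gid(rsbac_list_ta_number_t ta_number,
                     char * name,
                     rsbac_gid_t * gid_p)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_get_gid.ta_number = ta_number;
    s_arg.um_get_gid.name = name;
    s_arg.um_get_gid.gid_p = gid_p;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_get_gid, &s_arg);
}

/* Change the password of user 'uid' from old_pass to new_pass. */
int rsbac_um_set_pass(rsbac_uid_t uid, char * old_pass, char * new_pass)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_set_pass.uid = uid;
    s_arg.um_set_pass.old_pass = old_pass;
    s_arg.um_set_pass.new_pass = new_pass;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_set_pass, &s_arg);
}

/* Change the password of user 'name' from old_pass to new_pass. */
int rsbac_um_set_pass_name(char * name, char * old_pass, char * new_pass)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_set_pass_name.name = name;
    s_arg.um_set_pass_name.old_pass = old_pass;
    s_arg.um_set_pass_name.new_pass = new_pass;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_set_pass_name, &s_arg);
}

/* Add one-time password new_pass for user 'uid', authorised by old_pass, expiring after ttl. */
int rsbac_um_add_onetime(rsbac_uid_t uid,
                         char * old_pass,
                         char * new_pass,
                         rsbac_time_t ttl)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_add_onetime.uid = uid;
    s_arg.um_add_onetime.old_pass = old_pass;
    s_arg.um_add_onetime.new_pass = new_pass;
    s_arg.um_add_onetime.ttl = ttl;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_add_onetime, &s_arg);
}

/* Name variant of rsbac_um_add_onetime(). */
int rsbac_um_add_onetime_name(char * name,
                              char * old_pass,
                              char * new_pass,
                              rsbac_time_t ttl)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_add_onetime_name.name = name;
    s_arg.um_add_onetime_name.old_pass = old_pass;
    s_arg.um_add_onetime_name.new_pass = new_pass;
    s_arg.um_add_onetime_name.ttl = ttl;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_add_onetime_name, &s_arg);
}

/* Remove every one-time password of user 'uid', authorised by old_pass. */
int rsbac_um_remove_all_onetime(rsbac_uid_t uid, char * old_pass)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_remove_all_onetime.uid = uid;
    s_arg.um_remove_all_onetime.old_pass = old_pass;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_remove_all_onetime, &s_arg);
}

/* Name variant of rsbac_um_remove_all_onetime(). */
int rsbac_um_remove_all_onetime_name(char * name, char * old_pass)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_remove_all_onetime_name.name = name;
    s_arg.um_remove_all_onetime_name.old_pass = old_pass;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_remove_all_onetime_name, &s_arg);
}

/* Count the one-time passwords of user 'uid', authorised by old_pass. */
int rsbac_um_count_onetime(rsbac_uid_t uid, char * old_pass)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_count_onetime.uid = uid;
    s_arg.um_count_onetime.old_pass = old_pass;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_count_onetime, &s_arg);
}

/* Name variant of rsbac_um_count_onetime(). */
int rsbac_um_count_onetime_name(char * name, char * old_pass)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_count_onetime_name.name = name;
    s_arg.um_count_onetime_name.old_pass = old_pass;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_count_onetime_name, &s_arg);
}

/* Set the password of group 'gid' to new_pass (no old password is required by this call). */
int rsbac_um_set_group_pass(rsbac_gid_t gid, char * new_pass)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_set_group_pass.gid = gid;
    s_arg.um_set_group_pass.new_pass = new_pass;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_set_group_pass, &s_arg);
}

/* Account check (e.g. expiry) for user 'uid'; the result is whatever sys_rsbac() returns. */
int rsbac_um_check_account(rsbac_uid_t uid)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_check_account.uid = uid;
    return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_check_account, &s_arg);
}

int rsbac_um_check_account_name(char * name)
{
    union rsbac_syscall_arg_t s_arg;

    s_arg.um_check_account_name.name = name;
    return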
sys_rsbac(RSBAC_VERSION_NR, RSYS_um_check_account_name, &s_arg); } int rsbac_um_select_vset(rsbac_um_set_t vset) { union rsbac_syscall_arg_t s_arg; s_arg.um_select_vset.vset = vset; return sys_rsbac(RSBAC_VERSION_NR, RSYS_um_select_vset, &s_arg); } int rsbac_list_ta_begin(rsbac_time_t ttl, rsbac_list_ta_number_t * ta_number_p, rsbac_uid_t commit_uid, char * password) { union rsbac_syscall_arg_t s_arg; s_arg.list_ta_begin.ttl = ttl; s_arg.list_ta_begin.ta_number_p = ta_number_p; s_arg.list_ta_begin.commit_uid = commit_uid; s_arg.list_ta_begin.password = password; return sys_rsbac(RSBAC_VERSION_NR, RSYS_list_ta_begin, &s_arg); } int rsbac_list_ta_refresh(rsbac_time_t ttl, rsbac_list_ta_number_t ta_number, char * password) { union rsbac_syscall_arg_t s_arg; s_arg.list_ta_refresh.ttl = ttl; s_arg.list_ta_refresh.ta_number = ta_number; s_arg.list_ta_refresh.password = password; return sys_rsbac(RSBAC_VERSION_NR, RSYS_list_ta_refresh, &s_arg); } int rsbac_list_ta_commit(rsbac_list_ta_number_t ta_number, char * password) { union rsbac_syscall_arg_t s_arg; s_arg.list_ta_commit.ta_number = ta_number; s_arg.list_ta_commit.password = password; return sys_rsbac(RSBAC_VERSION_NR, RSYS_list_ta_commit, &s_arg); } int rsbac_list_ta_forget(rsbac_list_ta_number_t ta_number, char * password) { union rsbac_syscall_arg_t s_arg; s_arg.list_ta_forget.ta_number = ta_number; s_arg.list_ta_forget.password = password; return sys_rsbac(RSBAC_VERSION_NR, RSYS_list_ta_forget, &s_arg); } int rsbac_list_all_dev( rsbac_list_ta_number_t ta_number, struct rsbac_dev_desc_t * id_p, u_long maxnum) { union rsbac_syscall_arg_t arg; arg.list_all_dev.ta_number = ta_number; arg.list_all_dev.id_p = id_p; arg.list_all_dev.maxnum = maxnum; return sys_rsbac(RSBAC_VERSION_NR, RSYS_list_all_dev, &arg); } int rsbac_acl_list_all_dev( rsbac_list_ta_number_t ta_number, struct rsbac_dev_desc_t * id_p, u_long maxnum) { union rsbac_syscall_arg_t arg; arg.acl_list_all_dev.ta_number = ta_number; arg.acl_list_all_dev.id_p 
= id_p; arg.acl_list_all_dev.maxnum = maxnum; return sys_rsbac(RSBAC_VERSION_NR, RSYS_acl_list_all_dev, &arg); } int rsbac_list_all_user( rsbac_list_ta_number_t ta_number, rsbac_uid_t * id_p, u_long maxnum) { union rsbac_syscall_arg_t arg; arg.list_all_user.ta_number = ta_number; arg.list_all_user.id_p = id_p; arg.list_all_user.maxnum = maxnum; return sys_rsbac(RSBAC_VERSION_NR, RSYS_list_all_user, &arg); } int rsbac_acl_list_all_user( rsbac_list_ta_number_t ta_number, rsbac_uid_t * id_p, u_long maxnum) { union rsbac_syscall_arg_t arg; arg.acl_list_all_user.ta_number = ta_number; arg.acl_list_all_user.id_p = id_p; arg.acl_list_all_user.maxnum = maxnum; return sys_rsbac(RSBAC_VERSION_NR, RSYS_acl_list_all_user, &arg); } int rsbac_list_all_group( rsbac_list_ta_number_t ta_number, rsbac_gid_t * id_p, u_long maxnum) { union rsbac_syscall_arg_t arg; arg.list_all_group.ta_number = ta_number; arg.list_all_group.id_p = id_p; arg.list_all_group.maxnum = maxnum; return sys_rsbac(RSBAC_VERSION_NR, RSYS_list_all_group, &arg); } int rsbac_acl_list_all_group( rsbac_list_ta_number_t ta_number, rsbac_gid_t * id_p, u_long maxnum) { union rsbac_syscall_arg_t arg; arg.acl_list_all_group.ta_number = ta_number; arg.acl_list_all_group.id_p = id_p; arg.acl_list_all_group.maxnum = maxnum; return sys_rsbac(RSBAC_VERSION_NR, RSYS_acl_list_all_group, &arg); } int rsbac_list_all_ipc(rsbac_list_ta_number_t ta_number, struct rsbac_ipc_t * id_p, u_long maxnum) { union rsbac_syscall_arg_t arg; arg.list_all_ipc.ta_number = ta_number; arg.list_all_ipc.id_p = id_p; arg.list_all_ipc.maxnum = maxnum; return sys_rsbac(RSBAC_VERSION_NR, RSYS_list_all_ipc, &arg); } /************************************************* */ /* DEBUG/LOG functions */ /************************************************* */ int rsbac_adf_log_switch(enum rsbac_adf_request_t request, enum rsbac_target_t target, u_int value) { union rsbac_syscall_arg_t s_arg; s_arg.adf_log_switch.request = request; s_arg.adf_log_switch.target = 
target; s_arg.adf_log_switch.value = value; return sys_rsbac(RSBAC_VERSION_NR, RSYS_adf_log_switch, &s_arg); } int rsbac_get_adf_log(enum rsbac_adf_request_t request, enum rsbac_target_t target, u_int * value_p) { union rsbac_syscall_arg_t s_arg; s_arg.get_adf_log.request = request; s_arg.get_adf_log.target = target; s_arg.get_adf_log.value_p = value_p; return sys_rsbac(RSBAC_VERSION_NR, RSYS_get_adf_log, &s_arg); } /* * Commands to rsbac_log: * * 0 -- Close the log. Currently a NOP. * 1 -- Open the log. Currently a NOP. * 2 -- Read from the log. * 3 -- Read up to the last 4k of messages in the ring buffer. * 4 -- Read and clear last 4k of messages in the ring buffer * 5 -- Clear ring buffer. */ int rsbac_log(int type, char * buf, int len) { union rsbac_syscall_arg_t s_arg; s_arg.log.type = type; s_arg.log.buf = buf; s_arg.log.len = len; return sys_rsbac(RSBAC_VERSION_NR, RSYS_log, &s_arg); } int rsbac_init(char * root_dev) { union rsbac_syscall_arg_t arg; arg.init.root_dev = root_dev; return sys_rsbac(RSBAC_VERSION_NR, RSYS_init, &arg); } void locale_init(){ setlocale (LC_ALL, ""); bindtextdomain (PACKAGE, LOCALEDIR); textdomain (PACKAGE); } rsbac-admin-1.4.0/main/libs/helpers/acl_getname.c0000644000175000017500000000706111131371034021462 0ustar gauvaingauvain/* * acl_getname.c: Getname functions for the ACL module. * * Author and Copyright (C) 1999-2005 Amon Ott (ao@rsbac.org) * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation, version 2. * * Last modified 19/09/2000. 
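*/
#include
#include
#include
#include
#include
#ifdef __KERNEL__
#include
#else
#include
#endif

/*
 * Name tables.  Each row is sized for its longest entry plus NUL.  Note
 * that the *_name() helpers below also write the literal "ERROR!" (7 bytes
 * incl. NUL) for out-of-range values, so a caller's `name` buffer must be
 * sized for that as well, not just for the table width (the subject type
 * table rows are only 6 bytes wide).
 */
static char acl_subject_type_list[ACLS_NONE + 1][6] = {
	"USER",
	"ROLE",
	"GROUP",
	"NONE"
};

static char acl_group_syscall_list[ACLGS_none + 1][18] = {
	"add_group",
	"change_group",
	"remove_group",
	"get_group_entry",
	"list_groups",
	"add_member",
	"remove_member",
	"get_user_groups",
	"get_group_members",
	"none"
};

/*
 * ACL-specific SCD types are indexed by (value - AST_min).  The table is
 * declared with a literal 32, which the lookups below rely on being equal
 * to AST_min.
 */
static char acl_scd_type_list[AST_none - 32 + 1][20] = {
	"auth_administration",
	"none"
};

/*
 * Special ACL rights are indexed by (value - RSBAC_ACL_SPECIAL_RIGHT_BASE).
 * As above, the literal 32 must match RSBAC_ACL_SPECIAL_RIGHT_BASE.
 */
static char acl_special_right_list[ACLR_NONE - 32 + 1][20] = {
	"FORWARD",
	"ACCESS_CONTROL",
	"SUPERVISOR",
	"NONE"
};

/*
 * get_acl_subject_type_name(): copy the name of ACL subject type `value`
 * into name, or "ERROR!" if value lies beyond ACLS_NONE.
 * Returns name, or NULL if name is NULL.
 */
char *get_acl_subject_type_name(char *name, enum rsbac_acl_subject_type_t value)
{
	if (!name)
		return (NULL);
	if (value > ACLS_NONE)
		strcpy(name, "ERROR!");
	else
		strcpy(name, acl_subject_type_list[value]);
	return (name);
}

#ifndef __KERNEL__
/*
 * get_acl_subject_type_nr(): map a subject type name back to its enum
 * value.  The "NONE" sentinel row is not matched; NULL and unknown names
 * yield ACLS_NONE.
 */
enum rsbac_acl_subject_type_t get_acl_subject_type_nr(const char *name)
{
	enum rsbac_acl_subject_type_t i;

	if (!name)
		return (ACLS_NONE);
	for (i = 0; i < ACLS_NONE; i++) {
		if (!strcmp(name, acl_subject_type_list[i])) {
			return (i);
		}
	}
	return (ACLS_NONE);
}
#endif

/*
 * get_acl_group_syscall_name(): copy the name of ACL group syscall `value`
 * into name, or "ERROR!" if value lies beyond ACLGS_none.
 * Returns name, or NULL if name is NULL.
 */
char *get_acl_group_syscall_name(char *name, enum rsbac_acl_group_syscall_type_t value)
{
	if (!name)
		return (NULL);
	if (value > ACLGS_none)
		strcpy(name, "ERROR!");
	else
		strcpy(name, acl_group_syscall_list[value]);
	return (name);
}

#ifndef __KERNEL__
/*
 * get_acl_group_syscall_nr(): map a group syscall name back to its enum
 * value; the "none" sentinel row is not matched.  NULL and unknown names
 * yield ACLGS_none.
 */
enum rsbac_acl_group_syscall_type_t get_acl_group_syscall_nr(const char *name)
{
	enum rsbac_acl_group_syscall_type_t i;

	if (!name)
		return (ACLGS_none);
	for (i = 0; i < ACLGS_none; i++) {
		if (!strcmp(name, acl_group_syscall_list[i])) {
			return (i);
		}
	}
	return (ACLGS_none);
}
#endif

/*
 * get_acl_scd_type_name(): copy the name of SCD type `value` into name.
 * Values below AST_min are generic SCD types and are delegated to
 * get_scd_type_name(); the ACL-specific ones are looked up in
 * acl_scd_type_list after subtracting AST_min.
 * Returns name, or NULL if name is NULL.
 */
char *get_acl_scd_type_name(char *name, enum rsbac_acl_scd_type_t value)
{
	if (!name)
		return (NULL);
	if (value < AST_min) {
		return (get_scd_type_name(name, value));
	}
	value -= AST_min;
	/*
	 * Bound against the table itself.  It holds AST_none - 32 + 1 rows,
	 * but the previous test compared the already-offset value against
	 * AST_none, so every value between the end of the table and AST_none
	 * was read from past the end of acl_scd_type_list.
	 */
	if (value >= sizeof(acl_scd_type_list) / sizeof(acl_scd_type_list[0])) {
		strcpy(name, "ERROR!");
		return (name);
	}
	strcpy(name, acl_scd_type_list[value]);
	return (name);
}

#ifndef __KERNEL__
enum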
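rsbac_acl_scd_type_t get_acl_scd_type_nr(const char *name)
{
	enum rsbac_acl_scd_type_t i;

	if (!name)
		return (AST_none);
	/*
	 * ACL-specific SCD types live in acl_scd_type_list; a hit is offset
	 * back by the literal 32 the table was declared with (the _name
	 * counterpart uses AST_min for the same offset).  Anything else is
	 * retried as a generic SCD type.
	 */
	for (i = 0; i < AST_none - 32; i++) {
		if (!strcmp(name, acl_scd_type_list[i])) {
			return (i + 32);
		}
	}
	return (get_scd_type_nr(name));
}
#endif

/*
 * get_acl_special_right_name(): copy the textual name of ACL right `value`
 * into name.  Rights below RSBAC_ACL_SPECIAL_RIGHT_BASE are ordinary
 * requests and are resolved by get_request_name(); the special rights are
 * looked up in acl_special_right_list after subtracting the base.
 * name must have room for the widest table row and for "ERROR!" (7 bytes
 * incl. NUL).  Returns name, or NULL if name is NULL.
 */
char *get_acl_special_right_name(char *name, enum rsbac_acl_special_rights_t value)
{
	if (!name)
		return (NULL);
	if (value < RSBAC_ACL_SPECIAL_RIGHT_BASE) {
		return (get_request_name(name, value));
	}
	value -= RSBAC_ACL_SPECIAL_RIGHT_BASE;
	/*
	 * Bound against the table itself.  It holds ACLR_NONE - 32 + 1 rows,
	 * but the previous test compared the already-offset value against
	 * ACLR_NONE, so values between the end of the table and ACLR_NONE
	 * were read from past the end of acl_special_right_list.
	 */
	if (value >= sizeof(acl_special_right_list) / sizeof(acl_special_right_list[0])) {
		strcpy(name, "ERROR!");
		return (name);
	}
	strcpy(name, acl_special_right_list[value]);
	return (name);
}

#ifndef __KERNEL__
/*
 * get_acl_special_right_nr(): map a right name to its enum value.  Special
 * rights are matched against the table (the "NONE" sentinel row excluded)
 * and offset by RSBAC_ACL_SPECIAL_RIGHT_BASE; any other name is handed to
 * get_request_nr().  NULL yields ACLR_NONE.
 */
enum rsbac_acl_special_rights_t get_acl_special_right_nr(const char *name)
{
	enum rsbac_acl_special_rights_t i;

	if (!name)
		return (ACLR_NONE);
	for (i = 0; i < (ACLR_NONE - RSBAC_ACL_SPECIAL_RIGHT_BASE); i++) {
		if (!strcmp(name, acl_special_right_list[i])) {
			return (i + RSBAC_ACL_SPECIAL_RIGHT_BASE);
		}
	}
	return (get_request_nr(name));
}
#endif
rsbac-admin-1.4.0/main/libs/helpers/cap_getname.c0000644000175000017500000000536411131371035021473 0ustar gauvaingauvain/********************************** */
/* Rule Set Based Access Control */
/* Author and (c) 1999-2008: */
/* Amon Ott */
/* Getname functions for CAP module */
/* Last modified: 13/Feb/2008 */
/********************************** */
#include
#include
#include
#include
#ifdef __KERNEL__
#include
#include
#include
#include
#include
#else
#include
#endif
/*****************************************/
#ifdef __KERNEL__
#ifdef CONFIG_RSBAC_CAP_LOG_MISSING
/*
 * rsbac_cap_log_missing_cap(): kernel-only debug helper.  Looks up the
 * current process's A_max_caps_user (and, further down, A_max_caps_program)
 * attribute and emits a KERN_DEBUG line when capability `cap` is not part
 * of that ceiling.  Purely informational; it grants or denies nothing.
 */
void rsbac_cap_log_missing_cap(int cap)
{
	char * tmp;
	union rsbac_target_id_t i_tid;
	union rsbac_attribute_value_t i_attr_val1;

#if 0 && LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
	if(cap == CAP_SYS_ADMIN)
		return;
#endif
	i_tid.process = task_pid(current);
	if (rsbac_get_attr(SW_CAP, T_PROCESS, i_tid, A_max_caps_user, &i_attr_val1, FALSE)) {
		rsbac_ds_get_error("rsbac_cap_log_missing_cap()", A_max_caps_user);
	} else {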
if(!((i_attr_val1.max_caps_user.cap[0] & (1 << cap)) || ((i_attr_val1.max_caps_user.cap[1] & (1 << cap))))) {
	/* NOTE(review): both 32-bit words of the cap set are tested with the
	 * same "1 << cap".  For cap >= 32 that shift is wider than the word,
	 * and the second word presumably wants "1 << (cap - 32)" -- confirm
	 * against the cap set layout before changing.  This path only logs,
	 * so the effect is a missing or spurious debug line, not a decision. */
	tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
	if(tmp) {
		get_cap_name(tmp, cap);
		rsbac_printk(KERN_DEBUG "capable(): pid %u(%.15s), uid %u: missing user max_cap %s!\n", current->pid, current->comm, current->uid, tmp);
		rsbac_kfree(tmp);
	}
}
}
/* Same check against the program's capability ceiling. */
if (rsbac_get_attr(SW_CAP, T_PROCESS, i_tid, A_max_caps_program, &i_attr_val1, FALSE)) {
	rsbac_ds_get_error("rsbac_cap_log_missing_cap()", A_max_caps_program);
} else {
	/* same two-word test as above; the note on the shift applies here too */
	if(!((i_attr_val1.max_caps_program.cap[0] & (1 << cap)) || (i_attr_val1.max_caps_program.cap[1] & (1 << cap)))) {
		tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
		if(tmp) {
			get_cap_name(tmp, cap);
			rsbac_printk(KERN_DEBUG "capable(): pid %u(%.15s), uid %u: missing program max_cap %s!\n", current->pid, current->comm, current->uid, tmp);
			rsbac_kfree(tmp);
		}
	}
}
}
#endif
#endif
rsbac-admin-1.4.0/main/libs/helpers/pm_getname.c0000644000175000017500000002362311131371035021342 0ustar gauvaingauvain/*
 * pm_getname.c: Getname functions for the PM module.
 *
 * Author and Copyright (C) 1999-2005 Amon Ott (ao@rsbac.org)
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2.
 *
 * Last modified 19/10/2004.
*/ #include #include #include #ifdef __KERNEL__ #include #else #include #endif static char pm_list[PL_none][6] = { "task", "class", "na", "cs", "tp", "pp", "tkt" }; static char pm_all_list[PA_none][11] = { "task", "class", "na", "cs", "tp", "pp", "tkt", "task_set", "tp_set", "ru_set", "pp_set", "in_pp_set", "out_pp_set" }; static char pm_role[PR_none + 1][24] = { "user", "security_officer", "data_protection_officer", "tp_manager", "system_admin", "none" }; static char pm_process_type[PP_TP + 1][5] = { "none", "tp" }; static char pm_object_type[PO_dir + 1][18] = { "none", "tp", "personal_data", "non_personal_data", "ipc", "dir" }; #ifdef __KERNEL__ static char pm_set[PS_NONE + 1][5] = { "TASK", "TP", "RU", "PP", "NONE" }; static char pm_target[PMT_NONE + 1][6] = { "TASK", "CLASS", "NA", "CS", "TP", "PP", "TKT", "NONE" }; static char pm_data[PD_none + 1][15] = { "purpose", "tp_set", "ru_set", "pp_set", "task", "class", "tp", "accesses", "file", "issuer", "function_type", "function_param", "valid_until", "def_class", "none" }; #endif static char pm_function_type[PF_none + 1][24] = { "add_na", "delete_na", "add_task", "delete_task", "add_object_class", "delete_object_class", "add_authorized_tp", "delete_authorized_tp", "add_consent", "delete_consent", "add_purpose", "delete_purpose", "add_responsible_user", "delete_responsible_user", "delete_user_aci", "set_role", "set_object_class", "switch_pm", "switch_auth", "set_device_object_type", "set_auth_may_setuid", "set_auth_may_set_cap", /* issued by user also */ "add_authorized_task", "delete_authorized_task", /* called by tp_manager */ "create_tp", "delete_tp", "set_tp", "create_ticket", "none" }; #ifndef __KERNEL__ static char pm_function_param[PF_none + 1][123] = { "\t\tticket task class tp accesses (class can be IPC, DEV or NIL)", "\tticket task class tp accesses (class can be IPC, DEV or NIL)", "\tticket id purpose", "\tticket id", "ticket id purpose1 purpose2 ...", "ticket id", "ticket task tp", "ticket task tp", 
"\tticket filename purpose", "\tticket filename purpose", "\tticket id default-class\n (class created, if necessary, and purpose added to pp-list of class)", "\tticket id", "ticket user task", "ticket user task", "ticket id", "\tticket user role\n (roles: user|security_officer|data_protection_officer|tp_manager|system_admin)", "ticket filename object_class\n (also sets object_type personal_data (cl!=0) or non_personal_data (cl=0)", "\tticket value (0 or 1)", "\tticket value (0 or 1)", "ticket devicename object_type [object_class]\n (types: none, tp, personal_data, non_personal_data)\n (default class is DEV)", "ticket filename value(0 or 1)", "ticket filename value(0 or 1)", /* issued by user also */ "ticket user task", "ticket user task", /* called by tp_manager */ "\tid", "\tid", "\t\tfilename id", /* create_ticket */ "(call with create_ticket for params)", "INVALID" }; #endif static char pm_tkt_function_type[PTF_none + 1][25] = { "add_na", "delete_na", "add_task", "delete_task", "add_object_class", "delete_object_class", "add_authorized_tp", "delete_authorized_tp", "add_consent", "delete_consent", "add_purpose", "delete_purpose", "add_responsible_user", "delete_responsible_user", "delete_user_aci", "set_role", "set_object_class", "switch_pm", "switch_auth", "set_device_object_type", "set_auth_may_setuid", "set_auth_may_set_cap", /* issued by user also */ "add_authorized_task", "delete_authorized_task", "none" }; #ifndef __KERNEL__ static char pm_tkt_function_param[PTF_none + 1][116] = { "\t\ttask class tp accesses (class can be IPC, DEV or NIL)", "\ttask class tp accesses (class can be IPC, DEV or NIL)", "\tid purpose", "\tid", "id purpose1 purpose2 ...", "id", "task tp", "task tp", "\tfilename purpose", "\tfilename purpose", "\tid default-class (class must not be NIL, IPC or DEV)", "\tid", "user task", "user task", "user", "\tuser role\n (roles: user|security_officer|data_protection_officer|tp_manager|system_admin)", "filename object_class\n (sets object_type 
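personal_data (cl!=0) or non_personal_data (cl=0)",
	"\tvalue (0 or 1)",
	"\tvalue (0 or 1)",
	"devicename object_type [object_class]\n (types: none, tp, personal_data, non_personal_data)\n (default class is DEV)",
	"filename value(0 or 1)",
	"filename value(0 or 1)",
	/* issued by user also */
	"user task",
	"user task",
	"INVALID"
};
#endif

/*
 * Name <-> number helpers for the PM tables above.  The *_name() helpers
 * copy into `name` with strcpy() and write "ERROR!" (7 bytes incl. NUL) for
 * out-of-range values, so `name` must be sized for that as well as for the
 * widest row of the table in question (pm_list rows are only 6 bytes).
 */

/*
 * get_pm_list_name(): copy the name of PM list `value` into name.
 * pm_list is declared with PL_none rows and has no sentinel row, so
 * PL_none itself is already out of range.
 * Returns name, or NULL if name is NULL.
 */
char *get_pm_list_name(char *name, enum rsbac_pm_list_t value)
{
	if (!name)
		return (NULL);
	/* ">=": the former "value > PL_none" let PL_none index one row past
	 * the end of the PL_none-sized table. */
	if (value >= PL_none)
		strcpy(name, "ERROR!");
	else
		strcpy(name, pm_list[value]);
	return (name);
}

/*
 * get_pm_list_nr(): map a PM list name to its enum value.  NULL and
 * unknown names yield PL_none.
 */
enum rsbac_pm_list_t get_pm_list_nr(const char *name)
{
	enum rsbac_pm_list_t i;

	if (!name)
		return (PL_none);
	for (i = 0; i < PL_none; i++) {
		if (!strcmp(name, pm_list[i])) {
			return (i);
		}
	}
	return (PL_none);
}

/*
 * get_pm_all_list_name(): like get_pm_list_name() for the extended table
 * pm_all_list, which is declared with PA_none rows and no sentinel.
 */
char *get_pm_all_list_name(char *name, enum rsbac_pm_all_list_t value)
{
	if (!name)
		return (NULL);
	/* ">=" for the same reason as in get_pm_list_name() */
	if (value >= PA_none)
		strcpy(name, "ERROR!");
	else
		strcpy(name, pm_all_list[value]);
	return (name);
}

/*
 * get_pm_all_list_nr(): map an extended PM list name to its enum value.
 * NULL and unknown names yield PA_none.
 */
enum rsbac_pm_all_list_t get_pm_all_list_nr(const char *name)
{
	enum rsbac_pm_all_list_t i;

	if (!name)
		return (PA_none);
	for (i = 0; i < PA_none; i++) {
		if (!strcmp(name, pm_all_list[i])) {
			return (i);
		}
	}
	return (PA_none);
}

/****/

/*
 * get_pm_role_name(): copy the name of PM role `value` into name.  pm_role
 * carries a trailing "none" row, so PR_none is a valid index and only
 * values beyond it give "ERROR!".  Returns name, or NULL if name is NULL.
 */
char *get_pm_role_name(char *name, enum rsbac_pm_role_t value)
{
	if (!name)
		return (NULL);
	if (value > PR_none)
		strcpy(name, "ERROR!");
	else
		strcpy(name, pm_role[value]);
	return (name);
}

/*
 * get_pm_role_nr(): map a role name to its enum value.  The "none"
 * sentinel row is not matched; NULL and unknown names yield PR_none.
 */
enum rsbac_pm_role_t get_pm_role_nr(const char *name)
{
	enum rsbac_pm_role_t i;

	if (!name)
		return (PR_none);
	for (i = 0; i < PR_none; i++) {
		if (!strcmp(name, pm_role[i])) {
			return (i);
		}
	}
	return (PR_none);
}

/*
 * get_pm_process_type_name(): copy the name of process type `value` into
 * name.  pm_process_type has PP_TP + 1 rows ("none", "tp"), so PP_TP is
 * the highest valid value.  Returns name, or NULL if name is NULL.
 */
char *get_pm_process_type_name(char *name, enum rsbac_pm_process_type_t value)
{
	if (!name)
		return (NULL);
	if (value > PP_TP)
		strcpy(name, "ERROR!");
	else
		strcpy(name, pm_process_type[value]);
	return (name);
}

/*
 * get_pm_process_type_nr(): map a process type name to its enum value.
 * The loop is inclusive of PP_TP: the table's last row is a real type, not
 * a sentinel, and the former "i < PP_TP" bound could never return PP_TP
 * for "tp".  NULL and unknown names yield PP_none.
 */
enum rsbac_pm_process_type_t get_pm_process_type_nr(const char *name)
{
	enum rsbac_pm_process_type_t i;

	if (!name)
		return (PP_none);
	for (i = 0; i <= PP_TP; i++) {
		if (!strcmp(name, pm_process_type[i])) {
			return (i);
		}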
} return (PP_none); }; char *get_pm_object_type_name(char *name, enum rsbac_pm_object_type_t value) { if (!name) return (NULL); if (value > PO_dir) strcpy(name, "ERROR!"); else strcpy(name, pm_object_type[value]); return (name); }; enum rsbac_pm_object_type_t get_pm_object_type_nr(const char *name) { enum rsbac_pm_object_type_t i; if (!name) return (PO_none); for (i = 0; i < PO_dir; i++) { if (!strcmp(name, pm_object_type[i])) { return (i); } } return (PO_none); }; #ifdef __KERNEL__ char *get_pm_set_name(char *name, enum rsbac_pm_set_t value) { if (!name) return (NULL); if (value > PS_NONE) strcpy(name, "ERROR!"); else strcpy(name, pm_set[value]); return (name); }; enum rsbac_pm_set_t get_pm_set_nr(const char *name) { enum rsbac_pm_set_t i; if (!name) return (PS_NONE); for (i = 0; i < PS_NONE; i++) { if (!strcmp(name, pm_set[i])) { return (i); } } return (PS_NONE); }; char *get_pm_target_name(char *name, enum rsbac_pm_target_t value) { if (!name) return (NULL); if (value > PMT_NONE) strcpy(name, "ERROR!"); else strcpy(name, pm_target[value]); return (name); }; enum rsbac_pm_target_t get_pm_target_nr(const char *name) { enum rsbac_pm_target_t i; if (!name) return (PMT_NONE); for (i = 0; i < PMT_NONE; i++) { if (!strcmp(name, pm_target[i])) { return (i); } } return (PMT_NONE); }; char *get_pm_data_name(char *name, enum rsbac_pm_data_t value) { if (!name) return (NULL); if (value > PD_none) strcpy(name, "ERROR!"); else strcpy(name, pm_data[value]); return (name); }; enum rsbac_pm_data_t get_pm_data_nr(const char *name) { enum rsbac_pm_data_t i; if (!name) return (PD_none); for (i = 0; i < PD_none; i++) { if (!strcmp(name, pm_data[i])) { return (i); } } return (PD_none); }; #endif char *get_pm_function_type_name(char *name, enum rsbac_pm_function_type_t value) { if (!name) return (NULL); if (value > PF_none) strcpy(name, "ERROR!"); else strcpy(name, pm_function_type[value]); return (name); }; enum rsbac_pm_function_type_t get_pm_function_type_nr(const char *name) { 
enum rsbac_pm_function_type_t i; if (!name) return (PF_none); for (i = 0; i < PF_none; i++) { if (!strcmp(name, pm_function_type[i])) { return (i); } } return (PF_none); }; #ifndef __KERNEL__ char *get_pm_function_param(char *name, enum rsbac_pm_function_type_t value) { if (!name) return (NULL); if (value > PF_none) strcpy(name, "ERROR!"); else strcpy(name, pm_function_param[value]); return (name); }; #endif char *get_pm_tkt_function_type_name(char *name, enum rsbac_pm_tkt_function_type_t value) { if (!name) return (NULL); if (value > PTF_none) strcpy(name, "ERROR!"); else strcpy(name, pm_tkt_function_type[value]); return (name); }; enum rsbac_pm_tkt_function_type_t get_pm_tkt_function_type_nr(const char *name) { enum rsbac_pm_tkt_function_type_t i; if (!name) return (PTF_none); for (i = 0; i < PTF_none; i++) { if (!strcmp(name, pm_tkt_function_type[i])) { return (i); } } return (PTF_none); }; #ifndef __KERNEL__ char *get_pm_tkt_function_param(char *name, enum rsbac_pm_tkt_function_type_t value) { if (!name) return (NULL); if (value > PTF_none) strcpy(name, "ERROR!"); else strcpy(name, pm_tkt_function_param[value]); return (name); }; #endif rsbac-admin-1.4.0/main/libs/helpers/jail_getname.c0000644000175000017500000000331311131371034021636 0ustar gauvaingauvain/*********************************** */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2008: */ /* Amon Ott */ /* Getname functions for JAIL module */ /* Last modified: 13/Feb/2008 */ /*********************************** */ #include #include #include #include #ifdef __KERNEL__ #include #include #include #include #include #else #include #endif #ifdef __KERNEL__ #ifdef CONFIG_RSBAC_JAIL_LOG_MISSING void rsbac_jail_log_missing_cap(int cap) { char * tmp; union rsbac_target_id_t i_tid; union rsbac_attribute_value_t i_attr_val1; i_tid.process = task_pid(current); if (rsbac_get_attr(SW_JAIL, T_PROCESS, i_tid, A_jail_max_caps, &i_attr_val1, FALSE)) { rsbac_ds_get_error("rsbac_jail_log_missing_cap()", 
A_jail_max_caps); } else { if(!((i_attr_val1.jail_max_caps.cap[0] & (1 << cap)) || (i_attr_val1.jail_max_caps.cap[1] & (1 << cap)))) { tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); if(tmp) { get_cap_name(tmp, cap); rsbac_printk(KERN_DEBUG "capable(): pid %u(%.15s), uid %u: missing jail_max_cap %s!\n", current->pid, current->comm, current->uid, tmp); rsbac_kfree(tmp); } } } } #endif #endif rsbac-admin-1.4.0/main/libs/helpers/net_getname.c0000644000175000017500000002110411131371035021504 0ustar gauvaingauvain/* * net_getname.c: Getname functions for the Network * * Author and Copyright (C) 1999-2005 Amon Ott (ao@rsbac.org) * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation, version 2. * * Last modified 13/03/2002. */ #include #include #include #include #include #ifdef __KERNEL__ #include #include #else #include #include #include #endif static char net_temp_syscall_list[NTS_none + 1][19] = { "new_template", "copy_template", "delete_template", "check_id", "get_address", "get_address_family", "get_type", "get_protocol", "get_netdev", "get_ports", "get_name", "set_address", "set_address_family", "set_type", "set_protocol", "set_netdev", "set_ports", "set_name", "none" }; static char net_family_list[AF_MAX + 1][19] = { "ANY", /* 0 */ "UNIX", /* 1 Unix domain sockets */ "INET", /* 2 Internet IP Protocol */ "AX25", /* 3 Amateur Radio AX.25 */ "IPX", /* 4 Novell IPX */ "APPLETALK", /* 5 AppleTalk DDP */ "NETROM", /* 6 Amateur Radio NET/ROM */ "BRIDGE", /* 7 Multiprotocol bridge */ "ATMPVC", /* 8 ATM PVCs */ "X25", /* 9 Reserved for X.25 project */ "INET6", /* 10 IP version 6 */ "ROSE", /* 11 Amateur Radio X.25 PLP */ "DECnet", /* 12 Reserved for DECnet project */ "NETBEUI", /* 13 Reserved for 802.2LLC project */ "SECURITY", /* 14 Security callback pseudo AF */ "KEY", /* 15 PF_KEY key management API */ "NETLINK", /* 16 */ "PACKET", /* 17 Packet family */ "ASH", 
/* 18 Ash */ "ECONET", /* 19 Acorn Econet */ "ATMSVC", /* 20 ATM SVCs */ "(undefined)", /* 21 */ "SNA", /* 22 Linux SNA Project (nutters!) */ "IRDA", /* 23 IRDA sockets */ "PPPOX", /* 24 PPPoX sockets */ "WANPIPE", /* 25 Wanpipe API Sockets */ "(undefined)", /* 26 */ "(undefined)", /* 27 */ "(undefined)", /* 28 */ "(undefined)", /* 29 */ "(undefined)", /* 30 */ "BLUETOOTH", /* 31 Bluetooth sockets */ "MAX" }; struct proto_desc_t { char name[19]; int nr; }; #define NR_PROTO 18 static struct proto_desc_t net_protocol_list[NR_PROTO] = { {"ANY", 0}, /* 0 Dummy protocol for TCP */ {"ICMP", 1}, /* Internet Control Message Protocol */ {"IGMP", 2}, /* Internet Group Management Protocol */ {"IPIP", 4}, /* IPIP tunnels (older KA9Q tunnels use 94) */ {"TCP", 6}, /* Transmission Control Protocol */ {"EGP", 8}, /* Exterior Gateway Protocol */ {"PUP", 12}, /* PUP protocol */ {"UDP", 17}, /* User Datagram Protocol */ {"IDP", 22}, /* XNS IDP protocol */ {"RSVP", 46}, /* RSVP protocol */ {"GRE", 47}, /* Cisco GRE tunnels (rfc 1701,1702) */ {"IPV6", 41}, /* IPv6-in-IPv4 tunnelling */ {"PIM", 103}, /* Protocol Independent Multicast */ {"ESP", 50}, /* Encapsulation Security Payload protocol */ {"AH", 51}, /* Authentication Header protocol */ {"COMP", 108}, /* Compression Header protocol */ {"RAW", 255}, /* Raw IP packets */ {"MAX", RSBAC_NET_PROTO_MAX}, }; #define NR_NL_PROTO 20 static struct proto_desc_t net_netlink_protocol_list[NR_NL_PROTO] = { {"ROUTE",0}, /* 0 Routing/device hook */ {"UNUSED",1}, /* 1 Unused number */ {"USERSOCK",2}, /* 2 Reserved for user mode socket protocols */ {"FIREWALL",3}, /* 3 Firewalling hook */ {"INET_DIAG",4}, /* 4 INET socket monitoring */ {"NFLOG",5}, /* 5 netfilter/iptables ULOG */ {"XFRM",6}, /* 6 ipsec */ {"SELINUX",7}, /* 7 SELinux event notifications */ {"ISCSI",8}, /* 8 Open-iSCSI */ {"AUDIT",9}, /* 9 auditing */ {"FIB_LOOKUP",10}, {"CONNECTOR",11}, {"NETFILTER",12}, /* 12 netfilter subsystem */ {"IP6_FW",13}, {"DNRTMSG",14}, /* 14 DECnet 
routing messages */ {"KOBJECT_UEVENT",15}, /* 15 Kernel messages to userspace */ {"GENERIC",16}, {"DM",17}, /* 17 (DM Events) */ {"SCSITRANSPORT",18}, /* 18 SCSI Transports */ {"ECRYPTFS",19} }; static char rsbac_net_type_list[RSBAC_NET_TYPE_MAX + 1][19] = { "ANY", "STREAM", /* 1 stream (connection) socket */ "DGRAM", /* 2 datagram (conn.less) socket */ "RAW", /* 3 raw socket */ "RDM", /* 4 reliably-delivered message */ "SEQPACKET", /* 5 sequential packet socket */ "(undefined)", /* 6 */ "(undefined)", /* 7 */ "(undefined)", /* 8 */ "(undefined)", /* 9 */ "PACKET", /* 10 linux specific way of */ /* getting packets at the dev */ /* level. For writing rarp and */ /* other similar things on the */ /* user level. */ "MAX" }; /*****************************************/ char *rsbac_get_net_temp_syscall_name(char *name, enum rsbac_net_temp_syscall_t value) { if (!name) return (NULL); if (value > NTS_none) strcpy(name, "ERROR!"); else strcpy(name, net_temp_syscall_list[value]); return (name); }; #ifndef __KERNEL__ enum rsbac_net_temp_syscall_t rsbac_get_net_temp_syscall_nr(const char *name) { enum rsbac_net_temp_syscall_t i; if (!name) return (NTS_none); for (i = 0; i < NTS_none; i++) { if (!strcmp(name, net_temp_syscall_list[i])) { return (i); } } return (NTS_none); }; #endif #ifdef __KERNEL__ #if defined(CONFIG_RSBAC_REG) || defined(CONFIG_RSBAC_REG_MAINT) EXPORT_SYMBOL(rsbac_get_net_family_name); #endif #endif char *rsbac_get_net_family_name(char *name, u_int value) { if (!name) return (NULL); if (value > AF_MAX) strcpy(name, "ERROR!"); else strcpy(name, net_family_list[value]); return (name); }; #ifndef __KERNEL__ int rsbac_get_net_family_nr(const char *name) { int i; if (!name) return (AF_MAX); for (i = 0; i < AF_MAX; i++) { if (!strcmp(name, net_family_list[i])) { return (i); } } return (AF_MAX); }; #endif #ifdef __KERNEL__ #if defined(CONFIG_RSBAC_REG) || defined(CONFIG_RSBAC_REG_MAINT) EXPORT_SYMBOL(rsbac_get_net_protocol_name); #endif #endif char 
*rsbac_get_net_protocol_name(char *name, u_int value) { int i; if (!name) return (NULL); if (value >= RSBAC_NET_PROTO_MAX) strcpy(name, "ERROR!"); else { for (i = 0; i < NR_PROTO; i++) { if (net_protocol_list[i].nr == value) { strcpy(name, net_protocol_list[i].name); return name; } } sprintf(name, "%u", value); } return (name); }; char *rsbac_get_netlink_protocol_name(char *name, u_int value) { int i; if (!name) return (NULL); if (value >= RSBAC_NET_PROTO_MAX) strcpy(name, "ERROR!"); else { for (i = 0; i < NR_NL_PROTO; i++) { if (net_netlink_protocol_list[i].nr == value) { strcpy(name, net_netlink_protocol_list[i].name); return name; } } sprintf(name, "%u", value); } return (name); }; #ifndef __KERNEL__ int rsbac_get_net_protocol_nr(const char *name) { int i; if (!name) return (RSBAC_NET_PROTO_MAX); for (i = 0; i < NR_PROTO; i++) { if (!strcmp(name, net_protocol_list[i].name)) { return (net_protocol_list[i].nr); } } return (RSBAC_NET_PROTO_MAX); }; int rsbac_get_netlink_protocol_nr(const char *name) { int i; if (!name) return (RSBAC_NET_PROTO_MAX); for (i = 0; i < NR_NL_PROTO; i++) { if (!strcmp(name, net_netlink_protocol_list[i].name)) { return (net_netlink_protocol_list[i].nr); } } return (RSBAC_NET_PROTO_MAX); }; #endif #ifdef __KERNEL__ #if defined(CONFIG_RSBAC_REG) || defined(CONFIG_RSBAC_REG_MAINT) EXPORT_SYMBOL(rsbac_get_net_type_name); #endif #endif char *rsbac_get_net_type_name(char *name, u_int value) { if (!name) return (NULL); if (value > RSBAC_NET_TYPE_MAX) strcpy(name, "ERROR!"); else strcpy(name, rsbac_net_type_list[value]); return (name); }; #ifndef __KERNEL__ int rsbac_get_net_type_nr(const char *name) { int i; if (!name) return (RSBAC_NET_TYPE_MAX); for (i = 0; i < RSBAC_NET_TYPE_MAX; i++) { if (!strcmp(name, rsbac_net_type_list[i])) { return (i); } } return (RSBAC_NET_TYPE_MAX); }; #endif #ifdef __KERNEL__ int rsbac_net_str_to_inet(char *str, __u32 * addr) { char *end; __u32 s0, s1, s2, s3; if (!str || !addr) return -RSBAC_EINVALIDPOINTER; end = 
str; while (*end) { if ((*end != '.') && (*end != '\n') && (*end != ' ') && ((*end < '0') || (*end > '9') ) ) return -RSBAC_EINVALIDVALUE; end++; } s0 = simple_strtoul(str, &end, 10); if (!*end || (s0 > 255)) return -RSBAC_EINVALIDVALUE; end++; s1 = simple_strtoul(end, &end, 10); if (!*end || (s1 > 255)) return -RSBAC_EINVALIDVALUE; end++; s2 = simple_strtoul(end, &end, 10); if (!*end || (s2 > 255)) return -RSBAC_EINVALIDVALUE; end++; s3 = simple_strtoul(end, &end, 10); if (*end || (s3 > 255)) return -RSBAC_EINVALIDVALUE; *addr = s3 | (s2 << 8) | (s1 << 16) | (s0 << 24); *addr = htonl(*addr); return 0; } #endif rsbac-admin-1.4.0/main/libs/helpers/res_getname.c0000644000175000017500000000210011131371035021502 0ustar gauvaingauvain/* * res_getname.c: Getname functions for the RES module. * * Author and Copyright (C) 1999-2005 Amon Ott (ao@rsbac.org) * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation, version 2. * * Last modified 22/10/2002. */ #ifndef __KERNEL__ #include #include #include #include #include static char res_list[RSBAC_RES_MAX + 2][8] = { "cpu", "fsize", "data", "stack", "core", "rss", "nproc", "nofile", "memlock", "as", "locks", "NONE" }; char *get_res_name(char *name, u_int value) { if (!name) return (NULL); if (value > RSBAC_RES_MAX) strcpy(name, "ERROR!"); else strcpy(name, res_list[value]); return (name); }; int get_res_nr(const char *name) { int i; if (!name) return (RSBAC_RES_NONE); for (i = 0; i <= RSBAC_RES_MAX; i++) { if (!strcmp(name, res_list[i])) { return (i); } } return (RSBAC_RES_NONE); }; #endif rsbac-admin-1.4.0/main/libs/helpers/net_helpers.c0000644000175000017500000000544411131371035021537 0ustar gauvaingauvain/* * net_helpers.c: Helper functions for the Network. 
* * Author and Copyright (C) 1999-2005 Amon Ott (ao@rsbac.org) * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation, version 2. * * Last modified 24/04/2002. */ #include #ifdef __KERNEL__ #include #endif __u32 rsbac_net_make_mask_u32(__u8 bits) { __u32 res; __u8 res0 = 0; __u8 res1 = 0; __u8 res2 = 0; __u8 res3 = 0; int i; if (bits >= 32) return (__u32) - 1; if (!bits) return 0; if (bits >= 24) { bits -= 24; res0 = 255; res1 = 255; res2 = 255; for (i = 0; i < bits; i++) res3 |= 1 << (7 - i); } else if (bits >= 16) { bits -= 16; res0 = 255; res1 = 255; res3 = 0; for (i = 0; i < bits; i++) res2 |= 1 << (7 - i); } else if (bits >= 8) { bits -= 8; res0 = 255; res2 = 0; res3 = 0; for (i = 0; i < bits; i++) res1 |= 1 << (7 - i); } else { res1 = 0; res2 = 0; res3 = 0; for (i = 0; i < bits; i++) res0 |= 1 << (7 - i); } res = (res3 << 24) | (res2 << 16) | (res1 << 8) | res0; return res; } #ifdef __KERNEL__ /* The lookup data param is always second, so we use it as description here! 
*/ int rsbac_net_compare_data(void *data1, void *data2) { struct rsbac_net_temp_data_t *temp = data1; struct rsbac_net_description_t *desc = data2; if (!temp || !desc) return 1; if ((temp->address_family != RSBAC_NET_ANY) && (temp->address_family != desc->address_family) ) return 1; switch (desc->address_family) { case AF_INET: { __u32 mask; int i; if(temp->address.inet.nr_addr == 0) return 1; if ((temp->type != RSBAC_NET_ANY) && (desc->type != temp->type) ) return 1; if ((temp->protocol != RSBAC_NET_ANY) && (desc->protocol != temp->protocol) ) return 1; if(temp->ports.nr_ports > 0) { i=0; while(i < temp->ports.nr_ports) { if ((desc->port >= temp->ports.ports[i].min) && (desc->port <= temp->ports.ports[i].max)) break; i++; } if(i == temp->ports.nr_ports) return 1; } if (temp->netdev[0] && (!desc->netdev[0] || strncmp(desc->netdev, temp->netdev, RSBAC_IFNAMSIZ)) ) return 1; if (!desc->address) return 1; i=0; while(i < temp->address.inet.nr_addr) { mask = rsbac_net_make_mask_u32(temp->address.inet.valid_bits[i]); if ((((*(__u32 *) desc->address) & mask) == (temp->address.inet.addr[i] & mask)) ) return 0; i++; } return 1; } /* Other address families: only socket type checks for now */ default: if ((temp->type != RSBAC_NET_ANY) && (desc->type != temp->type) ) return 1; return 0; } return 1; } #endif rsbac-admin-1.4.0/main/libs/helpers/nls.h0000644000175000017500000000522011131371034020017 0ustar gauvaingauvain/* Convenience header for conditional use of GNU . Copyright (C) 1995-1998, 2000-2002 Free Software Foundation, Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU Library General Public License for more details. You should have received a copy of the GNU Library General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifndef __RSBAC_LOCALE_H #define __RSBAC_LOCALE_H #endif #ifndef _LIBGETTEXT_H #define _LIBGETTEXT_H 1 #include /* NLS can be disabled through the configure --disable-nls option. */ #if ENABLE_NLS /* Get declarations of GNU message catalog functions. */ # include #else /* Disabled NLS. The casts to 'const char *' serve the purpose of producing warnings for invalid uses of the value returned from these functions. On pre-ANSI systems without 'const', the config.h file is supposed to contain "#define const". */ # define gettext(Msgid) ((const char *) (Msgid)) # define dgettext(Domainname, Msgid) ((const char *) (Msgid)) # define dcgettext(Domainname, Msgid, Category) ((const char *) (Msgid)) # define ngettext(Msgid1, Msgid2, N) \ ((N) == 1 ? (const char *) (Msgid1) : (const char *) (Msgid2)) # define dngettext(Domainname, Msgid1, Msgid2, N) \ ((N) == 1 ? (const char *) (Msgid1) : (const char *) (Msgid2)) # define dcngettext(Domainname, Msgid1, Msgid2, N, Category) \ ((N) == 1 ? (const char *) (Msgid1) : (const char *) (Msgid2)) # define textdomain(Domainname) ((const char *) (Domainname)) # define bindtextdomain(Domainname, Dirname) ((const char *) (Dirname)) # define bind_textdomain_codeset(Domainname, Codeset) ((const char *) (Codeset)) #endif /* A pseudo function call that serves as a marker for the automated extraction of messages, but does not call gettext(). The run-time translation is done at a different place in the code. The argument, String, should be a literal string. Concatenated strings and other string expressions won't work. The macro's expansion is not parenthesized, so that it is suitable as initializer for static 'char[]' or 'const char[]' variables. 
*/ #define gettext_noop(String) String #endif /* _LIBGETTEXT_H */ rsbac-admin-1.4.0/main/libs/helpers/helpers.c0000644000175000017500000005577011131371034020677 0ustar gauvaingauvain/************************************* */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2008: */ /* Amon Ott */ /* Helper functions for all parts */ /* Last modified: 04/Sep/2008 */ /************************************* */ #ifndef __KERNEL__ #include #endif #include #include #include #include #include #include #ifdef __KERNEL__ #include #include #include #include #include #include #include #include #ifdef CONFIG_RSBAC_RC #include #endif #endif #ifndef __KERNEL__ #include #include #include #include #include #endif #define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */ int rsbac_get_vset_num(char * sourcename, rsbac_um_set_t * vset_p) { if (!sourcename || !vset_p) return -RSBAC_EINVALIDPOINTER; if (!strcmp(sourcename,"all")) { *vset_p = RSBAC_UM_VIRTUAL_ALL; return 0; } if (!strcmp(sourcename,"auto") || !strcmp(sourcename,"keep")) { *vset_p = RSBAC_UM_VIRTUAL_KEEP; return 0; } #ifdef __KERNEL__ *vset_p = simple_strtoul(sourcename, NULL, 0); #else *vset_p = strtoul(sourcename, NULL, 0); #endif if(!*vset_p && strcmp(sourcename,"0")) return -RSBAC_EINVALIDVALUE; if (*vset_p > RSBAC_UM_VIRTUAL_MAX) return -RSBAC_EINVALIDVALUE; return 0; } #ifndef __KERNEL__ int rsbac_u32_compare(__u32 * a, __u32 * b) { if(*a < *b) return -1; if(*a > *b) return 1; return 0; } int rsbac_u32_void_compare(const void *a, const void *b) { return rsbac_u32_compare((__u32 *) a, (__u32 *) b); } int rsbac_user_compare(const void * a, const void * b) { return rsbac_u32_compare((__u32 *) a, (__u32 *) b); } int rsbac_group_compare(const void * a, const void * b) { return rsbac_u32_compare((__u32 *) a, (__u32 *) b); } int rsbac_nettemp_id_compare(const void * a, const void * b) { return rsbac_u32_compare((__u32 *) a, (__u32 *) b); } int rsbac_dev_compare(const void * desc1, const void * desc2) { 
const struct rsbac_dev_desc_t * i_desc1 = desc1; const struct rsbac_dev_desc_t * i_desc2 = desc2; int result; result = memcmp(&i_desc1->type, &i_desc2->type, sizeof(i_desc1->type)); if(result) return result; result = memcmp(&i_desc1->major, &i_desc2->major, sizeof(i_desc1->major)); if(result) return result; return memcmp(&i_desc1->minor, &i_desc2->minor, sizeof(i_desc1->minor)); } #endif char * inttostr(char * str, int i) { int j = 0; if(!str) return(NULL); if (i<0) { str[j] = '-'; j++; i = -i; } if (i>=10000) { str[j] = '0' + (i / 10000); j++; } if (i>=1000) { str[j] = '0' + ((i % 10000) / 1000); j++; } if (i>=100) { str[j] = '0' + ((i % 1000) / 100); j++; } if (i>=10) { str[j] = '0' + ((i % 100) / 10); j++; } str[j] = '0' + (i % 10); j++; str[j] = 0; return (str); }; char * ulongtostr(char * str, u_long i) { int j = 0; u_long k = 1000000000; if(!str) return(NULL); if (i>=k) { str[j] = '0' + ((i / k) % 100); j++; } k /= 10; while (k>1) { if (i>=k) { str[j] = '0' + ((i % (k*10)) / k); j++; } k /= 10; }; str[j] = '0' + (i % 10); j++; str[j] = 0; return (str); }; char * longtostr(char * str, long i) { int j = 0; u_long k = 1000000000; if(!str) return(NULL); if (i<0) { str[0] = '-'; j = 1; i = -i; } if (i>=k) { str[j] = '0' + ((i / k) % 100); j++; } k /= 10; while (k>1) { if (i>=k) { str[j] = '0' + ((i % (k*10)) / k); j++; } k /= 10; }; str[j] = '0' + (i % 10); j++; str[j] = 0; return (str); }; char * u64tostrmac(char * str, __u64 i) { int j = 0; __u64 k; if(!str) return(NULL); k = 1; for(j = RSBAC_MAC_MAX_CAT;j >= 0;j--) { if (i & k) str[j] = '1'; else str[j] = '0'; k<<=1; }; str[RSBAC_MAC_NR_CATS] = 0; return (str); }; #ifndef __KERNEL__ int rsbac_lib_version(void) { return RSBAC_VERSION_NR; } void error_exit(int error) { char tmp1[80]; if(error<0) { get_error_name(tmp1,error); fprintf(stderr, "Error: %s\n", tmp1); exit(1); } } void show_error(int error) { char tmp1[80]; if(error<0) { get_error_name(tmp1,error); fprintf(stderr, "Error: %s\n", tmp1); } } int 
rsbac_get_uid_name(rsbac_list_ta_number_t ta_number, rsbac_uid_t * uid, char * name, char * sourcename) { struct passwd * user_info_p; rsbac_uid_t uid_i = RSBAC_NO_USER; char * p = sourcename; if(!sourcename) return -RSBAC_EINVALIDPOINTER; while (*p && (*p != '/')) p++; if (*p) { rsbac_um_set_t tmp_vset = 0; uid_i = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, RSBAC_NO_USER); if(rsbac_um_get_uid(ta_number, sourcename, &uid_i)) { int err; *p = 0; err = rsbac_get_vset_num(sourcename, &tmp_vset); if (err) return err; *p = '/'; p++; if (!strcmp(p, "ALL")) uid_i = RSBAC_ALL_USERS; else { uid_i = strtoul(p, NULL, 0); if(!uid_i && strcmp(p,"0")) { return -RSBAC_EINVALIDVALUE; } } uid_i = RSBAC_GEN_UID(tmp_vset, uid_i); if(name) { union rsbac_um_mod_data_t data; if(!rsbac_um_get_user_item(ta_number, uid_i, UM_name, &data)) sprintf(name,"%u/%s", RSBAC_UID_SET(uid_i), data.string); else sprintf(name, "%u/%s", RSBAC_UID_SET(uid_i), p); } } else { p++; if(name) { sprintf(name, "%u/%s", RSBAC_UID_SET(uid_i), p); } } if(uid) *uid = uid_i; return 0; } if(!(user_info_p = getpwnam(sourcename))) { uid_i = strtoul(sourcename,0,10); if( !uid_i && strcmp("0", sourcename) ) { return -RSBAC_EINVALIDVALUE; } if(name) { if((user_info_p = getpwuid(RSBAC_UID_NUM(uid_i)))) strcpy(name, user_info_p->pw_name); else sprintf(name, "%u", RSBAC_UID_NUM(uid_i)); } } else { uid_i = user_info_p->pw_uid; if(name) strcpy(name, user_info_p->pw_name); } if(uid) *uid = uid_i; return 0; } int rsbac_get_fullname(rsbac_list_ta_number_t ta_number, char * fullname, rsbac_uid_t uid) { if(!fullname) return -RSBAC_EINVALIDPOINTER; if(!RSBAC_UID_SET(uid)) { struct passwd * user_info_p; if(!(user_info_p = getpwuid(RSBAC_UID_NUM(uid)))) { sprintf(fullname, "%u", RSBAC_UID_NUM(uid)); } else { strcpy(fullname, user_info_p->pw_gecos); } } else { union rsbac_um_mod_data_t data; if(!rsbac_um_get_user_item(ta_number, uid, UM_fullname, &data)) strcpy(fullname, data.string); else sprintf(fullname, "%u", RSBAC_UID_NUM(uid)); } return 
0; } char * get_user_name(rsbac_list_ta_number_t ta_number, rsbac_uid_t user, char * name) { if(!name) return NULL; if(!RSBAC_UID_SET(user)) { struct passwd * user_info_p; if(!(user_info_p = getpwuid(RSBAC_UID_NUM(user)))) { sprintf(name, "%u", RSBAC_UID_NUM(user)); } else { strcpy(name, user_info_p->pw_name); } } else { union rsbac_um_mod_data_t data; if(!rsbac_um_get_user_item(ta_number, user, UM_name, &data)) sprintf(name, "%u/%s", RSBAC_UID_SET(user), data.string); else sprintf(name, "%u/%u", RSBAC_UID_SET(user), RSBAC_UID_NUM(user)); } return name; } char * get_group_name(rsbac_list_ta_number_t ta_number, rsbac_gid_t group, char * name) { if(!name) return NULL; if(!RSBAC_GID_SET(group)) { struct group * group_info_p; if(!(group_info_p = getgrgid(RSBAC_GID_NUM(group)))) { sprintf(name, "%u", RSBAC_GID_NUM(group)); } else { strcpy(name, group_info_p->gr_name); } } else { union rsbac_um_mod_data_t data; if(!rsbac_um_get_group_item(ta_number, group, UM_name, &data)) sprintf(name, "%u/%s", RSBAC_GID_SET(group), data.string); else sprintf(name, "%u/%u", RSBAC_GID_SET(group), RSBAC_GID_NUM(group)); } return name; } int rsbac_get_gid_name(rsbac_list_ta_number_t ta_number, rsbac_gid_t * gid, char * name, char * sourcename) { struct group * group_info_p; rsbac_gid_t gid_i = RSBAC_NO_GROUP; char * p = sourcename; if(!sourcename) return -RSBAC_EINVALIDPOINTER; while (*p && (*p != '/')) p++; if (*p) { rsbac_um_set_t tmp_vset = 0; gid_i = RSBAC_GEN_GID(RSBAC_UM_VIRTUAL_KEEP, RSBAC_NO_GROUP); if(rsbac_um_get_gid(ta_number, sourcename, &gid_i)) { int err; *p = 0; err = rsbac_get_vset_num(sourcename, &tmp_vset); if (err) return err; *p = '/'; p++; if (!strcmp(p, "ALL")) gid_i = RSBAC_ALL_GROUPS; else { gid_i = strtoul(p, NULL, 0); if(!gid_i && strcmp(p,"0")) { return -RSBAC_EINVALIDVALUE; } } gid_i = RSBAC_GEN_GID(tmp_vset, gid_i); } p++; if(name) { sprintf(name, "%u/%s", RSBAC_GID_SET(gid_i), p); } if(gid) *gid = gid_i; return 0; } if(!(group_info_p = getgrnam(sourcename))) { 
gid_i = strtoul(sourcename,0,10); if( !gid_i && strcmp("0", sourcename) ) { return -RSBAC_EINVALIDVALUE; } if(name) { if((group_info_p = getgrgid(RSBAC_GID_NUM(gid_i)))) strcpy(name, group_info_p->gr_name); else sprintf(name, "%u", RSBAC_GID_NUM(gid_i)); } } else { gid_i = group_info_p->gr_gid; if(name) strcpy(name, group_info_p->gr_name); } if(gid) *gid = gid_i; return 0; } char * u64tostrlog(char * str, __u64 i) { int j = 0; __u64 k; if(!str) return(NULL); k = 1; for(j = R_NONE - 1;j >= 0;j--) { if (i & k) str[j] = '1'; else str[j] = '0'; k<<=1; }; str[R_NONE] = 0; return (str); }; __u64 strtou64log(char * str, __u64 * i_p) { int j; __u64 k = 1, res=0; if(!str) return(0); if (strlen(str) < R_NONE) return(-1); for(j=R_NONE-1;j>=0;j--) { if(str[j] != '0') { res |= k; } k <<= 1; } for(j=R_NONE;j<64;j++) { res |= k; k <<= 1; } *i_p = res; return(res); }; char * u64tostrrc(char * str, __u64 i) { int j = 0; __u64 k; if(!str) return(NULL); k = 1; for(j = 63;j >= 0;j--) { if (i & k) str[j] = '1'; else str[j] = '0'; k<<=1; }; str[64] = 0; return (str); }; __u64 strtou64rc(char * str, __u64 * i_p) { int j; __u64 k = 1, res=0; if(!str) return(0); if (strlen(str) < 64) return(-1); for(j=63;j>=0;j--) { if(str[j] != '0') { res |= k; } k <<= 1; } *i_p = res; return(res); }; char * u64tostrrcr(char * str, __u64 i) { int j = 0; __u64 k; if(!str) return(NULL); k = 1; for(j = RCR_NONE - 1;j >= 0;j--) { if (i & k) str[j] = '1'; else str[j] = '0'; k<<=1; }; str[RCR_NONE] = 0; return (str); }; __u64 strtou64rcr(char * str, __u64 * i_p) { int j; __u64 k = 1, res=0; if(!str) return(0); if (strlen(str) < RCR_NONE) return(-1); for(j=RCR_NONE-1;j>=0;j--) { if(str[j] != '0') { res |= k; } k <<= 1; } for(j=RCR_NONE;j<64;j++) { res |= k; k <<= 1; } *i_p = res; return(res); }; __u64 strtou64mac(char * str, __u64 * i_p) { int j; __u64 k = 1, res=0; if(!str) return(0); if (strlen(str) < RSBAC_MAC_NR_CATS) return(-1); for(j=RSBAC_MAC_MAX_CAT;j>=0;j--) { if(str[j] != '0') { res |= k; } k <<= 1; } 
for(j=RSBAC_MAC_NR_CATS;j<64;j++) { res |= k; k <<= 1; } *i_p = res; return(res); }; __u64 strtou64acl(char * str, __u64 * i_p) { int j; __u64 k = 1, res=0; if(!str) return(0); if (strlen(str) < (ACLR_NONE - 1)) return(-1); for(j=ACLR_NONE-1;j>=0;j--) { if(str[j] != '0') { res |= k; } k <<= 1; } for(j=ACLR_NONE-1;j<64;j++) { res |= k; k <<= 1; } *i_p = res; return(res); } int strtodevdesc(char * str, struct rsbac_dev_desc_t * dev_p) { char * p; char * c; if(!str) return -RSBAC_EINVALIDVALUE; if(!strcmp(str, ":DEFAULT:")) { *dev_p = RSBAC_ZERO_DEV_DESC; return 0; } p = str; c = strchr(p,':'); switch(*p) { case 'b': case 'B': if(c) dev_p->type = D_block; else dev_p->type = D_block_major; break; case 'c': case 'C': if(c) dev_p->type = D_char; else dev_p->type = D_char_major; break; default: return -RSBAC_EINVALIDTARGET; } p++; dev_p->major = strtoul(p,0,0); if(c) { c++; dev_p->minor = strtoul(c,0,0); } else dev_p->minor = 0; return 0; } char * devdesctostr(char * str, struct rsbac_dev_desc_t dev) { if(RSBAC_IS_ZERO_DEV_DESC(dev)) { sprintf(str, ":DEFAULT:"); return str; } switch(dev.type) { case D_block: case D_char: sprintf(str, "%c%u:%u", 'b' + dev.type, dev.major, dev.minor); break; case D_block_major: case D_char_major: sprintf(str, "%c%u", 'b' + dev.type - (D_block_major - D_block), dev.major); break; default: sprintf(str, "invalid!"); } return str; } #endif /* ifndef __KERNEL__ */ char * u64tostracl(char * str, __u64 i) { int j = 0; __u64 k; if(!str) return(NULL); k = 1; for(j = ACLR_NONE - 1;j >= 0;j--) { if (i & k) str[j] = '1'; else str[j] = '0'; k<<=1; }; str[ACLR_NONE] = 0; return (str); }; char * u32tostrcap(char * str, __u32 i) { int j = 0; __u32 k; if(!str) return(NULL); k = 1; for(j = CAP_NONE - 1;j >= 0;j--) { if (i & k) str[j] = '1'; else str[j] = '0'; k<<=1; }; str[CAP_NONE] = 0; return (str); }; __u32 strtou32cap(char * str, __u32 * i_p) { int j; __u32 k = 1, res=0; if(!str) return(0); if (strlen(str) < CAP_NONE_OLD) return -1; 
for(j=CAP_NONE_OLD-1;j>=0;j--) { if(str[j] != '0') { res |= k; } k <<= 1; } for(j=CAP_NONE_OLD;j<32;j++) { res |= k; k <<= 1; } *i_p = res; return res; } char * kcaptostrcap(char * str, rsbac_cap_vector_t i) { int j = 0; int off; __u32 k; if(!str) return NULL; k = 1; for(j = CAP_NONE - 1;j >= 32;j--) { if (i.cap[1] & k) str[j-32] = '1'; else str[j-32] = '0'; k<<=1; }; k = 1; off = CAP_NONE-32; for(j = 31+off;j >= off;j--) { if (i.cap[0] & k) str[j] = '1'; else str[j] = '0'; k<<=1; }; str[CAP_NONE] = 0; return str; } int strcaptokcap(char * str, rsbac_cap_vector_t * i) { int j; int res; int off; __u32 k = 1; if(!str) return(-1); if (strlen(str) < CAP_NONE) return(-1); for(j = CAP_NONE-1; j >= 32; j--) { if(str[j-32] != '0') { i->cap[1] |= k; } k <<= 1; } k = 1; off = CAP_NONE-32; for(j =31+off ;j >= off; j--) { if(str[j] != '0') { i->cap[0] |= k; } k <<= 1; } /* for(j=CAP_NONE;j<32;j++) { res |= k; k <<= 1; }*/ /* *i_p = res;*/ return(res); } #ifdef __KERNEL__ /* find the current owner of this process */ int rsbac_get_owner(rsbac_uid_t * user_p) { *user_p = current->uid; return(0); } void rsbac_ds_get_error(char * function, enum rsbac_attribute_t attr) { if(!function) return; if(attr != A_none) { char tmp[80]; get_attribute_name(tmp, attr); rsbac_printk(KERN_WARNING "%s: rsbac_get_attr() for %s returned error!\n", function, tmp); } else { rsbac_printk(KERN_WARNING "%s: rsbac_get_attr() returned error!\n", function); } } void rsbac_ds_get_error_num(char * function, enum rsbac_attribute_t attr, int err) { if(!function) return; if(attr != A_none) { char tmp[80]; char tmp2[80]; get_attribute_name(tmp, attr); get_error_name(tmp2, err); rsbac_printk(KERN_WARNING "%s: rsbac_get_attr() for %s returned error %s!\n", function, tmp, tmp2); } else { rsbac_printk(KERN_WARNING "%s: rsbac_get_attr() returned error!\n", function); } } void rsbac_ds_set_error(char * function, enum rsbac_attribute_t attr) { if(!function) return; if(attr != A_none) { char tmp[80]; 
get_attribute_name(tmp, attr); rsbac_printk(KERN_WARNING "%s: rsbac_set_attr() for %s returned error!\n", function, tmp); } else { rsbac_printk(KERN_WARNING "%s: rsbac_set_attr() returned error!\n", function); } } void rsbac_ds_set_error_num(char * function, enum rsbac_attribute_t attr, int err) { if(!function) return; if(attr != A_none) { char tmp[80]; char tmp2[80]; get_attribute_name(tmp, attr); get_error_name(tmp2, err); rsbac_printk(KERN_WARNING "%s: rsbac_set_attr() for %s returned error %s!\n", function, tmp, tmp2); } else { rsbac_printk(KERN_WARNING "%s: rsbac_set_attr() returned error!\n", function); } } #ifdef CONFIG_RSBAC_RC void rsbac_rc_ds_get_error(char * function, enum rsbac_rc_item_t item) { if(!function) return; if(item != RI_none) { char tmp[80]; get_rc_item_name(tmp, item); rsbac_printk(KERN_WARNING "%s: rsbac_rc_get_item() for %s returned error!\n", function, tmp); } else { rsbac_printk(KERN_WARNING "%s: rsbac_rc_get_item() returned error!\n", function); } } void rsbac_rc_ds_set_error(char * function, enum rsbac_rc_item_t item) { if(!function) return; if(item != RI_none) { char tmp[80]; get_rc_item_name(tmp, item); rsbac_printk(KERN_WARNING "%s: rsbac_rc_set_item() for %s returned error!\n", function, tmp); } else { rsbac_printk(KERN_WARNING "%s: rsbac_rc_set_item() returned error!\n", function); } } #endif /****************************************************************/ /* Access to user data space */ #if defined(CONFIG_RSBAC_REG) || defined(CONFIG_RSBAC_REG_MAINT) EXPORT_SYMBOL(rsbac_get_user); #endif int rsbac_get_user(unsigned char * kern_p, unsigned char * user_p, int size) { if(kern_p && user_p && (size > 0)) { return copy_from_user(kern_p, user_p, size); } return(0); } #if defined(CONFIG_RSBAC_REG) || defined(CONFIG_RSBAC_REG_MAINT) EXPORT_SYMBOL(rsbac_put_user); #endif int rsbac_put_user(unsigned char * kern_p, unsigned char * user_p, int size) { if(kern_p && user_p && (size > 0)) { return copy_to_user(user_p,kern_p,size); } return(0); 
}; #if defined(CONFIG_RSBAC_REG) || defined(CONFIG_RSBAC_REG_MAINT) EXPORT_SYMBOL(rsbac_getname); #endif char * rsbac_getname(const char * name) { return getname(name); }; #if defined(CONFIG_RSBAC_REG) || defined(CONFIG_RSBAC_REG_MAINT) EXPORT_SYMBOL(rsbac_putname); #endif void rsbac_putname(const char * name) { putname(name); } inline int clear_user_buf(char * ubuf, int len) { return clear_user(ubuf,len); } #endif /* __KERNEL__ */ rsbac-admin-1.4.0/main/libs/helpers/rc_getname.c0000644000175000017500000001467011131371035021334 0ustar gauvaingauvain/* * rc_getname.c: Getname functions for the RC module. * * Author and Copyright (C) 1999-2005 Amon Ott (ao@rsbac.org) * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation, version 2. * * Last modified 21/12/2004. */ #include #include #include #include #ifdef __KERNEL__ #include #else #include #endif #ifndef NULL #define NULL ((void *) 0) #endif static char rc_target_list[RT_NONE + 1][13] = { "ROLE", "TYPE", "NONE" }; static char rc_admin_list[RC_none + 1][13] = { "no_admin", "role_admin", "system_admin", "none" }; static char rc_scd_type_list[RST_none - RST_min + 1][20] = { "auth_administration", "none" }; static char rc_item_list[RI_none + 1][30] = { "role_comp", "admin_roles", "assign_roles", "type_comp_fd", "type_comp_dev", "type_comp_user", "type_comp_process", "type_comp_ipc", "type_comp_scd", "type_comp_group", "type_comp_netdev", "type_comp_nettemp", "type_comp_netobj", "admin_type", "name", "def_fd_create_type", "def_fd_ind_create_type", "def_user_create_type", "def_process_create_type", "def_process_chown_type", "def_process_execute_type", "def_ipc_create_type", "def_group_create_type", "def_unixsock_create_type", "boot_role", "req_reauth", "type_fd_name", "type_dev_name", "type_ipc_name", "type_user_name", "type_process_name", "type_group_name", "type_netdev_name", "type_nettemp_name", 
"type_netobj_name", "type_fd_need_secdel", "type_scd_name", "remove_role", "def_fd_ind_create_type_remove", "type_fd_remove", "type_dev_remove", "type_ipc_remove", "type_user_remove", "type_process_remove", "type_group_remove", "type_netdev_remove", "type_nettemp_remove", "type_netobj_remove", #ifdef __KERNEL__ #endif "none" }; #ifndef __KERNEL__ static char rc_item_param_list[RI_none + 1][100] = { "\t0 = FALSE, 1 = TRUE", "\t0 = FALSE, 1 = TRUE", "\t0 = FALSE, 1 = TRUE", "\t0 = FALSE, 1 = TRUE", "\t0 = FALSE, 1 = TRUE", "\t0 = FALSE, 1 = TRUE", "0 = FALSE, 1 = TRUE", "\t0 = FALSE, 1 = TRUE", "\t0 = FALSE, 1 = TRUE", "\t0 = FALSE, 1 = TRUE", "0 = FALSE, 1 = TRUE", "0 = FALSE, 1 = TRUE", "0 = FALSE, 1 = TRUE", "\t0 = no_admin, 1 = role_admin, 2 = system_admin\n\t\t\t(for RC administration only)", "\t\tString, max. 15 chars", "number, -2 = inherit from parent, -3 = no_create", "parent_type new_type, -2 = inherit from parent,\n\t\t\t-3 = no_create", "number, -2 = inherit from parent, -3 = no_create", "number, -1 = inherit from process,\n\t\t\t-3 = no_create", "number, -2 = inherit from parent (keep),\n\t\t\t-3 = no_create", "number, -2 = inherit from parent (keep),\n\t\t\t-5 = use def_create of new role, -6 = no_chown", "number, -1 = inherit from process (keep),\n\t\t\t-4 = no_execute", "number, -3 = no_create", "number, -7 = use_template (do not set)", "\t0 = FALSE, 1 = TRUE", "\tString, max. 15 chars", "\tString, max. 15 chars", "\tString, max. 15 chars", "\tString, max. 15 chars", "String, max. 15 chars", "\tString, max. 15 chars", "String, max. 15 chars", "String, max. 15 chars", "String, max. 15 chars", "0 = FALSE, 1 = TRUE", "\tString, max. 
15 chars (read-only)", "\t\t(none)" }; #endif static char rc_special_right_list[RCR_NONE - RSBAC_RC_SPECIAL_RIGHT_BASE + 1][20] = { "ADMIN", "ASSIGN", "ACCESS_CONTROL", "SUPERVISOR", "MODIFY_AUTH", "CHANGE_AUTHED_OWNER", "SELECT", "NONE" }; /*****************************************/ char *get_rc_target_name(char *name, enum rsbac_rc_target_t value) { if (!name) return (NULL); if (value > RT_NONE) strcpy(name, "ERROR!"); else strcpy(name, rc_target_list[value]); return (name); }; enum rsbac_rc_target_t get_rc_target_nr(const char *name) { enum rsbac_rc_target_t i; if (!name) return (RT_NONE); for (i = 0; i < RT_NONE; i++) { if (!strcmp(name, rc_target_list[i])) { return (i); } } return (RT_NONE); }; char *get_rc_admin_name(char *name, enum rsbac_rc_admin_type_t value) { if (!name) return (NULL); if (value > RC_none) strcpy(name, "ERROR!"); else strcpy(name, rc_admin_list[value]); return (name); }; enum rsbac_rc_admin_type_t get_rc_admin_nr(const char *name) { enum rsbac_rc_admin_type_t i; if (!name) return (RC_none); for (i = 0; i < RC_none; i++) { if (!strcmp(name, rc_admin_list[i])) { return (i); } } return (RC_none); }; char *get_rc_scd_type_name(char *name, enum rsbac_rc_scd_type_t value) { if (!name) return (NULL); if (value < RST_min) { return (get_scd_type_name(name, value)); } value -= RST_min; if (value > RST_none) { strcpy(name, "ERROR!"); return (name); } strcpy(name, rc_scd_type_list[value]); return (name); }; enum rsbac_rc_scd_type_t get_rc_scd_type_nr(const char *name) { enum rsbac_rc_scd_type_t i; if (!name) return (RC_none); for (i = 0; i < RC_none - RST_min; i++) { if (!strcmp(name, rc_scd_type_list[i])) { return (i + RST_min); } } return (get_scd_type_nr(name)); }; char *get_rc_item_name(char *name, enum rsbac_rc_item_t value) { if (!name) return (NULL); if (value > RI_none) strcpy(name, "ERROR!"); else strcpy(name, rc_item_list[value]); return (name); }; enum rsbac_rc_item_t get_rc_item_nr(const char *name) { enum rsbac_rc_item_t i; if (!name) 
return (RI_none); for (i = 0; i < RI_none; i++) { if (!strcmp(name, rc_item_list[i])) { return (i); } } return (RI_none); }; #ifndef __KERNEL__ char *get_rc_item_param(char *name, enum rsbac_rc_item_t value) { if (!name) return (NULL); if (value > RI_none) strcpy(name, "ERROR!"); else strcpy(name, rc_item_param_list[value]); return (name); }; #endif char *get_rc_special_right_name(char *name, enum rsbac_rc_special_rights_t value) { if (!name) return (NULL); if (value < RSBAC_RC_SPECIAL_RIGHT_BASE) { return (get_request_name(name, value)); } value -= RSBAC_RC_SPECIAL_RIGHT_BASE; if (value > RCR_NONE) { strcpy(name, "ERROR!"); return (name); } strcpy(name, rc_special_right_list[value]); return (name); }; #ifndef __KERNEL__ enum rsbac_rc_special_rights_t get_rc_special_right_nr(const char *name) { enum rsbac_rc_special_rights_t i; if (!name) return (RCR_NONE); for (i = 0; i < (RCR_NONE - RSBAC_RC_SPECIAL_RIGHT_BASE); i++) { if (!strcmp(name, rc_special_right_list[i])) { return (i + RSBAC_RC_SPECIAL_RIGHT_BASE); } } return (get_request_nr(name)); } #endif rsbac-admin-1.4.0/main/libs/helpers/pax_getname.c0000644000175000017500000000402411131371035021510 0ustar gauvaingauvain/* * acl_getname.c: Getname functions for the PAX module. * * Author and Copyright (C) 1999-2005 Amon Ott (ao@rsbac.org) * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation, version 2. * * Last modified 06/01/2004. */ #include #include #include #include #ifdef __KERNEL__ #include #else #include #include #endif char *pax_print_flags(char *string, rsbac_pax_flags_t flags) { sprintf(string, "%c%c%c%c%c%c", flags & PF_PAX_PAGEEXEC ? 'P' : 'p', flags & PF_PAX_EMUTRAMP ? 'E' : 'e', flags & PF_PAX_MPROTECT ? 'M' : 'm', flags & PF_PAX_RANDMMAP ? 'R' : 'r', flags & PF_PAX_RANDEXEC ? 'X' : 'x', flags & PF_PAX_SEGMEXEC ? 
'S' : 's'); return string; } #ifndef __KERNEL__ rsbac_pax_flags_t pax_strtoflags(char *string, rsbac_pax_flags_t init_flags) { char *p = string; rsbac_pax_flags_t add_flags = 0; rsbac_pax_flags_t remove_flags = 0; if (!p) return init_flags; while (*p) { switch (*p) { case 'P': add_flags |= PF_PAX_PAGEEXEC; break; case 'p': remove_flags |= PF_PAX_PAGEEXEC; break; case 'E': add_flags |= PF_PAX_EMUTRAMP; break; case 'e': remove_flags |= PF_PAX_EMUTRAMP; break; case 'M': add_flags |= PF_PAX_MPROTECT; break; case 'm': remove_flags |= PF_PAX_MPROTECT; break; case 'R': add_flags |= PF_PAX_RANDMMAP; break; case 'r': remove_flags |= PF_PAX_RANDMMAP; break; case 'X': add_flags |= PF_PAX_RANDEXEC; break; case 'x': remove_flags |= PF_PAX_RANDEXEC; break; case 'S': add_flags |= PF_PAX_SEGMEXEC; break; case 's': remove_flags |= PF_PAX_SEGMEXEC; break; case 'z': remove_flags = RSBAC_PAX_ALL_FLAGS; break; case 'a': add_flags = RSBAC_PAX_ALL_FLAGS; break; default: break; } p++; } return (init_flags | add_flags) & ~remove_flags; } #endif rsbac-admin-1.4.0/main/libs/helpers/getname.c0000644000175000017500000012221211131371034020637 0ustar gauvaingauvain/************************************* */ /* Rule Set Based Access Control */ /* Author and (c) 1999-2007: */ /* Amon Ott */ /* Helper functions for all parts */ /* Last modified: 17/Sep/2007 */ /************************************* */ #include #include #include #include #include #ifdef __KERNEL__ #include #include #include #include #include #include #include #include #include #else #include #include #include #endif static char request_list[R_NONE + 1][24] = { "ADD_TO_KERNEL", "ALTER", "APPEND_OPEN", "CHANGE_GROUP", "CHANGE_OWNER", "CHDIR", "CLONE", "CLOSE", "CREATE", "DELETE", "EXECUTE", "GET_PERMISSIONS_DATA", "GET_STATUS_DATA", "LINK_HARD", "MODIFY_ACCESS_DATA", "MODIFY_ATTRIBUTE", "MODIFY_PERMISSIONS_DATA", "MODIFY_SYSTEM_DATA", "MOUNT", "READ", "READ_ATTRIBUTE", "READ_WRITE_OPEN", "READ_OPEN", "REMOVE_FROM_KERNEL", "RENAME", 
"SEARCH", "SEND_SIGNAL", "SHUTDOWN", "SWITCH_LOG", "SWITCH_MODULE", "TERMINATE", "TRACE", "TRUNCATE", "UMOUNT", "WRITE", "WRITE_OPEN", "MAP_EXEC", "BIND", "LISTEN", "ACCEPT", "CONNECT", "SEND", "RECEIVE", "NET_SHUTDOWN", "CHANGE_DAC_EFF_OWNER", "CHANGE_DAC_FS_OWNER", "CHANGE_DAC_EFF_GROUP", "CHANGE_DAC_FS_GROUP", "IOCTL", "LOCK", "AUTHENTICATE", "NONE" }; static char result_list[UNDEFINED + 1][12] = { "NOT_GRANTED", "GRANTED", "DO_NOT_CARE", "UNDEFINED" }; static rsbac_switch_target_int_t attr_mod_list[A_none + 1] = { SW_GEN, /* pseudo */ SW_MAC, /* security_level */ SW_MAC, /* initial_security_level */ SW_MAC, /* local_sec_level */ SW_MAC, /* remote_sec_level */ SW_MAC, /* min_security_level */ SW_MAC, /* mac_categories */ SW_MAC, /* mac_initial_categories */ SW_MAC, /* local_mac_categories */ SW_MAC, /* remote_mac_categories */ SW_MAC, /* mac_min_categories */ SW_MAC, /* mac_user_flags */ SW_MAC, /* mac_process_flags */ SW_MAC, /* mac_file_flags */ SW_NONE, /* system_role */ SW_MAC, /* mac_role */ SW_DAZ, /* daz_role */ SW_FF, /* ff_role */ SW_AUTH, /* auth_role */ SW_CAP, /* cap_role */ SW_JAIL, /* jail_role */ SW_PAX, /* pax_role */ SW_MAC, /* current_sec_level */ SW_MAC, /* mac_curr_categories */ SW_MAC, /* min_write_open */ SW_MAC, /* min_write_categories */ SW_MAC, /* max_read_open */ SW_MAC, /* max_read_categories */ SW_MAC, /* mac_auto */ SW_MAC, /* mac_check */ SW_MAC, /* mac_prop_trusted */ SW_PM, /* pm_role */ SW_PM, /* pm_process_type */ SW_PM, /* pm_current_task */ SW_PM, /* pm_object_class */ SW_PM, /* local_pm_object_class */ SW_PM, /* remote_pm_object_class */ SW_PM, /* pm_ipc_purpose */ SW_PM, /* local_pm_ipc_purpose */ SW_PM, /* remote_pm_ipc_purpose */ SW_PM, /* pm_object_type */ SW_PM, /* local_pm_object_type */ SW_PM, /* remote_pm_object_type */ SW_PM, /* pm_program_type */ SW_PM, /* pm_tp */ SW_PM, /* pm_task_set */ SW_DAZ, /* daz_scanned */ SW_DAZ, /* daz_scanner */ SW_FF, /* ff_flags */ SW_RC, /* rc_type */ SW_RC, /* rc_select_type */ 
SW_RC, /* local_rc_type */ SW_RC, /* remote_rc_type */ SW_RC, /* rc_type_fd */ SW_RC, /* rc_type_nt */ SW_RC, /* rc_force_role */ SW_RC, /* rc_initial_role */ SW_RC, /* rc_role */ SW_RC, /* rc_def_role */ SW_AUTH, /* auth_may_setuid */ SW_AUTH, /* auth_may_set_cap */ SW_AUTH, /* auth_learn */ SW_CAP, /* min_caps */ SW_CAP, /* max_caps */ SW_CAP, /* max_caps_user */ SW_CAP, /* max_caps_program */ SW_JAIL, /* jail_id */ SW_JAIL, /* jail_parent */ SW_JAIL, /* jail_ip */ SW_JAIL, /* jail_flags */ SW_JAIL, /* jail_max_caps */ SW_JAIL, /* jail_scd_get */ SW_JAIL, /* jail_scd_modify */ SW_PAX, /* pax_flags */ SW_RES, /* res_role */ SW_RES, /* res_min */ SW_RES, /* res_max */ SW_GEN, /* log_array_low */ SW_GEN, /* local_log_array_low */ SW_GEN, /* remote_log_array_low */ SW_GEN, /* log_array_high */ SW_GEN, /* local_log_array_high */ SW_GEN, /* remote_log_array_high */ SW_GEN, /* log_program_based */ SW_GEN, /* log_user_based */ SW_GEN, /* symlink_add_remote_ip */ SW_GEN, /* symlink_add_uid */ SW_GEN, /* symlink_add_mac_level */ SW_GEN, /* symlink_add_rc_role */ SW_GEN, /* linux_dac_disable */ SW_CAP, /* cap_process_hiding */ SW_GEN, /* fake_root_uid */ SW_GEN, /* audit_uid */ SW_GEN, /* auid_exempt */ SW_AUTH, /* auth_last_auth */ SW_GEN, /* remote_ip */ SW_CAP, /* cap_ld_env */ SW_DAZ, /* daz_do_scan */ SW_GEN, /* vset */ #ifdef __KERNEL__ /* adf-request helpers */ SW_NONE, /* group */ SW_NONE, /* signal */ SW_NONE, /* mode */ SW_NONE, /* nlink */ SW_NONE, /* switch_target */ SW_NONE, /* mod_name */ SW_NONE, /* request */ SW_NONE, /* trace_request */ SW_NONE, /* auth_add_f_cap */ SW_NONE, /* auth_remove_f_cap */ SW_NONE, /* auth_get_caplist */ SW_NONE, /* prot_bits */ SW_NONE, /* internal */ SW_NONE, /* create_data */ SW_NONE, /* new_object */ SW_NONE, /* rlimit */ SW_NONE, /* new_dir_dentry_p */ SW_NONE, /* auth_program_file */ SW_NONE, /* auth_start_uid */ SW_NONE, /* auth_start_euid */ SW_NONE, /* auth_start_gid */ SW_NONE, /* auth_start_egid */ SW_NONE, /* acl_learn 
*/ SW_NONE, /* priority */ SW_NONE, /* pgid */ SW_NONE, /* kernel_thread */ SW_NONE, /* open_flag */ SW_NONE, /* reboot_cmd */ SW_NONE, /* setsockopt_level */ SW_NONE, /* ioctl_cmd */ SW_NONE, /* f_mode */ SW_NONE, /* process */ SW_NONE, /* sock_type */ #endif SW_NONE /* none */ }; static char attribute_list[A_none + 1][23] = { "pseudo", "security_level", "initial_security_level", "local_sec_level", "remote_sec_level", "min_security_level", "mac_categories", "mac_initial_categories", "local_mac_categories", "remote_mac_categories", "mac_min_categories", "mac_user_flags", "mac_process_flags", "mac_file_flags", "system_role", "mac_role", "daz_role", "ff_role", "auth_role", "cap_role", "jail_role", "pax_role", "current_sec_level", "mac_curr_categories", "min_write_open", "min_write_categories", "max_read_open", "max_read_categories", "mac_auto", "mac_check", "mac_prop_trusted", "pm_role", "pm_process_type", "pm_current_task", "pm_object_class", "local_pm_object_class", "remote_pm_object_class", "pm_ipc_purpose", "local_pm_ipc_purpose", "remote_pm_ipc_purpose", "pm_object_type", "local_pm_object_type", "remote_pm_object_type", "pm_program_type", "pm_tp", "pm_task_set", "daz_scanned", "daz_scanner", "ff_flags", "rc_type", "rc_select_type", "local_rc_type", "remote_rc_type", "rc_type_fd", "rc_type_nt", "rc_force_role", "rc_initial_role", "rc_role", "rc_def_role", "auth_may_setuid", "auth_may_set_cap", "auth_learn", "min_caps", "max_caps", "max_caps_user", "max_caps_program", "jail_id", "jail_parent", "jail_ip", "jail_flags", "jail_max_caps", "jail_scd_get", "jail_scd_modify", "pax_flags", "res_role", "res_min", "res_max", "log_array_low", "local_log_array_low", "remote_log_array_low", "log_array_high", "local_log_array_high", "remote_log_array_high", "log_program_based", "log_user_based", "symlink_add_remote_ip", "symlink_add_uid", "symlink_add_mac_level", "symlink_add_rc_role", "linux_dac_disable", "cap_process_hiding", "fake_root_uid", "audit_uid", "auid_exempt", 
"auth_last_auth", "remote_ip", "cap_ld_env", "daz_do_scan", "vset", #ifdef __KERNEL__ /* adf-request helpers */ "owner", "group", "signal", "mode", "nlink", "switch_target", "mod_name", "request", "trace_request", "auth_add_f_cap", "auth_remove_f_cap", "auth_get_caplist", "prot_bits", "internal", "create_data", "new_object", "rlimit", "new_dir_dentry_p", "auth_program_file", "auth_start_uid", "auth_start_euid", "auth_start_gid", "auth_start_egid", "acl_learn", "priority", "pgid", "kernel_thread", "open_flag", "reboot_cmd", "setsockopt_level", "ioctl_cmd", "f_mode", "process", "sock_type", #endif "none" }; static char target_list[T_NONE + 1][11] = { "FILE", "DIR", "FIFO", "SYMLINK", "DEV", "IPC", "SCD", "USER", "PROCESS", "NETDEV", "NETTEMP", "NETOBJ", "NETTEMP_NT", "GROUP", "FD", "UNIXSOCK", "NONE" }; static char ipc_target_list[I_none + 1][9] = { "sem", "msg", "shm", "anonpipe", "mqueue", "anonunix", "none" }; static char switch_target_list[SW_NONE + 1][12] = { "GEN", "MAC", "PM", "DAZ", "FF", "RC", "AUTH", "REG", "ACL", "CAP", "JAIL", "RES", "PAX", "SOFTMODE", "DAC_DISABLE", "UM", "FREEZE", "NONE" }; static char error_list[RSBAC_EMAX][26] = { "RSBAC_EPERM", "RSBAC_EACCESS", "RSBAC_EREADFAILED", "RSBAC_EWRITEFAILED", "RSBAC_EINVALIDPOINTER", "RSBAC_ENOROOTDIR", "RSBAC_EPATHTOOLONG", "RSBAC_ENOROOTDEV", "RSBAC_ENOTFOUND", "RSBAC_ENOTINITIALIZED", "RSBAC_EREINIT", "RSBAC_ECOULDNOTADDDEVICE", "RSBAC_ECOULDNOTADDITEM", "RSBAC_ECOULDNOTCREATEPATH", "RSBAC_EINVALIDATTR", "RSBAC_EINVALIDDEV", "RSBAC_EINVALIDTARGET", "RSBAC_EINVALIDVALUE", "RSBAC_EEXISTS", "RSBAC_EINTERNONLY", "RSBAC_EINVALIDREQUEST", "RSBAC_ENOTWRITABLE", "RSBAC_EMALWAREDETECTED", "RSBAC_ENOMEM", "RSBAC_EDECISIONMISMATCH", "RSBAC_EINVALIDVERSION", "RSBAC_EINVALIDMODULE", "RSBAC_EEXPIRED", "RSBAC_EMUSTCHANGE", "RSBAC_EBUSY", "RSBAC_EINVALIDTRANSACTION", "RSBAC_EWEAKPASSWORD", "RSBAC_EINVALIDLIST" }; static char scd_type_list[ST_none + 1][17] = { "time_strucs", "clock", "host_id", "net_id", "ioports", 
"rlimit", "swap", "syslog", "rsbac", "rsbac_log", "other", "kmem", "network", "firewall", "priority", "sysfs", "rsbac_remote_log", "quota", "sysctl", "nfsd", "ksyms", "mlock", "capability", "kexec", "none" }; /* Attribute types */ #ifndef __KERNEL__ static char attribute_param_list[A_none + 1][194] = { "user-pseudo (positive long integer)", /* pseudo */ "0 = unclassified, 1 = confidential, 2 = secret,\n\t3 = top secret, 254 = inherit, max. level 252", /* security_level */ "0 = unclassified, 1 = confidential, 2 = secret,\n\t3 = top secret, 254 = inherit, max. level 252", /* initial_security_level */ "0 = unclassified, 1 = confidential, 2 = secret,\n\t3 = top secret, 254 = inherit, max. level 252", /* local_sec_level */ "0 = unclassified, 1 = confidential, 2 = secret,\n\t3 = top secret, 254 = inherit, max. level 252", /* remote_sec_level */ "0 = unclassified, 1 = confidential, 2 = secret,\n\t3 = top secret, 254 = inherit, max. level 252", /* min_security_level */ "Bit Set String of length 64 for all categories", /* mac_categories */ "Bit Set String of length 64 for all categories", /* mac_initial_categories */ "Bit Set String of length 64 for all categories", /* local_mac_categories */ "Bit Set String of length 64 for all categories", /* remote_mac_categories */ "Bit Set String of length 64 for all categories", /* mac_min_categories */ "1 = override, 4 = trusted, 8 = write_up, 16 = read_up,\n\t32 = write_down, 64 = allow_mac_auto", /* mac_user_flags */ "1 = override, 2 = auto, 4 = trusted, 8 = write_up,\n\t16 = read_up, 32 = write_down, 128 = prop_trusted", /* mac_process_flags */ "2 = auto, 4 = trusted, 8 = write_up, 16 = read_up,\n\t32 = write_down", /* mac_file_flags */ "0 = user, 1 = security officer, 2 = administrator,\n\t3 = auditor", /* system_role */ "0 = user, 1 = security officer, 2 = administrator,\n\t3 = auditor", /* mac_role */ "0 = user, 1 = security officer, 2 = administrator,\n\t3 = auditor", /* daz_role */ "0 = user, 1 = security officer, 2 = 
administrator,\n\t3 = auditor", /* ff_role */ "0 = user, 1 = security officer, 2 = administrator,\n\t3 = auditor", /* auth_role */ "0 = user, 1 = security officer, 2 = administrator,\n\t3 = auditor", /* cap_role */ "0 = user, 1 = security officer, 2 = administrator,\n\t3 = auditor", /* jail_role */ "0 = user, 1 = security officer, 2 = administrator,\n\t3 = auditor", /* pax_role */ "0 = unclassified, 1 = confidential, 2 = secret,\n\t3 = top secret, max. level 252", /* current_sec_level */ "Bit Set String of length 64 for all categories", /* mac_curr_categories */ "0 = unclassified, 1 = confidential, 2 = secret,\n\t3 = top secret, max. level 252", /* min_write_open */ "Bit Set String of length 64 for all categories", /* min_write_categories */ "0 = unclassified, 1 = confidential, 2 = secret,\n\t3 = top secret, max. level 252", /* max_read_open */ "Bit Set String of length 64 for all categories", /* max_read_categories */ "0 = no, 1 = yes, 2 = inherit (default value)", /* mac_auto */ "0 = false, 1 = true", /* mac_check */ "0 = false, 1 = true", /* mac_prop_trusted */ "0 = user, 1 = security officer, 2 = data protection officer,\n\t3 = TP-manager, 4 = system-admin", /* pm_role */ "0 = none, 1 = TP", /* pm_process_type */ "Task-ID (positive integer)", /* pm_current_task */ "Class-ID (positive integer)", /* pm_object_class */ "Class-ID (positive integer)", /* local_pm_object_class */ "Class-ID (positive integer)", /* remote_pm_object_class */ "Purpose-ID (positive integer)", /* pm_ipc_purpose */ "Purpose-ID (positive integer)", /* local_pm_ipc_purpose */ "Purpose-ID (positive integer)", /* remote_pm_ipc_purpose */ "0 = none, 1 = TP, 2 = personal data, 3 = non-personal data,\n\t4 = ipc, 5 = dir", /* pm_object_type */ "0 = none, 1 = TP, 2 = personal data, 3 = non-personal data,\n\t4 = ipc, 5 = dir", /* local_pm_object_type */ "0 = none, 1 = TP, 2 = personal data, 3 = non-personal data,\n\t4 = ipc, 5 = dir", /* remote_pm_object_type */ "0 = none, 1 = TP", /* pm_program_type 
*/ "TP-ID (positive integer)", /* pm_tp */ "pm-task-list-ID (positive integer)", /* pm_task_set */ "0 = unscanned, 1 = infected, 2 = clean", /* daz_scanned */ "0 = FALSE, 1 = TRUE", /* daz_scanner */ "1 = read_only, 2 = execute_only, 4 = search_only, 8 = write_only,\n\t16 = secure_delete, 32 = no_execute, 64 = no_delete_or_rename,\n\t128 = add_inherited (or'd), 256 = append_only, 512 = no_mount", /* ff_flags */ "RC-type-id", /* rc_type */ "RC-type-id (-7 = use fd)", /* rc_select_type */ "RC-type-id", /* local_rc_type */ "RC-type-id", /* remote_rc_type */ "RC-type-id (-2 = inherit from parent)", /* rc_type_fd */ "RC-type-id", /* rc_type_nt */ "RC-role-id (-1 = inherit_user, -2 = inherit_process (keep),\n\t-3 = inherit_parent (def.),\n\t-4 = inherit_user_on_chown_only (root default)", /* rc_force_role */ "RC-role-id (-3 = inherit_parent (default),\n\t-5 = use_force_role (root default)", /* rc_initial_role */ "RC-role-id", /* rc_role */ "RC-role-id", /* rc_def_role */ "0 = off, 1 = full, 2 = last_auth_only, 3 = last_auth_and_gid", /* auth_may_setuid */ "0 = false, 1 = true", /* auth_may_set_cap */ "0 = false, 1 = true", /* auth_learn */ "Bit-Vector value or name list of desired caps", /* min_caps */ "Bit-Vector value or name list of desired caps", /* max_caps */ "Bit-Vector value or name list of desired caps", /* max_caps_user */ "Bit-Vector value or name list of desired caps", /* max_caps_program */ "JAIL ID (0 = off)", /* jail_id */ "JAIL ID (0 = no parent jail)", /* jail_parent */ "JAIL IP address a.b.c.d", /* jail_ip */ "JAIL flags (or'd, 1 = allow external IPC, 2 = allow all net families,\n\t4 = allow_rlimit, 8 = allow raw IP, 16 = auto adjust IP,\n\t32 = allow localhost, 64 = allow scd clock)", /* jail_flags */ "Bit-Vector value or name list of desired caps", /* jail_max_caps */ "List of SCD targets", /* jail_scd_get */ "List of SCD targets", /* jail_scd_modify */ "PAX flags with capital=on, non-capital=off, e.g. 
PeMRxS", /* pax_flags */ "0 = user, 1 = security officer, 2 = administrator", /* res_role */ "array of non-negative integer values, all 0 for unset", /* res_min */ "array of non-negative integer values, all 0 for unset", /* res_max */ "Bit-String for all Requests, low bit", /* log_array_low */ "Bit-String for all Requests, low bit", /* local_log_array_low */ "Bit-String for all Requests, low bit", /* remote_log_array_low */ "Bit-String for all Requests, high bit (l=0,h=0 = none, l=1,h=0 = denied,\n\tl=0,h=1 = full, l=1,h=1 = request based)", /* log_array_high */ "Bit-String for all Requests, high bit (l=0,h=0 = none, l=1,h=0 = denied,\n\tl=0,h=1 = full, l=1,h=1 = request based)", /* local_log_array_high */ "Bit-String for all Requests, high bit (l=0,h=0 = none, l=1,h=0 = denied,\n\tl=0,h=1 = full, l=1,h=1 = request based)", /* remote_log_array_high */ "Bit-String for all Requests", /* log_program_based */ "Bit-String for all Requests", /* log_user_based */ "Number of bytes to add, 0 to turn off", /* symlink_add_remote_ip */ "0 = false, 1 = true", /* symlink_add_uid */ "0 = false, 1 = true", /* symlink_add_mac_level */ "0 = false, 1 = true", /* symlink_add_rc_role */ "0 = false, 1 = true, 2 = inherit (default)", /* linux_dac_disable */ "0 = off (default), 1 = from other users, 2 = full", /* cap_process_hiding */ "0 = off (default), 1 = uid_only, 2 = euid_only, 3 = both", /* fake_root_uid */ "-3 = unset, uid otherwise", /* audit_uid */ "-3 = unset, uid otherwise", /* auid_exempt */ "-3 = unset, uid otherwise", /* auth_last_auth */ "32 Bit value in network byte order", /* remote_ip */ "0 = disallow executing of program file with LD_ variables set,\n\t1 = do not care (default)", /* cap_ld_env */ "0 = never, 1 = registered, 2 = always, 3 = inherit", /* daz_do_scan */ "non-negative virtual set number, 0 = default main set", "INVALID!" }; #endif static char log_level_list[LL_invalid + 1][9] = { "none", "denied", "full", "request", "invalid!" 
};

/* Linux capability names, indexed by capability number (RSBAC_CAP_MAX = "NONE"). */
static char cap_list[RSBAC_CAP_MAX + 1][17] = {
	"CHOWN",
	"DAC_OVERRIDE",
	"DAC_READ_SEARCH",
	"FOWNER",
	"FSETID",
	"KILL",
	"SETGID",
	"SETUID",
	"SETPCAP",
	"LINUX_IMMUTABLE",
	"NET_BIND_SERVICE",
	"NET_BROADCAST",
	"NET_ADMIN",
	"NET_RAW",
	"IPC_LOCK",
	"IPC_OWNER",
	"SYS_MODULE",
	"SYS_RAWIO",
	"SYS_CHROOT",
	"SYS_PTRACE",
	"SYS_PACCT",
	"SYS_ADMIN",
	"SYS_BOOT",
	"SYS_NICE",
	"SYS_RESOURCE",
	"SYS_TIME",
	"SYS_TTY_CONFIG",
	"MKNOD",
	"LEASE",
	"AUDIT_WRITE",
	"AUDIT_CONTROL",
	"SETFCAP",
	"MAC_OVERRIDE",
	"MAC_ADMIN",
	"NONE"
};

/*****************************************/

#ifdef __KERNEL__
#if defined(CONFIG_RSBAC_REG) || defined(CONFIG_RSBAC_REG_MAINT)
EXPORT_SYMBOL(get_request_name);
#endif
#endif
/*
 * get_request_name - copy the symbolic name of an ADF request into a buffer.
 *
 * request_name: caller-supplied buffer; it is not bounds-checked here, so it
 *               must hold the longest entry of request_list (24 bytes).
 * request:      request number to translate.
 *
 * Returns request_name, or NULL if it was NULL.  Note that R_NONE itself is
 * reported as "ERROR!" (the comparison is >=), unlike the sibling *_name
 * helpers in this file which still translate their "none" value.
 */
char *get_request_name(char *request_name, enum rsbac_adf_request_t request)
{
	if (!request_name)
		return NULL;
	strcpy(request_name,
	       (request >= R_NONE) ? "ERROR!" : request_list[request]);
	return request_name;
}

/*
 * get_request_nr - look up an ADF request number by its exact name.
 *
 * Returns the matching request number, or R_NONE when request_name is NULL
 * or matches no entry (the comparison is case-sensitive and exact).
 */
enum rsbac_adf_request_t get_request_nr(const char *request_name)
{
	enum rsbac_adf_request_t idx = R_NONE;

	if (request_name) {
		for (idx = 0; idx < R_NONE; idx++)
			if (strcmp(request_name, request_list[idx]) == 0)
				break;
	}
	return idx;
}

/*
 * get_result_name - copy the name of an ADF decision into a buffer.
 *
 * res_name: caller-supplied buffer, at least 12 bytes (result_list width).
 * res:      decision value; anything above UNDEFINED yields "ERROR!".
 *
 * Returns res_name, or NULL if it was NULL.
 */
char *get_result_name(char *res_name, enum rsbac_adf_req_ret_t res)
{
	if (!res_name)
		return NULL;
	strcpy(res_name, (res > UNDEFINED) ? "ERROR!" : result_list[res]);
	return res_name;
}

/*
 * get_result_nr - look up an ADF decision value by its exact name.
 *
 * Returns the decision, or UNDEFINED when res_name is NULL or unknown.
 */
enum rsbac_adf_req_ret_t get_result_nr(const char *res_name)
{
	enum rsbac_adf_req_ret_t idx = UNDEFINED;

	if (res_name) {
		for (idx = 0; idx < UNDEFINED; idx++)
			if (strcmp(res_name, result_list[idx]) == 0)
				break;
	}
	return idx;
}

/*
 * get_attr_module - return the module (switch target) that owns an attribute.
 *
 * Out-of-range attribute numbers map to SW_NONE instead of indexing
 * attr_mod_list.
 */
enum rsbac_switch_target_t get_attr_module(enum rsbac_attribute_t attr)
{
	return (attr > A_none) ? SW_NONE : attr_mod_list[attr];
}

#ifdef __KERNEL__
#if defined(CONFIG_RSBAC_REG) || defined(CONFIG_RSBAC_REG_MAINT)
EXPORT_SYMBOL(get_attribute_name);
#endif
#endif
char *get_attribute_name(char *attr_name, enum rsbac_attribute_t attr)
{
	if (!attr_name)
		return
(NULL); if (attr > A_none) strcpy(attr_name, "ERROR!"); else strcpy(attr_name, attribute_list[attr]); return (attr_name); } enum rsbac_attribute_t get_attribute_nr(const char *attr_name) { enum rsbac_attribute_t i; if (!attr_name) return (A_none); for (i = 0; i < A_none; i++) { if (!strcmp(attr_name, attribute_list[i])) { return (i); } } return (A_none); } #ifdef __KERNEL__ #if defined(CONFIG_RSBAC_REG) || defined(CONFIG_RSBAC_REG_MAINT) EXPORT_SYMBOL(get_attribute_value_name); #endif #endif char *get_attribute_value_name(char *attr_val_name, enum rsbac_attribute_t attr, union rsbac_attribute_value_t *attr_val_p) { if (!attr_val_name) return (NULL); if (attr > A_none) strcpy(attr_val_name, "ERROR!"); else switch (attr) { case A_none: strcpy(attr_val_name, "none"); break; #ifdef __KERNEL__ case A_create_data: { char *tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN); if (tmp) { if (attr_val_p->create_data. dentry_p) snprintf(attr_val_name, RSBAC_MAXNAMELEN - 1, "%s %s, mode %o", get_target_name_only (tmp, attr_val_p-> create_data. target), attr_val_p-> create_data. dentry_p->d_name. name, attr_val_p-> create_data. mode & S_IALLUGO); else snprintf(attr_val_name, RSBAC_MAXNAMELEN - 1, "%s, mode %o", get_target_name_only (tmp, attr_val_p-> create_data. target), attr_val_p-> create_data. 
mode & S_IALLUGO); rsbac_kfree(tmp); } } break; case A_mode: sprintf(attr_val_name, "%o", attr_val_p->mode); break; case A_priority: sprintf(attr_val_name, "%i", attr_val_p->priority); break; case A_mod_name: if (attr_val_p->mod_name) strncpy(attr_val_name, attr_val_p->mod_name, RSBAC_MAXNAMELEN - 1); else strcpy(attr_val_name, "unknown"); attr_val_name[RSBAC_MAXNAMELEN - 1] = 0; break; case A_auth_add_f_cap: case A_auth_remove_f_cap: #ifdef CONFIG_RSBAC_UM_VIRTUAL if( RSBAC_UID_SET(attr_val_p->auth_cap_range.first) || RSBAC_UID_SET(attr_val_p->auth_cap_range.last) ) sprintf(attr_val_name, "%u/%u:%u/%u", RSBAC_UID_SET(attr_val_p->auth_cap_range.first), RSBAC_UID_NUM(attr_val_p->auth_cap_range.first), RSBAC_UID_SET(attr_val_p->auth_cap_range.last), RSBAC_UID_NUM(attr_val_p->auth_cap_range.last)); else #endif sprintf(attr_val_name, "%u:%u", RSBAC_UID_NUM(attr_val_p->auth_cap_range.first), RSBAC_UID_NUM(attr_val_p->auth_cap_range.last)); break; case A_switch_target: get_switch_target_name(attr_val_name, attr_val_p->switch_target); break; case A_request: get_request_name(attr_val_name, attr_val_p->request); break; case A_sock_type: rsbac_get_net_type_name(attr_val_name, attr_val_p->sock_type); break; #endif #if defined(CONFIG_RSBAC_PAX) || !defined(__KERNEL__) case A_pax_flags: pax_print_flags(attr_val_name, attr_val_p->pax_flags); break; #endif #if defined(CONFIG_RSBAC_AUTH) || !defined(__KERNEL__) case A_auth_last_auth: #if defined(CONFIG_RSBAC_AUTH_LEARN) && defined(__KERNEL__) case A_auth_start_uid: case A_auth_start_euid: #endif #ifdef CONFIG_RSBAC_UM_VIRTUAL if(RSBAC_UID_SET(attr_val_p->auth_last_auth)) sprintf(attr_val_name, "%u/%u", RSBAC_UID_SET(attr_val_p->auth_last_auth), RSBAC_UID_NUM(attr_val_p->auth_last_auth)); else #endif sprintf(attr_val_name, "%u", RSBAC_UID_NUM(attr_val_p->auth_last_auth)); break; #endif #ifdef CONFIG_RSBAC_AUTH_GROUP case A_auth_start_gid: #ifdef CONFIG_RSBAC_AUTH_DAC_GROUP case A_auth_start_egid: #endif #ifdef 
CONFIG_RSBAC_UM_VIRTUAL if(RSBAC_GID_SET(attr_val_p->auth_last_auth)) sprintf(attr_val_name, "%u/%u", RSBAC_GID_SET(attr_val_p->auth_last_auth), RSBAC_GID_NUM(attr_val_p->auth_last_auth)); else #endif sprintf(attr_val_name, "%u", RSBAC_GID_NUM(attr_val_p->auth_start_gid)); break; #endif default: snprintf(attr_val_name, RSBAC_MAXNAMELEN - 1, "%u", attr_val_p->u_dummy); } return (attr_val_name); } #ifdef __KERNEL__ #if defined(CONFIG_RSBAC_REG) || defined(CONFIG_RSBAC_REG_MAINT) EXPORT_SYMBOL(get_scd_type_name); #endif #endif char *get_scd_type_name(char *res_name, enum rsbac_scd_type_t res) { if (!res_name) return (NULL); if (res > ST_none) strcpy(res_name, "ERROR!"); else strcpy(res_name, scd_type_list[res]); return (res_name); } enum rsbac_scd_type_t get_scd_type_nr(const char *res_name) { enum rsbac_scd_type_t i; if (!res_name) return (ST_none); for (i = 0; i < ST_none; i++) { if (!strcmp(res_name, scd_type_list[i])) { return (i); } } return (ST_none); } #ifdef __KERNEL__ #if defined(CONFIG_RSBAC_REG) || defined(CONFIG_RSBAC_REG_MAINT) EXPORT_SYMBOL(get_target_name); #endif #endif char *get_target_name(char *target_type_name, enum rsbac_target_t target, char *target_id_name, union rsbac_target_id_t tid) { #ifdef __KERNEL__ char *help_name; #else char help_name[RSBAC_MAXNAMELEN + 4]; #endif if (!target_type_name) return (NULL); #ifdef __KERNEL__ #ifdef CONFIG_RSBAC_LOG_FULL_PATH help_name = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + 4); #else help_name = rsbac_kmalloc(RSBAC_MAXNAMELEN + 4); #endif if (!help_name) return NULL; #endif switch (target) { #ifdef __KERNEL__ case T_FD: strcpy(target_type_name, "FD"); if (!target_id_name) break; sprintf(target_id_name, "Device %02u:%02u Inode %u", RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode); if (tid.file.dentry_p && tid.file.dentry_p->d_name.name && tid.file.dentry_p->d_name.len) { #ifdef CONFIG_RSBAC_LOG_FULL_PATH if (rsbac_get_full_path (tid.file.dentry_p, help_name, 
CONFIG_RSBAC_MAX_PATH_LEN) > 0) { strcat(target_id_name, " Path "); strcat(target_id_name, help_name); } #else int namelen = rsbac_min(tid.file.dentry_p->d_name.len, RSBAC_MAXNAMELEN); strcat(target_id_name, " Name "); strncpy(help_name, tid.file.dentry_p->d_name.name, namelen); help_name[namelen] = 0; strcat(target_id_name, help_name); #endif } break; case T_FILE: strcpy(target_type_name, "FILE"); if (!target_id_name) break; sprintf(target_id_name, "Device %02u:%02u Inode %u", RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode); if (tid.file.dentry_p && tid.file.dentry_p->d_name.name && tid.file.dentry_p->d_name.len) { #ifdef CONFIG_RSBAC_LOG_FULL_PATH if (rsbac_get_full_path (tid.file.dentry_p, help_name, CONFIG_RSBAC_MAX_PATH_LEN) > 0) { strcat(target_id_name, " Path "); strcat(target_id_name, help_name); } #else int namelen = rsbac_min(tid.file.dentry_p->d_name.len, RSBAC_MAXNAMELEN); strcat(target_id_name, " Name "); strncpy(help_name, tid.file.dentry_p->d_name.name, namelen); help_name[namelen] = 0; strcat(target_id_name, help_name); #endif } break; case T_DIR: strcpy(target_type_name, "DIR"); if (!target_id_name) break; sprintf(target_id_name, "Device %02u:%02u Inode %u", RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.dir.inode); if (tid.dir.dentry_p && tid.dir.dentry_p->d_name.name && tid.dir.dentry_p->d_name.len) { #ifdef CONFIG_RSBAC_LOG_FULL_PATH if (rsbac_get_full_path (tid.dir.dentry_p, help_name, CONFIG_RSBAC_MAX_PATH_LEN) > 0) { strcat(target_id_name, " Path "); strcat(target_id_name, help_name); } #else int namelen = rsbac_min(tid.dir.dentry_p->d_name.len, RSBAC_MAXNAMELEN); strcat(target_id_name, " Name "); strncpy(help_name, tid.dir.dentry_p->d_name.name, namelen); help_name[namelen] = 0; strcat(target_id_name, help_name); #endif } break; case T_FIFO: strcpy(target_type_name, "FIFO"); if (!target_id_name) break; sprintf(target_id_name, "Device %02u:%02u Inode %u", RSBAC_MAJOR(tid.file.device), 
RSBAC_MINOR(tid.file.device), tid.fifo.inode); if (tid.fifo.dentry_p && tid.fifo.dentry_p->d_name.name && tid.fifo.dentry_p->d_name.len) { #ifdef CONFIG_RSBAC_LOG_FULL_PATH if (rsbac_get_full_path (tid.fifo.dentry_p, help_name, CONFIG_RSBAC_MAX_PATH_LEN) > 0) { strcat(target_id_name, " Path "); strcat(target_id_name, help_name); } #else int namelen = rsbac_min(tid.fifo.dentry_p->d_name.len, RSBAC_MAXNAMELEN); strcat(target_id_name, " Name "); strncpy(help_name, tid.fifo.dentry_p->d_name.name, namelen); help_name[namelen] = 0; strcat(target_id_name, help_name); #endif } break; case T_SYMLINK: strcpy(target_type_name, "SYMLINK"); if (!target_id_name) break; sprintf(target_id_name, "Device %02u:%02u Inode %u", RSBAC_MAJOR(tid.symlink.device), RSBAC_MINOR(tid.symlink.device), tid.symlink.inode); if (tid.symlink.dentry_p && tid.symlink.dentry_p->d_name.name && tid.symlink.dentry_p->d_name.len) { #ifdef CONFIG_RSBAC_LOG_FULL_PATH if (rsbac_get_full_path (tid.symlink.dentry_p, help_name, CONFIG_RSBAC_MAX_PATH_LEN) > 0) { strcat(target_id_name, " Path "); strcat(target_id_name, help_name); } #else int namelen = rsbac_min(tid.symlink.dentry_p->d_name.len, RSBAC_MAXNAMELEN); strcat(target_id_name, " Name "); strncpy(help_name, tid.symlink.dentry_p->d_name.name, namelen); help_name[namelen] = 0; strcat(target_id_name, help_name); #endif } break; case T_UNIXSOCK: strcpy(target_type_name, "UNIXSOCK"); if (!target_id_name) break; sprintf(target_id_name, "Device %02u:%02u Inode %u", RSBAC_MAJOR(tid.unixsock.device), RSBAC_MINOR(tid.unixsock.device), tid.unixsock.inode); if (tid.symlink.dentry_p && tid.unixsock.dentry_p->d_name.name && tid.unixsock.dentry_p->d_name.len) { #ifdef CONFIG_RSBAC_LOG_FULL_PATH if (rsbac_get_full_path (tid.unixsock.dentry_p, help_name, CONFIG_RSBAC_MAX_PATH_LEN) > 0) { strcat(target_id_name, " Path "); strcat(target_id_name, help_name); } #else int namelen = rsbac_min(tid.unixsock.dentry_p->d_name.len, RSBAC_MAXNAMELEN); strcat(target_id_name, " Name 
"); strncpy(help_name, tid.unixsock.dentry_p->d_name.name, namelen); help_name[namelen] = 0; strcat(target_id_name, help_name); #endif } break; case T_DEV: strcpy(target_type_name, "DEV"); if (!target_id_name) break; switch (tid.dev.type) { case D_block: sprintf(target_id_name, "block %02u:%02u", tid.dev.major, tid.dev.minor); break; case D_char: sprintf(target_id_name, "char %02u:%02u", tid.dev.major, tid.dev.minor); break; case D_block_major: sprintf(target_id_name, "block major %02u", tid.dev.major); break; case D_char_major: sprintf(target_id_name, "char major %02u", tid.dev.major); break; default: sprintf(target_id_name, "*unknown* %02u:%02u", tid.dev.major, tid.dev.minor); } break; case T_NETOBJ: strcpy(target_type_name, "NETOBJ"); if (!target_id_name) break; #ifdef CONFIG_NET if (tid.netobj.sock_p && tid.netobj.sock_p->ops && tid.netobj.sock_p->sk) { char type_name[RSBAC_MAXNAMELEN]; switch (tid.netobj.sock_p->ops->family) { case AF_INET: { __u32 saddr; __u16 sport; __u32 daddr; __u16 dport; struct net_device *dev; char ldevname[RSBAC_IFNAMSIZ + 10]; char rdevname[RSBAC_IFNAMSIZ + 10]; if (tid.netobj.local_addr) { struct sockaddr_in *addr = tid.netobj.local_addr; saddr = addr->sin_addr.s_addr; sport = ntohs(addr->sin_port); } else { #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) saddr = inet_sk(tid.netobj. sock_p->sk)-> saddr; sport = inet_sk(tid.netobj. sock_p->sk)-> num; #else saddr = tid.netobj.sock_p->sk-> saddr; sport = tid.netobj.sock_p->sk-> num; #endif } if (tid.netobj.remote_addr) { struct sockaddr_in *addr = tid.netobj.remote_addr; daddr = addr->sin_addr.s_addr; dport = ntohs(addr->sin_port); } else { #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) daddr = inet_sk(tid.netobj. sock_p->sk)-> daddr; dport = ntohs(inet_sk (tid.netobj. sock_p->sk)-> dport); #else daddr = tid.netobj.sock_p->sk-> daddr; dport = ntohs(tid.netobj. 
sock_p->sk-> dport); #endif } dev = ip_dev_find(saddr); if (dev) { sprintf(ldevname, "%s:", dev->name); dev_put(dev); } else ldevname[0] = 0; dev = ip_dev_find(daddr); if (dev) { sprintf(rdevname, "%s:", dev->name); dev_put(dev); } else rdevname[0] = 0; sprintf(target_id_name, "%p INET %s proto %s local %s%u.%u.%u.%u:%u remote %s%u.%u.%u.%u:%u", tid.netobj.sock_p, rsbac_get_net_type_name (type_name, tid.netobj.sock_p->type), #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) rsbac_get_net_protocol_name (help_name, tid.netobj.sock_p->sk-> sk_protocol), #else rsbac_get_net_protocol_name (help_name, tid.netobj.sock_p->sk-> protocol), #endif ldevname, NIPQUAD(saddr), sport, rdevname, NIPQUAD(daddr), dport); } break; case AF_UNIX: #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) if (unix_sk(tid.netobj.sock_p->sk)->addr) sprintf(target_id_name, "%p UNIX %s %s", tid.netobj.sock_p, rsbac_get_net_type_name (type_name, tid.netobj.sock_p->type), unix_sk(tid.netobj.sock_p-> sk)->addr->name[0]. sun_path); #else if (tid.netobj.sock_p->sk->protinfo. af_unix.addr) sprintf(target_id_name, "%p UNIX %s %s", tid.netobj.sock_p, rsbac_get_net_type_name (type_name, tid.netobj.sock_p->type), tid.netobj.sock_p->sk-> protinfo.af_unix.addr-> name[0].sun_path); #endif else if (tid.netobj.local_addr) { struct sockaddr_un *addr = tid.netobj.local_addr; sprintf(target_id_name, "%p UNIX %s %s", tid.netobj.sock_p, rsbac_get_net_type_name (type_name, tid.netobj.sock_p->type), addr->sun_path); } else sprintf(target_id_name, "%p UNIX %s", tid.netobj.sock_p, rsbac_get_net_type_name (type_name, tid.netobj.sock_p->type)); break; default: sprintf(target_id_name, "%p %s %s", tid.netobj.sock_p, rsbac_get_net_family_name (help_name, tid.netobj.sock_p->ops->family), rsbac_get_net_type_name(type_name, tid.netobj. 
sock_p-> type)); } } else #endif /* CONFIG_NET */ { sprintf(target_id_name, "%p", tid.netobj.sock_p); } break; #endif /* __KERNEL__ */ case T_IPC: strcpy(target_type_name, "IPC"); if (!target_id_name) break; switch (tid.ipc.type) { case I_sem: strcpy(target_id_name, "Sem-ID "); break; case I_msg: strcpy(target_id_name, "Msg-ID "); break; case I_shm: strcpy(target_id_name, "Shm-ID "); break; case I_anonpipe: strcpy(target_id_name, "AnonPipe-ID "); break; case I_mqueue: strcpy(target_id_name, "Mqueue-ID "); break; case I_anonunix: strcpy(target_id_name, "AnonUnix-ID "); break; default: strcpy(target_id_name, "ID "); break; }; sprintf(help_name, "%lu", tid.ipc.id.id_nr); strcat(target_id_name, help_name); break; case T_SCD: strcpy(target_type_name, "SCD"); if (target_id_name) get_scd_type_name(target_id_name, tid.scd); break; case T_USER: strcpy(target_type_name, "USER"); if (target_id_name) { #ifdef CONFIG_RSBAC_UM_VIRTUAL if(RSBAC_UID_SET(tid.user)) sprintf(target_id_name, "%u/%u", RSBAC_UID_SET(tid.user), RSBAC_UID_NUM(tid.user)); else #endif sprintf(target_id_name, "%u", RSBAC_UID_NUM(tid.user)); } break; case T_PROCESS: strcpy(target_type_name, "PROCESS"); if (target_id_name) sprintf(target_id_name, "%u", tid.process); break; case T_GROUP: strcpy(target_type_name, "GROUP"); if (target_id_name) { #ifdef CONFIG_RSBAC_UM_VIRTUAL if(RSBAC_GID_SET(tid.group)) sprintf(target_id_name, "%u/%u", RSBAC_GID_SET(tid.group), RSBAC_GID_NUM(tid.group)); else #endif sprintf(target_id_name, "%u", RSBAC_GID_NUM(tid.group)); } break; case T_NETDEV: strcpy(target_type_name, "NETDEV"); if (!target_id_name) break; strncpy(target_id_name, tid.netdev, RSBAC_IFNAMSIZ); target_id_name[RSBAC_IFNAMSIZ] = 0; break; case T_NETTEMP: strcpy(target_type_name, "NETTEMP"); if (target_id_name) sprintf(target_id_name, "%u", tid.nettemp); break; case T_NETTEMP_NT: strcpy(target_type_name, "NETTEMP_NT"); if (target_id_name) sprintf(target_id_name, "%u", tid.nettemp); break; case T_NONE: 
strcpy(target_type_name, "NONE"); if (target_id_name) strcpy(target_id_name, "NONE"); break; default: strcpy(target_type_name, "ERROR!!!"); if (target_id_name) sprintf(target_id_name, "%u", target); } #ifdef __KERNEL__ rsbac_kfree(help_name); #endif return (target_type_name); } char *get_target_name_only(char *target_type_name, enum rsbac_target_t target) { if (!target_type_name) return (NULL); switch (target) { case T_FILE: strcpy(target_type_name, "FILE"); break; case T_DIR: strcpy(target_type_name, "DIR"); break; case T_FIFO: strcpy(target_type_name, "FIFO"); break; case T_SYMLINK: strcpy(target_type_name, "SYMLINK"); break; case T_UNIXSOCK: strcpy(target_type_name, "UNIXSOCK"); break; case T_FD: strcpy(target_type_name, "FD"); break; case T_DEV: strcpy(target_type_name, "DEV"); break; case T_NETOBJ: strcpy(target_type_name, "NETOBJ"); break; case T_IPC: strcpy(target_type_name, "IPC"); break; case T_SCD: strcpy(target_type_name, "SCD"); break; case T_USER: strcpy(target_type_name, "USER"); break; case T_PROCESS: strcpy(target_type_name, "PROCESS"); break; case T_GROUP: strcpy(target_type_name, "GROUP"); break; case T_NETDEV: strcpy(target_type_name, "NETDEV"); break; case T_NETTEMP: strcpy(target_type_name, "NETTEMP"); break; case T_NETTEMP_NT: strcpy(target_type_name, "NETTEMP_NT"); break; case T_NONE: strcpy(target_type_name, "NONE"); break; default: strcpy(target_type_name, "ERROR!!!"); }; return (target_type_name); } enum rsbac_target_t get_target_nr(const char *target_name) { enum rsbac_target_t i; if (!target_name) return (T_NONE); for (i = 0; i < T_NONE; i++) { if (!strcmp(target_name, target_list[i])) { return (i); } } return (T_NONE); } char *get_ipc_target_name(char *ipc_name, enum rsbac_ipc_type_t target) { if (!ipc_name) return (NULL); if (target > I_none) strcpy(ipc_name, "ERROR!"); else strcpy(ipc_name, ipc_target_list[target]); return (ipc_name); } enum rsbac_ipc_type_t get_ipc_target_nr(const char *ipc_name) { enum rsbac_ipc_type_t i; if 
(!ipc_name) return (I_none); for (i = 0; i < I_none; i++) { if (!strcmp(ipc_name, ipc_target_list[i])) { return (i); } } return (I_none); } #ifdef __KERNEL__ #if defined(CONFIG_RSBAC_REG) || defined(CONFIG_RSBAC_REG_MAINT) EXPORT_SYMBOL(get_switch_target_name); #endif #endif char *get_switch_target_name(char *switch_name, enum rsbac_switch_target_t target) { if (!switch_name) return (NULL); if (target > SW_NONE) strcpy(switch_name, "ERROR!"); else strcpy(switch_name, switch_target_list[target]); return (switch_name); } enum rsbac_switch_target_t get_switch_target_nr(const char *switch_name) { enum rsbac_switch_target_t i; if (!switch_name) return (SW_NONE); for (i = 0; i < SW_NONE; i++) { #ifdef __KERNEL__ if (!strncmp (switch_name, switch_target_list[i], strlen(switch_target_list[i]))) #else if (!strcmp(switch_name, switch_target_list[i])) #endif { return (i); } } return (SW_NONE); } #ifdef __KERNEL__ #if defined(CONFIG_RSBAC_REG) || defined(CONFIG_RSBAC_REG_MAINT) EXPORT_SYMBOL(get_error_name); #endif #endif char *get_error_name(char *error_name, int error) { if (!error_name) return (NULL); #ifndef __KERNEL__ if((error == -1) && RSBAC_ERROR(-errno)) error = -errno; #endif if (RSBAC_ERROR(error)) strcpy(error_name, error_list[(-error) - RSBAC_EPERM]); else #ifdef __KERNEL__ inttostr(error_name, error); #else strcpy(error_name, strerror(errno)); #endif return (error_name); } #ifndef __KERNEL__ char *get_attribute_param(char *attr_name, enum rsbac_attribute_t attr) { if (!attr_name) return (NULL); if (attr > A_none) strcpy(attr_name, "ERROR!"); else strcpy(attr_name, attribute_param_list[attr]); return (attr_name); } #endif char *get_log_level_name(char *ll_name, enum rsbac_log_level_t target) { if (!ll_name) return (NULL); if (target > LL_invalid) strcpy(ll_name, "ERROR!"); else strcpy(ll_name, log_level_list[target]); return (ll_name); } enum rsbac_log_level_t get_log_level_nr(const char *ll_name) { enum rsbac_log_level_t i; if (!ll_name) return (LL_invalid); for 
(i = 0; i < LL_invalid; i++) { if (!strcmp(ll_name, log_level_list[i])) { return (i); } } return (LL_invalid); } char *get_cap_name(char *name, u_int value) { if (!name) return (NULL); if (value > CAP_NONE) strcpy(name, "ERROR!"); else strcpy(name, cap_list[value]); return (name); } int get_cap_nr(const char *name) { int i; if (!name) return (CAP_NONE); for (i = 0; i < CAP_NONE; i++) { if (!strcasecmp(name, cap_list[i])) { return (i); } } return (CAP_NONE); } rsbac-admin-1.4.0/main/libs/asm-arches/0000755000175000017500000000000011131371036017436 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-m32r/0000755000175000017500000000000011131371036020777 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-m32r/unistd.h0000644000175000017500000000000011131371036022444 0ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-h8300/0000755000175000017500000000000011131371035020755 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-h8300/unistd.h0000644000175000017500000000000011131371035022422 0ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-arm26/0000755000175000017500000000000011131371036021143 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-arm26/unistd.h0000644000175000017500000000000011131371036022610 0ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-ppc/0000755000175000017500000000000011131371036020776 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-ppc/unistd.h0000644000175000017500000000003011131371036022446 0ustar gauvaingauvain#define __NR_rsbac 224 rsbac-admin-1.4.0/main/libs/asm-arches/asm-x86_64/0000755000175000017500000000000011131371036021152 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-x86_64/unistd.h0000644000175000017500000000006511131371036022632 0ustar gauvaingauvain#define __NR_rsbac 185 /* reserved for security */ rsbac-admin-1.4.0/main/libs/asm-arches/asm-sparc64/0000755000175000017500000000000011131371036021476 5ustar 
gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-sparc64/unistd.h0000644000175000017500000000000011131371036023143 0ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-arm/0000755000175000017500000000000011131371035020772 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-arm/unistd.h0000644000175000017500000000010611131371035022446 0ustar gauvaingauvain#include #define __NR_rsbac (__NR_SYSCALL_BASE+223) rsbac-admin-1.4.0/main/libs/asm-arches/asm-sh64/0000755000175000017500000000000011131371036021000 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-sh64/unistd.h0000644000175000017500000000000011131371036022445 0ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-v850/0000755000175000017500000000000011131371035020715 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-v850/unistd.h0000644000175000017500000000003011131371035022365 0ustar gauvaingauvain#define __NR_rsbac 230 rsbac-admin-1.4.0/main/libs/asm-arches/asm-sparc/0000755000175000017500000000000011131371035021323 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-sparc/unistd.h0000644000175000017500000000003011131371035022773 0ustar gauvaingauvain#define __NR_rsbac 164 rsbac-admin-1.4.0/main/libs/asm-arches/asm-i386/0000755000175000017500000000000011131371036020705 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-i386/unistd.h0000644000175000017500000000003011131371036022355 0ustar gauvaingauvain#define __NR_rsbac 223 rsbac-admin-1.4.0/main/libs/asm-arches/asm-sh/0000755000175000017500000000000011131371035020625 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-sh/unistd.h0000644000175000017500000000003011131371035022275 0ustar gauvaingauvain#define __NR_rsbac 223 rsbac-admin-1.4.0/main/libs/asm-arches/asm-cris/0000755000175000017500000000000011131371036021154 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-cris/unistd.h0000644000175000017500000000003011131371036022624 0ustar 
gauvaingauvain#define __NR_rsbac 223 rsbac-admin-1.4.0/main/libs/asm-arches/asm-m68knommu/0000755000175000017500000000000011131371035022054 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-m68knommu/unistd.h0000644000175000017500000000003011131371035023524 0ustar gauvaingauvain#define __NR_rsbac 300 rsbac-admin-1.4.0/main/libs/asm-arches/asm-ppc64/0000755000175000017500000000000011131371036021150 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-ppc64/unistd.h0000644000175000017500000000003011131371036022620 0ustar gauvaingauvain#define __NR_rsbac 224 rsbac-admin-1.4.0/main/libs/asm-arches/asm-parisc/0000755000175000017500000000000011131371035021474 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-parisc/unistd.h0000644000175000017500000000004711131371035023154 0ustar gauvaingauvain#define __NR_rsbac (__NR_Linux + 300) rsbac-admin-1.4.0/main/libs/asm-arches/asm-mips/0000755000175000017500000000000011131371035021163 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-mips/unistd.h0000644000175000017500000000012711131371035022642 0ustar gauvaingauvain/* RSBAC - we use 221, the old sys_security */ #define __NR_rsbac (__NR_Linux + 221) rsbac-admin-1.4.0/main/libs/asm-arches/asm-frv/0000755000175000017500000000000011131371036021011 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-frv/unistd.h0000644000175000017500000000000011131371036022456 0ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-m68k/0000755000175000017500000000000011131371036021001 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-m68k/unistd.h0000644000175000017500000000003011131371036022451 0ustar gauvaingauvain#define __NR_rsbac 300 rsbac-admin-1.4.0/main/libs/asm-arches/asm-alpha/0000755000175000017500000000000011131371036021301 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-alpha/unistd.h0000644000175000017500000000003111131371036022752 0ustar gauvaingauvain#define __NR_rsbac 380 
rsbac-admin-1.4.0/main/libs/asm-arches/asm-um/0000755000175000017500000000000011131371035020634 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-um/unistd.h0000644000175000017500000000000011131371035022301 0ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-ia64/0000755000175000017500000000000011131371035020756 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-ia64/unistd.h0000644000175000017500000000003211131371035022430 0ustar gauvaingauvain#define __NR_rsbac 1270 rsbac-admin-1.4.0/main/libs/asm-arches/asm-s390/0000755000175000017500000000000011131371036020712 5ustar gauvaingauvainrsbac-admin-1.4.0/main/libs/asm-arches/asm-s390/unistd.h0000644000175000017500000000003011131371036022362 0ustar gauvaingauvain#define __NR_rsbac 300 rsbac-admin-1.4.0/main/libs/README0000644000175000017500000000157711131371037016306 0ustar gauvaingauvainRSBAC Libraries This package builds the RSBAC libraries necessary to link RSBAC related binaries and programs. -- All RSBAC code is copyrighted by Amon Ott unless stated otherwise, and published under the restrictions of the GNU General Public Licence as to be read in file COPYING in the main directory of the kernel source tree. All statements therein apply fully to all RSBAC sources. RSBAC is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details, available in the file ``COPYING' rsbac-admin-1.4.0/main/libs/Makefile0000644000175000017500000000465411131371037017065 0ustar gauvaingauvain#!/usr/bin/make -f # Licensed under the terms of the GPLv2 # Guillaume Destuynder # # Configuration # VERSION := 1.4.0 LIBVERSION := 1 INSTALL := install LIBTOOL := libtool CC := gcc ECHO := $(shell which echo) ifeq ($(ECHO),) ECHO := echo endif HOST := $(shell uname -m) DESTDIR := PREFIX := /usr/local ifeq ($(DIR_LIBS),) ifeq ($(HOST), x86_64) LIBDIR := $(PREFIX)/lib64 else LIBDIR := $(PREFIX)/lib endif else LIBDIR := $(DIR_LIBS) endif LOCALEDIR := $(PREFIX)/share/locale RSBACLIB := librsbac.la NLS := 1 CFLAGS := -fPIC -O2 -fomit-frame-pointer CFLAGS += -I../headers -I/usr/include -I/usr/local/include \ -I$(PREFIX)/include LDFLAGS := DEFINES := -DPACKAGE=\"rsbac-admin\" \ -DVERSION=\"$(VERSION)\" \ -DLOCALEDIR=\"$(LOCALEDIR)\" \ -DENABLE_NLS=$(NLS) QUIET := > /dev/null LIBS := ARCH := $(shell uname -m | sed -e s/i.86/i386/ -e s/sun4u/sparc64/ \ -e s/arm.*/arm/ -e s/sa110/arm/ \ -e s/s390x/s390/ -e s/parisc64/parisc/ ) FILES_LIBS := $(wildcard helpers/*.c) # # Architecture checks # ASM_DIR := asm-arches/asm-$(ARCH)/unistd.h CFLAGS += -include ./$(ASM_DIR) # # Nice make. Use make VERBOSE=1 to verbose compilation. 
# ifneq ($(VERBOSE), 1) .SILENT: E = @$(ECHO) -e " " else QUIET = E = @: endif # # Targets # all: $(RSBACLIB) $(RSBACLIB): $(FILES_LIBS) $(foreach f, $(FILES_LIBS), $(ECHO) -e " CC\t\t$(f)"; \ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(LDFLAGS) $(DEFINES) -c $(f) $(QUIET) -o $(f:.c=.lo);) $(E) "LD\t\t$(RSBACLIB)" $(LIBTOOL) --mode=link $(CC) $(CFLAGS) $(LDFLAGS) $(DEFINES) $(LIBS) \ -o $@ $(FILES_LIBS:.c=.lo) -rpath $(LIBDIR) -version-info $(LIBVERSION) \ $(QUIET) clean: $(E) "CLEAN\t\t$(RSBACLIB) librsbac.a" rm -f $(RSBACLIB) librsbac.a $(E) "CLEAN\t\tLibtool objects" rm -rf $(FILES_LIBS:.c=.lo) $(FILES_LIBS:.c=.o) helpers/.libs rm -rf .libs distclean: clean install: all $(E) "INTO\t\t$(DESTDIR) ($(PREFIX))" $(E) "DIR\t\t$(LIBDIR)" $(INSTALL) -d $(DESTDIR)/$(LIBDIR) $(E) "INSTALL\t$(RSBACLIB)" $(LIBTOOL) --mode=install install -c $(RSBACLIB) \ $(DESTDIR)/$(LIBDIR)/$(RSBACLIB) $(QUIET) $(E) "LIBTOOL\t$(RSBACLIB)" $(LIBTOOL) -n --mode=finish $(DESTDIR)/$(LIBDIR) $(QUIET) uninstall: $(E) "UNINSTALL\t $(LIBDIR)/$(RSBACLIB) \ $(LIBDIR)/librsbac.so $(LIBDIR)/librsbac.a" $(LIBTOOL) --mode=uninstall rm \ $(DESTDIR)/$(LIBDIR)/$(RSBACLIB) $(QUIET) .PHONY: all clean distclean rsbac-admin-1.4.0/main/libs/COPYING0000644000175000017500000004313111131371037016451 0ustar gauvaingauvain GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. 
(Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. 
The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. 
You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. 
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. 
However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. 
If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. 
If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License. 
rsbac-admin-1.4.0/main/COPYING0000644000175000017500000004313111131371034015515 0ustar gauvaingauvain GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. 
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. 
The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. 
(Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. 
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. 
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. 
The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. 
If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License. rsbac-admin-1.4.0/contrib/0000755000175000017500000000000011131371031015171 5ustar gauvaingauvainrsbac-admin-1.4.0/contrib/README0000644000175000017500000000030711131371031016051 0ustar gauvaingauvainContributions ------------- All files in this directory are user contributed files. Please contact the responsible person in the README file of each supplied directory for support and information. rsbac-admin-1.4.0/README0000644000175000017500000000245311131371037014423 0ustar gauvaingauvainWelcome to the RSBAC packages directory -------------------------------------- What you will do from here depends on you ! 
* Simply install the tools and start using RSBAC ? - type make, and as root, make install Please see ``INSTALL' for more information * Want to know what is in there ? - contrib: This directory contains all user contributions, like patches for programs to support jail() instead of chroot() calls, and procps tools (ps, top, ...) displaying the roles applications are running under. - main: You will find all the main RSBAC packages in this directory. * tools The tools are the commands used to manage RSBAC and build policies, set rights and authorisations (ex: rsbac_menu, attr_set_*) * pam (Pluggable Authentication Module) The pam module allows you to authenticate users against the RSBAC UM (in-kernel User Management). Test a new PAM/NSS setup from a separate, already authenticated root session before relying on it, since a misconfigured authentication stack can lock you out of the system. * nss (Name Service Switch) NSS lets you switch the authentication from files/db/nis/ldap or whichever else to the RSBAC UM. * rklogd (RSBAC Kernel Logger Daemon) rklogd is a daemon reading RSBAC messages on /proc/rsbac-info/rmsg It is useful to separate RSBAC logging from the rest of the traditional system logging, in use together with the kernel parameter ``rsbac_nosyslog' It also provides a log viewer, rklogd-viewer. rsbac-admin-1.4.0/INSTALL0000644000175000017500000000660011131371037014572 0ustar gauvaingauvainRSBAC packages Installation --------------------------- Prerequisites: ------------- You need to install the following packages before you can continue: - make - gcc - binutils - coreutils - libc-dev (glibc 2.1+) - findutils - dialog - libtool Might need (architecture dependent): - kernel-headers For rklogd: - ncurses-dev - ncurses-lib For pam: - pam-dev This list is non-exhaustive and you might need other packages, depending on your operating system Notes about distributions and package making: --------------------------------------------- The main/libs directory has essential RSBAC libraries, which need to be available at all times. 
Thus, it is recommended to override their default location to /lib instead of $(PREFIX)/lib (which will be /usr/lib usually). This allows the system to come up even if /usr is not mounted for some reason. This causes a problem with the FHS, because .a and .la archives will be automatically installed by libtool into /lib, next to the .so (the real library). To alleviate this problem, you must move the .a and .la archives to /usr/lib, and either symlink /usr/lib/libraryname.so to /lib/libraryname.so (easy and clean) or write a script telling the linker to look in /lib (gentoo-style). Options: ------- There are several options you can set for the compilation or installation. You can set them this way: $ make target OPTION=value OPTION1=value ... Sparc machines are known to compile with: $ make install CFLAGS="-mcpu=ultrasparc" If you do not have gettext (uclibc), you will need: $ make install NLS=0 You can get a list of options by doing: $ make -p Or by browsing the Makefiles for directories or special variables. Other common values are PREFIX or DESTDIR, for example: $ make PREFIX=/usr the above will install into /usr (like, /usr/bin) or $ make PREFIX=/usr DESTDIR=/chroot/another_install/ the above will install into /chroot/another_install/usr (like, /chroot/another_install/usr/bin) If not detected correctly, you can also select the architecture you are compiling RSBAC libraries for with the ARCH setting. Warning, ARCH is only used for this very case. The traditional HOST setting is used in other cases. $ make ARCH=i386 Make sure to check your architecture exists in ``main/libs/asm-arches' first. You can guess it by running either: $ uname -m or $ gcc -dumpmachine Likewise, LIBDIR is set automatically to /lib64 if your system is listed as a 64bit architecture. This detection ignores the ARCH setting, but not the HOST setting. 
You can override this by setting LIBDIR manually, for example: $ make LIBDIR=/lib or $ make LIBDIR=/lib64 If you wish to debug the build process, use: $ make VERBOSE=1 Available targets per package: ----------------------------- You have to change to the package directory first :) To make a target: $ make Each package contains similar targets: install: effectively tries to install the package, please have administrator privileges ! install-strip: same, stripping binaries (removes symbols, debug stuff, smaller binaries) uninstall: attempts to remove every file installed by the package, you also need administrator privileges. clean: remove all object files, possibly binaries if no object files are present. distclean: restore the original state of the directory, by running clean and removing every binary or file left during the build process Simply typing make will only build the package. rsbac-admin-1.4.0/Makefile0000644000175000017500000001062111131371037015177 0ustar gauvaingauvain# # Nice make. Use make VERBOSE=1 to verbose compilation. # ifneq ($(VERBOSE), 1) .SILENT: E = @echo else E = @: endif all: @echo "Welcome to RSBAC!" 
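# Continuation of the `all` help banner. The `all:` rule header, the first
# echo line and the VERBOSE conditional precede this block.
	@echo "To compile all packages, type:"
	@echo "\`\`make build'"
	@echo
	@echo "To install all packages, as administrator user, type:"
	@echo "\`\`make install' or \`\`make install-strip'"
	@echo
	@echo "To uninstall all packages, as administrator user, type:"
	@echo "\`\`make uninstall'"
	@echo
	@echo "To compile or install per package, type:"
# NOTE(review): the package-name placeholder between the backquotes looks
# like it was lost in this copy of the file -- TODO confirm against upstream.
	@echo "\`\`make ' or \`\`make -install'"
	@echo
	@echo "with package one of:"
	@echo
	@echo " ---------------------------------------"
	@echo "| headers libs nss pam rklogd tools |"
	@echo " ---------------------------------------"
	@echo
	@echo "Or change to the right directory and use the traditional"
	@echo "make; su; make install"
	@echo
	@echo "To disable User Management (UM) related packages use:"
	@echo "\`\`make build-no-um' then \`\`make inst-no-um' as admininistrator"
	@echo
	@echo "Type make VERBOSE=1 to display compilation lines."
	@echo
	@echo "Be sure to read the \`\`INSTALL' and \`\`README' files for"
	@echo "more information."
	@echo
	@echo "The RSBAC team - http://www.rsbac.org"

#
# Aggregate targets
#
# The *-no-um variants skip the PAM and NSS modules (the in-kernel User
# Management integration); everything else is identical to build/install.
inst-no-um: headers-install libs-install rklogd-install tools-install
build-no-um: libs rklogd tools
build: libs pam rklogd tools nss
install: headers-install libs-install pam-install rklogd-install \
	tools-install nss-install
install-strip: headers-install libs-install pam-install rklogd-install-strip \
	tools-install-strip nss-install
uninstall: pam-uninstall rklogd-uninstall tools-uninstall nss-uninstall \
	libs-uninstall headers-uninstall
clean: libs-clean pam-clean rklogd-clean tools-clean nss-clean
distclean : clean

# Display function: prints a blank line, the banner text and a separator.
# Called as $(call E, "text") -- the quotes belong to the argument, so the
# words reach the shell unquoted; that is why the call sites escape parens.
# Note that this assignment replaces the `E` set by the VERBOSE conditional
# above, so banners are printed in both normal and VERBOSE=1 mode.
E = @echo;echo "$(1)";echo " -------------------------------------"

#
# Building
#
# Every package links against the RSBAC libraries, so each one depends on
# `libs`; this keeps the order correct under `make -j`.
libs:
	$(call E, "Building RSBAC Libraries...")
	@$(MAKE) -C main/libs

nss: libs
	$(call E, "Building RSBAC NSS...")
	@$(MAKE) -C main/nss

pam: libs
	$(call E, "Building RSBAC PAM...")
	@$(MAKE) -C main/pam

rklogd: libs
	$(call E, "Building rklogd and rklogd-viewer...")
	@$(MAKE) -C main/rklogd

tools: libs
	$(call E, "Building RSBAC tools...")
	@$(MAKE) -C main/tools

#
# Installations
#
# These targets are meant to be run as root: they write shared libraries and
# the PAM/NSS authentication modules into system paths (see INSTALL for the
# /lib vs. $(PREFIX)/lib discussion). Only run them from a source tree whose
# origin you trust. PREFIX/DESTDIR/LIBDIR given on the command line reach the
# sub-makes through GNU make's command-line variable propagation.
headers-install:
	$(call E, "Installing RSBAC headers...")
	@$(MAKE) install -C main/headers

libs-install: headers-install libs
	$(call E, "Installing RSBAC libraries...")
	@$(MAKE) install -C main/libs

nss-install: headers-install libs-install nss
	$(call E, "Installing RSBAC NSS...")
	@$(MAKE) install -C main/nss

pam-install: headers-install libs-install pam
	$(call E, "Installing RSBAC PAM...")
	@$(MAKE) install -C main/pam

rklogd-install: libs-install rklogd
	$(call E, "Installing rklogd and rklogd-viewer...")
	@$(MAKE) install -C main/rklogd

rklogd-install-strip: libs-install rklogd
	$(call E, "Installing rklogd and rklogd-viewer \(stripped\)...")
	@$(MAKE) install-strip -C main/rklogd

tools-install: headers-install libs-install tools
	$(call E, "Installing RSBAC tools...")
	@$(MAKE) install -C main/tools

tools-install-strip: headers-install libs-install tools
	$(call E, "Installing RSBAC tools \(stripped\)...")
	@$(MAKE) install-strip -C main/tools

#
# Uninstallations
#
# Sub-makes are invoked through $(MAKE) (not a literal `make`) so that -n and
# the -j jobserver propagate. The leading `-` is deliberate: the sub-make
# uninstall rules use plain `rm`, so an already-missing file must not abort
# the removal of the remaining packages.
#
# Ordering: packages that link against the libraries (nss, pam, rklogd,
# tools) are removed before the libraries, and the headers go last.
headers-uninstall: nss-uninstall pam-uninstall tools-uninstall libs-uninstall
	$(call E, "Uninstalling RSBAC headers...")
	@-$(MAKE) uninstall -C main/headers

libs-uninstall: nss-uninstall pam-uninstall rklogd-uninstall tools-uninstall
	$(call E, "Uninstalling RSBAC libraries...")
	@-$(MAKE) uninstall clean -C main/libs

nss-uninstall:
	$(call E, "Uninstalling RSBAC NSS...")
	@-$(MAKE) uninstall clean -C main/nss

pam-uninstall:
	$(call E, "Uninstalling RSBAC PAM...")
	@-$(MAKE) uninstall clean -C main/pam

rklogd-uninstall:
	$(call E, "Uninstalling rklogd and rklogd-viewer...")
	@-$(MAKE) uninstall clean -C main/rklogd

# tools-uninstall must NOT depend on libs-uninstall: libs-uninstall already
# depends on tools-uninstall, and the reverse edge created a circular
# dependency that GNU make silently dropped.
tools-uninstall:
	$(call E, "Uninstalling RSBAC tools...")
	@-$(MAKE) uninstall clean -C main/tools

#
# Cleaning
#
libs-clean:
	$(call E, "Cleaning RSBAC Libraries...")
	@$(MAKE) distclean -C main/libs

nss-clean:
	$(call E, "Cleaning RSBAC NSS...")
	@$(MAKE) distclean -C main/nss

pam-clean:
	$(call E, "Cleaning RSBAC PAM...")
	@$(MAKE) distclean -C main/pam

rklogd-clean:
	$(call E, "Cleaning rklogd and rklogd-viewer...")
	@$(MAKE) distclean -C main/rklogd

tools-clean:
	$(call E, "Cleaning RSBAC tools...")
	@$(MAKE) distclean -C main/tools

# None of these targets produce a file of the same name; declare them all
# phony so a stray file (e.g. `install` next to the existing INSTALL on a
# case-insensitive filesystem) can never make a target look "up to date".
.PHONY: all build build-no-um install install-strip inst-no-um uninstall \
	clean distclean \
	libs nss pam rklogd tools \
	headers-install libs-install nss-install pam-install rklogd-install \
	rklogd-install-strip tools-install tools-install-strip \
	headers-uninstall libs-uninstall nss-uninstall pam-uninstall \
	rklogd-uninstall tools-uninstall \
	libs-clean nss-clean pam-clean rklogd-clean tools-clean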