/*
 * Access vector cache (AVC) interface for object managers.
 *
 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
 */
#ifndef _SELINUX_AVC_H_
#define _SELINUX_AVC_H_

#include <linux/stddef.h>
#include <linux/errno.h>
#include <linux/kernel.h>
#include <linux/kdev_t.h>
#include <linux/spinlock.h>
#include <linux/init.h>
#include <linux/in6.h>
#include <asm/system.h>
#include "flask.h"
#include "av_permissions.h"
#include "security.h"

/*
 * Enforcing/permissive switch.  With CONFIG_SECURITY_SELINUX_DEVELOP it is a
 * run-time variable defined elsewhere; without that option it is the literal
 * constant 1, so every test of selinux_enforcing is compile-time true and such
 * a build cannot be put into permissive mode.
 */
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
extern int selinux_enforcing;
#else
#define selinux_enforcing 1
#endif

/*
 * An entry in the AVC.  Intentionally incomplete here: users of this header
 * only ever hold pointers to it, and the layout is private to the AVC
 * implementation.
 */
struct avc_entry;

/*
 * Incomplete kernel types used only through pointers in this header, so
 * forward declarations suffice and their full headers need not be included.
 */
struct task_struct;
struct vfsmount;
struct dentry;
struct inode;
struct sock;
struct sk_buff;
/*
 * Auxiliary data to use in generating the audit record.
 *
 * 'type' (one of the AVC_AUDIT_DATA_* values defined inline below) selects
 * which member of the union 'u' is valid; the others carry no meaning.
 * AVC_AUDIT_DATA_INIT() zero-fills the whole structure before setting 'type',
 * so the unselected members read as zero.
 *
 * NOTE(review): nothing in this header takes or drops a reference on the
 * pointer members (tsk, mnt, dentry, inode, sk, netif), so they look like
 * borrowed references that must outlive the audit call — confirm in avc.c.
 */
struct avc_audit_data {
	char    type;			/* AVC_AUDIT_DATA_* selector for 'u' */
#define AVC_AUDIT_DATA_FS   1		/* u.fs is valid */
#define AVC_AUDIT_DATA_NET  2		/* u.net is valid */
#define AVC_AUDIT_DATA_CAP  3		/* u.cap is valid */
#define AVC_AUDIT_DATA_IPC  4		/* u.ipc_id is valid */
	struct task_struct *tsk;	/* task the audit record refers to */
	union 	{
		struct {			/* AVC_AUDIT_DATA_FS: filesystem object */
			struct vfsmount *mnt;
			struct dentry *dentry;
			struct inode *inode;
		} fs;
		struct {			/* AVC_AUDIT_DATA_NET: network endpoint */
			char *netif;		/* interface name (as named; not const) */
			struct sock *sk;
			u16 family;		/* address family; presumably selects v4 vs v6 below */
			u16 dport;		/* destination port (byte order not specified here) */
			u16 sport;		/* source port (byte order not specified here) */
			union {
				struct {
					u32 daddr;
					u32 saddr;
				} v4;
				struct {
					struct in6_addr daddr;
					struct in6_addr saddr;
				} v6;
			} fam;			/* addressed via the v4info/v6info shorthands */
		} net;
		int cap;			/* AVC_AUDIT_DATA_CAP: capability number */
		int ipc_id;			/* AVC_AUDIT_DATA_IPC: IPC object id */
	} u;
};
 | 74 |  | 
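/*
 * Shorthands for the address union inside the 'net' member, e.g.
 * ad.u.net.v4info.daddr expands to ad.u.net.fam.v4.daddr.
 *
 * These are bare identifier macros: any other 'v4info' / 'v6info' token in a
 * translation unit that includes this header is rewritten as well.
 */
#define v4info fam.v4
#define v6info fam.v6

/*
 * Initialize an AVC audit data structure: zero-fill *_d and set its type to
 * AVC_AUDIT_DATA_<_t>, where _t is one of FS, NET, CAP or IPC.
 *
 * _d must be a 'struct avc_audit_data *'.  It is evaluated exactly once (the
 * value is captured in a block-local pointer), and the whole expansion is a
 * single do { } while (0) statement, so the macro can be used as the body of
 * an if/else without the trailing-semicolon syntax error a bare { } block
 * would produce.  The size comes from the pointee, so it tracks the real
 * structure type if _d is ever changed.
 */
#define AVC_AUDIT_DATA_INIT(_d,_t) \
	do { \
		struct avc_audit_data *_avc_ad = (_d); \
		memset(_avc_ad, 0, sizeof(*_avc_ad)); \
		_avc_ad->type = AVC_AUDIT_DATA_##_t; \
	} while (0)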
 | 81 |  | 
/*
 * AVC statistics
 *
 * Event counters for the cache, named for what they count.  When
 * CONFIG_SECURITY_SELINUX_AVC_STATS is set this header declares one instance
 * per CPU (see the DECLARE_PER_CPU at the bottom), so a consumer has to sum
 * across CPUs.  The counters are plain unsigned int and therefore wrap; readers
 * that track deltas over long periods must tolerate wraparound.
 */
struct avc_cache_stats
{
	unsigned int lookups;		/* cache lookups performed */
	unsigned int hits;		/* lookups satisfied from the cache */
	unsigned int misses;		/* lookups not satisfied from the cache */
	unsigned int allocations;	/* cache entries allocated */
	unsigned int reclaims;		/* cache entries reclaimed */
	unsigned int frees;		/* cache entries freed */
};
 | 94 |  | 
/*
 * AVC operations
 */

/* One-time cache setup.  Marked __init, i.e. intended for boot-time use only. */
void __init avc_init(void);

/*
 * Generate the audit record for an access check.  'avd' is the decision the
 * check produced and 'result' its outcome; 'auditdata' supplies the
 * object-specific details described by struct avc_audit_data.  Whether
 * 'auditdata' may be NULL is not visible from this header.
 */
void avc_audit(u32 ssid, u32 tsid,
               u16 tclass, u32 requested,
               struct av_decision *avd, int result, struct avc_audit_data *auditdata);

/*
 * Check whether source 'ssid' may perform the 'requested' permissions on
 * target 'tsid' of class 'tclass' without generating an audit record.  The
 * decision is stored in *avd so the caller can hand it, together with the
 * result, to avc_audit().  The return convention is not visible here —
 * presumably 0 when granted and a negative errno on denial; confirm in avc.c.
 */
int avc_has_perm_noaudit(u32 ssid, u32 tsid,
                         u16 tclass, u32 requested,
                         struct av_decision *avd);

/*
 * Same check as avc_has_perm_noaudit(), but taking the audit data so the
 * result can be audited as part of the call.  Return convention as above.
 */
int avc_has_perm(u32 ssid, u32 tsid,
                 u16 tclass, u32 requested,
                 struct avc_audit_data *auditdata);

/*
 * Event bits for avc_add_callback()'s 'events' mask and the 'event' argument
 * the callback receives.  Each is a distinct power of two, so they can be
 * OR-ed together.
 */
#define AVC_CALLBACK_GRANT		1
#define AVC_CALLBACK_TRY_REVOKE		2
#define AVC_CALLBACK_REVOKE		4
#define AVC_CALLBACK_RESET		8
#define AVC_CALLBACK_AUDITALLOW_ENABLE	16
#define AVC_CALLBACK_AUDITALLOW_DISABLE	32
#define AVC_CALLBACK_AUDITDENY_ENABLE	64
#define AVC_CALLBACK_AUDITDENY_DISABLE	128

/*
 * Register 'callback' for the events in 'events' (an OR of AVC_CALLBACK_*).
 * The remaining arguments (ssid, tsid, tclass, perms) are passed alongside
 * the registration and presumably restrict which accesses it applies to; the
 * callback gets the event and the same kind of key, and appears to report
 * retained permissions through *out_retained.  Return convention not visible
 * here — confirm in avc.c.
 */
int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
                                     u16 tclass, u32 perms,
				     u32 *out_retained),
		     u32 events, u32 ssid, u32 tsid,
		     u16 tclass, u32 perms);

/* Exported to selinuxfs */
/*
 * Formats hash-table statistics into 'page'.  The buffer size is not part
 * of the interface, so the implementation must bound its own writes;
 * presumably 'page' is a single page buffer — confirm before reuse.
 */
int avc_get_hash_stats(char *page);
/* Cache size threshold tunable; its exact effect is defined in the AVC implementation. */
extern unsigned int avc_cache_threshold;

#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
/* Per-CPU instance of the counters above; only present with AVC stats enabled. */
DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
#endif

#endif /* _SELINUX_AVC_H_ */
 | 137 |  |