/*
* Access vector cache interface for object managers.
*
* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
*/
#ifndef _SELINUX_AVC_H_
#define _SELINUX_AVC_H_
#include <linux/stddef.h>
#include <linux/errno.h>
#include <linux/kernel.h>
#include <linux/kdev_t.h>
#include <linux/spinlock.h>
#include <linux/init.h>
#include <linux/audit.h>
#include <linux/lsm_audit.h>
#include <linux/in6.h>
#include "flask.h"
#include "av_permissions.h"
#include "security.h"
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
/*
 * Runtime enforcing/permissive switch. Only the DEVELOP build exposes it
 * as a writable variable; the definition lives outside this header.
 */
extern int selinux_enforcing;
#else
/*
 * Non-DEVELOP builds pin the flag to 1: every caller sees enforcing mode
 * and there is no runtime permissive toggle at all, so code guarded by
 * this macro compiles to the enforcing path unconditionally.
 */
#define selinux_enforcing 1
#endif
/*
* An entry in the AVC.
*/
struct avc_entry;
struct task_struct;
struct inode;
struct sock;
struct sk_buff;
/*
* AVC statistics
*/
/*
 * Plain unsigned counters; a per-CPU instance is declared at the bottom of
 * this header under CONFIG_SECURITY_SELINUX_AVC_STATS. The names are
 * taken as-is — exactly which event each one counts is decided where it
 * is incremented (avc.c), not here.
 */
struct avc_cache_stats {
	unsigned int lookups;		/* cache lookups */
	unsigned int misses;		/* lookups that did not hit */
	unsigned int allocations;	/* cache nodes allocated */
	unsigned int reclaims;		/* nodes reclaimed from the cache */
	unsigned int frees;		/* nodes freed */
};
/*
* We only need this data after we have decided to send an audit message.
*/
struct selinux_late_audit_data {
	/* Same meaning as the matching avc_audit() parameters below. */
	u32 ssid;
	u32 tsid;
	u16 tclass;
	u32 requested;
	/*
	 * Presumably the subsets of @requested that are to be audited and
	 * that were denied — the header does not pin this down; confirm
	 * against the code that fills them in (avc.c).
	 */
	u32 audited;
	u32 denied;
	/* Return value of the access check being audited (see avc_audit()). */
	int result;
};
/*
* We collect this at the beginning of, or during, a selinux security operation
*/
struct selinux_audit_data {
	/*
	 * auditdeny is a bit tricky and unintuitive. See the
	 * comments in avc.c for its meaning and usage.
	 */
	u32 auditdeny;
	/*
	 * Data that is only needed once the decision to send an audit
	 * message has been made (see struct selinux_late_audit_data).
	 * Whether this may be NULL before that point is not established
	 * by this header — confirm in avc.c before dereferencing.
	 */
	struct selinux_late_audit_data *slad;
};
/*
* AVC operations
*/
/* One-time cache setup; __init places it in boot-time-only code. */
void __init avc_init(void);

/*
 * Audit a completed access check (name-derived; the exact record contents
 * are defined in avc.c). @avd is the decision the check produced and
 * @result the value it returned; @a is the LSM audit context. @flags is
 * presumably the same flag space as AVC_STRICT below — the header does
 * not pin this down.
 */
int avc_audit(u32 ssid, u32 tsid,
	      u16 tclass, u32 requested,
	      struct av_decision *avd,
	      int result,
	      struct common_audit_data *a, unsigned flags);

#define AVC_STRICT 1 /* Ignore permissive mode. */
/*
 * Permission check without auditing. @avd is passed by pointer, so the
 * decision is presumably handed back through it for a later avc_audit()
 * call — confirm in avc.c.
 */
int avc_has_perm_noaudit(u32 ssid, u32 tsid,
			 u16 tclass, u32 requested,
			 unsigned flags,
			 struct av_decision *avd);

/*
 * Permission check with auditing. The trailing unnamed parameter is a
 * flags word; avc_has_perm() below passes 0 for it.
 */
int avc_has_perm_flags(u32 ssid, u32 tsid,
		       u16 tclass, u32 requested,
		       struct common_audit_data *auditdata,
		       unsigned);
/*
 * avc_has_perm() - audited permission check with no flags.
 *
 * Thin wrapper: identical to avc_has_perm_flags() with a flags value of 0.
 * That flags word is presumably the same space as AVC_STRICT, so callers
 * needing strict (permissive-ignoring) checks should use
 * avc_has_perm_flags() directly — confirm in avc.c.
 */
static inline int avc_has_perm(u32 ssid, u32 tsid,
			       u16 tclass, u32 requested,
			       struct common_audit_data *auditdata)
{
	const unsigned no_flags = 0;

	return avc_has_perm_flags(ssid, tsid, tclass, requested,
				  auditdata, no_flags);
}
u32 avc_policy_seqno(void);
/*
 * Callback event bits. Each is a distinct power of two so they can be
 * OR-ed together into the @events mask handed to avc_add_callback().
 */
#define AVC_CALLBACK_GRANT 1
#define AVC_CALLBACK_TRY_REVOKE 2
#define AVC_CALLBACK_REVOKE 4
#define AVC_CALLBACK_RESET 8
#define AVC_CALLBACK_AUDITALLOW_ENABLE 16
#define AVC_CALLBACK_AUDITALLOW_DISABLE 32
#define AVC_CALLBACK_AUDITDENY_ENABLE 64
#define AVC_CALLBACK_AUDITDENY_DISABLE 128

/*
 * Register @callback for the events in @events. The (@ssid, @tsid,
 * @tclass, @perms) tuple is presumably a filter on which accesses the
 * callback fires for — confirm in avc.c. The callback receives the event
 * that fired and may write through @out_retained; what "retained" means,
 * and the int status values of both functions, are defined in avc.c,
 * not here.
 */
int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
				     u16 tclass, u32 perms,
				     u32 *out_retained),
		     u32 events, u32 ssid, u32 tsid,
		     u16 tclass, u32 perms);
/* Exported to selinuxfs */
/*
 * Write hash-table statistics into @page. The declaration carries no
 * length, so the caller must supply a buffer at least as large as the
 * implementation assumes (presumably one page, as the name suggests) —
 * confirm the bound in avc.c before passing anything smaller.
 */
int avc_get_hash_stats(char *page);
/* Tunable read by selinuxfs; defined outside this header. */
extern unsigned int avc_cache_threshold;

/* Attempt to free avc node cache */
void avc_disable(void);
#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
/*
 * Per-CPU instance of struct avc_cache_stats; it exists only when the
 * stats option is enabled, so readers must stay inside the same #ifdef.
 */
DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
#endif
#endif /* _SELINUX_AVC_H_ */