1 | /* |
2 | * Access vector cache interface for object managers. | |
3 | * | |
4 | * Author : Stephen Smalley, <sds@epoch.ncsc.mil> | |
5 | */ | |
6 | #ifndef _SELINUX_AVC_H_ | |
7 | #define _SELINUX_AVC_H_ | |
8 | ||
9 | #include <linux/stddef.h> | |
10 | #include <linux/errno.h> | |
11 | #include <linux/kernel.h> | |
12 | #include <linux/kdev_t.h> | |
13 | #include <linux/spinlock.h> | |
14 | #include <linux/init.h> | |
15 | #include <linux/in6.h> | |
16 | #include <asm/system.h> | |
17 | #include "flask.h" | |
18 | #include "av_permissions.h" | |
19 | #include "security.h" | |
20 | ||
/*
 * Enforcing/permissive switch.  Only a CONFIG_SECURITY_SELINUX_DEVELOP
 * build exposes a real variable that code elsewhere can change; in every
 * other configuration the constant 1 is compiled in, so the AVC is always
 * enforcing and permissive mode cannot be selected at all.
 */
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
extern int selinux_enforcing;
#else
#define selinux_enforcing 1
#endif
26 | ||
27 | /* | |
28 | * An entry in the AVC. | |
29 | */ | |
30 | struct avc_entry; | |
31 | ||
32 | struct task_struct; | |
33 | struct vfsmount; | |
34 | struct dentry; | |
35 | struct inode; | |
36 | struct sock; | |
37 | struct sk_buff; | |
38 | ||
/* Auxiliary data to use in generating the audit record. */
struct avc_audit_data {
	/* One of the AVC_AUDIT_DATA_* selectors below.  AVC_AUDIT_DATA_INIT
	 * stores it; by the naming it says which member of u the caller
	 * went on to fill in (FS -> u.fs, NET -> u.net, CAP -> u.cap,
	 * IPC -> u.ipc_id). */
	char type;
#define AVC_AUDIT_DATA_FS 1
#define AVC_AUDIT_DATA_NET 2
#define AVC_AUDIT_DATA_CAP 3
#define AVC_AUDIT_DATA_IPC 4
	/* Task the record is attributed to -- presumably the subject of the
	 * access; confirm against the callers in avc.c. */
	struct task_struct *tsk;
	union {
		/* AVC_AUDIT_DATA_FS: the filesystem object being accessed. */
		struct {
			struct vfsmount *mnt;
			struct dentry *dentry;
			struct inode *inode;
		} fs;
		/* AVC_AUDIT_DATA_NET: details of a socket/network access. */
		struct {
			char *netif;		/* by naming, an interface name string */
			struct sock *sk;
			u16 family;		/* address family; presumably selects v4 or v6 in fam -- confirm */
			__be16 dport;		/* ports are big-endian (network byte order) */
			__be16 sport;
			union {
				struct {
					__be32 daddr;	/* big-endian IPv4 addresses */
					__be32 saddr;
				} v4;
				struct {
					struct in6_addr daddr;
					struct in6_addr saddr;
				} v6;
			} fam;
		} net;
		/* AVC_AUDIT_DATA_CAP: by naming, the capability being checked. */
		int cap;
		/* AVC_AUDIT_DATA_IPC: by naming, the identifier of the IPC object. */
		int ipc_id;
	} u;
};
74 | ||
75 | #define v4info fam.v4 | |
76 | #define v6info fam.v6 | |
77 | ||
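/*
 * Initialize an AVC audit data structure.
 *
 * _d: pointer to the struct avc_audit_data to initialise.
 * _t: bare suffix of an AVC_AUDIT_DATA_* selector (FS, NET, CAP or IPC);
 *     it is token-pasted onto AVC_AUDIT_DATA_ and stored in (_d)->type.
 *
 * The whole structure is zeroed first so every member of u the caller does
 * not fill in reads as 0/NULL.  The body is wrapped in do { } while (0)
 * rather than a bare { } block so the macro expands to exactly one
 * statement: with a bare block, `if (c) AVC_AUDIT_DATA_INIT(d, FS); else ...`
 * does not compile because the trailing ';' ends the if before the else.
 */
#define AVC_AUDIT_DATA_INIT(_d,_t) \
	do { \
		memset((_d), 0, sizeof(struct avc_audit_data)); \
		(_d)->type = AVC_AUDIT_DATA_##_t; \
	} while (0)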
81 | ||
/*
 * AVC statistics
 *
 * Event counters for the access vector cache.  Under
 * CONFIG_SECURITY_SELINUX_AVC_STATS one instance is declared per CPU
 * (DECLARE_PER_CPU(avc_cache_stats) further down in this header), so each
 * field is a per-CPU count and a system-wide figure is the sum over CPUs.
 * The counters' meanings follow their names; see avc.c for where each
 * one is incremented.
 */
struct avc_cache_stats
{
	unsigned int lookups;
	unsigned int hits;
	unsigned int misses;
	unsigned int allocations;
	unsigned int reclaims;
	unsigned int frees;
};
94 | ||
/*
 * AVC operations
 */

/* One-time setup of the cache.  Marked __init, so it runs during boot and
 * its text is discarded afterwards. */
void __init avc_init(void);

/*
 * Produce the audit record for an access decision.
 *   ssid, tsid  source and target security identifiers
 *   tclass      object class of the target
 *   requested   permission bits that were asked for
 *   avd         the decision -- presumably the one filled in by
 *               avc_has_perm_noaudit() (confirm in avc.c)
 *   result      outcome code the caller is about to return
 *   auditdata   context prepared with AVC_AUDIT_DATA_INIT; whether NULL is
 *               accepted is not determinable from this header
 */
void avc_audit(u32 ssid, u32 tsid,
	       u16 tclass, u32 requested,
	       struct av_decision *avd, int result, struct avc_audit_data *auditdata);

/*
 * Permission check that does not emit an audit record; the decision is
 * written to *avd so the caller can audit it later via avc_audit().
 * Return: int status -- presumably 0 when granted and a negative errno
 * otherwise (this header pulls in <linux/errno.h>); confirm in avc.c.
 */
int avc_has_perm_noaudit(u32 ssid, u32 tsid,
			 u16 tclass, u32 requested,
			 struct av_decision *avd);

/*
 * Permission check that also audits, using auditdata as the record's
 * context.  Return convention as for avc_has_perm_noaudit().
 */
int avc_has_perm(u32 ssid, u32 tsid,
		 u16 tclass, u32 requested,
		 struct avc_audit_data *auditdata);

/* Callback event types.  Each is a distinct bit so several can be OR-ed
 * into the `events` mask handed to avc_add_callback(). */
#define AVC_CALLBACK_GRANT 1
#define AVC_CALLBACK_TRY_REVOKE 2
#define AVC_CALLBACK_REVOKE 4
#define AVC_CALLBACK_RESET 8
#define AVC_CALLBACK_AUDITALLOW_ENABLE 16
#define AVC_CALLBACK_AUDITALLOW_DISABLE 32
#define AVC_CALLBACK_AUDITDENY_ENABLE 64
#define AVC_CALLBACK_AUDITDENY_DISABLE 128

/*
 * Register a callback for the events in `events` on the
 * (ssid, tsid, tclass, perms) tuple.  The callback receives the event and
 * the same tuple, plus an out-parameter `out_retained` -- by naming, the
 * permissions it chooses to keep; confirm in avc.c.
 * Return: int status (errno convention assumed, as above).
 */
int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
				     u16 tclass, u32 perms,
				     u32 *out_retained),
		     u32 events, u32 ssid, u32 tsid,
		     u16 tclass, u32 perms);

/* Exported to selinuxfs */
/* Formats cache hash statistics into page.  No length is passed, so the
 * buffer size is an implicit contract between caller and callee
 * (presumably one page) -- confirm in avc.c that the output is bounded
 * accordingly. */
int avc_get_hash_stats(char *page);
/* Tunable cache size limit; its exact meaning is defined in avc.c. */
extern unsigned int avc_cache_threshold;

#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
/* Per-CPU instance of the counters declared in struct avc_cache_stats. */
DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
#endif
135 | ||
136 | #endif /* _SELINUX_AVC_H_ */ | |