2 * Security server interface.
4 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
8 #ifndef _SELINUX_SECURITY_H_
9 #define _SELINUX_SECURITY_H_
11 #include <linux/dcache.h>
12 #include <linux/magic.h>
13 #include <linux/types.h>
16 #define SECSID_NULL 0x00000000 /* unspecified SID */
17 #define SECSID_WILD 0xffffffff /* wildcard SID */
18 #define SECCLASS_NULL 0x0000 /* no class */
20 /* Identify specific policy version changes */
21 #define POLICYDB_VERSION_BASE 15
22 #define POLICYDB_VERSION_BOOL 16
23 #define POLICYDB_VERSION_IPV6 17
24 #define POLICYDB_VERSION_NLCLASS 18
25 #define POLICYDB_VERSION_VALIDATETRANS 19
26 #define POLICYDB_VERSION_MLS 19
27 #define POLICYDB_VERSION_AVTAB 20
28 #define POLICYDB_VERSION_RANGETRANS 21
29 #define POLICYDB_VERSION_POLCAP 22
30 #define POLICYDB_VERSION_PERMISSIVE 23
31 #define POLICYDB_VERSION_BOUNDARY 24
32 #define POLICYDB_VERSION_FILENAME_TRANS 25
33 #define POLICYDB_VERSION_ROLETRANS 26
34 #define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27
35 #define POLICYDB_VERSION_DEFAULT_TYPE 28
36 #define POLICYDB_VERSION_CONSTRAINT_NAMES 29
37 #define POLICYDB_VERSION_XPERMS_IOCTL 30
39 /* Range of policy versions we understand*/
40 #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
41 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
42 #define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
44 #define POLICYDB_VERSION_MAX POLICYDB_VERSION_XPERMS_IOCTL
47 /* Mask for just the mount related flags */
48 #define SE_MNTMASK 0x0f
49 /* Super block security struct flags for mount options */
50 #define CONTEXT_MNT 0x01
51 #define FSCONTEXT_MNT 0x02
52 #define ROOTCONTEXT_MNT 0x04
53 #define DEFCONTEXT_MNT 0x08
54 /* Non-mount related flags */
55 #define SE_SBINITIALIZED 0x10
56 #define SE_SBPROC 0x20
57 #define SE_SBLABELSUPP 0x40
59 #define CONTEXT_STR "context="
60 #define FSCONTEXT_STR "fscontext="
61 #define ROOTCONTEXT_STR "rootcontext="
62 #define DEFCONTEXT_STR "defcontext="
63 #define LABELSUPP_STR "seclabel"
65 struct netlbl_lsm_secattr
;
67 extern int selinux_enabled
;
69 /* Policy capabilities */
71 POLICYDB_CAPABILITY_NETPEER
,
72 POLICYDB_CAPABILITY_OPENPERM
,
73 __POLICYDB_CAPABILITY_MAX
75 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
77 extern int selinux_policycap_netpeer
;
78 extern int selinux_policycap_openperm
;
81 * type_datum properties
82 * available at the kernel policy version >= POLICYDB_VERSION_BOUNDARY
84 #define TYPEDATUM_PROPERTY_PRIMARY 0x0001
85 #define TYPEDATUM_PROPERTY_ATTRIBUTE 0x0002
87 /* limitation of boundary depth */
88 #define POLICYDB_BOUNDS_MAXDEPTH 4
90 int security_mls_enabled(void);
92 int security_load_policy(void *data
, size_t len
);
93 int security_read_policy(void **data
, size_t *len
);
94 size_t security_policydb_len(void);
96 int security_policycap_supported(unsigned int req_cap
);
98 #define SEL_VEC_MAX 32
107 #define XPERMS_ALLOWED 1
108 #define XPERMS_AUDITALLOW 2
109 #define XPERMS_DONTAUDIT 4
111 #define security_xperm_set(perms, x) (perms[x >> 5] |= 1 << (x & 0x1f))
112 #define security_xperm_test(perms, x) (1 & (perms[x >> 5] >> (x & 0x1f)))
113 struct extended_perms_data
{
117 struct extended_perms_decision
{
120 struct extended_perms_data
*allowed
;
121 struct extended_perms_data
*auditallow
;
122 struct extended_perms_data
*dontaudit
;
125 struct extended_perms
{
126 u16 len
; /* length associated decision chain */
127 struct extended_perms_data drivers
; /* flag drivers that are used */
130 /* definitions of av_decision.flags */
131 #define AVD_FLAGS_PERMISSIVE 0x0001
133 void security_compute_av(u32 ssid
, u32 tsid
,
134 u16 tclass
, struct av_decision
*avd
,
135 struct extended_perms
*xperms
);
137 void security_compute_xperms_decision(u32 ssid
, u32 tsid
, u16 tclass
,
138 u8 driver
, struct extended_perms_decision
*xpermd
);
140 void security_compute_av_user(u32 ssid
, u32 tsid
,
141 u16 tclass
, struct av_decision
*avd
);
143 int security_transition_sid(u32 ssid
, u32 tsid
, u16 tclass
,
144 const struct qstr
*qstr
, u32
*out_sid
);
146 int security_transition_sid_user(u32 ssid
, u32 tsid
, u16 tclass
,
147 const char *objname
, u32
*out_sid
);
149 int security_member_sid(u32 ssid
, u32 tsid
,
150 u16 tclass
, u32
*out_sid
);
152 int security_change_sid(u32 ssid
, u32 tsid
,
153 u16 tclass
, u32
*out_sid
);
155 int security_sid_to_context(u32 sid
, char **scontext
,
158 int security_sid_to_context_force(u32 sid
, char **scontext
, u32
*scontext_len
);
160 int security_context_to_sid(const char *scontext
, u32 scontext_len
,
163 int security_context_to_sid_default(const char *scontext
, u32 scontext_len
,
164 u32
*out_sid
, u32 def_sid
, gfp_t gfp_flags
);
166 int security_context_to_sid_force(const char *scontext
, u32 scontext_len
,
169 int security_get_user_sids(u32 callsid
, char *username
,
170 u32
**sids
, u32
*nel
);
172 int security_port_sid(u8 protocol
, u16 port
, u32
*out_sid
);
174 int security_netif_sid(char *name
, u32
*if_sid
);
176 int security_node_sid(u16 domain
, void *addr
, u32 addrlen
,
179 int security_validate_transition(u32 oldsid
, u32 newsid
, u32 tasksid
,
182 int security_bounded_transition(u32 oldsid
, u32 newsid
);
184 int security_sid_mls_copy(u32 sid
, u32 mls_sid
, u32
*new_sid
);
186 int security_net_peersid_resolve(u32 nlbl_sid
, u32 nlbl_type
,
190 int security_get_classes(char ***classes
, int *nclasses
);
191 int security_get_permissions(char *class, char ***perms
, int *nperms
);
192 int security_get_reject_unknown(void);
193 int security_get_allow_unknown(void);
195 #define SECURITY_FS_USE_XATTR 1 /* use xattr */
196 #define SECURITY_FS_USE_TRANS 2 /* use transition SIDs, e.g. devpts/tmpfs */
197 #define SECURITY_FS_USE_TASK 3 /* use task SIDs, e.g. pipefs/sockfs */
198 #define SECURITY_FS_USE_GENFS 4 /* use the genfs support */
199 #define SECURITY_FS_USE_NONE 5 /* no labeling support */
200 #define SECURITY_FS_USE_MNTPOINT 6 /* use mountpoint labeling */
202 int security_fs_use(const char *fstype
, unsigned int *behavior
,
205 int security_genfs_sid(const char *fstype
, char *name
, u16 sclass
,
208 #ifdef CONFIG_NETLABEL
209 int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr
*secattr
,
212 int security_netlbl_sid_to_secattr(u32 sid
,
213 struct netlbl_lsm_secattr
*secattr
);
215 static inline int security_netlbl_secattr_to_sid(
216 struct netlbl_lsm_secattr
*secattr
,
222 static inline int security_netlbl_sid_to_secattr(u32 sid
,
223 struct netlbl_lsm_secattr
*secattr
)
227 #endif /* CONFIG_NETLABEL */
229 const char *security_get_initial_sid_context(u32 sid
);
232 * status notifier using mmap interface
234 extern struct page
*selinux_kernel_status_page(void);
236 #define SELINUX_KERNEL_STATUS_VERSION 1
237 struct selinux_kernel_status
{
238 u32 version
; /* version number of thie structure */
239 u32 sequence
; /* sequence number of seqlock logic */
240 u32 enforcing
; /* current setting of enforcing mode */
241 u32 policyload
; /* times of policy reloaded */
242 u32 deny_unknown
; /* current setting of deny_unknown */
244 * The version > 0 supports above members.
246 } __attribute__((packed
));
248 extern void selinux_status_update_setenforce(int enforcing
);
249 extern void selinux_status_update_policyload(int seqno
);
250 extern void selinux_complete_init(void);
251 extern int selinux_disable(void);
252 extern void exit_sel_fs(void);
253 extern struct path selinux_null
;
254 extern struct vfsmount
*selinuxfs_mount
;
255 extern void selnl_notify_setenforce(int val
);
256 extern void selnl_notify_policyload(u32 seqno
);
257 extern int selinux_nlmsg_lookup(u16 sclass
, u16 nlmsg_type
, u32
*perm
);
259 #endif /* _SELINUX_SECURITY_H_ */