avc.h (aa8e712cee93d520e96a2ca8e3a20f807c937e3f) | avc.h (6b6bc6205d98796361962ee282a063f18ba8dc57) |
---|---|
1/* SPDX-License-Identifier: GPL-2.0 */ 2/* 3 * Access vector cache interface for object managers. 4 * 5 * Author : Stephen Smalley, <sds@tycho.nsa.gov> 6 */ 7#ifndef _SELINUX_AVC_H_ 8#define _SELINUX_AVC_H_ --- 38 unchanged lines hidden (view full) --- 47struct selinux_audit_data { 48 u32 ssid; 49 u32 tsid; 50 u16 tclass; 51 u32 requested; 52 u32 audited; 53 u32 denied; 54 int result; | 1/* SPDX-License-Identifier: GPL-2.0 */ 2/* 3 * Access vector cache interface for object managers. 4 * 5 * Author : Stephen Smalley, <sds@tycho.nsa.gov> 6 */ 7#ifndef _SELINUX_AVC_H_ 8#define _SELINUX_AVC_H_ --- 38 unchanged lines hidden (view full) --- 47struct selinux_audit_data { 48 u32 ssid; 49 u32 tsid; 50 u16 tclass; 51 u32 requested; 52 u32 audited; 53 u32 denied; 54 int result; |
55 struct selinux_state *state; |
|
55}; 56 57/* 58 * AVC operations 59 */ 60 61void __init avc_init(void); 62 --- 28 unchanged lines hidden (view full) --- 91 } else if (result) 92 audited = denied = requested; 93 else 94 audited = requested & avd->auditallow; 95 *deniedp = denied; 96 return audited; 97} 98 | 56}; 57 58/* 59 * AVC operations 60 */ 61 62void __init avc_init(void); 63 --- 28 unchanged lines hidden (view full) --- 92 } else if (result) 93 audited = denied = requested; 94 else 95 audited = requested & avd->auditallow; 96 *deniedp = denied; 97 return audited; 98} 99 |
99int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, | 100int slow_avc_audit(struct selinux_state *state, 101 u32 ssid, u32 tsid, u16 tclass, |
100 u32 requested, u32 audited, u32 denied, int result, 101 struct common_audit_data *a, 102 unsigned flags); 103 104/** 105 * avc_audit - Audit the granting or denial of permissions. 106 * @ssid: source security identifier 107 * @tsid: target security identifier --- 8 unchanged lines hidden (view full) --- 116 * with the policy. This function is typically called by 117 * avc_has_perm() after a permission check, but can also be 118 * called directly by callers who use avc_has_perm_noaudit() 119 * in order to separate the permission check from the auditing. 120 * For example, this separation is useful when the permission check must 121 * be performed under a lock, to allow the lock to be released 122 * before calling the auditing code. 123 */ | 102 u32 requested, u32 audited, u32 denied, int result, 103 struct common_audit_data *a, 104 unsigned flags); 105 106/** 107 * avc_audit - Audit the granting or denial of permissions. 108 * @ssid: source security identifier 109 * @tsid: target security identifier --- 8 unchanged lines hidden (view full) --- 118 * with the policy. This function is typically called by 119 * avc_has_perm() after a permission check, but can also be 120 * called directly by callers who use avc_has_perm_noaudit() 121 * in order to separate the permission check from the auditing. 122 * For example, this separation is useful when the permission check must 123 * be performed under a lock, to allow the lock to be released 124 * before calling the auditing code. 125 */ |
124static inline int avc_audit(u32 ssid, u32 tsid, | 126static inline int avc_audit(struct selinux_state *state, 127 u32 ssid, u32 tsid, |
125 u16 tclass, u32 requested, 126 struct av_decision *avd, 127 int result, 128 struct common_audit_data *a, 129 int flags) 130{ 131 u32 audited, denied; 132 audited = avc_audit_required(requested, avd, result, 0, &denied); 133 if (likely(!audited)) 134 return 0; | 128 u16 tclass, u32 requested, 129 struct av_decision *avd, 130 int result, 131 struct common_audit_data *a, 132 int flags) 133{ 134 u32 audited, denied; 135 audited = avc_audit_required(requested, avd, result, 0, &denied); 136 if (likely(!audited)) 137 return 0; |
135 return slow_avc_audit(ssid, tsid, tclass, | 138 return slow_avc_audit(state, ssid, tsid, tclass, |
136 requested, audited, denied, result, 137 a, flags); 138} 139 140#define AVC_STRICT 1 /* Ignore permissive mode. */ 141#define AVC_EXTENDED_PERMS 2 /* update extended permissions */ | 139 requested, audited, denied, result, 140 a, flags); 141} 142 143#define AVC_STRICT 1 /* Ignore permissive mode. */ 144#define AVC_EXTENDED_PERMS 2 /* update extended permissions */ |
142int avc_has_perm_noaudit(u32 ssid, u32 tsid, | 145int avc_has_perm_noaudit(struct selinux_state *state, 146 u32 ssid, u32 tsid, |
143 u16 tclass, u32 requested, 144 unsigned flags, 145 struct av_decision *avd); 146 | 147 u16 tclass, u32 requested, 148 unsigned flags, 149 struct av_decision *avd); 150 |
147int avc_has_perm(u32 ssid, u32 tsid, | 151int avc_has_perm(struct selinux_state *state, 152 u32 ssid, u32 tsid, |
148 u16 tclass, u32 requested, 149 struct common_audit_data *auditdata); | 153 u16 tclass, u32 requested, 154 struct common_audit_data *auditdata); |
150int avc_has_perm_flags(u32 ssid, u32 tsid, | 155int avc_has_perm_flags(struct selinux_state *state, 156 u32 ssid, u32 tsid, |
151 u16 tclass, u32 requested, 152 struct common_audit_data *auditdata, 153 int flags); 154 | 157 u16 tclass, u32 requested, 158 struct common_audit_data *auditdata, 159 int flags); 160 |
155int avc_has_extended_perms(u32 ssid, u32 tsid, u16 tclass, u32 requested, 156 u8 driver, u8 perm, struct common_audit_data *ad); | 161int avc_has_extended_perms(struct selinux_state *state, 162 u32 ssid, u32 tsid, u16 tclass, u32 requested, 163 u8 driver, u8 perm, struct common_audit_data *ad); |
157 158 | 164 165 |
159u32 avc_policy_seqno(void); | 166u32 avc_policy_seqno(struct selinux_state *state); |
160 161#define AVC_CALLBACK_GRANT 1 162#define AVC_CALLBACK_TRY_REVOKE 2 163#define AVC_CALLBACK_REVOKE 4 164#define AVC_CALLBACK_RESET 8 165#define AVC_CALLBACK_AUDITALLOW_ENABLE 16 166#define AVC_CALLBACK_AUDITALLOW_DISABLE 32 167#define AVC_CALLBACK_AUDITDENY_ENABLE 64 168#define AVC_CALLBACK_AUDITDENY_DISABLE 128 169#define AVC_CALLBACK_ADD_XPERMS 256 170 171int avc_add_callback(int (*callback)(u32 event), u32 events); 172 173/* Exported to selinuxfs */ | 167 168#define AVC_CALLBACK_GRANT 1 169#define AVC_CALLBACK_TRY_REVOKE 2 170#define AVC_CALLBACK_REVOKE 4 171#define AVC_CALLBACK_RESET 8 172#define AVC_CALLBACK_AUDITALLOW_ENABLE 16 173#define AVC_CALLBACK_AUDITALLOW_DISABLE 32 174#define AVC_CALLBACK_AUDITDENY_ENABLE 64 175#define AVC_CALLBACK_AUDITDENY_DISABLE 128 176#define AVC_CALLBACK_ADD_XPERMS 256 177 178int avc_add_callback(int (*callback)(u32 event), u32 events); 179 180/* Exported to selinuxfs */ |
174int avc_get_hash_stats(char *page); 175extern unsigned int avc_cache_threshold; | 181struct selinux_avc; 182int avc_get_hash_stats(struct selinux_avc *avc, char *page); 183unsigned int avc_get_cache_threshold(struct selinux_avc *avc); 184void avc_set_cache_threshold(struct selinux_avc *avc, 185 unsigned int cache_threshold); |
176 177/* Attempt to free avc node cache */ 178void avc_disable(void); 179 180#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS 181DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats); 182#endif 183 184#endif /* _SELINUX_AVC_H_ */ 185 | 186 187/* Attempt to free avc node cache */ 188void avc_disable(void); 189 190#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS 191DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats); 192#endif 193 194#endif /* _SELINUX_AVC_H_ */ 195 |
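Review bot: The kernel-doc block for avc_audit (new lines 106–125) still opens its parameter list with `@ssid`, but the new prototype at line 126 takes `struct selinux_state *state` first, so the comment no longer matches the signature and the undescribed parameter is likely to be reported by the kernel-doc script. Adding ` * @state: SELinux state the permission check is evaluated against` above the `@ssid` line keeps the block complete; the same leading parameter is added to slow_avc_audit, avc_has_perm_noaudit, avc_has_perm, avc_has_perm_flags, avc_has_extended_perms and avc_policy_seqno, none of which carry documentation in this header, so a one-line comment on what the state argument selects would help callers that are being converted. Separately, `struct selinux_avc;` is forward-declared at line 181 before its first use, while `struct selinux_state` relies on the tag being introduced implicitly by the new member at line 55 (or by a header among the hidden includes, which this view does not show); an explicit `struct selinux_state;` alongside the other declarations near the top of the header would make the dependency visible and avoid a prototype-scope tag if that member is ever moved or removed. The body of avc_audit (lines 133–141) is otherwise unchanged apart from forwarding `state` to slow_avc_audit.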