xref: /openbmc/linux/security/selinux/include/avc.h (revision 60772e48)
1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3  * Access vector cache interface for object managers.
4  *
5  * Author : Stephen Smalley, <sds@tycho.nsa.gov>
6  */
7 #ifndef _SELINUX_AVC_H_
8 #define _SELINUX_AVC_H_
9 
10 #include <linux/stddef.h>
11 #include <linux/errno.h>
12 #include <linux/kernel.h>
13 #include <linux/kdev_t.h>
14 #include <linux/spinlock.h>
15 #include <linux/init.h>
16 #include <linux/audit.h>
17 #include <linux/lsm_audit.h>
18 #include <linux/in6.h>
19 #include "flask.h"
20 #include "av_permissions.h"
21 #include "security.h"
22 
23 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
24 extern int selinux_enforcing;
25 #else
26 #define selinux_enforcing 1
27 #endif
28 
29 /*
30  * An entry in the AVC.
31  */
32 struct avc_entry;
33 
34 struct task_struct;
35 struct inode;
36 struct sock;
37 struct sk_buff;
38 
39 /*
40  * AVC statistics
41  */
42 struct avc_cache_stats {
43 	unsigned int lookups;
44 	unsigned int misses;
45 	unsigned int allocations;
46 	unsigned int reclaims;
47 	unsigned int frees;
48 };
49 
50 /*
51  * We only need this data after we have decided to send an audit message.
52  */
53 struct selinux_audit_data {
54 	u32 ssid;
55 	u32 tsid;
56 	u16 tclass;
57 	u32 requested;
58 	u32 audited;
59 	u32 denied;
60 	int result;
61 };
62 
63 /*
64  * AVC operations
65  */
66 
67 void __init avc_init(void);
68 
69 static inline u32 avc_audit_required(u32 requested,
70 			      struct av_decision *avd,
71 			      int result,
72 			      u32 auditdeny,
73 			      u32 *deniedp)
74 {
75 	u32 denied, audited;
76 	denied = requested & ~avd->allowed;
77 	if (unlikely(denied)) {
78 		audited = denied & avd->auditdeny;
79 		/*
80 		 * auditdeny is TRICKY!  Setting a bit in
81 		 * this field means that ANY denials should NOT be audited if
82 		 * the policy contains an explicit dontaudit rule for that
83 		 * permission.  Take notice that this is unrelated to the
84 		 * actual permissions that were denied.  As an example lets
85 		 * assume:
86 		 *
87 		 * denied == READ
88 		 * avd.auditdeny & ACCESS == 0 (not set means explicit rule)
89 		 * auditdeny & ACCESS == 1
90 		 *
91 		 * We will NOT audit the denial even though the denied
92 		 * permission was READ and the auditdeny checks were for
93 		 * ACCESS
94 		 */
95 		if (auditdeny && !(auditdeny & avd->auditdeny))
96 			audited = 0;
97 	} else if (result)
98 		audited = denied = requested;
99 	else
100 		audited = requested & avd->auditallow;
101 	*deniedp = denied;
102 	return audited;
103 }
104 
105 int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
106 		   u32 requested, u32 audited, u32 denied, int result,
107 		   struct common_audit_data *a,
108 		   unsigned flags);
109 
110 /**
111  * avc_audit - Audit the granting or denial of permissions.
112  * @ssid: source security identifier
113  * @tsid: target security identifier
114  * @tclass: target security class
115  * @requested: requested permissions
116  * @avd: access vector decisions
117  * @result: result from avc_has_perm_noaudit
118  * @a:  auxiliary audit data
119  * @flags: VFS walk flags
120  *
121  * Audit the granting or denial of permissions in accordance
122  * with the policy.  This function is typically called by
123  * avc_has_perm() after a permission check, but can also be
124  * called directly by callers who use avc_has_perm_noaudit()
125  * in order to separate the permission check from the auditing.
126  * For example, this separation is useful when the permission check must
127  * be performed under a lock, to allow the lock to be released
128  * before calling the auditing code.
129  */
130 static inline int avc_audit(u32 ssid, u32 tsid,
131 			    u16 tclass, u32 requested,
132 			    struct av_decision *avd,
133 			    int result,
134 			    struct common_audit_data *a,
135 			    int flags)
136 {
137 	u32 audited, denied;
138 	audited = avc_audit_required(requested, avd, result, 0, &denied);
139 	if (likely(!audited))
140 		return 0;
141 	return slow_avc_audit(ssid, tsid, tclass,
142 			      requested, audited, denied, result,
143 			      a, flags);
144 }
145 
146 #define AVC_STRICT 1 /* Ignore permissive mode. */
147 #define AVC_EXTENDED_PERMS 2	/* update extended permissions */
148 int avc_has_perm_noaudit(u32 ssid, u32 tsid,
149 			 u16 tclass, u32 requested,
150 			 unsigned flags,
151 			 struct av_decision *avd);
152 
153 int avc_has_perm(u32 ssid, u32 tsid,
154 		 u16 tclass, u32 requested,
155 		 struct common_audit_data *auditdata);
156 int avc_has_perm_flags(u32 ssid, u32 tsid,
157 		       u16 tclass, u32 requested,
158 		       struct common_audit_data *auditdata,
159 		       int flags);
160 
161 int avc_has_extended_perms(u32 ssid, u32 tsid, u16 tclass, u32 requested,
162 		u8 driver, u8 perm, struct common_audit_data *ad);
163 
164 
165 u32 avc_policy_seqno(void);
166 
167 #define AVC_CALLBACK_GRANT		1
168 #define AVC_CALLBACK_TRY_REVOKE		2
169 #define AVC_CALLBACK_REVOKE		4
170 #define AVC_CALLBACK_RESET		8
171 #define AVC_CALLBACK_AUDITALLOW_ENABLE	16
172 #define AVC_CALLBACK_AUDITALLOW_DISABLE	32
173 #define AVC_CALLBACK_AUDITDENY_ENABLE	64
174 #define AVC_CALLBACK_AUDITDENY_DISABLE	128
175 #define AVC_CALLBACK_ADD_XPERMS		256
176 
177 int avc_add_callback(int (*callback)(u32 event), u32 events);
178 
179 /* Exported to selinuxfs */
180 int avc_get_hash_stats(char *page);
181 extern unsigned int avc_cache_threshold;
182 
183 /* Attempt to free avc node cache */
184 void avc_disable(void);
185 
186 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
187 DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
188 #endif
189 
190 #endif /* _SELINUX_AVC_H_ */
191 
192