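/*
 * Access vector cache interface for object managers.
 *
 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
 */
#ifndef _SELINUX_AVC_H_
#define _SELINUX_AVC_H_

#include <linux/stddef.h>
#include <linux/errno.h>
#include <linux/kernel.h>
#include <linux/kdev_t.h>
#include <linux/spinlock.h>
#include <linux/init.h>
#include <linux/in6.h>
#include <asm/system.h>
#include "flask.h"
#include "av_permissions.h"
#include "security.h"

/*
 * Enforcing/permissive switch.
 *
 * With CONFIG_SECURITY_SELINUX_DEVELOP the value is a run-time variable
 * defined elsewhere (so the policy can be run permissively).  Without it the
 * symbol is hard-wired to 1: there is no permissive mode at all and any
 * "if (selinux_enforcing)" test compiles down to a constant.
 */
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
extern int selinux_enforcing;
#else
#define selinux_enforcing 1
#endif

/*
 * An entry in the AVC.  Opaque to object managers -- only the AVC
 * implementation sees its layout.
 */
struct avc_entry;

/* Forward declarations: this header only ever needs pointers to these. */
struct task_struct;
struct vfsmount;
struct dentry;
struct inode;
struct sock;
struct sk_buff;

/*
 * Auxiliary data to use in generating the audit record.
 *
 * 'type' is one of the AVC_AUDIT_DATA_* values below and selects which
 * member of the union 'u' carries meaningful data; by naming, FS -> u.fs,
 * NET -> u.net, CAP -> u.cap, IPC -> u.ipc_id.  Callers are expected to
 * initialize the structure with AVC_AUDIT_DATA_INIT() (which zeroes it)
 * before filling in the member for their type, so unused pointers are NULL.
 */
struct avc_audit_data {
	char type;
#define AVC_AUDIT_DATA_FS 1
#define AVC_AUDIT_DATA_NET 2
#define AVC_AUDIT_DATA_CAP 3
#define AVC_AUDIT_DATA_IPC 4
	struct task_struct *tsk;	/* task the record is about, if any */
	union {
		struct {
			struct vfsmount *mnt;
			struct dentry *dentry;
			struct inode *inode;
		} fs;
		struct {
			char *netif;	/* interface name */
			struct sock *sk;
			u16 family;	/* address family; chooses fam.v4/fam.v6 */
			__be16 dport;	/* ports/addresses kept in network byte order */
			__be16 sport;
			union {
				struct {
					__be32 daddr;
					__be32 saddr;
				} v4;
				struct {
					struct in6_addr daddr;
					struct in6_addr saddr;
				} v6;
			} fam;
		} net;
		int cap;	/* capability number */
		int ipc_id;	/* SysV IPC object identifier */
	} u;
};

/*
 * Shorthand for the per-family address members, so callers can write
 * ad.u.net.v4info.daddr instead of ad.u.net.fam.v4.daddr.
 */
#define v4info fam.v4
#define v6info fam.v6

/*
 * Initialize an AVC audit data structure.
 *
 * _d: pointer to the struct avc_audit_data to initialize.
 * _t: bare suffix of the AVC_AUDIT_DATA_* type (FS, NET, CAP or IPC).
 *     It is token-pasted, so pass FS, not AVC_AUDIT_DATA_FS.
 *
 * The whole structure is zeroed before the type is set, so every union
 * member starts out as NULL/0 and nothing uninitialized can reach the audit
 * code.  Wrapped in do { } while (0) so the macro is a single statement and
 * is safe as the body of an unbraced if/else.
 */
#define AVC_AUDIT_DATA_INIT(_d, _t) \
	do { \
		memset((_d), 0, sizeof(struct avc_audit_data)); \
		(_d)->type = AVC_AUDIT_DATA_##_t; \
	} while (0)

/*
 * AVC statistics
 *
 * Counters kept per CPU (see the DECLARE_PER_CPU below) when
 * CONFIG_SECURITY_SELINUX_AVC_STATS is enabled.
 */
struct avc_cache_stats
{
	unsigned int lookups;
	unsigned int hits;
	unsigned int misses;
	unsigned int allocations;
	unsigned int reclaims;
	unsigned int frees;
};

/*
 * AVC operations
 */

/* One-time initialization of the cache; boot-time only (__init). */
void __init avc_init(void);

/*
 * Emit the audit record for a completed permission check.
 *
 * ssid/tsid: source and target security identifiers.
 * tclass:    object class the check was made against.
 * requested: permission bits that were asked for.
 * avd:       the decision the check produced (allowed/audit masks).
 * result:    the return value of the check being audited.
 * auditdata: extra context for the record (may be NULL -- see the
 *            implementation; the header does not say).
 */
void avc_audit(u32 ssid, u32 tsid,
	       u16 tclass, u32 requested,
	       struct av_decision *avd, int result, struct avc_audit_data *auditdata);

/*
 * Check 'requested' permissions from ssid to tsid for tclass WITHOUT
 * generating an audit record; the decision is returned through *avd.
 *
 * NOTE(review): by its name and signature the caller is responsible for
 * passing avd and the result on to avc_audit(), otherwise a denial is never
 * logged.  Return convention (presumably 0 on grant, negative errno on
 * denial) is not visible from this header -- confirm against avc.c.
 */
int avc_has_perm_noaudit(u32 ssid, u32 tsid,
			 u16 tclass, u32 requested,
			 struct av_decision *avd);

/*
 * Check 'requested' permissions from ssid to tsid for tclass and audit the
 * result, using 'auditdata' for the record's context.  This is the variant
 * ordinary hooks should use; same return convention as the noaudit form.
 */
int avc_has_perm(u32 ssid, u32 tsid,
		 u16 tclass, u32 requested,
		 struct avc_audit_data *auditdata);

/*
 * Event bits for avc_add_callback().  These are a bitmask, so a callback may
 * subscribe to several at once.
 */
#define AVC_CALLBACK_GRANT 1
#define AVC_CALLBACK_TRY_REVOKE 2
#define AVC_CALLBACK_REVOKE 4
#define AVC_CALLBACK_RESET 8
#define AVC_CALLBACK_AUDITALLOW_ENABLE 16
#define AVC_CALLBACK_AUDITALLOW_DISABLE 32
#define AVC_CALLBACK_AUDITDENY_ENABLE 64
#define AVC_CALLBACK_AUDITDENY_DISABLE 128

/*
 * Register 'callback' to be invoked for the AVC_CALLBACK_* events in
 * 'events'.  The remaining arguments (ssid, tsid, tclass, perms) describe the
 * checks the registration applies to; the callback receives the event, the
 * matching identifiers and may report permissions it kept via *out_retained.
 * How the filter arguments are matched is up to the implementation.
 */
int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
				     u16 tclass, u32 perms,
				     u32 *out_retained),
		     u32 events, u32 ssid, u32 tsid,
		     u16 tclass, u32 perms);

/* Exported to selinuxfs */

/*
 * Format hash-table statistics into 'page'.  No length argument is taken,
 * so the caller presumably supplies a full page-sized buffer -- verify in
 * the implementation before passing anything smaller.
 */
int avc_get_hash_stats(char *page);

/* Tunable cache-size threshold, writable through selinuxfs. */
extern unsigned int avc_cache_threshold;

#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
#endif

#endif /* _SELINUX_AVC_H_ */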