1 /*
2  * Security server interface.
3  *
4  * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
5  *
6  */
7 
8 #ifndef _SELINUX_SECURITY_H_
9 #define _SELINUX_SECURITY_H_
10 
11 #include <linux/compiler.h>
12 #include <linux/dcache.h>
13 #include <linux/magic.h>
14 #include <linux/types.h>
15 #include "flask.h"
16 
17 #define SECSID_NULL			0x00000000 /* unspecified SID */
18 #define SECSID_WILD			0xffffffff /* wildcard SID */
19 #define SECCLASS_NULL			0x0000 /* no class */
20 
21 /* Identify specific policy version changes */
22 #define POLICYDB_VERSION_BASE		15
23 #define POLICYDB_VERSION_BOOL		16
24 #define POLICYDB_VERSION_IPV6		17
25 #define POLICYDB_VERSION_NLCLASS	18
26 #define POLICYDB_VERSION_VALIDATETRANS	19
27 #define POLICYDB_VERSION_MLS		19
28 #define POLICYDB_VERSION_AVTAB		20
29 #define POLICYDB_VERSION_RANGETRANS	21
30 #define POLICYDB_VERSION_POLCAP		22
31 #define POLICYDB_VERSION_PERMISSIVE	23
32 #define POLICYDB_VERSION_BOUNDARY	24
33 #define POLICYDB_VERSION_FILENAME_TRANS	25
34 #define POLICYDB_VERSION_ROLETRANS	26
35 #define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS	27
36 #define POLICYDB_VERSION_DEFAULT_TYPE	28
37 #define POLICYDB_VERSION_CONSTRAINT_NAMES	29
38 #define POLICYDB_VERSION_XPERMS_IOCTL	30
39 
40 /* Range of policy versions we understand*/
41 #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
42 #define POLICYDB_VERSION_MAX	POLICYDB_VERSION_XPERMS_IOCTL
43 
44 /* Mask for just the mount related flags */
45 #define SE_MNTMASK	0x0f
46 /* Super block security struct flags for mount options */
47 /* BE CAREFUL, these need to be the low order bits for selinux_get_mnt_opts */
48 #define CONTEXT_MNT	0x01
49 #define FSCONTEXT_MNT	0x02
50 #define ROOTCONTEXT_MNT	0x04
51 #define DEFCONTEXT_MNT	0x08
52 #define SBLABEL_MNT	0x10
53 /* Non-mount related flags */
54 #define SE_SBINITIALIZED	0x0100
55 #define SE_SBPROC		0x0200
56 #define SE_SBGENFS		0x0400
57 
58 #define CONTEXT_STR	"context="
59 #define FSCONTEXT_STR	"fscontext="
60 #define ROOTCONTEXT_STR	"rootcontext="
61 #define DEFCONTEXT_STR	"defcontext="
62 #define LABELSUPP_STR "seclabel"
63 
64 struct netlbl_lsm_secattr;
65 
66 extern int selinux_enabled;
67 
68 /* Policy capabilities */
69 enum {
70 	POLICYDB_CAPABILITY_NETPEER,
71 	POLICYDB_CAPABILITY_OPENPERM,
72 	POLICYDB_CAPABILITY_EXTSOCKCLASS,
73 	POLICYDB_CAPABILITY_ALWAYSNETWORK,
74 	POLICYDB_CAPABILITY_CGROUPSECLABEL,
75 	__POLICYDB_CAPABILITY_MAX
76 };
77 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
78 
79 extern int selinux_policycap_netpeer;
80 extern int selinux_policycap_openperm;
81 extern int selinux_policycap_extsockclass;
82 extern int selinux_policycap_alwaysnetwork;
83 extern int selinux_policycap_cgroupseclabel;
84 
85 /*
86  * type_datum properties
87  * available at the kernel policy version >= POLICYDB_VERSION_BOUNDARY
88  */
89 #define TYPEDATUM_PROPERTY_PRIMARY	0x0001
90 #define TYPEDATUM_PROPERTY_ATTRIBUTE	0x0002
91 
92 /* limitation of boundary depth  */
93 #define POLICYDB_BOUNDS_MAXDEPTH	4
94 
95 int security_mls_enabled(void);
96 
97 int security_load_policy(void *data, size_t len);
98 int security_read_policy(void **data, size_t *len);
99 size_t security_policydb_len(void);
100 
101 int security_policycap_supported(unsigned int req_cap);
102 
103 #define SEL_VEC_MAX 32
104 struct av_decision {
105 	u32 allowed;
106 	u32 auditallow;
107 	u32 auditdeny;
108 	u32 seqno;
109 	u32 flags;
110 };
111 
112 #define XPERMS_ALLOWED 1
113 #define XPERMS_AUDITALLOW 2
114 #define XPERMS_DONTAUDIT 4
115 
116 #define security_xperm_set(perms, x) (perms[x >> 5] |= 1 << (x & 0x1f))
117 #define security_xperm_test(perms, x) (1 & (perms[x >> 5] >> (x & 0x1f)))
118 struct extended_perms_data {
119 	u32 p[8];
120 };
121 
122 struct extended_perms_decision {
123 	u8 used;
124 	u8 driver;
125 	struct extended_perms_data *allowed;
126 	struct extended_perms_data *auditallow;
127 	struct extended_perms_data *dontaudit;
128 };
129 
130 struct extended_perms {
131 	u16 len;	/* length associated decision chain */
132 	struct extended_perms_data drivers; /* flag drivers that are used */
133 };
134 
135 /* definitions of av_decision.flags */
136 #define AVD_FLAGS_PERMISSIVE	0x0001
137 
138 void security_compute_av(u32 ssid, u32 tsid,
139 			 u16 tclass, struct av_decision *avd,
140 			 struct extended_perms *xperms);
141 
142 void security_compute_xperms_decision(u32 ssid, u32 tsid, u16 tclass,
143 			 u8 driver, struct extended_perms_decision *xpermd);
144 
145 void security_compute_av_user(u32 ssid, u32 tsid,
146 			     u16 tclass, struct av_decision *avd);
147 
148 int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,
149 			    const struct qstr *qstr, u32 *out_sid);
150 
151 int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass,
152 				 const char *objname, u32 *out_sid);
153 
154 int security_member_sid(u32 ssid, u32 tsid,
155 	u16 tclass, u32 *out_sid);
156 
157 int security_change_sid(u32 ssid, u32 tsid,
158 	u16 tclass, u32 *out_sid);
159 
160 int security_sid_to_context(u32 sid, char **scontext,
161 	u32 *scontext_len);
162 
163 int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len);
164 
165 int security_context_to_sid(const char *scontext, u32 scontext_len,
166 			    u32 *out_sid, gfp_t gfp);
167 
168 int security_context_str_to_sid(const char *scontext, u32 *out_sid, gfp_t gfp);
169 
170 int security_context_to_sid_default(const char *scontext, u32 scontext_len,
171 				    u32 *out_sid, u32 def_sid, gfp_t gfp_flags);
172 
173 int security_context_to_sid_force(const char *scontext, u32 scontext_len,
174 				  u32 *sid);
175 
176 int security_get_user_sids(u32 callsid, char *username,
177 			   u32 **sids, u32 *nel);
178 
179 int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
180 
181 int security_netif_sid(char *name, u32 *if_sid);
182 
183 int security_node_sid(u16 domain, void *addr, u32 addrlen,
184 	u32 *out_sid);
185 
186 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
187 				 u16 tclass);
188 
189 int security_validate_transition_user(u32 oldsid, u32 newsid, u32 tasksid,
190 				      u16 tclass);
191 
192 int security_bounded_transition(u32 oldsid, u32 newsid);
193 
194 int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid);
195 
196 int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
197 				 u32 xfrm_sid,
198 				 u32 *peer_sid);
199 
200 int security_get_classes(char ***classes, int *nclasses);
201 int security_get_permissions(char *class, char ***perms, int *nperms);
202 int security_get_reject_unknown(void);
203 int security_get_allow_unknown(void);
204 
205 #define SECURITY_FS_USE_XATTR		1 /* use xattr */
206 #define SECURITY_FS_USE_TRANS		2 /* use transition SIDs, e.g. devpts/tmpfs */
207 #define SECURITY_FS_USE_TASK		3 /* use task SIDs, e.g. pipefs/sockfs */
208 #define SECURITY_FS_USE_GENFS		4 /* use the genfs support */
209 #define SECURITY_FS_USE_NONE		5 /* no labeling support */
210 #define SECURITY_FS_USE_MNTPOINT	6 /* use mountpoint labeling */
211 #define SECURITY_FS_USE_NATIVE		7 /* use native label support */
212 #define SECURITY_FS_USE_MAX		7 /* Highest SECURITY_FS_USE_XXX */
213 
214 int security_fs_use(struct super_block *sb);
215 
216 int security_genfs_sid(const char *fstype, char *name, u16 sclass,
217 	u32 *sid);
218 
219 #ifdef CONFIG_NETLABEL
220 int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
221 				   u32 *sid);
222 
223 int security_netlbl_sid_to_secattr(u32 sid,
224 				   struct netlbl_lsm_secattr *secattr);
225 #else
226 static inline int security_netlbl_secattr_to_sid(
227 					    struct netlbl_lsm_secattr *secattr,
228 					    u32 *sid)
229 {
230 	return -EIDRM;
231 }
232 
233 static inline int security_netlbl_sid_to_secattr(u32 sid,
234 					   struct netlbl_lsm_secattr *secattr)
235 {
236 	return -ENOENT;
237 }
238 #endif /* CONFIG_NETLABEL */
239 
240 const char *security_get_initial_sid_context(u32 sid);
241 
242 /*
243  * status notifier using mmap interface
244  */
245 extern struct page *selinux_kernel_status_page(void);
246 
247 #define SELINUX_KERNEL_STATUS_VERSION	1
248 struct selinux_kernel_status {
249 	u32	version;	/* version number of thie structure */
250 	u32	sequence;	/* sequence number of seqlock logic */
251 	u32	enforcing;	/* current setting of enforcing mode */
252 	u32	policyload;	/* times of policy reloaded */
253 	u32	deny_unknown;	/* current setting of deny_unknown */
254 	/*
255 	 * The version > 0 supports above members.
256 	 */
257 } __packed;
258 
259 extern void selinux_status_update_setenforce(int enforcing);
260 extern void selinux_status_update_policyload(int seqno);
261 extern void selinux_complete_init(void);
262 extern int selinux_disable(void);
263 extern void exit_sel_fs(void);
264 extern struct path selinux_null;
265 extern struct vfsmount *selinuxfs_mount;
266 extern void selnl_notify_setenforce(int val);
267 extern void selnl_notify_policyload(u32 seqno);
268 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
269 
270 #endif /* _SELINUX_SECURITY_H_ */
271 
272