xref: /openbmc/linux/security/selinux/ss/policydb.h (revision 4800cd83)
1 /*
2  * A policy database (policydb) specifies the
3  * configuration data for the security policy.
4  *
5  * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
6  */
7 
8 /*
9  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
10  *
11  *	Support for enhanced MLS infrastructure.
12  *
13  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
14  *
15  *	Added conditional policy language extensions
16  *
17  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
18  * Copyright (C) 2003 - 2004 Tresys Technology, LLC
19  *	This program is free software; you can redistribute it and/or modify
20  *	it under the terms of the GNU General Public License as published by
21  *	the Free Software Foundation, version 2.
22  */
23 
24 #ifndef _SS_POLICYDB_H_
25 #define _SS_POLICYDB_H_
26 
27 #include <linux/flex_array.h>
28 
29 #include "symtab.h"
30 #include "avtab.h"
31 #include "sidtab.h"
32 #include "ebitmap.h"
33 #include "mls_types.h"
34 #include "context.h"
35 #include "constraint.h"
36 
37 /*
38  * A datum type is defined for each kind of symbol
39  * in the configuration data:  individual permissions,
40  * common prefixes for access vectors, classes,
41  * users, roles, types, sensitivities, categories, etc.
42  */
43 
44 /* Permission attributes */
45 struct perm_datum {
46 	u32 value;		/* permission bit + 1 */
47 };
48 
49 /* Attributes of a common prefix for access vectors */
50 struct common_datum {
51 	u32 value;			/* internal common value */
52 	struct symtab permissions;	/* common permissions */
53 };
54 
55 /* Class attributes */
56 struct class_datum {
57 	u32 value;			/* class value */
58 	char *comkey;			/* common name */
59 	struct common_datum *comdatum;	/* common datum */
60 	struct symtab permissions;	/* class-specific permission symbol table */
61 	struct constraint_node *constraints;	/* constraints on class permissions */
62 	struct constraint_node *validatetrans;	/* special transition rules */
63 };
64 
65 /* Role attributes */
66 struct role_datum {
67 	u32 value;			/* internal role value */
68 	u32 bounds;			/* boundary of role */
69 	struct ebitmap dominates;	/* set of roles dominated by this role */
70 	struct ebitmap types;		/* set of authorized types for role */
71 };
72 
73 struct role_trans {
74 	u32 role;		/* current role */
75 	u32 type;		/* program executable type */
76 	u32 new_role;		/* new role */
77 	struct role_trans *next;
78 };
79 
80 struct role_allow {
81 	u32 role;		/* current role */
82 	u32 new_role;		/* new role */
83 	struct role_allow *next;
84 };
85 
86 /* Type attributes */
87 struct type_datum {
88 	u32 value;		/* internal type value */
89 	u32 bounds;		/* boundary of type */
90 	unsigned char primary;	/* primary name? */
91 	unsigned char attribute;/* attribute ?*/
92 };
93 
94 /* User attributes */
95 struct user_datum {
96 	u32 value;			/* internal user value */
97 	u32 bounds;			/* bounds of user */
98 	struct ebitmap roles;		/* set of authorized roles for user */
99 	struct mls_range range;		/* MLS range (min - max) for user */
100 	struct mls_level dfltlevel;	/* default login MLS level for user */
101 };
102 
103 
104 /* Sensitivity attributes */
105 struct level_datum {
106 	struct mls_level *level;	/* sensitivity and associated categories */
107 	unsigned char isalias;	/* is this sensitivity an alias for another? */
108 };
109 
110 /* Category attributes */
111 struct cat_datum {
112 	u32 value;		/* internal category bit + 1 */
113 	unsigned char isalias;  /* is this category an alias for another? */
114 };
115 
116 struct range_trans {
117 	u32 source_type;
118 	u32 target_type;
119 	u32 target_class;
120 };
121 
122 /* Boolean data type */
123 struct cond_bool_datum {
124 	__u32 value;		/* internal type value */
125 	int state;
126 };
127 
128 struct cond_node;
129 
130 /*
131  * The configuration data includes security contexts for
132  * initial SIDs, unlabeled file systems, TCP and UDP port numbers,
133  * network interfaces, and nodes.  This structure stores the
134  * relevant data for one such entry.  Entries of the same kind
135  * (e.g. all initial SIDs) are linked together into a list.
136  */
137 struct ocontext {
138 	union {
139 		char *name;	/* name of initial SID, fs, netif, fstype, path */
140 		struct {
141 			u8 protocol;
142 			u16 low_port;
143 			u16 high_port;
144 		} port;		/* TCP or UDP port information */
145 		struct {
146 			u32 addr;
147 			u32 mask;
148 		} node;		/* node information */
149 		struct {
150 			u32 addr[4];
151 			u32 mask[4];
152 		} node6;        /* IPv6 node information */
153 	} u;
154 	union {
155 		u32 sclass;  /* security class for genfs */
156 		u32 behavior;  /* labeling behavior for fs_use */
157 	} v;
158 	struct context context[2];	/* security context(s) */
159 	u32 sid[2];	/* SID(s) */
160 	struct ocontext *next;
161 };
162 
163 struct genfs {
164 	char *fstype;
165 	struct ocontext *head;
166 	struct genfs *next;
167 };
168 
169 /* symbol table array indices */
170 #define SYM_COMMONS 0
171 #define SYM_CLASSES 1
172 #define SYM_ROLES   2
173 #define SYM_TYPES   3
174 #define SYM_USERS   4
175 #define SYM_BOOLS   5
176 #define SYM_LEVELS  6
177 #define SYM_CATS    7
178 #define SYM_NUM     8
179 
180 /* object context array indices */
181 #define OCON_ISID  0	/* initial SIDs */
182 #define OCON_FS    1	/* unlabeled file systems */
183 #define OCON_PORT  2	/* TCP and UDP port numbers */
184 #define OCON_NETIF 3	/* network interfaces */
185 #define OCON_NODE  4	/* nodes */
186 #define OCON_FSUSE 5	/* fs_use */
187 #define OCON_NODE6 6	/* IPv6 nodes */
188 #define OCON_NUM   7
189 
190 /* The policy database */
191 struct policydb {
192 	int mls_enabled;
193 
194 	/* symbol tables */
195 	struct symtab symtab[SYM_NUM];
196 #define p_commons symtab[SYM_COMMONS]
197 #define p_classes symtab[SYM_CLASSES]
198 #define p_roles symtab[SYM_ROLES]
199 #define p_types symtab[SYM_TYPES]
200 #define p_users symtab[SYM_USERS]
201 #define p_bools symtab[SYM_BOOLS]
202 #define p_levels symtab[SYM_LEVELS]
203 #define p_cats symtab[SYM_CATS]
204 
205 	/* symbol names indexed by (value - 1) */
206 	struct flex_array *sym_val_to_name[SYM_NUM];
207 
208 	/* class, role, and user attributes indexed by (value - 1) */
209 	struct class_datum **class_val_to_struct;
210 	struct role_datum **role_val_to_struct;
211 	struct user_datum **user_val_to_struct;
212 	struct flex_array *type_val_to_struct_array;
213 
214 	/* type enforcement access vectors and transitions */
215 	struct avtab te_avtab;
216 
217 	/* role transitions */
218 	struct role_trans *role_tr;
219 
220 	/* bools indexed by (value - 1) */
221 	struct cond_bool_datum **bool_val_to_struct;
222 	/* type enforcement conditional access vectors and transitions */
223 	struct avtab te_cond_avtab;
224 	/* linked list indexing te_cond_avtab by conditional */
225 	struct cond_node *cond_list;
226 
227 	/* role allows */
228 	struct role_allow *role_allow;
229 
230 	/* security contexts of initial SIDs, unlabeled file systems,
231 	   TCP or UDP port numbers, network interfaces and nodes */
232 	struct ocontext *ocontexts[OCON_NUM];
233 
234 	/* security contexts for files in filesystems that cannot support
235 	   a persistent label mapping or use another
236 	   fixed labeling behavior. */
237 	struct genfs *genfs;
238 
239 	/* range transitions table (range_trans_key -> mls_range) */
240 	struct hashtab *range_tr;
241 
242 	/* type -> attribute reverse mapping */
243 	struct flex_array *type_attr_map_array;
244 
245 	struct ebitmap policycaps;
246 
247 	struct ebitmap permissive_map;
248 
249 	/* length of this policy when it was loaded */
250 	size_t len;
251 
252 	unsigned int policyvers;
253 
254 	unsigned int reject_unknown : 1;
255 	unsigned int allow_unknown : 1;
256 
257 	u16 process_class;
258 	u32 process_trans_perms;
259 };
260 
261 extern void policydb_destroy(struct policydb *p);
262 extern int policydb_load_isids(struct policydb *p, struct sidtab *s);
263 extern int policydb_context_isvalid(struct policydb *p, struct context *c);
264 extern int policydb_class_isvalid(struct policydb *p, unsigned int class);
265 extern int policydb_type_isvalid(struct policydb *p, unsigned int type);
266 extern int policydb_role_isvalid(struct policydb *p, unsigned int role);
267 extern int policydb_read(struct policydb *p, void *fp);
268 extern int policydb_write(struct policydb *p, void *fp);
269 
270 #define PERM_SYMTAB_SIZE 32
271 
272 #define POLICYDB_CONFIG_MLS    1
273 
274 /* the config flags related to unknown classes/perms are bits 2 and 3 */
275 #define REJECT_UNKNOWN	0x00000002
276 #define ALLOW_UNKNOWN	0x00000004
277 
278 #define OBJECT_R "object_r"
279 #define OBJECT_R_VAL 1
280 
281 #define POLICYDB_MAGIC SELINUX_MAGIC
282 #define POLICYDB_STRING "SE Linux"
283 
284 struct policy_file {
285 	char *data;
286 	size_t len;
287 };
288 
289 struct policy_data {
290 	struct policydb *p;
291 	void *fp;
292 };
293 
294 static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes)
295 {
296 	if (bytes > fp->len)
297 		return -EINVAL;
298 
299 	memcpy(buf, fp->data, bytes);
300 	fp->data += bytes;
301 	fp->len -= bytes;
302 	return 0;
303 }
304 
305 static inline int put_entry(void *buf, size_t bytes, int num, struct policy_file *fp)
306 {
307 	size_t len = bytes * num;
308 
309 	memcpy(fp->data, buf, len);
310 	fp->data += len;
311 	fp->len -= len;
312 
313 	return 0;
314 }
315 
316 static inline char *sym_name(struct policydb *p, unsigned int sym_num, unsigned int element_nr)
317 {
318 	struct flex_array *fa = p->sym_val_to_name[sym_num];
319 
320 	return flex_array_get_ptr(fa, element_nr);
321 }
322 
323 extern u16 string_to_security_class(struct policydb *p, const char *name);
324 extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name);
325 
326 #endif	/* _SS_POLICYDB_H_ */
327 
328