  1 /*
  2  * Access vector cache interface for object managers.
  3  *
  4  * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
  5  */
  6 #ifndef _SELINUX_AVC_H_
  7 #define _SELINUX_AVC_H_
  8 
  9 #include <linux/stddef.h>
 10 #include <linux/errno.h>
 11 #include <linux/kernel.h>
 12 #include <linux/kdev_t.h>
 13 #include <linux/spinlock.h>
 14 #include <linux/init.h>
 15 #include <linux/audit.h>
 16 #include <linux/in6.h>
 17 #include <linux/path.h>
 18 #include <asm/system.h>
 19 #include "flask.h"
 20 #include "av_permissions.h"
 21 #include "security.h"
 22 
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
/*
 * Enforcing/permissive switch, defined elsewhere.  Only a DEVELOP build
 * carries a real variable here, i.e. only such a build can ever run with
 * selinux_enforcing == 0 (permissive mode).  Presumably toggled at runtime
 * through selinuxfs -- confirm in the selinuxfs code.
 */
extern int selinux_enforcing;
#else
/*
 * Without DEVELOP the switch is the constant 1: the kernel cannot be put
 * into permissive mode at all, and every "if (!selinux_enforcing)" branch
 * in the callers is folded away by the compiler.  NOTE(review): kernels
 * that must never be downgraded to permissive should be built this way.
 */
#define selinux_enforcing 1
#endif
 28 
 29 /*
 30  * An entry in the AVC.
 31  */
struct avc_entry;

/*
 * Opaque kernel types that this header only ever names through pointers,
 * so the full definitions are not pulled in.  struct sk_buff is declared
 * here but not used by any declaration in this header.
 */
struct task_struct;
struct inode;
struct sock;
struct sk_buff;
 38 
 39 /* Auxiliary data to use in generating the audit record. */
struct avc_audit_data {
        /*
         * Discriminator for the union u below, one of the AVC_AUDIT_DATA_*
         * values; AVC_AUDIT_DATA_INIT() sets it.  Only the union member that
         * matches it holds meaningful data.
         */
        char    type;
#define AVC_AUDIT_DATA_FS   1   /* u.fs is valid */
#define AVC_AUDIT_DATA_NET  2   /* u.net is valid */
#define AVC_AUDIT_DATA_CAP  3   /* u.cap is valid */
#define AVC_AUDIT_DATA_IPC  4   /* u.ipc_id is valid */
        /*
         * NULL after AVC_AUDIT_DATA_INIT(); presumably a caller sets it when
         * the record should name a task other than the current one -- confirm
         * against avc_audit().
         */
        struct task_struct *tsk;
        union   {
                struct {
                        struct path path;
                        struct inode *inode;
                } fs;
                struct {
                        int netif;
                        struct sock *sk;
                        u16 family;     /* address family; presumably selects fam.v4 vs fam.v6 */
                        __be16 dport;   /* ports and addresses stay in network byte order */
                        __be16 sport;
                        union {
                                struct {
                                        __be32 daddr;
                                        __be32 saddr;
                                } v4;
                                struct {
                                        struct in6_addr daddr;
                                        struct in6_addr saddr;
                                } v6;
                        } fam;
                } net;
                int cap;
                int ipc_id;
        } u;
};
 73 
/*
 * Shorthands for the nested address union, e.g. ad.u.net.v4info.daddr.
 * They are bare token aliases with no namespace prefix: any other
 * identifier spelled v4info/v6info in a file that includes this header
 * is rewritten as well.
 */
#define v4info fam.v4
#define v6info fam.v6
 76 
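/*
 * Initialize an AVC audit data structure.
 *
 * _d: pointer to the struct avc_audit_data to zero and tag.
 * _t: bare union tag -- FS, NET, CAP or IPC -- pasted onto AVC_AUDIT_DATA_.
 *
 * Everything, including tsk and the whole union, is cleared before the
 * type is set.  The body is wrapped in do { } while (0) so the macro is a
 * single statement: the former "{ ... }" form expanded to a block followed
 * by the caller's ';', which breaks "if (x) AVC_AUDIT_DATA_INIT(...); else".
 * _d is evaluated once and bound to a typed pointer, so passing anything
 * other than a struct avc_audit_data * is diagnosed by the compiler.
 */
#define AVC_AUDIT_DATA_INIT(_d,_t) \
        do { \
                struct avc_audit_data *_ad = (_d); \
                memset(_ad, 0, sizeof(*_ad)); \
                _ad->type = AVC_AUDIT_DATA_##_t; \
        } while (0)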
 80 
 81 /*
 82  * AVC statistics
 83  */
struct avc_cache_stats {
        unsigned int lookups;           /* cache queries made */
        unsigned int hits;              /* queries answered from the cache */
        unsigned int misses;            /* queries that had to go to the policy; presumably hits + misses == lookups */
        unsigned int allocations;       /* entries allocated */
        unsigned int reclaims;          /* entries evicted to make room */
        unsigned int frees;             /* entries released */
        /*
         * Plain 32-bit counters: they wrap silently, and when
         * CONFIG_SECURITY_SELINUX_AVC_STATS is set one instance exists
         * per CPU (see DECLARE_PER_CPU below), so a total is the sum
         * over all CPUs.
         */
};
 92 
 93 /*
 94  * AVC operations
 95  */
 96 
/* One-time cache setup; __init, so it is discarded after boot and must not be called later. */
void __init avc_init(void);

/*
 * Emit the audit record for a completed access check.
 * ssid/tsid: source and target security IDs; tclass: object class;
 * requested: access vector (permission bitmask for tclass) that was
 * checked; avd: the decision it received; result: the return value of
 * that check; auditdata: optional per-call context (NULL allowed? --
 * confirm in avc.c).  Returns void, so a failure to produce the record
 * (e.g. no audit buffer) cannot be reported back to the caller.
 */
void avc_audit(u32 ssid, u32 tsid,
               u16 tclass, u32 requested,
               struct av_decision *avd, int result, struct avc_audit_data *auditdata);

/*
 * Flag for avc_has_perm_noaudit(): the result is reported as a denial
 * even when selinux_enforcing is 0, for checks that permissive mode must
 * not soften.
 */
#define AVC_STRICT 1 /* Ignore permissive mode. */
/*
 * Access check that does NOT audit.  The decision is returned through
 * *avd and the caller is responsible for passing it, together with the
 * result, to avc_audit(); forgetting that silently drops the denial from
 * the log.  Use this variant when extra audit data must be attached or
 * several checks are combined before auditing.  Returns 0 when granted,
 * a negative errno otherwise (presumably -EACCES).
 */
int avc_has_perm_noaudit(u32 ssid, u32 tsid,
                         u16 tclass, u32 requested,
                         unsigned flags,
                         struct av_decision *avd);

/* Access check that audits its own result; the common entry point. */
int avc_has_perm(u32 ssid, u32 tsid,
                 u16 tclass, u32 requested,
                 struct avc_audit_data *auditdata);

/*
 * Sequence number of the policy currently loaded -- presumably bumped on
 * every policy load, so a decision tagged with an older value is stale.
 */
u32 avc_policy_seqno(void);
114 
/*
 * Event bits for avc_add_callback().  Each is a single bit so several can
 * be OR'ed into the events mask.
 */
#define AVC_CALLBACK_GRANT              1
#define AVC_CALLBACK_TRY_REVOKE         2
#define AVC_CALLBACK_REVOKE             4
#define AVC_CALLBACK_RESET              8
#define AVC_CALLBACK_AUDITALLOW_ENABLE  16
#define AVC_CALLBACK_AUDITALLOW_DISABLE 32
#define AVC_CALLBACK_AUDITDENY_ENABLE   64
#define AVC_CALLBACK_AUDITDENY_DISABLE  128

/*
 * Register callback for the events in `events' that match the given
 * ssid/tsid/tclass/perms.  The callback is handed the event and the
 * affected SIDs, class and permissions; out_retained is an output slot
 * whose meaning presumably only applies to the revoke events -- confirm
 * in avc.c.  Returns 0 on success or a negative errno (presumably on
 * allocation failure).
 */
int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
                                     u16 tclass, u32 perms,
                                     u32 *out_retained),
                     u32 events, u32 ssid, u32 tsid,
                     u16 tclass, u32 perms);
129 
/* Shows permission in human readable form: writes the names of the bits set in av for tclass into the audit buffer ab. */
void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av);

/* Exported to selinuxfs */
/*
 * Format cache statistics into `page'.  There is no length argument: the
 * caller must provide a full page and the implementation has to bound its
 * own output, so never call it with a smaller buffer.  Return value is
 * presumably the number of bytes written -- confirm in avc.c.
 */
int avc_get_hash_stats(char *page);
/* Cache size tunable, presumably read/written through selinuxfs. */
extern unsigned int avc_cache_threshold;

#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
/*
 * Per-CPU counters, declared only when AVC_STATS is configured; any code
 * that reads them must sit under the same #ifdef or it will not compile
 * in other configurations.
 */
DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
#endif
140 
141 #endif /* _SELINUX_AVC_H_ */