/*
 * Access vector cache interface for object managers.
 *
 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
 */
#ifndef _SELINUX_AVC_H_
#define _SELINUX_AVC_H_

#include <linux/stddef.h>
#include <linux/errno.h>
#include <linux/kernel.h>
#include <linux/kdev_t.h>
#include <linux/spinlock.h>
#include <linux/init.h>
#include <linux/audit.h>
#include <linux/lsm_audit.h>
#include <linux/in6.h>
#include <linux/path.h>
#include <asm/system.h>
#include "flask.h"
#include "av_permissions.h"
#include "security.h"

/*
 * Enforcing/permissive switch.  Only a CONFIG_SECURITY_SELINUX_DEVELOP
 * kernel carries a runtime-settable variable; otherwise the symbol is the
 * compile-time constant 1, so permissive mode is compiled out and cannot be
 * enabled at runtime (AVC_STRICT below is then redundant but harmless).
 */
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
extern int selinux_enforcing;
#else
#define selinux_enforcing 1
#endif
/*
 * An entry in the AVC.  Deliberately an incomplete type here: the layout
 * belongs to the AVC implementation, and users of this header only ever
 * handle pointers to it.
 */
struct avc_entry;

/* Kernel object types this interface refers to by pointer only. */
struct task_struct;
struct inode;
struct sock;
struct sk_buff;
/*
 * AVC statistics
 *
 * Counters instantiated per CPU when CONFIG_SECURITY_SELINUX_AVC_STATS is
 * set (see the DECLARE_PER_CPU at the end of this header).  They are plain
 * unsigned ints and wrap silently at UINT_MAX.  The per-field meanings below
 * are inferred from the names; confirm against avc.c before relying on them.
 */
struct avc_cache_stats {
	unsigned int lookups;		/* cache lookups attempted */
	unsigned int hits;		/* lookups satisfied from the cache */
	unsigned int misses;		/* lookups that found no cached entry */
	unsigned int allocations;	/* cache nodes allocated */
	unsigned int reclaims;		/* nodes reclaimed (presumably when over avc_cache_threshold) */
	unsigned int frees;		/* nodes freed */
};
/*
 * AVC operations
 */

/* One-time AVC setup during boot; __init text is discarded afterwards. */
void __init avc_init(void);

/*
 * Emit an audit record for an access decision.
 * @ssid, @tsid, @tclass, @requested: the query that was decided
 * @avd: the decision that was reached for it
 * @result: the outcome the caller is reporting (presumably the
 *          avc_has_perm*() return value; confirm against avc.c)
 * @a: LSM audit context (struct common_audit_data, <linux/lsm_audit.h>)
 *     attached to the record
 */
void avc_audit(u32 ssid, u32 tsid,
	       u16 tclass, u32 requested,
	       struct av_decision *avd,
	       int result,
	       struct common_audit_data *a);
#define AVC_STRICT 1 /* Ignore permissive mode. */

/*
 * Permission check without audit logging.
 * @flags: 0 or AVC_STRICT.  With AVC_STRICT the decision is imposed even
 *         when selinux_enforcing is 0, so the caller must be sure the
 *         denial is safe to apply unconditionally.
 * @avd: decision output for the caller, typically handed on to avc_audit().
 * Return: 0 when granted, a negative errno when denied (convention only;
 *         confirm against avc.c).
 *
 * Nothing is logged here: a caller that never follows up with avc_audit()
 * leaves its denials invisible in the audit trail.  Prefer avc_has_perm()
 * unless the caller audits the result itself.
 */
int avc_has_perm_noaudit(u32 ssid, u32 tsid,
			 u16 tclass, u32 requested,
			 unsigned flags,
			 struct av_decision *avd);

/*
 * Permission check that also audits the decision, using @auditdata as the
 * record's context.  Same return convention as avc_has_perm_noaudit().
 */
int avc_has_perm(u32 ssid, u32 tsid,
		 u16 tclass, u32 requested,
		 struct common_audit_data *auditdata);

/* Sequence number of the loaded policy (presumably; confirm against avc.c). */
u32 avc_policy_seqno(void);
/*
 * Callback event bits.  Each value is a distinct bit so that several can be
 * OR'ed together into the @events mask given to avc_add_callback().
 */
#define AVC_CALLBACK_GRANT		1
#define AVC_CALLBACK_TRY_REVOKE		2
#define AVC_CALLBACK_REVOKE		4
#define AVC_CALLBACK_RESET		8
#define AVC_CALLBACK_AUDITALLOW_ENABLE	16
#define AVC_CALLBACK_AUDITALLOW_DISABLE	32
#define AVC_CALLBACK_AUDITDENY_ENABLE	64
#define AVC_CALLBACK_AUDITDENY_DISABLE	128

/*
 * Register @callback for the events in the @events bitmask, scoped to the
 * (@ssid, @tsid, @tclass, @perms) tuple.  The callback is handed the event
 * that fired plus the same tuple; *@out_retained appears to be where it
 * reports permissions it keeps (inferred from the name; confirm against
 * avc.c).
 * Return: 0 on success, negative errno otherwise (convention; confirm).
 */
int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
				     u16 tclass, u32 perms,
				     u32 *out_retained),
		     u32 events, u32 ssid, u32 tsid,
		     u16 tclass, u32 perms);
/* Exported to selinuxfs */
/*
 * Format hash-table statistics into @page.  No buffer length is passed, so
 * the implementation is trusted to bound its output to the caller's page;
 * keep that in mind when adding fields to the report.
 */
int avc_get_hash_stats(char *page);
/* Cache size tunable (presumably exposed for writing via selinuxfs). */
extern unsigned int avc_cache_threshold;

/* Attempt to free avc node cache */
void avc_disable(void);

/* Per-CPU counters, compiled in only when statistics are configured. */
#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
#endif

#endif /* _SELINUX_AVC_H_ */