Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
awilliam
GitHub Repository: awilliam/linux-vfio
 Path: blob/master/security/selinux/include/security.h
10817 views
1
/*

2
 * Security server interface.

3
 *

4
 * Author : Stephen Smalley, <[email protected]>

5
 *

6
 */

7


8
#ifndef _SELINUX_SECURITY_H_

9
#define _SELINUX_SECURITY_H_

10


11
#include <linux/dcache.h>

12
#include <linux/magic.h>

13
#include <linux/types.h>

14
#include "flask.h"

15


16
#define SECSID_NULL			0x00000000 /* unspecified SID */

17
#define SECSID_WILD			0xffffffff /* wildcard SID */

18
#define SECCLASS_NULL			0x0000 /* no class */

19


20
/* Identify specific policy version changes */

21
#define POLICYDB_VERSION_BASE		15

22
#define POLICYDB_VERSION_BOOL		16

23
#define POLICYDB_VERSION_IPV6		17

24
#define POLICYDB_VERSION_NLCLASS	18

25
#define POLICYDB_VERSION_VALIDATETRANS	19

26
#define POLICYDB_VERSION_MLS		19

27
#define POLICYDB_VERSION_AVTAB		20

28
#define POLICYDB_VERSION_RANGETRANS	21

29
#define POLICYDB_VERSION_POLCAP		22

30
#define POLICYDB_VERSION_PERMISSIVE	23

31
#define POLICYDB_VERSION_BOUNDARY	24

32
#define POLICYDB_VERSION_FILENAME_TRANS	25

33
#define POLICYDB_VERSION_ROLETRANS	26

34


35
/* Range of policy versions we understand*/

36
#define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE

37
#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX

38
#define POLICYDB_VERSION_MAX	CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE

39
#else

40
#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_ROLETRANS

41
#endif

42


43
/* Mask for just the mount related flags */

44
#define SE_MNTMASK	0x0f

45
/* Super block security struct flags for mount options */

46
#define CONTEXT_MNT	0x01

47
#define FSCONTEXT_MNT	0x02

48
#define ROOTCONTEXT_MNT	0x04

49
#define DEFCONTEXT_MNT	0x08

50
/* Non-mount related flags */

51
#define SE_SBINITIALIZED	0x10

52
#define SE_SBPROC		0x20

53
#define SE_SBLABELSUPP	0x40

54


55
#define CONTEXT_STR	"context="

56
#define FSCONTEXT_STR	"fscontext="

57
#define ROOTCONTEXT_STR	"rootcontext="

58
#define DEFCONTEXT_STR	"defcontext="

59
#define LABELSUPP_STR "seclabel"

60


61
struct netlbl_lsm_secattr;

62


63
extern int selinux_enabled;

64


65
/* Policy capabilities */

66
enum {

67
	POLICYDB_CAPABILITY_NETPEER,

68
	POLICYDB_CAPABILITY_OPENPERM,

69
	__POLICYDB_CAPABILITY_MAX

70
};

71
#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)

72


73
extern int selinux_policycap_netpeer;

74
extern int selinux_policycap_openperm;

75


76
/*

77
 * type_datum properties

78
 * available at the kernel policy version >= POLICYDB_VERSION_BOUNDARY

79
 */

80
#define TYPEDATUM_PROPERTY_PRIMARY	0x0001

81
#define TYPEDATUM_PROPERTY_ATTRIBUTE	0x0002

82


83
/* limitation of boundary depth  */

84
#define POLICYDB_BOUNDS_MAXDEPTH	4

85


86
int security_mls_enabled(void);

87


88
int security_load_policy(void *data, size_t len);

89
int security_read_policy(void **data, size_t *len);

90
size_t security_policydb_len(void);

91


92
int security_policycap_supported(unsigned int req_cap);

93


94
#define SEL_VEC_MAX 32

95
struct av_decision {

96
	u32 allowed;

97
	u32 auditallow;

98
	u32 auditdeny;

99
	u32 seqno;

100
	u32 flags;

101
};

102


103
/* definitions of av_decision.flags */

104
#define AVD_FLAGS_PERMISSIVE	0x0001

105


106
void security_compute_av(u32 ssid, u32 tsid,

107
			 u16 tclass, struct av_decision *avd);

108


109
void security_compute_av_user(u32 ssid, u32 tsid,

110
			     u16 tclass, struct av_decision *avd);

111


112
int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,

113
			    const struct qstr *qstr, u32 *out_sid);

114


115
int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass,

116
				 const char *objname, u32 *out_sid);

117


118
int security_member_sid(u32 ssid, u32 tsid,

119
	u16 tclass, u32 *out_sid);

120


121
int security_change_sid(u32 ssid, u32 tsid,

122
	u16 tclass, u32 *out_sid);

123


124
int security_sid_to_context(u32 sid, char **scontext,

125
	u32 *scontext_len);

126


127
int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len);

128


129
int security_context_to_sid(const char *scontext, u32 scontext_len,

130
	u32 *out_sid);

131


132
int security_context_to_sid_default(const char *scontext, u32 scontext_len,

133
				    u32 *out_sid, u32 def_sid, gfp_t gfp_flags);

134


135
int security_context_to_sid_force(const char *scontext, u32 scontext_len,

136
				  u32 *sid);

137


138
int security_get_user_sids(u32 callsid, char *username,

139
			   u32 **sids, u32 *nel);

140


141
int security_port_sid(u8 protocol, u16 port, u32 *out_sid);

142


143
int security_netif_sid(char *name, u32 *if_sid);

144


145
int security_node_sid(u16 domain, void *addr, u32 addrlen,

146
	u32 *out_sid);

147


148
int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,

149
				 u16 tclass);

150


151
int security_bounded_transition(u32 oldsid, u32 newsid);

152


153
int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid);

154


155
int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,

156
				 u32 xfrm_sid,

157
				 u32 *peer_sid);

158


159
int security_get_classes(char ***classes, int *nclasses);

160
int security_get_permissions(char *class, char ***perms, int *nperms);

161
int security_get_reject_unknown(void);

162
int security_get_allow_unknown(void);

163


164
#define SECURITY_FS_USE_XATTR		1 /* use xattr */

165
#define SECURITY_FS_USE_TRANS		2 /* use transition SIDs, e.g. devpts/tmpfs */

166
#define SECURITY_FS_USE_TASK		3 /* use task SIDs, e.g. pipefs/sockfs */

167
#define SECURITY_FS_USE_GENFS		4 /* use the genfs support */

168
#define SECURITY_FS_USE_NONE		5 /* no labeling support */

169
#define SECURITY_FS_USE_MNTPOINT	6 /* use mountpoint labeling */

170


171
int security_fs_use(const char *fstype, unsigned int *behavior,

172
	u32 *sid);

173


174
int security_genfs_sid(const char *fstype, char *name, u16 sclass,

175
	u32 *sid);

176


177
#ifdef CONFIG_NETLABEL

178
int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,

179
				   u32 *sid);

180


181
int security_netlbl_sid_to_secattr(u32 sid,

182
				   struct netlbl_lsm_secattr *secattr);

183
#else

184
static inline int security_netlbl_secattr_to_sid(

185
					    struct netlbl_lsm_secattr *secattr,

186
					    u32 *sid)

187
{

188
	return -EIDRM;

189
}

190


191
static inline int security_netlbl_sid_to_secattr(u32 sid,

192
					   struct netlbl_lsm_secattr *secattr)

193
{

194
	return -ENOENT;

195
}

196
#endif /* CONFIG_NETLABEL */

197


198
const char *security_get_initial_sid_context(u32 sid);

199


200
/*

201
 * status notifier using mmap interface

202
 */

203
extern struct page *selinux_kernel_status_page(void);

204


205
#define SELINUX_KERNEL_STATUS_VERSION	1

206
struct selinux_kernel_status {

207
	u32	version;	/* version number of thie structure */

208
	u32	sequence;	/* sequence number of seqlock logic */

209
	u32	enforcing;	/* current setting of enforcing mode */

210
	u32	policyload;	/* times of policy reloaded */

211
	u32	deny_unknown;	/* current setting of deny_unknown */

212
	/*

213
	 * The version > 0 supports above members.

214
	 */

215
} __attribute__((packed));

216


217
extern void selinux_status_update_setenforce(int enforcing);

218
extern void selinux_status_update_policyload(int seqno);

219


220
#endif /* _SELINUX_SECURITY_H_ */

221


222


223