Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
torvalds
GitHub Repository: torvalds/linux
 Path: blob/master/security/selinux/include/security.h
26489 views
1
/* SPDX-License-Identifier: GPL-2.0 */

2
/*

3
 * Security server interface.

4
 *

5
 * Author : Stephen Smalley, <[email protected]>

6
 *

7
 */

8


9
#ifndef _SELINUX_SECURITY_H_

10
#define _SELINUX_SECURITY_H_

11


12
#include <linux/compiler.h>

13
#include <linux/dcache.h>

14
#include <linux/magic.h>

15
#include <linux/types.h>

16
#include <linux/rcupdate.h>

17
#include <linux/refcount.h>

18
#include <linux/workqueue.h>

19
#include <linux/delay.h>

20
#include <linux/printk.h>

21
#include "flask.h"

22
#include "policycap.h"

23


24
#define SECSID_NULL   0x00000000 /* unspecified SID */

25
#define SECSID_WILD   0xffffffff /* wildcard SID */

26
#define SECCLASS_NULL 0x0000 /* no class */

27


28
/* Identify specific policy version changes */

29
#define POLICYDB_VERSION_BASE		     15

30
#define POLICYDB_VERSION_BOOL		     16

31
#define POLICYDB_VERSION_IPV6		     17

32
#define POLICYDB_VERSION_NLCLASS	     18

33
#define POLICYDB_VERSION_VALIDATETRANS	     19

34
#define POLICYDB_VERSION_MLS		     19

35
#define POLICYDB_VERSION_AVTAB		     20

36
#define POLICYDB_VERSION_RANGETRANS	     21

37
#define POLICYDB_VERSION_POLCAP		     22

38
#define POLICYDB_VERSION_PERMISSIVE	     23

39
#define POLICYDB_VERSION_BOUNDARY	     24

40
#define POLICYDB_VERSION_FILENAME_TRANS	     25

41
#define POLICYDB_VERSION_ROLETRANS	     26

42
#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27

43
#define POLICYDB_VERSION_DEFAULT_TYPE	     28

44
#define POLICYDB_VERSION_CONSTRAINT_NAMES    29

45
#define POLICYDB_VERSION_XPERMS_IOCTL	     30

46
#define POLICYDB_VERSION_INFINIBAND	     31

47
#define POLICYDB_VERSION_GLBLUB		     32

48
#define POLICYDB_VERSION_COMP_FTRANS	     33 /* compressed filename transitions */

49
#define POLICYDB_VERSION_COND_XPERMS	     34 /* extended permissions in conditional policies */

50
#define POLICYDB_VERSION_NEVERAUDIT	     35 /* neveraudit types */

51


52
/* Range of policy versions we understand*/

53
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE

54
#define POLICYDB_VERSION_MAX POLICYDB_VERSION_NEVERAUDIT

55


56
/* Mask for just the mount related flags */

57
#define SE_MNTMASK 0x0f

58
/* Super block security struct flags for mount options */

59
/* BE CAREFUL, these need to be the low order bits for selinux_get_mnt_opts */

60
#define CONTEXT_MNT	0x01

61
#define FSCONTEXT_MNT	0x02

62
#define ROOTCONTEXT_MNT 0x04

63
#define DEFCONTEXT_MNT	0x08

64
#define SBLABEL_MNT	0x10

65
/* Non-mount related flags */

66
#define SE_SBINITIALIZED 0x0100

67
#define SE_SBPROC	 0x0200

68
#define SE_SBGENFS	 0x0400

69
#define SE_SBGENFS_XATTR 0x0800

70
#define SE_SBNATIVE	 0x1000

71


72
#define CONTEXT_STR	"context"

73
#define FSCONTEXT_STR	"fscontext"

74
#define ROOTCONTEXT_STR "rootcontext"

75
#define DEFCONTEXT_STR	"defcontext"

76
#define SECLABEL_STR	"seclabel"

77


78
struct netlbl_lsm_secattr;

79


80
extern int selinux_enabled_boot;

81


82
/*

83
 * type_datum properties

84
 * available at the kernel policy version >= POLICYDB_VERSION_BOUNDARY

85
 */

86
#define TYPEDATUM_PROPERTY_PRIMARY   0x0001

87
#define TYPEDATUM_PROPERTY_ATTRIBUTE 0x0002

88


89
/* limitation of boundary depth  */

90
#define POLICYDB_BOUNDS_MAXDEPTH 4

91


92
struct selinux_policy;

93


94
struct selinux_state {

95
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP

96
	bool enforcing;

97
#endif

98
	bool initialized;

99
	bool policycap[__POLICYDB_CAP_MAX];

100


101
	struct page *status_page;

102
	struct mutex status_lock;

103


104
	struct selinux_policy __rcu *policy;

105
	struct mutex policy_mutex;

106
} __randomize_layout;

107


108
void selinux_avc_init(void);

109


110
extern struct selinux_state selinux_state;

111


112
static inline bool selinux_initialized(void)

113
{

114
	/* do a synchronized load to avoid race conditions */

115
	return smp_load_acquire(&selinux_state.initialized);

116
}

117


118
static inline void selinux_mark_initialized(void)

119
{

120
	/* do a synchronized write to avoid race conditions */

121
	smp_store_release(&selinux_state.initialized, true);

122
}

123


124
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP

125
static inline bool enforcing_enabled(void)

126
{

127
	return READ_ONCE(selinux_state.enforcing);

128
}

129


130
static inline void enforcing_set(bool value)

131
{

132
	WRITE_ONCE(selinux_state.enforcing, value);

133
}

134
#else

135
static inline bool enforcing_enabled(void)

136
{

137
	return true;

138
}

139


140
static inline void enforcing_set(bool value)

141
{

142
}

143
#endif

144


145
static inline bool checkreqprot_get(void)

146
{

147
	/* non-zero/true checkreqprot values are no longer supported */

148
	return 0;

149
}

150


151
static inline bool selinux_policycap_netpeer(void)

152
{

153
	return READ_ONCE(selinux_state.policycap[POLICYDB_CAP_NETPEER]);

154
}

155


156
static inline bool selinux_policycap_openperm(void)

157
{

158
	return READ_ONCE(selinux_state.policycap[POLICYDB_CAP_OPENPERM]);

159
}

160


161
static inline bool selinux_policycap_extsockclass(void)

162
{

163
	return READ_ONCE(selinux_state.policycap[POLICYDB_CAP_EXTSOCKCLASS]);

164
}

165


166
static inline bool selinux_policycap_alwaysnetwork(void)

167
{

168
	return READ_ONCE(selinux_state.policycap[POLICYDB_CAP_ALWAYSNETWORK]);

169
}

170


171
static inline bool selinux_policycap_cgroupseclabel(void)

172
{

173
	return READ_ONCE(selinux_state.policycap[POLICYDB_CAP_CGROUPSECLABEL]);

174
}

175


176
static inline bool selinux_policycap_nnp_nosuid_transition(void)

177
{

178
	return READ_ONCE(

179
		selinux_state.policycap[POLICYDB_CAP_NNP_NOSUID_TRANSITION]);

180
}

181


182
static inline bool selinux_policycap_genfs_seclabel_symlinks(void)

183
{

184
	return READ_ONCE(

185
		selinux_state.policycap[POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS]);

186
}

187


188
static inline bool selinux_policycap_ioctl_skip_cloexec(void)

189
{

190
	return READ_ONCE(

191
		selinux_state.policycap[POLICYDB_CAP_IOCTL_SKIP_CLOEXEC]);

192
}

193


194
static inline bool selinux_policycap_userspace_initial_context(void)

195
{

196
	return READ_ONCE(

197
		selinux_state.policycap[POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT]);

198
}

199


200
static inline bool selinux_policycap_netlink_xperm(void)

201
{

202
	return READ_ONCE(

203
		selinux_state.policycap[POLICYDB_CAP_NETLINK_XPERM]);

204
}

205


206
static inline bool selinux_policycap_netif_wildcard(void)

207
{

208
	return READ_ONCE(

209
		selinux_state.policycap[POLICYDB_CAP_NETIF_WILDCARD]);

210
}

211


212
struct selinux_policy_convert_data;

213


214
struct selinux_load_state {

215
	struct selinux_policy *policy;

216
	struct selinux_policy_convert_data *convert_data;

217
};

218


219
int security_mls_enabled(void);

220
int security_load_policy(void *data, size_t len,

221
			 struct selinux_load_state *load_state);

222
void selinux_policy_commit(struct selinux_load_state *load_state);

223
void selinux_policy_cancel(struct selinux_load_state *load_state);

224
int security_read_policy(void **data, size_t *len);

225
int security_read_state_kernel(void **data, size_t *len);

226
int security_policycap_supported(unsigned int req_cap);

227


228
#define SEL_VEC_MAX 32

229
struct av_decision {

230
	u32 allowed;

231
	u32 auditallow;

232
	u32 auditdeny;

233
	u32 seqno;

234
	u32 flags;

235
};

236


237
#define XPERMS_ALLOWED	  1

238
#define XPERMS_AUDITALLOW 2

239
#define XPERMS_DONTAUDIT  4

240


241
#define security_xperm_set(perms, x)  ((perms)[(x) >> 5] |= 1 << ((x)&0x1f))

242
#define security_xperm_test(perms, x) (1 & ((perms)[(x) >> 5] >> ((x)&0x1f)))

243
struct extended_perms_data {

244
	u32 p[8];

245
};

246


247
struct extended_perms_decision {

248
	u8 used;

249
	u8 driver;

250
	u8 base_perm;

251
	struct extended_perms_data *allowed;

252
	struct extended_perms_data *auditallow;

253
	struct extended_perms_data *dontaudit;

254
};

255


256
struct extended_perms {

257
	u16 len; /* length associated decision chain */

258
	u8 base_perms; /* which base permissions are covered */

259
	struct extended_perms_data drivers; /* flag drivers that are used */

260
};

261


262
/* definitions of av_decision.flags */

263
#define AVD_FLAGS_PERMISSIVE 0x0001

264
#define AVD_FLAGS_NEVERAUDIT  0x0002

265


266
void security_compute_av(u32 ssid, u32 tsid, u16 tclass,

267
			 struct av_decision *avd,

268
			 struct extended_perms *xperms);

269


270
void security_compute_xperms_decision(u32 ssid, u32 tsid, u16 tclass, u8 driver,

271
				      u8 base_perm,

272
				      struct extended_perms_decision *xpermd);

273


274
void security_compute_av_user(u32 ssid, u32 tsid, u16 tclass,

275
			      struct av_decision *avd);

276


277
int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,

278
			    const struct qstr *qstr, u32 *out_sid);

279


280
int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass,

281
				 const char *objname, u32 *out_sid);

282


283
int security_member_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid);

284


285
int security_change_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid);

286


287
int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len);

288


289
int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len);

290


291
int security_sid_to_context_inval(u32 sid, char **scontext, u32 *scontext_len);

292


293
int security_context_to_sid(const char *scontext, u32 scontext_len,

294
			    u32 *out_sid, gfp_t gfp);

295


296
int security_context_str_to_sid(const char *scontext, u32 *out_sid, gfp_t gfp);

297


298
int security_context_to_sid_default(const char *scontext, u32 scontext_len,

299
				    u32 *out_sid, u32 def_sid, gfp_t gfp_flags);

300


301
int security_context_to_sid_force(const char *scontext, u32 scontext_len,

302
				  u32 *sid);

303


304
int security_get_user_sids(u32 fromsid, const char *username, u32 **sids, u32 *nel);

305


306
int security_port_sid(u8 protocol, u16 port, u32 *out_sid);

307


308
int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);

309


310
int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid);

311


312
int security_netif_sid(const char *name, u32 *if_sid);

313


314
int security_node_sid(u16 domain, const void *addr, u32 addrlen, u32 *out_sid);

315


316
int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,

317
				 u16 tclass);

318


319
int security_validate_transition_user(u32 oldsid, u32 newsid, u32 tasksid,

320
				      u16 tclass);

321


322
int security_bounded_transition(u32 old_sid, u32 new_sid);

323


324
int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid);

325


326
int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type, u32 xfrm_sid,

327
				 u32 *peer_sid);

328


329
int security_get_classes(struct selinux_policy *policy, char ***classes,

330
			 u32 *nclasses);

331
int security_get_permissions(struct selinux_policy *policy, const char *class,

332
			     char ***perms, u32 *nperms);

333
int security_get_reject_unknown(void);

334
int security_get_allow_unknown(void);

335


336
#define SECURITY_FS_USE_XATTR	 1 /* use xattr */

337
#define SECURITY_FS_USE_TRANS	 2 /* use transition SIDs, e.g. devpts/tmpfs */

338
#define SECURITY_FS_USE_TASK	 3 /* use task SIDs, e.g. pipefs/sockfs */

339
#define SECURITY_FS_USE_GENFS	 4 /* use the genfs support */

340
#define SECURITY_FS_USE_NONE	 5 /* no labeling support */

341
#define SECURITY_FS_USE_MNTPOINT 6 /* use mountpoint labeling */

342
#define SECURITY_FS_USE_NATIVE	 7 /* use native label support */

343
#define SECURITY_FS_USE_MAX	 7 /* Highest SECURITY_FS_USE_XXX */

344


345
int security_fs_use(struct super_block *sb);

346


347
int security_genfs_sid(const char *fstype, const char *path, u16 sclass,

348
		       u32 *sid);

349


350
int selinux_policy_genfs_sid(struct selinux_policy *policy, const char *fstype,

351
			     const char *path, u16 sclass, u32 *sid);

352


353
#ifdef CONFIG_NETLABEL

354
int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,

355
				   u32 *sid);

356


357
int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr);

358
#else

359
static inline int

360
security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, u32 *sid)

361
{

362
	return -EIDRM;

363
}

364


365
static inline int

366
security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)

367
{

368
	return -ENOENT;

369
}

370
#endif /* CONFIG_NETLABEL */

371


372
const char *security_get_initial_sid_context(u32 sid);

373


374
/*

375
 * status notifier using mmap interface

376
 */

377
extern struct page *selinux_kernel_status_page(void);

378


379
#define SELINUX_KERNEL_STATUS_VERSION 1

380
struct selinux_kernel_status {

381
	u32 version; /* version number of the structure */

382
	u32 sequence; /* sequence number of seqlock logic */

383
	u32 enforcing; /* current setting of enforcing mode */

384
	u32 policyload; /* times of policy reloaded */

385
	u32 deny_unknown; /* current setting of deny_unknown */

386
	/*

387
	 * The version > 0 supports above members.

388
	 */

389
} __packed;

390


391
extern void selinux_status_update_setenforce(bool enforcing);

392
extern void selinux_status_update_policyload(u32 seqno);

393
extern void selinux_complete_init(void);

394
extern struct path selinux_null;

395
extern void selnl_notify_setenforce(int val);

396
extern void selnl_notify_policyload(u32 seqno);

397
extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);

398


399
extern void avtab_cache_init(void);

400
extern void ebitmap_cache_init(void);

401
extern void hashtab_cache_init(void);

402
extern int security_sidtab_hash_stats(char *page);

403


404
#endif /* _SELINUX_SECURITY_H_ */

405


406