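/*
 * Access vector cache interface for object managers.
 *
 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
 */
#ifndef _SELINUX_AVC_H_
#define _SELINUX_AVC_H_

#include <linux/stddef.h>
#include <linux/errno.h>
#include <linux/kernel.h>
#include <linux/kdev_t.h>
#include <linux/spinlock.h>
#include <linux/init.h>
#include <linux/in6.h>
#include <linux/path.h>
#include <asm/system.h>
#include "flask.h"
#include "av_permissions.h"
#include "security.h"

/*
 * Enforcing/permissive switch.
 *
 * Only a CONFIG_SECURITY_SELINUX_DEVELOP kernel exposes this as a runtime
 * variable.  Otherwise it is the compile-time constant 1, so the AVC can
 * never be switched into permissive mode on a production build.
 */
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
extern int selinux_enforcing;
#else
#define selinux_enforcing 1
#endif

/*
 * An entry in the AVC.  Opaque to object managers; defined in avc.c.
 */
struct avc_entry;

struct task_struct;
struct inode;
struct sock;
struct sk_buff;

/*
 * Auxiliary data to use in generating the audit record.
 *
 * @type selects which member of @u is meaningful (AVC_AUDIT_DATA_FS -> u.fs,
 * _NET -> u.net, _CAP -> u.cap, _IPC -> u.ipc_id).  Always initialise with
 * AVC_AUDIT_DATA_INIT() so no stale stack contents leak into the audit
 * record through the unused union members or padding.
 */
struct avc_audit_data {
	char type;
#define AVC_AUDIT_DATA_FS   1
#define AVC_AUDIT_DATA_NET  2
#define AVC_AUDIT_DATA_CAP  3
#define AVC_AUDIT_DATA_IPC  4
	struct task_struct *tsk;
	union {
		struct {
			struct path path;
			struct inode *inode;
		} fs;
		struct {
			int netif;
			struct sock *sk;
			u16 family;
			__be16 dport;
			__be16 sport;
			union {
				struct {
					__be32 daddr;
					__be32 saddr;
				} v4;
				struct {
					struct in6_addr daddr;
					struct in6_addr saddr;
				} v6;
			} fam;
		} net;
		int cap;
		int ipc_id;
	} u;
};

/*
 * Shorthands for the address union.  These are bare, unscoped macro names
 * (they will rewrite any other "v4info"/"v6info" token in a translation unit
 * that includes this header); kept for existing callers.
 */
#define v4info fam.v4
#define v6info fam.v6

/*
 * Initialize an AVC audit data structure.
 *
 * Zeroes the whole structure (including union members that @_t does not
 * use, and any padding) and records the discriminator.  Written as a
 * do { } while (0) so the expansion is a single statement: the previous
 * bare { } form broke `if (...) AVC_AUDIT_DATA_INIT(d, FS); else ...`
 * because the trailing ';' became a second statement.  Callers that used
 * it with a trailing ';' are unaffected.
 */
#define AVC_AUDIT_DATA_INIT(_d, _t)					\
	do {								\
		memset((_d), 0, sizeof(struct avc_audit_data));		\
		(_d)->type = AVC_AUDIT_DATA_##_t;			\
	} while (0)

/*
 * AVC statistics (per-cpu counters; see avc_cache_stats below).
 */
struct avc_cache_stats {
	unsigned int lookups;
	unsigned int hits;
	unsigned int misses;
	unsigned int allocations;
	unsigned int reclaims;
	unsigned int frees;
};

/*
 * AVC operations
 */

/* One-time cache set-up; __init, so only callable during boot. */
void __init avc_init(void);

/*
 * Emit the audit record for a completed access check.
 * @requested: permission bits that were asked for, @avd: the decision
 * they were checked against, @result: the outcome being reported,
 * @auditdata: supplementary data (may describe fs/net/cap/ipc objects).
 */
void avc_audit(u32 ssid, u32 tsid,
	       u16 tclass, u32 requested,
	       struct av_decision *avd, int result, struct avc_audit_data *auditdata);

/*
 * Flag for avc_has_perm_noaudit(): decide as if selinux_enforcing were 1,
 * i.e. deny even when the system is in permissive mode.
 */
#define AVC_STRICT 1 /* Ignore permissive mode. */

/*
 * Access check without the audit step.  By its name this variant leaves
 * auditing to the caller (via avc_audit() with the returned @avd) — confirm
 * against avc.c before relying on that.  @flags is 0 or AVC_STRICT.
 * Returns 0 on grant, a negative errno on denial.
 */
int avc_has_perm_noaudit(u32 ssid, u32 tsid,
			 u16 tclass, u32 requested,
			 unsigned flags,
			 struct av_decision *avd);

/*
 * Access check that also generates the audit record.  This is the entry
 * point object managers should normally use.  @auditdata should have
 * been set up with AVC_AUDIT_DATA_INIT().
 */
int avc_has_perm(u32 ssid, u32 tsid,
		 u16 tclass, u32 requested,
		 struct avc_audit_data *auditdata);

/* Sequence number of the policy the cache currently reflects. */
u32 avc_policy_seqno(void);

/*
 * Callback event bits.  Powers of two so they can be OR'ed into the
 * @events mask passed to avc_add_callback().
 */
#define AVC_CALLBACK_GRANT		1
#define AVC_CALLBACK_TRY_REVOKE		2
#define AVC_CALLBACK_REVOKE		4
#define AVC_CALLBACK_RESET		8
#define AVC_CALLBACK_AUDITALLOW_ENABLE	16
#define AVC_CALLBACK_AUDITALLOW_DISABLE	32
#define AVC_CALLBACK_AUDITDENY_ENABLE	64
#define AVC_CALLBACK_AUDITDENY_DISABLE	128

/*
 * Register @callback for the AVC_CALLBACK_* bits in @events, filtered by
 * the (ssid, tsid, tclass, perms) tuple.  @out_retained lets the callback
 * report which permissions it kept on a revoke event.
 */
int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
				     u16 tclass, u32 perms,
				     u32 *out_retained),
		     u32 events, u32 ssid, u32 tsid,
		     u16 tclass, u32 perms);

/*
 * Exported to selinuxfs.
 *
 * avc_get_hash_stats() formats cache statistics into @page; presumably a
 * PAGE_SIZE buffer as for other selinuxfs read handlers — verify in avc.c.
 * avc_cache_threshold is the tunable the selinuxfs interface adjusts.
 */
int avc_get_hash_stats(char *page);
extern unsigned int avc_cache_threshold;

#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
#endif

#endif /* _SELINUX_AVC_H_ */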