Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * Security server interface. | |
3 | * | |
4 | * Author : Stephen Smalley, <sds@epoch.ncsc.mil> | |
5 | * | |
6 | */ | |
7 | ||
8 | #ifndef _SELINUX_SECURITY_H_ | |
9 | #define _SELINUX_SECURITY_H_ | |
10 | ||
652bb9b0 | 11 | #include <linux/dcache.h> |
75834fc3 | 12 | #include <linux/magic.h> |
2606fd1f | 13 | #include <linux/types.h> |
1da177e4 LT |
14 | #include "flask.h" |
15 | ||
16 | #define SECSID_NULL 0x00000000 /* unspecified SID */ | |
17 | #define SECSID_WILD 0xffffffff /* wildcard SID */ | |
18 | #define SECCLASS_NULL 0x0000 /* no class */ | |
19 | ||
1da177e4 LT |
20 | /* Identify specific policy version changes */ |
21 | #define POLICYDB_VERSION_BASE 15 | |
22 | #define POLICYDB_VERSION_BOOL 16 | |
23 | #define POLICYDB_VERSION_IPV6 17 | |
24 | #define POLICYDB_VERSION_NLCLASS 18 | |
25 | #define POLICYDB_VERSION_VALIDATETRANS 19 | |
26 | #define POLICYDB_VERSION_MLS 19 | |
782ebb99 | 27 | #define POLICYDB_VERSION_AVTAB 20 |
f3f87714 | 28 | #define POLICYDB_VERSION_RANGETRANS 21 |
3bb56b25 | 29 | #define POLICYDB_VERSION_POLCAP 22 |
64dbf074 | 30 | #define POLICYDB_VERSION_PERMISSIVE 23 |
d9250dea | 31 | #define POLICYDB_VERSION_BOUNDARY 24 |
652bb9b0 | 32 | #define POLICYDB_VERSION_FILENAME_TRANS 25 |
8023976c | 33 | #define POLICYDB_VERSION_ROLETRANS 26 |
aa893269 | 34 | #define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27 |
eed7795d | 35 | #define POLICYDB_VERSION_DEFAULT_TYPE 28 |
1da177e4 LT |
36 | |
37 | /* Range of policy versions we understand*/ | |
38 | #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE | |
016b9bdb SS |
39 | #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX |
40 | #define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE | |
41 | #else | |
eed7795d | 42 | #define POLICYDB_VERSION_MAX POLICYDB_VERSION_DEFAULT_TYPE |
016b9bdb | 43 | #endif |
1da177e4 | 44 | |
0d90a7ec | 45 | /* Mask for just the mount related flags */ |
308ab70c | 46 | #define SE_MNTMASK 0x1f |
0d90a7ec | 47 | /* Super block security struct flags for mount options */ |
cfca0303 | 48 | /* BE CAREFUL, these need to be the low order bits for selinux_get_mnt_opts */ |
e0007529 EP |
49 | #define CONTEXT_MNT 0x01 |
50 | #define FSCONTEXT_MNT 0x02 | |
51 | #define ROOTCONTEXT_MNT 0x04 | |
52 | #define DEFCONTEXT_MNT 0x08 | |
cfca0303 | 53 | #define SBLABEL_MNT 0x10 |
0d90a7ec | 54 | /* Non-mount related flags */ |
cfca0303 EP |
55 | #define SE_SBINITIALIZED 0x0100 |
56 | #define SE_SBPROC 0x0200 | |
e0007529 | 57 | |
832cbd9a EP |
58 | #define CONTEXT_STR "context=" |
59 | #define FSCONTEXT_STR "fscontext=" | |
60 | #define ROOTCONTEXT_STR "rootcontext=" | |
61 | #define DEFCONTEXT_STR "defcontext=" | |
11689d47 | 62 | #define LABELSUPP_STR "seclabel" |
832cbd9a | 63 | |
5778eabd | 64 | struct netlbl_lsm_secattr; |
bb22f580 | 65 | |
1da177e4 | 66 | extern int selinux_enabled; |
1da177e4 | 67 | |
3bb56b25 PM |
68 | /* Policy capabilities */ |
69 | enum { | |
70 | POLICYDB_CAPABILITY_NETPEER, | |
b0c636b9 | 71 | POLICYDB_CAPABILITY_OPENPERM, |
3bb56b25 PM |
72 | __POLICYDB_CAPABILITY_MAX |
73 | }; | |
74 | #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) | |
75 | ||
76 | extern int selinux_policycap_netpeer; | |
b0c636b9 | 77 | extern int selinux_policycap_openperm; |
3bb56b25 | 78 | |
d9250dea KK |
79 | /* |
80 | * type_datum properties | |
81 | * available at the kernel policy version >= POLICYDB_VERSION_BOUNDARY | |
82 | */ | |
83 | #define TYPEDATUM_PROPERTY_PRIMARY 0x0001 | |
84 | #define TYPEDATUM_PROPERTY_ATTRIBUTE 0x0002 | |
85 | ||
86 | /* limitation of boundary depth */ | |
87 | #define POLICYDB_BOUNDS_MAXDEPTH 4 | |
88 | ||
0719aaf5 GT |
89 | int security_mls_enabled(void); |
90 | ||
b19d8eae | 91 | int security_load_policy(void *data, size_t len); |
6b697323 | 92 | int security_read_policy(void **data, size_t *len); |
cee74f47 | 93 | size_t security_policydb_len(void); |
1da177e4 | 94 | |
3bb56b25 PM |
95 | int security_policycap_supported(unsigned int req_cap); |
96 | ||
e47c8fc5 | 97 | #define SEL_VEC_MAX 32 |
1da177e4 LT |
98 | struct av_decision { |
99 | u32 allowed; | |
1da177e4 LT |
100 | u32 auditallow; |
101 | u32 auditdeny; | |
102 | u32 seqno; | |
8a6f83af | 103 | u32 flags; |
1da177e4 LT |
104 | }; |
105 | ||
8a6f83af KK |
106 | /* definitions of av_decision.flags */ |
107 | #define AVD_FLAGS_PERMISSIVE 0x0001 | |
64dbf074 | 108 | |
19439d05 SS |
109 | void security_compute_av(u32 ssid, u32 tsid, |
110 | u16 tclass, struct av_decision *avd); | |
c6d3aaa4 | 111 | |
19439d05 SS |
112 | void security_compute_av_user(u32 ssid, u32 tsid, |
113 | u16 tclass, struct av_decision *avd); | |
1da177e4 | 114 | |
652bb9b0 EP |
115 | int security_transition_sid(u32 ssid, u32 tsid, u16 tclass, |
116 | const struct qstr *qstr, u32 *out_sid); | |
c6d3aaa4 | 117 | |
f50a3ec9 KK |
118 | int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass, |
119 | const char *objname, u32 *out_sid); | |
1da177e4 LT |
120 | |
121 | int security_member_sid(u32 ssid, u32 tsid, | |
122 | u16 tclass, u32 *out_sid); | |
123 | ||
124 | int security_change_sid(u32 ssid, u32 tsid, | |
125 | u16 tclass, u32 *out_sid); | |
126 | ||
127 | int security_sid_to_context(u32 sid, char **scontext, | |
128 | u32 *scontext_len); | |
129 | ||
12b29f34 SS |
130 | int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len); |
131 | ||
8f0cfa52 | 132 | int security_context_to_sid(const char *scontext, u32 scontext_len, |
1da177e4 LT |
133 | u32 *out_sid); |
134 | ||
7bf570dc | 135 | int security_context_to_sid_default(const char *scontext, u32 scontext_len, |
869ab514 | 136 | u32 *out_sid, u32 def_sid, gfp_t gfp_flags); |
f5c1d5b2 | 137 | |
12b29f34 SS |
138 | int security_context_to_sid_force(const char *scontext, u32 scontext_len, |
139 | u32 *sid); | |
140 | ||
1da177e4 LT |
141 | int security_get_user_sids(u32 callsid, char *username, |
142 | u32 **sids, u32 *nel); | |
143 | ||
3e112172 | 144 | int security_port_sid(u8 protocol, u16 port, u32 *out_sid); |
1da177e4 | 145 | |
e8bfdb9d | 146 | int security_netif_sid(char *name, u32 *if_sid); |
1da177e4 LT |
147 | |
148 | int security_node_sid(u16 domain, void *addr, u32 addrlen, | |
149 | u32 *out_sid); | |
150 | ||
151 | int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, | |
b19d8eae | 152 | u16 tclass); |
1da177e4 | 153 | |
d9250dea KK |
154 | int security_bounded_transition(u32 oldsid, u32 newsid); |
155 | ||
08554d6b VY |
156 | int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid); |
157 | ||
220deb96 PM |
158 | int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type, |
159 | u32 xfrm_sid, | |
160 | u32 *peer_sid); | |
161 | ||
55fcf09b CP |
162 | int security_get_classes(char ***classes, int *nclasses); |
163 | int security_get_permissions(char *class, char ***perms, int *nperms); | |
3f12070e EP |
164 | int security_get_reject_unknown(void); |
165 | int security_get_allow_unknown(void); | |
55fcf09b | 166 | |
1da177e4 LT |
167 | #define SECURITY_FS_USE_XATTR 1 /* use xattr */ |
168 | #define SECURITY_FS_USE_TRANS 2 /* use transition SIDs, e.g. devpts/tmpfs */ | |
169 | #define SECURITY_FS_USE_TASK 3 /* use task SIDs, e.g. pipefs/sockfs */ | |
170 | #define SECURITY_FS_USE_GENFS 4 /* use the genfs support */ | |
171 | #define SECURITY_FS_USE_NONE 5 /* no labeling support */ | |
172 | #define SECURITY_FS_USE_MNTPOINT 6 /* use mountpoint labeling */ | |
173 | ||
f936c6e5 | 174 | int security_fs_use(const char *fstype, short unsigned int *behavior, |
089be43e | 175 | u32 *sid); |
1da177e4 LT |
176 | |
177 | int security_genfs_sid(const char *fstype, char *name, u16 sclass, | |
178 | u32 *sid); | |
179 | ||
5778eabd PM |
180 | #ifdef CONFIG_NETLABEL |
181 | int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, | |
5778eabd PM |
182 | u32 *sid); |
183 | ||
184 | int security_netlbl_sid_to_secattr(u32 sid, | |
185 | struct netlbl_lsm_secattr *secattr); | |
186 | #else | |
187 | static inline int security_netlbl_secattr_to_sid( | |
188 | struct netlbl_lsm_secattr *secattr, | |
5778eabd PM |
189 | u32 *sid) |
190 | { | |
191 | return -EIDRM; | |
192 | } | |
193 | ||
194 | static inline int security_netlbl_sid_to_secattr(u32 sid, | |
195 | struct netlbl_lsm_secattr *secattr) | |
196 | { | |
197 | return -ENOENT; | |
198 | } | |
199 | #endif /* CONFIG_NETLABEL */ | |
200 | ||
f0ee2e46 JC |
201 | const char *security_get_initial_sid_context(u32 sid); |
202 | ||
11904167 KK |
203 | /* |
204 | * status notifier using mmap interface | |
205 | */ | |
206 | extern struct page *selinux_kernel_status_page(void); | |
207 | ||
208 | #define SELINUX_KERNEL_STATUS_VERSION 1 | |
36f7f284 | 209 | struct selinux_kernel_status { |
11904167 KK |
210 | u32 version; /* version number of thie structure */ |
211 | u32 sequence; /* sequence number of seqlock logic */ | |
212 | u32 enforcing; /* current setting of enforcing mode */ | |
213 | u32 policyload; /* times of policy reloaded */ | |
214 | u32 deny_unknown; /* current setting of deny_unknown */ | |
215 | /* | |
216 | * The version > 0 supports above members. | |
217 | */ | |
218 | } __attribute__((packed)); | |
219 | ||
220 | extern void selinux_status_update_setenforce(int enforcing); | |
221 | extern void selinux_status_update_policyload(int seqno); | |
cc59a582 | 222 | extern void selinux_complete_init(void); |
58982b74 | 223 | extern int selinux_disable(void); |
ad3fa08c | 224 | extern void exit_sel_fs(void); |
765927b2 | 225 | extern struct path selinux_null; |
ad3fa08c | 226 | extern struct vfsmount *selinuxfs_mount; |
6a3fbe81 JM |
227 | extern void selnl_notify_setenforce(int val); |
228 | extern void selnl_notify_policyload(u32 seqno); | |
229 | extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); | |
11904167 | 230 | |
1da177e4 LT |
231 | #endif /* _SELINUX_SECURITY_H_ */ |
232 |