1 /* 2 * Access vector cache interface for object managers. 3 * 4 * Author : Stephen Smalley, <sds@epoch.ncsc.mil> 5 */ 6 #ifndef _SELINUX_AVC_H_ 7 #define _SELINUX_AVC_H_ 8 9 #include <linux/stddef.h> 10 #include <linux/errno.h> 11 #include <linux/kernel.h> 12 #include <linux/kdev_t.h> 13 #include <linux/spinlock.h> 14 #include <linux/init.h> 15 #include <linux/audit.h> 16 #include <linux/lsm_audit.h> 17 #include <linux/in6.h> 18 #include "flask.h" 19 #include "av_permissions.h" 20 #include "security.h" 21 22 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 23 extern int selinux_enforcing; 24 #else 25 #define selinux_enforcing 1 26 #endif 27 28 /* 29 * An entry in the AVC. 30 */ 31 struct avc_entry; 32 33 struct task_struct; 34 struct inode; 35 struct sock; 36 struct sk_buff; 37 38 /* 39 * AVC statistics 40 */ 41 struct avc_cache_stats { 42 unsigned int lookups; 43 unsigned int misses; 44 unsigned int allocations; 45 unsigned int reclaims; 46 unsigned int frees; 47 }; 48 49 /* 50 * We only need this data after we have decided to send an audit message. 51 */ 52 struct selinux_audit_data { 53 u32 ssid; 54 u32 tsid; 55 u16 tclass; 56 u32 requested; 57 u32 audited; 58 u32 denied; 59 int result; 60 }; 61 62 /* 63 * AVC operations 64 */ 65 66 void __init avc_init(void); 67 68 static inline u32 avc_audit_required(u32 requested, 69 struct av_decision *avd, 70 int result, 71 u32 auditdeny, 72 u32 *deniedp) 73 { 74 u32 denied, audited; 75 denied = requested & ~avd->allowed; 76 if (unlikely(denied)) { 77 audited = denied & avd->auditdeny; 78 /* 79 * auditdeny is TRICKY! Setting a bit in 80 * this field means that ANY denials should NOT be audited if 81 * the policy contains an explicit dontaudit rule for that 82 * permission. Take notice that this is unrelated to the 83 * actual permissions that were denied. As an example lets 84 * assume: 85 * 86 * denied == READ 87 * avd.auditdeny & ACCESS == 0 (not set means explicit rule) 88 * auditdeny & ACCESS == 1 89 * 90 * We will NOT audit the denial even though the denied 91 * permission was READ and the auditdeny checks were for 92 * ACCESS 93 */ 94 if (auditdeny && !(auditdeny & avd->auditdeny)) 95 audited = 0; 96 } else if (result) 97 audited = denied = requested; 98 else 99 audited = requested & avd->auditallow; 100 *deniedp = denied; 101 return audited; 102 } 103 104 int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, 105 u32 requested, u32 audited, u32 denied, 106 struct common_audit_data *a, 107 unsigned flags); 108 109 /** 110 * avc_audit - Audit the granting or denial of permissions. 111 * @ssid: source security identifier 112 * @tsid: target security identifier 113 * @tclass: target security class 114 * @requested: requested permissions 115 * @avd: access vector decisions 116 * @result: result from avc_has_perm_noaudit 117 * @a: auxiliary audit data 118 * @flags: VFS walk flags 119 * 120 * Audit the granting or denial of permissions in accordance 121 * with the policy. This function is typically called by 122 * avc_has_perm() after a permission check, but can also be 123 * called directly by callers who use avc_has_perm_noaudit() 124 * in order to separate the permission check from the auditing. 125 * For example, this separation is useful when the permission check must 126 * be performed under a lock, to allow the lock to be released 127 * before calling the auditing code. 128 */ 129 static inline int avc_audit(u32 ssid, u32 tsid, 130 u16 tclass, u32 requested, 131 struct av_decision *avd, 132 int result, 133 struct common_audit_data *a, unsigned flags) 134 { 135 u32 audited, denied; 136 audited = avc_audit_required(requested, avd, result, 0, &denied); 137 if (likely(!audited)) 138 return 0; 139 return slow_avc_audit(ssid, tsid, tclass, 140 requested, audited, denied, 141 a, flags); 142 } 143 144 #define AVC_STRICT 1 /* Ignore permissive mode. */ 145 int avc_has_perm_noaudit(u32 ssid, u32 tsid, 146 u16 tclass, u32 requested, 147 unsigned flags, 148 struct av_decision *avd); 149 150 int avc_has_perm_flags(u32 ssid, u32 tsid, 151 u16 tclass, u32 requested, 152 struct common_audit_data *auditdata, 153 unsigned); 154 155 static inline int avc_has_perm(u32 ssid, u32 tsid, 156 u16 tclass, u32 requested, 157 struct common_audit_data *auditdata) 158 { 159 return avc_has_perm_flags(ssid, tsid, tclass, requested, auditdata, 0); 160 } 161 162 u32 avc_policy_seqno(void); 163 164 #define AVC_CALLBACK_GRANT 1 165 #define AVC_CALLBACK_TRY_REVOKE 2 166 #define AVC_CALLBACK_REVOKE 4 167 #define AVC_CALLBACK_RESET 8 168 #define AVC_CALLBACK_AUDITALLOW_ENABLE 16 169 #define AVC_CALLBACK_AUDITALLOW_DISABLE 32 170 #define AVC_CALLBACK_AUDITDENY_ENABLE 64 171 #define AVC_CALLBACK_AUDITDENY_DISABLE 128 172 173 int avc_add_callback(int (*callback)(u32 event), u32 events); 174 175 /* Exported to selinuxfs */ 176 int avc_get_hash_stats(char *page); 177 extern unsigned int avc_cache_threshold; 178 179 /* Attempt to free avc node cache */ 180 void avc_disable(void); 181 182 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS 183 DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats); 184 #endif 185 186 #endif /* _SELINUX_AVC_H_ */ 187 188