1 /* SPDX-License-Identifier: GPL-2.0 */ 2 /* 3 * Access vector cache interface for object managers. 4 * 5 * Author : Stephen Smalley, <sds@tycho.nsa.gov> 6 */ 7 #ifndef _SELINUX_AVC_H_ 8 #define _SELINUX_AVC_H_ 9 10 #include <linux/stddef.h> 11 #include <linux/errno.h> 12 #include <linux/kernel.h> 13 #include <linux/kdev_t.h> 14 #include <linux/spinlock.h> 15 #include <linux/init.h> 16 #include <linux/audit.h> 17 #include <linux/lsm_audit.h> 18 #include <linux/in6.h> 19 #include "flask.h" 20 #include "av_permissions.h" 21 #include "security.h" 22 23 /* 24 * An entry in the AVC. 25 */ 26 struct avc_entry; 27 28 struct task_struct; 29 struct inode; 30 struct sock; 31 struct sk_buff; 32 33 /* 34 * AVC statistics 35 */ 36 struct avc_cache_stats { 37 unsigned int lookups; 38 unsigned int misses; 39 unsigned int allocations; 40 unsigned int reclaims; 41 unsigned int frees; 42 }; 43 44 /* 45 * We only need this data after we have decided to send an audit message. 46 */ 47 struct selinux_audit_data { 48 u32 ssid; 49 u32 tsid; 50 u16 tclass; 51 u32 requested; 52 u32 audited; 53 u32 denied; 54 int result; 55 } __randomize_layout; 56 57 /* 58 * AVC operations 59 */ 60 61 void __init avc_init(void); 62 63 static inline u32 avc_audit_required(u32 requested, 64 struct av_decision *avd, 65 int result, 66 u32 auditdeny, 67 u32 *deniedp) 68 { 69 u32 denied, audited; 70 denied = requested & ~avd->allowed; 71 if (unlikely(denied)) { 72 audited = denied & avd->auditdeny; 73 /* 74 * auditdeny is TRICKY! Setting a bit in 75 * this field means that ANY denials should NOT be audited if 76 * the policy contains an explicit dontaudit rule for that 77 * permission. Take notice that this is unrelated to the 78 * actual permissions that were denied. As an example lets 79 * assume: 80 * 81 * denied == READ 82 * avd.auditdeny & ACCESS == 0 (not set means explicit rule) 83 * auditdeny & ACCESS == 1 84 * 85 * We will NOT audit the denial even though the denied 86 * permission was READ and the auditdeny checks were for 87 * ACCESS 88 */ 89 if (auditdeny && !(auditdeny & avd->auditdeny)) 90 audited = 0; 91 } else if (result) 92 audited = denied = requested; 93 else 94 audited = requested & avd->auditallow; 95 *deniedp = denied; 96 return audited; 97 } 98 99 int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, 100 u32 requested, u32 audited, u32 denied, int result, 101 struct common_audit_data *a); 102 103 /** 104 * avc_audit - Audit the granting or denial of permissions. 105 * @ssid: source security identifier 106 * @tsid: target security identifier 107 * @tclass: target security class 108 * @requested: requested permissions 109 * @avd: access vector decisions 110 * @result: result from avc_has_perm_noaudit 111 * @a: auxiliary audit data 112 * 113 * Audit the granting or denial of permissions in accordance 114 * with the policy. This function is typically called by 115 * avc_has_perm() after a permission check, but can also be 116 * called directly by callers who use avc_has_perm_noaudit() 117 * in order to separate the permission check from the auditing. 118 * For example, this separation is useful when the permission check must 119 * be performed under a lock, to allow the lock to be released 120 * before calling the auditing code. 121 */ 122 static inline int avc_audit(u32 ssid, u32 tsid, 123 u16 tclass, u32 requested, 124 struct av_decision *avd, 125 int result, 126 struct common_audit_data *a) 127 { 128 u32 audited, denied; 129 audited = avc_audit_required(requested, avd, result, 0, &denied); 130 if (likely(!audited)) 131 return 0; 132 return slow_avc_audit(ssid, tsid, tclass, 133 requested, audited, denied, result, 134 a); 135 } 136 137 #define AVC_STRICT 1 /* Ignore permissive mode. */ 138 #define AVC_EXTENDED_PERMS 2 /* update extended permissions */ 139 int avc_has_perm_noaudit(u32 ssid, u32 tsid, 140 u16 tclass, u32 requested, 141 unsigned flags, 142 struct av_decision *avd); 143 144 int avc_has_perm(u32 ssid, u32 tsid, 145 u16 tclass, u32 requested, 146 struct common_audit_data *auditdata); 147 148 int avc_has_extended_perms(u32 ssid, u32 tsid, u16 tclass, u32 requested, 149 u8 driver, u8 perm, struct common_audit_data *ad); 150 151 152 u32 avc_policy_seqno(void); 153 154 #define AVC_CALLBACK_GRANT 1 155 #define AVC_CALLBACK_TRY_REVOKE 2 156 #define AVC_CALLBACK_REVOKE 4 157 #define AVC_CALLBACK_RESET 8 158 #define AVC_CALLBACK_AUDITALLOW_ENABLE 16 159 #define AVC_CALLBACK_AUDITALLOW_DISABLE 32 160 #define AVC_CALLBACK_AUDITDENY_ENABLE 64 161 #define AVC_CALLBACK_AUDITDENY_DISABLE 128 162 #define AVC_CALLBACK_ADD_XPERMS 256 163 164 int avc_add_callback(int (*callback)(u32 event), u32 events); 165 166 /* Exported to selinuxfs */ 167 int avc_get_hash_stats(char *page); 168 unsigned int avc_get_cache_threshold(void); 169 void avc_set_cache_threshold(unsigned int cache_threshold); 170 171 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS 172 DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats); 173 #endif 174 175 #endif /* _SELINUX_AVC_H_ */ 176 177