Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
avc.h
Go to the documentation of this file.
1 /*
2  * Access vector cache interface for object managers.
3  *
4  * Author : Stephen Smalley, <[email protected]>
5  */
6 #ifndef _SELINUX_AVC_H_
7 #define _SELINUX_AVC_H_
8 
9 #include <linux/stddef.h>
10 #include <linux/errno.h>
11 #include <linux/kernel.h>
12 #include <linux/kdev_t.h>
13 #include <linux/spinlock.h>
14 #include <linux/init.h>
15 #include <linux/audit.h>
16 #include <linux/lsm_audit.h>
17 #include <linux/in6.h>
18 #include "flask.h"
19 #include "av_permissions.h"
20 #include "security.h"
21 
22 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
23 extern int selinux_enforcing;
24 #else
25 #define selinux_enforcing 1
26 #endif
27 
28 /*
29  * An entry in the AVC.
30  */
31 struct avc_entry;
32 
33 struct task_struct;
34 struct inode;
35 struct sock;
36 struct sk_buff;
37 
38 /*
39  * AVC statistics
40  */
42  unsigned int lookups;
43  unsigned int misses;
44  unsigned int allocations;
45  unsigned int reclaims;
46  unsigned int frees;
47 };
48 
49 /*
50  * We only need this data after we have decided to send an audit message.
51  */
59  int result;
60 };
61 
62 /*
63  * AVC operations
64  */
65 
66 void __init avc_init(void);
67 
68 static inline u32 avc_audit_required(u32 requested,
69  struct av_decision *avd,
70  int result,
71  u32 auditdeny,
72  u32 *deniedp)
73 {
74  u32 denied, audited;
75  denied = requested & ~avd->allowed;
76  if (unlikely(denied)) {
77  audited = denied & avd->auditdeny;
78  /*
79  * auditdeny is TRICKY! Setting a bit in
80  * this field means that ANY denials should NOT be audited if
81  * the policy contains an explicit dontaudit rule for that
82  * permission. Take notice that this is unrelated to the
83  * actual permissions that were denied. As an example lets
84  * assume:
85  *
86  * denied == READ
87  * avd.auditdeny & ACCESS == 0 (not set means explicit rule)
88  * auditdeny & ACCESS == 1
89  *
90  * We will NOT audit the denial even though the denied
91  * permission was READ and the auditdeny checks were for
92  * ACCESS
93  */
94  if (auditdeny && !(auditdeny & avd->auditdeny))
95  audited = 0;
96  } else if (result)
97  audited = denied = requested;
98  else
99  audited = requested & avd->auditallow;
100  *deniedp = denied;
101  return audited;
102 }
103 
104 int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
105  u32 requested, u32 audited, u32 denied,
106  struct common_audit_data *a,
107  unsigned flags);
108 
129 static inline int avc_audit(u32 ssid, u32 tsid,
130  u16 tclass, u32 requested,
131  struct av_decision *avd,
132  int result,
133  struct common_audit_data *a, unsigned flags)
134 {
135  u32 audited, denied;
136  audited = avc_audit_required(requested, avd, result, 0, &denied);
137  if (likely(!audited))
138  return 0;
139  return slow_avc_audit(ssid, tsid, tclass,
140  requested, audited, denied,
141  a, flags);
142 }
143 
144 #define AVC_STRICT 1 /* Ignore permissive mode. */
145 int avc_has_perm_noaudit(u32 ssid, u32 tsid,
146  u16 tclass, u32 requested,
147  unsigned flags,
148  struct av_decision *avd);
149 
150 int avc_has_perm_flags(u32 ssid, u32 tsid,
151  u16 tclass, u32 requested,
152  struct common_audit_data *auditdata,
153  unsigned);
154 
155 static inline int avc_has_perm(u32 ssid, u32 tsid,
156  u16 tclass, u32 requested,
157  struct common_audit_data *auditdata)
158 {
159  return avc_has_perm_flags(ssid, tsid, tclass, requested, auditdata, 0);
160 }
161 
162 u32 avc_policy_seqno(void);
163 
164 #define AVC_CALLBACK_GRANT 1
165 #define AVC_CALLBACK_TRY_REVOKE 2
166 #define AVC_CALLBACK_REVOKE 4
167 #define AVC_CALLBACK_RESET 8
168 #define AVC_CALLBACK_AUDITALLOW_ENABLE 16
169 #define AVC_CALLBACK_AUDITALLOW_DISABLE 32
170 #define AVC_CALLBACK_AUDITDENY_ENABLE 64
171 #define AVC_CALLBACK_AUDITDENY_DISABLE 128
172 
174 
175 /* Exported to selinuxfs */
176 int avc_get_hash_stats(char *page);
177 extern unsigned int avc_cache_threshold;
178 
179 /* Attempt to free avc node cache */
180 void avc_disable(void);
181 
182 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
184 #endif
185 
186 #endif /* _SELINUX_AVC_H_ */
187