/*
 * Security server interface.
 *
 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
 *
 * Kernel-internal interface to the SELinux security server: policy
 * loading, access-vector decisions, SID <-> context string conversion,
 * label lookups for network objects and filesystems, and the selinuxfs
 * status page.  Only declarations live here; the implementations are
 * not part of this header.
 */

#ifndef _SELINUX_SECURITY_H_
#define _SELINUX_SECURITY_H_

#include <linux/dcache.h>
#include <linux/magic.h>
#include <linux/types.h>
#include "flask.h"

/*
 * Reserved SID / class values.  SECSID_NULL means "no SID assigned" and
 * SECSID_WILD is the all-ones wildcard; they sit at the two extremes of
 * the u32 range, so ordinary SIDs handed out in between cannot collide
 * with them (NOTE(review): apparent intent - the SID table is not
 * visible from this header).
 */
#define SECSID_NULL			0x00000000 /* unspecified SID */
#define SECSID_WILD			0xffffffff /* wildcard SID */
#define SECCLASS_NULL			0x0000 /* no class */

/*
 * Identify specific policy version changes.
 *
 * Each constant names the binary policy format version in which a feature
 * first appeared.  Note that VALIDATETRANS and MLS share version 19.
 */
#define POLICYDB_VERSION_BASE		15
#define POLICYDB_VERSION_BOOL		16
#define POLICYDB_VERSION_IPV6		17
#define POLICYDB_VERSION_NLCLASS	18
#define POLICYDB_VERSION_VALIDATETRANS	19
#define POLICYDB_VERSION_MLS		19
#define POLICYDB_VERSION_AVTAB		20
#define POLICYDB_VERSION_RANGETRANS	21
#define POLICYDB_VERSION_POLCAP		22
#define POLICYDB_VERSION_PERMISSIVE	23
#define POLICYDB_VERSION_BOUNDARY	24
#define POLICYDB_VERSION_FILENAME_TRANS	25
#define POLICYDB_VERSION_ROLETRANS	26
#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS	27
#define POLICYDB_VERSION_DEFAULT_TYPE	28

/*
 * Range of policy versions we understand.
 *
 * MIN is the oldest format still accepted.  MAX is normally the newest
 * version listed above, but a Kconfig override can pin it lower so that
 * a kernel refuses policy images in a format it was not built to handle.
 * NOTE(review): the range check itself is in the policy loader, not here;
 * confirm that the loader rejects images outside [MIN, MAX].
 */
#define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
#define POLICYDB_VERSION_MAX	CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
#else
#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_DEFAULT_TYPE
#endif

/*
 * Mask for just the mount related flags.
 *
 * SE_MNTMASK (0x0f) covers exactly the four *_MNT bits that follow
 * (0x01 | 0x02 | 0x04 | 0x08); the non-mount flags below are placed
 * outside it.  Keep the mask in sync if a fifth mount option is added.
 */
#define SE_MNTMASK	0x0f
/* Super block security struct flags for mount options */
#define CONTEXT_MNT	0x01
#define FSCONTEXT_MNT	0x02
#define ROOTCONTEXT_MNT	0x04
#define DEFCONTEXT_MNT	0x08
/* Non-mount related flags */
#define SE_SBINITIALIZED	0x10
#define SE_SBPROC		0x20
#define SE_SBLABELSUPP		0x40

/*
 * Option names matched in mount option strings.  The four "...=" keys
 * carry a security context as their value - text that originates from
 * the mount caller, so it presumably has to go through
 * security_context_to_sid*() before it is trusted.  "seclabel" has no
 * '=' and is a bare flag rather than a key/value pair.
 */
#define CONTEXT_STR	"context="
#define FSCONTEXT_STR	"fscontext="
#define ROOTCONTEXT_STR	"rootcontext="
#define DEFCONTEXT_STR	"defcontext="
#define LABELSUPP_STR	"seclabel"
/*
 * Opaque here: only pointers to it pass through this interface (see the
 * security_netlbl_* functions below).
 */
struct netlbl_lsm_secattr;

/*
 * Whether SELinux is active at all.  Defined elsewhere; selinux_disable()
 * below is presumably the runtime path that clears it.
 */
extern int selinux_enabled;
/*
 * Policy capabilities.
 *
 * Index constants for the policy capabilities a loaded policy may declare
 * (queried through security_policycap_supported()).  Each value is the
 * position of one capability; __POLICYDB_CAPABILITY_MAX is a sentinel one
 * past the last real one and POLICYDB_CAPABILITY_MAX the highest valid
 * index.  New capabilities must be appended in front of the sentinel so
 * that existing index values stay stable - they identify capabilities in
 * policy images already in the field.
 */
enum {
	POLICYDB_CAPABILITY_NETPEER	= 0,
	POLICYDB_CAPABILITY_OPENPERM	= 1,
	__POLICYDB_CAPABILITY_MAX	= 2	/* sentinel, not a capability */
};
#define POLICYDB_CAPABILITY_MAX	(__POLICYDB_CAPABILITY_MAX - 1)
/*
 * Cached answers for the capabilities above.  NOTE(review): assumed from
 * the names to be refreshed on policy load; the writer is in the policy
 * code, not here.
 */
extern int selinux_policycap_netpeer;
extern int selinux_policycap_openperm;

/*
 * type_datum properties
 * available at the kernel policy version >= POLICYDB_VERSION_BOUNDARY
 */
#define TYPEDATUM_PROPERTY_PRIMARY	0x0001
#define TYPEDATUM_PROPERTY_ATTRIBUTE	0x0002

/*
 * limitation of boundary depth
 *
 * Fixed cap on how long a chain of type bounds may be.  Bounding it keeps
 * a crafted policy from driving the bounds walk arbitrarily deep.
 * NOTE(review): the check that enforces this is in the policy code and
 * is not visible from this header.
 */
#define POLICYDB_BOUNDS_MAXDEPTH	4
/* Non-zero if the loaded policy has MLS enabled. */
int security_mls_enabled(void);

/*
 * Load (or replace) the policy from a binary policy image.
 *
 * @data: start of the image, @len: its size in bytes.  The image is
 * presumably written in from userspace (selinuxfs), i.e. untrusted input
 * whose every structure the parser must validate.  NOTE(review): that
 * validation lives in the policy parser, not here, and this header does
 * not say whether @data is consumed or copied.  By kernel convention
 * returns 0 or a negative errno.
 */
int security_load_policy(void *data, size_t len);

/*
 * Write out the currently loaded policy as a binary image.
 *
 * On success *@data points at the image and *@len holds its size.
 * NOTE(review): the void ** out-parameter suggests the buffer is
 * allocated here and owned by the caller afterwards; confirm who frees
 * it against the implementation.
 */
int security_read_policy(void **data, size_t *len);

/* Size in bytes of the image security_read_policy() would produce. */
size_t security_policydb_len(void);

/*
 * Whether the loaded policy declares capability @req_cap (one of the
 * POLICYDB_CAPABILITY_* indices above).
 */
int security_policycap_supported(unsigned int req_cap);
/*
 * Presumably the maximum number of permission bits in one access vector
 * - it matches the width of the u32 vectors in struct av_decision.
 */
#define SEL_VEC_MAX 32

/*
 * Result of an access-vector lookup (filled in by security_compute_av()).
 *
 * The first three members are bitmaps indexed by permission within the
 * queried class; their names follow the SELinux policy language
 * (allow / auditallow / dontaudit).  @seqno identifies the policy the
 * decision was computed against, so a cached decision can be recognised
 * as stale after a reload.  @flags holds AVD_FLAGS_* bits.
 * NOTE(review): bit semantics are taken from the names; confirm in the
 * implementation.
 */
struct av_decision {
	u32 allowed;
	u32 auditallow;
	u32 auditdeny;
	u32 seqno;
	u32 flags;
};

/* definitions of av_decision.flags */
/*
 * Set when the source domain is permissive.  Callers that act on
 * @allowed must also honour this flag, otherwise per-domain permissive
 * mode silently becomes enforcing on that path (NOTE(review): the
 * enforcement logic is in the callers, not here).
 */
#define AVD_FLAGS_PERMISSIVE	0x0001
/*
 * Access-vector decision for source SID @ssid, target SID @tsid and class
 * @tclass, written to *@avd.  Note the void return: there is no error
 * path, so a SID or class the policy does not know has to be expressed
 * inside *@avd rather than as an errno (see security_get_allow_unknown()
 * below for the policy's stance on unknown classes).
 * NOTE(review): inferred from the signature; confirm in the implementation.
 */
void security_compute_av(u32 ssid, u32 tsid,
			 u16 tclass, struct av_decision *avd);

/*
 * Variant of security_compute_av() for queries originating in userspace.
 * Same parameters and the same void-return caveat; what differs between
 * the two is not stated in this header.
 */
void security_compute_av_user(u32 ssid, u32 tsid,
			      u16 tclass, struct av_decision *avd);

/*
 * SID for a new object of class @tclass created by @ssid relative to
 * @tsid, written to *@out_sid.  @qstr is the new object's name, presumably
 * so that filename-based transition rules
 * (POLICYDB_VERSION_FILENAME_TRANS) can participate.
 * NOTE(review): whether @qstr may be NULL is not stated here.
 */
int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,
			    const struct qstr *qstr, u32 *out_sid);

/*
 * Same as security_transition_sid() but with the object name as a plain
 * C string (@objname), for callers that do not hold a struct qstr.
 */
int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass,
				 const char *objname, u32 *out_sid);

/*
 * SID for the "member" relationship between @ssid and @tsid in @tclass,
 * written to *@out_sid.  NOTE(review): polyinstantiation by the name;
 * not explained in this header.
 */
int security_member_sid(u32 ssid, u32 tsid,
			u16 tclass, u32 *out_sid);

/*
 * SID that @ssid may change @tsid to in class @tclass, written to
 * *@out_sid.  NOTE(review): semantics inferred from the name; confirm in
 * the implementation.
 */
int security_change_sid(u32 ssid, u32 tsid,
			u16 tclass, u32 *out_sid);
/*
 * Convert @sid to its textual security context.  On success *@scontext
 * points at the context string and *@scontext_len holds its length.
 * NOTE(review): the char ** out-parameter suggests the string is
 * allocated for the caller, who then frees it; not verifiable from here.
 */
int security_sid_to_context(u32 sid, char **scontext,
			    u32 *scontext_len);

/*
 * As security_sid_to_context(), but "forced": by the name it should also
 * produce a string for a SID whose context is not valid under the current
 * policy, where the plain version would fail.  NOTE(review): inferred
 * from the name; confirm in the implementation.
 */
int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len);

/*
 * Parse the context string @scontext (@scontext_len bytes) and write its
 * SID to *@out_sid.  Context strings come from untrusted places (xattrs,
 * mount options, selinuxfs writes), so the explicit length - not a NUL
 * terminator - must bound the parse.  NOTE(review): confirm the
 * implementation never reads past @scontext_len.
 */
int security_context_to_sid(const char *scontext, u32 scontext_len,
			    u32 *out_sid);

/*
 * As security_context_to_sid(), but when the string cannot be mapped
 * under the current policy *@out_sid is presumably set to @def_sid
 * instead of failing.  @gfp_flags is passed on to whatever allocation
 * the lookup needs.
 * NOTE(review): the fallback behaviour is inferred from the parameter
 * name.
 */
int security_context_to_sid_default(const char *scontext, u32 scontext_len,
				    u32 *out_sid, u32 def_sid, gfp_t gfp_flags);

/*
 * As security_context_to_sid(), but forced: a well-formed context that
 * is invalid under the current policy still gets a SID.
 * NOTE(review): inferred from the name; how such SIDs are represented is
 * in the implementation.
 */
int security_context_to_sid_force(const char *scontext, u32 scontext_len,
				  u32 *sid);

/*
 * Enumerate the SIDs that @callsid may reach for user @username.
 * *@sids receives an array of *@nel SIDs.  @username is a non-const
 * char *, so callers must pass a writable buffer.
 * NOTE(review): array ownership is not stated here; the caller presumably
 * frees *@sids.
 */
int security_get_user_sids(u32 callsid, char *username,
			   u32 **sids, u32 *nel);
/* SID for network port @port under transport @protocol, to *@out_sid. */
int security_port_sid(u8 protocol, u16 port, u32 *out_sid);

/*
 * SID for the network interface called @name, to *@if_sid.  @name is a
 * non-const char *, so only writable buffers can be passed.
 */
int security_netif_sid(char *name, u32 *if_sid);

/*
 * SID for a network node: @addr is @addrlen bytes of address in family
 * @domain, result in *@out_sid.  @addr is void *, so nothing in this
 * interface ties @addrlen to @domain: the caller must pass the length that
 * matches the family and the implementation must check it.
 * NOTE(review): neither side of that contract is visible from here.
 */
int security_node_sid(u16 domain, void *addr, u32 addrlen,
		      u32 *out_sid);

/*
 * Check whether policy permits relabeling from @oldsid to @newsid in
 * class @tclass when performed by @tasksid (validatetrans rules,
 * POLICYDB_VERSION_VALIDATETRANS).  NOTE(review): the return convention
 * is not stated here.
 */
int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
				 u16 tclass);

/*
 * Check whether the transition @oldsid -> @newsid respects type bounds
 * (POLICYDB_VERSION_BOUNDARY, POLICYDB_BOUNDS_MAXDEPTH).
 */
int security_bounded_transition(u32 oldsid, u32 newsid);

/*
 * Build the SID that combines @sid with the MLS portion of @mls_sid,
 * written to *@new_sid.  NOTE(review): inferred from the name; confirm
 * which fields come from which input in the implementation.
 */
int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid);

/*
 * Resolve the NetLabel-derived label (@nlbl_sid, qualified by @nlbl_type)
 * and the XFRM-derived label (@xfrm_sid) of a peer into a single
 * *@peer_sid.  Both inputs are derived from network traffic; how
 * conflicting labels are reconciled is decided in the implementation.
 */
int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
				 u32 xfrm_sid,
				 u32 *peer_sid);

/*
 * Enumerate the classes (resp. the permissions of @class) defined by the
 * loaded policy as strings: *@classes / *@perms receive an array of
 * *@nclasses / *@nperms pointers.  NOTE(review): ownership of the arrays
 * and strings is not stated here; the caller presumably frees them.
 */
int security_get_classes(char ***classes, int *nclasses);
int security_get_permissions(char *class, char ***perms, int *nperms);

/*
 * The policy's handling of classes/permissions the kernel knows but the
 * policy does not define.  Security-relevant: allow_unknown turns a
 * policy gap into an implicit allow, reject_unknown into a denial.
 * NOTE(review): meanings taken from the names and from the deny_unknown
 * status field below; confirm in the implementation.
 */
int security_get_reject_unknown(void);
int security_get_allow_unknown(void);
/* Labeling behaviors reported by security_fs_use() for a filesystem type. */
#define SECURITY_FS_USE_XATTR		1 /* use xattr */
#define SECURITY_FS_USE_TRANS		2 /* use transition SIDs, e.g. devpts/tmpfs */
#define SECURITY_FS_USE_TASK		3 /* use task SIDs, e.g. pipefs/sockfs */
#define SECURITY_FS_USE_GENFS		4 /* use the genfs support */
#define SECURITY_FS_USE_NONE		5 /* no labeling support */
#define SECURITY_FS_USE_MNTPOINT	6 /* use mountpoint labeling */

/*
 * Look up how filesystem type @fstype is labeled: *@behavior receives one
 * of the SECURITY_FS_USE_* values above and *@sid a SID for the
 * filesystem.  NOTE(review): how *@sid is used under each behavior is not
 * stated here.
 */
int security_fs_use(const char *fstype, unsigned int *behavior,
	u32 *sid);

/*
 * SID for path @name of class @sclass on a filesystem of type @fstype
 * under genfs labeling, written to *@sid.  @name is a non-const char *,
 * so only writable buffers can be passed.
 */
int security_genfs_sid(const char *fstype, char *name, u16 sclass,
	u32 *sid);
#ifdef CONFIG_NETLABEL
/*
 * Map a NetLabel security attribute (@secattr, network-derived and thus
 * untrusted) to a SID, written to *@sid.  An attribute that cannot be
 * mapped must be reported as an error rather than silently mapped to a
 * privileged SID (NOTE(review): enforced in the implementation, not here).
 */
int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
				   u32 *sid);

/* Inverse direction: fill in @secattr from @sid. */
int security_netlbl_sid_to_secattr(u32 sid,
				   struct netlbl_lsm_secattr *secattr);
#else
/*
 * Stubs for kernels built without NetLabel.  Note that the two stubs fail
 * with different codes (-EIDRM vs -ENOENT), so callers must treat both as
 * "no NetLabel mapping available" rather than testing for one specific
 * errno.  EIDRM/ENOENT arrive through a transitively included header;
 * nothing in this file includes <linux/errno.h> directly.
 */
static inline int security_netlbl_secattr_to_sid(
					   struct netlbl_lsm_secattr *secattr,
					   u32 *sid)
{
	return -EIDRM;
}

static inline int security_netlbl_sid_to_secattr(u32 sid,
					   struct netlbl_lsm_secattr *secattr)
{
	return -ENOENT;
}
#endif /* CONFIG_NETLABEL */
/*
 * Textual context of an initial SID (presumably the fixed SIDs declared
 * in flask.h).  Returns a const char * with no length out-parameter, i.e.
 * a string the caller must neither free nor modify.  NOTE(review): the
 * result for a @sid that is not an initial SID is not stated here.
 */
const char *security_get_initial_sid_context(u32 sid);

/*
 * status notifier using mmap interface
 *
 * The page returned here is mapped by userspace; its layout is
 * struct selinux_kernel_status below and is therefore ABI.  Nothing
 * else may be placed in the page, and members may only be appended
 * (bump SELINUX_KERNEL_STATUS_VERSION when that happens).
 */
extern struct page *selinux_kernel_status_page(void);

#define SELINUX_KERNEL_STATUS_VERSION	1
/*
 * Layout of the status page shared with userspace through
 * selinux_kernel_status_page().  Every member is a u32, so packed changes
 * nothing today; it is there to pin the layout as ABI.
 *
 * Readers are expected to use @sequence as a seqlock: read it, copy the
 * other members, re-read it and retry if it changed (NOTE(review): that
 * is the usual seqlock protocol implied by the comment below; the writer
 * side is not visible here).
 */
struct selinux_kernel_status {
	u32	version;	/* version number of this structure */
	u32	sequence;	/* sequence number of seqlock logic */
	u32	enforcing;	/* current setting of enforcing mode */
	u32	policyload;	/* times of policy reloaded */
	u32	deny_unknown;	/* current setting of deny_unknown */
	/*
	 * The version > 0 supports above members.
	 */
} __attribute__((packed));
/*
 * Update the mmap'd status page when enforcing mode changes or a policy
 * is (re)loaded.  NOTE(review): @seqno is int here but u32 in
 * selnl_notify_policyload() and in struct av_decision; a value above
 * INT_MAX would be sign-converted on the way in.  Aligning the types is a
 * cheap clean-up.
 */
extern void selinux_status_update_setenforce(int enforcing);
extern void selinux_status_update_policyload(int seqno);

/* Presumably called once SELinux initialisation has finished. */
extern void selinux_complete_init(void);

/*
 * Disable SELinux at runtime.  Security-relevant: whatever guards this
 * (e.g. refusing once a policy has been loaded) lives in the
 * implementation, not in this interface - verify it there.
 */
extern int selinux_disable(void);

extern void exit_sel_fs(void);

/*
 * NOTE(review): a path and the selinuxfs mount used by the hooks;
 * their exact roles are not explained in this header.
 */
extern struct path selinux_null;
extern struct vfsmount *selinuxfs_mount;

/* Netlink notifications to userspace for the corresponding events. */
extern void selnl_notify_setenforce(int val);
extern void selnl_notify_policyload(u32 seqno);

/*
 * Map netlink message type @nlmsg_type on a socket of class @sclass to
 * the permission that must be checked, written to *@perm.  @nlmsg_type
 * comes straight from the sending task, so a type the table does not
 * know must fail here rather than map to a default permission
 * (NOTE(review): the return convention for unknown types is not visible
 * from this header).
 */
extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);

#endif /* _SELINUX_SECURITY_H_ */