linux/security/selinux/include/security.h
   1/* SPDX-License-Identifier: GPL-2.0 */
   2/*
   3 * Security server interface.
   4 *
   5 * Author : Stephen Smalley, <sds@tycho.nsa.gov>
   6 *
   7 */
   8
   9#ifndef _SELINUX_SECURITY_H_
  10#define _SELINUX_SECURITY_H_
  11
  12#include <linux/compiler.h>
  13#include <linux/dcache.h>
  14#include <linux/magic.h>
  15#include <linux/types.h>
  16#include <linux/rcupdate.h>
  17#include <linux/refcount.h>
  18#include <linux/workqueue.h>
  19#include "flask.h"
  20#include "policycap.h"
  21
/* Reserved security identifiers (SIDs) and object classes. */
#define SECSID_NULL                     0x00000000 /* unspecified SID */
#define SECSID_WILD                     0xffffffff /* wildcard SID */
#define SECCLASS_NULL                   0x0000 /* no class */

/*
 * Identify specific policy version changes.
 * Each value names the policy format revision that introduced a feature.
 * Note that VALIDATETRANS and MLS both map to version 19.
 */
#define POLICYDB_VERSION_BASE           15
#define POLICYDB_VERSION_BOOL           16
#define POLICYDB_VERSION_IPV6           17
#define POLICYDB_VERSION_NLCLASS        18
#define POLICYDB_VERSION_VALIDATETRANS  19
#define POLICYDB_VERSION_MLS            19
#define POLICYDB_VERSION_AVTAB          20
#define POLICYDB_VERSION_RANGETRANS     21
#define POLICYDB_VERSION_POLCAP         22
#define POLICYDB_VERSION_PERMISSIVE     23
#define POLICYDB_VERSION_BOUNDARY       24
#define POLICYDB_VERSION_FILENAME_TRANS 25
#define POLICYDB_VERSION_ROLETRANS      26
#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS    27
#define POLICYDB_VERSION_DEFAULT_TYPE   28
#define POLICYDB_VERSION_CONSTRAINT_NAMES       29
#define POLICYDB_VERSION_XPERMS_IOCTL   30
#define POLICYDB_VERSION_INFINIBAND             31
#define POLICYDB_VERSION_GLBLUB         32
#define POLICYDB_VERSION_COMP_FTRANS    33 /* compressed filename transitions */

/*
 * Range of policy versions we understand.
 * POLICYDB_VERSION_MAX must be bumped whenever a new POLICYDB_VERSION_*
 * entry is added above, since it is the upper bound of this range.
 */
#define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_COMP_FTRANS
  51
/* Mask for just the mount related flags */
#define SE_MNTMASK      0x0f
/* Super block security struct flags for mount options */
/* BE CAREFUL, these need to be the low order bits for selinux_get_mnt_opts */
#define CONTEXT_MNT     0x01
#define FSCONTEXT_MNT   0x02
#define ROOTCONTEXT_MNT 0x04
#define DEFCONTEXT_MNT  0x08
/*
 * NOTE(review): SBLABEL_MNT (0x10) lies outside SE_MNTMASK (0x0f), so code
 * that masks with SE_MNTMASK will not see it -- presumably intentional,
 * confirm against the users of SE_MNTMASK.
 */
#define SBLABEL_MNT     0x10
/* Non-mount related flags */
#define SE_SBINITIALIZED        0x0100
#define SE_SBPROC               0x0200
#define SE_SBGENFS              0x0400
#define SE_SBGENFS_XATTR        0x0800

/*
 * Mount option keywords.  The first four correspond by name to the
 * *_MNT flags above; the mapping itself is not in this header.
 */
#define CONTEXT_STR     "context"
#define FSCONTEXT_STR   "fscontext"
#define ROOTCONTEXT_STR "rootcontext"
#define DEFCONTEXT_STR  "defcontext"
#define SECLABEL_STR "seclabel"
  72
/* Forward declaration; only ever used through a pointer in this header. */
struct netlbl_lsm_secattr;

/* Defined in a .c file; presumably reflects the boot-time enable setting. */
extern int selinux_enabled_boot;

/*
 * type_datum properties
 * available at the kernel policy version >= POLICYDB_VERSION_BOUNDARY
 */
#define TYPEDATUM_PROPERTY_PRIMARY      0x0001
#define TYPEDATUM_PROPERTY_ATTRIBUTE    0x0002

/* limitation of boundary depth  */
#define POLICYDB_BOUNDS_MAXDEPTH        4

/* Opaque to users of this header; pointed to from struct selinux_state. */
struct selinux_avc;
struct selinux_policy;
  89
/*
 * Runtime state of the SELinux security server.  A single global instance,
 * selinux_state, is declared further below.  The bool members are not meant
 * to be touched directly: the static inline accessors that follow read and
 * write them with READ_ONCE/WRITE_ONCE or acquire/release semantics.
 */
struct selinux_state {
#ifdef CONFIG_SECURITY_SELINUX_DISABLE
        bool disabled;          /* set by selinux_mark_disabled(); nothing here clears it */
#endif
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
        bool enforcing;         /* enforcing_enabled()/enforcing_set(); without this
                                   config option enforcing_enabled() is always true */
#endif
        bool checkreqprot;      /* checkreqprot_get()/checkreqprot_set() */
        bool initialized;       /* published with smp_store_release() by
                                   selinux_mark_initialized() */
        bool policycap[__POLICYDB_CAPABILITY_MAX]; /* read by selinux_policycap_*() */

        struct page *status_page; /* see selinux_kernel_status_page() below */
        struct mutex status_lock;

        struct selinux_avc *avc;
        struct selinux_policy __rcu *policy; /* RCU-protected; presumably updates are
                                                serialized by policy_mutex -- confirm */
        struct mutex policy_mutex;
} __randomize_layout;
 108
/* Initialises the AVC; the resulting object is returned through *avc. */
void selinux_avc_init(struct selinux_avc **avc);

/* The single global state instance; defined in a .c file. */
extern struct selinux_state selinux_state;
 112
/*
 * selinux_initialized - has the security server been marked initialized?
 * @state: state instance to query
 *
 * Acquire load that pairs with the release store in
 * selinux_mark_initialized(), so a reader that observes true also observes
 * everything published before the flag was set.
 */
static inline bool selinux_initialized(const struct selinux_state *state)
{
        bool ready;

        ready = smp_load_acquire(&state->initialized);
        return ready;
}
 118
/*
 * selinux_mark_initialized - publish that initialization is complete
 * @state: state instance to update
 *
 * Release store; pairs with the acquire load in selinux_initialized().
 * Nothing in this header ever clears the flag again.
 */
static inline void selinux_mark_initialized(struct selinux_state *state)
{
        const bool done = true;

        smp_store_release(&state->initialized, done);
}
 124
 125#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
/*
 * enforcing_enabled - current enforcing/permissive setting
 * @state: state instance to query
 *
 * Only this CONFIG_SECURITY_SELINUX_DEVELOP variant can return false;
 * the alternative definition below is hard-wired to true.
 */
static inline bool enforcing_enabled(struct selinux_state *state)
{
        const bool enforcing = READ_ONCE(state->enforcing);

        return enforcing;
}
 130
/*
 * enforcing_set - switch between enforcing and permissive mode
 * @state: state instance to update
 * @value: true for enforcing, false for permissive
 *
 * Plain WRITE_ONCE; no ordering against other state is provided here.
 */
static inline void enforcing_set(struct selinux_state *state, bool value)
{
        bool *slot = &state->enforcing;

        WRITE_ONCE(*slot, value);
}
 135#else
/*
 * enforcing_enabled - always true without CONFIG_SECURITY_SELINUX_DEVELOP
 * @state: unused
 *
 * Permissive mode does not exist in this configuration.
 */
static inline bool enforcing_enabled(struct selinux_state *state)
{
        (void)state;
        return true;
}
 140
/*
 * enforcing_set - no-op without CONFIG_SECURITY_SELINUX_DEVELOP
 * @state: unused
 * @value: unused; the mode cannot be changed in this configuration
 */
static inline void enforcing_set(struct selinux_state *state, bool value)
{
        (void)state;
        (void)value;
}
 144#endif
 145
/*
 * checkreqprot_get - current checkreqprot setting
 * @state: state instance to query
 */
static inline bool checkreqprot_get(const struct selinux_state *state)
{
        const bool value = READ_ONCE(state->checkreqprot);

        return value;
}
 150
/*
 * checkreqprot_set - update the checkreqprot setting
 * @state: state instance to update
 * @value: new setting
 */
static inline void checkreqprot_set(struct selinux_state *state, bool value)
{
        bool *slot = &state->checkreqprot;

        WRITE_ONCE(*slot, value);
}
 155
 156#ifdef CONFIG_SECURITY_SELINUX_DISABLE
/*
 * selinux_disabled - has SELinux been disabled at runtime?
 * @state: state instance to query
 *
 * Only available with CONFIG_SECURITY_SELINUX_DISABLE; otherwise the
 * alternative definition below always returns false.
 */
static inline bool selinux_disabled(struct selinux_state *state)
{
        const bool disabled = READ_ONCE(state->disabled);

        return disabled;
}
 161
/*
 * selinux_mark_disabled - record that SELinux has been disabled
 * @state: state instance to update
 *
 * One-way: nothing in this header provides a way to clear the flag.
 */
static inline void selinux_mark_disabled(struct selinux_state *state)
{
        bool *slot = &state->disabled;

        WRITE_ONCE(*slot, true);
}
 166#else
/*
 * selinux_disabled - always false without CONFIG_SECURITY_SELINUX_DISABLE
 * @state: unused
 *
 * Runtime disabling is not possible in this configuration; note that no
 * selinux_mark_disabled() is defined on this side of the #ifdef.
 */
static inline bool selinux_disabled(struct selinux_state *state)
{
        (void)state;
        return false;
}
 171#endif
 172
/*
 * selinux_policycap_netpeer - is the "netpeer" policy capability enabled?
 *
 * Reads the global selinux_state.policycap[] entry with READ_ONCE.
 */
static inline bool selinux_policycap_netpeer(void)
{
        bool *caps = selinux_state.policycap;

        return READ_ONCE(caps[POLICYDB_CAPABILITY_NETPEER]);
}
 179
/*
 * selinux_policycap_openperm - is the "openperm" policy capability enabled?
 *
 * Reads the global selinux_state.policycap[] entry with READ_ONCE.
 */
static inline bool selinux_policycap_openperm(void)
{
        bool *caps = selinux_state.policycap;

        return READ_ONCE(caps[POLICYDB_CAPABILITY_OPENPERM]);
}
 186
/*
 * selinux_policycap_extsockclass - is the "extended_socket_class" policy
 * capability enabled?
 *
 * Reads the global selinux_state.policycap[] entry with READ_ONCE.
 */
static inline bool selinux_policycap_extsockclass(void)
{
        bool *caps = selinux_state.policycap;

        return READ_ONCE(caps[POLICYDB_CAPABILITY_EXTSOCKCLASS]);
}
 193
/*
 * selinux_policycap_alwaysnetwork - is the "always_check_network" policy
 * capability enabled?
 *
 * Reads the global selinux_state.policycap[] entry with READ_ONCE.
 */
static inline bool selinux_policycap_alwaysnetwork(void)
{
        bool *caps = selinux_state.policycap;

        return READ_ONCE(caps[POLICYDB_CAPABILITY_ALWAYSNETWORK]);
}
 200
/*
 * selinux_policycap_cgroupseclabel - is the "cgroup_seclabel" policy
 * capability enabled?
 *
 * Reads the global selinux_state.policycap[] entry with READ_ONCE.
 */
static inline bool selinux_policycap_cgroupseclabel(void)
{
        bool *caps = selinux_state.policycap;

        return READ_ONCE(caps[POLICYDB_CAPABILITY_CGROUPSECLABEL]);
}
 207
/*
 * selinux_policycap_nnp_nosuid_transition - is the "nnp_nosuid_transition"
 * policy capability enabled?
 *
 * Reads the global selinux_state.policycap[] entry with READ_ONCE.
 */
static inline bool selinux_policycap_nnp_nosuid_transition(void)
{
        bool *caps = selinux_state.policycap;

        return READ_ONCE(caps[POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION]);
}
 214
/*
 * selinux_policycap_genfs_seclabel_symlinks - is the
 * "genfs_seclabel_symlinks" policy capability enabled?
 *
 * Reads the global selinux_state.policycap[] entry with READ_ONCE.
 */
static inline bool selinux_policycap_genfs_seclabel_symlinks(void)
{
        bool *caps = selinux_state.policycap;

        return READ_ONCE(caps[POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS]);
}
 221
int security_mls_enabled(struct selinux_state *state);

/*
 * Policy loading appears to be two-phase (inferred from the signatures,
 * confirm against the definitions): security_load_policy() parses the
 * @len bytes at @data into a new policy returned through @newpolicyp,
 * and the caller then either makes it active with selinux_policy_commit()
 * or discards it with selinux_policy_cancel().  @data is untrusted input
 * from whoever writes the policy; all validation has to happen in
 * security_load_policy().
 */
int security_load_policy(struct selinux_state *state,
                        void *data, size_t len,
                        struct selinux_policy **newpolicyp);
void selinux_policy_commit(struct selinux_state *state,
                        struct selinux_policy *newpolicy);
void selinux_policy_cancel(struct selinux_state *state,
                        struct selinux_policy *policy);
/* @data and @len are output parameters (double pointers). */
int security_read_policy(struct selinux_state *state,
                         void **data, size_t *len);

/* @req_cap: presumably a POLICYDB_CAPABILITY_* index -- confirm. */
int security_policycap_supported(struct selinux_state *state,
                                 unsigned int req_cap);
 235
#define SEL_VEC_MAX 32  /* matches the width of the u32 vectors below */
/*
 * Result of an access-vector query (see security_compute_av()).
 * allowed / auditallow / auditdeny are permission bitmasks; their names
 * are self-describing.
 */
struct av_decision {
        u32 allowed;
        u32 auditallow;
        u32 auditdeny;
        u32 seqno;      /* presumably the policy sequence number the decision
                           was computed under -- confirm */
        u32 flags;      /* AVD_FLAGS_* (defined below) */
};
 244
/*
 * Bit flags; values 1, 2 and 4 fit a u8 and look designed to be OR'ed
 * together (presumably into extended_perms_decision.used -- confirm).
 */
#define XPERMS_ALLOWED 1
#define XPERMS_AUDITALLOW 2
#define XPERMS_DONTAUDIT 4
 248
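/*
 * Extended-permission bitmap helpers.
 * @perms: array of u32 words (e.g. struct extended_perms_data.p, 8 words =
 *         256 bits); word index is x / 32, bit index is x % 32.
 * @x:     bit number, expected in the range 0..(8 * 32 - 1) for that array.
 *
 * Every use of an argument is parenthesised.  The previous expansion used
 * "x >> 5" and "x & 0x1f" on the bare argument, so an expression argument
 * such as "base + i" bound as "base + (i >> 5)" and indexed the wrong word.
 * 1U keeps the shift unsigned for bit 31 (no signed overflow).
 */
#define security_xperm_set(perms, x) \
        ((perms)[(x) >> 5] |= 1U << ((x) & 0x1f))
#define security_xperm_test(perms, x) \
        (1 & ((perms)[(x) >> 5] >> ((x) & 0x1f)))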
/* 8 x 32 = 256-bit bitmap, addressed by security_xperm_set()/_test(). */
struct extended_perms_data {
        u32 p[8];
};
 254
/*
 * Result of security_compute_xperms_decision().  The three bitmaps are
 * pointers, so the caller owns the backing storage.
 */
struct extended_perms_decision {
        u8 used;        /* presumably an OR of XPERMS_* saying which of the
                           three bitmaps below are populated -- confirm */
        u8 driver;      /* driver value the decision was computed for
                           (same type as the @driver query argument) */
        struct extended_perms_data *allowed;
        struct extended_perms_data *auditallow;
        struct extended_perms_data *dontaudit;
};
 262
/* Summary of extended permissions returned by security_compute_av(). */
struct extended_perms {
        u16 len;        /* length of the associated decision chain */
        struct extended_perms_data drivers; /* flag drivers that are used */
};
 267
/* definitions of av_decision.flags */
#define AVD_FLAGS_PERMISSIVE    0x0001  /* decision was made in permissive mode;
                                           denials are reported, not enforced
                                           (inferred from the name -- confirm) */
 270
/*
 * Access-vector and SID computation interface.
 * By the naming convention used throughout: @ssid is the source SID,
 * @tsid the target SID, @tclass the object class.  Functions taking
 * @out_sid write the resulting SID through it (presumably only on
 * success -- confirm against the definitions).
 */
void security_compute_av(struct selinux_state *state,
                         u32 ssid, u32 tsid,
                         u16 tclass, struct av_decision *avd,
                         struct extended_perms *xperms);

void security_compute_xperms_decision(struct selinux_state *state,
                                      u32 ssid, u32 tsid, u16 tclass,
                                      u8 driver,
                                      struct extended_perms_decision *xpermd);

/* "_user" variants: presumably the userspace-facing (selinuxfs) flavour -- confirm. */
void security_compute_av_user(struct selinux_state *state,
                              u32 ssid, u32 tsid,
                              u16 tclass, struct av_decision *avd);

int security_transition_sid(struct selinux_state *state,
                            u32 ssid, u32 tsid, u16 tclass,
                            const struct qstr *qstr, u32 *out_sid);

/* Takes a plain NUL-terminated @objname instead of a struct qstr. */
int security_transition_sid_user(struct selinux_state *state,
                                 u32 ssid, u32 tsid, u16 tclass,
                                 const char *objname, u32 *out_sid);

int security_member_sid(struct selinux_state *state, u32 ssid, u32 tsid,
                        u16 tclass, u32 *out_sid);

int security_change_sid(struct selinux_state *state, u32 ssid, u32 tsid,
                        u16 tclass, u32 *out_sid);
 298
/*
 * SID <-> security context string conversions.
 * The sid_to_context family returns the string through @scontext (a
 * char **) with its length in @scontext_len; the double pointer suggests
 * the callee allocates and the caller frees -- confirm ownership against
 * the definitions.  The context_to_sid family takes a caller-supplied
 * buffer of @scontext_len bytes; the @gfp argument is the allocation
 * flags to use for any allocation the callee performs.
 */
int security_sid_to_context(struct selinux_state *state, u32 sid,
                            char **scontext, u32 *scontext_len);

int security_sid_to_context_force(struct selinux_state *state,
                                  u32 sid, char **scontext, u32 *scontext_len);

int security_sid_to_context_inval(struct selinux_state *state,
                                  u32 sid, char **scontext, u32 *scontext_len);

int security_context_to_sid(struct selinux_state *state,
                            const char *scontext, u32 scontext_len,
                            u32 *out_sid, gfp_t gfp);

/* NUL-terminated variant: no explicit length argument. */
int security_context_str_to_sid(struct selinux_state *state,
                                const char *scontext, u32 *out_sid, gfp_t gfp);

/* @def_sid: SID to fall back to (inferred from the name -- confirm when). */
int security_context_to_sid_default(struct selinux_state *state,
                                    const char *scontext, u32 scontext_len,
                                    u32 *out_sid, u32 def_sid, gfp_t gfp_flags);

/*
 * No gfp argument, and the output is named @sid rather than @out_sid as
 * in its siblings; purely cosmetic, but worth aligning.
 */
int security_context_to_sid_force(struct selinux_state *state,
                                  const char *scontext, u32 scontext_len,
                                  u32 *sid);

/*
 * @sids / @nel are outputs (array of SIDs and its element count).
 * @username is not const-qualified, unlike the other string inputs here.
 */
int security_get_user_sids(struct selinux_state *state,
                           u32 callsid, char *username,
                           u32 **sids, u32 *nel);
 326
/*
 * Network object labeling: each returns the SID of the named object
 * through its final pointer argument.
 */
int security_port_sid(struct selinux_state *state,
                      u8 protocol, u16 port, u32 *out_sid);

int security_ib_pkey_sid(struct selinux_state *state,
                         u64 subnet_prefix, u16 pkey_num, u32 *out_sid);

int security_ib_endport_sid(struct selinux_state *state,
                            const char *dev_name, u8 port_num, u32 *out_sid);

/* @name is not const, unlike @dev_name above; the output is named @if_sid. */
int security_netif_sid(struct selinux_state *state,
                       char *name, u32 *if_sid);

/* @addr is a raw address buffer of @addrlen bytes; @domain selects its family. */
int security_node_sid(struct selinux_state *state,
                      u16 domain, void *addr, u32 addrlen,
                      u32 *out_sid);

/*
 * Transition validity checks: @oldsid -> @newsid on an object of
 * @tclass, requested by @tasksid.
 */
int security_validate_transition(struct selinux_state *state,
                                 u32 oldsid, u32 newsid, u32 tasksid,
                                 u16 tclass);

int security_validate_transition_user(struct selinux_state *state,
                                      u32 oldsid, u32 newsid, u32 tasksid,
                                      u16 tclass);

/* Bounded-transition check (see POLICYDB_VERSION_BOUNDARY / POLICYDB_BOUNDS_MAXDEPTH). */
int security_bounded_transition(struct selinux_state *state,
                                u32 oldsid, u32 newsid);

/* Result is written to @new_sid. */
int security_sid_mls_copy(struct selinux_state *state,
                          u32 sid, u32 mls_sid, u32 *new_sid);

/* Resolves a NetLabel SID/type and an XFRM SID to a single @peer_sid. */
int security_net_peersid_resolve(struct selinux_state *state,
                                 u32 nlbl_sid, u32 nlbl_type,
                                 u32 xfrm_sid,
                                 u32 *peer_sid);

/*
 * Policy introspection.  These take a struct selinux_policy rather than
 * the state, and return string arrays through a char *** with an int count
 * (not u32 as elsewhere in this header).  Note the parameter named "class"
 * in security_get_permissions(): legal in C, but it would clash with a C++
 * keyword if this header were ever included from C++.
 */
int security_get_classes(struct selinux_policy *policy,
                         char ***classes, int *nclasses);
int security_get_permissions(struct selinux_policy *policy,
                             char *class, char ***perms, int *nperms);
int security_get_reject_unknown(struct selinux_state *state);
int security_get_allow_unknown(struct selinux_state *state);
 368
/*
 * Filesystem labeling behaviours.  SECURITY_FS_USE_MAX intentionally
 * equals the highest entry (currently NATIVE, 7): bump it when adding one.
 */
#define SECURITY_FS_USE_XATTR           1 /* use xattr */
#define SECURITY_FS_USE_TRANS           2 /* use transition SIDs, e.g. devpts/tmpfs */
#define SECURITY_FS_USE_TASK            3 /* use task SIDs, e.g. pipefs/sockfs */
#define SECURITY_FS_USE_GENFS           4 /* use the genfs support */
#define SECURITY_FS_USE_NONE            5 /* no labeling support */
#define SECURITY_FS_USE_MNTPOINT        6 /* use mountpoint labeling */
#define SECURITY_FS_USE_NATIVE          7 /* use native label support */
#define SECURITY_FS_USE_MAX             7 /* Highest SECURITY_FS_USE_XXX */

int security_fs_use(struct selinux_state *state, struct super_block *sb);

/*
 * genfs lookup for @name (not const) on filesystem type @fstype with class
 * @sclass; result in @sid.  The second form operates on an explicit policy
 * instead of the state.
 */
int security_genfs_sid(struct selinux_state *state,
                       const char *fstype, char *name, u16 sclass,
                       u32 *sid);

int selinux_policy_genfs_sid(struct selinux_policy *policy,
                       const char *fstype, char *name, u16 sclass,
                       u32 *sid);
 387
 388#ifdef CONFIG_NETLABEL
/* NetLabel <-> SID mapping; real implementations only with CONFIG_NETLABEL. */
int security_netlbl_secattr_to_sid(struct selinux_state *state,
                                   struct netlbl_lsm_secattr *secattr,
                                   u32 *sid);

int security_netlbl_sid_to_secattr(struct selinux_state *state,
                                   u32 sid,
                                   struct netlbl_lsm_secattr *secattr);
 396#else
/*
 * security_netlbl_secattr_to_sid - stub for kernels without CONFIG_NETLABEL
 *
 * Never touches its arguments and never writes @sid.  Returns -EIDRM,
 * whereas the sibling stub below returns -ENOENT; callers should not
 * rely on one specific error code from these stubs.
 */
static inline int security_netlbl_secattr_to_sid(struct selinux_state *state,
                                            struct netlbl_lsm_secattr *secattr,
                                            u32 *sid)
{
        const int rc = -EIDRM;

        (void)state;
        (void)secattr;
        (void)sid;
        return rc;
}
 403
/*
 * security_netlbl_sid_to_secattr - stub for kernels without CONFIG_NETLABEL
 *
 * Never touches its arguments and never fills @secattr.  Returns -ENOENT
 * (the sibling stub above returns -EIDRM).
 */
static inline int security_netlbl_sid_to_secattr(struct selinux_state *state,
                                         u32 sid,
                                         struct netlbl_lsm_secattr *secattr)
{
        const int rc = -ENOENT;

        (void)state;
        (void)sid;
        (void)secattr;
        return rc;
}
 410#endif /* CONFIG_NETLABEL */
 411
/* Returns a const string: the caller must not modify or free it. */
const char *security_get_initial_sid_context(u32 sid);

/*
 * status notifier using mmap interface
 * Returns the page backing selinux_state.status_page (see struct
 * selinux_kernel_status below for its layout).
 */
extern struct page *selinux_kernel_status_page(struct selinux_state *state);
 418
#define SELINUX_KERNEL_STATUS_VERSION   1
/*
 * Layout of the status page shared with userspace through mmap.  It is
 * __packed and carries a version field, so this is an ABI: new members may
 * only be appended, never reordered, and must bump the version.
 */
struct selinux_kernel_status {
        u32     version;        /* version number of this structure */
        u32     sequence;       /* sequence number of seqlock logic */
        u32     enforcing;      /* current setting of enforcing mode */
        u32     policyload;     /* times of policy reloaded */
        u32     deny_unknown;   /* current setting of deny_unknown */
        /*
         * Every version > 0 of this structure carries the members above.
         */
} __packed;
 430
/* Status-page updaters, matching the enforcing/policyload fields above. */
extern void selinux_status_update_setenforce(struct selinux_state *state,
                                             int enforcing);
extern void selinux_status_update_policyload(struct selinux_state *state,
                                             int seqno);
extern void selinux_complete_init(void);
/* Only meaningful with CONFIG_SECURITY_SELINUX_DISABLE (see selinux_disabled()). */
extern int selinux_disable(struct selinux_state *state);
extern void exit_sel_fs(void);
extern struct path selinux_null;
extern struct vfsmount *selinuxfs_mount;
/* Netlink notifications; presumably mirror the status-page updates above. */
extern void selnl_notify_setenforce(int val);
extern void selnl_notify_policyload(u32 seqno);
/* Maps a netlink message type within @sclass to the permission in *@perm. */
extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);

/* One-time slab cache setup for the security server's data structures. */
extern void avtab_cache_init(void);
extern void ebitmap_cache_init(void);
extern void hashtab_cache_init(void);
/* Writes a textual report into @page (caller-provided buffer, size not passed). */
extern int security_sidtab_hash_stats(struct selinux_state *state, char *page);
 448
 449#endif /* _SELINUX_SECURITY_H_ */
 450