linux/security/selinux/ss/avtab.h
   1/* SPDX-License-Identifier: GPL-2.0-only */
   2/*
   3 * An access vector table (avtab) is a hash table
   4 * of access vectors and transition types indexed
   5 * by a type pair and a class.  An access vector
   6 * table is used to represent the type enforcement
   7 * tables.
   8 *
   9 *  Author : Stephen Smalley, <sds@tycho.nsa.gov>
  10 */
  11
  12/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
  13 *
  14 *      Added conditional policy language extensions
  15 *
  16 * Copyright (C) 2003 Tresys Technology, LLC
  17 *
  18 * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
  19 *      Tuned number of hash slots for avtab to reduce memory usage
  20 */
  21#ifndef _SS_AVTAB_H_
  22#define _SS_AVTAB_H_
  23
  24#include "security.h"
  25
/*
 * Key of an avtab entry: a (source type, target type, target class) triple
 * plus the AVTAB_* flags in @specified, which say what kind of rule the
 * entry holds and therefore which member of the datum union is live.
 * The masks below are OR-ed into @specified; they are grouped by the
 * kind of datum they select.
 */
struct avtab_key {
	u16 source_type;	/* source type */
	u16 target_type;	/* target type */
	u16 target_class;	/* target object class */
/* access vector rules: the datum holds an access vector (u32) */
#define AVTAB_ALLOWED		0x0001
#define AVTAB_AUDITALLOW	0x0002
#define AVTAB_AUDITDENY		0x0004
#define AVTAB_AV		(AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY)
/* type rules: the datum holds a type value (u32) */
#define AVTAB_TRANSITION	0x0010
#define AVTAB_MEMBER		0x0020
#define AVTAB_CHANGE		0x0040
#define AVTAB_TYPE		(AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
/* extended permissions: the datum holds a pointer to avtab_extended_perms */
#define AVTAB_XPERMS_ALLOWED	0x0100
#define AVTAB_XPERMS_AUDITALLOW	0x0200
#define AVTAB_XPERMS_DONTAUDIT	0x0400
#define AVTAB_XPERMS		(AVTAB_XPERMS_ALLOWED | \
				AVTAB_XPERMS_AUDITALLOW | \
				AVTAB_XPERMS_DONTAUDIT)
/*
 * Reserved for use in cond_avtab.  AVTAB_ENABLED_OLD does not fit in the
 * u16 @specified field; presumably it is the bit position used by the
 * older 32-bit on-disk encoding and is only handled by the policy reader
 * (confirm in avtab.c).  AVTAB_ENABLED is the in-memory form.
 */
#define AVTAB_ENABLED_OLD   0x80000000
#define AVTAB_ENABLED		0x8000
	u16 specified;	/* which AVTAB_* rule kinds this key describes */
};
  49
/*
 * For operations that require more than the 32 permissions provided by the
 * AVC, extended permissions may be used to provide 256 bits of permissions.
 */
struct avtab_extended_perms {
/*
 * Values for @specified.  These are not flags: @specified holds exactly
 * one of them, so all 256 values of the u8 may be used as distinct kinds.
 */
#define AVTAB_XPERMS_IOCTLFUNCTION	0x01
#define AVTAB_XPERMS_IOCTLDRIVER	0x02
	/* extension of the avtab_key specified */
	u8 specified; /* ioctl, netfilter, ... */
	/*
	 * If 256 bits is not adequate, as is often the case with ioctls, then
	 * multiple extended perms may be used and the driver field
	 * specifies which range of permissions this entry covers.
	 */
	u8 driver;
	/*
	 * 256 bits of permissions.  Embedded by value, so the complete
	 * definition of struct extended_perms_data must be visible through
	 * the security.h include above.
	 */
	struct extended_perms_data perms;
};
  69
/*
 * Payload of an avtab entry.  Nothing in this struct records which member
 * of @u is live; that is decided by the AVTAB_* flags in the owning
 * avtab_key's @specified (AVTAB_XPERMS rules carry @xperms, all other rule
 * kinds carry @data).  Callers must check the key before reading the
 * union, since interpreting @data as @xperms (or the reverse) is a type
 * confusion on kernel memory.
 */
struct avtab_datum {
	union {
		u32 data; /* access vector or type value */
		/*
		 * Extended permissions for AVTAB_XPERMS rules.
		 * NOTE(review): presumably owned by the enclosing node and
		 * released by avtab_destroy -- confirm in avtab.c.
		 */
		struct avtab_extended_perms *xperms;
	} u;
};
  76
/*
 * One entry of the table: the key, its datum and the link to the next
 * entry in the same hash chain (collisions are resolved by chaining).
 */
struct avtab_node {
	struct avtab_key key;
	struct avtab_datum datum;
	struct avtab_node *next;	/* next node in this hash chain, NULL at end */
};
  82
/*
 * The access vector table: @htable is an array of @nslot chain heads and
 * @mask is applied to a key's hash to pick a chain.  Using a mask rather
 * than a modulus means @nslot is presumably always a power of two
 * (bounded by MAX_AVTAB_HASH_BUCKETS below); confirm in avtab_alloc.
 */
struct avtab {
	struct avtab_node **htable;	/* @nslot chain heads, NULL until allocated */
	u32 nel;	/* number of elements */
	u32 nslot;	/* number of hash slots */
	u32 mask;	/* mask to compute hash func */
};
  89
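/* Reset @h to an empty, unallocated table; no memory is allocated here. */
void avtab_init(struct avtab *h);
/*
 * Allocate the hash table of @h, sized for roughly @nrules entries.
 * Returns 0 on success, otherwise a negative errno (kernel convention;
 * confirm the exact codes in avtab.c).
 */
int avtab_alloc(struct avtab *h, u32 nrules);
/* Allocate @new with the same number of slots as @orig (no entries are copied). */
int avtab_alloc_dup(struct avtab *new, const struct avtab *orig);
/*
 * Look up the datum stored under @k in @h; NULL when there is no entry.
 * The returned pointer aliases table memory and must not outlive the table.
 */
struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *k);
/* Free every node of @h and its chain array, then leave @h empty. */
void avtab_destroy(struct avtab *h);
/* Report chain-length statistics for @h, labelled with @tag (debug aid). */
void avtab_hash_eval(struct avtab *h, char *tag);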
  96
struct policydb;
/*
 * Decode one entry from the policy image @fp and hand the resulting key
 * and datum to @insert together with the opaque cookie @p.  @fp is
 * externally supplied policy data, so the decoded key (specified bits,
 * type and class values) is expected to be validated against @pol before
 * @insert is called -- confirm the checks in avtab.c.  Returns 0 on
 * success or a negative error code.
 */
int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
		    int (*insert)(struct avtab *a, struct avtab_key *k,
				  struct avtab_datum *d, void *p),
		    void *p);

/* Read a whole table from @fp into @a (allocating it), validating against @pol. */
int avtab_read(struct avtab *a, void *fp, struct policydb *pol);
/* Serialise the single node @cur of policy @p to @fp. */
int avtab_write_item(struct policydb *p, struct avtab_node *cur, void *fp);
/* Serialise every entry of @a (belonging to policy @p) to @fp. */
int avtab_write(struct policydb *p, struct avtab *a, void *fp);

/*
 * Insert a node for @key/@datum into @h without rejecting duplicate keys.
 * Returns the new node, or NULL on allocation failure.
 */
struct avtab_node *avtab_insert_nonunique(struct avtab *h, struct avtab_key *key,
					  struct avtab_datum *datum);

/* Like avtab_search() but returns the node itself; NULL when absent. */
struct avtab_node *avtab_search_node(struct avtab *h, struct avtab_key *key);

/*
 * Continue a search after @node: presumably returns the next node in the
 * chain carrying the same key and a @specified kind matching @specified,
 * or NULL -- confirm the exact matching rule in avtab.c.
 */
struct avtab_node *avtab_search_node_next(struct avtab_node *node, int specified);
 113
/*
 * Upper bound on the size of the chain array.  Presumably avtab_alloc caps
 * @nslot at MAX_AVTAB_HASH_BUCKETS so that a policy image cannot request an
 * arbitrarily large table; confirm in avtab.c.
 */
#define MAX_AVTAB_HASH_BITS 16
#define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS)
 116
 117#endif  /* _SS_AVTAB_H_ */
 118
 119