22#ifndef _SS_POLICYDB_H_
23#define _SS_POLICYDB_H_
24
25#include "symtab.h"
26#include "avtab.h"
27#include "sidtab.h"
28#include "ebitmap.h"
29#include "mls_types.h"
30#include "context.h"
31#include "constraint.h"
/* Permission attributes: one entry per named permission of a class or common. */
struct perm_datum {
	u32 value;	/* numeric value of the permission (presumably a 1-based bit index — confirm against avtab.h) */
};
/* A "common" permission set that classes may inherit via class_datum.comkey. */
struct common_datum {
	u32 value;			/* internal common number */
	struct symtab permissions;	/* the common permissions, keyed by name */
};
/* Class attributes. */
struct class_datum {
	u32 value;				/* class number */
	char *comkey;				/* name of the common this class inherits, if any */
	struct common_datum *comdatum;		/* resolved datum for comkey (NULL when there is none — confirm) */
	struct symtab permissions;		/* class-specific permissions, keyed by name */
	struct constraint_node *constraints;	/* constraints on class permissions */
	struct constraint_node *validatetrans;	/* validatetrans rules for this class */

	/* Which side of a transition supplies the default user/role/type. */
#define DEFAULT_SOURCE 1
#define DEFAULT_TARGET 2
	char default_user;	/* DEFAULT_SOURCE or DEFAULT_TARGET; 0 presumably means no default */
	char default_role;
	char default_type;

	/* Which side, and which end of its range, supplies the default MLS range. */
#define DEFAULT_SOURCE_LOW 1
#define DEFAULT_SOURCE_HIGH 2
#define DEFAULT_SOURCE_LOW_HIGH 3
#define DEFAULT_TARGET_LOW 4
#define DEFAULT_TARGET_HIGH 5
#define DEFAULT_TARGET_LOW_HIGH 6
	char default_range;	/* one of the DEFAULT_*_LOW/HIGH values above; 0 presumably means no default */
};
/* Role attributes. */
struct role_datum {
	u32 value;			/* internal role number */
	u32 bounds;			/* value of the bounding role, 0 presumably meaning unbounded — confirm */
	struct ebitmap dominates;	/* set of roles this role dominates */
	struct ebitmap types;		/* set of types authorized for this role */
};
/* A role transition rule, kept as a singly linked list (policydb.role_tr). */
struct role_trans {
	u32 role;		/* current role */
	u32 type;		/* type of the object being accessed (from the rule) */
	u32 tclass;		/* class of the object being accessed */
	u32 new_role;		/* role to transition to */
	struct role_trans *next;
};
/* Key of a name-based type transition (hashed into policydb.filename_trans). */
struct filename_trans {
	u32 stype;		/* source type */
	u32 ttype;		/* target (parent) type */
	u16 tclass;		/* class of the new object */
	const char *name;	/* last path component being created; ownership not visible here */
};
/* Value stored for a filename_trans key. */
struct filename_trans_datum {
	u32 otype;	/* resulting type of the new object */
};
/* A role allow rule, kept as a singly linked list (policydb.role_allow). */
struct role_allow {
	u32 role;		/* current role */
	u32 new_role;		/* role that may be transitioned to */
	struct role_allow *next;
};
/* Type attributes. */
struct type_datum {
	u32 value;		/* internal type value */
	u32 bounds;		/* value of the bounding type, 0 presumably meaning unbounded — confirm */
	unsigned char primary;	/* non-zero when this is the primary name rather than an alias (assumed from the name) */
	unsigned char attribute;/* non-zero when this entry is an attribute rather than a type (assumed from the name) */
};
/* User attributes. */
struct user_datum {
	u32 value;			/* internal user value */
	u32 bounds;			/* value of the bounding user, 0 presumably meaning unbounded — confirm */
	struct ebitmap roles;		/* set of roles authorized for this user */
	struct mls_range range;		/* MLS range the user may operate in */
	struct mls_level dfltlevel;	/* default MLS level for the user */
};
/* Sensitivity level. */
struct level_datum {
	struct mls_level *level;	/* sensitivity and its associated categories; owner not visible here */
	unsigned char isalias;		/* non-zero when this name is an alias for another sensitivity */
};
/* Category. */
struct cat_datum {
	u32 value;		/* internal category number */
	unsigned char isalias;	/* non-zero when this name is an alias for another category */
};
/* Key of an MLS range transition (hashed into policydb.range_tr). */
struct range_trans {
	u32 source_type;
	u32 target_type;
	u32 target_class;
};
/* Conditional boolean. */
struct cond_bool_datum {
	__u32 value;	/* internal boolean value; NOTE(review): __u32 here vs u32 in the sibling structs — same width, but inconsistent */
	int state;	/* current state of the boolean (presumably 1 = true, 0 = false — confirm) */
};
150struct cond_node;
/*
 * A set of types expressed as an include set plus a negated set and flags;
 * how flags is interpreted is not visible in this header.
 */
struct type_set {
	struct ebitmap types;	/* types included in the set */
	struct ebitmap negset;	/* types explicitly excluded from the set */
	u32 flags;		/* modifier flags (values defined elsewhere) */
};
/*
 * Security context of an object that is not a process.  Which member of
 * the u union is live depends on the kind of object; the member names
 * mirror the OCON_* indices (defined below) used for policydb.ocontexts[],
 * and name presumably serves the remaining kinds (initial SID, fs, netif,
 * fs_use) — confirm against the loader.
 */
struct ocontext {
	union {
		char *name;		/* name of the object (initial SID, fs, netif, fstype or path — presumably) */
		struct {
			u8 protocol;
			u16 low_port;
			u16 high_port;
		} port;			/* port range for a protocol (assumed inclusive — confirm) */
		struct {
			u32 addr;
			u32 mask;
		} node;			/* IPv4 address and netmask */
		struct {
			u32 addr[4];
			u32 mask[4];
		} node6;		/* IPv6 address and netmask as 4 x 32-bit words */
		struct {
			u64 subnet_prefix;
			u16 low_pkey;
			u16 high_pkey;
		} ibpkey;		/* pkey range under a subnet prefix (ib* presumably InfiniBand) */
		struct {
			char *dev_name;
			u8 port;
		} ibendport;		/* device name plus port number */
	} u;
	union {
		u32 sclass;		/* security class of the object (presumably used by genfs entries) */
		u32 behavior;		/* labeling behavior (presumably used by fs_use entries) */
	} v;
	struct context context[2];	/* up to two security contexts; which kinds use the second is not visible here */
	u32 sid[2];			/* SIDs for context[], presumably assigned by policydb_load_isids() */
	struct ocontext *next;		/* next entry in the same list */
};
/* Per-filesystem-type list of path contexts (policydb.genfs). */
struct genfs {
	char *fstype;		/* filesystem type name this entry applies to */
	struct ocontext *head;	/* head of the ocontext list for this fstype */
	struct genfs *next;	/* next filesystem type */
};
/* Indices into policydb.symtab[] and policydb.sym_val_to_name[]; SYM_NUM is the array length. */
#define SYM_COMMONS 0
#define SYM_CLASSES 1
#define SYM_ROLES 2
#define SYM_TYPES 3
#define SYM_USERS 4
#define SYM_BOOLS 5
#define SYM_LEVELS 6
#define SYM_CATS 7
#define SYM_NUM 8

/* Indices into policydb.ocontexts[]; OCON_NUM is the array length. */
#define OCON_ISID 0
#define OCON_FS 1
#define OCON_PORT 2
#define OCON_NETIF 3
#define OCON_NODE 4
#define OCON_FSUSE 5
#define OCON_NODE6 6
#define OCON_IBPKEY 7
#define OCON_IBENDPORT 8
#define OCON_NUM 9
/* The policy database. */
struct policydb {
	int mls_enabled;	/* non-zero when the policy carries MLS data (see POLICYDB_CONFIG_MLS below) */

	/* Symbol tables, indexed by the SYM_* constants above. */
	struct symtab symtab[SYM_NUM];
#define p_commons symtab[SYM_COMMONS]
#define p_classes symtab[SYM_CLASSES]
#define p_roles symtab[SYM_ROLES]
#define p_types symtab[SYM_TYPES]
#define p_users symtab[SYM_USERS]
#define p_bools symtab[SYM_BOOLS]
#define p_levels symtab[SYM_LEVELS]
#define p_cats symtab[SYM_CATS]

	/* Per-table arrays mapping a symbol's value to its name; read by sym_name() below. */
	char **sym_val_to_name[SYM_NUM];

	/* Arrays mapping a value to its datum for classes, roles, users and types. */
	struct class_datum **class_val_to_struct;
	struct role_datum **role_val_to_struct;
	struct user_datum **user_val_to_struct;
	struct type_datum **type_val_to_struct_array;

	/* Type-enforcement access vector table. */
	struct avtab te_avtab;

	/* Role transition rules (singly linked list). */
	struct role_trans *role_tr;

	/* Name-based type transitions: the set of target types that have any
	 * (inferred from the name — confirm), plus the filename_trans ->
	 * filename_trans_datum hash table. */
	struct ebitmap filename_trans_ttypes;

	struct hashtab *filename_trans;

	/* Conditional policy: booleans by value, the conditional AV table and the condition list. */
	struct cond_bool_datum **bool_val_to_struct;

	struct avtab te_cond_avtab;

	struct cond_node *cond_list;

	/* Role allow rules (singly linked list). */
	struct role_allow *role_allow;

	/* Contexts for non-process objects, one list per OCON_* kind. */
	struct ocontext *ocontexts[OCON_NUM];

	/* Path-based contexts per filesystem type. */
	struct genfs *genfs;

	/* MLS range transitions, keyed by struct range_trans. */
	struct hashtab *range_tr;

	/* Presumably one ebitmap per type giving its attributes — confirm with the loader. */
	struct ebitmap *type_attr_map_array;

	struct ebitmap policycaps;	/* policy capabilities enabled by this policy */

	struct ebitmap permissive_map;	/* types marked permissive */

	/* Length in bytes of the policy image (presumably as loaded). */
	size_t len;

	unsigned int policyvers;	/* policy format version */

	/* Handling of classes/permissions the policy does not define; see
	 * REJECT_UNKNOWN / ALLOW_UNKNOWN below for the on-disk flag values. */
	unsigned int reject_unknown : 1;
	unsigned int allow_unknown : 1;

	u16 process_class;		/* class value of the process class */
	u32 process_trans_perms;	/* permission bits involved in process transitions (assumed from the name) */
};
/*
 * Out-of-line policydb operations.  The int-returning functions follow the
 * kernel convention of 0 on success and a negative errno on failure (see
 * next_entry() below for the same pattern).
 */
extern void policydb_destroy(struct policydb *p);			/* release everything p owns */
extern int policydb_load_isids(struct policydb *p, struct sidtab *s);	/* populate s with the initial SIDs */
extern int policydb_context_isvalid(struct policydb *p, struct context *c);
extern int policydb_class_isvalid(struct policydb *p, unsigned int class);
extern int policydb_type_isvalid(struct policydb *p, unsigned int type);
extern int policydb_role_isvalid(struct policydb *p, unsigned int role);
extern int policydb_read(struct policydb *p, void *fp);		/* fp is a struct policy_file * (see below) */
extern int policydb_write(struct policydb *p, void *fp);		/* fp is a struct policy_file * (see below) */
/* Initial size of a permissions symtab. */
#define PERM_SYMTAB_SIZE 32

/* Policy image config flags (presumably bits of one config word — confirm in the reader). */
#define POLICYDB_CONFIG_MLS 1

/* Unknown class/permission handling flags; mirrored into policydb.reject_unknown / allow_unknown. */
#define REJECT_UNKNOWN 0x00000002
#define ALLOW_UNKNOWN 0x00000004

/* The fixed role every object carries, and its value. */
#define OBJECT_R "object_r"
#define OBJECT_R_VAL 1

/* Policy image header: magic (SELINUX_MAGIC is defined elsewhere) and identification string. */
#define POLICYDB_MAGIC SELINUX_MAGIC
#define POLICYDB_STRING "SE Linux"
/*
 * Cursor over an in-memory policy image: data points at the next byte to
 * read or write and len is how many bytes remain.  Both are advanced by
 * next_entry() / put_entry() below.
 */
struct policy_file {
	char *data;
	size_t len;
};
/* Pair of a policydb and its policy_file cursor, passed through opaque callbacks. */
struct policy_data {
	struct policydb *p;
	void *fp;	/* struct policy_file * (type-erased as in policydb_read/write) */
};
/*
 * Copy the next @bytes bytes of the policy image into @buf and advance the
 * cursor.  Returns 0 on success or -EINVAL if fewer than @bytes bytes remain,
 * in which case nothing is copied and @fp is untouched.
 */
static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes)
{
	/* guard the read against the remaining length before touching memory */
	if (fp->len < bytes)
		return -EINVAL;

	const char *src = fp->data;

	memcpy(buf, src, bytes);
	fp->data = fp->data + bytes;
	fp->len = fp->len - bytes;
	return 0;
}
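/*
 * Append @num items of @bytes bytes each from @buf to the policy image and
 * advance the cursor.  Returns 0 on success, -EINVAL if @num is negative,
 * if @bytes * @num overflows size_t, or if the write would run past the
 * @fp->len bytes remaining (the original wrote unconditionally; this mirrors
 * the check next_entry() performs on the read side).
 */
static inline int put_entry(const void *buf, size_t bytes, int num, struct policy_file *fp)
{
	size_t count;
	size_t len;

	/* a negative count would convert to a huge size_t below */
	if (num < 0)
		return -EINVAL;
	count = (size_t)num;

	len = bytes * count;
	/* detect wrap-around of the multiplication without needing SIZE_MAX */
	if (bytes != 0 && len / bytes != count)
		return -EINVAL;

	/* never write beyond the buffer the caller sized for us */
	if (len > fp->len)
		return -EINVAL;

	memcpy(fp->data, buf, len);
	fp->data += len;
	fp->len -= len;

	return 0;
}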
/*
 * Look up the name of symbol @element_nr in table @sym_num (a SYM_* index).
 * No bounds checking is done: @sym_num must be below SYM_NUM and
 * @element_nr within the corresponding sym_val_to_name[] array.
 */
static inline char *sym_name(struct policydb *p, unsigned int sym_num, unsigned int element_nr)
{
	char **names = p->sym_val_to_name[sym_num];

	return names[element_nr];
}
/* Name -> value lookups; the value returned for an unknown name is not visible here (presumably 0 — confirm). */
extern u16 string_to_security_class(struct policydb *p, const char *name);
extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name);
374#endif