1
2
3
4
5
6
7#ifndef _SELINUX_AVC_H_
8#define _SELINUX_AVC_H_
9
10#include <linux/stddef.h>
11#include <linux/errno.h>
12#include <linux/kernel.h>
13#include <linux/kdev_t.h>
14#include <linux/spinlock.h>
15#include <linux/init.h>
16#include <linux/audit.h>
17#include <linux/lsm_audit.h>
18#include <linux/in6.h>
19#include "flask.h"
20#include "av_permissions.h"
21#include "security.h"
22
23#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
24extern int selinux_enforcing;
25#else
26#define selinux_enforcing 1
27#endif
28
29
30
31
32struct avc_entry;
33
34struct task_struct;
35struct inode;
36struct sock;
37struct sk_buff;
38
39
40
41
42struct avc_cache_stats {
43 unsigned int lookups;
44 unsigned int misses;
45 unsigned int allocations;
46 unsigned int reclaims;
47 unsigned int frees;
48};
49
50
51
52
53struct selinux_audit_data {
54 u32 ssid;
55 u32 tsid;
56 u16 tclass;
57 u32 requested;
58 u32 audited;
59 u32 denied;
60 int result;
61};
62
63
64
65
66
67void __init avc_init(void);
68
69static inline u32 avc_audit_required(u32 requested,
70 struct av_decision *avd,
71 int result,
72 u32 auditdeny,
73 u32 *deniedp)
74{
75 u32 denied, audited;
76 denied = requested & ~avd->allowed;
77 if (unlikely(denied)) {
78 audited = denied & avd->auditdeny;
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95 if (auditdeny && !(auditdeny & avd->auditdeny))
96 audited = 0;
97 } else if (result)
98 audited = denied = requested;
99 else
100 audited = requested & avd->auditallow;
101 *deniedp = denied;
102 return audited;
103}
104
105int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
106 u32 requested, u32 audited, u32 denied, int result,
107 struct common_audit_data *a,
108 unsigned flags);
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130static inline int avc_audit(u32 ssid, u32 tsid,
131 u16 tclass, u32 requested,
132 struct av_decision *avd,
133 int result,
134 struct common_audit_data *a,
135 int flags)
136{
137 u32 audited, denied;
138 audited = avc_audit_required(requested, avd, result, 0, &denied);
139 if (likely(!audited))
140 return 0;
141 return slow_avc_audit(ssid, tsid, tclass,
142 requested, audited, denied, result,
143 a, flags);
144}
145
146#define AVC_STRICT 1
147#define AVC_EXTENDED_PERMS 2
148int avc_has_perm_noaudit(u32 ssid, u32 tsid,
149 u16 tclass, u32 requested,
150 unsigned flags,
151 struct av_decision *avd);
152
153int avc_has_perm(u32 ssid, u32 tsid,
154 u16 tclass, u32 requested,
155 struct common_audit_data *auditdata);
156int avc_has_perm_flags(u32 ssid, u32 tsid,
157 u16 tclass, u32 requested,
158 struct common_audit_data *auditdata,
159 int flags);
160
161int avc_has_extended_perms(u32 ssid, u32 tsid, u16 tclass, u32 requested,
162 u8 driver, u8 perm, struct common_audit_data *ad);
163
164
165u32 avc_policy_seqno(void);
166
167#define AVC_CALLBACK_GRANT 1
168#define AVC_CALLBACK_TRY_REVOKE 2
169#define AVC_CALLBACK_REVOKE 4
170#define AVC_CALLBACK_RESET 8
171#define AVC_CALLBACK_AUDITALLOW_ENABLE 16
172#define AVC_CALLBACK_AUDITALLOW_DISABLE 32
173#define AVC_CALLBACK_AUDITDENY_ENABLE 64
174#define AVC_CALLBACK_AUDITDENY_DISABLE 128
175#define AVC_CALLBACK_ADD_XPERMS 256
176
177int avc_add_callback(int (*callback)(u32 event), u32 events);
178
179
180int avc_get_hash_stats(char *page);
181extern unsigned int avc_cache_threshold;
182
183
184void avc_disable(void);
185
186#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
187DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
188#endif
189
190#endif
191
192