1/*
2 * Access vector cache interface for object managers.
3 *
4 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
5 */
6#ifndef _SELINUX_AVC_H_
7#define _SELINUX_AVC_H_
8
9#include <linux/stddef.h>
10#include <linux/errno.h>
11#include <linux/kernel.h>
12#include <linux/kdev_t.h>
13#include <linux/spinlock.h>
14#include <linux/init.h>
15#include <linux/audit.h>
16#include <linux/lsm_audit.h>
17#include <linux/in6.h>
18#include "flask.h"
19#include "av_permissions.h"
20#include "security.h"
21
22#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
23extern int selinux_enforcing;
24#else
25#define selinux_enforcing 1
26#endif
27
28/*
29 * An entry in the AVC.
30 */
31struct avc_entry;
32
33struct task_struct;
34struct inode;
35struct sock;
36struct sk_buff;
37
38/*
39 * AVC statistics
40 */
41struct avc_cache_stats {
42	unsigned int lookups;
43	unsigned int misses;
44	unsigned int allocations;
45	unsigned int reclaims;
46	unsigned int frees;
47};
48
49/*
50 * We only need this data after we have decided to send an audit message.
51 */
52struct selinux_audit_data {
53	u32 ssid;
54	u32 tsid;
55	u16 tclass;
56	u32 requested;
57	u32 audited;
58	u32 denied;
59	int result;
60};
61
62/*
63 * AVC operations
64 */
65
66void __init avc_init(void);
67
68static inline u32 avc_audit_required(u32 requested,
69			      struct av_decision *avd,
70			      int result,
71			      u32 auditdeny,
72			      u32 *deniedp)
73{
74	u32 denied, audited;
75	denied = requested & ~avd->allowed;
76	if (unlikely(denied)) {
77		audited = denied & avd->auditdeny;
78		/*
79		 * auditdeny is TRICKY!  Setting a bit in
80		 * this field means that ANY denials should NOT be audited if
81		 * the policy contains an explicit dontaudit rule for that
82		 * permission.  Take notice that this is unrelated to the
83		 * actual permissions that were denied.  As an example lets
84		 * assume:
85		 *
86		 * denied == READ
87		 * avd.auditdeny & ACCESS == 0 (not set means explicit rule)
88		 * auditdeny & ACCESS == 1
89		 *
90		 * We will NOT audit the denial even though the denied
91		 * permission was READ and the auditdeny checks were for
92		 * ACCESS
93		 */
94		if (auditdeny && !(auditdeny & avd->auditdeny))
95			audited = 0;
96	} else if (result)
97		audited = denied = requested;
98	else
99		audited = requested & avd->auditallow;
100	*deniedp = denied;
101	return audited;
102}
103
104int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
105		   u32 requested, u32 audited, u32 denied, int result,
106		   struct common_audit_data *a,
107		   unsigned flags);
108
109/**
110 * avc_audit - Audit the granting or denial of permissions.
111 * @ssid: source security identifier
112 * @tsid: target security identifier
113 * @tclass: target security class
114 * @requested: requested permissions
115 * @avd: access vector decisions
116 * @result: result from avc_has_perm_noaudit
117 * @a:  auxiliary audit data
118 * @flags: VFS walk flags
119 *
120 * Audit the granting or denial of permissions in accordance
121 * with the policy.  This function is typically called by
122 * avc_has_perm() after a permission check, but can also be
123 * called directly by callers who use avc_has_perm_noaudit()
124 * in order to separate the permission check from the auditing.
125 * For example, this separation is useful when the permission check must
126 * be performed under a lock, to allow the lock to be released
127 * before calling the auditing code.
128 */
129static inline int avc_audit(u32 ssid, u32 tsid,
130			    u16 tclass, u32 requested,
131			    struct av_decision *avd,
132			    int result,
133			    struct common_audit_data *a)
134{
135	u32 audited, denied;
136	audited = avc_audit_required(requested, avd, result, 0, &denied);
137	if (likely(!audited))
138		return 0;
139	return slow_avc_audit(ssid, tsid, tclass,
140			      requested, audited, denied, result,
141			      a, 0);
142}
143
144#define AVC_STRICT 1 /* Ignore permissive mode. */
145int avc_has_perm_noaudit(u32 ssid, u32 tsid,
146			 u16 tclass, u32 requested,
147			 unsigned flags,
148			 struct av_decision *avd);
149
150int avc_has_perm(u32 ssid, u32 tsid,
151		 u16 tclass, u32 requested,
152		 struct common_audit_data *auditdata);
153
154u32 avc_policy_seqno(void);
155
156#define AVC_CALLBACK_GRANT		1
157#define AVC_CALLBACK_TRY_REVOKE		2
158#define AVC_CALLBACK_REVOKE		4
159#define AVC_CALLBACK_RESET		8
160#define AVC_CALLBACK_AUDITALLOW_ENABLE	16
161#define AVC_CALLBACK_AUDITALLOW_DISABLE	32
162#define AVC_CALLBACK_AUDITDENY_ENABLE	64
163#define AVC_CALLBACK_AUDITDENY_DISABLE	128
164
165int avc_add_callback(int (*callback)(u32 event), u32 events);
166
167/* Exported to selinuxfs */
168int avc_get_hash_stats(char *page);
169extern unsigned int avc_cache_threshold;
170
171/* Attempt to free avc node cache */
172void avc_disable(void);
173
174#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
175DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
176#endif
177
178#endif /* _SELINUX_AVC_H_ */
179
180