[mirror_ubuntu-artful-kernel.git] / include / linux / selinux.h

/*
 * SELinux services exported to the rest of the kernel.
 *
 * Author: James Morris <jmorris@redhat.com>
 *
 * Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com>
 * Copyright (C) 2006 Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
 * Copyright (C) 2006 IBM Corporation, Timothy R. Chavez <tinytim@us.ibm.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2,
 * as published by the Free Software Foundation.
 */
#ifndef _LINUX_SELINUX_H
#define _LINUX_SELINUX_H

struct selinux_audit_rule;
struct audit_context;
struct inode;
struct kern_ipc_perm;

#ifdef CONFIG_SECURITY_SELINUX

/**
 *	selinux_audit_rule_init - alloc/init an selinux audit rule structure.
 *	@field: the field this rule refers to
 *	@op: the operater the rule uses
 *	@rulestr: the text "target" of the rule
 *	@rule: pointer to the new rule structure returned via this
 *
 *	Returns 0 if successful, -errno if not.  On success, the rule structure
 *	will be allocated internally.  The caller must free this structure with
 *	selinux_audit_rule_free() after use.
 */
int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
                            struct selinux_audit_rule **rule);

/**
 *	selinux_audit_rule_free - free an selinux audit rule structure.
 *	@rule: pointer to the audit rule to be freed
 *
 *	This will free all memory associated with the given rule.
 *	If @rule is NULL, no operation is performed.
 */
void selinux_audit_rule_free(struct selinux_audit_rule *rule);

/**
 *	selinux_audit_rule_match - determine if a context ID matches a rule.
 *	@ctxid: the context ID to check
 *	@field: the field this rule refers to
 *	@op: the operater the rule uses
 *	@rule: pointer to the audit rule to check against
 *	@actx: the audit context (can be NULL) associated with the check
 *
 *	Returns 1 if the context id matches the rule, 0 if it does not, and
 *	-errno on failure.
 */
int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
                             struct selinux_audit_rule *rule,
                             struct audit_context *actx);

/**
 *	selinux_audit_set_callback - set the callback for policy reloads.
 *	@callback: the function to call when the policy is reloaded
 *
 *	This sets the function callback function that will update the rules
 *	upon policy reloads.  This callback should rebuild all existing rules
 *	using selinux_audit_rule_init().
 */
void selinux_audit_set_callback(int (*callback)(void));

/**
 *	selinux_task_ctxid - determine a context ID for a process.
 *	@tsk: the task object
 *	@ctxid: ID value returned via this
 *
 *	On return, ctxid will contain an ID for the context.  This value
 *	should only be used opaquely.
 */
void selinux_task_ctxid(struct task_struct *tsk, u32 *ctxid);

/**
 *     selinux_ctxid_to_string - map a security context ID to a string
 *     @ctxid: security context ID to be converted.
 *     @ctx: address of context string to be returned
 *     @ctxlen: length of returned context string.
 *
 *     Returns 0 if successful, -errno if not.  On success, the context
 *     string will be allocated internally, and the caller must call
 *     kfree() on it after use.
 */
int selinux_ctxid_to_string(u32 ctxid, char **ctx, u32 *ctxlen);

/**
 *     selinux_get_inode_sid - get the inode's security context ID
 *     @inode: inode structure to get the sid from.
 *     @sid: pointer to security context ID to be filled in.
 *
 *     Returns nothing
 */
void selinux_get_inode_sid(const struct inode *inode, u32 *sid);

/**
 *     selinux_get_ipc_sid - get the ipc security context ID
 *     @ipcp: ipc structure to get the sid from.
 *     @sid: pointer to security context ID to be filled in.
 *
 *     Returns nothing
 */
void selinux_get_ipc_sid(const struct kern_ipc_perm *ipcp, u32 *sid);

/**
 *     selinux_get_task_sid - return the SID of task
 *     @tsk: the task whose SID will be returned
 *     @sid: pointer to security context ID to be filled in.
 *
 *     Returns nothing
 */
void selinux_get_task_sid(struct task_struct *tsk, u32 *sid);

/**
 *     selinux_string_to_sid - map a security context string to a security ID
 *     @str: the security context string to be mapped
 *     @sid: ID value returned via this.
 *
 *     Returns 0 if successful, with the SID stored in sid.  A value
 *     of zero for sid indicates no SID could be determined (but no error
 *     occurred).
 */
int selinux_string_to_sid(char *str, u32 *sid);

/**
 *     selinux_relabel_packet_permission - check permission to relabel a packet
 *     @sid: ID value to be applied to network packet (via SECMARK, most likely)
 *
 *     Returns 0 if the current task is allowed to label packets with the
 *     supplied security ID.  Note that it is implicit that the packet is always
 *     being relabeled from the default unlabled value, and that the access
 *     control decision is made in the AVC.
 */
int selinux_relabel_packet_permission(u32 sid);

#else

static inline int selinux_audit_rule_init(u32 field, u32 op,
                                          char *rulestr,
                                          struct selinux_audit_rule **rule)
{
	return -ENOTSUPP;
}

static inline void selinux_audit_rule_free(struct selinux_audit_rule *rule)
{
	return;
}

static inline int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
                                           struct selinux_audit_rule *rule,
                                           struct audit_context *actx)
{
	return 0;
}

static inline void selinux_audit_set_callback(int (*callback)(void))
{
	return;
}

static inline void selinux_task_ctxid(struct task_struct *tsk, u32 *ctxid)
{
	*ctxid = 0;
}

static inline int selinux_ctxid_to_string(u32 ctxid, char **ctx, u32 *ctxlen)
{
       *ctx = NULL;
       *ctxlen = 0;
       return 0;
}

static inline void selinux_get_inode_sid(const struct inode *inode, u32 *sid)
{
	*sid = 0;
}

static inline void selinux_get_ipc_sid(const struct kern_ipc_perm *ipcp, u32 *sid)
{
	*sid = 0;
}

static inline void selinux_get_task_sid(struct task_struct *tsk, u32 *sid)
{
	*sid = 0;
}

static inline int selinux_string_to_sid(const char *str, u32 *sid)
{
       *sid = 0;
       return 0;
}

static inline int selinux_relabel_packet_permission(u32 sid)
{
	return 0;
}

#endif	/* CONFIG_SECURITY_SELINUX */

#endif /* _LINUX_SELINUX_H */
Commit	Line	Data
376bd9cb DG	1	/*
	2	* SELinux services exported to the rest of the kernel.
	3	*
	4	* Author: James Morris <jmorris@redhat.com>
	5	*
	6	* Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com>
	7	* Copyright (C) 2006 Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
e7c34970	8	* Copyright (C) 2006 IBM Corporation, Timothy R. Chavez <tinytim@us.ibm.com>
376bd9cb DG	9	*
	10	* This program is free software; you can redistribute it and/or modify
	11	* it under the terms of the GNU General Public License version 2,
	12	* as published by the Free Software Foundation.
	13	*/
	14	#ifndef _LINUX_SELINUX_H
	15	#define _LINUX_SELINUX_H
	16
	17	struct selinux_audit_rule;
	18	struct audit_context;
1b50eed9	19	struct inode;
9c7aa6aa	20	struct kern_ipc_perm;
376bd9cb DG	21
	22	#ifdef CONFIG_SECURITY_SELINUX
	23
	24	/**
	25	* selinux_audit_rule_init - alloc/init an selinux audit rule structure.
	26	* @field: the field this rule refers to
	27	* @op: the operater the rule uses
	28	* @rulestr: the text "target" of the rule
	29	* @rule: pointer to the new rule structure returned via this
	30	*
	31	* Returns 0 if successful, -errno if not. On success, the rule structure
	32	* will be allocated internally. The caller must free this structure with
	33	* selinux_audit_rule_free() after use.
	34	*/
	35	int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
	36	struct selinux_audit_rule **rule);
	37
	38	/**
	39	* selinux_audit_rule_free - free an selinux audit rule structure.
	40	* @rule: pointer to the audit rule to be freed
	41	*
	42	* This will free all memory associated with the given rule.
	43	* If @rule is NULL, no operation is performed.
	44	*/
	45	void selinux_audit_rule_free(struct selinux_audit_rule *rule);
	46
	47	/**
	48	* selinux_audit_rule_match - determine if a context ID matches a rule.
	49	* @ctxid: the context ID to check
	50	* @field: the field this rule refers to
	51	* @op: the operater the rule uses
	52	* @rule: pointer to the audit rule to check against
	53	* @actx: the audit context (can be NULL) associated with the check
	54	*
	55	* Returns 1 if the context id matches the rule, 0 if it does not, and
	56	* -errno on failure.
	57	*/
	58	int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
	59	struct selinux_audit_rule *rule,
	60	struct audit_context *actx);
	61
	62	/**
	63	* selinux_audit_set_callback - set the callback for policy reloads.
	64	* @callback: the function to call when the policy is reloaded
	65	*
	66	* This sets the function callback function that will update the rules
	67	* upon policy reloads. This callback should rebuild all existing rules
	68	* using selinux_audit_rule_init().
	69	*/
	70	void selinux_audit_set_callback(int (*callback)(void));
	71
	72	/**
	73	* selinux_task_ctxid - determine a context ID for a process.
	74	* @tsk: the task object
	75	* @ctxid: ID value returned via this
	76	*
	77	* On return, ctxid will contain an ID for the context. This value
	78	* should only be used opaquely.
	79	*/
	80	void selinux_task_ctxid(struct task_struct tsk, u32 ctxid);
	81
1b50eed9 SG	82	/**
	83	* selinux_ctxid_to_string - map a security context ID to a string
	84	* @ctxid: security context ID to be converted.
	85	* @ctx: address of context string to be returned
	86	* @ctxlen: length of returned context string.
	87	*
	88	* Returns 0 if successful, -errno if not. On success, the context
	89	* string will be allocated internally, and the caller must call
	90	* kfree() on it after use.
	91	*/
	92	int selinux_ctxid_to_string(u32 ctxid, char *ctx, u32 ctxlen);
	93
	94	/**
	95	* selinux_get_inode_sid - get the inode's security context ID
	96	* @inode: inode structure to get the sid from.
	97	* @sid: pointer to security context ID to be filled in.
	98	*
	99	* Returns nothing
	100	*/
	101	void selinux_get_inode_sid(const struct inode inode, u32 sid);
	102
9c7aa6aa SG	103	/**
	104	* selinux_get_ipc_sid - get the ipc security context ID
	105	* @ipcp: ipc structure to get the sid from.
	106	* @sid: pointer to security context ID to be filled in.
	107	*
	108	* Returns nothing
	109	*/
	110	void selinux_get_ipc_sid(const struct kern_ipc_perm ipcp, u32 sid);
	111
e7c34970 SG	112	/**
	113	* selinux_get_task_sid - return the SID of task
	114	* @tsk: the task whose SID will be returned
	115	* @sid: pointer to security context ID to be filled in.
	116	*
	117	* Returns nothing
	118	*/
	119	void selinux_get_task_sid(struct task_struct tsk, u32 sid);
	120
c749b29f JM	121	/**
	122	* selinux_string_to_sid - map a security context string to a security ID
	123	* @str: the security context string to be mapped
	124	* @sid: ID value returned via this.
	125	*
	126	* Returns 0 if successful, with the SID stored in sid. A value
	127	* of zero for sid indicates no SID could be determined (but no error
	128	* occurred).
	129	*/
	130	int selinux_string_to_sid(char str, u32 sid);
	131
	132	/**
	133	* selinux_relabel_packet_permission - check permission to relabel a packet
	134	* @sid: ID value to be applied to network packet (via SECMARK, most likely)
	135	*
	136	* Returns 0 if the current task is allowed to label packets with the
	137	* supplied security ID. Note that it is implicit that the packet is always
	138	* being relabeled from the default unlabled value, and that the access
	139	* control decision is made in the AVC.
	140	*/
	141	int selinux_relabel_packet_permission(u32 sid);
e7c34970	142
376bd9cb DG	143	#else
	144
	145	static inline int selinux_audit_rule_init(u32 field, u32 op,
	146	char *rulestr,
	147	struct selinux_audit_rule **rule)
	148	{
	149	return -ENOTSUPP;
	150	}
	151
	152	static inline void selinux_audit_rule_free(struct selinux_audit_rule *rule)
	153	{
	154	return;
	155	}
	156
	157	static inline int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
	158	struct selinux_audit_rule *rule,
	159	struct audit_context *actx)
	160	{
	161	return 0;
	162	}
	163
	164	static inline void selinux_audit_set_callback(int (*callback)(void))
	165	{
	166	return;
	167	}
	168
	169	static inline void selinux_task_ctxid(struct task_struct tsk, u32 ctxid)
	170	{
	171	*ctxid = 0;
	172	}
	173
1b50eed9 SG	174	static inline int selinux_ctxid_to_string(u32 ctxid, char *ctx, u32 ctxlen)
	175	{
	176	*ctx = NULL;
	177	*ctxlen = 0;
	178	return 0;
	179	}
	180
	181	static inline void selinux_get_inode_sid(const struct inode inode, u32 sid)
	182	{
	183	*sid = 0;
	184	}
	185
9c7aa6aa SG	186	static inline void selinux_get_ipc_sid(const struct kern_ipc_perm ipcp, u32 sid)
	187	{
	188	*sid = 0;
	189	}
	190
e7c34970 SG	191	static inline void selinux_get_task_sid(struct task_struct tsk, u32 sid)
	192	{
	193	*sid = 0;
	194	}
	195
c749b29f JM	196	static inline int selinux_string_to_sid(const char str, u32 sid)
	197	{
	198	*sid = 0;
	199	return 0;
	200	}
	201
	202	static inline int selinux_relabel_packet_permission(u32 sid)
	203	{
	204	return 0;
	205	}
	206
376bd9cb DG	207	#endif /* CONFIG_SECURITY_SELINUX */
	208
	209	#endif /* _LINUX_SELINUX_H */