]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - security/selinux/include/avc.h
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
security: update documentation for security_request_module
[mirror_ubuntu-bionic-kernel.git] / security / selinux / include / avc.h
CommitLineData
1da177e4
LT		 1/*
2 * Access vector cache interface for object managers.
3 *
4 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
5 */
6#ifndef _SELINUX_AVC_H_
7#define _SELINUX_AVC_H_
8
9#include <linux/stddef.h>
10#include <linux/errno.h>
11#include <linux/kernel.h>
12#include <linux/kdev_t.h>
13#include <linux/spinlock.h>
14#include <linux/init.h>
d9250dea 15#include <linux/audit.h>
1da177e4 16#include <linux/in6.h>
44707fdf 17#include <linux/path.h>
1da177e4
LT		 18#include <asm/system.h>
19#include "flask.h"
20#include "av_permissions.h"
21#include "security.h"
22
23#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
24extern int selinux_enforcing;
25#else
26#define selinux_enforcing 1
27#endif
28
29/*
30 * An entry in the AVC.
31 */
32struct avc_entry;
33
34struct task_struct;
1da177e4
LT		 35struct inode;
36struct sock;
37struct sk_buff;
38
be940d62
JM		 39/* Auxiliary data to use in generating the audit record. */
40struct avc_audit_data {
41 char type;
42#define AVC_AUDIT_DATA_FS 1
43#define AVC_AUDIT_DATA_NET 2
44#define AVC_AUDIT_DATA_CAP 3
45#define AVC_AUDIT_DATA_IPC 4
46 struct task_struct *tsk;
47 union {
48 struct {
49 struct path path;
50 struct inode *inode;
51 } fs;
52 struct {
53 int netif;
54 struct sock *sk;
55 u16 family;
56 __be16 dport;
57 __be16 sport;
58 union {
59 struct {
60 __be32 daddr;
61 __be32 saddr;
62 } v4;
63 struct {
64 struct in6_addr daddr;
65 struct in6_addr saddr;
66 } v6;
67 } fam;
68 } net;
69 int cap;
70 int ipc_id;
71 } u;
72};
73
74#define v4info fam.v4
75#define v6info fam.v6
76
77/* Initialize an AVC audit data structure. */
78#define AVC_AUDIT_DATA_INIT(_d,_t) \
79 { memset((_d), 0, sizeof(struct avc_audit_data)); (_d)->type = AVC_AUDIT_DATA_##_t; }
80
1da177e4
LT		 81/*
82 * AVC statistics
83 */
f5269710 84struct avc_cache_stats {
1da177e4
LT		 85 unsigned int lookups;
86 unsigned int hits;
87 unsigned int misses;
88 unsigned int allocations;
89 unsigned int reclaims;
90 unsigned int frees;
91};
92
93/*
94 * AVC operations
95 */
96
97void __init avc_init(void);
98
99void avc_audit(u32 ssid, u32 tsid,
f5269710 100 u16 tclass, u32 requested,
be940d62 101 struct av_decision *avd, int result, struct avc_audit_data *auditdata);
1da177e4 102
2c3c05db 103#define AVC_STRICT 1 /* Ignore permissive mode. */
1da177e4 104int avc_has_perm_noaudit(u32 ssid, u32 tsid,
2c3c05db
SS		 105 u16 tclass, u32 requested,
106 unsigned flags,
107 struct av_decision *avd);
1da177e4
LT		 108
109int avc_has_perm(u32 ssid, u32 tsid,
f5269710 110 u16 tclass, u32 requested,
be940d62 111 struct avc_audit_data *auditdata);
1da177e4 112
788e7dd4
YN		 113u32 avc_policy_seqno(void);
114
1da177e4
LT		 115#define AVC_CALLBACK_GRANT 1
116#define AVC_CALLBACK_TRY_REVOKE 2
117#define AVC_CALLBACK_REVOKE 4
118#define AVC_CALLBACK_RESET 8
119#define AVC_CALLBACK_AUDITALLOW_ENABLE 16
120#define AVC_CALLBACK_AUDITALLOW_DISABLE 32
121#define AVC_CALLBACK_AUDITDENY_ENABLE 64
122#define AVC_CALLBACK_AUDITDENY_DISABLE 128
123
124int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
f5269710 125 u16 tclass, u32 perms,
1da177e4
LT		 126 u32 *out_retained),
127 u32 events, u32 ssid, u32 tsid,
128 u16 tclass, u32 perms);
129
130/* Exported to selinuxfs */
131int avc_get_hash_stats(char *page);
132extern unsigned int avc_cache_threshold;
133
89c86576
TL		 134/* Attempt to free avc node cache */
135void avc_disable(void);
136
1da177e4
LT		 137#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
138DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
139#endif
140
141#endif /* _SELINUX_AVC_H_ */
142
ubuntu-bionic-kernel mirror