]>
Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * A policy database (policydb) specifies the | |
3 | * configuration data for the security policy. | |
4 | * | |
5 | * Author : Stephen Smalley, <sds@epoch.ncsc.mil> | |
6 | */ | |
7 | ||
8 | /* | |
9 | * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> | |
10 | * | |
11 | * Support for enhanced MLS infrastructure. | |
12 | * | |
13 | * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> | |
14 | * | |
15 | * Added conditional policy language extensions | |
16 | * | |
17 | * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. | |
18 | * Copyright (C) 2003 - 2004 Tresys Technology, LLC | |
19 | * This program is free software; you can redistribute it and/or modify | |
20 | * it under the terms of the GNU General Public License as published by | |
21 | * the Free Software Foundation, version 2. | |
22 | */ | |
23 | ||
24 | #ifndef _SS_POLICYDB_H_ | |
25 | #define _SS_POLICYDB_H_ | |
26 | ||
27 | #include "symtab.h" | |
28 | #include "avtab.h" | |
29 | #include "sidtab.h" | |
30 | #include "context.h" | |
31 | #include "constraint.h" | |
32 | ||
33 | /* | |
34 | * A datum type is defined for each kind of symbol | |
35 | * in the configuration data: individual permissions, | |
36 | * common prefixes for access vectors, classes, | |
37 | * users, roles, types, sensitivities, categories, etc. | |
38 | */ | |
39 | ||
40 | /* Permission attributes */ | |
41 | struct perm_datum { | |
42 | u32 value; /* permission bit + 1 */ | |
43 | }; | |
44 | ||
45 | /* Attributes of a common prefix for access vectors */ | |
46 | struct common_datum { | |
47 | u32 value; /* internal common value */ | |
48 | struct symtab permissions; /* common permissions */ | |
49 | }; | |
50 | ||
51 | /* Class attributes */ | |
52 | struct class_datum { | |
53 | u32 value; /* class value */ | |
54 | char *comkey; /* common name */ | |
55 | struct common_datum *comdatum; /* common datum */ | |
56 | struct symtab permissions; /* class-specific permission symbol table */ | |
57 | struct constraint_node *constraints; /* constraints on class permissions */ | |
58 | struct constraint_node *validatetrans; /* special transition rules */ | |
59 | }; | |
60 | ||
61 | /* Role attributes */ | |
62 | struct role_datum { | |
63 | u32 value; /* internal role value */ | |
64 | struct ebitmap dominates; /* set of roles dominated by this role */ | |
65 | struct ebitmap types; /* set of authorized types for role */ | |
66 | }; | |
67 | ||
68 | struct role_trans { | |
69 | u32 role; /* current role */ | |
70 | u32 type; /* program executable type */ | |
71 | u32 new_role; /* new role */ | |
72 | struct role_trans *next; | |
73 | }; | |
74 | ||
75 | struct role_allow { | |
76 | u32 role; /* current role */ | |
77 | u32 new_role; /* new role */ | |
78 | struct role_allow *next; | |
79 | }; | |
80 | ||
81 | /* Type attributes */ | |
82 | struct type_datum { | |
83 | u32 value; /* internal type value */ | |
84 | unsigned char primary; /* primary name? */ | |
85 | }; | |
86 | ||
87 | /* User attributes */ | |
88 | struct user_datum { | |
89 | u32 value; /* internal user value */ | |
90 | struct ebitmap roles; /* set of authorized roles for user */ | |
91 | struct mls_range range; /* MLS range (min - max) for user */ | |
92 | struct mls_level dfltlevel; /* default login MLS level for user */ | |
93 | }; | |
94 | ||
95 | ||
96 | /* Sensitivity attributes */ | |
97 | struct level_datum { | |
98 | struct mls_level *level; /* sensitivity and associated categories */ | |
99 | unsigned char isalias; /* is this sensitivity an alias for another? */ | |
100 | }; | |
101 | ||
102 | /* Category attributes */ | |
103 | struct cat_datum { | |
104 | u32 value; /* internal category bit + 1 */ | |
105 | unsigned char isalias; /* is this category an alias for another? */ | |
106 | }; | |
107 | ||
108 | struct range_trans { | |
f3f87714 DG |
109 | u32 source_type; |
110 | u32 target_type; | |
111 | u32 target_class; | |
112 | struct mls_range target_range; | |
1da177e4 LT |
113 | struct range_trans *next; |
114 | }; | |
115 | ||
116 | /* Boolean data type */ | |
117 | struct cond_bool_datum { | |
118 | __u32 value; /* internal type value */ | |
119 | int state; | |
120 | }; | |
121 | ||
122 | struct cond_node; | |
123 | ||
124 | /* | |
125 | * The configuration data includes security contexts for | |
126 | * initial SIDs, unlabeled file systems, TCP and UDP port numbers, | |
127 | * network interfaces, and nodes. This structure stores the | |
128 | * relevant data for one such entry. Entries of the same kind | |
129 | * (e.g. all initial SIDs) are linked together into a list. | |
130 | */ | |
131 | struct ocontext { | |
132 | union { | |
133 | char *name; /* name of initial SID, fs, netif, fstype, path */ | |
134 | struct { | |
135 | u8 protocol; | |
136 | u16 low_port; | |
137 | u16 high_port; | |
138 | } port; /* TCP or UDP port information */ | |
139 | struct { | |
140 | u32 addr; | |
141 | u32 mask; | |
142 | } node; /* node information */ | |
143 | struct { | |
144 | u32 addr[4]; | |
145 | u32 mask[4]; | |
146 | } node6; /* IPv6 node information */ | |
147 | } u; | |
148 | union { | |
149 | u32 sclass; /* security class for genfs */ | |
150 | u32 behavior; /* labeling behavior for fs_use */ | |
151 | } v; | |
152 | struct context context[2]; /* security context(s) */ | |
153 | u32 sid[2]; /* SID(s) */ | |
154 | struct ocontext *next; | |
155 | }; | |
156 | ||
157 | struct genfs { | |
158 | char *fstype; | |
159 | struct ocontext *head; | |
160 | struct genfs *next; | |
161 | }; | |
162 | ||
163 | /* symbol table array indices */ | |
164 | #define SYM_COMMONS 0 | |
165 | #define SYM_CLASSES 1 | |
166 | #define SYM_ROLES 2 | |
167 | #define SYM_TYPES 3 | |
168 | #define SYM_USERS 4 | |
169 | #define SYM_BOOLS 5 | |
170 | #define SYM_LEVELS 6 | |
171 | #define SYM_CATS 7 | |
172 | #define SYM_NUM 8 | |
173 | ||
174 | /* object context array indices */ | |
175 | #define OCON_ISID 0 /* initial SIDs */ | |
176 | #define OCON_FS 1 /* unlabeled file systems */ | |
177 | #define OCON_PORT 2 /* TCP and UDP port numbers */ | |
178 | #define OCON_NETIF 3 /* network interfaces */ | |
179 | #define OCON_NODE 4 /* nodes */ | |
180 | #define OCON_FSUSE 5 /* fs_use */ | |
181 | #define OCON_NODE6 6 /* IPv6 nodes */ | |
182 | #define OCON_NUM 7 | |
183 | ||
184 | /* The policy database */ | |
185 | struct policydb { | |
186 | /* symbol tables */ | |
187 | struct symtab symtab[SYM_NUM]; | |
188 | #define p_commons symtab[SYM_COMMONS] | |
189 | #define p_classes symtab[SYM_CLASSES] | |
190 | #define p_roles symtab[SYM_ROLES] | |
191 | #define p_types symtab[SYM_TYPES] | |
192 | #define p_users symtab[SYM_USERS] | |
193 | #define p_bools symtab[SYM_BOOLS] | |
194 | #define p_levels symtab[SYM_LEVELS] | |
195 | #define p_cats symtab[SYM_CATS] | |
196 | ||
197 | /* symbol names indexed by (value - 1) */ | |
198 | char **sym_val_to_name[SYM_NUM]; | |
199 | #define p_common_val_to_name sym_val_to_name[SYM_COMMONS] | |
200 | #define p_class_val_to_name sym_val_to_name[SYM_CLASSES] | |
201 | #define p_role_val_to_name sym_val_to_name[SYM_ROLES] | |
202 | #define p_type_val_to_name sym_val_to_name[SYM_TYPES] | |
203 | #define p_user_val_to_name sym_val_to_name[SYM_USERS] | |
204 | #define p_bool_val_to_name sym_val_to_name[SYM_BOOLS] | |
205 | #define p_sens_val_to_name sym_val_to_name[SYM_LEVELS] | |
206 | #define p_cat_val_to_name sym_val_to_name[SYM_CATS] | |
207 | ||
208 | /* class, role, and user attributes indexed by (value - 1) */ | |
209 | struct class_datum **class_val_to_struct; | |
210 | struct role_datum **role_val_to_struct; | |
211 | struct user_datum **user_val_to_struct; | |
212 | ||
213 | /* type enforcement access vectors and transitions */ | |
214 | struct avtab te_avtab; | |
215 | ||
216 | /* role transitions */ | |
217 | struct role_trans *role_tr; | |
218 | ||
219 | /* bools indexed by (value - 1) */ | |
220 | struct cond_bool_datum **bool_val_to_struct; | |
221 | /* type enforcement conditional access vectors and transitions */ | |
222 | struct avtab te_cond_avtab; | |
223 | /* linked list indexing te_cond_avtab by conditional */ | |
224 | struct cond_node* cond_list; | |
225 | ||
226 | /* role allows */ | |
227 | struct role_allow *role_allow; | |
228 | ||
229 | /* security contexts of initial SIDs, unlabeled file systems, | |
230 | TCP or UDP port numbers, network interfaces and nodes */ | |
231 | struct ocontext *ocontexts[OCON_NUM]; | |
232 | ||
233 | /* security contexts for files in filesystems that cannot support | |
234 | a persistent label mapping or use another | |
235 | fixed labeling behavior. */ | |
236 | struct genfs *genfs; | |
237 | ||
238 | /* range transitions */ | |
239 | struct range_trans *range_tr; | |
240 | ||
782ebb99 SS |
241 | /* type -> attribute reverse mapping */ |
242 | struct ebitmap *type_attr_map; | |
243 | ||
3bb56b25 PM |
244 | struct ebitmap policycaps; |
245 | ||
1da177e4 | 246 | unsigned int policyvers; |
3f12070e EP |
247 | |
248 | unsigned int reject_unknown : 1; | |
249 | unsigned int allow_unknown : 1; | |
250 | u32 *undefined_perms; | |
1da177e4 LT |
251 | }; |
252 | ||
253 | extern void policydb_destroy(struct policydb *p); | |
254 | extern int policydb_load_isids(struct policydb *p, struct sidtab *s); | |
255 | extern int policydb_context_isvalid(struct policydb *p, struct context *c); | |
45e5421e SS |
256 | extern int policydb_class_isvalid(struct policydb *p, unsigned int class); |
257 | extern int policydb_type_isvalid(struct policydb *p, unsigned int type); | |
258 | extern int policydb_role_isvalid(struct policydb *p, unsigned int role); | |
1da177e4 LT |
259 | extern int policydb_read(struct policydb *p, void *fp); |
260 | ||
261 | #define PERM_SYMTAB_SIZE 32 | |
262 | ||
263 | #define POLICYDB_CONFIG_MLS 1 | |
264 | ||
3f12070e EP |
265 | /* the config flags related to unknown classes/perms are bits 2 and 3 */ |
266 | #define REJECT_UNKNOWN 0x00000002 | |
267 | #define ALLOW_UNKNOWN 0x00000004 | |
268 | ||
1da177e4 LT |
269 | #define OBJECT_R "object_r" |
270 | #define OBJECT_R_VAL 1 | |
271 | ||
272 | #define POLICYDB_MAGIC SELINUX_MAGIC | |
273 | #define POLICYDB_STRING "SE Linux" | |
274 | ||
275 | struct policy_file { | |
276 | char *data; | |
277 | size_t len; | |
278 | }; | |
279 | ||
280 | static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes) | |
281 | { | |
282 | if (bytes > fp->len) | |
283 | return -EINVAL; | |
284 | ||
285 | memcpy(buf, fp->data, bytes); | |
286 | fp->data += bytes; | |
287 | fp->len -= bytes; | |
288 | return 0; | |
289 | } | |
290 | ||
291 | #endif /* _SS_POLICYDB_H_ */ | |
292 |