xref: /linux/security/selinux/include/avc.h (revision e9fb13bfec7e017130ddc5c1b5466340470f4900) 
1 /*
2  * Access vector cache interface for object managers.
3  *
4  * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
5  */
6 #ifndef _SELINUX_AVC_H_
7 #define _SELINUX_AVC_H_
8 
9 #include <linux/stddef.h>
10 #include <linux/errno.h>
11 #include <linux/kernel.h>
12 #include <linux/kdev_t.h>
13 #include <linux/spinlock.h>
14 #include <linux/init.h>
15 #include <linux/audit.h>
16 #include <linux/lsm_audit.h>
17 #include <linux/in6.h>
18 #include <asm/system.h>
19 #include "flask.h"
20 #include "av_permissions.h"
21 #include "security.h"
22 
23 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
24 extern int selinux_enforcing;
25 #else
26 #define selinux_enforcing 1
27 #endif
28 
29 /*
30  * An entry in the AVC.
31  */
32 struct avc_entry;
33 
34 struct task_struct;
35 struct inode;
36 struct sock;
37 struct sk_buff;
38 
39 /*
40  * AVC statistics
41  */
42 struct avc_cache_stats {
43 	unsigned int lookups;
44 	unsigned int hits;
45 	unsigned int misses;
46 	unsigned int allocations;
47 	unsigned int reclaims;
48 	unsigned int frees;
49 };
50 
51 /*
52  * AVC operations
53  */
54 
55 void __init avc_init(void);
56 
57 int avc_audit(u32 ssid, u32 tsid,
58 	       u16 tclass, u32 requested,
59 	       struct av_decision *avd,
60 	       int result,
61 	      struct common_audit_data *a, unsigned flags);
62 
63 #define AVC_STRICT 1 /* Ignore permissive mode. */
64 int avc_has_perm_noaudit(u32 ssid, u32 tsid,
65 			 u16 tclass, u32 requested,
66 			 unsigned flags,
67 			 struct av_decision *avd);
68 
69 int avc_has_perm_flags(u32 ssid, u32 tsid,
70 		       u16 tclass, u32 requested,
71 		       struct common_audit_data *auditdata,
72 		       unsigned);
73 
74 static inline int avc_has_perm(u32 ssid, u32 tsid,
75 			       u16 tclass, u32 requested,
76 			       struct common_audit_data *auditdata)
77 {
78 	return avc_has_perm_flags(ssid, tsid, tclass, requested, auditdata, 0);
79 }
80 
81 u32 avc_policy_seqno(void);
82 
83 #define AVC_CALLBACK_GRANT		1
84 #define AVC_CALLBACK_TRY_REVOKE		2
85 #define AVC_CALLBACK_REVOKE		4
86 #define AVC_CALLBACK_RESET		8
87 #define AVC_CALLBACK_AUDITALLOW_ENABLE	16
88 #define AVC_CALLBACK_AUDITALLOW_DISABLE	32
89 #define AVC_CALLBACK_AUDITDENY_ENABLE	64
90 #define AVC_CALLBACK_AUDITDENY_DISABLE	128
91 
92 int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
93 				     u16 tclass, u32 perms,
94 				     u32 *out_retained),
95 		     u32 events, u32 ssid, u32 tsid,
96 		     u16 tclass, u32 perms);
97 
98 /* Exported to selinuxfs */
99 int avc_get_hash_stats(char *page);
100 extern unsigned int avc_cache_threshold;
101 
102 /* Attempt to free avc node cache */
103 void avc_disable(void);
104 
105 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
106 DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
107 #endif
108 
109 #endif /* _SELINUX_AVC_H_ */
110 
111