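/*
 * Access vector cache interface for object managers.
 *
 * Object managers (the LSM hooks) ask the AVC whether a (source SID,
 * target SID, class, permission set) tuple is allowed; the AVC caches
 * decisions and hands out the audit helpers declared here.
 *
 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
 */
#ifndef _SELINUX_AVC_H_
#define _SELINUX_AVC_H_

#include <linux/stddef.h>
#include <linux/errno.h>
#include <linux/kernel.h>
#include <linux/kdev_t.h>
#include <linux/spinlock.h>
#include <linux/init.h>
#include <linux/audit.h>
#include <linux/lsm_audit.h>
#include <linux/in6.h>
#include <asm/system.h>
#include "flask.h"
#include "av_permissions.h"
#include "security.h"

/*
 * Enforcing/permissive switch.
 *
 * With CONFIG_SECURITY_SELINUX_DEVELOP the mode is a run-time variable
 * defined elsewhere.  Without it, selinux_enforcing folds to the constant 1,
 * so a kernel built that way cannot be switched to permissive mode at all;
 * callers must not assign to it.
 */
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
extern int selinux_enforcing;
#else
#define selinux_enforcing 1
#endif

/*
 * An entry in the AVC.  Opaque to object managers: the layout is not
 * exposed through this header.
 */
struct avc_entry;

/* Forward declarations so users of this header need not include the
 * full definitions. */
struct task_struct;
struct inode;
struct sock;
struct sk_buff;

/*
 * AVC statistics.
 *
 * Only meaningful when CONFIG_SECURITY_SELINUX_AVC_STATS is set, in which
 * case one instance exists per CPU (see avc_cache_stats below).  The
 * counters are plain unsigned ints and wrap silently.
 */
struct avc_cache_stats {
	unsigned int lookups;		/* cache lookups performed */
	unsigned int hits;		/* lookups satisfied from the cache */
	unsigned int misses;		/* lookups not satisfied from the cache */
	unsigned int allocations;	/* cache entries allocated */
	unsigned int reclaims;		/* cache entries reclaimed */
	unsigned int frees;		/* cache entries freed */
};

/*
 * AVC operations
 */

/* One-time initialization.  Marked __init: must not be called once the
 * init sections have been discarded. */
void __init avc_init(void);

/**
 * avc_audit - audit the outcome of a permission check
 * @ssid: source security identifier
 * @tsid: target security identifier
 * @tclass: target security class
 * @requested: permissions that were requested
 * @avd: access vector decision the check was based on
 * @result: result of the permission check being audited
 * @a: auxiliary audit data describing the object
 * @flags: the AVC_* flags the check was made with
 */
int avc_audit(u32 ssid, u32 tsid,
	      u16 tclass, u32 requested,
	      struct av_decision *avd,
	      int result,
	      struct common_audit_data *a, unsigned flags);

/*
 * Flags for avc_has_perm_noaudit() / avc_has_perm_flags().
 *
 * AVC_STRICT: ignore permissive mode, i.e. a denial is reported even when
 * selinux_enforcing is 0.  Use it only for checks that must never be
 * relaxed by the global mode.
 */
#define AVC_STRICT 1

/**
 * avc_has_perm_noaudit - check permissions without generating an audit record
 * @ssid: source security identifier
 * @tsid: target security identifier
 * @tclass: target security class
 * @requested: requested permissions
 * @flags: AVC_* flags (AVC_STRICT or 0)
 * @avd: decision structure; passed by non-const pointer so the decision can
 *       be handed to avc_audit() afterwards (callers that use this variant
 *       are responsible for that audit call)
 */
int avc_has_perm_noaudit(u32 ssid, u32 tsid,
			 u16 tclass, u32 requested,
			 unsigned flags,
			 struct av_decision *avd);

/**
 * avc_has_perm_flags - check permissions and audit the result
 * @ssid: source security identifier
 * @tsid: target security identifier
 * @tclass: target security class
 * @requested: requested permissions
 * @auditdata: auxiliary audit data describing the object
 * @flags: AVC_* flags (AVC_STRICT or 0)
 */
int avc_has_perm_flags(u32 ssid, u32 tsid,
		       u16 tclass, u32 requested,
		       struct common_audit_data *auditdata,
		       unsigned flags);

/**
 * avc_has_perm - check permissions and audit the result, default flags
 *
 * Convenience wrapper around avc_has_perm_flags() with @flags == 0, so
 * AVC_STRICT is not set and permissive mode is honoured.
 */
static inline int avc_has_perm(u32 ssid, u32 tsid,
			       u16 tclass, u32 requested,
			       struct common_audit_data *auditdata)
{
	return avc_has_perm_flags(ssid, tsid, tclass, requested, auditdata, 0);
}

/* Current policy sequence number (see avc.c for what advances it). */
u32 avc_policy_seqno(void);

/*
 * Callback events.  These are bit flags: avc_add_callback() takes a mask of
 * them in @events, and the callback's @event argument is one of them.
 */
#define AVC_CALLBACK_GRANT		1
#define AVC_CALLBACK_TRY_REVOKE		2
#define AVC_CALLBACK_REVOKE		4
#define AVC_CALLBACK_RESET		8
#define AVC_CALLBACK_AUDITALLOW_ENABLE	16
#define AVC_CALLBACK_AUDITALLOW_DISABLE	32
#define AVC_CALLBACK_AUDITDENY_ENABLE	64
#define AVC_CALLBACK_AUDITDENY_DISABLE	128

/**
 * avc_add_callback - register a callback for AVC events
 * @callback: function invoked with the event and the (ssid, tsid, tclass,
 *            perms) it concerns; @out_retained is an output parameter whose
 *            exact meaning is defined by avc.c, not by this header
 * @events: mask of AVC_CALLBACK_* events of interest
 * @ssid, @tsid, @tclass, @perms: the tuple the registration applies to
 */
int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
				     u16 tclass, u32 perms,
				     u32 *out_retained),
		     u32 events, u32 ssid, u32 tsid,
		     u16 tclass, u32 perms);

/* Exported to selinuxfs */

/*
 * Format hash-table statistics into @page.
 *
 * NOTE(review): there is no length parameter, so the bound on @page is an
 * implicit contract with the caller (presumably a single page, as for the
 * other selinuxfs read helpers).  Confirm in avc.c that the formatting is
 * bounded before reusing this with any other buffer.
 */
int avc_get_hash_stats(char *page);
extern unsigned int avc_cache_threshold;

/* Attempt to free avc node cache */
void avc_disable(void);

#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
/* Per-CPU counters; see struct avc_cache_stats. */
DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
#endif

#endif /* _SELINUX_AVC_H_ */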