1/*
  2 * Access vector cache interface for object managers.
  3 *
  4 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
  5 */
  6#ifndef _SELINUX_AVC_H_
  7#define _SELINUX_AVC_H_
  8
  9#include <linux/stddef.h>
 10#include <linux/errno.h>
 11#include <linux/kernel.h>
 12#include <linux/kdev_t.h>
 13#include <linux/spinlock.h>
 14#include <linux/init.h>
 15#include <linux/audit.h>
 16#include <linux/lsm_audit.h>
 17#include <linux/in6.h>
 18#include "flask.h"
 19#include "av_permissions.h"
 20#include "security.h"
 21
 22#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
 23extern int selinux_enforcing;
 24#else
 25#define selinux_enforcing 1
 26#endif
 27
 28/*
 29 * An entry in the AVC.
 30 */
 31struct avc_entry;
 32
 33struct task_struct;
 34struct inode;
 35struct sock;
 36struct sk_buff;
 37
 38/*
 39 * AVC statistics
 40 */
 41struct avc_cache_stats {
 42	unsigned int lookups;
 43	unsigned int misses;
 44	unsigned int allocations;
 45	unsigned int reclaims;
 46	unsigned int frees;
 47};
 48
 49/*
 50 * We only need this data after we have decided to send an audit message.
 51 */
 52struct selinux_audit_data {
 53	u32 ssid;
 54	u32 tsid;
 55	u16 tclass;
 56	u32 requested;
 57	u32 audited;
 58	u32 denied;
 59	int result;
 60};
 61
 62/*
 63 * AVC operations
 64 */
 65
 66void __init avc_init(void);
 67
 68static inline u32 avc_audit_required(u32 requested,
 69			      struct av_decision *avd,
 70			      int result,
 71			      u32 auditdeny,
 72			      u32 *deniedp)
 73{
 74	u32 denied, audited;
 75	denied = requested & ~avd->allowed;
 76	if (unlikely(denied)) {
 77		audited = denied & avd->auditdeny;
 78		/*
 79		 * auditdeny is TRICKY!  Setting a bit in
 80		 * this field means that ANY denials should NOT be audited if
 81		 * the policy contains an explicit dontaudit rule for that
 82		 * permission.  Take notice that this is unrelated to the
 83		 * actual permissions that were denied.  As an example lets
 84		 * assume:
 85		 *
 86		 * denied == READ
 87		 * avd.auditdeny & ACCESS == 0 (not set means explicit rule)
 88		 * auditdeny & ACCESS == 1
 89		 *
 90		 * We will NOT audit the denial even though the denied
 91		 * permission was READ and the auditdeny checks were for
 92		 * ACCESS
 93		 */
 94		if (auditdeny && !(auditdeny & avd->auditdeny))
 95			audited = 0;
 96	} else if (result)
 97		audited = denied = requested;
 98	else
 99		audited = requested & avd->auditallow;
100	*deniedp = denied;
101	return audited;
102}
103
104int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
105		   u32 requested, u32 audited, u32 denied,
106		   struct common_audit_data *a,
107		   unsigned flags);
108
109/**
110 * avc_audit - Audit the granting or denial of permissions.
111 * @ssid: source security identifier
112 * @tsid: target security identifier
113 * @tclass: target security class
114 * @requested: requested permissions
115 * @avd: access vector decisions
116 * @result: result from avc_has_perm_noaudit
117 * @a:  auxiliary audit data
118 * @flags: VFS walk flags
119 *
120 * Audit the granting or denial of permissions in accordance
121 * with the policy.  This function is typically called by
122 * avc_has_perm() after a permission check, but can also be
123 * called directly by callers who use avc_has_perm_noaudit()
124 * in order to separate the permission check from the auditing.
125 * For example, this separation is useful when the permission check must
126 * be performed under a lock, to allow the lock to be released
127 * before calling the auditing code.
128 */
129static inline int avc_audit(u32 ssid, u32 tsid,
130			    u16 tclass, u32 requested,
131			    struct av_decision *avd,
132			    int result,
133			    struct common_audit_data *a, unsigned flags)
134{
135	u32 audited, denied;
136	audited = avc_audit_required(requested, avd, result, 0, &denied);
137	if (likely(!audited))
138		return 0;
139	return slow_avc_audit(ssid, tsid, tclass,
140			      requested, audited, denied,
141			      a, flags);
142}
143
144#define AVC_STRICT 1 /* Ignore permissive mode. */
145int avc_has_perm_noaudit(u32 ssid, u32 tsid,
146			 u16 tclass, u32 requested,
147			 unsigned flags,
148			 struct av_decision *avd);
149
150int avc_has_perm_flags(u32 ssid, u32 tsid,
151		       u16 tclass, u32 requested,
152		       struct common_audit_data *auditdata,
153		       unsigned);
154
155static inline int avc_has_perm(u32 ssid, u32 tsid,
156			       u16 tclass, u32 requested,
157			       struct common_audit_data *auditdata)
158{
159	return avc_has_perm_flags(ssid, tsid, tclass, requested, auditdata, 0);
160}
161
162u32 avc_policy_seqno(void);
163
164#define AVC_CALLBACK_GRANT		1
165#define AVC_CALLBACK_TRY_REVOKE		2
166#define AVC_CALLBACK_REVOKE		4
167#define AVC_CALLBACK_RESET		8
168#define AVC_CALLBACK_AUDITALLOW_ENABLE	16
169#define AVC_CALLBACK_AUDITALLOW_DISABLE	32
170#define AVC_CALLBACK_AUDITDENY_ENABLE	64
171#define AVC_CALLBACK_AUDITDENY_DISABLE	128
172
173int avc_add_callback(int (*callback)(u32 event), u32 events);
174
175/* Exported to selinuxfs */
176int avc_get_hash_stats(char *page);
177extern unsigned int avc_cache_threshold;
178
179/* Attempt to free avc node cache */
180void avc_disable(void);
181
182#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
183DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
184#endif
185
186#endif /* _SELINUX_AVC_H_ */
187