v4.6
  1/*
  2 * An access vector table (avtab) is a hash table
  3 * of access vectors and transition types indexed
  4 * by a type pair and a class.  An access vector
  5 * table is used to represent the type enforcement
  6 * tables.
  7 *
  8 *  Author : Stephen Smalley, <sds@epoch.ncsc.mil>
  9 */
 10
 11/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
 12 *
 13 * 	Added conditional policy language extensions
 14 *
 15 * Copyright (C) 2003 Tresys Technology, LLC
 16 *	This program is free software; you can redistribute it and/or modify
 17 *	it under the terms of the GNU General Public License as published by
 18 *	the Free Software Foundation, version 2.
 19 *
 20 * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
 21 * 	Tuned number of hash slots for avtab to reduce memory usage
 22 */
 23#ifndef _SS_AVTAB_H_
 24#define _SS_AVTAB_H_
 25
 26#include "security.h"
 27#include <linux/flex_array.h>
 28
/*
 * Key of one avtab entry: the (source type, target type, object class)
 * triple, plus a `specified' bitmask saying what kind of rule the matching
 * avtab_datum holds.  All three identifiers are u16, so the key cannot
 * address more than 65536 types or classes.  The values are read from the
 * policy image; avtab_read_item() is handed the policydb, presumably so it
 * can range-check them against the symbol tables -- confirm in avtab.c.
 */
struct avtab_key {
	u16 source_type;	/* source type */
	u16 target_type;	/* target type */
	u16 target_class;	/* target object class */
/*
 * Access-vector rules.  For these, avtab_datum.u.data is an access
 * vector (see the comment on that union).
 */
#define AVTAB_ALLOWED		0x0001
#define AVTAB_AUDITALLOW	0x0002
#define AVTAB_AUDITDENY		0x0004
#define AVTAB_AV		(AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY)
/*
 * Type rules (type_transition / type_member / type_change).  For these,
 * avtab_datum.u.data is the resulting type value.
 */
#define AVTAB_TRANSITION	0x0010
#define AVTAB_MEMBER		0x0020
#define AVTAB_CHANGE		0x0040
#define AVTAB_TYPE		(AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
/*
 * Extended permissions.  For these, avtab_datum.u.xperms is the live
 * union member rather than u.data.  Note the naming asymmetry with the AV
 * rules above: AV rules carry an AUDITDENY mask, xperms rules a DONTAUDIT
 * one; whether the two are stored as inverses of each other is decided
 * by the reader/writer in avtab.c, not here.
 */
#define AVTAB_XPERMS_ALLOWED	0x0100
#define AVTAB_XPERMS_AUDITALLOW	0x0200
#define AVTAB_XPERMS_DONTAUDIT	0x0400
#define AVTAB_XPERMS		(AVTAB_XPERMS_ALLOWED | \
				AVTAB_XPERMS_AUDITALLOW | \
				AVTAB_XPERMS_DONTAUDIT)
/*
 * Conditional-policy "rule currently enabled" bit.  AVTAB_ENABLED_OLD
 * (0x80000000) cannot fit in the u16 `specified' field below, so it can
 * only be meaningful for a wider on-disk/legacy encoding of the flag --
 * presumably older policy versions; confirm where it is consumed in
 * avtab.c.  AVTAB_ENABLED is the form that fits the in-memory key.
 */
#define AVTAB_ENABLED_OLD   0x80000000 /* reserved for used in cond_avtab */
#define AVTAB_ENABLED		0x8000 /* reserved for used in cond_avtab */
	u16 specified;	/* which of the AVTAB_* rule kinds (and AVTAB_ENABLED) apply */
};
 52
 53/*
 54 * For operations that require more than the 32 permissions provided by the avc
 55 * extended permissions may be used to provide 256 bits of permissions.
 56 */
/*
 * Payload of an extended-permission rule (referenced from avtab_datum when
 * the key's `specified' carries an AVTAB_XPERMS bit).  Extends the 32-bit
 * access vector to a 256-bit bitmap, optionally split across several
 * entries selected by `driver'.
 */
struct avtab_extended_perms {
/*
 * Kinds of extension.  `specified' is an enumerated value, not a bitmask,
 * so up to 256 distinct kinds are representable; only the two ioctl kinds
 * are defined here.
 */
#define AVTAB_XPERMS_IOCTLFUNCTION	0x01
#define AVTAB_XPERMS_IOCTLDRIVER	0x02
	/* extension of the avtab_key specified */
	u8 specified; /* ioctl, netfilter, ... */
	/*
	 * if 256 bits is not adequate as is often the case with ioctls, then
	 * multiple extended perms may be used and the driver field
	 * specifies which permissions are included.
	 *
	 * How an ioctl command number is split into a driver part and a
	 * function part is not defined in this header -- see the reader in
	 * avtab.c and the AVC before relying on a particular mapping.
	 */
	u8 driver;
	/* 256 bits of permissions */
	struct extended_perms_data perms;
};
 72
/*
 * Value side of an avtab entry.  The union carries no tag of its own: which
 * member is live must be decided from the owning avtab_key's `specified'
 * (an AVTAB_XPERMS bit selects xperms, AVTAB_AV/AVTAB_TYPE select data).
 * Reading xperms for a non-xperms key would dereference an access vector
 * as a pointer, so every consumer should check the key first.  Ownership
 * of the xperms allocation is presumably avtab's (freed by avtab_destroy)
 * -- confirm in avtab.c.
 */
struct avtab_datum {
	union {
		u32 data; /* access vector or type value */
		struct avtab_extended_perms *xperms;
	} u;
};
 79
/*
 * One entry of the hash table: key, datum, and the link to the next node
 * in the same bucket (collision chain; a NULL `next' ends the chain).
 */
struct avtab_node {
	struct avtab_key key;
	struct avtab_datum datum;
	struct avtab_node *next;
};
 85
/*
 * The access vector table itself: a chained hash table whose bucket array
 * lives in a flex_array (presumably to avoid one large contiguous kernel
 * allocation for big policies -- see avtab_alloc()).  nslot is bounded by
 * MAX_AVTAB_HASH_BUCKETS; mask is used by the hash function and is
 * presumably nslot - 1 with nslot a power of two -- confirm in avtab.c.
 */
struct avtab {
	struct flex_array *htable;
	u32 nel;	/* number of elements */
	u32 nslot;      /* number of hash slots */
	u32 mask;       /* mask to compute hash func */

};
 93
/* Reset an avtab to the empty state (no buckets allocated). */
int avtab_init(struct avtab *);
/*
 * Size and allocate the bucket array for roughly the given number of
 * elements.  The count comes from the policy image, so the implementation
 * must clamp it via MAX_AVTAB_HASH_BUCKETS rather than trust it --
 * verify the clamp in avtab.c.
 */
int avtab_alloc(struct avtab *, u32);
/* Look up the datum for key k; NULL when absent. */
struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *k);
/* Free every node (and, presumably, every xperms payload) plus the bucket array. */
void avtab_destroy(struct avtab *h);
/* Debug helper: report bucket/chain statistics under the given tag. */
void avtab_hash_eval(struct avtab *h, char *tag);

struct policydb;
/*
 * Read one entry from the policy image fp and hand it to insert(), which
 * receives the parsed key/datum and the opaque cookie p.  pol is available
 * for validating the parsed key against the policydb.  Returns 0 on
 * success, negative on a malformed entry -- this is the untrusted-input
 * boundary for the table, so all range checks belong here or in insert().
 */
int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
		    int (*insert)(struct avtab *a, struct avtab_key *k,
				  struct avtab_datum *d, void *p),
		    void *p);

/* Read a whole table (element count followed by the entries) from fp. */
int avtab_read(struct avtab *a, void *fp, struct policydb *pol);
/* Serialize one node / the whole table back into the policy format. */
int avtab_write_item(struct policydb *p, struct avtab_node *cur, void *fp);
int avtab_write(struct policydb *p, struct avtab *a, void *fp);

/*
 * Insert without checking for an existing entry with the same key; used
 * where duplicate keys are legitimate (conditional rules).  Returns the
 * new node or NULL on allocation failure.
 */
struct avtab_node *avtab_insert_nonunique(struct avtab *h, struct avtab_key *key,
					  struct avtab_datum *datum);

/* Like avtab_search() but returns the node so the caller can walk on. */
struct avtab_node *avtab_search_node(struct avtab *h, struct avtab_key *key);

/*
 * Continue from node along its chain to the next entry with the same
 * key whose key.specified matches the given rule kind; NULL when none.
 */
struct avtab_node *avtab_search_node_next(struct avtab_node *node, int specified);

/* Create / tear down the slab cache backing avtab_node allocations. */
void avtab_cache_init(void);
void avtab_cache_destroy(void);
119
/*
 * Hard ceiling on the bucket count (1 << 16 = 65536).  Bounds the memory a
 * policy can force the kernel to allocate for the bucket array no matter
 * how large an element count the image declares.
 */
#define MAX_AVTAB_HASH_BITS 16
#define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS)
122
123#endif	/* _SS_AVTAB_H_ */
124
v4.17
  1/*
  2 * An access vector table (avtab) is a hash table
  3 * of access vectors and transition types indexed
  4 * by a type pair and a class.  An access vector
  5 * table is used to represent the type enforcement
  6 * tables.
  7 *
  8 *  Author : Stephen Smalley, <sds@tycho.nsa.gov>
  9 */
 10
 11/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
 12 *
 13 * 	Added conditional policy language extensions
 14 *
 15 * Copyright (C) 2003 Tresys Technology, LLC
 16 *	This program is free software; you can redistribute it and/or modify
 17 *	it under the terms of the GNU General Public License as published by
 18 *	the Free Software Foundation, version 2.
 19 *
 20 * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
 21 * 	Tuned number of hash slots for avtab to reduce memory usage
 22 */
 23#ifndef _SS_AVTAB_H_
 24#define _SS_AVTAB_H_
 25
 26#include "security.h"
 27#include <linux/flex_array.h>
 28
/*
 * Key of one avtab entry: the (source type, target type, object class)
 * triple, plus a `specified' bitmask saying what kind of rule the matching
 * avtab_datum holds.  All three identifiers are u16, so the key cannot
 * address more than 65536 types or classes.  The values are read from the
 * policy image; avtab_read_item() is handed the policydb, presumably so it
 * can range-check them against the symbol tables -- confirm in avtab.c.
 */
struct avtab_key {
	u16 source_type;	/* source type */
	u16 target_type;	/* target type */
	u16 target_class;	/* target object class */
/*
 * Access-vector rules.  For these, avtab_datum.u.data is an access
 * vector (see the comment on that union).
 */
#define AVTAB_ALLOWED		0x0001
#define AVTAB_AUDITALLOW	0x0002
#define AVTAB_AUDITDENY		0x0004
#define AVTAB_AV		(AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY)
/*
 * Type rules (type_transition / type_member / type_change).  For these,
 * avtab_datum.u.data is the resulting type value.
 */
#define AVTAB_TRANSITION	0x0010
#define AVTAB_MEMBER		0x0020
#define AVTAB_CHANGE		0x0040
#define AVTAB_TYPE		(AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
/*
 * Extended permissions.  For these, avtab_datum.u.xperms is the live
 * union member rather than u.data.  Note the naming asymmetry with the AV
 * rules above: AV rules carry an AUDITDENY mask, xperms rules a DONTAUDIT
 * one; whether the two are stored as inverses of each other is decided
 * by the reader/writer in avtab.c, not here.
 */
#define AVTAB_XPERMS_ALLOWED	0x0100
#define AVTAB_XPERMS_AUDITALLOW	0x0200
#define AVTAB_XPERMS_DONTAUDIT	0x0400
#define AVTAB_XPERMS		(AVTAB_XPERMS_ALLOWED | \
				AVTAB_XPERMS_AUDITALLOW | \
				AVTAB_XPERMS_DONTAUDIT)
/*
 * Conditional-policy "rule currently enabled" bit.  AVTAB_ENABLED_OLD
 * (0x80000000) cannot fit in the u16 `specified' field below, so it can
 * only be meaningful for a wider on-disk/legacy encoding of the flag --
 * presumably older policy versions; confirm where it is consumed in
 * avtab.c.  AVTAB_ENABLED is the form that fits the in-memory key.
 */
#define AVTAB_ENABLED_OLD   0x80000000 /* reserved for used in cond_avtab */
#define AVTAB_ENABLED		0x8000 /* reserved for used in cond_avtab */
	u16 specified;	/* which of the AVTAB_* rule kinds (and AVTAB_ENABLED) apply */
};
 52
 53/*
 54 * For operations that require more than the 32 permissions provided by the avc
 55 * extended permissions may be used to provide 256 bits of permissions.
 56 */
/*
 * Payload of an extended-permission rule (referenced from avtab_datum when
 * the key's `specified' carries an AVTAB_XPERMS bit).  Extends the 32-bit
 * access vector to a 256-bit bitmap, optionally split across several
 * entries selected by `driver'.
 */
struct avtab_extended_perms {
/*
 * Kinds of extension.  `specified' is an enumerated value, not a bitmask,
 * so up to 256 distinct kinds are representable; only the two ioctl kinds
 * are defined here.
 */
#define AVTAB_XPERMS_IOCTLFUNCTION	0x01
#define AVTAB_XPERMS_IOCTLDRIVER	0x02
	/* extension of the avtab_key specified */
	u8 specified; /* ioctl, netfilter, ... */
	/*
	 * if 256 bits is not adequate as is often the case with ioctls, then
	 * multiple extended perms may be used and the driver field
	 * specifies which permissions are included.
	 *
	 * How an ioctl command number is split into a driver part and a
	 * function part is not defined in this header -- see the reader in
	 * avtab.c and the AVC before relying on a particular mapping.
	 */
	u8 driver;
	/* 256 bits of permissions */
	struct extended_perms_data perms;
};
 72
/*
 * Value side of an avtab entry.  The union carries no tag of its own: which
 * member is live must be decided from the owning avtab_key's `specified'
 * (an AVTAB_XPERMS bit selects xperms, AVTAB_AV/AVTAB_TYPE select data).
 * Reading xperms for a non-xperms key would dereference an access vector
 * as a pointer, so every consumer should check the key first.  Ownership
 * of the xperms allocation is presumably avtab's (freed by avtab_destroy)
 * -- confirm in avtab.c.
 */
struct avtab_datum {
	union {
		u32 data; /* access vector or type value */
		struct avtab_extended_perms *xperms;
	} u;
};
 79
/*
 * One entry of the hash table: key, datum, and the link to the next node
 * in the same bucket (collision chain; a NULL `next' ends the chain).
 */
struct avtab_node {
	struct avtab_key key;
	struct avtab_datum datum;
	struct avtab_node *next;
};
 85
/*
 * The access vector table itself: a chained hash table whose bucket array
 * lives in a flex_array (presumably to avoid one large contiguous kernel
 * allocation for big policies -- see avtab_alloc()).  nslot is bounded by
 * MAX_AVTAB_HASH_BUCKETS; mask is used by the hash function and is
 * presumably nslot - 1 with nslot a power of two -- confirm in avtab.c.
 */
struct avtab {
	struct flex_array *htable;
	u32 nel;	/* number of elements */
	u32 nslot;      /* number of hash slots */
	u32 mask;       /* mask to compute hash func */

};
 93
/* Reset an avtab to the empty state (no buckets allocated). */
int avtab_init(struct avtab *);
/*
 * Size and allocate the bucket array for roughly the given number of
 * elements.  The count comes from the policy image, so the implementation
 * must clamp it via MAX_AVTAB_HASH_BUCKETS rather than trust it --
 * verify the clamp in avtab.c.
 */
int avtab_alloc(struct avtab *, u32);
/* Look up the datum for key k; NULL when absent. */
struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *k);
/* Free every node (and, presumably, every xperms payload) plus the bucket array. */
void avtab_destroy(struct avtab *h);
/* Debug helper: report bucket/chain statistics under the given tag. */
void avtab_hash_eval(struct avtab *h, char *tag);

struct policydb;
/*
 * Read one entry from the policy image fp and hand it to insert(), which
 * receives the parsed key/datum and the opaque cookie p.  pol is available
 * for validating the parsed key against the policydb.  Returns 0 on
 * success, negative on a malformed entry -- this is the untrusted-input
 * boundary for the table, so all range checks belong here or in insert().
 */
int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
		    int (*insert)(struct avtab *a, struct avtab_key *k,
				  struct avtab_datum *d, void *p),
		    void *p);

/* Read a whole table (element count followed by the entries) from fp. */
int avtab_read(struct avtab *a, void *fp, struct policydb *pol);
/* Serialize one node / the whole table back into the policy format. */
int avtab_write_item(struct policydb *p, struct avtab_node *cur, void *fp);
int avtab_write(struct policydb *p, struct avtab *a, void *fp);

/*
 * Insert without checking for an existing entry with the same key; used
 * where duplicate keys are legitimate (conditional rules).  Returns the
 * new node or NULL on allocation failure.
 */
struct avtab_node *avtab_insert_nonunique(struct avtab *h, struct avtab_key *key,
					  struct avtab_datum *datum);

/* Like avtab_search() but returns the node so the caller can walk on. */
struct avtab_node *avtab_search_node(struct avtab *h, struct avtab_key *key);

/*
 * Continue from node along its chain to the next entry with the same
 * key whose key.specified matches the given rule kind; NULL when none.
 * (This version of the header no longer exposes the avtab_cache_init /
 * avtab_cache_destroy pair present in v4.6.)
 */
struct avtab_node *avtab_search_node_next(struct avtab_node *node, int specified);
 
 
 
116
/*
 * Hard ceiling on the bucket count (1 << 16 = 65536).  Bounds the memory a
 * policy can force the kernel to allocate for the bucket array no matter
 * how large an element count the image declares.
 */
#define MAX_AVTAB_HASH_BITS 16
#define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS)
119
120#endif	/* _SS_AVTAB_H_ */
121