v4.6
 
  1/*
  2 * An access vector table (avtab) is a hash table
  3 * of access vectors and transition types indexed
  4 * by a type pair and a class.  An access vector
  5 * table is used to represent the type enforcement
  6 * tables.
  7 *
  8 *  Author : Stephen Smalley, <sds@epoch.ncsc.mil>
  9 */
 10
 11/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
 12 *
 13 * 	Added conditional policy language extensions
 14 *
 15 * Copyright (C) 2003 Tresys Technology, LLC
 16 *	This program is free software; you can redistribute it and/or modify
 17 *	it under the terms of the GNU General Public License as published by
 18 *	the Free Software Foundation, version 2.
 19 *
 20 * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
 21 * 	Tuned number of hash slots for avtab to reduce memory usage
 22 */
 23#ifndef _SS_AVTAB_H_
 24#define _SS_AVTAB_H_
 25
 26#include "security.h"
 27#include <linux/flex_array.h>
 28
 29struct avtab_key {
 30	u16 source_type;	/* source type */
 31	u16 target_type;	/* target type */
 32	u16 target_class;	/* target object class */
 33#define AVTAB_ALLOWED		0x0001
 34#define AVTAB_AUDITALLOW	0x0002
 35#define AVTAB_AUDITDENY		0x0004
 36#define AVTAB_AV		(AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY)
 37#define AVTAB_TRANSITION	0x0010
 38#define AVTAB_MEMBER		0x0020
 39#define AVTAB_CHANGE		0x0040
 40#define AVTAB_TYPE		(AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
 41/* extended permissions */
 42#define AVTAB_XPERMS_ALLOWED	0x0100
 43#define AVTAB_XPERMS_AUDITALLOW	0x0200
 44#define AVTAB_XPERMS_DONTAUDIT	0x0400
 45#define AVTAB_XPERMS		(AVTAB_XPERMS_ALLOWED | \
 46				AVTAB_XPERMS_AUDITALLOW | \
 47				AVTAB_XPERMS_DONTAUDIT)
 48#define AVTAB_ENABLED_OLD   0x80000000 /* reserved for used in cond_avtab */
 49#define AVTAB_ENABLED		0x8000 /* reserved for used in cond_avtab */
 50	u16 specified;	/* what field is specified */
 51};
 52
 53/*
 54 * For operations that require more than the 32 permissions provided by the avc
 55 * extended permissions may be used to provide 256 bits of permissions.
 56 */
 57struct avtab_extended_perms {
 58/* These are not flags. All 256 values may be used */
 59#define AVTAB_XPERMS_IOCTLFUNCTION	0x01
 60#define AVTAB_XPERMS_IOCTLDRIVER	0x02
 61	/* extension of the avtab_key specified */
 62	u8 specified; /* ioctl, netfilter, ... */
 63	/*
 64	 * if 256 bits is not adequate as is often the case with ioctls, then
 65	 * multiple extended perms may be used and the driver field
 66	 * specifies which permissions are included.
 67	 */
 68	u8 driver;
 69	/* 256 bits of permissions */
 70	struct extended_perms_data perms;
 71};
 72
 73struct avtab_datum {
 74	union {
 75		u32 data; /* access vector or type value */
 76		struct avtab_extended_perms *xperms;
 77	} u;
 78};
 79
 80struct avtab_node {
 81	struct avtab_key key;
 82	struct avtab_datum datum;
 83	struct avtab_node *next;
 84};
 85
 86struct avtab {
 87	struct flex_array *htable;
 88	u32 nel;	/* number of elements */
 89	u32 nslot;      /* number of hash slots */
 90	u32 mask;       /* mask to compute hash func */
 91
 92};
 93
 94int avtab_init(struct avtab *);
 95int avtab_alloc(struct avtab *, u32);
 96struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *k);
 
 97void avtab_destroy(struct avtab *h);
 98void avtab_hash_eval(struct avtab *h, char *tag);
 99
100struct policydb;
101int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
102		    int (*insert)(struct avtab *a, struct avtab_key *k,
103				  struct avtab_datum *d, void *p),
104		    void *p);
105
106int avtab_read(struct avtab *a, void *fp, struct policydb *pol);
107int avtab_write_item(struct policydb *p, struct avtab_node *cur, void *fp);
108int avtab_write(struct policydb *p, struct avtab *a, void *fp);
109
110struct avtab_node *avtab_insert_nonunique(struct avtab *h, struct avtab_key *key,
111					  struct avtab_datum *datum);
 
112
113struct avtab_node *avtab_search_node(struct avtab *h, struct avtab_key *key);
 
114
115struct avtab_node *avtab_search_node_next(struct avtab_node *node, int specified);
116
117void avtab_cache_init(void);
118void avtab_cache_destroy(void);
119
120#define MAX_AVTAB_HASH_BITS 16
121#define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS)
122
123#endif	/* _SS_AVTAB_H_ */
124
v6.2
  1/* SPDX-License-Identifier: GPL-2.0-only */
  2/*
  3 * An access vector table (avtab) is a hash table
  4 * of access vectors and transition types indexed
  5 * by a type pair and a class.  An access vector
  6 * table is used to represent the type enforcement
  7 * tables.
  8 *
  9 *  Author : Stephen Smalley, <sds@tycho.nsa.gov>
 10 */
 11
 12/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
 13 *
 14 * 	Added conditional policy language extensions
 15 *
 16 * Copyright (C) 2003 Tresys Technology, LLC
 
 
 
 17 *
 18 * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
 19 * 	Tuned number of hash slots for avtab to reduce memory usage
 20 */
 21#ifndef _SS_AVTAB_H_
 22#define _SS_AVTAB_H_
 23
 24#include "security.h"
 
 25
 26struct avtab_key {
 27	u16 source_type;	/* source type */
 28	u16 target_type;	/* target type */
 29	u16 target_class;	/* target object class */
 30#define AVTAB_ALLOWED		0x0001
 31#define AVTAB_AUDITALLOW	0x0002
 32#define AVTAB_AUDITDENY		0x0004
 33#define AVTAB_AV		(AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY)
 34#define AVTAB_TRANSITION	0x0010
 35#define AVTAB_MEMBER		0x0020
 36#define AVTAB_CHANGE		0x0040
 37#define AVTAB_TYPE		(AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
 38/* extended permissions */
 39#define AVTAB_XPERMS_ALLOWED	0x0100
 40#define AVTAB_XPERMS_AUDITALLOW	0x0200
 41#define AVTAB_XPERMS_DONTAUDIT	0x0400
 42#define AVTAB_XPERMS		(AVTAB_XPERMS_ALLOWED | \
 43				AVTAB_XPERMS_AUDITALLOW | \
 44				AVTAB_XPERMS_DONTAUDIT)
 45#define AVTAB_ENABLED_OLD   0x80000000 /* reserved for used in cond_avtab */
 46#define AVTAB_ENABLED		0x8000 /* reserved for used in cond_avtab */
 47	u16 specified;	/* what field is specified */
 48};
 49
 50/*
 51 * For operations that require more than the 32 permissions provided by the avc
 52 * extended permissions may be used to provide 256 bits of permissions.
 53 */
 54struct avtab_extended_perms {
 55/* These are not flags. All 256 values may be used */
 56#define AVTAB_XPERMS_IOCTLFUNCTION	0x01
 57#define AVTAB_XPERMS_IOCTLDRIVER	0x02
 58	/* extension of the avtab_key specified */
 59	u8 specified; /* ioctl, netfilter, ... */
 60	/*
 61	 * if 256 bits is not adequate as is often the case with ioctls, then
 62	 * multiple extended perms may be used and the driver field
 63	 * specifies which permissions are included.
 64	 */
 65	u8 driver;
 66	/* 256 bits of permissions */
 67	struct extended_perms_data perms;
 68};
 69
 70struct avtab_datum {
 71	union {
 72		u32 data; /* access vector or type value */
 73		struct avtab_extended_perms *xperms;
 74	} u;
 75};
 76
 77struct avtab_node {
 78	struct avtab_key key;
 79	struct avtab_datum datum;
 80	struct avtab_node *next;
 81};
 82
 83struct avtab {
 84	struct avtab_node **htable;
 85	u32 nel;	/* number of elements */
 86	u32 nslot;      /* number of hash slots */
 87	u32 mask;       /* mask to compute hash func */
 
 88};
 89
 90void avtab_init(struct avtab *h);
 91int avtab_alloc(struct avtab *, u32);
 92int avtab_alloc_dup(struct avtab *new, const struct avtab *orig);
 93struct avtab_datum *avtab_search(struct avtab *h, const struct avtab_key *k);
 94void avtab_destroy(struct avtab *h);
 95void avtab_hash_eval(struct avtab *h, char *tag);
 96
 97struct policydb;
 98int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
 99		    int (*insert)(struct avtab *a, const struct avtab_key *k,
100				  const struct avtab_datum *d, void *p),
101		    void *p);
102
103int avtab_read(struct avtab *a, void *fp, struct policydb *pol);
104int avtab_write_item(struct policydb *p, const struct avtab_node *cur, void *fp);
105int avtab_write(struct policydb *p, struct avtab *a, void *fp);
106
107struct avtab_node *avtab_insert_nonunique(struct avtab *h,
108					  const struct avtab_key *key,
109					  const struct avtab_datum *datum);
110
111struct avtab_node *avtab_search_node(struct avtab *h,
112				     const struct avtab_key *key);
113
114struct avtab_node *avtab_search_node_next(struct avtab_node *node, int specified);
 
 
 
115
116#define MAX_AVTAB_HASH_BITS 16
117#define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS)
118
119#endif	/* _SS_AVTAB_H_ */
120
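Review bot: The `specified` member of struct avtab_key is a u16, yet AVTAB_ENABLED_OLD (0x80000000), defined a few lines above it, cannot fit in 16 bits, and it carries the same comment as AVTAB_ENABLED, so a reader cannot tell which flag the in-memory field actually uses; presumably AVTAB_ENABLED_OLD only describes an older on-disk policy encoding handled in avtab.c, which is outside this page, so that should be confirmed and stated next to the define. I would also fix the typo in both comments while doing so: `#define AVTAB_ENABLED_OLD   0x80000000 /* older on-disk policy encoding only; reserved for use in cond_avtab */` and `#define AVTAB_ENABLED		0x8000 /* reserved for use in cond_avtab */`. Separately, the new side constifies the key, datum and node parameters of avtab_search, avtab_read_item, avtab_write_item, avtab_insert_nonunique and avtab_search_node, but avtab_hash_eval still takes a non-const `char *tag`; if the tag is only printed, `void avtab_hash_eval(struct avtab *h, const char *tag);` would make the declaration consistent with the rest of the header.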