[deliverable/linux.git] / security / selinux / include / avc.h

/*
 * Access vector cache interface for object managers.
 *
 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
 */
#ifndef _SELINUX_AVC_H_
#define _SELINUX_AVC_H_

#include <linux/stddef.h>
#include <linux/errno.h>
#include <linux/kernel.h>
#include <linux/kdev_t.h>
#include <linux/spinlock.h>
#include <linux/init.h>
#include <linux/audit.h>
#include <linux/lsm_audit.h>
#include <linux/in6.h>
#include <asm/system.h>
#include "flask.h"
#include "av_permissions.h"
#include "security.h"

#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
extern int selinux_enforcing;
#else
#define selinux_enforcing 1
#endif

/*
 * An entry in the AVC.
 */
struct avc_entry;

struct task_struct;
struct inode;
struct sock;
struct sk_buff;

/*
 * AVC statistics
 */
struct avc_cache_stats {
	unsigned int lookups;
	unsigned int hits;
	unsigned int misses;
	unsigned int allocations;
	unsigned int reclaims;
	unsigned int frees;
};

/*
 * AVC operations
 */

void __init avc_init(void);

int avc_audit(u32 ssid, u32 tsid,
	       u16 tclass, u32 requested,
	       struct av_decision *avd,
	       int result,
	      struct common_audit_data *a, unsigned flags);

#define AVC_STRICT 1 /* Ignore permissive mode. */
int avc_has_perm_noaudit(u32 ssid, u32 tsid,
			 u16 tclass, u32 requested,
			 unsigned flags,
			 struct av_decision *avd);

int avc_has_perm_flags(u32 ssid, u32 tsid,
		       u16 tclass, u32 requested,
		       struct common_audit_data *auditdata,
		       unsigned);

static inline int avc_has_perm(u32 ssid, u32 tsid,
			       u16 tclass, u32 requested,
			       struct common_audit_data *auditdata)
{
	return avc_has_perm_flags(ssid, tsid, tclass, requested, auditdata, 0);
}

u32 avc_policy_seqno(void);

#define AVC_CALLBACK_GRANT		1
#define AVC_CALLBACK_TRY_REVOKE		2
#define AVC_CALLBACK_REVOKE		4
#define AVC_CALLBACK_RESET		8
#define AVC_CALLBACK_AUDITALLOW_ENABLE	16
#define AVC_CALLBACK_AUDITALLOW_DISABLE	32
#define AVC_CALLBACK_AUDITDENY_ENABLE	64
#define AVC_CALLBACK_AUDITDENY_DISABLE	128

int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
				     u16 tclass, u32 perms,
				     u32 *out_retained),
		     u32 events, u32 ssid, u32 tsid,
		     u16 tclass, u32 perms);

/* Exported to selinuxfs */
int avc_get_hash_stats(char *page);
extern unsigned int avc_cache_threshold;

/* Attempt to free avc node cache */
void avc_disable(void);

#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
#endif

#endif /* _SELINUX_AVC_H_ */
Commit	Line	Data
1da177e4 LT	1	/*
	2	* Access vector cache interface for object managers.
	3	*
	4	* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
	5	*/
	6	#ifndef _SELINUX_AVC_H_
	7	#define _SELINUX_AVC_H_
	8
	9	#include <linux/stddef.h>
	10	#include <linux/errno.h>
	11	#include <linux/kernel.h>
	12	#include <linux/kdev_t.h>
	13	#include <linux/spinlock.h>
	14	#include <linux/init.h>
d9250dea	15	#include <linux/audit.h>
2bf49690	16	#include <linux/lsm_audit.h>
1da177e4 LT	17	#include <linux/in6.h>
	18	#include <asm/system.h>
	19	#include "flask.h"
	20	#include "av_permissions.h"
	21	#include "security.h"
	22
	23	#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
	24	extern int selinux_enforcing;
	25	#else
	26	#define selinux_enforcing 1
	27	#endif
	28
	29	/*
	30	* An entry in the AVC.
	31	*/
	32	struct avc_entry;
	33
	34	struct task_struct;
1da177e4 LT	35	struct inode;
	36	struct sock;
	37	struct sk_buff;
	38
1da177e4 LT	39	/*
	40	* AVC statistics
	41	*/
f5269710	42	struct avc_cache_stats {
1da177e4 LT	43	unsigned int lookups;
	44	unsigned int hits;
	45	unsigned int misses;
	46	unsigned int allocations;
	47	unsigned int reclaims;
	48	unsigned int frees;
	49	};
	50
	51	/*
	52	* AVC operations
	53	*/
	54
	55	void __init avc_init(void);
	56
9ade0cf4	57	int avc_audit(u32 ssid, u32 tsid,
f5269710	58	u16 tclass, u32 requested,
2bf49690 TL	59	struct av_decision *avd,
2bf49690 TL	60	int result,
9ade0cf4	61	struct common_audit_data *a, unsigned flags);
1da177e4	62
2c3c05db	63	#define AVC_STRICT 1 /* Ignore permissive mode. */
1da177e4	64	int avc_has_perm_noaudit(u32 ssid, u32 tsid,
2c3c05db SS	65	u16 tclass, u32 requested,
	66	unsigned flags,
	67	struct av_decision *avd);
1da177e4	68
9ade0cf4 EP	69	int avc_has_perm_flags(u32 ssid, u32 tsid,
	70	u16 tclass, u32 requested,
	71	struct common_audit_data *auditdata,
	72	unsigned);
	73
	74	static inline int avc_has_perm(u32 ssid, u32 tsid,
	75	u16 tclass, u32 requested,
	76	struct common_audit_data *auditdata)
	77	{
	78	return avc_has_perm_flags(ssid, tsid, tclass, requested, auditdata, 0);
	79	}
1da177e4	80
788e7dd4 YN	81	u32 avc_policy_seqno(void);
788e7dd4 YN	82
1da177e4 LT	83	#define AVC_CALLBACK_GRANT 1
	84	#define AVC_CALLBACK_TRY_REVOKE 2
	85	#define AVC_CALLBACK_REVOKE 4
	86	#define AVC_CALLBACK_RESET 8
	87	#define AVC_CALLBACK_AUDITALLOW_ENABLE 16
	88	#define AVC_CALLBACK_AUDITALLOW_DISABLE 32
	89	#define AVC_CALLBACK_AUDITDENY_ENABLE 64
	90	#define AVC_CALLBACK_AUDITDENY_DISABLE 128
	91
	92	int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
f5269710	93	u16 tclass, u32 perms,
1da177e4 LT	94	u32 *out_retained),
	95	u32 events, u32 ssid, u32 tsid,
	96	u16 tclass, u32 perms);
	97
	98	/* Exported to selinuxfs */
	99	int avc_get_hash_stats(char *page);
	100	extern unsigned int avc_cache_threshold;
	101
89c86576 TL	102	/* Attempt to free avc node cache */
	103	void avc_disable(void);
	104
1da177e4 LT	105	#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
	106	DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
	107	#endif
	108
	109	#endif /* _SELINUX_AVC_H_ */
	110