| 1 | /* SPDX-License-Identifier: GPL-2.0-only */ |
|---|---|
| 2 | /* |
| 3 | * An access vector table (avtab) is a hash table |
| 4 | * of access vectors and transition types indexed |
| 5 | * by a type pair and a class. An access vector |
| 6 | * table is used to represent the type enforcement |
| 7 | * tables. |
| 8 | * |
| 9 | * Author : Stephen Smalley, <stephen.smalley.work@gmail.com> |
| 10 | */ |
| 11 | |
| 12 | /* Updated: Frank Mayer <mayerf@tresys.com> and |
| 13 | * Karl MacMillan <kmacmillan@tresys.com> |
| 14 | * Added conditional policy language extensions |
| 15 | * Copyright (C) 2003 Tresys Technology, LLC |
| 16 | * |
| 17 | * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp> |
| 18 | * Tuned number of hash slots for avtab to reduce memory usage |
| 19 | */ |
| 20 | |
| 21 | #ifndef _SS_AVTAB_H_ |
| 22 | #define _SS_AVTAB_H_ |
| 23 | |
| 24 | #include "security.h" |
| 25 | |
| 26 | struct avtab_key { |
| 27 | u16 source_type; /* source type */ |
| 28 | u16 target_type; /* target type */ |
| 29 | u16 target_class; /* target object class */ |
| 30 | #define AVTAB_ALLOWED 0x0001 |
| 31 | #define AVTAB_AUDITALLOW 0x0002 |
| 32 | #define AVTAB_AUDITDENY 0x0004 |
| 33 | #define AVTAB_AV (AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY) |
| 34 | #define AVTAB_TRANSITION 0x0010 |
| 35 | #define AVTAB_MEMBER 0x0020 |
| 36 | #define AVTAB_CHANGE 0x0040 |
| 37 | #define AVTAB_TYPE (AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE) |
| 38 | /* extended permissions */ |
| 39 | #define AVTAB_XPERMS_ALLOWED 0x0100 |
| 40 | #define AVTAB_XPERMS_AUDITALLOW 0x0200 |
| 41 | #define AVTAB_XPERMS_DONTAUDIT 0x0400 |
| 42 | #define AVTAB_XPERMS \ |
| 43 | (AVTAB_XPERMS_ALLOWED | AVTAB_XPERMS_AUDITALLOW | \ |
| 44 | AVTAB_XPERMS_DONTAUDIT) |
| 45 | #define AVTAB_ENABLED_OLD 0x80000000 /* reserved for used in cond_avtab */ |
| 46 | #define AVTAB_ENABLED 0x8000 /* reserved for used in cond_avtab */ |
| 47 | u16 specified; /* what field is specified */ |
| 48 | }; |
| 49 | |
| 50 | /* |
| 51 | * For operations that require more than the 32 permissions provided by the avc |
| 52 | * extended permissions may be used to provide 256 bits of permissions. |
| 53 | */ |
| 54 | struct avtab_extended_perms { |
| 55 | /* These are not flags. All 256 values may be used */ |
| 56 | #define AVTAB_XPERMS_IOCTLFUNCTION 0x01 |
| 57 | #define AVTAB_XPERMS_IOCTLDRIVER 0x02 |
| 58 | #define AVTAB_XPERMS_NLMSG 0x03 |
| 59 | /* extension of the avtab_key specified */ |
| 60 | u8 specified; /* ioctl, netfilter, ... */ |
| 61 | /* |
| 62 | * if 256 bits is not adequate as is often the case with ioctls, then |
| 63 | * multiple extended perms may be used and the driver field |
| 64 | * specifies which permissions are included. |
| 65 | */ |
| 66 | u8 driver; |
| 67 | /* 256 bits of permissions */ |
| 68 | struct extended_perms_data perms; |
| 69 | }; |
| 70 | |
| 71 | struct avtab_datum { |
| 72 | union { |
| 73 | u32 data; /* access vector or type value */ |
| 74 | struct avtab_extended_perms *xperms; |
| 75 | } u; |
| 76 | }; |
| 77 | |
| 78 | struct avtab_node { |
| 79 | struct avtab_key key; |
| 80 | struct avtab_datum datum; |
| 81 | struct avtab_node *next; |
| 82 | }; |
| 83 | |
| 84 | struct avtab { |
| 85 | struct avtab_node **htable; |
| 86 | u32 nel; /* number of elements */ |
| 87 | u32 nslot; /* number of hash slots */ |
| 88 | u32 mask; /* mask to compute hash func */ |
| 89 | }; |
| 90 | |
| 91 | void avtab_init(struct avtab *h); |
| 92 | int avtab_alloc(struct avtab *h, u32 nrules); |
| 93 | int avtab_alloc_dup(struct avtab *new, const struct avtab *orig); |
| 94 | void avtab_destroy(struct avtab *h); |
| 95 | |
| 96 | #define MAX_AVTAB_HASH_BITS 16 |
| 97 | #define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS) |
| 98 | |
| 99 | #ifdef CONFIG_SECURITY_SELINUX_DEBUG |
| 100 | void avtab_hash_eval(struct avtab *h, const char *tag); |
| 101 | #else |
| 102 | static inline void avtab_hash_eval(struct avtab *h, const char *tag) |
| 103 | { |
| 104 | } |
| 105 | #endif |
| 106 | |
| 107 | struct policydb; |
| 108 | struct policy_file; |
| 109 | int avtab_read_item(struct avtab *a, struct policy_file *fp, struct policydb *pol, |
| 110 | int (*insert)(struct avtab *a, const struct avtab_key *k, |
| 111 | const struct avtab_datum *d, void *p), |
| 112 | void *p, bool conditional); |
| 113 | |
| 114 | int avtab_read(struct avtab *a, struct policy_file *fp, struct policydb *pol); |
| 115 | int avtab_write_item(struct policydb *p, const struct avtab_node *cur, |
| 116 | struct policy_file *fp); |
| 117 | int avtab_write(struct policydb *p, struct avtab *a, struct policy_file *fp); |
| 118 | |
| 119 | struct avtab_node *avtab_insert_nonunique(struct avtab *h, |
| 120 | const struct avtab_key *key, |
| 121 | const struct avtab_datum *datum); |
| 122 | |
| 123 | struct avtab_node *avtab_search_node(struct avtab *h, |
| 124 | const struct avtab_key *key); |
| 125 | struct avtab_node *avtab_search_node_next(struct avtab_node *node, |
| 126 | u16 specified); |
| 127 | |
| 128 | #endif /* _SS_AVTAB_H_ */ |
| 129 |
Generated while processing Linux/security/selinux/ss/avtab.c
Generated on 2025-Oct-12 from project Linux revision 6.17.0 (67029a49db6c)
Powered by 
Code Browser 2.1
Generator usage only permitted with license.