selinux/ss/avtab.h

0001 /* SPDX-License-Identifier: GPL-2.0-only */
0002 /*
0003  * An access vector table (avtab) is a hash table
0004  * of access vectors and transition types indexed
0005  * by a type pair and a class.  An access vector
0006  * table is used to represent the type enforcement
0007  * tables.
0008  *
0009  *  Author : Stephen Smalley, <sds@tycho.nsa.gov>
0010  */
0011
0012 /* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
0013  *
0014  *  Added conditional policy language extensions
0015  *
0016  * Copyright (C) 2003 Tresys Technology, LLC
0017  *
0018  * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
0019  *  Tuned number of hash slots for avtab to reduce memory usage
0020  */
0021 #ifndef _SS_AVTAB_H_
0022 #define _SS_AVTAB_H_
0023
0024 #include "security.h"
0025
0026 struct avtab_key {
0027     u16 source_type;    /* source type */
0028     u16 target_type;    /* target type */
0029     u16 target_class;   /* target object class */
0030 #define AVTAB_ALLOWED       0x0001
0031 #define AVTAB_AUDITALLOW    0x0002
0032 #define AVTAB_AUDITDENY     0x0004
0033 #define AVTAB_AV        (AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY)
0034 #define AVTAB_TRANSITION    0x0010
0035 #define AVTAB_MEMBER        0x0020
0036 #define AVTAB_CHANGE        0x0040
0037 #define AVTAB_TYPE      (AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
0038 /* extended permissions */
0039 #define AVTAB_XPERMS_ALLOWED    0x0100
0040 #define AVTAB_XPERMS_AUDITALLOW 0x0200
0041 #define AVTAB_XPERMS_DONTAUDIT  0x0400
0042 #define AVTAB_XPERMS        (AVTAB_XPERMS_ALLOWED | \
0043                 AVTAB_XPERMS_AUDITALLOW | \
0044                 AVTAB_XPERMS_DONTAUDIT)
0045 #define AVTAB_ENABLED_OLD   0x80000000 /* reserved for used in cond_avtab */
0046 #define AVTAB_ENABLED       0x8000 /* reserved for used in cond_avtab */
0047     u16 specified;  /* what field is specified */
0048 };
0049
0050 /*
0051  * For operations that require more than the 32 permissions provided by the avc
0052  * extended permissions may be used to provide 256 bits of permissions.
0053  */
0054 struct avtab_extended_perms {
0055 /* These are not flags. All 256 values may be used */
0056 #define AVTAB_XPERMS_IOCTLFUNCTION  0x01
0057 #define AVTAB_XPERMS_IOCTLDRIVER    0x02
0058     /* extension of the avtab_key specified */
0059     u8 specified; /* ioctl, netfilter, ... */
0060     /*
0061      * if 256 bits is not adequate as is often the case with ioctls, then
0062      * multiple extended perms may be used and the driver field
0063      * specifies which permissions are included.
0064      */
0065     u8 driver;
0066     /* 256 bits of permissions */
0067     struct extended_perms_data perms;
0068 };
0069
0070 struct avtab_datum {
0071     union {
0072         u32 data; /* access vector or type value */
0073         struct avtab_extended_perms *xperms;
0074     } u;
0075 };
0076
0077 struct avtab_node {
0078     struct avtab_key key;
0079     struct avtab_datum datum;
0080     struct avtab_node *next;
0081 };
0082
0083 struct avtab {
0084     struct avtab_node **htable;
0085     u32 nel;    /* number of elements */
0086     u32 nslot;      /* number of hash slots */
0087     u32 mask;       /* mask to compute hash func */
0088 };
0089
0090 void avtab_init(struct avtab *h);
0091 int avtab_alloc(struct avtab *, u32);
0092 int avtab_alloc_dup(struct avtab *new, const struct avtab *orig);
0093 struct avtab_datum *avtab_search(struct avtab *h, const struct avtab_key *k);
0094 void avtab_destroy(struct avtab *h);
0095 void avtab_hash_eval(struct avtab *h, char *tag);
0096
0097 struct policydb;
0098 int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
0099             int (*insert)(struct avtab *a, const struct avtab_key *k,
0100                   const struct avtab_datum *d, void *p),
0101             void *p);
0102
0103 int avtab_read(struct avtab *a, void *fp, struct policydb *pol);
0104 int avtab_write_item(struct policydb *p, const struct avtab_node *cur, void *fp);
0105 int avtab_write(struct policydb *p, struct avtab *a, void *fp);
0106
0107 struct avtab_node *avtab_insert_nonunique(struct avtab *h,
0108                       const struct avtab_key *key,
0109                       const struct avtab_datum *datum);
0110
0111 struct avtab_node *avtab_search_node(struct avtab *h,
0112                      const struct avtab_key *key);
0113
0114 struct avtab_node *avtab_search_node_next(struct avtab_node *node, int specified);
0115
0116 #define MAX_AVTAB_HASH_BITS 16
0117 #define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS)
0118
0119 #endif  /* _SS_AVTAB_H_ */
0120