1 
2 /* -*- linux-c -*- */
3 
4 /*
5  * Author : Stephen Smalley, <sds@tycho.nsa.gov>
6  */
7 
8 #ifndef _SEPOL_POLICYDB_SERVICES_H_
9 #define _SEPOL_POLICYDB_SERVICES_H_
10 
11 /*
12  * Security server interface.
13  */
14 
15 #include <sepol/policydb/flask_types.h>
16 #include <sepol/policydb/policydb.h>
17 #include <stddef.h>
18 
19 #ifdef __cplusplus
20 extern "C" {
21 #endif
22 
23 /* Set the policydb and sidtab structures to be used by
24    the service functions.  If not set, then these default
25    to private structures within libsepol that can only be
26    initialized and accessed via the service functions themselves.
27    Setting the structures explicitly allows a program to directly
28    manipulate them, e.g. checkpolicy populates the structures directly
29    from a source policy rather than from a binary policy. */
30 extern int sepol_set_policydb(policydb_t * p);
31 extern int sepol_set_sidtab(sidtab_t * s);
32 
33 /* Load the security policy. This initializes the policydb
34    and sidtab based on the provided binary policy. */
35 extern int sepol_load_policy(void *data, size_t len);
36 
37 /*
38  * Compute access vectors based on a SID pair for
39  * the permissions in a particular class.
40  */
41 extern int sepol_compute_av(sepol_security_id_t ssid,	/* IN */
42 			    sepol_security_id_t tsid,	/* IN */
43 			    sepol_security_class_t tclass,	/* IN */
44 			    sepol_access_vector_t requested,	/* IN */
45 			    struct sepol_av_decision *avd);	/* OUT */
46 
47 /* Same as above, but also return the reason(s) for any
48    denials of the requested permissions. */
49 #define SEPOL_COMPUTEAV_TE     0x1U
50 #define SEPOL_COMPUTEAV_CONS   0x2U
51 #define SEPOL_COMPUTEAV_RBAC   0x4U
52 #define SEPOL_COMPUTEAV_BOUNDS 0x8U
53 extern int sepol_compute_av_reason(sepol_security_id_t ssid,
54 				   sepol_security_id_t tsid,
55 				   sepol_security_class_t tclass,
56 				   sepol_access_vector_t requested,
57 				   struct sepol_av_decision *avd,
58 				   unsigned int *reason);
59 
60 /*
61  * Same as above, but also returns the constraint expression calculations,
62  * whether allowed or denied, in a buffer. This buffer is allocated by
63  * this call and must be free'd by the caller using free(3). The constraint
64  * buffer will contain any constraints in infix notation.
65  * If the SHOW_GRANTED flag is set it will show granted and denied
66  * constraints. The default is to show only denied constraints.
67  */
68 #define SHOW_GRANTED 1
69 extern int sepol_compute_av_reason_buffer(sepol_security_id_t ssid,
70 				   sepol_security_id_t tsid,
71 				   sepol_security_class_t tclass,
72 				   sepol_access_vector_t requested,
73 				   struct sepol_av_decision *avd,
74 				   unsigned int *reason,
75 				   char **reason_buf,
76 				   unsigned int flags);
77 
78 /*
79  * Returns the mls/validatetrans constraint expression calculations in
80  * a buffer that must be free'd by the caller using free(3).
81  * If the SHOW_GRANTED flag is set it will show granted and denied
82  * mls/validatetrans (the default is to show only those denied).
83  */
84 extern int sepol_validate_transition_reason_buffer(sepol_security_id_t oldsid,
85 					sepol_security_id_t newsid,
86 					sepol_security_id_t tasksid,
87 					sepol_security_class_t tclass,
88 					char **reason_buf,
89 					unsigned int flags);
90 
91 /*
92  * Return a class ID associated with the class string representation
93  * specified by `class_name'.
94  */
95 extern int sepol_string_to_security_class(const char *class_name,
96 					sepol_security_class_t  *tclass);
97 
98 /*
99  * Return a permission av bit associated with tclass and the string
100  * representation of the `perm_name'.
101  */
102 extern int sepol_string_to_av_perm(sepol_security_class_t tclass,
103 					const char *perm_name,
104 					sepol_access_vector_t *av);
105 
106 /*
107  * Return a string representation of the permission av bit associated with
108  * tclass.
109  * Returns a pointer to an internal buffer that is overwritten by the next
110  * call to this function or sepol_av_to_string(); copy it before then.
111  */
112  extern const char *sepol_av_perm_to_string(sepol_security_class_t tclass,
113 					sepol_access_vector_t av);
114 
115 /*
116  * Compute a SID to use for labeling a new object in the
117  * class `tclass' based on a SID pair.
118  */
119 extern int sepol_transition_sid(sepol_security_id_t ssid,	/* IN */
120 				sepol_security_id_t tsid,	/* IN */
121 				sepol_security_class_t tclass,	/* IN */
122 				sepol_security_id_t * out_sid);	/* OUT */
123 
124 /*
125  * Compute a SID to use when selecting a member of a
126  * polyinstantiated object of class `tclass' based on
127  * a SID pair.
128  */
129 extern int sepol_member_sid(sepol_security_id_t ssid,	/* IN */
130 			    sepol_security_id_t tsid,	/* IN */
131 			    sepol_security_class_t tclass,	/* IN */
132 			    sepol_security_id_t * out_sid);	/* OUT */
133 
134 /*
135  * Compute a SID to use for relabeling an object in the
136  * class `tclass' based on a SID pair.
137  */
138 extern int sepol_change_sid(sepol_security_id_t ssid,	/* IN */
139 			    sepol_security_id_t tsid,	/* IN */
140 			    sepol_security_class_t tclass,	/* IN */
141 			    sepol_security_id_t * out_sid);	/* OUT */
142 
143 /*
144  * Write the security context string representation of
145  * the context associated with `sid' into a dynamically
146  * allocated string of the correct size.  Set `*scontext'
147  * to point to this string and set `*scontext_len' to
148  * the length of the string.
149  */
150 extern int sepol_sid_to_context(sepol_security_id_t sid,	/* IN */
151 				sepol_security_context_t * scontext,	/* OUT */
152 				size_t * scontext_len);	/* OUT */
153 
154 /*
155  * Return a SID associated with the security context that
156  * has the string representation specified by `scontext'.
157  */
158 extern int sepol_context_to_sid(sepol_const_security_context_t scontext,	/* IN */
159 				size_t scontext_len,	/* IN */
160 				sepol_security_id_t * out_sid);	/* OUT */
161 
162 /*
163  * Generate the set of SIDs for legal security contexts
164  * for a given user that can be reached by `fromsid'.
165  * Set `*sids' to point to a dynamically allocated
166  * array containing the set of SIDs.  Set `*nel' to the
167  * number of elements in the array.
168  */
169 extern int sepol_get_user_sids(sepol_security_id_t callsid,
170 			       char *username,
171 			       sepol_security_id_t ** sids, uint32_t * nel);
172 
173 /*
174  * Return the SIDs to use for an unlabeled file system
175  * that is being mounted from the device with the
177  * kdevname `name'.  The `fs_sid' SID is returned for
177  * the file system and the `file_sid' SID is returned
178  * for all files within that file system.
179  */
180 extern int sepol_fs_sid(char *dev,	/* IN */
181 			sepol_security_id_t * fs_sid,	/* OUT  */
182 			sepol_security_id_t * file_sid);	/* OUT */
183 
184 /*
185  * Return the SID of the port specified by
186  * `domain', `type', `protocol', and `port'.
187  */
188 extern int sepol_port_sid(uint16_t domain,
189 			  uint16_t type,
190 			  uint8_t protocol,
191 			  uint16_t port, sepol_security_id_t * out_sid);
192 
193 /*
194  * Return the SID of the ibpkey specified by
195  * `subnet prefix' and `pkey'.
196  */
197 extern int sepol_ibpkey_sid(uint64_t subnet_prefix_p,
198 			    uint16_t pkey,
199 			    sepol_security_id_t *out_sid);
200 
201 /*
202  * Return the SID of the ibendport specified by
203  * `dev_name' and `port'.
204  */
205 extern int sepol_ibendport_sid(char *dev_name,
206 			       uint8_t port,
207 			       sepol_security_id_t *out_sid);
208 
209 /*
210  * Return the SIDs to use for a network interface
211  * with the name `name'.  The `if_sid' SID is returned for
212  * the interface and the `msg_sid' SID is returned as
213  * the default SID for messages received on the
214  * interface.
215  */
216 extern int sepol_netif_sid(char *name,
217 			   sepol_security_id_t * if_sid,
218 			   sepol_security_id_t * msg_sid);
219 
220 /*
221  * Return the SID of the node specified by the address
222  * `addr' where `addrlen' is the length of the address
223  * in bytes and `domain' is the communications domain or
224  * address family in which the address should be interpreted.
225  */
226 extern int sepol_node_sid(uint16_t domain,
227 			  void *addr,
228 			  size_t addrlen, sepol_security_id_t * out_sid);
229 
230 /*
231  * Return a value indicating how to handle labeling for the
232  * specified filesystem type, and optionally return a SID
233  * for the filesystem object.
234  */
235 #define SECURITY_FS_USE_XATTR 1	/* use xattr */
236 #define SECURITY_FS_USE_TRANS 2	/* use transition SIDs, e.g. devpts/tmpfs */
237 #define SECURITY_FS_USE_TASK  3	/* use task SIDs, e.g. pipefs/sockfs */
238 #define SECURITY_FS_USE_GENFS 4	/* use the genfs support */
239 #define SECURITY_FS_USE_NONE  5	/* no labeling support */
240 extern int sepol_fs_use(const char *fstype,	/* IN */
241 			unsigned int *behavior,	/* OUT */
242 			sepol_security_id_t * sid);	/* OUT  */
243 
244 /*
245  * Return the SID to use for a file in a filesystem
246  * that cannot support a persistent label mapping or use another
247  * fixed labeling behavior like transition SIDs or task SIDs.
248  */
249 extern int sepol_genfs_sid(const char *fstype,	/* IN */
250 			   const char *name,	/* IN */
251 			   sepol_security_class_t sclass,	/* IN */
252 			   sepol_security_id_t * sid);	/* OUT  */
253 
254 #ifdef __cplusplus
255 }
256 #endif
257 
258 #endif
259