/*
 * Labeling interface for userspace object managers and others.
 *
 * Author : Eamon Walsh <ewalsh@tycho.nsa.gov>
 */
#ifndef _SELABEL_H_
#define _SELABEL_H_

#include <stdbool.h>
#include <stdint.h>
#include <sys/types.h>
#include <selinux/selinux.h>

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Opaque type used for all label handles.
 * Callers only ever hold a pointer; the layout is private to the library.
 */

struct selabel_handle;

/*
 * Available backends.
 * Passed as the @backend argument of selabel_open().
 */

/* file contexts */
#define SELABEL_CTX_FILE 0
/* media contexts */
#define SELABEL_CTX_MEDIA 1
/* x contexts */
#define SELABEL_CTX_X 2
/* db objects */
#define SELABEL_CTX_DB 3
/* Android property service contexts */
#define SELABEL_CTX_ANDROID_PROP 4
/* Android service contexts */
#define SELABEL_CTX_ANDROID_SERVICE 5
/* Android keystore key contexts */
#define SELABEL_CTX_ANDROID_KEYSTORE2_KEY 6

/*
 * Available options
 * Used as the option type in the selinux_opt array given to selabel_open().
 */

/* no-op option, useful for unused slots in an array of options */
#define SELABEL_OPT_UNUSED 0
/* validate contexts before returning them (boolean value) */
/* NOTE(review): this is the only listed option that checks the contexts
 * read from backend data; without it a lookup presumably hands back whatever
 * the spec file contains — confirm against the backend implementation. */
#define SELABEL_OPT_VALIDATE 1
/* don't use local customizations to backend data (boolean value) */
#define SELABEL_OPT_BASEONLY 2
/* specify an alternate path to use when loading backend data */
#define SELABEL_OPT_PATH 3
/* select a subset of the search space as an optimization (file backend) */
#define SELABEL_OPT_SUBSET 4
/* require a hash calculation on spec files */
#define SELABEL_OPT_DIGEST 5
/* total number of options */
#define SELABEL_NOPT 6

/*
 * Label operations
 */

/**
 * selabel_open - Create a labeling handle.
 * @backend: one of the SELABEL_CTX_* constants specifying a supported
 *           labeling backend.
 * @opts: array of selinux_opt structures specifying label options or NULL.
 * @nopts: number of elements in opts array or zero for no options.
 *
 * Open a labeling backend for use. The available backend identifiers are
 * listed above. Options may be provided via the opts parameter; available
 * options are listed above (SELABEL_OPT_*). Not all options may be supported
 * by every backend. Return value is the created handle on success or NULL
 * with @errno set on failure. The returned handle is owned by the caller and
 * must be released with selabel_close().
 */
extern struct selabel_handle *selabel_open(unsigned int backend,
					   const struct selinux_opt *opts,
					   unsigned nopts);

/**
 * selabel_close - Close a labeling handle.
 * @handle: specifies handle to close
 *
 * Destroy the specified handle, closing files, freeing allocated memory,
 * etc. The handle may not be further used after it has been closed.
 */
extern void selabel_close(struct selabel_handle *handle);

/**
 * selabel_lookup - Perform labeling lookup operation.
 * @handle: specifies backend instance to query
 * @con: returns the appropriate context with which to label the object
 * @key: string input to lookup operation
 * @type: numeric input to the lookup operation
 *
 * Perform a labeling lookup operation. Return %0 on success, -%1 with
 * @errno set on failure. The key and type arguments are the inputs to the
 * lookup operation; appropriate values are dictated by the backend in use
 * (see the SELABEL_X_* and SELABEL_DB_* type codes below). The result is
 * returned in the memory pointed to by @con and must be freed by the user
 * with freecon().
 *
 * selabel_lookup_raw() takes the same arguments; by libselinux convention
 * the _raw variant presumably returns the context without translation —
 * confirm against the implementation.
 */
extern int selabel_lookup(struct selabel_handle *handle, char **con,
			  const char *key, int type);
extern int selabel_lookup_raw(struct selabel_handle *handle, char **con,
			      const char *key, int type);

/**
 * selabel_partial_match - Test whether @key partially matches any entry.
 * @handle: specifies backend instance to query
 * @key: string input to the match operation
 *
 * Returns true or false; the exact matching rule is backend-specific and not
 * stated here — consult the backend.
 */
extern bool selabel_partial_match(struct selabel_handle *handle, const char *key);

/**
 * selabel_get_digests_all_partial_matches - Digests over all partial matches
 *                                            of @key.
 * @rec: specifies backend instance to query
 * @key: string input to the match operation
 * @calculated_digest: returns a pointer to the digest computed by the library
 * @xattr_digest: returns a pointer to the digest read back for comparison
 * @digest_len: returns the length in bytes of both digests
 *
 * Returns a bool; whether true means "digests agree" and who owns the
 * returned digest memory is not stated here — TODO confirm against the
 * implementation before relying on it as an integrity check.
 *
 * selabel_hash_all_partial_matches() writes the computed digest into the
 * caller-supplied @digest buffer. The required buffer size is not given in
 * this header — confirm it before calling; an undersized buffer is an
 * out-of-bounds write.
 */
extern bool selabel_get_digests_all_partial_matches(struct selabel_handle *rec,
						    const char *key,
						    uint8_t **calculated_digest,
						    uint8_t **xattr_digest,
						    size_t *digest_len);
extern bool selabel_hash_all_partial_matches(struct selabel_handle *rec,
					     const char *key, uint8_t* digest);

/**
 * selabel_lookup_best_match - Lookup with alias paths.
 * @rec: specifies backend instance to query
 * @con: returns the context, to be freed by the caller with freecon()
 * @key: primary string input to the lookup operation
 * @aliases: array of alternative keys; presumably NULL-terminated — confirm
 * @type: numeric input to the lookup operation
 *
 * Same return convention as selabel_lookup(): %0 on success, -%1 with @errno
 * set on failure. selabel_lookup_best_match_raw() is the _raw variant.
 */
extern int selabel_lookup_best_match(struct selabel_handle *rec, char **con,
				     const char *key, const char **aliases, int type);
extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,
					 const char *key, const char **aliases, int type);

/**
 * selabel_digest - Retrieve the SHA1 digest and the list of specfiles used to
 *		    generate the digest. The SELABEL_OPT_DIGEST option must
 *		    be set in selabel_open() to initiate the digest generation.
 * @rec: specifies backend instance to query
 * @digest: returns a pointer to the SHA1 digest.
 * @digest_len: returns length of digest in bytes.
 * @specfiles: a list of specfiles used in the SHA1 digest generation.
 *	       The list is NULL terminated and will hold @num_specfiles entries.
 * @num_specfiles: number of specfiles in the list.
 *
 * Return %0 on success, -%1 with @errno set on failure.
 * NOTE(review): ownership of @digest and @specfiles is not stated here;
 * presumably they reference memory owned by @rec and are invalid after
 * selabel_close() — confirm. SHA1 identifies the spec-file set; it is not a
 * collision-resistant integrity primitive against an adversary who can edit
 * the spec files.
 */
extern int selabel_digest(struct selabel_handle *rec,
			  unsigned char **digest, size_t *digest_len,
			  char ***specfiles, size_t *num_specfiles);

/* Result of selabel_cmp(); describes how @h1 relates to @h2. */
enum selabel_cmp_result {
	SELABEL_SUBSET,
	SELABEL_EQUAL,
	SELABEL_SUPERSET,
	SELABEL_INCOMPARABLE
};

/**
 * selabel_cmp - Compare two label configurations.
 * @h1: handle for the first label configuration
 * @h2: handle for the second label configuration
 *
 * Compare two label configurations.
 * Return %SELABEL_SUBSET if @h1 is a subset of @h2, %SELABEL_EQUAL
 * if @h1 is identical to @h2, %SELABEL_SUPERSET if @h1 is a superset
 * of @h2, and %SELABEL_INCOMPARABLE if @h1 and @h2 are incomparable.
 */
extern enum selabel_cmp_result selabel_cmp(struct selabel_handle *h1,
					   struct selabel_handle *h2);

/**
 * selabel_stats - log labeling operation statistics.
 * @handle: specifies backend instance to query
 *
 * Log a message with information about the number of queries performed,
 * number of unused matching entries, or other operational statistics.
 * Message is backend-specific, some backends may not output a message.
 */
extern void selabel_stats(struct selabel_handle *handle);

/*
 * Type codes used by specific backends
 * Passed as the @type argument of the lookup functions above.
 */

/* X backend */
#define SELABEL_X_PROP 1
#define SELABEL_X_EXT 2
#define SELABEL_X_CLIENT 3
#define SELABEL_X_EVENT 4
#define SELABEL_X_SELN 5
#define SELABEL_X_POLYPROP 6
#define SELABEL_X_POLYSELN 7

/* DB backend */
#define SELABEL_DB_DATABASE 1
#define SELABEL_DB_SCHEMA 2
#define SELABEL_DB_TABLE 3
#define SELABEL_DB_COLUMN 4
#define SELABEL_DB_SEQUENCE 5
#define SELABEL_DB_VIEW 6
#define SELABEL_DB_PROCEDURE 7
#define SELABEL_DB_BLOB 8
#define SELABEL_DB_TUPLE 9
#define SELABEL_DB_LANGUAGE 10
#define SELABEL_DB_EXCEPTION 11
#define SELABEL_DB_DATATYPE 12

#ifdef __cplusplus
}
#endif
#endif /* _SELABEL_H_ */