/* -*- linux-c -*- */

/*
 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
 */

#ifndef _SEPOL_POLICYDB_SERVICES_H_
#define _SEPOL_POLICYDB_SERVICES_H_

/*
 * Security server interface.
 *
 * Every function below returns an int status. The error convention is
 * not stated in this header (presumably 0 on success and non-zero on
 * failure -- confirm against the implementation). Callers must check
 * the result; the contents of any OUT parameter after a failed call are
 * unspecified here and must not be used.
 */

#include <sepol/policydb/flask_types.h>
#include <sepol/policydb/policydb.h>
#include <stddef.h>

#ifdef __cplusplus
extern "C" {
#endif

/* Set the policydb and sidtab structures to be used by
   the service functions. If not set, then these default
   to private structures within libsepol that can only be
   initialized and accessed via the service functions themselves.
   Setting the structures explicitly allows a program to directly
   manipulate them, e.g. checkpolicy populates the structures directly
   from a source policy rather than from a binary policy.
   NOTE(review): the library presumably retains the pointer rather than
   copying the structure, so `p` / `s` must remain valid for as long as
   any service function may run -- confirm in the implementation. */
extern int sepol_set_policydb(policydb_t * p);
extern int sepol_set_sidtab(sidtab_t * s);

/* Modify a policydb for boolean settings.
   `booleans` is presumably a path to a booleans file (cf. `usersdir`
   below); this header does not say -- confirm against the callers. */
int sepol_genbools_policydb(policydb_t * policydb, const char *booleans);

/* Modify a policydb for user settings taken from the directory `usersdir`. */
int sepol_genusers_policydb(policydb_t * policydb, const char *usersdir);

/* Load the security policy. This initializes the policydb
   and sidtab based on the provided binary policy.
   `data` points to `len` bytes of binary policy. Treat the buffer as
   untrusted input: `len` must be the exact size of the buffer (it is the
   only bound the parser receives), and the return value must be checked
   before the policydb or sidtab is relied upon. */
extern int sepol_load_policy(void *data, size_t len);

/*
 * Compute access vectors based on a SID pair for
 * the permissions in a particular class.
 * `requested` selects the permission bits of interest; the decision
 * is written to `*avd` (see struct sepol_av_decision in flask_types.h).
 */
extern int sepol_compute_av(sepol_security_id_t ssid, /* IN */
			    sepol_security_id_t tsid, /* IN */
			    sepol_security_class_t tclass, /* IN */
			    sepol_access_vector_t requested, /* IN */
			    struct sepol_av_decision *avd); /* OUT */

/* Same as above, but also return the reason(s) for any
   denials of the requested permissions.
   `*reason` receives a bitmask built from the SEPOL_COMPUTEAV_* values
   below: TE rules, constraints, RBAC, or type bounds. */
#define SEPOL_COMPUTEAV_TE 0x1U
#define SEPOL_COMPUTEAV_CONS 0x2U
#define SEPOL_COMPUTEAV_RBAC 0x4U
#define SEPOL_COMPUTEAV_BOUNDS 0x8U
extern int sepol_compute_av_reason(sepol_security_id_t ssid,
				   sepol_security_id_t tsid,
				   sepol_security_class_t tclass,
				   sepol_access_vector_t requested,
				   struct sepol_av_decision *avd,
				   unsigned int *reason);

/*
 * Same as above, but also returns the constraint expression calculations
 * whether allowed or denied in a buffer. This buffer is allocated by
 * this call and must be free'd by the caller using free(3). The constraint
 * buffer will contain any constraints in infix notation.
 * If the SHOW_GRANTED flag is set it will show granted and denied
 * constraints. The default is to show only denied constraints.
 *
 * NOTE(review): whether `*reason_buf` is written (e.g. set to NULL) when
 * the call fails is not stated here. Initialize `*reason_buf` to NULL
 * before the call and free it only after a successful return, so a stale
 * or uninitialized pointer is never passed to free(3).
 *
 * SHOW_GRANTED is an unprefixed name in a public header (unlike the
 * SEPOL_* macros above); it is kept as-is for source compatibility.
 */
#define SHOW_GRANTED 1
extern int sepol_compute_av_reason_buffer(sepol_security_id_t ssid,
					  sepol_security_id_t tsid,
					  sepol_security_class_t tclass,
					  sepol_access_vector_t requested,
					  struct sepol_av_decision *avd,
					  unsigned int *reason,
					  char **reason_buf,
					  unsigned int flags);

/*
 * Returns the mls/validatetrans constraint expression calculations in
 * a buffer that must be free'd by the caller using free(3).
 * If the SHOW_GRANTED flag is set it will show granted and denied
 * mls/validatetrans (the default is to show only those denied).
 * The same caveat as for sepol_compute_av_reason_buffer applies to
 * `*reason_buf`: initialize it to NULL and free it only on success.
 */
extern int sepol_validate_transition_reason_buffer(sepol_security_id_t oldsid,
						   sepol_security_id_t newsid,
						   sepol_security_id_t tasksid,
						   sepol_security_class_t tclass,
						   char **reason_buf,
						   unsigned int flags);

/*
 * Return a class ID associated with the class string representation
 * specified by `class_name'.
 * The lookup is against the currently loaded policy; an unknown name
 * is presumably reported through the return value -- check it before
 * using `*tclass`.
 */
extern int sepol_string_to_security_class(const char *class_name,
					  sepol_security_class_t *tclass);

/*
 * Return a permission av bit associated with tclass and the string
 * representation of the `perm_name'.
 * As above, check the return value before using `*av`.
 */
extern int sepol_string_to_av_perm(sepol_security_class_t tclass,
				   const char *perm_name,
				   sepol_access_vector_t *av);

/*
 * Compute a SID to use for labeling a new object in the
 * class `tclass' based on a SID pair.
 */
extern int sepol_transition_sid(sepol_security_id_t ssid, /* IN */
				sepol_security_id_t tsid, /* IN */
				sepol_security_class_t tclass, /* IN */
				sepol_security_id_t * out_sid); /* OUT */

/*
 * Compute a SID to use when selecting a member of a
 * polyinstantiated object of class `tclass' based on
 * a SID pair.
 */
extern int sepol_member_sid(sepol_security_id_t ssid, /* IN */
			    sepol_security_id_t tsid, /* IN */
			    sepol_security_class_t tclass, /* IN */
			    sepol_security_id_t * out_sid); /* OUT */

/*
 * Compute a SID to use for relabeling an object in the
 * class `tclass' based on a SID pair.
 */
extern int sepol_change_sid(sepol_security_id_t ssid, /* IN */
			    sepol_security_id_t tsid, /* IN */
			    sepol_security_class_t tclass, /* IN */
			    sepol_security_id_t * out_sid); /* OUT */

/*
 * Write the security context string representation of
 * the context associated with `sid' into a dynamically
 * allocated string of the correct size. Set `*scontext'
 * to point to this string and set `*scontext_len' to
 * the length of the string.
 * Ownership of the string passes to the caller, who must release it
 * (presumably with free(3), as for the reason buffers above -- confirm).
 * Whether `*scontext_len' counts the terminating NUL is not stated here.
 */
extern int sepol_sid_to_context(sepol_security_id_t sid, /* IN */
				sepol_security_context_t * scontext, /* OUT */
				size_t * scontext_len); /* OUT */

/*
 * Return a SID associated with the security context that
 * has the string representation specified by `scontext'.
 * `scontext_len' bounds how much of `scontext' is read; pass the true
 * length, since the context may come from an untrusted source.
 * NOTE(review): if sepol_security_context_t is a pointer typedef
 * (see flask_types.h), the `const' here qualifies the pointer itself,
 * not the characters it points to -- the callee may still write through it.
 */
extern int sepol_context_to_sid(const sepol_security_context_t scontext, /* IN */
				size_t scontext_len, /* IN */
				sepol_security_id_t * out_sid); /* OUT */

/*
 * Generate the set of SIDs for legal security contexts
 * for a given user that can be reached by `callsid'.
 * Set `*sids' to point to a dynamically allocated
 * array containing the set of SIDs. Set `*nel' to the
 * number of elements in the array.
 * The array is owned by the caller once returned (release it with the
 * allocator's free; presumably free(3) -- confirm). `username' is taken
 * as a non-const pointer; whether it is modified is not visible here.
 */
extern int sepol_get_user_sids(sepol_security_id_t callsid,
			       char *username,
			       sepol_security_id_t ** sids, uint32_t * nel);

/*
 * Return the SIDs to use for an unlabeled file system
 * that is being mounted from the device with the
 * kdevname `dev'. The `fs_sid' SID is returned for
 * the file system and the `file_sid' SID is returned
 * for all files within that file system.
 */
extern int sepol_fs_sid(char *dev, /* IN */
			sepol_security_id_t * fs_sid, /* OUT */
			sepol_security_id_t * file_sid); /* OUT */

/*
 * Return the SID of the port specified by
 * `domain', `type', `protocol', and `port'.
 * `port' is in host byte order as far as this header shows; confirm
 * against the implementation before passing a wire-order value.
 */
extern int sepol_port_sid(uint16_t domain,
			  uint16_t type,
			  uint8_t protocol,
			  uint16_t port, sepol_security_id_t * out_sid);

/*
 * Return the SIDs to use for a network interface
 * with the name `name'. The `if_sid' SID is returned for
 * the interface and the `msg_sid' SID is returned as
 * the default SID for messages received on the
 * interface.
 */
extern int sepol_netif_sid(char *name,
			   sepol_security_id_t * if_sid,
			   sepol_security_id_t * msg_sid);

/*
 * Return the SID of the node specified by the address
 * `addr' where `addrlen' is the length of the address
 * in bytes and `domain' is the communications domain or
 * address family in which the address should be interpreted.
 * `addrlen' must match the address size implied by `domain'
 * (e.g. 4 bytes for an IPv4 address, 16 for IPv6); the header does
 * not show what a mismatch does, so validate it at the call site.
 */
extern int sepol_node_sid(uint16_t domain,
			  void *addr,
			  size_t addrlen, sepol_security_id_t * out_sid);

/*
 * Return a value indicating how to handle labeling for the
 * specified filesystem type, and optionally return a SID
 * for the filesystem object.
 * `*behavior' receives one of the SECURITY_FS_USE_* values below.
 */
#define SECURITY_FS_USE_XATTR 1 /* use xattr */
#define SECURITY_FS_USE_TRANS 2 /* use transition SIDs, e.g. devpts/tmpfs */
#define SECURITY_FS_USE_TASK 3 /* use task SIDs, e.g. pipefs/sockfs */
#define SECURITY_FS_USE_GENFS 4 /* use the genfs support */
#define SECURITY_FS_USE_NONE 5 /* no labeling support */
extern int sepol_fs_use(const char *fstype, /* IN */
			unsigned int *behavior, /* OUT */
			sepol_security_id_t * sid); /* OUT */

/*
 * Return the SID to use for a file in a filesystem
 * that cannot support a persistent label mapping or use another
 * fixed labeling behavior like transition SIDs or task SIDs.
 * `name' is the path within the filesystem of type `fstype' and
 * `sclass' the object class of the file being labeled.
 */
extern int sepol_genfs_sid(const char *fstype, /* IN */
			   const char *name, /* IN */
			   sepol_security_class_t sclass, /* IN */
			   sepol_security_id_t * sid); /* OUT */

#ifdef __cplusplus
}
#endif

#endif