1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3 * Security server interface.
4 *
5 * Author : Stephen Smalley, <sds@tycho.nsa.gov>
6 *
7 */
8
9 #ifndef _SELINUX_SECURITY_H_
10 #define _SELINUX_SECURITY_H_
11
12 #include <linux/compiler.h>
13 #include <linux/dcache.h>
14 #include <linux/magic.h>
15 #include <linux/types.h>
16 #include <linux/refcount.h>
17 #include <linux/workqueue.h>
18 #include "flask.h"
19
20 #define SECSID_NULL 0x00000000 /* unspecified SID */
21 #define SECSID_WILD 0xffffffff /* wildcard SID */
22 #define SECCLASS_NULL 0x0000 /* no class */
23
24 /* Identify specific policy version changes */
25 #define POLICYDB_VERSION_BASE 15
26 #define POLICYDB_VERSION_BOOL 16
27 #define POLICYDB_VERSION_IPV6 17
28 #define POLICYDB_VERSION_NLCLASS 18
29 #define POLICYDB_VERSION_VALIDATETRANS 19
30 #define POLICYDB_VERSION_MLS 19
31 #define POLICYDB_VERSION_AVTAB 20
32 #define POLICYDB_VERSION_RANGETRANS 21
33 #define POLICYDB_VERSION_POLCAP 22
34 #define POLICYDB_VERSION_PERMISSIVE 23
35 #define POLICYDB_VERSION_BOUNDARY 24
36 #define POLICYDB_VERSION_FILENAME_TRANS 25
37 #define POLICYDB_VERSION_ROLETRANS 26
38 #define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27
39 #define POLICYDB_VERSION_DEFAULT_TYPE 28
40 #define POLICYDB_VERSION_CONSTRAINT_NAMES 29
41 #define POLICYDB_VERSION_XPERMS_IOCTL 30
42 #define POLICYDB_VERSION_INFINIBAND 31
43
44 /* Range of policy versions we understand*/
45 #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
46 #define POLICYDB_VERSION_MAX POLICYDB_VERSION_INFINIBAND
47
48 /* Mask for just the mount related flags */
49 #define SE_MNTMASK 0x0f
50 /* Super block security struct flags for mount options */
51 /* BE CAREFUL, these need to be the low order bits for selinux_get_mnt_opts */
52 #define CONTEXT_MNT 0x01
53 #define FSCONTEXT_MNT 0x02
54 #define ROOTCONTEXT_MNT 0x04
55 #define DEFCONTEXT_MNT 0x08
56 #define SBLABEL_MNT 0x10
57 /* Non-mount related flags */
58 #define SE_SBINITIALIZED 0x0100
59 #define SE_SBPROC 0x0200
60 #define SE_SBGENFS 0x0400
61 #define SE_SBGENFS_XATTR 0x0800
62
63 #define CONTEXT_STR "context"
64 #define FSCONTEXT_STR "fscontext"
65 #define ROOTCONTEXT_STR "rootcontext"
66 #define DEFCONTEXT_STR "defcontext"
67 #define SECLABEL_STR "seclabel"
68
69 struct netlbl_lsm_secattr;
70
71 extern int selinux_enabled;
72
73 /* Policy capabilities */
74 enum {
75 POLICYDB_CAPABILITY_NETPEER,
76 POLICYDB_CAPABILITY_OPENPERM,
77 POLICYDB_CAPABILITY_EXTSOCKCLASS,
78 POLICYDB_CAPABILITY_ALWAYSNETWORK,
79 POLICYDB_CAPABILITY_CGROUPSECLABEL,
80 POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION,
81 __POLICYDB_CAPABILITY_MAX
82 };
83 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
84
85 extern const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX];
86
87 /*
88 * type_datum properties
89 * available at the kernel policy version >= POLICYDB_VERSION_BOUNDARY
90 */
91 #define TYPEDATUM_PROPERTY_PRIMARY 0x0001
92 #define TYPEDATUM_PROPERTY_ATTRIBUTE 0x0002
93
94 /* limitation of boundary depth */
95 #define POLICYDB_BOUNDS_MAXDEPTH 4
96
97 struct selinux_avc;
98 struct selinux_ss;
99
100 struct selinux_state {
101 bool disabled;
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 bool enforcing;
104 #endif
105 bool checkreqprot;
106 bool initialized;
107 bool policycap[__POLICYDB_CAPABILITY_MAX];
108 bool android_netlink_route;
109 bool android_netlink_getneigh;
110
111 struct selinux_avc *avc;
112 struct selinux_ss *ss;
113 };
114
115 void selinux_ss_init(struct selinux_ss **ss);
116 void selinux_avc_init(struct selinux_avc **avc);
117
118 extern struct selinux_state selinux_state;
119
120 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
enforcing_enabled(struct selinux_state * state)121 static inline bool enforcing_enabled(struct selinux_state *state)
122 {
123 return state->enforcing;
124 }
125
enforcing_set(struct selinux_state * state,bool value)126 static inline void enforcing_set(struct selinux_state *state, bool value)
127 {
128 state->enforcing = value;
129 }
130 #else
enforcing_enabled(struct selinux_state * state)131 static inline bool enforcing_enabled(struct selinux_state *state)
132 {
133 return true;
134 }
135
enforcing_set(struct selinux_state * state,bool value)136 static inline void enforcing_set(struct selinux_state *state, bool value)
137 {
138 }
139 #endif
140
selinux_policycap_netpeer(void)141 static inline bool selinux_policycap_netpeer(void)
142 {
143 struct selinux_state *state = &selinux_state;
144
145 return state->policycap[POLICYDB_CAPABILITY_NETPEER];
146 }
147
selinux_policycap_openperm(void)148 static inline bool selinux_policycap_openperm(void)
149 {
150 struct selinux_state *state = &selinux_state;
151
152 return state->policycap[POLICYDB_CAPABILITY_OPENPERM];
153 }
154
selinux_policycap_extsockclass(void)155 static inline bool selinux_policycap_extsockclass(void)
156 {
157 struct selinux_state *state = &selinux_state;
158
159 return state->policycap[POLICYDB_CAPABILITY_EXTSOCKCLASS];
160 }
161
selinux_policycap_alwaysnetwork(void)162 static inline bool selinux_policycap_alwaysnetwork(void)
163 {
164 struct selinux_state *state = &selinux_state;
165
166 return state->policycap[POLICYDB_CAPABILITY_ALWAYSNETWORK];
167 }
168
selinux_policycap_cgroupseclabel(void)169 static inline bool selinux_policycap_cgroupseclabel(void)
170 {
171 struct selinux_state *state = &selinux_state;
172
173 return state->policycap[POLICYDB_CAPABILITY_CGROUPSECLABEL];
174 }
175
selinux_policycap_nnp_nosuid_transition(void)176 static inline bool selinux_policycap_nnp_nosuid_transition(void)
177 {
178 struct selinux_state *state = &selinux_state;
179
180 return state->policycap[POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION];
181 }
182
selinux_android_nlroute_getlink(void)183 static inline bool selinux_android_nlroute_getlink(void)
184 {
185 struct selinux_state *state = &selinux_state;
186
187 return state->android_netlink_route;
188 }
189
selinux_android_nlroute_getneigh(void)190 static inline bool selinux_android_nlroute_getneigh(void)
191 {
192 struct selinux_state *state = &selinux_state;
193
194 return state->android_netlink_getneigh;
195 }
196
197 int security_mls_enabled(struct selinux_state *state);
198 int security_load_policy(struct selinux_state *state,
199 void *data, size_t len);
200 int security_read_policy(struct selinux_state *state,
201 void **data, size_t *len);
202 size_t security_policydb_len(struct selinux_state *state);
203
204 int security_policycap_supported(struct selinux_state *state,
205 unsigned int req_cap);
206
207 #define SEL_VEC_MAX 32
208 struct av_decision {
209 u32 allowed;
210 u32 auditallow;
211 u32 auditdeny;
212 u32 seqno;
213 u32 flags;
214 };
215
216 #define XPERMS_ALLOWED 1
217 #define XPERMS_AUDITALLOW 2
218 #define XPERMS_DONTAUDIT 4
219
220 #define security_xperm_set(perms, x) (perms[x >> 5] |= 1 << (x & 0x1f))
221 #define security_xperm_test(perms, x) (1 & (perms[x >> 5] >> (x & 0x1f)))
222 struct extended_perms_data {
223 u32 p[8];
224 };
225
226 struct extended_perms_decision {
227 u8 used;
228 u8 driver;
229 struct extended_perms_data *allowed;
230 struct extended_perms_data *auditallow;
231 struct extended_perms_data *dontaudit;
232 };
233
234 struct extended_perms {
235 u16 len; /* length associated decision chain */
236 struct extended_perms_data drivers; /* flag drivers that are used */
237 };
238
239 /* definitions of av_decision.flags */
240 #define AVD_FLAGS_PERMISSIVE 0x0001
241
242 void security_compute_av(struct selinux_state *state,
243 u32 ssid, u32 tsid,
244 u16 tclass, struct av_decision *avd,
245 struct extended_perms *xperms);
246
247 void security_compute_xperms_decision(struct selinux_state *state,
248 u32 ssid, u32 tsid, u16 tclass,
249 u8 driver,
250 struct extended_perms_decision *xpermd);
251
252 void security_compute_av_user(struct selinux_state *state,
253 u32 ssid, u32 tsid,
254 u16 tclass, struct av_decision *avd);
255
256 int security_transition_sid(struct selinux_state *state,
257 u32 ssid, u32 tsid, u16 tclass,
258 const struct qstr *qstr, u32 *out_sid);
259
260 int security_transition_sid_user(struct selinux_state *state,
261 u32 ssid, u32 tsid, u16 tclass,
262 const char *objname, u32 *out_sid);
263
264 int security_member_sid(struct selinux_state *state, u32 ssid, u32 tsid,
265 u16 tclass, u32 *out_sid);
266
267 int security_change_sid(struct selinux_state *state, u32 ssid, u32 tsid,
268 u16 tclass, u32 *out_sid);
269
270 int security_sid_to_context(struct selinux_state *state, u32 sid,
271 char **scontext, u32 *scontext_len);
272
273 int security_sid_to_context_force(struct selinux_state *state,
274 u32 sid, char **scontext, u32 *scontext_len);
275
276 int security_sid_to_context_inval(struct selinux_state *state,
277 u32 sid, char **scontext, u32 *scontext_len);
278
279 int security_context_to_sid(struct selinux_state *state,
280 const char *scontext, u32 scontext_len,
281 u32 *out_sid, gfp_t gfp);
282
283 int security_context_str_to_sid(struct selinux_state *state,
284 const char *scontext, u32 *out_sid, gfp_t gfp);
285
286 int security_context_to_sid_default(struct selinux_state *state,
287 const char *scontext, u32 scontext_len,
288 u32 *out_sid, u32 def_sid, gfp_t gfp_flags);
289
290 int security_context_to_sid_force(struct selinux_state *state,
291 const char *scontext, u32 scontext_len,
292 u32 *sid);
293
294 int security_get_user_sids(struct selinux_state *state,
295 u32 callsid, char *username,
296 u32 **sids, u32 *nel);
297
298 int security_port_sid(struct selinux_state *state,
299 u8 protocol, u16 port, u32 *out_sid);
300
301 int security_ib_pkey_sid(struct selinux_state *state,
302 u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
303
304 int security_ib_endport_sid(struct selinux_state *state,
305 const char *dev_name, u8 port_num, u32 *out_sid);
306
307 int security_netif_sid(struct selinux_state *state,
308 char *name, u32 *if_sid);
309
310 int security_node_sid(struct selinux_state *state,
311 u16 domain, void *addr, u32 addrlen,
312 u32 *out_sid);
313
314 int security_validate_transition(struct selinux_state *state,
315 u32 oldsid, u32 newsid, u32 tasksid,
316 u16 tclass);
317
318 int security_validate_transition_user(struct selinux_state *state,
319 u32 oldsid, u32 newsid, u32 tasksid,
320 u16 tclass);
321
322 int security_bounded_transition(struct selinux_state *state,
323 u32 oldsid, u32 newsid);
324
325 int security_sid_mls_copy(struct selinux_state *state,
326 u32 sid, u32 mls_sid, u32 *new_sid);
327
328 int security_net_peersid_resolve(struct selinux_state *state,
329 u32 nlbl_sid, u32 nlbl_type,
330 u32 xfrm_sid,
331 u32 *peer_sid);
332
333 int security_get_classes(struct selinux_state *state,
334 char ***classes, int *nclasses);
335 int security_get_permissions(struct selinux_state *state,
336 char *class, char ***perms, int *nperms);
337 int security_get_reject_unknown(struct selinux_state *state);
338 int security_get_allow_unknown(struct selinux_state *state);
339
340 #define SECURITY_FS_USE_XATTR 1 /* use xattr */
341 #define SECURITY_FS_USE_TRANS 2 /* use transition SIDs, e.g. devpts/tmpfs */
342 #define SECURITY_FS_USE_TASK 3 /* use task SIDs, e.g. pipefs/sockfs */
343 #define SECURITY_FS_USE_GENFS 4 /* use the genfs support */
344 #define SECURITY_FS_USE_NONE 5 /* no labeling support */
345 #define SECURITY_FS_USE_MNTPOINT 6 /* use mountpoint labeling */
346 #define SECURITY_FS_USE_NATIVE 7 /* use native label support */
347 #define SECURITY_FS_USE_MAX 7 /* Highest SECURITY_FS_USE_XXX */
348
349 int security_fs_use(struct selinux_state *state, struct super_block *sb);
350
351 int security_genfs_sid(struct selinux_state *state,
352 const char *fstype, char *name, u16 sclass,
353 u32 *sid);
354
355 #ifdef CONFIG_NETLABEL
356 int security_netlbl_secattr_to_sid(struct selinux_state *state,
357 struct netlbl_lsm_secattr *secattr,
358 u32 *sid);
359
360 int security_netlbl_sid_to_secattr(struct selinux_state *state,
361 u32 sid,
362 struct netlbl_lsm_secattr *secattr);
363 #else
security_netlbl_secattr_to_sid(struct selinux_state * state,struct netlbl_lsm_secattr * secattr,u32 * sid)364 static inline int security_netlbl_secattr_to_sid(struct selinux_state *state,
365 struct netlbl_lsm_secattr *secattr,
366 u32 *sid)
367 {
368 return -EIDRM;
369 }
370
security_netlbl_sid_to_secattr(struct selinux_state * state,u32 sid,struct netlbl_lsm_secattr * secattr)371 static inline int security_netlbl_sid_to_secattr(struct selinux_state *state,
372 u32 sid,
373 struct netlbl_lsm_secattr *secattr)
374 {
375 return -ENOENT;
376 }
377 #endif /* CONFIG_NETLABEL */
378
379 const char *security_get_initial_sid_context(u32 sid);
380
381 /*
382 * status notifier using mmap interface
383 */
384 extern struct page *selinux_kernel_status_page(struct selinux_state *state);
385
386 #define SELINUX_KERNEL_STATUS_VERSION 1
387 struct selinux_kernel_status {
388 u32 version; /* version number of thie structure */
389 u32 sequence; /* sequence number of seqlock logic */
390 u32 enforcing; /* current setting of enforcing mode */
391 u32 policyload; /* times of policy reloaded */
392 u32 deny_unknown; /* current setting of deny_unknown */
393 /*
394 * The version > 0 supports above members.
395 */
396 } __packed;
397
398 extern void selinux_status_update_setenforce(struct selinux_state *state,
399 int enforcing);
400 extern void selinux_status_update_policyload(struct selinux_state *state,
401 int seqno);
402 extern void selinux_complete_init(void);
403 extern int selinux_disable(struct selinux_state *state);
404 extern void exit_sel_fs(void);
405 extern struct path selinux_null;
406 extern struct vfsmount *selinuxfs_mount;
407 extern void selnl_notify_setenforce(int val);
408 extern void selnl_notify_policyload(u32 seqno);
409 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
410
411 extern void avtab_cache_init(void);
412 extern void ebitmap_cache_init(void);
413 extern void hashtab_cache_init(void);
414 extern void selinux_nlmsg_init(void);
415 extern int security_sidtab_hash_stats(struct selinux_state *state, char *page);
416
417 #endif /* _SELINUX_SECURITY_H_ */
418