root/security/selinux/ss/avtab.h




   1 /* SPDX-License-Identifier: GPL-2.0-only */
   2 /*
   3  * An access vector table (avtab) is a hash table
   4  * of access vectors and transition types indexed
   5  * by a type pair and a class.  An access vector
   6  * table is used to represent the type enforcement
   7  * tables.
   8  *
   9  *  Author : Stephen Smalley, <sds@tycho.nsa.gov>
  10  */
  11 
  12 /* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
  13  *
  14  *      Added conditional policy language extensions
  15  *
  16  * Copyright (C) 2003 Tresys Technology, LLC
  17  *
  18  * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
  19  *      Tuned number of hash slots for avtab to reduce memory usage
  20  */
  21 #ifndef _SS_AVTAB_H_
  22 #define _SS_AVTAB_H_
  23 
  24 #include "security.h"
  25 
/*
 * Key of one avtab entry: the (source type, target type, target class)
 * triple, plus the AVTAB_* bits in @specified that say which kind of rule
 * the entry's datum holds.  The triple is what the hash is computed over.
 */
struct avtab_key {
	u16 source_type;	/* source type */
	u16 target_type;	/* target type */
	u16 target_class;	/* target object class */
/* Access-vector rules: the datum is a 32-bit permission vector. */
#define AVTAB_ALLOWED		0x0001
#define AVTAB_AUDITALLOW	0x0002
#define AVTAB_AUDITDENY		0x0004
#define AVTAB_AV		(AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY)
/* Type rules: the datum is a type value. */
#define AVTAB_TRANSITION	0x0010
#define AVTAB_MEMBER		0x0020
#define AVTAB_CHANGE		0x0040
#define AVTAB_TYPE		(AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
/*
 * Extended permissions.  For these the datum presumably carries the
 * avtab_extended_perms pointer rather than the u32 — confirm in avtab.c.
 */
#define AVTAB_XPERMS_ALLOWED	0x0100
#define AVTAB_XPERMS_AUDITALLOW	0x0200
#define AVTAB_XPERMS_DONTAUDIT	0x0400
#define AVTAB_XPERMS		(AVTAB_XPERMS_ALLOWED | \
				AVTAB_XPERMS_AUDITALLOW | \
				AVTAB_XPERMS_DONTAUDIT)
/*
 * Both ENABLED values are reserved for cond_avtab and must never be set by
 * ordinary rule parsing.  Note that AVTAB_ENABLED_OLD (0x80000000) cannot be
 * held in the 16-bit @specified field at all; by its name it looks like the
 * flag's encoding in an older policy format — TODO confirm where it is read.
 */
#define AVTAB_ENABLED_OLD   0x80000000 /* reserved for use in cond_avtab */
#define AVTAB_ENABLED		0x8000 /* reserved for use in cond_avtab */
	u16 specified;	/* which AVTAB_* kind(s) the datum carries */
};
  49 
/*
 * For operations that need more than the 32 permissions provided by the
 * avc's access vector, extended permissions may be used to supply 256 bits
 * of permissions per entry.
 */
/*
 * Datum of an AVTAB_XPERMS_* entry: one 256-bit permission bitmap plus the
 * two selector bytes that say which operation space the bitmap covers.
 */
struct avtab_extended_perms {
/*
 * Values for @specified.  These are NOT bit flags (unlike the AVTAB_*
 * key bits above); all 256 byte values are available as distinct kinds.
 */
#define AVTAB_XPERMS_IOCTLFUNCTION	0x01
#define AVTAB_XPERMS_IOCTLDRIVER	0x02
	/* extension of the avtab_key specified */
	u8 specified; /* ioctl, netfilter, ... */
	/*
	 * if 256 bits is not adequate as is often the case with ioctls, then
	 * multiple extended perms may be used and the driver field
	 * specifies which permissions are included.
	 */
	u8 driver;
	/*
	 * 256 bits of permissions.  extended_perms_data is not defined in this
	 * header; it presumably comes in through security.h — confirm.
	 */
	struct extended_perms_data perms;
};
  69 
/*
 * Payload of an avtab entry.  Only one union member is meaningful for a
 * given entry; which one is presumably decided by the AVTAB_* bits in the
 * owning avtab_key's @specified (AVTAB_AV / AVTAB_TYPE -> @data,
 * AVTAB_XPERMS -> @xperms) — confirm in avtab.c before reading @xperms.
 */
struct avtab_datum {
	union {
		u32 data; /* access vector or type value */
		struct avtab_extended_perms *xperms; /* owned by this entry? — confirm who frees it */
	} u;
};
  76 
/*
 * One hash-chain element: a key, its datum, and the link to the next node
 * in the same bucket (NULL at the end of the chain).
 */
struct avtab_node {
	struct avtab_key key;
	struct avtab_datum datum;
	struct avtab_node *next;	/* next node in this bucket's chain */
};
  82 
/*
 * The access vector table itself: a separately chained hash table.
 * @htable has @nslot bucket heads; @nel counts nodes across all chains.
 */
struct avtab {
	struct avtab_node **htable;	/* array of @nslot chain heads */
	u32 nel;	/* number of elements */
	u32 nslot;	/* number of hash slots */
	u32 mask;	/* mask to compute hash func (presumably nslot - 1, i.e. nslot is a power of two — confirm) */
};
  89 
/* Put the table into its initial empty state.  Return value: 0 or an error, presumably. */
int avtab_init(struct avtab *);
/*
 * Size the bucket array from the u32 hint (an expected entry count, by the
 * call sites in avtab.c — confirm).  Since that hint typically originates in
 * the policy image, the implementation should clamp the resulting slot count
 * to MAX_AVTAB_HASH_BUCKETS (see below); verify it does.
 */
int avtab_alloc(struct avtab *, u32);
/* Look @k up in @h and return its datum; NULL presumably means no entry. */
struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *k);
/* Release every node and the bucket array of @h. */
void avtab_destroy(struct avtab *h);
/* Debug aid: report hash-chain statistics for @h, labelled with @tag. */
void avtab_hash_eval(struct avtab *h, char *tag);
  95 
struct policydb;	/* opaque here; only passed through to the helpers below */
/*
 * Parse one entry from the binary policy stream @fp and hand the decoded key
 * and datum to @insert(@a, key, datum, @p); the callback decides how to
 * store it.  NOTE(review): this is the point where policy bytes from
 * userspace become an avtab_key, so any range checks on type, class and
 * @specified (e.g. rejecting AVTAB_ENABLED set by the image) have to live in
 * the implementation — confirm in avtab.c rather than assuming the key is
 * valid inside @insert.
 */
int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
		    int (*insert)(struct avtab *a, struct avtab_key *k,
				  struct avtab_datum *d, void *p),
		    void *p);

/* Read a complete avtab from @fp into @a (presumably looping over avtab_read_item). */
int avtab_read(struct avtab *a, void *fp, struct policydb *pol);
/* Serialize the single node @cur of policy @p to @fp. */
int avtab_write_item(struct policydb *p, struct avtab_node *cur, void *fp);
/* Serialize every entry of @a (belonging to policy @p) to @fp. */
int avtab_write(struct policydb *p, struct avtab *a, void *fp);
 105 
/*
 * Add a node for (@key, @datum) to @h without rejecting an existing node
 * with the same key (hence "nonunique"; callers that need uniqueness must
 * search first).  Returns the new node; NULL presumably on allocation
 * failure — confirm in avtab.c.
 */
struct avtab_node *avtab_insert_nonunique(struct avtab *h, struct avtab_key *key,
					  struct avtab_datum *datum);

/* Like avtab_search, but return the matching node rather than its datum. */
struct avtab_node *avtab_search_node(struct avtab *h, struct avtab_key *key);

/*
 * Continue from @node along its chain to the next node with the same
 * type/class triple whose key.specified matches @specified (presumably an
 * AVTAB_* mask — confirm).  Used to walk duplicate keys left by
 * avtab_insert_nonunique.
 */
struct avtab_node *avtab_search_node_next(struct avtab_node *node, int specified);
 112 
/*
 * Hard ceiling on the bucket array: 2^16 slots.  This is the bound that
 * keeps an inflated element count in a policy image from driving an
 * arbitrarily large allocation in avtab_alloc — check that avtab_alloc
 * actually clamps to it.
 */
#define MAX_AVTAB_HASH_BITS 16
#define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS)
 115 
 116 #endif  /* _SS_AVTAB_H_ */
 117 
