      1 
      2 /* -*- linux-c -*- */
      3 
      4 /*
      5  * Author : Stephen Smalley, <sds (at) epoch.ncsc.mil>
      6  */
      7 
      8 #ifndef _SEPOL_POLICYDB_SERVICES_H_
      9 #define _SEPOL_POLICYDB_SERVICES_H_
     10 
     11 /*
     12  * Security server interface.
     13  */
     14 
     15 #include <sepol/policydb/flask_types.h>
     16 #include <sepol/policydb/policydb.h>
     17 #include <stddef.h>
     18 
/* Set the policydb and sidtab structures to be used by
   the service functions.  If not set, then these default
   to private structures within libsepol that can only be
   initialized and accessed via the service functions themselves.
   Setting the structures explicitly allows a program to directly
   manipulate them, e.g. checkpolicy populates the structures directly
   from a source policy rather than from a binary policy.

   NOTE(review): the pointer is handed to the library for use by the
   later service calls, so the object it points to presumably has to
   outlive every such call; ownership stays with the caller (nothing
   here says the library frees it) -- confirm against the
   implementation.  Return value: int; the error convention is not
   defined in this header. */
extern int sepol_set_policydb(policydb_t * p);
extern int sepol_set_sidtab(sidtab_t * s);

/* Modify a policydb for boolean settings.
   `booleans' is a NUL-terminated string; its format (a path, a
   name=value list, ...) is not defined here -- see the implementation.
   Returns int; error convention not defined in this header. */
int sepol_genbools_policydb(policydb_t * policydb, const char *booleans);

/* Modify a policydb for user settings.
   `usersdir' is a NUL-terminated string, by its name a directory
   to read user definitions from (presumed; not defined here).
   Returns int; error convention not defined in this header. */
int sepol_genusers_policydb(policydb_t * policydb, const char *usersdir);

/* Load the security policy. This initializes the policydb
   and sidtab based on the provided binary policy.
   `data'/`len' describe the in-memory binary policy image; `len'
   is the only bound the parser is given, so a caller loading an
   image from an untrusted source must pass an accurate `len'.
   NOTE(review): how strictly the parser validates the image
   against `len' is not visible here -- confirm before relying on it. */
extern int sepol_load_policy(void *data, size_t len);

/*
 * Compute access vectors based on a SID pair for
 * the permissions in a particular class.
 * `requested' is the set of permission bits being asked about;
 * the decision is written to the caller-provided `*avd'.
 */
extern int sepol_compute_av(sepol_security_id_t ssid,	/* IN */
			    sepol_security_id_t tsid,	/* IN */
			    sepol_security_class_t tclass,	/* IN */
			    sepol_access_vector_t requested,	/* IN */
			    struct sepol_av_decision *avd);	/* OUT */

/* Same as above, but also return the reason(s) for any
   denials of the requested permissions.
   The SEPOL_COMPUTEAV_* values are distinct single bits, so
   `*reason' can carry more than one of them at once
   (TE rule, constraint, and/or RBAC denial respectively). */
#define SEPOL_COMPUTEAV_TE   1
#define SEPOL_COMPUTEAV_CONS 2
#define SEPOL_COMPUTEAV_RBAC 4
extern int sepol_compute_av_reason(sepol_security_id_t ssid,
				   sepol_security_id_t tsid,
				   sepol_security_class_t tclass,
				   sepol_access_vector_t requested,
				   struct sepol_av_decision *avd,
				   unsigned int *reason);

/*
 * Same as above, but also returns the constraint expression calculations
 * whether allowed or denied in a buffer. This buffer is allocated by
 * this call and must be freed by the caller using free(3). The constraint
 * buffer will contain any constraints in infix notation.
 * If the SHOW_GRANTED flag is set it will show granted and denied
 * constraints. The default is to show only denied constraints.
 *
 * `*reason_buf' is set to the allocated buffer (ownership transfers
 * to the caller).  NOTE(review): what `*reason_buf' holds when the
 * call fails, and whether a NULL `reason_buf' is accepted, is not
 * stated here -- confirm before relying on either.
 * Style note: SHOW_GRANTED is the only flag in this header without a
 * SEPOL_ prefix, so it can collide with macros in including code.
 */
#define SHOW_GRANTED 1
extern int sepol_compute_av_reason_buffer(sepol_security_id_t ssid,
				   sepol_security_id_t tsid,
				   sepol_security_class_t tclass,
				   sepol_access_vector_t requested,
				   struct sepol_av_decision *avd,
				   unsigned int *reason,
				   char **reason_buf,
				   unsigned int flags);
/*
 * Return a class ID associated with the class string representation
 * specified by `class_name'.  The ID is written to `*tclass';
 * the int return reports success/failure (convention not defined here).
 */
extern int sepol_string_to_security_class(const char *class_name,
					sepol_security_class_t  *tclass);

/*
 * Return a permission av bit associated with tclass and the string
 * representation of the `perm_name'.  The bit is written to `*av';
 * the int return reports success/failure (convention not defined here).
 */
extern int sepol_string_to_av_perm(sepol_security_class_t tclass,
					const char *perm_name,
					sepol_access_vector_t *av);

/*
 * Compute a SID to use for labeling a new object in the
 * class `tclass' based on a SID pair.
 */
extern int sepol_transition_sid(sepol_security_id_t ssid,	/* IN */
				sepol_security_id_t tsid,	/* IN */
				sepol_security_class_t tclass,	/* IN */
				sepol_security_id_t * out_sid);	/* OUT */

/*
 * Compute a SID to use when selecting a member of a
 * polyinstantiated object of class `tclass' based on
 * a SID pair.
 */
extern int sepol_member_sid(sepol_security_id_t ssid,	/* IN */
			    sepol_security_id_t tsid,	/* IN */
			    sepol_security_class_t tclass,	/* IN */
			    sepol_security_id_t * out_sid);	/* OUT */

/*
 * Compute a SID to use for relabeling an object in the
 * class `tclass' based on a SID pair.
 */
extern int sepol_change_sid(sepol_security_id_t ssid,	/* IN */
			    sepol_security_id_t tsid,	/* IN */
			    sepol_security_class_t tclass,	/* IN */
			    sepol_security_id_t * out_sid);	/* OUT */

/*
 * Write the security context string representation of
 * the context associated with `sid' into a dynamically
 * allocated string of the correct size.  Set `*scontext'
 * to point to this string and set `*scontext_len' to
 * the length of the string.
 *
 * NOTE(review): the string is allocated by this call, so the
 * caller presumably owns it and releases it with free(3) (as the
 * reason buffer above is); whether `*scontext_len' counts the
 * terminating NUL is not stated -- confirm both against the
 * implementation.
 */
extern int sepol_sid_to_context(sepol_security_id_t sid,	/* IN */
				sepol_security_context_t * scontext,	/* OUT */
				size_t * scontext_len);	/* OUT */

/*
 * Return a SID associated with the security context that
 * has the string representation specified by `scontext'.
 * `scontext_len' bounds how much of `scontext' is read; whether a
 * terminating NUL within that length is also required is not
 * stated here.
 */
extern int sepol_context_to_sid(const sepol_security_context_t scontext,	/* IN */
				size_t scontext_len,	/* IN */
				sepol_security_id_t * out_sid);	/* OUT */

/*
 * Generate the set of SIDs for legal security contexts
 * for the user `username' that can be reached by `callsid'.
 * Set `*sids' to point to a dynamically allocated
 * array containing the set of SIDs.  Set `*nel' to the
 * number of elements in the array.
 *
 * NOTE(review): the array is allocated by this call, so the caller
 * presumably owns it and releases it with free(3) -- confirm.
 * `username' is declared non-const; whether it is modified is not
 * visible here.
 */
extern int sepol_get_user_sids(sepol_security_id_t callsid,
			       char *username,
			       sepol_security_id_t ** sids, uint32_t * nel);

/*
 * Return the SIDs to use for an unlabeled file system
 * that is being mounted from the device with the
 * kdevname `dev'.  The `fs_sid' SID is returned for
 * the file system and the `file_sid' SID is returned
 * for all files within that file system.
 * `dev' is declared non-const; whether it is modified is not
 * visible here.
 */
extern int sepol_fs_sid(char *dev,	/* IN */
			sepol_security_id_t * fs_sid,	/* OUT  */
			sepol_security_id_t * file_sid);	/* OUT */

/*
 * Return the SID of the port specified by
 * `domain', `type', `protocol', and `port'.
 * The SID is written to `*out_sid'.
 */
extern int sepol_port_sid(uint16_t domain,
			  uint16_t type,
			  uint8_t protocol,
			  uint16_t port, sepol_security_id_t * out_sid);

/*
 * Return the SIDs to use for a network interface
 * with the name `name'.  The `if_sid' SID is returned for
 * the interface and the `msg_sid' SID is returned as
 * the default SID for messages received on the
 * interface.
 * `name' is declared non-const; whether it is modified is not
 * visible here.
 */
extern int sepol_netif_sid(char *name,
			   sepol_security_id_t * if_sid,
			   sepol_security_id_t * msg_sid);

/*
 * Return the SID of the node specified by the address
 * `addr' where `addrlen' is the length of the address
 * in bytes and `domain' is the communications domain or
 * address family in which the address should be interpreted.
 * `addrlen' is the only bound given for `addr', so it must match
 * the address representation implied by `domain'.
 */
extern int sepol_node_sid(uint16_t domain,
			  void *addr,
			  size_t addrlen, sepol_security_id_t * out_sid);

/*
 * Return a value indicating how to handle labeling for
 * the specified filesystem type, and optionally return a SID
 * for the filesystem object.
 * `*behavior' receives one of the SECURITY_FS_USE_* values below.
 */
#define SECURITY_FS_USE_XATTR 1	/* use xattr */
#define SECURITY_FS_USE_TRANS 2	/* use transition SIDs, e.g. devpts/tmpfs */
#define SECURITY_FS_USE_TASK  3	/* use task SIDs, e.g. pipefs/sockfs */
#define SECURITY_FS_USE_GENFS 4	/* use the genfs support */
#define SECURITY_FS_USE_NONE  5	/* no labeling support */
extern int sepol_fs_use(const char *fstype,	/* IN */
			unsigned int *behavior,	/* OUT */
			sepol_security_id_t * sid);	/* OUT  */

/*
 * Return the SID to use for a file in a filesystem
 * that cannot support a persistent label mapping or use another
 * fixed labeling behavior like transition SIDs or task SIDs.
 * `name' is the path within the filesystem and `sclass' the object
 * class being labeled; the SID is written to `*sid'.
 * `name' is declared non-const; whether it is modified is not
 * visible here.
 */
extern int sepol_genfs_sid(const char *fstype,	/* IN */
			   char *name,	/* IN */
			   sepol_security_class_t sclass,	/* IN */
			   sepol_security_id_t * sid);	/* OUT  */
    215 
    216 #endif
    217