/* -*- linux-c -*- */

/*
 * Author : Stephen Smalley, <sds (at) epoch.ncsc.mil>
 */

#ifndef _SEPOL_POLICYDB_SERVICES_H_
#define _SEPOL_POLICYDB_SERVICES_H_

/*
 * Security server interface.
 *
 * Every function declared here returns an int status code. Arguments
 * marked OUT are only meaningful after a successful return; the exact
 * success/failure values are not specified by this header, so callers
 * must check the implementation's documentation rather than assume
 * 0/-1 semantics.
 */

#include <sepol/policydb/flask_types.h>
#include <sepol/policydb/policydb.h>
#include <stddef.h>
#include <sys/cdefs.h>

__BEGIN_DECLS

/* Set the policydb and sidtab structures to be used by
   the service functions. If not set, then these default
   to private structures within libsepol that can only be
   initialized and accessed via the service functions themselves.
   Setting the structures explicitly allows a program to directly
   manipulate them, e.g. checkpolicy populates the structures directly
   from a source policy rather than from a binary policy.

   The caller retains ownership of `p' and `s': the service functions
   keep a reference to them, so they must stay valid (and must not be
   freed) for as long as the service functions may be called. */
extern int sepol_set_policydb(policydb_t * p);
extern int sepol_set_sidtab(sidtab_t * s);

/* Modify a policydb for boolean settings.
   `booleans' is a string of boolean settings in the format the
   implementation expects (the format is not specified here). */
int sepol_genbools_policydb(policydb_t * policydb, const char *booleans);

/* Modify a policydb for user settings.
   `usersdir' names the directory from which user settings are read. */
int sepol_genusers_policydb(policydb_t * policydb, const char *usersdir);

/* Load the security policy. This initializes the policydb
   and sidtab based on the provided binary policy.

   `data' points to an in-memory binary policy image of `len' bytes.
   `len' is the only size bound the loader receives from this call, so
   it must be the exact length of the image; a binary policy taken from
   an untrusted source should be treated as untrusted parser input. */
extern int sepol_load_policy(void *data, size_t len);

/*
 * Compute access vectors based on a SID pair for
 * the permissions in a particular class.
 *
 * `requested' is the set of permissions being asked for; the
 * decision for them is written into `*avd'.
 */
extern int sepol_compute_av(sepol_security_id_t ssid,	/* IN */
			    sepol_security_id_t tsid,	/* IN */
			    sepol_security_class_t tclass,	/* IN */
			    sepol_access_vector_t requested,	/* IN */
			    struct sepol_av_decision *avd);	/* OUT */

/* Same as above, but also return the reason(s) for any
   denials of the requested permissions.

   `*reason' receives a bitmask built from the SEPOL_COMPUTEAV_*
   values below, one bit per mechanism that contributed a denial
   (type enforcement, constraints, role-based access control). */
#define SEPOL_COMPUTEAV_TE 1
#define SEPOL_COMPUTEAV_CONS 2
#define SEPOL_COMPUTEAV_RBAC 4
extern int sepol_compute_av_reason(sepol_security_id_t ssid,
				   sepol_security_id_t tsid,
				   sepol_security_class_t tclass,
				   sepol_access_vector_t requested,
				   struct sepol_av_decision *avd,
				   unsigned int *reason);

/*
 * Same as above, but also returns the constraint expression calculations
 * whether allowed or denied in a buffer. This buffer is allocated by
 * this call and must be free'd by the caller using free(3). The constraint
 * buffer will contain any constraints in infix notation.
 * If the SHOW_GRANTED flag is set it will show granted and denied
 * constraints. The default is to show only denied constraints.
 *
 * Ownership: on success `*reason_buf' belongs to the caller.
 * NOTE(review): whether `*reason_buf' is set to NULL on failure is not
 * stated here -- confirm against the implementation before freeing it
 * unconditionally on every return path.
 *
 * SHOW_GRANTED is an unprefixed macro name in a public header; callers
 * that define their own SHOW_GRANTED will collide with it.
 */
#define SHOW_GRANTED 1
extern int sepol_compute_av_reason_buffer(sepol_security_id_t ssid,
					  sepol_security_id_t tsid,
					  sepol_security_class_t tclass,
					  sepol_access_vector_t requested,
					  struct sepol_av_decision *avd,
					  unsigned int *reason,
					  char **reason_buf,
					  unsigned int flags);

/*
 * Returns the mls/validatetrans constraint expression calculations in
 * a buffer that must be free'd by the caller using free(3).
 * If the SHOW_GRANTED flag is set it will show granted and denied
 * mls/validatetrans (the default is to show only those denied).
 *
 * `oldsid'/`newsid' are the SIDs before and after the transition and
 * `tasksid' the SID of the task performing it; `flags' takes the same
 * SHOW_GRANTED bit as sepol_compute_av_reason_buffer().  The same
 * caveat about `*reason_buf' on failure applies here.
 */
extern int sepol_validate_transition_reason_buffer(sepol_security_id_t oldsid,
						   sepol_security_id_t newsid,
						   sepol_security_id_t tasksid,
						   sepol_security_class_t tclass,
						   char **reason_buf,
						   unsigned int flags);

/*
 * Return a class ID associated with the class string representation
 * specified by `class_name'.
 *
 * The ID is written to `*tclass'; an unknown class name is reported
 * through the return value, so callers must check it before using
 * `*tclass'.
 */
extern int sepol_string_to_security_class(const char *class_name,
					  sepol_security_class_t *tclass);

/*
 * Return a permission av bit associated with tclass and the string
 * representation of the `perm_name'.
 *
 * The bit is written to `*av'; as above, check the return value
 * before relying on `*av'.
 */
extern int sepol_string_to_av_perm(sepol_security_class_t tclass,
				   const char *perm_name,
				   sepol_access_vector_t *av);

/*
 * Compute a SID to use for labeling a new object in the
 * class `tclass' based on a SID pair.
 */
extern int sepol_transition_sid(sepol_security_id_t ssid,	/* IN */
				sepol_security_id_t tsid,	/* IN */
				sepol_security_class_t tclass,	/* IN */
				sepol_security_id_t * out_sid);	/* OUT */

/*
 * Compute a SID to use when selecting a member of a
 * polyinstantiated object of class `tclass' based on
 * a SID pair.
 */
extern int sepol_member_sid(sepol_security_id_t ssid,	/* IN */
			    sepol_security_id_t tsid,	/* IN */
			    sepol_security_class_t tclass,	/* IN */
			    sepol_security_id_t * out_sid);	/* OUT */

/*
 * Compute a SID to use for relabeling an object in the
 * class `tclass' based on a SID pair.
 */
extern int sepol_change_sid(sepol_security_id_t ssid,	/* IN */
			    sepol_security_id_t tsid,	/* IN */
			    sepol_security_class_t tclass,	/* IN */
			    sepol_security_id_t * out_sid);	/* OUT */

/*
 * Write the security context string representation of
 * the context associated with `sid' into a dynamically
 * allocated string of the correct size. Set `*scontext'
 * to point to this string and set `*scontext_len' to
 * the length of the string.
 *
 * Ownership of `*scontext' passes to the caller, who releases it with
 * free(3) (the deallocator is not named here -- confirm it matches the
 * other *_buffer functions in this header).
 */
extern int sepol_sid_to_context(sepol_security_id_t sid,	/* IN */
				sepol_security_context_t * scontext,	/* OUT */
				size_t * scontext_len);	/* OUT */

/*
 * Return a SID associated with the security context that
 * has the string representation specified by `scontext'.
 *
 * `scontext_len' bounds how much of `scontext' is read; it must match
 * the string the caller actually holds.  NOTE(review): if
 * sepol_security_context_t is a pointer typedef, the `const' here
 * qualifies the pointer itself rather than the characters it points to,
 * so it does not promise that the context string is left unmodified.
 */
extern int sepol_context_to_sid(const sepol_security_context_t scontext,	/* IN */
				size_t scontext_len,	/* IN */
				sepol_security_id_t * out_sid);	/* OUT */

/*
 * Generate the set of SIDs for legal security contexts
 * for a given user that can be reached from the calling
 * SID `callsid'.
 * Set `*sids' to point to a dynamically allocated
 * array containing the set of SIDs. Set `*nel' to the
 * number of elements in the array.
 *
 * The caller owns `*sids' on success and must release it.  `username'
 * is declared non-const, so callers must not pass a string literal
 * without confirming the implementation does not write through it.
 */
extern int sepol_get_user_sids(sepol_security_id_t callsid,
			       char *username,
			       sepol_security_id_t ** sids, uint32_t * nel);

/*
 * Return the SIDs to use for an unlabeled file system
 * that is being mounted from the device with the
 * kdevname `dev'. The `fs_sid' SID is returned for
 * the file system and the `file_sid' SID is returned
 * for all files within that file system.
 */
extern int sepol_fs_sid(char *dev,	/* IN */
			sepol_security_id_t * fs_sid,	/* OUT */
			sepol_security_id_t * file_sid);	/* OUT */

/*
 * Return the SID of the port specified by
 * `domain', `type', `protocol', and `port'.
 *
 * `port' is a host-order 16-bit port number as far as this declaration
 * shows; the byte order the implementation expects is not stated here.
 */
extern int sepol_port_sid(uint16_t domain,
			  uint16_t type,
			  uint8_t protocol,
			  uint16_t port, sepol_security_id_t * out_sid);

/*
 * Return the SIDs to use for a network interface
 * with the name `name'. The `if_sid' SID is returned for
 * the interface and the `msg_sid' SID is returned as
 * the default SID for messages received on the
 * interface.
 */
extern int sepol_netif_sid(char *name,
			   sepol_security_id_t * if_sid,
			   sepol_security_id_t * msg_sid);

/*
 * Return the SID of the node specified by the address
 * `addr' where `addrlen' is the length of the address
 * in bytes and `domain' is the communications domain or
 * address family in which the address should be interpreted.
 *
 * `addr' is read as `addrlen' raw bytes; it is the caller's job to
 * make `addrlen' consistent with the family named by `domain'.
 */
extern int sepol_node_sid(uint16_t domain,
			  void *addr,
			  size_t addrlen, sepol_security_id_t * out_sid);

/*
 * Return a value indicating how to handle labeling for the
 * specified filesystem type, and optionally return a SID
 * for the filesystem object.
 *
 * `*behavior' receives one of the SECURITY_FS_USE_* values below.
 */
#define SECURITY_FS_USE_XATTR 1	/* use xattr */
#define SECURITY_FS_USE_TRANS 2	/* use transition SIDs, e.g. devpts/tmpfs */
#define SECURITY_FS_USE_TASK  3	/* use task SIDs, e.g. pipefs/sockfs */
#define SECURITY_FS_USE_GENFS 4	/* use the genfs support */
#define SECURITY_FS_USE_NONE  5	/* no labeling support */
extern int sepol_fs_use(const char *fstype,	/* IN */
			unsigned int *behavior,	/* OUT */
			sepol_security_id_t * sid);	/* OUT */

/*
 * Return the SID to use for a file in a filesystem
 * that cannot support a persistent label mapping or use another
 * fixed labeling behavior like transition SIDs or task SIDs.
 *
 * `name' is the path within the filesystem and `sclass' the class of
 * the object being labeled.
 */
extern int sepol_genfs_sid(const char *fstype,	/* IN */
			   const char *name,	/* IN */
			   sepol_security_class_t sclass,	/* IN */
			   sepol_security_id_t * sid);	/* OUT */

__END_DECLS
#endif