1 | /* SPDX-License-Identifier: GPL-2.0-only */ |
2 | /* |
3 | * An access vector table (avtab) is a hash table |
4 | * of access vectors and transition types indexed |
5 | * by a type pair and a class. An access vector |
6 | * table is used to represent the type enforcement |
7 | * tables. |
8 | * |
9 | * Author : Stephen Smalley, <stephen.smalley.work@gmail.com> |
10 | */ |
11 | |
12 | /* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> |
13 | * |
14 | * Added conditional policy language extensions |
15 | * |
16 | * Copyright (C) 2003 Tresys Technology, LLC |
17 | * |
18 | * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp> |
19 | * Tuned number of hash slots for avtab to reduce memory usage |
20 | */ |
21 | #ifndef _SS_AVTAB_H_ |
22 | #define _SS_AVTAB_H_ |
23 | |
24 | #include "security.h" |
25 | |
/*
 * Key of an avtab entry: the (source type, target type, target class)
 * triple the rule applies to, plus a `specified` bitmask telling which
 * kind of rule the entry holds (and therefore how its datum is read).
 */
struct avtab_key {
	u16 source_type;	/* source type */
	u16 target_type;	/* target type */
	u16 target_class;	/* target object class */
/*
 * Bits of `specified`. AVTAB_AV groups the access-vector rule kinds and
 * AVTAB_TYPE the type rule kinds; the AVTAB_XPERMS bits mark rules whose
 * datum carries extended permissions (see struct avtab_datum) rather
 * than a plain 32-bit access vector — confirm the selection in avtab.c.
 */
#define AVTAB_ALLOWED 0x0001
#define AVTAB_AUDITALLOW 0x0002
#define AVTAB_AUDITDENY 0x0004
#define AVTAB_AV (AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY)
#define AVTAB_TRANSITION 0x0010
#define AVTAB_MEMBER 0x0020
#define AVTAB_CHANGE 0x0040
#define AVTAB_TYPE (AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
/* extended permissions */
#define AVTAB_XPERMS_ALLOWED 0x0100
#define AVTAB_XPERMS_AUDITALLOW 0x0200
#define AVTAB_XPERMS_DONTAUDIT 0x0400
#define AVTAB_XPERMS (AVTAB_XPERMS_ALLOWED | \
			AVTAB_XPERMS_AUDITALLOW | \
			AVTAB_XPERMS_DONTAUDIT)
/*
 * AVTAB_ENABLED_OLD does not fit in the u16 `specified` field; it is
 * presumably the legacy 32-bit encoding kept for reading older policy
 * images — verify against avtab_read_item().
 */
#define AVTAB_ENABLED_OLD 0x80000000 /* reserved for use in cond_avtab */
#define AVTAB_ENABLED 0x8000 /* reserved for use in cond_avtab */
	u16 specified;	/* which rule kind this entry holds (bits above) */
};
49 | |
50 | /* |
51 | * For operations that require more than the 32 permissions provided by the avc |
52 | * extended permissions may be used to provide 256 bits of permissions. |
53 | */ |
/*
 * Extended permission set attached to an avtab rule whose key carries an
 * AVTAB_XPERMS bit: 256 permission bits instead of the 32 of a plain
 * access vector.
 */
struct avtab_extended_perms {
	/* These are not flags. All 256 values may be used */
#define AVTAB_XPERMS_IOCTLFUNCTION 0x01
#define AVTAB_XPERMS_IOCTLDRIVER 0x02
	/* extension of the avtab_key specified */
	u8 specified;	/* ioctl, netfilter, ... (one of the values above) */
	/*
	 * if 256 bits is not adequate as is often the case with ioctls, then
	 * multiple extended perms may be used and the driver field
	 * specifies which permissions are included.
	 */
	u8 driver;
	/* 256 bits of permissions */
	struct extended_perms_data perms;
};
69 | |
/*
 * Value of an avtab entry. Only one union member is meaningful for a given
 * entry; which one is determined by the entry's key, not by the datum
 * itself — presumably the AVTAB_XPERMS bits of avtab_key.specified select
 * `xperms`, everything else `data`. Readers must check the key before
 * dereferencing `xperms` (confirm the rule in avtab.c).
 */
struct avtab_datum {
	union {
		u32 data; /* access vector or type value */
		struct avtab_extended_perms *xperms; /* owned by the entry — TODO confirm who frees */
	} u;
};
76 | |
/*
 * One hash-chain element: a key/datum pair plus the link to the next
 * node in the same bucket (NULL-terminated chain, presumably).
 */
struct avtab_node {
	struct avtab_key key;
	struct avtab_datum datum;
	struct avtab_node *next;	/* next node in the bucket's chain */
};
82 | |
/*
 * The access vector table: an array of `nslot` bucket heads with `nel`
 * nodes in total. `mask` is applied to the key hash to pick a bucket,
 * which presumably means `nslot` is a power of two and
 * mask == nslot - 1 — confirm in avtab_alloc().
 */
struct avtab {
	struct avtab_node **htable;	/* bucket heads, nslot entries */
	u32 nel;	/* number of elements */
	u32 nslot;	/* number of hash slots */
	u32 mask;	/* mask to compute hash func */
};
89 | |
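/* Put an avtab into its empty state (no buckets, no elements). */
void avtab_init(struct avtab *h);
/*
 * Size the bucket array for roughly `nrules` entries. Returns 0 on
 * success, negative on failure (presumably -ENOMEM; confirm in avtab.c).
 * Parameter names added so the prototype documents itself.
 */
int avtab_alloc(struct avtab *h, u32 nrules);
/* Allocate `new` with the same bucket geometry as `orig`. */
int avtab_alloc_dup(struct avtab *new, const struct avtab *orig);
/* Free every node and the bucket array of `h`. */
void avtab_destroy(struct avtab *h);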
94 | |
#ifdef CONFIG_SECURITY_SELINUX_DEBUG
/* Report bucket-distribution statistics for `h`, labelled with `tag`. */
void avtab_hash_eval(struct avtab *h, const char *tag);
#else
/* Debug-only diagnostics; compiled to a no-op when the debug option is off. */
static inline void avtab_hash_eval(struct avtab *h, const char *tag)
{
}
#endif
102 | |
struct policydb;
/*
 * Decode one avtab entry from the policy image `fp` (opaque stream handle)
 * and deliver it through `insert`, which receives the table, the decoded
 * key and datum, and the caller's cookie `p` — the delivery is inferred
 * from the callback shape; confirm in avtab.c. Return convention is not
 * visible here.
 *
 * NOTE(review): the decoded key/datum comes from the policy image, so
 * range checks (types/classes against `pol`, `specified` bit validity)
 * are expected to live in this reader rather than in each `insert`
 * callback — verify that is the case.
 */
int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
		    int (*insert)(struct avtab *a, const struct avtab_key *k,
				  const struct avtab_datum *d, void *p),
		    void *p);
108 | |
/* Read a whole avtab from the policy image `fp` into `a`. */
int avtab_read(struct avtab *a, void *fp, struct policydb *pol);
/* Serialize a single node `cur` to `fp`. */
int avtab_write_item(struct policydb *p, const struct avtab_node *cur, void *fp);
/* Serialize the whole table `a` to `fp`. */
int avtab_write(struct policydb *p, struct avtab *a, void *fp);
112 | |
/*
 * Insert a copy of key/datum without rejecting an existing entry for the
 * same key (the "nonunique" in the name). Returns the new node, or NULL
 * on failure — presumably; confirm in avtab.c.
 */
struct avtab_node *avtab_insert_nonunique(struct avtab *h,
					  const struct avtab_key *key,
					  const struct avtab_datum *datum);

/* Find the first node whose key matches `key`, or NULL if none. */
struct avtab_node *avtab_search_node(struct avtab *h,
				     const struct avtab_key *key);

/*
 * Continue a search from `node`: the next node with the same type/class
 * triple whose `specified` matches `specified`. Exact matching rule is
 * defined in avtab.c.
 */
struct avtab_node *avtab_search_node_next(struct avtab_node *node, u16 specified);
121 | |
/* Upper bound on the bucket array: 2^16 slots, which fits the u32 nslot. */
#define MAX_AVTAB_HASH_BITS 16
#define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS)
124 | |
125 | #endif /* _SS_AVTAB_H_ */ |
126 | |
127 | |