1/* SPDX-License-Identifier: GPL-2.0 */ 2/* 3 * Access vector cache interface for object managers. 4 * 5 * Author : Stephen Smalley, <stephen.smalley.work@gmail.com> 6 */ 7 8#ifndef _SELINUX_AVC_H_ 9#define _SELINUX_AVC_H_ 10 11#include <linux/stddef.h> 12#include <linux/errno.h> 13#include <linux/kernel.h> 14#include <linux/kdev_t.h> 15#include <linux/spinlock.h> 16#include <linux/init.h> 17#include <linux/audit.h> 18#include <linux/lsm_audit.h> 19#include <linux/in6.h> 20#include "flask.h" 21#include "av_permissions.h" 22#include "security.h" 23 24/* 25 * An entry in the AVC. 26 */ 27struct avc_entry; 28 29struct task_struct; 30struct inode; 31struct sock; 32struct sk_buff; 33 34/* 35 * AVC statistics 36 */ 37struct avc_cache_stats { 38 unsigned int lookups; 39 unsigned int misses; 40 unsigned int allocations; 41 unsigned int reclaims; 42 unsigned int frees; 43}; 44 45/* 46 * We only need this data after we have decided to send an audit message. 47 */ 48struct selinux_audit_data { 49 u32 ssid; 50 u32 tsid; 51 u16 tclass; 52 u32 requested; 53 u32 audited; 54 u32 denied; 55 int result; 56} __randomize_layout; 57 58/* 59 * AVC operations 60 */ 61 62void __init avc_init(void); 63 64static inline u32 avc_audit_required(u32 requested, struct av_decision *avd, 65 int result, u32 auditdeny, u32 *deniedp) 66{ 67 u32 denied, audited; 68 denied = requested & ~avd->allowed; 69 if (unlikely(denied)) { 70 audited = denied & avd->auditdeny; 71 /* 72 * auditdeny is TRICKY! Setting a bit in 73 * this field means that ANY denials should NOT be audited if 74 * the policy contains an explicit dontaudit rule for that 75 * permission. Take notice that this is unrelated to the 76 * actual permissions that were denied. As an example lets 77 * assume: 78 * 79 * denied == READ 80 * avd.auditdeny & ACCESS == 0 (not set means explicit rule) 81 * auditdeny & ACCESS == 1 82 * 83 * We will NOT audit the denial even though the denied 84 * permission was READ and the auditdeny checks were for 85 * ACCESS 86 */ 87 if (auditdeny && !(auditdeny & avd->auditdeny)) 88 audited = 0; 89 } else if (result) 90 audited = denied = requested; 91 else 92 audited = requested & avd->auditallow; 93 *deniedp = denied; 94 return audited; 95} 96 97int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested, u32 audited, 98 u32 denied, int result, struct common_audit_data *a); 99 100/** 101 * avc_audit - Audit the granting or denial of permissions. 102 * @ssid: source security identifier 103 * @tsid: target security identifier 104 * @tclass: target security class 105 * @requested: requested permissions 106 * @avd: access vector decisions 107 * @result: result from avc_has_perm_noaudit 108 * @a: auxiliary audit data 109 * 110 * Audit the granting or denial of permissions in accordance 111 * with the policy. This function is typically called by 112 * avc_has_perm() after a permission check, but can also be 113 * called directly by callers who use avc_has_perm_noaudit() 114 * in order to separate the permission check from the auditing. 115 * For example, this separation is useful when the permission check must 116 * be performed under a lock, to allow the lock to be released 117 * before calling the auditing code. 118 */ 119static inline int avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested, 120 struct av_decision *avd, int result, 121 struct common_audit_data *a) 122{ 123 u32 audited, denied; 124 audited = avc_audit_required(requested, avd, result, 0, &denied); 125 if (likely(!audited)) 126 return 0; 127 return slow_avc_audit(ssid, tsid, tclass, requested, audited, denied, 128 result, a); 129} 130 131#define AVC_STRICT 1 /* Ignore permissive mode. */ 132#define AVC_EXTENDED_PERMS 2 /* update extended permissions */ 133int avc_has_perm_noaudit(u32 ssid, u32 tsid, u16 tclass, u32 requested, 134 unsigned int flags, struct av_decision *avd); 135 136int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, u32 requested, 137 struct common_audit_data *auditdata); 138 139int avc_has_extended_perms(u32 ssid, u32 tsid, u16 tclass, u32 requested, 140 u8 driver, u8 perm, struct common_audit_data *ad); 141 142u32 avc_policy_seqno(void); 143 144#define AVC_CALLBACK_GRANT 1 145#define AVC_CALLBACK_TRY_REVOKE 2 146#define AVC_CALLBACK_REVOKE 4 147#define AVC_CALLBACK_RESET 8 148#define AVC_CALLBACK_AUDITALLOW_ENABLE 16 149#define AVC_CALLBACK_AUDITALLOW_DISABLE 32 150#define AVC_CALLBACK_AUDITDENY_ENABLE 64 151#define AVC_CALLBACK_AUDITDENY_DISABLE 128 152#define AVC_CALLBACK_ADD_XPERMS 256 153 154int avc_add_callback(int (*callback)(u32 event), u32 events); 155 156/* Exported to selinuxfs */ 157int avc_get_hash_stats(char *page); 158unsigned int avc_get_cache_threshold(void); 159void avc_set_cache_threshold(unsigned int cache_threshold); 160 161#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS 162DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats); 163#endif 164 165#endif /* _SELINUX_AVC_H_ */ 166