[linux-2.6-block.git] / security / selinux / include / avc.h

/*
 * Access vector cache interface for object managers.
 *
 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
 */
#ifndef _SELINUX_AVC_H_
#define _SELINUX_AVC_H_

#include <linux/stddef.h>
#include <linux/errno.h>
#include <linux/kernel.h>
#include <linux/kdev_t.h>
#include <linux/spinlock.h>
#include <linux/init.h>
#include <linux/audit.h>
#include <linux/lsm_audit.h>
#include <linux/in6.h>
#include <linux/path.h>
#include <asm/system.h>
#include "flask.h"
#include "av_permissions.h"
#include "security.h"

#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
extern int selinux_enforcing;
#else
#define selinux_enforcing 1
#endif

/*
 * An entry in the AVC.
 */
struct avc_entry;

struct task_struct;
struct inode;
struct sock;
struct sk_buff;

/*
 * AVC statistics
 */
struct avc_cache_stats {
	unsigned int lookups;
	unsigned int hits;
	unsigned int misses;
	unsigned int allocations;
	unsigned int reclaims;
	unsigned int frees;
};

/*
 * AVC operations
 */

void __init avc_init(void);

void avc_audit(u32 ssid, u32 tsid,
	       u16 tclass, u32 requested,
	       struct av_decision *avd,
	       int result,
	       struct common_audit_data *a);

#define AVC_STRICT 1 /* Ignore permissive mode. */
int avc_has_perm_noaudit(u32 ssid, u32 tsid,
			 u16 tclass, u32 requested,
			 unsigned flags,
			 struct av_decision *avd);

int avc_has_perm(u32 ssid, u32 tsid,
		 u16 tclass, u32 requested,
		 struct common_audit_data *auditdata);

u32 avc_policy_seqno(void);

#define AVC_CALLBACK_GRANT		1
#define AVC_CALLBACK_TRY_REVOKE		2
#define AVC_CALLBACK_REVOKE		4
#define AVC_CALLBACK_RESET		8
#define AVC_CALLBACK_AUDITALLOW_ENABLE	16
#define AVC_CALLBACK_AUDITALLOW_DISABLE	32
#define AVC_CALLBACK_AUDITDENY_ENABLE	64
#define AVC_CALLBACK_AUDITDENY_DISABLE	128

int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
				     u16 tclass, u32 perms,
				     u32 *out_retained),
		     u32 events, u32 ssid, u32 tsid,
		     u16 tclass, u32 perms);

/* Exported to selinuxfs */
int avc_get_hash_stats(char *page);
extern unsigned int avc_cache_threshold;

/* Attempt to free avc node cache */
void avc_disable(void);

#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
#endif

#endif /* _SELINUX_AVC_H_ */
Commit	Line	Data
1da177e4 LT	1	/*
	2	* Access vector cache interface for object managers.
	3	*
	4	* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
	5	*/
	6	#ifndef _SELINUX_AVC_H_
	7	#define _SELINUX_AVC_H_
	8
	9	#include <linux/stddef.h>
	10	#include <linux/errno.h>
	11	#include <linux/kernel.h>
	12	#include <linux/kdev_t.h>
	13	#include <linux/spinlock.h>
	14	#include <linux/init.h>
d9250dea	15	#include <linux/audit.h>
2bf49690	16	#include <linux/lsm_audit.h>
1da177e4	17	#include <linux/in6.h>
44707fdf	18	#include <linux/path.h>
1da177e4 LT	19	#include <asm/system.h>
	20	#include "flask.h"
	21	#include "av_permissions.h"
	22	#include "security.h"
	23
	24	#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
	25	extern int selinux_enforcing;
	26	#else
	27	#define selinux_enforcing 1
	28	#endif
	29
	30	/*
	31	* An entry in the AVC.
	32	*/
	33	struct avc_entry;
	34
	35	struct task_struct;
1da177e4 LT	36	struct inode;
	37	struct sock;
	38	struct sk_buff;
	39
1da177e4 LT	40	/*
	41	* AVC statistics
	42	*/
f5269710	43	struct avc_cache_stats {
1da177e4 LT	44	unsigned int lookups;
	45	unsigned int hits;
	46	unsigned int misses;
	47	unsigned int allocations;
	48	unsigned int reclaims;
	49	unsigned int frees;
	50	};
	51
	52	/*
	53	* AVC operations
	54	*/
	55
	56	void __init avc_init(void);
	57
	58	void avc_audit(u32 ssid, u32 tsid,
f5269710	59	u16 tclass, u32 requested,
2bf49690 TL	60	struct av_decision *avd,
	61	int result,
	62	struct common_audit_data *a);
1da177e4	63
2c3c05db	64	#define AVC_STRICT 1 /* Ignore permissive mode. */
1da177e4	65	int avc_has_perm_noaudit(u32 ssid, u32 tsid,
2c3c05db SS	66	u16 tclass, u32 requested,
	67	unsigned flags,
	68	struct av_decision *avd);
1da177e4 LT	69
1da177e4 LT	70	int avc_has_perm(u32 ssid, u32 tsid,
f5269710	71	u16 tclass, u32 requested,
2bf49690	72	struct common_audit_data *auditdata);
1da177e4	73
788e7dd4 YN	74	u32 avc_policy_seqno(void);
788e7dd4 YN	75
1da177e4 LT	76	#define AVC_CALLBACK_GRANT 1
	77	#define AVC_CALLBACK_TRY_REVOKE 2
	78	#define AVC_CALLBACK_REVOKE 4
	79	#define AVC_CALLBACK_RESET 8
	80	#define AVC_CALLBACK_AUDITALLOW_ENABLE 16
	81	#define AVC_CALLBACK_AUDITALLOW_DISABLE 32
	82	#define AVC_CALLBACK_AUDITDENY_ENABLE 64
	83	#define AVC_CALLBACK_AUDITDENY_DISABLE 128
	84
	85	int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
f5269710	86	u16 tclass, u32 perms,
1da177e4 LT	87	u32 *out_retained),
	88	u32 events, u32 ssid, u32 tsid,
	89	u16 tclass, u32 perms);
	90
	91	/* Exported to selinuxfs */
	92	int avc_get_hash_stats(char *page);
	93	extern unsigned int avc_cache_threshold;
	94
89c86576 TL	95	/* Attempt to free avc node cache */
	96	void avc_disable(void);
	97
1da177e4 LT	98	#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
	99	DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
	100	#endif
	101
	102	#endif /* _SELINUX_AVC_H_ */
	103