include/linux/selinux.h

   1 /*
   2  * SELinux services exported to the rest of the kernel.
   3  *
   4  * Author: James Morris <jmorris@redhat.com>
   5  *
   6  * Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com>
   7  * Copyright (C) 2006 Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
   8  * Copyright (C) 2006 IBM Corporation, Timothy R. Chavez <tinytim@us.ibm.com>
   9  *
  10  * This program is free software; you can redistribute it and/or modify
  11  * it under the terms of the GNU General Public License version 2,
  12  * as published by the Free Software Foundation.
  13  */
  14 #ifndef _LINUX_SELINUX_H
  15 #define _LINUX_SELINUX_H
  16
  17 struct selinux_audit_rule;
  18 struct audit_context;
  19 struct inode;
  20 struct kern_ipc_perm;
  21
  22 #ifdef CONFIG_SECURITY_SELINUX
  23
  24 /**
  25  *      selinux_audit_rule_init - alloc/init an selinux audit rule structure.
  26  *      @field: the field this rule refers to
  27  *      @op: the operater the rule uses
  28  *      @rulestr: the text "target" of the rule
  29  *      @rule: pointer to the new rule structure returned via this
  30  *
  31  *      Returns 0 if successful, -errno if not.  On success, the rule structure
  32  *      will be allocated internally.  The caller must free this structure with
  33  *      selinux_audit_rule_free() after use.
  34  */
  35 int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
  36                             struct selinux_audit_rule **rule);
  37
  38 /**
  39  *      selinux_audit_rule_free - free an selinux audit rule structure.
  40  *      @rule: pointer to the audit rule to be freed
  41  *
  42  *      This will free all memory associated with the given rule.
  43  *      If @rule is NULL, no operation is performed.
  44  */
  45 void selinux_audit_rule_free(struct selinux_audit_rule *rule);
  46
  47 /**
  48  *      selinux_audit_rule_match - determine if a context ID matches a rule.
  49  *      @sid: the context ID to check
  50  *      @field: the field this rule refers to
  51  *      @op: the operater the rule uses
  52  *      @rule: pointer to the audit rule to check against
  53  *      @actx: the audit context (can be NULL) associated with the check
  54  *
  55  *      Returns 1 if the context id matches the rule, 0 if it does not, and
  56  *      -errno on failure.
  57  */
  58 int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
  59                              struct selinux_audit_rule *rule,
  60                              struct audit_context *actx);
  61
  62 /**
  63  *      selinux_audit_set_callback - set the callback for policy reloads.
  64  *      @callback: the function to call when the policy is reloaded
  65  *
  66  *      This sets the function callback function that will update the rules
  67  *      upon policy reloads.  This callback should rebuild all existing rules
  68  *      using selinux_audit_rule_init().
  69  */
  70 void selinux_audit_set_callback(int (*callback)(void));
  71
  72 /**
  73  *     selinux_sid_to_string - map a security context ID to a string
  74  *     @sid: security context ID to be converted.
  75  *     @ctx: address of context string to be returned
  76  *     @ctxlen: length of returned context string.
  77  *
  78  *     Returns 0 if successful, -errno if not.  On success, the context
  79  *     string will be allocated internally, and the caller must call
  80  *     kfree() on it after use.
  81  */
  82 int selinux_sid_to_string(u32 sid, char **ctx, u32 *ctxlen);
  83
  84 /**
  85  *     selinux_get_inode_sid - get the inode's security context ID
  86  *     @inode: inode structure to get the sid from.
  87  *     @sid: pointer to security context ID to be filled in.
  88  *
  89  *     Returns nothing
  90  */
  91 void selinux_get_inode_sid(const struct inode *inode, u32 *sid);
  92
  93 /**
  94  *     selinux_get_ipc_sid - get the ipc security context ID
  95  *     @ipcp: ipc structure to get the sid from.
  96  *     @sid: pointer to security context ID to be filled in.
  97  *
  98  *     Returns nothing
  99  */
 100 void selinux_get_ipc_sid(const struct kern_ipc_perm *ipcp, u32 *sid);
 101
 102 /**
 103  *     selinux_get_task_sid - return the SID of task
 104  *     @tsk: the task whose SID will be returned
 105  *     @sid: pointer to security context ID to be filled in.
 106  *
 107  *     Returns nothing
 108  */
 109 void selinux_get_task_sid(struct task_struct *tsk, u32 *sid);
 110
 111 /**
 112  *     selinux_string_to_sid - map a security context string to a security ID
 113  *     @str: the security context string to be mapped
 114  *     @sid: ID value returned via this.
 115  *
 116  *     Returns 0 if successful, with the SID stored in sid.  A value
 117  *     of zero for sid indicates no SID could be determined (but no error
 118  *     occurred).
 119  */
 120 int selinux_string_to_sid(char *str, u32 *sid);
 121
 122 /**
 123  *     selinux_secmark_relabel_packet_permission - secmark permission check
 124  *     @sid: SECMARK ID value to be applied to network packet
 125  *
 126  *     Returns 0 if the current task is allowed to set the SECMARK label of
 127  *     packets with the supplied security ID.  Note that it is implicit that
 128  *     the packet is always being relabeled from the default unlabeled value,
 129  *     and that the access control decision is made in the AVC.
 130  */
 131 int selinux_secmark_relabel_packet_permission(u32 sid);
 132
 133 /**
 134  *     selinux_secmark_refcount_inc - increments the secmark use counter
 135  *
 136  *     SELinux keeps track of the current SECMARK targets in use so it knows
 137  *     when to apply SECMARK label access checks to network packets.  This
 138  *     function incements this reference count to indicate that a new SECMARK
 139  *     target has been configured.
 140  */
 141 void selinux_secmark_refcount_inc(void);
 142
 143 /**
 144  *     selinux_secmark_refcount_dec - decrements the secmark use counter
 145  *
 146  *     SELinux keeps track of the current SECMARK targets in use so it knows
 147  *     when to apply SECMARK label access checks to network packets.  This
 148  *     function decements this reference count to indicate that one of the
 149  *     existing SECMARK targets has been removed/flushed.
 150  */
 151 void selinux_secmark_refcount_dec(void);
 152 #else
 153
 154 static inline int selinux_audit_rule_init(u32 field, u32 op,
 155                                           char *rulestr,
 156                                           struct selinux_audit_rule **rule)
 157 {
 158         return -EOPNOTSUPP;
 159 }
 160
 161 static inline void selinux_audit_rule_free(struct selinux_audit_rule *rule)
 162 {
 163         return;
 164 }
 165
 166 static inline int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
 167                                            struct selinux_audit_rule *rule,
 168                                            struct audit_context *actx)
 169 {
 170         return 0;
 171 }
 172
 173 static inline void selinux_audit_set_callback(int (*callback)(void))
 174 {
 175         return;
 176 }
 177
 178 static inline int selinux_sid_to_string(u32 sid, char **ctx, u32 *ctxlen)
 179 {
 180        *ctx = NULL;
 181        *ctxlen = 0;
 182        return 0;
 183 }
 184
 185 static inline void selinux_get_inode_sid(const struct inode *inode, u32 *sid)
 186 {
 187         *sid = 0;
 188 }
 189
 190 static inline void selinux_get_ipc_sid(const struct kern_ipc_perm *ipcp, u32 *sid)
 191 {
 192         *sid = 0;
 193 }
 194
 195 static inline void selinux_get_task_sid(struct task_struct *tsk, u32 *sid)
 196 {
 197         *sid = 0;
 198 }
 199
 200 static inline int selinux_string_to_sid(const char *str, u32 *sid)
 201 {
 202        *sid = 0;
 203        return 0;
 204 }
 205
 206 static inline int selinux_secmark_relabel_packet_permission(u32 sid)
 207 {
 208         return 0;
 209 }
 210
 211 static inline void selinux_secmark_refcount_inc(void)
 212 {
 213         return;
 214 }
 215
 216 static inline void selinux_secmark_refcount_dec(void)
 217 {
 218         return;
 219 }
 220
 221 #endif  /* CONFIG_SECURITY_SELINUX */
 222
 223 #endif /* _LINUX_SELINUX_H */