1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
/*
* Access vector cache interface for object managers.
*
* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
*/
/* Ported to Xen 3.0, George Coker, <gscoker@alpha.ncsc.mil> */
#ifndef _FLASK_AVC_H_
#define _FLASK_AVC_H_
#include <xen/errno.h>
#include <xen/lib.h>
#include <xen/spinlock.h>
#include <asm/percpu.h>
#include "flask.h"
#include "av_permissions.h"
#include "security.h"
#ifdef FLASK_DEVELOP
extern int flask_enforcing;
#else
#define flask_enforcing 1
#endif
/*
* An entry in the AVC.
*/
struct avc_entry;
struct task_struct;
struct vfsmount;
struct dentry;
struct inode;
struct sock;
struct sk_buff;
/* Auxiliary data to use in generating the audit record. */
struct avc_audit_data {
char type;
#define AVC_AUDIT_DATA_NONE 0
#define AVC_AUDIT_DATA_DEV 1
#define AVC_AUDIT_DATA_IRQ 2
#define AVC_AUDIT_DATA_RANGE 3
struct domain *sdom;
struct domain *tdom;
union {
unsigned long device;
int irq;
struct {
unsigned long start;
unsigned long end;
} range;
};
};
#define v4info fam.v4
#define v6info fam.v6
/* Initialize an AVC audit data structure. */
#define AVC_AUDIT_DATA_INIT(_d,_t) \
{ memset((_d), 0, sizeof(struct avc_audit_data)); \
(_d)->type = AVC_AUDIT_DATA_##_t; }
/*
* AVC statistics
*/
struct avc_cache_stats
{
unsigned int lookups;
unsigned int hits;
unsigned int misses;
unsigned int allocations;
unsigned int reclaims;
unsigned int frees;
};
/*
* AVC operations
*/
void avc_init(void);
void avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested,
struct av_decision *avd, int result, struct avc_audit_data *auditdata);
int avc_has_perm_noaudit(u32 ssid, u32 tsid, u16 tclass, u32 requested,
struct av_decision *avd);
int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, u32 requested,
struct avc_audit_data *auditdata);
#define AVC_CALLBACK_GRANT 1
#define AVC_CALLBACK_TRY_REVOKE 2
#define AVC_CALLBACK_REVOKE 4
#define AVC_CALLBACK_RESET 8
#define AVC_CALLBACK_AUDITALLOW_ENABLE 16
#define AVC_CALLBACK_AUDITALLOW_DISABLE 32
#define AVC_CALLBACK_AUDITDENY_ENABLE 64
#define AVC_CALLBACK_AUDITDENY_DISABLE 128
int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
u16 tclass, u32 perms, u32 *out_retained), u32 events,
u32 ssid, u32 tsid, u16 tclass, u32 perms);
/* Exported to selinuxfs */
struct xen_flask_hash_stats;
int avc_get_hash_stats(struct xen_flask_hash_stats *arg);
extern unsigned int avc_cache_threshold;
#ifdef FLASK_AVC_STATS
DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
#endif
#endif /* _FLASK_AVC_H_ */
|