/* SPDX-License-Identifier: GPL-2.0-only */
/*
 * An access vector table (avtab) is a hash table
 * of access vectors and transition types indexed
 * by a type pair and a class. An access vector
 * table is used to represent the type enforcement
 * tables.
 *
 * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
 */

/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
 *
 * Added conditional policy language extensions
 *
 * Copyright (C) 2003 Tresys Technology, LLC
 *
 * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
 * Tuned number of hash slots for avtab to reduce memory usage
 */
#ifndef _SS_AVTAB_H_
#define _SS_AVTAB_H_

#include "security.h"

/*
 * Hash key of one avtab entry: the (source type, target type, target class)
 * triple the rule applies to, plus a 'specified' bit mask that records which
 * kind of rule the entry is and therefore which member of avtab_datum.u is
 * meaningful for it.
 */
struct avtab_key {
	u16 source_type;	/* source type */
	u16 target_type;	/* target type */
	u16 target_class;	/* target object class */
/* Access-vector rules: avtab_datum.u.data holds a permission bit mask. */
#define AVTAB_ALLOWED		0x0001
#define AVTAB_AUDITALLOW	0x0002
#define AVTAB_AUDITDENY		0x0004
#define AVTAB_AV		(AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY)
/* Type rules: avtab_datum.u.data holds the resulting type value. */
#define AVTAB_TRANSITION	0x0010
#define AVTAB_MEMBER		0x0020
#define AVTAB_CHANGE		0x0040
#define AVTAB_TYPE		(AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
/* extended permissions: avtab_datum.u.xperms points at the 256-bit set */
#define AVTAB_XPERMS_ALLOWED	0x0100
#define AVTAB_XPERMS_AUDITALLOW	0x0200
#define AVTAB_XPERMS_DONTAUDIT	0x0400
#define AVTAB_XPERMS		(AVTAB_XPERMS_ALLOWED | \
				AVTAB_XPERMS_AUDITALLOW | \
				AVTAB_XPERMS_DONTAUDIT)
/*
 * Conditional-policy "rule currently enabled" bit, reserved for cond_avtab.
 * NOTE(review): AVTAB_ENABLED_OLD (bit 31) cannot be stored in the u16
 * 'specified' field below; it appears to belong to an older policy
 * encoding that is translated while the policy is read (avtab_read_item)
 * — confirm against avtab.c before relying on it anywhere else.
 */
#define AVTAB_ENABLED_OLD	0x80000000 /* reserved for use in cond_avtab */
#define AVTAB_ENABLED		0x8000 /* reserved for use in cond_avtab */
	u16 specified;		/* what field is specified: AVTAB_* bits above */
};

/*
 * For operations that require more than the 32 permissions provided by the avc
 * extended permissions may be used to provide 256 bits of permissions.
 */
struct avtab_extended_perms {
/* These are not flags. All 256 values may be used */
#define AVTAB_XPERMS_IOCTLFUNCTION	0x01
#define AVTAB_XPERMS_IOCTLDRIVER	0x02
	/* extension of the avtab_key specified */
	u8 specified;		/* ioctl, netfilter, ... */
	/*
	 * if 256 bits is not adequate as is often the case with ioctls, then
	 * multiple extended perms may be used and the driver field
	 * specifies which permissions are included.
	 */
	u8 driver;
	/* 256 bits of permissions */
	struct extended_perms_data perms;
};

/*
 * Payload of one avtab entry. Which union member is valid is decided by
 * the AVTAB_* bits in the owning avtab_key.specified: AVTAB_AV / AVTAB_TYPE
 * rules use 'data', AVTAB_XPERMS rules use 'xperms'.
 * NOTE(review): ownership of the 'xperms' allocation is not stated in this
 * header; presumably it is released by avtab_destroy() — confirm in avtab.c.
 */
struct avtab_datum {
	union {
		u32 data;	/* access vector or type value */
		struct avtab_extended_perms *xperms;
	} u;
};

/* One hash-chain element: key, payload and the link to the next node. */
struct avtab_node {
	struct avtab_key key;
	struct avtab_datum datum;
	struct avtab_node *next;
};

/*
 * The table itself: an array of 'nslot' chain heads (htable), each chain a
 * singly linked list of avtab_node via 'next'.
 */
struct avtab {
	struct avtab_node **htable;
	u32 nel;	/* number of elements */
	u32 nslot;	/* number of hash slots */
	u32 mask;	/* mask to compute hash func (presumably nslot - 1; see avtab.c) */
};

/* Reset *h to an empty table with no hash array allocated. */
void avtab_init(struct avtab *h);
/*
 * Allocate the hash array. The u32 is presumably the expected number of
 * rules used to choose nslot (bounded by MAX_AVTAB_HASH_BUCKETS) — confirm
 * in avtab.c. Returns 0 on success, negative errno otherwise (kernel
 * convention; not visible here).
 */
int avtab_alloc(struct avtab *, u32);
/* Allocate 'new' sized like 'orig'; contents are not stated to be copied here. */
int avtab_alloc_dup(struct avtab *new, const struct avtab *orig);
/* Free every node and the hash array of *h. */
void avtab_destroy(struct avtab *h);

#ifdef CONFIG_SECURITY_SELINUX_DEBUG
/* Debug build only: report hash-chain statistics for *h, labelled by 'tag'. */
void avtab_hash_eval(struct avtab *h, const char *tag);
#else
/* Non-debug builds compile the statistics dump out entirely. */
static inline void avtab_hash_eval(struct avtab *h, const char *tag)
{
	/* intentionally empty: no-op when CONFIG_SECURITY_SELINUX_DEBUG is off */
}
#endif

struct policydb;
/*
 * Decode one avtab entry from the binary policy image 'fp' and hand the
 * decoded key/datum to insert() together with the opaque 'p'.
 * NOTE(review): the policy image comes from userspace policy load, so the
 * range and consistency checks on the decoded key and 'specified' bits are
 * expected to live in the implementation in avtab.c, not in callers.
 */
int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
		    int (*insert)(struct avtab *a, const struct avtab_key *k,
				  const struct avtab_datum *d, void *p),
		    void *p);

/* Read a whole table from the policy image 'fp' into *a. */
int avtab_read(struct avtab *a, void *fp, struct policydb *pol);
/* Serialize the single node *cur to 'fp' in the policy image format. */
int avtab_write_item(struct policydb *p, const struct avtab_node *cur, void *fp);
/* Serialize the whole table *a to 'fp'. */
int avtab_write(struct policydb *p, struct avtab *a, void *fp);

/*
 * Insert a copy of key/datum without checking for an existing entry with
 * the same key (duplicates are allowed, hence "nonunique"). Returns the new
 * node, or NULL on allocation failure (not visible here; confirm in avtab.c).
 */
struct avtab_node *avtab_insert_nonunique(struct avtab *h,
					  const struct avtab_key *key,
					  const struct avtab_datum *datum);

/* Find the first node whose key matches *key, or NULL. */
struct avtab_node *avtab_search_node(struct avtab *h,
				     const struct avtab_key *key);

/*
 * Continue a search from 'node': presumably returns the next node on the
 * same chain with the same type/class triple whose specified bits overlap
 * 'specified', or NULL — confirm in avtab.c.
 */
struct avtab_node *avtab_search_node_next(struct avtab_node *node, u16 specified);

/* Upper bound on the hash array size: 2^16 buckets. */
#define MAX_AVTAB_HASH_BITS 16
#define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS)

#endif	/* _SS_AVTAB_H_ */