16cd6a6acSopenharmony_ci
/* Author : Stephen Smalley, <sds@tycho.nsa.gov> */
36cd6a6acSopenharmony_ci
/*
 * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
 * 	Tuned the number of hash slots for avtab to reduce memory usage
 */
86cd6a6acSopenharmony_ci
/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
 *
 * 	Added conditional policy language extensions
 *
 * Copyright (C) 2003 Tresys Technology, LLC
 *
 *  This library is free software; you can redistribute it and/or
 *  modify it under the terms of the GNU Lesser General Public
 *  License as published by the Free Software Foundation; either
 *  version 2.1 of the License, or (at your option) any later version.
 *
 *  This library is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 *  Lesser General Public License for more details.
 *
 *  You should have received a copy of the GNU Lesser General Public
 *  License along with this library; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 */
296cd6a6acSopenharmony_ci
/* FLASK */
316cd6a6acSopenharmony_ci
/*
 * An access vector table (avtab) is a hash table of access
 * vectors and transition types, indexed by a (source type,
 * target type) pair and a class.  An access vector table is
 * used to represent the type enforcement tables.
 */
396cd6a6acSopenharmony_ci
406cd6a6acSopenharmony_ci#ifndef _SEPOL_POLICYDB_AVTAB_H_
416cd6a6acSopenharmony_ci#define _SEPOL_POLICYDB_AVTAB_H_
426cd6a6acSopenharmony_ci
436cd6a6acSopenharmony_ci#include <sys/types.h>
446cd6a6acSopenharmony_ci#include <stdint.h>
456cd6a6acSopenharmony_ci
466cd6a6acSopenharmony_ci#ifdef __cplusplus
476cd6a6acSopenharmony_ciextern "C" {
486cd6a6acSopenharmony_ci#endif
496cd6a6acSopenharmony_ci
/*
 * Hash key of an avtab entry: the (source type, target type, class)
 * triple the rule applies to, plus a bitmask ('specified') saying which
 * kind of rule the entry carries.
 */
typedef struct avtab_key {
	uint16_t source_type;
	uint16_t target_type;
	uint16_t target_class;
	/* Rule-kind bits for 'specified'.  Access-vector rules; note that
	 * AVTAB_NEVERALLOW (0x0080) is deliberately not part of AVTAB_AV
	 * and that bit 0x0008 is unused. */
#define AVTAB_ALLOWED		0x0001
#define AVTAB_AUDITALLOW	0x0002
#define AVTAB_AUDITDENY		0x0004
#define AVTAB_NEVERALLOW	0x0080
#define AVTAB_AV		(AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY)
	/* Type rules: for these the datum's 'data' field is a type rather
	 * than an access vector (see avtab_datum below). */
#define AVTAB_TRANSITION	0x0010
#define AVTAB_MEMBER		0x0020
#define AVTAB_CHANGE		0x0040
#define AVTAB_TYPE		(AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
	/* Extended-permission rules; presumably paired with the datum's
	 * 'xperms' pointer.  As with AVTAB_AV, the NEVERALLOW bit is kept
	 * out of the AVTAB_XPERMS group. */
#define AVTAB_XPERMS_ALLOWED	0x0100
#define AVTAB_XPERMS_AUDITALLOW	0x0200
#define AVTAB_XPERMS_DONTAUDIT	0x0400
#define AVTAB_XPERMS_NEVERALLOW	0x0800
#define AVTAB_XPERMS		(AVTAB_XPERMS_ALLOWED | AVTAB_XPERMS_AUDITALLOW | AVTAB_XPERMS_DONTAUDIT)
	/* AVTAB_ENABLED_OLD cannot fit in the 16-bit 'specified' field;
	 * presumably it is the position of the enabled flag in an older,
	 * 32-bit on-disk encoding that the reader translates — TODO confirm
	 * against avtab_read_item in avtab.c. */
#define AVTAB_ENABLED_OLD	0x80000000
#define AVTAB_ENABLED		0x8000	/* reserved for use in cond_avtab */
	uint16_t specified;	/* which of the AVTAB_* rule kinds above apply */
} avtab_key_t;
726cd6a6acSopenharmony_ci
/*
 * Extended permissions attached to an AVTAB_XPERMS_* rule.  'perms' is
 * 8 x 32 = 256 bits, i.e. one bit per possible value of an 8-bit field;
 * 'specified' selects which interpretation applies (function vs driver —
 * the exact semantics live in the consumers, not in this header).
 */
typedef struct avtab_extended_perms {

#define AVTAB_XPERMS_IOCTLFUNCTION	0x01
#define AVTAB_XPERMS_IOCTLDRIVER	0x02
	/* extension of the avtab_key specified */
	uint8_t specified;
	/* presumably the driver byte the 256-bit 'perms' map is relative to
	 * when specified == AVTAB_XPERMS_IOCTLFUNCTION — confirm in avtab.c */
	uint8_t driver;
	uint32_t perms[8];	/* 256-bit bitmap */
} avtab_extended_perms_t;
826cd6a6acSopenharmony_ci
/*
 * Value stored under an avtab_key.  The meaning of 'data' depends on the
 * key's 'specified' bits: an access vector for AVTAB_AV rules, a type for
 * AVTAB_TYPE rules.  Ownership of 'xperms' (who frees it) is not visible
 * here — check avtab_destroy / the insert paths in avtab.c.
 */
typedef struct avtab_datum {
	uint32_t data;		/* access vector or type */
	avtab_extended_perms_t *xperms;	/* NULL unless an AVTAB_XPERMS_* rule, presumably */
} avtab_datum_t;
876cd6a6acSopenharmony_ci
/* Pointer to a hash-chain node; the typedef hides the indirection, so
 * remember that avtab_ptr_t values may be NULL. */
typedef struct avtab_node *avtab_ptr_t;
896cd6a6acSopenharmony_ci
/*
 * One entry in a hash bucket's singly linked chain.  Only 'key' and
 * 'datum' are part of the binary policy; the remaining fields are
 * in-memory bookkeeping for the parser and writer.
 */
struct avtab_node {
	avtab_key_t key;
	avtab_datum_t datum;
	avtab_ptr_t next;	/* next node in the same bucket */
	void *parse_context;	/* generic context pointer used by parser;
				 * not saved in binary policy */
	unsigned merged;	/* flag for avtab_write only;
				   not saved in binary policy */
};
996cd6a6acSopenharmony_ci
/*
 * The access vector table itself: an array of 'nslot' bucket heads.
 * 'mask' being a bucket mask implies nslot is a power of two (so that
 * hash & mask is a valid index) — presumably enforced by avtab_alloc;
 * confirm in avtab.c.
 */
typedef struct avtab {
	avtab_ptr_t *htable;	/* nslot chain heads, NULL for empty buckets */
	uint32_t nel;		/* number of elements */
	uint32_t nslot;         /* number of hash slots */
	uint32_t mask;          /* mask to compute hash func */
} avtab_t;
1066cd6a6acSopenharmony_ci
/*
 * Table lifecycle.  avtab_init() prepares an empty table, avtab_alloc()
 * sizes the bucket array for the given expected element count, and
 * avtab_destroy() releases what the table owns.  The int return
 * convention is not visible in this header — presumably 0 on success,
 * non-zero on failure; confirm in avtab.c.
 */
extern int avtab_init(avtab_t *);
extern int avtab_alloc(avtab_t *, uint32_t);
/* Insert one (key, datum) pair.  Whether an already-present key is an
 * error is not visible here; compare avtab_insert_nonunique() below. */
extern int avtab_insert(avtab_t * h, avtab_key_t * k, avtab_datum_t * d);

/* Look up the datum stored under k; presumably NULL when absent. */
extern avtab_datum_t *avtab_search(avtab_t * h, avtab_key_t * k);

extern void avtab_destroy(avtab_t * h);

/* Visit every (key, datum) pair, passing 'args' through to apply().
 * apply() returns an int; what a non-zero return means (stop early?)
 * is decided in avtab.c, not here. */
extern int avtab_map(const avtab_t * h,
		     int (*apply) (avtab_key_t * k,
				   avtab_datum_t * d, void *args), void *args);

/* Hash-distribution diagnostics.  'tag' reads like a label but is not
 * const-qualified; callers passing string literals should know the
 * definition in avtab.c would have to change for the header to gain
 * const. */
extern void avtab_hash_eval(avtab_t * h, char *tag);

/*
 * Binary policy input.  Everything read through 'fp' is external input:
 * element counts and sizes taken from the file must be range-checked
 * (MAX_AVTAB_SIZE below is the intended bound) before they size any
 * allocation or loop.  avtab_read_item() presumably decodes one entry
 * for policy version 'vers' and hands it to insert(), passing 'p'
 * through unchanged; avtab_read() presumably loops over the whole table.
 */
struct policy_file;
extern int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a,
			   int (*insert) (avtab_t * a, avtab_key_t * k,
					  avtab_datum_t * d, void *p), void *p);

extern int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers);

/* Insert without rejecting an equal existing key (per the name); returns
 * the new node, presumably NULL on allocation failure. */
extern avtab_ptr_t avtab_insert_nonunique(avtab_t * h, avtab_key_t * key,
					  avtab_datum_t * datum);

/* Same as avtab_insert_nonunique() but also records parse_context in the
 * new node (see struct avtab_node). */
extern avtab_ptr_t avtab_insert_with_parse_context(avtab_t * h,
						   avtab_key_t * key,
						   avtab_datum_t * datum,
						   void *parse_context);

/* Node-level lookup: the first node matching 'key', then the following
 * nodes with the same key filtered by 'specified' — presumably an
 * intersection with node->key.specified; the matching rule is in avtab.c. */
extern avtab_ptr_t avtab_search_node(avtab_t * h, avtab_key_t * key);

extern avtab_ptr_t avtab_search_node_next(avtab_ptr_t node, int specified);
1396cd6a6acSopenharmony_ci
/*
 * Sizing limits.  With MAX_AVTAB_HASH_BITS = 20 a table has at most 2^20
 * buckets and MAX_AVTAB_HASH_MASK selects a bucket from a hash value.
 * MAX_AVTAB_SIZE (2^21 = 2097152 elements) is the largest element count a
 * table may hold; an element count read from a policy file should be
 * compared against it before any allocation is sized from it —
 * presumably avtab_read() does so; confirm in avtab.c.
 */
#define MAX_AVTAB_HASH_BITS 20
#define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS)
#define MAX_AVTAB_HASH_MASK (MAX_AVTAB_HASH_BUCKETS-1)
/* avtab_alloc uses one bucket per 2-4 elements, so adjust to get maximum buckets */
#define MAX_AVTAB_SIZE (MAX_AVTAB_HASH_BUCKETS << 1)
1456cd6a6acSopenharmony_ci
1466cd6a6acSopenharmony_ci#ifdef __cplusplus
1476cd6a6acSopenharmony_ci}
1486cd6a6acSopenharmony_ci#endif
1496cd6a6acSopenharmony_ci
1506cd6a6acSopenharmony_ci#endif				/* _AVTAB_H_ */
1516cd6a6acSopenharmony_ci
/* FLASK */