1
2/* -*- linux-c -*- */
3
4/*
5 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
6 */
7
8#ifndef _SEPOL_POLICYDB_SERVICES_H_
9#define _SEPOL_POLICYDB_SERVICES_H_
10
11/*
12 * Security server interface.
13 */
14
15#include <sepol/policydb/flask_types.h>
16#include <sepol/policydb/policydb.h>
17#include <stddef.h>
18
19/* Set the policydb and sidtab structures to be used by
20   the service functions.  If not set, then these default
21   to private structures within libsepol that can only be
22   initialized and accessed via the service functions themselves.
23   Setting the structures explicitly allows a program to directly
24   manipulate them, e.g. checkpolicy populates the structures directly
25   from a source policy rather than from a binary policy. */
26extern int sepol_set_policydb(policydb_t * p);
27extern int sepol_set_sidtab(sidtab_t * s);
28
29/* Modify a policydb for boolean settings. */
30int sepol_genbools_policydb(policydb_t * policydb, const char *booleans);
31
32/* Modify a policydb for user settings. */
33int sepol_genusers_policydb(policydb_t * policydb, const char *usersdir);
34
35/* Load the security policy. This initializes the policydb
36   and sidtab based on the provided binary policy. */
37extern int sepol_load_policy(void *data, size_t len);
38
39/*
40 * Compute access vectors based on a SID pair for
41 * the permissions in a particular class.
42 */
43extern int sepol_compute_av(sepol_security_id_t ssid,	/* IN */
44			    sepol_security_id_t tsid,	/* IN */
45			    sepol_security_class_t tclass,	/* IN */
46			    sepol_access_vector_t requested,	/* IN */
47			    struct sepol_av_decision *avd);	/* OUT */
48
49/* Same as above, but also return the reason(s) for any
50   denials of the requested permissions. */
51#define SEPOL_COMPUTEAV_TE   1
52#define SEPOL_COMPUTEAV_CONS 2
53#define SEPOL_COMPUTEAV_RBAC 4
54extern int sepol_compute_av_reason(sepol_security_id_t ssid,
55				   sepol_security_id_t tsid,
56				   sepol_security_class_t tclass,
57				   sepol_access_vector_t requested,
58				   struct sepol_av_decision *avd,
59				   unsigned int *reason);
60
61/*
62 * Same as above, but also returns the constraint expression calculations
63 * whether allowed or denied in a buffer. This buffer is allocated by
64 * this call and must be free'd by the caller using free(3). The contraint
65 * buffer will contain any constraints in infix notation.
66 * If the SHOW_GRANTED flag is set it will show granted and denied
67 * constraints. The default is to show only denied constraints.
68 */
69#define SHOW_GRANTED 1
70extern int sepol_compute_av_reason_buffer(sepol_security_id_t ssid,
71				   sepol_security_id_t tsid,
72				   sepol_security_class_t tclass,
73				   sepol_access_vector_t requested,
74				   struct sepol_av_decision *avd,
75				   unsigned int *reason,
76				   char **reason_buf,
77				   unsigned int flags);
78/*
79 * Return a class ID associated with the class string representation
80 * specified by `class_name'.
81 */
82extern int sepol_string_to_security_class(const char *class_name,
83					sepol_security_class_t  *tclass);
84
85/*
86 * Return a permission av bit associated with tclass and the string
87 * representation of the `perm_name'.
88 */
89extern int sepol_string_to_av_perm(sepol_security_class_t tclass,
90					const char *perm_name,
91					sepol_access_vector_t *av);
92
93/*
94 * Compute a SID to use for labeling a new object in the
95 * class `tclass' based on a SID pair.
96 */
97extern int sepol_transition_sid(sepol_security_id_t ssid,	/* IN */
98				sepol_security_id_t tsid,	/* IN */
99				sepol_security_class_t tclass,	/* IN */
100				sepol_security_id_t * out_sid);	/* OUT */
101
102/*
103 * Compute a SID to use when selecting a member of a
104 * polyinstantiated object of class `tclass' based on
105 * a SID pair.
106 */
107extern int sepol_member_sid(sepol_security_id_t ssid,	/* IN */
108			    sepol_security_id_t tsid,	/* IN */
109			    sepol_security_class_t tclass,	/* IN */
110			    sepol_security_id_t * out_sid);	/* OUT */
111
112/*
113 * Compute a SID to use for relabeling an object in the
114 * class `tclass' based on a SID pair.
115 */
116extern int sepol_change_sid(sepol_security_id_t ssid,	/* IN */
117			    sepol_security_id_t tsid,	/* IN */
118			    sepol_security_class_t tclass,	/* IN */
119			    sepol_security_id_t * out_sid);	/* OUT */
120
121/*
122 * Write the security context string representation of
123 * the context associated with `sid' into a dynamically
124 * allocated string of the correct size.  Set `*scontext'
125 * to point to this string and set `*scontext_len' to
126 * the length of the string.
127 */
128extern int sepol_sid_to_context(sepol_security_id_t sid,	/* IN */
129				sepol_security_context_t * scontext,	/* OUT */
130				size_t * scontext_len);	/* OUT */
131
132/*
133 * Return a SID associated with the security context that
134 * has the string representation specified by `scontext'.
135 */
136extern int sepol_context_to_sid(const sepol_security_context_t scontext,	/* IN */
137				size_t scontext_len,	/* IN */
138				sepol_security_id_t * out_sid);	/* OUT */
139
140/*
141 * Generate the set of SIDs for legal security contexts
142 * for a given user that can be reached by `fromsid'.
143 * Set `*sids' to point to a dynamically allocated
144 * array containing the set of SIDs.  Set `*nel' to the
145 * number of elements in the array.
146 */
147extern int sepol_get_user_sids(sepol_security_id_t callsid,
148			       char *username,
149			       sepol_security_id_t ** sids, uint32_t * nel);
150
151/*
152 * Return the SIDs to use for an unlabeled file system
153 * that is being mounted from the device with the
154 * the kdevname `name'.  The `fs_sid' SID is returned for
155 * the file system and the `file_sid' SID is returned
156 * for all files within that file system.
157 */
158extern int sepol_fs_sid(char *dev,	/* IN */
159			sepol_security_id_t * fs_sid,	/* OUT  */
160			sepol_security_id_t * file_sid);	/* OUT */
161
162/*
163 * Return the SID of the port specified by
164 * `domain', `type', `protocol', and `port'.
165 */
166extern int sepol_port_sid(uint16_t domain,
167			  uint16_t type,
168			  uint8_t protocol,
169			  uint16_t port, sepol_security_id_t * out_sid);
170
171/*
172 * Return the SIDs to use for a network interface
173 * with the name `name'.  The `if_sid' SID is returned for
174 * the interface and the `msg_sid' SID is returned as
175 * the default SID for messages received on the
176 * interface.
177 */
178extern int sepol_netif_sid(char *name,
179			   sepol_security_id_t * if_sid,
180			   sepol_security_id_t * msg_sid);
181
182/*
183 * Return the SID of the node specified by the address
184 * `addr' where `addrlen' is the length of the address
185 * in bytes and `domain' is the communications domain or
186 * address family in which the address should be interpreted.
187 */
188extern int sepol_node_sid(uint16_t domain,
189			  void *addr,
190			  size_t addrlen, sepol_security_id_t * out_sid);
191
192/*
193 * Return a value indicating how to handle labeling for the
194 * the specified filesystem type, and optionally return a SID
195 * for the filesystem object.
196 */
197#define SECURITY_FS_USE_XATTR 1	/* use xattr */
198#define SECURITY_FS_USE_TRANS 2	/* use transition SIDs, e.g. devpts/tmpfs */
199#define SECURITY_FS_USE_TASK  3	/* use task SIDs, e.g. pipefs/sockfs */
200#define SECURITY_FS_USE_GENFS 4	/* use the genfs support */
201#define SECURITY_FS_USE_NONE  5	/* no labeling support */
202extern int sepol_fs_use(const char *fstype,	/* IN */
203			unsigned int *behavior,	/* OUT */
204			sepol_security_id_t * sid);	/* OUT  */
205
206/*
207 * Return the SID to use for a file in a filesystem
208 * that cannot support a persistent label mapping or use another
209 * fixed labeling behavior like transition SIDs or task SIDs.
210 */
211extern int sepol_genfs_sid(const char *fstype,	/* IN */
212			   char *name,	/* IN */
213			   sepol_security_class_t sclass,	/* IN */
214			   sepol_security_id_t * sid);	/* OUT  */
215
216#endif
217