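#ifndef _SELINUX_H_
#define _SELINUX_H_

#include <sys/types.h>
#include <stdarg.h>

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Userspace interface to SELinux: accessors for process, file and socket
 * security contexts, queries against the loaded policy, and callback
 * registration.
 *
 * NOTE(review): apart from is_selinux_enabled(), this header does not state
 * the return convention of the int-returning calls; presumably 0 on success
 * and -1 on failure -- confirm against the implementation. Code that gates an
 * action on one of these calls should treat a failed call as a denial.
 */

/* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 if we get an error.
   The result has three states: `if (is_selinux_enabled())` treats the error
   case as "enabled" and `> 0` treats it as "disabled", so callers making a
   security decision should handle -1 explicitly. */
extern int is_selinux_enabled(void);
/* Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. */
extern int is_selinux_mls_enabled(void);

/* No longer used; here for compatibility with legacy callers. */
typedef char *security_context_t;

/* Free the memory allocated for a context by any of the below get* calls. */
extern void freecon(char *con);

/* Free the memory allocated for a context array by security_compute_user. */
extern void freeconary(char **con);

/* Wrappers for the /proc/pid/attr API. */

/* Get current context, and set *con to refer to it.
   Caller must free via freecon. */
extern int getcon(char **con);

/* Set the current security context to con.
   Note that use of this function requires that the entire application
   be trusted to maintain any desired separation between the old and new
   security contexts, unlike exec-based transitions performed via setexeccon.
   When possible, decompose your application and use setexeccon()+execve()
   instead. Note that the application may lose access to its open descriptors
   as a result of a setcon() unless policy allows it to use descriptors opened
   by the old context. */
extern int setcon(const char *con);

/* Get context of process identified by pid, and
   set *con to refer to it. Caller must free via freecon.
   NOTE(review): a pid can be reused once its process exits, so the result is
   a snapshot of whatever held that pid at the time of the call; where the
   identity of a connected peer matters, getpeercon() on the socket is
   presumably the better source -- confirm against the caller's design. */
extern int getpidcon(pid_t pid, char **con);

/* Get previous context (prior to last exec), and set *con to refer to it.
   Caller must free via freecon. */
extern int getprevcon(char **con);

/* Get exec context, and set *con to refer to it.
   Sets *con to NULL if no exec context has been set, i.e. using default.
   If non-NULL, caller must free via freecon.
   A successful call can therefore leave *con NULL; check it before use. */
extern int getexeccon(char **con);

/* Set exec security context for the next execve.
   Call with NULL if you want to reset to the default. */
extern int setexeccon(const char *con);

/* Get fscreate context, and set *con to refer to it.
   Sets *con to NULL if no fs create context has been set, i.e. using default.
   If non-NULL, caller must free via freecon. */
extern int getfscreatecon(char **con);

/* Set the fscreate security context for subsequent file creations.
   Call with NULL if you want to reset to the default.
   The setting stays in effect for later creations until it is reset, so
   reset it once the file it was meant for has been created. */
extern int setfscreatecon(const char *context);

/* Get keycreate context, and set *con to refer to it.
   Sets *con to NULL if no key create context has been set, i.e. using default.
   If non-NULL, caller must free via freecon. */
extern int getkeycreatecon(char **con);

/* Set the keycreate security context for subsequent key creations.
   Call with NULL if you want to reset to the default. */
extern int setkeycreatecon(const char *context);

/* Get sockcreate context, and set *con to refer to it.
   Sets *con to NULL if no socket create context has been set, i.e. using default.
   If non-NULL, caller must free via freecon. */
extern int getsockcreatecon(char **con);

/* Set the sockcreate security context for subsequent socket creations.
   Call with NULL if you want to reset to the default. */
extern int setsockcreatecon(const char *context);

/* Wrappers for the xattr API. */

/* Get file context, and set *con to refer to it.
   Caller must free via freecon.
   NOTE(review): by analogy with stat/lstat/fstat, the l* form presumably acts
   on a symbolic link itself and the f* form on an already-open descriptor --
   confirm against the implementation. If so, the descriptor form avoids the
   window in which a path can be swapped between a check and the label
   operation. */
extern int getfilecon(const char *path, char **con);
extern int lgetfilecon(const char *path, char **con);
extern int fgetfilecon(int fd, char **con);

/* Set file context */
extern int setfilecon(const char *path, const char *con);
extern int lsetfilecon(const char *path, const char *con);
extern int fsetfilecon(int fd, const char *con);

/* Wrappers for the socket API */

/* Get context of peer socket, and set *con to refer to it.
   Caller must free via freecon. */
extern int getpeercon(int fd, char **con);

/* Wrappers for the selinuxfs (policy) API. */

typedef unsigned int access_vector_t;
typedef unsigned short security_class_t;

/* Result of security_compute_av().
   NOTE(review): field meanings are not documented in this header; going by
   the names, `allowed` is the granted permission set and `seqno` a policy
   sequence number -- confirm. A caller enforcing on this structure directly
   presumably has to check that every requested bit is present in `allowed`
   and decide how to treat SELINUX_AVD_FLAGS_PERMISSIVE in `flags`. */
struct av_decision {
	access_vector_t allowed;
	access_vector_t decided;
	access_vector_t auditallow;
	access_vector_t auditdeny;
	unsigned int seqno;
	unsigned int flags;
};

/* Definitions of av_decision.flags */
#define SELINUX_AVD_FLAGS_PERMISSIVE	0x0001

/* Structure for passing options, used by AVC and label subsystems */
struct selinux_opt {
	int type;
	const char *value;
};

/* Callback facilities */
union selinux_callback {
	/* log the printf-style format and arguments,
	   with the type code indicating the type of message.
	   Under GCC the format attribute lets the compiler check fmt against
	   its arguments; fmt must be a fixed format, with variable text
	   passed as an argument. */
	int
#ifdef __GNUC__
__attribute__ ((format(printf, 2, 3)))
#endif
	(*func_log) (int type, const char *fmt, ...);
	/* store a string representation of auditdata (corresponding
	   to the given security class) into msgbuf.
	   msgbufsize is presumably the capacity of msgbuf in bytes (confirm);
	   an implementation must not write past it. */
	int (*func_audit) (void *auditdata, security_class_t cls,
			   char *msgbuf, size_t msgbufsize);
	/* validate the supplied context, modifying if necessary.
	   NOTE(review): how a replacement *ctx has to be allocated, and who
	   frees the old value, is not stated here -- confirm. */
	int (*func_validate) (char **ctx);
	/* netlink callback for setenforce message */
	int (*func_setenforce) (int enforcing);
	/* netlink callback for policyload message */
	int (*func_policyload) (int seqno);
};

/* Callback type codes; each selects the union member of the same name
   (SELINUX_CB_LOG -> func_log, and so on). */
#define SELINUX_CB_LOG		0
#define SELINUX_CB_AUDIT	1
#define SELINUX_CB_VALIDATE	2
#define SELINUX_CB_SETENFORCE	3
#define SELINUX_CB_POLICYLOAD	4

extern union selinux_callback selinux_get_callback(int type);
extern void selinux_set_callback(int type, union selinux_callback cb);

/* Logging type codes, passed to the logging callback */
#define SELINUX_ERROR		0
#define SELINUX_WARNING		1
#define SELINUX_INFO		2
#define SELINUX_AVC		3

/* Compute an access decision.
   The decision is written to *avd; this call only computes it. Callers that
   want the check and the auditing done together have selinux_check_access()
   below. */
extern int security_compute_av(const char *scon,
			       const char *tcon,
			       security_class_t tclass,
			       access_vector_t requested,
			       struct av_decision *avd);

/* Compute a labeling decision and set *newcon to refer to it.
   Caller must free via freecon. */
extern int security_compute_create(const char *scon,
				   const char *tcon,
				   security_class_t tclass,
				   char **newcon);

/* Compute a relabeling decision and set *newcon to refer to it.
   Caller must free via freecon. */
extern int security_compute_relabel(const char *scon,
				    const char *tcon,
				    security_class_t tclass,
				    char **newcon);

/* Compute a polyinstantiation member decision and set *newcon to refer to it.
   Caller must free via freecon. */
extern int security_compute_member(const char *scon,
				   const char *tcon,
				   security_class_t tclass,
				   char **newcon);

/* Compute the set of reachable user contexts and set *con to refer to
   the NULL-terminated array of contexts. Caller must free via freeconary. */
extern int security_compute_user(const char *scon,
				 const char *username,
				 char ***con);

/* Load a policy configuration.
   NOTE(review): this call, security_setenforce(), security_disable() and the
   boolean setters below change system-wide enforcement state. The header does
   not say what the kernel requires of the caller; confirm that only the
   intended, policy-confined components can reach them. */
extern int security_load_policy(void *data, size_t len);

/* Get the context of an initial kernel security identifier by name.
   Caller must free via freecon */
extern int security_get_initial_context(const char *name,
					char **con);

/* Translate boolean struct to name value pair. */
typedef struct {
	const char *name;
	int value;
} SELboolean;
/* save a list of booleans in a single transaction. */
extern int security_set_boolean_list(size_t boolcnt,
				     SELboolean *const boollist, int permanent);

/* Check the validity of a security context. */
extern int security_check_context(const char *con);

/* Canonicalize a security context.
   NOTE(review): *canoncon is presumably allocated like the other returned
   contexts and released with freecon -- the header does not say; confirm. */
extern int security_canonicalize_context(const char *con,
					 char **canoncon);

/* Get the enforce flag value.
   NOTE(review): an int return leaves room for an error value alongside the
   flag; confirm how failure is reported before using the result as a
   boolean. */
extern int security_getenforce(void);

/* Set the enforce flag value. */
extern int security_setenforce(int value);

/* Get the behavior for undefined classes/permissions */
extern int security_deny_unknown(void);

/* Disable SELinux at runtime (must be done prior to initial policy load). */
extern int security_disable(void);

/* Get the policy version number. */
extern int security_policyvers(void);

/* Get the boolean names.
   NOTE(review): ownership of *names is not stated in this header -- confirm
   how the array and its strings are released. */
extern int security_get_boolean_names(char ***names, int *len);

/* Get the pending value for the boolean */
extern int security_get_boolean_pending(const char *name);

/* Get the active value for the boolean */
extern int security_get_boolean_active(const char *name);

/* Set the pending value for the boolean */
extern int security_set_boolean(const char *name, int value);

/* Commit the pending values for the booleans */
extern int security_commit_booleans(void);

/* Userspace class mapping support */
struct security_class_mapping {
	const char *name;
	/* One slot per bit of access_vector_t plus one extra; the extra slot
	   presumably holds a terminating NULL -- confirm. */
	const char *perms[sizeof(access_vector_t) * 8 + 1];
};

extern int selinux_set_mapping(struct security_class_mapping *map);

/* Common helpers */

/* Convert between security class values and string names */
extern security_class_t string_to_security_class(const char *name);
extern const char *security_class_to_string(security_class_t cls);

/* Convert between individual access vector permissions and string names */
extern const char *security_av_perm_to_string(security_class_t tclass,
					      access_vector_t perm);
extern access_vector_t string_to_av_perm(security_class_t tclass,
					 const char *name);

/* Returns an access vector in a string representation. User must free the
 * returned string via free(). Unlike the context getters above, the result
 * is released with free(), not freecon(). */
extern int security_av_string(security_class_t tclass,
			      access_vector_t av, char **result);

/* Check permissions and perform appropriate auditing.
   tclass and perm are passed by name rather than by numeric value. */
extern int selinux_check_access(const char *scon,
				const char *tcon,
				const char *tclass,
				const char *perm, void *aux);

/* Set the path to the selinuxfs mount point explicitly.
   Normally, this is determined automatically during libselinux
   initialization, but this is not always possible, e.g. for /sbin/init
   which performs the initial mount of selinuxfs.
   NOTE(review): whether mnt is copied or retained is not stated here --
   confirm before passing a temporary buffer. */
extern void set_selinuxmnt(const char *mnt);

#ifdef __cplusplus
}
#endif
#endif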