/*
 * This file describes the internal interface used by the AVC
 * for calling the user-supplied memory allocation, supplemental
 * auditing, and locking routine, as well as incrementing the
 * statistics fields.
 *
 * Author : Eamon Walsh <ewalsh@epoch.ncsc.mil>
 */
#ifndef _SELINUX_AVC_INTERNAL_H_
#define _SELINUX_AVC_INTERNAL_H_

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <selinux/avc.h>
#include "callbacks.h"
#include "dso.h"

/*
 * Callback pointers.
 *
 * The avc_* wrappers further down treat a NULL pointer as "no user
 * routine supplied" and fall back to the library default (or do
 * nothing).  set_callbacks() is the only place in this header that
 * writes them.
 */
extern void *(*avc_func_malloc) (size_t) hidden;
extern void (*avc_func_free) (void *) hidden;

extern void (*avc_func_log) (const char *, ...) hidden;
extern void (*avc_func_audit) (void *, security_class_t, char *, size_t) hidden;

extern int avc_using_threads hidden;
extern int avc_app_main_loop hidden;
extern void *(*avc_func_create_thread) (void (*)(void)) hidden;
extern void (*avc_func_stop_thread) (void *) hidden;

extern void *(*avc_func_alloc_lock) (void) hidden;
extern void (*avc_func_get_lock) (void *) hidden;
extern void (*avc_func_release_lock) (void *) hidden;
extern void (*avc_func_free_lock) (void *) hidden;

/*
 * Install the user-supplied callback tables.
 *
 * Each table pointer may be NULL; a NULL table leaves its group of
 * callback pointers exactly as they were.  Passing a thread table also
 * records that the AVC runs in threaded mode (avc_using_threads = 1);
 * passing a NULL thread table does not clear that flag.
 */
static inline void set_callbacks(const struct avc_memory_callback *mem_cb,
				 const struct avc_log_callback *log_cb,
				 const struct avc_thread_callback *thread_cb,
				 const struct avc_lock_callback *lock_cb)
{
	if (mem_cb != NULL) {
		avc_func_malloc = mem_cb->func_malloc;
		avc_func_free = mem_cb->func_free;
	}

	if (log_cb != NULL) {
		avc_func_log = log_cb->func_log;
		avc_func_audit = log_cb->func_audit;
	}

	if (thread_cb != NULL) {
		/* a thread table means the caller drives the AVC from its own thread */
		avc_using_threads = 1;
		avc_func_create_thread = thread_cb->func_create_thread;
		avc_func_stop_thread = thread_cb->func_stop_thread;
	}

	if (lock_cb != NULL) {
		avc_func_alloc_lock = lock_cb->func_alloc_lock;
		avc_func_get_lock = lock_cb->func_get_lock;
		avc_func_release_lock = lock_cb->func_release_lock;
		avc_func_free_lock = lock_cb->func_free_lock;
	}
}

/* message prefix and enforcing mode */
#define AVC_PREFIX_SIZE 16
extern char avc_prefix[AVC_PREFIX_SIZE] hidden;
extern int avc_running hidden;
extern int avc_enforcing hidden;
extern int avc_setenforce hidden;

/* user-supplied callback interface for avc */
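/*
 * Allocate 'size' bytes through the user-supplied allocator, or through
 * the C library when no allocator callback was installed.  Returns NULL
 * on failure; the memory is released with avc_free().
 */
static inline void *avc_malloc(size_t size)
{
	return avc_func_malloc ? avc_func_malloc(size) : malloc(size);
}

/*
 * Release memory obtained from avc_malloc(), using the matching
 * user-supplied routine when one was installed.
 */
static inline void avc_free(void *ptr)
{
	if (avc_func_free)
		avc_func_free(ptr);
	else
		free(ptr);
}

/*
 * Log a message through the user-supplied log callback, or through
 * selinux_log() when none was installed.
 *
 * This is a macro so that the variadic arguments can be forwarded
 * unchanged.  It is wrapped in do/while(0) so an invocation behaves as a
 * single statement and can safely be the body of an if/else; the
 * standard C99 __VA_ARGS__ form is used rather than the GNU named
 * variadic extension.  'type' is consumed only by the selinux_log()
 * fallback; the user callback receives just the format string and its
 * arguments.
 */
#define avc_log(type, ...)						\
	do {								\
		if (avc_func_log)					\
			avc_func_log(__VA_ARGS__);			\
		else							\
			selinux_log(type, __VA_ARGS__);			\
	} while (0)

/*
 * Supplemental audit hook: hand the formatted audit text in 'buf'
 * (length 'len') to the user-supplied routine, or to selinux_audit()
 * when none was installed.
 */
static inline void avc_suppl_audit(void *ptr, security_class_t tclass,
				   char *buf, size_t len)
{
	if (avc_func_audit)
		avc_func_audit(ptr, tclass, buf, len);
	else
		selinux_audit(ptr, tclass, buf, len);
}

/*
 * Start a thread running 'run' via the user-supplied thread routine.
 * Returns the opaque thread handle, or NULL when no thread callback was
 * installed (callers must treat NULL as "no thread was started").
 */
static inline void *avc_create_thread(void (*run) (void))
{
	return avc_func_create_thread ? avc_func_create_thread(run) : NULL;
}

/* Stop a thread started by avc_create_thread(); a no-op without a callback. */
static inline void avc_stop_thread(void *thread)
{
	if (avc_func_stop_thread)
		avc_func_stop_thread(thread);
}

/*
 * Allocate a lock via the user-supplied routine.  Returns NULL when no
 * lock callback was installed, in which case the get/release/free
 * wrappers below are also no-ops.
 */
static inline void *avc_alloc_lock(void)
{
	return avc_func_alloc_lock ? avc_func_alloc_lock() : NULL;
}

/* Acquire 'lock'; a no-op when no lock callback was installed. */
static inline void avc_get_lock(void *lock)
{
	if (avc_func_get_lock)
		avc_func_get_lock(lock);
}

/* Release 'lock'; a no-op when no lock callback was installed. */
static inline void avc_release_lock(void *lock)
{
	if (avc_func_release_lock)
		avc_func_release_lock(lock);
}

/* Destroy a lock from avc_alloc_lock(); a no-op when no lock callback was installed. */
static inline void avc_free_lock(void *lock)
{
	if (avc_func_free_lock)
		avc_func_free_lock(lock);
}

/*
 * Statistics helper routines.
 *
 * Both variants expand to a single expression so that an invocation
 * followed by ';' is one statement whether or not AVC_CACHE_STATS is
 * defined (the disabled form expands to ((void)0) rather than to
 * nothing, so it cannot leave a dangling 'if').
 */
#ifdef AVC_CACHE_STATS

#define avc_cache_stats_incr(field) (cache_stats.field++)
#define avc_cache_stats_add(field, num) (cache_stats.field += (num))

#else

#define avc_cache_stats_incr(field) ((void)0)
#define avc_cache_stats_add(field, num) ((void)0)

#endif

/* logging helper routines */
#define AVC_AUDIT_BUFSIZE 1024

/*
 * Append formatted text to an audit buffer of exactly AVC_AUDIT_BUFSIZE
 * bytes.  'buf' must already hold a NUL-terminated string; text that does
 * not fit is truncated and the buffer stays NUL-terminated.  This is a
 * macro so the variadic arguments can be forwarded; 'buf' is evaluated
 * more than once, so pass a plain array or pointer, never an expression
 * with side effects.
 */
#define log_append(buf, ...)						\
	snprintf((buf) + strlen(buf), AVC_AUDIT_BUFSIZE - strlen(buf), __VA_ARGS__)

/*
 * Internal callbacks invoked by the policy-change / netlink handling code
 * to keep the cache in step with the security server.  All take the
 * (ssid, tsid, tclass) triple naming a cache entry plus the policy
 * sequence number the change belongs to.
 */
int avc_ss_grant(security_id_t ssid, security_id_t tsid,
		 security_class_t tclass, access_vector_t perms,
		 uint32_t seqno) hidden;
int avc_ss_try_revoke(security_id_t ssid, security_id_t tsid,
		      security_class_t tclass,
		      access_vector_t perms, uint32_t seqno,
		      access_vector_t * out_retained) hidden;
int avc_ss_revoke(security_id_t ssid, security_id_t tsid,
		  security_class_t tclass, access_vector_t perms,
		  uint32_t seqno) hidden;
int avc_ss_reset(uint32_t seqno) hidden;
int avc_ss_set_auditallow(security_id_t ssid, security_id_t tsid,
			  security_class_t tclass, access_vector_t perms,
			  uint32_t seqno, uint32_t enable) hidden;
int avc_ss_set_auditdeny(security_id_t ssid, security_id_t tsid,
			 security_class_t tclass, access_vector_t perms,
			 uint32_t seqno, uint32_t enable) hidden;

/* netlink kernel message code */
extern int avc_netlink_trouble hidden;

hidden_proto(avc_av_stats)
    hidden_proto(avc_cleanup)
    hidden_proto(avc_reset)
    hidden_proto(avc_audit)
    hidden_proto(avc_has_perm_noaudit)
#endif				/* _SELINUX_AVC_INTERNAL_H_ */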