/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */

/*
 * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
 * Tuned number of hash slots for avtab to reduce memory usage
 */

/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
 *
 * Added conditional policy language extensions
 *
 * Copyright (C) 2003 Tresys Technology, LLC
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 */

/* FLASK */

/*
 * An access vector table (avtab) is a hash table
 * of access vectors and transition types indexed
 * by a type pair and a class. An access vector
 * table is used to represent the type enforcement
 * tables.
 *
 * Layout, as declared below: an avtab_t owns a bucket array of
 * avtab_node chains; each node carries an avtab_key_t (source type,
 * target type, target class, and a 'specified' bitmask saying which
 * rule kind the node holds) and an avtab_datum_t (an access vector,
 * a type, or a pointer to an operations set). The binary policy
 * reader entry points (avtab_read_item / avtab_read) are the place
 * where file-supplied values enter this structure; validation of those
 * values lives in avtab.c, not in this header.
 */

#ifndef _SEPOL_POLICYDB_AVTAB_H_
#define _SEPOL_POLICYDB_AVTAB_H_

#include <sys/cdefs.h>
#include <sys/types.h>
#include <stdint.h>

/* __BEGIN_DECLS / __END_DECLS (from <sys/cdefs.h>) give the
 * declarations C linkage when this header is included from C++. */
__BEGIN_DECLS

/*
 * Hash key of one avtab entry. The three 16-bit type/class ids plus the
 * 'specified' bitmask make up the key; the AVTAB_* flags below are the
 * values that may be OR-ed into 'specified'.
 */
typedef struct avtab_key {
	uint16_t source_type;
	uint16_t target_type;
	uint16_t target_class;
/*
 * Flags for the 'specified' field. They say which kind of rule the entry
 * carries and therefore how the datum is to be interpreted (see the
 * comment on avtab_datum_t).
 *
 * Access-vector rules. Note that 0x0008 is unassigned and that
 * AVTAB_NEVERALLOW is NOT included in the AVTAB_AV group.
 */
#define AVTAB_ALLOWED		0x0001
#define AVTAB_AUDITALLOW	0x0002
#define AVTAB_AUDITDENY		0x0004
#define AVTAB_NEVERALLOW	0x0080
#define AVTAB_AV		(AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY)
/* Type rules (type_transition / type_member / type_change). */
#define AVTAB_TRANSITION	0x0010
#define AVTAB_MEMBER		0x0020
#define AVTAB_CHANGE		0x0040
#define AVTAB_TYPE		(AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
/*
 * Operation rules. Two families (OPNUM and OPTYPE), each with an
 * allow / auditallow / dontaudit variant; AVTAB_OP is the union of both.
 * NOTE(review): presumably these entries use datum.ops rather than
 * datum.data -- confirm in avtab.c.
 */
#define AVTAB_OPNUM_ALLOWED	0x0100
#define AVTAB_OPNUM_AUDITALLOW	0x0200
#define AVTAB_OPNUM_DONTAUDIT	0x0400
#define AVTAB_OPNUM		(AVTAB_OPNUM_ALLOWED | AVTAB_OPNUM_AUDITALLOW | AVTAB_OPNUM_DONTAUDIT)
#define AVTAB_OPTYPE_ALLOWED	0x1000
#define AVTAB_OPTYPE_AUDITALLOW	0x2000
#define AVTAB_OPTYPE_DONTAUDIT	0x4000
#define AVTAB_OPTYPE		(AVTAB_OPTYPE_ALLOWED | AVTAB_OPTYPE_AUDITALLOW | AVTAB_OPTYPE_DONTAUDIT)
#define AVTAB_OP		(AVTAB_OPNUM | AVTAB_OPTYPE)
/*
 * AVTAB_ENABLED_OLD does not fit in the 16-bit 'specified' field;
 * NOTE(review): presumably it is only meaningful when decoding an
 * older on-disk encoding inside avtab_read_item -- confirm there
 * before comparing it against 'specified'.
 */
#define AVTAB_ENABLED_OLD	0x80000000
#define AVTAB_ENABLED		0x8000	/* reserved for use in cond_avtab */
	uint16_t specified;	/* bitmask of the AVTAB_* flags above:
				 * which rule kind(s) this entry specifies */
} avtab_key_t;

/*
 * Operations set referenced from an avtab_datum_t. 'perms' is 8 words of
 * 32 bits, i.e. a 256-bit bitmap. What 'type' selects, and how the bitmap
 * is indexed, is defined by the reader/writer code in avtab.c and is not
 * visible from this header.
 */
typedef struct avtab_operations {
	uint8_t type;
	uint32_t perms[8];	/* 8 x 32 = 256 bits */
} avtab_operations_t;

/*
 * Value stored for one key. 'data' is read according to key.specified
 * (access vector for AVTAB_AV entries, a type for AVTAB_TYPE entries);
 * 'ops' is a pointer to a separately allocated operations set.
 * NOTE(review): ownership of 'ops' (who allocates, who frees, whether it
 * may be NULL) is decided in avtab.c -- confirm before freeing a datum.
 */
typedef struct avtab_datum {
	uint32_t data;		/* access vector or type */
	avtab_operations_t *ops;	/* operations set, or NULL (see note above) */
} avtab_datum_t;

typedef struct avtab_node *avtab_ptr_t;

/*
 * One hash-chain element. Only 'key' and 'datum' represent policy;
 * 'next' is the chain link and the last two fields are scratch state
 * for the parser and the writer that never reaches the binary policy.
 */
struct avtab_node {
	avtab_key_t key;
	avtab_datum_t datum;
	avtab_ptr_t next;	/* next node in the same hash bucket */
	void *parse_context;	/* generic context pointer used by parser;
				 * not saved in binary policy */
	unsigned merged;	/* flag for avtab_write only;
				   not saved in binary policy */
};

/*
 * The table itself. 'htable' is an array of 'nslot' chain heads and
 * 'nel' counts the nodes currently stored across all chains.
 * NOTE(review): given MAX_AVTAB_HASH_MASK below, 'mask' is presumably
 * nslot - 1 with nslot a power of two -- confirm in avtab_alloc.
 */
typedef struct avtab {
	avtab_ptr_t *htable;
	uint32_t nel;		/* number of elements */
	uint32_t nslot;		/* number of hash slots */
	uint32_t mask;		/* mask to compute hash func */
} avtab_t;

/*
 * Lifecycle.
 *
 * avtab_init  - initialise an avtab_t before first use.
 * avtab_alloc - size the bucket array for the given expected element
 *               count (one bucket per 2-4 elements, see MAX_AVTAB_SIZE
 *               below); the count is capped by MAX_AVTAB_SIZE.
 * avtab_insert - insert a copy of (k, d).
 * Return value: int; the success/error convention is defined in avtab.c.
 */
extern int avtab_init(avtab_t *);
extern int avtab_alloc(avtab_t *, uint32_t);
extern int avtab_insert(avtab_t * h, avtab_key_t * k, avtab_datum_t * d);

/* Look up the datum stored under k. NOTE(review): presumably returns
 * NULL when no entry matches -- confirm in avtab.c. */
extern avtab_datum_t *avtab_search(avtab_t * h, avtab_key_t * k);

/* Release every node and the bucket array of h. */
extern void avtab_destroy(avtab_t * h);

/*
 * Call apply(key, datum, args) for each entry. 'args' is passed through
 * untouched. NOTE(review): whether a non-zero return from 'apply' stops
 * the walk, and what avtab_map then returns, is decided in avtab.c.
 */
extern int avtab_map(avtab_t * h,
		     int (*apply) (avtab_key_t * k,
				   avtab_datum_t * d, void *args), void *args);

/* Diagnostic: report hash-distribution statistics for h, labelled with
 * 'tag'. The parameter is a non-const char *, so callers must not rely on
 * the string being left untouched. */
extern void avtab_hash_eval(avtab_t * h, char *tag);

struct policy_file;
/*
 * Read one entry from the binary policy 'fp' encoded in policy version
 * 'vers' and hand it to 'insert' (with the caller's 'p' as its last
 * argument). Everything in the produced key and datum originates from
 * the policy image; range and consistency checks on those values belong
 * in the implementation of this function, before 'insert' is called.
 */
extern int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a,
			   int (*insert) (avtab_t * a, avtab_key_t * k,
					  avtab_datum_t * d, void *p), void *p);

/* Read a complete table from 'fp' (policy version 'vers') into 'a'. */
extern int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers);

/* Insert without rejecting a key that is already present; returns the
 * new node. */
extern avtab_ptr_t avtab_insert_nonunique(avtab_t * h, avtab_key_t * key,
					  avtab_datum_t * datum);

/* Like avtab_insert_nonunique, additionally storing 'parse_context' in
 * the new node's parse_context field. */
extern avtab_ptr_t avtab_insert_with_parse_context(avtab_t * h,
						   avtab_key_t * key,
						   avtab_datum_t * datum,
						   void *parse_context);

/* Node-level lookup: the first node matching 'key'. */
extern avtab_ptr_t avtab_search_node(avtab_t * h, avtab_key_t * key);

/* Continue from 'node' to the next node with the same key whose
 * key.specified matches 'specified'. */
extern avtab_ptr_t avtab_search_node_next(avtab_ptr_t node, int specified);

/*
 * Sizing limits. 20 bits gives 1 << 20 = 1048576 buckets; the mask keeps
 * the low 20 bits of a hash value.
 */
#define MAX_AVTAB_HASH_BITS 20
#define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS)
#define MAX_AVTAB_HASH_MASK (MAX_AVTAB_HASH_BUCKETS-1)
/* avtab_alloc uses one bucket per 2-4 elements, so adjust to get maximum buckets
 * (MAX_AVTAB_SIZE is therefore 2 * MAX_AVTAB_HASH_BUCKETS = 2097152). */
#define MAX_AVTAB_SIZE (MAX_AVTAB_HASH_BUCKETS << 1)

__END_DECLS
#endif /* _SEPOL_POLICYDB_AVTAB_H_ */

/* FLASK */