1f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/* 2f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Access vector cache interface for object managers. 3f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 4f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Author : Eamon Walsh <ewalsh@epoch.ncsc.mil> 5f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 6f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#ifndef _SELINUX_AVC_H_ 7f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#define _SELINUX_AVC_H_ 8f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 9f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#include <stdint.h> 10f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#include <errno.h> 11f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#include <stdlib.h> 12f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#include <selinux/selinux.h> 13f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 14f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#ifdef __cplusplus 15f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyextern "C" { 16f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#endif 17f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 18f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/* 19f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * SID format and operations 20f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 21f074036424618c130dacb3464465a8b40bffef5Stephen Smalleystruct security_id { 22ab40ea9bfd71b50138f1482c4764a65ac17d8cafStephen Smalley char * ctx; 23f074036424618c130dacb3464465a8b40bffef5Stephen Smalley unsigned int refcnt; 24f074036424618c130dacb3464465a8b40bffef5Stephen Smalley}; 25f074036424618c130dacb3464465a8b40bffef5Stephen Smalleytypedef struct security_id *security_id_t; 26f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 27f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#define SECSID_WILD (security_id_t)NULL /* unspecified SID */ 
28f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 29f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 30f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_sid_to_context - get copy of context corresponding to SID. 31f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @sid: input SID 32f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @ctx: pointer to context reference 33f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 34f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Return a copy of the security context corresponding to the input 35f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @sid in the memory referenced by @ctx. The caller is expected to 36f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * free the context with freecon(). Return %0 on success, -%1 on 37f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * failure, with @errno set to %ENOMEM if insufficient memory was 38f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * available to make the copy, or %EINVAL if the input SID is invalid. 39f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 40ab40ea9bfd71b50138f1482c4764a65ac17d8cafStephen Smalleyint avc_sid_to_context(security_id_t sid, char ** ctx); 41ab40ea9bfd71b50138f1482c4764a65ac17d8cafStephen Smalleyint avc_sid_to_context_raw(security_id_t sid, char ** ctx); 42f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 43f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 44f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_context_to_sid - get SID for context. 
45f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @ctx: input security context 46f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @sid: pointer to SID reference 47f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 48f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Look up security context @ctx in SID table, making 49f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * a new entry if @ctx is not found. Increment the 50f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * reference counter for the SID. Store a pointer 51f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * to the SID structure into the memory referenced by @sid, 52f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * returning %0 on success or -%1 on error with @errno set. 53f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 54ab40ea9bfd71b50138f1482c4764a65ac17d8cafStephen Smalleyint avc_context_to_sid(const char * ctx, security_id_t * sid); 55ab40ea9bfd71b50138f1482c4764a65ac17d8cafStephen Smalleyint avc_context_to_sid_raw(const char * ctx, security_id_t * sid); 56f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 57f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 58f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * sidget - increment SID reference counter. 59f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @sid: SID reference 60f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 61f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Increment the reference counter for @sid, indicating that 62f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @sid is in use by an (additional) object. Return the 63f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * new reference count, or zero if @sid is invalid (has zero 64f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * reference count). Note that avc_context_to_sid() also 65f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * increments reference counts. 
66f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 67f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyint sidget(security_id_t sid); 68f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 69f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 70f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * sidput - decrement SID reference counter. 71f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @sid: SID reference 72f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 73f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Decrement the reference counter for @sid, indicating that 74f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * a reference to @sid is no longer in use. Return the 75f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * new reference count. When the reference count reaches 76f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * zero, the SID is invalid, and avc_context_to_sid() must 77f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * be called to obtain a new SID for the security context. 
78f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 79f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyint sidput(security_id_t sid); 80f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 81f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 82f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_get_initial_sid - get SID for an initial kernel security identifier 83f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @name: input name of initial kernel security identifier 84f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @sid: pointer to a SID reference 85f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 86f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Get the context for an initial kernel security identifier specified by 87f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @name using security_get_initial_context() and then call 88f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_context_to_sid() to get the corresponding SID. 89f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 90f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyint avc_get_initial_sid(const char *name, security_id_t * sid); 91f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 92f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/* 93f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * AVC entry 94f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 95f074036424618c130dacb3464465a8b40bffef5Stephen Smalleystruct avc_entry; 96f074036424618c130dacb3464465a8b40bffef5Stephen Smalleystruct avc_entry_ref { 97f074036424618c130dacb3464465a8b40bffef5Stephen Smalley struct avc_entry *ae; 98f074036424618c130dacb3464465a8b40bffef5Stephen Smalley}; 99f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 100f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 101f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_entry_ref_init - initialize an AVC entry reference. 
102f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @aeref: pointer to avc entry reference structure 103f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 104f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Use this macro to initialize an avc entry reference structure 105f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * before first use. These structures are passed to avc_has_perm(), 106f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * which stores cache entry references in them. They can increase 107f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * performance on repeated queries. 108f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 109f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#define avc_entry_ref_init(aeref) ((aeref)->ae = NULL) 110f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 111f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/* 112f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * User-provided callbacks for memory, auditing, and locking 113f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 114f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 115f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/* These structures are passed by reference to avc_init(). Passing 116f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * a NULL reference will cause the AVC to use a default. The default 117f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * memory callbacks are malloc() and free(). The default logging method 118f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * is to print on stderr. If no thread callbacks are passed, a separate 119f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * listening thread won't be started for kernel policy change messages. 120f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * If no locking callbacks are passed, no locking will take place. 
121f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 122f074036424618c130dacb3464465a8b40bffef5Stephen Smalleystruct avc_memory_callback { 123f074036424618c130dacb3464465a8b40bffef5Stephen Smalley /* malloc() equivalent. */ 124f074036424618c130dacb3464465a8b40bffef5Stephen Smalley void *(*func_malloc) (size_t size); 125f074036424618c130dacb3464465a8b40bffef5Stephen Smalley /* free() equivalent. */ 126f074036424618c130dacb3464465a8b40bffef5Stephen Smalley void (*func_free) (void *ptr); 127f074036424618c130dacb3464465a8b40bffef5Stephen Smalley /* Note that these functions should set errno on failure. 128f074036424618c130dacb3464465a8b40bffef5Stephen Smalley If not, some avc routines may return -1 without errno set. */ 129f074036424618c130dacb3464465a8b40bffef5Stephen Smalley}; 130f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 131f074036424618c130dacb3464465a8b40bffef5Stephen Smalleystruct avc_log_callback { 132f074036424618c130dacb3464465a8b40bffef5Stephen Smalley /* log the printf-style format and arguments. */ 133f074036424618c130dacb3464465a8b40bffef5Stephen Smalley void (*func_log) (const char *fmt, ...); 134f074036424618c130dacb3464465a8b40bffef5Stephen Smalley /* store a string representation of auditdata (corresponding 135f074036424618c130dacb3464465a8b40bffef5Stephen Smalley to the given security class) into msgbuf. */ 136f074036424618c130dacb3464465a8b40bffef5Stephen Smalley void (*func_audit) (void *auditdata, security_class_t cls, 137f074036424618c130dacb3464465a8b40bffef5Stephen Smalley char *msgbuf, size_t msgbufsize); 138f074036424618c130dacb3464465a8b40bffef5Stephen Smalley}; 139f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 140f074036424618c130dacb3464465a8b40bffef5Stephen Smalleystruct avc_thread_callback { 141f074036424618c130dacb3464465a8b40bffef5Stephen Smalley /* create and start a thread, returning an opaque pointer to it; 142f074036424618c130dacb3464465a8b40bffef5Stephen Smalley the thread should run the given function. 
*/ 143f074036424618c130dacb3464465a8b40bffef5Stephen Smalley void *(*func_create_thread) (void (*run) (void)); 144f074036424618c130dacb3464465a8b40bffef5Stephen Smalley /* cancel a given thread and free its resources. */ 145f074036424618c130dacb3464465a8b40bffef5Stephen Smalley void (*func_stop_thread) (void *thread); 146f074036424618c130dacb3464465a8b40bffef5Stephen Smalley}; 147f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 148f074036424618c130dacb3464465a8b40bffef5Stephen Smalleystruct avc_lock_callback { 149f074036424618c130dacb3464465a8b40bffef5Stephen Smalley /* create a lock and return an opaque pointer to it. */ 150f074036424618c130dacb3464465a8b40bffef5Stephen Smalley void *(*func_alloc_lock) (void); 151f074036424618c130dacb3464465a8b40bffef5Stephen Smalley /* obtain a given lock, blocking if necessary. */ 152f074036424618c130dacb3464465a8b40bffef5Stephen Smalley void (*func_get_lock) (void *lock); 153f074036424618c130dacb3464465a8b40bffef5Stephen Smalley /* release a given lock. */ 154f074036424618c130dacb3464465a8b40bffef5Stephen Smalley void (*func_release_lock) (void *lock); 155f074036424618c130dacb3464465a8b40bffef5Stephen Smalley /* destroy a given lock (free memory, etc.) 
*/ 156f074036424618c130dacb3464465a8b40bffef5Stephen Smalley void (*func_free_lock) (void *lock); 157f074036424618c130dacb3464465a8b40bffef5Stephen Smalley}; 158f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 159f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/* 160f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Available options 161f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 162f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 163f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/* no-op option, useful for unused slots in an array of options */ 164f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#define AVC_OPT_UNUSED 0 165f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/* override kernel enforcing mode (boolean value) */ 166f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#define AVC_OPT_SETENFORCE 1 167f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 168f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/* 169f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * AVC operations 170f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 171f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 172f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 173f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_init - Initialize the AVC. 
174f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @msgprefix: prefix for log messages 175f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @mem_callbacks: user-supplied memory callbacks 176f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @log_callbacks: user-supplied logging callbacks 177f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @thread_callbacks: user-supplied threading callbacks 178f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @lock_callbacks: user-supplied locking callbacks 179f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 180f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Initialize the access vector cache. Return %0 on 181f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * success or -%1 with @errno set on failure. 182f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * If @msgprefix is NULL, use "uavc". If any callback 183f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * structure references are NULL, use default methods 184f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * for those callbacks (see the definition of the callback 185f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * structures above). 
186f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 187f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyint avc_init(const char *msgprefix, 188f074036424618c130dacb3464465a8b40bffef5Stephen Smalley const struct avc_memory_callback *mem_callbacks, 189f074036424618c130dacb3464465a8b40bffef5Stephen Smalley const struct avc_log_callback *log_callbacks, 190f074036424618c130dacb3464465a8b40bffef5Stephen Smalley const struct avc_thread_callback *thread_callbacks, 191f074036424618c130dacb3464465a8b40bffef5Stephen Smalley const struct avc_lock_callback *lock_callbacks); 192f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 193f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 194f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_open - Initialize the AVC. 195f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @opts: array of selabel_opt structures specifying AVC options or NULL. 196f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @nopts: number of elements in opts array or zero for no options. 197f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 198f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * This function is identical to avc_init(), except the message prefix 199f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * is set to "avc" and any callbacks desired should be specified via 200f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * selinux_set_callback(). Available options are listed above. 201f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 202f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyint avc_open(struct selinux_opt *opts, unsigned nopts); 203f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 204f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 205f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_cleanup - Remove unused SIDs and AVC entries. 
206f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 207f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Search the SID table for SID structures with zero 208f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * reference counts, and remove them along with all 209f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * AVC entries that reference them. This can be used 210f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * to return memory to the system. 211f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 212f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyvoid avc_cleanup(void); 213f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 214f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 215f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_reset - Flush the cache and reset statistics. 216f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 217f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Remove all entries from the cache and reset all access 218f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * statistics (as returned by avc_cache_stats()) to zero. 219f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * The SID mapping is not affected. Return %0 on success, 220f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * -%1 with @errno set on error. 221f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 222f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyint avc_reset(void); 223f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 224f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 225f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_destroy - Free all AVC structures. 226f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 227f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Destroy all AVC structures and free all allocated 228f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * memory. 
User-supplied locking, memory, and audit 229f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * callbacks will be retained, but security-event 230f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * callbacks will not. All SID's will be invalidated. 231f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * User must call avc_init() if further use of AVC is desired. 232f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 233f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyvoid avc_destroy(void); 234f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 235f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 236f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_has_perm_noaudit - Check permissions but perform no auditing. 237f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @ssid: source security identifier 238f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @tsid: target security identifier 239f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @tclass: target security class 240f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @requested: requested permissions, interpreted based on @tclass 241f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @aeref: AVC entry reference 242f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @avd: access vector decisions 243f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 244f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Check the AVC to determine whether the @requested permissions are granted 245f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * for the SID pair (@ssid, @tsid), interpreting the permissions 246f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * based on @tclass, and call the security server on a cache miss to obtain 247f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * a new decision and add it to the cache. 
Update @aeref to refer to an AVC 248f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * entry with the resulting decisions, and return a copy of the decisions 249f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * in @avd. Return %0 if all @requested permissions are granted, -%1 with 250f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @errno set to %EACCES if any permissions are denied, or to another value 251f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * upon other errors. This function is typically called by avc_has_perm(), 252f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * but may also be called directly to separate permission checking from 253f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * auditing, e.g. in cases where a lock must be held for the check but 254f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * should be released for the auditing. 255f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 256f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyint avc_has_perm_noaudit(security_id_t ssid, 257f074036424618c130dacb3464465a8b40bffef5Stephen Smalley security_id_t tsid, 258f074036424618c130dacb3464465a8b40bffef5Stephen Smalley security_class_t tclass, 259f074036424618c130dacb3464465a8b40bffef5Stephen Smalley access_vector_t requested, 260f074036424618c130dacb3464465a8b40bffef5Stephen Smalley struct avc_entry_ref *aeref, struct av_decision *avd); 261f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 262f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 263f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_has_perm - Check permissions and perform any appropriate auditing. 
264f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @ssid: source security identifier 265f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @tsid: target security identifier 266f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @tclass: target security class 267f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @requested: requested permissions, interpreted based on @tclass 268f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @aeref: AVC entry reference 269f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @auditdata: auxiliary audit data 270f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 271f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Check the AVC to determine whether the @requested permissions are granted 272f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * for the SID pair (@ssid, @tsid), interpreting the permissions 273f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * based on @tclass, and call the security server on a cache miss to obtain 274f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * a new decision and add it to the cache. Update @aeref to refer to an AVC 275f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * entry with the resulting decisions. Audit the granting or denial of 276f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * permissions in accordance with the policy. Return %0 if all @requested 277f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * permissions are granted, -%1 with @errno set to %EACCES if any permissions 278f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * are denied or to another value upon other errors. 
279f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 280f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyint avc_has_perm(security_id_t ssid, security_id_t tsid, 281f074036424618c130dacb3464465a8b40bffef5Stephen Smalley security_class_t tclass, access_vector_t requested, 282f074036424618c130dacb3464465a8b40bffef5Stephen Smalley struct avc_entry_ref *aeref, void *auditdata); 283f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 284f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 285f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_audit - Audit the granting or denial of permissions. 286f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @ssid: source security identifier 287f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @tsid: target security identifier 288f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @tclass: target security class 289f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @requested: requested permissions 290f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @avd: access vector decisions 291f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @result: result from avc_has_perm_noaudit 292f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @auditdata: auxiliary audit data 293f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 294f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Audit the granting or denial of permissions in accordance 295f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * with the policy. This function is typically called by 296f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_has_perm() after a permission check, but can also be 297f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * called directly by callers who use avc_has_perm_noaudit() 298f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * in order to separate the permission check from the auditing. 
299f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * For example, this separation is useful when the permission check must 300f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * be performed under a lock, to allow the lock to be released 301f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * before calling the auditing code. 302f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 303f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyvoid avc_audit(security_id_t ssid, security_id_t tsid, 304f074036424618c130dacb3464465a8b40bffef5Stephen Smalley security_class_t tclass, access_vector_t requested, 305f074036424618c130dacb3464465a8b40bffef5Stephen Smalley struct av_decision *avd, int result, void *auditdata); 306f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 307f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 308f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_compute_create - Compute SID for labeling a new object. 309f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @ssid: source security identifier 310f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @tsid: target security identifier 311f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @tclass: target security class 312f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @newsid: pointer to SID reference 313f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 314f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Call the security server to obtain a context for labeling a 315f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * new object. Look up the context in the SID table, making 316f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * a new entry if not found. Increment the reference counter 317f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * for the SID. 
Store a pointer to the SID structure into the 318f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * memory referenced by @newsid, returning %0 on success or -%1 on 319f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * error with @errno set. 320f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 321f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyint avc_compute_create(security_id_t ssid, 322f074036424618c130dacb3464465a8b40bffef5Stephen Smalley security_id_t tsid, 323f074036424618c130dacb3464465a8b40bffef5Stephen Smalley security_class_t tclass, security_id_t * newsid); 324f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 325f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 326f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_compute_member - Compute SID for polyinstantation. 327f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @ssid: source security identifier 328f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @tsid: target security identifier 329f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @tclass: target security class 330f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @newsid: pointer to SID reference 331f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 332f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Call the security server to obtain a context for labeling an 333f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * object instance. Look up the context in the SID table, making 334f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * a new entry if not found. Increment the reference counter 335f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * for the SID. Store a pointer to the SID structure into the 336f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * memory referenced by @newsid, returning %0 on success or -%1 on 337f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * error with @errno set. 
338f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 339f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyint avc_compute_member(security_id_t ssid, 340f074036424618c130dacb3464465a8b40bffef5Stephen Smalley security_id_t tsid, 341f074036424618c130dacb3464465a8b40bffef5Stephen Smalley security_class_t tclass, security_id_t * newsid); 342f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 343f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/* 344f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * security event callback facility 345f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 346f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 347f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/* security events */ 348f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#define AVC_CALLBACK_GRANT 1 349f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#define AVC_CALLBACK_TRY_REVOKE 2 350f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#define AVC_CALLBACK_REVOKE 4 351f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#define AVC_CALLBACK_RESET 8 352f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#define AVC_CALLBACK_AUDITALLOW_ENABLE 16 353f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#define AVC_CALLBACK_AUDITALLOW_DISABLE 32 354f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#define AVC_CALLBACK_AUDITDENY_ENABLE 64 355f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#define AVC_CALLBACK_AUDITDENY_DISABLE 128 356f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 357f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 358f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_add_callback - Register a callback for security events. 
359f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @callback: callback function 360f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @events: bitwise OR of desired security events 361f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @ssid: source security identifier or %SECSID_WILD 362f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @tsid: target security identifier or %SECSID_WILD 363f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @tclass: target security class 364f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @perms: permissions 365f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 366f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Register a callback function for events in the set @events 367f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * related to the SID pair (@ssid, @tsid) 368f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * and the permissions @perms, interpreting 369f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @perms based on @tclass. Returns %0 on success or 370f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * -%1 if insufficient memory exists to add the callback. 
371f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 372f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyint avc_add_callback(int (*callback) 373f074036424618c130dacb3464465a8b40bffef5Stephen Smalley (uint32_t event, security_id_t ssid, 374f074036424618c130dacb3464465a8b40bffef5Stephen Smalley security_id_t tsid, security_class_t tclass, 375f074036424618c130dacb3464465a8b40bffef5Stephen Smalley access_vector_t perms, 376f074036424618c130dacb3464465a8b40bffef5Stephen Smalley access_vector_t * out_retained), 377f074036424618c130dacb3464465a8b40bffef5Stephen Smalley uint32_t events, security_id_t ssid, 378f074036424618c130dacb3464465a8b40bffef5Stephen Smalley security_id_t tsid, security_class_t tclass, 379f074036424618c130dacb3464465a8b40bffef5Stephen Smalley access_vector_t perms); 380f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 381f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/* 382f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * AVC statistics 383f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 384f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 385f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/* If set, cache statistics are tracked. This may 386f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * become a compile-time option in the future. 
387f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 388f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#define AVC_CACHE_STATS 1 389f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 390f074036424618c130dacb3464465a8b40bffef5Stephen Smalleystruct avc_cache_stats { 391f074036424618c130dacb3464465a8b40bffef5Stephen Smalley unsigned entry_lookups; 392f074036424618c130dacb3464465a8b40bffef5Stephen Smalley unsigned entry_hits; 393f074036424618c130dacb3464465a8b40bffef5Stephen Smalley unsigned entry_misses; 394f074036424618c130dacb3464465a8b40bffef5Stephen Smalley unsigned entry_discards; 395f074036424618c130dacb3464465a8b40bffef5Stephen Smalley unsigned cav_lookups; 396f074036424618c130dacb3464465a8b40bffef5Stephen Smalley unsigned cav_hits; 397f074036424618c130dacb3464465a8b40bffef5Stephen Smalley unsigned cav_probes; 398f074036424618c130dacb3464465a8b40bffef5Stephen Smalley unsigned cav_misses; 399f074036424618c130dacb3464465a8b40bffef5Stephen Smalley}; 400f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 401f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 402f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_cache_stats - get cache access statistics. 403f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * @stats: reference to statistics structure 404f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 405f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Fill the supplied structure with information about AVC 406f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * activity since the last call to avc_init() or 407f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_reset(). See the structure definition for 408f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * details. 
409f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 410f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyvoid avc_cache_stats(struct avc_cache_stats *stats); 411f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 412f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 413f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_av_stats - log av table statistics. 414f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 415f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Log a message with information about the size and 416f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * distribution of the access vector table. The audit 417f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * callback is used to print the message. 418f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 419f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyvoid avc_av_stats(void); 420f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 421f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 422f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_sid_stats - log SID table statistics. 423f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 424f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Log a message with information about the size and 425f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * distribution of the SID table. The audit callback 426f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * is used to print the message. 427f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 428f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyvoid avc_sid_stats(void); 429f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 430f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 431f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_netlink_open - Create a netlink socket and connect to the kernel. 
432f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 433f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyint avc_netlink_open(int blocking); 434f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 435f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 436f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_netlink_loop - Wait for netlink messages from the kernel 437f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 438f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyvoid avc_netlink_loop(void); 439f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 440f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 441f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_netlink_close - Close the netlink socket 442f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 443f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyvoid avc_netlink_close(void); 444f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 445f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 446f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_netlink_acquire_fd - Acquire netlink socket fd. 447f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 448f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Allows the application to manage messages from the netlink socket in 449f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * its own main loop. 450f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 451f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyint avc_netlink_acquire_fd(void); 452f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 453f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 454f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_netlink_release_fd - Release netlink socket fd. 455f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 456f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Returns ownership of the netlink socket to the library. 
457f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 458f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyvoid avc_netlink_release_fd(void); 459f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 460f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 461f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * avc_netlink_check_nb - Check netlink socket for new messages. 462f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 463f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * Called by the application when using avc_netlink_acquire_fd() to 464f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * process kernel netlink events. 465f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 466f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyint avc_netlink_check_nb(void); 467f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 468f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 469f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * selinux_status_open - Open and map SELinux kernel status page 470f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 471f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 472f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyint selinux_status_open(int fallback); 473f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 474f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 475f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * selinux_status_close - Unmap and close SELinux kernel status page 476f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 477f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 478f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyvoid selinux_status_close(void); 479f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 480f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 481f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * selinux_status_updated - Inform us whether the kernel status has been updated 
482f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 483f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 484f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyint selinux_status_updated(void); 485f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 486f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 487f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * selinux_status_getenforce - Get the enforce flag value 488f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 489f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 490f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyint selinux_status_getenforce(void); 491f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 492f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 493f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * selinux_status_policyload - Get the number of policy reloads 494f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 495f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 496f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyint selinux_status_policyload(void); 497f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 498f074036424618c130dacb3464465a8b40bffef5Stephen Smalley/** 499f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * selinux_status_deny_unknown - Get the behavior for undefined classes/permissions 500f074036424618c130dacb3464465a8b40bffef5Stephen Smalley * 501f074036424618c130dacb3464465a8b40bffef5Stephen Smalley */ 502f074036424618c130dacb3464465a8b40bffef5Stephen Smalleyint selinux_status_deny_unknown(void); 503f074036424618c130dacb3464465a8b40bffef5Stephen Smalley 504f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#ifdef __cplusplus 505f074036424618c130dacb3464465a8b40bffef5Stephen Smalley} 506f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#endif 507f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#endif /* _SELINUX_AVC_H_ */ 508