selinux.h revision 9c46a0a3153124753e3afbd2090fea65a09e1df1
1#ifndef _SELINUX_H_ 2#define _SELINUX_H_ 3 4#include <sys/types.h> 5#include <stdarg.h> 6 7#ifdef __cplusplus 8extern "C" { 9#endif 10 11/* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 if we get an error. */ 12extern int is_selinux_enabled(void); 13/* Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. */ 14extern int is_selinux_mls_enabled(void); 15 16typedef char *security_context_t; 17 18/* Free the memory allocated for a context by any of the below get* calls. */ 19extern void freecon(security_context_t con); 20 21/* Free the memory allocated for a context array by security_compute_user. */ 22extern void freeconary(security_context_t * con); 23 24/* Wrappers for the /proc/pid/attr API. */ 25 26/* Get current context, and set *con to refer to it. 27 Caller must free via freecon. */ 28extern int getcon(security_context_t * con); 29extern int getcon_raw(security_context_t * con); 30 31/* Set the current security context to con. 32 Note that use of this function requires that the entire application 33 be trusted to maintain any desired separation between the old and new 34 security contexts, unlike exec-based transitions performed via setexeccon. 35 When possible, decompose your application and use setexeccon()+execve() 36 instead. Note that the application may lose access to its open descriptors 37 as a result of a setcon() unless policy allows it to use descriptors opened 38 by the old context. */ 39extern int setcon(const security_context_t con); 40extern int setcon_raw(const security_context_t con); 41 42/* Get context of process identified by pid, and 43 set *con to refer to it. Caller must free via freecon. */ 44extern int getpidcon(pid_t pid, security_context_t * con); 45extern int getpidcon_raw(pid_t pid, security_context_t * con); 46 47/* Get previous context (prior to last exec), and set *con to refer to it. 48 Caller must free via freecon. */ 49extern int getprevcon(security_context_t * con); 50extern int getprevcon_raw(security_context_t * con); 51 52/* Get exec context, and set *con to refer to it. 53 Sets *con to NULL if no exec context has been set, i.e. using default. 54 If non-NULL, caller must free via freecon. */ 55extern int getexeccon(security_context_t * con); 56extern int getexeccon_raw(security_context_t * con); 57 58/* Set exec security context for the next execve. 59 Call with NULL if you want to reset to the default. */ 60extern int setexeccon(const security_context_t con); 61extern int setexeccon_raw(const security_context_t con); 62 63/* Get fscreate context, and set *con to refer to it. 64 Sets *con to NULL if no fs create context has been set, i.e. using default. 65 If non-NULL, caller must free via freecon. */ 66extern int getfscreatecon(security_context_t * con); 67extern int getfscreatecon_raw(security_context_t * con); 68 69/* Set the fscreate security context for subsequent file creations. 70 Call with NULL if you want to reset to the default. */ 71extern int setfscreatecon(const security_context_t context); 72extern int setfscreatecon_raw(const security_context_t context); 73 74/* Get keycreate context, and set *con to refer to it. 75 Sets *con to NULL if no key create context has been set, i.e. using default. 76 If non-NULL, caller must free via freecon. */ 77extern int getkeycreatecon(security_context_t * con); 78extern int getkeycreatecon_raw(security_context_t * con); 79 80/* Set the keycreate security context for subsequent key creations. 81 Call with NULL if you want to reset to the default. */ 82extern int setkeycreatecon(const security_context_t context); 83extern int setkeycreatecon_raw(const security_context_t context); 84 85/* Get sockcreate context, and set *con to refer to it. 86 Sets *con to NULL if no socket create context has been set, i.e. using default. 87 If non-NULL, caller must free via freecon. */ 88extern int getsockcreatecon(security_context_t * con); 89extern int getsockcreatecon_raw(security_context_t * con); 90 91/* Set the sockcreate security context for subsequent socket creations. 92 Call with NULL if you want to reset to the default. */ 93extern int setsockcreatecon(const security_context_t context); 94extern int setsockcreatecon_raw(const security_context_t context); 95 96/* Wrappers for the xattr API. */ 97 98/* Get file context, and set *con to refer to it. 99 Caller must free via freecon. */ 100extern int getfilecon(const char *path, security_context_t * con); 101extern int getfilecon_raw(const char *path, security_context_t * con); 102extern int lgetfilecon(const char *path, security_context_t * con); 103extern int lgetfilecon_raw(const char *path, security_context_t * con); 104extern int fgetfilecon(int fd, security_context_t * con); 105extern int fgetfilecon_raw(int fd, security_context_t * con); 106 107/* Set file context */ 108extern int setfilecon(const char *path, security_context_t con); 109extern int setfilecon_raw(const char *path, security_context_t con); 110extern int lsetfilecon(const char *path, security_context_t con); 111extern int lsetfilecon_raw(const char *path, security_context_t con); 112extern int fsetfilecon(int fd, security_context_t con); 113extern int fsetfilecon_raw(int fd, security_context_t con); 114 115/* Wrappers for the socket API */ 116 117/* Get context of peer socket, and set *con to refer to it. 118 Caller must free via freecon. */ 119extern int getpeercon(int fd, security_context_t * con); 120extern int getpeercon_raw(int fd, security_context_t * con); 121 122/* Wrappers for the selinuxfs (policy) API. */ 123 124typedef unsigned int access_vector_t; 125typedef unsigned short security_class_t; 126 127struct av_decision { 128 access_vector_t allowed; 129 access_vector_t decided; 130 access_vector_t auditallow; 131 access_vector_t auditdeny; 132 unsigned int seqno; 133 unsigned int flags; 134}; 135 136/* Definitions of av_decision.flags */ 137#define SELINUX_AVD_FLAGS_PERMISSIVE 0x0001 138 139/* Structure for passing options, used by AVC and label subsystems */ 140struct selinux_opt { 141 int type; 142 const char *value; 143}; 144 145/* Callback facilities */ 146union selinux_callback { 147 /* log the printf-style format and arguments, 148 with the type code indicating the type of message */ 149 int 150#ifdef __GNUC__ 151__attribute__ ((format(printf, 2, 3))) 152#endif 153 (*func_log) (int type, const char *fmt, ...); 154 /* store a string representation of auditdata (corresponding 155 to the given security class) into msgbuf. */ 156 int (*func_audit) (void *auditdata, security_class_t cls, 157 char *msgbuf, size_t msgbufsize); 158 /* validate the supplied context, modifying if necessary */ 159 int (*func_validate) (security_context_t *ctx); 160 /* netlink callback for setenforce message */ 161 int (*func_setenforce) (int enforcing); 162 /* netlink callback for policyload message */ 163 int (*func_policyload) (int seqno); 164}; 165 166#define SELINUX_CB_LOG 0 167#define SELINUX_CB_AUDIT 1 168#define SELINUX_CB_VALIDATE 2 169#define SELINUX_CB_SETENFORCE 3 170#define SELINUX_CB_POLICYLOAD 4 171 172extern union selinux_callback selinux_get_callback(int type); 173extern void selinux_set_callback(int type, union selinux_callback cb); 174 175 /* Logging type codes, passed to the logging callback */ 176#define SELINUX_ERROR 0 177#define SELINUX_WARNING 1 178#define SELINUX_INFO 2 179#define SELINUX_AVC 3 180 181/* Compute an access decision. */ 182extern int security_compute_av(const security_context_t scon, 183 const security_context_t tcon, 184 security_class_t tclass, 185 access_vector_t requested, 186 struct av_decision *avd); 187extern int security_compute_av_raw(const security_context_t scon, 188 const security_context_t tcon, 189 security_class_t tclass, 190 access_vector_t requested, 191 struct av_decision *avd); 192 193extern int security_compute_av_flags(const security_context_t scon, 194 const security_context_t tcon, 195 security_class_t tclass, 196 access_vector_t requested, 197 struct av_decision *avd); 198extern int security_compute_av_flags_raw(const security_context_t scon, 199 const security_context_t tcon, 200 security_class_t tclass, 201 access_vector_t requested, 202 struct av_decision *avd); 203 204/* Compute a labeling decision and set *newcon to refer to it. 205 Caller must free via freecon. */ 206extern int security_compute_create(const security_context_t scon, 207 const security_context_t tcon, 208 security_class_t tclass, 209 security_context_t * newcon); 210extern int security_compute_create_raw(const security_context_t scon, 211 const security_context_t tcon, 212 security_class_t tclass, 213 security_context_t * newcon); 214 215/* Compute a relabeling decision and set *newcon to refer to it. 216 Caller must free via freecon. */ 217extern int security_compute_relabel(const security_context_t scon, 218 const security_context_t tcon, 219 security_class_t tclass, 220 security_context_t * newcon); 221extern int security_compute_relabel_raw(const security_context_t scon, 222 const security_context_t tcon, 223 security_class_t tclass, 224 security_context_t * newcon); 225 226/* Compute a polyinstantiation member decision and set *newcon to refer to it. 227 Caller must free via freecon. */ 228extern int security_compute_member(const security_context_t scon, 229 const security_context_t tcon, 230 security_class_t tclass, 231 security_context_t * newcon); 232extern int security_compute_member_raw(const security_context_t scon, 233 const security_context_t tcon, 234 security_class_t tclass, 235 security_context_t * newcon); 236 237/* Compute the set of reachable user contexts and set *con to refer to 238 the NULL-terminated array of contexts. Caller must free via freeconary. */ 239extern int security_compute_user(const security_context_t scon, 240 const char *username, 241 security_context_t ** con); 242extern int security_compute_user_raw(const security_context_t scon, 243 const char *username, 244 security_context_t ** con); 245 246/* Load a policy configuration. */ 247extern int security_load_policy(void *data, size_t len); 248 249/* Get the context of an initial kernel security identifier by name. 250 Caller must free via freecon */ 251extern int security_get_initial_context(const char *name, 252 security_context_t * con); 253extern int security_get_initial_context_raw(const char *name, 254 security_context_t * con); 255 256/* 257 * Make a policy image and load it. 258 * This function provides a higher level interface for loading policy 259 * than security_load_policy, internally determining the right policy 260 * version, locating and opening the policy file, mapping it into memory, 261 * manipulating it as needed for current boolean settings and/or local 262 * definitions, and then calling security_load_policy to load it. 263 * 264 * 'preservebools' is a boolean flag indicating whether current 265 * policy boolean values should be preserved into the new policy (if 1) 266 * or reset to the saved policy settings (if 0). The former case is the 267 * default for policy reloads, while the latter case is an option for policy 268 * reloads but is primarily for the initial policy load. 269 */ 270extern int selinux_mkload_policy(int preservebools); 271 272/* 273 * Perform the initial policy load. 274 * This function determines the desired enforcing mode, sets the 275 * the *enforce argument accordingly for the caller to use, sets the 276 * SELinux kernel enforcing status to match it, and loads the policy. 277 * It also internally handles the initial selinuxfs mount required to 278 * perform these actions. 279 * 280 * The function returns 0 if everything including the policy load succeeds. 281 * In this case, init is expected to re-exec itself in order to transition 282 * to the proper security context. 283 * Otherwise, the function returns -1, and init must check *enforce to 284 * determine how to proceed. If enforcing (*enforce > 0), then init should 285 * halt the system. Otherwise, init may proceed normally without a re-exec. 286 */ 287extern int selinux_init_load_policy(int *enforce); 288 289/* Translate boolean strict to name value pair. */ 290typedef struct { 291 char *name; 292 int value; 293} SELboolean; 294/* save a list of booleans in a single transaction. */ 295extern int security_set_boolean_list(size_t boolcnt, 296 SELboolean * boollist, int permanent); 297 298/* Load policy boolean settings. 299 Path may be NULL, in which case the booleans are loaded from 300 the active policy boolean configuration file. */ 301extern int security_load_booleans(char *path); 302 303/* Check the validity of a security context. */ 304extern int security_check_context(const security_context_t con); 305extern int security_check_context_raw(const security_context_t con); 306 307/* Canonicalize a security context. */ 308extern int security_canonicalize_context(const security_context_t con, 309 security_context_t * canoncon); 310extern int security_canonicalize_context_raw(const security_context_t con, 311 security_context_t * canoncon); 312 313/* Get the enforce flag value. */ 314extern int security_getenforce(void); 315 316/* Set the enforce flag value. */ 317extern int security_setenforce(int value); 318 319/* Get the behavior for undefined classes/permissions */ 320extern int security_deny_unknown(void); 321 322/* Disable SELinux at runtime (must be done prior to initial policy load). */ 323extern int security_disable(void); 324 325/* Get the policy version number. */ 326extern int security_policyvers(void); 327 328/* Get the boolean names */ 329extern int security_get_boolean_names(char ***names, int *len); 330 331/* Get the pending value for the boolean */ 332extern int security_get_boolean_pending(const char *name); 333 334/* Get the active value for the boolean */ 335extern int security_get_boolean_active(const char *name); 336 337/* Set the pending value for the boolean */ 338extern int security_set_boolean(const char *name, int value); 339 340/* Commit the pending values for the booleans */ 341extern int security_commit_booleans(void); 342 343/* Userspace class mapping support */ 344struct security_class_mapping { 345 const char *name; 346 const char *perms[sizeof(access_vector_t) * 8 + 1]; 347}; 348 349extern int selinux_set_mapping(struct security_class_mapping *map); 350 351/* Common helpers */ 352 353/* Convert between security class values and string names */ 354extern security_class_t string_to_security_class(const char *name); 355extern const char *security_class_to_string(security_class_t cls); 356 357/* Convert between individual access vector permissions and string names */ 358extern const char *security_av_perm_to_string(security_class_t tclass, 359 access_vector_t perm); 360extern access_vector_t string_to_av_perm(security_class_t tclass, 361 const char *name); 362 363/* Returns an access vector in a string representation. User must free the 364 * returned string via free(). */ 365extern int security_av_string(security_class_t tclass, 366 access_vector_t av, char **result); 367 368/* Display an access vector in a string representation. */ 369extern void print_access_vector(security_class_t tclass, access_vector_t av); 370 371/* Set the function used by matchpathcon_init when displaying 372 errors about the file_contexts configuration. If not set, 373 then this defaults to fprintf(stderr, fmt, ...). */ 374extern void set_matchpathcon_printf(void (*f) (const char *fmt, ...)); 375 376/* Set the function used by matchpathcon_init when checking the 377 validity of a context in the file contexts configuration. If not set, 378 then this defaults to a test based on security_check_context(). 379 The function is also responsible for reporting any such error, and 380 may include the 'path' and 'lineno' in such error messages. */ 381extern void set_matchpathcon_invalidcon(int (*f) (const char *path, 382 unsigned lineno, 383 char *context)); 384 385/* Same as above, but also allows canonicalization of the context, 386 by changing *context to refer to the canonical form. If not set, 387 and invalidcon is also not set, then this defaults to calling 388 security_canonicalize_context(). */ 389extern void set_matchpathcon_canoncon(int (*f) (const char *path, 390 unsigned lineno, 391 char **context)); 392 393/* Set flags controlling operation of matchpathcon_init or matchpathcon. */ 394#define MATCHPATHCON_BASEONLY 1 /* Only process the base file_contexts file. */ 395#define MATCHPATHCON_NOTRANS 2 /* Do not perform any context translation. */ 396#define MATCHPATHCON_VALIDATE 4 /* Validate/canonicalize contexts at init time. */ 397extern void set_matchpathcon_flags(unsigned int flags); 398 399/* Load the file contexts configuration specified by 'path' 400 into memory for use by subsequent matchpathcon calls. 401 If 'path' is NULL, then load the active file contexts configuration, 402 i.e. the path returned by selinux_file_context_path(). 403 Unless the MATCHPATHCON_BASEONLY flag has been set, this 404 function also checks for a 'path'.homedirs file and 405 a 'path'.local file and loads additional specifications 406 from them if present. */ 407extern int matchpathcon_init(const char *path); 408 409/* Same as matchpathcon_init, but only load entries with 410 regexes that have stems that are prefixes of 'prefix'. */ 411extern int matchpathcon_init_prefix(const char *path, const char *prefix); 412 413/* Free the memory allocated by matchpathcon_init. */ 414extern void matchpathcon_fini(void); 415 416/* Match the specified pathname and mode against the file contexts 417 configuration and set *con to refer to the resulting context. 418 'mode' can be 0 to disable mode matching. 419 Caller must free via freecon. 420 If matchpathcon_init has not already been called, then this function 421 will call it upon its first invocation with a NULL path. */ 422extern int matchpathcon(const char *path, 423 mode_t mode, security_context_t * con); 424 425/* Same as above, but return a specification index for 426 later use in a matchpathcon_filespec_add() call - see below. */ 427extern int matchpathcon_index(const char *path, 428 mode_t mode, security_context_t * con); 429 430/* Maintain an association between an inode and a specification index, 431 and check whether a conflicting specification is already associated 432 with the same inode (e.g. due to multiple hard links). If so, then 433 use the latter of the two specifications based on their order in the 434 file contexts configuration. Return the used specification index. */ 435extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file); 436 437/* Destroy any inode associations that have been added, e.g. to restart 438 for a new filesystem. */ 439extern void matchpathcon_filespec_destroy(void); 440 441/* Display statistics on the hash table usage for the associations. */ 442extern void matchpathcon_filespec_eval(void); 443 444/* Check to see whether any specifications had no matches and report them. 445 The 'str' is used as a prefix for any warning messages. */ 446extern void matchpathcon_checkmatches(char *str); 447 448/* Match the specified media and against the media contexts 449 configuration and set *con to refer to the resulting context. 450 Caller must free con via freecon. */ 451extern int matchmediacon(const char *media, security_context_t * con); 452 453/* 454 selinux_getenforcemode reads the /etc/selinux/config file and determines 455 whether the machine should be started in enforcing (1), permissive (0) or 456 disabled (-1) mode. 457 */ 458extern int selinux_getenforcemode(int *enforce); 459 460/* 461 selinux_getpolicytype reads the /etc/selinux/config file and determines 462 what the default policy for the machine is. Calling application must 463 free policytype. 464 */ 465extern int selinux_getpolicytype(char **policytype); 466 467/* 468 selinux_policy_root reads the /etc/selinux/config file and returns 469 the directory path under which the compiled policy file and context 470 configuration files exist. 471 */ 472extern const char *selinux_policy_root(void); 473 474/* These functions return the paths to specific files under the 475 policy root directory. */ 476extern const char *selinux_binary_policy_path(void); 477extern const char *selinux_failsafe_context_path(void); 478extern const char *selinux_removable_context_path(void); 479extern const char *selinux_default_context_path(void); 480extern const char *selinux_user_contexts_path(void); 481extern const char *selinux_file_context_path(void); 482extern const char *selinux_file_context_homedir_path(void); 483extern const char *selinux_file_context_local_path(void); 484extern const char *selinux_file_context_subs_path(void); 485extern const char *selinux_file_context_subs_dist_path(void); 486extern const char *selinux_homedir_context_path(void); 487extern const char *selinux_media_context_path(void); 488extern const char *selinux_virtual_domain_context_path(void); 489extern const char *selinux_virtual_image_context_path(void); 490extern const char *selinux_x_context_path(void); 491extern const char *selinux_sepgsql_context_path(void); 492extern const char *selinux_contexts_path(void); 493extern const char *selinux_securetty_types_path(void); 494extern const char *selinux_booleans_path(void); 495extern const char *selinux_customizable_types_path(void); 496extern const char *selinux_users_path(void); 497extern const char *selinux_usersconf_path(void); 498extern const char *selinux_translations_path(void); 499extern const char *selinux_colors_path(void); 500extern const char *selinux_netfilter_context_path(void); 501extern const char *selinux_path(void); 502 503/** 504 * selinux_check_access - Check permissions and perform appropriate auditing. 505 * @scon: source security context 506 * @tcon: target security context 507 * @tclass: target security class string 508 * @perm: requested permissions string, interpreted based on @tclass 509 * @auditdata: auxiliary audit data 510 * 511 * Check the AVC to determine whether the @perm permissions are granted 512 * for the SID pair (@scon, @tcon), interpreting the permissions 513 * based on @tclass. 514 * Return %0 if all @perm permissions are granted, -%1 with 515 * @errno set to %EACCES if any permissions are denied or to another 516 * value upon other errors. 517 * If auditing or logging is configured the appropriate callbacks will be called 518 * and passed the auditdata field 519 */ 520extern int selinux_check_access(const security_context_t scon, const security_context_t tcon, const char *tclass, const char *perm, void *auditdata); 521 522/* Check a permission in the passwd class. 523 Return 0 if granted or -1 otherwise. */ 524extern int selinux_check_passwd_access(access_vector_t requested); 525extern int checkPasswdAccess(access_vector_t requested); 526 527/* Check if the tty_context is defined as a securetty 528 Return 0 if secure, < 0 otherwise. */ 529extern int selinux_check_securetty_context(const security_context_t tty_context); 530 531/* Set the path to the selinuxfs mount point explicitly. 532 Normally, this is determined automatically during libselinux 533 initialization, but this is not always possible, e.g. for /sbin/init 534 which performs the initial mount of selinuxfs. */ 535void set_selinuxmnt(char *mnt); 536 537/* Check if selinuxfs exists as a kernel filesystem */ 538int selinuxfs_exists(void); 539 540/* clear selinuxmnt variable and free allocated memory */ 541void fini_selinuxmnt(void); 542 543/* Execute a helper for rpm in an appropriate security context. */ 544extern int rpm_execcon(unsigned int verified, 545 const char *filename, 546 char *const argv[], char *const envp[]); 547 548/* Returns whether a file context is customizable, and should not 549 be relabeled . */ 550extern int is_context_customizable(const security_context_t scontext); 551 552/* Perform context translation between the human-readable format 553 ("translated") and the internal system format ("raw"). 554 Caller must free the resulting context via freecon. 555 Returns -1 upon an error or 0 otherwise. 556 If passed NULL, sets the returned context to NULL and returns 0. */ 557extern int selinux_trans_to_raw_context(const security_context_t trans, 558 security_context_t * rawp); 559extern int selinux_raw_to_trans_context(const security_context_t raw, 560 security_context_t * transp); 561 562/* Perform context translation between security contexts 563 and display colors. Returns a space-separated list of ten 564 ten hex RGB triples prefixed by hash marks, e.g. "#ff0000". 565 Caller must free the resulting string via free. 566 Returns -1 upon an error or 0 otherwise. */ 567extern int selinux_raw_context_to_color(const security_context_t raw, 568 char **color_str); 569 570/* Get the SELinux username and level to use for a given Linux username. 571 These values may then be passed into the get_ordered_context_list* 572 and get_default_context* functions to obtain a context for the user. 573 Returns 0 on success or -1 otherwise. 574 Caller must free the returned strings via free. */ 575extern int getseuserbyname(const char *linuxuser, char **seuser, char **level); 576 577/* Get the SELinux username and level to use for a given Linux username and service. 578 These values may then be passed into the get_ordered_context_list* 579 and get_default_context* functions to obtain a context for the user. 580 Returns 0 on success or -1 otherwise. 581 Caller must free the returned strings via free. */ 582extern int getseuser(const char *username, const char *service, 583 char **r_seuser, char **r_level); 584 585/* Compare two file contexts, return 0 if equivalent. */ 586extern int selinux_file_context_cmp(const security_context_t a, 587 const security_context_t b); 588 589/* 590 * Verify the context of the file 'path' against policy. 591 * Return 1 if match, 0 if not and -1 on error. 592 */ 593extern int selinux_file_context_verify(const char *path, mode_t mode); 594 595/* This function sets the file context on to the system defaults returns 0 on success */ 596extern int selinux_lsetfilecon_default(const char *path); 597 598/* 599 * Force a reset of the loaded configuration 600 * WARNING: This is not thread safe. Be very sure that no other threads 601 * are calling into libselinux when this is called. 602 */ 603extern void selinux_reset_config(void); 604 605#ifdef __cplusplus 606} 607#endif 608#endif 609