/*
 * Labeling interface for userspace object managers and others.
 *
 * Author : Eamon Walsh <ewalsh@tycho.nsa.gov>
 */
#ifndef _SELABEL_H_
#define _SELABEL_H_

#include <stdbool.h>
#include <sys/types.h>
#include <selinux/selinux.h>

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Opaque type used for all label handles.
 *
 * The layout is private to the library; callers only ever hold a pointer
 * obtained from selabel_open() and release it with selabel_close().
 */

struct selabel_handle;

/*
 * Available backends.
 *
 * One of these is passed as the @backend argument of selabel_open().
 */

/* file contexts */
#define SELABEL_CTX_FILE 0
/* media contexts */
#define SELABEL_CTX_MEDIA 1
/* x contexts */
#define SELABEL_CTX_X 2
/* db objects */
#define SELABEL_CTX_DB 3
/* Android property service contexts */
#define SELABEL_CTX_ANDROID_PROP 4

/*
 * Available options
 *
 * These identify the entries of the @opts array given to selabel_open()
 * (see struct selinux_opt in <selinux/selinux.h>).  Not every backend
 * honours every option.
 */

/* no-op option, useful for unused slots in an array of options */
#define SELABEL_OPT_UNUSED 0
/* validate contexts before returning them (boolean value); leave it unset
 * only if the caller validates every returned context itself */
#define SELABEL_OPT_VALIDATE 1
/* don't use local customizations to backend data (boolean value) */
#define SELABEL_OPT_BASEONLY 2
/* specify an alternate path to use when loading backend data; the data at
 * that path is trusted as labeling policy, so it must not be writable by
 * less-privileged users */
#define SELABEL_OPT_PATH 3
/* select a subset of the search space as an optimization (file backend) */
#define SELABEL_OPT_SUBSET 4
/* require a hash calculation on spec files; the hash is SHA1 (see
 * selabel_digest() below), which is not collision-resistant, so treat it as
 * a change-detection checksum rather than an integrity proof of the files */
#define SELABEL_OPT_DIGEST 5
/* total number of options */
#define SELABEL_NOPT 6

/*
 * Label operations
 */

/**
 * selabel_open - Create a labeling handle.
 * @backend: one of the SELABEL_CTX_* constants specifying a supported
 *           labeling backend.
 * @opts: array of selinux_opt structures specifying label options or NULL.
 * @nopts: number of elements in opts array or zero for no options.
 *
 * Open a labeling backend for use. The available backend identifiers are
 * listed above. Options may be provided via the opts parameter; available
 * options are listed above. Not all options may be supported by every
 * backend.
 *
 * Return value is the created handle on success or NULL with @errno set on
 * failure. The caller owns the handle and must release it with
 * selabel_close().
 */
struct selabel_handle *selabel_open(unsigned int backend,
				    const struct selinux_opt *opts,
				    unsigned nopts);

/**
 * selabel_close - Close a labeling handle.
 * @handle: specifies handle to close
 *
 * Destroy the specified handle, closing files, freeing allocated memory,
 * etc. The handle may not be further used after it has been closed;
 * using it again, or closing it twice, is a use-after-free.
 */
void selabel_close(struct selabel_handle *handle);

/**
 * selabel_lookup - Perform labeling lookup operation.
 * @handle: specifies backend instance to query
 * @con: returns the appropriate context with which to label the object
 * @key: string input to lookup operation
 * @type: numeric input to the lookup operation
 *
 * Perform a labeling lookup operation. Return %0 on success, -%1 with
 * @errno set on failure. The key and type arguments are the inputs to the
 * lookup operation; appropriate values are dictated by the backend in use
 * (the SELABEL_X_* and SELABEL_DB_* codes below are the @type values for
 * the X and DB backends). The result is returned in the memory pointed to
 * by @con and must be freed by the user with freecon(). Unless
 * SELABEL_OPT_VALIDATE was set at selabel_open(), the returned context is
 * not checked before being handed back.
 *
 * selabel_lookup_raw() takes the same arguments; following the *_raw
 * convention of <selinux/selinux.h> it presumably returns the context in
 * its untranslated form — confirm against the backend before relying on it.
 */
int selabel_lookup(struct selabel_handle *handle, char **con,
		   const char *key, int type);
int selabel_lookup_raw(struct selabel_handle *handle, char **con,
		       const char *key, int type);

/**
 * selabel_partial_match - Test whether a key partially matches the backend data.
 * @handle: specifies backend instance to query
 * @key: string input, as for selabel_lookup()
 *
 * Return true when the backend reports a partial match for @key, false
 * otherwise. What constitutes a partial match is backend-specific and is
 * not stated in this header; no context is returned.
 */
bool selabel_partial_match(struct selabel_handle *handle, const char *key);

/**
 * selabel_lookup_best_match - Lookup with alternative keys.
 * @rec: specifies backend instance to query
 * @con: returns the appropriate context with which to label the object;
 *       must be freed by the user with freecon() (as for selabel_lookup())
 * @key: primary string input to the lookup operation
 * @aliases: alternative keys to consider alongside @key; presumably a
 *           NULL-terminated array — confirm against the backend
 * @type: numeric input to the lookup operation
 *
 * Like selabel_lookup(), but the backend may choose the best match among
 * @key and @aliases. Return %0 on success, -%1 with @errno set on failure.
 * selabel_lookup_best_match_raw() is the *_raw counterpart, see
 * selabel_lookup_raw().
 */
int selabel_lookup_best_match(struct selabel_handle *rec, char **con,
			      const char *key, const char **aliases, int type);
int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,
				  const char *key, const char **aliases, int type);

/**
 * selabel_digest - Retrieve the SHA1 digest and the list of specfiles used to
 *		    generate the digest. The SELABEL_OPT_DIGEST option must
 *		    be set in selabel_open() to initiate the digest generation.
 * @rec: specifies backend instance to query
 * @digest: returns a pointer to the SHA1 digest.
 * @digest_len: returns length of digest in bytes.
 * @specfiles: a list of specfiles used in the SHA1 digest generation.
 *	       The list is NULL terminated and will hold @num_specfiles entries.
 * @num_specfiles: number of specfiles in the list.
 *
 * Return %0 on success, -%1 with @errno set on failure.
 *
 * Ownership of the @digest and @specfiles storage is not stated here; it
 * is presumably retained by the handle and released by selabel_close(), so
 * the caller should not free it — confirm with the backend. SHA1 is not
 * collision-resistant: the digest detects changes to the spec files but
 * does not prove their integrity against a deliberate substitution.
 */
int selabel_digest(struct selabel_handle *rec,
			    unsigned char **digest, size_t *digest_len,
			    char ***specfiles, size_t *num_specfiles);

/* Outcome of selabel_cmp(); describes @h1 relative to @h2. */
enum selabel_cmp_result {
	SELABEL_SUBSET,
	SELABEL_EQUAL,
	SELABEL_SUPERSET,
	SELABEL_INCOMPARABLE
};

/**
 * selabel_cmp - Compare two label configurations.
 * @h1: handle for the first label configuration
 * @h2: handle for the second label configuration
 *
 * Compare two label configurations.
 * Return %SELABEL_SUBSET if @h1 is a subset of @h2, %SELABEL_EQUAL
 * if @h1 is identical to @h2, %SELABEL_SUPERSET if @h1 is a superset
 * of @h2, and %SELABEL_INCOMPARABLE if @h1 and @h2 are incomparable.
 */
enum selabel_cmp_result selabel_cmp(struct selabel_handle *h1,
				    struct selabel_handle *h2);

/**
 * selabel_stats - log labeling operation statistics.
 * @handle: specifies backend instance to query
 *
 * Log a message with information about the number of queries performed,
 * number of unused matching entries, or other operational statistics.
 * Message is backend-specific, some backends may not output a message.
 * Where the message goes (which log facility) is not specified here.
 */
void selabel_stats(struct selabel_handle *handle);

/*
 * Type codes used by specific backends
 *
 * Passed as the @type argument of the lookup functions above; the meaning
 * of a code depends on the backend the handle was opened with.
 */

/* X backend */
#define SELABEL_X_PROP 1
#define SELABEL_X_EXT 2
#define SELABEL_X_CLIENT 3
#define SELABEL_X_EVENT 4
#define SELABEL_X_SELN 5
#define SELABEL_X_POLYPROP 6
#define SELABEL_X_POLYSELN 7

/* DB backend */
#define SELABEL_DB_DATABASE 1
#define SELABEL_DB_SCHEMA 2
#define SELABEL_DB_TABLE 3
#define SELABEL_DB_COLUMN 4
#define SELABEL_DB_SEQUENCE 5
#define SELABEL_DB_VIEW 6
#define SELABEL_DB_PROCEDURE 7
#define SELABEL_DB_BLOB 8
#define SELABEL_DB_TUPLE 9
#define SELABEL_DB_LANGUAGE 10
#define SELABEL_DB_EXCEPTION 11
#define SELABEL_DB_DATATYPE 12

#ifdef __cplusplus
}
#endif
#endif /* _SELABEL_H_ */