selinux.h revision 13cd4c8960688af11ad23b4c946149015c80d549 
1#ifndef _SELINUX_H_
2#define _SELINUX_H_
3
4#include <sys/types.h>
5#include <stdarg.h>
6
7#ifdef __cplusplus
8extern "C" {
9#endif
10
11/* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 if we get an error. */
12extern int is_selinux_enabled(void);
13/* Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. */
14extern int is_selinux_mls_enabled(void);
15
16typedef char *security_context_t;
17
18/* Free the memory allocated for a context by any of the below get* calls. */
19extern void freecon(security_context_t con);
20
21/* Free the memory allocated for a context array by security_compute_user. */
22extern void freeconary(security_context_t * con);
23
24/* Wrappers for the /proc/pid/attr API. */
25
26/* Get current context, and set *con to refer to it.
27   Caller must free via freecon. */
28extern int getcon(security_context_t * con);
29extern int getcon_raw(security_context_t * con);
30
31/* Set the current security context to con.
32   Note that use of this function requires that the entire application
33   be trusted to maintain any desired separation between the old and new
34   security contexts, unlike exec-based transitions performed via setexeccon.
35   When possible, decompose your application and use setexeccon()+execve()
36   instead. Note that the application may lose access to its open descriptors
37   as a result of a setcon() unless policy allows it to use descriptors opened
38   by the old context. */
39extern int setcon(security_context_t con);
40extern int setcon_raw(security_context_t con);
41
42/* Get context of process identified by pid, and
43   set *con to refer to it.  Caller must free via freecon. */
44extern int getpidcon(pid_t pid, security_context_t * con);
45extern int getpidcon_raw(pid_t pid, security_context_t * con);
46
47/* Get previous context (prior to last exec), and set *con to refer to it.
48   Caller must free via freecon. */
49extern int getprevcon(security_context_t * con);
50extern int getprevcon_raw(security_context_t * con);
51
52/* Get exec context, and set *con to refer to it.
53   Sets *con to NULL if no exec context has been set, i.e. using default.
54   If non-NULL, caller must free via freecon. */
55extern int getexeccon(security_context_t * con);
56extern int getexeccon_raw(security_context_t * con);
57
58/* Set exec security context for the next execve.
59   Call with NULL if you want to reset to the default. */
60extern int setexeccon(security_context_t con);
61extern int setexeccon_raw(security_context_t con);
62
63/* Get fscreate context, and set *con to refer to it.
64   Sets *con to NULL if no fs create context has been set, i.e. using default.
65   If non-NULL, caller must free via freecon. */
66extern int getfscreatecon(security_context_t * con);
67extern int getfscreatecon_raw(security_context_t * con);
68
69/* Set the fscreate security context for subsequent file creations.
70   Call with NULL if you want to reset to the default. */
71extern int setfscreatecon(security_context_t context);
72extern int setfscreatecon_raw(security_context_t context);
73
74/* Get keycreate context, and set *con to refer to it.
75   Sets *con to NULL if no key create context has been set, i.e. using default.
76   If non-NULL, caller must free via freecon. */
77extern int getkeycreatecon(security_context_t * con);
78extern int getkeycreatecon_raw(security_context_t * con);
79
80/* Set the keycreate security context for subsequent key creations.
81   Call with NULL if you want to reset to the default. */
82extern int setkeycreatecon(security_context_t context);
83extern int setkeycreatecon_raw(security_context_t context);
84
85/* Get sockcreate context, and set *con to refer to it.
86   Sets *con to NULL if no socket create context has been set, i.e. using default.
87   If non-NULL, caller must free via freecon. */
88extern int getsockcreatecon(security_context_t * con);
89extern int getsockcreatecon_raw(security_context_t * con);
90
91/* Set the sockcreate security context for subsequent socket creations.
92   Call with NULL if you want to reset to the default. */
93extern int setsockcreatecon(security_context_t context);
94extern int setsockcreatecon_raw(security_context_t context);
95
96/* Wrappers for the xattr API. */
97
98/* Get file context, and set *con to refer to it.
99   Caller must free via freecon. */
100extern int getfilecon(const char *path, security_context_t * con);
101extern int getfilecon_raw(const char *path, security_context_t * con);
102extern int lgetfilecon(const char *path, security_context_t * con);
103extern int lgetfilecon_raw(const char *path, security_context_t * con);
104extern int fgetfilecon(int fd, security_context_t * con);
105extern int fgetfilecon_raw(int fd, security_context_t * con);
106
107/* Set file context */
108extern int setfilecon(const char *path, security_context_t con);
109extern int setfilecon_raw(const char *path, security_context_t con);
110extern int lsetfilecon(const char *path, security_context_t con);
111extern int lsetfilecon_raw(const char *path, security_context_t con);
112extern int fsetfilecon(int fd, security_context_t con);
113extern int fsetfilecon_raw(int fd, security_context_t con);
114
115/* Wrappers for the socket API */
116
117/* Get context of peer socket, and set *con to refer to it.
118   Caller must free via freecon. */
119extern int getpeercon(int fd, security_context_t * con);
120extern int getpeercon_raw(int fd, security_context_t * con);
121
122/* Wrappers for the selinuxfs (policy) API. */
123
124typedef unsigned int access_vector_t;
125typedef unsigned short security_class_t;
126
127struct av_decision {
128	access_vector_t allowed;
129	access_vector_t decided;
130	access_vector_t auditallow;
131	access_vector_t auditdeny;
132	unsigned int seqno;
133};
134
135/* Structure for passing options, used by AVC and label subsystems */
136struct selinux_opt {
137	int type;
138	const char *value;
139};
140
141/* Callback facilities */
142union selinux_callback {
143	/* log the printf-style format and arguments,
144	   with the type code indicating the type of message */
145	int
146#ifdef __GNUC__
147__attribute__ ((format(printf, 2, 3)))
148#endif
149	(*func_log) (int type, const char *fmt, ...);
150	/* store a string representation of auditdata (corresponding
151	   to the given security class) into msgbuf. */
152	int (*func_audit) (void *auditdata, security_class_t cls,
153			   char *msgbuf, size_t msgbufsize);
154	/* validate the supplied context, modifying if necessary */
155	int (*func_validate) (security_context_t *ctx);
156};
157
158#define SELINUX_CB_LOG		0
159#define SELINUX_CB_AUDIT	1
160#define SELINUX_CB_VALIDATE	2
161
162extern union selinux_callback selinux_get_callback(int type);
163extern void selinux_set_callback(int type, union selinux_callback cb);
164
165	/* Logging type codes, passed to the logging callback */
166#define SELINUX_ERROR	        0
167#define SELINUX_WARNING		1
168#define SELINUX_INFO		2
169#define SELINUX_AVC		3
170
171/* Compute an access decision. */
172extern int security_compute_av(security_context_t scon,
173			       security_context_t tcon,
174			       security_class_t tclass,
175			       access_vector_t requested,
176			       struct av_decision *avd);
177extern int security_compute_av_raw(security_context_t scon,
178				   security_context_t tcon,
179				   security_class_t tclass,
180				   access_vector_t requested,
181				   struct av_decision *avd);
182
183/* Compute a labeling decision and set *newcon to refer to it.
184   Caller must free via freecon. */
185extern int security_compute_create(security_context_t scon,
186				   security_context_t tcon,
187				   security_class_t tclass,
188				   security_context_t * newcon);
189extern int security_compute_create_raw(security_context_t scon,
190				       security_context_t tcon,
191				       security_class_t tclass,
192				       security_context_t * newcon);
193
194/* Compute a relabeling decision and set *newcon to refer to it.
195   Caller must free via freecon. */
196extern int security_compute_relabel(security_context_t scon,
197				    security_context_t tcon,
198				    security_class_t tclass,
199				    security_context_t * newcon);
200extern int security_compute_relabel_raw(security_context_t scon,
201					security_context_t tcon,
202					security_class_t tclass,
203					security_context_t * newcon);
204
205/* Compute a polyinstantiation member decision and set *newcon to refer to it.
206   Caller must free via freecon. */
207extern int security_compute_member(security_context_t scon,
208				   security_context_t tcon,
209				   security_class_t tclass,
210				   security_context_t * newcon);
211extern int security_compute_member_raw(security_context_t scon,
212				       security_context_t tcon,
213				       security_class_t tclass,
214				       security_context_t * newcon);
215
216/* Compute the set of reachable user contexts and set *con to refer to
217   the NULL-terminated array of contexts.  Caller must free via freeconary. */
218extern int security_compute_user(security_context_t scon,
219				 const char *username,
220				 security_context_t ** con);
221extern int security_compute_user_raw(security_context_t scon,
222				     const char *username,
223				     security_context_t ** con);
224
225/* Load a policy configuration. */
226extern int security_load_policy(void *data, size_t len);
227
228/* Get the context of an initial kernel security identifier by name.
229   Caller must free via freecon */
230extern int security_get_initial_context(const char *name,
231					security_context_t * con);
232extern int security_get_initial_context_raw(const char *name,
233					    security_context_t * con);
234
235/*
236 * Make a policy image and load it.
237 * This function provides a higher level interface for loading policy
238 * than security_load_policy, internally determining the right policy
239 * version, locating and opening the policy file, mapping it into memory,
240 * manipulating it as needed for current boolean settings and/or local
241 * definitions, and then calling security_load_policy to load it.
242 *
243 * 'preservebools' is a boolean flag indicating whether current
244 * policy boolean values should be preserved into the new policy (if 1)
245 * or reset to the saved policy settings (if 0).  The former case is the
246 * default for policy reloads, while the latter case is an option for policy
247 * reloads but is primarily for the initial policy load.
248 */
249extern int selinux_mkload_policy(int preservebools);
250
251/*
252 * Perform the initial policy load.
253 * This function determines the desired enforcing mode, sets the
254 * the *enforce argument accordingly for the caller to use, sets the
255 * SELinux kernel enforcing status to match it, and loads the policy.
256 * It also internally handles the initial selinuxfs mount required to
257 * perform these actions.
258 *
259 * The function returns 0 if everything including the policy load succeeds.
260 * In this case, init is expected to re-exec itself in order to transition
261 * to the proper security context.
262 * Otherwise, the function returns -1, and init must check *enforce to
263 * determine how to proceed.  If enforcing (*enforce > 0), then init should
264 * halt the system.  Otherwise, init may proceed normally without a re-exec.
265 */
266extern int selinux_init_load_policy(int *enforce);
267
268/* Translate boolean strict to name value pair. */
269typedef struct {
270	char *name;
271	int value;
272} SELboolean;
273/* save a list of booleans in a single transaction.  */
274extern int security_set_boolean_list(size_t boolcnt,
275				     SELboolean * boollist, int permanent);
276
277/* Load policy boolean settings.
278   Path may be NULL, in which case the booleans are loaded from
279   the active policy boolean configuration file. */
280extern int security_load_booleans(char *path);
281
282/* Check the validity of a security context. */
283extern int security_check_context(security_context_t con);
284extern int security_check_context_raw(security_context_t con);
285
286/* Canonicalize a security context. */
287extern int security_canonicalize_context(security_context_t con,
288					 security_context_t * canoncon);
289extern int security_canonicalize_context_raw(security_context_t con,
290					     security_context_t * canoncon);
291
292/* Get the enforce flag value. */
293extern int security_getenforce(void);
294
295/* Set the enforce flag value. */
296extern int security_setenforce(int value);
297
298/* Disable SELinux at runtime (must be done prior to initial policy load). */
299extern int security_disable(void);
300
301/* Get the policy version number. */
302extern int security_policyvers(void);
303
304/* Get the boolean names */
305extern int security_get_boolean_names(char ***names, int *len);
306
307/* Get the pending value for the boolean */
308extern int security_get_boolean_pending(const char *name);
309
310/* Get the active value for the boolean */
311extern int security_get_boolean_active(const char *name);
312
313/* Set the pending value for the boolean */
314extern int security_set_boolean(const char *name, int value);
315
316/* Commit the pending values for the booleans */
317extern int security_commit_booleans(void);
318
319/* Userspace class mapping support */
320struct security_class_mapping {
321	const char *name;
322	const char *perms[sizeof(access_vector_t) * 8 + 1];
323};
324
325int selinux_set_mapping(struct security_class_mapping *map);
326
327/* Common helpers */
328
329/* Convert between security class values and string names */
330extern security_class_t string_to_security_class(const char *name);
331extern const char *security_class_to_string(security_class_t cls);
332
333/* Convert between individual access vector permissions and string names */
334extern const char *security_av_perm_to_string(security_class_t tclass,
335					      access_vector_t perm);
336extern access_vector_t string_to_av_perm(security_class_t tclass,
337					 const char *name);
338
339/* Returns an access vector in a string representation.  User must free the
340 * returned string via free(). */
341extern int security_av_string(security_class_t tclass,
342			      access_vector_t av, char **result);
343
344/* Display an access vector in a string representation. */
345extern void print_access_vector(security_class_t tclass, access_vector_t av);
346
347/* Set the function used by matchpathcon_init when displaying
348   errors about the file_contexts configuration.  If not set,
349   then this defaults to fprintf(stderr, fmt, ...). */
350extern void set_matchpathcon_printf(void (*f) (const char *fmt, ...));
351
352/* Set the function used by matchpathcon_init when checking the
353   validity of a context in the file contexts configuration.  If not set,
354   then this defaults to a test based on security_check_context().
355   The function is also responsible for reporting any such error, and
356   may include the 'path' and 'lineno' in such error messages. */
357extern void set_matchpathcon_invalidcon(int (*f) (const char *path,
358						  unsigned lineno,
359						  char *context));
360
361/* Same as above, but also allows canonicalization of the context,
362   by changing *context to refer to the canonical form.  If not set,
363   and invalidcon is also not set, then this defaults to calling
364   security_canonicalize_context(). */
365extern void set_matchpathcon_canoncon(int (*f) (const char *path,
366						unsigned lineno,
367						char **context));
368
369/* Set flags controlling operation of matchpathcon_init or matchpathcon. */
370#define MATCHPATHCON_BASEONLY 1	/* Only process the base file_contexts file. */
371#define MATCHPATHCON_NOTRANS  2	/* Do not perform any context translation. */
372#define MATCHPATHCON_VALIDATE 4	/* Validate/canonicalize contexts at init time. */
373extern void set_matchpathcon_flags(unsigned int flags);
374
375/* Load the file contexts configuration specified by 'path'
376   into memory for use by subsequent matchpathcon calls.
377   If 'path' is NULL, then load the active file contexts configuration,
378   i.e. the path returned by selinux_file_context_path().
379   Unless the MATCHPATHCON_BASEONLY flag has been set, this
380   function also checks for a 'path'.homedirs file and
381   a 'path'.local file and loads additional specifications
382   from them if present. */
383extern int matchpathcon_init(const char *path);
384
385/* Same as matchpathcon_init, but only load entries with
386   regexes that have stems that are prefixes of 'prefix'. */
387extern int matchpathcon_init_prefix(const char *path, const char *prefix);
388
389/* Free the memory allocated by matchpathcon_init. */
390extern void matchpathcon_fini(void);
391
392/* Match the specified pathname and mode against the file contexts
393   configuration and set *con to refer to the resulting context.
394   'mode' can be 0 to disable mode matching.
395   Caller must free via freecon.
396   If matchpathcon_init has not already been called, then this function
397   will call it upon its first invocation with a NULL path. */
398extern int matchpathcon(const char *path,
399			mode_t mode, security_context_t * con);
400
401/* Same as above, but return a specification index for
402   later use in a matchpathcon_filespec_add() call - see below. */
403extern int matchpathcon_index(const char *path,
404			      mode_t mode, security_context_t * con);
405
406/* Maintain an association between an inode and a specification index,
407   and check whether a conflicting specification is already associated
408   with the same inode (e.g. due to multiple hard links).  If so, then
409   use the latter of the two specifications based on their order in the
410   file contexts configuration.  Return the used specification index. */
411extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file);
412
413/* Destroy any inode associations that have been added, e.g. to restart
414   for a new filesystem. */
415extern void matchpathcon_filespec_destroy(void);
416
417/* Display statistics on the hash table usage for the associations. */
418extern void matchpathcon_filespec_eval(void);
419
420/* Check to see whether any specifications had no matches and report them.
421   The 'str' is used as a prefix for any warning messages. */
422extern void matchpathcon_checkmatches(char *str);
423
424/* Match the specified media and against the media contexts
425   configuration and set *con to refer to the resulting context.
426   Caller must free con via freecon. */
427extern int matchmediacon(const char *media, security_context_t * con);
428
429/*
430  selinux_getenforcemode reads the /etc/selinux/config file and determines
431  whether the machine should be started in enforcing (1), permissive (0) or
432  disabled (-1) mode.
433 */
434extern int selinux_getenforcemode(int *enforce);
435
436/*
437  selinux_getpolicytype reads the /etc/selinux/config file and determines
438  what the default policy for the machine is.  Calling application must
439  free policytype.
440 */
441extern int selinux_getpolicytype(char **policytype);
442
443/*
444  selinux_policy_root reads the /etc/selinux/config file and returns
445  the directory path under which the compiled policy file and context
446  configuration files exist.
447 */
448extern const char *selinux_policy_root(void);
449
450/* These functions return the paths to specific files under the
451   policy root directory. */
452extern const char *selinux_binary_policy_path(void);
453extern const char *selinux_failsafe_context_path(void);
454extern const char *selinux_removable_context_path(void);
455extern const char *selinux_default_context_path(void);
456extern const char *selinux_user_contexts_path(void);
457extern const char *selinux_file_context_path(void);
458extern const char *selinux_file_context_homedir_path(void);
459extern const char *selinux_file_context_local_path(void);
460extern const char *selinux_homedir_context_path(void);
461extern const char *selinux_media_context_path(void);
462extern const char *selinux_x_context_path(void);
463extern const char *selinux_contexts_path(void);
464extern const char *selinux_securetty_types_path(void);
465extern const char *selinux_booleans_path(void);
466extern const char *selinux_customizable_types_path(void);
467extern const char *selinux_users_path(void);
468extern const char *selinux_usersconf_path(void);
469extern const char *selinux_translations_path(void);
470extern const char *selinux_netfilter_context_path(void);
471extern const char *selinux_path(void);
472
473/* Check a permission in the passwd class.
474   Return 0 if granted or -1 otherwise. */
475extern int selinux_check_passwd_access(access_vector_t requested);
476extern int checkPasswdAccess(access_vector_t requested);
477
478/* Check if the tty_context is defined as a securetty
479   Return 0 if secure, < 0 otherwise. */
480extern int selinux_check_securetty_context(security_context_t tty_context);
481
482/* Set the path to the selinuxfs mount point explicitly.
483   Normally, this is determined automatically during libselinux
484   initialization, but this is not always possible, e.g. for /sbin/init
485   which performs the initial mount of selinuxfs. */
486void set_selinuxmnt(char *mnt);
487
488/* Execute a helper for rpm in an appropriate security context. */
489extern int rpm_execcon(unsigned int verified,
490		       const char *filename,
491		       char *const argv[], char *const envp[]);
492
493/* Returns whether a file context is customizable, and should not
494   be relabeled . */
495extern int is_context_customizable(security_context_t scontext);
496
497/* Perform context translation between the human-readable format
498   ("translated") and the internal system format ("raw").
499   Caller must free the resulting context via freecon.
500   Returns -1 upon an error or 0 otherwise.
501   If passed NULL, sets the returned context to NULL and returns 0. */
502extern int selinux_trans_to_raw_context(security_context_t trans,
503					security_context_t * rawp);
504extern int selinux_raw_to_trans_context(security_context_t raw,
505					security_context_t * transp);
506
507/* Get the SELinux username and level to use for a given Linux username.
508   These values may then be passed into the get_ordered_context_list*
509   and get_default_context* functions to obtain a context for the user.
510   Returns 0 on success or -1 otherwise.
511   Caller must free the returned strings via free. */
512extern int getseuserbyname(const char *linuxuser, char **seuser, char **level);
513
514/* Compare two file contexts, return 0 if equivalent. */
515int selinux_file_context_cmp(const security_context_t a,
516			     const security_context_t b);
517
518/*
519 * Verify the context of the file 'path' against policy.
520 * Return 0 if correct.
521 */
522int selinux_file_context_verify(const char *path, mode_t mode);
523
524/* This function sets the file context on to the system defaults returns 0 on success */
525int selinux_lsetfilecon_default(const char *path);
526
527#ifdef __cplusplus
528}
529#endif
530#endif
531