avc_internal.h revision eee0f022e44ade05143eeee3748dd78fbd17966b
1/*
2 * This file describes the internal interface used by the AVC
3 * for calling the user-supplied memory allocation, supplemental
4 * auditing, and locking routine, as well as incrementing the
5 * statistics fields.
6 *
7 * Author : Eamon Walsh <ewalsh@epoch.ncsc.mil>
8 */
9#ifndef _SELINUX_AVC_INTERNAL_H_
10#define _SELINUX_AVC_INTERNAL_H_
11
12#include <stdio.h>
13#include <stdlib.h>
14#include <string.h>
15#include <selinux/avc.h>
16#include "callbacks.h"
17#include "dso.h"
18
19/* SID reference counter manipulation */
/*
 * Increment sid's reference count and return the new value.
 * Only a positive count is incremented; a count that is not positive
 * is written back as zero, so a zero count stays zero.
 */
static inline int sid_inc_refcnt(security_id_t sid)
{
	if (sid->refcnt > 0)
		sid->refcnt += 1;
	else
		sid->refcnt = 0;
	return sid->refcnt;
}
24
/*
 * Decrement sid's reference count and return the new value.
 * Only a positive count is decremented; a count that is not positive
 * is written back as zero, so the count never goes below zero.
 */
static inline int sid_dec_refcnt(security_id_t sid)
{
	if (sid->refcnt > 0)
		sid->refcnt -= 1;
	else
		sid->refcnt = 0;
	return sid->refcnt;
}
29
/*
 * Callback pointers.  They are filled in by set_callbacks() below and are
 * expected to hold NULL until the user installs a table.  The avc_*
 * wrappers further down test each pointer for NULL and fall back to a
 * default: malloc/free for memory, selinux_log/selinux_audit for logging,
 * and a no-op (NULL result for the creators) for the thread and lock hooks.
 */
extern void *(*avc_func_malloc) (size_t) hidden;
extern void (*avc_func_free) (void *)hidden;

extern void (*avc_func_log) (const char *, ...)hidden;
extern void (*avc_func_audit) (void *, security_class_t, char *, size_t)hidden;

/* set to 1 by set_callbacks() when a thread callback table is supplied */
extern int avc_using_threads hidden;
extern void *(*avc_func_create_thread) (void (*)(void))hidden;
extern void (*avc_func_stop_thread) (void *)hidden;

extern void *(*avc_func_alloc_lock) (void)hidden;
extern void (*avc_func_get_lock) (void *)hidden;
extern void (*avc_func_release_lock) (void *)hidden;
extern void (*avc_func_free_lock) (void *)hidden;
45
/*
 * Install the user-supplied callback tables.
 *
 * Each table pointer may be NULL, in which case that group of hooks is
 * left untouched.  A non-NULL table is copied member by member, including
 * any NULL members it contains (those then select the defaults in the
 * avc_* wrappers below).  Supplying a thread table also sets
 * avc_using_threads to 1.
 */
static inline void set_callbacks(const struct avc_memory_callback *mem_cb,
				 const struct avc_log_callback *log_cb,
				 const struct avc_thread_callback *thread_cb,
				 const struct avc_lock_callback *lock_cb)
{
	if (mem_cb != NULL) {
		avc_func_free = mem_cb->func_free;
		avc_func_malloc = mem_cb->func_malloc;
	}
	if (log_cb != NULL) {
		avc_func_audit = log_cb->func_audit;
		avc_func_log = log_cb->func_log;
	}
	if (thread_cb != NULL) {
		avc_func_create_thread = thread_cb->func_create_thread;
		avc_func_stop_thread = thread_cb->func_stop_thread;
		avc_using_threads = 1;
	}
	if (lock_cb != NULL) {
		avc_func_alloc_lock = lock_cb->func_alloc_lock;
		avc_func_free_lock = lock_cb->func_free_lock;
		avc_func_get_lock = lock_cb->func_get_lock;
		avc_func_release_lock = lock_cb->func_release_lock;
	}
}
71
/* message prefix and enforcing mode */
/* size of the avc_prefix buffer; presumably includes the terminating NUL — confirm at the writer */
#define AVC_PREFIX_SIZE 16
extern char avc_prefix[AVC_PREFIX_SIZE] hidden;
/* state flags defined in the implementing .c file (not on this page) */
extern int avc_running hidden;
extern int avc_enforcing hidden;
extern int avc_setenforce hidden;
78
79/* user-supplied callback interface for avc */
/*
 * Allocate size bytes through the user-supplied allocator when one has
 * been installed, otherwise through libc malloc().  The result is
 * whatever the selected allocator returns.
 */
static inline void *avc_malloc(size_t size)
{
	void *(*alloc)(size_t) = avc_func_malloc;

	if (alloc == NULL)
		alloc = malloc;
	return alloc(size);
}
84
/*
 * Release ptr through the user-supplied deallocator when one has been
 * installed, otherwise through libc free().  ptr is expected to have
 * come from avc_malloc() so that the two halves match.
 */
static inline void avc_free(void *ptr)
{
	void (*release)(void *) = avc_func_free;

	if (release == NULL)
		release = free;
	release(ptr);
}
92
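/*
 * this is a macro in order to use the variadic capability.
 *
 * Wrapped in do { } while (0) so that `avc_log(...);` is one statement:
 * the bare if/else form ended in a stray `;`, so a caller's own `else`
 * following `avc_log(...);` would bind to the macro's `if`.  When no
 * user log callback is installed the message goes to selinux_log().
 * `format` is handed straight to the logger as a printf-style format,
 * so it must be a string literal, never message data.
 */
#define avc_log(type, format...) \
  do { \
    if (avc_func_log) \
      avc_func_log(format); \
    else \
      selinux_log(type, format); \
  } while (0)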
99
/*
 * Supplemental audit hook: hand the audit record in buf (len bytes) to
 * the user-supplied audit callback when one has been installed,
 * otherwise to selinux_audit().  ptr and class are forwarded untouched.
 */
static inline void avc_suppl_audit(void *ptr, security_class_t class,
				   char *buf, size_t len)
{
	if (avc_func_audit == NULL) {
		selinux_audit(ptr, class, buf, len);
		return;
	}
	avc_func_audit(ptr, class, buf, len);
}
108
/*
 * Start a thread executing run() via the user-supplied thread callback.
 * Returns the callback's opaque thread handle, or NULL when no thread
 * callback has been installed (no thread is started in that case).
 */
static inline void *avc_create_thread(void (*run) (void))
{
	if (avc_func_create_thread == NULL)
		return NULL;
	return avc_func_create_thread(run);
}
113
/*
 * Stop the thread identified by the handle from avc_create_thread().
 * A no-op when no thread callback has been installed.
 */
static inline void avc_stop_thread(void *thread)
{
	if (avc_func_stop_thread == NULL)
		return;
	avc_func_stop_thread(thread);
}
119
/*
 * Allocate a lock through the user-supplied lock callback.  Returns the
 * callback's opaque lock handle, or NULL when no lock callback has been
 * installed; the remaining lock wrappers accept NULL and do nothing.
 */
static inline void *avc_alloc_lock(void)
{
	if (avc_func_alloc_lock == NULL)
		return NULL;
	return avc_func_alloc_lock();
}
124
/*
 * Acquire lock via the user-supplied callback.  A no-op when no lock
 * callback has been installed, i.e. no mutual exclusion is provided then.
 */
static inline void avc_get_lock(void *lock)
{
	if (avc_func_get_lock == NULL)
		return;
	avc_func_get_lock(lock);
}
130
/*
 * Release lock via the user-supplied callback.  A no-op when no lock
 * callback has been installed.
 */
static inline void avc_release_lock(void *lock)
{
	if (avc_func_release_lock == NULL)
		return;
	avc_func_release_lock(lock);
}
136
/*
 * Destroy a lock obtained from avc_alloc_lock() via the user-supplied
 * callback.  A no-op when no lock callback has been installed.
 */
static inline void avc_free_lock(void *lock)
{
	if (avc_func_free_lock == NULL)
		return;
	avc_func_free_lock(lock);
}
142
/*
 * statistics helper routines
 *
 * With AVC_CACHE_STATS defined these paste `field` onto a `cache_stats`
 * object that must be in scope at the point of use (it is not declared in
 * this header).  Without it they expand to nothing, so an expression
 * passed as `num` is never evaluated — keep side effects out of the
 * arguments.  Note the trailing `;` inside the enabled forms: together
 * with the caller's own `;` it yields an empty statement, which only
 * matters when the macro is the unbraced body of an if/else.
 */
#ifdef AVC_CACHE_STATS

#define avc_cache_stats_incr(field) \
  cache_stats.field ++;
#define avc_cache_stats_add(field, num) \
  cache_stats.field += num;

#else

#define avc_cache_stats_incr(field)
#define avc_cache_stats_add(field, num)

#endif
157
/* logging helper routines */
#define AVC_AUDIT_BUFSIZE 1024

/*
 * again, we need the variadic capability here
 *
 * Append formatted text to buf.  The macro cannot see the real buffer
 * size, so buf must be a NUL-terminated string living in a buffer of
 * exactly AVC_AUDIT_BUFSIZE bytes: the remaining space is computed as
 * AVC_AUDIT_BUFSIZE-strlen(buf), and if strlen(buf) ever exceeded
 * AVC_AUDIT_BUFSIZE that size_t subtraction would wrap.  snprintf
 * truncates silently when the text does not fit; the return value is
 * not checked here.  strlen(buf) is evaluated twice per call, and
 * `format` must be a literal format string, never data being logged.
 */
#define log_append(buf,format...) \
  snprintf(buf+strlen(buf), AVC_AUDIT_BUFSIZE-strlen(buf), format)
164
/*
 * internal callbacks
 *
 * Hidden-visibility entry points implemented in the .c files of the
 * library (not on this page).  Each takes the (ssid, tsid, tclass, perms)
 * tuple naming a cache entry plus the policy sequence number seqno;
 * avc_ss_try_revoke additionally reports retained permissions through
 * out_retained, and the set_audit* pair take an enable flag.
 */
int avc_ss_grant(security_id_t ssid, security_id_t tsid,
		 security_class_t tclass, access_vector_t perms,
		 uint32_t seqno) hidden;
int avc_ss_try_revoke(security_id_t ssid, security_id_t tsid,
		      security_class_t tclass,
		      access_vector_t perms, uint32_t seqno,
		      access_vector_t * out_retained) hidden;
int avc_ss_revoke(security_id_t ssid, security_id_t tsid,
		  security_class_t tclass, access_vector_t perms,
		  uint32_t seqno) hidden;
/* resets the whole cache; only the sequence number is needed */
int avc_ss_reset(uint32_t seqno) hidden;
int avc_ss_set_auditallow(security_id_t ssid, security_id_t tsid,
			  security_class_t tclass, access_vector_t perms,
			  uint32_t seqno, uint32_t enable) hidden;
int avc_ss_set_auditdeny(security_id_t ssid, security_id_t tsid,
			 security_class_t tclass, access_vector_t perms,
			 uint32_t seqno, uint32_t enable) hidden;
183
/*
 * netlink kernel message code
 *
 * Interface to the netlink listener implemented elsewhere in the library.
 * avc_netlink_open() takes a flag selecting blocking or non-blocking mode;
 * avc_netlink_check_nb() is the non-blocking poll and avc_netlink_loop()
 * the blocking one (inferred from the names — confirm against the
 * implementation).
 */
extern int avc_netlink_trouble hidden;
int avc_netlink_open(int blocking) hidden;
int avc_netlink_check_nb(void) hidden;
void avc_netlink_loop(void) hidden;
void avc_netlink_close(void) hidden;
190
/*
 * Hidden-visibility aliases for the public avc_* entry points used
 * internally; hidden_proto presumably comes from "dso.h" included above
 * (its definition is not on this page).
 */
hidden_proto(avc_av_stats)
    hidden_proto(avc_cleanup)
    hidden_proto(avc_reset)
    hidden_proto(avc_audit)
    hidden_proto(avc_has_perm_noaudit)
196#endif				/* _SELINUX_AVC_INTERNAL_H_ */
197