1
2/* Author : Stephen Smalley, <sds@tycho.nsa.gov> */
3
4/*
5 * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
6 * 	Tuned number of hash slots for avtab to reduce memory usage
7 */
8
9/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
10 *
11 * 	Added conditional policy language extensions
12 *
13 * Copyright (C) 2003 Tresys Technology, LLC
14 *
15 *  This library is free software; you can redistribute it and/or
16 *  modify it under the terms of the GNU Lesser General Public
17 *  License as published by the Free Software Foundation; either
18 *  version 2.1 of the License, or (at your option) any later version.
19 *
20 *  This library is distributed in the hope that it will be useful,
21 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
22 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
23 *  Lesser General Public License for more details.
24 *
25 *  You should have received a copy of the GNU Lesser General Public
26 *  License along with this library; if not, write to the Free Software
27 *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
28 */
29
30/* FLASK */
31
32/*
33 * An access vector table (avtab) is a hash table
34 * of access vectors and transition types indexed
35 * by a type pair and a class.  An access vector
36 * table is used to represent the type enforcement
37 * tables.
38 */
39
40#ifndef _SEPOL_POLICYDB_AVTAB_H_
41#define _SEPOL_POLICYDB_AVTAB_H_
42
43#include <sys/types.h>
44#include <stdint.h>
45
46#ifdef __cplusplus
47extern "C" {
48#endif
49
/*
 * Hash key of an avtab entry: a (source type, target type, target class)
 * triple plus a 'specified' bit-set naming the kind(s) of rule the entry
 * carries.  The AVTAB_* flags below are the bits 'specified' is built from.
 */
typedef struct avtab_key {
	uint16_t source_type;
	uint16_t target_type;
	uint16_t target_class;
/* Access-vector rule kinds. */
#define AVTAB_ALLOWED		0x0001
#define AVTAB_AUDITALLOW	0x0002
#define AVTAB_AUDITDENY		0x0004
#define AVTAB_NEVERALLOW	0x0080
/* Mask of the AV rule kinds; note that AVTAB_NEVERALLOW is deliberately not part of it. */
#define AVTAB_AV		(AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY)
/* Type rule kinds (for these the datum's 'data' holds a type, not an access vector). */
#define AVTAB_TRANSITION	0x0010
#define AVTAB_MEMBER		0x0020
#define AVTAB_CHANGE		0x0040
#define AVTAB_TYPE		(AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
/* Extended-permission rule kinds; the datum's 'xperms' presumably carries the bitmap. */
#define AVTAB_XPERMS_ALLOWED	0x0100
#define AVTAB_XPERMS_AUDITALLOW	0x0200
#define AVTAB_XPERMS_DONTAUDIT	0x0400
#define AVTAB_XPERMS_NEVERALLOW	0x0800
/* Mask of the xperms rule kinds; AVTAB_XPERMS_NEVERALLOW is likewise excluded. */
#define AVTAB_XPERMS		(AVTAB_XPERMS_ALLOWED | AVTAB_XPERMS_AUDITALLOW | AVTAB_XPERMS_DONTAUDIT)
/*
 * NOTE(review): 0x80000000 cannot be stored in the 16-bit 'specified' field
 * below, so this value can only apply to a wider (presumably legacy on-disk)
 * encoding of the flags — confirm against avtab_read_item before using it.
 */
#define AVTAB_ENABLED_OLD	0x80000000
#define AVTAB_ENABLED		0x8000	/* reserved for use in cond_avtab */
	uint16_t specified;	/* which AVTAB_* rule kinds this entry carries */
} avtab_key_t;
72
/*
 * Extended permissions attached to an xperms rule (AVTAB_XPERMS_* set in
 * the key's 'specified').  perms[] is 8 x 32 = 256 bits; by the field
 * names this is one bit per ioctl function number within 'driver', but
 * that interpretation is established by avtab.c / the kernel, not here.
 */
typedef struct avtab_extended_perms {

/* Values of 'specified': which ioctl dimension perms[] indexes. */
#define AVTAB_XPERMS_IOCTLFUNCTION	0x01
#define AVTAB_XPERMS_IOCTLDRIVER	0x02
	/* extension of the avtab_key specified */
	uint8_t specified;
	uint8_t driver;		/* ioctl driver number the bitmap belongs to — name-based, verify */
	uint32_t perms[8];	/* 256-bit permission bitmap */
} avtab_extended_perms_t;
82
/*
 * Value stored under an avtab key.  Which field is meaningful depends on
 * the key's 'specified' flags: 'data' for AV and type rules, 'xperms' for
 * AVTAB_XPERMS_* rules.  Ownership of *xperms (who allocates and frees it)
 * is not defined by this header — see avtab_destroy in avtab.c.
 */
typedef struct avtab_datum {
	uint32_t data;		/* access vector or type */
	avtab_extended_perms_t *xperms;	/* extended permissions; presumably NULL for non-xperms rules — confirm */
} avtab_datum_t;
87
/* Pointer alias for a hash-chain node.  Hides the indirection, but it is part of the public API and kept for compatibility. */
typedef struct avtab_node *avtab_ptr_t;
89
/*
 * One entry of an avtab hash chain.  Nodes are linked through 'next'
 * (chain heads live in avtab_t.htable); the last two fields exist only in
 * memory and are never written to the binary policy.
 */
struct avtab_node {
	avtab_key_t key;
	avtab_datum_t datum;
	avtab_ptr_t next;	/* next node in the chain, NULL at the end — confirm in avtab_insert */
	void *parse_context;	/* generic context pointer used by parser;
				 * not saved in binary policy */
	unsigned merged;	/* flag for avtab_write only;
				   not saved in binary policy */
};
99
/*
 * The access vector table: an array of 'nslot' hash-chain heads.
 * nslot and mask are presumably set by avtab_alloc, with nslot a power
 * of two and mask == nslot - 1 (cf. MAX_AVTAB_HASH_MASK below); that
 * invariant is established in avtab.c, not by this header.
 */
typedef struct avtab {
	avtab_ptr_t *htable;	/* array of nslot chain heads */
	uint32_t nel;		/* number of elements */
	uint32_t nslot;         /* number of hash slots */
	uint32_t mask;          /* mask to compute hash func */
} avtab_t;
106
/*
 * Public avtab operations.  Return-value conventions (which int means
 * success, when NULL is returned) are fixed by avtab.c, not by this
 * header; consult the implementation before relying on a specific value.
 */
int avtab_init(avtab_t *h);
/* nel: expected element count; avtab_alloc sizes the bucket array from it (see MAX_AVTAB_SIZE). */
int avtab_alloc(avtab_t *h, uint32_t nel);
int avtab_insert(avtab_t *h, avtab_key_t *key, avtab_datum_t *datum);

avtab_datum_t *avtab_search(avtab_t *h, avtab_key_t *key);

void avtab_destroy(avtab_t *h);

/* Presumably calls apply() once per entry, passing args through untouched. */
int avtab_map(avtab_t *h,
	      int (*apply)(avtab_key_t *key, avtab_datum_t *datum, void *args),
	      void *args);

void avtab_hash_eval(avtab_t *h, char *tag);

/*
 * Binary-policy input.  The bytes read from fp are external data; any
 * validation of the decoded key/datum is the implementation's job and is
 * not visible from this header.  policy_file is opaque here.
 */
struct policy_file;
int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t *a,
		    int (*insert)(avtab_t *a, avtab_key_t *key,
				  avtab_datum_t *datum, void *p),
		    void *p);

int avtab_read(avtab_t *a, struct policy_file *fp, uint32_t vers);

/* Node-level variants: return the node, or presumably NULL on failure / not found — confirm. */
avtab_ptr_t avtab_insert_nonunique(avtab_t *h, avtab_key_t *key,
				   avtab_datum_t *datum);

avtab_ptr_t avtab_insert_with_parse_context(avtab_t *h, avtab_key_t *key,
					    avtab_datum_t *datum,
					    void *parse_context);

avtab_ptr_t avtab_search_node(avtab_t *h, avtab_key_t *key);

avtab_ptr_t avtab_search_node_next(avtab_ptr_t node, int specified);
139
/*
 * Upper bound on table size.  20 bits gives 1 << 20 = 1,048,576 buckets
 * and a mask of 0xFFFFF; the shift operand is an int, so 1 << 20 is well
 * within range.  MAX_AVTAB_SIZE is twice the bucket count (2,097,152).
 */
#define MAX_AVTAB_HASH_BITS 20
#define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS)
#define MAX_AVTAB_HASH_MASK (MAX_AVTAB_HASH_BUCKETS-1)
/* avtab_alloc uses one bucket per 2-4 elements, so adjust to get maximum buckets */
#define MAX_AVTAB_SIZE (MAX_AVTAB_HASH_BUCKETS << 1)
145
146#ifdef __cplusplus
147}
148#endif
149
#endif				/* _SEPOL_POLICYDB_AVTAB_H_ */
151
152/* FLASK */
153