1
2/* -*- linux-c -*- */
3
4/*
5 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
6 */
7
8#ifndef _SEPOL_POLICYDB_SERVICES_H_
9#define _SEPOL_POLICYDB_SERVICES_H_
10
11/*
12 * Security server interface.
13 */
14
15#include <sepol/policydb/flask_types.h>
16#include <sepol/policydb/policydb.h>
17#include <stddef.h>
18
19/* Set the policydb and sidtab structures to be used by
20   the service functions.  If not set, then these default
21   to private structures within libsepol that can only be
22   initialized and accessed via the service functions themselves.
23   Setting the structures explicitly allows a program to directly
24   manipulate them, e.g. checkpolicy populates the structures directly
25   from a source policy rather than from a binary policy. */
26extern int sepol_set_policydb(policydb_t * p);
27extern int sepol_set_sidtab(sidtab_t * s);
28
29/* Modify a policydb for boolean settings. */
30int sepol_genbools_policydb(policydb_t * policydb, const char *booleans);
31
32/* Modify a policydb for user settings. */
33int sepol_genusers_policydb(policydb_t * policydb, const char *usersdir);
34
35/* Load the security policy. This initializes the policydb
36   and sidtab based on the provided binary policy. */
37extern int sepol_load_policy(void *data, size_t len);
38
39/*
40 * Compute access vectors based on a SID pair for
41 * the permissions in a particular class.
42 */
43extern int sepol_compute_av(sepol_security_id_t ssid,	/* IN */
44			    sepol_security_id_t tsid,	/* IN */
45			    sepol_security_class_t tclass,	/* IN */
46			    sepol_access_vector_t requested,	/* IN */
47			    struct sepol_av_decision *avd);	/* OUT */
48
49/* Same as above, but also return the reason(s) for any
50   denials of the requested permissions. */
51#define SEPOL_COMPUTEAV_TE   1
52#define SEPOL_COMPUTEAV_CONS 2
53#define SEPOL_COMPUTEAV_RBAC 4
54extern int sepol_compute_av_reason(sepol_security_id_t ssid,
55				   sepol_security_id_t tsid,
56				   sepol_security_class_t tclass,
57				   sepol_access_vector_t requested,
58				   struct sepol_av_decision *avd,
59				   unsigned int *reason);
60
61/*
62 * Compute a SID to use for labeling a new object in the
63 * class `tclass' based on a SID pair.
64 */
65extern int sepol_transition_sid(sepol_security_id_t ssid,	/* IN */
66				sepol_security_id_t tsid,	/* IN */
67				sepol_security_class_t tclass,	/* IN */
68				sepol_security_id_t * out_sid);	/* OUT */
69
70/*
71 * Compute a SID to use when selecting a member of a
72 * polyinstantiated object of class `tclass' based on
73 * a SID pair.
74 */
75extern int sepol_member_sid(sepol_security_id_t ssid,	/* IN */
76			    sepol_security_id_t tsid,	/* IN */
77			    sepol_security_class_t tclass,	/* IN */
78			    sepol_security_id_t * out_sid);	/* OUT */
79
80/*
81 * Compute a SID to use for relabeling an object in the
82 * class `tclass' based on a SID pair.
83 */
84extern int sepol_change_sid(sepol_security_id_t ssid,	/* IN */
85			    sepol_security_id_t tsid,	/* IN */
86			    sepol_security_class_t tclass,	/* IN */
87			    sepol_security_id_t * out_sid);	/* OUT */
88
89/*
90 * Write the security context string representation of
91 * the context associated with `sid' into a dynamically
92 * allocated string of the correct size.  Set `*scontext'
93 * to point to this string and set `*scontext_len' to
94 * the length of the string.
95 */
96extern int sepol_sid_to_context(sepol_security_id_t sid,	/* IN */
97				sepol_security_context_t * scontext,	/* OUT */
98				size_t * scontext_len);	/* OUT */
99
100/*
101 * Return a SID associated with the security context that
102 * has the string representation specified by `scontext'.
103 */
104extern int sepol_context_to_sid(const sepol_security_context_t scontext,	/* IN */
105				size_t scontext_len,	/* IN */
106				sepol_security_id_t * out_sid);	/* OUT */
107
108/*
109 * Generate the set of SIDs for legal security contexts
110 * for the user `username' that can be reached by `callsid'.
111 * Set `*sids' to point to a dynamically allocated
112 * array containing the set of SIDs.  Set `*nel' to the
113 * number of elements in the array.
114 */
115extern int sepol_get_user_sids(sepol_security_id_t callsid,
116			       char *username,
117			       sepol_security_id_t ** sids, uint32_t * nel);
118
119/*
120 * Return the SIDs to use for an unlabeled file system
121 * that is being mounted from the device with the
122 * kdevname `dev'.  The `fs_sid' SID is returned for
123 * the file system and the `file_sid' SID is returned
124 * for all files within that file system.
125 */
126extern int sepol_fs_sid(char *dev,	/* IN */
127			sepol_security_id_t * fs_sid,	/* OUT  */
128			sepol_security_id_t * file_sid);	/* OUT */
129
130/*
131 * Return the SID of the port specified by
132 * `domain', `type', `protocol', and `port'.
133 */
134extern int sepol_port_sid(uint16_t domain,
135			  uint16_t type,
136			  uint8_t protocol,
137			  uint16_t port, sepol_security_id_t * out_sid);
138
139/*
140 * Return the SIDs to use for a network interface
141 * with the name `name'.  The `if_sid' SID is returned for
142 * the interface and the `msg_sid' SID is returned as
143 * the default SID for messages received on the
144 * interface.
145 */
146extern int sepol_netif_sid(char *name,
147			   sepol_security_id_t * if_sid,
148			   sepol_security_id_t * msg_sid);
149
150/*
151 * Return the SID of the node specified by the address
152 * `addr' where `addrlen' is the length of the address
153 * in bytes and `domain' is the communications domain or
154 * address family in which the address should be interpreted.
155 */
156extern int sepol_node_sid(uint16_t domain,
157			  void *addr,
158			  size_t addrlen, sepol_security_id_t * out_sid);
159
160/*
161 * Return a value indicating how to handle labeling for the
162 * specified filesystem type, and optionally return a SID
163 * for the filesystem object.
164 */
165#define SECURITY_FS_USE_XATTR 1	/* use xattr */
166#define SECURITY_FS_USE_TRANS 2	/* use transition SIDs, e.g. devpts/tmpfs */
167#define SECURITY_FS_USE_TASK  3	/* use task SIDs, e.g. pipefs/sockfs */
168#define SECURITY_FS_USE_GENFS 4	/* use the genfs support */
169#define SECURITY_FS_USE_NONE  5	/* no labeling support */
170extern int sepol_fs_use(const char *fstype,	/* IN */
171			unsigned int *behavior,	/* OUT */
172			sepol_security_id_t * sid);	/* OUT  */
173
174/*
175 * Return the SID to use for a file in a filesystem
176 * that cannot support a persistent label mapping or use another
177 * fixed labeling behavior like transition SIDs or task SIDs.
178 */
179extern int sepol_genfs_sid(const char *fstype,	/* IN */
180			   char *name,	/* IN */
181			   sepol_security_class_t sclass,	/* IN */
182			   sepol_security_id_t * sid);	/* OUT  */
183
184#endif
185