xref: /OK3568_Linux_fs/kernel/security/selinux/include/avc.h (revision 4882a59341e53eb6f0b4789bf948001014eff981)
1*4882a593Smuzhiyun /* SPDX-License-Identifier: GPL-2.0 */
2*4882a593Smuzhiyun /*
3*4882a593Smuzhiyun  * Access vector cache interface for object managers.
4*4882a593Smuzhiyun  *
5*4882a593Smuzhiyun  * Author : Stephen Smalley, <sds@tycho.nsa.gov>
6*4882a593Smuzhiyun  */
7*4882a593Smuzhiyun #ifndef _SELINUX_AVC_H_
8*4882a593Smuzhiyun #define _SELINUX_AVC_H_
9*4882a593Smuzhiyun 
10*4882a593Smuzhiyun #include <linux/stddef.h>
11*4882a593Smuzhiyun #include <linux/errno.h>
12*4882a593Smuzhiyun #include <linux/kernel.h>
13*4882a593Smuzhiyun #include <linux/kdev_t.h>
14*4882a593Smuzhiyun #include <linux/spinlock.h>
15*4882a593Smuzhiyun #include <linux/init.h>
16*4882a593Smuzhiyun #include <linux/audit.h>
17*4882a593Smuzhiyun #include <linux/lsm_audit.h>
18*4882a593Smuzhiyun #include <linux/in6.h>
19*4882a593Smuzhiyun #include "flask.h"
20*4882a593Smuzhiyun #include "av_permissions.h"
21*4882a593Smuzhiyun #include "security.h"
22*4882a593Smuzhiyun 
23*4882a593Smuzhiyun /*
24*4882a593Smuzhiyun  * An entry in the AVC.
25*4882a593Smuzhiyun  */
26*4882a593Smuzhiyun struct avc_entry;
27*4882a593Smuzhiyun 
28*4882a593Smuzhiyun struct task_struct;
29*4882a593Smuzhiyun struct inode;
30*4882a593Smuzhiyun struct sock;
31*4882a593Smuzhiyun struct sk_buff;
32*4882a593Smuzhiyun 
33*4882a593Smuzhiyun /*
34*4882a593Smuzhiyun  * AVC statistics
35*4882a593Smuzhiyun  */
struct avc_cache_stats {
	/*
	 * An instance of this struct is declared per-CPU at the end of this
	 * header when CONFIG_SECURITY_SELINUX_AVC_STATS is enabled.
	 * NOTE(review): the code that updates these counters is not in this
	 * header; presumably each field counts the AVC event it is named
	 * after - confirm in avc.c.
	 */
	unsigned int lookups;
	unsigned int misses;
	unsigned int allocations;
	unsigned int reclaims;
	unsigned int frees;
};
43*4882a593Smuzhiyun 
44*4882a593Smuzhiyun /*
45*4882a593Smuzhiyun  * We only need this data after we have decided to send an audit message.
46*4882a593Smuzhiyun  */
struct selinux_audit_data {
	/*
	 * NOTE(review): every field carries the same name and type as an
	 * argument of slow_avc_audit(), declared later in this header;
	 * presumably that function fills this struct in - confirm in avc.c.
	 */
	u32 ssid;
	u32 tsid;
	u16 tclass;
	u32 requested;
	u32 audited;
	u32 denied;
	int result;
	struct selinux_state *state;
};
57*4882a593Smuzhiyun 
58*4882a593Smuzhiyun /*
59*4882a593Smuzhiyun  * AVC operations
60*4882a593Smuzhiyun  */
61*4882a593Smuzhiyun 
62*4882a593Smuzhiyun void __init avc_init(void);
63*4882a593Smuzhiyun 
/**
 * avc_audit_required - work out which permission bits need an audit record.
 * @requested: permissions the caller asked for
 * @avd: access vector decision; allowed, auditdeny and auditallow are read
 * @result: result of the permission check; non-zero is treated as a failure
 * @auditdeny: optional permission mask; non-zero enables the dontaudit
 *             suppression described in the body, 0 disables it
 * @deniedp: out parameter, always written with the denied permission bits
 *
 * Return: the permission bits to audit; 0 means no audit record is needed.
 */
static inline u32 avc_audit_required(u32 requested,
			      struct av_decision *avd,
			      int result,
			      u32 auditdeny,
			      u32 *deniedp)
{
	u32 missing = requested & ~avd->allowed;
	u32 to_audit;

	if (unlikely(missing)) {
		/*
		 * The caller's auditdeny mask is easy to misread.  A bit that
		 * is clear in avd->auditdeny means the policy has an explicit
		 * dontaudit rule for that permission.  When the caller passes
		 * a non-zero mask and none of its bits are set in
		 * avd->auditdeny, the whole denial goes unaudited, whichever
		 * permission was actually denied.  For example, with
		 *
		 * denied == READ
		 * avd.auditdeny & ACCESS == 0 (not set means explicit rule)
		 * auditdeny & ACCESS == 1
		 *
		 * the READ denial is not audited although the mask only asked
		 * about ACCESS.  The denied bits are still reported through
		 * *deniedp, so a missing audit record is not proof that
		 * nothing was denied.
		 */
		if (auditdeny && !(auditdeny & avd->auditdeny))
			to_audit = 0;
		else
			to_audit = missing & avd->auditdeny;
	} else if (result) {
		/*
		 * No requested bit is missing from avd->allowed, yet the check
		 * failed: report every requested permission as both denied
		 * and audited.
		 */
		missing = requested;
		to_audit = requested;
	} else {
		/* Granted: audit only what avd->auditallow selects. */
		to_audit = requested & avd->auditallow;
	}

	*deniedp = missing;
	return to_audit;
}
99*4882a593Smuzhiyun 
100*4882a593Smuzhiyun int slow_avc_audit(struct selinux_state *state,
101*4882a593Smuzhiyun 		   u32 ssid, u32 tsid, u16 tclass,
102*4882a593Smuzhiyun 		   u32 requested, u32 audited, u32 denied, int result,
103*4882a593Smuzhiyun 		   struct common_audit_data *a);
104*4882a593Smuzhiyun 
/**
 * avc_audit - Audit the granting or denial of permissions.
 * @state: SELinux state, handed unchanged to slow_avc_audit()
 * @ssid: source security identifier
 * @tsid: target security identifier
 * @tclass: target security class
 * @requested: requested permissions
 * @avd: access vector decisions
 * @result: result from avc_has_perm_noaudit
 * @a:  auxiliary audit data
 * @flags: VFS walk flags
 *
 * Audit the granting or denial of permissions in accordance
 * with the policy.  avc_has_perm() typically calls this after a
 * permission check.  Callers of avc_has_perm_noaudit() can also call
 * it directly, which separates the permission check from the
 * auditing: a check that must run under a lock can release the lock
 * before the auditing code is called.
 *
 * The decision about what to audit comes from avc_audit_required(),
 * called here with an auditdeny mask of 0, so the caller-mask
 * dontaudit suppression in that helper is not used on this path.
 *
 * Return: 0 when no permission bit needs auditing; -ECHILD when an
 * audit record is needed but @flags contains MAY_NOT_BLOCK (no record
 * is written by this call); otherwise the value returned by
 * slow_avc_audit().
 */
static inline int avc_audit(struct selinux_state *state,
			    u32 ssid, u32 tsid,
			    u16 tclass, u32 requested,
			    struct av_decision *avd,
			    int result,
			    struct common_audit_data *a,
			    int flags)
{
	u32 denied_bits;
	u32 audit_bits = avc_audit_required(requested, avd, result, 0,
					    &denied_bits);

	/* Common case: nothing to record. */
	if (likely(audit_bits == 0))
		return 0;

	/*
	 * An audit record has to be generated, so a caller that passed
	 * MAY_NOT_BLOCK is sent back to ref-walk via -ECHILD.
	 */
	if (flags & MAY_NOT_BLOCK)
		return -ECHILD;

	return slow_avc_audit(state, ssid, tsid, tclass, requested,
			      audit_bits, denied_bits, result, a);
}
144*4882a593Smuzhiyun 
#define AVC_STRICT 1 /* Ignore permissive mode. */
#define AVC_EXTENDED_PERMS 2	/* update extended permissions */
#define AVC_NONBLOCKING    4	/* non blocking */
/*
 * Permission check without auditing.  Per the avc_audit() kernel-doc in
 * this header, callers of this function call avc_audit() themselves so that
 * the audit step can run separately, for example after a lock is released.
 * NOTE(review): the AVC_* values above are distinct bits, presumably OR-ed
 * into @flags - confirm in avc.c.
 */
int avc_has_perm_noaudit(struct selinux_state *state,
			 u32 ssid, u32 tsid,
			 u16 tclass, u32 requested,
			 unsigned flags,
			 struct av_decision *avd);
153*4882a593Smuzhiyun 
/*
 * Per the avc_audit() kernel-doc in this header, avc_has_perm() typically
 * calls avc_audit() after its permission check.
 */
int avc_has_perm(struct selinux_state *state,
		 u32 ssid, u32 tsid,
		 u16 tclass, u32 requested,
		 struct common_audit_data *auditdata);
/*
 * NOTE(review): @flags is presumably the same VFS walk flags value that
 * avc_audit() tests for MAY_NOT_BLOCK; if so, a caller can receive -ECHILD
 * when an audit record is needed - confirm in avc.c.
 */
int avc_has_perm_flags(struct selinux_state *state,
		       u32 ssid, u32 tsid,
		       u16 tclass, u32 requested,
		       struct common_audit_data *auditdata,
		       int flags);
163*4882a593Smuzhiyun 
164*4882a593Smuzhiyun int avc_has_extended_perms(struct selinux_state *state,
165*4882a593Smuzhiyun 			   u32 ssid, u32 tsid, u16 tclass, u32 requested,
166*4882a593Smuzhiyun 			   u8 driver, u8 perm, struct common_audit_data *ad);
167*4882a593Smuzhiyun 
168*4882a593Smuzhiyun 
169*4882a593Smuzhiyun u32 avc_policy_seqno(struct selinux_state *state);
170*4882a593Smuzhiyun 
/*
 * AVC callback event identifiers.  Each value is a distinct single bit.
 * NOTE(review): presumably several can be OR-ed into the @events argument
 * of avc_add_callback(), with the callback receiving the one event that
 * fired - confirm in avc.c.
 */
#define AVC_CALLBACK_GRANT		1
#define AVC_CALLBACK_TRY_REVOKE		2
#define AVC_CALLBACK_REVOKE		4
#define AVC_CALLBACK_RESET		8
#define AVC_CALLBACK_AUDITALLOW_ENABLE	16
#define AVC_CALLBACK_AUDITALLOW_DISABLE	32
#define AVC_CALLBACK_AUDITDENY_ENABLE	64
#define AVC_CALLBACK_AUDITDENY_DISABLE	128
#define AVC_CALLBACK_ADD_XPERMS		256

int avc_add_callback(int (*callback)(u32 event), u32 events);
182*4882a593Smuzhiyun 
183*4882a593Smuzhiyun /* Exported to selinuxfs */
184*4882a593Smuzhiyun struct selinux_avc;
185*4882a593Smuzhiyun int avc_get_hash_stats(struct selinux_avc *avc, char *page);
186*4882a593Smuzhiyun unsigned int avc_get_cache_threshold(struct selinux_avc *avc);
187*4882a593Smuzhiyun void avc_set_cache_threshold(struct selinux_avc *avc,
188*4882a593Smuzhiyun 			     unsigned int cache_threshold);
189*4882a593Smuzhiyun 
190*4882a593Smuzhiyun /* Attempt to free avc node cache */
191*4882a593Smuzhiyun void avc_disable(void);
192*4882a593Smuzhiyun 
193*4882a593Smuzhiyun #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
194*4882a593Smuzhiyun DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
195*4882a593Smuzhiyun #endif
196*4882a593Smuzhiyun 
197*4882a593Smuzhiyun #endif /* _SELINUX_AVC_H_ */