Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: d6d901c23a
Branches Tags
linux-vybrid_pu...
/
security
/
selinux
/
ss
/
policydb.h

policydb.h 8.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306 
  1. /*
    2. 

  2.  * A policy database (policydb) specifies the
    3. 

  3.  * configuration data for the security policy.
    4. 

  4.  *
    5. 

  5.  * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
    6. 

  6.  */
    7. 

  7. 

  8. /*
    9. 

  9.  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
    10. 

  10.  *
    11. 

  11.  *	Support for enhanced MLS infrastructure.
    12. 

  12.  *
    13. 

  13.  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
    14. 

  14.  *
    15. 

  15.  *	Added conditional policy language extensions
    16. 

  16.  *
    17. 

  17.  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
    18. 

  18.  * Copyright (C) 2003 - 2004 Tresys Technology, LLC
    19. 

  19.  *	This program is free software; you can redistribute it and/or modify
    20. 

  20.  *	it under the terms of the GNU General Public License as published by
    21. 

  21.  *	the Free Software Foundation, version 2.
    22. 

  22.  */
    23. 

  23. 

  24. #ifndef _SS_POLICYDB_H_
    25. 

  25. #define _SS_POLICYDB_H_
    26. 

  26. 

  27. #include "symtab.h"
    28. 

  28. #include "avtab.h"
    29. 

  29. #include "sidtab.h"
    30. 

  30. #include "ebitmap.h"
    31. 

  31. #include "mls_types.h"
    32. 

  32. #include "context.h"
    33. 

  33. #include "constraint.h"
    34. 

  34. 

  35. /*
    36. 

  36.  * A datum type is defined for each kind of symbol
    37. 

  37.  * in the configuration data:  individual permissions,
    38. 

  38.  * common prefixes for access vectors, classes,
    39. 

  39.  * users, roles, types, sensitivities, categories, etc.
    40. 

  40.  */
    41. 

  41. 

  42. /* Permission attributes */
    43. 

  43. struct perm_datum {
    44. 

  44. 	u32 value;		/* permission bit + 1 */
    45. 

  45. };
    46. 

  46. 

  47. /* Attributes of a common prefix for access vectors */
    48. 

  48. struct common_datum {
    49. 

  49. 	u32 value;			/* internal common value */
    50. 

  50. 	struct symtab permissions;	/* common permissions */
    51. 

  51. };
    52. 

  52. 

  53. /* Class attributes */
    54. 

  54. struct class_datum {
    55. 

  55. 	u32 value;			/* class value */
    56. 

  56. 	char *comkey;			/* common name */
    57. 

  57. 	struct common_datum *comdatum;	/* common datum */
    58. 

  58. 	struct symtab permissions;	/* class-specific permission symbol table */
    59. 

  59. 	struct constraint_node *constraints;	/* constraints on class permissions */
    60. 

  60. 	struct constraint_node *validatetrans;	/* special transition rules */
    61. 

  61. };
    62. 

  62. 

  63. /* Role attributes */
    64. 

  64. struct role_datum {
    65. 

  65. 	u32 value;			/* internal role value */
    66. 

  66. 	u32 bounds;			/* boundary of role */
    67. 

  67. 	struct ebitmap dominates;	/* set of roles dominated by this role */
    68. 

  68. 	struct ebitmap types;		/* set of authorized types for role */
    69. 

  69. };
    70. 

  70. 

  71. struct role_trans {
    72. 

  72. 	u32 role;		/* current role */
    73. 

  73. 	u32 type;		/* program executable type */
    74. 

  74. 	u32 new_role;		/* new role */
    75. 

  75. 	struct role_trans *next;
    76. 

  76. };
    77. 

  77. 

  78. struct role_allow {
    79. 

  79. 	u32 role;		/* current role */
    80. 

  80. 	u32 new_role;		/* new role */
    81. 

  81. 	struct role_allow *next;
    82. 

  82. };
    83. 

  83. 

  84. /* Type attributes */
    85. 

  85. struct type_datum {
    86. 

  86. 	u32 value;		/* internal type value */
    87. 

  87. 	u32 bounds;		/* boundary of type */
    88. 

  88. 	unsigned char primary;	/* primary name? */
    89. 

  89. 	unsigned char attribute;/* attribute ?*/
    90. 

  90. };
    91. 

  91. 

  92. /* User attributes */
    93. 

  93. struct user_datum {
    94. 

  94. 	u32 value;			/* internal user value */
    95. 

  95. 	u32 bounds;			/* bounds of user */
    96. 

  96. 	struct ebitmap roles;		/* set of authorized roles for user */
    97. 

  97. 	struct mls_range range;		/* MLS range (min - max) for user */
    98. 

  98. 	struct mls_level dfltlevel;	/* default login MLS level for user */
    99. 

  99. };
    100. 

  100. 

  101. 

  102. /* Sensitivity attributes */
    103. 

  103. struct level_datum {
    104. 

  104. 	struct mls_level *level;	/* sensitivity and associated categories */
    105. 

  105. 	unsigned char isalias;	/* is this sensitivity an alias for another? */
    106. 

  106. };
    107. 

  107. 

  108. /* Category attributes */
    109. 

  109. struct cat_datum {
    110. 

  110. 	u32 value;		/* internal category bit + 1 */
    111. 

  111. 	unsigned char isalias;  /* is this category an alias for another? */
    112. 

  112. };
    113. 

  113. 

  114. struct range_trans {
    115. 

  115. 	u32 source_type;
    116. 

  116. 	u32 target_type;
    117. 

  117. 	u32 target_class;
    118. 

  118. };
    119. 

  119. 

  120. /* Boolean data type */
    121. 

  121. struct cond_bool_datum {
    122. 

  122. 	__u32 value;		/* internal type value */
    123. 

  123. 	int state;
    124. 

  124. };
    125. 

  125. 

  126. struct cond_node;
    127. 

  127. 

  128. /*
    129. 

  129.  * The configuration data includes security contexts for
    130. 

  130.  * initial SIDs, unlabeled file systems, TCP and UDP port numbers,
    131. 

  131.  * network interfaces, and nodes.  This structure stores the
    132. 

  132.  * relevant data for one such entry.  Entries of the same kind
    133. 

  133.  * (e.g. all initial SIDs) are linked together into a list.
    134. 

  134.  */
    135. 

  135. struct ocontext {
    136. 

  136. 	union {
    137. 

  137. 		char *name;	/* name of initial SID, fs, netif, fstype, path */
    138. 

  138. 		struct {
    139. 

  139. 			u8 protocol;
    140. 

  140. 			u16 low_port;
    141. 

  141. 			u16 high_port;
    142. 

  142. 		} port;		/* TCP or UDP port information */
    143. 

  143. 		struct {
    144. 

  144. 			u32 addr;
    145. 

  145. 			u32 mask;
    146. 

  146. 		} node;		/* node information */
    147. 

  147. 		struct {
    148. 

  148. 			u32 addr[4];
    149. 

  149. 			u32 mask[4];
    150. 

  150. 		} node6;        /* IPv6 node information */
    151. 

  151. 	} u;
    152. 

  152. 	union {
    153. 

  153. 		u32 sclass;  /* security class for genfs */
    154. 

  154. 		u32 behavior;  /* labeling behavior for fs_use */
    155. 

  155. 	} v;
    156. 

  156. 	struct context context[2];	/* security context(s) */
    157. 

  157. 	u32 sid[2];	/* SID(s) */
    158. 

  158. 	struct ocontext *next;
    159. 

  159. };
    160. 

  160. 

  161. struct genfs {
    162. 

  162. 	char *fstype;
    163. 

  163. 	struct ocontext *head;
    164. 

  164. 	struct genfs *next;
    165. 

  165. };
    166. 

  166. 

  167. /* symbol table array indices */
    168. 

  168. #define SYM_COMMONS 0
    169. 

  169. #define SYM_CLASSES 1
    170. 

  170. #define SYM_ROLES   2
    171. 

  171. #define SYM_TYPES   3
    172. 

  172. #define SYM_USERS   4
    173. 

  173. #define SYM_BOOLS   5
    174. 

  174. #define SYM_LEVELS  6
    175. 

  175. #define SYM_CATS    7
    176. 

  176. #define SYM_NUM     8
    177. 

  177. 

  178. /* object context array indices */
    179. 

  179. #define OCON_ISID  0	/* initial SIDs */
    180. 

  180. #define OCON_FS    1	/* unlabeled file systems */
    181. 

  181. #define OCON_PORT  2	/* TCP and UDP port numbers */
    182. 

  182. #define OCON_NETIF 3	/* network interfaces */
    183. 

  183. #define OCON_NODE  4	/* nodes */
    184. 

  184. #define OCON_FSUSE 5	/* fs_use */
    185. 

  185. #define OCON_NODE6 6	/* IPv6 nodes */
    186. 

  186. #define OCON_NUM   7
    187. 

  187. 

  188. /* The policy database */
    189. 

  189. struct policydb {
    190. 

  190. 	int mls_enabled;
    191. 

  191. 

  192. 	/* symbol tables */
    193. 

  193. 	struct symtab symtab[SYM_NUM];
    194. 

  194. #define p_commons symtab[SYM_COMMONS]
    195. 

  195. #define p_classes symtab[SYM_CLASSES]
    196. 

  196. #define p_roles symtab[SYM_ROLES]
    197. 

  197. #define p_types symtab[SYM_TYPES]
    198. 

  198. #define p_users symtab[SYM_USERS]
    199. 

  199. #define p_bools symtab[SYM_BOOLS]
    200. 

  200. #define p_levels symtab[SYM_LEVELS]
    201. 

  201. #define p_cats symtab[SYM_CATS]
    202. 

  202. 

  203. 	/* symbol names indexed by (value - 1) */
    204. 

  204. 	char **sym_val_to_name[SYM_NUM];
    205. 

  205. #define p_common_val_to_name sym_val_to_name[SYM_COMMONS]
    206. 

  206. #define p_class_val_to_name sym_val_to_name[SYM_CLASSES]
    207. 

  207. #define p_role_val_to_name sym_val_to_name[SYM_ROLES]
    208. 

  208. #define p_type_val_to_name sym_val_to_name[SYM_TYPES]
    209. 

  209. #define p_user_val_to_name sym_val_to_name[SYM_USERS]
    210. 

  210. #define p_bool_val_to_name sym_val_to_name[SYM_BOOLS]
    211. 

  211. #define p_sens_val_to_name sym_val_to_name[SYM_LEVELS]
    212. 

  212. #define p_cat_val_to_name sym_val_to_name[SYM_CATS]
    213. 

  213. 

  214. 	/* class, role, and user attributes indexed by (value - 1) */
    215. 

  215. 	struct class_datum **class_val_to_struct;
    216. 

  216. 	struct role_datum **role_val_to_struct;
    217. 

  217. 	struct user_datum **user_val_to_struct;
    218. 

  218. 	struct type_datum **type_val_to_struct;
    219. 

  219. 

  220. 	/* type enforcement access vectors and transitions */
    221. 

  221. 	struct avtab te_avtab;
    222. 

  222. 

  223. 	/* role transitions */
    224. 

  224. 	struct role_trans *role_tr;
    225. 

  225. 

  226. 	/* bools indexed by (value - 1) */
    227. 

  227. 	struct cond_bool_datum **bool_val_to_struct;
    228. 

  228. 	/* type enforcement conditional access vectors and transitions */
    229. 

  229. 	struct avtab te_cond_avtab;
    230. 

  230. 	/* linked list indexing te_cond_avtab by conditional */
    231. 

  231. 	struct cond_node *cond_list;
    232. 

  232. 

  233. 	/* role allows */
    234. 

  234. 	struct role_allow *role_allow;
    235. 

  235. 

  236. 	/* security contexts of initial SIDs, unlabeled file systems,
    237. 

  237. 	   TCP or UDP port numbers, network interfaces and nodes */
    238. 

  238. 	struct ocontext *ocontexts[OCON_NUM];
    239. 

  239. 

  240. 	/* security contexts for files in filesystems that cannot support
    241. 

  241. 	   a persistent label mapping or use another
    242. 

  242. 	   fixed labeling behavior. */
    243. 

  243. 	struct genfs *genfs;
    244. 

  244. 

  245. 	/* range transitions table (range_trans_key -> mls_range) */
    246. 

  246. 	struct hashtab *range_tr;
    247. 

  247. 

  248. 	/* type -> attribute reverse mapping */
    249. 

  249. 	struct ebitmap *type_attr_map;
    250. 

  250. 

  251. 	struct ebitmap policycaps;
    252. 

  252. 

  253. 	struct ebitmap permissive_map;
    254. 

  254. 

  255. 	unsigned int policyvers;
    256. 

  256. 

  257. 	unsigned int reject_unknown : 1;
    258. 

  258. 	unsigned int allow_unknown : 1;
    259. 

  259. 

  260. 	u16 process_class;
    261. 

  261. 	u32 process_trans_perms;
    262. 

  262. };
    263. 

  263. 

  264. extern void policydb_destroy(struct policydb *p);
    265. 

  265. extern int policydb_load_isids(struct policydb *p, struct sidtab *s);
    266. 

  266. extern int policydb_context_isvalid(struct policydb *p, struct context *c);
    267. 

  267. extern int policydb_class_isvalid(struct policydb *p, unsigned int class);
    268. 

  268. extern int policydb_type_isvalid(struct policydb *p, unsigned int type);
    269. 

  269. extern int policydb_role_isvalid(struct policydb *p, unsigned int role);
    270. 

  270. extern int policydb_read(struct policydb *p, void *fp);
    271. 

  271. 

  272. #define PERM_SYMTAB_SIZE 32
    273. 

  273. 

  274. #define POLICYDB_CONFIG_MLS    1
    275. 

  275. 

  276. /* the config flags related to unknown classes/perms are bits 2 and 3 */
    277. 

  277. #define REJECT_UNKNOWN	0x00000002
    278. 

  278. #define ALLOW_UNKNOWN	0x00000004
    279. 

  279. 

  280. #define OBJECT_R "object_r"
    281. 

  281. #define OBJECT_R_VAL 1
    282. 

  282. 

  283. #define POLICYDB_MAGIC SELINUX_MAGIC
    284. 

  284. #define POLICYDB_STRING "SE Linux"
    285. 

  285. 

  286. struct policy_file {
    287. 

  287. 	char *data;
    288. 

  288. 	size_t len;
    289. 

  289. };
    290. 

  290. 

  291. static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes)
    292. 

  292. {
    293. 

  293. 	if (bytes > fp->len)
    294. 

  294. 		return -EINVAL;
    295. 

  295. 

  296. 	memcpy(buf, fp->data, bytes);
    297. 

  297. 	fp->data += bytes;
    298. 

  298. 	fp->len -= bytes;
    299. 

  299. 	return 0;
    300. 

  300. }
    301. 

  301. 

  302. extern u16 string_to_security_class(struct policydb *p, const char *name);
    303. 

  303. extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name);
    304. 

  304. 

  305. #endif	/* _SS_POLICYDB_H_ */
    306. 

  306.