
avtab.h (3833B)


      1/* SPDX-License-Identifier: GPL-2.0-only */
      2/*
      3 * An access vector table (avtab) is a hash table
      4 * of access vectors and transition types indexed
      5 * by a type pair and a class.  An access vector
      6 * table is used to represent the type enforcement
      7 * tables.
      8 *
      9 *  Author : Stephen Smalley, <sds@tycho.nsa.gov>
     10 */
     11
     12/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
     13 *
     14 * 	Added conditional policy language extensions
     15 *
     16 * Copyright (C) 2003 Tresys Technology, LLC
     17 *
     18 * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
     19 * 	Tuned number of hash slots for avtab to reduce memory usage
     20 */
     21#ifndef _SS_AVTAB_H_
     22#define _SS_AVTAB_H_
     23
     24#include "security.h"
     25
/*
 * Lookup key of one avtab entry: the (source type, target type, class)
 * triple the table is indexed by, plus the AVTAB_* bits in @specified
 * that say what kind of datum the entry carries.
 */
struct avtab_key {
	u16 source_type;	/* source type */
	u16 target_type;	/* target type */
	u16 target_class;	/* target object class */
/* Access-vector entries: datum.u.data is the access vector. */
#define AVTAB_ALLOWED		0x0001
#define AVTAB_AUDITALLOW	0x0002
#define AVTAB_AUDITDENY		0x0004
#define AVTAB_AV		(AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY)
/* Type rules: datum.u.data is the resulting type value. */
#define AVTAB_TRANSITION	0x0010
#define AVTAB_MEMBER		0x0020
#define AVTAB_CHANGE		0x0040
#define AVTAB_TYPE		(AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
/*
 * extended permissions: presumably datum.u.xperms is the valid union
 * member for these entries (it points at a struct avtab_extended_perms).
 */
#define AVTAB_XPERMS_ALLOWED	0x0100
#define AVTAB_XPERMS_AUDITALLOW	0x0200
#define AVTAB_XPERMS_DONTAUDIT	0x0400
#define AVTAB_XPERMS		(AVTAB_XPERMS_ALLOWED | \
				AVTAB_XPERMS_AUDITALLOW | \
				AVTAB_XPERMS_DONTAUDIT)
/*
 * Conditional-policy enable bits, reserved for use in cond_avtab.
 * NOTE(review): AVTAB_ENABLED_OLD does not fit in the u16 @specified
 * field; it presumably belongs to an older on-disk policy encoding and
 * is translated while reading — confirm against avtab_read_item().
 */
#define AVTAB_ENABLED_OLD   0x80000000 /* reserved for use in cond_avtab */
#define AVTAB_ENABLED		0x8000 /* reserved for use in cond_avtab */
	u16 specified;	/* what field is specified: a mask of the AVTAB_* bits above */
};
     49
/*
 * For operations that require more than the 32 permissions provided by the avc,
 * extended permissions may be used to provide 256 bits of permissions.
 */
/*
 * Out-of-line 256-bit permission set, referenced from avtab_datum.u.xperms.
 * The on-disk/reading side that fills it is outside this header.
 */
struct avtab_extended_perms {
/* These are not flags. All 256 values may be used */
#define AVTAB_XPERMS_IOCTLFUNCTION	0x01
#define AVTAB_XPERMS_IOCTLDRIVER	0x02
	/* extension of the avtab_key specified */
	u8 specified; /* ioctl, netfilter, ... — a single AVTAB_XPERMS_* value, not a bit mask */
	/*
	 * if 256 bits is not adequate as is often the case with ioctls, then
	 * multiple extended perms may be used and the driver field
	 * specifies which permissions are included.
	 */
	u8 driver;
	/* 256 bits of permissions; struct extended_perms_data is declared outside this header */
	struct extended_perms_data perms;
};
     69
/*
 * Payload of one avtab entry.  Only one union member is meaningful per
 * entry; presumably the AVTAB_* bits in the matching avtab_key.specified
 * (AVTAB_AV / AVTAB_TYPE vs. AVTAB_XPERMS) decide which one — readers
 * must check the key before dereferencing @xperms.
 */
struct avtab_datum {
	union {
		u32 data; /* access vector or type value */
		struct avtab_extended_perms *xperms; /* extended permissions, owned by the table (confirm in avtab_destroy()) */
	} u;
};
     76
/*
 * One hash-table entry: key, datum and the link to the next node in the
 * same bucket chain.
 */
struct avtab_node {
	struct avtab_key key;
	struct avtab_datum datum;
	struct avtab_node *next;	/* next node in this bucket, NULL at the end of the chain (presumably) */
};
     82
/*
 * The table itself: an array of bucket heads, each the start of a chain
 * of struct avtab_node linked through ->next.
 */
struct avtab {
	struct avtab_node **htable;	/* bucket heads; @nslot entries */
	u32 nel;	/* number of elements */
	u32 nslot;      /* number of hash slots */
	u32 mask;       /* mask to compute hash func (presumably nslot - 1; confirm in avtab_alloc()) */
};
     89
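/*
 * Lifecycle and lookup entry points.  The definitions live outside this
 * header; the descriptions below follow the prototypes and should be
 * confirmed against the implementation.
 */
/* Put @h into a valid, empty state before any other call. */
void avtab_init(struct avtab *h);
/* Allocate the hash slots for a table expected to hold about @nrules entries; int result, presumably 0 on success. */
int avtab_alloc(struct avtab *h, u32 nrules);
/* Allocate @new sized like @orig. */
int avtab_alloc_dup(struct avtab *new, const struct avtab *orig);
/* Find the datum stored under @k; presumably NULL when no entry matches. */
struct avtab_datum *avtab_search(struct avtab *h, const struct avtab_key *k);
/* Release everything @h owns. */
void avtab_destroy(struct avtab *h);
/*
 * Report hash-chain statistics for @h under the label @tag.
 * NOTE(review): @tag is not const-qualified; widening it to const char *
 * would also require changing the definition.
 */
void avtab_hash_eval(struct avtab *h, char *tag);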
     96
struct policydb;
/*
 * Read one entry from the policy image @fp into the form of an
 * (avtab_key, avtab_datum) pair and hand it to @insert together with the
 * caller-supplied context @p.  Because the entry comes from the loaded
 * policy file, every field (types, class, specified bits, xperms) has to
 * be validated in the definition before @insert sees it — confirm there.
 * @fp is an opaque handle; @pol presumably supplies the bounds to check
 * against.
 */
int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
		    int (*insert)(struct avtab *a, const struct avtab_key *k,
				  const struct avtab_datum *d, void *p),
		    void *p);
    102
/* Read a whole table from the policy image @fp into @a (presumably built on avtab_read_item()). */
int avtab_read(struct avtab *a, void *fp, struct policydb *pol);
/* Write the single node @cur to @fp. */
int avtab_write_item(struct policydb *p, const struct avtab_node *cur, void *fp);
/* Write every node of @a to @fp. */
int avtab_write(struct policydb *p, struct avtab *a, void *fp);
    106
/*
 * Insert a new node for @key/@datum and return it.  The name suggests an
 * existing node with the same key is not an error (duplicates are kept);
 * confirm in the definition.  Presumably returns NULL on allocation failure.
 */
struct avtab_node *avtab_insert_nonunique(struct avtab *h,
					  const struct avtab_key *key,
					  const struct avtab_datum *datum);
    110
/* Find the first node whose key matches @key, or NULL (presumably). */
struct avtab_node *avtab_search_node(struct avtab *h,
				     const struct avtab_key *key);

/*
 * Continue from @node along its bucket chain to the next node with the
 * same key whose key.specified matches @specified — the way to walk
 * duplicates left by avtab_insert_nonunique(); confirm in the definition.
 */
struct avtab_node *avtab_search_node_next(struct avtab_node *node, int specified);
    115
/* Upper bound on the slot count: 1 << 16 = 65536 buckets (used presumably by avtab_alloc() to cap avtab.nslot). */
#define MAX_AVTAB_HASH_BITS 16
#define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS)
    118
    119#endif	/* _SS_AVTAB_H_ */
    120