Diffstat (limited to 'security/selinux/include')
-rw-r--r--security/selinux/include/av_perm_to_string.h5
-rw-r--r--security/selinux/include/av_permissions.h5
-rw-r--r--security/selinux/include/netlabel.h16
-rw-r--r--security/selinux/include/netport.h31
-rw-r--r--security/selinux/include/objsec.h15
-rw-r--r--security/selinux/include/security.h15
6 files changed, 59 insertions, 28 deletions
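--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -14,12 +14,17 @@
    S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
    S_(SECCLASS_DIR, DIR__SEARCH, "search")
    S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
+   S_(SECCLASS_DIR, DIR__OPEN, "open")
    S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
    S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
    S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
+   S_(SECCLASS_FILE, FILE__OPEN, "open")
    S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans")
    S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint")
    S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
+   S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
+   S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
+   S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
    S_(SECCLASS_FD, FD__USE, "use")
    S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
    S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")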
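--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -79,6 +79,7 @@
 #define DIR__REPARENT 0x00080000UL
 #define DIR__SEARCH 0x00100000UL
 #define DIR__RMDIR 0x00200000UL
+#define DIR__OPEN 0x00400000UL
 #define FILE__IOCTL 0x00000001UL
 #define FILE__READ 0x00000002UL
 #define FILE__WRITE 0x00000004UL
@@ -99,6 +100,7 @@
 #define FILE__EXECUTE_NO_TRANS 0x00020000UL
 #define FILE__ENTRYPOINT 0x00040000UL
 #define FILE__EXECMOD 0x00080000UL
+#define FILE__OPEN 0x00100000UL
 #define LNK_FILE__IOCTL 0x00000001UL
 #define LNK_FILE__READ 0x00000002UL
 #define LNK_FILE__WRITE 0x00000004UL
@@ -136,6 +138,7 @@
 #define CHR_FILE__EXECUTE_NO_TRANS 0x00020000UL
 #define CHR_FILE__ENTRYPOINT 0x00040000UL
 #define CHR_FILE__EXECMOD 0x00080000UL
+#define CHR_FILE__OPEN 0x00100000UL
 #define BLK_FILE__IOCTL 0x00000001UL
 #define BLK_FILE__READ 0x00000002UL
 #define BLK_FILE__WRITE 0x00000004UL
@@ -153,6 +156,7 @@
 #define BLK_FILE__SWAPON 0x00004000UL
 #define BLK_FILE__QUOTAON 0x00008000UL
 #define BLK_FILE__MOUNTON 0x00010000UL
+#define BLK_FILE__OPEN 0x00020000UL
 #define SOCK_FILE__IOCTL 0x00000001UL
 #define SOCK_FILE__READ 0x00000002UL
 #define SOCK_FILE__WRITE 0x00000004UL
@@ -187,6 +191,7 @@
 #define FIFO_FILE__SWAPON 0x00004000UL
 #define FIFO_FILE__QUOTAON 0x00008000UL
 #define FIFO_FILE__MOUNTON 0x00010000UL
+#define FIFO_FILE__OPEN 0x00020000UL
 #define FD__USE 0x00000001UL
 #define SOCKET__IOCTL 0x00000001UL
 #define SOCKET__READ 0x00000002UL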
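--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -41,10 +41,6 @@ void selinux_netlbl_cache_invalidate(void);
 
 void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
 				      int family);
-void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
-				     int family);
-void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
-				      struct sk_security_struct *newssec);
 
 int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
 				 u16 family,
@@ -73,18 +69,6 @@ static inline void selinux_netlbl_sk_security_reset(
 {
 	return;
 }
-static inline void selinux_netlbl_sk_security_init(
-					       struct sk_security_struct *ssec,
-					       int family)
-{
-	return;
-}
-static inline void selinux_netlbl_sk_security_clone(
-					       struct sk_security_struct *ssec,
-					       struct sk_security_struct *newssec)
-{
-	return;
-}
 
 static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
 					       u16 family,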
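--- /dev/null
+++ b/security/selinux/include/netport.h
@@ -0,0 +1,31 @@
+/*
+ * Network port table
+ *
+ * SELinux must keep a mapping of network ports to labels/SIDs. This
+ * mapping is maintained as part of the normal policy but a fast cache is
+ * needed to reduce the lookup overhead.
+ *
+ * Author: Paul Moore <paul.moore@hp.com>
+ *
+ */
+
+/*
+ * (c) Copyright Hewlett-Packard Development Company, L.P., 2008
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ */
+
+#ifndef _SELINUX_NETPORT_H
+#define _SELINUX_NETPORT_H
+
+int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid);
+
+#endif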
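Review bot: The new header uses `u8`, `u16` and `u32` in the `sel_netport_sid` prototype without including `<linux/types.h>`, so it only compiles when the includer already has those typedefs in scope; adding `#include <linux/types.h>` directly after the include guard makes the header self-contained. The prototype also carries no statement of its contract: whether `pnum` is expected in host or network byte order, and what the `int` result and `*sid` hold on failure, are not written anywhere in this file. A short comment above the declaration, spelling out the byte order of `pnum` and the exact return values as implemented, would let callers use the lookup correctly without reading the implementation.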
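--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -28,14 +28,12 @@
 #include "avc.h"
 
 struct task_security_struct {
-	struct task_struct *task;	/* back pointer to task object */
 	u32 osid;	/* SID prior to last execve */
 	u32 sid;	/* current SID */
 	u32 exec_sid;	/* exec SID */
 	u32 create_sid;	/* fscreate SID */
 	u32 keycreate_sid;	/* keycreate SID */
 	u32 sockcreate_sid;	/* fscreate SID */
-	u32 ptrace_sid;	/* SID of ptrace parent */
 };
 
 struct inode_security_struct {
@@ -50,7 +48,6 @@ struct inode_security_struct {
 };
 
 struct file_security_struct {
-	struct file *file;	/* back pointer to file object */
 	u32 sid;	/* SID of open file description */
 	u32 fown_sid;	/* SID of file owner (for SIGIO) */
 	u32 isid;	/* SID of inode at the time of file open */
@@ -73,18 +70,15 @@ struct superblock_security_struct {
 };
 
 struct msg_security_struct {
-	struct msg_msg *msg;	/* back pointer */
 	u32 sid;	/* SID of message */
 };
 
 struct ipc_security_struct {
-	struct kern_ipc_perm *ipc_perm;	/* back pointer */
 	u16 sclass;	/* security class of this object */
 	u32 sid;	/* SID of IPC resource */
 };
 
 struct bprm_security_struct {
-	struct linux_binprm *bprm;	/* back pointer to bprm object */
 	u32 sid;	/* SID for transformed process */
 	unsigned char set;
 
@@ -109,8 +103,13 @@ struct netnode_security_struct {
 	u16 family;	/* address family */
 };
 
+struct netport_security_struct {
+	u32 sid;	/* SID for this node */
+	u16 port;	/* port number */
+	u8 protocol;	/* transport protocol */
+};
+
 struct sk_security_struct {
-	struct sock *sk;	/* back pointer to sk object */
 	u32 sid;	/* SID of this object */
 	u32 peer_sid;	/* SID of peer */
 	u16 sclass;	/* sock security class */
@@ -120,12 +119,10 @@ struct sk_security_struct {
 		NLBL_REQUIRE,
 		NLBL_LABELED,
 	} nlbl_state;
-	spinlock_t nlbl_lock;	/* protects nlbl_state */
 #endif
 };
 
 struct key_security_struct {
-	struct key *obj;	/* back pointer */
 	u32 sid;	/* SID of key */
 };
 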
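Review bot: The comment on `sid` in the new `netport_security_struct` reads `/* SID for this node */` although the struct describes a port (its other fields are `port` and `protocol`), apparently carried over from `netnode_security_struct` directly above; it should read `u32 sid; /* SID for this port */`. Separately, dropping `nlbl_lock` from `sk_security_struct` removes the only stated protection rule for `nlbl_state`, and this header no longer says what serializes updates to it. If another lock now covers the field, a comment on `nlbl_state` naming that lock would preserve the invariant for readers of this header; I cannot confirm the new locking scheme from the header alone.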
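--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -26,13 +26,14 @@
 #define POLICYDB_VERSION_AVTAB 20
 #define POLICYDB_VERSION_RANGETRANS 21
 #define POLICYDB_VERSION_POLCAP 22
+#define POLICYDB_VERSION_PERMISSIVE 23
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
 #define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 #else
-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_POLCAP
+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_PERMISSIVE
 #endif
 
 #define CONTEXT_MNT 0x01
@@ -40,6 +41,11 @@
 #define ROOTCONTEXT_MNT 0x04
 #define DEFCONTEXT_MNT 0x08
 
+#define CONTEXT_STR "context="
+#define FSCONTEXT_STR "fscontext="
+#define ROOTCONTEXT_STR "rootcontext="
+#define DEFCONTEXT_STR "defcontext="
+
 struct netlbl_lsm_secattr;
 
 extern int selinux_enabled;
@@ -48,11 +54,13 @@ extern int selinux_mls_enabled;
 /* Policy capabilities */
 enum {
 	POLICYDB_CAPABILITY_NETPEER,
+	POLICYDB_CAPABILITY_OPENPERM,
 	__POLICYDB_CAPABILITY_MAX
 };
 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
 
 extern int selinux_policycap_netpeer;
+extern int selinux_policycap_openperm;
 
 int security_load_policy(void * data, size_t len);
 
@@ -67,6 +75,8 @@ struct av_decision {
 	u32 seqno;
 };
 
+int security_permissive_sid(u32 sid);
+
 int security_compute_av(u32 ssid, u32 tsid,
 			u16 tclass, u32 requested,
 			struct av_decision *avd);
@@ -92,8 +102,7 @@ int security_context_to_sid_default(char *scontext, u32 scontext_len,
 int security_get_user_sids(u32 callsid, char *username,
 			   u32 **sids, u32 *nel);
 
-int security_port_sid(u16 domain, u16 type, u8 protocol, u16 port,
-		      u32 *out_sid);
+int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
 
 int security_netif_sid(char *name, u32 *if_sid);
 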
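Review bot: `security_permissive_sid(u32 sid)` is declared with no comment on its return convention, and because the result presumably decides whether a denial is enforced or merely audited, a caller cannot tell from this header whether any nonzero value means "permissive" or whether negative values signal an error. A one-line comment above the declaration stating the exact values returned, matching the implementation, would remove that ambiguity for every call site. In the same spirit, the new `*_STR` macros mirror the `*_MNT` flags in the hunk above but nothing ties the two groups together; a comment such as `/* mount option keys; keep paired with the *_MNT flags above */` would help keep them in sync when a new option is added.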