^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) /* SPDX-License-Identifier: GPL-2.0-only */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * A policy database (policydb) specifies the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) * configuration data for the security policy.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) * Author : Stephen Smalley, <sds@tycho.nsa.gov>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) * Support for enhanced MLS infrastructure.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) * Added conditional policy language extensions
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) * Copyright (C) 2003 - 2004 Tresys Technology, LLC
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) #ifndef _SS_POLICYDB_H_
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) #define _SS_POLICYDB_H_
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) #include "symtab.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) #include "avtab.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) #include "sidtab.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) #include "ebitmap.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) #include "mls_types.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) #include "context.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) #include "constraint.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) * A datum type is defined for each kind of symbol
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) * in the configuration data: individual permissions,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) * common prefixes for access vectors, classes,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) * users, roles, types, sensitivities, categories, etc.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39)
/*
 * Permission attributes.
 *
 * The value is stored 1-based (bit index + 1); subtract 1 before using
 * it as a bit position.
 */
struct perm_datum {
	u32 value; /* permission bit + 1 */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44)
/*
 * Attributes of a common prefix for access vectors: a permission set
 * that a class refers to through class_datum.comkey / comdatum.
 */
struct common_datum {
	u32 value; /* internal common value */
	struct symtab permissions; /* common permissions */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50)
/*
 * Class attributes.
 *
 * value is 1-based: policydb.class_val_to_struct[] is indexed by
 * (value - 1).
 *
 * The DEFAULT_* macros below are written inside the struct body for
 * proximity to the fields they describe, but like any #define they are
 * visible to everything that includes this header.
 */
struct class_datum {
	u32 value; /* class value */
	char *comkey; /* common name */
	struct common_datum *comdatum; /* common datum */
	struct symtab permissions; /* class-specific permission symbol table */
	struct constraint_node *constraints; /* constraints on class permissions */
	struct constraint_node *validatetrans; /* special transition rules */
	/*
	 * Options for how the user, role, and type of a new object are
	 * decided; these are the values for the three default_* fields below.
	 * NOTE(review): 0 presumably means "no default specified" - confirm.
	 */
#define DEFAULT_SOURCE 1
#define DEFAULT_TARGET 2
	char default_user;
	char default_role;
	char default_type;
	/*
	 * Options for how the range of a new object is decided; these are
	 * the values for default_range.
	 */
#define DEFAULT_SOURCE_LOW 1
#define DEFAULT_SOURCE_HIGH 2
#define DEFAULT_SOURCE_LOW_HIGH 3
#define DEFAULT_TARGET_LOW 4
#define DEFAULT_TARGET_HIGH 5
#define DEFAULT_TARGET_LOW_HIGH 6
#define DEFAULT_GLBLUB 7
	char default_range;
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75)
/*
 * Role attributes.
 *
 * value is 1-based: policydb.role_val_to_struct[] is indexed by
 * (value - 1).
 */
struct role_datum {
	u32 value; /* internal role value */
	u32 bounds; /* boundary of role */
	struct ebitmap dominates; /* set of roles dominated by this role */
	struct ebitmap types; /* set of authorized types for role */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83)
/*
 * Lookup key for a role transition; this is the key type taken by
 * policydb_roletr_search().
 */
struct role_trans_key {
	u32 role; /* current role */
	u32 type; /* program executable type, or new object type */
	u32 tclass; /* process class, or new object class */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89)
/*
 * Result of a role transition lookup; this is the type returned by
 * policydb_roletr_search().
 */
struct role_trans_datum {
	u32 new_role; /* new role */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93)
/*
 * Lookup key for a filename transition; this is the key type taken by
 * policydb_filenametr_search().
 *
 * Note that tclass is u16 here while role_trans_key.tclass is u32.
 * NOTE(review): who owns the storage behind name is not visible in
 * this header - confirm before freeing or retaining it.
 */
struct filename_trans_key {
	u32 ttype; /* parent dir context */
	u16 tclass; /* class of new object */
	const char *name; /* last path component */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99)
/*
 * Result of a filename transition lookup: a singly linked chain with
 * one record per resulting type (otype), each carrying the set of
 * source types that map to it.
 */
struct filename_trans_datum {
	struct ebitmap stypes; /* bitmap of source types for this otype */
	u32 otype; /* resulting type of new object */
	struct filename_trans_datum *next; /* record for next otype */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105)
/*
 * One "role allow" rule. Rules form a singly linked list whose head is
 * policydb.role_allow.
 */
struct role_allow {
	u32 role; /* current role */
	u32 new_role; /* new role */
	struct role_allow *next; /* next rule in the list */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111)
/*
 * Type attributes.
 *
 * NOTE(review): policydb.type_val_to_struct[] is presumably indexed by
 * (value - 1) like the other *_val_to_struct arrays - confirm.
 */
struct type_datum {
	u32 value; /* internal type value */
	u32 bounds; /* boundary of type */
	unsigned char primary; /* primary name? */
	unsigned char attribute; /* attribute? */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119)
/*
 * User attributes.
 *
 * value is 1-based: policydb.user_val_to_struct[] is indexed by
 * (value - 1).
 */
struct user_datum {
	u32 value; /* internal user value */
	u32 bounds; /* bounds of user */
	struct ebitmap roles; /* set of authorized roles for user */
	struct mls_range range; /* MLS range (min - max) for user */
	struct mls_level dfltlevel; /* default login MLS level for user */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129)
/*
 * Sensitivity attributes.
 *
 * NOTE(review): level is a pointer; whether an alias entry shares the
 * mls_level of the sensitivity it aliases is not visible here - confirm
 * before freeing it.
 */
struct level_datum {
	struct mls_level *level; /* sensitivity and associated categories */
	unsigned char isalias; /* is this sensitivity an alias for another? */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135)
/*
 * Category attributes.
 *
 * The value is stored 1-based (bit index + 1); subtract 1 before using
 * it as a bit position.
 */
struct cat_datum {
	u32 value; /* internal category bit + 1 */
	unsigned char isalias; /* is this category an alias for another? */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141)
/*
 * Lookup key for a range transition; this is the key type taken by
 * policydb_rangetr_search(). The comment on policydb.range_tr refers to
 * it as "range_trans_key".
 */
struct range_trans {
	u32 source_type;
	u32 target_type;
	u32 target_class;
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147)
/*
 * Boolean data type.
 *
 * value is 1-based: policydb.bool_val_to_struct[] is indexed by
 * (value - 1).
 */
struct cond_bool_datum {
	/* NOTE(review): __u32 here, plain u32 everywhere else in this header */
	__u32 value; /* internal type value */
	int state;
};

/* Forward declaration: this header only uses pointers to cond_node. */
struct cond_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155)
/*
 * A type set preserves the data needed to determine constraint info
 * from policy source. It is not used by the kernel policy, but allows
 * utilities such as audit2allow to determine constraint denials.
 */
struct type_set {
	struct ebitmap types;
	/* NOTE(review): presumably the types excluded from the set - confirm */
	struct ebitmap negset;
	/* NOTE(review): flag values are not defined in this header */
	u32 flags;
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166)
/*
 * The configuration data includes security contexts for
 * initial SIDs, unlabeled file systems, TCP and UDP port numbers,
 * network interfaces, and nodes. This structure stores the
 * relevant data for one such entry. Entries of the same kind
 * (e.g. all initial SIDs) are linked together into a list.
 *
 * The struct carries no tag saying which member of u (or v) is active.
 * NOTE(review): presumably the kind is implied by the list the entry is
 * on (policydb.ocontexts[OCON_*] or a genfs list) - code that walks an
 * entry must take the kind from there and never guess it from contents.
 */
struct ocontext {
	union {
		char *name; /* name of initial SID, fs, netif, fstype, path */
		struct {
			u8 protocol;
			u16 low_port;
			u16 high_port;
		} port; /* TCP or UDP port information */
		struct {
			u32 addr;
			u32 mask;
		} node; /* node information */
		struct {
			u32 addr[4];
			u32 mask[4];
		} node6; /* IPv6 node information */
		struct {
			u64 subnet_prefix;
			u16 low_pkey;
			u16 high_pkey;
		} ibpkey; /* Infiniband PKey range information */
		struct {
			char *dev_name;
			u8 port;
		} ibendport; /* Infiniband end port information */
	} u;
	union {
		u32 sclass; /* security class for genfs */
		u32 behavior; /* labeling behavior for fs_use */
	} v;
	struct context context[2]; /* security context(s) */
	u32 sid[2]; /* SID(s) */
	struct ocontext *next; /* next entry of the same kind */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 208)
/*
 * One node of the policydb.genfs list: a filesystem type together with
 * the list of object contexts that belong to it.
 */
struct genfs {
	char *fstype; /* filesystem type name */
	struct ocontext *head; /* first object context for this fstype */
	struct genfs *next; /* next filesystem type */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 214)
/*
 * Symbol table array indices: positions in policydb.symtab[] and
 * policydb.sym_val_to_name[]. SYM_NUM is the number of tables and sizes
 * both arrays, so it must stay one past the highest index.
 */
#define SYM_COMMONS 0
#define SYM_CLASSES 1
#define SYM_ROLES 2
#define SYM_TYPES 3
#define SYM_USERS 4
#define SYM_BOOLS 5
#define SYM_LEVELS 6
#define SYM_CATS 7
#define SYM_NUM 8

/*
 * Object context array indices: positions in policydb.ocontexts[].
 * OCON_NUM is the number of lists and sizes that array, so it must stay
 * one past the highest index.
 */
#define OCON_ISID 0 /* initial SIDs */
#define OCON_FS 1 /* unlabeled file systems */
#define OCON_PORT 2 /* TCP and UDP port numbers */
#define OCON_NETIF 3 /* network interfaces */
#define OCON_NODE 4 /* nodes */
#define OCON_FSUSE 5 /* fs_use */
#define OCON_NODE6 6 /* IPv6 nodes */
#define OCON_IBPKEY 7 /* Infiniband PKeys */
#define OCON_IBENDPORT 8 /* Infiniband end ports */
#define OCON_NUM 9
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 237)
/*
 * The policy database.
 *
 * The struct is marked __randomize_layout, so the declaration order
 * below is not guaranteed to be the in-memory order; never rely on
 * member offsets or positional initializers.
 */
struct policydb {
	int mls_enabled;
	/* NOTE(review): presumably set from the POLICYDB_CONFIG_ANDROID_* flags - confirm */
	int android_netlink_route;
	int android_netlink_getneigh;

	/* symbol tables, indexed by the SYM_* constants */
	struct symtab symtab[SYM_NUM];
	/*
	 * Shorthand member names (p->p_types and so on). These are ordinary
	 * file-scope macros even though they are written inside the struct.
	 */
#define p_commons symtab[SYM_COMMONS]
#define p_classes symtab[SYM_CLASSES]
#define p_roles symtab[SYM_ROLES]
#define p_types symtab[SYM_TYPES]
#define p_users symtab[SYM_USERS]
#define p_bools symtab[SYM_BOOLS]
#define p_levels symtab[SYM_LEVELS]
#define p_cats symtab[SYM_CATS]

	/* symbol names indexed by (value - 1) */
	char **sym_val_to_name[SYM_NUM];

	/* class, role, user, and type attributes indexed by (value - 1) */
	struct class_datum **class_val_to_struct;
	struct role_datum **role_val_to_struct;
	struct user_datum **user_val_to_struct;
	struct type_datum **type_val_to_struct;

	/* type enforcement access vectors and transitions */
	struct avtab te_avtab;

	/* role transitions */
	struct hashtab role_tr;

	/* file transitions with the last path component */
	/* quickly exclude lookups when parent ttype has no rules */
	struct ebitmap filename_trans_ttypes;
	/* actual set of filename_trans rules */
	struct hashtab filename_trans;
	/* only used if policyvers < POLICYDB_VERSION_COMP_FTRANS */
	u32 compat_filename_trans_count;

	/* bools indexed by (value - 1) */
	struct cond_bool_datum **bool_val_to_struct;
	/* type enforcement conditional access vectors and transitions */
	struct avtab te_cond_avtab;
	/* array indexing te_cond_avtab by conditional */
	struct cond_node *cond_list;
	u32 cond_list_len; /* number of entries in cond_list */

	/* role allows (head of a singly linked list) */
	struct role_allow *role_allow;

	/*
	 * security contexts of initial SIDs, unlabeled file systems,
	 * TCP or UDP port numbers, network interfaces and nodes;
	 * one list head per OCON_* index
	 */
	struct ocontext *ocontexts[OCON_NUM];

	/*
	 * security contexts for files in filesystems that cannot support
	 * a persistent label mapping or use another
	 * fixed labeling behavior.
	 */
	struct genfs *genfs;

	/* range transitions table (range_trans_key -> mls_range) */
	struct hashtab range_tr;

	/* type -> attribute reverse mapping */
	struct ebitmap *type_attr_map_array;

	/* NOTE(review): presumably the policy capabilities declared by the policy - confirm */
	struct ebitmap policycaps;

	/* NOTE(review): presumably the set of types marked permissive - confirm */
	struct ebitmap permissive_map;

	/* length of this policy when it was loaded */
	size_t len;

	unsigned int policyvers;

	/* NOTE(review): presumably mirror the REJECT_UNKNOWN / ALLOW_UNKNOWN config flags - confirm */
	unsigned int reject_unknown : 1;
	unsigned int allow_unknown : 1;

	u16 process_class;
	u32 process_trans_perms;
} __randomize_layout;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 319)
/*
 * Policy database entry points, implemented outside this header.
 * NOTE(review): the return convention of the int-returning functions
 * (0 / negative errno, or boolean for the *_isvalid() checks) is not
 * visible here - confirm against the implementation before testing a
 * result with "!" or "< 0".
 */
extern void policydb_destroy(struct policydb *p);
extern int policydb_load_isids(struct policydb *p, struct sidtab *s);
extern int policydb_context_isvalid(struct policydb *p, struct context *c);
extern int policydb_class_isvalid(struct policydb *p, unsigned int class);
extern int policydb_type_isvalid(struct policydb *p, unsigned int type);
extern int policydb_role_isvalid(struct policydb *p, unsigned int role);
/*
 * NOTE(review): fp is an untyped pointer, so the compiler cannot check
 * what callers pass; presumably it is a struct policy_file * as used by
 * next_entry()/put_entry() - confirm.
 */
extern int policydb_read(struct policydb *p, void *fp);
extern int policydb_write(struct policydb *p, void *fp);

/* Look up a filename transition by key. */
extern struct filename_trans_datum *policydb_filenametr_search(
	struct policydb *p, struct filename_trans_key *key);

/* Look up a range transition by key. */
extern struct mls_range *policydb_rangetr_search(
	struct policydb *p, struct range_trans *key);

/* Look up a role transition by key. */
extern struct role_trans_datum *policydb_roletr_search(
	struct policydb *p, struct role_trans_key *key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 337)
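/*
 * Policy configuration flag bits.
 * NOTE(review): presumably tested against the config word of a loaded
 * policy - confirm in the loader.
 *
 * The two Android flags use unsigned constants: (1 << 31) shifts a
 * signed 1 into the sign bit of int, which is undefined behaviour in C.
 * The bit patterns are unchanged.
 */
#define POLICYDB_CONFIG_MLS 1
#define POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE (1U << 31)
#define POLICYDB_CONFIG_ANDROID_NETLINK_GETNEIGH (1U << 30)

/*
 * The config flags related to unknown classes/perms are bits 2 and 3,
 * counting the least significant bit as bit 1.
 */
#define REJECT_UNKNOWN 0x00000002
#define ALLOW_UNKNOWN 0x00000004

/* Name and value of the object_r role. */
#define OBJECT_R "object_r"
#define OBJECT_R_VAL 1

/*
 * NOTE(review): presumably the magic number and identification string
 * expected at the start of a policy image - confirm in the loader.
 * SELINUX_MAGIC is defined outside this header.
 */
#define POLICYDB_MAGIC SELINUX_MAGIC
#define POLICYDB_STRING "SE Linux"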
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 351)
/*
 * Cursor over an in-memory policy buffer, consumed by next_entry() and
 * filled by put_entry(). Both helpers advance data and shrink len, so
 * len is the number of bytes remaining from data, not the total size.
 */
struct policy_file {
	char *data; /* current position in the buffer */
	size_t len; /* bytes remaining from data */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 356)
/*
 * Pairs a policy database with a buffer cursor.
 * NOTE(review): fp is untyped; presumably a struct policy_file * -
 * confirm against the users of this struct.
 */
struct policy_data {
	struct policydb *p;
	void *fp;
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 361)
/**
 * next_entry - copy the next @bytes bytes out of a policy buffer
 * @buf: destination; the caller must provide room for @bytes bytes
 * @fp: read cursor; data is advanced and len reduced on success
 * @bytes: number of bytes to consume
 *
 * The length check bounds the read from @fp only. The capacity of @buf
 * is not known here, so a @bytes value taken from the policy data itself
 * must be checked against the destination size by the caller first.
 *
 * Return: 0 on success, -EINVAL if fewer than @bytes bytes remain, in
 * which case @fp is left untouched.
 */
static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes)
{
	const char *src = fp->data;

	if (fp->len < bytes)
		return -EINVAL;

	memcpy(buf, src, bytes);
	fp->len -= bytes;
	fp->data += bytes;
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 372)
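/**
 * put_entry - append @num items of @bytes bytes each to a policy buffer
 * @buf: source data, at least @bytes * @num bytes long
 * @bytes: size of one item
 * @num: number of items
 * @fp: write cursor; data is advanced and len reduced on success
 *
 * @fp->len is treated as the space remaining in the output buffer, the
 * same way next_entry() treats it as the data remaining to read. The
 * write is refused when it would not fit, so a wrong size estimate by
 * the caller produces an error rather than a write past the buffer and
 * a wrapped-around @fp->len.
 *
 * Return: 0 on success; -EINVAL when @num is negative, when
 * @bytes * @num would overflow, or when the total exceeds the space left
 * in @fp. Nothing is written and @fp is unchanged in those cases.
 */
static inline int put_entry(const void *buf, size_t bytes, int num, struct policy_file *fp)
{
	size_t len;

	/* A negative count would turn into a huge size_t in the multiply. */
	if (num < 0)
		return -EINVAL;

	/*
	 * Compare by division: this rejects both an overflowing
	 * bytes * num and a total larger than the remaining space.
	 */
	if (bytes != 0 && (size_t)num > fp->len / bytes)
		return -EINVAL;

	len = bytes * (size_t)num;

	memcpy(fp->data, buf, len);
	fp->data += len;
	fp->len -= len;

	return 0;
}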
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 383)
/**
 * sym_name - look up the name of a policy symbol
 * @p: policy database
 * @sym_num: which name table to use (a SYM_* index, below SYM_NUM)
 * @element_nr: position in that table; the tables are indexed by
 *              (value - 1), not by the symbol value itself
 *
 * Neither index is range-checked here, so callers must only pass
 * indices that have already been validated against the loaded policy.
 *
 * Return: the stored name pointer for that symbol.
 */
static inline char *sym_name(struct policydb *p, unsigned int sym_num, unsigned int element_nr)
{
	char **names = p->sym_val_to_name[sym_num];

	return names[element_nr];
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 388)
/*
 * Name-to-value lookups, implemented outside this header.
 * NOTE(review): the value returned for an unknown name is not visible
 * here; presumably 0, since class and permission values in this header
 * are 1-based - confirm before using the result as an index or mask.
 */
extern u16 string_to_security_class(struct policydb *p, const char *name);
extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 391)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 392) #endif /* _SS_POLICYDB_H_ */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 393)