Domů Procházet Nápověda
Přihlásit se
zhangyang
/
lewaimai_pos_windows
Sledovat 1
Oblíbit 0
Rozštěpit 0
Soubory Úkoly 0 Pull Requesty 0 Wiki
Strom: 1.0.2.2
Větve Značky
lewaimai_pos...
/
include
/
linux
/
sepol
/
policydb
/
services.h

services.h 6.2 KB
Trvalý odkaz Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185 
  1. 

  2. /* -*- linux-c -*- */
    3. 

  3. 

  4. /*
    5. 

  5.  * Author : Stephen Smalley, <sds@epoch.ncsc.mil> 
    6. 

  6.  */
    7. 

  7. 

  8. #ifndef _SEPOL_POLICYDB_SERVICES_H_
    9. 

  9. #define _SEPOL_POLICYDB_SERVICES_H_
    10. 

  10. 

  11. /*
    12. 

  12.  * Security server interface.
    13. 

  13.  */
    14. 

  14. 

  15. #include <sepol/policydb/flask_types.h>
    16. 

  16. #include <sepol/policydb/policydb.h>
    17. 

  17. #include <stddef.h>
    18. 

  18. 

  19. /* Set the policydb and sidtab structures to be used by
    20. 

  20.    the service functions.  If not set, then these default
    21. 

  21.    to private structures within libsepol that can only be
    22. 

  22.    initialized and accessed via the service functions themselves.
    23. 

  23.    Setting the structures explicitly allows a program to directly
    24. 

  24.    manipulate them, e.g. checkpolicy populates the structures directly
    25. 

  25.    from a source policy rather than from a binary policy. */
    26. 

  26. extern int sepol_set_policydb(policydb_t * p);
    27. 

  27. extern int sepol_set_sidtab(sidtab_t * s);
    28. 

  28. 

  29. /* Modify a policydb for boolean settings. */
    30. 

  30. int sepol_genbools_policydb(policydb_t * policydb, const char *booleans);
    31. 

  31. 

  32. /* Modify a policydb for user settings. */
    33. 

  33. int sepol_genusers_policydb(policydb_t * policydb, const char *usersdir);
    34. 

  34. 

  35. /* Load the security policy. This initializes the policydb
    36. 

  36.    and sidtab based on the provided binary policy. */
    37. 

  37. extern int sepol_load_policy(void *data, size_t len);
    38. 

  38. 

  39. /*
    40. 

  40.  * Compute access vectors based on a SID pair for
    41. 

  41.  * the permissions in a particular class.
    42. 

  42.  */
    43. 

  43. extern int sepol_compute_av(sepol_security_id_t ssid,	/* IN */
    44. 

  44. 			    sepol_security_id_t tsid,	/* IN */
    45. 

  45. 			    sepol_security_class_t tclass,	/* IN */
    46. 

  46. 			    sepol_access_vector_t requested,	/* IN */
    47. 

  47. 			    struct sepol_av_decision *avd);	/* OUT */
    48. 

  48. 

  49. /* Same as above, but also return the reason(s) for any
    50. 

  50.    denials of the requested permissions. */
    51. 

  51. #define SEPOL_COMPUTEAV_TE   1
    52. 

  52. #define SEPOL_COMPUTEAV_CONS 2
    53. 

  53. #define SEPOL_COMPUTEAV_RBAC 4
    54. 

  54. extern int sepol_compute_av_reason(sepol_security_id_t ssid,
    55. 

  55. 				   sepol_security_id_t tsid,
    56. 

  56. 				   sepol_security_class_t tclass,
    57. 

  57. 				   sepol_access_vector_t requested,
    58. 

  58. 				   struct sepol_av_decision *avd,
    59. 

  59. 				   unsigned int *reason);
    60. 

  60. 

  61. /*
    62. 

  62.  * Compute a SID to use for labeling a new object in the 
    63. 

  63.  * class `tclass' based on a SID pair.  
    64. 

  64.  */
    65. 

  65. extern int sepol_transition_sid(sepol_security_id_t ssid,	/* IN */
    66. 

  66. 				sepol_security_id_t tsid,	/* IN */
    67. 

  67. 				sepol_security_class_t tclass,	/* IN */
    68. 

  68. 				sepol_security_id_t * out_sid);	/* OUT */
    69. 

  69. 

  70. /*
    71. 

  71.  * Compute a SID to use when selecting a member of a 
    72. 

  72.  * polyinstantiated object of class `tclass' based on 
    73. 

  73.  * a SID pair.
    74. 

  74.  */
    75. 

  75. extern int sepol_member_sid(sepol_security_id_t ssid,	/* IN */
    76. 

  76. 			    sepol_security_id_t tsid,	/* IN */
    77. 

  77. 			    sepol_security_class_t tclass,	/* IN */
    78. 

  78. 			    sepol_security_id_t * out_sid);	/* OUT */
    79. 

  79. 

  80. /*
    81. 

  81.  * Compute a SID to use for relabeling an object in the 
    82. 

  82.  * class `tclass' based on a SID pair.  
    83. 

  83.  */
    84. 

  84. extern int sepol_change_sid(sepol_security_id_t ssid,	/* IN */
    85. 

  85. 			    sepol_security_id_t tsid,	/* IN */
    86. 

  86. 			    sepol_security_class_t tclass,	/* IN */
    87. 

  87. 			    sepol_security_id_t * out_sid);	/* OUT */
    88. 

  88. 

  89. /*
    90. 

  90.  * Write the security context string representation of 
    91. 

  91.  * the context associated with `sid' into a dynamically
    92. 

  92.  * allocated string of the correct size.  Set `*scontext'
    93. 

  93.  * to point to this string and set `*scontext_len' to
    94. 

  94.  * the length of the string.
    95. 

  95.  */
    96. 

  96. extern int sepol_sid_to_context(sepol_security_id_t sid,	/* IN */
    97. 

  97. 				sepol_security_context_t * scontext,	/* OUT */
    98. 

  98. 				size_t * scontext_len);	/* OUT */
    99. 

  99. 

  100. /*
    101. 

  101.  * Return a SID associated with the security context that
    102. 

  102.  * has the string representation specified by `scontext'.
    103. 

  103.  */
    104. 

  104. extern int sepol_context_to_sid(const sepol_security_context_t scontext,	/* IN */
    105. 

  105. 				size_t scontext_len,	/* IN */
    106. 

  106. 				sepol_security_id_t * out_sid);	/* OUT */
    107. 

  107. 

  108. /*
    109. 

  109.  * Generate the set of SIDs for legal security contexts
    110. 

  110.  * for a given user that can be reached by `fromsid'.
    111. 

  111.  * Set `*sids' to point to a dynamically allocated 
    112. 

  112.  * array containing the set of SIDs.  Set `*nel' to the
    113. 

  113.  * number of elements in the array.
    114. 

  114.  */
    115. 

  115. extern int sepol_get_user_sids(sepol_security_id_t callsid,
    116. 

  116. 			       char *username,
    117. 

  117. 			       sepol_security_id_t ** sids, uint32_t * nel);
    118. 

  118. 

  119. /*
    120. 

  120.  * Return the SIDs to use for an unlabeled file system
    121. 

  121.  * that is being mounted from the device with the
    122. 

  122.  * the kdevname `name'.  The `fs_sid' SID is returned for 
    123. 

  123.  * the file system and the `file_sid' SID is returned
    124. 

  124.  * for all files within that file system.
    125. 

  125.  */
    126. 

  126. extern int sepol_fs_sid(char *dev,	/* IN */
    127. 

  127. 			sepol_security_id_t * fs_sid,	/* OUT  */
    128. 

  128. 			sepol_security_id_t * file_sid);	/* OUT */
    129. 

  129. 

  130. /*
    131. 

  131.  * Return the SID of the port specified by
    132. 

  132.  * `domain', `type', `protocol', and `port'.
    133. 

  133.  */
    134. 

  134. extern int sepol_port_sid(uint16_t domain,
    135. 

  135. 			  uint16_t type,
    136. 

  136. 			  uint8_t protocol,
    137. 

  137. 			  uint16_t port, sepol_security_id_t * out_sid);
    138. 

  138. 

  139. /*
    140. 

  140.  * Return the SIDs to use for a network interface
    141. 

  141.  * with the name `name'.  The `if_sid' SID is returned for 
    142. 

  142.  * the interface and the `msg_sid' SID is returned as
    143. 

  143.  * the default SID for messages received on the
    144. 

  144.  * interface.
    145. 

  145.  */
    146. 

  146. extern int sepol_netif_sid(char *name,
    147. 

  147. 			   sepol_security_id_t * if_sid,
    148. 

  148. 			   sepol_security_id_t * msg_sid);
    149. 

  149. 

  150. /*
    151. 

  151.  * Return the SID of the node specified by the address
    152. 

  152.  * `addr' where `addrlen' is the length of the address
    153. 

  153.  * in bytes and `domain' is the communications domain or
    154. 

  154.  * address family in which the address should be interpreted.
    155. 

  155.  */
    156. 

  156. extern int sepol_node_sid(uint16_t domain,
    157. 

  157. 			  void *addr,
    158. 

  158. 			  size_t addrlen, sepol_security_id_t * out_sid);
    159. 

  159. 

  160. /*
    161. 

  161.  * Return a value indicating how to handle labeling for the
    162. 

  162.  * the specified filesystem type, and optionally return a SID
    163. 

  163.  * for the filesystem object.  
    164. 

  164.  */
    165. 

  165. #define SECURITY_FS_USE_XATTR 1	/* use xattr */
    166. 

  166. #define SECURITY_FS_USE_TRANS 2	/* use transition SIDs, e.g. devpts/tmpfs */
    167. 

  167. #define SECURITY_FS_USE_TASK  3	/* use task SIDs, e.g. pipefs/sockfs */
    168. 

  168. #define SECURITY_FS_USE_GENFS 4	/* use the genfs support */
    169. 

  169. #define SECURITY_FS_USE_NONE  5	/* no labeling support */
    170. 

  170. extern int sepol_fs_use(const char *fstype,	/* IN */
    171. 

  171. 			unsigned int *behavior,	/* OUT */
    172. 

  172. 			sepol_security_id_t * sid);	/* OUT  */
    173. 

  173. 

  174. /*
    175. 

  175.  * Return the SID to use for a file in a filesystem
    176. 

  176.  * that cannot support a persistent label mapping or use another
    177. 

  177.  * fixed labeling behavior like transition SIDs or task SIDs.
    178. 

  178.  */
    179. 

  179. extern int sepol_genfs_sid(const char *fstype,	/* IN */
    180. 

  180. 			   char *name,	/* IN */
    181. 

  181. 			   sepol_security_class_t sclass,	/* IN */
    182. 

  182. 			   sepol_security_id_t * sid);	/* OUT  */
    183. 

  183. 

  184. #endif
    185. 

  185.