5
* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
8
#ifndef _LINUX_SECURITY_H_
9
#define _LINUX_SECURITY_H_
12
* Security server interface.
15
#include "flask_types.h"
18
/* Initialize the security server */
19
int security_init(void);
21
/* Load the security policy. */
22
int security_load_policy(void * data, size_t len);
25
* Compute access vectors based on a SID pair for
26
* the permissions in a particular class.
29
access_vector_t allowed;
30
access_vector_t decided;
31
access_vector_t auditallow;
32
access_vector_t auditdeny;
35
int security_compute_av(
36
security_id_t ssid, /* IN */
37
security_id_t tsid, /* IN */
38
security_class_t tclass, /* IN */
39
access_vector_t requested, /* IN */
40
struct av_decision *avd); /* OUT */
43
* Compute a SID to use for labeling a new object in the
44
* class `tclass' based on a SID pair.
46
int security_transition_sid(
47
security_id_t ssid, /* IN */
48
security_id_t tsid, /* IN */
49
security_class_t tclass, /* IN */
50
security_id_t *out_sid); /* OUT */
53
* Compute a SID to use when selecting a member of a
54
* polyinstantiated object of class `tclass' based on
57
int security_member_sid(
58
security_id_t ssid, /* IN */
59
security_id_t tsid, /* IN */
60
security_class_t tclass, /* IN */
61
security_id_t *out_sid); /* OUT */
64
* Compute a SID to use for relabeling an object in the
65
* class `tclass' based on a SID pair.
67
int security_change_sid(
68
security_id_t ssid, /* IN */
69
security_id_t tsid, /* IN */
70
security_class_t tclass, /* IN */
71
security_id_t *out_sid); /* OUT */
74
* Write the security context string representation of
75
* the context associated with `sid' into a dynamically
76
* allocated string of the correct size. Set `*scontext'
77
* to point to this string and set `*scontext_len' to
78
* the length of the string.
80
int security_sid_to_context(
81
security_id_t sid, /* IN */
82
security_context_t *scontext, /* OUT */
83
size_t *scontext_len); /* OUT */
86
* Return a SID associated with the security context that
87
* has the string representation specified by `scontext'.
89
int security_context_to_sid(
90
security_context_t scontext, /* IN */
91
size_t scontext_len, /* IN */
92
security_id_t *out_sid); /* OUT */
95
* Generate the set of SIDs for legal security contexts
96
* for a given user that can be reached by `fromsid'.
97
* Set `*sids' to point to a dynamically allocated
98
* array containing the set of SIDs. Set `*nel' to the
99
* number of elements in the array.
101
int security_get_user_sids(security_id_t callsid,
103
security_id_t **sids,
107
* Return the SIDs to use for an unlabeled file system
108
* that is being mounted from the device with the
109
* the kdevname `name'. The `fs_sid' SID is returned for
110
* the file system and the `file_sid' SID is returned
111
* for all files within that file system.
115
security_id_t *fs_sid, /* OUT */
116
security_id_t *file_sid); /* OUT */
119
* Return the SID of the port specified by
120
* `domain', `type', `protocol', and `port'.
122
int security_port_sid(
127
security_id_t *out_sid);
130
* Return the SIDs to use for a network interface
131
* with the name `name'. The `if_sid' SID is returned for
132
* the interface and the `msg_sid' SID is returned as
133
* the default SID for messages received on the
136
int security_netif_sid(
138
security_id_t *if_sid,
139
security_id_t *msg_sid);
142
* Return the SID of the node specified by the address
143
* `addr' where `addrlen' is the length of the address
144
* in bytes and `domain' is the communications domain or
145
* address family in which the address should be interpreted.
147
int security_node_sid(
151
security_id_t *out_sid);
154
* Return a value indicating how to handle labeling for the
155
* the specified filesystem type, and optionally return a SID
156
* for the filesystem object.
158
#define SECURITY_FS_USE_XATTR 1 /* use xattr */
159
#define SECURITY_FS_USE_TRANS 2 /* use transition SIDs, e.g. devpts/tmpfs */
160
#define SECURITY_FS_USE_TASK 3 /* use task SIDs, e.g. pipefs/sockfs */
161
#define SECURITY_FS_USE_GENFS 4 /* use the genfs support */
162
#define SECURITY_FS_USE_NONE 5 /* no labeling support */
164
const char *fstype, /* IN */
165
unsigned int *behavior, /* OUT */
166
security_id_t *sid); /* OUT */
169
* Return the SID to use for a file in a filesystem
170
* that cannot support a persistent label mapping or use another
171
* fixed labeling behavior like transition SIDs or task SIDs.
173
int security_genfs_sid(
174
const char *fstype, /* IN */
176
security_class_t sclass, /* IN */
177
security_id_t *sid); /* OUT */
179
#endif /* _LINUX_SECURITY_H_ */