1*2d543d20SAndroid Build Coastguard Worker /*
 * This file describes the internal interface used by the AVC
 * for calling the user-supplied memory allocation, supplemental
 * auditing, and locking routines, as well as for incrementing the
 * statistics fields.
6*2d543d20SAndroid Build Coastguard Worker *
7*2d543d20SAndroid Build Coastguard Worker * Author : Eamon Walsh <[email protected]>
8*2d543d20SAndroid Build Coastguard Worker */
9*2d543d20SAndroid Build Coastguard Worker #ifndef _SELINUX_AVC_INTERNAL_H_
10*2d543d20SAndroid Build Coastguard Worker #define _SELINUX_AVC_INTERNAL_H_
11*2d543d20SAndroid Build Coastguard Worker
12*2d543d20SAndroid Build Coastguard Worker #include <stdio.h>
13*2d543d20SAndroid Build Coastguard Worker #include <stdlib.h>
14*2d543d20SAndroid Build Coastguard Worker #include <string.h>
15*2d543d20SAndroid Build Coastguard Worker #include <selinux/avc.h>
16*2d543d20SAndroid Build Coastguard Worker #include "callbacks.h"
17*2d543d20SAndroid Build Coastguard Worker
/*
 * Callback pointers.
 *
 * set_callbacks() below copies a user-supplied table into these pointers.
 * The avc_* wrappers further down test each pointer for NULL and fall back
 * to the library default (malloc/free, selinux_log/selinux_audit) or do
 * nothing (thread and lock hooks).  The definitions live in the AVC
 * implementation, not in this header.  These are plain globals with no
 * synchronisation around their updates; NOTE(review): presumably they are
 * set once before the AVC starts running — confirm against the callers.
 */
extern void *(*avc_func_malloc) (size_t) ;
extern void (*avc_func_free) (void *);

/* The format attribute lets -Wformat check calls made through avc_log(). */
extern void (*avc_func_log) (const char *, ...) __attribute__((__format__(printf,1,2))) ;
/* Supplemental audit sink: (aux data, class, message buffer, buffer length). */
extern void (*avc_func_audit) (void *, security_class_t, char *, size_t);

/* avc_using_threads becomes 1 when set_callbacks() receives a thread table. */
extern int avc_using_threads ;
extern int avc_app_main_loop ;	/* not referenced by anything in this header */
extern void *(*avc_func_create_thread) (void (*)(void));
extern void (*avc_func_stop_thread) (void *);

/* Lock hooks; the lock object itself is opaque (void *) to the AVC. */
extern void *(*avc_func_alloc_lock) (void);
extern void (*avc_func_get_lock) (void *);
extern void (*avc_func_release_lock) (void *);
extern void (*avc_func_free_lock) (void *);

/* selinux status processing for netlink and sestatus */
extern int avc_process_setenforce(int enforcing);
extern int avc_process_policyload(uint32_t seqno);
38*2d543d20SAndroid Build Coastguard Worker
/*
 * Install the user-supplied callback tables.
 *
 * Every table is optional: a NULL table pointer leaves the corresponding
 * group of avc_func_* pointers (and avc_using_threads) exactly as it was, so
 * a caller can override one group without restating the others.  Members of
 * a non-NULL table are copied verbatim, including members that are themselves
 * NULL; the avc_* wrappers below treat a NULL function pointer as "use the
 * default".
 *
 * Passing a thread table marks the AVC as threaded (avc_using_threads = 1)
 * even if its members are NULL; avc_create_thread() then yields NULL.
 */
static inline void set_callbacks(const struct avc_memory_callback *mem_cb,
				 const struct avc_log_callback *log_cb,
				 const struct avc_thread_callback *thread_cb,
				 const struct avc_lock_callback *lock_cb)
{
	if (mem_cb != NULL) {
		avc_func_malloc = mem_cb->func_malloc;
		avc_func_free = mem_cb->func_free;
	}

	if (log_cb != NULL) {
		avc_func_log = log_cb->func_log;
		avc_func_audit = log_cb->func_audit;
	}

	if (thread_cb != NULL) {
		avc_func_create_thread = thread_cb->func_create_thread;
		avc_func_stop_thread = thread_cb->func_stop_thread;
		avc_using_threads = 1;
	}

	if (lock_cb != NULL) {
		avc_func_alloc_lock = lock_cb->func_alloc_lock;
		avc_func_get_lock = lock_cb->func_get_lock;
		avc_func_release_lock = lock_cb->func_release_lock;
		avc_func_free_lock = lock_cb->func_free_lock;
	}
}
64*2d543d20SAndroid Build Coastguard Worker
/* message prefix and enforcing mode */
/*
 * AVC_PREFIX_SIZE is the fixed size of avc_prefix, the message prefix
 * buffer; whoever fills it must keep it NUL-terminated within these bytes.
 */
#define AVC_PREFIX_SIZE 16
extern char avc_prefix[AVC_PREFIX_SIZE] ;
/* Runtime state flags; defined in the AVC implementation, not here. */
extern int avc_running ;
extern int avc_enforcing ;
extern int avc_setenforce ;
71*2d543d20SAndroid Build Coastguard Worker
72*2d543d20SAndroid Build Coastguard Worker /* user-supplied callback interface for avc */
/*
 * Allocate 'size' bytes, through the user-supplied allocator when one has
 * been installed and through malloc() otherwise.  Returns whatever the
 * chosen allocator returns (NULL on failure for malloc()).
 */
static inline void *avc_malloc(size_t size)
{
	if (avc_func_malloc == NULL)
		return malloc(size);
	return avc_func_malloc(size);
}
77*2d543d20SAndroid Build Coastguard Worker
/*
 * Release memory obtained from avc_malloc(): through the user-supplied
 * deallocator when one has been installed, through free() otherwise.
 */
static inline void avc_free(void *ptr)
{
	void (*release)(void *) = avc_func_free != NULL ? avc_func_free : free;

	release(ptr);
}
85*2d543d20SAndroid Build Coastguard Worker
/*
 * avc_log(type, format, ...): route a formatted message to the user's log
 * callback when one is installed, otherwise to selinux_log().
 *
 * This is a macro in order to use the variadic capability (the named
 * variadic form "format..." is a GNU extension).  The two paths do not see
 * the same arguments: the user callback receives only the format string and
 * its arguments, while selinux_log() also receives 'type'.  'format' is
 * interpreted as a printf format by both sinks, so it must be a literal
 * under the caller's control, never text taken from the data being logged.
 */
#define avc_log(type, format...) \
	do { \
		if (avc_func_log) \
			avc_func_log(format); \
		else \
			selinux_log(type, format); \
	} while (0)
94*2d543d20SAndroid Build Coastguard Worker
/*
 * Supplemental audit hook.  Hands the audit record in 'buf' ('len' bytes)
 * for object class 'class' to the user's audit callback when one is
 * installed, and to selinux_audit() otherwise.  'ptr' is passed through
 * untouched; its meaning is defined by the receiving callback.
 */
static inline void avc_suppl_audit(void *ptr, security_class_t class,
				   char *buf, size_t len)
{
	if (avc_func_audit == NULL) {
		selinux_audit(ptr, class, buf, len);
		return;
	}
	avc_func_audit(ptr, class, buf, len);
}
103*2d543d20SAndroid Build Coastguard Worker
/*
 * Start a thread running 'run' via the user-supplied thread hook.  Returns
 * the hook's opaque thread handle, or NULL when no hook is installed (the
 * caller must treat NULL as "no thread was created").
 */
static inline void *avc_create_thread(void (*run) (void))
{
	if (avc_func_create_thread == NULL)
		return NULL;
	return avc_func_create_thread(run);
}
108*2d543d20SAndroid Build Coastguard Worker
/*
 * Stop a thread created by avc_create_thread().  A no-op when no
 * user-supplied stop hook is installed.
 */
static inline void avc_stop_thread(void *thread)
{
	if (avc_func_stop_thread == NULL)
		return;
	avc_func_stop_thread(thread);
}
114*2d543d20SAndroid Build Coastguard Worker
/*
 * Allocate an opaque lock object via the user-supplied lock hook.  Returns
 * NULL when no hook is installed, in which case the other avc_*_lock()
 * wrappers are no-ops as well.
 */
static inline void *avc_alloc_lock(void)
{
	if (avc_func_alloc_lock == NULL)
		return NULL;
	return avc_func_alloc_lock();
}
119*2d543d20SAndroid Build Coastguard Worker
/*
 * Acquire 'lock' through the user-supplied hook; a no-op when no hook is
 * installed, so single-threaded users pay nothing.
 */
static inline void avc_get_lock(void *lock)
{
	if (avc_func_get_lock == NULL)
		return;
	avc_func_get_lock(lock);
}
125*2d543d20SAndroid Build Coastguard Worker
/*
 * Release 'lock' through the user-supplied hook; a no-op when no hook is
 * installed.  Must pair with a preceding avc_get_lock() on the same lock.
 */
static inline void avc_release_lock(void *lock)
{
	if (avc_func_release_lock == NULL)
		return;
	avc_func_release_lock(lock);
}
131*2d543d20SAndroid Build Coastguard Worker
/*
 * Destroy a lock obtained from avc_alloc_lock() through the user-supplied
 * hook; a no-op when no hook is installed.
 */
static inline void avc_free_lock(void *lock)
{
	if (avc_func_free_lock == NULL)
		return;
	avc_func_free_lock(lock);
}
137*2d543d20SAndroid Build Coastguard Worker
/* statistics helper routines */
/*
 * avc_cache_stats_incr(field) / avc_cache_stats_add(field, num) bump the
 * member named by 'field' of the 'cache_stats' object (declared elsewhere).
 * When AVC_CACHE_STATS is not defined they expand to empty statements, so
 * call sites need no #ifdef.  Neither form is atomic; NOTE(review):
 * presumably callers hold the AVC lock — confirm at the call sites.
 */
#ifdef AVC_CACHE_STATS

#define avc_cache_stats_incr(field) \
	do { \
		cache_stats.field ++; \
	} while (0)
#define avc_cache_stats_add(field, num) \
	do { \
		cache_stats.field += num; \
	} while (0)

#else

#define avc_cache_stats_incr(field) do {} while (0)
#define avc_cache_stats_add(field, num) do {} while (0)

#endif
156*2d543d20SAndroid Build Coastguard Worker
/* logging helper routines */
/*
 * AVC_AUDIT_BUFSIZE is the fixed size of every audit message buffer that
 * log_append() writes into.
 */
#define AVC_AUDIT_BUFSIZE 1024

/*
 * log_append(buf, format, ...): append formatted text to the NUL-terminated
 * string already held in 'buf'.
 *
 * Again, we need the variadic capability here.  The write bound comes from
 * AVC_AUDIT_BUFSIZE rather than from the caller, so 'buf' must be an array
 * of exactly that size (a smaller array would be overrun) and must already
 * be NUL-terminated (otherwise strlen() runs off the end and the size_t
 * subtraction wraps to a huge bound).  Because snprintf() always
 * NUL-terminates, repeated appends truncate safely once the buffer fills;
 * the snprintf() return value is not checked here, so truncation is silent.
 * 'buf' is evaluated three times — pass a plain lvalue, not an expression
 * with side effects.  'format' is a printf format and must be caller-
 * controlled.
 */
#define log_append(buf,format...) \
	snprintf(buf+strlen(buf), AVC_AUDIT_BUFSIZE-strlen(buf), format)
163*2d543d20SAndroid Build Coastguard Worker
/* internal callbacks */
/*
 * Prototypes for the avc_ss_* entry points.  Their names suggest they grant,
 * revoke (tentatively or unconditionally) and reset cached decisions, and
 * toggle audit-allow / audit-deny settings, each keyed to a policy sequence
 * number 'seqno'.  Definitions and return-value conventions live in the AVC
 * implementation, not in this header; avc_ss_try_revoke() additionally
 * writes the permissions it could not revoke through 'out_retained'
 * (inferred from the parameter name — confirm against the implementation).
 */
int avc_ss_grant(security_id_t ssid, security_id_t tsid,
		 security_class_t tclass, access_vector_t perms,
		 uint32_t seqno) ;
int avc_ss_try_revoke(security_id_t ssid, security_id_t tsid,
		      security_class_t tclass,
		      access_vector_t perms, uint32_t seqno,
		      access_vector_t * out_retained) ;
int avc_ss_revoke(security_id_t ssid, security_id_t tsid,
		  security_class_t tclass, access_vector_t perms,
		  uint32_t seqno) ;
int avc_ss_reset(uint32_t seqno) ;
int avc_ss_set_auditallow(security_id_t ssid, security_id_t tsid,
			  security_class_t tclass, access_vector_t perms,
			  uint32_t seqno, uint32_t enable) ;
int avc_ss_set_auditdeny(security_id_t ssid, security_id_t tsid,
			 security_class_t tclass, access_vector_t perms,
			 uint32_t seqno, uint32_t enable) ;
182*2d543d20SAndroid Build Coastguard Worker
183*2d543d20SAndroid Build Coastguard Worker #endif /* _SELINUX_AVC_INTERNAL_H_ */