
Exact replica of unstable on 051908 + README-this
author Mukesh Rathor
date Mon May 19 15:34:57 2008 -0700 (2008-05-19)
1 /*
2 * A policy database (policydb) specifies the
3 * configuration data for the security policy.
4 *
5 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
6 */
8 /*
9 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
10 *
11 * Support for enhanced MLS infrastructure.
12 *
13 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
14 *
15 * Added conditional policy language extensions
16 *
17 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
18 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
19 * This program is free software; you can redistribute it and/or modify
20 * it under the terms of the GNU General Public License as published by
21 * the Free Software Foundation, version 2.
22 */
24 /* Ported to Xen 3.0, George Coker, <gscoker@alpha.ncsc.mil> */
26 #ifndef _SS_POLICYDB_H_
27 #define _SS_POLICYDB_H_
29 #include "symtab.h"
30 #include "avtab.h"
31 #include "sidtab.h"
32 #include "context.h"
33 #include "constraint.h"
35 /*
36 * A datum type is defined for each kind of symbol
37 * in the configuration data: individual permissions,
38 * common prefixes for access vectors, classes,
39 * users, roles, types, sensitivities, categories, etc.
40 */
/*
 * Permission attributes.
 *
 * One entry per named permission of a class (or of a common prefix).
 * 'value' is the access-vector bit position plus one, so valid values
 * start at 1 and 0 can be used as "no such permission".  Since access
 * vectors are 32 bits wide (see PERM_SYMTAB_SIZE below), loaders should
 * reject values outside 1..32 before shifting by them.
 */
struct perm_datum {
    u32 value;    /* permission bit + 1 */
};
/*
 * Attributes of a common prefix for access vectors.
 *
 * A "common" groups permissions shared by several classes; a class that
 * names it (class_datum.comkey) inherits this permission table in
 * addition to its own class-specific one.
 */
struct common_datum {
    u32 value;                    /* internal common value */
    struct symtab permissions;    /* common permissions */
};
/*
 * Class attributes.
 *
 * 'comkey' is the name of the common prefix this class inherits (if
 * any) and 'comdatum' the resolved entry; the name is kept because the
 * policy image refers to commons by name.  Effective permissions are
 * the union of comdatum->permissions and 'permissions'.
 *
 * 'constraints' are evaluated on top of the type-enforcement rules and
 * can only deny; 'validatetrans' rules constrain context changes on
 * objects of this class.  Both lists are NULL when the class has none.
 */
struct class_datum {
    u32 value;                              /* class value */
    char *comkey;                           /* common name */
    struct common_datum *comdatum;          /* common datum */
    struct symtab permissions;              /* class-specific permission symbol table */
    struct constraint_node *constraints;    /* constraints on class permissions */
    struct constraint_node *validatetrans;  /* special transition rules */
};
/*
 * Role attributes.
 *
 * Both bitmaps are indexed by (value - 1) of the role/type they name,
 * matching the *_val_to_* arrays in struct policydb.
 */
struct role_datum {
    u32 value;                  /* internal role value */
    struct ebitmap dominates;   /* set of roles dominated by this role */
    struct ebitmap types;       /* set of authorized types for role */
};
/*
 * Role transition rule: a subject in 'role' executing something of
 * 'type' moves to 'new_role'.  Rules form a singly linked list hanging
 * off policydb.role_tr; lookup is a linear scan.
 */
struct role_trans {
    u32 role;                   /* current role */
    u32 type;                   /* program executable type */
    u32 new_role;               /* new role */
    struct role_trans *next;
};
/*
 * Role allow rule: a subject may change from 'role' to 'new_role'.
 * Singly linked list hanging off policydb.role_allow; a transition not
 * covered by any entry is denied.
 */
struct role_allow {
    u32 role;                   /* current role */
    u32 new_role;               /* new role */
    struct role_allow *next;
};
/*
 * Type attributes.
 *
 * Several names can map to the same 'value' (type aliases); 'primary'
 * is non-zero for the canonical name, which is the one expected in
 * p_type_val_to_name.
 */
struct type_datum {
    u32 value;                  /* internal type value */
    unsigned char primary;      /* primary name? */
};
/*
 * User attributes.
 *
 * 'roles' is indexed by (role value - 1).  'range' bounds the MLS
 * levels a context for this user may carry and 'dfltlevel' is the
 * level assigned when none is specified; both are only meaningful when
 * the policy was built with POLICYDB_CONFIG_MLS.
 */
struct user_datum {
    u32 value;                      /* internal user value */
    struct ebitmap roles;           /* set of authorized roles for user */
    struct mls_range range;         /* MLS range (min - max) for user */
    struct mls_level dfltlevel;     /* default login MLS level for user */
};
/*
 * Sensitivity attributes.
 *
 * Unlike the other datums this one holds a pointer, not a value: the
 * mls_level is owned elsewhere (presumably by the symbol table entry it
 * aliases when 'isalias' is set — confirm against policydb.c before
 * freeing through it).
 */
struct level_datum {
    struct mls_level *level;    /* sensitivity and associated categories */
    unsigned char isalias;      /* is this sensitivity an alias for another? */
};
/*
 * Category attributes.
 *
 * 'value' is the category bit position plus one (same 1-based scheme
 * as perm_datum), so it must be range-checked against the category
 * bitmap size before being used as a bit index.
 */
struct cat_datum {
    u32 value;                  /* internal category bit + 1 */
    unsigned char isalias;      /* is this category an alias for another? */
};
/*
 * MLS range transition rule: a subject of domain 'dom' executing
 * something of 'type' gets the new 'range'.  Singly linked list
 * hanging off policydb.range_tr.
 */
struct range_trans {
    u32 dom;                    /* current process domain */
    u32 type;                   /* program executable type */
    struct mls_range range;     /* new range */
    struct range_trans *next;
};
/*
 * Boolean data type.
 *
 * 'state' is the boolean's current truth value and selects which
 * conditional rules in te_cond_avtab are active.
 *
 * NOTE(review): this is the only field in the file spelled __u32 rather
 * than u32; presumably the same typedef, but it is worth normalising.
 */
struct cond_bool_datum {
    __u32 value;                /* internal type value */
    int state;
};
123 struct cond_node;
/*
 * The configuration data includes security contexts for initial SIDs
 * and for the Xen objects enumerated by the OCON_* indices below:
 * physical IRQs, virtual IRQs, VCPUs, I/O ports and I/O memory.  This
 * structure stores the relevant data for one such entry.  Entries of
 * the same kind (e.g. all initial SIDs) are linked together into a
 * list; which union member is meaningful is determined by the
 * policydb.ocontexts[] slot the entry lives in, not by anything in the
 * entry itself.
 *
 * Note the mixed signedness of the keys (int for pirq/virq/vcpu, u32
 * for ioport, unsigned long for iomem): callers matching a
 * hypervisor-supplied number against these should compare with the
 * same type to avoid sign-conversion surprises.
 *
 * Two context/SID slots are provided; which entry kinds use the second
 * one is not visible from this header.
 */
struct ocontext {
    union {
        char *name;             /* name of initial SID, fs, netif, fstype, path */
        int pirq;
        int virq;
        int vcpu;
        u32 ioport;
        unsigned long iomem;
    } u;
    struct context context[2];  /* security context(s) */
    u32 sid[2];                 /* SID(s) */
    struct ocontext *next;
};
/*
 * symbol table array indices
 *
 * These index policydb.symtab[] and policydb.sym_val_to_name[]; the
 * order must match the order in which symbol tables appear in the
 * policy image.  SYM_NUM is the array size and must stay last.
 */
#define SYM_COMMONS 0
#define SYM_CLASSES 1
#define SYM_ROLES   2
#define SYM_TYPES   3
#define SYM_USERS   4
#define SYM_BOOLS   5
#define SYM_LEVELS  6
#define SYM_CATS    7
#define SYM_NUM     8
/*
 * object context array indices
 *
 * Index into policydb.ocontexts[]; each slot selects which member of
 * ocontext.u is meaningful for the entries on that list.  OCON_NUM is
 * the array size and must stay last.  OCON_DUMMY's role is not
 * explained here — presumably a placeholder keeping the numbering
 * aligned with the policy image format; confirm before reusing it.
 */
#define OCON_ISID   0    /* initial SIDs */
#define OCON_PIRQ   1    /* physical irqs */
#define OCON_VIRQ   2    /* virtual irqs */
#define OCON_VCPU   3    /* virtual cpus */
#define OCON_IOPORT 4    /* io ports */
#define OCON_IOMEM  5    /* io memory */
#define OCON_DUMMY  6
#define OCON_NUM    7
/*
 * The policy database.
 *
 * Everything below is populated by policydb_read() from an externally
 * supplied policy image, so the "indexed by (value - 1)" arrays are
 * only as safe as the range checks performed while loading: a symbol
 * value read from the image must be checked to lie in
 * [1, number of entries] before it is used as an index here.  Where
 * that validation lives is not visible in this header — confirm against
 * policydb.c before relying on it.
 */
struct policydb {
    /* symbol tables, one per SYM_* kind */
    struct symtab symtab[SYM_NUM];
#define p_commons symtab[SYM_COMMONS]
#define p_classes symtab[SYM_CLASSES]
#define p_roles symtab[SYM_ROLES]
#define p_types symtab[SYM_TYPES]
#define p_users symtab[SYM_USERS]
#define p_bools symtab[SYM_BOOLS]
#define p_levels symtab[SYM_LEVELS]
#define p_cats symtab[SYM_CATS]

    /* symbol names indexed by (value - 1) */
    char **sym_val_to_name[SYM_NUM];
#define p_common_val_to_name sym_val_to_name[SYM_COMMONS]
#define p_class_val_to_name sym_val_to_name[SYM_CLASSES]
#define p_role_val_to_name sym_val_to_name[SYM_ROLES]
#define p_type_val_to_name sym_val_to_name[SYM_TYPES]
#define p_user_val_to_name sym_val_to_name[SYM_USERS]
#define p_bool_val_to_name sym_val_to_name[SYM_BOOLS]
#define p_sens_val_to_name sym_val_to_name[SYM_LEVELS]
#define p_cat_val_to_name sym_val_to_name[SYM_CATS]

    /* class, role, and user attributes indexed by (value - 1) */
    struct class_datum **class_val_to_struct;
    struct role_datum **role_val_to_struct;
    struct user_datum **user_val_to_struct;

    /* type enforcement access vectors and transitions */
    struct avtab te_avtab;

    /* role transitions (singly linked list of struct role_trans) */
    struct role_trans *role_tr;

    /* bools indexed by (value - 1) */
    struct cond_bool_datum **bool_val_to_struct;
    /* type enforcement conditional access vectors and transitions */
    struct avtab te_cond_avtab;
    /* linked list indexing te_cond_avtab by conditional */
    struct cond_node* cond_list;

    /* role allows (singly linked list of struct role_allow) */
    struct role_allow *role_allow;

    /* security contexts of initial SIDs and of the Xen objects named by
       the OCON_* indices (physical/virtual irqs, vcpus, io ports, io
       memory); one list per kind */
    struct ocontext *ocontexts[OCON_NUM];

    /* range transitions (singly linked list of struct range_trans) */
    struct range_trans *range_tr;

    /* type -> attribute reverse mapping */
    struct ebitmap *type_attr_map;

    /* presumably the version number read from the policy image header;
       used to decide which optional sections to expect — confirm in
       policydb.c */
    unsigned int policyvers;
};
/* Release everything owned by *p; p itself is not freed. */
extern void policydb_destroy(struct policydb *p);
/* Insert the policy's initial SID contexts into sidtab s; returns 0 or
   a negative errno. */
extern int policydb_load_isids(struct policydb *p, struct sidtab *s);
/* Non-zero when c's user/role/type (and MLS range, if enabled) are
   consistent with policy p.  Callers building contexts from untrusted
   input should reject anything this does not accept. */
extern int policydb_context_isvalid(struct policydb *p, struct context *c);
/* Parse a binary policy image into *p.  'fp' is typed void * but is
   expected to be a struct policy_file * (see next_entry() below);
   returns 0 or a negative errno. */
extern int policydb_read(struct policydb *p, void *fp);
/* Maximum permissions per class/common: one per bit of a u32 access
   vector (perm_datum.value is the bit + 1). */
#define PERM_SYMTAB_SIZE 32

/* Policy image config flag: MLS data is present and must be parsed. */
#define POLICYDB_CONFIG_MLS 1

/* The role given to objects; its value is fixed so it can be assumed
   before the role table is loaded. */
#define OBJECT_R "object_r"
#define OBJECT_R_VAL 1

/* Expected magic number and identification string at the start of a
   policy image; FLASK_MAGIC is defined elsewhere.  Presumably checked by
   policydb_read() before anything else is trusted — confirm. */
#define POLICYDB_MAGIC FLASK_MAGIC
#define POLICYDB_STRING "SE Linux"
/*
 * In-memory view of a binary policy image being parsed.  'data' points
 * at the next unread byte and 'len' is the number of bytes still
 * available; next_entry() advances both as input is consumed.
 */
struct policy_file {
    char *data;
    size_t len;
};

/*
 * Copy the next 'bytes' bytes of the policy image into 'buf' and move
 * the cursor past them.
 *
 * This is the single place where reads from the (untrusted) policy blob
 * are checked against its remaining length, so all parsing of image
 * data must go through it.  Only the source side is bounded here: the
 * caller is responsible for 'buf' having room for 'bytes'.
 *
 * Returns 0 on success.  Returns -EINVAL, leaving *fp untouched, when
 * fewer than 'bytes' bytes remain.
 */
static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes)
{
    size_t remaining = fp->len;

    /* Decide before touching anything so a failed read leaves fp intact. */
    if ( remaining < bytes )
        return -EINVAL;

    memcpy(buf, fp->data, bytes);
    fp->data += bytes;
    fp->len = remaining - bytes;

    return 0;
}
256 #endif /* _SS_POLICYDB_H_ */