linux/security/selinux/include/security.h

/*
 * Security server interface.
 *
 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
 *
 */

#ifndef _SELINUX_SECURITY_H_
#define _SELINUX_SECURITY_H_

#include "flask.h"

#define SECSID_NULL			0x00000000 /* unspecified SID */
#define SECSID_WILD			0xffffffff /* wildcard SID */
#define SECCLASS_NULL			0x0000 /* no class */

#define SELINUX_MAGIC 0xf97cff8c

/* Identify specific policy version changes */
#define POLICYDB_VERSION_BASE		15
#define POLICYDB_VERSION_BOOL		16
#define POLICYDB_VERSION_IPV6		17
#define POLICYDB_VERSION_NLCLASS	18
#define POLICYDB_VERSION_VALIDATETRANS	19
#define POLICYDB_VERSION_MLS		19

/* Range of policy versions we understand*/
#define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_MLS

#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
extern int selinux_enabled;
#else
#define selinux_enabled 1
#endif

extern int selinux_mls_enabled;

int security_load_policy(void * data, size_t len);

struct av_decision {
	u32 allowed;
	u32 decided;
	u32 auditallow;
	u32 auditdeny;
	u32 seqno;
};

int security_compute_av(u32 ssid, u32 tsid,
	u16 tclass, u32 requested,
	struct av_decision *avd);

int security_transition_sid(u32 ssid, u32 tsid,
	u16 tclass, u32 *out_sid);

int security_member_sid(u32 ssid, u32 tsid,
	u16 tclass, u32 *out_sid);

int security_change_sid(u32 ssid, u32 tsid,
	u16 tclass, u32 *out_sid);

int security_sid_to_context(u32 sid, char **scontext,
	u32 *scontext_len);

int security_context_to_sid(char *scontext, u32 scontext_len,
	u32 *out_sid);

int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *out_sid, u32 def_sid);

int security_get_user_sids(u32 callsid, char *username,
			   u32 **sids, u32 *nel);

int security_port_sid(u16 domain, u16 type, u8 protocol, u16 port,
	u32 *out_sid);

int security_netif_sid(char *name, u32 *if_sid,
	u32 *msg_sid);

int security_node_sid(u16 domain, void *addr, u32 addrlen,
	u32 *out_sid);

int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
                                 u16 tclass);

#define SECURITY_FS_USE_XATTR		1 /* use xattr */
#define SECURITY_FS_USE_TRANS		2 /* use transition SIDs, e.g. devpts/tmpfs */
#define SECURITY_FS_USE_TASK		3 /* use task SIDs, e.g. pipefs/sockfs */
#define SECURITY_FS_USE_GENFS		4 /* use the genfs support */
#define SECURITY_FS_USE_NONE		5 /* no labeling support */
#define SECURITY_FS_USE_MNTPOINT	6 /* use mountpoint labeling */

int security_fs_use(const char *fstype, unsigned int *behavior,
	u32 *sid);

int security_genfs_sid(const char *fstype, char *name, u16 sclass,
	u32 *sid);

#endif /* _SELINUX_SECURITY_H_ */
Linux-2.6.12-rc2 Initial git repository build. I'm not bothering with the full history, even though we have it. We can create a separate "historical" git archive of that later if we want to, and in the meantime it's about 3.2GB when imported into git - space that would just make the early git days unnecessarily complicated, when we don't have a lot of good infrastructure for it. Let it rip! 2005-04-17 02:20:36 +04:00			`/*`
			`* Security server interface.`
			`*`
			`* Author : Stephen Smalley, <sds@epoch.ncsc.mil>`
			`*`
			`*/`

			`#ifndef _SELINUX_SECURITY_H_`
			`#define _SELINUX_SECURITY_H_`

			`#include "flask.h"`

			`#define SECSID_NULL 0x00000000 /* unspecified SID */`
			`#define SECSID_WILD 0xffffffff /* wildcard SID */`
			`#define SECCLASS_NULL 0x0000 /* no class */`

			`#define SELINUX_MAGIC 0xf97cff8c`

			`/* Identify specific policy version changes */`
			`#define POLICYDB_VERSION_BASE 15`
			`#define POLICYDB_VERSION_BOOL 16`
			`#define POLICYDB_VERSION_IPV6 17`
			`#define POLICYDB_VERSION_NLCLASS 18`
			`#define POLICYDB_VERSION_VALIDATETRANS 19`
			`#define POLICYDB_VERSION_MLS 19`

			`/* Range of policy versions we understand*/`
			`#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE`
			`#define POLICYDB_VERSION_MAX POLICYDB_VERSION_MLS`

			`#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM`
			`extern int selinux_enabled;`
			`#else`
			`#define selinux_enabled 1`
			`#endif`

			`extern int selinux_mls_enabled;`

			`int security_load_policy(void * data, size_t len);`

			`struct av_decision {`
			`u32 allowed;`
			`u32 decided;`
			`u32 auditallow;`
			`u32 auditdeny;`
			`u32 seqno;`
			`};`

			`int security_compute_av(u32 ssid, u32 tsid,`
			`u16 tclass, u32 requested,`
			`struct av_decision *avd);`

			`int security_transition_sid(u32 ssid, u32 tsid,`
			`u16 tclass, u32 *out_sid);`

			`int security_member_sid(u32 ssid, u32 tsid,`
			`u16 tclass, u32 *out_sid);`

			`int security_change_sid(u32 ssid, u32 tsid,`
			`u16 tclass, u32 *out_sid);`

			`int security_sid_to_context(u32 sid, char **scontext,`
			`u32 *scontext_len);`

			`int security_context_to_sid(char *scontext, u32 scontext_len,`
			`u32 *out_sid);`

[PATCH] SELinux: default labeling of MLS field Implement kernel labeling of the MLS (multilevel security) field of security contexts for files which have no existing MLS field. This is to enable upgrades of a system from non-MLS to MLS without performing a full filesystem relabel including all of the mountpoints, which would be quite painful for users. With this patch, with MLS enabled, if a file has no MLS field, the kernel internally adds an MLS field to the in-core inode (but not to the on-disk file). This MLS field added is the default for the superblock, allowing per-mountpoint control over the values via fixed policy or mount options. This patch has been tested by enabling MLS without relabeling its filesystem, and seems to be working correctly. Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> 2005-07-28 12:07:37 +04:00			`int security_context_to_sid_default(char scontext, u32 scontext_len, u32 out_sid, u32 def_sid);`

Linux-2.6.12-rc2 Initial git repository build. I'm not bothering with the full history, even though we have it. We can create a separate "historical" git archive of that later if we want to, and in the meantime it's about 3.2GB when imported into git - space that would just make the early git days unnecessarily complicated, when we don't have a lot of good infrastructure for it. Let it rip! 2005-04-17 02:20:36 +04:00			`int security_get_user_sids(u32 callsid, char *username,`
			`u32 *sids, u32 nel);`

			`int security_port_sid(u16 domain, u16 type, u8 protocol, u16 port,`
			`u32 *out_sid);`

			`int security_netif_sid(char name, u32 if_sid,`
			`u32 *msg_sid);`

			`int security_node_sid(u16 domain, void *addr, u32 addrlen,`
			`u32 *out_sid);`

			`int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,`
			`u16 tclass);`

			`#define SECURITY_FS_USE_XATTR 1 /* use xattr */`
			`#define SECURITY_FS_USE_TRANS 2 /* use transition SIDs, e.g. devpts/tmpfs */`
			`#define SECURITY_FS_USE_TASK 3 /* use task SIDs, e.g. pipefs/sockfs */`
			`#define SECURITY_FS_USE_GENFS 4 /* use the genfs support */`
			`#define SECURITY_FS_USE_NONE 5 /* no labeling support */`
			`#define SECURITY_FS_USE_MNTPOINT 6 /* use mountpoint labeling */`

			`int security_fs_use(const char fstype, unsigned int behavior,`
			`u32 *sid);`

			`int security_genfs_sid(const char fstype, char name, u16 sclass,`
			`u32 *sid);`

			`#endif /* _SELINUX_SECURITY_H_ */`