/*
 * This file describes the internal interface used by the AVC
 * for calling the user-supplied memory allocation, supplemental
 * auditing, and locking routine, as well as incrementing the
 * statistics fields.
 *
 * Author : Eamon Walsh <ewalsh@epoch.ncsc.mil>
 */
#ifndef _SELINUX_AVC_INTERNAL_H_
#define _SELINUX_AVC_INTERNAL_H_

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <selinux/avc.h>
#include "callbacks.h"
#include "dso.h"

/* callback pointers
 *
 * Each pointer is installed by set_callbacks() below from the user-supplied
 * callback structs.  The avc_* wrapper functions later in this header test
 * the pointer on every call and fall back to the libc / selinux_* default
 * (or to a no-op) while it is NULL.  Presumably all of them start out NULL
 * in avc.c — confirm against the definitions. */
extern void *(*avc_func_malloc) (size_t) hidden;
extern void (*avc_func_free) (void *)hidden;

/* user logging hook (printf-style) and supplemental audit hook */
extern void (*avc_func_log) (const char *, ...)hidden;
extern void (*avc_func_audit) (void *, security_class_t, char *, size_t)hidden;

/* avc_using_threads is set to 1 by set_callbacks() whenever a thread
 * callback struct is supplied; avc_app_main_loop is not written by anything
 * in this header — see its users for its meaning. */
extern int avc_using_threads hidden;
extern int avc_app_main_loop hidden;
extern void *(*avc_func_create_thread) (void (*)(void))hidden;
extern void (*avc_func_stop_thread) (void *)hidden;

/* locking primitives; when absent the avc_*_lock() wrappers do nothing,
 * so this layer then provides no mutual exclusion of its own */
extern void *(*avc_func_alloc_lock) (void)hidden;
extern void (*avc_func_get_lock) (void *)hidden;
extern void (*avc_func_release_lock) (void *)hidden;
extern void (*avc_func_free_lock) (void *)hidden;

/*
 * Install the user-supplied callback tables into the avc_func_* pointers.
 *
 * A NULL table pointer leaves the corresponding group of function pointers
 * untouched, so a caller may override one group (e.g. locking) without
 * supplying the others.  The individual function pointers inside a table
 * are copied as-is and are not validated here; in particular a non-NULL
 * thread_cb sets avc_using_threads even if the pointers it carries are NULL.
 * Memory callbacks are copied as a pair: supplying only one of
 * func_malloc/func_free would make avc_malloc() and avc_free() use
 * different allocators.
 */
static inline void set_callbacks(const struct avc_memory_callback *mem_cb,
				 const struct avc_log_callback *log_cb,
				 const struct avc_thread_callback *thread_cb,
				 const struct avc_lock_callback *lock_cb)
{
	/* the four groups write disjoint globals, so their order is immaterial */
	if (lock_cb != NULL) {
		avc_func_alloc_lock = lock_cb->func_alloc_lock;
		avc_func_get_lock = lock_cb->func_get_lock;
		avc_func_release_lock = lock_cb->func_release_lock;
		avc_func_free_lock = lock_cb->func_free_lock;
	}

	if (thread_cb != NULL) {
		avc_func_create_thread = thread_cb->func_create_thread;
		avc_func_stop_thread = thread_cb->func_stop_thread;
		avc_using_threads = 1;
	}

	if (log_cb != NULL) {
		avc_func_audit = log_cb->func_audit;
		avc_func_log = log_cb->func_log;
	}

	if (mem_cb != NULL) {
		avc_func_free = mem_cb->func_free;
		avc_func_malloc = mem_cb->func_malloc;
	}
}

/* message prefix and enforcing mode */
#define AVC_PREFIX_SIZE 16
/* prefix placed in front of log messages; fixed-size storage, so any writer
 * must bound its copy to AVC_PREFIX_SIZE including the terminating NUL */
extern char avc_prefix[AVC_PREFIX_SIZE] hidden;
/* run/enforce state flags — their meaning is defined by avc.c, not here */
extern int avc_running hidden;
extern int avc_enforcing hidden;
extern int avc_setenforce hidden;

/* user-supplied callback interface for avc */
/*
 * Allocate `size` bytes through the user-supplied allocator when one has
 * been installed, otherwise through libc malloc().  The result is returned
 * unchecked — it may be NULL, and the caller is responsible for testing it.
 * Memory obtained here is intended to be released with avc_free() so the
 * deallocator matching the installed allocator is used.
 */
static inline void *avc_malloc(size_t size)
{
	if (avc_func_malloc == NULL)
		return malloc(size);
	return avc_func_malloc(size);
}

/*
 * Release memory obtained from avc_malloc(): routed to the user-supplied
 * free routine when one is installed, else to libc free().  Whether a NULL
 * `ptr` is accepted depends on the routine reached — libc free(NULL) is a
 * no-op, a user callback may not be.
 */
static inline void avc_free(void *ptr)
{
	if (avc_func_free == NULL) {
		free(ptr);
		return;
	}
	avc_func_free(ptr);
}

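/*
 * Dispatch a log message to the user-supplied log callback when one is
 * installed, otherwise to selinux_log().  This is a macro rather than a
 * function so the variadic arguments can be forwarded; `format...` is the
 * GNU named-variadic form the rest of this header already uses.
 *
 * `type` is consumed only by the selinux_log() fallback; the user callback
 * receives just the format string and its arguments.  Both paths hand the
 * format string to a printf-style routine, so it must be a literal or
 * otherwise trusted string.
 *
 * Wrapped in do { ... } while (0) and used as a statement followed by a
 * semicolon: the bare if/else form with its own trailing semicolon made
 * `if (x) avc_log(...); else ...` fail to parse, because the macro's `;`
 * plus the caller's `;` left an empty statement between the if and the
 * else.
 */
#define avc_log(type, format...) \
  do { \
    if (avc_func_log) \
      avc_func_log(format); \
    else \
      selinux_log(type, format); \
  } while (0)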

/*
 * Supplemental audit hook: hands the audit record in `buf` (`len` bytes)
 * to the user-supplied audit callback if one is installed, otherwise to
 * selinux_audit().  `ptr`, `class`, `buf` and `len` are forwarded as
 * given; nothing here checks that `len` matches the buffer.
 */
static inline void avc_suppl_audit(void *ptr, security_class_t class,
				   char *buf, size_t len)
{
	void (*audit_fn) (void *, security_class_t, char *, size_t) = avc_func_audit;

	if (audit_fn == NULL) {
		selinux_audit(ptr, class, buf, len);
		return;
	}
	audit_fn(ptr, class, buf, len);
}

/*
 * Start a thread running `run` via the user-supplied thread callback.
 * Returns the callback's opaque thread handle, or NULL when no thread
 * callback has been installed — callers must treat NULL as "no thread".
 * A NULL from the callback itself is indistinguishable from that case.
 */
static inline void *avc_create_thread(void (*run) (void))
{
	if (avc_func_create_thread == NULL)
		return NULL;
	return avc_func_create_thread(run);
}

/*
 * Stop a thread handle previously returned by avc_create_thread().
 * Does nothing when no thread callback is installed; otherwise `thread`
 * is passed to the callback unchecked (including when it is NULL).
 */
static inline void avc_stop_thread(void *thread)
{
	if (avc_func_stop_thread == NULL)
		return;
	avc_func_stop_thread(thread);
}

/*
 * Create a lock through the user-supplied lock callback.  Returns the
 * callback's opaque lock handle, or NULL when no lock callback is
 * installed.  In the latter case avc_get_lock()/avc_release_lock() are
 * no-ops too, so this layer then provides no mutual exclusion at all.
 */
static inline void *avc_alloc_lock(void)
{
	if (avc_func_alloc_lock == NULL)
		return NULL;
	return avc_func_alloc_lock();
}

/*
 * Acquire `lock` via the user-supplied callback; a no-op when no lock
 * callback is installed.  `lock` is forwarded unchecked, so a NULL handle
 * (e.g. from a failed avc_alloc_lock()) reaches the callback as-is.
 */
static inline void avc_get_lock(void *lock)
{
	if (avc_func_get_lock == NULL)
		return;
	avc_func_get_lock(lock);
}

/*
 * Release `lock` via the user-supplied callback; a no-op when no lock
 * callback is installed.  Mirrors avc_get_lock(): the handle is forwarded
 * unchecked.
 */
static inline void avc_release_lock(void *lock)
{
	if (avc_func_release_lock == NULL)
		return;
	avc_func_release_lock(lock);
}

/*
 * Destroy a lock handle obtained from avc_alloc_lock() via the
 * user-supplied callback; a no-op when no lock callback is installed.
 */
static inline void avc_free_lock(void *lock)
{
	if (avc_func_free_lock == NULL)
		return;
	avc_func_free_lock(lock);
}

/* statistics helper routines
 *
 * When AVC_CACHE_STATS is defined both macros expand to a complete
 * statement, trailing semicolon included; when it is not defined they
 * expand to nothing at all.  They must therefore only be used where an
 * empty statement is acceptable.  `cache_stats` is assumed to be a struct
 * visible at the expansion site — it is not declared in this header. */
#ifdef AVC_CACHE_STATS

#define avc_cache_stats_incr(field) \
  cache_stats.field ++;
#define avc_cache_stats_add(field, num) \
  cache_stats.field += num;

#else

/* statistics disabled: the counters compile away entirely */
#define avc_cache_stats_incr(field)
#define avc_cache_stats_add(field, num)

#endif

/* logging helper routines */
#define AVC_AUDIT_BUFSIZE 1024

/* again, we need the variadic capability here
 *
 * Appends formatted text to the NUL-terminated string already held in
 * `buf`.  The bound is AVC_AUDIT_BUFSIZE, not sizeof(buf): `buf` must be
 * an array of at least AVC_AUDIT_BUFSIZE bytes, and must already be
 * NUL-terminated, or the strlen()/write can run past it.  Output that does
 * not fit is silently truncated — snprintf's return value is discarded.
 * `format` is handed to snprintf as the format string, so it must be a
 * literal or otherwise trusted string.  strlen(buf) is evaluated twice. */
#define log_append(buf,format...) \
  snprintf(buf+strlen(buf), AVC_AUDIT_BUFSIZE-strlen(buf), format)

/* internal callbacks */
int avc_ss_grant(security_id_t ssid, security_id_t tsid,
		 security_class_t tclass, access_vector_t perms,
		 uint32_t seqno) hidden;
int avc_ss_try_revoke(security_id_t ssid, security_id_t tsid,
		      security_class_t tclass,
		      access_vector_t perms, uint32_t seqno,
		      access_vector_t * out_retained) hidden;
int avc_ss_revoke(security_id_t ssid, security_id_t tsid,
		  security_class_t tclass, access_vector_t perms,
		  uint32_t seqno) hidden;
int avc_ss_reset(uint32_t seqno) hidden;
int avc_ss_set_auditallow(security_id_t ssid, security_id_t tsid,
			  security_class_t tclass, access_vector_t perms,
			  uint32_t seqno, uint32_t enable) hidden;
int avc_ss_set_auditdeny(security_id_t ssid, security_id_t tsid,
			 security_class_t tclass, access_vector_t perms,
			 uint32_t seqno, uint32_t enable) hidden;

/* netlink kernel message code */
extern int avc_netlink_trouble hidden;

hidden_proto(avc_av_stats)
    hidden_proto(avc_cleanup)
    hidden_proto(avc_reset)
    hidden_proto(avc_audit)
    hidden_proto(avc_has_perm_noaudit)
#endif				/* _SELINUX_AVC_INTERNAL_H_ */