| 1 | /* |
|---|
| 2 | * Labeling interface for userspace object managers and others. |
|---|
| 3 | * |
|---|
| 4 | * Author : Eamon Walsh <ewalsh@tycho.nsa.gov> |
|---|
| 5 | */ |
|---|
| 6 | #ifndef _SELABEL_H_ |
|---|
| 7 | #define _SELABEL_H_ |
|---|
| 8 | |
|---|
| 9 | #include <stdbool.h> |
|---|
| 10 | #include <stdint.h> |
|---|
| 11 | #include <sys/types.h> |
|---|
| 12 | #include <selinux/selinux.h> |
|---|
| 13 | |
|---|
| 14 | #ifdef __cplusplus |
|---|
| 15 | extern "C" { |
|---|
| 16 | #endif |
|---|
| 17 | |
|---|
| 18 | /* |
|---|
| 19 | * Opaque type used for all label handles. |
|---|
| 20 | */ |
|---|
| 21 | |
|---|
| 22 | struct selabel_handle; |
|---|
| 23 | |
|---|
| 24 | /* |
|---|
| 25 | * Available backends. |
|---|
| 26 | */ |
|---|
| 27 | |
|---|
| 28 | /* file contexts */ |
|---|
| 29 | #define SELABEL_CTX_FILE 0 |
|---|
| 30 | /* media contexts */ |
|---|
| 31 | #define SELABEL_CTX_MEDIA 1 |
|---|
| 32 | /* x contexts */ |
|---|
| 33 | #define SELABEL_CTX_X 2 |
|---|
| 34 | /* db objects */ |
|---|
| 35 | #define SELABEL_CTX_DB 3 |
|---|
| 36 | /* Android property service contexts */ |
|---|
| 37 | #define SELABEL_CTX_ANDROID_PROP 4 |
|---|
| 38 | /* Android service contexts */ |
|---|
| 39 | #define SELABEL_CTX_ANDROID_SERVICE 5 |
|---|
| 40 | |
|---|
| 41 | /* |
|---|
| 42 | * Available options |
|---|
| 43 | */ |
|---|
| 44 | |
|---|
| 45 | /* no-op option, useful for unused slots in an array of options */ |
|---|
| 46 | #define SELABEL_OPT_UNUSED 0 |
|---|
| 47 | /* validate contexts before returning them (boolean value) */ |
|---|
| 48 | #define SELABEL_OPT_VALIDATE 1 |
|---|
| 49 | /* don't use local customizations to backend data (boolean value) */ |
|---|
| 50 | #define SELABEL_OPT_BASEONLY 2 |
|---|
| 51 | /* specify an alternate path to use when loading backend data */ |
|---|
| 52 | #define SELABEL_OPT_PATH 3 |
|---|
| 53 | /* select a subset of the search space as an optimization (file backend) */ |
|---|
| 54 | #define SELABEL_OPT_SUBSET 4 |
|---|
| 55 | /* require a hash calculation on spec files */ |
|---|
| 56 | #define SELABEL_OPT_DIGEST 5 |
|---|
| 57 | /* total number of options */ |
|---|
| 58 | #define SELABEL_NOPT 6 |
|---|
| 59 | |
|---|
| 60 | /* |
|---|
| 61 | * Label operations |
|---|
| 62 | */ |
|---|
| 63 | |
|---|
| 64 | /** |
|---|
| 65 | * selabel_open - Create a labeling handle. |
|---|
| 66 | * @backend: one of the constants specifying a supported labeling backend. |
|---|
| 67 | * @opts: array of selabel_opt structures specifying label options or NULL. |
|---|
| 68 | * @nopts: number of elements in opts array or zero for no options. |
|---|
| 69 | * |
|---|
| 70 | * Open a labeling backend for use. The available backend identifiers are |
|---|
| 71 | * listed above. Options may be provided via the opts parameter; available |
|---|
| 72 | * options are listed above. Not all options may be supported by every |
|---|
| 73 | * backend. Return value is the created handle on success or NULL with |
|---|
| 74 | * @errno set on failure. |
|---|
| 75 | */ |
|---|
| 76 | extern struct selabel_handle *selabel_open(unsigned int backend, |
|---|
| 77 | const struct selinux_opt *opts, |
|---|
| 78 | unsigned nopts); |
|---|
| 79 | |
|---|
| 80 | /** |
|---|
| 81 | * selabel_close - Close a labeling handle. |
|---|
| 82 | * @handle: specifies handle to close |
|---|
| 83 | * |
|---|
| 84 | * Destroy the specified handle, closing files, freeing allocated memory, |
|---|
| 85 | * etc. The handle may not be further used after it has been closed. |
|---|
| 86 | */ |
|---|
| 87 | extern void selabel_close(struct selabel_handle *handle); |
|---|
| 88 | |
|---|
| 89 | /** |
|---|
| 90 | * selabel_lookup - Perform labeling lookup operation. |
|---|
| 91 | * @handle: specifies backend instance to query |
|---|
| 92 | * @con: returns the appropriate context with which to label the object |
|---|
| 93 | * @key: string input to lookup operation |
|---|
| 94 | * @type: numeric input to the lookup operation |
|---|
| 95 | * |
|---|
| 96 | * Perform a labeling lookup operation. Return %0 on success, -%1 with |
|---|
| 97 | * @errno set on failure. The key and type arguments are the inputs to the |
|---|
| 98 | * lookup operation; appropriate values are dictated by the backend in use. |
|---|
| 99 | * The result is returned in the memory pointed to by @con and must be freed |
|---|
| 100 | * by the user with freecon(). |
|---|
| 101 | */ |
|---|
| 102 | extern int selabel_lookup(struct selabel_handle *handle, char **con, |
|---|
| 103 | const char *key, int type); |
|---|
| 104 | extern int selabel_lookup_raw(struct selabel_handle *handle, char **con, |
|---|
| 105 | const char *key, int type); |
|---|
| 106 | |
|---|
| 107 | extern bool selabel_partial_match(struct selabel_handle *handle, const char *key); |
|---|
| 108 | |
|---|
| 109 | extern bool selabel_get_digests_all_partial_matches(struct selabel_handle *rec, |
|---|
| 110 | const char *key, |
|---|
| 111 | uint8_t **calculated_digest, |
|---|
| 112 | uint8_t **xattr_digest, |
|---|
| 113 | size_t *digest_len); |
|---|
| 114 | extern bool selabel_hash_all_partial_matches(struct selabel_handle *rec, |
|---|
| 115 | const char *key, uint8_t* digest); |
|---|
| 116 | |
|---|
| 117 | extern int selabel_lookup_best_match(struct selabel_handle *rec, char **con, |
|---|
| 118 | const char *key, const char **aliases, int type); |
|---|
| 119 | extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con, |
|---|
| 120 | const char *key, const char **aliases, int type); |
|---|
| 121 | |
|---|
| 122 | /** |
|---|
| 123 | * selabel_digest - Retrieve the SHA1 digest and the list of specfiles used to |
|---|
| 124 | * generate the digest. The SELABEL_OPT_DIGEST option must |
|---|
| 125 | * be set in selabel_open() to initiate the digest generation. |
|---|
| 126 | * @handle: specifies backend instance to query |
|---|
| 127 | * @digest: returns a pointer to the SHA1 digest. |
|---|
| 128 | * @digest_len: returns length of digest in bytes. |
|---|
| 129 | * @specfiles: a list of specfiles used in the SHA1 digest generation. |
|---|
| 130 | * The list is NULL terminated and will hold @num_specfiles entries. |
|---|
| 131 | * @num_specfiles: number of specfiles in the list. |
|---|
| 132 | * |
|---|
| 133 | * Return %0 on success, -%1 with @errno set on failure. |
|---|
| 134 | */ |
|---|
| 135 | extern int selabel_digest(struct selabel_handle *rec, |
|---|
| 136 | unsigned char **digest, size_t *digest_len, |
|---|
| 137 | char ***specfiles, size_t *num_specfiles); |
|---|
| 138 | |
|---|
| 139 | enum selabel_cmp_result { |
|---|
| 140 | SELABEL_SUBSET, |
|---|
| 141 | SELABEL_EQUAL, |
|---|
| 142 | SELABEL_SUPERSET, |
|---|
| 143 | SELABEL_INCOMPARABLE |
|---|
| 144 | }; |
|---|
| 145 | |
|---|
| 146 | /** |
|---|
| 147 | * selabel_cmp - Compare two label configurations. |
|---|
| 148 | * @h1: handle for the first label configuration |
|---|
| 149 | * @h2: handle for the first label configuration |
|---|
| 150 | * |
|---|
| 151 | * Compare two label configurations. |
|---|
| 152 | * Return %SELABEL_SUBSET if @h1 is a subset of @h2, %SELABEL_EQUAL |
|---|
| 153 | * if @h1 is identical to @h2, %SELABEL_SUPERSET if @h1 is a superset |
|---|
| 154 | * of @h2, and %SELABEL_INCOMPARABLE if @h1 and @h2 are incomparable. |
|---|
| 155 | */ |
|---|
| 156 | extern enum selabel_cmp_result selabel_cmp(struct selabel_handle *h1, |
|---|
| 157 | struct selabel_handle *h2); |
|---|
| 158 | |
|---|
| 159 | /** |
|---|
| 160 | * selabel_stats - log labeling operation statistics. |
|---|
| 161 | * @handle: specifies backend instance to query |
|---|
| 162 | * |
|---|
| 163 | * Log a message with information about the number of queries performed, |
|---|
| 164 | * number of unused matching entries, or other operational statistics. |
|---|
| 165 | * Message is backend-specific, some backends may not output a message. |
|---|
| 166 | */ |
|---|
| 167 | extern void selabel_stats(struct selabel_handle *handle); |
|---|
| 168 | |
|---|
| 169 | /* |
|---|
| 170 | * Type codes used by specific backends |
|---|
| 171 | */ |
|---|
| 172 | |
|---|
| 173 | /* X backend */ |
|---|
| 174 | #define SELABEL_X_PROP 1 |
|---|
| 175 | #define SELABEL_X_EXT 2 |
|---|
| 176 | #define SELABEL_X_CLIENT 3 |
|---|
| 177 | #define SELABEL_X_EVENT 4 |
|---|
| 178 | #define SELABEL_X_SELN 5 |
|---|
| 179 | #define SELABEL_X_POLYPROP 6 |
|---|
| 180 | #define SELABEL_X_POLYSELN 7 |
|---|
| 181 | |
|---|
| 182 | /* DB backend */ |
|---|
| 183 | #define SELABEL_DB_DATABASE 1 |
|---|
| 184 | #define SELABEL_DB_SCHEMA 2 |
|---|
| 185 | #define SELABEL_DB_TABLE 3 |
|---|
| 186 | #define SELABEL_DB_COLUMN 4 |
|---|
| 187 | #define SELABEL_DB_SEQUENCE 5 |
|---|
| 188 | #define SELABEL_DB_VIEW 6 |
|---|
| 189 | #define SELABEL_DB_PROCEDURE 7 |
|---|
| 190 | #define SELABEL_DB_BLOB 8 |
|---|
| 191 | #define SELABEL_DB_TUPLE 9 |
|---|
| 192 | #define SELABEL_DB_LANGUAGE 10 |
|---|
| 193 | #define SELABEL_DB_EXCEPTION 11 |
|---|
| 194 | #define SELABEL_DB_DATATYPE 12 |
|---|
| 195 | |
|---|
| 196 | #ifdef __cplusplus |
|---|
| 197 | } |
|---|
| 198 | #endif |
|---|
| 199 | #endif /* _SELABEL_H_ */ |
|---|
| 200 | |
|---|
