Re-organize folders
This commit is contained in:
parent
b614b06736
commit
bb5a6a1c28
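--- a/.gitmodules
+++ b/.gitmodules
@@ -1,11 +1,11 @@
 [submodule "jni/selinux"]
-path = jni/selinux
+path = jni/external/selinux
 url = https://github.com/topjohnwu/selinux.git
 [submodule "jni/su"]
 path = jni/su
 url = https://github.com/topjohnwu/MagiskSU.git
 [submodule "jni/ndk-compression"]
-path = jni/ndk-compression
+path = jni/external/ndk-compression
 url = https://github.com/topjohnwu/ndk-compression.git
 [submodule "jni/magiskpolicy"]
 path = jni/magiskpolicy
@@ -14,5 +14,5 @@
 path = MagiskManager
 url = https://github.com/topjohnwu/MagiskManager.git
 [submodule "jni/busybox"]
-path = jni/busybox
+path = jni/external/busybox
 url = https://github.com/topjohnwu/ndk-busybox.git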
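Review bot: The submodule section names still carry the old locations (`[submodule "jni/selinux"]`, `[submodule "jni/ndk-compression"]`, `[submodule "jni/busybox"]`) while their `path` values now point under `jni/external/`. Git keys each submodule by that name, so the mismatch does not break the build, but it will confuse anyone reading `git submodule status` or `.git/config` later. Renaming the sections to match the new paths, e.g. `[submodule "jni/external/selinux"]`, keeps the two in step, at the cost of existing checkouts needing a `git submodule sync`; if that cost is not wanted, a one-line comment above the first section noting that names are historical would do.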
@ -1,5 +1,16 @@
|
|||||||
LOCAL_PATH := $(call my-dir)
|
LOCAL_PATH := $(call my-dir)
|
||||||
|
|
||||||
|
# Some handy paths
|
||||||
|
JNI_ROOT := jni
|
||||||
|
SELINUX_PATH := jni/external/selinux
|
||||||
|
COMPRESS_LIB := jni/external/ndk-compression
|
||||||
|
LIBSELINUX := $(SELINUX_PATH)/libselinux/include
|
||||||
|
LIBSEPOL := $(SELINUX_PATH)/libsepol/include $(SELINUX_PATH)/libsepol/cil/include
|
||||||
|
LIBZ := $(COMPRESS_LIB)/zlib
|
||||||
|
LIBLZMA := $(COMPRESS_LIB)/xz/src/liblzma/api
|
||||||
|
LIBLZ4 := $(COMPRESS_LIB)/lz4/lib
|
||||||
|
LIBBZ2 := $(COMPRESS_LIB)/bzip2
|
||||||
|
|
||||||
########################
|
########################
|
||||||
# Binaries
|
# Binaries
|
||||||
########################
|
########################
|
||||||
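Review bot: `JNI_ROOT := jni` is introduced here but nothing in this hunk uses it; `SELINUX_PATH` and `COMPRESS_LIB` repeat the `jni/` prefix literally, as do the `jni/include`, `jni/external` and `jni/magiskboot` entries in the two include-list hunks that follow and the busybox include further down. Deriving them — `SELINUX_PATH := $(JNI_ROOT)/external/selinux` and `COMPRESS_LIB := $(JNI_ROOT)/external/ndk-compression` — means a future move touches one line instead of eight. These literals also replaced `$(LOCAL_PATH)/...` in the include lists, so they now resolve relative to make's working directory rather than to this file; that matches how the busybox include was already written, but the assumption deserves a comment such as `# paths below are relative to make's working directory, not $(LOCAL_PATH)` above the variable block. The file header for this section is missing from the page; the hunk reads as the top of jni/Android.mk.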
@ -11,10 +22,10 @@ LOCAL_STATIC_LIBRARIES := libsepol
|
|||||||
LOCAL_SHARED_LIBRARIES := libsqlite libselinux
|
LOCAL_SHARED_LIBRARIES := libsqlite libselinux
|
||||||
|
|
||||||
LOCAL_C_INCLUDES := \
|
LOCAL_C_INCLUDES := \
|
||||||
$(LOCAL_PATH)/include \
|
jni/include \
|
||||||
$(LOCAL_PATH)/external \
|
jni/external \
|
||||||
$(LOCAL_PATH)/selinux/libsepol/include \
|
$(LIBSELINUX) \
|
||||||
$(LOCAL_PATH)/selinux/libsepol/cil/include
|
$(LIBSEPOL)
|
||||||
|
|
||||||
LOCAL_SRC_FILES := \
|
LOCAL_SRC_FILES := \
|
||||||
daemon/magisk.c \
|
daemon/magisk.c \
|
||||||
@ -55,12 +66,12 @@ include $(CLEAR_VARS)
|
|||||||
LOCAL_MODULE := magiskboot
|
LOCAL_MODULE := magiskboot
|
||||||
LOCAL_STATIC_LIBRARIES := libz liblzma liblz4 libbz2
|
LOCAL_STATIC_LIBRARIES := libz liblzma liblz4 libbz2
|
||||||
LOCAL_C_INCLUDES := \
|
LOCAL_C_INCLUDES := \
|
||||||
$(LOCAL_PATH)/magiskboot \
|
jni/magiskboot \
|
||||||
$(LOCAL_PATH)/include \
|
jni/include \
|
||||||
$(LOCAL_PATH)/ndk-compression/zlib \
|
$(LIBZ) \
|
||||||
$(LOCAL_PATH)/ndk-compression/xz/src/liblzma/api \
|
$(LIBLZMA) \
|
||||||
$(LOCAL_PATH)/ndk-compression/lz4/lib \
|
$(LIBLZ4) \
|
||||||
$(LOCAL_PATH)/ndk-compression/bzip2
|
$(LIBBZ2)
|
||||||
|
|
||||||
LOCAL_SRC_FILES := \
|
LOCAL_SRC_FILES := \
|
||||||
magiskboot/main.c \
|
magiskboot/main.c \
|
||||||
@ -92,27 +103,16 @@ ifneq ($(TARGET_ARCH_ABI), arm64-v8a)
|
|||||||
include $(CLEAR_VARS)
|
include $(CLEAR_VARS)
|
||||||
LOCAL_MODULE := b64xz
|
LOCAL_MODULE := b64xz
|
||||||
LOCAL_STATIC_LIBRARIES := liblzma
|
LOCAL_STATIC_LIBRARIES := liblzma
|
||||||
LOCAL_C_INCLUDES := $(LOCAL_PATH)/ndk-compression/xz/src/liblzma/api
|
LOCAL_C_INCLUDES := $(LIBLZMA)
|
||||||
LOCAL_SRC_FILES := b64xz.c
|
LOCAL_SRC_FILES := b64xz.c
|
||||||
LOCAL_LDFLAGS := -static
|
LOCAL_LDFLAGS := -static
|
||||||
include $(BUILD_EXECUTABLE)
|
include $(BUILD_EXECUTABLE)
|
||||||
# Busybox
|
# Busybox
|
||||||
include jni/busybox/Android.mk
|
include jni/external/busybox/Android.mk
|
||||||
endif
|
endif
|
||||||
endif
|
endif
|
||||||
|
|
||||||
########################
|
########################
|
||||||
# Libraries
|
# Externals
|
||||||
########################
|
########################
|
||||||
|
|
||||||
# External shared libraries, include stub libselinux and libsqlite
|
|
||||||
include jni/external/Android.mk
|
include jni/external/Android.mk
|
||||||
|
|
||||||
# libsepol, static library
|
|
||||||
include jni/selinux/libsepol/Android.mk
|
|
||||||
|
|
||||||
# Compression libraries for magiskboot
|
|
||||||
include jni/ndk-compression/zlib/Android.mk
|
|
||||||
include jni/ndk-compression/xz/src/liblzma/Android.mk
|
|
||||||
include jni/ndk-compression/lz4/lib/Android.mk
|
|
||||||
include jni/ndk-compression/bzip2/Android.mk
|
|
||||||
|
15
jni/external/Android.mk
15
jni/external/Android.mk
@ -1,13 +1,24 @@
|
|||||||
LOCAL_PATH:= $(call my-dir)
|
LOCAL_PATH:= $(call my-dir)
|
||||||
|
EXTERNAL := $(LOCAL_PATH)
|
||||||
|
|
||||||
# libsqlite.so (stub)
|
# libsqlite.so (stub)
|
||||||
include $(CLEAR_VARS)
|
include $(CLEAR_VARS)
|
||||||
LOCAL_MODULE:= libsqlite
|
LOCAL_MODULE:= libsqlite
|
||||||
LOCAL_SRC_FILES := sqlite3_stub.c
|
LOCAL_SRC_FILES := stubs/sqlite3_stub.c
|
||||||
include $(BUILD_SHARED_LIBRARY)
|
include $(BUILD_SHARED_LIBRARY)
|
||||||
|
|
||||||
# libselinux.so (stub)
|
# libselinux.so (stub)
|
||||||
include $(CLEAR_VARS)
|
include $(CLEAR_VARS)
|
||||||
LOCAL_MODULE:= libselinux
|
LOCAL_MODULE:= libselinux
|
||||||
LOCAL_SRC_FILES := selinux_stub.c
|
LOCAL_C_INCLUDES := $(LIBSELINUX)
|
||||||
|
LOCAL_SRC_FILES := stubs/selinux_stub.c
|
||||||
include $(BUILD_SHARED_LIBRARY)
|
include $(BUILD_SHARED_LIBRARY)
|
||||||
|
|
||||||
|
# libsepol, static library
|
||||||
|
include $(SELINUX_PATH)/libsepol/Android.mk
|
||||||
|
|
||||||
|
# Compression libraries for magiskboot
|
||||||
|
include $(COMPRESS_LIB)/zlib/Android.mk
|
||||||
|
include $(COMPRESS_LIB)/xz/src/liblzma/Android.mk
|
||||||
|
include $(COMPRESS_LIB)/lz4/lib/Android.mk
|
||||||
|
include $(COMPRESS_LIB)/bzip2/Android.mk
|
||||||
|
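Review bot: This file now depends on `SELINUX_PATH`, `COMPRESS_LIB` and `LIBSELINUX` being set by whichever Android.mk includes it, and with `SELINUX_PATH` unset the new `include $(SELINUX_PATH)/libsepol/Android.mk` becomes `include /libsepol/Android.mk`, failing with an error that names the wrong path. A guard at the top makes the contract explicit: `ifeq ($(strip $(SELINUX_PATH)),)` / `$(error SELINUX_PATH is unset; include this file from jni/Android.mk)` / `endif`. `EXTERNAL := $(LOCAL_PATH)` is also captured but unused in this hunk; presumably it is meant for restoring `LOCAL_PATH := $(EXTERNAL)` after the included sub-Android.mk files reassign `LOCAL_PATH`, so a short comment saying so, or dropping it if no module follows the includes, would help. The hunk ends at the last include, so whether anything follows is not visible here.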
0
jni/busybox → jni/external/busybox
0
jni/busybox → jni/external/busybox
0
jni/selinux → jni/external/selinux
0
jni/selinux → jni/external/selinux
1029
jni/external/selinux/av_permissions.h
1029
jni/external/selinux/av_permissions.h
511
jni/external/selinux/avc.h
511
jni/external/selinux/avc.h
@ -1,511 +0,0 @@
|
|||||||
/*
|
|
||||||
* Access vector cache interface for object managers.
|
|
||||||
*
|
|
||||||
* Author : Eamon Walsh <ewalsh@epoch.ncsc.mil>
|
|
||||||
*/
|
|
||||||
#ifndef _SELINUX_AVC_H_
|
|
||||||
#define _SELINUX_AVC_H_
|
|
||||||
|
|
||||||
#include <stdint.h>
|
|
||||||
#include <errno.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <selinux/selinux.h>
|
|
||||||
|
|
||||||
#ifdef __cplusplus
|
|
||||||
extern "C" {
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/*
|
|
||||||
* SID format and operations
|
|
||||||
*/
|
|
||||||
struct security_id {
|
|
||||||
char * ctx;
|
|
||||||
unsigned int refcnt;
|
|
||||||
};
|
|
||||||
typedef struct security_id *security_id_t;
|
|
||||||
|
|
||||||
#define SECSID_WILD (security_id_t)NULL /* unspecified SID */
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_sid_to_context - get copy of context corresponding to SID.
|
|
||||||
* @sid: input SID
|
|
||||||
* @ctx: pointer to context reference
|
|
||||||
*
|
|
||||||
* Return a copy of the security context corresponding to the input
|
|
||||||
* @sid in the memory referenced by @ctx. The caller is expected to
|
|
||||||
* free the context with freecon(). Return %0 on success, -%1 on
|
|
||||||
* failure, with @errno set to %ENOMEM if insufficient memory was
|
|
||||||
* available to make the copy, or %EINVAL if the input SID is invalid.
|
|
||||||
*/
|
|
||||||
int avc_sid_to_context(security_id_t sid, char ** ctx);
|
|
||||||
int avc_sid_to_context_raw(security_id_t sid, char ** ctx);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_context_to_sid - get SID for context.
|
|
||||||
* @ctx: input security context
|
|
||||||
* @sid: pointer to SID reference
|
|
||||||
*
|
|
||||||
* Look up security context @ctx in SID table, making
|
|
||||||
* a new entry if @ctx is not found. Increment the
|
|
||||||
* reference counter for the SID. Store a pointer
|
|
||||||
* to the SID structure into the memory referenced by @sid,
|
|
||||||
* returning %0 on success or -%1 on error with @errno set.
|
|
||||||
*/
|
|
||||||
int avc_context_to_sid(const char * ctx, security_id_t * sid);
|
|
||||||
int avc_context_to_sid_raw(const char * ctx, security_id_t * sid);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* sidget - increment SID reference counter.
|
|
||||||
* @sid: SID reference
|
|
||||||
*
|
|
||||||
* Increment the reference counter for @sid, indicating that
|
|
||||||
* @sid is in use by an (additional) object. Return the
|
|
||||||
* new reference count, or zero if @sid is invalid (has zero
|
|
||||||
* reference count). Note that avc_context_to_sid() also
|
|
||||||
* increments reference counts.
|
|
||||||
*/
|
|
||||||
int sidget(security_id_t sid);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* sidput - decrement SID reference counter.
|
|
||||||
* @sid: SID reference
|
|
||||||
*
|
|
||||||
* Decrement the reference counter for @sid, indicating that
|
|
||||||
* a reference to @sid is no longer in use. Return the
|
|
||||||
* new reference count. When the reference count reaches
|
|
||||||
* zero, the SID is invalid, and avc_context_to_sid() must
|
|
||||||
* be called to obtain a new SID for the security context.
|
|
||||||
*/
|
|
||||||
int sidput(security_id_t sid);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_get_initial_sid - get SID for an initial kernel security identifier
|
|
||||||
* @name: input name of initial kernel security identifier
|
|
||||||
* @sid: pointer to a SID reference
|
|
||||||
*
|
|
||||||
* Get the context for an initial kernel security identifier specified by
|
|
||||||
* @name using security_get_initial_context() and then call
|
|
||||||
* avc_context_to_sid() to get the corresponding SID.
|
|
||||||
*/
|
|
||||||
int avc_get_initial_sid(const char *name, security_id_t * sid);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* AVC entry
|
|
||||||
*/
|
|
||||||
struct avc_entry;
|
|
||||||
struct avc_entry_ref {
|
|
||||||
struct avc_entry *ae;
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_entry_ref_init - initialize an AVC entry reference.
|
|
||||||
* @aeref: pointer to avc entry reference structure
|
|
||||||
*
|
|
||||||
* Use this macro to initialize an avc entry reference structure
|
|
||||||
* before first use. These structures are passed to avc_has_perm(),
|
|
||||||
* which stores cache entry references in them. They can increase
|
|
||||||
* performance on repeated queries.
|
|
||||||
*/
|
|
||||||
#define avc_entry_ref_init(aeref) ((aeref)->ae = NULL)
|
|
||||||
|
|
||||||
/*
|
|
||||||
* User-provided callbacks for memory, auditing, and locking
|
|
||||||
*/
|
|
||||||
|
|
||||||
/* These structures are passed by reference to avc_init(). Passing
|
|
||||||
* a NULL reference will cause the AVC to use a default. The default
|
|
||||||
* memory callbacks are malloc() and free(). The default logging method
|
|
||||||
* is to print on stderr. If no thread callbacks are passed, a separate
|
|
||||||
* listening thread won't be started for kernel policy change messages.
|
|
||||||
* If no locking callbacks are passed, no locking will take place.
|
|
||||||
*/
|
|
||||||
struct avc_memory_callback {
|
|
||||||
/* malloc() equivalent. */
|
|
||||||
void *(*func_malloc) (size_t size);
|
|
||||||
/* free() equivalent. */
|
|
||||||
void (*func_free) (void *ptr);
|
|
||||||
/* Note that these functions should set errno on failure.
|
|
||||||
If not, some avc routines may return -1 without errno set. */
|
|
||||||
};
|
|
||||||
|
|
||||||
struct avc_log_callback {
|
|
||||||
/* log the printf-style format and arguments. */
|
|
||||||
void
|
|
||||||
#ifdef __GNUC__
|
|
||||||
__attribute__ ((format(printf, 1, 2)))
|
|
||||||
#endif
|
|
||||||
(*func_log) (const char *fmt, ...);
|
|
||||||
/* store a string representation of auditdata (corresponding
|
|
||||||
to the given security class) into msgbuf. */
|
|
||||||
void (*func_audit) (void *auditdata, security_class_t cls,
|
|
||||||
char *msgbuf, size_t msgbufsize);
|
|
||||||
};
|
|
||||||
|
|
||||||
struct avc_thread_callback {
|
|
||||||
/* create and start a thread, returning an opaque pointer to it;
|
|
||||||
the thread should run the given function. */
|
|
||||||
void *(*func_create_thread) (void (*run) (void));
|
|
||||||
/* cancel a given thread and free its resources. */
|
|
||||||
void (*func_stop_thread) (void *thread);
|
|
||||||
};
|
|
||||||
|
|
||||||
struct avc_lock_callback {
|
|
||||||
/* create a lock and return an opaque pointer to it. */
|
|
||||||
void *(*func_alloc_lock) (void);
|
|
||||||
/* obtain a given lock, blocking if necessary. */
|
|
||||||
void (*func_get_lock) (void *lock);
|
|
||||||
/* release a given lock. */
|
|
||||||
void (*func_release_lock) (void *lock);
|
|
||||||
/* destroy a given lock (free memory, etc.) */
|
|
||||||
void (*func_free_lock) (void *lock);
|
|
||||||
};
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Available options
|
|
||||||
*/
|
|
||||||
|
|
||||||
/* no-op option, useful for unused slots in an array of options */
|
|
||||||
#define AVC_OPT_UNUSED 0
|
|
||||||
/* override kernel enforcing mode (boolean value) */
|
|
||||||
#define AVC_OPT_SETENFORCE 1
|
|
||||||
|
|
||||||
/*
|
|
||||||
* AVC operations
|
|
||||||
*/
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_init - Initialize the AVC.
|
|
||||||
* @msgprefix: prefix for log messages
|
|
||||||
* @mem_callbacks: user-supplied memory callbacks
|
|
||||||
* @log_callbacks: user-supplied logging callbacks
|
|
||||||
* @thread_callbacks: user-supplied threading callbacks
|
|
||||||
* @lock_callbacks: user-supplied locking callbacks
|
|
||||||
*
|
|
||||||
* Initialize the access vector cache. Return %0 on
|
|
||||||
* success or -%1 with @errno set on failure.
|
|
||||||
* If @msgprefix is NULL, use "uavc". If any callback
|
|
||||||
* structure references are NULL, use default methods
|
|
||||||
* for those callbacks (see the definition of the callback
|
|
||||||
* structures above).
|
|
||||||
*/
|
|
||||||
int avc_init(const char *msgprefix,
|
|
||||||
const struct avc_memory_callback *mem_callbacks,
|
|
||||||
const struct avc_log_callback *log_callbacks,
|
|
||||||
const struct avc_thread_callback *thread_callbacks,
|
|
||||||
const struct avc_lock_callback *lock_callbacks);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_open - Initialize the AVC.
|
|
||||||
* @opts: array of selabel_opt structures specifying AVC options or NULL.
|
|
||||||
* @nopts: number of elements in opts array or zero for no options.
|
|
||||||
*
|
|
||||||
* This function is identical to avc_init(), except the message prefix
|
|
||||||
* is set to "avc" and any callbacks desired should be specified via
|
|
||||||
* selinux_set_callback(). Available options are listed above.
|
|
||||||
*/
|
|
||||||
int avc_open(struct selinux_opt *opts, unsigned nopts);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_cleanup - Remove unused SIDs and AVC entries.
|
|
||||||
*
|
|
||||||
* Search the SID table for SID structures with zero
|
|
||||||
* reference counts, and remove them along with all
|
|
||||||
* AVC entries that reference them. This can be used
|
|
||||||
* to return memory to the system.
|
|
||||||
*/
|
|
||||||
void avc_cleanup(void);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_reset - Flush the cache and reset statistics.
|
|
||||||
*
|
|
||||||
* Remove all entries from the cache and reset all access
|
|
||||||
* statistics (as returned by avc_cache_stats()) to zero.
|
|
||||||
* The SID mapping is not affected. Return %0 on success,
|
|
||||||
* -%1 with @errno set on error.
|
|
||||||
*/
|
|
||||||
int avc_reset(void);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_destroy - Free all AVC structures.
|
|
||||||
*
|
|
||||||
* Destroy all AVC structures and free all allocated
|
|
||||||
* memory. User-supplied locking, memory, and audit
|
|
||||||
* callbacks will be retained, but security-event
|
|
||||||
* callbacks will not. All SID's will be invalidated.
|
|
||||||
* User must call avc_init() if further use of AVC is desired.
|
|
||||||
*/
|
|
||||||
void avc_destroy(void);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_has_perm_noaudit - Check permissions but perform no auditing.
|
|
||||||
* @ssid: source security identifier
|
|
||||||
* @tsid: target security identifier
|
|
||||||
* @tclass: target security class
|
|
||||||
* @requested: requested permissions, interpreted based on @tclass
|
|
||||||
* @aeref: AVC entry reference
|
|
||||||
* @avd: access vector decisions
|
|
||||||
*
|
|
||||||
* Check the AVC to determine whether the @requested permissions are granted
|
|
||||||
* for the SID pair (@ssid, @tsid), interpreting the permissions
|
|
||||||
* based on @tclass, and call the security server on a cache miss to obtain
|
|
||||||
* a new decision and add it to the cache. Update @aeref to refer to an AVC
|
|
||||||
* entry with the resulting decisions, and return a copy of the decisions
|
|
||||||
* in @avd. Return %0 if all @requested permissions are granted, -%1 with
|
|
||||||
* @errno set to %EACCES if any permissions are denied, or to another value
|
|
||||||
* upon other errors. This function is typically called by avc_has_perm(),
|
|
||||||
* but may also be called directly to separate permission checking from
|
|
||||||
* auditing, e.g. in cases where a lock must be held for the check but
|
|
||||||
* should be released for the auditing.
|
|
||||||
*/
|
|
||||||
int avc_has_perm_noaudit(security_id_t ssid,
|
|
||||||
security_id_t tsid,
|
|
||||||
security_class_t tclass,
|
|
||||||
access_vector_t requested,
|
|
||||||
struct avc_entry_ref *aeref, struct av_decision *avd);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_has_perm - Check permissions and perform any appropriate auditing.
|
|
||||||
* @ssid: source security identifier
|
|
||||||
* @tsid: target security identifier
|
|
||||||
* @tclass: target security class
|
|
||||||
* @requested: requested permissions, interpreted based on @tclass
|
|
||||||
* @aeref: AVC entry reference
|
|
||||||
* @auditdata: auxiliary audit data
|
|
||||||
*
|
|
||||||
* Check the AVC to determine whether the @requested permissions are granted
|
|
||||||
* for the SID pair (@ssid, @tsid), interpreting the permissions
|
|
||||||
* based on @tclass, and call the security server on a cache miss to obtain
|
|
||||||
* a new decision and add it to the cache. Update @aeref to refer to an AVC
|
|
||||||
* entry with the resulting decisions. Audit the granting or denial of
|
|
||||||
* permissions in accordance with the policy. Return %0 if all @requested
|
|
||||||
* permissions are granted, -%1 with @errno set to %EACCES if any permissions
|
|
||||||
* are denied or to another value upon other errors.
|
|
||||||
*/
|
|
||||||
int avc_has_perm(security_id_t ssid, security_id_t tsid,
|
|
||||||
security_class_t tclass, access_vector_t requested,
|
|
||||||
struct avc_entry_ref *aeref, void *auditdata);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_audit - Audit the granting or denial of permissions.
|
|
||||||
* @ssid: source security identifier
|
|
||||||
* @tsid: target security identifier
|
|
||||||
* @tclass: target security class
|
|
||||||
* @requested: requested permissions
|
|
||||||
* @avd: access vector decisions
|
|
||||||
* @result: result from avc_has_perm_noaudit
|
|
||||||
* @auditdata: auxiliary audit data
|
|
||||||
*
|
|
||||||
* Audit the granting or denial of permissions in accordance
|
|
||||||
* with the policy. This function is typically called by
|
|
||||||
* avc_has_perm() after a permission check, but can also be
|
|
||||||
* called directly by callers who use avc_has_perm_noaudit()
|
|
||||||
* in order to separate the permission check from the auditing.
|
|
||||||
* For example, this separation is useful when the permission check must
|
|
||||||
* be performed under a lock, to allow the lock to be released
|
|
||||||
* before calling the auditing code.
|
|
||||||
*/
|
|
||||||
void avc_audit(security_id_t ssid, security_id_t tsid,
|
|
||||||
security_class_t tclass, access_vector_t requested,
|
|
||||||
struct av_decision *avd, int result, void *auditdata);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_compute_create - Compute SID for labeling a new object.
|
|
||||||
* @ssid: source security identifier
|
|
||||||
* @tsid: target security identifier
|
|
||||||
* @tclass: target security class
|
|
||||||
* @newsid: pointer to SID reference
|
|
||||||
*
|
|
||||||
* Call the security server to obtain a context for labeling a
|
|
||||||
* new object. Look up the context in the SID table, making
|
|
||||||
* a new entry if not found. Increment the reference counter
|
|
||||||
* for the SID. Store a pointer to the SID structure into the
|
|
||||||
* memory referenced by @newsid, returning %0 on success or -%1 on
|
|
||||||
* error with @errno set.
|
|
||||||
*/
|
|
||||||
int avc_compute_create(security_id_t ssid,
|
|
||||||
security_id_t tsid,
|
|
||||||
security_class_t tclass, security_id_t * newsid);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_compute_member - Compute SID for polyinstantation.
|
|
||||||
* @ssid: source security identifier
|
|
||||||
* @tsid: target security identifier
|
|
||||||
* @tclass: target security class
|
|
||||||
* @newsid: pointer to SID reference
|
|
||||||
*
|
|
||||||
* Call the security server to obtain a context for labeling an
|
|
||||||
* object instance. Look up the context in the SID table, making
|
|
||||||
* a new entry if not found. Increment the reference counter
|
|
||||||
* for the SID. Store a pointer to the SID structure into the
|
|
||||||
* memory referenced by @newsid, returning %0 on success or -%1 on
|
|
||||||
* error with @errno set.
|
|
||||||
*/
|
|
||||||
int avc_compute_member(security_id_t ssid,
|
|
||||||
security_id_t tsid,
|
|
||||||
security_class_t tclass, security_id_t * newsid);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* security event callback facility
|
|
||||||
*/
|
|
||||||
|
|
||||||
/* security events */
|
|
||||||
#define AVC_CALLBACK_GRANT 1
|
|
||||||
#define AVC_CALLBACK_TRY_REVOKE 2
|
|
||||||
#define AVC_CALLBACK_REVOKE 4
|
|
||||||
#define AVC_CALLBACK_RESET 8
|
|
||||||
#define AVC_CALLBACK_AUDITALLOW_ENABLE 16
|
|
||||||
#define AVC_CALLBACK_AUDITALLOW_DISABLE 32
|
|
||||||
#define AVC_CALLBACK_AUDITDENY_ENABLE 64
|
|
||||||
#define AVC_CALLBACK_AUDITDENY_DISABLE 128
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_add_callback - Register a callback for security events.
|
|
||||||
* @callback: callback function
|
|
||||||
* @events: bitwise OR of desired security events
|
|
||||||
* @ssid: source security identifier or %SECSID_WILD
|
|
||||||
* @tsid: target security identifier or %SECSID_WILD
|
|
||||||
* @tclass: target security class
|
|
||||||
* @perms: permissions
|
|
||||||
*
|
|
||||||
* Register a callback function for events in the set @events
|
|
||||||
* related to the SID pair (@ssid, @tsid) and
|
|
||||||
* and the permissions @perms, interpreting
|
|
||||||
* @perms based on @tclass. Returns %0 on success or
|
|
||||||
* -%1 if insufficient memory exists to add the callback.
|
|
||||||
*/
|
|
||||||
int avc_add_callback(int (*callback)
|
|
||||||
(uint32_t event, security_id_t ssid,
|
|
||||||
security_id_t tsid, security_class_t tclass,
|
|
||||||
access_vector_t perms,
|
|
||||||
access_vector_t * out_retained),
|
|
||||||
uint32_t events, security_id_t ssid,
|
|
||||||
security_id_t tsid, security_class_t tclass,
|
|
||||||
access_vector_t perms);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* AVC statistics
|
|
||||||
*/
|
|
||||||
|
|
||||||
/* If set, cache statistics are tracked. This may
|
|
||||||
* become a compile-time option in the future.
|
|
||||||
*/
|
|
||||||
#define AVC_CACHE_STATS 1
|
|
||||||
|
|
||||||
struct avc_cache_stats {
|
|
||||||
unsigned entry_lookups;
|
|
||||||
unsigned entry_hits;
|
|
||||||
unsigned entry_misses;
|
|
||||||
unsigned entry_discards;
|
|
||||||
unsigned cav_lookups;
|
|
||||||
unsigned cav_hits;
|
|
||||||
unsigned cav_probes;
|
|
||||||
unsigned cav_misses;
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_cache_stats - get cache access statistics.
|
|
||||||
* @stats: reference to statistics structure
|
|
||||||
*
|
|
||||||
* Fill the supplied structure with information about AVC
|
|
||||||
* activity since the last call to avc_init() or
|
|
||||||
* avc_reset(). See the structure definition for
|
|
||||||
* details.
|
|
||||||
*/
|
|
||||||
void avc_cache_stats(struct avc_cache_stats *stats);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_av_stats - log av table statistics.
|
|
||||||
*
|
|
||||||
* Log a message with information about the size and
|
|
||||||
* distribution of the access vector table. The audit
|
|
||||||
* callback is used to print the message.
|
|
||||||
*/
|
|
||||||
void avc_av_stats(void);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_sid_stats - log SID table statistics.
|
|
||||||
*
|
|
||||||
* Log a message with information about the size and
|
|
||||||
* distribution of the SID table. The audit callback
|
|
||||||
* is used to print the message.
|
|
||||||
*/
|
|
||||||
void avc_sid_stats(void);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_netlink_open - Create a netlink socket and connect to the kernel.
|
|
||||||
*/
|
|
||||||
int avc_netlink_open(int blocking);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_netlink_loop - Wait for netlink messages from the kernel
|
|
||||||
*/
|
|
||||||
void avc_netlink_loop(void);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_netlink_close - Close the netlink socket
|
|
||||||
*/
|
|
||||||
void avc_netlink_close(void);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_netlink_acquire_fd - Acquire netlink socket fd.
|
|
||||||
*
|
|
||||||
* Allows the application to manage messages from the netlink socket in
|
|
||||||
* its own main loop.
|
|
||||||
*/
|
|
||||||
int avc_netlink_acquire_fd(void);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_netlink_release_fd - Release netlink socket fd.
|
|
||||||
*
|
|
||||||
* Returns ownership of the netlink socket to the library.
|
|
||||||
*/
|
|
||||||
void avc_netlink_release_fd(void);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* avc_netlink_check_nb - Check netlink socket for new messages.
|
|
||||||
*
|
|
||||||
* Called by the application when using avc_netlink_acquire_fd() to
|
|
||||||
* process kernel netlink events.
|
|
||||||
*/
|
|
||||||
int avc_netlink_check_nb(void);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* selinux_status_open - Open and map SELinux kernel status page
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
int selinux_status_open(int fallback);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* selinux_status_close - Unmap and close SELinux kernel status page
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
void selinux_status_close(void);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* selinux_status_updated - Inform us whether the kernel status has been updated
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
int selinux_status_updated(void);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* selinux_status_getenforce - Get the enforce flag value
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
int selinux_status_getenforce(void);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* selinux_status_policyload - Get the number of policy reloaded
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
int selinux_status_policyload(void);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* selinux_status_deny_unknown - Get the behavior for undefined classes/permissions
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
int selinux_status_deny_unknown(void);
|
|
||||||
|
|
||||||
#ifdef __cplusplus
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
#endif /* _SELINUX_AVC_H_ */
|
|
50
jni/external/selinux/context.h
50
jni/external/selinux/context.h
@ -1,50 +0,0 @@
|
|||||||
#ifndef _SELINUX_CONTEXT_H_
|
|
||||||
#define _SELINUX_CONTEXT_H_
|
|
||||||
|
|
||||||
#ifdef __cplusplus
|
|
||||||
extern "C" {
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Functions to deal with security contexts in user space.
|
|
||||||
*/
|
|
||||||
|
|
||||||
typedef struct {
|
|
||||||
void *ptr;
|
|
||||||
} context_s_t;
|
|
||||||
|
|
||||||
typedef context_s_t *context_t;
|
|
||||||
|
|
||||||
/* Return a new context initialized to a context string */
|
|
||||||
|
|
||||||
extern context_t context_new(const char *);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Return a pointer to the string value of the context_t
|
|
||||||
* Valid until the next call to context_str or context_free
|
|
||||||
* for the same context_t*
|
|
||||||
*/
|
|
||||||
|
|
||||||
extern char *context_str(context_t);
|
|
||||||
|
|
||||||
/* Free the storage used by a context */
|
|
||||||
extern void context_free(context_t);
|
|
||||||
|
|
||||||
/* Get a pointer to the string value of a context component */
|
|
||||||
|
|
||||||
extern const char *context_type_get(context_t);
|
|
||||||
extern const char *context_range_get(context_t);
|
|
||||||
extern const char *context_role_get(context_t);
|
|
||||||
extern const char *context_user_get(context_t);
|
|
||||||
|
|
||||||
/* Set a context component. Returns nonzero if unsuccessful */
|
|
||||||
|
|
||||||
extern int context_type_set(context_t, const char *);
|
|
||||||
extern int context_range_set(context_t, const char *);
|
|
||||||
extern int context_role_set(context_t, const char *);
|
|
||||||
extern int context_user_set(context_t, const char *);
|
|
||||||
|
|
||||||
#ifdef __cplusplus
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
#endif
|
|
118
jni/external/selinux/flask.h
118
jni/external/selinux/flask.h
@ -1,118 +0,0 @@
|
|||||||
/* This file is automatically generated. Do not edit. */
|
|
||||||
#ifndef _SELINUX_FLASK_H_
|
|
||||||
#define _SELINUX_FLASK_H_
|
|
||||||
|
|
||||||
#warning "Please remove any #include's of this header in your source code."
|
|
||||||
#warning "Instead, use string_to_security_class() to map the class name to a value."
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Security object class definitions
|
|
||||||
*/
|
|
||||||
#define SECCLASS_SECURITY 1
|
|
||||||
#define SECCLASS_PROCESS 2
|
|
||||||
#define SECCLASS_SYSTEM 3
|
|
||||||
#define SECCLASS_CAPABILITY 4
|
|
||||||
#define SECCLASS_FILESYSTEM 5
|
|
||||||
#define SECCLASS_FILE 6
|
|
||||||
#define SECCLASS_DIR 7
|
|
||||||
#define SECCLASS_FD 8
|
|
||||||
#define SECCLASS_LNK_FILE 9
|
|
||||||
#define SECCLASS_CHR_FILE 10
|
|
||||||
#define SECCLASS_BLK_FILE 11
|
|
||||||
#define SECCLASS_SOCK_FILE 12
|
|
||||||
#define SECCLASS_FIFO_FILE 13
|
|
||||||
#define SECCLASS_SOCKET 14
|
|
||||||
#define SECCLASS_TCP_SOCKET 15
|
|
||||||
#define SECCLASS_UDP_SOCKET 16
|
|
||||||
#define SECCLASS_RAWIP_SOCKET 17
|
|
||||||
#define SECCLASS_NODE 18
|
|
||||||
#define SECCLASS_NETIF 19
|
|
||||||
#define SECCLASS_NETLINK_SOCKET 20
|
|
||||||
#define SECCLASS_PACKET_SOCKET 21
|
|
||||||
#define SECCLASS_KEY_SOCKET 22
|
|
||||||
#define SECCLASS_UNIX_STREAM_SOCKET 23
|
|
||||||
#define SECCLASS_UNIX_DGRAM_SOCKET 24
|
|
||||||
#define SECCLASS_SEM 25
|
|
||||||
#define SECCLASS_MSG 26
|
|
||||||
#define SECCLASS_MSGQ 27
|
|
||||||
#define SECCLASS_SHM 28
|
|
||||||
#define SECCLASS_IPC 29
|
|
||||||
#define SECCLASS_PASSWD 30
|
|
||||||
#define SECCLASS_X_DRAWABLE 31
|
|
||||||
#define SECCLASS_X_SCREEN 32
|
|
||||||
#define SECCLASS_X_GC 33
|
|
||||||
#define SECCLASS_X_FONT 34
|
|
||||||
#define SECCLASS_X_COLORMAP 35
|
|
||||||
#define SECCLASS_X_PROPERTY 36
|
|
||||||
#define SECCLASS_X_SELECTION 37
|
|
||||||
#define SECCLASS_X_CURSOR 38
|
|
||||||
#define SECCLASS_X_CLIENT 39
|
|
||||||
#define SECCLASS_X_DEVICE 40
|
|
||||||
#define SECCLASS_X_SERVER 41
|
|
||||||
#define SECCLASS_X_EXTENSION 42
|
|
||||||
#define SECCLASS_NETLINK_ROUTE_SOCKET 43
|
|
||||||
#define SECCLASS_NETLINK_FIREWALL_SOCKET 44
|
|
||||||
#define SECCLASS_NETLINK_TCPDIAG_SOCKET 45
|
|
||||||
#define SECCLASS_NETLINK_NFLOG_SOCKET 46
|
|
||||||
#define SECCLASS_NETLINK_XFRM_SOCKET 47
|
|
||||||
#define SECCLASS_NETLINK_SELINUX_SOCKET 48
|
|
||||||
#define SECCLASS_NETLINK_AUDIT_SOCKET 49
|
|
||||||
#define SECCLASS_NETLINK_IP6FW_SOCKET 50
|
|
||||||
#define SECCLASS_NETLINK_DNRT_SOCKET 51
|
|
||||||
#define SECCLASS_DBUS 52
|
|
||||||
#define SECCLASS_NSCD 53
|
|
||||||
#define SECCLASS_ASSOCIATION 54
|
|
||||||
#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55
|
|
||||||
#define SECCLASS_APPLETALK_SOCKET 56
|
|
||||||
#define SECCLASS_PACKET 57
|
|
||||||
#define SECCLASS_KEY 58
|
|
||||||
#define SECCLASS_CONTEXT 59
|
|
||||||
#define SECCLASS_DCCP_SOCKET 60
|
|
||||||
#define SECCLASS_MEMPROTECT 61
|
|
||||||
#define SECCLASS_DB_DATABASE 62
|
|
||||||
#define SECCLASS_DB_TABLE 63
|
|
||||||
#define SECCLASS_DB_PROCEDURE 64
|
|
||||||
#define SECCLASS_DB_COLUMN 65
|
|
||||||
#define SECCLASS_DB_TUPLE 66
|
|
||||||
#define SECCLASS_DB_BLOB 67
|
|
||||||
#define SECCLASS_PEER 68
|
|
||||||
#define SECCLASS_CAPABILITY2 69
|
|
||||||
#define SECCLASS_X_RESOURCE 70
|
|
||||||
#define SECCLASS_X_EVENT 71
|
|
||||||
#define SECCLASS_X_SYNTHETIC_EVENT 72
|
|
||||||
#define SECCLASS_X_APPLICATION_DATA 73
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Security identifier indices for initial entities
|
|
||||||
*/
|
|
||||||
#define SECINITSID_KERNEL 1
|
|
||||||
#define SECINITSID_SECURITY 2
|
|
||||||
#define SECINITSID_UNLABELED 3
|
|
||||||
#define SECINITSID_FS 4
|
|
||||||
#define SECINITSID_FILE 5
|
|
||||||
#define SECINITSID_FILE_LABELS 6
|
|
||||||
#define SECINITSID_INIT 7
|
|
||||||
#define SECINITSID_ANY_SOCKET 8
|
|
||||||
#define SECINITSID_PORT 9
|
|
||||||
#define SECINITSID_NETIF 10
|
|
||||||
#define SECINITSID_NETMSG 11
|
|
||||||
#define SECINITSID_NODE 12
|
|
||||||
#define SECINITSID_IGMP_PACKET 13
|
|
||||||
#define SECINITSID_ICMP_SOCKET 14
|
|
||||||
#define SECINITSID_TCP_SOCKET 15
|
|
||||||
#define SECINITSID_SYSCTL_MODPROBE 16
|
|
||||||
#define SECINITSID_SYSCTL 17
|
|
||||||
#define SECINITSID_SYSCTL_FS 18
|
|
||||||
#define SECINITSID_SYSCTL_KERNEL 19
|
|
||||||
#define SECINITSID_SYSCTL_NET 20
|
|
||||||
#define SECINITSID_SYSCTL_NET_UNIX 21
|
|
||||||
#define SECINITSID_SYSCTL_VM 22
|
|
||||||
#define SECINITSID_SYSCTL_DEV 23
|
|
||||||
#define SECINITSID_KMOD 24
|
|
||||||
#define SECINITSID_POLICY 25
|
|
||||||
#define SECINITSID_SCMP_PACKET 26
|
|
||||||
#define SECINITSID_DEVNULL 27
|
|
||||||
|
|
||||||
#define SECINITSID_NUM 27
|
|
||||||
|
|
||||||
#endif
|
|
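--- a/jni/external/selinux/get_context_list.h
+++ b/jni/external/selinux/get_context_list.h
@@ -1,82 +0,0 @@
-#ifndef _SELINUX_GET_SID_LIST_H_
-#define _SELINUX_GET_SID_LIST_H_
-
-#include <selinux/selinux.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#define SELINUX_DEFAULTUSER "user_u"
-
-/* Get an ordered list of authorized security contexts for a user session
-for 'user' spawned by 'fromcon' and set *conary to refer to the
-NULL-terminated array of contexts. Every entry in the list will
-be authorized by the policy, but the ordering is subject to user
-customizable preferences. Returns number of entries in *conary.
-If 'fromcon' is NULL, defaults to current context.
-Caller must free via freeconary. */
-extern int get_ordered_context_list(const char *user,
-char * fromcon,
-char *** list);
-
-/* As above, but use the provided MLS level rather than the
-default level for the user. */
-int get_ordered_context_list_with_level(const char *user,
-const char *level,
-char * fromcon,
-char *** list);
-
-/* Get the default security context for a user session for 'user'
-spawned by 'fromcon' and set *newcon to refer to it. The context
-will be one of those authorized by the policy, but the selection
-of a default is subject to user customizable preferences.
-If 'fromcon' is NULL, defaults to current context.
-Returns 0 on success or -1 otherwise.
-Caller must free via freecon. */
-extern int get_default_context(const char *user,
-char * fromcon,
-char ** newcon);
-
-/* As above, but use the provided MLS level rather than the
-default level for the user. */
-int get_default_context_with_level(const char *user,
-const char *level,
-char * fromcon,
-char ** newcon);
-
-/* Same as get_default_context, but only return a context
-that has the specified role. If no reachable context exists
-for the user with that role, then return -1. */
-int get_default_context_with_role(const char *user,
-const char *role,
-char * fromcon,
-char ** newcon);
-
-/* Same as get_default_context, but only return a context
-that has the specified role and level. If no reachable context exists
-for the user with that role, then return -1. */
-int get_default_context_with_rolelevel(const char *user,
-const char *role,
-const char *level,
-char * fromcon,
-char ** newcon);
-
-/* Given a list of authorized security contexts for the user,
-query the user to select one and set *newcon to refer to it.
-Caller must free via freecon.
-Returns 0 on sucess or -1 otherwise. */
-extern int query_user_context(char ** list,
-char ** newcon);
-
-/* Allow the user to manually enter a context as a fallback
-if a list of authorized contexts could not be obtained.
-Caller must free via freecon.
-Returns 0 on success or -1 otherwise. */
-extern int manual_user_enter_context(const char *user,
-char ** newcon);
-
-#ifdef __cplusplus
-}
-#endif
-#endif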
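--- a/jni/external/selinux/get_default_type.h
+++ b/jni/external/selinux/get_default_type.h
@@ -1,23 +0,0 @@
-/* get_default_type.h - contains header information and function prototypes
-* for functions to get the default type for a role
-*/
-
-#ifndef _SELINUX_GET_DEFAULT_TYPE_H_
-#define _SELINUX_GET_DEFAULT_TYPE_H_
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* Return path to default type file. */
-const char *selinux_default_type_path(void);
-
-/* Get the default type (domain) for 'role' and set 'type' to refer to it.
-Caller must free via free().
-Return 0 on success or -1 otherwise. */
-int get_default_type(const char *role, char **type);
-
-#ifdef __cplusplus
-}
-#endif
-#endif /* ifndef _GET_DEFAULT_TYPE_H_ */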
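--- a/jni/external/selinux/label.h
+++ b/jni/external/selinux/label.h
@@ -1,190 +0,0 @@
-/*
-* Labeling interface for userspace object managers and others.
-*
-* Author : Eamon Walsh <ewalsh@tycho.nsa.gov>
-*/
-#ifndef _SELABEL_H_
-#define _SELABEL_H_
-
-#include <stdbool.h>
-#include <sys/types.h>
-#include <selinux/selinux.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
-* Opaque type used for all label handles.
-*/
-
-struct selabel_handle;
-
-/*
-* Available backends.
-*/
-
-/* file contexts */
-#define SELABEL_CTX_FILE 0
-/* media contexts */
-#define SELABEL_CTX_MEDIA 1
-/* x contexts */
-#define SELABEL_CTX_X 2
-/* db objects */
-#define SELABEL_CTX_DB 3
-/* Android property service contexts */
-#define SELABEL_CTX_ANDROID_PROP 4
-/* Android service contexts */
-#define SELABEL_CTX_ANDROID_SERVICE 5
-
-/*
-* Available options
-*/
-
-/* no-op option, useful for unused slots in an array of options */
-#define SELABEL_OPT_UNUSED 0
-/* validate contexts before returning them (boolean value) */
-#define SELABEL_OPT_VALIDATE 1
-/* don't use local customizations to backend data (boolean value) */
-#define SELABEL_OPT_BASEONLY 2
-/* specify an alternate path to use when loading backend data */
-#define SELABEL_OPT_PATH 3
-/* select a subset of the search space as an optimization (file backend) */
-#define SELABEL_OPT_SUBSET 4
-/* require a hash calculation on spec files */
-#define SELABEL_OPT_DIGEST 5
-/* total number of options */
-#define SELABEL_NOPT 6
-
-/*
-* Label operations
-*/
-
-/**
-* selabel_open - Create a labeling handle.
-* @backend: one of the constants specifying a supported labeling backend.
-* @opts: array of selabel_opt structures specifying label options or NULL.
-* @nopts: number of elements in opts array or zero for no options.
-*
-* Open a labeling backend for use. The available backend identifiers are
-* listed above. Options may be provided via the opts parameter; available
-* options are listed above. Not all options may be supported by every
-* backend. Return value is the created handle on success or NULL with
-* @errno set on failure.
-*/
-struct selabel_handle *selabel_open(unsigned int backend,
-const struct selinux_opt *opts,
-unsigned nopts);
-
-/**
-* selabel_close - Close a labeling handle.
-* @handle: specifies handle to close
-*
-* Destroy the specified handle, closing files, freeing allocated memory,
-* etc. The handle may not be further used after it has been closed.
-*/
-void selabel_close(struct selabel_handle *handle);
-
-/**
-* selabel_lookup - Perform labeling lookup operation.
-* @handle: specifies backend instance to query
-* @con: returns the appropriate context with which to label the object
-* @key: string input to lookup operation
-* @type: numeric input to the lookup operation
-*
-* Perform a labeling lookup operation. Return %0 on success, -%1 with
-* @errno set on failure. The key and type arguments are the inputs to the
-* lookup operation; appropriate values are dictated by the backend in use.
-* The result is returned in the memory pointed to by @con and must be freed
-* by the user with freecon().
-*/
-int selabel_lookup(struct selabel_handle *handle, char **con,
-const char *key, int type);
-int selabel_lookup_raw(struct selabel_handle *handle, char **con,
-const char *key, int type);
-
-bool selabel_partial_match(struct selabel_handle *handle, const char *key);
-
-int selabel_lookup_best_match(struct selabel_handle *rec, char **con,
-const char *key, const char **aliases, int type);
-int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,
-const char *key, const char **aliases, int type);
-
-/**
-* selabel_digest - Retrieve the SHA1 digest and the list of specfiles used to
-* generate the digest. The SELABEL_OPT_DIGEST option must
-* be set in selabel_open() to initiate the digest generation.
-* @handle: specifies backend instance to query
-* @digest: returns a pointer to the SHA1 digest.
-* @digest_len: returns length of digest in bytes.
-* @specfiles: a list of specfiles used in the SHA1 digest generation.
-* The list is NULL terminated and will hold @num_specfiles entries.
-* @num_specfiles: number of specfiles in the list.
-*
-* Return %0 on success, -%1 with @errno set on failure.
-*/
-int selabel_digest(struct selabel_handle *rec,
-unsigned char **digest, size_t *digest_len,
-char ***specfiles, size_t *num_specfiles);
-
-enum selabel_cmp_result {
-SELABEL_SUBSET,
-SELABEL_EQUAL,
-SELABEL_SUPERSET,
-SELABEL_INCOMPARABLE
-};
-
-/**
-* selabel_cmp - Compare two label configurations.
-* @h1: handle for the first label configuration
-* @h2: handle for the first label configuration
-*
-* Compare two label configurations.
-* Return %SELABEL_SUBSET if @h1 is a subset of @h2, %SELABEL_EQUAL
-* if @h1 is identical to @h2, %SELABEL_SUPERSET if @h1 is a superset
-* of @h2, and %SELABEL_INCOMPARABLE if @h1 and @h2 are incomparable.
-*/
-enum selabel_cmp_result selabel_cmp(struct selabel_handle *h1,
-struct selabel_handle *h2);
-
-/**
-* selabel_stats - log labeling operation statistics.
-* @handle: specifies backend instance to query
-*
-* Log a message with information about the number of queries performed,
-* number of unused matching entries, or other operational statistics.
-* Message is backend-specific, some backends may not output a message.
-*/
-void selabel_stats(struct selabel_handle *handle);
-
-/*
-* Type codes used by specific backends
-*/
-
-/* X backend */
-#define SELABEL_X_PROP 1
-#define SELABEL_X_EXT 2
-#define SELABEL_X_CLIENT 3
-#define SELABEL_X_EVENT 4
-#define SELABEL_X_SELN 5
-#define SELABEL_X_POLYPROP 6
-#define SELABEL_X_POLYSELN 7
-
-/* DB backend */
-#define SELABEL_DB_DATABASE 1
-#define SELABEL_DB_SCHEMA 2
-#define SELABEL_DB_TABLE 3
-#define SELABEL_DB_COLUMN 4
-#define SELABEL_DB_SEQUENCE 5
-#define SELABEL_DB_VIEW 6
-#define SELABEL_DB_PROCEDURE 7
-#define SELABEL_DB_BLOB 8
-#define SELABEL_DB_TUPLE 9
-#define SELABEL_DB_LANGUAGE 10
-#define SELABEL_DB_EXCEPTION 11
-#define SELABEL_DB_DATATYPE 12
-
-#ifdef __cplusplus
-}
-#endif
-#endif /* _SELABEL_H_ */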
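--- a/jni/external/selinux/restorecon.h
+++ b/jni/external/selinux/restorecon.h
@@ -1,187 +0,0 @@
-#ifndef _RESTORECON_H_
-#define _RESTORECON_H_
-
-#include <sys/types.h>
-#include <stdarg.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
-* selinux_restorecon - Relabel files.
-* @pathname: specifies file/directory to relabel.
-* @restorecon_flags: specifies the actions to be performed when relabeling.
-*
-* selinux_restorecon(3) will automatically call
-* selinux_restorecon_default_handle(3) and selinux_restorecon_set_sehandle(3)
-* first time through to set the selabel_open(3) parameters to use the
-* currently loaded policy file_contexts and request their computed digest.
-*
-* Should other selabel_open(3) parameters be required see
-* selinux_restorecon_set_sehandle(3).
-*/
-extern int selinux_restorecon(const char *pathname,
-unsigned int restorecon_flags);
-/*
-* restorecon_flags options
-*/
-/*
-* Force the checking of labels even if the stored SHA1
-* digest matches the specfiles SHA1 digest.
-*/
-#define SELINUX_RESTORECON_IGNORE_DIGEST 0x0001
-/*
-* Do not change file labels.
-*/
-#define SELINUX_RESTORECON_NOCHANGE 0x0002
-/*
-* If set set change file label to that in spec file.
-* If not only change type component to that in spec file.
-*/
-#define SELINUX_RESTORECON_SET_SPECFILE_CTX 0x0004
-/*
-* Recursively descend directories.
-*/
-#define SELINUX_RESTORECON_RECURSE 0x0008
-/*
-* Log changes to selinux log. Note that if VERBOSE and
-* PROGRESS are set, then PROGRESS will take precedence.
-*/
-#define SELINUX_RESTORECON_VERBOSE 0x0010
-/*
-* If SELINUX_RESTORECON_PROGRESS is true and
-* SELINUX_RESTORECON_MASS_RELABEL is true, then output approx % complete,
-* else output the number of files in 1k blocks processed to stdout.
-*/
-#define SELINUX_RESTORECON_PROGRESS 0x0020
-/*
-* Convert passed-in pathname to canonical pathname.
-*/
-#define SELINUX_RESTORECON_REALPATH 0x0040
-/*
-* Prevent descending into directories that have a different
-* device number than the pathname from which the descent began.
-*/
-#define SELINUX_RESTORECON_XDEV 0x0080
-/*
-* Attempt to add an association between an inode and a specification.
-* If there is already an association for the inode and it conflicts
-* with the specification, then use the last matching specification.
-*/
-#define SELINUX_RESTORECON_ADD_ASSOC 0x0100
-/*
-* Abort on errors during the file tree walk.
-*/
-#define SELINUX_RESTORECON_ABORT_ON_ERROR 0x0200
-/*
-* Log any label changes to syslog.
-*/
-#define SELINUX_RESTORECON_SYSLOG_CHANGES 0x0400
-/*
-* Log what spec matched each file.
-*/
-#define SELINUX_RESTORECON_LOG_MATCHES 0x0800
-/*
-* Ignore files that do not exist.
-*/
-#define SELINUX_RESTORECON_IGNORE_NOENTRY 0x1000
-/*
-* Do not read /proc/mounts to obtain a list of non-seclabel
-* mounts to be excluded from relabeling checks.
-*/
-#define SELINUX_RESTORECON_IGNORE_MOUNTS 0x2000
-/*
-* Set if there is a mass relabel required.
-* See SELINUX_RESTORECON_PROGRESS flag for details.
-*/
-#define SELINUX_RESTORECON_MASS_RELABEL 0x4000
-
-/**
-* selinux_restorecon_set_sehandle - Set the global fc handle.
-* @hndl: specifies handle to set as the global fc handle.
-*
-* Called by a process that has already called selabel_open(3) with it's
-* required parameters, or if selinux_restorecon_default_handle(3) has been
-* called to set the default selabel_open(3) parameters.
-*/
-// extern void selinux_restorecon_set_sehandle(struct selabel_handle *hndl);
-
-/**
-* selinux_restorecon_default_handle - Sets default selabel_open(3) parameters
-* to use the currently loaded policy and
-* file_contexts, also requests the digest.
-*
-* Return value is the created handle on success or NULL with @errno set on
-* failure.
-*/
-extern struct selabel_handle *selinux_restorecon_default_handle(void);
-
-/**
-* selinux_restorecon_set_exclude_list - Add a list of directories that are
-* to be excluded from relabeling.
-* @exclude_list: containing a NULL terminated list of one or more
-* directories not to be relabeled.
-*/
-extern void selinux_restorecon_set_exclude_list(const char **exclude_list);
-
-/**
-* selinux_restorecon_set_alt_rootpath - Use alternate rootpath.
-* @alt_rootpath: containing the alternate rootpath to be used.
-*
-* Return %0 on success, -%1 with @errno set on failure.
-*/
-extern int selinux_restorecon_set_alt_rootpath(const char *alt_rootpath);
-
-/**
-* selinux_restorecon_xattr - Read/remove RESTORECON_LAST xattr entries.
-* @pathname: specifies directory path to check.
-* @xattr_flags: specifies the actions to be performed.
-* @xattr_list: a linked list of struct dir_xattr structures containing
-* the directory, digest and result of the action on the
-* RESTORECON_LAST entry.
-*
-* selinux_restorecon_xattr(3) will automatically call
-* selinux_restorecon_default_handle(3) and selinux_restorecon_set_sehandle(3)
-* first time through to set the selabel_open(3) parameters to use the
-* currently loaded policy file_contexts and request their computed digest.
-*
-* Should other selabel_open(3) parameters be required see
-* selinux_restorecon_set_sehandle(3), however note that a file_contexts
-* computed digest is required for selinux_restorecon_xattr().
-*/
-enum digest_result {
-MATCH = 0,
-NOMATCH,
-DELETED_MATCH,
-DELETED_NOMATCH,
-ERROR
-};
-
-struct dir_xattr {
-char *directory;
-char *digest; /* A hex encoded string that can be printed. */
-enum digest_result result;
-struct dir_xattr *next;
-};
-
-extern int selinux_restorecon_xattr(const char *pathname,
-unsigned int xattr_flags,
-struct dir_xattr ***xattr_list);
-
-/*
-* xattr_flags options
-*/
-/* Recursively descend directories. */
-#define SELINUX_RESTORECON_XATTR_RECURSE 0x0001
-/* Delete non-matching digests from each directory in pathname. */
-#define SELINUX_RESTORECON_XATTR_DELETE_NONMATCH_DIGESTS 0x0002
-/* Delete all digests found in pathname. */
-#define SELINUX_RESTORECON_XATTR_DELETE_ALL_DIGESTS 0x0004
-/* Do not read /proc/mounts. */
-#define SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS 0x0008
-
-#ifdef __cplusplus
-}
-#endif
-#endif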
673
jni/external/selinux/selinux.h
vendored
673
jni/external/selinux/selinux.h
vendored
@ -1,673 +0,0 @@
|
|||||||
#ifndef _SELINUX_H_
|
|
||||||
#define _SELINUX_H_
|
|
||||||
|
|
||||||
#include <sys/types.h>
|
|
||||||
#include <stdarg.h>
|
|
||||||
|
|
||||||
#ifdef __cplusplus
|
|
||||||
extern "C" {
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 if we get an error. */
|
|
||||||
extern int is_selinux_enabled(void);
|
|
||||||
/* Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. */
|
|
||||||
extern int is_selinux_mls_enabled(void);
|
|
||||||
|
|
||||||
/* No longer used; here for compatibility with legacy callers. */
|
|
||||||
typedef char *security_context_t;
|
|
||||||
|
|
||||||
/* Free the memory allocated for a context by any of the below get* calls. */
|
|
||||||
extern void freecon(char * con);
|
|
||||||
|
|
||||||
/* Free the memory allocated for a context array by security_compute_user. */
|
|
||||||
extern void freeconary(char ** con);
|
|
||||||
|
|
||||||
/* Wrappers for the /proc/pid/attr API. */
|
|
||||||
|
|
||||||
/* Get current context, and set *con to refer to it.
|
|
||||||
Caller must free via freecon. */
|
|
||||||
extern int getcon(char ** con);
|
|
||||||
extern int getcon_raw(char ** con);
|
|
||||||
|
|
||||||
/* Set the current security context to con.
|
|
||||||
Note that use of this function requires that the entire application
|
|
||||||
be trusted to maintain any desired separation between the old and new
|
|
||||||
security contexts, unlike exec-based transitions performed via setexeccon.
|
|
||||||
When possible, decompose your application and use setexeccon()+execve()
|
|
||||||
instead. Note that the application may lose access to its open descriptors
|
|
||||||
as a result of a setcon() unless policy allows it to use descriptors opened
|
|
||||||
by the old context. */
|
|
||||||
extern int setcon(const char * con);
|
|
||||||
extern int setcon_raw(const char * con);
|
|
||||||
|
|
||||||
/* Get context of process identified by pid, and
|
|
||||||
set *con to refer to it. Caller must free via freecon. */
|
|
||||||
extern int getpidcon(pid_t pid, char ** con);
|
|
||||||
extern int getpidcon_raw(pid_t pid, char ** con);
|
|
||||||
|
|
||||||
/* Get previous context (prior to last exec), and set *con to refer to it.
|
|
||||||
Caller must free via freecon. */
|
|
||||||
extern int getprevcon(char ** con);
|
|
||||||
extern int getprevcon_raw(char ** con);
|
|
||||||
|
|
||||||
/* Get exec context, and set *con to refer to it.
|
|
||||||
Sets *con to NULL if no exec context has been set, i.e. using default.
|
|
||||||
If non-NULL, caller must free via freecon. */
|
|
||||||
extern int getexeccon(char ** con);
|
|
||||||
extern int getexeccon_raw(char ** con);
|
|
||||||
|
|
||||||
/* Set exec security context for the next execve.
|
|
||||||
Call with NULL if you want to reset to the default. */
|
|
||||||
extern int setexeccon(const char * con);
|
|
||||||
extern int setexeccon_raw(const char * con);
|
|
||||||
|
|
||||||
/* Get fscreate context, and set *con to refer to it.
|
|
||||||
Sets *con to NULL if no fs create context has been set, i.e. using default.
|
|
||||||
If non-NULL, caller must free via freecon. */
|
|
||||||
extern int getfscreatecon(char ** con);
|
|
||||||
extern int getfscreatecon_raw(char ** con);
|
|
||||||
|
|
||||||
/* Set the fscreate security context for subsequent file creations.
|
|
||||||
Call with NULL if you want to reset to the default. */
|
|
||||||
extern int setfscreatecon(const char * context);
|
|
||||||
extern int setfscreatecon_raw(const char * context);
|
|
||||||
|
|
||||||
/* Get keycreate context, and set *con to refer to it.
|
|
||||||
Sets *con to NULL if no key create context has been set, i.e. using default.
|
|
||||||
If non-NULL, caller must free via freecon. */
|
|
||||||
extern int getkeycreatecon(char ** con);
|
|
||||||
extern int getkeycreatecon_raw(char ** con);
|
|
||||||
|
|
||||||
/* Set the keycreate security context for subsequent key creations.
|
|
||||||
Call with NULL if you want to reset to the default. */
|
|
||||||
extern int setkeycreatecon(const char * context);
|
|
||||||
extern int setkeycreatecon_raw(const char * context);
|
|
||||||
|
|
||||||
/* Get sockcreate context, and set *con to refer to it.
|
|
||||||
Sets *con to NULL if no socket create context has been set, i.e. using default.
|
|
||||||
If non-NULL, caller must free via freecon. */
|
|
||||||
extern int getsockcreatecon(char ** con);
|
|
||||||
extern int getsockcreatecon_raw(char ** con);
|
|
||||||
|
|
||||||
/* Set the sockcreate security context for subsequent socket creations.
|
|
||||||
Call with NULL if you want to reset to the default. */
|
|
||||||
extern int setsockcreatecon(const char * context);
|
|
||||||
extern int setsockcreatecon_raw(const char * context);
|
|
||||||
|
|
||||||
/* Wrappers for the xattr API. */
|
|
||||||
|
|
||||||
/* Get file context, and set *con to refer to it.
|
|
||||||
Caller must free via freecon. */
|
|
||||||
extern int getfilecon(const char *path, char ** con);
|
|
||||||
extern int getfilecon_raw(const char *path, char ** con);
|
|
||||||
extern int lgetfilecon(const char *path, char ** con);
|
|
||||||
extern int lgetfilecon_raw(const char *path, char ** con);
|
|
||||||
extern int fgetfilecon(int fd, char ** con);
|
|
||||||
extern int fgetfilecon_raw(int fd, char ** con);
|
|
||||||
|
|
||||||
/* Set file context */
|
|
||||||
extern int setfilecon(const char *path, const char * con);
|
|
||||||
extern int setfilecon_raw(const char *path, const char * con);
|
|
||||||
extern int lsetfilecon(const char *path, const char * con);
|
|
||||||
extern int lsetfilecon_raw(const char *path, const char * con);
|
|
||||||
extern int fsetfilecon(int fd, const char * con);
|
|
||||||
extern int fsetfilecon_raw(int fd, const char * con);
|
|
||||||
|
|
||||||
/* Wrappers for the socket API */
|
|
||||||
|
|
||||||
/* Get context of peer socket, and set *con to refer to it.
|
|
||||||
Caller must free via freecon. */
|
|
||||||
extern int getpeercon(int fd, char ** con);
|
|
||||||
extern int getpeercon_raw(int fd, char ** con);
|
|
||||||
|
|
||||||
/* Wrappers for the selinuxfs (policy) API. */
|
|
||||||
|
|
||||||
typedef unsigned int access_vector_t;
|
|
||||||
typedef unsigned short security_class_t;
|
|
||||||
|
|
||||||
struct av_decision {
|
|
||||||
access_vector_t allowed;
|
|
||||||
access_vector_t decided;
|
|
||||||
access_vector_t auditallow;
|
|
||||||
access_vector_t auditdeny;
|
|
||||||
unsigned int seqno;
|
|
||||||
unsigned int flags;
|
|
||||||
};
|
|
||||||
|
|
||||||
/* Definitions of av_decision.flags */
|
|
||||||
#define SELINUX_AVD_FLAGS_PERMISSIVE 0x0001
|
|
||||||
|
|
||||||
/* Structure for passing options, used by AVC and label subsystems */
|
|
||||||
struct selinux_opt {
|
|
||||||
int type;
|
|
||||||
const char *value;
|
|
||||||
};
|
|
||||||
|
|
||||||
/* Callback facilities */
|
|
||||||
union selinux_callback {
|
|
||||||
/* log the printf-style format and arguments,
|
|
||||||
with the type code indicating the type of message */
|
|
||||||
int
|
|
||||||
#ifdef __GNUC__
|
|
||||||
__attribute__ ((format(printf, 2, 3)))
|
|
||||||
#endif
|
|
||||||
(*func_log) (int type, const char *fmt, ...);
|
|
||||||
/* store a string representation of auditdata (corresponding
|
|
||||||
to the given security class) into msgbuf. */
|
|
||||||
int (*func_audit) (void *auditdata, security_class_t cls,
|
|
||||||
char *msgbuf, size_t msgbufsize);
|
|
||||||
/* validate the supplied context, modifying if necessary */
|
|
||||||
int (*func_validate) (char **ctx);
|
|
||||||
/* netlink callback for setenforce message */
|
|
||||||
int (*func_setenforce) (int enforcing);
|
|
||||||
/* netlink callback for policyload message */
|
|
||||||
int (*func_policyload) (int seqno);
|
|
||||||
};
|
|
||||||
|
|
||||||
#define SELINUX_CB_LOG 0
|
|
||||||
#define SELINUX_CB_AUDIT 1
|
|
||||||
#define SELINUX_CB_VALIDATE 2
|
|
||||||
#define SELINUX_CB_SETENFORCE 3
|
|
||||||
#define SELINUX_CB_POLICYLOAD 4
|
|
||||||
|
|
||||||
extern union selinux_callback selinux_get_callback(int type);
|
|
||||||
extern void selinux_set_callback(int type, union selinux_callback cb);
|
|
||||||
|
|
||||||
/* Logging type codes, passed to the logging callback */
|
|
||||||
#define SELINUX_ERROR 0
|
|
||||||
#define SELINUX_WARNING 1
|
|
||||||
#define SELINUX_INFO 2
|
|
||||||
#define SELINUX_AVC 3
|
|
||||||
#define SELINUX_TRANS_DIR "/var/run/setrans"
|
|
||||||
|
|
||||||
/* Compute an access decision. */
|
|
||||||
extern int security_compute_av(const char * scon,
|
|
||||||
const char * tcon,
|
|
||||||
security_class_t tclass,
|
|
||||||
access_vector_t requested,
|
|
||||||
struct av_decision *avd);
|
|
||||||
extern int security_compute_av_raw(const char * scon,
|
|
||||||
const char * tcon,
|
|
||||||
security_class_t tclass,
|
|
||||||
access_vector_t requested,
|
|
||||||
struct av_decision *avd);
|
|
||||||
|
|
||||||
extern int security_compute_av_flags(const char * scon,
|
|
||||||
const char * tcon,
|
|
||||||
security_class_t tclass,
|
|
||||||
access_vector_t requested,
|
|
||||||
struct av_decision *avd);
|
|
||||||
extern int security_compute_av_flags_raw(const char * scon,
|
|
||||||
const char * tcon,
|
|
||||||
security_class_t tclass,
|
|
||||||
access_vector_t requested,
|
|
||||||
struct av_decision *avd);
|
|
||||||
|
|
||||||
/* Compute a labeling decision and set *newcon to refer to it.
|
|
||||||
Caller must free via freecon. */
|
|
||||||
extern int security_compute_create(const char * scon,
|
|
||||||
const char * tcon,
|
|
||||||
security_class_t tclass,
|
|
||||||
char ** newcon);
|
|
||||||
extern int security_compute_create_raw(const char * scon,
|
|
||||||
const char * tcon,
|
|
||||||
security_class_t tclass,
|
|
||||||
char ** newcon);
|
|
||||||
extern int security_compute_create_name(const char * scon,
|
|
||||||
const char * tcon,
|
|
||||||
security_class_t tclass,
|
|
||||||
const char *objname,
|
|
||||||
char ** newcon);
|
|
||||||
extern int security_compute_create_name_raw(const char * scon,
|
|
||||||
const char * tcon,
|
|
||||||
security_class_t tclass,
|
|
||||||
const char *objname,
|
|
||||||
char ** newcon);
|
|
||||||
|
|
||||||
/* Compute a relabeling decision and set *newcon to refer to it.
|
|
||||||
Caller must free via freecon. */
|
|
||||||
extern int security_compute_relabel(const char * scon,
|
|
||||||
const char * tcon,
|
|
||||||
security_class_t tclass,
|
|
||||||
char ** newcon);
|
|
||||||
extern int security_compute_relabel_raw(const char * scon,
|
|
||||||
const char * tcon,
|
|
||||||
security_class_t tclass,
|
|
||||||
char ** newcon);
|
|
||||||
|
|
||||||
/* Compute a polyinstantiation member decision and set *newcon to refer to it.
|
|
||||||
Caller must free via freecon. */
|
|
||||||
extern int security_compute_member(const char * scon,
|
|
||||||
const char * tcon,
|
|
||||||
security_class_t tclass,
|
|
||||||
char ** newcon);
|
|
||||||
extern int security_compute_member_raw(const char * scon,
|
|
||||||
const char * tcon,
|
|
||||||
security_class_t tclass,
|
|
||||||
char ** newcon);
|
|
||||||
|
|
||||||
/* Compute the set of reachable user contexts and set *con to refer to
|
|
||||||
the NULL-terminated array of contexts. Caller must free via freeconary. */
|
|
||||||
extern int security_compute_user(const char * scon,
|
|
||||||
const char *username,
|
|
||||||
char *** con);
|
|
||||||
extern int security_compute_user_raw(const char * scon,
|
|
||||||
const char *username,
|
|
||||||
char *** con);
|
|
||||||
|
|
||||||
/* Load a policy configuration. */
|
|
||||||
extern int security_load_policy(void *data, size_t len);
|
|
||||||
|
|
||||||
/* Get the context of an initial kernel security identifier by name.
|
|
||||||
Caller must free via freecon */
|
|
||||||
extern int security_get_initial_context(const char *name,
|
|
||||||
char ** con);
|
|
||||||
extern int security_get_initial_context_raw(const char *name,
|
|
||||||
char ** con);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Make a policy image and load it.
|
|
||||||
* This function provides a higher level interface for loading policy
|
|
||||||
* than security_load_policy, internally determining the right policy
|
|
||||||
* version, locating and opening the policy file, mapping it into memory,
|
|
||||||
* manipulating it as needed for current boolean settings and/or local
|
|
||||||
* definitions, and then calling security_load_policy to load it.
|
|
||||||
*
|
|
||||||
* 'preservebools' is a boolean flag indicating whether current
|
|
||||||
* policy boolean values should be preserved into the new policy (if 1)
|
|
||||||
* or reset to the saved policy settings (if 0). The former case is the
|
|
||||||
* default for policy reloads, while the latter case is an option for policy
|
|
||||||
* reloads but is primarily for the initial policy load.
|
|
||||||
*/
|
|
||||||
extern int selinux_mkload_policy(int preservebools);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Perform the initial policy load.
|
|
||||||
* This function determines the desired enforcing mode, sets the
|
|
||||||
* the *enforce argument accordingly for the caller to use, sets the
|
|
||||||
* SELinux kernel enforcing status to match it, and loads the policy.
|
|
||||||
* It also internally handles the initial selinuxfs mount required to
|
|
||||||
* perform these actions.
|
|
||||||
*
|
|
||||||
* The function returns 0 if everything including the policy load succeeds.
|
|
||||||
* In this case, init is expected to re-exec itself in order to transition
|
|
||||||
* to the proper security context.
|
|
||||||
* Otherwise, the function returns -1, and init must check *enforce to
|
|
||||||
* determine how to proceed. If enforcing (*enforce > 0), then init should
|
|
||||||
* halt the system. Otherwise, init may proceed normally without a re-exec.
|
|
||||||
*/
|
|
||||||
extern int selinux_init_load_policy(int *enforce);
|
|
||||||
|
|
||||||
/* Translate boolean strict to name value pair. */
|
|
||||||
typedef struct {
|
|
||||||
char *name;
|
|
||||||
int value;
|
|
||||||
} SELboolean;
|
|
||||||
/* save a list of booleans in a single transaction. */
|
|
||||||
extern int security_set_boolean_list(size_t boolcnt,
|
|
||||||
SELboolean * boollist, int permanent);
|
|
||||||
|
|
||||||
/* Load policy boolean settings.
|
|
||||||
Path may be NULL, in which case the booleans are loaded from
|
|
||||||
the active policy boolean configuration file. */
|
|
||||||
extern int security_load_booleans(char *path);
|
|
||||||
|
|
||||||
/* Check the validity of a security context. */
|
|
||||||
extern int security_check_context(const char * con);
|
|
||||||
extern int security_check_context_raw(const char * con);
|
|
||||||
|
|
||||||
/* Canonicalize a security context. */
|
|
||||||
extern int security_canonicalize_context(const char * con,
|
|
||||||
char ** canoncon);
|
|
||||||
extern int security_canonicalize_context_raw(const char * con,
|
|
||||||
char ** canoncon);
|
|
||||||
|
|
||||||
/* Get the enforce flag value. */
|
|
||||||
extern int security_getenforce(void);
|
|
||||||
|
|
||||||
/* Set the enforce flag value. */
|
|
||||||
extern int security_setenforce(int value);
|
|
||||||
|
|
||||||
/* Get the behavior for undefined classes/permissions */
|
|
||||||
extern int security_deny_unknown(void);
|
|
||||||
|
|
||||||
/* Disable SELinux at runtime (must be done prior to initial policy load). */
|
|
||||||
extern int security_disable(void);
|
|
||||||
|
|
||||||
/* Get the policy version number. */
|
|
||||||
extern int security_policyvers(void);
|
|
||||||
|
|
||||||
/* Get the boolean names */
|
|
||||||
extern int security_get_boolean_names(char ***names, int *len);
|
|
||||||
|
|
||||||
/* Get the pending value for the boolean */
|
|
||||||
extern int security_get_boolean_pending(const char *name);
|
|
||||||
|
|
||||||
/* Get the active value for the boolean */
|
|
||||||
extern int security_get_boolean_active(const char *name);
|
|
||||||
|
|
||||||
/* Set the pending value for the boolean */
|
|
||||||
extern int security_set_boolean(const char *name, int value);
|
|
||||||
|
|
||||||
/* Commit the pending values for the booleans */
|
|
||||||
extern int security_commit_booleans(void);
|
|
||||||
|
|
||||||
/* Userspace class mapping support */
|
|
||||||
struct security_class_mapping {
|
|
||||||
const char *name;
|
|
||||||
const char *perms[sizeof(access_vector_t) * 8 + 1];
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
|
||||||
* selinux_set_mapping - Enable dynamic mapping between integer offsets and security class names
|
|
||||||
* @map: array of security_class_mapping structures
|
|
||||||
*
|
|
||||||
* The core avc_has_perm() API uses integers to represent security
|
|
||||||
* classes; previous to the introduction of this function, it was
|
|
||||||
* common for userspace object managers to be compiled using generated
|
|
||||||
* offsets for a particular policy. However, that strongly ties the build of the userspace components to a particular policy.
|
|
||||||
*
|
|
||||||
* By using this function to map between integer offsets and security
|
|
||||||
* class names, it's possible to replace a system policies that have
|
|
||||||
* at least the same set of security class names as used by the
|
|
||||||
* userspace object managers.
|
|
||||||
*
|
|
||||||
* To correctly use this function, you should override the generated
|
|
||||||
* security class defines from the system policy in a local header,
|
|
||||||
* starting at 1, and have one security_class_mapping structure entry
|
|
||||||
* per define.
|
|
||||||
*/
|
|
||||||
extern int selinux_set_mapping(struct security_class_mapping *map);
|
|
||||||
|
|
||||||
/* Common helpers */
|
|
||||||
|
|
||||||
/* Convert between mode and security class values */
|
|
||||||
extern security_class_t mode_to_security_class(mode_t mode);
|
|
||||||
/* Convert between security class values and string names */
|
|
||||||
extern security_class_t string_to_security_class(const char *name);
|
|
||||||
extern const char *security_class_to_string(security_class_t cls);
|
|
||||||
|
|
||||||
/* Convert between individual access vector permissions and string names */
|
|
||||||
extern const char *security_av_perm_to_string(security_class_t tclass,
|
|
||||||
access_vector_t perm);
|
|
||||||
extern access_vector_t string_to_av_perm(security_class_t tclass,
|
|
||||||
const char *name);
|
|
||||||
|
|
||||||
/* Returns an access vector in a string representation. User must free the
|
|
||||||
* returned string via free(). */
|
|
||||||
extern int security_av_string(security_class_t tclass,
|
|
||||||
access_vector_t av, char **result);
|
|
||||||
|
|
||||||
/* Display an access vector in a string representation. */
|
|
||||||
extern void print_access_vector(security_class_t tclass, access_vector_t av);
|
|
||||||
|
|
||||||
/* Set the function used by matchpathcon_init when displaying
|
|
||||||
errors about the file_contexts configuration. If not set,
|
|
||||||
then this defaults to fprintf(stderr, fmt, ...). */
|
|
||||||
extern void set_matchpathcon_printf(void (*f) (const char *fmt, ...));
|
|
||||||
|
|
||||||
/* Set the function used by matchpathcon_init when checking the
|
|
||||||
validity of a context in the file contexts configuration. If not set,
|
|
||||||
then this defaults to a test based on security_check_context().
|
|
||||||
The function is also responsible for reporting any such error, and
|
|
||||||
may include the 'path' and 'lineno' in such error messages. */
|
|
||||||
extern void set_matchpathcon_invalidcon(int (*f) (const char *path,
|
|
||||||
unsigned lineno,
|
|
||||||
char *context));
|
|
||||||
|
|
||||||
/* Same as above, but also allows canonicalization of the context,
|
|
||||||
by changing *context to refer to the canonical form. If not set,
|
|
||||||
and invalidcon is also not set, then this defaults to calling
|
|
||||||
security_canonicalize_context(). */
|
|
||||||
extern void set_matchpathcon_canoncon(int (*f) (const char *path,
|
|
||||||
unsigned lineno,
|
|
||||||
char **context));
|
|
||||||
|
|
||||||
/* Set flags controlling operation of matchpathcon_init or matchpathcon. */
|
|
||||||
#define MATCHPATHCON_BASEONLY 1 /* Only process the base file_contexts file. */
|
|
||||||
#define MATCHPATHCON_NOTRANS 2 /* Do not perform any context translation. */
|
|
||||||
#define MATCHPATHCON_VALIDATE 4 /* Validate/canonicalize contexts at init time. */
|
|
||||||
extern void set_matchpathcon_flags(unsigned int flags);
|
|
||||||
|
|
||||||
/* Load the file contexts configuration specified by 'path'
|
|
||||||
into memory for use by subsequent matchpathcon calls.
|
|
||||||
If 'path' is NULL, then load the active file contexts configuration,
|
|
||||||
i.e. the path returned by selinux_file_context_path().
|
|
||||||
Unless the MATCHPATHCON_BASEONLY flag has been set, this
|
|
||||||
function also checks for a 'path'.homedirs file and
|
|
||||||
a 'path'.local file and loads additional specifications
|
|
||||||
from them if present. */
|
|
||||||
extern int matchpathcon_init(const char *path);
|
|
||||||
|
|
||||||
/* Same as matchpathcon_init, but only load entries with
|
|
||||||
regexes that have stems that are prefixes of 'prefix'. */
|
|
||||||
extern int matchpathcon_init_prefix(const char *path, const char *prefix);
|
|
||||||
|
|
||||||
/* Free the memory allocated by matchpathcon_init. */
|
|
||||||
extern void matchpathcon_fini(void);
|
|
||||||
|
|
||||||
/* Resolve all of the symlinks and relative portions of a pathname, but NOT
|
|
||||||
* the final component (same a realpath() unless the final component is a
|
|
||||||
* symlink. Resolved path must be a path of size PATH_MAX + 1 */
|
|
||||||
extern int realpath_not_final(const char *name, char *resolved_path);
|
|
||||||
|
|
||||||
/* Match the specified pathname and mode against the file contexts
|
|
||||||
configuration and set *con to refer to the resulting context.
|
|
||||||
'mode' can be 0 to disable mode matching.
|
|
||||||
Caller must free via freecon.
|
|
||||||
If matchpathcon_init has not already been called, then this function
|
|
||||||
will call it upon its first invocation with a NULL path. */
|
|
||||||
extern int matchpathcon(const char *path,
|
|
||||||
mode_t mode, char ** con);
|
|
||||||
|
|
||||||
/* Same as above, but return a specification index for
|
|
||||||
later use in a matchpathcon_filespec_add() call - see below. */
|
|
||||||
extern int matchpathcon_index(const char *path,
|
|
||||||
mode_t mode, char ** con);
|
|
||||||
|
|
||||||
/* Maintain an association between an inode and a specification index,
|
|
||||||
and check whether a conflicting specification is already associated
|
|
||||||
with the same inode (e.g. due to multiple hard links). If so, then
|
|
||||||
use the latter of the two specifications based on their order in the
|
|
||||||
file contexts configuration. Return the used specification index. */
|
|
||||||
extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file);
|
|
||||||
|
|
||||||
/* Destroy any inode associations that have been added, e.g. to restart
|
|
||||||
for a new filesystem. */
|
|
||||||
extern void matchpathcon_filespec_destroy(void);
|
|
||||||
|
|
||||||
/* Display statistics on the hash table usage for the associations. */
|
|
||||||
extern void matchpathcon_filespec_eval(void);
|
|
||||||
|
|
||||||
/* Check to see whether any specifications had no matches and report them.
|
|
||||||
The 'str' is used as a prefix for any warning messages. */
|
|
||||||
extern void matchpathcon_checkmatches(char *str);
|
|
||||||
|
|
||||||
/* Match the specified media and against the media contexts
|
|
||||||
configuration and set *con to refer to the resulting context.
|
|
||||||
Caller must free con via freecon. */
|
|
||||||
extern int matchmediacon(const char *media, char ** con);
|
|
||||||
|
|
||||||
/*
|
|
||||||
selinux_getenforcemode reads the /etc/selinux/config file and determines
|
|
||||||
whether the machine should be started in enforcing (1), permissive (0) or
|
|
||||||
disabled (-1) mode.
|
|
||||||
*/
|
|
||||||
extern int selinux_getenforcemode(int *enforce);
|
|
||||||
|
|
||||||
/*
|
|
||||||
selinux_boolean_sub reads the /etc/selinux/TYPE/booleans.subs_dist file
|
|
||||||
looking for a record with boolean_name. If a record exists selinux_boolean_sub
|
|
||||||
returns the translated name otherwise it returns the original name.
|
|
||||||
The returned value needs to be freed. On failure NULL will be returned.
|
|
||||||
*/
|
|
||||||
extern char *selinux_boolean_sub(const char *boolean_name);
|
|
||||||
|
|
||||||
/*
|
|
||||||
selinux_getpolicytype reads the /etc/selinux/config file and determines
|
|
||||||
what the default policy for the machine is. Calling application must
|
|
||||||
free policytype.
|
|
||||||
*/
|
|
||||||
extern int selinux_getpolicytype(char **policytype);
|
|
||||||
|
|
||||||
/*
|
|
||||||
selinux_policy_root reads the /etc/selinux/config file and returns
|
|
||||||
the directory path under which the compiled policy file and context
|
|
||||||
configuration files exist.
|
|
||||||
*/
|
|
||||||
extern const char *selinux_policy_root(void);
|
|
||||||
|
|
||||||
/*
|
|
||||||
selinux_set_policy_root sets an alternate policy root directory path under
|
|
||||||
which the compiled policy file and context configuration files exist.
|
|
||||||
*/
|
|
||||||
extern int selinux_set_policy_root(const char *rootpath);
|
|
||||||
|
|
||||||
/* These functions return the paths to specific files under the
|
|
||||||
policy root directory. */
|
|
||||||
extern const char *selinux_current_policy_path(void);
|
|
||||||
extern const char *selinux_binary_policy_path(void);
|
|
||||||
extern const char *selinux_failsafe_context_path(void);
|
|
||||||
extern const char *selinux_removable_context_path(void);
|
|
||||||
extern const char *selinux_default_context_path(void);
|
|
||||||
extern const char *selinux_user_contexts_path(void);
|
|
||||||
extern const char *selinux_file_context_path(void);
|
|
||||||
extern const char *selinux_file_context_homedir_path(void);
|
|
||||||
extern const char *selinux_file_context_local_path(void);
|
|
||||||
extern const char *selinux_file_context_subs_path(void);
|
|
||||||
extern const char *selinux_file_context_subs_dist_path(void);
|
|
||||||
extern const char *selinux_homedir_context_path(void);
|
|
||||||
extern const char *selinux_media_context_path(void);
|
|
||||||
extern const char *selinux_virtual_domain_context_path(void);
|
|
||||||
extern const char *selinux_virtual_image_context_path(void);
|
|
||||||
extern const char *selinux_lxc_contexts_path(void);
|
|
||||||
extern const char *selinux_x_context_path(void);
|
|
||||||
extern const char *selinux_sepgsql_context_path(void);
|
|
||||||
extern const char *selinux_openrc_contexts_path(void);
|
|
||||||
extern const char *selinux_openssh_contexts_path(void);
|
|
||||||
extern const char *selinux_snapperd_contexts_path(void);
|
|
||||||
extern const char *selinux_systemd_contexts_path(void);
|
|
||||||
extern const char *selinux_contexts_path(void);
|
|
||||||
extern const char *selinux_securetty_types_path(void);
|
|
||||||
extern const char *selinux_booleans_subs_path(void);
|
|
||||||
extern const char *selinux_booleans_path(void);
|
|
||||||
extern const char *selinux_customizable_types_path(void);
|
|
||||||
extern const char *selinux_users_path(void);
|
|
||||||
extern const char *selinux_usersconf_path(void);
|
|
||||||
extern const char *selinux_translations_path(void);
|
|
||||||
extern const char *selinux_colors_path(void);
|
|
||||||
extern const char *selinux_netfilter_context_path(void);
|
|
||||||
extern const char *selinux_path(void);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* selinux_check_access - Check permissions and perform appropriate auditing.
|
|
||||||
* @scon: source security context
|
|
||||||
* @tcon: target security context
|
|
||||||
* @tclass: target security class string
|
|
||||||
* @perm: requested permissions string, interpreted based on @tclass
|
|
||||||
* @auditdata: auxiliary audit data
|
|
||||||
*
|
|
||||||
* Check the AVC to determine whether the @perm permissions are granted
|
|
||||||
* for the SID pair (@scon, @tcon), interpreting the permissions
|
|
||||||
* based on @tclass.
|
|
||||||
* Return %0 if all @perm permissions are granted, -%1 with
|
|
||||||
* @errno set to %EACCES if any permissions are denied or to another
|
|
||||||
* value upon other errors.
|
|
||||||
* If auditing or logging is configured the appropriate callbacks will be called
|
|
||||||
* and passed the auditdata field
|
|
||||||
*/
|
|
||||||
extern int selinux_check_access(const char * scon, const char * tcon, const char *tclass, const char *perm, void *auditdata);
|
|
||||||
|
|
||||||
/* Check a permission in the passwd class.
|
|
||||||
Return 0 if granted or -1 otherwise. */
|
|
||||||
extern int selinux_check_passwd_access(access_vector_t requested);
|
|
||||||
extern int checkPasswdAccess(access_vector_t requested);
|
|
||||||
|
|
||||||
/* Check if the tty_context is defined as a securetty
|
|
||||||
Return 0 if secure, < 0 otherwise. */
|
|
||||||
extern int selinux_check_securetty_context(const char * tty_context);
|
|
||||||
|
|
||||||
/* Set the path to the selinuxfs mount point explicitly.
|
|
||||||
Normally, this is determined automatically during libselinux
|
|
||||||
initialization, but this is not always possible, e.g. for /sbin/init
|
|
||||||
which performs the initial mount of selinuxfs. */
|
|
||||||
void set_selinuxmnt(const char *mnt);
|
|
||||||
|
|
||||||
/* Check if selinuxfs exists as a kernel filesystem */
|
|
||||||
int selinuxfs_exists(void);
|
|
||||||
|
|
||||||
/* clear selinuxmnt variable and free allocated memory */
|
|
||||||
void fini_selinuxmnt(void);
|
|
||||||
|
|
||||||
/* Set an appropriate security context based on the filename of a helper
|
|
||||||
* program, falling back to a new context with the specified type. */
|
|
||||||
extern int setexecfilecon(const char *filename, const char *fallback_type);
|
|
||||||
|
|
||||||
#ifndef DISABLE_RPM
|
|
||||||
/* Execute a helper for rpm in an appropriate security context. */
|
|
||||||
extern int rpm_execcon(unsigned int verified,
|
|
||||||
const char *filename,
|
|
||||||
char *const argv[], char *const envp[]);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Returns whether a file context is customizable, and should not
|
|
||||||
be relabeled . */
|
|
||||||
extern int is_context_customizable(const char * scontext);
|
|
||||||
|
|
||||||
/* Perform context translation between the human-readable format
|
|
||||||
("translated") and the internal system format ("raw").
|
|
||||||
Caller must free the resulting context via freecon.
|
|
||||||
Returns -1 upon an error or 0 otherwise.
|
|
||||||
If passed NULL, sets the returned context to NULL and returns 0. */
|
|
||||||
extern int selinux_trans_to_raw_context(const char * trans,
|
|
||||||
char ** rawp);
|
|
||||||
extern int selinux_raw_to_trans_context(const char * raw,
|
|
||||||
char ** transp);
|
|
||||||
|
|
||||||
/* Perform context translation between security contexts
|
|
||||||
and display colors. Returns a space-separated list of ten
|
|
||||||
ten hex RGB triples prefixed by hash marks, e.g. "#ff0000".
|
|
||||||
Caller must free the resulting string via free.
|
|
||||||
Returns -1 upon an error or 0 otherwise. */
|
|
||||||
extern int selinux_raw_context_to_color(const char * raw,
|
|
||||||
char **color_str);
|
|
||||||
|
|
||||||
/* Get the SELinux username and level to use for a given Linux username.
|
|
||||||
These values may then be passed into the get_ordered_context_list*
|
|
||||||
and get_default_context* functions to obtain a context for the user.
|
|
||||||
Returns 0 on success or -1 otherwise.
|
|
||||||
Caller must free the returned strings via free. */
|
|
||||||
extern int getseuserbyname(const char *linuxuser, char **seuser, char **level);
|
|
||||||
|
|
||||||
/* Get the SELinux username and level to use for a given Linux username and service.
|
|
||||||
These values may then be passed into the get_ordered_context_list*
|
|
||||||
and get_default_context* functions to obtain a context for the user.
|
|
||||||
Returns 0 on success or -1 otherwise.
|
|
||||||
Caller must free the returned strings via free. */
|
|
||||||
extern int getseuser(const char *username, const char *service,
|
|
||||||
char **r_seuser, char **r_level);
|
|
||||||
|
|
||||||
/* Compare two file contexts, return 0 if equivalent. */
|
|
||||||
extern int selinux_file_context_cmp(const char * a,
|
|
||||||
const char * b);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Verify the context of the file 'path' against policy.
|
|
||||||
* Return 1 if match, 0 if not and -1 on error.
|
|
||||||
*/
|
|
||||||
extern int selinux_file_context_verify(const char *path, mode_t mode);
|
|
||||||
|
|
||||||
/* This function sets the file context on to the system defaults returns 0 on success */
|
|
||||||
extern int selinux_lsetfilecon_default(const char *path);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Force a reset of the loaded configuration
|
|
||||||
* WARNING: This is not thread safe. Be very sure that no other threads
|
|
||||||
* are calling into libselinux when this is called.
|
|
||||||
*/
|
|
||||||
extern void selinux_reset_config(void);
|
|
||||||
|
|
||||||
#ifdef __cplusplus
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
#endif
|
|
@ -1,10 +1,11 @@
|
|||||||
#include <stdbool.h>
|
#include <stdbool.h>
|
||||||
#include "selinux/avc.h"
|
#include <selinux/avc.h>
|
||||||
#include "selinux/context.h"
|
#include <selinux/context.h>
|
||||||
#include "selinux/get_context_list.h"
|
#include <selinux/get_context_list.h>
|
||||||
#include "selinux/get_default_type.h"
|
#include <selinux/get_default_type.h>
|
||||||
#include "selinux/restorecon.h"
|
#include <selinux/label.h>
|
||||||
#include "selinux/selinux.h"
|
#include <selinux/restorecon.h>
|
||||||
|
#include <selinux/selinux.h>
|
||||||
int is_selinux_enabled(void) { return 0; }
|
int is_selinux_enabled(void) { return 0; }
|
||||||
int is_selinux_mls_enabled(void) { return 0; }
|
int is_selinux_mls_enabled(void) { return 0; }
|
||||||
void freecon(char * con) { }
|
void freecon(char * con) { }
|
||||||
@ -225,7 +226,7 @@ int selinux_raw_to_trans_context(const char * raw,
|
|||||||
int selinux_raw_context_to_color(const char * raw,
|
int selinux_raw_context_to_color(const char * raw,
|
||||||
char **color_str) { return 0; }
|
char **color_str) { return 0; }
|
||||||
int getseuserbyname(const char *linuxuser, char **seuser, char **level) { return 0; }
|
int getseuserbyname(const char *linuxuser, char **seuser, char **level) { return 0; }
|
||||||
int getseuser(const char *username, const char *service,
|
int getseuser(const char *username, const char *service,
|
||||||
char **r_seuser, char **r_level) { return 0; }
|
char **r_seuser, char **r_level) { return 0; }
|
||||||
int selinux_file_context_cmp(const char * a,
|
int selinux_file_context_cmp(const char * a,
|
||||||
const char * b) { return 0; }
|
const char * b) { return 0; }
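Review bot: On the new side of the `@ -225,7` hunk, `getseuserbyname` and `getseuser` report success (`return 0`) without ever writing `*seuser`/`*level` or `*r_seuser`/`*r_level`, so a caller that follows the libselinux contract (0 means success, then free the returned strings) would free or dereference uninitialized pointers when linked against this stub. The stub should at least initialize the outputs before returning, e.g. `*seuser = NULL; *level = NULL;` (and the same for `getseuser`), or return -1 so callers take their failure path; which of the two the callers expect I cannot tell from this view. These lines are unchanged context in this commit and the file header for this section is not visible in the rendered view, so this concerns the stub's existing behaviour rather than the include changes in the first hunk.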
|