blob: 8a0cfb0e743d916dbce13d0511d8e0329d4860ef
1 | #ifndef BB_ANDROID_SELINUX_H |
2 | #define BB_ANDROID_SELINUX_H |
3 | |
4 | #include <selinux/selinux.h> |
5 | #include <selinux/label.h> |
6 | #include <selinux/android.h> |
7 | |
8 | /* Set the function used by matchpathcon_init when displaying |
9 | errors about the file_contexts configuration. If not set, |
10 | then this defaults to fprintf(stderr, fmt, ...). */ |
11 | extern void set_matchpathcon_printf(void (*f) (const char *fmt, ...)); |
12 | |
13 | /* Set the function used by matchpathcon_init when checking the |
14 | validity of a context in the file contexts configuration. If not set, |
15 | then this defaults to a test based on security_check_context(). |
16 | The function is also responsible for reporting any such error, and |
17 | may include the 'path' and 'lineno' in such error messages. */ |
18 | extern void set_matchpathcon_invalidcon(int (*f) (const char *path, |
19 | unsigned lineno, |
20 | char *context)); |
21 | |
22 | /* Same as above, but also allows canonicalization of the context, |
23 | by changing *context to refer to the canonical form. If not set, |
24 | and invalidcon is also not set, then this defaults to calling |
25 | security_canonicalize_context(). */ |
26 | extern void set_matchpathcon_canoncon(int (*f) (const char *path, |
27 | unsigned lineno, |
28 | char **context)); |
29 | |
30 | /* Set flags controlling operation of matchpathcon_init or matchpathcon. */ |
31 | #define MATCHPATHCON_BASEONLY 1 /* Only process the base file_contexts file. */ |
32 | #define MATCHPATHCON_NOTRANS 2 /* Do not perform any context translation. */ |
33 | #define MATCHPATHCON_VALIDATE 4 /* Validate/canonicalize contexts at init time. */ |
34 | extern void set_matchpathcon_flags(unsigned int flags); |
35 | |
36 | /* Load the file contexts configuration specified by 'path' |
37 | into memory for use by subsequent matchpathcon calls. |
38 | If 'path' is NULL, then load the active file contexts configuration, |
39 | i.e. the path returned by selinux_file_context_path(). |
40 | Unless the MATCHPATHCON_BASEONLY flag has been set, this |
41 | function also checks for a 'path'.homedirs file and |
42 | a 'path'.local file and loads additional specifications |
43 | from them if present. */ |
44 | extern int matchpathcon_init(const char *path); |
45 | |
46 | /* Same as matchpathcon_init, but only load entries with |
47 | regexes that have stems that are prefixes of 'prefix'. */ |
48 | extern int matchpathcon_init_prefix(const char *path, const char *prefix); |
49 | |
50 | /* Free the memory allocated by matchpathcon_init. */ |
51 | extern void matchpathcon_fini(void); |
52 | |
53 | /* Resolve all of the symlinks and relative portions of a pathname, but NOT |
54 | * the final component (same a realpath() unless the final component is a |
55 | * symlink. Resolved path must be a path of size PATH_MAX + 1 */ |
56 | extern int realpath_not_final(const char *name, char *resolved_path); |
57 | |
58 | /* Match the specified pathname and mode against the file contexts |
59 | configuration and set *con to refer to the resulting context. |
60 | 'mode' can be 0 to disable mode matching. |
61 | Caller must free via freecon. |
62 | If matchpathcon_init has not already been called, then this function |
63 | will call it upon its first invocation with a NULL path. */ |
64 | extern int matchpathcon(const char *path, |
65 | mode_t mode, char ** con); |
66 | |
67 | /* Same as above, but return a specification index for |
68 | later use in a matchpathcon_filespec_add() call - see below. */ |
69 | extern int matchpathcon_index(const char *path, |
70 | mode_t mode, char ** con); |
71 | |
72 | /* Maintain an association between an inode and a specification index, |
73 | and check whether a conflicting specification is already associated |
74 | with the same inode (e.g. due to multiple hard links). If so, then |
75 | use the latter of the two specifications based on their order in the |
76 | file contexts configuration. Return the used specification index. */ |
77 | extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file); |
78 | |
79 | /* Destroy any inode associations that have been added, e.g. to restart |
80 | for a new filesystem. */ |
81 | extern void matchpathcon_filespec_destroy(void); |
82 | |
83 | /* Display statistics on the hash table usage for the associations. */ |
84 | extern void matchpathcon_filespec_eval(void); |
85 | |
86 | /* Check to see whether any specifications had no matches and report them. |
87 | The 'str' is used as a prefix for any warning messages. */ |
88 | extern void matchpathcon_checkmatches(char *str); |
89 | |
90 | /* |
91 | * Verify the context of the file 'path' against policy. |
92 | * Return 1 if match, 0 if not and -1 on error. |
93 | */ |
94 | extern int selinux_file_context_verify(const char *path, mode_t mode); |
95 | |
96 | /* Get the default security context for a user session for 'user' |
97 | spawned by 'fromcon' and set *newcon to refer to it. The context |
98 | will be one of those authorized by the policy, but the selection |
99 | of a default is subject to user customizable preferences. |
100 | If 'fromcon' is NULL, defaults to current context. |
101 | Returns 0 on success or -1 otherwise. |
102 | Caller must free via freecon. */ |
103 | extern int get_default_context(const char* user, const char* fromcon, |
104 | char ** newcon); |
105 | |
106 | /* Check a permission in the passwd class. |
107 | Return 0 if granted or -1 otherwise. */ |
108 | #define PASSWD__PASSWD 0x001UL |
109 | #define PASSWD__CHFN 0x002UL |
110 | #define PASSWD__CHSH 0x004UL |
111 | #define PASSWD__ROOTOK 0x008UL |
112 | #define PASSWD__CRONTAB 0x010UL |
113 | extern int selinux_check_passwd_access(access_vector_t requested); |
114 | |
115 | #define lgetfilecon_raw(path, context) \ |
116 | lgetfilecon(path, context) |
117 | |
118 | #define lsetfilecon_raw(path, scontext) \ |
119 | lsetfilecon(path, scontext) |
120 | |
121 | #define selabel_lookup_raw(hnd, con, path, mode) \ |
122 | selabel_lookup(hnd, con, path, mode) |
123 | |
124 | #define security_canonicalize_context_raw(context, newctx) \ |
125 | security_canonicalize_context(context, newctx) |
126 | |
127 | #define getprevcon_raw(context) \ |
128 | getprevcon(context) |
129 | |
130 | #define is_context_customizable(ctx) false |
131 | |
132 | #define selinux_log(type, ...) bb_error_msg(__VA_ARGS__) |
133 | |
134 | #define selinux_policy_root() "/sepolicy" |
135 | |
136 | static int selinux_getenforcemode(int *rc) |
137 | { |
138 | if (rc) { |
139 | *rc = security_getenforce(); |
140 | return 0; |
141 | } |
142 | return -1; |
143 | } |
144 | |
145 | static const char *selinux_file_contexts_path() |
146 | { |
147 | return "/file_contexts"; |
148 | } |
149 | |
150 | #endif /* BB_ANDROID_SELINUX_H */ |
151 |