platform/external/busybox.git - Unnamed repository; edit this file 'description' to name the repository.

1 #ifndef BB_ANDROID_SELINUX_H
2 #define BB_ANDROID_SELINUX_H
3
4 #include <selinux/selinux.h>
5 #include <selinux/label.h>
6 #include <selinux/android.h>
7
8 /* Set the function used by matchpathcon_init when displaying
9    errors about the file_contexts configuration.  If not set,
10    then this defaults to fprintf(stderr, fmt, ...). */
11 extern void set_matchpathcon_printf(void (*f) (const char *fmt, ...));
12
13 /* Set the function used by matchpathcon_init when checking the
14    validity of a context in the file contexts configuration.  If not set,
15    then this defaults to a test based on security_check_context().
16    The function is also responsible for reporting any such error, and
17    may include the 'path' and 'lineno' in such error messages. */
18 extern void set_matchpathcon_invalidcon(int (*f) (const char *path,
19 						  unsigned lineno,
20 						  char *context));
21
22 /* Same as above, but also allows canonicalization of the context,
23    by changing *context to refer to the canonical form.  If not set,
24    and invalidcon is also not set, then this defaults to calling
25    security_canonicalize_context(). */
26 extern void set_matchpathcon_canoncon(int (*f) (const char *path,
27 						unsigned lineno,
28 						char **context));
29
30 /* Set flags controlling operation of matchpathcon_init or matchpathcon. */
31 #define MATCHPATHCON_BASEONLY 1	/* Only process the base file_contexts file. */
32 #define MATCHPATHCON_NOTRANS  2	/* Do not perform any context translation. */
33 #define MATCHPATHCON_VALIDATE 4	/* Validate/canonicalize contexts at init time. */
34 extern void set_matchpathcon_flags(unsigned int flags);
35
36 /* Load the file contexts configuration specified by 'path'
37    into memory for use by subsequent matchpathcon calls.
38    If 'path' is NULL, then load the active file contexts configuration,
39    i.e. the path returned by selinux_file_context_path().
40    Unless the MATCHPATHCON_BASEONLY flag has been set, this
41    function also checks for a 'path'.homedirs file and
42    a 'path'.local file and loads additional specifications
43    from them if present. */
44 extern int matchpathcon_init(const char *path);
45
46 /* Same as matchpathcon_init, but only load entries with
47    regexes that have stems that are prefixes of 'prefix'. */
48 extern int matchpathcon_init_prefix(const char *path, const char *prefix);
49
50 /* Free the memory allocated by matchpathcon_init. */
51 extern void matchpathcon_fini(void);
52
53 /* Resolve all of the symlinks and relative portions of a pathname, but NOT
54  * the final component (same a realpath() unless the final component is a
55  * symlink.  Resolved path must be a path of size PATH_MAX + 1 */
56 extern int realpath_not_final(const char *name, char *resolved_path);
57
58 /* Match the specified pathname and mode against the file contexts
59    configuration and set *con to refer to the resulting context.
60    'mode' can be 0 to disable mode matching.
61    Caller must free via freecon.
62    If matchpathcon_init has not already been called, then this function
63    will call it upon its first invocation with a NULL path. */
64 extern int matchpathcon(const char *path,
65 			mode_t mode, char ** con);
66
67 /* Same as above, but return a specification index for
68    later use in a matchpathcon_filespec_add() call - see below. */
69 extern int matchpathcon_index(const char *path,
70 			      mode_t mode, char ** con);
71
72 /* Maintain an association between an inode and a specification index,
73    and check whether a conflicting specification is already associated
74    with the same inode (e.g. due to multiple hard links).  If so, then
75    use the latter of the two specifications based on their order in the
76    file contexts configuration.  Return the used specification index. */
77 extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file);
78
79 /* Destroy any inode associations that have been added, e.g. to restart
80    for a new filesystem. */
81 extern void matchpathcon_filespec_destroy(void);
82
83 /* Display statistics on the hash table usage for the associations. */
84 extern void matchpathcon_filespec_eval(void);
85
86 /* Check to see whether any specifications had no matches and report them.
87    The 'str' is used as a prefix for any warning messages. */
88 extern void matchpathcon_checkmatches(char *str);
89
90 /*
91  * Verify the context of the file 'path' against policy.
92  * Return 1 if match, 0 if not and -1 on error.
93  */
94 extern int selinux_file_context_verify(const char *path, mode_t mode);
95
96 /* Get the default security context for a user session for 'user'
97    spawned by 'fromcon' and set *newcon to refer to it.  The context
98    will be one of those authorized by the policy, but the selection
99    of a default is subject to user customizable preferences.
100    If 'fromcon' is NULL, defaults to current context.
101    Returns 0 on success or -1 otherwise.
102    Caller must free via freecon. */
103 extern int get_default_context(const char* user, const char* fromcon,
104 			char ** newcon);
105
106 /* Check a permission in the passwd class.
107    Return 0 if granted or -1 otherwise. */
108 #define PASSWD__PASSWD  0x001UL
109 #define PASSWD__CHFN    0x002UL
110 #define PASSWD__CHSH    0x004UL
111 #define PASSWD__ROOTOK  0x008UL
112 #define PASSWD__CRONTAB 0x010UL
113 extern int selinux_check_passwd_access(access_vector_t requested);
114
115 #define lgetfilecon_raw(path, context) \
116 	lgetfilecon(path, context)
117
118 #define lsetfilecon_raw(path, scontext) \
119 	lsetfilecon(path, scontext)
120
121 #define selabel_lookup_raw(hnd, con, path, mode) \
122 	selabel_lookup(hnd, con, path, mode)
123
124 #define security_canonicalize_context_raw(context, newctx) \
125 	security_canonicalize_context(context, newctx)
126
127 #define getprevcon_raw(context) \
128 	getprevcon(context)
129
130 #define is_context_customizable(ctx) false
131
132 #define selinux_log(type, ...) bb_error_msg(__VA_ARGS__)
133
134 #define selinux_policy_root() "/sepolicy"
135
136 static int selinux_getenforcemode(int *rc)
137 {
138 	if (rc) {
139 		*rc = security_getenforce();
140 		return 0;
141 	}
142 	return -1;
143 }
144
145 static const char *selinux_file_contexts_path()
146 {
147 	return "/file_contexts";
148 }
149
150 #endif /* BB_ANDROID_SELINUX_H */
151
1	#ifndef BB_ANDROID_SELINUX_H
2	#define BB_ANDROID_SELINUX_H
3
4	#include <selinux/selinux.h>
5	#include <selinux/label.h>
6	#include <selinux/android.h>
7
8	/* Set the function used by matchpathcon_init when displaying
9	errors about the file_contexts configuration. If not set,
10	then this defaults to fprintf(stderr, fmt, ...). */
11	extern void set_matchpathcon_printf(void (f) (const char fmt, ...));
12
13	/* Set the function used by matchpathcon_init when checking the
14	validity of a context in the file contexts configuration. If not set,
15	then this defaults to a test based on security_check_context().
16	The function is also responsible for reporting any such error, and
17	may include the 'path' and 'lineno' in such error messages. */
18	extern void set_matchpathcon_invalidcon(int (f) (const char path,
19	unsigned lineno,
20	char *context));
21
22	/* Same as above, but also allows canonicalization of the context,
23	by changing *context to refer to the canonical form. If not set,
24	and invalidcon is also not set, then this defaults to calling
25	security_canonicalize_context(). */
26	extern void set_matchpathcon_canoncon(int (f) (const char path,
27	unsigned lineno,
28	char **context));
29
30	/* Set flags controlling operation of matchpathcon_init or matchpathcon. */
31	#define MATCHPATHCON_BASEONLY 1 /* Only process the base file_contexts file. */
32	#define MATCHPATHCON_NOTRANS 2 /* Do not perform any context translation. */
33	#define MATCHPATHCON_VALIDATE 4 /* Validate/canonicalize contexts at init time. */
34	extern void set_matchpathcon_flags(unsigned int flags);
35
36	/* Load the file contexts configuration specified by 'path'
37	into memory for use by subsequent matchpathcon calls.
38	If 'path' is NULL, then load the active file contexts configuration,
39	i.e. the path returned by selinux_file_context_path().
40	Unless the MATCHPATHCON_BASEONLY flag has been set, this
41	function also checks for a 'path'.homedirs file and
42	a 'path'.local file and loads additional specifications
43	from them if present. */
44	extern int matchpathcon_init(const char *path);
45
46	/* Same as matchpathcon_init, but only load entries with
47	regexes that have stems that are prefixes of 'prefix'. */
48	extern int matchpathcon_init_prefix(const char path, const char prefix);
49
50	/* Free the memory allocated by matchpathcon_init. */
51	extern void matchpathcon_fini(void);
52
53	/* Resolve all of the symlinks and relative portions of a pathname, but NOT
54	* the final component (same a realpath() unless the final component is a
55	* symlink. Resolved path must be a path of size PATH_MAX + 1 */
56	extern int realpath_not_final(const char name, char resolved_path);
57
58	/* Match the specified pathname and mode against the file contexts
59	configuration and set *con to refer to the resulting context.
60	'mode' can be 0 to disable mode matching.
61	Caller must free via freecon.
62	If matchpathcon_init has not already been called, then this function
63	will call it upon its first invocation with a NULL path. */
64	extern int matchpathcon(const char *path,
65	mode_t mode, char ** con);
66
67	/* Same as above, but return a specification index for
68	later use in a matchpathcon_filespec_add() call - see below. */
69	extern int matchpathcon_index(const char *path,
70	mode_t mode, char ** con);
71
72	/* Maintain an association between an inode and a specification index,
73	and check whether a conflicting specification is already associated
74	with the same inode (e.g. due to multiple hard links). If so, then
75	use the latter of the two specifications based on their order in the
76	file contexts configuration. Return the used specification index. */
77	extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file);
78
79	/* Destroy any inode associations that have been added, e.g. to restart
80	for a new filesystem. */
81	extern void matchpathcon_filespec_destroy(void);
82
83	/* Display statistics on the hash table usage for the associations. */
84	extern void matchpathcon_filespec_eval(void);
85
86	/* Check to see whether any specifications had no matches and report them.
87	The 'str' is used as a prefix for any warning messages. */
88	extern void matchpathcon_checkmatches(char *str);
89
90	/*
91	* Verify the context of the file 'path' against policy.
92	* Return 1 if match, 0 if not and -1 on error.
93	*/
94	extern int selinux_file_context_verify(const char *path, mode_t mode);
95
96	/* Get the default security context for a user session for 'user'
97	spawned by 'fromcon' and set *newcon to refer to it. The context
98	will be one of those authorized by the policy, but the selection
99	of a default is subject to user customizable preferences.
100	If 'fromcon' is NULL, defaults to current context.
101	Returns 0 on success or -1 otherwise.
102	Caller must free via freecon. */
103	extern int get_default_context(const char* user, const char* fromcon,
104	char ** newcon);
105
106	/* Check a permission in the passwd class.
107	Return 0 if granted or -1 otherwise. */
108	#define PASSWD__PASSWD 0x001UL
109	#define PASSWD__CHFN 0x002UL
110	#define PASSWD__CHSH 0x004UL
111	#define PASSWD__ROOTOK 0x008UL
112	#define PASSWD__CRONTAB 0x010UL
113	extern int selinux_check_passwd_access(access_vector_t requested);
114
115	#define lgetfilecon_raw(path, context) \
116	lgetfilecon(path, context)
117
118	#define lsetfilecon_raw(path, scontext) \
119	lsetfilecon(path, scontext)
120
121	#define selabel_lookup_raw(hnd, con, path, mode) \
122	selabel_lookup(hnd, con, path, mode)
123
124	#define security_canonicalize_context_raw(context, newctx) \
125	security_canonicalize_context(context, newctx)
126
127	#define getprevcon_raw(context) \
128	getprevcon(context)
129
130	#define is_context_customizable(ctx) false
131
132	#define selinux_log(type, ...) bb_error_msg(__VA_ARGS__)
133
134	#define selinux_policy_root() "/sepolicy"
135
136	static int selinux_getenforcemode(int *rc)
137	{
138	if (rc) {
139	*rc = security_getenforce();
140	return 0;
141	}
142	return -1;
143	}
144
145	static const char *selinux_file_contexts_path()
146	{
147	return "/file_contexts";
148	}
149
150	#endif /* BB_ANDROID_SELINUX_H */
151