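/******************************* */
/* Rule Set Based Access Control */
/* Author and (c) 1999-2004:     */
/* Amon Ott <ao@rsbac.org>       */
/* API: Data structures          */
/* and functions for Access      */
/* Control Information           */
/* Last modified: 23/Apr/2004    */
/******************************* */

#ifndef __RSBAC_ACI_H
#define __RSBAC_ACI_H

#include <rsbac/types.h>
#include <linux/init.h>

/***************************************************/
/* Prototypes                                      */
/***************************************************/

/* All functions return 0, if no error occurred, and a negative error code */
/* otherwise. The error codes are defined in rsbac_error.h.                */

/****************************************************************************/
/* Initialization, including ACI restoration for all mounted devices from   */
/* disk. After this call, all ACI is kept in memory for performance reasons,*/
/* but user and file/dir object ACI are written to disk on every change.    */
/*                                                                          */
/* root_dev: device holding the root filesystem.                            */
/* With CONFIG_RSBAC_INIT_DELAY the __init attribute is omitted, presumably */
/* because delayed initialization runs after the init sections have been    */
/* discarded - confirm against the implementation before changing this.     */

#ifdef CONFIG_RSBAC_INIT_DELAY
extern int rsbac_init(kdev_t root_dev);
#else
extern int rsbac_init(kdev_t root_dev) __init;
#endif

/* Notify RSBAC of new kernel thread (pid: the thread's process id) */
extern int rsbac_kthread_notify(rsbac_pid_t pid);

/* To turn RSBAC off on umount of root device. This disables enforcement,  */
/* so it is only meant for the root umount path, not for general callers.  */
extern void rsbac_off(void);

/* For other kernel parts to check, whether RSBAC was initialized correctly. */
/* NOTE(review): declared inline here but no definition is visible in this   */
/* header; it is presumably defined in the implementation file - confirm.    */
extern inline boolean rsbac_is_initialized(void);

/* When mounting a device, its ACI must be read and added to the ACI lists. */
/* sb_p: super block of the mounted device; d_covers: covered dentry.       */
extern int rsbac_mount(struct super_block * sb_p, struct dentry * d_covers);

/* When umounting a device, its ACI must be removed from the ACI lists.     */
/* Parameters as for rsbac_mount().                                         */
extern int rsbac_umount(struct super_block * sb_p, struct dentry * d_covers);

/* On pivot_root, we must unblock the dentry tree of the old root */
/* by putting all cached rsbac.dat dentries                       */
extern int rsbac_free_dat_dentries(void);

/* Some information about the current status is also available */
extern int rsbac_stats(void);

/* Trigger internal consistency check.                                */
/* correct:     if != 0, detected errors are corrected, not only      */
/*              reported.                                             */
/* check_inode: presumably selects an additional inode check - the    */
/*              exact meaning is not documented here, see the         */
/*              implementation.                                       */
extern int rsbac_check(int correct, int check_inode);

/* RSBAC attribute saving to disk can be triggered from outside.
 * need_lock: call lock_kernel() before disk access?
 */
#if defined(CONFIG_RSBAC_MAINT) || defined(CONFIG_RSBAC_AUTO_WRITE)
extern int rsbac_write(boolean need_lock);
#endif

/* get the parent of a target
 * target/tid:                      the target whose parent is wanted
 * parent_target_p/parent_tid_p:    receive the parent on success
 * returns -RSBAC_EINVALIDTARGET for non-fs targets
 * and -RSBAC_ENOTFOUND, if no parent available
 * In kernels >= 2.4.0, device_p->d_covers is used and the item is properly
 * locked for reading, so never call with a write lock held on device_p!
 */
extern int rsbac_get_parent(enum rsbac_target_t target,
                            union rsbac_target_id_t tid,
                            enum rsbac_target_t * parent_target_p,
                            union rsbac_target_id_t * parent_tid_p);

/****************************************************************************/
/* For objects, users and processes all manipulation is encapsulated by the */
/* function calls rsbac_set_attr, rsbac_get_attr and rsbac_remove_target.   */
/* Other kernel parts must go through these calls rather than touching the  */
/* ACI lists directly, so that every change is validated and written back.  */

/* Read one attribute of a target.
 * module:  the decision module the attribute belongs to
 * target:  kind of target (process, file, user, ...)
 * tid:     identifier of the target
 * attr:    which attribute to read
 * value_p: receives the attribute value on success
 * inherit: inherit the value from the parent if the target has none?
 */
extern int rsbac_get_attr(enum rsbac_switch_target_t module,
                          enum rsbac_target_t target,
                          union rsbac_target_id_t tid,
                          enum rsbac_attribute_t attr,
                          union rsbac_attribute_value_t * value_p,
                          boolean inherit);

/* Write one attribute of a target. Parameters as for rsbac_get_attr(),
 * value being the new attribute value.
 */
extern int rsbac_set_attr(enum rsbac_switch_target_t module,
                          enum rsbac_target_t target,
                          union rsbac_target_id_t tid,
                          enum rsbac_attribute_t attr,
                          union rsbac_attribute_value_t value);

/* All RSBAC targets should be removed, if no longer needed, to prevent */
/* memory wasting.                                                      */

extern int rsbac_remove_target(enum rsbac_target_t target,
                               union rsbac_target_id_t tid);

#ifdef CONFIG_RSBAC_DAZ_CACHE
/* Flush DAZuko cache lists */
extern int rsbac_daz_flush_cache(void);
#endif

#endif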