Chapter 11
Flask Security Framework

Flask is an operating system security architecture that provides flexible support for security policies. This chapter defines the Flask-related COM interfaces that are defined by header files in the oskit/flask directory. The sections of this chapter are:

An example implementation of an AVC component is available in com/avc.c. An example implementation of a security server component is available in security. An example implementation of file access control wrappers that use these interfaces is available in com/sfs*.c.

11.1 flask_types.h: basic Flask types and constants

This header file defines the basic types and constants used by the Flask-related COM interfaces. The architecture defines two policy-independent types for the set of security attributes associated with each subject and object controlled by the security policy. The security context type (oskit_security_context_t) is defined as a variable-length string that can be interpreted by any application or user with an understanding of the security policy. A security context might consist of several attributes, such as a user identity, a role, a type and a classification level.

To permit most object manager interactions to remain independent of both the format and the content of the security context, the security server defines a security identifier (SID) for each active security context. The SID type (oskit_security_id_t) is defined as a fixed-sized value that is mapped by the security server to a security context. The SID mapping cannot be assumed to be consistent either across executions (reboots) of the security server or across security servers on different nodes. Hence, SIDs may be lightweight; in the implementation, they are simply 32-bit integers.

The null (or zero-valued) SID is never a valid SID, but it may be used in extended object manager calls when no particular SID is specified. A wildcard SID, OSKIT_SECSID_WILD, is defined that matches any other SID when used for certain AVC operations. Certain SIDs (specified in flask/initial_sids) are predefined for system initialization. The corresponding constants are defined in the automatically generated header file flask/flask.h.

The security server computes access decisions based on a pair of SIDs. Typically, the SID pair consists of the SID of a subject invoking an operation and the SID of the object on which the operation was invoked. Rather than providing access decisions individually, the security server groups related access decisions into a bitmap referred to as an access vector. For example, a single access vector expresses the set of file permissions granted for a given SID pair.

The access vector type (oskit_access_vector_t) is defined as an unsigned 32-bit integer value. The bits within an access vector are interpreted differently depending on the class of the object. Each object class is identified by an unsigned 16-bit integer value of type oskit_security_class_t. The set of security classes is specified in flask/security_classes, with the corresponding constants in the automatically generated header file flask/flask.h. The permissions for each class are specified in flask/access_vectors, and the corresponding constants are defined in the automatically generated header file flask/av_permissions.h.

11.2 oskit_security: Security Server Interface

The oskit_security interface specifies the methods provided by a security server component for obtaining security decisions. The oskit_security COM interface inherits from IUnknown, and has the following additional methods:

compute_av:
Compute access vectors.
notify_perm:
Notify of completed operations.
transition_sid:
Compute a SID for a new object.
member_sid:
Compute the SID of a member in a polyinstantiated object.
sid_to_context:
Obtain the security context for a given SID.
context_to_sid:
Obtain a SID for a given security context.
register_avc:
Register an AVC component for policy change notifications.
unregister_avc:
Unregister an AVC component.
load_policy:
Load a new policy configuration.
fs_sid:
Obtain the SIDs for an unlabeled file system.
port_sid:
Obtain the SID of a port number.
netif_sid:
Obtain the SIDs of a network interface.
node_sid:
Obtain the SID of a network node.

11.2.1 compute_av: Compute access vectors

SYNOPSIS

#include <oskit/flask/security.h>

OSKIT_COMDECL oskit_security_compute_av(oskit_security_t *security, oskit_security_id_t ssid, oskit_security_id_t tsid, oskit_security_class_t tclass, oskit_access_vector_t requested, [out] oskit_access_vector_t *allowed, [out] oskit_access_vector_t *decided, [out] oskit_access_vector_t *auditallow, [out] oskit_access_vector_t *auditdeny, [out] oskit_access_vector_t *notify, [out] oskit_u32_t *seqno);

DESCRIPTION

The oskit_security_compute_av function computes access vectors based on a SID pair for the permissions in a particular class. An access vector cache (AVC) component calls this function when no valid entry exists for the requested permissions in the cache. The first SID parameter, ssid, is referred to as the source SID and the second SID parameter, tsid, is referred to as the target SID. The returned access vectors must contain decisions for every permission specified in the requested access vector.

The security server may optionally return decisions for other permissions in the same class. The decided access vector contains the set of permissions for which a decision was returned. The other returned access vectors may only be used for permissions in this set. The security server may choose to defer computation of permissions until they are explicitly requested.

The allowed access vector contains the set of granted permissions. The seqno parameter contains a sequence number associated with the access granting. If the sequence number provided by the latest policy change is greater than this value, then the access granting may be invalid and must be discarded. The sequence number addresses the issue of an interleaving of an access granting and a policy change.

The auditallow and auditdeny access vectors contain the set of permissions that should be audited when granted or when denied, respectively. These vectors enable the security server to precisely control the auditing of permission checks. The AVC component ensures that auditing is performed in accordance with these vectors.

The notify access vector contains the set of permissions for which the oskit_security_notify_perm function should be called when the operation associated with the permission has successfully completed. This vector permits the security server to request that the AVC component notify the security server of the successful completion of operations so that the security server may base its decisions on the history of operations in the system. This differs from merely basing decisions on the history of granted permissions, since an operation may still fail due to other conditions even if permission is granted for that operation.

PARAMETERS
security:
The security server.
ssid:
The source SID.
tsid:
The target SID.
tclass:
The target object security class.
requested:
The permissions to be checked.
allowed:
The set of granted permissions.
decided:
The set of decided permissions.
auditallow:
The set of permissions to audit when granted.
auditdeny:
The set of permissions to audit when denied.
notify:
The set of permissions to notify when used.
seqno:
The sequence number for the granting.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.
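The following is an added example, not OSKit code: a toy security server's compute_av over a small constructed policy table, followed by the checks an AVC applies to the answer (that decided covers requested, that the sequence number is not older than the latest policy change, and which audit and notify bits apply). The typedefs, SIDs, class and permission constants are stand-ins for the generated flask headers, and errno values stand in for the OSKit error codes.

```c
/* Added example: toy compute_av plus the AVC-side interpretation of its result. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t secid_t;     /* stand-in for oskit_security_id_t */
typedef uint32_t av_t;        /* stand-in for oskit_access_vector_t */
typedef uint16_t secclass_t;  /* stand-in for oskit_security_class_t */

#define SID_NULL   0u         /* the null SID is never valid */
#define SID_EDITOR 10u        /* constructed SIDs */
#define SID_DOC    20u
#define SID_SECRET 21u

#define SECCLASS_FILE 1u      /* constructed class number */
#define FILE__READ   0x1u     /* constructed permission bits for the file class */
#define FILE__WRITE  0x2u
#define FILE__EXEC   0x4u
#define FILE__UNLINK 0x8u
#define FILE__ALL    0xfu

/* One rule per (source, target, class): what is allowed, what to audit when
 * granted or denied, and which permissions need completion notification. */
struct rule { secid_t ssid, tsid; secclass_t tclass; av_t allow, auditallow, auditdeny, notify; };

static const struct rule policy[] = {   /* constructed policy */
    { SID_EDITOR, SID_DOC,    SECCLASS_FILE, FILE__READ | FILE__WRITE, 0,          FILE__ALL, FILE__WRITE },
    { SID_EDITOR, SID_SECRET, SECCLASS_FILE, FILE__READ,               FILE__READ, FILE__ALL, 0           },
};

static uint32_t policy_seqno = 5;   /* sequence number of the currently loaded policy */

/* Decides every permission of the class in one call, so decided always covers
 * requested; anything not granted by a rule is denied. */
static int ss_compute_av(secid_t ssid, secid_t tsid, secclass_t tclass, av_t requested,
                         av_t *allowed, av_t *decided, av_t *auditallow,
                         av_t *auditdeny, av_t *notify, uint32_t *seqno)
{
    size_t i;
    (void)requested;                        /* this toy server never defers a permission */
    if (ssid == SID_NULL || tsid == SID_NULL || tclass != SECCLASS_FILE)
        return EINVAL;
    *allowed = *auditallow = *auditdeny = *notify = 0;
    *decided = FILE__ALL;
    for (i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        const struct rule *r = &policy[i];
        if (r->ssid == ssid && r->tsid == tsid && r->tclass == tclass) {
            *allowed |= r->allow;
            *auditallow |= r->auditallow;
            *auditdeny |= r->auditdeny;
            *notify |= r->notify;
        }
    }
    *seqno = policy_seqno;
    return 0;
}

/* What an AVC concludes from the server's answer. */
struct decision {
    int rc;        /* 0 granted, EACCES denied, EAGAIN stale, or the server's error */
    int audit;     /* 1 if this check must produce an audit record */
    av_t notify;   /* permissions whose completion must be reported via notify_perm */
};

static struct decision avc_decide(secid_t ssid, secid_t tsid, secclass_t tclass,
                                  av_t requested, uint32_t latest_change)
{
    struct decision d = { 0, 0, 0 };
    av_t allowed, decided, auditallow, auditdeny, notify, denied;
    uint32_t seqno;

    d.rc = ss_compute_av(ssid, tsid, tclass, requested, &allowed, &decided,
                         &auditallow, &auditdeny, &notify, &seqno);
    if (d.rc)
        return d;
    if (requested & ~decided) {          /* server broke its contract: do not guess */
        d.rc = EINVAL;
        return d;
    }
    if (seqno < latest_change) {         /* granting interleaved with a policy change */
        d.rc = EAGAIN;
        return d;
    }
    denied = requested & ~allowed;
    if (denied) {
        d.rc = EACCES;
        d.audit = (denied & auditdeny) != 0;
        return d;
    }
    d.audit = (requested & auditallow) != 0;
    d.notify = requested & notify;
    return d;
}

int main(void)
{
    struct decision d = avc_decide(SID_EDITOR, SID_DOC, SECCLASS_FILE, FILE__READ | FILE__WRITE, 5);
    printf("rc=%d audit=%d notify=0x%x\n", d.rc, d.audit, d.notify);
    return 0;
}
```

The order of the checks matters: a stale sequence number is rejected before any permission is granted, so a granting that raced with a policy change can never leak into the cache, and a requested bit that the server did not decide is treated as an error rather than silently as a denial or a grant.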

11.2.2 notify_perm: Notify of completed operations

SYNOPSIS

#include <oskit/flask/security.h>

OSKIT_COMDECL oskit_security_notify_perm(oskit_security_t *security, oskit_security_id_t ssid, oskit_security_id_t tsid, oskit_security_class_t tclass, oskit_access_vector_t requested);

DESCRIPTION

The oskit_security_notify_perm function notifies the security server that an operation associated with the permissions in the requested access vector has completed successfully. The AVC component calls this function when an object manager reports to it that an operation has completed successfully and any of the requested permissions are in the corresponding notify vector.

PARAMETERS
security:
The security server.
ssid:
The source SID.
tsid:
The target SID.
tclass:
The target object security class.
requested:
The permissions to be checked.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.

11.2.3 transition_sid: Compute a SID for a new object

SYNOPSIS

#include <oskit/flask/security.h>

OSKIT_COMDECL oskit_security_transition_sid(oskit_security_t *security, oskit_security_id_t ssid, oskit_security_id_t tsid, oskit_security_class_t tclass, [out] oskit_security_id_t *out_sid);

DESCRIPTION

The oskit_security_transition_sid function computes a SID for a new object based on a SID pair and a class. The object managers call this function when objects are created if a SID was not specified for the object and there is more than one relevant SID that might be used as input in determining the SID of the new object. In particular, the file system code calls this function to obtain the SID of a new file based on the SID of the creating process and the SID of the parent directory, and the process management code calls this function to obtain the SID of a process transformed by an execve based on the current SID of the process and the SID of the executable program.

PARAMETERS
security:
The security server.
ssid:
The source SID.
tsid:
The target SID.
tclass:
The security class of the object to be labeled.
out_sid:
The SID with which to label the object.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.

11.2.4 member_sid: Compute a SID for a member object

SYNOPSIS

#include <oskit/flask/security.h>

OSKIT_COMDECL oskit_security_member_sid(oskit_security_t *security, oskit_security_id_t ssid, oskit_security_id_t tsid, oskit_security_class_t tclass, [out] oskit_security_id_t *out_sid);

DESCRIPTION

The oskit_security_member_sid function computes a SID to use when selecting a member of a polyinstantiated object based on a SID pair and a class. Certain fixed resources, such as the /tmp directory or the TCP/UDP port number spaces, need to be polyinstantiated to restrict sharing among processes. Each instantiation is referred to as a member. The object managers call this function when a polyinstantiated object is accessed and then transparently redirect the process to the appropriate member.

PARAMETERS
security:
The security server.
ssid:
The source SID.
tsid:
The target SID.
tclass:
The security class of the polyinstantiated object.
out_sid:
The SID of the instance to be used.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.

11.2.5 sid_to_context: Obtain the security context for a given SID

SYNOPSIS

#include <oskit/flask/security.h>

OSKIT_COMDECL oskit_security_sid_to_context(oskit_security_t *security, oskit_security_id_t sid, [out] oskit_security_context_t *scontext, [out] oskit_u32_t *scontext_len);

DESCRIPTION

The oskit_security_sid_to_context function returns the security context associated with a particular SID. The scontext parameter is set to point to a dynamically-allocated string of the correct size. The scontext_len parameter is set to the length of the security context string, including the terminating NULL character.

PARAMETERS
security:
The security server.
sid:
The SID.
scontext:
The security context.
scontext_len:
The length of the security context in bytes.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.

11.2.6 context_to_sid: Obtain the SID for a given security context

SYNOPSIS

#include <oskit/flask/security.h>

OSKIT_COMDECL oskit_security_context_to_sid(oskit_security_t *security, oskit_security_context_t scontext, oskit_u32_t scontext_len, [out] oskit_security_id_t *out_sid);

DESCRIPTION

The oskit_security_context_to_sid function returns a SID associated with a particular security context. The scontext_len parameter specifies the length of the security context string, including the terminating NULL character.

PARAMETERS
security:
The security server.
scontext:
The security context.
scontext_len:
The length of the security context in bytes.
out_sid:
The SID.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.
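The following is an added example, not OSKit code, covering sid_to_context and context_to_sid together: a toy SID table that interns security context strings and hands back SIDs. It enforces the length convention of both methods (scontext_len counts the terminating NUL), rejects the null SID, validates a context before interning it, and returns a freshly allocated copy from sid_to_context as the description requires. The "user:role:type" context syntax, the size of the reserved initial-SID range and the table size are assumptions made for the example; errno values stand in for the OSKit error codes.

```c
/* Added example: toy SID table behind context_to_sid / sid_to_context. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t secid_t;            /* stand-in for oskit_security_id_t */

#define SID_NULL          0u         /* never a valid SID */
#define INITIAL_SID_COUNT 8u         /* assumption: SIDs 1..8 reserved for initial SIDs */
#define MAX_SIDS          64u        /* assumption: fixed table size for the example */

static char   *sidtab[MAX_SIDS];     /* index is the SID; NULL means unassigned */
static secid_t next_sid;             /* first SID free for dynamic assignment */

static char *dup_bytes(const char *s, size_t n)
{
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Assumed context format: exactly "user:role:type" with three non-empty fields.
 * A real security server would check each field against the loaded policy. */
static int context_is_valid(const char *ctx)
{
    int fields = 1, len = 0;
    for (; *ctx; ctx++) {
        if (*ctx == ':') {
            if (len == 0)
                return 0;
            fields++;
            len = 0;
        } else {
            len++;
        }
    }
    return fields == 3 && len > 0;
}

/* Populate the initial-SID range; idempotent so it can be called freely. */
static void sidtab_init(void)
{
    static const char kernel_ctx[] = "system_u:system_r:kernel_t";   /* constructed */
    if (next_sid)
        return;
    sidtab[1] = dup_bytes(kernel_ctx, sizeof kernel_ctx);
    next_sid = INITIAL_SID_COUNT + 1;
}

/* scontext_len counts the terminating NUL, so it must equal strlen + 1 exactly. */
static int ss_context_to_sid(const char *scontext, uint32_t scontext_len, secid_t *out_sid)
{
    secid_t s;
    if (scontext_len == 0 || strlen(scontext) + 1 != scontext_len)
        return EINVAL;
    if (!context_is_valid(scontext))
        return EINVAL;
    for (s = 1; s < next_sid; s++)               /* reuse an existing mapping */
        if (sidtab[s] && strcmp(sidtab[s], scontext) == 0) {
            *out_sid = s;
            return 0;
        }
    if (next_sid >= MAX_SIDS)
        return ENOMEM;
    sidtab[next_sid] = dup_bytes(scontext, scontext_len);
    if (!sidtab[next_sid])
        return ENOMEM;
    *out_sid = next_sid++;
    return 0;
}

/* Returns a freshly allocated copy that the caller frees; length includes the NUL. */
static int ss_sid_to_context(secid_t sid, char **scontext, uint32_t *scontext_len)
{
    size_t n;
    if (sid == SID_NULL || sid >= next_sid || !sidtab[sid])
        return EINVAL;
    n = strlen(sidtab[sid]) + 1;
    *scontext = dup_bytes(sidtab[sid], n);
    if (!*scontext)
        return ENOMEM;
    *scontext_len = (uint32_t)n;
    return 0;
}
```

Because dynamic SIDs are handed out in first-seen order, the number a given context receives depends on the order of requests in this execution, which is exactly why the architecture says SID values must not be assumed stable across reboots or across security servers.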

11.2.7 register_avc: Register an AVC component for policy change notifications

SYNOPSIS

#include <oskit/flask/security.h>

OSKIT_COMDECL oskit_security_register_avc(oskit_security_t *security, oskit_security_class_t *classes, oskit_u32_t nclasses, oskit_avc_ss_t *avc);

DESCRIPTION

This method registers an AVC component for policy change notifications.

PARAMETERS
security:
The security server.
classes:
The array of security classes relevant to the AVC.
nclasses:
The number of security classes.
avc:
The AVC component.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.

11.2.8 unregister_avc: Unregister an AVC component

SYNOPSIS

#include <oskit/flask/security.h>

OSKIT_COMDECL oskit_security_unregister_avc(oskit_security_t *security, oskit_avc_ss_t *avc);

DESCRIPTION

This method unregisters an AVC component.

PARAMETERS
security:
The security server.
avc:
The AVC component.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.

11.2.9 load_policy: Load a new policy configuration

SYNOPSIS

#include <oskit/flask/security.h>

OSKIT_COMDECL oskit_security_load_policy(oskit_security_t *security, oskit_openfile_t *openfile);

DESCRIPTION

This method loads a new policy configuration from openfile. The security server notifies any registered AVC components of any policy changes caused by the new configuration.

PARAMETERS
security:
The security server.
openfile:
The open file.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.

11.2.10 fs_sid: Obtain SIDs for an unlabeled file system

SYNOPSIS

#include <oskit/flask/security.h>

OSKIT_COMDECL oskit_security_fs_sid(oskit_security_t *security, char *name, [out] oskit_security_id_t *fs_sid, [out] oskit_security_id_t *file_sid);

DESCRIPTION

The oskit_security_fs_sid function returns SIDs to use for an unlabeled file system mounted from the device specified by name. The file system code calls this function when a process attempts to mount an unlabeled file system. The value for the name parameter is a string of the form "major:minor" where both the major and minor number are in hexadecimal and are right justified in a two character field, as returned by the kdevname function on the device number. The fs_sid parameter is set to the SID to use for the file system, and the file_sid parameter is set to the SID to use for any existing files in the file system.

PARAMETERS
security:
The security server.
name:
The name of the device.
fs_sid:
The file system SID.
file_sid:
The file SID.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.

11.2.11 port_sid: Obtain the SID for a port number

SYNOPSIS

#include <oskit/flask/security.h>

OSKIT_COMDECL oskit_security_port_sid(oskit_security_t *security, oskit_u16_t domain, oskit_u16_t type, oskit_u8_t protocol, oskit_u16_t port, [out] oskit_security_id_t *sid);

DESCRIPTION

The oskit_security_port_sid function returns the SID to use for the port number port in the protocol specified by the triple (domain, type, protocol).

PARAMETERS
security:
The security server.
domain:
The communications domain/address family.
type:
The socket type.
protocol:
The protocol.
port:
The port number.
sid:
The SID of the port number.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.

11.2.12 netif_sid: Obtain SIDs for a network interface

SYNOPSIS

#include <oskit/flask/security.h>

OSKIT_COMDECL oskit_security_netif_sid(oskit_security_t *security, char *name, [out] oskit_security_id_t *if_sid, [out] oskit_security_id_t *msg_sid);

DESCRIPTION

The oskit_security_netif_sid function returns SIDs to use for a network interface. The value for the name parameter is typically the driver name followed by the unit number, e.g. the name eth0 would be used for the first Ethernet interface. The if_sid parameter is set to the SID to use for the interface, and the msg_sid parameter is set to the SID to use for any unlabeled messages received on the interface.

PARAMETERS
security:
The security server.
name:
The name of the interface.
if_sid:
The interface SID.
msg_sid:
The default message SID.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.

11.2.13 node_sid: Obtain the SID for a network node

SYNOPSIS

#include <oskit/flask/security.h>

OSKIT_COMDECL oskit_security_node_sid(oskit_security_t *security, oskit_u16_t domain, void *addr, oskit_u32_t addrlen, [out] oskit_security_id_t *sid);

DESCRIPTION

The oskit_security_node_sid function returns the SID to use for the node whose address is specified by addr. The addrlen parameter specifies the length of the address in bytes, and the domain parameter specifies the communications domain or address family in which the address should be interpreted.

PARAMETERS
security:
The security server.
domain:
The communications domain/address family.
addr:
The address.
addrlen:
The length of the address in bytes.
sid:
The SID of the node.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.

11.3 oskit_avc: AVC Interface

The oskit_avc interface specifies the methods provided by an access vector cache (AVC) component to object managers. These methods are used by object managers to perform permission checks, to notify the AVC component of completed operations and to register callbacks for policy changes.

The AVC entry reference type (oskit_avc_entry_ref_t) consists of a pointer to an entry in the AVC. The AVC returns a reference to the entry used for a permission check. An object manager may save this reference with the corresponding object for subsequent use in other permission checks on the object. An object manager must initialize a reference before its first use with the OSKIT_AVC_ENTRY_REF_INIT macro. An object manager may copy a reference with the OSKIT_AVC_ENTRY_REF_CPY macro. AVC entry references should only be dereferenced by the AVC functions.

The oskit_avc COM interface inherits from IUnknown, and has the following additional methods:

has_perm_ref:
Check permissions.
notify_perm_ref:
Notify of completed operations.
add_callback:
Register a callback for a policy change event.
remove_callback:
Remove a previously registered callback.
log_contents:
Log the contents of the AVC.
log_stats:
Log the AVC usage statistics.

11.3.1 has_perm_ref: Check permissions

SYNOPSIS

#include <oskit/flask/avc.h>

OSKIT_COMDECL oskit_avc_has_perm_ref(oskit_avc_t *avc, oskit_security_id_t ssid, oskit_security_id_t tsid, oskit_security_class_t tclass, oskit_access_vector_t requested, [in/out] oskit_avc_entry_ref_t *aeref);

DESCRIPTION

The oskit_avc_has_perm_ref inline function determines whether the requested permissions are granted for the specified SID pair and class. If aeref refers to a valid AVC entry for this permission check, then the referenced entry is used. Otherwise, this function obtains a valid entry and sets aeref to refer to this entry. To obtain a valid entry, this function first searches the cache. If this fails, then this function calls the oskit_security_compute_av interface of the security server to compute the access vectors and adds a new entry to the cache. If the appropriate audit access vector (auditallow or auditdeny) in the entry indicates that the permission check should be audited, then this function audits the permission check.

The object managers call this function to perform permission checks. Object managers may also use a variant of this function, avc_has_perm, in order to omit the reference parameter.

PARAMETERS
avc:
The access vector cache.
ssid:
The source SID.
tsid:
The target SID.
tclass:
The target object class.
requested:
The permissions to be checked.
aeref:
The reference to an AVC entry.
RETURNS

This function returns 0 if permission is granted. If the security server returns an error upon an oskit_security_compute_av call, then this function returns that error. If the security server returns a sequence number that is less than the latest policy change sequence number, then this function discards the security server response and returns OSKIT_EAGAIN. If permission is denied, then this function returns OSKIT_EACCES.

11.3.2 notify_perm_ref: Notify of completed operations

SYNOPSIS

#include <oskit/flask/avc.h>

OSKIT_COMDECL oskit_avc_notify_perm_ref(oskit_avc_t *avc, oskit_security_id_t ssid, oskit_security_id_t tsid, oskit_security_class_t tclass, oskit_access_vector_t requested, [in/out] oskit_avc_entry_ref_t *aeref);

DESCRIPTION

The oskit_avc_notify_perm_ref inline function notifies the AVC component that an operation associated with the requested permissions has completed successfully. If any of the requested permissions are in the notify access vector of the corresponding AVC entry, then this function calls the oskit_security_notify_perm interface of the security server to notify the security server that the operation has completed successfully. If aeref refers to a valid AVC entry for the requested permissions, then the referenced entry is used to obtain the notify vector. Otherwise, this function obtains a valid entry and sets aeref to refer to this entry in the same manner as oskit_avc_has_perm_ref.

The object managers call this function to notify the AVC component of operation completion. Object managers may also use a variant of this function, avc_notify_perm, in order to omit the reference parameter.

PARAMETERS
avc:
The access vector cache.
ssid:
The source SID.
tsid:
The target SID.
tclass:
The target object class.
requested:
The permissions to be checked.
aeref:
The reference to an AVC entry.
RETURNS

This function returns 0 if the notification was successful. If the security server returns an error upon an oskit_security_compute_av or an oskit_security_notify_perm call, then this function returns that error. If the security server returns a sequence number that is less than the latest policy change sequence number, then this function discards the security server response and returns OSKIT_EAGAIN.
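The following is an added example, not OSKit code, covering has_perm_ref and notify_perm_ref together: a miniature access vector cache showing the lookup order (the entry reference, then the cache, then the security server), the rule that an entry may only serve a check whose requested permissions it has decided, the sequence-number check that turns a stale server answer into EAGAIN, auditing driven by the auditallow and auditdeny vectors, and a notification call made only when a requested permission is in the entry's notify vector. The types, macros, SIDs, class and permission bits are constructed stand-ins for the flask headers, the security server is a few-line stub with a constructed policy, and errno values stand in for the OSKit error codes.

```c
/* Added example: toy AVC with entry references, staleness check, audit and notify. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t secid_t;     /* stand-ins for the oskit_* types */
typedef uint32_t av_t;
typedef uint16_t secclass_t;

#define SECCLASS_FILE 1u      /* constructed class, permission bits and SIDs */
#define FILE__READ    0x1u
#define FILE__WRITE   0x2u
#define FILE__EXEC    0x4u
#define FILE__ALL     0x7u
#define SID_EDITOR    10u
#define SID_DOC       20u

struct avc_entry {
    int valid;
    secid_t ssid, tsid;
    secclass_t tclass;
    av_t allowed, decided, auditallow, auditdeny, notify;
    uint32_t seqno;
};
typedef struct { struct avc_entry *ae; } avc_entry_ref_t;   /* stand-in for oskit_avc_entry_ref_t */
#define AVC_ENTRY_REF_INIT(r) ((r)->ae = NULL)              /* stand-in for OSKIT_AVC_ENTRY_REF_INIT */

#define AVC_SLOTS 8
static struct avc_entry avc_cache[AVC_SLOTS];
static uint32_t avc_latest_change = 3;   /* latest policy change seqno the AVC has seen */
static uint32_t ss_policy_seqno = 3;     /* what the stub security server reports */
static int compute_av_calls, notify_calls, audit_records;   /* the counters log_stats would report */

/* Stub security server with a constructed policy: editor may read and write doc,
 * writes need completion notification, every denial is audited, all else denied. */
static int ss_compute_av(secid_t ssid, secid_t tsid, secclass_t tclass, struct avc_entry *ae)
{
    compute_av_calls++;
    ae->decided = FILE__ALL; ae->allowed = 0; ae->auditallow = 0;
    ae->auditdeny = FILE__ALL; ae->notify = 0;
    if (ssid == SID_EDITOR && tsid == SID_DOC && tclass == SECCLASS_FILE) {
        ae->allowed = FILE__READ | FILE__WRITE;
        ae->notify = FILE__WRITE;
    }
    ae->seqno = ss_policy_seqno;
    return 0;
}

static int ss_notify_perm(secid_t ssid, secid_t tsid, secclass_t tclass, av_t requested)
{
    (void)ssid; (void)tsid; (void)tclass; (void)requested;
    notify_calls++;
    return 0;
}

/* An entry serves a check only for the same SID pair and class and only if it
 * has decided every requested permission. */
static int entry_serves(const struct avc_entry *ae, secid_t ssid, secid_t tsid,
                        secclass_t tclass, av_t requested)
{
    return ae && ae->valid && ae->ssid == ssid && ae->tsid == tsid && ae->tclass == tclass
        && (requested & ~ae->decided) == 0;
}

/* Point aeref at a usable entry: the reference, then the cache, then the server. */
static int avc_lookup(secid_t ssid, secid_t tsid, secclass_t tclass, av_t requested,
                      avc_entry_ref_t *aeref)
{
    int i, rc;
    struct avc_entry *ae;
    if (entry_serves(aeref->ae, ssid, tsid, tclass, requested))
        return 0;
    for (i = 0; i < AVC_SLOTS; i++)
        if (entry_serves(&avc_cache[i], ssid, tsid, tclass, requested)) {
            aeref->ae = &avc_cache[i];
            return 0;
        }
    for (i = 0; i < AVC_SLOTS && avc_cache[i].valid; i++)
        ;
    ae = &avc_cache[i == AVC_SLOTS ? 0 : i];      /* crude replacement: reuse slot 0 when full */
    ae->valid = 0;
    rc = ss_compute_av(ssid, tsid, tclass, ae);
    if (rc)
        return rc;
    if (ae->seqno < avc_latest_change)            /* a policy change overtook this answer */
        return EAGAIN;
    ae->ssid = ssid; ae->tsid = tsid; ae->tclass = tclass; ae->valid = 1;
    aeref->ae = ae;
    return 0;
}

static int avc_has_perm_ref(secid_t ssid, secid_t tsid, secclass_t tclass, av_t requested,
                            avc_entry_ref_t *aeref)
{
    av_t denied;
    int rc = avc_lookup(ssid, tsid, tclass, requested, aeref);
    if (rc)
        return rc;
    denied = requested & ~aeref->ae->allowed;
    if (denied) {
        if (denied & aeref->ae->auditdeny) audit_records++;
        return EACCES;
    }
    if (requested & aeref->ae->auditallow) audit_records++;
    return 0;
}

static int avc_notify_perm_ref(secid_t ssid, secid_t tsid, secclass_t tclass, av_t requested,
                               avc_entry_ref_t *aeref)
{
    int rc = avc_lookup(ssid, tsid, tclass, requested, aeref);
    if (rc)
        return rc;
    if (requested & aeref->ae->notify)
        return ss_notify_perm(ssid, tsid, tclass, requested);
    return 0;
}
```

A reference saved by an object manager can point at a slot that has since been reused for another SID pair; entry_serves re-checks the pair, class and decided vector every time, which is what makes the saved reference a cache hint rather than something the object manager must keep consistent itself.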

11.3.3 add_callback: Register a callback for a policy change event

SYNOPSIS

#include <oskit/flask/avc.h>

OSKIT_COMDECL oskit_avc_add_callback(oskit_avc_t *avc, oskit_avc_callback_t *callback, oskit_u32_t events, oskit_security_id_t ssid, oskit_security_id_t tsid, oskit_security_class_t tclass, oskit_access_vector_t perms);

DESCRIPTION

The oskit_avc_add_callback function registers an object manager callback function callback with the AVC component for policy change notifications. When the security server calls an AVC interface that corresponds to an event in the set events with a SID pair, class and permissions that match ssid, tsid, tclass and perms, the AVC component calls the registered callback function with the parameters provided by the security server. The callback function may then update any affected permissions that are retained in the state of the object manager. The wildcard SID, OSKIT_SECSID_WILD, may be used for the ssid and tsid parameters to match all SID values. Permission vectors match if they have a non-null intersection. The meaning of each event value is explained in the description of the corresponding interface in the next section.

PARAMETERS
avc:
The access vector cache.
callback:
The callback.
events:
The events. Legal events are:
OSKIT_AVC_CALLBACK_GRANT:
Grant permissions.
OSKIT_AVC_CALLBACK_TRY_REVOKE:
Revoke permissions if not retained.
OSKIT_AVC_CALLBACK_REVOKE:
Revoke permissions.
OSKIT_AVC_CALLBACK_RESET:
Recheck permissions.
OSKIT_AVC_CALLBACK_AUDITALLOW_ENABLE:
Enable auditing of permission grantings.
OSKIT_AVC_CALLBACK_AUDITALLOW_DISABLE:
Disable auditing of permission grantings.
OSKIT_AVC_CALLBACK_AUDITDENY_ENABLE:
Enable auditing of permission denials.
OSKIT_AVC_CALLBACK_AUDITDENY_DISABLE:
Disable auditing of permission denials.
ssid:
The source SID.
tsid:
The target SID.
tclass:
The target object security class.
perms:
The permissions.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.

11.3.4 remove_callback: Remove a previously registered callback

SYNOPSIS

#include <oskit/flask/avc.h>

OSKIT_COMDECL oskit_avc_remove_callback(oskit_avc_t *avc, oskit_avc_callback_t *callback);

DESCRIPTION

This method removes the specified callback.

PARAMETERS
avc:
The access vector cache.
callback:
The callback.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.

11.3.5 log_contents: Log the contents of the AVC

SYNOPSIS

#include <oskit/flask/avc.h>

OSKIT_COMDECL oskit_avc_log_contents(oskit_avc_t *avc, int priority, char *tag);

DESCRIPTION

This method logs the contents of the AVC.

PARAMETERS
avc:
The access vector cache.
priority:
The log priority.
tag:
The log prefix tag.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.

11.3.6 log_stats: Log the AVC usage statistics

SYNOPSIS

#include <oskit/flask/avc.h>

OSKIT_COMDECL oskit_avc_log_stats(oskit_avc_t *avc, int priority, char *tag);

DESCRIPTION

This method logs the statistics of the AVC.

PARAMETERS
avc:
The access vector cache.
priority:
The log priority.
tag:
The log prefix tag.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.

11.4 oskit_avc_ss: AVC Interface for the Security Server

The oskit_avc_ss interface specifies the methods provided by an AVC component to the security server. These methods are used by the security server to manage the cache as needed for policy changes. The oskit_avc_ss COM interface inherits from IUnknown, and has the following additional methods:

grant:
Grant previously denied permissions.
try_revoke:
Revoke previously granted permissions if those permissions are not retained in the state of the object manager. Return any retained permissions.
revoke:
Revoke previously granted permissions.
reset:
Reset the cache to its initial state and recheck all retained permissions.
set_auditallow:
Enable or disable the auditing of granted permissions.
set_auditdeny:
Enable or disable the auditing of denied permissions.
set_notify:
Enable or disable the notification of used permissions.

11.4.1 grant: Grant previously denied permissions

SYNOPSIS

#include <oskit/flask/avc_ss.h>

OSKIT_COMDECL oskit_avc_ss_grant(oskit_avc_ss_t *avc, oskit_security_id_t ssid, oskit_security_id_t tsid, oskit_security_class_t tclass, oskit_access_vector_t perms, oskit_u32_t seqno);

DESCRIPTION

The oskit_avc_ss_grant function grants previously denied permissions for a SID pair and class. The wildcard SID, OSKIT_SECSID_WILD, may be used for the ssid and tsid parameters to match all SID values. This function adds the permissions in perms to the allowed vector in any matching entries in the cache. It then calls any callbacks registered by an object manager for the OSKIT_AVC_CALLBACK_GRANT event with a matching SID pair, class and permissions. Permission vectors match if they have a non-null intersection. This function updates the latest policy change sequence number to the greater of its current value and the seqno value.

PARAMETERS
avc:
The access vector cache.
ssid:
The source SID.
tsid:
The target SID.
tclass:
The target object security class.
perms:
The permissions.
seqno:
The sequence number for the policy change.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.

11.4.2 try_revoke: Try to revoke previously granted permissions

SYNOPSIS

#include <oskit/flask/avc_ss.h>

OSKIT_COMDECL oskit_avc_ss_try_revoke(oskit_avc_ss_t *avc, oskit_security_id_t ssid, oskit_security_id_t tsid, oskit_security_class_t tclass, oskit_access_vector_t perms, oskit_u32_t seqno, [out] oskit_access_vector_t *out_retained);

DESCRIPTION

The oskit_avc_ss_try_revoke function tries to revoke previously granted permissions for a SID pair and class, but only if they are not retained in the state of an object manager. If any of the permissions in perms are retained, the retained permissions are returned in out_retained. The wildcard SID, OSKIT_SECSID_WILD, may be used for the ssid and tsid parameters to match all SID values. This function calls any callbacks registered by an object manager for the OSKIT_AVC_CALLBACK_TRY_REVOKE event with a matching SID pair, class and permissions. Permission vectors match if they have a non-null intersection. Each callback is expected to identify which matching permissions are retained in the state of the object manager. The set of retained permissions returned by each callback is added to out_retained. This function then removes any permissions in perms that were not retained from the allowed vector in any matching entries in the cache. This function updates the latest policy change sequence number to the greater of its current value and the seqno value.

PARAMETERS
avc:
The access vector cache.
ssid:
The source SID.
tsid:
The target SID.
tclass:
The target object security class.
perms:
The permissions.
seqno:
The sequence number for the policy change.
out_retained:
The set of permissions retained.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.

11.4.3 revoke: Revoke previously granted permissions

SYNOPSIS

#include <oskit/flask/avc_ss.h>

OSKIT_COMDECL oskit_avc_ss_revoke(oskit_avc_ss_t *avc, oskit_security_id_t ssid, oskit_security_id_t tsid, oskit_security_class_t tclass, oskit_access_vector_t perms, oskit_u32_t seqno);

DESCRIPTION

The oskit_avc_ss_revoke function revokes previously granted permissions for a SID pair and class, even if they are retained in the state of an object manager. The wildcard SID, OSKIT_SECSID_WILD, may be used for the ssid and tsid parameters to match all SID values. This function removes any permissions in perms from the allowed vector in any matching entries in the cache. It then calls any callbacks registered by an object manager for the OSKIT_AVC_CALLBACK_REVOKE event with a matching SID pair, class and permissions. Permission vectors match if they have a non-null intersection. Each callback is expected to revoke any matching permissions that are retained in the state of the object manager. This function updates the latest policy change sequence number to the greater of its current value and the seqno value.

PARAMETERS
avc:
The access vector cache.
ssid:
The source SID.
tsid:
The target SID.
tclass:
The target object security class.
perms:
The permissions.
seqno:
The sequence number for the policy change.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.
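The following is an added example, not OSKit code, covering add_callback (section 11.3.3) together with grant, try_revoke and revoke: a toy AVC that keeps a callback registry and applies the three policy-change operations to its cached entries. It shows wildcard SID matching on either side, the non-null-intersection rule for permission vectors, the difference between try_revoke (ask the object manager first and leave retained permissions alone) and revoke (strip the cache and make the object manager give them up), and the monotone update of the latest policy change sequence number. The types, constants and the callback signature are constructed stand-ins; the OSKit callback type oskit_avc_callback_t is not reproduced here.

```c
/* Added example: toy AVC callback registry with grant / try_revoke / revoke. */
#include <stddef.h>
#include <stdint.h>

typedef uint32_t secid_t;     /* stand-ins for the oskit_* types */
typedef uint32_t av_t;
typedef uint16_t secclass_t;

#define SECSID_WILD   0xffffffffu   /* stand-in for OSKIT_SECSID_WILD */
#define SECCLASS_FILE 1u            /* constructed class, permission bits and SIDs */
#define FILE__READ    0x1u
#define FILE__WRITE   0x2u
#define FILE__ALL     0x3u
#define SID_EDITOR    10u
#define SID_DOC       20u
#define NSLOTS        4

enum { CB_GRANT = 1, CB_TRY_REVOKE = 2, CB_REVOKE = 4 };   /* stand-ins for OSKIT_AVC_CALLBACK_* */

struct avc_entry { int valid; secid_t ssid, tsid; secclass_t tclass; av_t allowed; };
static struct avc_entry cache[NSLOTS];
static uint32_t latest_change;           /* latest policy change sequence number */

/* Assumed callback shape: the object manager reports retained perms via out_retained. */
typedef int (*avc_callback_t)(uint32_t event, secid_t ssid, secid_t tsid,
                              secclass_t tclass, av_t perms, av_t *out_retained);
struct callback { avc_callback_t fn; uint32_t events; secid_t ssid, tsid; secclass_t tclass; av_t perms; };
static struct callback callbacks[NSLOTS];
static int ncallbacks;

/* A wildcard on either side matches; otherwise the SIDs must be equal. */
static int sid_match(secid_t a, secid_t b) { return a == SECSID_WILD || b == SECSID_WILD || a == b; }

static int avc_add_callback(avc_callback_t fn, uint32_t events, secid_t ssid, secid_t tsid,
                            secclass_t tclass, av_t perms)
{
    struct callback c = { fn, events, ssid, tsid, tclass, perms };
    if (ncallbacks == NSLOTS) return -1;
    callbacks[ncallbacks++] = c;
    return 0;
}

/* Call every callback whose event set, SID pair, class and permissions match;
 * permission vectors match when their intersection is non-empty. */
static void run_callbacks(uint32_t event, secid_t ssid, secid_t tsid, secclass_t tclass,
                          av_t perms, av_t *retained)
{
    int i;
    for (i = 0; i < ncallbacks; i++) {
        const struct callback *c = &callbacks[i];
        av_t r = 0;
        if (!(c->events & event) || !sid_match(c->ssid, ssid) || !sid_match(c->tsid, tsid)
            || c->tclass != tclass || !(c->perms & perms))
            continue;
        c->fn(event, ssid, tsid, tclass, perms, &r);
        if (retained) *retained |= r;
    }
}

static int entry_match(const struct avc_entry *e, secid_t ssid, secid_t tsid, secclass_t tclass)
{ return e->valid && sid_match(e->ssid, ssid) && sid_match(e->tsid, tsid) && e->tclass == tclass; }

static void bump_seqno(uint32_t seqno) { if (seqno > latest_change) latest_change = seqno; }

static int avc_ss_grant(secid_t ssid, secid_t tsid, secclass_t tclass, av_t perms, uint32_t seqno)
{
    int i;
    for (i = 0; i < NSLOTS; i++)
        if (entry_match(&cache[i], ssid, tsid, tclass)) cache[i].allowed |= perms;
    run_callbacks(CB_GRANT, ssid, tsid, tclass, perms, NULL);
    bump_seqno(seqno);
    return 0;
}

/* Ask the object managers first; only permissions nobody retains leave the cache. */
static int avc_ss_try_revoke(secid_t ssid, secid_t tsid, secclass_t tclass, av_t perms,
                             uint32_t seqno, av_t *out_retained)
{
    int i;
    *out_retained = 0;
    run_callbacks(CB_TRY_REVOKE, ssid, tsid, tclass, perms, out_retained);
    for (i = 0; i < NSLOTS; i++)
        if (entry_match(&cache[i], ssid, tsid, tclass)) cache[i].allowed &= ~(perms & ~*out_retained);
    bump_seqno(seqno);
    return 0;
}

/* Unconditional: strip the cache, then make the object managers drop what they hold. */
static int avc_ss_revoke(secid_t ssid, secid_t tsid, secclass_t tclass, av_t perms, uint32_t seqno)
{
    int i;
    for (i = 0; i < NSLOTS; i++)
        if (entry_match(&cache[i], ssid, tsid, tclass)) cache[i].allowed &= ~perms;
    run_callbacks(CB_REVOKE, ssid, tsid, tclass, perms, NULL);
    bump_seqno(seqno);
    return 0;
}

/* Toy file object manager: a descriptor open for writing retains FILE__WRITE. */
static av_t om_retained = FILE__WRITE;
static int om_file_callback(uint32_t event, secid_t ssid, secid_t tsid, secclass_t tclass,
                            av_t perms, av_t *out_retained)
{
    (void)ssid; (void)tsid; (void)tclass;
    if (event == CB_TRY_REVOKE) *out_retained = om_retained & perms;   /* report, but keep */
    else if (event == CB_REVOKE) om_retained &= ~perms;                /* must give them up */
    return 0;
}

/* Constructed starting state: one cached granting and one registered callback. */
static void seed(void)
{
    struct avc_entry e = { 1, SID_EDITOR, SID_DOC, SECCLASS_FILE, FILE__READ | FILE__WRITE };
    cache[0] = e;
    latest_change = 5;
    ncallbacks = 0;
    avc_add_callback(om_file_callback, CB_TRY_REVOKE | CB_REVOKE, SECSID_WILD, SID_DOC, SECCLASS_FILE, FILE__ALL);
}

static av_t cached_allowed(secid_t ssid, secid_t tsid, secclass_t tclass)
{
    int i;
    for (i = 0; i < NSLOTS; i++)
        if (cache[i].valid && cache[i].ssid == ssid && cache[i].tsid == tsid && cache[i].tclass == tclass)
            return cache[i].allowed;
    return 0;
}
```

Note the ordering difference the descriptions prescribe: grant and revoke update the cache before running callbacks, whereas try_revoke runs the callbacks first because it cannot know what to remove until the object managers have reported what they retain. The sequence number only ever moves forward, so a late-arriving change with a smaller seqno cannot lower it.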

11.4.4 reset: Reset the cache and recheck all retained permissions

SYNOPSIS

#include <oskit/flask/avc_ss.h>

OSKIT_COMDECL oskit_avc_ss_reset(oskit_avc_ss_t *avc, oskit_u32_t seqno);

DESCRIPTION

The oskit_avc_ss_reset function flushes the cache and revalidates all permissions retained in the state of the object managers. This function invalidates all entries in the cache. It then calls any callbacks registered by an object manager for the OSKIT_AVC_CALLBACK_RESET event. Each callback is expected to revalidate permissions that are retained in the state of the object manager by calling oskit_avc_has_perm_ref or one of its variants. This function updates the latest policy change sequence number to the greater of its current value and the seqno value.

PARAMETERS
avc:
The access vector cache.
seqno:
The sequence number for the policy change.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.

11.4.5 set_auditallow: Enable or disable the auditing of granted permissions

SYNOPSIS

#include <oskit/flask/avc_ss.h>

OSKIT_COMDECL oskit_avc_ss_set_auditallow(oskit_avc_ss_t *avc, oskit_security_id_t ssid, oskit_security_id_t tsid, oskit_security_class_t tclass, oskit_access_vector_t perms, oskit_u32_t seqno, oskit_bool_t enable);

DESCRIPTION

The oskit_avc_ss_set_auditallow function enables or disables auditing of granted permissions for a SID pair and class. The wildcard SID, OSKIT_SECSID_WILD, may be used for the ssid and tsid parameters to match all SID values. The enable flag should be 1 to enable auditing and 0 to disable auditing. This function adds or removes, depending on the value of enable, the permissions in perms from the auditallow vector in any matching entries in the cache. It then calls any callbacks registered by an object manager for the OSKIT_AVC_CALLBACK_AUDITALLOW_ENABLE or OSKIT_AVC_CALLBACK_AUDITALLOW_DISABLE event with a matching SID pair, class and permissions. Permission vectors match if they have a non-null intersection. This function updates the latest policy change sequence number to the greater of its current value and the seqno value.

PARAMETERS
avc:
The access vector cache.
ssid:
The source SID.
tsid:
The target SID.
tclass:
The target object security class.
perms:
The permissions.
seqno:
The sequence number for the policy change.
enable:
The boolean flag indicating whether to enable or disable.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.

11.4.6 set_auditdeny: Enable or disable the auditing of denied permissions

SYNOPSIS

#include <oskit/flask/avc_ss.h>

OSKIT_COMDECL oskit_avc_ss_set_auditdeny(oskit_avc_ss_t *avc, oskit_security_id_t ssid, oskit_security_id_t tsid, oskit_security_class_t tclass, oskit_access_vector_t perms, oskit_u32_t seqno, oskit_bool_t enable);

DESCRIPTION

The oskit_avc_ss_set_auditdeny function enables or disables auditing of denied permissions for a SID pair and class. It has the same behavior as oskit_avc_ss_set_auditallow, except that it modifies the auditdeny vector and it is associated with the OSKIT_AVC_CALLBACK_AUDITDENY_ENABLE and OSKIT_AVC_CALLBACK_AUDITDENY_DISABLE events.

PARAMETERS
avc:
The access vector cache.
ssid:
The source SID.
tsid:
The target SID.
tclass:
The target object security class.
perms:
The permissions.
seqno:
The sequence number for the policy change.
enable:
The boolean flag indicating whether to enable or disable.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.

11.4.7 set_notify: Enable or disable the notification of used permissions

SYNOPSIS

#include <oskit/flask/avc_ss.h>

OSKIT_COMDECL oskit_avc_ss_set_notify(oskit_avc_ss_t *avc, oskit_security_id_t ssid, oskit_security_id_t tsid, oskit_security_class_t tclass, oskit_access_vector_t perms, oskit_u32_t seqno, oskit_bool_t enable);

DESCRIPTION

The oskit_avc_ss_set_notify function enables or disables notification of completed operations for a SID pair and class. It has the same behavior as oskit_avc_ss_set_auditallow, except that it modifies the notify vector and it is associated with the OSKIT_AVC_CALLBACK_NOTIFY_ENABLE and OSKIT_AVC_CALLBACK_NOTIFY_DISABLE events.

PARAMETERS
avc:
The access vector cache.
ssid:
The source SID.
tsid:
The target SID.
tclass:
The target object security class.
perms:
The permissions.
seqno:
The sequence number for the policy change.
enable:
The boolean flag indicating whether to enable or disable.
RETURNS

Returns 0 on success, or an error code specified in <oskit/error.h>, on error.