man-pages/man3/avc_has_perm.3.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of avc_has_perm</TITLE>
</HEAD><BODY>
<H1>avc_has_perm</H1>
Section: SELinux API documentation (3)<BR>Updated: 27 May 2004<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>

<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>

avc_has_perm, avc_has_perm_noaudit, avc_audit, avc_entry_ref_init - obtain and audit SELinux access decisions
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>

<B>#include &lt;<A HREF="file:///usr/include/selinux/selinux.h">selinux/selinux.h</A>&gt;</B>

<BR>

<B>#include &lt;<A HREF="file:///usr/include/selinux/avc.h">selinux/avc.h</A>&gt;</B>

<P>
<B>void avc_entry_ref_init(struct avc_entry_ref *</B><I>aeref</I><B>);</B>

<P>
<B>int avc_has_perm(security_id_t </B><I>ssid</I><B>, security_id_t </B><I>tsid</I><B>,</B>


<B>security_class_t </B><I>tclass</I><B>, access_vector_t </B><I>requested</I><B>,</B>

<BR>

<B>struct avc_entry_ref *</B><I>aeref</I><B>, void *</B><I>auditdata</I><B>);</B>


<P>
<B>int avc_has_perm_noaudit(security_id_t </B><I>ssid</I><B>, security_id_t </B><I>tsid</I><B>,</B>


<B>security_class_t </B><I>tclass</I><B>, access_vector_t </B><I>requested</I><B>,</B>

<BR>

<B>struct avc_entry_ref *</B><I>aeref</I><B>, struct av_decision *</B><I>avd</I><B>);</B>


<P>
<B>void avc_audit(security_id_t </B><I>ssid</I><B>, security_id_t </B><I>tsid</I><B>,</B>


<B>security_class_t </B><I>tclass</I><B>, access_vector_t </B><I>requested</I><B>,</B>

<BR>

<B>struct av_decision *</B><I>avd</I><B>, int </B><I>result</I><B>, void *</B><I>auditdata</I><B>);</B>


<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>

<B>avc_entry_ref_init</B>()

initializes an
<B>avc_entry_ref</B>

structure; see
<B>ENTRY REFERENCES</B>

below.  This function may be implemented as a macro.
<P>
<B>avc_has_perm</B>()

checks whether the 
<I>requested</I>

permissions are granted
for subject SID
<I>ssid</I>

and target SID
<I>tsid</I>,

interpreting the permissions
based on
<I>tclass</I>

and updating
<I>aeref</I>,

if non-NULL, to refer to a cache entry with the resulting decision.  The granting or denial of permissions is audited in accordance with the policy.  The
<I>auditdata</I>

parameter is for supplemental auditing; see
<B>avc_audit</B>()

below.
<P>
<B>avc_has_perm_noaudit</B>()

behaves as
<B>avc_has_perm</B>()

without producing an audit message.  The access decision is returned in
<I>avd</I>

and can be passed to
<B>avc_audit</B>()

explicitly.
<P>
<B>avc_audit</B>()

produces an audit message for the access query represented by
<I>ssid</I>,

<I>tsid</I>,

<I>tclass</I>,

and
<I>requested</I>,

with a decision represented by
<I>avd</I>.

Pass the value returned by
<B>avc_has_perm_noaudit</B>()

as
<I>result</I>.

The
<I>auditdata</I>

parameter is passed to the user-supplied
<B>func_audit</B>

callback and can be used to add supplemental information to the audit message; see
<B><A HREF="/cgi-bin/man/man2html?3+avc_init">avc_init</A></B>(3).

<A NAME="lbAE">&nbsp;</A>
<H2>ENTRY REFERENCES</H2>

Entry references can be used to speed cache performance for repeated queries on the same subject and target.  The userspace AVC will check the
<I>aeref</I>

argument, if supplied, before searching the cache on a permission query.  After a query is performed,
<I>aeref</I>

will be updated to reference the cache entry for that query.  A subsequent query on the same subject and target will then have the decision at hand without having to walk the cache.
<P>
After declaring an
<B>avc_entry_ref</B>

structure, use
<B>avc_entry_ref_init</B>()

to initialize it before passing it to
<B>avc_has_perm</B>()

or
<B>avc_has_perm_noaudit</B>()

for the first time.
Using an uninitialized structure will produce undefined behavior.
<A NAME="lbAF">&nbsp;</A>
<H2>RETURN VALUE</H2>

If requested permissions are granted, zero is returned.  If requested permissions are denied or an error occurred, -1 is returned and
<I>errno</I>

is set appropriately.
<P>
In permissive mode, zero will be returned and
<I>errno</I>

unchanged even if permissions were denied.
<B>avc_has_perm</B>()

will still produce an audit message in this case.
<A NAME="lbAG">&nbsp;</A>
<H2>ERRORS</H2>

<DL COMPACT>
<DT id="1"><B>EACCES</B>

<DD>
A requested permission was denied.
<DT id="2"><B>EINVAL</B>

<DD>
The
<I>tclass</I>

and/or the security contexts referenced by
<I>ssid</I>

and
<I>tsid</I>

are not recognized by the currently loaded policy.
<DT id="3"><B>ENOMEM</B>

<DD>
An attempt to allocate memory failed.
</DL>
<A NAME="lbAH">&nbsp;</A>
<H2>NOTES</H2>

Internal errors encountered by the userspace AVC may cause certain values of
<I>errno</I>

to be returned unexpectedly.  For example, netlink socket errors may produce
<B>EACCES</B>

or
<B>EINVAL</B>.

Make sure that userspace object managers are granted appropriate access to
netlink by the policy.
<A NAME="lbAI">&nbsp;</A>
<H2>AUTHOR</H2>

Eamon Walsh &lt;<A HREF="mailto:ewalsh@tycho.nsa.gov">ewalsh@tycho.nsa.gov</A>&gt;
<A NAME="lbAJ">&nbsp;</A>
<H2>SEE ALSO</H2>



<B><A HREF="/cgi-bin/man/man2html?3+avc_init">avc_init</A></B>(3),

<B><A HREF="/cgi-bin/man/man2html?3+avc_context_to_sid">avc_context_to_sid</A></B>(3),

<B><A HREF="/cgi-bin/man/man2html?3+avc_cache_stats">avc_cache_stats</A></B>(3),

<B><A HREF="/cgi-bin/man/man2html?3+avc_add_callback">avc_add_callback</A></B>(3),

<B><A HREF="/cgi-bin/man/man2html?3+security_compute_av">security_compute_av</A></B>(3),

<B><A HREF="/cgi-bin/man/man2html?8+selinux">selinux</A></B>(8)

<P>

<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="4"><A HREF="#lbAB">NAME</A><DD>
<DT id="5"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="6"><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT id="7"><A HREF="#lbAE">ENTRY REFERENCES</A><DD>
<DT id="8"><A HREF="#lbAF">RETURN VALUE</A><DD>
<DT id="9"><A HREF="#lbAG">ERRORS</A><DD>
<DT id="10"><A HREF="#lbAH">NOTES</A><DD>
<DT id="11"><A HREF="#lbAI">AUTHOR</A><DD>
<DT id="12"><A HREF="#lbAJ">SEE ALSO</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:05:36 GMT, March 31, 2021
</BODY>
</HTML>