18c2ecf20Sopenharmony_ci/* SPDX-License-Identifier: GPL-2.0 */
28c2ecf20Sopenharmony_ci/*
38c2ecf20Sopenharmony_ci * A constraint is a condition that must be satisfied in
48c2ecf20Sopenharmony_ci * order for one or more permissions to be granted.
58c2ecf20Sopenharmony_ci * Constraints are used to impose additional restrictions
68c2ecf20Sopenharmony_ci * beyond the type-based rules in `te' or the role-based
78c2ecf20Sopenharmony_ci * transition rules in `rbac'.  Constraints are typically
88c2ecf20Sopenharmony_ci * used to prevent a process from transitioning to a new user
98c2ecf20Sopenharmony_ci * identity or role unless it is in a privileged type.
108c2ecf20Sopenharmony_ci * Constraints are likewise typically used to prevent a
118c2ecf20Sopenharmony_ci * process from labeling an object with a different user
128c2ecf20Sopenharmony_ci * identity.
138c2ecf20Sopenharmony_ci *
148c2ecf20Sopenharmony_ci * Author : Stephen Smalley, <sds@tycho.nsa.gov>
158c2ecf20Sopenharmony_ci */
168c2ecf20Sopenharmony_ci#ifndef _SS_CONSTRAINT_H_
178c2ecf20Sopenharmony_ci#define _SS_CONSTRAINT_H_
188c2ecf20Sopenharmony_ci
198c2ecf20Sopenharmony_ci#include "ebitmap.h"
208c2ecf20Sopenharmony_ci
218c2ecf20Sopenharmony_ci#define CEXPR_MAXDEPTH 5
228c2ecf20Sopenharmony_ci
238c2ecf20Sopenharmony_cistruct constraint_expr {
248c2ecf20Sopenharmony_ci#define CEXPR_NOT		1 /* not expr */
258c2ecf20Sopenharmony_ci#define CEXPR_AND		2 /* expr and expr */
268c2ecf20Sopenharmony_ci#define CEXPR_OR		3 /* expr or expr */
278c2ecf20Sopenharmony_ci#define CEXPR_ATTR		4 /* attr op attr */
288c2ecf20Sopenharmony_ci#define CEXPR_NAMES		5 /* attr op names */
298c2ecf20Sopenharmony_ci	u32 expr_type;		/* expression type */
308c2ecf20Sopenharmony_ci
318c2ecf20Sopenharmony_ci#define CEXPR_USER 1		/* user */
328c2ecf20Sopenharmony_ci#define CEXPR_ROLE 2		/* role */
338c2ecf20Sopenharmony_ci#define CEXPR_TYPE 4		/* type */
348c2ecf20Sopenharmony_ci#define CEXPR_TARGET 8		/* target if set, source otherwise */
358c2ecf20Sopenharmony_ci#define CEXPR_XTARGET 16	/* special 3rd target for validatetrans rule */
368c2ecf20Sopenharmony_ci#define CEXPR_L1L2 32		/* low level 1 vs. low level 2 */
378c2ecf20Sopenharmony_ci#define CEXPR_L1H2 64		/* low level 1 vs. high level 2 */
388c2ecf20Sopenharmony_ci#define CEXPR_H1L2 128		/* high level 1 vs. low level 2 */
398c2ecf20Sopenharmony_ci#define CEXPR_H1H2 256		/* high level 1 vs. high level 2 */
408c2ecf20Sopenharmony_ci#define CEXPR_L1H1 512		/* low level 1 vs. high level 1 */
418c2ecf20Sopenharmony_ci#define CEXPR_L2H2 1024		/* low level 2 vs. high level 2 */
428c2ecf20Sopenharmony_ci	u32 attr;		/* attribute */
438c2ecf20Sopenharmony_ci
448c2ecf20Sopenharmony_ci#define CEXPR_EQ     1		/* == or eq */
458c2ecf20Sopenharmony_ci#define CEXPR_NEQ    2		/* != */
468c2ecf20Sopenharmony_ci#define CEXPR_DOM    3		/* dom */
478c2ecf20Sopenharmony_ci#define CEXPR_DOMBY  4		/* domby  */
488c2ecf20Sopenharmony_ci#define CEXPR_INCOMP 5		/* incomp */
498c2ecf20Sopenharmony_ci	u32 op;			/* operator */
508c2ecf20Sopenharmony_ci
518c2ecf20Sopenharmony_ci	struct ebitmap names;	/* names */
528c2ecf20Sopenharmony_ci	struct type_set *type_names;
538c2ecf20Sopenharmony_ci
548c2ecf20Sopenharmony_ci	struct constraint_expr *next;   /* next expression */
558c2ecf20Sopenharmony_ci};
568c2ecf20Sopenharmony_ci
578c2ecf20Sopenharmony_cistruct constraint_node {
588c2ecf20Sopenharmony_ci	u32 permissions;	/* constrained permissions */
598c2ecf20Sopenharmony_ci	struct constraint_expr *expr;	/* constraint on permissions */
608c2ecf20Sopenharmony_ci	struct constraint_node *next;	/* next constraint */
618c2ecf20Sopenharmony_ci};
628c2ecf20Sopenharmony_ci
638c2ecf20Sopenharmony_ci#endif	/* _SS_CONSTRAINT_H_ */
64