/* Author : Joshua Brindle <jbrindle@tresys.com>
 *	    Karl MacMillan <kmacmillan@tresys.com>
 *	    Jason Tang <jtang@tresys.com>
 *	Added support for binary policy modules
 *
 * Copyright (C) 2004 - 2005 Tresys Technology, LLC
 *	This program is free software; you can redistribute it and/or modify
 *	it under the terms of the GNU General Public License as published by
 *	the Free Software Foundation, version 2.
 */

/* module_compiler.h -- scope/declaration bookkeeping used by the
 * checkpolicy parser while it builds a kernel policy or a policy module.
 *
 * NOTE(review): this header uses uint32_t and the policydb datum types
 * (role_datum_t, type_datum_t, user_datum_t, cond_list_t, avrule_t and the
 * *_rule_t types) but only includes hashtab.h, so it is not self-contained;
 * includers are expected to have pulled in <sepol/policydb/policydb.h>
 * beforehand -- confirm against the .c files that include this header. */

#ifndef MODULE_COMPILER_H
#define MODULE_COMPILER_H

#include <sepol/policydb/hashtab.h>

/* Called when checkpolicy begins to parse a policy -- either at the
 * very beginning for a kernel/base policy, or after the module header
 * for policy modules.  Initialize the memory structures within.
 *
 * pass                 parser pass number (the parser runs twice; the
 *                      REQUIRE/optional helpers below are pass-sensitive)
 * module_header_given  non-zero when a module header preceded the policy
 *
 * Return 0 on success, -1 on error. */
int define_policy(int pass, int module_header_given);

/* Declare a symbol declaration to the current avrule_decl.  Check
 * that insertion is allowed here and that the symbol does not already
 * exist.
 *
 * symbol_type  one of the SYM_* symbol-table indices
 * key/datum    the identifier and its datum being declared
 * dest_value   out: value assigned to the symbol
 * datum_value  out: value recorded in the datum
 *
 * Returns 0 on success, 1 if the symbol was already there (caller
 * needs to free() the datum -- on 0 the table presumably owns it),
 * -1 if declarations are not allowed here, -2 for duplicate
 * declarations, -3 for all other errors. */
int declare_symbol(uint32_t symbol_type,
		   hashtab_key_t key, hashtab_datum_t datum,
		   uint32_t * dest_value, uint32_t * datum_value);

/* Declare a new role, type or user within the current avrule_decl.
 * isattr selects an attribute rather than a plain role/type; primary
 * marks a primary type.  Presumably these return NULL on failure and
 * take the identifier from the parser's id_queue -- confirm in
 * module_compiler.c. */
role_datum_t *declare_role(unsigned char isattr);
type_datum_t *declare_type(unsigned char primary, unsigned char isattr);
user_datum_t *declare_user(void);

/* Obtain the type/role datum for id (with the given value) local to the
 * current declaration; isattr selects the attribute form.  The exact
 * lookup/creation semantics are not visible here -- confirm before
 * relying on the return value being non-NULL. */
type_datum_t *get_local_type(char *id, uint32_t value, unsigned char isattr);
role_datum_t *get_local_role(char *id, uint32_t value, unsigned char isattr);

/* Add a symbol to the current avrule_block's require section.  Note
 * that a module may not both declare and require the same symbol.
 * Parameters mirror declare_symbol().
 * Returns 0 on success, -1 on error. */
int require_symbol(uint32_t symbol_type,
		   hashtab_key_t key, hashtab_datum_t datum,
		   uint32_t * dest_value, uint32_t * datum_value);

/* Enable a permission for a class within the current avrule_decl.
 * Return 0 on success, -1 if out of memory. */
int add_perm_to_class(uint32_t perm_value, uint32_t class_value);

/* Functions called from REQUIRE blocks.  Add the first symbol on the
 * id_queue to this avrule_decl's scope if not already there.
 * c.f. require_symbol().  pass is the parser pass number. */
int require_class(int pass);
int require_role(int pass);
int require_type(int pass);
int require_attribute(int pass);
int require_attribute_role(int pass);
int require_user(int pass);
int require_bool(int pass);
int require_tunable(int pass);
int require_sens(int pass);
int require_cat(int pass);

/* Check if an identifier is within the scope of the current
 * declaration or any of its parents.  Return 1 if it is, 0 if not.
 * If the identifier is not known at all then return 1 (truth) -- so a
 * positive result does not prove the identifier exists; callers that
 * need existence must check the symbol table separately. */
int is_id_in_scope(uint32_t symbol_type, const_hashtab_key_t id);

/* Check if a particular permission is within the scope of the current
 * declaration or any of its parents.  Return 1 if it is, 0 if not.
 * If the identifier is not known at all then return 1 (truth); the
 * same caveat as is_id_in_scope() applies. */
int is_perm_in_scope(const_hashtab_key_t perm_id, const_hashtab_key_t class_id);

/* Search the current avrules block for a conditional with the same
 * expression as 'cond'.  If the conditional does not exist then
 * create one.  Either way, return the conditional. */
cond_list_t *get_current_cond_list(cond_list_t * cond);

/* Append a rule to the current avrule_block.  The block takes over the
 * appended node; callers should not free it afterwards (presumably --
 * confirm ownership in module_compiler.c). */
void append_cond_list(cond_list_t * cond);
void append_avrule(avrule_t * avrule);
void append_role_trans(role_trans_rule_t * role_tr_rules);
void append_role_allow(role_allow_rule_t * role_allow_rules);
void append_range_trans(range_trans_rule_t * range_tr_rules);
void append_filename_trans(filename_trans_rule_t * filename_trans_rules);

/* Create a new optional block and add it to the global policy.
 * During the second pass resolve the block's requirements.  Return 0
 * on success, -1 on error.
 */
int begin_optional(int pass);
int end_optional(int pass);

/* ELSE blocks are similar to normal blocks with the following two
 * limitations:
 *   - no declarations are allowed within else branches
 *   - no REQUIRES are allowed; the else branch inherits the parent's
 *     requirements
 */
int begin_optional_else(int pass);

/* Called whenever exiting an avrule block.  Check that the block had
 * a non-empty REQUIRE section.  If so, pop the block off of the scope
 * stack and return 0.  If not, then send an error to yyerror and
 * return -1. */
int end_avrule_block(int pass);

#endif