/*
 * Copyright 2011 Tresys Technology, LLC. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * 1. Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY TRESYS TECHNOLOGY, LLC ``AS IS'' AND ANY EXPRESS
 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
 * EVENT SHALL TRESYS TECHNOLOGY, LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * The views and conclusions contained in the software and documentation are those
 * of the authors and should not be interpreted as representing official policies,
 * either expressed or implied, of Tresys Technology, LLC.
 */

/*
 * Internal declarations shared by the CIL policy compiler sources: the
 * keyword table, symbol-table indices, the in-memory representation of
 * every CIL statement, and the constructor/destructor/helper prototypes.
 * Nothing here is part of the public libsepol API (that lives in
 * <cil/cil.h>), so the layout of these structs may change between releases.
 */

#ifndef CIL_INTERNAL_H_
#define CIL_INTERNAL_H_

#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <arpa/inet.h>

#include <sepol/policydb/services.h>
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/flask_types.h>

#include <cil/cil.h>

#include "cil_flavor.h"
#include "cil_tree.h"
#include "cil_symtab.h"
#include "cil_mem.h"

/* Upper bound on the length of an identifier accepted by the compiler. */
#define CIL_MAX_NAME_LENGTH 2048

/*
 * Thresholds used to detect degenerate (exponentially growing) block
 * inheritance chains: MINIMUM is 2^DEPTH (1024). How DEPTH and GROWTH are
 * combined is decided by the implementation, not visible here.
 */
#define CIL_DEGENERATE_INHERITANCE_DEPTH 10UL
#define CIL_DEGENERATE_INHERITANCE_MINIMUM (0x01 << CIL_DEGENERATE_INHERITANCE_DEPTH)
#define CIL_DEGENERATE_INHERITANCE_GROWTH 10UL

/*
 * Named compilation passes. CIL_PASS_NUM is one past the last pass and
 * therefore doubles as the pass count; the enumeration order is presumably
 * also the execution order (confirm in the resolver).
 */
enum cil_pass {
	CIL_PASS_INIT = 0,

	CIL_PASS_TIF,
	CIL_PASS_IN_BEFORE,
	CIL_PASS_BLKIN_LINK,
	CIL_PASS_BLKIN_COPY,
	CIL_PASS_BLKABS,
	CIL_PASS_IN_AFTER,
	CIL_PASS_CALL1,
	CIL_PASS_CALL2,
	CIL_PASS_ALIAS1,
	CIL_PASS_ALIAS2,
	CIL_PASS_MISC1,
	CIL_PASS_MLS,
	CIL_PASS_MISC2,
	CIL_PASS_MISC3,

	CIL_PASS_NUM
};


/*
	Keywords

	The canonical spelling of every CIL keyword and reserved name. The
	strings are defined in a .c file (these are only extern declarations);
	they are exported as non-const pointers, so callers must treat them as
	read-only by convention.
*/
extern char *CIL_KEY_CONS_T1;
extern char *CIL_KEY_CONS_T2;
extern char *CIL_KEY_CONS_T3;
extern char *CIL_KEY_CONS_R1;
extern char *CIL_KEY_CONS_R2;
extern char *CIL_KEY_CONS_R3;
extern char *CIL_KEY_CONS_U1;
extern char *CIL_KEY_CONS_U2;
extern char *CIL_KEY_CONS_U3;
extern char *CIL_KEY_CONS_L1;
extern char *CIL_KEY_CONS_L2;
extern char *CIL_KEY_CONS_H1;
extern char *CIL_KEY_CONS_H2;
extern char *CIL_KEY_AND;
extern char *CIL_KEY_OR;
extern char *CIL_KEY_NOT;
extern char *CIL_KEY_EQ;
extern char *CIL_KEY_NEQ;
extern char *CIL_KEY_CONS_DOM;
extern char *CIL_KEY_CONS_DOMBY;
extern char *CIL_KEY_CONS_INCOMP;
extern char *CIL_KEY_CONDTRUE;
extern char *CIL_KEY_CONDFALSE;
extern char *CIL_KEY_SELF;
extern char *CIL_KEY_OBJECT_R;
extern char *CIL_KEY_STAR;
extern char *CIL_KEY_TCP;
extern char *CIL_KEY_UDP;
extern char *CIL_KEY_DCCP;
extern char *CIL_KEY_SCTP;
extern char *CIL_KEY_AUDITALLOW;
extern char *CIL_KEY_TUNABLEIF;
extern char *CIL_KEY_ALLOW;
extern char *CIL_KEY_DONTAUDIT;
extern char *CIL_KEY_TYPETRANSITION;
extern char *CIL_KEY_TYPECHANGE;
extern char *CIL_KEY_CALL;
extern char *CIL_KEY_TUNABLE;
extern char *CIL_KEY_XOR;
extern char *CIL_KEY_ALL;
extern char *CIL_KEY_RANGE;
extern char *CIL_KEY_GLOB;
extern char *CIL_KEY_FILE;
extern char *CIL_KEY_DIR;
extern char *CIL_KEY_CHAR;
extern char *CIL_KEY_BLOCK;
extern char *CIL_KEY_SOCKET;
extern char *CIL_KEY_PIPE;
extern char *CIL_KEY_SYMLINK;
extern char *CIL_KEY_ANY;
extern char *CIL_KEY_XATTR;
extern char *CIL_KEY_TASK;
extern char *CIL_KEY_TRANS;
extern char *CIL_KEY_TYPE;
extern char *CIL_KEY_ROLE;
extern char *CIL_KEY_USER;
extern char *CIL_KEY_USERATTRIBUTE;
extern char *CIL_KEY_USERATTRIBUTESET;
extern char *CIL_KEY_SENSITIVITY;
extern char *CIL_KEY_CATEGORY;
extern char *CIL_KEY_CATSET;
extern char *CIL_KEY_LEVEL;
extern char *CIL_KEY_LEVELRANGE;
extern char *CIL_KEY_CLASS;
extern char *CIL_KEY_IPADDR;
extern char *CIL_KEY_MAP_CLASS;
extern char *CIL_KEY_CLASSPERMISSION;
extern char *CIL_KEY_BOOL;
extern char *CIL_KEY_STRING;
extern char *CIL_KEY_NAME;
extern char *CIL_KEY_SOURCE;
extern char *CIL_KEY_TARGET;
extern char *CIL_KEY_LOW;
extern char *CIL_KEY_HIGH;
extern char *CIL_KEY_LOW_HIGH;
extern char *CIL_KEY_GLBLUB;
extern char *CIL_KEY_HANDLEUNKNOWN;
extern char *CIL_KEY_HANDLEUNKNOWN_ALLOW;
extern char *CIL_KEY_HANDLEUNKNOWN_DENY;
extern char *CIL_KEY_HANDLEUNKNOWN_REJECT;
extern char *CIL_KEY_MACRO;
extern char *CIL_KEY_IN;
extern char *CIL_KEY_IN_BEFORE;
extern char *CIL_KEY_IN_AFTER;
extern char *CIL_KEY_MLS;
extern char *CIL_KEY_DEFAULTRANGE;
extern char *CIL_KEY_BLOCKINHERIT;
extern char *CIL_KEY_BLOCKABSTRACT;
extern char *CIL_KEY_CLASSORDER;
extern char *CIL_KEY_CLASSMAPPING;
extern char *CIL_KEY_CLASSPERMISSIONSET;
extern char *CIL_KEY_COMMON;
extern char *CIL_KEY_CLASSCOMMON;
extern char *CIL_KEY_SID;
extern char *CIL_KEY_SIDCONTEXT;
extern char *CIL_KEY_SIDORDER;
extern char *CIL_KEY_USERLEVEL;
extern char *CIL_KEY_USERRANGE;
extern char *CIL_KEY_USERBOUNDS;
extern char *CIL_KEY_USERPREFIX;
extern char *CIL_KEY_SELINUXUSER;
extern char *CIL_KEY_SELINUXUSERDEFAULT;
extern char *CIL_KEY_TYPEATTRIBUTE;
extern char *CIL_KEY_TYPEATTRIBUTESET;
extern char *CIL_KEY_EXPANDTYPEATTRIBUTE;
extern char *CIL_KEY_TYPEALIAS;
extern char *CIL_KEY_TYPEALIASACTUAL;
extern char *CIL_KEY_TYPEBOUNDS;
extern char *CIL_KEY_TYPEPERMISSIVE;
extern char *CIL_KEY_RANGETRANSITION;
extern char *CIL_KEY_USERROLE;
extern char *CIL_KEY_ROLETYPE;
extern char *CIL_KEY_ROLETRANSITION;
extern char *CIL_KEY_ROLEALLOW;
extern char *CIL_KEY_ROLEATTRIBUTE;
extern char *CIL_KEY_ROLEATTRIBUTESET;
extern char *CIL_KEY_ROLEBOUNDS;
extern char *CIL_KEY_BOOLEANIF;
extern char *CIL_KEY_NEVERALLOW;
extern char *CIL_KEY_TYPEMEMBER;
extern char *CIL_KEY_SENSALIAS;
extern char *CIL_KEY_SENSALIASACTUAL;
extern char *CIL_KEY_CATALIAS;
extern char *CIL_KEY_CATALIASACTUAL;
extern char *CIL_KEY_CATORDER;
extern char *CIL_KEY_SENSITIVITYORDER;
extern char *CIL_KEY_SENSCAT;
extern char *CIL_KEY_CONSTRAIN;
extern char *CIL_KEY_MLSCONSTRAIN;
extern char *CIL_KEY_VALIDATETRANS;
extern char *CIL_KEY_MLSVALIDATETRANS;
extern char *CIL_KEY_CONTEXT;
extern char *CIL_KEY_FILECON;
extern char *CIL_KEY_IBPKEYCON;
extern char *CIL_KEY_IBENDPORTCON;
extern char *CIL_KEY_PORTCON;
extern char *CIL_KEY_NODECON;
extern char *CIL_KEY_GENFSCON;
extern char *CIL_KEY_NETIFCON;
extern char *CIL_KEY_PIRQCON;
extern char *CIL_KEY_IOMEMCON;
extern char *CIL_KEY_IOPORTCON;
extern char *CIL_KEY_PCIDEVICECON;
extern char *CIL_KEY_DEVICETREECON;
extern char *CIL_KEY_FSUSE;
extern char *CIL_KEY_POLICYCAP;
extern char *CIL_KEY_OPTIONAL;
extern char *CIL_KEY_DEFAULTUSER;
extern char *CIL_KEY_DEFAULTROLE;
extern char *CIL_KEY_DEFAULTTYPE;
extern char *CIL_KEY_ROOT;
extern char *CIL_KEY_NODE;
extern char *CIL_KEY_PERM;
extern char *CIL_KEY_ALLOWX;
extern char *CIL_KEY_AUDITALLOWX;
extern char *CIL_KEY_DONTAUDITX;
extern char *CIL_KEY_NEVERALLOWX;
extern char *CIL_KEY_PERMISSIONX;
extern char *CIL_KEY_IOCTL;
extern char *CIL_KEY_UNORDERED;
extern char *CIL_KEY_SRC_INFO;
extern char *CIL_KEY_SRC_CIL;
extern char *CIL_KEY_SRC_HLL_LMS;
extern char *CIL_KEY_SRC_HLL_LMX;
extern char *CIL_KEY_SRC_HLL_LME;

/*
	Symbol Table Array Indices

	Index of each namespace within a scope's symtab[CIL_SYM_NUM] array
	(see struct cil_root, cil_block, cil_in, cil_macro, cil_condblock).
	CIL_SYM_NUM is the array size; CIL_SYM_UNKNOWN and CIL_SYM_PERMS are
	numerically larger than it and must never be used to index such an
	array (that would be an out-of-bounds access).
*/
enum cil_sym_index {
	CIL_SYM_BLOCKS = 0,
	CIL_SYM_USERS,
	CIL_SYM_ROLES,
	CIL_SYM_TYPES,
	CIL_SYM_COMMONS,
	CIL_SYM_CLASSES,
	CIL_SYM_CLASSPERMSETS,
	CIL_SYM_BOOLS,
	CIL_SYM_TUNABLES,
	CIL_SYM_SENS,
	CIL_SYM_CATS,
	CIL_SYM_SIDS,
	CIL_SYM_CONTEXTS,
	CIL_SYM_LEVELS,
	CIL_SYM_LEVELRANGES,
	CIL_SYM_POLICYCAPS,
	CIL_SYM_IPADDRS,
	CIL_SYM_NAMES,
	CIL_SYM_PERMX,
	CIL_SYM_NUM,
	CIL_SYM_UNKNOWN,
	CIL_SYM_PERMS // Special case for permissions. This symtab is not included in arrays
};

/*
 * Kinds of scope that own a symtab array; first index into cil_sym_sizes,
 * which gives the initial size of each namespace's table for that scope.
 */
enum cil_sym_array {
	CIL_SYM_ARRAY_ROOT = 0,
	CIL_SYM_ARRAY_BLOCK,
	CIL_SYM_ARRAY_IN,
	CIL_SYM_ARRAY_MACRO,
	CIL_SYM_ARRAY_CONDBLOCK,
	CIL_SYM_ARRAY_NUM
};

extern const int cil_sym_sizes[CIL_SYM_ARRAY_NUM][CIL_SYM_NUM];

/* Initial size of a class's permission symtab (struct cil_class::perms). */
#define CIL_CLASS_SYM_SIZE 256
/* Bit width of a sepol access vector, i.e. the most permission bits one class can carry. */
#define CIL_PERMS_PER_CLASS (sizeof(sepol_access_vector_t) * 8)

/*
 * Top-level compiler state: the parse tree and AST, the explicit orderings,
 * the sorted context tables that become the policy's ocontexts, per-kind
 * counts, value->datum lookup tables, and the build options.
 */
struct cil_db {
	struct cil_tree *parse;
	struct cil_tree *ast;
	struct cil_type *selftype;
	struct cil_list *sidorder;
	struct cil_list *classorder;
	struct cil_list *catorder;
	struct cil_list *sensitivityorder;
	struct cil_sort *netifcon;
	struct cil_sort *genfscon;
	struct cil_sort *filecon;
	struct cil_sort *nodecon;
	struct cil_sort *ibpkeycon;
	struct cil_sort *ibendportcon;
	struct cil_sort *portcon;
	struct cil_sort *pirqcon;
	struct cil_sort *iomemcon;
	struct cil_sort *ioportcon;
	struct cil_sort *pcidevicecon;
	struct cil_sort *devicetreecon;
	struct cil_sort *fsuse;
	struct cil_list *userprefixes;
	struct cil_list *selinuxusers;
	struct cil_list *names;
	int num_types_and_attrs;
	int num_classes;
	int num_cats;
	int num_types;
	int num_roles;
	int num_users;
	/* Indexed by the datum's assigned value; sized from the counts above (presumably). */
	struct cil_type **val_to_type;
	struct cil_role **val_to_role;
	struct cil_user **val_to_user;
	/* Build options; set by the caller through the public API before compiling. */
	int disable_dontaudit;
	int disable_neverallow;
	int attrs_expand_generated;
	unsigned attrs_expand_size;
	int preserve_tunables;
	int handle_unknown;
	int mls;
	int multiple_decls;
	int qualified_names;
	int target_platform;
	int policy_version;
};

/* The global scope: one symtab per namespace. */
struct cil_root {
	symtab_t symtab[CIL_SYM_NUM];
};

/*
 * Flat array of `count` items of one flavor, used for the sorted context
 * tables in struct cil_db. `index` is presumably the next free slot while
 * the array is being filled — confirm against cil_sort_init and its users.
 */
struct cil_sort {
	enum cil_flavor flavor;
	uint32_t count;
	uint32_t index;
	void **array;
};

/*
 * Convention used throughout the statement structs below: a `*_str` member
 * holds the identifier as written in the source, and the pointer member of
 * the same stem is filled in once that name has been resolved to a datum.
 * A NULL datum pointer therefore means "not (yet) resolved".
 */

struct cil_block {
	struct cil_symtab_datum datum;
	symtab_t symtab[CIL_SYM_NUM];
	uint16_t is_abstract;
	struct cil_list *bi_nodes;
};

struct cil_blockinherit {
	char *block_str;
	struct cil_block *block;
};

struct cil_blockabstract {
	char *block_str;
};

struct cil_in {
	symtab_t symtab[CIL_SYM_NUM];
	int is_after;
	char *block_str;
};

struct cil_optional {
	struct cil_symtab_datum datum;
};

struct cil_perm {
	struct cil_symtab_datum datum;
	unsigned int value;
	struct cil_list *classperms; /* Only used for map perms */
};

struct cil_class {
	struct cil_symtab_datum datum;
	symtab_t perms;
	unsigned int num_perms;
	struct cil_class *common; /* Only used for kernel class */
	uint32_t ordered; /* Only used for kernel class */
};

struct cil_classorder {
	struct cil_list *class_list_str;
};

struct cil_classperms_set {
	char *set_str;
	struct cil_classpermission *set;
};

struct cil_classperms {
	char *class_str;
	struct cil_class *class;
	struct cil_list *perm_strs;
	struct cil_list *perms;
};

struct cil_classpermission {
	struct cil_symtab_datum datum;
	struct cil_list *classperms;
};

struct cil_classpermissionset {
	char *set_str;
	struct cil_list *classperms;
};

struct cil_classmapping {
	char *map_class_str;
	char *map_perm_str;
	struct cil_list *classperms;
};

struct cil_classcommon {
	char *class_str;
	char *common_str;
};

/* Alias of any aliasable flavor; `actual` points at the datum it stands for. */
struct cil_alias {
	struct cil_symtab_datum datum;
	void *actual;
};

struct cil_aliasactual {
	char *alias_str;
	char *actual_str;
};

struct cil_sid {
	struct cil_symtab_datum datum;
	struct cil_context *context;
	uint32_t ordered;
};

struct cil_sidcontext {
	char *sid_str;
	char *context_str;
	struct cil_context *context;
};

struct cil_sidorder {
	struct cil_list *sid_list_str;
};

struct cil_user {
	struct cil_symtab_datum datum;
	struct cil_user *bounds;
	ebitmap_t *roles;
	struct cil_level *dftlevel;
	struct cil_levelrange *range;
	int value;
};

struct cil_userattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *users;
};

struct cil_userattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_userrole {
	char *user_str;
	void *user;
	char *role_str;
	void *role;
};

struct cil_userlevel {
	char *user_str;
	char *level_str;
	struct cil_level *level;
};

struct cil_userrange {
	char *user_str;
	char *range_str;
	struct cil_levelrange *range;
};

struct cil_userprefix {
	char *user_str;
	struct cil_user *user;
	char *prefix_str;
};

struct cil_selinuxuser {
	char *name_str;
	char *user_str;
	struct cil_user *user;
	char *range_str;
	struct cil_levelrange *range;
};

struct cil_role {
	struct cil_symtab_datum datum;
	struct cil_role *bounds;
	ebitmap_t *types;
	int value;
};

struct cil_roleattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *roles;
};

struct cil_roleattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_roletype {
	char *role_str;
	void *role; /* role or attribute */
	char *type_str;
	void *type; /* type, alias, or attribute */
};

struct cil_type {
	struct cil_symtab_datum datum;
	struct cil_type *bounds;
	int value;
};

/* Bit flags recording where a type attribute is referenced (cil_typeattribute::used). */
#define CIL_ATTR_AVRULE (1 << 0)
#define CIL_ATTR_NEVERALLOW (1 << 1)
#define CIL_ATTR_CONSTRAINT (1 << 2)
#define CIL_ATTR_EXPAND_TRUE (1 << 3)
#define CIL_ATTR_EXPAND_FALSE (1 << 4)
struct cil_typeattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *types;
	int used; // whether or not this attribute was used in a binary policy rule
	int keep;
};

struct cil_typeattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_expandtypeattribute {
	struct cil_list *attr_strs;
	struct cil_list *attr_datums;
	int expand;
};

struct cil_typepermissive {
	char *type_str;
	void *type; /* type or alias */
};

struct cil_name {
	struct cil_symtab_datum datum;
	char *name_str;
};

struct cil_nametypetransition {
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *name_str;
	struct cil_name *name;
	char *result_str;
	void *result; /* type or alias */
};

struct cil_rangetransition {
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *exec_str;
	void *exec; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *range_str;
	struct cil_levelrange *range;
};

struct cil_bool {
	struct cil_symtab_datum datum;
	uint16_t value;
};

struct cil_tunable {
	struct cil_symtab_datum datum;
	uint16_t value;
};

/*
 * AV rule kinds. Intended to be numerically identical to the sepol AVRULE_*
 * flags from <sepol/policydb/policydb.h>; CIL_AVRULE_AV is built directly
 * from those sepol names.
 */
#define CIL_AVRULE_ALLOWED 1
#define CIL_AVRULE_AUDITALLOW 2
#define CIL_AVRULE_DONTAUDIT 8
#define CIL_AVRULE_NEVERALLOW 128
#define CIL_AVRULE_AV (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW)
/*
 * One allow/auditallow/dontaudit/neverallow rule. `perms` is a union:
 * `classperms` for ordinary rules, `x` for the extended (*X) forms;
 * `is_extended` is presumably the discriminator and must be consulted
 * before reading either member.
 */
struct cil_avrule {
	int is_extended;
	uint32_t rule_kind;
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	union {
		struct cil_list *classperms;
		struct {
			char *permx_str;
			struct cil_permissionx *permx;
		} x;
	} perms;
};

#define CIL_PERMX_KIND_IOCTL 1
struct cil_permissionx {
	struct cil_symtab_datum datum;
	uint32_t kind;
	char *obj_str;
	struct cil_class *obj;
	struct cil_list *expr_str;
	ebitmap_t *perms;
};

/* Type rule kinds; CIL_AVRULE_TYPE is likewise built from the sepol AVRULE_* names. */
#define CIL_TYPE_TRANSITION 16
#define CIL_TYPE_MEMBER 32
#define CIL_TYPE_CHANGE 64
#define CIL_AVRULE_TYPE (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE)
struct cil_type_rule {
	uint32_t rule_kind;
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *result_str;
	void *result; /* type or alias */
};

struct cil_roletransition {
	char *src_str;
	struct cil_role *src;
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *result_str;
	struct cil_role *result;
};

struct cil_roleallow {
	char *src_str;
	void *src; /* role or attribute */
	char *tgt_str;
	void *tgt; /* role or attribute */
};

struct cil_sens {
	struct cil_symtab_datum datum;
	struct cil_list *cats_list;
	uint32_t ordered;
};

struct cil_sensorder {
	struct cil_list *sens_list_str;
};

struct cil_cat {
	struct cil_symtab_datum datum;
	uint32_t ordered;
	int value;
};

/* A category set expression; `evaluated` records whether datum_expr has been reduced. */
struct cil_cats {
	uint32_t evaluated;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_catset {
	struct cil_symtab_datum datum;
	struct cil_cats *cats;
};

struct cil_catorder {
	struct cil_list *cat_list_str;
};

struct cil_senscat {
	char *sens_str;
	struct cil_cats *cats;
};

struct cil_level {
	struct cil_symtab_datum datum;
	char *sens_str;
	struct cil_sens *sens;
	struct cil_cats *cats;
};

struct cil_levelrange {
	struct cil_symtab_datum datum;
	char *low_str;
	struct cil_level *low;
	char *high_str;
	struct cil_level *high;
};

struct cil_context {
	struct cil_symtab_datum datum;
	char *user_str;
	struct cil_user *user;
	char *role_str;
	struct cil_role *role;
	char *type_str;
	void *type; /* type or alias */
	char *range_str;
	struct cil_levelrange *range;
};

enum cil_filecon_types {
	CIL_FILECON_ANY = 0,
	CIL_FILECON_FILE,
	CIL_FILECON_DIR,
	CIL_FILECON_CHAR,
	CIL_FILECON_BLOCK,
	CIL_FILECON_SOCKET,
	CIL_FILECON_PIPE,
	CIL_FILECON_SYMLINK,
};

struct cil_filecon {
	char *path_str;
	enum cil_filecon_types type;
	char *context_str;
	struct cil_context *context;
};

enum cil_protocol {
	CIL_PROTOCOL_UDP = 1,
	CIL_PROTOCOL_TCP,
	CIL_PROTOCOL_DCCP,
	CIL_PROTOCOL_SCTP
};

struct cil_ibpkeycon {
	char *subnet_prefix_str;
	uint32_t pkey_low;
	uint32_t pkey_high;
	char *context_str;
	struct cil_context *context;
};

/*
 * port_low/port_high are stored as uint32_t, wider than a 16-bit transport
 * port; the range check is presumably done where the statement is parsed —
 * consumers should not assume the values here have been validated.
 */
struct cil_portcon {
	enum cil_protocol proto;
	uint32_t port_low;
	uint32_t port_high;
	char *context_str;
	struct cil_context *context;
};

struct cil_nodecon {
	char *addr_str;
	struct cil_ipaddr *addr;
	char *mask_str;
	struct cil_ipaddr *mask;
	char *context_str;
	struct cil_context *context;
};

/*
 * Tagged union: `family` (presumably AF_INET or AF_INET6) selects which of
 * ip.v4 / ip.v6 is valid; always check it before reading the union.
 */
struct cil_ipaddr {
	struct cil_symtab_datum datum;
	int family;
	union {
		struct in_addr v4;
		struct in6_addr v6;
	} ip;
};

struct cil_genfscon {
	char *fs_str;
	char *path_str;
	enum cil_filecon_types file_type;
	char *context_str;
	struct cil_context *context;
};

struct cil_netifcon {
	char *interface_str;
	char *if_context_str;
	struct cil_context *if_context;
	char *packet_context_str;
	struct cil_context *packet_context;
	char *context_str;
};

struct cil_ibendportcon {
	char *dev_name_str;
	uint32_t port;
	char *context_str;
	struct cil_context *context;
};

struct cil_pirqcon {
	uint32_t pirq;
	char *context_str;
	struct cil_context *context;
};

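struct cil_iomemcon {
	uint64_t iomem_low;
	uint64_t iomem_high;
	char *context_str;
	struct cil_context *context;
};

struct cil_ioportcon {
	uint32_t ioport_low;
	uint32_t ioport_high;
	char *context_str;
	struct cil_context *context;
};

struct cil_pcidevicecon {
	uint32_t dev;
	char *context_str;
	struct cil_context *context;
};

struct cil_devicetreecon {
	char *path;
	char *context_str;
	struct cil_context *context;
};


/* Ensure that CIL uses the same values as sepol services.h */
enum cil_fsuse_types {
	CIL_FSUSE_XATTR = SECURITY_FS_USE_XATTR,
	CIL_FSUSE_TASK = SECURITY_FS_USE_TASK,
	CIL_FSUSE_TRANS = SECURITY_FS_USE_TRANS
};

struct cil_fsuse {
	enum cil_fsuse_types type;
	char *fs_str;
	char *context_str;
	struct cil_context *context;
};

/*
 * Space-separated lists of the names and operators accepted inside
 * (mls)constrain / (mls)validatetrans expressions.
 *
 * CIL_MLSCONSTRAIN_KEYS is built by adjacent-literal concatenation, which
 * inserts nothing between the pieces; the explicit " " keeps the list
 * well-formed (without it the expansion read "l1 l2 h1 h2t1 t2 ...",
 * fusing "h2" and "t1" into one token).
 */
#define CIL_MLS_LEVELS "l1 l2 h1 h2"
#define CIL_CONSTRAIN_KEYS "t1 t2 r1 r2 u1 u2"
#define CIL_MLSCONSTRAIN_KEYS CIL_MLS_LEVELS " " CIL_CONSTRAIN_KEYS
#define CIL_CONSTRAIN_OPER "== != eq dom domby incomp not and or"
/* A constraint: the (class perms) it applies to plus the expression, as written and as resolved. */
struct cil_constrain {
	struct cil_list *classperms;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_validatetrans {
	char *class_str;
	struct cil_class *class;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

/* A macro parameter: its name and the flavor of argument it accepts. */
struct cil_param {
	char *str;
	enum cil_flavor flavor;
};

struct cil_macro {
	struct cil_symtab_datum datum;
	symtab_t symtab[CIL_SYM_NUM];
	struct cil_list *params;
};

/* One actual argument of a call, matched to the parameter named by param_str. */
struct cil_args {
	char *arg_str;
	struct cil_symtab_datum *arg;
	char *param_str;
	enum cil_flavor flavor;
};

/* A macro call; `copied` presumably records that the macro body has been expanded into the AST — confirm. */
struct cil_call {
	char *macro_str;
	struct cil_macro *macro;
	struct cil_tree *args_tree;
	struct cil_list *args;
	int copied;
};

#define CIL_TRUE 1
#define CIL_FALSE 0

/* The true/false branch of a booleanif/tunableif; owns its own symtab array. */
struct cil_condblock {
	enum cil_flavor flavor;
	symtab_t symtab[CIL_SYM_NUM];
};

struct cil_booleanif {
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
	int preserved_tunable;
};

struct cil_tunableif {
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_policycap {
	struct cil_symtab_datum datum;
};

/* A bounds statement (userbounds/rolebounds/typebounds): names only, resolved later. */
struct cil_bounds {
	char *parent_str;
	char *child_str;
};

/* Ensure that CIL uses the same values as sepol policydb.h */
enum cil_default_object {
	CIL_DEFAULT_SOURCE = DEFAULT_SOURCE,
	CIL_DEFAULT_TARGET = DEFAULT_TARGET,
};

/* Default labeling behavior for users, roles, and types */
struct cil_default {
	enum cil_flavor flavor;
	struct cil_list *class_strs;
	struct cil_list *class_datums;
	enum cil_default_object object;
};

/* Ensure that CIL uses the same values as sepol policydb.h */
enum cil_default_object_range {
	CIL_DEFAULT_SOURCE_LOW = DEFAULT_SOURCE_LOW,
	CIL_DEFAULT_SOURCE_HIGH = DEFAULT_SOURCE_HIGH,
	CIL_DEFAULT_SOURCE_LOW_HIGH = DEFAULT_SOURCE_LOW_HIGH,
	CIL_DEFAULT_TARGET_LOW = DEFAULT_TARGET_LOW,
	CIL_DEFAULT_TARGET_HIGH = DEFAULT_TARGET_HIGH,
	CIL_DEFAULT_TARGET_LOW_HIGH = DEFAULT_TARGET_LOW_HIGH,
	CIL_DEFAULT_GLBLUB = DEFAULT_GLBLUB,
};

/* Default labeling behavior for range */
struct cil_defaultrange {
	struct cil_list *class_strs;
	struct cil_list *class_datums;
	enum cil_default_object_range object_range;
};

struct cil_handleunknown {
	int handle_unknown;
};

struct cil_mls {
	int value;
};

/* Source-location marker: which language/file a following subtree came from and the line it started on. */
struct cil_src_info {
	char *kind;
	uint32_t hll_line;
	char *path;
};

/* Database lifetime: _init allocates into *db, _destroy frees *db and its contents. */
void cil_db_init(struct cil_db **db);
void cil_db_destroy(struct cil_db **db);

void cil_root_init(struct cil_root **root);
void cil_root_destroy(struct cil_root *root);

/* Free a statement object of the given flavor through its generic pointer. */
void cil_destroy_data(void **data, enum cil_flavor flavor);

/* Map a flavor to the symtab namespace it lives in; nonzero return means no namespace. */
int cil_flavor_to_symtab_index(enum cil_flavor flavor, enum cil_sym_index *index);
const char * cil_node_to_string(struct cil_tree_node *node);

/*
 * Render a table of the db as text into *out with its length in *size.
 * Ownership of *out (and whether the caller frees it) is decided by the
 * implementation — confirm before relying on it.
 */
int cil_userprefixes_to_string(struct cil_db *db, char **out, size_t *size);
int cil_selinuxusers_to_string(struct cil_db *db, char **out, size_t *size);
int cil_filecons_to_string(struct cil_db *db, char **out, size_t *size);

/* symtab_sizes is one row of cil_sym_sizes, i.e. the initial size per namespace. */
void cil_symtab_array_init(symtab_t symtab[], const int symtab_sizes[CIL_SYM_NUM]);
void cil_symtab_array_destroy(symtab_t symtab[]);
void cil_destroy_ast_symtabs(struct cil_tree_node *root);
/* Locate the symtab for sym_index in the scope enclosing ast_node; nonzero return on failure. */
int cil_get_symtab(struct cil_tree_node *ast_node, symtab_t **symtab, enum cil_sym_index sym_index);
/*
 * Checked numeric parsing in the given base; a nonzero return signals that
 * the text was not a valid number or did not fit the target width, so
 * callers must not use *value on failure.
 */
int cil_string_to_uint32(const char *string, uint32_t *value, int base);
int cil_string_to_uint64(const char *string, uint64_t *value, int base);

/*
 * Constructors: each allocates a fresh object and stores it through the
 * double pointer. The allocation and out-of-memory policy are in the
 * implementation (via cil_mem.h), not visible from the prototypes.
 */
void cil_sort_init(struct cil_sort **sort);
void cil_sort_destroy(struct cil_sort **sort);
void cil_netifcon_init(struct cil_netifcon **netifcon);
void cil_ibendportcon_init(struct cil_ibendportcon **ibendportcon);
void cil_context_init(struct cil_context **context);
void cil_level_init(struct cil_level **level);
void cil_levelrange_init(struct cil_levelrange **lvlrange);
void cil_sens_init(struct cil_sens **sens);
void cil_block_init(struct cil_block **block);
void cil_blockinherit_init(struct cil_blockinherit **inherit);
void cil_blockabstract_init(struct cil_blockabstract **abstract);
void cil_in_init(struct cil_in **in);
void cil_class_init(struct cil_class **class);
void cil_classorder_init(struct cil_classorder **classorder);
void cil_classcommon_init(struct cil_classcommon **classcommon);
void cil_sid_init(struct cil_sid **sid);
void cil_sidcontext_init(struct cil_sidcontext **sidcontext);
void cil_sidorder_init(struct cil_sidorder **sidorder);
void cil_userrole_init(struct cil_userrole **userrole);
void cil_userprefix_init(struct cil_userprefix **userprefix);
void cil_selinuxuser_init(struct cil_selinuxuser **selinuxuser);
void cil_roleattribute_init(struct cil_roleattribute **attribute);
void cil_roleattributeset_init(struct cil_roleattributeset **attrset);
void cil_roletype_init(struct cil_roletype **roletype);
void cil_typeattribute_init(struct cil_typeattribute **attribute);
void cil_typeattributeset_init(struct cil_typeattributeset **attrset);
void cil_expandtypeattribute_init(struct cil_expandtypeattribute **expandattr);
void cil_alias_init(struct cil_alias **alias);
void cil_aliasactual_init(struct cil_aliasactual **aliasactual);
void cil_typepermissive_init(struct cil_typepermissive **typeperm);
void cil_name_init(struct cil_name **name);
void cil_nametypetransition_init(struct cil_nametypetransition **nametypetrans);
void cil_rangetransition_init(struct cil_rangetransition **rangetrans);
void cil_bool_init(struct cil_bool **cilbool);
void cil_boolif_init(struct cil_booleanif **bif);
void cil_condblock_init(struct cil_condblock **cb);
void cil_tunable_init(struct cil_tunable **ciltun);
void cil_tunif_init(struct cil_tunableif **tif);
void cil_avrule_init(struct cil_avrule **avrule);
void cil_permissionx_init(struct cil_permissionx **permx);
void cil_type_rule_init(struct cil_type_rule **type_rule);
void cil_roletransition_init(struct cil_roletransition **roletrans);
void cil_roleallow_init(struct cil_roleallow **role_allow);
void cil_catset_init(struct cil_catset **catset);
void cil_cats_init(struct cil_cats **cats);
void cil_senscat_init(struct cil_senscat **senscat);
void cil_filecon_init(struct cil_filecon **filecon);
void cil_ibpkeycon_init(struct cil_ibpkeycon **ibpkeycon);
void cil_portcon_init(struct cil_portcon **portcon);
void cil_nodecon_init(struct cil_nodecon **nodecon);
void cil_genfscon_init(struct cil_genfscon **genfscon);
void cil_pirqcon_init(struct cil_pirqcon **pirqcon);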
/*
 * Remaining constructors, same contract as the ones above: allocate a fresh
 * object and store it through the double pointer. Allocation and
 * out-of-memory handling live in the implementation (via cil_mem.h).
 */
void cil_iomemcon_init(struct cil_iomemcon **iomemcon);
void cil_ioportcon_init(struct cil_ioportcon **ioportcon);
void cil_pcidevicecon_init(struct cil_pcidevicecon **pcidevicecon);
void cil_devicetreecon_init(struct cil_devicetreecon **devicetreecon);
void cil_fsuse_init(struct cil_fsuse **fsuse);
void cil_constrain_init(struct cil_constrain **constrain);
void cil_validatetrans_init(struct cil_validatetrans **validtrans);
void cil_ipaddr_init(struct cil_ipaddr **ipaddr);
void cil_perm_init(struct cil_perm **perm);
void cil_classpermission_init(struct cil_classpermission **cp);
void cil_classpermissionset_init(struct cil_classpermissionset **cps);
void cil_classperms_set_init(struct cil_classperms_set **cp_set);
void cil_classperms_init(struct cil_classperms **cp);
void cil_classmapping_init(struct cil_classmapping **mapping);
void cil_user_init(struct cil_user **user);
void cil_userlevel_init(struct cil_userlevel **usrlvl);
void cil_userrange_init(struct cil_userrange **userrange);
void cil_role_init(struct cil_role **role);
void cil_type_init(struct cil_type **type);
void cil_cat_init(struct cil_cat **cat);
void cil_catorder_init(struct cil_catorder **catorder);
void cil_sensorder_init(struct cil_sensorder **sensorder);
void cil_args_init(struct cil_args **args);
void cil_call_init(struct cil_call **call);
void cil_optional_init(struct cil_optional **optional);
void cil_param_init(struct cil_param **param);
void cil_macro_init(struct cil_macro **macro);
void cil_policycap_init(struct cil_policycap **policycap);
void cil_bounds_init(struct cil_bounds **bounds);
/* cil_default and cil_defaultrange share the parameter name `def`; they are distinct types. */
void cil_default_init(struct cil_default **def);
void cil_defaultrange_init(struct cil_defaultrange **def);
void cil_handleunknown_init(struct cil_handleunknown **unk);
void cil_mls_init(struct cil_mls **mls);
void cil_src_info_init(struct cil_src_info **info);
void cil_userattribute_init(struct cil_userattribute **attribute);
void cil_userattributeset_init(struct cil_userattributeset **attrset);

#endif