16cd6a6acSopenharmony_ci/* Author : Stephen Smalley, <sds@tycho.nsa.gov> */
26cd6a6acSopenharmony_ci
36cd6a6acSopenharmony_ci/* FLASK */
46cd6a6acSopenharmony_ci
56cd6a6acSopenharmony_ci/*
66cd6a6acSopenharmony_ci * A constraint is a condition that must be satisfied in
76cd6a6acSopenharmony_ci * order for one or more permissions to be granted.
86cd6a6acSopenharmony_ci * Constraints are used to impose additional restrictions
96cd6a6acSopenharmony_ci * beyond the type-based rules in `te' or the role-based
106cd6a6acSopenharmony_ci * transition rules in `rbac'.  Constraints are typically
116cd6a6acSopenharmony_ci * used to prevent a process from transitioning to a new user
126cd6a6acSopenharmony_ci * identity or role unless it is in a privileged type.
136cd6a6acSopenharmony_ci * Constraints are likewise typically used to prevent a
146cd6a6acSopenharmony_ci * process from labeling an object with a different user
156cd6a6acSopenharmony_ci * identity.
166cd6a6acSopenharmony_ci */
176cd6a6acSopenharmony_ci
186cd6a6acSopenharmony_ci#ifndef _SEPOL_POLICYDB_CONSTRAINT_H_
196cd6a6acSopenharmony_ci#define _SEPOL_POLICYDB_CONSTRAINT_H_
206cd6a6acSopenharmony_ci
216cd6a6acSopenharmony_ci#include <sepol/policydb/ebitmap.h>
226cd6a6acSopenharmony_ci#include <sepol/policydb/flask_types.h>
236cd6a6acSopenharmony_ci
246cd6a6acSopenharmony_ci#ifdef __cplusplus
256cd6a6acSopenharmony_ciextern "C" {
266cd6a6acSopenharmony_ci#endif
276cd6a6acSopenharmony_ci
286cd6a6acSopenharmony_ci#define CEXPR_MAXDEPTH 5
296cd6a6acSopenharmony_ci
306cd6a6acSopenharmony_cistruct type_set;
316cd6a6acSopenharmony_ci
326cd6a6acSopenharmony_citypedef struct constraint_expr {
336cd6a6acSopenharmony_ci#define CEXPR_NOT		1	/* not expr */
346cd6a6acSopenharmony_ci#define CEXPR_AND		2	/* expr and expr */
356cd6a6acSopenharmony_ci#define CEXPR_OR		3	/* expr or expr */
366cd6a6acSopenharmony_ci#define CEXPR_ATTR		4	/* attr op attr */
376cd6a6acSopenharmony_ci#define CEXPR_NAMES		5	/* attr op names */
386cd6a6acSopenharmony_ci	uint32_t expr_type;	/* expression type */
396cd6a6acSopenharmony_ci
406cd6a6acSopenharmony_ci#define CEXPR_USER 1		/* user */
416cd6a6acSopenharmony_ci#define CEXPR_ROLE 2		/* role */
426cd6a6acSopenharmony_ci#define CEXPR_TYPE 4		/* type */
436cd6a6acSopenharmony_ci#define CEXPR_TARGET 8		/* target if set, source otherwise */
446cd6a6acSopenharmony_ci#define CEXPR_XTARGET 16	/* special 3rd target for validatetrans rule */
456cd6a6acSopenharmony_ci#define CEXPR_L1L2 32		/* low level 1 vs. low level 2 */
466cd6a6acSopenharmony_ci#define CEXPR_L1H2 64		/* low level 1 vs. high level 2 */
476cd6a6acSopenharmony_ci#define CEXPR_H1L2 128		/* high level 1 vs. low level 2 */
486cd6a6acSopenharmony_ci#define CEXPR_H1H2 256		/* high level 1 vs. high level 2 */
496cd6a6acSopenharmony_ci#define CEXPR_L1H1 512		/* low level 1 vs. high level 1 */
506cd6a6acSopenharmony_ci#define CEXPR_L2H2 1024		/* low level 2 vs. high level 2 */
516cd6a6acSopenharmony_ci	uint32_t attr;		/* attribute */
526cd6a6acSopenharmony_ci
536cd6a6acSopenharmony_ci#define CEXPR_EQ     1		/* == or eq */
546cd6a6acSopenharmony_ci#define CEXPR_NEQ    2		/* != */
556cd6a6acSopenharmony_ci#define CEXPR_DOM    3		/* dom */
566cd6a6acSopenharmony_ci#define CEXPR_DOMBY  4		/* domby  */
576cd6a6acSopenharmony_ci#define CEXPR_INCOMP 5		/* incomp */
586cd6a6acSopenharmony_ci	uint32_t op;		/* operator */
596cd6a6acSopenharmony_ci
606cd6a6acSopenharmony_ci	ebitmap_t names;	/* names */
616cd6a6acSopenharmony_ci	struct type_set *type_names;
626cd6a6acSopenharmony_ci
636cd6a6acSopenharmony_ci	struct constraint_expr *next;	/* next expression */
646cd6a6acSopenharmony_ci} constraint_expr_t;
656cd6a6acSopenharmony_ci
666cd6a6acSopenharmony_citypedef struct constraint_node {
676cd6a6acSopenharmony_ci	sepol_access_vector_t permissions;	/* constrained permissions */
686cd6a6acSopenharmony_ci	constraint_expr_t *expr;	/* constraint on permissions */
696cd6a6acSopenharmony_ci	struct constraint_node *next;	/* next constraint */
706cd6a6acSopenharmony_ci} constraint_node_t;
716cd6a6acSopenharmony_ci
726cd6a6acSopenharmony_ciextern int constraint_expr_init(constraint_expr_t * expr);
736cd6a6acSopenharmony_ciextern void constraint_expr_destroy(constraint_expr_t * expr);
746cd6a6acSopenharmony_ci
756cd6a6acSopenharmony_ci#ifdef __cplusplus
766cd6a6acSopenharmony_ci}
776cd6a6acSopenharmony_ci#endif
786cd6a6acSopenharmony_ci
796cd6a6acSopenharmony_ci#endif				/* _CONSTRAINT_H_ */
806cd6a6acSopenharmony_ci
816cd6a6acSopenharmony_ci/* FLASK */
82