/* Author : Stephen Smalley, <sds@tycho.nsa.gov> */

/*
 * Updated: Joshua Brindle <jbrindle@tresys.com>
 *	    Karl MacMillan <kmacmillan@tresys.com>
 *	    Jason Tang <jtang@tresys.com>
 *
 *	Module support
 *
 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
 *
 *	Support for enhanced MLS infrastructure.
 *
 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
 *
 *	Added conditional policy language extensions
 *
 * Updated: Red Hat, Inc.  James Morris <jmorris@redhat.com>
 *
 *	Fine-grained netlink support
 *	IPv6 support
 *	Code cleanup
 *
 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
 * Copyright (C) 2003 - 2004 Red Hat, Inc.
 * Copyright (C) 2017 Mellanox Technologies Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 */

/* FLASK */

/*
 * A policy database (policydb) specifies the
 * configuration data for the security policy.
 *
 * This header declares the in-memory representation of a policy
 * (kernel policy, base module or module -- see policy_type below),
 * the symbol/rule/context structures it is built from, the
 * read/write/index entry points, and the on-disk version constants.
 */

#ifndef _SEPOL_POLICYDB_POLICYDB_H_
#define _SEPOL_POLICYDB_POLICYDB_H_

#include <stdio.h>
#include <stddef.h>

#include <sepol/policydb.h>

#include <sepol/policydb/flask_types.h>
#include <sepol/policydb/symtab.h>
#include <sepol/policydb/avtab.h>
#include <sepol/policydb/context.h>
#include <sepol/policydb/constraint.h>
#include <sepol/policydb/sidtab.h>

/* Size constant for error-message buffers (name only; users are outside this header). */
#define ERRMSG_LEN 1024

/* Return codes used by the policydb_* functions declared below. */
#define POLICYDB_SUCCESS      0
#define POLICYDB_ERROR        -1
#define POLICYDB_UNSUPPORTED  -2

#ifdef __cplusplus
extern "C" {
#endif

/* Maximum length of an Infiniband device name (see ocontext.u.ibendport.dev_name). */
#define IB_DEVICE_NAME_MAX 64

/*
 * A datum type is defined for each kind of symbol
 * in the configuration data:  individual permissions,
 * common prefixes for access vectors, classes,
 * users, roles, types, sensitivities, categories, etc.
 */

/* type set preserves data needed by modules such as *, ~ and attributes */
typedef struct type_set {
	ebitmap_t types;	/* explicitly listed types/attributes */
	ebitmap_t negset;	/* types excluded with '-' */
#define TYPE_STAR 1		/* '*' was used: all types */
#define TYPE_COMP 2		/* '~' was used: complement of the set */
	uint32_t flags;
} type_set_t;

/* role set; same encoding scheme as type_set_t */
typedef struct role_set {
	ebitmap_t roles;
#define ROLE_STAR 1		/* '*' was used: all roles */
#define ROLE_COMP 2		/* '~' was used: complement of the set */
	uint32_t flags;
} role_set_t;

/* Permission attributes */
typedef struct perm_datum {
	symtab_datum_t s;
} perm_datum_t;

/* Attributes of a common prefix for access vectors */
typedef struct common_datum {
	symtab_datum_t s;
	symtab_t permissions;	/* common permissions */
} common_datum_t;

/* Class attributes */
typedef struct class_datum {
	symtab_datum_t s;
	char *comkey;		/* common name */
	common_datum_t *comdatum;	/* common datum */
	symtab_t permissions;	/* class-specific permission symbol table */
	constraint_node_t *constraints;	/* constraints on class permissions */
	constraint_node_t *validatetrans;	/* special transition rules */
/* Options for how a new object's user and role should be decided */
#define DEFAULT_SOURCE	1
#define DEFAULT_TARGET	2
	char default_user;
	char default_role;
	char default_type;
/* Options for how a new object's range should be decided */
#define DEFAULT_SOURCE_LOW	1
#define DEFAULT_SOURCE_HIGH	2
#define DEFAULT_SOURCE_LOW_HIGH	3
#define DEFAULT_TARGET_LOW	4
#define DEFAULT_TARGET_HIGH	5
#define DEFAULT_TARGET_LOW_HIGH	6
#define DEFAULT_GLBLUB		7
	char default_range;
} class_datum_t;

/* Role attributes */
typedef struct role_datum {
	symtab_datum_t s;
	ebitmap_t dominates;	/* set of roles dominated by this role */
	type_set_t types;	/* set of authorized types for role */
	ebitmap_t cache;	/* This is an expanded set used for context validation during parsing */
	uint32_t bounds;	/* bounds role, if exist */
#define ROLE_ROLE 0		/* regular role in kernel policies */
#define ROLE_ATTRIB 1		/* attribute */
	uint32_t flavor;
	ebitmap_t roles;	/* roles with this attribute */
} role_datum_t;

/* compiled (kernel-policy) role transition; see role_trans_rule_t for the module form */
typedef struct role_trans {
	uint32_t role;		/* current role */
	uint32_t type;		/* program executable type, or new object type */
	uint32_t tclass;	/* process class, or new object class */
	uint32_t new_role;	/* new role */
	struct role_trans *next;
} role_trans_t;

/* compiled (kernel-policy) role allow; see role_allow_rule_t for the module form */
typedef struct role_allow {
	uint32_t role;		/* current role */
	uint32_t new_role;	/* new role */
	struct role_allow *next;
} role_allow_t;

/* filename_trans rules */
typedef struct filename_trans_key {
	uint32_t ttype;		/* target type */
	uint32_t tclass;	/* target class */
	char *name;		/* last path component matched */
} filename_trans_key_t;

typedef struct filename_trans_datum {
	ebitmap_t stypes;	/* source types sharing this key/otype pair */
	uint32_t otype;		/* resulting type */
	struct filename_trans_datum *next;
} filename_trans_datum_t;

/* Type attributes */
typedef struct type_datum {
	symtab_datum_t s;
	uint32_t primary;	/* primary name? can be set to primary value if below is TYPE_ */
#define TYPE_TYPE 0		/* regular type or alias in kernel policies */
#define TYPE_ATTRIB 1		/* attribute */
#define TYPE_ALIAS 2		/* alias in modular policy */
	uint32_t flavor;
	ebitmap_t types;	/* types with this attribute */
#define TYPE_FLAGS_PERMISSIVE		(1 << 0)
#define TYPE_FLAGS_EXPAND_ATTR_TRUE	(1 << 1)
#define TYPE_FLAGS_EXPAND_ATTR_FALSE	(1 << 2)
#define TYPE_FLAGS_EXPAND_ATTR (TYPE_FLAGS_EXPAND_ATTR_TRUE | \
				TYPE_FLAGS_EXPAND_ATTR_FALSE)
	uint32_t flags;
	uint32_t bounds;	/* bounds type, if exist */
} type_datum_t;

/*
 * Properties of type_datum
 * available on the policy version >= (MOD_)POLICYDB_VERSION_BOUNDARY
 */
#define TYPEDATUM_PROPERTY_PRIMARY	0x0001
#define TYPEDATUM_PROPERTY_ATTRIBUTE	0x0002
#define TYPEDATUM_PROPERTY_ALIAS	0x0004	/* userspace only */
#define TYPEDATUM_PROPERTY_PERMISSIVE	0x0008	/* userspace only */

/* User attributes */
typedef struct user_datum {
	symtab_datum_t s;
	role_set_t roles;	/* set of authorized roles for user */
	mls_semantic_range_t range;	/* MLS range (min. - max.) for user */
	mls_semantic_level_t dfltlevel;	/* default login MLS level for user */
	ebitmap_t cache;	/* This is an expanded set used for context validation during parsing */
	mls_range_t exp_range;	/* expanded range used for validation */
	mls_level_t exp_dfltlevel;	/* expanded default level used for validation */
	uint32_t bounds;	/* bounds user, if exist */
} user_datum_t;

/* Sensitivity attributes */
typedef struct level_datum {
	mls_level_t *level;	/* sensitivity and associated categories */
	unsigned char isalias;	/* is this sensitivity an alias for another? */
	unsigned char defined;	/* has the level been fully defined yet? */
} level_datum_t;

/* Category attributes */
typedef struct cat_datum {
	symtab_datum_t s;
	unsigned char isalias;	/* is this category an alias for another? */
} cat_datum_t;

/* key of the compiled range transition table (policydb.range_tr) */
typedef struct range_trans {
	uint32_t source_type;
	uint32_t target_type;
	uint32_t target_class;
} range_trans_t;

/* Boolean data type */
typedef struct cond_bool_datum {
	symtab_datum_t s;
	int state;		/* current value of the boolean */
#define COND_BOOL_FLAGS_TUNABLE	0x01	/* is this a tunable? */
	uint32_t flags;
} cond_bool_datum_t;

struct cond_node;

typedef struct cond_node cond_list_t;
struct cond_av_list;

/* one (class, permissions-or-type) element of an avrule */
typedef struct class_perm_node {
	uint32_t tclass;
	uint32_t data;		/* permissions or new type */
	struct class_perm_node *next;
} class_perm_node_t;

/*
 * Bit accessors for the 256-bit extended permission map.
 * x is the bit index (0..255), p the uint32_t array.
 * NOTE: x is evaluated twice by each macro; do not pass an expression
 * with side effects.  No bounds check is performed on x.
 */
#define xperm_test(x, p) (UINT32_C(1) & ((p)[(x) >> 5] >> ((x) & 0x1f)))
#define xperm_set(x, p) ((p)[(x) >> 5] |= (UINT32_C(1) << ((x) & 0x1f)))
#define xperm_clear(x, p) ((p)[(x) >> 5] &= ~(UINT32_C(1) << ((x) & 0x1f)))
#define EXTENDED_PERMS_LEN	8	/* 8 * 32 bits = 256 bits */

typedef struct av_extended_perms {
#define AVRULE_XPERMS_IOCTLFUNCTION	0x01
#define AVRULE_XPERMS_IOCTLDRIVER	0x02
	uint8_t specified;	/* one of the AVRULE_XPERMS_* kinds above */
	uint8_t driver;		/* driver (upper byte) the perms map refers to */
	/* 256 bits of permissions */
	uint32_t perms[EXTENDED_PERMS_LEN];
} av_extended_perms_t;

/* uncompiled access-vector / type rule as found in modules and policy.conf */
typedef struct avrule {
/* these typedefs are almost exactly the same as those in avtab.h - they are
 * here because of the need to include neverallow and dontaudit messages */
#define AVRULE_ALLOWED			AVTAB_ALLOWED
#define AVRULE_AUDITALLOW		AVTAB_AUDITALLOW
#define AVRULE_AUDITDENY		AVTAB_AUDITDENY
#define AVRULE_DONTAUDIT		0x0008
#define AVRULE_NEVERALLOW		AVTAB_NEVERALLOW
#define AVRULE_AV (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_AUDITDENY | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW)
#define AVRULE_TRANSITION		AVTAB_TRANSITION
#define AVRULE_MEMBER			AVTAB_MEMBER
#define AVRULE_CHANGE			AVTAB_CHANGE
#define AVRULE_TYPE (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE)
#define AVRULE_XPERMS_ALLOWED		AVTAB_XPERMS_ALLOWED
#define AVRULE_XPERMS_AUDITALLOW	AVTAB_XPERMS_AUDITALLOW
#define AVRULE_XPERMS_DONTAUDIT		AVTAB_XPERMS_DONTAUDIT
#define AVRULE_XPERMS_NEVERALLOW	AVTAB_XPERMS_NEVERALLOW
#define AVRULE_XPERMS (AVRULE_XPERMS_ALLOWED | AVRULE_XPERMS_AUDITALLOW | \
		AVRULE_XPERMS_DONTAUDIT | AVRULE_XPERMS_NEVERALLOW)
	uint32_t specified;	/* which AVRULE_* kind this rule is */
#define RULE_SELF 1		/* target list contains 'self' */
	uint32_t flags;
	type_set_t stypes;	/* source types */
	type_set_t ttypes;	/* target types */
	class_perm_node_t *perms;	/* per-class permissions or new type */
	av_extended_perms_t *xperms;	/* only for AVRULE_XPERMS rules */
	unsigned long line;	/* line number from policy.conf where
				 * this rule originated  */
	/* source file name and line number (e.g. .te file) */
	char *source_filename;
	unsigned long source_line;
	struct avrule *next;
} avrule_t;

/* uncompiled role transition (module form of role_trans_t) */
typedef struct role_trans_rule {
	role_set_t roles;	/* current role */
	type_set_t types;	/* program executable type, or new object type */
	ebitmap_t classes;	/* process class, or new object class */
	uint32_t new_role;	/* new role */
	struct role_trans_rule *next;
} role_trans_rule_t;

/* uncompiled role allow (module form of role_allow_t) */
typedef struct role_allow_rule {
	role_set_t roles;	/* current role */
	role_set_t new_roles;	/* new roles */
	struct role_allow_rule *next;
} role_allow_rule_t;

/* uncompiled type transition with a filename component */
typedef struct filename_trans_rule {
	uint32_t flags;		/* may have RULE_SELF set */
	type_set_t stypes;
	type_set_t ttypes;
	uint32_t tclass;
	char *name;		/* last path component to match */
	uint32_t otype;		/* new type */
	struct filename_trans_rule *next;
} filename_trans_rule_t;

/* uncompiled MLS range transition */
typedef struct range_trans_rule {
	type_set_t stypes;
	type_set_t ttypes;
	ebitmap_t tclasses;
	mls_semantic_range_t trange;
	struct range_trans_rule *next;
} range_trans_rule_t;

/*
 * The configuration data includes security contexts for
 * initial SIDs, unlabeled file systems, TCP and UDP port numbers,
 * network interfaces, and nodes.  This structure stores the
 * relevant data for one such entry.  Entries of the same kind
 * (e.g. all initial SIDs) are linked together into a list.
 *
 * Which member of 'u' and 'v' is meaningful depends on the OCON_*
 * index of the list the entry lives in (see policydb.ocontexts).
 */
typedef struct ocontext {
	union {
		char *name;	/* name of initial SID, fs, netif, fstype, path */
		struct {
			uint8_t protocol;
			uint16_t low_port;
			uint16_t high_port;
		} port;		/* TCP or UDP port information */
		struct {
			uint32_t addr;	/* network order */
			uint32_t mask;	/* network order */
		} node;		/* node information */
		struct {
			uint32_t addr[4];	/* network order */
			uint32_t mask[4];	/* network order */
		} node6;	/* IPv6 node information */
		uint32_t device;	/* Xen PCI device */
		uint16_t pirq;		/* Xen physical irq */
		struct {
			uint64_t low_iomem;
			uint64_t high_iomem;
		} iomem;	/* Xen io memory range */
		struct {
			uint32_t low_ioport;
			uint32_t high_ioport;
		} ioport;	/* Xen io port range */
		struct {
			uint64_t subnet_prefix;
			uint16_t low_pkey;
			uint16_t high_pkey;
		} ibpkey;	/* Infiniband partition key range */
		struct {
			char *dev_name;
			uint8_t port;
		} ibendport;	/* Infiniband end port */
	} u;
	union {
		uint32_t sclass;	/* security class for genfs */
		uint32_t behavior;	/* labeling behavior for fs_use */
	} v;
	context_struct_t context[2];	/* security context(s) */
	sepol_security_id_t sid[2];	/* SID(s) */
	struct ocontext *next;
} ocontext_t;

/* genfscon entries for one filesystem type */
typedef struct genfs {
	char *fstype;
	struct ocontext *head;	/* per-path contexts for this fstype */
	struct genfs *next;
} genfs_t;

/* symbol table array indices */
#define SYM_COMMONS 0
#define SYM_CLASSES 1
#define SYM_ROLES   2
#define SYM_TYPES   3
#define SYM_USERS   4
#define SYM_BOOLS   5
#define SYM_LEVELS  6
#define SYM_CATS    7
#define SYM_NUM     8

/* object context array indices */
#define OCON_ISID  0	/* initial SIDs */
#define OCON_FS    1	/* unlabeled file systems */
#define OCON_PORT  2	/* TCP and UDP port numbers */
#define OCON_NETIF 3	/* network interfaces */
#define OCON_NODE  4	/* nodes */
#define OCON_FSUSE 5	/* fs_use */
#define OCON_NODE6 6	/* IPv6 nodes */
#define OCON_IBPKEY 7	/* Infiniband PKEY */
#define OCON_IBENDPORT 8	/* Infiniband End Port */

/* object context array indices for Xen */
#define OCON_XEN_ISID  	0    /* initial SIDs */
#define OCON_XEN_PIRQ  	1    /* physical irqs */
#define OCON_XEN_IOPORT	2    /* io ports */
#define OCON_XEN_IOMEM	3    /* io memory */
#define OCON_XEN_PCIDEVICE	4    /* pci devices */
#define OCON_XEN_DEVICETREE	5    /* device tree node */

/* OCON_NUM needs to be the largest index in any platform's ocontext array */
#define OCON_NUM   9

/* section: module information */

/* scope_index_t holds all of the symbols that are in scope in a
 * particular situation.  The bitmaps are indices (and thus must
 * subtract one) into the global policydb->scope array. */
typedef struct scope_index {
	ebitmap_t scope[SYM_NUM];
#define p_classes_scope scope[SYM_CLASSES]
#define p_roles_scope scope[SYM_ROLES]
#define p_types_scope scope[SYM_TYPES]
#define p_users_scope scope[SYM_USERS]
#define p_bools_scope scope[SYM_BOOLS]
#define p_sens_scope scope[SYM_LEVELS]
#define p_cat_scope scope[SYM_CATS]

	/* this array maps from class->value to the permissions within
	 * scope.  if bit (perm->value - 1) is set in map
	 * class_perms_map[class->value - 1] then that permission is
	 * enabled for this class within this decl.  */
	ebitmap_t *class_perms_map;
	/* total number of classes in class_perms_map array */
	uint32_t class_perms_len;
} scope_index_t;

/* a list of declarations for a particular avrule_decl */

/* These two structs declare a block of policy that has TE and RBAC
 * statements and declarations.  The root block (the global policy)
 * can never have an ELSE branch. */
typedef struct avrule_decl {
	uint32_t decl_id;	/* index into policydb.decl_val_to_struct (1-based) */
	uint32_t enabled;	/* whether this block is enabled */

	cond_list_t *cond_list;
	avrule_t *avrules;
	role_trans_rule_t *role_tr_rules;
	role_allow_rule_t *role_allow_rules;
	range_trans_rule_t *range_tr_rules;
	scope_index_t required;	/* symbols needed to activate this block */
	scope_index_t declared;	/* symbols declared within this block */

	/* type transition rules with a 'name' component */
	filename_trans_rule_t *filename_trans_rules;

	/* for additive statements (type attribute, roles, and users) */
	symtab_t symtab[SYM_NUM];

	/* In a linked module this will contain the name of the module
	 * from which this avrule_decl originated. */
	char *module_name;

	struct avrule_decl *next;
} avrule_decl_t;

typedef struct avrule_block {
	avrule_decl_t *branch_list;	/* the block's if/else branches, first is the main branch */
	avrule_decl_t *enabled;	/* pointer to which branch is enabled.  this is
				   used in linking and never written to disk */
#define AVRULE_OPTIONAL 1	/* this block is an optional {} */
	uint32_t flags;		/* any flags for this block, currently just optional */
	struct avrule_block *next;
} avrule_block_t;

/* Every identifier has its own scope datum.  The datum describes if
 * the item is to be included into the final policy during
 * expansion. */
typedef struct scope_datum {
/* Required for this decl */
#define SCOPE_REQ  1
/* Declared in this decl */
#define SCOPE_DECL 2
	uint32_t scope;
	uint32_t *decl_ids;
	uint32_t decl_ids_len;
	/* decl_ids is a list of avrule_decl's that declare/require
	 * this symbol.  If scope==SCOPE_DECL then this is a list of
	 * declarations.  If the symbol may only be declared once
	 * (types, bools) then decl_ids_len will be exactly 1.  For
	 * implicitly declared things (roles, users) then decl_ids_len
	 * will be at least 1. */
} scope_datum_t;

/* The policy database */
typedef struct policydb {
#define POLICY_KERN SEPOL_POLICY_KERN
#define POLICY_BASE SEPOL_POLICY_BASE
#define POLICY_MOD SEPOL_POLICY_MOD
	uint32_t policy_type;	/* one of POLICY_KERN, POLICY_BASE, POLICY_MOD */
	char *name;		/* module name (module policies) */
	char *version;		/* module version string (module policies) */
	int target_platform;	/* set via policydb_set_target_platform() */

	/* Set when the policydb is modified such that writing is unsupported */
	int unsupported_format;

	/* Whether this policydb is mls, should always be set */
	int mls;

	/* symbol tables */
	symtab_t symtab[SYM_NUM];
#define p_commons symtab[SYM_COMMONS]
#define p_classes symtab[SYM_CLASSES]
#define p_roles symtab[SYM_ROLES]
#define p_types symtab[SYM_TYPES]
#define p_users symtab[SYM_USERS]
#define p_bools symtab[SYM_BOOLS]
#define p_levels symtab[SYM_LEVELS]
#define p_cats symtab[SYM_CATS]

	/* symbol names indexed by (value - 1) */
	char **sym_val_to_name[SYM_NUM];
#define p_common_val_to_name sym_val_to_name[SYM_COMMONS]
#define p_class_val_to_name sym_val_to_name[SYM_CLASSES]
#define p_role_val_to_name sym_val_to_name[SYM_ROLES]
#define p_type_val_to_name sym_val_to_name[SYM_TYPES]
#define p_user_val_to_name sym_val_to_name[SYM_USERS]
#define p_bool_val_to_name sym_val_to_name[SYM_BOOLS]
#define p_sens_val_to_name sym_val_to_name[SYM_LEVELS]
#define p_cat_val_to_name sym_val_to_name[SYM_CATS]

	/* class, role, and user attributes indexed by (value - 1) */
	class_datum_t **class_val_to_struct;
	role_datum_t **role_val_to_struct;
	user_datum_t **user_val_to_struct;
	type_datum_t **type_val_to_struct;

	/* module stuff section -- used in parsing and for modules */

	/* keep track of the scope for every identifier.  these are
	 * hash tables, where the key is the identifier name and value
	 * a scope_datum_t.  as a convenience, one may use the
	 * p_*_macros (cf. struct scope_index_t declaration). */
	symtab_t scope[SYM_NUM];

	/* module rule storage */
	avrule_block_t *global;
	/* avrule_decl index used for link/expand */
	avrule_decl_t **decl_val_to_struct;

	/* compiled storage of rules - use for the kernel policy */

	/* type enforcement access vectors and transitions */
	avtab_t te_avtab;

	/* bools indexed by (value - 1) */
	cond_bool_datum_t **bool_val_to_struct;
	/* type enforcement conditional access vectors and transitions */
	avtab_t te_cond_avtab;
	/* linked list indexing te_cond_avtab by conditional */
	cond_list_t *cond_list;

	/* role transitions */
	role_trans_t *role_tr;

	/* role allows */
	role_allow_t *role_allow;

	/* security contexts of initial SIDs, unlabeled file systems,
	   TCP or UDP port numbers, network interfaces and nodes */
	ocontext_t *ocontexts[OCON_NUM];

	/* security contexts for files in filesystems that cannot support
	   a persistent label mapping or use another
	   fixed labeling behavior. */
	genfs_t *genfs;

	/* range transitions table (range_trans_key -> mls_range) */
	hashtab_t range_tr;

	/* file transitions with the last path component */
	hashtab_t filename_trans;
	uint32_t filename_trans_count;

	/* type -> attributes it belongs to, indexed by (value - 1) */
	ebitmap_t *type_attr_map;

	/* attribute -> types it contains, indexed by (value - 1) */
	ebitmap_t *attr_type_map;	/* not saved in the binary policy */

	ebitmap_t policycaps;

	/* this bitmap is referenced by type NOT the typical type-1 used in other
	   bitmaps.  Someday the 0 bit may be used for global permissive */
	ebitmap_t permissive_map;

	unsigned policyvers;	/* POLICYDB_VERSION_* or MOD_POLICYDB_VERSION_* */

	unsigned handle_unknown;	/* DENY_UNKNOWN / REJECT_UNKNOWN / ALLOW_UNKNOWN */

	/* cached class/permission values used by context validation and transitions */
	sepol_security_class_t process_class;
	sepol_security_class_t dir_class;
	sepol_access_vector_t process_trans;
	sepol_access_vector_t process_trans_dyntrans;
} policydb_t;

/* opaque public handle; wraps the internal policydb */
struct sepol_policydb {
	struct policydb p;
};

/* Initialize an empty policydb. Returns POLICYDB_SUCCESS / POLICYDB_ERROR. */
extern int policydb_init(policydb_t * p);

/*
 * Load a policy from a caller-supplied memory image of 'len' bytes.
 * NOTE(review): the image is external input; this header does not state
 * what validation the reader performs on it, so images from untrusted
 * sources should be treated as such by callers.
 */
extern int policydb_from_image(sepol_handle_t * handle,
			       void *data, size_t len, policydb_t * policydb);

/* Serialize a policy into a newly allocated image (*newdata, *newlen);
 * the caller owns the returned buffer. */
extern int policydb_to_image(sepol_handle_t * handle,
			     policydb_t * policydb, void **newdata,
			     size_t * newlen);

/* Build the value -> struct/name index arrays for classes. */
extern int policydb_index_classes(policydb_t * p);

/* Build the value -> struct/name index arrays for booleans. */
extern int policydb_index_bools(policydb_t * p);

/* Build the remaining value -> struct/name index arrays (roles, types, users, ...). */
extern int policydb_index_others(sepol_handle_t * handle, policydb_t * p,
				 unsigned int verbose);

/* hashtab_map() callbacks that (re)compute role_datum.cache / user_datum.cache */
extern int policydb_role_cache(hashtab_key_t key,
			       hashtab_datum_t datum,
			       void *arg);

extern int policydb_user_cache(hashtab_key_t key,
			       hashtab_datum_t datum,
			       void *arg);

extern int policydb_reindex_users(policydb_t * p);

extern int policydb_optimize(policydb_t * p);

/* Release everything owned by *p (not p itself). */
extern void policydb_destroy(policydb_t * p);

/* Populate the SID table 's' with the policy's initial SID contexts. */
extern int policydb_load_isids(policydb_t * p, sidtab_t * s);

extern int policydb_sort_ocontexts(policydb_t *p);

/*
 * Insert a filename transition into p->filename_trans.
 * If the key string is newly allocated it is returned through *name_alloc;
 * if an entry with a different otype already exists it is reported through
 * *present_otype (when non-NULL). See the definition for exact semantics.
 */
extern int policydb_filetrans_insert(policydb_t *p, uint32_t stype,
				     uint32_t ttype, uint32_t tclass,
				     const char *name, char **name_alloc,
				     uint32_t otype, uint32_t *present_otype);

/* Deprecated */
extern int policydb_context_isvalid(const policydb_t * p,
				    const context_struct_t * c);

extern void symtabs_destroy(symtab_t * symtab);
extern int scope_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p);

/* init/destroy/copy helpers for the structures above; *_destroy frees
 * the members of *x, not x itself; *_list_destroy walks the 'next' chain */
extern void class_perm_node_init(class_perm_node_t * x);
extern void type_set_init(type_set_t * x);
extern void type_set_destroy(type_set_t * x);
extern int type_set_cpy(type_set_t * dst, const type_set_t * src);
extern int type_set_or_eq(type_set_t * dst, const type_set_t * other);
extern void role_set_init(role_set_t * x);
extern void role_set_destroy(role_set_t * x);
extern void avrule_init(avrule_t * x);
extern void avrule_destroy(avrule_t * x);
extern void avrule_list_destroy(avrule_t * x);
extern void role_trans_rule_init(role_trans_rule_t * x);
extern void role_trans_rule_list_destroy(role_trans_rule_t * x);
extern void filename_trans_rule_init(filename_trans_rule_t * x);
extern void filename_trans_rule_list_destroy(filename_trans_rule_t * x);

extern void role_datum_init(role_datum_t * x);
extern void role_datum_destroy(role_datum_t * x);
extern void role_allow_rule_init(role_allow_rule_t * x);
extern void role_allow_rule_destroy(role_allow_rule_t * x);
extern void role_allow_rule_list_destroy(role_allow_rule_t * x);
extern void range_trans_rule_init(range_trans_rule_t *x);
extern void range_trans_rule_destroy(range_trans_rule_t *x);
extern void range_trans_rule_list_destroy(range_trans_rule_t *x);
extern void type_datum_init(type_datum_t * x);
extern void type_datum_destroy(type_datum_t * x);
extern void user_datum_init(user_datum_t * x);
extern void user_datum_destroy(user_datum_t * x);
extern void level_datum_init(level_datum_t * x);
extern void level_datum_destroy(level_datum_t * x);
extern void cat_datum_init(cat_datum_t * x);
extern void cat_datum_destroy(cat_datum_t * x);
/* neverallow checking: one rule / a list of rules against the compiled policy */
extern int check_assertion(policydb_t *p, avrule_t *avrule);
extern int check_assertions(sepol_handle_t * handle,
			    policydb_t * p, avrule_t * avrules);

/* Insert 'datum' under 'key' into symbol table 'sym' (a SYM_* index) and
 * record its scope; the assigned value is returned through *value. */
extern int symtab_insert(policydb_t * x, uint32_t sym,
			 hashtab_key_t key, hashtab_datum_t datum,
			 uint32_t scope, uint32_t avrule_decl_id,
			 uint32_t * value);

/* A policy "file" may be a memory region referenced by a (data, len) pair
   or a file referenced by a FILE pointer. */
typedef struct policy_file {
#define PF_USE_MEMORY  0
#define PF_USE_STDIO   1
#define PF_LEN         2	/* total up length in len field */
	unsigned type;		/* one of PF_USE_MEMORY, PF_USE_STDIO, PF_LEN */
	char *data;		/* current position in the memory region (PF_USE_MEMORY) */
	size_t len;		/* bytes remaining (PF_USE_MEMORY) or total (PF_LEN) */
	size_t size;
	FILE *fp;		/* stream (PF_USE_STDIO) */
	struct sepol_handle *handle;
} policy_file_t;

/* opaque public handle; wraps the internal policy_file */
struct sepol_policy_file {
	struct policy_file pf;
};

extern void policy_file_init(policy_file_t * x);

/* Read a policy from 'fp' into 'p'. The source may be a memory image or a stream;
 * NOTE(review): its contents are external input (see policydb_from_image). */
extern int policydb_read(policydb_t * p, struct policy_file *fp,
			 unsigned int verbose);
extern int avrule_read_list(policydb_t * p, avrule_t ** avrules,
			    struct policy_file *fp);

extern int policydb_write(struct policydb *p, struct policy_file *pf);
extern int policydb_set_target_platform(policydb_t *p, int platform);

/* initial size of a class/common permission symbol table */
#define PERM_SYMTAB_SIZE 32

/* Identify specific policy version changes */
#define POLICYDB_VERSION_BASE		15
#define POLICYDB_VERSION_BOOL		16
#define POLICYDB_VERSION_IPV6		17
#define POLICYDB_VERSION_NLCLASS	18
#define POLICYDB_VERSION_VALIDATETRANS	19
#define POLICYDB_VERSION_MLS		19
#define POLICYDB_VERSION_AVTAB		20
#define POLICYDB_VERSION_RANGETRANS	21
#define POLICYDB_VERSION_POLCAP		22
#define POLICYDB_VERSION_PERMISSIVE	23
#define POLICYDB_VERSION_BOUNDARY	24
#define POLICYDB_VERSION_FILENAME_TRANS	25
#define POLICYDB_VERSION_ROLETRANS	26
#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS	27
#define POLICYDB_VERSION_DEFAULT_TYPE	28
#define POLICYDB_VERSION_CONSTRAINT_NAMES	29
#define POLICYDB_VERSION_XEN_DEVICETREE	30 /* Xen-specific */
#define POLICYDB_VERSION_XPERMS_IOCTL	30 /* Linux-specific */
#define POLICYDB_VERSION_INFINIBAND		31 /* Linux-specific */
#define POLICYDB_VERSION_GLBLUB		32
#define POLICYDB_VERSION_COMP_FTRANS	33 /* compressed filename transitions */

/* Range of policy versions we understand */
#define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE
#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_COMP_FTRANS

/* Module versions and specific changes */
#define MOD_POLICYDB_VERSION_BASE		4
#define MOD_POLICYDB_VERSION_VALIDATETRANS	5
#define MOD_POLICYDB_VERSION_MLS		5
#define MOD_POLICYDB_VERSION_RANGETRANS 	6
#define MOD_POLICYDB_VERSION_MLS_USERS	 	6
#define MOD_POLICYDB_VERSION_POLCAP		7
#define MOD_POLICYDB_VERSION_PERMISSIVE		8
#define MOD_POLICYDB_VERSION_BOUNDARY		9
#define MOD_POLICYDB_VERSION_BOUNDARY_ALIAS	10
#define MOD_POLICYDB_VERSION_FILENAME_TRANS	11
#define MOD_POLICYDB_VERSION_ROLETRANS		12
#define MOD_POLICYDB_VERSION_ROLEATTRIB		13
#define MOD_POLICYDB_VERSION_TUNABLE_SEP	14
#define MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS	15
#define MOD_POLICYDB_VERSION_DEFAULT_TYPE	16
#define MOD_POLICYDB_VERSION_CONSTRAINT_NAMES	17
#define MOD_POLICYDB_VERSION_XPERMS_IOCTL	18
#define MOD_POLICYDB_VERSION_INFINIBAND		19
#define MOD_POLICYDB_VERSION_GLBLUB		20
#define MOD_POLICYDB_VERSION_SELF_TYPETRANS	21

#define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_SELF_TYPETRANS

#define POLICYDB_CONFIG_MLS    1

/* macros to check policy feature */

/* TODO: add other features here */

/* true if the policy's format version carries type/role/user bounds;
 * the threshold differs between kernel and module policies.
 * p is evaluated several times, so pass a plain pointer expression. */
#define policydb_has_boundary_feature(p)			\
	(((p)->policy_type == POLICY_KERN			\
	  && (p)->policyvers >= POLICYDB_VERSION_BOUNDARY) ||	\
	 ((p)->policy_type != POLICY_KERN			\
	  && (p)->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY))

/* the config flags related to unknown classes/perms are bits 2 and 3 */
#define DENY_UNKNOWN	SEPOL_DENY_UNKNOWN
#define REJECT_UNKNOWN	SEPOL_REJECT_UNKNOWN
#define ALLOW_UNKNOWN 	SEPOL_ALLOW_UNKNOWN

#define POLICYDB_CONFIG_UNKNOWN_MASK	(DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)

/* the one role every object context carries; always has value 1 */
#define OBJECT_R "object_r"
#define OBJECT_R_VAL 1

/* magic numbers and identification strings at the start of a binary policy */
#define POLICYDB_MAGIC SELINUX_MAGIC
#define POLICYDB_STRING "SE Linux"
#define POLICYDB_XEN_STRING "XenFlask"
#define POLICYDB_STRING_MAX_LENGTH 32	/* upper bound accepted for the identification string */
#define POLICYDB_MOD_MAGIC SELINUX_MOD_MAGIC
#define POLICYDB_MOD_STRING "SE Linux Module"

#ifdef __cplusplus
}
#endif

#endif				/* _SEPOL_POLICYDB_POLICYDB_H_ */

/* FLASK */