conditional.h revision 255e72915d4cbddceb435e13d81601755714e9f3
/* Authors: Karl MacMillan <kmacmillan@tresys.com>
 *          Frank Mayer <mayerf@tresys.com>
 *
 * Copyright (C) 2003 - 2005 Tresys Technology, LLC
 *
 *  This library is free software; you can redistribute it and/or
 *  modify it under the terms of the GNU Lesser General Public
 *  License as published by the Free Software Foundation; either
 *  version 2.1 of the License, or (at your option) any later version.
 *
 *  This library is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 *  Lesser General Public License for more details.
 *
 *  You should have received a copy of the GNU Lesser General Public
 *  License along with this library; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 */
#ifndef _SEPOL_POLICYDB_CONDITIONAL_H_
#define _SEPOL_POLICYDB_CONDITIONAL_H_

#include <stdint.h>

#include <sepol/policydb/flask_types.h>
#include <sepol/policydb/avtab.h>
#include <sepol/policydb/symtab.h>
#include <sepol/policydb/policydb.h>
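/*
 * Upper bound on the depth of a conditional expression.
 *
 * NOTE(review): the code that enforces this limit is not in this header.
 * Any reader of policy data from an untrusted file should reject deeper
 * expressions before evaluating them -- confirm in the implementation.
 */
#define COND_EXPR_MAXDEPTH 10

/*
 * This is the max number of unique bools in a conditional expression
 * for which we precompute all outcomes for the expression.
 *
 * NOTE - do _NOT_ use a value greater than 5 because
 * cond_node_t->expr_pre_comp can only hold at most 32 values: it is a
 * uint32_t, and n booleans have 2^n outcomes (presumably one outcome per
 * bit), so 5 booleans already use all 32. The same constant sizes
 * cond_node_t->bool_ids[].
 */
#define COND_MAX_BOOLS 5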
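/*
 * A conditional expression is a list of operators and operands
 * in reverse polish notation. Each cond_expr_t is one element of that
 * list; `next` links to the following element.
 *
 * expr_type holds one of the COND_* codes defined below, and COND_LAST is
 * the highest code defined. Code that builds these elements from a binary
 * policy should reject an expr_type outside COND_BOOL..COND_LAST before
 * the expression is evaluated.
 *
 * NOTE(review): the member name `bool` is an ordinary identifier only as
 * long as <stdbool.h> has not been included; once it has, `bool` expands
 * to _Bool and this declaration no longer compiles. The name is part of
 * the public struct layout, so it is left unchanged here.
 */
typedef struct cond_expr {
#define COND_BOOL	1	/* plain bool */
#define COND_NOT	2	/* !bool */
#define COND_OR		3	/* bool || bool */
#define COND_AND	4	/* bool && bool */
#define COND_XOR	5	/* bool ^ bool */
#define COND_EQ		6	/* bool == bool */
#define COND_NEQ	7	/* bool != bool */
#define COND_LAST	COND_NEQ
	uint32_t expr_type;	/* one of COND_BOOL .. COND_LAST */
	uint32_t bool;		/* operand id; presumably meaningful for COND_BOOL only -- TODO confirm */
	struct cond_expr *next;	/* following element of the RPN list */
} cond_expr_t;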
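/*
 * Each cond_node_t contains a list of rules to be enabled/disabled
 * depending on the current value of the conditional expression. This
 * struct is one element of that list: `node` refers to an access vector
 * table entry and `next` to the following element.
 *
 * NOTE(review): `node` is a pointer into a table that this list does not
 * appear to own (see the true_list/false_list comment in cond_node_t), so
 * the list must not outlive that table -- confirm against
 * cond_av_list_destroy().
 */
typedef struct cond_av_list {
	avtab_ptr_t node;		/* entry in the access vector table */
	struct cond_av_list *next;	/* following list element */
} cond_av_list_t;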
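/*
 * A cond node represents a conditional block in a policy. It
 * contains a conditional expression, the current state of the expression,
 * and two lists of rules to enable/disable depending on the value of the
 * expression (the true list corresponds to if and the false list
 * corresponds to else).
 *
 * bool_ids[] has exactly COND_MAX_BOOLS slots, so nbools must never exceed
 * COND_MAX_BOOLS; any code that fills or walks bool_ids[] using nbools has
 * to check that bound first. expr_pre_comp is 32 bits wide, which is what
 * caps COND_MAX_BOOLS at 5.
 */
typedef struct cond_node {
	int cur_state;		/* current state of the expression */
	cond_expr_t *expr;	/* the conditional expression, in RPN */
	/* these true/false lists point into te_avtab when that is used */
	cond_av_list_t *true_list;
	cond_av_list_t *false_list;
	/* and these are used during parsing and for modules */
	avrule_t *avtrue_list;
	avrule_t *avfalse_list;
	/* these fields are not written to binary policy */
	unsigned int nbools;			/* count of entries used in bool_ids[] (assumed) */
	uint32_t bool_ids[COND_MAX_BOOLS];	/* unique booleans in expr */
	uint32_t expr_pre_comp;			/* precomputed outcomes of expr */
	struct cond_node *next;			/* following cond node */
} cond_node_t;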
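/*
 * Conditional-policy API. The definitions are not in this header, so the
 * notes below describe only what the signatures show; return-value
 * conventions must be checked in the implementation.
 */

/* Expression evaluation and copying. */
extern int cond_evaluate_expr(policydb_t * p, cond_expr_t * expr);
extern cond_expr_t *cond_copy_expr(cond_expr_t * expr);

/* Comparison, normalization and teardown of nodes and expressions. */
extern int cond_expr_equal(cond_node_t * a, cond_node_t * b);
extern int cond_normalize_expr(policydb_t * p, cond_node_t * cn);
extern void cond_node_destroy(cond_node_t * node);
extern void cond_expr_destroy(cond_expr_t * expr);

/*
 * Looks for `needle` in the list starting at `haystack` and reports
 * through *was_created -- presumably non-zero when no match existed and a
 * new node was made; TODO confirm.
 */
extern cond_node_t *cond_node_find(policydb_t * p,
				   cond_node_t * needle, cond_node_t * haystack,
				   int *was_created);

extern cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node);

extern cond_node_t *cond_node_search(policydb_t * p, cond_node_t * list,
				     cond_node_t * cn);

extern int evaluate_conds(policydb_t * p);

extern avtab_datum_t *cond_av_list_search(avtab_key_t * key,
					  cond_av_list_t * cond_list);

extern void cond_av_list_destroy(cond_av_list_t * list);

extern void cond_optimize_lists(cond_list_t * cl);

/* Set-up and teardown of the conditional parts of a policydb. */
extern int cond_policydb_init(policydb_t * p);
extern void cond_policydb_destroy(policydb_t * p);
extern void cond_list_destroy(cond_list_t * list);

/*
 * Boolean bookkeeping. cond_destroy_bool() and cond_index_bool() take
 * (key, datum, void *), which looks like a hash table callback shape --
 * the third argument is untyped, so each callback has to know what its
 * caller passes.
 */
extern int cond_init_bool_indexes(policydb_t * p);
extern int cond_destroy_bool(hashtab_key_t key, hashtab_datum_t datum, void *p);

extern int cond_index_bool(hashtab_key_t key, hashtab_datum_t datum,
			   void *datap);

/*
 * Readers for the conditional sections of a policy file. The file may be
 * untrusted input, so the implementations should bound expression depth
 * (COND_EXPR_MAXDEPTH), check expr_type against COND_LAST and validate
 * boolean ids before any of them is used as an index.
 *
 * NOTE(review): cond_read_list() takes `void *fp` where cond_read_bool()
 * takes `struct policy_file *fp`; the untyped pointer gives up
 * compile-time checking of what is passed in.
 */
extern int cond_read_bool(policydb_t * p, hashtab_t h, struct policy_file *fp);

extern int cond_read_list(policydb_t * p, cond_list_t ** list, void *fp);

/* Fills *avd for `key` from the conditional table `ctab`. */
extern void cond_compute_av(avtab_t * ctab, avtab_key_t * key,
			    struct sepol_av_decision *avd);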
#endif				/* _SEPOL_POLICYDB_CONDITIONAL_H_ */