
/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */

/*
 * Updated: Joshua Brindle <jbrindle@tresys.com>
 *	    Karl MacMillan <kmacmillan@tresys.com>
 *	    Jason Tang <jtang@tresys.com>
 *
 *	Module support
 *
 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
 *
 *	Support for enhanced MLS infrastructure.
 *
 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
 *
 *	Added conditional policy language extensions
 *
 * Updated: Red Hat, Inc.  James Morris <jmorris@redhat.com>
 *
 *	Fine-grained netlink support
 *	IPv6 support
 *	Code cleanup
 *
 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
 * Copyright (C) 2003 - 2004 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 */

/* FLASK */

/*
 * A policy database (policydb) specifies the
 * configuration data for the security policy.
 *
 * The structures below are the in-memory form of that data.  They are
 * normally filled in by the policydb readers (not in this header) from a
 * compiled policy or module file, so every value, count and flag stored
 * here originates from input that has to be range-checked by the reader
 * before it is used as an array index or bitmap position.  Lines marked
 * NOTE(review) point at the fields where that matters most.
 */

#ifndef _SEPOL_POLICYDB_POLICYDB_H_
#define _SEPOL_POLICYDB_POLICYDB_H_

#include <stdio.h>
#include <stddef.h>

#include <sepol/policydb.h>

#include <sepol/policydb/flask_types.h>
#include <sepol/policydb/symtab.h>
#include <sepol/policydb/avtab.h>
#include <sepol/policydb/context.h>
#include <sepol/policydb/constraint.h>
#include <sepol/policydb/sidtab.h>

/* Length of the fixed-size error-message buffers used by policydb code. */
#define ERRMSG_LEN 1024

/*
 * Return codes shared by policydb operations.  POLICYDB_UNSUPPORTED is
 * kept distinct from POLICYDB_ERROR so callers can tell "malformed input"
 * apart from "well-formed input this library does not handle"; which
 * condition maps to which code is decided by the individual operations.
 */
#define POLICYDB_SUCCESS 0
#define POLICYDB_ERROR -1
#define POLICYDB_UNSUPPORTED -2

/*
 * A datum type is defined for each kind of symbol
 * in the configuration data: individual permissions,
 * common prefixes for access vectors, classes,
 * users, roles, types, sensitivities, categories, etc.
 *
 * Symbol values are 1-based, which is why the comments further down
 * index bitmaps and arrays with (value - 1).
 */

/* type set preserves data needed by modules such as *, ~ and attributes */
typedef struct type_set {
	ebitmap_t types;	/* types and attributes named in the set */
	ebitmap_t negset;	/* types removed from the set (presumably the "-type" form) */
#define TYPE_STAR 1		/* set was written as '*' (every type) */
#define TYPE_COMP 2		/* set was written with '~' (complement of 'types') */
	uint32_t flags;		/* TYPE_STAR / TYPE_COMP bits */
} type_set_t;

typedef struct role_set {
	ebitmap_t roles;	/* roles named in the set */
#define ROLE_STAR 1		/* set was written as '*' (every role) */
#define ROLE_COMP 2		/* set was written with '~' (complement of 'roles') */
	uint32_t flags;		/* ROLE_STAR / ROLE_COMP bits */
} role_set_t;

/* Permission attributes */
typedef struct perm_datum {
	symtab_datum_t s;	/* name and value; the value is used as bit (value - 1) in permission bitmaps */
} perm_datum_t;

/* Attributes of a common prefix for access vectors */
typedef struct common_datum {
	symtab_datum_t s;
	symtab_t permissions;	/* common permissions */
} common_datum_t;

/*
 * Class attributes.
 *
 * The DEFAULT_* groups below reuse the values 1 and 2 in two different
 * namespaces (user/role/type vs. range); which group applies is fixed by
 * the field, never by the value alone.
 */
typedef struct class_datum {
	symtab_datum_t s;
	char *comkey;		/* common name (name of the common this class inherits from) */
	common_datum_t *comdatum;	/* common datum (resolved from comkey; NULL when there is no common, presumably) */
	symtab_t permissions;	/* class-specific permission symbol table */
	constraint_node_t *constraints;	/* constraints on class permissions */
	constraint_node_t *validatetrans;	/* special transition rules */
/* Options how a new object user and role should be decided */
#define DEFAULT_SOURCE 1
#define DEFAULT_TARGET 2
	char default_user;	/* DEFAULT_SOURCE or DEFAULT_TARGET; 0 when the policy sets no default (presumably) */
	char default_role;	/* same encoding as default_user */
	char default_type;	/* same encoding as default_user */
/* Options how a new object range should be decided */
#define DEFAULT_SOURCE_LOW 1
#define DEFAULT_SOURCE_HIGH 2
#define DEFAULT_SOURCE_LOW_HIGH 3
#define DEFAULT_TARGET_LOW 4
#define DEFAULT_TARGET_HIGH 5
#define DEFAULT_TARGET_LOW_HIGH 6
	char default_range;	/* one of the DEFAULT_*_LOW/HIGH/LOW_HIGH values above; 0 when unset (presumably) */
} class_datum_t;

/* Role attributes */
typedef struct role_datum {
	symtab_datum_t s;
	ebitmap_t dominates;	/* set of roles dominated by this role */
	type_set_t types;	/* set of authorized types for role */
	ebitmap_t cache;	/* This is an expanded set used for context validation during parsing */
	uint32_t bounds;	/* bounds role, if exist (value of the bounding role; 0 when none, presumably) */
#define ROLE_ROLE 0		/* regular role in kernel policies */
#define ROLE_ATTRIB 1		/* attribute */
	uint32_t flavor;	/* ROLE_ROLE or ROLE_ATTRIB */
	ebitmap_t roles;	/* roles with this attribute */
} role_datum_t;

/* Kernel-form role_transition: exact (role, type, class) -> new_role. */
typedef struct role_trans {
	uint32_t role;		/* current role */
	uint32_t type;		/* program executable type, or new object type */
	uint32_t tclass;	/* process class, or new object class */
	uint32_t new_role;	/* new role */
	struct role_trans *next;
} role_trans_t;

/* Kernel-form role allow: exact role -> new_role pair. */
typedef struct role_allow {
	uint32_t role;		/* current role */
	uint32_t new_role;	/* new role */
	struct role_allow *next;
} role_allow_t;

/*
 * filename_trans rules: kernel-form type transitions keyed on an object
 * name in addition to the (source, target, class) triple.
 */
typedef struct filename_trans {
	uint32_t stype;		/* source type */
	uint32_t ttype;		/* target type */
	uint32_t tclass;	/* class of the new object */
	char *name;		/* object name the rule is keyed on (owned by this node, presumably) */
	uint32_t otype;		/* resulting type of the new object */
	struct filename_trans *next;
} filename_trans_t;

/* Type attributes */
typedef struct type_datum {
	symtab_datum_t s;
	uint32_t primary;	/* primary name? can be set to primary value if below is TYPE_
				 * (the original comment is truncated; presumably TYPE_ALIAS) */
#define TYPE_TYPE 0		/* regular type or alias in kernel policies */
#define TYPE_ATTRIB 1		/* attribute */
#define TYPE_ALIAS 2		/* alias in modular policy */
	uint32_t flavor;	/* one of TYPE_TYPE / TYPE_ATTRIB / TYPE_ALIAS */
	ebitmap_t types;	/* types with this attribute */
#define TYPE_FLAGS_PERMISSIVE 0x01
	uint32_t flags;		/* TYPE_FLAGS_* bits.
				 * NOTE(review): this header only records the flag, but a
				 * permissive type is one whose denials are audited rather
				 * than enforced, so every type carrying it is effectively
				 * unconfined and worth auditing in a shipped policy. */
	uint32_t bounds;	/* bounds type, if exist (value of the bounding type; 0 when none, presumably) */
} type_datum_t;

/*
 * Properties of type_datum
 * available on the policy version >= (MOD_)POLICYDB_VERSION_BOUNDARY
 *
 * Bit-packed encoding of the primary / flavor / flags fields above, used
 * in the serialised form of a type_datum for those versions (presumably).
 */
#define TYPEDATUM_PROPERTY_PRIMARY	0x0001
#define TYPEDATUM_PROPERTY_ATTRIBUTE	0x0002
#define TYPEDATUM_PROPERTY_ALIAS	0x0004	/* userspace only */
#define TYPEDATUM_PROPERTY_PERMISSIVE	0x0008	/* userspace only */

/* User attributes */
typedef struct user_datum {
	symtab_datum_t s;
	role_set_t roles;	/* set of authorized roles for user */
	mls_semantic_range_t range;	/* MLS range (min. - max.) for user */
	mls_semantic_level_t dfltlevel;	/* default login MLS level for user */
	ebitmap_t cache;	/* This is an expanded set used for context validation during parsing */
	mls_range_t exp_range;	/* expanded range used for validation */
	mls_level_t exp_dfltlevel;	/* expanded default level used for validation */
	uint32_t bounds;	/* bounds user, if exist (value of the bounding user; 0 when none, presumably) */
} user_datum_t;

/* Sensitivity attributes */
typedef struct level_datum {
	mls_level_t *level;	/* sensitivity and associated categories */
	unsigned char isalias;	/* is this sensitivity an alias for another? */
	unsigned char defined;	/* nonzero once the sensitivity has been defined, not merely referenced (presumably) */
} level_datum_t;

/* Category attributes */
typedef struct cat_datum {
	symtab_datum_t s;
	unsigned char isalias;	/* is this category an alias for another? */
} cat_datum_t;

/* Kernel-form range_transition: exact (source, target, class) -> MLS range. */
typedef struct range_trans {
	uint32_t source_type;
	uint32_t target_type;
	uint32_t target_class;
	mls_range_t target_range;	/* range assigned to the new object */
	struct range_trans *next;
} range_trans_t;

/* Boolean data type */
typedef struct cond_bool_datum {
	symtab_datum_t s;
	int state;		/* current value of the boolean (presumably 0 or 1) */
#define COND_BOOL_FLAGS_TUNABLE 0x01	/* is this a tunable? */
	uint32_t flags;		/* COND_BOOL_FLAGS_* bits */
} cond_bool_datum_t;

/* Conditional (if/else on booleans) rule lists; defined in conditional.h, presumably. */
struct cond_node;

typedef struct cond_node cond_list_t;
struct cond_av_list;

/*
 * One (class, data) pair of an avrule.  Whether 'data' is a permission
 * bitmap or a type value depends on the owning avrule's 'specified'
 * kind (AVRULE_AV vs. AVRULE_TYPE).
 */
typedef struct class_perm_node {
	uint32_t class;		/* class value */
	uint32_t data;		/* permissions or new type */
	struct class_perm_node *next;
} class_perm_node_t;

/*
 * Source-form TE rule as kept in modules and before expansion: type sets
 * rather than single types, plus origin information for diagnostics.
 */
typedef struct avrule {
/* these typedefs are almost exactly the same as those in avtab.h - they are
 * here because of the need to include neverallow and dontaudit messages */
#define AVRULE_ALLOWED 1
#define AVRULE_AUDITALLOW 2
#define AVRULE_AUDITDENY 4
#define AVRULE_DONTAUDIT 8
#define AVRULE_NEVERALLOW 128	/* an assertion about the rest of the policy, not an access
				 * rule; presumably checked at build time and never emitted
				 * into the kernel avtab */
#define AVRULE_AV (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_AUDITDENY | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW)
#define AVRULE_TRANSITION 16
#define AVRULE_MEMBER 32
#define AVRULE_CHANGE 64
#define AVRULE_TYPE (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE)
	uint32_t specified;	/* AVRULE_* kind bits; AVRULE_AV and AVRULE_TYPE are disjoint masks */
#define RULE_SELF 1		/* target was written as 'self' (presumably) */
	uint32_t flags;		/* RULE_* bits */
	type_set_t stypes;	/* source type set */
	type_set_t ttypes;	/* target type set */
	class_perm_node_t *perms;	/* per-class permissions or new types */
	unsigned long line;	/* line number from policy.conf where
				 * this rule originated  */
	/* source file name and line number (e.g. .te file) */
	char *source_filename;
	unsigned long source_line;
	struct avrule *next;
} avrule_t;

/* Source-form role_transition: role/type/class sets -> new_role. */
typedef struct role_trans_rule {
	role_set_t roles;	/* current role */
	type_set_t types;	/* program executable type, or new object type */
	ebitmap_t classes;	/* process class, or new object class */
	uint32_t new_role;	/* new role */
	struct role_trans_rule *next;
} role_trans_rule_t;

/* Source-form role allow: role set -> role set. */
typedef struct role_allow_rule {
	role_set_t roles;	/* current role */
	role_set_t new_roles;	/* new roles */
	struct role_allow_rule *next;
} role_allow_rule_t;

/* Source-form filename_trans: type sets rather than single types. */
typedef struct filename_trans_rule {
	type_set_t stypes;	/* source type set */
	type_set_t ttypes;	/* target type set */
	uint32_t tclass;	/* class of the new object */
	char *name;		/* object name the rule is keyed on (owned by this node, presumably) */
	uint32_t otype;		/* new type */
	struct filename_trans_rule *next;
} filename_trans_rule_t;

/* Source-form range_transition: type sets and a semantic (unexpanded) range. */
typedef struct range_trans_rule {
	type_set_t stypes;	/* source type set */
	type_set_t ttypes;	/* target type set */
	ebitmap_t tclasses;	/* target classes */
	mls_semantic_range_t trange;	/* range to assign, expanded later */
	struct range_trans_rule *next;
} range_trans_rule_t;

/*
 * The configuration data includes security contexts for
 * initial SIDs, unlabeled file systems, TCP and UDP port numbers,
 * network interfaces, and nodes.  This structure stores the
 * relevant data for one such entry.  Entries of the same kind
 * (e.g. all initial SIDs) are linked together into a list.
 *
 * NOTE(review): nothing in this struct records which member of 'u' (or
 * of 'v') is live; that is implied solely by which OCON_*/genfs list the
 * entry sits on.  Code that walks these lists must interpret 'u' by list
 * kind only, and the same applies when freeing (u.name is a string only
 * for the kinds that use it).
 */
typedef struct ocontext {
	union {
		char *name;	/* name of initial SID, fs, netif, fstype, path */
		struct {
			uint8_t protocol;	/* transport protocol number (presumably IPPROTO_*) */
			uint16_t low_port;	/* inclusive port range; readers should reject low > high */
			uint16_t high_port;
		} port;		/* TCP or UDP port information */
		struct {
			uint32_t addr;	/* network order */
			uint32_t mask;	/* network order */
		} node;		/* node information */
		struct {
			uint32_t addr[4];	/* network order */
			uint32_t mask[4];	/* network order */
		} node6;	/* IPv6 node information */
		uint32_t device;	/* PCI device (Xen) */
		uint16_t pirq;		/* physical irq (Xen) */
		struct {
			uint32_t low_iomem;
			uint32_t high_iomem;
		} iomem;	/* io memory range (Xen) */
		struct {
			uint32_t low_ioport;
			uint32_t high_ioport;
		} ioport;	/* io port range (Xen) */
	} u;
	union {
		uint32_t sclass;	/* security class for genfs */
		uint32_t behavior;	/* labeling behavior for fs_use */
	} v;
	context_struct_t context[2];	/* security context(s); which kinds use the second slot is decided by the readers */
	sepol_security_id_t sid[2];	/* SID(s), parallel to context[] */
	struct ocontext *next;
} ocontext_t;

/*
 * genfscon entries for one filesystem type: a list of path-keyed
 * ocontexts (u.name is the path, v.sclass the optional class).
 */
typedef struct genfs {
	char *fstype;		/* filesystem type name */
	struct ocontext *head;	/* per-path contexts for this fstype */
	struct genfs *next;
} genfs_t;

/*
 * symbol table array indices
 *
 * Index into the per-kind arrays (scope_index_t.scope, avrule_decl_t.symtab
 * below).  SYM_NUM is the array length, so any kind index taken from a
 * policy file must be < SYM_NUM before it is used.
 */
#define SYM_COMMONS 0
#define SYM_CLASSES 1
#define SYM_ROLES 2
#define SYM_TYPES 3
#define SYM_USERS 4
#define SYM_BOOLS 5
#define SYM_LEVELS 6
#define SYM_CATS 7
#define SYM_NUM 8

/*
 * object context array indices
 *
 * Each index selects a list of ocontext_t entries and thereby fixes which
 * member of ocontext_t.u/.v is meaningful for that list.  The Linux and Xen
 * index sets below overlap numerically, so an index is only meaningful
 * together with the platform it belongs to.
 */
#define OCON_ISID 0		/* initial SIDs */
#define OCON_FS 1		/* unlabeled file systems */
#define OCON_PORT 2		/* TCP and UDP port numbers */
#define OCON_NETIF 3		/* network interfaces */
#define OCON_NODE 4		/* nodes */
#define OCON_FSUSE 5		/* fs_use */
#define OCON_NODE6 6		/* IPv6 nodes */
#define OCON_GENFS 7		/* needed for ocontext_supported; a kind tag only,
				 * genfs entries live in genfs_t lists (presumably) */

/* object context array indices for Xen */
#define OCON_XEN_ISID 0		/* initial SIDs */
#define OCON_XEN_PIRQ 1		/* physical irqs */
#define OCON_XEN_IOPORT 2	/* io ports */
#define OCON_XEN_IOMEM 3	/* io memory */
#define OCON_XEN_PCIDEVICE 4	/* pci devices */

/*
 * OCON_NUM is the number of slots in a platform's ocontext array, i.e. one
 * more than the largest index any platform uses as an array subscript
 * (OCON_NODE6 == 6 here).  OCON_GENFS == OCON_NUM is not a slot.
 * NOTE(review): an ocontext kind read from a policy file must be checked
 * against OCON_NUM before indexing; confirm the array declaration in the
 * policydb struct uses OCON_NUM as its length.
 */
#define OCON_NUM 7

/* section: module information */

/* scope_index_t holds all of the symbols that are in scope in a
 * particular situation. The bitmaps are indices (and thus must
 * subtract one) into the global policydb->scope array: bit (value - 1)
 * of scope[SYM_x] stands for the symbol with that value. */
typedef struct scope_index {
	ebitmap_t scope[SYM_NUM];
#define p_classes_scope scope[SYM_CLASSES]
#define p_roles_scope scope[SYM_ROLES]
#define p_types_scope scope[SYM_TYPES]
#define p_users_scope scope[SYM_USERS]
#define p_bools_scope scope[SYM_BOOLS]
#define p_sens_scope scope[SYM_LEVELS]
#define p_cat_scope scope[SYM_CATS]

	/* this array maps from class->value to the permissions within
	 * scope. if bit (perm->value - 1) is set in map
	 * class_perms_map[class->value - 1] then that permission is
	 * enabled for this class within this decl. */
	ebitmap_t *class_perms_map;
	/* total number of classes in class_perms_map array; any class
	 * value above class_perms_len has no entry in the map */
	uint32_t class_perms_len;
} scope_index_t;

/* a list of declarations for a particular avrule_decl */

/* These two structs declare a block of policy that has TE and RBAC
 * statements and declarations. The root block (the global policy)
 * can never have an ELSE branch. */
typedef struct avrule_decl {
	uint32_t decl_id;
	uint32_t enabled; /* whether this block is enabled */

	cond_list_t *cond_list;
	avrule_t *avrules;
	role_trans_rule_t *role_tr_rules;
	role_allow_rule_t *role_allow_rules;
	range_trans_rule_t *range_tr_rules;
	scope_index_t required; /* symbols needed to activate this block */
	scope_index_t declared; /* symbols declared within this block */

	/* type transition rules with a 'name' component */
	filename_trans_rule_t *filename_trans_rules;

	/* for additive statements (type attribute, roles, and users) */
	symtab_t symtab[SYM_NUM];

	/* In a linked module this will contain the name of the module
	 * from which this avrule_decl originated. */
	char *module_name;

	struct avrule_decl *next;
} avrule_decl_t;

typedef struct avrule_block {
	avrule_decl_t *branch_list;
	avrule_decl_t *enabled; /* pointer to which branch is enabled. this is
				   used in linking and never written to disk */
#define AVRULE_OPTIONAL 1
	uint32_t flags; /* any flags for this block, currently just optional */
	struct avrule_block *next;
} avrule_block_t;

/* Every identifier has its own scope datum. The datum describes if
 * the item is to be included into the final policy during
 * expansion. */
typedef struct scope_datum {
/* Required for this decl */
#define SCOPE_REQ 1
/* Declared in this decl */
#define SCOPE_DECL 2
	uint32_t scope; /* SCOPE_REQ or SCOPE_DECL */
	uint32_t *decl_ids;
	uint32_t decl_ids_len; /* number of entries in decl_ids */
	/* decl_ids is a list of avrule_decl's that declare/require
	 * this symbol. If scope==SCOPE_DECL then this is a list of
	 * declarations. If the symbol may only be declared once
	 * (types, bools) then decl_ids_len will be exactly 1. For
	 * implicitly declared things (roles, users) then decl_ids_len
	 * will be at least 1. */
} scope_datum_t;

/* The policy database: the in-memory form of a kernel policy
 * (POLICY_KERN) or of a base/module policy (POLICY_BASE/POLICY_MOD).
 * Most per-symbol tables are indexed by (value - 1); the exceptions
 * are called out on the fields below. */
typedef struct policydb {
#define POLICY_KERN SEPOL_POLICY_KERN
#define POLICY_BASE SEPOL_POLICY_BASE
#define POLICY_MOD SEPOL_POLICY_MOD
	uint32_t policy_type; /* one of POLICY_KERN / POLICY_BASE / POLICY_MOD */
	char *name;
	char *version;
	int target_platform; /* SEPOL_TARGET_SELINUX or SEPOL_TARGET_XEN */

	/* Set when the policydb is modified such that writing is unsupported */
	int unsupported_format;

	/* Whether this policydb is mls, should always be set */
	int mls;

	/* symbol tables */
	symtab_t symtab[SYM_NUM];
#define p_commons symtab[SYM_COMMONS]
#define p_classes symtab[SYM_CLASSES]
#define p_roles symtab[SYM_ROLES]
#define p_types symtab[SYM_TYPES]
#define p_users symtab[SYM_USERS]
#define p_bools symtab[SYM_BOOLS]
#define p_levels symtab[SYM_LEVELS]
#define p_cats symtab[SYM_CATS]

	/* symbol names indexed by (value - 1) */
	char **sym_val_to_name[SYM_NUM];
#define p_common_val_to_name sym_val_to_name[SYM_COMMONS]
#define p_class_val_to_name sym_val_to_name[SYM_CLASSES]
#define p_role_val_to_name sym_val_to_name[SYM_ROLES]
#define p_type_val_to_name sym_val_to_name[SYM_TYPES]
#define p_user_val_to_name sym_val_to_name[SYM_USERS]
#define p_bool_val_to_name sym_val_to_name[SYM_BOOLS]
#define p_sens_val_to_name sym_val_to_name[SYM_LEVELS]
#define p_cat_val_to_name sym_val_to_name[SYM_CATS]

	/* class, role, and user attributes indexed by (value - 1) */
	class_datum_t **class_val_to_struct;
	role_datum_t **role_val_to_struct;
	user_datum_t **user_val_to_struct;
	type_datum_t **type_val_to_struct;

	/* module stuff section -- used in parsing and for modules */

	/* keep track of the scope for every identifier. these are
	 * hash tables, where the key is the identifier name and value
	 * a scope_datum_t. as a convenience, one may use the
	 * p_*_macros (cf. struct scope_index_t declaration). */
	symtab_t scope[SYM_NUM];

	/* module rule storage */
	avrule_block_t *global;
	/* avrule_decl index used for link/expand */
	avrule_decl_t **decl_val_to_struct;

	/* compiled storage of rules - use for the kernel policy */

	/* type enforcement access vectors and transitions */
	avtab_t te_avtab;

	/* bools indexed by (value - 1) */
	cond_bool_datum_t **bool_val_to_struct;
	/* type enforcement conditional access vectors and transitions */
	avtab_t te_cond_avtab;
	/* linked list indexing te_cond_avtab by conditional */
	cond_list_t *cond_list;

	/* role transitions */
	role_trans_t *role_tr;

	/* type transition rules with a 'name' component */
	filename_trans_t *filename_trans;

	/* role allows */
	role_allow_t *role_allow;

	/* security contexts of initial SIDs, unlabeled file systems,
	   TCP or UDP port numbers, network interfaces and nodes.
	   Indexed by the OCON_* (or OCON_XEN_*) constants; OCON_GENFS
	   equals OCON_NUM and is not a valid index here. */
	ocontext_t *ocontexts[OCON_NUM];

	/* security contexts for files in filesystems that cannot support
	   a persistent label mapping or use another
	   fixed labeling behavior. */
	genfs_t *genfs;

	/* range transitions */
	range_trans_t *range_tr;

	ebitmap_t *type_attr_map;

	ebitmap_t *attr_type_map; /* not saved in the binary policy */

	ebitmap_t policycaps;

	/* this bitmap is referenced by type NOT the typical type-1 used in other
	   bitmaps. Someday the 0 bit may be used for global permissive */
	ebitmap_t permissive_map;

	/* policy format version; compared against POLICYDB_VERSION_* for
	 * POLICY_KERN and against MOD_POLICYDB_VERSION_* otherwise */
	unsigned policyvers;

	/* NOTE(review): presumably holds the DENY/REJECT/ALLOW_UNKNOWN
	 * config bits (cf. POLICYDB_CONFIG_UNKNOWN_MASK) -- confirm */
	unsigned handle_unknown;
} policydb_t;

struct sepol_policydb {
	struct policydb p;
};

extern int policydb_init(policydb_t * p);

/* Load a policy from the in-memory image (data, len) into policydb.
 * len is the only bound the reader has on the image. */
extern int policydb_from_image(sepol_handle_t * handle,
			       void *data, size_t len, policydb_t * policydb);

/* Serialize policydb into a newly allocated image returned through
 * (*newdata, *newlen). */
extern int policydb_to_image(sepol_handle_t * handle,
			     policydb_t * policydb, void **newdata,
			     size_t * newlen);

extern int policydb_index_classes(policydb_t * p);

extern int policydb_index_bools(policydb_t * p);

extern int policydb_index_others(sepol_handle_t * handle, policydb_t * p,
				 unsigned int verbose);

extern int policydb_reindex_users(policydb_t * p);

extern void policydb_destroy(policydb_t * p);

extern int policydb_load_isids(policydb_t * p, sidtab_t * s);

/* Deprecated */
extern int policydb_context_isvalid(const policydb_t * p,
				    const context_struct_t * c);

extern void symtabs_destroy(symtab_t * symtab);
/* hashtab_map-style callback that releases one scope_datum_t */
extern int scope_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p);
typedef void (*hashtab_destroy_func_t) (hashtab_key_t k, hashtab_datum_t d,
					void *args);
/* destroy callback for the datum type stored in symtab[sym_num] */
extern hashtab_destroy_func_t get_symtab_destroy_func(int sym_num);

/* init/destroy pairs for rule and set structures.  Whether *_destroy
 * also frees the object itself is not stated in this header -- check
 * the definition before freeing the pointer you passed. */
extern void class_perm_node_init(class_perm_node_t * x);
extern void type_set_init(type_set_t * x);
extern void type_set_destroy(type_set_t * x);
extern int type_set_cpy(type_set_t * dst, type_set_t * src);
extern int type_set_or_eq(type_set_t * dst, type_set_t * other);
extern void role_set_init(role_set_t * x);
extern void role_set_destroy(role_set_t * x);
extern void avrule_init(avrule_t * x);
extern void avrule_destroy(avrule_t * x);
extern void avrule_list_destroy(avrule_t * x);
extern void role_trans_rule_init(role_trans_rule_t * x);
extern void role_trans_rule_list_destroy(role_trans_rule_t * x);
extern void filename_trans_rule_init(filename_trans_rule_t * x);
extern void filename_trans_rule_list_destroy(filename_trans_rule_t * x);

/* init/destroy pairs for datum and rule structures; the *_list_destroy
 * variants presumably walk the whole linked list (confirm in policydb.c). */
extern void role_datum_init(role_datum_t * x);
extern void role_datum_destroy(role_datum_t * x);
extern void role_allow_rule_init(role_allow_rule_t * x);
extern void role_allow_rule_destroy(role_allow_rule_t * x);
extern void role_allow_rule_list_destroy(role_allow_rule_t * x);
extern void range_trans_rule_init(range_trans_rule_t *x);
extern void range_trans_rule_destroy(range_trans_rule_t *x);
extern void range_trans_rule_list_destroy(range_trans_rule_t *x);
extern void type_datum_init(type_datum_t * x);
extern void type_datum_destroy(type_datum_t * x);
extern void user_datum_init(user_datum_t * x);
extern void user_datum_destroy(user_datum_t * x);
extern void level_datum_init(level_datum_t * x);
extern void level_datum_destroy(level_datum_t * x);
extern void cat_datum_init(cat_datum_t * x);
extern void cat_datum_destroy(cat_datum_t * x);

/* NOTE(review): presumably evaluates the assertion rules in avrules
 * against p and returns non-zero when one fails -- confirm in the
 * definition before relying on the return convention. */
extern int check_assertions(sepol_handle_t * handle,
			    policydb_t * p, avrule_t * avrules);

/* Insert (key, datum) into symbol table sym of policy x and record its
 * scope (presumably SCOPE_REQ or SCOPE_DECL) for avrule_decl_id; the
 * assigned symbol value is returned through *value. */
extern int symtab_insert(policydb_t * x, uint32_t sym,
			 hashtab_key_t key, hashtab_datum_t datum,
			 uint32_t scope, uint32_t avrule_decl_id,
			 uint32_t * value);

/* A policy "file" may be a memory region referenced by a (data, len) pair
   or a file referenced by a FILE pointer.  type selects which of the
   fields below is in use. */
typedef struct policy_file {
#define PF_USE_MEMORY 0
#define PF_USE_STDIO 1
#define PF_LEN 2 /* total up length in len field */
	unsigned type;
	char *data;
	size_t len;
	size_t size; /* NOTE(review): not described here; looks like the
		      * capacity of the memory region -- confirm */
	FILE *fp;
	struct sepol_handle *handle;
} policy_file_t;

struct sepol_policy_file {
	struct policy_file pf;
};

extern void policy_file_init(policy_file_t * x);

/* Read a policy from fp into p.  fp may describe an in-memory image,
 * in which case pf.len bounds what the reader may consume. */
extern int policydb_read(policydb_t * p, struct policy_file *fp,
			 unsigned int verbose);
extern int avrule_read_list(policydb_t * p, avrule_t ** avrules,
			    struct policy_file *fp);

extern int policydb_write(struct policydb *p, struct policy_file *pf);
extern int policydb_set_target_platform(policydb_t *p, int platform);

#define PERM_SYMTAB_SIZE 32

/* Identify specific policy version changes (kernel policy format).
 * Each constant is the first version carrying the named feature;
 * note that VALIDATETRANS and MLS share version 19. */
#define POLICYDB_VERSION_BASE 15
#define POLICYDB_VERSION_BOOL 16
#define POLICYDB_VERSION_IPV6 17
#define POLICYDB_VERSION_NLCLASS 18
#define POLICYDB_VERSION_VALIDATETRANS 19
#define POLICYDB_VERSION_MLS 19
#define POLICYDB_VERSION_AVTAB 20
#define POLICYDB_VERSION_RANGETRANS 21
#define POLICYDB_VERSION_POLCAP 22
#define POLICYDB_VERSION_PERMISSIVE 23
#define POLICYDB_VERSION_BOUNDARY 24
#define POLICYDB_VERSION_FILENAME_TRANS 25
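#define POLICYDB_VERSION_ROLETRANS 26
#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27
#define POLICYDB_VERSION_DEFAULT_TYPE 28
#define POLICYDB_VERSION_CONSTRAINT_NAMES 29

/* Range of kernel policy versions we understand; a version outside
 * [MIN, MAX] is presumably rejected by the reader (confirm there). */
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
#define POLICYDB_VERSION_MAX POLICYDB_VERSION_CONSTRAINT_NAMES

/* Module versions and specific changes (base/module policy format).
 * VALIDATETRANS/MLS share version 5 and RANGETRANS/MLS_USERS share 6. */
#define MOD_POLICYDB_VERSION_BASE 4
#define MOD_POLICYDB_VERSION_VALIDATETRANS 5
#define MOD_POLICYDB_VERSION_MLS 5
#define MOD_POLICYDB_VERSION_RANGETRANS 6
#define MOD_POLICYDB_VERSION_MLS_USERS 6
#define MOD_POLICYDB_VERSION_POLCAP 7
#define MOD_POLICYDB_VERSION_PERMISSIVE 8
#define MOD_POLICYDB_VERSION_BOUNDARY 9
#define MOD_POLICYDB_VERSION_BOUNDARY_ALIAS 10
#define MOD_POLICYDB_VERSION_FILENAME_TRANS 11
#define MOD_POLICYDB_VERSION_ROLETRANS 12
#define MOD_POLICYDB_VERSION_ROLEATTRIB 13
#define MOD_POLICYDB_VERSION_TUNABLE_SEP 14
#define MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 15
#define MOD_POLICYDB_VERSION_DEFAULT_TYPE 16
#define MOD_POLICYDB_VERSION_CONSTRAINT_NAMES 17

/* Range of module policy versions we understand */
#define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_CONSTRAINT_NAMES

/* config flag: the policy is MLS */
#define POLICYDB_CONFIG_MLS 1

/* macros to check policy feature */

/* TODO: add other features here */

/* Non-zero when policy p carries the boundary feature: a kernel policy
 * needs POLICYDB_VERSION_BOUNDARY, any other policy_type needs
 * MOD_POLICYDB_VERSION_BOUNDARY.  Every use of p is parenthesized so an
 * argument such as &pdb expands correctly; p is evaluated more than once,
 * so pass an expression without side effects. */
#define policydb_has_boundary_feature(p) \
	(((p)->policy_type == POLICY_KERN \
	  && (p)->policyvers >= POLICYDB_VERSION_BOUNDARY) || \
	 ((p)->policy_type != POLICY_KERN \
	  && (p)->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY))

/* the config flags related to unknown classes/perms are bits 2 and 3 */
#define DENY_UNKNOWN SEPOL_DENY_UNKNOWN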
#define REJECT_UNKNOWN SEPOL_REJECT_UNKNOWN
#define ALLOW_UNKNOWN SEPOL_ALLOW_UNKNOWN

/* mask covering the DENY/REJECT/ALLOW_UNKNOWN config bits */
#define POLICYDB_CONFIG_UNKNOWN_MASK (DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)

/* the built-in object role and its fixed value */
#define OBJECT_R "object_r"
#define OBJECT_R_VAL 1

/* on-disk header identification for kernel and module policies */
#define POLICYDB_MAGIC SELINUX_MAGIC
#define POLICYDB_STRING "SE Linux"
#define POLICYDB_XEN_STRING "XenFlask"
/* NOTE(review): presumably the upper bound on the identification string
 * length read from a policy header -- confirm it is enforced before the
 * string is read */
#define POLICYDB_STRING_MAX_LENGTH 32
#define POLICYDB_MOD_MAGIC SELINUX_MOD_MAGIC
#define POLICYDB_MOD_STRING "SE Linux Module"
/* values for policydb.target_platform */
#define SEPOL_TARGET_SELINUX 0
#define SEPOL_TARGET_XEN 1


#endif /* _POLICYDB_H_ */

/* FLASK */