1/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */ 2 3/* 4 * Updated: Joshua Brindle <jbrindle@tresys.com> 5 * Karl MacMillan <kmacmillan@tresys.com> 6 * Jason Tang <jtang@tresys.com> 7 * 8 * Module support 9 * 10 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 11 * 12 * Support for enhanced MLS infrastructure. 13 * 14 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 15 * 16 * Added conditional policy language extensions 17 * 18 * Updated: Red Hat, Inc. James Morris <jmorris@redhat.com> 19 * 20 * Fine-grained netlink support 21 * IPv6 support 22 * Code cleanup 23 * 24 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 25 * Copyright (C) 2003 - 2004 Tresys Technology, LLC 26 * Copyright (C) 2003 - 2004 Red Hat, Inc. 27 * 28 * This library is free software; you can redistribute it and/or 29 * modify it under the terms of the GNU Lesser General Public 30 * License as published by the Free Software Foundation; either 31 * version 2.1 of the License, or (at your option) any later version. 32 * 33 * This library is distributed in the hope that it will be useful, 34 * but WITHOUT ANY WARRANTY; without even the implied warranty of 35 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 36 * Lesser General Public License for more details. 37 * 38 * You should have received a copy of the GNU Lesser General Public 39 * License along with this library; if not, write to the Free Software 40 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 41 */ 42 43/* FLASK */ 44 45/* 46 * A policy database (policydb) specifies the 47 * configuration data for the security policy. 48 */ 49 50#ifndef _SEPOL_POLICYDB_POLICYDB_H_ 51#define _SEPOL_POLICYDB_POLICYDB_H_ 52 53#include <stdio.h> 54#include <stddef.h> 55 56#include <sepol/policydb.h> 57 58#include <sepol/policydb/flask_types.h> 59#include <sepol/policydb/symtab.h> 60#include <sepol/policydb/avtab.h> 61#include <sepol/policydb/context.h> 62#include <sepol/policydb/constraint.h> 63#include <sepol/policydb/sidtab.h> 64#include <sys/cdefs.h> 65 66#define ERRMSG_LEN 1024 67 68#define POLICYDB_SUCCESS 0 69#define POLICYDB_ERROR -1 70#define POLICYDB_UNSUPPORTED -2 71 72__BEGIN_DECLS 73 74/* 75 * A datum type is defined for each kind of symbol 76 * in the configuration data: individual permissions, 77 * common prefixes for access vectors, classes, 78 * users, roles, types, sensitivities, categories, etc. 79 */ 80 81/* type set preserves data needed by modules such as *, ~ and attributes */ 82typedef struct type_set { 83 ebitmap_t types; 84 ebitmap_t negset; 85#define TYPE_STAR 1 86#define TYPE_COMP 2 87 uint32_t flags; 88} type_set_t; 89 90typedef struct role_set { 91 ebitmap_t roles; 92#define ROLE_STAR 1 93#define ROLE_COMP 2 94 uint32_t flags; 95} role_set_t; 96 97/* Permission attributes */ 98typedef struct perm_datum { 99 symtab_datum_t s; 100} perm_datum_t; 101 102/* Attributes of a common prefix for access vectors */ 103typedef struct common_datum { 104 symtab_datum_t s; 105 symtab_t permissions; /* common permissions */ 106} common_datum_t; 107 108/* Class attributes */ 109typedef struct class_datum { 110 symtab_datum_t s; 111 char *comkey; /* common name */ 112 common_datum_t *comdatum; /* common datum */ 113 symtab_t permissions; /* class-specific permission symbol table */ 114 constraint_node_t *constraints; /* constraints on class permissions */ 115 constraint_node_t *validatetrans; /* special transition rules */ 116/* Options how a new object user and role should be decided */ 117#define DEFAULT_SOURCE 1 118#define DEFAULT_TARGET 2 119 char default_user; 120 char default_role; 121 char default_type; 122/* Options how a new object range should be decided */ 123#define DEFAULT_SOURCE_LOW 1 124#define DEFAULT_SOURCE_HIGH 2 125#define DEFAULT_SOURCE_LOW_HIGH 3 126#define DEFAULT_TARGET_LOW 4 127#define DEFAULT_TARGET_HIGH 5 128#define DEFAULT_TARGET_LOW_HIGH 6 129 char default_range; 130} class_datum_t; 131 132/* Role attributes */ 133typedef struct role_datum { 134 symtab_datum_t s; 135 ebitmap_t dominates; /* set of roles dominated by this role */ 136 type_set_t types; /* set of authorized types for role */ 137 ebitmap_t cache; /* This is an expanded set used for context validation during parsing */ 138 uint32_t bounds; /* bounds role, if exist */ 139#define ROLE_ROLE 0 /* regular role in kernel policies */ 140#define ROLE_ATTRIB 1 /* attribute */ 141 uint32_t flavor; 142 ebitmap_t roles; /* roles with this attribute */ 143} role_datum_t; 144 145typedef struct role_trans { 146 uint32_t role; /* current role */ 147 uint32_t type; /* program executable type, or new object type */ 148 uint32_t tclass; /* process class, or new object class */ 149 uint32_t new_role; /* new role */ 150 struct role_trans *next; 151} role_trans_t; 152 153typedef struct role_allow { 154 uint32_t role; /* current role */ 155 uint32_t new_role; /* new role */ 156 struct role_allow *next; 157} role_allow_t; 158 159/* filename_trans rules */ 160typedef struct filename_trans { 161 uint32_t stype; 162 uint32_t ttype; 163 uint32_t tclass; 164 char *name; 165 uint32_t otype; 166 struct filename_trans *next; 167} filename_trans_t; 168 169/* Type attributes */ 170typedef struct type_datum { 171 symtab_datum_t s; 172 uint32_t primary; /* primary name? can be set to primary value if below is TYPE_ */ 173#define TYPE_TYPE 0 /* regular type or alias in kernel policies */ 174#define TYPE_ATTRIB 1 /* attribute */ 175#define TYPE_ALIAS 2 /* alias in modular policy */ 176 uint32_t flavor; 177 ebitmap_t types; /* types with this attribute */ 178#define TYPE_FLAGS_PERMISSIVE 0x01 179 uint32_t flags; 180 uint32_t bounds; /* bounds type, if exist */ 181} type_datum_t; 182 183/* 184 * Properties of type_datum 185 * available on the policy version >= (MOD_)POLICYDB_VERSION_BOUNDARY 186 */ 187#define TYPEDATUM_PROPERTY_PRIMARY 0x0001 188#define TYPEDATUM_PROPERTY_ATTRIBUTE 0x0002 189#define TYPEDATUM_PROPERTY_ALIAS 0x0004 /* userspace only */ 190#define TYPEDATUM_PROPERTY_PERMISSIVE 0x0008 /* userspace only */ 191 192/* User attributes */ 193typedef struct user_datum { 194 symtab_datum_t s; 195 role_set_t roles; /* set of authorized roles for user */ 196 mls_semantic_range_t range; /* MLS range (min. - max.) for user */ 197 mls_semantic_level_t dfltlevel; /* default login MLS level for user */ 198 ebitmap_t cache; /* This is an expanded set used for context validation during parsing */ 199 mls_range_t exp_range; /* expanded range used for validation */ 200 mls_level_t exp_dfltlevel; /* expanded range used for validation */ 201 uint32_t bounds; /* bounds user, if exist */ 202} user_datum_t; 203 204/* Sensitivity attributes */ 205typedef struct level_datum { 206 mls_level_t *level; /* sensitivity and associated categories */ 207 unsigned char isalias; /* is this sensitivity an alias for another? */ 208 unsigned char defined; 209} level_datum_t; 210 211/* Category attributes */ 212typedef struct cat_datum { 213 symtab_datum_t s; 214 unsigned char isalias; /* is this category an alias for another? */ 215} cat_datum_t; 216 217typedef struct range_trans { 218 uint32_t source_type; 219 uint32_t target_type; 220 uint32_t target_class; 221 mls_range_t target_range; 222 struct range_trans *next; 223} range_trans_t; 224 225/* Boolean data type */ 226typedef struct cond_bool_datum { 227 symtab_datum_t s; 228 int state; 229#define COND_BOOL_FLAGS_TUNABLE 0x01 /* is this a tunable? */ 230 uint32_t flags; 231} cond_bool_datum_t; 232 233struct cond_node; 234 235typedef struct cond_node cond_list_t; 236struct cond_av_list; 237 238typedef struct class_perm_node { 239 uint32_t tclass; 240 uint32_t data; /* permissions or new type */ 241 struct class_perm_node *next; 242} class_perm_node_t; 243 244typedef struct av_operations { 245 uint8_t type; 246 /* 256 bits of ioctl number permissions */ 247 uint32_t perms[8]; 248} av_operations_t; 249 250typedef struct avrule { 251/* these typedefs are almost exactly the same as those in avtab.h - they are 252 * here because of the need to include neverallow and dontaudit messages */ 253#define AVRULE_ALLOWED 0x0001 254#define AVRULE_AUDITALLOW 0x0002 255#define AVRULE_AUDITDENY 0x0004 256#define AVRULE_DONTAUDIT 0x0008 257#define AVRULE_NEVERALLOW 0x0080 258#define AVRULE_AV (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_AUDITDENY | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW) 259#define AVRULE_TRANSITION 0x0010 260#define AVRULE_MEMBER 0x0020 261#define AVRULE_CHANGE 0x0040 262#define AVRULE_TYPE (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE) 263#define AVRULE_OPNUM_ALLOWED 0x0100 264#define AVRULE_OPNUM_AUDITALLOW 0x0200 265#define AVRULE_OPNUM_DONTAUDIT 0x0400 266#define AVRULE_OPNUM (AVRULE_OPNUM_ALLOWED | AVRULE_OPNUM_AUDITALLOW | \ 267 AVRULE_OPNUM_DONTAUDIT) 268#define AVRULE_OPTYPE_ALLOWED 0x1000 269#define AVRULE_OPTYPE_AUDITALLOW 0x2000 270#define AVRULE_OPTYPE_DONTAUDIT 0x4000 271#define AVRULE_OPTYPE (AVRULE_OPTYPE_ALLOWED | AVRULE_OPTYPE_AUDITALLOW | \ 272 AVRULE_OPTYPE_DONTAUDIT) 273#define AVRULE_OP (AVRULE_OPNUM | AVRULE_OPTYPE) 274 uint32_t specified; 275#define RULE_SELF 1 276 uint32_t flags; 277 type_set_t stypes; 278 type_set_t ttypes; 279 class_perm_node_t *perms; 280 av_operations_t * ops; 281 unsigned long line; /* line number from policy.conf where 282 * this rule originated */ 283 /* source file name and line number (e.g. .te file) */ 284 char *source_filename; 285 unsigned long source_line; 286 struct avrule *next; 287} avrule_t; 288 289typedef struct role_trans_rule { 290 role_set_t roles; /* current role */ 291 type_set_t types; /* program executable type, or new object type */ 292 ebitmap_t classes; /* process class, or new object class */ 293 uint32_t new_role; /* new role */ 294 struct role_trans_rule *next; 295} role_trans_rule_t; 296 297typedef struct role_allow_rule { 298 role_set_t roles; /* current role */ 299 role_set_t new_roles; /* new roles */ 300 struct role_allow_rule *next; 301} role_allow_rule_t; 302 303typedef struct filename_trans_rule { 304 type_set_t stypes; 305 type_set_t ttypes; 306 uint32_t tclass; 307 char *name; 308 uint32_t otype; /* new type */ 309 struct filename_trans_rule *next; 310} filename_trans_rule_t; 311 312typedef struct range_trans_rule { 313 type_set_t stypes; 314 type_set_t ttypes; 315 ebitmap_t tclasses; 316 mls_semantic_range_t trange; 317 struct range_trans_rule *next; 318} range_trans_rule_t; 319 320/* 321 * The configuration data includes security contexts for 322 * initial SIDs, unlabeled file systems, TCP and UDP port numbers, 323 * network interfaces, and nodes. This structure stores the 324 * relevant data for one such entry. Entries of the same kind 325 * (e.g. all initial SIDs) are linked together into a list. 326 */ 327typedef struct ocontext { 328 union { 329 char *name; /* name of initial SID, fs, netif, fstype, path */ 330 struct { 331 uint8_t protocol; 332 uint16_t low_port; 333 uint16_t high_port; 334 } port; /* TCP or UDP port information */ 335 struct { 336 uint32_t addr; /* network order */ 337 uint32_t mask; /* network order */ 338 } node; /* node information */ 339 struct { 340 uint32_t addr[4]; /* network order */ 341 uint32_t mask[4]; /* network order */ 342 } node6; /* IPv6 node information */ 343 uint32_t device; 344 uint16_t pirq; 345 struct { 346 uint64_t low_iomem; 347 uint64_t high_iomem; 348 } iomem; 349 struct { 350 uint32_t low_ioport; 351 uint32_t high_ioport; 352 } ioport; 353 } u; 354 union { 355 uint32_t sclass; /* security class for genfs */ 356 uint32_t behavior; /* labeling behavior for fs_use */ 357 } v; 358 context_struct_t context[2]; /* security context(s) */ 359 sepol_security_id_t sid[2]; /* SID(s) */ 360 struct ocontext *next; 361} ocontext_t; 362 363typedef struct genfs { 364 char *fstype; 365 struct ocontext *head; 366 struct genfs *next; 367} genfs_t; 368 369/* symbol table array indices */ 370#define SYM_COMMONS 0 371#define SYM_CLASSES 1 372#define SYM_ROLES 2 373#define SYM_TYPES 3 374#define SYM_USERS 4 375#define SYM_BOOLS 5 376#define SYM_LEVELS 6 377#define SYM_CATS 7 378#define SYM_NUM 8 379 380/* object context array indices */ 381#define OCON_ISID 0 /* initial SIDs */ 382#define OCON_FS 1 /* unlabeled file systems */ 383#define OCON_PORT 2 /* TCP and UDP port numbers */ 384#define OCON_NETIF 3 /* network interfaces */ 385#define OCON_NODE 4 /* nodes */ 386#define OCON_FSUSE 5 /* fs_use */ 387#define OCON_NODE6 6 /* IPv6 nodes */ 388#define OCON_GENFS 7 /* needed for ocontext_supported */ 389 390/* object context array indices for Xen */ 391#define OCON_XEN_ISID 0 /* initial SIDs */ 392#define OCON_XEN_PIRQ 1 /* physical irqs */ 393#define OCON_XEN_IOPORT 2 /* io ports */ 394#define OCON_XEN_IOMEM 3 /* io memory */ 395#define OCON_XEN_PCIDEVICE 4 /* pci devices */ 396#define OCON_XEN_DEVICETREE 5 /* device tree node */ 397 398/* OCON_NUM needs to be the largest index in any platform's ocontext array */ 399#define OCON_NUM 7 400 401/* section: module information */ 402 403/* scope_index_t holds all of the symbols that are in scope in a 404 * particular situation. The bitmaps are indices (and thus must 405 * subtract one) into the global policydb->scope array. */ 406typedef struct scope_index { 407 ebitmap_t scope[SYM_NUM]; 408#define p_classes_scope scope[SYM_CLASSES] 409#define p_roles_scope scope[SYM_ROLES] 410#define p_types_scope scope[SYM_TYPES] 411#define p_users_scope scope[SYM_USERS] 412#define p_bools_scope scope[SYM_BOOLS] 413#define p_sens_scope scope[SYM_LEVELS] 414#define p_cat_scope scope[SYM_CATS] 415 416 /* this array maps from class->value to the permissions within 417 * scope. if bit (perm->value - 1) is set in map 418 * class_perms_map[class->value - 1] then that permission is 419 * enabled for this class within this decl. */ 420 ebitmap_t *class_perms_map; 421 /* total number of classes in class_perms_map array */ 422 uint32_t class_perms_len; 423} scope_index_t; 424 425/* a list of declarations for a particular avrule_decl */ 426 427/* These two structs declare a block of policy that has TE and RBAC 428 * statements and declarations. The root block (the global policy) 429 * can never have an ELSE branch. */ 430typedef struct avrule_decl { 431 uint32_t decl_id; 432 uint32_t enabled; /* whether this block is enabled */ 433 434 cond_list_t *cond_list; 435 avrule_t *avrules; 436 role_trans_rule_t *role_tr_rules; 437 role_allow_rule_t *role_allow_rules; 438 range_trans_rule_t *range_tr_rules; 439 scope_index_t required; /* symbols needed to activate this block */ 440 scope_index_t declared; /* symbols declared within this block */ 441 442 /* type transition rules with a 'name' component */ 443 filename_trans_rule_t *filename_trans_rules; 444 445 /* for additive statements (type attribute, roles, and users) */ 446 symtab_t symtab[SYM_NUM]; 447 448 /* In a linked module this will contain the name of the module 449 * from which this avrule_decl originated. */ 450 char *module_name; 451 452 struct avrule_decl *next; 453} avrule_decl_t; 454 455typedef struct avrule_block { 456 avrule_decl_t *branch_list; 457 avrule_decl_t *enabled; /* pointer to which branch is enabled. this is 458 used in linking and never written to disk */ 459#define AVRULE_OPTIONAL 1 460 uint32_t flags; /* any flags for this block, currently just optional */ 461 struct avrule_block *next; 462} avrule_block_t; 463 464/* Every identifier has its own scope datum. The datum describes if 465 * the item is to be included into the final policy during 466 * expansion. */ 467typedef struct scope_datum { 468/* Required for this decl */ 469#define SCOPE_REQ 1 470/* Declared in this decl */ 471#define SCOPE_DECL 2 472 uint32_t scope; 473 uint32_t *decl_ids; 474 uint32_t decl_ids_len; 475 /* decl_ids is a list of avrule_decl's that declare/require 476 * this symbol. If scope==SCOPE_DECL then this is a list of 477 * declarations. If the symbol may only be declared once 478 * (types, bools) then decl_ids_len will be exactly 1. For 479 * implicitly declared things (roles, users) then decl_ids_len 480 * will be at least 1. */ 481} scope_datum_t; 482 483/* The policy database */ 484typedef struct policydb { 485#define POLICY_KERN SEPOL_POLICY_KERN 486#define POLICY_BASE SEPOL_POLICY_BASE 487#define POLICY_MOD SEPOL_POLICY_MOD 488 uint32_t policy_type; 489 char *name; 490 char *version; 491 int target_platform; 492 493 /* Set when the policydb is modified such that writing is unsupported */ 494 int unsupported_format; 495 496 /* Whether this policydb is mls, should always be set */ 497 int mls; 498 499 /* symbol tables */ 500 symtab_t symtab[SYM_NUM]; 501#define p_commons symtab[SYM_COMMONS] 502#define p_classes symtab[SYM_CLASSES] 503#define p_roles symtab[SYM_ROLES] 504#define p_types symtab[SYM_TYPES] 505#define p_users symtab[SYM_USERS] 506#define p_bools symtab[SYM_BOOLS] 507#define p_levels symtab[SYM_LEVELS] 508#define p_cats symtab[SYM_CATS] 509 510 /* symbol names indexed by (value - 1) */ 511 char **sym_val_to_name[SYM_NUM]; 512#define p_common_val_to_name sym_val_to_name[SYM_COMMONS] 513#define p_class_val_to_name sym_val_to_name[SYM_CLASSES] 514#define p_role_val_to_name sym_val_to_name[SYM_ROLES] 515#define p_type_val_to_name sym_val_to_name[SYM_TYPES] 516#define p_user_val_to_name sym_val_to_name[SYM_USERS] 517#define p_bool_val_to_name sym_val_to_name[SYM_BOOLS] 518#define p_sens_val_to_name sym_val_to_name[SYM_LEVELS] 519#define p_cat_val_to_name sym_val_to_name[SYM_CATS] 520 521 /* class, role, and user attributes indexed by (value - 1) */ 522 class_datum_t **class_val_to_struct; 523 role_datum_t **role_val_to_struct; 524 user_datum_t **user_val_to_struct; 525 type_datum_t **type_val_to_struct; 526 527 /* module stuff section -- used in parsing and for modules */ 528 529 /* keep track of the scope for every identifier. these are 530 * hash tables, where the key is the identifier name and value 531 * a scope_datum_t. as a convenience, one may use the 532 * p_*_macros (cf. struct scope_index_t declaration). */ 533 symtab_t scope[SYM_NUM]; 534 535 /* module rule storage */ 536 avrule_block_t *global; 537 /* avrule_decl index used for link/expand */ 538 avrule_decl_t **decl_val_to_struct; 539 540 /* compiled storage of rules - use for the kernel policy */ 541 542 /* type enforcement access vectors and transitions */ 543 avtab_t te_avtab; 544 545 /* bools indexed by (value - 1) */ 546 cond_bool_datum_t **bool_val_to_struct; 547 /* type enforcement conditional access vectors and transitions */ 548 avtab_t te_cond_avtab; 549 /* linked list indexing te_cond_avtab by conditional */ 550 cond_list_t *cond_list; 551 552 /* role transitions */ 553 role_trans_t *role_tr; 554 555 /* type transition rules with a 'name' component */ 556 filename_trans_t *filename_trans; 557 558 /* role allows */ 559 role_allow_t *role_allow; 560 561 /* security contexts of initial SIDs, unlabeled file systems, 562 TCP or UDP port numbers, network interfaces and nodes */ 563 ocontext_t *ocontexts[OCON_NUM]; 564 565 /* security contexts for files in filesystems that cannot support 566 a persistent label mapping or use another 567 fixed labeling behavior. */ 568 genfs_t *genfs; 569 570 /* range transitions */ 571 range_trans_t *range_tr; 572 573 ebitmap_t *type_attr_map; 574 575 ebitmap_t *attr_type_map; /* not saved in the binary policy */ 576 577 ebitmap_t policycaps; 578 579 /* this bitmap is referenced by type NOT the typical type-1 used in other 580 bitmaps. Someday the 0 bit may be used for global permissive */ 581 ebitmap_t permissive_map; 582 583 unsigned policyvers; 584 585 unsigned handle_unknown; 586} policydb_t; 587 588struct sepol_policydb { 589 struct policydb p; 590}; 591 592extern int policydb_init(policydb_t * p); 593 594extern int policydb_from_image(sepol_handle_t * handle, 595 void *data, size_t len, policydb_t * policydb); 596 597extern int policydb_to_image(sepol_handle_t * handle, 598 policydb_t * policydb, void **newdata, 599 size_t * newlen); 600 601extern int policydb_index_classes(policydb_t * p); 602 603extern int policydb_index_bools(policydb_t * p); 604 605extern int policydb_index_others(sepol_handle_t * handle, policydb_t * p, 606 unsigned int verbose); 607 608extern int policydb_reindex_users(policydb_t * p); 609 610extern void policydb_destroy(policydb_t * p); 611 612extern int policydb_load_isids(policydb_t * p, sidtab_t * s); 613 614/* Deprecated */ 615extern int policydb_context_isvalid(const policydb_t * p, 616 const context_struct_t * c); 617 618extern void symtabs_destroy(symtab_t * symtab); 619extern int scope_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p); 620typedef void (*hashtab_destroy_func_t) (hashtab_key_t k, hashtab_datum_t d, 621 void *args); 622extern hashtab_destroy_func_t get_symtab_destroy_func(int sym_num); 623 624extern void class_perm_node_init(class_perm_node_t * x); 625extern void type_set_init(type_set_t * x); 626extern void type_set_destroy(type_set_t * x); 627extern int type_set_cpy(type_set_t * dst, type_set_t * src); 628extern int type_set_or_eq(type_set_t * dst, type_set_t * other); 629extern void role_set_init(role_set_t * x); 630extern void role_set_destroy(role_set_t * x); 631extern void avrule_init(avrule_t * x); 632extern void avrule_destroy(avrule_t * x); 633extern void avrule_list_destroy(avrule_t * x); 634extern void role_trans_rule_init(role_trans_rule_t * x); 635extern void role_trans_rule_list_destroy(role_trans_rule_t * x); 636extern void filename_trans_rule_init(filename_trans_rule_t * x); 637extern void filename_trans_rule_list_destroy(filename_trans_rule_t * x); 638 639extern void role_datum_init(role_datum_t * x); 640extern void role_datum_destroy(role_datum_t * x); 641extern void role_allow_rule_init(role_allow_rule_t * x); 642extern void role_allow_rule_destroy(role_allow_rule_t * x); 643extern void role_allow_rule_list_destroy(role_allow_rule_t * x); 644extern void range_trans_rule_init(range_trans_rule_t *x); 645extern void range_trans_rule_destroy(range_trans_rule_t *x); 646extern void range_trans_rule_list_destroy(range_trans_rule_t *x); 647extern void type_datum_init(type_datum_t * x); 648extern void type_datum_destroy(type_datum_t * x); 649extern void user_datum_init(user_datum_t * x); 650extern void user_datum_destroy(user_datum_t * x); 651extern void level_datum_init(level_datum_t * x); 652extern void level_datum_destroy(level_datum_t * x); 653extern void cat_datum_init(cat_datum_t * x); 654extern void cat_datum_destroy(cat_datum_t * x); 655 656extern int check_assertions(sepol_handle_t * handle, 657 policydb_t * p, avrule_t * avrules); 658 659extern int symtab_insert(policydb_t * x, uint32_t sym, 660 hashtab_key_t key, hashtab_datum_t datum, 661 uint32_t scope, uint32_t avrule_decl_id, 662 uint32_t * value); 663 664/* A policy "file" may be a memory region referenced by a (data, len) pair 665 or a file referenced by a FILE pointer. */ 666typedef struct policy_file { 667#define PF_USE_MEMORY 0 668#define PF_USE_STDIO 1 669#define PF_LEN 2 /* total up length in len field */ 670 unsigned type; 671 char *data; 672 size_t len; 673 size_t size; 674 FILE *fp; 675 struct sepol_handle *handle; 676} policy_file_t; 677 678struct sepol_policy_file { 679 struct policy_file pf; 680}; 681 682extern void policy_file_init(policy_file_t * x); 683 684extern int policydb_read(policydb_t * p, struct policy_file *fp, 685 unsigned int verbose); 686extern int avrule_read_list(policydb_t * p, avrule_t ** avrules, 687 struct policy_file *fp); 688 689extern int policydb_write(struct policydb *p, struct policy_file *pf); 690extern int policydb_set_target_platform(policydb_t *p, int platform); 691 692#define PERM_SYMTAB_SIZE 32 693 694/* Identify specific policy version changes */ 695#define POLICYDB_VERSION_BASE 15 696#define POLICYDB_VERSION_BOOL 16 697#define POLICYDB_VERSION_IPV6 17 698#define POLICYDB_VERSION_NLCLASS 18 699#define POLICYDB_VERSION_VALIDATETRANS 19 700#define POLICYDB_VERSION_MLS 19 701#define POLICYDB_VERSION_AVTAB 20 702#define POLICYDB_VERSION_RANGETRANS 21 703#define POLICYDB_VERSION_POLCAP 22 704#define POLICYDB_VERSION_PERMISSIVE 23 705#define POLICYDB_VERSION_BOUNDARY 24 706#define POLICYDB_VERSION_FILENAME_TRANS 25 707#define POLICYDB_VERSION_ROLETRANS 26 708#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27 709#define POLICYDB_VERSION_DEFAULT_TYPE 28 710#define POLICYDB_VERSION_CONSTRAINT_NAMES 29 711#define POLICYDB_VERSION_XEN_DEVICETREE 30 /* Xen-specific */ 712#define POLICYDB_VERSION_IOCTL_OPERATIONS 30 /* Linux-specific */ 713 714/* Range of policy versions we understand*/ 715#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE 716#define POLICYDB_VERSION_MAX POLICYDB_VERSION_IOCTL_OPERATIONS 717 718/* Module versions and specific changes*/ 719#define MOD_POLICYDB_VERSION_BASE 4 720#define MOD_POLICYDB_VERSION_VALIDATETRANS 5 721#define MOD_POLICYDB_VERSION_MLS 5 722#define MOD_POLICYDB_VERSION_RANGETRANS 6 723#define MOD_POLICYDB_VERSION_MLS_USERS 6 724#define MOD_POLICYDB_VERSION_POLCAP 7 725#define MOD_POLICYDB_VERSION_PERMISSIVE 8 726#define MOD_POLICYDB_VERSION_BOUNDARY 9 727#define MOD_POLICYDB_VERSION_BOUNDARY_ALIAS 10 728#define MOD_POLICYDB_VERSION_FILENAME_TRANS 11 729#define MOD_POLICYDB_VERSION_ROLETRANS 12 730#define MOD_POLICYDB_VERSION_ROLEATTRIB 13 731#define MOD_POLICYDB_VERSION_TUNABLE_SEP 14 732#define MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 15 733#define MOD_POLICYDB_VERSION_DEFAULT_TYPE 16 734#define MOD_POLICYDB_VERSION_CONSTRAINT_NAMES 17 735 736#define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE 737#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_CONSTRAINT_NAMES 738 739#define POLICYDB_CONFIG_MLS 1 740 741/* macros to check policy feature */ 742 743/* TODO: add other features here */ 744 745#define policydb_has_boundary_feature(p) \ 746 (((p)->policy_type == POLICY_KERN \ 747 && p->policyvers >= POLICYDB_VERSION_BOUNDARY) || \ 748 ((p)->policy_type != POLICY_KERN \ 749 && p->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY)) 750 751/* the config flags related to unknown classes/perms are bits 2 and 3 */ 752#define DENY_UNKNOWN SEPOL_DENY_UNKNOWN 753#define REJECT_UNKNOWN SEPOL_REJECT_UNKNOWN 754#define ALLOW_UNKNOWN SEPOL_ALLOW_UNKNOWN 755 756#define POLICYDB_CONFIG_UNKNOWN_MASK (DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN) 757 758#define OBJECT_R "object_r" 759#define OBJECT_R_VAL 1 760 761#define POLICYDB_MAGIC SELINUX_MAGIC 762#define POLICYDB_STRING "SE Linux" 763#define POLICYDB_XEN_STRING "XenFlask" 764#define POLICYDB_STRING_MAX_LENGTH 32 765#define POLICYDB_MOD_MAGIC SELINUX_MOD_MAGIC 766#define POLICYDB_MOD_STRING "SE Linux Module" 767 768__END_DECLS 769#endif /* _POLICYDB_H_ */ 770 771/* FLASK */ 772