1/* 2 * Copyright 2011 Tresys Technology, LLC. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * 7 * 1. Redistributions of source code must retain the above copyright notice, 8 * this list of conditions and the following disclaimer. 9 * 10 * 2. Redistributions in binary form must reproduce the above copyright notice, 11 * this list of conditions and the following disclaimer in the documentation 12 * and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY TRESYS TECHNOLOGY, LLC ``AS IS'' AND ANY EXPRESS 15 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 16 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO 17 * EVENT SHALL TRESYS TECHNOLOGY, LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 18 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 19 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 21 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE 22 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 23 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 * 25 * The views and conclusions contained in the software and documentation are those 26 * of the authors and should not be interpreted as representing official policies, 27 * either expressed or implied, of Tresys Technology, LLC. 
 */

#ifndef CIL_INTERNAL_H_
#define CIL_INTERNAL_H_

#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <arpa/inet.h>

#include <sepol/policydb/services.h>
#include <sepol/policydb/policydb.h>

#include <cil/cil.h>

#include "cil_flavor.h"
#include "cil_tree.h"
#include "cil_symtab.h"
#include "cil_mem.h"

/* Upper bound on the length of a CIL identifier.  Any fixed buffer that a
 * name is copied into must be sized from this (and checked against it). */
#define CIL_MAX_NAME_LENGTH 2048


/*
 * Compiler passes, in the order they are run over the AST.
 * CIL_PASS_NUM is the pass count and is never a valid pass itself.
 */
enum cil_pass {
	CIL_PASS_INIT = 0,

	CIL_PASS_TIF,
	CIL_PASS_IN,
	CIL_PASS_BLKIN_LINK,
	CIL_PASS_BLKIN_COPY,
	CIL_PASS_BLKABS,
	CIL_PASS_MACRO,
	CIL_PASS_CALL1,
	CIL_PASS_CALL2,
	CIL_PASS_ALIAS1,
	CIL_PASS_ALIAS2,
	CIL_PASS_MISC1,
	CIL_PASS_MLS,
	CIL_PASS_MISC2,
	CIL_PASS_MISC3,

	CIL_PASS_NUM
};


/*
 Keywords

 NOTE(review): these are tentative *definitions*, not `extern` declarations.
 Every translation unit that includes this header therefore defines each
 CIL_KEY_* object, and linking relies on the toolchain merging them as
 common symbols (-fcommon).  A toolchain that defaults to -fno-common will
 reject the build with multiple-definition errors.  The proper form is
 `extern char *CIL_KEY_...;` here plus exactly one definition in a .c file;
 left as-is because the defining translation unit is outside this header.
 The pointers are assigned at runtime (presumably during cil_db_init /
 keyword initialisation -- confirm); they are NULL until then.
*/
char *CIL_KEY_CONS_T1;
char *CIL_KEY_CONS_T2;
char *CIL_KEY_CONS_T3;
char *CIL_KEY_CONS_R1;
char *CIL_KEY_CONS_R2;
char *CIL_KEY_CONS_R3;
char *CIL_KEY_CONS_U1;
char *CIL_KEY_CONS_U2;
char *CIL_KEY_CONS_U3;
char *CIL_KEY_CONS_L1;
char *CIL_KEY_CONS_L2;
char *CIL_KEY_CONS_H1;
char *CIL_KEY_CONS_H2;
char *CIL_KEY_AND;
char *CIL_KEY_OR;
char *CIL_KEY_NOT;
char *CIL_KEY_EQ;
char *CIL_KEY_NEQ;
char *CIL_KEY_CONS_DOM;
char *CIL_KEY_CONS_DOMBY;
char *CIL_KEY_CONS_INCOMP;
char *CIL_KEY_CONDTRUE;
char *CIL_KEY_CONDFALSE;
char *CIL_KEY_SELF;
char *CIL_KEY_OBJECT_R;
char *CIL_KEY_STAR;
char *CIL_KEY_TCP;
char *CIL_KEY_UDP;
char *CIL_KEY_AUDITALLOW;
char *CIL_KEY_TUNABLEIF;
char *CIL_KEY_ALLOW;
char *CIL_KEY_DONTAUDIT;
char *CIL_KEY_TYPETRANSITION;
char *CIL_KEY_TYPECHANGE;
char *CIL_KEY_CALL;
char *CIL_KEY_TUNABLE;
char *CIL_KEY_XOR;
char *CIL_KEY_ALL;
char *CIL_KEY_RANGE;
char *CIL_KEY_GLOB;
char *CIL_KEY_FILE;
char *CIL_KEY_DIR;
char *CIL_KEY_CHAR;
char *CIL_KEY_BLOCK;
char *CIL_KEY_SOCKET;
char *CIL_KEY_PIPE;
char *CIL_KEY_SYMLINK;
char *CIL_KEY_ANY;
char *CIL_KEY_XATTR;
char *CIL_KEY_TASK;
char *CIL_KEY_TRANS;
char *CIL_KEY_TYPE;
char *CIL_KEY_ROLE;
char *CIL_KEY_USER;
char *CIL_KEY_USERATTRIBUTE;
char *CIL_KEY_USERATTRIBUTESET;
char *CIL_KEY_SENSITIVITY;
char *CIL_KEY_CATEGORY;
char *CIL_KEY_CATSET;
char *CIL_KEY_LEVEL;
char *CIL_KEY_LEVELRANGE;
char *CIL_KEY_CLASS;
char *CIL_KEY_IPADDR;
char *CIL_KEY_MAP_CLASS;
char *CIL_KEY_CLASSPERMISSION;
char *CIL_KEY_BOOL;
char *CIL_KEY_STRING;
char *CIL_KEY_NAME;
char *CIL_KEY_SOURCE;
char *CIL_KEY_TARGET;
char *CIL_KEY_LOW;
char *CIL_KEY_HIGH;
char *CIL_KEY_LOW_HIGH;
char *CIL_KEY_HANDLEUNKNOWN;
char *CIL_KEY_HANDLEUNKNOWN_ALLOW;
char *CIL_KEY_HANDLEUNKNOWN_DENY;
char *CIL_KEY_HANDLEUNKNOWN_REJECT;
char *CIL_KEY_MACRO;
char *CIL_KEY_IN;
char *CIL_KEY_MLS;
char *CIL_KEY_DEFAULTRANGE;
char *CIL_KEY_BLOCKINHERIT;
char *CIL_KEY_BLOCKABSTRACT;
char *CIL_KEY_CLASSORDER;
char *CIL_KEY_CLASSMAPPING;
char *CIL_KEY_CLASSPERMISSIONSET;
char *CIL_KEY_COMMON;
char *CIL_KEY_CLASSCOMMON;
char *CIL_KEY_SID;
char *CIL_KEY_SIDCONTEXT;
char *CIL_KEY_SIDORDER;
char *CIL_KEY_USERLEVEL;
char *CIL_KEY_USERRANGE;
char *CIL_KEY_USERBOUNDS;
char *CIL_KEY_USERPREFIX;
char *CIL_KEY_SELINUXUSER;
char *CIL_KEY_SELINUXUSERDEFAULT;
char *CIL_KEY_TYPEATTRIBUTE;
char *CIL_KEY_TYPEATTRIBUTESET;
char *CIL_KEY_TYPEALIAS;
char *CIL_KEY_TYPEALIASACTUAL;
char *CIL_KEY_TYPEBOUNDS;
char *CIL_KEY_TYPEPERMISSIVE;
char *CIL_KEY_RANGETRANSITION;
char *CIL_KEY_USERROLE;
char *CIL_KEY_ROLETYPE;
char *CIL_KEY_ROLETRANSITION;
char *CIL_KEY_ROLEALLOW;
char *CIL_KEY_ROLEATTRIBUTE;
char *CIL_KEY_ROLEATTRIBUTESET;
char *CIL_KEY_ROLEBOUNDS;
char *CIL_KEY_BOOLEANIF;
char *CIL_KEY_NEVERALLOW;
char *CIL_KEY_TYPEMEMBER;
char *CIL_KEY_SENSALIAS;
char *CIL_KEY_SENSALIASACTUAL;
char *CIL_KEY_CATALIAS;
char *CIL_KEY_CATALIASACTUAL;
char *CIL_KEY_CATORDER;
char *CIL_KEY_SENSITIVITYORDER;
char *CIL_KEY_SENSCAT;
char *CIL_KEY_CONSTRAIN;
char *CIL_KEY_MLSCONSTRAIN;
char *CIL_KEY_VALIDATETRANS;
char *CIL_KEY_MLSVALIDATETRANS;
char *CIL_KEY_CONTEXT;
char *CIL_KEY_FILECON;
char *CIL_KEY_PORTCON;
char *CIL_KEY_NODECON;
char *CIL_KEY_GENFSCON;
char *CIL_KEY_NETIFCON;
char *CIL_KEY_PIRQCON;
char *CIL_KEY_IOMEMCON;
char *CIL_KEY_IOPORTCON;
char *CIL_KEY_PCIDEVICECON;
char *CIL_KEY_DEVICETREECON;
char *CIL_KEY_FSUSE;
char *CIL_KEY_POLICYCAP;
char *CIL_KEY_OPTIONAL;
char *CIL_KEY_DEFAULTUSER;
char *CIL_KEY_DEFAULTROLE;
char *CIL_KEY_DEFAULTTYPE;
char *CIL_KEY_ROOT;
char *CIL_KEY_NODE;
char *CIL_KEY_PERM;
char *CIL_KEY_ALLOWX;
char *CIL_KEY_AUDITALLOWX;
char *CIL_KEY_DONTAUDITX;
char *CIL_KEY_NEVERALLOWX;
char *CIL_KEY_PERMISSIONX;
char *CIL_KEY_IOCTL;
char *CIL_KEY_UNORDERED;

/*
 Symbol Table Array Indices

 Index into the per-scope symtab[CIL_SYM_NUM] arrays below.  Only values
 below CIL_SYM_NUM are valid array indices: CIL_SYM_UNKNOWN and
 CIL_SYM_PERMS are numerically >= CIL_SYM_NUM, so using either to index a
 symtab[] array is an out-of-bounds access.  Callers that obtain an index
 from cil_flavor_to_symtab_index() must check its return value first.
*/
enum cil_sym_index {
	CIL_SYM_BLOCKS = 0,
	CIL_SYM_USERS,
	CIL_SYM_ROLES,
	CIL_SYM_TYPES,
	CIL_SYM_COMMONS,
	CIL_SYM_CLASSES,
	CIL_SYM_CLASSPERMSETS,
	CIL_SYM_BOOLS,
	CIL_SYM_TUNABLES,
	CIL_SYM_SENS,
	CIL_SYM_CATS,
	CIL_SYM_SIDS,
	CIL_SYM_CONTEXTS,
	CIL_SYM_LEVELS,
	CIL_SYM_LEVELRANGES,
	CIL_SYM_POLICYCAPS,
	CIL_SYM_IPADDRS,
	CIL_SYM_NAMES,
	CIL_SYM_PERMX,
	CIL_SYM_NUM,
	CIL_SYM_UNKNOWN,
	CIL_SYM_PERMS // Special case for permissions. This symtab is not included in arrays
};

/*
 * Kinds of scope that own a symtab[CIL_SYM_NUM] array; used as the first
 * index of cil_sym_sizes.  CIL_SYM_ARRAY_NUM is the count, not a scope.
 */
enum cil_sym_array {
	CIL_SYM_ARRAY_ROOT = 0,
	CIL_SYM_ARRAY_BLOCK,
	CIL_SYM_ARRAY_IN,
	CIL_SYM_ARRAY_MACRO,
	CIL_SYM_ARRAY_CONDBLOCK,
	CIL_SYM_ARRAY_NUM
};

/* Per (scope kind, symbol kind) table size; presumably the initial hash
 * bucket count handed to cil_symtab_array_init() -- confirm in cil.c. */
extern int cil_sym_sizes[CIL_SYM_ARRAY_NUM][CIL_SYM_NUM];

/* Table size for a class's own permission symtab (struct cil_class.perms);
 * presumably, since the symtab sizing code is not in this header. */
#define CIL_CLASS_SYM_SIZE 256

/*
 * Whole-compilation state.  Owns the parse tree and the AST, the ordering
 * lists and the sorted *con statement arrays, the value->datum lookup
 * tables, and the build options.  Create with cil_db_init(), release with
 * cil_db_destroy().
 *
 * Convention used throughout this header: a `foo_str` field holds the
 * identifier as written in the source, and the pointer field beside it is
 * filled in when the name is resolved to its datum in a later pass (until
 * then it is presumably NULL -- confirm against the *_init functions).
 */
struct cil_db {
	struct cil_tree *parse;			/* raw parse tree from the CIL text */
	struct cil_tree *ast;			/* AST built from `parse` */
	struct cil_type *selftype;		/* datum standing for the "self" keyword */
	struct cil_list *sidorder;
	struct cil_list *classorder;
	struct cil_list *catorder;
	struct cil_list *sensitivityorder;
	struct cil_sort *netifcon;		/* sorted *con statements, one cil_sort each */
	struct cil_sort *genfscon;
	struct cil_sort *filecon;
	struct cil_sort *nodecon;
	struct cil_sort *portcon;
	struct cil_sort *pirqcon;
	struct cil_sort *iomemcon;
	struct cil_sort *ioportcon;
	struct cil_sort *pcidevicecon;
	struct cil_sort *devicetreecon;
	struct cil_sort *fsuse;
	struct cil_list *userprefixes;
	struct cil_list *selinuxusers;
	struct cil_list *names;
	int num_types_and_attrs;
	int num_classes;
	int num_cats;
	int num_types;
	int num_roles;
	int num_users;
	/* Lookup tables indexed by the `value` assigned to each datum; sized by
	 * the num_* counters above (presumably -- allocation is elsewhere). */
	struct cil_type **val_to_type;
	struct cil_role **val_to_role;
	struct cil_user **val_to_user;
	/* Build options. */
	int disable_dontaudit;
	int disable_neverallow;
	int preserve_tunables;
	int handle_unknown;			/* see struct cil_handleunknown */
	int mls;
	int target_platform;
	int policy_version;
};

/* Root scope: one symbol table per cil_sym_index. */
struct cil_root {
	symtab_t symtab[CIL_SYM_NUM];
};

/*
 * Array of nodes of a single flavor (used for the *con statements in
 * struct cil_db).  `count` and `index` are the capacity and fill level;
 * which is which is not fixed by this header -- confirm in cil_sort_init()
 * before relying on it.  `array` elements are untyped; `flavor` says what
 * they really are.
 */
struct cil_sort {
	enum cil_flavor flavor;
	uint32_t count;
	uint32_t index;
	void **array;
};

/* A (block ...) scope with its own symbol tables. */
struct cil_block {
	struct cil_symtab_datum datum;
	symtab_t symtab[CIL_SYM_NUM];
	uint16_t is_abstract;		/* set by a (blockabstract ...) statement */
	struct cil_list *bi_nodes;	/* presumably the blockinherit nodes that target this block */
};

/* (blockinherit block_str): block is resolved during CIL_PASS_BLKIN_LINK. */
struct cil_blockinherit {
	char *block_str;
	struct cil_block *block;
};

/* (blockabstract block_str) */
struct cil_blockabstract {
	char *block_str;
};

/* (in block_str ...): statements to be inserted into the named block;
 * carries its own symtab array until they are merged. */
struct cil_in {
	symtab_t symtab[CIL_SYM_NUM];
	char *block_str;
};

/* (optional ...) scope; `enabled` is cleared when a contained statement
 * fails to resolve (presumably -- the disabling logic is elsewhere). */
struct cil_optional {
	struct cil_symtab_datum datum;
	int enabled;
};

/* One permission of a class.  `value` is the bit/index the kernel policy uses. */
struct cil_perm {
	struct cil_symtab_datum datum;
	unsigned int value;
	struct cil_list *classperms; /* Only used for map perms */
};

/*
 * A kernel class (or a map class -- see the field comments).  `perms` is a
 * symtab of struct cil_perm; `num_perms` is its entry count.
 */
struct cil_class {
	struct cil_symtab_datum datum;
	symtab_t perms;
	unsigned int num_perms;
	struct cil_class *common; /* Only used for kernel class */
	uint32_t ordered; /* Only used for kernel class */
};

/* (classorder ...) -- names only; ordering is merged into cil_db.classorder. */
struct cil_classorder {
	struct cil_list *class_list_str;
};

/* Reference to a named (classpermission ...) by name, resolved to `set`. */
struct cil_classperms_set {
	char *set_str;
	struct cil_classpermission *set;
};

/*
 * A class together with a set of its permissions, as (class (perm ...)).
 * perm_strs are the names; perms the resolved struct cil_perm datums.
 * NOTE: the field is named `class`, which is a keyword in C++; this header
 * is C-only.
 */
struct cil_classperms {
	char *class_str;
	struct cil_class *class;
	struct cil_list *perm_strs;
	struct cil_list *perms;
};

/* Named (classpermission name) declaration; its contents arrive via
 * classpermissionset statements. */
struct cil_classpermission {
	struct cil_symtab_datum datum;
	struct cil_list *classperms;
};

/* (classpermissionset set_str classperms...) */
struct cil_classpermissionset {
	char *set_str;
	struct cil_list *classperms;
};

/* (classmapping map_class map_perm classperms...) */
struct cil_classmapping {
	char *map_class_str;
	char *map_perm_str;
	struct cil_list *classperms;
};

/* (classcommon class common) */
struct cil_classcommon {
	char *class_str;
	char *common_str;
};

/* Generic alias datum; `actual` is untyped because the same struct serves
 * type, sensitivity and category aliases (see CIL_KEY_*ALIAS). */
struct cil_alias {
	struct cil_symtab_datum datum;
	void *actual;
};

/* (typealiasactual / sensaliasactual / cataliasactual alias actual) */
struct cil_aliasactual {
	char *alias_str;
	char *actual_str;
};

/* Initial SID; `context` is attached by a sidcontext statement. */
struct cil_sid {
	struct cil_symtab_datum datum;
	struct cil_context *context;
	uint32_t ordered;
};

/* (sidcontext sid context) */
struct cil_sidcontext {
	char *sid_str;
	char *context_str;
	struct cil_context *context;
};

/* (sidorder ...) -- names only. */
struct cil_sidorder {
	struct cil_list *sid_list_str;
};

/*
 * A user.  `roles` is a bitmap over role values; `bounds` is the bounding
 * user from a userbounds statement.  `value` is the index assigned for the
 * binary policy (also the index into cil_db.val_to_user).
 */
struct cil_user {
	struct cil_symtab_datum datum;
	struct cil_user *bounds;
	ebitmap_t *roles;
	struct cil_level *dftlevel;
	struct cil_levelrange *range;
	int value;
};

/* A user attribute: `users` is the evaluated membership bitmap, built from
 * the accumulated expr_list. */
struct cil_userattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *users;
};

/* (userattributeset attr expr): str_expr is the parsed expression, datum_expr
 * the same expression with names resolved. */
struct cil_userattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

/* (userrole user role).  Both pointers are untyped because either side may
 * resolve to a plain datum or an attribute -- check the flavor before use. */
struct cil_userrole {
	char *user_str;
	void *user;
	char *role_str;
	void *role;
};

/* (userlevel user level) */
struct cil_userlevel {
	char *user_str;
	char *level_str;
	struct cil_level *level;
};

/* (userrange user range) */
struct cil_userrange {
	char *user_str;
	char *range_str;
	struct cil_levelrange *range;
};

/* (userprefix user prefix) */
struct cil_userprefix {
	char *user_str;
	struct cil_user *user;
	char *prefix_str;
};

/* (selinuxuser name user range) */
struct cil_selinuxuser {
	char *name_str;
	char *user_str;
	struct cil_user *user;
	char *range_str;
	struct cil_levelrange *range;
};

/* A role.  `types` is a bitmap over type values; `value` indexes
 * cil_db.val_to_role. */
struct cil_role {
	struct cil_symtab_datum datum;
	struct cil_role *bounds;
	ebitmap_t *types;
	int value;
};

/* A role attribute: `roles` is the evaluated membership bitmap. */
struct cil_roleattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *roles;
};

/* (roleattributeset attr expr) */
struct cil_roleattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

/* (roletype role type) */
struct cil_roletype {
	char *role_str;
	void *role; /* role or attribute */
	char *type_str;
	void *type; /* type, alias, or attribute */
};

/* A type.  `value` indexes cil_db.val_to_type. */
struct cil_type {
	struct cil_symtab_datum datum;
	struct cil_type *bounds;
	int value;
};

/* A type attribute: `types` is the evaluated membership bitmap. */
struct cil_typeattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *types;
	int used; // whether or not this typeattribute was used and should be added to the binary
};

/* (typeattributeset attr expr) */
struct cil_typeattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

/* (typepermissive type) */
struct cil_typepermissive {
	char *type_str;
	void *type; /* type or alias */
};

/* A (name ...) string used as the filename in a typetransition. */
struct cil_name {
	struct cil_symtab_datum datum;
	char *name_str;
};

/* Named file type transition: (typetransition src tgt obj name result). */
struct cil_nametypetransition {
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *name_str;
	struct cil_name *name;
	char *result_str;
	void *result; /* type or alias */

};

/* (rangetransition src exec obj range) */
struct cil_rangetransition {
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *exec_str;
	void *exec; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *range_str;
	struct cil_levelrange *range;
};

/* A boolean; `value` is its default (CIL_TRUE / CIL_FALSE). */
struct cil_bool {
	struct cil_symtab_datum datum;
	uint16_t value;
};

/* A tunable; same shape as cil_bool but resolved at compile time. */
struct cil_tunable {
	struct cil_symtab_datum datum;
	uint16_t value;
};

/* Values of cil_avrule.rule_kind.  They mirror sepol's AVRULE_* constants. */
#define CIL_AVRULE_ALLOWED 1
#define CIL_AVRULE_AUDITALLOW 2
#define CIL_AVRULE_DONTAUDIT 8
#define CIL_AVRULE_NEVERALLOW 128
/* NOTE(review): this mask is built from sepol's AVRULE_* (from
 * <sepol/policydb/policydb.h>), not from the CIL_AVRULE_* values defined just
 * above.  It is only correct while the two sets stay numerically identical;
 * writing it in terms of CIL_AVRULE_* would remove that coupling. */
#define CIL_AVRULE_AV (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW)
/*
 * An access vector rule.  `perms` is a tagged union: `is_extended` selects
 * which member is live (nonzero -> perms.x, for the *x rules keyed by a
 * permissionx; zero -> perms.classperms).  Readers must test `is_extended`
 * before touching either member.
 */
struct cil_avrule {
	int is_extended;
	uint32_t rule_kind;		/* one of CIL_AVRULE_* */
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	union {
		struct cil_list *classperms;
		struct {
			char *permx_str;
			struct cil_permissionx *permx;
		} x;
	} perms;
};

/* Values of cil_permissionx.kind. */
#define CIL_PERMX_KIND_IOCTL 1
/* (permissionx name (kind obj expr)): extended permissions for class `obj`;
 * `perms` is the evaluated bitmap over the extended permission values. */
struct cil_permissionx {
	struct cil_symtab_datum datum;
	uint32_t kind;
	char *obj_str;
	struct cil_class *obj;
	struct cil_list *expr_str;
	ebitmap_t *perms;
};

/* Values of cil_type_rule.rule_kind; they mirror sepol's AVRULE_* constants. */
#define CIL_TYPE_TRANSITION 16
#define CIL_TYPE_MEMBER 32
#define CIL_TYPE_CHANGE 64
/* NOTE(review): as with CIL_AVRULE_AV, this mask uses sepol's AVRULE_*
 * rather than the CIL_TYPE_* values above, so it depends on both staying
 * numerically in step. */
#define CIL_AVRULE_TYPE (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE)
/* (typetransition|typemember|typechange src tgt obj result) without a name. */
struct cil_type_rule {
	uint32_t rule_kind;		/* one of CIL_TYPE_* */
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *result_str;
	void *result; /* type or alias */
};

/* (roletransition src tgt obj result) */
struct cil_roletransition {
	char *src_str;
	struct cil_role *src;
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *result_str;
	struct cil_role *result;
};

/* (roleallow src tgt) */
struct cil_roleallow {
	char *src_str;
	void *src; /* role or attribute */
	char *tgt_str;
	void *tgt; /* role or attribute */
};

/* A sensitivity; cats_list holds the categories associated via senscat. */
struct cil_sens {
	struct cil_symtab_datum datum;
	struct cil_list *cats_list;
	uint32_t ordered;
};

/* (sensitivityorder ...) -- names only. */
struct cil_sensorder {
	struct cil_list *sens_list_str;
};

/* A category; `value` is its index in the binary policy. */
struct cil_cat {
	struct cil_symtab_datum datum;
	uint32_t ordered;
	int value;
};

/* A category expression; `evaluated` records whether datum_expr has been
 * reduced yet (presumably -- the evaluation pass is not in this header). */
struct cil_cats {
	uint32_t evaluated;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

/* Named (categoryset name cats). */
struct cil_catset {
	struct cil_symtab_datum datum;
	struct cil_cats *cats;
};

/* (categoryorder ...) -- names only. */
struct cil_catorder {
	struct cil_list *cat_list_str;
};

/* (sensitivitycategory sens cats) */
struct cil_senscat {
	char *sens_str;
	struct cil_cats *cats;
};

/* A level: a sensitivity plus a category set. */
struct cil_level {
	struct cil_symtab_datum datum;
	char *sens_str;
	struct cil_sens *sens;
	struct cil_cats *cats;
};

/* A level range (low high). */
struct cil_levelrange {
	struct cil_symtab_datum datum;
	char *low_str;
	struct cil_level *low;
	char *high_str;
	struct cil_level *high;
};

/* A security context (user role type range). */
struct cil_context {
	struct cil_symtab_datum datum;
	char *user_str;
	struct cil_user *user;
	char *role_str;
	struct cil_role *role;
	char *type_str;
	void *type; /* type or alias */
	char *range_str;
	struct cil_levelrange *range;
};

/* File type selector of a filecon statement; starts at 1 so 0 is "unset". */
enum cil_filecon_types {
	CIL_FILECON_FILE = 1,
	CIL_FILECON_DIR,
	CIL_FILECON_CHAR,
	CIL_FILECON_BLOCK,
	CIL_FILECON_SOCKET,
	CIL_FILECON_PIPE,
	CIL_FILECON_SYMLINK,
	CIL_FILECON_ANY
};

/* (filecon path type context).  `path_str` is used as a path pattern by the
 * consumer (file_contexts); it is stored verbatim here. */
struct cil_filecon {
	char *path_str;
	enum cil_filecon_types type;
	char *context_str;
	struct cil_context *context;
};

/* Transport protocol of a portcon; starts at 1 so 0 is "unset". */
enum cil_protocol {
	CIL_PROTOCOL_UDP = 1,
	CIL_PROTOCOL_TCP
};

/* (portcon proto port|(low high) context).  The port fields are wider than
 * a 16-bit port number; range checking is presumably done by the parser --
 * confirm before relying on it. */
struct cil_portcon {
	enum cil_protocol proto;
	uint32_t port_low;
	uint32_t port_high;
	char *context_str;
	struct cil_context *context;
};

/* (nodecon addr mask context); addr and mask resolve to cil_ipaddr datums. */
struct cil_nodecon {
	char *addr_str;
	struct cil_ipaddr *addr;
	char *mask_str;
	struct cil_ipaddr *mask;
	char *context_str;
	struct cil_context *context;
};

/* An IP address; `family` says which union member is valid (presumably
 * AF_INET -> ip.v4, AF_INET6 -> ip.v6).  Check it before reading `ip`. */
struct cil_ipaddr {
	struct cil_symtab_datum datum;
	int family;
	union {
		struct in_addr v4;
		struct in6_addr v6;
	} ip;
};

/* (genfscon fs path context) */
struct cil_genfscon {
	char *fs_str;
	char *path_str;
	char *context_str;
	struct cil_context *context;
};

/* (netifcon interface if_context packet_context) */
struct cil_netifcon {
	char *interface_str;
	char *if_context_str;
	struct cil_context *if_context;
	char *packet_context_str;
	struct cil_context *packet_context;
	char *context_str;
};

/* (pirqcon pirq context) */
struct cil_pirqcon {
	uint32_t pirq;
	char *context_str;
	struct cil_context *context;
};

/* (iomemcon (low high) context) -- 64-bit physical address range. */
struct cil_iomemcon {
	uint64_t iomem_low;
	uint64_t iomem_high;
	char *context_str;
	struct cil_context *context;
};

/* (ioportcon (low high) context) */
struct cil_ioportcon {
	uint32_t ioport_low;
	uint32_t ioport_high;
	char *context_str;
	struct cil_context *context;
};

/* (pcidevicecon dev context) */
struct cil_pcidevicecon {
	uint32_t dev;
	char *context_str;
	struct cil_context *context;
};

/* (devicetreecon path context) */
struct cil_devicetreecon {
	char *path;
	char *context_str;
	struct cil_context *context;
};


/* Ensure that CIL uses the same values as sepol services.h */
enum cil_fsuse_types {
	CIL_FSUSE_XATTR = SECURITY_FS_USE_XATTR,
	CIL_FSUSE_TASK = SECURITY_FS_USE_TASK,
	CIL_FSUSE_TRANS = SECURITY_FS_USE_TRANS
};

/* (fsuse type fs context) */
struct cil_fsuse {
	enum cil_fsuse_types type;
	char *fs_str;
	char *context_str;
	struct cil_context *context;
};

/*
 * Keyword lists for constraint expressions.
 * NOTE(review): CIL_MLSCONSTRAIN_KEYS is plain string-literal concatenation
 * of the two lists with no separator, so it expands to
 * "l1 l2 h1 h2t1 t2 r1 r2 u1 u2" -- a consumer that splits it on whitespace
 * would see the fused token "h2t1".  No user of these macros is visible in
 * this header; if one is added, put a space at the join.
 */
#define CIL_MLS_LEVELS "l1 l2 h1 h2"
#define CIL_CONSTRAIN_KEYS "t1 t2 r1 r2 u1 u2"
#define CIL_MLSCONSTRAIN_KEYS CIL_MLS_LEVELS CIL_CONSTRAIN_KEYS
#define CIL_CONSTRAIN_OPER "== != eq dom domby incomp not and or"
/* (constrain|mlsconstrain classperms expr) */
struct cil_constrain {
	struct cil_list *classperms;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

/* (validatetrans|mlsvalidatetrans class expr).  Field named `class`: C only. */
struct cil_validatetrans {
	char *class_str;
	struct cil_class *class;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

/* One formal parameter of a macro: its name and the flavor it accepts. */
struct cil_param {
	char *str;
	enum cil_flavor flavor;
};

/* (macro name (params...) body): a scope with its own symtabs. */
struct cil_macro {
	struct cil_symtab_datum datum;
	symtab_t symtab[CIL_SYM_NUM];
	struct cil_list *params;
};

/* One actual argument of a call, matched to the parameter `param_str`. */
struct cil_args {
	char *arg_str;
	struct cil_symtab_datum *arg;
	char *param_str;
	enum cil_flavor flavor;
};

/* (call macro (args...)).  `copied` records whether the macro body has
 * already been expanded into this call (presumably, over CIL_PASS_CALL1/2). */
struct cil_call {
	char *macro_str;
	struct cil_macro *macro;
	struct cil_tree *args_tree;
	struct cil_list *args;
	int copied;
};

#define CIL_TRUE 1
#define CIL_FALSE 0

/* The true/false branch of a booleanif or tunableif; `flavor` tells which. */
struct cil_condblock {
	enum cil_flavor flavor;
	symtab_t symtab[CIL_SYM_NUM];
};

/* (booleanif expr ...).  preserved_tunable is set when a tunableif was kept
 * as a booleanif because cil_db.preserve_tunables was on. */
struct cil_booleanif {
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
	int preserved_tunable;
};

/* (tunableif expr ...) -- resolved during CIL_PASS_TIF. */
struct cil_tunableif {
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

/* (policycap name) */
struct cil_policycap {
	struct cil_symtab_datum datum;
};

/* (userbounds|rolebounds|typebounds parent child) */
struct cil_bounds {
	char *parent_str;
	char *child_str;
};

/* Ensure that CIL uses the same values as sepol policydb.h */
enum cil_default_object {
	CIL_DEFAULT_SOURCE = DEFAULT_SOURCE,
	CIL_DEFAULT_TARGET = DEFAULT_TARGET,
};

/* Default labeling behavior for users, roles, and types */
struct cil_default {
	enum cil_flavor flavor;		/* which of defaultuser/defaultrole/defaulttype */
	struct cil_list *class_strs;
	struct cil_list *class_datums;
	enum cil_default_object object;
};

/* Ensure that CIL uses the same values as sepol policydb.h */
enum cil_default_object_range {
	CIL_DEFAULT_SOURCE_LOW = DEFAULT_SOURCE_LOW,
	CIL_DEFAULT_SOURCE_HIGH = DEFAULT_SOURCE_HIGH,
	CIL_DEFAULT_SOURCE_LOW_HIGH = DEFAULT_SOURCE_LOW_HIGH,
	CIL_DEFAULT_TARGET_LOW = DEFAULT_TARGET_LOW,
	CIL_DEFAULT_TARGET_HIGH = DEFAULT_TARGET_HIGH,
	CIL_DEFAULT_TARGET_LOW_HIGH = DEFAULT_TARGET_LOW_HIGH,
};

/* Default labeling behavior for range */
struct cil_defaultrange {
	struct cil_list *class_strs;
	struct cil_list *class_datums;
	enum cil_default_object_range object_range;
};

/* (handleunknown allow|deny|reject); the stored value is copied into
 * cil_db.handle_unknown. */
struct cil_handleunknown {
	int handle_unknown;
};

/* (mls true|false); copied into cil_db.mls. */
struct cil_mls {
	int value;
};

/* Allocate/initialise a cil_db into *db; cil_db_destroy frees it and all it
 * owns and (presumably) NULLs *db -- confirm in cil.c. */
void cil_db_init(struct cil_db **db);
void cil_db_destroy(struct cil_db **db);

void cil_root_init(struct cil_root **root);
void cil_root_destroy(struct cil_root *root);

/* Free *data according to its flavor (dispatches to the matching destroy). */
void cil_destroy_data(void **data, enum cil_flavor flavor);

/* Map a flavor to the symtab index that holds it.  Returns non-zero on
 * failure, in which case *index must not be used as an array index
 * (see the CIL_SYM_UNKNOWN note on enum cil_sym_index). */
int cil_flavor_to_symtab_index(enum cil_flavor flavor, enum cil_sym_index *index);
const char * cil_node_to_string(struct cil_tree_node *node);

/* Render the respective lists of `db` into a buffer: on success *out holds
 * the text and *size its length.  Presumably *out is heap-allocated and
 * owned by the caller -- confirm in the implementation before freeing. */
int cil_userprefixes_to_string(struct cil_db *db, char **out, size_t *size);
int cil_selinuxusers_to_string(struct cil_db *db, char **out, size_t *size);
int cil_filecons_to_string(struct cil_db *db, char **out, size_t *size);

/* Symbol table array helpers; symtab_sizes is a row of cil_sym_sizes. */
void cil_symtab_array_init(symtab_t symtab[], int symtab_sizes[CIL_SYM_NUM]);
void cil_symtab_array_destroy(symtab_t symtab[]);
void cil_destroy_ast_symtabs(struct cil_tree_node *root);
/* Find the enclosing scope's symtab for sym_index starting at ast_node;
 * returns non-zero and leaves *symtab unset on failure. */
int cil_get_symtab(struct cil_tree_node *ast_node, symtab_t **symtab, enum cil_sym_index sym_index);

/*
 * Constructors: each cil_*_init allocates a fresh object and stores it in
 * the out-parameter.  The struct-specific pointer fields start unresolved
 * (presumably NULL).  Allocation failure behaviour is defined by cil_mem.h.
 */
void cil_sort_init(struct cil_sort **sort);
void cil_sort_destroy(struct cil_sort **sort);
void cil_netifcon_init(struct cil_netifcon **netifcon);
void cil_context_init(struct cil_context **context);
void cil_level_init(struct cil_level **level);
void cil_levelrange_init(struct cil_levelrange **lvlrange);
void cil_sens_init(struct cil_sens **sens);
void cil_block_init(struct cil_block **block);
void cil_blockinherit_init(struct cil_blockinherit **inherit);
void cil_blockabstract_init(struct cil_blockabstract **abstract);
void cil_in_init(struct cil_in **in);
void cil_class_init(struct cil_class **class);
void cil_classorder_init(struct cil_classorder **classorder);
void cil_classcommon_init(struct cil_classcommon **classcommon);
void cil_sid_init(struct cil_sid **sid);
void cil_sidcontext_init(struct cil_sidcontext **sidcontext);
void cil_sidorder_init(struct cil_sidorder **sidorder);
void cil_userrole_init(struct cil_userrole **userrole);
void cil_userprefix_init(struct cil_userprefix **userprefix);
void cil_selinuxuser_init(struct cil_selinuxuser **selinuxuser);
void cil_roleattribute_init(struct cil_roleattribute **attribute);
void cil_roleattributeset_init(struct cil_roleattributeset **attrset);
void cil_roletype_init(struct cil_roletype **roletype);
void cil_typeattribute_init(struct cil_typeattribute **attribute);
void cil_typeattributeset_init(struct cil_typeattributeset **attrset);
void cil_alias_init(struct cil_alias **alias);
void cil_aliasactual_init(struct cil_aliasactual **aliasactual);
void cil_typepermissive_init(struct cil_typepermissive **typeperm);
void cil_name_init(struct cil_name **name);
void cil_nametypetransition_init(struct cil_nametypetransition **nametypetrans);
void cil_rangetransition_init(struct cil_rangetransition **rangetrans);
void cil_bool_init(struct cil_bool **cilbool);
void cil_boolif_init(struct cil_booleanif **bif);
void cil_condblock_init(struct cil_condblock **cb);
void cil_tunable_init(struct cil_tunable **ciltun);
void cil_tunif_init(struct cil_tunableif **tif);
void cil_avrule_init(struct cil_avrule **avrule);
void cil_permissionx_init(struct cil_permissionx **permx);
void cil_type_rule_init(struct cil_type_rule **type_rule);
void cil_roletransition_init(struct cil_roletransition **roletrans);
void cil_roleallow_init(struct cil_roleallow **role_allow);
void cil_catset_init(struct cil_catset **catset);
void cil_cats_init(struct cil_cats **cats);
void cil_senscat_init(struct cil_senscat **senscat);
void cil_filecon_init(struct cil_filecon **filecon);
void cil_portcon_init(struct cil_portcon **portcon);
void cil_nodecon_init(struct cil_nodecon **nodecon);
void cil_genfscon_init(struct cil_genfscon **genfscon);
void cil_pirqcon_init(struct cil_pirqcon **pirqcon);
void cil_iomemcon_init(struct cil_iomemcon **iomemcon);
void cil_ioportcon_init(struct cil_ioportcon **ioportcon);
void cil_pcidevicecon_init(struct cil_pcidevicecon **pcidevicecon);
void cil_devicetreecon_init(struct cil_devicetreecon **devicetreecon);
void cil_fsuse_init(struct cil_fsuse **fsuse);
void cil_constrain_init(struct cil_constrain **constrain);
void cil_validatetrans_init(struct cil_validatetrans **validtrans);
void cil_ipaddr_init(struct cil_ipaddr **ipaddr);
void cil_perm_init(struct cil_perm **perm);
void cil_classpermission_init(struct cil_classpermission **cp);
void cil_classpermissionset_init(struct cil_classpermissionset **cps);
void cil_classperms_set_init(struct cil_classperms_set **cp_set);
void cil_classperms_init(struct cil_classperms **cp);
void cil_classmapping_init(struct cil_classmapping **mapping);
void cil_user_init(struct cil_user **user);
void cil_userlevel_init(struct cil_userlevel **usrlvl);
void cil_userrange_init(struct cil_userrange **userrange);
void cil_role_init(struct cil_role **role);
void cil_type_init(struct cil_type **type);
void cil_cat_init(struct cil_cat **cat);
void cil_catorder_init(struct cil_catorder **catorder);
void cil_sensorder_init(struct cil_sensorder **sensorder);
void cil_args_init(struct cil_args **args);
void cil_call_init(struct cil_call **call);
void cil_optional_init(struct cil_optional **optional);
void cil_param_init(struct cil_param **param);
void cil_macro_init(struct cil_macro **macro);
void cil_policycap_init(struct cil_policycap **policycap);
void cil_bounds_init(struct cil_bounds **bounds);
void cil_default_init(struct cil_default **def);
void cil_defaultrange_init(struct cil_defaultrange **def);
void cil_handleunknown_init(struct cil_handleunknown **unk);
void cil_mls_init(struct cil_mls **mls);
void cil_userattribute_init(struct cil_userattribute **attribute);
void cil_userattributeset_init(struct cil_userattributeset **attrset);

#endif