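/* Author : Joshua Brindle <jbrindle@tresys.com>
 *	    Karl MacMillan <kmacmillan@tresys.com>
 *	    Jason Tang     <jtang@tresys.com>
 *	Added support for binary policy modules
 *
 * Copyright (C) 2004 - 2005 Tresys Technology, LLC
 *	This program is free software; you can redistribute it and/or modify
 *	it under the terms of the GNU General Public License as published by
 *	the Free Software Foundation, version 2.
 */

#ifndef MODULE_COMPILER_H
#define MODULE_COMPILER_H

/* uint32_t appears in the prototypes below; include it directly rather
 * than relying on a transitive include. */
#include <stdint.h>

#include <sepol/policydb/hashtab.h>

/* NOTE(review): the datum and rule types used below (role_datum_t,
 * type_datum_t, user_datum_t, cond_list_t, avrule_t, ...) are not declared
 * by anything visible in this header -- presumably the including file
 * pulls in the policydb definitions first; confirm. */

/* Called when checkpolicy begins to parse a policy -- either at the
 * very beginning for a kernel/base policy, or after the module header
 * for policy modules.  Initialize the memory structures within.
 * Return 0 on success, -1 on error.
 */
int define_policy(int pass, int module_header_given);

/* Add a symbol declaration to the current avrule_decl.  Check
 * that insertion is allowed here and that the symbol does not already
 * exist.
 *
 * Returns:
 *    0  success
 *    1  symbol was already there; the caller needs to free() the datum
 *   -1  declarations are not allowed here
 *   -2  duplicate declaration
 *   -3  any other error
 *
 * Callers must tell 1 apart from 0: both are non-negative, but only on 1
 * does the caller remain responsible for free()ing the datum.  A check of
 * the form "ret < 0" alone misses that obligation.
 *
 * NOTE(review): dest_value and datum_value look like output parameters
 * for the symbol's value -- confirm against the implementation.
 */
int declare_symbol(uint32_t symbol_type,
		   hashtab_key_t key, hashtab_datum_t datum,
		   uint32_t *dest_value, uint32_t *datum_value);

/* Typed declaration helpers for roles, types and users.
 * NOTE(review): the failure convention is not documented here --
 * presumably NULL on error; confirm against the implementation. */
role_datum_t *declare_role(unsigned char isattr);
type_datum_t *declare_type(unsigned char primary, unsigned char isattr);
user_datum_t *declare_user(void);

/* Return the local type/role datum for 'id'.
 * NOTE(review): ownership of 'id' and the failure convention are not
 * documented here; confirm against the implementation. */
type_datum_t *get_local_type(char *id, uint32_t value, unsigned char isattr);
role_datum_t *get_local_role(char *id, uint32_t value, unsigned char isattr);

/* Add a symbol to the current avrule_block's require section.  Note
 * that a module may not both declare and require the same symbol.
 * Returns 0 on success, -1 on error. */
int require_symbol(uint32_t symbol_type,
		   hashtab_key_t key, hashtab_datum_t datum,
		   uint32_t *dest_value, uint32_t *datum_value);

/* Enable a permission for a class within the current avrule_decl.
 * Return 0 on success, -1 if out of memory. */
int add_perm_to_class(uint32_t perm_value, uint32_t class_value);

/* Functions called from REQUIRE blocks.  Add the first symbol on the
 * id_queue to this avrule_decl's scope if not already there.
 * cf. require_symbol().
 */
int require_class(int pass);
int require_role(int pass);
int require_type(int pass);
int require_attribute(int pass);
int require_attribute_role(int pass);
int require_user(int pass);
int require_bool(int pass);
int require_tunable(int pass);
int require_sens(int pass);
int require_cat(int pass);

/* Check if an identifier is within the scope of the current
 * declaration or any of its parents.  Return 1 if it is, 0 if not.
 * If the identifier is not known at all then return 1 (truth).
 *
 * Because an unknown identifier also yields 1, a result of 1 does not by
 * itself establish that the identifier exists; existence has to be
 * checked separately. */
int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id);

/* Check if a particular permission is within the scope of the current
 * declaration or any of its parents.  Return 1 if it is, 0 if not.
 * If the identifier is not known at all then return 1 (truth).
 *
 * As with is_id_in_scope(), 1 is also returned for an unknown
 * identifier, so 1 is not proof that the class or permission exists. */
int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id);

/* Search the current avrules block for a conditional with the same
 * expression as 'cond'.  If the conditional does not exist then
 * create one.  Either way, return the conditional. */
cond_list_t *get_current_cond_list(cond_list_t *cond);

/* Append rule to the current avrule_block. */
void append_cond_list(cond_list_t *cond);
void append_avrule(avrule_t *avrule);
void append_role_trans(role_trans_rule_t *role_tr_rules);
void append_role_allow(role_allow_rule_t *role_allow_rules);
void append_range_trans(range_trans_rule_t *range_tr_rules);
void append_filename_trans(filename_trans_rule_t *filename_trans_rules);

/* Create a new optional block and add it to the global policy.
 * During the second pass resolve the block's requirements.  Return 0
 * on success, -1 on error.
 */
int begin_optional(int pass);
int end_optional(int pass);

/* ELSE blocks are similar to normal blocks with the following two
 * limitations:
 *   - no declarations are allowed within else branches
 *   - no REQUIRES are allowed; the else branch inherits the parent's
 *     requirements
 */
int begin_optional_else(int pass);

/* Called whenever exiting an avrule block.  Check that the block had
 * a non-empty REQUIRE section.  If so pop the block off of the scope
 * stack and return 0.  If not then send an error to yyerror and
 * return -1. */
int end_avrule_block(int pass);

#endif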