1 /* Author : Stephen Smalley, <sds@tycho.nsa.gov> */
2 
3 /*
4  * Updated: Joshua Brindle <jbrindle@tresys.com>
5  *	    Karl MacMillan <kmacmillan@tresys.com>
6  *	    Jason Tang <jtang@tresys.com>
7  *
8  *	Module support
9  *
10  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
11  *
12  *	Support for enhanced MLS infrastructure.
13  *
14  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
15  *
16  * 	Added conditional policy language extensions
17  *
18  * Updated: Red Hat, Inc.  James Morris <jmorris@redhat.com>
19  *
20  *      Fine-grained netlink support
21  *      IPv6 support
22  *      Code cleanup
23  *
24  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
25  * Copyright (C) 2003 - 2004 Tresys Technology, LLC
26  * Copyright (C) 2003 - 2004 Red Hat, Inc.
 * Copyright (C) 2017 Mellanox Technologies Inc.
28  *
29  *  This library is free software; you can redistribute it and/or
30  *  modify it under the terms of the GNU Lesser General Public
31  *  License as published by the Free Software Foundation; either
32  *  version 2.1 of the License, or (at your option) any later version.
33  *
34  *  This library is distributed in the hope that it will be useful,
35  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
36  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
37  *  Lesser General Public License for more details.
38  *
39  *  You should have received a copy of the GNU Lesser General Public
40  *  License along with this library; if not, write to the Free Software
41  *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
42  */
43 
44 /* FLASK */
45 
46 /*
47  * A policy database (policydb) specifies the
48  * configuration data for the security policy.
49  */
50 
51 #ifndef _SEPOL_POLICYDB_POLICYDB_H_
52 #define _SEPOL_POLICYDB_POLICYDB_H_
53 
54 #include <stdio.h>
55 #include <stddef.h>
56 
57 #include <sepol/policydb.h>
58 
59 #include <sepol/policydb/flask_types.h>
60 #include <sepol/policydb/symtab.h>
61 #include <sepol/policydb/avtab.h>
62 #include <sepol/policydb/context.h>
63 #include <sepol/policydb/constraint.h>
64 #include <sepol/policydb/sidtab.h>
65 
/* Size of error-message buffers (per name; confirm usage in the .c files) */
#define ERRMSG_LEN 1024

/* Status codes; the int-returning policydb_* functions declared below
 * presumably use these — confirm against their definitions. */
#define POLICYDB_SUCCESS      0
#define POLICYDB_ERROR       -1
#define POLICYDB_UNSUPPORTED -2
71 
72 #ifdef __cplusplus
73 extern "C" {
74 #endif
75 
/* Upper bound on an InfiniBand device name; presumably applies to
 * ocontext.u.ibendport.dev_name — enforcement lives in the reader/writer. */
#define IB_DEVICE_NAME_MAX 64
77 
78 /*
79  * A datum type is defined for each kind of symbol
80  * in the configuration data:  individual permissions,
81  * common prefixes for access vectors, classes,
82  * users, roles, types, sensitivities, categories, etc.
83  */
84 
/* type set preserves data needed by modules such as *, ~ and attributes */
typedef struct type_set {
	ebitmap_t types;	/* types/attributes named in the set */
	ebitmap_t negset;	/* negated members (per name; confirm in the parser) */
#define TYPE_STAR 1		/* the set was written as '*' */
#define TYPE_COMP 2		/* the set is complemented ('~') */
	uint32_t flags;		/* bitwise OR of TYPE_STAR / TYPE_COMP */
} type_set_t;
93 
/* Role set with the same '*' / '~' semantics as type_set */
typedef struct role_set {
	ebitmap_t roles;	/* roles named in the set */
#define ROLE_STAR 1		/* the set was written as '*' */
#define ROLE_COMP 2		/* the set is complemented ('~') */
	uint32_t flags;		/* bitwise OR of ROLE_STAR / ROLE_COMP */
} role_set_t;
100 
/* Permission attributes */
typedef struct perm_datum {
	symtab_datum_t s;	/* symbol table entry (see symtab.h) */
} perm_datum_t;
105 
/* Attributes of a common prefix for access vectors */
typedef struct common_datum {
	symtab_datum_t s;	/* symbol table entry */
	symtab_t permissions;	/* common permissions */
} common_datum_t;
111 
/* Class attributes */
typedef struct class_datum {
	symtab_datum_t s;
	char *comkey;		/* common name */
	common_datum_t *comdatum;	/* common datum */
	symtab_t permissions;	/* class-specific permission symbol table */
	constraint_node_t *constraints;	/* constraints on class permissions */
	constraint_node_t *validatetrans;	/* special transition rules */
/* Options how a new object user and role should be decided */
#define DEFAULT_SOURCE		1
#define DEFAULT_TARGET		2
	char default_user;	/* DEFAULT_SOURCE / DEFAULT_TARGET (0 presumably = unset) */
	char default_role;	/* DEFAULT_SOURCE / DEFAULT_TARGET */
	char default_type;	/* DEFAULT_SOURCE / DEFAULT_TARGET */
/* Options how a new object range should be decided */
#define DEFAULT_SOURCE_LOW	1
#define DEFAULT_SOURCE_HIGH	2
#define DEFAULT_SOURCE_LOW_HIGH	3
#define DEFAULT_TARGET_LOW	4
#define DEFAULT_TARGET_HIGH	5
#define DEFAULT_TARGET_LOW_HIGH	6
#define DEFAULT_GLBLUB 		7
	char default_range;	/* one of the DEFAULT_*_LOW/HIGH values or DEFAULT_GLBLUB */
} class_datum_t;
136 
/* Role attributes */
typedef struct role_datum {
	symtab_datum_t s;
	ebitmap_t dominates;	/* set of roles dominated by this role */
	type_set_t types;	/* set of authorized types for role */
	ebitmap_t cache;	/* This is an expanded set used for context validation during parsing */
	uint32_t bounds;	/* bounds role, if exist */
#define ROLE_ROLE 0		/* regular role in kernel policies */
#define ROLE_ATTRIB 1		/* attribute */
	uint32_t flavor;	/* ROLE_ROLE or ROLE_ATTRIB */
	ebitmap_t roles;	/* roles with this attribute (meaningful when flavor == ROLE_ATTRIB) */
} role_datum_t;
149 
/* Compiled role transition rule; list head is policydb.role_tr */
typedef struct role_trans {
	uint32_t role;		/* current role */
	uint32_t type;		/* program executable type, or new object type */
	uint32_t tclass;	/* process class, or new object class */
	uint32_t new_role;	/* new role */
	struct role_trans *next;	/* singly linked list */
} role_trans_t;
157 
/* Compiled role allow rule; list head is policydb.role_allow */
typedef struct role_allow {
	uint32_t role;		/* current role */
	uint32_t new_role;	/* new role */
	struct role_allow *next;	/* singly linked list */
} role_allow_t;
163 
/* filename_trans rules */
/* Hash key for policydb.filename_trans: (target type, class, last path component) */
typedef struct filename_trans_key {
	uint32_t ttype;		/* target (parent directory) type */
	uint32_t tclass;	/* object class */
	char *name;		/* last path component being created */
} filename_trans_key_t;
170 
/* Value stored under a filename_trans_key.  Presumably one node per
 * resulting otype, chained via next, with stypes the source types that
 * map to it — confirm against policydb_filetrans_insert(). */
typedef struct filename_trans_datum {
	ebitmap_t stypes;	/* source types sharing this otype */
	uint32_t otype;		/* resulting object type */
	struct filename_trans_datum *next;
} filename_trans_datum_t;
176 
/* Type attributes */
typedef struct type_datum {
	symtab_datum_t s;
	uint32_t primary;	/* non-zero for the primary name; NOTE(review): the
				 * original comment says it may instead hold the
				 * primary type's value when flavor is TYPE_ALIAS
				 * — confirm in the reader */
#define TYPE_TYPE 0		/* regular type or alias in kernel policies */
#define TYPE_ATTRIB 1		/* attribute */
#define TYPE_ALIAS 2		/* alias in modular policy */
	uint32_t flavor;	/* TYPE_TYPE, TYPE_ATTRIB or TYPE_ALIAS */
	ebitmap_t types;	/* types with this attribute */
#define TYPE_FLAGS_PERMISSIVE		(1 << 0)
#define TYPE_FLAGS_EXPAND_ATTR_TRUE	(1 << 1)
#define TYPE_FLAGS_EXPAND_ATTR_FALSE	(1 << 2)
#define TYPE_FLAGS_EXPAND_ATTR (TYPE_FLAGS_EXPAND_ATTR_TRUE | \
				TYPE_FLAGS_EXPAND_ATTR_FALSE)
	uint32_t flags;		/* bitwise OR of TYPE_FLAGS_* */
	uint32_t bounds;	/* bounds type, if exist */
} type_datum_t;
194 
/*
 * Properties of type_datum
 * available on the policy version >= (MOD_)POLICYDB_VERSION_BOUNDARY
 * (on-disk encoding of the primary/flavor/flags fields above)
 */
#define TYPEDATUM_PROPERTY_PRIMARY	0x0001
#define TYPEDATUM_PROPERTY_ATTRIBUTE	0x0002
#define TYPEDATUM_PROPERTY_ALIAS	0x0004	/* userspace only */
#define TYPEDATUM_PROPERTY_PERMISSIVE	0x0008	/* userspace only */
203 
/* User attributes */
typedef struct user_datum {
	symtab_datum_t s;
	role_set_t roles;	/* set of authorized roles for user */
	mls_semantic_range_t range;	/* MLS range (min. - max.) for user */
	mls_semantic_level_t dfltlevel;	/* default login MLS level for user */
	ebitmap_t cache;	/* This is an expanded set used for context validation during parsing */
	mls_range_t exp_range;     /* expanded range used for validation */
	mls_level_t exp_dfltlevel; /* expanded default level used for validation */
	uint32_t bounds;	/* bounds user, if exist */
} user_datum_t;
215 
/* Sensitivity attributes */
typedef struct level_datum {
	mls_level_t *level;	/* sensitivity and associated categories */
	unsigned char isalias;	/* is this sensitivity an alias for another? */
	unsigned char defined;	/* set once the level has been defined, as opposed
				 * to merely referenced — presumably; confirm in the parser */
} level_datum_t;
222 
/* Category attributes */
typedef struct cat_datum {
	symtab_datum_t s;	/* symbol table entry */
	unsigned char isalias;	/* is this category an alias for another? */
} cat_datum_t;
228 
/* Hash key for policydb.range_tr (range_trans_key -> mls_range) */
typedef struct range_trans {
	uint32_t source_type;
	uint32_t target_type;
	uint32_t target_class;
} range_trans_t;
234 
/* Boolean data type */
typedef struct cond_bool_datum {
	symtab_datum_t s;
	int state;		/* current value of the boolean */
#define COND_BOOL_FLAGS_TUNABLE	0x01	/* is this a tunable? */
	uint32_t flags;		/* bitwise OR of COND_BOOL_FLAGS_* */
} cond_bool_datum_t;
242 
/* Conditional-policy types are defined in conditional.h; only the
 * pointer types are needed here. */
struct cond_node;

typedef struct cond_node cond_list_t;
struct cond_av_list;
247 
/* One (class, data) element of an avrule's permission list */
typedef struct class_perm_node {
	uint32_t tclass;	/* object class */
	uint32_t data;		/* permissions or new type */
	struct class_perm_node *next;	/* singly linked list */
} class_perm_node_t;
253 
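/*
 * Bit operations on an extended-permission bitmap: p is an array of
 * EXTENDED_PERMS_LEN uint32_t words (256 bits), x is the permission
 * number.  Word index is x / 32, bit within the word is x % 32.
 * There is no bounds check, so callers must keep x below
 * 32 * EXTENDED_PERMS_LEN.  Every use of x and p is parenthesized so
 * that an expression argument (e.g. xperm_test(base | off, perms))
 * expands with the intended precedence; x is still evaluated twice,
 * so it must not have side effects.
 */
#define xperm_test(x, p) (UINT32_C(1) & ((p)[(x) >> 5] >> ((x) & 0x1f)))
#define xperm_set(x, p) ((p)[(x) >> 5] |= (UINT32_C(1) << ((x) & 0x1f)))
#define xperm_clear(x, p) ((p)[(x) >> 5] &= ~(UINT32_C(1) << ((x) & 0x1f)))
#define EXTENDED_PERMS_LEN 8	/* 8 x 32 bits = 256 extended permissions */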
258 
/* Extended (ioctl) permission set attached to an avrule */
typedef struct av_extended_perms {
#define AVRULE_XPERMS_IOCTLFUNCTION	0x01
#define AVRULE_XPERMS_IOCTLDRIVER	0x02
	uint8_t specified;	/* AVRULE_XPERMS_IOCTLFUNCTION or AVRULE_XPERMS_IOCTLDRIVER */
	uint8_t driver;		/* ioctl driver number the perms bitmap refers to
				 * (presumably; confirm in the expander) */
	/* 256 bits of permissions */
	uint32_t perms[EXTENDED_PERMS_LEN];
} av_extended_perms_t;
267 
/* A TE rule as written in a module/base policy (uncompiled form) */
typedef struct avrule {
/* these typedefs are almost exactly the same as those in avtab.h - they are
 * here because of the need to include neverallow and dontaudit messages */
#define AVRULE_ALLOWED			AVTAB_ALLOWED
#define AVRULE_AUDITALLOW		AVTAB_AUDITALLOW
#define AVRULE_AUDITDENY		AVTAB_AUDITDENY
#define AVRULE_DONTAUDIT		0x0008
#define AVRULE_NEVERALLOW		AVTAB_NEVERALLOW
#define AVRULE_AV         (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_AUDITDENY | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW)
#define AVRULE_TRANSITION		AVTAB_TRANSITION
#define AVRULE_MEMBER			AVTAB_MEMBER
#define AVRULE_CHANGE			AVTAB_CHANGE
#define AVRULE_TYPE       (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE)
#define AVRULE_XPERMS_ALLOWED 		AVTAB_XPERMS_ALLOWED
#define AVRULE_XPERMS_AUDITALLOW	AVTAB_XPERMS_AUDITALLOW
#define AVRULE_XPERMS_DONTAUDIT		AVTAB_XPERMS_DONTAUDIT
#define AVRULE_XPERMS_NEVERALLOW	AVTAB_XPERMS_NEVERALLOW
#define AVRULE_XPERMS	(AVRULE_XPERMS_ALLOWED | AVRULE_XPERMS_AUDITALLOW | \
				AVRULE_XPERMS_DONTAUDIT | AVRULE_XPERMS_NEVERALLOW)
	uint32_t specified;	/* rule kind: one of the AVRULE_* values above */
#define RULE_SELF 1
	uint32_t flags;		/* RULE_SELF: target list contained 'self' */
	type_set_t stypes;	/* source types */
	type_set_t ttypes;	/* target types */
	class_perm_node_t *perms;	/* (class, perms-or-newtype) list */
	av_extended_perms_t *xperms;	/* only for AVRULE_XPERMS rules */
	unsigned long line;	/* line number from policy.conf where
				 * this rule originated  */
	/* source file name and line number (e.g. .te file) */
	char *source_filename;
	unsigned long source_line;
	struct avrule *next;	/* singly linked list */
} avrule_t;
301 
/* Uncompiled role transition rule (set-valued form of role_trans) */
typedef struct role_trans_rule {
	role_set_t roles;	/* current role */
	type_set_t types;	/* program executable type, or new object type */
	ebitmap_t classes;	/* process class, or new object class */
	uint32_t new_role;	/* new role */
	struct role_trans_rule *next;	/* singly linked list */
} role_trans_rule_t;
309 
/* Uncompiled role allow rule (set-valued form of role_allow) */
typedef struct role_allow_rule {
	role_set_t roles;	/* current role */
	role_set_t new_roles;	/* new roles */
	struct role_allow_rule *next;	/* singly linked list */
} role_allow_rule_t;
315 
/* Uncompiled type transition rule with a filename component */
typedef struct filename_trans_rule {
	type_set_t stypes;	/* source types */
	type_set_t ttypes;	/* target (parent directory) types */
	uint32_t tclass;	/* object class */
	char *name;		/* last path component */
	uint32_t otype;	/* new type */
	struct filename_trans_rule *next;	/* singly linked list */
} filename_trans_rule_t;
324 
/* Uncompiled MLS range transition rule */
typedef struct range_trans_rule {
	type_set_t stypes;	/* source types */
	type_set_t ttypes;	/* target types */
	ebitmap_t tclasses;	/* target classes */
	mls_semantic_range_t trange;	/* resulting range */
	struct range_trans_rule *next;	/* singly linked list */
} range_trans_rule_t;
332 
/*
 * The configuration data includes security contexts for
 * initial SIDs, unlabeled file systems, TCP and UDP port numbers,
 * network interfaces, and nodes.  This structure stores the
 * relevant data for one such entry.  Entries of the same kind
 * (e.g. all initial SIDs) are linked together into a list.
 *
 * Which member of 'u' is valid depends on the OCON_* (or OCON_XEN_*)
 * index of the list the entry is on.
 */
typedef struct ocontext {
	union {
		char *name;	/* name of initial SID, fs, netif, fstype, path */
		struct {
			uint8_t protocol;
			uint16_t low_port;
			uint16_t high_port;
		} port;		/* TCP or UDP port information */
		struct {
			uint32_t addr; /* network order */
			uint32_t mask; /* network order */
		} node;		/* node information */
		struct {
			uint32_t addr[4]; /* network order */
			uint32_t mask[4]; /* network order */
		} node6;	/* IPv6 node information */
		uint32_t device;	/* Xen PCI device */
		uint16_t pirq;		/* Xen physical irq */
		struct {
			uint64_t low_iomem;
			uint64_t high_iomem;
		} iomem;	/* Xen io memory range */
		struct {
			uint32_t low_ioport;
			uint32_t high_ioport;
		} ioport;	/* Xen io port range */
		struct {
			uint64_t subnet_prefix;
			uint16_t low_pkey;
			uint16_t high_pkey;
		} ibpkey;	/* InfiniBand PKEY range */
		struct {
			char *dev_name;
			uint8_t port;
		} ibendport;	/* InfiniBand end port */
	} u;
	union {
		uint32_t sclass;	/* security class for genfs */
		uint32_t behavior;	/* labeling behavior for fs_use */
	} v;
	context_struct_t context[2];	/* security context(s) */
	sepol_security_id_t sid[2];	/* SID(s) */
	struct ocontext *next;	/* next entry of the same kind */
} ocontext_t;
384 
/* genfscon entries for one filesystem type; list head is policydb.genfs */
typedef struct genfs {
	char *fstype;		/* filesystem type name */
	struct ocontext *head;	/* per-path contexts for this fstype */
	struct genfs *next;	/* singly linked list */
} genfs_t;
390 
/* symbol table array indices (into policydb.symtab[], sym_val_to_name[]
 * and scope[], and scope_index.scope[]) */
#define SYM_COMMONS 0
#define SYM_CLASSES 1
#define SYM_ROLES   2
#define SYM_TYPES   3
#define SYM_USERS   4
#define SYM_BOOLS   5
#define SYM_LEVELS  6
#define SYM_CATS    7
#define SYM_NUM     8	/* number of symbol tables, not an index */
401 
/* object context array indices */
#define OCON_ISID  0	/* initial SIDs */
#define OCON_FS    1	/* unlabeled file systems */
#define OCON_PORT  2	/* TCP and UDP port numbers */
#define OCON_NETIF 3	/* network interfaces */
#define OCON_NODE  4	/* nodes */
#define OCON_FSUSE 5	/* fs_use */
#define OCON_NODE6 6	/* IPv6 nodes */
#define OCON_IBPKEY 7	/* Infiniband PKEY */
#define OCON_IBENDPORT 8	/* Infiniband End Port */

/* object context array indices for Xen */
#define OCON_XEN_ISID  	    0    /* initial SIDs */
#define OCON_XEN_PIRQ       1    /* physical irqs */
#define OCON_XEN_IOPORT     2    /* io ports */
#define OCON_XEN_IOMEM	    3    /* io memory */
#define OCON_XEN_PCIDEVICE  4    /* pci devices */
#define OCON_XEN_DEVICETREE 5    /* device tree node */

/* OCON_NUM is the length of policydb.ocontexts[], so it must be one more
 * than the largest index used by any platform (currently OCON_IBENDPORT) */
#define OCON_NUM   9
423 
424 /* section: module information */
425 
/* scope_index_t holds all of the symbols that are in scope in a
 * particular situation.  The bitmaps are indices (and thus must
 * subtract one) into the global policydb->scope array. */
typedef struct scope_index {
	ebitmap_t scope[SYM_NUM];	/* one bitmap per symbol kind (SYM_*) */
#define p_classes_scope scope[SYM_CLASSES]
#define p_roles_scope scope[SYM_ROLES]
#define p_types_scope scope[SYM_TYPES]
#define p_users_scope scope[SYM_USERS]
#define p_bools_scope scope[SYM_BOOLS]
#define p_sens_scope scope[SYM_LEVELS]
#define p_cat_scope scope[SYM_CATS]

	/* this array maps from class->value to the permissions within
	 * scope.  if bit (perm->value - 1) is set in map
	 * class_perms_map[class->value - 1] then that permission is
	 * enabled for this class within this decl.  */
	ebitmap_t *class_perms_map;
	/* total number of classes in class_perms_map array */
	uint32_t class_perms_len;
} scope_index_t;
447 
/* a list of declarations for a particular avrule_decl */

/* These two structs declare a block of policy that has TE and RBAC
 * statements and declarations.  The root block (the global policy)
 * can never have an ELSE branch. */
typedef struct avrule_decl {
	uint32_t decl_id;	/* unique id; indexes policydb.decl_val_to_struct */
	uint32_t enabled;	/* whether this block is enabled */

	cond_list_t *cond_list;	/* conditional (if/else) rules */
	avrule_t *avrules;	/* TE rules */
	role_trans_rule_t *role_tr_rules;
	role_allow_rule_t *role_allow_rules;
	range_trans_rule_t *range_tr_rules;
	scope_index_t required;	/* symbols needed to activate this block */
	scope_index_t declared;	/* symbols declared within this block */

	/* type transition rules with a 'name' component */
	filename_trans_rule_t *filename_trans_rules;

	/* for additive statements (type attribute, roles, and users) */
	symtab_t symtab[SYM_NUM];

	/* In a linked module this will contain the name of the module
	 * from which this avrule_decl originated. */
	char *module_name;

	struct avrule_decl *next;	/* next branch of the same avrule_block */
} avrule_decl_t;
477 
/* A block of policy with one or more alternative branches (decls);
 * list head is policydb.global */
typedef struct avrule_block {
	avrule_decl_t *branch_list;	/* the block's decls, in order */
	avrule_decl_t *enabled;	/* pointer to which branch is enabled.  this is
				   used in linking and never written to disk */
#define AVRULE_OPTIONAL 1
	uint32_t flags;		/* any flags for this block, currently just optional */
	struct avrule_block *next;	/* singly linked list */
} avrule_block_t;
486 
/* Every identifier has its own scope datum.  The datum describes if
 * the item is to be included into the final policy during
 * expansion. */
typedef struct scope_datum {
/* Required for this decl */
#define SCOPE_REQ  1
/* Declared in this decl */
#define SCOPE_DECL 2
	uint32_t scope;		/* SCOPE_REQ or SCOPE_DECL */
	uint32_t *decl_ids;	/* array of avrule_decl decl_id values */
	uint32_t decl_ids_len;	/* number of entries in decl_ids */
	/* decl_ids is a list of avrule_decl's that declare/require
	 * this symbol.  If scope==SCOPE_DECL then this is a list of
	 * declarations.  If the symbol may only be declared once
	 * (types, bools) then decl_ids_len will be exactly 1.  For
	 * implicitly declared things (roles, users) then decl_ids_len
	 * will be at least 1. */
} scope_datum_t;
505 
/* The policy database */
typedef struct policydb {
#define POLICY_KERN SEPOL_POLICY_KERN
#define POLICY_BASE SEPOL_POLICY_BASE
#define POLICY_MOD SEPOL_POLICY_MOD
	uint32_t policy_type;	/* POLICY_KERN, POLICY_BASE or POLICY_MOD */
	char *name;		/* module name (base/module policies) */
	char *version;		/* module version string */
	int  target_platform;	/* set via policydb_set_target_platform() */

	/* Set when the policydb is modified such that writing is unsupported */
	int unsupported_format;

	/* Whether this policydb is mls, should always be set */
	int mls;

	/* symbol tables */
	symtab_t symtab[SYM_NUM];
#define p_commons symtab[SYM_COMMONS]
#define p_classes symtab[SYM_CLASSES]
#define p_roles symtab[SYM_ROLES]
#define p_types symtab[SYM_TYPES]
#define p_users symtab[SYM_USERS]
#define p_bools symtab[SYM_BOOLS]
#define p_levels symtab[SYM_LEVELS]
#define p_cats symtab[SYM_CATS]

	/* symbol names indexed by (value - 1) */
	char **sym_val_to_name[SYM_NUM];
#define p_common_val_to_name sym_val_to_name[SYM_COMMONS]
#define p_class_val_to_name sym_val_to_name[SYM_CLASSES]
#define p_role_val_to_name sym_val_to_name[SYM_ROLES]
#define p_type_val_to_name sym_val_to_name[SYM_TYPES]
#define p_user_val_to_name sym_val_to_name[SYM_USERS]
#define p_bool_val_to_name sym_val_to_name[SYM_BOOLS]
#define p_sens_val_to_name sym_val_to_name[SYM_LEVELS]
#define p_cat_val_to_name sym_val_to_name[SYM_CATS]

	/* class, role, and user attributes indexed by (value - 1);
	 * built by the policydb_index_* functions declared below */
	class_datum_t **class_val_to_struct;
	role_datum_t **role_val_to_struct;
	user_datum_t **user_val_to_struct;
	type_datum_t **type_val_to_struct;

	/* module stuff section -- used in parsing and for modules */

	/* keep track of the scope for every identifier.  these are
	 * hash tables, where the key is the identifier name and value
	 * a scope_datum_t.  as a convenience, one may use the
	 * p_*_macros (cf. struct scope_index_t declaration). */
	symtab_t scope[SYM_NUM];

	/* module rule storage */
	avrule_block_t *global;
	/* avrule_decl index used for link/expand */
	avrule_decl_t **decl_val_to_struct;

	/* compiled storage of rules - use for the kernel policy */

	/* type enforcement access vectors and transitions */
	avtab_t te_avtab;

	/* bools indexed by (value - 1) */
	cond_bool_datum_t **bool_val_to_struct;
	/* type enforcement conditional access vectors and transitions */
	avtab_t te_cond_avtab;
	/* linked list indexing te_cond_avtab by conditional */
	cond_list_t *cond_list;

	/* role transitions */
	role_trans_t *role_tr;

	/* role allows */
	role_allow_t *role_allow;

	/* security contexts of initial SIDs, unlabeled file systems,
	   TCP or UDP port numbers, network interfaces and nodes;
	   indexed by OCON_* (or OCON_XEN_* for the Xen platform) */
	ocontext_t *ocontexts[OCON_NUM];

	/* security contexts for files in filesystems that cannot support
	   a persistent label mapping or use another
	   fixed labeling behavior. */
	genfs_t *genfs;

	/* range transitions table (range_trans_key -> mls_range) */
	hashtab_t range_tr;

	/* file transitions with the last path component
	   (filename_trans_key -> filename_trans_datum) */
	hashtab_t filename_trans;
	uint32_t filename_trans_count;

	/* per-type bitmap of the attributes containing it */
	ebitmap_t *type_attr_map;

	ebitmap_t *attr_type_map;	/* not saved in the binary policy */

	ebitmap_t policycaps;	/* policy capabilities */

	/* this bitmap is referenced by type NOT the typical type-1 used in other
	   bitmaps.  Someday the 0 bit may be used for global permissive */
	ebitmap_t permissive_map;

	/* POLICYDB_VERSION_* for POLICY_KERN, MOD_POLICYDB_VERSION_* otherwise
	 * (cf. policydb_has_boundary_feature) */
	unsigned policyvers;

	/* DENY_UNKNOWN / REJECT_UNKNOWN / ALLOW_UNKNOWN handling flag */
	unsigned handle_unknown;

	/* cached class/permission values, presumably looked up by name at
	 * index time — confirm in policydb_index_others() */
	sepol_security_class_t process_class;
	sepol_security_class_t dir_class;
	sepol_access_vector_t process_trans;
	sepol_access_vector_t process_trans_dyntrans;
} policydb_t;
616 
/* Public opaque handle (declared in <sepol/policydb.h>) wrapping the
 * internal policydb */
struct sepol_policydb {
	struct policydb p;
};
620 
/*
 * Core policydb operations.  Descriptions follow the declaration names;
 * see policydb.c for the exact contracts.  int-returning functions
 * presumably use the POLICYDB_* codes above — confirm there.
 */

/* Initialize an empty policydb in *p. */
extern int policydb_init(policydb_t * p);

/* Parse a binary policy image held in memory at (data, len) into *policydb.
 * NOTE(review): the image is external input; every read the parser makes
 * must be bounded by len. */
extern int policydb_from_image(sepol_handle_t * handle,
			       void *data, size_t len, policydb_t * policydb);

/* Serialize *policydb into a newly allocated image returned via
 * (*newdata, *newlen); ownership of *newdata passes to the caller. */
extern int policydb_to_image(sepol_handle_t * handle,
			     policydb_t * policydb, void **newdata,
			     size_t * newlen);

/* Build the value-indexed lookup arrays (the *_val_to_struct and
 * sym_val_to_name members of policydb). */
extern int policydb_index_classes(policydb_t * p);

extern int policydb_index_bools(policydb_t * p);

extern int policydb_index_others(sepol_handle_t * handle, policydb_t * p,
				 unsigned int verbose);

/* hashtab_map callbacks that fill role_datum.cache / user_datum.cache;
 * arg is the policydb (presumably — confirm against callers). */
extern int policydb_role_cache(hashtab_key_t key,
			       hashtab_datum_t datum,
			       void *arg);

extern int policydb_user_cache(hashtab_key_t key,
			       hashtab_datum_t datum,
			       void *arg);

extern int policydb_reindex_users(policydb_t * p);

extern int policydb_optimize(policydb_t * p);

/* Release everything owned by *p (not the struct itself). */
extern void policydb_destroy(policydb_t * p);

/* Load the initial SID contexts (OCON_ISID entries) into the sidtab. */
extern int policydb_load_isids(policydb_t * p, sidtab_t * s);

extern int policydb_sort_ocontexts(policydb_t *p);

/* Insert a filename transition into p->filename_trans.  name_alloc and
 * present_otype are in/out parameters; their ownership and meaning are
 * defined in policydb.c. */
extern int policydb_filetrans_insert(policydb_t *p, uint32_t stype,
				     uint32_t ttype, uint32_t tclass,
				     const char *name, char **name_alloc,
				     uint32_t otype, uint32_t *present_otype);

/* Deprecated */
extern int policydb_context_isvalid(const policydb_t * p,
				    const context_struct_t * c);
663 
/* Destroy an array of SYM_NUM symbol tables. */
extern void symtabs_destroy(symtab_t * symtab);
/* hashtab_map callback freeing one scope_datum_t. */
extern int scope_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p);

/*
 * Constructors and destructors for the rule and datum structures above.
 * By the names, *_init zeroes/initializes the object in place,
 * *_destroy releases what it owns (not the object itself), and
 * *_list_destroy walks the next chain freeing every element.
 */
extern void class_perm_node_init(class_perm_node_t * x);
extern void type_set_init(type_set_t * x);
extern void type_set_destroy(type_set_t * x);
/* Deep-copy src into dst; returns non-zero on allocation failure (presumably). */
extern int type_set_cpy(type_set_t * dst, const type_set_t * src);
/* dst |= other */
extern int type_set_or_eq(type_set_t * dst, const type_set_t * other);
extern void role_set_init(role_set_t * x);
extern void role_set_destroy(role_set_t * x);
extern void avrule_init(avrule_t * x);
extern void avrule_destroy(avrule_t * x);
extern void avrule_list_destroy(avrule_t * x);
extern void role_trans_rule_init(role_trans_rule_t * x);
extern void role_trans_rule_list_destroy(role_trans_rule_t * x);
extern void filename_trans_rule_init(filename_trans_rule_t * x);
extern void filename_trans_rule_list_destroy(filename_trans_rule_t * x);

extern void role_datum_init(role_datum_t * x);
extern void role_datum_destroy(role_datum_t * x);
extern void role_allow_rule_init(role_allow_rule_t * x);
extern void role_allow_rule_destroy(role_allow_rule_t * x);
extern void role_allow_rule_list_destroy(role_allow_rule_t * x);
extern void range_trans_rule_init(range_trans_rule_t *x);
extern void range_trans_rule_destroy(range_trans_rule_t *x);
extern void range_trans_rule_list_destroy(range_trans_rule_t *x);
extern void type_datum_init(type_datum_t * x);
extern void type_datum_destroy(type_datum_t * x);
extern void user_datum_init(user_datum_t * x);
extern void user_datum_destroy(user_datum_t * x);
extern void level_datum_init(level_datum_t * x);
extern void level_datum_destroy(level_datum_t * x);
extern void cat_datum_init(cat_datum_t * x);
extern void cat_datum_destroy(cat_datum_t * x);
/* Check neverallow assertions against the compiled policy; a single rule
 * or a whole list. */
extern int check_assertion(policydb_t *p, avrule_t *avrule);
extern int check_assertions(sepol_handle_t * handle,
			    policydb_t * p, avrule_t * avrules);

/* Insert datum under key into symbol table sym (a SYM_* index) of x,
 * recording SCOPE_REQ/SCOPE_DECL for avrule_decl_id; the assigned
 * symbol value is returned through *value. */
extern int symtab_insert(policydb_t * x, uint32_t sym,
			 hashtab_key_t key, hashtab_datum_t datum,
			 uint32_t scope, uint32_t avrule_decl_id,
			 uint32_t * value);
706 
/* A policy "file" may be a memory region referenced by a (data, len) pair
   or a file referenced by a FILE pointer. */
typedef struct policy_file {
#define PF_USE_MEMORY  0
#define PF_USE_STDIO   1
#define PF_LEN         2	/* total up length in len field */
	unsigned type;		/* PF_USE_MEMORY, PF_USE_STDIO or PF_LEN */
	char *data;		/* current position in the memory region (PF_USE_MEMORY) */
	size_t len;		/* bytes remaining (PF_USE_MEMORY) or accumulated (PF_LEN) —
				 * presumably; confirm in the read/write helpers */
	size_t size;
	FILE *fp;		/* stream (PF_USE_STDIO) */
	struct sepol_handle *handle;	/* for error reporting */
} policy_file_t;
720 
/* Public opaque handle wrapping the internal policy_file */
struct sepol_policy_file {
	struct policy_file pf;
};
724 
/* Zero/initialize a policy_file. */
extern void policy_file_init(policy_file_t * x);

/* Read a binary policy from fp into *p.  NOTE(review): fp is external
 * input; the reader must validate every length and index it decodes
 * before using it. */
extern int policydb_read(policydb_t * p, struct policy_file *fp,
			 unsigned int verbose);
/* Read a list of avrules from fp, returned via *avrules. */
extern int avrule_read_list(policydb_t * p, avrule_t ** avrules,
			    struct policy_file *fp);

/* Write *p to pf in binary form. */
extern int policydb_write(struct policydb *p, struct policy_file *pf);
/* Set p->target_platform. */
extern int policydb_set_target_platform(policydb_t *p, int platform);
734 
/* Initial size of a class/common permission symbol table */
#define PERM_SYMTAB_SIZE 32

/* Identify specific policy version changes (kernel policy format) */
#define POLICYDB_VERSION_BASE		15
#define POLICYDB_VERSION_BOOL		16
#define POLICYDB_VERSION_IPV6		17
#define POLICYDB_VERSION_NLCLASS	18
#define POLICYDB_VERSION_VALIDATETRANS	19
#define POLICYDB_VERSION_MLS		19
#define POLICYDB_VERSION_AVTAB		20
#define POLICYDB_VERSION_RANGETRANS	21
#define POLICYDB_VERSION_POLCAP		22
#define POLICYDB_VERSION_PERMISSIVE	23
#define POLICYDB_VERSION_BOUNDARY	24
#define POLICYDB_VERSION_FILENAME_TRANS	25
#define POLICYDB_VERSION_ROLETRANS	26
#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS	27
#define POLICYDB_VERSION_DEFAULT_TYPE	28
#define POLICYDB_VERSION_CONSTRAINT_NAMES	29
#define POLICYDB_VERSION_XEN_DEVICETREE		30 /* Xen-specific */
#define POLICYDB_VERSION_XPERMS_IOCTL	30 /* Linux-specific */
#define POLICYDB_VERSION_INFINIBAND		31 /* Linux-specific */
#define POLICYDB_VERSION_GLBLUB		32
#define POLICYDB_VERSION_COMP_FTRANS	33 /* compressed filename transitions */

/* Range of policy versions we understand (inclusive) */
#define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE
#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_COMP_FTRANS
763 
/* Module versions and specific changes (base/module policy format;
 * numbered independently of the kernel POLICYDB_VERSION_* series) */
#define MOD_POLICYDB_VERSION_BASE		4
#define MOD_POLICYDB_VERSION_VALIDATETRANS	5
#define MOD_POLICYDB_VERSION_MLS		5
#define MOD_POLICYDB_VERSION_RANGETRANS 	6
#define MOD_POLICYDB_VERSION_MLS_USERS		6
#define MOD_POLICYDB_VERSION_POLCAP		7
#define MOD_POLICYDB_VERSION_PERMISSIVE		8
#define MOD_POLICYDB_VERSION_BOUNDARY		9
#define MOD_POLICYDB_VERSION_BOUNDARY_ALIAS	10
#define MOD_POLICYDB_VERSION_FILENAME_TRANS	11
#define MOD_POLICYDB_VERSION_ROLETRANS		12
#define MOD_POLICYDB_VERSION_ROLEATTRIB		13
#define MOD_POLICYDB_VERSION_TUNABLE_SEP	14
#define MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS	15
#define MOD_POLICYDB_VERSION_DEFAULT_TYPE	16
#define MOD_POLICYDB_VERSION_CONSTRAINT_NAMES  17
#define MOD_POLICYDB_VERSION_XPERMS_IOCTL  18
#define MOD_POLICYDB_VERSION_INFINIBAND		19
#define MOD_POLICYDB_VERSION_GLBLUB		20

/* Range of module versions we understand (inclusive) */
#define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_GLBLUB

/* Config flag: policy is MLS */
#define POLICYDB_CONFIG_MLS    1
789 
790 /* macros to check policy feature */
791 
792 /* TODO: add other features here */
793 
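/*
 * True if policy p carries bounds (type/role/user hierarchy) data:
 * kernel policies from POLICYDB_VERSION_BOUNDARY on, base/module
 * policies from MOD_POLICYDB_VERSION_BOUNDARY on.  p is a policydb_t
 * pointer and is evaluated more than once; every use is parenthesized
 * so that an expression argument expands with the intended precedence.
 */
#define policydb_has_boundary_feature(p)			\
	(((p)->policy_type == POLICY_KERN			\
	  && (p)->policyvers >= POLICYDB_VERSION_BOUNDARY) ||	\
	 ((p)->policy_type != POLICY_KERN			\
	  && (p)->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY))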
799 
/* the config flags related to unknown classes/perms are bits 2 and 3;
 * values come from <sepol/policydb.h> and are stored in
 * policydb.handle_unknown */
#define DENY_UNKNOWN	SEPOL_DENY_UNKNOWN
#define REJECT_UNKNOWN	SEPOL_REJECT_UNKNOWN
#define ALLOW_UNKNOWN 	SEPOL_ALLOW_UNKNOWN

#define POLICYDB_CONFIG_UNKNOWN_MASK	(DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)
806 
/* The object role: always present and always assigned value 1 */
#define OBJECT_R "object_r"
#define OBJECT_R_VAL 1

/* Binary policy header magic numbers and identification strings;
 * POLICYDB_STRING_MAX_LENGTH bounds the string read from the header */
#define POLICYDB_MAGIC SELINUX_MAGIC
#define POLICYDB_STRING "SE Linux"
#define POLICYDB_XEN_STRING "XenFlask"
#define POLICYDB_STRING_MAX_LENGTH 32
#define POLICYDB_MOD_MAGIC SELINUX_MOD_MAGIC
#define POLICYDB_MOD_STRING "SE Linux Module"
816 
817 #ifdef __cplusplus
818 }
819 #endif
820 
#endif				/* _SEPOL_POLICYDB_POLICYDB_H_ */
822 
823 /* FLASK */
824