1 /* 2 * Copyright 2011 Tresys Technology, LLC. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * 7 * 1. Redistributions of source code must retain the above copyright notice, 8 * this list of conditions and the following disclaimer. 9 * 10 * 2. Redistributions in binary form must reproduce the above copyright notice, 11 * this list of conditions and the following disclaimer in the documentation 12 * and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY TRESYS TECHNOLOGY, LLC ``AS IS'' AND ANY EXPRESS 15 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 16 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO 17 * EVENT SHALL TRESYS TECHNOLOGY, LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 18 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 19 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 21 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE 22 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 23 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 * 25 * The views and conclusions contained in the software and documentation are those 26 * of the authors and should not be interpreted as representing official policies, 27 * either expressed or implied, of Tresys Technology, LLC. 
 */

/*
 * Internal data model of the CIL compiler: pass ordering, keyword strings,
 * symbol-table indices, the AST node payload structs and the allocation /
 * helper prototypes shared by the compiler's translation units.
 */

#ifndef CIL_INTERNAL_H_
#define CIL_INTERNAL_H_

#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <arpa/inet.h>

#include <sepol/policydb/services.h>
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/flask_types.h>

#include <cil/cil.h>

#include "cil_flavor.h"
#include "cil_tree.h"
#include "cil_symtab.h"
#include "cil_mem.h"

/* Upper bound on the length of a CIL identifier. Where this bound is
 * enforced is not visible in this header — check the parser/builder
 * before relying on it for buffer sizing. */
#define CIL_MAX_NAME_LENGTH 2048

/* Thresholds for detecting degenerate (blow-up) blockinherit chains.
 * MINIMUM is 2^DEPTH (= 1024). The names suggest a guard against
 * exponential copying of inherited blocks while resolving untrusted
 * policy; the actual check lives in the resolver, not here. */
#define CIL_DEGENERATE_INHERITANCE_DEPTH 10UL
#define CIL_DEGENERATE_INHERITANCE_MINIMUM (0x01 << CIL_DEGENERATE_INHERITANCE_DEPTH)
#define CIL_DEGENERATE_INHERITANCE_GROWTH 10UL

/* Resolution passes in the order they are listed. CIL_PASS_NUM is the
 * number of passes (value = count of the preceding enumerators), not a
 * pass itself; do not dispatch on it. */
enum cil_pass {
	CIL_PASS_INIT = 0,

	CIL_PASS_TIF,
	CIL_PASS_IN_BEFORE,
	CIL_PASS_BLKIN_LINK,
	CIL_PASS_BLKIN_COPY,
	CIL_PASS_BLKABS,
	CIL_PASS_IN_AFTER,
	CIL_PASS_CALL1,
	CIL_PASS_CALL2,
	CIL_PASS_ALIAS1,
	CIL_PASS_ALIAS2,
	CIL_PASS_MISC1,
	CIL_PASS_MLS,
	CIL_PASS_MISC2,
	CIL_PASS_MISC3,

	CIL_PASS_NUM
};


/*
	Keywords

	Pointers to the canonical keyword strings. They are declared as
	non-const `char *`; the definitions (and the strings they point to)
	live in another translation unit. Presumably set once at start-up
	and read-only afterwards — TODO confirm in the defining file before
	writing through any of them.
*/
extern char *CIL_KEY_CONS_T1;
extern char *CIL_KEY_CONS_T2;
extern char *CIL_KEY_CONS_T3;
extern char *CIL_KEY_CONS_R1;
extern char *CIL_KEY_CONS_R2;
extern char *CIL_KEY_CONS_R3;
extern char *CIL_KEY_CONS_U1;
extern char *CIL_KEY_CONS_U2;
extern char *CIL_KEY_CONS_U3;
extern char *CIL_KEY_CONS_L1;
extern char *CIL_KEY_CONS_L2;
extern char *CIL_KEY_CONS_H1;
extern char *CIL_KEY_CONS_H2;
extern char *CIL_KEY_AND;
extern char *CIL_KEY_OR;
extern char *CIL_KEY_NOT;
extern char *CIL_KEY_EQ;
extern char *CIL_KEY_NEQ;
extern char *CIL_KEY_CONS_DOM;
extern char *CIL_KEY_CONS_DOMBY;
extern char *CIL_KEY_CONS_INCOMP;
extern char *CIL_KEY_CONDTRUE;
extern char *CIL_KEY_CONDFALSE;
extern char *CIL_KEY_SELF;
extern char *CIL_KEY_OBJECT_R;
extern char *CIL_KEY_STAR;
extern char *CIL_KEY_TCP;
extern char *CIL_KEY_UDP;
extern char *CIL_KEY_DCCP;
extern char *CIL_KEY_SCTP;
extern char *CIL_KEY_AUDITALLOW;
extern char *CIL_KEY_TUNABLEIF;
extern char *CIL_KEY_ALLOW;
extern char *CIL_KEY_DONTAUDIT;
extern char *CIL_KEY_TYPETRANSITION;
extern char *CIL_KEY_TYPECHANGE;
extern char *CIL_KEY_CALL;
extern char *CIL_KEY_TUNABLE;
extern char *CIL_KEY_XOR;
extern char *CIL_KEY_ALL;
extern char *CIL_KEY_RANGE;
extern char *CIL_KEY_GLOB;
extern char *CIL_KEY_FILE;
extern char *CIL_KEY_DIR;
extern char *CIL_KEY_CHAR;
extern char *CIL_KEY_BLOCK;
extern char *CIL_KEY_SOCKET;
extern char *CIL_KEY_PIPE;
extern char *CIL_KEY_SYMLINK;
extern char *CIL_KEY_ANY;
extern char *CIL_KEY_XATTR;
extern char *CIL_KEY_TASK;
extern char *CIL_KEY_TRANS;
extern char *CIL_KEY_TYPE;
extern char *CIL_KEY_ROLE;
extern char *CIL_KEY_USER;
extern char *CIL_KEY_USERATTRIBUTE;
extern char *CIL_KEY_USERATTRIBUTESET;
extern char *CIL_KEY_SENSITIVITY;
extern char *CIL_KEY_CATEGORY;
extern char *CIL_KEY_CATSET;
extern char *CIL_KEY_LEVEL;
extern char *CIL_KEY_LEVELRANGE;
extern char *CIL_KEY_CLASS;
extern char *CIL_KEY_IPADDR;
extern char *CIL_KEY_MAP_CLASS;
extern char *CIL_KEY_CLASSPERMISSION;
extern char *CIL_KEY_BOOL;
extern char *CIL_KEY_STRING;
extern char *CIL_KEY_NAME;
extern char *CIL_KEY_SOURCE;
extern char *CIL_KEY_TARGET;
extern char *CIL_KEY_LOW;
extern char *CIL_KEY_HIGH;
extern char *CIL_KEY_LOW_HIGH;
extern char *CIL_KEY_GLBLUB;
extern char *CIL_KEY_HANDLEUNKNOWN;
extern char *CIL_KEY_HANDLEUNKNOWN_ALLOW;
extern char *CIL_KEY_HANDLEUNKNOWN_DENY;
extern char *CIL_KEY_HANDLEUNKNOWN_REJECT;
extern char *CIL_KEY_MACRO;
extern char *CIL_KEY_IN;
extern char *CIL_KEY_IN_BEFORE;
extern char *CIL_KEY_IN_AFTER;
extern char *CIL_KEY_MLS;
extern char *CIL_KEY_DEFAULTRANGE;
extern char *CIL_KEY_BLOCKINHERIT;
extern char *CIL_KEY_BLOCKABSTRACT;
extern char *CIL_KEY_CLASSORDER;
extern char *CIL_KEY_CLASSMAPPING;
extern char *CIL_KEY_CLASSPERMISSIONSET;
extern char *CIL_KEY_COMMON;
extern char *CIL_KEY_CLASSCOMMON;
extern char *CIL_KEY_SID;
extern char *CIL_KEY_SIDCONTEXT;
extern char *CIL_KEY_SIDORDER;
extern char *CIL_KEY_USERLEVEL;
extern char *CIL_KEY_USERRANGE;
extern char *CIL_KEY_USERBOUNDS;
extern char *CIL_KEY_USERPREFIX;
extern char *CIL_KEY_SELINUXUSER;
extern char *CIL_KEY_SELINUXUSERDEFAULT;
extern char *CIL_KEY_TYPEATTRIBUTE;
extern char *CIL_KEY_TYPEATTRIBUTESET;
extern char *CIL_KEY_EXPANDTYPEATTRIBUTE;
extern char *CIL_KEY_TYPEALIAS;
extern char *CIL_KEY_TYPEALIASACTUAL;
extern char *CIL_KEY_TYPEBOUNDS;
extern char *CIL_KEY_TYPEPERMISSIVE;
extern char *CIL_KEY_RANGETRANSITION;
extern char *CIL_KEY_USERROLE;
extern char *CIL_KEY_ROLETYPE;
extern char *CIL_KEY_ROLETRANSITION;
extern char *CIL_KEY_ROLEALLOW;
extern char *CIL_KEY_ROLEATTRIBUTE;
extern char *CIL_KEY_ROLEATTRIBUTESET;
extern char *CIL_KEY_ROLEBOUNDS;
extern char *CIL_KEY_BOOLEANIF;
extern char *CIL_KEY_NEVERALLOW;
extern char *CIL_KEY_TYPEMEMBER;
extern char *CIL_KEY_SENSALIAS;
extern char *CIL_KEY_SENSALIASACTUAL;
extern char *CIL_KEY_CATALIAS;
extern char *CIL_KEY_CATALIASACTUAL;
extern char *CIL_KEY_CATORDER;
extern char *CIL_KEY_SENSITIVITYORDER;
extern char *CIL_KEY_SENSCAT;
extern char *CIL_KEY_CONSTRAIN;
extern char *CIL_KEY_MLSCONSTRAIN;
extern char *CIL_KEY_VALIDATETRANS;
extern char *CIL_KEY_MLSVALIDATETRANS;
extern char *CIL_KEY_CONTEXT;
extern char *CIL_KEY_FILECON;
extern char *CIL_KEY_IBPKEYCON;
extern char *CIL_KEY_IBENDPORTCON;
extern char *CIL_KEY_PORTCON;
extern char *CIL_KEY_NODECON;
extern char *CIL_KEY_GENFSCON;
extern char *CIL_KEY_NETIFCON;
extern char *CIL_KEY_PIRQCON;
extern char *CIL_KEY_IOMEMCON;
extern char *CIL_KEY_IOPORTCON;
extern char *CIL_KEY_PCIDEVICECON;
extern char *CIL_KEY_DEVICETREECON;
extern char *CIL_KEY_FSUSE;
extern char *CIL_KEY_POLICYCAP;
extern char *CIL_KEY_OPTIONAL;
extern char *CIL_KEY_DEFAULTUSER;
extern char *CIL_KEY_DEFAULTROLE;
extern char *CIL_KEY_DEFAULTTYPE;
extern char *CIL_KEY_ROOT;
extern char *CIL_KEY_NODE;
extern char *CIL_KEY_PERM;
extern char *CIL_KEY_ALLOWX;
extern char *CIL_KEY_AUDITALLOWX;
extern char *CIL_KEY_DONTAUDITX;
extern char *CIL_KEY_NEVERALLOWX;
extern char *CIL_KEY_PERMISSIONX;
extern char *CIL_KEY_IOCTL;
extern char *CIL_KEY_UNORDERED;
/* Source-location markers (see struct cil_src_info below). */
extern char *CIL_KEY_SRC_INFO;
extern char *CIL_KEY_SRC_CIL;
extern char *CIL_KEY_SRC_HLL_LMS;
extern char *CIL_KEY_SRC_HLL_LMX;
extern char *CIL_KEY_SRC_HLL_LME;

/*
	Symbol Table Array Indices

	Index into the per-scope `symtab_t symtab[CIL_SYM_NUM]` arrays
	declared in the scope structs below. CIL_SYM_NUM is the array
	length. CIL_SYM_UNKNOWN and CIL_SYM_PERMS are deliberately placed
	after it: they are valid return values / flavors but are OUT OF
	BOUNDS for any symtab array, so callers must check for them before
	indexing.
*/
enum cil_sym_index {
	CIL_SYM_BLOCKS = 0,
	CIL_SYM_USERS,
	CIL_SYM_ROLES,
	CIL_SYM_TYPES,
	CIL_SYM_COMMONS,
	CIL_SYM_CLASSES,
	CIL_SYM_CLASSPERMSETS,
	CIL_SYM_BOOLS,
	CIL_SYM_TUNABLES,
	CIL_SYM_SENS,
	CIL_SYM_CATS,
	CIL_SYM_SIDS,
	CIL_SYM_CONTEXTS,
	CIL_SYM_LEVELS,
	CIL_SYM_LEVELRANGES,
	CIL_SYM_POLICYCAPS,
	CIL_SYM_IPADDRS,
	CIL_SYM_NAMES,
	CIL_SYM_PERMX,
	CIL_SYM_NUM,
	CIL_SYM_UNKNOWN,
	CIL_SYM_PERMS // Special case for permissions. This symtab is not included in arrays
};

/* Kinds of scope that own a symtab array; first index of cil_sym_sizes. */
enum cil_sym_array {
	CIL_SYM_ARRAY_ROOT = 0,
	CIL_SYM_ARRAY_BLOCK,
	CIL_SYM_ARRAY_IN,
	CIL_SYM_ARRAY_MACRO,
	CIL_SYM_ARRAY_CONDBLOCK,
	CIL_SYM_ARRAY_NUM
};

/* Per-scope-kind, per-symbol-kind symtab sizes, indexed
 * [enum cil_sym_array][enum cil_sym_index]. */
extern const int cil_sym_sizes[CIL_SYM_ARRAY_NUM][CIL_SYM_NUM];

/* Presumably the hash size for a class's perms symtab — confirm at use site. */
#define CIL_CLASS_SYM_SIZE 256
/* Number of permission bits in one access vector. Assumes CHAR_BIT == 8. */
#define CIL_PERMS_PER_CLASS (sizeof(sepol_access_vector_t) * 8)

/*
 * Top-level compiler state: the parse tree and AST, the explicit ordering
 * lists, the sorted *con collections, value-to-datum lookup tables and the
 * policy options in effect. Owned by cil_db_init()/cil_db_destroy().
 */
struct cil_db {
	struct cil_tree *parse;
	struct cil_tree *ast;
	struct cil_type *selftype;
	struct cil_list *sidorder;
	struct cil_list *classorder;
	struct cil_list *catorder;
	struct cil_list *sensitivityorder;
	struct cil_sort *netifcon;
	struct cil_sort *genfscon;
	struct cil_sort *filecon;
	struct cil_sort *nodecon;
	struct cil_sort *ibpkeycon;
	struct cil_sort *ibendportcon;
	struct cil_sort *portcon;
	struct cil_sort *pirqcon;
	struct cil_sort *iomemcon;
	struct cil_sort *ioportcon;
	struct cil_sort *pcidevicecon;
	struct cil_sort *devicetreecon;
	struct cil_sort *fsuse;
	struct cil_list *userprefixes;
	struct cil_list *selinuxusers;
	struct cil_list *names;
	/* Counts used to size the val_to_* tables below; assigned values are
	 * presumably 1-based as in sepol — TODO confirm before indexing. */
	int num_types_and_attrs;
	int num_classes;
	int num_cats;
	int num_types;
	int num_roles;
	int num_users;
	struct cil_type **val_to_type;
	struct cil_role **val_to_role;
	struct cil_user **val_to_user;
	/* Policy options. Flags are plain ints; only 0/non-zero is visible here. */
	int disable_dontaudit;
	int disable_neverallow;
	int attrs_expand_generated;
	unsigned attrs_expand_size;
	int preserve_tunables;
	int handle_unknown;
	int mls;
	int multiple_decls;
	int qualified_names;
	int target_platform;
	int policy_version;
};

/* Global scope: the root symbol tables. */
struct cil_root {
	symtab_t symtab[CIL_SYM_NUM];
};

/*
 * Array of nodes of one flavor (used for the *con statements in cil_db).
 * count and index are both uint32_t; which one is the allocated length and
 * which the fill position is not visible in this header — confirm before
 * walking `array`.
 */
struct cil_sort {
	enum cil_flavor flavor;
	uint32_t count;
	uint32_t index;
	void **array;
};

/* A named scope with its own symtabs; bi_nodes tracks blockinherit users. */
struct cil_block {
	struct cil_symtab_datum datum;
	symtab_t symtab[CIL_SYM_NUM];
	uint16_t is_abstract;
	struct cil_list *bi_nodes;
};

/* String reference resolved to a block in a later pass (block is NULL until then). */
struct cil_blockinherit {
	char *block_str;
	struct cil_block *block;
};

struct cil_blockabstract {
	char *block_str;
};

/* An (in ...) statement: is_after selects the IN_BEFORE/IN_AFTER pass
 * (presumably; see enum cil_pass). */
struct cil_in {
	symtab_t symtab[CIL_SYM_NUM];
	int is_after;
	char *block_str;
};

struct cil_optional {
	struct cil_symtab_datum datum;
};

struct cil_perm {
	struct cil_symtab_datum datum;
	unsigned int value;
	struct cil_list *classperms; /* Only used for map perms */
};

struct cil_class {
	struct cil_symtab_datum datum;
	symtab_t perms;
	unsigned int num_perms;
	struct cil_class *common; /* Only used for kernel class */
	uint32_t ordered; /* Only used for kernel class */
};

struct cil_classorder {
	struct cil_list *class_list_str;
};

struct cil_classperms_set {
	char *set_str;
	struct cil_classpermission *set;
};

/* Class plus permission list; the *_str fields hold the unresolved names,
 * the pointer fields are filled in by resolution. */
struct cil_classperms {
	char *class_str;
	struct cil_class *class;
	struct cil_list *perm_strs;
	struct cil_list *perms;
};

struct cil_classpermission {
	struct cil_symtab_datum datum;
	struct cil_list *classperms;
};

struct cil_classpermissionset {
	char *set_str;
	struct cil_list *classperms;
};

struct cil_classmapping {
	char *map_class_str;
	char *map_perm_str;
	struct cil_list *classperms;
};

struct cil_classcommon {
	char *class_str;
	char *common_str;
};

/* Shared alias record; `actual` is untyped — the node flavor tells the
 * caller what it points to. */
struct cil_alias {
	struct cil_symtab_datum datum;
	void *actual;
};

struct cil_aliasactual {
	char *alias_str;
	char *actual_str;
};

struct cil_sid {
	struct cil_symtab_datum datum;
	struct cil_context *context;
	uint32_t ordered;
};

struct cil_sidcontext {
	char *sid_str;
	char *context_str;
	struct cil_context *context;
};

struct cil_sidorder {
	struct cil_list *sid_list_str;
};

struct cil_user {
	struct cil_symtab_datum datum;
	struct cil_user *bounds;
	ebitmap_t *roles;
	struct cil_level *dftlevel;
	struct cil_levelrange *range;
	int value;
};

struct cil_userattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *users;
};

struct cil_userattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_userrole {
	char *user_str;
	void *user;
	char *role_str;
	void *role;
};

struct cil_userlevel {
	char *user_str;
	char *level_str;
	struct cil_level *level;
};

struct cil_userrange {
	char *user_str;
	char *range_str;
	struct cil_levelrange *range;
};

struct cil_userprefix {
	char *user_str;
	struct cil_user *user;
	char *prefix_str;
};

struct cil_selinuxuser {
	char *name_str;
	char *user_str;
	struct cil_user *user;
	char *range_str;
	struct cil_levelrange *range;
};

struct cil_role {
	struct cil_symtab_datum datum;
	struct cil_role *bounds;
	ebitmap_t *types;
	int value;
};

struct cil_roleattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *roles;
};

struct cil_roleattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_roletype {
	char *role_str;
	void *role; /* role or attribute */
	char *type_str;
	void *type; /* type, alias, or attribute */
};

struct cil_type {
	struct cil_symtab_datum datum;
	struct cil_type *bounds;
	int value;
};

/* Bit flags recording where a type attribute is referenced (stored in
 * struct cil_typeattribute.used). */
#define CIL_ATTR_AVRULE (1 << 0)
#define CIL_ATTR_NEVERALLOW (1 << 1)
#define CIL_ATTR_CONSTRAINT (1 << 2)
#define CIL_ATTR_EXPAND_TRUE (1 << 3)
#define CIL_ATTR_EXPAND_FALSE (1 << 4)
struct cil_typeattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *types;
	int used; // whether or not this attribute was used in a binary policy rule
	int keep;
};

struct cil_typeattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_expandtypeattribute {
	struct cil_list *attr_strs;
	struct cil_list *attr_datums;
	int expand;
};

struct cil_typepermissive {
	char *type_str;
	void *type; /* type or alias */
};

struct cil_name {
	struct cil_symtab_datum datum;
	char *name_str;
};

struct cil_nametypetransition {
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *name_str;
	struct cil_name *name;
	char *result_str;
	void *result; /* type or alias */
};

struct cil_rangetransition {
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *exec_str;
	void *exec; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *range_str;
	struct cil_levelrange *range;
};

struct cil_bool {
	struct cil_symtab_datum datum;
	uint16_t value;
};

struct cil_tunable {
	struct cil_symtab_datum datum;
	uint16_t value;
};

/* AV rule kinds. The numeric values appear to mirror sepol's AVRULE_*
 * constants; CIL_AVRULE_AV is written in terms of the sepol names
 * directly and therefore depends on <sepol/policydb/policydb.h> above. */
#define CIL_AVRULE_ALLOWED 1
#define CIL_AVRULE_AUDITALLOW 2
#define CIL_AVRULE_DONTAUDIT 8
#define CIL_AVRULE_NEVERALLOW 128
#define CIL_AVRULE_AV (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW)
/*
 * An allow/auditallow/dontaudit/neverallow rule. `perms` is a union:
 * is_extended presumably selects between `classperms` (ordinary rules)
 * and `x` (extended-permission rules, allowx etc.) — only read the member
 * matching is_extended.
 */
struct cil_avrule {
	int is_extended;
	uint32_t rule_kind;
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	union {
		struct cil_list *classperms;
		struct {
			char *permx_str;
			struct cil_permissionx *permx;
		} x;
	} perms;
};

/* Only extended-permission kind defined so far. */
#define CIL_PERMX_KIND_IOCTL 1
struct cil_permissionx {
	struct cil_symtab_datum datum;
	uint32_t kind;
	char *obj_str;
	struct cil_class *obj;
	struct cil_list *expr_str;
	ebitmap_t *perms;
};

/* Type rule kinds; same relationship to sepol's AVRULE_* as above. */
#define CIL_TYPE_TRANSITION 16
#define CIL_TYPE_MEMBER 32
#define CIL_TYPE_CHANGE 64
#define CIL_AVRULE_TYPE (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE)
struct cil_type_rule {
	uint32_t rule_kind;
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *result_str;
	void *result; /* type or alias */
};

struct cil_roletransition {
	char *src_str;
	struct cil_role *src;
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *result_str;
	struct cil_role *result;
};

struct cil_roleallow {
	char *src_str;
	void *src; /* role or attribute */
	char *tgt_str;
	void *tgt; /* role or attribute */
};

struct cil_sens {
	struct cil_symtab_datum datum;
	struct cil_list *cats_list;
	uint32_t ordered;
};

struct cil_sensorder {
	struct cil_list *sens_list_str;
};

struct cil_cat {
	struct cil_symtab_datum datum;
	uint32_t ordered;
	int value;
};

/* Category expression; `evaluated` is a flag that datum_expr has been
 * computed from str_expr (inferred from the name — confirm). */
struct cil_cats {
	uint32_t evaluated;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_catset {
	struct cil_symtab_datum datum;
	struct cil_cats *cats;
};

struct cil_catorder {
	struct cil_list *cat_list_str;
};

struct cil_senscat {
	char *sens_str;
	struct cil_cats *cats;
};

struct cil_level {
	struct cil_symtab_datum datum;
	char *sens_str;
	struct cil_sens *sens;
	struct cil_cats *cats;
};

struct cil_levelrange {
	struct cil_symtab_datum datum;
	char *low_str;
	struct cil_level *low;
	char *high_str;
	struct cil_level *high;
};

struct cil_context {
	struct cil_symtab_datum datum;
	char *user_str;
	struct cil_user *user;
	char *role_str;
	struct cil_role *role;
	char *type_str;
	void *type; /* type or alias */
	char *range_str;
	struct cil_levelrange *range;
};

/* Note: starts at 1, so 0 is never a valid filecon type. */
enum cil_filecon_types {
	CIL_FILECON_FILE = 1,
	CIL_FILECON_DIR,
	CIL_FILECON_CHAR,
	CIL_FILECON_BLOCK,
	CIL_FILECON_SOCKET,
	CIL_FILECON_PIPE,
	CIL_FILECON_SYMLINK,
	CIL_FILECON_ANY
};

struct cil_filecon {
	char *path_str;
	enum cil_filecon_types type;
	char *context_str;
	struct cil_context *context;
};

/* Note: starts at 1, so 0 is never a valid protocol. */
enum cil_protocol {
	CIL_PROTOCOL_UDP = 1,
	CIL_PROTOCOL_TCP,
	CIL_PROTOCOL_DCCP,
	CIL_PROTOCOL_SCTP
};

struct cil_ibpkeycon {
	char *subnet_prefix_str;
	uint32_t pkey_low;
	uint32_t pkey_high;
	char *context_str;
	struct cil_context *context;
};

/* Port range is stored as uint32_t; whether the 16-bit port bound is
 * enforced is not visible here — check the builder. */
struct cil_portcon {
	enum cil_protocol proto;
	uint32_t port_low;
	uint32_t port_high;
	char *context_str;
	struct cil_context *context;
};

struct cil_nodecon {
	char *addr_str;
	struct cil_ipaddr *addr;
	char *mask_str;
	struct cil_ipaddr *mask;
	char *context_str;
	struct cil_context *context;
};

/*
 * IP address. `family` discriminates the union (presumably AF_INET →
 * ip.v4, AF_INET6 → ip.v6, from <arpa/inet.h>); reading the member that
 * does not match `family` yields garbage, so always check it first.
 */
struct cil_ipaddr {
	struct cil_symtab_datum datum;
	int family;
	union {
		struct in_addr v4;
		struct in6_addr v6;
	} ip;
};

struct cil_genfscon {
	char *fs_str;
	char *path_str;
	char *context_str;
	struct cil_context *context;
};

struct cil_netifcon {
	char *interface_str;
	char *if_context_str;
	struct cil_context *if_context;
	char *packet_context_str;
	struct cil_context *packet_context;
	char *context_str;
};

struct cil_ibendportcon {
	char *dev_name_str;
	uint32_t port;
	char *context_str;
	struct cil_context *context;
};

struct cil_pirqcon {
	uint32_t pirq;
	char *context_str;
	struct cil_context *context;
};

struct cil_iomemcon {
	uint64_t iomem_low;
	uint64_t iomem_high;
	char *context_str;
	struct cil_context *context;
};

struct cil_ioportcon {
	uint32_t ioport_low;
	uint32_t ioport_high;
	char *context_str;
	struct cil_context *context;
};

struct cil_pcidevicecon {
	uint32_t dev;
	char *context_str;
	struct cil_context *context;
};

struct cil_devicetreecon {
	char *path;
	char *context_str;
	struct cil_context *context;
};


/* Ensure that CIL uses the same values as sepol services.h */
enum cil_fsuse_types {
	CIL_FSUSE_XATTR = SECURITY_FS_USE_XATTR,
	CIL_FSUSE_TASK = SECURITY_FS_USE_TASK,
	CIL_FSUSE_TRANS = SECURITY_FS_USE_TRANS
};

struct cil_fsuse {
	enum cil_fsuse_types type;
	char *fs_str;
	char *context_str;
	struct cil_context *context;
};

/* Constraint vocabulary, for diagnostics. CIL_MLSCONSTRAIN_KEYS is formed
 * by adjacent-literal concatenation and therefore expands to
 * "l1 l2 h1 h2t1 t2 r1 r2 u1 u2" — there is no separator between "h2" and
 * "t1". Harmless if the string is only ever printed; anything that
 * tokenizes it would mis-split. Confirm at the use sites. */
#define CIL_MLS_LEVELS "l1 l2 h1 h2"
#define CIL_CONSTRAIN_KEYS "t1 t2 r1 r2 u1 u2"
#define CIL_MLSCONSTRAIN_KEYS CIL_MLS_LEVELS CIL_CONSTRAIN_KEYS
#define CIL_CONSTRAIN_OPER "== != eq dom domby incomp not and or"
struct cil_constrain {
	struct cil_list *classperms;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_validatetrans {
	char *class_str;
	struct cil_class *class;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

/* Macro formal parameter: name plus the flavor it accepts. */
struct cil_param {
	char *str;
	enum cil_flavor flavor;
};

struct cil_macro {
	struct cil_symtab_datum datum;
	symtab_t symtab[CIL_SYM_NUM];
	struct cil_list *params;
};

/* Macro actual argument; flavor is expected to match the cil_param it binds to. */
struct cil_args {
	char *arg_str;
	struct cil_symtab_datum *arg;
	char *param_str;
	enum cil_flavor flavor;
};

/* A macro invocation; `copied` presumably marks that the body has been
 * expanded (see CIL_PASS_CALL1/CALL2) — confirm. */
struct cil_call {
	char *macro_str;
	struct cil_macro *macro;
	struct cil_tree *args_tree;
	struct cil_list *args;
	int copied;
};

#define CIL_TRUE 1
#define CIL_FALSE 0

/* One branch of a booleanif/tunableif, with its own scope. */
struct cil_condblock {
	enum cil_flavor flavor;
	symtab_t symtab[CIL_SYM_NUM];
};

struct cil_booleanif {
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
	int preserved_tunable;
};

struct cil_tunableif {
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_policycap {
	struct cil_symtab_datum datum;
};

struct cil_bounds {
	char *parent_str;
	char *child_str;
};

/* Ensure that CIL uses the same values as sepol policydb.h */
enum cil_default_object {
	CIL_DEFAULT_SOURCE = DEFAULT_SOURCE,
	CIL_DEFAULT_TARGET = DEFAULT_TARGET,
};

/* Default labeling behavior for users, roles, and types */
struct cil_default {
	enum cil_flavor flavor;
	struct cil_list *class_strs;
	struct cil_list *class_datums;
	enum cil_default_object object;
};

/* Ensure that CIL uses the same values as sepol policydb.h */
enum cil_default_object_range {
	CIL_DEFAULT_SOURCE_LOW = DEFAULT_SOURCE_LOW,
	CIL_DEFAULT_SOURCE_HIGH = DEFAULT_SOURCE_HIGH,
	CIL_DEFAULT_SOURCE_LOW_HIGH = DEFAULT_SOURCE_LOW_HIGH,
	CIL_DEFAULT_TARGET_LOW = DEFAULT_TARGET_LOW,
	CIL_DEFAULT_TARGET_HIGH = DEFAULT_TARGET_HIGH,
	CIL_DEFAULT_TARGET_LOW_HIGH = DEFAULT_TARGET_LOW_HIGH,
	CIL_DEFAULT_GLBLUB = DEFAULT_GLBLUB,
};

/* Default labeling behavior for range */
struct cil_defaultrange {
	struct cil_list *class_strs;
	struct cil_list *class_datums;
	enum cil_default_object_range object_range;
};

struct cil_handleunknown {
	int handle_unknown;
};

struct cil_mls {
	int value;
};

/* Source-position annotation carried in the tree. `kind` is presumably one
 * of the CIL_KEY_SRC_* keyword strings; `path` is the originating file. */
struct cil_src_info {
	char *kind;
	uint32_t hll_line;
	char *path;
};

/* Allocate / free the top-level database. Both take a pointer-to-pointer;
 * destroy presumably clears *db as well — confirm in the definition. */
void cil_db_init(struct cil_db **db);
void cil_db_destroy(struct cil_db **db);
void cil_root_init(struct cil_root **root);
void cil_root_destroy(struct cil_root *root);

/* Free a node payload. `flavor` is the only type information available,
 * so it must describe the actual object behind *data; a mismatch is a
 * type confusion (wrong free path). */
void cil_destroy_data(void **data, enum cil_flavor flavor);

/* Map a node flavor to its symtab index. Returns an int status; on
 * success *index is set. Note the result may be a value that is not a
 * valid array index (see enum cil_sym_index) — callers must check. */
int cil_flavor_to_symtab_index(enum cil_flavor flavor, enum cil_sym_index *index);
const char * cil_node_to_string(struct cil_tree_node *node);

/* Serialize db contents into a newly produced buffer (*out, *size).
 * Ownership of *out presumably passes to the caller — confirm who frees. */
int cil_userprefixes_to_string(struct cil_db *db, char **out, size_t *size);
int cil_selinuxusers_to_string(struct cil_db *db, char **out, size_t *size);
int cil_filecons_to_string(struct cil_db *db, char **out, size_t *size);

/* symtab array helpers; `symtab` must have CIL_SYM_NUM entries. */
void cil_symtab_array_init(symtab_t symtab[], const int symtab_sizes[CIL_SYM_NUM]);
void cil_symtab_array_destroy(symtab_t symtab[]);
void cil_destroy_ast_symtabs(struct cil_tree_node *root);
int cil_get_symtab(struct cil_tree_node *ast_node, symtab_t **symtab, enum cil_sym_index sym_index);
/* Bounded string → integer conversion with explicit base; returns an int
 * status so callers can reject malformed or out-of-range input instead of
 * silently using a clamped value. Exact error codes are not visible here. */
int cil_string_to_uint32(const char *string, uint32_t *value, int base);
int cil_string_to_uint64(const char *string, uint64_t *value, int base);

/*
 * Constructors for node payloads. Each allocates one object and stores it
 * through the out-parameter (allocation policy presumably comes from
 * cil_mem.h — confirm there). The *_str fields are expected to be filled
 * by the builder and the pointer fields by the resolver passes.
 */
void cil_sort_init(struct cil_sort **sort);
void cil_sort_destroy(struct cil_sort **sort);
void cil_netifcon_init(struct cil_netifcon **netifcon);
void cil_ibendportcon_init(struct cil_ibendportcon **ibendportcon);
void cil_context_init(struct cil_context **context);
void cil_level_init(struct cil_level **level);
void cil_levelrange_init(struct cil_levelrange **lvlrange);
void cil_sens_init(struct cil_sens **sens);
void cil_block_init(struct cil_block **block);
void cil_blockinherit_init(struct cil_blockinherit **inherit);
void cil_blockabstract_init(struct cil_blockabstract **abstract);
void cil_in_init(struct cil_in **in);
void cil_class_init(struct cil_class **class);
void cil_classorder_init(struct cil_classorder **classorder);
void cil_classcommon_init(struct cil_classcommon **classcommon);
void cil_sid_init(struct cil_sid **sid);
void cil_sidcontext_init(struct cil_sidcontext **sidcontext);
void cil_sidorder_init(struct cil_sidorder **sidorder);
void cil_userrole_init(struct cil_userrole **userrole);
void cil_userprefix_init(struct cil_userprefix **userprefix);
void cil_selinuxuser_init(struct cil_selinuxuser **selinuxuser);
void cil_roleattribute_init(struct cil_roleattribute **attribute);
void cil_roleattributeset_init(struct cil_roleattributeset **attrset);
void cil_roletype_init(struct cil_roletype **roletype);
void cil_typeattribute_init(struct cil_typeattribute **attribute);
void cil_typeattributeset_init(struct cil_typeattributeset **attrset);
void cil_expandtypeattribute_init(struct cil_expandtypeattribute **expandattr);
void cil_alias_init(struct cil_alias **alias);
void cil_aliasactual_init(struct cil_aliasactual **aliasactual);
void cil_typepermissive_init(struct cil_typepermissive **typeperm);
void cil_name_init(struct cil_name **name);
void cil_nametypetransition_init(struct cil_nametypetransition **nametypetrans);
void cil_rangetransition_init(struct cil_rangetransition **rangetrans);
void cil_bool_init(struct cil_bool **cilbool);
void cil_boolif_init(struct cil_booleanif **bif);
void cil_condblock_init(struct cil_condblock **cb);
void cil_tunable_init(struct cil_tunable **ciltun);
void cil_tunif_init(struct cil_tunableif **tif);
void cil_avrule_init(struct cil_avrule **avrule);
void cil_permissionx_init(struct cil_permissionx **permx);
void cil_type_rule_init(struct cil_type_rule **type_rule);
void cil_roletransition_init(struct cil_roletransition **roletrans);
void cil_roleallow_init(struct cil_roleallow **role_allow);
void cil_catset_init(struct cil_catset **catset);
void cil_cats_init(struct cil_cats **cats);
void cil_senscat_init(struct cil_senscat **senscat);
void cil_filecon_init(struct cil_filecon **filecon);
void cil_ibpkeycon_init(struct cil_ibpkeycon **ibpkeycon);
void cil_portcon_init(struct cil_portcon **portcon);
void cil_nodecon_init(struct cil_nodecon **nodecon);
void cil_genfscon_init(struct cil_genfscon **genfscon);
void cil_pirqcon_init(struct cil_pirqcon **pirqcon);
void cil_iomemcon_init(struct cil_iomemcon **iomemcon);
void cil_ioportcon_init(struct cil_ioportcon **ioportcon);
void cil_pcidevicecon_init(struct cil_pcidevicecon **pcidevicecon);
void cil_devicetreecon_init(struct cil_devicetreecon **devicetreecon);
void cil_fsuse_init(struct cil_fsuse **fsuse);
void cil_constrain_init(struct cil_constrain **constrain);
void cil_validatetrans_init(struct cil_validatetrans **validtrans);
void cil_ipaddr_init(struct cil_ipaddr **ipaddr);
void cil_perm_init(struct cil_perm **perm);
void cil_classpermission_init(struct cil_classpermission **cp);
void cil_classpermissionset_init(struct cil_classpermissionset **cps);
void cil_classperms_set_init(struct cil_classperms_set **cp_set);
void cil_classperms_init(struct cil_classperms **cp);
void cil_classmapping_init(struct cil_classmapping **mapping);
void cil_user_init(struct cil_user **user);
void cil_userlevel_init(struct cil_userlevel **usrlvl);
void cil_userrange_init(struct cil_userrange **userrange);
void cil_role_init(struct cil_role **role);
void cil_type_init(struct cil_type **type);
void cil_cat_init(struct cil_cat **cat);
void cil_catorder_init(struct cil_catorder **catorder);
void cil_sensorder_init(struct cil_sensorder **sensorder);
void cil_args_init(struct cil_args **args);
void cil_call_init(struct cil_call **call);
void cil_optional_init(struct cil_optional **optional);
void cil_param_init(struct cil_param **param);
void cil_macro_init(struct cil_macro **macro);
void cil_policycap_init(struct cil_policycap **policycap);
void cil_bounds_init(struct cil_bounds **bounds);
/* Remaining payload constructors (same out-parameter convention as above). */
void cil_default_init(struct cil_default **def);
void cil_defaultrange_init(struct cil_defaultrange **def);
void cil_handleunknown_init(struct cil_handleunknown **unk);
void cil_mls_init(struct cil_mls **mls);
void cil_src_info_init(struct cil_src_info **info);
void cil_userattribute_init(struct cil_userattribute **attribute);
void cil_userattributeset_init(struct cil_userattributeset **attrset);

#endif /* CIL_INTERNAL_H_ */