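/*
 * Copyright 2011 Tresys Technology, LLC. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 *    1. Redistributions of source code must retain the above copyright notice,
 *       this list of conditions and the following disclaimer.
 *
 *    2. Redistributions in binary form must reproduce the above copyright notice,
 *       this list of conditions and the following disclaimer in the documentation
 *       and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY TRESYS TECHNOLOGY, LLC ``AS IS'' AND ANY EXPRESS
 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
 * EVENT SHALL TRESYS TECHNOLOGY, LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * The views and conclusions contained in the software and documentation are those
 * of the authors and should not be interpreted as representing official policies,
 * either expressed or implied, of Tresys Technology, LLC.
 */

/*
 * Internal data model of the CIL compiler: the compiler database, the
 * per-statement AST node structs, the keyword string table, and the
 * init/destroy prototypes for each of them.
 *
 * Convention visible throughout this file: a statement struct carries a
 * "<name>_str" field next to a typed pointer (e.g. block_str / block).
 * Presumably the string is what the parser saw and the pointer is filled in
 * by a later resolution pass (see enum cil_pass) -- verify in cil_resolve_ast.
 */

#ifndef CIL_INTERNAL_H_
#define CIL_INTERNAL_H_

#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <arpa/inet.h>

#include <sepol/policydb/services.h>
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/flask_types.h>

#include <cil/cil.h>

#include "cil_flavor.h"
#include "cil_tree.h"
#include "cil_symtab.h"
#include "cil_mem.h"

/* Upper bound on the length of an identifier accepted from CIL source. */
#define CIL_MAX_NAME_LENGTH 2048


/*
 * Compiler passes, in execution order. CIL_PASS_NUM is the count and is
 * not itself a pass.
 */
enum cil_pass {
	CIL_PASS_INIT = 0,

	CIL_PASS_TIF,
	CIL_PASS_IN,
	CIL_PASS_BLKIN_LINK,
	CIL_PASS_BLKIN_COPY,
	CIL_PASS_BLKABS,
	CIL_PASS_MACRO,
	CIL_PASS_CALL1,
	CIL_PASS_CALL2,
	CIL_PASS_ALIAS1,
	CIL_PASS_ALIAS2,
	CIL_PASS_MISC1,
	CIL_PASS_MLS,
	CIL_PASS_MISC2,
	CIL_PASS_MISC3,

	CIL_PASS_NUM
};


/*
	Keywords

	NOTE(review): these are tentative definitions, not `extern` declarations,
	so every translation unit that includes this header defines each symbol.
	Linking then depends on the toolchain merging common symbols (-fcommon),
	which is not the default on newer compilers. The portable fix is `extern`
	here plus one definition in a .c file; that definition lives outside this
	file, so the declarations are left unchanged here.
*/
char *CIL_KEY_CONS_T1;
char *CIL_KEY_CONS_T2;
char *CIL_KEY_CONS_T3;
char *CIL_KEY_CONS_R1;
char *CIL_KEY_CONS_R2;
char *CIL_KEY_CONS_R3;
char *CIL_KEY_CONS_U1;
char *CIL_KEY_CONS_U2;
char *CIL_KEY_CONS_U3;
char *CIL_KEY_CONS_L1;
char *CIL_KEY_CONS_L2;
char *CIL_KEY_CONS_H1;
char *CIL_KEY_CONS_H2;
char *CIL_KEY_AND;
char *CIL_KEY_OR;
char *CIL_KEY_NOT;
char *CIL_KEY_EQ;
char *CIL_KEY_NEQ;
char *CIL_KEY_CONS_DOM;
char *CIL_KEY_CONS_DOMBY;
char *CIL_KEY_CONS_INCOMP;
char *CIL_KEY_CONDTRUE;
char *CIL_KEY_CONDFALSE;
char *CIL_KEY_SELF;
char *CIL_KEY_OBJECT_R;
char *CIL_KEY_STAR;
char *CIL_KEY_TCP;
char *CIL_KEY_UDP;
char *CIL_KEY_DCCP;
char *CIL_KEY_SCTP;
char *CIL_KEY_AUDITALLOW;
char *CIL_KEY_TUNABLEIF;
char *CIL_KEY_ALLOW;
char *CIL_KEY_DONTAUDIT;
char *CIL_KEY_TYPETRANSITION;
char *CIL_KEY_TYPECHANGE;
char *CIL_KEY_CALL;
char *CIL_KEY_TUNABLE;
char *CIL_KEY_XOR;
char *CIL_KEY_ALL;
char *CIL_KEY_RANGE;
char *CIL_KEY_GLOB;
char *CIL_KEY_FILE;
char *CIL_KEY_DIR;
char *CIL_KEY_CHAR;
char *CIL_KEY_BLOCK;
char *CIL_KEY_SOCKET;
char *CIL_KEY_PIPE;
char *CIL_KEY_SYMLINK;
char *CIL_KEY_ANY;
char *CIL_KEY_XATTR;
char *CIL_KEY_TASK;
char *CIL_KEY_TRANS;
char *CIL_KEY_TYPE;
char *CIL_KEY_ROLE;
char *CIL_KEY_USER;
char *CIL_KEY_USERATTRIBUTE;
char *CIL_KEY_USERATTRIBUTESET;
char *CIL_KEY_SENSITIVITY;
char *CIL_KEY_CATEGORY;
char *CIL_KEY_CATSET;
char *CIL_KEY_LEVEL;
char *CIL_KEY_LEVELRANGE;
char *CIL_KEY_CLASS;
char *CIL_KEY_IPADDR;
char *CIL_KEY_MAP_CLASS;
char *CIL_KEY_CLASSPERMISSION;
char *CIL_KEY_BOOL;
char *CIL_KEY_STRING;
char *CIL_KEY_NAME;
char *CIL_KEY_SOURCE;
char *CIL_KEY_TARGET;
char *CIL_KEY_LOW;
char *CIL_KEY_HIGH;
char *CIL_KEY_LOW_HIGH;
char *CIL_KEY_HANDLEUNKNOWN;
char *CIL_KEY_HANDLEUNKNOWN_ALLOW;
char *CIL_KEY_HANDLEUNKNOWN_DENY;
char *CIL_KEY_HANDLEUNKNOWN_REJECT;
char *CIL_KEY_MACRO;
char *CIL_KEY_IN;
char *CIL_KEY_MLS;
char *CIL_KEY_DEFAULTRANGE;
char *CIL_KEY_BLOCKINHERIT;
char *CIL_KEY_BLOCKABSTRACT;
char *CIL_KEY_CLASSORDER;
char *CIL_KEY_CLASSMAPPING;
char *CIL_KEY_CLASSPERMISSIONSET;
char *CIL_KEY_COMMON;
char *CIL_KEY_CLASSCOMMON;
char *CIL_KEY_SID;
char *CIL_KEY_SIDCONTEXT;
char *CIL_KEY_SIDORDER;
char *CIL_KEY_USERLEVEL;
char *CIL_KEY_USERRANGE;
char *CIL_KEY_USERBOUNDS;
char *CIL_KEY_USERPREFIX;
char *CIL_KEY_SELINUXUSER;
char *CIL_KEY_SELINUXUSERDEFAULT;
char *CIL_KEY_TYPEATTRIBUTE;
char *CIL_KEY_TYPEATTRIBUTESET;
char *CIL_KEY_EXPANDTYPEATTRIBUTE;
char *CIL_KEY_TYPEALIAS;
char *CIL_KEY_TYPEALIASACTUAL;
char *CIL_KEY_TYPEBOUNDS;
char *CIL_KEY_TYPEPERMISSIVE;
char *CIL_KEY_RANGETRANSITION;
char *CIL_KEY_USERROLE;
char *CIL_KEY_ROLETYPE;
char *CIL_KEY_ROLETRANSITION;
char *CIL_KEY_ROLEALLOW;
char *CIL_KEY_ROLEATTRIBUTE;
char *CIL_KEY_ROLEATTRIBUTESET;
char *CIL_KEY_ROLEBOUNDS;
char *CIL_KEY_BOOLEANIF;
char *CIL_KEY_NEVERALLOW;
char *CIL_KEY_TYPEMEMBER;
char *CIL_KEY_SENSALIAS;
char *CIL_KEY_SENSALIASACTUAL;
char *CIL_KEY_CATALIAS;
char *CIL_KEY_CATALIASACTUAL;
char *CIL_KEY_CATORDER;
char *CIL_KEY_SENSITIVITYORDER;
char *CIL_KEY_SENSCAT;
char *CIL_KEY_CONSTRAIN;
char *CIL_KEY_MLSCONSTRAIN;
char *CIL_KEY_VALIDATETRANS;
char *CIL_KEY_MLSVALIDATETRANS;
char *CIL_KEY_CONTEXT;
char *CIL_KEY_FILECON;
char *CIL_KEY_IBPKEYCON;
char *CIL_KEY_IBENDPORTCON;
char *CIL_KEY_PORTCON;
char *CIL_KEY_NODECON;
char *CIL_KEY_GENFSCON;
char *CIL_KEY_NETIFCON;
char *CIL_KEY_PIRQCON;
char *CIL_KEY_IOMEMCON;
char *CIL_KEY_IOPORTCON;
char *CIL_KEY_PCIDEVICECON;
char *CIL_KEY_DEVICETREECON;
char *CIL_KEY_FSUSE;
char *CIL_KEY_POLICYCAP;
char *CIL_KEY_OPTIONAL;
char *CIL_KEY_DEFAULTUSER;
char *CIL_KEY_DEFAULTROLE;
char *CIL_KEY_DEFAULTTYPE;
char *CIL_KEY_ROOT;
char *CIL_KEY_NODE;
char *CIL_KEY_PERM;
char *CIL_KEY_ALLOWX;
char *CIL_KEY_AUDITALLOWX;
char *CIL_KEY_DONTAUDITX;
char *CIL_KEY_NEVERALLOWX;
char *CIL_KEY_PERMISSIONX;
char *CIL_KEY_IOCTL;
char *CIL_KEY_UNORDERED;
char *CIL_KEY_SRC_INFO;
char *CIL_KEY_SRC_CIL;
char *CIL_KEY_SRC_HLL;

/*
	Symbol Table Array Indices

	Everything before CIL_SYM_NUM indexes the symtab[CIL_SYM_NUM] arrays
	embedded in cil_root, cil_block, cil_in, cil_macro and cil_condblock.
*/
enum cil_sym_index {
	CIL_SYM_BLOCKS = 0,
	CIL_SYM_USERS,
	CIL_SYM_ROLES,
	CIL_SYM_TYPES,
	CIL_SYM_COMMONS,
	CIL_SYM_CLASSES,
	CIL_SYM_CLASSPERMSETS,
	CIL_SYM_BOOLS,
	CIL_SYM_TUNABLES,
	CIL_SYM_SENS,
	CIL_SYM_CATS,
	CIL_SYM_SIDS,
	CIL_SYM_CONTEXTS,
	CIL_SYM_LEVELS,
	CIL_SYM_LEVELRANGES,
	CIL_SYM_POLICYCAPS,
	CIL_SYM_IPADDRS,
	CIL_SYM_NAMES,
	CIL_SYM_PERMX,
	CIL_SYM_NUM,
	CIL_SYM_UNKNOWN,
	CIL_SYM_PERMS	// Special case for permissions. This symtab is not included in arrays
};

/* Which kind of scope owns a symtab array; first index of cil_sym_sizes. */
enum cil_sym_array {
	CIL_SYM_ARRAY_ROOT = 0,
	CIL_SYM_ARRAY_BLOCK,
	CIL_SYM_ARRAY_IN,
	CIL_SYM_ARRAY_MACRO,
	CIL_SYM_ARRAY_CONDBLOCK,
	CIL_SYM_ARRAY_NUM
};

/* Initial table sizes per scope kind and symbol kind; defined in a .c file. */
extern int cil_sym_sizes[CIL_SYM_ARRAY_NUM][CIL_SYM_NUM];

#define CIL_CLASS_SYM_SIZE	256
/* Bits in one sepol access vector; one bit per permission of a class. */
#define CIL_PERMS_PER_CLASS (sizeof(sepol_access_vector_t) * 8)

/*
 * The compiler database: parse tree, AST, ordering lists, the sorted
 * context statements, value-to-datum lookup tables and the policy
 * options selected for this compilation.
 */
struct cil_db {
	struct cil_tree *parse;
	struct cil_tree *ast;
	struct cil_type *selftype;
	struct cil_list *sidorder;
	struct cil_list *classorder;
	struct cil_list *catorder;
	struct cil_list *sensitivityorder;
	struct cil_sort *netifcon;
	struct cil_sort *genfscon;
	struct cil_sort *filecon;
	struct cil_sort *nodecon;
	struct cil_sort *ibpkeycon;
	struct cil_sort *ibendportcon;
	struct cil_sort *portcon;
	struct cil_sort *pirqcon;
	struct cil_sort *iomemcon;
	struct cil_sort *ioportcon;
	struct cil_sort *pcidevicecon;
	struct cil_sort *devicetreecon;
	struct cil_sort *fsuse;
	struct cil_list *userprefixes;
	struct cil_list *selinuxusers;
	struct cil_list *names;
	int num_types_and_attrs;
	int num_classes;
	int num_cats;
	int num_types;
	int num_roles;
	int num_users;
	struct cil_type **val_to_type;
	struct cil_role **val_to_role;
	struct cil_user **val_to_user;
	int disable_dontaudit;
	int disable_neverallow;
	int attrs_expand_generated;
	unsigned attrs_expand_size;
	int preserve_tunables;
	int handle_unknown;
	int mls;
	int multiple_decls;
	int target_platform;
	int policy_version;
};

/* Global (top-level) scope. */
struct cil_root {
	symtab_t symtab[CIL_SYM_NUM];
};

/* Growable array of nodes of one flavor; `index` is the next free slot. */
struct cil_sort {
	enum cil_flavor flavor;
	uint32_t count;
	uint32_t index;
	void **array;
};

struct cil_block {
	struct cil_symtab_datum datum;
	symtab_t symtab[CIL_SYM_NUM];
	uint16_t is_abstract;
	struct cil_list *bi_nodes;
};

struct cil_blockinherit {
	char *block_str;
	struct cil_block *block;
};

struct cil_blockabstract {
	char *block_str;
};

struct cil_in {
	symtab_t symtab[CIL_SYM_NUM];
	char *block_str;
};

struct cil_optional {
	struct cil_symtab_datum datum;
	int enabled;
};

struct cil_perm {
	struct cil_symtab_datum datum;
	unsigned int value;
	struct cil_list *classperms; /* Only used for map perms */
};

struct cil_class {
	struct cil_symtab_datum datum;
	symtab_t perms;
	unsigned int num_perms;
	struct cil_class *common; /* Only used for kernel class */
	uint32_t ordered; /* Only used for kernel class */
};

struct cil_classorder {
	struct cil_list *class_list_str;
};

struct cil_classperms_set {
	char *set_str;
	struct cil_classpermission *set;
};

struct cil_classperms {
	char *class_str;
	struct cil_class *class;
	struct cil_list *perm_strs;
	struct cil_list *perms;
};

struct cil_classpermission {
	struct cil_symtab_datum datum;
	struct cil_list *classperms;
};

struct cil_classpermissionset {
	char *set_str;
	struct cil_list *classperms;
};

struct cil_classmapping {
	char *map_class_str;
	char *map_perm_str;
	struct cil_list *classperms;
};

struct cil_classcommon {
	char *class_str;
	char *common_str;
};

/* Shared by type, sensitivity and category aliases; `actual` is untyped. */
struct cil_alias {
	struct cil_symtab_datum datum;
	void *actual;
};

struct cil_aliasactual {
	char *alias_str;
	char *actual_str;
};

struct cil_sid {
	struct cil_symtab_datum datum;
	struct cil_context *context;
	uint32_t ordered;
};

struct cil_sidcontext {
	char *sid_str;
	char *context_str;
	struct cil_context *context;
};

struct cil_sidorder {
	struct cil_list *sid_list_str;
};

struct cil_user {
	struct cil_symtab_datum datum;
	struct cil_user *bounds;
	ebitmap_t *roles;
	struct cil_level *dftlevel;
	struct cil_levelrange *range;
	int value;
};

struct cil_userattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *users;
};

struct cil_userattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_userrole {
	char *user_str;
	void *user;
	char *role_str;
	void *role;
};

struct cil_userlevel {
	char *user_str;
	char *level_str;
	struct cil_level *level;
};

struct cil_userrange {
	char *user_str;
	char *range_str;
	struct cil_levelrange *range;
};

struct cil_userprefix {
	char *user_str;
	struct cil_user *user;
	char *prefix_str;
};

struct cil_selinuxuser {
	char *name_str;
	char *user_str;
	struct cil_user *user;
	char *range_str;
	struct cil_levelrange *range;
};

struct cil_role {
	struct cil_symtab_datum datum;
	struct cil_role *bounds;
	ebitmap_t *types;
	int value;
};

struct cil_roleattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *roles;
};

struct cil_roleattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_roletype {
	char *role_str;
	void *role; /* role or attribute */
	char *type_str;
	void *type; /* type, alias, or attribute */
};

struct cil_type {
	struct cil_symtab_datum datum;
	struct cil_type *bounds;
	int value;
};

/* Bit flags recording where a type attribute has been referenced. */
#define CIL_ATTR_AVRULE		(1 << 0)
#define CIL_ATTR_NEVERALLOW	(1 << 1)
#define CIL_ATTR_CONSTRAINT	(1 << 2)
#define CIL_ATTR_EXPAND_TRUE	(1 << 3)
#define CIL_ATTR_EXPAND_FALSE	(1 << 4)
struct cil_typeattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *types;
	int used;	// whether or not this attribute was used in a binary policy rule
	int keep;
};

struct cil_typeattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_expandtypeattribute {
	struct cil_list *attr_strs;
	struct cil_list *attr_datums;
	int expand;
};

struct cil_typepermissive {
	char *type_str;
	void *type; /* type or alias */
};

struct cil_name {
	struct cil_symtab_datum datum;
	char *name_str;
};

struct cil_nametypetransition {
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *name_str;
	struct cil_name *name;
	char *result_str;
	void *result; /* type or alias */
};

struct cil_rangetransition {
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *exec_str;
	void *exec; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *range_str;
	struct cil_levelrange *range;
};

struct cil_bool {
	struct cil_symtab_datum datum;
	uint16_t value;
};

struct cil_tunable {
	struct cil_symtab_datum datum;
	uint16_t value;
};

/*
 * AV rule kinds. The numeric values appear to mirror sepol's AVRULE_*
 * constants from policydb.h (CIL_AVRULE_AV below is even built from the
 * sepol names); keep them in sync if either side changes -- TODO confirm
 * against the sepol header in use.
 */
#define CIL_AVRULE_ALLOWED     1
#define CIL_AVRULE_AUDITALLOW  2
#define CIL_AVRULE_DONTAUDIT   8
#define CIL_AVRULE_NEVERALLOW 128
#define CIL_AVRULE_AV         (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW)
struct cil_avrule {
	int is_extended;
	uint32_t rule_kind;
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	/* Which member is live is selected by is_extended. */
	union {
		struct cil_list *classperms;
		struct {
			char *permx_str;
			struct cil_permissionx *permx;
		} x;
	} perms;
};

#define CIL_PERMX_KIND_IOCTL 1
struct cil_permissionx {
	struct cil_symtab_datum datum;
	uint32_t kind;
	char *obj_str;
	struct cil_class *obj;
	struct cil_list *expr_str;
	ebitmap_t *perms;
};

/* Type rule kinds; same value-mirroring caveat as the CIL_AVRULE_* set. */
#define CIL_TYPE_TRANSITION 16
#define CIL_TYPE_MEMBER     32
#define CIL_TYPE_CHANGE     64
#define CIL_AVRULE_TYPE     (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE)
struct cil_type_rule {
	uint32_t rule_kind;
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *result_str;
	void *result; /* type or alias */
};

struct cil_roletransition {
	char *src_str;
	struct cil_role *src;
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *result_str;
	struct cil_role *result;
};

struct cil_roleallow {
	char *src_str;
	void *src; /* role or attribute */
	char *tgt_str;
	void *tgt; /* role or attribute */
};

struct cil_sens {
	struct cil_symtab_datum datum;
	struct cil_list *cats_list;
	uint32_t ordered;
};

struct cil_sensorder {
	struct cil_list *sens_list_str;
};

struct cil_cat {
	struct cil_symtab_datum datum;
	uint32_t ordered;
	int value;
};

struct cil_cats {
	uint32_t evaluated;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_catset {
	struct cil_symtab_datum datum;
	struct cil_cats *cats;
};

struct cil_catorder {
	struct cil_list *cat_list_str;
};

struct cil_senscat {
	char *sens_str;
	struct cil_cats *cats;
};

struct cil_level {
	struct cil_symtab_datum datum;
	char *sens_str;
	struct cil_sens *sens;
	struct cil_cats *cats;
};

struct cil_levelrange {
	struct cil_symtab_datum datum;
	char *low_str;
	struct cil_level *low;
	char *high_str;
	struct cil_level *high;
};

struct cil_context {
	struct cil_symtab_datum datum;
	char *user_str;
	struct cil_user *user;
	char *role_str;
	struct cil_role *role;
	char *type_str;
	void *type; /* type or alias */
	char *range_str;
	struct cil_levelrange *range;
};

/* Object classes a filecon may apply to; starts at 1, so 0 is unset. */
enum cil_filecon_types {
	CIL_FILECON_FILE = 1,
	CIL_FILECON_DIR,
	CIL_FILECON_CHAR,
	CIL_FILECON_BLOCK,
	CIL_FILECON_SOCKET,
	CIL_FILECON_PIPE,
	CIL_FILECON_SYMLINK,
	CIL_FILECON_ANY
};

struct cil_filecon {
	char *path_str;
	enum cil_filecon_types type;
	char *context_str;
	struct cil_context *context;
};

/* Transport protocols accepted by portcon; starts at 1, so 0 is unset. */
enum cil_protocol {
	CIL_PROTOCOL_UDP = 1,
	CIL_PROTOCOL_TCP,
	CIL_PROTOCOL_DCCP,
	CIL_PROTOCOL_SCTP
};

struct cil_ibpkeycon {
	char *subnet_prefix_str;
	uint32_t pkey_low;
	uint32_t pkey_high;
	char *context_str;
	struct cil_context *context;
};

struct cil_portcon {
	enum cil_protocol proto;
	uint32_t port_low;
	uint32_t port_high;
	char *context_str;
	struct cil_context *context;
};

struct cil_nodecon {
	char *addr_str;
	struct cil_ipaddr *addr;
	char *mask_str;
	struct cil_ipaddr *mask;
	char *context_str;
	struct cil_context *context;
};

/* `family` selects which union member of `ip` is valid. */
struct cil_ipaddr {
	struct cil_symtab_datum datum;
	int family;
	union {
		struct in_addr v4;
		struct in6_addr v6;
	} ip;
};

struct cil_genfscon {
	char *fs_str;
	char *path_str;
	char *context_str;
	struct cil_context *context;
};

struct cil_netifcon {
	char *interface_str;
	char *if_context_str;
	struct cil_context *if_context;
	char *packet_context_str;
	struct cil_context *packet_context;
	char *context_str;
};

struct cil_ibendportcon {
	char *dev_name_str;
	uint32_t port;
	char *context_str;
	struct cil_context *context;
};
struct cil_pirqcon {
	uint32_t pirq;
	char *context_str;
	struct cil_context *context;
};

struct cil_iomemcon {
	uint64_t iomem_low;
	uint64_t iomem_high;
	char *context_str;
	struct cil_context *context;
};

struct cil_ioportcon {
	uint32_t ioport_low;
	uint32_t ioport_high;
	char *context_str;
	struct cil_context *context;
};

struct cil_pcidevicecon {
	uint32_t dev;
	char *context_str;
	struct cil_context *context;
};

struct cil_devicetreecon {
	char *path;
	char *context_str;
	struct cil_context *context;
};


/* Ensure that CIL uses the same values as sepol services.h */
enum cil_fsuse_types {
	CIL_FSUSE_XATTR = SECURITY_FS_USE_XATTR,
	CIL_FSUSE_TASK = SECURITY_FS_USE_TASK,
	CIL_FSUSE_TRANS = SECURITY_FS_USE_TRANS
};

struct cil_fsuse {
	enum cil_fsuse_types type;
	char *fs_str;
	char *context_str;
	struct cil_context *context;
};

/*
 * Human-readable lists of the operands and operators a constraint
 * expression may use.
 */
#define CIL_MLS_LEVELS "l1 l2 h1 h2"
#define CIL_CONSTRAIN_KEYS "t1 t2 r1 r2 u1 u2"
/*
 * Explicit separator: plain adjacent-literal concatenation produced
 * "l1 l2 h1 h2t1 t2 r1 r2 u1 u2", fusing "h2" and "t1".
 */
#define CIL_MLSCONSTRAIN_KEYS CIL_MLS_LEVELS " " CIL_CONSTRAIN_KEYS
#define CIL_CONSTRAIN_OPER "== != eq dom domby incomp not and or"
struct cil_constrain {
	struct cil_list *classperms;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_validatetrans {
	char *class_str;
	struct cil_class *class;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_param {
	char *str;
	enum cil_flavor flavor;
};

struct cil_macro {
	struct cil_symtab_datum datum;
	symtab_t symtab[CIL_SYM_NUM];
	struct cil_list *params;
};

struct cil_args {
	char *arg_str;
	struct cil_symtab_datum *arg;
	char *param_str;
	enum cil_flavor flavor;
};

struct cil_call {
	char *macro_str;
	struct cil_macro *macro;
	struct cil_tree *args_tree;
	struct cil_list *args;
	int copied;
};

#define CIL_TRUE	1
#define CIL_FALSE	0

struct cil_condblock {
	enum cil_flavor flavor;
	symtab_t symtab[CIL_SYM_NUM];
};

struct cil_booleanif {
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
	int preserved_tunable;
};

struct cil_tunableif {
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

struct cil_policycap {
	struct cil_symtab_datum datum;
};

struct cil_bounds {
	char *parent_str;
	char *child_str;
};

/* Ensure that CIL uses the same values as sepol policydb.h */
enum cil_default_object {
	CIL_DEFAULT_SOURCE = DEFAULT_SOURCE,
	CIL_DEFAULT_TARGET = DEFAULT_TARGET,
};

/* Default labeling behavior for users, roles, and types */
struct cil_default {
	enum cil_flavor flavor;
	struct cil_list *class_strs;
	struct cil_list *class_datums;
	enum cil_default_object object;
};

/* Ensure that CIL uses the same values as sepol policydb.h */
enum cil_default_object_range {
	CIL_DEFAULT_SOURCE_LOW = DEFAULT_SOURCE_LOW,
	CIL_DEFAULT_SOURCE_HIGH = DEFAULT_SOURCE_HIGH,
	CIL_DEFAULT_SOURCE_LOW_HIGH = DEFAULT_SOURCE_LOW_HIGH,
	CIL_DEFAULT_TARGET_LOW = DEFAULT_TARGET_LOW,
	CIL_DEFAULT_TARGET_HIGH = DEFAULT_TARGET_HIGH,
	CIL_DEFAULT_TARGET_LOW_HIGH = DEFAULT_TARGET_LOW_HIGH,
};

/* Default labeling behavior for range */
struct cil_defaultrange {
	struct cil_list *class_strs;
	struct cil_list *class_datums;
	enum cil_default_object_range object_range;
};

struct cil_handleunknown {
	int handle_unknown;
};

struct cil_mls {
	int value;
};

/* Source-location marker; is_cil distinguishes CIL from high-level-language input. */
struct cil_src_info {
	int is_cil;
	char *path;
};

/*
 * Allocation / teardown of the database and root scope. The double
 * pointer forms allocate into *db / *root; destroy variants release what
 * init allocated.
 */
void cil_db_init(struct cil_db **db);
void cil_db_destroy(struct cil_db **db);

void cil_root_init(struct cil_root **root);
void cil_root_destroy(struct cil_root *root);

/* Frees the node data at *data according to its flavor. */
void cil_destroy_data(void **data, enum cil_flavor flavor);

/* Maps a node flavor to the cil_sym_index it is stored under; non-zero on failure. */
int cil_flavor_to_symtab_index(enum cil_flavor flavor, enum cil_sym_index *index);
const char *cil_node_to_string(struct cil_tree_node *node);

/*
 * Render the named tables as text. *out and *size are outputs;
 * ownership of *out is not documented here -- check the implementation
 * before freeing.
 */
int cil_userprefixes_to_string(struct cil_db *db, char **out, size_t *size);
int cil_selinuxusers_to_string(struct cil_db *db, char **out, size_t *size);
int cil_filecons_to_string(struct cil_db *db, char **out, size_t *size);

void cil_symtab_array_init(symtab_t symtab[], int symtab_sizes[CIL_SYM_NUM]);
void cil_symtab_array_destroy(symtab_t symtab[]);
void cil_destroy_ast_symtabs(struct cil_tree_node *root);
int cil_get_symtab(struct cil_tree_node *ast_node, symtab_t **symtab, enum cil_sym_index sym_index);

/*
 * Per-struct constructors: each allocates into *arg. Only cil_sort has a
 * matching destroy here; the rest are released through cil_destroy_data.
 */
void cil_sort_init(struct cil_sort **sort);
void cil_sort_destroy(struct cil_sort **sort);
void cil_netifcon_init(struct cil_netifcon **netifcon);
void cil_ibendportcon_init(struct cil_ibendportcon **ibendportcon);
void cil_context_init(struct cil_context **context);
void cil_level_init(struct cil_level **level);
void cil_levelrange_init(struct cil_levelrange **lvlrange);
void cil_sens_init(struct cil_sens **sens);
void cil_block_init(struct cil_block **block);
void cil_blockinherit_init(struct cil_blockinherit **inherit);
void cil_blockabstract_init(struct cil_blockabstract **abstract);
void cil_in_init(struct cil_in **in);
void cil_class_init(struct cil_class **class);
void cil_classorder_init(struct cil_classorder **classorder);
void cil_classcommon_init(struct cil_classcommon **classcommon);
void cil_sid_init(struct cil_sid **sid);
void cil_sidcontext_init(struct cil_sidcontext **sidcontext);
void cil_sidorder_init(struct cil_sidorder **sidorder);
void cil_userrole_init(struct cil_userrole **userrole);
void cil_userprefix_init(struct cil_userprefix **userprefix);
void cil_selinuxuser_init(struct cil_selinuxuser **selinuxuser);
void cil_roleattribute_init(struct cil_roleattribute **attribute);
void cil_roleattributeset_init(struct cil_roleattributeset **attrset);
void cil_roletype_init(struct cil_roletype **roletype);
void cil_typeattribute_init(struct cil_typeattribute **attribute);
void cil_typeattributeset_init(struct cil_typeattributeset **attrset);
void cil_expandtypeattribute_init(struct cil_expandtypeattribute **expandattr);
void cil_alias_init(struct cil_alias **alias);
void cil_aliasactual_init(struct cil_aliasactual **aliasactual);
void cil_typepermissive_init(struct cil_typepermissive **typeperm);
void cil_name_init(struct cil_name **name);
void cil_nametypetransition_init(struct cil_nametypetransition **nametypetrans);
void cil_rangetransition_init(struct cil_rangetransition **rangetrans);
void cil_bool_init(struct cil_bool **cilbool);
void cil_boolif_init(struct cil_booleanif **bif);
void cil_condblock_init(struct cil_condblock **cb);
void cil_tunable_init(struct cil_tunable **ciltun);
void cil_tunif_init(struct cil_tunableif **tif);
void cil_avrule_init(struct cil_avrule **avrule);
void cil_permissionx_init(struct cil_permissionx **permx);
void cil_type_rule_init(struct cil_type_rule **type_rule);
void cil_roletransition_init(struct cil_roletransition **roletrans);
void cil_roleallow_init(struct cil_roleallow **role_allow);
void cil_catset_init(struct cil_catset **catset);
void cil_cats_init(struct cil_cats **cats);
void cil_senscat_init(struct cil_senscat **senscat);
void cil_filecon_init(struct cil_filecon **filecon);
void cil_ibpkeycon_init(struct cil_ibpkeycon **ibpkeycon);
void cil_portcon_init(struct cil_portcon **portcon);
void cil_nodecon_init(struct cil_nodecon **nodecon);
void cil_genfscon_init(struct cil_genfscon **genfscon);
void cil_pirqcon_init(struct cil_pirqcon **pirqcon);
void cil_iomemcon_init(struct cil_iomemcon **iomemcon);
void cil_ioportcon_init(struct cil_ioportcon **ioportcon);
void cil_pcidevicecon_init(struct cil_pcidevicecon **pcidevicecon);
void cil_devicetreecon_init(struct cil_devicetreecon **devicetreecon);
void cil_fsuse_init(struct cil_fsuse **fsuse);
void cil_constrain_init(struct cil_constrain **constrain);
void cil_validatetrans_init(struct cil_validatetrans **validtrans);
void cil_ipaddr_init(struct cil_ipaddr **ipaddr);
void cil_perm_init(struct cil_perm **perm);
void cil_classpermission_init(struct cil_classpermission **cp);
void cil_classpermissionset_init(struct cil_classpermissionset **cps);
void cil_classperms_set_init(struct cil_classperms_set **cp_set);
void cil_classperms_init(struct cil_classperms **cp);
void cil_classmapping_init(struct cil_classmapping **mapping);
void cil_user_init(struct cil_user **user);
void cil_userlevel_init(struct cil_userlevel **usrlvl);
void cil_userrange_init(struct cil_userrange **userrange);
void cil_role_init(struct cil_role **role);
void cil_type_init(struct cil_type **type);
void cil_cat_init(struct cil_cat **cat);
void cil_catorder_init(struct cil_catorder **catorder);
void cil_sensorder_init(struct cil_sensorder **sensorder);
void cil_args_init(struct cil_args **args);
void cil_call_init(struct cil_call **call);
void cil_optional_init(struct cil_optional **optional);
void cil_param_init(struct cil_param **param);
void cil_macro_init(struct cil_macro **macro);
void cil_policycap_init(struct cil_policycap **policycap);
void cil_bounds_init(struct cil_bounds **bounds);
void cil_default_init(struct cil_default **def);
void cil_defaultrange_init(struct cil_defaultrange **def);
void cil_handleunknown_init(struct cil_handleunknown **unk);
void cil_mls_init(struct cil_mls **mls);
void cil_src_info_init(struct cil_src_info **info);
void cil_userattribute_init(struct cil_userattribute **attribute);
void cil_userattributeset_init(struct cil_userattributeset **attrset);

#endif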