/*
 * Copyright 2011 Tresys Technology, LLC. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 *    1. Redistributions of source code must retain the above copyright notice,
 *       this list of conditions and the following disclaimer.
 *
 *    2. Redistributions in binary form must reproduce the above copyright notice,
 *       this list of conditions and the following disclaimer in the documentation
 *       and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY TRESYS TECHNOLOGY, LLC ``AS IS'' AND ANY EXPRESS
 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO
 * EVENT SHALL TRESYS TECHNOLOGY, LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * The views and conclusions contained in the software and documentation are those
 * of the authors and should not be interpreted as representing official policies,
 * either expressed or implied, of Tresys Technology, LLC.
 */

/*
 * Internal data model of the CIL compiler: compiler passes, keyword strings,
 * symbol-table indices, the AST node payload structs and their init/destroy
 * prototypes.  Everything here is private to the library; cil/cil.h is the
 * public surface.
 */

#ifndef CIL_INTERNAL_H_
#define CIL_INTERNAL_H_

#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <arpa/inet.h>

#include <sepol/policydb/services.h>
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/flask_types.h>

#include <cil/cil.h>

#include "cil_flavor.h"
#include "cil_tree.h"
#include "cil_symtab.h"
#include "cil_mem.h"

/*
 * Upper bound on the length of a CIL identifier.
 * NOTE(review): where this is enforced is not visible in this header — confirm
 * the parser rejects longer names before they reach any fixed-size buffer.
 */
#define CIL_MAX_NAME_LENGTH 2048


/*
 * Compiler passes.  Declaration order is the numeric order of the values;
 * CIL_PASS_NUM is the count, not a pass.
 * NOTE(review): whether the resolver runs them strictly in this sequence is
 * decided by the caller of these values, not here — confirm in the resolver.
 */
enum cil_pass {
	CIL_PASS_INIT = 0,

	CIL_PASS_TIF,
	CIL_PASS_IN,
	CIL_PASS_BLKIN_LINK,
	CIL_PASS_BLKIN_COPY,
	CIL_PASS_BLKABS,
	CIL_PASS_MACRO,
	CIL_PASS_CALL1,
	CIL_PASS_CALL2,
	CIL_PASS_ALIAS1,
	CIL_PASS_ALIAS2,
	CIL_PASS_MISC1,
	CIL_PASS_MLS,
	CIL_PASS_MISC2,
	CIL_PASS_MISC3,

	CIL_PASS_NUM
};


/*
 * Keywords
 *
 * String constants for the tokens of the CIL language, defined in the
 * accompanying .c file.  They are declared as plain `char *`, so nothing in
 * the type system stops a caller from writing through them; treat them as
 * read-only by convention.
 */
extern char *CIL_KEY_CONS_T1;
extern char *CIL_KEY_CONS_T2;
extern char *CIL_KEY_CONS_T3;
extern char *CIL_KEY_CONS_R1;
extern char *CIL_KEY_CONS_R2;
extern char *CIL_KEY_CONS_R3;
extern char *CIL_KEY_CONS_U1;
extern char *CIL_KEY_CONS_U2;
extern char *CIL_KEY_CONS_U3;
extern char *CIL_KEY_CONS_L1;
extern char *CIL_KEY_CONS_L2;
extern char *CIL_KEY_CONS_H1;
extern char *CIL_KEY_CONS_H2;
extern char *CIL_KEY_AND;
extern char *CIL_KEY_OR;
extern char *CIL_KEY_NOT;
extern char *CIL_KEY_EQ;
extern char *CIL_KEY_NEQ;
extern char *CIL_KEY_CONS_DOM;
extern char *CIL_KEY_CONS_DOMBY;
extern char *CIL_KEY_CONS_INCOMP;
extern char *CIL_KEY_CONDTRUE;
extern char *CIL_KEY_CONDFALSE;
extern char *CIL_KEY_SELF;
extern char *CIL_KEY_OBJECT_R;
extern char *CIL_KEY_STAR;
extern char *CIL_KEY_TCP;
extern char *CIL_KEY_UDP;
extern char *CIL_KEY_DCCP;
extern char *CIL_KEY_SCTP;
extern char *CIL_KEY_AUDITALLOW;
extern char *CIL_KEY_TUNABLEIF;
extern char *CIL_KEY_ALLOW;
extern char *CIL_KEY_DONTAUDIT;
extern char *CIL_KEY_TYPETRANSITION;
extern char *CIL_KEY_TYPECHANGE;
extern char *CIL_KEY_CALL;
extern char *CIL_KEY_TUNABLE;
extern char *CIL_KEY_XOR;
extern char *CIL_KEY_ALL;
extern char *CIL_KEY_RANGE;
extern char *CIL_KEY_GLOB;
extern char *CIL_KEY_FILE;
extern char *CIL_KEY_DIR;
extern char *CIL_KEY_CHAR;
extern char *CIL_KEY_BLOCK;
extern char *CIL_KEY_SOCKET;
extern char *CIL_KEY_PIPE;
extern char *CIL_KEY_SYMLINK;
extern char *CIL_KEY_ANY;
extern char *CIL_KEY_XATTR;
extern char *CIL_KEY_TASK;
extern char *CIL_KEY_TRANS;
extern char *CIL_KEY_TYPE;
extern char *CIL_KEY_ROLE;
extern char *CIL_KEY_USER;
extern char *CIL_KEY_USERATTRIBUTE;
extern char *CIL_KEY_USERATTRIBUTESET;
extern char *CIL_KEY_SENSITIVITY;
extern char *CIL_KEY_CATEGORY;
extern char *CIL_KEY_CATSET;
extern char *CIL_KEY_LEVEL;
extern char *CIL_KEY_LEVELRANGE;
extern char *CIL_KEY_CLASS;
extern char *CIL_KEY_IPADDR;
extern char *CIL_KEY_MAP_CLASS;
extern char *CIL_KEY_CLASSPERMISSION;
extern char *CIL_KEY_BOOL;
extern char *CIL_KEY_STRING;
extern char *CIL_KEY_NAME;
extern char *CIL_KEY_SOURCE;
extern char *CIL_KEY_TARGET;
extern char *CIL_KEY_LOW;
extern char *CIL_KEY_HIGH;
extern char *CIL_KEY_LOW_HIGH;
extern char *CIL_KEY_GLBLUB;
extern char *CIL_KEY_HANDLEUNKNOWN;
extern char *CIL_KEY_HANDLEUNKNOWN_ALLOW;
extern char *CIL_KEY_HANDLEUNKNOWN_DENY;
extern char *CIL_KEY_HANDLEUNKNOWN_REJECT;
extern char *CIL_KEY_MACRO;
extern char *CIL_KEY_IN;
extern char *CIL_KEY_MLS;
extern char *CIL_KEY_DEFAULTRANGE;
extern char *CIL_KEY_BLOCKINHERIT;
extern char *CIL_KEY_BLOCKABSTRACT;
extern char *CIL_KEY_CLASSORDER;
extern char *CIL_KEY_CLASSMAPPING;
extern char *CIL_KEY_CLASSPERMISSIONSET;
extern char *CIL_KEY_COMMON;
extern char *CIL_KEY_CLASSCOMMON;
extern char *CIL_KEY_SID;
extern char *CIL_KEY_SIDCONTEXT;
extern char *CIL_KEY_SIDORDER;
extern char *CIL_KEY_USERLEVEL;
extern char *CIL_KEY_USERRANGE;
extern char *CIL_KEY_USERBOUNDS;
extern char *CIL_KEY_USERPREFIX;
extern char *CIL_KEY_SELINUXUSER;
extern char *CIL_KEY_SELINUXUSERDEFAULT;
extern char *CIL_KEY_TYPEATTRIBUTE;
extern char *CIL_KEY_TYPEATTRIBUTESET;
extern char *CIL_KEY_EXPANDTYPEATTRIBUTE;
extern char *CIL_KEY_TYPEALIAS;
extern char *CIL_KEY_TYPEALIASACTUAL;
extern char *CIL_KEY_TYPEBOUNDS;
extern char *CIL_KEY_TYPEPERMISSIVE;
extern char *CIL_KEY_RANGETRANSITION;
extern char *CIL_KEY_USERROLE;
extern char *CIL_KEY_ROLETYPE;
extern char *CIL_KEY_ROLETRANSITION;
extern char *CIL_KEY_ROLEALLOW;
extern char *CIL_KEY_ROLEATTRIBUTE;
extern char *CIL_KEY_ROLEATTRIBUTESET;
extern char *CIL_KEY_ROLEBOUNDS;
extern char *CIL_KEY_BOOLEANIF;
extern char *CIL_KEY_NEVERALLOW;
extern char *CIL_KEY_TYPEMEMBER;
extern char *CIL_KEY_SENSALIAS;
extern char *CIL_KEY_SENSALIASACTUAL;
extern char *CIL_KEY_CATALIAS;
extern char *CIL_KEY_CATALIASACTUAL;
extern char *CIL_KEY_CATORDER;
extern char *CIL_KEY_SENSITIVITYORDER;
extern char *CIL_KEY_SENSCAT;
extern char *CIL_KEY_CONSTRAIN;
extern char *CIL_KEY_MLSCONSTRAIN;
extern char *CIL_KEY_VALIDATETRANS;
extern char *CIL_KEY_MLSVALIDATETRANS;
extern char *CIL_KEY_CONTEXT;
extern char *CIL_KEY_FILECON;
extern char *CIL_KEY_IBPKEYCON;
extern char *CIL_KEY_IBENDPORTCON;
extern char *CIL_KEY_PORTCON;
extern char *CIL_KEY_NODECON;
extern char *CIL_KEY_GENFSCON;
extern char *CIL_KEY_NETIFCON;
extern char *CIL_KEY_PIRQCON;
extern char *CIL_KEY_IOMEMCON;
extern char *CIL_KEY_IOPORTCON;
extern char *CIL_KEY_PCIDEVICECON;
extern char *CIL_KEY_DEVICETREECON;
extern char *CIL_KEY_FSUSE;
extern char *CIL_KEY_POLICYCAP;
extern char *CIL_KEY_OPTIONAL;
extern char *CIL_KEY_DEFAULTUSER;
extern char *CIL_KEY_DEFAULTROLE;
extern char *CIL_KEY_DEFAULTTYPE;
extern char *CIL_KEY_ROOT;
extern char *CIL_KEY_NODE;
extern char *CIL_KEY_PERM;
extern char *CIL_KEY_ALLOWX;
extern char *CIL_KEY_AUDITALLOWX;
extern char *CIL_KEY_DONTAUDITX;
extern char *CIL_KEY_NEVERALLOWX;
extern char *CIL_KEY_PERMISSIONX;
extern char *CIL_KEY_IOCTL;
extern char *CIL_KEY_UNORDERED;
extern char *CIL_KEY_SRC_INFO;
extern char *CIL_KEY_SRC_CIL;
extern char *CIL_KEY_SRC_HLL;

/*
 * Symbol Table Array Indices
 *
 * Index into the per-scope `symtab_t symtab[CIL_SYM_NUM]` arrays declared on
 * cil_root, cil_block, cil_in, cil_macro and cil_condblock below.  Those
 * arrays have exactly CIL_SYM_NUM entries, so CIL_SYM_UNKNOWN and
 * CIL_SYM_PERMS — both numerically past CIL_SYM_NUM — must never be used as
 * an index into them.
 */
enum cil_sym_index {
	CIL_SYM_BLOCKS = 0,
	CIL_SYM_USERS,
	CIL_SYM_ROLES,
	CIL_SYM_TYPES,
	CIL_SYM_COMMONS,
	CIL_SYM_CLASSES,
	CIL_SYM_CLASSPERMSETS,
	CIL_SYM_BOOLS,
	CIL_SYM_TUNABLES,
	CIL_SYM_SENS,
	CIL_SYM_CATS,
	CIL_SYM_SIDS,
	CIL_SYM_CONTEXTS,
	CIL_SYM_LEVELS,
	CIL_SYM_LEVELRANGES,
	CIL_SYM_POLICYCAPS,
	CIL_SYM_IPADDRS,
	CIL_SYM_NAMES,
	CIL_SYM_PERMX,
	CIL_SYM_NUM,		/* count of array-backed symbol kinds; not itself an index */
	CIL_SYM_UNKNOWN,
	CIL_SYM_PERMS		// Special case for permissions. This symtab is not included in arrays
};

/*
 * Kinds of scope that own a symbol-table array; first index of cil_sym_sizes.
 * CIL_SYM_ARRAY_NUM is the count.
 */
enum cil_sym_array {
	CIL_SYM_ARRAY_ROOT = 0,
	CIL_SYM_ARRAY_BLOCK,
	CIL_SYM_ARRAY_IN,
	CIL_SYM_ARRAY_MACRO,
	CIL_SYM_ARRAY_CONDBLOCK,
	CIL_SYM_ARRAY_NUM
};

/*
 * Per-scope-kind, per-symbol-kind table of sizes, defined in the .c file.
 * NOTE(review): by name these are the initial hash-table sizes passed to
 * cil_symtab_array_init() — confirm against that definition.
 */
extern int cil_sym_sizes[CIL_SYM_ARRAY_NUM][CIL_SYM_NUM];

/* Size used for the per-class permission symtab (struct cil_class.perms). */
#define CIL_CLASS_SYM_SIZE 256
/*
 * Number of permission bits available in one access vector.  The literal 8
 * stands for CHAR_BIT; the two only differ on non-octet platforms.
 */
#define CIL_PERMS_PER_CLASS (sizeof(sepol_access_vector_t) * 8)

/*
 * Top-level compiler state: the parse tree and AST, the ordered lists and
 * sorted context tables collected from the policy, the value→datum lookup
 * arrays, and the build options.
 */
struct cil_db {
	struct cil_tree *parse;			/* parse tree of the input */
	struct cil_tree *ast;			/* abstract syntax tree built from `parse` */
	struct cil_type *selftype;		/* the `self` type */
	struct cil_list *sidorder;
	struct cil_list *classorder;
	struct cil_list *catorder;
	struct cil_list *sensitivityorder;
	/* sorted tables of labeling statements, one per statement kind */
	struct cil_sort *netifcon;
	struct cil_sort *genfscon;
	struct cil_sort *filecon;
	struct cil_sort *nodecon;
	struct cil_sort *ibpkeycon;
	struct cil_sort *ibendportcon;
	struct cil_sort *portcon;
	struct cil_sort *pirqcon;
	struct cil_sort *iomemcon;
	struct cil_sort *ioportcon;
	struct cil_sort *pcidevicecon;
	struct cil_sort *devicetreecon;
	struct cil_sort *fsuse;
	struct cil_list *userprefixes;
	struct cil_list *selinuxusers;
	struct cil_list *names;
	/* counts assigned during resolution; bound the val_to_* arrays below */
	int num_types_and_attrs;
	int num_classes;
	int num_cats;
	int num_types;
	int num_roles;
	int num_users;
	/* NOTE(review): presumably indexed by the datum's `value` field — confirm
	 * whether that index is 0- or 1-based before using it for bounds checks. */
	struct cil_type **val_to_type;
	struct cil_role **val_to_role;
	struct cil_user **val_to_user;
	/*
	 * Build options.  `disable_neverallow` and `handle_unknown` change how
	 * restrictive the emitted policy is; `disable_dontaudit` changes what
	 * gets logged.  Where these are set (CLI vs. policy statement) is not
	 * visible here — confirm before treating any of them as trusted.
	 */
	int disable_dontaudit;
	int disable_neverallow;
	int attrs_expand_generated;
	unsigned attrs_expand_size;
	int preserve_tunables;
	int handle_unknown;
	int mls;
	int multiple_decls;
	int target_platform;
	int policy_version;
};

/* Global (root) scope: one symbol table per symbol kind. */
struct cil_root {
	symtab_t symtab[CIL_SYM_NUM];
};

/*
 * Sorted array of AST nodes of one flavor.  `count` is the number of
 * elements `array` can hold and `index` the next free slot — that reading
 * is inferred from the names; confirm in cil_sort_init()/the code that fills it.
 */
struct cil_sort {
	enum cil_flavor flavor;
	uint32_t count;
	uint32_t index;
	void **array;
};

/* A `block` statement: a named scope with its own symbol tables. */
struct cil_block {
	struct cil_symtab_datum datum;
	symtab_t symtab[CIL_SYM_NUM];
	uint16_t is_abstract;		/* non-zero once marked by a blockabstract statement */
	struct cil_list *bi_nodes;	/* blockinherit nodes referring to this block */
};

/*
 * Convention used throughout the AST payload structs below: a `*_str` field
 * holds an identifier as written in the source, and the pointer field that
 * follows it holds the datum that identifier resolved to.  The pointer is
 * NULL until the corresponding resolve pass has run.  That pairing is
 * inferred from the field names and the init/resolve split; confirm against
 * the resolver before relying on it in a new pass.
 */

/* `blockinherit` statement: copies the named block into the current scope. */
struct cil_blockinherit {
	char *block_str;
	struct cil_block *block;
};

/* `blockabstract` statement: marks the named block abstract. */
struct cil_blockabstract {
	char *block_str;
};

/* `in` statement: a scope whose contents are inserted into the named block. */
struct cil_in {
	symtab_t symtab[CIL_SYM_NUM];
	char *block_str;
};

/* `optional` statement; `enabled` records whether the block survived resolution. */
struct cil_optional {
	struct cil_symtab_datum datum;
	int enabled;
};

/* A single permission within a class or map class. */
struct cil_perm {
	struct cil_symtab_datum datum;
	unsigned int value;
	struct cil_list *classperms; /* Only used for map perms */
};

/* A class (kernel or map class) and its permission symtab. */
struct cil_class {
	struct cil_symtab_datum datum;
	symtab_t perms;
	unsigned int num_perms;
	struct cil_class *common; /* Only used for kernel class */
	uint32_t ordered; /* Only used for kernel class */
};

/* `classorder` statement. */
struct cil_classorder {
	struct cil_list *class_list_str;
};

/* Reference to a named classpermission set inside a classperms list. */
struct cil_classperms_set {
	char *set_str;
	struct cil_classpermission *set;
};

/* A class together with a list of its permissions. */
struct cil_classperms {
	char *class_str;
	struct cil_class *class;
	struct cil_list *perm_strs;
	struct cil_list *perms;
};

/* A named, reusable set of class/permission pairs. */
struct cil_classpermission {
	struct cil_symtab_datum datum;
	struct cil_list *classperms;
};

/* `classpermissionset` statement: populates a named cil_classpermission. */
struct cil_classpermissionset {
	char *set_str;
	struct cil_list *classperms;
};

/* `classmapping` statement: maps a map-class permission onto kernel classperms. */
struct cil_classmapping {
	char *map_class_str;
	char *map_perm_str;
	struct cil_list *classperms;
};

/* `classcommon` statement. */
struct cil_classcommon {
	char *class_str;
	char *common_str;
};

/* Generic alias datum; `actual` is the aliased object, typed by the alias flavor. */
struct cil_alias {
	struct cil_symtab_datum datum;
	void *actual;
};

/* `*aliasactual` statement binding an alias to its target. */
struct cil_aliasactual {
	char *alias_str;
	char *actual_str;
};

/* Initial SID; `context` is filled in from a sidcontext statement. */
struct cil_sid {
	struct cil_symtab_datum datum;
	struct cil_context *context;
	uint32_t ordered;
};

/* `sidcontext` statement. */
struct cil_sidcontext {
	char *sid_str;
	char *context_str;
	struct cil_context *context;
};

/* `sidorder` statement. */
struct cil_sidorder {
	struct cil_list *sid_list_str;
};

/* A user: its bound, authorized roles (bitmap), default level and range. */
struct cil_user {
	struct cil_symtab_datum datum;
	struct cil_user *bounds;
	ebitmap_t *roles;
	struct cil_level *dftlevel;
	struct cil_levelrange *range;
	int value;
};

/* A user attribute and the set of users it expands to. */
struct cil_userattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *users;
};

/* `userattributeset` statement: a set expression assigned to a user attribute. */
struct cil_userattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

/* `userrole` statement. */
struct cil_userrole {
	char *user_str;
	void *user;
	char *role_str;
	void *role;
};

/* `userlevel` statement. */
struct cil_userlevel {
	char *user_str;
	char *level_str;
	struct cil_level *level;
};

/* `userrange` statement. */
struct cil_userrange {
	char *user_str;
	char *range_str;
	struct cil_levelrange *range;
};

/* `userprefix` statement. */
struct cil_userprefix {
	char *user_str;
	struct cil_user *user;
	char *prefix_str;
};

/* `selinuxuser` / `selinuxuserdefault` statement. */
struct cil_selinuxuser {
	char *name_str;
	char *user_str;
	struct cil_user *user;
	char *range_str;
	struct cil_levelrange *range;
};

/* A role: its bound and the bitmap of types it is authorized for. */
struct cil_role {
	struct cil_symtab_datum datum;
	struct cil_role *bounds;
	ebitmap_t *types;
	int value;
};

/* A role attribute and the set of roles it expands to. */
struct cil_roleattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *roles;
};

/* `roleattributeset` statement. */
struct cil_roleattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

/* `roletype` statement. */
struct cil_roletype {
	char *role_str;
	void *role; /* role or attribute */
	char *type_str;
	void *type; /* type, alias, or attribute */
};

/* A type: its bound and its numeric value. */
struct cil_type {
	struct cil_symtab_datum datum;
	struct cil_type *bounds;
	int value;
};

/*
 * Bit flags describing where a type attribute is referenced; by name they are
 * consumed by the attribute-expansion logic — confirm which field carries them.
 */
#define CIL_ATTR_AVRULE		(1 << 0)
#define CIL_ATTR_NEVERALLOW	(1 << 1)
#define CIL_ATTR_CONSTRAINT	(1 << 2)
#define CIL_ATTR_EXPAND_TRUE	(1 << 3)
#define CIL_ATTR_EXPAND_FALSE	(1 << 4)
/* A type attribute and the set of types it expands to. */
struct cil_typeattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *types;
	int used;	// whether or not this attribute was used in a binary policy rule
	int keep;	/* whether the attribute itself is kept in the output policy (inferred from name) */
};

/* `typeattributeset` statement. */
struct cil_typeattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

/* `expandtypeattribute` statement; `expand` holds the true/false argument. */
struct cil_expandtypeattribute {
	struct cil_list *attr_strs;
	struct cil_list *attr_datums;
	int expand;
};

/* `typepermissive` statement. */
struct cil_typepermissive {
	char *type_str;
	void *type; /* type or alias */
};

/* A `name` datum used by named type transitions. */
struct cil_name {
	struct cil_symtab_datum datum;
	char *name_str;
};

/* Named `typetransition` (with a file-name argument). */
struct cil_nametypetransition {
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *name_str;
	struct cil_name *name;
	char *result_str;
	void *result; /* type or alias */

};

/* `rangetransition` statement. */
struct cil_rangetransition {
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *exec_str;
	void *exec; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *range_str;
	struct cil_levelrange *range;
};

/* A boolean and its current value. */
struct cil_bool {
	struct cil_symtab_datum datum;
	uint16_t value;
};

/* A tunable and its current value. */
struct cil_tunable {
	struct cil_symtab_datum datum;
	uint16_t value;
};

/*
 * Access-vector rule kinds.  The CIL_AVRULE_* values are chosen to match the
 * corresponding sepol AVRULE_* constants; CIL_AVRULE_AV itself is spelled with
 * the sepol names, so the two sets must stay in sync.
 */
#define CIL_AVRULE_ALLOWED     1
#define CIL_AVRULE_AUDITALLOW  2
#define CIL_AVRULE_DONTAUDIT   8
#define CIL_AVRULE_NEVERALLOW  128
#define CIL_AVRULE_AV         (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW)
/*
 * An allow/auditallow/dontaudit/neverallow rule, or its extended-permission
 * (`allowx` etc.) form.  `is_extended` selects which member of `perms` is
 * live: `x` for extended rules, `classperms` otherwise (inferred from naming).
 */
struct cil_avrule {
	int is_extended;
	uint32_t rule_kind;
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	union {
		struct cil_list *classperms;
		struct {
			char *permx_str;
			struct cil_permissionx *permx;
		} x;
	} perms;
};

/* Only extended-permission kind currently defined. */
#define CIL_PERMX_KIND_IOCTL 1
/* `permissionx` datum: a class plus a bitmap of extended permissions. */
struct cil_permissionx {
	struct cil_symtab_datum datum;
	uint32_t kind;
	char *obj_str;
	struct cil_class *obj;
	struct cil_list *expr_str;
	ebitmap_t *perms;
};

/* Type-rule kinds; same sync requirement with sepol's AVRULE_* as above. */
#define CIL_TYPE_TRANSITION 16
#define CIL_TYPE_MEMBER     32
#define CIL_TYPE_CHANGE     64
#define CIL_AVRULE_TYPE     (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE)
/* typetransition / typemember / typechange rule. */
struct cil_type_rule {
	uint32_t rule_kind;
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *result_str;
	void *result; /* type or alias */
};

/* `roletransition` statement. */
struct cil_roletransition {
	char *src_str;
	struct cil_role *src;
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *result_str;
	struct cil_role *result;
};

/* `roleallow` statement. */
struct cil_roleallow {
	char *src_str;
	void *src; /* role or attribute */
	char *tgt_str;
	void *tgt; /* role or attribute */
};

/* MLS sensitivity and the categories associated with it. */
struct cil_sens {
	struct cil_symtab_datum datum;
	struct cil_list *cats_list;
	uint32_t ordered;
};

/* `sensitivityorder` statement. */
struct cil_sensorder {
	struct cil_list *sens_list_str;
};

/* MLS category. */
struct cil_cat {
	struct cil_symtab_datum datum;
	uint32_t ordered;
	int value;
};

/* A category set expression; `evaluated` is a flag guarding re-evaluation (by name). */
struct cil_cats {
	uint32_t evaluated;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

/* Named category set. */
struct cil_catset {
	struct cil_symtab_datum datum;
	struct cil_cats *cats;
};

/* `categoryorder` statement. */
struct cil_catorder {
	struct cil_list *cat_list_str;
};

/* `sensitivitycategory` statement. */
struct cil_senscat {
	char *sens_str;
	struct cil_cats *cats;
};

/* MLS level: a sensitivity plus a category set. */
struct cil_level {
	struct cil_symtab_datum datum;
	char *sens_str;
	struct cil_sens *sens;
	struct cil_cats *cats;
};

/* MLS range: low and high levels. */
struct cil_levelrange {
	struct cil_symtab_datum datum;
	char *low_str;
	struct cil_level *low;
	char *high_str;
	struct cil_level *high;
};

/* Security context: user, role, type and (optionally) range. */
struct cil_context {
	struct cil_symtab_datum datum;
	char *user_str;
	struct cil_user *user;
	char *role_str;
	struct cil_role *role;
	char *type_str;
	void *type; /* type or alias */
	char *range_str;
	struct cil_levelrange *range;
};

/* File-type selector of a `filecon` statement. */
enum cil_filecon_types {
	CIL_FILECON_FILE = 1,
	CIL_FILECON_DIR,
	CIL_FILECON_CHAR,
	CIL_FILECON_BLOCK,
	CIL_FILECON_SOCKET,
	CIL_FILECON_PIPE,
	CIL_FILECON_SYMLINK,
	CIL_FILECON_ANY
};

/*
 * `filecon` statement.  `path_str` is used as a pattern by the file-context
 * consumer; nothing in this header constrains its contents.
 */
struct cil_filecon {
	char *path_str;
	enum cil_filecon_types type;
	char *context_str;
	struct cil_context *context;
};

/* Transport protocol of a `portcon` statement. */
enum cil_protocol {
	CIL_PROTOCOL_UDP = 1,
	CIL_PROTOCOL_TCP,
	CIL_PROTOCOL_DCCP,
	CIL_PROTOCOL_SCTP
};

/* `ibpkeycon` statement: InfiniBand partition-key range. */
struct cil_ibpkeycon {
	char *subnet_prefix_str;
	uint32_t pkey_low;
	uint32_t pkey_high;
	char *context_str;
	struct cil_context *context;
};

/*
 * `portcon` statement.  Ports are stored as uint32_t, wider than a TCP/UDP
 * port; range validation is not visible here — confirm it happens at parse time.
 */
struct cil_portcon {
	enum cil_protocol proto;
	uint32_t port_low;
	uint32_t port_high;
	char *context_str;
	struct cil_context *context;
};

/* `nodecon` statement: address/mask pair. */
struct cil_nodecon {
	char *addr_str;
	struct cil_ipaddr *addr;
	char *mask_str;
	struct cil_ipaddr *mask;
	char *context_str;
	struct cil_context *context;
};

/*
 * IP address datum.  `family` is expected to select which union member is
 * valid (v4 vs. v6) — inferred from the layout; confirm in cil_ipaddr_init()
 * and the parser.
 */
struct cil_ipaddr {
	struct cil_symtab_datum datum;
	int family;
	union {
		struct in_addr v4;
		struct in6_addr v6;
	} ip;
};

/* `genfscon` statement. */
struct cil_genfscon {
	char *fs_str;
	char *path_str;
	char *context_str;
	struct cil_context *context;
};

/* `netifcon` statement: interface context and packet context. */
struct cil_netifcon {
	char *interface_str;
	char *if_context_str;
	struct cil_context *if_context;
	char *packet_context_str;
	struct cil_context *packet_context;
	char *context_str;
};

/* `ibendportcon` statement. */
struct cil_ibendportcon {
	char *dev_name_str;
	uint32_t port;
	char *context_str;
	struct cil_context *context;
};
/* `pirqcon` statement. */
struct cil_pirqcon {
	uint32_t pirq;
	char *context_str;
	struct cil_context *context;
};

/* `iomemcon` statement. */
struct cil_iomemcon {
	uint64_t iomem_low;
	uint64_t iomem_high;
	char *context_str;
	struct cil_context *context;
};

/* `ioportcon` statement. */
struct cil_ioportcon {
	uint32_t ioport_low;
	uint32_t ioport_high;
	char *context_str;
	struct cil_context *context;
};

/* `pcidevicecon` statement. */
struct cil_pcidevicecon {
	uint32_t dev;
	char *context_str;
	struct cil_context *context;
};

/* `devicetreecon` statement. */
struct cil_devicetreecon {
	char *path;
	char *context_str;
	struct cil_context *context;
};


/* Ensure that CIL uses the same values as sepol services.h */
enum cil_fsuse_types {
	CIL_FSUSE_XATTR = SECURITY_FS_USE_XATTR,
	CIL_FSUSE_TASK = SECURITY_FS_USE_TASK,
	CIL_FSUSE_TRANS = SECURITY_FS_USE_TRANS
};

/* `fsuse` statement. */
struct cil_fsuse {
	enum cil_fsuse_types type;
	char *fs_str;
	char *context_str;
	struct cil_context *context;
};

/* Token sets accepted in constraint expressions (space-separated string literals). */
#define CIL_MLS_LEVELS "l1 l2 h1 h2"
#define CIL_CONSTRAIN_KEYS "t1 t2 r1 r2 u1 u2"
#define CIL_MLSCONSTRAIN_KEYS CIL_MLS_LEVELS CIL_CONSTRAIN_KEYS
#define CIL_CONSTRAIN_OPER "== != eq dom domby incomp not and or"
/* `constrain` / `mlsconstrain` statement. */
struct cil_constrain {
	struct cil_list *classperms;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

/* `validatetrans` / `mlsvalidatetrans` statement. */
struct cil_validatetrans {
	char *class_str;
	struct cil_class *class;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

/* A macro parameter: its name and the flavor of argument it accepts. */
struct cil_param {
	char *str;
	enum cil_flavor flavor;
};

/* A macro definition: its own scope plus the parameter list. */
struct cil_macro {
	struct cil_symtab_datum datum;
	symtab_t symtab[CIL_SYM_NUM];
	struct cil_list *params;
};

/* One argument of a macro call, matched to a parameter by `param_str`. */
struct cil_args {
	char *arg_str;
	struct cil_symtab_datum *arg;
	char *param_str;
	enum cil_flavor flavor;
};

/* A macro call; `copied` records whether the macro body has been expanded (by name). */
struct cil_call {
	char *macro_str;
	struct cil_macro *macro;
	struct cil_tree *args_tree;
	struct cil_list *args;
	int copied;
};

#define CIL_TRUE 1
#define CIL_FALSE 0

/* One branch (true/false) of a booleanif/tunableif, with its own scope. */
struct cil_condblock {
	enum cil_flavor flavor;
	symtab_t symtab[CIL_SYM_NUM];
};

/* `booleanif` statement. */
struct cil_booleanif {
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
	int preserved_tunable;
};

/* `tunableif` statement. */
struct cil_tunableif {
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};

/* `policycap` statement. */
struct cil_policycap {
	struct cil_symtab_datum datum;
};

/* `*bounds` statement: parent/child identifiers. */
struct cil_bounds {
	char *parent_str;
	char *child_str;
};

/* Ensure that CIL uses the same values as sepol policydb.h */
enum cil_default_object {
	CIL_DEFAULT_SOURCE = DEFAULT_SOURCE,
	CIL_DEFAULT_TARGET = DEFAULT_TARGET,
};

/* Default labeling behavior for users, roles, and types */
struct cil_default {
	enum cil_flavor flavor;
	struct cil_list *class_strs;
	struct cil_list *class_datums;
	enum cil_default_object object;
};

/* Ensure that CIL uses the same values as sepol policydb.h */
enum cil_default_object_range {
	CIL_DEFAULT_SOURCE_LOW = DEFAULT_SOURCE_LOW,
	CIL_DEFAULT_SOURCE_HIGH = DEFAULT_SOURCE_HIGH,
	CIL_DEFAULT_SOURCE_LOW_HIGH = DEFAULT_SOURCE_LOW_HIGH,
	CIL_DEFAULT_TARGET_LOW = DEFAULT_TARGET_LOW,
	CIL_DEFAULT_TARGET_HIGH = DEFAULT_TARGET_HIGH,
	CIL_DEFAULT_TARGET_LOW_HIGH = DEFAULT_TARGET_LOW_HIGH,
	CIL_DEFAULT_GLBLUB = DEFAULT_GLBLUB,
};

/* Default labeling behavior for range */
struct cil_defaultrange {
	struct cil_list *class_strs;
	struct cil_list *class_datums;
	enum cil_default_object_range object_range;
};

/* `handleunknown` statement: what the kernel does with unknown classes/perms. */
struct cil_handleunknown {
	int handle_unknown;
};

/* `mls` statement. */
struct cil_mls {
	int value;
};

/* Source-location marker; `is_cil` distinguishes CIL from high-level-language input. */
struct cil_src_info {
	int is_cil;
	char *path;
};

/*
 * Lifecycle of the compiler database.  Both take a pointer-to-pointer; by
 * convention the *_init() functions below allocate through the out-parameter
 * and the *_destroy() functions release it and reset it — confirm in the .c.
 */
void cil_db_init(struct cil_db **db);
void cil_db_destroy(struct cil_db **db);

void cil_root_init(struct cil_root **root);
void cil_root_destroy(struct cil_root *root);

/* Releases an AST payload; `flavor` says which struct `*data` points to. */
void cil_destroy_data(void **data, enum cil_flavor flavor);

/* Maps a node flavor to the symbol-table index it is declared in; int return is a status code. */
int cil_flavor_to_symtab_index(enum cil_flavor flavor, enum cil_sym_index *index);
/* Human-readable name of a node, for diagnostics. */
const char * cil_node_to_string(struct cil_tree_node *node);

/*
 * Render the collected userprefixes / seusers / file contexts to a string.
 * Result and its length come back through `out`/`size`; ownership of the
 * returned buffer (caller frees?) is not stated here — check the definition.
 */
int cil_userprefixes_to_string(struct cil_db *db, char **out, size_t *size);
int cil_selinuxusers_to_string(struct cil_db *db, char **out, size_t *size);
int cil_filecons_to_string(struct cil_db *db, char **out, size_t *size);

/* Symbol-table array helpers; `symtab_sizes` is one row of cil_sym_sizes. */
void cil_symtab_array_init(symtab_t symtab[], int symtab_sizes[CIL_SYM_NUM]);
void cil_symtab_array_destroy(symtab_t symtab[]);
void cil_destroy_ast_symtabs(struct cil_tree_node *root);
/* Finds the symtab of kind `sym_index` in scope at `ast_node`; returns a status code. */
int cil_get_symtab(struct cil_tree_node *ast_node, symtab_t **symtab, enum cil_sym_index sym_index);

/*
 * Allocators for each AST payload struct.  Each writes a freshly allocated,
 * zero/default-initialised object through its out-parameter.  None returns a
 * status, so allocation failure must be handled inside (presumably via
 * cil_mem.h's wrappers — confirm).
 */
void cil_sort_init(struct cil_sort **sort);
void cil_sort_destroy(struct cil_sort **sort);
void cil_netifcon_init(struct cil_netifcon **netifcon);
void cil_ibendportcon_init(struct cil_ibendportcon **ibendportcon);
void cil_context_init(struct cil_context **context);
void cil_level_init(struct cil_level **level);
void cil_levelrange_init(struct cil_levelrange **lvlrange);
void cil_sens_init(struct cil_sens **sens);
void cil_block_init(struct cil_block **block);
void cil_blockinherit_init(struct cil_blockinherit **inherit);
void cil_blockabstract_init(struct cil_blockabstract **abstract);
void cil_in_init(struct cil_in **in);
void cil_class_init(struct cil_class **class);
void cil_classorder_init(struct cil_classorder **classorder);
void cil_classcommon_init(struct cil_classcommon **classcommon);
void cil_sid_init(struct cil_sid **sid);
void cil_sidcontext_init(struct cil_sidcontext **sidcontext);
void cil_sidorder_init(struct cil_sidorder **sidorder);
void cil_userrole_init(struct cil_userrole **userrole);
void cil_userprefix_init(struct cil_userprefix **userprefix);
void cil_selinuxuser_init(struct cil_selinuxuser **selinuxuser);
void cil_roleattribute_init(struct cil_roleattribute **attribute);
void cil_roleattributeset_init(struct cil_roleattributeset **attrset);
void cil_roletype_init(struct cil_roletype **roletype);
void cil_typeattribute_init(struct cil_typeattribute **attribute);
void cil_typeattributeset_init(struct cil_typeattributeset **attrset);
void cil_expandtypeattribute_init(struct cil_expandtypeattribute **expandattr);
void cil_alias_init(struct cil_alias **alias);
void cil_aliasactual_init(struct cil_aliasactual **aliasactual);
void cil_typepermissive_init(struct cil_typepermissive **typeperm);
void cil_name_init(struct cil_name **name);
void cil_nametypetransition_init(struct cil_nametypetransition **nametypetrans);
void cil_rangetransition_init(struct cil_rangetransition **rangetrans);
void cil_bool_init(struct cil_bool **cilbool);
void cil_boolif_init(struct cil_booleanif **bif);
void cil_condblock_init(struct cil_condblock **cb);
void cil_tunable_init(struct cil_tunable **ciltun);
void cil_tunif_init(struct cil_tunableif **tif);
void cil_avrule_init(struct cil_avrule **avrule);
void cil_permissionx_init(struct cil_permissionx **permx);
void cil_type_rule_init(struct cil_type_rule **type_rule);
void cil_roletransition_init(struct cil_roletransition **roletrans);
void cil_roleallow_init(struct cil_roleallow **role_allow);
void cil_catset_init(struct cil_catset **catset);
void cil_cats_init(struct cil_cats **cats);
void cil_senscat_init(struct cil_senscat **senscat);
void cil_filecon_init(struct cil_filecon **filecon);
void cil_ibpkeycon_init(struct cil_ibpkeycon **ibpkeycon);
void cil_portcon_init(struct cil_portcon **portcon);
void cil_nodecon_init(struct cil_nodecon **nodecon);
void cil_genfscon_init(struct cil_genfscon **genfscon);
void cil_pirqcon_init(struct cil_pirqcon **pirqcon);
void cil_iomemcon_init(struct cil_iomemcon **iomemcon);
void cil_ioportcon_init(struct cil_ioportcon **ioportcon);
void cil_pcidevicecon_init(struct cil_pcidevicecon **pcidevicecon);
void cil_devicetreecon_init(struct cil_devicetreecon **devicetreecon);
void cil_fsuse_init(struct cil_fsuse **fsuse);
void cil_constrain_init(struct cil_constrain **constrain);
void cil_validatetrans_init(struct cil_validatetrans **validtrans);
void cil_ipaddr_init(struct cil_ipaddr **ipaddr);
void cil_perm_init(struct cil_perm **perm);
void cil_classpermission_init(struct cil_classpermission **cp);
void cil_classpermissionset_init(struct cil_classpermissionset **cps);
void cil_classperms_set_init(struct cil_classperms_set **cp_set);
void cil_classperms_init(struct cil_classperms **cp);
void cil_classmapping_init(struct cil_classmapping **mapping);
void cil_user_init(struct cil_user **user);
void cil_userlevel_init(struct cil_userlevel **usrlvl);
void cil_userrange_init(struct cil_userrange **userrange);
void cil_role_init(struct cil_role **role);
void cil_type_init(struct cil_type **type);
void cil_cat_init(struct cil_cat **cat);
void cil_catorder_init(struct cil_catorder **catorder);
void cil_sensorder_init(struct cil_sensorder **sensorder);
void cil_args_init(struct cil_args **args);
void cil_call_init(struct cil_call **call);
void cil_optional_init(struct cil_optional **optional);
void cil_param_init(struct cil_param **param);
void cil_macro_init(struct cil_macro **macro);
void cil_policycap_init(struct cil_policycap **policycap);
void cil_bounds_init(struct cil_bounds **bounds);
void cil_default_init(struct cil_default **def);
void cil_defaultrange_init(struct cil_defaultrange **def);
void cil_handleunknown_init(struct cil_handleunknown **unk);
void cil_mls_init(struct cil_mls **mls);
void cil_src_info_init(struct cil_src_info **info);
void cil_userattribute_init(struct cil_userattribute **attribute);
void cil_userattributeset_init(struct cil_userattributeset **attrset);

#endif