/* Author : Joshua Brindle <jbrindle@tresys.com>
 *          Karl MacMillan <kmacmillan@tresys.com>
 *          Jason Tang <jtang@tresys.com>
 *          Added support for binary policy modules
 *
 * Copyright (C) 2004 - 2005 Tresys Technology, LLC
 *      This program is free software; you can redistribute it and/or modify
 *      it under the terms of the GNU General Public License as published by
 *      the Free Software Foundation, version 2.
 */

/* Interface between the checkpolicy parser and the module compiler:
 * declaring and requiring symbols, tracking scope (avrule_decl /
 * avrule_block nesting) and appending rules to the block being built.
 * NOTE(review): this header uses uint32_t and the *_datum_t, cond_list_t
 * and *_rule_t types without including the headers that define them; it
 * relies on the including .c file having pulled those in first. */

#ifndef MODULE_COMPILER_H
#define MODULE_COMPILER_H

#include <sepol/policydb/hashtab.h>

/* Called when checkpolicy begins to parse a policy -- either at the
 * very beginning for a kernel/base policy, or after the module header
 * for policy modules. Initialize the memory structures within.
 * Return 0 on success, -1 on error. */
int define_policy(int pass, int module_header_given);

/* Declare a symbol declaration to the current avrule_decl. Check
 * that insertion is allowed here and that the symbol does not already
 * exist. Returns 0 on success, 1 if symbol was already there (the datum
 * was not inserted, so the caller still owns it and needs to free() it),
 * -1 if declarations not allowed, -2 for duplicate declarations, -3 for
 * all else.
 */
int declare_symbol(uint32_t symbol_type,
		   hashtab_key_t key, hashtab_datum_t datum,
		   uint32_t * dest_value, uint32_t * datum_value);

/* Typed declarators for role, type and user symbols. Presumably each
 * wraps declare_symbol() for the identifier currently being parsed and
 * returns the resulting datum, or NULL on failure -- TODO confirm both
 * against module_compiler.c, which is not visible from this header.
 * 'isattr' marks an attribute rather than a concrete role/type;
 * 'primary' marks a type (as opposed to an alias). */
role_datum_t *declare_role(unsigned char isattr);
type_datum_t *declare_type(unsigned char primary, unsigned char isattr);
user_datum_t *declare_user(void);

/* Look up the local type/role datum named 'id' with the given value and
 * attribute flag. Whether a missing entry is created, and whether 'id'
 * is retained by the callee (it is passed as a non-const pointer), are
 * not visible from this header -- confirm against the implementation
 * before relying on either. */
type_datum_t *get_local_type(char *id, uint32_t value, unsigned char isattr);
role_datum_t *get_local_role(char *id, uint32_t value, unsigned char isattr);

/* Add a symbol to the current avrule_block's require section. Note
 * that a module may not both declare and require the same symbol.
 * Returns 0 on success, -1 on error.
 */
int require_symbol(uint32_t symbol_type,
		   hashtab_key_t key, hashtab_datum_t datum,
		   uint32_t * dest_value, uint32_t * datum_value);

/* Enable a permission for a class within the current avrule_decl.
 * Return 0 on success, -1 if out of memory. */
int add_perm_to_class(uint32_t perm_value, uint32_t class_value);

/* Functions called from REQUIRE blocks. Add the first symbol on the
 * id_queue to this avrule_decl's scope if not already there.
 * c.f. require_symbol(). */
int require_class(int pass);
int require_role(int pass);
int require_type(int pass);
int require_attribute(int pass);
int require_attribute_role(int pass);
int require_user(int pass);
int require_bool(int pass);
int require_tunable(int pass);
int require_sens(int pass);
int require_cat(int pass);

/* Check if an identifier is within the scope of the current
 * declaration or any of its parents. Return 1 if it is, 0 if not.
 * If the identifier is not known at all then return 1 (truth).
 * Note the permissive default: an unknown identifier reports as in
 * scope, so this is a scoping check only, not an existence check.
 * Callers that need to know whether the symbol exists must look it up
 * separately. */
int is_id_in_scope(uint32_t symbol_type, const_hashtab_key_t id);

/* Check if a particular permission is within the scope of the current
 * declaration or any of its parents. Return 1 if it is, 0 if not.
 * If the identifier is not known at all then return 1 (truth) -- the
 * same permissive default as is_id_in_scope(), with the same caveat. */
int is_perm_in_scope(const_hashtab_key_t perm_id, const_hashtab_key_t class_id);

/* Search the current avrules block for a conditional with the same
 * expression as 'cond'. If the conditional does not exist then
 * create one. Either way, return the conditional. (Whether NULL is
 * returned when creation fails is not stated here -- TODO confirm.) */
cond_list_t *get_current_cond_list(cond_list_t * cond);

/* Append rule to the current avrule_block. Whether the block takes
 * ownership of the passed rule (so the caller must not free it) is not
 * visible from this header -- TODO confirm against the implementation.
 */
void append_cond_list(cond_list_t * cond);
void append_avrule(avrule_t * avrule);
void append_role_trans(role_trans_rule_t * role_tr_rules);
void append_role_allow(role_allow_rule_t * role_allow_rules);
void append_range_trans(range_trans_rule_t * range_tr_rules);
void append_filename_trans(filename_trans_rule_t * filename_trans_rules);

/* Create a new optional block and add it to the global policy.
 * During the second pass resolve the block's requirements. Return 0
 * on success, -1 on error. end_optional() presumably closes the block
 * opened by begin_optional() for the same pass -- confirm against
 * module_compiler.c.
 */
int begin_optional(int pass);
int end_optional(int pass);

/* ELSE blocks are similar to normal blocks with the following two
 * limitations:
 *   - no declarations are allowed within else branches
 *   - no REQUIRES are allowed; the else branch inherits the parent's
 *     requirements
 */
int begin_optional_else(int pass);

/* Called whenever exiting an avrule block. Check that the block had
 * a non-empty REQUIRE section. If so pop the block off of the scope
 * stack and return 0. If not then send an error to yyerror and
 * return -1. */
int end_avrule_block(int pass);

#endif