• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Author : Joshua Brindle <jbrindle@tresys.com>
2  *	    Karl MacMillan <kmacmillan@tresys.com>
3  *          Jason Tang     <jtang@tresys.com>
4  *	Added support for binary policy modules
5  *
6  * Copyright (C) 2004 - 2005 Tresys Technology, LLC
7  *	This program is free software; you can redistribute it and/or modify
8  *  	it under the terms of the GNU General Public License as published by
9  *	the Free Software Foundation, version 2.
10  */
11 
12 #ifndef MODULE_COMPILER_H
13 #define MODULE_COMPILER_H
14 
15 #include <sepol/policydb/hashtab.h>
16 
17 /* Called when checkpolicy begins to parse a policy -- either at the
18  * very beginning for a kernel/base policy, or after the module header
19  * for policy modules.  Initialize the memory structures within.
20  * Return 0 on success, -1 on error. */
21 int define_policy(int pass, int module_header_given);
22 
23 /* Declare a symbol declaration to the current avrule_decl.  Check
24  * that insertion is allowed here and that the symbol does not already
25  * exist.  Returns 0 on success, 1 if symbol was already there (caller
26  * needs to free() the datum), -1 if declarations not allowed, -2 for
27  * duplicate declarations, -3 for all else.
28  */
29 int declare_symbol(uint32_t symbol_type,
30 		   hashtab_key_t key, hashtab_datum_t datum,
31 		   uint32_t * dest_value, uint32_t * datum_value);
32 
33 role_datum_t *declare_role(unsigned char isattr);
34 type_datum_t *declare_type(unsigned char primary, unsigned char isattr);
35 user_datum_t *declare_user(void);
36 
37 type_datum_t *get_local_type(char *id, uint32_t value, unsigned char isattr);
38 role_datum_t *get_local_role(char *id, uint32_t value, unsigned char isattr);
39 
40 /* Add a symbol to the current avrule_block's require section.  Note
41  * that a module may not both declare and require the same symbol.
42  * Returns 0 on success, -1 on error. */
43 int require_symbol(uint32_t symbol_type,
44 		   hashtab_key_t key, hashtab_datum_t datum,
45 		   uint32_t * dest_value, uint32_t * datum_value);
46 
47 /* Enable a permission for a class within the current avrule_decl.
48  * Return 0 on success, -1 if out of memory. */
49 int add_perm_to_class(uint32_t perm_value, uint32_t class_value);
50 
51 /* Functions called from REQUIRE blocks.  Add the first symbol on the
52  * id_queue to this avrule_decl's scope if not already there.
53  * c.f. require_symbol(). */
54 int require_class(int pass);
55 int require_role(int pass);
56 int require_type(int pass);
57 int require_attribute(int pass);
58 int require_attribute_role(int pass);
59 int require_user(int pass);
60 int require_bool(int pass);
61 int require_tunable(int pass);
62 int require_sens(int pass);
63 int require_cat(int pass);
64 
65 /* Check if an identifier is within the scope of the current
66  * declaration or any of its parents.  Return 1 if it is, 0 if not.
67  * If the identifier is not known at all then return 1 (truth).  */
68 int is_id_in_scope(uint32_t symbol_type, const_hashtab_key_t id);
69 
70 /* Check if a particular permission is within the scope of the current
71  * declaration or any of its parents.  Return 1 if it is, 0 if not.
72  * If the identifier is not known at all then return 1 (truth).  */
73 int is_perm_in_scope(const_hashtab_key_t perm_id, const_hashtab_key_t class_id);
74 
75 /* Search the current avrules block for a conditional with the same
76  * expression as 'cond'.  If the conditional does not exist then
77  * create one.  Either way, return the conditional. */
78 cond_list_t *get_current_cond_list(cond_list_t * cond);
79 
80 /* Append rule to the current avrule_block. */
81 void append_cond_list(cond_list_t * cond);
82 void append_avrule(avrule_t * avrule);
83 void append_role_trans(role_trans_rule_t * role_tr_rules);
84 void append_role_allow(role_allow_rule_t * role_allow_rules);
85 void append_range_trans(range_trans_rule_t * range_tr_rules);
86 void append_filename_trans(filename_trans_rule_t * filename_trans_rules);
87 
88 /* Create a new optional block and add it to the global policy.
89  * During the second pass resolve the block's requirements.  Return 0
90  * on success, -1 on error.
91  */
92 int begin_optional(int pass);
93 int end_optional(int pass);
94 
95 /* ELSE blocks are similar to normal blocks with the following two
96  * limitations:
97  *   - no declarations are allowed within else branches
98  *   - no REQUIRES are allowed; the else branch inherits the parent's
99  *     requirements
100  */
101 int begin_optional_else(int pass);
102 
103 /* Called whenever existing an avrule block.  Check that the block had
104  * a non-empty REQUIRE section.  If so pop the block off of the scop
105  * stack and return 0.  If not then send an error to yyerror and
106  * return -1. */
107 int end_avrule_block(int pass);
108 
109 #endif
110