1 /*
2  * Copyright 2011 Tresys Technology, LLC. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions are met:
6  *
7  *    1. Redistributions of source code must retain the above copyright notice,
8  *       this list of conditions and the following disclaimer.
9  *
10  *    2. Redistributions in binary form must reproduce the above copyright notice,
11  *       this list of conditions and the following disclaimer in the documentation
12  *       and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY TRESYS TECHNOLOGY, LLC ``AS IS'' AND ANY EXPRESS
15  * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
16  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
17  * EVENT SHALL TRESYS TECHNOLOGY, LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
18  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
19  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
21  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
22  * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
23  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  *
25  * The views and conclusions contained in the software and documentation are those
26  * of the authors and should not be interpreted as representing official policies,
27  * either expressed or implied, of Tresys Technology, LLC.
28  */
29 
30 #ifndef CIL_INTERNAL_H_
31 #define CIL_INTERNAL_H_
32 
33 #include <stdlib.h>
34 #include <stdio.h>
35 #include <stdint.h>
36 #include <arpa/inet.h>
37 
38 #include <sepol/policydb/services.h>
39 #include <sepol/policydb/policydb.h>
40 #include <sepol/policydb/flask_types.h>
41 
42 #include <cil/cil.h>
43 
44 #include "cil_flavor.h"
45 #include "cil_tree.h"
46 #include "cil_symtab.h"
47 #include "cil_mem.h"
48 
/* Upper bound on the length of a name in CIL source.  Where this limit is
 * enforced (lexer, parser, or symtab insertion) is not visible in this header;
 * callers that build names into fixed buffers should size them from this. */
#define CIL_MAX_NAME_LENGTH 2048
50 
51 
/* Resolution passes over the AST.  CIL_PASS_NUM is the count (one past the
 * last real pass) and is used as an array bound; the declaration order is
 * presumably the order the resolver runs them — confirm in the resolver. */
enum cil_pass {
	CIL_PASS_INIT = 0,

	CIL_PASS_TIF,		/* tunableif */
	CIL_PASS_IN,
	CIL_PASS_BLKIN_LINK,	/* blockinherit: link, then copy */
	CIL_PASS_BLKIN_COPY,
	CIL_PASS_BLKABS,	/* blockabstract */
	CIL_PASS_MACRO,
	CIL_PASS_CALL1,
	CIL_PASS_CALL2,
	CIL_PASS_ALIAS1,
	CIL_PASS_ALIAS2,
	CIL_PASS_MISC1,
	CIL_PASS_MLS,
	CIL_PASS_MISC2,
	CIL_PASS_MISC3,

	CIL_PASS_NUM		/* number of passes, not a pass */
};
72 
73 
/*
	Keywords

	String constants for every keyword the parser recognises.  They are
	assigned at runtime elsewhere (not visible in this header).

	NOTE(review): these are tentative definitions, not declarations.  Every
	translation unit that includes this header therefore defines each
	CIL_KEY_* object, which only links when the toolchain merges common
	symbols (-fcommon).  With -fno-common, the default in newer GCC releases,
	this produces multiple-definition link errors.  The fix is `extern` on
	each line here plus exactly one definition in a .c file; it is left
	unchanged because that .c file is not in view.
*/
char *CIL_KEY_CONS_T1;
char *CIL_KEY_CONS_T2;
char *CIL_KEY_CONS_T3;
char *CIL_KEY_CONS_R1;
char *CIL_KEY_CONS_R2;
char *CIL_KEY_CONS_R3;
char *CIL_KEY_CONS_U1;
char *CIL_KEY_CONS_U2;
char *CIL_KEY_CONS_U3;
char *CIL_KEY_CONS_L1;
char *CIL_KEY_CONS_L2;
char *CIL_KEY_CONS_H1;
char *CIL_KEY_CONS_H2;
char *CIL_KEY_AND;
char *CIL_KEY_OR;
char *CIL_KEY_NOT;
char *CIL_KEY_EQ;
char *CIL_KEY_NEQ;
char *CIL_KEY_CONS_DOM;
char *CIL_KEY_CONS_DOMBY;
char *CIL_KEY_CONS_INCOMP;
char *CIL_KEY_CONDTRUE;
char *CIL_KEY_CONDFALSE;
char *CIL_KEY_SELF;
char *CIL_KEY_OBJECT_R;
char *CIL_KEY_STAR;
char *CIL_KEY_TCP;
char *CIL_KEY_UDP;
char *CIL_KEY_DCCP;
char *CIL_KEY_AUDITALLOW;
char *CIL_KEY_TUNABLEIF;
char *CIL_KEY_ALLOW;
char *CIL_KEY_DONTAUDIT;
char *CIL_KEY_TYPETRANSITION;
char *CIL_KEY_TYPECHANGE;
char *CIL_KEY_CALL;
char *CIL_KEY_TUNABLE;
char *CIL_KEY_XOR;
char *CIL_KEY_ALL;
char *CIL_KEY_RANGE;
char *CIL_KEY_GLOB;
char *CIL_KEY_FILE;
char *CIL_KEY_DIR;
char *CIL_KEY_CHAR;
char *CIL_KEY_BLOCK;
char *CIL_KEY_SOCKET;
char *CIL_KEY_PIPE;
char *CIL_KEY_SYMLINK;
char *CIL_KEY_ANY;
char *CIL_KEY_XATTR;
char *CIL_KEY_TASK;
char *CIL_KEY_TRANS;
char *CIL_KEY_TYPE;
char *CIL_KEY_ROLE;
char *CIL_KEY_USER;
char *CIL_KEY_USERATTRIBUTE;
char *CIL_KEY_USERATTRIBUTESET;
char *CIL_KEY_SENSITIVITY;
char *CIL_KEY_CATEGORY;
char *CIL_KEY_CATSET;
char *CIL_KEY_LEVEL;
char *CIL_KEY_LEVELRANGE;
char *CIL_KEY_CLASS;
char *CIL_KEY_IPADDR;
char *CIL_KEY_MAP_CLASS;
char *CIL_KEY_CLASSPERMISSION;
char *CIL_KEY_BOOL;
char *CIL_KEY_STRING;
char *CIL_KEY_NAME;
char *CIL_KEY_SOURCE;
char *CIL_KEY_TARGET;
char *CIL_KEY_LOW;
char *CIL_KEY_HIGH;
char *CIL_KEY_LOW_HIGH;
char *CIL_KEY_HANDLEUNKNOWN;
char *CIL_KEY_HANDLEUNKNOWN_ALLOW;
char *CIL_KEY_HANDLEUNKNOWN_DENY;
char *CIL_KEY_HANDLEUNKNOWN_REJECT;
char *CIL_KEY_MACRO;
char *CIL_KEY_IN;
char *CIL_KEY_MLS;
char *CIL_KEY_DEFAULTRANGE;
char *CIL_KEY_BLOCKINHERIT;
char *CIL_KEY_BLOCKABSTRACT;
char *CIL_KEY_CLASSORDER;
char *CIL_KEY_CLASSMAPPING;
char *CIL_KEY_CLASSPERMISSIONSET;
char *CIL_KEY_COMMON;
char *CIL_KEY_CLASSCOMMON;
char *CIL_KEY_SID;
char *CIL_KEY_SIDCONTEXT;
char *CIL_KEY_SIDORDER;
char *CIL_KEY_USERLEVEL;
char *CIL_KEY_USERRANGE;
char *CIL_KEY_USERBOUNDS;
char *CIL_KEY_USERPREFIX;
char *CIL_KEY_SELINUXUSER;
char *CIL_KEY_SELINUXUSERDEFAULT;
char *CIL_KEY_TYPEATTRIBUTE;
char *CIL_KEY_TYPEATTRIBUTESET;
char *CIL_KEY_EXPANDTYPEATTRIBUTE;
char *CIL_KEY_TYPEALIAS;
char *CIL_KEY_TYPEALIASACTUAL;
char *CIL_KEY_TYPEBOUNDS;
char *CIL_KEY_TYPEPERMISSIVE;
char *CIL_KEY_RANGETRANSITION;
char *CIL_KEY_USERROLE;
char *CIL_KEY_ROLETYPE;
char *CIL_KEY_ROLETRANSITION;
char *CIL_KEY_ROLEALLOW;
char *CIL_KEY_ROLEATTRIBUTE;
char *CIL_KEY_ROLEATTRIBUTESET;
char *CIL_KEY_ROLEBOUNDS;
char *CIL_KEY_BOOLEANIF;
char *CIL_KEY_NEVERALLOW;
char *CIL_KEY_TYPEMEMBER;
char *CIL_KEY_SENSALIAS;
char *CIL_KEY_SENSALIASACTUAL;
char *CIL_KEY_CATALIAS;
char *CIL_KEY_CATALIASACTUAL;
char *CIL_KEY_CATORDER;
char *CIL_KEY_SENSITIVITYORDER;
char *CIL_KEY_SENSCAT;
char *CIL_KEY_CONSTRAIN;
char *CIL_KEY_MLSCONSTRAIN;
char *CIL_KEY_VALIDATETRANS;
char *CIL_KEY_MLSVALIDATETRANS;
char *CIL_KEY_CONTEXT;
char *CIL_KEY_FILECON;
char *CIL_KEY_PORTCON;
char *CIL_KEY_NODECON;
char *CIL_KEY_GENFSCON;
char *CIL_KEY_NETIFCON;
char *CIL_KEY_PIRQCON;
char *CIL_KEY_IOMEMCON;
char *CIL_KEY_IOPORTCON;
char *CIL_KEY_PCIDEVICECON;
char *CIL_KEY_DEVICETREECON;
char *CIL_KEY_FSUSE;
char *CIL_KEY_POLICYCAP;
char *CIL_KEY_OPTIONAL;
char *CIL_KEY_DEFAULTUSER;
char *CIL_KEY_DEFAULTROLE;
char *CIL_KEY_DEFAULTTYPE;
char *CIL_KEY_ROOT;
char *CIL_KEY_NODE;
char *CIL_KEY_PERM;
char *CIL_KEY_ALLOWX;
char *CIL_KEY_AUDITALLOWX;
char *CIL_KEY_DONTAUDITX;
char *CIL_KEY_NEVERALLOWX;
char *CIL_KEY_PERMISSIONX;
char *CIL_KEY_IOCTL;
char *CIL_KEY_UNORDERED;
char *CIL_KEY_SRC_INFO;
char *CIL_KEY_SRC_CIL;
char *CIL_KEY_SRC_HLL;
234 
/*
	Symbol Table Array Indices

	Index into the symtab[CIL_SYM_NUM] arrays carried by the scope structs
	below (cil_root, cil_block, cil_in, cil_macro, cil_condblock).  Only the
	values before CIL_SYM_NUM are array slots; CIL_SYM_UNKNOWN and
	CIL_SYM_PERMS sit past the bound on purpose and must never be used to
	index those arrays.
*/
enum cil_sym_index {
	CIL_SYM_BLOCKS = 0,
	CIL_SYM_USERS,
	CIL_SYM_ROLES,
	CIL_SYM_TYPES,
	CIL_SYM_COMMONS,
	CIL_SYM_CLASSES,
	CIL_SYM_CLASSPERMSETS,
	CIL_SYM_BOOLS,
	CIL_SYM_TUNABLES,
	CIL_SYM_SENS,
	CIL_SYM_CATS,
	CIL_SYM_SIDS,
	CIL_SYM_CONTEXTS,
	CIL_SYM_LEVELS,
	CIL_SYM_LEVELRANGES,
	CIL_SYM_POLICYCAPS,
	CIL_SYM_IPADDRS,
	CIL_SYM_NAMES,
	CIL_SYM_PERMX,
	CIL_SYM_NUM,		// number of symtabs in each array; not a valid index
	CIL_SYM_UNKNOWN,	// "no symtab" marker, out of array range
	CIL_SYM_PERMS	// Special case for permissions. This symtab is not included in arrays
};
262 
/* Kinds of scope that own a symtab array; selects the row of cil_sym_sizes
 * (declared below) that gives the initial size of each symtab in that scope.
 * CIL_SYM_ARRAY_NUM is the row count, not a scope. */
enum cil_sym_array {
	CIL_SYM_ARRAY_ROOT = 0,
	CIL_SYM_ARRAY_BLOCK,
	CIL_SYM_ARRAY_IN,
	CIL_SYM_ARRAY_MACRO,
	CIL_SYM_ARRAY_CONDBLOCK,
	CIL_SYM_ARRAY_NUM
};
271 
/* Initial hash-table size for each symtab, by scope kind and symbol kind.
 * A row (cil_sym_sizes[CIL_SYM_ARRAY_*]) has exactly the type that
 * cil_symtab_array_init() below takes as symtab_sizes.  Defined in a .c file. */
extern int cil_sym_sizes[CIL_SYM_ARRAY_NUM][CIL_SYM_NUM];

/* Initial size of a class's permission symtab. */
#define CIL_CLASS_SYM_SIZE	256
/* Number of permission bits available to one class: the width of the sepol
 * access vector in bits.  The "* 8" assumes 8-bit bytes (CHAR_BIT). */
#define CIL_PERMS_PER_CLASS (sizeof(sepol_access_vector_t) * 8)
276 
/* Top-level compiler state: the parse tree and AST, the global order lists,
 * the sorted per-statement tables for the *con statements, object counts and
 * value lookup tables, and the policy-wide options.  Created by cil_db_init()
 * and released by cil_db_destroy() (declared at the end of this header).
 *
 * NOTE(review): the option fields (disable_dontaudit, disable_neverallow,
 * preserve_tunables, handle_unknown, mls, target_platform, policy_version)
 * change what the compiler emits or enforces; only their names are visible
 * here, so confirm their exact meaning and accepted values in the code that
 * reads them before exposing any of them to new callers. */
struct cil_db {
	struct cil_tree *parse;			/* parse tree built from the source text */
	struct cil_tree *ast;			/* AST built from the parse tree */
	struct cil_type *selftype;		/* presumably the datum standing in for "self" — confirm */
	struct cil_list *sidorder;		/* global orderings gathered from *order statements */
	struct cil_list *classorder;
	struct cil_list *catorder;
	struct cil_list *sensitivityorder;
	struct cil_sort *netifcon;		/* sorted tables, one per *con / fsuse statement kind */
	struct cil_sort *genfscon;
	struct cil_sort *filecon;
	struct cil_sort *nodecon;
	struct cil_sort *portcon;
	struct cil_sort *pirqcon;
	struct cil_sort *iomemcon;
	struct cil_sort *ioportcon;
	struct cil_sort *pcidevicecon;
	struct cil_sort *devicetreecon;
	struct cil_sort *fsuse;
	struct cil_list *userprefixes;		/* inputs for cil_userprefixes_to_string() */
	struct cil_list *selinuxusers;		/* inputs for cil_selinuxusers_to_string() */
	struct cil_list *names;
	int num_types_and_attrs;		/* object counts; when they are final is not visible here */
	int num_classes;
	int num_cats;
	int num_types;
	int num_roles;
	int num_users;
	struct cil_type **val_to_type;		/* value -> datum tables; presumably indexed by the */
	struct cil_role **val_to_role;		/* datum's `value` field and sized by num_* — confirm */
	struct cil_user **val_to_user;
	int disable_dontaudit;			/* policy-wide options, see NOTE above */
	int disable_neverallow;
	int attrs_expand_generated;
	unsigned attrs_expand_size;
	int preserve_tunables;
	int handle_unknown;
	int mls;
	int target_platform;
	int policy_version;
};
318 
/* Global scope: one symtab per cil_sym_index slot (CIL_SYM_PERMS is kept
 * elsewhere, see the enum).  Sized with the CIL_SYM_ARRAY_ROOT row of
 * cil_sym_sizes; created/destroyed by cil_root_init()/cil_root_destroy(). */
struct cil_root {
	symtab_t symtab[CIL_SYM_NUM];
};
322 
/* Growable array of same-flavor objects used for the *con tables in cil_db.
 * `array` holds `count` untyped pointers whose real type is given by `flavor`;
 * what `index` tracks (presumably the next free slot) is not visible here —
 * confirm in cil_sort_init()/its users before relying on it. */
struct cil_sort {
	enum cil_flavor flavor;
	uint32_t count;
	uint32_t index;
	void **array;
};
329 
/* A named `block` scope.  Carries its own symtab array (the CIL_SYM_ARRAY_BLOCK
 * row of cil_sym_sizes).  is_abstract is set by a blockabstract statement;
 * bi_nodes presumably lists the blockinherit nodes that refer to this block —
 * confirm in the resolver. */
struct cil_block {
	struct cil_symtab_datum datum;
	symtab_t symtab[CIL_SYM_NUM];
	uint16_t is_abstract;
	struct cil_list *bi_nodes;
};
336 
/* `blockinherit` statement: block_str is the inherited block's name as
 * written; block is the datum it resolves to (NULL until resolved, presumably). */
struct cil_blockinherit {
	char *block_str;
	struct cil_block *block;
};
341 
/* `blockabstract` statement: names the block to mark abstract (see
 * cil_block.is_abstract).  Only the unresolved name is stored. */
struct cil_blockabstract {
	char *block_str;
};
345 
/* `in` statement: a scope whose contents are inserted into the block named
 * by block_str.  Has its own symtab array (CIL_SYM_ARRAY_IN row). */
struct cil_in {
	symtab_t symtab[CIL_SYM_NUM];
	char *block_str;
};
350 
/* `optional` block: a named scope that can be dropped as a whole; `enabled`
 * records whether it survived (presumably CIL_TRUE/CIL_FALSE, defined later
 * in this header — confirm). */
struct cil_optional {
	struct cil_symtab_datum datum;
	int enabled;
};
355 
/* A permission inside a class (kernel class or map class).  `value` is the
 * permission's number within its class; the class's bit budget is
 * CIL_PERMS_PER_CLASS. */
struct cil_perm {
	struct cil_symtab_datum datum;
	unsigned int value;
	struct cil_list *classperms; /* Only used for map perms */
};
361 
/* A class (kernel class, common, or map class).  `perms` is the per-class
 * permission symtab (initial size CIL_CLASS_SYM_SIZE); num_perms counts its
 * entries.  Where num_perms is checked against CIL_PERMS_PER_CLASS is not
 * visible in this header. */
struct cil_class {
	struct cil_symtab_datum datum;
	symtab_t perms;
	unsigned int num_perms;
	struct cil_class *common; /* Only used for kernel class */
	uint32_t ordered; /* Only used for kernel class */
};
369 
/* `classorder` statement: the class names, in the order written.  Merged into
 * cil_db.classorder presumably. */
struct cil_classorder {
	struct cil_list *class_list_str;
};
373 
/* A reference to a named classpermission: set_str as written, set once
 * resolved. */
struct cil_classperms_set {
	char *set_str;
	struct cil_classpermission *set;
};
378 
/* One "(class (perm ...))" pair: class_str/perm_strs as written, class/perms
 * as resolved.  perms is presumably a list of struct cil_perm — confirm. */
struct cil_classperms {
	char *class_str;
	struct cil_class *class;
	struct cil_list *perm_strs;
	struct cil_list *perms;
};
385 
/* `classpermission` declaration: a named, reusable list of class/permission
 * pairs (filled by classpermissionset). */
struct cil_classpermission {
	struct cil_symtab_datum datum;
	struct cil_list *classperms;
};
390 
/* `classpermissionset` statement: adds classperms to the classpermission named
 * by set_str. */
struct cil_classpermissionset {
	char *set_str;
	struct cil_list *classperms;
};
395 
/* `classmapping` statement: maps one permission of a map class onto a list of
 * kernel class/permission pairs.  Only names are stored here. */
struct cil_classmapping {
	char *map_class_str;
	char *map_perm_str;
	struct cil_list *classperms;
};
401 
/* `classcommon` statement: attaches the common named common_str to the class
 * named class_str (resolves into cil_class.common presumably). */
struct cil_classcommon {
	char *class_str;
	char *common_str;
};
406 
/* An alias (type, sensitivity or category alias).  `actual` is untyped
 * because the same struct serves all alias flavors; the datum's flavor says
 * which struct it really points at. */
struct cil_alias {
	struct cil_symtab_datum datum;
	void *actual;
};
411 
/* `*aliasactual` statement: binds the alias named alias_str to the object
 * named actual_str (fills cil_alias.actual presumably). */
struct cil_aliasactual {
	char *alias_str;
	char *actual_str;
};
416 
/* A security identifier declaration.  `context` is attached by sidcontext;
 * `ordered` is presumably set when the sid appears in a sidorder — confirm. */
struct cil_sid {
	struct cil_symtab_datum datum;
	struct cil_context *context;
	uint32_t ordered;
};
422 
/* `sidcontext` statement: gives the sid named sid_str the context named (or
 * written inline as) context_str; `context` is the resolved object. */
struct cil_sidcontext {
	char *sid_str;
	char *context_str;
	struct cil_context *context;
};
428 
/* `sidorder` statement: sid names in the order written. */
struct cil_sidorder {
	struct cil_list *sid_list_str;
};
432 
/* A user declaration.  bounds is set by userbounds, roles by userrole,
 * dftlevel by userlevel and range by userrange; `value` is the number used by
 * cil_db.val_to_user (presumably — confirm where it is assigned). */
struct cil_user {
	struct cil_symtab_datum datum;
	struct cil_user *bounds;
	ebitmap_t *roles;
	struct cil_level *dftlevel;
	struct cil_levelrange *range;
	int value;
};
441 
/* A user attribute: expr_list collects the userattributeset expressions,
 * `users` is the evaluated membership bitmap. */
struct cil_userattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *users;
};
447 
/* `userattributeset` statement: a set expression over users, kept both as
 * written (str_expr) and as resolved datums (datum_expr). */
struct cil_userattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};
453 
/* `userrole` statement.  user/role are void* because either side may resolve
 * to an attribute as well as a plain user/role (compare cil_roletype). */
struct cil_userrole {
	char *user_str;
	void *user;
	char *role_str;
	void *role;
};
460 
/* `userlevel` statement: default level for the user named user_str. */
struct cil_userlevel {
	char *user_str;
	char *level_str;
	struct cil_level *level;
};
466 
/* `userrange` statement: allowed MLS range for the user named user_str. */
struct cil_userrange {
	char *user_str;
	char *range_str;
	struct cil_levelrange *range;
};
472 
/* `userprefix` statement; collected into cil_db.userprefixes and emitted by
 * cil_userprefixes_to_string(). */
struct cil_userprefix {
	char *user_str;
	struct cil_user *user;
	char *prefix_str;
};
478 
/* `selinuxuser` / `selinuxuserdefault` statement: maps a Linux user name
 * (name_str) to a policy user and range.  Collected into cil_db.selinuxusers
 * and emitted by cil_selinuxusers_to_string(). */
struct cil_selinuxuser {
	char *name_str;
	char *user_str;
	struct cil_user *user;
	char *range_str;
	struct cil_levelrange *range;
};
486 
/* A role declaration.  bounds is set by rolebounds, types by roletype;
 * `value` is the number used by cil_db.val_to_role (presumably). */
struct cil_role {
	struct cil_symtab_datum datum;
	struct cil_role *bounds;
	ebitmap_t *types;
	int value;
};
493 
/* A role attribute: expr_list collects the roleattributeset expressions,
 * `roles` is the evaluated membership bitmap. */
struct cil_roleattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *roles;
};
499 
/* `roleattributeset` statement: a set expression over roles, as written
 * (str_expr) and as resolved datums (datum_expr). */
struct cil_roleattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};
505 
/* `roletype` statement: authorises a role (or role attribute) for a type
 * (or alias/attribute); see the per-field comments for why the pointers are
 * untyped. */
struct cil_roletype {
	char *role_str;
	void *role; /* role or attribute */
	char *type_str;
	void *type; /* type, alias, or attribute */
};
512 
/* A type declaration.  bounds is set by typebounds; `value` is the number
 * used by cil_db.val_to_type (presumably). */
struct cil_type	{
	struct cil_symtab_datum datum;
	struct cil_type *bounds;
	int value;
};
518 
/* Bits recording where a type attribute was used.  They appear to be the flag
 * values stored in cil_typeattribute.used below — confirm in the code that
 * sets `used` before relying on that. */
#define CIL_ATTR_AVRULE		(1 << 0)
#define CIL_ATTR_NEVERALLOW	(1 << 1)
#define CIL_ATTR_CONSTRAINT	(1 << 2)
#define CIL_ATTR_EXPAND_TRUE	(1 << 3)
#define CIL_ATTR_EXPAND_FALSE	(1 << 4)
/* A type attribute: expr_list collects the typeattributeset expressions,
 * `types` is the evaluated membership bitmap. */
struct cil_typeattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *types;
	int used;	// whether or not this attribute was used in a binary policy rule
};
530 
/* `typeattributeset` statement: a set expression over types, as written
 * (str_expr) and as resolved datums (datum_expr). */
struct cil_typeattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};
536 
/* `expandtypeattribute` statement: for the listed attributes, `expand`
 * presumably selects CIL_ATTR_EXPAND_TRUE vs CIL_ATTR_EXPAND_FALSE — confirm. */
struct cil_expandtypeattribute {
	struct cil_list *attr_strs;
	struct cil_list *attr_datums;
	int expand;
};
542 
/* `typepermissive` statement: marks a type as permissive (denials are logged
 * but not enforced at runtime).  Worth auditing in any policy review. */
struct cil_typepermissive {
	char *type_str;
	void *type; /* type or alias */
};
547 
/* A string object used by nametypetransition (the file-name match).  Lives in
 * the CIL_SYM_NAMES symtab; name_str is the literal text. */
struct cil_name {
	struct cil_symtab_datum datum;
	char *name_str;
};
552 
/* Named `typetransition`: like cil_type_rule for CIL_TYPE_TRANSITION but with
 * an extra object-name match (name_str / name).  Each *_str is the text as
 * written; the pointer beside it is the resolved object. */
struct cil_nametypetransition {
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *name_str;
	struct cil_name *name;
	char *result_str;
	void *result; /* type or alias */

};
566 
/* `rangetransition` statement: MLS range assigned when src executes exec for
 * class obj.  Each *_str is the text as written; the pointer beside it is the
 * resolved object. */
struct cil_rangetransition {
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *exec_str;
	void *exec; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *range_str;
	struct cil_levelrange *range;
};
577 
/* A boolean declaration with its default value (presumably CIL_TRUE/CIL_FALSE,
 * defined later in this header). */
struct cil_bool {
	struct cil_symtab_datum datum;
	uint16_t value;
};
582 
/* A tunable declaration with its value; same layout as cil_bool.  Tunables are
 * resolved at compile time unless cil_db.preserve_tunables is set (presumably). */
struct cil_tunable {
	struct cil_symtab_datum datum;
	uint16_t value;
};
587 
/* Access-vector rule kinds, stored in cil_avrule.rule_kind.  The values mirror
 * sepol's AVRULE_* constants from <sepol/policydb/policydb.h>.
 *
 * NOTE(review): CIL_AVRULE_AV is built from sepol's AVRULE_* names rather than
 * the CIL_AVRULE_* names defined just above it, so the two sets must stay in
 * step by hand; using the CIL_ names here would make that automatic. */
#define CIL_AVRULE_ALLOWED     1
#define CIL_AVRULE_AUDITALLOW  2
#define CIL_AVRULE_DONTAUDIT   8
#define CIL_AVRULE_NEVERALLOW 128
#define CIL_AVRULE_AV         (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW)
/* allow / auditallow / dontaudit / neverallow and their extended (X) forms.
 * is_extended selects the live union member: perms.classperms for the plain
 * form, perms.x for the extended-permission form (presumably — confirm). */
struct cil_avrule {
	int is_extended;
	uint32_t rule_kind;
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	union {
		struct cil_list *classperms;
		struct {
			char *permx_str;
			struct cil_permissionx *permx;
		} x;
	} perms;
};
608 
/* Extended-permission kinds for cil_permissionx.kind; only ioctl exists. */
#define CIL_PERMX_KIND_IOCTL 1
/* `permissionx` declaration: a named set of extended permissions (ioctl
 * numbers) for class obj.  expr_str is the set expression as written; perms
 * is the evaluated bitmap. */
struct cil_permissionx {
	struct cil_symtab_datum datum;
	uint32_t kind;
	char *obj_str;
	struct cil_class *obj;
	struct cil_list *expr_str;
	ebitmap_t *perms;
};
618 
/* Type-rule kinds, stored in cil_type_rule.rule_kind; disjoint from the
 * CIL_AVRULE_* bits above.  The values mirror sepol's AVRULE_* constants.
 *
 * NOTE(review): as with CIL_AVRULE_AV, CIL_AVRULE_TYPE is written with sepol's
 * AVRULE_* names instead of the CIL_TYPE_* names just above it. */
#define CIL_TYPE_TRANSITION 16
#define CIL_TYPE_MEMBER     32
#define CIL_TYPE_CHANGE     64
#define CIL_AVRULE_TYPE       (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE)
/* typetransition / typemember / typechange.  Each *_str is the text as
 * written; the pointer beside it is the resolved object. */
struct cil_type_rule {
	uint32_t rule_kind;
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *result_str;
	void *result; /* type or alias */
};
634 
/* `roletransition` statement.  src and result are plain roles (typed
 * pointers); tgt may be a type, alias or attribute, hence void*. */
struct cil_roletransition {
	char *src_str;
	struct cil_role *src;
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *result_str;
	struct cil_role *result;
};
645 
/* `roleallow` statement: permits a transition from src to tgt role; either
 * side may be a role attribute, hence void*. */
struct cil_roleallow {
	char *src_str;
	void *src; /* role or attribute */
	char *tgt_str;
	void *tgt; /* role or attribute */
};
652 
/* A sensitivity declaration.  cats_list gathers the senscat statements;
 * `ordered` is presumably set by sensitivityorder — confirm. */
struct cil_sens {
	struct cil_symtab_datum datum;
	struct cil_list *cats_list;
	uint32_t ordered;
};
658 
/* `sensitivityorder` statement: sensitivity names in the order written. */
struct cil_sensorder {
	struct cil_list *sens_list_str;
};
662 
/* A category declaration.  `ordered` is presumably set by catorder and
 * `value` assigned from that order — confirm. */
struct cil_cat {
	struct cil_symtab_datum datum;
	uint32_t ordered;
	int value;
};
668 
/* A category set expression: str_expr as written, datum_expr resolved;
 * `evaluated` flags that the expression has been reduced (presumably to a
 * flat list — confirm). */
struct cil_cats {
	uint32_t evaluated;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};
674 
/* `categoryset` declaration: a named cil_cats. */
struct cil_catset {
	struct cil_symtab_datum datum;
	struct cil_cats *cats;
};
679 
/* `categoryorder` statement: category names in the order written. */
struct cil_catorder {
	struct cil_list *cat_list_str;
};
683 
/* `sensitivitycategory` statement: the categories allowed with sens_str. */
struct cil_senscat {
	char *sens_str;
	struct cil_cats *cats;
};
688 
/* An MLS level: a sensitivity plus a category set.  Named levels live in the
 * CIL_SYM_LEVELS symtab; anonymous ones presumably use the same struct with
 * an unnamed datum — confirm. */
struct cil_level {
	struct cil_symtab_datum datum;
	char *sens_str;
	struct cil_sens *sens;
	struct cil_cats *cats;
};
695 
/* An MLS range (low level, high level).  Whether low dominates high is checked
 * elsewhere, not by the type. */
struct cil_levelrange {
	struct cil_symtab_datum datum;
	char *low_str;
	struct cil_level *low;
	char *high_str;
	struct cil_level *high;
};
703 
/* A security context (user:role:type:range).  Each *_str is the text as
 * written; the pointer beside it is the resolved object.  range is only
 * meaningful in an MLS policy (cil_db.mls). */
struct cil_context {
	struct cil_symtab_datum datum;
	char *user_str;
	struct cil_user *user;
	char *role_str;
	struct cil_role *role;
	char *type_str;
	void *type; /* type or alias */
	char *range_str;
	struct cil_levelrange *range;
};
715 
/* File type selector for filecon.  Starts at 1 so that 0 is never a valid
 * type (a zeroed struct is detectably unset). */
enum cil_filecon_types {
	CIL_FILECON_FILE = 1,
	CIL_FILECON_DIR,
	CIL_FILECON_CHAR,
	CIL_FILECON_BLOCK,
	CIL_FILECON_SOCKET,
	CIL_FILECON_PIPE,
	CIL_FILECON_SYMLINK,
	CIL_FILECON_ANY
};
726 
/* `filecon` statement: labels paths matching path_str (a pattern; its syntax
 * is not defined here) of the given file type.  Collected into
 * cil_db.filecon and emitted by cil_filecons_to_string(). */
struct cil_filecon {
	char *path_str;
	enum cil_filecon_types type;
	char *context_str;
	struct cil_context *context;
};
733 
/* Transport protocol for portcon; starts at 1 so 0 means "unset". */
enum cil_protocol {
	CIL_PROTOCOL_UDP = 1,
	CIL_PROTOCOL_TCP,
	CIL_PROTOCOL_DCCP
};
739 
/* `portcon` statement: labels the port range [port_low, port_high] for proto.
 *
 * NOTE(review): port_low/port_high are 32-bit, wider than a transport port
 * number.  The 0..65535 check and low <= high must happen where the statement
 * is parsed or resolved; nothing in this header enforces it. */
struct cil_portcon {
	enum cil_protocol proto;
	uint32_t port_low;
	uint32_t port_high;
	char *context_str;
	struct cil_context *context;
};
747 
/* `nodecon` statement: labels the network nodes matching addr/mask.  Each
 * *_str is the text as written; the pointer beside it is the resolved object.
 * That addr and mask are of the same address family is not guaranteed by the
 * type — check where nodecon is resolved. */
struct cil_nodecon {
	char *addr_str;
	struct cil_ipaddr *addr;
	char *mask_str;
	struct cil_ipaddr *mask;
	char *context_str;
	struct cil_context *context;
};
756 
/* An IP address (named via `ipaddr`, or written inline).  `family` selects the
 * live union member — presumably AF_INET for ip.v4 and AF_INET6 for ip.v6, as
 * provided by <arpa/inet.h>; confirm in cil_ipaddr_init()/the parser. */
struct cil_ipaddr {
	struct cil_symtab_datum datum;
	int family;
	union {
		struct in_addr v4;
		struct in6_addr v6;
	} ip;
};
765 
/* `genfscon` statement: labels path_str on filesystem fs_str. */
struct cil_genfscon {
	char *fs_str;
	char *path_str;
	char *context_str;
	struct cil_context *context;
};
772 
/* `netifcon` statement: one context for the interface itself and one for
 * packets on it.  The trailing context_str has no matching pointer field;
 * its role is not visible here — confirm in the parser before using it. */
struct cil_netifcon {
	char *interface_str;
	char *if_context_str;
	struct cil_context *if_context;
	char *packet_context_str;
	struct cil_context *packet_context;
	char *context_str;
};
781 
/* `pirqcon` statement (Xen): labels interrupt number pirq. */
struct cil_pirqcon {
	uint32_t pirq;
	char *context_str;
	struct cil_context *context;
};
787 
/* `iomemcon` statement (Xen): labels the memory range [iomem_low, iomem_high].
 * low <= high is not enforced by the type. */
struct cil_iomemcon {
	uint64_t iomem_low;
	uint64_t iomem_high;
	char *context_str;
	struct cil_context *context;
};
794 
/* `ioportcon` statement (Xen): labels the I/O port range
 * [ioport_low, ioport_high].  low <= high is not enforced by the type. */
struct cil_ioportcon {
	uint32_t ioport_low;
	uint32_t ioport_high;
	char *context_str;
	struct cil_context *context;
};
801 
/* `pcidevicecon` statement (Xen): labels PCI device number dev. */
struct cil_pcidevicecon {
	uint32_t dev;
	char *context_str;
	struct cil_context *context;
};
807 
/* `devicetreecon` statement (Xen): labels the device-tree node at path.
 * NOTE(review): the field is named `path`, whereas cil_filecon and
 * cil_genfscon use `path_str` for the same kind of value; renaming would
 * touch callers, so it is only flagged here. */
struct cil_devicetreecon {
	char *path;
	char *context_str;
	struct cil_context *context;
};
813 
814 
/* Ensure that CIL uses the same values as sepol services.h */
/* Labeling behaviour for fsuse: xattr (labels stored on the filesystem),
 * task (label of the creating task) or trans (transition rules). */
enum cil_fsuse_types {
	CIL_FSUSE_XATTR = SECURITY_FS_USE_XATTR,
	CIL_FSUSE_TASK = SECURITY_FS_USE_TASK,
	CIL_FSUSE_TRANS = SECURITY_FS_USE_TRANS
};
821 
/* `fsuse` statement: how filesystem fs_str is labelled, and the default
 * context used for it. */
struct cil_fsuse {
	enum cil_fsuse_types type;
	char *fs_str;
	char *context_str;
	struct cil_context *context;
};
828 
/* Space-separated vocabularies accepted inside constraint expressions.  They
 * are plain strings here; how they are matched (whole-word vs substring)
 * is decided by the code that uses them, not visible in this header.
 * CIL_MLSCONSTRAIN_KEYS is formed by adjacent-literal concatenation, so the
 * two pieces join with no separator between "h2" and "t1" — keep that in mind
 * if the matching code splits on whitespace. */
#define CIL_MLS_LEVELS "l1 l2 h1 h2"
#define CIL_CONSTRAIN_KEYS "t1 t2 r1 r2 u1 u2"
#define CIL_MLSCONSTRAIN_KEYS CIL_MLS_LEVELS CIL_CONSTRAIN_KEYS
#define CIL_CONSTRAIN_OPER "== != eq dom domby incomp not and or"
/* `constrain` / `mlsconstrain` statement: the class/permission pairs the
 * constraint applies to and the expression, as written (str_expr) and as
 * resolved (datum_expr). */
struct cil_constrain {
	struct cil_list *classperms;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};
838 
/* `validatetrans` / `mlsvalidatetrans` statement: a constraint on context
 * transitions for one class, as written (str_expr) and as resolved
 * (datum_expr). */
struct cil_validatetrans {
	char *class_str;
	struct cil_class *class;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};
845 
/* One formal parameter of a macro: its name and the flavor of argument it
 * accepts. */
struct cil_param {
	char *str;
	enum cil_flavor flavor;
};
850 
/* `macro` declaration: a named scope with its own symtab array
 * (CIL_SYM_ARRAY_MACRO row) and a list of cil_param.  Its body is the AST
 * subtree under the declaring node, not stored here. */
struct cil_macro {
	struct cil_symtab_datum datum;
	symtab_t symtab[CIL_SYM_NUM];
	struct cil_list *params;
};
856 
/* One actual argument of a macro call, paired with the parameter it binds
 * to (param_str) and the flavor expected there; `arg` is the resolved datum. */
struct cil_args {
	char *arg_str;
	struct cil_symtab_datum *arg;
	char *param_str;
	enum cil_flavor flavor;
};
863 
/* `call` statement: args_tree is the argument list as parsed, args the
 * list of cil_args built from it.  `copied` is presumably set once the macro
 * body has been copied under the call (see CIL_PASS_CALL1/CALL2) — confirm. */
struct cil_call {
	char *macro_str;
	struct cil_macro *macro;
	struct cil_tree *args_tree;
	struct cil_list *args;
	int copied;
};
871 
/* Boolean values used by the int/uint16_t flag fields in this header. */
#define CIL_TRUE	1
#define CIL_FALSE	0
874 
/* One branch (true or false) of a booleanif/tunableif: a scope with its own
 * symtab array (CIL_SYM_ARRAY_CONDBLOCK row); flavor says which branch. */
struct cil_condblock {
	enum cil_flavor flavor;
	symtab_t symtab[CIL_SYM_NUM];
};
879 
/* `booleanif` statement: a conditional on booleans, kept as written
 * (str_expr) and resolved (datum_expr).  preserved_tunable presumably marks a
 * tunableif that was kept as a runtime conditional because of
 * cil_db.preserve_tunables — confirm. */
struct cil_booleanif {
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
	int preserved_tunable;
};
885 
/* `tunableif` statement: a compile-time conditional on tunables, as written
 * (str_expr) and resolved (datum_expr).  Handled in CIL_PASS_TIF. */
struct cil_tunableif {
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};
890 
/* `policycap` declaration: just a name in the CIL_SYM_POLICYCAPS symtab. */
struct cil_policycap {
	struct cil_symtab_datum datum;
};
894 
/* `userbounds` / `rolebounds` / `typebounds` statement: only names are kept;
 * resolution fills the `bounds` pointer of the child datum (presumably). */
struct cil_bounds {
	char *parent_str;
	char *child_str;
};
899 
/* Ensure that CIL uses the same values as sepol policydb.h */
/* Which side of an operation supplies the default user/role/type. */
enum cil_default_object {
	CIL_DEFAULT_SOURCE = DEFAULT_SOURCE,
	CIL_DEFAULT_TARGET = DEFAULT_TARGET,
};
905 
/* Default labeling behavior for users, roles, and types */
/* `defaultuser` / `defaultrole` / `defaulttype` statement; flavor tells which
 * of the three it is, and it applies to every class in class_strs. */
struct cil_default {
	enum cil_flavor flavor;
	struct cil_list *class_strs;
	struct cil_list *class_datums;
	enum cil_default_object object;
};
913 
/* Ensure that CIL uses the same values as sepol policydb.h */
/* Which side, and which end of its range, supplies the default MLS range. */
enum cil_default_object_range {
	CIL_DEFAULT_SOURCE_LOW      = DEFAULT_SOURCE_LOW,
	CIL_DEFAULT_SOURCE_HIGH     = DEFAULT_SOURCE_HIGH,
	CIL_DEFAULT_SOURCE_LOW_HIGH = DEFAULT_SOURCE_LOW_HIGH,
	CIL_DEFAULT_TARGET_LOW      = DEFAULT_TARGET_LOW,
	CIL_DEFAULT_TARGET_HIGH     = DEFAULT_TARGET_HIGH,
	CIL_DEFAULT_TARGET_LOW_HIGH = DEFAULT_TARGET_LOW_HIGH,
};
923 
/* Default labeling behavior for range */
/* `defaultrange` statement: applies object_range to every class in
 * class_strs (class_datums once resolved). */
struct cil_defaultrange {
	struct cil_list *class_strs;
	struct cil_list *class_datums;
	enum cil_default_object_range object_range;
};
930 
/* `handleunknown` statement: what the kernel does with permissions it does not
 * know (allow / deny / reject, per the CIL_KEY_HANDLEUNKNOWN_* keywords).
 * The encoding of handle_unknown is not visible here; it presumably feeds
 * cil_db.handle_unknown.  Security-relevant: "allow" silently permits
 * unknown classes and permissions. */
struct cil_handleunknown {
	int handle_unknown;
};
934 
/* `mls` statement: whether the policy is MLS; presumably copied into
 * cil_db.mls. */
struct cil_mls {
	int value;
};
938 
/* Source-location marker (CIL_KEY_SRC_INFO): the file a subtree came from and
 * whether it was CIL (is_cil) or a high-level language (CIL_KEY_SRC_HLL). */
struct cil_src_info {
	int is_cil;
	char *path;
};
943 
/* Database lifecycle.  cil_db_init fills in *db; cil_db_destroy takes the same
 * double pointer and so is presumably free to reset *db — confirm before
 * reusing the pointer after destroy. */
void cil_db_init(struct cil_db **db);
void cil_db_destroy(struct cil_db **db);

/* Root-scope lifecycle.  NOTE(review): cil_root_destroy takes a single
 * pointer, unlike every other *_destroy declared here, so the caller's
 * pointer is left dangling unless the caller clears it. */
void cil_root_init(struct cil_root **root);
void cil_root_destroy(struct cil_root *root);

/* Frees *data, presumably dispatching on flavor to the matching struct — the
 * flavor must be the one the object was created with. */
void cil_destroy_data(void **data, enum cil_flavor flavor);

/* Maps a flavor to the symtab slot it is stored in (via *index).  The int
 * result is a status; its values are not visible here. */
int cil_flavor_to_symtab_index(enum cil_flavor flavor, enum cil_sym_index *index);
/* Human-readable name of an AST node.  The result is const, so presumably
 * static storage that the caller must not free — confirm. */
const char * cil_node_to_string(struct cil_tree_node *node);

/* Render the collected userprefix / selinuxuser / filecon statements as text,
 * returned through *out with its length in *size.  Ownership of *out (whether
 * the caller frees it) is not stated here — confirm before adding callers.
 * The int result is a status. */
int cil_userprefixes_to_string(struct cil_db *db, char **out, size_t *size);
int cil_selinuxusers_to_string(struct cil_db *db, char **out, size_t *size);
int cil_filecons_to_string(struct cil_db *db, char **out, size_t *size);

/* Symtab-array helpers for the scope structs.  symtab_sizes has the type of
 * one row of cil_sym_sizes (int[CIL_SYM_NUM]), i.e. pass
 * cil_sym_sizes[CIL_SYM_ARRAY_*] for the scope being initialised.
 * cil_get_symtab looks up, via *symtab, the table for sym_index in scope at
 * ast_node; the int result is a status. */
void cil_symtab_array_init(symtab_t symtab[], int symtab_sizes[CIL_SYM_NUM]);
void cil_symtab_array_destroy(symtab_t symtab[]);
void cil_destroy_ast_symtabs(struct cil_tree_node *root);
int cil_get_symtab(struct cil_tree_node *ast_node, symtab_t **symtab, enum cil_sym_index sym_index);

/* Constructors.  Each *_init returns a fresh object through the double
 * pointer (allocation presumably goes through the cil_mem.h helpers — not
 * visible here).  cil_sort_destroy is the only matching destructor declared
 * in this header; the other objects are presumably released through
 * cil_destroy_data() with their flavor. */
void cil_sort_init(struct cil_sort **sort);
void cil_sort_destroy(struct cil_sort **sort);
void cil_netifcon_init(struct cil_netifcon **netifcon);
void cil_context_init(struct cil_context **context);
void cil_level_init(struct cil_level **level);
void cil_levelrange_init(struct cil_levelrange **lvlrange);
void cil_sens_init(struct cil_sens **sens);
void cil_block_init(struct cil_block **block);
void cil_blockinherit_init(struct cil_blockinherit **inherit);
void cil_blockabstract_init(struct cil_blockabstract **abstract);
void cil_in_init(struct cil_in **in);
void cil_class_init(struct cil_class **class);
void cil_classorder_init(struct cil_classorder **classorder);
void cil_classcommon_init(struct cil_classcommon **classcommon);
void cil_sid_init(struct cil_sid **sid);
void cil_sidcontext_init(struct cil_sidcontext **sidcontext);
void cil_sidorder_init(struct cil_sidorder **sidorder);
void cil_userrole_init(struct cil_userrole **userrole);
void cil_userprefix_init(struct cil_userprefix **userprefix);
void cil_selinuxuser_init(struct cil_selinuxuser **selinuxuser);
void cil_roleattribute_init(struct cil_roleattribute **attribute);
void cil_roleattributeset_init(struct cil_roleattributeset **attrset);
void cil_roletype_init(struct cil_roletype **roletype);
void cil_typeattribute_init(struct cil_typeattribute **attribute);
void cil_typeattributeset_init(struct cil_typeattributeset **attrset);
void cil_expandtypeattribute_init(struct cil_expandtypeattribute **expandattr);
void cil_alias_init(struct cil_alias **alias);
void cil_aliasactual_init(struct cil_aliasactual **aliasactual);
void cil_typepermissive_init(struct cil_typepermissive **typeperm);
void cil_name_init(struct cil_name **name);
void cil_nametypetransition_init(struct cil_nametypetransition **nametypetrans);
void cil_rangetransition_init(struct cil_rangetransition **rangetrans);
void cil_bool_init(struct cil_bool **cilbool);
void cil_boolif_init(struct cil_booleanif **bif);
void cil_condblock_init(struct cil_condblock **cb);
void cil_tunable_init(struct cil_tunable **ciltun);
void cil_tunif_init(struct cil_tunableif **tif);
void cil_avrule_init(struct cil_avrule **avrule);
void cil_permissionx_init(struct cil_permissionx **permx);
void cil_type_rule_init(struct cil_type_rule **type_rule);
void cil_roletransition_init(struct cil_roletransition **roletrans);
void cil_roleallow_init(struct cil_roleallow **role_allow);
void cil_catset_init(struct cil_catset **catset);
void cil_cats_init(struct cil_cats **cats);
void cil_senscat_init(struct cil_senscat **senscat);
void cil_filecon_init(struct cil_filecon **filecon);
void cil_portcon_init(struct cil_portcon **portcon);
void cil_nodecon_init(struct cil_nodecon **nodecon);
void cil_genfscon_init(struct cil_genfscon **genfscon);
void cil_pirqcon_init(struct cil_pirqcon **pirqcon);
void cil_iomemcon_init(struct cil_iomemcon **iomemcon);
void cil_ioportcon_init(struct cil_ioportcon **ioportcon);
void cil_pcidevicecon_init(struct cil_pcidevicecon **pcidevicecon);
void cil_devicetreecon_init(struct cil_devicetreecon **devicetreecon);
void cil_fsuse_init(struct cil_fsuse **fsuse);
void cil_constrain_init(struct cil_constrain **constrain);
void cil_validatetrans_init(struct cil_validatetrans **validtrans);
void cil_ipaddr_init(struct cil_ipaddr **ipaddr);
void cil_perm_init(struct cil_perm **perm);
void cil_classpermission_init(struct cil_classpermission **cp);
void cil_classpermissionset_init(struct cil_classpermissionset **cps);
void cil_classperms_set_init(struct cil_classperms_set **cp_set);
void cil_classperms_init(struct cil_classperms **cp);
void cil_classmapping_init(struct cil_classmapping **mapping);
void cil_user_init(struct cil_user **user);
void cil_userlevel_init(struct cil_userlevel **usrlvl);
void cil_userrange_init(struct cil_userrange **userrange);
void cil_role_init(struct cil_role **role);
void cil_type_init(struct cil_type **type);
void cil_cat_init(struct cil_cat **cat);
void cil_catorder_init(struct cil_catorder **catorder);
void cil_sensorder_init(struct cil_sensorder **sensorder);
void cil_args_init(struct cil_args **args);
void cil_call_init(struct cil_call **call);
void cil_optional_init(struct cil_optional **optional);
void cil_param_init(struct cil_param **param);
void cil_macro_init(struct cil_macro **macro);
void cil_policycap_init(struct cil_policycap **policycap);
void cil_bounds_init(struct cil_bounds **bounds);
void cil_default_init(struct cil_default **def);
void cil_defaultrange_init(struct cil_defaultrange **def);
void cil_handleunknown_init(struct cil_handleunknown **unk);
void cil_mls_init(struct cil_mls **mls);
void cil_src_info_init(struct cil_src_info **info);
void cil_userattribute_init(struct cil_userattribute **attribute);
void cil_userattributeset_init(struct cil_userattributeset **attrset);
1050 
1051 #endif
1052