1 /*
2  * Copyright 2011 Tresys Technology, LLC. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions are met:
6  *
7  *    1. Redistributions of source code must retain the above copyright notice,
8  *       this list of conditions and the following disclaimer.
9  *
10  *    2. Redistributions in binary form must reproduce the above copyright notice,
11  *       this list of conditions and the following disclaimer in the documentation
12  *       and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY TRESYS TECHNOLOGY, LLC ``AS IS'' AND ANY EXPRESS
15  * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
16  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
17  * EVENT SHALL TRESYS TECHNOLOGY, LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
18  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
19  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
21  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
22  * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
23  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  *
25  * The views and conclusions contained in the software and documentation are those
26  * of the authors and should not be interpreted as representing official policies,
27  * either expressed or implied, of Tresys Technology, LLC.
28  */
29 
30 #ifndef CIL_INTERNAL_H_
31 #define CIL_INTERNAL_H_
32 
33 #include <stdlib.h>
34 #include <stdio.h>
35 #include <stdint.h>
36 #include <arpa/inet.h>
37 
38 #include <sepol/policydb/services.h>
39 #include <sepol/policydb/policydb.h>
40 #include <sepol/policydb/flask_types.h>
41 
42 #include <cil/cil.h>
43 
44 #include "cil_flavor.h"
45 #include "cil_tree.h"
46 #include "cil_symtab.h"
47 #include "cil_mem.h"
48 
/* Upper bound on the length of a generated/qualified name. Callers that build
   names into fixed buffers are expected to size them from this constant and
   check for truncation; the enforcement itself lives elsewhere. */
#define CIL_MAX_NAME_LENGTH 2048
50 
51 
/* Ordered list of the resolution passes run over the AST.
   CIL_PASS_INIT is 0 and CIL_PASS_NUM is the last enumerator, so it equals the
   number of passes listed before it and can be used as a loop bound. What each
   pass does is defined in the resolver, not in this header. */
enum cil_pass {
	CIL_PASS_INIT = 0,

	CIL_PASS_TIF,
	CIL_PASS_IN,
	CIL_PASS_BLKIN_LINK,
	CIL_PASS_BLKIN_COPY,
	CIL_PASS_BLKABS,
	CIL_PASS_MACRO,
	CIL_PASS_CALL1,
	CIL_PASS_CALL2,
	CIL_PASS_ALIAS1,
	CIL_PASS_ALIAS2,
	CIL_PASS_MISC1,
	CIL_PASS_MLS,
	CIL_PASS_MISC2,
	CIL_PASS_MISC3,

	CIL_PASS_NUM	/* count sentinel, not a pass */
};
72 
73 
74 /*
75 	Keywords
76 */
/* Keyword strings recognised by the parser and resolver. They are declared
   here and defined in another translation unit that is not visible from this
   header. They are non-const char * even though nothing here should ever
   write through them; treat them as read-only. NOTE(review): the rest of the
   compiler presumably compares against these by pointer after interning
   rather than by strcmp — confirm before relying on either form. */
extern char *CIL_KEY_CONS_T1;
extern char *CIL_KEY_CONS_T2;
extern char *CIL_KEY_CONS_T3;
extern char *CIL_KEY_CONS_R1;
extern char *CIL_KEY_CONS_R2;
extern char *CIL_KEY_CONS_R3;
extern char *CIL_KEY_CONS_U1;
extern char *CIL_KEY_CONS_U2;
extern char *CIL_KEY_CONS_U3;
extern char *CIL_KEY_CONS_L1;
extern char *CIL_KEY_CONS_L2;
extern char *CIL_KEY_CONS_H1;
extern char *CIL_KEY_CONS_H2;
/* boolean / constraint operators */
extern char *CIL_KEY_AND;
extern char *CIL_KEY_OR;
extern char *CIL_KEY_NOT;
extern char *CIL_KEY_EQ;
extern char *CIL_KEY_NEQ;
extern char *CIL_KEY_CONS_DOM;
extern char *CIL_KEY_CONS_DOMBY;
extern char *CIL_KEY_CONS_INCOMP;
extern char *CIL_KEY_CONDTRUE;
extern char *CIL_KEY_CONDFALSE;
extern char *CIL_KEY_SELF;
extern char *CIL_KEY_OBJECT_R;
extern char *CIL_KEY_STAR;
/* protocol names used by portcon */
extern char *CIL_KEY_TCP;
extern char *CIL_KEY_UDP;
extern char *CIL_KEY_DCCP;
extern char *CIL_KEY_SCTP;
/* statement keywords */
extern char *CIL_KEY_AUDITALLOW;
extern char *CIL_KEY_TUNABLEIF;
extern char *CIL_KEY_ALLOW;
extern char *CIL_KEY_DONTAUDIT;
extern char *CIL_KEY_TYPETRANSITION;
extern char *CIL_KEY_TYPECHANGE;
extern char *CIL_KEY_CALL;
extern char *CIL_KEY_TUNABLE;
extern char *CIL_KEY_XOR;
extern char *CIL_KEY_ALL;
extern char *CIL_KEY_RANGE;
extern char *CIL_KEY_GLOB;
/* file types accepted by filecon */
extern char *CIL_KEY_FILE;
extern char *CIL_KEY_DIR;
extern char *CIL_KEY_CHAR;
extern char *CIL_KEY_BLOCK;
extern char *CIL_KEY_SOCKET;
extern char *CIL_KEY_PIPE;
extern char *CIL_KEY_SYMLINK;
extern char *CIL_KEY_ANY;
/* fsuse behaviours */
extern char *CIL_KEY_XATTR;
extern char *CIL_KEY_TASK;
extern char *CIL_KEY_TRANS;
extern char *CIL_KEY_TYPE;
extern char *CIL_KEY_ROLE;
extern char *CIL_KEY_USER;
extern char *CIL_KEY_USERATTRIBUTE;
extern char *CIL_KEY_USERATTRIBUTESET;
extern char *CIL_KEY_SENSITIVITY;
extern char *CIL_KEY_CATEGORY;
extern char *CIL_KEY_CATSET;
extern char *CIL_KEY_LEVEL;
extern char *CIL_KEY_LEVELRANGE;
extern char *CIL_KEY_CLASS;
extern char *CIL_KEY_IPADDR;
extern char *CIL_KEY_MAP_CLASS;
extern char *CIL_KEY_CLASSPERMISSION;
extern char *CIL_KEY_BOOL;
extern char *CIL_KEY_STRING;
extern char *CIL_KEY_NAME;
extern char *CIL_KEY_SOURCE;
extern char *CIL_KEY_TARGET;
extern char *CIL_KEY_LOW;
extern char *CIL_KEY_HIGH;
extern char *CIL_KEY_LOW_HIGH;
extern char *CIL_KEY_GLBLUB;
/* handleunknown and its three permitted arguments */
extern char *CIL_KEY_HANDLEUNKNOWN;
extern char *CIL_KEY_HANDLEUNKNOWN_ALLOW;
extern char *CIL_KEY_HANDLEUNKNOWN_DENY;
extern char *CIL_KEY_HANDLEUNKNOWN_REJECT;
extern char *CIL_KEY_MACRO;
extern char *CIL_KEY_IN;
extern char *CIL_KEY_MLS;
extern char *CIL_KEY_DEFAULTRANGE;
extern char *CIL_KEY_BLOCKINHERIT;
extern char *CIL_KEY_BLOCKABSTRACT;
extern char *CIL_KEY_CLASSORDER;
extern char *CIL_KEY_CLASSMAPPING;
extern char *CIL_KEY_CLASSPERMISSIONSET;
extern char *CIL_KEY_COMMON;
extern char *CIL_KEY_CLASSCOMMON;
extern char *CIL_KEY_SID;
extern char *CIL_KEY_SIDCONTEXT;
extern char *CIL_KEY_SIDORDER;
extern char *CIL_KEY_USERLEVEL;
extern char *CIL_KEY_USERRANGE;
extern char *CIL_KEY_USERBOUNDS;
extern char *CIL_KEY_USERPREFIX;
extern char *CIL_KEY_SELINUXUSER;
extern char *CIL_KEY_SELINUXUSERDEFAULT;
extern char *CIL_KEY_TYPEATTRIBUTE;
extern char *CIL_KEY_TYPEATTRIBUTESET;
extern char *CIL_KEY_EXPANDTYPEATTRIBUTE;
extern char *CIL_KEY_TYPEALIAS;
extern char *CIL_KEY_TYPEALIASACTUAL;
extern char *CIL_KEY_TYPEBOUNDS;
extern char *CIL_KEY_TYPEPERMISSIVE;
extern char *CIL_KEY_RANGETRANSITION;
extern char *CIL_KEY_USERROLE;
extern char *CIL_KEY_ROLETYPE;
extern char *CIL_KEY_ROLETRANSITION;
extern char *CIL_KEY_ROLEALLOW;
extern char *CIL_KEY_ROLEATTRIBUTE;
extern char *CIL_KEY_ROLEATTRIBUTESET;
extern char *CIL_KEY_ROLEBOUNDS;
extern char *CIL_KEY_BOOLEANIF;
extern char *CIL_KEY_NEVERALLOW;
extern char *CIL_KEY_TYPEMEMBER;
extern char *CIL_KEY_SENSALIAS;
extern char *CIL_KEY_SENSALIASACTUAL;
extern char *CIL_KEY_CATALIAS;
extern char *CIL_KEY_CATALIASACTUAL;
extern char *CIL_KEY_CATORDER;
extern char *CIL_KEY_SENSITIVITYORDER;
extern char *CIL_KEY_SENSCAT;
extern char *CIL_KEY_CONSTRAIN;
extern char *CIL_KEY_MLSCONSTRAIN;
extern char *CIL_KEY_VALIDATETRANS;
extern char *CIL_KEY_MLSVALIDATETRANS;
extern char *CIL_KEY_CONTEXT;
/* labeling-statement keywords (the *con family) */
extern char *CIL_KEY_FILECON;
extern char *CIL_KEY_IBPKEYCON;
extern char *CIL_KEY_IBENDPORTCON;
extern char *CIL_KEY_PORTCON;
extern char *CIL_KEY_NODECON;
extern char *CIL_KEY_GENFSCON;
extern char *CIL_KEY_NETIFCON;
extern char *CIL_KEY_PIRQCON;
extern char *CIL_KEY_IOMEMCON;
extern char *CIL_KEY_IOPORTCON;
extern char *CIL_KEY_PCIDEVICECON;
extern char *CIL_KEY_DEVICETREECON;
extern char *CIL_KEY_FSUSE;
extern char *CIL_KEY_POLICYCAP;
extern char *CIL_KEY_OPTIONAL;
extern char *CIL_KEY_DEFAULTUSER;
extern char *CIL_KEY_DEFAULTROLE;
extern char *CIL_KEY_DEFAULTTYPE;
extern char *CIL_KEY_ROOT;
extern char *CIL_KEY_NODE;
extern char *CIL_KEY_PERM;
/* extended (ioctl) permission rules */
extern char *CIL_KEY_ALLOWX;
extern char *CIL_KEY_AUDITALLOWX;
extern char *CIL_KEY_DONTAUDITX;
extern char *CIL_KEY_NEVERALLOWX;
extern char *CIL_KEY_PERMISSIONX;
extern char *CIL_KEY_IOCTL;
extern char *CIL_KEY_UNORDERED;
/* source-location annotations emitted by the HLL front ends */
extern char *CIL_KEY_SRC_INFO;
extern char *CIL_KEY_SRC_CIL;
extern char *CIL_KEY_SRC_HLL;
238 
239 /*
240 	Symbol Table Array Indices
241 */
/* Index of each namespace inside a symtab_t[CIL_SYM_NUM] array (see
   struct cil_root, cil_block, cil_in, cil_macro and cil_condblock below).
   Only values below CIL_SYM_NUM are valid array indices: CIL_SYM_UNKNOWN and
   CIL_SYM_PERMS sit after the count sentinel, so using either to index one of
   those arrays would read past its end. Code that maps a flavor to an index
   (cil_flavor_to_symtab_index) must therefore be range-checked by its callers. */
enum cil_sym_index {
	CIL_SYM_BLOCKS = 0,
	CIL_SYM_USERS,
	CIL_SYM_ROLES,
	CIL_SYM_TYPES,
	CIL_SYM_COMMONS,
	CIL_SYM_CLASSES,
	CIL_SYM_CLASSPERMSETS,
	CIL_SYM_BOOLS,
	CIL_SYM_TUNABLES,
	CIL_SYM_SENS,
	CIL_SYM_CATS,
	CIL_SYM_SIDS,
	CIL_SYM_CONTEXTS,
	CIL_SYM_LEVELS,
	CIL_SYM_LEVELRANGES,
	CIL_SYM_POLICYCAPS,
	CIL_SYM_IPADDRS,
	CIL_SYM_NAMES,
	CIL_SYM_PERMX,
	CIL_SYM_NUM,	/* count sentinel; sizes every symtab array in this header */
	CIL_SYM_UNKNOWN,	/* not a valid array index */
	CIL_SYM_PERMS	/* Special case for permissions. This symtab is not included in arrays
			   (it lives in struct cil_class::perms); not a valid array index either */
};
266 
/* Kinds of scope that own a symtab array; used as the first index of
   cil_sym_sizes to pick a per-scope table of initial symtab sizes. */
enum cil_sym_array {
	CIL_SYM_ARRAY_ROOT = 0,
	CIL_SYM_ARRAY_BLOCK,
	CIL_SYM_ARRAY_IN,
	CIL_SYM_ARRAY_MACRO,
	CIL_SYM_ARRAY_CONDBLOCK,
	CIL_SYM_ARRAY_NUM	/* count sentinel */
};
275 
/* Initial hash-table size for each (scope kind, namespace) pair; the table
   itself is defined in another translation unit. Passed to
   cil_symtab_array_init one row at a time. */
extern int cil_sym_sizes[CIL_SYM_ARRAY_NUM][CIL_SYM_NUM];

/* Initial size of a class's permission symtab (struct cil_class::perms). */
#define CIL_CLASS_SYM_SIZE	256
/* Number of permission bits a class can carry: one per bit of the sepol
   access vector (assumes 8-bit bytes, which is true everywhere sepol runs). */
#define CIL_PERMS_PER_CLASS (sizeof(sepol_access_vector_t) * 8)
280 
/* Top-level compiler state: the parse tree, the AST built from it, the
   ordering lists and sorted labeling tables produced by resolution, and the
   per-compile options. Created by cil_db_init and released by
   cil_db_destroy. Ownership of the pointed-to objects is not stated here;
   assume the db owns everything it points to unless cil.c says otherwise. */
struct cil_db {
	struct cil_tree *parse;	/* raw parse tree */
	struct cil_tree *ast;	/* abstract syntax tree built from parse */
	struct cil_type *selftype;	/* the "self" pseudo-type (CIL_KEY_SELF) */
	/* ordering statements collected from the policy */
	struct cil_list *sidorder;
	struct cil_list *classorder;
	struct cil_list *catorder;
	struct cil_list *sensitivityorder;
	/* sorted tables of labeling statements, one per *con statement kind */
	struct cil_sort *netifcon;
	struct cil_sort *genfscon;
	struct cil_sort *filecon;
	struct cil_sort *nodecon;
	struct cil_sort *ibpkeycon;
	struct cil_sort *ibendportcon;
	struct cil_sort *portcon;
	struct cil_sort *pirqcon;
	struct cil_sort *iomemcon;
	struct cil_sort *ioportcon;
	struct cil_sort *pcidevicecon;
	struct cil_sort *devicetreecon;
	struct cil_sort *fsuse;
	struct cil_list *userprefixes;
	struct cil_list *selinuxusers;
	struct cil_list *names;
	/* counts assigned during resolution; they size the val_to_* arrays below */
	int num_types_and_attrs;
	int num_classes;
	int num_cats;
	int num_types;
	int num_roles;
	int num_users;
	/* value -> datum lookup tables, indexed by the datum's ->value */
	struct cil_type **val_to_type;
	struct cil_role **val_to_role;
	struct cil_user **val_to_user;
	/* compile options. NOTE(review): the names suggest that disable_neverallow
	   skips neverallow checking and disable_dontaudit drops dontaudit rules;
	   both weaken the resulting policy's guarantees, so confirm the exact
	   effect in the resolver/binary writer before changing defaults. */
	int disable_dontaudit;
	int disable_neverallow;
	int attrs_expand_generated;
	unsigned attrs_expand_size;
	int preserve_tunables;
	int handle_unknown;	/* sepol handle-unknown setting (allow/deny/reject) */
	int mls;	/* non-zero when the policy is MLS */
	int multiple_decls;
	int target_platform;
	int policy_version;
};
325 
/* Payload of the AST root node: the global namespace's symbol tables,
   one per cil_sym_index value below CIL_SYM_NUM. */
struct cil_root {
	symtab_t symtab[CIL_SYM_NUM];
};
329 
/* Growable array of pointers to statements of one flavor (used for the
   *con tables in struct cil_db). NOTE(review): the relationship between
   count and index (capacity vs. fill, or fill vs. cursor) is not visible
   here — confirm in the sort code before indexing into array. */
struct cil_sort {
	enum cil_flavor flavor;	/* flavor of every element in array */
	uint32_t count;
	uint32_t index;
	void **array;
};
336 
/* A named block: its own symbol tables (a nested namespace) plus the
   nodes that inherit from it. */
struct cil_block {
	struct cil_symtab_datum datum;	/* must stay first: looked up by datum */
	symtab_t symtab[CIL_SYM_NUM];
	uint16_t is_abstract;	/* set by blockabstract; abstract blocks are templates only */
	struct cil_list *bi_nodes;	/* blockinherit nodes that reference this block */
};
343 
/* blockinherit statement: the inherited block's name as written and the
   block it resolves to (presumably filled in during CIL_PASS_BLKIN_LINK). */
struct cil_blockinherit {
	char *block_str;
	struct cil_block *block;
};
348 
/* blockabstract statement: names the block to mark abstract. */
struct cil_blockabstract {
	char *block_str;
};
352 
/* "in" statement: declarations to be inserted into the named block.
   Carries its own symtab array until the contents are moved. */
struct cil_in {
	symtab_t symtab[CIL_SYM_NUM];
	char *block_str;	/* target block name as written */
};
357 
/* optional block; enabled is cleared when something inside fails to resolve
   (the disabling logic lives in the resolver). */
struct cil_optional {
	struct cil_symtab_datum datum;
	int enabled;
};
362 
/* A single permission inside a class's perms symtab. */
struct cil_perm {
	struct cil_symtab_datum datum;
	unsigned int value;	/* bit position within the class's access vector */
	struct cil_list *classperms; /* Only used for map perms */
};
368 
/* A kernel object class, a common, or a map class; the three share this
   layout and are distinguished by the node's flavor. */
struct cil_class {
	struct cil_symtab_datum datum;
	symtab_t perms;	/* CIL_SYM_PERMS table; initial size CIL_CLASS_SYM_SIZE */
	unsigned int num_perms;	/* bounded by CIL_PERMS_PER_CLASS for kernel classes — enforced elsewhere */
	struct cil_class *common; /* Only used for kernel class */
	uint32_t ordered; /* Only used for kernel class */
};
376 
/* classorder statement: class names in the order they should be numbered. */
struct cil_classorder {
	struct cil_list *class_list_str;
};
380 
/* Reference to a named classpermission from inside a classperms list. */
struct cil_classperms_set {
	char *set_str;
	struct cil_classpermission *set;	/* resolved from set_str */
};
385 
/* One (class permission...) pair: the class and its permissions, both as
   written and as resolved data. */
struct cil_classperms {
	char *class_str;
	struct cil_class *class;
	struct cil_list *perm_strs;
	struct cil_list *perms;	/* resolved struct cil_perm entries, presumably */
};
392 
/* Named, reusable set of classperms (the classpermission statement). */
struct cil_classpermission {
	struct cil_symtab_datum datum;
	struct cil_list *classperms;
};
397 
/* classpermissionset statement: adds classperms to the named classpermission. */
struct cil_classpermissionset {
	char *set_str;
	struct cil_list *classperms;
};
402 
/* classmapping statement: maps one permission of a map class onto a list
   of kernel classperms. */
struct cil_classmapping {
	char *map_class_str;
	char *map_perm_str;
	struct cil_list *classperms;
};
408 
/* classcommon statement: attaches a common to a class, both by name. */
struct cil_classcommon {
	char *class_str;
	char *common_str;
};
413 
/* Alias of a type, sensitivity or category; actual is untyped because the
   same struct serves all three — the node's flavor says which. */
struct cil_alias {
	struct cil_symtab_datum datum;
	void *actual;
};
418 
/* *aliasactual statement: binds an alias name to the thing it aliases. */
struct cil_aliasactual {
	char *alias_str;
	char *actual_str;
};
423 
/* Initial SID declaration; context is attached by sidcontext and the
   number by sidorder. */
struct cil_sid {
	struct cil_symtab_datum datum;
	struct cil_context *context;
	uint32_t ordered;
};
429 
/* sidcontext statement: a SID name and either a named context (context_str)
   or an anonymous one (context). */
struct cil_sidcontext {
	char *sid_str;
	char *context_str;
	struct cil_context *context;
};
435 
/* sidorder statement: SID names in numbering order. */
struct cil_sidorder {
	struct cil_list *sid_list_str;
};
439 
/* SELinux user. roles is a bitmap over role values; dftlevel and range are
   set by userlevel/userrange and must lie within the MLS policy for the
   user to be valid (checked elsewhere). */
struct cil_user {
	struct cil_symtab_datum datum;
	struct cil_user *bounds;	/* bounding user, from userbounds */
	ebitmap_t *roles;
	struct cil_level *dftlevel;
	struct cil_levelrange *range;
	int value;	/* index into cil_db::val_to_user */
};
448 
/* User attribute: its defining expressions and the users they evaluate to. */
struct cil_userattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *users;	/* bitmap over user values */
};
454 
/* userattributeset statement: an expression (string and resolved forms)
   added to the named attribute. */
struct cil_userattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};
460 
/* userrole statement. user and role are void * because either side may
   resolve to an attribute rather than a single user/role. */
struct cil_userrole {
	char *user_str;
	void *user;
	char *role_str;
	void *role;
};
467 
/* userlevel statement: default level for a user, named or anonymous. */
struct cil_userlevel {
	char *user_str;
	char *level_str;
	struct cil_level *level;
};
473 
/* userrange statement: allowed MLS range for a user, named or anonymous. */
struct cil_userrange {
	char *user_str;
	char *range_str;
	struct cil_levelrange *range;
};
479 
/* userprefix statement; serialised by cil_userprefixes_to_string. */
struct cil_userprefix {
	char *user_str;
	struct cil_user *user;
	char *prefix_str;
};
485 
/* selinuxuser / selinuxuserdefault statement (seusers mapping);
   serialised by cil_selinuxusers_to_string. */
struct cil_selinuxuser {
	char *name_str;	/* Linux user name or "__default__" */
	char *user_str;
	struct cil_user *user;
	char *range_str;
	struct cil_levelrange *range;
};
493 
/* Role. types is a bitmap over type values authorised by roletype. */
struct cil_role {
	struct cil_symtab_datum datum;
	struct cil_role *bounds;	/* bounding role, from rolebounds */
	ebitmap_t *types;
	int value;	/* index into cil_db::val_to_role */
};
500 
/* Role attribute: defining expressions and the roles they evaluate to. */
struct cil_roleattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *roles;	/* bitmap over role values */
};
506 
/* roleattributeset statement: an expression added to the named attribute. */
struct cil_roleattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};
512 
/* roletype statement: authorises a role (or role attribute) for a type
   (or type alias/attribute). */
struct cil_roletype {
	char *role_str;
	void *role; /* role or attribute */
	char *type_str;
	void *type; /* type, alias, or attribute */
};
519 
/* Type. */
struct cil_type	{
	struct cil_symtab_datum datum;
	struct cil_type *bounds;	/* bounding type, from typebounds */
	int value;	/* index into cil_db::val_to_type */
};
525 
/* Bit flags recording where a type attribute is referenced; presumably
   OR-ed into struct cil_typeattribute::used (confirm in the resolver). */
#define CIL_ATTR_AVRULE		(1 << 0)	/* used in an access-vector rule */
#define CIL_ATTR_NEVERALLOW	(1 << 1)	/* used in a neverallow */
#define CIL_ATTR_CONSTRAINT	(1 << 2)	/* used in a constraint */
#define CIL_ATTR_EXPAND_TRUE	(1 << 3)	/* expandtypeattribute ... true */
#define CIL_ATTR_EXPAND_FALSE	(1 << 4)	/* expandtypeattribute ... false */
/* Type attribute: defining expressions, the types they evaluate to, and
   bookkeeping that decides whether the attribute survives into the binary. */
struct cil_typeattribute {
	struct cil_symtab_datum datum;
	struct cil_list *expr_list;
	ebitmap_t *types;	/* bitmap over type values */
	int used;	// whether or not this attribute was used in a binary policy rule
	int keep;	/* non-zero when the attribute must be emitted even if unused */
};
538 
/* typeattributeset statement: an expression added to the named attribute. */
struct cil_typeattributeset {
	char *attr_str;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};
544 
/* expandtypeattribute statement: forces the listed attributes to be
   expanded (expand != 0) or kept (expand == 0) in the binary. */
struct cil_expandtypeattribute {
	struct cil_list *attr_strs;
	struct cil_list *attr_datums;
	int expand;
};
550 
/* typepermissive statement. Permissive types are not enforced at runtime,
   so additions here deserve review. */
struct cil_typepermissive {
	char *type_str;
	void *type; /* type or alias */
};
555 
/* Interned file name used by typetransition with a name component. */
struct cil_name {
	struct cil_symtab_datum datum;
	char *name_str;
};
560 
/* typetransition with an object-name component: source, target, class,
   file name and resulting type, each as written and as resolved. */
struct cil_nametypetransition {
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *name_str;
	struct cil_name *name;
	char *result_str;
	void *result; /* type or alias */

};
574 
/* rangetransition statement: MLS range assigned when src executes exec
   through class obj. */
struct cil_rangetransition {
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *exec_str;
	void *exec; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *range_str;
	struct cil_levelrange *range;
};
585 
/* Runtime-togglable boolean; value is its default (CIL_TRUE/CIL_FALSE). */
struct cil_bool {
	struct cil_symtab_datum datum;
	uint16_t value;
};
590 
/* Compile-time tunable; value is CIL_TRUE/CIL_FALSE. */
struct cil_tunable {
	struct cil_symtab_datum datum;
	uint16_t value;
};
595 
/* Access-vector rule kinds, stored in struct cil_avrule::rule_kind.
   NOTE(review): CIL_AVRULE_AV is built from sepol's AVRULE_* macros
   (sepol/policydb/policydb.h), not from the CIL_AVRULE_* values defined
   just above; the two sets are presumably numerically identical, but any
   change here must be checked against sepol's definitions. */
#define CIL_AVRULE_ALLOWED     1
#define CIL_AVRULE_AUDITALLOW  2
#define CIL_AVRULE_DONTAUDIT   8
#define CIL_AVRULE_NEVERALLOW 128
#define CIL_AVRULE_AV         (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW)
/* allow/auditallow/dontaudit/neverallow and their extended (allowx ...)
   forms. perms is a union: only one arm is valid, and is_extended is the
   only discriminator available here — read it before touching perms.
   Presumably is_extended != 0 selects perms.x and 0 selects perms.classperms;
   confirm against the code that fills the struct. */
struct cil_avrule {
	int is_extended;
	uint32_t rule_kind;	/* one of CIL_AVRULE_ALLOWED, _AUDITALLOW, _DONTAUDIT, _NEVERALLOW */
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	union {
		struct cil_list *classperms;	/* ordinary rule */
		struct {
			char *permx_str;	/* named permissionx, or NULL for anonymous */
			struct cil_permissionx *permx;
		} x;	/* extended rule */
	} perms;
};
616 
/* The only extended-permission kind defined so far (struct cil_permissionx::kind). */
#define CIL_PERMX_KIND_IOCTL 1
/* Extended permission set: a class plus a bitmap of extended-permission
   values (ioctl numbers for CIL_PERMX_KIND_IOCTL) built from expr_str. */
struct cil_permissionx {
	struct cil_symtab_datum datum;
	uint32_t kind;	/* CIL_PERMX_KIND_* */
	char *obj_str;
	struct cil_class *obj;
	struct cil_list *expr_str;
	ebitmap_t *perms;
};
626 
/* Type-rule kinds, stored in struct cil_type_rule::rule_kind. As with
   CIL_AVRULE_AV above, CIL_AVRULE_TYPE is assembled from sepol's AVRULE_*
   macros rather than the CIL_TYPE_* values here; keep the two in step. */
#define CIL_TYPE_TRANSITION 16
#define CIL_TYPE_MEMBER     32
#define CIL_TYPE_CHANGE     64
#define CIL_AVRULE_TYPE       (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE)
/* typetransition (without a name), typemember and typechange. */
struct cil_type_rule {
	uint32_t rule_kind;	/* CIL_TYPE_TRANSITION, _MEMBER or _CHANGE */
	char *src_str;
	void *src; /* type, alias, or attribute */
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *result_str;
	void *result; /* type or alias */
};
642 
/* roletransition statement: src and result are single roles; tgt may be a
   type attribute. */
struct cil_roletransition {
	char *src_str;
	struct cil_role *src;
	char *tgt_str;
	void *tgt; /* type, alias, or attribute */
	char *obj_str;
	struct cil_class *obj;
	char *result_str;
	struct cil_role *result;
};
653 
/* roleallow statement: permits a transition from src to tgt role. */
struct cil_roleallow {
	char *src_str;
	void *src; /* role or attribute */
	char *tgt_str;
	void *tgt; /* role or attribute */
};
660 
/* MLS sensitivity; cats_list is filled by sensitivitycategory statements. */
struct cil_sens {
	struct cil_symtab_datum datum;
	struct cil_list *cats_list;
	uint32_t ordered;	/* set once sensitivityorder places it */
};
666 
/* sensitivityorder statement. */
struct cil_sensorder {
	struct cil_list *sens_list_str;
};
670 
/* MLS category. */
struct cil_cat {
	struct cil_symtab_datum datum;
	uint32_t ordered;	/* set once catorder places it */
	int value;	/* category number assigned from the order */
};
676 
/* A category expression (set, range, or named catset) in string and
   resolved form; evaluated records whether datum_expr has been expanded. */
struct cil_cats {
	uint32_t evaluated;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};
682 
/* Named category set (categoryset statement). */
struct cil_catset {
	struct cil_symtab_datum datum;
	struct cil_cats *cats;
};
687 
/* categoryorder statement. */
struct cil_catorder {
	struct cil_list *cat_list_str;
};
691 
/* sensitivitycategory statement: categories valid with a sensitivity. */
struct cil_senscat {
	char *sens_str;
	struct cil_cats *cats;
};
696 
/* MLS level: a sensitivity plus an optional category expression. */
struct cil_level {
	struct cil_symtab_datum datum;
	char *sens_str;
	struct cil_sens *sens;
	struct cil_cats *cats;	/* NULL when the level has no categories, presumably */
};
703 
/* MLS range (low - high); each end may be a named level or an anonymous one. */
struct cil_levelrange {
	struct cil_symtab_datum datum;
	char *low_str;
	struct cil_level *low;
	char *high_str;
	struct cil_level *high;
};
711 
/* Security context (user:role:type[:range]). Each component is kept as
   written and as the datum it resolves to. */
struct cil_context {
	struct cil_symtab_datum datum;
	char *user_str;
	struct cil_user *user;
	char *role_str;
	struct cil_role *role;
	char *type_str;
	void *type; /* type or alias */
	char *range_str;
	struct cil_levelrange *range;	/* only meaningful when cil_db::mls is set */
};
723 
/* File type selector of a filecon statement. Starts at 1 so that a
   zero-initialised struct cil_filecon does not read as CIL_FILECON_FILE. */
enum cil_filecon_types {
	CIL_FILECON_FILE = 1,
	CIL_FILECON_DIR,
	CIL_FILECON_CHAR,
	CIL_FILECON_BLOCK,
	CIL_FILECON_SOCKET,
	CIL_FILECON_PIPE,
	CIL_FILECON_SYMLINK,
	CIL_FILECON_ANY
};
734 
/* filecon statement; serialised by cil_filecons_to_string. */
struct cil_filecon {
	char *path_str;	/* path or regex as written; not validated here */
	enum cil_filecon_types type;
	char *context_str;
	struct cil_context *context;
};
741 
/* Transport protocol of a portcon statement; values start at 1 so that
   zero means "unset". Mapping to sepol/kernel protocol numbers is done elsewhere. */
enum cil_protocol {
	CIL_PROTOCOL_UDP = 1,
	CIL_PROTOCOL_TCP,
	CIL_PROTOCOL_DCCP,
	CIL_PROTOCOL_SCTP
};
748 
/* ibpkeycon statement: InfiniBand partition-key range on a subnet prefix.
   The low <= high relation and the 16-bit pkey range are not enforced by
   the type; the parser/verifier must check them. */
struct cil_ibpkeycon {
	char *subnet_prefix_str;
	uint32_t pkey_low;
	uint32_t pkey_high;
	char *context_str;
	struct cil_context *context;
};
756 
/* portcon statement. Ports are stored as uint32_t; the 0..65535 bound and
   port_low <= port_high are checked elsewhere, not by this type. */
struct cil_portcon {
	enum cil_protocol proto;
	uint32_t port_low;
	uint32_t port_high;
	char *context_str;
	struct cil_context *context;
};
764 
/* nodecon statement: address and mask, each a named ipaddr or anonymous. */
struct cil_nodecon {
	char *addr_str;
	struct cil_ipaddr *addr;
	char *mask_str;
	struct cil_ipaddr *mask;
	char *context_str;
	struct cil_context *context;
};
773 
/* IP address. ip is a union; family selects which arm is valid and must
   be checked before reading ip.v4 or ip.v6 (presumably AF_INET / AF_INET6
   — confirm against the code that parses addresses). */
struct cil_ipaddr {
	struct cil_symtab_datum datum;
	int family;
	union {
		struct in_addr v4;
		struct in6_addr v6;
	} ip;
};
782 
/* genfscon statement: labels paths on a filesystem type. */
struct cil_genfscon {
	char *fs_str;
	char *path_str;
	char *context_str;
	struct cil_context *context;
};
789 
/* netifcon statement: an interface context and a packet context.
   NOTE(review): the trailing context_str has no matching resolved pointer
   and its role is not clear from this header — confirm how it differs from
   if_context_str/packet_context_str before using it. */
struct cil_netifcon {
	char *interface_str;
	char *if_context_str;
	struct cil_context *if_context;
	char *packet_context_str;
	struct cil_context *packet_context;
	char *context_str;
};
798 
/* ibendportcon statement: InfiniBand device name and port number. */
struct cil_ibendportcon {
	char *dev_name_str;
	uint32_t port;
	char *context_str;
	struct cil_context *context;
};
/* pirqcon statement (Xen): labels an IRQ. */
struct cil_pirqcon {
	uint32_t pirq;
	char *context_str;
	struct cil_context *context;
};
810 
/* iomemcon statement (Xen): labels a memory range. 64-bit so the full
   physical range fits; low <= high is checked elsewhere. */
struct cil_iomemcon {
	uint64_t iomem_low;
	uint64_t iomem_high;
	char *context_str;
	struct cil_context *context;
};
817 
/* ioportcon statement (Xen): labels an I/O port range. */
struct cil_ioportcon {
	uint32_t ioport_low;
	uint32_t ioport_high;
	char *context_str;
	struct cil_context *context;
};
824 
/* pcidevicecon statement (Xen): labels a PCI device by its packed id. */
struct cil_pcidevicecon {
	uint32_t dev;
	char *context_str;
	struct cil_context *context;
};
830 
/* devicetreecon statement (Xen): labels a device-tree path. */
struct cil_devicetreecon {
	char *path;
	char *context_str;
	struct cil_context *context;
};
836 
837 
838 /* Ensure that CIL uses the same values as sepol services.h */
/* Labeling behaviour of an fsuse statement. Each enumerator is defined as
   the matching SECURITY_FS_USE_* constant from sepol services.h, so the
   value can be written into the binary policy unchanged. */
enum cil_fsuse_types {
	CIL_FSUSE_XATTR = SECURITY_FS_USE_XATTR,
	CIL_FSUSE_TASK = SECURITY_FS_USE_TASK,
	CIL_FSUSE_TRANS = SECURITY_FS_USE_TRANS
};
844 
/* fsuse statement: how files on filesystem type fs_str get their labels. */
struct cil_fsuse {
	enum cil_fsuse_types type;
	char *fs_str;
	char *context_str;
	struct cil_context *context;
};
851 
/* Space-separated vocabularies accepted inside constraint expressions.
   CIL_MLSCONSTRAIN_KEYS is formed by string-literal concatenation, so it
   reads "l1 l2 h1 h2t1 t2 ..." with no separator between the two parts;
   whether that matters depends on how the consumer tokenises it — check
   before relying on the joined form. */
#define CIL_MLS_LEVELS "l1 l2 h1 h2"
#define CIL_CONSTRAIN_KEYS "t1 t2 r1 r2 u1 u2"
#define CIL_MLSCONSTRAIN_KEYS CIL_MLS_LEVELS CIL_CONSTRAIN_KEYS
#define CIL_CONSTRAIN_OPER "== != eq dom domby incomp not and or"
/* constrain / mlsconstrain statement: classperms it applies to and the
   boolean expression in string and resolved form. */
struct cil_constrain {
	struct cil_list *classperms;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};
861 
/* validatetrans / mlsvalidatetrans statement for a single class. */
struct cil_validatetrans {
	char *class_str;
	struct cil_class *class;
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};
868 
/* One formal parameter of a macro: its name and the flavor it accepts. */
struct cil_param {
	char *str;
	enum cil_flavor flavor;
};
873 
/* Macro definition: a namespace of its own plus the parameter list
   (struct cil_param entries). */
struct cil_macro {
	struct cil_symtab_datum datum;
	symtab_t symtab[CIL_SYM_NUM];
	struct cil_list *params;
};
879 
/* One actual argument of a macro call, paired with the parameter it binds. */
struct cil_args {
	char *arg_str;
	struct cil_symtab_datum *arg;	/* resolved argument, when it names a datum */
	char *param_str;
	enum cil_flavor flavor;	/* expected flavor, copied from the parameter */
};
886 
/* call statement: the macro, its arguments as parsed (args_tree) and as
   bound (args), and whether the macro body has already been copied in. */
struct cil_call {
	char *macro_str;
	struct cil_macro *macro;
	struct cil_tree *args_tree;
	struct cil_list *args;	/* struct cil_args entries */
	int copied;
};
894 
/* Boolean values used for cil_bool/cil_tunable ::value and condition results. */
#define CIL_TRUE	1
#define CIL_FALSE	0
897 
/* The true or false branch of a booleanif/tunableif; flavor says which,
   and the branch has its own namespace. */
struct cil_condblock {
	enum cil_flavor flavor;
	symtab_t symtab[CIL_SYM_NUM];
};
902 
/* booleanif statement. preserved_tunable marks a tunableif that was kept
   as a booleanif because cil_db::preserve_tunables was set (inferred from
   the field names — confirm in the resolver). */
struct cil_booleanif {
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
	int preserved_tunable;
};
908 
/* tunableif statement; resolved at compile time in CIL_PASS_TIF. */
struct cil_tunableif {
	struct cil_list *str_expr;
	struct cil_list *datum_expr;
};
913 
/* policycap statement: a named kernel policy capability. */
struct cil_policycap {
	struct cil_symtab_datum datum;
};
917 
/* userbounds / rolebounds / typebounds statement: child is bounded by parent. */
struct cil_bounds {
	char *parent_str;
	char *child_str;
};
922 
923 /* Ensure that CIL uses the same values as sepol policydb.h */
/* Which side of an operation supplies the default user/role/type;
   values are taken verbatim from sepol's DEFAULT_* constants. */
enum cil_default_object {
	CIL_DEFAULT_SOURCE = DEFAULT_SOURCE,
	CIL_DEFAULT_TARGET = DEFAULT_TARGET,
};
928 
929 /* Default labeling behavior for users, roles, and types */
/* defaultuser / defaultrole / defaulttype statement (flavor says which)
   applied to a list of classes. */
struct cil_default {
	enum cil_flavor flavor;
	struct cil_list *class_strs;
	struct cil_list *class_datums;
	enum cil_default_object object;
};
936 
937 /* Ensure that CIL uses the same values as sepol policydb.h */
/* Which range is used as the default MLS range for a class; values are
   taken verbatim from sepol's DEFAULT_*_LOW/HIGH/LOW_HIGH/GLBLUB constants. */
enum cil_default_object_range {
	CIL_DEFAULT_SOURCE_LOW      = DEFAULT_SOURCE_LOW,
	CIL_DEFAULT_SOURCE_HIGH     = DEFAULT_SOURCE_HIGH,
	CIL_DEFAULT_SOURCE_LOW_HIGH = DEFAULT_SOURCE_LOW_HIGH,
	CIL_DEFAULT_TARGET_LOW      = DEFAULT_TARGET_LOW,
	CIL_DEFAULT_TARGET_HIGH     = DEFAULT_TARGET_HIGH,
	CIL_DEFAULT_TARGET_LOW_HIGH = DEFAULT_TARGET_LOW_HIGH,
	CIL_DEFAULT_GLBLUB          = DEFAULT_GLBLUB,
};
947 
948 /* Default labeling behavior for range */
/* defaultrange statement applied to a list of classes. */
struct cil_defaultrange {
	struct cil_list *class_strs;
	struct cil_list *class_datums;
	enum cil_default_object_range object_range;
};
954 
/* handleunknown statement; the value is copied into cil_db::handle_unknown.
   "allow" makes unknown classes/permissions permitted at runtime, so
   changes here are security-relevant. */
struct cil_handleunknown {
	int handle_unknown;
};
958 
/* mls statement: CIL_TRUE/CIL_FALSE, copied into cil_db::mls. */
struct cil_mls {
	int value;
};
962 
/* Source-location marker inserted by high-level-language front ends
   (CIL_KEY_SRC_INFO); is_cil distinguishes CIL from HLL origin and path
   is the originating file. Used for diagnostics. */
struct cil_src_info {
	int is_cil;
	char *path;
};
967 
/* Database lifecycle. Both take the address of the caller's pointer;
   cil_db_destroy presumably frees *db and resets it — confirm in cil.c. */
void cil_db_init(struct cil_db **db);
void cil_db_destroy(struct cil_db **db);

/* Root-node payload lifecycle. */
void cil_root_init(struct cil_root **root);
void cil_root_destroy(struct cil_root *root);

/* Free the payload of an AST node according to its flavor; *data is the
   node's data pointer (the callee presumably NULLs it — confirm). */
void cil_destroy_data(void **data, enum cil_flavor flavor);

/* Map a flavor to the symtab array index that holds its declarations.
   Callers must check the return value: flavors that map to CIL_SYM_UNKNOWN
   or CIL_SYM_PERMS are not valid indices into a symtab_t[CIL_SYM_NUM]. */
int cil_flavor_to_symtab_index(enum cil_flavor flavor, enum cil_sym_index *index);
/* Human-readable statement name for diagnostics. */
const char * cil_node_to_string(struct cil_tree_node *node);

/* Serialise the userprefix, selinuxuser and filecon tables into a newly
   allocated buffer written to *out with its length in *size; the caller
   is expected to free *out (allocation policy lives in the .c file). */
int cil_userprefixes_to_string(struct cil_db *db, char **out, size_t *size);
int cil_selinuxusers_to_string(struct cil_db *db, char **out, size_t *size);
int cil_filecons_to_string(struct cil_db *db, char **out, size_t *size);

/* Symbol-table helpers. symtab must be a symtab_t[CIL_SYM_NUM] array and
   symtab_sizes one row of cil_sym_sizes. cil_get_symtab looks up the
   nearest enclosing table for sym_index starting at ast_node and returns
   it through *symtab. */
void cil_symtab_array_init(symtab_t symtab[], int symtab_sizes[CIL_SYM_NUM]);
void cil_symtab_array_destroy(symtab_t symtab[]);
void cil_destroy_ast_symtabs(struct cil_tree_node *root);
int cil_get_symtab(struct cil_tree_node *ast_node, symtab_t **symtab, enum cil_sym_index sym_index);

/* Constructors for the statement payloads declared above. Each takes the
   address of the pointer to fill with a freshly allocated, zeroed object;
   the matching destruction path is cil_destroy_data with the node's
   flavor. (Allocation failure behaviour is defined in the .c file, not here.) */
void cil_sort_init(struct cil_sort **sort);
void cil_sort_destroy(struct cil_sort **sort);
void cil_netifcon_init(struct cil_netifcon **netifcon);
void cil_ibendportcon_init(struct cil_ibendportcon **ibendportcon);
void cil_context_init(struct cil_context **context);
void cil_level_init(struct cil_level **level);
void cil_levelrange_init(struct cil_levelrange **lvlrange);
void cil_sens_init(struct cil_sens **sens);
void cil_block_init(struct cil_block **block);
void cil_blockinherit_init(struct cil_blockinherit **inherit);
void cil_blockabstract_init(struct cil_blockabstract **abstract);
void cil_in_init(struct cil_in **in);
void cil_class_init(struct cil_class **class);
void cil_classorder_init(struct cil_classorder **classorder);
void cil_classcommon_init(struct cil_classcommon **classcommon);
void cil_sid_init(struct cil_sid **sid);
void cil_sidcontext_init(struct cil_sidcontext **sidcontext);
void cil_sidorder_init(struct cil_sidorder **sidorder);
void cil_userrole_init(struct cil_userrole **userrole);
void cil_userprefix_init(struct cil_userprefix **userprefix);
void cil_selinuxuser_init(struct cil_selinuxuser **selinuxuser);
void cil_roleattribute_init(struct cil_roleattribute **attribute);
void cil_roleattributeset_init(struct cil_roleattributeset **attrset);
void cil_roletype_init(struct cil_roletype **roletype);
void cil_typeattribute_init(struct cil_typeattribute **attribute);
void cil_typeattributeset_init(struct cil_typeattributeset **attrset);
void cil_expandtypeattribute_init(struct cil_expandtypeattribute **expandattr);
void cil_alias_init(struct cil_alias **alias);
void cil_aliasactual_init(struct cil_aliasactual **aliasactual);
void cil_typepermissive_init(struct cil_typepermissive **typeperm);
void cil_name_init(struct cil_name **name);
void cil_nametypetransition_init(struct cil_nametypetransition **nametypetrans);
void cil_rangetransition_init(struct cil_rangetransition **rangetrans);
void cil_bool_init(struct cil_bool **cilbool);
void cil_boolif_init(struct cil_booleanif **bif);
void cil_condblock_init(struct cil_condblock **cb);
void cil_tunable_init(struct cil_tunable **ciltun);
void cil_tunif_init(struct cil_tunableif **tif);
void cil_avrule_init(struct cil_avrule **avrule);
void cil_permissionx_init(struct cil_permissionx **permx);
void cil_type_rule_init(struct cil_type_rule **type_rule);
void cil_roletransition_init(struct cil_roletransition **roletrans);
void cil_roleallow_init(struct cil_roleallow **role_allow);
void cil_catset_init(struct cil_catset **catset);
void cil_cats_init(struct cil_cats **cats);
void cil_senscat_init(struct cil_senscat **senscat);
void cil_filecon_init(struct cil_filecon **filecon);
void cil_ibpkeycon_init(struct cil_ibpkeycon **ibpkeycon);
void cil_portcon_init(struct cil_portcon **portcon);
void cil_nodecon_init(struct cil_nodecon **nodecon);
void cil_genfscon_init(struct cil_genfscon **genfscon);
void cil_pirqcon_init(struct cil_pirqcon **pirqcon);
void cil_iomemcon_init(struct cil_iomemcon **iomemcon);
void cil_ioportcon_init(struct cil_ioportcon **ioportcon);
void cil_pcidevicecon_init(struct cil_pcidevicecon **pcidevicecon);
void cil_devicetreecon_init(struct cil_devicetreecon **devicetreecon);
void cil_fsuse_init(struct cil_fsuse **fsuse);
void cil_constrain_init(struct cil_constrain **constrain);
void cil_validatetrans_init(struct cil_validatetrans **validtrans);
void cil_ipaddr_init(struct cil_ipaddr **ipaddr);
void cil_perm_init(struct cil_perm **perm);
void cil_classpermission_init(struct cil_classpermission **cp);
void cil_classpermissionset_init(struct cil_classpermissionset **cps);
void cil_classperms_set_init(struct cil_classperms_set **cp_set);
void cil_classperms_init(struct cil_classperms **cp);
void cil_classmapping_init(struct cil_classmapping **mapping);
void cil_user_init(struct cil_user **user);
void cil_userlevel_init(struct cil_userlevel **usrlvl);
void cil_userrange_init(struct cil_userrange **userrange);
void cil_role_init(struct cil_role **role);
void cil_type_init(struct cil_type **type);
void cil_cat_init(struct cil_cat **cat);
void cil_catorder_init(struct cil_catorder **catorder);
void cil_sensorder_init(struct cil_sensorder **sensorder);
void cil_args_init(struct cil_args **args);
void cil_call_init(struct cil_call **call);
void cil_optional_init(struct cil_optional **optional);
void cil_param_init(struct cil_param **param);
void cil_macro_init(struct cil_macro **macro);
void cil_policycap_init(struct cil_policycap **policycap);
void cil_bounds_init(struct cil_bounds **bounds);
void cil_default_init(struct cil_default **def);
void cil_defaultrange_init(struct cil_defaultrange **def);
void cil_handleunknown_init(struct cil_handleunknown **unk);
void cil_mls_init(struct cil_mls **mls);
void cil_src_info_init(struct cil_src_info **info);
void cil_userattribute_init(struct cil_userattribute **attribute);
void cil_userattributeset_init(struct cil_userattributeset **attrset);
1076 
1077 #endif
1078