1 /* Author : Stephen Smalley, <sds@tycho.nsa.gov> */ 2 3 /* 4 * Updated: Joshua Brindle <jbrindle@tresys.com> 5 * Karl MacMillan <kmacmillan@tresys.com> 6 * Jason Tang <jtang@tresys.com> 7 * 8 * Module support 9 * 10 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 11 * 12 * Support for enhanced MLS infrastructure. 13 * 14 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 15 * 16 * Added conditional policy language extensions 17 * 18 * Updated: Red Hat, Inc. James Morris <jmorris@redhat.com> 19 * 20 * Fine-grained netlink support 21 * IPv6 support 22 * Code cleanup 23 * 24 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 25 * Copyright (C) 2003 - 2004 Tresys Technology, LLC 26 * Copyright (C) 2003 - 2004 Red Hat, Inc. 27 * Copyright (C) 2017 Mellanox Techonolgies Inc. 28 * 29 * This library is free software; you can redistribute it and/or 30 * modify it under the terms of the GNU Lesser General Public 31 * License as published by the Free Software Foundation; either 32 * version 2.1 of the License, or (at your option) any later version. 33 * 34 * This library is distributed in the hope that it will be useful, 35 * but WITHOUT ANY WARRANTY; without even the implied warranty of 36 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 37 * Lesser General Public License for more details. 38 * 39 * You should have received a copy of the GNU Lesser General Public 40 * License along with this library; if not, write to the Free Software 41 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 42 */ 43 44 /* FLASK */ 45 46 /* 47 * A policy database (policydb) specifies the 48 * configuration data for the security policy. 49 */ 50 51 #ifndef _SEPOL_POLICYDB_POLICYDB_H_ 52 #define _SEPOL_POLICYDB_POLICYDB_H_ 53 54 #include <stdio.h> 55 #include <stddef.h> 56 57 #include <sepol/policydb.h> 58 59 #include <sepol/policydb/flask_types.h> 60 #include <sepol/policydb/symtab.h> 61 #include <sepol/policydb/avtab.h> 62 #include <sepol/policydb/context.h> 63 #include <sepol/policydb/constraint.h> 64 #include <sepol/policydb/sidtab.h> 65 66 #define ERRMSG_LEN 1024 67 68 #define POLICYDB_SUCCESS 0 69 #define POLICYDB_ERROR -1 70 #define POLICYDB_UNSUPPORTED -2 71 72 #ifdef __cplusplus 73 extern "C" { 74 #endif 75 76 #define IB_DEVICE_NAME_MAX 64 77 78 /* 79 * A datum type is defined for each kind of symbol 80 * in the configuration data: individual permissions, 81 * common prefixes for access vectors, classes, 82 * users, roles, types, sensitivities, categories, etc. 83 */ 84 85 /* type set preserves data needed by modules such as *, ~ and attributes */ 86 typedef struct type_set { 87 ebitmap_t types; 88 ebitmap_t negset; 89 #define TYPE_STAR 1 90 #define TYPE_COMP 2 91 uint32_t flags; 92 } type_set_t; 93 94 typedef struct role_set { 95 ebitmap_t roles; 96 #define ROLE_STAR 1 97 #define ROLE_COMP 2 98 uint32_t flags; 99 } role_set_t; 100 101 /* Permission attributes */ 102 typedef struct perm_datum { 103 symtab_datum_t s; 104 } perm_datum_t; 105 106 /* Attributes of a common prefix for access vectors */ 107 typedef struct common_datum { 108 symtab_datum_t s; 109 symtab_t permissions; /* common permissions */ 110 } common_datum_t; 111 112 /* Class attributes */ 113 typedef struct class_datum { 114 symtab_datum_t s; 115 char *comkey; /* common name */ 116 common_datum_t *comdatum; /* common datum */ 117 symtab_t permissions; /* class-specific permission symbol table */ 118 constraint_node_t *constraints; /* constraints on class permissions */ 119 constraint_node_t *validatetrans; /* special transition rules */ 120 /* Options how a new object user and role should be decided */ 121 #define DEFAULT_SOURCE 1 122 #define DEFAULT_TARGET 2 123 char default_user; 124 char default_role; 125 char default_type; 126 /* Options how a new object range should be decided */ 127 #define DEFAULT_SOURCE_LOW 1 128 #define DEFAULT_SOURCE_HIGH 2 129 #define DEFAULT_SOURCE_LOW_HIGH 3 130 #define DEFAULT_TARGET_LOW 4 131 #define DEFAULT_TARGET_HIGH 5 132 #define DEFAULT_TARGET_LOW_HIGH 6 133 #define DEFAULT_GLBLUB 7 134 char default_range; 135 } class_datum_t; 136 137 /* Role attributes */ 138 typedef struct role_datum { 139 symtab_datum_t s; 140 ebitmap_t dominates; /* set of roles dominated by this role */ 141 type_set_t types; /* set of authorized types for role */ 142 ebitmap_t cache; /* This is an expanded set used for context validation during parsing */ 143 uint32_t bounds; /* bounds role, if exist */ 144 #define ROLE_ROLE 0 /* regular role in kernel policies */ 145 #define ROLE_ATTRIB 1 /* attribute */ 146 uint32_t flavor; 147 ebitmap_t roles; /* roles with this attribute */ 148 } role_datum_t; 149 150 typedef struct role_trans { 151 uint32_t role; /* current role */ 152 uint32_t type; /* program executable type, or new object type */ 153 uint32_t tclass; /* process class, or new object class */ 154 uint32_t new_role; /* new role */ 155 struct role_trans *next; 156 } role_trans_t; 157 158 typedef struct role_allow { 159 uint32_t role; /* current role */ 160 uint32_t new_role; /* new role */ 161 struct role_allow *next; 162 } role_allow_t; 163 164 /* filename_trans rules */ 165 typedef struct filename_trans { 166 uint32_t stype; 167 uint32_t ttype; 168 uint32_t tclass; 169 char *name; 170 } filename_trans_t; 171 172 typedef struct filename_trans_datum { 173 uint32_t otype; /* expected of new object */ 174 } filename_trans_datum_t; 175 176 /* Type attributes */ 177 typedef struct type_datum { 178 symtab_datum_t s; 179 uint32_t primary; /* primary name? can be set to primary value if below is TYPE_ */ 180 #define TYPE_TYPE 0 /* regular type or alias in kernel policies */ 181 #define TYPE_ATTRIB 1 /* attribute */ 182 #define TYPE_ALIAS 2 /* alias in modular policy */ 183 uint32_t flavor; 184 ebitmap_t types; /* types with this attribute */ 185 #define TYPE_FLAGS_PERMISSIVE (1 << 0) 186 #define TYPE_FLAGS_EXPAND_ATTR_TRUE (1 << 1) 187 #define TYPE_FLAGS_EXPAND_ATTR_FALSE (1 << 2) 188 #define TYPE_FLAGS_EXPAND_ATTR (TYPE_FLAGS_EXPAND_ATTR_TRUE | \ 189 TYPE_FLAGS_EXPAND_ATTR_FALSE) 190 uint32_t flags; 191 uint32_t bounds; /* bounds type, if exist */ 192 } type_datum_t; 193 194 /* 195 * Properties of type_datum 196 * available on the policy version >= (MOD_)POLICYDB_VERSION_BOUNDARY 197 */ 198 #define TYPEDATUM_PROPERTY_PRIMARY 0x0001 199 #define TYPEDATUM_PROPERTY_ATTRIBUTE 0x0002 200 #define TYPEDATUM_PROPERTY_ALIAS 0x0004 /* userspace only */ 201 #define TYPEDATUM_PROPERTY_PERMISSIVE 0x0008 /* userspace only */ 202 203 /* User attributes */ 204 typedef struct user_datum { 205 symtab_datum_t s; 206 role_set_t roles; /* set of authorized roles for user */ 207 mls_semantic_range_t range; /* MLS range (min. - max.) for user */ 208 mls_semantic_level_t dfltlevel; /* default login MLS level for user */ 209 ebitmap_t cache; /* This is an expanded set used for context validation during parsing */ 210 mls_range_t exp_range; /* expanded range used for validation */ 211 mls_level_t exp_dfltlevel; /* expanded range used for validation */ 212 uint32_t bounds; /* bounds user, if exist */ 213 } user_datum_t; 214 215 /* Sensitivity attributes */ 216 typedef struct level_datum { 217 mls_level_t *level; /* sensitivity and associated categories */ 218 unsigned char isalias; /* is this sensitivity an alias for another? */ 219 unsigned char defined; 220 } level_datum_t; 221 222 /* Category attributes */ 223 typedef struct cat_datum { 224 symtab_datum_t s; 225 unsigned char isalias; /* is this category an alias for another? */ 226 } cat_datum_t; 227 228 typedef struct range_trans { 229 uint32_t source_type; 230 uint32_t target_type; 231 uint32_t target_class; 232 } range_trans_t; 233 234 /* Boolean data type */ 235 typedef struct cond_bool_datum { 236 symtab_datum_t s; 237 int state; 238 #define COND_BOOL_FLAGS_TUNABLE 0x01 /* is this a tunable? */ 239 uint32_t flags; 240 } cond_bool_datum_t; 241 242 struct cond_node; 243 244 typedef struct cond_node cond_list_t; 245 struct cond_av_list; 246 247 typedef struct class_perm_node { 248 uint32_t tclass; 249 uint32_t data; /* permissions or new type */ 250 struct class_perm_node *next; 251 } class_perm_node_t; 252 253 #define xperm_test(x, p) (1 & (p[x >> 5] >> (x & 0x1f))) 254 #define xperm_set(x, p) (p[x >> 5] |= (1 << (x & 0x1f))) 255 #define xperm_clear(x, p) (p[x >> 5] &= ~(1 << (x & 0x1f))) 256 #define EXTENDED_PERMS_LEN 8 257 258 typedef struct av_extended_perms { 259 #define AVRULE_XPERMS_IOCTLFUNCTION 0x01 260 #define AVRULE_XPERMS_IOCTLDRIVER 0x02 261 uint8_t specified; 262 uint8_t driver; 263 /* 256 bits of permissions */ 264 uint32_t perms[EXTENDED_PERMS_LEN]; 265 } av_extended_perms_t; 266 267 typedef struct avrule { 268 /* these typedefs are almost exactly the same as those in avtab.h - they are 269 * here because of the need to include neverallow and dontaudit messages */ 270 #define AVRULE_ALLOWED AVTAB_ALLOWED 271 #define AVRULE_AUDITALLOW AVTAB_AUDITALLOW 272 #define AVRULE_AUDITDENY AVTAB_AUDITDENY 273 #define AVRULE_DONTAUDIT 0x0008 274 #define AVRULE_NEVERALLOW AVTAB_NEVERALLOW 275 #define AVRULE_AV (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_AUDITDENY | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW) 276 #define AVRULE_TRANSITION AVTAB_TRANSITION 277 #define AVRULE_MEMBER AVTAB_MEMBER 278 #define AVRULE_CHANGE AVTAB_CHANGE 279 #define AVRULE_TYPE (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE) 280 #define AVRULE_XPERMS_ALLOWED AVTAB_XPERMS_ALLOWED 281 #define AVRULE_XPERMS_AUDITALLOW AVTAB_XPERMS_AUDITALLOW 282 #define AVRULE_XPERMS_DONTAUDIT AVTAB_XPERMS_DONTAUDIT 283 #define AVRULE_XPERMS_NEVERALLOW AVTAB_XPERMS_NEVERALLOW 284 #define AVRULE_XPERMS (AVRULE_XPERMS_ALLOWED | AVRULE_XPERMS_AUDITALLOW | \ 285 AVRULE_XPERMS_DONTAUDIT | AVRULE_XPERMS_NEVERALLOW) 286 uint32_t specified; 287 #define RULE_SELF 1 288 uint32_t flags; 289 type_set_t stypes; 290 type_set_t ttypes; 291 class_perm_node_t *perms; 292 av_extended_perms_t *xperms; 293 unsigned long line; /* line number from policy.conf where 294 * this rule originated */ 295 /* source file name and line number (e.g. .te file) */ 296 char *source_filename; 297 unsigned long source_line; 298 struct avrule *next; 299 } avrule_t; 300 301 typedef struct role_trans_rule { 302 role_set_t roles; /* current role */ 303 type_set_t types; /* program executable type, or new object type */ 304 ebitmap_t classes; /* process class, or new object class */ 305 uint32_t new_role; /* new role */ 306 struct role_trans_rule *next; 307 } role_trans_rule_t; 308 309 typedef struct role_allow_rule { 310 role_set_t roles; /* current role */ 311 role_set_t new_roles; /* new roles */ 312 struct role_allow_rule *next; 313 } role_allow_rule_t; 314 315 typedef struct filename_trans_rule { 316 type_set_t stypes; 317 type_set_t ttypes; 318 uint32_t tclass; 319 char *name; 320 uint32_t otype; /* new type */ 321 struct filename_trans_rule *next; 322 } filename_trans_rule_t; 323 324 typedef struct range_trans_rule { 325 type_set_t stypes; 326 type_set_t ttypes; 327 ebitmap_t tclasses; 328 mls_semantic_range_t trange; 329 struct range_trans_rule *next; 330 } range_trans_rule_t; 331 332 /* 333 * The configuration data includes security contexts for 334 * initial SIDs, unlabeled file systems, TCP and UDP port numbers, 335 * network interfaces, and nodes. This structure stores the 336 * relevant data for one such entry. Entries of the same kind 337 * (e.g. all initial SIDs) are linked together into a list. 338 */ 339 typedef struct ocontext { 340 union { 341 char *name; /* name of initial SID, fs, netif, fstype, path */ 342 struct { 343 uint8_t protocol; 344 uint16_t low_port; 345 uint16_t high_port; 346 } port; /* TCP or UDP port information */ 347 struct { 348 uint32_t addr; /* network order */ 349 uint32_t mask; /* network order */ 350 } node; /* node information */ 351 struct { 352 uint32_t addr[4]; /* network order */ 353 uint32_t mask[4]; /* network order */ 354 } node6; /* IPv6 node information */ 355 uint32_t device; 356 uint16_t pirq; 357 struct { 358 uint64_t low_iomem; 359 uint64_t high_iomem; 360 } iomem; 361 struct { 362 uint32_t low_ioport; 363 uint32_t high_ioport; 364 } ioport; 365 struct { 366 uint64_t subnet_prefix; 367 uint16_t low_pkey; 368 uint16_t high_pkey; 369 } ibpkey; 370 struct { 371 char *dev_name; 372 uint8_t port; 373 } ibendport; 374 } u; 375 union { 376 uint32_t sclass; /* security class for genfs */ 377 uint32_t behavior; /* labeling behavior for fs_use */ 378 } v; 379 context_struct_t context[2]; /* security context(s) */ 380 sepol_security_id_t sid[2]; /* SID(s) */ 381 struct ocontext *next; 382 } ocontext_t; 383 384 typedef struct genfs { 385 char *fstype; 386 struct ocontext *head; 387 struct genfs *next; 388 } genfs_t; 389 390 /* symbol table array indices */ 391 #define SYM_COMMONS 0 392 #define SYM_CLASSES 1 393 #define SYM_ROLES 2 394 #define SYM_TYPES 3 395 #define SYM_USERS 4 396 #define SYM_BOOLS 5 397 #define SYM_LEVELS 6 398 #define SYM_CATS 7 399 #define SYM_NUM 8 400 401 /* object context array indices */ 402 #define OCON_ISID 0 /* initial SIDs */ 403 #define OCON_FS 1 /* unlabeled file systems */ 404 #define OCON_PORT 2 /* TCP and UDP port numbers */ 405 #define OCON_NETIF 3 /* network interfaces */ 406 #define OCON_NODE 4 /* nodes */ 407 #define OCON_FSUSE 5 /* fs_use */ 408 #define OCON_NODE6 6 /* IPv6 nodes */ 409 #define OCON_IBPKEY 7 /* Infiniband PKEY */ 410 #define OCON_IBENDPORT 8 /* Infiniband End Port */ 411 412 /* object context array indices for Xen */ 413 #define OCON_XEN_ISID 0 /* initial SIDs */ 414 #define OCON_XEN_PIRQ 1 /* physical irqs */ 415 #define OCON_XEN_IOPORT 2 /* io ports */ 416 #define OCON_XEN_IOMEM 3 /* io memory */ 417 #define OCON_XEN_PCIDEVICE 4 /* pci devices */ 418 #define OCON_XEN_DEVICETREE 5 /* device tree node */ 419 420 /* OCON_NUM needs to be the largest index in any platform's ocontext array */ 421 #define OCON_NUM 9 422 423 /* section: module information */ 424 425 /* scope_index_t holds all of the symbols that are in scope in a 426 * particular situation. The bitmaps are indices (and thus must 427 * subtract one) into the global policydb->scope array. */ 428 typedef struct scope_index { 429 ebitmap_t scope[SYM_NUM]; 430 #define p_classes_scope scope[SYM_CLASSES] 431 #define p_roles_scope scope[SYM_ROLES] 432 #define p_types_scope scope[SYM_TYPES] 433 #define p_users_scope scope[SYM_USERS] 434 #define p_bools_scope scope[SYM_BOOLS] 435 #define p_sens_scope scope[SYM_LEVELS] 436 #define p_cat_scope scope[SYM_CATS] 437 438 /* this array maps from class->value to the permissions within 439 * scope. if bit (perm->value - 1) is set in map 440 * class_perms_map[class->value - 1] then that permission is 441 * enabled for this class within this decl. */ 442 ebitmap_t *class_perms_map; 443 /* total number of classes in class_perms_map array */ 444 uint32_t class_perms_len; 445 } scope_index_t; 446 447 /* a list of declarations for a particular avrule_decl */ 448 449 /* These two structs declare a block of policy that has TE and RBAC 450 * statements and declarations. The root block (the global policy) 451 * can never have an ELSE branch. */ 452 typedef struct avrule_decl { 453 uint32_t decl_id; 454 uint32_t enabled; /* whether this block is enabled */ 455 456 cond_list_t *cond_list; 457 avrule_t *avrules; 458 role_trans_rule_t *role_tr_rules; 459 role_allow_rule_t *role_allow_rules; 460 range_trans_rule_t *range_tr_rules; 461 scope_index_t required; /* symbols needed to activate this block */ 462 scope_index_t declared; /* symbols declared within this block */ 463 464 /* type transition rules with a 'name' component */ 465 filename_trans_rule_t *filename_trans_rules; 466 467 /* for additive statements (type attribute, roles, and users) */ 468 symtab_t symtab[SYM_NUM]; 469 470 /* In a linked module this will contain the name of the module 471 * from which this avrule_decl originated. */ 472 char *module_name; 473 474 struct avrule_decl *next; 475 } avrule_decl_t; 476 477 typedef struct avrule_block { 478 avrule_decl_t *branch_list; 479 avrule_decl_t *enabled; /* pointer to which branch is enabled. this is 480 used in linking and never written to disk */ 481 #define AVRULE_OPTIONAL 1 482 uint32_t flags; /* any flags for this block, currently just optional */ 483 struct avrule_block *next; 484 } avrule_block_t; 485 486 /* Every identifier has its own scope datum. The datum describes if 487 * the item is to be included into the final policy during 488 * expansion. */ 489 typedef struct scope_datum { 490 /* Required for this decl */ 491 #define SCOPE_REQ 1 492 /* Declared in this decl */ 493 #define SCOPE_DECL 2 494 uint32_t scope; 495 uint32_t *decl_ids; 496 uint32_t decl_ids_len; 497 /* decl_ids is a list of avrule_decl's that declare/require 498 * this symbol. If scope==SCOPE_DECL then this is a list of 499 * declarations. If the symbol may only be declared once 500 * (types, bools) then decl_ids_len will be exactly 1. For 501 * implicitly declared things (roles, users) then decl_ids_len 502 * will be at least 1. */ 503 } scope_datum_t; 504 505 /* The policy database */ 506 typedef struct policydb { 507 #define POLICY_KERN SEPOL_POLICY_KERN 508 #define POLICY_BASE SEPOL_POLICY_BASE 509 #define POLICY_MOD SEPOL_POLICY_MOD 510 uint32_t policy_type; 511 char *name; 512 char *version; 513 int target_platform; 514 515 /* Set when the policydb is modified such that writing is unsupported */ 516 int unsupported_format; 517 518 /* Whether this policydb is mls, should always be set */ 519 int mls; 520 521 /* symbol tables */ 522 symtab_t symtab[SYM_NUM]; 523 #define p_commons symtab[SYM_COMMONS] 524 #define p_classes symtab[SYM_CLASSES] 525 #define p_roles symtab[SYM_ROLES] 526 #define p_types symtab[SYM_TYPES] 527 #define p_users symtab[SYM_USERS] 528 #define p_bools symtab[SYM_BOOLS] 529 #define p_levels symtab[SYM_LEVELS] 530 #define p_cats symtab[SYM_CATS] 531 532 /* symbol names indexed by (value - 1) */ 533 char **sym_val_to_name[SYM_NUM]; 534 #define p_common_val_to_name sym_val_to_name[SYM_COMMONS] 535 #define p_class_val_to_name sym_val_to_name[SYM_CLASSES] 536 #define p_role_val_to_name sym_val_to_name[SYM_ROLES] 537 #define p_type_val_to_name sym_val_to_name[SYM_TYPES] 538 #define p_user_val_to_name sym_val_to_name[SYM_USERS] 539 #define p_bool_val_to_name sym_val_to_name[SYM_BOOLS] 540 #define p_sens_val_to_name sym_val_to_name[SYM_LEVELS] 541 #define p_cat_val_to_name sym_val_to_name[SYM_CATS] 542 543 /* class, role, and user attributes indexed by (value - 1) */ 544 class_datum_t **class_val_to_struct; 545 role_datum_t **role_val_to_struct; 546 user_datum_t **user_val_to_struct; 547 type_datum_t **type_val_to_struct; 548 549 /* module stuff section -- used in parsing and for modules */ 550 551 /* keep track of the scope for every identifier. these are 552 * hash tables, where the key is the identifier name and value 553 * a scope_datum_t. as a convenience, one may use the 554 * p_*_macros (cf. struct scope_index_t declaration). */ 555 symtab_t scope[SYM_NUM]; 556 557 /* module rule storage */ 558 avrule_block_t *global; 559 /* avrule_decl index used for link/expand */ 560 avrule_decl_t **decl_val_to_struct; 561 562 /* compiled storage of rules - use for the kernel policy */ 563 564 /* type enforcement access vectors and transitions */ 565 avtab_t te_avtab; 566 567 /* bools indexed by (value - 1) */ 568 cond_bool_datum_t **bool_val_to_struct; 569 /* type enforcement conditional access vectors and transitions */ 570 avtab_t te_cond_avtab; 571 /* linked list indexing te_cond_avtab by conditional */ 572 cond_list_t *cond_list; 573 574 /* role transitions */ 575 role_trans_t *role_tr; 576 577 /* role allows */ 578 role_allow_t *role_allow; 579 580 /* security contexts of initial SIDs, unlabeled file systems, 581 TCP or UDP port numbers, network interfaces and nodes */ 582 ocontext_t *ocontexts[OCON_NUM]; 583 584 /* security contexts for files in filesystems that cannot support 585 a persistent label mapping or use another 586 fixed labeling behavior. */ 587 genfs_t *genfs; 588 589 /* range transitions table (range_trans_key -> mls_range) */ 590 hashtab_t range_tr; 591 592 /* file transitions with the last path component */ 593 hashtab_t filename_trans; 594 595 ebitmap_t *type_attr_map; 596 597 ebitmap_t *attr_type_map; /* not saved in the binary policy */ 598 599 ebitmap_t policycaps; 600 601 /* this bitmap is referenced by type NOT the typical type-1 used in other 602 bitmaps. Someday the 0 bit may be used for global permissive */ 603 ebitmap_t permissive_map; 604 605 unsigned policyvers; 606 607 unsigned handle_unknown; 608 } policydb_t; 609 610 struct sepol_policydb { 611 struct policydb p; 612 }; 613 614 extern int policydb_init(policydb_t * p); 615 616 extern int policydb_from_image(sepol_handle_t * handle, 617 void *data, size_t len, policydb_t * policydb); 618 619 extern int policydb_to_image(sepol_handle_t * handle, 620 policydb_t * policydb, void **newdata, 621 size_t * newlen); 622 623 extern int policydb_index_classes(policydb_t * p); 624 625 extern int policydb_index_bools(policydb_t * p); 626 627 extern int policydb_index_others(sepol_handle_t * handle, policydb_t * p, 628 unsigned int verbose); 629 630 extern int policydb_role_cache(hashtab_key_t key, 631 hashtab_datum_t datum, 632 void *arg); 633 634 extern int policydb_user_cache(hashtab_key_t key, 635 hashtab_datum_t datum, 636 void *arg); 637 638 extern int policydb_reindex_users(policydb_t * p); 639 640 extern int policydb_optimize(policydb_t * p); 641 642 extern void policydb_destroy(policydb_t * p); 643 644 extern int policydb_load_isids(policydb_t * p, sidtab_t * s); 645 646 extern int policydb_sort_ocontexts(policydb_t *p); 647 648 /* Deprecated */ 649 extern int policydb_context_isvalid(const policydb_t * p, 650 const context_struct_t * c); 651 652 extern void symtabs_destroy(symtab_t * symtab); 653 extern int scope_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p); 654 655 extern void class_perm_node_init(class_perm_node_t * x); 656 extern void type_set_init(type_set_t * x); 657 extern void type_set_destroy(type_set_t * x); 658 extern int type_set_cpy(type_set_t * dst, type_set_t * src); 659 extern int type_set_or_eq(type_set_t * dst, type_set_t * other); 660 extern void role_set_init(role_set_t * x); 661 extern void role_set_destroy(role_set_t * x); 662 extern void avrule_init(avrule_t * x); 663 extern void avrule_destroy(avrule_t * x); 664 extern void avrule_list_destroy(avrule_t * x); 665 extern void role_trans_rule_init(role_trans_rule_t * x); 666 extern void role_trans_rule_list_destroy(role_trans_rule_t * x); 667 extern void filename_trans_rule_init(filename_trans_rule_t * x); 668 extern void filename_trans_rule_list_destroy(filename_trans_rule_t * x); 669 670 extern void role_datum_init(role_datum_t * x); 671 extern void role_datum_destroy(role_datum_t * x); 672 extern void role_allow_rule_init(role_allow_rule_t * x); 673 extern void role_allow_rule_destroy(role_allow_rule_t * x); 674 extern void role_allow_rule_list_destroy(role_allow_rule_t * x); 675 extern void range_trans_rule_init(range_trans_rule_t *x); 676 extern void range_trans_rule_destroy(range_trans_rule_t *x); 677 extern void range_trans_rule_list_destroy(range_trans_rule_t *x); 678 extern void type_datum_init(type_datum_t * x); 679 extern void type_datum_destroy(type_datum_t * x); 680 extern void user_datum_init(user_datum_t * x); 681 extern void user_datum_destroy(user_datum_t * x); 682 extern void level_datum_init(level_datum_t * x); 683 extern void level_datum_destroy(level_datum_t * x); 684 extern void cat_datum_init(cat_datum_t * x); 685 extern void cat_datum_destroy(cat_datum_t * x); 686 extern int check_assertion(policydb_t *p, avrule_t *avrule); 687 extern int check_assertions(sepol_handle_t * handle, 688 policydb_t * p, avrule_t * avrules); 689 690 extern int symtab_insert(policydb_t * x, uint32_t sym, 691 hashtab_key_t key, hashtab_datum_t datum, 692 uint32_t scope, uint32_t avrule_decl_id, 693 uint32_t * value); 694 695 /* A policy "file" may be a memory region referenced by a (data, len) pair 696 or a file referenced by a FILE pointer. */ 697 typedef struct policy_file { 698 #define PF_USE_MEMORY 0 699 #define PF_USE_STDIO 1 700 #define PF_LEN 2 /* total up length in len field */ 701 unsigned type; 702 char *data; 703 size_t len; 704 size_t size; 705 FILE *fp; 706 struct sepol_handle *handle; 707 } policy_file_t; 708 709 struct sepol_policy_file { 710 struct policy_file pf; 711 }; 712 713 extern void policy_file_init(policy_file_t * x); 714 715 extern int policydb_read(policydb_t * p, struct policy_file *fp, 716 unsigned int verbose); 717 extern int avrule_read_list(policydb_t * p, avrule_t ** avrules, 718 struct policy_file *fp); 719 720 extern int policydb_write(struct policydb *p, struct policy_file *pf); 721 extern int policydb_set_target_platform(policydb_t *p, int platform); 722 723 #define PERM_SYMTAB_SIZE 32 724 725 /* Identify specific policy version changes */ 726 #define POLICYDB_VERSION_BASE 15 727 #define POLICYDB_VERSION_BOOL 16 728 #define POLICYDB_VERSION_IPV6 17 729 #define POLICYDB_VERSION_NLCLASS 18 730 #define POLICYDB_VERSION_VALIDATETRANS 19 731 #define POLICYDB_VERSION_MLS 19 732 #define POLICYDB_VERSION_AVTAB 20 733 #define POLICYDB_VERSION_RANGETRANS 21 734 #define POLICYDB_VERSION_POLCAP 22 735 #define POLICYDB_VERSION_PERMISSIVE 23 736 #define POLICYDB_VERSION_BOUNDARY 24 737 #define POLICYDB_VERSION_FILENAME_TRANS 25 738 #define POLICYDB_VERSION_ROLETRANS 26 739 #define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27 740 #define POLICYDB_VERSION_DEFAULT_TYPE 28 741 #define POLICYDB_VERSION_CONSTRAINT_NAMES 29 742 #define POLICYDB_VERSION_XEN_DEVICETREE 30 /* Xen-specific */ 743 #define POLICYDB_VERSION_XPERMS_IOCTL 30 /* Linux-specific */ 744 #define POLICYDB_VERSION_INFINIBAND 31 /* Linux-specific */ 745 #define POLICYDB_VERSION_GLBLUB 32 746 747 /* Range of policy versions we understand*/ 748 #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE 749 #define POLICYDB_VERSION_MAX POLICYDB_VERSION_GLBLUB 750 751 /* Module versions and specific changes*/ 752 #define MOD_POLICYDB_VERSION_BASE 4 753 #define MOD_POLICYDB_VERSION_VALIDATETRANS 5 754 #define MOD_POLICYDB_VERSION_MLS 5 755 #define MOD_POLICYDB_VERSION_RANGETRANS 6 756 #define MOD_POLICYDB_VERSION_MLS_USERS 6 757 #define MOD_POLICYDB_VERSION_POLCAP 7 758 #define MOD_POLICYDB_VERSION_PERMISSIVE 8 759 #define MOD_POLICYDB_VERSION_BOUNDARY 9 760 #define MOD_POLICYDB_VERSION_BOUNDARY_ALIAS 10 761 #define MOD_POLICYDB_VERSION_FILENAME_TRANS 11 762 #define MOD_POLICYDB_VERSION_ROLETRANS 12 763 #define MOD_POLICYDB_VERSION_ROLEATTRIB 13 764 #define MOD_POLICYDB_VERSION_TUNABLE_SEP 14 765 #define MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 15 766 #define MOD_POLICYDB_VERSION_DEFAULT_TYPE 16 767 #define MOD_POLICYDB_VERSION_CONSTRAINT_NAMES 17 768 #define MOD_POLICYDB_VERSION_XPERMS_IOCTL 18 769 #define MOD_POLICYDB_VERSION_INFINIBAND 19 770 #define MOD_POLICYDB_VERSION_GLBLUB 20 771 772 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE 773 #define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_GLBLUB 774 775 #define POLICYDB_CONFIG_MLS 1 776 777 /* macros to check policy feature */ 778 779 /* TODO: add other features here */ 780 781 #define policydb_has_boundary_feature(p) \ 782 (((p)->policy_type == POLICY_KERN \ 783 && p->policyvers >= POLICYDB_VERSION_BOUNDARY) || \ 784 ((p)->policy_type != POLICY_KERN \ 785 && p->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY)) 786 787 /* the config flags related to unknown classes/perms are bits 2 and 3 */ 788 #define DENY_UNKNOWN SEPOL_DENY_UNKNOWN 789 #define REJECT_UNKNOWN SEPOL_REJECT_UNKNOWN 790 #define ALLOW_UNKNOWN SEPOL_ALLOW_UNKNOWN 791 792 #define POLICYDB_CONFIG_UNKNOWN_MASK (DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN) 793 794 #define POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE 1 << 31; 795 796 #define OBJECT_R "object_r" 797 #define OBJECT_R_VAL 1 798 799 #define POLICYDB_MAGIC SELINUX_MAGIC 800 #define POLICYDB_STRING "SE Linux" 801 #define POLICYDB_XEN_STRING "XenFlask" 802 #define POLICYDB_STRING_MAX_LENGTH 32 803 #define POLICYDB_MOD_MAGIC SELINUX_MOD_MAGIC 804 #define POLICYDB_MOD_STRING "SE Linux Module" 805 806 #ifdef __cplusplus 807 } 808 #endif 809 810 #endif /* _POLICYDB_H_ */ 811 812 /* FLASK */ 813